--- /dev/null
+From ebec3f8f5271139df618ebdf8427e24ba102ba94 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 26 May 2018 09:53:14 +0900
+Subject: n_tty: Access echo_* variables carefully.
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit ebec3f8f5271139df618ebdf8427e24ba102ba94 upstream.
+
+syzbot is reporting stalls at __process_echoes() [1]. This is because
+since ldata->echo_commit < ldata->echo_tail becomes true for some reason,
+the discard loop is serving as almost infinite loop. This patch tries to
+avoid falling into ldata->echo_commit < ldata->echo_tail situation by
+making access to echo_* variables more carefully.
+
+Since reset_buffer_flags() is called without output_lock held, it should
+not touch echo_* variables. And omit a call to reset_buffer_flags() from
+n_tty_open() by using vzalloc().
+
+Since add_echo_byte() is called without output_lock held, it needs memory
+barrier between storing into echo_buf[] and incrementing echo_head counter.
+echo_buf() needs corresponding memory barrier before reading echo_buf[].
+Lack of handling the possibility of not-yet-stored multi-byte operation
+might be the reason of falling into ldata->echo_commit < ldata->echo_tail
+situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to
+echo_buf(ldata, tail + 1), the WARN_ON() fires.
+
+Also, explicitly masking with buffer for the former "while" loop, and
+use ldata->echo_commit > tail for the latter "while" loop.
+
+[1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+108696293d7a21ab688f@syzkaller.appspotmail.com>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_tty.c | 42 ++++++++++++++++++++++++------------------
+ 1 file changed, 24 insertions(+), 18 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -145,6 +145,7 @@ static inline unsigned char *read_buf_ad
+
+ static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i)
+ {
++ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */
+ return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)];
+ }
+
+@@ -320,9 +321,7 @@ static inline void put_tty_queue(unsigne
+ static void reset_buffer_flags(struct n_tty_data *ldata)
+ {
+ ldata->read_head = ldata->canon_head = ldata->read_tail = 0;
+- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0;
+ ldata->commit_head = 0;
+- ldata->echo_mark = 0;
+ ldata->line_start = 0;
+
+ ldata->erasing = 0;
+@@ -621,13 +620,20 @@ static size_t __process_echoes(struct tt
+ old_space = space = tty_write_room(tty);
+
+ tail = ldata->echo_tail;
+- while (ldata->echo_commit != tail) {
++ while (MASK(ldata->echo_commit) != MASK(tail)) {
+ c = echo_buf(ldata, tail);
+ if (c == ECHO_OP_START) {
+ unsigned char op;
+ int no_space_left = 0;
+
+ /*
++ * Since add_echo_byte() is called without holding
++ * output_lock, we might see only portion of multi-byte
++ * operation.
++ */
++ if (MASK(ldata->echo_commit) == MASK(tail + 1))
++ goto not_yet_stored;
++ /*
+ * If the buffer byte is the start of a multi-byte
+ * operation, get the next byte, which is either the
+ * op code or a control character value.
+@@ -638,6 +644,8 @@ static size_t __process_echoes(struct tt
+ unsigned int num_chars, num_bs;
+
+ case ECHO_OP_ERASE_TAB:
++ if (MASK(ldata->echo_commit) == MASK(tail + 2))
++ goto not_yet_stored;
+ num_chars = echo_buf(ldata, tail + 2);
+
+ /*
+@@ -732,7 +740,8 @@ static size_t __process_echoes(struct tt
+ /* If the echo buffer is nearly full (so that the possibility exists
+ * of echo overrun before the next commit), then discard enough
+ * data at the tail to prevent a subsequent overrun */
+- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
++ while (ldata->echo_commit > tail &&
++ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) {
+ if (echo_buf(ldata, tail) == ECHO_OP_START) {
+ if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB)
+ tail += 3;
+@@ -742,6 +751,7 @@ static size_t __process_echoes(struct tt
+ tail++;
+ }
+
++ not_yet_stored:
+ ldata->echo_tail = tail;
+ return old_space - space;
+ }
+@@ -752,6 +762,7 @@ static void commit_echoes(struct tty_str
+ size_t nr, old, echoed;
+ size_t head;
+
++ mutex_lock(&ldata->output_lock);
+ head = ldata->echo_head;
+ ldata->echo_mark = head;
+ old = ldata->echo_commit - ldata->echo_tail;
+@@ -760,10 +771,12 @@ static void commit_echoes(struct tty_str
+ * is over the threshold (and try again each time another
+ * block is accumulated) */
+ nr = head - ldata->echo_tail;
+- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK))
++ if (nr < ECHO_COMMIT_WATERMARK ||
++ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) {
++ mutex_unlock(&ldata->output_lock);
+ return;
++ }
+
+- mutex_lock(&ldata->output_lock);
+ ldata->echo_commit = head;
+ echoed = __process_echoes(tty);
+ mutex_unlock(&ldata->output_lock);
+@@ -814,7 +827,9 @@ static void flush_echoes(struct tty_stru
+
+ static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata)
+ {
+- *echo_buf_addr(ldata, ldata->echo_head++) = c;
++ *echo_buf_addr(ldata, ldata->echo_head) = c;
++ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */
++ ldata->echo_head++;
+ }
+
+ /**
+@@ -1883,30 +1898,21 @@ static int n_tty_open(struct tty_struct
+ struct n_tty_data *ldata;
+
+ /* Currently a malloc failure here can panic */
+- ldata = vmalloc(sizeof(*ldata));
++ ldata = vzalloc(sizeof(*ldata));
+ if (!ldata)
+- goto err;
++ return -ENOMEM;
+
+ ldata->overrun_time = jiffies;
+ mutex_init(&ldata->atomic_read_lock);
+ mutex_init(&ldata->output_lock);
+
+ tty->disc_data = ldata;
+- reset_buffer_flags(tty->disc_data);
+- ldata->column = 0;
+- ldata->canon_column = 0;
+- ldata->num_overrun = 0;
+- ldata->no_room = 0;
+- ldata->lnext = 0;
+ tty->closing = 0;
+ /* indicate buffer work may resume */
+ clear_bit(TTY_LDISC_HALTED, &tty->flags);
+ n_tty_set_termios(tty, NULL);
+ tty_unthrottle(tty);
+-
+ return 0;
+-err:
+- return -ENOMEM;
+ }
+
+ static inline int input_available_p(struct tty_struct *tty, int poll)
--- /dev/null
+From 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Date: Sat, 26 May 2018 09:53:13 +0900
+Subject: n_tty: Fix stall at n_tty_receive_char_special().
+
+From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+
+commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream.
+
+syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is
+because comparison is not working as expected since ldata->read_head can
+change at any moment. Mitigate this by explicitly masking with buffer size
+when checking condition for "while" loops.
+
+[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8
+
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Reported-by: syzbot <syzbot+18df353d7540aa6b5467@syzkaller.appspotmail.com>
+Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size")
+Cc: stable <stable@vger.kernel.org>
+Cc: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/n_tty.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -126,6 +126,8 @@ struct n_tty_data {
+ struct mutex output_lock;
+ };
+
++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1))
++
+ static inline size_t read_cnt(struct n_tty_data *ldata)
+ {
+ return ldata->read_head - ldata->read_tail;
+@@ -980,14 +982,15 @@ static void eraser(unsigned char c, stru
+ }
+
+ seen_alnums = 0;
+- while (ldata->read_head != ldata->canon_head) {
++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) {
+ head = ldata->read_head;
+
+ /* erase a single possibly multibyte character */
+ do {
+ head--;
+ c = read_buf(ldata, head);
+- } while (is_continuation(c, tty) && head != ldata->canon_head);
++ } while (is_continuation(c, tty) &&
++ MASK(head) != MASK(ldata->canon_head));
+
+ /* do not partially erase */
+ if (is_continuation(c, tty))
+@@ -1029,7 +1032,7 @@ static void eraser(unsigned char c, stru
+ * This info is used to go back the correct
+ * number of columns.
+ */
+- while (tail != ldata->canon_head) {
++ while (MASK(tail) != MASK(ldata->canon_head)) {
+ tail--;
+ c = read_buf(ldata, tail);
+ if (c == '\t') {
+@@ -1304,7 +1307,7 @@ n_tty_receive_char_special(struct tty_st
+ finish_erasing(ldata);
+ echo_char(c, tty);
+ echo_char_raw('\n', ldata);
+- while (tail != ldata->read_head) {
++ while (MASK(tail) != MASK(ldata->read_head)) {
+ echo_char(read_buf(ldata, tail), tty);
+ tail++;
+ }
+@@ -2413,7 +2416,7 @@ static unsigned long inq_canon(struct n_
+ tail = ldata->read_tail;
+ nr = head - tail;
+ /* Skip EOF-chars.. */
+- while (head != tail) {
++ while (MASK(head) != MASK(tail)) {
+ if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) &&
+ read_buf(ldata, tail) == __DISABLED_CHAR)
+ nr--;
--- /dev/null
+From 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 Mon Sep 17 00:00:00 2001
+From: Laura Abbott <labbott@redhat.com>
+Date: Mon, 11 Jun 2018 11:06:53 -0700
+Subject: staging: android: ion: Return an ERR_PTR in ion_map_kernel
+
+From: Laura Abbott <labbott@redhat.com>
+
+commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream.
+
+The expected return value from ion_map_kernel is an ERR_PTR. The error
+path for a vmalloc failure currently just returns NULL, triggering
+a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR.
+
+Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com
+Signed-off-by: Laura Abbott <labbott@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ion/ion_heap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/android/ion/ion_heap.c
++++ b/drivers/staging/android/ion/ion_heap.c
+@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_hea
+ struct page **tmp = pages;
+
+ if (!pages)
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+
+ if (buffer->flags & ION_FLAG_CACHED)
+ pgprot = PAGE_KERNEL;
--- /dev/null
+From 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 Mon Sep 17 00:00:00 2001
+From: Houston Yaroschoff <hstn@4ever3.net>
+Date: Mon, 11 Jun 2018 12:39:09 +0200
+Subject: usb: cdc_acm: Add quirk for Uniden UBC125 scanner
+
+From: Houston Yaroschoff <hstn@4ever3.net>
+
+commit 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 upstream.
+
+Uniden UBC125 radio scanner has USB interface which fails to work
+with cdc_acm driver:
+ usb 1-1.5: new full-speed USB device number 4 using xhci_hcd
+ cdc_acm 1-1.5:1.0: Zero length descriptor references
+ cdc_acm: probe of 1-1.5:1.0 failed with error -22
+
+Adding the NO_UNION_NORMAL quirk for the device fixes the issue:
+ usb 1-4: new full-speed USB device number 15 using xhci_hcd
+ usb 1-4: New USB device found, idVendor=1965, idProduct=0018
+ usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3
+ usb 1-4: Product: UBC125XLT
+ usb 1-4: Manufacturer: Uniden Corp.
+ usb 1-4: SerialNumber: 0001
+ cdc_acm 1-4:1.0: ttyACM0: USB ACM device
+
+`lsusb -v` of the device:
+
+ Bus 001 Device 015: ID 1965:0018 Uniden Corporation
+ Device Descriptor:
+ bLength 18
+ bDescriptorType 1
+ bcdUSB 2.00
+ bDeviceClass 2 Communications
+ bDeviceSubClass 0
+ bDeviceProtocol 0
+ bMaxPacketSize0 64
+ idVendor 0x1965 Uniden Corporation
+ idProduct 0x0018
+ bcdDevice 0.01
+ iManufacturer 1 Uniden Corp.
+ iProduct 2 UBC125XLT
+ iSerial 3 0001
+ bNumConfigurations 1
+ Configuration Descriptor:
+ bLength 9
+ bDescriptorType 2
+ wTotalLength 48
+ bNumInterfaces 2
+ bConfigurationValue 1
+ iConfiguration 0
+ bmAttributes 0x80
+ (Bus Powered)
+ MaxPower 500mA
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 0
+ bAlternateSetting 0
+ bNumEndpoints 1
+ bInterfaceClass 2 Communications
+ bInterfaceSubClass 2 Abstract (modem)
+ bInterfaceProtocol 0 None
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x87 EP 7 IN
+ bmAttributes 3
+ Transfer Type Interrupt
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0008 1x 8 bytes
+ bInterval 10
+ Interface Descriptor:
+ bLength 9
+ bDescriptorType 4
+ bInterfaceNumber 1
+ bAlternateSetting 0
+ bNumEndpoints 2
+ bInterfaceClass 10 CDC Data
+ bInterfaceSubClass 0 Unused
+ bInterfaceProtocol 0
+ iInterface 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x81 EP 1 IN
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 0
+ Endpoint Descriptor:
+ bLength 7
+ bDescriptorType 5
+ bEndpointAddress 0x02 EP 2 OUT
+ bmAttributes 2
+ Transfer Type Bulk
+ Synch Type None
+ Usage Type Data
+ wMaxPacketSize 0x0040 1x 64 bytes
+ bInterval 0
+ Device Status: 0x0000
+ (Bus Powered)
+
+Signed-off-by: Houston Yaroschoff <hstn@4ever3.net>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1712,6 +1712,9 @@ static const struct usb_device_id acm_id
+ { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
+ .driver_info = SINGLE_RX_URB,
+ },
++ { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
++ },
+ { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */
+ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */
+ },
--- /dev/null
+From 8760675932ddb614e83702117d36ea644050c609 Mon Sep 17 00:00:00 2001
+From: William Wu <william.wu@rock-chips.com>
+Date: Mon, 21 May 2018 18:12:00 +0800
+Subject: usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub
+
+From: William Wu <william.wu@rock-chips.com>
+
+commit 8760675932ddb614e83702117d36ea644050c609 upstream.
+
+The dwc2_get_ls_map() use ttport to reference into the
+bitmap if we're on a multi_tt hub. But the bitmaps index
+from 0 to (hub->maxchild - 1), while the ttport index from
+1 to hub->maxchild. This will cause invalid memory access
+when the number of ttport is hub->maxchild.
+
+Without this patch, I can easily meet a Kernel panic issue
+if connect a low-speed USB mouse with the max port of FE2.1
+multi-tt hub (1a40:0201) on rk3288 platform.
+
+Fixes: 9f9f09b048f5 ("usb: dwc2: host: Totally redo the microframe scheduler")
+Cc: <stable@vger.kernel.org>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Acked-by: Minas Harutyunyan hminas@synopsys.com>
+Signed-off-by: William Wu <william.wu@rock-chips.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc2/hcd_queue.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/hcd_queue.c
++++ b/drivers/usb/dwc2/hcd_queue.c
+@@ -479,7 +479,7 @@ static unsigned long *dwc2_get_ls_map(st
+ /* Get the map and adjust if this is a multi_tt hub */
+ map = qh->dwc_tt->periodic_bitmaps;
+ if (qh->dwc_tt->usb_tt->multi)
+- map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport;
++ map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1);
+
+ return map;
+ }
--- /dev/null
+From 24160628a34af962ac99f2f58e547ac3c4cbd26f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 18 Jun 2018 10:24:03 +0200
+Subject: USB: serial: cp210x: add CESINEL device ids
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 24160628a34af962ac99f2f58e547ac3c4cbd26f upstream.
+
+Add device ids for CESINEL products.
+
+Reported-by: Carlos Barcala Lara <cabl@cesinel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -92,6 +92,9 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */
+ { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */
+ { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */
++ { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */
++ { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */
++ { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */
+ { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */
+ { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */
+ { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */
+@@ -109,6 +112,9 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */
+ { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */
+ { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */
++ { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */
++ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */
++ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */
+ { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */
+ { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */
+ { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
+@@ -121,7 +127,9 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */
+ { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */
+ { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */
++ { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */
+ { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */
++ { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */
+ { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */
+ { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */
+ { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */
+@@ -131,10 +139,13 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */
+ { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */
+ { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */
++ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */
++ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */
+ { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */
+ { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */
+ { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */
+ { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */
++ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */
+ { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */
+ { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */
+ { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
--- /dev/null
+From 2f839823382748664b643daa73f41ee0cc01ced6 Mon Sep 17 00:00:00 2001
+From: Karoly Pados <pados@pados.hu>
+Date: Sat, 9 Jun 2018 13:26:08 +0200
+Subject: USB: serial: cp210x: add Silicon Labs IDs for Windows Update
+
+From: Karoly Pados <pados@pados.hu>
+
+commit 2f839823382748664b643daa73f41ee0cc01ced6 upstream.
+
+Silicon Labs defines alternative VID/PID pairs for some chips that when
+used will automatically install drivers for Windows users without manual
+intervention. Unfortunately, these IDs are not recognized by the Linux
+module, so using these IDs improves user experience on one platform but
+degrades it on Linux. This patch addresses this problem.
+
+Signed-off-by: Karoly Pados <pados@pados.hu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -151,8 +151,11 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */
+ { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */
++ { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */
+ { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */
+ { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */
++ { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */
++ { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */
+ { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */
+ { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */
+ { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */
--- /dev/null
+From 21eff69aaaa0e766ca0ce445b477698dc6a9f55a Mon Sep 17 00:00:00 2001
+From: Alexander Potapenko <glider@google.com>
+Date: Thu, 14 Jun 2018 12:23:09 +0200
+Subject: vt: prevent leaking uninitialized data to userspace via /dev/vcs*
+
+From: Alexander Potapenko <glider@google.com>
+
+commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream.
+
+KMSAN reported an infoleak when reading from /dev/vcs*:
+
+ BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0
+ Call Trace:
+ ...
+ kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253
+ copy_to_user ./include/linux/uaccess.h:184
+ vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352
+ __vfs_read+0x1b2/0x9d0 fs/read_write.c:416
+ vfs_read+0x36c/0x6b0 fs/read_write.c:452
+ ...
+ Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279
+ kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189
+ kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315
+ __kmalloc+0x13a/0x350 mm/slub.c:3818
+ kmalloc ./include/linux/slab.h:517
+ vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787
+ con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880
+ tty_driver_install_tty drivers/tty/tty_io.c:1224
+ tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324
+ tty_open_by_driver drivers/tty/tty_io.c:1959
+ tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007
+ chrdev_open+0xc25/0xd90 fs/char_dev.c:417
+ do_dentry_open+0xccc/0x1440 fs/open.c:794
+ vfs_open+0x1b6/0x2f0 fs/open.c:908
+ ...
+ Bytes 0-79 of 240 are uninitialized
+
+Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem
+
+Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/vt/vt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vt.c
++++ b/drivers/tty/vt/vt.c
+@@ -785,7 +785,7 @@ int vc_allocate(unsigned int currcons) /
+ if (!*vc->vc_uni_pagedir_loc)
+ con_set_default_unimap(vc);
+
+- vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL);
++ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL);
+ if (!vc->vc_screenbuf)
+ goto err_free;
+
+@@ -872,7 +872,7 @@ static int vc_do_resize(struct tty_struc
+
+ if (new_screen_size > (4 << 20))
+ return -EINVAL;
+- newscreen = kmalloc(new_screen_size, GFP_USER);
++ newscreen = kzalloc(new_screen_size, GFP_USER);
+ if (!newscreen)
+ return -ENOMEM;
+
--- /dev/null
+From 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Thu, 21 Jun 2018 16:19:41 +0300
+Subject: xhci: Fix perceived dead host due to runtime suspend race with event handler
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 upstream.
+
+Don't rely on event interrupt (EINT) bit alone to detect pending port
+change in resume. If no change event is detected the host may be suspended
+again, oterwise roothubs are resumed.
+
+There is a lag in xHC setting EINT. If we don't notice the pending change
+in resume, and the controller is runtime suspeded again, it causes the
+event handler to assume host is dead as it will fail to read xHC registers
+once PCI puts the controller to D3 state.
+
+[ 268.520969] xhci_hcd: xhci_resume: starting port polling.
+[ 268.520985] xhci_hcd: xhci_hub_status_data: stopping port polling.
+[ 268.521030] xhci_hcd: xhci_suspend: stopping port polling.
+[ 268.521040] xhci_hcd: // Setting command ring address to 0x349bd001
+[ 268.521139] xhci_hcd: Port Status Change Event for port 3
+[ 268.521149] xhci_hcd: resume root hub
+[ 268.521163] xhci_hcd: port resume event for port 3
+[ 268.521168] xhci_hcd: xHC is not running.
+[ 268.521174] xhci_hcd: handle_port_status: starting port polling.
+[ 268.596322] xhci_hcd: xhci_hc_died: xHCI host controller not responding, assume dead
+
+The EINT lag is described in a additional note in xhci specs 4.19.2:
+
+"Due to internal xHC scheduling and system delays, there will be a lag
+between a change bit being set and the Port Status Change Event that it
+generated being written to the Event Ring. If SW reads the PORTSC and
+sees a change bit set, there is no guarantee that the corresponding Port
+Status Change Event has already been written into the Event Ring."
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++++++++++++++++---
+ drivers/usb/host/xhci.h | 4 ++++
+ 2 files changed, 41 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -891,6 +891,41 @@ static void xhci_disable_port_wake_on_bi
+ spin_unlock_irqrestore(&xhci->lock, flags);
+ }
+
++static bool xhci_pending_portevent(struct xhci_hcd *xhci)
++{
++ struct xhci_port **ports;
++ int port_index;
++ u32 status;
++ u32 portsc;
++
++ status = readl(&xhci->op_regs->status);
++ if (status & STS_EINT)
++ return true;
++ /*
++ * Checking STS_EINT is not enough as there is a lag between a change
++ * bit being set and the Port Status Change Event that it generated
++ * being written to the Event Ring. See note in xhci 1.1 section 4.19.2.
++ */
++
++ port_index = xhci->usb2_rhub.num_ports;
++ ports = xhci->usb2_rhub.ports;
++ while (port_index--) {
++ portsc = readl(ports[port_index]->addr);
++ if (portsc & PORT_CHANGE_MASK ||
++ (portsc & PORT_PLS_MASK) == XDEV_RESUME)
++ return true;
++ }
++ port_index = xhci->usb3_rhub.num_ports;
++ ports = xhci->usb3_rhub.ports;
++ while (port_index--) {
++ portsc = readl(ports[port_index]->addr);
++ if (portsc & PORT_CHANGE_MASK ||
++ (portsc & PORT_PLS_MASK) == XDEV_RESUME)
++ return true;
++ }
++ return false;
++}
++
+ /*
+ * Stop HC (not bus-specific)
+ *
+@@ -987,7 +1022,7 @@ EXPORT_SYMBOL_GPL(xhci_suspend);
+ */
+ int xhci_resume(struct xhci_hcd *xhci, bool hibernated)
+ {
+- u32 command, temp = 0, status;
++ u32 command, temp = 0;
+ struct usb_hcd *hcd = xhci_to_hcd(xhci);
+ struct usb_hcd *secondary_hcd;
+ int retval = 0;
+@@ -1109,8 +1144,7 @@ int xhci_resume(struct xhci_hcd *xhci, b
+ done:
+ if (retval == 0) {
+ /* Resume root hubs only when have pending events. */
+- status = readl(&xhci->op_regs->status);
+- if (status & STS_EINT) {
++ if (xhci_pending_portevent(xhci)) {
+ usb_hcd_resume_root_hub(xhci->shared_hcd);
+ usb_hcd_resume_root_hub(hcd);
+ }
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -385,6 +385,10 @@ struct xhci_op_regs {
+ #define PORT_PLC (1 << 22)
+ /* port configure error change - port failed to configure its link partner */
+ #define PORT_CEC (1 << 23)
++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \
++ PORT_RC | PORT_PLC | PORT_CEC)
++
++
+ /* Cold Attach Status - xHC can set this bit to report device attached during
+ * Sx state. Warm port reset should be perfomed to clear this bit and move port
+ * to connected state.
projects / thirdparty / kernel / stable-queue.git / commitdiff
