From: Greg Kroah-Hartman Date: Sun, 15 Oct 2017 14:29:23 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v3.18.76~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c7242674c24ad6dbd0d0c1171d15c952624d547;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: alsa-caiaq-fix-stray-urb-at-probe-error-path.patch alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch alsa-line6-fix-missing-initialization-before-error-path.patch alsa-seq-fix-copy_from_user-call-inside-lock.patch alsa-seq-fix-use-after-free-at-creating-a-port.patch alsa-usb-audio-kill-stray-urb-at-exiting.patch bio_copy_user_iov-don-t-ignore-iov_offset.patch crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch device-property-track-owner-device-of-device-property.patch direct-io-prevent-null-pointer-access-in-submit_page_section.patch dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch hid-usbhid-fix-out-of-bounds-bug.patch iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch kvm-mmu-always-terminate-page-walks-at-level-1.patch kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch more-bio_map_user_iov-leak-fixes.patch pinctrl-amd-fix-build-dependency-on-pinmux-code.patch usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch 
usb-serial-console-fix-use-after-free-after-failed-setup.patch usb-serial-cp210x-add-support-for-elv-tfd500.patch usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch usb-serial-option-add-support-for-tp-link-lte-module.patch usb-serial-qcserial-add-dell-dw5818-dw5819.patch --- diff --git a/queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch b/queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch new file mode 100644 index 00000000000..191ab37a2da --- /dev/null +++ b/queue-4.9/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch 
@@ -0,0 +1,51 @@ +From 99fee508245825765ff60155fed43f970ff83a8f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 11 Oct 2017 16:39:02 +0200 +Subject: ALSA: caiaq: Fix stray URB at probe error path + +From: Takashi Iwai + +commit 99fee508245825765ff60155fed43f970ff83a8f upstream. + +caiaq driver doesn't kill the URB properly at its error path during +the probe, which may lead to a use-after-free error later. This patch +addresses it. + +Reported-by: Johan Hovold +Reviewed-by: Johan Hovold +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/caiaq/device.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/sound/usb/caiaq/device.c ++++ b/sound/usb/caiaq/device.c +@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia + + err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0); + if (err) +- return err; ++ goto err_kill_urb; + +- if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) +- return -ENODEV; ++ if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) { ++ err = -ENODEV; ++ goto err_kill_urb; ++ } + + usb_string(usb_dev, usb_dev->descriptor.iManufacturer, + cdev->vendor_name, CAIAQ_USB_STR_LEN); +@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia + + setup_card(cdev); + return 0; ++ ++ err_kill_urb: ++ usb_kill_urb(&cdev->ep1_in_urb); ++ return err; + } + + static int snd_probe(struct usb_interface *intf, diff --git a/queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch b/queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch new file mode 100644 index 00000000000..d55209cd519 --- /dev/null +++ b/queue-4.9/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch 
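Review bot: The new `err_kill_urb:` label appears to be written with leading whitespace, whereas the other labels in this series (`_error:` in sound/usb/mixer.c) sit in column 0 as kernel style expects; `err_kill_urb:` at column 0 would match. Only the two early returns in the first hunk are redirected to the label, and init_card continues between the two hunks (after the usb_string() calls), so any further early `return` there that happens after the URB was submitted would still leave it in flight — worth confirming none exists. usb_kill_urb() tolerates an URB that is not currently in flight, so unconditionally killing `cdev->ep1_in_urb` at the label is fine. init_card starts outside the hunk.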
@@ -0,0 +1,58 @@ +From c95072b3d88fac4be295815f2b67df366c0c297f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Oct 2017 14:51:23 +0200 +Subject: ALSA: line6: Fix leftover URB at error-path during probe + +From: Takashi Iwai + +commit c95072b3d88fac4be295815f2b67df366c0c297f upstream. + +While line6_probe() may kick off URB for a control MIDI endpoint, the +function doesn't clean up it properly at its error path. This results +in a leftover URB action that is eventually triggered later and causes +an Oops like: + general protection fault: 0000 [#1] PREEMPT SMP KASAN + CPU: 1 PID: 0 Comm: swapper/1 Not tainted + RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619 + RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76 + Call Trace: + + line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326 + __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779 + usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845 + dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965 + call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281 + .... + +Since the whole clean-up procedure is done in line6_disconnect() +callback, we can simply call it in the error path instead of +open-coding the whole again. It'll fix such an issue automagically. + +The bug was spotted by syzkaller. 
+ +Fixes: eedd0e95d355 ("ALSA: line6: Don't forget to call driver's destructor at error path") +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/driver.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/sound/usb/line6/driver.c ++++ b/sound/usb/line6/driver.c +@@ -775,9 +775,10 @@ int line6_probe(struct usb_interface *in + return 0; + + error: +- if (line6->disconnect) +- line6->disconnect(line6); +- snd_card_free(card); ++ /* we can call disconnect callback here because no close-sync is ++ * needed yet at this point ++ */ ++ line6_disconnect(interface); + return ret; + } + EXPORT_SYMBOL_GPL(line6_probe); diff --git a/queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch b/queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch new file mode 100644 index 00000000000..78c7b4f94d8 --- /dev/null +++ b/queue-4.9/alsa-line6-fix-missing-initialization-before-error-path.patch 
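Review bot: Calling `line6_disconnect(interface)` from the `error:` label makes every `goto error` in line6_probe depend on the interface driver data already having been set, since the disconnect callback presumably looks the `line6` object up from the interface; line6_probe starts outside the hunk, so whether any error jump precedes that point should be confirmed. The explicit `snd_card_free(card)` is dropped, which is only correct if line6_disconnect() releases the card itself — not visible here either. The new comment states that no close-sync is needed yet; it would be more useful to also state the precondition, e.g. `/* requires usb_set_intfdata() to have run before any goto error */`, once that has been verified.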
@@ -0,0 +1,66 @@ +From cb02ffc76a53b5ea751b79b8d4f4d180e5868475 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Oct 2017 14:32:15 +0200 +Subject: ALSA: line6: Fix missing initialization before error path + +From: Takashi Iwai + +commit cb02ffc76a53b5ea751b79b8d4f4d180e5868475 upstream. + +The error path in podhd_init() tries to clear the pending timer, while +the timer object is initialized at the end of init sequence, thus it +may hit the uninitialized object, as spotted by syzkaller: + + INFO: trying to register non-static key. + the code is fine but needs lockdep annotation. + turning off the locking correctness validator. + CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted + 4.14.0-rc2-42613-g1488251d1a98 #238 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769 + __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385 + lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002 + del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237 + podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299 + line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783 + podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474 + .... + +For addressing it, assure the initializations of timer and work by +moving them to the beginning of podhd_init(). 
+ +Fixes: 790869dacc3d ("ALSA: line6: Add support for POD X3") +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/line6/podhd.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/usb/line6/podhd.c ++++ b/sound/usb/line6/podhd.c +@@ -307,6 +307,9 @@ static int podhd_init(struct usb_line6 * + + line6->disconnect = podhd_disconnect; + ++ init_timer(&pod->startup_timer); ++ INIT_WORK(&pod->startup_work, podhd_startup_workqueue); ++ + if (pod->line6.properties->capabilities & LINE6_CAP_CONTROL) { + /* create sysfs entries: */ + err = snd_card_add_dev_attr(line6->card, &podhd_dev_attr_group); +@@ -330,8 +333,6 @@ static int podhd_init(struct usb_line6 * + } + + /* init device and delay registering */ +- init_timer(&pod->startup_timer); +- INIT_WORK(&pod->startup_work, podhd_startup_workqueue); + podhd_startup(pod); + return 0; + } diff --git a/queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch b/queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch new file mode 100644 index 00000000000..a27733ea7c4 --- /dev/null +++ b/queue-4.9/alsa-seq-fix-copy_from_user-call-inside-lock.patch 
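Review bot: The relocated `init_timer()`/`INIT_WORK()` calls carry no comment saying why they now precede the LINE6_CAP_CONTROL block, so a later cleanup could move them back next to `podhd_startup()` and reintroduce the uninitialized-timer splat quoted in the message; a one-liner such as `/* initialize before any error path: podhd_disconnect() runs del_timer_sync() on startup_timer */` would pin the ordering. The `line6->disconnect = podhd_disconnect;` assignment directly above is what makes the error paths that follow call into podhd_disconnect, which is why the early initialization is necessary. Whether podhd_disconnect also cancels `startup_work` is not visible in the hunk; podhd_init starts outside the hunk.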
@@ -0,0 +1,137 @@ +From 5803b023881857db32ffefa0d269c90280a67ee0 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Oct 2017 10:02:56 +0200 +Subject: ALSA: seq: Fix copy_from_user() call inside lock + +From: Takashi Iwai + +commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream. + +The event handler in the virmidi sequencer code takes a read-lock for +the linked list traverse, while it's calling snd_seq_dump_var_event() +in the loop. The latter function may expand the user-space data +depending on the event type. It eventually invokes copy_from_user(), +which might be a potential dead-lock. + +The sequencer core guarantees that the user-space data is passed only +with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it +and always takes read-lock(). For avoiding the problem above, this +patch introduces rwsem for non-atomic case, while keeping rwlock for +atomic case. + +Also while we're at it: the superfluous irq flags is dropped in +snd_virmidi_input_open(). + +Reported-by: Jia-Ju Bai +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/seq_virmidi.h | 1 + + sound/core/seq/seq_virmidi.c | 27 +++++++++++++++++++-------- + 2 files changed, 20 insertions(+), 8 deletions(-) + +--- a/include/sound/seq_virmidi.h ++++ b/include/sound/seq_virmidi.h +@@ -60,6 +60,7 @@ struct snd_virmidi_dev { + int port; /* created/attached port */ + unsigned int flags; /* SNDRV_VIRMIDI_* */ + rwlock_t filelist_lock; ++ struct rw_semaphore filelist_sem; + struct list_head filelist; + }; + +--- a/sound/core/seq/seq_virmidi.c ++++ b/sound/core/seq/seq_virmidi.c +@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc + * decode input event and put to read buffer of each opened file + */ + static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev, +- struct snd_seq_event *ev) ++ struct snd_seq_event *ev, ++ bool atomic) + { + struct snd_virmidi *vmidi; + unsigned char msg[4]; + int len; + +- 
read_lock(&rdev->filelist_lock); ++ if (atomic) ++ read_lock(&rdev->filelist_lock); ++ else ++ down_read(&rdev->filelist_sem); + list_for_each_entry(vmidi, &rdev->filelist, list) { + if (!vmidi->trigger) + continue; +@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event + snd_rawmidi_receive(vmidi->substream, msg, len); + } + } +- read_unlock(&rdev->filelist_lock); ++ if (atomic) ++ read_unlock(&rdev->filelist_lock); ++ else ++ up_read(&rdev->filelist_sem); + + return 0; + } +@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi + struct snd_virmidi_dev *rdev; + + rdev = rmidi->private_data; +- return snd_virmidi_dev_receive_event(rdev, ev); ++ return snd_virmidi_dev_receive_event(rdev, ev, true); + } + #endif /* 0 */ + +@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc + rdev = private_data; + if (!(rdev->flags & SNDRV_VIRMIDI_USE)) + return 0; /* ignored */ +- return snd_virmidi_dev_receive_event(rdev, ev); ++ return snd_virmidi_dev_receive_event(rdev, ev, atomic); + } + + /* +@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct + struct snd_virmidi_dev *rdev = substream->rmidi->private_data; + struct snd_rawmidi_runtime *runtime = substream->runtime; + struct snd_virmidi *vmidi; +- unsigned long flags; + + vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL); + if (vmidi == NULL) +@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct + vmidi->client = rdev->client; + vmidi->port = rdev->port; + runtime->private_data = vmidi; +- write_lock_irqsave(&rdev->filelist_lock, flags); ++ down_write(&rdev->filelist_sem); ++ write_lock_irq(&rdev->filelist_lock); + list_add_tail(&vmidi->list, &rdev->filelist); +- write_unlock_irqrestore(&rdev->filelist_lock, flags); ++ write_unlock_irq(&rdev->filelist_lock); ++ up_write(&rdev->filelist_sem); + vmidi->rdev = rdev; + return 0; + } +@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc + struct snd_virmidi_dev *rdev = substream->rmidi->private_data; + struct snd_virmidi *vmidi = 
substream->runtime->private_data; + ++ down_write(&rdev->filelist_sem); + write_lock_irq(&rdev->filelist_lock); + list_del(&vmidi->list); + write_unlock_irq(&rdev->filelist_lock); ++ up_write(&rdev->filelist_sem); + snd_midi_event_free(vmidi->parser); + substream->runtime->private_data = NULL; + kfree(vmidi); +@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car + rdev->rmidi = rmidi; + rdev->device = device; + rdev->client = -1; ++ init_rwsem(&rdev->filelist_sem); + rwlock_init(&rdev->filelist_lock); + INIT_LIST_HEAD(&rdev->filelist); + rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH; diff --git a/queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch b/queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch new file mode 100644 index 00000000000..9fa91e54164 --- /dev/null +++ b/queue-4.9/alsa-seq-fix-use-after-free-at-creating-a-port.patch 
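Review bot: snd_virmidi_dev_receive_event() now takes a different lock depending on `atomic`, but the function comment (`decode input event and put to read buffer of each opened file`) does not say so; I would extend it with `/* atomic callers take filelist_lock (rwlock); non-atomic callers take filelist_sem so snd_seq_dump_var_event() may sleep in copy_from_user(); writers in open/close hold both */`. The write side in snd_virmidi_input_open() and snd_virmidi_input_close() acquires `filelist_sem` before `filelist_lock` in both places, so the ordering is consistent and worth recording in that comment so it is preserved. The `#if 0` snd_virmidi_receive() caller hard-codes `true`; if that code is ever re-enabled the caller context should be re-checked rather than trusting the constant.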
@@ -0,0 +1,138 @@ +From 71105998845fb012937332fe2e806d443c09e026 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 9 Oct 2017 11:09:20 +0200 +Subject: ALSA: seq: Fix use-after-free at creating a port + +From: Takashi Iwai + +commit 71105998845fb012937332fe2e806d443c09e026 upstream. + +There is a potential race window opened at creating and deleting a +port via ioctl, as spotted by fuzzing. snd_seq_create_port() creates +a port object and returns its pointer, but it doesn't take the +refcount, thus it can be deleted immediately by another thread. +Meanwhile, snd_seq_ioctl_create_port() still calls the function +snd_seq_system_client_ev_port_start() with the created port object +that is being deleted, and this triggers use-after-free like: + + BUG: KASAN: use-after-free in snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] at addr ffff8801f2241cb1 + ============================================================================= + BUG kmalloc-512 (Tainted: G B ): kasan: bad access detected + ----------------------------------------------------------------------------- + INFO: Allocated in snd_seq_create_port+0x94/0x9b0 [snd_seq] age=1 cpu=3 pid=4511 + ___slab_alloc+0x425/0x460 + __slab_alloc+0x20/0x40 + kmem_cache_alloc_trace+0x150/0x190 + snd_seq_create_port+0x94/0x9b0 [snd_seq] + snd_seq_ioctl_create_port+0xd1/0x630 [snd_seq] + snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + snd_seq_ioctl+0x40/0x80 [snd_seq] + do_vfs_ioctl+0x54b/0xda0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x16/0x75 + INFO: Freed in port_delete+0x136/0x1a0 [snd_seq] age=1 cpu=2 pid=4717 + __slab_free+0x204/0x310 + kfree+0x15f/0x180 + port_delete+0x136/0x1a0 [snd_seq] + snd_seq_delete_port+0x235/0x350 [snd_seq] + snd_seq_ioctl_delete_port+0xc8/0x180 [snd_seq] + snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + snd_seq_ioctl+0x40/0x80 [snd_seq] + do_vfs_ioctl+0x54b/0xda0 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x16/0x75 + Call Trace: + [] dump_stack+0x63/0x82 + [] print_trailer+0xfb/0x160 + [] 
object_err+0x34/0x40 + [] kasan_report.part.2+0x223/0x520 + [] ? snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] + [] __asan_report_load1_noabort+0x2e/0x30 + [] snd_seq_ioctl_create_port+0x504/0x630 [snd_seq] + [] ? snd_seq_ioctl_delete_port+0x180/0x180 [snd_seq] + [] ? taskstats_exit+0xbc0/0xbc0 + [] snd_seq_do_ioctl+0x11c/0x190 [snd_seq] + [] snd_seq_ioctl+0x40/0x80 [snd_seq] + [] ? acct_account_cputime+0x63/0x80 + [] do_vfs_ioctl+0x54b/0xda0 + ..... + +We may fix this in a few different ways, and in this patch, it's fixed +simply by taking the refcount properly at snd_seq_create_port() and +letting the caller unref the object after use. Also, there is another +potential use-after-free by sprintf() call in snd_seq_create_port(), +and this is moved inside the lock. + +This fix covers CVE-2017-15265. + +Reported-and-tested-by: Michael23 Yu +Suggested-by: Linus Torvalds +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 6 +++++- + sound/core/seq/seq_ports.c | 7 +++++-- + 2 files changed, 10 insertions(+), 3 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1259,6 +1259,7 @@ static int snd_seq_ioctl_create_port(str + struct snd_seq_port_info *info = arg; + struct snd_seq_client_port *port; + struct snd_seq_port_callback *callback; ++ int port_idx; + + /* it is not allowed to create the port for an another client */ + if (info->addr.client != client->number) +@@ -1269,7 +1270,9 @@ static int snd_seq_ioctl_create_port(str + return -ENOMEM; + + if (client->type == USER_CLIENT && info->kernel) { +- snd_seq_delete_port(client, port->addr.port); ++ port_idx = port->addr.port; ++ snd_seq_port_unlock(port); ++ snd_seq_delete_port(client, port_idx); + return -EINVAL; + } + if (client->type == KERNEL_CLIENT) { +@@ -1290,6 +1293,7 @@ static int snd_seq_ioctl_create_port(str + + snd_seq_set_port_info(port, info); + snd_seq_system_client_ev_port_start(port->addr.client, 
port->addr.port); ++ snd_seq_port_unlock(port); + + return 0; + } +--- a/sound/core/seq/seq_ports.c ++++ b/sound/core/seq/seq_ports.c +@@ -122,7 +122,9 @@ static void port_subs_info_init(struct s + } + + +-/* create a port, port number is returned (-1 on failure) */ ++/* create a port, port number is returned (-1 on failure); ++ * the caller needs to unref the port via snd_seq_port_unlock() appropriately ++ */ + struct snd_seq_client_port *snd_seq_create_port(struct snd_seq_client *client, + int port) + { +@@ -151,6 +153,7 @@ struct snd_seq_client_port *snd_seq_crea + snd_use_lock_init(&new_port->use_lock); + port_subs_info_init(&new_port->c_src); + port_subs_info_init(&new_port->c_dest); ++ snd_use_lock_use(&new_port->use_lock); + + num = port >= 0 ? port : 0; + mutex_lock(&client->ports_mutex); +@@ -165,9 +168,9 @@ struct snd_seq_client_port *snd_seq_crea + list_add_tail(&new_port->list, &p->list); + client->num_ports++; + new_port->addr.port = num; /* store the port number in the port */ ++ sprintf(new_port->name, "port-%d", num); + write_unlock_irqrestore(&client->ports_lock, flags); + mutex_unlock(&client->ports_mutex); +- sprintf(new_port->name, "port-%d", num); + + return new_port; + } diff --git a/queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch b/queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch new file mode 100644 index 00000000000..80e3ec904f1 --- /dev/null +++ b/queue-4.9/alsa-usb-audio-kill-stray-urb-at-exiting.patch 
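Review bot: The rewritten comment on snd_seq_create_port() still says `port number is returned (-1 on failure)` although the function returns a `struct snd_seq_client_port *` and the caller appears to turn a failed return into -ENOMEM; I would make it `/* create a port and return it with a use-lock reference held (NULL on failure — confirm); the caller must drop it via snd_seq_port_unlock() */`. In snd_seq_ioctl_create_port() the reference is dropped on the USER_CLIENT/`info->kernel` mismatch path and at the end of the function, but the KERNEL_CLIENT branch between the two hunks is not visible; any early `return` there would now leak the use count and leave the port undeletable, so each such return also needs `snd_seq_port_unlock(port)`. Moving `sprintf(new_port->name, ...)` under `ports_lock` closes the window the message describes; `snprintf(new_port->name, sizeof(new_port->name), "port-%d", num)` would additionally make the bound explicit.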
@@ -0,0 +1,117 @@ +From 124751d5e63c823092060074bd0abaae61aaa9c4 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 10 Oct 2017 14:10:32 +0200 +Subject: ALSA: usb-audio: Kill stray URB at exiting + +From: Takashi Iwai + +commit 124751d5e63c823092060074bd0abaae61aaa9c4 upstream. + +USB-audio driver may leave a stray URB for the mixer interrupt when it +exits by some error during probe. This leads to a use-after-free +error as spotted by syzkaller like: + ================================================================== + BUG: KASAN: use-after-free in snd_usb_mixer_interrupt+0x604/0x6f0 + Call Trace: + + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 + kasan_report+0x23d/0x350 mm/kasan/report.c:409 + __asan_report_load8_noabort+0x19/0x20 mm/kasan/report.c:430 + snd_usb_mixer_interrupt+0x604/0x6f0 sound/usb/mixer.c:2490 + __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779 + .... + + Allocated by task 1484: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 + kmem_cache_alloc_trace+0x11e/0x2d0 mm/slub.c:2772 + kmalloc ./include/linux/slab.h:493 + kzalloc ./include/linux/slab.h:666 + snd_usb_create_mixer+0x145/0x1010 sound/usb/mixer.c:2540 + create_standard_mixer_quirk+0x58/0x80 sound/usb/quirks.c:516 + snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 + create_composite_quirk+0x1c4/0x3e0 sound/usb/quirks.c:59 + snd_usb_create_quirk+0x92/0x100 sound/usb/quirks.c:560 + usb_audio_probe+0x1040/0x2c10 sound/usb/card.c:618 + .... 
+ + Freed by task 1484: + save_stack_trace+0x1b/0x20 arch/x86/kernel/stacktrace.c:59 + save_stack+0x43/0xd0 mm/kasan/kasan.c:447 + set_track mm/kasan/kasan.c:459 + kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:524 + slab_free_hook mm/slub.c:1390 + slab_free_freelist_hook mm/slub.c:1412 + slab_free mm/slub.c:2988 + kfree+0xf6/0x2f0 mm/slub.c:3919 + snd_usb_mixer_free+0x11a/0x160 sound/usb/mixer.c:2244 + snd_usb_mixer_dev_free+0x36/0x50 sound/usb/mixer.c:2250 + __snd_device_free+0x1ff/0x380 sound/core/device.c:91 + snd_device_free_all+0x8f/0xe0 sound/core/device.c:244 + snd_card_do_free sound/core/init.c:461 + release_card_device+0x47/0x170 sound/core/init.c:181 + device_release+0x13f/0x210 drivers/base/core.c:814 + .... + +Actually such a URB is killed properly at disconnection when the +device gets probed successfully, and what we need is to apply it for +the error-path, too. + +In this patch, we apply snd_usb_mixer_disconnect() at releasing. +Also introduce a new flag, disconnected, to struct usb_mixer_interface +for not performing the disconnection procedure twice. 
+ +Reported-by: Andrey Konovalov +Tested-by: Andrey Konovalov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 12 ++++++++++-- + sound/usb/mixer.h | 2 ++ + 2 files changed, 12 insertions(+), 2 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -2228,6 +2228,9 @@ static int parse_audio_unit(struct mixer + + static void snd_usb_mixer_free(struct usb_mixer_interface *mixer) + { ++ /* kill pending URBs */ ++ snd_usb_mixer_disconnect(mixer); ++ + kfree(mixer->id_elems); + if (mixer->urb) { + kfree(mixer->urb->transfer_buffer); +@@ -2578,8 +2581,13 @@ _error: + + void snd_usb_mixer_disconnect(struct usb_mixer_interface *mixer) + { +- usb_kill_urb(mixer->urb); +- usb_kill_urb(mixer->rc_urb); ++ if (mixer->disconnected) ++ return; ++ if (mixer->urb) ++ usb_kill_urb(mixer->urb); ++ if (mixer->rc_urb) ++ usb_kill_urb(mixer->rc_urb); ++ mixer->disconnected = true; + } + + #ifdef CONFIG_PM +--- a/sound/usb/mixer.h ++++ b/sound/usb/mixer.h +@@ -22,6 +22,8 @@ struct usb_mixer_interface { + struct urb *rc_urb; + struct usb_ctrlrequest *rc_setup_packet; + u8 rc_buffer[6]; ++ ++ bool disconnected; + }; + + #define MAX_CHANNELS 16 /* max logical channels */ diff --git a/queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch b/queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch new file mode 100644 index 00000000000..ec2e22cc5de --- /dev/null +++ b/queue-4.9/bio_copy_user_iov-don-t-ignore-iov_offset.patch 
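Review bot: The new `disconnected` member of struct usb_mixer_interface has no comment, and the check-then-set in snd_usb_mixer_disconnect() is not atomic, so the idempotence it provides only holds while the disconnect path and the snd_usb_mixer_free() release path are serialized — presumably they are, by the USB core and card teardown, but that assumption should be written down. I would document the field as `bool disconnected; /* set once the URBs have been killed; makes snd_usb_mixer_disconnect() idempotent (callers are serialized) */`. The added NULL checks on `mixer->urb` and `mixer->rc_urb` are what make the call safe from the probe error path before the URBs exist, which is worth a comment at the top of snd_usb_mixer_disconnect() too.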
@@ -0,0 +1,35 @@ +From 1cfd0ddd82232804e03f3023f6a58b50dfef0574 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 24 Sep 2017 10:21:15 -0400 +Subject: bio_copy_user_iov(): don't ignore ->iov_offset + +From: Al Viro + +commit 1cfd0ddd82232804e03f3023f6a58b50dfef0574 upstream. + +Since "block: support large requests in blk_rq_map_user_iov" we +started to call it with partially drained iter; that works fine +on the write side, but reads create a copy of iter for completion +time. And that needs to take the possibility of ->iov_iter != 0 +into account... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + block/bio.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1171,8 +1171,8 @@ struct bio *bio_copy_user_iov(struct req + */ + bmd->is_our_pages = map_data ? 0 : 1; + memcpy(bmd->iov, iter->iov, sizeof(struct iovec) * iter->nr_segs); +- iov_iter_init(&bmd->iter, iter->type, bmd->iov, +- iter->nr_segs, iter->count); ++ bmd->iter = *iter; ++ bmd->iter.iov = bmd->iov; + + ret = -ENOMEM; + bio = bio_kmalloc(gfp_mask, nr_pages); diff --git a/queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch b/queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch new file mode 100644 index 00000000000..08e89758f13 --- /dev/null +++ b/queue-4.9/crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch 
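Review bot: The struct copy `bmd->iter = *iter;` followed by `bmd->iter.iov = bmd->iov;` replaces an `iov_iter_init()` that lost `iov_offset`, but nothing in the code says so; I would add `/* copy the whole iterator so iov_offset survives for the completion-time copy-back, then point it at our private iovec copy */` above the two lines. The `memcpy()` of `iter->iov` just above already assumes an iovec-backed iterator, and assigning `.iov` relies on the same assumption, so a reader should be told this path is iovec-only if the callers guarantee that (not visible here). bio_copy_user_iov starts and ends outside the hunk.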
@@ -0,0 +1,47 @@ +From b61907bb42409adf9b3120f741af7c57dd7e3db2 Mon Sep 17 00:00:00 2001 +From: Herbert Xu +Date: Mon, 9 Oct 2017 23:30:02 +0800 +Subject: crypto: shash - Fix zero-length shash ahash digest crash +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Herbert Xu + +commit b61907bb42409adf9b3120f741af7c57dd7e3db2 upstream. + +The shash ahash digest adaptor function may crash if given a +zero-length input together with a null SG list. This is because +it tries to read the SG list before looking at the length. + +This patch fixes it by checking the length first. + +Reported-by: Stephan Müller +Signed-off-by: Herbert Xu +Tested-by: Stephan Müller +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/shash.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/crypto/shash.c ++++ b/crypto/shash.c +@@ -274,12 +274,14 @@ static int shash_async_finup(struct ahas + + int shash_ahash_digest(struct ahash_request *req, struct shash_desc *desc) + { +- struct scatterlist *sg = req->src; +- unsigned int offset = sg->offset; + unsigned int nbytes = req->nbytes; ++ struct scatterlist *sg; ++ unsigned int offset; + int err; + +- if (nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset)) { ++ if (nbytes && ++ (sg = req->src, offset = sg->offset, ++ nbytes < min(sg->length, ((unsigned int)(PAGE_SIZE)) - offset))) { + void *data; + + data = kmap_atomic(sg_page(sg)); diff --git a/queue-4.9/device-property-track-owner-device-of-device-property.patch b/queue-4.9/device-property-track-owner-device-of-device-property.patch new file mode 100644 index 00000000000..e04909c75a8 --- /dev/null +++ b/queue-4.9/device-property-track-owner-device-of-device-property.patch 
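Review bot: The condition now assigns `sg` and `offset` through the comma operator inside the `if`, which is hard to read and leaves both variables uninitialized on the `nbytes == 0` path; a comment above the `if` such as `/* nbytes == 0 may arrive with req->src == NULL, so the SG list must not be read before the length check */` would at least explain why the ordering matters. A clearer shape would be a separate `if (nbytes)` that does the two assignments before the existing comparison, but that depends on the rest of shash_ahash_digest, which lies outside the hunk. Whether `sg` or `offset` is referenced after the `if` on the zero-length path is not visible and should be checked.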
@@ -0,0 +1,108 @@ +From 5ab894aee0f171a682bcd90dd5d1930cb53c55dc Mon Sep 17 00:00:00 2001 +From: Jarkko Nikula +Date: Mon, 9 Oct 2017 16:28:37 +0300 +Subject: device property: Track owner device of device property + +From: Jarkko Nikula + +commit 5ab894aee0f171a682bcd90dd5d1930cb53c55dc upstream. + +Deletion of subdevice will remove device properties associated to parent +when they share the same firmware node after commit 478573c93abd (driver +core: Don't leak secondary fwnode on device removal). This was observed +with a driver adding subdevice that driver wasn't able to read device +properties after rmmod/modprobe cycle. + +Consider the lifecycle of it: + +parent device registration + ACPI_COMPANION_SET() + device_add_properties() + pset_copy_set() + set_secondary_fwnode(dev, &p->fwnode) + device_add() + +parent probe + read device properties + ACPI_COMPANION_SET(subdevice, ACPI_COMPANION(parent)) + device_add(subdevice) + +parent remove + device_del(subdevice) + device_remove_properties() + set_secondary_fwnode(dev, NULL); + pset_free() + +Parent device will have its primary firmware node pointing to an ACPI +node and secondary firmware node point to device properties. + +ACPI_COMPANION_SET() call in parent probe will set the subdevice's +firmware node to point to the same 'struct fwnode_handle' and the +associated secondary firmware node, i.e. the device properties as the +parent. + +When subdevice is deleted in parent remove that will remove those +device properties and attempt to read device properties in next +parent probe call will fail. + +Fix this by tracking the owner device of device properties and delete +them only when owner device is being deleted. + +Fixes: 478573c93abd (driver core: Don't leak secondary fwnode on device removal) +Signed-off-by: Jarkko Nikula +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/property.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/base/property.c ++++ b/drivers/base/property.c +@@ -20,6 +20,7 @@ + #include + + struct property_set { ++ struct device *dev; + struct fwnode_handle fwnode; + struct property_entry *properties; + }; +@@ -817,6 +818,7 @@ static struct property_set *pset_copy_se + void device_remove_properties(struct device *dev) + { + struct fwnode_handle *fwnode; ++ struct property_set *pset; + + fwnode = dev_fwnode(dev); + if (!fwnode) +@@ -826,16 +828,16 @@ void device_remove_properties(struct dev + * the pset. If there is no real firmware node (ACPI/DT) primary + * will hold the pset. + */ +- if (is_pset_node(fwnode)) { ++ pset = to_pset_node(fwnode); ++ if (pset) { + set_primary_fwnode(dev, NULL); +- pset_free_set(to_pset_node(fwnode)); + } else { +- fwnode = fwnode->secondary; +- if (!IS_ERR(fwnode) && is_pset_node(fwnode)) { ++ pset = to_pset_node(fwnode->secondary); ++ if (pset && dev == pset->dev) + set_secondary_fwnode(dev, NULL); +- pset_free_set(to_pset_node(fwnode)); +- } + } ++ if (pset && dev == pset->dev) ++ pset_free_set(pset); + } + EXPORT_SYMBOL_GPL(device_remove_properties); + +@@ -863,6 +865,7 @@ int device_add_properties(struct device + + p->fwnode.type = FWNODE_PDATA; + set_secondary_fwnode(dev, &p->fwnode); ++ p->dev = dev; + return 0; + } + EXPORT_SYMBOL_GPL(device_add_properties); diff --git a/queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch b/queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch new file mode 100644 index 00000000000..eac1d7902d4 --- /dev/null +++ b/queue-4.9/direct-io-prevent-null-pointer-access-in-submit_page_section.patch 
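Review bot: The rewritten device_remove_properties() drops the former `!IS_ERR(fwnode)` guard and calls `to_pset_node(fwnode->secondary)` directly, so it now relies on to_pset_node() returning NULL for an error-pointer secondary (the old check shows that slot can hold an ERR_PTR rather than NULL); that helper is not in the hunk and this is a 4.9 backport, so confirm it tolerates error pointers in this tree. The two branches are also asymmetric — the primary-pset branch detaches via `set_primary_fwnode(dev, NULL)` unconditionally while the secondary branch detaches only when `dev == pset->dev`, and the free is owner-gated in both cases; if intentional, say so with `/* a pset may be shared with subdevices via ACPI_COMPANION_SET(); only the device that registered it (pset->dev) detaches the secondary node and frees it */`. The new `dev` member of struct property_set deserves a one-line comment naming it as the owner assigned in device_add_properties().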
@@ -0,0 +1,37 @@ +From 899f0429c7d3eed886406cd72182bee3b96aa1f9 Mon Sep 17 00:00:00 2001 +From: Andreas Gruenbacher +Date: Mon, 9 Oct 2017 11:13:18 +0200 +Subject: direct-io: Prevent NULL pointer access in submit_page_section + +From: Andreas Gruenbacher + +commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream. + +In the code added to function submit_page_section by commit b1058b981, +sdio->bio can currently be NULL when calling dio_bio_submit. This then +leads to a NULL pointer access in dio_bio_submit, so check for a NULL +bio in submit_page_section before trying to submit it instead. + +Fixes xfstest generic/250 on gfs2. + +Signed-off-by: Andreas Gruenbacher +Reviewed-by: Jan Kara +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/direct-io.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/direct-io.c ++++ b/fs/direct-io.c +@@ -835,7 +835,8 @@ out: + */ + if (sdio->boundary) { + ret = dio_send_cur_page(dio, sdio, map_bh); +- dio_bio_submit(dio, sdio); ++ if (sdio->bio) ++ dio_bio_submit(dio, sdio); + put_page(sdio->cur_page); + sdio->cur_page = NULL; + } diff --git a/queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch b/queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch new file mode 100644 index 00000000000..957063ee2dc --- /dev/null +++ b/queue-4.9/dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch 
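Review bot: The new `if (sdio->bio)` guard before `dio_bio_submit()` has no comment explaining when the bio can be missing, so a reader may take it for a stray defensive check; I would write `/* sdio->bio may be NULL here: dio_send_cur_page() need not have started one */`. The `ret` from `dio_send_cur_page()` on the line above is still not consulted before the submit attempt; whether it is handled after this block is outside the hunk, as is the rest of submit_page_section. The page release and `cur_page = NULL` reset still run unconditionally, which matches the original flow.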
@@ -0,0 +1,77 @@ +From 87a2f622cc6446c7d09ac655b7b9b04886f16a4c Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Mon, 18 Sep 2017 11:16:26 +0300 +Subject: dmaengine: edma: Align the memcpy acnt array size with the transfer + +From: Peter Ujfalusi + +commit 87a2f622cc6446c7d09ac655b7b9b04886f16a4c upstream. + +Memory to Memory transfers does not have any special alignment needs +regarding to acnt array size, but if one of the areas are in memory mapped +regions (like PCIe memory), we need to make sure that the acnt array size +is aligned with the mem copy parameters. + +Before "dmaengine: edma: Optimize memcpy operation" change the memcpy was set +up in a different way: acnt == number of bytes in a word based on +__ffs((src | dest | len), bcnt and ccnt for looping the necessary number of +words to comlete the trasnfer. + +Instead of reverting the commit we can fix it to make sure that the ACNT size +is aligned to the traswnfer. + +Fixes: df6694f80365a (dmaengine: edma: Optimize memcpy operation) +Signed-off-by: Peter Ujfalusi +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/edma.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/dma/edma.c ++++ b/drivers/dma/edma.c +@@ -1143,11 +1143,24 @@ static struct dma_async_tx_descriptor *e + struct edma_desc *edesc; + struct device *dev = chan->device->dev; + struct edma_chan *echan = to_edma_chan(chan); +- unsigned int width, pset_len; ++ unsigned int width, pset_len, array_size; + + if (unlikely(!echan || !len)) + return NULL; + ++ /* Align the array size (acnt block) with the transfer properties */ ++ switch (__ffs((src | dest | len))) { ++ case 0: ++ array_size = SZ_32K - 1; ++ break; ++ case 1: ++ array_size = SZ_32K - 2; ++ break; ++ default: ++ array_size = SZ_32K - 4; ++ break; ++ } ++ + if (len < SZ_64K) { + /* + * Transfer size less than 64K can be handled with one paRAM +@@ -1169,7 +1182,7 @@ static struct dma_async_tx_descriptor *e 
+ * When the full_length is multibple of 32767 one slot can be + * used to complete the transfer. + */ +- width = SZ_32K - 1; ++ width = array_size; + pset_len = rounddown(len, width); + /* One slot is enough for lengths multiple of (SZ_32K -1) */ + if (unlikely(pset_len == len)) +@@ -1217,7 +1230,7 @@ static struct dma_async_tx_descriptor *e + } + dest += pset_len; + src += pset_len; +- pset_len = width = len % (SZ_32K - 1); ++ pset_len = width = len % array_size; + + ret = edma_config_pset(chan, &edesc->pset[1], src, dest, 1, + width, pset_len, DMA_MEM_TO_MEM); diff --git a/queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch b/queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch new file mode 100644 index 00000000000..03442529bf8 --- /dev/null +++ b/queue-4.9/dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch 
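Review bot: The comment `/* One slot is enough for lengths multiple of (SZ_32K -1) */` in the second hunk is now stale: `width` is `array_size`, which the `__ffs()` switch in the first hunk sets to `SZ_32K - 1`, `SZ_32K - 2` or `SZ_32K - 4`, and the block comment above it (`When the full_length is multibple of 32767 ...`) has the same problem plus a typo. Suggest `/* One slot is enough for lengths that are a multiple of array_size */` and rewording the block comment to say "a multiple of array_size". It is also worth a one-liner that the `__ffs()` argument cannot be zero only because `!len` returns early just above, since `__ffs(0)` is undefined; the function continues outside the hunks.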
@@ -0,0 +1,40 @@
+From 2ccb4837c938357233a0b8818e3ca3e58242c952 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi
+Date: Thu, 21 Sep 2017 14:35:32 +0300
+Subject: dmaengine: ti-dma-crossbar: Fix possible race condition with dma_inuse
+
+From: Peter Ujfalusi
+
+commit 2ccb4837c938357233a0b8818e3ca3e58242c952 upstream.
+
+When looking for unused xbar_out lane we should also protect the set_bit()
+call with the same mutex to protect against concurrent threads picking the
+same ID.
+
+Fixes: ec9bfa1e1a796 ("dmaengine: ti-dma-crossbar: dra7: Use bitops instead of idr")
+Signed-off-by: Peter Ujfalusi
+Signed-off-by: Vinod Koul
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/ti-dma-crossbar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/dma/ti-dma-crossbar.c
++++ b/drivers/dma/ti-dma-crossbar.c
+@@ -262,13 +262,14 @@ static void *ti_dra7_xbar_route_allocate
+ mutex_lock(&xbar->mutex);
+ map->xbar_out = find_first_zero_bit(xbar->dma_inuse,
+ xbar->dma_requests);
+- mutex_unlock(&xbar->mutex);
+ if (map->xbar_out == xbar->dma_requests) {
++ mutex_unlock(&xbar->mutex);
+ dev_err(&pdev->dev, "Run out of free DMA requests\n");
+ kfree(map);
+ return ERR_PTR(-ENOMEM);
+ }
+ set_bit(map->xbar_out, xbar->dma_inuse);
++ mutex_unlock(&xbar->mutex);
+
+ map->xbar_in = (u16)dma_spec->args[0];
+
diff --git a/queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch b/queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
new file mode 100644
index 00000000000..da7b03f3b99
--- /dev/null
+++ b/queue-4.9/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
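Review bot: Nothing in the code records that `xbar->dma_inuse` is serialized by `xbar->mutex`, which is the invariant this fix restores by moving `mutex_unlock()` below `set_bit()`; a comment at the lock site, `/* dma_inuse is only read and modified under xbar->mutex */`, would keep the next refactor from splitting the lookup and the set again. With the mutex now covering both operations the atomic `set_bit()` could be the non-atomic `__set_bit()`, though that is a style point. The early-exit path correctly unlocks before `dev_err()`/`kfree()`; ti_dra7_xbar_route_allocate continues outside the hunk, so other users of dma_inuse are not visible here.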
@@ -0,0 +1,47 @@
+From ea850f64c2722278f150dc11de2141baeb24211c Mon Sep 17 00:00:00 2001
+From: Jani Nikula
+Date: Thu, 28 Sep 2017 11:21:57 +0300
+Subject: drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula
+
+commit ea850f64c2722278f150dc11de2141baeb24211c upstream.
+
+While technically CHV isn't DDI, we do look at the VBT based DDI port
+info for HDMI DDC pin and DP AUX channel. (We call these "alternate",
+but they're really just something that aren't platform defaults.)
+
+In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI
+ports") Ville writes, "IIRC there may be CHV system that might actually
+need this."
+
+I'm not sure why there couldn't be even more platforms that need this,
+but start conservative, and parse the info for CHV in addition to DDI.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553
+Reported-by: Marek Wilczewski
+Reviewed-by: Ville Syrjälä
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nikula@intel.com
+(cherry picked from commit 348e4058ebf53904e817eec7a1b25327143c2ed2)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1219,7 +1219,7 @@ static void parse_ddi_ports(struct drm_i
+ {
+ enum port port;
+
+- if (!HAS_DDI(dev_priv))
++ if (!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv))
+ return;
+
+ if (!dev_priv->vbt.child_dev_num)
diff --git a/queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch b/queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
new file mode 100644
index 00000000000..4b9377b8c98
--- /dev/null
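Review bot: The new condition `if (!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv))` reads as a contradiction inside a function called parse_ddi_ports, and the reason (CHV is not DDI, but its VBT DDI port entries still carry the HDMI DDC pin and DP AUX channel) exists only in the commit message. Put it above the check: `/* CHV is not DDI, but its VBT DDI port info still supplies the HDMI DDC pin and DP AUX channel */`. parse_ddi_ports continues outside the hunk.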
+++ b/queue-4.9/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch 
@@ -0,0 +1,53 @@ +From d7ba25bd9ef802ff02414e9105f4222d1795f27a Mon Sep 17 00:00:00 2001 +From: Manasi Navare +Date: Wed, 4 Oct 2017 09:48:26 -0700 +Subject: drm/i915/edp: Get the Panel Power Off timestamp after panel is off + +From: Manasi Navare + +commit d7ba25bd9ef802ff02414e9105f4222d1795f27a upstream. + +Kernel stores the time in jiffies at which the eDP panel is turned +off. This should be obtained after the panel is off (after the +wait_panel_off). When we next attempt to turn the panel on, we use the +difference between the timestamp at which we want to turn the panel on +and timestamp at which panel was turned off to ensure that this is equal +to panel power cycle delay and if not we wait for the remaining +time. Not waiting for the panel power cycle delay can cause the panel to +not turn on giving rise to AUX timeouts for the attempted AUX +transactions. + +v2: +* Separate lines for bugzilla (Jani Nikula) +* Suggested by tag (Daniel Vetter) + +Cc: Daniel Vetter +Cc: Jani Nikula +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101518 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101144 +Suggested-by: Daniel Vetter +Signed-off-by: Manasi Navare +Reviewed-by: Daniel Vetter +Reviewed-by: Jani Nikula +Signed-off-by: Jani Nikula +Link: https://patchwork.freedesktop.org/patch/msgid/1507135706-17147-1-git-send-email-manasi.d.navare@intel.com +(cherry picked from commit cbacf02e7796fea02e5c6e46c90ed7cbe9e6f2c0) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -2193,8 +2193,8 @@ static void edp_panel_off(struct intel_d + I915_WRITE(pp_ctrl_reg, pp); + POSTING_READ(pp_ctrl_reg); + +- intel_dp->panel_power_off_time = ktime_get_boottime(); + wait_panel_off(intel_dp); ++ intel_dp->panel_power_off_time = ktime_get_boottime(); + + /* We got a reference when we 
enabled the VDD. */ + power_domain = intel_display_port_aux_power_domain(intel_encoder); diff --git a/queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch b/queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch new file mode 100644 index 00000000000..5afcb58fd8b --- /dev/null +++ b/queue-4.9/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch 
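Review bot: Moving `intel_dp->panel_power_off_time = ktime_get_boottime();` below `wait_panel_off(intel_dp);` makes the order of those two lines load-bearing, but nothing in the code says so, and a later tidy-up could swap them back without noticing. Suggest `/* Must be sampled after the panel is really off: the power-cycle delay enforced on the next panel-on is measured from this timestamp */` above the assignment. edp_panel_off continues on both sides of the hunk.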
@@ -0,0 +1,75 @@ +From 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Fri, 1 Apr 2016 18:37:25 +0300 +Subject: drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 upstream. + +intel_crtc->config->cpu_transcoder isn't yet filled out when +intel_crtc_mode_get() gets called during output probing, so we should +not use it there. Instead intel_crtc_mode_get() figures out the correct +transcoder on its own, and that's what we should use. + +If the BIOS boots LVDS on pipe B, intel_crtc_mode_get() would actually +end up reading the timings from pipe A instead (since PIPE_A==0), +which clearly isn't what we want. + +It looks to me like this may have been broken by +commit eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder") +as that one removed the early initialization of cpu_transcoder from +intel_crtc_init(). 
+ +Cc: dri-devel@lists.freedesktop.org +Cc: Rob Kramer +Cc: Daniel Vetter +Reported-by: Rob Kramer +Fixes: eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder") +References: https://lists.freedesktop.org/archives/dri-devel/2016-April/104142.html +Signed-off-by: Ville Syrjälä +Reviewed-by: Chris Wilson +Link: https://patchwork.freedesktop.org/patch/msgid/1459525046-19425-1-git-send-email-ville.syrjala@linux.intel.com +(cherry picked from commit e30a154b5262b967b133b06ac40777e651045898) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -11471,13 +11471,10 @@ struct drm_display_mode *intel_crtc_mode + { + struct drm_i915_private *dev_priv = to_i915(dev); + struct intel_crtc *intel_crtc = to_intel_crtc(crtc); +- enum transcoder cpu_transcoder = intel_crtc->config->cpu_transcoder; ++ enum transcoder cpu_transcoder; + struct drm_display_mode *mode; + struct intel_crtc_state *pipe_config; +- int htot = I915_READ(HTOTAL(cpu_transcoder)); +- int hsync = I915_READ(HSYNC(cpu_transcoder)); +- int vtot = I915_READ(VTOTAL(cpu_transcoder)); +- int vsync = I915_READ(VSYNC(cpu_transcoder)); ++ u32 htot, hsync, vtot, vsync; + enum pipe pipe = intel_crtc->pipe; + + mode = kzalloc(sizeof(*mode), GFP_KERNEL); +@@ -11505,6 +11502,13 @@ struct drm_display_mode *intel_crtc_mode + i9xx_crtc_clock_get(intel_crtc, pipe_config); + + mode->clock = pipe_config->port_clock / pipe_config->pixel_multiplier; ++ ++ cpu_transcoder = pipe_config->cpu_transcoder; ++ htot = I915_READ(HTOTAL(cpu_transcoder)); ++ hsync = I915_READ(HSYNC(cpu_transcoder)); ++ vtot = I915_READ(VTOTAL(cpu_transcoder)); ++ vsync = I915_READ(VSYNC(cpu_transcoder)); ++ + mode->hdisplay = (htot & 0xffff) + 1; + mode->htotal = ((htot & 0xffff0000) >> 16) + 1; + mode->hsync_start = (hsync 
& 0xffff) + 1; diff --git a/queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch b/queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch new file mode 100644 index 00000000000..52a5f3d766c --- /dev/null +++ b/queue-4.9/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch @@ -0,0 +1,46 @@ +From 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 Mon Sep 17 00:00:00 2001 +From: Vitaly Mayatskikh +Date: Fri, 22 Sep 2017 01:18:39 -0400 +Subject: fix unbalanced page refcounting in bio_map_user_iov + +From: Vitaly Mayatskikh + +commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream. + +bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if +IO vector has small consecutive buffers belonging to the same page. +bio_add_pc_page merges them into one, but the page reference is never +dropped. + +Signed-off-by: Vitaly Mayatskikh +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + block/bio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1318,6 +1318,7 @@ struct bio *bio_map_user_iov(struct requ + offset = offset_in_page(uaddr); + for (j = cur_page; j < page_limit; j++) { + unsigned int bytes = PAGE_SIZE - offset; ++ unsigned short prev_bi_vcnt = bio->bi_vcnt; + + if (len <= 0) + break; +@@ -1332,6 +1333,13 @@ struct bio *bio_map_user_iov(struct requ + bytes) + break; + ++ /* ++ * check if vector was merged with previous ++ * drop page reference if needed ++ */ ++ if (bio->bi_vcnt == prev_bi_vcnt) ++ put_page(pages[j]); ++ + len -= bytes; + offset = 0; + } diff --git a/queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch b/queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch new file mode 100644 index 00000000000..86c562c791d --- /dev/null +++ b/queue-4.9/fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch 
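Review bot: `cpu_transcoder = pipe_config->cpu_transcoder;` in the second hunk depends on that field being populated somewhere between the `kzalloc()` in the first hunk and this line, but the populating code is in neither hunk; if any path leaves it at the zeroed value, the register reads silently fall back to transcoder 0 (PIPE_A), which is exactly the symptom the commit describes. A comment at the read naming the source would let a reader check this, e.g. `/* cpu_transcoder is determined by the state readout above, not taken from intel_crtc->config, which is not valid during output probing */`, hedged until the readout call is confirmed. Switching the register values from `int` to `u32` is a good change on its own, since `(htot & 0xffff0000) >> 16` no longer mixes a signed operand with the unsigned mask. intel_crtc_mode_get continues outside both hunks.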
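Review bot: After the new `put_page(pages[j])` for a merged segment, `pages[j]` still holds the pointer, and the `out_unmap` path in this tree (`for (j = 0; j < nr_pages; j++) { if (!pages[j]) break; put_page(pages[j]); }`, visible in the later more-bio_map_user_iov-leak-fixes.patch on this page) would drop that same reference again on a subsequent failure. That later patch replaces the loop with `bio_for_each_segment_all()`, which resolves it, so the two patches should be treated as a pair and this one should not be backported alone. A comment such as `/* merged into the previous bvec: the bio owns the single reference, pages[j] must not be put again */` would make the ownership explicit. bio_map_user_iov continues outside the hunk.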
@@ -0,0 +1,91 @@ +From f892760aa66a2d657deaf59538fb69433036767c Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Fri, 13 Oct 2017 15:58:15 -0700 +Subject: fs/mpage.c: fix mpage_writepage() for pages with buffers + +From: Matthew Wilcox + +commit f892760aa66a2d657deaf59538fb69433036767c upstream. + +When using FAT on a block device which supports rw_page, we can hit +BUG_ON(!PageLocked(page)) in try_to_free_buffers(). This is because we +call clean_buffers() after unlocking the page we've written. Introduce +a new clean_page_buffers() which cleans all buffers associated with a +page and call it from within bdev_write_page(). + +[akpm@linux-foundation.org: s/PAGE_SIZE/~0U/ per Linus and Matthew] +Link: http://lkml.kernel.org/r/20171006211541.GA7409@bombadil.infradead.org +Signed-off-by: Matthew Wilcox +Reported-by: Toshi Kani +Reported-by: OGAWA Hirofumi +Tested-by: Toshi Kani +Acked-by: Johannes Thumshirn +Cc: Ross Zwisler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/block_dev.c | 6 ++++-- + fs/mpage.c | 14 +++++++++++--- + include/linux/buffer_head.h | 1 + + 3 files changed, 16 insertions(+), 5 deletions(-) + +--- a/fs/block_dev.c ++++ b/fs/block_dev.c +@@ -450,10 +450,12 @@ int bdev_write_page(struct block_device + + set_page_writeback(page); + result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, true); +- if (result) ++ if (result) { + end_page_writeback(page); +- else ++ } else { ++ clean_page_buffers(page); + unlock_page(page); ++ } + blk_queue_exit(bdev->bd_queue); + return result; + } +--- a/fs/mpage.c ++++ b/fs/mpage.c +@@ -466,6 +466,16 @@ static void clean_buffers(struct page *p + try_to_free_buffers(page); + } + ++/* ++ * For situations where we want to clean all buffers attached to a page. ++ * We don't need to calculate how many buffers are attached to the page, ++ * we just need to specify a number larger than the maximum number of buffers. 
++ */ ++void clean_page_buffers(struct page *page) ++{ ++ clean_buffers(page, ~0U); ++} ++ + static int __mpage_writepage(struct page *page, struct writeback_control *wbc, + void *data) + { +@@ -604,10 +614,8 @@ alloc_new: + if (bio == NULL) { + if (first_unmapped == blocks_per_page) { + if (!bdev_write_page(bdev, blocks[0] << (blkbits - 9), +- page, wbc)) { +- clean_buffers(page, first_unmapped); ++ page, wbc)) + goto out; +- } + } + bio = mpage_alloc(bdev, blocks[0] << (blkbits - 9), + BIO_MAX_PAGES, GFP_NOFS|__GFP_HIGH); +--- a/include/linux/buffer_head.h ++++ b/include/linux/buffer_head.h +@@ -226,6 +226,7 @@ int generic_write_end(struct file *, str + loff_t, unsigned, unsigned, + struct page *, void *); + void page_zero_new_buffers(struct page *page, unsigned from, unsigned to); ++void clean_page_buffers(struct page *page); + int cont_write_begin(struct file *, struct address_space *, loff_t, + unsigned, unsigned, struct page **, void **, + get_block_t *, loff_t *); diff --git a/queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch b/queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch new file mode 100644 index 00000000000..2dd5d64a081 --- /dev/null +++ b/queue-4.9/hid-usbhid-fix-out-of-bounds-bug.patch 
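Review bot: `clean_page_buffers()` becomes a non-static function declared in include/linux/buffer_head.h, yet its header comment is a plain `/* */` block that omits the one precondition that matters: it ends in `try_to_free_buffers()`, which per the description BUG()s unless the page is locked, and that is why the new call in bdev_write_page() sits before `unlock_page(page)`. Make it kernel-doc and state the rule, `/** clean_page_buffers - clean every buffer attached to @page; the caller must hold the page lock */`. The `~0U` count is adequately explained by the existing text.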
@@ -0,0 +1,108 @@ +From f043bfc98c193c284e2cd768fefabe18ac2fed9b Mon Sep 17 00:00:00 2001 +From: Jaejoong Kim +Date: Thu, 28 Sep 2017 19:16:30 +0900 +Subject: HID: usbhid: fix out-of-bounds bug + +From: Jaejoong Kim + +commit f043bfc98c193c284e2cd768fefabe18ac2fed9b upstream. + +The hid descriptor identifies the length and type of subordinate +descriptors for a device. If the received hid descriptor is smaller than +the size of the struct hid_descriptor, it is possible to cause +out-of-bounds. + +In addition, if bNumDescriptors of the hid descriptor have an incorrect +value, this can also cause out-of-bounds while approaching hdesc->desc[n]. + +So check the size of hid descriptor and bNumDescriptors. + + BUG: KASAN: slab-out-of-bounds in usbhid_parse+0x9b1/0xa20 + Read of size 1 at addr ffff88006c5f8edf by task kworker/1:2/1261 + + CPU: 1 PID: 1261 Comm: kworker/1:2 Not tainted + 4.14.0-rc1-42251-gebb2c2437d80 #169 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 + Workqueue: usb_hub_wq hub_event + Call Trace: + __dump_stack lib/dump_stack.c:16 + dump_stack+0x292/0x395 lib/dump_stack.c:52 + print_address_description+0x78/0x280 mm/kasan/report.c:252 + kasan_report_error mm/kasan/report.c:351 + kasan_report+0x22f/0x340 mm/kasan/report.c:409 + __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:427 + usbhid_parse+0x9b1/0xa20 drivers/hid/usbhid/hid-core.c:1004 + hid_add_device+0x16b/0xb30 drivers/hid/hid-core.c:2944 + usbhid_probe+0xc28/0x1100 drivers/hid/usbhid/hid-core.c:1369 + usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 
drivers/base/core.c:1835 + usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 + generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 + usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 + really_probe drivers/base/dd.c:413 + driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 + __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 + bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 + __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 + device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 + bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 + device_add+0xd0b/0x1660 drivers/base/core.c:1835 + usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 + hub_port_connect drivers/usb/core/hub.c:4903 + hub_port_connect_change drivers/usb/core/hub.c:5009 + port_event drivers/usb/core/hub.c:5115 + hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 + process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 + worker_thread+0x221/0x1850 kernel/workqueue.c:2253 + kthread+0x3a1/0x470 kernel/kthread.c:231 + ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 + +Reported-by: Andrey Konovalov +Signed-off-by: Jaejoong Kim +Tested-by: Andrey Konovalov +Acked-by: Alan Stern +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-core.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -971,6 +971,8 @@ static int usbhid_parse(struct hid_devic + unsigned int rsize = 0; + char *rdesc; + int ret, n; ++ int num_descriptors; ++ size_t offset = offsetof(struct hid_descriptor, desc); + + quirks = usbhid_lookup_quirk(le16_to_cpu(dev->descriptor.idVendor), + le16_to_cpu(dev->descriptor.idProduct)); +@@ -993,10 +995,18 @@ static int usbhid_parse(struct hid_devic + return -ENODEV; + } + ++ if (hdesc->bLength < sizeof(struct hid_descriptor)) { ++ dbg_hid("hid descriptor is too short\n"); ++ return -EINVAL; ++ } ++ + hid->version = 
le16_to_cpu(hdesc->bcdHID); + hid->country = hdesc->bCountryCode; + +- for (n = 0; n < hdesc->bNumDescriptors; n++) ++ num_descriptors = min_t(int, hdesc->bNumDescriptors, ++ (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor)); ++ ++ for (n = 0; n < num_descriptors; n++) + if (hdesc->desc[n].bDescriptorType == HID_DT_REPORT) + rsize = le16_to_cpu(hdesc->desc[n].wDescriptorLength); + diff --git a/queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch b/queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch new file mode 100644 index 00000000000..48190b23846 --- /dev/null +++ b/queue-4.9/iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch @@ -0,0 +1,31 @@ +From ce76353f169a6471542d999baf3d29b121dce9c0 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 13 Oct 2017 14:32:37 +0200 +Subject: iommu/amd: Finish TLB flush in amd_iommu_unmap() + +From: Joerg Roedel + +commit ce76353f169a6471542d999baf3d29b121dce9c0 upstream. + +The function only sends the flush command to the IOMMU(s), +but does not wait for its completion when it returns. Fix +that. + +Fixes: 601367d76bd1 ('x86/amd-iommu: Remove iommu_flush_domain function') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -3120,6 +3120,7 @@ static size_t amd_iommu_unmap(struct iom + mutex_unlock(&domain->api_lock); + + domain_flush_tlb_pde(domain); ++ domain_flush_complete(domain); + + return unmap_size; + } diff --git a/queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch b/queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch new file mode 100644 index 00000000000..513c4671b04 --- /dev/null +++ b/queue-4.9/kvm-mmu-always-terminate-page-walks-at-level-1.patch 
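Review bot: The new bound `num_descriptors = min_t(int, hdesc->bNumDescriptors, (hdesc->bLength - offset) / sizeof(struct hid_class_descriptor))` trusts `hdesc->bLength`, which is just as device-supplied as `bNumDescriptors`; it is only sound if the lookup that produced `hdesc` (outside the hunk) already limited bLength to the bytes actually present in the interface's extra descriptors, and the hunk does not say so. Please confirm that and record it at the `bLength < sizeof(struct hid_descriptor)` check: `/* NOTE: bLength is device-controlled; the descriptor lookup above must have bounded it to the available buffer — confirm */`. The `bLength - offset` subtraction itself cannot underflow because `bLength >= sizeof(struct hid_descriptor) >= offset` holds once the short-descriptor check has passed. usbhid_parse continues outside the hunk.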
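Review bot: `domain_flush_complete(domain);` is added after `mutex_unlock(&domain->api_lock)`, so the wait runs unlocked, which is fine for the wait itself, but a reader will not see why amd_iommu_unmap must block here at all. Suggest `/* Do not return until the IOTLB flush has completed; otherwise the caller may reuse the IOVA while stale translations are still cached */` above the call. amd_iommu_unmap starts outside the hunk.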
@@ -0,0 +1,80 @@ +From 829ee279aed43faa5cb1e4d65c0cad52f2426c53 Mon Sep 17 00:00:00 2001 +From: Ladi Prosek +Date: Thu, 5 Oct 2017 11:10:23 +0200 +Subject: KVM: MMU: always terminate page walks at level 1 + +From: Ladi Prosek + +commit 829ee279aed43faa5cb1e4d65c0cad52f2426c53 upstream. + +is_last_gpte() is not equivalent to the pseudo-code given in commit +6bb69c9b69c31 ("KVM: MMU: simplify last_pte_bitmap") because an incorrect +value of last_nonleaf_level may override the result even if level == 1. + +It is critical for is_last_gpte() to return true on level == 1 to +terminate page walks. Otherwise memory corruption may occur as level +is used as an index to various data structures throughout the page +walking code. Even though the actual bug would be wherever the MMU is +initialized (as in the previous patch), be defensive and ensure here +that is_last_gpte() returns the correct value. + +This patch is also enough to fix CVE-2017-12188. + +Fixes: 6bb69c9b69c315200ddc2bc79aee14c0184cf5b2 +Cc: Andy Honig +Signed-off-by: Ladi Prosek +[Panic if walk_addr_generic gets an incorrect level; this is a serious + bug and it's not worth a WARN_ON where the recovery path might hide + further exploitable issues; suggested by Andrew Honig. - Paolo] +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/mmu.c | 14 +++++++------- + arch/x86/kvm/paging_tmpl.h | 3 ++- + 2 files changed, 9 insertions(+), 8 deletions(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -3649,19 +3649,19 @@ static inline bool is_last_gpte(struct k + unsigned level, unsigned gpte) + { + /* +- * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set +- * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means +- * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then. +- */ +- gpte |= level - PT_PAGE_TABLE_LEVEL - 1; +- +- /* + * The RHS has bit 7 set iff level < mmu->last_nonleaf_level. 
+ * If it is clear, there are no large pages at this level, so clear + * PT_PAGE_SIZE_MASK in gpte if that is the case. + */ + gpte &= level - mmu->last_nonleaf_level; + ++ /* ++ * PT_PAGE_TABLE_LEVEL always terminates. The RHS has bit 7 set ++ * iff level <= PT_PAGE_TABLE_LEVEL, which for our purpose means ++ * level == PT_PAGE_TABLE_LEVEL; set PT_PAGE_SIZE_MASK in gpte then. ++ */ ++ gpte |= level - PT_PAGE_TABLE_LEVEL - 1; ++ + return gpte & PT_PAGE_SIZE_MASK; + } + +--- a/arch/x86/kvm/paging_tmpl.h ++++ b/arch/x86/kvm/paging_tmpl.h +@@ -324,10 +324,11 @@ retry_walk: + --walker->level; + + index = PT_INDEX(addr, walker->level); +- + table_gfn = gpte_to_gfn(pte); + offset = index * sizeof(pt_element_t); + pte_gpa = gfn_to_gpa(table_gfn) + offset; ++ ++ BUG_ON(walker->level < 1); + walker->table_gfn[walker->level - 1] = table_gfn; + walker->pte_gpa[walker->level - 1] = pte_gpa; + diff --git a/queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch b/queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch new file mode 100644 index 00000000000..0a9aa1751f8 --- /dev/null +++ b/queue-4.9/kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch 
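Review bot: In is_last_gpte() the swapped order of `gpte &= level - mmu->last_nonleaf_level;` and `gpte |= level - PT_PAGE_TABLE_LEVEL - 1;` is the entire fix (the OR with an all-ones value for level == 1 must come last so a wrong last_nonleaf_level cannot clear PT_PAGE_SIZE_MASK, per the description and CVE-2017-12188), but neither comment says that the order matters, so a future cleanup could swap them back. Append to the second comment: `Keep this after the last_nonleaf_level mask so level == 1 always terminates the walk.` In paging_tmpl.h, `BUG_ON(walker->level < 1);` sits after `--walker->level` and `PT_INDEX()` but before the `walker->level - 1` array index, which is the right place; the enclosing walk_addr_generic loop continues outside the hunk.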
@@ -0,0 +1,55 @@ +From 8eb3f87d903168bdbd1222776a6b1e281f50513e Mon Sep 17 00:00:00 2001 +From: Haozhong Zhang +Date: Tue, 10 Oct 2017 15:01:22 +0800 +Subject: KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit + +From: Haozhong Zhang + +commit 8eb3f87d903168bdbd1222776a6b1e281f50513e upstream. + +When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the +guest CR4. Before this CR4 loading, the guest CR4 refers to L2 +CR4. Because these two CR4's are in different levels of guest, we +should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which +is used to handle guest writes to its CR4, checks the guest change to +CR4 and may fail if the change is invalid. + +The failure may cause trouble. Consider we start + a L1 guest with non-zero L1 PCID in use, + (i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0) +and + a L2 guest with L2 PCID disabled, + (i.e. L2 CR4.PCIDE == 0) +and following events may happen: + +1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4 + into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because + of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e. + vcpu->arch.cr4) is left to the value of L2 CR4. + +2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit, + kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID, + because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1 + CR3.PCID != 0, L0 KVM will inject GP to L1 guest. 
+ +Fixes: 4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1") +Cc: qemu-stable@nongnu.org +Signed-off-by: Haozhong Zhang +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -10690,7 +10690,7 @@ static void load_vmcs12_host_state(struc + * (KVM doesn't change it)- no reason to call set_cr4_guest_host_mask(); + */ + vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK); +- kvm_set_cr4(vcpu, vmcs12->host_cr4); ++ vmx_set_cr4(vcpu, vmcs12->host_cr4); + + nested_ept_uninit_mmu_context(vcpu); + diff --git a/queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch b/queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch new file mode 100644 index 00000000000..6b5566b912a --- /dev/null +++ b/queue-4.9/mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch 
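Review bot: `vmx_set_cr4(vcpu, vmcs12->host_cr4);` discards the return value just as the replaced `kvm_set_cr4()` call did; if vmx_set_cr4() can still reject a value in this tree (I believe it returns non-zero for a CR4.VMXE transition the nested setup does not permit, please verify), the rejection is silent and L1's CR4 is left unloaded, so either check the result or note why host_cr4 is known-good here (for instance because it was validated when vmcs12 was checked before entry, if that is the case). A one-line comment on the choice would also help: `/* Load L1's CR4 directly: kvm_set_cr4() would validate the transition against the current (L2) CR4 and wrongly reject it */`. load_vmcs12_host_state continues outside the hunk.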
@@ -0,0 +1,53 @@
+From ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 Mon Sep 17 00:00:00 2001
+From: Paul Burton
+Date: Fri, 8 Sep 2017 15:12:21 -0700
+Subject: MIPS: math-emu: Remove pr_err() calls from fpu_emu()
+
+From: Paul Burton
+
+commit ca8eb05b5f332a9e1ab3e2ece498d49f4d683470 upstream.
+
+The FPU emulator includes 2 calls to pr_err() which are triggered by
+invalid instruction encodings for MIPSr6 cmp.cond.fmt instructions.
+These cases are not kernel errors, merely invalid instructions which are
+already handled by delivering a SIGILL which will provide notification
+that something failed in cases where that makes sense.
+
+In cases where that SIGILL is somewhat expected & being handled, for
+example when crashme happens to generate one of the affected bad
+encodings, the message is printed with no useful context about what
+triggered it & spams the kernel log for no good reason.
+
+Remove the pr_err() calls to make crashme run silently & treat the bad
+encodings the same way we do others, with a SIGILL & no further kernel
+log output.
+
+Signed-off-by: Paul Burton
+Fixes: f8c3c6717a71 ("MIPS: math-emu: Add support for the CMP.condn.fmt R6 instruction")
+Cc: linux-mips@linux-mips.org
+Patchwork: https://patchwork.linux-mips.org/patch/17253/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/math-emu/cp1emu.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/mips/math-emu/cp1emu.c
++++ b/arch/mips/math-emu/cp1emu.c
+@@ -2386,7 +2386,6 @@ dcopuop:
+ break;
+ default:
+ /* Reserved R6 ops */
+- pr_err("Reserved MIPS R6 CMP.condn.S operation\n");
+ return SIGILL;
+ }
+ }
+@@ -2460,7 +2459,6 @@ dcopuop:
+ break;
+ default:
+ /* Reserved R6 ops */
+- pr_err("Reserved MIPS R6 CMP.condn.D operation\n");
+ return SIGILL;
+ }
+ }
diff --git a/queue-4.9/more-bio_map_user_iov-leak-fixes.patch b/queue-4.9/more-bio_map_user_iov-leak-fixes.patch
new file mode 100644
index 00000000000..bb23f9b4b5f
--- /dev/null
+++ b/queue-4.9/more-bio_map_user_iov-leak-fixes.patch @@ -0,0 +1,58 @@ +From 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 23 Sep 2017 15:51:23 -0400 +Subject: more bio_map_user_iov() leak fixes + +From: Al Viro + +commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream. + +we need to take care of failure exit as well - pages already +in bio should be dropped by analogue of bio_unmap_pages(), +since their refcounts had been bumped only once per reference +in bio. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + block/bio.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/block/bio.c ++++ b/block/bio.c +@@ -1266,6 +1266,7 @@ struct bio *bio_map_user_iov(struct requ + int ret, offset; + struct iov_iter i; + struct iovec iov; ++ struct bio_vec *bvec; + + iov_for_each(iov, i, *iter) { + unsigned long uaddr = (unsigned long) iov.iov_base; +@@ -1310,7 +1311,12 @@ struct bio *bio_map_user_iov(struct requ + ret = get_user_pages_fast(uaddr, local_nr_pages, + (iter->type & WRITE) != WRITE, + &pages[cur_page]); +- if (ret < local_nr_pages) { ++ if (unlikely(ret < local_nr_pages)) { ++ for (j = cur_page; j < page_limit; j++) { ++ if (!pages[j]) ++ break; ++ put_page(pages[j]); ++ } + ret = -EFAULT; + goto out_unmap; + } +@@ -1372,10 +1378,8 @@ struct bio *bio_map_user_iov(struct requ + return bio; + + out_unmap: +- for (j = 0; j < nr_pages; j++) { +- if (!pages[j]) +- break; +- put_page(pages[j]); ++ bio_for_each_segment_all(bvec, bio, j) { ++ put_page(bvec->bv_page); + } + out: + kfree(pages); diff --git a/queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch b/queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch new file mode 100644 index 00000000000..6493ce8c91e --- /dev/null +++ b/queue-4.9/pinctrl-amd-fix-build-dependency-on-pinmux-code.patch 
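Review bot: The new error loop `for (j = cur_page; j < page_limit; j++) { if (!pages[j]) break; put_page(pages[j]); }` stops at the first NULL entry, so it only releases the right pages if `pages[]` was zero-initialised and the slots beyond a partial `get_user_pages_fast()` result are still NULL; the allocation is outside the hunk, so please confirm it is zeroed and say so: `/* pages[] is zeroed: slots beyond a partial result are NULL */`. In the `out_unmap` hunk, switching to `bio_for_each_segment_all()` means a page that was merged into an existing bvec (see fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch on this page) is put exactly once, which is the intended pairing with that patch. bio_map_user_iov continues outside both hunks.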
@@ -0,0 +1,43 @@
+From 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de Mon Sep 17 00:00:00 2001
+From: Petr Mladek
+Date: Tue, 26 Sep 2017 15:51:28 +0200
+Subject: pinctrl/amd: Fix build dependency on pinmux code
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Petr Mladek
+
+commit 83b31c2a5fdd4fb3a4ec84c59a962e816d0bc9de upstream.
+
+The commit 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over
+suspend/resume") caused the following compilation errors:
+
+drivers/pinctrl/pinctrl-amd.c: In function ‘amd_gpio_should_save’:
+drivers/pinctrl/pinctrl-amd.c:741:8: error: ‘const struct pin_desc’ has no member named ‘mux_owner’
+ if (pd->mux_owner || pd->gpio_owner ||
+ ^
+drivers/pinctrl/pinctrl-amd.c:741:25: error: ‘const struct pin_desc’ has no member named ‘gpio_owner’
+ if (pd->mux_owner || pd->gpio_owner ||
+
+We need to enable CONFIG_PINMUX for this driver as well.
+
+Fixes: 79d2c8bede2c93f943 ("pinctrl/amd: save pin registers over suspend/resume")
+Signed-off-by: Petr Mladek
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pinctrl/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/pinctrl/Kconfig
++++ b/drivers/pinctrl/Kconfig
+@@ -82,6 +82,7 @@ config PINCTRL_AMD
+ tristate "AMD GPIO pin control"
+ depends on GPIOLIB
+ select GPIOLIB_IRQCHIP
++ select PINMUX
+ select PINCONF
+ select GENERIC_PINCONF
+ help
diff --git a/queue-4.9/series b/queue-4.9/series
index a541ef32a05..8d3d2c06da4 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -2,3 +2,36 @@ ext4-in-ext4_seek_-hole-data-return-enxio-for-negative-offsets.patch
 cifs-reconnect-expired-smb-sessions.patch
 nl80211-define-policy-for-packet-pattern-attributes.patch
 rcu-allow-for-page-faults-in-nmi-handlers.patch
+usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
+mips-math-emu-remove-pr_err-calls-from-fpu_emu.patch
+dmaengine-edma-align-the-memcpy-acnt-array-size-with-the-transfer.patch
+dmaengine-ti-dma-crossbar-fix-possible-race-condition-with-dma_inuse.patch
+hid-usbhid-fix-out-of-bounds-bug.patch
+crypto-shash-fix-zero-length-shash-ahash-digest-crash.patch
+kvm-mmu-always-terminate-page-walks-at-level-1.patch
+kvm-nvmx-fix-guest-cr4-loading-when-emulating-l2-to-l1-exit.patch
+usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch
+pinctrl-amd-fix-build-dependency-on-pinmux-code.patch
+iommu-amd-finish-tlb-flush-in-amd_iommu_unmap.patch
+device-property-track-owner-device-of-device-property.patch
+fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch
+alsa-usb-audio-kill-stray-urb-at-exiting.patch
+alsa-seq-fix-use-after-free-at-creating-a-port.patch
+alsa-seq-fix-copy_from_user-call-inside-lock.patch
+alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
+alsa-line6-fix-missing-initialization-before-error-path.patch
+alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
+drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
+drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
+drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
+usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
+usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
+direct-io-prevent-null-pointer-access-in-submit_page_section.patch
+fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch
+more-bio_map_user_iov-leak-fixes.patch
+bio_copy_user_iov-don-t-ignore-iov_offset.patch
+usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
+usb-serial-cp210x-add-support-for-elv-tfd500.patch
+usb-serial-option-add-support-for-tp-link-lte-module.patch
+usb-serial-qcserial-add-dell-dw5818-dw5819.patch
+usb-serial-console-fix-use-after-free-after-failed-setup.patch
diff --git a/queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch b/queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
new file mode 100644
index 00000000000..a7227c4060f
--- /dev/null
+++ b/queue-4.9/usb-dummy-hcd-fix-deadlock-caused-by-disconnect-detection.patch
@@ -0,0 +1,107 @@ +From ab219221a5064abfff9f78c323c4a257b16cdb81 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 6 Oct 2017 10:27:44 -0400 +Subject: USB: dummy-hcd: Fix deadlock caused by disconnect detection + +From: Alan Stern + +commit ab219221a5064abfff9f78c323c4a257b16cdb81 upstream. + +The dummy-hcd driver calls the gadget driver's disconnect callback +under the wrong conditions. It should invoke the callback when Vbus +power is turned off, but instead it does so when the D+ pullup is +turned off. + +This can cause a deadlock in the composite core when a gadget driver +is unregistered: + +[ 88.361471] ============================================ +[ 88.362014] WARNING: possible recursive locking detected +[ 88.362580] 4.14.0-rc2+ #9 Not tainted +[ 88.363010] -------------------------------------------- +[ 88.363561] v4l_id/526 is trying to acquire lock: +[ 88.364062] (&(&cdev->lock)->rlock){....}, at: [] composite_disconnect+0x43/0x100 [libcomposite] +[ 88.365051] +[ 88.365051] but task is already holding lock: +[ 88.365826] (&(&cdev->lock)->rlock){....}, at: [] usb_function_deactivate+0x29/0x80 [libcomposite] +[ 88.366858] +[ 88.366858] other info that might help us debug this: +[ 88.368301] Possible unsafe locking scenario: +[ 88.368301] +[ 88.369304] CPU0 +[ 88.369701] ---- +[ 88.370101] lock(&(&cdev->lock)->rlock); +[ 88.370623] lock(&(&cdev->lock)->rlock); +[ 88.371145] +[ 88.371145] *** DEADLOCK *** +[ 88.371145] +[ 88.372211] May be due to missing lock nesting notation +[ 88.372211] +[ 88.373191] 2 locks held by v4l_id/526: +[ 88.373715] #0: (&(&cdev->lock)->rlock){....}, at: [] usb_function_deactivate+0x29/0x80 [libcomposite] +[ 88.374814] #1: (&(&dum_hcd->dum->lock)->rlock){....}, at: [] dummy_pullup+0x7d/0xf0 [dummy_hcd] +[ 88.376289] +[ 88.376289] stack backtrace: +[ 88.377726] CPU: 0 PID: 526 Comm: v4l_id Not tainted 4.14.0-rc2+ #9 +[ 88.378557] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 +[ 88.379504] 
Call Trace: +[ 88.380019] dump_stack+0x86/0xc7 +[ 88.380605] __lock_acquire+0x841/0x1120 +[ 88.381252] lock_acquire+0xd5/0x1c0 +[ 88.381865] ? composite_disconnect+0x43/0x100 [libcomposite] +[ 88.382668] _raw_spin_lock_irqsave+0x40/0x54 +[ 88.383357] ? composite_disconnect+0x43/0x100 [libcomposite] +[ 88.384290] composite_disconnect+0x43/0x100 [libcomposite] +[ 88.385490] set_link_state+0x2d4/0x3c0 [dummy_hcd] +[ 88.386436] dummy_pullup+0xa7/0xf0 [dummy_hcd] +[ 88.387195] usb_gadget_disconnect+0xd8/0x160 [udc_core] +[ 88.387990] usb_gadget_deactivate+0xd3/0x160 [udc_core] +[ 88.388793] usb_function_deactivate+0x64/0x80 [libcomposite] +[ 88.389628] uvc_function_disconnect+0x1e/0x40 [usb_f_uvc] + +This patch changes the code to test the port-power status bit rather +than the port-connect status bit when deciding whether to isue the +callback. + +Signed-off-by: Alan Stern +Reported-by: David Tulloh +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/dummy_hcd.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/udc/dummy_hcd.c ++++ b/drivers/usb/gadget/udc/dummy_hcd.c +@@ -420,6 +420,7 @@ static void set_link_state_by_speed(stru + static void set_link_state(struct dummy_hcd *dum_hcd) + { + struct dummy *dum = dum_hcd->dum; ++ unsigned int power_bit; + + dum_hcd->active = 0; + if (dum->pullup) +@@ -430,17 +431,19 @@ static void set_link_state(struct dummy_ + return; + + set_link_state_by_speed(dum_hcd); ++ power_bit = (dummy_hcd_to_hcd(dum_hcd)->speed == HCD_USB3 ? 
++ USB_SS_PORT_STAT_POWER : USB_PORT_STAT_POWER);
+
+ if ((dum_hcd->port_status & USB_PORT_STAT_ENABLE) == 0 ||
+ dum_hcd->active)
+ dum_hcd->resuming = 0;
+
+ /* Currently !connected or in reset */
+- if ((dum_hcd->port_status & USB_PORT_STAT_CONNECTION) == 0 ||
++ if ((dum_hcd->port_status & power_bit) == 0 ||
+ (dum_hcd->port_status & USB_PORT_STAT_RESET) != 0) {
+- unsigned disconnect = USB_PORT_STAT_CONNECTION &
++ unsigned int disconnect = power_bit &
+ dum_hcd->old_status & (~dum_hcd->port_status);
+- unsigned reset = USB_PORT_STAT_RESET &
++ unsigned int reset = USB_PORT_STAT_RESET &
+ (~dum_hcd->old_status) & dum_hcd->port_status;
+
+ /* Report reset and disconnect events to the driver */
diff --git a/queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch b/queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
new file mode 100644
index 00000000000..fc049e4742c
--- /dev/null
+++ b/queue-4.9/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch
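Review bot: The comment `/* Currently !connected or in reset */` in the second hunk of dummy_hcd.c is now stale: the condition beneath it tests `power_bit` (port power, Vbus), not `USB_PORT_STAT_CONNECTION`, which is precisely what the change is about. Suggest `/* Currently !powered (Vbus off) or in reset */` so the comment matches the test and the disconnect-callback semantics described in the commit message. The `disconnect` variable is likewise now a power-off edge rather than a connection-lost edge, so its name reads slightly off, though renaming it is optional. set_link_state() continues outside the hunk.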
@@ -0,0 +1,58 @@
+From aec17e1e249567e82b26dafbb86de7d07fde8729 Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov
+Date: Sat, 30 Sep 2017 08:55:55 -0700
+Subject: usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
+
+From: Andrew Gabbasov
+
+commit aec17e1e249567e82b26dafbb86de7d07fde8729 upstream.
+
+KASAN enabled configuration reports an error
+
+ BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
+ [libcomposite] at addr ...
+ Read of size 1 by task ...
+
+when some driver is un-bound and then bound again.
+For example, this happens with FunctionFS driver when "ffs-test"
+test application is run several times in a row.
+
+If the driver has empty manufacturer ID string in initial static data,
+it is then replaced with generated string. After driver unbinding
+the generated string is freed, but the driver data still keep that
+pointer. And if the driver is then bound again, that pointer
+is re-used for string emptiness check.
+
+The fix is to clean up the driver string data upon its unbinding
+to drop the pointer to freed memory.
+
+Fixes: cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string")
+Signed-off-by: Andrew Gabbasov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/composite.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -2018,6 +2018,8 @@ static DEVICE_ATTR_RO(suspended);
+ static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver)
+ {
+ struct usb_composite_dev *cdev = get_gadget_data(gadget);
++ struct usb_gadget_strings *gstr = cdev->driver->strings[0];
++ struct usb_string *dev_str = gstr->strings;
+
+ /* composite_disconnect() must already have been called
+ * by the underlying peripheral controller driver!
+@@ -2037,6 +2039,9 @@ static void __composite_unbind(struct us
+
+ composite_dev_cleanup(cdev);
+
++ if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer)
++ dev_str[USB_GADGET_MANUFACTURER_IDX].s = "";
++
+ kfree(cdev->def_manufacturer);
+ kfree(cdev);
+ set_gadget_data(gadget, NULL);
diff --git a/queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch b/queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
new file mode 100644
index 00000000000..c6e4449f872
--- /dev/null
+++ b/queue-4.9/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch
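Review bot: `gstr->strings` is dereferenced at the top of `__composite_unbind()` in the first hunk, unconditionally and before anything else runs, so a composite driver whose `strings` table or `strings[0]` is NULL would oops on every unbind; whether binding already guarantees a non-NULL table is not visible from the hunk, so this is hedged. If that invariant holds, a one-line comment stating it next to the new declarations would help; if it does not, the lookup belongs next to the `USB_GADGET_MANUFACTURER_IDX` check in the second hunk, guarded with `if (gstr && gstr->strings)`. The pointer comparison against `cdev->def_manufacturer` correctly precedes the `kfree()`, so the stale pointer is cleared rather than read after free.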
@@ -0,0 +1,141 @@ +From ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc Mon Sep 17 00:00:00 2001 +From: Andrew Gabbasov +Date: Sat, 30 Sep 2017 08:54:52 -0700 +Subject: usb: gadget: configfs: Fix memory leak of interface directory data + +From: Andrew Gabbasov + +commit ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc upstream. + +Kmemleak checking configuration reports a memory leak in +usb_os_desc_prepare_interf_dir function when rndis function +instance is freed and then allocated again. For example, this +happens with FunctionFS driver with RNDIS function enabled +when "ffs-test" test application is run several times in a row. + +The data for intermediate "os_desc" group for interface directories +is allocated as a single VLA chunk and (after a change of default +groups handling) is not ever freed and actually not stored anywhere +besides inside a list of default groups of a parent group. + +The fix is to make usb_os_desc_prepare_interf_dir function return +a pointer to allocated data (as a pointer to the first VLA item) +instead of (an unused) integer and to make the caller component +(currently the only one is RNDIS function) responsible for storing +the pointer and freeing the memory when appropriate. 
+ +Fixes: 1ae1602de028 ("configfs: switch ->default groups to a linked list") +Signed-off-by: Andrew Gabbasov +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/configfs.c | 15 ++++++++------- + drivers/usb/gadget/configfs.h | 11 ++++++----- + drivers/usb/gadget/function/f_rndis.c | 12 ++++++++++-- + drivers/usb/gadget/function/u_rndis.h | 1 + + 4 files changed, 25 insertions(+), 14 deletions(-) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -1140,11 +1140,12 @@ static struct configfs_attribute *interf + NULL + }; + +-int usb_os_desc_prepare_interf_dir(struct config_group *parent, +- int n_interf, +- struct usb_os_desc **desc, +- char **names, +- struct module *owner) ++struct config_group *usb_os_desc_prepare_interf_dir( ++ struct config_group *parent, ++ int n_interf, ++ struct usb_os_desc **desc, ++ char **names, ++ struct module *owner) + { + struct config_group *os_desc_group; + struct config_item_type *os_desc_type, *interface_type; +@@ -1156,7 +1157,7 @@ int usb_os_desc_prepare_interf_dir(struc + + char *vlabuf = kzalloc(vla_group_size(data_chunk), GFP_KERNEL); + if (!vlabuf) +- return -ENOMEM; ++ return ERR_PTR(-ENOMEM); + + os_desc_group = vla_ptr(vlabuf, data_chunk, os_desc_group); + os_desc_type = vla_ptr(vlabuf, data_chunk, os_desc_type); +@@ -1181,7 +1182,7 @@ int usb_os_desc_prepare_interf_dir(struc + configfs_add_default_group(&d->group, os_desc_group); + } + +- return 0; ++ return os_desc_group; + } + EXPORT_SYMBOL(usb_os_desc_prepare_interf_dir); + +--- a/drivers/usb/gadget/configfs.h ++++ b/drivers/usb/gadget/configfs.h +@@ -5,11 +5,12 @@ + + void unregister_gadget_item(struct config_item *item); + +-int usb_os_desc_prepare_interf_dir(struct config_group *parent, +- int n_interf, +- struct usb_os_desc **desc, +- char **names, +- struct module *owner); ++struct config_group *usb_os_desc_prepare_interf_dir( ++ struct config_group *parent, ++ int n_interf, ++ struct usb_os_desc 
**desc, ++ char **names, ++ struct module *owner); + + static inline struct usb_os_desc *to_usb_os_desc(struct config_item *item) + { +--- a/drivers/usb/gadget/function/f_rndis.c ++++ b/drivers/usb/gadget/function/f_rndis.c +@@ -892,6 +892,7 @@ static void rndis_free_inst(struct usb_f + free_netdev(opts->net); + } + ++ kfree(opts->rndis_interf_group); /* single VLA chunk */ + kfree(opts); + } + +@@ -900,6 +901,7 @@ static struct usb_function_instance *rnd + struct f_rndis_opts *opts; + struct usb_os_desc *descs[1]; + char *names[1]; ++ struct config_group *rndis_interf_group; + + opts = kzalloc(sizeof(*opts), GFP_KERNEL); + if (!opts) +@@ -920,8 +922,14 @@ static struct usb_function_instance *rnd + names[0] = "rndis"; + config_group_init_type_name(&opts->func_inst.group, "", + &rndis_func_type); +- usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs, +- names, THIS_MODULE); ++ rndis_interf_group = ++ usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs, ++ names, THIS_MODULE); ++ if (IS_ERR(rndis_interf_group)) { ++ rndis_free_inst(&opts->func_inst); ++ return ERR_CAST(rndis_interf_group); ++ } ++ opts->rndis_interf_group = rndis_interf_group; + + return &opts->func_inst; + } +--- a/drivers/usb/gadget/function/u_rndis.h ++++ b/drivers/usb/gadget/function/u_rndis.h +@@ -26,6 +26,7 @@ struct f_rndis_opts { + bool bound; + bool borrowed_net; + ++ struct config_group *rndis_interf_group; + struct usb_os_desc rndis_os_desc; + char rndis_ext_compat_id[16]; + diff --git a/queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch b/queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch new file mode 100644 index 00000000000..f73ab0db259 --- /dev/null +++ b/queue-4.9/usb-renesas_usbhs-fix-dmac-sequence-for-receiving-zero-length-packet.patch 
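Review bot: The ownership transfer introduced for `usb_os_desc_prepare_interf_dir()` is documented only by the `/* single VLA chunk */` remark in f_rndis.c; the prototype in configfs.h carries no comment, so a second caller would not know that the returned pointer is the base of one kzalloc'ed chunk that also holds the item types and interface groups and must be released with a single `kfree()` once the groups are no longer registered. Suggest a kernel-doc block above the declaration in configfs.h describing the return value (the allocated os_desc group or `ERR_PTR(-ENOMEM)`) and stating that the caller owns the whole chunk. In `rndis_alloc_inst()`, `opts` comes from `kzalloc()` and `opts->rndis_interf_group` is assigned only after the `IS_ERR()` check, so the `kfree()` inside the early `rndis_free_inst()` call is a no-op on that path, which is worth a short comment in the error branch. The touched function bodies continue outside the hunks.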
@@ -0,0 +1,40 @@
+From 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 Mon Sep 17 00:00:00 2001
+From: Kazuya Mizuguchi
+Date: Mon, 2 Oct 2017 14:01:41 +0900
+Subject: usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
+
+From: Kazuya Mizuguchi
+
+commit 29c7f3e68eec4ae94d85ad7b5dfdafdb8089f513 upstream.
+
+The DREQE bit of the DnFIFOSEL should be set to 1 after the DE bit of
+USB-DMAC on R-Car SoCs is set to 1 after the USB-DMAC received a
+zero-length packet. Otherwise, a transfer completion interruption
+of USB-DMAC doesn't happen. Even if the driver changes the sequence,
+normal operations (transmit/receive without zero-length packet) will
+not cause any side-effects. So, this patch fixes the sequence anyway.
+
+Signed-off-by: Kazuya Mizuguchi
+[shimoda: revise the commit log]
+Fixes: e73a9891b3a1 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -860,9 +860,9 @@ static void xfer_work(struct work_struct
+ fifo->name, usbhs_pipe_number(pipe), pkt->length, pkt->zero);
+
+ usbhs_pipe_running(pipe, 1);
+- usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+ dma_async_issue_pending(chan);
++ usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_enable(pipe);
+
+ xfer_work_end:
diff --git a/queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch b/queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch
new file mode 100644
index 00000000000..eb79e0a13e4
--- /dev/null
+++ b/queue-4.9/usb-serial-console-fix-use-after-free-after-failed-setup.patch
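Review bot: The move of `usbhsf_dma_start()` after `dma_async_issue_pending()` carries no comment, so the ordering constraint from the commit log (DREQE in DnFIFOSEL must only be set after the USB-DMAC's DE bit, or a received zero-length packet never raises the completion interrupt) is invisible in the code and the next cleanup could swap the two calls back. Suggest a comment above the moved call: `/* Set DREQE only after the DMAC is started (DE set); otherwise a zero-length packet never completes. */`. xfer_work() continues outside the hunk.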
@@ -0,0 +1,32 @@
+From 299d7572e46f98534033a9e65973f13ad1ce9047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 4 Oct 2017 11:01:13 +0200
+Subject: USB: serial: console: fix use-after-free after failed setup
+
+From: Johan Hovold
+
+commit 299d7572e46f98534033a9e65973f13ad1ce9047 upstream.
+
+Make sure to reset the USB-console port pointer when console setup fails
+in order to avoid having the struct usb_serial be prematurely freed by
+the console code when the device is later disconnected.
+
+Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues")
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/console.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -186,6 +186,7 @@ static int usb_console_setup(struct cons
+ tty_kref_put(tty);
+ reset_open_count:
+ port->port.count = 0;
++ info->port = NULL;
+ usb_autopm_put_interface(serial->interface);
+ error_get_interface:
+ usb_serial_put(serial);
diff --git a/queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch b/queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch
new file mode 100644
index 00000000000..066734931bb
--- /dev/null
+++ b/queue-4.9/usb-serial-cp210x-add-support-for-elv-tfd500.patch
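Review bot: The added `info->port = NULL;` has no comment explaining that the console-disconnect path uses this pointer to decide whether the serial device is still owned by the console, so a reader of the error label alone cannot see why clearing it prevents an early free of `struct usb_serial`. Suggest `/* setup failed: clear so the console disconnect code does not treat this port as set up and free the serial device early */` (the disconnect path itself is not in the hunk, so the wording is inferred from the commit message). Whether any error label that runs before `reset_open_count` can be reached after `info->port` has been assigned is not visible here; if one can, it needs the same reset. usb_console_setup() starts outside the hunk.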
@@ -0,0 +1,29 @@
+From c496ad835c31ad639b6865714270b3003df031f6 Mon Sep 17 00:00:00 2001
+From: Andreas Engel
+Date: Mon, 18 Sep 2017 21:11:57 +0200
+Subject: USB: serial: cp210x: add support for ELV TFD500
+
+From: Andreas Engel
+
+commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
+
+Add the USB device id for the ELV TFD500 data logger.
+
+Signed-off-by: Andreas Engel
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -171,6 +171,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
diff --git a/queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch b/queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
new file mode 100644
index 00000000000..f52b9b58146
--- /dev/null
+++ b/queue-4.9/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
@@ -0,0 +1,48 @@
+From a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 Mon Sep 17 00:00:00 2001
+From: Jeffrey Chu
+Date: Fri, 8 Sep 2017 21:08:58 +0000
+Subject: USB: serial: ftdi_sio: add id for Cypress WICED dev board
+
+From: Jeffrey Chu
+
+commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
+
+Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
+device IDs to ftdi_sio driver.
+
+Signed-off-by: Jeffrey Chu
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1015,6 +1015,8 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
+ { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
++ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -610,6 +610,13 @@
+ #define ADI_GNICEPLUS_PID 0xF001
+
+ /*
++ * Cypress WICED USB UART
++ */
++#define CYPRESS_VID 0x04B4
++#define CYPRESS_WICED_BT_USB_PID 0x009B
++#define CYPRESS_WICED_WL_USB_PID 0xF900
++
++/*
+ * Microchip Technology, Inc.
+ *
+ * MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
diff --git a/queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch b/queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch
new file mode 100644
index 00000000000..6eca33d637d
--- /dev/null
+++ b/queue-4.9/usb-serial-option-add-support-for-tp-link-lte-module.patch
@@ -0,0 +1,38 @@
+From 837ddc4793a69b256ac5e781a5e729b448a8d983 Mon Sep 17 00:00:00 2001
+From: Henryk Heisig
+Date: Mon, 11 Sep 2017 17:57:34 +0200
+Subject: USB: serial: option: add support for TP-Link LTE module
+
+From: Henryk Heisig
+
+commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
+
+This commit adds support for TP-Link LTE mPCIe module is used
+in in TP-Link MR200v1, MR6400v1 and v2 routers.
+
+Signed-off-by: Henryk Heisig
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -522,6 +522,7 @@ static void option_instat_callback(struc
+
+ /* TP-LINK Incorporated products */
+ #define TPLINK_VENDOR_ID 0x2357
++#define TPLINK_PRODUCT_LTE 0x000D
+ #define TPLINK_PRODUCT_MA180 0x0201
+
+ /* Changhong products */
+@@ -2011,6 +2012,7 @@ static const struct usb_device_id option
+ { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
++ { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */
+ { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */
diff --git a/queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch b/queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
new file mode 100644
index 00000000000..a991b0a0eca
--- /dev/null
+++ b/queue-4.9/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
@@ -0,0 +1,34 @@
+From f5d9644c5fca7d8e8972268598bb516a7eae17f9 Mon Sep 17 00:00:00 2001
+From: Shrirang Bagul
+Date: Fri, 29 Sep 2017 12:39:51 +0800
+Subject: USB: serial: qcserial: add Dell DW5818, DW5819
+
+From: Shrirang Bagul
+
+commit f5d9644c5fca7d8e8972268598bb516a7eae17f9 upstream.
+
+Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
+series which will by default boot with vid 0x413c and pid's 0x81cf,
+0x81d0, 0x81d1, 0x81d2.
+
+Signed-off-by: Shrirang Bagul
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/qcserial.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -174,6 +174,10 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
+ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
++ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
++ {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
++ {DEVICE_SWI(0x413c, 0x81d1)}, /* Dell Wireless 5818 */
++ {DEVICE_SWI(0x413c, 0x81d2)}, /* Dell Wireless 5818 */
+
+ /* Huawei devices */
+ {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */