From: Greg Kroah-Hartman Date: Fri, 16 Mar 2018 13:34:29 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v3.18.100~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=27f9f94a8293b86c2a67eef2c25e78bc3f8b42b5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch staging-android-ashmem-fix-lockdep-issue-during-llseek.patch staging-comedi-fix-comedi_nsamples_left.patch tty-serial-atmel-add-new-version-check-for-usart.patch uas-fix-comparison-for-error-code.patch usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch usb-quirks-add-control-message-delay-for-1b1c-1b20.patch usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch usb-usbmon-read-text-within-supplied-buffer-size.patch usb-usbmon-remove-assignment-from-is_err-argument.patch --- diff --git a/queue-4.4/fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch b/queue-4.4/fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch new file mode 100644 index 00000000000..64eb4702cfd --- /dev/null +++ b/queue-4.4/fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch @@ -0,0 +1,40 @@ +From gregkh@linuxfoundation.org Fri Mar 16 14:27:34 2018 +From: Greg Kroah-Hartman +Date: Tue, 13 Mar 2018 10:56:00 +0100 +Subject: fixup: sctp: verify size of a new chunk in _sctp_make_chunk() +To: Ben Hutchings +Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org, Alexey Kodanev , Marcelo Ricardo Leitner , Neil Horman , "David S. Miller" +Message-ID: <20180313095600.GA5131@kroah.com> +Content-Disposition: inline + +From: Greg Kroah-Hartman + +Ben writes: +> > + int chunklen; +> > + +> > + chunklen = sizeof(*chunk_hdr) + paylen; +> +> I think this length still needs to be rounded up (with WORD_ROUND here, +> instead of SCTP_PAD4 upstream). + +So here's a fix for this problem. + + +Reported-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/sm_make_chunk.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sctp/sm_make_chunk.c ++++ b/net/sctp/sm_make_chunk.c +@@ -1369,7 +1369,7 @@ static struct sctp_chunk *_sctp_make_chu + struct sock *sk; + int chunklen; + +- chunklen = sizeof(*chunk_hdr) + paylen; ++ chunklen = WORD_ROUND(sizeof(*chunk_hdr) + paylen); + if (chunklen > SCTP_MAX_CHUNK_LEN) + goto nodata; + diff --git a/queue-4.4/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch b/queue-4.4/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch new file mode 100644 index 00000000000..512edd10bf9 --- /dev/null +++ b/queue-4.4/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch @@ -0,0 +1,41 @@ +From 9f2068f35729948bde84d87a40d135015911345d Mon Sep 17 00:00:00 2001 +From: Nikola Ciprich +Date: Tue, 13 Feb 2018 15:04:46 +0100 +Subject: serial: 8250_pci: Add Brainboxes UC-260 4 port serial device + +From: Nikola Ciprich + +commit 9f2068f35729948bde84d87a40d135015911345d upstream. + +Add PCI ids for two variants of Brainboxes UC-260 quad port +PCI serial cards. + +Suggested-by: Andy Shevchenko +Signed-off-by: Nikola Ciprich +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -5300,6 +5300,17 @@ static struct pci_device_id serial_pci_t + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ + pbn_b2_4_115200 }, + /* ++ * BrainBoxes UC-260 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ /* + * Perle PCI-RAS cards + */ + { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030, diff --git a/queue-4.4/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch b/queue-4.4/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch new file mode 100644 index 00000000000..64a900aa980 --- /dev/null +++ b/queue-4.4/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch @@ -0,0 +1,49 @@ +From 7842055bfce4bf0170d0f61df8b2add8399697be Mon Sep 17 00:00:00 2001 +From: Ulrich Hecht +Date: Thu, 15 Feb 2018 13:02:27 +0100 +Subject: serial: sh-sci: prevent lockup on full TTY buffers + +From: Ulrich Hecht + +commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream. + +When the TTY buffers fill up to the configured maximum, a system lockup +occurs: + +[ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks: +[ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1 +[ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126) +[ 598.838755] Task dump for CPU 0: +[ 598.841977] swapper/0 R running task 0 0 0 0x00000022 +[ 598.849023] Call trace: +[ 598.851476] __switch_to+0x98/0xb0 +[ 598.854870] (null) + +This can be prevented by doing a dummy read of the RX data register. + +This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0; +reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms +as well. + +Reported-by: Yoshihiro Shimoda +Signed-off-by: Ulrich Hecht +Reviewed-by: Geert Uytterhoeven +Cc: stable +Tested-by: Nguyen Viet Dung +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/sh-sci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -847,6 +847,8 @@ static void sci_receive_chars(struct uar + /* Tell the rest of the system the news. New characters! */ + tty_flip_buffer_push(tport); + } else { ++ /* TTY buffers full; read from RX reg to prevent lockup */ ++ serial_port_in(port, SCxRDR); + serial_port_in(port, SCxSR); /* dummy read */ + sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port)); + } diff --git a/queue-4.4/series b/queue-4.4/series index e9008d16fb2..b8a7de81a3e 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -49,3 +49,15 @@ nfs-fix-an-incorrect-type-in-struct-nfs_direct_req.patch revert-arm-dts-logicpd-torpedo-fix-i2c1-pinmux.patch x86-module-detect-and-skip-invalid-relocations.patch x86-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch +serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch +tty-serial-atmel-add-new-version-check-for-usart.patch +uas-fix-comparison-for-error-code.patch +staging-comedi-fix-comedi_nsamples_left.patch +staging-android-ashmem-fix-lockdep-issue-during-llseek.patch +usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch +usb-quirks-add-control-message-delay-for-1b1c-1b20.patch +usb-usbmon-remove-assignment-from-is_err-argument.patch +usb-usbmon-read-text-within-supplied-buffer-size.patch +usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch +serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch +fixup-sctp-verify-size-of-a-new-chunk-in-_sctp_make_chunk.patch diff --git a/queue-4.4/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch b/queue-4.4/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch new file mode 100644 index 00000000000..0eb5e5c2b2b --- /dev/null +++ b/queue-4.4/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch @@ -0,0 +1,88 @@ +From cb57469c9573f6018cd1302953dd45d6e05aba7b Mon Sep 17 00:00:00 2001 +From: Joel Fernandes +Date: Fri, 16 Feb 2018 11:02:01 -0800 +Subject: staging: android: ashmem: Fix lockdep issue during llseek + +From: Joel Fernandes + +commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream. + +ashmem_mutex create a chain of dependencies like so: + +(1) +mmap syscall -> + mmap_sem -> (acquired) + ashmem_mmap + ashmem_mutex (try to acquire) + (block) + +(2) +llseek syscall -> + ashmem_llseek -> + ashmem_mutex -> (acquired) + inode_lock -> + inode->i_rwsem (try to acquire) + (block) + +(3) +getdents -> + iterate_dir -> + inode_lock -> + inode->i_rwsem (acquired) + copy_to_user -> + mmap_sem (try to acquire) + +There is a lock ordering created between mmap_sem and inode->i_rwsem +causing a lockdep splat [2] during a syzcaller test, this patch fixes +the issue by unlocking the mutex earlier. Functionally that's Ok since +we don't need to protect vfs_llseek. + +[1] https://patchwork.kernel.org/patch/10185031/ +[2] https://lkml.org/lkml/2018/1/10/48 + +Acked-by: Todd Kjos +Cc: Arve Hjonnevag +Cc: stable@vger.kernel.org +Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com +Signed-off-by: Joel Fernandes +Acked-by: Greg Hackmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file + mutex_lock(&ashmem_mutex); + + if (asma->size == 0) { +- ret = -EINVAL; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EINVAL; + } + + if (!asma->file) { +- ret = -EBADF; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EBADF; + } + ++ mutex_unlock(&ashmem_mutex); ++ + ret = vfs_llseek(asma->file, offset, origin); + if (ret < 0) +- goto out; ++ return ret; + + /** Copy f_pos from backing file, since f_ops->llseek() sets it */ + file->f_pos = asma->file->f_pos; +- +-out: +- mutex_unlock(&ashmem_mutex); + return ret; + } + diff --git a/queue-4.4/staging-comedi-fix-comedi_nsamples_left.patch b/queue-4.4/staging-comedi-fix-comedi_nsamples_left.patch new file mode 100644 index 00000000000..38e80f4e7fe --- /dev/null +++ b/queue-4.4/staging-comedi-fix-comedi_nsamples_left.patch @@ -0,0 +1,34 @@ +From a42ae5905140c324362fe5036ae1dbb16e4d359c Mon Sep 17 00:00:00 2001 +From: Frank Mori Hess +Date: Thu, 15 Feb 2018 15:13:42 -0500 +Subject: staging: comedi: fix comedi_nsamples_left. + +From: Frank Mori Hess + +commit a42ae5905140c324362fe5036ae1dbb16e4d359c upstream. + +A rounding error was causing comedi_nsamples_left to +return the wrong value when nsamples was not a multiple +of the scan length. + +Cc: # v4.4+ +Signed-off-by: Frank Mori Hess +Reviewed-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers.c ++++ b/drivers/staging/comedi/drivers.c +@@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct + struct comedi_cmd *cmd = &async->cmd; + + if (cmd->stop_src == TRIG_COUNT) { +- unsigned int nscans = nsamples / cmd->scan_end_arg; +- unsigned int scans_left = __comedi_nscans_left(s, nscans); ++ unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg); + unsigned int scan_pos = + comedi_bytes_to_samples(s, async->scan_progress); + unsigned long long samples_left = 0; diff --git a/queue-4.4/tty-serial-atmel-add-new-version-check-for-usart.patch b/queue-4.4/tty-serial-atmel-add-new-version-check-for-usart.patch new file mode 100644 index 00000000000..a6cdbb1f8db --- /dev/null +++ b/queue-4.4/tty-serial-atmel-add-new-version-check-for-usart.patch @@ -0,0 +1,33 @@ +From fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 Mon Sep 17 00:00:00 2001 +From: Jonas Danielsson +Date: Mon, 29 Jan 2018 12:39:15 +0100 +Subject: tty/serial: atmel: add new version check for usart + +From: Jonas Danielsson + +commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream. + +On our at91sam9260 based board the usart0 and usart1 ports report +their versions (ATMEL_US_VERSION) as 0x10302. This version is not +included in the current checks in the driver. + +Signed-off-by: Jonas Danielsson +Acked-by: Richard Genoud +Acked-by: Nicolas Ferre +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1783,6 +1783,7 @@ static void atmel_get_ip_name(struct uar + switch (version) { + case 0x302: + case 0x10213: ++ case 0x10302: + dev_dbg(port->dev, "This version is usart\n"); + atmel_port->is_usart = true; + break; diff --git a/queue-4.4/uas-fix-comparison-for-error-code.patch b/queue-4.4/uas-fix-comparison-for-error-code.patch new file mode 100644 index 00000000000..e68e763ffb9 --- /dev/null +++ b/queue-4.4/uas-fix-comparison-for-error-code.patch @@ -0,0 +1,32 @@ +From 9a513c905bb95bef79d96feb08621c1ec8d8c4bb Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 6 Mar 2018 15:04:24 +0100 +Subject: uas: fix comparison for error code + +From: Oliver Neukum + +commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream. + +A typo broke the comparison. + +Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset") +Signed-off-by: Oliver Neukum +CC: stable@kernel.org +Acked-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -1052,7 +1052,7 @@ static int uas_post_reset(struct usb_int + return 0; + + err = uas_configure_endpoints(devinfo); +- if (err && err != ENODEV) ++ if (err && err != -ENODEV) + shost_printk(KERN_ERR, shost, + "%s: alloc streams error %d after reset", + __func__, err); diff --git a/queue-4.4/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch b/queue-4.4/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch new file mode 100644 index 00000000000..02e1e6de015 --- /dev/null +++ b/queue-4.4/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch @@ -0,0 +1,84 @@ +From 1a087f032111a88e826877449dfb93ceb22b78b9 Mon Sep 17 00:00:00 2001 +From: Xinyong +Date: Fri, 2 Mar 2018 19:20:07 +0800 +Subject: usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() + +From: Xinyong + +commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream. + +When I debug a kernel crash issue in funcitonfs, found ffs_data.ref +overflowed, While functionfs is unmounting, ffs_data is put twice. + +Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to +refcount_t") can avoid refcount overflow, but that is risk some situations. +So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed. + +The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device. +KASAN enabled configuration reports use-after-free errro. + +BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0 +Read of size 4 by task umount/4650 +==================================================== +BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected +----------------------------------------------------------------------------- + +INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566 + alloc_debug_processing+0x1ac/0x1e8 + ___slab_alloc.constprop.63+0x640/0x648 + __slab_alloc.isra.57.constprop.62+0x24/0x34 + kmem_cache_alloc_trace+0x1a8/0x2bc + ffs_fs_mount+0x194/0x844 + mount_fs+0x6c/0x1d0 + vfs_kern_mount+0x50/0x1b4 + do_mount+0x258/0x1034 +INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650 + free_debug_processing+0x22c/0x434 + __slab_free+0x2d8/0x3a0 + kfree+0x254/0x264 + ffs_data_put+0x25c/0x320 + ffs_data_closed+0x124/0x15c + ffs_fs_kill_sb+0xb8/0x110 + deactivate_locked_super+0x6c/0x98 + deactivate_super+0xb0/0xbc +INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null) +...... +Call trace: +[] dump_backtrace+0x0/0x250 +[] show_stack+0x14/0x1c +[] dump_stack+0xa0/0xc8 +[] print_trailer+0x158/0x260 +[] object_err+0x3c/0x40 +[] kasan_report_error+0x2a8/0x754 +[] kasan_report+0x5c/0x60 +[] __asan_load4+0x70/0x88 +[] refcount_dec_and_test+0x14/0xe0 +[] ffs_data_put+0x80/0x320 +[] ffs_fs_kill_sb+0xc8/0x110 +[] deactivate_locked_super+0x6c/0x98 +[] deactivate_super+0xb0/0xbc +[] cleanup_mnt+0x64/0xec +[] __cleanup_mnt+0x10/0x18 +[] task_work_run+0xcc/0x124 +[] do_notify_resume+0x60/0x70 +[] work_pending+0x10/0x14 + +Cc: stable@vger.kernel.org +Signed-off-by: Xinyong +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1333,7 +1333,6 @@ ffs_fs_kill_sb(struct super_block *sb) + if (sb->s_fs_info) { + ffs_release_dev(sb->s_fs_info); + ffs_data_closed(sb->s_fs_info); +- ffs_data_put(sb->s_fs_info); + } + } + diff --git a/queue-4.4/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch b/queue-4.4/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch new file mode 100644 index 00000000000..15ead1befec --- /dev/null +++ b/queue-4.4/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch @@ -0,0 +1,85 @@ +From cb88a0588717ba6c756cb5972d75766b273a6817 Mon Sep 17 00:00:00 2001 +From: Danilo Krummrich +Date: Tue, 6 Mar 2018 09:38:49 +0100 +Subject: usb: quirks: add control message delay for 1b1c:1b20 + +From: Danilo Krummrich + +commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream. + +Corsair Strafe RGB keyboard does not respond to usb control messages +sometimes and hence generates timeouts. + +Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair +Strafe RGB keyboard") tried to fix those timeouts by adding +USB_QUIRK_DELAY_INIT. + +Unfortunately, even with this quirk timeouts of usb_control_msg() +can still be seen, but with a lower frequency (approx. 1 out of 15): + +[ 29.103520] usb 1-8: string descriptor 0 read error: -110 +[ 34.363097] usb 1-8: can't set config #1, error -110 + +Adding further delays to different locations where usb control +messages are issued just moves the timeouts to other locations, +e.g.: + +[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110 +[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110 + +The only way to reliably avoid those issues is having a pause after +each usb control message. In approx. 200 boot cycles no more timeouts +were seen. + +Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary +to have the delay in hub_port_connect() after hub_port_init(). + +The overall boot time seems not to be influenced by these additional +delays, even on fast machines and lightweight distributions. + +Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") +Cc: stable@vger.kernel.org +Signed-off-by: Danilo Krummrich +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/message.c | 4 ++++ + drivers/usb/core/quirks.c | 3 ++- + include/linux/usb/quirks.h | 3 +++ + 3 files changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -147,6 +147,10 @@ int usb_control_msg(struct usb_device *d + + ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout); + ++ /* Linger a bit, prior to the next control message. */ ++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG) ++ msleep(200); ++ + kfree(dr); + + return ret; +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT }, + + /* Corsair Strafe RGB */ +- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT }, ++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT | ++ USB_QUIRK_DELAY_CTRL_MSG }, + + /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -56,4 +56,7 @@ + */ + #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) + ++/* Device needs a pause after every control message. */ ++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13) ++ + #endif /* __LINUX_USB_QUIRKS_H */ diff --git a/queue-4.4/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch b/queue-4.4/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch new file mode 100644 index 00000000000..adfe18dcc32 --- /dev/null +++ b/queue-4.4/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch @@ -0,0 +1,38 @@ +From 5126a504b63d82785eaece3a9c30c660b313785a Mon Sep 17 00:00:00 2001 +From: Teijo Kinnunen +Date: Thu, 1 Mar 2018 19:34:29 +0200 +Subject: USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h + +From: Teijo Kinnunen + +commit 5126a504b63d82785eaece3a9c30c660b313785a upstream. + +This USB-SATA controller seems to be similar with JMicron bridge +152d:2566 already on the list. Adding it here fixes "Invalid +field in cdb" errors. + +Signed-off-by: Teijo Kinnunen +Cc: stable@vger.kernel.org +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2142,6 +2142,13 @@ UNUSUAL_DEV( 0x22b8, 0x3010, 0x0001, 0x + USB_SC_DEVICE, USB_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY | US_FL_IGNORE_RESIDUE ), + ++/* Reported by Teijo Kinnunen */ ++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117, ++ "JMicron", ++ "USB to ATA/ATAPI Bridge", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_BROKEN_FUA ), ++ + /* Reported-by George Cherian */ + UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999, + "JMicron", diff --git a/queue-4.4/usb-usbmon-read-text-within-supplied-buffer-size.patch b/queue-4.4/usb-usbmon-read-text-within-supplied-buffer-size.patch new file mode 100644 index 00000000000..38ba9930049 --- /dev/null +++ b/queue-4.4/usb-usbmon-read-text-within-supplied-buffer-size.patch @@ -0,0 +1,183 @@ +From a5f596830e27e15f7a0ecd6be55e433d776986d8 Mon Sep 17 00:00:00 2001 +From: Pete Zaitcev +Date: Fri, 9 Mar 2018 00:21:14 -0600 +Subject: usb: usbmon: Read text within supplied buffer size + +From: Pete Zaitcev + +commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream. + +This change fixes buffer overflows and silent data corruption with the +usbmon device driver text file read operations. + +Signed-off-by: Fredrik Noring +Signed-off-by: Pete Zaitcev +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/mon/mon_text.c | 124 +++++++++++++++++++++++++++------------------ + 1 file changed, 77 insertions(+), 47 deletions(-) + +--- a/drivers/usb/mon/mon_text.c ++++ b/drivers/usb/mon/mon_text.c +@@ -82,6 +82,8 @@ struct mon_reader_text { + + wait_queue_head_t wait; + int printf_size; ++ size_t printf_offset; ++ size_t printf_togo; + char *printf_buf; + struct mutex printf_lock; + +@@ -373,75 +375,103 @@ err_alloc: + return rc; + } + +-/* +- * For simplicity, we read one record in one system call and throw out +- * what does not fit. This means that the following does not work: +- * dd if=/dbg/usbmon/0t bs=10 +- * Also, we do not allow seeks and do not bother advancing the offset. +- */ ++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp, ++ char __user * const buf, const size_t nbytes) ++{ ++ const size_t togo = min(nbytes, rp->printf_togo); ++ ++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo)) ++ return -EFAULT; ++ rp->printf_togo -= togo; ++ rp->printf_offset += togo; ++ return togo; ++} ++ ++/* ppos is not advanced since the llseek operation is not permitted. */ + static ssize_t mon_text_read_t(struct file *file, char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct mon_reader_text *rp = file->private_data; + struct mon_event_text *ep; + struct mon_text_ptr ptr; ++ ssize_t ret; + +- ep = mon_text_read_wait(rp, file); +- if (IS_ERR(ep)) +- return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); +- ptr.cnt = 0; +- ptr.pbuf = rp->printf_buf; +- ptr.limit = rp->printf_size; +- +- mon_text_read_head_t(rp, &ptr, ep); +- mon_text_read_statset(rp, &ptr, ep); +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, +- " %d", ep->length); +- mon_text_read_data(rp, &ptr, ep); + +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) +- ptr.cnt = -EFAULT; ++ if (rp->printf_togo == 0) { ++ ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) { ++ mutex_unlock(&rp->printf_lock); ++ return PTR_ERR(ep); ++ } ++ ptr.cnt = 0; ++ ptr.pbuf = rp->printf_buf; ++ ptr.limit = rp->printf_size; ++ ++ mon_text_read_head_t(rp, &ptr, ep); ++ mon_text_read_statset(rp, &ptr, ep); ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ++ " %d", ep->length); ++ mon_text_read_data(rp, &ptr, ep); ++ ++ rp->printf_togo = ptr.cnt; ++ rp->printf_offset = 0; ++ ++ kmem_cache_free(rp->e_slab, ep); ++ } ++ ++ ret = mon_text_copy_to_user(rp, buf, nbytes); + mutex_unlock(&rp->printf_lock); +- kmem_cache_free(rp->e_slab, ep); +- return ptr.cnt; ++ return ret; + } + ++/* ppos is not advanced since the llseek operation is not permitted. */ + static ssize_t mon_text_read_u(struct file *file, char __user *buf, +- size_t nbytes, loff_t *ppos) ++ size_t nbytes, loff_t *ppos) + { + struct mon_reader_text *rp = file->private_data; + struct mon_event_text *ep; + struct mon_text_ptr ptr; ++ ssize_t ret; + +- ep = mon_text_read_wait(rp, file); +- if (IS_ERR(ep)) +- return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); +- ptr.cnt = 0; +- ptr.pbuf = rp->printf_buf; +- ptr.limit = rp->printf_size; + +- mon_text_read_head_u(rp, &ptr, ep); +- if (ep->type == 'E') { +- mon_text_read_statset(rp, &ptr, ep); +- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { +- mon_text_read_isostat(rp, &ptr, ep); +- mon_text_read_isodesc(rp, &ptr, ep); +- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { +- mon_text_read_intstat(rp, &ptr, ep); +- } else { +- mon_text_read_statset(rp, &ptr, ep); ++ if (rp->printf_togo == 0) { ++ ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) { ++ mutex_unlock(&rp->printf_lock); ++ return PTR_ERR(ep); ++ } ++ ptr.cnt = 0; ++ ptr.pbuf = rp->printf_buf; ++ ptr.limit = rp->printf_size; ++ ++ mon_text_read_head_u(rp, &ptr, ep); ++ if (ep->type == 'E') { ++ mon_text_read_statset(rp, &ptr, ep); ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) { ++ mon_text_read_isostat(rp, &ptr, ep); ++ mon_text_read_isodesc(rp, &ptr, ep); ++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) { ++ mon_text_read_intstat(rp, &ptr, ep); ++ } else { ++ mon_text_read_statset(rp, &ptr, ep); ++ } ++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, ++ " %d", ep->length); ++ mon_text_read_data(rp, &ptr, ep); ++ ++ rp->printf_togo = ptr.cnt; ++ rp->printf_offset = 0; ++ ++ kmem_cache_free(rp->e_slab, ep); + } +- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt, +- " %d", ep->length); +- mon_text_read_data(rp, &ptr, ep); + +- if (copy_to_user(buf, rp->printf_buf, ptr.cnt)) +- ptr.cnt = -EFAULT; ++ ret = mon_text_copy_to_user(rp, buf, nbytes); + mutex_unlock(&rp->printf_lock); +- kmem_cache_free(rp->e_slab, ep); +- return ptr.cnt; ++ return ret; + } + + static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp, diff --git a/queue-4.4/usb-usbmon-remove-assignment-from-is_err-argument.patch b/queue-4.4/usb-usbmon-remove-assignment-from-is_err-argument.patch new file mode 100644 index 00000000000..d6446f70704 --- /dev/null +++ b/queue-4.4/usb-usbmon-remove-assignment-from-is_err-argument.patch @@ -0,0 +1,54 @@ +From 46c236dc7d1212d7417e6fb0317f91c44c719322 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sat, 26 Dec 2015 22:57:44 +0100 +Subject: USB: usbmon: remove assignment from IS_ERR argument + +From: Julia Lawall + +commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream. + +The semantic patch that makes this change is as follows: +(http://coccinelle.lip6.fr/) + +// +@@ +expression e1,e2; +statement S1,S2; +@@ + ++e1 = e2; +if (IS_ERR( + e1 +- = e2 + )) S1 else S2 +// + +Signed-off-by: Julia Lawall +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/mon/mon_text.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/mon/mon_text.c ++++ b/drivers/usb/mon/mon_text.c +@@ -386,7 +386,8 @@ static ssize_t mon_text_read_t(struct fi + struct mon_event_text *ep; + struct mon_text_ptr ptr; + +- if (IS_ERR(ep = mon_text_read_wait(rp, file))) ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) + return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); + ptr.cnt = 0; +@@ -413,7 +414,8 @@ static ssize_t mon_text_read_u(struct fi + struct mon_event_text *ep; + struct mon_text_ptr ptr; + +- if (IS_ERR(ep = mon_text_read_wait(rp, file))) ++ ep = mon_text_read_wait(rp, file); ++ if (IS_ERR(ep)) + return PTR_ERR(ep); + mutex_lock(&rp->printf_lock); + ptr.cnt = 0;