From: Greg Kroah-Hartman Date: Wed, 9 Nov 2016 10:26:36 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.31~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e98b4612fed6822d01159a207447aafe974d2cd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch pwm-unexport-children-before-chip-removal.patch tty-vt-fix-bogus-division-in-csi_j.patch ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch usb-dwc3-fix-size-used-in-dma_free_coherent.patch --- diff --git a/queue-4.4/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch b/queue-4.4/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch new file mode 100644 index 00000000000..caa1872bd45 --- /dev/null +++ b/queue-4.4/hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch @@ -0,0 +1,41 @@ +From cf0ea4da4c7df11f7a508b2f37518e0f117f3791 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 3 Nov 2016 12:31:41 +0100 +Subject: HID: usbhid: add ATEN CS962 to list of quirky devices + +From: Oliver Neukum + +commit cf0ea4da4c7df11f7a508b2f37518e0f117f3791 upstream. + +Like many similar devices it needs a quirk to work. +Issuing the request gets the device into an irrecoverable state. + +Signed-off-by: Oliver Neukum +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -168,6 +168,7 @@ + #define USB_DEVICE_ID_ATEN_4PORTKVM 0x2205 + #define USB_DEVICE_ID_ATEN_4PORTKVMC 0x2208 + #define USB_DEVICE_ID_ATEN_CS682 0x2213 ++#define USB_DEVICE_ID_ATEN_CS692 0x8021 + + #define USB_VENDOR_ID_ATMEL 0x03eb + #define USB_DEVICE_ID_ATMEL_MULTITOUCH 0x211c +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -61,6 +61,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVM, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_4PORTKVMC, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS682, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_ATEN, USB_DEVICE_ID_ATEN_CS692, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FIGHTERSTICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_COMBATSTICK, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_CH, USB_DEVICE_ID_CH_FLIGHT_SIM_ECLIPSE_YOKE, HID_QUIRK_NOGET }, diff --git a/queue-4.4/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch b/queue-4.4/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch new file mode 100644 index 00000000000..bc89ed028c8 --- /dev/null +++ b/queue-4.4/kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch @@ -0,0 +1,35 @@ +From d9092f52d7e61dd1557f2db2400ddb430e85937e Mon Sep 17 00:00:00 2001 +From: Owen Hofmann +Date: Thu, 27 Oct 2016 11:25:52 -0700 +Subject: kvm: x86: Check memopp before dereference (CVE-2016-8630) + +From: Owen Hofmann + +commit d9092f52d7e61dd1557f2db2400ddb430e85937e upstream. + +Commit 41061cdb98 ("KVM: emulate: do not initialize memopp") removes a +check for non-NULL under incorrect assumptions. An undefined instruction +with a ModR/M byte with Mod=0 and R/M-5 (e.g. 0xc7 0x15) will attempt +to dereference a null pointer here. + +Fixes: 41061cdb98a0bec464278b4db8e894a3121671f5 +Message-Id: <1477592752-126650-2-git-send-email-osh@google.com> +Signed-off-by: Owen Hofmann +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -5033,7 +5033,7 @@ done_prefixes: + /* Decode and fetch the destination operand: register or memory. */ + rc = decode_operand(ctxt, &ctxt->dst, (ctxt->d >> DstShift) & OpMask); + +- if (ctxt->rip_relative) ++ if (ctxt->rip_relative && likely(ctxt->memopp)) + ctxt->memopp->addr.mem.ea = address_mask(ctxt, + ctxt->memopp->addr.mem.ea + ctxt->_eip); + diff --git a/queue-4.4/pwm-unexport-children-before-chip-removal.patch b/queue-4.4/pwm-unexport-children-before-chip-removal.patch new file mode 100644 index 00000000000..46f9fbd4e0c --- /dev/null +++ b/queue-4.4/pwm-unexport-children-before-chip-removal.patch @@ -0,0 +1,83 @@ +From 0733424c9ba9f42242409d1ece780777272f7ea1 Mon Sep 17 00:00:00 2001 +From: David Hsu +Date: Tue, 9 Aug 2016 14:57:46 -0700 +Subject: pwm: Unexport children before chip removal + +From: David Hsu + +commit 0733424c9ba9f42242409d1ece780777272f7ea1 upstream. + +Exported pwm channels aren't removed before the pwmchip and are +leaked. This results in invalid sysfs files. This fix removes +all exported pwm channels before chip removal. + +Signed-off-by: David Hsu +Fixes: 76abbdde2d95 ("pwm: Add sysfs interface") +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pwm/core.c | 2 ++ + drivers/pwm/sysfs.c | 18 ++++++++++++++++++ + include/linux/pwm.h | 5 +++++ + 3 files changed, 25 insertions(+) + +--- a/drivers/pwm/core.c ++++ b/drivers/pwm/core.c +@@ -321,6 +321,8 @@ int pwmchip_remove(struct pwm_chip *chip + unsigned int i; + int ret = 0; + ++ pwmchip_sysfs_unexport_children(chip); ++ + mutex_lock(&pwm_lock); + + for (i = 0; i < chip->npwm; i++) { +--- a/drivers/pwm/sysfs.c ++++ b/drivers/pwm/sysfs.c +@@ -350,6 +350,24 @@ void pwmchip_sysfs_unexport(struct pwm_c + } + } + ++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) ++{ ++ struct device *parent; ++ unsigned int i; ++ ++ parent = class_find_device(&pwm_class, NULL, chip, ++ pwmchip_sysfs_match); ++ if (!parent) ++ return; ++ ++ for (i = 0; i < chip->npwm; i++) { ++ struct pwm_device *pwm = &chip->pwms[i]; ++ ++ if (test_bit(PWMF_EXPORTED, &pwm->flags)) ++ pwm_unexport_child(parent, pwm); ++ } ++} ++ + static int __init pwm_sysfs_init(void) + { + return class_register(&pwm_class); +--- a/include/linux/pwm.h ++++ b/include/linux/pwm.h +@@ -331,6 +331,7 @@ static inline void pwm_remove_table(stru + #ifdef CONFIG_PWM_SYSFS + void pwmchip_sysfs_export(struct pwm_chip *chip); + void pwmchip_sysfs_unexport(struct pwm_chip *chip); ++void pwmchip_sysfs_unexport_children(struct pwm_chip *chip); + #else + static inline void pwmchip_sysfs_export(struct pwm_chip *chip) + { +@@ -339,6 +340,10 @@ static inline void pwmchip_sysfs_export( + static inline void pwmchip_sysfs_unexport(struct pwm_chip *chip) + { + } ++ ++static inline void pwmchip_sysfs_unexport_children(struct pwm_chip *chip) ++{ ++} + #endif /* CONFIG_PWM_SYSFS */ + + #endif /* __LINUX_PWM_H */ diff --git a/queue-4.4/series b/queue-4.4/series index 9740087136a..4a3dc1a78c3 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -60,3 +60,10 @@ drm-exynos-fix-error-handling-in-exynos_drm_subdrv_open.patch cgroup-avoid-false-positive-gcc-6-warning.patch smc91x-avoid-self-comparison-warning.patch disable-frame-address-warning.patch +ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch +pwm-unexport-children-before-chip-removal.patch +usb-dwc3-fix-size-used-in-dma_free_coherent.patch +tty-vt-fix-bogus-division-in-csi_j.patch +kvm-x86-check-memopp-before-dereference-cve-2016-8630.patch +ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch +hid-usbhid-add-aten-cs962-to-list-of-quirky-devices.patch diff --git a/queue-4.4/tty-vt-fix-bogus-division-in-csi_j.patch b/queue-4.4/tty-vt-fix-bogus-division-in-csi_j.patch new file mode 100644 index 00000000000..88b240f7fab --- /dev/null +++ b/queue-4.4/tty-vt-fix-bogus-division-in-csi_j.patch @@ -0,0 +1,39 @@ +From 42acfc6615f47e465731c263bee0c799edb098f2 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 3 Oct 2016 11:00:17 +0200 +Subject: tty: vt, fix bogus division in csi_J +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jiri Slaby + +commit 42acfc6615f47e465731c263bee0c799edb098f2 upstream. + +In csi_J(3), the third parameter of scr_memsetw (vc_screenbuf_size) is +divided by 2 inappropriatelly. But scr_memsetw expects size, not +count, because it divides the size by 2 on its own before doing actual +memset-by-words. + +So remove the bogus division. + +Signed-off-by: Jiri Slaby +Cc: Petr Písař +Fixes: f8df13e0a9 (tty: Clean console safely) +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -1178,7 +1178,7 @@ static void csi_J(struct vc_data *vc, in + break; + case 3: /* erase scroll-back buffer (and whole display) */ + scr_memsetw(vc->vc_screenbuf, vc->vc_video_erase_char, +- vc->vc_screenbuf_size >> 1); ++ vc->vc_screenbuf_size); + set_origin(vc); + if (CON_IS_VISIBLE(vc)) + update_screen(vc); diff --git a/queue-4.4/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch b/queue-4.4/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch new file mode 100644 index 00000000000..3ddbab28119 --- /dev/null +++ b/queue-4.4/ubi-fastmap-fix-add_vol-return-value-test-in-ubi_attach_fastmap.patch @@ -0,0 +1,49 @@ +From 40b6e61ac72e99672e47cdb99c8d7d226004169b Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 28 Oct 2016 11:08:44 +0200 +Subject: ubi: fastmap: Fix add_vol() return value test in ubi_attach_fastmap() + +From: Boris Brezillon + +commit 40b6e61ac72e99672e47cdb99c8d7d226004169b upstream. + +Commit e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already +exists") introduced a bug by changing the possible error codes returned +by add_vol(): +- this function no longer returns NULL in case of allocation failure + but return ERR_PTR(-ENOMEM) +- when a duplicate entry in the volume RB tree is found it returns + ERR_PTR(-EEXIST) instead of ERR_PTR(-EINVAL) + +Fix the tests done on add_vol() return val to match this new behavior. + +Fixes: e96a8a3bb671 ("UBI: Fastmap: Do not add vol if it already exists") +Reported-by: Dan Carpenter +Signed-off-by: Boris Brezillon +Acked-by: Sheng Yong +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -749,11 +749,11 @@ static int ubi_attach_fastmap(struct ubi + fmvhdr->vol_type, + be32_to_cpu(fmvhdr->last_eb_bytes)); + +- if (!av) +- goto fail_bad; +- if (PTR_ERR(av) == -EINVAL) { +- ubi_err(ubi, "volume (ID %i) already exists", +- fmvhdr->vol_id); ++ if (IS_ERR(av)) { ++ if (PTR_ERR(av) == -EEXIST) ++ ubi_err(ubi, "volume (ID %i) already exists", ++ fmvhdr->vol_id); ++ + goto fail_bad; + } + diff --git a/queue-4.4/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch b/queue-4.4/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch new file mode 100644 index 00000000000..b2161406586 --- /dev/null +++ b/queue-4.4/ubi-fastmap-scrub-peb-when-bitflips-are-detected-in-a-free-peb-ec-header.patch @@ -0,0 +1,40 @@ +From ecbfa8eabae9cd73522d1d3d15869703c263d859 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Fri, 16 Sep 2016 16:59:12 +0200 +Subject: UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header + +From: Boris Brezillon + +commit ecbfa8eabae9cd73522d1d3d15869703c263d859 upstream. + +scan_pool() does not mark the PEB for scrubing when bitflips are +detected in the EC header of a free PEB (VID header region left to +0xff). +Make sure we scrub the PEB in this case. + +Signed-off-by: Boris Brezillon +Fixes: dbb7d2a88d2a ("UBI: Add fastmap core") +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/fastmap.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/ubi/fastmap.c ++++ b/drivers/mtd/ubi/fastmap.c +@@ -513,10 +513,11 @@ static int scan_pool(struct ubi_device * + unsigned long long ec = be64_to_cpu(ech->ec); + unmap_peb(ai, pnum); + dbg_bld("Adding PEB to free: %i", pnum); ++ + if (err == UBI_IO_FF_BITFLIPS) +- add_aeb(ai, free, pnum, ec, 1); +- else +- add_aeb(ai, free, pnum, ec, 0); ++ scrub = 1; ++ ++ add_aeb(ai, free, pnum, ec, scrub); + continue; + } else if (err == 0 || err == UBI_IO_BITFLIPS) { + dbg_bld("Found non empty PEB:%i in pool", pnum); diff --git a/queue-4.4/usb-dwc3-fix-size-used-in-dma_free_coherent.patch b/queue-4.4/usb-dwc3-fix-size-used-in-dma_free_coherent.patch new file mode 100644 index 00000000000..caee36e2679 --- /dev/null +++ b/queue-4.4/usb-dwc3-fix-size-used-in-dma_free_coherent.patch @@ -0,0 +1,63 @@ +From 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Fri, 7 Oct 2016 22:12:39 +0200 +Subject: usb: dwc3: Fix size used in dma_free_coherent() + +From: Christophe JAILLET + +commit 51fbc7c06c8900370c6da5fc4a4685add8fa4fb0 upstream. + +In commit 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support"), the +size of the memory allocated with 'dma_alloc_coherent()' has been modified +but the corresponding calls to 'dma_free_coherent()' have not been updated +accordingly. + +This has been spotted with coccinelle, using the following script: +//////////////////// +@r@ +expression x0, x1, y0, y1, z0, z1, t0, t1, ret; +@@ + +* ret = dma_alloc_coherent(x0, y0, z0, t0); + ... +* dma_free_coherent(x1, y1, ret, t1); + +@script:python@ +y0 << r.y0; +y1 << r.y1; + +@@ +if y1.find(y0) == -1: + print "WARNING: sizes look different: '%s' vs '%s'" % (y0, y1) +//////////////////// + +Fixes: 2abd9d5fa60f9 ("usb: dwc3: ep0: Add chained TRB support") + +Signed-off-by: Christophe JAILLET +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -2845,7 +2845,7 @@ err3: + kfree(dwc->setup_buf); + + err2: +- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb), ++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2, + dwc->ep0_trb, dwc->ep0_trb_addr); + + err1: +@@ -2869,7 +2869,7 @@ void dwc3_gadget_exit(struct dwc3 *dwc) + + kfree(dwc->setup_buf); + +- dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb), ++ dma_free_coherent(dwc->dev, sizeof(*dwc->ep0_trb) * 2, + dwc->ep0_trb, dwc->ep0_trb_addr); + + dma_free_coherent(dwc->dev, sizeof(*dwc->ctrl_req),