From: Greg Kroah-Hartman Date: Wed, 28 Nov 2018 10:48:50 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.19.6~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9a7cb72c5ce599396f9d7dfc8332a845327292a2;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch bfs-add-sanity-check-at-bfs_fill_super.patch can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch drm-ast-change-resolution-may-cause-screen-blurred.patch drm-ast-fixed-cursor-may-disappear-sometimes.patch drm-ast-remove-existing-framebuffers-before-loading-driver.patch gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch llc-do-not-use-sk_eat_skb.patch maintainers-add-sasha-as-a-stable-branch-maintainer.patch sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch usb-core-fix-hub-port-connection-events-lost.patch usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch --- diff --git a/queue-4.4/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch b/queue-4.4/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch new file mode 100644 index 00000000000..5bf57bcd5c4 --- /dev/null +++ b/queue-4.4/alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch 
@@ -0,0 +1,73 @@ +From 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 9 Nov 2018 11:59:45 +0100 +Subject: ALSA: oss: Use kvzalloc() for local buffer allocations + +From: Takashi Iwai + +commit 65766ee0bf7fe8b3be80e2e1c3ef54ad59b29476 upstream. + +PCM OSS layer may allocate a few temporary buffers, one for the core +read/write and another for the conversions via plugins. Currently +both are allocated via vmalloc(). But as the allocation size is +equivalent with the PCM period size, the required size might be quite +small, depending on the application. + +This patch replaces these vmalloc() calls with kvzalloc() for covering +small period sizes better. Also, we use "z"-alloc variant here for +addressing the possible uninitialized access reported by syzkaller. + +Reported-by: syzbot+1cb36954e127c98dd037@syzkaller.appspotmail.com +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/oss/pcm_oss.c | 6 +++--- + sound/core/oss/pcm_plugin.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -1072,8 +1072,8 @@ static int snd_pcm_oss_change_params_loc + runtime->oss.channels = params_channels(params); + runtime->oss.rate = params_rate(params); + +- vfree(runtime->oss.buffer); +- runtime->oss.buffer = vmalloc(runtime->oss.period_bytes); ++ kvfree(runtime->oss.buffer); ++ runtime->oss.buffer = kvzalloc(runtime->oss.period_bytes, GFP_KERNEL); + if (!runtime->oss.buffer) { + err = -ENOMEM; + goto failure; +@@ -2379,7 +2379,7 @@ static void snd_pcm_oss_release_substrea + { + struct snd_pcm_runtime *runtime; + runtime = substream->runtime; +- vfree(runtime->oss.buffer); ++ kvfree(runtime->oss.buffer); + runtime->oss.buffer = NULL; + #ifdef CONFIG_SND_PCM_OSS_PLUGINS + snd_pcm_oss_plugin_clear(substream); +--- a/sound/core/oss/pcm_plugin.c ++++ b/sound/core/oss/pcm_plugin.c +@@ -66,8 +66,8 @@ static int 
snd_pcm_plugin_alloc(struct s + return -ENXIO; + size /= 8; + if (plugin->buf_frames < frames) { +- vfree(plugin->buf); +- plugin->buf = vmalloc(size); ++ kvfree(plugin->buf); ++ plugin->buf = kvzalloc(size, GFP_KERNEL); + plugin->buf_frames = frames; + } + if (!plugin->buf) { +@@ -191,7 +191,7 @@ int snd_pcm_plugin_free(struct snd_pcm_p + if (plugin->private_free) + plugin->private_free(plugin); + kfree(plugin->buf_channels); +- vfree(plugin->buf); ++ kvfree(plugin->buf); + kfree(plugin); + return 0; + } diff --git a/queue-4.4/bfs-add-sanity-check-at-bfs_fill_super.patch b/queue-4.4/bfs-add-sanity-check-at-bfs_fill_super.patch new file mode 100644 index 00000000000..258112bfddf --- /dev/null +++ b/queue-4.4/bfs-add-sanity-check-at-bfs_fill_super.patch 
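Review bot: The new calls `kvzalloc(runtime->oss.period_bytes, GFP_KERNEL)` and `kvzalloc(size, GFP_KERNEL)` are carried over verbatim from upstream, but as far as I recall the kv[mz]alloc helpers were added upstream well after the 4.4 base, so unless 4.4.y already carries a backport this entry will not build and should be compile-tested before release; if the helper is missing, `vzalloc()` with the existing `vfree()` kept is the tree-local equivalent and still delivers the zeroing. The zeroing is the security-relevant part of this change — the description ties it to a syzkaller-reported uninitialized access, and since these buffers sit on the OSS read/write path the stale contents presumably reach user space — so a backporter must not drop the "z" variant when resolving the build issue. A note about this dependency in the queue file would help the next stable branch. Both modified functions (`snd_pcm_oss_change_params_locked` and `snd_pcm_plugin_alloc`) begin and end outside the inner hunks.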
@@ -0,0 +1,57 @@ +From 9f2df09a33aa2c76ce6385d382693f98d7f2f07e Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 2 Nov 2018 15:48:42 -0700 +Subject: bfs: add sanity check at bfs_fill_super() + +From: Tetsuo Handa + +commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream. + +syzbot is reporting too large memory allocation at bfs_fill_super() [1]. +Since file system image is corrupted such that bfs_sb->s_start == 0, +bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix +this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and +printf(). + +[1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 + +Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Reviewed-by: Andrew Morton +Cc: Tigran Aivazian +Cc: Matthew Wilcox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bfs/inode.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/bfs/inode.c ++++ b/fs/bfs/inode.c +@@ -350,7 +350,8 @@ static int bfs_fill_super(struct super_b + + s->s_magic = BFS_MAGIC; + +- if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end)) { ++ if (le32_to_cpu(bfs_sb->s_start) > le32_to_cpu(bfs_sb->s_end) || ++ le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE) { + printf("Superblock is corrupted\n"); + goto out1; + } +@@ -359,9 +360,11 @@ static int bfs_fill_super(struct super_b + sizeof(struct bfs_inode) + + BFS_ROOT_INO - 1; + imap_len = (info->si_lasti / 8) + 1; +- info->si_imap = kzalloc(imap_len, GFP_KERNEL); +- if (!info->si_imap) ++ info->si_imap = kzalloc(imap_len, GFP_KERNEL | __GFP_NOWARN); ++ if (!info->si_imap) { ++ printf("Cannot allocate %u bytes\n", imap_len); + goto out1; ++ } + for (i = 0; i < BFS_ROOT_INO; i++) + set_bit(i, info->si_imap); + 
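Review bot: The added lower bound `le32_to_cpu(bfs_sb->s_start) < BFS_BSIZE` stops the unsigned underflow that produced the 8MB request, but the only upper bound on `s_start` remains `s_start <= s_end`, and `s_end` comes from the same untrusted image; a large `s_start` therefore still yields a large `imap_len` (the `si_lasti` expression starts above the hunk), which the new `__GFP_NOWARN` turns into a quiet allocation failure rather than preventing. That is acceptable hardening, but the description should say that oversized images now fail silently, or the check could additionally reject an `s_end` beyond the backing device size so the allocation is bounded by something the attacker does not control. The `printf("Cannot allocate %u bytes\n", imap_len)` format matches `imap_len` only if it is declared `unsigned` above the hunk, which looks to be the case but is not visible here. `bfs_fill_super()` and its `out1` cleanup path are outside the inner hunks.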
diff --git a/queue-4.4/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch b/queue-4.4/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch new file mode 100644 index 00000000000..e4e99fc0bd8 --- /dev/null +++ b/queue-4.4/can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch @@ -0,0 +1,36 @@ +From e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 14:05:26 +0100 +Subject: can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds + +From: Marc Kleine-Budde + +commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream. + +If the "struct can_priv::echo_skb" is accessed out of bounds would lead +to a kernel crash. Better print a sensible warning message instead and +try to recover. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -427,7 +427,11 @@ struct sk_buff *__can_get_echo_skb(struc + { + struct can_priv *priv = netdev_priv(dev); + +- BUG_ON(idx >= priv->echo_skb_max); ++ if (idx >= priv->echo_skb_max) { ++ netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", ++ __func__, idx, priv->echo_skb_max); ++ return NULL; ++ } + + if (priv->echo_skb[idx]) { + /* Using "struct canfd_frame::len" for the frame diff --git a/queue-4.4/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch b/queue-4.4/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch new file mode 100644 index 00000000000..1d361bf44db --- /dev/null +++ b/queue-4.4/can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch 
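Review bot: Replacing `BUG_ON(idx >= priv->echo_skb_max)` with a bare `netdev_err()` and `return NULL` loses the stack trace that pointed at the misbehaving driver, and an unratelimited error on what is typically a TX-completion interrupt path can flood the log if a driver hits it on every frame. Keeping the backtrace while staying non-fatal is one line, `if (WARN_ONCE(idx >= priv->echo_skb_max, "idx %u >= echo_skb_max %u\n", idx, priv->echo_skb_max)) return NULL;`, or the existing message can be wrapped in `if (net_ratelimit())`. Every caller must now tolerate a NULL return; `can_get_echo_skb()` does so in the factor-out patch of this series, but other in-tree callers are not visible here. The function continues past the inner hunk.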
@@ -0,0 +1,70 @@ +From 7da11ba5c5066dadc2e96835a6233d56d7b7764a Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 14:15:13 +0100 +Subject: can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb + +From: Marc Kleine-Budde + +commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream. + +Prior to echoing a successfully transmitted CAN frame (by calling +can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling +can_put_echo_skb() in the transmit function). These put and get function +take an index as parameter, which is used to identify the CAN frame. + +A driver calling can_get_echo_skb() with a index not pointing to a skb +is a BUG, so add an appropriate error message. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 27 ++++++++++++++------------- + 1 file changed, 14 insertions(+), 13 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -426,6 +426,8 @@ EXPORT_SYMBOL_GPL(can_put_echo_skb); + struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); ++ struct sk_buff *skb = priv->echo_skb[idx]; ++ struct canfd_frame *cf; + + if (idx >= priv->echo_skb_max) { + netdev_err(dev, "%s: BUG! Trying to access can_priv::echo_skb out of bounds (%u/max %u)\n", +@@ -433,21 +435,20 @@ struct sk_buff *__can_get_echo_skb(struc + return NULL; + } + +- if (priv->echo_skb[idx]) { +- /* Using "struct canfd_frame::len" for the frame +- * length is supported on both CAN and CANFD frames. +- */ +- struct sk_buff *skb = priv->echo_skb[idx]; +- struct canfd_frame *cf = (struct canfd_frame *)skb->data; +- u8 len = cf->len; +- +- *len_ptr = len; +- priv->echo_skb[idx] = NULL; +- +- return skb; ++ if (!skb) { ++ netdev_err(dev, "%s: BUG! 
Trying to echo non existing skb: can_priv::echo_skb[%u]\n", ++ __func__, idx); ++ return NULL; + } + +- return NULL; ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ ++ cf = (struct canfd_frame *)skb->data; ++ *len_ptr = cf->len; ++ priv->echo_skb[idx] = NULL; ++ ++ return skb; + } + + /* diff --git a/queue-4.4/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch b/queue-4.4/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch new file mode 100644 index 00000000000..a39b72a6517 --- /dev/null +++ b/queue-4.4/can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch 
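Review bot: The new declaration `struct sk_buff *skb = priv->echo_skb[idx];` sits above the `if (idx >= priv->echo_skb_max)` guard, so the array is now read with the unchecked index before the bounds check runs — exactly the out-of-bounds access the preceding patch in this series was added to prevent, turned from a crash into a silent read past `echo_skb[]` inside `can_priv`. Declare it uninitialized, `struct sk_buff *skb;`, and load it after the guard block with `skb = priv->echo_skb[idx];` immediately before the new `if (!skb)` test. The two inner hunks omit the middle of the bounds-check block, so the fix straddles them.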
@@ -0,0 +1,43 @@ +From 200f5c49f7a2cd694436bfc6cb0662b794c96736 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 11:08:21 +0100 +Subject: can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length + +From: Marc Kleine-Budde + +commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream. + +This patch replaces the use of "struct can_frame::can_dlc" by "struct +canfd_frame::len" to access the frame's length. As it is ensured that +both structures have a compatible memory layout for this member this is +no functional change. Futher, this compatibility is documented in a +comment. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -430,11 +430,14 @@ struct sk_buff *__can_get_echo_skb(struc + BUG_ON(idx >= priv->echo_skb_max); + + if (priv->echo_skb[idx]) { ++ /* Using "struct canfd_frame::len" for the frame ++ * length is supported on both CAN and CANFD frames. ++ */ + struct sk_buff *skb = priv->echo_skb[idx]; +- struct can_frame *cf = (struct can_frame *)skb->data; +- u8 dlc = cf->can_dlc; ++ struct canfd_frame *cf = (struct canfd_frame *)skb->data; ++ u8 len = cf->len; + +- *len_ptr = dlc; ++ *len_ptr = len; + priv->echo_skb[idx] = NULL; + + return skb; diff --git a/queue-4.4/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch b/queue-4.4/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch new file mode 100644 index 00000000000..80347bc0e3f --- /dev/null +++ b/queue-4.4/can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch 
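Review bot: The new comment `Using "struct canfd_frame::len" for the frame length is supported on both CAN and CANFD frames` documents a uapi layout invariant the cast now silently relies on, but nothing enforces it; a `BUILD_BUG_ON(offsetof(struct can_frame, can_dlc) != offsetof(struct canfd_frame, len));` next to the cast would turn a future header change into a build failure instead of a wrong length handed to every `can_get_echo_skb()` caller. This hunk still carries the `BUG_ON(idx >= priv->echo_skb_max)` context that a later patch in the series replaces, so the ordering in `series` (this patch before the don't-crash one) is correct and must be preserved. The function continues outside the inner hunk.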
@@ -0,0 +1,88 @@ +From a4310fa2f24687888ce80fdb0e88583561a23700 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Wed, 31 Oct 2018 10:37:46 +0100 +Subject: can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() + +From: Marc Kleine-Budde + +commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream. + +This patch factors out all non sending parts of can_get_echo_skb() into +a seperate function __can_get_echo_skb(), so that it can be re-used in +an upcoming patch. + +Cc: linux-stable +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/dev.c | 36 +++++++++++++++++++++++++----------- + include/linux/can/dev.h | 1 + + 2 files changed, 26 insertions(+), 11 deletions(-) + +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -423,14 +423,7 @@ void can_put_echo_skb(struct sk_buff *sk + } + EXPORT_SYMBOL_GPL(can_put_echo_skb); + +-/* +- * Get the skb from the stack and loop it back locally +- * +- * The function is typically called when the TX done interrupt +- * is handled in the device driver. The driver must protect +- * access to priv->echo_skb, if necessary. +- */ +-unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) ++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr) + { + struct can_priv *priv = netdev_priv(dev); + +@@ -441,13 +434,34 @@ unsigned int can_get_echo_skb(struct net + struct can_frame *cf = (struct can_frame *)skb->data; + u8 dlc = cf->can_dlc; + +- netif_rx(priv->echo_skb[idx]); ++ *len_ptr = dlc; + priv->echo_skb[idx] = NULL; + +- return dlc; ++ return skb; + } + +- return 0; ++ return NULL; ++} ++ ++/* ++ * Get the skb from the stack and loop it back locally ++ * ++ * The function is typically called when the TX done interrupt ++ * is handled in the device driver. The driver must protect ++ * access to priv->echo_skb, if necessary. 
++ */ ++unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx) ++{ ++ struct sk_buff *skb; ++ u8 len; ++ ++ skb = __can_get_echo_skb(dev, idx, &len); ++ if (!skb) ++ return 0; ++ ++ netif_rx(skb); ++ ++ return len; + } + EXPORT_SYMBOL_GPL(can_get_echo_skb); + +--- a/include/linux/can/dev.h ++++ b/include/linux/can/dev.h +@@ -154,6 +154,7 @@ void can_change_state(struct net_device + + void can_put_echo_skb(struct sk_buff *skb, struct net_device *dev, + unsigned int idx); ++struct sk_buff *__can_get_echo_skb(struct net_device *dev, unsigned int idx, u8 *len_ptr); + unsigned int can_get_echo_skb(struct net_device *dev, unsigned int idx); + void can_free_echo_skb(struct net_device *dev, unsigned int idx); + diff --git a/queue-4.4/drm-ast-change-resolution-may-cause-screen-blurred.patch b/queue-4.4/drm-ast-change-resolution-may-cause-screen-blurred.patch new file mode 100644 index 00000000000..721291e4acd --- /dev/null +++ b/queue-4.4/drm-ast-change-resolution-may-cause-screen-blurred.patch @@ -0,0 +1,36 @@ +From 1a37bd823891568f8721989aed0615835632d81a Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Wed, 3 Oct 2018 14:57:47 +0800 +Subject: drm/ast: change resolution may cause screen blurred + +From: Y.C. Chen + +commit 1a37bd823891568f8721989aed0615835632d81a upstream. + +The value of pitches is not correct while calling mode_set. +The issue we found so far on following system: +- Debian8 with XFCE Desktop +- Ubuntu with KDE Desktop +- SUSE15 with KDE Desktop + +Signed-off-by: Y.C. Chen +Cc: +Tested-by: Jean Delvare +Reviewed-by: Jean Delvare +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -552,6 +552,7 @@ static int ast_crtc_do_set_base(struct d + } + ast_bo_unreserve(bo); + ++ ast_set_offset_reg(crtc); + ast_set_start_address_crt1(crtc, (u32)gpu_addr); + + return 0; 
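Review bot: `__can_get_echo_skb()` is added to `include/linux/can/dev.h` as a public declaration, yet the hunk adds no `EXPORT_SYMBOL_GPL(__can_get_echo_skb);` beside the existing `EXPORT_SYMBOL_GPL(can_get_echo_skb);`, so a modular driver that takes the header at its word cannot link against it; either export it or leave the declaration out until the in-tree caller the description promises arrives. The helper also has no comment while the original doc block was moved onto the wrapper; a short one, `/* Fetch and clear echo_skb[idx]; store the frame length in *len_ptr and return the skb, or NULL if none. The caller owns the returned skb and must loop it back. */`, would state the ownership transfer that `netif_rx(skb)` in the wrapper depends on. Note the helper still reads `cf->can_dlc` here; the next patch in the series changes that.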
diff --git a/queue-4.4/drm-ast-fixed-cursor-may-disappear-sometimes.patch b/queue-4.4/drm-ast-fixed-cursor-may-disappear-sometimes.patch new file mode 100644 index 00000000000..394a4d88946 --- /dev/null +++ b/queue-4.4/drm-ast-fixed-cursor-may-disappear-sometimes.patch @@ -0,0 +1,30 @@ +From 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 Mon Sep 17 00:00:00 2001 +From: "Y.C. Chen" +Date: Tue, 30 Oct 2018 11:34:46 +0800 +Subject: drm/ast: fixed cursor may disappear sometimes + +From: Y.C. Chen + +commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream. + +Signed-off-by: Y.C. Chen +Cc: +Reviewed-by: Dave Airlie +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_mode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_mode.c ++++ b/drivers/gpu/drm/ast/ast_mode.c +@@ -1250,7 +1250,7 @@ static int ast_cursor_move(struct drm_cr + ast_set_index_reg(ast, AST_IO_CRTC_PORT, 0xc7, ((y >> 8) & 0x07)); + + /* dummy write to fire HWC */ +- ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00); ++ ast_show_cursor(crtc); + + return 0; + } diff --git a/queue-4.4/drm-ast-remove-existing-framebuffers-before-loading-driver.patch b/queue-4.4/drm-ast-remove-existing-framebuffers-before-loading-driver.patch new file mode 100644 index 00000000000..cba1a490ce6 --- /dev/null +++ b/queue-4.4/drm-ast-remove-existing-framebuffers-before-loading-driver.patch 
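Review bot: The raw `ast_set_index_reg_mask(ast, AST_IO_CRTC_PORT, 0xCB, 0xFF, 0x00)` is replaced by `ast_show_cursor(crtc)` with an empty commit body, so a stable reviewer cannot tell whether this corrects the register sequence or changes behaviour by forcing the cursor visible on every move. One sentence in the description, and an update of the now-stale context comment `/* dummy write to fire HWC */` to say what `ast_show_cursor()` does for the hardware cursor, would make the intent checkable. `ast_cursor_move()` starts outside the inner hunk.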
@@ -0,0 +1,63 @@ +From 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a Mon Sep 17 00:00:00 2001 +From: Thomas Zimmermann +Date: Thu, 15 Nov 2018 11:42:16 +0100 +Subject: drm/ast: Remove existing framebuffers before loading driver + +From: Thomas Zimmermann + +commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream. + +If vesafb attaches to the AST device, it configures the framebuffer memory +for uncached access by default. When ast.ko later tries to attach itself to +the device, it wants to use write-combining on the framebuffer memory, but +vesefb's existing configuration for uncached access takes precedence. This +results in reduced performance. + +Removing the framebuffer's configuration before loding the AST driver fixes +the problem. Other DRM drivers already contain equivalent code. + +Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963 +Signed-off-by: Thomas Zimmermann +Cc: +Tested-by: Y.C. Chen +Reviewed-by: Jean Delvare +Tested-by: Jean Delvare +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_drv.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/gpu/drm/ast/ast_drv.c ++++ b/drivers/gpu/drm/ast/ast_drv.c +@@ -60,8 +60,29 @@ static const struct pci_device_id pciidl + + MODULE_DEVICE_TABLE(pci, pciidlist); + ++static void ast_kick_out_firmware_fb(struct pci_dev *pdev) ++{ ++ struct apertures_struct *ap; ++ bool primary = false; ++ ++ ap = alloc_apertures(1); ++ if (!ap) ++ return; ++ ++ ap->ranges[0].base = pci_resource_start(pdev, 0); ++ ap->ranges[0].size = pci_resource_len(pdev, 0); ++ ++#ifdef CONFIG_X86 ++ primary = pdev->resource[PCI_ROM_RESOURCE].flags & IORESOURCE_ROM_SHADOW; ++#endif ++ drm_fb_helper_remove_conflicting_framebuffers(ap, "astdrmfb", primary); ++ kfree(ap); ++} ++ + static int ast_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + { ++ ast_kick_out_firmware_fb(pdev); ++ + return drm_get_pci_dev(pdev, ent, &driver); + } + 
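Review bot: `ast_kick_out_firmware_fb()` calls `drm_fb_helper_remove_conflicting_framebuffers()`, which as far as I can tell is newer than the 4.4 tree's `drm_fb_helper.h`, so this queue entry should be build-tested against 4.4.y; if the helper is absent, `remove_conflicting_framebuffers(ap, "astdrmfb", primary)` from `<linux/fb.h>` is the form drivers of that era use and is a drop-in here. The new function itself is sound — the `alloc_apertures(1)` failure path returns early and `ap` is freed on the normal path — and `ast_pci_probe()` is fully visible and only gains the call. A one-line comment on why the firmware framebuffer must go first (the description's uncached-versus-write-combining conflict) would keep that rationale with the code.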
diff --git a/queue-4.4/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch b/queue-4.4/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch new file mode 100644 index 00000000000..415f34d81c2 --- /dev/null +++ b/queue-4.4/gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch @@ -0,0 +1,40 @@ +From 4c62bd9cea7bcf10292f7e4c57a2bca332942697 Mon Sep 17 00:00:00 2001 +From: Andrew Price +Date: Mon, 8 Oct 2018 07:52:43 -0500 +Subject: gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd + +From: Andrew Price + +commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream. + +When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points +to the same address. Move the assignment after that error check so that +s_fs_info can only point to a valid sdp or NULL, which is checked for +later in the error path, in gfs2_kill_super(). + +Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com +Signed-off-by: Andrew Price +Signed-off-by: Bob Peterson +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/ops_fstype.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/ops_fstype.c ++++ b/fs/gfs2/ops_fstype.c +@@ -71,13 +71,13 @@ static struct gfs2_sbd *init_sbd(struct + if (!sdp) + return NULL; + +- sb->s_fs_info = sdp; + sdp->sd_vfs = sb; + sdp->sd_lkstats = alloc_percpu(struct gfs2_pcpu_lkstats); + if (!sdp->sd_lkstats) { + kfree(sdp); + return NULL; + } ++ sb->s_fs_info = sdp; + + set_bit(SDF_NOJOURNALID, &sdp->sd_flags); + gfs2_tune_init(&sdp->sd_tune); diff --git a/queue-4.4/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch b/queue-4.4/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch new file mode 100644 index 00000000000..905ebd9d279 --- /dev/null +++ b/queue-4.4/iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch 
@@ -0,0 +1,36 @@ +From ec484d03ef0df8d34086b95710e355a259cbe1f2 Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Thu, 16 Aug 2018 13:25:48 +0300 +Subject: iwlwifi: mvm: support sta_statistics() even on older firmware + +From: Emmanuel Grumbach + +commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream. + +The oldest firmware supported by iwlmvm do support getting +the average beacon RSSI. Enable the sta_statistics() call +from mac80211 even on older firmware versions. + +Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client") +Cc: stable@vger.kernel.org # 4.2+ +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/mac80211.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c +@@ -4050,10 +4050,6 @@ static void iwl_mvm_mac_sta_statistics(s + struct iwl_mvm_vif *mvmvif = iwl_mvm_vif_from_mac80211(vif); + struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta); + +- if (!fw_has_capa(&mvm->fw->ucode_capa, +- IWL_UCODE_TLV_CAPA_RADIO_BEACON_STATS)) +- return; +- + /* if beacon filtering isn't on mac80211 does it anyway */ + if (!(vif->driver_flags & IEEE80211_VIF_BEACON_FILTER)) + return; diff --git a/queue-4.4/llc-do-not-use-sk_eat_skb.patch b/queue-4.4/llc-do-not-use-sk_eat_skb.patch new file mode 100644 index 00000000000..30e79f2f3a9 --- /dev/null +++ b/queue-4.4/llc-do-not-use-sk_eat_skb.patch 
@@ -0,0 +1,164 @@ +From 604d415e2bd642b7e02c80e719e0396b9d4a77a6 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 22 Oct 2018 09:24:27 -0700 +Subject: llc: do not use sk_eat_skb() + +From: Eric Dumazet + +commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream. + +syzkaller triggered a use-after-free [1], caused by a combination of +skb_get() in llc_conn_state_process() and usage of sk_eat_skb() + +sk_eat_skb() is assuming the skb about to be freed is only used by +the current thread. TCP/DCCP stacks enforce this because current +thread holds the socket lock. + +llc_conn_state_process() wants to make sure skb does not disappear, +and holds a reference on the skb it manipulates. But as soon as this +skb is added to socket receive queue, another thread can consume it. + +This means that llc must use regular skb_unlink() and kfree_skb() +so that both producer and consumer can safely work on the same skb. + +[1] +BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] +BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] +BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] +BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 +Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 + +CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 + print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 + atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] + 
refcount_read include/linux/refcount.h:43 [inline] + skb_unref include/linux/skbuff.h:967 [inline] + kfree_skb+0xb7/0x580 net/core/skbuff.c:655 + llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 + llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 + llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 + llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 + smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 + kthread+0x35a/0x420 kernel/kthread.c:246 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 + +Allocated by task 18: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 + kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 + __alloc_skb+0x119/0x770 net/core/skbuff.c:193 + alloc_skb include/linux/skbuff.h:995 [inline] + llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 + llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] + llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 + llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 + __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 + __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 + process_backlog+0x218/0x6f0 net/core/dev.c:5829 + napi_poll net/core/dev.c:6249 [inline] + net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 + __do_softirq+0x30c/0xb03 kernel/softirq.c:292 + +Freed by task 16383: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 + kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 + __cache_free mm/slab.c:3498 [inline] + 
kmem_cache_free+0x83/0x290 mm/slab.c:3756 + kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 + __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 + sk_eat_skb include/net/sock.h:2366 [inline] + llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 + sock_recvmsg_nosec net/socket.c:794 [inline] + sock_recvmsg+0xd0/0x110 net/socket.c:801 + ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 + __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 + do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 + __do_sys_recvmmsg net/socket.c:2484 [inline] + __se_sys_recvmmsg net/socket.c:2480 [inline] + __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8801d1f6fac0 + which belongs to the cache skbuff_head_cache of size 232 +The buggy address is located 228 bytes inside of + 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) +The buggy address belongs to the page: +page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 +flags: 0x2fffc0000000100(slab) +raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 +raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +>ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc + ^ + ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/af_llc.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -726,7 +726,6 @@ static int llc_ui_recvmsg(struct socket + struct sk_buff *skb = NULL; + struct sock *sk = sock->sk; + struct llc_sock *llc = llc_sk(sk); +- unsigned long cpu_flags; + size_t copied = 0; + u32 peek_seq = 0; + u32 *seq, skb_len; +@@ -851,9 +850,8 @@ static int llc_ui_recvmsg(struct socket + goto copy_uaddr; + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + +@@ -874,9 +872,8 @@ copy_uaddr: + llc_cmsg_rcv(msg, skb); + + if (!(flags & MSG_PEEK)) { +- spin_lock_irqsave(&sk->sk_receive_queue.lock, cpu_flags); +- sk_eat_skb(sk, skb); +- spin_unlock_irqrestore(&sk->sk_receive_queue.lock, cpu_flags); ++ skb_unlink(skb, &sk->sk_receive_queue); ++ kfree_skb(skb); + *seq = 0; + } + diff --git a/queue-4.4/maintainers-add-sasha-as-a-stable-branch-maintainer.patch b/queue-4.4/maintainers-add-sasha-as-a-stable-branch-maintainer.patch new file mode 100644 index 00000000000..76be3a6174e --- /dev/null +++ b/queue-4.4/maintainers-add-sasha-as-a-stable-branch-maintainer.patch 
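Review bot: The two new `skb_unlink(skb, &sk->sk_receive_queue); kfree_skb(skb);` pairs are correct but carry no comment, and the reason is subtle enough — per the description another reference may be held by `llc_conn_state_process()` — that the next reader will be tempted to "simplify" back to `sk_eat_skb()`. A comment above the first pair, `/* Not sk_eat_skb(): llc_conn_state_process() may still hold a reference, so the skb is not exclusively ours to free. */`, documents the invariant where it matters. Dropping `cpu_flags` and the explicit `sk_receive_queue.lock` section looks right since `skb_unlink()` presumably takes the queue lock itself, but that is not visible in the hunk. `llc_ui_recvmsg()` starts and ends outside the inner hunks.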
@@ -0,0 +1,31 @@ +From cb5d21946d2a2f4687c482ab4604af1d29dac35a Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 15 Nov 2018 15:03:24 -0800 +Subject: MAINTAINERS: Add Sasha as a stable branch maintainer + +From: Greg Kroah-Hartman + +commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream. + +Sasha has somehow been convinced into helping me with the stable kernel +maintenance. Codify this slip in good judgement before he realizes what +he really signed up for :) + +Signed-off-by: Greg Kroah-Hartman +Acked-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 1 + + 1 file changed, 1 insertion(+) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -10135,6 +10135,7 @@ F: arch/alpha/kernel/srm_env.c + + STABLE BRANCH + M: Greg Kroah-Hartman ++M: Sasha Levin + L: stable@vger.kernel.org + S: Supported + F: Documentation/stable_kernel_rules.txt diff --git a/queue-4.4/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch b/queue-4.4/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch new file mode 100644 index 00000000000..7d0a4cffebb --- /dev/null +++ b/queue-4.4/sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch 
@@ -0,0 +1,59 @@
+From df132eff463873e14e019a07f387b4d577d6d1f9 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Mon, 29 Oct 2018 23:10:29 +0800
+Subject: sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
+
+From: Xin Long
+
+commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.
+
+If a transport is removed by asconf but there still are some chunks with
+this transport queuing on out_chunk_list, later an use-after-free issue
+will be caused when accessing this transport from these chunks in
+sctp_outq_flush().
+
+This is an old bug, we fix it by clearing the transport of these chunks
+in out_chunk_list when removing a transport in sctp_assoc_rm_peer().
+
+Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sctp/associola.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/net/sctp/associola.c
++++ b/net/sctp/associola.c
+@@ -486,8 +486,9 @@ void sctp_assoc_set_primary(struct sctp_
+ void sctp_assoc_rm_peer(struct sctp_association *asoc,
+ struct sctp_transport *peer)
+ {
+- struct list_head *pos;
+- struct sctp_transport *transport;
++ struct sctp_transport *transport;
++ struct list_head *pos;
++ struct sctp_chunk *ch;
+
+ pr_debug("%s: association:%p addr:%pISpc\n",
+ __func__, asoc, &peer->ipaddr.sa);
+@@ -543,7 +544,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ */
+ if (!list_empty(&peer->transmitted)) {
+ struct sctp_transport *active = asoc->peer.active_path;
+- struct sctp_chunk *ch;
+
+ /* Reset the transport of each chunk on this list */
+ list_for_each_entry(ch, &peer->transmitted,
+@@ -565,6 +565,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
+ sctp_transport_hold(active);
+ }
+
++ list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
++ if (ch->transport == peer)
++ ch->transport = NULL;
++
+ asoc->peer.transport_count--;
+
+ sctp_transport_free(peer);
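Review bot: The new loop over asoc->outqueue.out_chunk_list at the tail of sctp_assoc_rm_peer() carries no comment, while the sibling loop over peer->transmitted a few lines above is introduced by `/* Reset the transport of each chunk on this list */`; the reason for the new one lives only in the commit message, so a reader of the stable tree will not see why the pointer must be dropped before sctp_transport_free(peer) runs. I would add `/* Chunks still queued for sending may point at @peer; clear them so sctp_outq_flush() never dereferences the freed transport. */` above the `list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)` line. Only out_chunk_list is scanned here; whether chunks on the other outqueue lists can also hold a reference to a transport removed via ASCONF is not visible in this hunk and should be confirmed rather than assumed. sctp_assoc_rm_peer() begins in the first hunk of this patch and its body continues past the last context line shown.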
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..d97e262cb25
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,17 @@
+usb-core-fix-hub-port-connection-events-lost.patch
+usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch
+alsa-oss-use-kvzalloc-for-local-buffer-allocations.patch
+maintainers-add-sasha-as-a-stable-branch-maintainer.patch
+iwlwifi-mvm-support-sta_statistics-even-on-older-firmware.patch
+v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
+bfs-add-sanity-check-at-bfs_fill_super.patch
+sctp-clear-the-transport-of-some-out_chunk_list-chunks-in-sctp_assoc_rm_peer.patch
+gfs2-don-t-leave-s_fs_info-pointing-to-freed-memory-in-init_sbd.patch
+llc-do-not-use-sk_eat_skb.patch
+drm-ast-change-resolution-may-cause-screen-blurred.patch
+drm-ast-fixed-cursor-may-disappear-sometimes.patch
+drm-ast-remove-existing-framebuffers-before-loading-driver.patch
+can-dev-can_get_echo_skb-factor-out-non-sending-code-to-__can_get_echo_skb.patch
+can-dev-__can_get_echo_skb-replace-struct-can_frame-by-canfd_frame-to-access-frame-length.patch
+can-dev-__can_get_echo_skb-don-t-crash-the-kernel-if-can_priv-echo_skb-is-accessed-out-of-bounds.patch
+can-dev-__can_get_echo_skb-print-error-message-if-trying-to-echo-non-existing-skb.patch
diff --git a/queue-4.4/usb-core-fix-hub-port-connection-events-lost.patch b/queue-4.4/usb-core-fix-hub-port-connection-events-lost.patch
new file mode 100644
index 00000000000..ab79b73c207
--- /dev/null
+++ b/queue-4.4/usb-core-fix-hub-port-connection-events-lost.patch
@@ -0,0 +1,46 @@
+From 22454b79e6de05fa61a2a72d00d2eed798abbb75 Mon Sep 17 00:00:00 2001
+From: Dennis Wassenberg
+Date: Tue, 13 Nov 2018 14:40:34 +0100
+Subject: usb: core: Fix hub port connection events lost
+
+From: Dennis Wassenberg
+
+commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream.
+
+This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset
+only if a device is was attached to the hub port before resetting the hub port.
+
+Using a Lenovo T480s attached to the ultra dock it was not possible to detect
+some usb-c devices at the dock usb-c ports because the hub_port_reset code
+will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset.
+Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the
+actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit.
+This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the
+new device was attached such that it was not detected.
+
+This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is
+currently no device attached to the port before the hub port reset.
+This will avoid clearing the connection bit for new attached devices.
+
+Signed-off-by: Dennis Wassenberg
+Acked-by: Mathias Nyman
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2757,7 +2757,9 @@ static int hub_port_reset(struct usb_hub
+ USB_PORT_FEAT_C_BH_PORT_RESET);
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_PORT_LINK_STATE);
+- usb_clear_port_feature(hub->hdev, port1,
++
++ if (udev)
++ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_CONNECTION);
+
+ /*
diff --git a/queue-4.4/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch b/queue-4.4/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch
new file mode 100644
index 00000000000..44de175de05
--- /dev/null
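Review bot: The continuation line `USB_PORT_FEAT_C_CONNECTION);` is an unchanged context line, so it keeps the indentation of the old unconditional call and is now one level shallower than the `usb_clear_port_feature(hub->hdev, port1,` it belongs to inside the new `if (udev)`; re-indenting that argument one tab deeper would keep the call visually consistent with the two unconditional calls just above it. The condition itself is also undocumented in the code, and its rationale exists only in the commit message, so I would put `/* Only clear C_CONNECTION if a device was present before the reset; a device that appeared during the reset would otherwise go undetected. */` above `if (udev)`. hub_port_reset() begins before this hunk and continues after it.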
+++ b/queue-4.4/usb-xhci-fix-timeout-for-transition-from-rexit-to-u0.patch
@@ -0,0 +1,56 @@
+From a5baeaeabcca3244782a9b6382ebab6f8a58f583 Mon Sep 17 00:00:00 2001
+From: Aaron Ma
+Date: Fri, 9 Nov 2018 17:21:21 +0200
+Subject: usb: xhci: fix timeout for transition from RExit to U0
+
+From: Aaron Ma
+
+commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream.
+
+This definition is used by msecs_to_jiffies in milliseconds.
+According to the comments, max rexit timeout should be 20ms.
+Align with the comments to properly calculate the delay.
+
+Verified on Sunrise Point-LP and Cannon Lake.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Aaron Ma
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-hub.c | 4 ++--
+ drivers/usb/host/xhci.h | 2 +-
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -790,7 +790,7 @@ static u32 xhci_get_port_status(struct u
+ time_left = wait_for_completion_timeout(
+ &bus_state->rexit_done[wIndex],
+ msecs_to_jiffies(
+- XHCI_MAX_REXIT_TIMEOUT));
++ XHCI_MAX_REXIT_TIMEOUT_MS));
+ spin_lock_irqsave(&xhci->lock, flags);
+
+ if (time_left) {
+@@ -804,7 +804,7 @@ static u32 xhci_get_port_status(struct u
+ } else {
+ int port_status = readl(port_array[wIndex]);
+ xhci_warn(xhci, "Port resume took longer than %i msec, port status = 0x%x\n",
+- XHCI_MAX_REXIT_TIMEOUT,
++ XHCI_MAX_REXIT_TIMEOUT_MS,
+ port_status);
+ status |= USB_PORT_STAT_SUSPEND;
+ clear_bit(wIndex, &bus_state->rexit_ports);
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1490,7 +1490,7 @@ struct xhci_bus_state {
+ * It can take up to 20 ms to transition from RExit to U0 on the
+ * Intel Lynx Point LP xHCI host.
+ */
+-#define XHCI_MAX_REXIT_TIMEOUT (20 * 1000)
++#define XHCI_MAX_REXIT_TIMEOUT_MS 20
+
+ static inline unsigned int hcd_index(struct usb_hcd *hcd)
+ {
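Review bot: XHCI_MAX_REXIT_TIMEOUT_MS is now exactly the 20 ms worst case that the comment above it in xhci.h describes, and the `wait_for_completion_timeout(... msecs_to_jiffies(XHCI_MAX_REXIT_TIMEOUT_MS))` call in xhci_get_port_status() can expire up to one jiffy short of that because the timer fires on a tick boundary, so a port that genuinely needs the full 20 ms may still land in the `xhci_warn(xhci, "Port resume took longer than %i msec, ...")` branch and be reported as suspended. Whether a small margin above the documented maximum is warranted cannot be decided from this hunk; at minimum the define deserves a note such as `/* Equal to the documented worst case; jiffy rounding can make the wait slightly shorter than this. */` so the next reader knows the edge was considered. The rename also removes the old XHCI_MAX_REXIT_TIMEOUT name, and the diffstat listing only these two files suggests no other 4.4 user exists, but that is inferred rather than shown here. xhci_get_port_status() extends beyond both hunks in xhci-hub.c.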
diff --git a/queue-4.4/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch b/queue-4.4/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
new file mode 100644
index 00000000000..8dc371cfd40
--- /dev/null
+++ b/queue-4.4/v9fs_dir_readdir-fix-double-free-on-p9stat_read-error.patch
@@ -0,0 +1,56 @@
+From 81c99089bce693b94b775b6eb888115d2d540086 Mon Sep 17 00:00:00 2001
+From: Dominique Martinet
+Date: Mon, 27 Aug 2018 15:12:05 +0900
+Subject: v9fs_dir_readdir: fix double-free on p9stat_read error
+
+From: Dominique Martinet
+
+commit 81c99089bce693b94b775b6eb888115d2d540086 upstream.
+
+p9stat_read will call p9stat_free on error, we should only free the
+struct content on success.
+
+There also is no need to "p9stat_init" st as the read function will
+zero the whole struct for us anyway, so clean up the code a bit while
+we are here.
+
+Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org
+Signed-off-by: Dominique Martinet
+Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/9p/vfs_dir.c | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+--- a/fs/9p/vfs_dir.c
++++ b/fs/9p/vfs_dir.c
+@@ -76,15 +76,6 @@ static inline int dt_type(struct p9_wsta
+ return rettype;
+ }
+
+-static void p9stat_init(struct p9_wstat *stbuf)
+-{
+- stbuf->name = NULL;
+- stbuf->uid = NULL;
+- stbuf->gid = NULL;
+- stbuf->muid = NULL;
+- stbuf->extension = NULL;
+-}
+-
+ /**
+ * v9fs_alloc_rdir_buf - Allocate buffer used for read and readdir
+ * @filp: opened file structure
+@@ -145,12 +136,10 @@ static int v9fs_dir_readdir(struct file
+ rdir->tail = n;
+ }
+ while (rdir->head < rdir->tail) {
+- p9stat_init(&st);
+ err = p9stat_read(fid->clnt, rdir->buf + rdir->head,
+ rdir->tail - rdir->head, &st);
+ if (err) {
+ p9_debug(P9_DEBUG_VFS, "returned %d\n", err);
+- p9stat_free(&st);
+ return -EIO;
+ }
+ reclen = st.size+2;
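Review bot: The `if (err) {` branch in v9fs_dir_readdir() now returns -EIO without releasing st, which is only correct because p9stat_read() frees the partially filled struct on failure, a contract stated in the commit message but invisible in this loop; a later maintainer is likely to "fix the leak" and reintroduce the double free, so I would add `/* p9stat_read() already freed st's contents on error; freeing again here would double-free. */` above `return -EIO;`. Dropping p9stat_init() also makes this loop rely on p9stat_read() zeroing the whole struct at the start of every iteration, which is worth stating in a short comment on the `err = p9stat_read(...)` line so the dependency is explicit. v9fs_dir_readdir() begins before this hunk and continues after `reclen = st.size+2;`.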