From: Greg Kroah-Hartman Date: Thu, 9 May 2019 08:40:34 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v4.9.175~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a2a7a69f1f484bbf99a7b11f8c23460a6b22b8cf;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: genirq-prevent-use-after-free-and-work-list-corruption.patch intel_th-pci-add-comet-lake-support.patch usb-cdc-acm-fix-unthrottle-races.patch usb-dwc3-allow-building-usb_dwc3_qcom-without-extcon.patch usb-dwc3-fix-default-lpm_nyet_threshold-value.patch usb-serial-f81232-fix-interrupt-worker-not-stop.patch usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch --- diff --git a/queue-5.1/genirq-prevent-use-after-free-and-work-list-corruption.patch b/queue-5.1/genirq-prevent-use-after-free-and-work-list-corruption.patch new file mode 100644 index 00000000000..88d7230ed70 --- /dev/null +++ b/queue-5.1/genirq-prevent-use-after-free-and-work-list-corruption.patch @@ -0,0 +1,41 @@ +From 59c39840f5abf4a71e1810a8da71aaccd6c17d26 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Sun, 24 Mar 2019 07:57:04 -0700 +Subject: genirq: Prevent use-after-free and work list corruption + +From: Prasad Sodagudi + +commit 59c39840f5abf4a71e1810a8da71aaccd6c17d26 upstream. + +When irq_set_affinity_notifier() replaces the notifier, then the +reference count on the old notifier is dropped which causes it to be +freed. But nothing ensures that the old notifier is not longer queued +in the work list. If it is queued this results in a use after free and +possibly in work list corruption. + +Ensure that the work is canceled before the reference is dropped. + +Signed-off-by: Prasad Sodagudi +Signed-off-by: Thomas Gleixner +Cc: marc.zyngier@arm.com +Link: https://lkml.kernel.org/r/1553439424-6529-1-git-send-email-psodagud@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/manage.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -357,8 +357,10 @@ irq_set_affinity_notifier(unsigned int i + desc->affinity_notify = notify; + raw_spin_unlock_irqrestore(&desc->lock, flags); + +- if (old_notify) ++ if (old_notify) { ++ cancel_work_sync(&old_notify->work); + kref_put(&old_notify->kref, old_notify->release); ++ } + + return 0; + } diff --git a/queue-5.1/intel_th-pci-add-comet-lake-support.patch b/queue-5.1/intel_th-pci-add-comet-lake-support.patch new file mode 100644 index 00000000000..5b9d9f33bb4 --- /dev/null +++ b/queue-5.1/intel_th-pci-add-comet-lake-support.patch @@ -0,0 +1,33 @@ +From e60e9a4b231a20a199d7a61caadc48693c30d695 Mon Sep 17 00:00:00 2001 +From: Alexander Shishkin +Date: Wed, 17 Apr 2019 10:35:36 +0300 +Subject: intel_th: pci: Add Comet Lake support + +From: Alexander Shishkin + +commit e60e9a4b231a20a199d7a61caadc48693c30d695 upstream. + +This adds support for Intel TH on Comet Lake. + +Signed-off-by: Alexander Shishkin +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwtracing/intel_th/pci.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/hwtracing/intel_th/pci.c ++++ b/drivers/hwtracing/intel_th/pci.c +@@ -165,6 +165,11 @@ static const struct pci_device_id intel_ + PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x34a6), + .driver_data = (kernel_ulong_t)&intel_th_2x, + }, ++ { ++ /* Comet Lake */ ++ PCI_DEVICE(PCI_VENDOR_ID_INTEL, 0x02a6), ++ .driver_data = (kernel_ulong_t)&intel_th_2x, ++ }, + { 0 }, + }; + diff --git a/queue-5.1/series b/queue-5.1/series index 60ab1fc5e4d..4fd476a320e 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -4,3 +4,10 @@ staging-greybus-power_supply-fix-prop-descriptor-request-size.patch staging-wilc1000-avoid-gfp_kernel-allocation-from-atomic-context.patch staging-most-cdev-fix-chrdev_region-leak-in-mod_exit.patch staging-most-sound-pass-correct-device-when-creating-a-sound-card.patch +usb-dwc3-allow-building-usb_dwc3_qcom-without-extcon.patch +usb-dwc3-fix-default-lpm_nyet_threshold-value.patch +usb-serial-f81232-fix-interrupt-worker-not-stop.patch +usb-cdc-acm-fix-unthrottle-races.patch +usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch +genirq-prevent-use-after-free-and-work-list-corruption.patch +intel_th-pci-add-comet-lake-support.patch diff --git a/queue-5.1/usb-cdc-acm-fix-unthrottle-races.patch b/queue-5.1/usb-cdc-acm-fix-unthrottle-races.patch new file mode 100644 index 00000000000..09b165fb31f --- /dev/null +++ b/queue-5.1/usb-cdc-acm-fix-unthrottle-races.patch @@ -0,0 +1,132 @@ +From 764478f41130f1b8d8057575b89e69980a0f600d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 25 Apr 2019 18:05:39 +0200 +Subject: USB: cdc-acm: fix unthrottle races + +From: Johan Hovold + +commit 764478f41130f1b8d8057575b89e69980a0f600d upstream. + +Fix two long-standing bugs which could potentially lead to memory +corruption or leave the port throttled until it is reopened (on weakly +ordered systems), respectively, when read-URB completion races with +unthrottle(). + +First, the URB must not be marked as free before processing is complete +to prevent it from being submitted by unthrottle() on another CPU. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + process_urb(); + smp_mb__before_atomic(); + set_bit(i, free); if (test_and_clear_bit(i, free)) + submit_urb(); + +Second, the URB must be marked as free before checking the throttled +flag to prevent unthrottle() on another CPU from failing to observe that +the URB needs to be submitted if complete() sees that the throttled flag +is set. + + CPU 1 CPU 2 + ================ ================ + complete() unthrottle() + set_bit(i, free); throttled = 0; + smp_mb__after_atomic(); smp_mb(); + if (throttled) if (test_and_clear_bit(i, free)) + return; submit_urb(); + +Note that test_and_clear_bit() only implies barriers when the test is +successful. To handle the case where the URB is still in use an explicit +barrier needs to be added to unthrottle() for the second race condition. + +Also note that the first race was fixed by 36e59e0d70d6 ("cdc-acm: fix +race between callback and unthrottle") back in 2015, but the bug was +reintroduced a year later. + +Fixes: 1aba579f3cf5 ("cdc-acm: handle read pipe errors") +Fixes: 088c64f81284 ("USB: cdc-acm: re-write read processing") +Signed-off-by: Johan Hovold +Acked-by: Oliver Neukum +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 32 +++++++++++++++++++++++++------- + 1 file changed, 25 insertions(+), 7 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -470,12 +470,12 @@ static void acm_read_bulk_callback(struc + struct acm *acm = rb->instance; + unsigned long flags; + int status = urb->status; ++ bool stopped = false; ++ bool stalled = false; + + dev_vdbg(&acm->data->dev, "got urb %d, len %d, status %d\n", + rb->index, urb->actual_length, status); + +- set_bit(rb->index, &acm->read_urbs_free); +- + if (!acm->dev) { + dev_dbg(&acm->data->dev, "%s - disconnected\n", __func__); + return; +@@ -488,15 +488,16 @@ static void acm_read_bulk_callback(struc + break; + case -EPIPE: + set_bit(EVENT_RX_STALL, &acm->flags); +- schedule_work(&acm->work); +- return; ++ stalled = true; ++ break; + case -ENOENT: + case -ECONNRESET: + case -ESHUTDOWN: + dev_dbg(&acm->data->dev, + "%s - urb shutting down with status: %d\n", + __func__, status); +- return; ++ stopped = true; ++ break; + default: + dev_dbg(&acm->data->dev, + "%s - nonzero urb status received: %d\n", +@@ -505,10 +506,24 @@ static void acm_read_bulk_callback(struc + } + + /* +- * Unthrottle may run on another CPU which needs to see events +- * in the same order. Submission has an implict barrier ++ * Make sure URB processing is done before marking as free to avoid ++ * racing with unthrottle() on another CPU. Matches the barriers ++ * implied by the test_and_clear_bit() in acm_submit_read_urb(). + */ + smp_mb__before_atomic(); ++ set_bit(rb->index, &acm->read_urbs_free); ++ /* ++ * Make sure URB is marked as free before checking the throttled flag ++ * to avoid racing with unthrottle() on another CPU. Matches the ++ * smp_mb() in unthrottle(). ++ */ ++ smp_mb__after_atomic(); ++ ++ if (stopped || stalled) { ++ if (stalled) ++ schedule_work(&acm->work); ++ return; ++ } + + /* throttle device if requested by tty */ + spin_lock_irqsave(&acm->read_lock, flags); +@@ -842,6 +857,9 @@ static void acm_tty_unthrottle(struct tt + acm->throttle_req = 0; + spin_unlock_irq(&acm->read_lock); + ++ /* Matches the smp_mb__after_atomic() in acm_read_bulk_callback(). */ ++ smp_mb(); ++ + if (was_throttled) + acm_submit_read_urbs(acm, GFP_KERNEL); + } diff --git a/queue-5.1/usb-dwc3-allow-building-usb_dwc3_qcom-without-extcon.patch b/queue-5.1/usb-dwc3-allow-building-usb_dwc3_qcom-without-extcon.patch new file mode 100644 index 00000000000..878bcbc589b --- /dev/null +++ b/queue-5.1/usb-dwc3-allow-building-usb_dwc3_qcom-without-extcon.patch @@ -0,0 +1,44 @@ +From 77a4946516fe488b6a33390de6d749f934a243ba Mon Sep 17 00:00:00 2001 +From: Marc Gonzalez +Date: Wed, 24 Apr 2019 17:00:57 +0200 +Subject: usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON + +From: Marc Gonzalez + +commit 77a4946516fe488b6a33390de6d749f934a243ba upstream. + +Keep EXTCON support optional, as some platforms do not need it. + +Do the same for USB_DWC3_OMAP while we're at it. + +Fixes: 3def4031b3e3f ("usb: dwc3: add EXTCON dependency for qcom") +Signed-off-by: Marc Gonzalez +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/Kconfig | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/Kconfig ++++ b/drivers/usb/dwc3/Kconfig +@@ -54,7 +54,8 @@ comment "Platform Glue Driver Support" + + config USB_DWC3_OMAP + tristate "Texas Instruments OMAP5 and similar Platforms" +- depends on EXTCON && (ARCH_OMAP2PLUS || COMPILE_TEST) ++ depends on ARCH_OMAP2PLUS || COMPILE_TEST ++ depends on EXTCON || !EXTCON + depends on OF + default USB_DWC3 + help +@@ -115,7 +116,8 @@ config USB_DWC3_ST + + config USB_DWC3_QCOM + tristate "Qualcomm Platform" +- depends on EXTCON && (ARCH_QCOM || COMPILE_TEST) ++ depends on ARCH_QCOM || COMPILE_TEST ++ depends on EXTCON || !EXTCON + depends on OF + default USB_DWC3 + help diff --git a/queue-5.1/usb-dwc3-fix-default-lpm_nyet_threshold-value.patch b/queue-5.1/usb-dwc3-fix-default-lpm_nyet_threshold-value.patch new file mode 100644 index 00000000000..02375810ed8 --- /dev/null +++ b/queue-5.1/usb-dwc3-fix-default-lpm_nyet_threshold-value.patch @@ -0,0 +1,33 @@ +From 8d791929b2fbdf7734c1596d808e55cb457f4562 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 25 Apr 2019 13:55:23 -0700 +Subject: usb: dwc3: Fix default lpm_nyet_threshold value + +From: Thinh Nguyen + +commit 8d791929b2fbdf7734c1596d808e55cb457f4562 upstream. + +The max possible value for DCTL.LPM_NYET_THRES is 15 and not 255. Change +the default value to 15. + +Cc: stable@vger.kernel.org +Fixes: 80caf7d21adc ("usb: dwc3: add lpm erratum support") +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1218,7 +1218,7 @@ static void dwc3_get_properties(struct d + u8 tx_max_burst_prd; + + /* default to highest possible threshold */ +- lpm_nyet_threshold = 0xff; ++ lpm_nyet_threshold = 0xf; + + /* default to -3.5dB de-emphasis */ + tx_de_emphasis = 1; diff --git a/queue-5.1/usb-serial-f81232-fix-interrupt-worker-not-stop.patch b/queue-5.1/usb-serial-f81232-fix-interrupt-worker-not-stop.patch new file mode 100644 index 00000000000..9bb3bd75c10 --- /dev/null +++ b/queue-5.1/usb-serial-f81232-fix-interrupt-worker-not-stop.patch @@ -0,0 +1,92 @@ +From 804dbee1e49774918339c1e5a87400988c0819e8 Mon Sep 17 00:00:00 2001 +From: "Ji-Ze Hong (Peter Hong)" +Date: Tue, 30 Apr 2019 09:22:29 +0800 +Subject: USB: serial: f81232: fix interrupt worker not stop + +From: Ji-Ze Hong (Peter Hong) + +commit 804dbee1e49774918339c1e5a87400988c0819e8 upstream. + +The F81232 will use interrupt worker to handle MSR change. +This patch will fix the issue that interrupt work should stop +in close() and suspend(). + +This also fixes line-status events being disabled after a suspend cycle +until the port is re-opened. + +Signed-off-by: Ji-Ze Hong (Peter Hong) +[ johan: amend commit message ] +Fixes: 87fe5adcd8de ("USB: f81232: implement read IIR/MSR with endpoint") +Cc: stable # 4.1 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/f81232.c | 39 +++++++++++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +--- a/drivers/usb/serial/f81232.c ++++ b/drivers/usb/serial/f81232.c +@@ -556,9 +556,12 @@ static int f81232_open(struct tty_struct + + static void f81232_close(struct usb_serial_port *port) + { ++ struct f81232_private *port_priv = usb_get_serial_port_data(port); ++ + f81232_port_disable(port); + usb_serial_generic_close(port); + usb_kill_urb(port->interrupt_in_urb); ++ flush_work(&port_priv->interrupt_work); + } + + static void f81232_dtr_rts(struct usb_serial_port *port, int on) +@@ -632,6 +635,40 @@ static int f81232_port_remove(struct usb + return 0; + } + ++static int f81232_suspend(struct usb_serial *serial, pm_message_t message) ++{ ++ struct usb_serial_port *port = serial->port[0]; ++ struct f81232_private *port_priv = usb_get_serial_port_data(port); ++ int i; ++ ++ for (i = 0; i < ARRAY_SIZE(port->read_urbs); ++i) ++ usb_kill_urb(port->read_urbs[i]); ++ ++ usb_kill_urb(port->interrupt_in_urb); ++ ++ if (port_priv) ++ flush_work(&port_priv->interrupt_work); ++ ++ return 0; ++} ++ ++static int f81232_resume(struct usb_serial *serial) ++{ ++ struct usb_serial_port *port = serial->port[0]; ++ int result; ++ ++ if (tty_port_initialized(&port->port)) { ++ result = usb_submit_urb(port->interrupt_in_urb, GFP_NOIO); ++ if (result) { ++ dev_err(&port->dev, "submit interrupt urb failed: %d\n", ++ result); ++ return result; ++ } ++ } ++ ++ return usb_serial_generic_resume(serial); ++} ++ + static struct usb_serial_driver f81232_device = { + .driver = { + .owner = THIS_MODULE, +@@ -655,6 +692,8 @@ static struct usb_serial_driver f81232_d + .read_int_callback = f81232_read_int_callback, + .port_probe = f81232_port_probe, + .port_remove = f81232_port_remove, ++ .suspend = f81232_suspend, ++ .resume = f81232_resume, + }; + + static struct usb_serial_driver * const serial_drivers[] = { diff --git a/queue-5.1/usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch b/queue-5.1/usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch new file mode 100644 index 00000000000..29066a4f346 --- /dev/null +++ b/queue-5.1/usb-storage-set-virt_boundary_mask-to-avoid-sg-overflows.patch @@ -0,0 +1,87 @@ +From 747668dbc061b3e62bc1982767a3a1f9815fcf0e Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 15 Apr 2019 13:19:25 -0400 +Subject: usb-storage: Set virt_boundary_mask to avoid SG overflows + +From: Alan Stern + +commit 747668dbc061b3e62bc1982767a3a1f9815fcf0e upstream. + +The USB subsystem has always had an unusual requirement for its +scatter-gather transfers: Each element in the scatterlist (except the +last one) must have a length divisible by the bulk maxpacket size. +This is a particular issue for USB mass storage, which uses SG lists +created by the block layer rather than setting up its own. + +So far we have scraped by okay because most devices have a logical +block size of 512 bytes or larger, and the bulk maxpacket sizes for +USB 2 and below are all <= 512. However, USB 3 has a bulk maxpacket +size of 1024. Since the xhci-hcd driver includes native SG support, +this hasn't mattered much. But now people are trying to use USB-3 +mass storage devices with USBIP, and the vhci-hcd driver currently +does not have full SG support. + +The result is an overflow error, when the driver attempts to implement +an SG transfer of 63 512-byte blocks as a single +3584-byte (7 blocks) transfer followed by seven 4096-byte (8 blocks) +transfers. The device instead sends 31 1024-byte packets followed by +a 512-byte packet, and this overruns the first SG buffer. + +Ideally this would be fixed by adding better SG support to vhci-hcd. +But for now it appears we can work around the problem by +asking the block layer to respect the maxpacket limitation, through +the use of the virt_boundary_mask. + +Signed-off-by: Alan Stern +Reported-by: Seth Bollinger +Tested-by: Seth Bollinger +CC: Ming Lei +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/scsiglue.c | 26 ++++++++++++-------------- + 1 file changed, 12 insertions(+), 14 deletions(-) + +--- a/drivers/usb/storage/scsiglue.c ++++ b/drivers/usb/storage/scsiglue.c +@@ -65,6 +65,7 @@ static const char* host_info(struct Scsi + static int slave_alloc (struct scsi_device *sdev) + { + struct us_data *us = host_to_us(sdev->host); ++ int maxp; + + /* + * Set the INQUIRY transfer length to 36. We don't use any of +@@ -74,20 +75,17 @@ static int slave_alloc (struct scsi_devi + sdev->inquiry_len = 36; + + /* +- * USB has unusual DMA-alignment requirements: Although the +- * starting address of each scatter-gather element doesn't matter, +- * the length of each element except the last must be divisible +- * by the Bulk maxpacket value. There's currently no way to +- * express this by block-layer constraints, so we'll cop out +- * and simply require addresses to be aligned at 512-byte +- * boundaries. This is okay since most block I/O involves +- * hardware sectors that are multiples of 512 bytes in length, +- * and since host controllers up through USB 2.0 have maxpacket +- * values no larger than 512. +- * +- * But it doesn't suffice for Wireless USB, where Bulk maxpacket +- * values can be as large as 2048. To make that work properly +- * will require changes to the block layer. ++ * USB has unusual scatter-gather requirements: the length of each ++ * scatterlist element except the last must be divisible by the ++ * Bulk maxpacket value. Fortunately this value is always a ++ * power of 2. Inform the block layer about this requirement. ++ */ ++ maxp = usb_maxpacket(us->pusb_dev, us->recv_bulk_pipe, 0); ++ blk_queue_virt_boundary(sdev->request_queue, maxp - 1); ++ ++ /* ++ * Some host controllers may have alignment requirements. ++ * We'll play it safe by requiring 512-byte alignment always. + */ + blk_queue_update_dma_alignment(sdev->request_queue, (512 - 1)); +