From: Greg Kroah-Hartman Date: Thu, 19 Jul 2018 16:40:29 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v3.18.116~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a57d817ff09ed0c905ed0a8ffe452cd736bc20dd;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: clocksource-initialize-cs-wd_list.patch crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch net-cxgb3_main-fix-potential-spectre-v1.patch net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch rtlwifi-fix-kernel-oops-fw-download-fail.patch rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch --- diff --git a/queue-4.14/clocksource-initialize-cs-wd_list.patch b/queue-4.14/clocksource-initialize-cs-wd_list.patch new file mode 100644 index 00000000000..125264cdfe7 --- /dev/null +++ b/queue-4.14/clocksource-initialize-cs-wd_list.patch 
@@ -0,0 +1,40 @@ +From 5b9e886a4af97574ca3ce1147f35545da0e7afc7 Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 30 Apr 2018 12:00:11 +0200 +Subject: clocksource: Initialize cs->wd_list + +From: Peter Zijlstra + +commit 5b9e886a4af97574ca3ce1147f35545da0e7afc7 upstream. + +A number of places relies on list_empty(&cs->wd_list), however the +list_head does not get initialized. Do so upon registration, such that +thereafter it is possible to rely on list_empty() correctly reflecting +the list membership status. + +Signed-off-by: Peter Zijlstra (Intel) +Signed-off-by: Thomas Gleixner +Tested-by: Diego Viola +Reviewed-by: Rafael J. Wysocki +Cc: stable@vger.kernel.org +Cc: len.brown@intel.com +Cc: rjw@rjwysocki.net +Cc: rui.zhang@intel.com +Link: https://lkml.kernel.org/r/20180430100344.472662715@infradead.org +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + kernel/time/clocksource.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -322,6 +322,8 @@ static void clocksource_enqueue_watchdog + { + unsigned long flags; + ++ INIT_LIST_HEAD(&cs->wd_list); ++ + spin_lock_irqsave(&watchdog_lock, flags); + if (cs->flags & CLOCK_SOURCE_MUST_VERIFY) { + /* cs is a clocksource to be watched. */ diff --git a/queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch b/queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch new file mode 100644 index 00000000000..257f5e1ea8b --- /dev/null +++ b/queue-4.14/crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch 
@@ -0,0 +1,41 @@ +From 2546da99212f22034aecf279da9c47cbfac6c981 Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Sat, 7 Jul 2018 20:41:47 +0200 +Subject: crypto: af_alg - Initialize sg_num_bytes in error code path + +From: Stephan Mueller + +commit 2546da99212f22034aecf279da9c47cbfac6c981 upstream. + +The RX SGL in processing is already registered with the RX SGL tracking +list to support proper cleanup. The cleanup code path uses the +sg_num_bytes variable which must therefore be always initialized, even +in the error code path. + +Signed-off-by: Stephan Mueller +Reported-by: syzbot+9c251bdd09f83b92ba95@syzkaller.appspotmail.com +#syz test: https://github.com/google/kmsan.git master +CC: #4.14 +Fixes: e870456d8e7c ("crypto: algif_skcipher - overhaul memory management") +Fixes: d887c52d6ae4 ("crypto: algif_aead - overhaul memory management") +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/af_alg.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/crypto/af_alg.c ++++ b/crypto/af_alg.c +@@ -1183,8 +1183,10 @@ int af_alg_get_rsgl(struct sock *sk, str + + /* make one iovec available as scatterlist */ + err = af_alg_make_sg(&rsgl->sgl, &msg->msg_iter, seglen); +- if (err < 0) ++ if (err < 0) { ++ rsgl->sg_num_bytes = 0; + return err; ++ } + + /* chain the new scatterlist with previous one */ + if (areq->last_rsgl) diff --git a/queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch b/queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch new file mode 100644 index 00000000000..b09fccde1a4 --- /dev/null +++ b/queue-4.14/media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch 
@@ -0,0 +1,39 @@ +From 8d4068810d9926250dd2435719a080b889eb44c3 Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Tue, 6 Mar 2018 08:57:57 -0500 +Subject: media: rc: oops in ir_timer_keyup after device unplug + +From: Sean Young + +commit 8d4068810d9926250dd2435719a080b889eb44c3 upstream. + +If there is IR in the raw kfifo when ir_raw_event_unregister() is called, +then kthread_stop() causes ir_raw_event_thread to be scheduled, decode +some scancodes and re-arm timer_keyup. The timer_keyup then fires when +the rc device is long gone. + +Cc: stable@vger.kernel.org +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/rc-main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/rc/rc-main.c ++++ b/drivers/media/rc/rc-main.c +@@ -1824,11 +1824,11 @@ void rc_unregister_device(struct rc_dev + if (!dev) + return; + +- del_timer_sync(&dev->timer_keyup); +- + if (dev->driver_type == RC_DRIVER_IR_RAW) + ir_raw_event_unregister(dev); + ++ del_timer_sync(&dev->timer_keyup); ++ + rc_free_rx_device(dev); + + device_del(&dev->dev); diff --git a/queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch b/queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch new file mode 100644 index 00000000000..7fe38ef9810 --- /dev/null +++ b/queue-4.14/net-cxgb3_main-fix-potential-spectre-v1.patch 
@@ -0,0 +1,53 @@ +From 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 Mon Sep 17 00:00:00 2001 +From: "Gustavo A. R. Silva" +Date: Mon, 16 Jul 2018 20:59:58 -0500 +Subject: net: cxgb3_main: fix potential Spectre v1 + +From: Gustavo A. R. Silva + +commit 676bcfece19f83621e905aa55b5ed2d45cc4f2d3 upstream. + +t.qset_idx can be indirectly controlled by user-space, hence leading to +a potential exploitation of the Spectre variant 1 vulnerability. + +This issue was detected with the help of Smatch: + +drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl() +warn: potential spectre issue 'adapter->msix_info' + +Fix this by sanitizing t.qset_idx before using it to index +adapter->msix_info + +Notice that given that speculation windows are large, the policy is +to kill the speculation on the first load and not worry if it can be +completed with a dependent load/store [1]. + +[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2 + +Cc: stable@vger.kernel.org +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c ++++ b/drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c +@@ -51,6 +51,7 @@ + #include + #include + #include ++#include + + #include "common.h" + #include "cxgb3_ioctl.h" +@@ -2268,6 +2269,7 @@ static int cxgb_extension_ioctl(struct n + + if (t.qset_idx >= nqsets) + return -EINVAL; ++ t.qset_idx = array_index_nospec(t.qset_idx, nqsets); + + q = &adapter->params.sge.qset[q1 + t.qset_idx]; + t.rspq_size = q->rspq_size; diff --git a/queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch b/queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch new file mode 100644 index 00000000000..a93414fbca0 --- /dev/null +++ b/queue-4.14/net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch 
@@ -0,0 +1,55 @@ +From dea39aca1d7aef1e2b95b07edeacf04cc8863a2e Mon Sep 17 00:00:00 2001 +From: Stefan Wahren +Date: Sun, 15 Jul 2018 21:53:20 +0200 +Subject: net: lan78xx: Fix race in tx pending skb size calculation + +From: Stefan Wahren + +commit dea39aca1d7aef1e2b95b07edeacf04cc8863a2e upstream. + +The skb size calculation in lan78xx_tx_bh is in race with the start_xmit, +which could lead to rare kernel oopses. So protect the whole skb walk with +a spin lock. As a benefit we can unlink the skb directly. + +This patch was tested on Raspberry Pi 3B+ + +Link: https://github.com/raspberrypi/linux/issues/2608 +Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet") +Cc: stable +Signed-off-by: Floris Bos +Signed-off-by: Stefan Wahren +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/lan78xx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/lan78xx.c ++++ b/drivers/net/usb/lan78xx.c +@@ -3197,6 +3197,7 @@ static void lan78xx_tx_bh(struct lan78xx + pkt_cnt = 0; + count = 0; + length = 0; ++ spin_lock_irqsave(&tqp->lock, flags); + for (skb = tqp->next; pkt_cnt < tqp->qlen; skb = skb->next) { + if (skb_is_gso(skb)) { + if (pkt_cnt) { +@@ -3205,7 +3206,8 @@ static void lan78xx_tx_bh(struct lan78xx + } + count = 1; + length = skb->len - TX_OVERHEAD; +- skb2 = skb_dequeue(tqp); ++ __skb_unlink(skb, tqp); ++ spin_unlock_irqrestore(&tqp->lock, flags); + goto gso_skb; + } + +@@ -3214,6 +3216,7 @@ static void lan78xx_tx_bh(struct lan78xx + skb_totallen = skb->len + roundup(skb_totallen, sizeof(u32)); + pkt_cnt++; + } ++ spin_unlock_irqrestore(&tqp->lock, flags); + + /* copy to a single skb */ + skb = alloc_skb(skb_totallen, GFP_ATOMIC); diff --git a/queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch b/queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch new file mode 100644 index 00000000000..0c7a7c8f2ba --- /dev/null 
+++ b/queue-4.14/rtlwifi-fix-kernel-oops-fw-download-fail.patch 
@@ -0,0 +1,165 @@ +From 12dfa2f68ab659636e092db13b5d17cf9aac82af Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Fri, 22 Jun 2018 13:31:57 +0800 +Subject: rtlwifi: Fix kernel Oops "Fw download fail!!" + +From: Ping-Ke Shih + +commit 12dfa2f68ab659636e092db13b5d17cf9aac82af upstream. + +When connecting to AP, mac80211 asks driver to enter and leave PS quickly, +but driver deinit doesn't wait for delayed work complete when entering PS, +then driver reinit procedure and delay work are running simultaneously. +This will cause unpredictable kernel oops or crash like + +rtl8723be: error H2C cmd because of Fw download fail!!! +WARNING: CPU: 3 PID: 159 at drivers/net/wireless/realtek/rtlwifi/ + rtl8723be/fw.c:227 rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be] +CPU: 3 PID: 159 Comm: kworker/3:2 Tainted: G O 4.16.13-2-ARCH #1 +Hardware name: ASUSTeK COMPUTER INC. X556UF/X556UF, BIOS X556UF.406 + 10/21/2016 +Workqueue: rtl8723be_pci rtl_c2hcmd_wq_callback [rtlwifi] +RIP: 0010:rtl8723be_fill_h2c_cmd+0x182/0x510 [rtl8723be] +RSP: 0018:ffffa6ab01e1bd70 EFLAGS: 00010282 +RAX: 0000000000000000 RBX: ffffa26069071520 RCX: 0000000000000001 +RDX: 0000000080000001 RSI: ffffffff8be70e9c RDI: 00000000ffffffff +RBP: 0000000000000000 R08: 0000000000000048 R09: 0000000000000348 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +R13: ffffa26069071520 R14: 0000000000000000 R15: ffffa2607d205f70 +FS: 0000000000000000(0000) GS:ffffa26081d80000(0000) knlGS:000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00000443b39d3000 CR3: 000000037700a005 CR4: 00000000003606e0 +Call Trace: + ? halbtc_send_bt_mp_operation.constprop.17+0xd5/0xe0 [btcoexist] + ? ex_btc8723b1ant_bt_info_notify+0x3b8/0x820 [btcoexist] + ? rtl_c2hcmd_launcher+0xab/0x110 [rtlwifi] + ? process_one_work+0x1d1/0x3b0 + ? worker_thread+0x2b/0x3d0 + ? process_one_work+0x3b0/0x3b0 + ? kthread+0x112/0x130 + ? kthread_create_on_node+0x60/0x60 + ? 
ret_from_fork+0x35/0x40 +Code: 00 76 b4 e9 e2 fe ff ff 4c 89 ee 4c 89 e7 e8 56 22 86 ca e9 5e ... + +This patch ensures all delayed works done before entering PS to satisfy +our expectation, so use cancel_delayed_work_sync() instead. An exception +is delayed work ips_nic_off_wq because running task may be itself, so add +a parameter ips_wq to deinit function to handle this case. + +This issue is reported and fixed in below threads: +https://github.com/lwfinger/rtlwifi_new/issues/367 +https://github.com/lwfinger/rtlwifi_new/issues/366 + +Tested-by: Evgeny Kapun # 8723DE +Tested-by: Shivam Kakkar # 8723BE on 4.18-rc1 +Signed-off-by: Ping-Ke Shih +Fixes: cceb0a597320 ("rtlwifi: Add work queue for c2h cmd.") +Cc: Stable # 4.11+ +Reviewed-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/base.c | 17 ++++++++++------- + drivers/net/wireless/realtek/rtlwifi/base.h | 2 +- + drivers/net/wireless/realtek/rtlwifi/core.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/pci.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/ps.c | 4 ++-- + drivers/net/wireless/realtek/rtlwifi/usb.c | 2 +- + 6 files changed, 16 insertions(+), 13 deletions(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/base.c ++++ b/drivers/net/wireless/realtek/rtlwifi/base.c +@@ -483,18 +483,21 @@ static void _rtl_init_deferred_work(stru + + } + +-void rtl_deinit_deferred_work(struct ieee80211_hw *hw) ++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq) + { + struct rtl_priv *rtlpriv = rtl_priv(hw); + + del_timer_sync(&rtlpriv->works.watchdog_timer); + +- cancel_delayed_work(&rtlpriv->works.watchdog_wq); +- cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq); +- cancel_delayed_work(&rtlpriv->works.ps_work); +- cancel_delayed_work(&rtlpriv->works.ps_rfon_wq); +- cancel_delayed_work(&rtlpriv->works.fwevt_wq); +- cancel_delayed_work(&rtlpriv->works.c2hcmd_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.watchdog_wq); ++ if 
(ips_wq) ++ cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq); ++ else ++ cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.ps_work); ++ cancel_delayed_work_sync(&rtlpriv->works.ps_rfon_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.fwevt_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.c2hcmd_wq); + } + EXPORT_SYMBOL_GPL(rtl_deinit_deferred_work); + +--- a/drivers/net/wireless/realtek/rtlwifi/base.h ++++ b/drivers/net/wireless/realtek/rtlwifi/base.h +@@ -121,7 +121,7 @@ void rtl_init_rfkill(struct ieee80211_hw + void rtl_deinit_rfkill(struct ieee80211_hw *hw); + + void rtl_watch_dog_timer_callback(unsigned long data); +-void rtl_deinit_deferred_work(struct ieee80211_hw *hw); ++void rtl_deinit_deferred_work(struct ieee80211_hw *hw, bool ips_wq); + + bool rtl_action_proc(struct ieee80211_hw *hw, struct sk_buff *skb, u8 is_tx); + int rtlwifi_rate_mapping(struct ieee80211_hw *hw, bool isht, +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c +@@ -196,7 +196,7 @@ static void rtl_op_stop(struct ieee80211 + /* reset sec info */ + rtl_cam_reset_sec_info(hw); + +- rtl_deinit_deferred_work(hw); ++ rtl_deinit_deferred_work(hw, false); + } + rtlpriv->intf_ops->adapter_stop(hw); + +--- a/drivers/net/wireless/realtek/rtlwifi/pci.c ++++ b/drivers/net/wireless/realtek/rtlwifi/pci.c +@@ -2359,7 +2359,7 @@ void rtl_pci_disconnect(struct pci_dev * + ieee80211_unregister_hw(hw); + rtlmac->mac80211_registered = 0; + } else { +- rtl_deinit_deferred_work(hw); ++ rtl_deinit_deferred_work(hw, false); + rtlpriv->intf_ops->adapter_stop(hw); + } + rtlpriv->cfg->ops->disable_interrupt(hw); +--- a/drivers/net/wireless/realtek/rtlwifi/ps.c ++++ b/drivers/net/wireless/realtek/rtlwifi/ps.c +@@ -66,7 +66,7 @@ bool rtl_ps_disable_nic(struct ieee80211 + struct rtl_priv *rtlpriv = rtl_priv(hw); + + /*<1> Stop all timer */ +- rtl_deinit_deferred_work(hw); ++ rtl_deinit_deferred_work(hw, true); + + 
/*<2> Disable Interrupt */ + rtlpriv->cfg->ops->disable_interrupt(hw); +@@ -287,7 +287,7 @@ void rtl_ips_nic_on(struct ieee80211_hw + struct rtl_ps_ctl *ppsc = rtl_psc(rtl_priv(hw)); + enum rf_pwrstate rtstate; + +- cancel_delayed_work(&rtlpriv->works.ips_nic_off_wq); ++ cancel_delayed_work_sync(&rtlpriv->works.ips_nic_off_wq); + + spin_lock(&rtlpriv->locks.ips_lock); + if (ppsc->inactiveps) { +--- a/drivers/net/wireless/realtek/rtlwifi/usb.c ++++ b/drivers/net/wireless/realtek/rtlwifi/usb.c +@@ -1150,7 +1150,7 @@ void rtl_usb_disconnect(struct usb_inter + ieee80211_unregister_hw(hw); + rtlmac->mac80211_registered = 0; + } else { +- rtl_deinit_deferred_work(hw); ++ rtl_deinit_deferred_work(hw, false); + rtlpriv->intf_ops->adapter_stop(hw); + } + /*deinit rfkill */ diff --git a/queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch b/queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch new file mode 100644 index 00000000000..21f5d6ea9cf --- /dev/null +++ b/queue-4.14/rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch 
@@ -0,0 +1,41 @@ +From 9a98302de19991d51e067b88750585203b2a3ab6 Mon Sep 17 00:00:00 2001 +From: Ping-Ke Shih +Date: Thu, 28 Jun 2018 10:02:27 +0800 +Subject: rtlwifi: rtl8821ae: fix firmware is not ready to run + +From: Ping-Ke Shih + +commit 9a98302de19991d51e067b88750585203b2a3ab6 upstream. + +Without this patch, firmware will not run properly on rtl8821ae, and it +causes bad user experience. For example, bad connection performance with +low rate, higher power consumption, and so on. + +rtl8821ae uses two kinds of firmwares for normal and WoWlan cases, and +each firmware has firmware data buffer and size individually. Original +code always overwrite size of normal firmware rtlpriv->rtlhal.fwsize, and +this mismatch causes firmware checksum error, then firmware can't start. + +In this situation, driver gives message "Firmware is not ready to run!". + +Fixes: fe89707f0afa ("rtlwifi: rtl8821ae: Simplify loading of WOWLAN firmware") +Signed-off-by: Ping-Ke Shih +Cc: Stable # 4.0+ +Reviewed-by: Larry Finger +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtlwifi/core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtlwifi/core.c ++++ b/drivers/net/wireless/realtek/rtlwifi/core.c +@@ -130,7 +130,6 @@ found_alt: + firmware->size); + rtlpriv->rtlhal.wowlan_fwsize = firmware->size; + } +- rtlpriv->rtlhal.fwsize = firmware->size; + release_firmware(firmware); + } + diff --git a/queue-4.14/series b/queue-4.14/series index 285e34ed378..1c299055bcb 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -46,3 +46,11 @@ tcp-fix-fast-open-key-endianness.patch tcp-prevent-bogus-frto-undos-with-non-sack-flows.patch vhost_net-validate-sock-before-trying-to-put-its-fd.patch vsock-fix-loopback-on-big-endian-systems.patch +net-cxgb3_main-fix-potential-spectre-v1.patch +rtlwifi-fix-kernel-oops-fw-download-fail.patch +rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch +net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch +xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch +media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch +clocksource-initialize-cs-wd_list.patch +crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch diff --git a/queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch b/queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch new file mode 100644 index 00000000000..f2d747e6407 --- /dev/null +++ b/queue-4.14/xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch 
@@ -0,0 +1,61 @@ +From 2278446e2b7cd33ad894b32e7eb63afc7db6c86e Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Mon, 14 May 2018 11:57:23 +0300 +Subject: xhci: Fix USB3 NULL pointer dereference at logical disconnect. + +From: Mathias Nyman + +commit 2278446e2b7cd33ad894b32e7eb63afc7db6c86e upstream. + +Hub driver will try to disable a USB3 device twice at logical disconnect, +racing with xhci_free_dev() callback from the first port disable. + +This can be triggered with "udisksctl power-off --block-device " +or by writing "1" to the "remove" sysfs file for a USB3 device +in 4.17-rc4. + +USB3 devices don't have a similar disabled link state as USB2 devices, +and use a U3 suspended link state instead. In this state the port +is still enabled and connected. + +hub_port_connect() first disconnects the device, then later it notices +that device is still enabled (due to U3 states) it will try to disable +the port again (set to U3). + +The xhci_free_dev() called during device disable is async, so checking +for existing xhci->devs[i] when setting link state to U3 the second time +was successful, even if device was being freed. + +The regression was caused by, and whole thing revealed by, +Commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +which sets xhci->devs[i]->udev to NULL before xhci_virt_dev() returned. +and causes a NULL pointer dereference the second time we try to set U3. + +Fix this by checking xhci->devs[i]->udev exists before setting link state. + +The original patch went to stable so this fix needs to be applied there as +well. 
+ +Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +Cc: +Reported-by: Jordan Glover +Tested-by: Jordan Glover +Signed-off-by: Mathias Nyman +Signed-off-by: Sudip Mukherjee +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-hub.c ++++ b/drivers/usb/host/xhci-hub.c +@@ -366,7 +366,7 @@ int xhci_find_slot_id_by_port(struct usb + + slot_id = 0; + for (i = 0; i < MAX_HC_SLOTS; i++) { +- if (!xhci->devs[i]) ++ if (!xhci->devs[i] || !xhci->devs[i]->udev) + continue; + speed = xhci->devs[i]->udev->speed; + if (((speed >= USB_SPEED_SUPER) == (hcd->speed >= HCD_USB3))
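Review bot: in the clocksource-initialize-cs-wd_list.patch hunk, `INIT_LIST_HEAD(&cs->wd_list);` is placed in clocksource_enqueue_watchdog() before watchdog_lock is taken, which is only safe because a clocksource being enqueued cannot yet be on the watchdog list; if this function were ever reached for a cs that was already linked, re-initializing the head would silently detach it from wd_list instead of reporting the misuse. A one-line comment above the call stating that cs is not yet linked at this point would record that assumption, and initializing the head where the other cs fields are set up at registration would make list_empty(&cs->wd_list) valid even before the enqueue runs.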
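Review bot: in the crypto-af_alg-initialize-sg_num_bytes-in-error-code-path.patch hunk, `rsgl->sg_num_bytes = 0;` is set only in the af_alg_make_sg() failure branch, so any other early return between the point where rsgl is added to the RX SGL tracking list (which the commit message says already happened) and the later assignment of sg_num_bytes would hit the same uninitialized read in the cleanup path. Initializing sg_num_bytes to 0 once, when rsgl is allocated or list-registered, rather than in each error branch would close that class of bug instead of the single instance syzbot reported.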
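Review bot: in the media-rc-oops-in-ir_timer_keyup-after-device-unplug.patch hunk, moving `del_timer_sync(&dev->timer_keyup);` below ir_raw_event_unregister() is correct only because ir_raw_event_unregister() stops the decoder thread (the kthread_stop() named in the commit message) before returning; del_timer_sync() waits for a running callback but does not prevent another context from re-arming the timer afterwards. Nothing in the hunk records that ordering requirement, so a short comment above the moved call (for example `/* must run after the raw thread is stopped: it may re-arm timer_keyup */`) would keep the two calls from being swapped back.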
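Review bot: in the net-cxgb3_main-fix-potential-spectre-v1.patch hunk, the sanitized `t.qset_idx = array_index_nospec(t.qset_idx, nqsets);` is shown feeding only `adapter->params.sge.qset[q1 + t.qset_idx]`, but the Smatch warning quoted in the commit message points at `adapter->msix_info` on line 2286, which is outside the visible context; confirm that the msix_info access indexes with the same, already-clamped t.qset_idx and not with a copy taken before the clamp. Two smaller points: the clamp bound (nqsets) matches the preceding `if (t.qset_idx >= nqsets)` check, which is what array_index_nospec() requires, and the added `#include` line has lost its header name in this rendering, so check that the queued file reads `#include <linux/nospec.h>`, the header that provides array_index_nospec().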
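Review bot: in the net-lan78xx-fix-race-in-tx-pending-skb-size-calculation.patch hunk, the skb walk now runs with tqp->lock held and interrupts disabled, and the lock is dropped on the two visible exits (before `goto gso_skb` and after the for loop), but the two lines inside `if (pkt_cnt) { ... }` at 3203-3204 and the loop body between 3212 and 3216 are elided; any `return` or `goto` there other than a plain `break` would now leave the queue lock held with irqs off. Please confirm those elided lines only `break` or fall through, and that `flags` is already declared as `unsigned long` in lan78xx_tx_bh(), since the hunk adds no declaration. Replacing `skb_dequeue(tqp)` with `__skb_unlink(skb, tqp)` is also a behaviour change worth one more sentence in the commit message: the old code removed the queue head, the new code removes the skb the walk actually stopped on, which is the one the size calculation was made for.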
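Review bot: in the rtlwifi-fix-kernel-oops-fw-download-fail.patch base.c and base.h hunks, the new `bool ips_wq` parameter appears at every call site as a bare literal (`rtl_deinit_deferred_work(hw, false)` / `(hw, true)`) and the prototype change in base.h carries no comment; a kernel-doc line saying that ips_wq is true only when called from ips_nic_off_wq itself, so that work must be cancelled without waiting (waiting on the currently running work would deadlock), would make the call sites readable without consulting the commit message. Separately, the ps.c hunk switches rtl_ips_nic_on() to `cancel_delayed_work_sync()`, which may sleep; in the visible context it precedes `spin_lock(&rtlpriv->locks.ips_lock)` so it is outside that spinlock, but please confirm that no caller reaches rtl_ips_nic_on() from atomic context.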
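Review bot: in the rtlwifi-rtl8821ae-fix-firmware-is-not-ready-to-run.patch hunk, deleting `rtlpriv->rtlhal.fwsize = firmware->size;` follows from the commit message (the WoWLAN size must not overwrite the normal firmware size), but the visible context only shows `wowlan_fwsize` being assigned inside the `if` branch; verify that the normal-firmware branch, which is not in the hunk, stores rtlhal.fwsize itself, otherwise the normal firmware size is now never set. A comment at the branch point noting that each firmware kind records its own size field would stop the common assignment from being reintroduced.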
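Review bot: in the xhci-fix-usb3-null-pointer-dereference-at-logical-disconnect.patch hunk, the added `|| !xhci->devs[i]->udev` test reads udev without any visible synchronization while the commit message states that xhci_free_dev() clears it asynchronously, so as written this narrows the window rather than closing the race unless xhci_find_slot_id_by_port() is always entered with xhci->lock held; please confirm the locking at the callers. A comment above the check saying that a NULL udev means the virt device is being freed and must be skipped would also help, since the very next line (`speed = xhci->devs[i]->udev->speed;`) is the dereference the commit is fixing.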