From: Greg Kroah-Hartman Date: Sun, 15 Oct 2017 14:06:38 +0000 (+0200) Subject: 4.13-stable patches X-Git-Tag: v3.18.76~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a6276a9102e6a328b154b83ab99c27c47cdd2df8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.13-stable patches added patches: alsa-caiaq-fix-stray-urb-at-probe-error-path.patch alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch alsa-line6-fix-missing-initialization-before-error-path.patch alsa-line6-fix-null-dereference-at-podhd_disconnect.patch alsa-seq-fix-copy_from_user-call-inside-lock.patch bio_copy_user_iov-don-t-ignore-iov_offset.patch direct-io-prevent-null-pointer-access-in-submit_page_section.patch drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch more-bio_map_user_iov-leak-fixes.patch pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch revert-pci-tegra-do-not-allocate-msi-target-memory.patch usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch usb-serial-console-fix-use-after-free-after-failed-setup.patch usb-serial-console-fix-use-after-free-on-disconnect.patch usb-serial-cp210x-add-support-for-elv-tfd500.patch usb-serial-cp210x-fix-partnum-regression.patch usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch 
usb-serial-option-add-support-for-tp-link-lte-module.patch usb-serial-qcserial-add-dell-dw5818-dw5819.patch
---
diff --git a/queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch b/queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
new file mode 100644
index 00000000000..191ab37a2da
--- /dev/null
+++ b/queue-4.13/alsa-caiaq-fix-stray-urb-at-probe-error-path.patch
@@ -0,0 +1,51 @@
+From 99fee508245825765ff60155fed43f970ff83a8f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 11 Oct 2017 16:39:02 +0200
+Subject: ALSA: caiaq: Fix stray URB at probe error path
+
+From: Takashi Iwai
+
+commit 99fee508245825765ff60155fed43f970ff83a8f upstream.
+
+caiaq driver doesn't kill the URB properly at its error path during
+the probe, which may lead to a use-after-free error later. This patch
+addresses it.
+
+Reported-by: Johan Hovold
+Reviewed-by: Johan Hovold
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/caiaq/device.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/caiaq/device.c
++++ b/sound/usb/caiaq/device.c
+@@ -469,10 +469,12 @@ static int init_card(struct snd_usb_caia
+
+ err = snd_usb_caiaq_send_command(cdev, EP1_CMD_GET_DEVICE_INFO, NULL, 0);
+ if (err)
+- return err;
++ goto err_kill_urb;
+
+- if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ))
+- return -ENODEV;
++ if (!wait_event_timeout(cdev->ep1_wait_queue, cdev->spec_received, HZ)) {
++ err = -ENODEV;
++ goto err_kill_urb;
++ }
+
+ usb_string(usb_dev, usb_dev->descriptor.iManufacturer,
+ cdev->vendor_name, CAIAQ_USB_STR_LEN);
+@@ -507,6 +509,10 @@ static int init_card(struct snd_usb_caia
+
+ setup_card(cdev);
+ return 0;
++
++ err_kill_urb:
++ usb_kill_urb(&cdev->ep1_in_urb);
++ return err;
+ }
+
+ static int snd_probe(struct usb_interface *intf,
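Review bot: The new `err_kill_urb:` label in init_card() has no comment saying which earlier step leaves `ep1_in_urb` in flight, so a later edit that adds another early `return` after that step would bring back the stale-URB use-after-free the message describes. I would add `/* ep1_in_urb may still be in flight; kill it before the probe error path tears the device down */` above `usb_kill_urb(&cdev->ep1_in_urb);`. The lines between the two hunks are not visible, so any return statement there should be checked for the same treatment. init_card() starts before the first hunk.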
diff --git a/queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch b/queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
new file mode 100644
index 00000000000..18290b06b31
--- /dev/null
+++ b/queue-4.13/alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch
@@ -0,0 +1,58 @@
+From c95072b3d88fac4be295815f2b67df366c0c297f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Oct 2017 14:51:23 +0200
+Subject: ALSA: line6: Fix leftover URB at error-path during probe
+
+From: Takashi Iwai
+
+commit c95072b3d88fac4be295815f2b67df366c0c297f upstream.
+
+While line6_probe() may kick off URB for a control MIDI endpoint, the
+function doesn't clean up it properly at its error path. This results
+in a leftover URB action that is eventually triggered later and causes
+an Oops like:
+ general protection fault: 0000 [#1] PREEMPT SMP KASAN
+ CPU: 1 PID: 0 Comm: swapper/1 Not tainted
+ RIP: 0010:usb_fill_bulk_urb ./include/linux/usb.h:1619
+ RIP: 0010:line6_start_listen+0x3fe/0x9e0 sound/usb/line6/driver.c:76
+ Call Trace:
+
+ line6_data_received+0x1f7/0x470 sound/usb/line6/driver.c:326
+ __usb_hcd_giveback_urb+0x2e0/0x650 drivers/usb/core/hcd.c:1779
+ usb_hcd_giveback_urb+0x337/0x420 drivers/usb/core/hcd.c:1845
+ dummy_timer+0xba9/0x39f0 drivers/usb/gadget/udc/dummy_hcd.c:1965
+ call_timer_fn+0x2a2/0x940 kernel/time/timer.c:1281
+ ....
+
+Since the whole clean-up procedure is done in line6_disconnect()
+callback, we can simply call it in the error path instead of
+open-coding the whole again. It'll fix such an issue automagically.
+
+The bug was spotted by syzkaller.
+
+Fixes: eedd0e95d355 ("ALSA: line6: Don't forget to call driver's destructor at error path")
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/driver.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/line6/driver.c
++++ b/sound/usb/line6/driver.c
+@@ -779,9 +779,10 @@ int line6_probe(struct usb_interface *in
+ return 0;
+
+ error:
+- if (line6->disconnect)
+- line6->disconnect(line6);
+- snd_card_free(card);
++ /* we can call disconnect callback here because no close-sync is
++ * needed yet at this point
++ */
++ line6_disconnect(interface);
+ return ret;
+ }
+ EXPORT_SYMBOL_GPL(line6_probe);
diff --git a/queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch b/queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch
new file mode 100644
index 00000000000..21fc4aac37f
--- /dev/null
+++ b/queue-4.13/alsa-line6-fix-missing-initialization-before-error-path.patch
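Review bot: Calling `line6_disconnect(interface)` from the `error:` label makes each driver's disconnect callback reachable on a half-initialised device, and the replacement comment only mentions close-sync. The two companion patches in this queue (alsa-line6-fix-missing-initialization-before-error-path and alsa-line6-fix-null-dereference-at-podhd_disconnect) fix crashes on exactly this path, so the three need to be applied together. I would extend the comment with a line such as `* NOTE: disconnect callbacks must tolerate state that init never reached`. line6_probe() starts outside the hunk and line6_disconnect() itself is not shown.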
@@ -0,0 +1,66 @@
+From cb02ffc76a53b5ea751b79b8d4f4d180e5868475 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Oct 2017 14:32:15 +0200
+Subject: ALSA: line6: Fix missing initialization before error path
+
+From: Takashi Iwai
+
+commit cb02ffc76a53b5ea751b79b8d4f4d180e5868475 upstream.
+
+The error path in podhd_init() tries to clear the pending timer, while
+the timer object is initialized at the end of init sequence, thus it
+may hit the uninitialized object, as spotted by syzkaller:
+
+ INFO: trying to register non-static key.
+ the code is fine but needs lockdep annotation.
+ turning off the locking correctness validator.
+ CPU: 1 PID: 1845 Comm: kworker/1:2 Not tainted
+ 4.14.0-rc2-42613-g1488251d1a98 #238
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Workqueue: usb_hub_wq hub_event
+ Call Trace:
+ __dump_stack lib/dump_stack.c:16
+ dump_stack+0x292/0x395 lib/dump_stack.c:52
+ register_lock_class+0x6c4/0x1a00 kernel/locking/lockdep.c:769
+ __lock_acquire+0x27e/0x4550 kernel/locking/lockdep.c:3385
+ lock_acquire+0x259/0x620 kernel/locking/lockdep.c:4002
+ del_timer_sync+0x12c/0x280 kernel/time/timer.c:1237
+ podhd_disconnect+0x8c/0x160 sound/usb/line6/podhd.c:299
+ line6_probe+0x844/0x1310 sound/usb/line6/driver.c:783
+ podhd_probe+0x64/0x70 sound/usb/line6/podhd.c:474
+ ....
+
+For addressing it, assure the initializations of timer and work by
+moving them to the beginning of podhd_init().
+
+Fixes: 790869dacc3d ("ALSA: line6: Add support for POD X3")
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/podhd.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -318,6 +318,9 @@ static int podhd_init(struct usb_line6 *
+
+ line6->disconnect = podhd_disconnect;
+
++ init_timer(&pod->startup_timer);
++ INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
++
+ if (pod->line6.properties->capabilities & LINE6_CAP_CONTROL) {
+ /* claim the data interface */
+ intf = usb_ifnum_to_if(line6->usbdev,
+@@ -359,8 +362,6 @@ static int podhd_init(struct usb_line6 *
+ }
+
+ /* init device and delay registering */
+- init_timer(&pod->startup_timer);
+- INIT_WORK(&pod->startup_work, podhd_startup_workqueue);
+ podhd_startup(pod);
+ return 0;
+ }
diff --git a/queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch b/queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch
new file mode 100644
index 00000000000..e16cd7b7ee9
--- /dev/null
+++ b/queue-4.13/alsa-line6-fix-null-dereference-at-podhd_disconnect.patch
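Review bot: The moved `init_timer()`/`INIT_WORK()` pair now has to stay above every failing step in podhd_init(), but nothing at the new location says so. The trace in the message shows podhd_disconnect() reaching `del_timer_sync()` from the probe error path, so a comment such as `/* set up before anything can fail: podhd_disconnect() runs del_timer_sync() on startup_timer */` would keep a later reorder from bringing the uninitialised-timer access back. podhd_init() extends beyond both hunks.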
@@ -0,0 +1,37 @@
+From 54a4b2b45817ea2365b40c923c098a26af0c0dbb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Oct 2017 14:26:27 +0200
+Subject: ALSA: line6: Fix NULL dereference at podhd_disconnect()
+
+From: Takashi Iwai
+
+commit 54a4b2b45817ea2365b40c923c098a26af0c0dbb upstream.
+
+When podhd_init() failed with the acquiring a ctrl i/f, the line6
+helper still calls the disconnect callback that eventually calls again
+usb_driver_release_interface() with the NULL intf.
+
+Put the proper NULL check before calling it for avoiding an Oops.
+
+Fixes: fc90172ba283 ("ALSA: line6: Claim pod x3 usb data interface")
+Reported-by: Andrey Konovalov
+Tested-by: Andrey Konovalov
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/usb/line6/podhd.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/line6/podhd.c
++++ b/sound/usb/line6/podhd.c
+@@ -301,7 +301,8 @@ static void podhd_disconnect(struct usb_
+
+ intf = usb_ifnum_to_if(line6->usbdev,
+ pod->line6.properties->ctrl_if);
+- usb_driver_release_interface(&podhd_driver, intf);
++ if (intf)
++ usb_driver_release_interface(&podhd_driver, intf);
+ }
+ }
+
diff --git a/queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch b/queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch
new file mode 100644
index 00000000000..a27733ea7c4
--- /dev/null
+++ b/queue-4.13/alsa-seq-fix-copy_from_user-call-inside-lock.patch
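Review bot: The new `if (intf)` in podhd_disconnect() carries no comment, and the reason it is needed is recorded only in the commit message: the callback can run after podhd_init() failed while acquiring the control interface. I would add `/* may be NULL when called from the probe error path */` above the check so it is not later removed as redundant. The enclosing function starts outside the hunk.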
@@ -0,0 +1,137 @@
+From 5803b023881857db32ffefa0d269c90280a67ee0 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 9 Oct 2017 10:02:56 +0200
+Subject: ALSA: seq: Fix copy_from_user() call inside lock
+
+From: Takashi Iwai
+
+commit 5803b023881857db32ffefa0d269c90280a67ee0 upstream.
+
+The event handler in the virmidi sequencer code takes a read-lock for
+the linked list traverse, while it's calling snd_seq_dump_var_event()
+in the loop. The latter function may expand the user-space data
+depending on the event type. It eventually invokes copy_from_user(),
+which might be a potential dead-lock.
+
+The sequencer core guarantees that the user-space data is passed only
+with atomic=0 argument, but snd_virmidi_dev_receive_event() ignores it
+and always takes read-lock(). For avoiding the problem above, this
+patch introduces rwsem for non-atomic case, while keeping rwlock for
+atomic case.
+
+Also while we're at it: the superfluous irq flags is dropped in
+snd_virmidi_input_open().
+
+Reported-by: Jia-Ju Bai
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/sound/seq_virmidi.h | 1 +
+ sound/core/seq/seq_virmidi.c | 27 +++++++++++++++++++--------
+ 2 files changed, 20 insertions(+), 8 deletions(-)
+
+--- a/include/sound/seq_virmidi.h
++++ b/include/sound/seq_virmidi.h
+@@ -60,6 +60,7 @@ struct snd_virmidi_dev {
+ int port; /* created/attached port */
+ unsigned int flags; /* SNDRV_VIRMIDI_* */
+ rwlock_t filelist_lock;
++ struct rw_semaphore filelist_sem;
+ struct list_head filelist;
+ };
+
+--- a/sound/core/seq/seq_virmidi.c
++++ b/sound/core/seq/seq_virmidi.c
+@@ -77,13 +77,17 @@ static void snd_virmidi_init_event(struc
+ * decode input event and put to read buffer of each opened file
+ */
+ static int snd_virmidi_dev_receive_event(struct snd_virmidi_dev *rdev,
+- struct snd_seq_event *ev)
++ struct snd_seq_event *ev,
++ bool atomic)
+ {
+ struct snd_virmidi *vmidi;
+ unsigned char msg[4];
+ int len;
+
+-
read_lock(&rdev->filelist_lock);
++ if (atomic)
++ read_lock(&rdev->filelist_lock);
++ else
++ down_read(&rdev->filelist_sem);
+ list_for_each_entry(vmidi, &rdev->filelist, list) {
+ if (!vmidi->trigger)
+ continue;
+@@ -97,7 +101,10 @@ static int snd_virmidi_dev_receive_event
+ snd_rawmidi_receive(vmidi->substream, msg, len);
+ }
+ }
+- read_unlock(&rdev->filelist_lock);
++ if (atomic)
++ read_unlock(&rdev->filelist_lock);
++ else
++ up_read(&rdev->filelist_sem);
+
+ return 0;
+ }
+@@ -115,7 +122,7 @@ int snd_virmidi_receive(struct snd_rawmi
+ struct snd_virmidi_dev *rdev;
+
+ rdev = rmidi->private_data;
+- return snd_virmidi_dev_receive_event(rdev, ev);
++ return snd_virmidi_dev_receive_event(rdev, ev, true);
+ }
+ #endif /* 0 */
+
+@@ -130,7 +137,7 @@ static int snd_virmidi_event_input(struc
+ rdev = private_data;
+ if (!(rdev->flags & SNDRV_VIRMIDI_USE))
+ return 0; /* ignored */
+- return snd_virmidi_dev_receive_event(rdev, ev);
++ return snd_virmidi_dev_receive_event(rdev, ev, atomic);
+ }
+
+ /*
+@@ -209,7 +216,6 @@ static int snd_virmidi_input_open(struct
+ struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
+ struct snd_virmidi *vmidi;
+- unsigned long flags;
+
+ vmidi = kzalloc(sizeof(*vmidi), GFP_KERNEL);
+ if (vmidi == NULL)
+@@ -223,9 +229,11 @@ static int snd_virmidi_input_open(struct
+ vmidi->client = rdev->client;
+ vmidi->port = rdev->port;
+ runtime->private_data = vmidi;
+- write_lock_irqsave(&rdev->filelist_lock, flags);
++ down_write(&rdev->filelist_sem);
++ write_lock_irq(&rdev->filelist_lock);
+ list_add_tail(&vmidi->list, &rdev->filelist);
+- write_unlock_irqrestore(&rdev->filelist_lock, flags);
++ write_unlock_irq(&rdev->filelist_lock);
++ up_write(&rdev->filelist_sem);
+ vmidi->rdev = rdev;
+ return 0;
+ }
+@@ -264,9 +272,11 @@ static int snd_virmidi_input_close(struc
+ struct snd_virmidi_dev *rdev = substream->rmidi->private_data;
+ struct snd_virmidi *vmidi =
substream->runtime->private_data;
+
++ down_write(&rdev->filelist_sem);
+ write_lock_irq(&rdev->filelist_lock);
+ list_del(&vmidi->list);
+ write_unlock_irq(&rdev->filelist_lock);
++ up_write(&rdev->filelist_sem);
+ snd_midi_event_free(vmidi->parser);
+ substream->runtime->private_data = NULL;
+ kfree(vmidi);
+@@ -520,6 +530,7 @@ int snd_virmidi_new(struct snd_card *car
+ rdev->rmidi = rmidi;
+ rdev->device = device;
+ rdev->client = -1;
++ init_rwsem(&rdev->filelist_sem);
+ rwlock_init(&rdev->filelist_lock);
+ INIT_LIST_HEAD(&rdev->filelist);
+ rdev->seq_mode = SNDRV_VIRMIDI_SEQ_DISPATCH;
diff --git a/queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch b/queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch
new file mode 100644
index 00000000000..13f8030edd1
--- /dev/null
+++ b/queue-4.13/bio_copy_user_iov-don-t-ignore-iov_offset.patch
@@ -0,0 +1,35 @@
+From 1cfd0ddd82232804e03f3023f6a58b50dfef0574 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 24 Sep 2017 10:21:15 -0400
+Subject: bio_copy_user_iov(): don't ignore ->iov_offset
+
+From: Al Viro
+
+commit 1cfd0ddd82232804e03f3023f6a58b50dfef0574 upstream.
+
+Since "block: support large requests in blk_rq_map_user_iov" we
+started to call it with partially drained iter; that works fine
+on the write side, but reads create a copy of iter for completion
+time. And that needs to take the possibility of ->iov_iter != 0
+into account...
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bio.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1235,8 +1235,8 @@ struct bio *bio_copy_user_iov(struct req
+ */
+ bmd->is_our_pages = map_data ? 0 : 1;
+ memcpy(bmd->iov, iter->iov, sizeof(struct iovec) * iter->nr_segs);
+- iov_iter_init(&bmd->iter, iter->type, bmd->iov,
+- iter->nr_segs, iter->count);
++ bmd->iter = *iter;
++ bmd->iter.iov = bmd->iov;
+
+ ret = -ENOMEM;
+ bio = bio_kmalloc(gfp_mask, nr_pages);
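Review bot: `filelist` is now protected by two locks, but neither the new `filelist_sem` member of struct snd_virmidi_dev nor its users state the rule. From the hunks, readers take `filelist_lock` when `atomic` is set and `filelist_sem` otherwise, while snd_virmidi_input_open() and snd_virmidi_input_close() take `filelist_sem` first and `filelist_lock` inside it. I would document that at the field, e.g. `/* filelist: writers hold filelist_sem, then filelist_lock; readers hold one of the two (rwlock when atomic) */`, because a future writer that takes only one of them would race with readers on the other.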
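Review bot: The struct copy `bmd->iter = *iter;` followed by `bmd->iter.iov = bmd->iov;` in bio_copy_user_iov() is easy to read as shorthand for the removed iov_iter_init() call, yet the difference between the two is the whole fix. A comment such as `/* copy the iterator as-is so a non-zero iov_offset is kept; only repoint it at our private iovec copy */` would stop someone from switching back. The memcpy above it copies `iter->nr_segs` entries into `bmd->iov`; the allocation that sizes `bmd->iov` is outside the hunk and should be confirmed to use the same count.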
diff --git a/queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch b/queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch
new file mode 100644
index 00000000000..3268dde186d
--- /dev/null
+++ b/queue-4.13/direct-io-prevent-null-pointer-access-in-submit_page_section.patch
@@ -0,0 +1,37 @@
+From 899f0429c7d3eed886406cd72182bee3b96aa1f9 Mon Sep 17 00:00:00 2001
+From: Andreas Gruenbacher
+Date: Mon, 9 Oct 2017 11:13:18 +0200
+Subject: direct-io: Prevent NULL pointer access in submit_page_section
+
+From: Andreas Gruenbacher
+
+commit 899f0429c7d3eed886406cd72182bee3b96aa1f9 upstream.
+
+In the code added to function submit_page_section by commit b1058b981,
+sdio->bio can currently be NULL when calling dio_bio_submit. This then
+leads to a NULL pointer access in dio_bio_submit, so check for a NULL
+bio in submit_page_section before trying to submit it instead.
+
+Fixes xfstest generic/250 on gfs2.
+
+Signed-off-by: Andreas Gruenbacher
+Reviewed-by: Jan Kara
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/direct-io.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/direct-io.c
++++ b/fs/direct-io.c
+@@ -838,7 +838,8 @@ out:
+ */
+ if (sdio->boundary) {
+ ret = dio_send_cur_page(dio, sdio, map_bh);
+- dio_bio_submit(dio, sdio);
++ if (sdio->bio)
++ dio_bio_submit(dio, sdio);
+ put_page(sdio->cur_page);
+ sdio->cur_page = NULL;
+ }
diff --git a/queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch b/queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch
new file mode 100644
index 00000000000..962ff5c4e2c
--- /dev/null
+++ b/queue-4.13/drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch
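Review bot: The NULL test is placed at this one call site in submit_page_section(), so dio_bio_submit() still dereferences a NULL `sdio->bio` for any other caller that can reach it without a bio; those callers are not visible in the hunk. Either record the precondition at the call, `/* dio_send_cur_page() may leave no bio to submit */`, or confirm that the remaining call sites already test `sdio->bio`. The enclosing function starts and ends outside the hunk.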
@@ -0,0 +1,50 @@
+From 78279127253a6c36ed8829eb2b7bc28ef48d9717 Mon Sep 17 00:00:00 2001
+From: Jeffy Chen
+Date: Mon, 9 Oct 2017 14:46:41 +0800
+Subject: drm/atomic: Unref duplicated drm_atomic_state in drm_atomic_helper_resume()
+
+From: Jeffy Chen
+
+commit 78279127253a6c36ed8829eb2b7bc28ef48d9717 upstream.
+
+Kmemleak reported memory leak after suspend and resume:
+unreferenced object 0xffffffc0e31d8880 (size 128):
+ comm "bash", pid 181, jiffies 4294763583 (age 24.694s)
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 00 20 a2 eb c0 ff ff ff ......... ......
+ 01 00 00 00 00 00 00 00 80 87 1d e3 c0 ff ff ff ................
+ backtrace:
+ [] __save_stack_trace+0x48/0x6c
+ [] create_object+0x138/0x254
+ [] kmemleak_alloc+0x58/0x8c
+ [] kmem_cache_alloc_trace+0x188/0x254
+ [] drm_atomic_state_alloc+0x3c/0x88
+ [] drm_atomic_helper_duplicate_state+0x28/0x158
+ [] drm_atomic_helper_suspend+0x5c/0xf0
+
+Problem here is that we are duplicating the drm_atomic_state in
+drm_atomic_helper_suspend(), but not unreference it in the resume path.
+
+Fixes: 1494276000db ("drm/atomic-helper: Implement subsystem-level suspend/resume")
+Signed-off-by: Jeffy Chen
+Reviewed-by: Maarten Lankhorst
+Signed-off-by: Maarten Lankhorst
+Link: https://patchwork.freedesktop.org/patch/msgid/20171009064641.15174-1-jeffy.chen@rock-chips.com
+Fixes: 0853695c3ba4 ("drm: Add reference counting to drm_atomic_state")
+(cherry picked from commit 6d281b1f79e194c02125da29ea77316810261ca8)
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_atomic_helper.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_atomic_helper.c
++++ b/drivers/gpu/drm/drm_atomic_helper.c
+@@ -2756,6 +2756,7 @@ out:
+ drm_modeset_backoff(&ctx);
+ }
+
++ drm_atomic_state_put(state);
+ drm_modeset_drop_locks(&ctx);
+ drm_modeset_acquire_fini(&ctx);
+
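Review bot: The added `drm_atomic_state_put(state);` makes drm_atomic_helper_resume() consume the caller's reference, a contract change that the hunk does not document. A driver that already drops its own reference after resume would now put the state twice, so the function's kerneldoc should say something like `The state reference is dropped by this function; callers must not use or put @state afterwards.` The put is also unconditional, so whether `state` can be NULL or an error pointer on this path needs checking against code outside the hunk. The function body starts before the hunk.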
diff --git a/queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch b/queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
new file mode 100644
index 00000000000..29bc049b6a5
--- /dev/null
+++ b/queue-4.13/drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch
@@ -0,0 +1,47 @@
+From ea850f64c2722278f150dc11de2141baeb24211c Mon Sep 17 00:00:00 2001
+From: Jani Nikula
+Date: Thu, 28 Sep 2017 11:21:57 +0300
+Subject: drm/i915/bios: parse DDI ports also for CHV for HDMI DDC pin and DP AUX channel
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jani Nikula
+
+commit ea850f64c2722278f150dc11de2141baeb24211c upstream.
+
+While technically CHV isn't DDI, we do look at the VBT based DDI port
+info for HDMI DDC pin and DP AUX channel. (We call these "alternate",
+but they're really just something that aren't platform defaults.)
+
+In commit e4ab73a13291 ("drm/i915: Respect alternate_ddc_pin for all DDI
+ports") Ville writes, "IIRC there may be CHV system that might actually
+need this."
+
+I'm not sure why there couldn't be even more platforms that need this,
+but start conservative, and parse the info for CHV in addition to DDI.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=100553
+Reported-by: Marek Wilczewski
+Reviewed-by: Ville Syrjälä
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/d0815082cb98487618429b62414854137049b888.1506586821.git.jani.nikula@intel.com
+(cherry picked from commit 348e4058ebf53904e817eec7a1b25327143c2ed2)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_bios.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_bios.c
++++ b/drivers/gpu/drm/i915/intel_bios.c
+@@ -1231,7 +1231,7 @@ static void parse_ddi_ports(struct drm_i
+ {
+ enum port port;
+
+- if (!HAS_DDI(dev_priv))
++ if (!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv))
+ return;
+
+ if (!dev_priv->vbt.child_dev_num)
diff --git a/queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch b/queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch
new file mode 100644
index 00000000000..9250136c305
--- /dev/null
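Review bot: The widened condition `!HAS_DDI(dev_priv) && !IS_CHERRYVIEW(dev_priv)` in parse_ddi_ports() reads as a mistake without the commit message, because CHV is, as the message itself says, not a DDI platform. I would put the reason above the test: `/* CHV is not DDI, but the VBT DDI port info still supplies its HDMI DDC pin and DP AUX channel */`. The rest of parse_ddi_ports() is outside the hunk, so whether it goes on to parse further DDI-only fields for CHV cannot be judged from here.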
+++ b/queue-4.13/drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch 
@@ -0,0 +1,53 @@
+From d7ba25bd9ef802ff02414e9105f4222d1795f27a Mon Sep 17 00:00:00 2001
+From: Manasi Navare
+Date: Wed, 4 Oct 2017 09:48:26 -0700
+Subject: drm/i915/edp: Get the Panel Power Off timestamp after panel is off
+
+From: Manasi Navare
+
+commit d7ba25bd9ef802ff02414e9105f4222d1795f27a upstream.
+
+Kernel stores the time in jiffies at which the eDP panel is turned
+off. This should be obtained after the panel is off (after the
+wait_panel_off). When we next attempt to turn the panel on, we use the
+difference between the timestamp at which we want to turn the panel on
+and timestamp at which panel was turned off to ensure that this is equal
+to panel power cycle delay and if not we wait for the remaining
+time. Not waiting for the panel power cycle delay can cause the panel to
+not turn on giving rise to AUX timeouts for the attempted AUX
+transactions.
+
+v2:
+* Separate lines for bugzilla (Jani Nikula)
+* Suggested by tag (Daniel Vetter)
+
+Cc: Daniel Vetter
+Cc: Jani Nikula
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101518
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=101144
+Suggested-by: Daniel Vetter
+Signed-off-by: Manasi Navare
+Reviewed-by: Daniel Vetter
+Reviewed-by: Jani Nikula
+Signed-off-by: Jani Nikula
+Link: https://patchwork.freedesktop.org/patch/msgid/1507135706-17147-1-git-send-email-manasi.d.navare@intel.com
+(cherry picked from commit cbacf02e7796fea02e5c6e46c90ed7cbe9e6f2c0)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_dp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/i915/intel_dp.c
++++ b/drivers/gpu/drm/i915/intel_dp.c
+@@ -2263,8 +2263,8 @@ static void edp_panel_off(struct intel_d
+ I915_WRITE(pp_ctrl_reg, pp);
+ POSTING_READ(pp_ctrl_reg);
+
+- intel_dp->panel_power_off_time = ktime_get_boottime();
+ wait_panel_off(intel_dp);
++ intel_dp->panel_power_off_time = ktime_get_boottime();
+
+ /* We got a reference when we
enabled the VDD. */
+ intel_display_power_put(dev_priv, intel_dp->aux_power_domain);
diff --git a/queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch b/queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
new file mode 100644
index 00000000000..35761f4691a
--- /dev/null
+++ b/queue-4.13/drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch
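Review bot: The order of `wait_panel_off(intel_dp);` and the `panel_power_off_time` assignment in edp_panel_off() is now what makes the power-cycle delay correct, and nothing in the code says so. A one-line comment before the assignment, `/* stamp only once the panel is really off; the power cycle delay is measured from here */`, would keep a later cleanup from swapping the two lines back. The function continues on both sides of the hunk.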
@@ -0,0 +1,75 @@
+From 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?=
+Date: Fri, 1 Apr 2016 18:37:25 +0300
+Subject: drm/i915: Read timings from the correct transcoder in intel_crtc_mode_get()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ville Syrjälä
+
+commit 7b50f7b24cd6c98541f1af53bddc5b6e861ee8c8 upstream.
+
+intel_crtc->config->cpu_transcoder isn't yet filled out when
+intel_crtc_mode_get() gets called during output probing, so we should
+not use it there. Instead intel_crtc_mode_get() figures out the correct
+transcoder on its own, and that's what we should use.
+
+If the BIOS boots LVDS on pipe B, intel_crtc_mode_get() would actually
+end up reading the timings from pipe A instead (since PIPE_A==0),
+which clearly isn't what we want.
+
+It looks to me like this may have been broken by
+commit eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+as that one removed the early initialization of cpu_transcoder from
+intel_crtc_init().
+
+Cc: dri-devel@lists.freedesktop.org
+Cc: Rob Kramer
+Cc: Daniel Vetter
+Reported-by: Rob Kramer
+Fixes: eccb140bca67 ("drm/i915: hw state readout&check support for cpu_transcoder")
+References: https://lists.freedesktop.org/archives/dri-devel/2016-April/104142.html
+Signed-off-by: Ville Syrjälä
+Reviewed-by: Chris Wilson
+Link: https://patchwork.freedesktop.org/patch/msgid/1459525046-19425-1-git-send-email-ville.syrjala@linux.intel.com
+(cherry picked from commit e30a154b5262b967b133b06ac40777e651045898)
+Signed-off-by: Rodrigo Vivi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/intel_display.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/gpu/drm/i915/intel_display.c
++++ b/drivers/gpu/drm/i915/intel_display.c
+@@ -10059,13 +10059,10 @@ struct drm_display_mode *intel_crtc_mode
+ {
+ struct drm_i915_private *dev_priv = to_i915(dev);
+ struct intel_crtc *intel_crtc = to_intel_crtc(crtc);
+- enum transcoder cpu_transcoder = intel_crtc->config->cpu_transcoder;
++ enum transcoder cpu_transcoder;
+ struct drm_display_mode *mode;
+ struct intel_crtc_state *pipe_config;
+- int htot = I915_READ(HTOTAL(cpu_transcoder));
+- int hsync = I915_READ(HSYNC(cpu_transcoder));
+- int vtot = I915_READ(VTOTAL(cpu_transcoder));
+- int vsync = I915_READ(VSYNC(cpu_transcoder));
++ u32 htot, hsync, vtot, vsync;
+ enum pipe pipe = intel_crtc->pipe;
+
+ mode = kzalloc(sizeof(*mode), GFP_KERNEL);
+@@ -10093,6 +10090,13 @@ struct drm_display_mode *intel_crtc_mode
+ i9xx_crtc_clock_get(intel_crtc, pipe_config);
+
+ mode->clock = pipe_config->port_clock / pipe_config->pixel_multiplier;
++
++ cpu_transcoder = pipe_config->cpu_transcoder;
++ htot = I915_READ(HTOTAL(cpu_transcoder));
++ hsync = I915_READ(HSYNC(cpu_transcoder));
++ vtot = I915_READ(VTOTAL(cpu_transcoder));
++ vsync = I915_READ(VSYNC(cpu_transcoder));
++
+ mode->hdisplay = (htot & 0xffff) + 1;
+ mode->htotal = ((htot & 0xffff0000) >> 16) + 1;
+ mode->hsync_start = (hsync
& 0xffff) + 1;
diff --git a/queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch b/queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch
new file mode 100644
index 00000000000..466ffcca3b2
--- /dev/null
+++ b/queue-4.13/drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch
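Review bot: `cpu_transcoder` is now read from `pipe_config->cpu_transcoder`, but the assignment that fills that field lies between the two hunks and is not visible, so the four register reads depend on it having run first. I would mark the dependency where the value is used: `/* pipe_config->cpu_transcoder is set above; intel_crtc->config is not filled in yet during output probing */`. intel_crtc_mode_get() starts before the first hunk and continues past the second.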
@@ -0,0 +1,159 @@ +From d6a55c63e6adcb58957bbdce2d390088970273da Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Thu, 5 Oct 2017 16:15:20 +0200 +Subject: drm/i915: Use crtc_state_is_legacy_gamma in intel_color_check + +From: Maarten Lankhorst + +commit d6a55c63e6adcb58957bbdce2d390088970273da upstream. + +crtc_state_is_legacy_gamma also checks for CTM, which was missing from +intel_color_check. By using the same condition for commit and check +we reduce the chance of mismatches. + +This was spotted by KASAN while trying to rework kms_color igt test. + +[ 72.008660] ================================================================== +[ 72.009326] BUG: KASAN: slab-out-of-bounds in bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915] +[ 72.009519] Read of size 2 at addr ffff880220216e50 by task kms_color/1158 +[ 72.009900] CPU: 2 PID: 1158 Comm: kms_color Tainted: G U W 4.14.0-rc3-patser+ #5281 +[ 72.009921] Hardware name: GIGABYTE GB-BKi3A-7100/MFLP3AP-00, BIOS F1 07/27/2016 +[ 72.009941] Call Trace: +[ 72.009968] dump_stack+0xc5/0x151 +[ 72.009996] ? _atomic_dec_and_lock+0x10f/0x10f +[ 72.010024] ? show_regs_print_info+0x3c/0x3c +[ 72.010072] print_address_description+0x7f/0x240 +[ 72.010108] kasan_report+0x216/0x370 +[ 72.010308] ? bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915] +[ 72.010349] __asan_load2+0x74/0x80 +[ 72.010552] bdw_load_gamma_lut.isra.3+0x15c/0x360 [i915] +[ 72.010772] broadwell_load_luts+0x1f0/0x300 [i915] +[ 72.010997] intel_color_load_luts+0x36/0x40 [i915] +[ 72.011205] intel_begin_crtc_commit+0xa1/0x310 [i915] +[ 72.011283] drm_atomic_helper_commit_planes_on_crtc+0xa6/0x320 [drm_kms_helper] +[ 72.011316] ? wait_for_completion_io+0x460/0x460 +[ 72.011524] intel_update_crtc+0xe3/0x100 [i915] +[ 72.011720] skl_update_crtcs+0x360/0x3f0 [i915] +[ 72.011945] ? intel_update_crtcs+0xf0/0xf0 [i915] +[ 72.012010] ? drm_atomic_helper_wait_for_dependencies+0x3d9/0x400 [drm_kms_helper] +[ 72.012231] intel_atomic_commit_tail+0x8db/0x1500 [i915] +[ 72.012273] ? 
__lock_is_held+0x9c/0xc0 +[ 72.012494] ? skl_update_crtcs+0x3f0/0x3f0 [i915] +[ 72.012518] ? find_next_bit+0xb/0x10 +[ 72.012544] ? cpumask_next+0x1a/0x20 +[ 72.012745] ? i915_sw_fence_complete+0x9d/0xe0 [i915] +[ 72.012938] ? __i915_sw_fence_complete+0x5d0/0x5d0 [i915] +[ 72.013176] intel_atomic_commit+0x528/0x570 [i915] +[ 72.013280] ? drm_atomic_get_property+0xc00/0xc00 [drm] +[ 72.013466] ? intel_atomic_commit_tail+0x1500/0x1500 [i915] +[ 72.013496] ? kmem_cache_alloc_trace+0x266/0x280 +[ 72.013714] ? intel_atomic_commit_tail+0x1500/0x1500 [i915] +[ 72.013812] drm_atomic_commit+0x77/0x80 [drm] +[ 72.013911] set_property_atomic+0x14a/0x210 [drm] +[ 72.014015] ? drm_object_property_get_value+0x70/0x70 [drm] +[ 72.014080] ? mutex_unlock+0xd/0x10 +[ 72.014292] ? intel_atomic_commit_tail+0x1500/0x1500 [i915] +[ 72.014379] drm_mode_obj_set_property_ioctl+0x1cf/0x310 [drm] +[ 72.014481] ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm] +[ 72.014510] ? lock_release+0x6c0/0x6c0 +[ 72.014602] ? drm_is_current_master+0x46/0x60 [drm] +[ 72.014706] drm_ioctl_kernel+0x148/0x1d0 [drm] +[ 72.014799] ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm] +[ 72.014898] ? drm_ioctl_permit+0x100/0x100 [drm] +[ 72.014936] ? kasan_check_write+0x14/0x20 +[ 72.015039] drm_ioctl+0x441/0x660 [drm] +[ 72.015129] ? drm_mode_obj_find_prop_id+0xa0/0xa0 [drm] +[ 72.015235] ? drm_getstats+0x20/0x20 [drm] +[ 72.015287] ? ___might_sleep+0x159/0x340 +[ 72.015311] ? find_held_lock+0xcf/0xf0 +[ 72.015341] ? __schedule_bug+0x110/0x110 +[ 72.015405] do_vfs_ioctl+0xa88/0xb10 +[ 72.015449] ? ioctl_preallocate+0x1a0/0x1a0 +[ 72.015487] ? selinux_capable+0x20/0x20 +[ 72.015525] ? 
rcu_dynticks_momentary_idle+0x40/0x40 +[ 72.015607] SyS_ioctl+0x4e/0x80 +[ 72.015647] entry_SYSCALL_64_fastpath+0x18/0xad +[ 72.015670] RIP: 0033:0x7ff74a3d04d7 +[ 72.015691] RSP: 002b:00007ffc594bec08 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +[ 72.015734] RAX: ffffffffffffffda RBX: ffffffff8718f54a RCX: 00007ff74a3d04d7 +[ 72.015756] RDX: 00007ffc594bec40 RSI: 00000000c01864ba RDI: 0000000000000003 +[ 72.015777] RBP: ffff880211c0ff98 R08: 0000000000000086 R09: 0000000000000000 +[ 72.015799] R10: 00007ff74a691b58 R11: 0000000000000246 R12: 0000000000000355 +[ 72.015821] R13: 00000000ff00eb00 R14: 0000000000000a00 R15: 00007ff746082000 +[ 72.015857] ? trace_hardirqs_off_caller+0xfa/0x110 + +Signed-off-by: Maarten Lankhorst +Link: https://patchwork.freedesktop.org/patch/msgid/20171005141520.23990-1-maarten.lankhorst@linux.intel.com +[mlankhorst: s/crtc_state_is_legacy/&_gamma/ (danvet)] +Reviewed-by: Daniel Vetter +Fixes: 82cf435b3134 ("drm/i915: Implement color management on bdw/skl/bxt/kbl") +(cherry picked from commit 0c3767b28186c8129f2a2cfec06a93dcd6102391) +Signed-off-by: Rodrigo Vivi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_color.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_color.c ++++ b/drivers/gpu/drm/i915/intel_color.c +@@ -58,7 +58,7 @@ + #define I9XX_CSC_COEFF_1_0 \ + ((7 << 12) | I9XX_CSC_COEFF_FP(CTM_COEFF_1_0, 8)) + +-static bool crtc_state_is_legacy(struct drm_crtc_state *state) ++static bool crtc_state_is_legacy_gamma(struct drm_crtc_state *state) + { + return !state->degamma_lut && + !state->ctm && +@@ -245,7 +245,7 @@ static void cherryview_load_csc_matrix(s + } + + mode = (state->ctm ? CGM_PIPE_MODE_CSC : 0); +- if (!crtc_state_is_legacy(state)) { ++ if (!crtc_state_is_legacy_gamma(state)) { + mode |= (state->degamma_lut ? CGM_PIPE_MODE_DEGAMMA : 0) | + (state->gamma_lut ? 
CGM_PIPE_MODE_GAMMA : 0); + } +@@ -426,7 +426,7 @@ static void broadwell_load_luts(struct d + struct intel_crtc_state *intel_state = to_intel_crtc_state(state); + enum pipe pipe = to_intel_crtc(state->crtc)->pipe; + +- if (crtc_state_is_legacy(state)) { ++ if (crtc_state_is_legacy_gamma(state)) { + haswell_load_luts(state); + return; + } +@@ -486,7 +486,7 @@ static void glk_load_luts(struct drm_crt + + glk_load_degamma_lut(state); + +- if (crtc_state_is_legacy(state)) { ++ if (crtc_state_is_legacy_gamma(state)) { + haswell_load_luts(state); + return; + } +@@ -508,7 +508,7 @@ static void cherryview_load_luts(struct + uint32_t i, lut_size; + uint32_t word0, word1; + +- if (crtc_state_is_legacy(state)) { ++ if (crtc_state_is_legacy_gamma(state)) { + /* Turn off degamma/gamma on CGM block. */ + I915_WRITE(CGM_PIPE_MODE(pipe), + (state->ctm ? CGM_PIPE_MODE_CSC : 0)); +@@ -589,12 +589,10 @@ int intel_color_check(struct drm_crtc *c + return 0; + + /* +- * We also allow no degamma lut and a gamma lut at the legacy ++ * We also allow no degamma lut/ctm and a gamma lut at the legacy + * size (256 entries). + */ +- if (!crtc_state->degamma_lut && +- crtc_state->gamma_lut && +- crtc_state->gamma_lut->length == LEGACY_LUT_LENGTH) ++ if (crtc_state_is_legacy_gamma(crtc_state)) + return 0; + + return -EINVAL; diff --git a/queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch b/queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch new file mode 100644 index 00000000000..cbc56e47039 --- /dev/null +++ b/queue-4.13/fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch 
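Review bot: `crtc_state_is_legacy_gamma()` in intel_color.c is now the single predicate shared by `intel_color_check()` and the `*_load_luts()` commit paths, but nothing at its definition says the two sides have to agree. The KASAN report in the description suggests what a mismatch costs: a state that check accepted as legacy-sized was apparently loaded by `bdw_load_gamma_lut` as a full-size LUT, which read past the blob. A comment on the helper, such as `/* Shared by intel_color_check() and the LUT load paths; both must classify a state identically or the load path reads beyond the gamma blob. */`, would keep a later edit from splitting them again. Only the first two conditions of the helper are visible in this hunk.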
@@ -0,0 +1,46 @@
+From 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 Mon Sep 17 00:00:00 2001
+From: Vitaly Mayatskikh
+Date: Fri, 22 Sep 2017 01:18:39 -0400
+Subject: fix unbalanced page refcounting in bio_map_user_iov
+
+From: Vitaly Mayatskikh
+
+commit 95d78c28b5a85bacbc29b8dba7c04babb9b0d467 upstream.
+
+bio_map_user_iov and bio_unmap_user do unbalanced pages refcounting if
+IO vector has small consecutive buffers belonging to the same page.
+bio_add_pc_page merges them into one, but the page reference is never
+dropped.
+
+Signed-off-by: Vitaly Mayatskikh
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1379,6 +1379,7 @@ struct bio *bio_map_user_iov(struct requ
+ offset = offset_in_page(uaddr);
+ for (j = cur_page; j < page_limit; j++) {
+ unsigned int bytes = PAGE_SIZE - offset;
++ unsigned short prev_bi_vcnt = bio->bi_vcnt;
+
+ if (len <= 0)
+ break;
+@@ -1393,6 +1394,13 @@ struct bio *bio_map_user_iov(struct requ
+ bytes)
+ break;
+
++ /*
++ * check if vector was merged with previous
++ * drop page reference if needed
++ */
++ if (bio->bi_vcnt == prev_bi_vcnt)
++ put_page(pages[j]);
++
+ len -= bytes;
+ offset = 0;
+ }
diff --git a/queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch b/queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch
new file mode 100644
index 00000000000..86ee041e83c
--- /dev/null
+++ b/queue-4.13/genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch
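Review bot: The added `put_page(pages[j])` in the second bio.c hunk leaves `pages[j]` set, so this patch looks safe only together with more-bio_map_user_iov-leak-fixes.patch from the same queue. The `out_unmap` loop that the later patch removes walks `pages[]` and would put a merged page a second time. The description does not record that dependency, which matters if only one of the two is carried into another backport. The in-code comment could also state the rule rather than the action, for example `/* merged into the previous bvec: the bio holds one reference per bvec, so drop the extra one taken by get_user_pages_fast() */`. The function body continues outside both hunks.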
@@ -0,0 +1,66 @@ +From 60b09c51bb4fb46e2331fdbb39f91520f31d35f7 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Mon, 9 Oct 2017 12:47:24 +0200 +Subject: genirq/cpuhotplug: Add sanity check for effective affinity mask + +From: Thomas Gleixner + +commit 60b09c51bb4fb46e2331fdbb39f91520f31d35f7 upstream. + +The effective affinity mask handling has no safety net when the mask is not +updated by the interrupt chip or the mask contains offline CPUs. + +If that happens the CPU unplug code fails to migrate interrupts. + +Add sanity checks and emit a warning when the mask contains only offline +CPUs. + +Fixes: 415fcf1a2293 ("genirq/cpuhotplug: Use effective affinity mask") +Signed-off-by: Thomas Gleixner +Cc: Marc Zyngier +Cc: Christoph Hellwig +Link: http://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/cpuhotplug.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +--- a/kernel/irq/cpuhotplug.c ++++ b/kernel/irq/cpuhotplug.c +@@ -18,8 +18,34 @@ + static inline bool irq_needs_fixup(struct irq_data *d) + { + const struct cpumask *m = irq_data_get_effective_affinity_mask(d); ++ unsigned int cpu = smp_processor_id(); + +- return cpumask_test_cpu(smp_processor_id(), m); ++#ifdef CONFIG_GENERIC_IRQ_EFFECTIVE_AFF_MASK ++ /* ++ * The cpumask_empty() check is a workaround for interrupt chips, ++ * which do not implement effective affinity, but the architecture has ++ * enabled the config switch. Use the general affinity mask instead. ++ */ ++ if (cpumask_empty(m)) ++ m = irq_data_get_affinity_mask(d); ++ ++ /* ++ * Sanity check. If the mask is not empty when excluding the outgoing ++ * CPU then it must contain at least one online CPU. The outgoing CPU ++ * has been removed from the online mask already. 
++ */ ++ if (cpumask_any_but(m, cpu) < nr_cpu_ids && ++ cpumask_any_and(m, cpu_online_mask) >= nr_cpu_ids) { ++ /* ++ * If this happens then there was a missed IRQ fixup at some ++ * point. Warn about it and enforce fixup. ++ */ ++ pr_warn("Eff. affinity %*pbl of IRQ %u contains only offline CPUs after offlining CPU %u\n", ++ cpumask_pr_args(m), d->irq, cpu); ++ return true; ++ } ++#endif ++ return cpumask_test_cpu(cpu, m); + } + + static bool migrate_one_irq(struct irq_desc *desc) diff --git a/queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch b/queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch new file mode 100644 index 00000000000..ff4740a036d --- /dev/null +++ b/queue-4.13/genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch 
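Review bot: The new `pr_warn()` in `irq_needs_fixup()` has no rate limit and is reached once per interrupt for every CPU that goes offline, so a machine with many interrupts in this state could push other messages out of the log buffer during a hotplug sequence. The message is the only signal that a fixup was missed earlier, so it should stay. `pr_warn_ratelimited("Eff. affinity %*pbl of IRQ %u contains only offline CPUs after offlining CPU %u\n", cpumask_pr_args(m), d->irq, cpu);` would keep it while bounding the volume. How often the caller invokes this function is outside the hunk, so the real volume needs checking there.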
@@ -0,0 +1,158 @@ +From e43b3b58548051f8809391eb7bec7a27ed3003ea Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 4 Oct 2017 21:07:38 +0200 +Subject: genirq/cpuhotplug: Enforce affinity setting on startup of managed irqs + +From: Thomas Gleixner + +commit e43b3b58548051f8809391eb7bec7a27ed3003ea upstream. + +Managed interrupts can end up in a stale state on CPU hotplug. If the +interrupt is not targeting a single CPU, i.e. the affinity mask spawns +multiple CPUs then the following can happen: + +After boot: + +dstate: 0x01601200 + IRQD_ACTIVATED + IRQD_IRQ_STARTED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_SET + IRQD_AFFINITY_MANAGED +node: 0 +affinity: 24-31 +effectiv: 24 +pending: 0 + +After offlining CPU 31 - 24 + +dstate: 0x01a31000 + IRQD_IRQ_DISABLED + IRQD_IRQ_MASKED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_SET + IRQD_AFFINITY_MANAGED + IRQD_MANAGED_SHUTDOWN +node: 0 +affinity: 24-31 +effectiv: 24 +pending: 0 + +Now CPU 25 gets onlined again, so it should get the effective interrupt +affinity for this interruopt, but due to the x86 interrupt affinity setter +restrictions this ends up after restarting the interrupt with: + +dstate: 0x01601300 + IRQD_ACTIVATED + IRQD_IRQ_STARTED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_SET + IRQD_SETAFFINITY_PENDING + IRQD_AFFINITY_MANAGED +node: 0 +affinity: 24-31 +effectiv: 24 +pending: 24-31 + +So the interrupt is still affine to CPU 24, which was the last CPU to go +offline of that affinity set and the move to an online CPU within 24-31, +in this case 25, is pending. This mechanism is x86/ia64 specific as those +architectures cannot move interrupts from thread context and do this when +an interrupt is actually handled. So the move is set to pending. 
+ +Whats worse is that offlining CPU 25 again results in: + +dstate: 0x01601300 + IRQD_ACTIVATED + IRQD_IRQ_STARTED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_SET + IRQD_SETAFFINITY_PENDING + IRQD_AFFINITY_MANAGED +node: 0 +affinity: 24-31 +effectiv: 24 +pending: 24-31 + +This means the interrupt has not been shut down, because the outgoing CPU +is not in the effective affinity mask, but of course nothing notices that +the effective affinity mask is pointing at an offline CPU. + +In the case of restarting a managed interrupt the move restriction does not +apply, so the affinity setting can be made unconditional. This needs to be +done _before_ the interrupt is started up as otherwise the condition for +moving it from thread context would not longer be fulfilled. + +With that change applied onlining CPU 25 after offlining 31-24 results in: + +dstate: 0x01600200 + IRQD_ACTIVATED + IRQD_IRQ_STARTED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_MANAGED +node: 0 +affinity: 24-31 +effectiv: 25 +pending: + +And after offlining CPU 25: + +dstate: 0x01a30000 + IRQD_IRQ_DISABLED + IRQD_IRQ_MASKED + IRQD_SINGLE_TARGET + IRQD_AFFINITY_MANAGED + IRQD_MANAGED_SHUTDOWN +node: 0 +affinity: 24-31 +effectiv: 25 +pending: + +which is the correct and expected result. 
+ +Fixes: 761ea388e8c4 ("genirq: Handle managed irqs gracefully in irq_startup()") +Reported-by: YASUAKI ISHIMATSU +Signed-off-by: Thomas Gleixner +Cc: axboe@kernel.dk +Cc: linux-scsi@vger.kernel.org +Cc: Sumit Saxena +Cc: Marc Zyngier +Cc: mpe@ellerman.id.au +Cc: Shivasharan Srikanteshwara +Cc: Kashyap Desai +Cc: keith.busch@intel.com +Cc: peterz@infradead.org +Cc: Hannes Reinecke +Cc: Christoph Hellwig +Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1710042208400.2406@nanos +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/chip.c | 2 +- + kernel/irq/manage.c | 3 +++ + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/irq/chip.c ++++ b/kernel/irq/chip.c +@@ -265,8 +265,8 @@ int irq_startup(struct irq_desc *desc, b + irq_setup_affinity(desc); + break; + case IRQ_STARTUP_MANAGED: ++ irq_do_set_affinity(d, aff, false); + ret = __irq_startup(desc); +- irq_set_affinity_locked(d, aff, false); + break; + case IRQ_STARTUP_ABORT: + return 0; +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -175,6 +175,9 @@ int irq_do_set_affinity(struct irq_data + struct irq_chip *chip = irq_data_get_irq_chip(data); + int ret; + ++ if (!chip || !chip->irq_set_affinity) ++ return -EINVAL; ++ + ret = chip->irq_set_affinity(data, mask, force); + switch (ret) { + case IRQ_SET_MASK_OK: diff --git a/queue-4.13/more-bio_map_user_iov-leak-fixes.patch b/queue-4.13/more-bio_map_user_iov-leak-fixes.patch new file mode 100644 index 00000000000..21251b01d51 --- /dev/null +++ b/queue-4.13/more-bio_map_user_iov-leak-fixes.patch 
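Review bot: In the chip.c hunk the result of `irq_do_set_affinity(d, aff, false)` is discarded, while the manage.c hunk of the same patch gives that function a new `-EINVAL` return for a missing chip or `irq_set_affinity` callback. If the call fails, `__irq_startup()` still runs and the interrupt keeps the stale effective affinity that the description identifies as the bug, with nothing logged. Either say at the call site that failure is deliberately ignored (`/* best effort: a failure leaves the previous effective affinity in place */`) or surface it with `WARN_ON_ONCE(irq_do_set_affinity(d, aff, false) < 0);`. Both functions continue outside the hunks.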
@@ -0,0 +1,58 @@
+From 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 23 Sep 2017 15:51:23 -0400
+Subject: more bio_map_user_iov() leak fixes
+
+From: Al Viro
+
+commit 2b04e8f6bbb196cab4b232af0f8d48ff2c7a8058 upstream.
+
+we need to take care of failure exit as well - pages already
+in bio should be dropped by analogue of bio_unmap_pages(),
+since their refcounts had been bumped only once per reference
+in bio.
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/bio.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/block/bio.c
++++ b/block/bio.c
+@@ -1327,6 +1327,7 @@ struct bio *bio_map_user_iov(struct requ
+ int ret, offset;
+ struct iov_iter i;
+ struct iovec iov;
++ struct bio_vec *bvec;
+
+ iov_for_each(iov, i, *iter) {
+ unsigned long uaddr = (unsigned long) iov.iov_base;
+@@ -1371,7 +1372,12 @@ struct bio *bio_map_user_iov(struct requ
+ ret = get_user_pages_fast(uaddr, local_nr_pages,
+ (iter->type & WRITE) != WRITE,
+ &pages[cur_page]);
+- if (ret < local_nr_pages) {
++ if (unlikely(ret < local_nr_pages)) {
++ for (j = cur_page; j < page_limit; j++) {
++ if (!pages[j])
++ break;
++ put_page(pages[j]);
++ }
+ ret = -EFAULT;
+ goto out_unmap;
+ }
+@@ -1427,10 +1433,8 @@ struct bio *bio_map_user_iov(struct requ
+ return bio;
+
+ out_unmap:
+- for (j = 0; j < nr_pages; j++) {
+- if (!pages[j])
+- break;
+- put_page(pages[j]);
++ bio_for_each_segment_all(bvec, bio, j) {
++ put_page(bvec->bv_page);
+ }
+ out:
+ kfree(pages);
diff --git a/queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch b/queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch
new file mode 100644
index 00000000000..a306e00256b
--- /dev/null
+++ b/queue-4.13/pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch
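Review bot: The cleanup loop added after `get_user_pages_fast()` finds the pinned pages by scanning `pages[cur_page..page_limit)` up to the first NULL entry, which is only correct if `pages[]` was zero-filled when it was allocated; that allocation is outside the hunk. The call already reports how many pages it pinned, so the loop can be bounded by that count instead: `for (j = 0; j < ret; j++) put_page(pages[cur_page + j]);`. That form does nothing for a negative `ret` and does not depend on the array's initial contents. The declaration of `j` is outside the hunk, so its signedness needs checking before comparing it with `ret`.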
@@ -0,0 +1,46 @@
+From 407dae1e4415acde2d9f48bb76361893c4653756 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni
+Date: Mon, 9 Oct 2017 09:00:49 +0200
+Subject: PCI: aardvark: Move to struct pci_host_bridge IRQ mapping functions
+
+From: Thomas Petazzoni
+
+commit 407dae1e4415acde2d9f48bb76361893c4653756 upstream.
+
+struct pci_host_bridge gained hooks to map/swizzle IRQs, so that the IRQ
+mapping can be done automatically by PCI core code through the
+pci_assign_irq() function instead of resorting to arch-specific
+implementation callbacks to carry out the same task which force PCI host
+bridge drivers implementation to implement per-arch kludges to carry out a
+task that is inherently architecture agnostic.
+
+Commit 769b461fc0c0 ("arm64: PCI: Drop DT IRQ allocation from
+pcibios_alloc_irq()") was assuming all PCI host controller drivers had been
+converted to use ->map_irq(), but that wasn't the case: pci-aardvark had
+not been converted. Due to this, it broke the support for legacy PCI
+interrupts when using the pci-aardvark driver (used on Marvell Armada 3720
+platforms).
+
+In order to fix this, we make sure the ->map_irq and ->swizzle_irq fields
+of pci_host_bridge are properly filled in.
+
+Fixes: 769b461fc0c0 ("arm64: PCI: Drop DT IRQ allocation from pcibios_alloc_irq()")
+Signed-off-by: Thomas Petazzoni
+Signed-off-by: Bjorn Helgaas
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/host/pci-aardvark.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pci/host/pci-aardvark.c
++++ b/drivers/pci/host/pci-aardvark.c
+@@ -936,6 +936,8 @@ static int advk_pcie_probe(struct platfo
+ bridge->sysdata = pcie;
+ bridge->busnr = 0;
+ bridge->ops = &advk_pcie_ops;
++ bridge->map_irq = of_irq_parse_and_map_pci;
++ bridge->swizzle_irq = pci_common_swizzle;
+
+ ret = pci_scan_root_bus_bridge(bridge);
+ if (ret < 0) {
diff --git a/queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch b/queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch new file mode 100644 index 00000000000..4d76d227855 --- /dev/null +++ b/queue-4.13/perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch 
@@ -0,0 +1,57 @@ +From e9516c0813aeb89ebd19ec0ed39fbfcd78b6ef3a Mon Sep 17 00:00:00 2001 +From: Mark Santaniello +Date: Fri, 6 Oct 2017 01:07:22 -0700 +Subject: perf script: Add missing separator for "-F ip,brstack" (and brstackoff) + +From: Mark Santaniello + +commit e9516c0813aeb89ebd19ec0ed39fbfcd78b6ef3a upstream. + +Prior to commit 55b9b50811ca ("perf script: Support -F brstack,dso and +brstacksym,dso"), we were printing a space before the brstack data. It +seems that this space was important. Without it, parsing is difficult. + +Very sorry for the mistake. + +Notice here how the "ip" and "brstack" run together: + +$ perf script -F ip,brstack | head -n 1 + 22e18c40x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 + +After this diff, sanity is restored: + +$ perf script -F ip,brstack | head -n 1 + 22e18c4 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 0x22e195d/0x22e1990/P/-/-/0 0x22e18e9/0x22e1943/P/-/-/0 0x22e1a69/0x22e18c0/P/-/-/0 0x22e19f7/0x22e1a20/P/-/-/0 0x22e1910/0x22e19ee/P/-/-/0 0x22e19e2/0x22e190b/P/-/-/0 0x22e19a1/0x22e19d0/P/-/-/0 + +Signed-off-by: Mark Santaniello +Cc: Alexander Shishkin +Cc: Peter Zijlstra +Fixes: 55b9b50811ca ("perf script: Support -F brstack,dso and brstacksym,dso") +Link: http://lkml.kernel.org/r/20171006080722.3442046-1-marksan@fb.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + 
tools/perf/builtin-script.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/tools/perf/builtin-script.c ++++ b/tools/perf/builtin-script.c +@@ -578,7 +578,7 @@ static void print_sample_brstack(struct + thread__find_addr_map(thread, sample->cpumode, MAP__FUNCTION, to, &alt); + } + +- printf("0x%"PRIx64, from); ++ printf(" 0x%"PRIx64, from); + if (PRINT_FIELD(DSO)) { + printf("("); + map__fprintf_dsoname(alf.map, stdout); +@@ -673,7 +673,7 @@ static void print_sample_brstackoff(stru + if (alt.map && !alt.map->dso->adjust_symbols) + to = map__map_ip(alt.map, to); + +- printf("0x%"PRIx64, from); ++ printf(" 0x%"PRIx64, from); + if (PRINT_FIELD(DSO)) { + printf("("); + map__fprintf_dsoname(alf.map, stdout); diff --git a/queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch b/queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch new file mode 100644 index 00000000000..705b0a52ee6 --- /dev/null +++ b/queue-4.13/revert-pci-tegra-do-not-allocate-msi-target-memory.patch 
@@ -0,0 +1,89 @@ +From 8c2b4e3c3725801b57d7b858d216d38f83bdb35d Mon Sep 17 00:00:00 2001 +From: Thierry Reding +Date: Mon, 9 Oct 2017 12:29:35 +0200 +Subject: Revert "PCI: tegra: Do not allocate MSI target memory" + +From: Thierry Reding + +commit 8c2b4e3c3725801b57d7b858d216d38f83bdb35d upstream. + +This reverts commit d7bd554f27c942e6b8b54100b4044f9be1038edf. + +It turns out that Tegra20 has a bug in the implementation of the MSI +target address register (which is worked around by the existence of the +struct tegra_pcie_soc.msi_base_shift parameter) that restricts the MSI +target memory to the lower 32 bits of physical memory on that particular +generation. The offending patch causes a regression on TrimSlice, which +is a Tegra20-based device and has a PCI network interface card. + +An initial, simpler fix was to change the MSI target address for Tegra20 +only, but it was pointed out that the offending commit also prevents the +use of 32-bit only MSI capable devices, even on later chips. Technically +this was never guaranteed to work with the prior code in the first place +because the allocated page could have resided beyond the 4 GiB boundary, +but it is still possible that this could've introduced a regression. + +The proper fix that was settled on is to select a fixed address within +the lowest 32 bits of physical address space that is otherwise unused, +but testing of that patch has provided mixed results that are not fully +understood yet. + +Given all of the above and the relative urgency to get this fixed in +v4.13, revert the offending commit until a universal fix is found. 
+ +Fixes: d7bd554f27c9 ("PCI: tegra: Do not allocate MSI target memory") +Reported-by: Tomasz Maciej Nowak +Reported-by: Erik Faye-Lund +Signed-off-by: Thierry Reding +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/host/pci-tegra.c | 22 ++++++---------------- + 1 file changed, 6 insertions(+), 16 deletions(-) + +--- a/drivers/pci/host/pci-tegra.c ++++ b/drivers/pci/host/pci-tegra.c +@@ -233,6 +233,7 @@ struct tegra_msi { + struct msi_controller chip; + DECLARE_BITMAP(used, INT_PCI_MSI_NR); + struct irq_domain *domain; ++ unsigned long pages; + struct mutex lock; + u64 phys; + int irq; +@@ -1529,22 +1530,9 @@ static int tegra_pcie_enable_msi(struct + goto err; + } + +- /* +- * The PCI host bridge on Tegra contains some logic that intercepts +- * MSI writes, which means that the MSI target address doesn't have +- * to point to actual physical memory. Rather than allocating one 4 +- * KiB page of system memory that's never used, we can simply pick +- * an arbitrary address within an area reserved for system memory +- * in the FPCI address map. +- * +- * However, in order to avoid confusion, we pick an address that +- * doesn't map to physical memory. The FPCI address map reserves a +- * 1012 GiB region for system memory and memory-mapped I/O. Since +- * none of the Tegra SoCs that contain this PCI host bridge can +- * address more than 16 GiB of system memory, the last 4 KiB of +- * these 1012 GiB is a good candidate. +- */ +- msi->phys = 0xfcfffff000; ++ /* setup AFI/FPCI range */ ++ msi->pages = __get_free_pages(GFP_KERNEL, 0); ++ msi->phys = virt_to_phys((void *)msi->pages); + + afi_writel(pcie, msi->phys >> soc->msi_base_shift, AFI_MSI_FPCI_BAR_ST); + afi_writel(pcie, msi->phys, AFI_MSI_AXI_BAR_ST); +@@ -1596,6 +1584,8 @@ static int tegra_pcie_disable_msi(struct + afi_writel(pcie, 0, AFI_MSI_EN_VEC6); + afi_writel(pcie, 0, AFI_MSI_EN_VEC7); + ++ free_pages(msi->pages, 0); ++ + if (msi->irq > 0) + free_irq(msi->irq, pcie); + 
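Review bot: The restored `msi->pages = __get_free_pages(GFP_KERNEL, 0);` in `tegra_pcie_enable_msi()` is not checked, so a failed allocation leaves `msi->pages` at 0. The next line then programs `virt_to_phys((void *)0)` into `AFI_MSI_FPCI_BAR_ST` and `AFI_MSI_AXI_BAR_ST` as the MSI target address. A guard before the `virt_to_phys()` call, `if (!msi->pages) { err = -ENOMEM; goto err; }`, would fail the setup instead of continuing with an address the driver does not own. The `err` label is visible just above the change, but the name of the error variable and what that label unwinds are outside the hunk and need checking against the full function.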
diff --git a/queue-4.13/series b/queue-4.13/series index 85a11c0e021..1a31dd83450 100644 --- a/queue-4.13/series +++ b/queue-4.13/series 
@@ -19,3 +19,31 @@ revert-vmalloc-back-off-when-the-current-task-is-killed.patch fs-mpage.c-fix-mpage_writepage-for-pages-with-buffers.patch alsa-usb-audio-kill-stray-urb-at-exiting.patch alsa-seq-fix-use-after-free-at-creating-a-port.patch +alsa-seq-fix-copy_from_user-call-inside-lock.patch +alsa-caiaq-fix-stray-urb-at-probe-error-path.patch +alsa-line6-fix-null-dereference-at-podhd_disconnect.patch +alsa-line6-fix-missing-initialization-before-error-path.patch +alsa-line6-fix-leftover-urb-at-error-path-during-probe.patch +drm-atomic-unref-duplicated-drm_atomic_state-in-drm_atomic_helper_resume.patch +drm-i915-edp-get-the-panel-power-off-timestamp-after-panel-is-off.patch +drm-i915-read-timings-from-the-correct-transcoder-in-intel_crtc_mode_get.patch +drm-i915-bios-parse-ddi-ports-also-for-chv-for-hdmi-ddc-pin-and-dp-aux-channel.patch +drm-i915-use-crtc_state_is_legacy_gamma-in-intel_color_check.patch +usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch +usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch +pci-aardvark-move-to-struct-pci_host_bridge-irq-mapping-functions.patch +revert-pci-tegra-do-not-allocate-msi-target-memory.patch +direct-io-prevent-null-pointer-access-in-submit_page_section.patch +fix-unbalanced-page-refcounting-in-bio_map_user_iov.patch +more-bio_map_user_iov-leak-fixes.patch +bio_copy_user_iov-don-t-ignore-iov_offset.patch +perf-script-add-missing-separator-for-f-ip-brstack-and-brstackoff.patch +genirq-cpuhotplug-enforce-affinity-setting-on-startup-of-managed-irqs.patch +genirq-cpuhotplug-add-sanity-check-for-effective-affinity-mask.patch +usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch +usb-serial-cp210x-fix-partnum-regression.patch +usb-serial-cp210x-add-support-for-elv-tfd500.patch +usb-serial-option-add-support-for-tp-link-lte-module.patch +usb-serial-qcserial-add-dell-dw5818-dw5819.patch +usb-serial-console-fix-use-after-free-on-disconnect.patch 
+usb-serial-console-fix-use-after-free-after-failed-setup.patch diff --git a/queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch b/queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch new file mode 100644 index 00000000000..9bed11444ab --- /dev/null +++ b/queue-4.13/usb-gadget-composite-fix-use-after-free-in-usb_composite_overwrite_options.patch 
@@ -0,0 +1,58 @@ +From aec17e1e249567e82b26dafbb86de7d07fde8729 Mon Sep 17 00:00:00 2001 +From: Andrew Gabbasov +Date: Sat, 30 Sep 2017 08:55:55 -0700 +Subject: usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options + +From: Andrew Gabbasov + +commit aec17e1e249567e82b26dafbb86de7d07fde8729 upstream. + +KASAN enabled configuration reports an error + + BUG: KASAN: use-after-free in usb_composite_overwrite_options+... + [libcomposite] at addr ... + Read of size 1 by task ... + +when some driver is un-bound and then bound again. +For example, this happens with FunctionFS driver when "ffs-test" +test application is run several times in a row. + +If the driver has empty manufacturer ID string in initial static data, +it is then replaced with generated string. After driver unbinding +the generated string is freed, but the driver data still keep that +pointer. And if the driver is then bound again, that pointer +is re-used for string emptiness check. + +The fix is to clean up the driver string data upon its unbinding +to drop the pointer to freed memory. + +Fixes: cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string") +Signed-off-by: Andrew Gabbasov +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/composite.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -2026,6 +2026,8 @@ static DEVICE_ATTR_RO(suspended); + static void __composite_unbind(struct usb_gadget *gadget, bool unbind_driver) + { + struct usb_composite_dev *cdev = get_gadget_data(gadget); ++ struct usb_gadget_strings *gstr = cdev->driver->strings[0]; ++ struct usb_string *dev_str = gstr->strings; + + /* composite_disconnect() must already have been called + * by the underlying peripheral controller driver! 
+@@ -2045,6 +2047,9 @@ static void __composite_unbind(struct us + + composite_dev_cleanup(cdev); + ++ if (dev_str[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer) ++ dev_str[USB_GADGET_MANUFACTURER_IDX].s = ""; ++ + kfree(cdev->def_manufacturer); + kfree(cdev); + set_gadget_data(gadget, NULL); diff --git a/queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch b/queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch new file mode 100644 index 00000000000..d6590b2a845 --- /dev/null +++ b/queue-4.13/usb-gadget-configfs-fix-memory-leak-of-interface-directory-data.patch 
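Review bot: The two declarations added at the top of `__composite_unbind()` dereference `cdev->driver->strings[0]` and then `gstr->strings` unconditionally, before any of the function's other work. Whether every composite driver that reaches this path has a non-NULL `strings` array with a first table is not visible in the hunk. If that is guaranteed at registration, a comment saying so is enough; otherwise the reset needs a guard, `if (gstr && gstr->strings[USB_GADGET_MANUFACTURER_IDX].s == cdev->def_manufacturer)`, with `gstr` itself read only after checking `cdev->driver->strings`. The reset is correctly placed before `kfree(cdev->def_manufacturer)`, and a one-line comment there, `/* the driver's string table outlives cdev; do not leave it pointing at freed memory */`, would record why it exists.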
@@ -0,0 +1,141 @@
+From ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov
+Date: Sat, 30 Sep 2017 08:54:52 -0700
+Subject: usb: gadget: configfs: Fix memory leak of interface directory data
+
+From: Andrew Gabbasov
+
+commit ff74745e6d3d97a865eda8c1f3fd29c13b79f0cc upstream.
+
+Kmemleak checking configuration reports a memory leak in
+usb_os_desc_prepare_interf_dir function when rndis function
+instance is freed and then allocated again. For example, this
+happens with FunctionFS driver with RNDIS function enabled
+when "ffs-test" test application is run several times in a row.
+
+The data for intermediate "os_desc" group for interface directories
+is allocated as a single VLA chunk and (after a change of default
+groups handling) is not ever freed and actually not stored anywhere
+besides inside a list of default groups of a parent group.
+
+The fix is to make usb_os_desc_prepare_interf_dir function return
+a pointer to allocated data (as a pointer to the first VLA item)
+instead of (an unused) integer and to make the caller component
+(currently the only one is RNDIS function) responsible for storing
+the pointer and freeing the memory when appropriate.
+
+Fixes: 1ae1602de028 ("configfs: switch ->default groups to a linked list")
+Signed-off-by: Andrew Gabbasov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/gadget/configfs.c | 15 ++++++++-------
+ drivers/usb/gadget/configfs.h | 11 ++++++-----
+ drivers/usb/gadget/function/f_rndis.c | 12 ++++++++++--
+ drivers/usb/gadget/function/u_rndis.h | 1 +
+ 4 files changed, 25 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -1143,11 +1143,12 @@ static struct configfs_attribute *interf
+ NULL
+ };
+
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+- int n_interf,
+- struct usb_os_desc **desc,
+- char **names,
+- struct module *owner)
++struct config_group *usb_os_desc_prepare_interf_dir(
++ struct config_group *parent,
++ int n_interf,
++ struct usb_os_desc **desc,
++ char **names,
++ struct module *owner)
+ {
+ struct config_group *os_desc_group;
+ struct config_item_type *os_desc_type, *interface_type;
+@@ -1159,7 +1160,7 @@ int usb_os_desc_prepare_interf_dir(struc
+
+ char *vlabuf = kzalloc(vla_group_size(data_chunk), GFP_KERNEL);
+ if (!vlabuf)
+- return -ENOMEM;
++ return ERR_PTR(-ENOMEM);
+
+ os_desc_group = vla_ptr(vlabuf, data_chunk, os_desc_group);
+ os_desc_type = vla_ptr(vlabuf, data_chunk, os_desc_type);
+@@ -1184,7 +1185,7 @@ int usb_os_desc_prepare_interf_dir(struc
+ configfs_add_default_group(&d->group, os_desc_group);
+ }
+
+- return 0;
++ return os_desc_group;
+ }
+ EXPORT_SYMBOL(usb_os_desc_prepare_interf_dir);
+
+--- a/drivers/usb/gadget/configfs.h
++++ b/drivers/usb/gadget/configfs.h
+@@ -5,11 +5,12 @@
+
+ void unregister_gadget_item(struct config_item *item);
+
+-int usb_os_desc_prepare_interf_dir(struct config_group *parent,
+- int n_interf,
+- struct usb_os_desc **desc,
+- char **names,
+- struct module *owner);
++struct config_group *usb_os_desc_prepare_interf_dir(
++ struct config_group *parent,
++ int n_interf,
++ struct usb_os_desc **desc,
++ char **names,
++ struct module *owner);
+
+ static inline struct usb_os_desc *to_usb_os_desc(struct config_item *item)
+ {
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -892,6 +892,7 @@ static void rndis_free_inst(struct usb_f
+ free_netdev(opts->net);
+ }
+
++ kfree(opts->rndis_interf_group); /* single VLA chunk */
+ kfree(opts);
+ }
+
+@@ -900,6 +901,7 @@ static struct usb_function_instance *rnd
+ struct f_rndis_opts *opts;
+ struct usb_os_desc *descs[1];
+ char *names[1];
++ struct config_group *rndis_interf_group;
+
+ opts = kzalloc(sizeof(*opts), GFP_KERNEL);
+ if (!opts)
+@@ -920,8 +922,14 @@ static struct usb_function_instance *rnd
+ names[0] = "rndis";
+ config_group_init_type_name(&opts->func_inst.group, "",
+ &rndis_func_type);
+- usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
+- names, THIS_MODULE);
++ rndis_interf_group =
++ usb_os_desc_prepare_interf_dir(&opts->func_inst.group, 1, descs,
++ names, THIS_MODULE);
++ if (IS_ERR(rndis_interf_group)) {
++ rndis_free_inst(&opts->func_inst);
++ return ERR_CAST(rndis_interf_group);
++ }
++ opts->rndis_interf_group = rndis_interf_group;
+
+ return &opts->func_inst;
+ }
+--- a/drivers/usb/gadget/function/u_rndis.h
++++ b/drivers/usb/gadget/function/u_rndis.h
+@@ -26,6 +26,7 @@ struct f_rndis_opts {
+ bool bound;
+ bool borrowed_net;
+
++ struct config_group *rndis_interf_group;
+ struct usb_os_desc rndis_os_desc;
+ char rndis_ext_compat_id[16];
+
diff --git a/queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch b/queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch
new file mode 100644
index 00000000000..eb79e0a13e4
--- /dev/null
+++ b/queue-4.13/usb-serial-console-fix-use-after-free-after-failed-setup.patch
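Review bot: `kfree(opts->rndis_interf_group)` in `rndis_free_inst()` is only correct while `os_desc_group` is the first item laid out in the `vlabuf` chunk that `usb_os_desc_prepare_interf_dir()` allocates, and nothing on the allocator side records that. If the layout is ever reordered, the returned pointer stops being the allocation base and the free is passed an interior pointer. I would document the ownership contract at the prototype in configfs.h (the return value is the base of one kzalloc'd chunk, the caller must kfree() it once the groups are gone, and failure is reported as an ERR_PTR) and add `/* must stay the first vla item: callers kfree() this pointer */` above `return os_desc_group;`. The function bodies continue outside the hunks.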
@@ -0,0 +1,32 @@
+From 299d7572e46f98534033a9e65973f13ad1ce9047 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 4 Oct 2017 11:01:13 +0200
+Subject: USB: serial: console: fix use-after-free after failed setup
+
+From: Johan Hovold
+
+commit 299d7572e46f98534033a9e65973f13ad1ce9047 upstream.
+
+Make sure to reset the USB-console port pointer when console setup fails
+in order to avoid having the struct usb_serial be prematurely freed by
+the console code when the device is later disconnected.
+
+Fixes: 73e487fdb75f ("[PATCH] USB console: fix disconnection issues")
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/console.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -186,6 +186,7 @@ static int usb_console_setup(struct cons
+ tty_kref_put(tty);
+ reset_open_count:
+ port->port.count = 0;
++ info->port = NULL;
+ usb_autopm_put_interface(serial->interface);
+ error_get_interface:
+ usb_serial_put(serial);
diff --git a/queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch b/queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch
new file mode 100644
index 00000000000..fdacce59557
--- /dev/null
+++ b/queue-4.13/usb-serial-console-fix-use-after-free-on-disconnect.patch
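Review bot: The reset `info->port = NULL;` sits under `reset_open_count:`, so it runs only for failures that jump to that label or one above it; a jump straight to `error_get_interface:` skips it. That is fine if `info->port` is assigned only after the autopm reference is taken, which the hunk does not show and is worth confirming. A short comment would keep the intent visible, for example `/* disconnect matches on this pointer; clear it so a failed setup is not treated as an active console */`. The body of `usb_console_setup()` starts outside the hunk.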
@@ -0,0 +1,36 @@
+From bd998c2e0df0469707503023d50d46cf0b10c787 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 4 Oct 2017 11:01:12 +0200
+Subject: USB: serial: console: fix use-after-free on disconnect
+
+From: Johan Hovold
+
+commit bd998c2e0df0469707503023d50d46cf0b10c787 upstream.
+
+A clean-up patch removing two redundant NULL-checks from the console
+disconnect handler inadvertently also removed a third check. This could
+lead to the struct usb_serial being prematurely freed by the console
+code when a driver accepts but does not register any ports for an
+interface which also lacks endpoint descriptors.
+
+Fixes: 0e517c93dc02 ("USB: serial: console: clean up sanity checks")
+Reported-by: Andrey Konovalov
+Acked-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -265,7 +265,7 @@ static struct console usbcons = {
+
+ void usb_serial_console_disconnect(struct usb_serial *serial)
+ {
+- if (serial->port[0] == usbcons_info.port) {
++ if (serial->port[0] && serial->port[0] == usbcons_info.port) {
+ usb_serial_console_exit();
+ usb_serial_put(serial);
+ }
diff --git a/queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch b/queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch
new file mode 100644
index 00000000000..94c03ffda0d
--- /dev/null
+++ b/queue-4.13/usb-serial-cp210x-add-support-for-elv-tfd500.patch
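Review bot: The restored `serial->port[0] &&` test in `usb_serial_console_disconnect()` carries no comment, and the commit message says an earlier clean-up removed exactly this check while dropping redundant NULL tests. Without it, a device with no registered ports compares NULL against an unset `usbcons_info.port`, takes the branch and calls `usb_serial_put(serial)` for a reference the console never took. I would add `/* port[0] is NULL when no ports were registered; NULL must not match an unset console port */` above the condition so the check survives the next tidy-up.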
@@ -0,0 +1,29 @@
+From c496ad835c31ad639b6865714270b3003df031f6 Mon Sep 17 00:00:00 2001
+From: Andreas Engel
+Date: Mon, 18 Sep 2017 21:11:57 +0200
+Subject: USB: serial: cp210x: add support for ELV TFD500
+
+From: Andreas Engel
+
+commit c496ad835c31ad639b6865714270b3003df031f6 upstream.
+
+Add the USB device id for the ELV TFD500 data logger.
+
+Signed-off-by: Andreas Engel
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -177,6 +177,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1843, 0x0200) }, /* Vaisala USB Instrument Cable */
+ { USB_DEVICE(0x18EF, 0xE00F) }, /* ELV USB-I2C-Interface */
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
++ { USB_DEVICE(0x18EF, 0xE032) }, /* ELV TFD500 Data Logger */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
diff --git a/queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch b/queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch
new file mode 100644
index 00000000000..fda5ad966af
--- /dev/null
+++ b/queue-4.13/usb-serial-cp210x-fix-partnum-regression.patch
@@ -0,0 +1,64 @@
+From 7eac35ea29dc54cbc8399de84c9bf16553575b89 Mon Sep 17 00:00:00 2001
+From: Sebastian Frei
+Date: Tue, 12 Sep 2017 09:50:59 +0200
+Subject: USB: serial: cp210x: fix partnum regression
+
+From: Sebastian Frei
+
+commit 7eac35ea29dc54cbc8399de84c9bf16553575b89 upstream.
+
+When adding GPIO support for the cp2105, the mentioned commit by Martyn
+Welch introduced a query for the part number of the chip. Unfortunately
+the driver aborts probing when this query fails, so currently the driver
+can not be used with chips not supporting this query.
+I have a data cable for Siemens mobile phones (ID 10ab:10c5) where this
+is the case.
+With this patch the driver can be bound even if the part number can not
+be queried.
+
+Fixes: cf5276ce7867 ("USB: serial: cp210x: Adding GPIO support for CP2105")
+Signed-off-by: Sebastian Frei
+[ johan: amend commit message; shorten error message and demote to
+ warning; drop unnecessary move of usb_set_serial_data() ]
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -352,6 +352,7 @@ static struct usb_serial_driver * const
+ #define CP210X_PARTNUM_CP2104 0x04
+ #define CP210X_PARTNUM_CP2105 0x05
+ #define CP210X_PARTNUM_CP2108 0x08
++#define CP210X_PARTNUM_UNKNOWN 0xFF
+
+ /* CP210X_GET_COMM_STATUS returns these 0x13 bytes */
+ struct cp210x_comm_status {
+@@ -1491,8 +1492,11 @@ static int cp210x_attach(struct usb_seri
+ result = cp210x_read_vendor_block(serial, REQTYPE_DEVICE_TO_HOST,
+ CP210X_GET_PARTNUM, &priv->partnum,
+ sizeof(priv->partnum));
+- if (result < 0)
+- goto err_free_priv;
++ if (result < 0) {
++ dev_warn(&serial->interface->dev,
++ "querying part number failed\n");
++ priv->partnum = CP210X_PARTNUM_UNKNOWN;
++ }
+
+ usb_set_serial_data(serial, priv);
+
+@@ -1505,10 +1509,6 @@ static int cp210x_attach(struct usb_seri
+ }
+
+ return 0;
+-err_free_priv:
+- kfree(priv);
+-
+- return result;
+ }
+
+ static void cp210x_disconnect(struct usb_serial *serial)
diff --git a/queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch b/queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
new file mode 100644
index 00000000000..f52b9b58146
--- /dev/null
+++ b/queue-4.13/usb-serial-ftdi_sio-add-id-for-cypress-wiced-dev-board.patch
@@ -0,0 +1,48 @@
+From a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 Mon Sep 17 00:00:00 2001
+From: Jeffrey Chu
+Date: Fri, 8 Sep 2017 21:08:58 +0000
+Subject: USB: serial: ftdi_sio: add id for Cypress WICED dev board
+
+From: Jeffrey Chu
+
+commit a6c215e21b0dc5fe9416dce90f9acc2ea53c4502 upstream.
+
+Add CYPRESS_VID vid and CYPRESS_WICED_BT_USB and CYPRESS_WICED_WL_USB
+device IDs to ftdi_sio driver.
+
+Signed-off-by: Jeffrey Chu
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 ++
+ drivers/usb/serial/ftdi_sio_ids.h | 7 +++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1015,6 +1015,8 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(WICED_VID, WICED_USB20706V2_PID) },
+ { USB_DEVICE(TI_VID, TI_CC3200_LAUNCHPAD_PID),
+ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
++ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_BT_USB_PID) },
++ { USB_DEVICE(CYPRESS_VID, CYPRESS_WICED_WL_USB_PID) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -610,6 +610,13 @@
+ #define ADI_GNICEPLUS_PID 0xF001
+
+ /*
++ * Cypress WICED USB UART
++ */
++#define CYPRESS_VID 0x04B4
++#define CYPRESS_WICED_BT_USB_PID 0x009B
++#define CYPRESS_WICED_WL_USB_PID 0xF900
++
++/*
+ * Microchip Technology, Inc.
+ *
+ * MICROCHIP_VID (0x04D8) and MICROCHIP_USB_BOARD_PID (0x000A) are
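Review bot: In the cp210x partnum patch, the new `dev_warn()` in `cp210x_attach()` discards `result`, so the log cannot tell a device that rejects the request from a transfer error; `dev_warn(&serial->interface->dev, "querying part number failed: %d\n", result);` keeps that information. `CP210X_PARTNUM_UNKNOWN` (0xFF) also shares its value space with the byte the device itself writes into `priv->partnum`, so any code branching on the part number should treat 0xFF as "no optional features" rather than as proof that the query failed. I would say so in a comment on the `#define`, e.g. `/* query failed or unsupported; device-reported 0xFF is handled the same way */`. The consumers of `partnum` and the rest of `cp210x_attach()` are outside the hunks.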
diff --git a/queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch b/queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch
new file mode 100644
index 00000000000..6eca33d637d
--- /dev/null
+++ b/queue-4.13/usb-serial-option-add-support-for-tp-link-lte-module.patch
@@ -0,0 +1,38 @@
+From 837ddc4793a69b256ac5e781a5e729b448a8d983 Mon Sep 17 00:00:00 2001
+From: Henryk Heisig
+Date: Mon, 11 Sep 2017 17:57:34 +0200
+Subject: USB: serial: option: add support for TP-Link LTE module
+
+From: Henryk Heisig
+
+commit 837ddc4793a69b256ac5e781a5e729b448a8d983 upstream.
+
+This commit adds support for TP-Link LTE mPCIe module is used
+in in TP-Link MR200v1, MR6400v1 and v2 routers.
+
+Signed-off-by: Henryk Heisig
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -522,6 +522,7 @@ static void option_instat_callback(struc
+
+ /* TP-LINK Incorporated products */
+ #define TPLINK_VENDOR_ID 0x2357
++#define TPLINK_PRODUCT_LTE 0x000D
+ #define TPLINK_PRODUCT_MA180 0x0201
+
+ /* Changhong products */
+@@ -2011,6 +2012,7 @@ static const struct usb_device_id option
+ { USB_DEVICE(CELLIENT_VENDOR_ID, CELLIENT_PRODUCT_MEN200) },
+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600A) },
+ { USB_DEVICE(PETATEL_VENDOR_ID, PETATEL_PRODUCT_NP10T_600E) },
++ { USB_DEVICE_AND_INTERFACE_INFO(TPLINK_VENDOR_ID, TPLINK_PRODUCT_LTE, 0xff, 0x00, 0x00) }, /* TP-Link LTE Module */
+ { USB_DEVICE(TPLINK_VENDOR_ID, TPLINK_PRODUCT_MA180),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(TPLINK_VENDOR_ID, 0x9000), /* TP-Link MA260 */
diff --git a/queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch b/queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
new file mode 100644
index 00000000000..a991b0a0eca
--- /dev/null
+++ b/queue-4.13/usb-serial-qcserial-add-dell-dw5818-dw5819.patch
@@ -0,0 +1,34 @@
+From f5d9644c5fca7d8e8972268598bb516a7eae17f9 Mon Sep 17 00:00:00 2001
+From: Shrirang Bagul
+Date: Fri, 29 Sep 2017 12:39:51 +0800
+Subject: USB: serial: qcserial: add Dell DW5818, DW5819
+
+From: Shrirang Bagul
+
+commit f5d9644c5fca7d8e8972268598bb516a7eae17f9 upstream.
+
+Dell Wireless 5819/5818 devices are re-branded Sierra Wireless MC74
+series which will by default boot with vid 0x413c and pid's 0x81cf,
+0x81d0, 0x81d1, 0x81d2.
+
+Signed-off-by: Shrirang Bagul
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/qcserial.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -174,6 +174,10 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
+ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
+ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
++ {DEVICE_SWI(0x413c, 0x81cf)}, /* Dell Wireless 5819 */
++ {DEVICE_SWI(0x413c, 0x81d0)}, /* Dell Wireless 5819 */
++ {DEVICE_SWI(0x413c, 0x81d1)}, /* Dell Wireless 5818 */
++ {DEVICE_SWI(0x413c, 0x81d2)}, /* Dell Wireless 5818 */
+
+ /* Huawei devices */
+ {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */