From: Greg Kroah-Hartman Date: Thu, 7 Dec 2017 12:23:34 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.87~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2399fc9f23ce1c64b5d492265227525903b9290;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: staging-ccree-fix-leak-of-import-after-init.patch usb-core-add-type-specific-length-check-of-bos-descriptors.patch usb-host-fix-incorrect-updating-of-offset.patch usb-hub-cycle-hub-power-when-initialization-fails.patch usb-ulpi-fix-bus-node-lookup.patch usb-usbfs-filter-flags-passed-in-from-user-space.patch usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
---
diff --git a/queue-4.14/series b/queue-4.14/series
index 020e67dca59..57c2c1a0690 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -65,3 +65,11 @@ locking-refcounts-x86-asm-enable-config_arch_has_refcount.patch
 powerpc-jprobes-disable-preemption-when-triggered-through-ftrace.patch
 powerpc-kprobes-disable-preemption-before-invoking-probe-handler-for-optprobes.patch
 dma-buf-sw_sync-force-signal-all-unsignaled-fences-on-dying-timeline.patch
+staging-ccree-fix-leak-of-import-after-init.patch
+usb-hub-cycle-hub-power-when-initialization-fails.patch
+usb-ulpi-fix-bus-node-lookup.patch
+xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
+usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
+usb-core-add-type-specific-length-check-of-bos-descriptors.patch
+usb-usbfs-filter-flags-passed-in-from-user-space.patch
+usb-host-fix-incorrect-updating-of-offset.patch
diff --git a/queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch b/queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch
new file mode 100644
index 00000000000..86282ee39b8
--- /dev/null
+++ b/queue-4.14/staging-ccree-fix-leak-of-import-after-init.patch
@@ -0,0 +1,45 @@
+From c5f39d07860c35e5e4c63188139465af790f86ce Mon Sep 17 00:00:00 2001
+From: Gilad Ben-Yossef
+Date: Thu, 9 Nov 2017 09:16:09 +0000
+Subject: staging: ccree: fix leak of import() after init()
+
+From: Gilad Ben-Yossef
+
+commit c5f39d07860c35e5e4c63188139465af790f86ce upstream.
+
+crypto_ahash_import() may be called either after
+crypto_ahash_init() or without such call. Right now
+we always internally call init() as part of
+import(), thus leaking memory and mappings if the
+user has already called init() herself.
+
+Fix this by only calling init() internally if the
+state is not already initialized.
+
+Fixes: commit 454527d0d94f ("staging: ccree: fix hash import/export")
+Signed-off-by: Gilad Ben-Yossef
+Reviewed-by: Dan Carpenter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/ccree/ssi_hash.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/ccree/ssi_hash.c
++++ b/drivers/staging/ccree/ssi_hash.c
+@@ -1790,9 +1790,12 @@ static int ssi_ahash_import(struct ahash
+ }
+ in += sizeof(u32);
+
+- rc = ssi_hash_init(state, ctx);
+- if (rc)
+- goto out;
++ /* call init() to allocate bufs if the user hasn't */
++ if (!state->digest_buff) {
++ rc = ssi_hash_init(state, ctx);
++ if (rc)
++ goto out;
++ }
+
+ dma_sync_single_for_cpu(dev, state->digest_buff_dma_addr,
+ ctx->inter_digestsize, DMA_BIDIRECTIONAL);
diff --git a/queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch b/queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch
new file mode 100644
index 00000000000..5356b52c099
--- /dev/null
+++ b/queue-4.14/usb-core-add-type-specific-length-check-of-bos-descriptors.patch
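Review bot: The new `if (!state->digest_buff)` guard in ssi_ahash_import() treats a NULL pointer as "init() has not been called", but nothing in the hunk shows that the request state is zeroed when import() is the first call made on it. If that memory can hold stale data, the guard would skip ssi_hash_init() and the dma_sync_single_for_cpu() call directly below would run on a stale `digest_buff_dma_addr`. This should be confirmed against the callers (the function body starts and ends outside the hunk), and the assumption belongs in the comment, e.g. `/* state must be zeroed when init() was not called; a non-NULL digest_buff means init() already ran */`.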
@@ -0,0 +1,109 @@
+From 81cf4a45360f70528f1f64ba018d61cb5767249a Mon Sep 17 00:00:00 2001
+From: Masakazu Mokuno
+Date: Fri, 10 Nov 2017 01:25:50 +0900
+Subject: USB: core: Add type-specific length check of BOS descriptors
+
+From: Masakazu Mokuno
+
+commit 81cf4a45360f70528f1f64ba018d61cb5767249a upstream.
+
+As most of BOS descriptors are longer in length than their header
+'struct usb_dev_cap_header', comparing solely with it is not sufficient
+to avoid out-of-bounds access to BOS descriptors.
+
+This patch adds descriptor type specific length check in
+usb_get_bos_descriptor() to fix the issue.
+
+Signed-off-by: Masakazu Mokuno
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/config.c | 28 ++++++++++++++++++++++++----
+ include/uapi/linux/usb/ch9.h | 3 +++
+ 2 files changed, 27 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -905,14 +905,25 @@ void usb_release_bos_descriptor(struct u
+ }
+ }
+
++static const __u8 bos_desc_len[256] = {
++ [USB_CAP_TYPE_WIRELESS_USB] = USB_DT_USB_WIRELESS_CAP_SIZE,
++ [USB_CAP_TYPE_EXT] = USB_DT_USB_EXT_CAP_SIZE,
++ [USB_SS_CAP_TYPE] = USB_DT_USB_SS_CAP_SIZE,
++ [USB_SSP_CAP_TYPE] = USB_DT_USB_SSP_CAP_SIZE(1),
++ [CONTAINER_ID_TYPE] = USB_DT_USB_SS_CONTN_ID_SIZE,
++ [USB_PTM_CAP_TYPE] = USB_DT_USB_PTM_ID_SIZE,
++};
++
+ /* Get BOS descriptor set */
+ int usb_get_bos_descriptor(struct usb_device *dev)
+ {
+ struct device *ddev = &dev->dev;
+ struct usb_bos_descriptor *bos;
+ struct usb_dev_cap_header *cap;
++ struct usb_ssp_cap_descriptor *ssp_cap;
+ unsigned char *buffer;
+- int length, total_len, num, i;
++ int length, total_len, num, i, ssac;
++ __u8 cap_type;
+ int ret;
+
+ bos = kzalloc(sizeof(struct usb_bos_descriptor), GFP_KERNEL);
+@@ -965,7 +976,13 @@ int usb_get_bos_descriptor(struct usb_de
+ dev->bos->desc->bNumDeviceCaps = i;
+ break;
+ }
++ cap_type = cap->bDevCapabilityType;
+ length = cap->bLength;
++ if (bos_desc_len[cap_type] && length < bos_desc_len[cap_type]) {
++ dev->bos->desc->bNumDeviceCaps = i;
++ break;
++ }
++
+ total_len -= length;
+
+ if (cap->bDescriptorType != USB_DT_DEVICE_CAPABILITY) {
+@@ -973,7 +990,7 @@ int usb_get_bos_descriptor(struct usb_de
+ continue;
+ }
+
+- switch (cap->bDevCapabilityType) {
++ switch (cap_type) {
+ case USB_CAP_TYPE_WIRELESS_USB:
+ /* Wireless USB cap descriptor is handled by wusb */
+ break;
+@@ -986,8 +1003,11 @@ int usb_get_bos_descriptor(struct usb_de
+ (struct usb_ss_cap_descriptor *)buffer;
+ break;
+ case USB_SSP_CAP_TYPE:
+- dev->bos->ssp_cap =
+- (struct usb_ssp_cap_descriptor *)buffer;
++ ssp_cap = (struct usb_ssp_cap_descriptor *)buffer;
++ ssac = (le32_to_cpu(ssp_cap->bmAttributes) &
++ USB_SSP_SUBLINK_SPEED_ATTRIBS) + 1;
++ if (length >= USB_DT_USB_SSP_CAP_SIZE(ssac))
++ dev->bos->ssp_cap = ssp_cap;
+ break;
+ case CONTAINER_ID_TYPE:
+ dev->bos->ss_id =
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -876,6 +876,8 @@ struct usb_wireless_cap_descriptor { /*
+ __u8 bReserved;
+ } __attribute__((packed));
+
++#define USB_DT_USB_WIRELESS_CAP_SIZE 11
++
+ /* USB 2.0 Extension descriptor */
+ #define USB_CAP_TYPE_EXT 2
+
+@@ -1068,6 +1070,7 @@ struct usb_ptm_cap_descriptor {
+ __u8 bDevCapabilityType;
+ } __attribute__((packed));
+
++#define USB_DT_USB_PTM_ID_SIZE 3
+ /*
+ * The size of the descriptor for the Sublink Speed Attribute Count
+ * (SSAC) specified in bmAttributes[4:0].
diff --git a/queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch b/queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch
new file mode 100644
index 00000000000..9820af70a13
--- /dev/null
+++ b/queue-4.14/usb-host-fix-incorrect-updating-of-offset.patch
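Review bot: The `bos_desc_len[256]` table added to drivers/usb/core/config.c has no comment saying what a zero entry means, yet the check `bos_desc_len[cap_type] && length < bos_desc_len[cap_type]` depends on it: capability types without an entry are still validated only against the header size. A comment above the table such as `/* minimum bLength per bDevCapabilityType; 0 = no type-specific minimum enforced */` would make that explicit for anyone who later adds a `case` that casts `buffer` to a larger struct. The same comment could mention that the check runs before the `bDescriptorType != USB_DT_DEVICE_CAPABILITY` test, so a descriptor that is not a device capability is measured against a capability size as well. In the SSP case a descriptor too short for its SSAC leaves `dev->bos->ssp_cap` unset without any log line, which is the safe outcome but hard to diagnose from the field.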
@@ -0,0 +1,37 @@
+From 1d5a31582ef046d3b233f0da1a68ae26519b2f0a Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Tue, 7 Nov 2017 16:45:04 +0000
+Subject: usb: host: fix incorrect updating of offset
+
+From: Colin Ian King
+
+commit 1d5a31582ef046d3b233f0da1a68ae26519b2f0a upstream.
+
+The variable temp is incorrectly being updated, instead it should
+be offset otherwise the loop just reads the same capability value
+and loops forever. Thanks to Alan Stern for pointing out the
+correct fix to my original fix. Fix also cleans up clang warning:
+
+drivers/usb/host/ehci-dbg.c:840:4: warning: Value stored to 'temp'
+is never read
+
+Fixes: d49d43174400 ("USB: misc ehci updates")
+Signed-off-by: Colin Ian King
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ehci-dbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ehci-dbg.c
++++ b/drivers/usb/host/ehci-dbg.c
+@@ -837,7 +837,7 @@ static ssize_t fill_registers_buffer(str
+ default: /* unknown */
+ break;
+ }
+- temp = (cap >> 8) & 0xff;
++ offset = (cap >> 8) & 0xff;
+ }
+ }
+ #endif
diff --git a/queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch b/queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch
new file mode 100644
index 00000000000..19efc7c9a77
--- /dev/null
+++ b/queue-4.14/usb-hub-cycle-hub-power-when-initialization-fails.patch
@@ -0,0 +1,57 @@
+From 973593a960ddac0f14f0d8877d2d0abe0afda795 Mon Sep 17 00:00:00 2001
+From: Mike Looijmans
+Date: Thu, 9 Nov 2017 13:16:46 +0100
+Subject: usb: hub: Cycle HUB power when initialization fails
+
+From: Mike Looijmans
+
+commit 973593a960ddac0f14f0d8877d2d0abe0afda795 upstream.
+
+Sometimes the USB device gets confused about the state of the initialization and
+the connection fails. In particular, the device thinks that it's already set up
+and running while the host thinks the device still needs to be configured. To
+work around this issue, power-cycle the hub's output to issue a sort of "reset"
+to the device. This makes the device restart its state machine and then the
+initialization succeeds.
+
+This fixes problems where the kernel reports a list of errors like this:
+
+usb 1-1.3: device not accepting address 19, error -71
+
+The end result is a non-functioning device. After this patch, the sequence
+becomes like this:
+
+usb 1-1.3: new high-speed USB device number 18 using ci_hdrc
+usb 1-1.3: device not accepting address 18, error -71
+usb 1-1.3: new high-speed USB device number 19 using ci_hdrc
+usb 1-1.3: device not accepting address 19, error -71
+usb 1-1-port3: attempt power cycle
+usb 1-1.3: new high-speed USB device number 21 using ci_hdrc
+usb-storage 1-1.3:1.2: USB Mass Storage device detected
+
+Signed-off-by: Mike Looijmans
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4935,6 +4935,15 @@ loop:
+ usb_put_dev(udev);
+ if ((status == -ENOTCONN) || (status == -ENOTSUPP))
+ break;
++
++ /* When halfway through our retry count, power-cycle the port */
++ if (i == (SET_CONFIG_TRIES / 2) - 1) {
++ dev_info(&port_dev->dev, "attempt power cycle\n");
++ usb_hub_set_port_power(hdev, hub, port1, false);
++ msleep(2 * hub_power_on_good_delay(hub));
++ usb_hub_set_port_power(hdev, hub, port1, true);
++ msleep(hub_power_on_good_delay(hub));
++ }
+ }
+ if (hub->hdev->parent ||
+ !hcd->driver->port_handed_over ||
diff --git a/queue-4.14/usb-ulpi-fix-bus-node-lookup.patch b/queue-4.14/usb-ulpi-fix-bus-node-lookup.patch
new file mode 100644
index 00000000000..f95e2357337
--- /dev/null
+++ b/queue-4.14/usb-ulpi-fix-bus-node-lookup.patch
@@ -0,0 +1,40 @@
+From 33c309ebc797b908029fd3a0851aefe697e9b598 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Sat, 11 Nov 2017 16:31:18 +0100
+Subject: USB: ulpi: fix bus-node lookup
+
+From: Johan Hovold
+
+commit 33c309ebc797b908029fd3a0851aefe697e9b598 upstream.
+
+Fix bus-node lookup during registration, which ended up searching the whole
+device tree depth-first starting at the parent (or grand parent) rather
+than just matching on its children.
+
+To make things worse, the parent (or grand-parent) node could end being
+prematurely freed as well.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Reported-by: Peter Robinson
+Reported-by: Stephen Boyd
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/common/ulpi.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -183,9 +183,9 @@ static int ulpi_of_register(struct ulpi
+ /* Find a ulpi bus underneath the parent or the grandparent */
+ parent = ulpi->dev.parent;
+ if (parent->of_node)
+- np = of_find_node_by_name(parent->of_node, "ulpi");
++ np = of_get_child_by_name(parent->of_node, "ulpi");
+ else if (parent->parent && parent->parent->of_node)
+- np = of_find_node_by_name(parent->parent->of_node, "ulpi");
++ np = of_get_child_by_name(parent->parent->of_node, "ulpi");
+ if (!np)
+ return 0;
+
diff --git a/queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch b/queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch
new file mode 100644
index 00000000000..4c93470a0c9
--- /dev/null
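Review bot: Both `usb_hub_set_port_power()` calls in the power-cycle block added to drivers/usb/core/hub.c ignore the return value, so if the power-off succeeds and the power-on request fails, the port stays unpowered and the remaining retries run against a dead port with nothing in the log to explain it. Checking the second call and logging the failure would make that diagnosable, e.g. `if (usb_hub_set_port_power(hdev, hub, port1, true)) dev_warn(&port_dev->dev, "power-on after cycle failed\n");`. The enclosing retry loop starts and ends outside the hunk, so whether a lock is held across the two `msleep()` calls cannot be judged from here.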
+++ b/queue-4.14/usb-usbfs-filter-flags-passed-in-from-user-space.patch
@@ -0,0 +1,47 @@
+From 446f666da9f019ce2ffd03800995487e79a91462 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 23 Nov 2017 16:39:52 +0100
+Subject: USB: usbfs: Filter flags passed in from user space
+
+From: Oliver Neukum
+
+commit 446f666da9f019ce2ffd03800995487e79a91462 upstream.
+
+USBDEVFS_URB_ISO_ASAP must be accepted only for ISO endpoints.
+Improve sanity checking.
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Oliver Neukum
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/devio.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1455,14 +1455,18 @@ static int proc_do_submiturb(struct usb_
+ int number_of_packets = 0;
+ unsigned int stream_id = 0;
+ void *buf;
+-
+- if (uurb->flags & ~(USBDEVFS_URB_ISO_ASAP |
+- USBDEVFS_URB_SHORT_NOT_OK |
++ unsigned long mask = USBDEVFS_URB_SHORT_NOT_OK |
+ USBDEVFS_URB_BULK_CONTINUATION |
+ USBDEVFS_URB_NO_FSBR |
+ USBDEVFS_URB_ZERO_PACKET |
+- USBDEVFS_URB_NO_INTERRUPT))
+- return -EINVAL;
++ USBDEVFS_URB_NO_INTERRUPT;
++ /* USBDEVFS_URB_ISO_ASAP is a special case */
++ if (uurb->type == USBDEVFS_URB_TYPE_ISO)
++ mask |= USBDEVFS_URB_ISO_ASAP;
++
++ if (uurb->flags & ~mask)
++ return -EINVAL;
++
+ if ((unsigned int)uurb->buffer_length >= USBFS_XFER_MAX)
+ return -EINVAL;
+ if (uurb->buffer_length > 0 && !uurb->buffer)
diff --git a/queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch b/queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
new file mode 100644
index 00000000000..9fdf0d0cccb
--- /dev/null
+++ b/queue-4.14/usb-xhci-fix-panic-in-xhci_free_virt_devices_depth_first.patch
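Review bot: In proc_do_submiturb() only USBDEVFS_URB_ISO_ASAP is made type-specific, and the type it is keyed on, `uurb->type`, comes from user space just as `uurb->flags` does; USBDEVFS_URB_BULK_CONTINUATION and USBDEVFS_URB_ZERO_PACKET are still accepted for every URB type. Whether those two can reach the URB for non-bulk transfers is decided later in the function, outside the hunk, so that should be confirmed there; if they can, the same pattern applies, e.g. `if (uurb->type == USBDEVFS_URB_TYPE_BULK) mask |= USBDEVFS_URB_BULK_CONTINUATION | USBDEVFS_URB_ZERO_PACKET;` with both dropped from the initial mask. The comment `/* USBDEVFS_URB_ISO_ASAP is a special case */` would also be more useful if it said why, for instance `/* ISO_ASAP is only meaningful for isochronous URBs; reject it for other types */`.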
@@ -0,0 +1,72 @@
+From 80e457699a8dbdd70f2d26911e46f538645c55fc Mon Sep 17 00:00:00 2001
+From: Yu Chen
+Date: Fri, 1 Dec 2017 13:41:20 +0200
+Subject: usb: xhci: fix panic in xhci_free_virt_devices_depth_first
+
+From: Yu Chen
+
+commit 80e457699a8dbdd70f2d26911e46f538645c55fc upstream.
+
+Check vdev->real_port 0 to avoid panic
+[ 9.261347] [] xhci_free_virt_devices_depth_first+0x58/0x108
+[ 9.261352] [] xhci_mem_cleanup+0x1bc/0x570
+[ 9.261355] [] xhci_stop+0x140/0x1c8
+[ 9.261365] [] usb_remove_hcd+0xfc/0x1d0
+[ 9.261369] [] xhci_plat_remove+0x6c/0xa8
+[ 9.261377] [] platform_drv_remove+0x2c/0x70
+[ 9.261384] [] __device_release_driver+0x80/0x108
+[ 9.261387] [] device_release_driver+0x2c/0x40
+[ 9.261392] [] bus_remove_device+0xe0/0x120
+[ 9.261396] [] device_del+0x114/0x210
+[ 9.261399] [] platform_device_del+0x30/0xa0
+[ 9.261403] [] dwc3_otg_work+0x204/0x488
+[ 9.261407] [] event_work+0x304/0x5b8
+[ 9.261414] [] process_one_work+0x148/0x490
+[ 9.261417] [] worker_thread+0x50/0x4a0
+[ 9.261421] [] kthread+0xe8/0x100
+[ 9.261427] [] ret_from_fork+0x10/0x50
+
+The problem can occur if xhci_plat_remove() is called shortly after
+xhci_plat_probe(). While xhci_free_virt_devices_depth_first been
+called before the device has been setup and get real_port initialized.
+The problem occurred on Hikey960 and was reproduced by Guenter Roeck
+on Kevin with chromeos-4.4.
+
+Fixes: ee8665e28e8d ("xhci: free xhci virtual devices with leaf nodes first")
+Cc: Guenter Roeck
+Reviewed-by: Guenter Roeck
+Tested-by: Guenter Roeck
+Signed-off-by: Fan Ning
+Signed-off-by: Li Rui
+Signed-off-by: yangdi
+Signed-off-by: Yu Chen
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-mem.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -947,6 +947,12 @@ void xhci_free_virt_devices_depth_first(
+ if (!vdev)
+ return;
+
++ if (vdev->real_port == 0 ||
++ vdev->real_port > HCS_MAX_PORTS(xhci->hcs_params1)) {
++ xhci_dbg(xhci, "Bad vdev->real_port.\n");
++ goto out;
++ }
++
+ tt_list_head = &(xhci->rh_bw[vdev->real_port - 1].tts);
+ list_for_each_entry_safe(tt_info, next, tt_list_head, tt_list) {
+ /* is this a hub device that added a tt_info to the tts list */
+@@ -960,6 +966,7 @@ void xhci_free_virt_devices_depth_first(
+ }
+ }
+ }
++out:
+ /* we are now at a leaf device */
+ xhci_free_virt_device(xhci, slot_id);
+ }
diff --git a/queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch b/queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
new file mode 100644
index 00000000000..968c5f92cc8
--- /dev/null
+++ b/queue-4.14/xhci-don-t-show-incorrect-warn-message-about-events-for-empty-rings.patch
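Review bot: The message added to xhci_free_virt_devices_depth_first(), `xhci_dbg(xhci, "Bad vdev->real_port.\n");`, names neither the slot nor the offending value, and it is emitted at debug level although the guard it belongs to is what keeps `xhci->rh_bw[vdev->real_port - 1]` inside the array. Including both makes a recurrence traceable: `xhci_dbg(xhci, "Bad real_port %d for slot %d\n", vdev->real_port, slot_id);`. The `goto out` path also frees the device without walking its tt list, so children are not freed depth-first on that path; a short comment at `out:` saying this is intended for a device that was never fully set up would help the next reader.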
@@ -0,0 +1,51 @@
+From e4ec40ec4b260efcca15089de4285a0a3411259b Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Fri, 1 Dec 2017 13:41:19 +0200
+Subject: xhci: Don't show incorrect WARN message about events for empty rings
+
+From: Mathias Nyman
+
+commit e4ec40ec4b260efcca15089de4285a0a3411259b upstream.
+
+xHC can generate two events for a short transfer if the short TRB and
+last TRB in the TD are not the same TRB.
+
+The driver will handle the TD after the first short event, and remove
+it from its internal list. Driver then incorrectly prints a warning
+for the second event:
+
+"WARN Event TRB for slot x ep y with no TDs queued"
+
+Fix this by not printing a warning if we get a event on a empty list
+if the previous event was a short event.
+
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2486,12 +2486,16 @@ static int handle_tx_event(struct xhci_h
+ */
+ if (list_empty(&ep_ring->td_list)) {
+ /*
+- * A stopped endpoint may generate an extra completion
+- * event if the device was suspended. Don't print
+- * warnings.
++ * Don't print wanings if it's due to a stopped endpoint
++ * generating an extra completion event if the device
++ * was suspended. Or, a event for the last TRB of a
++ * short TD we already got a short event for.
++ * The short TD is already removed from the TD list.
+ */
++
+ if (!(trb_comp_code == COMP_STOPPED ||
+- trb_comp_code == COMP_STOPPED_LENGTH_INVALID)) {
++ trb_comp_code == COMP_STOPPED_LENGTH_INVALID ||
++ ep_ring->last_td_was_short)) {
+ xhci_warn(xhci, "WARN Event TRB for slot %d ep %d with no TDs queued?\n",
+ TRB_TO_SLOT_ID(le32_to_cpu(event->flags)),
+ ep_index);
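Review bot: The rewritten comment in handle_tx_event() carries two typos, "wanings" and "a event"; the lines should read `* Don't print warnings if it's due to a stopped endpoint` and `* was suspended. Or, an event for the last TRB of a`. The blank line added between the comment and the `if` it describes separates the two and can be dropped. On the logic, the hunk does not show where `ep_ring->last_td_was_short` is reset; if an event that arrives on an empty list does not clear it, every later stray event on that ring is silenced as well, so the assignment outside the hunk is worth checking.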