From: Greg Kroah-Hartman Date: Wed, 4 Jul 2018 11:56:35 +0000 (+0200) Subject: 4.17-stable patches X-Git-Tag: v4.14.54~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d525f80f49ca99d1ee9ce7f537de2c341b71e308;p=thirdparty%2Fkernel%2Fstable-queue.git 4.17-stable patches added patches: acpi-add-helper-for-deactivating-memory-region.patch drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch drm-amdgpu-grab-put-runtime-pm-references-in-atomic_commit_tail.patch iio-mma8452-fix-ignoring-mma8452_int_drdy.patch n_tty-access-echo_-variables-carefully.patch n_tty-fix-stall-at-n_tty_receive_char_special.patch serdev-fix-memleak-on-module-unload.patch serial-8250_pci-remove-stalled-entries-in-blacklist.patch staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch usb-serial-cp210x-add-cesinel-device-ids.patch usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch usb-typec-tcpm-fix-logbuffer-index-is-wrong-if-_tcpm_log-is-re-entered.patch usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch --- diff --git a/queue-4.17/acpi-add-helper-for-deactivating-memory-region.patch b/queue-4.17/acpi-add-helper-for-deactivating-memory-region.patch new file mode 100644 index 00000000000..8934bcc576f --- /dev/null +++ b/queue-4.17/acpi-add-helper-for-deactivating-memory-region.patch @@ -0,0 +1,140 @@ +From d2d2e3c46be5d6dd8001d0eebdf7cafb9bc7006b Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Thu, 21 Jun 2018 16:43:17 +0300 +Subject: acpi: Add helper for deactivating memory region + +From: Heikki Krogerus + +commit d2d2e3c46be5d6dd8001d0eebdf7cafb9bc7006b upstream. + +Sometimes memory resource may be overlapping with +SystemMemory Operation Region by design, for example if the +memory region is used as a mailbox for communication with a +firmware in the system. One occasion of such mailboxes is +USB Type-C Connector System Software Interface (UCSI). + +With regions like that, it is important that the driver is +able to map the memory with the requirements it has. For +example, the driver should be allowed to map the memory as +non-cached memory. However, if the operation region has been +accessed before the driver has mapped the memory, the memory +has been marked as write-back by the time the driver is +loaded. That means the driver will fail to map the memory +if it expects non-cached memory. + +To work around the problem, introducing helper that the +drivers can use to temporarily deactivate (unmap) +SystemMemory Operation Regions that overlap with their +IO memory. + +Fixes: 8243edf44152 ("usb: typec: ucsi: Add ACPI driver") +Cc: stable@vger.kernel.org +Reviewed-by: Rafael J. Wysocki +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/osl.c | 72 +++++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/acpi.h | 3 ++ + 2 files changed, 75 insertions(+) + +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -45,6 +45,8 @@ + #include + #include + ++#include "acpica/accommon.h" ++#include "acpica/acnamesp.h" + #include "internal.h" + + #define _COMPONENT ACPI_OS_SERVICES +@@ -1490,6 +1492,76 @@ int acpi_check_region(resource_size_t st + } + EXPORT_SYMBOL(acpi_check_region); + ++static acpi_status acpi_deactivate_mem_region(acpi_handle handle, u32 level, ++ void *_res, void **return_value) ++{ ++ struct acpi_mem_space_context **mem_ctx; ++ union acpi_operand_object *handler_obj; ++ union acpi_operand_object *region_obj2; ++ union acpi_operand_object *region_obj; ++ struct resource *res = _res; ++ acpi_status status; ++ ++ region_obj = acpi_ns_get_attached_object(handle); ++ if (!region_obj) ++ return AE_OK; ++ ++ handler_obj = region_obj->region.handler; ++ if (!handler_obj) ++ return AE_OK; ++ ++ if (region_obj->region.space_id != ACPI_ADR_SPACE_SYSTEM_MEMORY) ++ return AE_OK; ++ ++ if (!(region_obj->region.flags & AOPOBJ_SETUP_COMPLETE)) ++ return AE_OK; ++ ++ region_obj2 = acpi_ns_get_secondary_object(region_obj); ++ if (!region_obj2) ++ return AE_OK; ++ ++ mem_ctx = (void *)®ion_obj2->extra.region_context; ++ ++ if (!(mem_ctx[0]->address >= res->start && ++ mem_ctx[0]->address < res->end)) ++ return AE_OK; ++ ++ status = handler_obj->address_space.setup(region_obj, ++ ACPI_REGION_DEACTIVATE, ++ NULL, (void **)mem_ctx); ++ if (ACPI_SUCCESS(status)) ++ region_obj->region.flags &= ~(AOPOBJ_SETUP_COMPLETE); ++ ++ return status; ++} ++ ++/** ++ * acpi_release_memory - Release any mappings done to a memory region ++ * @handle: Handle to namespace node ++ * @res: Memory resource ++ * @level: A level that terminates the search ++ * ++ * Walks through @handle and unmaps all SystemMemory Operation Regions that ++ * overlap with @res and that have already been activated (mapped). ++ * ++ * This is a helper that allows drivers to place special requirements on memory ++ * region that may overlap with operation regions, primarily allowing them to ++ * safely map the region as non-cached memory. ++ * ++ * The unmapped Operation Regions will be automatically remapped next time they ++ * are called, so the drivers do not need to do anything else. ++ */ ++acpi_status acpi_release_memory(acpi_handle handle, struct resource *res, ++ u32 level) ++{ ++ if (!(res->flags & IORESOURCE_MEM)) ++ return AE_TYPE; ++ ++ return acpi_walk_namespace(ACPI_TYPE_REGION, handle, level, ++ acpi_deactivate_mem_region, NULL, res, NULL); ++} ++EXPORT_SYMBOL_GPL(acpi_release_memory); ++ + /* + * Let drivers know whether the resource checks are effective + */ +--- a/include/linux/acpi.h ++++ b/include/linux/acpi.h +@@ -443,6 +443,9 @@ int acpi_check_resource_conflict(const s + int acpi_check_region(resource_size_t start, resource_size_t n, + const char *name); + ++acpi_status acpi_release_memory(acpi_handle handle, struct resource *res, ++ u32 level); ++ + int acpi_resources_are_enforced(void); + + #ifdef CONFIG_HIBERNATION diff --git a/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch b/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch new file mode 100644 index 00000000000..a2c6fa582b5 --- /dev/null +++ b/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_uvd_clocks.patch @@ -0,0 +1,100 @@ +From 819a23f83e3b2513cffbef418458a47ca02c36b3 Mon Sep 17 00:00:00 2001 +From: Rex Zhu +Date: Tue, 10 Apr 2018 17:17:22 +0800 +Subject: drm/amdgpu: Add APU support in vi_set_uvd_clocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rex Zhu + +commit 819a23f83e3b2513cffbef418458a47ca02c36b3 upstream. + +fix the issue set uvd clock failed on CZ/ST +which lead 1s delay when boot up. + +Reviewed-by: Alex Deucher +Reviewed-by: Huang Rui +Acked-by: Christian König +Acked-by: Shirish S +Signed-off-by: Rex Zhu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/vi.c | 48 ++++++++++++++++++++++++++++++---------- + 1 file changed, 36 insertions(+), 12 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vi.c ++++ b/drivers/gpu/drm/amd/amdgpu/vi.c +@@ -728,33 +728,57 @@ static int vi_set_uvd_clock(struct amdgp + return r; + + tmp = RREG32_SMC(cntl_reg); +- tmp &= ~(CG_DCLK_CNTL__DCLK_DIR_CNTL_EN_MASK | +- CG_DCLK_CNTL__DCLK_DIVIDER_MASK); ++ ++ if (adev->flags & AMD_IS_APU) ++ tmp &= ~CG_DCLK_CNTL__DCLK_DIVIDER_MASK; ++ else ++ tmp &= ~(CG_DCLK_CNTL__DCLK_DIR_CNTL_EN_MASK | ++ CG_DCLK_CNTL__DCLK_DIVIDER_MASK); + tmp |= dividers.post_divider; + WREG32_SMC(cntl_reg, tmp); + + for (i = 0; i < 100; i++) { +- if (RREG32_SMC(status_reg) & CG_DCLK_STATUS__DCLK_STATUS_MASK) +- break; ++ tmp = RREG32_SMC(status_reg); ++ if (adev->flags & AMD_IS_APU) { ++ if (tmp & 0x10000) ++ break; ++ } else { ++ if (tmp & CG_DCLK_STATUS__DCLK_STATUS_MASK) ++ break; ++ } + mdelay(10); + } + if (i == 100) + return -ETIMEDOUT; +- + return 0; + } + ++#define ixGNB_CLK1_DFS_CNTL 0xD82200F0 ++#define ixGNB_CLK1_STATUS 0xD822010C ++#define ixGNB_CLK2_DFS_CNTL 0xD8220110 ++#define ixGNB_CLK2_STATUS 0xD822012C ++ + static int vi_set_uvd_clocks(struct amdgpu_device *adev, u32 vclk, u32 dclk) + { + int r; + +- r = vi_set_uvd_clock(adev, vclk, ixCG_VCLK_CNTL, ixCG_VCLK_STATUS); +- if (r) +- return r; +- +- r = vi_set_uvd_clock(adev, dclk, ixCG_DCLK_CNTL, ixCG_DCLK_STATUS); +- if (r) +- return r; ++ if (adev->flags & AMD_IS_APU) { ++ r = vi_set_uvd_clock(adev, vclk, ixGNB_CLK2_DFS_CNTL, ixGNB_CLK2_STATUS); ++ if (r) ++ return r; ++ ++ r = vi_set_uvd_clock(adev, dclk, ixGNB_CLK1_DFS_CNTL, ixGNB_CLK1_STATUS); ++ if (r) ++ return r; ++ } else { ++ r = vi_set_uvd_clock(adev, vclk, ixCG_VCLK_CNTL, ixCG_VCLK_STATUS); ++ if (r) ++ return r; ++ ++ r = vi_set_uvd_clock(adev, dclk, ixCG_DCLK_CNTL, ixCG_DCLK_STATUS); ++ if (r) ++ return r; ++ } + + return 0; + } diff --git a/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch b/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch new file mode 100644 index 00000000000..055f153da6f --- /dev/null +++ b/queue-4.17/drm-amdgpu-add-apu-support-in-vi_set_vce_clocks.patch @@ -0,0 +1,109 @@ +From 08ebb6e9f4fd7098c28e0ebbb42847cf0488ebb8 Mon Sep 17 00:00:00 2001 +From: Rex Zhu +Date: Tue, 10 Apr 2018 17:49:56 +0800 +Subject: drm/amdgpu: Add APU support in vi_set_vce_clocks +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rex Zhu + +commit 08ebb6e9f4fd7098c28e0ebbb42847cf0488ebb8 upstream. + +1. fix set vce clocks failed on Cz/St + which lead 1s delay when boot up. +2. remove the workaround in vce_v3_0.c + +Reviewed-by: Alex Deucher +Reviewed-by: Huang Rui +Acked-by: Christian König +Acked-by: Shirish S +Signed-off-by: Rex Zhu +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/vce_v3_0.c | 4 ++-- + drivers/gpu/drm/amd/amdgpu/vi.c | 31 +++++++++++++++++++++++++------ + 2 files changed, 27 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c ++++ b/drivers/gpu/drm/amd/amdgpu/vce_v3_0.c +@@ -467,8 +467,8 @@ static int vce_v3_0_hw_init(void *handle + struct amdgpu_device *adev = (struct amdgpu_device *)handle; + + vce_v3_0_override_vce_clock_gating(adev, true); +- if (!(adev->flags & AMD_IS_APU)) +- amdgpu_asic_set_vce_clocks(adev, 10000, 10000); ++ ++ amdgpu_asic_set_vce_clocks(adev, 10000, 10000); + + for (i = 0; i < adev->vce.num_rings; i++) + adev->vce.ring[i].ready = false; +--- a/drivers/gpu/drm/amd/amdgpu/vi.c ++++ b/drivers/gpu/drm/amd/amdgpu/vi.c +@@ -757,6 +757,8 @@ static int vi_set_uvd_clock(struct amdgp + #define ixGNB_CLK1_STATUS 0xD822010C + #define ixGNB_CLK2_DFS_CNTL 0xD8220110 + #define ixGNB_CLK2_STATUS 0xD822012C ++#define ixGNB_CLK3_DFS_CNTL 0xD8220130 ++#define ixGNB_CLK3_STATUS 0xD822014C + + static int vi_set_uvd_clocks(struct amdgpu_device *adev, u32 vclk, u32 dclk) + { +@@ -788,6 +790,22 @@ static int vi_set_vce_clocks(struct amdg + int r, i; + struct atom_clock_dividers dividers; + u32 tmp; ++ u32 reg_ctrl; ++ u32 reg_status; ++ u32 status_mask; ++ u32 reg_mask; ++ ++ if (adev->flags & AMD_IS_APU) { ++ reg_ctrl = ixGNB_CLK3_DFS_CNTL; ++ reg_status = ixGNB_CLK3_STATUS; ++ status_mask = 0x00010000; ++ reg_mask = CG_ECLK_CNTL__ECLK_DIVIDER_MASK; ++ } else { ++ reg_ctrl = ixCG_ECLK_CNTL; ++ reg_status = ixCG_ECLK_STATUS; ++ status_mask = CG_ECLK_STATUS__ECLK_STATUS_MASK; ++ reg_mask = CG_ECLK_CNTL__ECLK_DIR_CNTL_EN_MASK | CG_ECLK_CNTL__ECLK_DIVIDER_MASK; ++ } + + r = amdgpu_atombios_get_clock_dividers(adev, + COMPUTE_GPUCLK_INPUT_FLAG_DEFAULT_GPUCLK, +@@ -796,24 +814,25 @@ static int vi_set_vce_clocks(struct amdg + return r; + + for (i = 0; i < 100; i++) { +- if (RREG32_SMC(ixCG_ECLK_STATUS) & CG_ECLK_STATUS__ECLK_STATUS_MASK) ++ if (RREG32_SMC(reg_status) & status_mask) + break; + mdelay(10); + } ++ + if (i == 100) + return -ETIMEDOUT; + +- tmp = RREG32_SMC(ixCG_ECLK_CNTL); +- tmp &= ~(CG_ECLK_CNTL__ECLK_DIR_CNTL_EN_MASK | +- CG_ECLK_CNTL__ECLK_DIVIDER_MASK); ++ tmp = RREG32_SMC(reg_ctrl); ++ tmp &= ~reg_mask; + tmp |= dividers.post_divider; +- WREG32_SMC(ixCG_ECLK_CNTL, tmp); ++ WREG32_SMC(reg_ctrl, tmp); + + for (i = 0; i < 100; i++) { +- if (RREG32_SMC(ixCG_ECLK_STATUS) & CG_ECLK_STATUS__ECLK_STATUS_MASK) ++ if (RREG32_SMC(reg_status) & status_mask) + break; + mdelay(10); + } ++ + if (i == 100) + return -ETIMEDOUT; + diff --git a/queue-4.17/drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch b/queue-4.17/drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch new file mode 100644 index 00000000000..6d068747373 --- /dev/null +++ b/queue-4.17/drm-amdgpu-fix-clear_all-and-replace-handling-in-the-vm-v2.patch @@ -0,0 +1,50 @@ +From 387f49e5467244b7bcb4cad0946a5d0fcade5f92 Mon Sep 17 00:00:00 2001 +From: Junwei Zhang +Date: Tue, 5 Jun 2018 17:31:51 +0800 +Subject: drm/amdgpu: fix clear_all and replace handling in the VM (v2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Junwei Zhang + +commit 387f49e5467244b7bcb4cad0946a5d0fcade5f92 upstream. + +v2: assign bo_va as well + +We need to put the lose ends on the invalid list because it is possible +that we need to split up huge pages for them. + +Cc: stable@vger.kernel.org +Signed-off-by: Christian König +Signed-off-by: Junwei Zhang (v2) +Reviewed-by: David Zhou +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c +@@ -2112,7 +2112,8 @@ int amdgpu_vm_bo_clear_mappings(struct a + before->last = saddr - 1; + before->offset = tmp->offset; + before->flags = tmp->flags; +- list_add(&before->list, &tmp->list); ++ before->bo_va = tmp->bo_va; ++ list_add(&before->list, &tmp->bo_va->invalids); + } + + /* Remember mapping split at the end */ +@@ -2122,7 +2123,8 @@ int amdgpu_vm_bo_clear_mappings(struct a + after->offset = tmp->offset; + after->offset += after->start - tmp->start; + after->flags = tmp->flags; +- list_add(&after->list, &tmp->list); ++ after->bo_va = tmp->bo_va; ++ list_add(&after->list, &tmp->bo_va->invalids); + } + + list_del(&tmp->list); diff --git a/queue-4.17/drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch b/queue-4.17/drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch new file mode 100644 index 00000000000..93025a2f075 --- /dev/null +++ b/queue-4.17/drm-amdgpu-fix-the-missed-vcn-fw-version-report.patch @@ -0,0 +1,35 @@ +From a0b2ac29415bb44d1c212184c1385a1abe68db5c Mon Sep 17 00:00:00 2001 +From: Huang Rui +Date: Wed, 23 May 2018 11:18:43 +0800 +Subject: drm/amdgpu: fix the missed vcn fw version report +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Huang Rui + +commit a0b2ac29415bb44d1c212184c1385a1abe68db5c upstream. + +It missed vcn.fw_version setting when init vcn microcode, and it will be used to +report vcn ucode version via amdgpu_firmware_info sysfs interface. + +Signed-off-by: Huang Rui +Reviewed-by: Christian König +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vcn.c +@@ -84,6 +84,7 @@ int amdgpu_vcn_sw_init(struct amdgpu_dev + } + + hdr = (const struct common_firmware_header *)adev->vcn.fw->data; ++ adev->vcn.fw_version = le32_to_cpu(hdr->ucode_version); + family_id = le32_to_cpu(hdr->ucode_version) & 0xff; + version_major = (le32_to_cpu(hdr->ucode_version) >> 24) & 0xff; + version_minor = (le32_to_cpu(hdr->ucode_version) >> 8) & 0xff; diff --git a/queue-4.17/drm-amdgpu-grab-put-runtime-pm-references-in-atomic_commit_tail.patch b/queue-4.17/drm-amdgpu-grab-put-runtime-pm-references-in-atomic_commit_tail.patch new file mode 100644 index 00000000000..4674d027bce --- /dev/null +++ b/queue-4.17/drm-amdgpu-grab-put-runtime-pm-references-in-atomic_commit_tail.patch @@ -0,0 +1,91 @@ +From 97028037a38ae40c0e06789b71038d3a6045a413 Mon Sep 17 00:00:00 2001 +From: Lyude Paul +Date: Mon, 4 Jun 2018 15:35:03 -0400 +Subject: drm/amdgpu: Grab/put runtime PM references in atomic_commit_tail() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lyude Paul + +commit 97028037a38ae40c0e06789b71038d3a6045a413 upstream. + +So, unfortunately I recently made the discovery that in the upstream +kernel, the only reason that amdgpu is not currently suffering from +issues with runtime PM putting the GPU into suspend while it's driving +displays is due to the fact that on most prime systems, we have sound +devices associated with the GPU that hold their own runtime PM ref for +the GPU. + +What this means however, is that in the event that there isn't any kind +of sound device active (which can easily be reproduced by building a +kernel with sound drivers disabled), the GPU will fall asleep even when +there's displays active. This appears to be in part due to the fact that +amdgpu has not actually ever relied on it's rpm_idle() function to be +the only thing keeping it running, and normally grabs it's own power +references whenever there are displays active (as can be seen with the +original pre-DC codepath in amdgpu_display_crtc_set_config() in +amdgpu_display.c). This means it's very likely that this bug was +introduced during the switch over the DC. + +So to fix this, we start grabbing runtime PM references every time we +enable a previously disabled CRTC in atomic_commit_tail(). This appears +to be the correct solution, as it matches up with what i915 does in +i915/intel_runtime_pm.c. + +The one sideaffect of this is that we ignore the variable that the +pre-DC code used to use for tracking when it needed runtime PM refs, +adev->have_disp_power_ref. This is mainly because there's no way for a +driver to tell whether or not all of it's CRTCs are enabled or disabled +when we've begun committing an atomic state, as there may be CRTC +commits happening in parallel that aren't contained within the atomic +state being committed. So, it's safer to just get/put a reference for +each CRTC being enabled or disabled in the new atomic state. + +Signed-off-by: Lyude Paul +Acked-by: Christian König . +Reviewed-by: Harry Wentland +Signed-off-by: Alex Deucher +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c ++++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c +@@ -46,6 +46,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -4211,6 +4212,8 @@ static void amdgpu_dm_atomic_commit_tail + if (dm_old_crtc_state->stream) + remove_stream(adev, acrtc, dm_old_crtc_state->stream); + ++ pm_runtime_get_noresume(dev->dev); ++ + acrtc->enabled = true; + acrtc->hw_mode = new_crtc_state->mode; + crtc->hwmode = new_crtc_state->mode; +@@ -4396,6 +4399,16 @@ static void amdgpu_dm_atomic_commit_tail + drm_atomic_helper_wait_for_flip_done(dev, state); + + drm_atomic_helper_cleanup_planes(dev, state); ++ ++ /* Finally, drop a runtime PM reference for each newly disabled CRTC, ++ * so we can put the GPU into runtime suspend if we're not driving any ++ * displays anymore ++ */ ++ pm_runtime_mark_last_busy(dev->dev); ++ for_each_oldnew_crtc_in_state(state, crtc, old_crtc_state, new_crtc_state, i) { ++ if (old_crtc_state->active && !new_crtc_state->active) ++ pm_runtime_put_autosuspend(dev->dev); ++ } + } + + diff --git a/queue-4.17/iio-mma8452-fix-ignoring-mma8452_int_drdy.patch b/queue-4.17/iio-mma8452-fix-ignoring-mma8452_int_drdy.patch new file mode 100644 index 00000000000..f01a3eb2826 --- /dev/null +++ b/queue-4.17/iio-mma8452-fix-ignoring-mma8452_int_drdy.patch @@ -0,0 +1,39 @@ +From b02ec67a8e38875cdc5f9214be885022f11c0017 Mon Sep 17 00:00:00 2001 +From: Leonard Crestez +Date: Thu, 7 Jun 2018 21:52:50 +0300 +Subject: iio: mma8452: Fix ignoring MMA8452_INT_DRDY + +From: Leonard Crestez + +commit b02ec67a8e38875cdc5f9214be885022f11c0017 upstream. + +Interrupts are ignored if no event bit is set in the status status +register and this breaks the buffer interface. No data is shown when +running "iio_generic_buffer -n mma8451 -a" and interrupt counts go +crazy. + +Fix by not returning IRQ_NONE if DRDY is set. + +Fixes: 605f72de137a ("iio: accel: mma8452: improvements to handle +multiple events") + +Signed-off-by: Leonard Crestez +cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/accel/mma8452.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -1034,7 +1034,7 @@ static irqreturn_t mma8452_interrupt(int + if (src < 0) + return IRQ_NONE; + +- if (!(src & data->chip_info->enabled_events)) ++ if (!(src & (data->chip_info->enabled_events | MMA8452_INT_DRDY))) + return IRQ_NONE; + + if (src & MMA8452_INT_DRDY) { diff --git a/queue-4.17/n_tty-access-echo_-variables-carefully.patch b/queue-4.17/n_tty-access-echo_-variables-carefully.patch new file mode 100644 index 00000000000..1e8c66d3244 --- /dev/null +++ b/queue-4.17/n_tty-access-echo_-variables-carefully.patch @@ -0,0 +1,175 @@ +From ebec3f8f5271139df618ebdf8427e24ba102ba94 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:53:14 +0900 +Subject: n_tty: Access echo_* variables carefully. + +From: Tetsuo Handa + +commit ebec3f8f5271139df618ebdf8427e24ba102ba94 upstream. + +syzbot is reporting stalls at __process_echoes() [1]. This is because +since ldata->echo_commit < ldata->echo_tail becomes true for some reason, +the discard loop is serving as almost infinite loop. This patch tries to +avoid falling into ldata->echo_commit < ldata->echo_tail situation by +making access to echo_* variables more carefully. + +Since reset_buffer_flags() is called without output_lock held, it should +not touch echo_* variables. And omit a call to reset_buffer_flags() from +n_tty_open() by using vzalloc(). + +Since add_echo_byte() is called without output_lock held, it needs memory +barrier between storing into echo_buf[] and incrementing echo_head counter. +echo_buf() needs corresponding memory barrier before reading echo_buf[]. +Lack of handling the possibility of not-yet-stored multi-byte operation +might be the reason of falling into ldata->echo_commit < ldata->echo_tail +situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to +echo_buf(ldata, tail + 1), the WARN_ON() fires. + +Also, explicitly masking with buffer for the former "while" loop, and +use ldata->echo_commit > tail for the latter "while" loop. + +[1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Peter Hurley +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +diff --git a/drivers/tty/n_tty.c b/drivers/tty/n_tty.c +index b279f8730e04..431742201709 100644 +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -143,6 +143,7 @@ static inline unsigned char *read_buf_addr(struct n_tty_data *ldata, size_t i) + + static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i) + { ++ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */ + return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)]; + } + +@@ -318,9 +319,7 @@ static inline void put_tty_queue(unsigned char c, struct n_tty_data *ldata) + static void reset_buffer_flags(struct n_tty_data *ldata) + { + ldata->read_head = ldata->canon_head = ldata->read_tail = 0; +- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0; + ldata->commit_head = 0; +- ldata->echo_mark = 0; + ldata->line_start = 0; + + ldata->erasing = 0; +@@ -619,12 +618,19 @@ static size_t __process_echoes(struct tty_struct *tty) + old_space = space = tty_write_room(tty); + + tail = ldata->echo_tail; +- while (ldata->echo_commit != tail) { ++ while (MASK(ldata->echo_commit) != MASK(tail)) { + c = echo_buf(ldata, tail); + if (c == ECHO_OP_START) { + unsigned char op; + int no_space_left = 0; + ++ /* ++ * Since add_echo_byte() is called without holding ++ * output_lock, we might see only portion of multi-byte ++ * operation. ++ */ ++ if (MASK(ldata->echo_commit) == MASK(tail + 1)) ++ goto not_yet_stored; + /* + * If the buffer byte is the start of a multi-byte + * operation, get the next byte, which is either the +@@ -636,6 +642,8 @@ static size_t __process_echoes(struct tty_struct *tty) + unsigned int num_chars, num_bs; + + case ECHO_OP_ERASE_TAB: ++ if (MASK(ldata->echo_commit) == MASK(tail + 2)) ++ goto not_yet_stored; + num_chars = echo_buf(ldata, tail + 2); + + /* +@@ -730,7 +738,8 @@ static size_t __process_echoes(struct tty_struct *tty) + /* If the echo buffer is nearly full (so that the possibility exists + * of echo overrun before the next commit), then discard enough + * data at the tail to prevent a subsequent overrun */ +- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { ++ while (ldata->echo_commit > tail && ++ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { + if (echo_buf(ldata, tail) == ECHO_OP_START) { + if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB) + tail += 3; +@@ -740,6 +749,7 @@ static size_t __process_echoes(struct tty_struct *tty) + tail++; + } + ++ not_yet_stored: + ldata->echo_tail = tail; + return old_space - space; + } +@@ -750,6 +760,7 @@ static void commit_echoes(struct tty_struct *tty) + size_t nr, old, echoed; + size_t head; + ++ mutex_lock(&ldata->output_lock); + head = ldata->echo_head; + ldata->echo_mark = head; + old = ldata->echo_commit - ldata->echo_tail; +@@ -758,10 +769,12 @@ static void commit_echoes(struct tty_struct *tty) + * is over the threshold (and try again each time another + * block is accumulated) */ + nr = head - ldata->echo_tail; +- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK)) ++ if (nr < ECHO_COMMIT_WATERMARK || ++ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) { ++ mutex_unlock(&ldata->output_lock); + return; ++ } + +- mutex_lock(&ldata->output_lock); + ldata->echo_commit = head; + echoed = __process_echoes(tty); + mutex_unlock(&ldata->output_lock); +@@ -812,7 +825,9 @@ static void flush_echoes(struct tty_struct *tty) + + static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata) + { +- *echo_buf_addr(ldata, ldata->echo_head++) = c; ++ *echo_buf_addr(ldata, ldata->echo_head) = c; ++ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */ ++ ldata->echo_head++; + } + + /** +@@ -1881,30 +1896,21 @@ static int n_tty_open(struct tty_struct *tty) + struct n_tty_data *ldata; + + /* Currently a malloc failure here can panic */ +- ldata = vmalloc(sizeof(*ldata)); ++ ldata = vzalloc(sizeof(*ldata)); + if (!ldata) +- goto err; ++ return -ENOMEM; + + ldata->overrun_time = jiffies; + mutex_init(&ldata->atomic_read_lock); + mutex_init(&ldata->output_lock); + + tty->disc_data = ldata; +- reset_buffer_flags(tty->disc_data); +- ldata->column = 0; +- ldata->canon_column = 0; +- ldata->num_overrun = 0; +- ldata->no_room = 0; +- ldata->lnext = 0; + tty->closing = 0; + /* indicate buffer work may resume */ + clear_bit(TTY_LDISC_HALTED, &tty->flags); + n_tty_set_termios(tty, NULL); + tty_unthrottle(tty); +- + return 0; +-err: +- return -ENOMEM; + } + + static inline int input_available_p(struct tty_struct *tty, int poll) diff --git a/queue-4.17/n_tty-fix-stall-at-n_tty_receive_char_special.patch b/queue-4.17/n_tty-fix-stall-at-n_tty_receive_char_special.patch new file mode 100644 index 00000000000..55ecdc1955e --- /dev/null +++ b/queue-4.17/n_tty-fix-stall-at-n_tty_receive_char_special.patch @@ -0,0 +1,83 @@ +From 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:53:13 +0900 +Subject: n_tty: Fix stall at n_tty_receive_char_special(). + +From: Tetsuo Handa + +commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream. + +syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is +because comparison is not working as expected since ldata->read_head can +change at any moment. Mitigate this by explicitly masking with buffer size +when checking condition for "while" loops. + +[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size") +Cc: stable +Cc: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_tty.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -124,6 +124,8 @@ struct n_tty_data { + struct mutex output_lock; + }; + ++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1)) ++ + static inline size_t read_cnt(struct n_tty_data *ldata) + { + return ldata->read_head - ldata->read_tail; +@@ -978,14 +980,15 @@ static void eraser(unsigned char c, stru + } + + seen_alnums = 0; +- while (ldata->read_head != ldata->canon_head) { ++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) { + head = ldata->read_head; + + /* erase a single possibly multibyte character */ + do { + head--; + c = read_buf(ldata, head); +- } while (is_continuation(c, tty) && head != ldata->canon_head); ++ } while (is_continuation(c, tty) && ++ MASK(head) != MASK(ldata->canon_head)); + + /* do not partially erase */ + if (is_continuation(c, tty)) +@@ -1027,7 +1030,7 @@ static void eraser(unsigned char c, stru + * This info is used to go back the correct + * number of columns. + */ +- while (tail != ldata->canon_head) { ++ while (MASK(tail) != MASK(ldata->canon_head)) { + tail--; + c = read_buf(ldata, tail); + if (c == '\t') { +@@ -1302,7 +1305,7 @@ n_tty_receive_char_special(struct tty_st + finish_erasing(ldata); + echo_char(c, tty); + echo_char_raw('\n', ldata); +- while (tail != ldata->read_head) { ++ while (MASK(tail) != MASK(ldata->read_head)) { + echo_char(read_buf(ldata, tail), tty); + tail++; + } +@@ -2411,7 +2414,7 @@ static unsigned long inq_canon(struct n_ + tail = ldata->read_tail; + nr = head - tail; + /* Skip EOF-chars.. */ +- while (head != tail) { ++ while (MASK(head) != MASK(tail)) { + if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && + read_buf(ldata, tail) == __DISABLED_CHAR) + nr--; diff --git a/queue-4.17/serdev-fix-memleak-on-module-unload.patch b/queue-4.17/serdev-fix-memleak-on-module-unload.patch new file mode 100644 index 00000000000..76e2d66c472 --- /dev/null +++ b/queue-4.17/serdev-fix-memleak-on-module-unload.patch @@ -0,0 +1,31 @@ +From bc6cf3669d22371f573ab0305b3abf13887c0786 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 13 Jun 2018 17:08:59 +0200 +Subject: serdev: fix memleak on module unload + +From: Johan Hovold + +commit bc6cf3669d22371f573ab0305b3abf13887c0786 upstream. + +Make sure to free all resources associated with the ida on module +exit. + +Fixes: cd6484e1830b ("serdev: Introduce new bus for serial attached devices") +Cc: stable # 4.11 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serdev/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serdev/core.c ++++ b/drivers/tty/serdev/core.c +@@ -617,6 +617,7 @@ EXPORT_SYMBOL_GPL(__serdev_device_driver + static void __exit serdev_exit(void) + { + bus_unregister(&serdev_bus_type); ++ ida_destroy(&ctrl_ida); + } + module_exit(serdev_exit); + diff --git a/queue-4.17/serial-8250_pci-remove-stalled-entries-in-blacklist.patch b/queue-4.17/serial-8250_pci-remove-stalled-entries-in-blacklist.patch new file mode 100644 index 00000000000..09263cc80b2 --- /dev/null +++ b/queue-4.17/serial-8250_pci-remove-stalled-entries-in-blacklist.patch @@ -0,0 +1,44 @@ +From 20dcff436e9fcd2e106b0ccc48a52206bc176d70 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Wed, 6 Jun 2018 21:00:41 +0300 +Subject: serial: 8250_pci: Remove stalled entries in blacklist + +From: Andy Shevchenko + +commit 20dcff436e9fcd2e106b0ccc48a52206bc176d70 upstream. + +After the commit + + 7d8905d06405 ("serial: 8250_pci: Enable device after we check black list") + +pure serial multi-port cards, such as CH355, got blacklisted and thus +not being enumerated anymore. Previously, it seems, blacklisting them +was on purpose to shut up pciserial_init_one() about record duplication. + +So, remove the entries from blacklist in order to get cards enumerated. + +Fixes: 7d8905d06405 ("serial: 8250_pci: Enable device after we check black list") +Reported-by: Matt Turner +Cc: Sergej Pupykin +Cc: Alexandr Petrenko +Signed-off-by: Andy Shevchenko +Reviewed-and-Tested-by: Matt Turner +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -3339,9 +3339,7 @@ static const struct pci_device_id blackl + /* multi-io cards handled by parport_serial */ + { PCI_DEVICE(0x4348, 0x7053), }, /* WCH CH353 2S1P */ + { PCI_DEVICE(0x4348, 0x5053), }, /* WCH CH353 1S1P */ +- { PCI_DEVICE(0x4348, 0x7173), }, /* WCH CH355 4S */ + { PCI_DEVICE(0x1c00, 0x3250), }, /* WCH CH382 2S1P */ +- { PCI_DEVICE(0x1c00, 0x3470), }, /* WCH CH384 4S */ + + /* Moxa Smartio MUE boards handled by 8250_moxa */ + { PCI_VDEVICE(MOXA, 0x1024), }, diff --git a/queue-4.17/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch b/queue-4.17/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch new file mode 100644 index 00000000000..c2b4b6c8f91 --- /dev/null +++ b/queue-4.17/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch @@ -0,0 +1,33 @@ +From 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Mon, 11 Jun 2018 11:06:53 -0700 +Subject: staging: android: ion: Return an ERR_PTR in ion_map_kernel + +From: Laura Abbott + +commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream. + +The expected return value from ion_map_kernel is an ERR_PTR. The error +path for a vmalloc failure currently just returns NULL, triggering +a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR. + +Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com +Signed-off-by: Laura Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ion/ion_heap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/android/ion/ion_heap.c ++++ b/drivers/staging/android/ion/ion_heap.c +@@ -29,7 +29,7 @@ void *ion_heap_map_kernel(struct ion_hea + struct page **tmp = pages; + + if (!pages) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (buffer->flags & ION_FLAG_CACHED) + pgprot = PAGE_KERNEL; diff --git a/queue-4.17/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch b/queue-4.17/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch new file mode 100644 index 00000000000..e016c14e813 --- /dev/null +++ b/queue-4.17/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch @@ -0,0 +1,126 @@ +From 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 Mon Sep 17 00:00:00 2001 +From: Houston Yaroschoff +Date: Mon, 11 Jun 2018 12:39:09 +0200 +Subject: usb: cdc_acm: Add quirk for Uniden UBC125 scanner + +From: Houston Yaroschoff + +commit 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 upstream. + +Uniden UBC125 radio scanner has USB interface which fails to work +with cdc_acm driver: + usb 1-1.5: new full-speed USB device number 4 using xhci_hcd + cdc_acm 1-1.5:1.0: Zero length descriptor references + cdc_acm: probe of 1-1.5:1.0 failed with error -22 + +Adding the NO_UNION_NORMAL quirk for the device fixes the issue: + usb 1-4: new full-speed USB device number 15 using xhci_hcd + usb 1-4: New USB device found, idVendor=1965, idProduct=0018 + usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 + usb 1-4: Product: UBC125XLT + usb 1-4: Manufacturer: Uniden Corp. + usb 1-4: SerialNumber: 0001 + cdc_acm 1-4:1.0: ttyACM0: USB ACM device + +`lsusb -v` of the device: + + Bus 001 Device 015: ID 1965:0018 Uniden Corporation + Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 2 Communications + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x1965 Uniden Corporation + idProduct 0x0018 + bcdDevice 0.01 + iManufacturer 1 Uniden Corp. + iProduct 2 UBC125XLT + iSerial 3 0001 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 48 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 1 + bInterfaceClass 2 Communications + bInterfaceSubClass 2 Abstract (modem) + bInterfaceProtocol 0 None + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x87 EP 7 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 10 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 10 CDC Data + bInterfaceSubClass 0 Unused + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Device Status: 0x0000 + (Bus Powered) + +Signed-off-by: Houston Yaroschoff +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1758,6 +1758,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */ + .driver_info = SINGLE_RX_URB, + }, ++ { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */ ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ ++ }, + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, diff --git a/queue-4.17/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch b/queue-4.17/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch new file mode 100644 index 00000000000..0ea8caca1f1 --- /dev/null +++ b/queue-4.17/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch @@ -0,0 +1,42 @@ +From 8760675932ddb614e83702117d36ea644050c609 Mon Sep 17 00:00:00 2001 +From: William Wu +Date: Mon, 21 May 2018 18:12:00 +0800 +Subject: usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub + +From: William Wu + +commit 8760675932ddb614e83702117d36ea644050c609 upstream. + +The dwc2_get_ls_map() use ttport to reference into the +bitmap if we're on a multi_tt hub. But the bitmaps index +from 0 to (hub->maxchild - 1), while the ttport index from +1 to hub->maxchild. This will cause invalid memory access +when the number of ttport is hub->maxchild. + +Without this patch, I can easily meet a Kernel panic issue +if connect a low-speed USB mouse with the max port of FE2.1 +multi-tt hub (1a40:0201) on rk3288 platform. + +Fixes: 9f9f09b048f5 ("usb: dwc2: host: Totally redo the microframe scheduler") +Cc: +Reviewed-by: Douglas Anderson +Acked-by: Minas Harutyunyan hminas@synopsys.com> +Signed-off-by: William Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc2/hcd_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd_queue.c ++++ b/drivers/usb/dwc2/hcd_queue.c +@@ -383,7 +383,7 @@ static unsigned long *dwc2_get_ls_map(st + /* Get the map and adjust if this is a multi_tt hub */ + map = qh->dwc_tt->periodic_bitmaps; + if (qh->dwc_tt->usb_tt->multi) +- map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport; ++ map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1); + + return map; + } diff --git a/queue-4.17/usb-serial-cp210x-add-cesinel-device-ids.patch b/queue-4.17/usb-serial-cp210x-add-cesinel-device-ids.patch new file mode 100644 index 00000000000..90a7b02c2f7 --- /dev/null +++ b/queue-4.17/usb-serial-cp210x-add-cesinel-device-ids.patch @@ -0,0 +1,66 @@ +From 24160628a34af962ac99f2f58e547ac3c4cbd26f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 18 Jun 2018 10:24:03 +0200 +Subject: USB: serial: cp210x: add CESINEL device ids + +From: Johan Hovold + +commit 24160628a34af962ac99f2f58e547ac3c4cbd26f upstream. + +Add device ids for CESINEL products. + +Reported-by: Carlos Barcala Lara +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -95,6 +95,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */ + { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */ + { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */ ++ { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */ + { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */ + { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */ + { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */ +@@ -112,6 +115,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ + { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ ++ { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */ ++ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */ ++ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */ + { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ +@@ -124,7 +130,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */ + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ ++ { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */ + { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */ ++ { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */ + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ +@@ -134,10 +142,13 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */ + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ ++ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */ ++ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */ + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ + { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */ + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ ++ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ + { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */ + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ diff --git a/queue-4.17/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch b/queue-4.17/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch new file mode 100644 index 00000000000..a806a7d11e1 --- /dev/null +++ b/queue-4.17/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch @@ -0,0 +1,38 @@ +From 2f839823382748664b643daa73f41ee0cc01ced6 Mon Sep 17 00:00:00 2001 +From: Karoly Pados +Date: Sat, 9 Jun 2018 13:26:08 +0200 +Subject: USB: serial: cp210x: add Silicon Labs IDs for Windows Update + +From: Karoly Pados + +commit 2f839823382748664b643daa73f41ee0cc01ced6 upstream. + +Silicon Labs defines alternative VID/PID pairs for some chips that when +used will automatically install drivers for Windows users without manual +intervention. Unfortunately, these IDs are not recognized by the Linux +module, so using these IDs improves user experience on one platform but +degrades it on Linux. This patch addresses this problem. + +Signed-off-by: Karoly Pados +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -154,8 +154,11 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ ++ { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ ++ { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */ ++ { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */ + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ + { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */ diff --git a/queue-4.17/usb-typec-tcpm-fix-logbuffer-index-is-wrong-if-_tcpm_log-is-re-entered.patch b/queue-4.17/usb-typec-tcpm-fix-logbuffer-index-is-wrong-if-_tcpm_log-is-re-entered.patch new file mode 100644 index 00000000000..edeba601935 --- /dev/null +++ b/queue-4.17/usb-typec-tcpm-fix-logbuffer-index-is-wrong-if-_tcpm_log-is-re-entered.patch @@ -0,0 +1,56 @@ +From d5a4f93511b7000183c0d528739b824752139f79 Mon Sep 17 00:00:00 2001 +From: Peter Chen +Date: Tue, 12 Jun 2018 09:53:01 +0800 +Subject: usb: typec: tcpm: fix logbuffer index is wrong if _tcpm_log is re-entered + +From: Peter Chen + +commit d5a4f93511b7000183c0d528739b824752139f79 upstream. + +The port->logbuffer_head may be wrong if the two processes enters +_tcpm_log at the mostly same time. The 2nd process enters _tcpm_log +before the 1st process update the index, then the 2nd process will +not allocate logbuffer, when the 2nd process tries to use log buffer, +the index has already updated by the 1st process, so it will get +NULL pointer for updated logbuffer, the error message like below: + + tcpci 0-0050: Log buffer index 6 is NULL + +Cc: Heikki Krogerus +Cc: Guenter Roeck +Cc: Jun Li +Signed-off-by: Peter Chen +Reviewed-by: Heikki Krogerus +Cc: stable +Reviewed-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tcpm.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/usb/typec/tcpm.c ++++ b/drivers/usb/typec/tcpm.c +@@ -388,17 +388,18 @@ static void _tcpm_log(struct tcpm_port * + u64 ts_nsec = local_clock(); + unsigned long rem_nsec; + ++ mutex_lock(&port->logbuffer_lock); + if (!port->logbuffer[port->logbuffer_head]) { + port->logbuffer[port->logbuffer_head] = + kzalloc(LOG_BUFFER_ENTRY_SIZE, GFP_KERNEL); +- if (!port->logbuffer[port->logbuffer_head]) ++ if (!port->logbuffer[port->logbuffer_head]) { ++ mutex_unlock(&port->logbuffer_lock); + return; ++ } + } + + vsnprintf(tmpbuffer, sizeof(tmpbuffer), fmt, args); + +- mutex_lock(&port->logbuffer_lock); +- + if (tcpm_log_full(port)) { + port->logbuffer_head = max(port->logbuffer_head - 1, 0); + strcpy(tmpbuffer, "overflow"); diff --git a/queue-4.17/usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch b/queue-4.17/usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch new file mode 100644 index 00000000000..81ead6b3b07 --- /dev/null +++ b/queue-4.17/usb-typec-ucsi-acpi-workaround-for-cache-mode-issue.patch @@ -0,0 +1,58 @@ +From 1f9f9d168ce619608572b01771c47a41b15429e6 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Thu, 21 Jun 2018 16:43:18 +0300 +Subject: usb: typec: ucsi: acpi: Workaround for cache mode issue + +From: Heikki Krogerus + +commit 1f9f9d168ce619608572b01771c47a41b15429e6 upstream. + +This fixes an issue where the driver fails with an error: + + ioremap error for 0x3f799000-0x3f79a000, requested 0x2, got 0x0 + +On some platforms the UCSI ACPI mailbox SystemMemory +Operation Region may be setup before the driver has been +loaded. That will lead into the driver failing to map the +mailbox region, as it has been already marked as write-back +memory. acpi_os_ioremap() for x86 uses ioremap_cache() +unconditionally. + +When the issue happens, the embedded controller has a +pending query event for the UCSI notification right after +boot-up which causes the operation region to be setup before +UCSI driver has been loaded. + +The fix is to notify acpi core that the driver is about to +access memory region which potentially overlaps with an +operation region right before mapping it. +acpi_release_memory() will check if the memory has already +been setup (mapped) by acpi core, and deactivate it (unmap) +if it has. The driver is then able to map the memory with +ioremap_nocache() and set the memtype to uncached for the +region. + +Reported-by: Paul Menzel +Fixes: 8243edf44152 ("usb: typec: ucsi: Add ACPI driver") +Cc: stable@vger.kernel.org +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/ucsi/ucsi_acpi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi_acpi.c ++++ b/drivers/usb/typec/ucsi/ucsi_acpi.c +@@ -79,6 +79,11 @@ static int ucsi_acpi_probe(struct platfo + return -ENODEV; + } + ++ /* This will make sure we can use ioremap_nocache() */ ++ status = acpi_release_memory(ACPI_HANDLE(&pdev->dev), res, 1); ++ if (ACPI_FAILURE(status)) ++ return -ENOMEM; ++ + /* + * NOTE: The memory region for the data structures is used also in an + * operation region, which means ACPI has already reserved it. Therefore diff --git a/queue-4.17/usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch b/queue-4.17/usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch new file mode 100644 index 00000000000..59a3df23841 --- /dev/null +++ b/queue-4.17/usb-typec-ucsi-fix-for-incorrect-status-data-issue.patch @@ -0,0 +1,56 @@ +From 68816e16b4789f2d05e77b6dcb77564cf5d6a8d8 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Thu, 21 Jun 2018 16:43:19 +0300 +Subject: usb: typec: ucsi: Fix for incorrect status data issue + +From: Heikki Krogerus + +commit 68816e16b4789f2d05e77b6dcb77564cf5d6a8d8 upstream. + +According to UCSI Specification, Connector Change Event only +means a change in the Connector Status and Operation Mode +fields of the STATUS data structure. So any other change +should create another event. + +Unfortunately on some platforms the firmware acting as PPM +(platform policy manager - usually embedded controller +firmware) still does not report any other status changes if +there is a connector change event. So if the connector power +or data role was changed when a device was plugged to the +connector, the driver does not get any indication about +that. The port will show wrong roles if that happens. + +To fix the issue, always checking the data and power role +together with a connector change event. + +Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") +Signed-off-by: Heikki Krogerus +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/ucsi/ucsi.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -350,6 +350,19 @@ static void ucsi_connector_change(struct + } + + if (con->status.change & UCSI_CONSTAT_CONNECT_CHANGE) { ++ typec_set_pwr_role(con->port, con->status.pwr_dir); ++ ++ switch (con->status.partner_type) { ++ case UCSI_CONSTAT_PARTNER_TYPE_UFP: ++ typec_set_data_role(con->port, TYPEC_HOST); ++ break; ++ case UCSI_CONSTAT_PARTNER_TYPE_DFP: ++ typec_set_data_role(con->port, TYPEC_DEVICE); ++ break; ++ default: ++ break; ++ } ++ + if (con->status.connected) + ucsi_register_partner(con); + else diff --git a/queue-4.17/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch b/queue-4.17/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch new file mode 100644 index 00000000000..7f4e05eff18 --- /dev/null +++ b/queue-4.17/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch @@ -0,0 +1,69 @@ +From 21eff69aaaa0e766ca0ce445b477698dc6a9f55a Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko +Date: Thu, 14 Jun 2018 12:23:09 +0200 +Subject: vt: prevent leaking uninitialized data to userspace via /dev/vcs* + +From: Alexander Potapenko + +commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream. + +KMSAN reported an infoleak when reading from /dev/vcs*: + + BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0 + Call Trace: + ... + kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253 + copy_to_user ./include/linux/uaccess.h:184 + vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352 + __vfs_read+0x1b2/0x9d0 fs/read_write.c:416 + vfs_read+0x36c/0x6b0 fs/read_write.c:452 + ... + Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 + __kmalloc+0x13a/0x350 mm/slub.c:3818 + kmalloc ./include/linux/slab.h:517 + vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787 + con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880 + tty_driver_install_tty drivers/tty/tty_io.c:1224 + tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324 + tty_open_by_driver drivers/tty/tty_io.c:1959 + tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007 + chrdev_open+0xc25/0xd90 fs/char_dev.c:417 + do_dentry_open+0xccc/0x1440 fs/open.c:794 + vfs_open+0x1b6/0x2f0 fs/open.c:908 + ... + Bytes 0-79 of 240 are uninitialized + +Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem + +Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com +Signed-off-by: Alexander Potapenko +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -784,7 +784,7 @@ int vc_allocate(unsigned int currcons) / + if (!*vc->vc_uni_pagedir_loc) + con_set_default_unimap(vc); + +- vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL); ++ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); + if (!vc->vc_screenbuf) + goto err_free; + +@@ -871,7 +871,7 @@ static int vc_do_resize(struct tty_struc + + if (new_screen_size > (4 << 20)) + return -EINVAL; +- newscreen = kmalloc(new_screen_size, GFP_USER); ++ newscreen = kzalloc(new_screen_size, GFP_USER); + if (!newscreen) + return -ENOMEM; + diff --git a/queue-4.17/xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch b/queue-4.17/xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch new file mode 100644 index 00000000000..96d14503ff6 --- /dev/null +++ b/queue-4.17/xhci-fix-kernel-oops-in-trace_xhci_free_virt_device.patch @@ -0,0 +1,129 @@ +From d850c1658328e757635a46763783c6fd56390dcb Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Thu, 21 Jun 2018 16:19:42 +0300 +Subject: xhci: Fix kernel oops in trace_xhci_free_virt_device + +From: Zhengjun Xing + +commit d850c1658328e757635a46763783c6fd56390dcb upstream. + +commit 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +set dev->udev pointer to NULL in xhci_free_dev(), it will cause kernel +panic in trace_xhci_free_virt_device. This patch reimplement the trace +function trace_xhci_free_virt_device, remove dev->udev dereference and +added more useful parameters to show in the trace function,it also makes +sure dev->udev is not NULL before calling trace_xhci_free_virt_device. +This issue happened when xhci-hcd trace is enabled and USB devices hot +plug test. Original use-after-free patch went to stable so this needs so +be applied there as well. + +[ 1092.022457] usb 2-4: USB disconnect, device number 6 +[ 1092.092772] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +[ 1092.101694] PGD 0 P4D 0 +[ 1092.104601] Oops: 0000 [#1] SMP +[ 1092.207734] Workqueue: usb_hub_wq hub_event +[ 1092.212507] RIP: 0010:trace_event_raw_event_xhci_log_virt_dev+0x6c/0xf0 +[ 1092.220050] RSP: 0018:ffff8c252e883d28 EFLAGS: 00010086 +[ 1092.226024] RAX: ffff8c24af86fa84 RBX: 0000000000000003 RCX: ffff8c25255c2a01 +[ 1092.234130] RDX: 0000000000000000 RSI: 00000000aef55009 RDI: ffff8c252e883d28 +[ 1092.242242] RBP: ffff8c252550e2c0 R08: ffff8c24af86fa84 R09: 0000000000000a70 +[ 1092.250364] R10: 0000000000000a70 R11: 0000000000000000 R12: ffff8c251f21a000 +[ 1092.258468] R13: 000000000000000c R14: ffff8c251f21a000 R15: ffff8c251f432f60 +[ 1092.266572] FS: 0000000000000000(0000) GS:ffff8c252e880000(0000) knlGS:0000000000000000 +[ 1092.275757] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 1092.282281] CR2: 0000000000000000 CR3: 0000000154209001 CR4: 00000000003606e0 +[ 1092.290384] Call Trace: +[ 1092.293156] +[ 1092.295439] xhci_free_virt_device.part.34+0x182/0x1a0 +[ 1092.301288] handle_cmd_completion+0x7ac/0xfa0 +[ 1092.306336] ? trace_event_raw_event_xhci_log_trb+0x6e/0xa0 +[ 1092.312661] xhci_irq+0x3e8/0x1f60 +[ 1092.316524] __handle_irq_event_percpu+0x75/0x180 +[ 1092.321876] handle_irq_event_percpu+0x20/0x50 +[ 1092.326922] handle_irq_event+0x36/0x60 +[ 1092.331273] handle_edge_irq+0x6d/0x180 +[ 1092.335644] handle_irq+0x16/0x20 +[ 1092.339417] do_IRQ+0x41/0xc0 +[ 1092.342782] common_interrupt+0xf/0xf +[ 1092.346955] + +Fixes: 44a182b9d177 ("xhci: Fix use-after-free in xhci_free_virt_device") +Cc: +Signed-off-by: Zhengjun Xing +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-mem.c | 4 ++-- + drivers/usb/host/xhci-trace.h | 36 +++++++++++++++++++++++++++++++----- + 2 files changed, 33 insertions(+), 7 deletions(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -878,12 +878,12 @@ void xhci_free_virt_device(struct xhci_h + + dev = xhci->devs[slot_id]; + +- trace_xhci_free_virt_device(dev); +- + xhci->dcbaa->dev_context_ptrs[slot_id] = 0; + if (!dev) + return; + ++ trace_xhci_free_virt_device(dev); ++ + if (dev->tt_info) + old_active_eps = dev->tt_info->active_eps; + +--- a/drivers/usb/host/xhci-trace.h ++++ b/drivers/usb/host/xhci-trace.h +@@ -171,6 +171,37 @@ DEFINE_EVENT(xhci_log_trb, xhci_dbc_gadg + TP_ARGS(ring, trb) + ); + ++DECLARE_EVENT_CLASS(xhci_log_free_virt_dev, ++ TP_PROTO(struct xhci_virt_device *vdev), ++ TP_ARGS(vdev), ++ TP_STRUCT__entry( ++ __field(void *, vdev) ++ __field(unsigned long long, out_ctx) ++ __field(unsigned long long, in_ctx) ++ __field(u8, fake_port) ++ __field(u8, real_port) ++ __field(u16, current_mel) ++ ++ ), ++ TP_fast_assign( ++ __entry->vdev = vdev; ++ __entry->in_ctx = (unsigned long long) vdev->in_ctx->dma; ++ __entry->out_ctx = (unsigned long long) vdev->out_ctx->dma; ++ __entry->fake_port = (u8) vdev->fake_port; ++ __entry->real_port = (u8) vdev->real_port; ++ __entry->current_mel = (u16) vdev->current_mel; ++ ), ++ TP_printk("vdev %p ctx %llx | %llx fake_port %d real_port %d current_mel %d", ++ __entry->vdev, __entry->in_ctx, __entry->out_ctx, ++ __entry->fake_port, __entry->real_port, __entry->current_mel ++ ) ++); ++ ++DEFINE_EVENT(xhci_log_free_virt_dev, xhci_free_virt_device, ++ TP_PROTO(struct xhci_virt_device *vdev), ++ TP_ARGS(vdev) ++); ++ + DECLARE_EVENT_CLASS(xhci_log_virt_dev, + TP_PROTO(struct xhci_virt_device *vdev), + TP_ARGS(vdev), +@@ -207,11 +238,6 @@ DEFINE_EVENT(xhci_log_virt_dev, xhci_all + TP_PROTO(struct xhci_virt_device *vdev), + TP_ARGS(vdev) + ); +- +-DEFINE_EVENT(xhci_log_virt_dev, xhci_free_virt_device, +- TP_PROTO(struct xhci_virt_device *vdev), +- TP_ARGS(vdev) +-); + + DEFINE_EVENT(xhci_log_virt_dev, xhci_setup_device, + TP_PROTO(struct xhci_virt_device *vdev), diff --git a/queue-4.17/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch b/queue-4.17/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch new file mode 100644 index 00000000000..2e34c8f227d --- /dev/null +++ b/queue-4.17/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch @@ -0,0 +1,122 @@ +From 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 21 Jun 2018 16:19:41 +0300 +Subject: xhci: Fix perceived dead host due to runtime suspend race with event handler + +From: Mathias Nyman + +commit 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 upstream. + +Don't rely on event interrupt (EINT) bit alone to detect pending port +change in resume. If no change event is detected the host may be suspended +again, oterwise roothubs are resumed. + +There is a lag in xHC setting EINT. If we don't notice the pending change +in resume, and the controller is runtime suspeded again, it causes the +event handler to assume host is dead as it will fail to read xHC registers +once PCI puts the controller to D3 state. + +[ 268.520969] xhci_hcd: xhci_resume: starting port polling. +[ 268.520985] xhci_hcd: xhci_hub_status_data: stopping port polling. +[ 268.521030] xhci_hcd: xhci_suspend: stopping port polling. +[ 268.521040] xhci_hcd: // Setting command ring address to 0x349bd001 +[ 268.521139] xhci_hcd: Port Status Change Event for port 3 +[ 268.521149] xhci_hcd: resume root hub +[ 268.521163] xhci_hcd: port resume event for port 3 +[ 268.521168] xhci_hcd: xHC is not running. +[ 268.521174] xhci_hcd: handle_port_status: starting port polling. +[ 268.596322] xhci_hcd: xhci_hc_died: xHCI host controller not responding, assume dead + +The EINT lag is described in a additional note in xhci specs 4.19.2: + +"Due to internal xHC scheduling and system delays, there will be a lag +between a change bit being set and the Port Status Change Event that it +generated being written to the Event Ring. If SW reads the PORTSC and +sees a change bit set, there is no guarantee that the corresponding Port +Status Change Event has already been written into the Event Ring." + +Cc: +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++++++++++++++++--- + drivers/usb/host/xhci.h | 4 ++++ + 2 files changed, 41 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -844,6 +844,41 @@ static void xhci_disable_port_wake_on_bi + spin_unlock_irqrestore(&xhci->lock, flags); + } + ++static bool xhci_pending_portevent(struct xhci_hcd *xhci) ++{ ++ struct xhci_port **ports; ++ int port_index; ++ u32 status; ++ u32 portsc; ++ ++ status = readl(&xhci->op_regs->status); ++ if (status & STS_EINT) ++ return true; ++ /* ++ * Checking STS_EINT is not enough as there is a lag between a change ++ * bit being set and the Port Status Change Event that it generated ++ * being written to the Event Ring. See note in xhci 1.1 section 4.19.2. ++ */ ++ ++ port_index = xhci->usb2_rhub.num_ports; ++ ports = xhci->usb2_rhub.ports; ++ while (port_index--) { ++ portsc = readl(ports[port_index]->addr); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ port_index = xhci->usb3_rhub.num_ports; ++ ports = xhci->usb3_rhub.ports; ++ while (port_index--) { ++ portsc = readl(ports[port_index]->addr); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ return false; ++} ++ + /* + * Stop HC (not bus-specific) + * +@@ -945,7 +980,7 @@ EXPORT_SYMBOL_GPL(xhci_suspend); + */ + int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + { +- u32 command, temp = 0, status; ++ u32 command, temp = 0; + struct usb_hcd *hcd = xhci_to_hcd(xhci); + struct usb_hcd *secondary_hcd; + int retval = 0; +@@ -1069,8 +1104,7 @@ int xhci_resume(struct xhci_hcd *xhci, b + done: + if (retval == 0) { + /* Resume root hubs only when have pending events. */ +- status = readl(&xhci->op_regs->status); +- if (status & STS_EINT) { ++ if (xhci_pending_portevent(xhci)) { + usb_hcd_resume_root_hub(xhci->shared_hcd); + usb_hcd_resume_root_hub(hcd); + } +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -382,6 +382,10 @@ struct xhci_op_regs { + #define PORT_PLC (1 << 22) + /* port configure error change - port failed to configure its link partner */ + #define PORT_CEC (1 << 23) ++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ ++ PORT_RC | PORT_PLC | PORT_CEC) ++ ++ + /* Cold Attach Status - xHC can set this bit to report device attached during + * Sx state. Warm port reset should be perfomed to clear this bit and move port + * to connected state.