From: Greg Kroah-Hartman Date: Fri, 16 Mar 2018 13:33:30 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v3.18.100~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e4e6339e85b74ff588802ddcb2f56fe8ac002989;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: asoc-rt5651-fix-regcache-sync-errors-on-resume.patch asoc-sgtl5000-fix-suspend-resume.patch asoc-sun4i-i2s-fix-rx-slot-number-of-sun8i.patch asoc-wm_adsp-for-tlv-controls-only-register-tlv-get-set.patch dm-mpath-fix-passing-integrity-data.patch earlycon-add-reg-offset-to-physical-address-before-mapping.patch serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch serial-core-mark-port-as-initialized-in-autoconfig.patch serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch staging-android-ashmem-fix-lockdep-issue-during-llseek.patch staging-comedi-fix-comedi_nsamples_left.patch tty-serial-atmel-add-new-version-check-for-usart.patch uas-fix-comparison-for-error-code.patch usb-dwc3-fix-lock-up-on-id-change-during-system-suspend-resume.patch usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch usb-host-xhci-rcar-add-support-for-r8a77965.patch usb-quirks-add-control-message-delay-for-1b1c-1b20.patch usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch usb-usbmon-read-text-within-supplied-buffer-size.patch usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch xhci-fix-endpoint-context-tracer-output.patch xhci-fix-front-usb-ports-on-asus-prime-b350m-a.patch --- diff --git a/queue-4.14/asoc-rt5651-fix-regcache-sync-errors-on-resume.patch b/queue-4.14/asoc-rt5651-fix-regcache-sync-errors-on-resume.patch new file mode 100644 index 00000000000..722824873ad --- /dev/null +++ b/queue-4.14/asoc-rt5651-fix-regcache-sync-errors-on-resume.patch 
@@ -0,0 +1,35 @@ +From 2d30e9494f1ea320aaaad0cff9ddd92c87eac355 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 18 Feb 2018 23:01:44 +0100 +Subject: ASoC: rt5651: Fix regcache sync errors on resume + +From: Hans de Goede + +commit 2d30e9494f1ea320aaaad0cff9ddd92c87eac355 upstream. + +The ALC5651 does not like multi-write accesses, avoid them. This fixes: + +rt5651 i2c-10EC5651:00: Unable to sync registers 0x27-0x28. -121 + +Errors on resume (and all registers after the registers in the error not +being synced). + +Signed-off-by: Hans de Goede +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/rt5651.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/codecs/rt5651.c ++++ b/sound/soc/codecs/rt5651.c +@@ -1694,6 +1694,7 @@ static const struct regmap_config rt5651 + .num_reg_defaults = ARRAY_SIZE(rt5651_reg), + .ranges = rt5651_ranges, + .num_ranges = ARRAY_SIZE(rt5651_ranges), ++ .use_single_rw = true, + }; + + #if defined(CONFIG_OF) diff --git a/queue-4.14/asoc-sgtl5000-fix-suspend-resume.patch b/queue-4.14/asoc-sgtl5000-fix-suspend-resume.patch new file mode 100644 index 00000000000..edcd3dd9a37 --- /dev/null +++ b/queue-4.14/asoc-sgtl5000-fix-suspend-resume.patch 
@@ -0,0 +1,60 @@ +From a8992973edbb2555e956b90f6fe97c4bc14d761d Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Fri, 16 Feb 2018 11:58:54 -0200 +Subject: ASoC: sgtl5000: Fix suspend/resume + +From: Fabio Estevam + +commit a8992973edbb2555e956b90f6fe97c4bc14d761d upstream. + +Commit 8419caa72702 ("ASoC: sgtl5000: Do not disable regulators in +SND_SOC_BIAS_OFF") causes the sgtl5000 to fail after a suspend/resume +sequence: + +Playing WAVE '/media/a2002011001-e02.wav' : Signed 16 bit Little +Endian, Rate 44100 Hz, Stereo +aplay: pcm_write:2051: write error: Input/output error + +The problem is caused by the fact that the aforementioned commit +dropped the cache handling, so re-introduce the register map +resync to fix the problem. + +Suggested-by: Mark Brown +Signed-off-by: Fabio Estevam +Signed-off-by: Mark Brown +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/sgtl5000.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/sound/soc/codecs/sgtl5000.c ++++ b/sound/soc/codecs/sgtl5000.c +@@ -871,15 +871,26 @@ static int sgtl5000_pcm_hw_params(struct + static int sgtl5000_set_bias_level(struct snd_soc_codec *codec, + enum snd_soc_bias_level level) + { ++ struct sgtl5000_priv *sgtl = snd_soc_codec_get_drvdata(codec); ++ int ret; ++ + switch (level) { + case SND_SOC_BIAS_ON: + case SND_SOC_BIAS_PREPARE: + case SND_SOC_BIAS_STANDBY: ++ regcache_cache_only(sgtl->regmap, false); ++ ret = regcache_sync(sgtl->regmap); ++ if (ret) { ++ regcache_cache_only(sgtl->regmap, true); ++ return ret; ++ } ++ + snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, + SGTL5000_REFTOP_POWERUP, + SGTL5000_REFTOP_POWERUP); + break; + case SND_SOC_BIAS_OFF: ++ regcache_cache_only(sgtl->regmap, true); + snd_soc_update_bits(codec, SGTL5000_CHIP_ANA_POWER, + SGTL5000_REFTOP_POWERUP, 0); + break; 
diff --git a/queue-4.14/asoc-sun4i-i2s-fix-rx-slot-number-of-sun8i.patch b/queue-4.14/asoc-sun4i-i2s-fix-rx-slot-number-of-sun8i.patch new file mode 100644 index 00000000000..103a4b767ac --- /dev/null +++ b/queue-4.14/asoc-sun4i-i2s-fix-rx-slot-number-of-sun8i.patch @@ -0,0 +1,33 @@ +From 5a3386790a172cf738194e1574f631cd43c6140a Mon Sep 17 00:00:00 2001 +From: Yong Deng +Date: Mon, 26 Feb 2018 10:43:52 +0800 +Subject: ASoC: sun4i-i2s: Fix RX slot number of SUN8I + +From: Yong Deng + +commit 5a3386790a172cf738194e1574f631cd43c6140a upstream. + +I2S's RX slot number of SUN8I should be shifted 4 bit to left. + +Fixes: 7d2993811a1e ("ASoC: sun4i-i2s: Add support for H3") +Signed-off-by: Yong Deng +Reviewed-by: Chen-Yu Tsai +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sunxi/sun4i-i2s.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/sunxi/sun4i-i2s.c ++++ b/sound/soc/sunxi/sun4i-i2s.c +@@ -104,7 +104,7 @@ + + #define SUN8I_I2S_CHAN_CFG_REG 0x30 + #define SUN8I_I2S_CHAN_CFG_RX_SLOT_NUM_MASK GENMASK(6, 4) +-#define SUN8I_I2S_CHAN_CFG_RX_SLOT_NUM(chan) (chan - 1) ++#define SUN8I_I2S_CHAN_CFG_RX_SLOT_NUM(chan) ((chan - 1) << 4) + #define SUN8I_I2S_CHAN_CFG_TX_SLOT_NUM_MASK GENMASK(2, 0) + #define SUN8I_I2S_CHAN_CFG_TX_SLOT_NUM(chan) (chan - 1) + diff --git a/queue-4.14/asoc-wm_adsp-for-tlv-controls-only-register-tlv-get-set.patch b/queue-4.14/asoc-wm_adsp-for-tlv-controls-only-register-tlv-get-set.patch new file mode 100644 index 00000000000..93998c00410 --- /dev/null +++ b/queue-4.14/asoc-wm_adsp-for-tlv-controls-only-register-tlv-get-set.patch 
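Review bot: The corrected `SUN8I_I2S_CHAN_CFG_RX_SLOT_NUM(chan)` still expands its argument unparenthesized, so an argument that is itself an expression (a conditional, for example) would bind incorrectly before the subtraction and shift. `#define SUN8I_I2S_CHAN_CFG_RX_SLOT_NUM(chan) (((chan) - 1) << 4)` avoids that. The TX macro on the context line below has the same form and could be fixed alongside it. The literal `4` also repeats the low bit of `GENMASK(6, 4)` from the mask definition above, so the two have to be kept in step by hand.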
@@ -0,0 +1,55 @@ +From d7789f5bcdb298c4a302db471b1b20f74a20de95 Mon Sep 17 00:00:00 2001 +From: Richard Fitzgerald +Date: Wed, 28 Feb 2018 10:31:10 +0000 +Subject: ASoC: wm_adsp: For TLV controls only register TLV get/set + +From: Richard Fitzgerald + +commit d7789f5bcdb298c4a302db471b1b20f74a20de95 upstream. + +Normal 512-byte get/set of a TLV isn't supported but we were +registering the normal get/set anyway and relying on omitting +the SNDRV_CTL_ELEM_ACCESS_[READ|WRITE] flags to prevent them +being called. + +Trouble is if this gets broken in the core ALSA code - as it has +been since at least 4.14 - the standard get/set can be called +unexpectedly and corrupt memory. + +There's no point providing functions that won't be called and +it's a trivial change. The benefit is that if the ALSA core gets +broken again we get a big fat immediate NULL dereference instead +of a memory corruption timebomb. + +Signed-off-by: Richard Fitzgerald +Signed-off-by: Mark Brown +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm_adsp.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/sound/soc/codecs/wm_adsp.c ++++ b/sound/soc/codecs/wm_adsp.c +@@ -1204,12 +1204,14 @@ static int wmfw_add_ctl(struct wm_adsp * + kcontrol->put = wm_coeff_put_acked; + break; + default: +- kcontrol->get = wm_coeff_get; +- kcontrol->put = wm_coeff_put; +- +- ctl->bytes_ext.max = ctl->len; +- ctl->bytes_ext.get = wm_coeff_tlv_get; +- ctl->bytes_ext.put = wm_coeff_tlv_put; ++ if (kcontrol->access & SNDRV_CTL_ELEM_ACCESS_TLV_CALLBACK) { ++ ctl->bytes_ext.max = ctl->len; ++ ctl->bytes_ext.get = wm_coeff_tlv_get; ++ ctl->bytes_ext.put = wm_coeff_tlv_put; ++ } else { ++ kcontrol->get = wm_coeff_get; ++ kcontrol->put = wm_coeff_put; ++ } + break; + } + diff --git a/queue-4.14/dm-mpath-fix-passing-integrity-data.patch b/queue-4.14/dm-mpath-fix-passing-integrity-data.patch new file mode 100644 index 00000000000..e4253f73b66 --- /dev/null 
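Review bot: In the `default:` case of wmfw_add_ctl, the TLV branch now leaves `kcontrol->get` and `kcontrol->put` unset on purpose, but nothing in the code says so, and a later cleanup could easily "restore" them. A comment on that branch would record the intent, for example `/* TLV control: leave get/put NULL so a stray non-TLV access faults instead of corrupting memory */`. The fail-safe also assumes `kcontrol` was zero-initialised when allocated; the allocation is outside this hunk, so that should be confirmed. wmfw_add_ctl starts and ends outside the hunk.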
+++ b/queue-4.14/dm-mpath-fix-passing-integrity-data.patch @@ -0,0 +1,45 @@ +From 8c5c147339d2e201108169327b1f99aa6d57d2cd Mon Sep 17 00:00:00 2001 +From: Steffen Maier +Date: Wed, 14 Mar 2018 15:33:06 +0100 +Subject: dm mpath: fix passing integrity data + +From: Steffen Maier + +commit 8c5c147339d2e201108169327b1f99aa6d57d2cd upstream. + +After v4.12 commit e2460f2a4bc7 ("dm: mark targets that pass integrity +data"), dm-multipath, e.g. on DIF+DIX SCSI disk paths, does not support +block integrity any more. So add it to the whitelist. + +This is also a pre-requisite to use block integrity with other dm layer(s) +on top of multipath, such as kpartx partitions (dm-linear) or LVM. + +Also, bump target version to reflect this fix. + +Fixes: e2460f2a4bc7 ("dm: mark targets that pass integrity data") +Cc: #4.12+ +Bisected-by: Fedor Loshakov +Signed-off-by: Steffen Maier +Reviewed-by: Hannes Reinecke +Reviewed-by: Martin K. Petersen +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1941,8 +1941,9 @@ static int multipath_busy(struct dm_targ + *---------------------------------------------------------------*/ + static struct target_type multipath_target = { + .name = "multipath", +- .version = {1, 12, 0}, +- .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE, ++ .version = {1, 13, 0}, ++ .features = DM_TARGET_SINGLETON | DM_TARGET_IMMUTABLE | ++ DM_TARGET_PASSES_INTEGRITY, + .module = THIS_MODULE, + .ctr = multipath_ctr, + .dtr = multipath_dtr, diff --git a/queue-4.14/earlycon-add-reg-offset-to-physical-address-before-mapping.patch b/queue-4.14/earlycon-add-reg-offset-to-physical-address-before-mapping.patch new file mode 100644 index 00000000000..a652ee27213 --- /dev/null +++ b/queue-4.14/earlycon-add-reg-offset-to-physical-address-before-mapping.patch 
@@ -0,0 +1,41 @@ +From 1f66dd36bb18437397ea0d7882c52f7e3c476e15 Mon Sep 17 00:00:00 2001 +From: Greentime Hu +Date: Tue, 13 Feb 2018 17:09:08 +0800 +Subject: earlycon: add reg-offset to physical address before mapping + +From: Greentime Hu + +commit 1f66dd36bb18437397ea0d7882c52f7e3c476e15 upstream. + +It will get the wrong virtual address because port->mapbase is not added +the correct reg-offset yet. We have to update it before earlycon_map() +is called + +Signed-off-by: Greentime Hu +Acked-by: Arnd Bergmann +Cc: Peter Hurley +Cc: stable@vger.kernel.org +Fixes: 088da2a17619 ("of: earlycon: Initialize port fields from DT properties") +Acked-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/earlycon.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/earlycon.c ++++ b/drivers/tty/serial/earlycon.c +@@ -253,11 +253,12 @@ int __init of_setup_earlycon(const struc + } + port->mapbase = addr; + port->uartclk = BASE_BAUD * 16; +- port->membase = earlycon_map(port->mapbase, SZ_4K); + + val = of_get_flat_dt_prop(node, "reg-offset", NULL); + if (val) + port->mapbase += be32_to_cpu(*val); ++ port->membase = earlycon_map(port->mapbase, SZ_4K); ++ + val = of_get_flat_dt_prop(node, "reg-shift", NULL); + if (val) + port->regshift = be32_to_cpu(*val); diff --git a/queue-4.14/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch b/queue-4.14/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch new file mode 100644 index 00000000000..56e799313e7 --- /dev/null +++ b/queue-4.14/serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch 
@@ -0,0 +1,41 @@ +From 9f2068f35729948bde84d87a40d135015911345d Mon Sep 17 00:00:00 2001 +From: Nikola Ciprich +Date: Tue, 13 Feb 2018 15:04:46 +0100 +Subject: serial: 8250_pci: Add Brainboxes UC-260 4 port serial device + +From: Nikola Ciprich + +commit 9f2068f35729948bde84d87a40d135015911345d upstream. + +Add PCI ids for two variants of Brainboxes UC-260 quad port +PCI serial cards. + +Suggested-by: Andy Shevchenko +Signed-off-by: Nikola Ciprich +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_pci.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/serial/8250/8250_pci.c ++++ b/drivers/tty/serial/8250/8250_pci.c +@@ -4701,6 +4701,17 @@ static const struct pci_device_id serial + PCI_ANY_ID, PCI_ANY_ID, 0, 0, /* 135a.0dc0 */ + pbn_b2_4_115200 }, + /* ++ * BrainBoxes UC-260 ++ */ ++ { PCI_VENDOR_ID_INTASHIELD, 0x0D21, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ { PCI_VENDOR_ID_INTASHIELD, 0x0E34, ++ PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_COMMUNICATION_MULTISERIAL << 8, 0xffff00, ++ pbn_b2_4_115200 }, ++ /* + * Perle PCI-RAS cards + */ + { PCI_VENDOR_ID_PLX, PCI_DEVICE_ID_PLX_9030, diff --git a/queue-4.14/serial-core-mark-port-as-initialized-in-autoconfig.patch b/queue-4.14/serial-core-mark-port-as-initialized-in-autoconfig.patch new file mode 100644 index 00000000000..e5d32bd9336 --- /dev/null +++ b/queue-4.14/serial-core-mark-port-as-initialized-in-autoconfig.patch 
@@ -0,0 +1,41 @@ +From 714569064adee3c114a2a6490735b94abe269068 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Sat, 3 Feb 2018 12:27:23 +0100 +Subject: serial: core: mark port as initialized in autoconfig + +From: Sebastian Andrzej Siewior + +commit 714569064adee3c114a2a6490735b94abe269068 upstream. + +This is a followup on 44117a1d1732 ("serial: core: mark port as +initialized after successful IRQ change"). +Nikola has been using autoconfig via setserial and reported a crash +similar to what I fixed in the earlier mentioned commit. Here I do the +same fixup for the autoconfig. I wasn't sure that this is the right +approach. Nikola confirmed that it fixes his crash. + +Fixes: b3b576461864 ("tty: serial_core: convert uart_open to use tty_port_open") +Link: http://lkml.kernel.org/r/20180131072000.GD1853@localhost.localdomain +Reported-by: Nikola Ciprich +Tested-by: Nikola Ciprich +Cc: +Signed-off-by: Sebastian Andrzej Siewior +Tested-by: Nikola Ciprich +Acked-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/serial_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -1157,6 +1157,8 @@ static int uart_do_autoconfig(struct tty + uport->ops->config_port(uport, flags); + + ret = uart_startup(tty, state, 1); ++ if (ret == 0) ++ tty_port_set_initialized(port, true); + if (ret > 0) + ret = 0; + } diff --git a/queue-4.14/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch b/queue-4.14/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch new file mode 100644 index 00000000000..dce223b4b4b --- /dev/null +++ b/queue-4.14/serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch 
@@ -0,0 +1,49 @@ +From 7842055bfce4bf0170d0f61df8b2add8399697be Mon Sep 17 00:00:00 2001 +From: Ulrich Hecht +Date: Thu, 15 Feb 2018 13:02:27 +0100 +Subject: serial: sh-sci: prevent lockup on full TTY buffers + +From: Ulrich Hecht + +commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream. + +When the TTY buffers fill up to the configured maximum, a system lockup +occurs: + +[ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks: +[ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1 +[ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126) +[ 598.838755] Task dump for CPU 0: +[ 598.841977] swapper/0 R running task 0 0 0 0x00000022 +[ 598.849023] Call trace: +[ 598.851476] __switch_to+0x98/0xb0 +[ 598.854870] (null) + +This can be prevented by doing a dummy read of the RX data register. + +This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0; +reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms +as well. + +Reported-by: Yoshihiro Shimoda +Signed-off-by: Ulrich Hecht +Reviewed-by: Geert Uytterhoeven +Cc: stable +Tested-by: Nguyen Viet Dung +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/sh-sci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/tty/serial/sh-sci.c ++++ b/drivers/tty/serial/sh-sci.c +@@ -886,6 +886,8 @@ static void sci_receive_chars(struct uar + /* Tell the rest of the system the news. New characters! */ + tty_flip_buffer_push(tport); + } else { ++ /* TTY buffers full; read from RX reg to prevent lockup */ ++ serial_port_in(port, SCxRDR); + serial_port_in(port, SCxSR); /* dummy read */ + sci_clear_SCxSR(port, SCxSR_RDxF_CLEAR(port)); + } diff --git a/queue-4.14/series b/queue-4.14/series index 76f2a0cf42e..68173fd4545 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -1,3 +1,25 @@ net-phy-fix-resume-handling.patch net-phy-restore-phy_resume-locking-assumption.patch x86-treat-r_x86_64_plt32-as-r_x86_64_pc32.patch +asoc-sun4i-i2s-fix-rx-slot-number-of-sun8i.patch +asoc-sgtl5000-fix-suspend-resume.patch +asoc-wm_adsp-for-tlv-controls-only-register-tlv-get-set.patch +asoc-rt5651-fix-regcache-sync-errors-on-resume.patch +usb-host-xhci-rcar-add-support-for-r8a77965.patch +xhci-fix-front-usb-ports-on-asus-prime-b350m-a.patch +xhci-fix-endpoint-context-tracer-output.patch +serial-sh-sci-prevent-lockup-on-full-tty-buffers.patch +tty-serial-atmel-add-new-version-check-for-usart.patch +uas-fix-comparison-for-error-code.patch +staging-comedi-fix-comedi_nsamples_left.patch +staging-android-ashmem-fix-lockdep-issue-during-llseek.patch +usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch +usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch +usb-quirks-add-control-message-delay-for-1b1c-1b20.patch +usb-usbmon-read-text-within-supplied-buffer-size.patch +usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch +usb-dwc3-fix-lock-up-on-id-change-during-system-suspend-resume.patch +serial-8250_pci-add-brainboxes-uc-260-4-port-serial-device.patch +serial-core-mark-port-as-initialized-in-autoconfig.patch +earlycon-add-reg-offset-to-physical-address-before-mapping.patch +dm-mpath-fix-passing-integrity-data.patch diff --git a/queue-4.14/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch b/queue-4.14/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch new file mode 100644 index 00000000000..20cad11213b --- /dev/null +++ b/queue-4.14/staging-android-ashmem-fix-lockdep-issue-during-llseek.patch 
@@ -0,0 +1,88 @@ +From cb57469c9573f6018cd1302953dd45d6e05aba7b Mon Sep 17 00:00:00 2001 +From: Joel Fernandes +Date: Fri, 16 Feb 2018 11:02:01 -0800 +Subject: staging: android: ashmem: Fix lockdep issue during llseek + +From: Joel Fernandes + +commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream. + +ashmem_mutex create a chain of dependencies like so: + +(1) +mmap syscall -> + mmap_sem -> (acquired) + ashmem_mmap + ashmem_mutex (try to acquire) + (block) + +(2) +llseek syscall -> + ashmem_llseek -> + ashmem_mutex -> (acquired) + inode_lock -> + inode->i_rwsem (try to acquire) + (block) + +(3) +getdents -> + iterate_dir -> + inode_lock -> + inode->i_rwsem (acquired) + copy_to_user -> + mmap_sem (try to acquire) + +There is a lock ordering created between mmap_sem and inode->i_rwsem +causing a lockdep splat [2] during a syzcaller test, this patch fixes +the issue by unlocking the mutex earlier. Functionally that's Ok since +we don't need to protect vfs_llseek. + +[1] https://patchwork.kernel.org/patch/10185031/ +[2] https://lkml.org/lkml/2018/1/10/48 + +Acked-by: Todd Kjos +Cc: Arve Hjonnevag +Cc: stable@vger.kernel.org +Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com +Signed-off-by: Joel Fernandes +Acked-by: Greg Hackmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -334,24 +334,23 @@ static loff_t ashmem_llseek(struct file + mutex_lock(&ashmem_mutex); + + if (asma->size == 0) { +- ret = -EINVAL; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EINVAL; + } + + if (!asma->file) { +- ret = -EBADF; +- goto out; ++ mutex_unlock(&ashmem_mutex); ++ return -EBADF; + } + ++ mutex_unlock(&ashmem_mutex); ++ + ret = vfs_llseek(asma->file, offset, origin); + if (ret < 0) +- goto out; ++ return ret; + + /** Copy f_pos from backing file, since f_ops->llseek() sets 
it */ + file->f_pos = asma->file->f_pos; +- +-out: +- mutex_unlock(&ashmem_mutex); + return ret; + } + diff --git a/queue-4.14/staging-comedi-fix-comedi_nsamples_left.patch b/queue-4.14/staging-comedi-fix-comedi_nsamples_left.patch new file mode 100644 index 00000000000..38e80f4e7fe --- /dev/null +++ b/queue-4.14/staging-comedi-fix-comedi_nsamples_left.patch @@ -0,0 +1,34 @@ +From a42ae5905140c324362fe5036ae1dbb16e4d359c Mon Sep 17 00:00:00 2001 +From: Frank Mori Hess +Date: Thu, 15 Feb 2018 15:13:42 -0500 +Subject: staging: comedi: fix comedi_nsamples_left. + +From: Frank Mori Hess + +commit a42ae5905140c324362fe5036ae1dbb16e4d359c upstream. + +A rounding error was causing comedi_nsamples_left to +return the wrong value when nsamples was not a multiple +of the scan length. + +Cc: # v4.4+ +Signed-off-by: Frank Mori Hess +Reviewed-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/staging/comedi/drivers.c ++++ b/drivers/staging/comedi/drivers.c +@@ -484,8 +484,7 @@ unsigned int comedi_nsamples_left(struct + struct comedi_cmd *cmd = &async->cmd; + + if (cmd->stop_src == TRIG_COUNT) { +- unsigned int nscans = nsamples / cmd->scan_end_arg; +- unsigned int scans_left = __comedi_nscans_left(s, nscans); ++ unsigned int scans_left = __comedi_nscans_left(s, cmd->stop_arg); + unsigned int scan_pos = + comedi_bytes_to_samples(s, async->scan_progress); + unsigned long long samples_left = 0; diff --git a/queue-4.14/tty-serial-atmel-add-new-version-check-for-usart.patch b/queue-4.14/tty-serial-atmel-add-new-version-check-for-usart.patch new file mode 100644 index 00000000000..00bdb50eb41 --- /dev/null +++ b/queue-4.14/tty-serial-atmel-add-new-version-check-for-usart.patch 
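Review bot: After the new early `mutex_unlock(&ashmem_mutex)` in ashmem_llseek, `asma->file` is dereferenced twice with no lock held (the `vfs_llseek()` call and the `f_pos` copy), so the change is only safe if `asma->file` is never cleared or replaced once it has been set while this file is open. That invariant is not visible in the hunk and should be stated at the unlock, for example `/* asma->file is set once and stays valid until release, so it may be used unlocked */`, after confirming it holds. The `f_pos` copy also no longer runs under the mutex, so two concurrent seeks on the same file can presumably interleave between `vfs_llseek()` and the copy. The function's opening lines are outside the hunk.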
@@ -0,0 +1,33 @@ +From fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 Mon Sep 17 00:00:00 2001 +From: Jonas Danielsson +Date: Mon, 29 Jan 2018 12:39:15 +0100 +Subject: tty/serial: atmel: add new version check for usart + +From: Jonas Danielsson + +commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream. + +On our at91sam9260 based board the usart0 and usart1 ports report +their versions (ATMEL_US_VERSION) as 0x10302. This version is not +included in the current checks in the driver. + +Signed-off-by: Jonas Danielsson +Acked-by: Richard Genoud +Acked-by: Nicolas Ferre +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -1763,6 +1763,7 @@ static void atmel_get_ip_name(struct uar + switch (version) { + case 0x302: + case 0x10213: ++ case 0x10302: + dev_dbg(port->dev, "This version is usart\n"); + atmel_port->has_frac_baudrate = true; + atmel_port->has_hw_timer = true; diff --git a/queue-4.14/uas-fix-comparison-for-error-code.patch b/queue-4.14/uas-fix-comparison-for-error-code.patch new file mode 100644 index 00000000000..bdaedf8b846 --- /dev/null +++ b/queue-4.14/uas-fix-comparison-for-error-code.patch 
@@ -0,0 +1,32 @@ +From 9a513c905bb95bef79d96feb08621c1ec8d8c4bb Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 6 Mar 2018 15:04:24 +0100 +Subject: uas: fix comparison for error code + +From: Oliver Neukum + +commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream. + +A typo broke the comparison. + +Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset") +Signed-off-by: Oliver Neukum +CC: stable@kernel.org +Acked-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -1076,7 +1076,7 @@ static int uas_post_reset(struct usb_int + return 0; + + err = uas_configure_endpoints(devinfo); +- if (err && err != ENODEV) ++ if (err && err != -ENODEV) + shost_printk(KERN_ERR, shost, + "%s: alloc streams error %d after reset", + __func__, err); diff --git a/queue-4.14/usb-dwc3-fix-lock-up-on-id-change-during-system-suspend-resume.patch b/queue-4.14/usb-dwc3-fix-lock-up-on-id-change-during-system-suspend-resume.patch new file mode 100644 index 00000000000..160dfe035d8 --- /dev/null +++ b/queue-4.14/usb-dwc3-fix-lock-up-on-id-change-during-system-suspend-resume.patch 
@@ -0,0 +1,44 @@ +From 084a804e01205bcd74cd0849bc72cb5c88f8e648 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Tue, 27 Feb 2018 12:41:41 +0200 +Subject: usb: dwc3: Fix lock-up on ID change during system suspend/resume + +From: Roger Quadros + +commit 084a804e01205bcd74cd0849bc72cb5c88f8e648 upstream. + +To reproduce the lock up do the following +- connect otg host adapter and a USB device to the dual-role port +so that it is in host mode. +- suspend to mem. +- disconnect otg adapter. +- resume the system. + +If we call dwc3_host_exit() before tasks are thawed +xhci_plat_remove() seems to lock up at the second usb_remove_hcd() call. + +To work around this we queue the _dwc3_set_mode() work on +the system_freezable_wq. + +Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly") +Cc: # v4.12+ +Suggested-by: Manu Gautam +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -186,7 +186,7 @@ void dwc3_set_mode(struct dwc3 *dwc, u32 + dwc->desired_dr_role = mode; + spin_unlock_irqrestore(&dwc->lock, flags); + +- queue_work(system_power_efficient_wq, &dwc->drd_work); ++ queue_work(system_freezable_wq, &dwc->drd_work); + } + + u32 dwc3_core_fifo_space(struct dwc3_ep *dep, u8 type) diff --git a/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch b/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch new file mode 100644 index 00000000000..5947305fa17 --- /dev/null +++ b/queue-4.14/usb-gadget-f_fs-fix-use-after-free-in-ffs_fs_kill_sb.patch 
@@ -0,0 +1,84 @@ +From 1a087f032111a88e826877449dfb93ceb22b78b9 Mon Sep 17 00:00:00 2001 +From: Xinyong +Date: Fri, 2 Mar 2018 19:20:07 +0800 +Subject: usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() + +From: Xinyong + +commit 1a087f032111a88e826877449dfb93ceb22b78b9 upstream. + +When I debug a kernel crash issue in funcitonfs, found ffs_data.ref +overflowed, While functionfs is unmounting, ffs_data is put twice. + +Commit 43938613c6fd ("drivers, usb: convert ffs_data.ref from atomic_t to +refcount_t") can avoid refcount overflow, but that is risk some situations. +So no need put ffs data in ffs_fs_kill_sb, already put in ffs_data_closed. + +The issue can be reproduced in Mediatek mt6763 SoC, ffs for ADB device. +KASAN enabled configuration reports use-after-free errro. + +BUG: KASAN: use-after-free in refcount_dec_and_test+0x14/0xe0 at addr ffffffc0579386a0 +Read of size 4 by task umount/4650 +==================================================== +BUG kmalloc-512 (Tainted: P W O ): kasan: bad access detected +----------------------------------------------------------------------------- + +INFO: Allocated in ffs_fs_mount+0x194/0x844 age=22856 cpu=2 pid=566 + alloc_debug_processing+0x1ac/0x1e8 + ___slab_alloc.constprop.63+0x640/0x648 + __slab_alloc.isra.57.constprop.62+0x24/0x34 + kmem_cache_alloc_trace+0x1a8/0x2bc + ffs_fs_mount+0x194/0x844 + mount_fs+0x6c/0x1d0 + vfs_kern_mount+0x50/0x1b4 + do_mount+0x258/0x1034 +INFO: Freed in ffs_data_put+0x25c/0x320 age=0 cpu=3 pid=4650 + free_debug_processing+0x22c/0x434 + __slab_free+0x2d8/0x3a0 + kfree+0x254/0x264 + ffs_data_put+0x25c/0x320 + ffs_data_closed+0x124/0x15c + ffs_fs_kill_sb+0xb8/0x110 + deactivate_locked_super+0x6c/0x98 + deactivate_super+0xb0/0xbc +INFO: Object 0xffffffc057938600 @offset=1536 fp=0x (null) +...... 
+Call trace: +[] dump_backtrace+0x0/0x250 +[] show_stack+0x14/0x1c +[] dump_stack+0xa0/0xc8 +[] print_trailer+0x158/0x260 +[] object_err+0x3c/0x40 +[] kasan_report_error+0x2a8/0x754 +[] kasan_report+0x5c/0x60 +[] __asan_load4+0x70/0x88 +[] refcount_dec_and_test+0x14/0xe0 +[] ffs_data_put+0x80/0x320 +[] ffs_fs_kill_sb+0xc8/0x110 +[] deactivate_locked_super+0x6c/0x98 +[] deactivate_super+0xb0/0xbc +[] cleanup_mnt+0x64/0xec +[] __cleanup_mnt+0x10/0x18 +[] task_work_run+0xcc/0x124 +[] do_notify_resume+0x60/0x70 +[] work_pending+0x10/0x14 + +Cc: stable@vger.kernel.org +Signed-off-by: Xinyong +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1539,7 +1539,6 @@ ffs_fs_kill_sb(struct super_block *sb) + if (sb->s_fs_info) { + ffs_release_dev(sb->s_fs_info); + ffs_data_closed(sb->s_fs_info); +- ffs_data_put(sb->s_fs_info); + } + } + diff --git a/queue-4.14/usb-host-xhci-rcar-add-support-for-r8a77965.patch b/queue-4.14/usb-host-xhci-rcar-add-support-for-r8a77965.patch new file mode 100644 index 00000000000..a69a5423952 --- /dev/null +++ b/queue-4.14/usb-host-xhci-rcar-add-support-for-r8a77965.patch 
@@ -0,0 +1,45 @@ +From 015dbeb2282030bf56762e21d25f09422edfd750 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 27 Feb 2018 17:15:20 +0900 +Subject: usb: host: xhci-rcar: add support for r8a77965 + +From: Yoshihiro Shimoda + +commit 015dbeb2282030bf56762e21d25f09422edfd750 upstream. + +This patch adds support for r8a77965 (R-Car M3-N). + +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Simon Horman +Reviewed-by: Rob Herring +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/usb/usb-xhci.txt | 1 + + drivers/usb/host/xhci-rcar.c | 4 ++++ + 2 files changed, 5 insertions(+) + +--- a/Documentation/devicetree/bindings/usb/usb-xhci.txt ++++ b/Documentation/devicetree/bindings/usb/usb-xhci.txt +@@ -12,6 +12,7 @@ Required properties: + - "renesas,xhci-r8a7793" for r8a7793 SoC + - "renesas,xhci-r8a7795" for r8a7795 SoC + - "renesas,xhci-r8a7796" for r8a7796 SoC ++ - "renesas,xhci-r8a77965" for r8a77965 SoC + - "renesas,rcar-gen2-xhci" for a generic R-Car Gen2 compatible device + - "renesas,rcar-gen3-xhci" for a generic R-Car Gen3 compatible device + - "xhci-platform" (deprecated) +--- a/drivers/usb/host/xhci-rcar.c ++++ b/drivers/usb/host/xhci-rcar.c +@@ -86,6 +86,10 @@ static const struct soc_device_attribute + .soc_id = "r8a7796", + .data = (void *)RCAR_XHCI_FIRMWARE_V3, + }, ++ { ++ .soc_id = "r8a77965", ++ .data = (void *)RCAR_XHCI_FIRMWARE_V3, ++ }, + { /* sentinel */ }, + }; + diff --git a/queue-4.14/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch b/queue-4.14/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch new file mode 100644 index 00000000000..238372aec0e --- /dev/null +++ b/queue-4.14/usb-quirks-add-control-message-delay-for-1b1c-1b20.patch 
@@ -0,0 +1,85 @@
+From cb88a0588717ba6c756cb5972d75766b273a6817 Mon Sep 17 00:00:00 2001
+From: Danilo Krummrich
+Date: Tue, 6 Mar 2018 09:38:49 +0100
+Subject: usb: quirks: add control message delay for 1b1c:1b20
+
+From: Danilo Krummrich
+
+commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream.
+
+Corsair Strafe RGB keyboard does not respond to usb control messages
+sometimes and hence generates timeouts.
+
+Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair
+Strafe RGB keyboard") tried to fix those timeouts by adding
+USB_QUIRK_DELAY_INIT.
+
+Unfortunately, even with this quirk timeouts of usb_control_msg()
+can still be seen, but with a lower frequency (approx. 1 out of 15):
+
+[ 29.103520] usb 1-8: string descriptor 0 read error: -110
+[ 34.363097] usb 1-8: can't set config #1, error -110
+
+Adding further delays to different locations where usb control
+messages are issued just moves the timeouts to other locations,
+e.g.:
+
+[ 35.400533] usbhid 1-8:1.0: can't add hid device: -110
+[ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110
+
+The only way to reliably avoid those issues is having a pause after
+each usb control message. In approx. 200 boot cycles no more timeouts
+were seen.
+
+Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary
+to have the delay in hub_port_connect() after hub_port_init().
+
+The overall boot time seems not to be influenced by these additional
+delays, even on fast machines and lightweight distributions.
+
+Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard")
+Cc: stable@vger.kernel.org
+Signed-off-by: Danilo Krummrich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/message.c | 4 ++++
+ drivers/usb/core/quirks.c | 3 ++-
+ include/linux/usb/quirks.h | 3 +++
+ 3 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -150,6 +150,10 @@ int usb_control_msg(struct usb_device *d
+
+ ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+
++ /* Linger a bit, prior to the next control message. */
++ if (dev->quirks & USB_QUIRK_DELAY_CTRL_MSG)
++ msleep(200);
++
+ kfree(dr);
+
+ return ret;
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -229,7 +229,8 @@ static const struct usb_device_id usb_qu
+ { USB_DEVICE(0x1b1c, 0x1b13), .driver_info = USB_QUIRK_DELAY_INIT },
+
+ /* Corsair Strafe RGB */
+- { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
++ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
+
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -57,4 +57,7 @@
+ */
+ #define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
+
++/* Device needs a pause after every control message. */
++#define USB_QUIRK_DELAY_CTRL_MSG BIT(13)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
diff --git a/queue-4.14/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch b/queue-4.14/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch
new file mode 100644
index 00000000000..093b7b79ad6
--- /dev/null
+++ b/queue-4.14/usb-storage-add-jmicron-bridge-152d-2567-to-unusual_devs.h.patch
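Review bot: `USB_QUIRK_DELAY_CTRL_MSG` is defined as `BIT(13)` directly after `USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)` in the include/linux/usb/quirks.h hunk, so bit 12 is skipped with nothing in this tree saying why. Presumably the value is kept identical to upstream, but that cannot be confirmed from the hunk. A one-line comment above the define, such as `/* BIT(12) is intentionally left unused in this tree */`, would stop a later backport from reusing the bit by accident.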
@@ -0,0 +1,38 @@
+From 5126a504b63d82785eaece3a9c30c660b313785a Mon Sep 17 00:00:00 2001
+From: Teijo Kinnunen
+Date: Thu, 1 Mar 2018 19:34:29 +0200
+Subject: USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
+
+From: Teijo Kinnunen
+
+commit 5126a504b63d82785eaece3a9c30c660b313785a upstream.
+
+This USB-SATA controller seems to be similar with JMicron bridge
+152d:2566 already on the list. Adding it here fixes "Invalid
+field in cdb" errors.
+
+Signed-off-by: Teijo Kinnunen
+Cc: stable@vger.kernel.org
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/unusual_devs.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2137,6 +2137,13 @@ UNUSUAL_DEV( 0x152d, 0x2566, 0x0114, 0x
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+ US_FL_BROKEN_FUA ),
+
++/* Reported by Teijo Kinnunen */
++UNUSUAL_DEV( 0x152d, 0x2567, 0x0117, 0x0117,
++ "JMicron",
++ "USB to ATA/ATAPI Bridge",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_BROKEN_FUA ),
++
+ /* Reported-by George Cherian */
+ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x9999,
+ "JMicron",
diff --git a/queue-4.14/usb-usbmon-read-text-within-supplied-buffer-size.patch b/queue-4.14/usb-usbmon-read-text-within-supplied-buffer-size.patch
new file mode 100644
index 00000000000..9c38aaa3081
--- /dev/null
+++ b/queue-4.14/usb-usbmon-read-text-within-supplied-buffer-size.patch
@@ -0,0 +1,183 @@
+From a5f596830e27e15f7a0ecd6be55e433d776986d8 Mon Sep 17 00:00:00 2001
+From: Pete Zaitcev
+Date: Fri, 9 Mar 2018 00:21:14 -0600
+Subject: usb: usbmon: Read text within supplied buffer size
+
+From: Pete Zaitcev
+
+commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream.
+
+This change fixes buffer overflows and silent data corruption with the
+usbmon device driver text file read operations.
+
+Signed-off-by: Fredrik Noring
+Signed-off-by: Pete Zaitcev
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/mon/mon_text.c | 124 +++++++++++++++++++++++++++------------------
+ 1 file changed, 77 insertions(+), 47 deletions(-)
+
+--- a/drivers/usb/mon/mon_text.c
++++ b/drivers/usb/mon/mon_text.c
+@@ -85,6 +85,8 @@ struct mon_reader_text {
+
+ wait_queue_head_t wait;
+ int printf_size;
++ size_t printf_offset;
++ size_t printf_togo;
+ char *printf_buf;
+ struct mutex printf_lock;
+
+@@ -376,75 +378,103 @@ err_alloc:
+ return rc;
+ }
+
+-/*
+- * For simplicity, we read one record in one system call and throw out
+- * what does not fit. This means that the following does not work:
+- * dd if=/dbg/usbmon/0t bs=10
+- * Also, we do not allow seeks and do not bother advancing the offset.
+- */
++static ssize_t mon_text_copy_to_user(struct mon_reader_text *rp,
++ char __user * const buf, const size_t nbytes)
++{
++ const size_t togo = min(nbytes, rp->printf_togo);
++
++ if (copy_to_user(buf, &rp->printf_buf[rp->printf_offset], togo))
++ return -EFAULT;
++ rp->printf_togo -= togo;
++ rp->printf_offset += togo;
++ return togo;
++}
++
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_t(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+-
+- mon_text_read_head_t(rp, &ptr, ep);
+- mon_text_read_statset(rp, &ptr, ep);
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_t(rp, &ptr, ep);
++ mon_text_read_statset(rp, &ptr, ep);
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
++ }
++
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
++/* ppos is not advanced since the llseek operation is not permitted. */
+ static ssize_t mon_text_read_u(struct file *file, char __user *buf,
+- size_t nbytes, loff_t *ppos)
++ size_t nbytes, loff_t *ppos)
+ {
+ struct mon_reader_text *rp = file->private_data;
+ struct mon_event_text *ep;
+ struct mon_text_ptr ptr;
++ ssize_t ret;
+
+- ep = mon_text_read_wait(rp, file);
+- if (IS_ERR(ep))
+- return PTR_ERR(ep);
+ mutex_lock(&rp->printf_lock);
+- ptr.cnt = 0;
+- ptr.pbuf = rp->printf_buf;
+- ptr.limit = rp->printf_size;
+
+- mon_text_read_head_u(rp, &ptr, ep);
+- if (ep->type == 'E') {
+- mon_text_read_statset(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
+- mon_text_read_isostat(rp, &ptr, ep);
+- mon_text_read_isodesc(rp, &ptr, ep);
+- } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
+- mon_text_read_intstat(rp, &ptr, ep);
+- } else {
+- mon_text_read_statset(rp, &ptr, ep);
++ if (rp->printf_togo == 0) {
++
++ ep = mon_text_read_wait(rp, file);
++ if (IS_ERR(ep)) {
++ mutex_unlock(&rp->printf_lock);
++ return PTR_ERR(ep);
++ }
++ ptr.cnt = 0;
++ ptr.pbuf = rp->printf_buf;
++ ptr.limit = rp->printf_size;
++
++ mon_text_read_head_u(rp, &ptr, ep);
++ if (ep->type == 'E') {
++ mon_text_read_statset(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_ISOC) {
++ mon_text_read_isostat(rp, &ptr, ep);
++ mon_text_read_isodesc(rp, &ptr, ep);
++ } else if (ep->xfertype == USB_ENDPOINT_XFER_INT) {
++ mon_text_read_intstat(rp, &ptr, ep);
++ } else {
++ mon_text_read_statset(rp, &ptr, ep);
++ }
++ ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
++ " %d", ep->length);
++ mon_text_read_data(rp, &ptr, ep);
++
++ rp->printf_togo = ptr.cnt;
++ rp->printf_offset = 0;
++
++ kmem_cache_free(rp->e_slab, ep);
+ }
+- ptr.cnt += snprintf(ptr.pbuf + ptr.cnt, ptr.limit - ptr.cnt,
+- " %d", ep->length);
+- mon_text_read_data(rp, &ptr, ep);
+
+- if (copy_to_user(buf, rp->printf_buf, ptr.cnt))
+- ptr.cnt = -EFAULT;
++ ret = mon_text_copy_to_user(rp, buf, nbytes);
+ mutex_unlock(&rp->printf_lock);
+- kmem_cache_free(rp->e_slab, ep);
+- return ptr.cnt;
++ return ret;
+ }
+
+ static struct mon_event_text *mon_text_read_wait(struct mon_reader_text *rp,
diff --git a/queue-4.14/usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch b/queue-4.14/usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch
new file mode 100644
index 00000000000..ac5555787c1
--- /dev/null
+++ b/queue-4.14/usbip-vudc-fix-null-pointer-dereference-on-udc-lock.patch
@@ -0,0 +1,44 @@
+From df3334c223a033f562645712e832ca4cbb326bbf Mon Sep 17 00:00:00 2001
+From: Colin Ian King
+Date: Thu, 22 Feb 2018 17:39:17 +0000
+Subject: usbip: vudc: fix null pointer dereference on udc->lock
+
+From: Colin Ian King
+
+commit df3334c223a033f562645712e832ca4cbb326bbf upstream.
+
+Currently the driver attempts to spin lock on udc->lock before a NULL
+pointer check is performed on udc, hence there is a potential null
+pointer dereference on udc->lock. Fix this by moving the null check
+on udc before the lock occurs.
+
+Fixes: ea6873a45a22 ("usbip: vudc: Add SysFS infrastructure for VUDC")
+Signed-off-by: Colin Ian King
+Acked-by: Shuah Khan
+Reviewed-by: Krzysztof Opasiak
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/vudc_sysfs.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -117,10 +117,14 @@ static ssize_t store_sockfd(struct devic
+ if (rv != 0)
+ return -EINVAL;
+
++ if (!udc) {
++ dev_err(dev, "no device");
++ return -ENODEV;
++ }
+ spin_lock_irqsave(&udc->lock, flags);
+ /* Don't export what we don't have */
+- if (!udc || !udc->driver || !udc->pullup) {
+- dev_err(dev, "no device or gadget not bound");
++ if (!udc->driver || !udc->pullup) {
++ dev_err(dev, "gadget not bound");
+ ret = -ENODEV;
+ goto unlock;
+ }
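Review bot: `rp->printf_togo = ptr.cnt;` in mon_text_read_t() and mon_text_read_u() stores the accumulated snprintf() result without bounding it by `rp->printf_size`. snprintf() returns the length the output would have had, so if any formatting step truncates, `ptr.cnt` can exceed the buffer and mon_text_copy_to_user() would then copy kernel memory from beyond `printf_buf` to the caller. The formatting helpers are outside this hunk, so whether truncation is reachable cannot be confirmed here. Clamping costs one line in each function: `rp->printf_togo = min_t(size_t, ptr.cnt, rp->printf_size);`.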
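Review bot: Both `dev_err()` calls in the store_sockfd() hunk pass a message with no trailing newline (`"no device"` and `"gadget not bound"`), which goes against the usual kernel log convention and can let the next message run onto the same line. Writing them as `dev_err(dev, "no device\n");` and `dev_err(dev, "gadget not bound\n");` keeps each entry terminated. store_sockfd() starts and ends outside the hunk, so where `udc` comes from is not visible here.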
diff --git a/queue-4.14/xhci-fix-endpoint-context-tracer-output.patch b/queue-4.14/xhci-fix-endpoint-context-tracer-output.patch
new file mode 100644
index 00000000000..c4bc6261d10
--- /dev/null
+++ b/queue-4.14/xhci-fix-endpoint-context-tracer-output.patch
@@ -0,0 +1,70 @@
+From 97ef0faf575e03b352553f92c9430cb4c0431436 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman
+Date: Thu, 8 Mar 2018 17:17:14 +0200
+Subject: xhci: fix endpoint context tracer output
+
+From: Mathias Nyman
+
+commit 97ef0faf575e03b352553f92c9430cb4c0431436 upstream.
+
+Fix incorrent values showed for max Primary stream and
+Linear stream array (LSA) values in the endpoint context
+decoder.
+
+Fixes: 19a7d0d65c4a ("usb: host: xhci: add Slot and EP Context tracers")
+Cc: # v4.12+
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.h | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -728,11 +728,12 @@ struct xhci_ep_ctx {
+ /* bits 10:14 are Max Primary Streams */
+ /* bit 15 is Linear Stream Array */
+ /* Interval - period between requests to an endpoint - 125u increments. */
+-#define EP_INTERVAL(p) (((p) & 0xff) << 16)
+-#define EP_INTERVAL_TO_UFRAMES(p) (1 << (((p) >> 16) & 0xff))
+-#define CTX_TO_EP_INTERVAL(p) (((p) >> 16) & 0xff)
+-#define EP_MAXPSTREAMS_MASK (0x1f << 10)
+-#define EP_MAXPSTREAMS(p) (((p) << 10) & EP_MAXPSTREAMS_MASK)
++#define EP_INTERVAL(p) (((p) & 0xff) << 16)
++#define EP_INTERVAL_TO_UFRAMES(p) (1 << (((p) >> 16) & 0xff))
++#define CTX_TO_EP_INTERVAL(p) (((p) >> 16) & 0xff)
++#define EP_MAXPSTREAMS_MASK (0x1f << 10)
++#define EP_MAXPSTREAMS(p) (((p) << 10) & EP_MAXPSTREAMS_MASK)
++#define CTX_TO_EP_MAXPSTREAMS(p) (((p) & EP_MAXPSTREAMS_MASK) >> 10)
+ /* Endpoint is set up with a Linear Stream Array (vs. Secondary Stream Array) */
+ #define EP_HAS_LSA (1 << 15)
+ /* hosts with LEC=1 use bits 31:24 as ESIT high bits. */
+@@ -2540,21 +2541,22 @@ static inline const char *xhci_decode_ep
+ u8 burst;
+ u8 cerr;
+ u8 mult;
+- u8 lsa;
+- u8 hid;
++
++ bool lsa;
++ bool hid;
+
+ esit = CTX_TO_MAX_ESIT_PAYLOAD_HI(info) << 16 |
+ CTX_TO_MAX_ESIT_PAYLOAD(tx_info);
+
+ ep_state = info & EP_STATE_MASK;
+- max_pstr = info & EP_MAXPSTREAMS_MASK;
++ max_pstr = CTX_TO_EP_MAXPSTREAMS(info);
+ interval = CTX_TO_EP_INTERVAL(info);
+ mult = CTX_TO_EP_MULT(info) + 1;
+- lsa = info & EP_HAS_LSA;
++ lsa = !!(info & EP_HAS_LSA);
+
+ cerr = (info2 & (3 << 1)) >> 1;
+ ep_type = CTX_TO_EP_TYPE(info2);
+- hid = info2 & (1 << 7);
++ hid = !!(info2 & (1 << 7));
+ burst = CTX_TO_MAX_BURST(info2);
+ maxp = MAX_PACKET_DECODED(info2);
+
diff --git a/queue-4.14/xhci-fix-front-usb-ports-on-asus-prime-b350m-a.patch b/queue-4.14/xhci-fix-front-usb-ports-on-asus-prime-b350m-a.patch
new file mode 100644
index 00000000000..b8c1c5c7cac
--- /dev/null
+++ b/queue-4.14/xhci-fix-front-usb-ports-on-asus-prime-b350m-a.patch
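Review bot: `hid = !!(info2 & (1 << 7));` in the xhci_decode_ep_context hunk still tests a bare bit, while the `lsa` line next to it uses the named `EP_HAS_LSA` mask. A named mask for bit 7 of `info2`, placed with the other endpoint-context macros, would make the decoder read uniformly, for example `#define EP_HAS_HID (1 << 7)` (the name is a suggestion, not an existing macro). The `(3 << 1)` in the `cerr` line is the same kind of literal. The function body starts and ends outside the hunk.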
@@ -0,0 +1,64 @@
+From 191edc5e2e515aab1075a3f0ef23599e80be5f59 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng
+Date: Thu, 8 Mar 2018 17:17:17 +0200
+Subject: xhci: Fix front USB ports on ASUS PRIME B350M-A
+
+From: Kai-Heng Feng
+
+commit 191edc5e2e515aab1075a3f0ef23599e80be5f59 upstream.
+
+When a USB device gets plugged on ASUS PRIME B350M-A's front ports, the
+xHC stops working:
+[ 549.114587] xhci_hcd 0000:02:00.0: WARN: xHC CMD_RUN timeout
+[ 549.114608] suspend_common(): xhci_pci_suspend+0x0/0xc0 returns -110
+[ 549.114638] xhci_hcd 0000:02:00.0: can't suspend (hcd_pci_runtime_suspend returned -110)
+
+Delay before running xHC command CMD_RUN can workaround the issue.
+
+Use a new quirk to make the delay only targets to the affected xHC.
+
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: Mathias Nyman
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-pci.c | 3 +++
+ drivers/usb/host/xhci.c | 3 +++
+ drivers/usb/host/xhci.h | 1 +
+ 3 files changed, 7 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -134,6 +134,9 @@ static void xhci_pci_quirks(struct devic
+ if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info())
+ xhci->quirks |= XHCI_AMD_PLL_FIX;
+
++ if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb)
++ xhci->quirks |= XHCI_SUSPEND_DELAY;
++
+ if (pdev->vendor == PCI_VENDOR_ID_AMD)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -887,6 +887,9 @@ int xhci_suspend(struct xhci_hcd *xhci,
+ clear_bit(HCD_FLAG_POLL_RH, &xhci->shared_hcd->flags);
+ del_timer_sync(&xhci->shared_hcd->rh_timer);
+
++ if (xhci->quirks & XHCI_SUSPEND_DELAY)
++ usleep_range(1000, 1500);
++
+ spin_lock_irq(&xhci->lock);
+ clear_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags);
+ clear_bit(HCD_FLAG_HW_ACCESSIBLE, &xhci->shared_hcd->flags);
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -1830,6 +1830,7 @@ struct xhci_hcd {
+ #define XHCI_LIMIT_ENDPOINT_INTERVAL_7 (1 << 26)
+ /* Reserved. It was XHCI_U2_DISABLE_WAKE */
+ #define XHCI_ASMEDIA_MODIFY_FLOWCONTROL (1 << 28)
++#define XHCI_SUSPEND_DELAY (1 << 30)
+
+ unsigned int num_active_eps;
+ unsigned int limit_active_eps;
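Review bot: The check `pdev->device == 0x43bb` in the xhci_pci_quirks() hunk uses a bare PCI device ID with no comment saying which controller it identifies. Going by the commit message it is the xHC behind the front ports of the ASUS PRIME B350M-A, so a comment above the check such as `/* xHC on ASUS PRIME B350M-A: CMD_RUN times out on suspend without a short delay */` would record that in the code. The `usleep_range(1000, 1500)` added to xhci_suspend() would benefit from the same one-line rationale. Both functions extend outside their hunks.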