From: Greg Kroah-Hartman Date: Fri, 2 Feb 2018 10:42:23 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.115~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eeabf61c48ed766431a5fda391cdbb360cd2e51f;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: android-binder-remove-waitqueue-when-thread-exits.patch android-binder-use-vm_alloc-to-get-vm-area.patch cdc-acm-apply-quirk-for-card-reader.patch iio-adc-stm32-fix-scan-of-multiple-channels-with-dma.patch iio-chemical-ccs811-fix-output-of-iio_concentration-channels.patch input-synaptics-rmi4-do-not-delete-interrupt-memory-too-early.patch input-synaptics-rmi4-unmask-f03-interrupts-when-port-is-opened.patch mei-me-allow-runtime-pm-for-platform-with-d0i3.patch serial-8250_of-fix-return-code-when-probe-function-fails-to-get-reset.patch serial-8250_uniphier-fix-error-return-code-in-uniphier_uart_probe.patch serial-imx-only-wakeup-via-rtsden-bit-if-the-system-has-rts-cts.patch spi-imx-do-not-access-registers-while-clocks-disabled.patch staging-ccree-fix-fips-event-irq-handling-build.patch staging-ccree-nullify-backup_info-when-unused.patch staging-lustre-separate-a-connection-destroy-from-free-struct-kib_conn.patch test_firmware-fix-missing-unlock-on-error-in-config_num_requests_store.patch tty-fix-data-race-between-tty_init_dev-and-flush-of-buf.patch usb-cdc-acm-do-not-log-urb-submission-errors-on-disconnect.patch usb-f_fs-prevent-gadget-unbind-if-it-is-already-unbound.patch usb-gadget-fix-high-bandwidth-check-in-usb_gadget_ep_match_desc.patch usb-option-add-support-for-fs040u-modem.patch usb-serial-io_edgeport-fix-possible-sleep-in-atomic.patch usb-serial-pl2303-new-device-id-for-chilitag.patch usb-serial-simple-add-motorola-tetra-driver.patch usb-uas-unconditionally-bring-back-host-after-reset.patch usbip-list-don-t-list-devices-attached-to-vhci_hcd.patch usbip-prevent-bind-loops-on-devices-attached-to-vhci_hcd.patch x86-efi-clarify-that-reset-attack-mitigation-needs-appropriate-userspace.patch --- diff --git a/queue-4.14/android-binder-remove-waitqueue-when-thread-exits.patch b/queue-4.14/android-binder-remove-waitqueue-when-thread-exits.patch new file mode 100644 index 00000000000..9b3f6942b8d --- /dev/null +++ b/queue-4.14/android-binder-remove-waitqueue-when-thread-exits.patch @@ -0,0 +1,49 @@ +From f5cb779ba16334b45ba8946d6bfa6d9834d1527f Mon Sep 17 00:00:00 2001 +From: Martijn Coenen +Date: Fri, 5 Jan 2018 11:27:07 +0100 +Subject: ANDROID: binder: remove waitqueue when thread exits. + +From: Martijn Coenen + +commit f5cb779ba16334b45ba8946d6bfa6d9834d1527f upstream. + +binder_poll() passes the thread->wait waitqueue that +can be slept on for work. When a thread that uses +epoll explicitly exits using BINDER_THREAD_EXIT, +the waitqueue is freed, but it is never removed +from the corresponding epoll data structure. When +the process subsequently exits, the epoll cleanup +code tries to access the waitlist, which results in +a use-after-free. + +Prevent this by using POLLFREE when the thread exits. + +Signed-off-by: Martijn Coenen +Reported-by: syzbot +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4302,6 +4302,18 @@ static int binder_thread_release(struct + if (t) + spin_lock(&t->lock); + } ++ ++ /* ++ * If this thread used poll, make sure we remove the waitqueue ++ * from any epoll data structures holding it with POLLFREE. ++ * waitqueue_active() is safe to use here because we're holding ++ * the inner lock. ++ */ ++ if ((thread->looper & BINDER_LOOPER_STATE_POLL) && ++ waitqueue_active(&thread->wait)) { ++ wake_up_poll(&thread->wait, POLLHUP | POLLFREE); ++ } ++ + binder_inner_proc_unlock(thread->proc); + + if (send_reply) diff --git a/queue-4.14/android-binder-use-vm_alloc-to-get-vm-area.patch b/queue-4.14/android-binder-use-vm_alloc-to-get-vm-area.patch new file mode 100644 index 00000000000..11183f188bd --- /dev/null +++ b/queue-4.14/android-binder-use-vm_alloc-to-get-vm-area.patch @@ -0,0 +1,52 @@ +From aac6830ec1cb681544212838911cdc57f2638216 Mon Sep 17 00:00:00 2001 +From: Ganesh Mahendran +Date: Wed, 10 Jan 2018 10:49:05 +0800 +Subject: android: binder: use VM_ALLOC to get vm area + +From: Ganesh Mahendran + +commit aac6830ec1cb681544212838911cdc57f2638216 upstream. + +VM_IOREMAP is used to access hardware through a mechanism called +I/O mapped memory. Android binder is a IPC machanism which will +not access I/O memory. + +And VM_IOREMAP has alignment requiement which may not needed in +binder. + __get_vm_area_node() + { + ... + if (flags & VM_IOREMAP) + align = 1ul << clamp_t(int, fls_long(size), + PAGE_SHIFT, IOREMAP_MAX_ORDER); + ... + } + +This patch will save some kernel vm area, especially for 32bit os. + +In 32bit OS, kernel vm area is only 240MB. We may got below +error when launching a app: + +<3>[ 4482.440053] binder_alloc: binder_alloc_mmap_handler: 15728 8ce67000-8cf65000 get_vm_area failed -12 +<3>[ 4483.218817] binder_alloc: binder_alloc_mmap_handler: 15745 8ce67000-8cf65000 get_vm_area failed -12 + +Signed-off-by: Ganesh Mahendran +Acked-by: Martijn Coenen +Acked-by: Todd Kjos +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -668,7 +668,7 @@ int binder_alloc_mmap_handler(struct bin + goto err_already_mapped; + } + +- area = get_vm_area(vma->vm_end - vma->vm_start, VM_IOREMAP); ++ area = get_vm_area(vma->vm_end - vma->vm_start, VM_ALLOC); + if (area == NULL) { + ret = -ENOMEM; + failure_string = "get_vm_area"; diff --git a/queue-4.14/cdc-acm-apply-quirk-for-card-reader.patch b/queue-4.14/cdc-acm-apply-quirk-for-card-reader.patch new file mode 100644 index 00000000000..b1bc3ed4263 --- /dev/null +++ b/queue-4.14/cdc-acm-apply-quirk-for-card-reader.patch @@ -0,0 +1,31 @@ +From df1cc78a52491f71d8170d513d0f6f114faa1bda Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 18 Jan 2018 12:13:45 +0100 +Subject: CDC-ACM: apply quirk for card reader + +From: Oliver Neukum + +commit df1cc78a52491f71d8170d513d0f6f114faa1bda upstream. + +This devices drops random bytes from messages if you talk to it +too fast. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1765,6 +1765,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x0ace, 0x1611), /* ZyDAS 56K USB MODEM - new version */ + .driver_info = SINGLE_RX_URB, /* firmware bug */ + }, ++ { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */ ++ .driver_info = SINGLE_RX_URB, ++ }, + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, diff --git a/queue-4.14/iio-adc-stm32-fix-scan-of-multiple-channels-with-dma.patch b/queue-4.14/iio-adc-stm32-fix-scan-of-multiple-channels-with-dma.patch new file mode 100644 index 00000000000..066e5c1fae7 --- /dev/null +++ b/queue-4.14/iio-adc-stm32-fix-scan-of-multiple-channels-with-dma.patch @@ -0,0 +1,44 @@ +From 04e491ca9df60ffe8637d00d68e5ab8bc73b30d5 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Fri, 5 Jan 2018 15:34:54 +0100 +Subject: iio: adc: stm32: fix scan of multiple channels with DMA + +From: Fabrice Gasnier + +commit 04e491ca9df60ffe8637d00d68e5ab8bc73b30d5 upstream. + +By default, watermark is set to '1'. Watermark is used to fine tune +cyclic dma buffer period. In case watermark is left untouched (e.g. 1) +and several channels are being scanned, buffer period is wrongly set +(e.g. to 1 sample). As a consequence, data is never pushed to upper layer. +Fix buffer period size, by taking scan channels number into account. + +Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support") + +Signed-off-by: Fabrice Gasnier +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/stm32-adc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/stm32-adc.c ++++ b/drivers/iio/adc/stm32-adc.c +@@ -1314,6 +1314,7 @@ static int stm32_adc_set_watermark(struc + { + struct stm32_adc *adc = iio_priv(indio_dev); + unsigned int watermark = STM32_DMA_BUFFER_SIZE / 2; ++ unsigned int rx_buf_sz = STM32_DMA_BUFFER_SIZE; + + /* + * dma cyclic transfers are used, buffer is split into two periods. +@@ -1322,7 +1323,7 @@ static int stm32_adc_set_watermark(struc + * - one buffer (period) driver can push with iio_trigger_poll(). + */ + watermark = min(watermark, val * (unsigned)(sizeof(u16))); +- adc->rx_buf_sz = watermark * 2; ++ adc->rx_buf_sz = min(rx_buf_sz, watermark * 2 * adc->num_conv); + + return 0; + } diff --git a/queue-4.14/iio-chemical-ccs811-fix-output-of-iio_concentration-channels.patch b/queue-4.14/iio-chemical-ccs811-fix-output-of-iio_concentration-channels.patch new file mode 100644 index 00000000000..efd59e3e802 --- /dev/null +++ b/queue-4.14/iio-chemical-ccs811-fix-output-of-iio_concentration-channels.patch @@ -0,0 +1,69 @@ +From 8f114acd4e1a9cfa05b70bcc4219bc88197b5c9b Mon Sep 17 00:00:00 2001 +From: Narcisa Ana Maria Vasile +Date: Wed, 6 Dec 2017 18:57:58 +0200 +Subject: iio: chemical: ccs811: Fix output of IIO_CONCENTRATION channels + +From: Narcisa Ana Maria Vasile + +commit 8f114acd4e1a9cfa05b70bcc4219bc88197b5c9b upstream. + +in_concentration_raw should report, according to sysfs-bus-iio documentation, +a "Raw (unscaled no offset etc.) percentage reading of a substance." + +Modify scale to convert from ppm/ppb to percentage: +1 ppm = 0.0001% +1 ppb = 0.0000001% + +There is no offset needed to convert the ppm/ppb to percentage, +so remove offset from IIO_CONCENTRATION (IIO_MOD_CO2) channel. + +Cc'd stable to reduce chance of userspace breakage in the long +run as we fix this wrong bit of ABI usage. + +Signed-off-by: Narcisa Ana Maria Vasile +Reviewed-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/chemical/ccs811.c | 13 +++---------- + 1 file changed, 3 insertions(+), 10 deletions(-) + +--- a/drivers/iio/chemical/ccs811.c ++++ b/drivers/iio/chemical/ccs811.c +@@ -91,7 +91,6 @@ static const struct iio_chan_spec ccs811 + .channel2 = IIO_MOD_CO2, + .modified = 1, + .info_mask_separate = BIT(IIO_CHAN_INFO_RAW) | +- BIT(IIO_CHAN_INFO_OFFSET) | + BIT(IIO_CHAN_INFO_SCALE), + .scan_index = 0, + .scan_type = { +@@ -245,24 +244,18 @@ static int ccs811_read_raw(struct iio_de + switch (chan->channel2) { + case IIO_MOD_CO2: + *val = 0; +- *val2 = 12834; ++ *val2 = 100; + return IIO_VAL_INT_PLUS_MICRO; + case IIO_MOD_VOC: + *val = 0; +- *val2 = 84246; +- return IIO_VAL_INT_PLUS_MICRO; ++ *val2 = 100; ++ return IIO_VAL_INT_PLUS_NANO; + default: + return -EINVAL; + } + default: + return -EINVAL; + } +- case IIO_CHAN_INFO_OFFSET: +- if (!(chan->type == IIO_CONCENTRATION && +- chan->channel2 == IIO_MOD_CO2)) +- return -EINVAL; +- *val = -400; +- return IIO_VAL_INT; + default: + return -EINVAL; + } diff --git a/queue-4.14/input-synaptics-rmi4-do-not-delete-interrupt-memory-too-early.patch b/queue-4.14/input-synaptics-rmi4-do-not-delete-interrupt-memory-too-early.patch new file mode 100644 index 00000000000..0f84f98df40 --- /dev/null +++ b/queue-4.14/input-synaptics-rmi4-do-not-delete-interrupt-memory-too-early.patch @@ -0,0 +1,53 @@ +From a1ab69021a584d952e6548a44b93760547b1b6b5 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Wed, 17 Jan 2018 16:18:27 -0800 +Subject: Input: synaptics-rmi4 - do not delete interrupt memory too early + +From: Dmitry Torokhov + +commit a1ab69021a584d952e6548a44b93760547b1b6b5 upstream. + +We want to free memory reserved for interrupt mask handling only after we +free functions, as function drivers might want to mask interrupts. This is +needed for the followup patch to the F03 that would implement unmasking and +masking interrupts from the serio pass-through port open() and close() +methods. + +Reviewed-by: Lyude Paul +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/rmi4/rmi_driver.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/input/rmi4/rmi_driver.c ++++ b/drivers/input/rmi4/rmi_driver.c +@@ -41,6 +41,13 @@ void rmi_free_function_list(struct rmi_d + + rmi_dbg(RMI_DEBUG_CORE, &rmi_dev->dev, "Freeing function list\n"); + ++ /* Doing it in the reverse order so F01 will be removed last */ ++ list_for_each_entry_safe_reverse(fn, tmp, ++ &data->function_list, node) { ++ list_del(&fn->node); ++ rmi_unregister_function(fn); ++ } ++ + devm_kfree(&rmi_dev->dev, data->irq_memory); + data->irq_memory = NULL; + data->irq_status = NULL; +@@ -50,13 +57,6 @@ void rmi_free_function_list(struct rmi_d + + data->f01_container = NULL; + data->f34_container = NULL; +- +- /* Doing it in the reverse order so F01 will be removed last */ +- list_for_each_entry_safe_reverse(fn, tmp, +- &data->function_list, node) { +- list_del(&fn->node); +- rmi_unregister_function(fn); +- } + } + + static int reset_one_function(struct rmi_function *fn) diff --git a/queue-4.14/input-synaptics-rmi4-unmask-f03-interrupts-when-port-is-opened.patch b/queue-4.14/input-synaptics-rmi4-unmask-f03-interrupts-when-port-is-opened.patch new file mode 100644 index 00000000000..c8b88432aa1 --- /dev/null +++ b/queue-4.14/input-synaptics-rmi4-unmask-f03-interrupts-when-port-is-opened.patch @@ -0,0 +1,155 @@ +From 6abe534f0776d2437c8302f58d8eb5abd483e926 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Wed, 17 Jan 2018 15:46:18 -0800 +Subject: Input: synaptics-rmi4 - unmask F03 interrupts when port is opened + +From: Dmitry Torokhov + +commit 6abe534f0776d2437c8302f58d8eb5abd483e926 upstream. + +Currently we register the pass-through serio port when we probe the F03 RMI +function, and then, in sensor configure phase, we unmask interrupts. +Unfortunately this is too late, as other drivers are free probe devices +attached to the serio port as soon as it is probed. Because interrupts are +masked, the IO times out, which may result in not being able to detect +trackpoints on the pass-through port. + +To fix the issue we implement open() and close() methods for the +pass-through serio port and unmask interrupts from there. We also move +creation of the pass-through port form probe to configure stage, as RMI +driver does not enable transport interrupt until all functions are probed +(we should change this, but this is a separate topic). + +We also try to clear the pending data before unmasking interrupts, because +some devices like to spam the system with multiple 0xaa 0x00 announcements, +which may interfere with us trying to query ID of the device. + +Fixes: c5e8848fc98e ("Input: synaptics-rmi4 - add support for F03") +Reviewed-by: Lyude Paul +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/rmi4/rmi_f03.c | 64 ++++++++++++++++++++++++++++++++++++------- + 1 file changed, 54 insertions(+), 10 deletions(-) + +--- a/drivers/input/rmi4/rmi_f03.c ++++ b/drivers/input/rmi4/rmi_f03.c +@@ -32,6 +32,7 @@ struct f03_data { + struct rmi_function *fn; + + struct serio *serio; ++ bool serio_registered; + + unsigned int overwrite_buttons; + +@@ -138,6 +139,37 @@ static int rmi_f03_initialize(struct f03 + return 0; + } + ++static int rmi_f03_pt_open(struct serio *serio) ++{ ++ struct f03_data *f03 = serio->port_data; ++ struct rmi_function *fn = f03->fn; ++ const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE; ++ const u16 data_addr = fn->fd.data_base_addr + RMI_F03_OB_OFFSET; ++ u8 obs[RMI_F03_QUEUE_LENGTH * RMI_F03_OB_SIZE]; ++ int error; ++ ++ /* ++ * Consume any pending data. Some devices like to spam with ++ * 0xaa 0x00 announcements which may confuse us as we try to ++ * probe the device. ++ */ ++ error = rmi_read_block(fn->rmi_dev, data_addr, &obs, ob_len); ++ if (!error) ++ rmi_dbg(RMI_DEBUG_FN, &fn->dev, ++ "%s: Consumed %*ph (%d) from PS2 guest\n", ++ __func__, ob_len, obs, ob_len); ++ ++ return fn->rmi_dev->driver->set_irq_bits(fn->rmi_dev, fn->irq_mask); ++} ++ ++static void rmi_f03_pt_close(struct serio *serio) ++{ ++ struct f03_data *f03 = serio->port_data; ++ struct rmi_function *fn = f03->fn; ++ ++ fn->rmi_dev->driver->clear_irq_bits(fn->rmi_dev, fn->irq_mask); ++} ++ + static int rmi_f03_register_pt(struct f03_data *f03) + { + struct serio *serio; +@@ -148,6 +180,8 @@ static int rmi_f03_register_pt(struct f0 + + serio->id.type = SERIO_PS_PSTHRU; + serio->write = rmi_f03_pt_write; ++ serio->open = rmi_f03_pt_open; ++ serio->close = rmi_f03_pt_close; + serio->port_data = f03; + + strlcpy(serio->name, "Synaptics RMI4 PS/2 pass-through", +@@ -184,17 +218,27 @@ static int rmi_f03_probe(struct rmi_func + f03->device_count); + + dev_set_drvdata(dev, f03); +- +- error = rmi_f03_register_pt(f03); +- if (error) +- return error; +- + return 0; + } + + static int rmi_f03_config(struct rmi_function *fn) + { +- fn->rmi_dev->driver->set_irq_bits(fn->rmi_dev, fn->irq_mask); ++ struct f03_data *f03 = dev_get_drvdata(&fn->dev); ++ int error; ++ ++ if (!f03->serio_registered) { ++ error = rmi_f03_register_pt(f03); ++ if (error) ++ return error; ++ ++ f03->serio_registered = true; ++ } else { ++ /* ++ * We must be re-configuring the sensor, just enable ++ * interrupts for this function. ++ */ ++ fn->rmi_dev->driver->set_irq_bits(fn->rmi_dev, fn->irq_mask); ++ } + + return 0; + } +@@ -204,7 +248,7 @@ static int rmi_f03_attention(struct rmi_ + struct rmi_device *rmi_dev = fn->rmi_dev; + struct rmi_driver_data *drvdata = dev_get_drvdata(&rmi_dev->dev); + struct f03_data *f03 = dev_get_drvdata(&fn->dev); +- u16 data_addr = fn->fd.data_base_addr; ++ const u16 data_addr = fn->fd.data_base_addr + RMI_F03_OB_OFFSET; + const u8 ob_len = f03->rx_queue_length * RMI_F03_OB_SIZE; + u8 obs[RMI_F03_QUEUE_LENGTH * RMI_F03_OB_SIZE]; + u8 ob_status; +@@ -226,8 +270,7 @@ static int rmi_f03_attention(struct rmi_ + drvdata->attn_data.size -= ob_len; + } else { + /* Grab all of the data registers, and check them for data */ +- error = rmi_read_block(fn->rmi_dev, data_addr + RMI_F03_OB_OFFSET, +- &obs, ob_len); ++ error = rmi_read_block(fn->rmi_dev, data_addr, &obs, ob_len); + if (error) { + dev_err(&fn->dev, + "%s: Failed to read F03 output buffers: %d\n", +@@ -266,7 +309,8 @@ static void rmi_f03_remove(struct rmi_fu + { + struct f03_data *f03 = dev_get_drvdata(&fn->dev); + +- serio_unregister_port(f03->serio); ++ if (f03->serio_registered) ++ serio_unregister_port(f03->serio); + } + + struct rmi_function_handler rmi_f03_handler = { diff --git a/queue-4.14/mei-me-allow-runtime-pm-for-platform-with-d0i3.patch b/queue-4.14/mei-me-allow-runtime-pm-for-platform-with-d0i3.patch new file mode 100644 index 00000000000..07ad765ef86 --- /dev/null +++ b/queue-4.14/mei-me-allow-runtime-pm-for-platform-with-d0i3.patch @@ -0,0 +1,45 @@ +From cc365dcf0e56271bedf3de95f88922abe248e951 Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Tue, 2 Jan 2018 12:01:41 +0200 +Subject: mei: me: allow runtime pm for platform with D0i3 + +From: Tomas Winkler + +commit cc365dcf0e56271bedf3de95f88922abe248e951 upstream. + +>From the pci power documentation: +"The driver itself should not call pm_runtime_allow(), though. Instead, +it should let user space or some platform-specific code do that (user space +can do it via sysfs as stated above)..." + +However, the S0ix residency cannot be reached without MEI device getting +into low power state. Hence, for mei devices that support D0i3, it's better +to make runtime power management mandatory and not rely on the system +integration such as udev rules. +This policy cannot be applied globally as some older platforms +were found to have broken power management. + +Cc: Rafael J. Wysocki +Signed-off-by: Tomas Winkler +Reviewed-by: Alexander Usyskin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/pci-me.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -238,8 +238,11 @@ static int mei_me_probe(struct pci_dev * + */ + mei_me_set_pm_domain(dev); + +- if (mei_pg_is_enabled(dev)) ++ if (mei_pg_is_enabled(dev)) { + pm_runtime_put_noidle(&pdev->dev); ++ if (hw->d0i3_supported) ++ pm_runtime_allow(&pdev->dev); ++ } + + dev_dbg(&pdev->dev, "initialization successful.\n"); + diff --git a/queue-4.14/serial-8250_of-fix-return-code-when-probe-function-fails-to-get-reset.patch b/queue-4.14/serial-8250_of-fix-return-code-when-probe-function-fails-to-get-reset.patch new file mode 100644 index 00000000000..548defb91be --- /dev/null +++ b/queue-4.14/serial-8250_of-fix-return-code-when-probe-function-fails-to-get-reset.patch @@ -0,0 +1,40 @@ +From b9820a31691b771db37afe2054dd3d3a680c1eed Mon Sep 17 00:00:00 2001 +From: Masahiro Yamada +Date: Wed, 27 Dec 2017 14:21:05 +0900 +Subject: serial: 8250_of: fix return code when probe function fails to get reset + +From: Masahiro Yamada + +commit b9820a31691b771db37afe2054dd3d3a680c1eed upstream. + +The error pointer from devm_reset_control_get_optional_shared() is +not propagated. + +One of the most common problem scenarios is it returns -EPROBE_DEFER +when the reset controller has not probed yet. In this case, the +probe of the reset consumer should be deferred. + +Fixes: e2860e1f62f2 ("serial: 8250_of: Add reset support") +Signed-off-by: Masahiro Yamada +Reviewed-by: Philipp Zabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_of.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_of.c ++++ b/drivers/tty/serial/8250/8250_of.c +@@ -141,8 +141,11 @@ static int of_platform_serial_setup(stru + } + + info->rst = devm_reset_control_get_optional_shared(&ofdev->dev, NULL); +- if (IS_ERR(info->rst)) ++ if (IS_ERR(info->rst)) { ++ ret = PTR_ERR(info->rst); + goto err_dispose; ++ } ++ + ret = reset_control_deassert(info->rst); + if (ret) + goto err_dispose; diff --git a/queue-4.14/serial-8250_uniphier-fix-error-return-code-in-uniphier_uart_probe.patch b/queue-4.14/serial-8250_uniphier-fix-error-return-code-in-uniphier_uart_probe.patch new file mode 100644 index 00000000000..de879e6d3c0 --- /dev/null +++ b/queue-4.14/serial-8250_uniphier-fix-error-return-code-in-uniphier_uart_probe.patch @@ -0,0 +1,39 @@ +From 7defa77d2baca4d6eb85234f10f38ab618332e75 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Thu, 4 Jan 2018 07:42:15 +0000 +Subject: serial: 8250_uniphier: fix error return code in uniphier_uart_probe() + +From: Wei Yongjun + +commit 7defa77d2baca4d6eb85234f10f38ab618332e75 upstream. + +Fix to return a negative error code from the port register error +handling case instead of 0, as done elsewhere in this function. + +Fixes: 39be40ce066d ("serial: 8250_uniphier: fix serial port index in private data") +Signed-off-by: Wei Yongjun +Acked-by: Masahiro Yamada +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_uniphier.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_uniphier.c ++++ b/drivers/tty/serial/8250/8250_uniphier.c +@@ -259,12 +259,13 @@ static int uniphier_uart_probe(struct pl + up.dl_read = uniphier_serial_dl_read; + up.dl_write = uniphier_serial_dl_write; + +- priv->line = serial8250_register_8250_port(&up); +- if (priv->line < 0) { ++ ret = serial8250_register_8250_port(&up); ++ if (ret < 0) { + dev_err(dev, "failed to register 8250 port\n"); + clk_disable_unprepare(priv->clk); + return ret; + } ++ priv->line = ret; + + platform_set_drvdata(pdev, priv); + diff --git a/queue-4.14/serial-imx-only-wakeup-via-rtsden-bit-if-the-system-has-rts-cts.patch b/queue-4.14/serial-imx-only-wakeup-via-rtsden-bit-if-the-system-has-rts-cts.patch new file mode 100644 index 00000000000..dc2c543c27e --- /dev/null +++ b/queue-4.14/serial-imx-only-wakeup-via-rtsden-bit-if-the-system-has-rts-cts.patch @@ -0,0 +1,46 @@ +From 38b1f0fb42f772b8c9aac53593883a18ff5eb9d7 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Thu, 4 Jan 2018 15:58:34 -0200 +Subject: serial: imx: Only wakeup via RTSDEN bit if the system has RTS/CTS + +From: Fabio Estevam + +commit 38b1f0fb42f772b8c9aac53593883a18ff5eb9d7 upstream. + +The wakeup mechanism via RTSDEN bit relies on the system using the RTS/CTS +lines, so only allow such wakeup method when the system actually has +RTS/CTS support. + +Fixes: bc85734b126f ("serial: imx: allow waking up on RTSD") +Signed-off-by: Fabio Estevam +Reviewed-by: Martin Kaiser +Acked-by: Fugang Duan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -2275,12 +2275,14 @@ static void serial_imx_enable_wakeup(str + val &= ~UCR3_AWAKEN; + writel(val, sport->port.membase + UCR3); + +- val = readl(sport->port.membase + UCR1); +- if (on) +- val |= UCR1_RTSDEN; +- else +- val &= ~UCR1_RTSDEN; +- writel(val, sport->port.membase + UCR1); ++ if (sport->have_rtscts) { ++ val = readl(sport->port.membase + UCR1); ++ if (on) ++ val |= UCR1_RTSDEN; ++ else ++ val &= ~UCR1_RTSDEN; ++ writel(val, sport->port.membase + UCR1); ++ } + } + + static int imx_serial_port_suspend_noirq(struct device *dev) diff --git a/queue-4.14/series b/queue-4.14/series index f9b51496e3f..7cc6242c3da 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -126,3 +126,31 @@ usb-gadget-don-t-dereference-g-until-after-it-has-been-null-checked.patch staging-rtl8188eu-fix-incorrect-response-to-siocgiwessid.patch drm-vc4-move-irq-enable-to-pm-path.patch kvm-x86-emulate-ud-while-in-guest-mode.patch +staging-lustre-separate-a-connection-destroy-from-free-struct-kib_conn.patch +staging-ccree-nullify-backup_info-when-unused.patch +staging-ccree-fix-fips-event-irq-handling-build.patch +tty-fix-data-race-between-tty_init_dev-and-flush-of-buf.patch +usb-option-add-support-for-fs040u-modem.patch +usb-serial-pl2303-new-device-id-for-chilitag.patch +usb-cdc-acm-do-not-log-urb-submission-errors-on-disconnect.patch +cdc-acm-apply-quirk-for-card-reader.patch +usb-serial-io_edgeport-fix-possible-sleep-in-atomic.patch +usbip-prevent-bind-loops-on-devices-attached-to-vhci_hcd.patch +usbip-list-don-t-list-devices-attached-to-vhci_hcd.patch +usb-serial-simple-add-motorola-tetra-driver.patch +usb-f_fs-prevent-gadget-unbind-if-it-is-already-unbound.patch +usb-uas-unconditionally-bring-back-host-after-reset.patch +usb-gadget-fix-high-bandwidth-check-in-usb_gadget_ep_match_desc.patch +android-binder-remove-waitqueue-when-thread-exits.patch +android-binder-use-vm_alloc-to-get-vm-area.patch +mei-me-allow-runtime-pm-for-platform-with-d0i3.patch +serial-8250_of-fix-return-code-when-probe-function-fails-to-get-reset.patch +serial-8250_uniphier-fix-error-return-code-in-uniphier_uart_probe.patch +serial-imx-only-wakeup-via-rtsden-bit-if-the-system-has-rts-cts.patch +spi-imx-do-not-access-registers-while-clocks-disabled.patch +iio-adc-stm32-fix-scan-of-multiple-channels-with-dma.patch +iio-chemical-ccs811-fix-output-of-iio_concentration-channels.patch +test_firmware-fix-missing-unlock-on-error-in-config_num_requests_store.patch +input-synaptics-rmi4-unmask-f03-interrupts-when-port-is-opened.patch +input-synaptics-rmi4-do-not-delete-interrupt-memory-too-early.patch +x86-efi-clarify-that-reset-attack-mitigation-needs-appropriate-userspace.patch diff --git a/queue-4.14/spi-imx-do-not-access-registers-while-clocks-disabled.patch b/queue-4.14/spi-imx-do-not-access-registers-while-clocks-disabled.patch new file mode 100644 index 00000000000..60bbd659e3c --- /dev/null +++ b/queue-4.14/spi-imx-do-not-access-registers-while-clocks-disabled.patch @@ -0,0 +1,51 @@ +From d593574aff0ab846136190b1729c151c736727ec Mon Sep 17 00:00:00 2001 +From: Stefan Agner +Date: Sun, 7 Jan 2018 15:05:49 +0100 +Subject: spi: imx: do not access registers while clocks disabled + +From: Stefan Agner + +commit d593574aff0ab846136190b1729c151c736727ec upstream. + +Since clocks are disabled except during message transfer clocks +are also disabled when spi_imx_remove gets called. Accessing +registers leads to a freeeze at least on a i.MX 6ULL. Enable +clocks before disabling accessing the MXC_CSPICTRL register. + +Fixes: 9e556dcc55774 ("spi: spi-imx: only enable the clocks when we start to transfer a message") +Signed-off-by: Stefan Agner +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-imx.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-imx.c ++++ b/drivers/spi/spi-imx.c +@@ -1496,12 +1496,23 @@ static int spi_imx_remove(struct platfor + { + struct spi_master *master = platform_get_drvdata(pdev); + struct spi_imx_data *spi_imx = spi_master_get_devdata(master); ++ int ret; + + spi_bitbang_stop(&spi_imx->bitbang); + ++ ret = clk_enable(spi_imx->clk_per); ++ if (ret) ++ return ret; ++ ++ ret = clk_enable(spi_imx->clk_ipg); ++ if (ret) { ++ clk_disable(spi_imx->clk_per); ++ return ret; ++ } ++ + writel(0, spi_imx->base + MXC_CSPICTRL); +- clk_unprepare(spi_imx->clk_ipg); +- clk_unprepare(spi_imx->clk_per); ++ clk_disable_unprepare(spi_imx->clk_ipg); ++ clk_disable_unprepare(spi_imx->clk_per); + spi_imx_sdma_exit(spi_imx); + spi_master_put(master); + diff --git a/queue-4.14/staging-ccree-fix-fips-event-irq-handling-build.patch b/queue-4.14/staging-ccree-fix-fips-event-irq-handling-build.patch new file mode 100644 index 00000000000..d06113b2d8f --- /dev/null +++ b/queue-4.14/staging-ccree-fix-fips-event-irq-handling-build.patch @@ -0,0 +1,31 @@ +From dc5591dc9c03e4cd22d3f0c3659196cc34668452 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Thu, 14 Dec 2017 14:02:46 +0000 +Subject: staging: ccree: fix fips event irq handling build + +From: Gilad Ben-Yossef + +commit dc5591dc9c03e4cd22d3f0c3659196cc34668452 upstream. + +When moving from internal for kernel FIPS infrastructure the FIPS event irq +handling code was left with the old ifdef by mistake. Fix it. + +Fixes: b7e607bf33a2 ("staging: ccree: move FIPS support to kernel infrastructure") +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ccree/ssi_driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/ccree/ssi_driver.c ++++ b/drivers/staging/ccree/ssi_driver.c +@@ -141,7 +141,7 @@ static irqreturn_t cc_isr(int irq, void + irr &= ~SSI_COMP_IRQ_MASK; + complete_request(drvdata); + } +-#ifdef CC_SUPPORT_FIPS ++#ifdef CONFIG_CRYPTO_FIPS + /* TEE FIPS interrupt */ + if (likely((irr & SSI_GPR0_IRQ_MASK) != 0)) { + /* Mask interrupt - will be unmasked in Deferred service handler */ diff --git a/queue-4.14/staging-ccree-nullify-backup_info-when-unused.patch b/queue-4.14/staging-ccree-nullify-backup_info-when-unused.patch new file mode 100644 index 00000000000..4607c428ad4 --- /dev/null +++ b/queue-4.14/staging-ccree-nullify-backup_info-when-unused.patch @@ -0,0 +1,32 @@ +From 46df8824982e4fb0198776078d4a8c3e2d531464 Mon Sep 17 00:00:00 2001 +From: Gilad Ben-Yossef +Date: Sun, 3 Dec 2017 13:58:19 +0000 +Subject: staging: ccree: NULLify backup_info when unused + +From: Gilad Ben-Yossef + +commit 46df8824982e4fb0198776078d4a8c3e2d531464 upstream. + +backup_info field is only allocated for decrypt code path. +The field was not nullified when not used causing a kfree +in an error handling path to attempt to free random +addresses as uncovered in stress testing. + +Fixes: 737aed947f9b ("staging: ccree: save ciphertext for CTS IV") +Signed-off-by: Gilad Ben-Yossef +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ccree/ssi_cipher.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/ccree/ssi_cipher.c ++++ b/drivers/staging/ccree/ssi_cipher.c +@@ -904,6 +904,7 @@ static int ssi_ablkcipher_decrypt(struct + scatterwalk_map_and_copy(req_ctx->backup_info, req->src, + (req->nbytes - ivsize), ivsize, 0); + req_ctx->is_giv = false; ++ req_ctx->backup_info = NULL; + + return ssi_blkcipher_process(tfm, req_ctx, req->dst, req->src, req->nbytes, req->info, ivsize, (void *)req, DRV_CRYPTO_DIRECTION_DECRYPT); + } diff --git a/queue-4.14/staging-lustre-separate-a-connection-destroy-from-free-struct-kib_conn.patch b/queue-4.14/staging-lustre-separate-a-connection-destroy-from-free-struct-kib_conn.patch new file mode 100644 index 00000000000..0d8413e9620 --- /dev/null +++ b/queue-4.14/staging-lustre-separate-a-connection-destroy-from-free-struct-kib_conn.patch @@ -0,0 +1,109 @@ +From 9b046013e5837f8a58453d1e9f8e01d03adb7fe7 Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin +Date: Thu, 25 Jan 2018 16:51:04 +0300 +Subject: staging: lustre: separate a connection destroy from free struct kib_conn + +From: Dmitry Eremin + +commit 9b046013e5837f8a58453d1e9f8e01d03adb7fe7 upstream. + +The logic of the original commit 4d99b2581eff ("staging: lustre: avoid +intensive reconnecting for ko2iblnd") was assumed conditional free of +struct kib_conn if the second argument free_conn in function +kiblnd_destroy_conn(struct kib_conn *conn, bool free_conn) is true. +But this hunk of code was dropped from original commit. As result the logic +works wrong and current code use struct kib_conn after free. + +> drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c +> 3317 kiblnd_destroy_conn(conn, !peer); +> ^^^^ Freed always (but should be conditionally) +> 3318 +> 3319 spin_lock_irqsave(lock, flags); +> 3320 if (!peer) +> 3321 continue; +> 3322 +> 3323 conn->ibc_peer = peer; +> ^^^^^^^^^^^^^^ Use after free +> 3324 if (peer->ibp_reconnected < KIB_RECONN_HIGH_RACE) +> 3325 list_add_tail(&conn->ibc_list, +> ^^^^^^^^^^^^^^ Use after free +> 3326 &kiblnd_data.kib_reconn_list); +> 3327 else +> 3328 list_add_tail(&conn->ibc_list, +> ^^^^^^^^^^^^^^ Use after free +> 3329 &kiblnd_data.kib_reconn_wait); + +To avoid confusion this fix moved the freeing a struct kib_conn outside of +the function kiblnd_destroy_conn() and free as it was intended in original +commit. + +Fixes: 4d99b2581eff ("staging: lustre: avoid intensive reconnecting for ko2iblnd") +Signed-off-by: Dmitry Eremin +Reviewed-by: Andreas Dilger +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c | 7 +++---- + drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.h | 2 +- + drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c | 6 ++++-- + 3 files changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c ++++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.c +@@ -825,14 +825,15 @@ struct kib_conn *kiblnd_create_conn(stru + return conn; + + failed_2: +- kiblnd_destroy_conn(conn, true); ++ kiblnd_destroy_conn(conn); ++ LIBCFS_FREE(conn, sizeof(*conn)); + failed_1: + LIBCFS_FREE(init_qp_attr, sizeof(*init_qp_attr)); + failed_0: + return NULL; + } + +-void kiblnd_destroy_conn(struct kib_conn *conn, bool free_conn) ++void kiblnd_destroy_conn(struct kib_conn *conn) + { + struct rdma_cm_id *cmid = conn->ibc_cmid; + struct kib_peer *peer = conn->ibc_peer; +@@ -895,8 +896,6 @@ void kiblnd_destroy_conn(struct kib_conn + rdma_destroy_id(cmid); + atomic_dec(&net->ibn_nconns); + } +- +- LIBCFS_FREE(conn, sizeof(*conn)); + } + + int kiblnd_close_peer_conns_locked(struct kib_peer *peer, int why) +--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.h ++++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd.h +@@ -1015,7 +1015,7 @@ int kiblnd_close_peer_conns_locked(stru + struct kib_conn *kiblnd_create_conn(struct kib_peer *peer, + struct rdma_cm_id *cmid, + int state, int version); +-void kiblnd_destroy_conn(struct kib_conn *conn, bool free_conn); ++void kiblnd_destroy_conn(struct kib_conn *conn); + void kiblnd_close_conn(struct kib_conn *conn, int error); + void kiblnd_close_conn_locked(struct kib_conn *conn, int error); + +--- a/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c ++++ b/drivers/staging/lustre/lnet/klnds/o2iblnd/o2iblnd_cb.c +@@ -3313,11 +3313,13 @@ kiblnd_connd(void *arg) + spin_unlock_irqrestore(lock, flags); + dropped_lock = 1; + +- kiblnd_destroy_conn(conn, !peer); ++ kiblnd_destroy_conn(conn); + + spin_lock_irqsave(lock, flags); +- if (!peer) ++ if (!peer) { ++ kfree(conn); + continue; ++ } + + conn->ibc_peer = peer; + if (peer->ibp_reconnected < KIB_RECONN_HIGH_RACE) diff --git a/queue-4.14/test_firmware-fix-missing-unlock-on-error-in-config_num_requests_store.patch b/queue-4.14/test_firmware-fix-missing-unlock-on-error-in-config_num_requests_store.patch new file mode 100644 index 00000000000..e40f007bf60 --- /dev/null +++ b/queue-4.14/test_firmware-fix-missing-unlock-on-error-in-config_num_requests_store.patch @@ -0,0 +1,30 @@ +From a5e1923356505e46476c2fb518559b7a4d9d25b1 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Thu, 11 Jan 2018 11:12:55 +0000 +Subject: test_firmware: fix missing unlock on error in config_num_requests_store() + +From: Wei Yongjun + +commit a5e1923356505e46476c2fb518559b7a4d9d25b1 upstream. + +Add the missing unlock before return from function +config_num_requests_store() in the error handling case. + +Fixes: c92316bf8e94 ("test_firmware: add batched firmware tests") +Signed-off-by: Wei Yongjun +Signed-off-by: Greg Kroah-Hartman + +--- + lib/test_firmware.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/lib/test_firmware.c ++++ b/lib/test_firmware.c +@@ -371,6 +371,7 @@ static ssize_t config_num_requests_store + if (test_fw_config->reqs) { + pr_err("Must call release_all_firmware prior to changing config\n"); + rc = -EINVAL; ++ mutex_unlock(&test_fw_mutex); + goto out; + } + mutex_unlock(&test_fw_mutex); diff --git a/queue-4.14/tty-fix-data-race-between-tty_init_dev-and-flush-of-buf.patch b/queue-4.14/tty-fix-data-race-between-tty_init_dev-and-flush-of-buf.patch new file mode 100644 index 00000000000..bf30f0d2b73 --- /dev/null +++ b/queue-4.14/tty-fix-data-race-between-tty_init_dev-and-flush-of-buf.patch @@ -0,0 +1,96 @@ +From b027e2298bd588d6fa36ed2eda97447fb3eac078 Mon Sep 17 00:00:00 2001 +From: Gaurav Kohli +Date: Tue, 23 Jan 2018 13:16:34 +0530 +Subject: tty: fix data race between tty_init_dev and flush of buf + +From: Gaurav Kohli + +commit b027e2298bd588d6fa36ed2eda97447fb3eac078 upstream. + +There can be a race, if receive_buf call comes before +tty initialization completes in n_tty_open and tty->disc_data +may be NULL. + +CPU0 CPU1 +---- ---- + 000|n_tty_receive_buf_common() n_tty_open() +-001|n_tty_receive_buf2() tty_ldisc_open.isra.3() +-002|tty_ldisc_receive_buf(inline) tty_ldisc_setup() + +Using ldisc semaphore lock in tty_init_dev till disc_data +initializes completely. + +Signed-off-by: Gaurav Kohli +Reviewed-by: Alan Cox +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 8 +++++++- + drivers/tty/tty_ldisc.c | 4 ++-- + include/linux/tty.h | 2 ++ + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -1322,6 +1322,9 @@ struct tty_struct *tty_init_dev(struct t + "%s: %s driver does not set tty->port. This will crash the kernel later. Fix the driver!\n", + __func__, tty->driver->name); + ++ retval = tty_ldisc_lock(tty, 5 * HZ); ++ if (retval) ++ goto err_release_lock; + tty->port->itty = tty; + + /* +@@ -1332,6 +1335,7 @@ struct tty_struct *tty_init_dev(struct t + retval = tty_ldisc_setup(tty, tty->link); + if (retval) + goto err_release_tty; ++ tty_ldisc_unlock(tty); + /* Return the tty locked so that it cannot vanish under the caller */ + return tty; + +@@ -1344,9 +1348,11 @@ err_module_put: + + /* call the tty release_tty routine to clean out this slot */ + err_release_tty: +- tty_unlock(tty); ++ tty_ldisc_unlock(tty); + tty_info_ratelimited(tty, "ldisc open failed (%d), clearing slot %d\n", + retval, idx); ++err_release_lock: ++ tty_unlock(tty); + release_tty(tty, idx); + return ERR_PTR(retval); + } +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -336,7 +336,7 @@ static inline void __tty_ldisc_unlock(st + ldsem_up_write(&tty->ldisc_sem); + } + +-static int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout) ++int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout) + { + int ret; + +@@ -347,7 +347,7 @@ static int tty_ldisc_lock(struct tty_str + return 0; + } + +-static void tty_ldisc_unlock(struct tty_struct *tty) ++void tty_ldisc_unlock(struct tty_struct *tty) + { + clear_bit(TTY_LDISC_HALTED, &tty->flags); + __tty_ldisc_unlock(tty); +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -405,6 +405,8 @@ extern const char *tty_name(const struct + extern struct tty_struct *tty_kopen(dev_t device); + extern void tty_kclose(struct tty_struct *tty); + extern int tty_dev_name_to_number(const char *name, dev_t *number); ++extern int tty_ldisc_lock(struct tty_struct *tty, unsigned long timeout); ++extern void tty_ldisc_unlock(struct tty_struct *tty); + #else + static inline void tty_kref_put(struct tty_struct *tty) + { } diff --git a/queue-4.14/usb-cdc-acm-do-not-log-urb-submission-errors-on-disconnect.patch b/queue-4.14/usb-cdc-acm-do-not-log-urb-submission-errors-on-disconnect.patch new file mode 100644 index 00000000000..77f941e4f8c --- /dev/null +++ b/queue-4.14/usb-cdc-acm-do-not-log-urb-submission-errors-on-disconnect.patch @@ -0,0 +1,40 @@ +From f0386c083c2ce85284dc0b419d7b89c8e567c09f Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 14 Jan 2018 16:09:00 +0100 +Subject: USB: cdc-acm: Do not log urb submission errors on disconnect + +From: Hans de Goede + +commit f0386c083c2ce85284dc0b419d7b89c8e567c09f upstream. + +When disconnected sometimes the cdc-acm driver logs errors like these: + +[20278.039417] cdc_acm 2-2:2.1: urb 9 failed submission with -19 +[20278.042924] cdc_acm 2-2:2.1: urb 10 failed submission with -19 +[20278.046449] cdc_acm 2-2:2.1: urb 11 failed submission with -19 +[20278.049920] cdc_acm 2-2:2.1: urb 12 failed submission with -19 +[20278.053442] cdc_acm 2-2:2.1: urb 13 failed submission with -19 +[20278.056915] cdc_acm 2-2:2.1: urb 14 failed submission with -19 +[20278.060418] cdc_acm 2-2:2.1: urb 15 failed submission with -19 + +Silence these by not logging errors when the result is -ENODEV. + +Signed-off-by: Hans de Goede +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -438,7 +438,7 @@ static int acm_submit_read_urb(struct ac + + res = usb_submit_urb(acm->read_urbs[index], mem_flags); + if (res) { +- if (res != -EPERM) { ++ if (res != -EPERM && res != -ENODEV) { + dev_err(&acm->data->dev, + "urb %d failed submission with %d\n", + index, res); diff --git a/queue-4.14/usb-f_fs-prevent-gadget-unbind-if-it-is-already-unbound.patch b/queue-4.14/usb-f_fs-prevent-gadget-unbind-if-it-is-already-unbound.patch new file mode 100644 index 00000000000..d87ff0c7cac --- /dev/null +++ b/queue-4.14/usb-f_fs-prevent-gadget-unbind-if-it-is-already-unbound.patch @@ -0,0 +1,51 @@ +From ce5bf9a50daf2d9078b505aca1cea22e88ecb94a Mon Sep 17 00:00:00 2001 +From: Hemant Kumar +Date: Tue, 9 Jan 2018 12:30:53 +0530 +Subject: usb: f_fs: Prevent gadget unbind if it is already unbound + +From: Hemant Kumar + +commit ce5bf9a50daf2d9078b505aca1cea22e88ecb94a upstream. + +Upon usb composition switch there is possibility of ep0 file +release happening after gadget driver bind. In case of composition +switch from adb to a non-adb composition gadget will never gets +bound again resulting into failure of usb device enumeration. Fix +this issue by checking FFS_FL_BOUND flag and avoid extra +gadget driver unbind if it is already done as part of composition +switch. + +This fixes adb reconnection error reported on Android running +v4.4 and above kernel versions. Verified on Hikey running vanilla +v4.15-rc7 + few out of tree Mali patches. + +Reviewed-at: https://android-review.googlesource.com/#/c/582632/ + +Cc: Felipe Balbi +Cc: Greg KH +Cc: Michal Nazarewicz +Cc: John Stultz +Cc: Dmitry Shmidt +Cc: Badhri +Cc: Android Kernel Team +Signed-off-by: Hemant Kumar +[AmitP: Cherry-picked it from android-4.14 and updated the commit log] +Signed-off-by: Amit Pundir +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3704,7 +3704,8 @@ static void ffs_closed(struct ffs_data * + ci = opts->func_inst.group.cg_item.ci_parent->ci_parent; + ffs_dev_unlock(); + +- unregister_gadget_item(ci); ++ if (test_bit(FFS_FL_BOUND, &ffs->flags)) ++ unregister_gadget_item(ci); + return; + done: + ffs_dev_unlock(); diff --git a/queue-4.14/usb-gadget-fix-high-bandwidth-check-in-usb_gadget_ep_match_desc.patch b/queue-4.14/usb-gadget-fix-high-bandwidth-check-in-usb_gadget_ep_match_desc.patch new file mode 100644 index 00000000000..01701daf935 --- /dev/null +++ b/queue-4.14/usb-gadget-fix-high-bandwidth-check-in-usb_gadget_ep_match_desc.patch @@ -0,0 +1,31 @@ +From 11fb37998759c48e4e4c200c974593cbeab25d3e Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Fri, 12 Jan 2018 17:50:02 +1100 +Subject: usb/gadget: Fix "high bandwidth" check in usb_gadget_ep_match_desc() + +From: Benjamin Herrenschmidt + +commit 11fb37998759c48e4e4c200c974593cbeab25d3e upstream. + +The current code tries to test for bits that are masked out by +usb_endpoint_maxp(). Instead, use the proper accessor to access +the new high bandwidth bits. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/udc/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/core.c ++++ b/drivers/usb/gadget/udc/core.c +@@ -923,7 +923,7 @@ int usb_gadget_ep_match_desc(struct usb_ + return 0; + + /* "high bandwidth" works only at high speed */ +- if (!gadget_is_dualspeed(gadget) && usb_endpoint_maxp(desc) & (3<<11)) ++ if (!gadget_is_dualspeed(gadget) && usb_endpoint_maxp_mult(desc) > 1) + return 0; + + switch (type) { diff --git a/queue-4.14/usb-option-add-support-for-fs040u-modem.patch b/queue-4.14/usb-option-add-support-for-fs040u-modem.patch new file mode 100644 index 00000000000..7030fcc0122 --- /dev/null +++ b/queue-4.14/usb-option-add-support-for-fs040u-modem.patch @@ -0,0 +1,43 @@ +From 69341bd15018da0a662847e210f9b2380c71e623 Mon Sep 17 00:00:00 2001 +From: OKAMOTO Yoshiaki +Date: Tue, 16 Jan 2018 09:51:17 +0000 +Subject: usb: option: Add support for FS040U modem + +From: OKAMOTO Yoshiaki + +commit 69341bd15018da0a662847e210f9b2380c71e623 upstream. + +FS040U modem is manufactured by omega, and sold by Fujisoft. This patch +adds ID of the modem to use option1 driver. Interface 3 is used as +qmi_wwan, so the interface is ignored. + +Signed-off-by: Yoshiaki Okamoto +Signed-off-by: Hiroyuki Yamamoto +Acked-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -383,6 +383,9 @@ static void option_instat_callback(struc + #define FOUR_G_SYSTEMS_PRODUCT_W14 0x9603 + #define FOUR_G_SYSTEMS_PRODUCT_W100 0x9b01 + ++/* Fujisoft products */ ++#define FUJISOFT_PRODUCT_FS040U 0x9b02 ++ + /* iBall 3.5G connect wireless modem */ + #define IBALL_3_5G_CONNECT 0x9605 + +@@ -1897,6 +1900,8 @@ static const struct usb_device_id option + { USB_DEVICE(LONGCHEER_VENDOR_ID, FOUR_G_SYSTEMS_PRODUCT_W100), + .driver_info = (kernel_ulong_t)&four_g_w100_blacklist + }, ++ {USB_DEVICE(LONGCHEER_VENDOR_ID, FUJISOFT_PRODUCT_FS040U), ++ .driver_info = (kernel_ulong_t)&net_intf3_blacklist}, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, SPEEDUP_PRODUCT_SU9800, 0xff) }, + { USB_DEVICE_INTERFACE_CLASS(LONGCHEER_VENDOR_ID, 0x9801, 0xff), + .driver_info = (kernel_ulong_t)&net_intf3_blacklist }, diff --git a/queue-4.14/usb-serial-io_edgeport-fix-possible-sleep-in-atomic.patch b/queue-4.14/usb-serial-io_edgeport-fix-possible-sleep-in-atomic.patch new file mode 100644 index 00000000000..1842e671965 --- /dev/null +++ b/queue-4.14/usb-serial-io_edgeport-fix-possible-sleep-in-atomic.patch @@ -0,0 +1,45 @@ +From c7b8f77872c73f69a16528a9eb87afefcccdc18b Mon Sep 17 00:00:00 2001 +From: Jia-Ju Bai +Date: Wed, 13 Dec 2017 20:34:36 +0800 +Subject: USB: serial: io_edgeport: fix possible sleep-in-atomic + +From: Jia-Ju Bai + +commit c7b8f77872c73f69a16528a9eb87afefcccdc18b upstream. + +According to drivers/usb/serial/io_edgeport.c, the driver may sleep +under a spinlock. +The function call path is: +edge_bulk_in_callback (acquire the spinlock) + process_rcvd_data + process_rcvd_status + change_port_settings + send_iosp_ext_cmd + write_cmd_usb + usb_kill_urb --> may sleep + +To fix it, the redundant usb_kill_urb() is removed from the error path +after usb_submit_urb() fails. + +This possible bug is found by my static analysis tool (DSAC) and checked +by my code review. + +Signed-off-by: Jia-Ju Bai +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_edgeport.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/serial/io_edgeport.c ++++ b/drivers/usb/serial/io_edgeport.c +@@ -2286,7 +2286,6 @@ static int write_cmd_usb(struct edgeport + /* something went wrong */ + dev_err(dev, "%s - usb_submit_urb(write command) failed, status = %d\n", + __func__, status); +- usb_kill_urb(urb); + usb_free_urb(urb); + atomic_dec(&CmdUrbs); + return status; diff --git a/queue-4.14/usb-serial-pl2303-new-device-id-for-chilitag.patch b/queue-4.14/usb-serial-pl2303-new-device-id-for-chilitag.patch new file mode 100644 index 00000000000..814984aefc7 --- /dev/null +++ b/queue-4.14/usb-serial-pl2303-new-device-id-for-chilitag.patch @@ -0,0 +1,43 @@ +From d08dd3f3dd2ae351b793fc5b76abdbf0fd317b12 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 25 Jan 2018 09:48:55 +0100 +Subject: USB: serial: pl2303: new device id for Chilitag +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Greg Kroah-Hartman + +commit d08dd3f3dd2ae351b793fc5b76abdbf0fd317b12 upstream. + +This adds a new device id for Chilitag devices to the pl2303 driver. + +Reported-by: "Chu.Mike [朱堅宜]" +Acked-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -41,6 +41,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ2) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_DCU11) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_RSAQ3) }, ++ { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_CHILITAG) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_PHAROS) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_ALDIGA) }, + { USB_DEVICE(PL2303_VENDOR_ID, PL2303_PRODUCT_ID_MMX) }, +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -17,6 +17,7 @@ + #define PL2303_PRODUCT_ID_DCU11 0x1234 + #define PL2303_PRODUCT_ID_PHAROS 0xaaa0 + #define PL2303_PRODUCT_ID_RSAQ3 0xaaa2 ++#define PL2303_PRODUCT_ID_CHILITAG 0xaaa8 + #define PL2303_PRODUCT_ID_ALDIGA 0x0611 + #define PL2303_PRODUCT_ID_MMX 0x0612 + #define PL2303_PRODUCT_ID_GPRS 0x0609 diff --git a/queue-4.14/usb-serial-simple-add-motorola-tetra-driver.patch b/queue-4.14/usb-serial-simple-add-motorola-tetra-driver.patch new file mode 100644 index 00000000000..b41e0471236 --- /dev/null +++ b/queue-4.14/usb-serial-simple-add-motorola-tetra-driver.patch @@ -0,0 +1,73 @@ +From 46fe895e22ab3845515ec06b01eaf1282b342e29 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 18 Jan 2018 14:46:41 +1100 +Subject: USB: serial: simple: add Motorola Tetra driver + +From: Johan Hovold + +commit 46fe895e22ab3845515ec06b01eaf1282b342e29 upstream. + +Add new Motorola Tetra (simple) driver for Motorola Solutions TETRA PEI +devices. + +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=0cad ProdID=9011 Rev=24.16 +S: Manufacturer=Motorola Solutions Inc. +S: Product=Motorola Solutions TETRA PEI interface +C: #Ifs= 2 Cfg#= 1 Atr=80 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) +I: If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) + +Note that these devices do not support the CDC SET_CONTROL_LINE_STATE +request (for any interface). + +Reported-by: Max Schulze +Tested-by: Max Schulze +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/Kconfig | 1 + + drivers/usb/serial/usb-serial-simple.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -63,6 +63,7 @@ config USB_SERIAL_SIMPLE + - Google USB serial devices + - HP4x calculators + - a number of Motorola phones ++ - Motorola Tetra devices + - Novatel Wireless GPS receivers + - Siemens USB/MPI adapter. + - ViVOtech ViVOpay USB device. +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -80,6 +80,11 @@ DEVICE(vivopay, VIVOPAY_IDS); + { USB_DEVICE(0x22b8, 0x2c64) } /* Motorola V950 phone */ + DEVICE(moto_modem, MOTO_IDS); + ++/* Motorola Tetra driver */ ++#define MOTOROLA_TETRA_IDS() \ ++ { USB_DEVICE(0x0cad, 0x9011) } /* Motorola Solutions TETRA PEI */ ++DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); ++ + /* Novatel Wireless GPS driver */ + #define NOVATEL_IDS() \ + { USB_DEVICE(0x09d7, 0x0100) } /* NovAtel FlexPack GPS */ +@@ -110,6 +115,7 @@ static struct usb_serial_driver * const + &google_device, + &vivopay_device, + &moto_modem_device, ++ &motorola_tetra_device, + &novatel_gps_device, + &hp4x_device, + &suunto_device, +@@ -125,6 +131,7 @@ static const struct usb_device_id id_tab + GOOGLE_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), ++ MOTOROLA_TETRA_IDS(), + NOVATEL_IDS(), + HP4X_IDS(), + SUUNTO_IDS(), diff --git a/queue-4.14/usb-uas-unconditionally-bring-back-host-after-reset.patch b/queue-4.14/usb-uas-unconditionally-bring-back-host-after-reset.patch new file mode 100644 index 00000000000..17f836e3725 --- /dev/null +++ b/queue-4.14/usb-uas-unconditionally-bring-back-host-after-reset.patch @@ -0,0 +1,66 @@ +From cbeef22fd611c4f47c494b821b2b105b8af970bb Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 11 Jan 2018 13:10:16 +0100 +Subject: usb: uas: unconditionally bring back host after reset + +From: Oliver Neukum + +commit cbeef22fd611c4f47c494b821b2b105b8af970bb upstream. + +Quoting Hans: + +If we return 1 from our post_reset handler, then our disconnect handler +will be called immediately afterwards. Since pre_reset blocks all scsi +requests our disconnect handler will then hang in the scsi_remove_host +call. + +This is esp. bad because our disconnect handler hanging for ever also +stops the USB subsys from enumerating any new USB devices, causes commands +like lsusb to hang, etc. + +In practice this happens when unplugging some uas devices because the hub +code may see the device as needing a warm-reset and calls usb_reset_device +before seeing the disconnect. In this case uas_configure_endpoints fails +with -ENODEV. We do not want to print an error for this, so this commit +also silences the shost_printk for -ENODEV. + +ENDQUOTE + +However, if we do that we better drop any unconditional execution +and report to the SCSI subsystem that we have undergone a reset +but we are not operational now. + +Signed-off-by: Oliver Neukum +Reported-by: Hans de Goede +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -1076,20 +1076,19 @@ static int uas_post_reset(struct usb_int + return 0; + + err = uas_configure_endpoints(devinfo); +- if (err) { ++ if (err && err != ENODEV) + shost_printk(KERN_ERR, shost, + "%s: alloc streams error %d after reset", + __func__, err); +- return 1; +- } + ++ /* we must unblock the host in every case lest we deadlock */ + spin_lock_irqsave(shost->host_lock, flags); + scsi_report_bus_reset(shost, 0); + spin_unlock_irqrestore(shost->host_lock, flags); + + scsi_unblock_requests(shost); + +- return 0; ++ return err ? 1 : 0; + } + + static int uas_suspend(struct usb_interface *intf, pm_message_t message) diff --git a/queue-4.14/usbip-list-don-t-list-devices-attached-to-vhci_hcd.patch b/queue-4.14/usbip-list-don-t-list-devices-attached-to-vhci_hcd.patch new file mode 100644 index 00000000000..4970ed7e1c6 --- /dev/null +++ b/queue-4.14/usbip-list-don-t-list-devices-attached-to-vhci_hcd.patch @@ -0,0 +1,51 @@ +From ef824501f50846589f02173d73ce3fe6021a9d2a Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 17 Jan 2018 12:08:03 -0700 +Subject: usbip: list: don't list devices attached to vhci_hcd + +From: Shuah Khan + +commit ef824501f50846589f02173d73ce3fe6021a9d2a upstream. + +usbip host lists devices attached to vhci_hcd on the same server +when user does attach over localhost or specifies the server as the +remote. + +usbip attach -r localhost -b busid +or +usbip attach -r servername (or server IP) + +Fix it to check and not list devices that are attached to vhci_hcd. + +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/usb/usbip/src/usbip_list.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/tools/usb/usbip/src/usbip_list.c ++++ b/tools/usb/usbip/src/usbip_list.c +@@ -187,6 +187,7 @@ static int list_devices(bool parsable) + const char *busid; + char product_name[128]; + int ret = -1; ++ const char *devpath; + + /* Create libudev context. */ + udev = udev_new(); +@@ -209,6 +210,14 @@ static int list_devices(bool parsable) + path = udev_list_entry_get_name(dev_list_entry); + dev = udev_device_new_from_syspath(udev, path); + ++ /* Ignore devices attached to vhci_hcd */ ++ devpath = udev_device_get_devpath(dev); ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) { ++ dbg("Skip the device %s already attached to %s\n", ++ devpath, USBIP_VHCI_DRV_NAME); ++ continue; ++ } ++ + /* Get device information. */ + idVendor = udev_device_get_sysattr_value(dev, "idVendor"); + idProduct = udev_device_get_sysattr_value(dev, "idProduct"); diff --git a/queue-4.14/usbip-prevent-bind-loops-on-devices-attached-to-vhci_hcd.patch b/queue-4.14/usbip-prevent-bind-loops-on-devices-attached-to-vhci_hcd.patch new file mode 100644 index 00000000000..f0a1c570bc7 --- /dev/null +++ b/queue-4.14/usbip-prevent-bind-loops-on-devices-attached-to-vhci_hcd.patch @@ -0,0 +1,57 @@ +From ef54cf0c600fb8f5737fb001a9e357edda1a1de8 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Wed, 17 Jan 2018 12:07:30 -0700 +Subject: usbip: prevent bind loops on devices attached to vhci_hcd + +From: Shuah Khan + +commit ef54cf0c600fb8f5737fb001a9e357edda1a1de8 upstream. + +usbip host binds to devices attached to vhci_hcd on the same server +when user does attach over localhost or specifies the server as the +remote. + +usbip attach -r localhost -b busid +or +usbip attach -r servername (or server IP) + +Unbind followed by bind works, however device is left in a bad state with +accesses via the attached busid result in errors and system hangs during +shutdown. + +Fix it to check and bail out if the device is already attached to vhci_hcd. + +Signed-off-by: Shuah Khan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/usb/usbip/src/usbip_bind.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/tools/usb/usbip/src/usbip_bind.c ++++ b/tools/usb/usbip/src/usbip_bind.c +@@ -144,6 +144,7 @@ static int bind_device(char *busid) + int rc; + struct udev *udev; + struct udev_device *dev; ++ const char *devpath; + + /* Check whether the device with this bus ID exists. */ + udev = udev_new(); +@@ -152,8 +153,16 @@ static int bind_device(char *busid) + err("device with the specified bus ID does not exist"); + return -1; + } ++ devpath = udev_device_get_devpath(dev); + udev_unref(udev); + ++ /* If the device is already attached to vhci_hcd - bail out */ ++ if (strstr(devpath, USBIP_VHCI_DRV_NAME)) { ++ err("bind loop detected: device: %s is attached to %s\n", ++ devpath, USBIP_VHCI_DRV_NAME); ++ return -1; ++ } ++ + rc = unbind_other(busid); + if (rc == UNBIND_ST_FAILED) { + err("could not unbind driver from device on busid %s", busid); diff --git a/queue-4.14/x86-efi-clarify-that-reset-attack-mitigation-needs-appropriate-userspace.patch b/queue-4.14/x86-efi-clarify-that-reset-attack-mitigation-needs-appropriate-userspace.patch new file mode 100644 index 00000000000..afc1fbf8ac5 --- /dev/null +++ b/queue-4.14/x86-efi-clarify-that-reset-attack-mitigation-needs-appropriate-userspace.patch @@ -0,0 +1,47 @@ +From a5c03c31af2291f13689d11760c0b59fb70c9a5a Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 16 Jan 2018 09:10:02 +0000 +Subject: x86/efi: Clarify that reset attack mitigation needs appropriate userspace + +From: Matthew Garrett + +commit a5c03c31af2291f13689d11760c0b59fb70c9a5a upstream. + +Some distributions have turned on the reset attack mitigation feature, +which is designed to force the platform to clear the contents of RAM if +the machine is shut down uncleanly. However, in order for the platform +to be able to determine whether the shutdown was clean or not, userspace +has to be configured to clear the MemoryOverwriteRequest flag on +shutdown - otherwise the firmware will end up clearing RAM on every +reboot, which is unnecessarily time consuming. Add some additional +clarity to the kconfig text to reduce the risk of systems being +configured this way. + +Signed-off-by: Matthew Garrett +Acked-by: Ard Biesheuvel +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: linux-efi@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firmware/efi/Kconfig | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/firmware/efi/Kconfig ++++ b/drivers/firmware/efi/Kconfig +@@ -159,7 +159,10 @@ config RESET_ATTACK_MITIGATION + using the TCG Platform Reset Attack Mitigation specification. This + protects against an attacker forcibly rebooting the system while it + still contains secrets in RAM, booting another OS and extracting the +- secrets. ++ secrets. This should only be enabled when userland is configured to ++ clear the MemoryOverwriteRequest flag on clean shutdown after secrets ++ have been evicted, since otherwise it will trigger even on clean ++ reboots. + + endmenu +