From: Greg Kroah-Hartman Date: Wed, 4 Jul 2018 11:57:52 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v4.14.54~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f20e5eec5822309a88c833688f2746465c6d7ba7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: n_tty-access-echo_-variables-carefully.patch n_tty-fix-stall-at-n_tty_receive_char_special.patch staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch usb-serial-cp210x-add-cesinel-device-ids.patch usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch --- diff --git a/queue-4.9/n_tty-access-echo_-variables-carefully.patch b/queue-4.9/n_tty-access-echo_-variables-carefully.patch new file mode 100644 index 00000000000..2d451d74512 --- /dev/null +++ b/queue-4.9/n_tty-access-echo_-variables-carefully.patch @@ -0,0 +1,178 @@ +From ebec3f8f5271139df618ebdf8427e24ba102ba94 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:53:14 +0900 +Subject: n_tty: Access echo_* variables carefully. + +From: Tetsuo Handa + +commit ebec3f8f5271139df618ebdf8427e24ba102ba94 upstream. + +syzbot is reporting stalls at __process_echoes() [1]. This is because +since ldata->echo_commit < ldata->echo_tail becomes true for some reason, +the discard loop is serving as almost infinite loop. This patch tries to +avoid falling into ldata->echo_commit < ldata->echo_tail situation by +making access to echo_* variables more carefully. + +Since reset_buffer_flags() is called without output_lock held, it should +not touch echo_* variables. And omit a call to reset_buffer_flags() from +n_tty_open() by using vzalloc(). + +Since add_echo_byte() is called without output_lock held, it needs memory +barrier between storing into echo_buf[] and incrementing echo_head counter. +echo_buf() needs corresponding memory barrier before reading echo_buf[]. +Lack of handling the possibility of not-yet-stored multi-byte operation +might be the reason of falling into ldata->echo_commit < ldata->echo_tail +situation, for if I do WARN_ON(ldata->echo_commit == tail + 1) prior to +echo_buf(ldata, tail + 1), the WARN_ON() fires. + +Also, explicitly masking with buffer for the former "while" loop, and +use ldata->echo_commit > tail for the latter "while" loop. + +[1] https://syzkaller.appspot.com/bug?id=17f23b094cd80df750e5b0f8982c521ee6bcbf40 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Peter Hurley +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_tty.c | 42 ++++++++++++++++++++++++------------------ + 1 file changed, 24 insertions(+), 18 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -145,6 +145,7 @@ static inline unsigned char *read_buf_ad + + static inline unsigned char echo_buf(struct n_tty_data *ldata, size_t i) + { ++ smp_rmb(); /* Matches smp_wmb() in add_echo_byte(). */ + return ldata->echo_buf[i & (N_TTY_BUF_SIZE - 1)]; + } + +@@ -320,9 +321,7 @@ static inline void put_tty_queue(unsigne + static void reset_buffer_flags(struct n_tty_data *ldata) + { + ldata->read_head = ldata->canon_head = ldata->read_tail = 0; +- ldata->echo_head = ldata->echo_tail = ldata->echo_commit = 0; + ldata->commit_head = 0; +- ldata->echo_mark = 0; + ldata->line_start = 0; + + ldata->erasing = 0; +@@ -621,13 +620,20 @@ static size_t __process_echoes(struct tt + old_space = space = tty_write_room(tty); + + tail = ldata->echo_tail; +- while (ldata->echo_commit != tail) { ++ while (MASK(ldata->echo_commit) != MASK(tail)) { + c = echo_buf(ldata, tail); + if (c == ECHO_OP_START) { + unsigned char op; + int no_space_left = 0; + + /* ++ * Since add_echo_byte() is called without holding ++ * output_lock, we might see only portion of multi-byte ++ * operation. ++ */ ++ if (MASK(ldata->echo_commit) == MASK(tail + 1)) ++ goto not_yet_stored; ++ /* + * If the buffer byte is the start of a multi-byte + * operation, get the next byte, which is either the + * op code or a control character value. +@@ -638,6 +644,8 @@ static size_t __process_echoes(struct tt + unsigned int num_chars, num_bs; + + case ECHO_OP_ERASE_TAB: ++ if (MASK(ldata->echo_commit) == MASK(tail + 2)) ++ goto not_yet_stored; + num_chars = echo_buf(ldata, tail + 2); + + /* +@@ -732,7 +740,8 @@ static size_t __process_echoes(struct tt + /* If the echo buffer is nearly full (so that the possibility exists + * of echo overrun before the next commit), then discard enough + * data at the tail to prevent a subsequent overrun */ +- while (ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { ++ while (ldata->echo_commit > tail && ++ ldata->echo_commit - tail >= ECHO_DISCARD_WATERMARK) { + if (echo_buf(ldata, tail) == ECHO_OP_START) { + if (echo_buf(ldata, tail + 1) == ECHO_OP_ERASE_TAB) + tail += 3; +@@ -742,6 +751,7 @@ static size_t __process_echoes(struct tt + tail++; + } + ++ not_yet_stored: + ldata->echo_tail = tail; + return old_space - space; + } +@@ -752,6 +762,7 @@ static void commit_echoes(struct tty_str + size_t nr, old, echoed; + size_t head; + ++ mutex_lock(&ldata->output_lock); + head = ldata->echo_head; + ldata->echo_mark = head; + old = ldata->echo_commit - ldata->echo_tail; +@@ -760,10 +771,12 @@ static void commit_echoes(struct tty_str + * is over the threshold (and try again each time another + * block is accumulated) */ + nr = head - ldata->echo_tail; +- if (nr < ECHO_COMMIT_WATERMARK || (nr % ECHO_BLOCK > old % ECHO_BLOCK)) ++ if (nr < ECHO_COMMIT_WATERMARK || ++ (nr % ECHO_BLOCK > old % ECHO_BLOCK)) { ++ mutex_unlock(&ldata->output_lock); + return; ++ } + +- mutex_lock(&ldata->output_lock); + ldata->echo_commit = head; + echoed = __process_echoes(tty); + mutex_unlock(&ldata->output_lock); +@@ -814,7 +827,9 @@ static void flush_echoes(struct tty_stru + + static inline void add_echo_byte(unsigned char c, struct n_tty_data *ldata) + { +- *echo_buf_addr(ldata, ldata->echo_head++) = c; ++ *echo_buf_addr(ldata, ldata->echo_head) = c; ++ smp_wmb(); /* Matches smp_rmb() in echo_buf(). */ ++ ldata->echo_head++; + } + + /** +@@ -1883,30 +1898,21 @@ static int n_tty_open(struct tty_struct + struct n_tty_data *ldata; + + /* Currently a malloc failure here can panic */ +- ldata = vmalloc(sizeof(*ldata)); ++ ldata = vzalloc(sizeof(*ldata)); + if (!ldata) +- goto err; ++ return -ENOMEM; + + ldata->overrun_time = jiffies; + mutex_init(&ldata->atomic_read_lock); + mutex_init(&ldata->output_lock); + + tty->disc_data = ldata; +- reset_buffer_flags(tty->disc_data); +- ldata->column = 0; +- ldata->canon_column = 0; +- ldata->num_overrun = 0; +- ldata->no_room = 0; +- ldata->lnext = 0; + tty->closing = 0; + /* indicate buffer work may resume */ + clear_bit(TTY_LDISC_HALTED, &tty->flags); + n_tty_set_termios(tty, NULL); + tty_unthrottle(tty); +- + return 0; +-err: +- return -ENOMEM; + } + + static inline int input_available_p(struct tty_struct *tty, int poll) diff --git a/queue-4.9/n_tty-fix-stall-at-n_tty_receive_char_special.patch b/queue-4.9/n_tty-fix-stall-at-n_tty_receive_char_special.patch new file mode 100644 index 00000000000..664cbf68f1e --- /dev/null +++ b/queue-4.9/n_tty-fix-stall-at-n_tty_receive_char_special.patch @@ -0,0 +1,83 @@ +From 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 26 May 2018 09:53:13 +0900 +Subject: n_tty: Fix stall at n_tty_receive_char_special(). + +From: Tetsuo Handa + +commit 3d63b7e4ae0dc5e02d28ddd2fa1f945defc68d81 upstream. + +syzbot is reporting stalls at n_tty_receive_char_special() [1]. This is +because comparison is not working as expected since ldata->read_head can +change at any moment. Mitigate this by explicitly masking with buffer size +when checking condition for "while" loops. + +[1] https://syzkaller.appspot.com/bug?id=3d7481a346958d9469bebbeb0537d5f056bdd6e8 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Fixes: bc5a5e3f45d04784 ("n_tty: Don't wrap input buffer indices at buffer size") +Cc: stable +Cc: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_tty.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -126,6 +126,8 @@ struct n_tty_data { + struct mutex output_lock; + }; + ++#define MASK(x) ((x) & (N_TTY_BUF_SIZE - 1)) ++ + static inline size_t read_cnt(struct n_tty_data *ldata) + { + return ldata->read_head - ldata->read_tail; +@@ -980,14 +982,15 @@ static void eraser(unsigned char c, stru + } + + seen_alnums = 0; +- while (ldata->read_head != ldata->canon_head) { ++ while (MASK(ldata->read_head) != MASK(ldata->canon_head)) { + head = ldata->read_head; + + /* erase a single possibly multibyte character */ + do { + head--; + c = read_buf(ldata, head); +- } while (is_continuation(c, tty) && head != ldata->canon_head); ++ } while (is_continuation(c, tty) && ++ MASK(head) != MASK(ldata->canon_head)); + + /* do not partially erase */ + if (is_continuation(c, tty)) +@@ -1029,7 +1032,7 @@ static void eraser(unsigned char c, stru + * This info is used to go back the correct + * number of columns. + */ +- while (tail != ldata->canon_head) { ++ while (MASK(tail) != MASK(ldata->canon_head)) { + tail--; + c = read_buf(ldata, tail); + if (c == '\t') { +@@ -1304,7 +1307,7 @@ n_tty_receive_char_special(struct tty_st + finish_erasing(ldata); + echo_char(c, tty); + echo_char_raw('\n', ldata); +- while (tail != ldata->read_head) { ++ while (MASK(tail) != MASK(ldata->read_head)) { + echo_char(read_buf(ldata, tail), tty); + tail++; + } +@@ -2413,7 +2416,7 @@ static unsigned long inq_canon(struct n_ + tail = ldata->read_tail; + nr = head - tail; + /* Skip EOF-chars.. */ +- while (head != tail) { ++ while (MASK(head) != MASK(tail)) { + if (test_bit(tail & (N_TTY_BUF_SIZE - 1), ldata->read_flags) && + read_buf(ldata, tail) == __DISABLED_CHAR) + nr--; diff --git a/queue-4.9/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch b/queue-4.9/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch new file mode 100644 index 00000000000..a469a095f35 --- /dev/null +++ b/queue-4.9/staging-android-ion-return-an-err_ptr-in-ion_map_kernel.patch @@ -0,0 +1,33 @@ +From 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 Mon Sep 17 00:00:00 2001 +From: Laura Abbott +Date: Mon, 11 Jun 2018 11:06:53 -0700 +Subject: staging: android: ion: Return an ERR_PTR in ion_map_kernel + +From: Laura Abbott + +commit 0a2bc00341dcfcc793c0dbf4f8d43adf60458b05 upstream. + +The expected return value from ion_map_kernel is an ERR_PTR. The error +path for a vmalloc failure currently just returns NULL, triggering +a warning in ion_buffer_kmap_get. Encode the vmalloc failure as an ERR_PTR. + +Reported-by: syzbot+55b1d9f811650de944c6@syzkaller.appspotmail.com +Signed-off-by: Laura Abbott +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ion/ion_heap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/android/ion/ion_heap.c ++++ b/drivers/staging/android/ion/ion_heap.c +@@ -38,7 +38,7 @@ void *ion_heap_map_kernel(struct ion_hea + struct page **tmp = pages; + + if (!pages) +- return NULL; ++ return ERR_PTR(-ENOMEM); + + if (buffer->flags & ION_FLAG_CACHED) + pgprot = PAGE_KERNEL; diff --git a/queue-4.9/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch b/queue-4.9/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch new file mode 100644 index 00000000000..62b899fec4b --- /dev/null +++ b/queue-4.9/usb-cdc_acm-add-quirk-for-uniden-ubc125-scanner.patch @@ -0,0 +1,126 @@ +From 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 Mon Sep 17 00:00:00 2001 +From: Houston Yaroschoff +Date: Mon, 11 Jun 2018 12:39:09 +0200 +Subject: usb: cdc_acm: Add quirk for Uniden UBC125 scanner + +From: Houston Yaroschoff + +commit 4a762569a2722b8a48066c7bacf0e1dc67d17fa1 upstream. + +Uniden UBC125 radio scanner has USB interface which fails to work +with cdc_acm driver: + usb 1-1.5: new full-speed USB device number 4 using xhci_hcd + cdc_acm 1-1.5:1.0: Zero length descriptor references + cdc_acm: probe of 1-1.5:1.0 failed with error -22 + +Adding the NO_UNION_NORMAL quirk for the device fixes the issue: + usb 1-4: new full-speed USB device number 15 using xhci_hcd + usb 1-4: New USB device found, idVendor=1965, idProduct=0018 + usb 1-4: New USB device strings: Mfr=1, Product=2, SerialNumber=3 + usb 1-4: Product: UBC125XLT + usb 1-4: Manufacturer: Uniden Corp. + usb 1-4: SerialNumber: 0001 + cdc_acm 1-4:1.0: ttyACM0: USB ACM device + +`lsusb -v` of the device: + + Bus 001 Device 015: ID 1965:0018 Uniden Corporation + Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 2 Communications + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x1965 Uniden Corporation + idProduct 0x0018 + bcdDevice 0.01 + iManufacturer 1 Uniden Corp. + iProduct 2 UBC125XLT + iSerial 3 0001 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 48 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 0 + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 1 + bInterfaceClass 2 Communications + bInterfaceSubClass 2 Abstract (modem) + bInterfaceProtocol 0 None + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x87 EP 7 IN + bmAttributes 3 + Transfer Type Interrupt + Synch Type None + Usage Type Data + wMaxPacketSize 0x0008 1x 8 bytes + bInterval 10 + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 10 CDC Data + bInterfaceSubClass 0 Unused + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0040 1x 64 bytes + bInterval 0 + Device Status: 0x0000 + (Bus Powered) + +Signed-off-by: Houston Yaroschoff +Cc: stable +Acked-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1712,6 +1712,9 @@ static const struct usb_device_id acm_id + { USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */ + .driver_info = SINGLE_RX_URB, + }, ++ { USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */ ++ .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ ++ }, + { USB_DEVICE(0x22b8, 0x7000), /* Motorola Q Phone */ + .driver_info = NO_UNION_NORMAL, /* has no union descriptor */ + }, diff --git a/queue-4.9/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch b/queue-4.9/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch new file mode 100644 index 00000000000..dfd90c419ae --- /dev/null +++ b/queue-4.9/usb-dwc2-fix-the-incorrect-bitmaps-for-the-ports-of-multi_tt-hub.patch @@ -0,0 +1,42 @@ +From 8760675932ddb614e83702117d36ea644050c609 Mon Sep 17 00:00:00 2001 +From: William Wu +Date: Mon, 21 May 2018 18:12:00 +0800 +Subject: usb: dwc2: fix the incorrect bitmaps for the ports of multi_tt hub + +From: William Wu + +commit 8760675932ddb614e83702117d36ea644050c609 upstream. + +The dwc2_get_ls_map() use ttport to reference into the +bitmap if we're on a multi_tt hub. But the bitmaps index +from 0 to (hub->maxchild - 1), while the ttport index from +1 to hub->maxchild. This will cause invalid memory access +when the number of ttport is hub->maxchild. + +Without this patch, I can easily meet a Kernel panic issue +if connect a low-speed USB mouse with the max port of FE2.1 +multi-tt hub (1a40:0201) on rk3288 platform. + +Fixes: 9f9f09b048f5 ("usb: dwc2: host: Totally redo the microframe scheduler") +Cc: +Reviewed-by: Douglas Anderson +Acked-by: Minas Harutyunyan hminas@synopsys.com> +Signed-off-by: William Wu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc2/hcd_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd_queue.c ++++ b/drivers/usb/dwc2/hcd_queue.c +@@ -479,7 +479,7 @@ static unsigned long *dwc2_get_ls_map(st + /* Get the map and adjust if this is a multi_tt hub */ + map = qh->dwc_tt->periodic_bitmaps; + if (qh->dwc_tt->usb_tt->multi) +- map += DWC2_ELEMENTS_PER_LS_BITMAP * qh->ttport; ++ map += DWC2_ELEMENTS_PER_LS_BITMAP * (qh->ttport - 1); + + return map; + } diff --git a/queue-4.9/usb-serial-cp210x-add-cesinel-device-ids.patch b/queue-4.9/usb-serial-cp210x-add-cesinel-device-ids.patch new file mode 100644 index 00000000000..00da2f8226b --- /dev/null +++ b/queue-4.9/usb-serial-cp210x-add-cesinel-device-ids.patch @@ -0,0 +1,66 @@ +From 24160628a34af962ac99f2f58e547ac3c4cbd26f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 18 Jun 2018 10:24:03 +0200 +Subject: USB: serial: cp210x: add CESINEL device ids + +From: Johan Hovold + +commit 24160628a34af962ac99f2f58e547ac3c4cbd26f upstream. + +Add device ids for CESINEL products. + +Reported-by: Carlos Barcala Lara +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -92,6 +92,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8156) }, /* B&G H3000 link cable */ + { USB_DEVICE(0x10C4, 0x815E) }, /* Helicomm IP-Link 1220-DVM */ + { USB_DEVICE(0x10C4, 0x815F) }, /* Timewave HamLinkUSB */ ++ { USB_DEVICE(0x10C4, 0x817C) }, /* CESINEL MEDCAL N Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817D) }, /* CESINEL MEDCAL NT Power Quality Monitor */ ++ { USB_DEVICE(0x10C4, 0x817E) }, /* CESINEL MEDCAL S Power Quality Monitor */ + { USB_DEVICE(0x10C4, 0x818B) }, /* AVIT Research USB to TTL */ + { USB_DEVICE(0x10C4, 0x819F) }, /* MJS USB Toslink Switcher */ + { USB_DEVICE(0x10C4, 0x81A6) }, /* ThinkOptics WavIt */ +@@ -109,6 +112,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x826B) }, /* Cygnal Integrated Products, Inc., Fasttrax GPS demonstration module */ + { USB_DEVICE(0x10C4, 0x8281) }, /* Nanotec Plug & Drive */ + { USB_DEVICE(0x10C4, 0x8293) }, /* Telegesis ETRX2USB */ ++ { USB_DEVICE(0x10C4, 0x82EF) }, /* CESINEL FALCO 6105 AC Power Supply */ ++ { USB_DEVICE(0x10C4, 0x82F1) }, /* CESINEL MEDCAL EFD Earth Fault Detector */ ++ { USB_DEVICE(0x10C4, 0x82F2) }, /* CESINEL MEDCAL ST Network Analyzer */ + { USB_DEVICE(0x10C4, 0x82F4) }, /* Starizona MicroTouch */ + { USB_DEVICE(0x10C4, 0x82F9) }, /* Procyon AVS */ + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ +@@ -121,7 +127,9 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8470) }, /* Juniper Networks BX Series System Console */ + { USB_DEVICE(0x10C4, 0x8477) }, /* Balluff RFID */ + { USB_DEVICE(0x10C4, 0x84B6) }, /* Starizona Hyperion */ ++ { USB_DEVICE(0x10C4, 0x851E) }, /* CESINEL MEDCAL PT Network Analyzer */ + { USB_DEVICE(0x10C4, 0x85A7) }, /* LifeScan OneTouch Verio IQ */ ++ { USB_DEVICE(0x10C4, 0x85B8) }, /* CESINEL ReCon T Energy Logger */ + { USB_DEVICE(0x10C4, 0x85EA) }, /* AC-Services IBUS-IF */ + { USB_DEVICE(0x10C4, 0x85EB) }, /* AC-Services CIS-IBUS */ + { USB_DEVICE(0x10C4, 0x85F8) }, /* Virtenio Preon32 */ +@@ -131,10 +139,13 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8857) }, /* CEL EM357 ZigBee USB Stick */ + { USB_DEVICE(0x10C4, 0x88A4) }, /* MMB Networks ZigBee USB Device */ + { USB_DEVICE(0x10C4, 0x88A5) }, /* Planet Innovation Ingeni ZigBee USB Device */ ++ { USB_DEVICE(0x10C4, 0x88FB) }, /* CESINEL MEDCAL STII Network Analyzer */ ++ { USB_DEVICE(0x10C4, 0x8938) }, /* CESINEL MEDCAL S II Network Analyzer */ + { USB_DEVICE(0x10C4, 0x8946) }, /* Ketra N1 Wireless Interface */ + { USB_DEVICE(0x10C4, 0x8962) }, /* Brim Brothers charging dock */ + { USB_DEVICE(0x10C4, 0x8977) }, /* CEL MeshWorks DevKit Device */ + { USB_DEVICE(0x10C4, 0x8998) }, /* KCF Technologies PRN */ ++ { USB_DEVICE(0x10C4, 0x89A4) }, /* CESINEL FTBC Flexible Thyristor Bridge Controller */ + { USB_DEVICE(0x10C4, 0x8A2A) }, /* HubZ dual ZigBee and Z-Wave dongle */ + { USB_DEVICE(0x10C4, 0x8A5E) }, /* CEL EM3588 ZigBee USB Stick Long Range */ + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ diff --git a/queue-4.9/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch b/queue-4.9/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch new file mode 100644 index 00000000000..3d562831619 --- /dev/null +++ b/queue-4.9/usb-serial-cp210x-add-silicon-labs-ids-for-windows-update.patch @@ -0,0 +1,38 @@ +From 2f839823382748664b643daa73f41ee0cc01ced6 Mon Sep 17 00:00:00 2001 +From: Karoly Pados +Date: Sat, 9 Jun 2018 13:26:08 +0200 +Subject: USB: serial: cp210x: add Silicon Labs IDs for Windows Update + +From: Karoly Pados + +commit 2f839823382748664b643daa73f41ee0cc01ced6 upstream. + +Silicon Labs defines alternative VID/PID pairs for some chips that when +used will automatically install drivers for Windows users without manual +intervention. Unfortunately, these IDs are not recognized by the Linux +module, so using these IDs improves user experience on one platform but +degrades it on Linux. This patch addresses this problem. + +Signed-off-by: Karoly Pados +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -151,8 +151,11 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8B34) }, /* Qivicon ZigBee USB Radio Stick */ + { USB_DEVICE(0x10C4, 0xEA60) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA61) }, /* Silicon Labs factory default */ ++ { USB_DEVICE(0x10C4, 0xEA63) }, /* Silicon Labs Windows Update (CP2101-4/CP2102N) */ + { USB_DEVICE(0x10C4, 0xEA70) }, /* Silicon Labs factory default */ + { USB_DEVICE(0x10C4, 0xEA71) }, /* Infinity GPS-MIC-1 Radio Monophone */ ++ { USB_DEVICE(0x10C4, 0xEA7A) }, /* Silicon Labs Windows Update (CP2105) */ ++ { USB_DEVICE(0x10C4, 0xEA7B) }, /* Silicon Labs Windows Update (CP2108) */ + { USB_DEVICE(0x10C4, 0xF001) }, /* Elan Digital Systems USBscope50 */ + { USB_DEVICE(0x10C4, 0xF002) }, /* Elan Digital Systems USBwave12 */ + { USB_DEVICE(0x10C4, 0xF003) }, /* Elan Digital Systems USBpulse100 */ diff --git a/queue-4.9/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch b/queue-4.9/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch new file mode 100644 index 00000000000..c3c456d5314 --- /dev/null +++ b/queue-4.9/vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch @@ -0,0 +1,69 @@ +From 21eff69aaaa0e766ca0ce445b477698dc6a9f55a Mon Sep 17 00:00:00 2001 +From: Alexander Potapenko +Date: Thu, 14 Jun 2018 12:23:09 +0200 +Subject: vt: prevent leaking uninitialized data to userspace via /dev/vcs* + +From: Alexander Potapenko + +commit 21eff69aaaa0e766ca0ce445b477698dc6a9f55a upstream. + +KMSAN reported an infoleak when reading from /dev/vcs*: + + BUG: KMSAN: kernel-infoleak in vcs_read+0x18ba/0x1cc0 + Call Trace: + ... + kmsan_copy_to_user+0x7a/0x160 mm/kmsan/kmsan.c:1253 + copy_to_user ./include/linux/uaccess.h:184 + vcs_read+0x18ba/0x1cc0 drivers/tty/vt/vc_screen.c:352 + __vfs_read+0x1b2/0x9d0 fs/read_write.c:416 + vfs_read+0x36c/0x6b0 fs/read_write.c:452 + ... + Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:279 + kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:189 + kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:315 + __kmalloc+0x13a/0x350 mm/slub.c:3818 + kmalloc ./include/linux/slab.h:517 + vc_allocate+0x438/0x800 drivers/tty/vt/vt.c:787 + con_install+0x8c/0x640 drivers/tty/vt/vt.c:2880 + tty_driver_install_tty drivers/tty/tty_io.c:1224 + tty_init_dev+0x1b5/0x1020 drivers/tty/tty_io.c:1324 + tty_open_by_driver drivers/tty/tty_io.c:1959 + tty_open+0x17b4/0x2ed0 drivers/tty/tty_io.c:2007 + chrdev_open+0xc25/0xd90 fs/char_dev.c:417 + do_dentry_open+0xccc/0x1440 fs/open.c:794 + vfs_open+0x1b6/0x2f0 fs/open.c:908 + ... + Bytes 0-79 of 240 are uninitialized + +Consistently allocating |vc_screenbuf| with kzalloc() fixes the problem + +Reported-by: syzbot+17a8efdf800000@syzkaller.appspotmail.com +Signed-off-by: Alexander Potapenko +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -785,7 +785,7 @@ int vc_allocate(unsigned int currcons) / + if (!*vc->vc_uni_pagedir_loc) + con_set_default_unimap(vc); + +- vc->vc_screenbuf = kmalloc(vc->vc_screenbuf_size, GFP_KERNEL); ++ vc->vc_screenbuf = kzalloc(vc->vc_screenbuf_size, GFP_KERNEL); + if (!vc->vc_screenbuf) + goto err_free; + +@@ -872,7 +872,7 @@ static int vc_do_resize(struct tty_struc + + if (new_screen_size > (4 << 20)) + return -EINVAL; +- newscreen = kmalloc(new_screen_size, GFP_USER); ++ newscreen = kzalloc(new_screen_size, GFP_USER); + if (!newscreen) + return -ENOMEM; + diff --git a/queue-4.9/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch b/queue-4.9/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch new file mode 100644 index 00000000000..a2fba3ecd1b --- /dev/null +++ b/queue-4.9/xhci-fix-perceived-dead-host-due-to-runtime-suspend-race-with-event-handler.patch @@ -0,0 +1,122 @@ +From 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Thu, 21 Jun 2018 16:19:41 +0300 +Subject: xhci: Fix perceived dead host due to runtime suspend race with event handler + +From: Mathias Nyman + +commit 229bc19fd7aca4f37964af06e3583c1c8f36b5d6 upstream. + +Don't rely on event interrupt (EINT) bit alone to detect pending port +change in resume. If no change event is detected the host may be suspended +again, oterwise roothubs are resumed. + +There is a lag in xHC setting EINT. If we don't notice the pending change +in resume, and the controller is runtime suspeded again, it causes the +event handler to assume host is dead as it will fail to read xHC registers +once PCI puts the controller to D3 state. + +[ 268.520969] xhci_hcd: xhci_resume: starting port polling. +[ 268.520985] xhci_hcd: xhci_hub_status_data: stopping port polling. +[ 268.521030] xhci_hcd: xhci_suspend: stopping port polling. +[ 268.521040] xhci_hcd: // Setting command ring address to 0x349bd001 +[ 268.521139] xhci_hcd: Port Status Change Event for port 3 +[ 268.521149] xhci_hcd: resume root hub +[ 268.521163] xhci_hcd: port resume event for port 3 +[ 268.521168] xhci_hcd: xHC is not running. +[ 268.521174] xhci_hcd: handle_port_status: starting port polling. +[ 268.596322] xhci_hcd: xhci_hc_died: xHCI host controller not responding, assume dead + +The EINT lag is described in a additional note in xhci specs 4.19.2: + +"Due to internal xHC scheduling and system delays, there will be a lag +between a change bit being set and the Port Status Change Event that it +generated being written to the Event Ring. If SW reads the PORTSC and +sees a change bit set, there is no guarantee that the corresponding Port +Status Change Event has already been written into the Event Ring." + +Cc: +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 40 +++++++++++++++++++++++++++++++++++++--- + drivers/usb/host/xhci.h | 4 ++++ + 2 files changed, 41 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -891,6 +891,41 @@ static void xhci_disable_port_wake_on_bi + spin_unlock_irqrestore(&xhci->lock, flags); + } + ++static bool xhci_pending_portevent(struct xhci_hcd *xhci) ++{ ++ struct xhci_port **ports; ++ int port_index; ++ u32 status; ++ u32 portsc; ++ ++ status = readl(&xhci->op_regs->status); ++ if (status & STS_EINT) ++ return true; ++ /* ++ * Checking STS_EINT is not enough as there is a lag between a change ++ * bit being set and the Port Status Change Event that it generated ++ * being written to the Event Ring. See note in xhci 1.1 section 4.19.2. ++ */ ++ ++ port_index = xhci->usb2_rhub.num_ports; ++ ports = xhci->usb2_rhub.ports; ++ while (port_index--) { ++ portsc = readl(ports[port_index]->addr); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ port_index = xhci->usb3_rhub.num_ports; ++ ports = xhci->usb3_rhub.ports; ++ while (port_index--) { ++ portsc = readl(ports[port_index]->addr); ++ if (portsc & PORT_CHANGE_MASK || ++ (portsc & PORT_PLS_MASK) == XDEV_RESUME) ++ return true; ++ } ++ return false; ++} ++ + /* + * Stop HC (not bus-specific) + * +@@ -987,7 +1022,7 @@ EXPORT_SYMBOL_GPL(xhci_suspend); + */ + int xhci_resume(struct xhci_hcd *xhci, bool hibernated) + { +- u32 command, temp = 0, status; ++ u32 command, temp = 0; + struct usb_hcd *hcd = xhci_to_hcd(xhci); + struct usb_hcd *secondary_hcd; + int retval = 0; +@@ -1109,8 +1144,7 @@ int xhci_resume(struct xhci_hcd *xhci, b + done: + if (retval == 0) { + /* Resume root hubs only when have pending events. */ +- status = readl(&xhci->op_regs->status); +- if (status & STS_EINT) { ++ if (xhci_pending_portevent(xhci)) { + usb_hcd_resume_root_hub(xhci->shared_hcd); + usb_hcd_resume_root_hub(hcd); + } +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -385,6 +385,10 @@ struct xhci_op_regs { + #define PORT_PLC (1 << 22) + /* port configure error change - port failed to configure its link partner */ + #define PORT_CEC (1 << 23) ++#define PORT_CHANGE_MASK (PORT_CSC | PORT_PEC | PORT_WRC | PORT_OCC | \ ++ PORT_RC | PORT_PLC | PORT_CEC) ++ ++ + /* Cold Attach Status - xHC can set this bit to report device attached during + * Sx state. Warm port reset should be perfomed to clear this bit and move port + * to connected state.