From d1121fbfce418046fc3777500b7fc3644f7055a1 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 24 May 2018 10:10:34 +0200 Subject: [PATCH] 4.16-stable patches added patches: alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch bluetooth-btusb-add-device-id-for-rtl8822be.patch bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch cfg80211-limit-wiphy-names-to-128-bytes.patch crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch crypto-inside-secure-do-not-overwrite-the-threshold-value.patch crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch crypto-inside-secure-fix-the-cache_len-computation.patch crypto-inside-secure-fix-the-extra-cache-computation.patch crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch crypto-inside-secure-move-the-digest-to-the-request-context.patch crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch hfsplus-stop-workqueue-when-fill_super-failed.patch loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch loop-fix-loop_get_status-lock-imbalance.patch media-em28xx-usb-bulk-packet-size-fix.patch media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch staging-bcm2835-audio-release-resources-on-module_exit.patch staging-fsl-dpaa2-eth-fix-incorrect-casts.patch staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch staging-lustre-fix-bug-in-osc_enter_cache_try.patch staging-lustre-lmv-correctly-iput-lmo_root.patch staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch usb-dwc2-fix-interval-type-issue.patch usb-dwc2-hcd-fix-host-channel-halt-flow.patch usb-dwc2-host-fix-transaction-errors-in-host-mode.patch usb-dwc3-add-softreset-phy-synchonization-delay.patch usb-dwc3-makefile-fix-link-error-on-randconfig.patch usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch --- ...-native-dsd-support-for-luxman-da-06.patch | 131 +++++++++ ...th-btusb-add-device-id-for-rtl8822be.patch | 33 +++ ...ort-for-intel-bluetooth-device-22560.patch | 88 ++++++ ...b-id-7392-a611-for-edimax-ew-7611ulb.patch | 74 +++++ ...80211-limit-wiphy-names-to-128-bytes.patch | 51 ++++ ...l-aes-fix-the-keys-zeroing-on-errors.patch | 34 +++ ...-interrupts-while-setting-up-debugfs.patch | 82 ++++++ ...do-not-overwrite-the-threshold-value.patch | 40 +++ ...ess-request-if-no-command-was-issued.patch | 41 +++ ...secure-fix-the-cache_len-computation.patch | 34 +++ ...cure-fix-the-extra-cache-computation.patch | 32 +++ ...he-invalidation-step-during-cra_exit.patch | 62 +++++ ...ve-the-digest-to-the-request-context.patch | 161 +++++++++++ ...equest-to-complete-if-in-the-backlog.patch | 34 +++ ...unxi-ss-add-module_alias-to-sun4i-ss.patch | 31 +++ ...top-workqueue-when-fill_super-failed.patch | 45 ++++ ...ilesystem-while-holding-lo_ctl_mutex.patch | 107 ++++++++ ...p-fix-loop_get_status-lock-imbalance.patch | 84 ++++++ ...edia-em28xx-usb-bulk-packet-size-fix.patch | 46 ++++ ...-module-count-mismatch-on-usb-unplug.patch | 44 +++ queue-4.16/series | 41 +++ ...dio-release-resources-on-module_exit.patch | 253 ++++++++++++++++++ ...ng-fsl-dpaa2-eth-fix-incorrect-casts.patch | 51 ++++ ...ng-fsl-dpaa2-eth-fix-incorrect-kfree.patch | 62 +++++ ...eee80211_eid-instead-of-literal-ints.patch | 106 ++++++++ ...ustre-fix-bug-in-osc_enter_cache_try.patch | 55 ++++ ...g-lustre-lmv-correctly-iput-lmo_root.patch | 45 ++++ ...on-failed-allocation-of-priv-oldaddr.patch | 36 +++ .../usb-dwc2-fix-interval-type-issue.patch | 31 +++ ...-dwc2-hcd-fix-host-channel-halt-flow.patch | 49 ++++ ...-fix-transaction-errors-in-host-mode.patch | 54 ++++ ...d-softreset-phy-synchonization-delay.patch | 50 ++++ ...akefile-fix-link-error-on-randconfig.patch | 32 +++ ...date-dwc_usb31-gtxfifosiz-reg-fields.patch | 40 +++ ...correct-handling-of-os-desc-requests.patch | 158 +++++++++++ ...xecute-copy_to_user-with-user_ds-set.patch | 68 +++++ ...tup-return-usb_gadget_delayed_status.patch | 53 ++++ ...to-bitshift-when-dealing-with-a-mask.patch | 32 +++ ...-value-of-config_usbip_vhci_hc_ports.patch | 35 +++ ...free_page-upon-do_kexec_load-failure.patch | 103 +++++++ ...xhc-supports-from-protocol-capablity.patch | 62 +++++ ...en-disabling-and-freeing-a-xhci-slot.patch | 38 +++ 42 files changed, 2708 insertions(+) create mode 100644 queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch create mode 100644 queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch create mode 100644 queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch create mode 100644 queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch create mode 100644 queue-4.16/cfg80211-limit-wiphy-names-to-128-bytes.patch create mode 100644 queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch create mode 100644 queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch create mode 100644 queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch create mode 100644 queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch create mode 100644 queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch create mode 100644 queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch create mode 100644 queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch create mode 100644 queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch create mode 100644 queue-4.16/hfsplus-stop-workqueue-when-fill_super-failed.patch create mode 100644 queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch create mode 100644 queue-4.16/loop-fix-loop_get_status-lock-imbalance.patch create mode 100644 queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch create mode 100644 queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch create mode 100644 queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch create mode 100644 queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch create mode 100644 queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch create mode 100644 queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch create mode 100644 queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch create mode 100644 queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch create mode 100644 queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch create mode 100644 queue-4.16/usb-dwc2-fix-interval-type-issue.patch create mode 100644 queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch create mode 100644 queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch create mode 100644 queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch create mode 100644 queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch create mode 100644 queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch create mode 100644 queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch create mode 100644 queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch create mode 100644 queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch create mode 100644 queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch create mode 100644 queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch create mode 100644 queue-4.16/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch create mode 100644 queue-4.16/xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch create mode 100644 queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch diff --git a/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch b/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch new file mode 100644 index 00000000000..b04703cfda8 --- /dev/null +++ b/queue-4.16/alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch @@ -0,0 +1,131 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Nobutaka Okabe +Date: Fri, 23 Mar 2018 19:18:22 +0900 +Subject: ALSA: usb-audio: Add native DSD support for Luxman DA-06 + +From: Nobutaka Okabe + +[ Upstream commit 71426535f49fe6034d0e0db77608b91a0c1a022d ] + +Add native DSD support quirk for Luxman DA-06 DAC, by adding the +PID/VID 1852:5065. + +Rename "is_marantz_denon_dac()" function to "is_itf_usb_dsd_2alts_dac()" +to cover broader device family sharing the same USB audio +implementation(*). +For the same reason, rename "is_teac_dsd_dac()" function to +"is_itf_usb_dsd_3alts_dac()". + +(*) +These devices have the same USB controller "ITF-USB DSD", supplied by +INTERFACE Co., Ltd. +"ITF-USB DSD" USB controller has two patterns, + +Pattern 1. (2 altsets version) +- Altset 0: for control +- Altset 1: for stream (S32) +- Altset 2: for stream (S32, DSD_U32) + +Pattern 2. (3 altsets version) +- Altset 0: for control +- Altset 1: for stream (S16) +- Altset 2: for stream (S32) +- Altset 3: for stream (S32, DSD_U32) + +"is_itf_usb_dsd_2alts_dac()" returns true, if the DAC has "Pattern 1" +USB controller, and "is_itf_usb_dsd_3alts_dac()" returns true, if +"Pattern2". + +Signed-off-by: Nobutaka Okabe +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + sound/usb/quirks.c | 29 ++++++++++++++++------------- + 1 file changed, 16 insertions(+), 13 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -1149,24 +1149,27 @@ bool snd_usb_get_sample_rate_quirk(struc + return false; + } + +-/* Marantz/Denon USB DACs need a vendor cmd to switch ++/* ITF-USB DSD based DACs need a vendor cmd to switch + * between PCM and native DSD mode ++ * (2 altsets version) + */ +-static bool is_marantz_denon_dac(unsigned int id) ++static bool is_itf_usb_dsd_2alts_dac(unsigned int id) + { + switch (id) { + case USB_ID(0x154e, 0x1003): /* Denon DA-300USB */ + case USB_ID(0x154e, 0x3005): /* Marantz HD-DAC1 */ + case USB_ID(0x154e, 0x3006): /* Marantz SA-14S1 */ ++ case USB_ID(0x1852, 0x5065): /* Luxman DA-06 */ + return true; + } + return false; + } + +-/* TEAC UD-501/UD-503/NT-503 USB DACs need a vendor cmd to switch +- * between PCM/DOP and native DSD mode ++/* ITF-USB DSD based DACs need a vendor cmd to switch ++ * between PCM and native DSD mode ++ * (3 altsets version) + */ +-static bool is_teac_dsd_dac(unsigned int id) ++static bool is_itf_usb_dsd_3alts_dac(unsigned int id) + { + switch (id) { + case USB_ID(0x0644, 0x8043): /* TEAC UD-501/UD-503/NT-503 */ +@@ -1183,7 +1186,7 @@ int snd_usb_select_mode_quirk(struct snd + struct usb_device *dev = subs->dev; + int err; + +- if (is_marantz_denon_dac(subs->stream->chip->usb_id)) { ++ if (is_itf_usb_dsd_2alts_dac(subs->stream->chip->usb_id)) { + /* First switch to alt set 0, otherwise the mode switch cmd + * will not be accepted by the DAC + */ +@@ -1204,7 +1207,7 @@ int snd_usb_select_mode_quirk(struct snd + break; + } + mdelay(20); +- } else if (is_teac_dsd_dac(subs->stream->chip->usb_id)) { ++ } else if (is_itf_usb_dsd_3alts_dac(subs->stream->chip->usb_id)) { + /* Vendor mode switch cmd is required. */ + switch (fmt->altsetting) { + case 3: /* DSD mode (DSD_U32) requested */ +@@ -1300,10 +1303,10 @@ void snd_usb_ctl_msg_quirk(struct usb_de + (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + +- /* Marantz/Denon devices with USB DAC functionality need a delay ++ /* ITF-USB DSD based DACs functionality need a delay + * after each class compliant request + */ +- if (is_marantz_denon_dac(chip->usb_id) ++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id) + && (requesttype & USB_TYPE_MASK) == USB_TYPE_CLASS) + mdelay(20); + +@@ -1390,14 +1393,14 @@ u64 snd_usb_interface_dsd_format_quirks( + break; + } + +- /* Denon/Marantz devices with USB DAC functionality */ +- if (is_marantz_denon_dac(chip->usb_id)) { ++ /* ITF-USB DSD based DACs (2 altsets version) */ ++ if (is_itf_usb_dsd_2alts_dac(chip->usb_id)) { + if (fp->altsetting == 2) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + } + +- /* TEAC devices with USB DAC functionality */ +- if (is_teac_dsd_dac(chip->usb_id)) { ++ /* ITF-USB DSD based DACs (3 altsets version) */ ++ if (is_itf_usb_dsd_3alts_dac(chip->usb_id)) { + if (fp->altsetting == 3) + return SNDRV_PCM_FMTBIT_DSD_U32_BE; + } diff --git a/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch b/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch new file mode 100644 index 00000000000..3da8c046d84 --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-device-id-for-rtl8822be.patch @@ -0,0 +1,33 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Larry Finger +Date: Sun, 11 Feb 2018 12:24:32 -0600 +Subject: Bluetooth: btusb: Add device ID for RTL8822BE + +From: Larry Finger + +[ Upstream commit fed03fe7e55b7dc16077f672bd9d7bbe92b3a691 ] + +The Asus Z370-I contains a Realtek RTL8822BE device with an associated +BT chip using a USB ID of 0b05:185c. This device is added to the driver. + +Signed-off-by: Hon Weng Chong +Signed-off-by: Larry Finger +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -377,6 +377,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3461), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3462), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8822BE Bluetooth devices */ ++ { USB_DEVICE(0x0b05, 0x185c), .driver_info = BTUSB_REALTEK }, ++ + /* Silicon Wave based devices */ + { USB_DEVICE(0x0c10, 0x0000), .driver_info = BTUSB_SWAVE }, + diff --git a/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch b/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch new file mode 100644 index 00000000000..b29425c97bb --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch @@ -0,0 +1,88 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Tedd Ho-Jeong An +Date: Mon, 5 Feb 2018 14:20:36 -0800 +Subject: Bluetooth: btusb: Add support for Intel Bluetooth device 22560 [8087:0026] + +From: Tedd Ho-Jeong An + +[ Upstream commit 1ce0cec1c14cda7e514fa21b36c0f035203b447d ] + +The Intel Bluetooth device 22560 family (HarrisonPeak, QnJ, and IcyPeak) +use the same firmware loading mechanism as previous generation, +so include new USB product ID and whitelist the hardware variant. + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 16 Spd=12 MxCh= 0 +D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=8087 ProdID=0026 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms + +Signed-off-by: Tedd Ho-Jeong An +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -340,6 +340,7 @@ static const struct usb_device_id blackl + + /* Intel Bluetooth devices */ + { USB_DEVICE(0x8087, 0x0025), .driver_info = BTUSB_INTEL_NEW }, ++ { USB_DEVICE(0x8087, 0x0026), .driver_info = BTUSB_INTEL_NEW }, + { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, + { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL }, + { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL }, +@@ -2086,6 +2087,8 @@ static int btusb_setup_intel_new(struct + case 0x0c: /* WsP */ + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + break; + default: + BT_ERR("%s: Unsupported Intel hardware variant (%u)", +@@ -2178,6 +2181,8 @@ static int btusb_setup_intel_new(struct + break; + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.sfi", + le16_to_cpu(ver.hw_variant), + le16_to_cpu(ver.hw_revision), +@@ -2209,6 +2214,8 @@ static int btusb_setup_intel_new(struct + break; + case 0x11: /* JfP */ + case 0x12: /* ThP */ ++ case 0x13: /* HrP */ ++ case 0x14: /* QnJ, IcP */ + snprintf(fwname, sizeof(fwname), "intel/ibt-%u-%u-%u.ddc", + le16_to_cpu(ver.hw_variant), + le16_to_cpu(ver.hw_revision), diff --git a/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch b/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch new file mode 100644 index 00000000000..d5fc8356db4 --- /dev/null +++ b/queue-4.16/bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch @@ -0,0 +1,74 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Vicente Bergas +Date: Tue, 20 Mar 2018 19:41:10 +0100 +Subject: Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB + +From: Vicente Bergas + +[ Upstream commit a41e0796396eeceff673af4a38feaee149c6ff86 ] + +This WiFi/Bluetooth USB dongle uses a Realtek chipset, so, use btrtl for it. + +Product information: +https://wikidevi.com/wiki/Edimax_EW-7611ULB + +>From /sys/kernel/debug/usb/devices +T: Bus=02 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=7392 ProdID=a611 Rev= 2.00 +S: Manufacturer=Realtek +S: Product=Edimax Wi-Fi N150 Bluetooth4.0 USB Adapter +S: SerialNumber=00e04c000001 +C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=500mA +A: FirstIf#= 0 IfCount= 2 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=ff Prot=ff Driver=rtl8723bu +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=87(I) Atr=03(Int.) MxPS= 64 Ivl=500us +E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Tested-by: Vicente Bergas +Signed-off-by: Vicente Bergas +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -367,6 +367,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3459), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3494), .driver_info = BTUSB_REALTEK }, + ++ /* Additional Realtek 8723BU Bluetooth devices */ ++ { USB_DEVICE(0x7392, 0xa611), .driver_info = BTUSB_REALTEK }, ++ + /* Additional Realtek 8821AE Bluetooth devices */ + { USB_DEVICE(0x0b05, 0x17dc), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3414), .driver_info = BTUSB_REALTEK }, diff --git a/queue-4.16/cfg80211-limit-wiphy-names-to-128-bytes.patch b/queue-4.16/cfg80211-limit-wiphy-names-to-128-bytes.patch new file mode 100644 index 00000000000..3f2bc9ade0a --- /dev/null +++ b/queue-4.16/cfg80211-limit-wiphy-names-to-128-bytes.patch @@ -0,0 +1,51 @@ +From a7cfebcb7594a24609268f91299ab85ba064bf82 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 3 Apr 2018 14:33:49 +0200 +Subject: cfg80211: limit wiphy names to 128 bytes + +From: Johannes Berg + +commit a7cfebcb7594a24609268f91299ab85ba064bf82 upstream. + +There's currently no limit on wiphy names, other than netlink +message size and memory limitations, but that causes issues when, +for example, the wiphy name is used in a uevent, e.g. in rfkill +where we use the same name for the rfkill instance, and then the +buffer there is "only" 2k for the environment variables. + +This was reported by syzkaller, which used a 4k name. + +Limit the name to something reasonable, I randomly picked 128. + +Reported-by: syzbot+230d9e642a85d3fec29c@syzkaller.appspotmail.com +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + include/uapi/linux/nl80211.h | 2 ++ + net/wireless/core.c | 3 +++ + 2 files changed, 5 insertions(+) + +--- a/include/uapi/linux/nl80211.h ++++ b/include/uapi/linux/nl80211.h +@@ -2618,6 +2618,8 @@ enum nl80211_attrs { + #define NL80211_ATTR_KEYS NL80211_ATTR_KEYS + #define NL80211_ATTR_FEATURE_FLAGS NL80211_ATTR_FEATURE_FLAGS + ++#define NL80211_WIPHY_NAME_MAXLEN 128 ++ + #define NL80211_MAX_SUPP_RATES 32 + #define NL80211_MAX_SUPP_HT_RATES 77 + #define NL80211_MAX_SUPP_REG_RULES 64 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -95,6 +95,9 @@ static int cfg80211_dev_check_name(struc + + ASSERT_RTNL(); + ++ if (strlen(newname) > NL80211_WIPHY_NAME_MAXLEN) ++ return -EINVAL; ++ + /* prohibit calling the thing phy%d when %d is not its number */ + sscanf(newname, PHY_NAME "%d%n", &wiphy_idx, &taken); + if (taken == strlen(newname) && wiphy_idx != rdev->wiphy_idx) { diff --git a/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch b/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch new file mode 100644 index 00000000000..852196dfb86 --- /dev/null +++ b/queue-4.16/crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch @@ -0,0 +1,34 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Fri, 23 Feb 2018 10:01:40 +0100 +Subject: crypto: atmel-aes - fix the keys zeroing on errors + +From: Antoine Tenart + +[ Upstream commit 5d804a5157dbaa64872a675923ae87161165c66b ] + +The Atmel AES driver uses memzero_explicit on the keys on error, but the +variable zeroed isn't the right one because of a typo. Fix this by using +the right variable. + +Fixes: 89a82ef87e01 ("crypto: atmel-authenc - add support to authenc(hmac(shaX), Y(aes)) modes") +Signed-off-by: Antoine Tenart +Reviewed-by: Tudor Ambarus +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/atmel-aes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/atmel-aes.c ++++ b/drivers/crypto/atmel-aes.c +@@ -2155,7 +2155,7 @@ static int atmel_aes_authenc_setkey(stru + + badkey: + crypto_aead_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); +- memzero_explicit(&key, sizeof(keys)); ++ memzero_explicit(&keys, sizeof(keys)); + return -EINVAL; + } + diff --git a/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch b/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch new file mode 100644 index 00000000000..e854709f168 --- /dev/null +++ b/queue-4.16/crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch @@ -0,0 +1,82 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Sebastian Andrzej Siewior +Date: Fri, 23 Feb 2018 23:33:07 +0100 +Subject: crypto: ccp - don't disable interrupts while setting up debugfs + +From: Sebastian Andrzej Siewior + +[ Upstream commit 79eb382b5e06a6dca5806465d7195d686a463ab0 ] + +I don't why we need take a single write lock and disable interrupts +while setting up debugfs. This is what what happens when we try anyway: + +|ccp 0000:03:00.2: enabling device (0000 -> 0002) +|BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:69 +|in_atomic(): 1, irqs_disabled(): 1, pid: 3, name: kworker/0:0 +|irq event stamp: 17150 +|hardirqs last enabled at (17149): [<0000000097a18c49>] restore_regs_and_return_to_kernel+0x0/0x23 +|hardirqs last disabled at (17150): [<000000000773b3a9>] _raw_write_lock_irqsave+0x1b/0x50 +|softirqs last enabled at (17148): [<0000000064d56155>] __do_softirq+0x3b8/0x4c1 +|softirqs last disabled at (17125): [<0000000092633c18>] irq_exit+0xb1/0xc0 +|CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0-rc2+ #30 +|Workqueue: events work_for_cpu_fn +|Call Trace: +| dump_stack+0x7d/0xb6 +| ___might_sleep+0x1eb/0x250 +| down_write+0x17/0x60 +| start_creating+0x4c/0xe0 +| debugfs_create_dir+0x9/0x100 +| ccp5_debugfs_setup+0x191/0x1b0 +| ccp5_init+0x8a7/0x8c0 +| ccp_dev_init+0xb8/0xe0 +| sp_init+0x6c/0x90 +| sp_pci_probe+0x26e/0x590 +| local_pci_probe+0x3f/0x90 +| work_for_cpu_fn+0x11/0x20 +| process_one_work+0x1ff/0x650 +| worker_thread+0x1d4/0x3a0 +| kthread+0xfe/0x130 +| ret_from_fork+0x27/0x50 + +If any locking is required, a simple mutex will do it. + +Cc: Gary R Hook +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Gary R Hook +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/ccp/ccp-debugfs.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/crypto/ccp/ccp-debugfs.c ++++ b/drivers/crypto/ccp/ccp-debugfs.c +@@ -278,7 +278,7 @@ static const struct file_operations ccp_ + }; + + static struct dentry *ccp_debugfs_dir; +-static DEFINE_RWLOCK(ccp_debugfs_lock); ++static DEFINE_MUTEX(ccp_debugfs_lock); + + #define MAX_NAME_LEN 20 + +@@ -290,16 +290,15 @@ void ccp5_debugfs_setup(struct ccp_devic + struct dentry *debugfs_stats; + struct dentry *debugfs_q_instance; + struct dentry *debugfs_q_stats; +- unsigned long flags; + int i; + + if (!debugfs_initialized()) + return; + +- write_lock_irqsave(&ccp_debugfs_lock, flags); ++ mutex_lock(&ccp_debugfs_lock); + if (!ccp_debugfs_dir) + ccp_debugfs_dir = debugfs_create_dir(KBUILD_MODNAME, NULL); +- write_unlock_irqrestore(&ccp_debugfs_lock, flags); ++ mutex_unlock(&ccp_debugfs_lock); + if (!ccp_debugfs_dir) + return; + diff --git a/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch b/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch new file mode 100644 index 00000000000..6ab9b609053 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-do-not-overwrite-the-threshold-value.patch @@ -0,0 +1,40 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:51 +0100 +Subject: crypto: inside-secure - do not overwrite the threshold value + +From: Antoine Tenart + +[ Upstream commit e1d24c0bb76648cdf789b168defb6e31adb0b1b1 ] + +This patch fixes the Inside Secure SafeXcel driver not to overwrite the +interrupt threshold value. In certain cases the value of this register, +which controls when to fire an interrupt, was overwritten. This lead to +packet not being processed or acked as the driver never was aware of +their completion. + +This patch fixes this behaviour by not setting the threshold when +requests are being processed by the engine. + +Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -523,8 +523,7 @@ finalize: + + if (!priv->ring[ring].busy) { + nreq -= safexcel_try_push_requests(priv, ring, nreq); +- if (nreq) +- priv->ring[ring].busy = true; ++ priv->ring[ring].busy = true; + } + + priv->ring[ring].requests_left += nreq; diff --git a/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch b/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch new file mode 100644 index 00000000000..afc7f698726 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch @@ -0,0 +1,41 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:54 +0100 +Subject: crypto: inside-secure - do not process request if no command was issued + +From: Antoine Tenart + +[ Upstream commit 95831ceafc0de7d94a5fe86ebb1c2042317cc2cd ] + +This patch adds a check in the SafeXcel dequeue function, to avoid +processing request further if no hardware command was issued. This can +happen in certain cases where the ->send() function caches all the data +that would have been send. + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/crypto/inside-secure/safexcel.c ++++ b/drivers/crypto/inside-secure/safexcel.c +@@ -490,6 +490,15 @@ handle_req: + if (backlog) + backlog->complete(backlog, -EINPROGRESS); + ++ /* In case the send() helper did not issue any command to push ++ * to the engine because the input data was cached, continue to ++ * dequeue other requests as this is valid and not an error. ++ */ ++ if (!commands && !results) { ++ kfree(request); ++ continue; ++ } ++ + spin_lock_bh(&priv->ring[ring].egress_lock); + list_add_tail(&request->list, &priv->ring[ring].list); + spin_unlock_bh(&priv->ring[ring].egress_lock); diff --git a/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch b/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch new file mode 100644 index 00000000000..2961e452c8d --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-cache_len-computation.patch @@ -0,0 +1,34 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:53 +0100 +Subject: crypto: inside-secure - fix the cache_len computation + +From: Antoine Tenart + +[ Upstream commit 666a9c70b04fccabde5cea5e680ae1ae92460a62 ] + +This patch fixes the cache length computation as cache_len could end up +being a negative value. The check between the queued size and the +block size is updated to reflect the caching mechanism which can cache +up to a full block size (included!). + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -187,7 +187,7 @@ static int safexcel_ahash_send_req(struc + int i, queued, len, cache_len, extra, n_cdesc = 0, ret = 0; + + queued = len = req->len - req->processed; +- if (queued < crypto_ahash_blocksize(ahash)) ++ if (queued <= crypto_ahash_blocksize(ahash)) + cache_len = queued; + else + cache_len = queued - areq->nbytes; diff --git a/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch b/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch new file mode 100644 index 00000000000..5f492ae7a0b --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-extra-cache-computation.patch @@ -0,0 +1,32 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:52 +0100 +Subject: crypto: inside-secure - fix the extra cache computation + +From: Antoine Tenart + +[ Upstream commit c1a8fa6e240ed4b99778d48ab790743565cb61c8 ] + +This patch fixes the extra cache computation when the queued data is a +multiple of a block size. This fixes the hash support in some cases. + +Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -201,7 +201,7 @@ static int safexcel_ahash_send_req(struc + /* If this is not the last request and the queued data + * is a multiple of a block, cache the last one for now. + */ +- extra = queued - crypto_ahash_blocksize(ahash); ++ extra = crypto_ahash_blocksize(ahash); + + if (extra) { + sg_pcopy_to_buffer(areq->src, sg_nents(areq->src), diff --git a/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch b/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch new file mode 100644 index 00000000000..71e059faed8 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch @@ -0,0 +1,62 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Tue, 13 Feb 2018 09:26:55 +0100 +Subject: crypto: inside-secure - fix the invalidation step during cra_exit + +From: Antoine Tenart + +[ Upstream commit b7007dbccd92f7b8c00e590020bee542a48c6a2c ] + +When exiting a transformation, the cra_exit() helper is called in each +driver providing one. The Inside Secure SafeXcel driver has one, which +is responsible of freeing some areas and of sending one invalidation +request to the crypto engine, to invalidate the context that was used +during the transformation. + +We could see in some setups (when lots of transformations were being +used with a short lifetime, and hence lots of cra_exit() calls) NULL +pointer dereferences and other weird issues. All these issues were +coming from accessing the tfm context. + +The issue is the invalidation request completion is checked using a +wait_for_completion_interruptible() call in both the cipher and hash +cra_exit() helpers. In some cases this was interrupted while the +invalidation request wasn't processed yet. And then cra_exit() returned, +and its caller was freeing the tfm instance. Only then the request was +being handled by the SafeXcel driver, which lead to the said issues. + +This patch fixes this by using wait_for_completion() calls in these +specific cases. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_cipher.c | 2 +- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel_cipher.c ++++ b/drivers/crypto/inside-secure/safexcel_cipher.c +@@ -456,7 +456,7 @@ static int safexcel_cipher_exit_inv(stru + queue_work(priv->ring[ring].workqueue, + &priv->ring[ring].work_data.work); + +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + + if (result.error) { + dev_warn(priv->dev, +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -496,7 +496,7 @@ static int safexcel_ahash_exit_inv(struc + queue_work(priv->ring[ring].workqueue, + &priv->ring[ring].work_data.work); + +- wait_for_completion_interruptible(&result.completion); ++ wait_for_completion(&result.completion); + + if (result.error) { + dev_warn(priv->dev, "hash: completion error (%d)\n", diff --git a/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch b/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch new file mode 100644 index 00000000000..bcb5197686b --- /dev/null +++ b/queue-4.16/crypto-inside-secure-move-the-digest-to-the-request-context.patch @@ -0,0 +1,161 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Mon, 19 Mar 2018 09:21:13 +0100 +Subject: crypto: inside-secure - move the digest to the request context + +From: Antoine Tenart + +[ Upstream commit b869648c060fbb00bf6578d13cbe83e6f85914bc ] + +This patches moves the digest information from the transformation +context to the request context. This fixes cases where HMAC init +functions were called and override the digest value for a short period +of time, as the HMAC init functions call the SHA init one which reset +the value. This lead to a small percentage of HMAC being incorrectly +computed under heavy load. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +[Ofer here did all the work, from seeing the issue to understanding the +root cause. I only made the patch.] +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 30 ++++++++++++++++----------- + 1 file changed, 18 insertions(+), 12 deletions(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -21,7 +21,6 @@ struct safexcel_ahash_ctx { + struct safexcel_crypto_priv *priv; + + u32 alg; +- u32 digest; + + u32 ipad[SHA1_DIGEST_SIZE / sizeof(u32)]; + u32 opad[SHA1_DIGEST_SIZE / sizeof(u32)]; +@@ -35,6 +34,8 @@ struct safexcel_ahash_req { + + int nents; + ++ u32 digest; ++ + u8 state_sz; /* expected sate size, only set once */ + u32 state[SHA256_DIGEST_SIZE / sizeof(u32)] __aligned(sizeof(u32)); + +@@ -49,6 +50,8 @@ struct safexcel_ahash_export_state { + u64 len; + u64 processed; + ++ u32 digest; ++ + u32 state[SHA256_DIGEST_SIZE / sizeof(u32)]; + u8 cache[SHA256_BLOCK_SIZE]; + }; +@@ -82,9 +85,9 @@ static void safexcel_context_control(str + + cdesc->control_data.control0 |= CONTEXT_CONTROL_TYPE_HASH_OUT; + cdesc->control_data.control0 |= ctx->alg; +- cdesc->control_data.control0 |= ctx->digest; ++ cdesc->control_data.control0 |= req->digest; + +- if (ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { ++ if (req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) { + if (req->processed) { + if (ctx->alg == CONTEXT_CONTROL_CRYPTO_ALG_SHA1) + cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(6); +@@ -112,7 +115,7 @@ static void safexcel_context_control(str + if (req->finish) + ctx->base.ctxr->data[i] = cpu_to_le32(req->processed / blocksize); + } +- } else if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) { ++ } else if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) { + cdesc->control_data.control0 |= CONTEXT_CONTROL_SIZE(10); + + memcpy(ctx->base.ctxr->data, ctx->ipad, digestsize); +@@ -550,7 +553,7 @@ static int safexcel_ahash_enqueue(struct + if (ctx->base.ctxr) { + if (priv->version == EIP197 && + !ctx->base.needs_inv && req->processed && +- ctx->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) ++ req->digest == CONTEXT_CONTROL_DIGEST_PRECOMPUTED) + /* We're still setting needs_inv here, even though it is + * cleared right away, because the needs_inv flag can be + * set in other functions and we want to keep the same +@@ -585,7 +588,6 @@ static int safexcel_ahash_enqueue(struct + + static int safexcel_ahash_update(struct ahash_request *areq) + { +- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); + struct safexcel_ahash_req *req = ahash_request_ctx(areq); + struct crypto_ahash *ahash = crypto_ahash_reqtfm(areq); + +@@ -601,7 +603,7 @@ static int safexcel_ahash_update(struct + * We're not doing partial updates when performing an hmac request. + * Everything will be handled by the final() call. + */ +- if (ctx->digest == CONTEXT_CONTROL_DIGEST_HMAC) ++ if (req->digest == CONTEXT_CONTROL_DIGEST_HMAC) + return 0; + + if (req->hmac) +@@ -660,6 +662,8 @@ static int safexcel_ahash_export(struct + export->len = req->len; + export->processed = req->processed; + ++ export->digest = req->digest; ++ + memcpy(export->state, req->state, req->state_sz); + memcpy(export->cache, req->cache, crypto_ahash_blocksize(ahash)); + +@@ -680,6 +684,8 @@ static int safexcel_ahash_import(struct + req->len = export->len; + req->processed = export->processed; + ++ req->digest = export->digest; ++ + memcpy(req->cache, export->cache, crypto_ahash_blocksize(ahash)); + memcpy(req->state, export->state, req->state_sz); + +@@ -716,7 +722,7 @@ static int safexcel_sha1_init(struct aha + req->state[4] = SHA1_H4; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA1; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA1_DIGEST_SIZE; + + return 0; +@@ -783,10 +789,10 @@ struct safexcel_alg_template safexcel_al + + static int safexcel_hmac_sha1_init(struct ahash_request *areq) + { +- struct safexcel_ahash_ctx *ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(areq)); ++ struct safexcel_ahash_req *req = ahash_request_ctx(areq); + + safexcel_sha1_init(areq); +- ctx->digest = CONTEXT_CONTROL_DIGEST_HMAC; ++ req->digest = CONTEXT_CONTROL_DIGEST_HMAC; + return 0; + } + +@@ -1024,7 +1030,7 @@ static int safexcel_sha256_init(struct a + req->state[7] = SHA256_H7; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA256; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA256_DIGEST_SIZE; + + return 0; +@@ -1086,7 +1092,7 @@ static int safexcel_sha224_init(struct a + req->state[7] = SHA224_H7; + + ctx->alg = CONTEXT_CONTROL_CRYPTO_ALG_SHA224; +- ctx->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; ++ req->digest = CONTEXT_CONTROL_DIGEST_PRECOMPUTED; + req->state_sz = SHA256_DIGEST_SIZE; + + return 0; diff --git a/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch b/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch new file mode 100644 index 00000000000..6920077ea90 --- /dev/null +++ b/queue-4.16/crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch @@ -0,0 +1,34 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Antoine Tenart +Date: Mon, 26 Feb 2018 14:45:12 +0100 +Subject: crypto: inside-secure - wait for the request to complete if in the backlog + +From: Antoine Tenart + +[ Upstream commit 4dc5475ae0375ea4f9283dfd9b2ddc91b20d4c4b ] + +This patch updates the safexcel_hmac_init_pad() function to also wait +for completion when the digest return code is -EBUSY, as it would mean +the request is in the backlog to be processed later. + +Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver") +Suggested-by: Ofer Heifetz +Signed-off-by: Antoine Tenart +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/inside-secure/safexcel_hash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/inside-secure/safexcel_hash.c ++++ b/drivers/crypto/inside-secure/safexcel_hash.c +@@ -845,7 +845,7 @@ static int safexcel_hmac_init_pad(struct + init_completion(&result.completion); + + ret = crypto_ahash_digest(areq); +- if (ret == -EINPROGRESS) { ++ if (ret == -EINPROGRESS || ret == -EBUSY) { + wait_for_completion_interruptible(&result.completion); + ret = result.error; + } diff --git a/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch b/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch new file mode 100644 index 00000000000..e4b01f1c4ce --- /dev/null +++ b/queue-4.16/crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch @@ -0,0 +1,31 @@ +From foo@baz Thu May 24 10:06:37 CEST 2018 +From: Peter Robinson +Date: Sun, 11 Feb 2018 23:15:37 +0000 +Subject: crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss + +From: Peter Robinson + +[ Upstream commit 7c73cf4cc2ac16465f5102437dc0a12d66671bd6 ] + +The MODULE_ALIAS is required to enable the sun4i-ss driver to load +automatically when built at a module. Tested on a Cubietruck. + +Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Signed-off-by: Peter Robinson +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sunxi-ss/sun4i-ss-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-core.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-core.c +@@ -451,6 +451,7 @@ static struct platform_driver sun4i_ss_d + + module_platform_driver(sun4i_ss_driver); + ++MODULE_ALIAS("platform:sun4i-ss"); + MODULE_DESCRIPTION("Allwinner Security System cryptographic accelerator"); + MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Corentin LABBE "); diff --git a/queue-4.16/hfsplus-stop-workqueue-when-fill_super-failed.patch b/queue-4.16/hfsplus-stop-workqueue-when-fill_super-failed.patch new file mode 100644 index 00000000000..765772a998c --- /dev/null +++ b/queue-4.16/hfsplus-stop-workqueue-when-fill_super-failed.patch @@ -0,0 +1,45 @@ +From 66072c29328717072fd84aaff3e070e3f008ba77 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Fri, 18 May 2018 16:09:16 -0700 +Subject: hfsplus: stop workqueue when fill_super() failed + +From: Tetsuo Handa + +commit 66072c29328717072fd84aaff3e070e3f008ba77 upstream. + +syzbot is reporting ODEBUG messages at hfsplus_fill_super() [1]. This +is because hfsplus_fill_super() forgot to call cancel_delayed_work_sync(). + +As far as I can see, it is hfsplus_mark_mdb_dirty() from +hfsplus_new_inode() in hfsplus_fill_super() that calls +queue_delayed_work(). Therefore, I assume that hfsplus_new_inode() does +not fail if queue_delayed_work() was called, and the out_put_hidden_dir +label is the appropriate location to call cancel_delayed_work_sync(). + +[1] https://syzkaller.appspot.com/bug?id=a66f45e96fdbeb76b796bf46eb25ea878c42a6c9 + +Link: http://lkml.kernel.org/r/964a8b27-cd69-357c-fe78-76b066056201@I-love.SAKURA.ne.jp +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Al Viro +Cc: David Howells +Cc: Ernesto A. Fernandez +Cc: Vyacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfsplus/super.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/hfsplus/super.c ++++ b/fs/hfsplus/super.c +@@ -588,6 +588,7 @@ static int hfsplus_fill_super(struct sup + return 0; + + out_put_hidden_dir: ++ cancel_delayed_work_sync(&sbi->sync_work); + iput(sbi->hidden_dir); + out_put_root: + dput(sb->s_root); diff --git a/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch b/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch new file mode 100644 index 00000000000..ceda063c6c9 --- /dev/null +++ b/queue-4.16/loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch @@ -0,0 +1,107 @@ +From 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Mon, 26 Mar 2018 21:39:11 -0700 +Subject: loop: don't call into filesystem while holding lo_ctl_mutex + +From: Omar Sandoval + +commit 2d1d4c1e591fd40bd7dafd868a249d7d00e215d5 upstream. + +We hit an issue where a loop device on NFS was stuck in +loop_get_status() doing vfs_getattr() after the NFS server died, which +caused a pile-up of uninterruptible processes waiting on lo_ctl_mutex. +There's no reason to hold this lock while we wait on the filesystem; +let's drop it so that other processes can do their thing. We need to +grab a reference on lo_backing_file while we use it, and we can get rid +of the check on lo_device, which has been unnecessary since commit +a34c0ae9ebd6 ("[PATCH] loop: remove the bio remapping capability") in +the linux-history tree. + +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 38 ++++++++++++++++++++++++-------------- + 1 file changed, 24 insertions(+), 14 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1171,21 +1171,17 @@ loop_set_status(struct loop_device *lo, + static int + loop_get_status(struct loop_device *lo, struct loop_info64 *info) + { +- struct file *file = lo->lo_backing_file; ++ struct file *file; + struct kstat stat; +- int error; ++ int ret; + +- if (lo->lo_state != Lo_bound) ++ if (lo->lo_state != Lo_bound) { ++ mutex_unlock(&lo->lo_ctl_mutex); + return -ENXIO; +- error = vfs_getattr(&file->f_path, &stat, +- STATX_INO, AT_STATX_SYNC_AS_STAT); +- if (error) +- return error; ++ } ++ + memset(info, 0, sizeof(*info)); + info->lo_number = lo->lo_number; +- info->lo_device = huge_encode_dev(stat.dev); +- info->lo_inode = stat.ino; +- info->lo_rdevice = huge_encode_dev(lo->lo_device ? stat.rdev : stat.dev); + info->lo_offset = lo->lo_offset; + info->lo_sizelimit = lo->lo_sizelimit; + info->lo_flags = lo->lo_flags; +@@ -1198,7 +1194,19 @@ loop_get_status(struct loop_device *lo, + memcpy(info->lo_encrypt_key, lo->lo_encrypt_key, + lo->lo_encrypt_key_size); + } +- return 0; ++ ++ /* Drop lo_ctl_mutex while we call into the filesystem. */ ++ file = get_file(lo->lo_backing_file); ++ mutex_unlock(&lo->lo_ctl_mutex); ++ ret = vfs_getattr(&file->f_path, &stat, STATX_INO, ++ AT_STATX_SYNC_AS_STAT); ++ if (!ret) { ++ info->lo_device = huge_encode_dev(stat.dev); ++ info->lo_inode = stat.ino; ++ info->lo_rdevice = huge_encode_dev(stat.rdev); ++ } ++ fput(file); ++ return ret; + } + + static void +@@ -1378,7 +1386,8 @@ static int lo_ioctl(struct block_device + break; + case LOOP_GET_STATUS: + err = loop_get_status_old(lo, (struct loop_info __user *) arg); +- break; ++ /* loop_get_status() unlocks lo_ctl_mutex */ ++ goto out_unlocked; + case LOOP_SET_STATUS64: + err = -EPERM; + if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN)) +@@ -1387,7 +1396,8 @@ static int lo_ioctl(struct block_device + break; + case LOOP_GET_STATUS64: + err = loop_get_status64(lo, (struct loop_info64 __user *) arg); +- break; ++ /* loop_get_status() unlocks lo_ctl_mutex */ ++ goto out_unlocked; + case LOOP_SET_CAPACITY: + err = -EPERM; + if ((mode & FMODE_WRITE) || capable(CAP_SYS_ADMIN)) +@@ -1548,7 +1558,7 @@ static int lo_compat_ioctl(struct block_ + mutex_lock(&lo->lo_ctl_mutex); + err = loop_get_status_compat( + lo, (struct compat_loop_info __user *) arg); +- mutex_unlock(&lo->lo_ctl_mutex); ++ /* loop_get_status() unlocks lo_ctl_mutex */ + break; + case LOOP_SET_CAPACITY: + case LOOP_CLR_FD: diff --git a/queue-4.16/loop-fix-loop_get_status-lock-imbalance.patch b/queue-4.16/loop-fix-loop_get_status-lock-imbalance.patch new file mode 100644 index 00000000000..12d4f47c6d8 --- /dev/null +++ b/queue-4.16/loop-fix-loop_get_status-lock-imbalance.patch @@ -0,0 +1,84 @@ +From bdac616db9bbadb90b7d6a406144571015e138f7 Mon Sep 17 00:00:00 2001 +From: Omar Sandoval +Date: Fri, 6 Apr 2018 09:57:03 -0700 +Subject: loop: fix LOOP_GET_STATUS lock imbalance + +From: Omar Sandoval + +commit bdac616db9bbadb90b7d6a406144571015e138f7 upstream. + +Commit 2d1d4c1e591f made loop_get_status() drop lo_ctx_mutex before +returning, but the loop_get_status_old(), loop_get_status64(), and +loop_get_status_compat() wrappers don't call loop_get_status() if the +passed argument is NULL. The callers expect that the lock is dropped, so +make sure we drop it in that case, too. + +Reported-by: syzbot+31e8daa8b3fc129e75f2@syzkaller.appspotmail.com +Fixes: 2d1d4c1e591f ("loop: don't call into filesystem while holding lo_ctl_mutex") +Signed-off-by: Omar Sandoval +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 33 ++++++++++++++++++--------------- + 1 file changed, 18 insertions(+), 15 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1287,12 +1287,13 @@ static int + loop_get_status_old(struct loop_device *lo, struct loop_info __user *arg) { + struct loop_info info; + struct loop_info64 info64; +- int err = 0; ++ int err; + +- if (!arg) +- err = -EINVAL; +- if (!err) +- err = loop_get_status(lo, &info64); ++ if (!arg) { ++ mutex_unlock(&lo->lo_ctl_mutex); ++ return -EINVAL; ++ } ++ err = loop_get_status(lo, &info64); + if (!err) + err = loop_info64_to_old(&info64, &info); + if (!err && copy_to_user(arg, &info, sizeof(info))) +@@ -1304,12 +1305,13 @@ loop_get_status_old(struct loop_device * + static int + loop_get_status64(struct loop_device *lo, struct loop_info64 __user *arg) { + struct loop_info64 info64; +- int err = 0; ++ int err; + +- if (!arg) +- err = -EINVAL; +- if (!err) +- err = loop_get_status(lo, &info64); ++ if (!arg) { ++ mutex_unlock(&lo->lo_ctl_mutex); ++ return -EINVAL; ++ } ++ err = loop_get_status(lo, &info64); + if (!err && copy_to_user(arg, &info64, sizeof(info64))) + err = -EFAULT; + +@@ -1530,12 +1532,13 @@ loop_get_status_compat(struct loop_devic + struct compat_loop_info __user *arg) + { + struct loop_info64 info64; +- int err = 0; ++ int err; + +- if (!arg) +- err = -EINVAL; +- if (!err) +- err = loop_get_status(lo, &info64); ++ if (!arg) { ++ mutex_unlock(&lo->lo_ctl_mutex); ++ return -EINVAL; ++ } ++ err = loop_get_status(lo, &info64); + if (!err) + err = loop_info64_to_compat(&info64, arg); + return err; diff --git a/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch b/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch new file mode 100644 index 00000000000..6fbeb1345e2 --- /dev/null +++ b/queue-4.16/media-em28xx-usb-bulk-packet-size-fix.patch @@ -0,0 +1,46 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Brad Love +Date: Thu, 4 Jan 2018 19:04:13 -0500 +Subject: media: em28xx: USB bulk packet size fix + +From: Brad Love + +[ Upstream commit c7c7e8d7803406daa21e96d00c357de8b77b6764 ] + +Hauppauge em28xx bulk devices exhibit continuity errors and corrupted +packets, when run in VMWare virtual machines. Unknown if other +manufacturers bulk models exhibit the same issue. KVM/Qemu is unaffected. + +According to documentation the maximum packet multiplier for em28xx in bulk +transfer mode is 256 * 188 bytes. This changes the size of bulk transfers +to maximum supported value and have a bonus beneficial alignment. + +Before: + +After: + +This sets up USB to expect just as many bytes as the em28xx is set to emit. + +Successful usage under load afterwards natively and in both VMWare +and KVM/Qemu virtual machines. + +Signed-off-by: Brad Love +Reviewed-by: Michael Ira Krufky +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/em28xx/em28xx.h ++++ b/drivers/media/usb/em28xx/em28xx.h +@@ -191,7 +191,7 @@ + USB 2.0 spec says bulk packet size is always 512 bytes + */ + #define EM28XX_BULK_PACKET_MULTIPLIER 384 +-#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 384 ++#define EM28XX_DVB_BULK_PACKET_MULTIPLIER 94 + + #define EM28XX_INTERLACED_DEFAULT 1 + diff --git a/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch b/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch new file mode 100644 index 00000000000..4fe1a9a79a1 --- /dev/null +++ b/queue-4.16/media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch @@ -0,0 +1,44 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Brad Love +Date: Fri, 5 Jan 2018 09:57:12 -0500 +Subject: media: lgdt3306a: Fix module count mismatch on usb unplug + +From: Brad Love + +[ Upstream commit 835d66173a38538c072a7c393d02360dcfac8582 ] + +When used as an i2c device there is a module usage count mismatch on +removal, preventing the driver from being used thereafter. dvb_attach +increments the usage count so it is properly balanced on removal. + +On disconnect of Hauppauge SoloHD/DualHD before: + +lsmod | grep lgdt3306a +lgdt3306a 28672 -1 +i2c_mux 16384 1 lgdt3306a + +On disconnect of Hauppauge SoloHD/DualHD after: + +lsmod | grep lgdt3306a +lgdt3306a 28672 0 +i2c_mux 16384 1 lgdt3306a + +Signed-off-by: Brad Love +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/dvb-frontends/lgdt3306a.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/lgdt3306a.c ++++ b/drivers/media/dvb-frontends/lgdt3306a.c +@@ -2169,7 +2169,7 @@ static int lgdt3306a_probe(struct i2c_cl + sizeof(struct lgdt3306a_config)); + + config->i2c_addr = client->addr; +- fe = lgdt3306a_attach(config, client->adapter); ++ fe = dvb_attach(lgdt3306a_attach, config, client->adapter); + if (fe == NULL) { + ret = -ENODEV; + goto err_fe; diff --git a/queue-4.16/series b/queue-4.16/series index 0a2d6b35aef..68d40e48d7f 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -63,3 +63,44 @@ s390-extend-expoline-to-bc-instructions.patch s390-use-expoline-thunks-in-the-bpf-jit.patch scsi-sg-allocate-with-__gfp_zero-in-sg_build_indirect.patch scsi-zfcp-fix-infinite-iteration-on-erp-ready-list.patch +bluetooth-btusb-add-usb-id-7392-a611-for-edimax-ew-7611ulb.patch +alsa-usb-audio-add-native-dsd-support-for-luxman-da-06.patch +usb-dwc3-add-softreset-phy-synchonization-delay.patch +usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch +usb-dwc3-makefile-fix-link-error-on-randconfig.patch +xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch +usb-dwc2-fix-interval-type-issue.patch +usb-dwc2-hcd-fix-host-channel-halt-flow.patch +usb-dwc2-host-fix-transaction-errors-in-host-mode.patch +usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch +usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch +usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch +usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch +usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch +media-lgdt3306a-fix-module-count-mismatch-on-usb-unplug.patch +media-em28xx-usb-bulk-packet-size-fix.patch +bluetooth-btusb-add-device-id-for-rtl8822be.patch +bluetooth-btusb-add-support-for-intel-bluetooth-device-22560.patch +xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch +loop-don-t-call-into-filesystem-while-holding-lo_ctl_mutex.patch +loop-fix-loop_get_status-lock-imbalance.patch +cfg80211-limit-wiphy-names-to-128-bytes.patch +hfsplus-stop-workqueue-when-fill_super-failed.patch +x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch +staging-bcm2835-audio-release-resources-on-module_exit.patch +staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch +staging-lustre-fix-bug-in-osc_enter_cache_try.patch +staging-fsl-dpaa2-eth-fix-incorrect-casts.patch +staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch +staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch +staging-lustre-lmv-correctly-iput-lmo_root.patch +crypto-inside-secure-move-the-digest-to-the-request-context.patch +crypto-inside-secure-wait-for-the-request-to-complete-if-in-the-backlog.patch +crypto-atmel-aes-fix-the-keys-zeroing-on-errors.patch +crypto-ccp-don-t-disable-interrupts-while-setting-up-debugfs.patch +crypto-inside-secure-do-not-process-request-if-no-command-was-issued.patch +crypto-inside-secure-fix-the-cache_len-computation.patch +crypto-inside-secure-fix-the-extra-cache-computation.patch +crypto-inside-secure-do-not-overwrite-the-threshold-value.patch +crypto-sunxi-ss-add-module_alias-to-sun4i-ss.patch +crypto-inside-secure-fix-the-invalidation-step-during-cra_exit.patch diff --git a/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch b/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch new file mode 100644 index 00000000000..d24a90349d2 --- /dev/null +++ b/queue-4.16/staging-bcm2835-audio-release-resources-on-module_exit.patch @@ -0,0 +1,253 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: Kirill Marinushkin +Date: Fri, 23 Mar 2018 20:32:54 +0100 +Subject: staging: bcm2835-audio: Release resources on module_exit() + +From: Kirill Marinushkin + +[ Upstream commit 626118b472d2eb45f83a0276a18d3e6a01c69f6a ] + +In the current implementation, `rmmod snd_bcm2835` does not release +resources properly. It causes an oops when trying to list sound devices. + +This commit fixes it. + +The details WRT allocation / free are described below. + +Device structure WRT allocation: + +pdev + \childdev[] + \card + \chip + \pcm + \ctl + +Allocation / register sequence: + +* childdev: devm_kzalloc - freed during driver detach +* childdev: device_initialize - freed during device_unregister +* pdev: devres_alloc - freed during driver detach +* childdev: device_add - removed during device_unregister +* pdev, childdev: devres_add - freed during driver detach +* card: snd_card_new - freed during snd_card_free +* chip: kzalloc - freed during kfree +* card, chip: snd_device_new - freed during snd_device_free +* chip: new_pcm - TODO: free pcm +* chip: new_ctl - TODO: free ctl +* card: snd_card_register - unregistered during snd_card_free + +Free / unregister sequence: + +* card: snd_card_free +* card, chip: snd_device_free +* childdev: device_unregister +* chip: kfree + +Steps to reproduce the issue before this commit: + +~~~~ +$ rmmod snd_bcm2835 +$ aplay -L +[ 138.648130] Unable to handle kernel paging request at virtual address 7f1343c0 +[ 138.660415] pgd = ad8f0000 +[ 138.665567] [7f1343c0] *pgd=3864c811, *pte=00000000, *ppte=00000000 +[ 138.674887] Internal error: Oops: 7 [#1] SMP ARM +[ 138.683571] Modules linked in: sha256_generic cfg80211 rfkill snd_pcm snd_timer + snd fixed uio_pdrv_genirq uio ip_tables x_tables ipv6 [last unloaded: snd_bcm2835 +] +[ 138.706594] CPU: 3 PID: 463 Comm: aplay Tainted: G WC 4.15.0-rc1-v +7+ #6 +[ 138.719833] Hardware name: BCM2835 +[ 138.726016] task: b877ac00 task.stack: aebec000 +[ 138.733408] PC is at try_module_get+0x38/0x24c +[ 138.740813] LR is at snd_ctl_open+0x58/0x194 [snd] +[ 138.748485] pc : [<801c4d5c>] lr : [<7f0e6b2c>] psr: 20000013 +[ 138.757709] sp : aebedd60 ip : aebedd88 fp : aebedd84 +[ 138.765884] r10: 00000000 r9 : 00000004 r8 : 7f0ed440 +[ 138.774040] r7 : b7e469b0 r6 : 7f0e6b2c r5 : afd91900 r4 : 7f1343c0 +[ 138.783571] r3 : aebec000 r2 : 00000001 r1 : b877ac00 r0 : 7f1343c0 +[ 138.793084] Flags: nzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +[ 138.803300] Control: 10c5387d Table: 2d8f006a DAC: 00000055 +[ 138.812064] Process aplay (pid: 463, stack limit = 0xaebec210) +[ 138.820868] Stack: (0xaebedd60 to 0xaebee000) +[ 138.828207] dd60: 00000000 b848d000 afd91900 00000000 b7e469b0 7f0ed440 aebedda4 aebedd88 +[ 138.842371] dd80: 7f0e6b2c 801c4d30 afd91900 7f0ea4dc 00000000 b7e469b0 aebeddcc aebedda8 +[ 138.856611] dda0: 7f0e250c 7f0e6ae0 7f0e2464 b8478ec0 b7e469b0 afd91900 7f0ea388 00000000 +[ 138.870864] ddc0: aebeddf4 aebeddd0 802ce590 7f0e2470 8090ab64 afd91900 afd91900 b7e469b0 +[ 138.885301] dde0: afd91908 802ce4e4 aebede1c aebeddf8 802c57b4 802ce4f0 afd91900 aebedea8 +[ 138.900110] de00: b7fa4c00 00000000 00000000 00000004 aebede3c aebede20 802c6ba8 802c56b4 +[ 138.915260] de20: aebedea8 00000000 aebedf5c 00000000 aebedea4 aebede40 802d9a68 802c6b58 +[ 138.930661] de40: b874ddd0 00000000 00000000 00000001 00000041 00000000 afd91900 aebede70 +[ 138.946402] de60: 00000000 00000000 00000002 b7e469b0 b8a87610 b8d6ab80 801852f8 00080000 +[ 138.962314] de80: aebedf5c aebedea8 00000001 80108464 aebec000 00000000 aebedf4c aebedea8 +[ 138.978414] dea0: 802dacd4 802d970c b8a87610 b8d6ab80 a7982bc6 00000009 af363019 b9231480 +[ 138.994617] dec0: 00000000 b8c038a0 b7e469b0 00000101 00000002 00000238 00000000 00000000 +[ 139.010823] dee0: 00000000 aebedee8 00080000 0000000f aebedf3c aebedf00 802ed7e4 80843f94 +[ 139.027025] df00: 00000003 00080000 b9231490 b9231480 00000000 00080000 af363000 00000000 +[ 139.043229] df20: 00000005 00000002 ffffff9c 00000000 00080000 ffffff9c af363000 00000003 +[ 139.059430] df40: aebedf94 aebedf50 802c6f70 802dac70 aebec000 00000000 00000001 00000000 +[ 139.075629] df60: 00020000 00000004 00000100 00000001 7ebe577c 0002e038 00000000 00000005 +[ 139.091828] df80: 80108464 aebec000 aebedfa4 aebedf98 802c7060 802c6e6c 00000000 aebedfa8 +[ 139.108025] dfa0: 801082c0 802c7040 7ebe577c 0002e038 7ebe577c 00080000 00000b98 e81c8400 +[ 139.124222] dfc0: 7ebe577c 0002e038 00000000 00000005 7ebe57e4 00a20af8 7ebe57f0 76f87394 +[ 139.140419] dfe0: 00000000 7ebe55c4 76ec88e8 76df1d9c 60000010 7ebe577c 00000000 00000000 +[ 139.156715] [<801c4d5c>] (try_module_get) from [<7f0e6b2c>] (snd_ctl_open+0x58/0x194 [snd]) +[ 139.173222] [<7f0e6b2c>] (snd_ctl_open [snd]) from [<7f0e250c>] (snd_open+0xa8/0x14c [snd]) +[ 139.189683] [<7f0e250c>] (snd_open [snd]) from [<802ce590>] (chrdev_open+0xac/0x188) +[ 139.205465] [<802ce590>] (chrdev_open) from [<802c57b4>] (do_dentry_open+0x10c/0x314) +[ 139.221347] [<802c57b4>] (do_dentry_open) from [<802c6ba8>] (vfs_open+0x5c/0x88) +[ 139.236788] [<802c6ba8>] (vfs_open) from [<802d9a68>] (path_openat+0x368/0x944) +[ 139.248270] [<802d9a68>] (path_openat) from [<802dacd4>] (do_filp_open+0x70/0xc4) +[ 139.263731] [<802dacd4>] (do_filp_open) from [<802c6f70>] (do_sys_open+0x110/0x1d4) +[ 139.279378] [<802c6f70>] (do_sys_open) from [<802c7060>] (SyS_open+0x2c/0x30) +[ 139.290647] [<802c7060>] (SyS_open) from [<801082c0>] (ret_fast_syscall+0x0/0x28) +[ 139.306021] Code: e3c3303f e5932004 e2822001 e5832004 (e5943000) +[ 139.316265] ---[ end trace 7f3f7f6193b663ed ]--- +[ 139.324956] note: aplay[463] exited with preempt_count 1 +~~~~ + +Signed-off-by: Kirill Marinushkin +Cc: Eric Anholt +Cc: Stefan Wahren +Cc: Greg Kroah-Hartman +Cc: Florian Fainelli +Cc: Ray Jui +Cc: Scott Branden +Cc: bcm-kernel-feedback-list@broadcom.com +Cc: Michael Zoran +Cc: Andy Shevchenko +Cc: linux-rpi-kernel@lists.infradead.org +Cc: linux-arm-kernel@lists.infradead.org +Cc: devel@driverdev.osuosl.org +Cc: linux-kernel@vger.kernel.org +Reviewed-by: Andy Shevchenko +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/vc04_services/bcm2835-audio/bcm2835.c | 54 ++++++++---------- + 1 file changed, 25 insertions(+), 29 deletions(-) + +--- a/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c ++++ b/drivers/staging/vc04_services/bcm2835-audio/bcm2835.c +@@ -25,6 +25,10 @@ MODULE_PARM_DESC(enable_compat_alsa, + static void snd_devm_unregister_child(struct device *dev, void *res) + { + struct device *childdev = *(struct device **)res; ++ struct bcm2835_chip *chip = dev_get_drvdata(childdev); ++ struct snd_card *card = chip->card; ++ ++ snd_card_free(card); + + device_unregister(childdev); + } +@@ -50,6 +54,13 @@ static int snd_devm_add_child(struct dev + return 0; + } + ++static void snd_bcm2835_release(struct device *dev) ++{ ++ struct bcm2835_chip *chip = dev_get_drvdata(dev); ++ ++ kfree(chip); ++} ++ + static struct device * + snd_create_device(struct device *parent, + struct device_driver *driver, +@@ -65,6 +76,7 @@ snd_create_device(struct device *parent, + device_initialize(device); + device->parent = parent; + device->driver = driver; ++ device->release = snd_bcm2835_release; + + dev_set_name(device, "%s", name); + +@@ -75,18 +87,19 @@ snd_create_device(struct device *parent, + return device; + } + +-static int snd_bcm2835_free(struct bcm2835_chip *chip) +-{ +- kfree(chip); +- return 0; +-} +- + /* component-destructor + * (see "Management of Cards and Components") + */ + static int snd_bcm2835_dev_free(struct snd_device *device) + { +- return snd_bcm2835_free(device->device_data); ++ struct bcm2835_chip *chip = device->device_data; ++ struct snd_card *card = chip->card; ++ ++ /* TODO: free pcm, ctl */ ++ ++ snd_device_free(card, chip); ++ ++ return 0; + } + + /* chip-specific constructor +@@ -111,7 +124,7 @@ static int snd_bcm2835_create(struct snd + + err = snd_device_new(card, SNDRV_DEV_LOWLEVEL, chip, &ops); + if (err) { +- snd_bcm2835_free(chip); ++ kfree(chip); + return err; + } + +@@ -119,31 +132,14 @@ static int snd_bcm2835_create(struct snd + return 0; + } + +-static void snd_devm_card_free(struct device *dev, void *res) ++static struct snd_card *snd_bcm2835_card_new(struct device *dev) + { +- struct snd_card *snd_card = *(struct snd_card **)res; +- +- snd_card_free(snd_card); +-} +- +-static struct snd_card *snd_devm_card_new(struct device *dev) +-{ +- struct snd_card **dr; + struct snd_card *card; + int ret; + +- dr = devres_alloc(snd_devm_card_free, sizeof(*dr), GFP_KERNEL); +- if (!dr) +- return ERR_PTR(-ENOMEM); +- + ret = snd_card_new(dev, -1, NULL, THIS_MODULE, 0, &card); +- if (ret) { +- devres_free(dr); ++ if (ret) + return ERR_PTR(ret); +- } +- +- *dr = card; +- devres_add(dev, dr); + + return card; + } +@@ -260,7 +256,7 @@ static int snd_add_child_device(struct d + return PTR_ERR(child); + } + +- card = snd_devm_card_new(child); ++ card = snd_bcm2835_card_new(child); + if (IS_ERR(card)) { + dev_err(child, "Failed to create card"); + return PTR_ERR(card); +@@ -302,7 +298,7 @@ static int snd_add_child_device(struct d + return err; + } + +- dev_set_drvdata(child, card); ++ dev_set_drvdata(child, chip); + dev_info(child, "card created with %d channels\n", numchans); + + return 0; diff --git a/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch new file mode 100644 index 00000000000..0a9b4ec4edb --- /dev/null +++ b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-casts.patch @@ -0,0 +1,51 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: Ioana Radulescu +Date: Mon, 26 Feb 2018 10:28:06 -0600 +Subject: staging: fsl-dpaa2/eth: Fix incorrect casts + +From: Ioana Radulescu + +[ Upstream commit 75c583ab9709692a60871d4719006391cde8dc1d ] + +The DPAA2 Ethernet driver incorrectly assumes virtual addresses +are always 64b long, which causes compiler errors when building +for a 32b platform. + +Fix this by using explicit casts to uintptr_t where necessary. + +Signed-off-by: Ioana Radulescu +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c ++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +@@ -324,7 +324,7 @@ static int consume_frames(struct dpaa2_e + } + + fd = dpaa2_dq_fd(dq); +- fq = (struct dpaa2_eth_fq *)dpaa2_dq_fqd_ctx(dq); ++ fq = (struct dpaa2_eth_fq *)(uintptr_t)dpaa2_dq_fqd_ctx(dq); + fq->stats.frames++; + + fq->consume(priv, ch, fd, &ch->napi, fq->flowid); +@@ -1908,7 +1908,7 @@ static int setup_rx_flow(struct dpaa2_et + queue.destination.id = fq->channel->dpcon_id; + queue.destination.type = DPNI_DEST_DPCON; + queue.destination.priority = 1; +- queue.user_context = (u64)fq; ++ queue.user_context = (u64)(uintptr_t)fq; + err = dpni_set_queue(priv->mc_io, 0, priv->mc_token, + DPNI_QUEUE_RX, 0, fq->flowid, + DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST, +@@ -1960,7 +1960,7 @@ static int setup_tx_flow(struct dpaa2_et + queue.destination.id = fq->channel->dpcon_id; + queue.destination.type = DPNI_DEST_DPCON; + queue.destination.priority = 0; +- queue.user_context = (u64)fq; ++ queue.user_context = (u64)(uintptr_t)fq; + err = dpni_set_queue(priv->mc_io, 0, priv->mc_token, + DPNI_QUEUE_TX_CONFIRM, 0, fq->flowid, + DPNI_QUEUE_OPT_USER_CTX | DPNI_QUEUE_OPT_DEST, diff --git a/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch new file mode 100644 index 00000000000..5ec1812eb0f --- /dev/null +++ b/queue-4.16/staging-fsl-dpaa2-eth-fix-incorrect-kfree.patch @@ -0,0 +1,62 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: Ioana Radulescu +Date: Wed, 14 Mar 2018 15:04:51 -0500 +Subject: staging: fsl-dpaa2/eth: Fix incorrect kfree + +From: Ioana Radulescu + +[ Upstream commit 6a9bbe53db9a5aa0be9788aa8a2c250dee55444b ] + +Use netdev_alloc_frag() instead of kmalloc to allocate space for +the S/G table of egress multi-buffer frames. + +This fixes a bug where an unaligned pointer received from the +allocator would be overwritten with the 64B aligned value, +leading to a wrong address being later passed to kfree. + +Signed-off-by: Ioana Radulescu +Reported-by: Dan Carpenter +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c ++++ b/drivers/staging/fsl-dpaa2/ethernet/dpaa2-eth.c +@@ -374,12 +374,14 @@ static int build_sg_fd(struct dpaa2_eth_ + /* Prepare the HW SGT structure */ + sgt_buf_size = priv->tx_data_offset + + sizeof(struct dpaa2_sg_entry) * (1 + num_dma_bufs); +- sgt_buf = kzalloc(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN, GFP_ATOMIC); ++ sgt_buf = netdev_alloc_frag(sgt_buf_size + DPAA2_ETH_TX_BUF_ALIGN); + if (unlikely(!sgt_buf)) { + err = -ENOMEM; + goto sgt_buf_alloc_failed; + } + sgt_buf = PTR_ALIGN(sgt_buf, DPAA2_ETH_TX_BUF_ALIGN); ++ memset(sgt_buf, 0, sgt_buf_size); ++ + sgt = (struct dpaa2_sg_entry *)(sgt_buf + priv->tx_data_offset); + + /* Fill in the HW SGT structure. +@@ -421,7 +423,7 @@ static int build_sg_fd(struct dpaa2_eth_ + return 0; + + dma_map_single_failed: +- kfree(sgt_buf); ++ skb_free_frag(sgt_buf); + sgt_buf_alloc_failed: + dma_unmap_sg(dev, scl, num_sg, DMA_BIDIRECTIONAL); + dma_map_sg_failed: +@@ -525,9 +527,9 @@ static void free_tx_fd(const struct dpaa + return; + } + +- /* Free SGT buffer kmalloc'ed on tx */ ++ /* Free SGT buffer allocated on tx */ + if (fd_format != dpaa2_fd_single) +- kfree(skbh); ++ skb_free_frag(skbh); + + /* Move on with skb release */ + dev_kfree_skb(skb); diff --git a/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch b/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch new file mode 100644 index 00000000000..9feb7f43f68 --- /dev/null +++ b/queue-4.16/staging-ks7010-use-constants-from-ieee80211_eid-instead-of-literal-ints.patch @@ -0,0 +1,106 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: Quytelda Kahja +Date: Wed, 28 Feb 2018 21:19:07 -0800 +Subject: staging: ks7010: Use constants from ieee80211_eid instead of literal ints. + +From: Quytelda Kahja + +[ Upstream commit dc13498ab47fdfae3cda4df712beb2e4244b3fe0 ] + +The case statement in get_ap_information() should not use literal integers +to parse information element IDs when these values are provided by name +in 'enum ieee80211_eid' in the header 'linux/ieee80211.h'. + +Signed-off-by: Quytelda Kahja +Reviewed-by: Tobin C. Harding +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/ks7010/ks_hostif.c | 31 +++++++++++++++---------------- + drivers/staging/ks7010/ks_hostif.h | 1 + + 2 files changed, 16 insertions(+), 16 deletions(-) + +--- a/drivers/staging/ks7010/ks_hostif.c ++++ b/drivers/staging/ks7010/ks_hostif.c +@@ -242,9 +242,8 @@ int get_ap_information(struct ks_wlan_pr + offset = 0; + + while (bsize > offset) { +- /* DPRINTK(4, "Element ID=%d\n",*bp); */ +- switch (*bp) { +- case 0: /* ssid */ ++ switch (*bp) { /* Information Element ID */ ++ case WLAN_EID_SSID: + if (*(bp + 1) <= SSID_MAX_SIZE) { + ap->ssid.size = *(bp + 1); + } else { +@@ -254,8 +253,8 @@ int get_ap_information(struct ks_wlan_pr + } + memcpy(ap->ssid.body, bp + 2, ap->ssid.size); + break; +- case 1: /* rate */ +- case 50: /* ext rate */ ++ case WLAN_EID_SUPP_RATES: ++ case WLAN_EID_EXT_SUPP_RATES: + if ((*(bp + 1) + ap->rate_set.size) <= + RATE_SET_MAX_SIZE) { + memcpy(&ap->rate_set.body[ap->rate_set.size], +@@ -271,9 +270,9 @@ int get_ap_information(struct ks_wlan_pr + (RATE_SET_MAX_SIZE - ap->rate_set.size); + } + break; +- case 3: /* DS parameter */ ++ case WLAN_EID_DS_PARAMS: + break; +- case 48: /* RSN(WPA2) */ ++ case WLAN_EID_RSN: + ap->rsn_ie.id = *bp; + if (*(bp + 1) <= RSN_IE_BODY_MAX) { + ap->rsn_ie.size = *(bp + 1); +@@ -284,8 +283,8 @@ int get_ap_information(struct ks_wlan_pr + } + memcpy(ap->rsn_ie.body, bp + 2, ap->rsn_ie.size); + break; +- case 221: /* WPA */ +- if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */ ++ case WLAN_EID_VENDOR_SPECIFIC: /* WPA */ ++ if (memcmp(bp + 2, "\x00\x50\xf2\x01", 4) == 0) { /* WPA OUI check */ + ap->wpa_ie.id = *bp; + if (*(bp + 1) <= RSN_IE_BODY_MAX) { + ap->wpa_ie.size = *(bp + 1); +@@ -300,18 +299,18 @@ int get_ap_information(struct ks_wlan_pr + } + break; + +- case 2: /* FH parameter */ +- case 4: /* CF parameter */ +- case 5: /* TIM */ +- case 6: /* IBSS parameter */ +- case 7: /* Country */ +- case 42: /* ERP information */ +- case 47: /* Reserve ID 47 Broadcom AP */ ++ case WLAN_EID_FH_PARAMS: ++ case WLAN_EID_CF_PARAMS: ++ case WLAN_EID_TIM: ++ case WLAN_EID_IBSS_PARAMS: ++ case WLAN_EID_COUNTRY: ++ case WLAN_EID_ERP_INFO: + break; + default: + DPRINTK(4, "unknown Element ID=%d\n", *bp); + break; + } ++ + offset += 2; /* id & size field */ + offset += *(bp + 1); /* +size offset */ + bp += (*(bp + 1) + 2); /* pointer update */ +--- a/drivers/staging/ks7010/ks_hostif.h ++++ b/drivers/staging/ks7010/ks_hostif.h +@@ -13,6 +13,7 @@ + #define _KS_HOSTIF_H_ + + #include ++#include + + /* + * HOST-MAC I/F events diff --git a/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch b/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch new file mode 100644 index 00000000000..aff7900021c --- /dev/null +++ b/queue-4.16/staging-lustre-fix-bug-in-osc_enter_cache_try.patch @@ -0,0 +1,55 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: NeilBrown +Date: Fri, 2 Mar 2018 10:31:25 +1100 +Subject: staging: lustre: fix bug in osc_enter_cache_try + +From: NeilBrown + +[ Upstream commit 2fab9faf9b27298c4536c1c1b14072ab18b8f80b ] + +The lustre-release patch commit bdc5bb52c554 ("LU-4933 osc: +Automatically increase the max_dirty_mb") changed + +- if (cli->cl_dirty + PAGE_CACHE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + +When this patch landed in Linux a couple of years later, it landed as + +- if (cli->cl_dirty + PAGE_SIZE <= cli->cl_dirty_max && ++ if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages && + +which is clearly different ('<=' vs '<'), and allows cl_dirty_pages to +increase beyond cl_dirty_max_pages - which causes a latter assertion +to fails. + +Fixes: 3147b268400a ("staging: lustre: osc: Automatically increase the max_dirty_mb") +Signed-off-by: NeilBrown +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/include/obd.h | 2 +- + drivers/staging/lustre/lustre/osc/osc_cache.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/lustre/lustre/include/obd.h ++++ b/drivers/staging/lustre/lustre/include/obd.h +@@ -191,7 +191,7 @@ struct client_obd { + struct sptlrpc_flavor cl_flvr_mgc; /* fixed flavor of mgc->mgs */ + + /* the grant values are protected by loi_list_lock below */ +- unsigned long cl_dirty_pages; /* all _dirty_ in pahges */ ++ unsigned long cl_dirty_pages; /* all _dirty_ in pages */ + unsigned long cl_dirty_max_pages; /* allowed w/o rpc */ + unsigned long cl_dirty_transit; /* dirty synchronous */ + unsigned long cl_avail_grant; /* bytes of credit for ost */ +--- a/drivers/staging/lustre/lustre/osc/osc_cache.c ++++ b/drivers/staging/lustre/lustre/osc/osc_cache.c +@@ -1530,7 +1530,7 @@ static int osc_enter_cache_try(struct cl + if (rc < 0) + return 0; + +- if (cli->cl_dirty_pages <= cli->cl_dirty_max_pages && ++ if (cli->cl_dirty_pages < cli->cl_dirty_max_pages && + atomic_long_read(&obd_dirty_pages) + 1 <= obd_max_dirty_pages) { + osc_consume_write_grant(cli, &oap->oap_brw_page); + if (transient) { diff --git a/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch b/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch new file mode 100644 index 00000000000..5fbb3b397c1 --- /dev/null +++ b/queue-4.16/staging-lustre-lmv-correctly-iput-lmo_root.patch @@ -0,0 +1,45 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: NeilBrown +Date: Fri, 23 Feb 2018 09:09:33 +1100 +Subject: staging: lustre: lmv: correctly iput lmo_root + +From: NeilBrown + +[ Upstream commit 17556cdbe6ed70a6a20e597b228628f7f34387f8 ] + +Commit 8f18c8a48b73 ("staging: lustre: lmv: separate master object +with master stripe") changed how lmo_root inodes were managed, +particularly when LMV_HASH_FLAG_MIGRATION is not set. +Previously lsm_md_oinfo[0].lmo_root was always a borrowed +inode reference and didn't need to by iput(). +Since the change, that special case only applies when +LMV_HASH_FLAG_MIGRATION is set + +In the upstream (lustre-release) version of this patch [Commit +60e07b972114 ("LU-4690 lod: separate master object with master +stripe")] the for loop in the lmv_unpack_md() was changed to count +from 0 and to ignore entry 0 if LMV_HASH_FLAG_MIGRATION is set. +In the patch that got applied to Linux, that change was missing, +so lsm_md_oinfo[0].lmo_root is never iput(). +This results in a "VFS: Busy inodes" warning at unmount. + +Fixes: 8f18c8a48b73 ("staging: lustre: lmv: separate master object with master stripe") +Signed-off-by: NeilBrown +Reviewed-by: James Simmons +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/lustre/lustre/lmv/lmv_obd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/lustre/lustre/lmv/lmv_obd.c ++++ b/drivers/staging/lustre/lustre/lmv/lmv_obd.c +@@ -2695,7 +2695,7 @@ static int lmv_unpackmd(struct obd_expor + if (lsm && !lmm) { + int i; + +- for (i = 1; i < lsm->lsm_md_stripe_count; i++) { ++ for (i = 0; i < lsm->lsm_md_stripe_count; i++) { + /* + * For migrating inode, the master stripe and master + * object will be the same, so do not need iput, see diff --git a/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch b/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch new file mode 100644 index 00000000000..011a9ceadcb --- /dev/null +++ b/queue-4.16/staging-rtl8192u-return-enomem-on-failed-allocation-of-priv-oldaddr.patch @@ -0,0 +1,36 @@ +From foo@baz Thu May 24 10:04:42 CEST 2018 +From: Colin Ian King +Date: Wed, 28 Feb 2018 11:28:49 +0000 +Subject: staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr + +From: Colin Ian King + +[ Upstream commit e1a7418529e33bc4efc346324557251a16a3e79b ] + +Currently the allocation of priv->oldaddr is not null checked which will +lead to subsequent errors when accessing priv->oldaddr. Fix this with +a null pointer check and a return of -ENOMEM on allocation failure. + +Detected with Coccinelle: +drivers/staging/rtl8192u/r8192U_core.c:1708:2-15: alloc with no test, +possible model on line 1723 + +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Colin Ian King +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8192u/r8192U_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/rtl8192u/r8192U_core.c ++++ b/drivers/staging/rtl8192u/r8192U_core.c +@@ -1706,6 +1706,8 @@ static short rtl8192_usb_initendpoints(s + + priv->rx_urb[16] = usb_alloc_urb(0, GFP_KERNEL); + priv->oldaddr = kmalloc(16, GFP_KERNEL); ++ if (!priv->oldaddr) ++ return -ENOMEM; + oldaddr = priv->oldaddr; + align = ((long)oldaddr) & 3; + if (align) { diff --git a/queue-4.16/usb-dwc2-fix-interval-type-issue.patch b/queue-4.16/usb-dwc2-fix-interval-type-issue.patch new file mode 100644 index 00000000000..d2b7f8c54af --- /dev/null +++ b/queue-4.16/usb-dwc2-fix-interval-type-issue.patch @@ -0,0 +1,31 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Grigor Tovmasyan +Date: Tue, 6 Feb 2018 19:07:38 +0400 +Subject: usb: dwc2: Fix interval type issue + +From: Grigor Tovmasyan + +[ Upstream commit 12814a3f8f9b247531d7863170cc82b3fe4218fd ] + +The maximum value that unsigned char can hold is 255, meanwhile +the maximum value of interval is 2^(bIntervalMax-1)=2^15. + +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/core.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/core.h ++++ b/drivers/usb/dwc2/core.h +@@ -217,7 +217,7 @@ struct dwc2_hsotg_ep { + unsigned char dir_in; + unsigned char index; + unsigned char mc; +- unsigned char interval; ++ u16 interval; + + unsigned int halted:1; + unsigned int periodic:1; diff --git a/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch b/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch new file mode 100644 index 00000000000..8505c155364 --- /dev/null +++ b/queue-4.16/usb-dwc2-hcd-fix-host-channel-halt-flow.patch @@ -0,0 +1,49 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Minas Harutyunyan +Date: Fri, 19 Jan 2018 14:43:53 +0400 +Subject: usb: dwc2: hcd: Fix host channel halt flow + +From: Minas Harutyunyan + +[ Upstream commit a82c7abdf8fc3b09c4a0ed2eee6d43ecef2ccdb0 ] + +According databook in Buffer and External DMA mode +non-split periodic channels can't be halted. + +Acked-by: John Youn +Signed-off-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -989,6 +989,24 @@ void dwc2_hc_halt(struct dwc2_hsotg *hso + + if (dbg_hc(chan)) + dev_vdbg(hsotg->dev, "%s()\n", __func__); ++ ++ /* ++ * In buffer DMA or external DMA mode channel can't be halted ++ * for non-split periodic channels. At the end of the next ++ * uframe/frame (in the worst case), the core generates a channel ++ * halted and disables the channel automatically. ++ */ ++ if ((hsotg->params.g_dma && !hsotg->params.g_dma_desc) || ++ hsotg->hw_params.arch == GHWCFG2_EXT_DMA_ARCH) { ++ if (!chan->do_split && ++ (chan->ep_type == USB_ENDPOINT_XFER_ISOC || ++ chan->ep_type == USB_ENDPOINT_XFER_INT)) { ++ dev_err(hsotg->dev, "%s() Channel can't be halted\n", ++ __func__); ++ return; ++ } ++ } ++ + if (halt_status == DWC2_HC_XFER_NO_HALT_STATUS) + dev_err(hsotg->dev, "!!! halt_status = %d !!!\n", halt_status); + diff --git a/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch b/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch new file mode 100644 index 00000000000..29b1d5edd81 --- /dev/null +++ b/queue-4.16/usb-dwc2-host-fix-transaction-errors-in-host-mode.patch @@ -0,0 +1,54 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Minas Harutyunyan +Date: Fri, 19 Jan 2018 14:44:20 +0400 +Subject: usb: dwc2: host: Fix transaction errors in host mode + +From: Minas Harutyunyan + +[ Upstream commit 92a8dd26464e1f21f1d869ec53717bd2c1200d63 ] + +Added missing GUSBCFG programming in host mode, which fixes +transaction errors issue on HiKey and Altera Cyclone V boards. + +These field even if was programmed in device mode (in function +dwc2_hsotg_core_init_disconnected()) will be resetting to POR values +after core soft reset applied. +So, each time when switching to host mode required to set this field +to correct value. + +Acked-by: John Youn +Signed-off-by: Minas Harutyunyan +Signed-off-by: Grigor Tovmasyan +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/hcd.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -2340,10 +2340,22 @@ static int dwc2_core_init(struct dwc2_hs + */ + static void dwc2_core_host_init(struct dwc2_hsotg *hsotg) + { +- u32 hcfg, hfir, otgctl; ++ u32 hcfg, hfir, otgctl, usbcfg; + + dev_dbg(hsotg->dev, "%s(%p)\n", __func__, hsotg); + ++ /* Set HS/FS Timeout Calibration to 7 (max available value). ++ * The number of PHY clocks that the application programs in ++ * this field is added to the high/full speed interpacket timeout ++ * duration in the core to account for any additional delays ++ * introduced by the PHY. This can be required, because the delay ++ * introduced by the PHY in generating the linestate condition ++ * can vary from one PHY to another. ++ */ ++ usbcfg = dwc2_readl(hsotg->regs + GUSBCFG); ++ usbcfg |= GUSBCFG_TOUTCAL(7); ++ dwc2_writel(usbcfg, hsotg->regs + GUSBCFG); ++ + /* Restart the Phy Clock */ + dwc2_writel(0, hsotg->regs + PCGCTL); + diff --git a/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch b/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch new file mode 100644 index 00000000000..d95b9b54c9d --- /dev/null +++ b/queue-4.16/usb-dwc3-add-softreset-phy-synchonization-delay.patch @@ -0,0 +1,50 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:48 -0700 +Subject: usb: dwc3: Add SoftReset PHY synchonization delay + +From: Thinh Nguyen + +[ Upstream commit fab3833338779e1e668bd58d1f76d601657304b8 ] + +>From DWC_usb31 programming guide section 1.3.2, once DWC3_DCTL_CSFTRST +bit is cleared, we must wait at least 50ms before accessing the PHY +domain (synchronization delay). + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -232,7 +232,7 @@ static int dwc3_core_soft_reset(struct d + do { + reg = dwc3_readl(dwc->regs, DWC3_DCTL); + if (!(reg & DWC3_DCTL_CSFTRST)) +- return 0; ++ goto done; + + udelay(1); + } while (--retries); +@@ -241,6 +241,17 @@ static int dwc3_core_soft_reset(struct d + phy_exit(dwc->usb2_generic_phy); + + return -ETIMEDOUT; ++ ++done: ++ /* ++ * For DWC_usb31 controller, once DWC3_DCTL_CSFTRST bit is cleared, ++ * we must wait at least 50ms before accessing the PHY domain ++ * (synchronization delay). DWC_usb31 programming guide section 1.3.2. ++ */ ++ if (dwc3_is_usb31(dwc)) ++ msleep(50); ++ ++ return 0; + } + + /* diff --git a/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch b/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch new file mode 100644 index 00000000000..7d95fd7954f --- /dev/null +++ b/queue-4.16/usb-dwc3-makefile-fix-link-error-on-randconfig.patch @@ -0,0 +1,32 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Felipe Balbi +Date: Thu, 22 Mar 2018 10:45:20 +0200 +Subject: usb: dwc3: Makefile: fix link error on randconfig + +From: Felipe Balbi + +[ Upstream commit de948a74ad6f0eefddf36d765b8f2dd6df82caa0 ] + +If building a kernel without FTRACE but with TRACING, dwc3.ko fails to +link due to missing trace events. Fix this by using the correct +Kconfig symbol on Makefile. + +Reported-by: Randy Dunlap +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/Makefile ++++ b/drivers/usb/dwc3/Makefile +@@ -6,7 +6,7 @@ obj-$(CONFIG_USB_DWC3) += dwc3.o + + dwc3-y := core.o + +-ifneq ($(CONFIG_FTRACE),) ++ifneq ($(CONFIG_TRACING),) + dwc3-y += trace.o + endif + diff --git a/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch b/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch new file mode 100644 index 00000000000..b83f5cc7630 --- /dev/null +++ b/queue-4.16/usb-dwc3-update-dwc_usb31-gtxfifosiz-reg-fields.patch @@ -0,0 +1,40 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Thinh Nguyen +Date: Fri, 16 Mar 2018 15:33:54 -0700 +Subject: usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields + +From: Thinh Nguyen + +[ Upstream commit 0cab8d26d6e5e053b2bed3356992aaa71dc93628 ] + +Update two GTXFIFOSIZ bit fields for the DWC_usb31 controller. TXFDEP +is a 15-bit value instead of 16-bit value, and bit 15 is TXFRAMNUM. + +The GTXFIFOSIZ register for DWC_usb31 is as follows: + +-------+-----------+----------------------------------+ + | BITS | Name | Description | + +=======+===========+==================================+ + | 31:16 | TXFSTADDR | Transmit FIFOn RAM Start Address | + | 15 | TXFRAMNUM | Asynchronous/Periodic TXFIFO | + | 14:0 | TXFDEP | TXFIFO Depth | + +-------+-----------+----------------------------------+ + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/core.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -241,6 +241,8 @@ + #define DWC3_GUSB3PIPECTL_TX_DEEPH(n) ((n) << 1) + + /* Global TX Fifo Size Register */ ++#define DWC31_GTXFIFOSIZ_TXFRAMNUM BIT(15) /* DWC_usb31 only */ ++#define DWC31_GTXFIFOSIZ_TXFDEF(n) ((n) & 0x7fff) /* DWC_usb31 only */ + #define DWC3_GTXFIFOSIZ_TXFDEF(n) ((n) & 0xffff) + #define DWC3_GTXFIFOSIZ_TXFSTADDR(n) ((n) & 0xffff0000) + diff --git a/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch b/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch new file mode 100644 index 00000000000..7d9d94efb9d --- /dev/null +++ b/queue-4.16/usb-gadget-composite-fix-incorrect-handling-of-os-desc-requests.patch @@ -0,0 +1,158 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Chris Dickens +Date: Sun, 31 Dec 2017 18:59:42 -0800 +Subject: usb: gadget: composite: fix incorrect handling of OS desc requests + +From: Chris Dickens + +[ Upstream commit 5d6ae4f0da8a64a185074dabb1b2f8c148efa741 ] + +When handling an OS descriptor request, one of the first operations is +to zero out the request buffer using the wLength from the setup packet. +There is no bounds checking, so a wLength > 4096 would clobber memory +adjacent to the request buffer. Fix this by taking the min of wLength +and the request buffer length prior to the memset. While at it, define +the buffer length in a header file so that magic numbers don't appear +throughout the code. + +When returning data to the host, the data length should be the min of +the wLength and the valid data we have to return. Currently we are +returning wLength, thus requests for a wLength greater than the amount +of data in the OS descriptor buffer would return invalid (albeit zero'd) +data following the valid descriptor data. Fix this by counting the +number of bytes when constructing the data and using this when +determining the length of the request. + +Signed-off-by: Chris Dickens +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 40 +++++++++++++++++++--------------------- + include/linux/usb/composite.h | 3 +++ + 2 files changed, 22 insertions(+), 21 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1422,7 +1422,7 @@ static int count_ext_compat(struct usb_c + return res; + } + +-static void fill_ext_compat(struct usb_configuration *c, u8 *buf) ++static int fill_ext_compat(struct usb_configuration *c, u8 *buf) + { + int i, count; + +@@ -1449,10 +1449,12 @@ static void fill_ext_compat(struct usb_c + buf += 23; + } + count += 24; +- if (count >= 4096) +- return; ++ if (count + 24 >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; + } + } ++ ++ return count; + } + + static int count_ext_prop(struct usb_configuration *c, int interface) +@@ -1497,25 +1499,20 @@ static int fill_ext_prop(struct usb_conf + struct usb_os_desc *d; + struct usb_os_desc_ext_prop *ext_prop; + int j, count, n, ret; +- u8 *start = buf; + + f = c->interface[interface]; ++ count = 10; /* header length */ + for (j = 0; j < f->os_desc_n; ++j) { + if (interface != f->os_desc_table[j].if_id) + continue; + d = f->os_desc_table[j].os_desc; + if (d) + list_for_each_entry(ext_prop, &d->ext_prop, entry) { +- /* 4kB minus header length */ +- n = buf - start; +- if (n >= 4086) +- return 0; +- +- count = ext_prop->data_len + ++ n = ext_prop->data_len + + ext_prop->name_len + 14; +- if (count > 4086 - n) +- return -EINVAL; +- usb_ext_prop_put_size(buf, count); ++ if (count + n >= USB_COMP_EP0_OS_DESC_BUFSIZ) ++ return count; ++ usb_ext_prop_put_size(buf, n); + usb_ext_prop_put_type(buf, ext_prop->type); + ret = usb_ext_prop_put_name(buf, ext_prop->name, + ext_prop->name_len); +@@ -1541,11 +1538,12 @@ static int fill_ext_prop(struct usb_conf + default: + return -EINVAL; + } +- buf += count; ++ buf += n; ++ count += n; + } + } + +- return 0; ++ return count; + } + + /* +@@ -1827,6 +1825,7 @@ unknown: + req->complete = composite_setup_complete; + buf = req->buf; + os_desc_cfg = cdev->os_desc_config; ++ w_length = min_t(u16, w_length, USB_COMP_EP0_OS_DESC_BUFSIZ); + memset(buf, 0, w_length); + buf[5] = 0x01; + switch (ctrl->bRequestType & USB_RECIP_MASK) { +@@ -1850,8 +1849,8 @@ unknown: + count += 16; /* header */ + put_unaligned_le32(count, buf); + buf += 16; +- fill_ext_compat(os_desc_cfg, buf); +- value = w_length; ++ value = fill_ext_compat(os_desc_cfg, buf); ++ value = min_t(u16, w_length, value); + } + break; + case USB_RECIP_INTERFACE: +@@ -1880,8 +1879,7 @@ unknown: + interface, buf); + if (value < 0) + return value; +- +- value = w_length; ++ value = min_t(u16, w_length, value); + } + break; + } +@@ -2156,8 +2154,8 @@ int composite_os_desc_req_prepare(struct + goto end; + } + +- /* OS feature descriptor length <= 4kB */ +- cdev->os_desc_req->buf = kmalloc(4096, GFP_KERNEL); ++ cdev->os_desc_req->buf = kmalloc(USB_COMP_EP0_OS_DESC_BUFSIZ, ++ GFP_KERNEL); + if (!cdev->os_desc_req->buf) { + ret = -ENOMEM; + usb_ep_free_request(ep0, cdev->os_desc_req); +--- a/include/linux/usb/composite.h ++++ b/include/linux/usb/composite.h +@@ -54,6 +54,9 @@ + /* big enough to hold our biggest descriptor */ + #define USB_COMP_EP0_BUFSIZ 1024 + ++/* OS feature descriptor length <= 4kB */ ++#define USB_COMP_EP0_OS_DESC_BUFSIZ 4096 ++ + #define USB_MS_TO_HS_INTERVAL(x) (ilog2((x * 1000 / 125)) + 1) + struct usb_configuration; + diff --git a/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch b/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch new file mode 100644 index 00000000000..9a5296141d0 --- /dev/null +++ b/queue-4.16/usb-gadget-ffs-execute-copy_to_user-with-user_ds-set.patch @@ -0,0 +1,68 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Lars-Peter Clausen +Date: Fri, 12 Jan 2018 11:05:02 +0100 +Subject: usb: gadget: ffs: Execute copy_to_user() with USER_DS set + +From: Lars-Peter Clausen + +[ Upstream commit 4058ebf33cb0be88ca516f968eda24ab7b6b93e4 ] + +When using a AIO read() operation on the function FS gadget driver a URB is +submitted asynchronously and on URB completion the received data is copied +to the userspace buffer associated with the read operation. + +This is done from a kernel worker thread invoking copy_to_user() (through +copy_to_iter()). And while the user space process memory is made available +to the kernel thread using use_mm(), some architecture require in addition +to this that the operation runs with USER_DS set. Otherwise the userspace +memory access will fail. + +For example on ARM64 with Privileged Access Never (PAN) and User Access +Override (UAO) enabled the following crash occurs. + + Internal error: Accessing user space memory with fs=KERNEL_DS: 9600004f [#1] SMP + Modules linked in: + CPU: 2 PID: 1636 Comm: kworker/2:1 Not tainted 4.9.0-04081-g8ab2dfb-dirty #487 + Hardware name: ZynqMP ZCU102 Rev1.0 (DT) + Workqueue: events ffs_user_copy_worker + task: ffffffc87afc8080 task.stack: ffffffc87a00c000 + PC is at __arch_copy_to_user+0x190/0x220 + LR is at copy_to_iter+0x78/0x3c8 + [...] + [] __arch_copy_to_user+0x190/0x220 + [] ffs_user_copy_worker+0x70/0x130 + [] process_one_work+0x1dc/0x460 + [] worker_thread+0x50/0x4b0 + [] kthread+0xd8/0xf0 + [] ret_from_fork+0x10/0x50 + +Address this by placing a set_fs(USER_DS) before of the copy operation +and revert it again once the copy operation has finished. + +This patch is analogous to commit d7ffde35e31a ("vhost: use USER_DS in +vhost_worker thread") which addresses the same underlying issue. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -758,9 +758,13 @@ static void ffs_user_copy_worker(struct + bool kiocb_has_eventfd = io_data->kiocb->ki_flags & IOCB_EVENTFD; + + if (io_data->read && ret > 0) { ++ mm_segment_t oldfs = get_fs(); ++ ++ set_fs(USER_DS); + use_mm(io_data->mm); + ret = ffs_copy_to_iter(io_data->buf, ret, &io_data->data); + unuse_mm(io_data->mm); ++ set_fs(oldfs); + } + + io_data->kiocb->ki_complete(io_data->kiocb, ret, ret); diff --git a/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch b/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch new file mode 100644 index 00000000000..157926327d3 --- /dev/null +++ b/queue-4.16/usb-gadget-ffs-let-setup-return-usb_gadget_delayed_status.patch @@ -0,0 +1,53 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Lars-Peter Clausen +Date: Fri, 12 Jan 2018 11:26:16 +0100 +Subject: usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS + +From: Lars-Peter Clausen + +[ Upstream commit 946ef68ad4e45aa048a5fb41ce8823ed29da866a ] + +Some UDC drivers (like the DWC3) expect that the response to a setup() +request is queued from within the setup function itself so that it is +available as soon as setup() has completed. + +Upon receiving a setup request the function fs driver creates an event that +is made available to userspace. And only once userspace has acknowledged +that event the response to the setup request is queued. + +So it violates the requirement of those UDC drivers and random failures can +be observed. This is basically a race condition and if userspace is able to +read the event and queue the response fast enough all is good. But if it is +not, for example because other processes are currently scheduled to run, +the USB host that sent the setup request will observe an error. + +To avoid this the gadget framework provides the USB_GADGET_DELAYED_STATUS +return code. If a setup() callback returns this value the UDC driver is +aware that response is not yet available and can uses the appropriate +methods to handle this case. + +Since in the case of function fs the response will never be available when +the setup() function returns make sure that this status code is used. + +This fixed random occasional failures that were previously observed on a +DWC3 based system under high system load. + +Signed-off-by: Lars-Peter Clausen +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_fs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -3238,7 +3238,7 @@ static int ffs_func_setup(struct usb_fun + __ffs_event_add(ffs, FUNCTIONFS_SETUP); + spin_unlock_irqrestore(&ffs->ev.waitq.lock, flags); + +- return 0; ++ return USB_GADGET_DELAYED_STATUS; + } + + static bool ffs_func_req_match(struct usb_function *f, diff --git a/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch b/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch new file mode 100644 index 00000000000..c1e7efdc065 --- /dev/null +++ b/queue-4.16/usb-gadget-udc-change-comparison-to-bitshift-when-dealing-with-a-mask.patch @@ -0,0 +1,32 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Wolfram Sang +Date: Tue, 6 Feb 2018 09:50:40 +0100 +Subject: usb: gadget: udc: change comparison to bitshift when dealing with a mask + +From: Wolfram Sang + +[ Upstream commit ac87e560f7c0f91b62012e9a159c0681a373b922 ] + +Due to a typo, the mask was destroyed by a comparison instead of a bit +shift. + +Reported-by: Geert Uytterhoeven +Signed-off-by: Wolfram Sang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/udc/goku_udc.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/udc/goku_udc.h ++++ b/drivers/usb/gadget/udc/goku_udc.h +@@ -25,7 +25,7 @@ struct goku_udc_regs { + # define INT_EP1DATASET 0x00040 + # define INT_EP2DATASET 0x00080 + # define INT_EP3DATASET 0x00100 +-#define INT_EPnNAK(n) (0x00100 < (n)) /* 0 < n < 4 */ ++#define INT_EPnNAK(n) (0x00100 << (n)) /* 0 < n < 4 */ + # define INT_EP1NAK 0x00200 + # define INT_EP2NAK 0x00400 + # define INT_EP3NAK 0x00800 diff --git a/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch b/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch new file mode 100644 index 00000000000..1ef3727d9b9 --- /dev/null +++ b/queue-4.16/usbip-correct-maximum-value-of-config_usbip_vhci_hc_ports.patch @@ -0,0 +1,35 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Ben Hutchings +Date: Mon, 29 Jan 2018 00:04:18 +0000 +Subject: usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS + +From: Ben Hutchings + +[ Upstream commit 351a8d4837ae0d61744e64262c3a80ab92ff3e42 ] + +Now that usbip supports USB3, the maximum number of ports allowed +on a hub is 15 (USB_SS_MAXPORTS), not 31 (USB_MAXCHILDREN). + +Reported-by: Gianluigi Tiesi +Reported-by: Borissh1983 +References: https://bugs.debian.org/878866 +Fixes: 1c9de5bf4286 ("usbip: vhci-hcd: Add USB3 SuperSpeed support") +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/usbip/Kconfig ++++ b/drivers/usb/usbip/Kconfig +@@ -27,7 +27,7 @@ config USBIP_VHCI_HCD + + config USBIP_VHCI_HC_PORTS + int "Number of ports per USB/IP virtual host controller" +- range 1 31 ++ range 1 15 + default 8 + depends on USBIP_VHCI_HCD + ---help--- diff --git a/queue-4.16/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch b/queue-4.16/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch new file mode 100644 index 00000000000..fafccd8538e --- /dev/null +++ b/queue-4.16/x86-kexec-avoid-double-free_page-upon-do_kexec_load-failure.patch @@ -0,0 +1,103 @@ +From a466ef76b815b86748d9870ef2a430af7b39c710 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 9 May 2018 19:42:20 +0900 +Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure + +From: Tetsuo Handa + +commit a466ef76b815b86748d9870ef2a430af7b39c710 upstream. + +>From ff82bedd3e12f0d3353282054ae48c3bd8c72012 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 9 May 2018 12:12:39 +0900 +Subject: x86/kexec: Avoid double free_page() upon do_kexec_load() failure + +syzbot is reporting crashes after memory allocation failure inside +do_kexec_load() [1]. This is because free_transition_pgtable() is called +by both init_transition_pgtable() and machine_kexec_cleanup() when memory +allocation failed inside init_transition_pgtable(). + +Regarding 32bit code, machine_kexec_free_page_tables() is called by both +machine_kexec_alloc_page_tables() and machine_kexec_cleanup() when memory +allocation failed inside machine_kexec_alloc_page_tables(). + +Fix this by leaving the error handling to machine_kexec_cleanup() +(and optionally setting NULL after free_page()). + +[1] https://syzkaller.appspot.com/bug?id=91e52396168cf2bdd572fe1e1bc0bc645c1c6b40 + +Fixes: f5deb79679af6eb4 ("x86: kexec: Use one page table in x86_64 machine_kexec") +Fixes: 92be3d6bdf2cb349 ("kexec/i386: allocate page table pages dynamically") +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Thomas Gleixner +Acked-by: Baoquan He +Cc: thomas.lendacky@amd.com +Cc: prudo@linux.vnet.ibm.com +Cc: Huang Ying +Cc: syzkaller-bugs@googlegroups.com +Cc: takahiro.akashi@linaro.org +Cc: H. Peter Anvin +Cc: akpm@linux-foundation.org +Cc: dyoung@redhat.com +Cc: kirill.shutemov@linux.intel.com +Link: https://lkml.kernel.org/r/201805091942.DGG12448.tMFVFSJFQOOLHO@I-love.SAKURA.ne.jp +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/machine_kexec_32.c | 6 +++++- + arch/x86/kernel/machine_kexec_64.c | 5 ++++- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/machine_kexec_32.c ++++ b/arch/x86/kernel/machine_kexec_32.c +@@ -57,12 +57,17 @@ static void load_segments(void) + static void machine_kexec_free_page_tables(struct kimage *image) + { + free_page((unsigned long)image->arch.pgd); ++ image->arch.pgd = NULL; + #ifdef CONFIG_X86_PAE + free_page((unsigned long)image->arch.pmd0); ++ image->arch.pmd0 = NULL; + free_page((unsigned long)image->arch.pmd1); ++ image->arch.pmd1 = NULL; + #endif + free_page((unsigned long)image->arch.pte0); ++ image->arch.pte0 = NULL; + free_page((unsigned long)image->arch.pte1); ++ image->arch.pte1 = NULL; + } + + static int machine_kexec_alloc_page_tables(struct kimage *image) +@@ -79,7 +84,6 @@ static int machine_kexec_alloc_page_tabl + !image->arch.pmd0 || !image->arch.pmd1 || + #endif + !image->arch.pte0 || !image->arch.pte1) { +- machine_kexec_free_page_tables(image); + return -ENOMEM; + } + return 0; +--- a/arch/x86/kernel/machine_kexec_64.c ++++ b/arch/x86/kernel/machine_kexec_64.c +@@ -38,9 +38,13 @@ static struct kexec_file_ops *kexec_file + static void free_transition_pgtable(struct kimage *image) + { + free_page((unsigned long)image->arch.p4d); ++ image->arch.p4d = NULL; + free_page((unsigned long)image->arch.pud); ++ image->arch.pud = NULL; + free_page((unsigned long)image->arch.pmd); ++ image->arch.pmd = NULL; + free_page((unsigned long)image->arch.pte); ++ image->arch.pte = NULL; + } + + static int init_transition_pgtable(struct kimage *image, pgd_t *pgd) +@@ -90,7 +94,6 @@ static int init_transition_pgtable(struc + set_pte(pte, pfn_pte(paddr >> PAGE_SHIFT, PAGE_KERNEL_EXEC_NOENC)); + return 0; + err: +- free_transition_pgtable(image); + return result; + } + diff --git a/queue-4.16/xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch b/queue-4.16/xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch new file mode 100644 index 00000000000..ae159068b98 --- /dev/null +++ b/queue-4.16/xhci-show-what-usb-release-number-the-xhc-supports-from-protocol-capablity.patch @@ -0,0 +1,62 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Mathias Nyman +Date: Fri, 16 Mar 2018 16:33:06 +0200 +Subject: xhci: Show what USB release number the xHC supports from protocol capablity + +From: Mathias Nyman + +[ Upstream commit 0ee78c101425aae681c631ba59c6ac7f44b1d83a ] + +xhci driver displays the supported xHC USB revision in a message during +driver load: + +"Host supports USB 3.1 Enhanced SuperSpeed" + +Get the USB minor revision number from the xhci protocol capability. +This will show the correct supported revisions for new USB 3.2 and later +hosts + +Don't rely on the SBRN (serial bus revision number) register, it's often +showing 0x30 (USB3.0) for hosts that support USB 3.1 + +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4769,6 +4769,7 @@ int xhci_gen_setup(struct usb_hcd *hcd, + * quirks + */ + struct device *dev = hcd->self.sysdev; ++ unsigned int minor_rev; + int retval; + + /* Accept arbitrarily long scatter-gather lists */ +@@ -4796,12 +4797,19 @@ int xhci_gen_setup(struct usb_hcd *hcd, + */ + hcd->has_tt = 1; + } else { +- /* Some 3.1 hosts return sbrn 0x30, can't rely on sbrn alone */ +- if (xhci->sbrn == 0x31 || xhci->usb3_rhub.min_rev >= 1) { +- xhci_info(xhci, "Host supports USB 3.1 Enhanced SuperSpeed\n"); ++ /* ++ * Some 3.1 hosts return sbrn 0x30, use xhci supported protocol ++ * minor revision instead of sbrn ++ */ ++ minor_rev = xhci->usb3_rhub.min_rev; ++ if (minor_rev) { + hcd->speed = HCD_USB31; + hcd->self.root_hub->speed = USB_SPEED_SUPER_PLUS; + } ++ xhci_info(xhci, "Host supports USB 3.%x %s SuperSpeed\n", ++ minor_rev, ++ minor_rev ? "Enhanced" : ""); ++ + /* xHCI private pointer was set in xhci_pci_probe for the second + * registered roothub. + */ diff --git a/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch b/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch new file mode 100644 index 00000000000..534376ebdd6 --- /dev/null +++ b/queue-4.16/xhci-zero-usb-device-slot_id-member-when-disabling-and-freeing-a-xhci-slot.patch @@ -0,0 +1,38 @@ +From foo@baz Thu May 24 09:45:15 CEST 2018 +From: Mathias Nyman +Date: Fri, 16 Mar 2018 16:33:01 +0200 +Subject: xhci: zero usb device slot_id member when disabling and freeing a xhci slot + +From: Mathias Nyman + +[ Upstream commit a400efe455f7b61ac9a801ac8d0d01f8c8d82dd5 ] + +set udev->slot_id to zero when disabling and freeing the xhci slot. +Prevents usb core from calling xhci with a stale slot id. + +xHC controller may be reset during resume to recover from some error. +All slots are unusable as they are disabled and freed. +xhci driver starts slot enumeration again from 1 in the order they are +enabled. In the worst case a stale udev->slot_id for one device matches +a newly enabled slot_id for a different device, causing us to +perform a action on the wrong device. + +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-mem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -913,6 +913,8 @@ void xhci_free_virt_device(struct xhci_h + if (dev->out_ctx) + xhci_free_container_ctx(xhci, dev->out_ctx); + ++ if (dev->udev && dev->udev->slot_id) ++ dev->udev->slot_id = 0; + kfree(xhci->devs[slot_id]); + xhci->devs[slot_id] = NULL; + } -- 2.47.2