From d362f7e1e261abfcada392b437067ad0ef994610 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 29 Apr 2018 13:03:48 +0200 Subject: [PATCH] 4.16-stable patches added patches: alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch alsa-dice-fix-oui-for-tc-group.patch alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch cifs-smbd-avoid-allocating-iov-on-the-stack.patch cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch drm-virtio-fix-vq-wait_event-condition.patch random-fix-possible-sleeping-allocation-from-irq-context.patch random-rate-limit-unseeded-randomness-warnings.patch revert-xhci-plat-register-shutdown-for-xhci_plat.patch serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch tty-don-t-call-panic-at-tty_ldisc_init.patch tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch tty-use-__gfp_nofail-for-tty_ldisc_get.patch usb-core-add-quirk-for-hp-v222w-16gb-mini.patch usb-increment-wakeup-count-on-remote-wakeup.patch usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch usb-serial-simple-add-libtransistor-console.patch usb-typec-ucsi-increase-command-completion-timeout-value.patch usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch virtio-add-ability-to-iterate-over-vqs.patch virtio_console-don-t-tie-bufs-to-a-vq.patch virtio_console-drop-custom-control-queue-cleanup.patch virtio_console-free-buffers-after-reset.patch virtio_console-move-removal-code.patch virtio_console-reset-on-out-of-memory.patch xhci-fix-kernel-oops-in-xhci-dbgtty.patch xhci-fix-usb-ports-for-dell-inspiron-5775.patch --- ...h-to-destroy-initialized-stream-data.patch | 35 +++++ .../alsa-dice-fix-oui-for-tc-group.patch | 34 +++++ ...-others-for-non-existing-pcm-streams.patch | 62 ++++++++ ...kip-broken-eu-on-dell-dock-usb-audio.patch | 37 +++++ ...bd-avoid-allocating-iov-on-the-stack.patch | 97 ++++++++++++ ...rdma-read-write-when-signing-is-used.patch | 96 ++++++++++++ ...m-virtio-fix-vq-wait_event-condition.patch | 45 ++++++ ...sleeping-allocation-from-irq-context.patch | 49 ++++++ ...e-limit-unseeded-randomness-warnings.patch | 102 +++++++++++++ ...plat-register-shutdown-for-xhci_plat.patch | 36 +++++ ...cal-flags-handling-on-termios-update.patch | 56 +++++++ queue-4.16/series | 34 +++++ ...ter-dereference-at-tty_ldisc_restore.patch | 67 +++++++++ ...y-don-t-call-panic-at-tty_ldisc_init.patch | 72 +++++++++ ...g-for-adm-mode-if-debug-2-is-not-set.patch | 69 +++++++++ ...h-control-frame-timeouts-in-adm-mode.patch | 91 +++++++++++ ...y-use-__gfp_nofail-for-tty_ldisc_get.patch | 57 +++++++ ...ore-add-quirk-for-hp-v222w-16gb-mini.patch | 37 +++++ ...rement-wakeup-count-on-remote-wakeup.patch | 82 ++++++++++ ...10x-add-id-for-ni-usb-serial-console.patch | 31 ++++ ...use-jtag-quirk-for-arrow-usb-blaster.patch | 37 +++++ ...ial-simple-add-libtransistor-console.patch | 63 ++++++++ ...ase-command-completion-timeout-value.patch | 34 +++++ ...-to-not-print-kernel-pointer-address.patch | 33 ++++ ...-parent-lock-for-device_attach-calls.patch | 35 +++++ ...ort-before-using-in-vhci_hub_control.patch | 74 +++++++++ ..._hcd-fix-usb-device-and-sockfd-leaks.patch | 31 ++++ ...rtio-add-ability-to-iterate-over-vqs.patch | 32 ++++ ...irtio_console-don-t-tie-bufs-to-a-vq.patch | 79 ++++++++++ ...le-drop-custom-control-queue-cleanup.patch | 60 ++++++++ ...tio_console-free-buffers-after-reset.patch | 142 ++++++++++++++++++ .../virtio_console-move-removal-code.patch | 107 +++++++++++++ ...irtio_console-reset-on-out-of-memory.patch | 64 ++++++++ .../xhci-fix-kernel-oops-in-xhci-dbgtty.patch | 88 +++++++++++ ...fix-usb-ports-for-dell-inspiron-5775.patch | 43 ++++++ 35 files changed, 2111 insertions(+) create mode 100644 queue-4.16/alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch create mode 100644 queue-4.16/alsa-dice-fix-oui-for-tc-group.patch create mode 100644 queue-4.16/alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch create mode 100644 queue-4.16/alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch create mode 100644 queue-4.16/cifs-smbd-avoid-allocating-iov-on-the-stack.patch create mode 100644 queue-4.16/cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch create mode 100644 queue-4.16/drm-virtio-fix-vq-wait_event-condition.patch create mode 100644 queue-4.16/random-fix-possible-sleeping-allocation-from-irq-context.patch create mode 100644 queue-4.16/random-rate-limit-unseeded-randomness-warnings.patch create mode 100644 queue-4.16/revert-xhci-plat-register-shutdown-for-xhci_plat.patch create mode 100644 queue-4.16/serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch create mode 100644 queue-4.16/tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch create mode 100644 queue-4.16/tty-don-t-call-panic-at-tty_ldisc_init.patch create mode 100644 queue-4.16/tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch create mode 100644 queue-4.16/tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch create mode 100644 queue-4.16/tty-use-__gfp_nofail-for-tty_ldisc_get.patch create mode 100644 queue-4.16/usb-core-add-quirk-for-hp-v222w-16gb-mini.patch create mode 100644 queue-4.16/usb-increment-wakeup-count-on-remote-wakeup.patch create mode 100644 queue-4.16/usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch create mode 100644 queue-4.16/usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch create mode 100644 queue-4.16/usb-serial-simple-add-libtransistor-console.patch create mode 100644 queue-4.16/usb-typec-ucsi-increase-command-completion-timeout-value.patch create mode 100644 queue-4.16/usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch create mode 100644 queue-4.16/usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch create mode 100644 queue-4.16/usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch create mode 100644 queue-4.16/usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch create mode 100644 queue-4.16/virtio-add-ability-to-iterate-over-vqs.patch create mode 100644 queue-4.16/virtio_console-don-t-tie-bufs-to-a-vq.patch create mode 100644 queue-4.16/virtio_console-drop-custom-control-queue-cleanup.patch create mode 100644 queue-4.16/virtio_console-free-buffers-after-reset.patch create mode 100644 queue-4.16/virtio_console-move-removal-code.patch create mode 100644 queue-4.16/virtio_console-reset-on-out-of-memory.patch create mode 100644 queue-4.16/xhci-fix-kernel-oops-in-xhci-dbgtty.patch create mode 100644 queue-4.16/xhci-fix-usb-ports-for-dell-inspiron-5775.patch diff --git a/queue-4.16/alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch b/queue-4.16/alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch new file mode 100644 index 00000000000..04bbd05c36f --- /dev/null +++ b/queue-4.16/alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch @@ -0,0 +1,35 @@ +From 0f925660a7bc49b269c163249a5d06da3a0c7b0a Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Thu, 26 Apr 2018 22:00:29 +0900 +Subject: ALSA: dice: fix error path to destroy initialized stream data + +From: Takashi Sakamoto + +commit 0f925660a7bc49b269c163249a5d06da3a0c7b0a upstream. + +In error path of snd_dice_stream_init_duplex(), stream data for incoming +packet can be left to be initialized. + +This commit fixes it. + +Fixes: 436b5abe2224 ('ALSA: dice: handle whole available isochronous streams') +Cc: # v4.6+ +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/dice/dice-stream.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/dice/dice-stream.c ++++ b/sound/firewire/dice/dice-stream.c +@@ -435,7 +435,7 @@ int snd_dice_stream_init_duplex(struct s + err = init_stream(dice, AMDTP_IN_STREAM, i); + if (err < 0) { + for (; i >= 0; i--) +- destroy_stream(dice, AMDTP_OUT_STREAM, i); ++ destroy_stream(dice, AMDTP_IN_STREAM, i); + goto end; + } + } diff --git a/queue-4.16/alsa-dice-fix-oui-for-tc-group.patch b/queue-4.16/alsa-dice-fix-oui-for-tc-group.patch new file mode 100644 index 00000000000..f9ecf80e6cd --- /dev/null +++ b/queue-4.16/alsa-dice-fix-oui-for-tc-group.patch @@ -0,0 +1,34 @@ +From 10412c420af9ba1f3de8483a95d360e5eb5bfc84 Mon Sep 17 00:00:00 2001 +From: Takashi Sakamoto +Date: Sun, 22 Apr 2018 21:19:24 +0900 +Subject: ALSA: dice: fix OUI for TC group + +From: Takashi Sakamoto + +commit 10412c420af9ba1f3de8483a95d360e5eb5bfc84 upstream. + +OUI for TC Electronic is 0x000166, for TC GROUP A/S. 0x001486 is for Echo +Digital Audio Corporation. + +Fixes: 7cafc65b3aa1 ('ALSA: dice: force to add two pcm devices for listed models') +Cc: # v4.6+ +Reference: http://standards-oui.ieee.org/oui/oui.txt +Signed-off-by: Takashi Sakamoto +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/firewire/dice/dice.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/firewire/dice/dice.c ++++ b/sound/firewire/dice/dice.c +@@ -14,7 +14,7 @@ MODULE_LICENSE("GPL v2"); + #define OUI_WEISS 0x001c6a + #define OUI_LOUD 0x000ff2 + #define OUI_FOCUSRITE 0x00130e +-#define OUI_TCELECTRONIC 0x001486 ++#define OUI_TCELECTRONIC 0x000166 + + #define DICE_CATEGORY_ID 0x04 + #define WEISS_CATEGORY_ID 0x00 diff --git a/queue-4.16/alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch b/queue-4.16/alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch new file mode 100644 index 00000000000..fdfa33e2015 --- /dev/null +++ b/queue-4.16/alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch @@ -0,0 +1,62 @@ +From 8a7d6003df41cb16f6b3b620da044fbd92d2f5ee Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 25 Apr 2018 16:19:13 +0200 +Subject: ALSA: hda - Skip jack and others for non-existing PCM streams + +From: Takashi Iwai + +commit 8a7d6003df41cb16f6b3b620da044fbd92d2f5ee upstream. + +When CONFIG_SND_DYNAMIC_MINORS isn't set, there are only limited +number of devices available, and HD-audio, especially with HDMI/DP +codec, will fail to create more than two devices. + +The driver warns about the lack of such devices and skips the PCM +device creations, but the HDMI driver still tries to create the +corresponding JACK, SPDIF and ELD controls even for the non-existing +PCM substreams. This results in confusion on user-space, and even may +break the operation. + +Similarly, Intel HDMI/DP codec builds the ELD notification from i915 +graphics driver, and this may be broken if a notification is sent for +the non-existing PCM stream. + +This patch adds the check of the existence of the assigned PCM +substream in the both scenarios above, and skips the further operation +if the PCM substream is not assigned. + +Fixes: 9152085defb6 ("ALSA: hda - add DP MST audio support") +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_hdmi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_hdmi.c ++++ b/sound/pci/hda/patch_hdmi.c +@@ -1383,6 +1383,8 @@ static void hdmi_pcm_setup_pin(struct hd + pcm = get_pcm_rec(spec, per_pin->pcm_idx); + else + return; ++ if (!pcm->pcm) ++ return; + if (!test_bit(per_pin->pcm_idx, &spec->pcm_in_use)) + return; + +@@ -2151,8 +2153,13 @@ static int generic_hdmi_build_controls(s + int dev, err; + int pin_idx, pcm_idx; + +- + for (pcm_idx = 0; pcm_idx < spec->pcm_used; pcm_idx++) { ++ if (!get_pcm_rec(spec, pcm_idx)->pcm) { ++ /* no PCM: mark this for skipping permanently */ ++ set_bit(pcm_idx, &spec->pcm_bitmap); ++ continue; ++ } ++ + err = generic_hdmi_build_jack(codec, pcm_idx); + if (err < 0) + return err; diff --git a/queue-4.16/alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch b/queue-4.16/alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch new file mode 100644 index 00000000000..f99a4ef37a3 --- /dev/null +++ b/queue-4.16/alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch @@ -0,0 +1,37 @@ +From 1d8d6428d1da642ddd75b0be2d1bb1123ff8e017 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 24 Apr 2018 11:11:48 +0200 +Subject: ALSA: usb-audio: Skip broken EU on Dell dock USB-audio + +From: Takashi Iwai + +commit 1d8d6428d1da642ddd75b0be2d1bb1123ff8e017 upstream. + +The Dell Dock USB-audio device with 0bda:4014 is behaving notoriously +bad, and we have already applied some workaround to avoid the firmware +hiccup. Yet we still need to skip one thing, the Extension Unit at ID +4, which doesn't react correctly to the mixer ctl access. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=1090658 +Cc: +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer_maps.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/usb/mixer_maps.c ++++ b/sound/usb/mixer_maps.c +@@ -353,8 +353,11 @@ static struct usbmix_name_map bose_compa + /* + * Dell usb dock with ALC4020 codec had a firmware problem where it got + * screwed up when zero volume is passed; just skip it as a workaround ++ * ++ * Also the extension unit gives an access error, so skip it as well. + */ + static const struct usbmix_name_map dell_alc4020_map[] = { ++ { 4, NULL }, /* extension unit */ + { 16, NULL }, + { 19, NULL }, + { 0 } diff --git a/queue-4.16/cifs-smbd-avoid-allocating-iov-on-the-stack.patch b/queue-4.16/cifs-smbd-avoid-allocating-iov-on-the-stack.patch new file mode 100644 index 00000000000..9e4bf1408d2 --- /dev/null +++ b/queue-4.16/cifs-smbd-avoid-allocating-iov-on-the-stack.patch @@ -0,0 +1,97 @@ +From 8bcda1d2a79da4ab84162574eee2c9f6e1a12a03 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Tue, 17 Apr 2018 12:17:07 -0700 +Subject: cifs: smbd: Avoid allocating iov on the stack + +From: Long Li + +commit 8bcda1d2a79da4ab84162574eee2c9f6e1a12a03 upstream. + +It's not necessary to allocate another iov when going through the buffers +in smbd_send() through RDMA send. + +Remove it to reduce stack size. + +Thanks to Matt for spotting a printk typo in the earlier version of this. + +CC: Matt Redfearn +Signed-off-by: Long Li +Acked-by: Ronnie Sahlberg +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smbdirect.c | 36 ++++++++++++------------------------ + 1 file changed, 12 insertions(+), 24 deletions(-) + +--- a/fs/cifs/smbdirect.c ++++ b/fs/cifs/smbdirect.c +@@ -2086,7 +2086,7 @@ int smbd_send(struct smbd_connection *in + int start, i, j; + int max_iov_size = + info->max_send_size - sizeof(struct smbd_data_transfer); +- struct kvec iov[SMBDIRECT_MAX_SGE]; ++ struct kvec *iov; + int rc; + + info->smbd_send_pending++; +@@ -2096,32 +2096,20 @@ int smbd_send(struct smbd_connection *in + } + + /* +- * This usually means a configuration error +- * We use RDMA read/write for packet size > rdma_readwrite_threshold +- * as long as it's properly configured we should never get into this +- * situation +- */ +- if (rqst->rq_nvec + rqst->rq_npages > SMBDIRECT_MAX_SGE) { +- log_write(ERR, "maximum send segment %x exceeding %x\n", +- rqst->rq_nvec + rqst->rq_npages, SMBDIRECT_MAX_SGE); +- rc = -EINVAL; +- goto done; +- } +- +- /* +- * Remove the RFC1002 length defined in MS-SMB2 section 2.1 +- * It is used only for TCP transport ++ * Skip the RFC1002 length defined in MS-SMB2 section 2.1 ++ * It is used only for TCP transport in the iov[0] + * In future we may want to add a transport layer under protocol + * layer so this will only be issued to TCP transport + */ +- iov[0].iov_base = (char *)rqst->rq_iov[0].iov_base + 4; +- iov[0].iov_len = rqst->rq_iov[0].iov_len - 4; +- buflen += iov[0].iov_len; ++ ++ if (rqst->rq_iov[0].iov_len != 4) { ++ log_write(ERR, "expected the pdu length in 1st iov, but got %zu\n", rqst->rq_iov[0].iov_len); ++ return -EINVAL; ++ } ++ iov = &rqst->rq_iov[1]; + + /* total up iov array first */ +- for (i = 1; i < rqst->rq_nvec; i++) { +- iov[i].iov_base = rqst->rq_iov[i].iov_base; +- iov[i].iov_len = rqst->rq_iov[i].iov_len; ++ for (i = 0; i < rqst->rq_nvec-1; i++) { + buflen += iov[i].iov_len; + } + +@@ -2194,14 +2182,14 @@ int smbd_send(struct smbd_connection *in + goto done; + } + i++; +- if (i == rqst->rq_nvec) ++ if (i == rqst->rq_nvec-1) + break; + } + start = i; + buflen = 0; + } else { + i++; +- if (i == rqst->rq_nvec) { ++ if (i == rqst->rq_nvec-1) { + /* send out all remaining vecs */ + remaining_data_length -= buflen; + log_write(INFO, diff --git a/queue-4.16/cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch b/queue-4.16/cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch new file mode 100644 index 00000000000..43130f3714c --- /dev/null +++ b/queue-4.16/cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch @@ -0,0 +1,96 @@ +From bb4c0419476bd3982ba802f0f49de83cd79532d8 Mon Sep 17 00:00:00 2001 +From: Long Li +Date: Tue, 17 Apr 2018 12:17:08 -0700 +Subject: cifs: smbd: Don't use RDMA read/write when signing is used + +From: Long Li + +commit bb4c0419476bd3982ba802f0f49de83cd79532d8 upstream. + +SMB server will not sign data transferred through RDMA read/write. When +signing is used, it's a good idea to have all the data signed. + +In this case, use RDMA send/recv for all data transfers. This will degrade +performance as this is not generally configured in RDMA environemnt. So +warn the user on signing and RDMA send/recv. + +Signed-off-by: Long Li +Acked-by: Ronnie Sahlberg +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifssmb.c | 3 +++ + fs/cifs/smb2ops.c | 18 ++++++++++++++---- + fs/cifs/smb2pdu.c | 4 ++-- + 3 files changed, 19 insertions(+), 6 deletions(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -453,6 +453,9 @@ cifs_enable_signing(struct TCP_Server_In + server->sign = true; + } + ++ if (cifs_rdma_enabled(server) && server->sign) ++ cifs_dbg(VFS, "Signing is enabled, and RDMA read/write will be disabled"); ++ + return 0; + } + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -252,9 +252,14 @@ smb2_negotiate_wsize(struct cifs_tcon *t + wsize = volume_info->wsize ? volume_info->wsize : CIFS_DEFAULT_IOSIZE; + wsize = min_t(unsigned int, wsize, server->max_write); + #ifdef CONFIG_CIFS_SMB_DIRECT +- if (server->rdma) +- wsize = min_t(unsigned int, ++ if (server->rdma) { ++ if (server->sign) ++ wsize = min_t(unsigned int, ++ wsize, server->smbd_conn->max_fragmented_send_size); ++ else ++ wsize = min_t(unsigned int, + wsize, server->smbd_conn->max_readwrite_size); ++ } + #endif + if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) + wsize = min_t(unsigned int, wsize, SMB2_MAX_BUFFER_SIZE); +@@ -272,9 +277,14 @@ smb2_negotiate_rsize(struct cifs_tcon *t + rsize = volume_info->rsize ? volume_info->rsize : CIFS_DEFAULT_IOSIZE; + rsize = min_t(unsigned int, rsize, server->max_read); + #ifdef CONFIG_CIFS_SMB_DIRECT +- if (server->rdma) +- rsize = min_t(unsigned int, ++ if (server->rdma) { ++ if (server->sign) ++ rsize = min_t(unsigned int, ++ rsize, server->smbd_conn->max_fragmented_recv_size); ++ else ++ rsize = min_t(unsigned int, + rsize, server->smbd_conn->max_readwrite_size); ++ } + #endif + + if (!(server->capabilities & SMB2_GLOBAL_CAP_LARGE_MTU)) +--- a/fs/cifs/smb2pdu.c ++++ b/fs/cifs/smb2pdu.c +@@ -2479,7 +2479,7 @@ smb2_new_read_req(void **buf, unsigned i + * If we want to do a RDMA write, fill in and append + * smbd_buffer_descriptor_v1 to the end of read request + */ +- if (server->rdma && rdata && ++ if (server->rdma && rdata && !server->sign && + rdata->bytes >= server->smbd_conn->rdma_readwrite_threshold) { + + struct smbd_buffer_descriptor_v1 *v1; +@@ -2857,7 +2857,7 @@ smb2_async_writev(struct cifs_writedata + * If we want to do a server RDMA read, fill in and append + * smbd_buffer_descriptor_v1 to the end of write request + */ +- if (server->rdma && wdata->bytes >= ++ if (server->rdma && !server->sign && wdata->bytes >= + server->smbd_conn->rdma_readwrite_threshold) { + + struct smbd_buffer_descriptor_v1 *v1; diff --git a/queue-4.16/drm-virtio-fix-vq-wait_event-condition.patch b/queue-4.16/drm-virtio-fix-vq-wait_event-condition.patch new file mode 100644 index 00000000000..369eb116baa --- /dev/null +++ b/queue-4.16/drm-virtio-fix-vq-wait_event-condition.patch @@ -0,0 +1,45 @@ +From d02d270014f70dcab0117776b81a37b6fca745ae Mon Sep 17 00:00:00 2001 +From: Gerd Hoffmann +Date: Tue, 3 Apr 2018 11:59:04 +0200 +Subject: drm/virtio: fix vq wait_event condition + +From: Gerd Hoffmann + +commit d02d270014f70dcab0117776b81a37b6fca745ae upstream. + +Wait until we have enough space in the virt queue to actually queue up +our request. Avoids the guest spinning in case we have a non-zero +amount of free entries but not enough for the request. + +Cc: stable@vger.kernel.org +Reported-by: Alain Magloire +Signed-off-by: Gerd Hoffmann +Reviewed-by: Dave Airlie +Link: http://patchwork.freedesktop.org/patch/msgid/20180403095904.11152-1-kraxel@redhat.com +Signed-off-by: Sean Paul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/virtio/virtgpu_vq.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -291,7 +291,7 @@ retry: + ret = virtqueue_add_sgs(vq, sgs, outcnt, incnt, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->ctrlq.qlock); +- wait_event(vgdev->ctrlq.ack_queue, vq->num_free); ++ wait_event(vgdev->ctrlq.ack_queue, vq->num_free >= outcnt + incnt); + spin_lock(&vgdev->ctrlq.qlock); + goto retry; + } else { +@@ -366,7 +366,7 @@ retry: + ret = virtqueue_add_sgs(vq, sgs, outcnt, 0, vbuf, GFP_ATOMIC); + if (ret == -ENOSPC) { + spin_unlock(&vgdev->cursorq.qlock); +- wait_event(vgdev->cursorq.ack_queue, vq->num_free); ++ wait_event(vgdev->cursorq.ack_queue, vq->num_free >= outcnt); + spin_lock(&vgdev->cursorq.qlock); + goto retry; + } else { diff --git a/queue-4.16/random-fix-possible-sleeping-allocation-from-irq-context.patch b/queue-4.16/random-fix-possible-sleeping-allocation-from-irq-context.patch new file mode 100644 index 00000000000..eaa60b0cb31 --- /dev/null +++ b/queue-4.16/random-fix-possible-sleeping-allocation-from-irq-context.patch @@ -0,0 +1,49 @@ +From 6c1e851c4edc13a43adb3ea4044e3fc8f43ccf7d Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Mon, 23 Apr 2018 18:51:28 -0400 +Subject: random: fix possible sleeping allocation from irq context + +From: Theodore Ts'o + +commit 6c1e851c4edc13a43adb3ea4044e3fc8f43ccf7d upstream. + +We can do a sleeping allocation from an irq context when CONFIG_NUMA +is enabled. Fix this by initializing the NUMA crng instances in a +workqueue. + +Reported-by: Tetsuo Handa +Reported-by: syzbot+9de458f6a5e713ee8c1a@syzkaller.appspotmail.com +Fixes: 8ef35c866f8862df ("random: set up the NUMA crng instances...") +Cc: stable@vger.kernel.org +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -788,7 +788,7 @@ static void crng_initialize(struct crng_ + } + + #ifdef CONFIG_NUMA +-static void numa_crng_init(void) ++static void do_numa_crng_init(struct work_struct *work) + { + int i; + struct crng_state *crng; +@@ -809,6 +809,13 @@ static void numa_crng_init(void) + kfree(pool); + } + } ++ ++static DECLARE_WORK(numa_crng_init_work, do_numa_crng_init); ++ ++static void numa_crng_init(void) ++{ ++ schedule_work(&numa_crng_init_work); ++} + #else + static void numa_crng_init(void) {} + #endif diff --git a/queue-4.16/random-rate-limit-unseeded-randomness-warnings.patch b/queue-4.16/random-rate-limit-unseeded-randomness-warnings.patch new file mode 100644 index 00000000000..12cb0648dc9 --- /dev/null +++ b/queue-4.16/random-rate-limit-unseeded-randomness-warnings.patch @@ -0,0 +1,102 @@ +From 4e00b339e264802851aff8e73cde7d24b57b18ce Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Wed, 25 Apr 2018 01:12:32 -0400 +Subject: random: rate limit unseeded randomness warnings + +From: Theodore Ts'o + +commit 4e00b339e264802851aff8e73cde7d24b57b18ce upstream. + +On systems without sufficient boot randomness, no point spamming dmesg. + +Signed-off-by: Theodore Ts'o +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 39 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 34 insertions(+), 5 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -261,6 +261,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -438,6 +439,16 @@ static void _crng_backtrack_protect(stru + static void process_random_ready_list(void); + static void _get_random_bytes(void *buf, int nbytes); + ++static struct ratelimit_state unseeded_warning = ++ RATELIMIT_STATE_INIT("warn_unseeded_randomness", HZ, 3); ++static struct ratelimit_state urandom_warning = ++ RATELIMIT_STATE_INIT("warn_urandom_randomness", HZ, 3); ++ ++static int ratelimit_disable __read_mostly; ++ ++module_param_named(ratelimit_disable, ratelimit_disable, int, 0644); ++MODULE_PARM_DESC(ratelimit_disable, "Disable random ratelimit suppression"); ++ + /********************************************************************** + * + * OS independent entropy store. Here are the functions which handle +@@ -931,6 +942,18 @@ static void crng_reseed(struct crng_stat + process_random_ready_list(); + wake_up_interruptible(&crng_init_wait); + pr_notice("random: crng init done\n"); ++ if (unseeded_warning.missed) { ++ pr_notice("random: %d get_random_xx warning(s) missed " ++ "due to ratelimiting\n", ++ unseeded_warning.missed); ++ unseeded_warning.missed = 0; ++ } ++ if (urandom_warning.missed) { ++ pr_notice("random: %d urandom warning(s) missed " ++ "due to ratelimiting\n", ++ urandom_warning.missed); ++ urandom_warning.missed = 0; ++ } + } + } + +@@ -1574,8 +1597,9 @@ static void _warn_unseeded_randomness(co + #ifndef CONFIG_WARN_ALL_UNSEEDED_RANDOM + print_once = true; + #endif +- pr_notice("random: %s called from %pS with crng_init=%d\n", +- func_name, caller, crng_init); ++ if (__ratelimit(&unseeded_warning)) ++ pr_notice("random: %s called from %pS with crng_init=%d\n", ++ func_name, caller, crng_init); + } + + /* +@@ -1769,6 +1793,10 @@ static int rand_initialize(void) + init_std_data(&blocking_pool); + crng_initialize(&primary_crng); + crng_global_init_time = jiffies; ++ if (ratelimit_disable) { ++ urandom_warning.interval = 0; ++ unseeded_warning.interval = 0; ++ } + return 0; + } + early_initcall(rand_initialize); +@@ -1836,9 +1864,10 @@ urandom_read(struct file *file, char __u + + if (!crng_ready() && maxwarn > 0) { + maxwarn--; +- printk(KERN_NOTICE "random: %s: uninitialized urandom read " +- "(%zd bytes read)\n", +- current->comm, nbytes); ++ if (__ratelimit(&urandom_warning)) ++ printk(KERN_NOTICE "random: %s: uninitialized " ++ "urandom read (%zd bytes read)\n", ++ current->comm, nbytes); + spin_lock_irqsave(&primary_crng.lock, flags); + crng_init_cnt = 0; + spin_unlock_irqrestore(&primary_crng.lock, flags); diff --git a/queue-4.16/revert-xhci-plat-register-shutdown-for-xhci_plat.patch b/queue-4.16/revert-xhci-plat-register-shutdown-for-xhci_plat.patch new file mode 100644 index 00000000000..e4de45189d8 --- /dev/null +++ b/queue-4.16/revert-xhci-plat-register-shutdown-for-xhci_plat.patch @@ -0,0 +1,36 @@ +From c20f53c58261b121d0989e147368803b9773b413 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sun, 22 Apr 2018 14:31:03 +0200 +Subject: Revert "xhci: plat: Register shutdown for xhci_plat" + +From: Greg Kroah-Hartman + +commit c20f53c58261b121d0989e147368803b9773b413 upstream. + +This reverts commit b07c12517f2aed0add8ce18146bb426b14099392 + +It is incomplete and causes hangs on devices when shutting down. It +needs a much more "complete" fix in order to work properly. As that fix +has not been merged, revert this patch for now before it causes any more +problems. + +Cc: Greg Hackmann +Cc: Adam Wallis +Cc: Mathias Nyman +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-plat.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/host/xhci-plat.c ++++ b/drivers/usb/host/xhci-plat.c +@@ -419,7 +419,6 @@ MODULE_DEVICE_TABLE(acpi, usb_xhci_acpi_ + static struct platform_driver usb_xhci_driver = { + .probe = xhci_plat_probe, + .remove = xhci_plat_remove, +- .shutdown = usb_hcd_platform_shutdown, + .driver = { + .name = "xhci-hcd", + .pm = &xhci_plat_pm_ops, diff --git a/queue-4.16/serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch b/queue-4.16/serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch new file mode 100644 index 00000000000..225d18fd8c8 --- /dev/null +++ b/queue-4.16/serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch @@ -0,0 +1,56 @@ +From 46c6975a1fd9794ed979565235d24b2f5004e014 Mon Sep 17 00:00:00 2001 +From: Marc Zyngier +Date: Sun, 22 Apr 2018 13:33:46 +0100 +Subject: serial: mvebu-uart: Fix local flags handling on termios update + +From: Marc Zyngier + +commit 46c6975a1fd9794ed979565235d24b2f5004e014 upstream. + +Commit 68a0db1d7da2 reworked the baud rate selection, but also added +a (not so) subtle change in the way the local flags (c_lflag in the +termios structure) are handled, forcing the new flags to always be the +same as the old ones. + +The reason for that particular change is both obscure and undocumented. +It also completely breaks userspace. Something as trivial as getty is +unusable: + + + Debian GNU/Linux 9 sy-borg ttyMV0 + + sy-borg login: root + root + [timeout] + + Debian GNU/Linux 9 sy-borg ttyMV0 + + +which is quite obvious in retrospect: getty cannot get in control of +the echo mode, is stuck in canonical mode, and times out without ever +seeing anything valid. It also begs the question of how this change was +ever tested. + +The fix is pretty obvious: stop messing with c_lflag, and the world +will be a happier place. + +Cc: stable@vger.kernel.org # 4.15+ +Fixes: 68a0db1d7da2 ("serial: mvebu-uart: add function to change baudrate") +Signed-off-by: Marc Zyngier +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/mvebu-uart.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/serial/mvebu-uart.c ++++ b/drivers/tty/serial/mvebu-uart.c +@@ -495,7 +495,6 @@ static void mvebu_uart_set_termios(struc + termios->c_iflag |= old->c_iflag & ~(INPCK | IGNPAR); + termios->c_cflag &= CREAD | CBAUD; + termios->c_cflag |= old->c_cflag & ~(CREAD | CBAUD); +- termios->c_lflag = old->c_lflag; + } + + spin_unlock_irqrestore(&port->lock, flags); diff --git a/queue-4.16/series b/queue-4.16/series index 76b918fd1f1..771efb03792 100644 --- a/queue-4.16/series +++ b/queue-4.16/series @@ -4,3 +4,37 @@ ext4-add-module_softdep-to-ensure-crc32c-is-included-in-the-initramfs.patch ext4-add-validity-checks-for-bitmap-block-numbers.patch ext4-fix-bitmap-position-validation.patch random-set-up-the-numa-crng-instances-after-the-crng-is-fully-initialized.patch +random-fix-possible-sleeping-allocation-from-irq-context.patch +random-rate-limit-unseeded-randomness-warnings.patch +usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch +usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch +usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch +usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch +revert-xhci-plat-register-shutdown-for-xhci_plat.patch +xhci-fix-kernel-oops-in-xhci-dbgtty.patch +xhci-fix-usb-ports-for-dell-inspiron-5775.patch +usb-serial-simple-add-libtransistor-console.patch +usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch +usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch +serial-mvebu-uart-fix-local-flags-handling-on-termios-update.patch +usb-typec-ucsi-increase-command-completion-timeout-value.patch +usb-core-add-quirk-for-hp-v222w-16gb-mini.patch +usb-increment-wakeup-count-on-remote-wakeup.patch +alsa-usb-audio-skip-broken-eu-on-dell-dock-usb-audio.patch +virtio-add-ability-to-iterate-over-vqs.patch +virtio_console-don-t-tie-bufs-to-a-vq.patch +virtio_console-free-buffers-after-reset.patch +virtio_console-drop-custom-control-queue-cleanup.patch +virtio_console-move-removal-code.patch +virtio_console-reset-on-out-of-memory.patch +drm-virtio-fix-vq-wait_event-condition.patch +tty-don-t-call-panic-at-tty_ldisc_init.patch +tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch +tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch +tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch +tty-use-__gfp_nofail-for-tty_ldisc_get.patch +cifs-smbd-avoid-allocating-iov-on-the-stack.patch +cifs-smbd-don-t-use-rdma-read-write-when-signing-is-used.patch +alsa-dice-fix-oui-for-tc-group.patch +alsa-dice-fix-error-path-to-destroy-initialized-stream-data.patch +alsa-hda-skip-jack-and-others-for-non-existing-pcm-streams.patch diff --git a/queue-4.16/tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch b/queue-4.16/tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch new file mode 100644 index 00000000000..3e00d5614b8 --- /dev/null +++ b/queue-4.16/tty-avoid-possible-error-pointer-dereference-at-tty_ldisc_restore.patch @@ -0,0 +1,67 @@ +From 598c2d41ff44889dd8eced4f117403e472158d85 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Mon, 16 Apr 2018 20:06:34 +0900 +Subject: tty: Avoid possible error pointer dereference at tty_ldisc_restore(). + +From: Tetsuo Handa + +commit 598c2d41ff44889dd8eced4f117403e472158d85 upstream. + +syzbot is reporting crashes [1] triggered by memory allocation failure at +tty_ldisc_get() from tty_ldisc_restore(). While syzbot stops at WARN_ON() +due to panic_on_warn == true, panic_on_warn == false will after all trigger +an OOPS by dereferencing old->ops->num if IS_ERR(old) == true. + +We can simplify tty_ldisc_restore() as three calls (old->ops->num, N_TTY, +N_NULL) to tty_ldisc_failto() in addition to avoiding possible error +pointer dereference. + +If someone reports kernel panic triggered by forcing all memory allocations +for tty_ldisc_restore() to fail, we can consider adding __GFP_NOFAIL for +tty_ldisc_restore() case. + +[1] https://syzkaller.appspot.com/bug?id=6ac359c61e71d22e06db7f8f88243feb11d927e7 + +Reported-by: syzbot+40b7287c2dc987c48c81@syzkaller.appspotmail.com +Signed-off-by: Tetsuo Handa +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: Dmitry Vyukov +Cc: Johannes Weiner +Cc: Alan Cox +Cc: Christoph Hellwig +Cc: Michal Hocko +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_ldisc.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -527,19 +527,16 @@ static int tty_ldisc_failto(struct tty_s + static void tty_ldisc_restore(struct tty_struct *tty, struct tty_ldisc *old) + { + /* There is an outstanding reference here so this is safe */ +- old = tty_ldisc_get(tty, old->ops->num); +- WARN_ON(IS_ERR(old)); +- tty->ldisc = old; +- tty_set_termios_ldisc(tty, old->ops->num); +- if (tty_ldisc_open(tty, old) < 0) { +- tty_ldisc_put(old); ++ if (tty_ldisc_failto(tty, old->ops->num) < 0) { ++ const char *name = tty_name(tty); ++ ++ pr_warn("Falling back ldisc for %s.\n", name); + /* The traditional behaviour is to fall back to N_TTY, we + want to avoid falling back to N_NULL unless we have no + choice to avoid the risk of breaking anything */ + if (tty_ldisc_failto(tty, N_TTY) < 0 && + tty_ldisc_failto(tty, N_NULL) < 0) +- panic("Couldn't open N_NULL ldisc for %s.", +- tty_name(tty)); ++ panic("Couldn't open N_NULL ldisc for %s.", name); + } + } + diff --git a/queue-4.16/tty-don-t-call-panic-at-tty_ldisc_init.patch b/queue-4.16/tty-don-t-call-panic-at-tty_ldisc_init.patch new file mode 100644 index 00000000000..e0b7c6d4d3d --- /dev/null +++ b/queue-4.16/tty-don-t-call-panic-at-tty_ldisc_init.patch @@ -0,0 +1,72 @@ +From 903f9db10f18f735e62ba447147b6c434b6af003 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Thu, 5 Apr 2018 19:40:16 +0900 +Subject: tty: Don't call panic() at tty_ldisc_init() + +From: Tetsuo Handa + +commit 903f9db10f18f735e62ba447147b6c434b6af003 upstream. + +syzbot is reporting kernel panic [1] triggered by memory allocation failure +at tty_ldisc_get() from tty_ldisc_init(). But since both tty_ldisc_get() +and caller of tty_ldisc_init() can cleanly handle errors, tty_ldisc_init() +does not need to call panic() when tty_ldisc_get() failed. + +[1] https://syzkaller.appspot.com/bug?id=883431818e036ae6a9981156a64b821110f39187 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Greg Kroah-Hartman +Cc: Jiri Slaby +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_io.c | 5 ++++- + drivers/tty/tty_ldisc.c | 5 +++-- + include/linux/tty.h | 2 +- + 3 files changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/tty/tty_io.c ++++ b/drivers/tty/tty_io.c +@@ -2816,7 +2816,10 @@ struct tty_struct *alloc_tty_struct(stru + + kref_init(&tty->kref); + tty->magic = TTY_MAGIC; +- tty_ldisc_init(tty); ++ if (tty_ldisc_init(tty)) { ++ kfree(tty); ++ return NULL; ++ } + tty->session = NULL; + tty->pgrp = NULL; + mutex_init(&tty->legacy_mutex); +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -824,12 +824,13 @@ EXPORT_SYMBOL_GPL(tty_ldisc_release); + * the tty structure is not completely set up when this call is made. + */ + +-void tty_ldisc_init(struct tty_struct *tty) ++int tty_ldisc_init(struct tty_struct *tty) + { + struct tty_ldisc *ld = tty_ldisc_get(tty, N_TTY); + if (IS_ERR(ld)) +- panic("n_tty: init_tty"); ++ return PTR_ERR(ld); + tty->ldisc = ld; ++ return 0; + } + + /** +--- a/include/linux/tty.h ++++ b/include/linux/tty.h +@@ -701,7 +701,7 @@ extern int tty_unregister_ldisc(int disc + extern int tty_set_ldisc(struct tty_struct *tty, int disc); + extern int tty_ldisc_setup(struct tty_struct *tty, struct tty_struct *o_tty); + extern void tty_ldisc_release(struct tty_struct *tty); +-extern void tty_ldisc_init(struct tty_struct *tty); ++extern int __must_check tty_ldisc_init(struct tty_struct *tty); + extern void tty_ldisc_deinit(struct tty_struct *tty); + extern int tty_ldisc_receive_buf(struct tty_ldisc *ld, const unsigned char *p, + char *f, int count); diff --git a/queue-4.16/tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch b/queue-4.16/tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch new file mode 100644 index 00000000000..9da9b90b9d8 --- /dev/null +++ b/queue-4.16/tty-n_gsm-fix-dlci-handling-for-adm-mode-if-debug-2-is-not-set.patch @@ -0,0 +1,69 @@ +From b2d89ad9c9682e795ed6eeb9ed455789ad6cedf1 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Sat, 7 Apr 2018 10:19:51 -0700 +Subject: tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set + +From: Tony Lindgren + +commit b2d89ad9c9682e795ed6eeb9ed455789ad6cedf1 upstream. + +At least on droid 4 with control channel in ADM mode, there is no response +to Modem Status Command (MSC). Currently gsmtty_modem_update() expects to +have data in dlci->modem_rx unless debug & 2 is set. This means that on +droid 4, things only work if debug & 2 is set. + +Let's fix the issue by ignoring empty dlci->modem_rx for ADM mode. In +the AMD mode, CMD_MSC will never respond and gsm_process_modem() won't +get called to set dlci->modem_rx. + +And according to ts_127010v140000p.pdf, MSC is only relevant if basic +option is chosen, so let's test for that too. + +Fixes: ea3d8465ab9b ("tty: n_gsm: Allow ADM response in addition to UA for control dlci") +Cc: linux-serial@vger.kernel.org +Cc: Alan Cox +Cc: Dan Williams +Cc: Jiri Prchal +Cc: Jiri Slaby +Cc: Marcel Partap +Cc: Merlijn Wajer +Cc: Michael Nazzareno Trimarchi +Cc: Michael Scott +Cc: Pavel Machek +Cc: Peter Hurley +Cc: Russ Gorby +Cc: Sascha Hauer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_gsm.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -2871,11 +2871,22 @@ static int gsmtty_modem_update(struct gs + static int gsm_carrier_raised(struct tty_port *port) + { + struct gsm_dlci *dlci = container_of(port, struct gsm_dlci, port); ++ struct gsm_mux *gsm = dlci->gsm; ++ + /* Not yet open so no carrier info */ + if (dlci->state != DLCI_OPEN) + return 0; + if (debug & 2) + return 1; ++ ++ /* ++ * Basic mode with control channel in ADM mode may not respond ++ * to CMD_MSC at all and modem_rx is empty. ++ */ ++ if (gsm->encoding == 0 && gsm->dlci[0]->mode == DLCI_MODE_ADM && ++ !dlci->modem_rx) ++ return 1; ++ + return dlci->modem_rx & TIOCM_CD; + } + diff --git a/queue-4.16/tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch b/queue-4.16/tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch new file mode 100644 index 00000000000..72ee392c015 --- /dev/null +++ b/queue-4.16/tty-n_gsm-fix-long-delays-with-control-frame-timeouts-in-adm-mode.patch @@ -0,0 +1,91 @@ +From e9ec22547986dd32c5c70da78107ce35dbff1344 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Sat, 7 Apr 2018 10:19:50 -0700 +Subject: tty: n_gsm: Fix long delays with control frame timeouts in ADM mode + +From: Tony Lindgren + +commit e9ec22547986dd32c5c70da78107ce35dbff1344 upstream. + +Commit ea3d8465ab9b ("tty: n_gsm: Allow ADM response in addition to UA for +control dlci") added support for DLCI to stay in Asynchronous Disconnected +Mode (ADM). But we still get long delays waiting for commands to other +DLCI to complete: + +--> 5) C: SABM(P) +Q> 0) C: UIH(F) +Q> 0) C: UIH(F) +Q> 0) C: UIH(F) +... + +This happens because gsm_control_send() sets cretries timer to T2 that is +by default set to 34. This will cause resend for T2 times for the control +frame. In ADM mode, we will never get a response so the control frame, so +retries are just delaying all the commands. + +Let's fix the issue by setting DLCI_MODE_ADM flag after detecting the ADM +mode for the control DLCI. Then we can use that in gsm_control_send() to +set retries to 1. This means the control frame will be sent once allowing +the other end at an opportunity to switch from ADM to ABM mode. + +Note that retries will be decremented in gsm_control_retransmit() so +we don't want to set it to 0 here. + +Fixes: ea3d8465ab9b ("tty: n_gsm: Allow ADM response in addition to UA for control dlci") +Cc: linux-serial@vger.kernel.org +Cc: Alan Cox +Cc: Dan Williams +Cc: Jiri Prchal +Cc: Jiri Slaby +Cc: Marcel Partap +Cc: Merlijn Wajer +Cc: Michael Nazzareno Trimarchi +Cc: Michael Scott +Cc: Pavel Machek +Cc: Peter Hurley +Cc: Russ Gorby +Cc: Sascha Hauer +Cc: Sebastian Reichel +Signed-off-by: Tony Lindgren +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/n_gsm.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/tty/n_gsm.c ++++ b/drivers/tty/n_gsm.c +@@ -121,6 +121,9 @@ struct gsm_dlci { + struct mutex mutex; + + /* Link layer */ ++ int mode; ++#define DLCI_MODE_ABM 0 /* Normal Asynchronous Balanced Mode */ ++#define DLCI_MODE_ADM 1 /* Asynchronous Disconnected Mode */ + spinlock_t lock; /* Protects the internal state */ + struct timer_list t1; /* Retransmit timer for SABM and UA */ + int retries; +@@ -1364,7 +1367,13 @@ retry: + ctrl->data = data; + ctrl->len = clen; + gsm->pending_cmd = ctrl; +- gsm->cretries = gsm->n2; ++ ++ /* If DLCI0 is in ADM mode skip retries, it won't respond */ ++ if (gsm->dlci[0]->mode == DLCI_MODE_ADM) ++ gsm->cretries = 1; ++ else ++ gsm->cretries = gsm->n2; ++ + mod_timer(&gsm->t2_timer, jiffies + gsm->t2 * HZ / 100); + gsm_control_transmit(gsm, ctrl); + spin_unlock_irqrestore(&gsm->control_lock, flags); +@@ -1472,6 +1481,7 @@ static void gsm_dlci_t1(struct timer_lis + if (debug & 8) + pr_info("DLCI %d opening in ADM mode.\n", + dlci->addr); ++ dlci->mode = DLCI_MODE_ADM; + gsm_dlci_open(dlci); + } else { + gsm_dlci_close(dlci); diff --git a/queue-4.16/tty-use-__gfp_nofail-for-tty_ldisc_get.patch b/queue-4.16/tty-use-__gfp_nofail-for-tty_ldisc_get.patch new file mode 100644 index 00000000000..401958ce358 --- /dev/null +++ b/queue-4.16/tty-use-__gfp_nofail-for-tty_ldisc_get.patch @@ -0,0 +1,57 @@ +From bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Wed, 25 Apr 2018 20:12:31 +0900 +Subject: tty: Use __GFP_NOFAIL for tty_ldisc_get() + +From: Tetsuo Handa + +commit bcdd0ca8cb8730573afebcaae4138f8f4c8eaa20 upstream. + +syzbot is reporting crashes triggered by memory allocation fault injection +at tty_ldisc_get() [1]. As an attempt to handle OOM in a graceful way, we +have tried commit 5362544bebe85071 ("tty: don't panic on OOM in +tty_set_ldisc()"). But we reverted that attempt by commit a8983d01f9b7d600 +("Revert "tty: don't panic on OOM in tty_set_ldisc()"") due to reproducible +crash. We should spend resource for finding and fixing race condition bugs +rather than complicate error paths for 2 * sizeof(void *) bytes allocation +failure. + +[1] https://syzkaller.appspot.com/bug?id=489d33fa386453859ead58ff5171d43772b13aa3 + +Signed-off-by: Tetsuo Handa +Reported-by: syzbot +Cc: Michal Hocko +Cc: Vegard Nossum +Cc: Dmitry Vyukov +Cc: Jiri Slaby +Cc: Peter Hurley +Cc: One Thousand Gnomes +Cc: Linus Torvalds +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_ldisc.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/tty/tty_ldisc.c ++++ b/drivers/tty/tty_ldisc.c +@@ -176,12 +176,11 @@ static struct tty_ldisc *tty_ldisc_get(s + return ERR_CAST(ldops); + } + +- ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL); +- if (ld == NULL) { +- put_ldops(ldops); +- return ERR_PTR(-ENOMEM); +- } +- ++ /* ++ * There is no way to handle allocation failure of only 16 bytes. ++ * Let's simplify error handling and save more memory. ++ */ ++ ld = kmalloc(sizeof(struct tty_ldisc), GFP_KERNEL | __GFP_NOFAIL); + ld->ops = ldops; + ld->tty = tty; + diff --git a/queue-4.16/usb-core-add-quirk-for-hp-v222w-16gb-mini.patch b/queue-4.16/usb-core-add-quirk-for-hp-v222w-16gb-mini.patch new file mode 100644 index 00000000000..9c6a9b5e31b --- /dev/null +++ b/queue-4.16/usb-core-add-quirk-for-hp-v222w-16gb-mini.patch @@ -0,0 +1,37 @@ +From 3180dabe08e3653bf0a838553905d88f3773f29c Mon Sep 17 00:00:00 2001 +From: Kamil Lulko +Date: Thu, 19 Apr 2018 16:54:02 -0700 +Subject: usb: core: Add quirk for HP v222w 16GB Mini + +From: Kamil Lulko + +commit 3180dabe08e3653bf0a838553905d88f3773f29c upstream. + +Add DELAY_INIT quirk to fix the following problem with HP +v222w 16GB Mini: + +usb 1-3: unable to read config index 0 descriptor/start: -110 +usb 1-3: can't read configurations, error -110 +usb 1-3: can't set config #1, error -110 + +Signed-off-by: Kamil Lulko +Signed-off-by: Kuppuswamy Sathyanarayanan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -40,6 +40,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x03f0, 0x0701), .driver_info = + USB_QUIRK_STRING_FETCH_255 }, + ++ /* HP v222w 16GB Mini USB Drive */ ++ { USB_DEVICE(0x03f0, 0x3f40), .driver_info = USB_QUIRK_DELAY_INIT }, ++ + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + diff --git a/queue-4.16/usb-increment-wakeup-count-on-remote-wakeup.patch b/queue-4.16/usb-increment-wakeup-count-on-remote-wakeup.patch new file mode 100644 index 00000000000..b144cccf3c5 --- /dev/null +++ b/queue-4.16/usb-increment-wakeup-count-on-remote-wakeup.patch @@ -0,0 +1,82 @@ +From 83a62c51ba7b3c0bf45150c4eac7aefc6c785e94 Mon Sep 17 00:00:00 2001 +From: Ravi Chandra Sadineni +Date: Fri, 20 Apr 2018 11:08:21 -0700 +Subject: USB: Increment wakeup count on remote wakeup. + +From: Ravi Chandra Sadineni + +commit 83a62c51ba7b3c0bf45150c4eac7aefc6c785e94 upstream. + +On chromebooks we depend on wakeup count to identify the wakeup source. +But currently USB devices do not increment the wakeup count when they +trigger the remote wake. This patch addresses the same. + +Resume condition is reported differently on USB 2.0 and USB 3.0 devices. + +On USB 2.0 devices, a wake capable device, if wake enabled, drives +resume signal to indicate a remote wake (USB 2.0 spec section 7.1.7.7). +The upstream facing port then sets C_PORT_SUSPEND bit and reports a +port change event (USB 2.0 spec section 11.24.2.7.2.3). Thus if a port +has resumed before driving the resume signal from the host and +C_PORT_SUSPEND is set, then the device attached to the given port might +be the reason for the last system wakeup. Increment the wakeup count for +the same. + +On USB 3.0 devices, a function may signal that it wants to exit from device +suspend by sending a Function Wake Device Notification to the host (USB3.0 +spec section 8.5.6.4) Thus on receiving the Function Wake, increment the +wakeup count. + +Signed-off-by: Ravi Chandra Sadineni +Acked-by: Alan Stern +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd.c | 1 + + drivers/usb/core/hub.c | 10 +++++++++- + 2 files changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -2365,6 +2365,7 @@ void usb_hcd_resume_root_hub (struct usb + + spin_lock_irqsave (&hcd_root_hub_lock, flags); + if (hcd->rh_registered) { ++ pm_wakeup_event(&hcd->self.root_hub->dev, 0); + set_bit(HCD_FLAG_WAKEUP_PENDING, &hcd->flags); + queue_work(pm_wq, &hcd->wakeup_work); + } +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -653,12 +653,17 @@ void usb_wakeup_notification(struct usb_ + unsigned int portnum) + { + struct usb_hub *hub; ++ struct usb_port *port_dev; + + if (!hdev) + return; + + hub = usb_hub_to_struct_hub(hdev); + if (hub) { ++ port_dev = hub->ports[portnum - 1]; ++ if (port_dev && port_dev->child) ++ pm_wakeup_event(&port_dev->child->dev, 0); ++ + set_bit(portnum, hub->wakeup_bits); + kick_hub_wq(hub); + } +@@ -3430,8 +3435,11 @@ int usb_port_resume(struct usb_device *u + + /* Skip the initial Clear-Suspend step for a remote wakeup */ + status = hub_port_status(hub, port1, &portstatus, &portchange); +- if (status == 0 && !port_is_suspended(hub, portstatus)) ++ if (status == 0 && !port_is_suspended(hub, portstatus)) { ++ if (portchange & USB_PORT_STAT_C_SUSPEND) ++ pm_wakeup_event(&udev->dev, 0); + goto SuspendCleared; ++ } + + /* see 7.1.7.7; affects power usage, but not budgeting */ + if (hub_is_superspeed(hub->hdev)) diff --git a/queue-4.16/usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch b/queue-4.16/usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch new file mode 100644 index 00000000000..9e90d6c0b67 --- /dev/null +++ b/queue-4.16/usb-serial-cp210x-add-id-for-ni-usb-serial-console.patch @@ -0,0 +1,31 @@ +From 1e23aace21515a8f7615a1de016c0ea8d4e0cc6e Mon Sep 17 00:00:00 2001 +From: Kyle Roeschley +Date: Mon, 9 Apr 2018 10:23:55 -0500 +Subject: USB: serial: cp210x: add ID for NI USB serial console + +From: Kyle Roeschley + +commit 1e23aace21515a8f7615a1de016c0ea8d4e0cc6e upstream. + +Added the USB VID and PID for the USB serial console on some National +Instruments devices. + +Signed-off-by: Kyle Roeschley +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -214,6 +214,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */ + { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */ + { USB_DEVICE(0x3195, 0xF281) }, /* Link Instruments MSO-28 */ ++ { USB_DEVICE(0x3923, 0x7A0B) }, /* National Instruments USB Serial Console */ + { USB_DEVICE(0x413C, 0x9500) }, /* DW700 GPS USB interface */ + { } /* Terminating Entry */ + }; diff --git a/queue-4.16/usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch b/queue-4.16/usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch new file mode 100644 index 00000000000..7eb68b392aa --- /dev/null +++ b/queue-4.16/usb-serial-ftdi_sio-use-jtag-quirk-for-arrow-usb-blaster.patch @@ -0,0 +1,37 @@ +From 470b5d6f0cf4674be2d1ec94e54283a1770b6a1a Mon Sep 17 00:00:00 2001 +From: Vasyl Vavrychuk +Date: Wed, 11 Apr 2018 17:05:13 +0300 +Subject: USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster + +From: Vasyl Vavrychuk + +commit 470b5d6f0cf4674be2d1ec94e54283a1770b6a1a upstream. + +Arrow USB Blaster integrated on MAX1000 board uses the same vendor ID +(0x0403) and product ID (0x6010) as the "original" FTDI device. + +This patch avoids picking up by ftdi_sio of the first interface of this +USB device. After that this device can be used by Arrow user-space JTAG +driver. + +Signed-off-by: Vasyl Vavrychuk +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1898,7 +1898,8 @@ static int ftdi_8u2232c_probe(struct usb + return ftdi_jtag_probe(serial); + + if (udev->product && +- (!strcmp(udev->product, "BeagleBone/XDS100V2") || ++ (!strcmp(udev->product, "Arrow USB Blaster") || ++ !strcmp(udev->product, "BeagleBone/XDS100V2") || + !strcmp(udev->product, "SNAP Connect E10"))) + return ftdi_jtag_probe(serial); + diff --git a/queue-4.16/usb-serial-simple-add-libtransistor-console.patch b/queue-4.16/usb-serial-simple-add-libtransistor-console.patch new file mode 100644 index 00000000000..2b22ba44885 --- /dev/null +++ b/queue-4.16/usb-serial-simple-add-libtransistor-console.patch @@ -0,0 +1,63 @@ +From fe710508b6ba9d28730f3021fed70e7043433b2e Mon Sep 17 00:00:00 2001 +From: Collin May +Date: Sat, 7 Apr 2018 14:32:48 -0700 +Subject: USB: serial: simple: add libtransistor console + +From: Collin May + +commit fe710508b6ba9d28730f3021fed70e7043433b2e upstream. + +Add simple driver for libtransistor USB console. +This device is implemented in software: +https://github.com/reswitched/libtransistor/blob/development/lib/usb_serial.c + +Signed-off-by: Collin May +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/Kconfig | 1 + + drivers/usb/serial/usb-serial-simple.c | 7 +++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/Kconfig ++++ b/drivers/usb/serial/Kconfig +@@ -62,6 +62,7 @@ config USB_SERIAL_SIMPLE + - Fundamental Software dongle. + - Google USB serial devices + - HP4x calculators ++ - Libtransistor USB console + - a number of Motorola phones + - Motorola Tetra devices + - Novatel Wireless GPS receivers +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -63,6 +63,11 @@ DEVICE(flashloader, FLASHLOADER_IDS); + 0x01) } + DEVICE(google, GOOGLE_IDS); + ++/* Libtransistor USB console */ ++#define LIBTRANSISTOR_IDS() \ ++ { USB_DEVICE(0x1209, 0x8b00) } ++DEVICE(libtransistor, LIBTRANSISTOR_IDS); ++ + /* ViVOpay USB Serial Driver */ + #define VIVOPAY_IDS() \ + { USB_DEVICE(0x1d5f, 0x1004) } /* ViVOpay 8800 */ +@@ -110,6 +115,7 @@ static struct usb_serial_driver * const + &funsoft_device, + &flashloader_device, + &google_device, ++ &libtransistor_device, + &vivopay_device, + &moto_modem_device, + &motorola_tetra_device, +@@ -126,6 +132,7 @@ static const struct usb_device_id id_tab + FUNSOFT_IDS(), + FLASHLOADER_IDS(), + GOOGLE_IDS(), ++ LIBTRANSISTOR_IDS(), + VIVOPAY_IDS(), + MOTO_IDS(), + MOTOROLA_TETRA_IDS(), diff --git a/queue-4.16/usb-typec-ucsi-increase-command-completion-timeout-value.patch b/queue-4.16/usb-typec-ucsi-increase-command-completion-timeout-value.patch new file mode 100644 index 00000000000..f157c4dcb2c --- /dev/null +++ b/queue-4.16/usb-typec-ucsi-increase-command-completion-timeout-value.patch @@ -0,0 +1,34 @@ +From b1b59e16075f5e5da2943ce8de724ab96bc3c6c2 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Wed, 18 Apr 2018 15:34:10 +0300 +Subject: usb: typec: ucsi: Increase command completion timeout value + +From: Heikki Krogerus + +commit b1b59e16075f5e5da2943ce8de724ab96bc3c6c2 upstream. + +On some boards, under heavy load, the EC firmware is +unable to complete commands even in one second. Increasing +the command completion timeout value to five seconds. + +Reported-by: Quanxian Wang +Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface") +Cc: +Signed-off-by: Heikki Krogerus +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/ucsi/ucsi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/ucsi/ucsi.c ++++ b/drivers/usb/typec/ucsi/ucsi.c +@@ -28,7 +28,7 @@ + * difficult to estimate the time it takes for the system to process the command + * before it is actually passed to the PPM. + */ +-#define UCSI_TIMEOUT_MS 1000 ++#define UCSI_TIMEOUT_MS 5000 + + /* + * UCSI_SWAP_TIMEOUT_MS - Timeout for role swap requests diff --git a/queue-4.16/usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch b/queue-4.16/usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch new file mode 100644 index 00000000000..4e888f400b5 --- /dev/null +++ b/queue-4.16/usbip-usbip_event-fix-to-not-print-kernel-pointer-address.patch @@ -0,0 +1,33 @@ +From 4c982482341c64f55daf69b6caa5a2bcd9b43824 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 5 Apr 2018 16:29:50 -0600 +Subject: usbip: usbip_event: fix to not print kernel pointer address + +From: Shuah Khan + +commit 4c982482341c64f55daf69b6caa5a2bcd9b43824 upstream. + +Fix it to not print kernel pointer address. Remove the conditional +and debug message as it isn't very useful. + +Signed-off-by: Shuah Khan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/usbip_event.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/usbip/usbip_event.c ++++ b/drivers/usb/usbip/usbip_event.c +@@ -91,10 +91,6 @@ static void event_handler(struct work_st + unset_event(ud, USBIP_EH_UNUSABLE); + } + +- /* Stop the error handler. */ +- if (ud->event & USBIP_EH_BYE) +- usbip_dbg_eh("removed %p\n", ud); +- + wake_up(&ud->eh_waitq); + } + } diff --git a/queue-4.16/usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch b/queue-4.16/usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch new file mode 100644 index 00000000000..e611e6b39a9 --- /dev/null +++ b/queue-4.16/usbip-usbip_host-fix-to-hold-parent-lock-for-device_attach-calls.patch @@ -0,0 +1,35 @@ +From 4bfb141bc01312a817d36627cc47c93f801c216d Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 5 Apr 2018 16:29:04 -0600 +Subject: usbip: usbip_host: fix to hold parent lock for device_attach() calls + +From: Shuah Khan + +commit 4bfb141bc01312a817d36627cc47c93f801c216d upstream. + +usbip_host calls device_attach() without holding dev->parent lock. +Fix it. + +Signed-off-by: Shuah Khan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/stub_main.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/usbip/stub_main.c ++++ b/drivers/usb/usbip/stub_main.c +@@ -186,7 +186,12 @@ static ssize_t rebind_store(struct devic + if (!bid) + return -ENODEV; + ++ /* device_attach() callers should hold parent lock for USB */ ++ if (bid->udev->dev.parent) ++ device_lock(bid->udev->dev.parent); + ret = device_attach(&bid->udev->dev); ++ if (bid->udev->dev.parent) ++ device_unlock(bid->udev->dev.parent); + if (ret < 0) { + dev_err(&bid->udev->dev, "rebind failed\n"); + return ret; diff --git a/queue-4.16/usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch b/queue-4.16/usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch new file mode 100644 index 00000000000..b5688b37543 --- /dev/null +++ b/queue-4.16/usbip-vhci_hcd-check-rhport-before-using-in-vhci_hub_control.patch @@ -0,0 +1,74 @@ +From 5b22f676118ff25049382041da0db8012e57c9e8 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Thu, 5 Apr 2018 16:31:49 -0600 +Subject: usbip: vhci_hcd: check rhport before using in vhci_hub_control() + +From: Shuah Khan + +commit 5b22f676118ff25049382041da0db8012e57c9e8 upstream. + +Validate !rhport < 0 before using it to access port_status array. + +Signed-off-by: Shuah Khan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/vhci_hcd.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -354,6 +354,8 @@ static int vhci_hub_control(struct usb_h + usbip_dbg_vhci_rh(" ClearHubFeature\n"); + break; + case ClearPortFeature: ++ if (rhport < 0) ++ goto error; + switch (wValue) { + case USB_PORT_FEAT_SUSPEND: + if (hcd->speed == HCD_USB3) { +@@ -511,11 +513,16 @@ static int vhci_hub_control(struct usb_h + goto error; + } + ++ if (rhport < 0) ++ goto error; ++ + vhci_hcd->port_status[rhport] |= USB_PORT_STAT_SUSPEND; + break; + case USB_PORT_FEAT_POWER: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_POWER\n"); ++ if (rhport < 0) ++ goto error; + if (hcd->speed == HCD_USB3) + vhci_hcd->port_status[rhport] |= USB_SS_PORT_STAT_POWER; + else +@@ -524,6 +531,8 @@ static int vhci_hub_control(struct usb_h + case USB_PORT_FEAT_BH_PORT_RESET: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_BH_PORT_RESET\n"); ++ if (rhport < 0) ++ goto error; + /* Applicable only for USB3.0 hub */ + if (hcd->speed != HCD_USB3) { + pr_err("USB_PORT_FEAT_BH_PORT_RESET req not " +@@ -534,6 +543,8 @@ static int vhci_hub_control(struct usb_h + case USB_PORT_FEAT_RESET: + usbip_dbg_vhci_rh( + " SetPortFeature: USB_PORT_FEAT_RESET\n"); ++ if (rhport < 0) ++ goto error; + /* if it's already enabled, disable */ + if (hcd->speed == HCD_USB3) { + vhci_hcd->port_status[rhport] = 0; +@@ -554,6 +565,8 @@ static int vhci_hub_control(struct usb_h + default: + usbip_dbg_vhci_rh(" SetPortFeature: default %d\n", + wValue); ++ if (rhport < 0) ++ goto error; + if (hcd->speed == HCD_USB3) { + if ((vhci_hcd->port_status[rhport] & + USB_SS_PORT_STAT_POWER) != 0) { diff --git a/queue-4.16/usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch b/queue-4.16/usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch new file mode 100644 index 00000000000..12dbc3b2865 --- /dev/null +++ b/queue-4.16/usbip-vhci_hcd-fix-usb-device-and-sockfd-leaks.patch @@ -0,0 +1,31 @@ +From 9020a7efe537856eb3e826ebebdf38a5d07a7857 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Mon, 2 Apr 2018 14:52:32 -0600 +Subject: usbip: vhci_hcd: Fix usb device and sockfd leaks + +From: Shuah Khan + +commit 9020a7efe537856eb3e826ebebdf38a5d07a7857 upstream. + +vhci_hcd fails to do reset to put usb device and sockfd in the +module remove/stop paths. Fix the leak. + +Signed-off-by: Shuah Khan +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/usbip_common.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/usbip/usbip_common.h ++++ b/drivers/usb/usbip/usbip_common.h +@@ -243,7 +243,7 @@ enum usbip_side { + #define VUDC_EVENT_ERROR_USB (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + #define VUDC_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) + +-#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_BYE) ++#define VDEV_EVENT_REMOVED (USBIP_EH_SHUTDOWN | USBIP_EH_RESET | USBIP_EH_BYE) + #define VDEV_EVENT_DOWN (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_TCP (USBIP_EH_SHUTDOWN | USBIP_EH_RESET) + #define VDEV_EVENT_ERROR_MALLOC (USBIP_EH_SHUTDOWN | USBIP_EH_UNUSABLE) diff --git a/queue-4.16/virtio-add-ability-to-iterate-over-vqs.patch b/queue-4.16/virtio-add-ability-to-iterate-over-vqs.patch new file mode 100644 index 00000000000..6613a33067a --- /dev/null +++ b/queue-4.16/virtio-add-ability-to-iterate-over-vqs.patch @@ -0,0 +1,32 @@ +From 24a7e4d20783c0514850f24a5c41ede46ab058f0 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 20:22:40 +0300 +Subject: virtio: add ability to iterate over vqs + +From: Michael S. Tsirkin + +commit 24a7e4d20783c0514850f24a5c41ede46ab058f0 upstream. + +For cleanup it's helpful to be able to simply scan all vqs and discard +all data. Add an iterator to do that. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/virtio.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/include/linux/virtio.h ++++ b/include/linux/virtio.h +@@ -157,6 +157,9 @@ int virtio_device_freeze(struct virtio_d + int virtio_device_restore(struct virtio_device *dev); + #endif + ++#define virtio_device_for_each_vq(vdev, vq) \ ++ list_for_each_entry(vq, &vdev->vqs, list) ++ + /** + * virtio_driver - operations for a virtio I/O driver + * @driver: underlying device driver (populate name and owner). diff --git a/queue-4.16/virtio_console-don-t-tie-bufs-to-a-vq.patch b/queue-4.16/virtio_console-don-t-tie-bufs-to-a-vq.patch new file mode 100644 index 00000000000..c3ce6e636e5 --- /dev/null +++ b/queue-4.16/virtio_console-don-t-tie-bufs-to-a-vq.patch @@ -0,0 +1,79 @@ +From 2855b33514d290c51d52d94e25d3ef942cd4d578 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 19:54:23 +0300 +Subject: virtio_console: don't tie bufs to a vq + +From: Michael S. Tsirkin + +commit 2855b33514d290c51d52d94e25d3ef942cd4d578 upstream. + +an allocated buffer doesn't need to be tied to a vq - +only vq->vdev is ever used. Pass the function the +just what it needs - the vdev. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -422,7 +422,7 @@ static void reclaim_dma_bufs(void) + } + } + +-static struct port_buffer *alloc_buf(struct virtqueue *vq, size_t buf_size, ++static struct port_buffer *alloc_buf(struct virtio_device *vdev, size_t buf_size, + int pages) + { + struct port_buffer *buf; +@@ -445,16 +445,16 @@ static struct port_buffer *alloc_buf(str + return buf; + } + +- if (is_rproc_serial(vq->vdev)) { ++ if (is_rproc_serial(vdev)) { + /* + * Allocate DMA memory from ancestor. When a virtio + * device is created by remoteproc, the DMA memory is + * associated with the grandparent device: + * vdev => rproc => platform-dev. + */ +- if (!vq->vdev->dev.parent || !vq->vdev->dev.parent->parent) ++ if (!vdev->dev.parent || !vdev->dev.parent->parent) + goto free_buf; +- buf->dev = vq->vdev->dev.parent->parent; ++ buf->dev = vdev->dev.parent->parent; + + /* Increase device refcnt to avoid freeing it */ + get_device(buf->dev); +@@ -838,7 +838,7 @@ static ssize_t port_fops_write(struct fi + + count = min((size_t)(32 * 1024), count); + +- buf = alloc_buf(port->out_vq, count, 0); ++ buf = alloc_buf(port->portdev->vdev, count, 0); + if (!buf) + return -ENOMEM; + +@@ -957,7 +957,7 @@ static ssize_t port_fops_splice_write(st + if (ret < 0) + goto error_out; + +- buf = alloc_buf(port->out_vq, 0, pipe->nrbufs); ++ buf = alloc_buf(port->portdev->vdev, 0, pipe->nrbufs); + if (!buf) { + ret = -ENOMEM; + goto error_out; +@@ -1374,7 +1374,7 @@ static unsigned int fill_queue(struct vi + + nr_added_bufs = 0; + do { +- buf = alloc_buf(vq, PAGE_SIZE, 0); ++ buf = alloc_buf(vq->vdev, PAGE_SIZE, 0); + if (!buf) + break; + diff --git a/queue-4.16/virtio_console-drop-custom-control-queue-cleanup.patch b/queue-4.16/virtio_console-drop-custom-control-queue-cleanup.patch new file mode 100644 index 00000000000..5cf2d27c8c5 --- /dev/null +++ b/queue-4.16/virtio_console-drop-custom-control-queue-cleanup.patch @@ -0,0 +1,60 @@ +From 61a8950c5c5708cf2068b29ffde94e454e528208 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 20:49:04 +0300 +Subject: virtio_console: drop custom control queue cleanup + +From: Michael S. Tsirkin + +commit 61a8950c5c5708cf2068b29ffde94e454e528208 upstream. + +We now cleanup all VQs on device removal - no need +to handle the control VQ specially. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1988,21 +1988,6 @@ static void remove_vqs(struct ports_devi + kfree(portdev->out_vqs); + } + +-static void remove_controlq_data(struct ports_device *portdev) +-{ +- struct port_buffer *buf; +- unsigned int len; +- +- if (!use_multiport(portdev)) +- return; +- +- while ((buf = virtqueue_get_buf(portdev->c_ivq, &len))) +- free_buf(buf, true); +- +- while ((buf = virtqueue_detach_unused_buf(portdev->c_ivq))) +- free_buf(buf, true); +-} +- + /* + * Once we're further in boot, we get probed like any other virtio + * device. +@@ -2163,7 +2148,6 @@ static void virtcons_remove(struct virti + * have to just stop using the port, as the vqs are going + * away. + */ +- remove_controlq_data(portdev); + remove_vqs(portdev); + kfree(portdev); + } +@@ -2208,7 +2192,6 @@ static int virtcons_freeze(struct virtio + */ + if (use_multiport(portdev)) + virtqueue_disable_cb(portdev->c_ivq); +- remove_controlq_data(portdev); + + list_for_each_entry(port, &portdev->ports, list) { + virtqueue_disable_cb(port->in_vq); diff --git a/queue-4.16/virtio_console-free-buffers-after-reset.patch b/queue-4.16/virtio_console-free-buffers-after-reset.patch new file mode 100644 index 00000000000..4fe75450ef4 --- /dev/null +++ b/queue-4.16/virtio_console-free-buffers-after-reset.patch @@ -0,0 +1,142 @@ +From a7a69ec0d8e4a58be7db88d33cbfa2912807bb2b Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 20:24:23 +0300 +Subject: virtio_console: free buffers after reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael S. Tsirkin + +commit a7a69ec0d8e4a58be7db88d33cbfa2912807bb2b upstream. + +Console driver is out of spec. The spec says: + A driver MUST NOT decrement the available idx on a live + virtqueue (ie. there is no way to “unexpose” buffers). +and it does exactly that by trying to detach unused buffers +without doing a device reset first. + +Defer detaching the buffers until device unplug. + +Of course this means we might get an interrupt for +a vq without an attached port now. Handle that by +discarding the consumed buffer. + +Reported-by: Tiwei Bie +Fixes: b3258ff1d6 ("virtio: Decrement avail idx on buffer detach") +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 49 ++++++++++++++++++++---------------------- + 1 file changed, 24 insertions(+), 25 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1402,7 +1402,6 @@ static int add_port(struct ports_device + { + char debugfs_name[16]; + struct port *port; +- struct port_buffer *buf; + dev_t devt; + unsigned int nr_added_bufs; + int err; +@@ -1513,8 +1512,6 @@ static int add_port(struct ports_device + return 0; + + free_inbufs: +- while ((buf = virtqueue_detach_unused_buf(port->in_vq))) +- free_buf(buf, true); + free_device: + device_destroy(pdrvdata.class, port->dev->devt); + free_cdev: +@@ -1539,34 +1536,14 @@ static void remove_port(struct kref *kre + + static void remove_port_data(struct port *port) + { +- struct port_buffer *buf; +- + spin_lock_irq(&port->inbuf_lock); + /* Remove unused data this port might have received. */ + discard_port_data(port); + spin_unlock_irq(&port->inbuf_lock); + +- /* Remove buffers we queued up for the Host to send us data in. */ +- do { +- spin_lock_irq(&port->inbuf_lock); +- buf = virtqueue_detach_unused_buf(port->in_vq); +- spin_unlock_irq(&port->inbuf_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); +- + spin_lock_irq(&port->outvq_lock); + reclaim_consumed_buffers(port); + spin_unlock_irq(&port->outvq_lock); +- +- /* Free pending buffers from the out-queue. */ +- do { +- spin_lock_irq(&port->outvq_lock); +- buf = virtqueue_detach_unused_buf(port->out_vq); +- spin_unlock_irq(&port->outvq_lock); +- if (buf) +- free_buf(buf, true); +- } while (buf); + } + + /* +@@ -1791,13 +1768,24 @@ static void control_work_handler(struct + spin_unlock(&portdev->c_ivq_lock); + } + ++static void flush_bufs(struct virtqueue *vq, bool can_sleep) ++{ ++ struct port_buffer *buf; ++ unsigned int len; ++ ++ while ((buf = virtqueue_get_buf(vq, &len))) ++ free_buf(buf, can_sleep); ++} ++ + static void out_intr(struct virtqueue *vq) + { + struct port *port; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + wake_up_interruptible(&port->waitqueue); + } +@@ -1808,8 +1796,10 @@ static void in_intr(struct virtqueue *vq + unsigned long flags; + + port = find_port_by_vq(vq->vdev->priv, vq); +- if (!port) ++ if (!port) { ++ flush_bufs(vq, false); + return; ++ } + + spin_lock_irqsave(&port->inbuf_lock, flags); + port->inbuf = get_inbuf(port); +@@ -1984,6 +1974,15 @@ static const struct file_operations port + + static void remove_vqs(struct ports_device *portdev) + { ++ struct virtqueue *vq; ++ ++ virtio_device_for_each_vq(portdev->vdev, vq) { ++ struct port_buffer *buf; ++ ++ flush_bufs(vq, true); ++ while ((buf = virtqueue_detach_unused_buf(vq))) ++ free_buf(buf, true); ++ } + portdev->vdev->config->del_vqs(portdev->vdev); + kfree(portdev->in_vqs); + kfree(portdev->out_vqs); diff --git a/queue-4.16/virtio_console-move-removal-code.patch b/queue-4.16/virtio_console-move-removal-code.patch new file mode 100644 index 00000000000..98fe78a1744 --- /dev/null +++ b/queue-4.16/virtio_console-move-removal-code.patch @@ -0,0 +1,107 @@ +From aa44ec867030a72e8aa127977e37dec551d8df19 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 20:51:18 +0300 +Subject: virtio_console: move removal code + +From: Michael S. Tsirkin + +commit aa44ec867030a72e8aa127977e37dec551d8df19 upstream. + +Will make it reusable for error handling. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 72 +++++++++++++++++++++--------------------- + 1 file changed, 36 insertions(+), 36 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -1988,6 +1988,42 @@ static void remove_vqs(struct ports_devi + kfree(portdev->out_vqs); + } + ++static void virtcons_remove(struct virtio_device *vdev) ++{ ++ struct ports_device *portdev; ++ struct port *port, *port2; ++ ++ portdev = vdev->priv; ++ ++ spin_lock_irq(&pdrvdata_lock); ++ list_del(&portdev->list); ++ spin_unlock_irq(&pdrvdata_lock); ++ ++ /* Disable interrupts for vqs */ ++ vdev->config->reset(vdev); ++ /* Finish up work that's lined up */ ++ if (use_multiport(portdev)) ++ cancel_work_sync(&portdev->control_work); ++ else ++ cancel_work_sync(&portdev->config_work); ++ ++ list_for_each_entry_safe(port, port2, &portdev->ports, list) ++ unplug_port(port); ++ ++ unregister_chrdev(portdev->chr_major, "virtio-portsdev"); ++ ++ /* ++ * When yanking out a device, we immediately lose the ++ * (device-side) queues. So there's no point in keeping the ++ * guest side around till we drop our final reference. This ++ * also means that any ports which are in an open state will ++ * have to just stop using the port, as the vqs are going ++ * away. ++ */ ++ remove_vqs(portdev); ++ kfree(portdev); ++} ++ + /* + * Once we're further in boot, we get probed like any other virtio + * device. +@@ -2116,42 +2152,6 @@ fail: + return err; + } + +-static void virtcons_remove(struct virtio_device *vdev) +-{ +- struct ports_device *portdev; +- struct port *port, *port2; +- +- portdev = vdev->priv; +- +- spin_lock_irq(&pdrvdata_lock); +- list_del(&portdev->list); +- spin_unlock_irq(&pdrvdata_lock); +- +- /* Disable interrupts for vqs */ +- vdev->config->reset(vdev); +- /* Finish up work that's lined up */ +- if (use_multiport(portdev)) +- cancel_work_sync(&portdev->control_work); +- else +- cancel_work_sync(&portdev->config_work); +- +- list_for_each_entry_safe(port, port2, &portdev->ports, list) +- unplug_port(port); +- +- unregister_chrdev(portdev->chr_major, "virtio-portsdev"); +- +- /* +- * When yanking out a device, we immediately lose the +- * (device-side) queues. So there's no point in keeping the +- * guest side around till we drop our final reference. This +- * also means that any ports which are in an open state will +- * have to just stop using the port, as the vqs are going +- * away. +- */ +- remove_vqs(portdev); +- kfree(portdev); +-} +- + static struct virtio_device_id id_table[] = { + { VIRTIO_ID_CONSOLE, VIRTIO_DEV_ANY_ID }, + { 0 }, diff --git a/queue-4.16/virtio_console-reset-on-out-of-memory.patch b/queue-4.16/virtio_console-reset-on-out-of-memory.patch new file mode 100644 index 00000000000..5f2d7f435df --- /dev/null +++ b/queue-4.16/virtio_console-reset-on-out-of-memory.patch @@ -0,0 +1,64 @@ +From 5c60300d68da32ca77f7f978039dc72bfc78b06b Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Fri, 20 Apr 2018 21:00:13 +0300 +Subject: virtio_console: reset on out of memory + +From: Michael S. Tsirkin + +commit 5c60300d68da32ca77f7f978039dc72bfc78b06b upstream. + +When out of memory and we can't add ctrl vq buffers, +probe fails. Unfortunately the error handling is +out of spec: it calls del_vqs without bothering +to reset the device first. + +To fix, call the full cleanup function in this case. + +Cc: stable@vger.kernel.org +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/virtio_console.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/char/virtio_console.c ++++ b/drivers/char/virtio_console.c +@@ -2090,6 +2090,7 @@ static int virtcons_probe(struct virtio_ + + spin_lock_init(&portdev->ports_lock); + INIT_LIST_HEAD(&portdev->ports); ++ INIT_LIST_HEAD(&portdev->list); + + virtio_device_ready(portdev->vdev); + +@@ -2107,8 +2108,15 @@ static int virtcons_probe(struct virtio_ + if (!nr_added_bufs) { + dev_err(&vdev->dev, + "Error allocating buffers for control queue\n"); +- err = -ENOMEM; +- goto free_vqs; ++ /* ++ * The host might want to notify mgmt sw about device ++ * add failure. ++ */ ++ __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, ++ VIRTIO_CONSOLE_DEVICE_READY, 0); ++ /* Device was functional: we need full cleanup. */ ++ virtcons_remove(vdev); ++ return -ENOMEM; + } + } else { + /* +@@ -2139,11 +2147,6 @@ static int virtcons_probe(struct virtio_ + + return 0; + +-free_vqs: +- /* The host might want to notify mgmt sw about device add failure */ +- __send_control_msg(portdev, VIRTIO_CONSOLE_BAD_ID, +- VIRTIO_CONSOLE_DEVICE_READY, 0); +- remove_vqs(portdev); + free_chrdev: + unregister_chrdev(portdev->chr_major, "virtio-portsdev"); + free: diff --git a/queue-4.16/xhci-fix-kernel-oops-in-xhci-dbgtty.patch b/queue-4.16/xhci-fix-kernel-oops-in-xhci-dbgtty.patch new file mode 100644 index 00000000000..c422af4904a --- /dev/null +++ b/queue-4.16/xhci-fix-kernel-oops-in-xhci-dbgtty.patch @@ -0,0 +1,88 @@ +From 7fc65d4c2ba9e5006c629669146c6876b65aa233 Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Fri, 13 Apr 2018 15:55:34 +0300 +Subject: xhci: Fix Kernel oops in xhci dbgtty + +From: Zhengjun Xing + +commit 7fc65d4c2ba9e5006c629669146c6876b65aa233 upstream. + +tty_unregister_driver may be called more than 1 time in some +hotplug cases,it will cause the kernel oops. This patch checked +dbc_tty_driver to make sure it is unregistered only 1 time. + +[ 175.741404] BUG: unable to handle kernel NULL pointer dereference at 0000000000000034 +[ 175.742309] IP: tty_unregister_driver+0x9/0x70 +[ 175.743148] PGD 0 P4D 0 +[ 175.743981] Oops: 0000 [#1] SMP PTI +[ 175.753904] RIP: 0010:tty_unregister_driver+0x9/0x70 +[ 175.754817] RSP: 0018:ffffa8ff831d3bb0 EFLAGS: 00010246 +[ 175.755753] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 +[ 175.756685] RDX: ffff92089c616000 RSI: ffffe64fe1b26080 RDI: 0000000000000000 +[ 175.757608] RBP: ffff92086c988230 R08: 000000006c982701 R09: 00000001801e0016 +[ 175.758533] R10: ffffa8ff831d3b48 R11: ffff92086c982100 R12: ffff92086c98827c +[ 175.759462] R13: ffff92086c988398 R14: 0000000000000060 R15: ffff92089c5e9b40 +[ 175.760401] FS: 0000000000000000(0000) GS:ffff9208a0100000(0000) knlGS:0000000000000000 +[ 175.761334] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 175.762270] CR2: 0000000000000034 CR3: 000000011800a003 CR4: 00000000003606e0 +[ 175.763225] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 175.764164] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 175.765091] Call Trace: +[ 175.766014] xhci_dbc_tty_unregister_driver+0x11/0x30 +[ 175.766960] xhci_dbc_exit+0x2a/0x40 +[ 175.767889] xhci_stop+0x57/0x1c0 +[ 175.768824] usb_remove_hcd+0x100/0x250 +[ 175.769708] usb_hcd_pci_remove+0x68/0x130 +[ 175.770574] pci_device_remove+0x3b/0xc0 +[ 175.771435] device_release_driver_internal+0x157/0x230 +[ 175.772343] pci_stop_bus_device+0x74/0xa0 +[ 175.773205] pci_stop_bus_device+0x2b/0xa0 +[ 175.774061] pci_stop_bus_device+0x2b/0xa0 +[ 175.774907] pci_stop_bus_device+0x2b/0xa0 +[ 175.775741] pci_stop_bus_device+0x2b/0xa0 +[ 175.776618] pci_stop_bus_device+0x2b/0xa0 +[ 175.777452] pci_stop_bus_device+0x2b/0xa0 +[ 175.778273] pci_stop_bus_device+0x2b/0xa0 +[ 175.779092] pci_stop_bus_device+0x2b/0xa0 +[ 175.779908] pci_stop_bus_device+0x2b/0xa0 +[ 175.780750] pci_stop_bus_device+0x2b/0xa0 +[ 175.781543] pci_stop_and_remove_bus_device+0xe/0x20 +[ 175.782338] pciehp_unconfigure_device+0xb8/0x160 +[ 175.783128] pciehp_disable_slot+0x4f/0xd0 +[ 175.783920] pciehp_power_thread+0x82/0xa0 +[ 175.784766] process_one_work+0x147/0x3c0 +[ 175.785564] worker_thread+0x4a/0x440 +[ 175.786376] kthread+0xf8/0x130 +[ 175.787174] ? rescuer_thread+0x360/0x360 +[ 175.787964] ? kthread_associate_blkcg+0x90/0x90 +[ 175.788798] ret_from_fork+0x35/0x40 + +Cc: # 4.16 +Fixes: dfba2174dc42 ("usb: xhci: Add DbC support in xHCI driver") +Signed-off-by: Zhengjun Xing +Tested-by: Christian Kellner +Reviewed-by: Christian Kellner +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-dbgtty.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci-dbgtty.c ++++ b/drivers/usb/host/xhci-dbgtty.c +@@ -320,9 +320,11 @@ int xhci_dbc_tty_register_driver(struct + + void xhci_dbc_tty_unregister_driver(void) + { +- tty_unregister_driver(dbc_tty_driver); +- put_tty_driver(dbc_tty_driver); +- dbc_tty_driver = NULL; ++ if (dbc_tty_driver) { ++ tty_unregister_driver(dbc_tty_driver); ++ put_tty_driver(dbc_tty_driver); ++ dbc_tty_driver = NULL; ++ } + } + + static void dbc_rx_push(unsigned long _port) diff --git a/queue-4.16/xhci-fix-usb-ports-for-dell-inspiron-5775.patch b/queue-4.16/xhci-fix-usb-ports-for-dell-inspiron-5775.patch new file mode 100644 index 00000000000..1c935a7c3b3 --- /dev/null +++ b/queue-4.16/xhci-fix-usb-ports-for-dell-inspiron-5775.patch @@ -0,0 +1,43 @@ +From 621faf4f6a181b6e012c1d1865213f36f4159b7f Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Fri, 20 Apr 2018 16:52:50 +0300 +Subject: xhci: Fix USB ports for Dell Inspiron 5775 + +From: Kai-Heng Feng + +commit 621faf4f6a181b6e012c1d1865213f36f4159b7f upstream. + +The Dell Inspiron 5775 is a Raven Ridge. The Enable Slot command timed +out when a USB device gets plugged: +[ 212.156326] xhci_hcd 0000:03:00.3: Error while assigning device slot ID +[ 212.156340] xhci_hcd 0000:03:00.3: Max number of devices this xHCI host supports is 64. +[ 212.156348] usb usb2-port3: couldn't allocate usb_device + +AMD suggests that a delay before xHC suspends can fix the issue. + +I can confirm it fixes the issue, so use the suspend delay quirk for +Raven Ridge's xHC. + +Cc: stable@vger.kernel.org +Signed-off-by: Kai-Heng Feng +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -126,7 +126,10 @@ static void xhci_pci_quirks(struct devic + if (pdev->vendor == PCI_VENDOR_ID_AMD && usb_amd_find_chipset_info()) + xhci->quirks |= XHCI_AMD_PLL_FIX; + +- if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x43bb) ++ if (pdev->vendor == PCI_VENDOR_ID_AMD && ++ (pdev->device == 0x15e0 || ++ pdev->device == 0x15e1 || ++ pdev->device == 0x43bb)) + xhci->quirks |= XHCI_SUSPEND_DELAY; + + if (pdev->vendor == PCI_VENDOR_ID_AMD) -- 2.47.3