4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Dec 2017 11:43:29 +0000 (12:43 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Dec 2017 11:43:29 +0000 (12:43 +0100)
added patches:
autofs-fix-careless-error-in-recent-commit.patch
bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch
ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch
tracing-allocate-mask_str-buffer-dynamically.patch
usb-core-prevent-malicious-bnuminterfaces-overflow.patch
usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch
usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch

queue-4.4/autofs-fix-careless-error-in-recent-commit.patch [new file with mode: 0644]
queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch [new file with mode: 0644]
queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch [new file with mode: 0644]
queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch [new file with mode: 0644]
queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch [new file with mode: 0644]
queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch [new file with mode: 0644]

diff --git a/queue-4.4/autofs-fix-careless-error-in-recent-commit.patch b/queue-4.4/autofs-fix-careless-error-in-recent-commit.patch
new file mode 100644 (file)
index 0000000..75fdb59
--- /dev/null
@@ -0,0 +1,36 @@
+From 302ec300ef8a545a7fc7f667e5fd743b091c2eeb Mon Sep 17 00:00:00 2001
+From: NeilBrown <neilb@suse.com>
+Date: Thu, 14 Dec 2017 15:32:38 -0800
+Subject: autofs: fix careless error in recent commit
+
+From: NeilBrown <neilb@suse.com>
+
+commit 302ec300ef8a545a7fc7f667e5fd743b091c2eeb upstream.
+
+Commit ecc0c469f277 ("autofs: don't fail mount for transient error") was
+meant to replace an 'if' with a 'switch', but instead added the 'switch'
+leaving the case in place.
+
+Link: http://lkml.kernel.org/r/87zi6wstmw.fsf@notabene.neil.brown.name
+Fixes: ecc0c469f277 ("autofs: don't fail mount for transient error")
+Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: NeilBrown <neilb@suse.com>
+Cc: Ian Kent <raven@themaw.net>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/autofs4/waitq.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/fs/autofs4/waitq.c
++++ b/fs/autofs4/waitq.c
+@@ -174,7 +174,6 @@ static void autofs4_notify_daemon(struct
+       mutex_unlock(&sbi->wq_mutex);
+-      if (autofs4_write(sbi, pipe, &pkt, pktsz))
+       switch (ret = autofs4_write(sbi, pipe, &pkt, pktsz)) {
+       case 0:
+               break;
diff --git a/queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch b/queue-4.4/bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch
new file mode 100644 (file)
index 0000000..b151f0e
--- /dev/null
@@ -0,0 +1,57 @@
+From a0085f2510e8976614ad8f766b209448b385492f Mon Sep 17 00:00:00 2001
+From: Sukumar Ghorai <sukumar.ghorai@intel.com>
+Date: Wed, 16 Aug 2017 14:46:55 -0700
+Subject: Bluetooth: btusb: driver to enable the usb-wakeup feature
+
+From: Sukumar Ghorai <sukumar.ghorai@intel.com>
+
+commit a0085f2510e8976614ad8f766b209448b385492f upstream.
+
+BT-Controller connected as platform non-root-hub device and
+usb-driver initialize such device with wakeup disabled,
+Ref. usb_new_device().
+
+At present wakeup-capability get enabled by hid-input device from usb
+function driver(e.g. BT HID device) at runtime. Again some functional
+driver does not set usb-wakeup capability(e.g LE HID device implement
+as HID-over-GATT), and can't wakeup the host on USB.
+
+Most of the device operation (such as mass storage) initiated from host
+(except HID) and USB wakeup aligned with host resume procedure. For BT
+device, usb-wakeup capability need to enable form btusc driver as a
+generic solution for multiple profile use case and required for USB remote
+wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature
+need to enable/disable with HCI interface up and down.
+
+Signed-off-by: Sukumar Ghorai <sukumar.ghorai@intel.com>
+Signed-off-by: Amit K Bag <amit.k.bag@intel.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: Matthias Kaehlcke <mka@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -1050,6 +1050,10 @@ static int btusb_open(struct hci_dev *hd
+               return err;
+       data->intf->needs_remote_wakeup = 1;
++      /* device specific wakeup source enabled and required for USB
++       * remote wakeup while host is suspended
++       */
++      device_wakeup_enable(&data->udev->dev);
+       if (test_and_set_bit(BTUSB_INTR_RUNNING, &data->flags))
+               goto done;
+@@ -1113,6 +1117,7 @@ static int btusb_close(struct hci_dev *h
+               goto failed;
+       data->intf->needs_remote_wakeup = 0;
++      device_wakeup_disable(&data->udev->dev);
+       usb_autopm_put_interface(data->intf);
+ failed:
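Review bot: In btusb_close() the added `device_wakeup_disable(&data->udev->dev);` sits after the `goto failed;` shown just above it, so when that earlier step fails the device stays wakeup-enabled although the HCI interface is going down. In btusb_open() the enable call is likewise placed before steps that can still fail, and whether the error path undoes it is not visible in this hunk. Consider placing the disable after the `failed:` label (and mirroring it on open's failure path) so that enable and disable stay paired with interface up and down. Both functions extend beyond the hunks shown.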
diff --git a/queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch b/queue-4.4/ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch
new file mode 100644 (file)
index 0000000..b2d12a4
--- /dev/null
@@ -0,0 +1,85 @@
+From 040d786032bf59002d374b86d75b04d97624005c Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Thu, 30 Nov 2017 11:59:22 +0800
+Subject: ceph: drop negative child dentries before try pruning inode's alias
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 040d786032bf59002d374b86d75b04d97624005c upstream.
+
+Negative child dentry holds reference on inode's alias, it makes
+d_prune_aliases() do nothing.
+
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ceph/mds_client.c |   42 ++++++++++++++++++++++++++++++++++++++----
+ 1 file changed, 38 insertions(+), 4 deletions(-)
+
+--- a/fs/ceph/mds_client.c
++++ b/fs/ceph/mds_client.c
+@@ -1400,6 +1400,29 @@ static int __close_session(struct ceph_m
+       return request_close_session(mdsc, session);
+ }
++static bool drop_negative_children(struct dentry *dentry)
++{
++      struct dentry *child;
++      bool all_negative = true;
++
++      if (!d_is_dir(dentry))
++              goto out;
++
++      spin_lock(&dentry->d_lock);
++      list_for_each_entry(child, &dentry->d_subdirs, d_child) {
++              if (d_really_is_positive(child)) {
++                      all_negative = false;
++                      break;
++              }
++      }
++      spin_unlock(&dentry->d_lock);
++
++      if (all_negative)
++              shrink_dcache_parent(dentry);
++out:
++      return all_negative;
++}
++
+ /*
+  * Trim old(er) caps.
+  *
+@@ -1445,16 +1468,27 @@ static int trim_caps_cb(struct inode *in
+       if ((used | wanted) & ~oissued & mine)
+               goto out;   /* we need these caps */
+-      session->s_trim_caps--;
+       if (oissued) {
+               /* we aren't the only cap.. just remove us */
+               __ceph_remove_cap(cap, true);
++              session->s_trim_caps--;
+       } else {
++              struct dentry *dentry;
+               /* try dropping referring dentries */
+               spin_unlock(&ci->i_ceph_lock);
+-              d_prune_aliases(inode);
+-              dout("trim_caps_cb %p cap %p  pruned, count now %d\n",
+-                   inode, cap, atomic_read(&inode->i_count));
++              dentry = d_find_any_alias(inode);
++              if (dentry && drop_negative_children(dentry)) {
++                      int count;
++                      dput(dentry);
++                      d_prune_aliases(inode);
++                      count = atomic_read(&inode->i_count);
++                      if (count == 1)
++                              session->s_trim_caps--;
++                      dout("trim_caps_cb %p cap %p pruned, count now %d\n",
++                           inode, cap, count);
++              } else {
++                      dput(dentry);
++              }
+               return 0;
+       }
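Review bot: drop_negative_children() returns true for a dentry that is not a directory, because the `goto out` leaves `all_negative` at its initial `true`, and nothing in the helper documents this although trim_caps_cb() depends on it to keep pruning aliases of non-directory inodes. A header comment would help, for example `/* Returns true if dentry has no positive children (always true for non-directories); negative children are dropped via shrink_dcache_parent(). */`. It is also worth noting that the scan under `d_lock` and the later `shrink_dcache_parent()` are not atomic, so a child may become positive in between and the result is best-effort. trim_caps_cb() starts and ends outside the hunk.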
index 484306d7a39eb9e06d6b0186c4fad95bc7782b6f..354b01f556e2eedd80bf1443e521a4a9500302c3 100644 (file)
@@ -1,2 +1,9 @@
 crypto-hmac-require-that-the-underlying-hash-algorithm-is-unkeyed.patch
 crypto-salsa20-fix-blkcipher_walk-api-usage.patch
+autofs-fix-careless-error-in-recent-commit.patch
+tracing-allocate-mask_str-buffer-dynamically.patch
+usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch
+usb-core-prevent-malicious-bnuminterfaces-overflow.patch
+usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch
+ceph-drop-negative-child-dentries-before-try-pruning-inode-s-alias.patch
+bluetooth-btusb-driver-to-enable-the-usb-wakeup-feature.patch
diff --git a/queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch b/queue-4.4/tracing-allocate-mask_str-buffer-dynamically.patch
new file mode 100644 (file)
index 0000000..b444946
--- /dev/null
@@ -0,0 +1,97 @@
+From 90e406f96f630c07d631a021fd4af10aac913e77 Mon Sep 17 00:00:00 2001
+From: Changbin Du <changbin.du@intel.com>
+Date: Thu, 30 Nov 2017 11:39:43 +0800
+Subject: tracing: Allocate mask_str buffer dynamically
+
+From: Changbin Du <changbin.du@intel.com>
+
+commit 90e406f96f630c07d631a021fd4af10aac913e77 upstream.
+
+The default NR_CPUS can be very large, but actual possible nr_cpu_ids
+usually is very small. For my x86 distribution, the NR_CPUS is 8192 and
+nr_cpu_ids is 4. About 2 pages are wasted.
+
+Most machines don't have so many CPUs, so define a array with NR_CPUS
+just wastes memory. So let's allocate the buffer dynamically when need.
+
+With this change, the mutext tracing_cpumask_update_lock also can be
+removed now, which was used to protect mask_str.
+
+Link: http://lkml.kernel.org/r/1512013183-19107-1-git-send-email-changbin.du@intel.com
+
+Fixes: 36dfe9252bd4c ("ftrace: make use of tracing_cpumask")
+Signed-off-by: Changbin Du <changbin.du@intel.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c |   29 +++++++++--------------------
+ 1 file changed, 9 insertions(+), 20 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -3384,37 +3384,30 @@ static const struct file_operations show
+       .llseek         = seq_lseek,
+ };
+-/*
+- * The tracer itself will not take this lock, but still we want
+- * to provide a consistent cpumask to user-space:
+- */
+-static DEFINE_MUTEX(tracing_cpumask_update_lock);
+-
+-/*
+- * Temporary storage for the character representation of the
+- * CPU bitmask (and one more byte for the newline):
+- */
+-static char mask_str[NR_CPUS + 1];
+-
+ static ssize_t
+ tracing_cpumask_read(struct file *filp, char __user *ubuf,
+                    size_t count, loff_t *ppos)
+ {
+       struct trace_array *tr = file_inode(filp)->i_private;
++      char *mask_str;
+       int len;
+-      mutex_lock(&tracing_cpumask_update_lock);
++      len = snprintf(NULL, 0, "%*pb\n",
++                     cpumask_pr_args(tr->tracing_cpumask)) + 1;
++      mask_str = kmalloc(len, GFP_KERNEL);
++      if (!mask_str)
++              return -ENOMEM;
+-      len = snprintf(mask_str, count, "%*pb\n",
++      len = snprintf(mask_str, len, "%*pb\n",
+                      cpumask_pr_args(tr->tracing_cpumask));
+       if (len >= count) {
+               count = -EINVAL;
+               goto out_err;
+       }
+-      count = simple_read_from_buffer(ubuf, count, ppos, mask_str, NR_CPUS+1);
++      count = simple_read_from_buffer(ubuf, count, ppos, mask_str, len);
+ out_err:
+-      mutex_unlock(&tracing_cpumask_update_lock);
++      kfree(mask_str);
+       return count;
+ }
+@@ -3434,8 +3427,6 @@ tracing_cpumask_write(struct file *filp,
+       if (err)
+               goto err_unlock;
+-      mutex_lock(&tracing_cpumask_update_lock);
+-
+       local_irq_disable();
+       arch_spin_lock(&tr->max_lock);
+       for_each_tracing_cpu(cpu) {
+@@ -3458,8 +3449,6 @@ tracing_cpumask_write(struct file *filp,
+       local_irq_enable();
+       cpumask_copy(tr->tracing_cpumask, tracing_cpumask_new);
+-
+-      mutex_unlock(&tracing_cpumask_update_lock);
+       free_cpumask_var(tracing_cpumask_new);
+       return count;
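Review bot: Removing `tracing_cpumask_update_lock` drops more than the protection of `mask_str`: the deleted comment says the lock existed "to provide a consistent cpumask to user-space", and tracing_cpumask_read() now formats `tr->tracing_cpumask` twice with nothing ordering it against the `cpumask_copy()` in tracing_cpumask_write(). If a torn read is acceptable, record that above the first `snprintf()`, for example `/* no lock: a reader racing with a write may see a mix of old and new mask bits */`. In the same function `len >= count` compares an `int` with a `size_t`; a cast or a `size_t` local would make the intended unsigned comparison explicit. tracing_cpumask_write() is only partly visible here.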
diff --git a/queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch b/queue-4.4/usb-core-prevent-malicious-bnuminterfaces-overflow.patch
new file mode 100644 (file)
index 0000000..50c84ad
--- /dev/null
@@ -0,0 +1,47 @@
+From 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Tue, 12 Dec 2017 14:25:13 -0500
+Subject: USB: core: prevent malicious bNumInterfaces overflow
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 48a4ff1c7bb5a32d2e396b03132d20d552c0eca7 upstream.
+
+A malicious USB device with crafted descriptors can cause the kernel
+to access unallocated memory by setting the bNumInterfaces value too
+high in a configuration descriptor.  Although the value is adjusted
+during parsing, this adjustment is skipped in one of the error return
+paths.
+
+This patch prevents the problem by setting bNumInterfaces to 0
+initially.  The existing code already sets it to the proper value
+after parsing is complete.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -521,6 +521,9 @@ static int usb_parse_configuration(struc
+       unsigned iad_num = 0;
+       memcpy(&config->desc, buffer, USB_DT_CONFIG_SIZE);
++      nintf = nintf_orig = config->desc.bNumInterfaces;
++      config->desc.bNumInterfaces = 0;        // Adjusted later
++
+       if (config->desc.bDescriptorType != USB_DT_CONFIG ||
+           config->desc.bLength < USB_DT_CONFIG_SIZE ||
+           config->desc.bLength > size) {
+@@ -534,7 +537,6 @@ static int usb_parse_configuration(struc
+       buffer += config->desc.bLength;
+       size -= config->desc.bLength;
+-      nintf = nintf_orig = config->desc.bNumInterfaces;
+       if (nintf > USB_MAXINTERFACES) {
+               dev_warn(ddev, "config %d has too many interfaces: %d, "
+                   "using maximum allowed: %d\n",
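Review bot: The comment on `config->desc.bNumInterfaces = 0;        // Adjusted later` does not say why the field is cleared, which is the security-relevant part: per the commit message, an error return could otherwise leave the device-supplied count in place without the adjustment made during parsing. Something like `/* Untrusted count: keep 0 until parsing has validated it, so early error returns never expose it */` would stop a later cleanup from moving the assignment back below the descriptor checks. The `//` form also differs from the block comments used in the other patches on this page. usb_parse_configuration() begins and ends outside the hunk.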
diff --git a/queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch b/queue-4.4/usb-uas-and-storage-add-us_fl_broken_fua-for-another-jmicron-jms567-id.patch
new file mode 100644 (file)
index 0000000..70d93c2
--- /dev/null
@@ -0,0 +1,65 @@
+From 62354454625741f0569c2cbe45b2d192f8fd258e Mon Sep 17 00:00:00 2001
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+Date: Tue, 5 Dec 2017 22:40:04 +0100
+Subject: USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
+
+From: David Kozub <zub@linux.fjfi.cvut.cz>
+
+commit 62354454625741f0569c2cbe45b2d192f8fd258e upstream.
+
+There is another JMS567-based USB3 UAS enclosure (152d:0578) that fails
+with the following error:
+
+[sda] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+[sda] tag#0 Sense Key : Illegal Request [current]
+[sda] tag#0 Add. Sense: Invalid field in cdb
+
+The issue occurs both with UAS (occasionally) and mass storage
+(immediately after mounting a FS on a disk in the enclosure).
+
+Enabling US_FL_BROKEN_FUA quirk solves this issue.
+
+This patch adds an UNUSUAL_DEV with US_FL_BROKEN_FUA for the enclosure
+for both UAS and mass storage.
+
+Signed-off-by: David Kozub <zub@linux.fjfi.cvut.cz>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h |    7 +++++++
+ drivers/usb/storage/unusual_uas.h  |    7 +++++++
+ 2 files changed, 14 insertions(+)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2149,6 +2149,13 @@ UNUSUAL_DEV(0x152d, 0x9561, 0x0000, 0x99
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+               US_FL_NO_REPORT_OPCODES),
++/* Reported by David Kozub <zub@linux.fjfi.cvut.cz> */
++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999,
++              "JMicron",
++              "JMS567",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_BROKEN_FUA),
++
+ /*
+  * Patch by Constantin Baranov <const@tltsu.ru>
+  * Report by Andreas Koenecke.
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -141,6 +141,13 @@ UNUSUAL_DEV(0x152d, 0x0567, 0x0000, 0x99
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+               US_FL_BROKEN_FUA | US_FL_NO_REPORT_OPCODES),
++/* Reported-by: David Kozub <zub@linux.fjfi.cvut.cz> */
++UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x9999,
++              "JMicron",
++              "JMS567",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_BROKEN_FUA),
++
+ /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
+ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
+               "VIA",
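Review bot: In unusual_devs.h the new 0x152d:0x0578 entry is inserted after the 0x152d:0x9561 entry named in the hunk header, whereas in unusual_uas.h it directly follows 0x152d:0x0567; if the table is meant to stay sorted by vendor and product ID, as the uas placement suggests, the mass-storage entry belongs earlier. The attribution comments also differ between the two files (`Reported by` versus `Reported-by:`); using one form keeps them greppable. Neither point changes device matching as far as the hunks show.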
diff --git a/queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch b/queue-4.4/usbip-fix-stub_send_ret_submit-vulnerability-to-null-transfer_buffer.patch
new file mode 100644 (file)
index 0000000..b20bdec
--- /dev/null
@@ -0,0 +1,38 @@
+From be6123df1ea8f01ee2f896a16c2b7be3e4557a5a Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Thu, 7 Dec 2017 14:16:50 -0700
+Subject: usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit be6123df1ea8f01ee2f896a16c2b7be3e4557a5a upstream.
+
+stub_send_ret_submit() handles urb with a potential null transfer_buffer,
+when it replays a packet with potential malicious data that could contain
+a null buffer. Add a check for the condition when actual_length > 0 and
+transfer_buffer is null.
+
+Reported-by: Secunia Research <vuln@secunia.com>
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_tx.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/usbip/stub_tx.c
++++ b/drivers/usb/usbip/stub_tx.c
+@@ -178,6 +178,13 @@ static int stub_send_ret_submit(struct s
+               memset(&pdu_header, 0, sizeof(pdu_header));
+               memset(&msg, 0, sizeof(msg));
++              if (urb->actual_length > 0 && !urb->transfer_buffer) {
++                      dev_err(&sdev->udev->dev,
++                              "urb: actual_length %d transfer_buffer null\n",
++                              urb->actual_length);
++                      return -1;
++              }
++
+               if (usb_pipetype(urb->pipe) == PIPE_ISOCHRONOUS)
+                       iovnum = 2 + urb->number_of_packets;
+               else
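Review bot: The new early `return -1;` leaves stub_send_ret_submit() from inside the per-urb block with only a log line, so it should be checked against the function's other failure paths, which lie outside this hunk; if those signal a usbip error event before returning, this path should do the same so the connection is torn down rather than left half-processed. Since the condition can be driven by data from the remote peer, as the commit message describes, a rate-limited log call would also keep it from flooding the kernel log if the path can be hit repeatedly. Separately, `urb->actual_length` is printed with `%d`; if the field is unsigned, as it is in struct urb, `%u` is the matching specifier.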