From: Greg Kroah-Hartman
Date: Fri, 23 Feb 2018 09:51:47 +0000 (+0100)
Subject: 4.15-stable patches
X-Git-Tag: v3.18.96~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=25b45f2f11acb29553e4a3549a3e8f5e8baae106;p=thirdparty%2Fkernel%2Fstable-queue.git
4.15-stable patches
added patches:
android-binder-remove-warn-for-redundant-txn-error.patch
android-binder-synchronize_rcu-when-using-pollfree.patch
binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
binder-replace-p-with-pk.patch
staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
staging-fsl-mc-fix-build-testing-on-x86.patch
staging-iio-ad5933-switch-buffer-mode-to-software.patch
staging-iio-adc-ad7192-fix-external-frequency-setting.patch
usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
xhci-fix-null-pointer-in-xhci-debugfs.patch
xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch
xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch
xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch
---
diff --git a/queue-4.15/android-binder-remove-warn-for-redundant-txn-error.patch b/queue-4.15/android-binder-remove-warn-for-redundant-txn-error.patch
new file mode 100644
index 00000000000..c33009f9ec3
--- /dev/null
+++ b/queue-4.15/android-binder-remove-warn-for-redundant-txn-error.patch
@@ -0,0 +1,85 @@ +From e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Wed, 7 Feb 2018 12:38:47 -0800 +Subject: ANDROID: binder: remove WARN() for redundant txn error + +From: Todd Kjos + +commit e46a3b3ba7509cb7fda0e07bc7c63a2cd90f579b upstream. + +binder_send_failed_reply() is called when a synchronous +transaction fails. It reports an error to the thread that +is waiting for the completion. Given that the transaction +is synchronous, there should never be more than 1 error +response to that thread -- this was being asserted with +a WARN(). + +However, when exercising the driver with syzbot tests, cases +were observed where multiple "synchronous" requests were +sent without waiting for responses, so it is possible that +multiple errors would be reported to the thread. This testing +was conducted with panic_on_warn set which forced the crash. + +This is easily reproduced by sending back-to-back +"synchronous" transactions without checking for any +response (eg, set read_size to 0): + + bwr.write_buffer = (uintptr_t)&bc1; + bwr.write_size = sizeof(bc1); + bwr.read_buffer = (uintptr_t)&br; + bwr.read_size = 0; + ioctl(fd, BINDER_WRITE_READ, &bwr); + sleep(1); + bwr2.write_buffer = (uintptr_t)&bc2; + bwr2.write_size = sizeof(bc2); + bwr2.read_buffer = (uintptr_t)&br; + bwr2.read_size = 0; + ioctl(fd, BINDER_WRITE_READ, &bwr2); + sleep(1); + +The first transaction is sent to the servicemanager and the reply +fails because no VMA is set up by this client. After +binder_send_failed_reply() is called, the BINDER_WORK_RETURN_ERROR +is sitting on the thread's todo list since the read_size was 0 and +the client is not waiting for a response. + +The 2nd transaction is sent and the BINDER_WORK_RETURN_ERROR has not +been consumed, so the thread's reply_error.cmd is still set (normally +cleared when the BINDER_WORK_RETURN_ERROR is handled). 
Therefore +when the servicemanager attempts to reply to the 2nd failed +transaction, the error is already set and it triggers this warning. + +This is a user error since it is not waiting for the synchronous +transaction to complete. If it ever does check, it will see an +error. + +Changed the WARN() to a pr_warn(). + +Signed-off-by: Todd Kjos +Reported-by: syzbot +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -1933,8 +1933,14 @@ static void binder_send_failed_reply(str + &target_thread->todo); + wake_up_interruptible(&target_thread->wait); + } else { +- WARN(1, "Unexpected reply error: %u\n", +- target_thread->reply_error.cmd); ++ /* ++ * Cannot get here for normal operation, but ++ * we can if multiple synchronous transactions ++ * are sent without blocking for responses. ++ * Just ignore the 2nd error in this case. ++ */ ++ pr_warn("Unexpected reply error: %u\n", ++ target_thread->reply_error.cmd); + } + binder_inner_proc_unlock(target_thread->proc); + binder_thread_dec_tmpref(target_thread); diff --git a/queue-4.15/android-binder-synchronize_rcu-when-using-pollfree.patch b/queue-4.15/android-binder-synchronize_rcu-when-using-pollfree.patch new file mode 100644 index 00000000000..d998730757e --- /dev/null +++ b/queue-4.15/android-binder-synchronize_rcu-when-using-pollfree.patch 
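Review bot: The `pr_warn()` that replaces the WARN() in binder_send_failed_reply() is reachable at will from unprivileged userspace — the commit message gives the two-ioctl reproducer — so a client looping on that pattern can now flood the kernel log without bound, which is its own denial-of-service vector against anything that depends on dmesg or the log buffer. The kernel convention for diagnostics an unprivileged caller can trigger is the ratelimited variant: `pr_warn_ratelimited("Unexpected reply error: %u\n", target_thread->reply_error.cmd);`. The in-code comment says this is "user error", which is exactly the case where rate limiting matters, since the offending process is not the one reading the log. binder_send_failed_reply() begins outside the hunk.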
@@ -0,0 +1,39 @@ +From 5eeb2ca02a2f6084fc57ae5c244a38baab07033a Mon Sep 17 00:00:00 2001 +From: Martijn Coenen +Date: Fri, 16 Feb 2018 09:47:15 +0100 +Subject: ANDROID: binder: synchronize_rcu() when using POLLFREE. + +From: Martijn Coenen + +commit 5eeb2ca02a2f6084fc57ae5c244a38baab07033a upstream. + +To prevent races with ep_remove_waitqueue() removing the +waitqueue at the same time. + +Reported-by: syzbot+a2a3c4909716e271487e@syzkaller.appspotmail.com +Signed-off-by: Martijn Coenen +Cc: stable # 4.14+ +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4322,6 +4322,15 @@ static int binder_thread_release(struct + + binder_inner_proc_unlock(thread->proc); + ++ /* ++ * This is needed to avoid races between wake_up_poll() above and ++ * and ep_remove_waitqueue() called for other reasons (eg the epoll file ++ * descriptor being closed); ep_remove_waitqueue() holds an RCU read ++ * lock, so we can be sure it's done after calling synchronize_rcu(). ++ */ ++ if (thread->looper & BINDER_LOOPER_STATE_POLL) ++ synchronize_rcu(); ++ + if (send_reply) + binder_send_failed_reply(send_reply, BR_DEAD_REPLY); + binder_release_work(proc, &thread->todo); diff --git a/queue-4.15/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch b/queue-4.15/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch new file mode 100644 index 00000000000..0477dd764fa --- /dev/null +++ b/queue-4.15/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch 
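Review bot: The new comment in binder_thread_release() has a duplicated word, `wake_up_poll() above and` / `and ep_remove_waitqueue()`; drop the second `and`. It would also help to state the lifetime fact that justifies a full synchronize_rcu() on the thread-exit path: the waitqueue is about to be freed along with the thread (implied by the function name, not shown in the hunk), and an epoll entry may still be touching it inside its RCU read-side section, so anything in flight must drain before the free — e.g. append `* The thread's wait queue is freed after this point.` to the comment. `thread->looper` is read here two lines after binder_inner_proc_unlock(); presumably nothing else modifies it during release, but a short note on why the unlocked read is safe would spare the next reader the same question. The rest of binder_thread_release() is outside the hunk.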
@@ -0,0 +1,37 @@ +From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Tue, 30 Jan 2018 23:11:24 -0800 +Subject: binder: check for binder_thread allocation failure in binder_poll() + +From: Eric Biggers + +commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream. + +If the kzalloc() in binder_get_thread() fails, binder_poll() +dereferences the resulting NULL pointer. + +Fix it by returning POLLERR if the memory allocation failed. + +This bug was found by syzkaller using fault injection. + +Reported-by: syzbot +Fixes: 457b9a6f09f0 ("Staging: android: add binder driver") +Cc: stable@vger.kernel.org +Signed-off-by: Eric Biggers +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4346,6 +4346,8 @@ static unsigned int binder_poll(struct f + bool wait_for_proc_work; + + thread = binder_get_thread(proc); ++ if (!thread) ++ return POLLERR; + + binder_inner_proc_lock(thread->proc); + thread->looper |= BINDER_LOOPER_STATE_POLL; diff --git a/queue-4.15/binder-replace-p-with-pk.patch b/queue-4.15/binder-replace-p-with-pk.patch new file mode 100644 index 00000000000..a9085ff83c8 --- /dev/null +++ b/queue-4.15/binder-replace-p-with-pk.patch 
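Review bot: The added `if (!thread) return POLLERR;` in binder_poll() is the right fix but is silent about why that return value was chosen; since binder_get_thread() allocates on the poll path, any client can hit this under memory pressure, and returning 0 instead would (presumably) leave the caller sleeping in poll/select with no waitqueue registered. A one-line comment pins the intent: `/* thread allocation failed: report an error, not a silent no-event poll */`. The remainder of binder_poll() continues outside the hunk.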
@@ -0,0 +1,58 @@ +From 8ca86f1639ec5890d400fff9211aca22d0a392eb Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Wed, 7 Feb 2018 13:57:37 -0800 +Subject: binder: replace "%p" with "%pK" + +From: Todd Kjos + +commit 8ca86f1639ec5890d400fff9211aca22d0a392eb upstream. + +The format specifier "%p" can leak kernel addresses. Use +"%pK" instead. There were 4 remaining cases in binder.c. + +Signed-off-by: Todd Kjos +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2141,7 +2141,7 @@ static void binder_transaction_buffer_re + int debug_id = buffer->debug_id; + + binder_debug(BINDER_DEBUG_TRANSACTION, +- "%d buffer release %d, size %zd-%zd, failed at %p\n", ++ "%d buffer release %d, size %zd-%zd, failed at %pK\n", + proc->pid, buffer->debug_id, + buffer->data_size, buffer->offsets_size, failed_at); + +@@ -3653,7 +3653,7 @@ static int binder_thread_write(struct bi + } + } + binder_debug(BINDER_DEBUG_DEAD_BINDER, +- "%d:%d BC_DEAD_BINDER_DONE %016llx found %p\n", ++ "%d:%d BC_DEAD_BINDER_DONE %016llx found %pK\n", + proc->pid, thread->pid, (u64)cookie, + death); + if (death == NULL) { +@@ -4991,7 +4991,7 @@ static void print_binder_transaction_ilo + spin_lock(&t->lock); + to_proc = t->to_proc; + seq_printf(m, +- "%s %d: %p from %d:%d to %d:%d code %x flags %x pri %ld r%d", ++ "%s %d: %pK from %d:%d to %d:%d code %x flags %x pri %ld r%d", + prefix, t->debug_id, t, + t->from ? t->from->proc->pid : 0, + t->from ? t->from->pid : 0, +@@ -5015,7 +5015,7 @@ static void print_binder_transaction_ilo + } + if (buffer->target_node) + seq_printf(m, " node %d", buffer->target_node->debug_id); +- seq_printf(m, " size %zd:%zd data %p\n", ++ seq_printf(m, " size %zd:%zd data %pK\n", + buffer->data_size, buffer->offsets_size, + buffer->data); + } 
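Review bot: `%pK` is not an unconditional fix for the address leak the commit message describes: what it prints is governed by the kptr_restrict sysctl (and, at the two seq_printf() sites, by the capabilities of whichever process reads the state file), so with kptr_restrict=0 it degrades to plain `%p` — hashed if this 4.15 tree carries the %p hashing, raw otherwise. The debug_id fields printed beside each pointer are the stable handle a log reader should use, and it is worth recording that where the pointers are emitted, e.g. `/* %pK: address visible only per kptr_restrict; debug_id is the stable identifier */` above the seq_printf() in print_binder_transaction_ilocked(). Deployments that rely on this change should also pin kptr_restrict, which the patch cannot do for them. Both print helpers continue outside the hunk.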
diff --git a/queue-4.15/series b/queue-4.15/series
index b49759a0c19..96edddf291d 100644
--- a/queue-4.15/series
+++ b/queue-4.15/series
@@ -26,3 +26,16 @@ video-fbdev-mmp-add-module_license.patch
 arm-8743-1-bl_switcher-add-module_license-tag.patch
 arm64-dts-add-cooling-cells-to-cpu-nodes.patch
 dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+android-binder-remove-warn-for-redundant-txn-error.patch
+android-binder-synchronize_rcu-when-using-pollfree.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+binder-replace-p-with-pk.patch
+staging-fsl-mc-fix-build-testing-on-x86.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+staging-iio-ad5933-switch-buffer-mode-to-software.patch
+xhci-fix-null-pointer-in-xhci-debugfs.patch
+xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch
+xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch
+xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
diff --git a/queue-4.15/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch b/queue-4.15/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
new file mode 100644
index 00000000000..e76a7404b55
--- /dev/null
+++ b/queue-4.15/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
@@ -0,0 +1,72 @@ +From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Sun, 4 Feb 2018 02:06:27 +0000 +Subject: staging: android: ashmem: Fix a race condition in pin ioctls + +From: Ben Hutchings + +commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream. + +ashmem_pin_unpin() reads asma->file and asma->size before taking the +ashmem_mutex, so it can race with other operations that modify them. + +Build-tested only. + +Signed-off-by: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/ashmem.c | 19 +++++++++++-------- + 1 file changed, 11 insertions(+), 8 deletions(-) + +--- a/drivers/staging/android/ashmem.c ++++ b/drivers/staging/android/ashmem.c +@@ -710,30 +710,32 @@ static int ashmem_pin_unpin(struct ashme + size_t pgstart, pgend; + int ret = -EINVAL; + ++ mutex_lock(&ashmem_mutex); ++ + if (unlikely(!asma->file)) +- return -EINVAL; ++ goto out_unlock; + +- if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) +- return -EFAULT; ++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) { ++ ret = -EFAULT; ++ goto out_unlock; ++ } + + /* per custom, you can pass zero for len to mean "everything onward" */ + if (!pin.len) + pin.len = PAGE_ALIGN(asma->size) - pin.offset; + + if (unlikely((pin.offset | pin.len) & ~PAGE_MASK)) +- return -EINVAL; ++ goto out_unlock; + + if (unlikely(((__u32)-1) - pin.offset < pin.len)) +- return -EINVAL; ++ goto out_unlock; + + if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len)) +- return -EINVAL; ++ goto out_unlock; + + pgstart = pin.offset / PAGE_SIZE; + pgend = pgstart + (pin.len / PAGE_SIZE) - 1; + +- mutex_lock(&ashmem_mutex); +- + switch (cmd) { + case ASHMEM_PIN: + ret = ashmem_pin(asma, pgstart, pgend); +@@ -746,6 +748,7 @@ static int ashmem_pin_unpin(struct ashme + break; + } + ++out_unlock: + mutex_unlock(&ashmem_mutex); + + return ret; 
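Review bot: Moving `mutex_lock(&ashmem_mutex)` above the `copy_from_user(&pin, p, sizeof(pin))` call in ashmem_pin_unpin() creates a lock-order hazard: a fault on the user pointer takes the task's mmap_sem while ashmem_mutex is held, whereas an mmap() handler runs with mmap_sem already held and — if ashmem_mmap() takes ashmem_mutex, which the hunk does not show but is the usual ashmem pattern — acquires the two in the opposite order, an AB-BA deadlock between an ioctl and a concurrent mmap that lockdep would flag. The race the patch fixes concerns `asma->file` and `asma->size`; `pin` is a local, so the copy does not need the lock. Copy the argument first, then take the mutex and do every asma read under it. The function's opening declarations are outside the hunk.
```c
	int ret = -EINVAL;

	/* Copy the argument before taking ashmem_mutex: a fault here takes mmap_sem. */
	if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
		return -EFAULT;

	mutex_lock(&ashmem_mutex);

	if (unlikely(!asma->file))
		goto out_unlock;

	/* … unchanged: len default, alignment/overflow/range checks, pin/unpin switch, out_unlock … */
```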
diff --git a/queue-4.15/staging-fsl-mc-fix-build-testing-on-x86.patch b/queue-4.15/staging-fsl-mc-fix-build-testing-on-x86.patch new file mode 100644 index 00000000000..c8488c1534a --- /dev/null +++ b/queue-4.15/staging-fsl-mc-fix-build-testing-on-x86.patch @@ -0,0 +1,36 @@ +From 02b7b2844c2ffd3b614ec2b9293e8c7f041d60da Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Fri, 16 Feb 2018 16:36:04 +0100 +Subject: staging: fsl-mc: fix build testing on x86 + +From: Arnd Bergmann + +commit 02b7b2844c2ffd3b614ec2b9293e8c7f041d60da upstream. + +Selecting GENERIC_MSI_IRQ_DOMAIN on x86 causes a compile-time error in +some configurations: + +drivers/base/platform-msi.c:37:19: error: field 'arg' has incomplete type + +On the other architectures, we are fine, but here we should have an additional +dependency on X86_LOCAL_APIC so we can get the PCI_MSI_IRQ_DOMAIN symbol. + +Cc: stable@vger.kernel.org +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/fsl-mc/bus/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/fsl-mc/bus/Kconfig ++++ b/drivers/staging/fsl-mc/bus/Kconfig +@@ -8,7 +8,7 @@ + + config FSL_MC_BUS + bool "QorIQ DPAA2 fsl-mc bus driver" +- depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86 || PPC))) ++ depends on OF && (ARCH_LAYERSCAPE || (COMPILE_TEST && (ARM || ARM64 || X86_LOCAL_APIC || PPC))) + select GENERIC_MSI_IRQ_DOMAIN + help + Driver to enable the bus infrastructure for the QorIQ DPAA2 diff --git a/queue-4.15/staging-iio-ad5933-switch-buffer-mode-to-software.patch b/queue-4.15/staging-iio-ad5933-switch-buffer-mode-to-software.patch new file mode 100644 index 00000000000..9e68d4434c2 --- /dev/null +++ b/queue-4.15/staging-iio-ad5933-switch-buffer-mode-to-software.patch 
@@ -0,0 +1,53 @@ +From 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Thu, 25 Jan 2018 14:30:45 +0200 +Subject: staging: iio: ad5933: switch buffer mode to software + +From: Alexandru Ardelean + +commit 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 upstream. + +Since commit 152a6a884ae1 ("staging:iio:accel:sca3000 move +to hybrid hard / soft buffer design.") +the buffer mechanism has changed and the +INDIO_BUFFER_HARDWARE flag has been unused. + +Since commit 2d6ca60f3284 ("iio: Add a DMAengine framework +based buffer") +the INDIO_BUFFER_HARDWARE flag has been re-purposed for +DMA buffers. + +This driver has lagged behind these changes, and +in order for buffers to work, the INDIO_BUFFER_SOFTWARE +needs to be used. + +Signed-off-by: Alexandru Ardelean +Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer") +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/impedance-analyzer/ad5933.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/staging/iio/impedance-analyzer/ad5933.c ++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c +@@ -648,8 +648,6 @@ static int ad5933_register_ring_funcs_an + /* Ring buffer functions - here trigger setup related */ + indio_dev->setup_ops = &ad5933_ring_setup_ops; + +- indio_dev->modes |= INDIO_BUFFER_HARDWARE; +- + return 0; + } + +@@ -762,7 +760,7 @@ static int ad5933_probe(struct i2c_clien + indio_dev->dev.parent = &client->dev; + indio_dev->info = &ad5933_info; + indio_dev->name = id->name; +- indio_dev->modes = INDIO_DIRECT_MODE; ++ indio_dev->modes = (INDIO_BUFFER_SOFTWARE | INDIO_DIRECT_MODE); + indio_dev->channels = ad5933_channels; + indio_dev->num_channels = ARRAY_SIZE(ad5933_channels); + diff --git a/queue-4.15/staging-iio-adc-ad7192-fix-external-frequency-setting.patch b/queue-4.15/staging-iio-adc-ad7192-fix-external-frequency-setting.patch new file mode 100644 index 00000000000..b19f5e2947e 
--- /dev/null
+++ b/queue-4.15/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
@@ -0,0 +1,81 @@ +From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001 +From: Alexandru Ardelean +Date: Mon, 22 Jan 2018 11:53:12 +0200 +Subject: staging: iio: adc: ad7192: fix external frequency setting + +From: Alexandru Ardelean + +commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream. + +The external clock frequency was set only when selecting +the internal clock, which is fixed at 4.9152 Mhz. + +This is incorrect, since it should be set when any of +the external clock or crystal settings is selected. + +Added range validation for the external (crystal/clock) +frequency setting. +Valid values are between 2.4576 and 5.12 Mhz. + +Signed-off-by: Alexandru Ardelean +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/staging/iio/adc/ad7192.c ++++ b/drivers/staging/iio/adc/ad7192.c +@@ -141,6 +141,8 @@ + #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */ + #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */ + ++#define AD7192_EXT_FREQ_MHZ_MIN 2457600 ++#define AD7192_EXT_FREQ_MHZ_MAX 5120000 + #define AD7192_INT_FREQ_MHZ 4915200 + + /* NOTE: +@@ -218,6 +220,12 @@ static int ad7192_calibrate_all(struct a + ARRAY_SIZE(ad7192_calib_arr)); + } + ++static inline bool ad7192_valid_external_frequency(u32 freq) ++{ ++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN && ++ freq <= AD7192_EXT_FREQ_MHZ_MAX); ++} ++ + static int ad7192_setup(struct ad7192_state *st, + const struct ad7192_platform_data *pdata) + { +@@ -243,17 +251,20 @@ static int ad7192_setup(struct ad7192_st + id); + + switch (pdata->clock_source_sel) { +- case AD7192_CLK_EXT_MCLK1_2: +- case AD7192_CLK_EXT_MCLK2: +- st->mclk = AD7192_INT_FREQ_MHZ; +- break; + case AD7192_CLK_INT: + case AD7192_CLK_INT_CO: +- if (pdata->ext_clk_hz) +- st->mclk = pdata->ext_clk_hz; +- else +- st->mclk = AD7192_INT_FREQ_MHZ; ++ st->mclk = AD7192_INT_FREQ_MHZ; 
+ break; ++ case AD7192_CLK_EXT_MCLK1_2: ++ case AD7192_CLK_EXT_MCLK2: ++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) { ++ st->mclk = pdata->ext_clk_hz; ++ break; ++ } ++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n", ++ pdata->ext_clk_hz); ++ ret = -EINVAL; ++ goto out; + default: + ret = -EINVAL; + goto out; diff --git a/queue-4.15/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch b/queue-4.15/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch new file mode 100644 index 00000000000..174c72832e1 --- /dev/null +++ b/queue-4.15/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch 
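Review bot: The new EXT_MCLK arms in ad7192_setup() turn an unset `pdata->ext_clk_hz` (0) into a probe failure: boards that select an external clock source without supplying a frequency previously came up using the 4.9152 MHz internal value and will now fail with -EINVAL from the validity check. That is the correct strict behaviour given the commit message, but it is a user-visible change for a stable backport and deserves a sentence in the description. Two smaller points: `AD7192_EXT_FREQ_MHZ_MIN`/`_MAX` hold Hz values under a `_MHZ` suffix (consistent with the existing `AD7192_INT_FREQ_MHZ`, but a `/* limits in Hz */` comment beside them would stop the next reader converting), and the `ret = -EINVAL; goto out;` after dev_err() duplicates the `default:` arm that immediately follows — either is fine, but a `/* fall through */` to the default would avoid two copies of the same error path. ad7192_setup() continues outside the hunk.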
@@ -0,0 +1,65 @@ +From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Fri, 26 Jan 2018 11:56:50 -0700 +Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket + +From: Shuah Khan + +commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream. + +Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket +is reset to null, reset sockfd to -1 to keep it in sync. + +Signed-off-by: Shuah Khan +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/stub_dev.c | 3 +++ + drivers/usb/usbip/vhci_hcd.c | 2 ++ + 2 files changed, 5 insertions(+) + +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -73,6 +73,7 @@ static ssize_t store_sockfd(struct devic + goto err; + + sdev->ud.tcp_socket = socket; ++ sdev->ud.sockfd = sockfd; + + spin_unlock_irq(&sdev->ud.lock); + +@@ -172,6 +173,7 @@ static void stub_shutdown_connection(str + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket); + ud->tcp_socket = NULL; ++ ud->sockfd = -1; + } + + /* 3. free used data */ +@@ -266,6 +268,7 @@ static struct stub_device *stub_device_a + sdev->ud.status = SDEV_ST_AVAILABLE; + spin_lock_init(&sdev->ud.lock); + sdev->ud.tcp_socket = NULL; ++ sdev->ud.sockfd = -1; + + INIT_LIST_HEAD(&sdev->priv_init); + INIT_LIST_HEAD(&sdev->priv_tx); +--- a/drivers/usb/usbip/vhci_hcd.c ++++ b/drivers/usb/usbip/vhci_hcd.c +@@ -984,6 +984,7 @@ static void vhci_shutdown_connection(str + if (vdev->ud.tcp_socket) { + sockfd_put(vdev->ud.tcp_socket); + vdev->ud.tcp_socket = NULL; ++ vdev->ud.sockfd = -1; + } + pr_info("release socket\n"); + +@@ -1030,6 +1031,7 @@ static void vhci_device_reset(struct usb + if (ud->tcp_socket) { + sockfd_put(ud->tcp_socket); + ud->tcp_socket = NULL; ++ ud->sockfd = -1; + } + ud->status = VDEV_ST_NULL; + 
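Review bot: The `tcp_socket`/`sockfd` pair is now kept in step by hand at five sites, which is how the two drifted apart in the first place; a small static helper that does sockfd_put(), sets `tcp_socket = NULL` and `sockfd = -1` in one place would make the invariant structural rather than a convention, and the same for the assignment pair in store_sockfd(). In store_sockfd() the new `sdev->ud.sockfd = sockfd;` sits inside the spin_lock_irq() region (the unlock is visible two lines below), while in stub_shutdown_connection(), vhci_shutdown_connection() and vhci_device_reset() no lock is visible around the `ud->sockfd = -1` reset — if anything reads `ud->sockfd` under `ud->lock` (a sysfs show, for instance), those writes should take it too; the hunk does not show enough to tell. All four enclosing functions begin and end outside the hunk.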
diff --git a/queue-4.15/xhci-fix-null-pointer-in-xhci-debugfs.patch b/queue-4.15/xhci-fix-null-pointer-in-xhci-debugfs.patch
new file mode 100644
index 00000000000..257d460954f
--- /dev/null
+++ b/queue-4.15/xhci-fix-null-pointer-in-xhci-debugfs.patch
@@ -0,0 +1,78 @@ +From fa2dfd0ec22e0069c84dfae162972cbbc7c75488 Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Mon, 12 Feb 2018 14:24:48 +0200 +Subject: xhci: Fix NULL pointer in xhci debugfs + +From: Zhengjun Xing + +commit fa2dfd0ec22e0069c84dfae162972cbbc7c75488 upstream. + +Commit dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") causes a +null pointer dereference while fixing xhci-debugfs usage of ring pointers +that were freed during hibernate. + +The fix passed addresses to ring pointers instead, but forgot to do this +change for the xhci_ring_trb_show function. + +The address of the ring pointer passed to xhci-debugfs was of a temporary +ring pointer "new_ring" instead of the actual ring "ring" pointer. The +temporary new_ring pointer will be set to NULL later causing the NULL +pointer dereference. + +This issue was seen when reading xhci related files in debugfs: + +cat /sys/kernel/debug/usb/xhci/*/devices/*/ep*/trbs + +[ 184.604861] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 184.613776] IP: xhci_ring_trb_show+0x3a/0x890 +[ 184.618733] PGD 264193067 P4D 264193067 PUD 263238067 PMD 0 +[ 184.625184] Oops: 0000 [#1] SMP +[ 184.726410] RIP: 0010:xhci_ring_trb_show+0x3a/0x890 +[ 184.731944] RSP: 0018:ffffba8243c0fd90 EFLAGS: 00010246 +[ 184.737880] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 00000000000295d6 +[ 184.746020] RDX: 00000000000295d5 RSI: 0000000000000001 RDI: ffff971a6418d400 +[ 184.754121] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +[ 184.762222] R10: ffff971a64c98a80 R11: ffff971a62a00e40 R12: ffff971a62a85500 +[ 184.770325] R13: 0000000000020000 R14: ffff971a6418d400 R15: ffff971a6418d400 +[ 184.778448] FS: 00007fe725a79700(0000) GS:ffff971a6ec00000(0000) knlGS:0000000000000000 +[ 184.787644] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 184.794168] CR2: 0000000000000000 CR3: 000000025f365005 CR4: 00000000003606f0 +[ 184.802318] Call Trace: +[ 184.805094] ? 
seq_read+0x281/0x3b0 +[ 184.809068] seq_read+0xeb/0x3b0 +[ 184.812735] full_proxy_read+0x4d/0x70 +[ 184.817007] __vfs_read+0x23/0x120 +[ 184.820870] vfs_read+0x91/0x130 +[ 184.824538] SyS_read+0x42/0x90 +[ 184.828106] entry_SYSCALL_64_fastpath+0x1a/0x7d + +Fixes: dde634057da7 ("xhci: Fix use-after-free in xhci debugfs") +Cc: # v4.15 +Signed-off-by: Zhengjun Xing +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-debugfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-debugfs.c ++++ b/drivers/usb/host/xhci-debugfs.c +@@ -211,7 +211,7 @@ static void xhci_ring_dump_segment(struc + static int xhci_ring_trb_show(struct seq_file *s, void *unused) + { + int i; +- struct xhci_ring *ring = s->private; ++ struct xhci_ring *ring = *(struct xhci_ring **)s->private; + struct xhci_segment *seg = ring->first_seg; + + for (i = 0; i < ring->num_segs; i++) { +@@ -387,7 +387,7 @@ void xhci_debugfs_create_endpoint(struct + + snprintf(epriv->name, sizeof(epriv->name), "ep%02d", ep_index); + epriv->root = xhci_debugfs_create_ring_dir(xhci, +- &dev->eps[ep_index].new_ring, ++ &dev->eps[ep_index].ring, + epriv->name, + spriv->root); + spriv->eps[ep_index] = epriv; diff --git a/queue-4.15/xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch b/queue-4.15/xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch new file mode 100644 index 00000000000..569a9122614 --- /dev/null +++ b/queue-4.15/xhci-fix-xhci-debugfs-devices-node-disappearance-after-hibernation.patch 
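Review bot: `*(struct xhci_ring **)s->private` in xhci_ring_trb_show() is dereferenced on the very next line (`ring->first_seg`) with no NULL check, so the fix only narrows the crash window: the indirection exists precisely because the ring pointer behind it can be NULL at read time, and `&dev->eps[ep_index].ring` — if it follows the usual xhci pattern of staying NULL until the endpoint is configured — will be NULL for a freshly created endpoint directory. Guard it before the deref: `if (!ring) return 0;` so reading `trbs` on a not-yet-configured endpoint yields an empty file instead of an oops (debugfs is root-only by default, which limits the exposure but not the crash). The segment loop of xhci_ring_trb_show() continues outside the hunk.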
@@ -0,0 +1,39 @@ +From d91676717261578f429d3577dbe9154b26e8abf7 Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Mon, 12 Feb 2018 14:24:49 +0200 +Subject: xhci: Fix xhci debugfs devices node disappearance after hibernation + +From: Zhengjun Xing + +commit d91676717261578f429d3577dbe9154b26e8abf7 upstream. + +During system resume from hibernation, xhci host is reset, all the +nodes in devices folder are removed in xhci_mem_cleanup function. +Later nodes in /sys/kernel/debug/usb/xhci/* are created again in +function xhci_run, but the nodes already exist, so the nodes still +keep the old ones, finally device nodes in xhci debugfs folder +/sys/kernel/debug/usb/xhci/*/devices/* are disappeared. + +This fix removed xhci debugfs nodes before the nodes are re-created, +so all the nodes in xhci debugfs can be re-created successfully. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Cc: # v4.15 +Signed-off-by: Zhengjun Xing +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1018,6 +1018,7 @@ int xhci_resume(struct xhci_hcd *xhci, b + + xhci_dbg(xhci, "cleaning up memory\n"); + xhci_mem_cleanup(xhci); ++ xhci_debugfs_exit(xhci); + xhci_dbg(xhci, "xhci_stop completed - status = %x\n", + readl(&xhci->op_regs->status)); + diff --git a/queue-4.15/xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch b/queue-4.15/xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch new file mode 100644 index 00000000000..558d17f4ebe --- /dev/null +++ b/queue-4.15/xhci-fix-xhci-debugfs-errors-in-xhci_stop.patch 
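Review bot: The added `xhci_debugfs_exit(xhci);` after xhci_mem_cleanup() in xhci_resume() relies on an ordering rule that is stated only in a sibling patch on this page (xhci_mem_cleanup() removes the per-slot debugfs directories through xhci_free_virt_devices_depth_first(), so the root must be removed after it); nothing at this call site says so, and the next reshuffle can silently reverse it. A one-line comment fixes that: `/* after xhci_mem_cleanup(): slot dirs are already gone, now drop the root */`. The "xhci_stop completed" debug message that follows is pre-existing and misleading in a resume path, but is not this patch's problem. xhci_resume() begins and ends outside the hunk.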
@@ -0,0 +1,49 @@ +From 11cd764dc9a030991880ad4d51db93918afa5822 Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Mon, 12 Feb 2018 14:24:51 +0200 +Subject: xhci: fix xhci debugfs errors in xhci_stop + +From: Zhengjun Xing + +commit 11cd764dc9a030991880ad4d51db93918afa5822 upstream. + +In function xhci_stop, xhci_debugfs_exit called before xhci_mem_cleanup. +xhci_debugfs_exit removed the xhci debugfs root nodes, xhci_mem_cleanup +called function xhci_free_virt_devices_depth_first which in turn called +function xhci_debugfs_remove_slot. +Function xhci_debugfs_remove_slot removed the nodes for devices, the nodes +folders are sub folder of xhci debugfs. + +It is unreasonable to remove xhci debugfs root folder before +xhci debugfs sub folder. Function xhci_mem_cleanup should be called +before function xhci_debugfs_exit. + +Fixes: 02b6fdc2a153 ("usb: xhci: Add debugfs interface for xHCI driver") +Cc: # v4.15 +Signed-off-by: Zhengjun Xing +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -652,8 +652,6 @@ static void xhci_stop(struct usb_hcd *hc + return; + } + +- xhci_debugfs_exit(xhci); +- + spin_lock_irq(&xhci->lock); + xhci->xhc_state |= XHCI_STATE_HALTED; + xhci->cmd_ring_state = CMD_RING_STATE_STOPPED; +@@ -685,6 +683,7 @@ static void xhci_stop(struct usb_hcd *hc + + xhci_dbg_trace(xhci, trace_xhci_dbg_init, "cleaning up memory"); + xhci_mem_cleanup(xhci); ++ xhci_debugfs_exit(xhci); + xhci_dbg_trace(xhci, trace_xhci_dbg_init, + "xhci_stop completed - status = %x", + readl(&xhci->op_regs->status)); diff --git a/queue-4.15/xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch b/queue-4.15/xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch new file mode 100644 index 00000000000..714d3d776b7 --- /dev/null 
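Review bot: Moving `xhci_debugfs_exit(xhci);` below xhci_mem_cleanup() in xhci_stop() fixes the root-before-children removal the message describes, but the dependency is recorded nowhere in the code, and the identical sequence is being added to xhci_resume() by another patch on this page, so the two sites will have to stay in step by memory; add `/* must follow xhci_mem_cleanup(), which removes the per-slot debugfs dirs */` above the moved call. The early `return;` visible at the top of the hunk leaves xhci_stop() before any teardown; whether that path needs debugfs handling cannot be judged from what is shown. xhci_stop() begins outside the hunk.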
+++ b/queue-4.15/xhci-xhci-debugfs-device-nodes-weren-t-removed-after-device-plugged-out.patch @@ -0,0 +1,40 @@ +From 8c5a93ebf7ac56d47f879b3c7c2f8c83b40c2cdb Mon Sep 17 00:00:00 2001 +From: Zhengjun Xing +Date: Mon, 12 Feb 2018 14:24:50 +0200 +Subject: xhci: xhci debugfs device nodes weren't removed after device plugged out + +From: Zhengjun Xing + +commit 8c5a93ebf7ac56d47f879b3c7c2f8c83b40c2cdb upstream. + +There is a bug after plugged out USB device, the device and its ep00 +nodes are still kept, we need to remove the nodes in xhci_free_dev when +USB device is plugged out. + +Fixes: 052f71e25a7e ("xhci: Fix xhci debugfs NULL pointer dereference in resume from hibernate") +Cc: # v4.15 +Signed-off-by: Zhengjun Xing +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -3552,12 +3552,10 @@ static void xhci_free_dev(struct usb_hcd + virt_dev->eps[i].ep_state &= ~EP_STOP_CMD_PENDING; + del_timer_sync(&virt_dev->eps[i].stop_cmd_timer); + } +- ++ xhci_debugfs_remove_slot(xhci, udev->slot_id); + ret = xhci_disable_slot(xhci, udev->slot_id); +- if (ret) { +- xhci_debugfs_remove_slot(xhci, udev->slot_id); ++ if (ret) + xhci_free_virt_device(xhci, udev->slot_id); +- } + } + + int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id)
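Review bot: `xhci_debugfs_remove_slot(xhci, udev->slot_id)` now runs unconditionally before xhci_disable_slot() in xhci_free_dev(), and on the success path xhci_free_virt_device() is presumably still reached later from the disable-slot command completion; the sibling xhci_stop patch on this page says xhci_free_virt_devices_depth_first() also ends in xhci_debugfs_remove_slot(), so if xhci_free_virt_device() removes the slot directory as well, the same slot is now removed twice. That is harmless only if xhci_debugfs_remove_slot() is idempotent — clears the per-slot debugfs pointer after debugfs_remove() so the second call is a NULL no-op — which should be confirmed and recorded at the new call with `/* idempotent: also reached via xhci_free_virt_device() */`. Dropping the blank line between the endpoint loop and the new call reads as accidental; restore it. xhci_free_dev() begins outside the hunk.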