--- /dev/null
+From a9e840a2081ed28c2b7caa6a9a0041c950b3c37d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 19 Apr 2017 09:59:22 -0700
+Subject: cx82310_eth: use skb_cow_head() to deal with cloned skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit a9e840a2081ed28c2b7caa6a9a0041c950b3c37d upstream.
+
+We need to ensure there is enough headroom to push extra header,
+but we also need to check if we are allowed to change headers.
+
+skb_cow_head() is the proper helper to deal with this.
+
+Fixes: cc28a20e77b2 ("introduce cx82310_eth: Conexant CX82310-based ADSL router USB ethernet driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Hughes <james.hughes@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/cx82310_eth.c | 7 ++-----
+ 1 file changed, 2 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/usb/cx82310_eth.c
++++ b/drivers/net/usb/cx82310_eth.c
+@@ -293,12 +293,9 @@ static struct sk_buff *cx82310_tx_fixup(
+ {
+ int len = skb->len;
+
+- if (skb_headroom(skb) < 2) {
+- struct sk_buff *skb2 = skb_copy_expand(skb, 2, 0, flags);
++ if (skb_cow_head(skb, 2)) {
+ dev_kfree_skb_any(skb);
+- skb = skb2;
+- if (!skb)
+- return NULL;
++ return NULL;
+ }
+ skb_push(skb, 2);
+
--- /dev/null
+From 1ab87298cb59b649d8d648d25dc15b36ab865f5a Mon Sep 17 00:00:00 2001
+From: Jiri Slaby <jslaby@suse.cz>
+Date: Fri, 27 Nov 2015 16:50:43 +0100
+Subject: hwrng: core - sleep interruptible in read
+
+From: Jiri Slaby <jslaby@suse.cz>
+
+commit 1ab87298cb59b649d8d648d25dc15b36ab865f5a upstream.
+
+hwrng kthread can be waiting via hwrng_fillfn for some data from a rng
+like virtio-rng:
+hwrng D ffff880093e17798 0 382 2 0x00000000
+...
+Call Trace:
+ [<ffffffff817339c6>] wait_for_completion_killable+0x96/0x210
+ [<ffffffffa00aa1b7>] virtio_read+0x57/0xf0 [virtio_rng]
+ [<ffffffff814f4a35>] hwrng_fillfn+0x75/0x130
+ [<ffffffff810aa243>] kthread+0xf3/0x110
+
+And when some user program tries to read the /dev node in this state,
+we get:
+rngd D ffff880093e17798 0 762 1 0x00000004
+...
+Call Trace:
+ [<ffffffff817351ac>] mutex_lock_nested+0x15c/0x3e0
+ [<ffffffff814f478e>] rng_dev_read+0x6e/0x240
+ [<ffffffff81231958>] __vfs_read+0x28/0xe0
+ [<ffffffff81232393>] vfs_read+0x83/0x130
+
+And this is indeed unkillable. So use mutex_lock_interruptible
+instead of mutex_lock in rng_dev_read and exit immediatelly when
+interrupted. And possibly return already read data, if any (as POSIX
+allows).
+
+v2: use ERESTARTSYS instead of EINTR
+
+Signed-off-by: Jiri Slaby <jslaby@suse.cz>
+Cc: Matt Mackall <mpm@selenic.com>
+Cc: Herbert Xu <herbert@gondor.apana.org.au>
+Cc: <linux-crypto@vger.kernel.org>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/hw_random/core.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/hw_random/core.c
++++ b/drivers/char/hw_random/core.c
+@@ -238,7 +238,10 @@ static ssize_t rng_dev_read(struct file
+ goto out;
+ }
+
+- mutex_lock(&reading_mutex);
++ if (mutex_lock_interruptible(&reading_mutex)) {
++ err = -ERESTARTSYS;
++ goto out_put;
++ }
+ if (!data_avail) {
+ bytes_read = rng_get_data(rng, rng_buffer,
+ rng_buffer_size(),
+@@ -288,6 +291,7 @@ out:
+
+ out_unlock_reading:
+ mutex_unlock(&reading_mutex);
++out_put:
+ put_rng(rng);
+ goto out;
+ }
--- /dev/null
+From d4ca73591916b760478d2b04334d5dcadc028e9c Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 19 Apr 2017 09:59:24 -0700
+Subject: lan78xx: use skb_cow_head() to deal with cloned skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d4ca73591916b760478d2b04334d5dcadc028e9c upstream.
+
+We need to ensure there is enough headroom to push extra header,
+but we also need to check if we are allowed to change headers.
+
+skb_cow_head() is the proper helper to deal with this.
+
+Fixes: 55d7de9de6c3 ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Hughes <james.hughes@raspberrypi.org>
+Cc: Woojung Huh <woojung.huh@microchip.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/lan78xx.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/usb/lan78xx.c
++++ b/drivers/net/usb/lan78xx.c
+@@ -2050,14 +2050,9 @@ static struct sk_buff *lan78xx_tx_prep(s
+ {
+ u32 tx_cmd_a, tx_cmd_b;
+
+- if (skb_headroom(skb) < TX_OVERHEAD) {
+- struct sk_buff *skb2;
+-
+- skb2 = skb_copy_expand(skb, TX_OVERHEAD, 0, flags);
++ if (skb_cow_head(skb, TX_OVERHEAD)) {
+ dev_kfree_skb_any(skb);
+- skb = skb2;
+- if (!skb)
+- return NULL;
++ return NULL;
+ }
+
+ if (lan78xx_linearize(skb) < 0)
--- /dev/null
+From cda9fb01dc3cafd718b2865b447e869bf6624ddd Mon Sep 17 00:00:00 2001
+From: hayeswang <hayeswang@realtek.com>
+Date: Thu, 7 Jan 2016 17:51:12 +0800
+Subject: r8152: adjust ALDPS function
+
+From: hayeswang <hayeswang@realtek.com>
+
+commit cda9fb01dc3cafd718b2865b447e869bf6624ddd upstream.
+
+Replace disable_aldps() and enable_aldps() with aldps_en().
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/r8152.c | 72 ++++++++++++++++++++++--------------------------
+ 1 file changed, 34 insertions(+), 38 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -2461,23 +2461,23 @@ static void r8153_teredo_off(struct r815
+ ocp_write_dword(tp, MCU_TYPE_PLA, PLA_TEREDO_TIMER, 0);
+ }
+
+-static void r8152b_disable_aldps(struct r8152 *tp)
++static void r8152_aldps_en(struct r8152 *tp, bool enable)
+ {
+- ocp_reg_write(tp, OCP_ALDPS_CONFIG, ENPDNPS | LINKENA | DIS_SDSAVE);
+- msleep(20);
+-}
+-
+-static inline void r8152b_enable_aldps(struct r8152 *tp)
+-{
+- ocp_reg_write(tp, OCP_ALDPS_CONFIG, ENPWRSAVE | ENPDNPS |
+- LINKENA | DIS_SDSAVE);
++ if (enable) {
++ ocp_reg_write(tp, OCP_ALDPS_CONFIG, ENPWRSAVE | ENPDNPS |
++ LINKENA | DIS_SDSAVE);
++ } else {
++ ocp_reg_write(tp, OCP_ALDPS_CONFIG, ENPDNPS | LINKENA |
++ DIS_SDSAVE);
++ msleep(20);
++ }
+ }
+
+ static void rtl8152_disable(struct r8152 *tp)
+ {
+- r8152b_disable_aldps(tp);
++ r8152_aldps_en(tp, false);
+ rtl_disable(tp);
+- r8152b_enable_aldps(tp);
++ r8152_aldps_en(tp, true);
+ }
+
+ static void r8152b_hw_phy_cfg(struct r8152 *tp)
+@@ -2789,30 +2789,26 @@ static void r8153_enter_oob(struct r8152
+ ocp_write_dword(tp, MCU_TYPE_PLA, PLA_RCR, ocp_data);
+ }
+
+-static void r8153_disable_aldps(struct r8152 *tp)
++static void r8153_aldps_en(struct r8152 *tp, bool enable)
+ {
+ u16 data;
+
+ data = ocp_reg_read(tp, OCP_POWER_CFG);
+- data &= ~EN_ALDPS;
+- ocp_reg_write(tp, OCP_POWER_CFG, data);
+- msleep(20);
+-}
+-
+-static void r8153_enable_aldps(struct r8152 *tp)
+-{
+- u16 data;
+-
+- data = ocp_reg_read(tp, OCP_POWER_CFG);
+- data |= EN_ALDPS;
+- ocp_reg_write(tp, OCP_POWER_CFG, data);
++ if (enable) {
++ data |= EN_ALDPS;
++ ocp_reg_write(tp, OCP_POWER_CFG, data);
++ } else {
++ data &= ~EN_ALDPS;
++ ocp_reg_write(tp, OCP_POWER_CFG, data);
++ msleep(20);
++ }
+ }
+
+ static void rtl8153_disable(struct r8152 *tp)
+ {
+- r8153_disable_aldps(tp);
++ r8153_aldps_en(tp, false);
+ rtl_disable(tp);
+- r8153_enable_aldps(tp);
++ r8153_aldps_en(tp, true);
+ usb_enable_lpm(tp->udev);
+ }
+
+@@ -2909,9 +2905,9 @@ static void rtl8152_up(struct r8152 *tp)
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+- r8152b_disable_aldps(tp);
++ r8152_aldps_en(tp, false);
+ r8152b_exit_oob(tp);
+- r8152b_enable_aldps(tp);
++ r8152_aldps_en(tp, true);
+ }
+
+ static void rtl8152_down(struct r8152 *tp)
+@@ -2922,9 +2918,9 @@ static void rtl8152_down(struct r8152 *t
+ }
+
+ r8152_power_cut_en(tp, false);
+- r8152b_disable_aldps(tp);
++ r8152_aldps_en(tp, false);
+ r8152b_enter_oob(tp);
+- r8152b_enable_aldps(tp);
++ r8152_aldps_en(tp, true);
+ }
+
+ static void rtl8153_up(struct r8152 *tp)
+@@ -2933,9 +2929,9 @@ static void rtl8153_up(struct r8152 *tp)
+ return;
+
+ r8153_u1u2en(tp, false);
+- r8153_disable_aldps(tp);
++ r8153_aldps_en(tp, false);
+ r8153_first_init(tp);
+- r8153_enable_aldps(tp);
++ r8153_aldps_en(tp, true);
+ r8153_u2p3en(tp, true);
+ r8153_u1u2en(tp, true);
+ usb_enable_lpm(tp->udev);
+@@ -2951,9 +2947,9 @@ static void rtl8153_down(struct r8152 *t
+ r8153_u1u2en(tp, false);
+ r8153_u2p3en(tp, false);
+ r8153_power_cut_en(tp, false);
+- r8153_disable_aldps(tp);
++ r8153_aldps_en(tp, false);
+ r8153_enter_oob(tp);
+- r8153_enable_aldps(tp);
++ r8153_aldps_en(tp, true);
+ }
+
+ static bool rtl8152_in_nway(struct r8152 *tp)
+@@ -3280,7 +3276,7 @@ static void r8152b_init(struct r8152 *tp
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+- r8152b_disable_aldps(tp);
++ r8152_aldps_en(tp, false);
+
+ if (tp->version == RTL_VER_01) {
+ ocp_data = ocp_read_word(tp, MCU_TYPE_PLA, PLA_LED_FEATURE);
+@@ -3302,7 +3298,7 @@ static void r8152b_init(struct r8152 *tp
+ ocp_write_word(tp, MCU_TYPE_PLA, PLA_GPHY_INTR_IMR, ocp_data);
+
+ r8152b_enable_eee(tp);
+- r8152b_enable_aldps(tp);
++ r8152_aldps_en(tp, true);
+ r8152b_enable_fc(tp);
+ rtl_tally_reset(tp);
+
+@@ -3320,7 +3316,7 @@ static void r8153_init(struct r8152 *tp)
+ if (test_bit(RTL8152_UNPLUG, &tp->flags))
+ return;
+
+- r8153_disable_aldps(tp);
++ r8153_aldps_en(tp, false);
+ r8153_u1u2en(tp, false);
+
+ for (i = 0; i < 500; i++) {
+@@ -3409,7 +3405,7 @@ static void r8153_init(struct r8152 *tp)
+ EEE_SPDWN_EN);
+
+ r8153_enable_eee(tp);
+- r8153_enable_aldps(tp);
++ r8153_aldps_en(tp, true);
+ r8152b_enable_fc(tp);
+ rtl_tally_reset(tp);
+ r8153_u2p3en(tp, true);
--- /dev/null
+From 5ee3c60c8d3b88cab6496c9b7d49a01576dd9cf9 Mon Sep 17 00:00:00 2001
+From: hayeswang <hayeswang@realtek.com>
+Date: Thu, 7 Jan 2016 17:12:17 +0800
+Subject: r8152: fix the wake event
+
+From: hayeswang <hayeswang@realtek.com>
+
+commit 5ee3c60c8d3b88cab6496c9b7d49a01576dd9cf9 upstream.
+
+When the autosuspend is enabled and occurs before system suspend, we should
+wake the device before running system syspend. Then, we could change the wake
+event for system suspend. Otherwise, the device would resume the system when
+receiving any packet.
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/r8152.c | 40 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 39 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -25,12 +25,13 @@
+ #include <uapi/linux/mdio.h>
+ #include <linux/mdio.h>
+ #include <linux/usb/cdc.h>
++#include <linux/suspend.h>
+
+ /* Information for net-next */
+ #define NETNEXT_VERSION "08"
+
+ /* Information for net */
+-#define NET_VERSION "2"
++#define NET_VERSION "3"
+
+ #define DRIVER_VERSION "v1." NETNEXT_VERSION "." NET_VERSION
+ #define DRIVER_AUTHOR "Realtek linux nic maintainers <nic_swsd@realtek.com>"
+@@ -604,6 +605,9 @@ struct r8152 {
+ struct delayed_work schedule;
+ struct mii_if_info mii;
+ struct mutex control; /* use for hw setting */
++#ifdef CONFIG_PM_SLEEP
++ struct notifier_block pm_notifier;
++#endif
+
+ struct rtl_ops {
+ void (*init)(struct r8152 *);
+@@ -3060,6 +3064,33 @@ out1:
+ usb_autopm_put_interface(tp->intf);
+ }
+
++#ifdef CONFIG_PM_SLEEP
++static int rtl_notifier(struct notifier_block *nb, unsigned long action,
++ void *data)
++{
++ struct r8152 *tp = container_of(nb, struct r8152, pm_notifier);
++
++ switch (action) {
++ case PM_HIBERNATION_PREPARE:
++ case PM_SUSPEND_PREPARE:
++ usb_autopm_get_interface(tp->intf);
++ break;
++
++ case PM_POST_HIBERNATION:
++ case PM_POST_SUSPEND:
++ usb_autopm_put_interface(tp->intf);
++ break;
++
++ case PM_POST_RESTORE:
++ case PM_RESTORE_PREPARE:
++ default:
++ break;
++ }
++
++ return NOTIFY_DONE;
++}
++#endif
++
+ static int rtl8152_open(struct net_device *netdev)
+ {
+ struct r8152 *tp = netdev_priv(netdev);
+@@ -3102,6 +3133,10 @@ static int rtl8152_open(struct net_devic
+ mutex_unlock(&tp->control);
+
+ usb_autopm_put_interface(tp->intf);
++#ifdef CONFIG_PM_SLEEP
++ tp->pm_notifier.notifier_call = rtl_notifier;
++ register_pm_notifier(&tp->pm_notifier);
++#endif
+
+ out:
+ return res;
+@@ -3112,6 +3147,9 @@ static int rtl8152_close(struct net_devi
+ struct r8152 *tp = netdev_priv(netdev);
+ int res = 0;
+
++#ifdef CONFIG_PM_SLEEP
++ unregister_pm_notifier(&tp->pm_notifier);
++#endif
+ napi_disable(&tp->napi);
+ clear_bit(WORK_ENABLE, &tp->flags);
+ usb_kill_urb(tp->intr_urb);
--- /dev/null
+From 216a8349d3a0dd1bc2afbcc821e374c8f929bd62 Mon Sep 17 00:00:00 2001
+From: hayeswang <hayeswang@realtek.com>
+Date: Thu, 7 Jan 2016 17:51:11 +0800
+Subject: r8152: use test_and_clear_bit
+
+From: hayeswang <hayeswang@realtek.com>
+
+commit 216a8349d3a0dd1bc2afbcc821e374c8f929bd62 upstream.
+
+Replace test_bit() followed by clear_bit() with test_and_clear_bit().
+
+Signed-off-by: Hayes Wang <hayeswang@realtek.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/r8152.c | 20 ++++++--------------
+ 1 file changed, 6 insertions(+), 14 deletions(-)
+
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1947,7 +1947,6 @@ static void _rtl8152_set_rx_mode(struct
+ __le32 tmp[2];
+ u32 ocp_data;
+
+- clear_bit(RTL8152_SET_RX_MODE, &tp->flags);
+ netif_stop_queue(netdev);
+ ocp_data = ocp_read_dword(tp, MCU_TYPE_PLA, PLA_RCR);
+ ocp_data &= ~RCR_ACPT_ALL;
+@@ -2433,8 +2432,6 @@ static void rtl_phy_reset(struct r8152 *
+ u16 data;
+ int i;
+
+- clear_bit(PHY_RESET, &tp->flags);
+-
+ data = r8152_mdio_read(tp, MII_BMCR);
+
+ /* don't reset again before the previous one complete */
+@@ -2893,10 +2890,9 @@ static int rtl8152_set_speed(struct r815
+ r8152_mdio_write(tp, MII_ADVERTISE, anar);
+ r8152_mdio_write(tp, MII_BMCR, bmcr);
+
+- if (test_bit(PHY_RESET, &tp->flags)) {
++ if (test_and_clear_bit(PHY_RESET, &tp->flags)) {
+ int i;
+
+- clear_bit(PHY_RESET, &tp->flags);
+ for (i = 0; i < 50; i++) {
+ msleep(20);
+ if ((r8152_mdio_read(tp, MII_BMCR) & BMCR_RESET) == 0)
+@@ -2905,7 +2901,6 @@ static int rtl8152_set_speed(struct r815
+ }
+
+ out:
+-
+ return ret;
+ }
+
+@@ -2992,7 +2987,6 @@ static void set_carrier(struct r8152 *tp
+ struct net_device *netdev = tp->netdev;
+ u8 speed;
+
+- clear_bit(RTL8152_LINK_CHG, &tp->flags);
+ speed = rtl8152_get_speed(tp);
+
+ if (speed & LINK_STATUS) {
+@@ -3042,20 +3036,18 @@ static void rtl_work_func_t(struct work_
+ goto out1;
+ }
+
+- if (test_bit(RTL8152_LINK_CHG, &tp->flags))
++ if (test_and_clear_bit(RTL8152_LINK_CHG, &tp->flags))
+ set_carrier(tp);
+
+- if (test_bit(RTL8152_SET_RX_MODE, &tp->flags))
++ if (test_and_clear_bit(RTL8152_SET_RX_MODE, &tp->flags))
+ _rtl8152_set_rx_mode(tp->netdev);
+
+ /* don't schedule napi before linking */
+- if (test_bit(SCHEDULE_NAPI, &tp->flags) &&
+- netif_carrier_ok(tp->netdev)) {
+- clear_bit(SCHEDULE_NAPI, &tp->flags);
++ if (test_and_clear_bit(SCHEDULE_NAPI, &tp->flags) &&
++ netif_carrier_ok(tp->netdev))
+ napi_schedule(&tp->napi);
+- }
+
+- if (test_bit(PHY_RESET, &tp->flags))
++ if (test_and_clear_bit(PHY_RESET, &tp->flags))
+ rtl_phy_reset(tp);
+
+ mutex_unlock(&tp->control);
locks-don-t-check-for-race-with-close-when-setting-ofd-lock.patch
futex-replace-barrier-in-unqueue_me-with-read_once.patch
locking-mutex-allow-next-waiter-lockless-wakeup.patch
+usbvision-fix-overflow-of-interfaces-array.patch
+usb-musb-ux500-fix-null-pointer-dereference-at-system-pm.patch
+r8152-fix-the-wake-event.patch
+r8152-use-test_and_clear_bit.patch
+r8152-adjust-aldps-function.patch
+lan78xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
+sr9700-use-skb_cow_head-to-deal-with-cloned-skbs.patch
+smsc75xx-use-skb_cow_head-to-deal-with-cloned-skbs.patch
+cx82310_eth-use-skb_cow_head-to-deal-with-cloned-skbs.patch
+x86-mm-pat-dev-mem-remove-superfluous-error-message.patch
+hwrng-core-sleep-interruptible-in-read.patch
+sysrq-fix-warning-in-sysrq-generated-crash.patch
--- /dev/null
+From b7c6d2675899cfff0180412c63fc9cbd5bacdb4d Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 19 Apr 2017 09:59:21 -0700
+Subject: smsc75xx: use skb_cow_head() to deal with cloned skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit b7c6d2675899cfff0180412c63fc9cbd5bacdb4d upstream.
+
+We need to ensure there is enough headroom to push extra header,
+but we also need to check if we are allowed to change headers.
+
+skb_cow_head() is the proper helper to deal with this.
+
+Fixes: d0cad871703b ("smsc75xx: SMSC LAN75xx USB gigabit ethernet adapter driver")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Hughes <james.hughes@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/smsc75xx.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/net/usb/smsc75xx.c
++++ b/drivers/net/usb/smsc75xx.c
+@@ -2193,13 +2193,9 @@ static struct sk_buff *smsc75xx_tx_fixup
+ {
+ u32 tx_cmd_a, tx_cmd_b;
+
+- if (skb_headroom(skb) < SMSC75XX_TX_OVERHEAD) {
+- struct sk_buff *skb2 =
+- skb_copy_expand(skb, SMSC75XX_TX_OVERHEAD, 0, flags);
++ if (skb_cow_head(skb, SMSC75XX_TX_OVERHEAD)) {
+ dev_kfree_skb_any(skb);
+- skb = skb2;
+- if (!skb)
+- return NULL;
++ return NULL;
+ }
+
+ tx_cmd_a = (u32)(skb->len & TX_CMD_A_LEN) | TX_CMD_A_FCS;
--- /dev/null
+From d532c1082f68176363ed766d09bf187616e282fe Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Wed, 19 Apr 2017 09:59:23 -0700
+Subject: sr9700: use skb_cow_head() to deal with cloned skbs
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit d532c1082f68176363ed766d09bf187616e282fe upstream.
+
+We need to ensure there is enough headroom to push extra header,
+but we also need to check if we are allowed to change headers.
+
+skb_cow_head() is the proper helper to deal with this.
+
+Fixes: c9b37458e956 ("USB2NET : SR9700 : One chip USB 1.1 USB2NET SR9700Device Driver Support")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: James Hughes <james.hughes@raspberrypi.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/usb/sr9700.c | 9 ++-------
+ 1 file changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/net/usb/sr9700.c
++++ b/drivers/net/usb/sr9700.c
+@@ -456,14 +456,9 @@ static struct sk_buff *sr9700_tx_fixup(s
+
+ len = skb->len;
+
+- if (skb_headroom(skb) < SR_TX_OVERHEAD) {
+- struct sk_buff *skb2;
+-
+- skb2 = skb_copy_expand(skb, SR_TX_OVERHEAD, 0, flags);
++ if (skb_cow_head(skb, SR_TX_OVERHEAD)) {
+ dev_kfree_skb_any(skb);
+- skb = skb2;
+- if (!skb)
+- return NULL;
++ return NULL;
+ }
+
+ __skb_push(skb, SR_TX_OVERHEAD);
--- /dev/null
+From 984cf355aeaa8f2eda3861b50d0e8d3e3f77e83b Mon Sep 17 00:00:00 2001
+From: Ani Sinha <ani@arista.com>
+Date: Thu, 17 Dec 2015 17:15:10 -0800
+Subject: sysrq: Fix warning in sysrq generated crash.
+
+From: Ani Sinha <ani@arista.com>
+
+commit 984cf355aeaa8f2eda3861b50d0e8d3e3f77e83b upstream.
+
+Commit 984d74a72076a1 ("sysrq: rcu-ify __handle_sysrq") replaced
+spin_lock_irqsave() calls with rcu_read_lock() calls in sysrq. Since
+rcu_read_lock() does not disable preemption, faulthandler_disabled() in
+__do_page_fault() in x86/fault.c returns false. When the code later calls
+might_sleep() in the pagefault handler, we get the following warning:
+
+BUG: sleeping function called from invalid context at ../arch/x86/mm/fault.c:1187
+in_atomic(): 0, irqs_disabled(): 0, pid: 4706, name: bash
+Preemption disabled at:[<ffffffff81484339>] printk+0x48/0x4a
+
+To fix this, we release the RCU read lock before we crash.
+
+Tested this patch on linux 3.18 by booting off one of our boards.
+
+Fixes: 984d74a72076a1 ("sysrq: rcu-ify __handle_sysrq")
+
+Signed-off-by: Ani Sinha <ani@arista.com>
+Reviewed-by: Rik van Riel <riel@redhat.com>
+Signed-off-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
+Signed-off-by: Davidlohr Bueso <dbueso@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/sysrq.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/tty/sysrq.c
++++ b/drivers/tty/sysrq.c
+@@ -133,6 +133,12 @@ static void sysrq_handle_crash(int key)
+ {
+ char *killer = NULL;
+
++ /* we need to release the RCU read lock here,
++ * otherwise we get an annoying
++ * 'BUG: sleeping function called from invalid context'
++ * complaint from the kernel before the panic.
++ */
++ rcu_read_unlock();
+ panic_on_oops = 1; /* force panic */
+ wmb();
+ *killer = 1;
--- /dev/null
+From 79c5623f1cb85f33403eb9f1e45124e9f56181f8 Mon Sep 17 00:00:00 2001
+From: Ulf Hansson <ulf.hansson@linaro.org>
+Date: Mon, 25 Jan 2016 13:01:29 +0100
+Subject: usb: musb: ux500: Fix NULL pointer dereference at system PM
+
+From: Ulf Hansson <ulf.hansson@linaro.org>
+
+commit 79c5623f1cb85f33403eb9f1e45124e9f56181f8 upstream.
+
+The commit 7d32cdef5356 ("usb: musb: fail with error when no DMA
+controller set"), caused the core platform driver to correctly return an
+error code when fail probing.
+
+Unfurtante it also caused bug for a NULL pointer dereference, during
+system suspend for the ux500 driver. The reason is a lacking validation
+of the corresponding ->driver_data pointer, which won't be set when the
+musb core driver fails to probe (or haven't yet been probed).
+
+Fixes: 7d32cdef5356 ("usb: musb: fail with error when no DMA...")
+Acked-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/ux500.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/musb/ux500.c
++++ b/drivers/usb/musb/ux500.c
+@@ -348,7 +348,9 @@ static int ux500_suspend(struct device *
+ struct ux500_glue *glue = dev_get_drvdata(dev);
+ struct musb *musb = glue_to_musb(glue);
+
+- usb_phy_set_suspend(musb->xceiv, 1);
++ if (musb)
++ usb_phy_set_suspend(musb->xceiv, 1);
++
+ clk_disable_unprepare(glue->clk);
+
+ return 0;
+@@ -366,7 +368,8 @@ static int ux500_resume(struct device *d
+ return ret;
+ }
+
+- usb_phy_set_suspend(musb->xceiv, 0);
++ if (musb)
++ usb_phy_set_suspend(musb->xceiv, 0);
+
+ return 0;
+ }
--- /dev/null
+From 588afcc1c0e45358159090d95bf7b246fb67565f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 27 Oct 2015 09:51:34 -0200
+Subject: [media] usbvision fix overflow of interfaces array
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 588afcc1c0e45358159090d95bf7b246fb67565f upstream.
+
+This fixes the crash reported in:
+http://seclists.org/bugtraq/2015/Oct/35
+The interface number needs a sanity check.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1461,6 +1461,13 @@ static int usbvision_probe(struct usb_in
+ printk(KERN_INFO "%s: %s found\n", __func__,
+ usbvision_device_data[model].model_string);
+
++ /*
++ * this is a security check.
++ * an exploit using an incorrect bInterfaceNumber is known
++ */
++ if (ifnum >= USB_MAXINTERFACES || !dev->actconfig->interface[ifnum])
++ return -ENODEV;
++
+ if (usbvision_device_data[model].interface >= 0)
+ interface = &dev->actconfig->interface[usbvision_device_data[model].interface]->altsetting[0];
+ else if (ifnum < dev->actconfig->desc.bNumInterfaces)
--- /dev/null
+From 39380b80d72723282f0ea1d1bbf2294eae45013e Mon Sep 17 00:00:00 2001
+From: Jiri Kosina <jkosina@suse.cz>
+Date: Fri, 8 Jul 2016 11:38:28 +0200
+Subject: x86/mm/pat, /dev/mem: Remove superfluous error message
+
+From: Jiri Kosina <jkosina@suse.cz>
+
+commit 39380b80d72723282f0ea1d1bbf2294eae45013e upstream.
+
+Currently it's possible for broken (or malicious) userspace to flood a
+kernel log indefinitely with messages a-la
+
+ Program dmidecode tried to access /dev/mem between f0000->100000
+
+because range_is_allowed() is case of CONFIG_STRICT_DEVMEM being turned on
+dumps this information each and every time devmem_is_allowed() fails.
+
+Reportedly userspace that is able to trigger contignuous flow of these
+messages exists.
+
+It would be possible to rate limit this message, but that'd have a
+questionable value; the administrator wouldn't get information about all
+the failing accessess, so then the information would be both superfluous
+and incomplete at the same time :)
+
+Returning EPERM (which is what is actually happening) is enough indication
+for userspace what has happened; no need to log this particular error as
+some sort of special condition.
+
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Cc: Andrew Morton <akpm@linux-foundation.org>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Borislav Petkov <bp@alien8.de>
+Cc: Brian Gerst <brgerst@gmail.com>
+Cc: Denys Vlasenko <dvlasenk@redhat.com>
+Cc: H. Peter Anvin <hpa@zytor.com>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Luis R. Rodriguez <mcgrof@suse.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Toshi Kani <toshi.kani@hp.com>
+Link: http://lkml.kernel.org/r/alpine.LNX.2.00.1607081137020.24757@cbobk.fhfr.pm
+Signed-off-by: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/mm/pat.c | 5 +----
+ drivers/char/mem.c | 6 +-----
+ 2 files changed, 2 insertions(+), 9 deletions(-)
+
+--- a/arch/x86/mm/pat.c
++++ b/arch/x86/mm/pat.c
+@@ -750,11 +750,8 @@ static inline int range_is_allowed(unsig
+ return 1;
+
+ while (cursor < to) {
+- if (!devmem_is_allowed(pfn)) {
+- pr_info("x86/PAT: Program %s tried to access /dev/mem between [mem %#010Lx-%#010Lx], PAT prevents it\n",
+- current->comm, from, to - 1);
++ if (!devmem_is_allowed(pfn))
+ return 0;
+- }
+ cursor += PAGE_SIZE;
+ pfn++;
+ }
+--- a/drivers/char/mem.c
++++ b/drivers/char/mem.c
+@@ -70,12 +70,8 @@ static inline int range_is_allowed(unsig
+ u64 cursor = from;
+
+ while (cursor < to) {
+- if (!devmem_is_allowed(pfn)) {
+- printk(KERN_INFO
+- "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
+- current->comm, from, to);
++ if (!devmem_is_allowed(pfn))
+ return 0;
+- }
+ cursor += PAGE_SIZE;
+ pfn++;
+ }
projects / thirdparty / kernel / stable-queue.git / commitdiff
