commit 68ae960f6d2aac4289d8872cbc4e1d79d4934e70 Author: Greg Kroah-Hartman Date: Sat Dec 1 09:44:27 2018 +0100 Linux 4.9.142 commit 1f89834896bb627dd54931519e148ea74ef53d05 Author: Mimi Zohar Date: Tue Jan 23 10:00:41 2018 -0500 ima: re-initialize iint->atomic_flags commit e2598077dc6a26c9644393e5c21f22a90dbdccdb upstream. Intermittently security.ima is not being written for new files. This patch re-initializes the new slab iint->atomic_flags field before freeing it. Fixes: commit 0d73a55208e9 ("ima: re-introduce own integrity cache lock") Signed-off-by: Mimi Zohar Signed-off-by: James Morris Cc: Aditya Kali Signed-off-by: Greg Kroah-Hartman commit 166f4542ec59d1856a558f3b1ec482730c2a9b7f Author: Dmitry Kasatkin Date: Tue Dec 5 21:06:34 2017 +0200 ima: re-introduce own integrity cache lock commit 0d73a55208e94fc9fb6deaeea61438cd3280d4c0 upstream. Before IMA appraisal was introduced, IMA was using own integrity cache lock along with i_mutex. process_measurement and ima_file_free took the iint->mutex first and then the i_mutex, while setxattr, chmod and chown took the locks in reverse order. To resolve the potential deadlock, i_mutex was moved to protect entire IMA functionality and the redundant iint->mutex was eliminated. Solution was based on the assumption that filesystem code does not take i_mutex further. But when file is opened with O_DIRECT flag, direct-io implementation takes i_mutex and produces deadlock. Furthermore, certain other filesystem operations, such as llseek, also take i_mutex. More recently some filesystems have replaced their filesystem specific lock with the global i_rwsem to read a file. As a result, when IMA attempts to calculate the file hash, reading the file attempts to take the i_rwsem again. To resolve O_DIRECT related deadlock problem, this patch re-introduces iint->mutex. But to eliminate the original chmod() related deadlock problem, this patch eliminates the requirement for chmod hooks to take the iint->mutex by introducing additional atomic iint->attr_flags to indicate calling of the hooks. The allowed locking order is to take the iint->mutex first and then the i_rwsem. Original flags were cleared in chmod(), setxattr() or removwxattr() hooks and tested when file was closed or opened again. New atomic flags are set or cleared in those hooks and tested to clear iint->flags on close or on open. Atomic flags are following: * IMA_CHANGE_ATTR - indicates that chATTR() was called (chmod, chown, chgrp) and file attributes have changed. On file open, it causes IMA to clear iint->flags to re-evaluate policy and perform IMA functions again. * IMA_CHANGE_XATTR - indicates that setxattr or removexattr was called and extended attributes have changed. On file open, it causes IMA to clear iint->flags IMA_DONE_MASK to re-appraise. * IMA_UPDATE_XATTR - indicates that security.ima needs to be updated. It is cleared if file policy changes and no update is needed. * IMA_DIGSIG - indicates that file security.ima has signature and file security.ima must not update to file has on file close. * IMA_MUST_MEASURE - indicates the file is in the measurement policy. Fixes: Commit 6552321831dc ("xfs: remove i_iolock and use i_rwsem in the VFS inode instead") Signed-off-by: Dmitry Kasatkin Signed-off-by: Mimi Zohar Cc: Aditya Kali Signed-off-by: Greg Kroah-Hartman commit 87043e4ca018a4bc667aa4285f2d4f588e999a84 Author: Matthew Garrett Date: Tue Nov 7 07:17:42 2017 -0800 EVM: Add support for portable signature format commit 50b977481fce90aa5fbda55e330b9d722733e358 upstream. The EVM signature includes the inode number and (optionally) the filesystem UUID, making it impractical to ship EVM signatures in packages. This patch adds a new portable format intended to allow distributions to include EVM signatures. It is identical to the existing format but hardcodes the inode and generation numbers to 0 and does not include the filesystem UUID even if the kernel is configured to do so. Removing the inode means that the metadata and signature from one file could be copied to another file without invalidating it. This is avoided by ensuring that an IMA xattr is present during EVM validation. Portable signatures are intended to be immutable - ie, they will never be transformed into HMACs. Based on earlier work by Dmitry Kasatkin and Mikhail Kurinnoi. Signed-off-by: Matthew Garrett Cc: Dmitry Kasatkin Cc: Mikhail Kurinnoi Signed-off-by: Mimi Zohar Cc: Aditya Kali Signed-off-by: Greg Kroah-Hartman commit 5f9fb1a0a59a94c431e5f3b215e7c6697aaf9cc3 Author: Mimi Zohar Date: Sat Jun 17 23:56:23 2017 -0400 ima: always measure and audit files in policy commit f3cc6b25dcc5616f0d5c720009b2ac66f97df2ff upstream. All files matching a "measure" rule must be included in the IMA measurement list, even when the file hash cannot be calculated. Similarly, all files matching an "audit" rule must be audited, even when the file hash can not be calculated. The file data hash field contained in the IMA measurement list template data will contain 0's instead of the actual file hash digest. Note: In general, adding, deleting or in anyway changing which files are included in the IMA measurement list is not a good idea, as it might result in not being able to unseal trusted keys sealed to a specific TPM PCR value. This patch not only adds file measurements that were not previously measured, but specifies that the file hash value for these files will be 0's. As the IMA measurement list ordering is not consistent from one boot to the next, it is unlikely that anyone is sealing keys based on the IMA measurement list. Remote attestation servers should be able to process these new measurement records, but might complain about these unknown records. Signed-off-by: Mimi Zohar Reviewed-by: Dmitry Kasatkin Cc: Aditya Kali Signed-off-by: Greg Kroah-Hartman commit 5fed1ff84587669fa55c21233ccb621f1c81369f Author: Eric W. Biederman Date: Fri Dec 2 09:35:31 2016 -0600 Revert "evm: Translate user/group ids relative to s_user_ns when computing HMAC" commit 19339c251607a3defc7f089511ce8561936fee45 upstream. This reverts commit 0b3c9761d1e405514a551ed24d3ea89aea26ce14. Seth Forshee writes: > All right, I think 0b3c9761d1e405514a551ed24d3ea89aea26ce14 should be > reverted then. EVM is a machine-local integrity mechanism, and so it > makes sense that the signature would be based on the kernel's notion of > the uid and not the filesystem's. I added a commment explaining why the EVM hmac needs to be in the kernel's notion of uid and gid, not the filesystems to prevent remounting the filesystem and gaining unwaranted trust in files. Acked-by: Seth Forshee Signed-off-by: "Eric W. Biederman" Cc: Aditya Kali Signed-off-by: Greg Kroah-Hartman commit a49f03472b50a2e52be939b2ba0da2d8b3af5c40 Author: Alexander Aring Date: Fri Apr 20 14:54:13 2018 -0400 net: ieee802154: 6lowpan: fix frag reassembly commit f18fa5de5ba7f1d6650951502bb96a6e4715a948 upstream. This patch initialize stack variables which are used in frag_lowpan_compare_key to zero. In my case there are padding bytes in the structures ieee802154_addr as well in frag_lowpan_compare_key. Otherwise the key variable contains random bytes. The result is that a compare of two keys by memcmp works incorrect. Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units") Signed-off-by: Alexander Aring Reported-by: Stefan Schmidt Signed-off-by: Stefan Schmidt Signed-off-by: Greg Kroah-Hartman commit 2188cf062e566e1d8c350ccafd5f29c9be97e506 Author: Janosch Frank Date: Thu Aug 16 09:02:31 2018 +0100 s390/mm: Check for valid vma before zapping in gmap_discard commit 1843abd03250115af6cec0892683e70cf2297c25 upstream. Userspace could have munmapped the area before doing unmapping from the gmap. This would leave us with a valid vmaddr, but an invalid vma from which we would try to zap memory. Let's check before using the vma. Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") Signed-off-by: Janosch Frank Reviewed-by: David Hildenbrand Reported-by: Dan Carpenter Message-Id: <20180816082432.78828-1-frankja@linux.ibm.com> Signed-off-by: Janosch Frank Signed-off-by: Greg Kroah-Hartman commit a1b53b1b06be2e46f17d6330cc1721d0752042df Author: Phil Elwell Date: Thu Apr 19 17:59:38 2018 +0100 lan78xx: Read MAC address from DT if present commit 760db29bdc97b73ff60b091315ad787b1deb5cf5 upstream. There is a standard mechanism for locating and using a MAC address from the Device Tree. Use this facility in the lan78xx driver to support applications without programmed EEPROM or OTP. At the same time, regularise the handling of the different address sources. Signed-off-by: Phil Elwell Signed-off-by: David S. Miller Tested-by: Paolo Pisati Signed-off-by: Greg Kroah-Hartman commit 0c41beebcdf9b0142eb774eae13352c76c9eea9f Author: Salvatore Mesoraca Date: Thu Aug 23 17:00:35 2018 -0700 namei: allow restricted O_CREAT of FIFOs and regular files commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream. Disallows open of FIFOs or regular files not owned by the user in world writable sticky directories, unless the owner is the same as that of the directory or the file is opened without the O_CREAT flag. The purpose is to make data spoofing attacks harder. This protection can be turned on and off separately for FIFOs and regular files via sysctl, just like the symlinks/hardlinks protection. This patch is based on Openwall's "HARDEN_FIFO" feature by Solar Designer. This is a brief list of old vulnerabilities that could have been prevented by this feature, some of them even allow for privilege escalation: CVE-2000-1134 CVE-2007-3852 CVE-2008-0525 CVE-2009-0416 CVE-2011-4834 CVE-2015-1838 CVE-2015-7442 CVE-2016-7489 This list is not meant to be complete. It's difficult to track down all vulnerabilities of this kind because they were often reported without any mention of this particular attack vector. In fact, before hardlinks/symlinks restrictions, fifos/regular files weren't the favorite vehicle to exploit them. [s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter] Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com [keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future] [keescook@chromium.org: adjust commit subjet] Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast Signed-off-by: Salvatore Mesoraca Signed-off-by: Kees Cook Suggested-by: Solar Designer Suggested-by: Kees Cook Cc: Al Viro Cc: Dan Carpenter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Loic Signed-off-by: Greg Kroah-Hartman commit 5a416ed93d0b6a1a8cb83cc036154e66fd83d042 Author: Steven Rostedt (VMware) Date: Thu Mar 9 10:18:42 2017 -0500 sched/core: Allow __sched_setscheduler() in interrupts when PI is not used commit 896bbb2522587e3b8eb2a0d204d43ccc1042a00d upstream. When priority inheritance was added back in 2.6.18 to sched_setscheduler(), it added a path to taking an rt-mutex wait_lock, which is not IRQ safe. As PI is not a common occurrence, lockdep will likely never trigger if sched_setscheduler was called from interrupt context. A BUG_ON() was added to trigger if __sched_setscheduler() was ever called from interrupt context because there was a possibility to take the wait_lock. Today the wait_lock is irq safe, but the path to taking it in sched_setscheduler() is the same as the path to taking it from normal context. The wait_lock is taken with raw_spin_lock_irq() and released with raw_spin_unlock_irq() which will indiscriminately enable interrupts, which would be bad in interrupt context. The problem is that normalize_rt_tasks, which is called by triggering the sysrq nice-all-RT-tasks was changed to call __sched_setscheduler(), and this is done from interrupt context! Now __sched_setscheduler() takes a "pi" parameter that is used to know if the priority inheritance should be called or not. As the BUG_ON() only cares about calling the PI code, it should only bug if called from interrupt context with the "pi" parameter set to true. Reported-by: Laurent Dufour Tested-by: Laurent Dufour Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Peter Zijlstra (Intel) Cc: Andrew Morton Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: dbc7f069b93a ("sched: Use replace normalize_task() with __sched_setscheduler()") Link: http://lkml.kernel.org/r/20170308124654.10e598f2@gandalf.local.home Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 0c9aa4da453033461b4cb8387def8111b83c424b Author: Aaron Ma Date: Fri Nov 9 17:21:20 2018 +0200 usb: xhci: fix uninitialized completion when USB3 port got wrong status commit 958c0bd86075d4ef1c936998deefe1947e539240 upstream. Realtek USB3.0 Card Reader [0bda:0328] reports wrong port status on Cannon lake PCH USB3.1 xHCI [8086:a36d] after resume from S3, after clear port reset it works fine. Since this device is registered on USB3 roothub at boot, when port status reports not superspeed, xhci_get_port_status will call an uninitialized completion in bus_state[0]. Kernel will hang because of NULL pointer. Restrict the USB2 resume status check in USB2 roothub to fix hang issue. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit e2e3a814194c453ca8bac45f42f8c9f43a475ced Author: Greg Kroah-Hartman Date: Thu Oct 4 11:06:14 2018 -0700 tty: wipe buffer if not echoing data commit b97b3d9fb57860a60592859e332de7759fd54c2e upstream. If we are not echoing the data to userspace or the console is in icanon mode, then perhaps it is a "secret" so we should wipe it once we are done with it. This mirrors the logic that the audit code has. Reported-by: aszlig Tested-by: Milan Broz Tested-by: Daniel Zatovic Tested-by: aszlig Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 3540460e924b3fd975c2a824d33776ed04ba445e Author: Linus Torvalds Date: Thu Oct 4 11:06:13 2018 -0700 tty: wipe buffer. commit c9a8e5fce009e3c601a43c49ea9dbcb25d1ffac5 upstream. After we are done with the tty buffer, zero it out. Reported-by: aszlig Tested-by: Milan Broz Tested-by: Daniel Zatovic Tested-by: aszlig Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 674004e6c4fcf6b7a9a70cdefec2f2fd0069fa0a Author: Sebastien Boisvert Date: Fri Oct 26 15:02:23 2018 -0700 include/linux/pfn_t.h: force '~' to be parsed as an unary operator commit 4d54954a197175c0dcb3c82af0c0740d0c5f827a upstream. Tracing the event "fs_dax:dax_pmd_insert_mapping" with perf produces this warning: [fs_dax:dax_pmd_insert_mapping] unknown op '~' It is printed in process_op (tools/lib/traceevent/event-parse.c) because '~' is parsed as a binary operator. perf reads the format of fs_dax:dax_pmd_insert_mapping ("print fmt") from /sys/kernel/debug/tracing/events/fs_dax/dax_pmd_insert_mapping/format . The format contains: ~(((u64) ~(~(((1UL) << 12)-1))) ^ \ interpreted as a binary operator by process_op(). This part is generated in the declaration of the event class dax_pmd_insert_mapping_class in include/trace/events/fs_dax.h : __print_flags_u64(__entry->pfn_val & PFN_FLAGS_MASK, "|", PFN_FLAGS_TRACE), This patch adds a pair of parentheses in the declaration of PFN_FLAGS_MASK to make sure that '~' is parsed as a unary operator by perf. The part of the format that was problematic is now: ~(((u64) (~(~(((1UL) << 12)-1)))) Now, all the '~' are parsed as unary operators. Link: http://lkml.kernel.org/r/20181021145939.8760-1-sebhtml@videotron.qc.ca Signed-off-by: Sebastien Boisvert Acked-by: Dan Williams Cc: "Steven Rostedt (VMware)" Cc: Arnaldo Carvalho de Melo Cc: "Tzvetomir Stoyanov (VMware)" Cc: Namhyung Kim Cc: Ross Zwisler Cc: Elenie Godzaridis Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f8c66aba27fa9aef4aa0560bea3e6ba48a546f63 Author: Subhash Jadavani Date: Thu Oct 27 17:25:58 2016 -0700 scsi: ufshcd: release resources if probe fails commit afa3dfd42d205b106787476647735aa1de1a5d02 upstream. If ufshcd pltfrm/pci driver's probe fails for some reason then ensure that scsi host is released to avoid memory leak but managed memory allocations (via devm_* calls) need not to be freed explicitly on probe failure as memory allocated with these functions is automatically freed on driver detach. Reviewed-by: Sahitya Tummala Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 99a3bd3d00a1bd6e583149cf36460e3e4c505012 Author: Subhash Jadavani Date: Thu Oct 27 17:25:47 2016 -0700 scsi: ufs: fix race between clock gating and devfreq scaling work commit 30fc33f1ef475480dc5bea4fe1bda84b003b992c upstream. UFS devfreq clock scaling work may require clocks to be ON if it need to execute some UFS commands hence it may request for clock hold before issuing the command. But if UFS clock gating work is already running in parallel, ungate work would end up waiting for the clock gating work to finish and as clock gating work would also wait for the clock scaling work to finish, we would enter in deadlock state. Here is the call trace during this deadlock state: Workqueue: devfreq_wq devfreq_monitor __switch_to __schedule schedule schedule_timeout wait_for_common wait_for_completion flush_work ufshcd_hold ufshcd_send_uic_cmd ufshcd_dme_get_attr ufs_qcom_set_dme_vs_core_clk_ctrl_clear_div ufs_qcom_clk_scale_notify ufshcd_scale_clks ufshcd_devfreq_target update_devfreq devfreq_monitor process_one_work worker_thread kthread ret_from_fork Workqueue: events ufshcd_gate_work __switch_to __schedule schedule schedule_preempt_disabled __mutex_lock_slowpath mutex_lock devfreq_monitor_suspend devfreq_simple_ondemand_handler devfreq_suspend_device ufshcd_gate_work process_one_work worker_thread kthread ret_from_fork Workqueue: events ufshcd_ungate_work __switch_to __schedule schedule schedule_timeout wait_for_common wait_for_completion flush_work __cancel_work_timer cancel_delayed_work_sync ufshcd_ungate_work process_one_work worker_thread kthread ret_from_fork This change fixes this deadlock by doing this in devfreq work (devfreq_wq): Try cancelling clock gating work. If we are able to cancel gating work or it wasn't scheduled, hold the clock reference count until scaling is in progress. If gate work is already running in parallel, let's skip the frequecy scaling at this time and it will be retried once next scaling window expires. Reviewed-by: Sahitya Tummala Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 0967f4de8e46f8e0767855ef5320feeffd3bc2de Author: Venkat Gopalakrishnan Date: Mon Oct 17 17:10:53 2016 -0700 scsi: ufshcd: Fix race between clk scaling and ungate work commit f2a785ac23125fa0774327d39e837e45cf28fe92 upstream. The ungate work turns on the clock before it exits hibern8, if the link was put in hibern8 during clock gating work. There occurs a race condition when clock scaling work calls ufshcd_hold() to make sure low power states cannot be entered, but that returns by checking only whether the clocks are on. This causes the clock scaling work to issue UIC commands when the link is in hibern8 causing failures. Make sure we exit hibern8 state before returning from ufshcd_hold(). Callstacks for race condition: ufshcd_scale_gear ufshcd_devfreq_scale ufshcd_devfreq_target update_devfreq devfreq_monitor process_one_work worker_thread kthread ret_from_fork ufshcd_uic_hibern8_exit ufshcd_ungate_work process_one_work worker_thread kthread ret_from_fork Signed-off-by: Venkat Gopalakrishnan Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 675d91966d1ab9ea0371c66b126d1427aaac0415 Author: Yaniv Gardi Date: Mon Oct 17 17:09:24 2016 -0700 scsi: ufs: fix bugs related to null pointer access and array size commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream. In this change there are a few fixes of possible NULL pointer access and possible access to index that exceeds array boundaries. Signed-off-by: Yaniv Gardi Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 6bea268e0c3c6807db4c67f37a883aeabebef12a Author: Karthik D A Date: Wed Sep 28 18:18:28 2016 +0530 mwifiex: fix p2p device doesn't find in scan problem commit 3d8bd85c2c9e47ed2c82348aa5b6029ed48376ae upstream. Marvell p2p device disappears from the list of p2p peers on the other p2p device after disconnection. It happens due to a bug in driver. When interface is changed from p2p to station, certain variables(bss_type, bss_role etc.) aren't correctly updated. This patch corrects them to fix the issue. Signed-off-by: Karthik D A Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit c8144277c0ad48c5633e91f979874632a0032084 Author: Amitkumar Karwar Date: Wed Sep 28 18:18:23 2016 +0530 mwifiex: Fix NULL pointer dereference in skb_dequeue() commit c44c040300d7afd79294710313a4989683e2afb1 upstream. At couple of places in cleanup path, we are just going through the skb queue and freeing them without unlinking. This leads to a crash when other thread tries to do skb_dequeue() and use already freed node. The problem is freed by unlinking skb before freeing it. Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit c34774ea1bc322560d401e55f5cc1438c2c3cf30 Author: Amitkumar Karwar Date: Wed Sep 28 18:18:22 2016 +0530 mwifiex: report error to PCIe for suspend failure commit 5190f2e405919cd30ba2f12c58129fb2d71cd6b6 upstream. When host_sleep_config command fails, we should return an error to PCIe, instead of continuing (and possibly panicking, when we try to keep processing a timed-out ioctl after we return "successfully" from suspend). Signed-off-by: Amitkumar Karwar Reviewed-by: Brian Norris Tested-by: Brian Norris Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit b4f8e4c870b73f3f48a2951584c739cc40ccf366 Author: Amitkumar Karwar Date: Wed Sep 28 18:18:21 2016 +0530 mwifiex: prevent register accesses after host is sleeping commit ec815dd2a5f110f627d7955e0027a3a008f68166 upstream. Following is mwifiex driver-firmware host sleep handshake. It involves three threads. suspend handler, interrupt handler, interrupt processing in main work queue. 1) Enter suspend handler 2) Download HS_CFG command 3) Response from firmware for HS_CFG 4) Suspend thread waits until handshake completes(i.e hs_activate becomes true) 5) SLEEP from firmware 6) SLEEP confirm downloaded to firmware. 7) SLEEP confirm response from firmware 8) Driver processes SLEEP confirm response and set hs_activate to wake up suspend thread 9) Exit suspend handler 10) Read sleep cookie in loop and wait until it indicates firmware is sleep. 11) After processing SLEEP confirm response, we are at the end of interrupt processing routine. Recheck if there are interrupts received while we were processing them. During suspend-resume stress test, it's been observed that we may end up acessing PCIe hardware(in 10 and 11) when PCIe bus is closed which leads to a kernel crash. This patch solves the problem with below changes. a) action 10 above can be done before 8 b) Skip 11 if hs_activated is true. SLEEP confirm response is the last interrupt from firmware. No need to recheck for pending interrupts. c) Add flush_workqueue() in suspend handler. Signed-off-by: Amitkumar Karwar Reviewed-by: Brian Norris Tested-by: Brian Norris Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 2091b8cd4b4b702b7057e2eeb64e73ce3706cc58 Author: Johannes Thumshirn Date: Fri Sep 30 14:39:17 2016 +0200 cw1200: Don't leak memory if krealloc failes commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream. The call to krealloc() in wsm_buf_reserve() directly assigns the newly returned memory to buf->begin. This is all fine except when krealloc() failes we loose the ability to free the old memory pointed to by buf->begin. If we just create a temporary variable to assign memory to and assign the memory to it we can mitigate the memory leak. Signed-off-by: Johannes Thumshirn Cc: Johannes Berg Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit bf390abe940e4678d83a6f5924b4b2f396e7d3cf Author: Ramses Ramírez Date: Fri Sep 28 16:59:26 2018 -0700 Input: xpad - add support for Xbox1 PDP Camo series gamepad [ Upstream commit 9735082a7cbae572c2eabdc45acecc8c9fa0759b ] The "Xbox One PDP Wired Controller - Camo series" has a different product-id than the regular PDP controller and the PDP stealth series, but it uses the same initialization sequence. This patch adds the product-id of the camo series to the structures that handle the other PDP Xbox One controllers. Signed-off-by: Ramses Ramírez Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 29956d84355e0b42cedc2287567be79190f85d16 Author: Enno Boland Date: Tue Jun 19 11:55:33 2018 -0700 Input: xpad - fix GPD Win 2 controller name [ Upstream commit dd6bee81c942c0ea01030da9356026afb88f9d18 ] This fixes using the controller with SDL2. SDL2 has a naive algorithm to apply the correct settings to a controller. For X-Box compatible controllers it expects that the controller name contains a variation of a 'XBOX'-string. This patch changes the identifier to contain "X-Box" as substring. Tested with Steam and C-Dogs-SDL which both detect the controller properly after adding this patch. Fixes: c1ba08390a8b ("Input: xpad - add GPD Win 2 Controller USB IDs") Cc: stable@vger.kernel.org Signed-off-by: Enno Boland Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit dd15a17fd023d318230f960ed98743dab7cc5159 Author: Ethan Lee Date: Fri Jun 1 11:46:08 2018 -0700 Input: xpad - add GPD Win 2 Controller USB IDs [ Upstream commit c1ba08390a8bb13c927e699330896adc15b78205 ] GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp Tested on a unit from the first production run sent to Indiegogo backers Signed-off-by: Ethan Lee Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ad897a4649dfb3bd467daba2ad5f801ed906fb51 Author: Marcus Folkesson Date: Tue May 8 15:17:07 2018 -0700 Input: xpad - avoid using __set_bit() for capabilities [ Upstream commit a01308031c2647ed5f1c845104b73a8820a958a9 ] input_set_capability() and input_set_abs_param() will do it for you. Signed-off-by: Marcus Folkesson Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit cade531f0a82b7e016dac62bf029f1bb3fde610e Author: Leo Sperling Date: Wed Aug 3 17:31:09 2016 -0700 Input: xpad - fix some coding style issues [ Upstream commit 68c78d0155e37992268664e134996d2b140ddf38 ] Fix some coding style issues reported by checkpatch.pl. Mostly brackets in macros, spacing and comment style. Signed-off-by: Leo Sperling Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7044e32b333fc2be4b14438281b58b4216a9a6ea Author: Francis Therien Date: Mon Mar 26 15:59:00 2018 -0700 Input: xpad - add PDP device id 0x02a4 [ Upstream commit c6c848572f4da0e34ffe0a35364b4db871e13e42 ] Adds support for a PDP Xbox One controller with device ID (0x06ef:0x02a4). The Product string for this device is "PDP Wired Controller for Xbox One - Stealth Series | Phantom Black". Signed-off-by: Francis Therien Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit edcfecdc9a3d7efd845853ad9557bd8145ad2f7e Author: Mark Furneaux Date: Mon Jan 22 11:24:17 2018 -0800 Input: xpad - add support for PDP Xbox One controllers [ Upstream commit e5c9c6a885fad00aa559b49d8fc23a60e290824e ] Adds support for the current lineup of Xbox One controllers from PDP (Performance Designed Products). These controllers are very picky with their initialization sequence and require an additional 2 packets before they send any input reports. Signed-off-by: Mark Furneaux Reviewed-by: Cameron Gutman Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit ac8f836e6d6d200a23849c7642a709e80d03c880 Author: Cameron Gutman Date: Tue Sep 12 11:27:44 2017 -0700 Input: xpad - validate USB endpoint type during probe [ Upstream commit 122d6a347329818419b032c5a1776e6b3866d9b9 ] We should only see devices with interrupt endpoints. Ignore any other endpoints that we find, so we don't send try to send them interrupt URBs and trigger a WARN down in the USB stack. Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Cc: # c01b5e7464f0 Input: xpad - don't depend on endpoint order Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7d6d5fc8b6575080970416c0a9ae1f055fb0ffdd Author: Cameron Gutman Date: Thu Aug 31 11:52:20 2017 -0700 Input: xpad - fix PowerA init quirk for some gamepad models [ Upstream commit f5308d1b83eba20e69df5e0926ba7257c8dd9074 ] The PowerA gamepad initialization quirk worked with the PowerA wired gamepad I had around (0x24c6:0x543a), but a user reported [0] that it didn't work for him, even though our gamepads shared the same vendor and product IDs. When I initially implemented the PowerA quirk, I wanted to avoid actually triggering the rumble action during init. My tests showed that my gamepad would work correctly even if it received a rumble of 0 intensity, so that's what I went with. Unfortunately, this apparently isn't true for all models (perhaps a firmware difference?). This non-working gamepad seems to require the real magic rumble packet that the Microsoft driver sends, which actually vibrates the gamepad. To counteract this effect, I still send the old zero-rumble PowerA quirk packet which cancels the rumble effect before the motors can spin up enough to vibrate. [0]: https://github.com/paroj/xpad/issues/48#issuecomment-313904867 Reported-by: Kyle Beauchamp Tested-by: Kyle Beauchamp Fixes: 81093c9848a7 ("Input: xpad - support some quirky Xbox One pads") Cc: stable@vger.kernel.org # v4.12 Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 8b20c25842c9db2b0146b6b4a51a13230473fd8d Author: Arvind Yadav Date: Mon Aug 7 20:04:13 2017 -0700 Input: xpad - constify usb_device_id [ Upstream commit 94aef061c796d3d47f1a2eed41e651ffaaade402 ] usb_device_id are not supposed to change at runtime. All functions working with usb_device_id provided by work with const usb_device_id. So mark the non-const structs as const. Signed-off-by: Arvind Yadav Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 70f356afc4651f0c77aacb3eb1b248f4ce072788 Author: Benjamin Valentin Date: Sun Jun 18 15:41:20 2017 -0700 Input: xpad - sync supported devices with XBCD [ Upstream commit be19788c73d382f66dd3fba3c5ccef59cf12a126 ] XBCD [0][1] is an OpenSource driver for Xbox controllers on Windows. Later it also started supporting Xbox360 controllers (presumably before the official Windows driver was released). It contains a couple device IDs unknown to the Linux driver, so I extracted those from xbcd.inf and added them to our list. It has a special type for Wheels and I have the feeling they might need some extra handling. They all have 'Wheel' in their name, so that information is available for future improvements. [0] https://www.s-config.com/xbcd-original-xbox-controllers-win10/ [1] http://www.redcl0ud.com/xbcd.html Reviewed-by: Cameron Gutman Signed-off-by: Benjamin Valentin Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e7bb7516b6d8cfe968fab0f0fe775e9ba6d1cd82 Author: Benjamin Valentin Date: Sun Jun 18 15:40:37 2017 -0700 Input: xpad - sync supported devices with 360Controller [ Upstream commit c225370e01b87d3c4ef40d98295ac0bb1e5a3116 ] 360Controller [0] is an OpenSource driver for Xbox/Xbox360/XboxOne controllers on macOS. It contains a couple device IDs unknown to the Linux driver, so I wrote a small Python script [1] to extract them and feed them into my previous script [2] to compare them with the IDs known to Linux. For most devices, this information is not really needed as xpad is able to automatically detect the type of an unknown Xbox Controller at run-time. I've therefore stripped all the generic/vague entries. I've excluded the Logitech G920, it's handled by a HID driver already. I've also excluded the Scene It! Big Button IR, it's handled by an out-of-tree driver. [3] [0] https://github.com/360Controller/360Controller [1] http://codepad.org/v9GyLKMq [2] http://codepad.org/qh7jclpD [3] https://github.com/micolous/xbox360bb Reviewed-by: Cameron Gutman Signed-off-by: Benjamin Valentin Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 34784d6d7ec701618f2928b1d05dbfaa7115c245 Author: Benjamin Valentin Date: Sun May 7 14:49:09 2017 -0700 Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth [ Upstream commit 4706aa075662fe3cad29c3f49b50878de53f4f3b ] Add USB IDs for two more Xbox 360 controllers. I found them in the pull requests for the xboxdrv userspace driver, which seems abandoned. Thanks to psychogony and mkaito for reporting the IDs there! Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit c5b83f357f303fdabb40a2d142aca4f76a0f3bb8 Author: Benjamin Valentin Date: Sun May 7 14:48:14 2017 -0700 Input: xpad - sync supported devices with xboxdrv [ Upstream commit 44bc722593201da43862b7200ee0b98155410b07 ] The userspace xboxdrv driver [0] contains some USB IDs unknown to the kernel driver. I have created a simple script [1] to extract the missing devices and add them to xpad. A quick google search confirmed that all the new devices called Fightstick/pad are Arcade-type devices [2] where the MAP_TRIGGERS_TO_BUTTONS option should apply. There are some similar devices in the existing device table where this flag is not set, but I did refrain from changing those. [0] https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp [1] http://codepad.org/CHV98BNH [2] https://www.google.com/search?q=SFxT+Fightstick+Pro&tbm=isch Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 5ff2a1a88102be773796ccdf3ecf3f3b40323a47 Author: Benjamin Valentin Date: Sun May 7 14:45:08 2017 -0700 Input: xpad - sort supported devices by USB ID [ Upstream commit 873cb582738fde338ecaeaca594560cde2ba42c3 ] Some entries in the table of supported devices are out of order. To not create a mess when adding new ones using a script, sort them first. Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 574d843969d4cd267bcd0eb2f7154df6d86cdd22 Author: Cameron Gutman Date: Mon Apr 10 20:43:04 2017 -0700 Input: xpad - support some quirky Xbox One pads [ Upstream commit 81093c9848a781b85163d06de92ef8f84528cf6a ] There are several quirky Xbox One pads that depend on initialization packets that the Microsoft pads don't require. To deal with these, I've added a mechanism for issuing device-specific initialization packets using a VID/PID-based quirks list. For the initial set of init quirks, I have added quirk handling from Valve's Steam Link xpad driver[0] and the 360Controller project[1] for macOS to enable some new pads to work properly. This should enable full functionality on the following quirky pads: 0x0e6f:0x0165 - Titanfall 2 gamepad (previously fully non-functional) 0x0f0d:0x0067 - Hori Horipad (analog sticks previously non-functional) 0x24c6:0x541a - PowerA Xbox One pad (previously fully non-functional) 0x24c6:0x542a - PowerA Xbox One pad (previously fully non-functional) 0x24c6:0x543a - PowerA Xbox One pad (previously fully non-functional) [0]: https://github.com/ValveSoftware/steamlink-sdk/blob/master/kernel/drivers/input/joystick/xpad.c [1]: https://github.com/360Controller/360Controller Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 51b54b80fbc06790f10b34b5fb0e85e9d4eda5b9 Author: Cameron Gutman Date: Mon Feb 6 17:03:03 2017 -0800 Input: xpad - restore LED state after device resume [ Upstream commit a1fbf5bbef025b4844162b3b8868888003a7ee9c ] Set the LED_CORE_SUSPENDRESUME flag on our LED device so the LED state will be automatically restored by LED core on resume. Since Xbox One pads stop flashing only when reinitialized, we'll send them the initialization packet so they calm down too. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit e9c7ce1389f0e52959ad5a7360aa5c7b542a041c Author: Cameron Gutman Date: Mon Feb 6 13:56:10 2017 -0800 Input: xpad - fix stuck mode button on Xbox One S pad [ Upstream commit 57b8443d3e5bd046a519ff714ca31c64c7f04309 ] The Xbox One S requires an ack to its mode button report, otherwise it continuously retransmits the report. This makes the mode button appear to be stuck down after it is pressed for the first time. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 82e3ce0fd874a54dfe15da32bb092bc3558b17d2 Author: Cameron Gutman Date: Tue Jan 3 22:40:38 2017 -0800 Input: xpad - don't depend on endpoint order [ Upstream commit c01b5e7464f0cf20936d7467c7528163c4e2782d ] The order of endpoints is well defined on official Xbox pads, but we have found at least one 3rd-party pad that doesn't follow the standard ("Titanfall 2 Xbox One controller" 0e6f:0165). Fortunately, we get lucky with this specific pad because it uses endpoint addresses that differ only by direction. We know that there are other pads out where this is not true, so let's go ahead and fix this. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 31abdb63b18584aee54a610468dc790e8fa822fb Author: Pavel Rojtberg Date: Fri May 27 16:26:33 2016 -0700 Input: xpad - simplify error condition in init_output [ Upstream commit a8c34e27fb1ece928ec728bfe596aa6ca0b1928a ] Replace first goto with simple returns as we really are just returning one error code. Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 69f7143da0507677b78c3d62f1479ea9df6d74aa Author: Daniel Tobias Date: Fri May 27 16:25:32 2016 -0700 Input: xpad - move reporting xbox one home button to common function [ Upstream commit 4f88476c75429ba9ab71c428b4cd2f67575bc9c1 ] xbox one was the only device that has a *_process_buttons routine. Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit b05c3b911eb551f16fca565baba5b946ead469fe Author: Daniel Tobias Date: Fri May 27 16:25:10 2016 -0700 Input: xpad - correctly sort vendor id's [ Upstream commit c02fc1d9e5d9f093296e43e13ec7f35f140784bd ] Signed-off-by: Daniel Tobias Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit cf82f5ff44828f5bf8ec808962130600e00f5117 Author: Cameron Gutman Date: Sun Nov 27 20:37:56 2016 -0800 Input: xpad - fix Xbox One rumble stopping after 2.5 secs [ Upstream commit ae3b4469dbcd3b842a9fd20940946e4d092d8731 ] Unlike previous Xbox pads, the Xbox One pad doesn't have "sticky" rumble packets. The duration is encoded into the command and expiration is handled by the pad firmware. ff-memless needs pseudo-sticky behavior for rumble effects to behave properly for long duration effects. We already specify the maximum rumble on duration in the command packets, but it's still only good for about 2.5 seconds of rumble. This is easily reproducible running fftest's sine vibration test. It turns out there's a repeat count encoded in the rumble command. We can abuse that to get the pseudo-sticky behavior needed for rumble to behave as expected for effects with long duration. By my math, this change should allow a single ff_effect to rumble for 10 minutes straight, which should be more than enough for most needs. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit d6418e12132768320ed571b1f3e47cd8d8ae466b Author: Cameron Gutman Date: Sun Nov 27 20:37:31 2016 -0800 Input: xpad - add product ID for Xbox One S pad [ Upstream commit 599b8c09d974d6e4d85a8f7bc8ed7442977866a8 ] This is the new gamepad that ships with the Xbox One S which includes Bluetooth functionality. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 5f0de882e77fd578d7c5bb5fbc8c92c1169e80c0 Author: Vasanthakumar Thiagarajan Date: Mon Oct 10 19:51:18 2016 +0530 ath10k: fix kernel panic due to race in accessing arvif list commit ebaa4b1620bf69f2bc43cb45ea85fbafdaec23c3 upstream. arvifs list is traversed within data_lock spin_lock in tasklet context to fill channel information from the corresponding vif. This means any access to arvifs list for add/del operations should also be protected with the same spin_lock to avoid the race. Fix this by performing list add/del on arvfis within the data_lock. This could fix kernel panic something like the below. LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core] PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core]) [] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core]) [] (tasklet_action+0x8c/0xec) [] (__do_softirq+0xdc/0x208) [] (irq_exit+0x84/0xe0) [] (__handle_domain_irq+0x80/0xa0) [] (gic_handle_irq+0x38/0x5c) [] (__irq_svc+0x40/0x74) (gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0) 0x136c0 is in ath10k_htt_rx_h_channel (drivers/net/wireless/ath/ath10k/htt_rx.c:769) 764 struct cfg80211_chan_def def; 765 766 lockdep_assert_held(&ar->data_lock); 767 768 list_for_each_entry(arvif, &ar->arvifs, list) { 769 if (arvif->vdev_id == vdev_id && 770 ath10k_mac_vif_chan(arvif->vif, &def) == 0) 771 return def.chan; 772 } 773 Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 272991176af2335b37be8fc3f0ab17ff96cace9d Author: Greg Hackmann Date: Tue Nov 27 11:15:20 2018 -0800 arm64: remove no-op -p linker flag (commit 1a381d4a0a9a0f999a13faaba22bf6b3fc80dcb9 upstream) Linking the ARM64 defconfig kernel with LLVM lld fails with the error: ld.lld: error: unknown argument: -p Makefile:1015: recipe for target 'vmlinux' failed Without this flag, the ARM64 defconfig kernel successfully links with lld and boots on Dragonboard 410c. After digging through binutils source and changelogs, it turns out that -p is only relevant to ancient binutils installations targeting 32-bit ARM. binutils accepts -p for AArch64 too, but it's always been undocumented and silently ignored. A comment in ld/emultempl/aarch64elf.em explains that it's "Only here for backwards compatibility". Since this flag is a no-op on ARM64, we can safely drop it. Acked-by: Will Deacon Reviewed-by: Nick Desaulniers Signed-off-by: Greg Hackmann Signed-off-by: Catalin Marinas Signed-off-by: Nick Desaulniers Signed-off-by: Sasha Levin commit ab076d20c28cc0b8a5db5a81148aa93acd7888ba Author: Johan Hovold Date: Mon Aug 27 10:21:50 2018 +0200 net: bcmgenet: fix OF child-node lookup [ Upstream commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac ] Use the new of_get_compatible_child() helper to lookup the mdio child node instead of using of_find_compatible_node(), which searches the entire tree from a given start node and thus can return an unrelated (i.e. non-child) node. This also addresses a potential use-after-free (e.g. after probe deferral) as the tree-wide helper drops a reference to its first argument (i.e. the node of the device being probed). Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") Cc: stable # 3.15 Cc: David S. Miller Reviewed-by: Florian Fainelli Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit b694d8d9ece3644d9e99d821564fc90e017a79d0 Author: Johan Hovold Date: Mon Aug 27 10:21:52 2018 +0200 NFC: nfcmrvl_uart: fix OF child-node lookup [ Upstream commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da ] Use the new of_get_compatible_child() helper to lookup the nfc child node instead of using of_find_compatible_node(), which searches the entire tree from a given start node and thus can return an unrelated (i.e. non-child) node. This also addresses a potential use-after-free (e.g. after probe deferral) as the tree-wide helper drops a reference to its first argument (i.e. the parent node). Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver") Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC") Cc: stable # 4.2 Cc: Vincent Cuissard Cc: Samuel Ortiz Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 95cd1aacf9cea9b9ec86a24493a021e08356b5d0 Author: Johan Hovold Date: Mon Aug 27 10:21:45 2018 +0200 of: add helper to lookup compatible child node [ Upstream commit 36156f9241cb0f9e37d998052873ca7501ad4b36 ] Add of_get_compatible_child() helper that can be used to lookup compatible child nodes. Several drivers currently use of_find_compatible_node() to lookup child nodes while failing to notice that the of_find_ functions search the entire tree depth-first (from a given start node) and therefore can match unrelated nodes. The fact that these functions also drop a reference to the node they start searching from (e.g. the parent node) is typically also overlooked, something which can lead to use-after-free bugs. Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit d77eacdb1e30fbed315c2e09ba7a4e919d5f3348 Author: Yufen Yu Date: Fri Nov 16 15:08:39 2018 -0800 tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset [ Upstream commit 1a413646931cb14442065cfc17561e50f5b5bb44 ] Other filesystems such as ext4, f2fs and ubifs all return ENXIO when lseek (SEEK_DATA or SEEK_HOLE) requests a negative offset. man 2 lseek says : EINVAL whence is not valid. Or: the resulting file offset would be : negative, or beyond the end of a seekable device. : : ENXIO whence is SEEK_DATA or SEEK_HOLE, and the file offset is beyond : the end of the file. Make tmpfs return ENXIO under these circumstances as well. After this, tmpfs also passes xfstests's generic/448. [akpm@linux-foundation.org: rewrite changelog] Link: http://lkml.kernel.org/r/1540434176-14349-1-git-send-email-yuyufen@huawei.com Signed-off-by: Yufen Yu Reviewed-by: Andrew Morton Cc: Al Viro Cc: Hugh Dickins Cc: William Kucharski Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit b57951ed2b6d5a064be3956dbc0c0271ca13657a Author: Ard Biesheuvel Date: Wed Nov 14 09:55:41 2018 -0800 efi/arm: Revert deferred unmap of early memmap mapping [ Upstream commit 33412b8673135b18ea42beb7f5117ed0091798b6 ] Commit: 3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory map longer for BGRT") deferred the unmap of the early mapping of the UEFI memory map to accommodate the ACPI BGRT code, which looks up the memory type that backs the BGRT table to validate it against the requirements of the UEFI spec. Unfortunately, this causes problems on ARM, which does not permit early mappings to persist after paging_init() is called, resulting in a WARN() splat. Since we don't support the BGRT table on ARM anway, let's revert ARM to the old behaviour, which is to take down the early mapping at the end of efi_init(). Signed-off-by: Ard Biesheuvel Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: linux-efi@vger.kernel.org Fixes: 3ea86495aef2 ("efi/arm: preserve early mapping of UEFI memory ...") Link: http://lkml.kernel.org/r/20181114175544.12860-3-ard.biesheuvel@linaro.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 636374c50312db9d6cebab8466dbfc7dbb2a5591 Author: Satheesh Rajendran Date: Thu Nov 8 10:47:56 2018 +0530 powerpc/numa: Suppress "VPHN is not supported" messages [ Upstream commit 437ccdc8ce629470babdda1a7086e2f477048cbd ] When VPHN function is not supported and during cpu hotplug event, kernel prints message 'VPHN function not supported. Disabling polling...'. Currently it prints on every hotplug event, it floods dmesg when a KVM guest tries to hotplug huge number of vcpus, let's just print once and suppress further kernel prints. Signed-off-by: Satheesh Rajendran Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 8f9b3dd5a72de54958523d8096ab60b2bae96d38 Author: Prarit Bhargava Date: Thu Sep 20 08:59:14 2018 -0400 kdb: Use strscpy with destination buffer size [ Upstream commit c2b94c72d93d0929f48157eef128c4f9d2e603ce ] gcc 8.1.0 warns with: kernel/debug/kdb/kdb_support.c: In function ‘kallsyms_symbol_next’: kernel/debug/kdb/kdb_support.c:239:4: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(prefix_name, name, strlen(name)+1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/debug/kdb/kdb_support.c:239:31: note: length computed here Use strscpy() with the destination buffer size, and use ellipses when displaying truncated symbols. v2: Use strscpy() Signed-off-by: Prarit Bhargava Cc: Jonathan Toppins Cc: Jason Wessel Cc: Daniel Thompson Cc: kgdb-bugreport@lists.sourceforge.net Reviewed-by: Daniel Thompson Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin commit 35a0620fec6b6bf07914710b71f1580327c0317d Author: Trond Myklebust Date: Mon Nov 12 16:06:51 2018 -0500 SUNRPC: Fix a bogus get/put in generic_key_to_expire() [ Upstream commit e3d5e573a54dabdc0f9f3cb039d799323372b251 ] Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 19b7cd1bc134ba7c2db982f3d3e462e81c68dda4 Author: Kan Liang Date: Fri Oct 19 10:04:18 2018 -0700 perf/x86/intel/uncore: Add more IMC PCI IDs for KabyLake and CoffeeLake CPUs [ Upstream commit c10a8de0d32e95b0b8c7c17b6dc09baea5a5a899 ] KabyLake and CoffeeLake CPUs have the same client uncore events as SkyLake. Add the PCI IDs for the KabyLake Y, U, S processor lines and CoffeeLake U, H, S processor lines. Signed-off-by: Kan Liang Signed-off-by: Peter Zijlstra (Intel) Cc: Alexander Shishkin Cc: Arnaldo Carvalho de Melo Cc: Jiri Olsa Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Stephane Eranian Cc: Thomas Gleixner Cc: Vince Weaver Link: http://lkml.kernel.org/r/20181019170419.378-1-kan.liang@linux.intel.com Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 99bfbe579c19d91917a81f4d2b9f092cf8bb7278 Author: Michael Ellerman Date: Tue Nov 6 23:37:58 2018 +1100 powerpc/io: Fix the IO workarounds code to work with Radix [ Upstream commit 43c6494fa1499912c8177e71450c0279041152a6 ] Back in 2006 Ben added some workarounds for a misbehaviour in the Spider IO bridge used on early Cell machines, see commit 014da7ff47b5 ("[POWERPC] Cell "Spider" MMIO workarounds"). Later these were made to be generic, ie. not tied specifically to Spider. The code stashes a token in the high bits (59-48) of virtual addresses used for IO (eg. returned from ioremap()). This works fine when using the Hash MMU, but when we're using the Radix MMU the bits used for the token overlap with some of the bits of the virtual address. This is because the maximum virtual address is larger with Radix, up to c00fffffffffffff, and in fact we use that high part of the address range for ioremap(), see RADIX_KERN_IO_START. As it happens the bits that are used overlap with the bits that differentiate an IO address vs a linear map address. If the resulting address lies outside the linear mapping we will crash (see below), if not we just corrupt memory. virtio-pci 0000:00:00.0: Using 64-bit direct DMA at offset 800000000000000 Unable to handle kernel paging request for data at address 0xc000000080000014 ... CFAR: c000000000626b98 DAR: c000000080000014 DSISR: 42000000 IRQMASK: 0 GPR00: c0000000006c54fc c00000003e523378 c0000000016de600 0000000000000000 GPR04: c00c000080000014 0000000000000007 0fffffff000affff 0000000000000030 ^^^^ ... NIP [c000000000626c5c] .iowrite8+0xec/0x100 LR [c0000000006c992c] .vp_reset+0x2c/0x90 Call Trace: .pci_bus_read_config_dword+0xc4/0x120 (unreliable) .register_virtio_device+0x13c/0x1c0 .virtio_pci_probe+0x148/0x1f0 .local_pci_probe+0x68/0x140 .pci_device_probe+0x164/0x220 .really_probe+0x274/0x3b0 .driver_probe_device+0x80/0x170 .__driver_attach+0x14c/0x150 .bus_for_each_dev+0xb8/0x130 .driver_attach+0x34/0x50 .bus_add_driver+0x178/0x2f0 .driver_register+0x90/0x1a0 .__pci_register_driver+0x6c/0x90 .virtio_pci_driver_init+0x2c/0x40 .do_one_initcall+0x64/0x280 .kernel_init_freeable+0x36c/0x474 .kernel_init+0x24/0x160 .ret_from_kernel_thread+0x58/0x7c This hasn't been a problem because CONFIG_PPC_IO_WORKAROUNDS which enables this code is usually not enabled. It is only enabled when it's selected by PPC_CELL_NATIVE which is only selected by PPC_IBM_CELL_BLADE and that in turn depends on BIG_ENDIAN. So in order to hit the bug you need to build a big endian kernel, with IBM Cell Blade support enabled, as well as Radix MMU support, and then boot that on Power9 using Radix MMU. Still we can fix the bug, so let's do that. We simply use fewer bits for the token, taking the union of the restrictions on the address from both Hash and Radix, we end up with 8 bits we can use for the token. The only user of the token is iowa_mem_find_bus() which only supports 8 token values, so 8 bits is plenty for that. Fixes: 566ca99af026 ("powerpc/mm/radix: Add dummy radix_enabled()") Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 03781eb59c0872d6a60602f06a5bfe59c0b271fb Author: Jens Axboe Date: Fri Nov 9 15:58:40 2018 -0700 floppy: fix race condition in __floppy_read_block_0() [ Upstream commit de7b75d82f70c5469675b99ad632983c50b6f7e7 ] LKP recently reported a hang at bootup in the floppy code: [ 245.678853] INFO: task mount:580 blocked for more than 120 seconds. [ 245.679906] Tainted: G T 4.19.0-rc6-00172-ga9f38e1 #1 [ 245.680959] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. [ 245.682181] mount D 6372 580 1 0x00000004 [ 245.683023] Call Trace: [ 245.683425] __schedule+0x2df/0x570 [ 245.683975] schedule+0x2d/0x80 [ 245.684476] schedule_timeout+0x19d/0x330 [ 245.685090] ? wait_for_common+0xa5/0x170 [ 245.685735] wait_for_common+0xac/0x170 [ 245.686339] ? do_sched_yield+0x90/0x90 [ 245.686935] wait_for_completion+0x12/0x20 [ 245.687571] __floppy_read_block_0+0xfb/0x150 [ 245.688244] ? floppy_resume+0x40/0x40 [ 245.688844] floppy_revalidate+0x20f/0x240 [ 245.689486] check_disk_change+0x43/0x60 [ 245.690087] floppy_open+0x1ea/0x360 [ 245.690653] __blkdev_get+0xb4/0x4d0 [ 245.691212] ? blkdev_get+0x1db/0x370 [ 245.691777] blkdev_get+0x1f3/0x370 [ 245.692351] ? path_put+0x15/0x20 [ 245.692871] ? lookup_bdev+0x4b/0x90 [ 245.693539] blkdev_get_by_path+0x3d/0x80 [ 245.694165] mount_bdev+0x2a/0x190 [ 245.694695] squashfs_mount+0x10/0x20 [ 245.695271] ? squashfs_alloc_inode+0x30/0x30 [ 245.695960] mount_fs+0xf/0x90 [ 245.696451] vfs_kern_mount+0x43/0x130 [ 245.697036] do_mount+0x187/0xc40 [ 245.697563] ? memdup_user+0x28/0x50 [ 245.698124] ksys_mount+0x60/0xc0 [ 245.698639] sys_mount+0x19/0x20 [ 245.699167] do_int80_syscall_32+0x61/0x130 [ 245.699813] entry_INT80_32+0xc7/0xc7 showing that we never complete that read request. The reason is that the completion setup is racy - it initializes the completion event AFTER submitting the IO, which means that the IO could complete before/during the init. If it does, we are passing garbage to complete() and we may sleep forever waiting for the event to occur. Fixes: 7b7b68bba5ef ("floppy: bail out in open() if drive is not responding to block0 read") Reviewed-by: Omar Sandoval Signed-off-by: Jens Axboe Signed-off-by: Sasha Levin commit ab509b4f9507c208148fe5bbbc234989729f1d7d Author: Xulin Sun Date: Tue Nov 6 16:42:19 2018 +0800 rtc: pcf2127: fix a kmemleak caused in pcf2127_i2c_gather_write [ Upstream commit 9bde0afb7a906f1dabdba37162551565740b862d ] pcf2127_i2c_gather_write() allocates memory as local variable for i2c_master_send(), after finishing the master transfer, the allocated memory should be freed. The kmemleak is reported: unreferenced object 0xffff80231e7dba80 (size 64): comm "hwclock", pid 27762, jiffies 4296880075 (age 356.944s) hex dump (first 32 bytes): 03 00 12 03 19 02 11 13 00 80 98 18 00 00 ff ff ................ 00 50 00 00 00 00 00 00 02 00 00 00 00 00 00 00 .P.............. backtrace: [] create_object+0xf8/0x278 [] kmemleak_alloc+0x74/0xa0 [] __kmalloc+0x1ac/0x348 [] pcf2127_i2c_gather_write+0x54/0xf8 [] _regmap_raw_write+0x464/0x850 [] regmap_bulk_write+0x1a4/0x348 [] pcf2127_rtc_set_time+0xac/0xe8 [] rtc_set_time+0x80/0x138 [] rtc_dev_ioctl+0x398/0x610 [] do_vfs_ioctl+0xb0/0x848 [] SyS_ioctl+0x8c/0xa8 [] el0_svc_naked+0x34/0x38 [] 0xffffffffffffffff Signed-off-by: Xulin Sun Signed-off-by: Alexandre Belloni Signed-off-by: Sasha Levin commit 3955562527ee530e88c3197d1809f90b5dcc45f5 Author: Anson Huang Date: Mon Nov 5 00:59:28 2018 +0000 cpufreq: imx6q: add return value check for voltage scale [ Upstream commit 6ef28a04d1ccf718eee069b72132ce4aa1e52ab9 ] Add return value check for voltage scale when ARM clock rate change fail. Signed-off-by: Anson Huang Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit c57911f06591a2255c66d37880078d202d568f9e Author: Scott Wood Date: Tue Nov 6 19:49:34 2018 -0600 KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE [ Upstream commit 28c5bcf74fa07c25d5bd118d1271920f51ce2a98 ] TRACE_INCLUDE_PATH and TRACE_INCLUDE_FILE are used by , so like that #include, they should be outside #ifdef protection. They also need to be #undefed before defining, in case multiple trace headers are included by the same C file. This became the case on book3e after commit cf4a6085151a ("powerpc/mm: Add missing tracepoint for tlbie"), leading to the following build error: CC arch/powerpc/kvm/powerpc.o In file included from arch/powerpc/kvm/powerpc.c:51:0: arch/powerpc/kvm/trace.h:9:0: error: "TRACE_INCLUDE_PATH" redefined [-Werror] #define TRACE_INCLUDE_PATH . ^ In file included from arch/powerpc/kvm/../mm/mmu_decl.h:25:0, from arch/powerpc/kvm/powerpc.c:48: ./arch/powerpc/include/asm/trace.h:224:0: note: this is the location of the previous definition #define TRACE_INCLUDE_PATH asm ^ cc1: all warnings being treated as errors Reported-by: Christian Zigotzky Signed-off-by: Scott Wood Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit 0c7c4c4ae9fef2806ff0c4f5a57e51e3e778b5ac Author: Jerome Brunet Date: Tue Oct 23 18:03:19 2018 +0200 pinctrl: meson: fix pinconf bias disable [ Upstream commit e39f9dd8206ad66992ac0e6218ef1ba746f2cce9 ] If a bias is enabled on a pin of an Amlogic SoC, calling .pin_config_set() with PIN_CONFIG_BIAS_DISABLE will not disable the bias. Instead it will force a pull-down bias on the pin. Instead of the pull type register bank, the driver should access the pull enable register bank. Fixes: 6ac730951104 ("pinctrl: add driver for Amlogic Meson SoCs") Signed-off-by: Jerome Brunet Acked-by: Neil Armstrong Signed-off-by: Linus Walleij Signed-off-by: Sasha Levin commit 1a8174028d894936a21260975047bff64a392f1f Author: Mathias Nyman Date: Thu Nov 15 11:38:41 2018 +0200 usb: xhci: Prevent bus suspend if a port connect change or polling state is detected commit 2f31a67f01a8beb22cae754c53522cb61a005750 upstream. USB3 roothub might autosuspend before a plugged USB3 device is detected, causing USB3 device enumeration failure. USB3 devices don't show up as connected and enabled until USB3 link trainig completes. On a fast booting platform with a slow USB3 link training the link might reach the connected enabled state just as the bus is suspending. If this device is discovered first time by the xhci_bus_suspend() routine it will be put to U3 suspended state like the other ports which failed to suspend earlier. The hub thread will notice the connect change and resume the bus, moving the port back to U0 This U0 -> U3 -> U0 transition right after being connected seems to be too much for some devices, causing them to first go to SS.Inactive state, and finally end up stuck in a polling state with reset asserted Fix this by failing the bus suspend if a port has a connect change or is in a polling state in xhci_bus_suspend(). Don't do any port changes until all ports are checked, buffer all port changes and only write them in the end if suspend can proceed Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 415592434d912ef06109149d6b480e5911b55eb8 Author: Michael J. Ruhl Date: Mon Sep 10 09:39:03 2018 -0700 IB/hfi1: Eliminate races in the SDMA send error path commit a0e0cb82804a6a21d9067022c2dfdf80d11da429 upstream. pq_update() can only be called in two places: from the completion function when the complete (npkts) sequence of packets has been submitted and processed, or from setup function if a subset of the packets were submitted (i.e. the error path). Currently both paths can call pq_update() if an error occurrs. This race will cause the n_req value to go negative, hanging file_close(), or cause a crash by freeing the txlist more than once. Several variables are used to determine SDMA send state. Most of these are unnecessary, and have code inspectible races between the setup function and the completion function, in both the send path and the error path. The request 'status' value can be set by the setup or by the completion function. This is code inspectibly racy. Since the status is not needed in the completion code or by the caller it has been removed. The request 'done' value races between usage by the setup and the completion function. The completion function does not need this. When the number of processed packets matches npkts, it is done. The 'has_error' value races between usage of the setup and the completion function. This can cause incorrect error handling and leave the n_req in an incorrect value (i.e. negative). Simplify the code by removing all of the unneeded state checks and variables. Clean up iovs node when it is freed. Eliminate race conditions in the error path: If all packets are submitted, the completion handler will set the completion status correctly (ok or aborted). If all packets are not submitted, the caller must wait until the submitted packets have completed, and then set the completion status. These two change eliminate the race condition in the error path. Reviewed-by: Mitko Haralanov Reviewed-by: Mike Marciniszyn Signed-off-by: Michael J. Ruhl Signed-off-by: Dennis Dalessandro Signed-off-by: Jason Gunthorpe Signed-off-by: Greg Kroah-Hartman commit 7f6a5410f5419d8144988b6b31ffe0b300fd341e Author: Alex Estrin Date: Thu Aug 31 09:30:34 2017 -0700 IB/core: Fix for core panic commit e6f9bc34d3779cb7b6a337afed5de8be3f0fab77 upstream. Build with the latest patches resulted in panic: 11384.486289] BUG: unable to handle kernel NULL pointer dereference at (null) [11384.486293] IP: (null) [11384.486295] PGD 0 [11384.486295] P4D 0 [11384.486296] [11384.486299] Oops: 0010 [#1] SMP ......... snip ...... [11384.486401] CPU: 0 PID: 968 Comm: kworker/0:1H Tainted: G W O 4.13.0-a-stream-20170825 #1 [11384.486402] Hardware name: Intel Corporation S2600WT2R/S2600WT2R, BIOS SE5C610.86B.01.01.0014.121820151719 12/18/2015 [11384.486418] Workqueue: ib-comp-wq ib_cq_poll_work [ib_core] [11384.486419] task: ffff880850579680 task.stack: ffffc90007fec000 [11384.486420] RIP: 0010: (null) [11384.486420] RSP: 0018:ffffc90007fef970 EFLAGS: 00010206 [11384.486421] RAX: ffff88084cfe8000 RBX: ffff88084dce4000 RCX: ffffc90007fef978 [11384.486422] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff88084cfe8000 [11384.486422] RBP: ffffc90007fefab0 R08: 0000000000000000 R09: ffff88084dce4080 [11384.486423] R10: ffffffffa02d7f60 R11: 0000000000000000 R12: ffff88105af65a00 [11384.486423] R13: ffff88084dce4000 R14: 000000000000c000 R15: 000000000000c000 [11384.486424] FS: 0000000000000000(0000) GS:ffff88085f400000(0000) knlGS:0000000000000000 [11384.486425] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [11384.486425] CR2: 0000000000000000 CR3: 0000000001c09000 CR4: 00000000001406f0 [11384.486426] Call Trace: [11384.486431] ? is_valid_mcast_lid.isra.21+0xfb/0x110 [ib_core] [11384.486436] ib_attach_mcast+0x6f/0xa0 [ib_core] [11384.486441] ipoib_mcast_attach+0x81/0x190 [ib_ipoib] [11384.486443] ipoib_mcast_join_complete+0x354/0xb40 [ib_ipoib] [11384.486448] mcast_work_handler+0x330/0x6c0 [ib_core] [11384.486452] join_handler+0x101/0x220 [ib_core] [11384.486455] ib_sa_mcmember_rec_callback+0x54/0x80 [ib_core] [11384.486459] recv_handler+0x3a/0x60 [ib_core] [11384.486462] ib_mad_recv_done+0x423/0x9b0 [ib_core] [11384.486466] __ib_process_cq+0x5d/0xb0 [ib_core] [11384.486469] ib_cq_poll_work+0x20/0x60 [ib_core] [11384.486472] process_one_work+0x149/0x360 [11384.486474] worker_thread+0x4d/0x3c0 [11384.486487] kthread+0x109/0x140 [11384.486488] ? rescuer_thread+0x380/0x380 [11384.486489] ? kthread_park+0x60/0x60 [11384.486490] ? kthread_park+0x60/0x60 [11384.486493] ret_from_fork+0x25/0x30 [11384.486493] Code: Bad RIP value. [11384.486493] Code: Bad RIP value. [11384.486496] RIP: (null) RSP: ffffc90007fef970 [11384.486497] CR2: 0000000000000000 [11384.486531] ---[ end trace b1acec6fb4ff6e75 ]--- [11384.532133] Kernel panic - not syncing: Fatal exception [11384.536541] Kernel Offset: disabled [11384.969491] ---[ end Kernel panic - not syncing: Fatal exception [11384.976875] sched: Unexpected reschedule of offline CPU#1! [11384.983646] ------------[ cut here ]------------ Rdma device driver may not have implemented (*get_link_layer)() so it can not be called directly. Should use appropriate helper function. Reviewed-by: Yuval Shaia Fixes: 523633359224 ("IB/core: Fix the validations of a multicast LID in attach or detach operations") Cc: stable@kernel.org # 4.13 Reviewed-by: Dennis Dalessandro Signed-off-by: Alex Estrin Signed-off-by: Dennis Dalessandro Reviewed-by: Leon Romanovsky Signed-off-by: Doug Ledford Cc: Mike Marciniszyn Signed-off-by: Greg Kroah-Hartman commit c4c2c2870a8c0ba25b7871ec2f3d573031e8429a Author: Marc Kleine-Budde Date: Wed Oct 31 14:15:13 2018 +0100 can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream. Prior to echoing a successfully transmitted CAN frame (by calling can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling can_put_echo_skb() in the transmit function). These put and get function take an index as parameter, which is used to identify the CAN frame. A driver calling can_get_echo_skb() with a index not pointing to a skb is a BUG, so add an appropriate error message. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 8aa60a6d605d1598fc3a3a36c37d9f568db5b0fc Author: Marc Kleine-Budde Date: Wed Oct 31 14:05:26 2018 +0100 can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream. If the "struct can_priv::echo_skb" is accessed out of bounds would lead to a kernel crash. Better print a sensible warning message instead and try to recover. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 5adc1c548aa5e684fd312c8a7c822f2f47a04b4e Author: Marc Kleine-Budde Date: Wed Oct 31 11:08:21 2018 +0100 can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream. This patch replaces the use of "struct can_frame::can_dlc" by "struct canfd_frame::len" to access the frame's length. As it is ensured that both structures have a compatible memory layout for this member this is no functional change. Futher, this compatibility is documented in a comment. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 8bcd10db1c4f8ee531407ad8b200fc9a79b49e3b Author: Marc Kleine-Budde Date: Wed Oct 31 10:37:46 2018 +0100 can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream. This patch factors out all non sending parts of can_get_echo_skb() into a seperate function __can_get_echo_skb(), so that it can be re-used in an upcoming patch. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 0bf67de5daa4c6de5ad8bb9f4349de98d94d9b82 Author: Thomas Zimmermann Date: Thu Nov 15 11:42:16 2018 +0100 drm/ast: Remove existing framebuffers before loading driver commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream. If vesafb attaches to the AST device, it configures the framebuffer memory for uncached access by default. When ast.ko later tries to attach itself to the device, it wants to use write-combining on the framebuffer memory, but vesefb's existing configuration for uncached access takes precedence. This results in reduced performance. Removing the framebuffer's configuration before loding the AST driver fixes the problem. Other DRM drivers already contain equivalent code. Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963 Signed-off-by: Thomas Zimmermann Cc: Tested-by: Y.C. Chen Reviewed-by: Jean Delvare Tested-by: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 7fdaacc08451580b4dc2514e37d08ea5b4f09ef3 Author: Y.C. Chen Date: Tue Oct 30 11:34:46 2018 +0800 drm/ast: fixed cursor may disappear sometimes commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream. Signed-off-by: Y.C. Chen Cc: Reviewed-by: Dave Airlie Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f1c32bab45f366b268b10c8a00ef15d3a699b4f3 Author: Y.C. Chen Date: Wed Oct 3 14:57:47 2018 +0800 drm/ast: change resolution may cause screen blurred commit 1a37bd823891568f8721989aed0615835632d81a upstream. The value of pitches is not correct while calling mode_set. The issue we found so far on following system: - Debian8 with XFCE Desktop - Ubuntu with KDE Desktop - SUSE15 with KDE Desktop Signed-off-by: Y.C. Chen Cc: Tested-by: Jean Delvare Reviewed-by: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 789c6944efa0e39bbad9d91b7f7c2632e871823d Author: Dmitry Vyukov Date: Fri Oct 26 15:03:12 2018 -0700 mm: don't warn about large allocations for slab commit 61448479a9f2c954cde0cfe778cb6bec5d0a748d upstream. Slub does not call kmalloc_slab() for sizes > KMALLOC_MAX_CACHE_SIZE, instead it falls back to kmalloc_large(). For slab KMALLOC_MAX_CACHE_SIZE == KMALLOC_MAX_SIZE and it calls kmalloc_slab() for all allocations relying on NULL return value for over-sized allocations. This inconsistency leads to unwanted warnings from kmalloc_slab() for over-sized allocations for slab. Returning NULL for failed allocations is the expected behavior. Make slub and slab code consistent by checking size > KMALLOC_MAX_CACHE_SIZE in slab before calling kmalloc_slab(). While we are here also fix the check in kmalloc_slab(). We should check against KMALLOC_MAX_CACHE_SIZE rather than KMALLOC_MAX_SIZE. It all kinda worked because for slab the constants are the same, and slub always checks the size against KMALLOC_MAX_CACHE_SIZE before kmalloc_slab(). But if we get there with size > KMALLOC_MAX_CACHE_SIZE anyhow bad things will happen. For example, in case of a newly introduced bug in slub code. Also move the check in kmalloc_slab() from function entry to the size > 192 case. This partially compensates for the additional check in slab code and makes slub code a bit faster (at least theoretically). Also drop __GFP_NOWARN in the warning check. This warning means a bug in slab code itself, user-passed flags have nothing to do with it. Nothing of this affects slob. Link: http://lkml.kernel.org/r/20180927171502.226522-1-dvyukov@gmail.com Signed-off-by: Dmitry Vyukov Reported-by: syzbot+87829a10073277282ad1@syzkaller.appspotmail.com Reported-by: syzbot+ef4e8fc3a06e9019bb40@syzkaller.appspotmail.com Reported-by: syzbot+6e438f4036df52cbb863@syzkaller.appspotmail.com Reported-by: syzbot+8574471d8734457d98aa@syzkaller.appspotmail.com Reported-by: syzbot+af1504df0807a083dbd9@syzkaller.appspotmail.com Acked-by: Christoph Lameter Acked-by: Vlastimil Babka Cc: Pekka Enberg Cc: David Rientjes Cc: Joonsoo Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2a1220041c3d819fee7f61e198f012bb19baa212 Author: Eric Dumazet Date: Mon Oct 22 09:24:27 2018 -0700 llc: do not use sk_eat_skb() commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream. syzkaller triggered a use-after-free [1], caused by a combination of skb_get() in llc_conn_state_process() and usage of sk_eat_skb() sk_eat_skb() is assuming the skb about to be freed is only used by the current thread. TCP/DCCP stacks enforce this because current thread holds the socket lock. llc_conn_state_process() wants to make sure skb does not disappear, and holds a reference on the skb it manipulates. But as soon as this skb is added to socket receive queue, another thread can consume it. This means that llc must use regular skb_unlink() and kfree_skb() so that both producer and consumer can safely work on the same skb. [1] BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] refcount_read include/linux/refcount.h:43 [inline] skb_unref include/linux/skbuff.h:967 [inline] kfree_skb+0xb7/0x580 net/core/skbuff.c:655 llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 kthread+0x35a/0x420 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 Allocated by task 18: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 __alloc_skb+0x119/0x770 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:995 [inline] llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 Freed by task 16383: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x83/0x290 mm/slab.c:3756 kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 sk_eat_skb include/net/sock.h:2366 [inline] llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 sock_recvmsg_nosec net/socket.c:794 [inline] sock_recvmsg+0xd0/0x110 net/socket.c:801 ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 __do_sys_recvmmsg net/socket.c:2484 [inline] __se_sys_recvmmsg net/socket.c:2480 [inline] __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801d1f6fac0 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 228 bytes inside of 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) The buggy address belongs to the page: page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 50c00054ebd9096fc2232c65d1ba11575c16e13c Author: Andrew Price Date: Mon Oct 8 07:52:43 2018 -0500 gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream. When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points to the same address. Move the assignment after that error check so that s_fs_info can only point to a valid sdp or NULL, which is checked for later in the error path, in gfs2_kill_super(). Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com Signed-off-by: Andrew Price Signed-off-by: Bob Peterson Signed-off-by: Greg Kroah-Hartman commit e044554e97e812eb257d073bcc130e0ea653858f Author: Xin Long Date: Mon Oct 29 23:10:29 2018 +0800 sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream. If a transport is removed by asconf but there still are some chunks with this transport queuing on out_chunk_list, later an use-after-free issue will be caused when accessing this transport from these chunks in sctp_outq_flush(). This is an old bug, we fix it by clearing the transport of these chunks in out_chunk_list when removing a transport in sctp_assoc_rm_peer(). Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ecfcb85cd637e1c6e855323e7195cd7242faa894 Author: Tetsuo Handa Date: Fri Nov 2 15:48:42 2018 -0700 bfs: add sanity check at bfs_fill_super() commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream. syzbot is reporting too large memory allocation at bfs_fill_super() [1]. Since file system image is corrupted such that bfs_sb->s_start == 0, bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and printf(). [1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Tetsuo Handa Reported-by: syzbot Reviewed-by: Andrew Morton Cc: Tigran Aivazian Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 47ff7629822ee2e1767f9c2886a47b1b075549f5 Author: Tetsuo Handa Date: Sat Sep 8 01:42:58 2018 +0900 selinux: Add __GFP_NOWARN to allocation at str_read() commit 4458bba09788e70e8fb39ad003f087cd9dfbd6ac upstream. syzbot is hitting warning at str_read() [1] because len parameter can become larger than KMALLOC_MAX_SIZE. We don't need to emit warning for this case. [1] https://syzkaller.appspot.com/bug?id=7f2f5aad79ea8663c296a2eedb81978401a908f0 Signed-off-by: Tetsuo Handa Reported-by: syzbot Signed-off-by: Paul Moore Signed-off-by: Greg Kroah-Hartman commit 3a0e8e3587454c5f1c02b8450a4b71e517a7a1be Author: Dominique Martinet Date: Mon Aug 27 15:12:05 2018 +0900 v9fs_dir_readdir: fix double-free on p9stat_read error commit 81c99089bce693b94b775b6eb888115d2d540086 upstream. p9stat_read will call p9stat_free on error, we should only free the struct content on success. There also is no need to "p9stat_init" st as the read function will zero the whole struct for us anyway, so clean up the code a bit while we are here. Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org Signed-off-by: Dominique Martinet Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com Signed-off-by: Greg Kroah-Hartman commit 8af78a66b255b80c5ffd2c6ce3bb7f2f48ec4437 Author: Konstantin Khlebnikov Date: Tue Oct 16 11:56:26 2018 +0300 tools/power/cpupower: fix compilation with STATIC=true commit 9de9aa45e9bd67232e000cca42ceb134b8ae51b6 upstream. Rename duplicate sysfs_read_file into cpupower_read_sysfs and fix linking. Signed-off-by: Konstantin Khlebnikov Acked-by: Thomas Renninger Cc: Signed-off-by: Shuah Khan (Samsung OSG) Signed-off-by: Greg Kroah-Hartman commit a62e87afaaa8d4915062540e5bef69ec426754d8 Author: Rafał Miłecki Date: Thu Nov 8 16:08:29 2018 +0100 brcmfmac: fix reporting support for 160 MHz channels commit d1fe6ad6f6bd61c84788d3a7b11e459a439c6169 upstream. Driver can report IEEE80211_VHT_CAP_SUPP_CHAN_WIDTH_160MHZ so it's important to provide valid & complete info about supported bands for each channel. By default no support for 160 MHz should be assumed unless firmware reports it for a given channel later. This fixes info passed to the userspace. Without that change userspace could try to use invalid channel and fail to start an interface. Signed-off-by: Rafał Miłecki Cc: stable@vger.kernel.org Signed-off-by: Kalle Valo Signed-off-by: Greg Kroah-Hartman commit 3d44c295310216685a12023d910b474dff38799d Author: Emmanuel Grumbach Date: Wed Oct 3 11:16:54 2018 +0300 iwlwifi: mvm: fix regulatory domain update when the firmware starts commit 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c upstream. When the firmware starts, it doesn't have any regulatory information, hence it uses the world wide limitations. The driver can feed the firmware with previous knowledge that was kept in the driver, but the firmware may still not update its internal tables. This happens when we start a BSS interface, and then the firmware can change the regulatory tables based on our location and it'll use more lenient, location specific rules. Then, if the firmware is shut down (when the interface is brought down), and then an AP interface is created, the firmware will forget the country specific rules. The host will think that we are in a certain country that may allow channels and will try to teach the firmware about our location, but the firmware may still not allow to drop the world wide limitations and apply country specific rules because it was just re-started. In this case, the firmware will reply with MCC_RESP_ILLEGAL to the MCC_UPDATE_CMD. In that case, iwlwifi needs to let the upper layers (cfg80211 / hostapd) know that the channel list they know about has been updated. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201105 Cc: stable@vger.kernel.org Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 91a292b850cbb8ccfffb6ef66402ff452cdab48c Author: Emmanuel Grumbach Date: Thu Aug 16 13:25:48 2018 +0300 iwlwifi: mvm: support sta_statistics() even on older firmware commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream. The oldest firmware supported by iwlmvm do support getting the average beacon RSSI. Enable the sta_statistics() call from mac80211 even on older firmware versions. Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client") Cc: stable@vger.kernel.org # 4.2+ Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 2e668d7f1ab5963375798157e8d45c982b1f3d89 Author: Vladimir Zapolskiy Date: Fri Nov 2 15:39:43 2018 +0200 gpio: don't free unallocated ida on gpiochip_add_data_with_key() error path commit a05a14049999598a3bb6fab12db6b768a0215522 upstream. The change corrects the error path in gpiochip_add_data_with_key() by avoiding to call ida_simple_remove(), if ida_simple_get() returns an error. Note that ida_simple_remove()/ida_free() throws a BUG(), if id argument is negative, it allows to easily check the correctness of the fix by fuzzing the return value from ida_simple_get(). Fixes: ff2b13592299 ("gpio: make the gpiochip a real device") Cc: stable@vger.kernel.org # v4.6+ Signed-off-by: Vladimir Zapolskiy Signed-off-by: Linus Walleij Signed-off-by: Greg Kroah-Hartman commit 1b90193990ac928c58f282cc26e7c75e34f20c28 Author: Greg Kroah-Hartman Date: Thu Nov 15 15:03:24 2018 -0800 MAINTAINERS: Add Sasha as a stable branch maintainer commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream. Sasha has somehow been convinced into helping me with the stable kernel maintenance. Codify this slip in good judgement before he realizes what he really signed up for :) Signed-off-by: Greg Kroah-Hartman Acked-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit 43bc9c671e5e6fe4d994972f2c5b981b78bc7115 Author: Aaron Ma Date: Fri Nov 9 17:21:21 2018 +0200 usb: xhci: fix timeout for transition from RExit to U0 commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream. This definition is used by msecs_to_jiffies in milliseconds. According to the comments, max rexit timeout should be 20ms. Align with the comments to properly calculate the delay. Verified on Sunrise Point-LP and Cannon Lake. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 6d5da206d6fa16ba75ea22a7e2a31b180f4e7b02 Author: Andy Shevchenko Date: Mon Aug 27 18:30:16 2018 +0300 usb: dwc3: core: Clean up ULPI device commit 08fd9a82fda86529bb2f2af3c2f7cb657b4d3066 upstream. If dwc3_core_init_mode() fails with deferred probe, next probe fails on sysfs with sysfs: cannot create duplicate filename '/devices/pci0000:00/0000:00:11.0/dwc3.0.auto/dwc3.0.auto.ulpi' To avoid this failure, clean up ULPI device. Cc: Signed-off-by: Andy Shevchenko Signed-off-by: Felipe Balbi Signed-off-by: Greg Kroah-Hartman commit b7e04483ba7c3f5c9da0bf83da3f7ffdb4f60fb3 Author: Dennis Wassenberg Date: Tue Nov 13 14:40:34 2018 +0100 usb: core: Fix hub port connection events lost commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream. This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset only if a device is was attached to the hub port before resetting the hub port. Using a Lenovo T480s attached to the ultra dock it was not possible to detect some usb-c devices at the dock usb-c ports because the hub_port_reset code will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset. Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit. This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the new device was attached such that it was not detected. This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is currently no device attached to the port before the hub port reset. This will avoid clearing the connection bit for new attached devices. Signed-off-by: Dennis Wassenberg Acked-by: Mathias Nyman Cc: stable Signed-off-by: Greg Kroah-Hartman