1. 06 Dec, 2018 1 commit
  2. 05 Dec, 2018 4 commits
    • Mathias Payer's avatar
      USB: check usb_get_extra_descriptor for proper size · 704620af
      Mathias Payer authored
      When reading an extra descriptor, we need to properly check the minimum
      and maximum size allowed, to prevent from invalid data being sent by a
      device.
      Reported-by: default avatarHui Peng <benquike@gmail.com>
      Reported-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Co-developed-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Signed-off-by: default avatarHui Peng <benquike@gmail.com>
      Signed-off-by: default avatarMathias Payer <mathias.payer@nebelwelt.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      Cc: stable <stable@kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      704620af
    • Harry Pan's avatar
      usb: quirk: add no-LPM quirk on SanDisk Ultra Flair device · 2f2dde6b
      Harry Pan authored
      Some lower volume SanDisk Ultra Flair in 16GB, which the VID:PID is
      in 0781:5591, will aggressively request LPM of U1/U2 during runtime,
      when using this thumb drive as the OS installation key we found the
      device will generate failure during U1 exit path making it dropped
      from the USB bus, this causes a corrupted installation in system at
      the end.
      
      i.e.,
      [  166.918296] hub 2-0:1.0: state 7 ports 7 chg 0000 evt 0004
      [  166.918327] usb usb2-port2: link state change
      [  166.918337] usb usb2-port2: do warm reset
      [  166.970039] usb usb2-port2: not warm reset yet, waiting 50ms
      [  167.022040] usb usb2-port2: not warm reset yet, waiting 200ms
      [  167.276043] usb usb2-port2: status 02c0, change 0041, 5.0 Gb/s
      [  167.276050] usb 2-2: USB disconnect, device number 2
      [  167.276058] usb 2-2: unregistering device
      [  167.276060] usb 2-2: unregistering interface 2-2:1.0
      [  167.276170] xhci_hcd 0000:00:15.0: shutdown urb ffffa3c7cc695cc0 ep1in-bulk
      [  167.284055] sd 0:0:0:0: [sda] tag#0 FAILED Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
      [  167.284064] sd 0:0:0:0: [sda] tag#0 CDB: Read(10) 28 00 00 33 04 90 00 01 00 00
      ...
      
      Analyzed the USB trace in the link layer we realized it is because
      of the 6-ms timer of tRecoveryConfigurationTimeout which documented
      on the USB 3.2 Revision 1.0, the section 7.5.10.4.2 of "Exit from
      Recovery.Configuration"; device initiates U1 exit -> Recovery.Active
      -> Recovery.Configuration, then the host timer timeout makes the link
      transits to eSS.Inactive -> Rx.Detect follows by a Warm Reset.
      
      Interestingly, the other higher volume of SanDisk Ultra Flair sharing
      the same VID:PID, such as 64GB, would not request LPM during runtime,
      it sticks at U0 always, thus disabling LPM does not affect those thumb
      drives at all.
      
      The same odd occures in SanDisk Ultra Fit 16GB, VID:PID in 0781:5583.
      Signed-off-by: default avatarHarry Pan <harry.pan@intel.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      2f2dde6b
    • Alan Stern's avatar
      USB: Fix invalid-free bug in port_over_current_notify() · d81bb019
      Alan Stern authored
      Syzbot and KASAN found the following invalid-free bug in
      port_over_current_notify():
      
      --------------------------------------------------------------------------
      BUG: KASAN: double-free or invalid-free in port_over_current_notify
      drivers/usb/core/hub.c:5192 [inline]
      BUG: KASAN: double-free or invalid-free in port_event
      drivers/usb/core/hub.c:5241 [inline]
      BUG: KASAN: double-free or invalid-free in hub_event+0xd97/0x4140
      drivers/usb/core/hub.c:5384
      
      CPU: 1 PID: 32710 Comm: kworker/1:3 Not tainted 4.20.0-rc3+ #129
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
      Google 01/01/2011
      Workqueue: usb_hub_wq hub_event
      Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0x244/0x39d lib/dump_stack.c:113
        print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
        kasan_report_invalid_free+0x64/0xa0 mm/kasan/report.c:336
        __kasan_slab_free+0x13a/0x150 mm/kasan/kasan.c:501
        kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
        __cache_free mm/slab.c:3498 [inline]
        kfree+0xcf/0x230 mm/slab.c:3817
        port_over_current_notify drivers/usb/core/hub.c:5192 [inline]
        port_event drivers/usb/core/hub.c:5241 [inline]
        hub_event+0xd97/0x4140 drivers/usb/core/hub.c:5384
        process_one_work+0xc90/0x1c40 kernel/workqueue.c:2153
        worker_thread+0x17f/0x1390 kernel/workqueue.c:2296
        kthread+0x35a/0x440 kernel/kthread.c:246
        ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      --------------------------------------------------------------------------
      
      The problem is caused by use of a static array to store
      environment-string pointers.  When the routine is called by multiple
      threads concurrently, the pointers from one thread can overwrite those
      from another.
      
      The solution is to use an ordinary automatic array instead of a static
      array.
      Signed-off-by: default avatarAlan Stern <stern@rowland.harvard.edu>
      Reported-by: syzbot+98881958e1410ec7e53c@syzkaller.appspotmail.com
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d81bb019
    • Alexander Theissen's avatar
      usb: appledisplay: Add 27" Apple Cinema Display · d7859905
      Alexander Theissen authored
      Add another Apple Cinema Display to the list of supported displays.
      Signed-off-by: default avatarAlexander Theissen <alex.theissen@me.com>
      Cc: stable <stable@vger.kernel.org>
      Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      d7859905
  3. 02 Dec, 2018 4 commits
    • Linus Torvalds's avatar
      Linux 4.20-rc5 · 25956467
      Linus Torvalds authored
      25956467
    • Linus Torvalds's avatar
      Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · 6a512726
      Linus Torvalds authored
      Pull ARM SoC fixes from Olof Johansson:
       "Volume is a little higher than usual due to a set of gpio fixes for
        Davinci platforms that's been around a while, still seemed appropriate
        to not hold off until next merge window.
      
        Besides that it's the usual mix of minor fixes, mostly corrections of
        small stuff in device trees.
      
        Major stability-related one is the removal of a regulator from DT on
        Rock960, since DVFS caused undervoltage. I expect it'll be restored
        once they figure out the underlying issue"
      
      * tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc: (28 commits)
        MAINTAINERS: Remove unused Qualcomm SoC mailing list
        ARM: davinci: dm644x: set the GPIO base to 0
        ARM: davinci: da830: set the GPIO base to 0
        ARM: davinci: dm355: set the GPIO base to 0
        ARM: davinci: dm646x: set the GPIO base to 0
        ARM: davinci: dm365: set the GPIO base to 0
        ARM: davinci: da850: set the GPIO base to 0
        gpio: davinci: restore a way to manually specify the GPIO base
        ARM: davinci: dm644x: define gpio interrupts as separate resources
        ARM: davinci: dm355: define gpio interrupts as separate resources
        ARM: davinci: dm646x: define gpio interrupts as separate resources
        ARM: davinci: dm365: define gpio interrupts as separate resources
        ARM: davinci: da8xx: define gpio interrupts as separate resources
        ARM: dts: at91: sama5d2: use the divided clock for SMC
        ARM: dts: imx51-zii-rdu1: Remove EEPROM node
        ARM: dts: rockchip: Remove @0 from the veyron memory node
        arm64: dts: rockchip: Fix PCIe reset polarity for rk3399-puma-haikou.
        arm64: dts: qcom: msm8998: Reserve gpio ranges on MTP
        arm64: dts: sdm845-mtp: Reserve reserved gpios
        arm64: dts: ti: k3-am654: Fix wakeup_uart reg address
        ...
      6a512726
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.20a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 292974c5
      Linus Torvalds authored
      Pull xen fixes from Juergen Gross:
      
       - A revert of a previous commit as it is no longer necessary and has
         shown to cause problems in some memory hotplug cases.
      
       - Some small fixes and a minor cleanup.
      
       - A patch for adding better diagnostic data in a very rare failure
         case.
      
      * tag 'for-linus-4.20a-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        pvcalls-front: fixes incorrect error handling
        Revert "xen/balloon: Mark unallocated host memory as UNUSABLE"
        xen: xlate_mmu: add missing header to fix 'W=1' warning
        xen/x86: add diagnostic printout to xen_mc_flush() in case of error
        x86/xen: cleanup includes in arch/x86/xen/spinlock.c
      292974c5
    • Linus Torvalds's avatar
      Merge tag 'dmaengine-fix-4.20-rc5' of git://git.infradead.org/users/vkoul/slave-dma · a234c737
      Linus Torvalds authored
      Pull dmaengine fixes from Vinod Koul:
       "This contains two fixes to at_hdmac which fixes long standing bus
        reported recently on serial transfers causing memory leak. These fixes
        were done by Richard Genoud"
      
      * tag 'dmaengine-fix-4.20-rc5' of git://git.infradead.org/users/vkoul/slave-dma:
        dmaengine: at_hdmac: fix module unloading
        dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
      a234c737
  4. 01 Dec, 2018 10 commits
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 4b783176
      Linus Torvalds authored
      Pull STIBP fallout fixes from Thomas Gleixner:
       "The performance destruction department finally got it's act together
        and came up with a cure for the STIPB regression:
      
         - Provide a command line option to control the spectre v2 user space
           mitigations. Default is either seccomp or prctl (if seccomp is
           disabled in Kconfig). prctl allows mitigation opt-in, seccomp
           enables the migitation for sandboxed processes.
      
         - Rework the code to handle the conditional STIBP/IBPB control and
           remove the now unused ptrace_may_access_sched() optimization
           attempt
      
         - Disable STIBP automatically when SMT is disabled
      
         - Optimize the switch_to() logic to avoid MSR writes and invocations
           of __switch_to_xtra().
      
         - Make the asynchronous speculation TIF updates synchronous to
           prevent stale mitigation state.
      
        As a general cleanup this also makes retpoline directly depend on
        compiler support and removes the 'minimal retpoline' option which just
        pretended to provide some form of security while providing none"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (31 commits)
        x86/speculation: Provide IBPB always command line options
        x86/speculation: Add seccomp Spectre v2 user space protection mode
        x86/speculation: Enable prctl mode for spectre_v2_user
        x86/speculation: Add prctl() control for indirect branch speculation
        x86/speculation: Prepare arch_smt_update() for PRCTL mode
        x86/speculation: Prevent stale SPEC_CTRL msr content
        x86/speculation: Split out TIF update
        ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
        x86/speculation: Prepare for conditional IBPB in switch_mm()
        x86/speculation: Avoid __switch_to_xtra() calls
        x86/process: Consolidate and simplify switch_to_xtra() code
        x86/speculation: Prepare for per task indirect branch speculation control
        x86/speculation: Add command line control for indirect branch speculation
        x86/speculation: Unify conditional spectre v2 print functions
        x86/speculataion: Mark command line parser data __initdata
        x86/speculation: Mark string arrays const correctly
        x86/speculation: Reorder the spec_v2 code
        x86/l1tf: Show actual SMT state
        x86/speculation: Rework SMT state change
        sched/smt: Expose sched_smt_present static key
        ...
      4b783176
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20181201' of git://git.kernel.dk/linux-block · 88058417
      Linus Torvalds authored
      Pull block layer fixes from Jens Axboe:
      
       - Single range elevator discard merge fix, that caused crashes (Ming)
      
       - Fix for a regression in O_DIRECT, where we could potentially lose the
         error value (Maximilian Heyne)
      
       - NVMe pull request from Christoph, with little fixes all over the map
         for NVMe.
      
      * tag 'for-linus-20181201' of git://git.kernel.dk/linux-block:
        block: fix single range discard merge
        nvme-rdma: fix double freeing of async event data
        nvme: flush namespace scanning work just before removing namespaces
        nvme: warn when finding multi-port subsystems without multipathing enabled
        fs: fix lost error code in dio_complete
        nvme-pci: fix surprise removal
        nvme-fc: initialize nvme_req(rq)->ctrl after calling __nvme_fc_init_request()
        nvme: Free ctrl device name on init failure
      88058417
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.20-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · c734b425
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix a link speed checking interface that broke PCIe gen3 cards in
         gen1 slots (Mikulas Patocka)
      
       - Fix an imx6 link training error (Trent Piepho)
      
       - Fix a layerscape outbound window accessor calling error (Hou
         Zhiqiang)
      
       - Fix a DesignWare endpoint MSI-X address calculation error (Gustavo
         Pimentel)
      
      * tag 'pci-v4.20-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: Fix incorrect value returned from pcie_get_speed_cap()
        PCI: dwc: Fix MSI-X EP framework address calculation bug
        PCI: layerscape: Fix wrong invocation of outbound window disable accessor
        PCI: imx6: Fix link training status detection in link up check
      c734b425
    • Bjorn Helgaas's avatar
      Merge remote-tracking branch 'lorenzo/pci/controller-fixes' into for-linus · c74eadf8
      Bjorn Helgaas authored
        - Fix DesignWare endpoint MSI-X address calculation bug (Gustavo
          Pimentel)
      
        - Fix Layerscape outbound window disable usage (Hou Zhiqiang)
      
        - Fix imx6 link up detection (Trent Piepho)
      
      * lorenzo/pci/controller-fixes:
        PCI: dwc: Fix MSI-X EP framework address calculation bug
        PCI: layerscape: Fix wrong invocation of outbound window disable accessor
        PCI: imx6: Fix link training status detection in link up check
      c74eadf8
    • Mikulas Patocka's avatar
      PCI: Fix incorrect value returned from pcie_get_speed_cap() · f1f90e25
      Mikulas Patocka authored
      The macros PCI_EXP_LNKCAP_SLS_*GB are values, not bit masks.  We must mask
      the register and compare it against them.
      
      This fixes errors like this:
      
        amdgpu: [powerplay] failed to send message 261 ret is 0
      
      when a PCIe-v3 card is plugged into a PCIe-v1 slot, because the slot is
      being incorrectly reported as PCIe-v3 capable.
      
      6cf57be0, which appeared in v4.17, added pcie_get_speed_cap() with the
      incorrect test of PCI_EXP_LNKCAP_SLS as a bitmask.  5d9a6330, which
      appeared in v4.19, changed amdgpu to use pcie_get_speed_cap(), so the
      amdgpu bug reports below are regressions in v4.19.
      
      Fixes: 6cf57be0 ("PCI: Add pcie_get_speed_cap() to find max supported link speed")
      Fixes: 5d9a6330 ("drm/amdgpu: use pcie functions for link width and speed")
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=108704
      Link: https://bugs.freedesktop.org/show_bug.cgi?id=108778Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      [bhelgaas: update comment, remove use of PCI_EXP_LNKCAP_SLS_8_0GB and
      PCI_EXP_LNKCAP_SLS_16_0GB since those should be covered by PCI_EXP_LNKCAP2,
      remove test of PCI_EXP_LNKCAP for zero, since that register is required]
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Acked-by: default avatarAlex Deucher <alexander.deucher@amd.com>
      Cc: stable@vger.kernel.org	# v4.17+
      f1f90e25
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · d8f190ee
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "31 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>: (31 commits)
        ocfs2: fix potential use after free
        mm/khugepaged: fix the xas_create_range() error path
        mm/khugepaged: collapse_shmem() do not crash on Compound
        mm/khugepaged: collapse_shmem() without freezing new_page
        mm/khugepaged: minor reorderings in collapse_shmem()
        mm/khugepaged: collapse_shmem() remember to clear holes
        mm/khugepaged: fix crashes due to misaccounted holes
        mm/khugepaged: collapse_shmem() stop if punched or truncated
        mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
        mm/huge_memory: splitting set mapping+index before unfreeze
        mm/huge_memory: rename freeze_page() to unmap_page()
        initramfs: clean old path before creating a hardlink
        kernel/kcov.c: mark funcs in __sanitizer_cov_trace_pc() as notrace
        psi: make disabling/enabling easier for vendor kernels
        proc: fixup map_files test on arm
        debugobjects: avoid recursive calls with kmemleak
        userfaultfd: shmem: UFFDIO_COPY: set the page dirty if VM_WRITE is not set
        userfaultfd: shmem: add i_size checks
        userfaultfd: shmem/hugetlbfs: only allow to register VM_MAYWRITE vmas
        userfaultfd: shmem: allocate anonymous memory for MAP_PRIVATE shmem
        ...
      d8f190ee
    • Linus Torvalds's avatar
      Merge tag 'mips_fixes_4.20_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 6c7954b7
      Linus Torvalds authored
      Pull few more MIPS fixes from Paul Burton:
      
       - Fix mips_get_syscall_arg() to operate on the task specified when
         detecting o32 tasks running on MIPS64 kernels.
      
       - Fix some incorrect GPIO pin muxing for the MT7620 SoC.
      
       - Update the linux-mips mailing list address.
      
      * tag 'mips_fixes_4.20_4' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MAINTAINERS: Update linux-mips mailing list address
        MIPS: ralink: Fix mt7620 nd_sd pinmux
        mips: fix mips_get_syscall_arg o32 check
      6c7954b7
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 868dda00
      Linus Torvalds authored
      Pull arm64 fixes from Catalin Marinas:
      
       - Cortex-A76 erratum workaround
      
       - ftrace fix to enable syscall events on arm64
      
       - Fix uninitialised pointer in iort_get_platform_device_domain()
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        ACPI/IORT: Fix iort_get_platform_device_domain() uninitialized pointer value
        arm64: ftrace: Fix to enable syscall events on arm64
        arm64: Add workaround for Cortex-A76 erratum 1286807
      868dda00
    • Linus Torvalds's avatar
      Merge tag 'gcc-plugins-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 1f817429
      Linus Torvalds authored
      Pull stackleak plugin fix from Kees Cook:
       "Fix crash by not allowing kprobing of stackleak_erase() (Alexander
        Popov)"
      
      * tag 'gcc-plugins-v4.20-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        stackleak: Disable function tracing and kprobes for stackleak_erase()
      1f817429
    • Linus Torvalds's avatar
      Merge tag 'fscache-fixes-20181130' of... · fd3b3e0e
      Linus Torvalds authored
      Merge tag 'fscache-fixes-20181130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs
      
      Pull fscache and cachefiles fixes from David Howells:
       "Misc fixes:
      
         - Fix an assertion failure at fs/cachefiles/xattr.c:138 caused by a
           race between a cache object lookup failing and someone attempting
           to reenable that object, thereby triggering an update of the
           object's attributes.
      
         - Fix an assertion failure at fs/fscache/operation.c:449 caused by a
           split atomic subtract and atomic read that allows a race to happen.
      
         - Fix a leak of backing pages when simultaneously reading the same
           page from the same object from two or more threads.
      
         - Fix a hang due to a race between a cache object being discarded and
           the corresponding cookie being reenabled.
      
        There are also some minor cleanups:
      
         - Cast an enum value to a different enum type to prevent clang from
           generating a warning. This shouldn't cause any sort of change in
           the emitted code.
      
         - Use ktime_get_real_seconds() instead of get_seconds(). This is just
           used to uniquify a filename for an object to be placed in the
           graveyard. Objects placed there are deleted by cachfilesd in
           userspace immediately thereafter.
      
         - Remove an initialised, but otherwise unused variable. This should
           have been entirely optimised away anyway"
      
      * tag 'fscache-fixes-20181130' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
        fscache, cachefiles: remove redundant variable 'cache'
        cachefiles: avoid deprecated get_seconds()
        cachefiles: Explicitly cast enumerated type in put_object
        fscache: fix race between enablement and dropping of object
        cachefiles: Fix page leak in cachefiles_read_backing_file while vmscan is active
        fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
        cachefiles: Fix an assertion failure when trying to update a failed object
      fd3b3e0e
  5. 30 Nov, 2018 21 commits