commit 56ccc3f7a7ee1f0ab64453794ebbc7d9a4c8ddf7 Author: Greg Kroah-Hartman Date: Sat Dec 1 09:46:41 2018 +0100 Linux 4.4.166 commit a3e507763dd09d5a325271fc2fb355f7084ba47f Author: Thomas Zimmermann Date: Thu Nov 15 11:42:16 2018 +0100 drm/ast: Remove existing framebuffers before loading driver commit 5478ad10e7850ce3d8b7056db05ddfa3c9ddad9a upstream. If vesafb attaches to the AST device, it configures the framebuffer memory for uncached access by default. When ast.ko later tries to attach itself to the device, it wants to use write-combining on the framebuffer memory, but vesefb's existing configuration for uncached access takes precedence. This results in reduced performance. Removing the framebuffer's configuration before loding the AST driver fixes the problem. Other DRM drivers already contain equivalent code. Link: https://bugzilla.opensuse.org/show_bug.cgi?id=1112963 Signed-off-by: Thomas Zimmermann Cc: Tested-by: Y.C. Chen Reviewed-by: Jean Delvare Tested-by: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 3921d5b8a189e3f82d1f1b5c54f4b2ed5a7551f7 Author: Janosch Frank Date: Thu Aug 16 09:02:31 2018 +0100 s390/mm: Check for valid vma before zapping in gmap_discard commit 1843abd03250115af6cec0892683e70cf2297c25 upstream. Userspace could have munmapped the area before doing unmapping from the gmap. This would leave us with a valid vmaddr, but an invalid vma from which we would try to zap memory. Let's check before using the vma. Fixes: 1e133ab296f3 ("s390/mm: split arch/s390/mm/pgtable.c") Signed-off-by: Janosch Frank Reviewed-by: David Hildenbrand Reported-by: Dan Carpenter Message-Id: <20180816082432.78828-1-frankja@linux.ibm.com> Signed-off-by: Janosch Frank Signed-off-by: Greg Kroah-Hartman commit 3658ccbbac39cc634e357ee08ff46d0893cbc111 Author: Salvatore Mesoraca Date: Thu Aug 23 17:00:35 2018 -0700 namei: allow restricted O_CREAT of FIFOs and regular files commit 30aba6656f61ed44cba445a3c0d38b296fa9e8f5 upstream. Disallows open of FIFOs or regular files not owned by the user in world writable sticky directories, unless the owner is the same as that of the directory or the file is opened without the O_CREAT flag. The purpose is to make data spoofing attacks harder. This protection can be turned on and off separately for FIFOs and regular files via sysctl, just like the symlinks/hardlinks protection. This patch is based on Openwall's "HARDEN_FIFO" feature by Solar Designer. This is a brief list of old vulnerabilities that could have been prevented by this feature, some of them even allow for privilege escalation: CVE-2000-1134 CVE-2007-3852 CVE-2008-0525 CVE-2009-0416 CVE-2011-4834 CVE-2015-1838 CVE-2015-7442 CVE-2016-7489 This list is not meant to be complete. It's difficult to track down all vulnerabilities of this kind because they were often reported without any mention of this particular attack vector. In fact, before hardlinks/symlinks restrictions, fifos/regular files weren't the favorite vehicle to exploit them. [s.mesoraca16@gmail.com: fix bug reported by Dan Carpenter] Link: https://lkml.kernel.org/r/20180426081456.GA7060@mwanda Link: http://lkml.kernel.org/r/1524829819-11275-1-git-send-email-s.mesoraca16@gmail.com [keescook@chromium.org: drop pr_warn_ratelimited() in favor of audit changes in the future] [keescook@chromium.org: adjust commit subjet] Link: http://lkml.kernel.org/r/20180416175918.GA13494@beast Signed-off-by: Salvatore Mesoraca Signed-off-by: Kees Cook Suggested-by: Solar Designer Suggested-by: Kees Cook Cc: Al Viro Cc: Dan Carpenter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: Loic Signed-off-by: Greg Kroah-Hartman commit 4f29112ec9bd028e7fdacd39bac22d85ebdb1cb5 Author: Steven Rostedt (VMware) Date: Thu Mar 9 10:18:42 2017 -0500 sched/core: Allow __sched_setscheduler() in interrupts when PI is not used commit 896bbb2522587e3b8eb2a0d204d43ccc1042a00d upstream. When priority inheritance was added back in 2.6.18 to sched_setscheduler(), it added a path to taking an rt-mutex wait_lock, which is not IRQ safe. As PI is not a common occurrence, lockdep will likely never trigger if sched_setscheduler was called from interrupt context. A BUG_ON() was added to trigger if __sched_setscheduler() was ever called from interrupt context because there was a possibility to take the wait_lock. Today the wait_lock is irq safe, but the path to taking it in sched_setscheduler() is the same as the path to taking it from normal context. The wait_lock is taken with raw_spin_lock_irq() and released with raw_spin_unlock_irq() which will indiscriminately enable interrupts, which would be bad in interrupt context. The problem is that normalize_rt_tasks, which is called by triggering the sysrq nice-all-RT-tasks was changed to call __sched_setscheduler(), and this is done from interrupt context! Now __sched_setscheduler() takes a "pi" parameter that is used to know if the priority inheritance should be called or not. As the BUG_ON() only cares about calling the PI code, it should only bug if called from interrupt context with the "pi" parameter set to true. Reported-by: Laurent Dufour Tested-by: Laurent Dufour Signed-off-by: Steven Rostedt (VMware) Signed-off-by: Peter Zijlstra (Intel) Cc: Andrew Morton Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Fixes: dbc7f069b93a ("sched: Use replace normalize_task() with __sched_setscheduler()") Link: http://lkml.kernel.org/r/20170308124654.10e598f2@gandalf.local.home Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 522ac5232ad7b9cd644ebbd9d7ec476e0c148284 Author: Qu Wenruo Date: Fri Sep 7 14:16:24 2018 +0800 btrfs: Ensure btrfs_trim_fs can trim the whole filesystem commit 6ba9fc8e628becf0e3ec94083450d089b0dec5f5 upstream. [BUG] fstrim on some btrfs only trims the unallocated space, not trimming any space in existing block groups. [CAUSE] Before fstrim_range passed to btrfs_trim_fs(), it gets truncated to range [0, super->total_bytes). So later btrfs_trim_fs() will only be able to trim block groups in range [0, super->total_bytes). While for btrfs, any bytenr aligned to sectorsize is valid, since btrfs uses its logical address space, there is nothing limiting the location where we put block groups. For filesystem with frequent balance, it's quite easy to relocate all block groups and bytenr of block groups will start beyond super->total_bytes. In that case, btrfs will not trim existing block groups. [FIX] Just remove the truncation in btrfs_ioctl_fitrim(), so btrfs_trim_fs() can get the unmodified range, which is normally set to [0, U64_MAX]. Reported-by: Chris Murphy Fixes: f4c697e6406d ("btrfs: return EINVAL if start > total_bytes in fitrim ioctl") CC: # v4.4+ Signed-off-by: Qu Wenruo Reviewed-by: Nikolay Borisov Reviewed-by: David Sterba Signed-off-by: David Sterba Signed-off-by: Greg Kroah-Hartman commit ae52c0d8586fc47a927c1e20a2abfb5afacd5553 Author: Aaron Ma Date: Fri Nov 9 17:21:20 2018 +0200 usb: xhci: fix uninitialized completion when USB3 port got wrong status commit 958c0bd86075d4ef1c936998deefe1947e539240 upstream. Realtek USB3.0 Card Reader [0bda:0328] reports wrong port status on Cannon lake PCH USB3.1 xHCI [8086:a36d] after resume from S3, after clear port reset it works fine. Since this device is registered on USB3 roothub at boot, when port status reports not superspeed, xhci_get_port_status will call an uninitialized completion in bus_state[0]. Kernel will hang because of NULL pointer. Restrict the USB2 resume status check in USB2 roothub to fix hang issue. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 2b7e9180b4017a28867f27786266cbd4e4a7cf8b Author: Greg Kroah-Hartman Date: Thu Oct 4 11:06:14 2018 -0700 tty: wipe buffer if not echoing data commit b97b3d9fb57860a60592859e332de7759fd54c2e upstream. If we are not echoing the data to userspace or the console is in icanon mode, then perhaps it is a "secret" so we should wipe it once we are done with it. This mirrors the logic that the audit code has. Reported-by: aszlig Tested-by: Milan Broz Tested-by: Daniel Zatovic Tested-by: aszlig Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit d196147ecf0951e15db959cac24d0ce8695a1897 Author: Linus Torvalds Date: Thu Oct 4 11:06:13 2018 -0700 tty: wipe buffer. commit c9a8e5fce009e3c601a43c49ea9dbcb25d1ffac5 upstream. After we are done with the tty buffer, zero it out. Reported-by: aszlig Tested-by: Milan Broz Tested-by: Daniel Zatovic Tested-by: aszlig Cc: Willy Tarreau Signed-off-by: Greg Kroah-Hartman commit 26350f8993680c9ed6e3007b7422aa6955856c40 Author: Emmanuel Grumbach Date: Wed Oct 3 11:16:54 2018 +0300 iwlwifi: mvm: fix regulatory domain update when the firmware starts commit 82715ac71e6b94a2c2136e31f3a8e6748e33aa8c upstream. When the firmware starts, it doesn't have any regulatory information, hence it uses the world wide limitations. The driver can feed the firmware with previous knowledge that was kept in the driver, but the firmware may still not update its internal tables. This happens when we start a BSS interface, and then the firmware can change the regulatory tables based on our location and it'll use more lenient, location specific rules. Then, if the firmware is shut down (when the interface is brought down), and then an AP interface is created, the firmware will forget the country specific rules. The host will think that we are in a certain country that may allow channels and will try to teach the firmware about our location, but the firmware may still not allow to drop the world wide limitations and apply country specific rules because it was just re-started. In this case, the firmware will reply with MCC_RESP_ILLEGAL to the MCC_UPDATE_CMD. In that case, iwlwifi needs to let the upper layers (cfg80211 / hostapd) know that the channel list they know about has been updated. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=201105 Cc: stable@vger.kernel.org Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit c27b8a488ea7d5b2623247dbd175f606540ce81a Author: Mauricio Faria de Oliveira Date: Mon Nov 7 17:53:30 2016 -0200 scsi: qla2xxx: do not queue commands when unloading commit 04dfaa53a0b6e66b328a5bc549e3af8f8b6eac02 upstream. When the driver is unloading, in qla2x00_remove_one(), there is a single call/point in time to abort ongoing commands, qla2x00_abort_all_cmds(), which is still several steps away from the call to scsi_remove_host(). If more commands continue to arrive and be processed during that interval, when the driver is tearing down and releasing its structures, it might potentially hit an oops due to invalid memory access: Unable to handle kernel paging request for data at address 0x00000138 <...> NIP [d000000004700a40] qla2xxx_queuecommand+0x80/0x3f0 [qla2xxx] LR [d000000004700a10] qla2xxx_queuecommand+0x50/0x3f0 [qla2xxx] So, fail commands in qla2xxx_queuecommand() if the UNLOADING bit is set. Signed-off-by: Mauricio Faria de Oliveira Acked-by: Himanshu Madhani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 4df61d87ad67dece3c0f70072d8b7cc3552f858a Author: Subhash Jadavani Date: Thu Oct 27 17:25:58 2016 -0700 scsi: ufshcd: release resources if probe fails commit afa3dfd42d205b106787476647735aa1de1a5d02 upstream. If ufshcd pltfrm/pci driver's probe fails for some reason then ensure that scsi host is released to avoid memory leak but managed memory allocations (via devm_* calls) need not to be freed explicitly on probe failure as memory allocated with these functions is automatically freed on driver detach. Reviewed-by: Sahitya Tummala Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit d43f955f2dd950a12a006e0d9f35389d75cbdddf Author: Subhash Jadavani Date: Thu Oct 27 17:25:47 2016 -0700 scsi: ufs: fix race between clock gating and devfreq scaling work commit 30fc33f1ef475480dc5bea4fe1bda84b003b992c upstream. UFS devfreq clock scaling work may require clocks to be ON if it need to execute some UFS commands hence it may request for clock hold before issuing the command. But if UFS clock gating work is already running in parallel, ungate work would end up waiting for the clock gating work to finish and as clock gating work would also wait for the clock scaling work to finish, we would enter in deadlock state. Here is the call trace during this deadlock state: Workqueue: devfreq_wq devfreq_monitor __switch_to __schedule schedule schedule_timeout wait_for_common wait_for_completion flush_work ufshcd_hold ufshcd_send_uic_cmd ufshcd_dme_get_attr ufs_qcom_set_dme_vs_core_clk_ctrl_clear_div ufs_qcom_clk_scale_notify ufshcd_scale_clks ufshcd_devfreq_target update_devfreq devfreq_monitor process_one_work worker_thread kthread ret_from_fork Workqueue: events ufshcd_gate_work __switch_to __schedule schedule schedule_preempt_disabled __mutex_lock_slowpath mutex_lock devfreq_monitor_suspend devfreq_simple_ondemand_handler devfreq_suspend_device ufshcd_gate_work process_one_work worker_thread kthread ret_from_fork Workqueue: events ufshcd_ungate_work __switch_to __schedule schedule schedule_timeout wait_for_common wait_for_completion flush_work __cancel_work_timer cancel_delayed_work_sync ufshcd_ungate_work process_one_work worker_thread kthread ret_from_fork This change fixes this deadlock by doing this in devfreq work (devfreq_wq): Try cancelling clock gating work. If we are able to cancel gating work or it wasn't scheduled, hold the clock reference count until scaling is in progress. If gate work is already running in parallel, let's skip the frequecy scaling at this time and it will be retried once next scaling window expires. Reviewed-by: Sahitya Tummala Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 1304eb9075e7672abadc8bf8a5325f378bf20a58 Author: Venkat Gopalakrishnan Date: Mon Oct 17 17:10:53 2016 -0700 scsi: ufshcd: Fix race between clk scaling and ungate work commit f2a785ac23125fa0774327d39e837e45cf28fe92 upstream. The ungate work turns on the clock before it exits hibern8, if the link was put in hibern8 during clock gating work. There occurs a race condition when clock scaling work calls ufshcd_hold() to make sure low power states cannot be entered, but that returns by checking only whether the clocks are on. This causes the clock scaling work to issue UIC commands when the link is in hibern8 causing failures. Make sure we exit hibern8 state before returning from ufshcd_hold(). Callstacks for race condition: ufshcd_scale_gear ufshcd_devfreq_scale ufshcd_devfreq_target update_devfreq devfreq_monitor process_one_work worker_thread kthread ret_from_fork ufshcd_uic_hibern8_exit ufshcd_ungate_work process_one_work worker_thread kthread ret_from_fork Signed-off-by: Venkat Gopalakrishnan Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 8e5f27df2a6a3457b58c9f93671b31995ee81f00 Author: Yaniv Gardi Date: Mon Oct 17 17:09:24 2016 -0700 scsi: ufs: fix bugs related to null pointer access and array size commit e3ce73d69aff44421d7899b235fec5ac2c306ff4 upstream. In this change there are a few fixes of possible NULL pointer access and possible access to index that exceeds array boundaries. Signed-off-by: Yaniv Gardi Signed-off-by: Subhash Jadavani Signed-off-by: Martin K. Petersen Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 1c759b361b77fa566daf687b8dc3c2ab72251a6e Author: Liping Zhang Date: Sun Nov 6 14:40:01 2016 +0800 netfilter: nf_tables: fix oops when inserting an element into a verdict map commit 58c78e104d937c1f560fb10ed9bb2dcde0db4fcf upstream. Dalegaard says: The following ruleset, when loaded with 'nft -f bad.txt' ----snip---- flush ruleset table ip inlinenat { map sourcemap { type ipv4_addr : verdict; } chain postrouting { ip saddr vmap @sourcemap accept } } add chain inlinenat test add element inlinenat sourcemap { 100.123.10.2 : jump test } ----snip---- results in a kernel oops: BUG: unable to handle kernel paging request at 0000000000001344 IP: [] nf_tables_check_loops+0x114/0x1f0 [nf_tables] [...] Call Trace: [] ? nft_data_init+0x13e/0x1a0 [nf_tables] [] nft_validate_register_store+0x60/0xb0 [nf_tables] [] nft_add_set_elem+0x545/0x5e0 [nf_tables] [] ? nft_table_lookup+0x30/0x60 [nf_tables] [] ? nla_strcmp+0x40/0x50 [] nf_tables_newsetelem+0x11e/0x210 [nf_tables] [] ? nla_validate+0x60/0x80 [] nfnetlink_rcv+0x354/0x5a7 [nfnetlink] Because we forget to fill the net pointer in bind_ctx, so dereferencing it may cause kernel crash. Reported-by: Dalegaard Signed-off-by: Liping Zhang Signed-off-by: Pablo Neira Ayuso Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 65c2ca730e2eed519853fcc8746b8a863eb7e1bc Author: Karthik D A Date: Wed Sep 28 18:18:28 2016 +0530 mwifiex: fix p2p device doesn't find in scan problem commit 3d8bd85c2c9e47ed2c82348aa5b6029ed48376ae upstream. Marvell p2p device disappears from the list of p2p peers on the other p2p device after disconnection. It happens due to a bug in driver. When interface is changed from p2p to station, certain variables(bss_type, bss_role etc.) aren't correctly updated. This patch corrects them to fix the issue. Signed-off-by: Karthik D A Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo [AmitP: Refactored to fix driver file path in linux-4.4.y] Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit e431c00b52af6449c5e84451437b74326ba21e6d Author: Amitkumar Karwar Date: Wed Sep 28 18:18:23 2016 +0530 mwifiex: Fix NULL pointer dereference in skb_dequeue() commit c44c040300d7afd79294710313a4989683e2afb1 upstream. At couple of places in cleanup path, we are just going through the skb queue and freeing them without unlinking. This leads to a crash when other thread tries to do skb_dequeue() and use already freed node. The problem is freed by unlinking skb before freeing it. Signed-off-by: Amitkumar Karwar Signed-off-by: Kalle Valo [AmitP: Refactored to fix driver file path in linux-4.4.y] Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 63238079b4800af2d650ebbc0a215fb2a0b004e4 Author: Johannes Thumshirn Date: Fri Sep 30 14:39:17 2016 +0200 cw1200: Don't leak memory if krealloc failes commit 9afdd6128c39f42398041bb2e017d8df0dcebcd1 upstream. The call to krealloc() in wsm_buf_reserve() directly assigns the newly returned memory to buf->begin. This is all fine except when krealloc() failes we loose the ability to free the old memory pointed to by buf->begin. If we just create a temporary variable to assign memory to and assign the memory to it we can mitigate the memory leak. Signed-off-by: Johannes Thumshirn Cc: Johannes Berg Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 4dceeae8b863e880345e81975cd995ab372d95e3 Author: Ramses Ramírez Date: Fri Sep 28 16:59:26 2018 -0700 Input: xpad - add support for Xbox1 PDP Camo series gamepad [ Upstream commit 9735082a7cbae572c2eabdc45acecc8c9fa0759b ] The "Xbox One PDP Wired Controller - Camo series" has a different product-id than the regular PDP controller and the PDP stealth series, but it uses the same initialization sequence. This patch adds the product-id of the camo series to the structures that handle the other PDP Xbox One controllers. Signed-off-by: Ramses Ramírez Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 6541b3b657975944669ab8044f2fc18634ec2435 Author: Enno Boland Date: Tue Jun 19 11:55:33 2018 -0700 Input: xpad - fix GPD Win 2 controller name [ Upstream commit dd6bee81c942c0ea01030da9356026afb88f9d18 ] This fixes using the controller with SDL2. SDL2 has a naive algorithm to apply the correct settings to a controller. For X-Box compatible controllers it expects that the controller name contains a variation of a 'XBOX'-string. This patch changes the identifier to contain "X-Box" as substring. Tested with Steam and C-Dogs-SDL which both detect the controller properly after adding this patch. Fixes: c1ba08390a8b ("Input: xpad - add GPD Win 2 Controller USB IDs") Cc: stable@vger.kernel.org Signed-off-by: Enno Boland Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 3185e5bbde63a0f5d3ecff1b3a34bd5bb72f1209 Author: Ethan Lee Date: Fri Jun 1 11:46:08 2018 -0700 Input: xpad - add GPD Win 2 Controller USB IDs [ Upstream commit c1ba08390a8bb13c927e699330896adc15b78205 ] GPD Win 2 Website: http://www.gpd.hk/gpdwin2.asp Tested on a unit from the first production run sent to Indiegogo backers Signed-off-by: Ethan Lee Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit d8a7412e1fcc5d1e6b26ebf6b97eefd9ab2e4ede Author: Marcus Folkesson Date: Tue May 8 15:17:07 2018 -0700 Input: xpad - avoid using __set_bit() for capabilities [ Upstream commit a01308031c2647ed5f1c845104b73a8820a958a9 ] input_set_capability() and input_set_abs_param() will do it for you. Signed-off-by: Marcus Folkesson Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit b614fa7eec9356a83efd6dc3b331253140926ef8 Author: Leo Sperling Date: Wed Aug 3 17:31:09 2016 -0700 Input: xpad - fix some coding style issues [ Upstream commit 68c78d0155e37992268664e134996d2b140ddf38 ] Fix some coding style issues reported by checkpatch.pl. Mostly brackets in macros, spacing and comment style. Signed-off-by: Leo Sperling Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit da44d2ef6f216e1cbd81fc2955a20135195d5917 Author: Francis Therien Date: Mon Mar 26 15:59:00 2018 -0700 Input: xpad - add PDP device id 0x02a4 [ Upstream commit c6c848572f4da0e34ffe0a35364b4db871e13e42 ] Adds support for a PDP Xbox One controller with device ID (0x06ef:0x02a4). The Product string for this device is "PDP Wired Controller for Xbox One - Stealth Series | Phantom Black". Signed-off-by: Francis Therien Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 35abaab62c13d5eb1950acb561f2c6e8e0b967d4 Author: Mark Furneaux Date: Mon Jan 22 11:24:17 2018 -0800 Input: xpad - add support for PDP Xbox One controllers [ Upstream commit e5c9c6a885fad00aa559b49d8fc23a60e290824e ] Adds support for the current lineup of Xbox One controllers from PDP (Performance Designed Products). These controllers are very picky with their initialization sequence and require an additional 2 packets before they send any input reports. Signed-off-by: Mark Furneaux Reviewed-by: Cameron Gutman Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit a9fd0ecce400a7d8fe9e8dd4089a394f8b580df6 Author: Cameron Gutman Date: Tue Sep 12 11:27:44 2017 -0700 Input: xpad - validate USB endpoint type during probe [ Upstream commit 122d6a347329818419b032c5a1776e6b3866d9b9 ] We should only see devices with interrupt endpoints. Ignore any other endpoints that we find, so we don't send try to send them interrupt URBs and trigger a WARN down in the USB stack. Reported-by: Andrey Konovalov Tested-by: Andrey Konovalov Cc: # c01b5e7464f0 Input: xpad - don't depend on endpoint order Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 0021e15690c466540a334da7db074f55b138c1fc Author: Cameron Gutman Date: Thu Aug 31 11:52:20 2017 -0700 Input: xpad - fix PowerA init quirk for some gamepad models [ Upstream commit f5308d1b83eba20e69df5e0926ba7257c8dd9074 ] The PowerA gamepad initialization quirk worked with the PowerA wired gamepad I had around (0x24c6:0x543a), but a user reported [0] that it didn't work for him, even though our gamepads shared the same vendor and product IDs. When I initially implemented the PowerA quirk, I wanted to avoid actually triggering the rumble action during init. My tests showed that my gamepad would work correctly even if it received a rumble of 0 intensity, so that's what I went with. Unfortunately, this apparently isn't true for all models (perhaps a firmware difference?). This non-working gamepad seems to require the real magic rumble packet that the Microsoft driver sends, which actually vibrates the gamepad. To counteract this effect, I still send the old zero-rumble PowerA quirk packet which cancels the rumble effect before the motors can spin up enough to vibrate. [0]: https://github.com/paroj/xpad/issues/48#issuecomment-313904867 Reported-by: Kyle Beauchamp Tested-by: Kyle Beauchamp Fixes: 81093c9848a7 ("Input: xpad - support some quirky Xbox One pads") Cc: stable@vger.kernel.org # v4.12 Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 0eeff53be05de4c8658f6cb6fe6cccef65adb2c1 Author: Arvind Yadav Date: Mon Aug 7 20:04:13 2017 -0700 Input: xpad - constify usb_device_id [ Upstream commit 94aef061c796d3d47f1a2eed41e651ffaaade402 ] usb_device_id are not supposed to change at runtime. All functions working with usb_device_id provided by work with const usb_device_id. So mark the non-const structs as const. Signed-off-by: Arvind Yadav Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2ee9b33fd01e49ff2bf65f8d476fd2fe98dd2834 Author: Benjamin Valentin Date: Sun Jun 18 15:41:20 2017 -0700 Input: xpad - sync supported devices with XBCD [ Upstream commit be19788c73d382f66dd3fba3c5ccef59cf12a126 ] XBCD [0][1] is an OpenSource driver for Xbox controllers on Windows. Later it also started supporting Xbox360 controllers (presumably before the official Windows driver was released). It contains a couple device IDs unknown to the Linux driver, so I extracted those from xbcd.inf and added them to our list. It has a special type for Wheels and I have the feeling they might need some extra handling. They all have 'Wheel' in their name, so that information is available for future improvements. [0] https://www.s-config.com/xbcd-original-xbox-controllers-win10/ [1] http://www.redcl0ud.com/xbcd.html Reviewed-by: Cameron Gutman Signed-off-by: Benjamin Valentin Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit acab19e01b4cf9ec57f49418e202dc9b0302355e Author: Benjamin Valentin Date: Sun Jun 18 15:40:37 2017 -0700 Input: xpad - sync supported devices with 360Controller [ Upstream commit c225370e01b87d3c4ef40d98295ac0bb1e5a3116 ] 360Controller [0] is an OpenSource driver for Xbox/Xbox360/XboxOne controllers on macOS. It contains a couple device IDs unknown to the Linux driver, so I wrote a small Python script [1] to extract them and feed them into my previous script [2] to compare them with the IDs known to Linux. For most devices, this information is not really needed as xpad is able to automatically detect the type of an unknown Xbox Controller at run-time. I've therefore stripped all the generic/vague entries. I've excluded the Logitech G920, it's handled by a HID driver already. I've also excluded the Scene It! Big Button IR, it's handled by an out-of-tree driver. [3] [0] https://github.com/360Controller/360Controller [1] http://codepad.org/v9GyLKMq [2] http://codepad.org/qh7jclpD [3] https://github.com/micolous/xbox360bb Reviewed-by: Cameron Gutman Signed-off-by: Benjamin Valentin Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit d5088203d9bd9b821d18635bc182017135101185 Author: Benjamin Valentin Date: Sun May 7 14:49:09 2017 -0700 Input: xpad - add USB IDs for Mad Catz Brawlstick and Razer Sabertooth [ Upstream commit 4706aa075662fe3cad29c3f49b50878de53f4f3b ] Add USB IDs for two more Xbox 360 controllers. I found them in the pull requests for the xboxdrv userspace driver, which seems abandoned. Thanks to psychogony and mkaito for reporting the IDs there! Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 4b8ef4e404541179fe42d37f8d13c4290ee85a63 Author: Benjamin Valentin Date: Sun May 7 14:48:14 2017 -0700 Input: xpad - sync supported devices with xboxdrv [ Upstream commit 44bc722593201da43862b7200ee0b98155410b07 ] The userspace xboxdrv driver [0] contains some USB IDs unknown to the kernel driver. I have created a simple script [1] to extract the missing devices and add them to xpad. A quick google search confirmed that all the new devices called Fightstick/pad are Arcade-type devices [2] where the MAP_TRIGGERS_TO_BUTTONS option should apply. There are some similar devices in the existing device table where this flag is not set, but I did refrain from changing those. [0] https://github.com/xboxdrv/xboxdrv/blob/stable/src/xpad_device.cpp [1] http://codepad.org/CHV98BNH [2] https://www.google.com/search?q=SFxT+Fightstick+Pro&tbm=isch Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 02fde8cb7c9fcdc58d0b3d9dc9987403a708b9cf Author: Benjamin Valentin Date: Sun May 7 14:45:08 2017 -0700 Input: xpad - sort supported devices by USB ID [ Upstream commit 873cb582738fde338ecaeaca594560cde2ba42c3 ] Some entries in the table of supported devices are out of order. To not create a mess when adding new ones using a script, sort them first. Signed-off-by: Benjamin Valentin Reviewed-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7332686f51d58292dbe8b6bcc638a3ef700246d4 Author: Cameron Gutman Date: Mon Apr 10 20:43:04 2017 -0700 Input: xpad - support some quirky Xbox One pads [ Upstream commit 81093c9848a781b85163d06de92ef8f84528cf6a ] There are several quirky Xbox One pads that depend on initialization packets that the Microsoft pads don't require. To deal with these, I've added a mechanism for issuing device-specific initialization packets using a VID/PID-based quirks list. For the initial set of init quirks, I have added quirk handling from Valve's Steam Link xpad driver[0] and the 360Controller project[1] for macOS to enable some new pads to work properly. This should enable full functionality on the following quirky pads: 0x0e6f:0x0165 - Titanfall 2 gamepad (previously fully non-functional) 0x0f0d:0x0067 - Hori Horipad (analog sticks previously non-functional) 0x24c6:0x541a - PowerA Xbox One pad (previously fully non-functional) 0x24c6:0x542a - PowerA Xbox One pad (previously fully non-functional) 0x24c6:0x543a - PowerA Xbox One pad (previously fully non-functional) [0]: https://github.com/ValveSoftware/steamlink-sdk/blob/master/kernel/drivers/input/joystick/xpad.c [1]: https://github.com/360Controller/360Controller Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 3f2199c0c0bc7e6ae2b194fdd099a57026b429d5 Author: Cameron Gutman Date: Mon Feb 6 17:03:03 2017 -0800 Input: xpad - restore LED state after device resume [ Upstream commit a1fbf5bbef025b4844162b3b8868888003a7ee9c ] Set the LED_CORE_SUSPENDRESUME flag on our LED device so the LED state will be automatically restored by LED core on resume. Since Xbox One pads stop flashing only when reinitialized, we'll send them the initialization packet so they calm down too. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 130b94290e1db30d953f882d4909470c098dea9f Author: Cameron Gutman Date: Mon Feb 6 13:56:10 2017 -0800 Input: xpad - fix stuck mode button on Xbox One S pad [ Upstream commit 57b8443d3e5bd046a519ff714ca31c64c7f04309 ] The Xbox One S requires an ack to its mode button report, otherwise it continuously retransmits the report. This makes the mode button appear to be stuck down after it is pressed for the first time. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 214f88f3ee3a86ee91b9840e9a4b21eef8137240 Author: Cameron Gutman Date: Tue Jan 3 22:40:38 2017 -0800 Input: xpad - don't depend on endpoint order [ Upstream commit c01b5e7464f0cf20936d7467c7528163c4e2782d ] The order of endpoints is well defined on official Xbox pads, but we have found at least one 3rd-party pad that doesn't follow the standard ("Titanfall 2 Xbox One controller" 0e6f:0165). Fortunately, we get lucky with this specific pad because it uses endpoint addresses that differ only by direction. We know that there are other pads out where this is not true, so let's go ahead and fix this. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit bb754dbcfadf425ee5999ae3d2dcb61e5c095066 Author: Pavel Rojtberg Date: Fri May 27 16:26:33 2016 -0700 Input: xpad - simplify error condition in init_output [ Upstream commit a8c34e27fb1ece928ec728bfe596aa6ca0b1928a ] Replace first goto with simple returns as we really are just returning one error code. Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit fbc530b741391084a80417dd0030fd1f8c6b0dfc Author: Daniel Tobias Date: Fri May 27 16:25:32 2016 -0700 Input: xpad - move reporting xbox one home button to common function [ Upstream commit 4f88476c75429ba9ab71c428b4cd2f67575bc9c1 ] xbox one was the only device that has a *_process_buttons routine. Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 912c57f0bdcccf9c4133de8d6191d45ce5b66b32 Author: Daniel Tobias Date: Fri May 27 16:25:10 2016 -0700 Input: xpad - correctly sort vendor id's [ Upstream commit c02fc1d9e5d9f093296e43e13ec7f35f140784bd ] Signed-off-by: Daniel Tobias Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit aadb3e12e2a2f0957312d7d69706a807d08666d4 Author: Cameron Gutman Date: Sun Nov 27 20:37:56 2016 -0800 Input: xpad - fix Xbox One rumble stopping after 2.5 secs [ Upstream commit ae3b4469dbcd3b842a9fd20940946e4d092d8731 ] Unlike previous Xbox pads, the Xbox One pad doesn't have "sticky" rumble packets. The duration is encoded into the command and expiration is handled by the pad firmware. ff-memless needs pseudo-sticky behavior for rumble effects to behave properly for long duration effects. We already specify the maximum rumble on duration in the command packets, but it's still only good for about 2.5 seconds of rumble. This is easily reproducible running fftest's sine vibration test. It turns out there's a repeat count encoded in the rumble command. We can abuse that to get the pseudo-sticky behavior needed for rumble to behave as expected for effects with long duration. By my math, this change should allow a single ff_effect to rumble for 10 minutes straight, which should be more than enough for most needs. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 59fbfc3b05450633c1da39708061ffeb538d9504 Author: Cameron Gutman Date: Sun Nov 27 20:37:31 2016 -0800 Input: xpad - add product ID for Xbox One S pad [ Upstream commit 599b8c09d974d6e4d85a8f7bc8ed7442977866a8 ] This is the new gamepad that ships with the Xbox One S which includes Bluetooth functionality. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7588fdc32fd047cfc64c44a0ecb882344beead1f Author: Cameron Gutman Date: Wed Jul 27 14:24:55 2016 -0700 Input: xpad - power off wireless 360 controllers on suspend [ Upstream commit f712a5a05228058f6b74635546549d4a46e117fc ] When the USB wireless adapter is suspended, the controllers lose their connection. This causes them to start flashing their LED rings and searching for the wireless adapter again, wasting the controller's battery power. Instead, we will tell the controllers to power down when we suspend. This mirrors the behavior of the controllers when connected to the console itself and how the official Xbox One wireless adapter behaves on Windows. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 04bd6163b019b6166651f938d4da660bfb26a443 Author: Cameron Gutman Date: Wed Jun 1 11:32:51 2016 -0700 Input: xpad - fix rumble on Xbox One controllers with 2015 firmware [ Upstream commit 540c26087bfbad6ea72758b76b16ae6282a73fea ] Xbox One controllers that shipped with or were upgraded to the 2015 firmware discard the current rumble packets we send. This patch changes the Xbox One rumble packet to a form that both the newer and older firmware will accept. It is based on changes made to support newer Xbox One controllers in the SteamOS brewmaster-4.1 kernel branch. Signed-off-by: Cameron Gutman Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 333279f24f5ca5caebc2e17781543207b4ec39d6 Author: Pavel Rojtberg Date: Fri May 27 16:24:40 2016 -0700 Input: xpad - xbox one elite controller support [ Upstream commit 6f49a398b266d4895bd7e041db77a2b2ee1482a6 ] added the according id and incresed XPAD_PKT_LEN to 64 as the elite controller sends at least 33 byte messages [1]. Verified to be working by [2]. [1]: https://franticrain.github.io/sniffs/XboxOneSniff.html [2]: https://github.com/paroj/xpad/issues/23 Signed-off-by: Pierre-Loup A. Griffais Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 63c84c90cfb309b83e973f39abbb5a591213a054 Author: Pavel Rojtberg Date: Fri May 27 16:24:20 2016 -0700 Input: xpad - add more third-party controllers [ Upstream commit 6538c3b2d2d220a974e47928b165ea09b9cfa6b4 ] Signed-off-by: Pierre-Loup A. Griffais Signed-off-by: Thomas Debesse Signed-off-by: aronschatz Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7013f7cacdd57a2a7a2ece80fd965f4bbb7bf468 Author: Cameron Gutman Date: Fri May 27 16:23:50 2016 -0700 Input: xpad - prevent spurious input from wired Xbox 360 controllers [ Upstream commit 1ff5fa3c6732f08e01ae12f12286d4728c9e4d86 ] After initially connecting a wired Xbox 360 controller or sending it a command to change LEDs, a status/response packet is interpreted as controller input. This causes the state of buttons represented in byte 2 of the controller data packet to be incorrect until the next valid input packet. Wireless Xbox 360 controllers are not affected. Writing a new value to the LED device while holding the Start button and running jstest is sufficient to reproduce this bug. An event will come through with the Start button released. Xboxdrv also won't attempt to read controller input from a packet where byte 0 is non-zero. It also checks that byte 1 is 0x14, but that value differs between wired and wireless controllers and this code is shared by both. I think just checking byte 0 is enough to eliminate unwanted packets. The following are some examples of 3-byte status packets I saw: 01 03 02 02 03 00 03 03 03 08 03 00 Signed-off-by: Cameron Gutman Signed-off-by: Pavel Rojtberg Cc: stable@vger.kernel.org Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7e4b89527afcad04601e5f95869f5eea1689cfc8 Author: Silvan Jegen Date: Thu Mar 17 17:15:01 2016 -0700 Input: xpad - add Mad Catz FightStick TE 2 VID/PID [ Upstream commit d63b0f0c0f19dc8687387ead5a28148dcad1a4b9 ] This adds the VID/PID combination for the Xbox One version of the Mad Catz FightStick TE 2. The functionality that this provides is about on par with what the Windows drivers for the stick manage to deliver. What works: - Digital stick - 6 main buttons - Xbox button - The two buttons on the back - The locking buttons (preventing accidental Xbox button press) What doesn't work: - Two of the main buttons (don't work on Windows either) - The "Haptic" button setting does not have an effect (not sure if it works on Windows) I added the MAP_TRIGGERS_TO_BUTTONS option but in my (limited) testing there was no practical difference with or without. The FightStick does not have triggers though so adding it makes sense. Signed-off-by: Silvan Jegen Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 074573f86424ab4001f73d1e771d1d426f1762fb Author: Arnd Bergmann Date: Wed Jan 27 15:42:25 2016 -0800 Input: xpad - remove unused function [ Upstream commit a6ed4a18ba6a6f5a01e024b9d221d6439bf6ca4c ] There are two definitions of xpad_identify_controller(), one is used when CONFIG_JOYSTICK_XPAD_LEDS is set, but the other one is empty and never used, and we get a gcc warning about it: drivers/input/joystick/xpad.c:1210:13: warning: 'xpad_identify_controller' defined but not used [-Wunused-function] This removes the second definition. Signed-off-by: Arnd Bergmann Fixes: cae705baa40b ("Input: xpad - re-send LED command on present event") Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 7396f08f9046a3d97a331e3b46bf899db6490fd3 Author: Pavel Rojtberg Date: Tue Jan 12 14:35:51 2016 -0800 Input: xpad - correct xbox one pad device name [ Upstream commit 95162dc8493ed92e5f7dcc8874e58c2ba3836b43 ] Apparently the Covert Forces ID is not Covert Forces pad exclusive, but rather denotes a new firmware version that can be found on all new controllers and can be also updated on old hardware using Windows 10. see: https://github.com/paroj/xpad/issues/19 Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 95a5664d19396dc8a26d106b5898738a1bf9184e Author: Dmitry Torokhov Date: Wed Dec 16 14:24:58 2015 -0800 Input: xpad - use LED API when identifying wireless controllers [ Upstream commit d9be398afb2c3333716324352d062c50112e4e86 ] When lighting up the segment identifying wireless controller, Instead of sending command directly to the controller, let's do it via LED API (usinf led_set_brightness) so that LED object state is in sync with controller state and we'll light up the correct segment on resume as well. Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 40af28e5fa9c99a9e51ad3d1bd4d0e7a90352383 Author: Pavel Rojtberg Date: Wed Dec 9 13:30:34 2015 -0800 Input: xpad - workaround dead irq_out after suspend/ resume [ Upstream commit 4220f7db1e424f2a086ad41217b5770cc9f003a9 ] The irq_out urb is dead after suspend/ resume on my x360 wr pad. (also reproduced by Zachary Lund [0]) Work around this by implementing suspend, resume, and reset_resume callbacks and properly shutting down URBs on suspend and restarting them on resume. [0]: https://github.com/paroj/xpad/issues/6 Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 0d93b73df45bbb2d76d339f74df9e1569a58c4aa Author: Pierre-Loup A. Griffais Date: Wed Dec 9 13:40:37 2015 -0800 Input: xpad - update Xbox One Force Feedback Support [ Upstream commit 2a6d7527b35cf987260800807e328d167aef22ac ] There's apparently a serial number woven into both input and output packets; neglecting to specify a valid serial number causes the controller to ignore the rumble packets. The scale of the rumble was also apparently halved in the packets. The initialization packet had to be changed to allow force feedback to work. see https://github.com/paroj/xpad/issues/7 for details. Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 65d58b49932de70692bb079fad64bac641a61caa Author: Pierre-Loup A. Griffais Date: Wed Dec 9 11:46:25 2015 -0800 Input: xpad - handle "present" and "gone" correctly [ Upstream commit 09c8b00ae3e16c8d0fd4beb2ca064502a76c0f17 ] Handle the "a new device is present" message properly by dynamically creating the input device at this point in time. This means we now do not "preallocate" all 4 devices when a single wireless base station is seen. This requires a workqueue as we are in interrupt context when we learn about this. Also properly disconnect any devices that we are told are removed. Signed-off-by: "Pierre-Loup A. Griffais" Signed-off-by: Greg Kroah-Hartman Signed-off-by: Pavel Rojtberg Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit bec36000f898ade8261711cef6ceb7caf34ceae3 Author: Clement Calmels Date: Sat Dec 12 21:20:11 2015 -0800 Input: xpad - remove spurious events of wireless xpad 360 controller [ Upstream commit 93a017aa2f77291752e637bfd83f2459dba714cb ] When powering up a wireless xbox 360 controller, some wrong joystick events are generated. It is annoying because, for example, it makes unwanted moves in Steam big picture mode's menu. When my controller is powering up, this packet is received by the driver: 00000000: 00 0f 00 f0 00 cc ff cf 8b e0 86 6a 68 f0 00 20 ...........jh.. 00000010: 13 e3 20 1d 30 03 40 01 50 01 ff ff .. .0.@.P... According to xboxdrv userspace driver source code, this packet is only dumping a serial id and should not be interpreted as joystick events. This issue can be easily seen with jstest: $ jstest --event /dev/input/js0 This patch only adds a way to filter out this "serial" packet and as a result it removes the spurous events. Signed-off-by: Clement Calmels Signed-off-by: Dmitry Torokhov Signed-off-by: Sasha Levin commit 2ca8b2a88e7f222a5f2db30778eb99c113fc697a Author: Vasanthakumar Thiagarajan Date: Mon Oct 10 19:51:18 2016 +0530 ath10k: fix kernel panic due to race in accessing arvif list commit ebaa4b1620bf69f2bc43cb45ea85fbafdaec23c3 upstream. arvifs list is traversed within data_lock spin_lock in tasklet context to fill channel information from the corresponding vif. This means any access to arvifs list for add/del operations should also be protected with the same spin_lock to avoid the race. Fix this by performing list add/del on arvfis within the data_lock. This could fix kernel panic something like the below. LR is at ath10k_htt_rx_pktlog_completion_handler+0x100/0xb6c [ath10k_core] PC is at ath10k_htt_rx_pktlog_completion_handler+0x1c0/0xb6c [ath10k_core] Internal error: Oops: 17 [#1] PREEMPT SMP ARM [] (ath10k_htt_rx_pktlog_completion_handler+0x2f4/0xb6c [ath10k_core]) [] (ath10k_htt_txrx_compl_task+0x8b4/0x1188 [ath10k_core]) [] (tasklet_action+0x8c/0xec) [] (__do_softirq+0xdc/0x208) [] (irq_exit+0x84/0xe0) [] (__handle_domain_irq+0x80/0xa0) [] (gic_handle_irq+0x38/0x5c) [] (__irq_svc+0x40/0x74) (gdb) list *(ath10k_htt_rx_pktlog_completion_handler+0x1c0) 0x136c0 is in ath10k_htt_rx_h_channel (drivers/net/wireless/ath/ath10k/htt_rx.c:769) 764 struct cfg80211_chan_def def; 765 766 lockdep_assert_held(&ar->data_lock); 767 768 list_for_each_entry(arvif, &ar->arvifs, list) { 769 if (arvif->vdev_id == vdev_id && 770 ath10k_mac_vif_chan(arvif->vif, &def) == 0) 771 return def.chan; 772 } 773 Signed-off-by: Vasanthakumar Thiagarajan Signed-off-by: Kalle Valo Signed-off-by: Amit Pundir Signed-off-by: Greg Kroah-Hartman commit 69669503eb53fb88bbc818461e9043bb3e024bb3 Author: Greg Hackmann Date: Tue Nov 27 11:15:20 2018 -0800 arm64: remove no-op -p linker flag (commit 1a381d4a0a9a0f999a13faaba22bf6b3fc80dcb9 upstream) Linking the ARM64 defconfig kernel with LLVM lld fails with the error: ld.lld: error: unknown argument: -p Makefile:1015: recipe for target 'vmlinux' failed Without this flag, the ARM64 defconfig kernel successfully links with lld and boots on Dragonboard 410c. After digging through binutils source and changelogs, it turns out that -p is only relevant to ancient binutils installations targeting 32-bit ARM. binutils accepts -p for AArch64 too, but it's always been undocumented and silently ignored. A comment in ld/emultempl/aarch64elf.em explains that it's "Only here for backwards compatibility". Since this flag is a no-op on ARM64, we can safely drop it. Acked-by: Will Deacon Reviewed-by: Nick Desaulniers Signed-off-by: Greg Hackmann Signed-off-by: Catalin Marinas Signed-off-by: Nick Desaulniers Signed-off-by: Sasha Levin commit 9ee68ff9c6e350e43821c19642485466d9506e32 Author: Andy Lutomirski Date: Sun Jul 22 11:05:09 2018 -0700 x86/entry/64: Remove %ebx handling from error_entry/exit [ Upstream commit b3681dd548d06deb2e1573890829dff4b15abf46 ] error_entry and error_exit communicate the user vs. kernel status of the frame using %ebx. This is unnecessary -- the information is in regs->cs. Just use regs->cs. This makes error_entry simpler and makes error_exit more robust. It also fixes a nasty bug. Before all the Spectre nonsense, the xen_failsafe_callback entry point returned like this: ALLOC_PT_GPREGS_ON_STACK SAVE_C_REGS SAVE_EXTRA_REGS ENCODE_FRAME_POINTER jmp error_exit And it did not go through error_entry. This was bogus: RBX contained garbage, and error_exit expected a flag in RBX. Fortunately, it generally contained *nonzero* garbage, so the correct code path was used. As part of the Spectre fixes, code was added to clear RBX to mitigate certain speculation attacks. Now, depending on kernel configuration, RBX got zeroed and, when running some Wine workloads, the kernel crashes. This was introduced by: commit 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") With this patch applied, RBX is no longer needed as a flag, and the problem goes away. I suspect that malicious userspace could use this bug to crash the kernel even without the offending patch applied, though. [ Historical note: I wrote this patch as a cleanup before I was aware of the bug it fixed. ] [ Note to stable maintainers: this should probably get applied to all kernels. If you're nervous about that, a more conservative fix to add xorl %ebx,%ebx; incl %ebx before the jump to error_exit should also fix the problem. ] Reported-and-tested-by: M. Vefa Bicakci Signed-off-by: Andy Lutomirski Cc: Boris Ostrovsky Cc: Borislav Petkov Cc: Brian Gerst Cc: Dave Hansen Cc: Denys Vlasenko Cc: Dominik Brodowski Cc: Greg KH Cc: H. Peter Anvin Cc: Josh Poimboeuf Cc: Juergen Gross Cc: Linus Torvalds Cc: Peter Zijlstra Cc: Thomas Gleixner Cc: stable@vger.kernel.org Cc: xen-devel@lists.xenproject.org Fixes: 3ac6d8c787b8 ("x86/entry/64: Clear registers for exceptions/interrupts, to reduce speculation attack surface") Link: http://lkml.kernel.org/r/b5010a090d3586b2d6e06c7ad3ec5542d1241c45.1532282627.git.luto@kernel.org Signed-off-by: Ingo Molnar Signed-off-by: Sasha Levin commit 00872569e861caae09230c5b2bd0fffbb038ec0d Author: Nicolas Iooss Date: Fri Jul 29 13:39:51 2016 +0200 x86/entry: spell EBX register correctly in documentation [ Upstream commit 75ca5b22260ef7b5ce39c6d521eee8b4cba44703 ] As EBS does not mean anything reasonable in the context it is used, it seems like a misspelling for EBX. Signed-off-by: Nicolas Iooss Acked-by: Borislav Petkov Signed-off-by: Jiri Kosina Signed-off-by: Sasha Levin commit 761497503744d860ec963ba991243373de964cea Author: Johan Hovold Date: Mon Aug 27 10:21:50 2018 +0200 net: bcmgenet: fix OF child-node lookup [ Upstream commit d397dbe606120a1ea1b11b0020c3f7a3852da5ac ] Use the new of_get_compatible_child() helper to lookup the mdio child node instead of using of_find_compatible_node(), which searches the entire tree from a given start node and thus can return an unrelated (i.e. non-child) node. This also addresses a potential use-after-free (e.g. after probe deferral) as the tree-wide helper drops a reference to its first argument (i.e. the node of the device being probed). Fixes: aa09677cba42 ("net: bcmgenet: add MDIO routines") Cc: stable # 3.15 Cc: David S. Miller Reviewed-by: Florian Fainelli Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 737d47bda3f26a0f20d5a344880d3151a45b4a85 Author: Johan Hovold Date: Mon Aug 27 10:21:52 2018 +0200 NFC: nfcmrvl_uart: fix OF child-node lookup [ Upstream commit 5bf59773aaf36dd62117dc83d50e1bbf9ef432da ] Use the new of_get_compatible_child() helper to lookup the nfc child node instead of using of_find_compatible_node(), which searches the entire tree from a given start node and thus can return an unrelated (i.e. non-child) node. This also addresses a potential use-after-free (e.g. after probe deferral) as the tree-wide helper drops a reference to its first argument (i.e. the parent node). Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver") Fixes: d8e018c0b321 ("NFC: nfcmrvl: update device tree bindings for Marvell NFC") Cc: stable # 4.2 Cc: Vincent Cuissard Cc: Samuel Ortiz Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit f3e3c50c364ce807ec818ea6337b411db94768f5 Author: Johan Hovold Date: Mon Aug 27 10:21:45 2018 +0200 of: add helper to lookup compatible child node [ Upstream commit 36156f9241cb0f9e37d998052873ca7501ad4b36 ] Add of_get_compatible_child() helper that can be used to lookup compatible child nodes. Several drivers currently use of_find_compatible_node() to lookup child nodes while failing to notice that the of_find_ functions search the entire tree depth-first (from a given start node) and therefore can match unrelated nodes. The fact that these functions also drop a reference to the node they start searching from (e.g. the parent node) is typically also overlooked, something which can lead to use-after-free bugs. Signed-off-by: Johan Hovold Signed-off-by: Rob Herring Signed-off-by: Sasha Levin commit 42c0c719eac64d7b4d6ea78cd216dd9f0b950772 Author: Yufen Yu Date: Fri Nov 16 15:08:39 2018 -0800 tmpfs: make lseek(SEEK_DATA/SEK_HOLE) return ENXIO with a negative offset [ Upstream commit 1a413646931cb14442065cfc17561e50f5b5bb44 ] Other filesystems such as ext4, f2fs and ubifs all return ENXIO when lseek (SEEK_DATA or SEEK_HOLE) requests a negative offset. man 2 lseek says : EINVAL whence is not valid. Or: the resulting file offset would be : negative, or beyond the end of a seekable device. : : ENXIO whence is SEEK_DATA or SEEK_HOLE, and the file offset is beyond : the end of the file. Make tmpfs return ENXIO under these circumstances as well. After this, tmpfs also passes xfstests's generic/448. [akpm@linux-foundation.org: rewrite changelog] Link: http://lkml.kernel.org/r/1540434176-14349-1-git-send-email-yuyufen@huawei.com Signed-off-by: Yufen Yu Reviewed-by: Andrew Morton Cc: Al Viro Cc: Hugh Dickins Cc: William Kucharski Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin commit 222a723c06fb511d2d65d74b7b43272285020b21 Author: Satheesh Rajendran Date: Thu Nov 8 10:47:56 2018 +0530 powerpc/numa: Suppress "VPHN is not supported" messages [ Upstream commit 437ccdc8ce629470babdda1a7086e2f477048cbd ] When VPHN function is not supported and during cpu hotplug event, kernel prints message 'VPHN function not supported. Disabling polling...'. Currently it prints on every hotplug event, it floods dmesg when a KVM guest tries to hotplug huge number of vcpus, let's just print once and suppress further kernel prints. Signed-off-by: Satheesh Rajendran Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit a4cfd4595d98af7dd0e6efece9aa31ea464bec03 Author: Prarit Bhargava Date: Thu Sep 20 08:59:14 2018 -0400 kdb: Use strscpy with destination buffer size [ Upstream commit c2b94c72d93d0929f48157eef128c4f9d2e603ce ] gcc 8.1.0 warns with: kernel/debug/kdb/kdb_support.c: In function ‘kallsyms_symbol_next’: kernel/debug/kdb/kdb_support.c:239:4: warning: ‘strncpy’ specified bound depends on the length of the source argument [-Wstringop-overflow=] strncpy(prefix_name, name, strlen(name)+1); ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ kernel/debug/kdb/kdb_support.c:239:31: note: length computed here Use strscpy() with the destination buffer size, and use ellipses when displaying truncated symbols. v2: Use strscpy() Signed-off-by: Prarit Bhargava Cc: Jonathan Toppins Cc: Jason Wessel Cc: Daniel Thompson Cc: kgdb-bugreport@lists.sourceforge.net Reviewed-by: Daniel Thompson Signed-off-by: Daniel Thompson Signed-off-by: Sasha Levin commit 606576a969e704f4dbefae6fbcf3de17deb75a49 Author: Trond Myklebust Date: Mon Nov 12 16:06:51 2018 -0500 SUNRPC: Fix a bogus get/put in generic_key_to_expire() [ Upstream commit e3d5e573a54dabdc0f9f3cb039d799323372b251 ] Signed-off-by: Trond Myklebust Signed-off-by: Sasha Levin commit 6d39dd9c0db11dcd354b5e2170d34e67afb6b863 Author: Anson Huang Date: Mon Nov 5 00:59:28 2018 +0000 cpufreq: imx6q: add return value check for voltage scale [ Upstream commit 6ef28a04d1ccf718eee069b72132ce4aa1e52ab9 ] Add return value check for voltage scale when ARM clock rate change fail. Signed-off-by: Anson Huang Acked-by: Viresh Kumar Signed-off-by: Rafael J. Wysocki Signed-off-by: Sasha Levin commit 8bb923f515810bfffce78ad81f8ab8637dcf38ac Author: Scott Wood Date: Tue Nov 6 19:49:34 2018 -0600 KVM: PPC: Move and undef TRACE_INCLUDE_PATH/FILE [ Upstream commit 28c5bcf74fa07c25d5bd118d1271920f51ce2a98 ] TRACE_INCLUDE_PATH and TRACE_INCLUDE_FILE are used by , so like that #include, they should be outside #ifdef protection. They also need to be #undefed before defining, in case multiple trace headers are included by the same C file. This became the case on book3e after commit cf4a6085151a ("powerpc/mm: Add missing tracepoint for tlbie"), leading to the following build error: CC arch/powerpc/kvm/powerpc.o In file included from arch/powerpc/kvm/powerpc.c:51:0: arch/powerpc/kvm/trace.h:9:0: error: "TRACE_INCLUDE_PATH" redefined [-Werror] #define TRACE_INCLUDE_PATH . ^ In file included from arch/powerpc/kvm/../mm/mmu_decl.h:25:0, from arch/powerpc/kvm/powerpc.c:48: ./arch/powerpc/include/asm/trace.h:224:0: note: this is the location of the previous definition #define TRACE_INCLUDE_PATH asm ^ cc1: all warnings being treated as errors Reported-by: Christian Zigotzky Signed-off-by: Scott Wood Signed-off-by: Michael Ellerman Signed-off-by: Sasha Levin commit cf0f464facd6a3150f8bbaf3ce84d24e1b2b68ff Author: Mathias Nyman Date: Thu Nov 15 11:38:41 2018 +0200 usb: xhci: Prevent bus suspend if a port connect change or polling state is detected commit 2f31a67f01a8beb22cae754c53522cb61a005750 upstream. USB3 roothub might autosuspend before a plugged USB3 device is detected, causing USB3 device enumeration failure. USB3 devices don't show up as connected and enabled until USB3 link trainig completes. On a fast booting platform with a slow USB3 link training the link might reach the connected enabled state just as the bus is suspending. If this device is discovered first time by the xhci_bus_suspend() routine it will be put to U3 suspended state like the other ports which failed to suspend earlier. The hub thread will notice the connect change and resume the bus, moving the port back to U0 This U0 -> U3 -> U0 transition right after being connected seems to be too much for some devices, causing them to first go to SS.Inactive state, and finally end up stuck in a polling state with reset asserted Fix this by failing the bus suspend if a port has a connect change or is in a polling state in xhci_bus_suspend(). Don't do any port changes until all ports are checked, buffer all port changes and only write them in the end if suspend can proceed Cc: stable@vger.kernel.org Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit 3583903f9d8bbfc5402ac4f02d7f155b94f9ec5f Author: Marc Kleine-Budde Date: Wed Oct 31 14:15:13 2018 +0100 can: dev: __can_get_echo_skb(): print error message, if trying to echo non existing skb commit 7da11ba5c5066dadc2e96835a6233d56d7b7764a upstream. Prior to echoing a successfully transmitted CAN frame (by calling can_get_echo_skb()), CAN drivers have to put the CAN frame (by calling can_put_echo_skb() in the transmit function). These put and get function take an index as parameter, which is used to identify the CAN frame. A driver calling can_get_echo_skb() with a index not pointing to a skb is a BUG, so add an appropriate error message. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit a48b4b9cd6714f899f05d2580c7efb3700d744f3 Author: Marc Kleine-Budde Date: Wed Oct 31 14:05:26 2018 +0100 can: dev: __can_get_echo_skb(): Don't crash the kernel if can_priv::echo_skb is accessed out of bounds commit e7a6994d043a1e31d5b17706a22ce33d2a3e4cdc upstream. If the "struct can_priv::echo_skb" is accessed out of bounds would lead to a kernel crash. Better print a sensible warning message instead and try to recover. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 385e1c3bbe57e13115153573747754ca39db80b0 Author: Marc Kleine-Budde Date: Wed Oct 31 11:08:21 2018 +0100 can: dev: __can_get_echo_skb(): replace struct can_frame by canfd_frame to access frame length commit 200f5c49f7a2cd694436bfc6cb0662b794c96736 upstream. This patch replaces the use of "struct can_frame::can_dlc" by "struct canfd_frame::len" to access the frame's length. As it is ensured that both structures have a compatible memory layout for this member this is no functional change. Futher, this compatibility is documented in a comment. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 1d8016389d026c3291588b40be10b8441f1ef2d5 Author: Marc Kleine-Budde Date: Wed Oct 31 10:37:46 2018 +0100 can: dev: can_get_echo_skb(): factor out non sending code to __can_get_echo_skb() commit a4310fa2f24687888ce80fdb0e88583561a23700 upstream. This patch factors out all non sending parts of can_get_echo_skb() into a seperate function __can_get_echo_skb(), so that it can be re-used in an upcoming patch. Cc: linux-stable Signed-off-by: Marc Kleine-Budde Signed-off-by: Greg Kroah-Hartman commit 6c284c9ff8d82280a71c83fc88ac4db148f7cec2 Author: Y.C. Chen Date: Tue Oct 30 11:34:46 2018 +0800 drm/ast: fixed cursor may disappear sometimes commit 7989b9ee8bafe5cc625381dd0c3c4586de27ca26 upstream. Signed-off-by: Y.C. Chen Cc: Reviewed-by: Dave Airlie Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit a841f370dbe2bbb2c252748cc5148f6dfce02d63 Author: Y.C. Chen Date: Wed Oct 3 14:57:47 2018 +0800 drm/ast: change resolution may cause screen blurred commit 1a37bd823891568f8721989aed0615835632d81a upstream. The value of pitches is not correct while calling mode_set. The issue we found so far on following system: - Debian8 with XFCE Desktop - Ubuntu with KDE Desktop - SUSE15 with KDE Desktop Signed-off-by: Y.C. Chen Cc: Tested-by: Jean Delvare Reviewed-by: Jean Delvare Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 6f80fe0dc1830b2e50a2b9cc854f497a77561fca Author: Eric Dumazet Date: Mon Oct 22 09:24:27 2018 -0700 llc: do not use sk_eat_skb() commit 604d415e2bd642b7e02c80e719e0396b9d4a77a6 upstream. syzkaller triggered a use-after-free [1], caused by a combination of skb_get() in llc_conn_state_process() and usage of sk_eat_skb() sk_eat_skb() is assuming the skb about to be freed is only used by the current thread. TCP/DCCP stacks enforce this because current thread holds the socket lock. llc_conn_state_process() wants to make sure skb does not disappear, and holds a reference on the skb it manipulates. But as soon as this skb is added to socket receive queue, another thread can consume it. This means that llc must use regular skb_unlink() and kfree_skb() so that both producer and consumer can safely work on the same skb. [1] BUG: KASAN: use-after-free in atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] BUG: KASAN: use-after-free in refcount_read include/linux/refcount.h:43 [inline] BUG: KASAN: use-after-free in skb_unref include/linux/skbuff.h:967 [inline] BUG: KASAN: use-after-free in kfree_skb+0xb7/0x580 net/core/skbuff.c:655 Read of size 4 at addr ffff8801d1f6fba4 by task ksoftirqd/1/18 CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc8+ #295 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c4/0x2b6 lib/dump_stack.c:113 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 kasan_check_read+0x11/0x20 mm/kasan/kasan.c:272 atomic_read include/asm-generic/atomic-instrumented.h:21 [inline] refcount_read include/linux/refcount.h:43 [inline] skb_unref include/linux/skbuff.h:967 [inline] kfree_skb+0xb7/0x580 net/core/skbuff.c:655 llc_sap_state_process+0x9b/0x550 net/llc/llc_sap.c:224 llc_sap_rcv+0x156/0x1f0 net/llc/llc_sap.c:297 llc_sap_handler+0x65e/0xf80 net/llc/llc_sap.c:438 llc_rcv+0x79e/0xe20 net/llc/llc_input.c:208 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 run_ksoftirqd+0x94/0x100 kernel/softirq.c:653 smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164 kthread+0x35a/0x420 kernel/kthread.c:246 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413 Allocated by task 18: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc_node+0x144/0x730 mm/slab.c:3644 __alloc_skb+0x119/0x770 net/core/skbuff.c:193 alloc_skb include/linux/skbuff.h:995 [inline] llc_alloc_frame+0xbc/0x370 net/llc/llc_sap.c:54 llc_station_ac_send_xid_r net/llc/llc_station.c:52 [inline] llc_station_rcv+0x1dc/0x1420 net/llc/llc_station.c:111 llc_rcv+0xc32/0xe20 net/llc/llc_input.c:220 __netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4913 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5023 process_backlog+0x218/0x6f0 net/core/dev.c:5829 napi_poll net/core/dev.c:6249 [inline] net_rx_action+0x7c5/0x1950 net/core/dev.c:6315 __do_softirq+0x30c/0xb03 kernel/softirq.c:292 Freed by task 16383: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x83/0x290 mm/slab.c:3756 kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 __kfree_skb+0x1d/0x20 net/core/skbuff.c:642 sk_eat_skb include/net/sock.h:2366 [inline] llc_ui_recvmsg+0xec2/0x1610 net/llc/af_llc.c:882 sock_recvmsg_nosec net/socket.c:794 [inline] sock_recvmsg+0xd0/0x110 net/socket.c:801 ___sys_recvmsg+0x2b6/0x680 net/socket.c:2278 __sys_recvmmsg+0x303/0xb90 net/socket.c:2390 do_sys_recvmmsg+0x181/0x1a0 net/socket.c:2466 __do_sys_recvmmsg net/socket.c:2484 [inline] __se_sys_recvmmsg net/socket.c:2480 [inline] __x64_sys_recvmmsg+0xbe/0x150 net/socket.c:2480 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801d1f6fac0 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 228 bytes inside of 232-byte region [ffff8801d1f6fac0, ffff8801d1f6fba8) The buggy address belongs to the page: page:ffffea000747dbc0 count:1 mapcount:0 mapping:ffff8801d9be7680 index:0xffff8801d1f6fe80 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0007346e88 ffffea000705b108 ffff8801d9be7680 raw: ffff8801d1f6fe80 ffff8801d1f6f0c0 000000010000000b 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d1f6fa80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8801d1f6fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8801d1f6fb80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d1f6fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d1f6fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet Reported-by: syzbot Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b689a81a4c2ac139a3fdb92b08aab6dd73bc6108 Author: Andrew Price Date: Mon Oct 8 07:52:43 2018 -0500 gfs2: Don't leave s_fs_info pointing to freed memory in init_sbd commit 4c62bd9cea7bcf10292f7e4c57a2bca332942697 upstream. When alloc_percpu() fails, sdp gets freed but sb->s_fs_info still points to the same address. Move the assignment after that error check so that s_fs_info can only point to a valid sdp or NULL, which is checked for later in the error path, in gfs2_kill_super(). Reported-by: syzbot+dcb8b3587445007f5808@syzkaller.appspotmail.com Signed-off-by: Andrew Price Signed-off-by: Bob Peterson Signed-off-by: Greg Kroah-Hartman commit 8b97e045bd6d37f96f161e4d371ae174148e1587 Author: Xin Long Date: Mon Oct 29 23:10:29 2018 +0800 sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream. If a transport is removed by asconf but there still are some chunks with this transport queuing on out_chunk_list, later an use-after-free issue will be caused when accessing this transport from these chunks in sctp_outq_flush(). This is an old bug, we fix it by clearing the transport of these chunks in out_chunk_list when removing a transport in sctp_assoc_rm_peer(). Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com Signed-off-by: Xin Long Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 9891fda685f1a9da69012bb39aad81b67870cf5e Author: Tetsuo Handa Date: Fri Nov 2 15:48:42 2018 -0700 bfs: add sanity check at bfs_fill_super() commit 9f2df09a33aa2c76ce6385d382693f98d7f2f07e upstream. syzbot is reporting too large memory allocation at bfs_fill_super() [1]. Since file system image is corrupted such that bfs_sb->s_start == 0, bfs_fill_super() is trying to allocate 8MB of continuous memory. Fix this by adding a sanity check on bfs_sb->s_start, __GFP_NOWARN and printf(). [1] https://syzkaller.appspot.com/bug?id=16a87c236b951351374a84c8a32f40edbc034e96 Link: http://lkml.kernel.org/r/1525862104-3407-1-git-send-email-penguin-kernel@I-love.SAKURA.ne.jp Signed-off-by: Tetsuo Handa Reported-by: syzbot Reviewed-by: Andrew Morton Cc: Tigran Aivazian Cc: Matthew Wilcox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ebd55db37fa7856ddc182da5587dd2189940d987 Author: Dominique Martinet Date: Mon Aug 27 15:12:05 2018 +0900 v9fs_dir_readdir: fix double-free on p9stat_read error commit 81c99089bce693b94b775b6eb888115d2d540086 upstream. p9stat_read will call p9stat_free on error, we should only free the struct content on success. There also is no need to "p9stat_init" st as the read function will zero the whole struct for us anyway, so clean up the code a bit while we are here. Link: http://lkml.kernel.org/r/1535410108-20650-1-git-send-email-asmadeus@codewreck.org Signed-off-by: Dominique Martinet Reported-by: syzbot+d4252148d198410b864f@syzkaller.appspotmail.com Signed-off-by: Greg Kroah-Hartman commit 79faf409b184b586f05f0b5cdee60953f5541d0b Author: Emmanuel Grumbach Date: Thu Aug 16 13:25:48 2018 +0300 iwlwifi: mvm: support sta_statistics() even on older firmware commit ec484d03ef0df8d34086b95710e355a259cbe1f2 upstream. The oldest firmware supported by iwlmvm do support getting the average beacon RSSI. Enable the sta_statistics() call from mac80211 even on older firmware versions. Fixes: 33cef9256342 ("iwlwifi: mvm: support beacon statistics for BSS client") Cc: stable@vger.kernel.org # 4.2+ Signed-off-by: Emmanuel Grumbach Signed-off-by: Luca Coelho Signed-off-by: Greg Kroah-Hartman commit 9fefd2252c8efca78f578d478acedb360b9bdd2c Author: Greg Kroah-Hartman Date: Thu Nov 15 15:03:24 2018 -0800 MAINTAINERS: Add Sasha as a stable branch maintainer commit cb5d21946d2a2f4687c482ab4604af1d29dac35a upstream. Sasha has somehow been convinced into helping me with the stable kernel maintenance. Codify this slip in good judgement before he realizes what he really signed up for :) Signed-off-by: Greg Kroah-Hartman Acked-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman commit cb4cb3eab5388df1b9604baed7ad97c8509d97d5 Author: Aaron Ma Date: Fri Nov 9 17:21:21 2018 +0200 usb: xhci: fix timeout for transition from RExit to U0 commit a5baeaeabcca3244782a9b6382ebab6f8a58f583 upstream. This definition is used by msecs_to_jiffies in milliseconds. According to the comments, max rexit timeout should be 20ms. Align with the comments to properly calculate the delay. Verified on Sunrise Point-LP and Cannon Lake. Cc: stable@vger.kernel.org Signed-off-by: Aaron Ma Signed-off-by: Mathias Nyman Signed-off-by: Greg Kroah-Hartman commit de06a3146c1932aa0cf78a721f19d3daa6aca538 Author: Dennis Wassenberg Date: Tue Nov 13 14:40:34 2018 +0100 usb: core: Fix hub port connection events lost commit 22454b79e6de05fa61a2a72d00d2eed798abbb75 upstream. This will clear the USB_PORT_FEAT_C_CONNECTION bit in case of a hub port reset only if a device is was attached to the hub port before resetting the hub port. Using a Lenovo T480s attached to the ultra dock it was not possible to detect some usb-c devices at the dock usb-c ports because the hub_port_reset code will clear the USB_PORT_FEAT_C_CONNECTION bit after the actual hub port reset. Using this device combo the USB_PORT_FEAT_C_CONNECTION bit was set between the actual hub port reset and the clear of the USB_PORT_FEAT_C_CONNECTION bit. This ends up with clearing the USB_PORT_FEAT_C_CONNECTION bit after the new device was attached such that it was not detected. This patch will not clear the USB_PORT_FEAT_C_CONNECTION bit if there is currently no device attached to the port before the hub port reset. This will avoid clearing the connection bit for new attached devices. Signed-off-by: Dennis Wassenberg Acked-by: Mathias Nyman Cc: stable Signed-off-by: Greg Kroah-Hartman