user/sven/linux.git, branch v3.18.100 Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v3.18.100 2018-03-18T10:15:45Z Linux 3.18.100 2018-03-18T10:15:45Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-03-18T10:15:45Z urn:sha1:5fcd9374919e35f015c283d6900a1f0fca00477e fixup: sctp: verify size of a new chunk in _sctp_make_chunk() 2018-03-18T10:15:45Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2018-03-13T09:56:00Z urn:sha1:d8930f132b54a3abf0d12d506e9e9204ce23abb8 Ben writes: > > + int chunklen; > > + > > + chunklen = sizeof(*chunk_hdr) + paylen; > > I think this length still needs to be rounded up (with WORD_ROUND here, > instead of SCTP_PAD4 upstream). So here's a fix for this problem. Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> serial: 8250_pci: Add Brainboxes UC-260 4 port serial device 2018-03-18T10:15:45Z Nikola Ciprich nikola.ciprich@linuxbox.cz 2018-02-13T14:04:46Z urn:sha1:502319ce91249e578323190ee7332c8b43ca9202 commit 9f2068f35729948bde84d87a40d135015911345d upstream. Add PCI ids for two variants of Brainboxes UC-260 quad port PCI serial cards. Suggested-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Nikola Ciprich <nikola.ciprich@linuxbox.cz> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> usb: usbmon: Read text within supplied buffer size 2018-03-18T10:15:45Z Pete Zaitcev zaitcev@kotori.zaitcev.us 2018-03-09T06:21:14Z urn:sha1:d6d68ab0ad44f6cf7c8621c91f29d351618ac96e commit a5f596830e27e15f7a0ecd6be55e433d776986d8 upstream. This change fixes buffer overflows and silent data corruption with the usbmon device driver text file read operations. Signed-off-by: Fredrik Noring <noring@nocrew.org> Signed-off-by: Pete Zaitcev <zaitcev@redhat.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> USB: usbmon: remove assignment from IS_ERR argument 2018-03-18T10:15:44Z Julia Lawall Julia.Lawall@lip6.fr 2015-12-26T21:57:44Z urn:sha1:c3d114a94f9691e6619ca8486aa5baa938e386b0 commit 46c236dc7d1212d7417e6fb0317f91c44c719322 upstream. The semantic patch that makes this change is as follows: (http://coccinelle.lip6.fr/) // <smpl> @@ expression e1,e2; statement S1,S2; @@ +e1 = e2; if (IS_ERR( e1 - = e2 )) S1 else S2 // </smpl> Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> usb: quirks: add control message delay for 1b1c:1b20 2018-03-18T10:15:44Z Danilo Krummrich danilokrummrich@dk-develop.de 2018-03-06T08:38:49Z urn:sha1:5ad9d27c1244b3444de02396e1fffe99d21b8d90 commit cb88a0588717ba6c756cb5972d75766b273a6817 upstream. Corsair Strafe RGB keyboard does not respond to usb control messages sometimes and hence generates timeouts. Commit de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") tried to fix those timeouts by adding USB_QUIRK_DELAY_INIT. Unfortunately, even with this quirk timeouts of usb_control_msg() can still be seen, but with a lower frequency (approx. 1 out of 15): [ 29.103520] usb 1-8: string descriptor 0 read error: -110 [ 34.363097] usb 1-8: can't set config #1, error -110 Adding further delays to different locations where usb control messages are issued just moves the timeouts to other locations, e.g.: [ 35.400533] usbhid 1-8:1.0: can't add hid device: -110 [ 35.401014] usbhid: probe of 1-8:1.0 failed with error -110 The only way to reliably avoid those issues is having a pause after each usb control message. In approx. 200 boot cycles no more timeouts were seen. Addionaly, keep USB_QUIRK_DELAY_INIT as it turned out to be necessary to have the delay in hub_port_connect() after hub_port_init(). The overall boot time seems not to be influenced by these additional delays, even on fast machines and lightweight distributions. Fixes: de3af5bf259d ("usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard") Cc: stable@vger.kernel.org Signed-off-by: Danilo Krummrich <danilokrummrich@dk-develop.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> staging: android: ashmem: Fix lockdep issue during llseek 2018-03-18T10:15:44Z Joel Fernandes joelaf@google.com 2018-02-16T19:02:01Z urn:sha1:0a40db9bb69656032e48df4b8d611f162bbb91ee commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream. ashmem_mutex create a chain of dependencies like so: (1) mmap syscall -> mmap_sem -> (acquired) ashmem_mmap ashmem_mutex (try to acquire) (block) (2) llseek syscall -> ashmem_llseek -> ashmem_mutex -> (acquired) inode_lock -> inode->i_rwsem (try to acquire) (block) (3) getdents -> iterate_dir -> inode_lock -> inode->i_rwsem (acquired) copy_to_user -> mmap_sem (try to acquire) There is a lock ordering created between mmap_sem and inode->i_rwsem causing a lockdep splat [2] during a syzcaller test, this patch fixes the issue by unlocking the mutex earlier. Functionally that's Ok since we don't need to protect vfs_llseek. [1] https://patchwork.kernel.org/patch/10185031/ [2] https://lkml.org/lkml/2018/1/10/48 Acked-by: Todd Kjos <tkjos@google.com> Cc: Arve Hjonnevag <arve@android.com> Cc: stable@vger.kernel.org Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com Signed-off-by: Joel Fernandes <joelaf@google.com> Acked-by: Greg Hackmann <ghackmann@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> uas: fix comparison for error code 2018-03-18T10:15:44Z Oliver Neukum oneukum@suse.com 2018-03-06T14:04:24Z urn:sha1:8d5ac33dba6b5a01163b3a722bb0ee58448476a8 commit 9a513c905bb95bef79d96feb08621c1ec8d8c4bb upstream. A typo broke the comparison. Fixes: cbeef22fd611 ("usb: uas: unconditionally bring back host after reset") Signed-off-by: Oliver Neukum <oneukum@suse.com> CC: stable@kernel.org Acked-by: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> tty/serial: atmel: add new version check for usart 2018-03-18T10:15:44Z Jonas Danielsson jonas@orbital-systems.com 2018-01-29T11:39:15Z urn:sha1:6515f2dd23e3e6ab6076afb04e57efdbee74462a commit fd63a8903a2c40425a9811c3371dd4d0f42c0ad3 upstream. On our at91sam9260 based board the usart0 and usart1 ports report their versions (ATMEL_US_VERSION) as 0x10302. This version is not included in the current checks in the driver. Signed-off-by: Jonas Danielsson <jonas@orbital-systems.com> Acked-by: Richard Genoud <richard.genoud@gmail.com> Acked-by: Nicolas Ferre <nicolas.ferre@microchip.com> Cc: stable <stable@vger.kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> serial: sh-sci: prevent lockup on full TTY buffers 2018-03-18T10:15:44Z Ulrich Hecht ulrich.hecht+renesas@gmail.com 2018-02-15T12:02:27Z urn:sha1:7353f81f6cc4909019a729f32f2e822895aba845 commit 7842055bfce4bf0170d0f61df8b2add8399697be upstream. When the TTY buffers fill up to the configured maximum, a system lockup occurs: [ 598.820128] INFO: rcu_preempt detected stalls on CPUs/tasks: [ 598.825796] 0-...!: (1 GPs behind) idle=5a6/2/0 softirq=1974/1974 fqs=1 [ 598.832577] (detected by 3, t=62517 jiffies, g=296, c=295, q=126) [ 598.838755] Task dump for CPU 0: [ 598.841977] swapper/0 R running task 0 0 0 0x00000022 [ 598.849023] Call trace: [ 598.851476] __switch_to+0x98/0xb0 [ 598.854870] (null) This can be prevented by doing a dummy read of the RX data register. This issue affects both HSCIF and SCIF ports. Reported for R-Car H3 ES2.0; reproduced and fixed on H3 ES1.1. Probably affects other R-Car platforms as well. Reported-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com> Signed-off-by: Ulrich Hecht <ulrich.hecht+renesas@gmail.com> Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be> Cc: stable <stable@vger.kernel.org> Tested-by: Nguyen Viet Dung <dung.nguyen.aj@renesas.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>