This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.13.15-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.13.y and the diffstat can be found below.
thanks,
greg k-h
------------- Pseudo-Shortlog of commits:
Greg Kroah-Hartman gregkh@linuxfoundation.org Linux 4.13.15-rc1
Hans de Goede hdegoede@redhat.com staging: rtl8188eu: Revert 4 commits breaking ARP
Hans de Goede hdegoede@redhat.com staging: vboxvideo: Fix reporting invalid suggested-offset-properties
Johan Hovold johan@kernel.org staging: greybus: spilib: fix use-after-free after deregistration
Gilad Ben-Yossef gilad@benyossef.com staging: ccree: fix 64 bit scatter/gather DMA ops
Huacai Chen chenhc@lemote.com staging: sm750fb: Fix parameter mistake in poke32
Aditya Shankar aditya.shankar@microchip.com staging: wilc1000: Fix bssid buffer offset in Txq
Jason Gerecke killertofu@gmail.com HID: wacom: generic: Recognize WACOM_HID_WD_PEN as a type of pen collection
Sébastien Szymanski sebastien.szymanski@armadeus.com HID: cp2112: add HIDRAW dependency
Hans de Goede hdegoede@redhat.com platform/x86: peaq_wmi: Fix missing terminating entry for peaq_dmi_table
Hans de Goede hdegoede@redhat.com platform/x86: peaq-wmi: Add DMI check before binding to the WMI interface
Yazen Ghannam yazen.ghannam@amd.com x86/MCE/AMD: Always give panic severity for UC errors in kernel context
Andy Lutomirski luto@kernel.org selftests/x86/protection_keys: Fix syscall NR redefinition warnings
Johan Hovold johan@kernel.org USB: serial: garmin_gps: fix memory leak on probe errors
Johan Hovold johan@kernel.org USB: serial: garmin_gps: fix I/O after failed probe and remove
Douglas Fischer douglas.fischer@outlook.com USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
Lu Baolu baolu.lu@linux.intel.com USB: serial: Change DbC debug device binding ID
Johan Hovold johan@kernel.org USB: serial: metro-usb: stop I/O after failed open
Andrew Gabbasov andrew_gabbasov@mentor.com usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
Bernhard Rosenkraenzer bernhard.rosenkranzer@linaro.org USB: Add delay-init quirk for Corsair K70 LUX keyboards
Alan Stern stern@rowland.harvard.edu USB: usbfs: compute urb->actual_length for isochronous
Lu Baolu baolu.lu@linux.intel.com USB: early: Use new USB product ID and strings for DbC device
raveendra padasalagi raveendra.padasalagi@broadcom.com crypto: brcm - Explicity ACK mailbox message
Eric Biggers ebiggers@google.com crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
Eric Biggers ebiggers@google.com crypto: dh - Don't permit 'p' to be 0
Eric Biggers ebiggers@google.com crypto: dh - Fix double free of ctx->p
Leif Liddy leif.linux@gmail.com Bluetooth: btusb: fix QCA Rome suspend/resume
Andrey Konovalov andreyknvl@google.com media: dib0700: fix invalid dvb_detach argument
Arvind Yadav arvind.yadav.cs@gmail.com media: imon: Fix null-ptr-deref in imon_probe
-------------
Diffstat:
Makefile | 4 +- arch/x86/kernel/cpu/mcheck/mce-severity.c | 7 +- crypto/dh.c | 33 ++++----- crypto/dh_helper.c | 16 ++++ drivers/bluetooth/btusb.c | 6 ++ drivers/crypto/bcm/cipher.c | 101 ++++++++++++-------------- drivers/hid/Kconfig | 2 +- drivers/hid/wacom_wac.h | 1 + drivers/media/rc/imon.c | 5 ++ drivers/media/usb/dvb-usb/dib0700_devices.c | 24 +++--- drivers/platform/x86/peaq-wmi.c | 19 +++++ drivers/staging/ccree/cc_lli_defs.h | 2 +- drivers/staging/greybus/spilib.c | 8 +- drivers/staging/rtl8188eu/core/rtw_recv.c | 83 ++++++++++++--------- drivers/staging/rtl8188eu/os_dep/mon.c | 34 ++------- drivers/staging/sm750fb/ddk750_chip.h | 2 +- drivers/staging/vboxvideo/vbox_drv.h | 8 +- drivers/staging/vboxvideo/vbox_irq.c | 4 +- drivers/staging/vboxvideo/vbox_mode.c | 26 +++++-- drivers/staging/wilc1000/wilc_wlan.c | 2 +- drivers/usb/core/devio.c | 14 ++++ drivers/usb/core/quirks.c | 3 + drivers/usb/early/xhci-dbc.h | 6 +- drivers/usb/gadget/function/f_fs.c | 1 + drivers/usb/serial/garmin_gps.c | 22 +++++- drivers/usb/serial/metro-usb.c | 11 ++- drivers/usb/serial/qcserial.c | 1 + drivers/usb/serial/usb_debug.c | 4 +- tools/testing/selftests/x86/protection_keys.c | 24 ++++-- 29 files changed, 280 insertions(+), 193 deletions(-)
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arvind Yadav arvind.yadav.cs@gmail.com
commit 58fd55e838276a0c13d1dc7c387f90f25063cbf3 upstream.
It seems that the return value of usb_ifnum_to_if() can be NULL and needs to be checked.
Signed-off-by: Arvind Yadav arvind.yadav.cs@gmail.com Tested-by: Andrey Konovalov andreyknvl@google.com Signed-off-by: Sean Young sean@mess.org Signed-off-by: Mauro Carvalho Chehab mchehab@osg.samsung.com Cc: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/media/rc/imon.c | 5 +++++ 1 file changed, 5 insertions(+)
--- a/drivers/media/rc/imon.c +++ b/drivers/media/rc/imon.c @@ -2516,6 +2516,11 @@ static int imon_probe(struct usb_interfa mutex_lock(&driver_lock);
first_if = usb_ifnum_to_if(usbdev, 0); + if (!first_if) { + ret = -ENODEV; + goto fail; + } + first_if_ctx = usb_get_intfdata(first_if);
if (ifnum == 0) {
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrey Konovalov andreyknvl@google.com
commit eb0c19942288569e0ae492476534d5a485fb8ab4 upstream.
dvb_detach(arg) calls symbol_put_addr(arg), where arg should be a pointer to a function. Right now a pointer to state->dib7000p_ops is passed to dvb_detach(), which causes a BUG() in symbol_put_addr() as discovered by syzkaller. Pass state->dib7000p_ops.set_wbd_ref instead.
------------[ cut here ]------------ kernel BUG at kernel/module.c:1081! invalid opcode: 0000 [#1] PREEMPT SMP KASAN Modules linked in: CPU: 1 PID: 1151 Comm: kworker/1:1 Tainted: G W 4.14.0-rc1-42251-gebb2c2437d80 #224 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Workqueue: usb_hub_wq hub_event task: ffff88006a336300 task.stack: ffff88006a7c8000 RIP: 0010:symbol_put_addr+0x54/0x60 kernel/module.c:1083 RSP: 0018:ffff88006a7ce210 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff880062a8d190 RCX: 0000000000000000 RDX: dffffc0000000020 RSI: ffffffff85876d60 RDI: ffff880062a8d190 RBP: ffff88006a7ce218 R08: 1ffff1000d4f9c12 R09: 1ffff1000d4f9ae4 R10: 1ffff1000d4f9bed R11: 0000000000000000 R12: ffff880062a8d180 R13: 00000000ffffffed R14: ffff880062a8d190 R15: ffff88006947c000 FS: 0000000000000000(0000) GS:ffff88006c900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f6416532000 CR3: 00000000632f5000 CR4: 00000000000006e0 Call Trace: stk7070p_frontend_attach+0x515/0x610 drivers/media/usb/dvb-usb/dib0700_devices.c:1013 dvb_usb_adapter_frontend_init+0x32b/0x660 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:286 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:162 dvb_usb_device_init+0xf70/0x17f0 drivers/media/usb/dvb-usb/dvb-usb-init.c:277 dib0700_probe+0x171/0x5a0 drivers/media/usb/dvb-usb/dib0700_core.c:886 usb_probe_interface+0x35d/0x8e0 drivers/usb/core/driver.c:361 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_set_configuration+0x104e/0x1870 drivers/usb/core/message.c:1932 generic_probe+0x73/0xe0 drivers/usb/core/generic.c:174 usb_probe_device+0xaf/0xe0 drivers/usb/core/driver.c:266 really_probe drivers/base/dd.c:413 driver_probe_device+0x610/0xa00 drivers/base/dd.c:557 __device_attach_driver+0x230/0x290 drivers/base/dd.c:653 bus_for_each_drv+0x161/0x210 drivers/base/bus.c:463 __device_attach+0x26e/0x3d0 drivers/base/dd.c:710 device_initial_probe+0x1f/0x30 drivers/base/dd.c:757 bus_probe_device+0x1eb/0x290 drivers/base/bus.c:523 device_add+0xd0b/0x1660 drivers/base/core.c:1835 usb_new_device+0x7b8/0x1020 drivers/usb/core/hub.c:2457 hub_port_connect drivers/usb/core/hub.c:4903 hub_port_connect_change drivers/usb/core/hub.c:5009 port_event drivers/usb/core/hub.c:5115 hub_event+0x194d/0x3740 drivers/usb/core/hub.c:5195 process_one_work+0xc7f/0x1db0 kernel/workqueue.c:2119 worker_thread+0x221/0x1850 kernel/workqueue.c:2253 kthread+0x3a1/0x470 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:431 Code: ff ff 48 85 c0 74 24 48 89 c7 e8 48 ea ff ff bf 01 00 00 00 e8 de 20 e3 ff 65 8b 05 b7 2f c2 7e 85 c0 75 c9 e8 f9 0b c1 ff eb c2 <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 b8 00 00 RIP: symbol_put_addr+0x54/0x60 RSP: ffff88006a7ce210 ---[ end trace b75b357739e7e116 ]---
Signed-off-by: Andrey Konovalov andreyknvl@google.com Cc: Ben Hutchings ben.hutchings@codethink.co.uk Signed-off-by: Mauro Carvalho Chehab mchehab@s-opensource.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/media/usb/dvb-usb/dib0700_devices.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/media/usb/dvb-usb/dib0700_devices.c +++ b/drivers/media/usb/dvb-usb/dib0700_devices.c @@ -291,7 +291,7 @@ static int stk7700P2_frontend_attach(str stk7700d_dib7000p_mt2266_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; } } @@ -325,7 +325,7 @@ static int stk7700d_frontend_attach(stru stk7700d_dib7000p_mt2266_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; } } @@ -478,7 +478,7 @@ static int stk7700ph_frontend_attach(str &stk7700ph_dib7700_xc3028_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -1010,7 +1010,7 @@ static int stk7070p_frontend_attach(stru &dib7070p_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -1068,7 +1068,7 @@ static int stk7770p_frontend_attach(stru &dib7770p_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -3056,7 +3056,7 @@ static int nim7090_frontend_attach(struc
if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x10, &nim7090_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; } adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, 0x80, &nim7090_dib7000p_config); @@ -3109,7 +3109,7 @@ static int tfe7090pvr_frontend0_attach(s /* initialize IC 0 */ if (state->dib7000p_ops.i2c_enumeration(&adap->dev->i2c_adap, 1, 0x20, &tfe7090pvr_dib7000p_config[0]) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -3139,7 +3139,7 @@ static int tfe7090pvr_frontend1_attach(s i2c = state->dib7000p_ops.get_i2c_master(adap->dev->adapter[0].fe_adap[0].fe, DIBX000_I2C_INTERFACE_GPIO_6_7, 1); if (state->dib7000p_ops.i2c_enumeration(i2c, 1, 0x10, &tfe7090pvr_dib7000p_config[1]) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -3214,7 +3214,7 @@ static int tfe7790p_frontend_attach(stru 1, 0x10, &tfe7790p_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; } adap->fe_adap[0].fe = state->dib7000p_ops.init(&adap->dev->i2c_adap, @@ -3309,7 +3309,7 @@ static int stk7070pd_frontend_attach0(st stk7070pd_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
@@ -3384,7 +3384,7 @@ static int novatd_frontend_attach(struct stk7070pd_dib7000p_config) != 0) { err("%s: state->dib7000p_ops.i2c_enumeration failed. Cannot continue\n", __func__); - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; } } @@ -3620,7 +3620,7 @@ static int pctv340e_frontend_attach(stru
if (state->dib7000p_ops.dib7000pc_detection(&adap->dev->i2c_adap) == 0) { /* Demodulator not found for some reason? */ - dvb_detach(&state->dib7000p_ops); + dvb_detach(state->dib7000p_ops.set_wbd_ref); return -ENODEV; }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Leif Liddy leif.linux@gmail.com
commit fd865802c66bc451dc515ed89360f84376ce1a56 upstream.
There's been numerous reported instances where BTUSB_QCA_ROME bluetooth controllers stop functioning upon resume from suspend. These devices seem to be losing power during suspend. Patch will detect a status change on resume and perform a reset.
Signed-off-by: Leif Liddy leif.linux@gmail.com Signed-off-by: Marcel Holtmann marcel@holtmann.org Cc: Kai Heng Feng kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/bluetooth/btusb.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -3068,6 +3068,12 @@ static int btusb_probe(struct usb_interf if (id->driver_info & BTUSB_QCA_ROME) { data->setup_on_usb = btusb_setup_qca; hdev->set_bdaddr = btusb_set_bdaddr_ath3012; + + /* QCA Rome devices lose their updated firmware over suspend, + * but the USB hub doesn't notice any status change. + * Explicitly request a device reset on resume. + */ + set_bit(BTUSB_RESET_RESUME, &data->flags); }
#ifdef CONFIG_BT_HCIBTUSB_RTL
Hi,
El Sun, Nov 19, 2017 at 03:43:50PM +0100 Greg Kroah-Hartman ha dit:
4.13-stable review patch. If anyone has any objections, please let me know.
From: Leif Liddy leif.linux@gmail.com
commit fd865802c66bc451dc515ed89360f84376ce1a56 upstream.
There's been numerous reported instances where BTUSB_QCA_ROME bluetooth controllers stop functioning upon resume from suspend. These devices seem to be losing power during suspend. Patch will detect a status change on resume and perform a reset.
Signed-off-by: Leif Liddy leif.linux@gmail.com Signed-off-by: Marcel Holtmann marcel@holtmann.org Cc: Kai Heng Feng kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/bluetooth/btusb.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -3068,6 +3068,12 @@ static int btusb_probe(struct usb_interf if (id->driver_info & BTUSB_QCA_ROME) { data->setup_on_usb = btusb_setup_qca; hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
/* QCA Rome devices lose their updated firmware over suspend,* but the USB hub doesn't notice any status change.* Explicitly request a device reset on resume.*/set_bit(BTUSB_RESET_RESUME, &data->flags);#ifdef CONFIG_BT_HCIBTUSB_RTL
On Chrome OS QCA Bluetooth stopped working after a merge from v4.4-stable:
[ 124.789298] usb 2-1.1: reset full-speed USB device number 3 using ehci-platform [ 126.624274] Bluetooth: hci0 command 0x2005 tx timeout [ 128.672262] Bluetooth: hci0 command 0x200b tx timeout [ 130.720264] Bluetooth: hci0 command 0x200c tx timeout
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature
BT-Controller connected as platform non-root-hub device and usb-driver initialize such device with wakeup disabled, Ref. usb_new_device().
At present wakeup-capability get enabled by hid-input device from usb function driver(e.g. BT HID device) at runtime. Again some functional driver does not set usb-wakeup capability(e.g LE HID device implement as HID-over-GATT), and can't wakeup the host on USB.
Most of the device operation (such as mass storage) initiated from host (except HID) and USB wakeup aligned with host resume procedure. For BT device, usb-wakeup capability need to enable form btusc driver as a generic solution for multiple profile use case and required for USB remote wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature need to enable/disable with HCI interface up and down.
stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Thanks
Matthias
Hi,
On 16 Dec 2017, at 11:05 AM, Matthias Kaehlcke mka@chromium.org wrote: stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Thanks for this information.
I just found the same issue and I can confirm your finding.
I was testing with runtime suspend disabled. Once the runtime suspend gets enabled, the additional patch is needed.
I’ll remember to enable runtime pm next time.
Thanks again.
Kai-Heng
Thanks
Matthias
On Fri, Dec 15, 2017 at 07:05:39PM -0800, Matthias Kaehlcke wrote:
Hi,
El Sun, Nov 19, 2017 at 03:43:50PM +0100 Greg Kroah-Hartman ha dit:
4.13-stable review patch. If anyone has any objections, please let me know.
From: Leif Liddy leif.linux@gmail.com
commit fd865802c66bc451dc515ed89360f84376ce1a56 upstream.
There's been numerous reported instances where BTUSB_QCA_ROME bluetooth controllers stop functioning upon resume from suspend. These devices seem to be losing power during suspend. Patch will detect a status change on resume and perform a reset.
Signed-off-by: Leif Liddy leif.linux@gmail.com Signed-off-by: Marcel Holtmann marcel@holtmann.org Cc: Kai Heng Feng kai.heng.feng@canonical.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/bluetooth/btusb.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/bluetooth/btusb.c +++ b/drivers/bluetooth/btusb.c @@ -3068,6 +3068,12 @@ static int btusb_probe(struct usb_interf if (id->driver_info & BTUSB_QCA_ROME) { data->setup_on_usb = btusb_setup_qca; hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
/* QCA Rome devices lose their updated firmware over suspend,* but the USB hub doesn't notice any status change.* Explicitly request a device reset on resume.*/set_bit(BTUSB_RESET_RESUME, &data->flags);#ifdef CONFIG_BT_HCIBTUSB_RTL
On Chrome OS QCA Bluetooth stopped working after a merge from v4.4-stable:
[ 124.789298] usb 2-1.1: reset full-speed USB device number 3 using ehci-platform [ 126.624274] Bluetooth: hci0 command 0x2005 tx timeout [ 128.672262] Bluetooth: hci0 command 0x200b tx timeout [ 130.720264] Bluetooth: hci0 command 0x200c tx timeout
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature BT-Controller connected as platform non-root-hub device and usb-driver initialize such device with wakeup disabled, Ref. usb_new_device(). At present wakeup-capability get enabled by hid-input device from usb function driver(e.g. BT HID device) at runtime. Again some functional driver does not set usb-wakeup capability(e.g LE HID device implement as HID-over-GATT), and can't wakeup the host on USB. Most of the device operation (such as mass storage) initiated from host (except HID) and USB wakeup aligned with host resume procedure. For BT device, usb-wakeup capability need to enable form btusc driver as a generic solution for multiple profile use case and required for USB remote wakeup (in-bus wakeup) while host is suspended. Also usb-wakeup feature need to enable/disable with HCI interface up and down.stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Now queued up, thanks for letting me know.
greg k-h
Hi Greg,
On Mon, Dec 18, 2017 at 12:43:48PM +0100, Greg Kroah-Hartman wrote:
On Fri, Dec 15, 2017 at 07:05:39PM -0800, Matthias Kaehlcke wrote:
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
A key word to highlight here is "most". I have at least one device that is consistently having problems even with both patches included; the only way things work reliably so far is to simply revert the $subject patch in 4.4.x.
I'll try to investigate further, since this result is a bit confusing still. If there's a real problem with the patch (and I suspect there might be), it probably shouldn't be in mainline either...
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature
[...]
stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Now queued up, thanks for letting me know.
I think you have almost as much information as I do at this point, and I'll try to reply back here if I figure out anything more, so I'll leave you to your decisions. But I would personally revert, not backport more patches.
Among the reasons: (a) I have at least one device that does not work better with both patches [1] (b) So far, I haven't seen any explanation why commit a0085f2510e8 should be a dependency for $subject patch; the closest I can imagine would be that commit a0085f2510e8 could effectively neutralize $subject patch -- if the device is marked as a wakeup source, then it will never try to RESET on resume -- but that's still a fuzzy signal; just because it's marked a wakeup source sometimes doesn't mean it always will be. We can disable it in user space too. (c) Isn't it safer to revert than to backport more? You're delving into feature-land, not bugfix-land...
Brian
[1] Before you ask: this particular device is not quite fully supported on upstream yet, though its sibling devices are. With a bit of effort, I might be able to test a clean upstream. At the moment, I'm using our Chrom{e,ium}OS 4.4 kernel, where we regularly merge in -stable updates.
Hi Brian,
On 19 Dec 2017, at 2:13 AM, Brian Norris briannorris@chromium.org wrote:
Hi Greg,
On Mon, Dec 18, 2017 at 12:43:48PM +0100, Greg Kroah-Hartman wrote:
On Fri, Dec 15, 2017 at 07:05:39PM -0800, Matthias Kaehlcke wrote:
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
A key word to highlight here is "most". I have at least one device that is consistently having problems even with both patches included; the only way things work reliably so far is to simply revert the $subject patch in 4.4.x.
The problem we have is that the QCA Rome Bluetooth stops working after system S3. The reset resume quirk workaround the issue on both mainline and 4.4.x (at least for me).
I'll try to investigate further, since this result is a bit confusing still. If there's a real problem with the patch (and I suspect there might be), it probably shouldn't be in mainline either…
Do you have the same issue on mainline?
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature
[...]
stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Now queued up, thanks for letting me know.
I think you have almost as much information as I do at this point, and I'll try to reply back here if I figure out anything more, so I'll leave you to your decisions. But I would personally revert, not backport more patches.
Among the reasons: (a) I have at least one device that does not work better with both patches [1] (b) So far, I haven't seen any explanation why commit a0085f2510e8 should be a dependency for $subject patch; the closest I can imagine would be that commit a0085f2510e8 could effectively neutralize $subject patch -- if the device is marked as a wakeup source, then it will never try to RESET on resume -- but that's still a fuzzy signal; just because it's marked a wakeup source sometimes doesn't mean it always will be. We can disable it in user space too.
Hi Leif,
Can you try if a0085f2510e8 breaks your $subject commit? If it’s a yes, then what Brian suggests is correct.
Also, can you share the output of "usb-device” for your btusb device?
(c) Isn't it safer to revert than to backport more? You're delving into feature-land, not bugfix-land…
Sounds reasonable.
We’ll need more information from Leif if we need to do ID-specific quirks.
Kai-Heng
Brian
[1] Before you ask: this particular device is not quite fully supported on upstream yet, though its sibling devices are. With a bit of effort, I might be able to test a clean upstream. At the moment, I'm using our Chrom{e,ium}OS 4.4 kernel, where we regularly merge in -stable updates.
Hi Kai,
On Tue, Dec 19, 2017 at 12:28:17PM +0800, Kai Heng Feng wrote:
On 19 Dec 2017, at 2:13 AM, Brian Norris briannorris@chromium.org wrote: On Mon, Dec 18, 2017 at 12:43:48PM +0100, Greg Kroah-Hartman wrote:
On Fri, Dec 15, 2017 at 07:05:39PM -0800, Matthias Kaehlcke wrote:
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
A key word to highlight here is "most". I have at least one device that is consistently having problems even with both patches included; the only way things work reliably so far is to simply revert the $subject patch in 4.4.x.
The problem we have is that the QCA Rome Bluetooth stops working after system S3. The reset resume quirk workaround the issue on both mainline and 4.4.x (at least for me).
Understood. But that's not the case for all systems, and on some, you're regressing functionality.
Many systems keep power enabled for system suspend, and so that "fix" is not necessary for them. It's also not very precise, because it seems to act in many cases where it need not -- for one, it takes effect on *all* resume attempts, even resuming from autosuspend. I really doubt your system is losing USB power in S0 + USB autosuspend?
So, if you really need this patch for some systems, it seems like it should be much better targeted. You're currently adding a lot of unnecessary overhead and fragility.
I'll try to investigate further, since this result is a bit confusing still. If there's a real problem with the patch (and I suspect there might be), it probably shouldn't be in mainline either…
Do you have the same issue on mainline?
Refer to my note [1] :)
But because you asked, I did the work necessary to boot mainline on this system, and in fact, I see the same problem. I think that's enough reason to revert your patch in all branches (upstream, and any -stable branch that already took it).
To be clear, here's the kernel logs on 4.15-rc4+, where the 55-second mark is around where I try to power on and scan for BT devices (power-on and scan both fail):
[ 2.323475] usb 3-1: new full-speed USB device number 2 using ohci-platform ... [ 2.731719] usb 3-1: New USB device found, idVendor=0cf3, idProduct=e300 ... [ 2.867870] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 ...(udev doesn't run until here)... [ 35.733139] usbcore: registered new interface driver btusb [ 35.740912] Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000302.bin [ 35.749216] Bluetooth: hci0: QCA: patch rome 0x302 build 0x3e8, firmware rome 0x302 build 0x111 ... [ 35.816104] Bluetooth: hci0: using NVM file: qca/nvm_usb_00000302.bin ... [ 55.073503] usb 3-1: reset full-speed USB device number 2 using ohci-platform ... [ 57.772513] Bluetooth: hci0: urb 00000000ec39086b failed to resubmit (113) [ 57.780217] Bluetooth: hci0: urb 0000000066228fda failed to resubmit (113)
Whereas reverting the $subject patch yields no reset and URB failure; Bluetooth seems to work fine.
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature
[...]
stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Now queued up, thanks for letting me know.
I think you have almost as much information as I do at this point, and I'll try to reply back here if I figure out anything more, so I'll leave you to your decisions. But I would personally revert, not backport more patches.
Among the reasons: (a) I have at least one device that does not work better with both patches [1] (b) So far, I haven't seen any explanation why commit a0085f2510e8 should be a dependency for $subject patch; the closest I can imagine would be that commit a0085f2510e8 could effectively neutralize $subject patch -- if the device is marked as a wakeup source, then it will never try to RESET on resume -- but that's still a fuzzy signal; just because it's marked a wakeup source sometimes doesn't mean it always will be. We can disable it in user space too.
Hi Leif,
Can you try if a0085f2510e8 breaks your $subject commit? If it’s a yes, then what Brian suggests is correct.
Also, can you share the output of "usb-device” for your btusb device?
FWIW, here's mine:
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=e300 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
This is an integrated Wifi+BT QCA6174A-5 M.2 module.
(c) Isn't it safer to revert than to backport more? You're delving into feature-land, not bugfix-land…
Sounds reasonable.
Shall I post a proper revert for mainline, with Fixes tags and CC stable? Or did one of you want to do that?
We’ll need more information from Leif if we need to do ID-specific quirks.
As I see it, this probably isn't just an ID-specific thing; this patch looks bad for its intended purpose, per my comments above (it's overkill, for one). I think there are many factors involved here, and it needs more study than "I just booted, suspended/resumed once, and it worked better."
Among the things to consider: * How do we determine the likelihood that the device gets powered off in S3? The device_may_wakeup() check can be influenced (among other things) by user space policy, so that doesn't really look right to me. (ID-based checks might help a little, since you can probably differentiate chips that are likely used on discrete/removable USB parts, rather than internal chips?) * The ordering: right now, you're enabling "reset on resume" at probe time, but QCA ROME devices only load their firmware in btusb_open(). This gives a window of time in which you're adding weird reset behavior while the device may be running its ROM firmware, not the patched firmware loaded from /lib/firmware/. That might be one reason things don't work out so well? I also suspect that might be one reason that Matthias sometimes saw the problem disappear on his devices, where I didn't. I have my device configured to cold reset the BT device on every reboot, whereas his isn't; it might retain the FW in the BT device's RAM across reboot. So my behavior was more deterministic :) * The behavior here is affected by USB autosuspend, not just S3. I mentioned this above, but more specifically, ChromeOS has udev rules like this, to enable autosuspend on various sorts of devices (including bluetooth controllers + BT HID devices):
<udev rule snippet> ATTR{idVendor}=="0cf3", ATTR{idProduct}=="e300", GOTO="autosuspend_enable" ... # Enable autosuspend LABEL="autosuspend_enable" TEST=="power/control", ATTR{power/control}="auto", GOTO="autosuspend_end"
LABEL="autosuspend_end" </udev rule snippet>
I suspect some desktop systems might not have the same policies, so you're not testing autosuspend in the same way I am?
Brian
Kai-Heng
Brian
[1] Before you ask: this particular device is not quite fully supported on upstream yet, though its sibling devices are. With a bit of effort, I might be able to test a clean upstream. At the moment, I'm using our Chrom{e,ium}OS 4.4 kernel, where we regularly merge in -stable updates.
On 20 Dec 2017, at 7:11 AM, Brian Norris briannorris@chromium.org wrote:
Hi Kai,
On Tue, Dec 19, 2017 at 12:28:17PM +0800, Kai Heng Feng wrote:
On 19 Dec 2017, at 2:13 AM, Brian Norris briannorris@chromium.org wrote: On Mon, Dec 18, 2017 at 12:43:48PM +0100, Greg Kroah-Hartman wrote:
On Fri, Dec 15, 2017 at 07:05:39PM -0800, Matthias Kaehlcke wrote:
We identified the above patch as the culprit, in combination with USB autosuspend being enabled for the Bluetooth controller.
We found that the following (recent) upstream patch fixes the issue on most devices (we are still investigating one case on a specific device):
A key word to highlight here is "most". I have at least one device that is consistently having problems even with both patches included; the only way things work reliably so far is to simply revert the $subject patch in 4.4.x.
The problem we have is that the QCA Rome Bluetooth stops working after system S3. The reset resume quirk workaround the issue on both mainline and 4.4.x (at least for me).
Understood. But that's not the case for all systems, and on some, you're regressing functionality.
Yes. So reverting the commit is a reasonable path we should take.
Many systems keep power enabled for system suspend, and so that "fix" is not necessary for them. It's also not very precise, because it seems to act in many cases where it need not -- for one, it takes effect on *all* resume attempts, even resuming from autosuspend. I really doubt your system is losing USB power in S0 + USB autosuspend?
No, USB power is on. Not seeing my XHCI gets put to D3cold.
So, if you really need this patch for some systems, it seems like it should be much better targeted. You're currently adding a lot of unnecessary overhead and fragility.
You are right. Applying this unconditionally to all QCA Rome may be overkill.
I'll try to investigate further, since this result is a bit confusing still. If there's a real problem with the patch (and I suspect there might be), it probably shouldn't be in mainline either…
Do you have the same issue on mainline?
Refer to my note [1] :)
But because you asked, I did the work necessary to boot mainline on this system, and in fact, I see the same problem. I think that's enough reason to revert your patch in all branches (upstream, and any -stable branch that already took it).
To be clear, here's the kernel logs on 4.15-rc4+, where the 55-second mark is around where I try to power on and scan for BT devices (power-on and scan both fail):
[ 2.323475] usb 3-1: new full-speed USB device number 2 using ohci-platform ... [ 2.731719] usb 3-1: New USB device found, idVendor=0cf3, idProduct=e300 ... [ 2.867870] usb 3-1: New USB device strings: Mfr=0, Product=0, SerialNumber=0 ...(udev doesn't run until here)... [ 35.733139] usbcore: registered new interface driver btusb [ 35.740912] Bluetooth: hci0: using rampatch file: qca/rampatch_usb_00000302.bin [ 35.749216] Bluetooth: hci0: QCA: patch rome 0x302 build 0x3e8, firmware rome 0x302 build 0x111 ... [ 35.816104] Bluetooth: hci0: using NVM file: qca/nvm_usb_00000302.bin ... [ 55.073503] usb 3-1: reset full-speed USB device number 2 using ohci-platform ... [ 57.772513] Bluetooth: hci0: urb 00000000ec39086b failed to resubmit (113) [ 57.780217] Bluetooth: hci0: urb 0000000066228fda failed to resubmit (113)
Whereas reverting the $subject patch yields no reset and URB failure; Bluetooth seems to work fine.
Thanks for your testing on mainline!
commit a0085f2510e8976614ad8f766b209448b385492f Author: Sukumar Ghorai sukumar.ghorai@intel.com Date: Wed Aug 16 14:46:55 2017 -0700
Bluetooth: btusb: driver to enable the usb-wakeup feature
[...]
stable branches are currently broken for BTUSB_QCA_ROME with USB autosuspend enabled, since the above patch is not included (I only checked v4.4 and v4.9), so we probably want to integrate it.
Now queued up, thanks for letting me know.
I think you have almost as much information as I do at this point, and I'll try to reply back here if I figure out anything more, so I'll leave you to your decisions. But I would personally revert, not backport more patches.
Among the reasons: (a) I have at least one device that does not work better with both patches [1] (b) So far, I haven't seen any explanation why commit a0085f2510e8 should be a dependency for $subject patch; the closest I can imagine would be that commit a0085f2510e8 could effectively neutralize $subject patch -- if the device is marked as a wakeup source, then it will never try to RESET on resume -- but that's still a fuzzy signal; just because it's marked a wakeup source sometimes doesn't mean it always will be. We can disable it in user space too.
Hi Leif,
Can you try if a0085f2510e8 breaks your $subject commit? If it’s a yes, then what Brian suggests is correct.
Also, can you share the output of "usb-device” for your btusb device?
FWIW, here's mine:
T: Bus=03 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 D: Ver= 2.01 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 P: Vendor=0cf3 ProdID=e300 Rev=00.01 C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
This is an integrated Wifi+BT QCA6174A-5 M.2 module.
Thanks for the info. I found the same BT on a Killer Wireless, I’ll do some testing on it.
(c) Isn't it safer to revert than to backport more? You're delving into feature-land, not bugfix-land…
Sounds reasonable.
Shall I post a proper revert for mainline, with Fixes tags and CC stable? Or did one of you want to do that?
Let me clean my own mess ;)
We’ll need more information from Leif if we need to do ID-specific quirks.
As I see it, this probably isn't just an ID-specific thing; this patch looks bad for its intended purpose, per my comments above (it's overkill, for one). I think there are many factors involved here, and it needs more study than "I just booted, suspended/resumed once, and it worked better."
Among the things to consider:
- How do we determine the likelihood that the device gets powered off in
S3? The device_may_wakeup() check can be influenced (among other things) by user space policy, so that doesn't really look right to me. (ID-based checks might help a little, since you can probably differentiate chips that are likely used on discrete/removable USB parts, rather than internal chips?)
Actually, I think we can’t know for sure. From my own experience, it’s pretty ODM specific. Some external chips keep its power under S3.
- The ordering: right now, you're enabling "reset on resume" at probe
time, but QCA ROME devices only load their firmware in btusb_open(). This gives a window of time in which you're adding weird reset behavior while the device may be running its ROM firmware, not the patched firmware loaded from /lib/firmware/. That might be one reason things don't work out so well?
You are right, the reset on resume should be used when USB probing, instead of in the middle of btusb_open().
I also suspect that might be one reason that Matthias sometimes saw the problem disappear on his devices, where I didn't. I have my device configured to cold reset the BT device on every reboot, whereas his isn't; it might retain the FW in the BT device's RAM across reboot. So my behavior was more deterministic :)
- The behavior here is affected by USB autosuspend, not just S3. I
mentioned this above, but more specifically, ChromeOS has udev rules like this, to enable autosuspend on various sorts of devices (including bluetooth controllers + BT HID devices):
<udev rule snippet> ATTR{idVendor}=="0cf3", ATTR{idProduct}=="e300", GOTO="autosuspend_enable" ... # Enable autosuspend LABEL="autosuspend_enable" TEST=="power/control", ATTR{power/control}="auto", GOTO="autosuspend_end"
LABEL="autosuspend_end" </udev rule snippet>
I suspect some desktop systems might not have the same policies, so you're not testing autosuspend in the same way I am?
Actually it’s same from kernel’s perspective. I use TLP, it does the same thing to the power/control knob.
Kai-Heng
Brian
Kai-Heng
Brian
[1] Before you ask: this particular device is not quite fully supported on upstream yet, though its sibling devices are. With a bit of effort, I might be able to test a clean upstream. At the moment, I'm using our Chrom{e,ium}OS 4.4 kernel, where we regularly merge in -stable updates.
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.
When setting the secret with the software Diffie-Hellman implementation, if allocating 'g' failed (e.g. if it was longer than MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and once later when the crypto_kpp tfm was destroyed.
Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error paths, as that correctly sets the pointers to NULL.
KASAN report:
MPI: mpi too large (32760 bits) ================================================================== BUG: KASAN: use-after-free in mpi_free+0x131/0x170 Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 Call Trace: dump_stack+0xb3/0x10b ? mpi_free+0x131/0x170 print_address_description+0x79/0x2a0 ? mpi_free+0x131/0x170 kasan_report+0x236/0x340 ? akcipher_register_instance+0x90/0x90 __asan_report_load4_noabort+0x14/0x20 mpi_free+0x131/0x170 ? akcipher_register_instance+0x90/0x90 dh_exit_tfm+0x3d/0x140 crypto_kpp_exit_tfm+0x52/0x70 crypto_destroy_tfm+0xb3/0x250 __keyctl_dh_compute+0x640/0xe90 ? kasan_slab_free+0x12f/0x180 ? dh_data_from_key+0x240/0x240 ? key_create_or_update+0x1ee/0xb20 ? key_instantiate_and_link+0x440/0x440 ? lock_contended+0xee0/0xee0 ? kfree+0xcf/0x210 ? SyS_add_key+0x268/0x340 keyctl_dh_compute+0xb3/0xf1 ? __keyctl_dh_compute+0xe90/0xe90 ? SyS_add_key+0x26d/0x340 ? entry_SYSCALL_64_fastpath+0x5/0xbe ? trace_hardirqs_on_caller+0x3f4/0x560 SyS_keyctl+0x72/0x2c0 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x43ccf9 RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9 RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017 RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936 R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
Allocated by task 367: save_stack_trace+0x16/0x20 kasan_kmalloc+0xeb/0x180 kmem_cache_alloc_trace+0x114/0x300 mpi_alloc+0x4b/0x230 mpi_read_raw_data+0xbe/0x360 dh_set_secret+0x1dc/0x460 __keyctl_dh_compute+0x623/0xe90 keyctl_dh_compute+0xb3/0xf1 SyS_keyctl+0x72/0x2c0 entry_SYSCALL_64_fastpath+0x1f/0xbe
Freed by task 367: save_stack_trace+0x16/0x20 kasan_slab_free+0xab/0x180 kfree+0xb5/0x210 mpi_free+0xcb/0x170 dh_set_secret+0x2d7/0x460 __keyctl_dh_compute+0x623/0xe90 keyctl_dh_compute+0xb3/0xf1 SyS_keyctl+0x72/0x2c0 entry_SYSCALL_64_fastpath+0x1f/0xbe
Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") Signed-off-by: Eric Biggers ebiggers@google.com Reviewed-by: Tudor Ambarus tudor.ambarus@microchip.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- crypto/dh.c | 33 +++++++++++++-------------------- 1 file changed, 13 insertions(+), 20 deletions(-)
--- a/crypto/dh.c +++ b/crypto/dh.c @@ -21,19 +21,12 @@ struct dh_ctx { MPI xa; };
-static inline void dh_clear_params(struct dh_ctx *ctx) +static void dh_clear_ctx(struct dh_ctx *ctx) { mpi_free(ctx->p); mpi_free(ctx->g); - ctx->p = NULL; - ctx->g = NULL; -} - -static void dh_free_ctx(struct dh_ctx *ctx) -{ - dh_clear_params(ctx); mpi_free(ctx->xa); - ctx->xa = NULL; + memset(ctx, 0, sizeof(*ctx)); }
/* @@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx * return -EINVAL;
ctx->g = mpi_read_raw_data(params->g, params->g_size); - if (!ctx->g) { - mpi_free(ctx->p); + if (!ctx->g) return -EINVAL; - }
return 0; } @@ -86,21 +77,23 @@ static int dh_set_secret(struct crypto_k struct dh params;
/* Free the old MPI key if any */ - dh_free_ctx(ctx); + dh_clear_ctx(ctx);
if (crypto_dh_decode_key(buf, len, ¶ms) < 0) - return -EINVAL; + goto err_clear_ctx;
if (dh_set_params(ctx, ¶ms) < 0) - return -EINVAL; + goto err_clear_ctx;
ctx->xa = mpi_read_raw_data(params.key, params.key_size); - if (!ctx->xa) { - dh_clear_params(ctx); - return -EINVAL; - } + if (!ctx->xa) + goto err_clear_ctx;
return 0; + +err_clear_ctx: + dh_clear_ctx(ctx); + return -EINVAL; }
static int dh_compute_value(struct kpp_request *req) @@ -158,7 +151,7 @@ static void dh_exit_tfm(struct crypto_kp { struct dh_ctx *ctx = dh_get_ctx(tfm);
- dh_free_ctx(ctx); + dh_clear_ctx(ctx); }
static struct kpp_alg dh = {
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit 199512b1234f09e44d592153ec82b44212b2f0c4 upstream.
If 'p' is 0 for the software Diffie-Hellman implementation, then dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes ZERO_SIZE_PTR to be passed to sg_init_one(), which with CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in sg_set_buf().
Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes no sense for any DH implementation because 'p' is supposed to be a prime number. Moreover, 'mod 0' is not mathematically defined.
Bug report:
kernel BUG at ./include/linux/scatterlist.h:140! invalid opcode: 0000 [#1] SMP KASAN CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014 task: ffff88006caac0c0 task.stack: ffff88006c7c8000 RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline] RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216 RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0 RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30 R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30 R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50 FS: 00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0 Call Trace: __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360 keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434 SYSC_keyctl security/keys/keyctl.c:1745 [inline] SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x4585c9 RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9 RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017 RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000 Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20 RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08 RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08
Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation") Reviewed-by: Tudor Ambarus tudor.ambarus@microchip.com Signed-off-by: Eric Biggers ebiggers@google.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- crypto/dh_helper.c | 8 ++++++++ 1 file changed, 8 insertions(+)
--- a/crypto/dh_helper.c +++ b/crypto/dh_helper.c @@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf params->p = (void *)(ptr + params->key_size); params->g = (void *)(ptr + params->key_size + params->p_size);
+ /* + * Don't permit 'p' to be 0. It's not a prime number, and it's subject + * to corner cases such as 'mod 0' being undefined or + * crypto_kpp_maxsize() returning 0. + */ + if (memchr_inv(params->p, 0, params->p_size) == NULL) + return -EINVAL; + return 0; } EXPORT_SYMBOL_GPL(crypto_dh_decode_key);
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Biggers ebiggers@google.com
commit ccd9888f14a8019c0bbdeeae758aba1f58693712 upstream.
The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied into a buffer with size 'p_size'. However it was never checked that that was actually the case, which most likely allowed users to cause a buffer underflow via KEYCTL_DH_COMPUTE.
Fix this by updating crypto_dh_decode_key() to verify this precondition for all DH implementations.
Fixes: c9839143ebbf ("crypto: qat - Add DH support") Signed-off-by: Eric Biggers ebiggers@google.com Reviewed-by: Tudor Ambarus tudor.ambarus@microchip.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- crypto/dh_helper.c | 8 ++++++++ 1 file changed, 8 insertions(+)
--- a/crypto/dh_helper.c +++ b/crypto/dh_helper.c @@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf if (secret.len != crypto_dh_key_len(params)) return -EINVAL;
+ /* + * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since + * some drivers assume otherwise. + */ + if (params->key_size > params->p_size || + params->g_size > params->p_size) + return -EINVAL; + /* Don't allocate memory. Set pointers to data within * the given buffer */
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: raveendra padasalagi raveendra.padasalagi@broadcom.com
commit f0e2ce58f853634d7ad1a418a49bd5fbd556227c upstream.
Add support to explicity ACK mailbox message because after sending message we can know the send status via error attribute of brcm_message.
This is needed to support "txdone_ack" supported in mailbox controller driver.
Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi raveendra.padasalagi@broadcom.com Reviewed-by: Anup Patel anup.patel@broadcom.com Reviewed-by: Scott Branden scott.branden@broadcom.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/crypto/bcm/cipher.c | 101 ++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 55 deletions(-)
--- a/drivers/crypto/bcm/cipher.c +++ b/drivers/crypto/bcm/cipher.c @@ -258,6 +258,44 @@ spu_ablkcipher_tx_sg_create(struct brcm_ return 0; }
+static int mailbox_send_message(struct brcm_message *mssg, u32 flags, + u8 chan_idx) +{ + int err; + int retry_cnt = 0; + struct device *dev = &(iproc_priv.pdev->dev); + + err = mbox_send_message(iproc_priv.mbox[chan_idx], mssg); + if (flags & CRYPTO_TFM_REQ_MAY_SLEEP) { + while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { + /* + * Mailbox queue is full. Since MAY_SLEEP is set, assume + * not in atomic context and we can wait and try again. + */ + retry_cnt++; + usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); + err = mbox_send_message(iproc_priv.mbox[chan_idx], + mssg); + atomic_inc(&iproc_priv.mb_no_spc); + } + } + if (err < 0) { + atomic_inc(&iproc_priv.mb_send_fail); + return err; + } + + /* Check error returned by mailbox controller */ + err = mssg->error; + if (unlikely(err < 0)) { + dev_err(dev, "message error %d", err); + /* Signal txdone for mailbox channel */ + } + + /* Signal txdone for mailbox channel */ + mbox_client_txdone(iproc_priv.mbox[chan_idx], err); + return err; +} + /** * handle_ablkcipher_req() - Submit as much of a block cipher request as fits in * a single SPU request message, starting at the current position in the request @@ -295,7 +333,6 @@ static int handle_ablkcipher_req(struct u32 pad_len; /* total length of all padding */ bool update_key = false; struct brcm_message *mssg; /* mailbox message */ - int retry_cnt = 0;
/* number of entries in src and dst sg in mailbox message. */ u8 rx_frag_num = 2; /* response header and STATUS */ @@ -464,24 +501,9 @@ static int handle_ablkcipher_req(struct if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); - if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { - while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { - /* - * Mailbox queue is full. Since MAY_SLEEP is set, assume - * not in atomic context and we can wait and try again. - */ - retry_cnt++; - usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); - err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], - mssg); - atomic_inc(&iproc_priv.mb_no_spc); - } - } - if (unlikely(err < 0)) { - atomic_inc(&iproc_priv.mb_send_fail); + err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); + if (unlikely(err < 0)) return err; - }
return -EINPROGRESS; } @@ -712,7 +734,6 @@ static int handle_ahash_req(struct iproc u32 spu_hdr_len; unsigned int digestsize; u16 rem = 0; - int retry_cnt = 0;
/* * number of entries in src and dst sg. Always includes SPU msg header. @@ -906,24 +927,10 @@ static int handle_ahash_req(struct iproc if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); - if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { - while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { - /* - * Mailbox queue is full. Since MAY_SLEEP is set, assume - * not in atomic context and we can wait and try again. - */ - retry_cnt++; - usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); - err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], - mssg); - atomic_inc(&iproc_priv.mb_no_spc); - } - } - if (err < 0) { - atomic_inc(&iproc_priv.mb_send_fail); + err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); + if (unlikely(err < 0)) return err; - } + return -EINPROGRESS; }
@@ -1322,7 +1329,6 @@ static int handle_aead_req(struct iproc_ int assoc_nents = 0; bool incl_icv = false; unsigned int digestsize = ctx->digestsize; - int retry_cnt = 0;
/* number of entries in src and dst sg. Always includes SPU msg header. */ @@ -1560,24 +1566,9 @@ static int handle_aead_req(struct iproc_ if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg); - if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) { - while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) { - /* - * Mailbox queue is full. Since MAY_SLEEP is set, assume - * not in atomic context and we can wait and try again. - */ - retry_cnt++; - usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX); - err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], - mssg); - atomic_inc(&iproc_priv.mb_no_spc); - } - } - if (err < 0) { - atomic_inc(&iproc_priv.mb_send_fail); + err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx); + if (unlikely(err < 0)) return err; - }
return -EINPROGRESS; } @@ -4534,7 +4525,7 @@ static int spu_mb_init(struct device *de mcl->dev = dev; mcl->tx_block = false; mcl->tx_tout = 0; - mcl->knows_txdone = false; + mcl->knows_txdone = true; mcl->rx_callback = spu_rx_callback; mcl->tx_done = NULL;
Nope, this patch breaks the build as it relies on a previous patch that is not in 4.13-stable, so I'm dropping it. If anyone wants it there, well, it really feels like it shouldn't be included in a stable tree anyway...
thanks,
greg k-h
On Sun, Nov 19, 2017 at 03:43:54PM +0100, Greg Kroah-Hartman wrote:
4.13-stable review patch. If anyone has any objections, please let me know.
From: raveendra padasalagi raveendra.padasalagi@broadcom.com
commit f0e2ce58f853634d7ad1a418a49bd5fbd556227c upstream.
Add support to explicity ACK mailbox message because after sending message we can know the send status via error attribute of brcm_message.
This is needed to support "txdone_ack" supported in mailbox controller driver.
Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi raveendra.padasalagi@broadcom.com Reviewed-by: Anup Patel anup.patel@broadcom.com Reviewed-by: Scott Branden scott.branden@broadcom.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/crypto/bcm/cipher.c | 101 ++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 55 deletions(-)
--- a/drivers/crypto/bcm/cipher.c +++ b/drivers/crypto/bcm/cipher.c @@ -258,6 +258,44 @@ spu_ablkcipher_tx_sg_create(struct brcm_ return 0; } +static int mailbox_send_message(struct brcm_message *mssg, u32 flags,
u8 chan_idx)+{
- int err;
- int retry_cnt = 0;
- struct device *dev = &(iproc_priv.pdev->dev);
- err = mbox_send_message(iproc_priv.mbox[chan_idx], mssg);
- if (flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}- }
- if (err < 0) {
atomic_inc(&iproc_priv.mb_send_fail);return err;- }
- /* Check error returned by mailbox controller */
- err = mssg->error;
- if (unlikely(err < 0)) {
dev_err(dev, "message error %d", err);/* Signal txdone for mailbox channel */- }
- /* Signal txdone for mailbox channel */
- mbox_client_txdone(iproc_priv.mbox[chan_idx], err);
- return err;
+}
/**
- handle_ablkcipher_req() - Submit as much of a block cipher request as fits in
- a single SPU request message, starting at the current position in the request
@@ -295,7 +333,6 @@ static int handle_ablkcipher_req(struct u32 pad_len; /* total length of all padding */ bool update_key = false; struct brcm_message *mssg; /* mailbox message */
- int retry_cnt = 0;
/* number of entries in src and dst sg in mailbox message. */ u8 rx_frag_num = 2; /* response header and STATUS */ @@ -464,24 +501,9 @@ static int handle_ablkcipher_req(struct if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}- }
- if (unlikely(err < 0)) {
atomic_inc(&iproc_priv.mb_send_fail);
- err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
- if (unlikely(err < 0)) return err;
- }
return -EINPROGRESS; } @@ -712,7 +734,6 @@ static int handle_ahash_req(struct iproc u32 spu_hdr_len; unsigned int digestsize; u16 rem = 0;
- int retry_cnt = 0;
/* * number of entries in src and dst sg. Always includes SPU msg header. @@ -906,24 +927,10 @@ static int handle_ahash_req(struct iproc if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}- }
- if (err < 0) {
atomic_inc(&iproc_priv.mb_send_fail);
- err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
- if (unlikely(err < 0)) return err;
- }
- return -EINPROGRESS;
} @@ -1322,7 +1329,6 @@ static int handle_aead_req(struct iproc_ int assoc_nents = 0; bool incl_icv = false; unsigned int digestsize = ctx->digestsize;
- int retry_cnt = 0;
/* number of entries in src and dst sg. Always includes SPU msg header. */ @@ -1560,24 +1566,9 @@ static int handle_aead_req(struct iproc_ if (err) return err;
- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}- }
- if (err < 0) {
atomic_inc(&iproc_priv.mb_send_fail);
- err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
- if (unlikely(err < 0)) return err;
- }
return -EINPROGRESS; } @@ -4534,7 +4525,7 @@ static int spu_mb_init(struct device *de mcl->dev = dev; mcl->tx_block = false; mcl->tx_tout = 0;
- mcl->knows_txdone = false;
- mcl->knows_txdone = true; mcl->rx_callback = spu_rx_callback; mcl->tx_done = NULL;
Hi Greg,
Thanks for notifying the issue. This patch is supposed to be applied on top of the below patch
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?h...
which is not present in stable, I missed to keep stable mailing list in cc when this patch sent. It's ok if you drop this patch for now in 4.13-stable.
For 4.14 stable release we need the current patch and the dependent patch is already present in 4.14.
Regards, Raveendra On Tue, Nov 21, 2017 at 1:21 PM, Greg Kroah-Hartman gregkh@linuxfoundation.org wrote:
Nope, this patch breaks the build as it relies on a previous patch that is not in 4.13-stable, so I'm dropping it. If anyone wants it there, well, it really feels like it shouldn't be included in a stable tree anyway...
thanks,
greg k-h
On Sun, Nov 19, 2017 at 03:43:54PM +0100, Greg Kroah-Hartman wrote:
4.13-stable review patch. If anyone has any objections, please let me know.
From: raveendra padasalagi raveendra.padasalagi@broadcom.com
commit f0e2ce58f853634d7ad1a418a49bd5fbd556227c upstream.
Add support to explicity ACK mailbox message because after sending message we can know the send status via error attribute of brcm_message.
This is needed to support "txdone_ack" supported in mailbox controller driver.
Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver") Signed-off-by: Raveendra Padasalagi raveendra.padasalagi@broadcom.com Reviewed-by: Anup Patel anup.patel@broadcom.com Reviewed-by: Scott Branden scott.branden@broadcom.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
drivers/crypto/bcm/cipher.c | 101 ++++++++++++++++++++------------------------ 1 file changed, 46 insertions(+), 55 deletions(-)
--- a/drivers/crypto/bcm/cipher.c +++ b/drivers/crypto/bcm/cipher.c @@ -258,6 +258,44 @@ spu_ablkcipher_tx_sg_create(struct brcm_ return 0; }
+static int mailbox_send_message(struct brcm_message *mssg, u32 flags,
u8 chan_idx)+{
int err;int retry_cnt = 0;struct device *dev = &(iproc_priv.pdev->dev);err = mbox_send_message(iproc_priv.mbox[chan_idx], mssg);if (flags & CRYPTO_TFM_REQ_MAY_SLEEP) {while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}}if (err < 0) {atomic_inc(&iproc_priv.mb_send_fail);return err;}/* Check error returned by mailbox controller */err = mssg->error;if (unlikely(err < 0)) {dev_err(dev, "message error %d", err);/* Signal txdone for mailbox channel */}/* Signal txdone for mailbox channel */mbox_client_txdone(iproc_priv.mbox[chan_idx], err);return err;+}
/**
- handle_ablkcipher_req() - Submit as much of a block cipher request as fits in
- a single SPU request message, starting at the current position in the request
@@ -295,7 +333,6 @@ static int handle_ablkcipher_req(struct u32 pad_len; /* total length of all padding */ bool update_key = false; struct brcm_message *mssg; /* mailbox message */
int retry_cnt = 0; /* number of entries in src and dst sg in mailbox message. */ u8 rx_frag_num = 2; /* response header and STATUS */@@ -464,24 +501,9 @@ static int handle_ablkcipher_req(struct if (err) return err;
err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}}if (unlikely(err < 0)) {atomic_inc(&iproc_priv.mb_send_fail);
err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);if (unlikely(err < 0)) return err;
} return -EINPROGRESS;} @@ -712,7 +734,6 @@ static int handle_ahash_req(struct iproc u32 spu_hdr_len; unsigned int digestsize; u16 rem = 0;
int retry_cnt = 0; /* * number of entries in src and dst sg. Always includes SPU msg header.@@ -906,24 +927,10 @@ static int handle_ahash_req(struct iproc if (err) return err;
err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}}if (err < 0) {atomic_inc(&iproc_priv.mb_send_fail);
err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);if (unlikely(err < 0)) return err;
}
return -EINPROGRESS;}
@@ -1322,7 +1329,6 @@ static int handle_aead_req(struct iproc_ int assoc_nents = 0; bool incl_icv = false; unsigned int digestsize = ctx->digestsize;
int retry_cnt = 0; /* number of entries in src and dst sg. Always includes SPU msg header. */@@ -1560,24 +1566,9 @@ static int handle_aead_req(struct iproc_ if (err) return err;
err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {/** Mailbox queue is full. Since MAY_SLEEP is set, assume* not in atomic context and we can wait and try again.*/retry_cnt++;usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],mssg);atomic_inc(&iproc_priv.mb_no_spc);}}if (err < 0) {atomic_inc(&iproc_priv.mb_send_fail);
err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);if (unlikely(err < 0)) return err;
} return -EINPROGRESS;} @@ -4534,7 +4525,7 @@ static int spu_mb_init(struct device *de mcl->dev = dev; mcl->tx_block = false; mcl->tx_tout = 0;
mcl->knows_txdone = false;
mcl->knows_txdone = true; mcl->rx_callback = spu_rx_callback; mcl->tx_done = NULL;
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu baolu.lu@linux.intel.com
commit c67678ec78eff9cf1e7e997fe6c37c9fcccfc5b8 upstream.
The DbC register set defines an interface for system software to specify the vendor id and product id for the debug device. These two values will be presented by the debug device in its device descriptor idVendor and idProduct fields.
The current used product ID is a place holder. We now have a valid one. The description strings are changed accordingly.
This patch should be back-ported to kernels as old as v4.12, that contain the commit aeb9dd1de98c ("usb/early: Add driver for xhci debug capability").
Signed-off-by: Lu Baolu baolu.lu@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/early/xhci-dbc.h | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/usb/early/xhci-dbc.h +++ b/drivers/usb/early/xhci-dbc.h @@ -90,8 +90,8 @@ struct xdbc_context {
#define XDBC_INFO_CONTEXT_SIZE 48 #define XDBC_MAX_STRING_LENGTH 64 -#define XDBC_STRING_MANUFACTURER "Linux" -#define XDBC_STRING_PRODUCT "Remote GDB" +#define XDBC_STRING_MANUFACTURER "Linux Foundation" +#define XDBC_STRING_PRODUCT "Linux USB GDB Target" #define XDBC_STRING_SERIAL "0001"
struct xdbc_strings { @@ -103,7 +103,7 @@ struct xdbc_strings {
#define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */ #define XDBC_VENDOR_ID 0x1d6b /* Linux Foundation 0x1d6b */ -#define XDBC_PRODUCT_ID 0x0004 /* __le16 idProduct; device 0004 */ +#define XDBC_PRODUCT_ID 0x0011 /* __le16 idProduct; device 0011 */ #define XDBC_DEVICE_REV 0x0010 /* 0.10 */
/*
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alan Stern stern@rowland.harvard.edu
commit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream.
The USB kerneldoc says that the actual_length field "is read in non-iso completion functions", but the usbfs driver uses it for all URB types in processcompl(). Since not all of the host controller drivers set actual_length for isochronous URBs, programs using usbfs with some host controllers don't work properly. For example, Minas reports that a USB camera controlled by libusb doesn't work properly with a dwc2 controller.
It doesn't seem worthwhile to change the HCDs and the documentation, since the in-kernel USB class drivers evidently don't rely on actual_length for isochronous transfers. The easiest solution is for usbfs to calculate the actual_length value for itself, by adding up the lengths of the individual packets in an isochronous transfer.
Signed-off-by: Alan Stern stern@rowland.harvard.edu CC: Minas Harutyunyan Minas.Harutyunyan@synopsys.com Reported-and-tested-by: wlf wulf@rock-chips.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/core/devio.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+)
--- a/drivers/usb/core/devio.c +++ b/drivers/usb/core/devio.c @@ -1833,6 +1833,18 @@ static int proc_unlinkurb(struct usb_dev return 0; }
+static void compute_isochronous_actual_length(struct urb *urb) +{ + unsigned int i; + + if (urb->number_of_packets > 0) { + urb->actual_length = 0; + for (i = 0; i < urb->number_of_packets; i++) + urb->actual_length += + urb->iso_frame_desc[i].actual_length; + } +} + static int processcompl(struct async *as, void __user * __user *arg) { struct urb *urb = as->urb; @@ -1840,6 +1852,7 @@ static int processcompl(struct async *as void __user *addr = as->userurb; unsigned int i;
+ compute_isochronous_actual_length(urb); if (as->userbuffer && urb->actual_length) { if (copy_urb_data_to_user(as->userbuffer, urb)) goto err_out; @@ -2008,6 +2021,7 @@ static int processcompl_compat(struct as void __user *addr = as->userurb; unsigned int i;
+ compute_isochronous_actual_length(urb); if (as->userbuffer && urb->actual_length) { if (copy_urb_data_to_user(as->userbuffer, urb)) return -EFAULT;
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bernhard Rosenkraenzer bernhard.rosenkranzer@linaro.org
commit a0fea6027f19c62727315aba1a7fae75a9caa842 upstream.
Without this patch, K70 LUX keyboards don't work, saying usb 3-3: unable to read config index 0 descriptor/all usb 3-3: can't read configurations, error -110 usb usb3-port3: unable to enumerate USB device
Signed-off-by: Bernhard Rosenkraenzer Bernhard.Rosenkranzer@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/core/quirks.c | 3 +++ 1 file changed, 3 insertions(+)
--- a/drivers/usb/core/quirks.c +++ b/drivers/usb/core/quirks.c @@ -221,6 +221,9 @@ static const struct usb_device_id usb_qu /* Corsair Strafe RGB */ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+ /* Corsair K70 LUX */ + { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT }, + /* MIDI keyboard WORLDE MINI */ { USB_DEVICE(0x1c75, 0x0204), .driver_info = USB_QUIRK_CONFIG_INTF_STRINGS },
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Gabbasov andrew_gabbasov@mentor.com
commit cdafb6d8b8da7fde266f79b3287ac221aa841879 upstream.
KASAN enabled configuration reports an error
BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ... Write of size 8 by task ...
This is observed after "ffs-test" is run and interrupted. If after that functionfs is unmounted and g_ffs module is unloaded, that use-after-free occurs during g_ffs module removal.
Although the report indicates ffs_free_inst() function, the actual use-after-free condition occurs in _ffs_free_dev() function, which is probably inlined into ffs_free_inst().
This happens due to keeping the ffs_data reference in device structure during functionfs unmounting, while ffs_data itself is freed as no longer needed. The fix is to clear that reference in ffs_closed() function, which is a counterpart of ffs_ready(), where the reference is stored.
Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference") Signed-off-by: Andrew Gabbasov andrew_gabbasov@mentor.com Acked-by: Felipe Balbi felipe.balbi@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/gadget/function/f_fs.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/gadget/function/f_fs.c +++ b/drivers/usb/gadget/function/f_fs.c @@ -3669,6 +3669,7 @@ static void ffs_closed(struct ffs_data * goto done;
ffs_obj->desc_ready = false; + ffs_obj->ffs_data = NULL;
if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) && ffs_obj->ffs_closed_callback)
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 2339536d229df25c71c0900fc619289229bfecf6 upstream.
Make sure to kill the interrupt-in URB after a failed open request. Apart from saving power (and avoiding stale input after a later successful open), this also prevents a NULL-deref in the completion handler if the port is manually unbound.
Reviewed-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.") Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/serial/metro-usb.c | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-)
--- a/drivers/usb/serial/metro-usb.c +++ b/drivers/usb/serial/metro-usb.c @@ -189,7 +189,7 @@ static int metrousb_open(struct tty_stru dev_err(&port->dev, "%s - failed submitting interrupt in urb, error code=%d\n", __func__, result); - goto exit; + return result; }
/* Send activate cmd to device */ @@ -198,9 +198,14 @@ static int metrousb_open(struct tty_stru dev_err(&port->dev, "%s - failed to configure device, error code=%d\n", __func__, result); - goto exit; + goto err_kill_urb; } -exit: + + return 0; + +err_kill_urb: + usb_kill_urb(port->interrupt_in_urb); + return result; }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu baolu.lu@linux.intel.com
commit 12f28144cf2cf69e1520e238eee7c384719ca44b upstream.
The product ID for "Linux USB GDB Target device" has been changed. Change the driver binding table accordingly.
This patch should be back-ported to kernels as old as v4.12, that contain the commit 57fb47279a04 ("usb/serial: Add DBC debug device support to usb_debug").
Cc: Johan Hovold johan@kernel.org Signed-off-by: Lu Baolu baolu.lu@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/serial/usb_debug.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/usb/serial/usb_debug.c +++ b/drivers/usb/serial/usb_debug.c @@ -34,13 +34,13 @@ static const struct usb_device_id id_tab };
static const struct usb_device_id dbc_id_table[] = { - { USB_DEVICE(0x1d6b, 0x0004) }, + { USB_DEVICE(0x1d6b, 0x0011) }, { }, };
static const struct usb_device_id id_table_combined[] = { { USB_DEVICE(0x0525, 0x127a) }, - { USB_DEVICE(0x1d6b, 0x0004) }, + { USB_DEVICE(0x1d6b, 0x0011) }, { }, }; MODULE_DEVICE_TABLE(usb, id_table_combined);
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Fischer douglas.fischer@outlook.com
commit 771394a54148f18926ca86414e51c69eda27d0cd upstream.
Add USB PID/VID for Sierra Wireless EM7355 LTE modem QDL firmware update mode.
Signed-off-by: Douglas Fischer douglas.fischer@outlook.com Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/serial/qcserial.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/qcserial.c +++ b/drivers/usb/serial/qcserial.c @@ -148,6 +148,7 @@ static const struct usb_device_id id_tab {DEVICE_SWI(0x1199, 0x68a2)}, /* Sierra Wireless MC7710 */ {DEVICE_SWI(0x1199, 0x68c0)}, /* Sierra Wireless MC7304/MC7354 */ {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */ + {DEVICE_SWI(0x1199, 0x901e)}, /* Sierra Wireless EM7355 QDL */ {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */ {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */ {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 upstream.
Make sure to stop any submitted interrupt and bulk-out URBs before returning after failed probe and when the port is being unbound to avoid later NULL-pointer dereferences in the completion callbacks.
Also fix up the related and broken I/O cancellation on failed open and on close. (Note that port->write_urb was never submitted.)
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/serial/garmin_gps.c | 16 +++++++++++++--- 1 file changed, 13 insertions(+), 3 deletions(-)
--- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -138,6 +138,7 @@ struct garmin_data { __u8 privpkt[4*6]; spinlock_t lock; struct list_head pktlist; + struct usb_anchor write_urbs; };
@@ -905,7 +906,7 @@ static int garmin_init_session(struct us sizeof(GARMIN_START_SESSION_REQ), 0);
if (status < 0) - break; + goto err_kill_urbs; }
if (status > 0) @@ -913,6 +914,12 @@ static int garmin_init_session(struct us }
return status; + +err_kill_urbs: + usb_kill_anchored_urbs(&garmin_data_p->write_urbs); + usb_kill_urb(port->interrupt_in_urb); + + return status; }
@@ -930,7 +937,6 @@ static int garmin_open(struct tty_struct spin_unlock_irqrestore(&garmin_data_p->lock, flags);
/* shutdown any bulk reads that might be going on */ - usb_kill_urb(port->write_urb); usb_kill_urb(port->read_urb);
if (garmin_data_p->state == STATE_RESET) @@ -953,7 +959,7 @@ static void garmin_close(struct usb_seri
/* shutdown our urbs */ usb_kill_urb(port->read_urb); - usb_kill_urb(port->write_urb); + usb_kill_anchored_urbs(&garmin_data_p->write_urbs);
/* keep reset state so we know that we must start a new session */ if (garmin_data_p->state != STATE_RESET) @@ -1037,12 +1043,14 @@ static int garmin_write_bulk(struct usb_ }
/* send it down the pipe */ + usb_anchor_urb(urb, &garmin_data_p->write_urbs); status = usb_submit_urb(urb, GFP_ATOMIC); if (status) { dev_err(&port->dev, "%s - usb_submit_urb(write bulk) failed with status = %d\n", __func__, status); count = status; + usb_unanchor_urb(urb); kfree(buffer); }
@@ -1401,6 +1409,7 @@ static int garmin_port_probe(struct usb_ garmin_data_p->state = 0; garmin_data_p->flags = 0; garmin_data_p->count = 0; + init_usb_anchor(&garmin_data_p->write_urbs); usb_set_serial_port_data(port, garmin_data_p);
status = garmin_init_session(port); @@ -1413,6 +1422,7 @@ static int garmin_port_remove(struct usb { struct garmin_data *garmin_data_p = usb_get_serial_port_data(port);
+ usb_kill_anchored_urbs(&garmin_data_p->write_urbs); usb_kill_urb(port->interrupt_in_urb); del_timer_sync(&garmin_data_p->timer); kfree(garmin_data_p);
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 74d471b598444b7f2d964930f7234779c80960a0 upstream.
Make sure to free the port private data before returning after a failed probe attempt.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Reviewed-by: Greg Kroah-Hartman gregkh@linuxfoundation.org Signed-off-by: Johan Hovold johan@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/usb/serial/garmin_gps.c | 6 ++++++ 1 file changed, 6 insertions(+)
--- a/drivers/usb/serial/garmin_gps.c +++ b/drivers/usb/serial/garmin_gps.c @@ -1413,6 +1413,12 @@ static int garmin_port_probe(struct usb_ usb_set_serial_port_data(port, garmin_data_p);
status = garmin_init_session(port); + if (status) + goto err_free; + + return 0; +err_free: + kfree(garmin_data_p);
return status; }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Lutomirski luto@kernel.org
commit 693cb5580fdb026922363aa103add64b3ecd572e upstream.
On new enough glibc, the pkey syscalls numbers are available. Check first before defining them to avoid warnings like:
protection_keys.c:198:0: warning: "SYS_pkey_alloc" redefined
Signed-off-by: Andy Lutomirski luto@kernel.org Cc: Borislav Petkov bpetkov@suse.de Cc: Dave Hansen dave.hansen@intel.com Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Link: http://lkml.kernel.org/r/1fbef53a9e6befb7165ff855fc1a7d4788a191d6.1509794321... Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- tools/testing/selftests/x86/protection_keys.c | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-)
--- a/tools/testing/selftests/x86/protection_keys.c +++ b/tools/testing/selftests/x86/protection_keys.c @@ -188,17 +188,29 @@ void lots_o_noops_around_write(int *writ #define u64 uint64_t
#ifdef __i386__ -#define SYS_mprotect_key 380 -#define SYS_pkey_alloc 381 -#define SYS_pkey_free 382 + +#ifndef SYS_mprotect_key +# define SYS_mprotect_key 380 +#endif +#ifndef SYS_pkey_alloc +# define SYS_pkey_alloc 381 +# define SYS_pkey_free 382 +#endif #define REG_IP_IDX REG_EIP #define si_pkey_offset 0x14 + #else -#define SYS_mprotect_key 329 -#define SYS_pkey_alloc 330 -#define SYS_pkey_free 331 + +#ifndef SYS_mprotect_key +# define SYS_mprotect_key 329 +#endif +#ifndef SYS_pkey_alloc +# define SYS_pkey_alloc 330 +# define SYS_pkey_free 331 +#endif #define REG_IP_IDX REG_RIP #define si_pkey_offset 0x20 + #endif
void dump_mem(void *dumpme, int len_bytes)
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yazen Ghannam yazen.ghannam@amd.com
commit d65dfc81bb3894fdb68cbc74bbf5fb48d2354071 upstream.
The AMD severity grading function was introduced in kernel 4.1. The current logic can possibly give MCE_AR_SEVERITY for uncorrectable errors in kernel context. The system may then get stuck in a loop as memory_failure() will try to handle the bad kernel memory and find it busy.
Return MCE_PANIC_SEVERITY for all UC errors IN_KERNEL context on AMD systems.
After:
b2f9d678e28c ("x86/mce: Check for faults tagged in EXTABLE_CLASS_FAULT exception table entries")
was accepted in v4.6, this issue was masked because of the tail-end attempt at kernel mode recovery in the #MC handler.
However, uncorrectable errors IN_KERNEL context should always be considered unrecoverable and cause a panic.
Signed-off-by: Yazen Ghannam yazen.ghannam@amd.com Signed-off-by: Borislav Petkov bp@suse.de Cc: Linus Torvalds torvalds@linux-foundation.org Cc: Peter Zijlstra peterz@infradead.org Cc: Thomas Gleixner tglx@linutronix.de Cc: Tony Luck tony.luck@intel.com Cc: linux-edac linux-edac@vger.kernel.org Fixes: bf80bbd7dcf5 (x86/mce: Add an AMD severities-grading function) Link: http://lkml.kernel.org/r/20171106174633.13576-1-bp@alien8.de Signed-off-by: Ingo Molnar mingo@kernel.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- arch/x86/kernel/cpu/mcheck/mce-severity.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-)
--- a/arch/x86/kernel/cpu/mcheck/mce-severity.c +++ b/arch/x86/kernel/cpu/mcheck/mce-severity.c @@ -245,6 +245,9 @@ static int mce_severity_amd(struct mce *
if (m->status & MCI_STATUS_UC) {
+ if (ctx == IN_KERNEL) + return MCE_PANIC_SEVERITY; + /* * On older systems where overflow_recov flag is not present, we * should simply panic if an error overflow occurs. If @@ -255,10 +258,6 @@ static int mce_severity_amd(struct mce * if (mce_flags.smca) return mce_severity_amd_smca(m, ctx);
- /* software can try to contain */ - if (!(m->mcgstatus & MCG_STATUS_RIPV) && (ctx == IN_KERNEL)) - return MCE_PANIC_SEVERITY; - /* kill current process */ return MCE_AR_SEVERITY; } else {
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede hdegoede@redhat.com
commit 3b95206110a2c13076c3a7fa8ddeae36c2dbcf42 upstream.
It seems that the WMI GUID used by the PEAQ 2-in-1 WMI hotkeys is not as unique as a GUID should be and is used on some other devices too.
This is causing spurious key-press reports on these other devices.
This commits adds a DMI check to the PEAQ 2-in-1 WMI hotkeys driver to ensure that it is actually running on a PEAQ 2-in-1, fixing the spurious key-presses on these other devices.
BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=1497861 BugLink: https://bugzilla.suse.com/attachment.cgi?id=743182 Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Andy Shevchenko andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/platform/x86/peaq-wmi.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+)
--- a/drivers/platform/x86/peaq-wmi.c +++ b/drivers/platform/x86/peaq-wmi.c @@ -8,6 +8,7 @@ */
#include <linux/acpi.h> +#include <linux/dmi.h> #include <linux/input-polldev.h> #include <linux/kernel.h> #include <linux/module.h> @@ -64,8 +65,22 @@ static void peaq_wmi_poll(struct input_p } }
+/* Some other devices (Shuttle XS35) use the same WMI GUID for other purposes */ +static const struct dmi_system_id peaq_dmi_table[] = { + { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "PEAQ"), + DMI_MATCH(DMI_PRODUCT_NAME, "PEAQ PMM C1010 MD99187"), + }, + }, +}; + static int __init peaq_wmi_init(void) { + /* WMI GUID is not unique, also check for a DMI match */ + if (!dmi_check_system(peaq_dmi_table)) + return -ENODEV; + if (!wmi_has_guid(PEAQ_DOLBY_BUTTON_GUID)) return -ENODEV;
@@ -86,6 +101,9 @@ static int __init peaq_wmi_init(void)
static void __exit peaq_wmi_exit(void) { + if (!dmi_check_system(peaq_dmi_table)) + return; + if (!wmi_has_guid(PEAQ_DOLBY_BUTTON_GUID)) return;
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede hdegoede@redhat.com
commit d6fa71f1c003fb2bc824276bb424a4171f9a717f upstream.
Add missing terminating entry to peaq_dmi_table.
Fixes: 3b95206110a2 ("platform/x86: peaq-wmi: Add DMI check before ...") Reported-by: Fengguang Wu fengguang.wu@intel.com Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Andy Shevchenko andriy.shevchenko@linux.intel.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/platform/x86/peaq-wmi.c | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/platform/x86/peaq-wmi.c +++ b/drivers/platform/x86/peaq-wmi.c @@ -73,6 +73,7 @@ static const struct dmi_system_id peaq_d DMI_MATCH(DMI_PRODUCT_NAME, "PEAQ PMM C1010 MD99187"), }, }, + {} };
static int __init peaq_wmi_init(void)
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gerecke killertofu@gmail.com
commit 885e89f601a52cc6fb025b009df58ba83d142734 upstream.
The WACOM_PEN_FIELD macro is used to determine if a given HID field should be associated with pen input. This field includes several known collection types that Wacom pen data is contained in, but the WACOM_HID_WD_PEN application collection type is notably missing. This can result in fields within this kind of collection being completely ignored by the `wacom_usage_mapping` function, preventing the later '*_event' functions from being notified about changes to their value.
Fixes: c9c095874a ("HID: wacom: generic: Support and use 'Custom HID' mode and usages") Fixes: ac2423c975 ("HID: wacom: generic: add vendor defined touch") Reviewed-by: Ping Cheng ping.cheng@wacom.com Reviewed-by: Benjamin Tissoires benjamin.tissoires@redhat.com Signed-off-by: Jason Gerecke jason.gerecke@wacom.com Signed-off-by: Jiri Kosina jkosina@suse.cz Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/hid/wacom_wac.h | 1 + 1 file changed, 1 insertion(+)
--- a/drivers/hid/wacom_wac.h +++ b/drivers/hid/wacom_wac.h @@ -166,6 +166,7 @@ ((f)->physical == HID_DG_PEN) || \ ((f)->application == HID_DG_PEN) || \ ((f)->application == HID_DG_DIGITIZER) || \ + ((f)->application == WACOM_HID_WD_PEN) || \ ((f)->application == WACOM_HID_WD_DIGITIZER) || \ ((f)->application == WACOM_HID_G9_PEN) || \ ((f)->application == WACOM_HID_G11_PEN))
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Shankar aditya.shankar@microchip.com
commit 1bbf6a6d4091affb27ec0a19d7aa7887ce72f610 upstream.
Commit 46949b48568b ("staging: wilc1000: New cfg packet format in handle_set_wfi_drv_handler") updated the frame format sent from host to the firmware. The code to update the bssid offset in the new frame was part of a second patch in the series which did not make it in and thus causes connection problems after associating to an AP.
This fix adds the proper offset of the bssid value in the Tx queue buffer to fix the connection issues.
Fixes: 46949b48568b ("staging: wilc1000: New cfg packet format in handle_set_wfi_drv_handler") Signed-off-by: Aditya Shankar Aditya.Shankar@microchip.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/wilc1000/wilc_wlan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/wilc1000/wilc_wlan.c +++ b/drivers/staging/wilc1000/wilc_wlan.c @@ -714,7 +714,7 @@ int wilc_wlan_handle_txq(struct net_devi char *bssid = ((struct tx_complete_data *)(tqe->priv))->bssid;
buffer_offset = ETH_ETHERNET_HDR_OFFSET; - memcpy(&txb[offset + 4], bssid, 6); + memcpy(&txb[offset + 8], bssid, 6); } else { buffer_offset = HOST_HDR_OFFSET; }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huacai Chen chenhc@lemote.com
commit 16808dcf605e6302319a8c3266789b76d4c0983b upstream.
In commit c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32 by inline functions"), POKE32 has been replaced by the inline function poke32. But it exchange the "addr" and "data" parameters by mistake, so fix it.
Fixes: c075b6f2d357ea9 ("staging: sm750fb: Replace POKE32 and PEEK32 by inline functions"), Signed-off-by: Huacai Chen chenhc@lemote.com Signed-off-by: Liangliang Huang huangll@lemote.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/sm750fb/ddk750_chip.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/sm750fb/ddk750_chip.h +++ b/drivers/staging/sm750fb/ddk750_chip.h @@ -17,7 +17,7 @@ static inline u32 peek32(u32 addr) return readl(addr + mmio750); }
-static inline void poke32(u32 data, u32 addr) +static inline void poke32(u32 addr, u32 data) { writel(data, addr + mmio750); }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gilad Ben-Yossef gilad@benyossef.com
commit e0b3f39092a1cff5548cbaf40096ec25e7721de6 upstream.
Fix a wrong offset used in splitting a 64 DMA address to MSB/LSB parts needed for scatter/gather HW descriptors causing operations relying on them to fail on 64 bit platforms.
Fixes: c6f7f2f4591f ("staging: ccree: refactor LLI access macros") Reported-by: Stuart Yoder stuart.yoder@arm.com Signed-off-by: Gilad Ben-Yossef gilad@benyossef.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/ccree/cc_lli_defs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/staging/ccree/cc_lli_defs.h +++ b/drivers/staging/ccree/cc_lli_defs.h @@ -59,7 +59,7 @@ static inline void cc_lli_set_addr(u32 * lli_p[LLI_WORD0_OFFSET] = (addr & U32_MAX); #ifdef CONFIG_ARCH_DMA_ADDR_T_64BIT lli_p[LLI_WORD1_OFFSET] &= ~LLI_HADDR_MASK; - lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 16)); + lli_p[LLI_WORD1_OFFSET] |= FIELD_PREP(LLI_HADDR_MASK, (addr >> 32)); #endif /* CONFIG_ARCH_DMA_ADDR_T_64BIT */ }
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold johan@kernel.org
commit 770b03c2ca4aa44d226cf248f86aa23e546147d0 upstream.
Remove erroneous spi_master_put() after controller deregistration which would access the already freed spi controller.
Note that spi_unregister_master() drops our only controller reference.
Fixes: ba3e67001b42 ("greybus: SPI: convert to a gpbridge driver") Signed-off-by: Johan Hovold johan@kernel.org Reviewed-by: Rui Miguel Silva rmfrfs@gmail.com Acked-by: Viresh Kumar viresh.kumar@linaro.org Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/greybus/spilib.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-)
--- a/drivers/staging/greybus/spilib.c +++ b/drivers/staging/greybus/spilib.c @@ -544,12 +544,15 @@ int gb_spilib_master_init(struct gb_conn
return 0;
-exit_spi_unregister: - spi_unregister_master(master); exit_spi_put: spi_master_put(master);
return ret; + +exit_spi_unregister: + spi_unregister_master(master); + + return ret; } EXPORT_SYMBOL_GPL(gb_spilib_master_init);
@@ -558,7 +561,6 @@ void gb_spilib_master_exit(struct gb_con struct spi_master *master = gb_connection_get_data(connection);
spi_unregister_master(master); - spi_master_put(master); } EXPORT_SYMBOL_GPL(gb_spilib_master_exit);
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede hdegoede@redhat.com
commit ce10d7b4e8e3574b9616e54a09d64521b9aeb8b6 upstream.
The x and y hints receives from the host are unsigned 32 bit integers and they get set to -1 (0xffffffff) when invalid. Before this commit the vboxvideo driver was storing them in an u16 causing the -1 to be truncated to 65535 which, once reported to userspace, was breaking gnome 3.26+ in Wayland mode.
This commit stores the host values in 32 bit variables, removing the truncation and checks for -1, replacing it with 0 as -1 is not a valid suggested-offset-property value. Likewise the properties are now initialized to 0 instead of -1, since -1 is not a valid value. This fixes gnome 3.26+ in Wayland mode not working with the vboxvideo driver.
Reported-by: Gianfranco Costamagna locutusofborg@debian.org Cc: Michael Thayer michael.thayer@oracle.com Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/vboxvideo/vbox_drv.h | 8 ++++---- drivers/staging/vboxvideo/vbox_irq.c | 4 ++-- drivers/staging/vboxvideo/vbox_mode.c | 26 ++++++++++++++++++-------- 3 files changed, 24 insertions(+), 14 deletions(-)
--- a/drivers/staging/vboxvideo/vbox_drv.h +++ b/drivers/staging/vboxvideo/vbox_drv.h @@ -137,8 +137,8 @@ struct vbox_connector { char name[32]; struct vbox_crtc *vbox_crtc; struct { - u16 width; - u16 height; + u32 width; + u32 height; bool disconnected; } mode_hint; }; @@ -150,8 +150,8 @@ struct vbox_crtc { unsigned int crtc_id; u32 fb_offset; bool cursor_enabled; - u16 x_hint; - u16 y_hint; + u32 x_hint; + u32 y_hint; };
struct vbox_encoder { --- a/drivers/staging/vboxvideo/vbox_irq.c +++ b/drivers/staging/vboxvideo/vbox_irq.c @@ -150,8 +150,8 @@ static void vbox_update_mode_hints(struc
disconnected = !(hints->enabled); crtc_id = vbox_conn->vbox_crtc->crtc_id; - vbox_conn->mode_hint.width = hints->cx & 0x8fff; - vbox_conn->mode_hint.height = hints->cy & 0x8fff; + vbox_conn->mode_hint.width = hints->cx; + vbox_conn->mode_hint.height = hints->cy; vbox_conn->vbox_crtc->x_hint = hints->dx; vbox_conn->vbox_crtc->y_hint = hints->dy; vbox_conn->mode_hint.disconnected = disconnected; --- a/drivers/staging/vboxvideo/vbox_mode.c +++ b/drivers/staging/vboxvideo/vbox_mode.c @@ -560,12 +560,22 @@ static int vbox_get_modes(struct drm_con ++num_modes; } vbox_set_edid(connector, preferred_width, preferred_height); - drm_object_property_set_value( - &connector->base, vbox->dev->mode_config.suggested_x_property, - vbox_connector->vbox_crtc->x_hint); - drm_object_property_set_value( - &connector->base, vbox->dev->mode_config.suggested_y_property, - vbox_connector->vbox_crtc->y_hint); + + if (vbox_connector->vbox_crtc->x_hint != -1) + drm_object_property_set_value(&connector->base, + vbox->dev->mode_config.suggested_x_property, + vbox_connector->vbox_crtc->x_hint); + else + drm_object_property_set_value(&connector->base, + vbox->dev->mode_config.suggested_x_property, 0); + + if (vbox_connector->vbox_crtc->y_hint != -1) + drm_object_property_set_value(&connector->base, + vbox->dev->mode_config.suggested_y_property, + vbox_connector->vbox_crtc->y_hint); + else + drm_object_property_set_value(&connector->base, + vbox->dev->mode_config.suggested_y_property, 0);
return num_modes; } @@ -650,9 +660,9 @@ static int vbox_connector_init(struct dr
drm_mode_create_suggested_offset_properties(dev); drm_object_attach_property(&connector->base, - dev->mode_config.suggested_x_property, -1); + dev->mode_config.suggested_x_property, 0); drm_object_attach_property(&connector->base, - dev->mode_config.suggested_y_property, -1); + dev->mode_config.suggested_y_property, 0); drm_connector_register(connector);
drm_mode_connector_attach_encoder(connector, encoder);
4.13-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede hdegoede@redhat.com
commit 66d32fdcbf03851724a8b551d490ae1ddfe6eef2 upstream.
Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into decrypt() and also place it after rtl88eu_mon_recv_hook()") breaks ARP.
After this commit ssh-ing to a laptop with r8188eu wifi no longer works if the machine connecting has never communicated with the laptop before. This is 100% reproducable using "arp -d <ipv4> && ssh <ipv4>" to ssh to a laptop with r8188eu wifi.
This commit reverts 4 commits in total:
1. Commit 79650ffde38e ("staging:r8188eu: trim IV/ICV fields in validate_recv_data_frame()") This commit depends on 2 of the other commits being reverted.
2. Commit 02b19b4c4920 ("staging:r8188eu: inline unprotect_frame() in mon_recv_decrypted_recv()") The inline code is wrong the un-inlined version contains: if (skb->len < hdr_len + iv_len + icv_len) return; ... Where as the inline-ed code introduced by this commit does: if (skb->len < hdr_len + iv_len + icv_len) { ... Note the same check, but now to actually continue doing ... instead of to not do it, so this commit is no good.
3. Commit d86e16da6a5d ("staging:r8188eu: use different mon_recv_decrypted() inside rtl88eu_mon_recv_hook() and rtl88eu_mon_xmit_hook().") This commit introduced a 1:1 copy of a function so that one of the 2 copies can be modified in the 2 commits we're already reverting.
4. Commit 2ba8444c97b1 ("staging:r8188eu: move IV/ICV trimming into decrypt() and also place it after rtl88eu_mon_recv_hook()") This is the commit actually breaking ARP.
Note this commit is a straight-forward squash of the revert of these 4 commits, without any changes.
Cc: Ivan Safonov insafonov@gmail.com Signed-off-by: Hans de Goede hdegoede@redhat.com Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- drivers/staging/rtl8188eu/core/rtw_recv.c | 83 ++++++++++++++++++------------ drivers/staging/rtl8188eu/os_dep/mon.c | 34 +----------- 2 files changed, 55 insertions(+), 62 deletions(-)
--- a/drivers/staging/rtl8188eu/core/rtw_recv.c +++ b/drivers/staging/rtl8188eu/core/rtw_recv.c @@ -259,10 +259,12 @@ static int recvframe_chkmic(struct adapt }
/* icv_len included the mic code */ - datalen = precvframe->pkt->len-prxattrib->hdrlen - 8; + datalen = precvframe->pkt->len-prxattrib->hdrlen - + prxattrib->iv_len-prxattrib->icv_len-8; pframe = precvframe->pkt->data; - payload = pframe+prxattrib->hdrlen; + payload = pframe+prxattrib->hdrlen+prxattrib->iv_len;
+ RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n prxattrib->iv_len=%d prxattrib->icv_len=%d\n", prxattrib->iv_len, prxattrib->icv_len)); rtw_seccalctkipmic(mickey, pframe, payload, datalen, &miccode[0], (unsigned char)prxattrib->priority); /* care the length of the data */
@@ -407,15 +409,9 @@ static struct recv_frame *decryptor(stru default: break; } - if (res != _FAIL) { - memmove(precv_frame->pkt->data + precv_frame->attrib.iv_len, precv_frame->pkt->data, precv_frame->attrib.hdrlen); - skb_pull(precv_frame->pkt, precv_frame->attrib.iv_len); - skb_trim(precv_frame->pkt, precv_frame->pkt->len - precv_frame->attrib.icv_len); - } } else if (prxattrib->bdecrypted == 1 && prxattrib->encrypt > 0 && - (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_)) { - psecuritypriv->hw_decrypted = true; - } + (psecuritypriv->busetkipkey == 1 || prxattrib->encrypt != _TKIP_)) + psecuritypriv->hw_decrypted = true;
if (res == _FAIL) { rtw_free_recvframe(return_packet, &padapter->recvpriv.free_recv_queue); @@ -456,7 +452,7 @@ static struct recv_frame *portctrl(struc
if (auth_alg == 2) { /* get ether_type */ - ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE; + ptr = ptr + pfhdr->attrib.hdrlen + LLC_HEADER_SIZE + pfhdr->attrib.iv_len; memcpy(&be_tmp, ptr, 2); ether_type = ntohs(be_tmp);
@@ -1138,8 +1134,6 @@ static int validate_recv_data_frame(stru }
if (pattrib->privacy) { - struct sk_buff *skb = precv_frame->pkt; - RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("validate_recv_data_frame:pattrib->privacy=%x\n", pattrib->privacy)); RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n ^^^^^^^^^^^IS_MCAST(pattrib->ra(0x%02x))=%d^^^^^^^^^^^^^^^6\n", pattrib->ra[0], IS_MCAST(pattrib->ra)));
@@ -1148,13 +1142,6 @@ static int validate_recv_data_frame(stru RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("\n pattrib->encrypt=%d\n", pattrib->encrypt));
SET_ICE_IV_LEN(pattrib->iv_len, pattrib->icv_len, pattrib->encrypt); - - if (pattrib->bdecrypted == 1 && pattrib->encrypt > 0) { - memmove(skb->data + pattrib->iv_len, - skb->data, pattrib->hdrlen); - skb_pull(skb, pattrib->iv_len); - skb_trim(skb, skb->len - pattrib->icv_len); - } } else { pattrib->encrypt = 0; pattrib->iv_len = 0; @@ -1274,7 +1261,6 @@ static int validate_recv_frame(struct ad * Hence forward the frame to the monitor anyway to preserve the order * in which frames were received. */ - rtl88eu_mon_recv_hook(adapter->pmondev, precv_frame);
exit: @@ -1296,8 +1282,11 @@ static int wlanhdr_to_ethhdr(struct recv u8 *ptr = precvframe->pkt->data; struct rx_pkt_attrib *pattrib = &precvframe->attrib;
- psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen); - psnap_type = ptr+pattrib->hdrlen + SNAP_SIZE; + if (pattrib->encrypt) + skb_trim(precvframe->pkt, precvframe->pkt->len - pattrib->icv_len); + + psnap = (struct ieee80211_snap_hdr *)(ptr+pattrib->hdrlen + pattrib->iv_len); + psnap_type = ptr+pattrib->hdrlen + pattrib->iv_len+SNAP_SIZE; /* convert hdr + possible LLC headers into Ethernet header */ if ((!memcmp(psnap, rtw_rfc1042_header, SNAP_SIZE) && (!memcmp(psnap_type, SNAP_ETH_TYPE_IPX, 2) == false) && @@ -1310,9 +1299,12 @@ static int wlanhdr_to_ethhdr(struct recv bsnaphdr = false; }
- rmv_len = pattrib->hdrlen + (bsnaphdr ? SNAP_SIZE : 0); + rmv_len = pattrib->hdrlen + pattrib->iv_len + (bsnaphdr ? SNAP_SIZE : 0); len = precvframe->pkt->len - rmv_len;
+ RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, + ("\n===pattrib->hdrlen: %x, pattrib->iv_len:%x===\n\n", pattrib->hdrlen, pattrib->iv_len)); + memcpy(&be_tmp, ptr+rmv_len, 2); eth_type = ntohs(be_tmp); /* pattrib->ether_type */ pattrib->eth_type = eth_type; @@ -1337,6 +1329,7 @@ static struct recv_frame *recvframe_defr struct __queue *defrag_q) { struct list_head *plist, *phead; + u8 wlanhdr_offset; u8 curfragnum; struct recv_frame *pfhdr, *pnfhdr; struct recv_frame *prframe, *pnextrframe; @@ -1385,7 +1378,12 @@ static struct recv_frame *recvframe_defr /* copy the 2nd~n fragment frame's payload to the first fragment */ /* get the 2nd~last fragment frame's payload */
- skb_pull(pnextrframe->pkt, pnfhdr->attrib.hdrlen); + wlanhdr_offset = pnfhdr->attrib.hdrlen + pnfhdr->attrib.iv_len; + + skb_pull(pnextrframe->pkt, wlanhdr_offset); + + /* append to first fragment frame's tail (if privacy frame, pull the ICV) */ + skb_trim(prframe->pkt, prframe->pkt->len - pfhdr->attrib.icv_len);
/* memcpy */ memcpy(skb_tail_pointer(pfhdr->pkt), pnfhdr->pkt->data, @@ -1393,7 +1391,7 @@ static struct recv_frame *recvframe_defr
skb_put(prframe->pkt, pnfhdr->pkt->len);
- pfhdr->attrib.icv_len = 0; + pfhdr->attrib.icv_len = pnfhdr->attrib.icv_len; plist = plist->next; }
@@ -1519,6 +1517,11 @@ static int amsdu_to_msdu(struct adapter nr_subframes = 0; pattrib = &prframe->attrib;
+ skb_pull(prframe->pkt, prframe->attrib.hdrlen); + + if (prframe->attrib.iv_len > 0) + skb_pull(prframe->pkt, prframe->attrib.iv_len); + a_len = prframe->pkt->len;
pdata = prframe->pkt->data; @@ -1887,6 +1890,24 @@ static int process_recv_indicatepkts(str return retval; }
+static int recv_func_prehandle(struct adapter *padapter, + struct recv_frame *rframe) +{ + int ret = _SUCCESS; + struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue; + + /* check the frame crtl field and decache */ + ret = validate_recv_frame(padapter, rframe); + if (ret != _SUCCESS) { + RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n")); + rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */ + goto exit; + } + +exit: + return ret; +} + static int recv_func_posthandle(struct adapter *padapter, struct recv_frame *prframe) { @@ -1939,7 +1960,6 @@ static int recv_func(struct adapter *pad struct rx_pkt_attrib *prxattrib = &rframe->attrib; struct security_priv *psecuritypriv = &padapter->securitypriv; struct mlme_priv *mlmepriv = &padapter->mlmepriv; - struct __queue *pfree_recv_queue = &padapter->recvpriv.free_recv_queue;
/* check if need to handle uc_swdec_pending_queue*/ if (check_fwstate(mlmepriv, WIFI_STATION_STATE) && psecuritypriv->busetkipkey) { @@ -1951,12 +1971,9 @@ static int recv_func(struct adapter *pad } }
- /* check the frame crtl field and decache */ - ret = validate_recv_frame(padapter, rframe); - if (ret != _SUCCESS) { - RT_TRACE(_module_rtl871x_recv_c_, _drv_info_, ("recv_func: validate_recv_frame fail! drop pkt\n")); - rtw_free_recvframe(rframe, pfree_recv_queue);/* free this recv_frame */ - } else { + ret = recv_func_prehandle(padapter, rframe); + + if (ret == _SUCCESS) { /* check if need to enqueue into uc_swdec_pending_queue*/ if (check_fwstate(mlmepriv, WIFI_STATION_STATE) && !IS_MCAST(prxattrib->ra) && prxattrib->encrypt > 0 && --- a/drivers/staging/rtl8188eu/os_dep/mon.c +++ b/drivers/staging/rtl8188eu/os_dep/mon.c @@ -66,34 +66,6 @@ static void mon_recv_decrypted(struct ne netif_rx(skb); }
-static void mon_recv_decrypted_recv(struct net_device *dev, const u8 *data, - int data_len) -{ - struct sk_buff *skb; - struct ieee80211_hdr *hdr; - int hdr_len; - - skb = netdev_alloc_skb(dev, data_len); - if (!skb) - return; - memcpy(skb_put(skb, data_len), data, data_len); - - /* - * Frame data is not encrypted. Strip off protection so - * userspace doesn't think that it is. - */ - - hdr = (struct ieee80211_hdr *)skb->data; - hdr_len = ieee80211_hdrlen(hdr->frame_control); - - if (ieee80211_has_protected(hdr->frame_control)) - hdr->frame_control &= ~cpu_to_le16(IEEE80211_FCTL_PROTECTED); - - skb->ip_summed = CHECKSUM_UNNECESSARY; - skb->protocol = eth_type_trans(skb, dev); - netif_rx(skb); -} - static void mon_recv_encrypted(struct net_device *dev, const u8 *data, int data_len) { @@ -110,6 +82,7 @@ static void mon_recv_encrypted(struct ne void rtl88eu_mon_recv_hook(struct net_device *dev, struct recv_frame *frame) { struct rx_pkt_attrib *attr; + int iv_len, icv_len; int data_len; u8 *data;
@@ -122,8 +95,11 @@ void rtl88eu_mon_recv_hook(struct net_de data = frame->pkt->data; data_len = frame->pkt->len;
+ /* Broadcast and multicast frames don't have attr->{iv,icv}_len set */ + SET_ICE_IV_LEN(iv_len, icv_len, attr->encrypt); + if (attr->bdecrypted) - mon_recv_decrypted_recv(dev, data, data_len); + mon_recv_decrypted(dev, data, data_len, iv_len, icv_len); else mon_recv_encrypted(dev, data, data_len); }
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build reference: v4.13.14-29-g6493632
Building arm:allmodconfig ... failed -------------- Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev); ^ make[4]: *** [drivers/crypto/bcm/cipher.o] Error 1 make[3]: *** [drivers/crypto/bcm] Error 2
Building arm64:allmodconfig ... failed -------------- Error log: arch/arm64/Makefile:23: ld does not support --fix-cortex-a53-843419; kernel may be susceptible to erratum arch/arm64/Makefile:36: LSE atomics not supported by binutils /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function ‘mailbox_send_message’: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member ‘dev’ in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev); ^ make[4]: *** [drivers/crypto/bcm/cipher.o] Error 1 make[3]: *** [drivers/crypto/bcm] Error 2
Early report; builds are incomplete. I do see that another pull is scheduled, so it may well be that this has already been fixed. If so, apologies for the noise.
Guenter
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build results: total: 145 pass: 143 fail: 2 Failed builds: arm:allmodconfig arm64:allmodconfig Qemu test results: total: 123 pass: 107 fail: 16 Failed tests: arm:beagle:multi_v7_defconfig:omap3-beagle arm:beaglexm:multi_v7_defconfig:omap3-beagle-xm arm:overo:multi_v7_defconfig:omap3-overo-tobi arm:sabrelite:multi_v7_defconfig:imx6dl-sabrelite arm:vexpress-a9:multi_v7_defconfig:vexpress-v2p-ca9 arm:vexpress-a15:multi_v7_defconfig:vexpress-v2p-ca15-tc1 arm:vexpress-a15-a7:multi_v7_defconfig:vexpress-v2p-ca15_a7 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zed arm:midway:multi_v7_defconfig:ecx-2000 arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310 arm64:virt:smp:defconfig arm64:xlnx-ep108:smp:defconfig:zynqmp-ep108 arm64:virt:nosmp:defconfig arm64:xlnx-ep108:nosmp:defconfig:zynqmp-ep108
Error ias always the same.
Building arm:allmodconfig ... failed -------------- Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev); ^
Details are available at http://kerneltests.org/builders.
Guenter
On Mon, Nov 20, 2017 at 06:13:42AM -0800, Guenter Roeck wrote:
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build results: total: 145 pass: 143 fail: 2 Failed builds: arm:allmodconfig arm64:allmodconfig Qemu test results: total: 123 pass: 107 fail: 16 Failed tests: arm:beagle:multi_v7_defconfig:omap3-beagle arm:beaglexm:multi_v7_defconfig:omap3-beagle-xm arm:overo:multi_v7_defconfig:omap3-overo-tobi arm:sabrelite:multi_v7_defconfig:imx6dl-sabrelite arm:vexpress-a9:multi_v7_defconfig:vexpress-v2p-ca9 arm:vexpress-a15:multi_v7_defconfig:vexpress-v2p-ca15-tc1 arm:vexpress-a15-a7:multi_v7_defconfig:vexpress-v2p-ca15_a7 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zed arm:midway:multi_v7_defconfig:ecx-2000 arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310 arm64:virt:smp:defconfig arm64:xlnx-ep108:smp:defconfig:zynqmp-ep108 arm64:virt:nosmp:defconfig arm64:xlnx-ep108:nosmp:defconfig:zynqmp-ep108
Error ias always the same.
Building arm:allmodconfig ... failed
Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev);
Ugh, I missed this yesterday, I'll go try to figure out how I broke this, and how my test builds missed this...
greg k-h
On Tue, Nov 21, 2017 at 08:23:20AM +0100, Greg Kroah-Hartman wrote:
On Mon, Nov 20, 2017 at 06:13:42AM -0800, Guenter Roeck wrote:
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build results: total: 145 pass: 143 fail: 2 Failed builds: arm:allmodconfig arm64:allmodconfig Qemu test results: total: 123 pass: 107 fail: 16 Failed tests: arm:beagle:multi_v7_defconfig:omap3-beagle arm:beaglexm:multi_v7_defconfig:omap3-beagle-xm arm:overo:multi_v7_defconfig:omap3-overo-tobi arm:sabrelite:multi_v7_defconfig:imx6dl-sabrelite arm:vexpress-a9:multi_v7_defconfig:vexpress-v2p-ca9 arm:vexpress-a15:multi_v7_defconfig:vexpress-v2p-ca15-tc1 arm:vexpress-a15-a7:multi_v7_defconfig:vexpress-v2p-ca15_a7 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zed arm:midway:multi_v7_defconfig:ecx-2000 arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310 arm64:virt:smp:defconfig arm64:xlnx-ep108:smp:defconfig:zynqmp-ep108 arm64:virt:nosmp:defconfig arm64:xlnx-ep108:nosmp:defconfig:zynqmp-ep108
Error ias always the same.
Building arm:allmodconfig ... failed
Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev);
Ugh, I missed this yesterday, I'll go try to figure out how I broke this, and how my test builds missed this...
Ok, I think I've found it, and now dropped the offending patch.
greg k-h
On 11/20/2017 11:51 PM, Greg Kroah-Hartman wrote:
On Tue, Nov 21, 2017 at 08:23:20AM +0100, Greg Kroah-Hartman wrote:
On Mon, Nov 20, 2017 at 06:13:42AM -0800, Guenter Roeck wrote:
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build results: total: 145 pass: 143 fail: 2 Failed builds: arm:allmodconfig arm64:allmodconfig Qemu test results: total: 123 pass: 107 fail: 16 Failed tests: arm:beagle:multi_v7_defconfig:omap3-beagle arm:beaglexm:multi_v7_defconfig:omap3-beagle-xm arm:overo:multi_v7_defconfig:omap3-overo-tobi arm:sabrelite:multi_v7_defconfig:imx6dl-sabrelite arm:vexpress-a9:multi_v7_defconfig:vexpress-v2p-ca9 arm:vexpress-a15:multi_v7_defconfig:vexpress-v2p-ca15-tc1 arm:vexpress-a15-a7:multi_v7_defconfig:vexpress-v2p-ca15_a7 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zed arm:midway:multi_v7_defconfig:ecx-2000 arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310 arm64:virt:smp:defconfig arm64:xlnx-ep108:smp:defconfig:zynqmp-ep108 arm64:virt:nosmp:defconfig arm64:xlnx-ep108:nosmp:defconfig:zynqmp-ep108
Error ias always the same.
Building arm:allmodconfig ... failed
Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev);
Ugh, I missed this yesterday, I'll go try to figure out how I broke this, and how my test builds missed this...
Ok, I think I've found it, and now dropped the offending patch.
With v4.13.14-28-g92df2ce:
Build results: total: 145 pass: 145 fail: 0 Qemu test results: total: 123 pass: 123 fail: 0
Guenter
On Tue, Nov 21, 2017 at 02:06:25AM -0800, Guenter Roeck wrote:
On 11/20/2017 11:51 PM, Greg Kroah-Hartman wrote:
On Tue, Nov 21, 2017 at 08:23:20AM +0100, Greg Kroah-Hartman wrote:
On Mon, Nov 20, 2017 at 06:13:42AM -0800, Guenter Roeck wrote:
On 11/19/2017 06:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
Build results: total: 145 pass: 143 fail: 2 Failed builds: arm:allmodconfig arm64:allmodconfig Qemu test results: total: 123 pass: 107 fail: 16 Failed tests: arm:beagle:multi_v7_defconfig:omap3-beagle arm:beaglexm:multi_v7_defconfig:omap3-beagle-xm arm:overo:multi_v7_defconfig:omap3-overo-tobi arm:sabrelite:multi_v7_defconfig:imx6dl-sabrelite arm:vexpress-a9:multi_v7_defconfig:vexpress-v2p-ca9 arm:vexpress-a15:multi_v7_defconfig:vexpress-v2p-ca15-tc1 arm:vexpress-a15-a7:multi_v7_defconfig:vexpress-v2p-ca15_a7 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc702 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zc706 arm:xilinx-zynq-a9:multi_v7_defconfig:zynq-zed arm:midway:multi_v7_defconfig:ecx-2000 arm:smdkc210:multi_v7_defconfig:exynos4210-smdkv310 arm64:virt:smp:defconfig arm64:xlnx-ep108:smp:defconfig:zynqmp-ep108 arm64:virt:nosmp:defconfig arm64:xlnx-ep108:nosmp:defconfig:zynqmp-ep108
Error ias always the same.
Building arm:allmodconfig ... failed
Error log: /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c: In function 'mailbox_send_message': /opt/buildbot/slave/stable-queue-4.13/build/drivers/crypto/bcm/cipher.c:266:40: error: request for member 'dev' in something not a structure or union struct device *dev = &(iproc_priv.pdev->dev);
Ugh, I missed this yesterday, I'll go try to figure out how I broke this, and how my test builds missed this...
Ok, I think I've found it, and now dropped the offending patch.
With v4.13.14-28-g92df2ce:
Build results: total: 145 pass: 145 fail: 0 Qemu test results: total: 123 pass: 123 fail: 0
Great, thanks for confirming that this was resolved.
greg k-h
On 11/19/2017 07:43 AM, Greg Kroah-Hartman wrote:
This is the start of the stable review cycle for the 4.13.15 release. There are 28 patches in this series, all will be posted as a response to this one. If anyone has any issues with these being applied, please let me know.
Responses should be made by Tue Nov 21 14:42:57 UTC 2017. Anything received after that time might be too late.
The whole patch series can be found in one patch at: kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.13.15-rc1.gz or in the git tree and branch at: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.13.y and the diffstat can be found below.
thanks,
greg k-h
Compiled and booted on my test system. No dmesg regressions.
thanks, -- Shuah
linux-stable-mirror@lists.linaro.org
-
Brian Norris -
Greg Kroah-Hartman -
Guenter Roeck -
Kai Heng Feng -
Matthias Kaehlcke -
Raveendra Padasalagi -
Shuah Khan