Commit cdbe07ad authored Oct 12, 2017 by Greg Kroah-Hartman

Merge 4.9.55 into android-4.9



Changes in 4.9.55
	USB: gadgetfs: Fix crash caused by inadequate synchronization
	USB: gadgetfs: fix copy_to_user while holding spinlock
	usb: gadget: udc: atmel: set vbus irqflags explicitly
	usb: gadget: udc: renesas_usb3: fix for no-data control transfer
	usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
	usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
	usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
	usb-storage: fix bogus hardware error messages for ATA pass-thru devices
	usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
	usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
	ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
	usb: pci-quirks.c: Corrected timeout values used in handshake
	USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
	USB: dummy-hcd: fix connection failures (wrong speed)
	USB: dummy-hcd: fix infinite-loop resubmission bug
	USB: dummy-hcd: Fix erroneous synchronization change
	USB: devio: Don't corrupt user memory
	usb: gadget: mass_storage: set msg_registered after msg registered
	USB: g_mass_storage: Fix deadlock when driver is unbound
	USB: uas: fix bug in handling of alternate settings
	USB: core: harden cdc_parse_cdc_header
	usb: Increase quirk delay for USB devices
	USB: fix out-of-bounds in usb_set_configuration
	xhci: fix finding correct bus_state structure for USB 3.1 hosts
	xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
	xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
	Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
	iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
	iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
	iio: ad_sigma_delta: Implement a dedicated reset function
	staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
	iio: core: Return error for failed read_reg
	IIO: BME280: Updates to Humidity readings need ctrl_reg write!
	iio: ad7793: Fix the serial interface reset
	iio: adc: mcp320x: Fix readout of negative voltages
	iio: adc: mcp320x: Fix oops on module unload
	uwb: properly check kthread_run return value
	uwb: ensure that endpoint is interrupt
	staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
	mm, oom_reaper: skip mm structs with mmu notifiers
	lib/ratelimit.c: use deferred printk() version
	lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
	ALSA: compress: Remove unused variable
	Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
	ALSA: usx2y: Suppress kernel warning at page allocation failures
	mlxsw: spectrum: Prevent mirred-related crash on removal
	net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
	sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
	tcp: update skb->skb_mstamp more carefully
	bpf/verifier: reject BPF_ALU64|BPF_END
	tcp: fix data delivery rate
	udpv6: Fix the checksum computation when HW checksum does not apply
	ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
	net: phy: Fix mask value write on gmii2rgmii converter speed register
	ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
	net/sched: cls_matchall: fix crash when used with classful qdisc
	tcp: fastopen: fix on syn-data transmit failure
	net: emac: Fix napi poll list corruption
	packet: hold bind lock when rebinding to fanout hook
	bpf: one perf event close won't free bpf program attached by another perf event
	isdn/i4l: fetch the ppp_write buffer in one shot
	net_sched: always reset qdisc backlog in qdisc_reset()
	net: qcom/emac: specify the correct size when mapping a DMA buffer
	vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
	l2tp: Avoid schedule while atomic in exit_net
	l2tp: fix race condition in l2tp_tunnel_delete
	tun: bail out from tun_get_user() if the skb is empty
	net: dsa: Fix network device registration order
	packet: in packet_do_bind, test fanout with bind_lock held
	packet: only test po->has_vnet_hdr once in packet_snd
	net: Set sk_prot_creator when cloning sockets to the right proto
	netlink: do not proceed if dump's start() errs
	ip6_gre: ip6gre_tap device should keep dst
	ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
	tipc: use only positive error codes in messages
	net: rtnetlink: fix info leak in RTM_GETSTATS call
	socket, bpf: fix possible use after free
	powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
	powerpc/tm: Fix illegal TM state in signal handler
	percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
	driver core: platform: Don't read past the end of "driver_override" buffer
	Drivers: hv: fcopy: restore correct transfer length
	stm class: Fix a use-after-free
	ftrace: Fix kmemleak in unregister_ftrace_graph
	HID: i2c-hid: allocate hid buffers for real worst case
	HID: wacom: leds: Don't try to control the EKR's read-only LEDs
	HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
	HID: wacom: bits shifted too much for 9th and 10th buttons
	rocker: fix rocker_tlv_put_* functions for KASAN
	netlink: fix nla_put_{u8,u16,u32} for KASAN
	iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
	iwlwifi: add workaround to disable wide channels in 5GHz
	scsi: sd: Do not override max_sectors_kb sysfs setting
	brcmfmac: add length check in brcmf_cfg80211_escan_handler()
	brcmfmac: setup passive scan if requested by user-space
	drm/i915/bios: ignore HDMI on port A
	nvme-pci: Use PCI bus address for data/queues in CMB
	mmc: core: add driver strength selection when selecting hs400es
	sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
	vfs: deny copy_file_range() for non regular files
	ext4: fix data corruption for mmap writes
	ext4: Don't clear SGID when inheriting ACLs
	ext4: don't allow encrypted operations without keys
	f2fs: don't allow encrypted operations without keys
	KVM: x86: fix singlestepping over syscall
	Linux 4.9.55

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

parents 6cd26315 f82786d7

Makefile

+1 −1

Original line number	Diff line number	Diff line
		VERSION = 4
		PATCHLEVEL = 9
		SUBLEVEL = 54
		SUBLEVEL = 55
		EXTRAVERSION =
		NAME = Roaring Lionus

arch/powerpc/kernel/exceptions-64s.S

+23 −1

Original line number	Diff line number	Diff line
		@@ -764,7 +764,29 @@ EXC_REAL(program_check, 0x700, 0x800)
		EXC_VIRT(program_check, 0x4700, 0x4800, 0x700)
		TRAMP_KVM(PACA_EXGEN, 0x700)
		EXC_COMMON_BEGIN(program_check_common)
		EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
		/*
		* It's possible to receive a TM Bad Thing type program check with
		* userspace register values (in particular r1), but with SRR1 reporting
		* that we came from the kernel. Normally that would confuse the bad
		* stack logic, and we would report a bad kernel stack pointer. Instead
		* we switch to the emergency stack if we're taking a TM Bad Thing from
		* the kernel.
		*/
		li r10,MSR_PR /* Build a mask of MSR_PR .. */
		oris r10,r10,0x200000@h /* .. and SRR1_PROGTM */
		and r10,r10,r12 /* Mask SRR1 with that. */
		srdi r10,r10,8 /* Shift it so we can compare */
		cmpldi r10,(0x200000 >> 8) /* .. with an immediate. */
		bne 1f /* If != go to normal path. */

		/* SRR1 had PR=0 and SRR1_PROGTM=1, so use the emergency stack */
		andi. r10,r12,MSR_PR; /* Set CR0 correctly for label */
		/* 3 in EXCEPTION_PROLOG_COMMON */
		mr r10,r1 /* Save r1 */
		ld r1,PACAEMERGSP(r13) /* Use emergency stack */
		subi r1,r1,INT_FRAME_SIZE /* alloc stack frame */
		b 3f /* Jump into the macro !! */
		1: EXCEPTION_PROLOG_COMMON(0x700, PACA_EXGEN)
		bl save_nvgprs
		RECONCILE_IRQ_STATE(r10, r11)
		addi r3,r1,STACK_FRAME_OVERHEAD

arch/powerpc/kernel/signal_64.c

+12 −1

Original line number	Diff line number	Diff line
		@@ -452,9 +452,20 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
		if (MSR_TM_RESV(msr))
		return -EINVAL;

		/* pull in MSR TM from user context */
		/* pull in MSR TS bits from user context */
		regs->msr = (regs->msr & ~MSR_TS_MASK) \| (msr & MSR_TS_MASK);

		/*
		* Ensure that TM is enabled in regs->msr before we leave the signal
		* handler. It could be the case that (a) user disabled the TM bit
		* through the manipulation of the MSR bits in uc_mcontext or (b) the
		* TM bit was disabled because a sufficient number of context switches
		* happened whilst in the signal handler and load_tm overflowed,
		* disabling the TM bit. In either case we can end up with an illegal
		* TM state leading to a TM Bad Thing when we return to userspace.
		*/
		regs->msr \|= MSR_TM;

		/* pull in MSR LE from user context */
		regs->msr = (regs->msr & ~MSR_LE) \| (msr & MSR_LE);

arch/x86/include/asm/kvm_emulate.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -296,6 +296,7 @@ struct x86_emulate_ctxt {

		bool perm_ok; /* do not check permissions if true */
		bool ud; /* inject an #UD if host doesn't support insn */
		bool tf; /* TF value before instruction (after for syscall/sysret) */

		bool have_exception;
		struct x86_exception exception;

arch/x86/kvm/emulate.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -2738,6 +2738,7 @@ static int em_syscall(struct x86_emulate_ctxt *ctxt)
		ctxt->eflags &= ~(X86_EFLAGS_VM \| X86_EFLAGS_IF);
		}

		ctxt->tf = (ctxt->eflags & X86_EFLAGS_TF) != 0;
		return X86EMUL_CONTINUE;
		}