From 84e2ae3fa108e5494ef3cfce52d902b3cb94d543 Mon Sep 17 00:00:00 2001
From: Mark Weiman <mark.weiman@markzz.com>
Date: Fri, 27 Oct 2017 19:55:50 -0400
Subject: [PATCH] Update to 4.13.9-1

---
 .SRCINFO                    | 16 +++++----
 PKGBUILD                    | 16 +++++----
 config                      |  4 +--
 config.x86_64               |  4 +--
 revert-usb-memory-fix.patch | 69 +++++++++++++++++++++++++++++++++++++
 5 files changed, 92 insertions(+), 17 deletions(-)
 create mode 100644 revert-usb-memory-fix.patch

diff --git a/.SRCINFO b/.SRCINFO
index 50ca2b6..d49118b 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,7 +1,7 @@
 # Generated by mksrcinfo v8
-# Tue Oct 17 15:09:58 UTC 2017
+# Fri Oct 27 23:55:37 UTC 2017
 pkgbase = linux-vfio
-	pkgver = 4.13.7
+	pkgver = 4.13.9
 	pkgrel = 1
 	url = http://www.kernel.org/
 	arch = i686
@@ -16,24 +16,26 @@ pkgbase = linux-vfio
 	options = !strip
 	source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.13.tar.xz
 	source = https://www.kernel.org/pub/linux/kernel/v4.x/linux-4.13.tar.sign
-	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.13.7.xz
-	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.13.7.sign
+	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.13.9.xz
+	source = https://www.kernel.org/pub/linux/kernel/v4.x/patch-4.13.9.sign
 	source = config
 	source = config.x86_64
 	source = 90-linux.hook
 	source = linux.preset
 	source = add-acs-overrides.patch
 	source = i915-vga-arbiter.patch
+	source = revert-usb-memory-fix.patch
 	sha256sums = 2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c
 	sha256sums = SKIP
-	sha256sums = 0fe89c96e956efbded576214eef0c8e43cabe41dfca245e3ebb79fff9bc8715d
+	sha256sums = 22156e82467c7911d226a0a887eba19103434efc104439a3b426a3fa551fb8f2
 	sha256sums = SKIP
-	sha256sums = f68bb8bccbbd6b86dc9f182ee25b2953638aec2729387c70d2787318ad4ea16c
-	sha256sums = 9be58e0adea94ccd51aabdd568fa65ba84097f31589de57c5fcc7c71c257a6e0
+	sha256sums = 9b1d9fcb55782e6149aca4dc2d3b250dd4cedf1bf4bd8c6f0968acab0e2e0ee4
+	sha256sums = 9c6c4d27d59638d0569ea09a97138bfcfb219f17cdf1138be141380e6654f302
 	sha256sums = 8f407ad5ff6eff106562ba001c36a281134ac9aa468a596aea660a4fe1fd60b5
 	sha256sums = 99d0102c8065793096b8ea2ccc01c41fa3dcb96855f9f6f2c583b2372208c6f9
 	sha256sums = 05467ff4108e13c8a1fed9e2cc5b4e7b50c83e97e39b82d5478ea89b4af475ea
 	sha256sums = 19fd3b81b4b081ceb100c89fb6bab012a8d708da6ca8cee53d771abca4770236
+	sha256sums = 20acfd8fc32fe7c53342d345aa969bc448a0d9022ebbfdf82a06e2d2e22ebfb9
 
 pkgname = linux-vfio
 	pkgdesc = The Linux kernel and modules with patches to enable GPU passthrough with KVM
diff --git a/PKGBUILD b/PKGBUILD
index 850148e..40b1ba9 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,7 +3,7 @@
 
 pkgbase=linux-vfio
 _srcname=linux-4.13
-pkgver=4.13.7
+pkgver=4.13.9
 pkgrel=1
 arch=('i686' 'x86_64')
 url="http://www.kernel.org/"
@@ -22,17 +22,19 @@ source=("https://www.kernel.org/pub/linux/kernel/v4.x/${_srcname}.tar.xz"
         'linux.preset'
         # patches for pci passthrough
         'add-acs-overrides.patch'
-        'i915-vga-arbiter.patch')
+        'i915-vga-arbiter.patch'
+        'revert-usb-memory-fix.patch')
 sha256sums=('2db3d6066c3ad93eb25b973a3d2951e022a7e975ee2fa7cbe5bddf84d9a49a2c'
             'SKIP'
-            '0fe89c96e956efbded576214eef0c8e43cabe41dfca245e3ebb79fff9bc8715d'
+            '22156e82467c7911d226a0a887eba19103434efc104439a3b426a3fa551fb8f2'
             'SKIP'
-            'f68bb8bccbbd6b86dc9f182ee25b2953638aec2729387c70d2787318ad4ea16c'
-            '9be58e0adea94ccd51aabdd568fa65ba84097f31589de57c5fcc7c71c257a6e0'
+            '9b1d9fcb55782e6149aca4dc2d3b250dd4cedf1bf4bd8c6f0968acab0e2e0ee4'
+            '9c6c4d27d59638d0569ea09a97138bfcfb219f17cdf1138be141380e6654f302'
             '8f407ad5ff6eff106562ba001c36a281134ac9aa468a596aea660a4fe1fd60b5'
             '99d0102c8065793096b8ea2ccc01c41fa3dcb96855f9f6f2c583b2372208c6f9'
             '05467ff4108e13c8a1fed9e2cc5b4e7b50c83e97e39b82d5478ea89b4af475ea'
-            '19fd3b81b4b081ceb100c89fb6bab012a8d708da6ca8cee53d771abca4770236')
+            '19fd3b81b4b081ceb100c89fb6bab012a8d708da6ca8cee53d771abca4770236'
+            '20acfd8fc32fe7c53342d345aa969bc448a0d9022ebbfdf82a06e2d2e22ebfb9')
 validpgpkeys=(
               'ABAF11C65A2970B130ABE3C479BE3E4300411886' # Linus Torvalds
               '647F28654894E3BD457199BE38DBBDC86092693E' # Greg Kroah-Hartman
@@ -63,6 +65,8 @@ prepare() {
   echo '==> Applying ACS override patch'
   patch -p1 -i "${srcdir}/add-acs-overrides.patch"
 
+  patch -p1 -i "${srcdir}/revert-usb-memory-fix.patch"
+
   if [ "${_kernelname}" != "" ]; then
     sed -i "s|CONFIG_LOCALVERSION=.*|CONFIG_LOCALVERSION=\"${_kernelname}\"|g" ./.config
     sed -i "s|CONFIG_LOCALVERSION_AUTO=.*|CONFIG_LOCALVERSION_AUTO=n|" ./.config
diff --git a/config b/config
index 097a52f..c3fd576 100644
--- a/config
+++ b/config
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.13.5-1 Kernel Configuration
+# Linux/x86 4.13.9-1 Kernel Configuration
 #
 # CONFIG_64BIT is not set
 CONFIG_X86_32=y
@@ -7453,7 +7453,7 @@ CONFIG_ACPI_ALS=m
 # CONFIG_CM36651 is not set
 # CONFIG_IIO_CROS_EC_LIGHT_PROX is not set
 # CONFIG_GP2AP020A00F is not set
-# CONFIG_SENSORS_ISL29018 is not set
+CONFIG_SENSORS_ISL29018=m
 # CONFIG_SENSORS_ISL29028 is not set
 # CONFIG_ISL29125 is not set
 CONFIG_HID_SENSOR_ALS=m
diff --git a/config.x86_64 b/config.x86_64
index c0f39ae..8da88c2 100644
--- a/config.x86_64
+++ b/config.x86_64
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.13.5-1 Kernel Configuration
+# Linux/x86 4.13.9-1 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -7170,7 +7170,7 @@ CONFIG_ACPI_ALS=m
 # CONFIG_CM36651 is not set
 # CONFIG_IIO_CROS_EC_LIGHT_PROX is not set
 # CONFIG_GP2AP020A00F is not set
-# CONFIG_SENSORS_ISL29018 is not set
+CONFIG_SENSORS_ISL29018=m
 # CONFIG_SENSORS_ISL29028 is not set
 # CONFIG_ISL29125 is not set
 CONFIG_HID_SENSOR_ALS=m
diff --git a/revert-usb-memory-fix.patch b/revert-usb-memory-fix.patch
new file mode 100644
index 0000000..120ebc3
--- /dev/null
+++ b/revert-usb-memory-fix.patch
@@ -0,0 +1,69 @@
+From a9fdf6354267d92b57bfb96fbcccbe5d5c163d8e Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 16 Oct 2017 16:21:19 +0200
+Subject: USB: devio: Revert "USB: devio: Don't corrupt user memory"
+
+commit 845d584f41eac3475c21e4a7d5e88d0f6e410cf7 upstream.
+
+Taking the uurb->buffer_length userspace passes in as a maximum for the
+actual urbs transfer_buffer_length causes 2 serious issues:
+
+1) It breaks isochronous support for all userspace apps using libusb,
+   as existing libusb versions pass in 0 for uurb->buffer_length,
+   relying on the kernel using the lenghts of the usbdevfs_iso_packet_desc
+   descriptors passed in added together as buffer length.
+
+   This for example causes redirection of USB audio and Webcam's into
+   virtual machines using qemu-kvm to no longer work. This is a userspace
+   ABI break and as such must be reverted.
+
+   Note that the original commit does not protect other users / the
+   kernels memory, it only stops the userspace process making the call
+   from shooting itself in the foot.
+
+2) It may cause the kernel to program host controllers to DMA over random
+   memory. Just as the devio code used to only look at the iso_packet_desc
+   lenghts, the host drivers do the same, relying on the submitter of the
+   urbs to make sure the entire buffer is large enough and not checking
+   transfer_buffer_length.
+
+   But the "USB: devio: Don't corrupt user memory" commit now takes the
+   userspace provided uurb->buffer_length for the buffer-size while copying
+   over the user-provided iso_packet_desc lengths 1:1, allowing the user
+   to specify a small buffer size while programming the host controller to
+   dma a lot more data.
+
+   (Atleast the ohci, uhci, xhci and fhci drivers do not check
+    transfer_buffer_length for isoc transfers.)
+
+This reverts commit fa1ed74eb1c2 ("USB: devio: Don't corrupt user memory")
+fixing both these issues.
+
+Cc: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/devio.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c
+index 1d4dfde..066b58c 100644
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1576,11 +1576,7 @@ static int proc_do_submiturb(struct usb_dev_state *ps, struct usbdevfs_urb *uurb
+ 			totlen += isopkt[u].length;
+ 		}
+ 		u *= sizeof(struct usb_iso_packet_descriptor);
+-		if (totlen <= uurb->buffer_length)
+-			uurb->buffer_length = totlen;
+-		else
+-			WARN_ONCE(1, "uurb->buffer_length is too short %d vs %d",
+-				  totlen, uurb->buffer_length);
++		uurb->buffer_length = totlen;
+ 		break;
+ 
+ 	default:
+-- 
+cgit v1.1
+