--- /dev/null
+From 21b200d091826a83aafc95d847139b2b0582f6d1 Mon Sep 17 00:00:00 2001
+From: Aurelien Aptel <aaptel@suse.com>
+Date: Fri, 5 Feb 2021 15:42:48 +0100
+Subject: cifs: report error instead of invalid when revalidating a dentry fails
+
+From: Aurelien Aptel <aaptel@suse.com>
+
+commit 21b200d091826a83aafc95d847139b2b0582f6d1 upstream.
+
+Assuming
+- //HOST/a is mounted on /mnt
+- //HOST/b is mounted on /mnt/b
+
+On a slow connection, running 'df' and killing it while it's
+processing /mnt/b can make cifs_get_inode_info() returns -ERESTARTSYS.
+
+This triggers the following chain of events:
+=> the dentry revalidation fail
+=> dentry is put and released
+=> superblock associated with the dentry is put
+=> /mnt/b is unmounted
+
+This patch makes cifs_d_revalidate() return the error instead of 0
+(invalid) when cifs_revalidate_dentry() fails, except for ENOENT (file
+deleted) and ESTALE (file recreated).
+
+Signed-off-by: Aurelien Aptel <aaptel@suse.com>
+Suggested-by: Shyam Prasad N <nspmangalore@gmail.com>
+Reviewed-by: Shyam Prasad N <nspmangalore@gmail.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/dir.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/dir.c
++++ b/fs/cifs/dir.c
+@@ -840,6 +840,7 @@ static int
+ cifs_d_revalidate(struct dentry *direntry, unsigned int flags)
+ {
+ struct inode *inode;
++ int rc;
+
+ if (flags & LOOKUP_RCU)
+ return -ECHILD;
+@@ -849,8 +850,25 @@ cifs_d_revalidate(struct dentry *direntr
+ if ((flags & LOOKUP_REVAL) && !CIFS_CACHE_READ(CIFS_I(inode)))
+ CIFS_I(inode)->time = 0; /* force reval */
+
+- if (cifs_revalidate_dentry(direntry))
+- return 0;
++ rc = cifs_revalidate_dentry(direntry);
++ if (rc) {
++ cifs_dbg(FYI, "cifs_revalidate_dentry failed with rc=%d", rc);
++ switch (rc) {
++ case -ENOENT:
++ case -ESTALE:
++ /*
++ * Those errors mean the dentry is invalid
++ * (file was deleted or recreated)
++ */
++ return 0;
++ default:
++ /*
++ * Otherwise some unexpected error happened
++ * report it as-is to VFS layer
++ */
++ return rc;
++ }
++ }
+ else {
+ /*
+ * If the inode wasn't known to be a dfs entry when
--- /dev/null
+From 4c457e8cb75eda91906a4f89fc39bde3f9a43922 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Sat, 23 Jan 2021 12:27:59 +0000
+Subject: genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 4c457e8cb75eda91906a4f89fc39bde3f9a43922 upstream.
+
+When MSI_FLAG_ACTIVATE_EARLY is set (which is the case for PCI),
+__msi_domain_alloc_irqs() performs the activation of the interrupt (which
+in the case of PCI results in the endpoint being programmed) as soon as the
+interrupt is allocated.
+
+But it appears that this is only done for the first vector, introducing an
+inconsistent behaviour for PCI Multi-MSI.
+
+Fix it by iterating over the number of vectors allocated to each MSI
+descriptor. This is easily achieved by introducing a new
+"for_each_msi_vector" iterator, together with a tiny bit of refactoring.
+
+Fixes: f3b0946d629c ("genirq/msi: Make sure PCI MSIs are activated early")
+Reported-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Tested-by: Shameer Kolothum <shameerali.kolothum.thodi@huawei.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20210123122759.1781359-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/msi.h | 6 ++++++
+ kernel/irq/msi.c | 44 ++++++++++++++++++++------------------------
+ 2 files changed, 26 insertions(+), 24 deletions(-)
+
+--- a/include/linux/msi.h
++++ b/include/linux/msi.h
+@@ -118,6 +118,12 @@ struct msi_desc {
+ list_for_each_entry((desc), dev_to_msi_list((dev)), list)
+ #define for_each_msi_entry_safe(desc, tmp, dev) \
+ list_for_each_entry_safe((desc), (tmp), dev_to_msi_list((dev)), list)
++#define for_each_msi_vector(desc, __irq, dev) \
++ for_each_msi_entry((desc), (dev)) \
++ if ((desc)->irq) \
++ for (__irq = (desc)->irq; \
++ __irq < ((desc)->irq + (desc)->nvec_used); \
++ __irq++)
+
+ #ifdef CONFIG_PCI_MSI
+ #define first_pci_msi_entry(pdev) first_msi_entry(&(pdev)->dev)
+--- a/kernel/irq/msi.c
++++ b/kernel/irq/msi.c
+@@ -437,22 +437,22 @@ int msi_domain_alloc_irqs(struct irq_dom
+
+ can_reserve = msi_check_reservation_mode(domain, info, dev);
+
+- for_each_msi_entry(desc, dev) {
+- virq = desc->irq;
+- if (desc->nvec_used == 1)
+- dev_dbg(dev, "irq %d for MSI\n", virq);
+- else
++ /*
++ * This flag is set by the PCI layer as we need to activate
++ * the MSI entries before the PCI layer enables MSI in the
++ * card. Otherwise the card latches a random msi message.
++ */
++ if (!(info->flags & MSI_FLAG_ACTIVATE_EARLY))
++ goto skip_activate;
++
++ for_each_msi_vector(desc, i, dev) {
++ if (desc->irq == i) {
++ virq = desc->irq;
+ dev_dbg(dev, "irq [%d-%d] for MSI\n",
+ virq, virq + desc->nvec_used - 1);
+- /*
+- * This flag is set by the PCI layer as we need to activate
+- * the MSI entries before the PCI layer enables MSI in the
+- * card. Otherwise the card latches a random msi message.
+- */
+- if (!(info->flags & MSI_FLAG_ACTIVATE_EARLY))
+- continue;
++ }
+
+- irq_data = irq_domain_get_irq_data(domain, desc->irq);
++ irq_data = irq_domain_get_irq_data(domain, i);
+ if (!can_reserve) {
+ irqd_clr_can_reserve(irq_data);
+ if (domain->flags & IRQ_DOMAIN_MSI_NOMASK_QUIRK)
+@@ -463,28 +463,24 @@ int msi_domain_alloc_irqs(struct irq_dom
+ goto cleanup;
+ }
+
++skip_activate:
+ /*
+ * If these interrupts use reservation mode, clear the activated bit
+ * so request_irq() will assign the final vector.
+ */
+ if (can_reserve) {
+- for_each_msi_entry(desc, dev) {
+- irq_data = irq_domain_get_irq_data(domain, desc->irq);
++ for_each_msi_vector(desc, i, dev) {
++ irq_data = irq_domain_get_irq_data(domain, i);
+ irqd_clr_activated(irq_data);
+ }
+ }
+ return 0;
+
+ cleanup:
+- for_each_msi_entry(desc, dev) {
+- struct irq_data *irqd;
+-
+- if (desc->irq == virq)
+- break;
+-
+- irqd = irq_domain_get_irq_data(domain, desc->irq);
+- if (irqd_is_activated(irqd))
+- irq_domain_deactivate_irq(irqd);
++ for_each_msi_vector(desc, i, dev) {
++ irq_data = irq_domain_get_irq_data(domain, i);
++ if (irqd_is_activated(irq_data))
++ irq_domain_deactivate_irq(irq_data);
+ }
+ msi_domain_free_irqs(domain, dev);
+ return ret;
--- /dev/null
+From 0188b87899ffc4a1d36a0badbe77d56c92fd91dc Mon Sep 17 00:00:00 2001
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Date: Thu, 28 Jan 2021 20:44:27 +0800
+Subject: kretprobe: Avoid re-registration of the same kretprobe earlier
+
+From: Wang ShaoBo <bobo.shaobowang@huawei.com>
+
+commit 0188b87899ffc4a1d36a0badbe77d56c92fd91dc upstream.
+
+Our system encountered a re-init error when re-registering same kretprobe,
+where the kretprobe_instance in rp->free_instances is illegally accessed
+after re-init.
+
+Implementation to avoid re-registration has been introduced for kprobe
+before, but lags for register_kretprobe(). We must check if kprobe has
+been re-registered before re-initializing kretprobe, otherwise it will
+destroy the data struct of kretprobe registered, which can lead to memory
+leak, system crash, also some unexpected behaviors.
+
+We use check_kprobe_rereg() to check if kprobe has been re-registered
+before running register_kretprobe()'s body, for giving a warning message
+and terminate registration process.
+
+Link: https://lkml.kernel.org/r/20210128124427.2031088-1-bobo.shaobowang@huawei.com
+
+Cc: stable@vger.kernel.org
+Fixes: 1f0ab40976460 ("kprobes: Prevent re-registration of the same kprobe")
+[ The above commit should have been done for kretprobes too ]
+Acked-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
+Acked-by: Ananth N Mavinakayanahalli <ananth@linux.ibm.com>
+Acked-by: Masami Hiramatsu <mhiramat@kernel.org>
+Signed-off-by: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Cheng Jian <cj.chengjian@huawei.com>
+Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/kprobes.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1945,6 +1945,10 @@ int register_kretprobe(struct kretprobe
+ if (!kprobe_on_func_entry(rp->kp.addr, rp->kp.symbol_name, rp->kp.offset))
+ return -EINVAL;
+
++ /* If only rp->kp.addr is specified, check reregistering kprobes */
++ if (rp->kp.addr && check_kprobe_rereg(&rp->kp))
++ return -EINVAL;
++
+ if (kretprobe_blacklist_size) {
+ addr = kprobe_addr(&rp->kp);
+ if (IS_ERR(addr))
--- /dev/null
+From 18fe0fae61252b5ae6e26553e2676b5fac555951 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau <nbd@nbd.name>
+Date: Mon, 1 Feb 2021 09:33:24 +0100
+Subject: mac80211: fix station rate table updates on assoc
+
+From: Felix Fietkau <nbd@nbd.name>
+
+commit 18fe0fae61252b5ae6e26553e2676b5fac555951 upstream.
+
+If the driver uses .sta_add, station entries are only uploaded after the sta
+is in assoc state. Fix early station rate table updates by deferring them
+until the sta has been uploaded.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Felix Fietkau <nbd@nbd.name>
+Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
+[use rcu_access_pointer() instead since we won't dereference here]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mac80211/driver-ops.c | 5 ++++-
+ net/mac80211/rate.c | 3 ++-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/driver-ops.c
++++ b/net/mac80211/driver-ops.c
+@@ -128,8 +128,11 @@ int drv_sta_state(struct ieee80211_local
+ } else if (old_state == IEEE80211_STA_AUTH &&
+ new_state == IEEE80211_STA_ASSOC) {
+ ret = drv_sta_add(local, sdata, &sta->sta);
+- if (ret == 0)
++ if (ret == 0) {
+ sta->uploaded = true;
++ if (rcu_access_pointer(sta->sta.rates))
++ drv_sta_rate_tbl_update(local, sdata, &sta->sta);
++ }
+ } else if (old_state == IEEE80211_STA_ASSOC &&
+ new_state == IEEE80211_STA_AUTH) {
+ drv_sta_remove(local, sdata, &sta->sta);
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -941,7 +941,8 @@ int rate_control_set_rates(struct ieee80
+ if (old)
+ kfree_rcu(old, rcu_head);
+
+- drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
++ if (sta->uploaded)
++ drv_sta_rate_tbl_update(hw_to_local(hw), sta->sdata, pubsta);
+
+ ieee80211_sta_set_expected_throughput(pubsta, sta_get_expected_throughput(sta));
+
--- /dev/null
+From e04527fefba6e4e66492f122cf8cc6314f3cf3bf Mon Sep 17 00:00:00 2001
+From: Liangyan <liangyan.peng@linux.alibaba.com>
+Date: Tue, 22 Dec 2020 11:06:26 +0800
+Subject: ovl: fix dentry leak in ovl_get_redirect
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Liangyan <liangyan.peng@linux.alibaba.com>
+
+commit e04527fefba6e4e66492f122cf8cc6314f3cf3bf upstream.
+
+We need to lock d_parent->d_lock before dget_dlock, or this may
+have d_lockref updated parallelly like calltrace below which will
+cause dentry->d_lockref leak and risk a crash.
+
+ CPU 0 CPU 1
+ovl_set_redirect lookup_fast
+ ovl_get_redirect __d_lookup
+ dget_dlock
+ //no lock protection here spin_lock(&dentry->d_lock)
+ dentry->d_lockref.count++ dentry->d_lockref.count++
+
+[ 49.799059] PGD 800000061fed7067 P4D 800000061fed7067 PUD 61fec5067 PMD 0
+[ 49.799689] Oops: 0002 [#1] SMP PTI
+[ 49.800019] CPU: 2 PID: 2332 Comm: node Not tainted 4.19.24-7.20.al7.x86_64 #1
+[ 49.800678] Hardware name: Alibaba Cloud Alibaba Cloud ECS, BIOS 8a46cfe 04/01/2014
+[ 49.801380] RIP: 0010:_raw_spin_lock+0xc/0x20
+[ 49.803470] RSP: 0018:ffffac6fc5417e98 EFLAGS: 00010246
+[ 49.803949] RAX: 0000000000000000 RBX: ffff93b8da3446c0 RCX: 0000000a00000000
+[ 49.804600] RDX: 0000000000000001 RSI: 000000000000000a RDI: 0000000000000088
+[ 49.805252] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff993cf040
+[ 49.805898] R10: ffff93b92292e580 R11: ffffd27f188a4b80 R12: 0000000000000000
+[ 49.806548] R13: 00000000ffffff9c R14: 00000000fffffffe R15: ffff93b8da3446c0
+[ 49.807200] FS: 00007ffbedffb700(0000) GS:ffff93b927880000(0000) knlGS:0000000000000000
+[ 49.807935] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 49.808461] CR2: 0000000000000088 CR3: 00000005e3f74006 CR4: 00000000003606a0
+[ 49.809113] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 49.809758] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+[ 49.810410] Call Trace:
+[ 49.810653] d_delete+0x2c/0xb0
+[ 49.810951] vfs_rmdir+0xfd/0x120
+[ 49.811264] do_rmdir+0x14f/0x1a0
+[ 49.811573] do_syscall_64+0x5b/0x190
+[ 49.811917] entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[ 49.812385] RIP: 0033:0x7ffbf505ffd7
+[ 49.814404] RSP: 002b:00007ffbedffada8 EFLAGS: 00000297 ORIG_RAX: 0000000000000054
+[ 49.815098] RAX: ffffffffffffffda RBX: 00007ffbedffb640 RCX: 00007ffbf505ffd7
+[ 49.815744] RDX: 0000000004449700 RSI: 0000000000000000 RDI: 0000000006c8cd50
+[ 49.816394] RBP: 00007ffbedffaea0 R08: 0000000000000000 R09: 0000000000017d0b
+[ 49.817038] R10: 0000000000000000 R11: 0000000000000297 R12: 0000000000000012
+[ 49.817687] R13: 00000000072823d8 R14: 00007ffbedffb700 R15: 00000000072823d8
+[ 49.818338] Modules linked in: pvpanic cirrusfb button qemu_fw_cfg atkbd libps2 i8042
+[ 49.819052] CR2: 0000000000000088
+[ 49.819368] ---[ end trace 4e652b8aa299aa2d ]---
+[ 49.819796] RIP: 0010:_raw_spin_lock+0xc/0x20
+[ 49.821880] RSP: 0018:ffffac6fc5417e98 EFLAGS: 00010246
+[ 49.822363] RAX: 0000000000000000 RBX: ffff93b8da3446c0 RCX: 0000000a00000000
+[ 49.823008] RDX: 0000000000000001 RSI: 000000000000000a RDI: 0000000000000088
+[ 49.823658] RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffff993cf040
+[ 49.825404] R10: ffff93b92292e580 R11: ffffd27f188a4b80 R12: 0000000000000000
+[ 49.827147] R13: 00000000ffffff9c R14: 00000000fffffffe R15: ffff93b8da3446c0
+[ 49.828890] FS: 00007ffbedffb700(0000) GS:ffff93b927880000(0000) knlGS:0000000000000000
+[ 49.830725] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 49.832359] CR2: 0000000000000088 CR3: 00000005e3f74006 CR4: 00000000003606a0
+[ 49.834085] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 49.835792] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Cc: <stable@vger.kernel.org>
+Fixes: a6c606551141 ("ovl: redirect on rename-dir")
+Signed-off-by: Liangyan <liangyan.peng@linux.alibaba.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/overlayfs/dir.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/overlayfs/dir.c
++++ b/fs/overlayfs/dir.c
+@@ -946,8 +946,8 @@ static char *ovl_get_redirect(struct den
+
+ buflen -= thislen;
+ memcpy(&buf[buflen], name, thislen);
+- tmp = dget_dlock(d->d_parent);
+ spin_unlock(&d->d_lock);
++ tmp = dget_parent(d);
+
+ dput(d);
+ d = tmp;
net-lapb-copy-the-skb-before-sending-a-packet.patch
net-mvpp2-tcam-entry-enable-should-be-written-after-.patch
memblock-do-not-start-bottom-up-allocations-with-ker.patch
+usb-gadget-legacy-fix-an-error-code-in-eth_bind.patch
+usb-usblp-don-t-call-usb_set_interface-if-there-s-a-single-alt.patch
+usb-renesas_usbhs-clear-pipe-running-flag-in-usbhs_pkt_pop.patch
+usb-dwc2-fix-endpoint-direction-check-in-ep_from_windex.patch
+usb-dwc3-fix-clock-issue-during-resume-in-otg-mode.patch
+ovl-fix-dentry-leak-in-ovl_get_redirect.patch
+mac80211-fix-station-rate-table-updates-on-assoc.patch
+kretprobe-avoid-re-registration-of-the-same-kretprobe-earlier.patch
+genirq-msi-activate-multi-msi-early-when-msi_flag_activate_early-is-set.patch
+xhci-fix-bounce-buffer-usage-for-non-sg-list-case.patch
+cifs-report-error-instead-of-invalid-when-revalidating-a-dentry-fails.patch
--- /dev/null
+From f670e9f9c8cac716c3506c6bac9e997b27ad441a Mon Sep 17 00:00:00 2001
+From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+Date: Wed, 27 Jan 2021 11:39:19 +0100
+Subject: usb: dwc2: Fix endpoint direction check in ep_from_windex
+
+From: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+
+commit f670e9f9c8cac716c3506c6bac9e997b27ad441a upstream.
+
+dwc2_hsotg_process_req_status uses ep_from_windex() to retrieve
+the endpoint for the index provided in the wIndex request param.
+
+In a test-case with a rndis gadget running and sending a malformed
+packet to it like:
+ dev.ctrl_transfer(
+ 0x82, # bmRequestType
+ 0x00, # bRequest
+ 0x0000, # wValue
+ 0x0001, # wIndex
+ 0x00 # wLength
+ )
+it is possible to cause a crash:
+
+[ 217.533022] dwc2 ff300000.usb: dwc2_hsotg_process_req_status: USB_REQ_GET_STATUS
+[ 217.559003] Unable to handle kernel read from unreadable memory at virtual address 0000000000000088
+...
+[ 218.313189] Call trace:
+[ 218.330217] ep_from_windex+0x3c/0x54
+[ 218.348565] usb_gadget_giveback_request+0x10/0x20
+[ 218.368056] dwc2_hsotg_complete_request+0x144/0x184
+
+This happens because ep_from_windex wants to compare the endpoint
+direction even if index_to_ep() didn't return an endpoint due to
+the direction not matching.
+
+The fix is easy insofar that the actual direction check is already
+happening when calling index_to_ep() which will return NULL if there
+is no endpoint for the targeted direction, so the offending check
+can go away completely.
+
+Fixes: c6f5c050e2a7 ("usb: dwc2: gadget: add bi-directional endpoint support")
+Cc: stable@vger.kernel.org
+Reported-by: Gerhard Klostermeier <gerhard.klostermeier@syss.de>
+Signed-off-by: Heiko Stuebner <heiko.stuebner@theobroma-systems.com>
+Link: https://lore.kernel.org/r/20210127103919.58215-1-heiko@sntech.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 8 +-------
+ 1 file changed, 1 insertion(+), 7 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -1453,7 +1453,6 @@ static void dwc2_hsotg_complete_oursetup
+ static struct dwc2_hsotg_ep *ep_from_windex(struct dwc2_hsotg *hsotg,
+ u32 windex)
+ {
+- struct dwc2_hsotg_ep *ep;
+ int dir = (windex & USB_DIR_IN) ? 1 : 0;
+ int idx = windex & 0x7F;
+
+@@ -1463,12 +1462,7 @@ static struct dwc2_hsotg_ep *ep_from_win
+ if (idx > hsotg->num_of_eps)
+ return NULL;
+
+- ep = index_to_ep(hsotg, idx, dir);
+-
+- if (idx && ep->dir_in != dir)
+- return NULL;
+-
+- return ep;
++ return index_to_ep(hsotg, idx, dir);
+ }
+
+ /**
--- /dev/null
+From 0e5a3c8284a30f4c43fd81d7285528ece74563b5 Mon Sep 17 00:00:00 2001
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+Date: Mon, 25 Jan 2021 17:19:34 +0100
+Subject: usb: dwc3: fix clock issue during resume in OTG mode
+
+From: Gary Bisson <gary.bisson@boundarydevices.com>
+
+commit 0e5a3c8284a30f4c43fd81d7285528ece74563b5 upstream.
+
+Commit fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3
+core") introduced clock support and a new function named
+dwc3_core_init_for_resume() which enables the clock before calling
+dwc3_core_init() during resume as clocks get disabled during suspend.
+
+Unfortunately in this commit the DWC3_GCTL_PRTCAP_OTG case was forgotten
+and therefore during resume, a platform could call dwc3_core_init()
+without re-enabling the clocks first, preventing to resume properly.
+
+So update the resume path to call dwc3_core_init_for_resume() as it
+should.
+
+Fixes: fe8abf332b8f ("usb: dwc3: support clocks and resets for DWC3 core")
+Cc: stable@vger.kernel.org
+Signed-off-by: Gary Bisson <gary.bisson@boundarydevices.com>
+Link: https://lore.kernel.org/r/20210125161934.527820-1-gary.bisson@boundarydevices.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1700,7 +1700,7 @@ static int dwc3_resume_common(struct dwc
+ if (PMSG_IS_AUTO(msg))
+ break;
+
+- ret = dwc3_core_init(dwc);
++ ret = dwc3_core_init_for_resume(dwc);
+ if (ret)
+ return ret;
+
--- /dev/null
+From 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Jan 2021 12:33:42 +0300
+Subject: USB: gadget: legacy: fix an error code in eth_bind()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 3e1f4a2e1184ae6ad7f4caf682ced9554141a0f4 upstream.
+
+This code should return -ENOMEM if the allocation fails but it currently
+returns success.
+
+Fixes: 9b95236eebdb ("usb: gadget: ether: allocate and init otg descriptor by otg capabilities")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YBKE9rqVuJEOUWpW@mwanda
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/ether.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/ether.c
++++ b/drivers/usb/gadget/legacy/ether.c
+@@ -403,8 +403,10 @@ static int eth_bind(struct usb_composite
+ struct usb_descriptor_header *usb_desc;
+
+ usb_desc = usb_otg_descriptor_alloc(gadget);
+- if (!usb_desc)
++ if (!usb_desc) {
++ status = -ENOMEM;
+ goto fail1;
++ }
+ usb_otg_descriptor_init(gadget, usb_desc);
+ otg_desc[0] = usb_desc;
+ otg_desc[1] = NULL;
--- /dev/null
+From 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Mon, 1 Feb 2021 21:47:20 +0900
+Subject: usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 9917f0e3cdba7b9f1a23f70e3f70b1a106be54a8 upstream.
+
+Should clear the pipe running flag in usbhs_pkt_pop(). Otherwise,
+we cannot use this pipe after dequeue was called while the pipe was
+running.
+
+Fixes: 8355b2b3082d ("usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle")
+Reported-by: Tho Vu <tho.vu.wh@renesas.com>
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/1612183640-8898-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/renesas_usbhs/fifo.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -126,6 +126,7 @@ struct usbhs_pkt *usbhs_pkt_pop(struct u
+ }
+
+ usbhs_pipe_clear_without_sequence(pipe, 0, 0);
++ usbhs_pipe_running(pipe, 0);
+
+ __usbhsf_pkt_del(pkt);
+ }
--- /dev/null
+From d8c6edfa3f4ee0d45d7ce5ef18d1245b78774b9d Mon Sep 17 00:00:00 2001
+From: Jeremy Figgins <kernel@jeremyfiggins.com>
+Date: Sat, 23 Jan 2021 18:21:36 -0600
+Subject: USB: usblp: don't call usb_set_interface if there's a single alt
+
+From: Jeremy Figgins <kernel@jeremyfiggins.com>
+
+commit d8c6edfa3f4ee0d45d7ce5ef18d1245b78774b9d upstream.
+
+Some devices, such as the Winbond Electronics Corp. Virtual Com Port
+(Vendor=0416, ProdId=5011), lockup when usb_set_interface() or
+usb_clear_halt() are called. This device has only a single
+altsetting, so it should not be necessary to call usb_set_interface().
+
+Acked-by: Pete Zaitcev <zaitcev@redhat.com>
+Signed-off-by: Jeremy Figgins <kernel@jeremyfiggins.com>
+Link: https://lore.kernel.org/r/YAy9kJhM/rG8EQXC@watson
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/usblp.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/class/usblp.c
++++ b/drivers/usb/class/usblp.c
+@@ -1327,14 +1327,17 @@ static int usblp_set_protocol(struct usb
+ if (protocol < USBLP_FIRST_PROTOCOL || protocol > USBLP_LAST_PROTOCOL)
+ return -EINVAL;
+
+- alts = usblp->protocol[protocol].alt_setting;
+- if (alts < 0)
+- return -EINVAL;
+- r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
+- if (r < 0) {
+- printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
+- alts, usblp->ifnum);
+- return r;
++ /* Don't unnecessarily set the interface if there's a single alt. */
++ if (usblp->intf->num_altsetting > 1) {
++ alts = usblp->protocol[protocol].alt_setting;
++ if (alts < 0)
++ return -EINVAL;
++ r = usb_set_interface(usblp->dev, usblp->ifnum, alts);
++ if (r < 0) {
++ printk(KERN_ERR "usblp: can't set desired altsetting %d on interface %d\n",
++ alts, usblp->ifnum);
++ return r;
++ }
+ }
+
+ usblp->bidir = (usblp->protocol[protocol].epread != NULL);
--- /dev/null
+From d4a610635400ccc382792f6be69427078541c678 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 3 Feb 2021 13:37:02 +0200
+Subject: xhci: fix bounce buffer usage for non-sg list case
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit d4a610635400ccc382792f6be69427078541c678 upstream.
+
+xhci driver may in some special cases need to copy small amounts
+of payload data to a bounce buffer in order to meet the boundary
+and alignment restrictions set by the xHCI specification.
+
+In the majority of these cases the data is in a sg list, and
+driver incorrectly assumed data is always in urb->sg when using
+the bounce buffer.
+
+If data instead is contiguous, and in urb->transfer_buffer, we may still
+need to bounce buffer a small part if data starts very close (less than
+packet size) to a 64k boundary.
+
+Check if sg list is used before copying data to/from it.
+
+Fixes: f9c589e142d0 ("xhci: TD-fragment, align the unsplittable case with a bounce buffer")
+Cc: stable@vger.kernel.org
+Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Tested-by: Andreas Hartmann <andihartmann@01019freenet.de>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210203113702.436762-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 31 ++++++++++++++++++++-----------
+ 1 file changed, 20 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -670,11 +670,16 @@ static void xhci_unmap_td_bounce_buffer(
+ dma_unmap_single(dev, seg->bounce_dma, ring->bounce_buf_len,
+ DMA_FROM_DEVICE);
+ /* for in tranfers we need to copy the data from bounce to sg */
+- len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
+- seg->bounce_len, seg->bounce_offs);
+- if (len != seg->bounce_len)
+- xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
+- len, seg->bounce_len);
++ if (urb->num_sgs) {
++ len = sg_pcopy_from_buffer(urb->sg, urb->num_sgs, seg->bounce_buf,
++ seg->bounce_len, seg->bounce_offs);
++ if (len != seg->bounce_len)
++ xhci_warn(xhci, "WARN Wrong bounce buffer read length: %zu != %d\n",
++ len, seg->bounce_len);
++ } else {
++ memcpy(urb->transfer_buffer + seg->bounce_offs, seg->bounce_buf,
++ seg->bounce_len);
++ }
+ seg->bounce_len = 0;
+ seg->bounce_offs = 0;
+ }
+@@ -3180,12 +3185,16 @@ static int xhci_align_td(struct xhci_hcd
+
+ /* create a max max_pkt sized bounce buffer pointed to by last trb */
+ if (usb_urb_dir_out(urb)) {
+- len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
+- seg->bounce_buf, new_buff_len, enqd_len);
+- if (len != new_buff_len)
+- xhci_warn(xhci,
+- "WARN Wrong bounce buffer write length: %zu != %d\n",
+- len, new_buff_len);
++ if (urb->num_sgs) {
++ len = sg_pcopy_to_buffer(urb->sg, urb->num_sgs,
++ seg->bounce_buf, new_buff_len, enqd_len);
++ if (len != new_buff_len)
++ xhci_warn(xhci, "WARN Wrong bounce buffer write length: %zu != %d\n",
++ len, new_buff_len);
++ } else {
++ memcpy(seg->bounce_buf, urb->transfer_buffer + enqd_len, new_buff_len);
++ }
++
+ seg->bounce_dma = dma_map_single(dev, seg->bounce_buf,
+ max_pkt, DMA_TO_DEVICE);
+ } else {