5.4-stable patches

added patches:
	ath9k-fix-storage-endpoint-lookup.patch
	binder-fix-log-spam-for-existing-debugfs-file-creation.patch
	bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch
	brcmfmac-fix-interface-sanity-check.patch
	cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch
	cifs-fix-task-struct-use-after-free-on-reconnect.patch
	cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch
	component-do-not-dereference-opaque-pointer-in-debugfs.patch
	crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch
	debugfs-return-eperm-when-locked-down.patch
	driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch
	iio-adc-stm32-dfsdm-fix-single-conversion.patch
	iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch
	mei-hdcp-bind-only-with-i915-on-the-same-pch.patch
	mei-me-add-comet-point-lake-h-device-ids.patch
	orinoco_usb-fix-interface-sanity-check.patch
	rsi_91x_usb-fix-interface-sanity-check.patch
	rtl8xxxu-fix-interface-sanity-check.patch
	serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch
	serial-imx-fix-a-race-condition-in-receive-path.patch
	staging-most-net-fix-buffer-overflow.patch
	staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
	staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
	staging-vt6656-use-nullfuction-stack-on-mac80211.patch
	staging-wlan-ng-ensure-error-return-is-actually-returned.patch
	usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch
	usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
	usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch
	usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
	usb-serial-ir-usb-fix-irlap-framing.patch
	usb-serial-ir-usb-fix-link-speed-handling.patch
	usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch
	usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch
	zd1211rw-fix-storage-endpoint-lookup.patch

diff --git a/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch b/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch
new file mode 100644 (file)
index 0000000..908a3cd
--- /dev/null
+++ b/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch
@@ -0,0 +1,37 @@
+From 0ef332951e856efa89507cdd13ba8f4fb8d4db12 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:20 +0100
+Subject: ath9k: fix storage endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Cc: stable <stable@vger.kernel.org>     # 2.6.39
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1216,7 +1216,7 @@ err_fw:
+ static int send_eject_command(struct usb_interface *interface)
+ {
+       struct usb_device *udev = interface_to_usbdev(interface);
+-      struct usb_host_interface *iface_desc = &interface->altsetting[0];
++      struct usb_host_interface *iface_desc = interface->cur_altsetting;
+       struct usb_endpoint_descriptor *endpoint;
+       unsigned char *cmd;
+       u8 bulk_out_ep;

diff --git a/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch b/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch
new file mode 100644 (file)
index 0000000..ae867b5
--- /dev/null
+++ b/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch
@@ -0,0 +1,116 @@
+From eb143f8756e77c8fcfc4d574922ae9efd3a43ca9 Mon Sep 17 00:00:00 2001
+From: Martin Fuzzey <martin.fuzzey@flowbird.group>
+Date: Fri, 10 Jan 2020 16:44:01 +0100
+Subject: binder: fix log spam for existing debugfs file creation.
+
+From: Martin Fuzzey <martin.fuzzey@flowbird.group>
+
+commit eb143f8756e77c8fcfc4d574922ae9efd3a43ca9 upstream.
+
+Since commit 43e23b6c0b01 ("debugfs: log errors when something goes wrong")
+debugfs logs attempts to create existing files.
+
+However binder attempts to create multiple debugfs files with
+the same name when a single PID has multiple contexts, this leads
+to log spamming during an Android boot (17 such messages during
+boot on my system).
+
+Fix this by checking if we already know the PID and only create
+the debugfs entry for the first context per PID.
+
+Do the same thing for binderfs for symmetry.
+
+Signed-off-by: Martin Fuzzey <martin.fuzzey@flowbird.group>
+Acked-by: Todd Kjos <tkjos@google.com>
+Fixes: 43e23b6c0b01 ("debugfs: log errors when something goes wrong")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1578671054-5982-1-git-send-email-martin.fuzzey@flowbird.group
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |   37 +++++++++++++++++++------------------
+ 1 file changed, 19 insertions(+), 18 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -5203,10 +5203,11 @@ err_bad_arg:
+ 
+ static int binder_open(struct inode *nodp, struct file *filp)
+ {
+-      struct binder_proc *proc;
++      struct binder_proc *proc, *itr;
+       struct binder_device *binder_dev;
+       struct binderfs_info *info;
+       struct dentry *binder_binderfs_dir_entry_proc = NULL;
++      bool existing_pid = false;
+ 
+       binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__,
+                    current->group_leader->pid, current->pid);
+@@ -5239,19 +5240,24 @@ static int binder_open(struct inode *nod
+       filp->private_data = proc;
+ 
+       mutex_lock(&binder_procs_lock);
++      hlist_for_each_entry(itr, &binder_procs, proc_node) {
++              if (itr->pid == proc->pid) {
++                      existing_pid = true;
++                      break;
++              }
++      }
+       hlist_add_head(&proc->proc_node, &binder_procs);
+       mutex_unlock(&binder_procs_lock);
+ 
+-      if (binder_debugfs_dir_entry_proc) {
++      if (binder_debugfs_dir_entry_proc && !existing_pid) {
+               char strbuf[11];
+ 
+               snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
+               /*
+-               * proc debug entries are shared between contexts, so
+-               * this will fail if the process tries to open the driver
+-               * again with a different context. The priting code will
+-               * anyway print all contexts that a given PID has, so this
+-               * is not a problem.
++               * proc debug entries are shared between contexts.
++               * Only create for the first PID to avoid debugfs log spamming
++               * The printing code will anyway print all contexts for a given
++               * PID so this is not a problem.
+                */
+               proc->debugfs_entry = debugfs_create_file(strbuf, 0444,
+                       binder_debugfs_dir_entry_proc,
+@@ -5259,19 +5265,16 @@ static int binder_open(struct inode *nod
+                       &proc_fops);
+       }
+ 
+-      if (binder_binderfs_dir_entry_proc) {
++      if (binder_binderfs_dir_entry_proc && !existing_pid) {
+               char strbuf[11];
+               struct dentry *binderfs_entry;
+ 
+               snprintf(strbuf, sizeof(strbuf), "%u", proc->pid);
+               /*
+                * Similar to debugfs, the process specific log file is shared
+-               * between contexts. If the file has already been created for a
+-               * process, the following binderfs_create_file() call will
+-               * fail with error code EEXIST if another context of the same
+-               * process invoked binder_open(). This is ok since same as
+-               * debugfs, the log file will contain information on all
+-               * contexts of a given PID.
++               * between contexts. Only create for the first PID.
++               * This is ok since same as debugfs, the log file will contain
++               * information on all contexts of a given PID.
+                */
+               binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc,
+                       strbuf, &proc_fops, (void *)(unsigned long)proc->pid);
+@@ -5281,10 +5284,8 @@ static int binder_open(struct inode *nod
+                       int error;
+ 
+                       error = PTR_ERR(binderfs_entry);
+-                      if (error != -EEXIST) {
+-                              pr_warn("Unable to create file %s in binderfs (error %d)\n",
+-                                      strbuf, error);
+-                      }
++                      pr_warn("Unable to create file %s in binderfs (error %d)\n",
++                              strbuf, error);
+               }
+       }
+ 

diff --git a/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch b/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch
new file mode 100644 (file)
index 0000000..b2cf201
--- /dev/null
+++ b/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch
@@ -0,0 +1,34 @@
+From 22cc6b7a1dbb58da4afc539d9b7d470b23a25eea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 28 Nov 2019 19:24:27 +0100
+Subject: Bluetooth: btusb: fix non-atomic allocation in completion handler
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 22cc6b7a1dbb58da4afc539d9b7d470b23a25eea upstream.
+
+USB completion handlers are called in atomic context and must
+specifically not allocate memory using GFP_KERNEL.
+
+Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices")
+Cc: stable <stable@vger.kernel.org>     # 5.3
+Cc: Sean Wang <sean.wang@mediatek.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/btusb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -2585,7 +2585,7 @@ static void btusb_mtk_wmt_recv(struct ur
+                * and being processed the events from there then.
+                */
+               if (test_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags)) {
+-                      data->evt_skb = skb_clone(skb, GFP_KERNEL);
++                      data->evt_skb = skb_clone(skb, GFP_ATOMIC);
+                       if (!data->evt_skb)
+                               goto err_out;
+               }

diff --git a/queue-5.4/brcmfmac-fix-interface-sanity-check.patch b/queue-5.4/brcmfmac-fix-interface-sanity-check.patch
new file mode 100644 (file)
index 0000000..f7c17f0
--- /dev/null
+++ b/queue-5.4/brcmfmac-fix-interface-sanity-check.patch
@@ -0,0 +1,46 @@
+From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:22 +0100
+Subject: brcmfmac: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Cc: stable <stable@vger.kernel.org>     # 3.4
+Cc: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c
+@@ -1348,7 +1348,7 @@ brcmf_usb_probe(struct usb_interface *in
+               goto fail;
+       }
+ 
+-      desc = &intf->altsetting[0].desc;
++      desc = &intf->cur_altsetting->desc;
+       if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) ||
+           (desc->bInterfaceSubClass != 2) ||
+           (desc->bInterfaceProtocol != 0xff)) {
+@@ -1361,7 +1361,7 @@ brcmf_usb_probe(struct usb_interface *in
+ 
+       num_of_eps = desc->bNumEndpoints;
+       for (ep = 0; ep < num_of_eps; ep++) {
+-              endpoint = &intf->altsetting[0].endpoint[ep].desc;
++              endpoint = &intf->cur_altsetting->endpoint[ep].desc;
+               endpoint_num = usb_endpoint_num(endpoint);
+               if (!usb_endpoint_xfer_bulk(endpoint))
+                       continue;

diff --git a/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch b/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch
new file mode 100644 (file)
index 0000000..8e2b483
--- /dev/null
+++ b/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch
@@ -0,0 +1,62 @@
+From 0a5a98863c9debc02387b3d23c46d187756f5e2b Mon Sep 17 00:00:00 2001
+From: "Paulo Alcantara (SUSE)" <pc@cjr.nz>
+Date: Mon, 13 Jan 2020 17:46:59 -0300
+Subject: cifs: Fix memory allocation in __smb2_handle_cancelled_cmd()
+
+From: Paulo Alcantara (SUSE) <pc@cjr.nz>
+
+commit 0a5a98863c9debc02387b3d23c46d187756f5e2b upstream.
+
+__smb2_handle_cancelled_cmd() is called under a spin lock held in
+cifs_mid_q_entry_release(), so make its memory allocation GFP_ATOMIC.
+
+This issue was observed when running xfstests generic/028:
+
+[ 1722.589204] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72064 cmd: 5
+[ 1722.590687] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72065 cmd: 17
+[ 1722.593529] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72066 cmd: 6
+[ 1723.039014] BUG: sleeping function called from invalid context at mm/slab.h:565
+[ 1723.040710] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 30877, name: cifsd
+[ 1723.045098] CPU: 3 PID: 30877 Comm: cifsd Not tainted 5.5.0-rc4+ #313
+[ 1723.046256] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014
+[ 1723.048221] Call Trace:
+[ 1723.048689]  dump_stack+0x97/0xe0
+[ 1723.049268]  ___might_sleep.cold+0xd1/0xe1
+[ 1723.050069]  kmem_cache_alloc_trace+0x204/0x2b0
+[ 1723.051051]  __smb2_handle_cancelled_cmd+0x40/0x140 [cifs]
+[ 1723.052137]  smb2_handle_cancelled_mid+0xf6/0x120 [cifs]
+[ 1723.053247]  cifs_mid_q_entry_release+0x44d/0x630 [cifs]
+[ 1723.054351]  ? cifs_reconnect+0x26a/0x1620 [cifs]
+[ 1723.055325]  cifs_demultiplex_thread+0xad4/0x14a0 [cifs]
+[ 1723.056458]  ? cifs_handle_standard+0x2c0/0x2c0 [cifs]
+[ 1723.057365]  ? kvm_sched_clock_read+0x14/0x30
+[ 1723.058197]  ? sched_clock+0x5/0x10
+[ 1723.058838]  ? sched_clock_cpu+0x18/0x110
+[ 1723.059629]  ? lockdep_hardirqs_on+0x17d/0x250
+[ 1723.060456]  kthread+0x1ab/0x200
+[ 1723.061149]  ? cifs_handle_standard+0x2c0/0x2c0 [cifs]
+[ 1723.062078]  ? kthread_create_on_node+0xd0/0xd0
+[ 1723.062897]  ret_from_fork+0x3a/0x50
+
+Signed-off-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Fixes: 9150c3adbf24 ("CIFS: Close open handle after interrupted close")
+Cc: Stable <stable@vger.kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2misc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/cifs/smb2misc.c
++++ b/fs/cifs/smb2misc.c
+@@ -750,7 +750,7 @@ __smb2_handle_cancelled_close(struct cif
+ {
+       struct close_cancelled_open *cancelled;
+ 
+-      cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL);
++      cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC);
+       if (!cancelled)
+               return -ENOMEM;
+ 

diff --git a/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch b/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch
new file mode 100644 (file)
index 0000000..f938895
--- /dev/null
+++ b/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch
@@ -0,0 +1,173 @@
+From f1f27ad74557e39f67a8331a808b860f89254f2d Mon Sep 17 00:00:00 2001
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Date: Thu, 23 Jan 2020 17:09:06 +0100
+Subject: CIFS: Fix task struct use-after-free on reconnect
+
+From: Vincent Whitchurch <vincent.whitchurch@axis.com>
+
+commit f1f27ad74557e39f67a8331a808b860f89254f2d upstream.
+
+The task which created the MID may be gone by the time cifsd attempts to
+call the callbacks on MIDs from cifs_reconnect().
+
+This leads to a use-after-free of the task struct in cifs_wake_up_task:
+
+ ==================================================================
+ BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270
+ Read of size 8 at addr ffff8880103e3a68 by task cifsd/630
+
+ CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
+ Call Trace:
+  dump_stack+0x8e/0xcb
+  print_address_description.constprop.5+0x1d3/0x3c0
+  ? __lock_acquire+0x31a0/0x3270
+  __kasan_report+0x152/0x1aa
+  ? __lock_acquire+0x31a0/0x3270
+  ? __lock_acquire+0x31a0/0x3270
+  kasan_report+0xe/0x20
+  __lock_acquire+0x31a0/0x3270
+  ? __wake_up_common+0x1dc/0x630
+  ? _raw_spin_unlock_irqrestore+0x4c/0x60
+  ? mark_held_locks+0xf0/0xf0
+  ? _raw_spin_unlock_irqrestore+0x39/0x60
+  ? __wake_up_common_lock+0xd5/0x130
+  ? __wake_up_common+0x630/0x630
+  lock_acquire+0x13f/0x330
+  ? try_to_wake_up+0xa3/0x19e0
+  _raw_spin_lock_irqsave+0x38/0x50
+  ? try_to_wake_up+0xa3/0x19e0
+  try_to_wake_up+0xa3/0x19e0
+  ? cifs_compound_callback+0x178/0x210
+  ? set_cpus_allowed_ptr+0x10/0x10
+  cifs_reconnect+0xa1c/0x15d0
+  ? generic_ip_connect+0x1860/0x1860
+  ? rwlock_bug.part.0+0x90/0x90
+  cifs_readv_from_socket+0x479/0x690
+  cifs_read_from_socket+0x9d/0xe0
+  ? cifs_readv_from_socket+0x690/0x690
+  ? mempool_resize+0x690/0x690
+  ? rwlock_bug.part.0+0x90/0x90
+  ? memset+0x1f/0x40
+  ? allocate_buffers+0xff/0x340
+  cifs_demultiplex_thread+0x388/0x2a50
+  ? cifs_handle_standard+0x610/0x610
+  ? rcu_read_lock_held_common+0x120/0x120
+  ? mark_lock+0x11b/0xc00
+  ? __lock_acquire+0x14ed/0x3270
+  ? __kthread_parkme+0x78/0x100
+  ? lockdep_hardirqs_on+0x3e8/0x560
+  ? lock_downgrade+0x6a0/0x6a0
+  ? lockdep_hardirqs_on+0x3e8/0x560
+  ? _raw_spin_unlock_irqrestore+0x39/0x60
+  ? cifs_handle_standard+0x610/0x610
+  kthread+0x2bb/0x3a0
+  ? kthread_create_worker_on_cpu+0xc0/0xc0
+  ret_from_fork+0x3a/0x50
+
+ Allocated by task 649:
+  save_stack+0x19/0x70
+  __kasan_kmalloc.constprop.5+0xa6/0xf0
+  kmem_cache_alloc+0x107/0x320
+  copy_process+0x17bc/0x5370
+  _do_fork+0x103/0xbf0
+  __x64_sys_clone+0x168/0x1e0
+  do_syscall_64+0x9b/0xec0
+  entry_SYSCALL_64_after_hwframe+0x49/0xbe
+
+ Freed by task 0:
+  save_stack+0x19/0x70
+  __kasan_slab_free+0x11d/0x160
+  kmem_cache_free+0xb5/0x3d0
+  rcu_core+0x52f/0x1230
+  __do_softirq+0x24d/0x962
+
+ The buggy address belongs to the object at ffff8880103e32c0
+  which belongs to the cache task_struct of size 6016
+ The buggy address is located 1960 bytes inside of
+  6016-byte region [ffff8880103e32c0, ffff8880103e4a40)
+ The buggy address belongs to the page:
+ page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0
+ index:0xffff8880103e4c00 compound_mapcount: 0
+ raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0
+ raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000
+ page dumped because: kasan: bad access detected
+
+ Memory state around the buggy address:
+  ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+  ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ >ffff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                                                           ^
+  ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+  ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ==================================================================
+
+This can be reliably reproduced by adding the below delay to
+cifs_reconnect(), running find(1) on the mount, restarting the samba
+server while find is running, and killing find during the delay:
+
+       spin_unlock(&GlobalMid_Lock);
+       mutex_unlock(&server->srv_mutex);
+
+ +     msleep(10000);
+ +
+       cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__);
+       list_for_each_safe(tmp, tmp2, &retry_list) {
+               mid_entry = list_entry(tmp, struct mid_q_entry, qhead);
+
+Fix this by holding a reference to the task struct until the MID is
+freed.
+
+Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/cifsglob.h      |    1 +
+ fs/cifs/smb2transport.c |    2 ++
+ fs/cifs/transport.c     |    3 +++
+ 3 files changed, 6 insertions(+)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1538,6 +1538,7 @@ struct mid_q_entry {
+       mid_callback_t *callback; /* call completion callback */
+       mid_handle_t *handle; /* call handle mid callback */
+       void *callback_data;      /* general purpose pointer for callback */
++      struct task_struct *creator;
+       void *resp_buf;         /* pointer to received SMB header */
+       unsigned int resp_buf_size;
+       int mid_state;  /* wish this were enum but can not pass to wait_event */
+--- a/fs/cifs/smb2transport.c
++++ b/fs/cifs/smb2transport.c
+@@ -599,6 +599,8 @@ smb2_mid_entry_alloc(const struct smb2_s
+        * The default is for the mid to be synchronous, so the
+        * default callback just wakes up the current task.
+        */
++      get_task_struct(current);
++      temp->creator = current;
+       temp->callback = cifs_wake_up_task;
+       temp->callback_data = current;
+ 
+--- a/fs/cifs/transport.c
++++ b/fs/cifs/transport.c
+@@ -76,6 +76,8 @@ AllocMidQEntry(const struct smb_hdr *smb
+        * The default is for the mid to be synchronous, so the
+        * default callback just wakes up the current task.
+        */
++      get_task_struct(current);
++      temp->creator = current;
+       temp->callback = cifs_wake_up_task;
+       temp->callback_data = current;
+ 
+@@ -158,6 +160,7 @@ static void _cifs_mid_q_entry_release(st
+               }
+       }
+ #endif
++      put_task_struct(midEntry->creator);
+ 
+       mempool_free(midEntry, cifs_mid_poolp);
+ }

diff --git a/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch b/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch
new file mode 100644 (file)
index 0000000..27fa3dc
--- /dev/null
+++ b/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch
@@ -0,0 +1,47 @@
+From 731b82bb1750a906c1e7f070aedf5505995ebea7 Mon Sep 17 00:00:00 2001
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+Date: Wed, 8 Jan 2020 13:08:07 +1000
+Subject: cifs: set correct max-buffer-size for smb2_ioctl_init()
+
+From: Ronnie Sahlberg <lsahlber@redhat.com>
+
+commit 731b82bb1750a906c1e7f070aedf5505995ebea7 upstream.
+
+Fix two places where we need to adjust down the max response size for
+ioctl when it is used together with compounding.
+
+Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/cifs/smb2ops.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/smb2ops.c
++++ b/fs/cifs/smb2ops.c
+@@ -1461,7 +1461,9 @@ smb2_ioctl_query_info(const unsigned int
+                                            COMPOUND_FID, COMPOUND_FID,
+                                            qi.info_type, true, buffer,
+                                            qi.output_buffer_length,
+-                                           CIFSMaxBufSize);
++                                           CIFSMaxBufSize -
++                                           MAX_SMB2_CREATE_RESPONSE_SIZE -
++                                           MAX_SMB2_CLOSE_RESPONSE_SIZE);
+               }
+       } else if (qi.flags == PASSTHRU_SET_INFO) {
+               /* Can eventually relax perm check since server enforces too */
+@@ -2634,7 +2636,10 @@ smb2_query_symlink(const unsigned int xi
+ 
+       rc = SMB2_ioctl_init(tcon, &rqst[1], fid.persistent_fid,
+                            fid.volatile_fid, FSCTL_GET_REPARSE_POINT,
+-                           true /* is_fctl */, NULL, 0, CIFSMaxBufSize);
++                           true /* is_fctl */, NULL, 0,
++                           CIFSMaxBufSize -
++                           MAX_SMB2_CREATE_RESPONSE_SIZE -
++                           MAX_SMB2_CLOSE_RESPONSE_SIZE);
+       if (rc)
+               goto querty_exit;
+ 

diff --git a/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch b/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch
new file mode 100644 (file)
index 0000000..32efbad
--- /dev/null
+++ b/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch
@@ -0,0 +1,46 @@
+From ef9ffc1e5f1ac73ecd2fb3b70db2a3b2472ff2f7 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 18 Nov 2019 12:54:31 +0100
+Subject: component: do not dereference opaque pointer in debugfs
+
+From: Lubomir Rintel <lkundrak@v3.sk>
+
+commit ef9ffc1e5f1ac73ecd2fb3b70db2a3b2472ff2f7 upstream.
+
+The match data does not have to be a struct device pointer, and indeed
+very often is not. Attempt to treat it as such easily results in a
+crash.
+
+For the components that are not registered, we don't know which device
+is missing. Once it it is there, we can use the struct component to get
+the device and whether it's bound or not.
+
+Fixes: 59e73854b5fd ('component: add debugfs support')
+Signed-off-by: Lubomir Rintel <lkundrak@v3.sk>
+Cc: stable <stable@vger.kernel.org>
+Cc: Arnaud Pouliquen <arnaud.pouliquen@st.com>
+Link: https://lore.kernel.org/r/20191118115431.63626-1-lkundrak@v3.sk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/component.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/component.c
++++ b/drivers/base/component.c
+@@ -102,11 +102,11 @@ static int component_devices_show(struct
+       seq_printf(s, "%-40s %20s\n", "device name", "status");
+       seq_puts(s, "-------------------------------------------------------------\n");
+       for (i = 0; i < match->num; i++) {
+-              struct device *d = (struct device *)match->compare[i].data;
++              struct component *component = match->compare[i].component;
+ 
+-              seq_printf(s, "%-40s %20s\n", dev_name(d),
+-                         match->compare[i].component ?
+-                         "registered" : "not registered");
++              seq_printf(s, "%-40s %20s\n",
++                         component ? dev_name(component->dev) : "(unknown)",
++                         component ? (component->bound ? "bound" : "not bound") : "not registered");
+       }
+       mutex_unlock(&component_mutex);
+ 

diff --git a/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch b/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch
new file mode 100644 (file)
index 0000000..642a7b5
--- /dev/null
+++ b/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch
@@ -0,0 +1,92 @@
+From bd56cea012fc2d6381e8cd3209510ce09f9de8c9 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 30 Dec 2019 21:19:31 -0600
+Subject: crypto: chelsio - fix writing tfm flags to wrong place
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit bd56cea012fc2d6381e8cd3209510ce09f9de8c9 upstream.
+
+The chelsio crypto driver is casting 'struct crypto_aead' directly to
+'struct crypto_tfm', which is incorrect because the crypto_tfm isn't the
+first field of 'struct crypto_aead'.  Consequently, the calls to
+crypto_tfm_set_flags() are modifying some other field in the struct.
+
+Also, the driver is setting CRYPTO_TFM_RES_BAD_KEY_LEN in
+->setauthsize(), not just in ->setkey().  This is incorrect since this
+flag is for bad key lengths, not for bad authentication tag lengths.
+
+Fix these bugs by removing the broken crypto_tfm_set_flags() calls from
+->setauthsize() and by fixing them in ->setkey().
+
+Fixes: 324429d74127 ("chcr: Support for Chelsio's Crypto Hardware")
+Cc: <stable@vger.kernel.org> # v4.9+
+Cc: Atul Gupta <atul.gupta@chelsio.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/chelsio/chcr_algo.c |   16 +++-------------
+ 1 file changed, 3 insertions(+), 13 deletions(-)
+
+--- a/drivers/crypto/chelsio/chcr_algo.c
++++ b/drivers/crypto/chelsio/chcr_algo.c
+@@ -3194,9 +3194,6 @@ static int chcr_gcm_setauthsize(struct c
+               aeadctx->mayverify = VERIFY_SW;
+               break;
+       default:
+-
+-                crypto_tfm_set_flags((struct crypto_tfm *) tfm,
+-                      CRYPTO_TFM_RES_BAD_KEY_LEN);
+               return -EINVAL;
+       }
+       return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize);
+@@ -3221,8 +3218,6 @@ static int chcr_4106_4309_setauthsize(st
+               aeadctx->mayverify = VERIFY_HW;
+               break;
+       default:
+-              crypto_tfm_set_flags((struct crypto_tfm *)tfm,
+-                                   CRYPTO_TFM_RES_BAD_KEY_LEN);
+               return -EINVAL;
+       }
+       return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize);
+@@ -3263,8 +3258,6 @@ static int chcr_ccm_setauthsize(struct c
+               aeadctx->mayverify = VERIFY_HW;
+               break;
+       default:
+-              crypto_tfm_set_flags((struct crypto_tfm *)tfm,
+-                                   CRYPTO_TFM_RES_BAD_KEY_LEN);
+               return -EINVAL;
+       }
+       return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize);
+@@ -3289,8 +3282,7 @@ static int chcr_ccm_common_setkey(struct
+               ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
+               mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256;
+       } else {
+-              crypto_tfm_set_flags((struct crypto_tfm *)aead,
+-                                   CRYPTO_TFM_RES_BAD_KEY_LEN);
++              crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+               aeadctx->enckey_len = 0;
+               return  -EINVAL;
+       }
+@@ -3328,8 +3320,7 @@ static int chcr_aead_rfc4309_setkey(stru
+       int error;
+ 
+       if (keylen < 3) {
+-              crypto_tfm_set_flags((struct crypto_tfm *)aead,
+-                                   CRYPTO_TFM_RES_BAD_KEY_LEN);
++              crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+               aeadctx->enckey_len = 0;
+               return  -EINVAL;
+       }
+@@ -3379,8 +3370,7 @@ static int chcr_gcm_setkey(struct crypto
+       } else if (keylen == AES_KEYSIZE_256) {
+               ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256;
+       } else {
+-              crypto_tfm_set_flags((struct crypto_tfm *)aead,
+-                                   CRYPTO_TFM_RES_BAD_KEY_LEN);
++              crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN);
+               pr_err("GCM: Invalid key length %d\n", keylen);
+               ret = -EINVAL;
+               goto out;

diff --git a/queue-5.4/debugfs-return-eperm-when-locked-down.patch b/queue-5.4/debugfs-return-eperm-when-locked-down.patch
new file mode 100644 (file)
index 0000000..482968f
--- /dev/null
+++ b/queue-5.4/debugfs-return-eperm-when-locked-down.patch
@@ -0,0 +1,112 @@
+From a37f4958f7b63d2b3cd17a76151fdfc29ce1da5f Mon Sep 17 00:00:00 2001
+From: Eric Snowberg <eric.snowberg@oracle.com>
+Date: Sat, 7 Dec 2019 11:16:03 -0500
+Subject: debugfs: Return -EPERM when locked down
+
+From: Eric Snowberg <eric.snowberg@oracle.com>
+
+commit a37f4958f7b63d2b3cd17a76151fdfc29ce1da5f upstream.
+
+When lockdown is enabled, debugfs_is_locked_down returns 1. It will then
+trigger the following:
+
+WARNING: CPU: 48 PID: 3747
+CPU: 48 PID: 3743 Comm: bash Not tainted 5.4.0-1946.x86_64 #1
+Hardware name: Oracle Corporation ORACLE SERVER X7-2/ASM, MB, X7-2, BIOS 41060400 05/20/2019
+RIP: 0010:do_dentry_open+0x343/0x3a0
+Code: 00 40 08 00 45 31 ff 48 c7 43 28 40 5b e7 89 e9 02 ff ff ff 48 8b 53 28 4c 8b 72 70 4d 85 f6 0f 84 10 fe ff ff e9 f5 fd ff ff <0f> 0b 41 bf ea ff ff ff e9 3b ff ff ff 41 bf e6 ff ff ff e9 b4 fe
+RSP: 0018:ffffb8740dde7ca0 EFLAGS: 00010202
+RAX: ffffffff89e88a40 RBX: ffff928c8e6b6f00 RCX: 0000000000000000
+RDX: 0000000000000000 RSI: ffff928dbfd97778 RDI: ffff9285cff685c0
+RBP: ffffb8740dde7cc8 R08: 0000000000000821 R09: 0000000000000030
+R10: 0000000000000057 R11: ffffb8740dde7a98 R12: ffff926ec781c900
+R13: ffff928c8e6b6f10 R14: ffffffff8936e190 R15: 0000000000000001
+FS:  00007f45f6777740(0000) GS:ffff928dbfd80000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007fff95e0d5d8 CR3: 0000001ece562006 CR4: 00000000007606e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+PKRU: 55555554
+Call Trace:
+ vfs_open+0x2d/0x30
+ path_openat+0x2d4/0x1680
+ ? tty_mode_ioctl+0x298/0x4c0
+ do_filp_open+0x93/0x100
+ ? strncpy_from_user+0x57/0x1b0
+ ? __alloc_fd+0x46/0x150
+ do_sys_open+0x182/0x230
+ __x64_sys_openat+0x20/0x30
+ do_syscall_64+0x60/0x1b0
+ entry_SYSCALL_64_after_hwframe+0x170/0x1d5
+RIP: 0033:0x7f45f5e5ce02
+Code: 25 00 00 41 00 3d 00 00 41 00 74 4c 48 8d 05 25 59 2d 00 8b 00 85 c0 75 6d 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a2 00 00 00 48 8b 4c 24 28 64 48 33 0c 25
+RSP: 002b:00007fff95e0d2e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101
+RAX: ffffffffffffffda RBX: 0000561178c069b0 RCX: 00007f45f5e5ce02
+RDX: 0000000000000241 RSI: 0000561178c08800 RDI: 00000000ffffff9c
+RBP: 00007fff95e0d3e0 R08: 0000000000000020 R09: 0000000000000005
+R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000000
+R13: 0000000000000003 R14: 0000000000000001 R15: 0000561178c08800
+
+Change the return type to int and return -EPERM when lockdown is enabled
+to remove the warning above. Also rename debugfs_is_locked_down to
+debugfs_locked_down to make it sound less like it returns a boolean.
+
+Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down")
+Signed-off-by: Eric Snowberg <eric.snowberg@oracle.com>
+Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: James Morris <jamorris@linux.microsoft.com>
+Link: https://lore.kernel.org/r/20191207161603.35907-1-eric.snowberg@oracle.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/debugfs/file.c |   17 ++++++++++-------
+ 1 file changed, 10 insertions(+), 7 deletions(-)
+
+--- a/fs/debugfs/file.c
++++ b/fs/debugfs/file.c
+@@ -142,18 +142,21 @@ EXPORT_SYMBOL_GPL(debugfs_file_put);
+  * We also need to exclude any file that has ways to write or alter it as root
+  * can bypass the permissions check.
+  */
+-static bool debugfs_is_locked_down(struct inode *inode,
+-                                 struct file *filp,
+-                                 const struct file_operations *real_fops)
++static int debugfs_locked_down(struct inode *inode,
++                             struct file *filp,
++                             const struct file_operations *real_fops)
+ {
+       if ((inode->i_mode & 07777) == 0444 &&
+           !(filp->f_mode & FMODE_WRITE) &&
+           !real_fops->unlocked_ioctl &&
+           !real_fops->compat_ioctl &&
+           !real_fops->mmap)
+-              return false;
++              return 0;
+ 
+-      return security_locked_down(LOCKDOWN_DEBUGFS);
++      if (security_locked_down(LOCKDOWN_DEBUGFS))
++              return -EPERM;
++
++      return 0;
+ }
+ 
+ static int open_proxy_open(struct inode *inode, struct file *filp)
+@@ -168,7 +171,7 @@ static int open_proxy_open(struct inode
+ 
+       real_fops = debugfs_real_fops(filp);
+ 
+-      r = debugfs_is_locked_down(inode, filp, real_fops);
++      r = debugfs_locked_down(inode, filp, real_fops);
+       if (r)
+               goto out;
+ 
+@@ -298,7 +301,7 @@ static int full_proxy_open(struct inode
+ 
+       real_fops = debugfs_real_fops(filp);
+ 
+-      r = debugfs_is_locked_down(inode, filp, real_fops);
++      r = debugfs_locked_down(inode, filp, real_fops);
+       if (r)
+               goto out;
+ 

diff --git a/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch b/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch
new file mode 100644 (file)
index 0000000..10281f7
--- /dev/null
+++ b/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch
@@ -0,0 +1,44 @@
+From 264d25275a46fce5da501874fa48a2ae5ec571c8 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 27 Nov 2019 12:24:53 -0800
+Subject: driver core: Fix test_async_driver_probe if NUMA is disabled
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 264d25275a46fce5da501874fa48a2ae5ec571c8 upstream.
+
+Since commit 57ea974fb871 ("driver core: Rewrite test_async_driver_probe
+to cover serialization and NUMA affinity"), running the test with NUMA
+disabled results in warning messages similar to the following.
+
+test_async_driver test_async_driver.12: NUMA node mismatch -1 != 0
+
+If CONFIG_NUMA=n, dev_to_node(dev) returns -1, and numa_node_id()
+returns 0. Both are widely used, so it appears risky to change return
+values. Augment the check with IS_ENABLED(CONFIG_NUMA) instead
+to fix the problem.
+
+Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Alexander Duyck <alexander.h.duyck@linux.intel.com>
+Link: https://lore.kernel.org/r/20191127202453.28087-1-linux@roeck-us.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/test/test_async_driver_probe.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/base/test/test_async_driver_probe.c
++++ b/drivers/base/test/test_async_driver_probe.c
+@@ -44,7 +44,8 @@ static int test_probe(struct platform_de
+        * performing an async init on that node.
+        */
+       if (dev->driver->probe_type == PROBE_PREFER_ASYNCHRONOUS) {
+-              if (dev_to_node(dev) != numa_node_id()) {
++              if (IS_ENABLED(CONFIG_NUMA) &&
++                  dev_to_node(dev) != numa_node_id()) {
+                       dev_warn(dev, "NUMA node mismatch %d != %d\n",
+                                dev_to_node(dev), numa_node_id());
+                       atomic_inc(&warnings);

diff --git a/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch b/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch
new file mode 100644 (file)
index 0000000..705aff3
--- /dev/null
+++ b/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch
@@ -0,0 +1,35 @@
+From dc26935fb60e8da8d59655dd2ec0de47b20d7d8f Mon Sep 17 00:00:00 2001
+From: Olivier Moysan <olivier.moysan@st.com>
+Date: Wed, 27 Nov 2019 14:07:29 +0100
+Subject: iio: adc: stm32-dfsdm: fix single conversion
+
+From: Olivier Moysan <olivier.moysan@st.com>
+
+commit dc26935fb60e8da8d59655dd2ec0de47b20d7d8f upstream.
+
+Apply data formatting to single conversion,
+as this is already done in continuous and trigger modes.
+
+Fixes: 102afde62937 ("iio: adc: stm32-dfsdm: manage data resolution in trigger mode")
+
+Signed-off-by: Olivier Moysan <olivier.moysan@st.com>
+Cc: <Stable@vger.kernel.org>
+Acked-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/stm32-dfsdm-adc.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/adc/stm32-dfsdm-adc.c
++++ b/drivers/iio/adc/stm32-dfsdm-adc.c
+@@ -1204,6 +1204,8 @@ static int stm32_dfsdm_single_conv(struc
+ 
+       stm32_dfsdm_stop_conv(adc);
+ 
++      stm32_dfsdm_process_data(adc, res);
++
+ stop_dfsdm:
+       stm32_dfsdm_stop_dfsdm(adc->dfsdm);
+ 

diff --git a/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch b/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch
new file mode 100644 (file)
index 0000000..6c24dbd
--- /dev/null
+++ b/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch
@@ -0,0 +1,120 @@
+From e825070f697abddf3b9b0a675ed0ff1884114818 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Tue, 17 Dec 2019 19:10:38 +0200
+Subject: iio: st_gyro: Correct data for LSM9DS0 gyro
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit e825070f697abddf3b9b0a675ed0ff1884114818 upstream.
+
+The commit 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support")
+assumes that gyro in LSM9DS0 is the same as others with 0xd4 WAI ID,
+but datasheet tells slight different story, i.e. the first scale factor
+for the chip is 245 dps, and not 250 dps.
+
+Correct this by introducing a separate settings for LSM9DS0.
+
+Fixes: 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support")
+Depends-on: 45a4e4220bf4 ("iio: gyro: st_gyro: fix L3GD20H support")
+Cc: Leonard Crestez <leonard.crestez@nxp.com>
+Cc: Lorenzo Bianconi <lorenzo.bianconi83@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/gyro/st_gyro_core.c |   75 +++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 74 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/gyro/st_gyro_core.c
++++ b/drivers/iio/gyro/st_gyro_core.c
+@@ -139,7 +139,6 @@ static const struct st_sensor_settings s
+                       [2] = LSM330DLC_GYRO_DEV_NAME,
+                       [3] = L3G4IS_GYRO_DEV_NAME,
+                       [4] = LSM330_GYRO_DEV_NAME,
+-                      [5] = LSM9DS0_GYRO_DEV_NAME,
+               },
+               .ch = (struct iio_chan_spec *)st_gyro_16bit_channels,
+               .odr = {
+@@ -203,6 +202,80 @@ static const struct st_sensor_settings s
+                       },
+               },
+               .sim = {
++                      .addr = 0x23,
++                      .value = BIT(0),
++              },
++              .multi_read_bit = true,
++              .bootime = 2,
++      },
++      {
++              .wai = 0xd4,
++              .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS,
++              .sensors_supported = {
++                      [0] = LSM9DS0_GYRO_DEV_NAME,
++              },
++              .ch = (struct iio_chan_spec *)st_gyro_16bit_channels,
++              .odr = {
++                      .addr = 0x20,
++                      .mask = GENMASK(7, 6),
++                      .odr_avl = {
++                              { .hz = 95, .value = 0x00, },
++                              { .hz = 190, .value = 0x01, },
++                              { .hz = 380, .value = 0x02, },
++                              { .hz = 760, .value = 0x03, },
++                      },
++              },
++              .pw = {
++                      .addr = 0x20,
++                      .mask = BIT(3),
++                      .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE,
++                      .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE,
++              },
++              .enable_axis = {
++                      .addr = ST_SENSORS_DEFAULT_AXIS_ADDR,
++                      .mask = ST_SENSORS_DEFAULT_AXIS_MASK,
++              },
++              .fs = {
++                      .addr = 0x23,
++                      .mask = GENMASK(5, 4),
++                      .fs_avl = {
++                              [0] = {
++                                      .num = ST_GYRO_FS_AVL_245DPS,
++                                      .value = 0x00,
++                                      .gain = IIO_DEGREE_TO_RAD(8750),
++                              },
++                              [1] = {
++                                      .num = ST_GYRO_FS_AVL_500DPS,
++                                      .value = 0x01,
++                                      .gain = IIO_DEGREE_TO_RAD(17500),
++                              },
++                              [2] = {
++                                      .num = ST_GYRO_FS_AVL_2000DPS,
++                                      .value = 0x02,
++                                      .gain = IIO_DEGREE_TO_RAD(70000),
++                              },
++                      },
++              },
++              .bdu = {
++                      .addr = 0x23,
++                      .mask = BIT(7),
++              },
++              .drdy_irq = {
++                      .int2 = {
++                              .addr = 0x22,
++                              .mask = BIT(3),
++                      },
++                      /*
++                       * The sensor has IHL (active low) and open
++                       * drain settings, but only for INT1 and not
++                       * for the DRDY line on INT2.
++                       */
++                      .stat_drdy = {
++                              .addr = ST_SENSORS_DEFAULT_STAT_ADDR,
++                              .mask = GENMASK(2, 0),
++                      },
++              },
++              .sim = {
+                       .addr = 0x23,
+                       .value = BIT(0),
+               },

diff --git a/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch b/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch
new file mode 100644 (file)
index 0000000..c7feac6
--- /dev/null
+++ b/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch
@@ -0,0 +1,82 @@
+From 1e8d19d9b0dfcf11b61bac627203a290577e807a Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Thu, 12 Dec 2019 10:41:03 +0200
+Subject: mei: hdcp: bind only with i915 on the same PCH
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 1e8d19d9b0dfcf11b61bac627203a290577e807a upstream.
+
+The mei device and i915 must reside on the same
+PCH in order for HDCP to work. Make the component
+matching function enforce this requirement.
+
+                   hdcp
+                    |
+   i915            mei
+    |               |
+    +----= PCH =----+
+
+Cc: <stable@vger.kernel.org> v5.0+
+Cc: Ramalingam C <ramalingam.c@intel.com>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Reviewed-by: Alexander Usyskin <alexander.usyskin@intel.com>
+Link: https://lore.kernel.org/r/20191212084103.2893-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hdcp/mei_hdcp.c |   33 ++++++++++++++++++++++++++++++---
+ 1 file changed, 30 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/mei/hdcp/mei_hdcp.c
++++ b/drivers/misc/mei/hdcp/mei_hdcp.c
+@@ -758,11 +758,38 @@ static const struct component_master_ops
+       .unbind = mei_component_master_unbind,
+ };
+ 
++/**
++ * mei_hdcp_component_match - compare function for matching mei hdcp.
++ *
++ *    The function checks if the driver is i915, the subcomponent is HDCP
++ *    and the grand parent of hdcp and the parent of i915 are the same
++ *    PCH device.
++ *
++ * @dev: master device
++ * @subcomponent: subcomponent to match (I915_COMPONENT_HDCP)
++ * @data: compare data (mei hdcp device)
++ *
++ * Return:
++ * * 1 - if components match
++ * * 0 - otherwise
++ */
+ static int mei_hdcp_component_match(struct device *dev, int subcomponent,
+                                   void *data)
+ {
+-      return !strcmp(dev->driver->name, "i915") &&
+-             subcomponent == I915_COMPONENT_HDCP;
++      struct device *base = data;
++
++      if (strcmp(dev->driver->name, "i915") ||
++          subcomponent != I915_COMPONENT_HDCP)
++              return 0;
++
++      base = base->parent;
++      if (!base)
++              return 0;
++
++      base = base->parent;
++      dev = dev->parent;
++
++      return (base && dev && dev == base);
+ }
+ 
+ static int mei_hdcp_probe(struct mei_cl_device *cldev,
+@@ -786,7 +813,7 @@ static int mei_hdcp_probe(struct mei_cl_
+ 
+       master_match = NULL;
+       component_match_add_typed(&cldev->dev, &master_match,
+-                                mei_hdcp_component_match, comp_master);
++                                mei_hdcp_component_match, &cldev->dev);
+       if (IS_ERR_OR_NULL(master_match)) {
+               ret = -ENOMEM;
+               goto err_exit;

diff --git a/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch b/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch
new file mode 100644 (file)
index 0000000..2e128be
--- /dev/null
+++ b/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch
@@ -0,0 +1,47 @@
+From 559e575a8946a6561dfe8880de341d4ef78d5994 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Sun, 19 Jan 2020 11:42:29 +0200
+Subject: mei: me: add comet point (lake) H device ids
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 559e575a8946a6561dfe8880de341d4ef78d5994 upstream.
+
+Add Comet Point device IDs for Comet Lake H platforms.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Link: https://lore.kernel.org/r/20200119094229.20116-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me-regs.h |    4 ++++
+ drivers/misc/mei/pci-me.c     |    2 ++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -81,8 +81,12 @@
+ 
+ #define MEI_DEV_ID_CMP_LP     0x02e0  /* Comet Point LP */
+ #define MEI_DEV_ID_CMP_LP_3   0x02e4  /* Comet Point LP 3 (iTouch) */
++
+ #define MEI_DEV_ID_CMP_V      0xA3BA  /* Comet Point Lake V */
+ 
++#define MEI_DEV_ID_CMP_H      0x06e0  /* Comet Lake H */
++#define MEI_DEV_ID_CMP_H_3    0x06e4  /* Comet Lake H 3 (iTouch) */
++
+ #define MEI_DEV_ID_ICP_LP     0x34E0  /* Ice Lake Point LP */
+ 
+ #define MEI_DEV_ID_TGP_LP     0xA0E0  /* Tiger Lake Point LP */
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -99,6 +99,8 @@ static const struct pci_device_id mei_me
+       {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)},
+       {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_V, MEI_ME_PCH12_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H, MEI_ME_PCH12_CFG)},
++      {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_CFG)},
+ 
+       {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
+ 

diff --git a/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch b/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch
new file mode 100644 (file)
index 0000000..5b73786
--- /dev/null
+++ b/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch
@@ -0,0 +1,39 @@
+From b73e05aa543cf8db4f4927e36952360d71291d41 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:23 +0100
+Subject: orinoco_usb: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver")
+Cc: stable <stable@vger.kernel.org>     # 2.6.35
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/orinoco/orinoco_usb.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c
+@@ -1608,9 +1608,9 @@ static int ezusb_probe(struct usb_interf
+       /* set up the endpoint information */
+       /* check out the endpoints */
+ 
+-      iface_desc = &interface->altsetting[0].desc;
++      iface_desc = &interface->cur_altsetting->desc;
+       for (i = 0; i < iface_desc->bNumEndpoints; ++i) {
+-              ep = &interface->altsetting[0].endpoint[i].desc;
++              ep = &interface->cur_altsetting->endpoint[i].desc;
+ 
+               if (usb_endpoint_is_bulk_in(ep)) {
+                       /* we found a bulk in endpoint */

diff --git a/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch b/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch
new file mode 100644 (file)
index 0000000..88ed564
--- /dev/null
+++ b/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch
@@ -0,0 +1,37 @@
+From 3139b180906af43bc09bd3373fc2338a8271d9d9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:25 +0100
+Subject: rsi_91x_usb: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: stable <stable@vger.kernel.org>     # 3.15
+Cc: Fariya Fatima <fariyaf@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -117,7 +117,7 @@ static int rsi_find_bulk_in_and_out_endp
+       __le16 buffer_size;
+       int ii, bin_found = 0, bout_found = 0;
+ 
+-      iface_desc = &(interface->altsetting[0]);
++      iface_desc = interface->cur_altsetting;
+ 
+       for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) {
+               endpoint = &(iface_desc->endpoint[ii].desc);

diff --git a/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch b/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch
new file mode 100644 (file)
index 0000000..9ae6d4b
--- /dev/null
+++ b/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch
@@ -0,0 +1,37 @@
+From 39a4281c312f2d226c710bc656ce380c621a2b16 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:24 +0100
+Subject: rtl8xxxu: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 39a4281c312f2d226c710bc656ce380c621a2b16 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Cc: stable <stable@vger.kernel.org>     # 4.4
+Cc: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -5915,7 +5915,7 @@ static int rtl8xxxu_parse_usb(struct rtl
+       u8 dir, xtype, num;
+       int ret = 0;
+ 
+-      host_interface = &interface->altsetting[0];
++      host_interface = interface->cur_altsetting;
+       interface_desc = &host_interface->desc;
+       endpoints = interface_desc->bNumEndpoints;
+ 

diff --git a/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch b/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch
new file mode 100644 (file)
index 0000000..a7ed7de
--- /dev/null
+++ b/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch
@@ -0,0 +1,49 @@
+From dc76697d7e933d5e299116f219c890568785ea15 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Thu, 16 Jan 2020 13:14:01 +0100
+Subject: serial: 8250_bcm2835aux: Fix line mismatch on driver unbind
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit dc76697d7e933d5e299116f219c890568785ea15 upstream.
+
+Unbinding the bcm2835aux UART driver raises the following error if the
+maximum number of 8250 UARTs is set to 1 (via the 8250.nr_uarts module
+parameter or CONFIG_SERIAL_8250_RUNTIME_UARTS):
+
+(NULL device *): Removing wrong port: a6f80333 != fa20408b
+
+That's because bcm2835aux_serial_probe() retrieves UART line number 1
+from the devicetree and stores it in data->uart.port.line, while
+serial8250_register_8250_port() instead uses UART line number 0,
+which is stored in data->line.
+
+On driver unbind, bcm2835aux_serial_remove() uses data->uart.port.line,
+which contains the wrong number.  Fix it.
+
+The issue does not occur if the maximum number of 8250 UARTs is >= 2.
+
+Fixes: bdc5f3009580 ("serial: bcm2835: add driver for bcm2835-aux-uart")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v4.6+
+Cc: Martin Sperl <kernel@martin.sperl.org>
+Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Tested-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/912ccf553c5258135c6d7e8f404a101ef320f0f4.1579175223.git.lukas@wunner.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_bcm2835aux.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/8250/8250_bcm2835aux.c
++++ b/drivers/tty/serial/8250/8250_bcm2835aux.c
+@@ -113,7 +113,7 @@ static int bcm2835aux_serial_remove(stru
+ {
+       struct bcm2835aux_data *data = platform_get_drvdata(pdev);
+ 
+-      serial8250_unregister_port(data->uart.port.line);
++      serial8250_unregister_port(data->line);
+       clk_disable_unprepare(data->clk);
+ 
+       return 0;

diff --git a/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch b/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch
new file mode 100644 (file)
index 0000000..47b9aae
--- /dev/null
+++ b/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch
@@ -0,0 +1,180 @@
+From 101aa46bd221b768dfff8ef3745173fc8dbb85ee Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Tue, 21 Jan 2020 08:17:02 +0100
+Subject: serial: imx: fix a race condition in receive path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 101aa46bd221b768dfff8ef3745173fc8dbb85ee upstream.
+
+The main irq handler function starts by first masking disabled
+interrupts in the status register values to ensure to only handle
+enabled interrupts. This is important as when the RX path in the
+hardware is disabled reading the RX fifo results in an external abort.
+
+This checking must be done under the port lock, otherwise the following
+can happen:
+
+     CPU1                            | CPU2
+                                     |
+     irq triggers as there are chars |
+     in the RX fifo                  |
+                                    | grab port lock
+     imx_uart_int finds RRDY enabled |
+     and calls imx_uart_rxint which  |
+     has to wait for port lock       |
+                                     | disable RX (e.g. because we're
+                                     | using RS485 with !RX_DURING_TX)
+                                     |
+                                     | release port lock
+     read from RX fifo with RX       |
+     disabled => exception           |
+
+So take the port lock only once in imx_uart_int() instead of in the
+functions called from there.
+
+Reported-by: Andre Renaud <arenaud@designa-electronics.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Link: https://lore.kernel.org/r/20200121071702.20150-1-u.kleine-koenig@pengutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/imx.c |   51 +++++++++++++++++++++++++++++++++++------------
+ 1 file changed, 38 insertions(+), 13 deletions(-)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -700,22 +700,33 @@ static void imx_uart_start_tx(struct uar
+       }
+ }
+ 
+-static irqreturn_t imx_uart_rtsint(int irq, void *dev_id)
++static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id)
+ {
+       struct imx_port *sport = dev_id;
+       u32 usr1;
+ 
+-      spin_lock(&sport->port.lock);
+-
+       imx_uart_writel(sport, USR1_RTSD, USR1);
+       usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS;
+       uart_handle_cts_change(&sport->port, !!usr1);
+       wake_up_interruptible(&sport->port.state->port.delta_msr_wait);
+ 
+-      spin_unlock(&sport->port.lock);
+       return IRQ_HANDLED;
+ }
+ 
++static irqreturn_t imx_uart_rtsint(int irq, void *dev_id)
++{
++      struct imx_port *sport = dev_id;
++      irqreturn_t ret;
++
++      spin_lock(&sport->port.lock);
++
++      ret = __imx_uart_rtsint(irq, dev_id);
++
++      spin_unlock(&sport->port.lock);
++
++      return ret;
++}
++
+ static irqreturn_t imx_uart_txint(int irq, void *dev_id)
+ {
+       struct imx_port *sport = dev_id;
+@@ -726,14 +737,12 @@ static irqreturn_t imx_uart_txint(int ir
+       return IRQ_HANDLED;
+ }
+ 
+-static irqreturn_t imx_uart_rxint(int irq, void *dev_id)
++static irqreturn_t __imx_uart_rxint(int irq, void *dev_id)
+ {
+       struct imx_port *sport = dev_id;
+       unsigned int rx, flg, ignored = 0;
+       struct tty_port *port = &sport->port.state->port;
+ 
+-      spin_lock(&sport->port.lock);
+-
+       while (imx_uart_readl(sport, USR2) & USR2_RDR) {
+               u32 usr2;
+ 
+@@ -792,11 +801,25 @@ static irqreturn_t imx_uart_rxint(int ir
+       }
+ 
+ out:
+-      spin_unlock(&sport->port.lock);
+       tty_flip_buffer_push(port);
++
+       return IRQ_HANDLED;
+ }
+ 
++static irqreturn_t imx_uart_rxint(int irq, void *dev_id)
++{
++      struct imx_port *sport = dev_id;
++      irqreturn_t ret;
++
++      spin_lock(&sport->port.lock);
++
++      ret = __imx_uart_rxint(irq, dev_id);
++
++      spin_unlock(&sport->port.lock);
++
++      return ret;
++}
++
+ static void imx_uart_clear_rx_errors(struct imx_port *sport);
+ 
+ /*
+@@ -855,6 +878,8 @@ static irqreturn_t imx_uart_int(int irq,
+       unsigned int usr1, usr2, ucr1, ucr2, ucr3, ucr4;
+       irqreturn_t ret = IRQ_NONE;
+ 
++      spin_lock(&sport->port.lock);
++
+       usr1 = imx_uart_readl(sport, USR1);
+       usr2 = imx_uart_readl(sport, USR2);
+       ucr1 = imx_uart_readl(sport, UCR1);
+@@ -888,27 +913,25 @@ static irqreturn_t imx_uart_int(int irq,
+               usr2 &= ~USR2_ORE;
+ 
+       if (usr1 & (USR1_RRDY | USR1_AGTIM)) {
+-              imx_uart_rxint(irq, dev_id);
++              __imx_uart_rxint(irq, dev_id);
+               ret = IRQ_HANDLED;
+       }
+ 
+       if ((usr1 & USR1_TRDY) || (usr2 & USR2_TXDC)) {
+-              imx_uart_txint(irq, dev_id);
++              imx_uart_transmit_buffer(sport);
+               ret = IRQ_HANDLED;
+       }
+ 
+       if (usr1 & USR1_DTRD) {
+               imx_uart_writel(sport, USR1_DTRD, USR1);
+ 
+-              spin_lock(&sport->port.lock);
+               imx_uart_mctrl_check(sport);
+-              spin_unlock(&sport->port.lock);
+ 
+               ret = IRQ_HANDLED;
+       }
+ 
+       if (usr1 & USR1_RTSD) {
+-              imx_uart_rtsint(irq, dev_id);
++              __imx_uart_rtsint(irq, dev_id);
+               ret = IRQ_HANDLED;
+       }
+ 
+@@ -923,6 +946,8 @@ static irqreturn_t imx_uart_int(int irq,
+               ret = IRQ_HANDLED;
+       }
+ 
++      spin_unlock(&sport->port.lock);
++
+       return ret;
+ }
+ 

diff --git a/queue-5.4/staging-most-net-fix-buffer-overflow.patch b/queue-5.4/staging-most-net-fix-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..7a77458
--- /dev/null
+++ b/queue-5.4/staging-most-net-fix-buffer-overflow.patch
@@ -0,0 +1,58 @@
+From 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 Mon Sep 17 00:00:00 2001
+From: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+Date: Thu, 16 Jan 2020 18:22:39 +0100
+Subject: staging: most: net: fix buffer overflow
+
+From: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+
+commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream.
+
+If the length of the socket buffer is 0xFFFFFFFF (max size for an
+unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14
+(ETH_HLEN).  Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN)
+which overflows and results in a value of 2.  These values for
+payload_len and mdp_len will pass current buffer size checks.
+
+This patch checks if derived from skb->len sum may overflow.
+
+The check is based on the following idea:
+
+For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`,
+`V1 + V2` overflows iif `SUM < V1`.
+
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/most/net/net.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/staging/most/net/net.c
++++ b/drivers/staging/most/net/net.c
+@@ -81,6 +81,11 @@ static int skb_to_mamac(const struct sk_
+       unsigned int payload_len = skb->len - ETH_HLEN;
+       unsigned int mdp_len = payload_len + MDP_HDR_LEN;
+ 
++      if (mdp_len < skb->len) {
++              pr_err("drop: too large packet! (%u)\n", skb->len);
++              return -EINVAL;
++      }
++
+       if (mbo->buffer_length < mdp_len) {
+               pr_err("drop: too small buffer! (%d for %d)\n",
+                      mbo->buffer_length, mdp_len);
+@@ -128,6 +133,11 @@ static int skb_to_mep(const struct sk_bu
+       u8 *buff = mbo->virt_address;
+       unsigned int mep_len = skb->len + MEP_HDR_LEN;
+ 
++      if (mep_len < skb->len) {
++              pr_err("drop: too large packet! (%u)\n", skb->len);
++              return -EINVAL;
++      }
++
+       if (mbo->buffer_length < mep_len) {
+               pr_err("drop: too small buffer! (%d for %d)\n",
+                      mbo->buffer_length, mep_len);

diff --git a/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch b/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
new file mode 100644 (file)
index 0000000..fa02b2d
--- /dev/null
+++ b/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
@@ -0,0 +1,60 @@
+From d971fdd3412f8342747778fb59b8803720ed82b1 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:40:58 +0000
+Subject: staging: vt6656: correct packet types for CTS protect, mode.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream.
+
+It appears that the driver still transmits in CTS protect mode even
+though it is not enabled in mac80211.
+
+That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect.
+The only difference between them GA does not use B rates.
+
+Find if only B rate in GB or GA in protect mode otherwise transmit packets
+as PK_TYPE_11A.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/device.h |    2 ++
+ drivers/staging/vt6656/rxtx.c   |   12 ++++++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/vt6656/device.h
++++ b/drivers/staging/vt6656/device.h
+@@ -52,6 +52,8 @@
+ #define RATE_AUTO     12
+ 
+ #define MAX_RATE                      12
++#define VNT_B_RATES   (BIT(RATE_1M) | BIT(RATE_2M) |\
++                      BIT(RATE_5M) | BIT(RATE_11M))
+ 
+ /*
+  * device specific
+--- a/drivers/staging/vt6656/rxtx.c
++++ b/drivers/staging/vt6656/rxtx.c
+@@ -815,10 +815,14 @@ int vnt_tx_packet(struct vnt_private *pr
+               if (info->band == NL80211_BAND_5GHZ) {
+                       pkt_type = PK_TYPE_11A;
+               } else {
+-                      if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT)
+-                              pkt_type = PK_TYPE_11GB;
+-                      else
+-                              pkt_type = PK_TYPE_11GA;
++                      if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) {
++                              if (priv->basic_rates & VNT_B_RATES)
++                                      pkt_type = PK_TYPE_11GB;
++                              else
++                                      pkt_type = PK_TYPE_11GA;
++                      } else {
++                              pkt_type = PK_TYPE_11A;
++                      }
+               }
+       } else {
+               pkt_type = PK_TYPE_11B;

diff --git a/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch b/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
new file mode 100644 (file)
index 0000000..c0d3454
--- /dev/null
+++ b/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
@@ -0,0 +1,39 @@
+From 9dd631fa99dc0a0dfbd191173bf355ba30ea786a Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:41:36 +0000
+Subject: staging: vt6656: Fix false Tx excessive retries reporting.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream.
+
+The driver reporting  IEEE80211_TX_STAT_ACK is not being handled
+correctly. The driver should only report on TSR_TMO flag is not
+set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK
+is being requested.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/int.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/int.c
++++ b/drivers/staging/vt6656/int.c
+@@ -99,9 +99,11 @@ static int vnt_int_report_rate(struct vn
+ 
+       info->status.rates[0].count = tx_retry;
+ 
+-      if (!(tsr & (TSR_TMO | TSR_RETRYTMO))) {
++      if (!(tsr & TSR_TMO)) {
+               info->status.rates[0].idx = idx;
+-              info->flags |= IEEE80211_TX_STAT_ACK;
++
++              if (!(info->flags & IEEE80211_TX_CTL_NO_ACK))
++                      info->flags |= IEEE80211_TX_STAT_ACK;
+       }
+ 
+       ieee80211_tx_status_irqsafe(priv->hw, context->skb);

diff --git a/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch b/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch
new file mode 100644 (file)
index 0000000..dd35d60
--- /dev/null
+++ b/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch
@@ -0,0 +1,66 @@
+From d579c43c82f093e63639151625b2139166c730fd Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:41:20 +0000
+Subject: staging: vt6656: use NULLFUCTION stack on mac80211
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit d579c43c82f093e63639151625b2139166c730fd upstream.
+
+It appears that the drivers does not go into power save correctly the
+NULL data packets are not being transmitted because it not enabled
+in mac80211.
+
+The driver needs to capture ieee80211_is_nullfunc headers and
+copy the duration_id to it's own duration data header.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/main_usb.c |    1 +
+ drivers/staging/vt6656/rxtx.c     |   14 +++++---------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -1016,6 +1016,7 @@ vt6656_probe(struct usb_interface *intf,
+       ieee80211_hw_set(priv->hw, RX_INCLUDES_FCS);
+       ieee80211_hw_set(priv->hw, REPORTS_TX_ACK_STATUS);
+       ieee80211_hw_set(priv->hw, SUPPORTS_PS);
++      ieee80211_hw_set(priv->hw, PS_NULLFUNC_STACK);
+ 
+       priv->hw->max_signal = 100;
+ 
+--- a/drivers/staging/vt6656/rxtx.c
++++ b/drivers/staging/vt6656/rxtx.c
+@@ -278,11 +278,9 @@ static u16 vnt_rxtx_datahead_g(struct vn
+                         PK_TYPE_11B, &buf->b);
+ 
+       /* Get Duration and TimeStamp */
+-      if (ieee80211_is_pspoll(hdr->frame_control)) {
+-              __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15));
+-
+-              buf->duration_a = dur;
+-              buf->duration_b = dur;
++      if (ieee80211_is_nullfunc(hdr->frame_control)) {
++              buf->duration_a = hdr->duration_id;
++              buf->duration_b = hdr->duration_id;
+       } else {
+               buf->duration_a = vnt_get_duration_le(priv,
+                                               tx_context->pkt_type, need_ack);
+@@ -371,10 +369,8 @@ static u16 vnt_rxtx_datahead_ab(struct v
+                         tx_context->pkt_type, &buf->ab);
+ 
+       /* Get Duration and TimeStampOff */
+-      if (ieee80211_is_pspoll(hdr->frame_control)) {
+-              __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15));
+-
+-              buf->duration = dur;
++      if (ieee80211_is_nullfunc(hdr->frame_control)) {
++              buf->duration = hdr->duration_id;
+       } else {
+               buf->duration = vnt_get_duration_le(priv, tx_context->pkt_type,
+                                                   need_ack);

diff --git a/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch b/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch
new file mode 100644 (file)
index 0000000..2b6eb50
--- /dev/null
+++ b/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch
@@ -0,0 +1,37 @@
+From 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Jan 2020 18:16:04 +0000
+Subject: staging: wlan-ng: ensure error return is actually returned
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.
+
+Currently when the call to prism2sta_ifst fails a netdev_err error
+is reported, error return variable result is set to -1 but the
+function always returns 0 for success.  Fix this by returning
+the error value in variable result rather than 0.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlan-ng/prism2mgmt.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/prism2mgmt.c
++++ b/drivers/staging/wlan-ng/prism2mgmt.c
+@@ -959,7 +959,7 @@ int prism2mgmt_flashdl_state(struct wlan
+               }
+       }
+ 
+-      return 0;
++      return result;
+ }
+ 
+ /*----------------------------------------------------------------

diff --git a/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch b/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch
new file mode 100644 (file)
index 0000000..ca017cd
--- /dev/null
+++ b/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch
@@ -0,0 +1,41 @@
+From f5ae8869095552e3396ee3e404f9586cc6a828f0 Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Fri, 17 Jan 2020 12:30:33 +0300
+Subject: usb: dwc3: pci: add ID for the Intel Comet Lake -V variant
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit f5ae8869095552e3396ee3e404f9586cc6a828f0 upstream.
+
+There is one more Comet Lake PCH variant, CML-V, that has
+its own PCI ID.
+
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200117093033.48616-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/dwc3-pci.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -34,6 +34,7 @@
+ #define PCI_DEVICE_ID_INTEL_GLK                       0x31aa
+ #define PCI_DEVICE_ID_INTEL_CNPLP             0x9dee
+ #define PCI_DEVICE_ID_INTEL_CNPH              0xa36e
++#define PCI_DEVICE_ID_INTEL_CNPV              0xa3b0
+ #define PCI_DEVICE_ID_INTEL_ICLLP             0x34ee
+ #define PCI_DEVICE_ID_INTEL_EHLLP             0x4b7e
+ #define PCI_DEVICE_ID_INTEL_TGPLP             0xa0ee
+@@ -342,6 +343,9 @@ static const struct pci_device_id dwc3_p
+       { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CNPH),
+         (kernel_ulong_t) &dwc3_pci_intel_properties, },
+ 
++      { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CNPV),
++        (kernel_ulong_t) &dwc3_pci_intel_properties, },
++
+       { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_ICLLP),
+         (kernel_ulong_t) &dwc3_pci_intel_properties, },
+ 

diff --git a/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch b/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
new file mode 100644 (file)
index 0000000..4596910
--- /dev/null
+++ b/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
@@ -0,0 +1,35 @@
+From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Wed, 11 Dec 2019 10:10:03 -0600
+Subject: usb: dwc3: turn off VBUS when leaving host mode
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 09ed259fac621634d51cd986aa8d65f035662658 upstream.
+
+VBUS should be turned off when leaving the host mode.
+Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to
+turn off VBUS power.
+
+Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -1209,6 +1209,9 @@ static void dwc3_core_exit_mode(struct d
+               /* do nothing */
+               break;
+       }
++
++      /* de-assert DRVVBUS for HOST and OTG mode */
++      dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE);
+ }
+ 
+ static void dwc3_get_properties(struct dwc3 *dwc)

diff --git a/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch b/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch
new file mode 100644 (file)
index 0000000..6e26e79
--- /dev/null
+++ b/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch
@@ -0,0 +1,40 @@
+From e1f236efd9c579a29d7df75aa052127d0d975267 Mon Sep 17 00:00:00 2001
+From: Peter Robinson <pbrobinson@gmail.com>
+Date: Mon, 20 Jan 2020 14:19:10 +0000
+Subject: usb: host: xhci-tegra: set MODULE_FIRMWARE for tegra186
+
+From: Peter Robinson <pbrobinson@gmail.com>
+
+commit e1f236efd9c579a29d7df75aa052127d0d975267 upstream.
+
+Set the MODULE_FIRMWARE for tegra186, it's registered for 124/210 and
+ensures the firmware is available at the appropriate time such as in
+the initrd, else if the firmware is unavailable the driver fails with
+the following errors:
+
+tegra-xusb 3530000.usb: Direct firmware load for nvidia/tegra186/xusb.bin failed with error -2
+tegra-xusb 3530000.usb: failed to request firmware: -2
+tegra-xusb 3530000.usb: failed to load firmware: -2
+tegra-xusb: probe of 3530000.usb failed with error -2
+
+Fixes: 5f9be5f3f899 ("usb: host: xhci-tegra: Add Tegra186 XUSB support")
+Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200120141910.116097-1-pbrobinson@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-tegra.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/host/xhci-tegra.c
++++ b/drivers/usb/host/xhci-tegra.c
+@@ -1413,6 +1413,7 @@ MODULE_FIRMWARE("nvidia/tegra210/xusb.bi
+ 
+ static const char * const tegra186_supply_names[] = {
+ };
++MODULE_FIRMWARE("nvidia/tegra186/xusb.bin");
+ 
+ static const struct tegra_xusb_phy_type tegra186_phy_types[] = {
+       { .name = "usb3", .num = 3, },

diff --git a/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch b/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..b3c514b
--- /dev/null
+++ b/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,40 @@
+From 2988a8ae7476fe9535ab620320790d1714bdad1d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:26 +0100
+Subject: USB: serial: ir-usb: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream.
+
+Add missing endpoint sanity check to avoid dereferencing a NULL-pointer
+on open() in case a device lacks a bulk-out endpoint.
+
+Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using
+generic framework") the oops would instead happen on open() if the
+device lacked a bulk-in endpoint and on write() if it lacked a bulk-out
+endpoint.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -195,6 +195,9 @@ static int ir_startup(struct usb_serial
+       struct usb_irda_cs_descriptor *irda_desc;
+       int rates;
+ 
++      if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1)
++              return -ENODEV;
++
+       irda_desc = irda_usb_find_class_desc(serial, 0);
+       if (!irda_desc) {
+               dev_err(&serial->dev->dev,

diff --git a/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch b/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch
new file mode 100644 (file)
index 0000000..66a543c
--- /dev/null
+++ b/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch
@@ -0,0 +1,173 @@
+From 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:28 +0100
+Subject: USB: serial: ir-usb: fix IrLAP framing
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.
+
+Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+switched to using the generic write implementation which may combine
+multiple write requests into larger transfers. This can break the IrLAP
+protocol where end-of-frame is determined using the USB short packet
+mechanism, for example, if multiple frames are sent in rapid succession.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Cc: stable <stable@vger.kernel.org>     # 2.6.35
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c |  113 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 91 insertions(+), 22 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -45,9 +45,10 @@ static int buffer_size;
+ static int xbof = -1;
+ 
+ static int  ir_startup (struct usb_serial *serial);
+-static int  ir_open(struct tty_struct *tty, struct usb_serial_port *port);
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+-                                              void *dest, size_t size);
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++              const unsigned char *buf, int count);
++static int ir_write_room(struct tty_struct *tty);
++static void ir_write_bulk_callback(struct urb *urb);
+ static void ir_process_read_urb(struct urb *urb);
+ static void ir_set_termios(struct tty_struct *tty,
+               struct usb_serial_port *port, struct ktermios *old_termios);
+@@ -77,8 +78,9 @@ static struct usb_serial_driver ir_devic
+       .num_ports              = 1,
+       .set_termios            = ir_set_termios,
+       .attach                 = ir_startup,
+-      .open                   = ir_open,
+-      .prepare_write_buffer   = ir_prepare_write_buffer,
++      .write                  = ir_write,
++      .write_room             = ir_write_room,
++      .write_bulk_callback    = ir_write_bulk_callback,
+       .process_read_urb       = ir_process_read_urb,
+ };
+ 
+@@ -254,35 +256,102 @@ static int ir_startup(struct usb_serial
+       return 0;
+ }
+ 
+-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++              const unsigned char *buf, int count)
+ {
+-      int i;
++      struct urb *urb = NULL;
++      unsigned long flags;
++      int ret;
+ 
+-      for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i)
+-              port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET;
++      if (port->bulk_out_size == 0)
++              return -EINVAL;
+ 
+-      /* Start reading from the device */
+-      return usb_serial_generic_open(tty, port);
+-}
++      if (count == 0)
++              return 0;
+ 
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+-                                              void *dest, size_t size)
+-{
+-      unsigned char *buf = dest;
+-      int count;
++      count = min(count, port->bulk_out_size - 1);
++
++      spin_lock_irqsave(&port->lock, flags);
++      if (__test_and_clear_bit(0, &port->write_urbs_free)) {
++              urb = port->write_urbs[0];
++              port->tx_bytes += count;
++      }
++      spin_unlock_irqrestore(&port->lock, flags);
++
++      if (!urb)
++              return 0;
+ 
+       /*
+        * The first byte of the packet we send to the device contains an
+-       * inbound header which indicates an additional number of BOFs and
++       * outbound header which indicates an additional number of BOFs and
+        * a baud rate change.
+        *
+        * See section 5.4.2.2 of the USB IrDA spec.
+        */
+-      *buf = ir_xbof | ir_baud;
++      *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud;
++
++      memcpy(urb->transfer_buffer + 1, buf, count);
++
++      urb->transfer_buffer_length = count + 1;
++      urb->transfer_flags = URB_ZERO_PACKET;
++
++      ret = usb_submit_urb(urb, GFP_ATOMIC);
++      if (ret) {
++              dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
++
++              spin_lock_irqsave(&port->lock, flags);
++              __set_bit(0, &port->write_urbs_free);
++              port->tx_bytes -= count;
++              spin_unlock_irqrestore(&port->lock, flags);
++
++              return ret;
++      }
++
++      return count;
++}
++
++static void ir_write_bulk_callback(struct urb *urb)
++{
++      struct usb_serial_port *port = urb->context;
++      int status = urb->status;
++      unsigned long flags;
++
++      spin_lock_irqsave(&port->lock, flags);
++      __set_bit(0, &port->write_urbs_free);
++      port->tx_bytes -= urb->transfer_buffer_length - 1;
++      spin_unlock_irqrestore(&port->lock, flags);
++
++      switch (status) {
++      case 0:
++              break;
++      case -ENOENT:
++      case -ECONNRESET:
++      case -ESHUTDOWN:
++              dev_dbg(&port->dev, "write urb stopped: %d\n", status);
++              return;
++      case -EPIPE:
++              dev_err(&port->dev, "write urb stopped: %d\n", status);
++              return;
++      default:
++              dev_err(&port->dev, "nonzero write-urb status: %d\n", status);
++              break;
++      }
++
++      usb_serial_port_softint(port);
++}
++
++static int ir_write_room(struct tty_struct *tty)
++{
++      struct usb_serial_port *port = tty->driver_data;
++      int count = 0;
++
++      if (port->bulk_out_size == 0)
++              return 0;
++
++      if (test_bit(0, &port->write_urbs_free))
++              count = port->bulk_out_size - 1;
+ 
+-      count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1,
+-                                                              &port->lock);
+-      return count + 1;
++      return count;
+ }
+ 
+ static void ir_process_read_urb(struct urb *urb)

diff --git a/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch b/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch
new file mode 100644 (file)
index 0000000..14270a3
--- /dev/null
+++ b/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch
@@ -0,0 +1,102 @@
+From 17a0184ca17e288decdca8b2841531e34d49285f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:27 +0100
+Subject: USB: serial: ir-usb: fix link-speed handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 17a0184ca17e288decdca8b2841531e34d49285f upstream.
+
+Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB
+IrDA header with common defines, but mistakingly switched to using the
+class-descriptor baud-rate bitmask values for the outbound header.
+
+This broke link-speed handling for rates above 9600 baud, but a device
+would also be able to operate at the default 9600 baud until a
+link-speed request was issued (e.g. using the TCGETS ioctl).
+
+Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
+Cc: stable <stable@vger.kernel.org>     # 2.6.27
+Cc: Felipe Balbi <balbi@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c |   20 ++++++++++----------
+ include/linux/usb/irda.h    |   13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -335,34 +335,34 @@ static void ir_set_termios(struct tty_st
+ 
+       switch (baud) {
+       case 2400:
+-              ir_baud = USB_IRDA_BR_2400;
++              ir_baud = USB_IRDA_LS_2400;
+               break;
+       case 9600:
+-              ir_baud = USB_IRDA_BR_9600;
++              ir_baud = USB_IRDA_LS_9600;
+               break;
+       case 19200:
+-              ir_baud = USB_IRDA_BR_19200;
++              ir_baud = USB_IRDA_LS_19200;
+               break;
+       case 38400:
+-              ir_baud = USB_IRDA_BR_38400;
++              ir_baud = USB_IRDA_LS_38400;
+               break;
+       case 57600:
+-              ir_baud = USB_IRDA_BR_57600;
++              ir_baud = USB_IRDA_LS_57600;
+               break;
+       case 115200:
+-              ir_baud = USB_IRDA_BR_115200;
++              ir_baud = USB_IRDA_LS_115200;
+               break;
+       case 576000:
+-              ir_baud = USB_IRDA_BR_576000;
++              ir_baud = USB_IRDA_LS_576000;
+               break;
+       case 1152000:
+-              ir_baud = USB_IRDA_BR_1152000;
++              ir_baud = USB_IRDA_LS_1152000;
+               break;
+       case 4000000:
+-              ir_baud = USB_IRDA_BR_4000000;
++              ir_baud = USB_IRDA_LS_4000000;
+               break;
+       default:
+-              ir_baud = USB_IRDA_BR_9600;
++              ir_baud = USB_IRDA_LS_9600;
+               baud = 9600;
+       }
+ 
+--- a/include/linux/usb/irda.h
++++ b/include/linux/usb/irda.h
+@@ -119,11 +119,22 @@ struct usb_irda_cs_descriptor {
+  * 6 - 115200 bps
+  * 7 - 576000 bps
+  * 8 - 1.152 Mbps
+- * 9 - 5 mbps
++ * 9 - 4 Mbps
+  * 10..15 - Reserved
+  */
+ #define USB_IRDA_STATUS_LINK_SPEED    0x0f
+ 
++#define USB_IRDA_LS_NO_CHANGE         0
++#define USB_IRDA_LS_2400              1
++#define USB_IRDA_LS_9600              2
++#define USB_IRDA_LS_19200             3
++#define USB_IRDA_LS_38400             4
++#define USB_IRDA_LS_57600             5
++#define USB_IRDA_LS_115200            6
++#define USB_IRDA_LS_576000            7
++#define USB_IRDA_LS_1152000           8
++#define USB_IRDA_LS_4000000           9
++
+ /* The following is a 4-bit value used only for
+  * outbound header:
+  *

diff --git a/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch b/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch
new file mode 100644 (file)
index 0000000..80aedda
--- /dev/null
+++ b/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch
@@ -0,0 +1,36 @@
+From eb7a3bb8c955b3694e0e0998413ce1563c02f90c Mon Sep 17 00:00:00 2001
+From: Thomas Hebb <tommyhebb@gmail.com>
+Date: Mon, 20 Jan 2020 06:09:06 -0800
+Subject: usb: typec: fusb302: fix "op-sink-microwatt" default that was in mW
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+commit eb7a3bb8c955b3694e0e0998413ce1563c02f90c upstream.
+
+commit 8f6244055bd3 ("usb: typec: fusb302: Always provide fwnode for the
+port") didn't convert this value from mW to uW when migrating to a new
+specification format like it should have.
+
+Fixes: 8f6244055bd3 ("usb: typec: fusb302: Always provide fwnode for the port")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/0da564559af75ec829c6c7e3aa4024f857c91bee.1579529334.git.tommyhebb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/fusb302.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/fusb302.c
++++ b/drivers/usb/typec/tcpm/fusb302.c
+@@ -1666,7 +1666,7 @@ static const struct property_entry port_
+       PROPERTY_ENTRY_STRING("try-power-role", "sink"),
+       PROPERTY_ENTRY_U32_ARRAY("source-pdos", src_pdo),
+       PROPERTY_ENTRY_U32_ARRAY("sink-pdos", snk_pdo),
+-      PROPERTY_ENTRY_U32("op-sink-microwatt", 2500),
++      PROPERTY_ENTRY_U32("op-sink-microwatt", 2500000),
+       { }
+ };
+ 

diff --git a/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch b/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch
new file mode 100644 (file)
index 0000000..3a1cc15
--- /dev/null
+++ b/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch
@@ -0,0 +1,36 @@
+From 0e64350bf4668d0fbbfec66fd8e637b971b4e976 Mon Sep 17 00:00:00 2001
+From: Thomas Hebb <tommyhebb@gmail.com>
+Date: Mon, 20 Jan 2020 06:09:05 -0800
+Subject: usb: typec: wcove: fix "op-sink-microwatt" default that was in mW
+
+From: Thomas Hebb <tommyhebb@gmail.com>
+
+commit 0e64350bf4668d0fbbfec66fd8e637b971b4e976 upstream.
+
+commit 4c912bff46cc ("usb: typec: wcove: Provide fwnode for the port")
+didn't convert this value from mW to uW when migrating to a new
+specification format like it should have.
+
+Fixes: 4c912bff46cc ("usb: typec: wcove: Provide fwnode for the port")
+Cc: stable@vger.kernel.org
+Signed-off-by: Thomas Hebb <tommyhebb@gmail.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Link: https://lore.kernel.org/r/d8be32512efd31995ad7d65b27df9d443131b07c.1579529334.git.tommyhebb@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tcpm/wcove.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -597,7 +597,7 @@ static const struct property_entry wcove
+       PROPERTY_ENTRY_STRING("try-power-role", "sink"),
+       PROPERTY_ENTRY_U32_ARRAY("source-pdos", src_pdo),
+       PROPERTY_ENTRY_U32_ARRAY("sink-pdos", snk_pdo),
+-      PROPERTY_ENTRY_U32("op-sink-microwatt", 15000),
++      PROPERTY_ENTRY_U32("op-sink-microwatt", 15000000),
+       { }
+ };
+ 

diff --git a/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch b/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch
new file mode 100644 (file)
index 0000000..0e216a3
--- /dev/null
+++ b/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch
@@ -0,0 +1,37 @@
+From 2d68bb2687abb747558b933e80845ff31570a49c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:26 +0100
+Subject: zd1211rw: fix storage endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2d68bb2687abb747558b933e80845ff31570a49c upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
+Cc: stable <stable@vger.kernel.org>     # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/zydas/zd1211rw/zd_usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c
+@@ -1263,7 +1263,7 @@ static void print_id(struct usb_device *
+ static int eject_installer(struct usb_interface *intf)
+ {
+       struct usb_device *udev = interface_to_usbdev(intf);
+-      struct usb_host_interface *iface_desc = &intf->altsetting[0];
++      struct usb_host_interface *iface_desc = intf->cur_altsetting;
+       struct usb_endpoint_descriptor *endpoint;
+       unsigned char *cmd;
+       u8 bulk_out_ep;