--- /dev/null
+From 1909a671dbc3606685b1daf8b22a16f65ea7edda Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 21 Jun 2019 10:54:15 -0700
+Subject: binder: fix memory leak in error path
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream.
+
+syzkallar found a 32-byte memory leak in a rarely executed error
+case. The transaction complete work item was not freed if put_user()
+failed when writing the BR_TRANSACTION_COMPLETE to the user command
+buffer. Fixed by freeing it before put_user() is called.
+
+Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -4268,6 +4268,8 @@ retry:
+ case BINDER_WORK_TRANSACTION_COMPLETE: {
+ binder_inner_proc_unlock(proc);
+ cmd = BR_TRANSACTION_COMPLETE;
++ kfree(w);
++ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ if (put_user(cmd, (uint32_t __user *)ptr))
+ return -EFAULT;
+ ptr += sizeof(uint32_t);
+@@ -4276,8 +4278,6 @@ retry:
+ binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE,
+ "%d:%d BR_TRANSACTION_COMPLETE\n",
+ proc->pid, thread->pid);
+- kfree(w);
+- binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE);
+ } break;
+ case BINDER_WORK_NODE: {
+ struct binder_node *node = container_of(w, struct binder_node, work);
--- /dev/null
+From bb4a2e48d5100ed3ff614df158a636bca3c6bf9f Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 28 Jun 2019 09:50:12 -0700
+Subject: binder: return errors from buffer copy functions
+
+From: Todd Kjos <tkjos@android.com>
+
+commit bb4a2e48d5100ed3ff614df158a636bca3c6bf9f upstream.
+
+The buffer copy functions assumed the caller would ensure
+correct alignment and that the memory to be copied was
+completely within the binder buffer. There have been
+a few cases discovered by syzkallar where a malformed
+transaction created by a user could violated the
+assumptions and resulted in a BUG_ON.
+
+The fix is to remove the BUG_ON and always return the
+error to be handled appropriately by the caller.
+
+Acked-by: Martijn Coenen <maco@android.com>
+Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com
+Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
+Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 151 ++++++++++++++++++++++++-----------------
+ drivers/android/binder_alloc.c | 44 ++++++-----
+ drivers/android/binder_alloc.h | 20 ++---
+ 3 files changed, 124 insertions(+), 91 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2059,10 +2059,9 @@ static size_t binder_get_object(struct b
+
+ read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset);
+ if (offset > buffer->data_size || read_size < sizeof(*hdr) ||
+- !IS_ALIGNED(offset, sizeof(u32)))
++ binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
++ offset, read_size))
+ return 0;
+- binder_alloc_copy_from_buffer(&proc->alloc, object, buffer,
+- offset, read_size);
+
+ /* Ok, now see if we read a complete object. */
+ hdr = &object->hdr;
+@@ -2131,8 +2130,10 @@ static struct binder_buffer_object *bind
+ return NULL;
+
+ buffer_offset = start_offset + sizeof(binder_size_t) * index;
+- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
+- b, buffer_offset, sizeof(object_offset));
++ if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
++ b, buffer_offset,
++ sizeof(object_offset)))
++ return NULL;
+ object_size = binder_get_object(proc, b, object_offset, object);
+ if (!object_size || object->hdr.type != BINDER_TYPE_PTR)
+ return NULL;
+@@ -2212,10 +2213,12 @@ static bool binder_validate_fixup(struct
+ return false;
+ last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t);
+ buffer_offset = objects_start_offset +
+- sizeof(binder_size_t) * last_bbo->parent,
+- binder_alloc_copy_from_buffer(&proc->alloc, &last_obj_offset,
+- b, buffer_offset,
+- sizeof(last_obj_offset));
++ sizeof(binder_size_t) * last_bbo->parent;
++ if (binder_alloc_copy_from_buffer(&proc->alloc,
++ &last_obj_offset,
++ b, buffer_offset,
++ sizeof(last_obj_offset)))
++ return false;
+ }
+ return (fixup_offset >= last_min_offset);
+ }
+@@ -2301,15 +2304,15 @@ static void binder_transaction_buffer_re
+ for (buffer_offset = off_start_offset; buffer_offset < off_end_offset;
+ buffer_offset += sizeof(binder_size_t)) {
+ struct binder_object_header *hdr;
+- size_t object_size;
++ size_t object_size = 0;
+ struct binder_object object;
+ binder_size_t object_offset;
+
+- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
+- buffer, buffer_offset,
+- sizeof(object_offset));
+- object_size = binder_get_object(proc, buffer,
+- object_offset, &object);
++ if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset,
++ buffer, buffer_offset,
++ sizeof(object_offset)))
++ object_size = binder_get_object(proc, buffer,
++ object_offset, &object);
+ if (object_size == 0) {
+ pr_err("transaction release %d bad object at offset %lld, size %zd\n",
+ debug_id, (u64)object_offset, buffer->data_size);
+@@ -2432,15 +2435,16 @@ static void binder_transaction_buffer_re
+ for (fd_index = 0; fd_index < fda->num_fds;
+ fd_index++) {
+ u32 fd;
++ int err;
+ binder_size_t offset = fda_offset +
+ fd_index * sizeof(fd);
+
+- binder_alloc_copy_from_buffer(&proc->alloc,
+- &fd,
+- buffer,
+- offset,
+- sizeof(fd));
+- binder_deferred_fd_close(fd);
++ err = binder_alloc_copy_from_buffer(
++ &proc->alloc, &fd, buffer,
++ offset, sizeof(fd));
++ WARN_ON(err);
++ if (!err)
++ binder_deferred_fd_close(fd);
+ }
+ } break;
+ default:
+@@ -2683,11 +2687,12 @@ static int binder_translate_fd_array(str
+ int ret;
+ binder_size_t offset = fda_offset + fdi * sizeof(fd);
+
+- binder_alloc_copy_from_buffer(&target_proc->alloc,
+- &fd, t->buffer,
+- offset, sizeof(fd));
+- ret = binder_translate_fd(fd, offset, t, thread,
+- in_reply_to);
++ ret = binder_alloc_copy_from_buffer(&target_proc->alloc,
++ &fd, t->buffer,
++ offset, sizeof(fd));
++ if (!ret)
++ ret = binder_translate_fd(fd, offset, t, thread,
++ in_reply_to);
+ if (ret < 0)
+ return ret;
+ }
+@@ -2740,8 +2745,12 @@ static int binder_fixup_parent(struct bi
+ }
+ buffer_offset = bp->parent_offset +
+ (uintptr_t)parent->buffer - (uintptr_t)b->user_data;
+- binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
+- &bp->buffer, sizeof(bp->buffer));
++ if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset,
++ &bp->buffer, sizeof(bp->buffer))) {
++ binder_user_error("%d:%d got transaction with invalid parent offset\n",
++ proc->pid, thread->pid);
++ return -EINVAL;
++ }
+
+ return 0;
+ }
+@@ -3160,15 +3169,20 @@ static void binder_transaction(struct bi
+ goto err_binder_alloc_buf_failed;
+ }
+ if (secctx) {
++ int err;
+ size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) +
+ ALIGN(tr->offsets_size, sizeof(void *)) +
+ ALIGN(extra_buffers_size, sizeof(void *)) -
+ ALIGN(secctx_sz, sizeof(u64));
+
+ t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset;
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, buf_offset,
+- secctx, secctx_sz);
++ err = binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer, buf_offset,
++ secctx, secctx_sz);
++ if (err) {
++ t->security_ctx = 0;
++ WARN_ON(1);
++ }
+ security_release_secctx(secctx, secctx_sz);
+ secctx = NULL;
+ }
+@@ -3234,11 +3248,16 @@ static void binder_transaction(struct bi
+ struct binder_object object;
+ binder_size_t object_offset;
+
+- binder_alloc_copy_from_buffer(&target_proc->alloc,
+- &object_offset,
+- t->buffer,
+- buffer_offset,
+- sizeof(object_offset));
++ if (binder_alloc_copy_from_buffer(&target_proc->alloc,
++ &object_offset,
++ t->buffer,
++ buffer_offset,
++ sizeof(object_offset))) {
++ return_error = BR_FAILED_REPLY;
++ return_error_param = -EINVAL;
++ return_error_line = __LINE__;
++ goto err_bad_offset;
++ }
+ object_size = binder_get_object(target_proc, t->buffer,
+ object_offset, &object);
+ if (object_size == 0 || object_offset < off_min) {
+@@ -3262,15 +3281,17 @@ static void binder_transaction(struct bi
+
+ fp = to_flat_binder_object(hdr);
+ ret = binder_translate_binder(fp, t, thread);
+- if (ret < 0) {
++
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+ case BINDER_TYPE_HANDLE:
+ case BINDER_TYPE_WEAK_HANDLE: {
+@@ -3278,15 +3299,16 @@ static void binder_transaction(struct bi
+
+ fp = to_flat_binder_object(hdr);
+ ret = binder_translate_handle(fp, t, thread);
+- if (ret < 0) {
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+
+ case BINDER_TYPE_FD: {
+@@ -3296,16 +3318,17 @@ static void binder_transaction(struct bi
+ int ret = binder_translate_fd(fp->fd, fd_offset, t,
+ thread, in_reply_to);
+
+- if (ret < 0) {
++ fp->pad_binder = 0;
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ fp, sizeof(*fp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- fp->pad_binder = 0;
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- fp, sizeof(*fp));
+ } break;
+ case BINDER_TYPE_FDA: {
+ struct binder_object ptr_object;
+@@ -3393,15 +3416,16 @@ static void binder_transaction(struct bi
+ num_valid,
+ last_fixup_obj_off,
+ last_fixup_min_off);
+- if (ret < 0) {
++ if (ret < 0 ||
++ binder_alloc_copy_to_buffer(&target_proc->alloc,
++ t->buffer,
++ object_offset,
++ bp, sizeof(*bp))) {
+ return_error = BR_FAILED_REPLY;
+ return_error_param = ret;
+ return_error_line = __LINE__;
+ goto err_translate_failed;
+ }
+- binder_alloc_copy_to_buffer(&target_proc->alloc,
+- t->buffer, object_offset,
+- bp, sizeof(*bp));
+ last_fixup_obj_off = object_offset;
+ last_fixup_min_off = 0;
+ } break;
+@@ -4140,20 +4164,27 @@ static int binder_apply_fd_fixups(struct
+ trace_binder_transaction_fd_recv(t, fd, fixup->offset);
+ fd_install(fd, fixup->file);
+ fixup->file = NULL;
+- binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
+- fixup->offset, &fd,
+- sizeof(u32));
++ if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer,
++ fixup->offset, &fd,
++ sizeof(u32))) {
++ ret = -EINVAL;
++ break;
++ }
+ }
+ list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) {
+ if (fixup->file) {
+ fput(fixup->file);
+ } else if (ret) {
+ u32 fd;
++ int err;
+
+- binder_alloc_copy_from_buffer(&proc->alloc, &fd,
+- t->buffer, fixup->offset,
+- sizeof(fd));
+- binder_deferred_fd_close(fd);
++ err = binder_alloc_copy_from_buffer(&proc->alloc, &fd,
++ t->buffer,
++ fixup->offset,
++ sizeof(fd));
++ WARN_ON(err);
++ if (!err)
++ binder_deferred_fd_close(fd);
+ }
+ list_del(&fixup->fixup_entry);
+ kfree(fixup);
+--- a/drivers/android/binder_alloc.c
++++ b/drivers/android/binder_alloc.c
+@@ -1119,15 +1119,16 @@ binder_alloc_copy_user_to_buffer(struct
+ return 0;
+ }
+
+-static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
+- bool to_buffer,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *ptr,
+- size_t bytes)
++static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc,
++ bool to_buffer,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *ptr,
++ size_t bytes)
+ {
+ /* All copies must be 32-bit aligned and 32-bit size */
+- BUG_ON(!check_buffer(alloc, buffer, buffer_offset, bytes));
++ if (!check_buffer(alloc, buffer, buffer_offset, bytes))
++ return -EINVAL;
+
+ while (bytes) {
+ unsigned long size;
+@@ -1155,25 +1156,26 @@ static void binder_alloc_do_buffer_copy(
+ ptr = ptr + size;
+ buffer_offset += size;
+ }
++ return 0;
+ }
+
+-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *src,
+- size_t bytes)
++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *src,
++ size_t bytes)
+ {
+- binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
+- src, bytes);
++ return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset,
++ src, bytes);
+ }
+
+-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
+- void *dest,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- size_t bytes)
++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
++ void *dest,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ size_t bytes)
+ {
+- binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
+- dest, bytes);
++ return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset,
++ dest, bytes);
+ }
+
+--- a/drivers/android/binder_alloc.h
++++ b/drivers/android/binder_alloc.h
+@@ -159,17 +159,17 @@ binder_alloc_copy_user_to_buffer(struct
+ const void __user *from,
+ size_t bytes);
+
+-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- void *src,
+- size_t bytes);
++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ void *src,
++ size_t bytes);
+
+-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
+- void *dest,
+- struct binder_buffer *buffer,
+- binder_size_t buffer_offset,
+- size_t bytes);
++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc,
++ void *dest,
++ struct binder_buffer *buffer,
++ binder_size_t buffer_offset,
++ size_t bytes);
+
+ #endif /* _LINUX_BINDER_ALLOC_H */
+
--- /dev/null
+From 2681795b5e7a5bf336537661010072f4c22cea31 Mon Sep 17 00:00:00 2001
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Date: Fri, 28 Jun 2019 11:01:09 +0200
+Subject: drivers/usb/typec/tps6598x.c: fix 4CC cmd write
+
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+
+commit 2681795b5e7a5bf336537661010072f4c22cea31 upstream.
+
+Writing 4CC commands with tps6598x_write_4cc() already has
+a pointer arg, don't reference it when using as arg to
+tps6598x_block_write(). Correcting this enforces the constness
+of the pointer to propagate to tps6598x_block_write(), so add
+the const qualifier there to avoid the warning.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tps6598x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -127,7 +127,7 @@ tps6598x_block_read(struct tps6598x *tps
+ }
+
+ static int tps6598x_block_write(struct tps6598x *tps, u8 reg,
+- void *val, size_t len)
++ const void *val, size_t len)
+ {
+ u8 data[TPS_MAX_LEN + 1];
+
+@@ -173,7 +173,7 @@ static inline int tps6598x_write64(struc
+ static inline int
+ tps6598x_write_4cc(struct tps6598x *tps, u8 reg, const char *val)
+ {
+- return tps6598x_block_write(tps, reg, &val, sizeof(u32));
++ return tps6598x_block_write(tps, reg, val, 4);
+ }
+
+ static int tps6598x_read_partner_identity(struct tps6598x *tps)
--- /dev/null
+From 05da75fc651138e51ff74ace97174349910463f5 Mon Sep 17 00:00:00 2001
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Date: Fri, 28 Jun 2019 11:01:08 +0200
+Subject: drivers/usb/typec/tps6598x.c: fix portinfo width
+
+From: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+
+commit 05da75fc651138e51ff74ace97174349910463f5 upstream.
+
+Portinfo bit field is 3 bits wide, not 2 bits. This led to
+a wrong driver configuration for some tps6598x configurations.
+
+Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers")
+Signed-off-by: Nikolaus Voss <nikolaus.voss@loewensteinmedical.de>
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/typec/tps6598x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -41,7 +41,7 @@
+ #define TPS_STATUS_VCONN(s) (!!((s) & BIT(7)))
+
+ /* TPS_REG_SYSTEM_CONF bits */
+-#define TPS_SYSCONF_PORTINFO(c) ((c) & 3)
++#define TPS_SYSCONF_PORTINFO(c) ((c) & 7)
+
+ enum {
+ TPS_PORTINFO_SINK,
--- /dev/null
+From 4c12954965fdf33d8ae3883c1931fc29ca023cfb Mon Sep 17 00:00:00 2001
+From: Sebastian Parschauer <s.parschauer@gmx.de>
+Date: Mon, 1 Jul 2019 07:48:17 +0200
+Subject: HID: Add another Primax PIXART OEM mouse quirk
+
+From: Sebastian Parschauer <s.parschauer@gmx.de>
+
+commit 4c12954965fdf33d8ae3883c1931fc29ca023cfb upstream.
+
+The PixArt OEM mice are known for disconnecting every minute in
+runlevel 1 or 3 if they are not always polled. So add quirk
+ALWAYS_POLL for this Alienware branded Primax mouse as well.
+
+Daniel Schepler (@dschepler) reported and tested the quirk.
+Reference: https://github.com/sriemer/fix-linux-mouse/issues/15
+
+Signed-off-by: Sebastian Parschauer <s.parschauer@gmx.de>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-ids.h | 1 +
+ drivers/hid/hid-quirks.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-ids.h
++++ b/drivers/hid/hid-ids.h
+@@ -1241,6 +1241,7 @@
+ #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05
+ #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f
++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65 0x4d65
+ #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22
+
+
+--- a/drivers/hid/hid-quirks.c
++++ b/drivers/hid/hid-quirks.c
+@@ -130,6 +130,7 @@ static const struct hid_device_id hid_qu
+ { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL },
++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL },
+ { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET },
+ { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET },
--- /dev/null
+From 7685010fca2ba0284f31fd1380df3cffc96d847e Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+Date: Wed, 19 Jun 2019 14:29:55 +0200
+Subject: iio: adc: stm32-adc: add missing vdda-supply
+
+From: Fabrice Gasnier <fabrice.gasnier@st.com>
+
+commit 7685010fca2ba0284f31fd1380df3cffc96d847e upstream.
+
+Add missing vdda-supply, analog power supply, to STM32 ADC. When vdda is
+an independent supply, it needs to be properly turned on or off to supply
+the ADC.
+
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core").
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/stm32-adc-core.c | 21 ++++++++++++++++++++-
+ 1 file changed, 20 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/stm32-adc-core.c
++++ b/drivers/iio/adc/stm32-adc-core.c
+@@ -87,6 +87,7 @@ struct stm32_adc_priv_cfg {
+ * @domain: irq domain reference
+ * @aclk: clock reference for the analog circuitry
+ * @bclk: bus clock common for all ADCs, depends on part used
++ * @vdda: vdda analog supply reference
+ * @vref: regulator reference
+ * @cfg: compatible configuration data
+ * @common: common data for all ADC instances
+@@ -97,6 +98,7 @@ struct stm32_adc_priv {
+ struct irq_domain *domain;
+ struct clk *aclk;
+ struct clk *bclk;
++ struct regulator *vdda;
+ struct regulator *vref;
+ const struct stm32_adc_priv_cfg *cfg;
+ struct stm32_adc_common common;
+@@ -394,10 +396,16 @@ static int stm32_adc_core_hw_start(struc
+ struct stm32_adc_priv *priv = to_stm32_adc_priv(common);
+ int ret;
+
++ ret = regulator_enable(priv->vdda);
++ if (ret < 0) {
++ dev_err(dev, "vdda enable failed %d\n", ret);
++ return ret;
++ }
++
+ ret = regulator_enable(priv->vref);
+ if (ret < 0) {
+ dev_err(dev, "vref enable failed\n");
+- return ret;
++ goto err_vdda_disable;
+ }
+
+ if (priv->bclk) {
+@@ -425,6 +433,8 @@ err_bclk_disable:
+ clk_disable_unprepare(priv->bclk);
+ err_regulator_disable:
+ regulator_disable(priv->vref);
++err_vdda_disable:
++ regulator_disable(priv->vdda);
+
+ return ret;
+ }
+@@ -441,6 +451,7 @@ static void stm32_adc_core_hw_stop(struc
+ if (priv->bclk)
+ clk_disable_unprepare(priv->bclk);
+ regulator_disable(priv->vref);
++ regulator_disable(priv->vdda);
+ }
+
+ static int stm32_adc_probe(struct platform_device *pdev)
+@@ -468,6 +479,14 @@ static int stm32_adc_probe(struct platfo
+ return PTR_ERR(priv->common.base);
+ priv->common.phys_base = res->start;
+
++ priv->vdda = devm_regulator_get(&pdev->dev, "vdda");
++ if (IS_ERR(priv->vdda)) {
++ ret = PTR_ERR(priv->vdda);
++ if (ret != -EPROBE_DEFER)
++ dev_err(&pdev->dev, "vdda get failed, %d\n", ret);
++ return ret;
++ }
++
+ priv->vref = devm_regulator_get(&pdev->dev, "vref");
+ if (IS_ERR(priv->vref)) {
+ ret = PTR_ERR(priv->vref);
--- /dev/null
+From e9e08a07385e08f1a7f85c5d1e345c21c9564963 Mon Sep 17 00:00:00 2001
+From: Nick Desaulniers <ndesaulniers@google.com>
+Date: Wed, 15 May 2019 11:24:41 -0700
+Subject: lkdtm: support llvm-objcopy
+
+From: Nick Desaulniers <ndesaulniers@google.com>
+
+commit e9e08a07385e08f1a7f85c5d1e345c21c9564963 upstream.
+
+With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors:
+llvm-objcopy: error: --set-section-flags=.text conflicts with
+--rename-section=.text=.rodata
+
+Rather than support setting flags then renaming sections vs renaming
+then setting flags, it's simpler to just change both at the same time
+via --rename-section. Adding the load flag is required for GNU objcopy
+to mark .rodata Type as PROGBITS after the rename.
+
+This can be verified with:
+$ readelf -S drivers/misc/lkdtm/rodata_objcopy.o
+...
+Section Headers:
+ [Nr] Name Type Address Offset
+ Size EntSize Flags Link Info Align
+...
+ [ 1] .rodata PROGBITS 0000000000000000 00000040
+ 0000000000000004 0000000000000000 A 0 0 4
+...
+
+Which shows that .text is now renamed .rodata, the alloc flag A is set,
+the type is PROGBITS, and the section is not flagged as writeable W.
+
+Cc: stable@vger.kernel.org
+Link: https://sourceware.org/bugzilla/show_bug.cgi?id=24554
+Link: https://github.com/ClangBuiltLinux/linux/issues/448
+Reported-by: Nathan Chancellor <natechancellor@gmail.com>
+Suggested-by: Alan Modra <amodra@gmail.com>
+Suggested-by: Jordan Rupprect <rupprecht@google.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Acked-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
+Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/lkdtm/Makefile | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/misc/lkdtm/Makefile
++++ b/drivers/misc/lkdtm/Makefile
+@@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o := n
+
+ OBJCOPYFLAGS :=
+ OBJCOPYFLAGS_rodata_objcopy.o := \
+- --set-section-flags .text=alloc,readonly \
+- --rename-section .text=.rodata
++ --rename-section .text=.rodata,alloc,readonly,load
+ targets += rodata.o rodata_objcopy.o
+ $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE
+ $(call if_changed,objcopy)
--- /dev/null
+From 1645ab931998b39aed5761f095956f0b10a6362f Mon Sep 17 00:00:00 2001
+From: Christian Lamparter <chunkeey@gmail.com>
+Date: Sat, 18 May 2019 22:05:48 +0200
+Subject: p54: fix crash during initialization
+
+From: Christian Lamparter <chunkeey@gmail.com>
+
+commit 1645ab931998b39aed5761f095956f0b10a6362f upstream.
+
+This patch fixes a crash that got introduced when the
+mentioned patch replaced the direct list_head access
+with skb_peek_tail(). When the device is starting up,
+there are no entries in the queue, so previously to
+"Use skb_peek_tail() instead..." the target_skb would
+end up as the tail and head pointer which then could
+be used by __skb_queue_after to fill the empty queue.
+
+With skb_peek_tail() in its place will instead just
+return NULL which then causes a crash in the
+__skb_queue_after().
+
+| BUG: unable to handle kernel NULL pointer dereference at 000000
+| #PF error: [normal kernel read fault]
+| PGD 0 P4D 0
+| Oops: 0000 [#1] SMP PTI
+| CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ #218
+| Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015
+| Workqueue: events request_firmware_work_func
+| RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common]
+| Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4
+| RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086
+| RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264
+| RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000
+| RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660
+| R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700
+| R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048
+| FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000
+| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+| CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0
+| Call Trace:
+| p54_download_eeprom+0xbe/0x120 [p54common]
+| p54_read_eeprom+0x7f/0xc0 [p54common]
+| p54u_load_firmware_cb+0xe0/0x160 [p54usb]
+| request_firmware_work_func+0x42/0x80
+| process_one_work+0x1f5/0x3f0
+| worker_thread+0x28/0x3c0
+
+Cc: stable@vger.kernel.org
+Fixes: e3554197fc8f ("p54: Use skb_peek_tail() instead of direct head pointer accesses.")
+Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/txrx.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/intersil/p54/txrx.c
++++ b/drivers/net/wireless/intersil/p54/txrx.c
+@@ -139,7 +139,10 @@ static int p54_assign_address(struct p54
+ unlikely(GET_HW_QUEUE(skb) == P54_QUEUE_BEACON))
+ priv->beacon_req_id = data->req_id;
+
+- __skb_queue_after(&priv->tx_queue, target_skb, skb);
++ if (target_skb)
++ __skb_queue_after(&priv->tx_queue, target_skb, skb);
++ else
++ __skb_queue_head(&priv->tx_queue, skb);
+ spin_unlock_irqrestore(&priv->tx_queue.lock, flags);
+ return 0;
+ }
--- /dev/null
+From 6e41e2257f1094acc37618bf6c856115374c6922 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 20 May 2019 10:44:21 -0400
+Subject: p54usb: Fix race between disconnect and firmware loading
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream.
+
+The syzbot fuzzer found a bug in the p54 USB wireless driver. The
+issue involves a race between disconnect and the firmware-loader
+callback routine, and it has several aspects.
+
+One big problem is that when the firmware can't be loaded, the
+callback routine tries to unbind the driver from the USB _device_ (by
+calling device_release_driver) instead of from the USB _interface_ to
+which it is actually bound (by calling usb_driver_release_interface).
+
+The race involves access to the private data structure. The driver's
+disconnect handler waits for a completion that is signalled by the
+firmware-loader callback routine. As soon as the completion is
+signalled, you have to assume that the private data structure may have
+been deallocated by the disconnect handler -- even if the firmware was
+loaded without errors. However, the callback routine does access the
+private data several times after that point.
+
+Another problem is that, in order to ensure that the USB device
+structure hasn't been freed when the callback routine runs, the driver
+takes a reference to it. This isn't good enough any more, because now
+that the callback routine calls usb_driver_release_interface, it has
+to ensure that the interface structure hasn't been freed.
+
+Finally, the driver takes an unnecessary reference to the USB device
+structure in the probe function and drops the reference in the
+disconnect handler. This extra reference doesn't accomplish anything,
+because the USB core already guarantees that a device structure won't
+be deallocated while a driver is still bound to any of its interfaces.
+
+To fix these problems, this patch makes the following changes:
+
+ Call usb_driver_release_interface() rather than
+ device_release_driver().
+
+ Don't signal the completion until after the important
+ information has been copied out of the private data structure,
+ and don't refer to the private data at all thereafter.
+
+ Lock udev (the interface's parent) before unbinding the driver
+ instead of locking udev->parent.
+
+ During the firmware loading process, take a reference to the
+ USB interface instead of the USB device.
+
+ Don't take an unnecessary reference to the device during probe
+ (and then don't drop it during disconnect).
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Acked-by: Christian Lamparter <chunkeey@gmail.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/intersil/p54/p54usb.c | 43 ++++++++++++-----------------
+ 1 file changed, 18 insertions(+), 25 deletions(-)
+
+--- a/drivers/net/wireless/intersil/p54/p54usb.c
++++ b/drivers/net/wireless/intersil/p54/p54usb.c
+@@ -30,6 +30,8 @@ MODULE_ALIAS("prism54usb");
+ MODULE_FIRMWARE("isl3886usb");
+ MODULE_FIRMWARE("isl3887usb");
+
++static struct usb_driver p54u_driver;
++
+ /*
+ * Note:
+ *
+@@ -918,9 +920,9 @@ static void p54u_load_firmware_cb(const
+ {
+ struct p54u_priv *priv = context;
+ struct usb_device *udev = priv->udev;
++ struct usb_interface *intf = priv->intf;
+ int err;
+
+- complete(&priv->fw_wait_load);
+ if (firmware) {
+ priv->fw = firmware;
+ err = p54u_start_ops(priv);
+@@ -929,26 +931,22 @@ static void p54u_load_firmware_cb(const
+ dev_err(&udev->dev, "Firmware not found.\n");
+ }
+
+- if (err) {
+- struct device *parent = priv->udev->dev.parent;
+-
+- dev_err(&udev->dev, "failed to initialize device (%d)\n", err);
+-
+- if (parent)
+- device_lock(parent);
++ complete(&priv->fw_wait_load);
++ /*
++ * At this point p54u_disconnect may have already freed
++ * the "priv" context. Do not use it anymore!
++ */
++ priv = NULL;
+
+- device_release_driver(&udev->dev);
+- /*
+- * At this point p54u_disconnect has already freed
+- * the "priv" context. Do not use it anymore!
+- */
+- priv = NULL;
++ if (err) {
++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err);
+
+- if (parent)
+- device_unlock(parent);
++ usb_lock_device(udev);
++ usb_driver_release_interface(&p54u_driver, intf);
++ usb_unlock_device(udev);
+ }
+
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ static int p54u_load_firmware(struct ieee80211_hw *dev,
+@@ -969,14 +967,14 @@ static int p54u_load_firmware(struct iee
+ dev_info(&priv->udev->dev, "Loading firmware file %s\n",
+ p54u_fwlist[i].fw);
+
+- usb_get_dev(udev);
++ usb_get_intf(intf);
+ err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw,
+ device, GFP_KERNEL, priv,
+ p54u_load_firmware_cb);
+ if (err) {
+ dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s "
+ "(%d)!\n", p54u_fwlist[i].fw, err);
+- usb_put_dev(udev);
++ usb_put_intf(intf);
+ }
+
+ return err;
+@@ -1008,8 +1006,6 @@ static int p54u_probe(struct usb_interfa
+ skb_queue_head_init(&priv->rx_queue);
+ init_usb_anchor(&priv->submitted);
+
+- usb_get_dev(udev);
+-
+ /* really lazy and simple way of figuring out if we're a 3887 */
+ /* TODO: should just stick the identification in the device table */
+ i = intf->altsetting->desc.bNumEndpoints;
+@@ -1050,10 +1046,8 @@ static int p54u_probe(struct usb_interfa
+ priv->upload_fw = p54u_upload_firmware_net2280;
+ }
+ err = p54u_load_firmware(dev, intf);
+- if (err) {
+- usb_put_dev(udev);
++ if (err)
+ p54_free_common(dev);
+- }
+ return err;
+ }
+
+@@ -1069,7 +1063,6 @@ static void p54u_disconnect(struct usb_i
+ wait_for_completion(&priv->fw_wait_load);
+ p54_unregister_common(dev);
+
+- usb_put_dev(interface_to_usbdev(intf));
+ release_firmware(priv->fw);
+ p54_free_common(dev);
+ }
--- /dev/null
+From 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 Mon Sep 17 00:00:00 2001
+From: Oliver Barta <o.barta89@gmail.com>
+Date: Wed, 19 Jun 2019 10:16:39 +0200
+Subject: Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled"
+
+From: Oliver Barta <o.barta89@gmail.com>
+
+commit 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 upstream.
+
+This reverts commit 2e9fe539108320820016f78ca7704a7342788380.
+
+Reading LSR unconditionally but processing the error flags only if
+UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission
+error information on UARTs where the transmission error flags are cleared
+by a read of LSR. Information are lost in case an error is detected right
+before the read of LSR while processing e.g. an UART_IIR_THRI interrupt.
+
+Signed-off-by: Oliver Barta <o.barta89@gmail.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Fixes: 2e9fe5391083 ("serial: 8250: Don't service RX FIFO if interrupts are disabled")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_port.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -1869,8 +1869,7 @@ int serial8250_handle_irq(struct uart_po
+
+ status = serial_port_in(port, UART_LSR);
+
+- if (status & (UART_LSR_DR | UART_LSR_BI) &&
+- iir & UART_IIR_RDI) {
++ if (status & (UART_LSR_DR | UART_LSR_BI)) {
+ if (!up->dma || handle_rx_dma(up, iir))
+ status = serial8250_rx_chars(up, status);
+ }
documentation-add-section-about-cpu-vulnerabilities-for-spectre.patch
documentation-admin-remove-the-vsyscall-native-documentation.patch
mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch
+usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch
+usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch
+revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch
+p54usb-fix-race-between-disconnect-and-firmware-loading.patch
+usb-gadget-f_fs-data_len-used-before-properly-set.patch
+usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch
+usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch
+usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch
+drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch
+drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch
+p54-fix-crash-during-initialization.patch
+staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch
+staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch
+staging-bcm2835-camera-restore-return-behavior-of-ctrl_set_bitrate.patch
+staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch
+staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch
+hid-add-another-primax-pixart-oem-mouse-quirk.patch
+lkdtm-support-llvm-objcopy.patch
+binder-fix-memory-leak-in-error-path.patch
+binder-return-errors-from-buffer-copy-functions.patch
+iio-adc-stm32-adc-add-missing-vdda-supply.patch
--- /dev/null
+From f816db1dc17b99b059325f41ed5a78f85d15368c Mon Sep 17 00:00:00 2001
+From: Stefan Wahren <wahrenst@gmx.net>
+Date: Wed, 26 Jun 2019 17:48:11 +0200
+Subject: staging: bcm2835-camera: Restore return behavior of ctrl_set_bitrate()
+
+From: Stefan Wahren <wahrenst@gmx.net>
+
+commit f816db1dc17b99b059325f41ed5a78f85d15368c upstream.
+
+The commit 52c4dfcead49 ("Staging: vc04_services: Cleanup in
+ctrl_set_bitrate()") changed the return behavior of ctrl_set_bitrate().
+We cannot do this because of a bug in the firmware, which breaks probing
+of bcm2835-camera:
+
+ bcm2835-v4l2: mmal_init: failed to set all camera controls: -3
+ Cleanup: Destroy video encoder
+ Cleanup: Destroy image encoder
+ Cleanup: Destroy video render
+ Cleanup: Destroy camera
+ bcm2835-v4l2: bcm2835_mmal_probe: mmal init failed: -3
+ bcm2835-camera: probe of bcm2835-camera failed with error -3
+
+So restore the old behavior, add an explaining comment and a debug message
+to verify that the bug has been fixed in firmware.
+
+Fixes: 52c4dfcead49 ("Staging: vc04_services: Cleanup in ctrl_set_bitrate()")
+Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vc04_services/bcm2835-camera/controls.c | 19 +++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/vc04_services/bcm2835-camera/controls.c
++++ b/drivers/staging/vc04_services/bcm2835-camera/controls.c
+@@ -603,15 +603,28 @@ static int ctrl_set_bitrate(struct bm283
+ struct v4l2_ctrl *ctrl,
+ const struct bm2835_mmal_v4l2_ctrl *mmal_ctrl)
+ {
++ int ret;
+ struct vchiq_mmal_port *encoder_out;
+
+ dev->capture.encode_bitrate = ctrl->val;
+
+ encoder_out = &dev->component[MMAL_COMPONENT_VIDEO_ENCODE]->output[0];
+
+- return vchiq_mmal_port_parameter_set(dev->instance, encoder_out,
+- mmal_ctrl->mmal_id, &ctrl->val,
+- sizeof(ctrl->val));
++ ret = vchiq_mmal_port_parameter_set(dev->instance, encoder_out,
++ mmal_ctrl->mmal_id, &ctrl->val,
++ sizeof(ctrl->val));
++
++ v4l2_dbg(1, bcm2835_v4l2_debug, &dev->v4l2_dev,
++ "%s: After: mmal_ctrl:%p ctrl id:0x%x ctrl val:%d ret %d(%d)\n",
++ __func__, mmal_ctrl, ctrl->id, ctrl->val, ret,
++ (ret == 0 ? 0 : -EINVAL));
++
++ /*
++ * Older firmware versions (pre July 2019) have a bug in handling
++ * MMAL_PARAMETER_VIDEO_BIT_RATE that result in the call
++ * returning -MMAL_MSG_STATUS_EINVAL. So ignore errors from this call.
++ */
++ return 0;
+ }
+
+ static int ctrl_set_bitrate_mode(struct bm2835_mmal_dev *dev,
--- /dev/null
+From 7379e6baeddf580d01feca650ec1ad508b6ea8ee Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 26 Jun 2019 14:17:39 +0100
+Subject: staging: comedi: amplc_pci230: fix null pointer deref on interrupt
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 7379e6baeddf580d01feca650ec1ad508b6ea8ee upstream.
+
+The interrupt handler `pci230_interrupt()` causes a null pointer
+dereference for a PCI260 card. There is no analog output subdevice for
+a PCI260. The `dev->write_subdev` subdevice pointer and therefore the
+`s_ao` subdevice pointer variable will be `NULL` for a PCI260. The
+following call near the end of the interrupt handler results in the null
+pointer dereference for a PCI260:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+Note that the other uses of `s_ao` in the calls
+`pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev,
+s_ao);` will never be reached for a PCI260, so they are safe.
+
+Fixes: 39064f23284c ("staging: comedi: amplc_pci230: use comedi_handle_events()")
+Cc: <stable@vger.kernel.org> # v3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/amplc_pci230.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/amplc_pci230.c
++++ b/drivers/staging/comedi/drivers/amplc_pci230.c
+@@ -2330,7 +2330,8 @@ static irqreturn_t pci230_interrupt(int
+ devpriv->intr_running = false;
+ spin_unlock_irqrestore(&devpriv->isr_spinlock, irqflags);
+
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+ comedi_handle_events(dev, s_ai);
+
+ return IRQ_HANDLED;
--- /dev/null
+From b8336be66dec06bef518030a0df9847122053ec5 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Wed, 26 Jun 2019 14:18:04 +0100
+Subject: staging: comedi: dt282x: fix a null pointer deref on interrupt
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit b8336be66dec06bef518030a0df9847122053ec5 upstream.
+
+The interrupt handler `dt282x_interrupt()` causes a null pointer
+dereference for those supported boards that have no analog output
+support. For these boards, `dev->write_subdev` will be `NULL` and
+therefore the `s_ao` subdevice pointer variable will be `NULL`. In that
+case, the following call near the end of the interrupt handler results
+in a null pointer dereference:
+
+ comedi_handle_events(dev, s_ao);
+
+Fix it by only calling the above function if `s_ao` is valid.
+
+(There are other uses of `s_ao` by the interrupt handler that may or may
+not be reached depending on values of hardware registers. Trust that
+they are reliable for now.)
+
+Note:
+commit 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+propagates an earlier error from
+commit f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()").
+
+Fixes: 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()")
+Cc: <stable@vger.kernel.org> # v3.19+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/dt282x.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/dt282x.c
++++ b/drivers/staging/comedi/drivers/dt282x.c
+@@ -557,7 +557,8 @@ static irqreturn_t dt282x_interrupt(int
+ }
+ #endif
+ comedi_handle_events(dev, s);
+- comedi_handle_events(dev, s_ao);
++ if (s_ao)
++ comedi_handle_events(dev, s_ao);
+
+ return IRQ_RETVAL(handled);
+ }
--- /dev/null
+From 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf Mon Sep 17 00:00:00 2001
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Date: Wed, 26 Jun 2019 14:43:18 +0200
+Subject: staging: mt7621-pci: fix PCIE_FTS_NUM_LO macro
+
+From: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+
+commit 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf upstream.
+
+Add missing parenthesis to PCIE_FTS_NUM_LO macro to do the
+same it was being done in original code.
+
+Fixes: a4b2eb912bb1 ("staging: mt7621-pci: rewrite RC FTS configuration")
+Signed-off-by: Sergio Paracuellos <sergio.paracuellos@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/mt7621-pci/pci-mt7621.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/mt7621-pci/pci-mt7621.c
++++ b/drivers/staging/mt7621-pci/pci-mt7621.c
+@@ -40,7 +40,7 @@
+ /* MediaTek specific configuration registers */
+ #define PCIE_FTS_NUM 0x70c
+ #define PCIE_FTS_NUM_MASK GENMASK(15, 8)
+-#define PCIE_FTS_NUM_L0(x) ((x) & 0xff << 8)
++#define PCIE_FTS_NUM_L0(x) (((x) & 0xff) << 8)
+
+ /* rt_sysc_membase relative registers */
+ #define RALINK_PCIE_CLK_GEN 0x7c
--- /dev/null
+From 6419f818ababebc1116fb2d0e220bd4fe835d0e3 Mon Sep 17 00:00:00 2001
+From: Ajay Singh <ajay.kathat@microchip.com>
+Date: Wed, 26 Jun 2019 12:40:48 +0000
+Subject: staging: wilc1000: fix error path cleanup in wilc_wlan_initialize()
+
+From: Ajay Singh <ajay.kathat@microchip.com>
+
+commit 6419f818ababebc1116fb2d0e220bd4fe835d0e3 upstream.
+
+For the error path in wilc_wlan_initialize(), the resources are not
+cleanup in the correct order. Reverted the previous changes and use the
+correct order to free during error condition.
+
+Fixes: b46d68825c2d ("staging: wilc1000: remove COMPLEMENT_BOOT")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wilc1000/wilc_netdev.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/staging/wilc1000/wilc_netdev.c
++++ b/drivers/staging/wilc1000/wilc_netdev.c
+@@ -530,17 +530,17 @@ static int wilc_wlan_initialize(struct n
+ goto fail_locks;
+ }
+
+- if (wl->gpio_irq && init_irq(dev)) {
+- ret = -EIO;
+- goto fail_locks;
+- }
+-
+ ret = wlan_initialize_threads(dev);
+ if (ret < 0) {
+ ret = -EIO;
+ goto fail_wilc_wlan;
+ }
+
++ if (wl->gpio_irq && init_irq(dev)) {
++ ret = -EIO;
++ goto fail_threads;
++ }
++
+ if (!wl->dev_irq_num &&
+ wl->hif_func->enable_interrupt &&
+ wl->hif_func->enable_interrupt(wl)) {
+@@ -596,7 +596,7 @@ fail_irq_enable:
+ fail_irq_init:
+ if (wl->dev_irq_num)
+ deinit_irq(dev);
+-
++fail_threads:
+ wlan_deinitialize_threads(dev);
+ fail_wilc_wlan:
+ wilc_wlan_cleanup(dev);
--- /dev/null
+From dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 Mon Sep 17 00:00:00 2001
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Date: Thu, 20 Jun 2019 19:50:22 +0200
+Subject: usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset()
+
+From: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+
+commit dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 upstream.
+
+Use a 10000us AHB idle timeout in dwc2_core_reset() and make it
+consistent with the other "wait for AHB master IDLE state" ocurrences.
+
+This fixes a problem for me where dwc2 would not want to initialize when
+updating to 4.19 on a MIPS Lantiq VRX200 SoC. dwc2 worked fine with
+4.14.
+Testing on my board shows that it takes 180us until AHB master IDLE
+state is signalled. The very old vendor driver for this SoC (ifxhcd)
+used a 1 second timeout.
+Use the same timeout that is used everywhere when polling for
+GRSTCTL_AHBIDLE instead of using a timeout that "works for one board"
+(180us in my case) to have consistent behavior across the dwc2 driver.
+
+Cc: linux-stable <stable@vger.kernel.org> # 4.19+
+Acked-by: Minas Harutyunyan <hminas@synopsys.com>
+Signed-off-by: Martin Blumenstingl <martin.blumenstingl@googlemail.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc2/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc2/core.c
++++ b/drivers/usb/dwc2/core.c
+@@ -531,7 +531,7 @@ int dwc2_core_reset(struct dwc2_hsotg *h
+ }
+
+ /* Wait for AHB master IDLE state */
+- if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 50)) {
++ if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 10000)) {
+ dev_warn(hsotg->dev, "%s: HANG! AHB Idle timeout GRSTCTL GRSTCTL_AHBIDLE\n",
+ __func__);
+ return -EBUSY;
--- /dev/null
+From d29fcf7078bc8be2b6366cbd4418265b53c94fac Mon Sep 17 00:00:00 2001
+From: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com>
+Date: Tue, 18 Jun 2019 08:39:06 +0000
+Subject: usb: gadget: ether: Fix race between gether_disconnect and rx_submit
+
+From: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com>
+
+commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream.
+
+On spin lock release in rx_submit, gether_disconnect get a chance to
+run, it makes port_usb NULL, rx_submit access NULL port USB, hence null
+pointer crash.
+
+Fixed by releasing the lock in rx_submit after port_usb is used.
+
+Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Kiruthika Varadarajan <Kiruthika.Varadarajan@harman.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/u_ether.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_ether.c
++++ b/drivers/usb/gadget/function/u_ether.c
+@@ -186,11 +186,12 @@ rx_submit(struct eth_dev *dev, struct us
+ out = dev->port_usb->out_ep;
+ else
+ out = NULL;
+- spin_unlock_irqrestore(&dev->lock, flags);
+
+ if (!out)
++ {
++ spin_unlock_irqrestore(&dev->lock, flags);
+ return -ENOTCONN;
+-
++ }
+
+ /* Padding up to RX_EXTRA handles minor disagreements with host.
+ * Normally we use the USB "terminate on short read" convention;
+@@ -214,6 +215,7 @@ rx_submit(struct eth_dev *dev, struct us
+
+ if (dev->port_usb->is_fixed)
+ size = max_t(size_t, size, dev->port_usb->fixed_out_len);
++ spin_unlock_irqrestore(&dev->lock, flags);
+
+ skb = __netdev_alloc_skb(dev->net, size + NET_IP_ALIGN, gfp_flags);
+ if (skb == NULL) {
--- /dev/null
+From 4833a94eb383f5b22775077ff92ddaae90440921 Mon Sep 17 00:00:00 2001
+From: Fei Yang <fei.yang@intel.com>
+Date: Wed, 12 Jun 2019 15:13:26 -0700
+Subject: usb: gadget: f_fs: data_len used before properly set
+
+From: Fei Yang <fei.yang@intel.com>
+
+commit 4833a94eb383f5b22775077ff92ddaae90440921 upstream.
+
+The following line of code in function ffs_epfile_io is trying to set
+flag io_data->use_sg in case buffer required is larger than one page.
+
+ io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+
+However at this point of time the variable data_len has not been set
+to the proper buffer size yet. The consequence is that io_data->use_sg
+is always set regardless what buffer size really is, because the condition
+(data_len > PAGE_SIZE) is effectively an unsigned comparison between
+-EINVAL and PAGE_SIZE which would always result in TRUE.
+
+Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers")
+Signed-off-by: Fei Yang <fei.yang@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -997,7 +997,6 @@ static ssize_t ffs_epfile_io(struct file
+ * earlier
+ */
+ gadget = epfile->ffs->gadget;
+- io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+
+ spin_lock_irq(&epfile->ffs->eps_lock);
+ /* In the meantime, endpoint got disabled or changed. */
+@@ -1012,6 +1011,8 @@ static ssize_t ffs_epfile_io(struct file
+ */
+ if (io_data->read)
+ data_len = usb_ep_align_maybe(gadget, ep->ep, data_len);
++
++ io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE;
+ spin_unlock_irq(&epfile->ffs->eps_lock);
+
+ data = ffs_alloc_buffer(io_data, data_len);
--- /dev/null
+From b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 26 Jun 2019 22:06:33 +0900
+Subject: usb: renesas_usbhs: add a workaround for a race condition of workqueue
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 upstream.
+
+The old commit 6e4b74e4690d ("usb: renesas: fix scheduling in atomic
+context bug") fixed an atomic issue by using workqueue for the shdmac
+dmaengine driver. However, this has a potential race condition issue
+between the work pending and usbhsg_ep_free_request() in gadget mode.
+When usbhsg_ep_free_request() is called while pending the queue,
+since the work_struct will be freed and then the work handler is
+called, kernel panic happens on process_one_work().
+
+To fix the issue, if we could call cancel_work_sync() at somewhere
+before the free request, it could be easy. However,
+the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver
+calls free request via gether_disconnect()).
+
+For now, almost all users are having "USB-DMAC" and the DMAengine
+driver can be used on atomic. So, this patch adds a workaround for
+a race condition to call the DMAengine APIs without the workqueue.
+
+This means we still have TODO on shdmac environment (SH7724), but
+since it doesn't have SMP, the race condition might not happen.
+
+Fixes: ab330cf3888d ("usb: renesas_usbhs: add support for USB-DMAC")
+Cc: <stable@vger.kernel.org> # v4.1+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c | 34 ++++++++++++++++++++++------------
+ 1 file changed, 22 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -802,9 +802,8 @@ static int __usbhsf_dma_map_ctrl(struct
+ }
+
+ static void usbhsf_dma_complete(void *arg);
+-static void xfer_work(struct work_struct *work)
++static void usbhsf_dma_xfer_preparing(struct usbhs_pkt *pkt)
+ {
+- struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
+ struct usbhs_pipe *pipe = pkt->pipe;
+ struct usbhs_fifo *fifo;
+ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+@@ -812,12 +811,10 @@ static void xfer_work(struct work_struct
+ struct dma_chan *chan;
+ struct device *dev = usbhs_priv_to_dev(priv);
+ enum dma_transfer_direction dir;
+- unsigned long flags;
+
+- usbhs_lock(priv, flags);
+ fifo = usbhs_pipe_to_fifo(pipe);
+ if (!fifo)
+- goto xfer_work_end;
++ return;
+
+ chan = usbhsf_dma_chan_get(fifo, pkt);
+ dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
+@@ -826,7 +823,7 @@ static void xfer_work(struct work_struct
+ pkt->trans, dir,
+ DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+ if (!desc)
+- goto xfer_work_end;
++ return;
+
+ desc->callback = usbhsf_dma_complete;
+ desc->callback_param = pipe;
+@@ -834,7 +831,7 @@ static void xfer_work(struct work_struct
+ pkt->cookie = dmaengine_submit(desc);
+ if (pkt->cookie < 0) {
+ dev_err(dev, "Failed to submit dma descriptor\n");
+- goto xfer_work_end;
++ return;
+ }
+
+ dev_dbg(dev, " %s %d (%d/ %d)\n",
+@@ -845,8 +842,17 @@ static void xfer_work(struct work_struct
+ dma_async_issue_pending(chan);
+ usbhsf_dma_start(pipe, fifo);
+ usbhs_pipe_enable(pipe);
++}
++
++static void xfer_work(struct work_struct *work)
++{
++ struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
++ struct usbhs_pipe *pipe = pkt->pipe;
++ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
++ unsigned long flags;
+
+-xfer_work_end:
++ usbhs_lock(priv, flags);
++ usbhsf_dma_xfer_preparing(pkt);
+ usbhs_unlock(priv, flags);
+ }
+
+@@ -899,8 +905,13 @@ static int usbhsf_dma_prepare_push(struc
+ pkt->trans = len;
+
+ usbhsf_tx_irq_ctrl(pipe, 0);
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ /* FIXME: Workaound for usb dmac that driver can be used in atomic */
++ if (usbhs_get_dparam(priv, has_usb_dmac)) {
++ usbhsf_dma_xfer_preparing(pkt);
++ } else {
++ INIT_WORK(&pkt->work, xfer_work);
++ schedule_work(&pkt->work);
++ }
+
+ return 0;
+
+@@ -1006,8 +1017,7 @@ static int usbhsf_dma_prepare_pop_with_u
+
+ pkt->trans = pkt->length;
+
+- INIT_WORK(&pkt->work, xfer_work);
+- schedule_work(&pkt->work);
++ usbhsf_dma_xfer_preparing(pkt);
+
+ return 0;
+
--- /dev/null
+From f8377eff548170e8ea8022c067a1fbdf9e1c46a8 Mon Sep 17 00:00:00 2001
+From: Andreas Fritiofson <andreas.fritiofson@unjo.com>
+Date: Fri, 28 Jun 2019 15:08:34 +0200
+Subject: USB: serial: ftdi_sio: add ID for isodebug v1
+
+From: Andreas Fritiofson <andreas.fritiofson@unjo.com>
+
+commit f8377eff548170e8ea8022c067a1fbdf9e1c46a8 upstream.
+
+This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the
+second channel is available for use as a serial port.
+
+Signed-off-by: Andreas Fritiofson <andreas.fritiofson@unjo.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c | 1 +
+ drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1029,6 +1029,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) },
+ /* EZPrototypes devices */
+ { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) },
++ { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1543,3 +1543,9 @@
+ #define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */
+ #define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */
+ #define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */
++
++/*
++ * Unjo AB
++ */
++#define UNJO_VID 0x22B7
++#define UNJO_ISODEBUG_V1_PID 0x150D
--- /dev/null
+From aed2a26283528fb69c38e414f649411aa48fb391 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= <jorgen.storvist@gmail.com>
+Date: Wed, 19 Jun 2019 00:30:19 +0200
+Subject: USB: serial: option: add support for GosunCn ME3630 RNDIS mode
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jörgen Storvist <jorgen.storvist@gmail.com>
+
+commit aed2a26283528fb69c38e414f649411aa48fb391 upstream.
+
+Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode.
+
+T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=0601 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=b950269c
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host
+I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+
+Signed-off-by: Jörgen Storvist <jorgen.storvist@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1343,6 +1343,7 @@ static const struct usb_device_id option
+ .driver_info = RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) },
++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0601, 0xff) }, /* GosunCn ZTE WeLink ME3630 (RNDIS mode) */
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(4) },
projects / thirdparty / kernel / stable-queue.git / commitdiff
