--- /dev/null
+From 4f9007d692017cef38baf2a9b82b7879d5b2407b Mon Sep 17 00:00:00 2001
+From: "H. Nikolaus Schaller" <hns@goldelico.com>
+Date: Thu, 7 Nov 2019 11:30:36 +0100
+Subject: ARM: dts: pandora-common: define wl1251 as child node of mmc3
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+commit 4f9007d692017cef38baf2a9b82b7879d5b2407b upstream.
+
+Since v4.7 the dma initialization requires that there is a
+device tree property for "rx" and "tx" channels which is
+not provided by the pdata-quirks initialization.
+
+By conversion of the mmc3 setup to device tree this will
+finally allows to remove the OpenPandora wlan specific omap3
+data-quirks.
+
+Fixes: 81eef6ca9201 ("mmc: omap_hsmmc: Use dma_request_chan() for requesting DMA channel")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Cc: <stable@vger.kernel.org> # v4.7+
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/boot/dts/omap3-pandora-common.dtsi | 36 ++++++++++++++++++++++++++--
+ 1 file changed, 34 insertions(+), 2 deletions(-)
+
+--- a/arch/arm/boot/dts/omap3-pandora-common.dtsi
++++ b/arch/arm/boot/dts/omap3-pandora-common.dtsi
+@@ -226,6 +226,17 @@
+ gpio = <&gpio6 4 GPIO_ACTIVE_HIGH>; /* GPIO_164 */
+ };
+
++ /* wl1251 wifi+bt module */
++ wlan_en: fixed-regulator-wg7210_en {
++ compatible = "regulator-fixed";
++ regulator-name = "vwlan";
++ regulator-min-microvolt = <1800000>;
++ regulator-max-microvolt = <1800000>;
++ startup-delay-us = <50000>;
++ enable-active-high;
++ gpio = <&gpio1 23 GPIO_ACTIVE_HIGH>;
++ };
++
+ /* wg7210 (wifi+bt module) 32k clock buffer */
+ wg7210_32k: fixed-regulator-wg7210_32k {
+ compatible = "regulator-fixed";
+@@ -522,9 +533,30 @@
+ /*wp-gpios = <&gpio4 31 GPIO_ACTIVE_HIGH>;*/ /* GPIO_127 */
+ };
+
+-/* mmc3 is probed using pdata-quirks to pass wl1251 card data */
+ &mmc3 {
+- status = "disabled";
++ vmmc-supply = <&wlan_en>;
++
++ bus-width = <4>;
++ non-removable;
++ ti,non-removable;
++ cap-power-off-card;
++
++ pinctrl-names = "default";
++ pinctrl-0 = <&mmc3_pins>;
++
++ #address-cells = <1>;
++ #size-cells = <0>;
++
++ wlan: wifi@1 {
++ compatible = "ti,wl1251";
++
++ reg = <1>;
++
++ interrupt-parent = <&gpio1>;
++ interrupts = <21 IRQ_TYPE_LEVEL_HIGH>; /* GPIO_21 */
++
++ ti,wl1251-has-eeprom;
++ };
+ };
+
+ /* bluetooth*/
--- /dev/null
+From 16981742717b04644a41052570fb502682a315d2 Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@android.com>
+Date: Fri, 13 Dec 2019 12:25:31 -0800
+Subject: binder: fix incorrect calculation for num_valid
+
+From: Todd Kjos <tkjos@android.com>
+
+commit 16981742717b04644a41052570fb502682a315d2 upstream.
+
+For BINDER_TYPE_PTR and BINDER_TYPE_FDA transactions, the
+num_valid local was calculated incorrectly causing the
+range check in binder_validate_ptr() to miss out-of-bounds
+offsets.
+
+Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space")
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191213202531.55010-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3332,7 +3332,7 @@ static void binder_transaction(struct bi
+ binder_size_t parent_offset;
+ struct binder_fd_array_object *fda =
+ to_binder_fd_array_object(hdr);
+- size_t num_valid = (buffer_offset - off_start_offset) *
++ size_t num_valid = (buffer_offset - off_start_offset) /
+ sizeof(binder_size_t);
+ struct binder_buffer_object *parent =
+ binder_validate_ptr(target_proc, t->buffer,
+@@ -3406,7 +3406,7 @@ static void binder_transaction(struct bi
+ t->buffer->user_data + sg_buf_offset;
+ sg_buf_offset += ALIGN(bp->length, sizeof(u64));
+
+- num_valid = (buffer_offset - off_start_offset) *
++ num_valid = (buffer_offset - off_start_offset) /
+ sizeof(binder_size_t);
+ ret = binder_fixup_parent(t, thread, bp,
+ off_start_offset,
--- /dev/null
+From 11d7c8d3b1259c303fb52789febed58f0bc35ad1 Mon Sep 17 00:00:00 2001
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+Date: Mon, 18 Nov 2019 10:38:57 +0200
+Subject: iio: adc: ad7124: Enable internal reference
+
+From: Mircea Caprioru <mircea.caprioru@analog.com>
+
+commit 11d7c8d3b1259c303fb52789febed58f0bc35ad1 upstream.
+
+When the internal reference was selected by a channel it was not enabled.
+This patch fixes that and enables it.
+
+Fixes: b3af341bbd96 ("iio: adc: Add ad7124 support")
+Signed-off-by: Mircea Caprioru <mircea.caprioru@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ad7124.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad7124.c
++++ b/drivers/iio/adc/ad7124.c
+@@ -39,6 +39,8 @@
+ #define AD7124_STATUS_POR_FLAG_MSK BIT(4)
+
+ /* AD7124_ADC_CONTROL */
++#define AD7124_ADC_CTRL_REF_EN_MSK BIT(8)
++#define AD7124_ADC_CTRL_REF_EN(x) FIELD_PREP(AD7124_ADC_CTRL_REF_EN_MSK, x)
+ #define AD7124_ADC_CTRL_PWR_MSK GENMASK(7, 6)
+ #define AD7124_ADC_CTRL_PWR(x) FIELD_PREP(AD7124_ADC_CTRL_PWR_MSK, x)
+ #define AD7124_ADC_CTRL_MODE_MSK GENMASK(5, 2)
+@@ -424,7 +426,10 @@ static int ad7124_init_channel_vref(stru
+ break;
+ case AD7124_INT_REF:
+ st->channel_config[channel_number].vref_mv = 2500;
+- break;
++ st->adc_control &= ~AD7124_ADC_CTRL_REF_EN_MSK;
++ st->adc_control |= AD7124_ADC_CTRL_REF_EN(1);
++ return ad_sd_write_reg(&st->sd, AD7124_ADC_CONTROL,
++ 2, st->adc_control);
+ default:
+ dev_err(&st->sd.spi->dev, "Invalid reference %d\n", refsel);
+ return -EINVAL;
--- /dev/null
+From 341826a065660d1b77d89e6335b6095cd654271c Mon Sep 17 00:00:00 2001
+From: Beniamin Bia <beniamin.bia@analog.com>
+Date: Mon, 4 Nov 2019 18:26:34 +0200
+Subject: iio: adc: ad7606: fix reading unnecessary data from device
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Beniamin Bia <beniamin.bia@analog.com>
+
+commit 341826a065660d1b77d89e6335b6095cd654271c upstream.
+
+When a conversion result is being read from ADC, the driver reads the
+number of channels + 1 because it thinks that IIO_CHAN_SOFT_TIMESTAMP
+is also a physical channel. This patch fixes this issue.
+
+Fixes: 2985a5d88455 ("staging: iio: adc: ad7606: Move out of staging")
+Reported-by: Robert Wörle <rwoerle@mibtec.de>
+Signed-off-by: Beniamin Bia <beniamin.bia@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/ad7606.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad7606.c
++++ b/drivers/iio/adc/ad7606.c
+@@ -57,7 +57,7 @@ static int ad7606_reset(struct ad7606_st
+
+ static int ad7606_read_samples(struct ad7606_state *st)
+ {
+- unsigned int num = st->chip_info->num_channels;
++ unsigned int num = st->chip_info->num_channels - 1;
+ u16 *data = st->data;
+ int ret;
+
--- /dev/null
+From 4c35b7a51e2f291471f7221d112c6a45c63e83bc Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 28 Oct 2019 17:33:49 +0100
+Subject: iio: adis16480: Add debugfs_reg_access entry
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 4c35b7a51e2f291471f7221d112c6a45c63e83bc upstream.
+
+The driver is defining debugfs entries by calling
+`adis16480_debugfs_init()`. However, those entries are attached to the
+iio_dev debugfs entry which won't exist if no debugfs_reg_access
+callback is provided.
+
+Fixes: 2f3abe6cbb6c ("iio:imu: Add support for the ADIS16480 and similar IMUs")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -919,6 +919,7 @@ static const struct iio_info adis16480_i
+ .read_raw = &adis16480_read_raw,
+ .write_raw = &adis16480_write_raw,
+ .update_scan_mode = adis_update_scan_mode,
++ .debugfs_reg_access = adis_debugfs_reg_access,
+ };
+
+ static int adis16480_stop_device(struct iio_dev *indio_dev)
--- /dev/null
+From 49549cb23a2926eba70bb634e361daea0f319794 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Mon, 28 Oct 2019 17:33:48 +0100
+Subject: iio: adis16480: Fix scales factors
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 49549cb23a2926eba70bb634e361daea0f319794 upstream.
+
+This patch fixes the scales for the gyroscope, accelerometer and
+barometer. The pressure scale was just wrong. For the others, the scale
+factors were not taking into account that a 32bit word is being read
+from the device.
+
+Fixes: 7abad1063deb ("iio: adis16480: Fix scale factors")
+Fixes: 82e7a1b25017 ("iio: imu: adis16480: Add support for ADIS1649x family of devices")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/adis16480.c | 77 +++++++++++++++++++++++---------------------
+ 1 file changed, 41 insertions(+), 36 deletions(-)
+
+--- a/drivers/iio/imu/adis16480.c
++++ b/drivers/iio/imu/adis16480.c
+@@ -623,9 +623,13 @@ static int adis16480_read_raw(struct iio
+ *val2 = (st->chip_info->temp_scale % 1000) * 1000;
+ return IIO_VAL_INT_PLUS_MICRO;
+ case IIO_PRESSURE:
+- *val = 0;
+- *val2 = 4000; /* 40ubar = 0.004 kPa */
+- return IIO_VAL_INT_PLUS_MICRO;
++ /*
++ * max scale is 1310 mbar
++ * max raw value is 32767 shifted for 32bits
++ */
++ *val = 131; /* 1310mbar = 131 kPa */
++ *val2 = 32767 << 16;
++ return IIO_VAL_FRACTIONAL;
+ default:
+ return -EINVAL;
+ }
+@@ -786,13 +790,14 @@ static const struct adis16480_chip_info
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+ /*
+- * storing the value in rad/degree and the scale in degree
+- * gives us the result in rad and better precession than
+- * storing the scale directly in rad.
++ * Typically we do IIO_RAD_TO_DEGREE in the denominator, which
++ * is exactly the same as IIO_DEGREE_TO_RAD in numerator, since
++ * it gives better approximation. However, in this case we
++ * cannot do it since it would not fit in a 32bit variable.
+ */
+- .gyro_max_val = IIO_RAD_TO_DEGREE(22887),
+- .gyro_max_scale = 300,
+- .accel_max_val = IIO_M_S_2_TO_G(21973),
++ .gyro_max_val = 22887 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(300),
++ .accel_max_val = IIO_M_S_2_TO_G(21973 << 16),
+ .accel_max_scale = 18,
+ .temp_scale = 5650, /* 5.65 milli degree Celsius */
+ .int_clk = 2460000,
+@@ -802,9 +807,9 @@ static const struct adis16480_chip_info
+ [ADIS16480] = {
+ .channels = adis16480_channels,
+ .num_channels = ARRAY_SIZE(adis16480_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+- .gyro_max_scale = 450,
+- .accel_max_val = IIO_M_S_2_TO_G(12500),
++ .gyro_max_val = 22500 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(450),
++ .accel_max_val = IIO_M_S_2_TO_G(12500 << 16),
+ .accel_max_scale = 10,
+ .temp_scale = 5650, /* 5.65 milli degree Celsius */
+ .int_clk = 2460000,
+@@ -814,9 +819,9 @@ static const struct adis16480_chip_info
+ [ADIS16485] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+- .gyro_max_scale = 450,
+- .accel_max_val = IIO_M_S_2_TO_G(20000),
++ .gyro_max_val = 22500 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(450),
++ .accel_max_val = IIO_M_S_2_TO_G(20000 << 16),
+ .accel_max_scale = 5,
+ .temp_scale = 5650, /* 5.65 milli degree Celsius */
+ .int_clk = 2460000,
+@@ -826,9 +831,9 @@ static const struct adis16480_chip_info
+ [ADIS16488] = {
+ .channels = adis16480_channels,
+ .num_channels = ARRAY_SIZE(adis16480_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(22500),
+- .gyro_max_scale = 450,
+- .accel_max_val = IIO_M_S_2_TO_G(22500),
++ .gyro_max_val = 22500 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(450),
++ .accel_max_val = IIO_M_S_2_TO_G(22500 << 16),
+ .accel_max_scale = 18,
+ .temp_scale = 5650, /* 5.65 milli degree Celsius */
+ .int_clk = 2460000,
+@@ -838,9 +843,9 @@ static const struct adis16480_chip_info
+ [ADIS16495_1] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(20000),
+- .gyro_max_scale = 125,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 20000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(125),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 8,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
+@@ -851,9 +856,9 @@ static const struct adis16480_chip_info
+ [ADIS16495_2] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(18000),
+- .gyro_max_scale = 450,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 18000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(450),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 8,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
+@@ -864,9 +869,9 @@ static const struct adis16480_chip_info
+ [ADIS16495_3] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(20000),
+- .gyro_max_scale = 2000,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 20000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(2000),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 8,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
+@@ -877,9 +882,9 @@ static const struct adis16480_chip_info
+ [ADIS16497_1] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(20000),
+- .gyro_max_scale = 125,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 20000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(125),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 40,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
+@@ -890,9 +895,9 @@ static const struct adis16480_chip_info
+ [ADIS16497_2] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(18000),
+- .gyro_max_scale = 450,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 18000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(450),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 40,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
+@@ -903,9 +908,9 @@ static const struct adis16480_chip_info
+ [ADIS16497_3] = {
+ .channels = adis16485_channels,
+ .num_channels = ARRAY_SIZE(adis16485_channels),
+- .gyro_max_val = IIO_RAD_TO_DEGREE(20000),
+- .gyro_max_scale = 2000,
+- .accel_max_val = IIO_M_S_2_TO_G(32000),
++ .gyro_max_val = 20000 << 16,
++ .gyro_max_scale = IIO_DEGREE_TO_RAD(2000),
++ .accel_max_val = IIO_M_S_2_TO_G(32000 << 16),
+ .accel_max_scale = 40,
+ .temp_scale = 12500, /* 12.5 milli degree Celsius */
+ .int_clk = 4250000,
--- /dev/null
+From 342a6928bd5017edbdae376042d8ad6af3d3b943 Mon Sep 17 00:00:00 2001
+From: Chris Lesiak <chris.lesiak@licor.com>
+Date: Thu, 21 Nov 2019 20:39:42 +0000
+Subject: iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
+
+From: Chris Lesiak <chris.lesiak@licor.com>
+
+commit 342a6928bd5017edbdae376042d8ad6af3d3b943 upstream.
+
+The IIO_HUMIDITYRELATIVE channel was being incorrectly reported back
+as percent when it should have been milli percent. This is via an
+incorrect scale value being returned to userspace.
+
+Signed-off-by: Chris Lesiak <chris.lesiak@licor.com>
+Acked-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/humidity/hdc100x.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/humidity/hdc100x.c
++++ b/drivers/iio/humidity/hdc100x.c
+@@ -229,7 +229,7 @@ static int hdc100x_read_raw(struct iio_d
+ *val2 = 65536;
+ return IIO_VAL_FRACTIONAL;
+ } else {
+- *val = 100;
++ *val = 100000;
+ *val2 = 65536;
+ return IIO_VAL_FRACTIONAL;
+ }
--- /dev/null
+From 53eaa9c27fdc01b4f4d885223e29f97393409e7e Mon Sep 17 00:00:00 2001
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Date: Tue, 26 Nov 2019 17:19:12 +0100
+Subject: iio: imu: inv_mpu6050: fix temperature reporting using bad unit
+
+From: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+
+commit 53eaa9c27fdc01b4f4d885223e29f97393409e7e upstream.
+
+Temperature should be reported in milli-degrees, not degrees. Fix
+scale and offset values to use the correct unit.
+
+This is a fix for an issue that has been present for a long time.
+The fixes tag reflects the point at which the code last changed in a
+fashion that would make this fix patch no longer apply. Backports
+will be necessary to fix those elements that predate that patch.
+
+Fixes: 1615fe41a195 ("iio: imu: mpu6050: Fix FIFO layout for ICM20602")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 23 ++++++++++++-----------
+ drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h | 16 ++++++++++++----
+ 2 files changed, 24 insertions(+), 15 deletions(-)
+
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -115,6 +115,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
+ .fifo_size = 1024,
++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU6500_WHOAMI_VALUE,
+@@ -122,6 +123,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ .fifo_size = 512,
++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU6515_WHOAMI_VALUE,
+@@ -129,6 +131,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ .fifo_size = 512,
++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU6000_WHOAMI_VALUE,
+@@ -136,6 +139,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
+ .fifo_size = 1024,
++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU9150_WHOAMI_VALUE,
+@@ -143,6 +147,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6050,
+ .config = &chip_config_6050,
+ .fifo_size = 1024,
++ .temp = {INV_MPU6050_TEMP_OFFSET, INV_MPU6050_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU9250_WHOAMI_VALUE,
+@@ -150,6 +155,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ .fifo_size = 512,
++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_MPU9255_WHOAMI_VALUE,
+@@ -157,6 +163,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ .fifo_size = 512,
++ .temp = {INV_MPU6500_TEMP_OFFSET, INV_MPU6500_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_ICM20608_WHOAMI_VALUE,
+@@ -164,6 +171,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_6500,
+ .config = &chip_config_6050,
+ .fifo_size = 512,
++ .temp = {INV_ICM20608_TEMP_OFFSET, INV_ICM20608_TEMP_SCALE},
+ },
+ {
+ .whoami = INV_ICM20602_WHOAMI_VALUE,
+@@ -171,6 +179,7 @@ static const struct inv_mpu6050_hw hw_in
+ .reg = ®_set_icm20602,
+ .config = &chip_config_6050,
+ .fifo_size = 1008,
++ .temp = {INV_ICM20608_TEMP_OFFSET, INV_ICM20608_TEMP_SCALE},
+ },
+ };
+
+@@ -471,12 +480,8 @@ inv_mpu6050_read_raw(struct iio_dev *ind
+
+ return IIO_VAL_INT_PLUS_MICRO;
+ case IIO_TEMP:
+- *val = 0;
+- if (st->chip_type == INV_ICM20602)
+- *val2 = INV_ICM20602_TEMP_SCALE;
+- else
+- *val2 = INV_MPU6050_TEMP_SCALE;
+-
++ *val = st->hw->temp.scale / 1000000;
++ *val2 = st->hw->temp.scale % 1000000;
+ return IIO_VAL_INT_PLUS_MICRO;
+ default:
+ return -EINVAL;
+@@ -484,11 +489,7 @@ inv_mpu6050_read_raw(struct iio_dev *ind
+ case IIO_CHAN_INFO_OFFSET:
+ switch (chan->type) {
+ case IIO_TEMP:
+- if (st->chip_type == INV_ICM20602)
+- *val = INV_ICM20602_TEMP_OFFSET;
+- else
+- *val = INV_MPU6050_TEMP_OFFSET;
+-
++ *val = st->hw->temp.offset;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_iio.h
+@@ -101,6 +101,7 @@ struct inv_mpu6050_chip_config {
+ * @reg: register map of the chip.
+ * @config: configuration of the chip.
+ * @fifo_size: size of the FIFO in bytes.
++ * @temp: offset and scale to apply to raw temperature.
+ */
+ struct inv_mpu6050_hw {
+ u8 whoami;
+@@ -108,6 +109,10 @@ struct inv_mpu6050_hw {
+ const struct inv_mpu6050_reg_map *reg;
+ const struct inv_mpu6050_chip_config *config;
+ size_t fifo_size;
++ struct {
++ int offset;
++ int scale;
++ } temp;
+ };
+
+ /*
+@@ -218,16 +223,19 @@ struct inv_mpu6050_state {
+ #define INV_MPU6050_REG_UP_TIME_MIN 5000
+ #define INV_MPU6050_REG_UP_TIME_MAX 10000
+
+-#define INV_MPU6050_TEMP_OFFSET 12421
+-#define INV_MPU6050_TEMP_SCALE 2941
++#define INV_MPU6050_TEMP_OFFSET 12420
++#define INV_MPU6050_TEMP_SCALE 2941176
+ #define INV_MPU6050_MAX_GYRO_FS_PARAM 3
+ #define INV_MPU6050_MAX_ACCL_FS_PARAM 3
+ #define INV_MPU6050_THREE_AXIS 3
+ #define INV_MPU6050_GYRO_CONFIG_FSR_SHIFT 3
+ #define INV_MPU6050_ACCL_CONFIG_FSR_SHIFT 3
+
+-#define INV_ICM20602_TEMP_OFFSET 8170
+-#define INV_ICM20602_TEMP_SCALE 3060
++#define INV_MPU6500_TEMP_OFFSET 7011
++#define INV_MPU6500_TEMP_SCALE 2995178
++
++#define INV_ICM20608_TEMP_OFFSET 8170
++#define INV_ICM20608_TEMP_SCALE 3059976
+
+ /* 6 + 6 round up and plus 8 */
+ #define INV_MPU6050_OUTPUT_DATA_SIZE 24
--- /dev/null
+From b29b8113bb41285eb7ed55ce0c65017b5c0240f7 Mon Sep 17 00:00:00 2001
+From: Georgi Djakov <georgi.djakov@linaro.org>
+Date: Thu, 12 Dec 2019 09:53:30 +0200
+Subject: interconnect: qcom: sdm845: Walk the list safely on node removal
+
+From: Georgi Djakov <georgi.djakov@linaro.org>
+
+commit b29b8113bb41285eb7ed55ce0c65017b5c0240f7 upstream.
+
+As we will remove items off the list using list_del(), we need to use the
+safe version of list_for_each_entry().
+
+Fixes: b5d2f741077a ("interconnect: qcom: Add sdm845 interconnect provider driver")
+Reported-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Signed-off-by: Georgi Djakov <georgi.djakov@linaro.org>
+Cc: <stable@vger.kernel.org> # v5.3+
+Link: https://lore.kernel.org/r/20191212075332.16202-3-georgi.djakov@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/interconnect/qcom/sdm845.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/interconnect/qcom/sdm845.c
++++ b/drivers/interconnect/qcom/sdm845.c
+@@ -807,9 +807,9 @@ static int qnoc_remove(struct platform_d
+ {
+ struct qcom_icc_provider *qp = platform_get_drvdata(pdev);
+ struct icc_provider *provider = &qp->provider;
+- struct icc_node *n;
++ struct icc_node *n, *tmp;
+
+- list_for_each_entry(n, &provider->nodes, node_list) {
++ list_for_each_entry_safe(n, tmp, &provider->nodes, node_list) {
+ icc_node_del(n);
+ icc_node_destroy(n->id);
+ }
usb-documentation-flags-on-usb-storage-versus-uas.patch
usb-allow-usb-device-to-be-warm-reset-in-suspended-state.patch
usb-host-xhci-tegra-correct-phy-enable-sequence.patch
+binder-fix-incorrect-calculation-for-num_valid.patch
+staging-rtl8188eu-fix-interface-sanity-check.patch
+staging-rtl8712-fix-interface-sanity-check.patch
+staging-vchiq-call-unregister_chrdev_region-when-driver-registration-fails.patch
+staging-gigaset-fix-general-protection-fault-on-probe.patch
+staging-gigaset-fix-illegal-free-on-probe-errors.patch
+staging-gigaset-add-endpoint-type-sanity-check.patch
+usb-xhci-only-set-d3hot-for-pci-device.patch
+xhci-fix-memory-leak-in-xhci_add_in_port.patch
+xhci-fix-usb3-device-initiated-resume-race-with-roothub-autosuspend.patch
+xhci-increase-sts_halt-timeout-in-xhci_suspend.patch
+xhci-handle-some-xhci_trust_tx_length-quirks-cases-as-default-behaviour.patch
+xhci-make-sure-interrupts-are-restored-to-correct-state.patch
+interconnect-qcom-sdm845-walk-the-list-safely-on-node-removal.patch
+arm-dts-pandora-common-define-wl1251-as-child-node-of-mmc3.patch
+iio-adis16480-add-debugfs_reg_access-entry.patch
+iio-adis16480-fix-scales-factors.patch
+iio-humidity-hdc100x-fix-iio_humidityrelative-channel-reporting.patch
+iio-imu-inv_mpu6050-fix-temperature-reporting-using-bad-unit.patch
+iio-adc-ad7606-fix-reading-unnecessary-data-from-device.patch
+iio-adc-ad7124-enable-internal-reference.patch
+usb-atm-ueagle-atm-add-missing-endpoint-check.patch
+usb-idmouse-fix-interface-sanity-checks.patch
+usb-serial-io_edgeport-fix-epic-endpoint-lookup.patch
+usb-roles-fix-a-potential-use-after-free.patch
+usb-adutux-fix-interface-sanity-check.patch
--- /dev/null
+From ed9ed5a89acba51b82bdff61144d4e4a4245ec8a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:10 +0100
+Subject: staging: gigaset: add endpoint-type sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ed9ed5a89acba51b82bdff61144d4e4a4245ec8a upstream.
+
+Add missing endpoint-type sanity checks to probe.
+
+This specifically prevents a warning in USB core on URB submission when
+fuzzing USB descriptors.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/isdn/gigaset/usb-gigaset.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
++++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
+@@ -705,6 +705,12 @@ static int gigaset_probe(struct usb_inte
+
+ endpoint = &hostif->endpoint[0].desc;
+
++ if (!usb_endpoint_is_bulk_out(endpoint)) {
++ dev_err(&interface->dev, "missing bulk-out endpoint\n");
++ retval = -ENODEV;
++ goto error;
++ }
++
+ buffer_size = le16_to_cpu(endpoint->wMaxPacketSize);
+ ucs->bulk_out_size = buffer_size;
+ ucs->bulk_out_epnum = usb_endpoint_num(endpoint);
+@@ -724,6 +730,12 @@ static int gigaset_probe(struct usb_inte
+
+ endpoint = &hostif->endpoint[1].desc;
+
++ if (!usb_endpoint_is_int_in(endpoint)) {
++ dev_err(&interface->dev, "missing int-in endpoint\n");
++ retval = -ENODEV;
++ goto error;
++ }
++
+ ucs->busy = 0;
+
+ ucs->read_urb = usb_alloc_urb(0, GFP_KERNEL);
--- /dev/null
+From 53f35a39c3860baac1e5ca80bf052751cfb24a99 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:08 +0100
+Subject: staging: gigaset: fix general protection fault on probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 53f35a39c3860baac1e5ca80bf052751cfb24a99 upstream.
+
+Fix a general protection fault when accessing the endpoint descriptors
+which could be triggered by a malicious device due to missing sanity
+checks on the number of endpoints.
+
+Reported-by: syzbot+35b1c403a14f5c89eba7@syzkaller.appspotmail.com
+Fixes: 07dc1f9f2f80 ("[PATCH] isdn4linux: Siemens Gigaset drivers - M105 USB DECT adapter")
+Cc: stable <stable@vger.kernel.org> # 2.6.17
+Cc: Hansjoerg Lipp <hjlipp@web.de>
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/isdn/gigaset/usb-gigaset.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
++++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
+@@ -685,6 +685,11 @@ static int gigaset_probe(struct usb_inte
+ return -ENODEV;
+ }
+
++ if (hostif->desc.bNumEndpoints < 2) {
++ dev_err(&interface->dev, "missing endpoints\n");
++ return -ENODEV;
++ }
++
+ dev_info(&udev->dev, "%s: Device matched ... !\n", __func__);
+
+ /* allocate memory for our device state and initialize it */
--- /dev/null
+From 84f60ca7b326ed8c08582417493982fe2573a9ad Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 2 Dec 2019 09:56:09 +0100
+Subject: staging: gigaset: fix illegal free on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 84f60ca7b326ed8c08582417493982fe2573a9ad upstream.
+
+The driver failed to initialise its receive-buffer pointer, something
+which could lead to an illegal free on late probe errors.
+
+Fix this by making sure to clear all driver data at allocation.
+
+Fixes: 2032e2c2309d ("usb_gigaset: code cleanup")
+Cc: stable <stable@vger.kernel.org> # 2.6.33
+Cc: Tilman Schmidt <tilman@imap.cc>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191202085610.12719-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/isdn/gigaset/usb-gigaset.c | 6 +-----
+ 1 file changed, 1 insertion(+), 5 deletions(-)
+
+--- a/drivers/staging/isdn/gigaset/usb-gigaset.c
++++ b/drivers/staging/isdn/gigaset/usb-gigaset.c
+@@ -571,8 +571,7 @@ static int gigaset_initcshw(struct cards
+ {
+ struct usb_cardstate *ucs;
+
+- cs->hw.usb = ucs =
+- kmalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
++ cs->hw.usb = ucs = kzalloc(sizeof(struct usb_cardstate), GFP_KERNEL);
+ if (!ucs) {
+ pr_err("out of memory\n");
+ return -ENOMEM;
+@@ -584,9 +583,6 @@ static int gigaset_initcshw(struct cards
+ ucs->bchars[3] = 0;
+ ucs->bchars[4] = 0x11;
+ ucs->bchars[5] = 0x13;
+- ucs->bulk_out_buffer = NULL;
+- ucs->bulk_out_urb = NULL;
+- ucs->read_urb = NULL;
+ tasklet_init(&cs->write_tasklet,
+ gigaset_modem_fill, (unsigned long) cs);
+
--- /dev/null
+From 74ca34118a0e05793935d804ccffcedd6eb56596 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:50 +0100
+Subject: staging: rtl8188eu: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 74ca34118a0e05793935d804ccffcedd6eb56596 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: c2478d39076b ("staging: r8188eu: Add files for new driver - part 20")
+Cc: stable <stable@vger.kernel.org> # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -70,7 +70,7 @@ static struct dvobj_priv *usb_dvobj_init
+ phost_conf = pusbd->actconfig;
+ pconf_desc = &phost_conf->desc;
+
+- phost_iface = &usb_intf->altsetting[0];
++ phost_iface = usb_intf->cur_altsetting;
+ piface_desc = &phost_iface->desc;
+
+ pdvobjpriv->NumInterfaces = pconf_desc->bNumInterfaces;
--- /dev/null
+From c724f776f048538ecfdf53a52b7a522309f5c504 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:47:51 +0100
+Subject: staging: rtl8712: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c724f776f048538ecfdf53a52b7a522309f5c504 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Cc: stable <stable@vger.kernel.org> # 2.6.37
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210114751.5119-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/usb_intf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -247,7 +247,7 @@ static uint r8712_usb_dvobj_init(struct
+
+ pdvobjpriv->padapter = padapter;
+ padapter->eeprom_address_size = 6;
+- phost_iface = &pintf->altsetting[0];
++ phost_iface = pintf->cur_altsetting;
+ piface_desc = &phost_iface->desc;
+ pdvobjpriv->nr_endpoint = piface_desc->bNumEndpoints;
+ if (pusbd->speed == USB_SPEED_HIGH) {
--- /dev/null
+From d2cdb20507fe2079a146459f9718b45d78cbbe61 Mon Sep 17 00:00:00 2001
+From: Marcelo Diop-Gonzalez <marcgonzalez@google.com>
+Date: Tue, 3 Dec 2019 10:39:21 -0500
+Subject: staging: vchiq: call unregister_chrdev_region() when driver registration fails
+
+From: Marcelo Diop-Gonzalez <marcgonzalez@google.com>
+
+commit d2cdb20507fe2079a146459f9718b45d78cbbe61 upstream.
+
+This undoes the previous call to alloc_chrdev_region() on failure,
+and is probably what was meant originally given the label name.
+
+Signed-off-by: Marcelo Diop-Gonzalez <marcgonzalez@google.com>
+Cc: stable <stable@vger.kernel.org>
+Fixes: 187ac53e590c ("staging: vchiq_arm: rework probe and init functions")
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Nicolas Saenz Julienne <nsaenzjulienne@suse.de>
+Link: https://lore.kernel.org/r/20191203153921.70540-1-marcgonzalez@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
++++ b/drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c
+@@ -3300,7 +3300,7 @@ static int __init vchiq_driver_init(void
+ return 0;
+
+ region_unregister:
+- platform_driver_unregister(&vchiq_driver);
++ unregister_chrdev_region(vchiq_devid, 1);
+
+ class_destroy:
+ class_destroy(vchiq_class);
--- /dev/null
+From 3c11c4bed02b202e278c0f5c319ae435d7fb9815 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:59 +0100
+Subject: USB: adutux: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3c11c4bed02b202e278c0f5c319ae435d7fb9815 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 03270634e242 ("USB: Add ADU support for Ontrak ADU devices")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/adutux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/adutux.c
++++ b/drivers/usb/misc/adutux.c
+@@ -669,7 +669,7 @@ static int adu_probe(struct usb_interfac
+ init_waitqueue_head(&dev->read_wait);
+ init_waitqueue_head(&dev->write_wait);
+
+- res = usb_find_common_endpoints_reverse(&interface->altsetting[0],
++ res = usb_find_common_endpoints_reverse(interface->cur_altsetting,
+ NULL, NULL,
+ &dev->interrupt_in_endpoint,
+ &dev->interrupt_out_endpoint);
--- /dev/null
+From 09068c1ad53fb077bdac288869dec2435420bdc4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:25:58 +0100
+Subject: USB: atm: ueagle-atm: add missing endpoint check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 09068c1ad53fb077bdac288869dec2435420bdc4 upstream.
+
+Make sure that the interrupt interface has an endpoint before trying to
+access its endpoint descriptors to avoid dereferencing a NULL pointer.
+
+The driver binds to the interrupt interface with interface number 0, but
+must not assume that this interface or its current alternate setting are
+the first entries in the corresponding configuration arrays.
+
+Fixes: b72458a80c75 ("[PATCH] USB: Eagle and ADI 930 usb adsl modem driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.16
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/atm/ueagle-atm.c | 18 ++++++++++++------
+ 1 file changed, 12 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/atm/ueagle-atm.c
++++ b/drivers/usb/atm/ueagle-atm.c
+@@ -2124,10 +2124,11 @@ resubmit:
+ /*
+ * Start the modem : init the data and start kernel thread
+ */
+-static int uea_boot(struct uea_softc *sc)
++static int uea_boot(struct uea_softc *sc, struct usb_interface *intf)
+ {
+- int ret, size;
+ struct intr_pkt *intr;
++ int ret = -ENOMEM;
++ int size;
+
+ uea_enters(INS_TO_USBDEV(sc));
+
+@@ -2152,6 +2153,11 @@ static int uea_boot(struct uea_softc *sc
+ if (UEA_CHIP_VERSION(sc) == ADI930)
+ load_XILINX_firmware(sc);
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
++ ret = -ENODEV;
++ goto err0;
++ }
++
+ intr = kmalloc(size, GFP_KERNEL);
+ if (!intr)
+ goto err0;
+@@ -2163,8 +2169,7 @@ static int uea_boot(struct uea_softc *sc
+ usb_fill_int_urb(sc->urb_int, sc->usb_dev,
+ usb_rcvintpipe(sc->usb_dev, UEA_INTR_PIPE),
+ intr, size, uea_intr, sc,
+- sc->usb_dev->actconfig->interface[0]->altsetting[0].
+- endpoint[0].desc.bInterval);
++ intf->cur_altsetting->endpoint[0].desc.bInterval);
+
+ ret = usb_submit_urb(sc->urb_int, GFP_KERNEL);
+ if (ret < 0) {
+@@ -2179,6 +2184,7 @@ static int uea_boot(struct uea_softc *sc
+ sc->kthread = kthread_create(uea_kthread, sc, "ueagle-atm");
+ if (IS_ERR(sc->kthread)) {
+ uea_err(INS_TO_USBDEV(sc), "failed to create thread\n");
++ ret = PTR_ERR(sc->kthread);
+ goto err2;
+ }
+
+@@ -2193,7 +2199,7 @@ err1:
+ kfree(intr);
+ err0:
+ uea_leaves(INS_TO_USBDEV(sc));
+- return -ENOMEM;
++ return ret;
+ }
+
+ /*
+@@ -2554,7 +2560,7 @@ static int uea_bind(struct usbatm_data *
+ if (ret < 0)
+ goto error;
+
+- ret = uea_boot(sc);
++ ret = uea_boot(sc, intf);
+ if (ret < 0)
+ goto error_rm_grp;
+
--- /dev/null
+From 59920635b89d74b9207ea803d5e91498d39e8b69 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:00 +0100
+Subject: USB: idmouse: fix interface sanity checks
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 59920635b89d74b9207ea803d5e91498d39e8b69 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-4-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/idmouse.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -337,7 +337,7 @@ static int idmouse_probe(struct usb_inte
+ int result;
+
+ /* check if we have gotten the data or the hid interface */
+- iface_desc = &interface->altsetting[0];
++ iface_desc = interface->cur_altsetting;
+ if (iface_desc->desc.bInterfaceClass != 0x0A)
+ return -ENODEV;
+
--- /dev/null
+From 1848a543191ae32e558bb0a5974ae7c38ebd86fc Mon Sep 17 00:00:00 2001
+From: Wen Yang <wenyang@linux.alibaba.com>
+Date: Sun, 24 Nov 2019 22:22:36 +0800
+Subject: usb: roles: fix a potential use after free
+
+From: Wen Yang <wenyang@linux.alibaba.com>
+
+commit 1848a543191ae32e558bb0a5974ae7c38ebd86fc upstream.
+
+Free the sw structure only after we are done using it.
+This patch just moves the put_device() down a bit to avoid the
+use after free.
+
+Fixes: 5c54fcac9a9d ("usb: roles: Take care of driver module reference counting")
+Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Peter Chen <peter.chen@nxp.com>
+Cc: stable <stable@vger.kernel.org>
+Cc: Hans de Goede <hdegoede@redhat.com>
+Cc: Chunfeng Yun <chunfeng.yun@mediatek.com>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Cc: linux-usb@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Link: https://lore.kernel.org/r/20191124142236.25671-1-wenyang@linux.alibaba.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/roles/class.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/roles/class.c
++++ b/drivers/usb/roles/class.c
+@@ -144,8 +144,8 @@ EXPORT_SYMBOL_GPL(usb_role_switch_get);
+ void usb_role_switch_put(struct usb_role_switch *sw)
+ {
+ if (!IS_ERR_OR_NULL(sw)) {
+- put_device(&sw->dev);
+ module_put(sw->dev.parent->driver->owner);
++ put_device(&sw->dev);
+ }
+ }
+ EXPORT_SYMBOL_GPL(usb_role_switch_put);
--- /dev/null
+From 7c5a2df3367a2c4984f1300261345817d95b71f8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:26:01 +0100
+Subject: USB: serial: io_edgeport: fix epic endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7c5a2df3367a2c4984f1300261345817d95b71f8 upstream.
+
+Make sure to use the current alternate setting when looking up the
+endpoints on epic devices to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 6e8cf7751f9f ("USB: add EPIC support to the io_edgeport driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.21
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191210112601.3561-5-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_edgeport.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -2901,16 +2901,18 @@ static int edge_startup(struct usb_seria
+ response = 0;
+
+ if (edge_serial->is_epic) {
++ struct usb_host_interface *alt;
++
++ alt = serial->interface->cur_altsetting;
++
+ /* EPIC thing, set up our interrupt polling now and our read
+ * urb, so that the device knows it really is connected. */
+ interrupt_in_found = bulk_in_found = bulk_out_found = false;
+- for (i = 0; i < serial->interface->altsetting[0]
+- .desc.bNumEndpoints; ++i) {
++ for (i = 0; i < alt->desc.bNumEndpoints; ++i) {
+ struct usb_endpoint_descriptor *endpoint;
+ int buffer_size;
+
+- endpoint = &serial->interface->altsetting[0].
+- endpoint[i].desc;
++ endpoint = &alt->endpoint[i].desc;
+ buffer_size = usb_endpoint_maxp(endpoint);
+ if (!interrupt_in_found &&
+ (usb_endpoint_is_int_in(endpoint))) {
--- /dev/null
+From f2c710f7dca8457e88b4ac9de2060f011254f9dd Mon Sep 17 00:00:00 2001
+From: Henry Lin <henryl@nvidia.com>
+Date: Wed, 11 Dec 2019 16:20:04 +0200
+Subject: usb: xhci: only set D3hot for pci device
+
+From: Henry Lin <henryl@nvidia.com>
+
+commit f2c710f7dca8457e88b4ac9de2060f011254f9dd upstream.
+
+Xhci driver cannot call pci_set_power_state() on non-pci xhci host
+controllers. For example, NVIDIA Tegra XHCI host controller which acts
+as platform device with XHCI_SPURIOUS_WAKEUP quirk set in some platform
+hits this issue during shutdown.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 638298dc66ea ("xhci: Fix spurious wakeups after S5 on Haswell")
+Signed-off-by: Henry Lin <henryl@nvidia.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c | 13 +++++++++++++
+ drivers/usb/host/xhci.c | 7 ++-----
+ drivers/usb/host/xhci.h | 1 +
+ 3 files changed, 16 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -519,6 +519,18 @@ static int xhci_pci_resume(struct usb_hc
+ }
+ #endif /* CONFIG_PM */
+
++static void xhci_pci_shutdown(struct usb_hcd *hcd)
++{
++ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
++ struct pci_dev *pdev = to_pci_dev(hcd->self.controller);
++
++ xhci_shutdown(hcd);
++
++ /* Yet another workaround for spurious wakeups at shutdown with HSW */
++ if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
++ pci_set_power_state(pdev, PCI_D3hot);
++}
++
+ /*-------------------------------------------------------------------------*/
+
+ /* PCI driver selection metadata; PCI hotplugging uses this */
+@@ -554,6 +566,7 @@ static int __init xhci_pci_init(void)
+ #ifdef CONFIG_PM
+ xhci_pci_hc_driver.pci_suspend = xhci_pci_suspend;
+ xhci_pci_hc_driver.pci_resume = xhci_pci_resume;
++ xhci_pci_hc_driver.shutdown = xhci_pci_shutdown;
+ #endif
+ return pci_register_driver(&xhci_pci_driver);
+ }
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -770,7 +770,7 @@ static void xhci_stop(struct usb_hcd *hc
+ *
+ * This will only ever be called with the main usb_hcd (the USB3 roothub).
+ */
+-static void xhci_shutdown(struct usb_hcd *hcd)
++void xhci_shutdown(struct usb_hcd *hcd)
+ {
+ struct xhci_hcd *xhci = hcd_to_xhci(hcd);
+
+@@ -789,11 +789,8 @@ static void xhci_shutdown(struct usb_hcd
+ xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+ "xhci_shutdown completed - status = %x",
+ readl(&xhci->op_regs->status));
+-
+- /* Yet another workaround for spurious wakeups at shutdown with HSW */
+- if (xhci->quirks & XHCI_SPURIOUS_WAKEUP)
+- pci_set_power_state(to_pci_dev(hcd->self.sysdev), PCI_D3hot);
+ }
++EXPORT_SYMBOL_GPL(xhci_shutdown);
+
+ #ifdef CONFIG_PM
+ static void xhci_save_registers(struct xhci_hcd *xhci)
+--- a/drivers/usb/host/xhci.h
++++ b/drivers/usb/host/xhci.h
+@@ -2050,6 +2050,7 @@ int xhci_start(struct xhci_hcd *xhci);
+ int xhci_reset(struct xhci_hcd *xhci);
+ int xhci_run(struct usb_hcd *hcd);
+ int xhci_gen_setup(struct usb_hcd *hcd, xhci_get_quirks_t get_quirks);
++void xhci_shutdown(struct usb_hcd *hcd);
+ void xhci_init_driver(struct hc_driver *drv,
+ const struct xhci_driver_overrides *over);
+ int xhci_disable_slot(struct xhci_hcd *xhci, u32 slot_id);
--- /dev/null
+From ce91f1a43b37463f517155bdfbd525eb43adbd1a Mon Sep 17 00:00:00 2001
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:02 +0200
+Subject: xhci: Fix memory leak in xhci_add_in_port()
+
+From: Mika Westerberg <mika.westerberg@linux.intel.com>
+
+commit ce91f1a43b37463f517155bdfbd525eb43adbd1a upstream.
+
+When xHCI is part of Alpine or Titan Ridge Thunderbolt controller and
+the xHCI device is hot-removed as a result of unplugging a dock for
+example, the driver leaks memory it allocates for xhci->usb3_rhub.psi
+and xhci->usb2_rhub.psi in xhci_add_in_port() as reported by kmemleak:
+
+unreferenced object 0xffff922c24ef42f0 (size 16):
+ comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s)
+ hex dump (first 16 bytes):
+ 21 00 0c 00 12 00 dc 05 23 00 e0 01 00 00 00 00 !.......#.......
+ backtrace:
+ [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7
+ [<0000000001b6d775>] xhci_init+0x7c/0x160
+ [<00000000db443fe3>] xhci_gen_setup+0x214/0x340
+ [<00000000fdffd320>] xhci_pci_setup+0x48/0x110
+ [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747
+ [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4
+ [<0000000021043861>] xhci_pci_probe+0x24/0x1c0
+ [<00000000b9231f25>] local_pci_probe+0x3d/0x70
+ [<000000006385c9d7>] pci_device_probe+0xd0/0x150
+ [<0000000070241068>] really_probe+0xf5/0x3c0
+ [<0000000061f35c0a>] driver_probe_device+0x58/0x100
+ [<000000009da11198>] bus_for_each_drv+0x79/0xc0
+ [<000000009ce45f69>] __device_attach+0xda/0x160
+ [<00000000df201aaf>] pci_bus_add_device+0x46/0x70
+ [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60
+ [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60
+unreferenced object 0xffff922c24ef3318 (size 8):
+ comm "kworker/u16:2", pid 178, jiffies 4294711640 (age 956.620s)
+ hex dump (first 8 bytes):
+ 34 01 05 00 35 41 0a 00 4...5A..
+ backtrace:
+ [<000000007ac80914>] xhci_mem_init+0xcf8/0xeb7
+ [<0000000001b6d775>] xhci_init+0x7c/0x160
+ [<00000000db443fe3>] xhci_gen_setup+0x214/0x340
+ [<00000000fdffd320>] xhci_pci_setup+0x48/0x110
+ [<00000000541e1e03>] usb_add_hcd.cold+0x265/0x747
+ [<00000000ca47a56b>] usb_hcd_pci_probe+0x219/0x3b4
+ [<0000000021043861>] xhci_pci_probe+0x24/0x1c0
+ [<00000000b9231f25>] local_pci_probe+0x3d/0x70
+ [<000000006385c9d7>] pci_device_probe+0xd0/0x150
+ [<0000000070241068>] really_probe+0xf5/0x3c0
+ [<0000000061f35c0a>] driver_probe_device+0x58/0x100
+ [<000000009da11198>] bus_for_each_drv+0x79/0xc0
+ [<000000009ce45f69>] __device_attach+0xda/0x160
+ [<00000000df201aaf>] pci_bus_add_device+0x46/0x70
+ [<0000000088a1bc48>] pci_bus_add_devices+0x27/0x60
+ [<00000000ad9ee708>] pci_bus_add_devices+0x52/0x60
+
+Fix this by calling kfree() for the both psi objects in
+xhci_mem_cleanup().
+
+Cc: <stable@vger.kernel.org> # 4.4+
+Fixes: 47189098f8be ("xhci: parse xhci protocol speed ID list for usb 3.1 usage")
+Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1909,13 +1909,17 @@ no_bw:
+ xhci->usb3_rhub.num_ports = 0;
+ xhci->num_active_eps = 0;
+ kfree(xhci->usb2_rhub.ports);
++ kfree(xhci->usb2_rhub.psi);
+ kfree(xhci->usb3_rhub.ports);
++ kfree(xhci->usb3_rhub.psi);
+ kfree(xhci->hw_ports);
+ kfree(xhci->rh_bw);
+ kfree(xhci->ext_caps);
+
+ xhci->usb2_rhub.ports = NULL;
++ xhci->usb2_rhub.psi = NULL;
+ xhci->usb3_rhub.ports = NULL;
++ xhci->usb3_rhub.psi = NULL;
+ xhci->hw_ports = NULL;
+ xhci->rh_bw = NULL;
+ xhci->ext_caps = NULL;
--- /dev/null
+From 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:03 +0200
+Subject: xhci: fix USB3 device initiated resume race with roothub autosuspend
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 057d476fff778f1d3b9f861fdb5437ea1a3cfc99 upstream.
+
+A race in xhci USB3 remote wake handling may force device back to suspend
+after it initiated resume siganaling, causing a missed resume event or warm
+reset of device.
+
+When a USB3 link completes resume signaling and goes to enabled (UO)
+state a interrupt is issued and the interrupt handler will clear the
+bus_state->port_remote_wakeup resume flag, allowing bus suspend.
+
+If the USB3 roothub thread just finished reading port status before
+the interrupt, finding ports still in suspended (U3) state, but hasn't
+yet started suspending the hub, then the xhci interrupt handler will clear
+the flag that prevented roothub suspend and allow bus to suspend, forcing
+all port links back to suspended (U3) state.
+
+Example case:
+usb_runtime_suspend() # because all ports still show suspended U3
+ usb_suspend_both()
+ hub_suspend(); # successful as hub->wakeup_bits not set yet
+==> INTERRUPT
+xhci_irq()
+ handle_port_status()
+ clear bus_state->port_remote_wakeup
+ usb_wakeup_notification()
+ sets hub->wakeup_bits;
+ kick_hub_wq()
+<== END INTERRUPT
+ hcd_bus_suspend()
+ xhci_bus_suspend() # success as port_remote_wakeup bits cleared
+
+Fix this by increasing roothub usage count during port resume to prevent
+roothub autosuspend, and by making sure bus_state->port_remote_wakeup
+flag is only cleared after resume completion is visible, i.e.
+after xhci roothub returned U0 or other non-U3 link state link on a
+get port status request.
+
+Issue rootcaused by Chiasheng Lee
+
+Cc: <stable@vger.kernel.org>
+Cc: Lee, Hou-hsun <hou-hsun.lee@intel.com>
+Reported-by: Lee, Chiasheng <chiasheng.lee@intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-3-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 10 ++++++++++
+ drivers/usb/host/xhci-ring.c | 3 +--
+ 2 files changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -920,11 +920,13 @@ static void xhci_get_usb3_port_status(st
+ {
+ struct xhci_bus_state *bus_state;
+ struct xhci_hcd *xhci;
++ struct usb_hcd *hcd;
+ u32 link_state;
+ u32 portnum;
+
+ bus_state = &port->rhub->bus_state;
+ xhci = hcd_to_xhci(port->rhub->hcd);
++ hcd = port->rhub->hcd;
+ link_state = portsc & PORT_PLS_MASK;
+ portnum = port->hcd_portnum;
+
+@@ -952,6 +954,14 @@ static void xhci_get_usb3_port_status(st
+ bus_state->suspended_ports &= ~(1 << portnum);
+ }
+
++ /* remote wake resume signaling complete */
++ if (bus_state->port_remote_wakeup & (1 << portnum) &&
++ link_state != XDEV_RESUME &&
++ link_state != XDEV_RECOVERY) {
++ bus_state->port_remote_wakeup &= ~(1 << portnum);
++ usb_hcd_end_port_resume(&hcd->self, portnum);
++ }
++
+ xhci_hub_report_usb3_link_state(xhci, status, portsc);
+ xhci_del_comp_mod_timer(xhci, portsc, portnum);
+ }
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -1624,7 +1624,6 @@ static void handle_port_status(struct xh
+ slot_id = xhci_find_slot_id_by_port(hcd, xhci, hcd_portnum + 1);
+ if (slot_id && xhci->devs[slot_id])
+ xhci->devs[slot_id]->flags |= VDEV_PORT_ERROR;
+- bus_state->port_remote_wakeup &= ~(1 << hcd_portnum);
+ }
+
+ if ((portsc & PORT_PLC) && (portsc & PORT_PLS_MASK) == XDEV_RESUME) {
+@@ -1644,6 +1643,7 @@ static void handle_port_status(struct xh
+ */
+ bus_state->port_remote_wakeup |= 1 << hcd_portnum;
+ xhci_test_and_clear_bit(xhci, port, PORT_PLC);
++ usb_hcd_start_port_resume(&hcd->self, hcd_portnum);
+ xhci_set_link_state(xhci, port, XDEV_U0);
+ /* Need to wait until the next link state change
+ * indicates the device is actually in U0.
+@@ -1684,7 +1684,6 @@ static void handle_port_status(struct xh
+ if (slot_id && xhci->devs[slot_id])
+ xhci_ring_device(xhci, slot_id);
+ if (bus_state->port_remote_wakeup & (1 << hcd_portnum)) {
+- bus_state->port_remote_wakeup &= ~(1 << hcd_portnum);
+ xhci_test_and_clear_bit(xhci, port, PORT_PLC);
+ usb_wakeup_notification(hcd->self.root_hub,
+ hcd_portnum + 1);
--- /dev/null
+From 7ff11162808cc2ec66353fc012c58bb449c892c3 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:06 +0200
+Subject: xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit 7ff11162808cc2ec66353fc012c58bb449c892c3 upstream.
+
+xhci driver claims it needs XHCI_TRUST_TX_LENGTH quirk for both
+Broadcom/Cavium and a Renesas xHC controllers.
+
+The quirk was inteded for handling false "success" complete event for
+transfers that had data left untransferred.
+These transfers should complete with "short packet" events instead.
+
+In these two new cases the false "success" completion is reported
+after a "short packet" if the TD consists of several TRBs.
+xHCI specs 4.10.1.1.2 say remaining TRBs should report "short packet"
+as well after the first short packet in a TD, but this issue seems so
+common it doesn't make sense to add the quirk for all vendors.
+
+Turn these events into short packets automatically instead.
+
+This gets rid of the "The WARN Successful completion on short TX for
+slot 1 ep 1: needs XHCI_TRUST_TX_LENGTH quirk" warning in many cases.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Eli Billauer <eli.billauer@gmail.com>
+Reported-by: Ard Biesheuvel <ardb@kernel.org>
+Tested-by: Eli Billauer <eli.billauer@gmail.com>
+Tested-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-ring.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -2377,7 +2377,8 @@ static int handle_tx_event(struct xhci_h
+ case COMP_SUCCESS:
+ if (EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)) == 0)
+ break;
+- if (xhci->quirks & XHCI_TRUST_TX_LENGTH)
++ if (xhci->quirks & XHCI_TRUST_TX_LENGTH ||
++ ep_ring->last_td_was_short)
+ trb_comp_code = COMP_SHORT_PACKET;
+ else
+ xhci_warn_ratelimited(xhci,
--- /dev/null
+From 7c67cf6658cec70d8a43229f2ce74ca1443dc95e Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 11 Dec 2019 16:20:05 +0200
+Subject: xhci: Increase STS_HALT timeout in xhci_suspend()
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 7c67cf6658cec70d8a43229f2ce74ca1443dc95e upstream.
+
+I've recently observed failed xHCI suspend attempt on AMD Raven Ridge
+system:
+kernel: xhci_hcd 0000:04:00.4: WARN: xHC CMD_RUN timeout
+kernel: PM: suspend_common(): xhci_pci_suspend+0x0/0xd0 returns -110
+kernel: PM: pci_pm_suspend(): hcd_pci_suspend+0x0/0x30 returns -110
+kernel: PM: dpm_run_callback(): pci_pm_suspend+0x0/0x150 returns -110
+kernel: PM: Device 0000:04:00.4 failed to suspend async: error -110
+
+Similar to commit ac343366846a ("xhci: Increase STS_SAVE timeout in
+xhci_suspend()") we also need to increase the HALT timeout to make it be
+able to suspend again.
+
+Cc: <stable@vger.kernel.org> # 5.2+
+Fixes: f7fac17ca925 ("xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()")
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -970,7 +970,7 @@ static bool xhci_pending_portevent(struc
+ int xhci_suspend(struct xhci_hcd *xhci, bool do_wakeup)
+ {
+ int rc = 0;
+- unsigned int delay = XHCI_MAX_HALT_USEC;
++ unsigned int delay = XHCI_MAX_HALT_USEC * 2;
+ struct usb_hcd *hcd = xhci_to_hcd(xhci);
+ u32 command;
+ u32 res;
--- /dev/null
+From bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Wed, 11 Dec 2019 16:20:07 +0200
+Subject: xhci: make sure interrupts are restored to correct state
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit bd82873f23c9a6ad834348f8b83f3b6a5bca2c65 upstream.
+
+spin_unlock_irqrestore() might be called with stale flags after
+reading port status, possibly restoring interrupts to a incorrect
+state.
+
+If a usb2 port just finished resuming while the port status is read
+the spin lock will be temporary released and re-acquired in a separate
+function. The flags parameter is passed as value instead of a pointer,
+not updating flags properly before the final spin_unlock_irqrestore()
+is called.
+
+Cc: <stable@vger.kernel.org> # v3.12+
+Fixes: 8b3d45705e54 ("usb: Fix xHCI host issues on remote wakeup.")
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20191211142007.8847-7-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -806,7 +806,7 @@ static void xhci_del_comp_mod_timer(stru
+
+ static int xhci_handle_usb2_port_link_resume(struct xhci_port *port,
+ u32 *status, u32 portsc,
+- unsigned long flags)
++ unsigned long *flags)
+ {
+ struct xhci_bus_state *bus_state;
+ struct xhci_hcd *xhci;
+@@ -860,11 +860,11 @@ static int xhci_handle_usb2_port_link_re
+ xhci_test_and_clear_bit(xhci, port, PORT_PLC);
+ xhci_set_link_state(xhci, port, XDEV_U0);
+
+- spin_unlock_irqrestore(&xhci->lock, flags);
++ spin_unlock_irqrestore(&xhci->lock, *flags);
+ time_left = wait_for_completion_timeout(
+ &bus_state->rexit_done[wIndex],
+ msecs_to_jiffies(XHCI_MAX_REXIT_TIMEOUT_MS));
+- spin_lock_irqsave(&xhci->lock, flags);
++ spin_lock_irqsave(&xhci->lock, *flags);
+
+ if (time_left) {
+ slot_id = xhci_find_slot_id_by_port(hcd, xhci,
+@@ -967,7 +967,7 @@ static void xhci_get_usb3_port_status(st
+ }
+
+ static void xhci_get_usb2_port_status(struct xhci_port *port, u32 *status,
+- u32 portsc, unsigned long flags)
++ u32 portsc, unsigned long *flags)
+ {
+ struct xhci_bus_state *bus_state;
+ u32 link_state;
+@@ -1017,7 +1017,7 @@ static void xhci_get_usb2_port_status(st
+ static u32 xhci_get_port_status(struct usb_hcd *hcd,
+ struct xhci_bus_state *bus_state,
+ u16 wIndex, u32 raw_port_status,
+- unsigned long flags)
++ unsigned long *flags)
+ __releases(&xhci->lock)
+ __acquires(&xhci->lock)
+ {
+@@ -1140,7 +1140,7 @@ int xhci_hub_control(struct usb_hcd *hcd
+ }
+ trace_xhci_get_port_status(wIndex, temp);
+ status = xhci_get_port_status(hcd, bus_state, wIndex, temp,
+- flags);
++ &flags);
+ if (status == 0xffffffff)
+ goto error;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
