--- /dev/null
+From b08221c40febcbda9309dd70c61cf1b0ebb0e351 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Fri, 11 Dec 2020 10:18:14 +0800
+Subject: ACPI: PNP: compare the string length in the matching_id()
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit b08221c40febcbda9309dd70c61cf1b0ebb0e351 upstream.
+
+Recently we met a touchscreen problem on some Thinkpad machines, the
+touchscreen driver (i2c-hid) is not loaded and the touchscreen can't
+work.
+
+An i2c ACPI device with the name WACF2200 is defined in the BIOS, with
+the current rule in matching_id(), this device will be regarded as
+a PNP device since there is WACFXXX in the acpi_pnp_device_ids[] and
+this PNP device is attached to the acpi device as the 1st
+physical_node, this will make the i2c bus match fail when i2c bus
+calls acpi_companion_match() to match the acpi_id_table in the i2c-hid
+driver.
+
+WACF2200 is an i2c device instead of a PNP device, after adding the
+string length comparing, the matching_id() will return false when
+matching WACF2200 and WACFXXX, and it is reasonable to compare the
+string length when matching two IDs.
+
+Suggested-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/acpi_pnp.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/acpi/acpi_pnp.c
++++ b/drivers/acpi/acpi_pnp.c
+@@ -320,6 +320,9 @@ static bool matching_id(const char *idst
+ {
+ int i;
+
++ if (strlen(idstr) != strlen(list_id))
++ return false;
++
+ if (memcmp(idstr, list_id, 3))
+ return false;
+
--- /dev/null
+From 11cb881bf075cea41092a20236ba708b18e1dbb2 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 18 Dec 2020 17:17:30 +0100
+Subject: ALSA: pcm: oss: Fix a few more UBSAN fixes
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 11cb881bf075cea41092a20236ba708b18e1dbb2 upstream.
+
+There are a few places that call round{up|down}_pow_of_two() with the
+value zero, and this causes undefined behavior warnings. Avoid
+calling those macros if such a nonsense value is passed; it's a minor
+optimization as well, as we handle it as either an error or a value to
+be skipped, instead.
+
+Reported-by: syzbot+33ef0b6639a8d2d42b4c@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201218161730.26596-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -718,6 +718,8 @@ static int snd_pcm_oss_period_size(struc
+
+ oss_buffer_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_BUFFER_SIZE, NULL)) * oss_frame_size;
++ if (!oss_buffer_size)
++ return -EINVAL;
+ oss_buffer_size = rounddown_pow_of_two(oss_buffer_size);
+ if (atomic_read(&substream->mmap_count)) {
+ if (oss_buffer_size > runtime->oss.mmap_bytes)
+@@ -753,17 +755,21 @@ static int snd_pcm_oss_period_size(struc
+
+ min_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_min(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- min_period_size *= oss_frame_size;
+- min_period_size = roundup_pow_of_two(min_period_size);
+- if (oss_period_size < min_period_size)
+- oss_period_size = min_period_size;
++ if (min_period_size) {
++ min_period_size *= oss_frame_size;
++ min_period_size = roundup_pow_of_two(min_period_size);
++ if (oss_period_size < min_period_size)
++ oss_period_size = min_period_size;
++ }
+
+ max_period_size = snd_pcm_plug_client_size(substream,
+ snd_pcm_hw_param_value_max(slave_params, SNDRV_PCM_HW_PARAM_PERIOD_SIZE, NULL));
+- max_period_size *= oss_frame_size;
+- max_period_size = rounddown_pow_of_two(max_period_size);
+- if (oss_period_size > max_period_size)
+- oss_period_size = max_period_size;
++ if (max_period_size) {
++ max_period_size *= oss_frame_size;
++ max_period_size = rounddown_pow_of_two(max_period_size);
++ if (oss_period_size > max_period_size)
++ oss_period_size = max_period_size;
++ }
+
+ oss_periods = oss_buffer_size / oss_period_size;
+
--- /dev/null
+From f051ae4f6c732c231046945b36234e977f8467c6 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 14 Dec 2020 13:37:46 -0800
+Subject: Input: cyapa_gen6 - fix out-of-bounds stack access
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit f051ae4f6c732c231046945b36234e977f8467c6 upstream.
+
+gcc -Warray-bounds warns about a serious bug in
+cyapa_pip_retrieve_data_structure:
+
+drivers/input/mouse/cyapa_gen6.c: In function 'cyapa_pip_retrieve_data_structure.constprop':
+include/linux/unaligned/access_ok.h:40:17: warning: array subscript -1 is outside array bounds of 'struct retrieve_data_struct_cmd[1]' [-Warray-bounds]
+ 40 | *((__le16 *)p) = cpu_to_le16(val);
+drivers/input/mouse/cyapa_gen6.c:569:13: note: while referencing 'cmd'
+ 569 | } __packed cmd;
+ | ^~~
+
+Apparently the '-2' was added to the pointer instead of the value,
+writing garbage into the stack next to this variable.
+
+Fixes: c2c06c41f700 ("Input: cyapa - add gen6 device module support")
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20201026161332.3708389-1-arnd@kernel.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/cyapa_gen6.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/cyapa_gen6.c
++++ b/drivers/input/mouse/cyapa_gen6.c
+@@ -573,7 +573,7 @@ static int cyapa_pip_retrieve_data_struc
+
+ memset(&cmd, 0, sizeof(cmd));
+ put_unaligned_le16(PIP_OUTPUT_REPORT_ADDR, &cmd.head.addr);
+- put_unaligned_le16(sizeof(cmd), &cmd.head.length - 2);
++ put_unaligned_le16(sizeof(cmd) - 2, &cmd.head.length);
+ cmd.head.report_id = PIP_APP_CMD_REPORT_ID;
+ cmd.head.cmd_code = PIP_RETRIEVE_DATA_STRUCTURE;
+ put_unaligned_le16(read_offset, &cmd.read_offset);
--- /dev/null
+From e469d0b09a19496e1972a20974bbf55b728151eb Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 2 Dec 2020 18:20:04 +0100
+Subject: media: gspca: Fix memory leak in probe
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit e469d0b09a19496e1972a20974bbf55b728151eb upstream.
+
+The gspca driver leaks memory when a probe fails. gspca_dev_probe2()
+calls v4l2_device_register(), which takes a reference to the
+underlying device node (in this case, a USB interface). But the
+failure pathway neglects to call v4l2_device_unregister(), the routine
+responsible for dropping this reference. Consequently the memory for
+the USB interface and its device never gets released.
+
+This patch adds the missing function call.
+
+Reported-and-tested-by: syzbot+44e64397bd81d5e84cba@syzkaller.appspotmail.com
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/gspca.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/usb/gspca/gspca.c
++++ b/drivers/media/usb/gspca/gspca.c
+@@ -2130,6 +2130,7 @@ out:
+ input_unregister_device(gspca_dev->input_dev);
+ #endif
+ v4l2_ctrl_handler_free(gspca_dev->vdev.ctrl_handler);
++ v4l2_device_unregister(&gspca_dev->v4l2_dev);
+ kfree(gspca_dev->usb_buf);
+ kfree(gspca_dev);
+ return ret;
--- /dev/null
+From e297ddf296de35037fa97f4302782def196d350a Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Mon, 7 Dec 2020 09:17:12 +0100
+Subject: media: netup_unidvb: Don't leak SPI master in probe error path
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit e297ddf296de35037fa97f4302782def196d350a upstream.
+
+If the call to spi_register_master() fails on probe of the NetUP
+Universal DVB driver, the spi_master struct is erroneously not freed.
+
+Likewise, if spi_new_device() fails, the spi_controller struct is
+not unregistered. Plug the leaks.
+
+While at it, fix an ordering issue in netup_spi_release() wherein
+spi_unregister_master() is called after fiddling with the IRQ control
+register. The correct order is to call spi_unregister_master() *before*
+this teardown step because bus accesses may still be ongoing until that
+function returns.
+
+Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Reviewed-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Cc: <stable@vger.kernel.org> # v4.3+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation
+Cc: <stable@vger.kernel.org> # v4.3+
+Cc: Kozlov Sergey <serjk@netup.ru>
+Link: https://lore.kernel.org/r/c4c24f333fc7840f4a3db24789e6e10dd660bede.1607286887.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/pci/netup_unidvb/netup_unidvb_spi.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/netup_unidvb/netup_unidvb_spi.c
++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_spi.c
+@@ -184,7 +184,7 @@ int netup_spi_init(struct netup_unidvb_d
+ struct spi_master *master;
+ struct netup_spi *nspi;
+
+- master = spi_alloc_master(&ndev->pci_dev->dev,
++ master = devm_spi_alloc_master(&ndev->pci_dev->dev,
+ sizeof(struct netup_spi));
+ if (!master) {
+ dev_err(&ndev->pci_dev->dev,
+@@ -217,6 +217,7 @@ int netup_spi_init(struct netup_unidvb_d
+ ndev->pci_slot,
+ ndev->pci_func);
+ if (!spi_new_device(master, &netup_spi_board)) {
++ spi_unregister_master(master);
+ ndev->spi = NULL;
+ dev_err(&ndev->pci_dev->dev,
+ "%s(): unable to create SPI device\n", __func__);
+@@ -235,13 +236,13 @@ void netup_spi_release(struct netup_unid
+ if (!spi)
+ return;
+
++ spi_unregister_master(spi->master);
+ spin_lock_irqsave(&spi->lock, flags);
+ reg = readw(&spi->regs->control_stat);
+ writew(reg | NETUP_SPI_CTRL_IRQ, &spi->regs->control_stat);
+ reg = readw(&spi->regs->control_stat);
+ writew(reg & ~NETUP_SPI_CTRL_IMASK, &spi->regs->control_stat);
+ spin_unlock_irqrestore(&spi->lock, flags);
+- spi_unregister_master(spi->master);
+ ndev->spi = NULL;
+ }
+
--- /dev/null
+From 3f56df4c8ffeb120ed41906d3aae71799b7e726a Mon Sep 17 00:00:00 2001
+From: Sean Young <sean@mess.org>
+Date: Mon, 9 Nov 2020 23:16:52 +0100
+Subject: media: sunxi-cir: ensure IR is handled when it is continuous
+
+From: Sean Young <sean@mess.org>
+
+commit 3f56df4c8ffeb120ed41906d3aae71799b7e726a upstream.
+
+If a user holds a button down on a remote, then no ir idle interrupt will
+be generated until the user releases the button, depending on how quickly
+the remote repeats. No IR is processed until that point, which means that
+holding down a button may not do anything.
+
+This also resolves an issue on a Cubieboard 1 where the IR receiver is
+picking up ambient infrared as IR and spews out endless
+"rc rc0: IR event FIFO is full!" messages unless you choose to live in
+the dark.
+
+Cc: stable@vger.kernel.org
+Tested-by: Hans Verkuil <hverkuil@xs4all.nl>
+Acked-by: Maxime Ripard <mripard@kernel.org>
+Reported-by: Hans Verkuil <hverkuil@xs4all.nl>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/sunxi-cir.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/media/rc/sunxi-cir.c
++++ b/drivers/media/rc/sunxi-cir.c
+@@ -132,6 +132,8 @@ static irqreturn_t sunxi_ir_irq(int irqn
+ } else if (status & REG_RXINT_RPEI_EN) {
+ ir_raw_event_set_idle(ir->rc, true);
+ ir_raw_event_handle(ir->rc);
++ } else {
++ ir_raw_event_handle(ir->rc);
+ }
+
+ spin_unlock(&ir->ir_lock);
--- /dev/null
+From aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 Mon Sep 17 00:00:00 2001
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Date: Wed, 25 Nov 2020 02:26:55 -0500
+Subject: powerpc/perf: Exclude kernel samples while counting events in user space.
+
+From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+
+commit aa8e21c053d72b6639ea5a7f1d3a1d0209534c94 upstream.
+
+Perf event attritube supports exclude_kernel flag to avoid
+sampling/profiling in supervisor state (kernel). Based on this event
+attr flag, Monitor Mode Control Register bit is set to freeze on
+supervisor state. But sometimes (due to hardware limitation), Sampled
+Instruction Address Register (SIAR) locks on to kernel address even
+when freeze on supervisor is set. Patch here adds a check to drop
+those samples.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/1606289215-1433-1-git-send-email-atrajeev@linux.vnet.ibm.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/perf/core-book3s.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/perf/core-book3s.c
++++ b/arch/powerpc/perf/core-book3s.c
+@@ -2021,6 +2021,16 @@ static void record_and_restart(struct pe
+ perf_event_update_userpage(event);
+
+ /*
++ * Due to hardware limitation, sometimes SIAR could sample a kernel
++ * address even when freeze on supervisor state (kernel) is set in
++ * MMCR2. Check attr.exclude_kernel and address to drop the sample in
++ * these cases.
++ */
++ if (event->attr.exclude_kernel && record)
++ if (is_kernel_addr(mfspr(SPRN_SIAR)))
++ record = 0;
++
++ /*
+ * Finally record data if requested.
+ */
+ if (record) {
--- /dev/null
+From 12fc4dad94dfac25599f31257aac181c691ca96f Mon Sep 17 00:00:00 2001
+From: Daniel Scally <djrscally@gmail.com>
+Date: Sat, 5 Dec 2020 17:04:03 +0000
+Subject: Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks"
+
+From: Daniel Scally <djrscally@gmail.com>
+
+commit 12fc4dad94dfac25599f31257aac181c691ca96f upstream.
+
+This reverts commit 8a66790b7850a6669129af078768a1d42076a0ef.
+
+Switching this function to AE_CTRL_TERMINATE broke the documented
+behaviour of acpi_dev_get_resources() - AE_CTRL_TERMINATE does not, in
+fact, terminate the resource walk because acpi_walk_resource_buffer()
+ignores it (specifically converting it to AE_OK), referring to that
+value as "an OK termination by the user function". This means that
+acpi_dev_get_resources() does not abort processing when the preproc
+function returns a negative value.
+
+Signed-off-by: Daniel Scally <djrscally@gmail.com>
+Cc: 3.10+ <stable@vger.kernel.org> # 3.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/resource.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/acpi/resource.c
++++ b/drivers/acpi/resource.c
+@@ -506,7 +506,7 @@ static acpi_status acpi_dev_process_reso
+ ret = c->preproc(ares, c->preproc_data);
+ if (ret < 0) {
+ c->error = ret;
+- return AE_CTRL_TERMINATE;
++ return AE_ABORT_METHOD;
+ } else if (ret > 0) {
+ return AE_OK;
+ }
--- /dev/null
+From 53a7f655834c7c335bf683f248208d4fbe4b47bc Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Thu, 17 Dec 2020 16:59:07 +0100
+Subject: s390/dasd: fix list corruption of lcu list
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 53a7f655834c7c335bf683f248208d4fbe4b47bc upstream.
+
+In dasd_alias_disconnect_device_from_lcu the device is removed from any
+list on the LCU. Afterwards the LCU is removed from the lcu list if it
+does not contain devices any longer.
+
+The lcu->lock protects the lcu from parallel updates. But to cancel all
+workers and wait for completion the lcu->lock has to be unlocked.
+
+If two devices are removed in parallel and both are removed from the LCU
+the first device that takes the lcu->lock again will delete the LCU because
+it is already empty but the second device also tries to free the LCU which
+leads to a list corruption of the lcu list.
+
+Fix by removing the device right before the lcu is checked without
+unlocking the lcu->lock in between.
+
+Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/block/dasd_alias.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/block/dasd_alias.c
++++ b/drivers/s390/block/dasd_alias.c
+@@ -258,7 +258,6 @@ void dasd_alias_disconnect_device_from_l
+ return;
+ device->discipline->get_uid(device, &uid);
+ spin_lock_irqsave(&lcu->lock, flags);
+- list_del_init(&device->alias_list);
+ /* make sure that the workers don't use this device */
+ if (device == lcu->suc_data.device) {
+ spin_unlock_irqrestore(&lcu->lock, flags);
+@@ -285,6 +284,7 @@ void dasd_alias_disconnect_device_from_l
+
+ spin_lock_irqsave(&aliastree.lock, flags);
+ spin_lock(&lcu->lock);
++ list_del_init(&device->alias_list);
+ if (list_empty(&lcu->grouplist) &&
+ list_empty(&lcu->active_devices) &&
+ list_empty(&lcu->inactive_devices)) {
--- /dev/null
+From 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 Mon Sep 17 00:00:00 2001
+From: Stefan Haberland <sth@linux.ibm.com>
+Date: Thu, 17 Dec 2020 16:59:06 +0100
+Subject: s390/dasd: fix list corruption of pavgroup group list
+
+From: Stefan Haberland <sth@linux.ibm.com>
+
+commit 0ede91f83aa335da1c3ec68eb0f9e228f269f6d8 upstream.
+
+dasd_alias_add_device() moves devices to the active_devices list in case
+of a scheduled LCU update regardless if they have previously been in a
+pavgroup or not.
+
+Example: device A and B are in the same pavgroup.
+
+Device A has already been in a pavgroup and the private->pavgroup pointer
+is set and points to a valid pavgroup. While going through dasd_add_device
+it is moved from the pavgroup to the active_devices list.
+
+In parallel device B might be removed from the same pavgroup in
+remove_device_from_lcu() which in turn checks if the group is empty
+and deletes it accordingly because device A has already been removed from
+there.
+
+When now device A enters remove_device_from_lcu() it is tried to remove it
+from the pavgroup again because the pavgroup pointer is still set and again
+the empty group will be cleaned up which leads to a list corruption.
+
+Fix by setting private->pavgroup to NULL in dasd_add_device.
+
+If the device has been the last device on the pavgroup an empty pavgroup
+remains but this will be cleaned up by the scheduled lcu_update which
+iterates over all existing pavgroups.
+
+Fixes: 8e09f21574ea ("[S390] dasd: add hyper PAV support to DASD device driver, part 1")
+Cc: stable@vger.kernel.org
+Signed-off-by: Stefan Haberland <sth@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/s390/block/dasd_alias.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/s390/block/dasd_alias.c
++++ b/drivers/s390/block/dasd_alias.c
+@@ -637,6 +637,7 @@ int dasd_alias_add_device(struct dasd_de
+ }
+ if (lcu->flags & UPDATE_PENDING) {
+ list_move(&device->alias_list, &lcu->active_devices);
++ private->pavgroup = NULL;
+ _schedule_lcu_update(lcu, device);
+ }
+ spin_unlock(&lcu->lock);
cfg80211-initialize-rekey_data.patch
input-cros_ec_keyb-send-scancodes-in-addition-to-key.patch
input-goodix-add-upside-down-quirk-for-teclast-x98-p.patch
+media-gspca-fix-memory-leak-in-probe.patch
+media-sunxi-cir-ensure-ir-is-handled-when-it-is-continuous.patch
+media-netup_unidvb-don-t-leak-spi-master-in-probe-error-path.patch
+input-cyapa_gen6-fix-out-of-bounds-stack-access.patch
+revert-acpi-resources-use-ae_ctrl_terminate-to-terminate-resources-walks.patch
+acpi-pnp-compare-the-string-length-in-the-matching_id.patch
+alsa-pcm-oss-fix-a-few-more-ubsan-fixes.patch
+s390-dasd-fix-list-corruption-of-pavgroup-group-list.patch
+s390-dasd-fix-list-corruption-of-lcu-list.patch
+staging-comedi-mf6x4-fix-ai-end-of-conversion-detection.patch
+powerpc-perf-exclude-kernel-samples-while-counting-events-in-user-space.patch
+usb-serial-mos7720-fix-parallel-port-state-restore.patch
+usb-serial-keyspan_pda-fix-dropped-unthrottle-interrupts.patch
+usb-serial-keyspan_pda-fix-write-deadlock.patch
+usb-serial-keyspan_pda-fix-stalled-writes.patch
+usb-serial-keyspan_pda-fix-write-wakeup-use-after-free.patch
+usb-serial-keyspan_pda-fix-tx-unthrottle-use-after-free.patch
+usb-serial-keyspan_pda-fix-write-unthrottling.patch
--- /dev/null
+From 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Mon, 7 Dec 2020 14:58:06 +0000
+Subject: staging: comedi: mf6x4: Fix AI end-of-conversion detection
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 56c90457ebfe9422496aac6ef3d3f0f0ea8b2ec2 upstream.
+
+I have had reports from two different people that attempts to read the
+analog input channels of the MF624 board fail with an `ETIMEDOUT` error.
+
+After triggering the conversion, the code calls `comedi_timeout()` with
+`mf6x4_ai_eoc()` as the callback function to check if the conversion is
+complete. The callback returns 0 if complete or `-EBUSY` if not yet
+complete. `comedi_timeout()` returns `-ETIMEDOUT` if it has not
+completed within a timeout period which is propagated as an error to the
+user application.
+
+The existing code considers the conversion to be complete when the EOLC
+bit is high. However, according to the user manuals for the MF624 and
+MF634 boards, this test is incorrect because EOLC is an active low
+signal that goes high when the conversion is triggered, and goes low
+when the conversion is complete. Fix the problem by inverting the test
+of the EOLC bit state.
+
+Fixes: 04b565021a83 ("comedi: Humusoft MF634 and MF624 DAQ cards driver")
+Cc: <stable@vger.kernel.org> # v4.4+
+Cc: Rostislav Lisovy <lisovy@gmail.com>
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20201207145806.4046-1-abbotti@mev.co.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/mf6x4.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/mf6x4.c
++++ b/drivers/staging/comedi/drivers/mf6x4.c
+@@ -121,8 +121,9 @@ static int mf6x4_ai_eoc(struct comedi_de
+ struct mf6x4_private *devpriv = dev->private;
+ unsigned int status;
+
++ /* EOLC goes low at end of conversion. */
+ status = ioread32(devpriv->gpioc_reg);
+- if (status & MF6X4_GPIOC_EOLC)
++ if ((status & MF6X4_GPIOC_EOLC) == 0)
+ return 0;
+ return -EBUSY;
+ }
--- /dev/null
+From 696c541c8c6cfa05d65aa24ae2b9e720fc01766e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:47 +0100
+Subject: USB: serial: keyspan_pda: fix dropped unthrottle interrupts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 696c541c8c6cfa05d65aa24ae2b9e720fc01766e upstream.
+
+Commit c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity
+checks") broke write-unthrottle handling by dropping well-formed
+unthrottle-interrupt packets which are precisely two bytes long. This
+could lead to blocked writers not being woken up when buffer space again
+becomes available.
+
+Instead, stop unconditionally printing the third byte which is
+(presumably) only valid on modem-line changes.
+
+Fixes: c528fcb116e6 ("USB: serial: keyspan_pda: fix receive sanity checks")
+Cc: stable <stable@vger.kernel.org> # 4.11
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -176,11 +176,11 @@ static void keyspan_pda_rx_interrupt(str
+ break;
+ case 1:
+ /* status interrupt */
+- if (len < 3) {
++ if (len < 2) {
+ dev_warn(&port->dev, "short interrupt message received\n");
+ break;
+ }
+- dev_dbg(&port->dev, "rx int, d1=%d, d2=%d\n", data[1], data[2]);
++ dev_dbg(&port->dev, "rx int, d1=%d\n", data[1]);
+ switch (data[1]) {
+ case 1: /* modemline change */
+ break;
--- /dev/null
+From c01d2c58698f710c9e13ba3e2d296328606f74fd Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:49 +0100
+Subject: USB: serial: keyspan_pda: fix stalled writes
+
+From: Johan Hovold <johan@kernel.org>
+
+commit c01d2c58698f710c9e13ba3e2d296328606f74fd upstream.
+
+Make sure to clear the write-busy flag also in case no new data was
+submitted due to lack of device buffer space so that writing is
+resumed once space again becomes available.
+
+Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.")
+Cc: stable <stable@vger.kernel.org> # 2.6.13
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -552,7 +552,7 @@ static int keyspan_pda_write(struct tty_
+
+ rc = count;
+ exit:
+- if (rc < 0)
++ if (rc <= 0)
+ set_bit(0, &port->write_urbs_free);
+ return rc;
+ }
--- /dev/null
+From 49fbb8e37a961396a5b6c82937c70df91de45e9d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:51 +0100
+Subject: USB: serial: keyspan_pda: fix tx-unthrottle use-after-free
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 49fbb8e37a961396a5b6c82937c70df91de45e9d upstream.
+
+The driver's transmit-unthrottle work was never flushed on disconnect,
+something which could lead to the driver port data being freed while the
+unthrottle work is still scheduled.
+
+Fix this by cancelling the unthrottle work when shutting down the port.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -651,8 +651,12 @@ error:
+ }
+ static void keyspan_pda_close(struct usb_serial_port *port)
+ {
++ struct keyspan_pda_private *priv = usb_get_serial_port_data(port);
++
+ usb_kill_urb(port->write_urb);
+ usb_kill_urb(port->interrupt_in_urb);
++
++ cancel_work_sync(&priv->unthrottle_work);
+ }
+
+
--- /dev/null
+From 7353cad7ee4deaefc16e94727e69285563e219f6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:48 +0100
+Subject: USB: serial: keyspan_pda: fix write deadlock
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7353cad7ee4deaefc16e94727e69285563e219f6 upstream.
+
+The write() callback can be called in interrupt context (e.g. when used
+as a console) so interrupts must be disabled while holding the port lock
+to prevent a possible deadlock.
+
+Fixes: e81ee637e4ae ("usb-serial: possible irq lock inversion (PPP vs. usb/serial)")
+Fixes: 507ca9bc0476 ("[PATCH] USB: add ability for usb-serial drivers to determine if their write urb is currently being used.")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -447,6 +447,7 @@ static int keyspan_pda_write(struct tty_
+ int request_unthrottle = 0;
+ int rc = 0;
+ struct keyspan_pda_private *priv;
++ unsigned long flags;
+
+ priv = usb_get_serial_port_data(port);
+ /* guess how much room is left in the device's ring buffer, and if we
+@@ -466,13 +467,13 @@ static int keyspan_pda_write(struct tty_
+ the TX urb is in-flight (wait until it completes)
+ the device is full (wait until it says there is room)
+ */
+- spin_lock_bh(&port->lock);
++ spin_lock_irqsave(&port->lock, flags);
+ if (!test_bit(0, &port->write_urbs_free) || priv->tx_throttled) {
+- spin_unlock_bh(&port->lock);
++ spin_unlock_irqrestore(&port->lock, flags);
+ return 0;
+ }
+ clear_bit(0, &port->write_urbs_free);
+- spin_unlock_bh(&port->lock);
++ spin_unlock_irqrestore(&port->lock, flags);
+
+ /* At this point the URB is in our control, nobody else can submit it
+ again (the only sudden transition was the one from EINPROGRESS to
--- /dev/null
+From 320f9028c7873c3c7710e8e93e5c979f4c857490 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:52 +0100
+Subject: USB: serial: keyspan_pda: fix write unthrottling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 320f9028c7873c3c7710e8e93e5c979f4c857490 upstream.
+
+The driver did not update its view of the available device buffer space
+until write() was called in task context. This meant that write_room()
+would return 0 even after the device had sent a write-unthrottle
+notification, something which could lead to blocked writers not being
+woken up (e.g. when using OPOST).
+
+Note that we must also request an unthrottle notification is case a
+write() request fills the device buffer exactly.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -44,6 +44,8 @@
+ #define DRIVER_AUTHOR "Brian Warner <warner@lothar.com>"
+ #define DRIVER_DESC "USB Keyspan PDA Converter driver"
+
++#define KEYSPAN_TX_THRESHOLD 16
++
+ struct keyspan_pda_private {
+ int tx_room;
+ int tx_throttled;
+@@ -114,7 +116,7 @@ static void keyspan_pda_request_unthrott
+ 7, /* request_unthrottle */
+ USB_TYPE_VENDOR | USB_RECIP_INTERFACE
+ | USB_DIR_OUT,
+- 16, /* value: threshold */
++ KEYSPAN_TX_THRESHOLD,
+ 0, /* index */
+ NULL,
+ 0,
+@@ -133,6 +135,8 @@ static void keyspan_pda_rx_interrupt(str
+ int retval;
+ int status = urb->status;
+ struct keyspan_pda_private *priv;
++ unsigned long flags;
++
+ priv = usb_get_serial_port_data(port);
+
+ switch (status) {
+@@ -175,7 +179,10 @@ static void keyspan_pda_rx_interrupt(str
+ case 1: /* modemline change */
+ break;
+ case 2: /* tx unthrottle interrupt */
++ spin_lock_irqsave(&port->lock, flags);
+ priv->tx_throttled = 0;
++ priv->tx_room = max(priv->tx_room, KEYSPAN_TX_THRESHOLD);
++ spin_unlock_irqrestore(&port->lock, flags);
+ /* queue up a wakeup at scheduler time */
+ usb_serial_port_softint(port);
+ break;
+@@ -509,7 +516,8 @@ static int keyspan_pda_write(struct tty_
+ goto exit;
+ }
+ }
+- if (count > priv->tx_room) {
++
++ if (count >= priv->tx_room) {
+ /* we're about to completely fill the Tx buffer, so
+ we'll be throttled afterwards. */
+ count = priv->tx_room;
+@@ -564,14 +572,17 @@ static void keyspan_pda_write_bulk_callb
+ static int keyspan_pda_write_room(struct tty_struct *tty)
+ {
+ struct usb_serial_port *port = tty->driver_data;
+- struct keyspan_pda_private *priv;
+- priv = usb_get_serial_port_data(port);
+- /* used by n_tty.c for processing of tabs and such. Giving it our
+- conservative guess is probably good enough, but needs testing by
+- running a console through the device. */
+- return priv->tx_room;
+-}
++ struct keyspan_pda_private *priv = usb_get_serial_port_data(port);
++ unsigned long flags;
++ int room = 0;
++
++ spin_lock_irqsave(&port->lock, flags);
++ if (test_bit(0, &port->write_urbs_free) && !priv->tx_throttled)
++ room = priv->tx_room;
++ spin_unlock_irqrestore(&port->lock, flags);
+
++ return room;
++}
+
+ static int keyspan_pda_chars_in_buffer(struct tty_struct *tty)
+ {
--- /dev/null
+From 37faf50615412947868c49aee62f68233307f4e4 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Sun, 25 Oct 2020 18:45:50 +0100
+Subject: USB: serial: keyspan_pda: fix write-wakeup use-after-free
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 37faf50615412947868c49aee62f68233307f4e4 upstream.
+
+The driver's deferred write wakeup was never flushed on disconnect,
+something which could lead to the driver port data being freed while the
+wakeup work is still scheduled.
+
+Fix this by using the usb-serial write wakeup which gets cancelled
+properly on disconnect.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable@vger.kernel.org
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/keyspan_pda.c | 17 +++--------------
+ 1 file changed, 3 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/serial/keyspan_pda.c
++++ b/drivers/usb/serial/keyspan_pda.c
+@@ -47,8 +47,7 @@
+ struct keyspan_pda_private {
+ int tx_room;
+ int tx_throttled;
+- struct work_struct wakeup_work;
+- struct work_struct unthrottle_work;
++ struct work_struct unthrottle_work;
+ struct usb_serial *serial;
+ struct usb_serial_port *port;
+ };
+@@ -101,15 +100,6 @@ static const struct usb_device_id id_tab
+ };
+ #endif
+
+-static void keyspan_pda_wakeup_write(struct work_struct *work)
+-{
+- struct keyspan_pda_private *priv =
+- container_of(work, struct keyspan_pda_private, wakeup_work);
+- struct usb_serial_port *port = priv->port;
+-
+- tty_port_tty_wakeup(&port->port);
+-}
+-
+ static void keyspan_pda_request_unthrottle(struct work_struct *work)
+ {
+ struct keyspan_pda_private *priv =
+@@ -187,7 +177,7 @@ static void keyspan_pda_rx_interrupt(str
+ case 2: /* tx unthrottle interrupt */
+ priv->tx_throttled = 0;
+ /* queue up a wakeup at scheduler time */
+- schedule_work(&priv->wakeup_work);
++ usb_serial_port_softint(port);
+ break;
+ default:
+ break;
+@@ -567,7 +557,7 @@ static void keyspan_pda_write_bulk_callb
+ priv = usb_get_serial_port_data(port);
+
+ /* queue up a wakeup at scheduler time */
+- schedule_work(&priv->wakeup_work);
++ usb_serial_port_softint(port);
+ }
+
+
+@@ -733,7 +723,6 @@ static int keyspan_pda_port_probe(struct
+ if (!priv)
+ return -ENOMEM;
+
+- INIT_WORK(&priv->wakeup_work, keyspan_pda_wakeup_write);
+ INIT_WORK(&priv->unthrottle_work, keyspan_pda_request_unthrottle);
+ priv->serial = port->serial;
+ priv->port = port;
--- /dev/null
+From 975323ab8f116667676c30ca3502a6757bd89e8d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 4 Nov 2020 17:47:27 +0100
+Subject: USB: serial: mos7720: fix parallel-port state restore
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 975323ab8f116667676c30ca3502a6757bd89e8d upstream.
+
+The parallel-port restore operations is called when a driver claims the
+port and is supposed to restore the provided state (e.g. saved when
+releasing the port).
+
+Fixes: b69578df7e98 ("USB: usbserial: mos7720: add support for parallel port on moschip 7715")
+Cc: stable <stable@vger.kernel.org> # 2.6.35
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7720.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -640,6 +640,8 @@ static void parport_mos7715_restore_stat
+ spin_unlock(&release_lock);
+ return;
+ }
++ mos_parport->shadowDCR = s->u.pc.ctr;
++ mos_parport->shadowECR = s->u.pc.ecr;
+ write_parport_reg_nonblock(mos_parport, MOS7720_DCR,
+ mos_parport->shadowDCR);
+ write_parport_reg_nonblock(mos_parport, MOS7720_ECR,
projects / thirdparty / kernel / stable-queue.git / commitdiff
