5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Jun 2021 12:23:12 +0000 (14:23 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Jun 2021 12:23:12 +0000 (14:23 +0200)
added patches:
btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch
btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
cgroup1-don-t-allow-n-in-renaming.patch
drm-fix-use-after-free-read-in-drm_getunique.patch
drm-lock-pointer-access-in-drm_master_release.patch
kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
staging-rtl8723bs-fix-uninitialized-variables.patch
usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
usb-dwc3-ep0-fix-null-pointer-exception.patch
usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
usb-fix-various-gadget-panics-on-10gbps-cabling.patch
usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
usb-gadget-eem-fix-wrong-eem-header-operation.patch
usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
usb-serial-quatech2-fix-control-request-directions.patch
usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch

25 files changed:
queue-5.4/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch [new file with mode: 0644]
queue-5.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch [new file with mode: 0644]
queue-5.4/cgroup1-don-t-allow-n-in-renaming.patch [new file with mode: 0644]
queue-5.4/drm-fix-use-after-free-read-in-drm_getunique.patch [new file with mode: 0644]
queue-5.4/drm-lock-pointer-access-in-drm_master_release.patch [new file with mode: 0644]
queue-5.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch [new file with mode: 0644]
queue-5.4/staging-rtl8723bs-fix-uninitialized-variables.patch [new file with mode: 0644]
queue-5.4/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch [new file with mode: 0644]
queue-5.4/usb-dwc3-ep0-fix-null-pointer-exception.patch [new file with mode: 0644]
queue-5.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch [new file with mode: 0644]
queue-5.4/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch [new file with mode: 0644]
queue-5.4/usb-fix-various-gadget-panics-on-10gbps-cabling.patch [new file with mode: 0644]
queue-5.4/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch [new file with mode: 0644]
queue-5.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch [new file with mode: 0644]
queue-5.4/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch [new file with mode: 0644]
queue-5.4/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch [new file with mode: 0644]
queue-5.4/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch [new file with mode: 0644]
queue-5.4/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch [new file with mode: 0644]
queue-5.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch [new file with mode: 0644]
queue-5.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch [new file with mode: 0644]
queue-5.4/usb-serial-quatech2-fix-control-request-directions.patch [new file with mode: 0644]
queue-5.4/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch [new file with mode: 0644]
queue-5.4/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch [new file with mode: 0644]

diff --git a/queue-5.4/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch b/queue-5.4/btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch
new file mode 100644 (file)
index 0000000..8db1f48
--- /dev/null
@@ -0,0 +1,70 @@
+From aefd7f7065567a4666f42c0fc8cdb379d2e036bf Mon Sep 17 00:00:00 2001
+From: Nikolay Borisov <nborisov@suse.com>
+Date: Mon, 31 May 2021 12:26:01 +0300
+Subject: btrfs: promote debugging asserts to full-fledged checks in validate_super
+
+From: Nikolay Borisov <nborisov@suse.com>
+
+commit aefd7f7065567a4666f42c0fc8cdb379d2e036bf upstream.
+
+Syzbot managed to trigger this assert while performing its fuzzing.
+Turns out it's better to have those asserts turned into full-fledged
+checks so that in case buggy btrfs images are mounted the users gets
+an error and mounting is stopped. Alternatively with CONFIG_BTRFS_ASSERT
+disabled such image would have been erroneously allowed to be mounted.
+
+Reported-by: syzbot+a6bf271c02e4fe66b4e4@syzkaller.appspotmail.com
+CC: stable@vger.kernel.org # 5.4+
+Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
+Reviewed-by: Qu Wenruo <wqu@suse.com>
+Signed-off-by: Nikolay Borisov <nborisov@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+[ add uuids to the messages ]
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/disk-io.c |   26 ++++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+--- a/fs/btrfs/disk-io.c
++++ b/fs/btrfs/disk-io.c
+@@ -2463,6 +2463,24 @@ static int validate_super(struct btrfs_f
+               ret = -EINVAL;
+       }
++      if (memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid,
++                 BTRFS_FSID_SIZE)) {
++              btrfs_err(fs_info,
++              "superblock fsid doesn't match fsid of fs_devices: %pU != %pU",
++                      fs_info->super_copy->fsid, fs_info->fs_devices->fsid);
++              ret = -EINVAL;
++      }
++
++      if (btrfs_fs_incompat(fs_info, METADATA_UUID) &&
++          memcmp(fs_info->fs_devices->metadata_uuid,
++                 fs_info->super_copy->metadata_uuid, BTRFS_FSID_SIZE)) {
++              btrfs_err(fs_info,
++"superblock metadata_uuid doesn't match metadata uuid of fs_devices: %pU != %pU",
++                      fs_info->super_copy->metadata_uuid,
++                      fs_info->fs_devices->metadata_uuid);
++              ret = -EINVAL;
++      }
++
+       if (memcmp(fs_info->fs_devices->metadata_uuid, sb->dev_item.fsid,
+                  BTRFS_FSID_SIZE) != 0) {
+               btrfs_err(fs_info,
+@@ -2837,14 +2855,6 @@ int open_ctree(struct super_block *sb,
+       disk_super = fs_info->super_copy;
+-      ASSERT(!memcmp(fs_info->fs_devices->fsid, fs_info->super_copy->fsid,
+-                     BTRFS_FSID_SIZE));
+-
+-      if (btrfs_fs_incompat(fs_info, METADATA_UUID)) {
+-              ASSERT(!memcmp(fs_info->fs_devices->metadata_uuid,
+-                              fs_info->super_copy->metadata_uuid,
+-                              BTRFS_FSID_SIZE));
+-      }
+       features = btrfs_super_flags(disk_super);
+       if (features & BTRFS_SUPER_FLAG_CHANGING_FSID_V2) {
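Review bot: The two checks added to validate_super() read `fs_info->super_copy->fsid` and `fs_info->super_copy->metadata_uuid`, while the existing check directly below them reads from the `sb` argument (`sb->dev_item.fsid`). The signature is truncated in the hunk header, so this is inferred, but if validate_super() is ever called with a superblock other than `fs_info->super_copy`, the new checks would validate the wrong copy. Reading from the argument keeps the function self-consistent: `memcmp(fs_info->fs_devices->fsid, sb->fsid, BTRFS_FSID_SIZE)`, likewise `sb->metadata_uuid`, with the same fields passed to btrfs_err(). The body of validate_super() starts and ends outside the hunk.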
diff --git a/queue-5.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch b/queue-5.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
new file mode 100644 (file)
index 0000000..28ab57a
--- /dev/null
@@ -0,0 +1,42 @@
+From e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb Mon Sep 17 00:00:00 2001
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+Date: Sun, 30 May 2021 20:24:05 +0530
+Subject: btrfs: return value from btrfs_mark_extent_written() in case of error
+
+From: Ritesh Harjani <riteshh@linux.ibm.com>
+
+commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream.
+
+We always return 0 even in case of an error in btrfs_mark_extent_written().
+Fix it to return proper error value in case of a failure. All callers
+handle it.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/file.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/file.c
++++ b/fs/btrfs/file.c
+@@ -1163,7 +1163,7 @@ int btrfs_mark_extent_written(struct btr
+       int del_nr = 0;
+       int del_slot = 0;
+       int recow;
+-      int ret;
++      int ret = 0;
+       u64 ino = btrfs_ino(inode);
+       path = btrfs_alloc_path();
+@@ -1384,7 +1384,7 @@ again:
+       }
+ out:
+       btrfs_free_path(path);
+-      return 0;
++      return ret;
+ }
+ /*
diff --git a/queue-5.4/cgroup1-don-t-allow-n-in-renaming.patch b/queue-5.4/cgroup1-don-t-allow-n-in-renaming.patch
new file mode 100644 (file)
index 0000000..2169ef7
--- /dev/null
@@ -0,0 +1,57 @@
+From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001
+From: Alexander Kuznetsov <wwfq@yandex-team.ru>
+Date: Wed, 9 Jun 2021 10:17:19 +0300
+Subject: cgroup1: don't allow '\n' in renaming
+
+From: Alexander Kuznetsov <wwfq@yandex-team.ru>
+
+commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream.
+
+cgroup_mkdir() have restriction on newline usage in names:
+$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2'
+mkdir: cannot create directory
+'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument
+
+But in cgroup1_rename() such check is missed.
+This allows us to make /proc/<pid>/cgroup unparsable:
+$ mkdir /sys/fs/cgroup/cpu/test
+$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2'
+$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2'
+$ cat /proc/self/cgroup
+11:pids:/
+10:freezer:/
+9:hugetlb:/
+8:cpuset:/
+7:blkio:/user.slice
+6:memory:/user.slice
+5:net_cls,net_prio:/
+4:perf_event:/
+3:devices:/user.slice
+2:cpu,cpuacct:/test
+test2
+1:name=systemd:/
+0::/
+
+Signed-off-by: Alexander Kuznetsov <wwfq@yandex-team.ru>
+Reported-by: Andrey Krasichkov <buglloc@yandex-team.ru>
+Acked-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Cc: stable@vger.kernel.org
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/cgroup/cgroup-v1.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -821,6 +821,10 @@ static int cgroup1_rename(struct kernfs_
+       struct cgroup *cgrp = kn->priv;
+       int ret;
++      /* do not accept '\n' to prevent making /proc/<pid>/cgroup unparsable */
++      if (strchr(new_name_str, '\n'))
++              return -EINVAL;
++
+       if (kernfs_type(kn) != KERNFS_DIR)
+               return -ENOTDIR;
+       if (kn->parent != new_parent)
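Review bot: The new `strchr(new_name_str, '\n')` test in cgroup1_rename() restates a naming rule that, according to the commit message, cgroup_mkdir() already enforces. The rule now lives in two places, so the gap this patch closes can reopen if one side changes without the other. Consider moving the test into one small helper called from both paths; the mkdir side is not visible here, so check how it expresses the rule first. The check also runs before the `kernfs_type(kn) != KERNFS_DIR` test, so renaming a non-directory node to a name containing a newline now returns -EINVAL instead of -ENOTDIR, which looks harmless but deserves a word in the comment. cgroup1_rename() continues past the end of the hunk.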
diff --git a/queue-5.4/drm-fix-use-after-free-read-in-drm_getunique.patch b/queue-5.4/drm-fix-use-after-free-read-in-drm_getunique.patch
new file mode 100644 (file)
index 0000000..1823311
--- /dev/null
@@ -0,0 +1,62 @@
+From b436acd1cf7fac0ba987abd22955d98025c80c2b Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Tue, 8 Jun 2021 19:04:36 +0800
+Subject: drm: Fix use-after-free read in drm_getunique()
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit b436acd1cf7fac0ba987abd22955d98025c80c2b upstream.
+
+There is a time-of-check-to-time-of-use error in drm_getunique() due
+to retrieving file_priv->master prior to locking the device's master
+mutex.
+
+An example can be seen in the crash report of the use-after-free error
+found by Syzbot:
+https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803
+
+In the report, the master pointer was used after being freed. This is
+because another process had acquired the device's master mutex in
+drm_setmaster_ioctl(), then overwrote fpriv->master in
+drm_new_set_master(). The old value of fpriv->master was subsequently
+freed before the mutex was unlocked.
+
+To fix this, we lock the device's master mutex before retrieving the
+pointer from from fpriv->master. This patch passes the Syzbot
+reproducer test.
+
+Reported-by: syzbot+c3a706cec1ea99e1c693@syzkaller.appspotmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210608110436.239583-1-desmondcheongzx@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_ioctl.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/gpu/drm/drm_ioctl.c
++++ b/drivers/gpu/drm/drm_ioctl.c
+@@ -118,17 +118,18 @@ int drm_getunique(struct drm_device *dev
+                 struct drm_file *file_priv)
+ {
+       struct drm_unique *u = data;
+-      struct drm_master *master = file_priv->master;
++      struct drm_master *master;
+-      mutex_lock(&master->dev->master_mutex);
++      mutex_lock(&dev->master_mutex);
++      master = file_priv->master;
+       if (u->unique_len >= master->unique_len) {
+               if (copy_to_user(u->unique, master->unique, master->unique_len)) {
+-                      mutex_unlock(&master->dev->master_mutex);
++                      mutex_unlock(&dev->master_mutex);
+                       return -EFAULT;
+               }
+       }
+       u->unique_len = master->unique_len;
+-      mutex_unlock(&master->dev->master_mutex);
++      mutex_unlock(&dev->master_mutex);
+       return 0;
+ }
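Review bot: Nothing in the new drm_getunique() body records why `master = file_priv->master;` must come after `mutex_lock(&dev->master_mutex)`, and that ordering is the entire fix. A one-line comment above the assignment would stop a later cleanup from folding it back into the declaration: `/* file_priv->master can be replaced and freed by drm_setmaster_ioctl(); only read it under master_mutex */`. The same comment fits the matching assignment in drm_master_release() in the following patch.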
diff --git a/queue-5.4/drm-lock-pointer-access-in-drm_master_release.patch b/queue-5.4/drm-lock-pointer-access-in-drm_master_release.patch
new file mode 100644 (file)
index 0000000..aa5ff6b
--- /dev/null
@@ -0,0 +1,52 @@
+From c336a5ee984708db4826ef9e47d184e638e29717 Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Wed, 9 Jun 2021 17:21:19 +0800
+Subject: drm: Lock pointer access in drm_master_release()
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit c336a5ee984708db4826ef9e47d184e638e29717 upstream.
+
+This patch eliminates the following smatch warning:
+drivers/gpu/drm/drm_auth.c:320 drm_master_release() warn: unlocked access 'master' (line 318) expected lock '&dev->master_mutex'
+
+The 'file_priv->master' field should be protected by the mutex lock to
+'&dev->master_mutex'. This is because other processes can concurrently
+modify this field and free the current 'file_priv->master'
+pointer. This could result in a use-after-free error when 'master' is
+dereferenced in subsequent function calls to
+'drm_legacy_lock_master_cleanup()' or to 'drm_lease_revoke()'.
+
+An example of a scenario that would produce this error can be seen
+from a similar bug in 'drm_getunique()' that was reported by Syzbot:
+https://syzkaller.appspot.com/bug?id=148d2f1dfac64af52ffd27b661981a540724f803
+
+In the Syzbot report, another process concurrently acquired the
+device's master mutex in 'drm_setmaster_ioctl()', then overwrote
+'fpriv->master' in 'drm_new_set_master()'. The old value of
+'fpriv->master' was subsequently freed before the mutex was unlocked.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210609092119.173590-1-desmondcheongzx@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/drm_auth.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_auth.c
++++ b/drivers/gpu/drm/drm_auth.c
+@@ -268,9 +268,10 @@ int drm_master_open(struct drm_file *fil
+ void drm_master_release(struct drm_file *file_priv)
+ {
+       struct drm_device *dev = file_priv->minor->dev;
+-      struct drm_master *master = file_priv->master;
++      struct drm_master *master;
+       mutex_lock(&dev->master_mutex);
++      master = file_priv->master;
+       if (file_priv->magic)
+               idr_remove(&file_priv->master->magic_map, file_priv->magic);
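Review bot: The line after the new assignment still dereferences `file_priv->master` directly in `idr_remove(&file_priv->master->magic_map, ...)`, even though `master` now holds the same pointer read under the lock. Using the local makes it obvious that every access goes through the value taken under `master_mutex`: `idr_remove(&master->magic_map, file_priv->magic);`. The rest of drm_master_release() is outside the hunk, so any further `file_priv->master` uses below should be checked the same way.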
diff --git a/queue-5.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch b/queue-5.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
new file mode 100644 (file)
index 0000000..1b20c7c
--- /dev/null
@@ -0,0 +1,75 @@
+From da27a83fd6cc7780fea190e1f5c19e87019da65c Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Tue, 8 Jun 2021 15:31:42 -0400
+Subject: kvm: avoid speculation-based attacks from out-of-range memslot accesses
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream.
+
+KVM's mechanism for accessing guest memory translates a guest physical
+address (gpa) to a host virtual address using the right-shifted gpa
+(also known as gfn) and a struct kvm_memory_slot.  The translation is
+performed in __gfn_to_hva_memslot using the following formula:
+
+      hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE
+
+It is expected that gfn falls within the boundaries of the guest's
+physical memory.  However, a guest can access invalid physical addresses
+in such a way that the gfn is invalid.
+
+__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first
+retrieves a memslot through __gfn_to_memslot.  While __gfn_to_memslot
+does check that the gfn falls within the boundaries of the guest's
+physical memory or not, a CPU can speculate the result of the check and
+continue execution speculatively using an illegal gfn. The speculation
+can result in calculating an out-of-bounds hva.  If the resulting host
+virtual address is used to load another guest physical address, this
+is effectively a Spectre gadget consisting of two consecutive reads,
+the second of which is data dependent on the first.
+
+Right now it's not clear if there are any cases in which this is
+exploitable.  One interesting case was reported by the original author
+of this patch, and involves visiting guest page tables on x86.  Right
+now these are not vulnerable because the hva read goes through get_user(),
+which contains an LFENCE speculation barrier.  However, there are
+patches in progress for x86 uaccess.h to mask kernel addresses instead of
+using LFENCE; once these land, a guest could use speculation to read
+from the VMM's ring 3 address space.  Other architectures such as ARM
+already use the address masking method, and would be susceptible to
+this same kind of data-dependent access gadgets.  Therefore, this patch
+proactively protects from these attacks by masking out-of-bounds gfns
+in __gfn_to_hva_memslot, which blocks speculation of invalid hvas.
+
+Sean Christopherson noted that this patch does not cover
+kvm_read_guest_offset_cached.  This however is limited to a few bytes
+past the end of the cache, and therefore it is unlikely to be useful in
+the context of building a chain of data dependent accesses.
+
+Reported-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
+Co-developed-by: Artemiy Margaritov <artemiy.margaritov@gmail.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/kvm_host.h |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/include/linux/kvm_host.h
++++ b/include/linux/kvm_host.h
+@@ -1045,7 +1045,15 @@ __gfn_to_memslot(struct kvm_memslots *sl
+ static inline unsigned long
+ __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn)
+ {
+-      return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE;
++      /*
++       * The index was checked originally in search_memslots.  To avoid
++       * that a malicious guest builds a Spectre gadget out of e.g. page
++       * table walks, do not let the processor speculate loads outside
++       * the guest's registered memslots.
++       */
++      unsigned long offset = array_index_nospec(gfn - slot->base_gfn,
++                                                slot->npages);
++      return slot->userspace_addr + offset * PAGE_SIZE;
+ }
+ static inline int memslot_id(struct kvm *kvm, gfn_t gfn)
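Review bot: The first argument to array_index_nospec() in __gfn_to_hva_memslot() is `gfn - slot->base_gfn`, which has type gfn_t. array_index_nospec() has a compile-time check that its index is no wider than `long`, so if gfn_t is 64 bits wide (its definition is not on this page) this will not build on 32-bit hosts. Narrowing before the call avoids that: `unsigned long offset = gfn - slot->base_gfn;` followed by `offset = array_index_nospec(offset, slot->npages);`. The comment could also state that an out-of-range index is clamped to 0, so a mispredicted access lands on the first page of the slot and not outside it.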
index 6c2849c80edfcd29efc6cc0e11982af85d219d1c..aea9301496f6746381737709fcfe50c67b9352f4 100644 (file)
@@ -35,3 +35,27 @@ spi-cleanup-on-failure-of-initial-setup.patch
 i2c-mpc-make-use-of-i2c_recover_bus.patch
 i2c-mpc-implement-erratum-a-004447-workaround.patch
 x86-boot-add-.text.-to-setup.ld.patch
+spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
+drm-fix-use-after-free-read-in-drm_getunique.patch
+drm-lock-pointer-access-in-drm_master_release.patch
+kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch
+staging-rtl8723bs-fix-uninitialized-variables.patch
+btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch
+btrfs-promote-debugging-asserts-to-full-fledged-checks-in-validate_super.patch
+cgroup1-don-t-allow-n-in-renaming.patch
+usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
+usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
+usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
+usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
+usb-dwc3-ep0-fix-null-pointer-exception.patch
+usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
+usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch
+usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
+usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
+usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
+usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
+usb-serial-quatech2-fix-control-request-directions.patch
+usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
+usb-gadget-eem-fix-wrong-eem-header-operation.patch
+usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
+usb-fix-various-gadget-panics-on-10gbps-cabling.patch
diff --git a/queue-5.4/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch b/queue-5.4/spi-bcm2835-fix-out-of-bounds-access-with-more-than-4-slaves.patch
new file mode 100644 (file)
index 0000000..3df740c
--- /dev/null
@@ -0,0 +1,75 @@
+From 13817d466eb8713a1ffd254f537402f091d48444 Mon Sep 17 00:00:00 2001
+From: Lukas Wunner <lukas@wunner.de>
+Date: Sat, 22 May 2021 19:49:50 +0200
+Subject: spi: bcm2835: Fix out-of-bounds access with more than 4 slaves
+
+From: Lukas Wunner <lukas@wunner.de>
+
+commit 13817d466eb8713a1ffd254f537402f091d48444 upstream.
+
+Commit 571e31fa60b3 ("spi: bcm2835: Cache CS register value for
+->prepare_message()") limited the number of slaves to 3 at compile-time.
+The limitation was necessitated by a statically-sized array prepare_cs[]
+in the driver private data which contains a per-slave register value.
+
+The commit sought to enforce the limitation at run-time by setting the
+controller's num_chipselect to 3:  Slaves with a higher chipselect are
+rejected by spi_add_device().
+
+However the commit neglected that num_chipselect only limits the number
+of *native* chipselects.  If GPIO chipselects are specified in the
+device tree for more than 3 slaves, num_chipselect is silently raised by
+of_spi_get_gpio_numbers() and the result are out-of-bounds accesses to
+the statically-sized array prepare_cs[].
+
+As a bandaid fix which is backportable to stable, raise the number of
+allowed slaves to 24 (which "ought to be enough for anybody"), enforce
+the limitation on slave ->setup and revert num_chipselect to 3 (which is
+the number of native chipselects supported by the controller).
+An upcoming for-next commit will allow an arbitrary number of slaves.
+
+Fixes: 571e31fa60b3 ("spi: bcm2835: Cache CS register value for ->prepare_message()")
+Reported-by: Joe Burmeister <joe.burmeister@devtank.co.uk>
+Signed-off-by: Lukas Wunner <lukas@wunner.de>
+Cc: stable@vger.kernel.org # v5.4+
+Cc: Phil Elwell <phil@raspberrypi.com>
+Link: https://lore.kernel.org/r/75854affc1923309fde05e47494263bde73e5592.1621703210.git.lukas@wunner.de
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/spi/spi-bcm2835.c |   10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/drivers/spi/spi-bcm2835.c
++++ b/drivers/spi/spi-bcm2835.c
+@@ -68,7 +68,7 @@
+ #define BCM2835_SPI_FIFO_SIZE         64
+ #define BCM2835_SPI_FIFO_SIZE_3_4     48
+ #define BCM2835_SPI_DMA_MIN_LENGTH    96
+-#define BCM2835_SPI_NUM_CS            3   /* raise as necessary */
++#define BCM2835_SPI_NUM_CS            24  /* raise as necessary */
+ #define BCM2835_SPI_MODE_BITS (SPI_CPOL | SPI_CPHA | SPI_CS_HIGH \
+                               | SPI_NO_CS | SPI_3WIRE)
+@@ -1181,6 +1181,12 @@ static int bcm2835_spi_setup(struct spi_
+       struct gpio_chip *chip;
+       u32 cs;
++      if (spi->chip_select >= BCM2835_SPI_NUM_CS) {
++              dev_err(&spi->dev, "only %d chip-selects supported\n",
++                      BCM2835_SPI_NUM_CS - 1);
++              return -EINVAL;
++      }
++
+       /*
+        * Precalculate SPI slave's CS register value for ->prepare_message():
+        * The driver always uses software-controlled GPIO chip select, hence
+@@ -1274,7 +1280,7 @@ static int bcm2835_spi_probe(struct plat
+       ctlr->use_gpio_descriptors = true;
+       ctlr->mode_bits = BCM2835_SPI_MODE_BITS;
+       ctlr->bits_per_word_mask = SPI_BPW_MASK(8);
+-      ctlr->num_chipselect = BCM2835_SPI_NUM_CS;
++      ctlr->num_chipselect = 3;
+       ctlr->setup = bcm2835_spi_setup;
+       ctlr->transfer_one = bcm2835_spi_transfer_one;
+       ctlr->handle_err = bcm2835_spi_handle_err;
diff --git a/queue-5.4/staging-rtl8723bs-fix-uninitialized-variables.patch b/queue-5.4/staging-rtl8723bs-fix-uninitialized-variables.patch
new file mode 100644 (file)
index 0000000..257e8dc
--- /dev/null
@@ -0,0 +1,69 @@
+From 43c85d770db80cb135f576f8fde6ff1a08e707a4 Mon Sep 17 00:00:00 2001
+From: Wenli Looi <wlooi@ucalgary.ca>
+Date: Mon, 7 Jun 2021 23:46:20 -0700
+Subject: staging: rtl8723bs: Fix uninitialized variables
+
+From: Wenli Looi <wlooi@ucalgary.ca>
+
+commit 43c85d770db80cb135f576f8fde6ff1a08e707a4 upstream.
+
+The sinfo.pertid and sinfo.generation variables are not initialized and
+it causes a crash when we use this as a wireless access point.
+
+[  456.873025] ------------[ cut here ]------------
+[  456.878198] kernel BUG at mm/slub.c:3968!
+[  456.882680] Internal error: Oops - BUG: 0 [#1] PREEMPT SMP ARM
+
+  [ snip ]
+
+[  457.271004] Backtrace:
+[  457.273733] [<c02b7ee4>] (kfree) from [<c0e2a470>] (nl80211_send_station+0x954/0xfc4)
+[  457.282481]  r9:eccca0c0 r8:e8edfec0 r7:00000000 r6:00000011 r5:e80a9480 r4:e8edfe00
+[  457.291132] [<c0e29b1c>] (nl80211_send_station) from [<c0e2b18c>] (cfg80211_new_sta+0x90/0x1cc)
+[  457.300850]  r10:e80a9480 r9:e8edfe00 r8:ea678cca r7:00000a20 r6:00000000 r5:ec46d000
+[  457.309586]  r4:ec46d9e0
+[  457.312433] [<c0e2b0fc>] (cfg80211_new_sta) from [<bf086684>] (rtw_cfg80211_indicate_sta_assoc+0x80/0x9c [r8723bs])
+[  457.324095]  r10:00009930 r9:e85b9d80 r8:bf091050 r7:00000000 r6:00000000 r5:0000001c
+[  457.332831]  r4:c1606788
+[  457.335692] [<bf086604>] (rtw_cfg80211_indicate_sta_assoc [r8723bs]) from [<bf03df38>] (rtw_stassoc_event_callback+0x1c8/0x1d4 [r8723bs])
+[  457.349489]  r7:ea678cc0 r6:000000a1 r5:f1225f84 r4:f086b000
+[  457.355845] [<bf03dd70>] (rtw_stassoc_event_callback [r8723bs]) from [<bf048e4c>] (mlme_evt_hdl+0x8c/0xb4 [r8723bs])
+[  457.367601]  r7:c1604900 r6:f086c4b8 r5:00000000 r4:f086c000
+[  457.373959] [<bf048dc0>] (mlme_evt_hdl [r8723bs]) from [<bf03693c>] (rtw_cmd_thread+0x198/0x3d8 [r8723bs])
+[  457.384744]  r5:f086e000 r4:f086c000
+[  457.388754] [<bf0367a4>] (rtw_cmd_thread [r8723bs]) from [<c014a214>] (kthread+0x170/0x174)
+[  457.398083]  r10:ed7a57e8 r9:bf0367a4 r8:f086b000 r7:e8ede000 r6:00000000 r5:e9975200
+[  457.406828]  r4:e8369900
+[  457.409653] [<c014a0a4>] (kthread) from [<c01010e8>] (ret_from_fork+0x14/0x2c)
+[  457.417718] Exception stack(0xe8edffb0 to 0xe8edfff8)
+[  457.423356] ffa0:                                     00000000 00000000 00000000 00000000
+[  457.432492] ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
+[  457.441618] ffe0: 00000000 00000000 00000000 00000000 00000013 00000000
+[  457.449006]  r10:00000000 r9:00000000 r8:00000000 r7:00000000 r6:00000000 r5:c014a0a4
+[  457.457750]  r4:e9975200
+[  457.460574] Code: 1a000003 e5953004 e3130001 1a000000 (e7f001f2)
+[  457.467381] ---[ end trace 4acbc8c15e9e6aa7 ]---
+
+Link: https://forum.armbian.com/topic/14727-wifi-ap-kernel-bug-in-kernel-5444/
+Fixes: 8689c051a201 ("cfg80211: dynamically allocate per-tid stats for station info")
+Fixes: f5ea9120be2e ("nl80211: add generation number to all dumps")
+Signed-off-by: Wenli Looi <wlooi@ucalgary.ca>
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210608064620.74059-1-wlooi@ucalgary.ca
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
++++ b/drivers/staging/rtl8723bs/os_dep/ioctl_cfg80211.c
+@@ -2406,7 +2406,7 @@ void rtw_cfg80211_indicate_sta_assoc(str
+       DBG_871X(FUNC_ADPT_FMT"\n", FUNC_ADPT_ARG(padapter));
+       {
+-              struct station_info sinfo;
++              struct station_info sinfo = {};
+               u8 ie_offset;
+               if (GetFrameSubType(pmgmt_frame) == WIFI_ASSOCREQ)
+                       ie_offset = _ASOCREQ_IE_OFFSET_;
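Review bot: The `= {}` initialiser on `sinfo` is load-bearing but reads as cosmetic. The backtrace in the commit message shows kfree() reached from nl80211_send_station() via cfg80211_new_sta(), which suggests the callee frees a pointer field of the struct. A short comment on the declaration would stop a later cleanup from dropping the initialiser, for example `/* must be zeroed: cfg80211_new_sta() frees sinfo.pertid */`. The enclosing function starts and ends outside the hunk.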
diff --git a/queue-5.4/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch b/queue-5.4/usb-dwc3-debugfs-add-and-remove-endpoint-dirs-dynamically.patch
new file mode 100644 (file)
index 0000000..3a5a191
--- /dev/null
@@ -0,0 +1,122 @@
+From 8d396bb0a5b62b326f6be7594d8bd46b088296bd Mon Sep 17 00:00:00 2001
+From: Jack Pham <jackp@codeaurora.org>
+Date: Sat, 29 May 2021 12:29:32 -0700
+Subject: usb: dwc3: debugfs: Add and remove endpoint dirs dynamically
+
+From: Jack Pham <jackp@codeaurora.org>
+
+commit 8d396bb0a5b62b326f6be7594d8bd46b088296bd upstream.
+
+The DWC3 DebugFS directory and files are currently created once
+during probe.  This includes creation of subdirectories for each
+of the gadget's endpoints.  This works fine for peripheral-only
+controllers, as dwc3_core_init_mode() calls dwc3_gadget_init()
+just prior to calling dwc3_debugfs_init().
+
+However, for dual-role controllers, dwc3_core_init_mode() will
+instead call dwc3_drd_init() which is problematic in a few ways.
+First, the initial state must be determined, then dwc3_set_mode()
+will have to schedule drd_work and by then dwc3_debugfs_init()
+could have already been invoked.  Even if the initial mode is
+peripheral, dwc3_gadget_init() happens after the DebugFS files
+are created, and worse so if the initial state is host and the
+controller switches to peripheral much later.  And secondly,
+even if the gadget endpoints' debug entries were successfully
+created, if the controller exits peripheral mode, its dwc3_eps
+are freed so the debug files would now hold stale references.
+
+So it is best if the DebugFS endpoint entries are created and
+removed dynamically at the same time the underlying dwc3_eps are.
+Do this by calling dwc3_debugfs_create_endpoint_dir() as each
+endpoint is created, and conversely remove the DebugFS entry when
+the endpoint is freed.
+
+Fixes: 41ce1456e1db ("usb: dwc3: core: make dwc3_set_mode() work properly")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Peter Chen <peter.chen@kernel.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Link: https://lore.kernel.org/r/20210529192932.22912-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/debug.h   |    3 +++
+ drivers/usb/dwc3/debugfs.c |   21 ++-------------------
+ drivers/usb/dwc3/gadget.c  |    3 +++
+ 3 files changed, 8 insertions(+), 19 deletions(-)
+
+--- a/drivers/usb/dwc3/debug.h
++++ b/drivers/usb/dwc3/debug.h
+@@ -409,9 +409,12 @@ static inline const char *dwc3_gadget_ge
+ #ifdef CONFIG_DEBUG_FS
++extern void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep);
+ extern void dwc3_debugfs_init(struct dwc3 *);
+ extern void dwc3_debugfs_exit(struct dwc3 *);
+ #else
++static inline void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep)
++{  }
+ static inline void dwc3_debugfs_init(struct dwc3 *d)
+ {  }
+ static inline void dwc3_debugfs_exit(struct dwc3 *d)
+--- a/drivers/usb/dwc3/debugfs.c
++++ b/drivers/usb/dwc3/debugfs.c
+@@ -878,30 +878,14 @@ static void dwc3_debugfs_create_endpoint
+       }
+ }
+-static void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep,
+-              struct dentry *parent)
++void dwc3_debugfs_create_endpoint_dir(struct dwc3_ep *dep)
+ {
+       struct dentry           *dir;
+-      dir = debugfs_create_dir(dep->name, parent);
++      dir = debugfs_create_dir(dep->name, dep->dwc->root);
+       dwc3_debugfs_create_endpoint_files(dep, dir);
+ }
+-static void dwc3_debugfs_create_endpoint_dirs(struct dwc3 *dwc,
+-              struct dentry *parent)
+-{
+-      int                     i;
+-
+-      for (i = 0; i < dwc->num_eps; i++) {
+-              struct dwc3_ep  *dep = dwc->eps[i];
+-
+-              if (!dep)
+-                      continue;
+-
+-              dwc3_debugfs_create_endpoint_dir(dep, parent);
+-      }
+-}
+-
+ void dwc3_debugfs_init(struct dwc3 *dwc)
+ {
+       struct dentry           *root;
+@@ -935,7 +919,6 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
+                                   &dwc3_testmode_fops);
+               debugfs_create_file("link_state", S_IRUGO | S_IWUSR, root, dwc,
+                                   &dwc3_link_state_fops);
+-              dwc3_debugfs_create_endpoint_dirs(dwc, root);
+       }
+ }
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -2483,6 +2483,8 @@ static int dwc3_gadget_init_endpoint(str
+       INIT_LIST_HEAD(&dep->started_list);
+       INIT_LIST_HEAD(&dep->cancelled_list);
++      dwc3_debugfs_create_endpoint_dir(dep);
++
+       return 0;
+ }
+@@ -2526,6 +2528,7 @@ static void dwc3_gadget_free_endpoints(s
+                       list_del(&dep->endpoint.ep_list);
+               }
++              debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root));
+               kfree(dep);
+       }
+ }
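Review bot: In the gadget.c hunk, `debugfs_remove_recursive(debugfs_lookup(dep->name, dwc->root));` discards the dentry returned by debugfs_lookup(), which comes back with a reference held that the caller must drop with dput(), so each freed endpoint leaks one dentry reference. Keep the result in a local and release it: `struct dentry *d = debugfs_lookup(dep->name, dwc->root);`, then `debugfs_remove_recursive(d);` and `dput(d);`. Separately, dwc3_debugfs_create_endpoint_dir() now reads `dep->dwc->root`, and the commit message says the ordering between dwc3_debugfs_init() and gadget init varies. If root can still be NULL when an endpoint is created, the directory would presumably land at the debugfs top level, so that ordering is worth confirming. Both gadget.c functions start outside their hunks.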
diff --git a/queue-5.4/usb-dwc3-ep0-fix-null-pointer-exception.patch b/queue-5.4/usb-dwc3-ep0-fix-null-pointer-exception.patch
new file mode 100644 (file)
index 0000000..4c2d61a
--- /dev/null
@@ -0,0 +1,67 @@
+From d00889080ab60051627dab1d85831cd9db750e2a Mon Sep 17 00:00:00 2001
+From: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+Date: Tue, 8 Jun 2021 19:26:50 +0300
+Subject: usb: dwc3: ep0: fix NULL pointer exception
+
+From: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+
+commit d00889080ab60051627dab1d85831cd9db750e2a upstream.
+
+There is no validation of the index from dwc3_wIndex_to_dep() and we might
+be referring a non-existing ep and trigger a NULL pointer exception. In
+certain configurations we might use fewer eps and the index might wrongly
+indicate a larger ep index than existing.
+
+By adding this validation from the patch we can actually report a wrong
+index back to the caller.
+
+In our usecase we are using a composite device on an older kernel, but
+upstream might use this fix also. Unfortunately, I cannot describe the
+hardware for others to reproduce the issue as it is a proprietary
+implementation.
+
+[   82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4
+[   82.966891] Mem abort info:
+[   82.969663]   ESR = 0x96000006
+[   82.972703]   Exception class = DABT (current EL), IL = 32 bits
+[   82.978603]   SET = 0, FnV = 0
+[   82.981642]   EA = 0, S1PTW = 0
+[   82.984765] Data abort info:
+[   82.987631]   ISV = 0, ISS = 0x00000006
+[   82.991449]   CM = 0, WnR = 0
+[   82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc
+[   83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000
+[   83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP
+[   83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c)
+[   83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1
+[   83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO)
+[   83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c
+[   83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94
+
+...
+
+[   83.141788] Call trace:
+[   83.144227]  dwc3_ep0_handle_feature+0x414/0x43c
+[   83.148823]  dwc3_ep0_interrupt+0x3b4/0xc94
+[   83.181546] ---[ end trace aac6b5267d84c32f ]---
+
+Signed-off-by: Marian-Cristian Rotariu <marian.c.rotariu@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/ep0.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/ep0.c
++++ b/drivers/usb/dwc3/ep0.c
+@@ -292,6 +292,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de
+               epnum |= 1;
+       dep = dwc->eps[epnum];
++      if (dep == NULL)
++              return NULL;
++
+       if (dep->flags & DWC3_EP_ENABLED)
+               return dep;
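Review bot: The added `if (dep == NULL)` guard catches an unpopulated slot in `dwc->eps[]`, but it does not bound `epnum` itself, which the commit message describes as coming from a request index that can name a larger endpoint than exists. The computation of `epnum` is above the hunk, so confirm there that it is masked to stay below the length of `dwc->eps[]`. If it is, a short comment such as `/* epnum is in range, but the slot may be unpopulated in this configuration */` would record why a NULL test is sufficient. Kernel style also prefers `if (!dep)` over the explicit comparison. dwc3_wIndex_to_dep() starts and ends outside the hunk.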
diff --git a/queue-5.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch b/queue-5.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch
new file mode 100644 (file)
index 0000000..875b7e2
--- /dev/null
@@ -0,0 +1,43 @@
+From 3370139745853f7826895293e8ac3aec1430508e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Mon, 7 Jun 2021 17:53:44 -0700
+Subject: USB: f_ncm: ncm_bitrate (speed) is unsigned
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Å»enczykowski <maze@google.com>
+
+commit 3370139745853f7826895293e8ac3aec1430508e upstream.
+
+[  190.544755] configfs-gadget gadget: notify speed -44967296
+
+This is because 4250000000 - 2**32 is -44967296.
+
+Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added")
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: Yauheni Kaliuta <yauheni.kaliuta@nokia.com>
+Cc: Linux USB Mailing List <linux-usb@vger.kernel.org>
+Acked-By: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Maciej Å»enczykowski <maze@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ncm.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -583,7 +583,7 @@ static void ncm_do_notify(struct f_ncm *
+               data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget));
+               data[1] = data[0];
+-              DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget));
++              DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget));
+               ncm->notify_state = NCM_NOTIFY_CONNECT;
+               break;
+       }
diff --git a/queue-5.4/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch b/queue-5.4/usb-f_ncm-only-first-packet-of-aggregate-needs-to-start-timer.patch
new file mode 100644 (file)
index 0000000..3aa2202
--- /dev/null
@@ -0,0 +1,60 @@
+From 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Tue, 8 Jun 2021 01:54:38 -0700
+Subject: usb: f_ncm: only first packet of aggregate needs to start timer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Å»enczykowski <maze@google.com>
+
+commit 1958ff5ad2d4908b44a72bcf564dfe67c981e7fe upstream.
+
+The reasoning for this change is that if we already had
+a packet pending, then we also already had a pending timer,
+and as such there is no need to reschedule it.
+
+This also prevents packets getting delayed 60 ms worst case
+under a tiny packet every 290us transmit load, by keeping the
+timeout always relative to the first queued up packet.
+(300us delay * 16KB max aggregation / 80 byte packet =~ 60 ms)
+
+As such the first packet is now at most delayed by 300us.
+
+Under low transmit load, this will simply result in us sending
+a shorter aggregate, as originally intended.
+
+This patch has the benefit of greatly reducing (by ~10 factor
+with 1500 byte frames aggregated into 16 kiB) the number of
+(potentially pretty costly) updates to the hrtimer.
+
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Signed-off-by: Maciej Å»enczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20210608085438.813960-1-zenczykowski@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ncm.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -1101,11 +1101,11 @@ static struct sk_buff *ncm_wrap_ntb(stru
+                       ncm->ndp_dgram_count = 1;
+                       /* Note: we skip opts->next_ndp_index */
+-              }
+-              /* Delay the timer. */
+-              hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
+-                            HRTIMER_MODE_REL_SOFT);
++                      /* Start the timer. */
++                      hrtimer_start(&ncm->task_timer, TX_TIMEOUT_NSECS,
++                                    HRTIMER_MODE_REL_SOFT);
++              }
+               /* Add the datagram position entries */
+               ntb_ndp = skb_put_zero(ncm->skb_tx_ndp, dgram_idx_len);
diff --git a/queue-5.4/usb-fix-various-gadget-panics-on-10gbps-cabling.patch b/queue-5.4/usb-fix-various-gadget-panics-on-10gbps-cabling.patch
new file mode 100644 (file)
index 0000000..c1098a1
--- /dev/null
@@ -0,0 +1,67 @@
+From 032e288097a553db5653af552dd8035cd2a0ba96 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Tue, 8 Jun 2021 19:44:59 -0700
+Subject: usb: fix various gadget panics on 10gbps cabling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Å»enczykowski <maze@google.com>
+
+commit 032e288097a553db5653af552dd8035cd2a0ba96 upstream.
+
+usb_assign_descriptors() is called with 5 parameters,
+the last 4 of which are the usb_descriptor_header for:
+  full-speed (USB1.1 - 12Mbps [including USB1.0 low-speed @ 1.5Mbps),
+  high-speed (USB2.0 - 480Mbps),
+  super-speed (USB3.0 - 5Gbps),
+  super-speed-plus (USB3.1 - 10Gbps).
+
+The differences between full/high/super-speed descriptors are usually
+substantial (due to changes in the maximum usb block size from 64 to 512
+to 1024 bytes and other differences in the specs), while the difference
+between 5 and 10Gbps descriptors may be as little as nothing
+(in many cases the same tuning is simply good enough).
+
+However if a gadget driver calls usb_assign_descriptors() with
+a NULL descriptor for super-speed-plus and is then used on a max 10gbps
+configuration, the kernel will crash with a null pointer dereference,
+when a 10gbps capable device port + cable + host port combination shows up.
+(This wouldn't happen if the gadget max-speed was set to 5gbps, but
+it of course defaults to the maximum, and there's no real reason to
+artificially limit it)
+
+The fix is to simply use the 5gbps descriptor as the 10gbps descriptor,
+if a 10gbps descriptor wasn't provided.
+
+Obviously this won't fix the problem if the 5gbps descriptor is also
+NULL, but such cases can't be so trivially solved (and any such gadgets
+are unlikely to be used with USB3 ports any way).
+
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Maciej Å»enczykowski <maze@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210609024459.1126080-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/config.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/gadget/config.c
++++ b/drivers/usb/gadget/config.c
+@@ -164,6 +164,14 @@ int usb_assign_descriptors(struct usb_fu
+ {
+       struct usb_gadget *g = f->config->cdev->gadget;
++      /* super-speed-plus descriptor falls back to super-speed one,
++       * if such a descriptor was provided, thus avoiding a NULL
++       * pointer dereference if a 5gbps capable gadget is used with
++       * a 10gbps capable config (device port + cable + host port)
++       */
++      if (!ssp)
++              ssp = ss;
++
+       if (fs) {
+               f->fs_descriptors = usb_copy_descriptors(fs);
+               if (!f->fs_descriptors)
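Review bot: The fallback `if (!ssp) ssp = ss;` leaves `ssp` NULL whenever `ss` is NULL too, a case the commit message acknowledges but the in-code comment does not, so a later reader of usb_assign_descriptors() may assume the SuperSpeedPlus case is fully covered. Extend the comment with one line, e.g. `* (no fallback is possible when ss is NULL as well)`. The block comment also starts its text on the `/*` line, where the usual kernel form outside net/ puts `/*` on a line of its own. The function body continues past the hunk.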
diff --git a/queue-5.4/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch b/queue-5.4/usb-fix-various-gadgets-null-ptr-deref-on-10gbps-cabling.patch
new file mode 100644 (file)
index 0000000..f554c94
--- /dev/null
@@ -0,0 +1,162 @@
+From 90c4d05780d47e14a50e11a7f17373104cd47d25 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= <maze@google.com>
+Date: Mon, 7 Jun 2021 21:41:41 -0700
+Subject: usb: fix various gadgets null ptr deref on 10gbps cabling.
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Maciej Å»enczykowski <maze@google.com>
+
+commit 90c4d05780d47e14a50e11a7f17373104cd47d25 upstream.
+
+This avoids a null pointer dereference in
+f_{ecm,eem,hid,loopback,printer,rndis,serial,sourcesink,subset,tcm}
+by simply reusing the 5gbps config for 10gbps.
+
+Fixes: eaef50c76057 ("usb: gadget: Update usb_assign_descriptors for SuperSpeedPlus")
+Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Cc: Felipe Balbi <balbi@kernel.org>
+Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
+Cc: Lorenzo Colitti <lorenzo@google.com>
+Cc: Martin K. Petersen <martin.petersen@oracle.com>
+Cc: Michael R Sweet <msweet@msweet.org>
+Cc: Mike Christie <michael.christie@oracle.com>
+Cc: Pawel Laszczak <pawell@cadence.com>
+Cc: Peter Chen <peter.chen@nxp.com>
+Cc: Sudhakar Panneerselvam <sudhakar.panneerselvam@oracle.com>
+Cc: Wei Ming Chen <jj251510319013@gmail.com>
+Cc: Will McVicker <willmcvicker@google.com>
+Cc: Zqiang <qiang.zhang@windriver.com>
+Reviewed-By: Lorenzo Colitti <lorenzo@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Maciej Å»enczykowski <maze@google.com>
+Link: https://lore.kernel.org/r/20210608044141.3898496-1-zenczykowski@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_ecm.c        |    2 +-
+ drivers/usb/gadget/function/f_eem.c        |    2 +-
+ drivers/usb/gadget/function/f_hid.c        |    3 ++-
+ drivers/usb/gadget/function/f_loopback.c   |    2 +-
+ drivers/usb/gadget/function/f_printer.c    |    3 ++-
+ drivers/usb/gadget/function/f_rndis.c      |    2 +-
+ drivers/usb/gadget/function/f_serial.c     |    2 +-
+ drivers/usb/gadget/function/f_sourcesink.c |    3 ++-
+ drivers/usb/gadget/function/f_subset.c     |    2 +-
+ drivers/usb/gadget/function/f_tcm.c        |    3 ++-
+ 10 files changed, 14 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ecm.c
++++ b/drivers/usb/gadget/function/f_ecm.c
+@@ -791,7 +791,7 @@ ecm_bind(struct usb_configuration *c, st
+               fs_ecm_notify_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, ecm_fs_function, ecm_hs_function,
+-                      ecm_ss_function, NULL);
++                      ecm_ss_function, ecm_ss_function);
+       if (status)
+               goto fail;
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -304,7 +304,7 @@ static int eem_bind(struct usb_configura
+       eem_ss_out_desc.bEndpointAddress = eem_fs_out_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, eem_fs_function, eem_hs_function,
+-                      eem_ss_function, NULL);
++                      eem_ss_function, eem_ss_function);
+       if (status)
+               goto fail;
+--- a/drivers/usb/gadget/function/f_hid.c
++++ b/drivers/usb/gadget/function/f_hid.c
+@@ -808,7 +808,8 @@ static int hidg_bind(struct usb_configur
+               hidg_fs_out_ep_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, hidg_fs_descriptors,
+-                      hidg_hs_descriptors, hidg_ss_descriptors, NULL);
++                      hidg_hs_descriptors, hidg_ss_descriptors,
++                      hidg_ss_descriptors);
+       if (status)
+               goto fail;
+--- a/drivers/usb/gadget/function/f_loopback.c
++++ b/drivers/usb/gadget/function/f_loopback.c
+@@ -207,7 +207,7 @@ autoconf_fail:
+       ss_loop_sink_desc.bEndpointAddress = fs_loop_sink_desc.bEndpointAddress;
+       ret = usb_assign_descriptors(f, fs_loopback_descs, hs_loopback_descs,
+-                      ss_loopback_descs, NULL);
++                      ss_loopback_descs, ss_loopback_descs);
+       if (ret)
+               return ret;
+--- a/drivers/usb/gadget/function/f_printer.c
++++ b/drivers/usb/gadget/function/f_printer.c
+@@ -1063,7 +1063,8 @@ autoconf_fail:
+       ss_ep_out_desc.bEndpointAddress = fs_ep_out_desc.bEndpointAddress;
+       ret = usb_assign_descriptors(f, fs_printer_function,
+-                      hs_printer_function, ss_printer_function, NULL);
++                      hs_printer_function, ss_printer_function,
++                      ss_printer_function);
+       if (ret)
+               return ret;
+--- a/drivers/usb/gadget/function/f_rndis.c
++++ b/drivers/usb/gadget/function/f_rndis.c
+@@ -789,7 +789,7 @@ rndis_bind(struct usb_configuration *c,
+       ss_notify_desc.bEndpointAddress = fs_notify_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, eth_fs_function, eth_hs_function,
+-                      eth_ss_function, NULL);
++                      eth_ss_function, eth_ss_function);
+       if (status)
+               goto fail;
+--- a/drivers/usb/gadget/function/f_serial.c
++++ b/drivers/usb/gadget/function/f_serial.c
+@@ -233,7 +233,7 @@ static int gser_bind(struct usb_configur
+       gser_ss_out_desc.bEndpointAddress = gser_fs_out_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, gser_fs_function, gser_hs_function,
+-                      gser_ss_function, NULL);
++                      gser_ss_function, gser_ss_function);
+       if (status)
+               goto fail;
+       dev_dbg(&cdev->gadget->dev, "generic ttyGS%d: %s speed IN/%s OUT/%s\n",
+--- a/drivers/usb/gadget/function/f_sourcesink.c
++++ b/drivers/usb/gadget/function/f_sourcesink.c
+@@ -431,7 +431,8 @@ no_iso:
+       ss_iso_sink_desc.bEndpointAddress = fs_iso_sink_desc.bEndpointAddress;
+       ret = usb_assign_descriptors(f, fs_source_sink_descs,
+-                      hs_source_sink_descs, ss_source_sink_descs, NULL);
++                      hs_source_sink_descs, ss_source_sink_descs,
++                      ss_source_sink_descs);
+       if (ret)
+               return ret;
+--- a/drivers/usb/gadget/function/f_subset.c
++++ b/drivers/usb/gadget/function/f_subset.c
+@@ -358,7 +358,7 @@ geth_bind(struct usb_configuration *c, s
+               fs_subset_out_desc.bEndpointAddress;
+       status = usb_assign_descriptors(f, fs_eth_function, hs_eth_function,
+-                      ss_eth_function, NULL);
++                      ss_eth_function, ss_eth_function);
+       if (status)
+               goto fail;
+--- a/drivers/usb/gadget/function/f_tcm.c
++++ b/drivers/usb/gadget/function/f_tcm.c
+@@ -2056,7 +2056,8 @@ static int tcm_bind(struct usb_configura
+       uasp_fs_cmd_desc.bEndpointAddress = uasp_ss_cmd_desc.bEndpointAddress;
+       ret = usb_assign_descriptors(f, uasp_fs_function_desc,
+-                      uasp_hs_function_desc, uasp_ss_function_desc, NULL);
++                      uasp_hs_function_desc, uasp_ss_function_desc,
++                      uasp_ss_function_desc);
+       if (ret)
+               goto ep_fail;
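Review bot: The same edit is repeated by hand in ten bind functions (f_ecm, f_eem, f_hid, f_loopback, f_printer, f_rndis, f_serial, f_sourcesink, f_subset, f_tcm), so any function driver not in this list that still passes `NULL` as the last argument of usb_assign_descriptors() would presumably keep the NULL dereference the commit message describes. The generic `if (!ssp) ssp = ss;` fallback in drivers/usb/gadget/config.c, queued alongside this patch, covers those callers, so the two patches should stay together in the backport. A comment at the call sites such as `/* SuperSpeedPlus reuses the SuperSpeed descriptors */` would explain why the same table is passed twice. Every bind function touched here starts and ends outside its hunk.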
diff --git a/queue-5.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch b/queue-5.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch
new file mode 100644 (file)
index 0000000..b764a91
--- /dev/null
@@ -0,0 +1,41 @@
+From 305f670846a31a261462577dd0b967c4fa796871 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <linyyuan@codeaurora.com>
+Date: Wed, 9 Jun 2021 07:35:47 +0800
+Subject: usb: gadget: eem: fix wrong eem header operation
+
+From: Linyu Yuan <linyyuan@codeaurora.com>
+
+commit 305f670846a31a261462577dd0b967c4fa796871 upstream.
+
+when skb_clone() or skb_copy_expand() fail,
+it should pull skb with lengh indicated by header,
+or not it will read network data and check it as header.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
+Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_eem.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -497,7 +497,7 @@ static int eem_unwrap(struct gether *por
+                       skb2 = skb_clone(skb, GFP_ATOMIC);
+                       if (unlikely(!skb2)) {
+                               DBG(cdev, "unable to unframe EEM packet\n");
+-                              continue;
++                              goto next;
+                       }
+                       skb_trim(skb2, len - ETH_FCS_LEN);
+@@ -507,7 +507,7 @@ static int eem_unwrap(struct gether *por
+                                               GFP_ATOMIC);
+                       if (unlikely(!skb3)) {
+                               dev_kfree_skb_any(skb2);
+-                              continue;
++                              goto next;
+                       }
+                       dev_kfree_skb_any(skb2);
+                       skb_queue_tail(list, skb3);
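Review bot: The skb_copy_expand() failure path drops the frame with no trace, while the skb_clone() failure just above logs `unable to unframe EEM packet`. Add a matching `DBG(cdev, "unable to realign EEM packet\n");` before the second `goto next;` so both allocation failures are visible when debugging. The `next:` label is outside both hunks, so confirm that it advances the buffer by the header-declared length, as the commit message says it should. `len` is taken from the received frame, and the check that it fits in the remaining skb is not visible here. eem_unwrap() starts and ends outside the hunks.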
diff --git a/queue-5.4/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch b/queue-5.4/usb-gadget-f_fs-ensure-io_completion_wq-is-idle-during-unbind.patch
new file mode 100644 (file)
index 0000000..565f593
--- /dev/null
@@ -0,0 +1,42 @@
+From 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 Mon Sep 17 00:00:00 2001
+From: Wesley Cheng <wcheng@codeaurora.org>
+Date: Fri, 21 May 2021 17:44:21 -0700
+Subject: usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
+
+From: Wesley Cheng <wcheng@codeaurora.org>
+
+commit 6fc1db5e6211e30fbb1cee8d7925d79d4ed2ae14 upstream.
+
+During unbind, ffs_func_eps_disable() will be executed, resulting in
+completion callbacks for any pending USB requests.  When using AIO,
+irrespective of the completion status, io_data work is queued to
+io_completion_wq to evaluate and handle the completed requests.  Since
+work runs asynchronously to the unbind() routine, there can be a
+scenario where the work runs after the USB gadget has been fully
+removed, resulting in accessing of a resource which has been already
+freed. (i.e. usb_ep_free_request() accessing the USB ep structure)
+
+Explicitly drain the io_completion_wq, instead of relying on the
+destroy_workqueue() (in ffs_data_put()) to make sure no pending
+completion work items are running.
+
+Signed-off-by: Wesley Cheng <wcheng@codeaurora.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1621644261-1236-1-git-send-email-wcheng@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_fs.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3585,6 +3585,9 @@ static void ffs_func_unbind(struct usb_c
+               ffs->func = NULL;
+       }
++      /* Drain any pending AIO completions */
++      drain_workqueue(ffs->io_completion_wq);
++
+       if (!--opts->refcnt)
+               functionfs_unbind(ffs);
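Review bot: The comment `/* Drain any pending AIO completions */` does not say why the drain must happen at this point, which is the substance of the fix: per the commit message, completion work queued during endpoint disable can otherwise run after the gadget is removed and touch a freed endpoint. Suggest `/* Drain pending AIO completion work so it cannot touch endpoints after they are freed */`. drain_workqueue() only waits for work queued up to the drain, so the fix relies on the endpoints already being disabled earlier in ffs_func_unbind(). That part is above the hunk and should be confirmed.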
diff --git a/queue-5.4/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch b/queue-5.4/usb-musb-fix-musb_quirk_b_disconnect_99-handling.patch
new file mode 100644 (file)
index 0000000..f638e53
--- /dev/null
@@ -0,0 +1,59 @@
+From b65ba0c362be665192381cc59e3ac3ef6f0dd1e1 Mon Sep 17 00:00:00 2001
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Date: Fri, 28 May 2021 16:04:46 +0200
+Subject: usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling
+
+From: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+
+commit b65ba0c362be665192381cc59e3ac3ef6f0dd1e1 upstream.
+
+In commit 92af4fc6ec33 ("usb: musb: Fix suspend with devices
+connected for a64"), the logic to support the
+MUSB_QUIRK_B_DISCONNECT_99 quirk was modified to only conditionally
+schedule the musb->irq_work delayed work.
+
+This commit badly breaks ECM Gadget on AM335X. Indeed, with this
+commit, one can observe massive packet loss:
+
+$ ping 192.168.0.100
+...
+15 packets transmitted, 3 received, 80% packet loss, time 14316ms
+
+Reverting this commit brings back a properly functioning ECM
+Gadget. An analysis of the commit seems to indicate that a mistake was
+made: the previous code was not falling through into the
+MUSB_QUIRK_B_INVALID_VBUS_91, but now it is, unless the condition is
+taken.
+
+Changing the logic to be as it was before the problematic commit *and*
+only conditionally scheduling musb->irq_work resolves the regression:
+
+$ ping 192.168.0.100
+...
+64 packets transmitted, 64 received, 0% packet loss, time 64475ms
+
+Fixes: 92af4fc6ec33 ("usb: musb: Fix suspend with devices connected for a64")
+Cc: stable@vger.kernel.org
+Tested-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Tested-by: Drew Fustini <drew@beagleboard.org>
+Acked-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+Link: https://lore.kernel.org/r/20210528140446.278076-1-thomas.petazzoni@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_core.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -1871,9 +1871,8 @@ static void musb_pm_runtime_check_sessio
+                       schedule_delayed_work(&musb->irq_work,
+                                             msecs_to_jiffies(1000));
+                       musb->quirk_retries--;
+-                      break;
+               }
+-              fallthrough;
++              break;
+       case MUSB_QUIRK_B_INVALID_VBUS_91:
+               if (musb->quirk_retries && !musb->flush_irq_work) {
+                       musb_dbg(musb,
diff --git a/queue-5.4/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch b/queue-5.4/usb-pd-set-pd_t_sink_wait_cap-to-310ms.patch
new file mode 100644 (file)
index 0000000..e5639f9
--- /dev/null
@@ -0,0 +1,35 @@
+From 6490fa565534fa83593278267785a694fd378a2b Mon Sep 17 00:00:00 2001
+From: Kyle Tso <kyletso@google.com>
+Date: Fri, 28 May 2021 16:16:13 +0800
+Subject: usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms
+
+From: Kyle Tso <kyletso@google.com>
+
+commit 6490fa565534fa83593278267785a694fd378a2b upstream.
+
+Current timer PD_T_SINK_WAIT_CAP is set to 240ms which will violate the
+SinkWaitCapTimer (tTypeCSinkWaitCap 310 - 620 ms) defined in the PD
+Spec if the port is faster enough when running the state machine. Set it
+to the lower bound 310ms to ensure the timeout is in Spec.
+
+Fixes: f0690a25a140 ("staging: typec: USB Type-C Port Manager (tcpm)")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Kyle Tso <kyletso@google.com>
+Link: https://lore.kernel.org/r/20210528081613.730661-1-kyletso@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/usb/pd.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/usb/pd.h
++++ b/include/linux/usb/pd.h
+@@ -425,7 +425,7 @@ static inline unsigned int rdo_max_power
+ #define PD_T_SENDER_RESPONSE  60      /* 24 - 30 ms, relaxed */
+ #define PD_T_SOURCE_ACTIVITY  45
+ #define PD_T_SINK_ACTIVITY    135
+-#define PD_T_SINK_WAIT_CAP    240
++#define PD_T_SINK_WAIT_CAP    310     /* 310 - 620 ms */
+ #define PD_T_PS_TRANSITION    500
+ #define PD_T_SRC_TRANSITION   35
+ #define PD_T_DRP_SNK          40
diff --git a/queue-5.4/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch b/queue-5.4/usb-serial-cp210x-fix-alternate-function-for-cp2102n-qfn20.patch
new file mode 100644 (file)
index 0000000..bde1170
--- /dev/null
@@ -0,0 +1,63 @@
+From 6f7ec77cc8b64ff5037c1945e4650c65c458037d Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Fri, 28 May 2021 22:39:31 +0200
+Subject: USB: serial: cp210x: fix alternate function for CP2102N QFN20
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 6f7ec77cc8b64ff5037c1945e4650c65c458037d upstream.
+
+The QFN20 part has a different GPIO/port function assignment. The
+configuration struct bit field ordered as TX/RX/RS485/WAKEUP/CLK
+which exactly matches GPIO0-3 for QFN24/28. However, QFN20 has a
+different GPIO to primary function assignment.
+
+Special case QFN20 to follow to properly detect which GPIOs are
+available.
+
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Link: https://lore.kernel.org/r/51830b2b24118eb0f77c5c9ac64ffb2f519dbb1d.1622218300.git.stefan@agner.ch
+Fixes: c8acfe0aadbe ("USB: serial: cp210x: implement GPIO support for CP2102N")
+Cc: stable@vger.kernel.org     # 4.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c |   20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -507,6 +507,12 @@ struct cp210x_single_port_config {
+ #define CP210X_2NCONFIG_GPIO_RSTLATCH_IDX     587
+ #define CP210X_2NCONFIG_GPIO_CONTROL_IDX      600
++/* CP2102N QFN20 port configuration values */
++#define CP2102N_QFN20_GPIO2_TXLED_MODE                BIT(2)
++#define CP2102N_QFN20_GPIO3_RXLED_MODE                BIT(3)
++#define CP2102N_QFN20_GPIO1_RS485_MODE                BIT(4)
++#define CP2102N_QFN20_GPIO0_CLK_MODE          BIT(6)
++
+ /* CP210X_VENDOR_SPECIFIC, CP210X_WRITE_LATCH call writes these 0x2 bytes. */
+ struct cp210x_gpio_write {
+       u8      mask;
+@@ -1691,7 +1697,19 @@ static int cp2102n_gpioconf_init(struct
+       priv->gpio_pushpull = (gpio_pushpull >> 3) & 0x0f;
+       /* 0 indicates GPIO mode, 1 is alternate function */
+-      priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
++      if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN20) {
++              /* QFN20 is special... */
++              if (gpio_ctrl & CP2102N_QFN20_GPIO0_CLK_MODE)   /* GPIO 0 */
++                      priv->gpio_altfunc |= BIT(0);
++              if (gpio_ctrl & CP2102N_QFN20_GPIO1_RS485_MODE) /* GPIO 1 */
++                      priv->gpio_altfunc |= BIT(1);
++              if (gpio_ctrl & CP2102N_QFN20_GPIO2_TXLED_MODE) /* GPIO 2 */
++                      priv->gpio_altfunc |= BIT(2);
++              if (gpio_ctrl & CP2102N_QFN20_GPIO3_RXLED_MODE) /* GPIO 3 */
++                      priv->gpio_altfunc |= BIT(3);
++      } else {
++              priv->gpio_altfunc = (gpio_ctrl >> 2) & 0x0f;
++      }
+       if (priv->partnum == CP210X_PARTNUM_CP2102N_QFN28) {
+               /*
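Review bot: The QFN20 branch only ORs bits into `priv->gpio_altfunc`, while the `else` branch assigns it, so the QFN20 result is correct only if the field is already zero when cp2102n_gpioconf_init() runs. The allocation of `priv` is outside this hunk, so that presumably holds through a zeroed allocation, but an explicit `priv->gpio_altfunc = 0;` at the top of the branch would remove the dependency. This matters because the mask decides which pins are offered as GPIOs (per the existing comment, 1 means alternate function), and a stale bit would mis-report a pin's availability. The comment `/* QFN20 is special... */` could instead state the mapping, e.g. `/* QFN20: CLK/RS485/TXLED/RXLED sit on GPIO0-3, not in config-bit order */`. The function body starts and ends outside the hunk.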
diff --git a/queue-5.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch b/queue-5.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch
new file mode 100644 (file)
index 0000000..ffd6ba8
--- /dev/null
@@ -0,0 +1,40 @@
+From bc96c72df33ee81b24d87eab953c73f7bcc04f29 Mon Sep 17 00:00:00 2001
+From: George McCollister <george.mccollister@gmail.com>
+Date: Thu, 3 Jun 2021 19:32:08 -0500
+Subject: USB: serial: ftdi_sio: add NovaTech OrionMX product ID
+
+From: George McCollister <george.mccollister@gmail.com>
+
+commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream.
+
+Add PID for the NovaTech OrionMX so it can be automatically detected.
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c     |    1 +
+ drivers/usb/serial/ftdi_sio_ids.h |    1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -611,6 +611,7 @@ static const struct usb_device_id id_tab
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+       { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) },
++      { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) },
+       { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -581,6 +581,7 @@
+ #define FTDI_NT_ORIONLXM_PID          0x7c90  /* OrionLXm Substation Automation Platform */
+ #define FTDI_NT_ORIONLX_PLUS_PID      0x7c91  /* OrionLX+ Substation Automation Platform */
+ #define FTDI_NT_ORION_IO_PID          0x7c92  /* Orion I/O */
++#define FTDI_NT_ORIONMX_PID           0x7c93  /* OrionMX */
+ /*
+  * Synapse Wireless product ids (FTDI_VID)
diff --git a/queue-5.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch b/queue-5.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch
new file mode 100644 (file)
index 0000000..5c25ee1
--- /dev/null
@@ -0,0 +1,48 @@
+From fc0b3dc9a11771c3919eaaaf9d649138b095aa0f Mon Sep 17 00:00:00 2001
+From: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+Date: Sun, 23 May 2021 18:35:21 +0200
+Subject: USB: serial: omninet: add device id for Zyxel Omni 56K Plus
+
+From: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+
+commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream.
+
+Add device id for Zyxel Omni 56K Plus modem, this modem include:
+
+USB chip:
+NetChip
+NET2888
+
+Main chip:
+901041A
+F721501APGF
+
+Another modem using the same chips is the Zyxel Omni 56K DUO/NEO,
+could be added with the right USB ID.
+
+Signed-off-by: Alexandre GRIVEAUX <agriveaux@deutnet.info>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/omninet.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/omninet.c
++++ b/drivers/usb/serial/omninet.c
+@@ -26,6 +26,7 @@
+ #define ZYXEL_VENDOR_ID               0x0586
+ #define ZYXEL_OMNINET_ID      0x1000
++#define ZYXEL_OMNI_56K_PLUS_ID        0x1500
+ /* This one seems to be a re-branded ZyXEL device */
+ #define BT_IGNITIONPRO_ID     0x2000
+@@ -40,6 +41,7 @@ static int omninet_port_remove(struct us
+ static const struct usb_device_id id_table[] = {
+       { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) },
++      { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) },
+       { USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) },
+       { }                                             /* Terminating entry */
+ };
diff --git a/queue-5.4/usb-serial-quatech2-fix-control-request-directions.patch b/queue-5.4/usb-serial-quatech2-fix-control-request-directions.patch
new file mode 100644 (file)
index 0000000..588e13a
--- /dev/null
@@ -0,0 +1,52 @@
+From eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 11:17:05 +0200
+Subject: USB: serial: quatech2: fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the three requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver")
+Cc: stable@vger.kernel.org      # 3.5
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/quatech2.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/quatech2.c
++++ b/drivers/usb/serial/quatech2.c
+@@ -416,7 +416,7 @@ static void qt2_close(struct usb_serial_
+       /* flush the port transmit buffer */
+       i = usb_control_msg(serial->dev,
+-                          usb_rcvctrlpipe(serial->dev, 0),
++                          usb_sndctrlpipe(serial->dev, 0),
+                           QT2_FLUSH_DEVICE, 0x40, 1,
+                           port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+@@ -426,7 +426,7 @@ static void qt2_close(struct usb_serial_
+       /* flush the port receive buffer */
+       i = usb_control_msg(serial->dev,
+-                          usb_rcvctrlpipe(serial->dev, 0),
++                          usb_sndctrlpipe(serial->dev, 0),
+                           QT2_FLUSH_DEVICE, 0x40, 0,
+                           port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT);
+@@ -670,7 +670,7 @@ static int qt2_attach(struct usb_serial
+       int status;
+       /* power on unit */
+-      status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0),
++      status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+                                0xc2, 0x40, 0x8000, 0, NULL, 0,
+                                QT2_USB_TIMEOUT);
+       if (status < 0) {
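Review bot: The request-type argument is still the bare `0x40` in all three calls (two in qt2_close(), one in qt2_attach()), which is what made the mismatch with `usb_rcvctrlpipe()` hard to spot in the first place. Spelling it as `USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT` next to `usb_sndctrlpipe()` would keep the direction bit and the pipe direction visibly in agreement. The `0xc2` request in qt2_attach() would likewise read better as a named constant alongside `QT2_FLUSH_DEVICE`. Both functions continue outside the hunks shown.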
diff --git a/queue-5.4/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch b/queue-5.4/usb-typec-ucsi-clear-ppm-capability-data-in-ucsi_init-error-path.patch
new file mode 100644 (file)
index 0000000..561ea13
--- /dev/null
@@ -0,0 +1,48 @@
+From f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e Mon Sep 17 00:00:00 2001
+From: Mayank Rana <mrana@codeaurora.org>
+Date: Wed, 9 Jun 2021 00:35:35 -0700
+Subject: usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path
+
+From: Mayank Rana <mrana@codeaurora.org>
+
+commit f247f0a82a4f8c3bfed178d8fd9e069d1424ee4e upstream.
+
+If ucsi_init() fails for some reason (e.g. ucsi_register_port()
+fails or general communication failure to the PPM), particularly at
+any point after the GET_CAPABILITY command had been issued, this
+results in unwinding the initialization and returning an error.
+However the ucsi structure's ucsi_capability member retains its
+current value, including likely a non-zero num_connectors.
+And because ucsi_init() itself is done in a workqueue a UCSI
+interface driver will be unaware that it failed and may think the
+ucsi_register() call was completely successful.  Later, if
+ucsi_unregister() is called, due to this stale ucsi->cap value it
+would try to access the items in the ucsi->connector array which
+might not be in a proper state or not even allocated at all and
+results in NULL or invalid pointer dereference.
+
+Fix this by clearing the ucsi->cap value to 0 during the error
+path of ucsi_init() in order to prevent a later ucsi_unregister()
+from entering the connector cleanup loop.
+
+Fixes: c1b0bc2dabfa ("usb: typec: Add support for UCSI interface")
+Cc: stable@vger.kernel.org
+Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Mayank Rana <mrana@codeaurora.org>
+Signed-off-by: Jack Pham <jackp@codeaurora.org>
+Link: https://lore.kernel.org/r/20210609073535.5094-1-jackp@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi.c
++++ b/drivers/usb/typec/ucsi/ucsi.c
+@@ -977,6 +977,7 @@ err_unregister:
+       }
+ err_reset:
++      memset(&ucsi->cap, 0, sizeof(ucsi->cap));
+       ucsi_reset_ppm(ucsi);
+ err:
+       mutex_unlock(&ucsi->ppm_lock);
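Review bot: The added `memset(&ucsi->cap, 0, sizeof(ucsi->cap));` under `err_reset:` carries no comment saying why capability data is wiped on failure; the reason lives only in the commit message. A line such as `/* Clear cap so a later ucsi_unregister() skips the connector cleanup loop */` above it would stop the call from being dropped later as redundant. Since the description says ucsi_init() runs from a workqueue, it is also worth confirming that ucsi_unregister() cannot read `ucsi->cap` while this error path is still executing; that code is outside the hunk. ucsi_init()'s body starts before the hunk.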
diff --git a/queue-5.4/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch b/queue-5.4/usb-typec-wcove-use-le-to-cpu-conversion-when-accessing-msg-header.patch
new file mode 100644 (file)
index 0000000..d80927c
--- /dev/null
@@ -0,0 +1,40 @@
+From d5ab95da2a41567440097c277c5771ad13928dad Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 9 Jun 2021 20:22:02 +0300
+Subject: usb: typec: wcove: Use LE to CPU conversion when accessing msg->header
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit d5ab95da2a41567440097c277c5771ad13928dad upstream.
+
+As LKP noticed the Sparse is not happy about strict type handling:
+   .../typec/tcpm/wcove.c:380:50: sparse:     expected unsigned short [usertype] header
+   .../typec/tcpm/wcove.c:380:50: sparse:     got restricted __le16 const [usertype] header
+
+Fix this by switching to use pd_header_cnt_le() instead of pd_header_cnt()
+in the affected code.
+
+Fixes: ae8a2ca8a221 ("usb: typec: Group all TCPCI/TCPM code together")
+Fixes: 3c4fb9f16921 ("usb: typec: wcove: start using tcpm for USB PD support")
+Reported-by: kernel test robot <lkp@intel.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Link: https://lore.kernel.org/r/20210609172202.83377-1-andriy.shevchenko@linux.intel.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/wcove.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/wcove.c
++++ b/drivers/usb/typec/tcpm/wcove.c
+@@ -377,7 +377,7 @@ static int wcove_pd_transmit(struct tcpc
+               const u8 *data = (void *)msg;
+               int i;
+-              for (i = 0; i < pd_header_cnt(msg->header) * 4 + 2; i++) {
++              for (i = 0; i < pd_header_cnt_le(msg->header) * 4 + 2; i++) {
+                       ret = regmap_write(wcove->regmap, USBC_TX_DATA + i,
+                                          data[i]);
+                       if (ret)