5.7-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Aug 2020 14:04:09 +0000 (16:04 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 7 Aug 2020 14:04:09 +0000 (16:04 +0200)
added patches:
alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch
alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch
alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch
alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch
alsa-seq-oss-serialize-ioctls.patch
binder-prevent-context-manager-from-incrementing-ref-0.patch
bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
gpio-max77620-fix-missing-release-of-interrupt.patch
leds-88pm860x-fix-use-after-free-on-unbind.patch
leds-da903x-fix-use-after-free-on-unbind.patch
leds-lm3533-fix-use-after-free-on-unbind.patch
leds-lm36274-fix-use-after-free-on-unbind.patch
leds-wm831x-status-fix-use-after-free-on-unbind.patch
lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
mtd-properly-check-all-write-ioctls-for-permissions.patch
omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
smack-fix-use-after-free-in-smk_write_relabel_self.patch
staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
staging-rtl8712-handle-firmware-load-failure.patch
usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
vgacon-fix-for-missing-check-in-scrollback-handling.patch

29 files changed:
queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch [new file with mode: 0644]
queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch [new file with mode: 0644]
queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch [new file with mode: 0644]
queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch [new file with mode: 0644]
queue-5.7/alsa-seq-oss-serialize-ioctls.patch [new file with mode: 0644]
queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch [new file with mode: 0644]
queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch [new file with mode: 0644]
queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch [new file with mode: 0644]
queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch [new file with mode: 0644]
queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch [new file with mode: 0644]
queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch [new file with mode: 0644]
queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch [new file with mode: 0644]
queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch [new file with mode: 0644]
queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch [new file with mode: 0644]
queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch [new file with mode: 0644]
queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch [new file with mode: 0644]
queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch [new file with mode: 0644]
queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch [new file with mode: 0644]
queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch [new file with mode: 0644]
queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch [new file with mode: 0644]
queue-5.7/series
queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch [new file with mode: 0644]
queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch [new file with mode: 0644]
queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch [new file with mode: 0644]
queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch [new file with mode: 0644]
queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch [new file with mode: 0644]
queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch [new file with mode: 0644]
queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch [new file with mode: 0644]
queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch [new file with mode: 0644]

diff --git a/queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch b/queue-5.7/alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch
new file mode 100644 (file)
index 0000000..850aab5
--- /dev/null
@@ -0,0 +1,31 @@
+From cc5edb1bd3f7bfe450f767b12423f6673822427b Mon Sep 17 00:00:00 2001
+From: Connor McAdams <conmanx360@gmail.com>
+Date: Sun, 2 Aug 2020 20:29:26 -0400
+Subject: ALSA: hda/ca0132 - Add new quirk ID for Recon3D.
+
+From: Connor McAdams <conmanx360@gmail.com>
+
+commit cc5edb1bd3f7bfe450f767b12423f6673822427b upstream.
+
+Add a new quirk ID for the Recon3D, as tested by me.
+
+Signed-off-by: Connor McAdams <conmanx360@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200803002928.8638-2-conmanx360@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -1182,6 +1182,7 @@ static const struct snd_pci_quirk ca0132
+       SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI),
+       SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI),
+       SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
++      SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),
+       SND_PCI_QUIRK(0x1102, 0x0051, "Sound Blaster AE-5", QUIRK_AE5),
+       {}
+ };
diff --git a/queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch b/queue-5.7/alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch
new file mode 100644 (file)
index 0000000..18613f4
--- /dev/null
@@ -0,0 +1,51 @@
+From 7fe3530427e52dd53cd7366914864e29215180a4 Mon Sep 17 00:00:00 2001
+From: Connor McAdams <conmanx360@gmail.com>
+Date: Sun, 2 Aug 2020 20:29:27 -0400
+Subject: ALSA: hda/ca0132 - Fix AE-5 microphone selection commands.
+
+From: Connor McAdams <conmanx360@gmail.com>
+
+commit 7fe3530427e52dd53cd7366914864e29215180a4 upstream.
+
+The ca0113 command had the wrong group_id, 0x48 when it should've been
+0x30. The front microphone selection should now work.
+
+Signed-off-by: Connor McAdams <conmanx360@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200803002928.8638-3-conmanx360@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -4672,7 +4672,7 @@ static int ca0132_alt_select_in(struct h
+                       tmp = FLOAT_ONE;
+                       break;
+               case QUIRK_AE5:
+-                      ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00);
++                      ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
+                       tmp = FLOAT_THREE;
+                       break;
+               default:
+@@ -4718,7 +4718,7 @@ static int ca0132_alt_select_in(struct h
+                       r3di_gpio_mic_set(codec, R3DI_REAR_MIC);
+                       break;
+               case QUIRK_AE5:
+-                      ca0113_mmio_command_set(codec, 0x48, 0x28, 0x00);
++                      ca0113_mmio_command_set(codec, 0x30, 0x28, 0x00);
+                       break;
+               default:
+                       break;
+@@ -4757,7 +4757,7 @@ static int ca0132_alt_select_in(struct h
+                       tmp = FLOAT_ONE;
+                       break;
+               case QUIRK_AE5:
+-                      ca0113_mmio_command_set(codec, 0x48, 0x28, 0x3f);
++                      ca0113_mmio_command_set(codec, 0x30, 0x28, 0x3f);
+                       tmp = FLOAT_THREE;
+                       break;
+               default:
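Review bot: The corrected ca0113_mmio_command_set() calls at the three QUIRK_AE5 sites still pass the group id as a bare literal, so the same 0x48/0x30 slip this commit fixes can recur as soon as one site is edited without the others. If the three calls really target the same group (the commit message describes it only as "the ca0113 command group_id"), a single named constant such as `#define AE5_MIC_SEL_GROUP 0x30` used at all three sites would keep them in sync and make the intent greppable. ca0132_alt_select_in() starts and ends outside the hunk.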
diff --git a/queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch b/queue-5.7/alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch
new file mode 100644 (file)
index 0000000..6124618
--- /dev/null
@@ -0,0 +1,37 @@
+From a00dc409de455b64e6cb2f6d40cdb8237cdb2e83 Mon Sep 17 00:00:00 2001
+From: Connor McAdams <conmanx360@gmail.com>
+Date: Sun, 2 Aug 2020 20:29:25 -0400
+Subject: ALSA: hda/ca0132 - Fix ZxR Headphone gain control get value.
+
+From: Connor McAdams <conmanx360@gmail.com>
+
+commit a00dc409de455b64e6cb2f6d40cdb8237cdb2e83 upstream.
+
+When the ZxR headphone gain control was added, the ca0132_switch_get
+function was not updated, which meant that the changes to the control
+state were not saved when entering/exiting alsamixer.
+
+Signed-off-by: Connor McAdams <conmanx360@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200803002928.8638-1-conmanx360@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_ca0132.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/sound/pci/hda/patch_ca0132.c
++++ b/sound/pci/hda/patch_ca0132.c
+@@ -5749,6 +5749,11 @@ static int ca0132_switch_get(struct snd_
+               return 0;
+       }
++      if (nid == ZXR_HEADPHONE_GAIN) {
++              *valp = spec->zxr_gain_set;
++              return 0;
++      }
++
+       return 0;
+ }
diff --git a/queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch b/queue-5.7/alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch
new file mode 100644 (file)
index 0000000..bc9a4a9
--- /dev/null
@@ -0,0 +1,184 @@
+From f1ec5be17b9aafbc5f573da023850566b43d8e5e Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Sun, 2 Aug 2020 17:26:40 +0800
+Subject: ALSA: hda/realtek: Add alc269/alc662 pin-tables for Loongson-3 laptops
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit f1ec5be17b9aafbc5f573da023850566b43d8e5e upstream.
+
+There are several Loongson-3 based laptops produced by CZC or Lemote,
+they use alc269/alc662 codecs and need specific pin-tables, this patch
+add their pin-tables.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1596360400-32425-1-git-send-email-chenhc@lemote.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |  114 ++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 114 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6131,6 +6131,11 @@ enum {
+       ALC289_FIXUP_ASUS_GA502,
+       ALC256_FIXUP_ACER_MIC_NO_PRESENCE,
+       ALC285_FIXUP_HP_GPIO_AMP_INIT,
++      ALC269_FIXUP_CZC_B20,
++      ALC269_FIXUP_CZC_TMI,
++      ALC269_FIXUP_CZC_L101,
++      ALC269_FIXUP_LEMOTE_A1802,
++      ALC269_FIXUP_LEMOTE_A190X,
+ };
+ static const struct hda_fixup alc269_fixups[] = {
+@@ -7369,6 +7374,89 @@ static const struct hda_fixup alc269_fix
+               .chained = true,
+               .chain_id = ALC285_FIXUP_HP_GPIO_LED
+       },
++      [ALC269_FIXUP_CZC_B20] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x12, 0x411111f0 },
++                      { 0x14, 0x90170110 }, /* speaker */
++                      { 0x15, 0x032f1020 }, /* HP out */
++                      { 0x17, 0x411111f0 },
++                      { 0x18, 0x03ab1040 }, /* mic */
++                      { 0x19, 0xb7a7013f },
++                      { 0x1a, 0x0181305f },
++                      { 0x1b, 0x411111f0 },
++                      { 0x1d, 0x411111f0 },
++                      { 0x1e, 0x411111f0 },
++                      { }
++              },
++              .chain_id = ALC269_FIXUP_DMIC,
++      },
++      [ALC269_FIXUP_CZC_TMI] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x12, 0x4000c000 },
++                      { 0x14, 0x90170110 }, /* speaker */
++                      { 0x15, 0x0421401f }, /* HP out */
++                      { 0x17, 0x411111f0 },
++                      { 0x18, 0x04a19020 }, /* mic */
++                      { 0x19, 0x411111f0 },
++                      { 0x1a, 0x411111f0 },
++                      { 0x1b, 0x411111f0 },
++                      { 0x1d, 0x40448505 },
++                      { 0x1e, 0x411111f0 },
++                      { 0x20, 0x8000ffff },
++                      { }
++              },
++              .chain_id = ALC269_FIXUP_DMIC,
++      },
++      [ALC269_FIXUP_CZC_L101] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x12, 0x40000000 },
++                      { 0x14, 0x01014010 }, /* speaker */
++                      { 0x15, 0x411111f0 }, /* HP out */
++                      { 0x16, 0x411111f0 },
++                      { 0x18, 0x01a19020 }, /* mic */
++                      { 0x19, 0x02a19021 },
++                      { 0x1a, 0x0181302f },
++                      { 0x1b, 0x0221401f },
++                      { 0x1c, 0x411111f0 },
++                      { 0x1d, 0x4044c601 },
++                      { 0x1e, 0x411111f0 },
++                      { }
++              },
++              .chain_id = ALC269_FIXUP_DMIC,
++      },
++      [ALC269_FIXUP_LEMOTE_A1802] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x12, 0x40000000 },
++                      { 0x14, 0x90170110 }, /* speaker */
++                      { 0x17, 0x411111f0 },
++                      { 0x18, 0x03a19040 }, /* mic1 */
++                      { 0x19, 0x90a70130 }, /* mic2 */
++                      { 0x1a, 0x411111f0 },
++                      { 0x1b, 0x411111f0 },
++                      { 0x1d, 0x40489d2d },
++                      { 0x1e, 0x411111f0 },
++                      { 0x20, 0x0003ffff },
++                      { 0x21, 0x03214020 },
++                      { }
++              },
++              .chain_id = ALC269_FIXUP_DMIC,
++      },
++      [ALC269_FIXUP_LEMOTE_A190X] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      { 0x14, 0x99130110 }, /* speaker */
++                      { 0x15, 0x0121401f }, /* HP out */
++                      { 0x18, 0x01a19c20 }, /* rear  mic */
++                      { 0x19, 0x99a3092f }, /* front mic */
++                      { 0x1b, 0x0201401f }, /* front lineout */
++                      { }
++              },
++              .chain_id = ALC269_FIXUP_DMIC,
++      },
+ };
+ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
+@@ -7658,9 +7746,14 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x17aa, 0x3bf8, "Quanta FL1", ALC269_FIXUP_PCM_44K),
+       SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD),
+       SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS),
++      SND_PCI_QUIRK(0x1b35, 0x1235, "CZC B20", ALC269_FIXUP_CZC_B20),
++      SND_PCI_QUIRK(0x1b35, 0x1236, "CZC TMI", ALC269_FIXUP_CZC_TMI),
++      SND_PCI_QUIRK(0x1b35, 0x1237, "CZC L101", ALC269_FIXUP_CZC_L101),
+       SND_PCI_QUIRK(0x1b7d, 0xa831, "Ordissimo EVE2 ", ALC269VB_FIXUP_ORDISSIMO_EVE2), /* Also known as Malata PC-B1303 */
+       SND_PCI_QUIRK(0x1d72, 0x1901, "RedmiBook 14", ALC256_FIXUP_ASUS_HEADSET_MIC),
+       SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE),
++      SND_PCI_QUIRK(0x1c06, 0x2013, "Lemote A1802", ALC269_FIXUP_LEMOTE_A1802),
++      SND_PCI_QUIRK(0x1c06, 0x2015, "Lemote A190X", ALC269_FIXUP_LEMOTE_A190X),
+ #if 0
+       /* Below is a quirk table taken from the old code.
+@@ -8916,6 +9009,7 @@ enum {
+       ALC662_FIXUP_LED_GPIO1,
+       ALC662_FIXUP_IDEAPAD,
+       ALC272_FIXUP_MARIO,
++      ALC662_FIXUP_CZC_ET26,
+       ALC662_FIXUP_CZC_P10T,
+       ALC662_FIXUP_SKU_IGNORE,
+       ALC662_FIXUP_HP_RP5800,
+@@ -8985,6 +9079,25 @@ static const struct hda_fixup alc662_fix
+               .type = HDA_FIXUP_FUNC,
+               .v.func = alc272_fixup_mario,
+       },
++      [ALC662_FIXUP_CZC_ET26] = {
++              .type = HDA_FIXUP_PINS,
++              .v.pins = (const struct hda_pintbl[]) {
++                      {0x12, 0x403cc000},
++                      {0x14, 0x90170110}, /* speaker */
++                      {0x15, 0x411111f0},
++                      {0x16, 0x411111f0},
++                      {0x18, 0x01a19030}, /* mic */
++                      {0x19, 0x90a7013f}, /* int-mic */
++                      {0x1a, 0x01014020},
++                      {0x1b, 0x0121401f},
++                      {0x1c, 0x411111f0},
++                      {0x1d, 0x411111f0},
++                      {0x1e, 0x40478e35},
++                      {}
++              },
++              .chained = true,
++              .chain_id = ALC662_FIXUP_SKU_IGNORE
++      },
+       [ALC662_FIXUP_CZC_P10T] = {
+               .type = HDA_FIXUP_VERBS,
+               .v.verbs = (const struct hda_verb[]) {
+@@ -9368,6 +9481,7 @@ static const struct snd_pci_quirk alc662
+       SND_PCI_QUIRK(0x1849, 0x5892, "ASRock B150M", ALC892_FIXUP_ASROCK_MOBO),
+       SND_PCI_QUIRK(0x19da, 0xa130, "Zotac Z68", ALC662_FIXUP_ZOTAC_Z68),
+       SND_PCI_QUIRK(0x1b0a, 0x01b8, "ACER Veriton", ALC662_FIXUP_ACER_VERITON),
++      SND_PCI_QUIRK(0x1b35, 0x1234, "CZC ET26", ALC662_FIXUP_CZC_ET26),
+       SND_PCI_QUIRK(0x1b35, 0x2206, "CZC P10T", ALC662_FIXUP_CZC_P10T),
+       SND_PCI_QUIRK(0x1025, 0x0566, "Acer Aspire Ethos 8951G", ALC669_FIXUP_ACER_ASPIRE_ETHOS),
diff --git a/queue-5.7/alsa-seq-oss-serialize-ioctls.patch b/queue-5.7/alsa-seq-oss-serialize-ioctls.patch
new file mode 100644 (file)
index 0000000..ec2b76a
--- /dev/null
@@ -0,0 +1,51 @@
+From 80982c7e834e5d4e325b6ce33757012ecafdf0bb Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 4 Aug 2020 20:58:15 +0200
+Subject: ALSA: seq: oss: Serialize ioctls
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 80982c7e834e5d4e325b6ce33757012ecafdf0bb upstream.
+
+Some ioctls via OSS sequencer API may race and lead to UAF when the
+port create and delete are performed concurrently, as spotted by a
+couple of syzkaller cases.  This patch is an attempt to address it by
+serializing the ioctls with the existing register_mutex.
+
+Basically OSS sequencer API is an obsoleted interface and was designed
+without much consideration of the concurrency.  There are very few
+applications with it, and the concurrent performance isn't asked,
+hence this "big hammer" approach should be good enough.
+
+Reported-by: syzbot+1a54a94bd32716796edd@syzkaller.appspotmail.com
+Reported-by: syzbot+9d2abfef257f3e2d4713@syzkaller.appspotmail.com
+Suggested-by: Hillf Danton <hdanton@sina.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200804185815.2453-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/oss/seq_oss.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/core/seq/oss/seq_oss.c
++++ b/sound/core/seq/oss/seq_oss.c
+@@ -168,10 +168,16 @@ static long
+ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+ {
+       struct seq_oss_devinfo *dp;
++      long rc;
++
+       dp = file->private_data;
+       if (snd_BUG_ON(!dp))
+               return -ENXIO;
+-      return snd_seq_oss_ioctl(dp, cmd, arg);
++
++      mutex_lock(&register_mutex);
++      rc = snd_seq_oss_ioctl(dp, cmd, arg);
++      mutex_unlock(&register_mutex);
++      return rc;
+ }
+ #ifdef CONFIG_COMPAT
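Review bot: The new critical section in odev_ioctl() carries no comment saying what register_mutex is protecting here, so a reader of this function alone cannot tell that it is serializing against concurrent port create/delete rather than guarding some local state; I would add `/* serialize against port create/delete racing with other ioctls (syzbot UAF) */` above the mutex_lock(). It is also worth noting in that comment that the whole ioctl, including any copy_to/from_user it performs, now runs under a mutex shared with open/release, so any future ioctl that could block waiting on userspace must not be added under it. The compat entry point begins right after this hunk and presumably funnels through odev_ioctl(); that should be confirmed rather than assumed, since otherwise the compat path stays unserialized.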
diff --git a/queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch b/queue-5.7/binder-prevent-context-manager-from-incrementing-ref-0.patch
new file mode 100644 (file)
index 0000000..91fef8a
--- /dev/null
@@ -0,0 +1,92 @@
+From 4b836a1426cb0f1ef2a6e211d7e553221594f8fc Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Mon, 27 Jul 2020 14:04:24 +0200
+Subject: binder: Prevent context manager from incrementing ref 0
+
+From: Jann Horn <jannh@google.com>
+
+commit 4b836a1426cb0f1ef2a6e211d7e553221594f8fc upstream.
+
+Binder is designed such that a binder_proc never has references to
+itself. If this rule is violated, memory corruption can occur when a
+process sends a transaction to itself; see e.g.
+<https://syzkaller.appspot.com/bug?extid=09e05aba06723a94d43d>.
+
+There is a remaining edgecase through which such a transaction-to-self
+can still occur from the context of a task with BINDER_SET_CONTEXT_MGR
+access:
+
+ - task A opens /dev/binder twice, creating binder_proc instances P1
+   and P2
+ - P1 becomes context manager
+ - P2 calls ACQUIRE on the magic handle 0, allocating index 0 in its
+   handle table
+ - P1 dies (by closing the /dev/binder fd and waiting a bit)
+ - P2 becomes context manager
+ - P2 calls ACQUIRE on the magic handle 0, allocating index 1 in its
+   handle table
+   [this triggers a warning: "binder: 1974:1974 tried to acquire
+   reference to desc 0, got 1 instead"]
+ - task B opens /dev/binder once, creating binder_proc instance P3
+ - P3 calls P2 (via magic handle 0) with (void*)1 as argument (two-way
+   transaction)
+ - P2 receives the handle and uses it to call P3 (two-way transaction)
+ - P3 calls P2 (via magic handle 0) (two-way transaction)
+ - P2 calls P2 (via handle 1) (two-way transaction)
+
+And then, if P2 does *NOT* accept the incoming transaction work, but
+instead closes the binder fd, we get a crash.
+
+Solve it by preventing the context manager from using ACQUIRE on ref 0.
+There shouldn't be any legitimate reason for the context manager to do
+that.
+
+Additionally, print a warning if someone manages to find another way to
+trigger a transaction-to-self bug in the future.
+
+Cc: stable@vger.kernel.org
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Acked-by: Todd Kjos <tkjos@google.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Link: https://lore.kernel.org/r/20200727120424.1627555-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c |   15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2982,6 +2982,12 @@ static void binder_transaction(struct bi
+                       goto err_dead_binder;
+               }
+               e->to_node = target_node->debug_id;
++              if (WARN_ON(proc == target_proc)) {
++                      return_error = BR_FAILED_REPLY;
++                      return_error_param = -EINVAL;
++                      return_error_line = __LINE__;
++                      goto err_invalid_target_handle;
++              }
+               if (security_binder_transaction(proc->tsk,
+                                               target_proc->tsk) < 0) {
+                       return_error = BR_FAILED_REPLY;
+@@ -3635,10 +3641,17 @@ static int binder_thread_write(struct bi
+                               struct binder_node *ctx_mgr_node;
+                               mutex_lock(&context->context_mgr_node_lock);
+                               ctx_mgr_node = context->binder_context_mgr_node;
+-                              if (ctx_mgr_node)
++                              if (ctx_mgr_node) {
++                                      if (ctx_mgr_node->proc == proc) {
++                                              binder_user_error("%d:%d context manager tried to acquire desc 0\n",
++                                                                proc->pid, thread->pid);
++                                              mutex_unlock(&context->context_mgr_node_lock);
++                                              return -EINVAL;
++                                      }
+                                       ret = binder_inc_ref_for_node(
+                                                       proc, ctx_mgr_node,
+                                                       strong, NULL, &rdata);
++                              }
+                               mutex_unlock(&context->context_mgr_node_lock);
+                       }
+                       if (ret)
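Review bot: The new `WARN_ON(proc == target_proc)` in binder_transaction() turns any remaining transaction-to-self path into a kernel warning, and on systems booted with panic_on_warn (common for fuzzing and some hardened builds) that becomes a reboot rather than the -EINVAL the caller was meant to receive. Since the commit message itself anticipates that another way to reach this may be found, a rate-limited `binder_user_error(...)` like the one added in binder_thread_write() would fail the transaction without handing userspace a crash oracle; at minimum `WARN_ON_ONCE` would bound the log spam. The `err_invalid_target_handle` label is outside the hunk, so whether that path drops the target_node references taken earlier cannot be confirmed from here and deserves a look. Both binder_transaction() and binder_thread_write() start and end outside the hunk.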
diff --git a/queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch b/queue-5.7/bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
new file mode 100644 (file)
index 0000000..dba1864
--- /dev/null
@@ -0,0 +1,39 @@
+From 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 12:09:15 -0400
+Subject: Bluetooth: Fix slab-out-of-bounds read in hci_extended_inquiry_result_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 51c19bf3d5cfaa66571e4b88ba2a6f6295311101 upstream.
+
+Check upon `num_rsp` is insufficient. A malformed event packet with a
+large `num_rsp` number makes hci_extended_inquiry_result_evt() go out
+of bounds. Fix it.
+
+This patch fixes the following syzbot bug:
+
+    https://syzkaller.appspot.com/bug?id=4bf11aa05c4ca51ce0df86e500fce486552dc8d2
+
+Reported-by: syzbot+d8489a79b781849b9c46@syzkaller.appspotmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Acked-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4346,7 +4346,7 @@ static void hci_extended_inquiry_result_
+       BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+-      if (!num_rsp)
++      if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+               return;
+       if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
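Review bot: The new bound `skb->len < num_rsp * sizeof(*info) + 1` is correct only because num_rsp is the single leading count byte (declared above the hunk, presumably a u8 widened to int), which keeps the multiply from overflowing and explains the bare `+ 1`; neither fact is visible at the check, so a comment is warranted: `/* 1 byte num_rsp followed by num_rsp inquiry_info entries */`. The same expression is now repeated in hci_inquiry_result_evt() and hci_inquiry_result_with_rssi_evt(); a small helper taking the entry size would keep the three in sync if the framing ever changes. hci_extended_inquiry_result_evt() starts and ends outside the hunk.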
diff --git a/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
new file mode 100644 (file)
index 0000000..68f7bd7
--- /dev/null
@@ -0,0 +1,31 @@
+From 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 17:39:18 -0400
+Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 75bbd2ea50ba1c5d9da878a17e92eac02fe0fd3a upstream.
+
+Check `num_rsp` before using it as for-loop counter.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -2487,7 +2487,7 @@ static void hci_inquiry_result_evt(struc
+       BT_DBG("%s num_rsp %d", hdev->name, num_rsp);
+-      if (!num_rsp)
++      if (!num_rsp || skb->len < num_rsp * sizeof(*info) + 1)
+               return;
+       if (hci_dev_test_flag(hdev, HCI_PERIODIC_INQ))
diff --git a/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch b/queue-5.7/bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
new file mode 100644 (file)
index 0000000..3eb1628
--- /dev/null
@@ -0,0 +1,50 @@
+From 629b49c848ee71244203934347bd7730b0ddee8d Mon Sep 17 00:00:00 2001
+From: Peilin Ye <yepeilin.cs@gmail.com>
+Date: Fri, 10 Jul 2020 17:45:26 -0400
+Subject: Bluetooth: Prevent out-of-bounds read in hci_inquiry_result_with_rssi_evt()
+
+From: Peilin Ye <yepeilin.cs@gmail.com>
+
+commit 629b49c848ee71244203934347bd7730b0ddee8d upstream.
+
+Check `num_rsp` before using it as for-loop counter. Add `unlock` label.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Peilin Ye <yepeilin.cs@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bluetooth/hci_event.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4143,6 +4143,9 @@ static void hci_inquiry_result_with_rssi
+               struct inquiry_info_with_rssi_and_pscan_mode *info;
+               info = (void *) (skb->data + 1);
++              if (skb->len < num_rsp * sizeof(*info) + 1)
++                      goto unlock;
++
+               for (; num_rsp; num_rsp--, info++) {
+                       u32 flags;
+@@ -4164,6 +4167,9 @@ static void hci_inquiry_result_with_rssi
+       } else {
+               struct inquiry_info_with_rssi *info = (void *) (skb->data + 1);
++              if (skb->len < num_rsp * sizeof(*info) + 1)
++                      goto unlock;
++
+               for (; num_rsp; num_rsp--, info++) {
+                       u32 flags;
+@@ -4184,6 +4190,7 @@ static void hci_inquiry_result_with_rssi
+               }
+       }
++unlock:
+       hci_dev_unlock(hdev);
+ }
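Review bot: Unlike the other two inquiry handlers in this series, the length checks here sit after `info` has been formed from skb->data and after hci_dev_lock() (taken above the hunk), and they are duplicated per branch; the reason, that the entry size differs between the two branches, is not stated, so a reader may try to hoist them. A one-line comment above the if/else, `/* entry size depends on the branch, so bounds-check per branch under the lock */`, would prevent that. The `+ 1` for the leading num_rsp byte deserves the same note as in the sibling handlers. hci_inquiry_result_with_rssi_evt() starts outside the hunk.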
diff --git a/queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch b/queue-5.7/gpio-max77620-fix-missing-release-of-interrupt.patch
new file mode 100644 (file)
index 0000000..a1fa3c2
--- /dev/null
@@ -0,0 +1,39 @@
+From 2a5e6f7eede8cd1c4bac0b8ec6491cec4e75c99a Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Thu, 9 Jul 2020 20:11:59 +0300
+Subject: gpio: max77620: Fix missing release of interrupt
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 2a5e6f7eede8cd1c4bac0b8ec6491cec4e75c99a upstream.
+
+The requested interrupt is never released by the driver. Fix this by
+using the resource-managed variant of request_threaded_irq().
+
+Fixes: ab3dd9cc24d4 ("gpio: max77620: Fix interrupt handling")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Acked-by: Laxman Dewangan <ldewangan@nvidia.com>
+Cc: <stable@vger.kernel.org> # 5.5+
+Link: https://lore.kernel.org/r/20200709171203.12950-3-digetx@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpio/gpio-max77620.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpio/gpio-max77620.c
++++ b/drivers/gpio/gpio-max77620.c
+@@ -305,8 +305,9 @@ static int max77620_gpio_probe(struct pl
+       gpiochip_irqchip_add_nested(&mgpio->gpio_chip, &max77620_gpio_irqchip,
+                                   0, handle_edge_irq, IRQ_TYPE_NONE);
+-      ret = request_threaded_irq(gpio_irq, NULL, max77620_gpio_irqhandler,
+-                                 IRQF_ONESHOT, "max77620-gpio", mgpio);
++      ret = devm_request_threaded_irq(&pdev->dev, gpio_irq, NULL,
++                                      max77620_gpio_irqhandler, IRQF_ONESHOT,
++                                      "max77620-gpio", mgpio);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "failed to request IRQ: %d\n", ret);
+               return ret;
diff --git a/queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-88pm860x-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..dc6cf06
--- /dev/null
@@ -0,0 +1,63 @@
+From eca21c2d8655387823d695b26e6fe78cf3975c05 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:45 +0200
+Subject: leds: 88pm860x: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eca21c2d8655387823d695b26e6fe78cf3975c05 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 375446df95ee ("leds: 88pm860x: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org>     # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-88pm860x.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-88pm860x.c
++++ b/drivers/leds/leds-88pm860x.c
+@@ -203,21 +203,33 @@ static int pm860x_led_probe(struct platf
+       data->cdev.brightness_set_blocking = pm860x_led_set;
+       mutex_init(&data->lock);
+-      ret = devm_led_classdev_register(chip->dev, &data->cdev);
++      ret = led_classdev_register(chip->dev, &data->cdev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
+               return ret;
+       }
+       pm860x_led_set(&data->cdev, 0);
++
++      platform_set_drvdata(pdev, data);
++
+       return 0;
+ }
++static int pm860x_led_remove(struct platform_device *pdev)
++{
++      struct pm860x_led *data = platform_get_drvdata(pdev);
++
++      led_classdev_unregister(&data->cdev);
++
++      return 0;
++}
+ static struct platform_driver pm860x_led_driver = {
+       .driver = {
+               .name   = "88pm860x-led",
+       },
+       .probe  = pm860x_led_probe,
++      .remove = pm860x_led_remove,
+ };
+ module_platform_driver(pm860x_led_driver);
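Review bot: The new `led_classdev_register(chip->dev, &data->cdev)` call carries no comment saying why the devres variant must not be used here, which is exactly the mistake the Fixes: commit made during a devm conversion, so the next cleanup pass is likely to reintroduce the use-after-free. Suggest a comment directly above the call: `/* Registered under the parent (chip->dev): devres would tie the unregister to the parent's lifetime, not to this driver's unbind, leaving a freed cdev registered. */`. The same applies to the sibling hunks in leds-da903x, leds-lm3533, leds-lm36274 and leds-wm831x-status in this commit, where the parent device is `led->master`, `pdev->dev.parent`, `lm36274_data->dev` and `wm831x->dev` respectively. pm860x_led_probe starts outside the hunk.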
diff --git a/queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-da903x-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..438661b
--- /dev/null
@@ -0,0 +1,61 @@
+From 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:46 +0200
+Subject: leds: da903x: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6f4aa35744f69ed9b0bf5a736c9ca9b44bc1dcea upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: eed16255d66b ("leds: da903x: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org>     # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-da903x.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-da903x.c
++++ b/drivers/leds/leds-da903x.c
+@@ -110,12 +110,23 @@ static int da903x_led_probe(struct platf
+       led->flags = pdata->flags;
+       led->master = pdev->dev.parent;
+-      ret = devm_led_classdev_register(led->master, &led->cdev);
++      ret = led_classdev_register(led->master, &led->cdev);
+       if (ret) {
+               dev_err(&pdev->dev, "failed to register LED %d\n", id);
+               return ret;
+       }
++      platform_set_drvdata(pdev, led);
++
++      return 0;
++}
++
++static int da903x_led_remove(struct platform_device *pdev)
++{
++      struct da903x_led *led = platform_get_drvdata(pdev);
++
++      led_classdev_unregister(&led->cdev);
++
+       return 0;
+ }
+@@ -124,6 +135,7 @@ static struct platform_driver da903x_led
+               .name   = "da903x-led",
+       },
+       .probe          = da903x_led_probe,
++      .remove         = da903x_led_remove,
+ };
+ module_platform_driver(da903x_led_driver);
diff --git a/queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-lm3533-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..4d82e6c
--- /dev/null
@@ -0,0 +1,66 @@
+From d584221e683bbd173738603b83a315f27d27d043 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:47 +0200
+Subject: leds: lm3533: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d584221e683bbd173738603b83a315f27d27d043 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 50154e29e5cc ("leds: lm3533: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org>     # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-lm3533.c |   12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm3533.c
++++ b/drivers/leds/leds-lm3533.c
+@@ -694,7 +694,7 @@ static int lm3533_led_probe(struct platf
+       platform_set_drvdata(pdev, led);
+-      ret = devm_led_classdev_register(pdev->dev.parent, &led->cdev);
++      ret = led_classdev_register(pdev->dev.parent, &led->cdev);
+       if (ret) {
+               dev_err(&pdev->dev, "failed to register LED %d\n", pdev->id);
+               return ret;
+@@ -704,13 +704,18 @@ static int lm3533_led_probe(struct platf
+       ret = lm3533_led_setup(led, pdata);
+       if (ret)
+-              return ret;
++              goto err_deregister;
+       ret = lm3533_ctrlbank_enable(&led->cb);
+       if (ret)
+-              return ret;
++              goto err_deregister;
+       return 0;
++
++err_deregister:
++      led_classdev_unregister(&led->cdev);
++
++      return ret;
+ }
+ static int lm3533_led_remove(struct platform_device *pdev)
+@@ -720,6 +725,7 @@ static int lm3533_led_remove(struct plat
+       dev_dbg(&pdev->dev, "%s\n", __func__);
+       lm3533_ctrlbank_disable(&led->cb);
++      led_classdev_unregister(&led->cdev);
+       return 0;
+ }
diff --git a/queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-lm36274-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..e3aba81
--- /dev/null
@@ -0,0 +1,64 @@
+From a0972fff09479dd09b731360a3a0b09e4fb4d415 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:48 +0200
+Subject: leds: lm36274: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a0972fff09479dd09b731360a3a0b09e4fb4d415 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot use devres so that
+deregistration ends up being tied to the parent device, something which
+leads to use-after-free on driver unbind when the class device is
+released while still being registered.
+
+Fixes: 11e1bbc116a7 ("leds: lm36274: Introduce the TI LM36274 LED driver")
+Cc: stable <stable@vger.kernel.org>     # 5.3
+Cc: Dan Murphy <dmurphy@ti.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-lm36274.c |   15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/leds/leds-lm36274.c
++++ b/drivers/leds/leds-lm36274.c
+@@ -133,7 +133,7 @@ static int lm36274_probe(struct platform
+       lm36274_data->pdev = pdev;
+       lm36274_data->dev = lmu->dev;
+       lm36274_data->regmap = lmu->regmap;
+-      dev_set_drvdata(&pdev->dev, lm36274_data);
++      platform_set_drvdata(pdev, lm36274_data);
+       ret = lm36274_parse_dt(lm36274_data);
+       if (ret) {
+@@ -147,8 +147,16 @@ static int lm36274_probe(struct platform
+               return ret;
+       }
+-      return devm_led_classdev_register(lm36274_data->dev,
+-                                       &lm36274_data->led_dev);
++      return led_classdev_register(lm36274_data->dev, &lm36274_data->led_dev);
++}
++
++static int lm36274_remove(struct platform_device *pdev)
++{
++      struct lm36274 *lm36274_data = platform_get_drvdata(pdev);
++
++      led_classdev_unregister(&lm36274_data->led_dev);
++
++      return 0;
+ }
+ static const struct of_device_id of_lm36274_leds_match[] = {
+@@ -159,6 +167,7 @@ MODULE_DEVICE_TABLE(of, of_lm36274_leds_
+ static struct platform_driver lm36274_driver = {
+       .probe  = lm36274_probe,
++      .remove = lm36274_remove,
+       .driver = {
+               .name = "lm36274-leds",
+       },
diff --git a/queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch b/queue-5.7/leds-wm831x-status-fix-use-after-free-on-unbind.patch
new file mode 100644 (file)
index 0000000..e685161
--- /dev/null
@@ -0,0 +1,61 @@
+From 47a459ecc800a17109d0c496a4e21e478806ee40 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 1 Jun 2020 15:39:49 +0200
+Subject: leds: wm831x-status: fix use-after-free on unbind
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 47a459ecc800a17109d0c496a4e21e478806ee40 upstream.
+
+Several MFD child drivers register their class devices directly under
+the parent device. This means you cannot blindly do devres conversions
+so that deregistration ends up being tied to the parent device,
+something which leads to use-after-free on driver unbind when the class
+device is released while still being registered.
+
+Fixes: 8d3b6a4001ce ("leds: wm831x-status: Use devm_led_classdev_register")
+Cc: stable <stable@vger.kernel.org>     # 4.6
+Cc: Amitoj Kaur Chawla <amitoj1606@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Pavel Machek <pavel@ucw.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/leds/leds-wm831x-status.c |   14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/leds/leds-wm831x-status.c
++++ b/drivers/leds/leds-wm831x-status.c
+@@ -269,12 +269,23 @@ static int wm831x_status_probe(struct pl
+       drvdata->cdev.blink_set = wm831x_status_blink_set;
+       drvdata->cdev.groups = wm831x_status_groups;
+-      ret = devm_led_classdev_register(wm831x->dev, &drvdata->cdev);
++      ret = led_classdev_register(wm831x->dev, &drvdata->cdev);
+       if (ret < 0) {
+               dev_err(&pdev->dev, "Failed to register LED: %d\n", ret);
+               return ret;
+       }
++      platform_set_drvdata(pdev, drvdata);
++
++      return 0;
++}
++
++static int wm831x_status_remove(struct platform_device *pdev)
++{
++      struct wm831x_status *drvdata = platform_get_drvdata(pdev);
++
++      led_classdev_unregister(&drvdata->cdev);
++
+       return 0;
+ }
+@@ -283,6 +294,7 @@ static struct platform_driver wm831x_sta
+                  .name = "wm831x-status",
+                  },
+       .probe = wm831x_status_probe,
++      .remove = wm831x_status_remove,
+ };
+ module_platform_driver(wm831x_status_driver);
diff --git a/queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch b/queue-5.7/lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
new file mode 100644 (file)
index 0000000..64373e6
--- /dev/null
@@ -0,0 +1,42 @@
+From e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Thu, 25 Jun 2020 13:37:02 -0700
+Subject: lkdtm/heap: Avoid edge and middle of slabs
+
+From: Kees Cook <keescook@chromium.org>
+
+commit e12145cf1c3a8077e6d9f575711e38dd7d8a3ebc upstream.
+
+Har har, after I moved the slab freelist pointer into the middle of the
+slab, now it looks like the contents are getting poisoned. Adjust the
+test to avoid the freelist pointer again.
+
+Fixes: 3202fa62fb43 ("slub: relocate freelist pointer to middle of object")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20200625203704.317097-3-keescook@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/lkdtm/heap.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/misc/lkdtm/heap.c
++++ b/drivers/misc/lkdtm/heap.c
+@@ -58,11 +58,12 @@ void lkdtm_READ_AFTER_FREE(void)
+       int *base, *val, saw;
+       size_t len = 1024;
+       /*
+-       * The slub allocator uses the first word to store the free
+-       * pointer in some configurations. Use the middle of the
+-       * allocation to avoid running into the freelist
++       * The slub allocator will use the either the first word or
++       * the middle of the allocation to store the free pointer,
++       * depending on configurations. Store in the second word to
++       * avoid running into the freelist.
+        */
+-      size_t offset = (len / sizeof(*base)) / 2;
++      size_t offset = sizeof(*base);
+       base = kmalloc(len, GFP_KERNEL);
+       if (!base) {
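Review bot: The new `size_t offset = sizeof(*base);` is a byte count (4 on most targets) while the value it replaces, `(len / sizeof(*base)) / 2`, was an element index, and the comment above it promises "the second word"; if `offset` is still used as `base[offset]` further down (outside the hunk), the probe lands at the fifth int (byte 16) rather than the second. That still stays clear of both freelist-pointer positions for a 1024-byte object, so the test is not broken, but the units and the comment disagree. Either `size_t offset = 1;` to match the comment, or keep the value and say what it means: `/* Index a few words in: clear of both freelist pointer locations. */`. lkdtm_READ_AFTER_FREE continues outside the hunk.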
diff --git a/queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch b/queue-5.7/mtd-properly-check-all-write-ioctls-for-permissions.patch
new file mode 100644 (file)
index 0000000..a01dced
--- /dev/null
@@ -0,0 +1,120 @@
+From f7e6b19bc76471ba03725fe58e0c218a3d6266c3 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Thu, 16 Jul 2020 13:53:46 +0200
+Subject: mtd: properly check all write ioctls for permissions
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit f7e6b19bc76471ba03725fe58e0c218a3d6266c3 upstream.
+
+When doing a "write" ioctl call, properly check that we have permissions
+to do so before copying anything from userspace or anything else so we
+can "fail fast".  This includes also covering the MEMWRITE ioctl which
+previously missed checking for this.
+
+Cc: Miquel Raynal <miquel.raynal@bootlin.com>
+Cc: Richard Weinberger <richard@nod.at>
+Cc: Vignesh Raghavendra <vigneshr@ti.com>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[rw: Fixed locking issue]
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mtd/mtdchar.c |   56 +++++++++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 47 insertions(+), 9 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -355,9 +355,6 @@ static int mtdchar_writeoob(struct file
+       uint32_t retlen;
+       int ret = 0;
+-      if (!(file->f_mode & FMODE_WRITE))
+-              return -EPERM;
+-
+       if (length > 4096)
+               return -EINVAL;
+@@ -643,6 +640,48 @@ static int mtdchar_ioctl(struct file *fi
+       pr_debug("MTD_ioctl\n");
++      /*
++       * Check the file mode to require "dangerous" commands to have write
++       * permissions.
++       */
++      switch (cmd) {
++      /* "safe" commands */
++      case MEMGETREGIONCOUNT:
++      case MEMGETREGIONINFO:
++      case MEMGETINFO:
++      case MEMREADOOB:
++      case MEMREADOOB64:
++      case MEMLOCK:
++      case MEMUNLOCK:
++      case MEMISLOCKED:
++      case MEMGETOOBSEL:
++      case MEMGETBADBLOCK:
++      case MEMSETBADBLOCK:
++      case OTPSELECT:
++      case OTPGETREGIONCOUNT:
++      case OTPGETREGIONINFO:
++      case OTPLOCK:
++      case ECCGETLAYOUT:
++      case ECCGETSTATS:
++      case MTDFILEMODE:
++      case BLKPG:
++      case BLKRRPART:
++              break;
++
++      /* "dangerous" commands */
++      case MEMERASE:
++      case MEMERASE64:
++      case MEMWRITEOOB:
++      case MEMWRITEOOB64:
++      case MEMWRITE:
++              if (!(file->f_mode & FMODE_WRITE))
++                      return -EPERM;
++              break;
++
++      default:
++              return -ENOTTY;
++      }
++
+       switch (cmd) {
+       case MEMGETREGIONCOUNT:
+               if (copy_to_user(argp, &(mtd->numeraseregions), sizeof(int)))
+@@ -690,9 +729,6 @@ static int mtdchar_ioctl(struct file *fi
+       {
+               struct erase_info *erase;
+-              if(!(file->f_mode & FMODE_WRITE))
+-                      return -EPERM;
+-
+               erase=kzalloc(sizeof(struct erase_info),GFP_KERNEL);
+               if (!erase)
+                       ret = -ENOMEM;
+@@ -985,9 +1021,6 @@ static int mtdchar_ioctl(struct file *fi
+               ret = 0;
+               break;
+       }
+-
+-      default:
+-              ret = -ENOTTY;
+       }
+       return ret;
+@@ -1031,6 +1064,11 @@ static long mtdchar_compat_ioctl(struct
+               struct mtd_oob_buf32 buf;
+               struct mtd_oob_buf32 __user *buf_user = argp;
++              if (!(file->f_mode & FMODE_WRITE)) {
++                      ret = -EPERM;
++                      break;
++              }
++
+               if (copy_from_user(&buf, argp, sizeof(buf)))
+                       ret = -EFAULT;
+               else
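Review bot: The first switch labels MEMSETBADBLOCK, MEMLOCK, MEMUNLOCK and OTPLOCK as "safe" commands, yet each alters device state (marking a block bad, changing write protection, locking an OTP region), so they remain reachable from a descriptor opened read-only. That matches the previous behaviour, which never gated them on FMODE_WRITE, so it is not a regression introduced by this hunk, but the comment misdescribes the split and will mislead anyone auditing it later. Suggest rewording the two labels to `/* commands historically permitted on read-only descriptors */` and `/* commands that modify flash contents: require a writable descriptor */`, with a short note that the lock/bad-block commands are a deliberate carry-over pending maintainer review. mtdchar_ioctl continues outside the hunk.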
diff --git a/queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch b/queue-5.7/omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
new file mode 100644 (file)
index 0000000..26a09cd
--- /dev/null
@@ -0,0 +1,42 @@
+From 254503a2b186caa668a188dbbd7ab0d25149c0a5 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Tue, 30 Jun 2020 13:26:36 -0500
+Subject: omapfb: dss: Fix max fclk divider for omap36xx
+
+From: Adam Ford <aford173@gmail.com>
+
+commit 254503a2b186caa668a188dbbd7ab0d25149c0a5 upstream.
+
+The drm/omap driver was fixed to correct an issue where using a
+divider of 32 breaks the DSS despite the TRM stating 32 is a valid
+number.  Through experimentation, it appears that 31 works, and
+it is consistent with the value used by the drm/omap driver.
+
+This patch fixes the divider for fbdev driver instead of the drm.
+
+Fixes: f76ee892a99e ("omapfb: copy omapdss & displays for omapfb")
+Cc: <stable@vger.kernel.org> #4.5+
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Reviewed-by: Tomi Valkeinen <tomi.valkeinen@ti.com>
+Cc: Dave Airlie <airlied@gmail.com>
+Cc: Rob Clark <robdclark@gmail.com>
+[b.zolnierkie: mark patch as applicable to stable 4.5+ (was 4.9+)]
+Signed-off-by: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20200630182636.439015-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/omap2/omapfb/dss/dss.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/omap2/omapfb/dss/dss.c
++++ b/drivers/video/fbdev/omap2/omapfb/dss/dss.c
+@@ -833,7 +833,7 @@ static const struct dss_features omap34x
+ };
+ static const struct dss_features omap3630_dss_feats = {
+-      .fck_div_max            =       32,
++      .fck_div_max            =       31,
+       .dss_fck_multiplier     =       1,
+       .parent_clk_name        =       "dpll4_ck",
+       .dpi_select_source      =       &dss_dpi_select_source_omap2_omap3,
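Review bot: The changed constant has no in-source explanation, and the TRM documents 32 as a valid divider, so a future reader checking against the datasheet is likely to "correct" it back to 32. Suggest a trailing comment on the changed line: `.fck_div_max = 31, /* TRM allows 32, but 32 breaks the DSS; matches drm/omap */`.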
diff --git a/queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch b/queue-5.7/revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
new file mode 100644 (file)
index 0000000..92d041d
--- /dev/null
@@ -0,0 +1,41 @@
+From 07c9983b567d0ef33aefc063299de95a987e12a8 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Mon, 3 Aug 2020 14:46:38 +0800
+Subject: Revert "ALSA: hda: call runtime_allow() for all hda controllers"
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 07c9983b567d0ef33aefc063299de95a987e12a8 upstream.
+
+This reverts commit 9a6418487b56 ("ALSA: hda: call runtime_allow()
+for all hda controllers").
+
+The reverted patch already introduced some regressions on some
+machines:
+ - on gemini-lake machines, the error of "azx_get_response timeout"
+   happens in the hda driver.
+ - on the machines with alc662 codec, the audio jack detection doesn't
+   work anymore.
+
+Fixes: 9a6418487b56 ("ALSA: hda: call runtime_allow() for all hda controllers")
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=208511
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Link: https://lore.kernel.org/r/20200803064638.6139-1-hui.wang@canonical.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/hda_intel.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2354,7 +2354,6 @@ static int azx_probe_continue(struct azx
+       if (azx_has_pm_runtime(chip)) {
+               pm_runtime_use_autosuspend(&pci->dev);
+-              pm_runtime_allow(&pci->dev);
+               pm_runtime_put_autosuspend(&pci->dev);
+       }
diff --git a/queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch b/queue-5.7/scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
new file mode 100644 (file)
index 0000000..e94c8d7
--- /dev/null
@@ -0,0 +1,80 @@
+From 55c7549819e438f40a3ef1d8ac5c38b73390bcb7 Mon Sep 17 00:00:00 2001
+From: Matthias Maennich <maennich@google.com>
+Date: Thu, 4 Jun 2020 18:41:45 +0200
+Subject: scripts: add dummy report mode to add_namespace.cocci
+
+From: Matthias Maennich <maennich@google.com>
+
+commit 55c7549819e438f40a3ef1d8ac5c38b73390bcb7 upstream.
+
+When running `make coccicheck` in report mode using the
+add_namespace.cocci file, it will fail for files that contain
+MODULE_LICENSE. Those match the replacement precondition, but spatch
+errors out as virtual.ns is not set.
+
+In order to fix that, add the virtual rule nsdeps and only do search and
+replace if that rule has been explicitly requested.
+
+In order to make spatch happy in report mode, we also need a dummy rule,
+as otherwise it errors out with "No rules apply". Using a script:python
+rule appears unrelated and odd, but this is the shortest I could come up
+with.
+
+Adjust scripts/nsdeps accordingly to set the nsdeps rule when run trough
+`make nsdeps`.
+
+Suggested-by: Julia Lawall <julia.lawall@inria.fr>
+Fixes: c7c4e29fb5a4 ("scripts: add_namespace: Fix coccicheck failed")
+Cc: YueHaibing <yuehaibing@huawei.com>
+Cc: jeyu@kernel.org
+Cc: cocci@systeme.lip6.fr
+Cc: stable@vger.kernel.org
+Signed-off-by: Matthias Maennich <maennich@google.com>
+Reported-by: Shuah Khan <skhan@linuxfoundation.org>
+Acked-by: Julia Lawall <julia.lawall@inria.fr>
+Link: https://lore.kernel.org/r/20200604164145.173925-1-maennich@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ scripts/coccinelle/misc/add_namespace.cocci |    8 +++++++-
+ scripts/nsdeps                              |    2 +-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+--- a/scripts/coccinelle/misc/add_namespace.cocci
++++ b/scripts/coccinelle/misc/add_namespace.cocci
+@@ -6,6 +6,7 @@
+ /// add a missing namespace tag to a module source file.
+ ///
++virtual nsdeps
+ virtual report
+ @has_ns_import@
+@@ -16,10 +17,15 @@ MODULE_IMPORT_NS(ns);
+ // Add missing imports, but only adjacent to a MODULE_LICENSE statement.
+ // That ensures we are adding it only to the main module source file.
+-@do_import depends on !has_ns_import@
++@do_import depends on !has_ns_import && nsdeps@
+ declarer name MODULE_LICENSE;
+ expression license;
+ identifier virtual.ns;
+ @@
+ MODULE_LICENSE(license);
+ + MODULE_IMPORT_NS(ns);
++
++// Dummy rule for report mode that would otherwise be empty and make spatch
++// fail ("No rules apply.")
++@script:python depends on report@
++@@
+--- a/scripts/nsdeps
++++ b/scripts/nsdeps
+@@ -29,7 +29,7 @@ fi
+ generate_deps_for_ns() {
+       $SPATCH --very-quiet --in-place --sp-file \
+-              $srctree/scripts/coccinelle/misc/add_namespace.cocci -D ns=$1 $2
++              $srctree/scripts/coccinelle/misc/add_namespace.cocci -D nsdeps -D ns=$1 $2
+ }
+ generate_deps() {
index 0b374630dfff53049ac6f1e987ffaab13504fa7a..bd1591a07fef2c24b49859af4793774b3ab9ea46 100644 (file)
@@ -1,2 +1,30 @@
 scsi-ufs-fix-and-simplify-setup_xfer_req-variant-operation.patch
 usb-serial-qcserial-add-em7305-qdl-product-id.patch
+usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
+usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
+usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
+revert-alsa-hda-call-runtime_allow-for-all-hda-controllers.patch
+alsa-hda-realtek-add-alc269-alc662-pin-tables-for-loongson-3-laptops.patch
+alsa-hda-ca0132-add-new-quirk-id-for-recon3d.patch
+alsa-hda-ca0132-fix-zxr-headphone-gain-control-get-value.patch
+alsa-hda-ca0132-fix-ae-5-microphone-selection-commands.patch
+alsa-seq-oss-serialize-ioctls.patch
+staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
+staging-rtl8712-handle-firmware-load-failure.patch
+staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
+bluetooth-fix-slab-out-of-bounds-read-in-hci_extended_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_evt.patch
+bluetooth-prevent-out-of-bounds-read-in-hci_inquiry_result_with_rssi_evt.patch
+omapfb-dss-fix-max-fclk-divider-for-omap36xx.patch
+binder-prevent-context-manager-from-incrementing-ref-0.patch
+smack-fix-use-after-free-in-smk_write_relabel_self.patch
+scripts-add-dummy-report-mode-to-add_namespace.cocci.patch
+lkdtm-heap-avoid-edge-and-middle-of-slabs.patch
+vgacon-fix-for-missing-check-in-scrollback-handling.patch
+mtd-properly-check-all-write-ioctls-for-permissions.patch
+leds-wm831x-status-fix-use-after-free-on-unbind.patch
+leds-lm36274-fix-use-after-free-on-unbind.patch
+leds-da903x-fix-use-after-free-on-unbind.patch
+leds-lm3533-fix-use-after-free-on-unbind.patch
+leds-88pm860x-fix-use-after-free-on-unbind.patch
+gpio-max77620-fix-missing-release-of-interrupt.patch
diff --git a/queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch b/queue-5.7/smack-fix-use-after-free-in-smk_write_relabel_self.patch
new file mode 100644 (file)
index 0000000..8728505
--- /dev/null
@@ -0,0 +1,79 @@
+From beb4ee6770a89646659e6a2178538d2b13e2654e Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Wed, 8 Jul 2020 13:15:20 -0700
+Subject: Smack: fix use-after-free in smk_write_relabel_self()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit beb4ee6770a89646659e6a2178538d2b13e2654e upstream.
+
+smk_write_relabel_self() frees memory from the task's credentials with
+no locking, which can easily cause a use-after-free because multiple
+tasks can share the same credentials structure.
+
+Fix this by using prepare_creds() and commit_creds() to correctly modify
+the task's credentials.
+
+Reproducer for "BUG: KASAN: use-after-free in smk_write_relabel_self":
+
+       #include <fcntl.h>
+       #include <pthread.h>
+       #include <unistd.h>
+
+       static void *thrproc(void *arg)
+       {
+               int fd = open("/sys/fs/smackfs/relabel-self", O_WRONLY);
+               for (;;) write(fd, "foo", 3);
+       }
+
+       int main()
+       {
+               pthread_t t;
+               pthread_create(&t, NULL, thrproc, NULL);
+               thrproc(NULL);
+       }
+
+Reported-by: syzbot+e6416dabb497a650da40@syzkaller.appspotmail.com
+Fixes: 38416e53936e ("Smack: limited capability for changing process label")
+Cc: <stable@vger.kernel.org> # v4.4+
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/smack/smackfs.c |   13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -2720,7 +2720,6 @@ static int smk_open_relabel_self(struct
+ static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
+                               size_t count, loff_t *ppos)
+ {
+-      struct task_smack *tsp = smack_cred(current_cred());
+       char *data;
+       int rc;
+       LIST_HEAD(list_tmp);
+@@ -2745,11 +2744,21 @@ static ssize_t smk_write_relabel_self(st
+       kfree(data);
+       if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
++              struct cred *new;
++              struct task_smack *tsp;
++
++              new = prepare_creds();
++              if (!new) {
++                      rc = -ENOMEM;
++                      goto out;
++              }
++              tsp = smack_cred(new);
+               smk_destroy_label_list(&tsp->smk_relabel);
+               list_splice(&list_tmp, &tsp->smk_relabel);
++              commit_creds(new);
+               return count;
+       }
+-
++out:
+       smk_destroy_label_list(&list_tmp);
+       return rc;
+ }
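Review bot: The new prepare_creds()/commit_creds() sequence carries no comment saying why the relabel list can no longer be edited on the task's current credentials, so a later reader may not realise the cred structure is shared between tasks and must be treated as copy-on-write. Suggest a comment above `new = prepare_creds();`: `/* creds are shared between tasks and immutable once committed: build the new relabel list on a private copy and publish it via commit_creds() */`. The body of smk_write_relabel_self between the two inner hunks is outside view.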
diff --git a/queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch b/queue-5.7/staging-android-ashmem-fix-lockdep-warning-for-write-operation.patch
new file mode 100644 (file)
index 0000000..62522ee
--- /dev/null
@@ -0,0 +1,77 @@
+From 3e338d3c95c735dc3265a86016bb4c022ec7cadc Mon Sep 17 00:00:00 2001
+From: Suren Baghdasaryan <surenb@google.com>
+Date: Thu, 30 Jul 2020 12:26:32 -0700
+Subject: staging: android: ashmem: Fix lockdep warning for write operation
+
+From: Suren Baghdasaryan <surenb@google.com>
+
+commit 3e338d3c95c735dc3265a86016bb4c022ec7cadc upstream.
+
+syzbot report [1] describes a deadlock when write operation against an
+ashmem fd executed at the time when ashmem is shrinking its cache results
+in the following lock sequence:
+
+Possible unsafe locking scenario:
+
+        CPU0                    CPU1
+        ----                    ----
+   lock(fs_reclaim);
+                                lock(&sb->s_type->i_mutex_key#13);
+                                lock(fs_reclaim);
+   lock(&sb->s_type->i_mutex_key#13);
+
+kswapd takes fs_reclaim and then inode_lock while generic_perform_write
+takes inode_lock and then fs_reclaim. However ashmem does not support
+writing into backing shmem with a write syscall. The only way to change
+its content is to mmap it and operate on mapped memory. Therefore the race
+that lockdep is warning about is not valid. Resolve this by introducing a
+separate lockdep class for the backing shmem inodes.
+
+[1]: https://lkml.kernel.org/lkml/0000000000000b5f9d059aa2037f@google.com/
+
+Reported-by: syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com
+Signed-off-by: Suren Baghdasaryan <surenb@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
+Link: https://lore.kernel.org/r/20200730192632.3088194-1-surenb@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -95,6 +95,15 @@ static DEFINE_MUTEX(ashmem_mutex);
+ static struct kmem_cache *ashmem_area_cachep __read_mostly;
+ static struct kmem_cache *ashmem_range_cachep __read_mostly;
++/*
++ * A separate lockdep class for the backing shmem inodes to resolve the lockdep
++ * warning about the race between kswapd taking fs_reclaim before inode_lock
++ * and write syscall taking inode_lock and then fs_reclaim.
++ * Note that such race is impossible because ashmem does not support write
++ * syscalls operating on the backing shmem.
++ */
++static struct lock_class_key backing_shmem_inode_class;
++
+ static inline unsigned long range_size(struct ashmem_range *range)
+ {
+       return range->pgend - range->pgstart + 1;
+@@ -396,6 +405,7 @@ static int ashmem_mmap(struct file *file
+       if (!asma->file) {
+               char *name = ASHMEM_NAME_DEF;
+               struct file *vmfile;
++              struct inode *inode;
+               if (asma->name[ASHMEM_NAME_PREFIX_LEN] != '\0')
+                       name = asma->name;
+@@ -407,6 +417,8 @@ static int ashmem_mmap(struct file *file
+                       goto out;
+               }
+               vmfile->f_mode |= FMODE_LSEEK;
++              inode = file_inode(vmfile);
++              lockdep_set_class(&inode->i_rwsem, &backing_shmem_inode_class);
+               asma->file = vmfile;
+               /*
+                * override mmap operation of the vmfile so that it can't be
diff --git a/queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch b/queue-5.7/staging-rtl8188eu-rtw_mlme-fix-uninitialized-variable-authmode.patch
new file mode 100644 (file)
index 0000000..f278e9c
--- /dev/null
@@ -0,0 +1,41 @@
+From 11536442a3b4e1de6890ea5e805908debb74f94a Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Tue, 28 Jul 2020 15:21:51 +0800
+Subject: Staging: rtl8188eu: rtw_mlme: Fix uninitialized variable authmode
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit 11536442a3b4e1de6890ea5e805908debb74f94a upstream.
+
+The variable authmode can be uninitialized. The danger would be if
+it equals to _WPA_IE_ID_ (0xdd) or _WPA2_IE_ID_ (0x33). We can avoid
+this by setting it to zero instead. This is the approach that was
+used in the rtl8723bs driver.
+
+Fixes: 7b464c9fa5cc ("staging: r8188eu: Add files for new driver - part 4")
+Co-developed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200728072153.9202-1-dinghao.liu@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8188eu/core/rtw_mlme.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8188eu/core/rtw_mlme.c
++++ b/drivers/staging/rtl8188eu/core/rtw_mlme.c
+@@ -1729,9 +1729,11 @@ int rtw_restruct_sec_ie(struct adapter *
+       if ((ndisauthmode == Ndis802_11AuthModeWPA) ||
+           (ndisauthmode == Ndis802_11AuthModeWPAPSK))
+               authmode = _WPA_IE_ID_;
+-      if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
++      else if ((ndisauthmode == Ndis802_11AuthModeWPA2) ||
+           (ndisauthmode == Ndis802_11AuthModeWPA2PSK))
+               authmode = _WPA2_IE_ID_;
++      else
++              authmode = 0x0;
+       if (check_fwstate(pmlmepriv, WIFI_UNDER_WPS)) {
+               memcpy(out_ie + ielength, psecuritypriv->wps_ie, psecuritypriv->wps_ie_len);
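Review bot: The `else` arm `authmode = 0x0;` closes the uninitialized read only for as long as this `if`/`else if` chain stays exhaustive; initializing `authmode` at its declaration (outside the hunk) would give the same guarantee independent of future branches and make the added `else` unnecessary. The bare literal also deserves a one-line comment, since the commit message is the only place explaining why 0 is safe, e.g. `/* not WPA/WPA2: authmode deliberately matches no IE ID */`. `rtw_restruct_sec_ie` begins before and continues after the hunk, so the later comparisons against `_WPA_IE_ID_`/`_WPA2_IE_ID_` that the message refers to are not visible here.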
diff --git a/queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch b/queue-5.7/staging-rtl8712-handle-firmware-load-failure.patch
new file mode 100644 (file)
index 0000000..4d0fbed
--- /dev/null
@@ -0,0 +1,80 @@
+From b4383c971bc5263efe2b0915ba67ebf2bf3f1ee5 Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+Date: Thu, 16 Jul 2020 08:13:26 -0700
+Subject: staging: rtl8712: handle firmware load failure
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+commit b4383c971bc5263efe2b0915ba67ebf2bf3f1ee5 upstream.
+
+when firmware fails to load we should not call unregister_netdev()
+this patch fixes a race condition between rtl871x_load_fw_cb() and
+r871xu_dev_remove() and fixes the bug reported by syzbot
+
+Reported-by: syzbot+80899a8a8efe8968cde7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=80899a8a8efe8968cde7
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200716151324.1036204-1-rkovhaev@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/rtl8712/hal_init.c |    3 ++-
+ drivers/staging/rtl8712/usb_intf.c |   11 ++++++++---
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/rtl8712/hal_init.c
++++ b/drivers/staging/rtl8712/hal_init.c
+@@ -33,7 +33,6 @@ static void rtl871x_load_fw_cb(const str
+ {
+       struct _adapter *adapter = context;
+-      complete(&adapter->rtl8712_fw_ready);
+       if (!firmware) {
+               struct usb_device *udev = adapter->dvobjpriv.pusbdev;
+               struct usb_interface *usb_intf = adapter->pusb_intf;
+@@ -41,11 +40,13 @@ static void rtl871x_load_fw_cb(const str
+               dev_err(&udev->dev, "r8712u: Firmware request failed\n");
+               usb_put_dev(udev);
+               usb_set_intfdata(usb_intf, NULL);
++              complete(&adapter->rtl8712_fw_ready);
+               return;
+       }
+       adapter->fw = firmware;
+       /* firmware available - start netdev */
+       register_netdev(adapter->pnetdev);
++      complete(&adapter->rtl8712_fw_ready);
+ }
+ static const char firmware_file[] = "rtlwifi/rtl8712u.bin";
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -595,13 +595,17 @@ static void r871xu_dev_remove(struct usb
+       if (pnetdev) {
+               struct _adapter *padapter = netdev_priv(pnetdev);
+-              usb_set_intfdata(pusb_intf, NULL);
+-              release_firmware(padapter->fw);
+               /* never exit with a firmware callback pending */
+               wait_for_completion(&padapter->rtl8712_fw_ready);
++              pnetdev = usb_get_intfdata(pusb_intf);
++              usb_set_intfdata(pusb_intf, NULL);
++              if (!pnetdev)
++                      goto firmware_load_fail;
++              release_firmware(padapter->fw);
+               if (drvpriv.drv_registered)
+                       padapter->surprise_removed = true;
+-              unregister_netdev(pnetdev); /* will call netdev_close() */
++              if (pnetdev->reg_state != NETREG_UNINITIALIZED)
++                      unregister_netdev(pnetdev); /* will call netdev_close() */
+               flush_scheduled_work();
+               udelay(1);
+               /* Stop driver mlme relation timer */
+@@ -614,6 +618,7 @@ static void r871xu_dev_remove(struct usb
+                */
+               usb_put_dev(udev);
+       }
++firmware_load_fail:
+       /* If we didn't unplug usb dongle and remove/insert module, driver
+        * fails on sitesurvey for the first time when device is up.
+        * Reset usb port for sitesurvey fail issue.
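Review bot: The new `goto firmware_load_fail` path in `r871xu_dev_remove` releases nothing, and the failure branch of `rtl871x_load_fw_cb` only does `usb_put_dev()` and `usb_set_intfdata(..., NULL)`, so unless the netdev allocated at probe is freed somewhere outside these hunks, the `struct net_device` and its `_adapter` private data appear to leak on every firmware-load failure (worth confirming, since a repeatable leak on unplug/replug is a resource-exhaustion issue). The natural place to fix it is this path, after `wait_for_completion()` and while the original `pnetdev` is still known: keep the re-read in its own local (`struct net_device *cur = usb_get_intfdata(pusb_intf);`), then `free_netdev(pnetdev);` before `goto firmware_load_fail;`, plus whatever private-state teardown the normal path performs; freeing from the callback instead would likely race with the `netdev_priv(pnetdev)` read that precedes the wait. Moving `complete()` after `register_netdev()` in `hal_init.c` is right, but `register_netdev()`'s return value is still unchecked, which is what the new `reg_state != NETREG_UNINITIALIZED` test has to compensate for. Both functions begin before their hunks.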
diff --git a/queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch b/queue-5.7/usb-iowarrior-fix-up-report-size-handling-for-some-devices.patch
new file mode 100644 (file)
index 0000000..1645632
--- /dev/null
@@ -0,0 +1,79 @@
+From 17a82716587e9d7c3b246a789add490b2b5dcab6 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 26 Jul 2020 11:49:39 +0200
+Subject: USB: iowarrior: fix up report size handling for some devices
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 17a82716587e9d7c3b246a789add490b2b5dcab6 upstream.
+
+In previous patches that added support for new iowarrior devices, the
+handling of the report size was not done correct.
+
+Fix that up and update the copyright date for the driver
+
+Reworked from an original patch written by Christoph Jung.
+
+Fixes: bab5417f5f01 ("USB: misc: iowarrior: add support for the 100 device")
+Fixes: 5f6f8da2d7b5 ("USB: misc: iowarrior: add support for the 28 and 28L devices")
+Fixes: 461d8deb26a7 ("USB: misc: iowarrior: add support for 2 OEMed devices")
+Cc: stable <stable@kernel.org>
+Reported-by: Christoph Jung <jung@codemercs.com>
+Link: https://lore.kernel.org/r/20200726094939.1268978-1-gregkh@linuxfoundation.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c |   35 +++++++++++++++++++++++++----------
+ 1 file changed, 25 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -2,8 +2,9 @@
+ /*
+  *  Native support for the I/O-Warrior USB devices
+  *
+- *  Copyright (c) 2003-2005  Code Mercenaries GmbH
+- *  written by Christian Lucht <lucht@codemercs.com>
++ *  Copyright (c) 2003-2005, 2020  Code Mercenaries GmbH
++ *  written by Christian Lucht <lucht@codemercs.com> and
++ *  Christoph Jung <jung@codemercs.com>
+  *
+  *  based on
+@@ -802,14 +803,28 @@ static int iowarrior_probe(struct usb_in
+       /* we have to check the report_size often, so remember it in the endianness suitable for our machine */
+       dev->report_size = usb_endpoint_maxp(dev->int_in_endpoint);
+-      if ((dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) &&
+-          ((dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56) ||
+-           (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW56AM) ||
+-           (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28) ||
+-           (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW28L) ||
+-           (dev->product_id == USB_DEVICE_ID_CODEMERCS_IOW100)))
+-              /* IOWarrior56 has wMaxPacketSize different from report size */
+-              dev->report_size = 7;
++
++      /*
++       * Some devices need the report size to be different than the
++       * endpoint size.
++       */
++      if (dev->interface->cur_altsetting->desc.bInterfaceNumber == 0) {
++              switch (dev->product_id) {
++              case USB_DEVICE_ID_CODEMERCS_IOW56:
++              case USB_DEVICE_ID_CODEMERCS_IOW56AM:
++                      dev->report_size = 7;
++                      break;
++
++              case USB_DEVICE_ID_CODEMERCS_IOW28:
++              case USB_DEVICE_ID_CODEMERCS_IOW28L:
++                      dev->report_size = 4;
++                      break;
++
++              case USB_DEVICE_ID_CODEMERCS_IOW100:
++                      dev->report_size = 13;
++                      break;
++              }
++      }
+       /* create the urb and buffer for reading */
+       dev->int_in_urb = usb_alloc_urb(0, GFP_KERNEL);
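Review bot: The new `switch (dev->product_id)` has no `default:` arm, so a reader cannot tell whether leaving `report_size` at `usb_endpoint_maxp()` for every other product is intended or an omission; `default: break; /* report size equals the endpoint size */` makes it explicit and keeps `-Wswitch-default` quiet. The literals 7, 4 and 13 replace a comment that at least named the device they came from, and `report_size` presumably feeds the read buffer and URB set up right after this block, so a short per-case comment citing where each value comes from (the device's report descriptor, per the reworked original by Christoph Jung) would make the next device addition less error-prone. `iowarrior_probe` begins before and continues after the hunk.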
diff --git a/queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch b/queue-5.7/usb-xhci-define-ids-for-various-asmedia-host-controllers.patch
new file mode 100644 (file)
index 0000000..9d39865
--- /dev/null
@@ -0,0 +1,52 @@
+From 1841cb255da41e87bed9573915891d056f80e2e7 Mon Sep 17 00:00:00 2001
+From: Forest Crossman <cyrozap@gmail.com>
+Date: Mon, 27 Jul 2020 23:24:07 -0500
+Subject: usb: xhci: define IDs for various ASMedia host controllers
+
+From: Forest Crossman <cyrozap@gmail.com>
+
+commit 1841cb255da41e87bed9573915891d056f80e2e7 upstream.
+
+Not all ASMedia host controllers have a device ID that matches its part
+number. #define some of these IDs to make it clearer at a glance which
+chips require what quirks.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Forest Crossman <cyrozap@gmail.com>
+Link: https://lore.kernel.org/r/20200728042408.180529-2-cyrozap@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -56,7 +56,9 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_3                       0x43ba
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_2                       0x43bb
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1                       0x43bc
++#define PCI_DEVICE_ID_ASMEDIA_1042_XHCI                       0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI              0x1142
++#define PCI_DEVICE_ID_ASMEDIA_2142_XHCI                       0x2142
+ static const char hcd_name[] = "xhci_hcd";
+@@ -250,13 +252,13 @@ static void xhci_pci_quirks(struct devic
+               xhci->quirks |= XHCI_LPM_SUPPORT;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+-                      pdev->device == 0x1042)
++              pdev->device == PCI_DEVICE_ID_ASMEDIA_1042_XHCI)
+               xhci->quirks |= XHCI_BROKEN_STREAMS;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+-                      pdev->device == 0x1142)
++              pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+               xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+-                      pdev->device == 0x2142)
++              pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
+               xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
diff --git a/queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch b/queue-5.7/usb-xhci-fix-asmedia-asm1142-dma-addressing.patch
new file mode 100644 (file)
index 0000000..5cb52bf
--- /dev/null
@@ -0,0 +1,45 @@
+From ec37198acca7b4c17b96247697406e47aafe0605 Mon Sep 17 00:00:00 2001
+From: Forest Crossman <cyrozap@gmail.com>
+Date: Mon, 27 Jul 2020 23:24:08 -0500
+Subject: usb: xhci: Fix ASMedia ASM1142 DMA addressing
+
+From: Forest Crossman <cyrozap@gmail.com>
+
+commit ec37198acca7b4c17b96247697406e47aafe0605 upstream.
+
+I've confirmed that the ASMedia ASM1142 has the same problem as the
+ASM2142/ASM3142, in that it too reports that it supports 64-bit DMA
+addresses when in fact it does not. As with the ASM2142/ASM3142, this
+can cause problems on systems where the upper bits matter, and adding
+the XHCI_NO_64BIT_SUPPORT quirk completely fixes the issue.
+
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Forest Crossman <cyrozap@gmail.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200728042408.180529-3-cyrozap@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-pci.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -58,6 +58,7 @@
+ #define PCI_DEVICE_ID_AMD_PROMONTORYA_1                       0x43bc
+ #define PCI_DEVICE_ID_ASMEDIA_1042_XHCI                       0x1042
+ #define PCI_DEVICE_ID_ASMEDIA_1042A_XHCI              0x1142
++#define PCI_DEVICE_ID_ASMEDIA_1142_XHCI                       0x1242
+ #define PCI_DEVICE_ID_ASMEDIA_2142_XHCI                       0x2142
+ static const char hcd_name[] = "xhci_hcd";
+@@ -258,7 +259,8 @@ static void xhci_pci_quirks(struct devic
+               pdev->device == PCI_DEVICE_ID_ASMEDIA_1042A_XHCI)
+               xhci->quirks |= XHCI_TRUST_TX_LENGTH;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
+-              pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI)
++          (pdev->device == PCI_DEVICE_ID_ASMEDIA_1142_XHCI ||
++           pdev->device == PCI_DEVICE_ID_ASMEDIA_2142_XHCI))
+               xhci->quirks |= XHCI_NO_64BIT_SUPPORT;
+       if (pdev->vendor == PCI_VENDOR_ID_ASMEDIA &&
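Review bot: `PCI_DEVICE_ID_ASMEDIA_1142_XHCI` is defined as `0x1242` directly beneath `PCI_DEVICE_ID_ASMEDIA_1042A_XHCI`, which is `0x1142`; the part number of one is the device ID of the other, which is exactly the confusion the previous patch in this series set out to remove. A trailing comment on the new define, `/* ASM1142; device ID does not match the part number */`, would stop a future reader from "correcting" it. The widened condition itself is fine. `xhci_pci_quirks` begins before and continues after the hunk.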
diff --git a/queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch b/queue-5.7/vgacon-fix-for-missing-check-in-scrollback-handling.patch
new file mode 100644 (file)
index 0000000..55a0ee9
--- /dev/null
@@ -0,0 +1,88 @@
+From ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d Mon Sep 17 00:00:00 2001
+From: Yunhai Zhang <zhangyunhai@nsfocus.com>
+Date: Tue, 28 Jul 2020 09:58:03 +0800
+Subject: vgacon: Fix for missing check in scrollback handling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yunhai Zhang <zhangyunhai@nsfocus.com>
+
+commit ebfdfeeae8c01fcb2b3b74ffaf03876e20835d2d upstream.
+
+vgacon_scrollback_update() always leaves enbough room in the scrollback
+buffer for the next call, but if the console size changed that room
+might not actually be enough, and so we need to re-check.
+
+The check should be in the loop since vgacon_scrollback_cur->tail is
+updated in the loop and count may be more than 1 when triggered by CSI M,
+as Jiri's PoC:
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/ioctl.h>
+#include <fcntl.h>
+
+int main(int argc, char** argv)
+{
+        int fd = open("/dev/tty1", O_RDWR);
+        unsigned short size[3] = {25, 200, 0};
+        ioctl(fd, 0x5609, size); // VT_RESIZE
+
+        write(fd, "\e[1;1H", 6);
+        for (int i = 0; i < 30; i++)
+                write(fd, "\e[10M", 5);
+}
+
+It leads to various crashes as vgacon_scrollback_update writes out of
+the buffer:
+ BUG: unable to handle page fault for address: ffffc900001752a0
+ #PF: supervisor write access in kernel mode
+ #PF: error_code(0x0002) - not-present page
+ RIP: 0010:mutex_unlock+0x13/0x30
+...
+ Call Trace:
+  n_tty_write+0x1a0/0x4d0
+  tty_write+0x1a0/0x2e0
+
+Or to KASAN reports:
+BUG: KASAN: slab-out-of-bounds in vgacon_scroll+0x57a/0x8ed
+
+This fixes CVE-2020-14331.
+
+Reported-by: 张云海 <zhangyunhai@nsfocus.com>
+Reported-by: Yang Yingliang <yangyingliang@huawei.com>
+Reported-by: Kyungtae Kim <kt0755@gmail.com>
+Fixes: 15bdab959c9b ([PATCH] vgacon: Add support for soft scrollback)
+Cc: stable@vger.kernel.org
+Cc: linux-fbdev@vger.kernel.org
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Solar Designer <solar@openwall.com>
+Cc: "Srivatsa S. Bhat" <srivatsa@csail.mit.edu>
+Cc: Anthony Liguori <aliguori@amazon.com>
+Cc: Yang Yingliang <yangyingliang@huawei.com>
+Cc: Bartlomiej Zolnierkiewicz <b.zolnierkie@samsung.com>
+Cc: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Yunhai Zhang <zhangyunhai@nsfocus.com>
+Link: https://lore.kernel.org/r/9fb43895-ca91-9b07-ebfd-808cf854ca95@nsfocus.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/console/vgacon.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/video/console/vgacon.c
++++ b/drivers/video/console/vgacon.c
+@@ -251,6 +251,10 @@ static void vgacon_scrollback_update(str
+       p = (void *) (c->vc_origin + t * c->vc_size_row);
+       while (count--) {
++              if ((vgacon_scrollback_cur->tail + c->vc_size_row) >
++                  vgacon_scrollback_cur->size)
++                      vgacon_scrollback_cur->tail = 0;
++
+               scr_memcpyw(vgacon_scrollback_cur->data +
+                           vgacon_scrollback_cur->tail,
+                           p, c->vc_size_row);
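Review bot: The added guard wraps `tail` to 0 when a row would run past `size`, but it only bounds the copy if a single row fits in the buffer; if a user-driven VT_RESIZE (the commit's reproducer resizes to 200 columns) can make `c->vc_size_row` exceed `vgacon_scrollback_cur->size`, the reset to 0 still lets `scr_memcpyw()` write `vc_size_row` bytes into a `size`-byte buffer. Unless the allocation or resize path rules that out (not visible here), I would bail before the loop with `if (c->vc_size_row > vgacon_scrollback_cur->size) return;` and state the invariant at the guard, e.g. `/* the console may have grown since the last call: wrap before copying a row */`. The tail advance and the post-copy wrap are outside the hunk, as is the start of `vgacon_scrollback_update`.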