--- /dev/null
+From e4c3e133294c0a292d21073899b05ebf530169bd Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Date: Tue, 2 Mar 2021 15:43:55 +0100
+Subject: counter: stm32-timer-cnt: fix ceiling write max value
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+commit e4c3e133294c0a292d21073899b05ebf530169bd upstream.
+
+The ceiling value isn't checked before writing it into registers. The user
+could write a value higher than the counter resolution (e.g. 16 or 32 bits
+indicated by max_arr). This makes most significant bits to be truncated.
+Fix it by checking the max_arr to report a range error [1] to the user.
+
+[1] https://lkml.org/lkml/2021/2/12/358
+
+Fixes: ad29937e206f ("counter: Add STM32 Timer quadrature encoder")
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Acked-by: William Breathitt Gray <vilhelm.gray@gmail.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1614696235-24088-1-git-send-email-fabrice.gasnier@foss.st.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/counter/stm32-timer-cnt.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/counter/stm32-timer-cnt.c
++++ b/drivers/counter/stm32-timer-cnt.c
+@@ -25,6 +25,7 @@ struct stm32_timer_cnt {
+ struct regmap *regmap;
+ struct clk *clk;
+ u32 ceiling;
++ u32 max_arr;
+ };
+
+ /**
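Review bot: The new `max_arr` field in `struct stm32_timer_cnt` carries no comment, and probe initialises both it and `ceiling` from the same `ddata->max_arr`, so the difference between the two is easy to miss. A one-line comment would record that `max_arr` is the fixed upper bound checked in stm32_count_ceiling_write() while `ceiling` is the user-settable value, e.g. `u32 max_arr; /* largest value TIM_ARR can hold; upper bound for ceiling writes */`. The struct starts above this hunk, so if it already has a kernel-doc block the field description belongs there instead.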
+@@ -189,6 +190,9 @@ static ssize_t stm32_count_ceiling_write
+ if (ret)
+ return ret;
+
++ if (ceiling > priv->max_arr)
++ return -ERANGE;
++
+ /* TIMx_ARR register shouldn't be buffered (ARPE=0) */
+ regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, 0);
+ regmap_write(priv->regmap, TIM_ARR, ceiling);
+@@ -366,6 +370,7 @@ static int stm32_timer_cnt_probe(struct
+ priv->regmap = ddata->regmap;
+ priv->clk = ddata->clk;
+ priv->ceiling = ddata->max_arr;
++ priv->max_arr = ddata->max_arr;
+
+ priv->counter.name = dev_name(dev);
+ priv->counter.parent = dev;
--- /dev/null
+From f890987fac8153227258121740a9609668c427f3 Mon Sep 17 00:00:00 2001
+From: Wilfried Wessner <wilfried.wessner@gmail.com>
+Date: Mon, 8 Feb 2021 15:27:05 +0100
+Subject: iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask
+
+From: Wilfried Wessner <wilfried.wessner@gmail.com>
+
+commit f890987fac8153227258121740a9609668c427f3 upstream.
+
+Fixes a wrong bit mask used for the ADC's result, which was caused by an
+improper usage of the GENMASK() macro. The bits higher than ADC's
+resolution are undefined and if not masked out correctly, a wrong result
+can be given. The GENMASK() macro indexing is zero based, so the mask has
+to go from [resolution - 1 , 0].
+
+Fixes: 7f40e0614317f ("iio:adc:ad7949: Add AD7949 ADC driver family")
+Signed-off-by: Wilfried Wessner <wilfried.wessner@gmail.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Reviewed-by: Charles-Antoine Couret <charles-antoine.couret@essensium.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210208142705.GA51260@ubuntu
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/ad7949.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/ad7949.c
++++ b/drivers/iio/adc/ad7949.c
+@@ -91,7 +91,7 @@ static int ad7949_spi_read_channel(struc
+ int ret;
+ int i;
+ int bits_per_word = ad7949_adc->resolution;
+- int mask = GENMASK(ad7949_adc->resolution, 0);
++ int mask = GENMASK(ad7949_adc->resolution - 1, 0);
+ struct spi_message msg;
+ struct spi_transfer tx[] = {
+ {
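Review bot: `mask` on the changed line is declared `int` although it holds a GENMASK() bit mask, and `resolution - 1` is used as the high bit without a visible check that `resolution` is non-zero. Declaring it unsigned, `unsigned int mask = GENMASK(ad7949_adc->resolution - 1, 0);`, keeps the later masking free of signed arithmetic. Where `resolution` is assigned is outside this hunk, so a zero value may already be ruled out. ad7949_spi_read_channel() starts above and continues past the hunk.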
--- /dev/null
+From 7d200b283aa049fcda0d43dd6e03e9e783d2799c Mon Sep 17 00:00:00 2001
+From: Jonathan Albrieux <jonathan.albrieux@gmail.com>
+Date: Wed, 13 Jan 2021 16:18:07 +0100
+Subject: iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel
+
+From: Jonathan Albrieux <jonathan.albrieux@gmail.com>
+
+commit 7d200b283aa049fcda0d43dd6e03e9e783d2799c upstream.
+
+Checking at both msm8909-pm8916.dtsi and msm8916.dtsi from downstream
+it is indicated that "batt_id" channel has to be scaled with the default
+function:
+
+ chan@31 {
+ label = "batt_id";
+ reg = <0x31>;
+ qcom,decimation = <0>;
+ qcom,pre-div-channel-scaling = <0>;
+ qcom,calibration-type = "ratiometric";
+ qcom,scale-function = <0>;
+ qcom,hw-settle-time = <0xb>;
+ qcom,fast-avg-setup = <0>;
+ };
+
+Change LR_MUX2_BAT_ID scaling accordingly.
+
+Signed-off-by: Jonathan Albrieux <jonathan.albrieux@gmail.com>
+Acked-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Fixes: 7c271eea7b8a ("iio: adc: spmi-vadc: Changes to support different scaling")
+Link: https://lore.kernel.org/r/20210113151808.4628-2-jonathan.albrieux@gmail.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/qcom-spmi-vadc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/qcom-spmi-vadc.c
++++ b/drivers/iio/adc/qcom-spmi-vadc.c
+@@ -598,7 +598,7 @@ static const struct vadc_channels vadc_c
+ VADC_CHAN_NO_SCALE(P_MUX16_1_3, 1)
+
+ VADC_CHAN_NO_SCALE(LR_MUX1_BAT_THERM, 0)
+- VADC_CHAN_NO_SCALE(LR_MUX2_BAT_ID, 0)
++ VADC_CHAN_VOLT(LR_MUX2_BAT_ID, 0, SCALE_DEFAULT)
+ VADC_CHAN_NO_SCALE(LR_MUX3_XO_THERM, 0)
+ VADC_CHAN_NO_SCALE(LR_MUX4_AMUX_THM1, 0)
+ VADC_CHAN_NO_SCALE(LR_MUX5_AMUX_THM2, 0)
--- /dev/null
+From 121875b28e3bd7519a675bf8ea2c2e793452c2bd Mon Sep 17 00:00:00 2001
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Date: Sun, 24 Jan 2021 19:50:34 +0000
+Subject: iio:adc:stm32-adc: Add HAS_IOMEM dependency
+
+From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+
+commit 121875b28e3bd7519a675bf8ea2c2e793452c2bd upstream.
+
+Seems that there are config combinations in which this driver gets enabled
+and hence selects the MFD, but with out HAS_IOMEM getting pulled in
+via some other route. MFD is entirely contained in an
+if HAS_IOMEM block, leading to the build issue in this bugzilla.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=209889
+
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Link: https://lore.kernel.org/r/20210124195034.22576-1-jic23@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/adc/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/iio/adc/Kconfig
++++ b/drivers/iio/adc/Kconfig
+@@ -784,6 +784,7 @@ config STM32_ADC_CORE
+ depends on ARCH_STM32 || COMPILE_TEST
+ depends on OF
+ depends on REGULATOR
++ depends on HAS_IOMEM
+ select IIO_BUFFER
+ select MFD_STM32_TIMERS
+ select IIO_STM32_TIMER_TRIGGER
--- /dev/null
+From a71266e454b5df10d019b06f5ebacd579f76be28 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 16 Feb 2021 22:42:13 +0300
+Subject: iio: adis16400: Fix an error code in adis16400_initial_setup()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a71266e454b5df10d019b06f5ebacd579f76be28 upstream.
+
+This is to silence a new Smatch warning:
+
+ drivers/iio/imu/adis16400.c:492 adis16400_initial_setup()
+ warn: sscanf doesn't return error codes
+
+If the condition "if (st->variant->flags & ADIS16400_HAS_SLOW_MODE) {"
+is false then we return 1 instead of returning 0 and probe will fail.
+
+Fixes: 72a868b38bdd ("iio: imu: check sscanf return value")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/YCwgFb3JVG6qrlQ+@mwanda
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/imu/adis16400.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/imu/adis16400.c
++++ b/drivers/iio/imu/adis16400.c
+@@ -464,8 +464,7 @@ static int adis16400_initial_setup(struc
+ if (ret)
+ goto err_ret;
+
+- ret = sscanf(indio_dev->name, "adis%u\n", &device_id);
+- if (ret != 1) {
++ if (sscanf(indio_dev->name, "adis%u\n", &device_id) != 1) {
+ ret = -EINVAL;
+ goto err_ret;
+ }
--- /dev/null
+From 6dbbbe4cfd398704b72b21c1d4a5d3807e909d60 Mon Sep 17 00:00:00 2001
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Date: Mon, 1 Mar 2021 16:04:21 +0800
+Subject: iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler
+
+From: Dinghao Liu <dinghao.liu@zju.edu.cn>
+
+commit 6dbbbe4cfd398704b72b21c1d4a5d3807e909d60 upstream.
+
+There is one regmap_bulk_read() call in mpu3050_trigger_handler
+that we have caught its return value bug lack further handling.
+Check and terminate the execution flow just like the other three
+regmap_bulk_read() calls in this function.
+
+Fixes: 3904b28efb2c7 ("iio: gyro: Add driver for the MPU-3050 gyroscope")
+Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Link: https://lore.kernel.org/r/20210301080421.13436-1-dinghao.liu@zju.edu.cn
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/iio/gyro/mpu3050-core.c
++++ b/drivers/iio/gyro/mpu3050-core.c
+@@ -550,6 +550,8 @@ static irqreturn_t mpu3050_trigger_handl
+ MPU3050_FIFO_R,
+ &fifo_values[offset],
+ toread);
++ if (ret)
++ goto out_trigger_unlock;
+
+ dev_dbg(mpu3050->dev,
+ "%04x %04x %04x %04x %04x\n",
--- /dev/null
+From 37e89e574dc238a4ebe439543c5ab4fbb2f0311b Mon Sep 17 00:00:00 2001
+From: Ye Xiang <xiang.ye@intel.com>
+Date: Wed, 3 Mar 2021 14:36:12 +0800
+Subject: iio: hid-sensor-humidity: Fix alignment issue of timestamp channel
+
+From: Ye Xiang <xiang.ye@intel.com>
+
+commit 37e89e574dc238a4ebe439543c5ab4fbb2f0311b upstream.
+
+This patch ensures that, there is sufficient space and correct
+alignment for the timestamp.
+
+Fixes: d7ed89d5aadf ("iio: hid: Add humidity sensor support")
+Signed-off-by: Ye Xiang <xiang.ye@intel.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210303063615.12130-2-xiang.ye@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/humidity/hid-sensor-humidity.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/humidity/hid-sensor-humidity.c
++++ b/drivers/iio/humidity/hid-sensor-humidity.c
+@@ -17,7 +17,10 @@
+ struct hid_humidity_state {
+ struct hid_sensor_common common_attributes;
+ struct hid_sensor_hub_attribute_info humidity_attr;
+- s32 humidity_data;
++ struct {
++ s32 humidity_data;
++ u64 timestamp __aligned(8);
++ } scan;
+ int scale_pre_decml;
+ int scale_post_decml;
+ int scale_precision;
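Review bot: The new `scan` struct has 4 bytes of padding between `humidity_data` and the 8-byte-aligned `timestamp`, and the whole struct is what humidity_proc_event() hands to `iio_push_to_buffers_with_timestamp()`, so those bytes travel with every sample. Nothing in the visible code writes the padding, so its content is whatever the state allocation held. Presumably the iio_priv() storage is zero-allocated, but that is not shown in this diff. A comment on the struct would record the dependency, e.g. `/* padding is never written; relies on zeroed iio_priv() storage */`. The same applies to the `scan` struct added to `struct temperature_state` in the hid-sensor-temperature patch.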
+@@ -127,9 +130,8 @@ static int humidity_proc_event(struct hi
+ struct hid_humidity_state *humid_st = iio_priv(indio_dev);
+
+ if (atomic_read(&humid_st->common_attributes.data_ready))
+- iio_push_to_buffers_with_timestamp(indio_dev,
+- &humid_st->humidity_data,
+- iio_get_time_ns(indio_dev));
++ iio_push_to_buffers_with_timestamp(indio_dev, &humid_st->scan,
++ iio_get_time_ns(indio_dev));
+
+ return 0;
+ }
+@@ -144,7 +146,7 @@ static int humidity_capture_sample(struc
+
+ switch (usage_id) {
+ case HID_USAGE_SENSOR_ATMOSPHERIC_HUMIDITY:
+- humid_st->humidity_data = *(s32 *)raw_data;
++ humid_st->scan.humidity_data = *(s32 *)raw_data;
+
+ return 0;
+ default:
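Review bot: `*(s32 *)raw_data` on the changed line reads four bytes from the report buffer with no visible check that the field is that long or suitably aligned, and the data presumably comes from the HID device. If the callback receives the field length (its parameter list is cut off in the hunk header), a length guard before the assignment would bound the read, and `memcpy(&humid_st->scan.humidity_data, raw_data, sizeof(s32));` avoids the cast. The same line shape appears in temperature_capture_sample() in the hid-sensor-temperature patch. The function body continues outside the hunk.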
--- /dev/null
+From d68c592e02f6f49a88e705f13dfc1883432cf300 Mon Sep 17 00:00:00 2001
+From: Ye Xiang <xiang.ye@intel.com>
+Date: Sat, 30 Jan 2021 18:25:30 +0800
+Subject: iio: hid-sensor-prox: Fix scale not correct issue
+
+From: Ye Xiang <xiang.ye@intel.com>
+
+commit d68c592e02f6f49a88e705f13dfc1883432cf300 upstream.
+
+Currently, the proxy sensor scale is zero because it just return the
+exponent directly. To fix this issue, this patch use
+hid_sensor_format_scale to process the scale first then return the
+output.
+
+Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver")
+Signed-off-by: Ye Xiang <xiang.ye@intel.com>
+Link: https://lore.kernel.org/r/20210130102530.31064-1-xiang.ye@intel.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/hid-sensor-prox.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/light/hid-sensor-prox.c
++++ b/drivers/iio/light/hid-sensor-prox.c
+@@ -25,6 +25,9 @@ struct prox_state {
+ struct hid_sensor_common common_attributes;
+ struct hid_sensor_hub_attribute_info prox_attr;
+ u32 human_presence;
++ int scale_pre_decml;
++ int scale_post_decml;
++ int scale_precision;
+ };
+
+ /* Channel definitions */
+@@ -95,8 +98,9 @@ static int prox_read_raw(struct iio_dev
+ ret_type = IIO_VAL_INT;
+ break;
+ case IIO_CHAN_INFO_SCALE:
+- *val = prox_state->prox_attr.units;
+- ret_type = IIO_VAL_INT;
++ *val = prox_state->scale_pre_decml;
++ *val2 = prox_state->scale_post_decml;
++ ret_type = prox_state->scale_precision;
+ break;
+ case IIO_CHAN_INFO_OFFSET:
+ *val = hid_sensor_convert_exponent(
+@@ -236,6 +240,11 @@ static int prox_parse_report(struct plat
+ HID_USAGE_SENSOR_HUMAN_PRESENCE,
+ &st->common_attributes.sensitivity);
+
++ st->scale_precision = hid_sensor_format_scale(
++ hsdev->usage,
++ &st->prox_attr,
++ &st->scale_pre_decml, &st->scale_post_decml);
++
+ return ret;
+ }
+
--- /dev/null
+From 141e7633aa4d2838d1f6ad5c74cccc53547c16ac Mon Sep 17 00:00:00 2001
+From: Ye Xiang <xiang.ye@intel.com>
+Date: Wed, 3 Mar 2021 14:36:14 +0800
+Subject: iio: hid-sensor-temperature: Fix issues of timestamp channel
+
+From: Ye Xiang <xiang.ye@intel.com>
+
+commit 141e7633aa4d2838d1f6ad5c74cccc53547c16ac upstream.
+
+This patch fixes 2 issues of timestamp channel:
+1. This patch ensures that there is sufficient space and correct
+alignment for the timestamp.
+2. Correct the timestamp channel scan index.
+
+Fixes: 59d0f2da3569 ("iio: hid: Add temperature sensor support")
+Signed-off-by: Ye Xiang <xiang.ye@intel.com>
+Cc: <Stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210303063615.12130-4-xiang.ye@intel.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/temperature/hid-sensor-temperature.c | 14 ++++++++------
+ 1 file changed, 8 insertions(+), 6 deletions(-)
+
+--- a/drivers/iio/temperature/hid-sensor-temperature.c
++++ b/drivers/iio/temperature/hid-sensor-temperature.c
+@@ -17,7 +17,10 @@
+ struct temperature_state {
+ struct hid_sensor_common common_attributes;
+ struct hid_sensor_hub_attribute_info temperature_attr;
+- s32 temperature_data;
++ struct {
++ s32 temperature_data;
++ u64 timestamp __aligned(8);
++ } scan;
+ int scale_pre_decml;
+ int scale_post_decml;
+ int scale_precision;
+@@ -34,7 +37,7 @@ static const struct iio_chan_spec temper
+ BIT(IIO_CHAN_INFO_SAMP_FREQ) |
+ BIT(IIO_CHAN_INFO_HYSTERESIS),
+ },
+- IIO_CHAN_SOFT_TIMESTAMP(3),
++ IIO_CHAN_SOFT_TIMESTAMP(1),
+ };
+
+ /* Adjust channel real bits based on report descriptor */
+@@ -125,9 +128,8 @@ static int temperature_proc_event(struct
+ struct temperature_state *temp_st = iio_priv(indio_dev);
+
+ if (atomic_read(&temp_st->common_attributes.data_ready))
+- iio_push_to_buffers_with_timestamp(indio_dev,
+- &temp_st->temperature_data,
+- iio_get_time_ns(indio_dev));
++ iio_push_to_buffers_with_timestamp(indio_dev, &temp_st->scan,
++ iio_get_time_ns(indio_dev));
+
+ return 0;
+ }
+@@ -142,7 +144,7 @@ static int temperature_capture_sample(st
+
+ switch (usage_id) {
+ case HID_USAGE_SENSOR_DATA_ENVIRONMENTAL_TEMPERATURE:
+- temp_st->temperature_data = *(s32 *)raw_data;
++ temp_st->scan.temperature_data = *(s32 *)raw_data;
+ return 0;
+ default:
+ return -EINVAL;
scsi-myrs-fix-a-double-free-in-myrs_cleanup.patch
counter-stm32-timer-cnt-report-count-function-when-s.patch
nvme-rdma-fix-possible-hang-when-failing-to-set-io-q.patch
+usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch
+usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch
+usb-replace-hardcode-maximum-usb-string-length-by-definition.patch
+usb-gadget-configfs-fix-kasan-use-after-free.patch
+usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch
+usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch
+iio-adc-stm32-adc-add-has_iomem-dependency.patch
+iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch
+iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch
+iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch
+iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch
+iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch
+iio-hid-sensor-prox-fix-scale-not-correct-issue.patch
+iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch
+counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch
--- /dev/null
+From 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 Mon Sep 17 00:00:00 2001
+From: Jim Lin <jilin@nvidia.com>
+Date: Thu, 11 Mar 2021 14:42:41 +0800
+Subject: usb: gadget: configfs: Fix KASAN use-after-free
+
+From: Jim Lin <jilin@nvidia.com>
+
+commit 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 upstream.
+
+When gadget is disconnected, running sequence is like this.
+. composite_disconnect
+. Call trace:
+ usb_string_copy+0xd0/0x128
+ gadget_config_name_configuration_store+0x4
+ gadget_config_name_attr_store+0x40/0x50
+ configfs_write_file+0x198/0x1f4
+ vfs_write+0x100/0x220
+ SyS_write+0x58/0xa8
+. configfs_composite_unbind
+. configfs_composite_bind
+
+In configfs_composite_bind, it has
+"cn->strings.s = cn->configuration;"
+
+When usb_string_copy is invoked. it would
+allocate memory, copy input string, release previous pointed memory space,
+and use new allocated memory.
+
+When gadget is connected, host sends down request to get information.
+Call trace:
+ usb_gadget_get_string+0xec/0x168
+ lookup_string+0x64/0x98
+ composite_setup+0xa34/0x1ee8
+
+If gadget is disconnected and connected quickly, in the failed case,
+cn->configuration memory has been released by usb_string_copy kfree but
+configfs_composite_bind hasn't been run in time to assign new allocated
+"cn->configuration" pointer to "cn->strings.s".
+
+When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling
+memory is accessed, "BUG: KASAN: use-after-free" error occurs.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Jim Lin <jilin@nvidia.com>
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/configfs.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -109,6 +109,8 @@ struct gadget_config_name {
+ struct list_head list;
+ };
+
++#define USB_MAX_STRING_WITH_NULL_LEN (USB_MAX_STRING_LEN+1)
++
+ static int usb_string_copy(const char *s, char **s_copy)
+ {
+ int ret;
+@@ -118,12 +120,16 @@ static int usb_string_copy(const char *s
+ if (ret > USB_MAX_STRING_LEN)
+ return -EOVERFLOW;
+
+- str = kstrdup(s, GFP_KERNEL);
+- if (!str)
+- return -ENOMEM;
++ if (copy) {
++ str = copy;
++ } else {
++ str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL);
++ if (!str)
++ return -ENOMEM;
++ }
++ strcpy(str, s);
+ if (str[ret - 1] == '\n')
+ str[ret - 1] = '\0';
+- kfree(copy);
+ *s_copy = str;
+ return 0;
+ }
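Review bot: `str[ret - 1]` is evaluated even when `ret` is 0, so an empty string arriving through the configfs store path indexes one byte before the buffer, and writes there if that byte happens to be a newline. Guarding it as `if (ret > 0 && str[ret - 1] == '\n')` closes that. Separately, the in-place `strcpy(str, s)` is only bounded if every non-NULL `*s_copy` was allocated with USB_MAX_STRING_WITH_NULL_LEN bytes. Other allocation sites are not visible here, so that assumption deserves a comment above the `if (copy)` branch, or a bounded copy such as `strscpy(str, s, USB_MAX_STRING_WITH_NULL_LEN);`. usb_string_copy() starts in the previous hunk.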
--- /dev/null
+From 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 Mon Sep 17 00:00:00 2001
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+Date: Thu, 18 Jun 2020 17:13:38 +0800
+Subject: USB: replace hardcode maximum usb string length by definition
+
+From: Macpaul Lin <macpaul.lin@mediatek.com>
+
+commit 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 upstream.
+
+Replace hardcoded maximum USB string length (126 bytes) by definition
+"USB_MAX_STRING_LEN".
+
+Signed-off-by: Macpaul Lin <macpaul.lin@mediatek.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/1592471618-29428-1-git-send-email-macpaul.lin@mediatek.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c | 4 ++--
+ drivers/usb/gadget/configfs.c | 2 +-
+ drivers/usb/gadget/usbstring.c | 4 ++--
+ include/uapi/linux/usb/ch9.h | 3 +++
+ 4 files changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1091,7 +1091,7 @@ static void collect_langs(struct usb_gad
+ while (*sp) {
+ s = *sp;
+ language = cpu_to_le16(s->language);
+- for (tmp = buf; *tmp && tmp < &buf[126]; tmp++) {
++ for (tmp = buf; *tmp && tmp < &buf[USB_MAX_STRING_LEN]; tmp++) {
+ if (*tmp == language)
+ goto repeat;
+ }
+@@ -1166,7 +1166,7 @@ static int get_string(struct usb_composi
+ collect_langs(sp, s->wData);
+ }
+
+- for (len = 0; len <= 126 && s->wData[len]; len++)
++ for (len = 0; len <= USB_MAX_STRING_LEN && s->wData[len]; len++)
+ continue;
+ if (!len)
+ return -EINVAL;
+--- a/drivers/usb/gadget/configfs.c
++++ b/drivers/usb/gadget/configfs.c
+@@ -115,7 +115,7 @@ static int usb_string_copy(const char *s
+ char *str;
+ char *copy = *s_copy;
+ ret = strlen(s);
+- if (ret > 126)
++ if (ret > USB_MAX_STRING_LEN)
+ return -EOVERFLOW;
+
+ str = kstrdup(s, GFP_KERNEL);
+--- a/drivers/usb/gadget/usbstring.c
++++ b/drivers/usb/gadget/usbstring.c
+@@ -55,9 +55,9 @@ usb_gadget_get_string (const struct usb_
+ return -EINVAL;
+
+ /* string descriptors have length, tag, then UTF16-LE text */
+- len = min ((size_t) 126, strlen (s->s));
++ len = min((size_t)USB_MAX_STRING_LEN, strlen(s->s));
+ len = utf8s_to_utf16s(s->s, len, UTF16_LITTLE_ENDIAN,
+- (wchar_t *) &buf[2], 126);
++ (wchar_t *) &buf[2], USB_MAX_STRING_LEN);
+ if (len < 0)
+ return -EINVAL;
+ buf [0] = (len + 1) * 2;
+--- a/include/uapi/linux/usb/ch9.h
++++ b/include/uapi/linux/usb/ch9.h
+@@ -364,6 +364,9 @@ struct usb_config_descriptor {
+
+ /*-------------------------------------------------------------------------*/
+
++/* USB String descriptors can contain at most 126 characters. */
++#define USB_MAX_STRING_LEN 126
++
+ /* USB_DT_STRING: String descriptor */
+ struct usb_string_descriptor {
+ __u8 bLength;
--- /dev/null
+From 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 17 Mar 2021 15:06:54 -0400
+Subject: usb-storage: Add quirk to defeat Kindle's automatic unload
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 upstream.
+
+Matthias reports that the Amazon Kindle automatically removes its
+emulated media if it doesn't receive another SCSI command within about
+one second after a SYNCHRONIZE CACHE. It does so even when the host
+has sent a PREVENT MEDIUM REMOVAL command. The reason for this
+behavior isn't clear, although it's not hard to make some guesses.
+
+At any rate, the results can be unexpected for anyone who tries to
+access the Kindle in an unusual fashion, and in theory they can lead
+to data loss (for example, if one file is closed and synchronized
+while other files are still in the middle of being written).
+
+To avoid such problems, this patch creates a new usb-storage quirks
+flag telling the driver always to issue a REQUEST SENSE following a
+SYNCHRONIZE CACHE command, and adds an unusual_devs entry for the
+Kindle with the flag set. This is sufficient to prevent the Kindle
+from doing its automatic unload, without interfering with proper
+operation.
+
+Another possible way to deal with this would be to increase the
+frequency of TEST UNIT READY polling that the kernel normally carries
+out for removable-media storage devices. However that would increase
+the overall load on the system and it is not as reliable, because the
+user can override the polling interval. Changing the driver's
+behavior is safer and has minimal overhead.
+
+CC: <stable@vger.kernel.org>
+Reported-and-tested-by: Matthias Schwarzott <zzam@gentoo.org>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20210317190654.GA497856@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/transport.c | 7 +++++++
+ drivers/usb/storage/unusual_devs.h | 12 ++++++++++++
+ include/linux/usb_usual.h | 2 ++
+ 3 files changed, 21 insertions(+)
+
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -651,6 +651,13 @@ void usb_stor_invoke_transport(struct sc
+ need_auto_sense = 1;
+ }
+
++ /* Some devices (Kindle) require another command after SYNC CACHE */
++ if ((us->fflags & US_FL_SENSE_AFTER_SYNC) &&
++ srb->cmnd[0] == SYNCHRONIZE_CACHE) {
++ usb_stor_dbg(us, "-- sense after SYNC CACHE\n");
++ need_auto_sense = 1;
++ }
++
+ /*
+ * If we have a failure, we're going to do a REQUEST_SENSE
+ * automatically. Note that we differentiate between a command
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2212,6 +2212,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0
+ US_FL_NO_READ_DISC_INFO ),
+
+ /*
++ * Reported by Matthias Schwarzott <zzam@gentoo.org>
++ * The Amazon Kindle treats SYNCHRONIZE CACHE as an indication that
++ * the host may be finished with it, and automatically ejects its
++ * emulated media unless it receives another command within one second.
++ */
++UNUSUAL_DEV( 0x1949, 0x0004, 0x0000, 0x9999,
++ "Amazon",
++ "Kindle",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_SENSE_AFTER_SYNC ),
++
++/*
+ * Reported by Oliver Neukum <oneukum@suse.com>
+ * This device morphes spontaneously into another device if the access
+ * pattern of Windows isn't followed. Thus writable media would be dirty
+--- a/include/linux/usb_usual.h
++++ b/include/linux/usb_usual.h
+@@ -86,6 +86,8 @@
+ /* lies about caching, so always sync */ \
+ US_FLAG(NO_SAME, 0x40000000) \
+ /* Cannot handle WRITE_SAME */ \
++ US_FLAG(SENSE_AFTER_SYNC, 0x80000000) \
++ /* Do REQUEST_SENSE after SYNCHRONIZE_CACHE */ \
+
+ #define US_FLAG(name, value) US_FL_##name = value ,
+ enum { US_DO_ALL_FLAGS };
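Review bot: `US_FLAG(SENSE_AFTER_SYNC, 0x80000000)` takes the top bit of a 32-bit flag word, and its value does not fit in a signed `int` even though `US_FLAG` expands it into an enumerator (`US_FL_##name = value`). ISO C before C23 requires enumerator values to be representable as `int`, so this entry relies on the compiler accepting a wider enum. If the lower bits are all taken, as the preceding 0x40000000 suggests, no 32-bit value remains for another flag. A short comment beside the entry would warn the next contributor, e.g. `/* top bit: last value available in a 32-bit flags word */`.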
--- /dev/null
+From 3cac9104bea41099cf622091f0c0538bcb19050d Mon Sep 17 00:00:00 2001
+From: Elias Rudberg <mail@eliasrudberg.se>
+Date: Thu, 11 Mar 2021 13:47:10 +0100
+Subject: usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Elias Rudberg <mail@eliasrudberg.se>
+
+commit 3cac9104bea41099cf622091f0c0538bcb19050d upstream.
+
+Remove the unused "u32 vdo[3]" part in the tps6598x_rx_identity_reg
+struct. This helps avoid "failed to register partner" errors which
+happen when tps6598x_read_partner_identity() fails because the
+amount of data read is 12 bytes smaller than the struct size.
+Note that vdo[3] is already in usb_pd_identity and hence
+shouldn't be added to tps6598x_rx_identity_reg as well.
+
+Fixes: f6c56ca91b92 ("usb: typec: Add the Product Type VDOs to struct usb_pd_identity")
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Guido Günther <agx@sigxcpu.org>
+Signed-off-by: Elias Rudberg <mail@eliasrudberg.se>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210311124710.6563-1-mail@eliasrudberg.se
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tps6598x.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/typec/tps6598x.c
++++ b/drivers/usb/typec/tps6598x.c
+@@ -61,7 +61,6 @@ enum {
+ struct tps6598x_rx_identity_reg {
+ u8 status;
+ struct usb_pd_identity identity;
+- u32 vdo[3];
+ } __packed;
+
+ /* Standard Task return codes */
--- /dev/null
+From 86629e098a077922438efa98dc80917604dfd317 Mon Sep 17 00:00:00 2001
+From: Badhri Jagan Sridharan <badhri@google.com>
+Date: Wed, 17 Mar 2021 11:12:48 -0700
+Subject: usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy-
+
+From: Badhri Jagan Sridharan <badhri@google.com>
+
+commit 86629e098a077922438efa98dc80917604dfd317 upstream.
+
+tcpm-source-psy- does not invoke power_supply_changed API when
+one of the published power supply properties is changed.
+power_supply_changed needs to be called to notify
+userspace clients(uevents) and kernel clients.
+
+Fixes: f2a8aa053c176 ("typec: tcpm: Represent source supply through power_supply")
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210317181249.1062995-1-badhri@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/tcpm.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/typec/tcpm/tcpm.c
++++ b/drivers/usb/typec/tcpm/tcpm.c
+@@ -739,6 +739,7 @@ static int tcpm_set_current_limit(struct
+
+ port->supply_voltage = mv;
+ port->current_limit = max_ma;
++ power_supply_changed(port->psy);
+
+ if (port->tcpc->set_current_limit)
+ ret = port->tcpc->set_current_limit(port->tcpc, max_ma, mv);
+@@ -2138,6 +2139,7 @@ static int tcpm_pd_select_pdo(struct tcp
+
+ port->pps_data.supported = false;
+ port->usb_type = POWER_SUPPLY_USB_TYPE_PD;
++ power_supply_changed(port->psy);
+
+ /*
+ * Select the source PDO providing the most power which has a
+@@ -2162,6 +2164,7 @@ static int tcpm_pd_select_pdo(struct tcp
+ port->pps_data.supported = true;
+ port->usb_type =
+ POWER_SUPPLY_USB_TYPE_PD_PPS;
++ power_supply_changed(port->psy);
+ }
+ continue;
+ default:
+@@ -2319,6 +2322,7 @@ static unsigned int tcpm_pd_select_pps_a
+ port->pps_data.out_volt));
+ port->pps_data.op_curr = min(port->pps_data.max_curr,
+ port->pps_data.op_curr);
++ power_supply_changed(port->psy);
+ }
+
+ return src_pdo;
+@@ -2554,6 +2558,7 @@ static int tcpm_set_charge(struct tcpm_p
+ return ret;
+ }
+ port->vbus_charge = charge;
++ power_supply_changed(port->psy);
+ return 0;
+ }
+
+@@ -4665,7 +4670,7 @@ static int tcpm_psy_set_prop(struct powe
+ ret = -EINVAL;
+ break;
+ }
+-
++ power_supply_changed(port->psy);
+ return ret;
+ }
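Review bot: In tcpm_psy_set_prop() the new `power_supply_changed(port->psy);` runs for every path that reaches the end of the switch, including the branch that sets `ret = -EINVAL`, so listeners are notified about a request that was rejected. Making it conditional, `if (!ret) power_supply_changed(port->psy);` (assuming 0 is the success value, which the hunk does not show), avoids the spurious notification. Keeping the blank line before `return ret;` would also match the surrounding style. The function body starts above the hunk.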
+
+@@ -4816,6 +4821,7 @@ struct tcpm_port *tcpm_register_port(str
+ err = devm_tcpm_psy_register(port);
+ if (err)
+ goto out_role_sw_put;
++ power_supply_changed(port->psy);
+
+ port->typec_port = typec_register_port(port->dev, &port->typec_caps);
+ if (IS_ERR(port->typec_port)) {
--- /dev/null
+From 9858af27e69247c5d04c3b093190a93ca365f33d Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Thu, 11 Mar 2021 10:44:45 +0000
+Subject: usbip: Fix incorrect double assignment to udc->ud.tcp_rx
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 9858af27e69247c5d04c3b093190a93ca365f33d upstream.
+
+Currently udc->ud.tcp_rx is being assigned twice, the second assignment
+is incorrect, it should be to udc->ud.tcp_tx instead of rx. Fix this.
+
+Fixes: 46613c9dfa96 ("usbip: fix vudc usbip_sockfd_store races leading to gpf")
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Addresses-Coverity: ("Unused value")
+Link: https://lore.kernel.org/r/20210311104445.7811-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/usbip/vudc_sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/usbip/vudc_sysfs.c
++++ b/drivers/usb/usbip/vudc_sysfs.c
+@@ -174,7 +174,7 @@ static ssize_t usbip_sockfd_store(struct
+
+ udc->ud.tcp_socket = socket;
+ udc->ud.tcp_rx = tcp_rx;
+- udc->ud.tcp_rx = tcp_tx;
++ udc->ud.tcp_tx = tcp_tx;
+ udc->ud.status = SDEV_ST_USED;
+
+ spin_unlock_irq(&udc->ud.lock);