--- /dev/null
+From b564171ade70570b7f335fa8ed17adb28409e3ac Mon Sep 17 00:00:00 2001
+From: Li Li <dualli@google.com>
+Date: Fri, 10 Sep 2021 09:42:10 -0700
+Subject: binder: fix freeze race
+
+From: Li Li <dualli@google.com>
+
+commit b564171ade70570b7f335fa8ed17adb28409e3ac upstream.
+
+Currently cgroup freezer is used to freeze the application threads, and
+BINDER_FREEZE is used to freeze the corresponding binder interface.
+There's already a mechanism in ioctl(BINDER_FREEZE) to wait for any
+existing transactions to drain out before actually freezing the binder
+interface.
+
+But freezing an app requires 2 steps, freezing the binder interface with
+ioctl(BINDER_FREEZE) and then freezing the application main threads with
+cgroupfs. This is not an atomic operation. The following race issue
+might happen.
+
+1) Binder interface is frozen by ioctl(BINDER_FREEZE);
+2) Main thread A initiates a new sync binder transaction to process B;
+3) Main thread A is frozen by "echo 1 > cgroup.freeze";
+4) The response from process B reaches the frozen thread, which will
+unexpectedly fail.
+
+This patch provides a mechanism to check if there's any new pending
+transaction happening between ioctl(BINDER_FREEZE) and freezing the
+main thread. If there's any, the main thread freezing operation can
+be rolled back to finish the pending transaction.
+
+Furthermore, the response might reach the binder driver before the
+rollback actually happens. That will still cause failed transaction.
+
+As the other process doesn't wait for another response of the response,
+the response transaction failure can be fixed by treating the response
+transaction like an oneway/async one, allowing it to reach the frozen
+thread. And it will be consumed when the thread gets unfrozen later.
+
+NOTE: This patch reuses the existing definition of struct
+binder_frozen_status_info but expands the bit assignments of __u32
+member sync_recv.
+
+To ensure backward compatibility, bit 0 of sync_recv still indicates
+there's an outstanding sync binder transaction. This patch adds new
+information to bit 1 of sync_recv, indicating the binder transaction
+happens exactly when there's a race.
+
+If an existing userspace app runs on a new kernel, a sync binder call
+will set bit 0 of sync_recv so ioctl(BINDER_GET_FROZEN_INFO) still
+return the expected value (true). The app just doesn't check bit 1
+intentionally so it doesn't have the ability to tell if there's a race.
+This behavior is aligned with what happens on an old kernel which
+doesn't set bit 1 at all.
+
+A new userspace app can 1) check bit 0 to know if there's a sync binder
+transaction happened when being frozen - same as before; and 2) check
+bit 1 to know if that sync binder transaction happened exactly when
+there's a race - a new information for rollback decision.
+
+the same time, confirmed the pending transactions succeeded.
+
+Fixes: 432ff1e91694 ("binder: BINDER_FREEZE ioctl")
+Acked-by: Todd Kjos <tkjos@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Li Li <dualli@google.com>
+Test: stress test with apps being frozen and initiating binder calls at
+Link: https://lore.kernel.org/r/20210910164210.2282716-2-dualli@chromium.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 35 +++++++++++++++++++++++++++++------
+ drivers/android/binder_internal.h | 2 ++
+ include/uapi/linux/android/binder.h | 7 +++++++
+ 3 files changed, 38 insertions(+), 6 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -3047,9 +3047,8 @@ static void binder_transaction(struct bi
+ if (reply) {
+ binder_enqueue_thread_work(thread, tcomplete);
+ binder_inner_proc_lock(target_proc);
+- if (target_thread->is_dead || target_proc->is_frozen) {
+- return_error = target_thread->is_dead ?
+- BR_DEAD_REPLY : BR_FROZEN_REPLY;
++ if (target_thread->is_dead) {
++ return_error = BR_DEAD_REPLY;
+ binder_inner_proc_unlock(target_proc);
+ goto err_dead_proc_or_thread;
+ }
+@@ -4659,6 +4658,22 @@ static int binder_ioctl_get_node_debug_i
+ return 0;
+ }
+
++static bool binder_txns_pending_ilocked(struct binder_proc *proc)
++{
++ struct rb_node *n;
++ struct binder_thread *thread;
++
++ if (proc->outstanding_txns > 0)
++ return true;
++
++ for (n = rb_first(&proc->threads); n; n = rb_next(n)) {
++ thread = rb_entry(n, struct binder_thread, rb_node);
++ if (thread->transaction_stack)
++ return true;
++ }
++ return false;
++}
++
+ static int binder_ioctl_freeze(struct binder_freeze_info *info,
+ struct binder_proc *target_proc)
+ {
+@@ -4690,8 +4705,13 @@ static int binder_ioctl_freeze(struct bi
+ (!target_proc->outstanding_txns),
+ msecs_to_jiffies(info->timeout_ms));
+
+- if (!ret && target_proc->outstanding_txns)
+- ret = -EAGAIN;
++ /* Check pending transactions that wait for reply */
++ if (ret >= 0) {
++ binder_inner_proc_lock(target_proc);
++ if (binder_txns_pending_ilocked(target_proc))
++ ret = -EAGAIN;
++ binder_inner_proc_unlock(target_proc);
++ }
+
+ if (ret < 0) {
+ binder_inner_proc_lock(target_proc);
+@@ -4707,6 +4727,7 @@ static int binder_ioctl_get_freezer_info
+ {
+ struct binder_proc *target_proc;
+ bool found = false;
++ __u32 txns_pending;
+
+ info->sync_recv = 0;
+ info->async_recv = 0;
+@@ -4716,7 +4737,9 @@ static int binder_ioctl_get_freezer_info
+ if (target_proc->pid == info->pid) {
+ found = true;
+ binder_inner_proc_lock(target_proc);
+- info->sync_recv |= target_proc->sync_recv;
++ txns_pending = binder_txns_pending_ilocked(target_proc);
++ info->sync_recv |= target_proc->sync_recv |
++ (txns_pending << 1);
+ info->async_recv |= target_proc->async_recv;
+ binder_inner_proc_unlock(target_proc);
+ }
+--- a/drivers/android/binder_internal.h
++++ b/drivers/android/binder_internal.h
+@@ -378,6 +378,8 @@ struct binder_ref {
+ * binder transactions
+ * (protected by @inner_lock)
+ * @sync_recv: process received sync transactions since last frozen
++ * bit 0: received sync transaction after being frozen
++ * bit 1: new pending sync transaction during freezing
+ * (protected by @inner_lock)
+ * @async_recv: process received async transactions since last frozen
+ * (protected by @inner_lock)
+--- a/include/uapi/linux/android/binder.h
++++ b/include/uapi/linux/android/binder.h
+@@ -225,7 +225,14 @@ struct binder_freeze_info {
+
+ struct binder_frozen_status_info {
+ __u32 pid;
++
++ /* process received sync transactions since last frozen
++ * bit 0: received sync transaction after being frozen
++ * bit 1: new pending sync transaction during freezing
++ */
+ __u32 sync_recv;
++
++ /* process received async transactions since last frozen */
+ __u32 async_recv;
+ };
+
--- /dev/null
+From 5fdb55c1ac9585eb23bb2541d5819224429e103d Mon Sep 17 00:00:00 2001
+From: Todd Kjos <tkjos@google.com>
+Date: Mon, 30 Aug 2021 12:51:46 -0700
+Subject: binder: make sure fd closes complete
+
+From: Todd Kjos <tkjos@google.com>
+
+commit 5fdb55c1ac9585eb23bb2541d5819224429e103d upstream.
+
+During BC_FREE_BUFFER processing, the BINDER_TYPE_FDA object
+cleanup may close 1 or more fds. The close operations are
+completed using the task work mechanism -- which means the thread
+needs to return to userspace or the file object may never be
+dereferenced -- which can lead to hung processes.
+
+Force the binder thread back to userspace if an fd is closed during
+BC_FREE_BUFFER handling.
+
+Fixes: 80cd795630d6 ("binder: fix use-after-free due to ksys_close() during fdget()")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Martijn Coenen <maco@android.com>
+Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
+Signed-off-by: Todd Kjos <tkjos@google.com>
+Link: https://lore.kernel.org/r/20210830195146.587206-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/android/binder.c | 23 +++++++++++++++++------
+ 1 file changed, 17 insertions(+), 6 deletions(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -1852,6 +1852,7 @@ static void binder_deferred_fd_close(int
+ }
+
+ static void binder_transaction_buffer_release(struct binder_proc *proc,
++ struct binder_thread *thread,
+ struct binder_buffer *buffer,
+ binder_size_t failed_at,
+ bool is_failure)
+@@ -2011,8 +2012,16 @@ static void binder_transaction_buffer_re
+ &proc->alloc, &fd, buffer,
+ offset, sizeof(fd));
+ WARN_ON(err);
+- if (!err)
++ if (!err) {
+ binder_deferred_fd_close(fd);
++ /*
++ * Need to make sure the thread goes
++ * back to userspace to complete the
++ * deferred close
++ */
++ if (thread)
++ thread->looper_need_return = true;
++ }
+ }
+ } break;
+ default:
+@@ -3105,7 +3114,7 @@ err_bad_parent:
+ err_copy_data_failed:
+ binder_free_txn_fixups(t);
+ trace_binder_transaction_failed_buffer_release(t->buffer);
+- binder_transaction_buffer_release(target_proc, t->buffer,
++ binder_transaction_buffer_release(target_proc, NULL, t->buffer,
+ buffer_offset, true);
+ if (target_node)
+ binder_dec_node_tmpref(target_node);
+@@ -3184,7 +3193,9 @@ err_invalid_target_handle:
+ * Cleanup buffer and free it.
+ */
+ static void
+-binder_free_buf(struct binder_proc *proc, struct binder_buffer *buffer)
++binder_free_buf(struct binder_proc *proc,
++ struct binder_thread *thread,
++ struct binder_buffer *buffer)
+ {
+ binder_inner_proc_lock(proc);
+ if (buffer->transaction) {
+@@ -3212,7 +3223,7 @@ binder_free_buf(struct binder_proc *proc
+ binder_node_inner_unlock(buf_node);
+ }
+ trace_binder_transaction_buffer_release(buffer);
+- binder_transaction_buffer_release(proc, buffer, 0, false);
++ binder_transaction_buffer_release(proc, thread, buffer, 0, false);
+ binder_alloc_free_buf(&proc->alloc, buffer);
+ }
+
+@@ -3414,7 +3425,7 @@ static int binder_thread_write(struct bi
+ proc->pid, thread->pid, (u64)data_ptr,
+ buffer->debug_id,
+ buffer->transaction ? "active" : "finished");
+- binder_free_buf(proc, buffer);
++ binder_free_buf(proc, thread, buffer);
+ break;
+ }
+
+@@ -4107,7 +4118,7 @@ retry:
+ buffer->transaction = NULL;
+ binder_cleanup_transaction(t, "fd fixups failed",
+ BR_FAILED_REPLY);
+- binder_free_buf(proc, buffer);
++ binder_free_buf(proc, thread, buffer);
+ binder_debug(BINDER_DEBUG_FAILED_TRANSACTION,
+ "%d:%d %stransaction %d fd fixups failed %d/%d, line %d\n",
+ proc->pid, thread->pid,
--- /dev/null
+From 9ed38fd4a15417cac83967360cf20b853bfab9b6 Mon Sep 17 00:00:00 2001
+From: Steve French <stfrench@microsoft.com>
+Date: Thu, 23 Sep 2021 19:18:37 -0500
+Subject: cifs: fix incorrect check for null pointer in header_assemble
+
+From: Steve French <stfrench@microsoft.com>
+
+commit 9ed38fd4a15417cac83967360cf20b853bfab9b6 upstream.
+
+Although very unlikely that the tlink pointer would be null in this case,
+get_next_mid function can in theory return null (but not an error)
+so need to check for null (not for IS_ERR, which can not be returned
+here).
+
+Address warning:
+
+ fs/smbfs_client/connect.c:2392 cifs_match_super()
+ warn: 'tlink' isn't an ERR_PTR
+
+Pointed out by Dan Carpenter via smatch code analysis tool
+
+CC: stable@vger.kernel.org
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Ronnie Sahlberg <lsahlber@redhat.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/connect.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2382,9 +2382,10 @@ cifs_match_super(struct super_block *sb,
+ spin_lock(&cifs_tcp_ses_lock);
+ cifs_sb = CIFS_SB(sb);
+ tlink = cifs_get_tlink(cifs_sb_master_tlink(cifs_sb));
+- if (IS_ERR(tlink)) {
++ if (tlink == NULL) {
++ /* can not match superblock if tlink were ever null */
+ spin_unlock(&cifs_tcp_ses_lock);
+- return rc;
++ return 0;
+ }
+ tcon = tlink_tcon(tlink);
+ ses = tcon->ses;
--- /dev/null
+From 71826b068884050d5fdd37fda857ba1539c513d3 Mon Sep 17 00:00:00 2001
+From: Rohith Surabattula <rohiths@microsoft.com>
+Date: Fri, 17 Sep 2021 17:29:42 +0000
+Subject: cifs: Fix soft lockup during fsstress
+
+From: Rohith Surabattula <rohiths@microsoft.com>
+
+commit 71826b068884050d5fdd37fda857ba1539c513d3 upstream.
+
+Below traces are observed during fsstress and system got hung.
+[ 130.698396] watchdog: BUG: soft lockup - CPU#6 stuck for 26s!
+
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Rohith Surabattula <rohiths@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/misc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/cifs/misc.c
++++ b/fs/cifs/misc.c
+@@ -736,7 +736,7 @@ cifs_close_deferred_file(struct cifsInod
+ if (cancel_delayed_work(&cfile->deferred)) {
+ tmp_list = kmalloc(sizeof(struct file_list), GFP_ATOMIC);
+ if (tmp_list == NULL)
+- continue;
++ break;
+ tmp_list->cfile = cfile;
+ list_add_tail(&tmp_list->list, &file_head);
+ }
+@@ -767,7 +767,7 @@ cifs_close_all_deferred_files(struct cif
+ if (cancel_delayed_work(&cfile->deferred)) {
+ tmp_list = kmalloc(sizeof(struct file_list), GFP_ATOMIC);
+ if (tmp_list == NULL)
+- continue;
++ break;
+ tmp_list->cfile = cfile;
+ list_add_tail(&tmp_list->list, &file_head);
+ }
--- /dev/null
+From 35866f3f779aef5e7ba84e4d1023fe2e2a0e219e Mon Sep 17 00:00:00 2001
+From: Rohith Surabattula <rohiths@microsoft.com>
+Date: Fri, 17 Sep 2021 16:50:40 -0500
+Subject: cifs: Not to defer close on file when lock is set
+
+From: Rohith Surabattula <rohiths@microsoft.com>
+
+commit 35866f3f779aef5e7ba84e4d1023fe2e2a0e219e upstream.
+
+Close file immediately when lock is set.
+
+Cc: stable@vger.kernel.org # 5.13+
+Signed-off-by: Rohith Surabattula <rohiths@microsoft.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/cifs/cifsglob.h | 1 +
+ fs/cifs/file.c | 2 ++
+ 2 files changed, 3 insertions(+)
+
+--- a/fs/cifs/cifsglob.h
++++ b/fs/cifs/cifsglob.h
+@@ -1403,6 +1403,7 @@ struct cifsInodeInfo {
+ #define CIFS_INO_INVALID_MAPPING (4) /* pagecache is invalid */
+ #define CIFS_INO_LOCK (5) /* lock bit for synchronization */
+ #define CIFS_INO_MODIFIED_ATTR (6) /* Indicate change in mtime/ctime */
++#define CIFS_INO_CLOSE_ON_LOCK (7) /* Not to defer the close when lock is set */
+ unsigned long flags;
+ spinlock_t writers_lock;
+ unsigned int writers; /* Number of writers on this inode */
+--- a/fs/cifs/file.c
++++ b/fs/cifs/file.c
+@@ -881,6 +881,7 @@ int cifs_close(struct inode *inode, stru
+ dclose = kmalloc(sizeof(struct cifs_deferred_close), GFP_KERNEL);
+ if ((cinode->oplock == CIFS_CACHE_RHW_FLG) &&
+ cinode->lease_granted &&
++ !test_bit(CIFS_INO_CLOSE_ON_LOCK, &cinode->flags) &&
+ dclose) {
+ if (test_bit(CIFS_INO_MODIFIED_ATTR, &cinode->flags))
+ inode->i_ctime = inode->i_mtime = current_time(inode);
+@@ -1861,6 +1862,7 @@ int cifs_lock(struct file *file, int cmd
+ cifs_read_flock(flock, &type, &lock, &unlock, &wait_flag,
+ tcon->ses->server);
+ cifs_sb = CIFS_FILE_SB(file);
++ set_bit(CIFS_INO_CLOSE_ON_LOCK, &CIFS_I(d_inode(cfile->dentry))->flags);
+
+ if (cap_unix(tcon->ses) &&
+ (CIFS_UNIX_FCNTL_CAP & le64_to_cpu(tcon->fsUnixInfo.Capability)) &&
--- /dev/null
+From ce1c42b4dacfe7d71c852d8bf3371067ccba865c Mon Sep 17 00:00:00 2001
+From: Julian Sikorski <belegdol@gmail.com>
+Date: Mon, 13 Sep 2021 20:14:55 +0200
+Subject: Re-enable UAS for LaCie Rugged USB3-FW with fk quirk
+
+From: Julian Sikorski <belegdol@gmail.com>
+
+commit ce1c42b4dacfe7d71c852d8bf3371067ccba865c upstream.
+
+Further testing has revealed that LaCie Rugged USB3-FW does work with
+uas as long as US_FL_NO_REPORT_OPCODES and US_FL_NO_SAME are enabled.
+
+Link: https://lore.kernel.org/linux-usb/2167ea48-e273-a336-a4e0-10a4e883e75e@redhat.com/
+Cc: stable <stable@vger.kernel.org>
+Suggested-by: Hans de Goede <hdegoede@redhat.com>
+Reviewed-by: Hans de Goede <hdegoede@redhat.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Julian Sikorski <belegdol+github@gmail.com>
+Link: https://lore.kernel.org/r/20210913181454.7365-1-belegdol+github@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_uas.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -50,7 +50,7 @@ UNUSUAL_DEV(0x059f, 0x1061, 0x0000, 0x99
+ "LaCie",
+ "Rugged USB3-FW",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_IGNORE_UAS),
++ US_FL_NO_REPORT_OPCODES | US_FL_NO_SAME),
+
+ /*
+ * Apricorn USB3 dongle sometimes returns "USBSUSBSUSBS" in response to SCSI
--- /dev/null
+From 8646e53633f314e4d746a988240d3b951a92f94a Mon Sep 17 00:00:00 2001
+From: Sean Christopherson <seanjc@google.com>
+Date: Wed, 1 Sep 2021 13:30:26 -0700
+Subject: KVM: rseq: Update rseq when processing NOTIFY_RESUME on xfer to KVM guest
+
+From: Sean Christopherson <seanjc@google.com>
+
+commit 8646e53633f314e4d746a988240d3b951a92f94a upstream.
+
+Invoke rseq's NOTIFY_RESUME handler when processing the flag prior to
+transferring to a KVM guest, which is roughly equivalent to an exit to
+userspace and processes many of the same pending actions. While the task
+cannot be in an rseq critical section as the KVM path is reachable only
+by via ioctl(KVM_RUN), the side effects that apply to rseq outside of a
+critical section still apply, e.g. the current CPU needs to be updated if
+the task is migrated.
+
+Clearing TIF_NOTIFY_RESUME without informing rseq can lead to segfaults
+and other badness in userspace VMMs that use rseq in combination with KVM,
+e.g. due to the CPU ID being stale after task migration.
+
+Fixes: 72c3c0fe54a3 ("x86/kvm: Use generic xfer to guest work function")
+Reported-by: Peter Foley <pefoley@google.com>
+Bisected-by: Doug Evans <dje@google.com>
+Acked-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sean Christopherson <seanjc@google.com>
+Message-Id: <20210901203030.1292304-2-seanjc@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/entry/kvm.c | 4 +++-
+ kernel/rseq.c | 14 +++++++++++---
+ 2 files changed, 14 insertions(+), 4 deletions(-)
+
+--- a/kernel/entry/kvm.c
++++ b/kernel/entry/kvm.c
+@@ -19,8 +19,10 @@ static int xfer_to_guest_mode_work(struc
+ if (ti_work & _TIF_NEED_RESCHED)
+ schedule();
+
+- if (ti_work & _TIF_NOTIFY_RESUME)
++ if (ti_work & _TIF_NOTIFY_RESUME) {
+ tracehook_notify_resume(NULL);
++ rseq_handle_notify_resume(NULL, NULL);
++ }
+
+ ret = arch_xfer_to_guest_mode_handle_work(vcpu, ti_work);
+ if (ret)
+--- a/kernel/rseq.c
++++ b/kernel/rseq.c
+@@ -282,9 +282,17 @@ void __rseq_handle_notify_resume(struct
+
+ if (unlikely(t->flags & PF_EXITING))
+ return;
+- ret = rseq_ip_fixup(regs);
+- if (unlikely(ret < 0))
+- goto error;
++
++ /*
++ * regs is NULL if and only if the caller is in a syscall path. Skip
++ * fixup and leave rseq_cs as is so that rseq_sycall() will detect and
++ * kill a misbehaving userspace on debug kernels.
++ */
++ if (regs) {
++ ret = rseq_ip_fixup(regs);
++ if (unlikely(ret < 0))
++ goto error;
++ }
+ if (unlikely(rseq_update_cpu_id(t)))
+ goto error;
+ return;
--- /dev/null
+From 25a1433216489de4abc889910f744e952cb6dbae Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 6 Sep 2021 21:35:48 +0900
+Subject: mcb: fix error handling in mcb_alloc_bus()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 25a1433216489de4abc889910f744e952cb6dbae upstream.
+
+There are two bugs:
+1) If ida_simple_get() fails then this code calls put_device(carrier)
+ but we haven't yet called get_device(carrier) and probably that
+ leads to a use after free.
+2) After device_initialize() then we need to use put_device() to
+ release the bus. This will free the internal resources tied to the
+ device and call mcb_free_bus() which will free the rest.
+
+Fixes: 5d9e2ab9fea4 ("mcb: Implement bus->dev.release callback")
+Fixes: 18d288198099 ("mcb: Correctly initialize the bus's device")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Johannes Thumshirn <jth@kernel.org>
+Link: https://lore.kernel.org/r/32e160cf6864ce77f9d62948338e24db9fd8ead9.1630931319.git.johannes.thumshirn@wdc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mcb/mcb-core.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/mcb/mcb-core.c
++++ b/drivers/mcb/mcb-core.c
+@@ -277,8 +277,8 @@ struct mcb_bus *mcb_alloc_bus(struct dev
+
+ bus_nr = ida_simple_get(&mcb_ida, 0, 0, GFP_KERNEL);
+ if (bus_nr < 0) {
+- rc = bus_nr;
+- goto err_free;
++ kfree(bus);
++ return ERR_PTR(bus_nr);
+ }
+
+ bus->bus_nr = bus_nr;
+@@ -293,12 +293,12 @@ struct mcb_bus *mcb_alloc_bus(struct dev
+ dev_set_name(&bus->dev, "mcb:%d", bus_nr);
+ rc = device_add(&bus->dev);
+ if (rc)
+- goto err_free;
++ goto err_put;
+
+ return bus;
+-err_free:
+- put_device(carrier);
+- kfree(bus);
++
++err_put:
++ put_device(&bus->dev);
+ return ERR_PTR(rc);
+ }
+ EXPORT_SYMBOL_NS_GPL(mcb_alloc_bus, MCB);
--- /dev/null
+From d9d1232b48344c6c72dbdf89fae1e7638e5df757 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 17 Sep 2021 13:57:36 +0200
+Subject: misc: bcm-vk: fix tty registration race
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d9d1232b48344c6c72dbdf89fae1e7638e5df757 upstream.
+
+Make sure to set the tty class-device driver data before registering the
+tty to avoid having a racing open() dereference a NULL pointer.
+
+Fixes: 91ca10d6fa07 ("misc: bcm-vk: add ttyVK support")
+Cc: stable@vger.kernel.org # 5.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210917115736.5816-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/bcm-vk/bcm_vk_tty.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/misc/bcm-vk/bcm_vk_tty.c
++++ b/drivers/misc/bcm-vk/bcm_vk_tty.c
+@@ -267,13 +267,13 @@ int bcm_vk_tty_init(struct bcm_vk *vk, c
+ struct device *tty_dev;
+
+ tty_port_init(&vk->tty[i].port);
+- tty_dev = tty_port_register_device(&vk->tty[i].port, tty_drv,
+- i, dev);
++ tty_dev = tty_port_register_device_attr(&vk->tty[i].port,
++ tty_drv, i, dev, vk,
++ NULL);
+ if (IS_ERR(tty_dev)) {
+ err = PTR_ERR(tty_dev);
+ goto unwind;
+ }
+- dev_set_drvdata(tty_dev, vk);
+ vk->tty[i].is_opened = false;
+ }
+
--- /dev/null
+From 8d753db5c227d1f403c4bc9cae4ae02c862413cd Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 8 Sep 2021 21:55:56 +0200
+Subject: misc: genwqe: Fixes DMA mask setting
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 8d753db5c227d1f403c4bc9cae4ae02c862413cd upstream.
+
+Commit 505b08777d78 ("misc: genwqe: Use dma_set_mask_and_coherent to simplify code")
+changed the logic in the code.
+
+Instead of a ||, a && should have been used to keep the code the same.
+
+Fixes: 505b08777d78 ("misc: genwqe: Use dma_set_mask_and_coherent to simplify code")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Link: https://lore.kernel.org/r/be49835baa8ba6daba5813b399edf6300f7fdbda.1631130862.git.christophe.jaillet@wanadoo.fr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/genwqe/card_base.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/genwqe/card_base.c
++++ b/drivers/misc/genwqe/card_base.c
+@@ -1090,7 +1090,7 @@ static int genwqe_pci_setup(struct genwq
+
+ /* check for 64-bit DMA address supported (DAC) */
+ /* check for 32-bit DMA address supported (SAC) */
+- if (dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(64)) ||
++ if (dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(64)) &&
+ dma_set_mask_and_coherent(&pci_dev->dev, DMA_BIT_MASK(32))) {
+ dev_err(&pci_dev->dev,
+ "err: neither DMA32 nor DMA64 supported\n");
--- /dev/null
+From a4ce73910427e960b2c7f4d83229153c327d0ee7 Mon Sep 17 00:00:00 2001
+From: Weizhao Ouyang <o451686892@gmail.com>
+Date: Fri, 24 Sep 2021 15:43:50 -0700
+Subject: mm/debug: sync up MR_CONTIG_RANGE and MR_LONGTERM_PIN
+
+From: Weizhao Ouyang <o451686892@gmail.com>
+
+commit a4ce73910427e960b2c7f4d83229153c327d0ee7 upstream.
+
+Sync up MR_CONTIG_RANGE and MR_LONGTERM_PIN to migrate_reason_names.
+
+Link: https://lkml.kernel.org/r/20210921064553.293905-2-o451686892@gmail.com
+Fixes: 310253514bbf ("mm/migrate: rename migration reason MR_CMA to MR_CONTIG_RANGE")
+Fixes: d1e153fea2a8 ("mm/gup: migrate pinned pages out of movable zone")
+Signed-off-by: Weizhao Ouyang <o451686892@gmail.com>
+Reviewed-by: "Huang, Ying" <ying.huang@intel.com>
+Reviewed-by: John Hubbard <jhubbard@nvidia.com>
+Cc: Anshuman Khandual <khandual@linux.vnet.ibm.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
+Cc: Yang Shi <yang.shi@linux.alibaba.com>
+Cc: Zi Yan <ziy@nvidia.com>
+Cc: Dave Hansen <dave.hansen@linux.intel.com>
+Cc: Minchan Kim <minchan@kernel.org>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Wei Xu <weixugc@google.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/debug.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/mm/debug.c
++++ b/mm/debug.c
+@@ -24,7 +24,8 @@ const char *migrate_reason_names[MR_TYPE
+ "syscall_or_cpuset",
+ "mempolicy_mbind",
+ "numa_misplaced",
+- "cma",
++ "contig_range",
++ "longterm_pin",
+ };
+
+ const struct trace_print_flags pageflag_names[] = {
--- /dev/null
+From bcbda81020c3ee77e2c098cadf3e84f99ca3de17 Mon Sep 17 00:00:00 2001
+From: Chen Jun <chenjun102@huawei.com>
+Date: Fri, 24 Sep 2021 15:44:06 -0700
+Subject: mm: fix uninitialized use in overcommit_policy_handler
+
+From: Chen Jun <chenjun102@huawei.com>
+
+commit bcbda81020c3ee77e2c098cadf3e84f99ca3de17 upstream.
+
+We get an unexpected value of /proc/sys/vm/overcommit_memory after
+running the following program:
+
+ int main()
+ {
+ int fd = open("/proc/sys/vm/overcommit_memory", O_RDWR);
+ write(fd, "1", 1);
+ write(fd, "2", 1);
+ close(fd);
+ }
+
+write(fd, "2", 1) will pass *ppos = 1 to proc_dointvec_minmax.
+proc_dointvec_minmax will return 0 without setting new_policy.
+
+ t.data = &new_policy;
+ ret = proc_dointvec_minmax(&t, write, buffer, lenp, ppos)
+ -->do_proc_dointvec
+ -->__do_proc_dointvec
+ if (write) {
+ if (proc_first_pos_non_zero_ignore(ppos, table))
+ goto out;
+
+ sysctl_overcommit_memory = new_policy;
+
+so sysctl_overcommit_memory will be set to an uninitialized value.
+
+Check whether new_policy has been changed by proc_dointvec_minmax.
+
+Link: https://lkml.kernel.org/r/20210923020524.13289-1-chenjun102@huawei.com
+Fixes: 56f3547bfa4d ("mm: adjust vm_committed_as_batch according to vm overcommit policy")
+Signed-off-by: Chen Jun <chenjun102@huawei.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: Feng Tang <feng.tang@intel.com>
+Reviewed-by: Kefeng Wang <wangkefeng.wang@huawei.com>
+Cc: Rui Xiang <rui.xiang@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/util.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/mm/util.c
++++ b/mm/util.c
+@@ -768,7 +768,7 @@ int overcommit_policy_handler(struct ctl
+ size_t *lenp, loff_t *ppos)
+ {
+ struct ctl_table t;
+- int new_policy;
++ int new_policy = -1;
+ int ret;
+
+ /*
+@@ -786,7 +786,7 @@ int overcommit_policy_handler(struct ctl
+ t = *table;
+ t.data = &new_policy;
+ ret = proc_dointvec_minmax(&t, write, buffer, lenp, ppos);
+- if (ret)
++ if (ret || new_policy == -1)
+ return ret;
+
+ mm_compute_batch(new_policy);
--- /dev/null
+From acfa299a4a63a58e5e81a87cb16798f20d35f7d7 Mon Sep 17 00:00:00 2001
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Date: Fri, 24 Sep 2021 15:43:20 -0700
+Subject: mm, hwpoison: add is_free_buddy_page() in HWPoisonHandlable()
+
+From: Naoya Horiguchi <naoya.horiguchi@nec.com>
+
+commit acfa299a4a63a58e5e81a87cb16798f20d35f7d7 upstream.
+
+Commit fcc00621d88b ("mm/hwpoison: retry with shake_page() for
+unhandlable pages") changed the return value of __get_hwpoison_page() to
+retry for transiently unhandlable cases. However, __get_hwpoison_page()
+currently fails to properly judge buddy pages as handlable, so hard/soft
+offline for buddy pages always fail as "unhandlable page". This is
+totally regrettable.
+
+So let's add is_free_buddy_page() in HWPoisonHandlable(), so that
+__get_hwpoison_page() returns different return values between buddy
+pages and unhandlable pages as intended.
+
+Link: https://lkml.kernel.org/r/20210909004131.163221-1-naoya.horiguchi@linux.dev
+Fixes: fcc00621d88b ("mm/hwpoison: retry with shake_page() for unhandlable pages")
+Signed-off-by: Naoya Horiguchi <naoya.horiguchi@nec.com>
+Acked-by: David Hildenbrand <david@redhat.com>
+Reviewed-by: Yang Shi <shy828301@gmail.com>
+Cc: Tony Luck <tony.luck@intel.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Mike Kravetz <mike.kravetz@oracle.com>
+Cc: Michal Hocko <mhocko@suse.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/memory-failure.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/memory-failure.c
++++ b/mm/memory-failure.c
+@@ -1127,7 +1127,7 @@ static int page_action(struct page_state
+ */
+ static inline bool HWPoisonHandlable(struct page *page)
+ {
+- return PageLRU(page) || __PageMovable(page);
++ return PageLRU(page) || __PageMovable(page) || is_free_buddy_page(page);
+ }
+
+ static int __get_hwpoison_page(struct page *page)
--- /dev/null
+From 9c0f0a03e386f4e1df33db676401547e1b7800c6 Mon Sep 17 00:00:00 2001
+From: Wengang Wang <wen.gang.wang@oracle.com>
+Date: Fri, 24 Sep 2021 15:43:35 -0700
+Subject: ocfs2: drop acl cache for directories too
+
+From: Wengang Wang <wen.gang.wang@oracle.com>
+
+commit 9c0f0a03e386f4e1df33db676401547e1b7800c6 upstream.
+
+ocfs2_data_convert_worker() is currently dropping any cached acl info
+for FILE before down-converting meta lock. It should also drop for
+DIRECTORY. Otherwise the second acl lookup returns the cached one (from
+VFS layer) which could be already stale.
+
+The problem we are seeing is that the acl changes on one node doesn't
+get refreshed on other nodes in the following case:
+
+ Node 1 Node 2
+ -------------- ----------------
+ getfacl dir1
+
+ getfacl dir1 <-- this is OK
+
+ setfacl -m u:user1:rwX dir1
+ getfacl dir1 <-- see the change for user1
+
+ getfacl dir1 <-- can't see change for user1
+
+Link: https://lkml.kernel.org/r/20210903012631.6099-1-wen.gang.wang@oracle.com
+Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Gang He <ghe@suse.com>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/dlmglue.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/fs/ocfs2/dlmglue.c
++++ b/fs/ocfs2/dlmglue.c
+@@ -3939,7 +3939,7 @@ static int ocfs2_data_convert_worker(str
+ oi = OCFS2_I(inode);
+ oi->ip_dir_lock_gen++;
+ mlog(0, "generation: %u\n", oi->ip_dir_lock_gen);
+- goto out;
++ goto out_forget;
+ }
+
+ if (!S_ISREG(inode->i_mode))
+@@ -3970,6 +3970,7 @@ static int ocfs2_data_convert_worker(str
+ filemap_fdatawait(mapping);
+ }
+
++out_forget:
+ forget_all_cached_acls(inode);
+
+ out:
--- /dev/null
+From d91adc5322ab53df4b6d1989242bfb6c63163eb2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Tue, 31 Aug 2021 08:54:19 +0200
+Subject: Revert "USB: bcma: Add a check for devm_gpiod_get"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit d91adc5322ab53df4b6d1989242bfb6c63163eb2 upstream.
+
+This reverts commit f3de5d857bb2362b00e2a8d4bc886cd49dcb66db.
+
+That commit broke USB on all routers that have USB always powered on and
+don't require toggling any GPIO. It's a majority of devices actually.
+
+The original code worked and seemed safe: vcc GPIO is optional and
+bcma_hci_platform_power_gpio() takes care of checking the pointer before
+using it.
+
+This revert fixes:
+[ 10.801127] bcma_hcd: probe of bcma0:11 failed with error -2
+
+Fixes: f3de5d857bb2 ("USB: bcma: Add a check for devm_gpiod_get")
+Cc: stable <stable@vger.kernel.org>
+Cc: Chuhong Yuan <hslester96@gmail.com>
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20210831065419.18371-1-zajec5@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/bcma-hcd.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/usb/host/bcma-hcd.c
++++ b/drivers/usb/host/bcma-hcd.c
+@@ -406,12 +406,9 @@ static int bcma_hcd_probe(struct bcma_de
+ return -ENOMEM;
+ usb_dev->core = core;
+
+- if (core->dev.of_node) {
++ if (core->dev.of_node)
+ usb_dev->gpio_desc = devm_gpiod_get(&core->dev, "vcc",
+ GPIOD_OUT_HIGH);
+- if (IS_ERR(usb_dev->gpio_desc))
+- return PTR_ERR(usb_dev->gpio_desc);
+- }
+
+ switch (core->id.id) {
+ case BCMA_CORE_USB20_HOST:
--- /dev/null
+mm-hwpoison-add-is_free_buddy_page-in-hwpoisonhandlable.patch
+ocfs2-drop-acl-cache-for-directories-too.patch
+mm-debug-sync-up-mr_contig_range-and-mr_longterm_pin.patch
+mm-fix-uninitialized-use-in-overcommit_policy_handler.patch
+usb-gadget-r8a66597-fix-a-loop-in-set_feature.patch
+usb-gadget-u_audio-ep-out-binterval-in-fback-frequency.patch
+usb-dwc2-gadget-fix-isoc-flow-for-bdma-and-slave.patch
+usb-dwc2-gadget-fix-isoc-transfer-complete-handling-for-ddma.patch
+usb-musb-tusb6010-uninitialized-data-in-tusb_fifo_write_unaligned.patch
+cifs-not-to-defer-close-on-file-when-lock-is-set.patch
+cifs-fix-soft-lockup-during-fsstress.patch
+cifs-fix-incorrect-check-for-null-pointer-in-header_assemble.patch
+xen-x86-fix-pv-trap-handling-on-secondary-processors.patch
+usb-storage-add-quirk-for-scanlogic-sl11r-ide-older-than-2.6c.patch
+usb-serial-cp210x-add-id-for-gw-instek-gdm-834x-digital-multimeter.patch
+usb-cdc-acm-fix-minor-number-release.patch
+revert-usb-bcma-add-a-check-for-devm_gpiod_get.patch
+binder-make-sure-fd-closes-complete.patch
+binder-fix-freeze-race.patch
+staging-greybus-uart-fix-tty-use-after-free.patch
+usb-isp1760-do-not-sleep-in-field-register-poll.patch
+enable-uas-for-lacie-rugged-usb3-fw-with-fk-quirk.patch
+usb-dwc3-core-balance-phy-init-and-exit.patch
+usb-cdns3-fix-race-condition-before-setting-doorbell.patch
+usb-core-hcd-add-support-for-deferring-roothub-registration.patch
+usb-serial-mos7840-remove-duplicated-0xac24-device-id.patch
+usb-serial-option-add-telit-ln920-compositions.patch
+usb-serial-option-remove-duplicate-usb-device-id.patch
+usb-serial-option-add-device-id-for-foxconn-t99w265.patch
+misc-bcm-vk-fix-tty-registration-race.patch
+misc-genwqe-fixes-dma-mask-setting.patch
+mcb-fix-error-handling-in-mcb_alloc_bus.patch
+kvm-rseq-update-rseq-when-processing-notify_resume-on-xfer-to-kvm-guest.patch
--- /dev/null
+From 92dc0b1f46e12cfabd28d709bb34f7a39431b44f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 6 Sep 2021 14:45:38 +0200
+Subject: staging: greybus: uart: fix tty use after free
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92dc0b1f46e12cfabd28d709bb34f7a39431b44f upstream.
+
+User space can hold a tty open indefinitely and tty drivers must not
+release the underlying structures until the last user is gone.
+
+Switch to using the tty-port reference counter to manage the life time
+of the greybus tty state to avoid use after free after a disconnect.
+
+Fixes: a18e15175708 ("greybus: more uart work")
+Cc: stable@vger.kernel.org # 4.9
+Reviewed-by: Alex Elder <elder@linaro.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210906124538.22358-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/greybus/uart.c | 62 +++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 30 deletions(-)
+
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -761,6 +761,17 @@ out:
+ gbphy_runtime_put_autosuspend(gb_tty->gbphy_dev);
+ }
+
++static void gb_tty_port_destruct(struct tty_port *port)
++{
++ struct gb_tty *gb_tty = container_of(port, struct gb_tty, port);
++
++ if (gb_tty->minor != GB_NUM_MINORS)
++ release_minor(gb_tty);
++ kfifo_free(&gb_tty->write_fifo);
++ kfree(gb_tty->buffer);
++ kfree(gb_tty);
++}
++
+ static const struct tty_operations gb_ops = {
+ .install = gb_tty_install,
+ .open = gb_tty_open,
+@@ -786,6 +797,7 @@ static const struct tty_port_operations
+ .dtr_rts = gb_tty_dtr_rts,
+ .activate = gb_tty_port_activate,
+ .shutdown = gb_tty_port_shutdown,
++ .destruct = gb_tty_port_destruct,
+ };
+
+ static int gb_uart_probe(struct gbphy_device *gbphy_dev,
+@@ -798,17 +810,11 @@ static int gb_uart_probe(struct gbphy_de
+ int retval;
+ int minor;
+
+- gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
+- if (!gb_tty)
+- return -ENOMEM;
+-
+ connection = gb_connection_create(gbphy_dev->bundle,
+ le16_to_cpu(gbphy_dev->cport_desc->id),
+ gb_uart_request_handler);
+- if (IS_ERR(connection)) {
+- retval = PTR_ERR(connection);
+- goto exit_tty_free;
+- }
++ if (IS_ERR(connection))
++ return PTR_ERR(connection);
+
+ max_payload = gb_operation_get_payload_size_max(connection);
+ if (max_payload < sizeof(struct gb_uart_send_data_request)) {
+@@ -816,13 +822,23 @@ static int gb_uart_probe(struct gbphy_de
+ goto exit_connection_destroy;
+ }
+
++ gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
++ if (!gb_tty) {
++ retval = -ENOMEM;
++ goto exit_connection_destroy;
++ }
++
++ tty_port_init(&gb_tty->port);
++ gb_tty->port.ops = &gb_port_ops;
++ gb_tty->minor = GB_NUM_MINORS;
++
+ gb_tty->buffer_payload_max = max_payload -
+ sizeof(struct gb_uart_send_data_request);
+
+ gb_tty->buffer = kzalloc(gb_tty->buffer_payload_max, GFP_KERNEL);
+ if (!gb_tty->buffer) {
+ retval = -ENOMEM;
+- goto exit_connection_destroy;
++ goto exit_put_port;
+ }
+
+ INIT_WORK(&gb_tty->tx_work, gb_uart_tx_write_work);
+@@ -830,7 +846,7 @@ static int gb_uart_probe(struct gbphy_de
+ retval = kfifo_alloc(&gb_tty->write_fifo, GB_UART_WRITE_FIFO_SIZE,
+ GFP_KERNEL);
+ if (retval)
+- goto exit_buf_free;
++ goto exit_put_port;
+
+ gb_tty->credits = GB_UART_FIRMWARE_CREDITS;
+ init_completion(&gb_tty->credits_complete);
+@@ -844,7 +860,7 @@ static int gb_uart_probe(struct gbphy_de
+ } else {
+ retval = minor;
+ }
+- goto exit_kfifo_free;
++ goto exit_put_port;
+ }
+
+ gb_tty->minor = minor;
+@@ -853,9 +869,6 @@ static int gb_uart_probe(struct gbphy_de
+ init_waitqueue_head(&gb_tty->wioctl);
+ mutex_init(&gb_tty->mutex);
+
+- tty_port_init(&gb_tty->port);
+- gb_tty->port.ops = &gb_port_ops;
+-
+ gb_tty->connection = connection;
+ gb_tty->gbphy_dev = gbphy_dev;
+ gb_connection_set_data(connection, gb_tty);
+@@ -863,7 +876,7 @@ static int gb_uart_probe(struct gbphy_de
+
+ retval = gb_connection_enable_tx(connection);
+ if (retval)
+- goto exit_release_minor;
++ goto exit_put_port;
+
+ send_control(gb_tty, gb_tty->ctrlout);
+
+@@ -890,16 +903,10 @@ static int gb_uart_probe(struct gbphy_de
+
+ exit_connection_disable:
+ gb_connection_disable(connection);
+-exit_release_minor:
+- release_minor(gb_tty);
+-exit_kfifo_free:
+- kfifo_free(&gb_tty->write_fifo);
+-exit_buf_free:
+- kfree(gb_tty->buffer);
++exit_put_port:
++ tty_port_put(&gb_tty->port);
+ exit_connection_destroy:
+ gb_connection_destroy(connection);
+-exit_tty_free:
+- kfree(gb_tty);
+
+ return retval;
+ }
+@@ -930,15 +937,10 @@ static void gb_uart_remove(struct gbphy_
+ gb_connection_disable_rx(connection);
+ tty_unregister_device(gb_tty_driver, gb_tty->minor);
+
+- /* FIXME - free transmit / receive buffers */
+-
+ gb_connection_disable(connection);
+- tty_port_destroy(&gb_tty->port);
+ gb_connection_destroy(connection);
+- release_minor(gb_tty);
+- kfifo_free(&gb_tty->write_fifo);
+- kfree(gb_tty->buffer);
+- kfree(gb_tty);
++
++ tty_port_put(&gb_tty->port);
+ }
+
+ static int gb_tty_init(void)
--- /dev/null
+From 91fac0741d4817945c6ee0a17591421e7f5ecb86 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 7 Sep 2021 10:23:18 +0200
+Subject: USB: cdc-acm: fix minor-number release
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 91fac0741d4817945c6ee0a17591421e7f5ecb86 upstream.
+
+If the driver runs out of minor numbers it would release minor 0 and
+allow another device to claim the minor while still in use.
+
+Fortunately, registering the tty class device of the second device would
+fail (with a stack dump) due to the sysfs name collision so no memory is
+leaked.
+
+Fixes: cae2bc768d17 ("usb: cdc-acm: Decrement tty port's refcount if probe() fail")
+Cc: stable@vger.kernel.org # 4.19
+Cc: Jaejoong Kim <climbbb.kim@gmail.com>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210907082318.7757-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 7 +++++--
+ drivers/usb/class/cdc-acm.h | 2 ++
+ 2 files changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -726,7 +726,8 @@ static void acm_port_destruct(struct tty
+ {
+ struct acm *acm = container_of(port, struct acm, port);
+
+- acm_release_minor(acm);
++ if (acm->minor != ACM_MINOR_INVALID)
++ acm_release_minor(acm);
+ usb_put_intf(acm->control);
+ kfree(acm->country_codes);
+ kfree(acm);
+@@ -1323,8 +1324,10 @@ made_compressed_probe:
+ usb_get_intf(acm->control); /* undone in destruct() */
+
+ minor = acm_alloc_minor(acm);
+- if (minor < 0)
++ if (minor < 0) {
++ acm->minor = ACM_MINOR_INVALID;
+ goto err_put_port;
++ }
+
+ acm->minor = minor;
+ acm->dev = usb_dev;
+--- a/drivers/usb/class/cdc-acm.h
++++ b/drivers/usb/class/cdc-acm.h
+@@ -22,6 +22,8 @@
+ #define ACM_TTY_MAJOR 166
+ #define ACM_TTY_MINORS 256
+
++#define ACM_MINOR_INVALID ACM_TTY_MINORS
++
+ /*
+ * Requests.
+ */
--- /dev/null
+From b69ec50b3e55c4b2a85c8bc46763eaf330605847 Mon Sep 17 00:00:00 2001
+From: Pawel Laszczak <pawell@cadence.com>
+Date: Tue, 7 Sep 2021 08:26:19 +0200
+Subject: usb: cdns3: fix race condition before setting doorbell
+
+From: Pawel Laszczak <pawell@cadence.com>
+
+commit b69ec50b3e55c4b2a85c8bc46763eaf330605847 upstream.
+
+For DEV_VER_V3 version there exist race condition between clearing
+ep_sts.EP_STS_TRBERR and setting ep_cmd.EP_CMD_DRDY bit.
+Setting EP_CMD_DRDY will be ignored by controller when
+EP_STS_TRBERR is set. So, between these two instructions we have
+a small time gap in which the EP_STSS_TRBERR can be set. In such case
+the transfer will not start after setting doorbell.
+
+Fixes: 7733f6c32e36 ("usb: cdns3: Add Cadence USB3 DRD Driver")
+cc: <stable@vger.kernel.org> # 5.12.x
+Tested-by: Aswath Govindraju <a-govindraju@ti.com>
+Reviewed-by: Aswath Govindraju <a-govindraju@ti.com>
+Signed-off-by: Pawel Laszczak <pawell@cadence.com>
+Link: https://lore.kernel.org/r/20210907062619.34622-1-pawell@gli-login.cadence.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/cdns3/cdns3-gadget.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/cdns3/cdns3-gadget.c
++++ b/drivers/usb/cdns3/cdns3-gadget.c
+@@ -1100,6 +1100,19 @@ static int cdns3_ep_run_stream_transfer(
+ return 0;
+ }
+
++static void cdns3_rearm_drdy_if_needed(struct cdns3_endpoint *priv_ep)
++{
++ struct cdns3_device *priv_dev = priv_ep->cdns3_dev;
++
++ if (priv_dev->dev_ver < DEV_VER_V3)
++ return;
++
++ if (readl(&priv_dev->regs->ep_sts) & EP_STS_TRBERR) {
++ writel(EP_STS_TRBERR, &priv_dev->regs->ep_sts);
++ writel(EP_CMD_DRDY, &priv_dev->regs->ep_cmd);
++ }
++}
++
+ /**
+ * cdns3_ep_run_transfer - start transfer on no-default endpoint hardware
+ * @priv_ep: endpoint object
+@@ -1351,6 +1364,7 @@ static int cdns3_ep_run_transfer(struct
+ /*clearing TRBERR and EP_STS_DESCMIS before seting DRDY*/
+ writel(EP_STS_TRBERR | EP_STS_DESCMIS, &priv_dev->regs->ep_sts);
+ writel(EP_CMD_DRDY, &priv_dev->regs->ep_cmd);
++ cdns3_rearm_drdy_if_needed(priv_ep);
+ trace_cdns3_doorbell_epx(priv_ep->name,
+ readl(&priv_dev->regs->ep_traddr));
+ }
--- /dev/null
+From 58877b0824da15698bd85a0a9dbfa8c354e6ecb7 Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Thu, 9 Sep 2021 12:11:58 +0530
+Subject: usb: core: hcd: Add support for deferring roothub registration
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+commit 58877b0824da15698bd85a0a9dbfa8c354e6ecb7 upstream.
+
+It has been observed with certain PCIe USB cards (like Inateck connected
+to AM64 EVM or J7200 EVM) that as soon as the primary roothub is
+registered, port status change is handled even before xHC is running
+leading to cold plug USB devices not detected. For such cases, registering
+both the root hubs along with the second HCD is required. Add support for
+deferring roothub registration in usb_add_hcd(), so that both primary and
+secondary roothubs are registered along with the second HCD.
+
+CC: stable@vger.kernel.org # 5.4+
+Suggested-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Tested-by: Chris Chiu <chris.chiu@canonical.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Link: https://lore.kernel.org/r/20210909064200.16216-2-kishon@ti.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/core/hcd.c | 29 +++++++++++++++++++++++------
+ include/linux/usb/hcd.h | 2 ++
+ 2 files changed, 25 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/core/hcd.c
++++ b/drivers/usb/core/hcd.c
+@@ -2775,6 +2775,7 @@ int usb_add_hcd(struct usb_hcd *hcd,
+ {
+ int retval;
+ struct usb_device *rhdev;
++ struct usb_hcd *shared_hcd;
+
+ if (!hcd->skip_phy_initialization && usb_hcd_is_primary_hcd(hcd)) {
+ hcd->phy_roothub = usb_phy_roothub_alloc(hcd->self.sysdev);
+@@ -2935,13 +2936,26 @@ int usb_add_hcd(struct usb_hcd *hcd,
+ goto err_hcd_driver_start;
+ }
+
++ /* starting here, usbcore will pay attention to the shared HCD roothub */
++ shared_hcd = hcd->shared_hcd;
++ if (!usb_hcd_is_primary_hcd(hcd) && shared_hcd && HCD_DEFER_RH_REGISTER(shared_hcd)) {
++ retval = register_root_hub(shared_hcd);
++ if (retval != 0)
++ goto err_register_root_hub;
++
++ if (shared_hcd->uses_new_polling && HCD_POLL_RH(shared_hcd))
++ usb_hcd_poll_rh_status(shared_hcd);
++ }
++
+ /* starting here, usbcore will pay attention to this root hub */
+- retval = register_root_hub(hcd);
+- if (retval != 0)
+- goto err_register_root_hub;
++ if (!HCD_DEFER_RH_REGISTER(hcd)) {
++ retval = register_root_hub(hcd);
++ if (retval != 0)
++ goto err_register_root_hub;
+
+- if (hcd->uses_new_polling && HCD_POLL_RH(hcd))
+- usb_hcd_poll_rh_status(hcd);
++ if (hcd->uses_new_polling && HCD_POLL_RH(hcd))
++ usb_hcd_poll_rh_status(hcd);
++ }
+
+ return retval;
+
+@@ -2985,6 +2999,7 @@ EXPORT_SYMBOL_GPL(usb_add_hcd);
+ void usb_remove_hcd(struct usb_hcd *hcd)
+ {
+ struct usb_device *rhdev = hcd->self.root_hub;
++ bool rh_registered;
+
+ dev_info(hcd->self.controller, "remove, state %x\n", hcd->state);
+
+@@ -2995,6 +3010,7 @@ void usb_remove_hcd(struct usb_hcd *hcd)
+
+ dev_dbg(hcd->self.controller, "roothub graceful disconnect\n");
+ spin_lock_irq (&hcd_root_hub_lock);
++ rh_registered = hcd->rh_registered;
+ hcd->rh_registered = 0;
+ spin_unlock_irq (&hcd_root_hub_lock);
+
+@@ -3004,7 +3020,8 @@ void usb_remove_hcd(struct usb_hcd *hcd)
+ cancel_work_sync(&hcd->died_work);
+
+ mutex_lock(&usb_bus_idr_lock);
+- usb_disconnect(&rhdev); /* Sets rhdev to NULL */
++ if (rh_registered)
++ usb_disconnect(&rhdev); /* Sets rhdev to NULL */
+ mutex_unlock(&usb_bus_idr_lock);
+
+ /*
+--- a/include/linux/usb/hcd.h
++++ b/include/linux/usb/hcd.h
+@@ -124,6 +124,7 @@ struct usb_hcd {
+ #define HCD_FLAG_RH_RUNNING 5 /* root hub is running? */
+ #define HCD_FLAG_DEAD 6 /* controller has died? */
+ #define HCD_FLAG_INTF_AUTHORIZED 7 /* authorize interfaces? */
++#define HCD_FLAG_DEFER_RH_REGISTER 8 /* Defer roothub registration */
+
+ /* The flags can be tested using these macros; they are likely to
+ * be slightly faster than test_bit().
+@@ -134,6 +135,7 @@ struct usb_hcd {
+ #define HCD_WAKEUP_PENDING(hcd) ((hcd)->flags & (1U << HCD_FLAG_WAKEUP_PENDING))
+ #define HCD_RH_RUNNING(hcd) ((hcd)->flags & (1U << HCD_FLAG_RH_RUNNING))
+ #define HCD_DEAD(hcd) ((hcd)->flags & (1U << HCD_FLAG_DEAD))
++#define HCD_DEFER_RH_REGISTER(hcd) ((hcd)->flags & (1U << HCD_FLAG_DEFER_RH_REGISTER))
+
+ /*
+ * Specifies if interfaces are authorized by default
--- /dev/null
+From 91bb163e1e4f88092f50dfaa5a816b658753e4b2 Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Date: Thu, 9 Sep 2021 14:45:15 +0400
+Subject: usb: dwc2: gadget: Fix ISOC flow for BDMA and Slave
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+commit 91bb163e1e4f88092f50dfaa5a816b658753e4b2 upstream.
+
+According USB spec each ISOC transaction should be performed in a
+designated for that transaction interval. On bus errors or delays
+in operating system scheduling of client software can result in no
+packet being transferred for a (micro)frame. An error indication
+should be returned as status to the client software in such a case.
+
+Current implementation in case of missed/dropped interval send same
+data in next possible interval instead of reporting missed isoc.
+
+This fix complete requests with -ENODATA if interval elapsed.
+
+HSOTG core in BDMA and Slave modes haven't HW support for
+(micro)frames tracking, this is why SW should care about tracking
+of (micro)frames. Because of that method and consider operating
+system scheduling delays, added few additional checking's of elapsed
+target (micro)frame:
+1. Immediately before enabling EP to start transfer.
+2. With any transfer completion interrupt.
+3. With incomplete isoc in/out interrupt.
+4. With EP disabled interrupt because of incomplete transfer.
+5. With OUT token received while EP disabled interrupt (for OUT
+transfers).
+6. With NAK replied to IN token interrupt (for IN transfers).
+
+As part of ISOC flow, additionally fixed 'current' and 'target' frame
+calculation functions. In HS mode SOF limits provided by DSTS register
+is 0x3fff, but in non HS mode this limit is 0x7ff.
+
+Tested by internal tool which also using for dwc3 testing.
+
+Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/95d1423adf4b0f68187c9894820c4b7e964a3f7f.1631175721.git.Minas.Harutyunyan@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 189 +++++++++++++++++++++++++---------------------
+ 1 file changed, 106 insertions(+), 83 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -115,10 +115,16 @@ static inline bool using_desc_dma(struct
+ */
+ static inline void dwc2_gadget_incr_frame_num(struct dwc2_hsotg_ep *hs_ep)
+ {
++ struct dwc2_hsotg *hsotg = hs_ep->parent;
++ u16 limit = DSTS_SOFFN_LIMIT;
++
++ if (hsotg->gadget.speed != USB_SPEED_HIGH)
++ limit >>= 3;
++
+ hs_ep->target_frame += hs_ep->interval;
+- if (hs_ep->target_frame > DSTS_SOFFN_LIMIT) {
++ if (hs_ep->target_frame > limit) {
+ hs_ep->frame_overrun = true;
+- hs_ep->target_frame &= DSTS_SOFFN_LIMIT;
++ hs_ep->target_frame &= limit;
+ } else {
+ hs_ep->frame_overrun = false;
+ }
+@@ -136,10 +142,16 @@ static inline void dwc2_gadget_incr_fram
+ */
+ static inline void dwc2_gadget_dec_frame_num_by_one(struct dwc2_hsotg_ep *hs_ep)
+ {
++ struct dwc2_hsotg *hsotg = hs_ep->parent;
++ u16 limit = DSTS_SOFFN_LIMIT;
++
++ if (hsotg->gadget.speed != USB_SPEED_HIGH)
++ limit >>= 3;
++
+ if (hs_ep->target_frame)
+ hs_ep->target_frame -= 1;
+ else
+- hs_ep->target_frame = DSTS_SOFFN_LIMIT;
++ hs_ep->target_frame = limit;
+ }
+
+ /**
+@@ -1018,6 +1030,12 @@ static void dwc2_gadget_start_isoc_ddma(
+ dwc2_writel(hsotg, ctrl, depctl);
+ }
+
++static bool dwc2_gadget_target_frame_elapsed(struct dwc2_hsotg_ep *hs_ep);
++static void dwc2_hsotg_complete_request(struct dwc2_hsotg *hsotg,
++ struct dwc2_hsotg_ep *hs_ep,
++ struct dwc2_hsotg_req *hs_req,
++ int result);
++
+ /**
+ * dwc2_hsotg_start_req - start a USB request from an endpoint's queue
+ * @hsotg: The controller state.
+@@ -1170,14 +1188,19 @@ static void dwc2_hsotg_start_req(struct
+ }
+ }
+
+- if (hs_ep->isochronous && hs_ep->interval == 1) {
+- hs_ep->target_frame = dwc2_hsotg_read_frameno(hsotg);
+- dwc2_gadget_incr_frame_num(hs_ep);
+-
+- if (hs_ep->target_frame & 0x1)
+- ctrl |= DXEPCTL_SETODDFR;
+- else
+- ctrl |= DXEPCTL_SETEVENFR;
++ if (hs_ep->isochronous) {
++ if (!dwc2_gadget_target_frame_elapsed(hs_ep)) {
++ if (hs_ep->interval == 1) {
++ if (hs_ep->target_frame & 0x1)
++ ctrl |= DXEPCTL_SETODDFR;
++ else
++ ctrl |= DXEPCTL_SETEVENFR;
++ }
++ ctrl |= DXEPCTL_CNAK;
++ } else {
++ dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, -ENODATA);
++ return;
++ }
+ }
+
+ ctrl |= DXEPCTL_EPENA; /* ensure ep enabled */
+@@ -1325,12 +1348,16 @@ static bool dwc2_gadget_target_frame_ela
+ u32 target_frame = hs_ep->target_frame;
+ u32 current_frame = hsotg->frame_number;
+ bool frame_overrun = hs_ep->frame_overrun;
++ u16 limit = DSTS_SOFFN_LIMIT;
++
++ if (hsotg->gadget.speed != USB_SPEED_HIGH)
++ limit >>= 3;
+
+ if (!frame_overrun && current_frame >= target_frame)
+ return true;
+
+ if (frame_overrun && current_frame >= target_frame &&
+- ((current_frame - target_frame) < DSTS_SOFFN_LIMIT / 2))
++ ((current_frame - target_frame) < limit / 2))
+ return true;
+
+ return false;
+@@ -1713,11 +1740,9 @@ static struct dwc2_hsotg_req *get_ep_hea
+ */
+ static void dwc2_gadget_start_next_request(struct dwc2_hsotg_ep *hs_ep)
+ {
+- u32 mask;
+ struct dwc2_hsotg *hsotg = hs_ep->parent;
+ int dir_in = hs_ep->dir_in;
+ struct dwc2_hsotg_req *hs_req;
+- u32 epmsk_reg = dir_in ? DIEPMSK : DOEPMSK;
+
+ if (!list_empty(&hs_ep->queue)) {
+ hs_req = get_ep_head(hs_ep);
+@@ -1733,9 +1758,6 @@ static void dwc2_gadget_start_next_reque
+ } else {
+ dev_dbg(hsotg->dev, "%s: No more ISOC-OUT requests\n",
+ __func__);
+- mask = dwc2_readl(hsotg, epmsk_reg);
+- mask |= DOEPMSK_OUTTKNEPDISMSK;
+- dwc2_writel(hsotg, mask, epmsk_reg);
+ }
+ }
+
+@@ -2305,19 +2327,6 @@ static void dwc2_hsotg_ep0_zlp(struct dw
+ dwc2_hsotg_program_zlp(hsotg, hsotg->eps_out[0]);
+ }
+
+-static void dwc2_hsotg_change_ep_iso_parity(struct dwc2_hsotg *hsotg,
+- u32 epctl_reg)
+-{
+- u32 ctrl;
+-
+- ctrl = dwc2_readl(hsotg, epctl_reg);
+- if (ctrl & DXEPCTL_EOFRNUM)
+- ctrl |= DXEPCTL_SETEVENFR;
+- else
+- ctrl |= DXEPCTL_SETODDFR;
+- dwc2_writel(hsotg, ctrl, epctl_reg);
+-}
+-
+ /*
+ * dwc2_gadget_get_xfersize_ddma - get transferred bytes amount from desc
+ * @hs_ep - The endpoint on which transfer went
+@@ -2438,20 +2447,11 @@ static void dwc2_hsotg_handle_outdone(st
+ dwc2_hsotg_ep0_zlp(hsotg, true);
+ }
+
+- /*
+- * Slave mode OUT transfers do not go through XferComplete so
+- * adjust the ISOC parity here.
+- */
+- if (!using_dma(hsotg)) {
+- if (hs_ep->isochronous && hs_ep->interval == 1)
+- dwc2_hsotg_change_ep_iso_parity(hsotg, DOEPCTL(epnum));
+- else if (hs_ep->isochronous && hs_ep->interval > 1)
+- dwc2_gadget_incr_frame_num(hs_ep);
+- }
+-
+ /* Set actual frame number for completed transfers */
+- if (!using_desc_dma(hsotg) && hs_ep->isochronous)
+- req->frame_number = hsotg->frame_number;
++ if (!using_desc_dma(hsotg) && hs_ep->isochronous) {
++ req->frame_number = hs_ep->target_frame;
++ dwc2_gadget_incr_frame_num(hs_ep);
++ }
+
+ dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, result);
+ }
+@@ -2765,6 +2765,12 @@ static void dwc2_hsotg_complete_in(struc
+ return;
+ }
+
++ /* Set actual frame number for completed transfers */
++ if (!using_desc_dma(hsotg) && hs_ep->isochronous) {
++ hs_req->req.frame_number = hs_ep->target_frame;
++ dwc2_gadget_incr_frame_num(hs_ep);
++ }
++
+ dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, 0);
+ }
+
+@@ -2825,23 +2831,18 @@ static void dwc2_gadget_handle_ep_disabl
+
+ dwc2_hsotg_txfifo_flush(hsotg, hs_ep->fifo_index);
+
+- if (hs_ep->isochronous) {
+- dwc2_hsotg_complete_in(hsotg, hs_ep);
+- return;
+- }
+-
+ if ((epctl & DXEPCTL_STALL) && (epctl & DXEPCTL_EPTYPE_BULK)) {
+ int dctl = dwc2_readl(hsotg, DCTL);
+
+ dctl |= DCTL_CGNPINNAK;
+ dwc2_writel(hsotg, dctl, DCTL);
+ }
+- return;
+- }
++ } else {
+
+- if (dctl & DCTL_GOUTNAKSTS) {
+- dctl |= DCTL_CGOUTNAK;
+- dwc2_writel(hsotg, dctl, DCTL);
++ if (dctl & DCTL_GOUTNAKSTS) {
++ dctl |= DCTL_CGOUTNAK;
++ dwc2_writel(hsotg, dctl, DCTL);
++ }
+ }
+
+ if (!hs_ep->isochronous)
+@@ -2862,8 +2863,6 @@ static void dwc2_gadget_handle_ep_disabl
+ /* Update current frame number value. */
+ hsotg->frame_number = dwc2_hsotg_read_frameno(hsotg);
+ } while (dwc2_gadget_target_frame_elapsed(hs_ep));
+-
+- dwc2_gadget_start_next_request(hs_ep);
+ }
+
+ /**
+@@ -2880,8 +2879,8 @@ static void dwc2_gadget_handle_ep_disabl
+ static void dwc2_gadget_handle_out_token_ep_disabled(struct dwc2_hsotg_ep *ep)
+ {
+ struct dwc2_hsotg *hsotg = ep->parent;
++ struct dwc2_hsotg_req *hs_req;
+ int dir_in = ep->dir_in;
+- u32 doepmsk;
+
+ if (dir_in || !ep->isochronous)
+ return;
+@@ -2895,28 +2894,39 @@ static void dwc2_gadget_handle_out_token
+ return;
+ }
+
+- if (ep->interval > 1 &&
+- ep->target_frame == TARGET_FRAME_INITIAL) {
++ if (ep->target_frame == TARGET_FRAME_INITIAL) {
+ u32 ctrl;
+
+ ep->target_frame = hsotg->frame_number;
+- dwc2_gadget_incr_frame_num(ep);
++ if (ep->interval > 1) {
++ ctrl = dwc2_readl(hsotg, DOEPCTL(ep->index));
++ if (ep->target_frame & 0x1)
++ ctrl |= DXEPCTL_SETODDFR;
++ else
++ ctrl |= DXEPCTL_SETEVENFR;
+
+- ctrl = dwc2_readl(hsotg, DOEPCTL(ep->index));
+- if (ep->target_frame & 0x1)
+- ctrl |= DXEPCTL_SETODDFR;
+- else
+- ctrl |= DXEPCTL_SETEVENFR;
++ dwc2_writel(hsotg, ctrl, DOEPCTL(ep->index));
++ }
++ }
++
++ while (dwc2_gadget_target_frame_elapsed(ep)) {
++ hs_req = get_ep_head(ep);
++ if (hs_req)
++ dwc2_hsotg_complete_request(hsotg, ep, hs_req, -ENODATA);
+
+- dwc2_writel(hsotg, ctrl, DOEPCTL(ep->index));
++ dwc2_gadget_incr_frame_num(ep);
++ /* Update current frame number value. */
++ hsotg->frame_number = dwc2_hsotg_read_frameno(hsotg);
+ }
+
+- dwc2_gadget_start_next_request(ep);
+- doepmsk = dwc2_readl(hsotg, DOEPMSK);
+- doepmsk &= ~DOEPMSK_OUTTKNEPDISMSK;
+- dwc2_writel(hsotg, doepmsk, DOEPMSK);
++ if (!ep->req)
++ dwc2_gadget_start_next_request(ep);
++
+ }
+
++static void dwc2_hsotg_ep_stop_xfr(struct dwc2_hsotg *hsotg,
++ struct dwc2_hsotg_ep *hs_ep);
++
+ /**
+ * dwc2_gadget_handle_nak - handle NAK interrupt
+ * @hs_ep: The endpoint on which interrupt is asserted.
+@@ -2934,7 +2944,9 @@ static void dwc2_gadget_handle_out_token
+ static void dwc2_gadget_handle_nak(struct dwc2_hsotg_ep *hs_ep)
+ {
+ struct dwc2_hsotg *hsotg = hs_ep->parent;
++ struct dwc2_hsotg_req *hs_req;
+ int dir_in = hs_ep->dir_in;
++ u32 ctrl;
+
+ if (!dir_in || !hs_ep->isochronous)
+ return;
+@@ -2976,13 +2988,29 @@ static void dwc2_gadget_handle_nak(struc
+
+ dwc2_writel(hsotg, ctrl, DIEPCTL(hs_ep->index));
+ }
+-
+- dwc2_hsotg_complete_request(hsotg, hs_ep,
+- get_ep_head(hs_ep), 0);
+ }
+
+- if (!using_desc_dma(hsotg))
++ if (using_desc_dma(hsotg))
++ return;
++
++ ctrl = dwc2_readl(hsotg, DIEPCTL(hs_ep->index));
++ if (ctrl & DXEPCTL_EPENA)
++ dwc2_hsotg_ep_stop_xfr(hsotg, hs_ep);
++ else
++ dwc2_hsotg_txfifo_flush(hsotg, hs_ep->fifo_index);
++
++ while (dwc2_gadget_target_frame_elapsed(hs_ep)) {
++ hs_req = get_ep_head(hs_ep);
++ if (hs_req)
++ dwc2_hsotg_complete_request(hsotg, hs_ep, hs_req, -ENODATA);
++
+ dwc2_gadget_incr_frame_num(hs_ep);
++ /* Update current frame number value. */
++ hsotg->frame_number = dwc2_hsotg_read_frameno(hsotg);
++ }
++
++ if (!hs_ep->req)
++ dwc2_gadget_start_next_request(hs_ep);
+ }
+
+ /**
+@@ -3047,12 +3075,8 @@ static void dwc2_hsotg_epint(struct dwc2
+ * need to look at completing IN requests here
+ * if operating slave mode
+ */
+- if (hs_ep->isochronous && hs_ep->interval > 1)
+- dwc2_gadget_incr_frame_num(hs_ep);
+-
+- dwc2_hsotg_complete_in(hsotg, hs_ep);
+- if (ints & DXEPINT_NAKINTRPT)
+- ints &= ~DXEPINT_NAKINTRPT;
++ if (!hs_ep->isochronous || !(ints & DXEPINT_NAKINTRPT))
++ dwc2_hsotg_complete_in(hsotg, hs_ep);
+
+ if (idx == 0 && !hs_ep->req)
+ dwc2_hsotg_enqueue_setup(hsotg);
+@@ -3061,10 +3085,8 @@ static void dwc2_hsotg_epint(struct dwc2
+ * We're using DMA, we need to fire an OutDone here
+ * as we ignore the RXFIFO.
+ */
+- if (hs_ep->isochronous && hs_ep->interval > 1)
+- dwc2_gadget_incr_frame_num(hs_ep);
+-
+- dwc2_hsotg_handle_outdone(hsotg, idx);
++ if (!hs_ep->isochronous || !(ints & DXEPINT_OUTTKNEPDIS))
++ dwc2_hsotg_handle_outdone(hsotg, idx);
+ }
+ }
+
+@@ -4083,6 +4105,7 @@ static int dwc2_hsotg_ep_enable(struct u
+ mask |= DIEPMSK_NAKMSK;
+ dwc2_writel(hsotg, mask, DIEPMSK);
+ } else {
++ epctrl |= DXEPCTL_SNAK;
+ mask = dwc2_readl(hsotg, DOEPMSK);
+ mask |= DOEPMSK_OUTTKNEPDISMSK;
+ dwc2_writel(hsotg, mask, DOEPMSK);
--- /dev/null
+From dbe2518b2d8eabffa74dbf7d9fdd7dacddab7fc0 Mon Sep 17 00:00:00 2001
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Date: Sat, 11 Sep 2021 22:58:30 +0400
+Subject: usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA
+
+From: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+
+commit dbe2518b2d8eabffa74dbf7d9fdd7dacddab7fc0 upstream.
+
+When last descriptor in a descriptor list completed with XferComplete
+interrupt, core switching to handle next descriptor and assert BNA
+interrupt. Both these interrupts are set while dwc2_hsotg_epint()
+handler called. Each interrupt should be handled separately: first
+XferComplete interrupt then BNA interrupt, otherwise last completed
+transfer will not be giveback to function driver as completed
+request.
+
+Fixes: 729cac693eec ("usb: dwc2: Change ISOC DDMA flow")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Link: https://lore.kernel.org/r/a36981accc26cd674c5d8f8da6164344b94ec1fe.1631386531.git.Minas.Harutyunyan@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/gadget.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -3066,9 +3066,7 @@ static void dwc2_hsotg_epint(struct dwc2
+
+ /* In DDMA handle isochronous requests separately */
+ if (using_desc_dma(hsotg) && hs_ep->isochronous) {
+- /* XferCompl set along with BNA */
+- if (!(ints & DXEPINT_BNAINTR))
+- dwc2_gadget_complete_isoc_request_ddma(hs_ep);
++ dwc2_gadget_complete_isoc_request_ddma(hs_ep);
+ } else if (dir_in) {
+ /*
+ * We get OutDone from the FIFO, so we only
--- /dev/null
+From 8cfac9a6744fcb143cb3e94ce002f09fd17fadbb Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Wed, 8 Sep 2021 10:28:19 +0800
+Subject: usb: dwc3: core: balance phy init and exit
+
+From: Li Jun <jun.li@nxp.com>
+
+commit 8cfac9a6744fcb143cb3e94ce002f09fd17fadbb upstream.
+
+After we start to do core soft reset while usb role switch,
+the phy init is invoked at every switch to device mode, but
+its counter part de-init is missing, this causes the actual
+phy init can not be done when we really want to re-init phy
+like system resume, because the counter maintained by phy
+core is not 0. considering phy init is actually redundant for
+role switch, so move out the phy init from core soft reset to
+dwc3 core init where is the only place required.
+
+Fixes: f88359e1588b ("usb: dwc3: core: Do core softreset when switch mode")
+Cc: <stable@vger.kernel.org>
+Tested-by: faqiang.zhu <faqiang.zhu@nxp.com>
+Tested-by: John Stultz <john.stultz@linaro.org> #HiKey960
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Link: https://lore.kernel.org/r/1631068099-13559-1-git-send-email-jun.li@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c | 30 +++++++++++++-----------------
+ 1 file changed, 13 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -264,19 +264,6 @@ static int dwc3_core_soft_reset(struct d
+ {
+ u32 reg;
+ int retries = 1000;
+- int ret;
+-
+- usb_phy_init(dwc->usb2_phy);
+- usb_phy_init(dwc->usb3_phy);
+- ret = phy_init(dwc->usb2_generic_phy);
+- if (ret < 0)
+- return ret;
+-
+- ret = phy_init(dwc->usb3_generic_phy);
+- if (ret < 0) {
+- phy_exit(dwc->usb2_generic_phy);
+- return ret;
+- }
+
+ /*
+ * We're resetting only the device side because, if we're in host mode,
+@@ -310,9 +297,6 @@ static int dwc3_core_soft_reset(struct d
+ udelay(1);
+ } while (--retries);
+
+- phy_exit(dwc->usb3_generic_phy);
+- phy_exit(dwc->usb2_generic_phy);
+-
+ return -ETIMEDOUT;
+
+ done:
+@@ -982,9 +966,21 @@ static int dwc3_core_init(struct dwc3 *d
+ dwc->phys_ready = true;
+ }
+
++ usb_phy_init(dwc->usb2_phy);
++ usb_phy_init(dwc->usb3_phy);
++ ret = phy_init(dwc->usb2_generic_phy);
++ if (ret < 0)
++ goto err0a;
++
++ ret = phy_init(dwc->usb3_generic_phy);
++ if (ret < 0) {
++ phy_exit(dwc->usb2_generic_phy);
++ goto err0a;
++ }
++
+ ret = dwc3_core_soft_reset(dwc);
+ if (ret)
+- goto err0a;
++ goto err1;
+
+ if (hw_mode == DWC3_GHWPARAMS0_MODE_DRD &&
+ !DWC3_VER_IS_WITHIN(DWC3, ANY, 194A)) {
--- /dev/null
+From 17956b53ebff6a490baf580a836cbd3eae94892b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 6 Sep 2021 12:42:21 +0300
+Subject: usb: gadget: r8a66597: fix a loop in set_feature()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 17956b53ebff6a490baf580a836cbd3eae94892b upstream.
+
+This loop is supposed to loop until if reads something other than
+CS_IDST or until it times out after 30,000 attempts. But because of
+the || vs && bug, it will never time out and instead it will loop a
+minimum of 30,000 times.
+
+This bug is quite old but the code is only used in USB_DEVICE_TEST_MODE
+so it probably doesn't affect regular usage.
+
+Fixes: 96fe53ef5498 ("usb: gadget: r8a66597-udc: add support for TEST_MODE")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20210906094221.GA10957@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/r8a66597-udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/r8a66597-udc.c
++++ b/drivers/usb/gadget/udc/r8a66597-udc.c
+@@ -1250,7 +1250,7 @@ static void set_feature(struct r8a66597
+ do {
+ tmp = r8a66597_read(r8a66597, INTSTS0) & CTSQ;
+ udelay(1);
+- } while (tmp != CS_IDST || timeout-- > 0);
++ } while (tmp != CS_IDST && timeout-- > 0);
+
+ if (tmp == CS_IDST)
+ r8a66597_bset(r8a66597,
--- /dev/null
+From f5dfd98a80ff8d50cf4ae2820857d7f5a46cbab9 Mon Sep 17 00:00:00 2001
+From: Pavel Hofman <pavel.hofman@ivitera.com>
+Date: Mon, 6 Sep 2021 15:08:22 +0200
+Subject: usb: gadget: u_audio: EP-OUT bInterval in fback frequency
+
+From: Pavel Hofman <pavel.hofman@ivitera.com>
+
+commit f5dfd98a80ff8d50cf4ae2820857d7f5a46cbab9 upstream.
+
+The patch increases the bitshift in feedback frequency
+calculation with EP-OUT bInterval value.
+
+Tests have revealed that Win10 and OSX UAC2 drivers require
+the feedback frequency to be based on the actual packet
+interval instead of on the USB2 microframe. Otherwise they
+ignore the feedback value. Linux snd-usb-audio driver
+detects the applied bitshift automatically.
+
+Tested-by: Henrik Enquist <henrik.enquist@gmail.com>
+Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210906130822.12256-1-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/u_audio.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/u_audio.c
++++ b/drivers/usb/gadget/function/u_audio.c
+@@ -76,11 +76,13 @@ static const struct snd_pcm_hardware uac
+ };
+
+ static void u_audio_set_fback_frequency(enum usb_device_speed speed,
++ struct usb_ep *out_ep,
+ unsigned long long freq,
+ unsigned int pitch,
+ void *buf)
+ {
+ u32 ff = 0;
++ const struct usb_endpoint_descriptor *ep_desc;
+
+ /*
+ * Because the pitch base is 1000000, the final divider here
+@@ -108,8 +110,13 @@ static void u_audio_set_fback_frequency(
+ * byte fromat (that is Q16.16)
+ *
+ * ff = (freq << 16) / 8000
++ *
++ * Win10 and OSX UAC2 drivers require number of samples per packet
++ * in order to honor the feedback value.
++ * Linux snd-usb-audio detects the applied bit-shift automatically.
+ */
+- freq <<= 4;
++ ep_desc = out_ep->desc;
++ freq <<= 4 + (ep_desc->bInterval - 1);
+ }
+
+ ff = DIV_ROUND_CLOSEST_ULL((freq * pitch), 1953125);
+@@ -247,7 +254,7 @@ static void u_audio_iso_fback_complete(s
+ pr_debug("%s: iso_complete status(%d) %d/%d\n",
+ __func__, status, req->actual, req->length);
+
+- u_audio_set_fback_frequency(audio_dev->gadget->speed,
++ u_audio_set_fback_frequency(audio_dev->gadget->speed, audio_dev->out_ep,
+ params->c_srate, prm->pitch,
+ req->buf);
+
+@@ -506,7 +513,7 @@ int u_audio_start_capture(struct g_audio
+ * be meauserd at start of playback
+ */
+ prm->pitch = 1000000;
+- u_audio_set_fback_frequency(audio_dev->gadget->speed,
++ u_audio_set_fback_frequency(audio_dev->gadget->speed, ep,
+ params->c_srate, prm->pitch,
+ req_fback->buf);
+
--- /dev/null
+From 41f673183862a183d4ea0522c045fabfbd1b28c8 Mon Sep 17 00:00:00 2001
+From: Rui Miguel Silva <rui.silva@linaro.org>
+Date: Tue, 27 Jul 2021 11:05:15 +0100
+Subject: usb: isp1760: do not sleep in field register poll
+
+From: Rui Miguel Silva <rui.silva@linaro.org>
+
+commit 41f673183862a183d4ea0522c045fabfbd1b28c8 upstream.
+
+When polling for a setup or clear of a register field we were sleeping
+in atomic context but using a very tight sleep interval.
+
+Since the use cases for this poll mechanism are only in setup and
+stop paths, and in practice this poll is not used most of the times
+but needs to be there to comply to hardware setup times, remove the
+sleep time and make the poll loop tighter.
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Rui Miguel Silva <rui.silva@linaro.org>
+Link: https://lore.kernel.org/r/20210727100516.4190681-3-rui.silva@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/isp1760/isp1760-hcd.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/isp1760/isp1760-hcd.c
++++ b/drivers/usb/isp1760/isp1760-hcd.c
+@@ -251,7 +251,7 @@ static int isp1760_hcd_set_and_wait(stru
+ isp1760_hcd_set(hcd, field);
+
+ return regmap_field_read_poll_timeout(priv->fields[field], val,
+- val, 10, timeout_us);
++ val, 0, timeout_us);
+ }
+
+ static int isp1760_hcd_set_and_wait_swap(struct usb_hcd *hcd, u32 field,
+@@ -263,7 +263,7 @@ static int isp1760_hcd_set_and_wait_swap
+ isp1760_hcd_set(hcd, field);
+
+ return regmap_field_read_poll_timeout(priv->fields[field], val,
+- !val, 10, timeout_us);
++ !val, 0, timeout_us);
+ }
+
+ static int isp1760_hcd_clear_and_wait(struct usb_hcd *hcd, u32 field,
+@@ -275,7 +275,7 @@ static int isp1760_hcd_clear_and_wait(st
+ isp1760_hcd_clear(hcd, field);
+
+ return regmap_field_read_poll_timeout(priv->fields[field], val,
+- !val, 10, timeout_us);
++ !val, 0, timeout_us);
+ }
+
+ static bool isp1760_hcd_is_set(struct usb_hcd *hcd, u32 field)
--- /dev/null
+From 517c7bf99bad3d6b9360558414aae634b7472d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 16 Sep 2021 16:57:37 +0300
+Subject: usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 517c7bf99bad3d6b9360558414aae634b7472d80 upstream.
+
+This is writing to the first 1 - 3 bytes of "val" and then writing all
+four bytes to musb_writel(). The last byte is always going to be
+garbage. Zero out the last bytes instead.
+
+Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210916135737.GI25094@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/tusb6010.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/musb/tusb6010.c
++++ b/drivers/usb/musb/tusb6010.c
+@@ -190,6 +190,7 @@ tusb_fifo_write_unaligned(void __iomem *
+ }
+ if (len > 0) {
+ /* Write the rest 1 - 3 bytes to FIFO */
++ val = 0;
+ memcpy(&val, buf, len);
+ musb_writel(fifo, 0, val);
+ }
--- /dev/null
+From 3bd18ba7d859eb1fbef3beb1e80c24f6f7d7596c Mon Sep 17 00:00:00 2001
+From: Uwe Brandt <uwe.brandt@gmail.com>
+Date: Tue, 21 Sep 2021 19:54:46 +0200
+Subject: USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter
+
+From: Uwe Brandt <uwe.brandt@gmail.com>
+
+commit 3bd18ba7d859eb1fbef3beb1e80c24f6f7d7596c upstream.
+
+Add the USB serial device ID for the GW Instek GDM-834x Digital Multimeter.
+
+Signed-off-by: Uwe Brandt <uwe.brandt@gmail.com>
+Link: https://lore.kernel.org/r/YUxFl3YUCPGJZd8Y@hovoldconsulting.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -233,6 +233,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1FB9, 0x0602) }, /* Lake Shore Model 648 Magnet Power Supply */
+ { USB_DEVICE(0x1FB9, 0x0700) }, /* Lake Shore Model 737 VSM Controller */
+ { USB_DEVICE(0x1FB9, 0x0701) }, /* Lake Shore Model 776 Hall Matrix */
++ { USB_DEVICE(0x2184, 0x0030) }, /* GW Instek GDM-834x Digital Multimeter */
+ { USB_DEVICE(0x2626, 0xEA60) }, /* Aruba Networks 7xxx USB Serial Console */
+ { USB_DEVICE(0x3195, 0xF190) }, /* Link Instruments MSO-19 */
+ { USB_DEVICE(0x3195, 0xF280) }, /* Link Instruments MSO-28 */
--- /dev/null
+From 211f323768a25b30c106fd38f15a0f62c7c2b5f4 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Fri, 17 Sep 2021 11:18:47 +0200
+Subject: USB: serial: mos7840: remove duplicated 0xac24 device ID
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 211f323768a25b30c106fd38f15a0f62c7c2b5f4 upstream.
+
+0xac24 device ID is already defined and used via
+BANDB_DEVICE_ID_USO9ML2_4. Remove the duplicate from the list.
+
+Fixes: 27f1281d5f72 ("USB: serial: Extra device/vendor ID for mos7840 driver")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7840.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -107,7 +107,6 @@
+ #define BANDB_DEVICE_ID_USOPTL4_2P 0xBC02
+ #define BANDB_DEVICE_ID_USOPTL4_4 0xAC44
+ #define BANDB_DEVICE_ID_USOPTL4_4P 0xBC03
+-#define BANDB_DEVICE_ID_USOPTL2_4 0xAC24
+
+ /* Interrupt Routine Defines */
+
+@@ -186,7 +185,6 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL4_2P) },
+ { USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL4_4) },
+ { USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL4_4P) },
+- { USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4) },
+ {} /* terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
--- /dev/null
+From 9e3eed534f8235a4a596a9dae5b8a6425d81ea1a Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Fri, 17 Sep 2021 19:01:06 +0800
+Subject: USB: serial: option: add device id for Foxconn T99W265
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit 9e3eed534f8235a4a596a9dae5b8a6425d81ea1a upstream.
+
+Adding support for Foxconn device T99W265 for enumeration with
+PID 0xe0db.
+
+usb-devices output for 0xe0db
+T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 19 Spd=5000 MxCh= 0
+D: Ver= 3.20 Cls=ef(misc ) Sub=02 Prot=01 MxPS= 9 #Cfgs= 1
+P: Vendor=0489 ProdID=e0db Rev=05.04
+S: Manufacturer=Microsoft
+S: Product=Generic Mobile Broadband Adapter
+S: SerialNumber=6c50f452
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+
+if0/1: MBIM, if2:Diag, if3:GNSS, if4: Modem
+
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Link: https://lore.kernel.org/r/20210917110106.9852-1-slark_xiao@163.com
+[ johan: use USB_DEVICE_INTERFACE_CLASS(), amend comment ]
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2075,6 +2075,8 @@ static const struct usb_device_id option
+ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
+ { USB_DEVICE(0x0489, 0xe0b5), /* Foxconn T77W968 ESIM */
+ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
++ { USB_DEVICE_INTERFACE_CLASS(0x0489, 0xe0db, 0xff), /* Foxconn T99W265 MBIM */
++ .driver_info = RSVD(3) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 (IOT version) */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
+ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
--- /dev/null
+From 7bb057134d609b9c038a00b6876cf0d37d0118ce Mon Sep 17 00:00:00 2001
+From: Carlo Lobrano <c.lobrano@gmail.com>
+Date: Fri, 3 Sep 2021 14:39:13 +0200
+Subject: USB: serial: option: add Telit LN920 compositions
+
+From: Carlo Lobrano <c.lobrano@gmail.com>
+
+commit 7bb057134d609b9c038a00b6876cf0d37d0118ce upstream.
+
+This patch adds the following Telit LN920 compositions:
+
+0x1060: tty, adb, rmnet, tty, tty, tty, tty
+0x1061: tty, adb, mbim, tty, tty, tty, tty
+0x1062: rndis, tty, adb, tty, tty, tty, tty
+0x1063: tty, adb, ecm, tty, tty, tty, tty
+
+Signed-off-by: Carlo Lobrano <c.lobrano@gmail.com>
+Link: https://lore.kernel.org/r/20210903123913.1086513-1-c.lobrano@gmail.com
+Reviewed-by: Daniele Palmas <dnlplm@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1205,6 +1205,14 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1056, 0xff), /* Telit FD980 */
+ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1060, 0xff), /* Telit LN920 (rmnet) */
++ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1061, 0xff), /* Telit LN920 (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1062, 0xff), /* Telit LN920 (RNDIS) */
++ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1063, 0xff), /* Telit LN920 (ECM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910_DUAL_MODEM),
--- /dev/null
+From 1ca200a8c6f079950a04ea3c3380fe8cf78e95a2 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Fri, 17 Sep 2021 11:18:48 +0200
+Subject: USB: serial: option: remove duplicate USB device ID
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 1ca200a8c6f079950a04ea3c3380fe8cf78e95a2 upstream.
+
+The device ZTE 0x0094 is already on the list.
+
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Fixes: b9e44fe5ecda ("USB: option: cleanup zte 3g-dongle's pid in option.c")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1658,7 +1658,6 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0060, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0070, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0073, 0xff, 0xff, 0xff) },
+- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0094, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0130, 0xff, 0xff, 0xff),
+ .driver_info = RSVD(1) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0133, 0xff, 0xff, 0xff),
--- /dev/null
+From b55d37ef6b7db3eda9b4495a8d9b0a944ee8c67d Mon Sep 17 00:00:00 2001
+From: Ondrej Zary <linux@zary.sk>
+Date: Mon, 13 Sep 2021 23:01:06 +0200
+Subject: usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c
+
+From: Ondrej Zary <linux@zary.sk>
+
+commit b55d37ef6b7db3eda9b4495a8d9b0a944ee8c67d upstream.
+
+ScanLogic SL11R-IDE with firmware older than 2.6c (the latest one) has
+broken tag handling, preventing the device from working at all:
+usb 1-1: new full-speed USB device number 2 using uhci_hcd
+usb 1-1: New USB device found, idVendor=04ce, idProduct=0002, bcdDevice= 2.60
+usb 1-1: New USB device strings: Mfr=1, Product=1, SerialNumber=0
+usb 1-1: Product: USB Device
+usb 1-1: Manufacturer: USB Device
+usb-storage 1-1:1.0: USB Mass Storage device detected
+scsi host2: usb-storage 1-1:1.0
+usbcore: registered new interface driver usb-storage
+usb 1-1: reset full-speed USB device number 2 using uhci_hcd
+usb 1-1: reset full-speed USB device number 2 using uhci_hcd
+usb 1-1: reset full-speed USB device number 2 using uhci_hcd
+usb 1-1: reset full-speed USB device number 2 using uhci_hcd
+
+Add US_FL_BULK_IGNORE_TAG to fix it. Also update my e-mail address.
+
+2.6c is the only firmware that claims Linux compatibility.
+The firmware can be upgraded using ezotgdbg utility:
+https://github.com/asciilifeform/ezotgdbg
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Ondrej Zary <linux@zary.sk>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210913210106.12717-1-linux@zary.sk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/storage/unusual_devs.h | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -416,9 +416,16 @@ UNUSUAL_DEV( 0x04cb, 0x0100, 0x0000, 0x
+ USB_SC_UFI, USB_PR_DEVICE, NULL, US_FL_FIX_INQUIRY | US_FL_SINGLE_LUN),
+
+ /*
+- * Reported by Ondrej Zary <linux@rainbow-software.org>
++ * Reported by Ondrej Zary <linux@zary.sk>
+ * The device reports one sector more and breaks when that sector is accessed
++ * Firmwares older than 2.6c (the latest one and the only that claims Linux
++ * support) have also broken tag handling
+ */
++UNUSUAL_DEV( 0x04ce, 0x0002, 0x0000, 0x026b,
++ "ScanLogic",
++ "SL11R-IDE",
++ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++ US_FL_FIX_CAPACITY | US_FL_BULK_IGNORE_TAG),
+ UNUSUAL_DEV( 0x04ce, 0x0002, 0x026c, 0x026c,
+ "ScanLogic",
+ "SL11R-IDE",
--- /dev/null
+From 0594c58161b6e0f3da8efa9c6e3d4ba52b652717 Mon Sep 17 00:00:00 2001
+From: Jan Beulich <jbeulich@suse.com>
+Date: Mon, 20 Sep 2021 18:15:11 +0200
+Subject: xen/x86: fix PV trap handling on secondary processors
+
+From: Jan Beulich <jbeulich@suse.com>
+
+commit 0594c58161b6e0f3da8efa9c6e3d4ba52b652717 upstream.
+
+The initial observation was that in PV mode under Xen 32-bit user space
+didn't work anymore. Attempts of system calls ended in #GP(0x402). All
+of the sudden the vector 0x80 handler was not in place anymore. As it
+turns out up to 5.13 redundant initialization did occur: Once from
+cpu_initialize_context() (through its VCPUOP_initialise hypercall) and a
+2nd time while each CPU was brought fully up. This 2nd initialization is
+now gone, uncovering that the 1st one was flawed: Unlike for the
+set_trap_table hypercall, a full virtual IDT needs to be specified here;
+the "vector" fields of the individual entries are of no interest. With
+many (kernel) IDT entries still(?) (i.e. at that point at least) empty,
+the syscall vector 0x80 ended up in slot 0x20 of the virtual IDT, thus
+becoming the domain's handler for vector 0x20.
+
+Make xen_convert_trap_info() fit for either purpose, leveraging the fact
+that on the xen_copy_trap_info() path the table starts out zero-filled.
+This includes moving out the writing of the sentinel, which would also
+have lead to a buffer overrun in the xen_copy_trap_info() case if all
+(kernel) IDT entries were populated. Convert the writing of the sentinel
+to clearing of the entire table entry rather than just the address
+field.
+
+(I didn't bother trying to identify the commit which uncovered the issue
+in 5.14; the commit named below is the one which actually introduced the
+bad code.)
+
+Fixes: f87e4cac4f4e ("xen: SMP guest support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jan Beulich <jbeulich@suse.com>
+Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
+Link: https://lore.kernel.org/r/7a266932-092e-b68f-f2bb-1473b61adc6e@suse.com
+Signed-off-by: Juergen Gross <jgross@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/xen/enlighten_pv.c | 15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/xen/enlighten_pv.c
++++ b/arch/x86/xen/enlighten_pv.c
+@@ -756,8 +756,8 @@ static void xen_write_idt_entry(gate_des
+ preempt_enable();
+ }
+
+-static void xen_convert_trap_info(const struct desc_ptr *desc,
+- struct trap_info *traps)
++static unsigned xen_convert_trap_info(const struct desc_ptr *desc,
++ struct trap_info *traps, bool full)
+ {
+ unsigned in, out, count;
+
+@@ -767,17 +767,18 @@ static void xen_convert_trap_info(const
+ for (in = out = 0; in < count; in++) {
+ gate_desc *entry = (gate_desc *)(desc->address) + in;
+
+- if (cvt_gate_to_trap(in, entry, &traps[out]))
++ if (cvt_gate_to_trap(in, entry, &traps[out]) || full)
+ out++;
+ }
+- traps[out].address = 0;
++
++ return out;
+ }
+
+ void xen_copy_trap_info(struct trap_info *traps)
+ {
+ const struct desc_ptr *desc = this_cpu_ptr(&idt_desc);
+
+- xen_convert_trap_info(desc, traps);
++ xen_convert_trap_info(desc, traps, true);
+ }
+
+ /* Load a new IDT into Xen. In principle this can be per-CPU, so we
+@@ -787,6 +788,7 @@ static void xen_load_idt(const struct de
+ {
+ static DEFINE_SPINLOCK(lock);
+ static struct trap_info traps[257];
++ unsigned out;
+
+ trace_xen_cpu_load_idt(desc);
+
+@@ -794,7 +796,8 @@ static void xen_load_idt(const struct de
+
+ memcpy(this_cpu_ptr(&idt_desc), desc, sizeof(idt_desc));
+
+- xen_convert_trap_info(desc, traps);
++ out = xen_convert_trap_info(desc, traps, false);
++ memset(&traps[out], 0, sizeof(traps[0]));
+
+ xen_mc_flush();
+ if (HYPERVISOR_set_trap_table(traps))
projects / thirdparty / kernel / stable-queue.git / commitdiff
