5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Feb 2022 11:37:22 +0000 (12:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Feb 2022 11:37:22 +0000 (12:37 +0100)
added patches:
bus-mhi-pci_generic-add-mru_default-for-cinterion-mv31-w.patch
bus-mhi-pci_generic-add-mru_default-for-foxconn-sdx55.patch
eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch
hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
iio-buffer-fix-file-related-error-handling-in-iio_buffer_get_fd_ioctl.patch
mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch
n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch
phy-ti-fix-missing-sentinel-for-clk_div_table.patch
revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
s390-cio-verify-the-driver-availability-for-path_event-call.patch
seccomp-invalidate-seccomp-mode-to-catch-death-failures.patch
signal-handler_exit-should-clear-signal_unkillable.patch
speakup-dectlk-restore-pitch-setting.patch
usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
usb-gadget-f_uac2-define-specific-wterminaltype.patch
usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch
usb-gadget-validate-interface-os-descriptor-requests.patch
usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch
usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
usb-serial-cp210x-add-ncr-retail-io-box-id.patch
usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
usb-serial-option-add-zte-mf286d-modem.patch
usb-ulpi-call-of_node_put-correctly.patch
usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch
vt_ioctl-add-array_index_nospec-to-vt_activate.patch
vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch

31 files changed:
queue-5.15/bus-mhi-pci_generic-add-mru_default-for-cinterion-mv31-w.patch [new file with mode: 0644]
queue-5.15/bus-mhi-pci_generic-add-mru_default-for-foxconn-sdx55.patch [new file with mode: 0644]
queue-5.15/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch [new file with mode: 0644]
queue-5.15/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch [new file with mode: 0644]
queue-5.15/iio-buffer-fix-file-related-error-handling-in-iio_buffer_get_fd_ioctl.patch [new file with mode: 0644]
queue-5.15/mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch [new file with mode: 0644]
queue-5.15/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch [new file with mode: 0644]
queue-5.15/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch [new file with mode: 0644]
queue-5.15/phy-ti-fix-missing-sentinel-for-clk_div_table.patch [new file with mode: 0644]
queue-5.15/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch [new file with mode: 0644]
queue-5.15/s390-cio-verify-the-driver-availability-for-path_event-call.patch [new file with mode: 0644]
queue-5.15/seccomp-invalidate-seccomp-mode-to-catch-death-failures.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/signal-handler_exit-should-clear-signal_unkillable.patch [new file with mode: 0644]
queue-5.15/speakup-dectlk-restore-pitch-setting.patch [new file with mode: 0644]
queue-5.15/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch [new file with mode: 0644]
queue-5.15/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch [new file with mode: 0644]
queue-5.15/usb-gadget-f_uac2-define-specific-wterminaltype.patch [new file with mode: 0644]
queue-5.15/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch [new file with mode: 0644]
queue-5.15/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch [new file with mode: 0644]
queue-5.15/usb-gadget-validate-interface-os-descriptor-requests.patch [new file with mode: 0644]
queue-5.15/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch [new file with mode: 0644]
queue-5.15/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch [new file with mode: 0644]
queue-5.15/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch [new file with mode: 0644]
queue-5.15/usb-serial-cp210x-add-ncr-retail-io-box-id.patch [new file with mode: 0644]
queue-5.15/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch [new file with mode: 0644]
queue-5.15/usb-serial-option-add-zte-mf286d-modem.patch [new file with mode: 0644]
queue-5.15/usb-ulpi-call-of_node_put-correctly.patch [new file with mode: 0644]
queue-5.15/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch [new file with mode: 0644]
queue-5.15/vt_ioctl-add-array_index_nospec-to-vt_activate.patch [new file with mode: 0644]
queue-5.15/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch [new file with mode: 0644]

diff --git a/queue-5.15/bus-mhi-pci_generic-add-mru_default-for-cinterion-mv31-w.patch b/queue-5.15/bus-mhi-pci_generic-add-mru_default-for-cinterion-mv31-w.patch
new file mode 100644 (file)
index 0000000..c93620e
--- /dev/null
@@ -0,0 +1,37 @@
+From 05daa805a86c831ad9692f6f15e1b877c8f10638 Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Sat, 5 Feb 2022 19:27:31 +0530
+Subject: bus: mhi: pci_generic: Add mru_default for Cinterion MV31-W
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit 05daa805a86c831ad9692f6f15e1b877c8f10638 upstream.
+
+For default mechanism, product would use default MRU 3500 if
+they didn't define it. But for Cinterion MV31-W, there is a known
+issue which MRU 3500 would lead to data connection lost.
+So we align it with Qualcomm default MRU settings.
+
+Link: https://lore.kernel.org/r/20220119102519.5342-1-slark_xiao@163.com
+[mani: Modified the commit message to reflect Cinterion MV31-W and CCed stable]
+Fixes: 87693e092bd0 ("bus: mhi: pci_generic: Add Cinterion MV31-W PCIe to MHI")
+Cc: stable@vger.kernel.org # v5.14 +
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20220205135731.157871-3-manivannan.sadhasivam@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/pci_generic.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/mhi/pci_generic.c
++++ b/drivers/bus/mhi/pci_generic.c
+@@ -402,6 +402,7 @@ static const struct mhi_pci_dev_info mhi
+       .config = &modem_mv31_config,
+       .bar_num = MHI_PCI_DEFAULT_BAR_NUM,
+       .dma_data_width = 32,
++      .mru_default = 32768,
+ };
+ static const struct pci_device_id mhi_pci_id_table[] = {
diff --git a/queue-5.15/bus-mhi-pci_generic-add-mru_default-for-foxconn-sdx55.patch b/queue-5.15/bus-mhi-pci_generic-add-mru_default-for-foxconn-sdx55.patch
new file mode 100644 (file)
index 0000000..8d58fee
--- /dev/null
@@ -0,0 +1,37 @@
+From a0572cea8866230ac13da6358c88075f89e99b20 Mon Sep 17 00:00:00 2001
+From: Slark Xiao <slark_xiao@163.com>
+Date: Sat, 5 Feb 2022 19:27:30 +0530
+Subject: bus: mhi: pci_generic: Add mru_default for Foxconn SDX55
+
+From: Slark Xiao <slark_xiao@163.com>
+
+commit a0572cea8866230ac13da6358c88075f89e99b20 upstream.
+
+For default mechanism, product would use default MRU 3500 if
+they didn't define it. But for Foxconn SDX55, there is a known
+issue which MRU 3500 would lead to data connection lost.
+So we align it with Qualcomm default MRU settings.
+
+Link: https://lore.kernel.org/r/20220119101213.5008-1-slark_xiao@163.com
+[mani: Added pci_generic prefix to subject and CCed stable]
+Fixes: aac426562f56 ("bus: mhi: pci_generic: Introduce Foxconn T99W175 support")
+Cc: stable@vger.kernel.org # v5.12+
+Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
+Signed-off-by: Slark Xiao <slark_xiao@163.com>
+Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
+Link: https://lore.kernel.org/r/20220205135731.157871-2-manivannan.sadhasivam@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/bus/mhi/pci_generic.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/bus/mhi/pci_generic.c
++++ b/drivers/bus/mhi/pci_generic.c
+@@ -366,6 +366,7 @@ static const struct mhi_pci_dev_info mhi
+       .config = &modem_foxconn_sdx55_config,
+       .bar_num = MHI_PCI_DEFAULT_BAR_NUM,
+       .dma_data_width = 32,
++      .mru_default = 32768,
+       .sideband_wake = false,
+ };
diff --git a/queue-5.15/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch b/queue-5.15/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch
new file mode 100644 (file)
index 0000000..3c923a5
--- /dev/null
@@ -0,0 +1,43 @@
+From c0689e46be23160d925dca95dfc411f1a0462708 Mon Sep 17 00:00:00 2001
+From: Jonas Malaco <jonas@protocubo.io>
+Date: Thu, 3 Feb 2022 13:49:52 -0300
+Subject: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX
+
+From: Jonas Malaco <jonas@protocubo.io>
+
+commit c0689e46be23160d925dca95dfc411f1a0462708 upstream.
+
+Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer
+size") revealed that ee1004_eeprom_read() did not properly limit how
+many bytes to read at once.
+
+In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the
+length to read as an u8.  If count == 256 after taking into account the
+offset and page boundary, the cast to u8 overflows.  And this is common
+when user space tries to read the entire EEPROM at once.
+
+To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already
+the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows.
+
+Fixes: effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size")
+Cc: stable@vger.kernel.org
+Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
+Signed-off-by: Jonas Malaco <jonas@protocubo.io>
+Link: https://lore.kernel.org/r/20220203165024.47767-1-jonas@protocubo.io
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/eeprom/ee1004.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/misc/eeprom/ee1004.c
++++ b/drivers/misc/eeprom/ee1004.c
+@@ -114,6 +114,9 @@ static ssize_t ee1004_eeprom_read(struct
+       if (offset + count > EE1004_PAGE_SIZE)
+               count = EE1004_PAGE_SIZE - offset;
++      if (count > I2C_SMBUS_BLOCK_MAX)
++              count = I2C_SMBUS_BLOCK_MAX;
++
+       return i2c_smbus_read_i2c_block_data_or_emulated(client, offset, count, buf);
+ }
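Review bot: The new clamp `if (count > I2C_SMBUS_BLOCK_MAX)` carries no comment, and its reason (the SMBus helper takes the length as a u8, per the commit message) is not visible in the code. I would add `/* length is passed as u8; cap it so a 256-byte request cannot wrap to 0 */` above the check. With the cap, ee1004_eeprom_read() returns at most 32 bytes per call, so its caller, which is outside this hunk, has to loop on the returned count and stop on a negative return; that should be confirmed. The function's opening lines are also outside the hunk.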
diff --git a/queue-5.15/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch b/queue-5.15/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
new file mode 100644 (file)
index 0000000..db107ff
--- /dev/null
@@ -0,0 +1,73 @@
+From c0d79987a0d82671bff374c07f2201f9bdf4aaa2 Mon Sep 17 00:00:00 2001
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Thu, 21 Oct 2021 21:05:31 +0200
+Subject: hwmon: (dell-smm) Speed up setting of fan speed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+commit c0d79987a0d82671bff374c07f2201f9bdf4aaa2 upstream.
+
+When setting the fan speed, i8k_set_fan() calls i8k_get_fan_status(),
+causing an unnecessary SMM call since from the two users of this
+function, only i8k_ioctl_unlocked() needs to know the new fan status
+while dell_smm_write() ignores the new fan status.
+Since SMM calls can be very slow while also making error reporting
+difficult for dell_smm_write(), remove the function call from
+i8k_set_fan() and call it separately in i8k_ioctl_unlocked().
+
+Tested on a Dell Inspiron 3505.
+
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20211021190531.17379-6-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/dell-smm-hwmon.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -326,7 +326,7 @@ static int i8k_enable_fan_auto_mode(cons
+ }
+ /*
+- * Set the fan speed (off, low, high). Returns the new fan status.
++ * Set the fan speed (off, low, high, ...).
+  */
+ static int i8k_set_fan(const struct dell_smm_data *data, int fan, int speed)
+ {
+@@ -338,7 +338,7 @@ static int i8k_set_fan(const struct dell
+       speed = (speed < 0) ? 0 : ((speed > data->i8k_fan_max) ? data->i8k_fan_max : speed);
+       regs.ebx = (fan & 0xff) | (speed << 8);
+-      return i8k_smm(&regs) ? : i8k_get_fan_status(data, fan);
++      return i8k_smm(&regs);
+ }
+ static int __init i8k_get_temp_type(int sensor)
+@@ -452,7 +452,7 @@ static int
+ i8k_ioctl_unlocked(struct file *fp, struct dell_smm_data *data, unsigned int cmd, unsigned long arg)
+ {
+       int val = 0;
+-      int speed;
++      int speed, err;
+       unsigned char buff[16];
+       int __user *argp = (int __user *)arg;
+@@ -513,7 +513,11 @@ i8k_ioctl_unlocked(struct file *fp, stru
+               if (copy_from_user(&speed, argp + 1, sizeof(int)))
+                       return -EFAULT;
+-              val = i8k_set_fan(data, val, speed);
++              err = i8k_set_fan(data, val, speed);
++              if (err < 0)
++                      return err;
++
++              val = i8k_get_fan_status(data, val);
+               break;
+       default:
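Review bot: The new check in i8k_ioctl_unlocked(), `if (err < 0)`, is narrower than the test it replaces: the removed `i8k_smm(&regs) ? : i8k_get_fan_status(data, fan)` treated any non-zero result from i8k_smm() as a failure. i8k_smm() is not visible here; if it can only return 0 or a negative errno the two are equivalent, otherwise `if (err)` keeps the old behaviour. The rewritten comment on i8k_set_fan() also drops the return description altogether; something like `Returns 0 on success or the i8k_smm() error code.` would keep the contract documented. Both function bodies extend beyond the hunks shown.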
diff --git a/queue-5.15/iio-buffer-fix-file-related-error-handling-in-iio_buffer_get_fd_ioctl.patch b/queue-5.15/iio-buffer-fix-file-related-error-handling-in-iio_buffer_get_fd_ioctl.patch
new file mode 100644 (file)
index 0000000..f535812
--- /dev/null
@@ -0,0 +1,64 @@
+From c72ea20503610a4a7ba26c769357d31602769c01 Mon Sep 17 00:00:00 2001
+From: Mathias Krause <minipli@grsecurity.net>
+Date: Mon, 7 Feb 2022 16:01:19 +0100
+Subject: iio: buffer: Fix file related error handling in IIO_BUFFER_GET_FD_IOCTL
+
+From: Mathias Krause <minipli@grsecurity.net>
+
+commit c72ea20503610a4a7ba26c769357d31602769c01 upstream.
+
+If we fail to copy the just created file descriptor to userland, we
+try to clean up by putting back 'fd' and freeing 'ib'. The code uses
+put_unused_fd() for the former which is wrong, as the file descriptor
+was already published by fd_install() which gets called internally by
+anon_inode_getfd().
+
+This makes the error handling code leaving a half cleaned up file
+descriptor table around and a partially destructed 'file' object,
+allowing userland to play use-after-free tricks on us, by abusing
+the still usable fd and making the code operate on a dangling
+'file->private_data' pointer.
+
+Instead of leaving the kernel in a partially corrupted state, don't
+attempt to explicitly clean up and leave this to the process exit
+path that'll release any still valid fds, including the one created
+by the previous call to anon_inode_getfd(). Simply return -EFAULT to
+indicate the error.
+
+Fixes: f73f7f4da581 ("iio: buffer: add ioctl() to support opening extra buffers for IIO device")
+Cc: stable@kernel.org
+Cc: Jonathan Cameron <jic23@kernel.org>
+Cc: Alexandru Ardelean <ardeleanalex@gmail.com>
+Cc: Lars-Peter Clausen <lars@metafoo.de>
+Cc: Nuno Sa <Nuno.Sa@analog.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Mathias Krause <minipli@grsecurity.net>
+Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c |   14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -1446,9 +1446,17 @@ static long iio_device_buffer_getfd(stru
+       }
+       if (copy_to_user(ival, &fd, sizeof(fd))) {
+-              put_unused_fd(fd);
+-              ret = -EFAULT;
+-              goto error_free_ib;
++              /*
++               * "Leak" the fd, as there's not much we can do about this
++               * anyway. 'fd' might have been closed already, as
++               * anon_inode_getfd() called fd_install() on it, which made
++               * it reachable by userland.
++               *
++               * Instead of allowing a malicious user to play tricks with
++               * us, rely on the process exit path to do any necessary
++               * cleanup, as in releasing the file, if still needed.
++               */
++              return -EFAULT;
+       }
+       return 0;
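Review bot: The early `return -EFAULT;` in the copy_to_user() failure branch deliberately skips the `error_free_ib` unwinding the old code jumped to, and the new comment explains the fate of the fd but not of 'ib'. Going by the commit message, 'ib' is what file->private_data points at, so the comment should say so, e.g. `* 'ib' stays allocated: the installed file still references it and its release path is expected to free it.` Any other state the error labels used to undo (they are outside this hunk) is then also left to the file's release path, and it is worth confirming that path covers it. The body of iio_device_buffer_getfd() starts and ends outside the hunk.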
diff --git a/queue-5.15/mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch b/queue-5.15/mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch
new file mode 100644 (file)
index 0000000..f1522df
--- /dev/null
@@ -0,0 +1,196 @@
+From 0764db9b49c932b89ee4d9e3236dff4bb07b4a66 Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <guro@fb.com>
+Date: Fri, 11 Feb 2022 16:32:32 -0800
+Subject: mm: memcg: synchronize objcg lists with a dedicated spinlock
+
+From: Roman Gushchin <guro@fb.com>
+
+commit 0764db9b49c932b89ee4d9e3236dff4bb07b4a66 upstream.
+
+Alexander reported a circular lock dependency revealed by the mmap1 ltp
+test:
+
+  LOCKDEP_CIRCULAR (suite: ltp, case: mtest06 (mmap1))
+          WARNING: possible circular locking dependency detected
+          5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1 Not tainted
+          ------------------------------------------------------
+          mmap1/202299 is trying to acquire lock:
+          00000001892c0188 (css_set_lock){..-.}-{2:2}, at: obj_cgroup_release+0x4a/0xe0
+          but task is already holding lock:
+          00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180
+          which lock already depends on the new lock.
+          the existing dependency chain (in reverse order) is:
+          -> #1 (&sighand->siglock){-.-.}-{2:2}:
+                 __lock_acquire+0x604/0xbd8
+                 lock_acquire.part.0+0xe2/0x238
+                 lock_acquire+0xb0/0x200
+                 _raw_spin_lock_irqsave+0x6a/0xd8
+                 __lock_task_sighand+0x90/0x190
+                 cgroup_freeze_task+0x2e/0x90
+                 cgroup_migrate_execute+0x11c/0x608
+                 cgroup_update_dfl_csses+0x246/0x270
+                 cgroup_subtree_control_write+0x238/0x518
+                 kernfs_fop_write_iter+0x13e/0x1e0
+                 new_sync_write+0x100/0x190
+                 vfs_write+0x22c/0x2d8
+                 ksys_write+0x6c/0xf8
+                 __do_syscall+0x1da/0x208
+                 system_call+0x82/0xb0
+          -> #0 (css_set_lock){..-.}-{2:2}:
+                 check_prev_add+0xe0/0xed8
+                 validate_chain+0x736/0xb20
+                 __lock_acquire+0x604/0xbd8
+                 lock_acquire.part.0+0xe2/0x238
+                 lock_acquire+0xb0/0x200
+                 _raw_spin_lock_irqsave+0x6a/0xd8
+                 obj_cgroup_release+0x4a/0xe0
+                 percpu_ref_put_many.constprop.0+0x150/0x168
+                 drain_obj_stock+0x94/0xe8
+                 refill_obj_stock+0x94/0x278
+                 obj_cgroup_charge+0x164/0x1d8
+                 kmem_cache_alloc+0xac/0x528
+                 __sigqueue_alloc+0x150/0x308
+                 __send_signal+0x260/0x550
+                 send_signal+0x7e/0x348
+                 force_sig_info_to_task+0x104/0x180
+                 force_sig_fault+0x48/0x58
+                 __do_pgm_check+0x120/0x1f0
+                 pgm_check_handler+0x11e/0x180
+          other info that might help us debug this:
+           Possible unsafe locking scenario:
+                 CPU0                    CPU1
+                 ----                    ----
+            lock(&sighand->siglock);
+                                         lock(css_set_lock);
+                                         lock(&sighand->siglock);
+            lock(css_set_lock);
+           *** DEADLOCK ***
+          2 locks held by mmap1/202299:
+           #0: 00000000ca3b3818 (&sighand->siglock){-.-.}-{2:2}, at: force_sig_info_to_task+0x38/0x180
+           #1: 00000001892ad560 (rcu_read_lock){....}-{1:2}, at: percpu_ref_put_many.constprop.0+0x0/0x168
+          stack backtrace:
+          CPU: 15 PID: 202299 Comm: mmap1 Not tainted 5.17.0-20220113.rc0.git0.f2211f194038.300.fc35.s390x+debug #1
+          Hardware name: IBM 3906 M04 704 (LPAR)
+          Call Trace:
+            dump_stack_lvl+0x76/0x98
+            check_noncircular+0x136/0x158
+            check_prev_add+0xe0/0xed8
+            validate_chain+0x736/0xb20
+            __lock_acquire+0x604/0xbd8
+            lock_acquire.part.0+0xe2/0x238
+            lock_acquire+0xb0/0x200
+            _raw_spin_lock_irqsave+0x6a/0xd8
+            obj_cgroup_release+0x4a/0xe0
+            percpu_ref_put_many.constprop.0+0x150/0x168
+            drain_obj_stock+0x94/0xe8
+            refill_obj_stock+0x94/0x278
+            obj_cgroup_charge+0x164/0x1d8
+            kmem_cache_alloc+0xac/0x528
+            __sigqueue_alloc+0x150/0x308
+            __send_signal+0x260/0x550
+            send_signal+0x7e/0x348
+            force_sig_info_to_task+0x104/0x180
+            force_sig_fault+0x48/0x58
+            __do_pgm_check+0x120/0x1f0
+            pgm_check_handler+0x11e/0x180
+          INFO: lockdep is turned off.
+
+In this example a slab allocation from __send_signal() caused a
+refilling and draining of a percpu objcg stock, resulted in a releasing
+of another non-related objcg.  Objcg release path requires taking the
+css_set_lock, which is used to synchronize objcg lists.
+
+This can create a circular dependency with the sighandler lock, which is
+taken with the locked css_set_lock by the freezer code (to freeze a
+task).
+
+In general it seems that using css_set_lock to synchronize objcg lists
+makes any slab allocations and deallocation with the locked css_set_lock
+and any intervened locks risky.
+
+To fix the problem and make the code more robust let's stop using
+css_set_lock to synchronize objcg lists and use a new dedicated spinlock
+instead.
+
+Link: https://lkml.kernel.org/r/Yfm1IHmoGdyUR81T@carbon.dhcp.thefacebook.com
+Fixes: bf4f059954dc ("mm: memcg/slab: obj_cgroup API")
+Signed-off-by: Roman Gushchin <guro@fb.com>
+Reported-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Tested-by: Alexander Egorenkov <egorenar@linux.ibm.com>
+Reviewed-by: Waiman Long <longman@redhat.com>
+Acked-by: Tejun Heo <tj@kernel.org>
+Reviewed-by: Shakeel Butt <shakeelb@google.com>
+Reviewed-by: Jeremy Linton <jeremy.linton@arm.com>
+Tested-by: Jeremy Linton <jeremy.linton@arm.com>
+Cc: Johannes Weiner <hannes@cmpxchg.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/memcontrol.h |    5 +++--
+ mm/memcontrol.c            |   10 +++++-----
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/include/linux/memcontrol.h
++++ b/include/linux/memcontrol.h
+@@ -223,7 +223,7 @@ struct obj_cgroup {
+       struct mem_cgroup *memcg;
+       atomic_t nr_charged_bytes;
+       union {
+-              struct list_head list;
++              struct list_head list; /* protected by objcg_lock */
+               struct rcu_head rcu;
+       };
+ };
+@@ -320,7 +320,8 @@ struct mem_cgroup {
+       int kmemcg_id;
+       enum memcg_kmem_state kmem_state;
+       struct obj_cgroup __rcu *objcg;
+-      struct list_head objcg_list; /* list of inherited objcgs */
++      /* list of inherited objcgs, protected by objcg_lock */
++      struct list_head objcg_list;
+ #endif
+       MEMCG_PADDING(_pad2_);
+--- a/mm/memcontrol.c
++++ b/mm/memcontrol.c
+@@ -254,7 +254,7 @@ struct mem_cgroup *vmpressure_to_memcg(s
+ }
+ #ifdef CONFIG_MEMCG_KMEM
+-extern spinlock_t css_set_lock;
++static DEFINE_SPINLOCK(objcg_lock);
+ bool mem_cgroup_kmem_disabled(void)
+ {
+@@ -298,9 +298,9 @@ static void obj_cgroup_release(struct pe
+       if (nr_pages)
+               obj_cgroup_uncharge_pages(objcg, nr_pages);
+-      spin_lock_irqsave(&css_set_lock, flags);
++      spin_lock_irqsave(&objcg_lock, flags);
+       list_del(&objcg->list);
+-      spin_unlock_irqrestore(&css_set_lock, flags);
++      spin_unlock_irqrestore(&objcg_lock, flags);
+       percpu_ref_exit(ref);
+       kfree_rcu(objcg, rcu);
+@@ -332,7 +332,7 @@ static void memcg_reparent_objcgs(struct
+       objcg = rcu_replace_pointer(memcg->objcg, NULL, true);
+-      spin_lock_irq(&css_set_lock);
++      spin_lock_irq(&objcg_lock);
+       /* 1) Ready to reparent active objcg. */
+       list_add(&objcg->list, &memcg->objcg_list);
+@@ -342,7 +342,7 @@ static void memcg_reparent_objcgs(struct
+       /* 3) Move already reparented objcgs to the parent's list */
+       list_splice(&memcg->objcg_list, &parent->objcg_list);
+-      spin_unlock_irq(&css_set_lock);
++      spin_unlock_irq(&objcg_lock);
+       percpu_ref_kill(&objcg->refcnt);
+ }
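Review bot: `static DEFINE_SPINLOCK(objcg_lock);` in mm/memcontrol.c is introduced without a comment, while the two list fields in memcontrol.h now point readers at it. Since obj_cgroup_release() takes this lock and, per the commit message, can be reached from a slab charge path while unrelated locks are held, the definition should record that constraint, e.g. `/* Protects obj_cgroup::list and mem_cgroup::objcg_list; keep it a leaf lock, no slab alloc/free while held. */`. memcg_reparent_objcgs() keeps `spin_lock_irq()` while obj_cgroup_release() uses the irqsave variant; that matches the old css_set_lock usage, but both function bodies extend outside the hunks, so the calling contexts cannot be checked here.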
diff --git a/queue-5.15/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch b/queue-5.15/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
new file mode 100644 (file)
index 0000000..18dacda
--- /dev/null
@@ -0,0 +1,85 @@
+From c816b2e65b0e86b95011418cad334f0524fc33b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?TATSUKAWA=20KOSUKE=20=28=E7=AB=8B=E5=B7=9D=20=E6=B1=9F?=
+ =?UTF-8?q?=E4=BB=8B=29?= <tatsu-ab1@nec.com>
+Date: Wed, 26 Jan 2022 23:35:02 +0000
+Subject: n_tty: wake up poll(POLLRDNORM) on receiving data
+
+From: TATSUKAWA KOSUKE (立川 江介) <tatsu-ab1@nec.com>
+
+commit c816b2e65b0e86b95011418cad334f0524fc33b8 upstream.
+
+The poll man page says POLLRDNORM is equivalent to POLLIN when used as
+an event.
+$ man poll
+<snip>
+              POLLRDNORM
+                     Equivalent to POLLIN.
+
+However, in n_tty driver, POLLRDNORM does not return until timeout even
+if there is terminal input, whereas POLLIN returns.
+
+The following test program works until kernel-3.17, but the test stops
+in poll() after commit 57087d515441 ("tty: Fix spurious poll() wakeups").
+
+[Steps to run test program]
+  $ cc -o test-pollrdnorm test-pollrdnorm.c
+  $ ./test-pollrdnorm
+  foo          <-- Type in something from the terminal followed by [RET].
+                   The string should be echoed back.
+
+  ------------------------< test-pollrdnorm.c >------------------------
+  #include <stdio.h>
+  #include <errno.h>
+  #include <poll.h>
+  #include <unistd.h>
+
+  void main(void)
+  {
+       int             n;
+       unsigned char   buf[8];
+       struct pollfd   fds[1] = {{ 0, POLLRDNORM, 0 }};
+
+       n = poll(fds, 1, -1);
+       if (n < 0)
+               perror("poll");
+       n = read(0, buf, 8);
+       if (n < 0)
+               perror("read");
+       if (n > 0)
+               write(1, buf, n);
+  }
+  ------------------------------------------------------------------------
+
+The attached patch fixes this problem.  Many calls to
+wake_up_interruptible_poll() in the kernel source code already specify
+"POLLIN | POLLRDNORM".
+
+Fixes: 57087d515441 ("tty: Fix spurious poll() wakeups")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kosuke Tatsukawa <tatsu-ab1@nec.com>
+Link: https://lore.kernel.org/r/TYCPR01MB81901C0F932203D30E452B3EA5209@TYCPR01MB8190.jpnprd01.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_tty.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1369,7 +1369,7 @@ handle_newline:
+                       put_tty_queue(c, ldata);
+                       smp_store_release(&ldata->canon_head, ldata->read_head);
+                       kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-                      wake_up_interruptible_poll(&tty->read_wait, EPOLLIN);
++                      wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM);
+                       return;
+               }
+       }
+@@ -1589,7 +1589,7 @@ static void __receive_buf(struct tty_str
+       if (read_cnt(ldata)) {
+               kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-              wake_up_interruptible_poll(&tty->read_wait, EPOLLIN);
++              wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM);
+       }
+ }
diff --git a/queue-5.15/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch b/queue-5.15/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch
new file mode 100644 (file)
index 0000000..1d45f55
--- /dev/null
@@ -0,0 +1,136 @@
+From 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 26 Jan 2022 14:14:52 +0100
+Subject: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup
+
+From: Jann Horn <jannh@google.com>
+
+commit 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 upstream.
+
+ax88179_rx_fixup() contains several out-of-bounds accesses that can be
+triggered by a malicious (or defective) USB device, in particular:
+
+ - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds,
+   causing OOB reads and (on big-endian systems) OOB endianness flips.
+ - A packet can overlap the metadata array, causing a later OOB
+   endianness flip to corrupt data used by a cloned SKB that has already
+   been handed off into the network stack.
+ - A packet SKB can be constructed whose tail is far beyond its end,
+   causing out-of-bounds heap data to be considered part of the SKB's
+   data.
+
+I have tested that this can be used by a malicious USB device to send a
+bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response
+that contains random kernel heap data.
+It's probably also possible to get OOB writes from this on a
+little-endian system somehow - maybe by triggering skb_cow() via IP
+options processing -, but I haven't tested that.
+
+Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver")
+Cc: stable@kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/ax88179_178a.c |   68 +++++++++++++++++++++++------------------
+ 1 file changed, 39 insertions(+), 29 deletions(-)
+
+--- a/drivers/net/usb/ax88179_178a.c
++++ b/drivers/net/usb/ax88179_178a.c
+@@ -1467,58 +1467,68 @@ static int ax88179_rx_fixup(struct usbne
+       u16 hdr_off;
+       u32 *pkt_hdr;
+-      /* This check is no longer done by usbnet */
+-      if (skb->len < dev->net->hard_header_len)
++      /* At the end of the SKB, there's a header telling us how many packets
++       * are bundled into this buffer and where we can find an array of
++       * per-packet metadata (which contains elements encoded into u16).
++       */
++      if (skb->len < 4)
+               return 0;
+-
+       skb_trim(skb, skb->len - 4);
+       rx_hdr = get_unaligned_le32(skb_tail_pointer(skb));
+-
+       pkt_cnt = (u16)rx_hdr;
+       hdr_off = (u16)(rx_hdr >> 16);
++
++      if (pkt_cnt == 0)
++              return 0;
++
++      /* Make sure that the bounds of the metadata array are inside the SKB
++       * (and in front of the counter at the end).
++       */
++      if (pkt_cnt * 2 + hdr_off > skb->len)
++              return 0;
+       pkt_hdr = (u32 *)(skb->data + hdr_off);
+-      while (pkt_cnt--) {
++      /* Packets must not overlap the metadata array */
++      skb_trim(skb, hdr_off);
++
++      for (; ; pkt_cnt--, pkt_hdr++) {
+               u16 pkt_len;
+               le32_to_cpus(pkt_hdr);
+               pkt_len = (*pkt_hdr >> 16) & 0x1fff;
+-              /* Check CRC or runt packet */
+-              if ((*pkt_hdr & AX_RXHDR_CRC_ERR) ||
+-                  (*pkt_hdr & AX_RXHDR_DROP_ERR)) {
+-                      skb_pull(skb, (pkt_len + 7) & 0xFFF8);
+-                      pkt_hdr++;
+-                      continue;
+-              }
+-
+-              if (pkt_cnt == 0) {
+-                      skb->len = pkt_len;
+-                      /* Skip IP alignment pseudo header */
+-                      skb_pull(skb, 2);
+-                      skb_set_tail_pointer(skb, skb->len);
+-                      skb->truesize = pkt_len + sizeof(struct sk_buff);
+-                      ax88179_rx_checksum(skb, pkt_hdr);
+-                      return 1;
+-              }
++              if (pkt_len > skb->len)
++                      return 0;
+-              ax_skb = skb_clone(skb, GFP_ATOMIC);
+-              if (ax_skb) {
++              /* Check CRC or runt packet */
++              if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) == 0) &&
++                  pkt_len >= 2 + ETH_HLEN) {
++                      bool last = (pkt_cnt == 0);
++
++                      if (last) {
++                              ax_skb = skb;
++                      } else {
++                              ax_skb = skb_clone(skb, GFP_ATOMIC);
++                              if (!ax_skb)
++                                      return 0;
++                      }
+                       ax_skb->len = pkt_len;
+                       /* Skip IP alignment pseudo header */
+                       skb_pull(ax_skb, 2);
+                       skb_set_tail_pointer(ax_skb, ax_skb->len);
+                       ax_skb->truesize = pkt_len + sizeof(struct sk_buff);
+                       ax88179_rx_checksum(ax_skb, pkt_hdr);
++
++                      if (last)
++                              return 1;
++
+                       usbnet_skb_return(dev, ax_skb);
+-              } else {
+-                      return 0;
+               }
+-              skb_pull(skb, (pkt_len + 7) & 0xFFF8);
+-              pkt_hdr++;
++              /* Trim this packet away from the SKB */
++              if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8))
++                      return 0;
+       }
+-      return 1;
+ }
+ static struct sk_buff *
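Review bot: The new bounds check `if (pkt_cnt * 2 + hdr_off > skb->len)` sizes the metadata array at two bytes per entry, but the loop walks it through `u32 *pkt_hdr` with `le32_to_cpus(pkt_hdr)` and `pkt_hdr++`, i.e. four bytes per entry, so entries beyond the checked range can still be read (and byte-swapped in place on big-endian). The loop `for (; ; pkt_cnt--, pkt_hdr++)` also tests `pkt_cnt == 0` before any decrement, so it appears to consume `pkt_cnt + 1` entries, and when the final entry is skipped as errored or too short the counter is decremented again instead of ending the loop. I would bound both with `if (pkt_cnt * 4 + hdr_off > skb->len)`, `for (; pkt_cnt > 0; pkt_cnt--, pkt_hdr++)` and `bool last = (pkt_cnt == 1);`, and give the function a defined return value once the loop can fall through. The declaration of `pkt_cnt` and the opening of ax88179_rx_fixup() are outside the hunk, so the entry width should be confirmed against the device's RX header format.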
diff --git a/queue-5.15/phy-ti-fix-missing-sentinel-for-clk_div_table.patch b/queue-5.15/phy-ti-fix-missing-sentinel-for-clk_div_table.patch
new file mode 100644 (file)
index 0000000..8fdb7a1
--- /dev/null
@@ -0,0 +1,77 @@
+From 6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69 Mon Sep 17 00:00:00 2001
+From: Kishon Vijay Abraham I <kishon@ti.com>
+Date: Mon, 17 Jan 2022 16:31:08 +0530
+Subject: phy: ti: Fix missing sentinel for clk_div_table
+
+From: Kishon Vijay Abraham I <kishon@ti.com>
+
+commit 6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69 upstream.
+
+_get_table_maxdiv() tries to access "clk_div_table" array out of bound
+defined in phy-j721e-wiz.c. Add a sentinel entry to prevent
+the following global-out-of-bounds error reported by enabling KASAN.
+
+[    9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148
+[    9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38
+[    9.565926]
+[    9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360
+[    9.576242] Hardware name: Texas Instruments J721e EVM (DT)
+[    9.581832] Workqueue: events_unbound deferred_probe_work_func
+[    9.587708] Call trace:
+[    9.590174]  dump_backtrace+0x20c/0x218
+[    9.594038]  show_stack+0x18/0x68
+[    9.597375]  dump_stack_lvl+0x9c/0xd8
+[    9.601062]  print_address_description.constprop.0+0x78/0x334
+[    9.606830]  kasan_report+0x1f0/0x260
+[    9.610517]  __asan_load4+0x9c/0xd8
+[    9.614030]  _get_maxdiv+0xc0/0x148
+[    9.617540]  divider_determine_rate+0x88/0x488
+[    9.622005]  divider_round_rate_parent+0xc8/0x124
+[    9.626729]  wiz_clk_div_round_rate+0x54/0x68
+[    9.631113]  clk_core_determine_round_nolock+0x124/0x158
+[    9.636448]  clk_core_round_rate_nolock+0x68/0x138
+[    9.641260]  clk_core_set_rate_nolock+0x268/0x3a8
+[    9.645987]  clk_set_rate+0x50/0xa8
+[    9.649499]  cdns_sierra_phy_init+0x88/0x248
+[    9.653794]  phy_init+0x98/0x108
+[    9.657046]  cdns_pcie_enable_phy+0xa0/0x170
+[    9.661340]  cdns_pcie_init_phy+0x250/0x2b0
+[    9.665546]  j721e_pcie_probe+0x4b8/0x798
+[    9.669579]  platform_probe+0x8c/0x108
+[    9.673350]  really_probe+0x114/0x630
+[    9.677037]  __driver_probe_device+0x18c/0x220
+[    9.681505]  driver_probe_device+0xac/0x150
+[    9.685712]  __device_attach_driver+0xec/0x170
+[    9.690178]  bus_for_each_drv+0xf0/0x158
+[    9.694124]  __device_attach+0x184/0x210
+[    9.698070]  device_initial_probe+0x14/0x20
+[    9.702277]  bus_probe_device+0xec/0x100
+[    9.706223]  deferred_probe_work_func+0x124/0x180
+[    9.710951]  process_one_work+0x4b0/0xbc0
+[    9.714983]  worker_thread+0x74/0x5d0
+[    9.718668]  kthread+0x214/0x230
+[    9.721919]  ret_from_fork+0x10/0x20
+[    9.725520]
+[    9.727032] The buggy address belongs to the variable:
+[    9.732183]  clk_div_table+0x24/0x440
+
+Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC")
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Link: https://lore.kernel.org/r/20220117110108.4117-1-kishon@ti.com
+Signed-off-by: Vinod Koul <vkoul@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/phy/ti/phy-j721e-wiz.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/phy/ti/phy-j721e-wiz.c
++++ b/drivers/phy/ti/phy-j721e-wiz.c
+@@ -233,6 +233,7 @@ static const struct clk_div_table clk_di
+       { .val = 1, .div = 2, },
+       { .val = 2, .div = 4, },
+       { .val = 3, .div = 8, },
++      { /* sentinel */ },
+ };
+ static const struct wiz_clk_div_sel clk_div_sel[] = {
diff --git a/queue-5.15/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch b/queue-5.15/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
new file mode 100644 (file)
index 0000000..facf00d
--- /dev/null
@@ -0,0 +1,40 @@
+From 736e8d89044c1c330967fb938fa766cd9e0d8af0 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sat, 12 Feb 2022 10:08:54 +0100
+Subject: Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 736e8d89044c1c330967fb938fa766cd9e0d8af0 upstream.
+
+This reverts commit 269cbcf7b72de6f0016806d4a0cec1d689b55a87.
+
+It causes build errors as reported by the kernel test robot.
+
+Link: https://lore.kernel.org/r/202202112236.AwoOTtHO-lkp@intel.com
+Reported-by: kernel test robot <lkp@intel.com>
+Fixes: 269cbcf7b72d ("usb: dwc2: drd: fix soft connect when gadget is unconfigured")
+Cc: stable@kernel.org
+Cc: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Cc: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Cc: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/drd.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/dwc2/drd.c
++++ b/drivers/usb/dwc2/drd.c
+@@ -109,10 +109,8 @@ static int dwc2_drd_role_sw_set(struct u
+               already = dwc2_ovr_avalid(hsotg, true);
+       } else if (role == USB_ROLE_DEVICE) {
+               already = dwc2_ovr_bvalid(hsotg, true);
+-              if (hsotg->enabled) {
+-                      /* This clear DCTL.SFTDISCON bit */
+-                      dwc2_hsotg_core_connect(hsotg);
+-              }
++              /* This clear DCTL.SFTDISCON bit */
++              dwc2_hsotg_core_connect(hsotg);
+       } else {
+               if (dwc2_is_device_mode(hsotg)) {
+                       if (!dwc2_ovr_bvalid(hsotg, false))
diff --git a/queue-5.15/s390-cio-verify-the-driver-availability-for-path_event-call.patch b/queue-5.15/s390-cio-verify-the-driver-availability-for-path_event-call.patch
new file mode 100644 (file)
index 0000000..21fcba6
--- /dev/null
@@ -0,0 +1,37 @@
+From dd9cb842fa9d90653a9b48aba52f89c069f3bc50 Mon Sep 17 00:00:00 2001
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+Date: Wed, 2 Feb 2022 21:45:56 +0100
+Subject: s390/cio: verify the driver availability for path_event call
+
+From: Vineeth Vijayan <vneethv@linux.ibm.com>
+
+commit dd9cb842fa9d90653a9b48aba52f89c069f3bc50 upstream.
+
+If no driver is attached to a device or the driver does not provide the
+path_event function, an FCES path-event on this device could end up in a
+kernel-panic. Verify the driver availability before the path_event
+function call.
+
+Fixes: 32ef938815c1 ("s390/cio: Add support for FCES status notification")
+Cc: stable@vger.kernel.org
+Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
+Suggested-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Reviewed-by: Jan Hoeppner <hoeppner@linux.ibm.com>
+Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
+Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/s390/cio/device.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/s390/cio/device.c
++++ b/drivers/s390/cio/device.c
+@@ -1194,7 +1194,7 @@ static int io_subchannel_chp_event(struc
+                       else
+                               path_event[chpid] = PE_NONE;
+               }
+-              if (cdev)
++              if (cdev && cdev->drv && cdev->drv->path_event)
+                       cdev->drv->path_event(cdev, path_event);
+               break;
+       }
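Review bot: The added condition in io_subchannel_chp_event() reads `cdev->drv` once for the test and again for the call, so the check only holds if nothing can clear the driver pointer in between. The hunk does not show which lock, if any, serialises this path against driver unbind. If none does, a local copy would at least make the test and the call use the same pointer: `drv = cdev->drv; if (drv && drv->path_event) drv->path_event(cdev, path_event);`. If a lock does cover it, a short comment naming that lock would explain why the double read is safe. The function body starts and ends outside the hunk.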
diff --git a/queue-5.15/seccomp-invalidate-seccomp-mode-to-catch-death-failures.patch b/queue-5.15/seccomp-invalidate-seccomp-mode-to-catch-death-failures.patch
new file mode 100644 (file)
index 0000000..8fc1259
--- /dev/null
@@ -0,0 +1,64 @@
+From 495ac3069a6235bfdf516812a2a9b256671bbdf9 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 7 Feb 2022 20:21:13 -0800
+Subject: seccomp: Invalidate seccomp mode to catch death failures
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 495ac3069a6235bfdf516812a2a9b256671bbdf9 upstream.
+
+If seccomp tries to kill a process, it should never see that process
+again. To enforce this proactively, switch the mode to something
+impossible. If encountered: WARN, reject all syscalls, and attempt to
+kill the process again even harder.
+
+Cc: Andy Lutomirski <luto@amacapital.net>
+Cc: Will Drewry <wad@chromium.org>
+Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/seccomp.c |   10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -29,6 +29,9 @@
+ #include <linux/syscalls.h>
+ #include <linux/sysctl.h>
++/* Not exposed in headers: strictly internal use only. */
++#define SECCOMP_MODE_DEAD     (SECCOMP_MODE_FILTER + 1)
++
+ #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER
+ #include <asm/syscall.h>
+ #endif
+@@ -1010,6 +1013,7 @@ static void __secure_computing_strict(in
+ #ifdef SECCOMP_DEBUG
+       dump_stack();
+ #endif
++      current->seccomp.mode = SECCOMP_MODE_DEAD;
+       seccomp_log(this_syscall, SIGKILL, SECCOMP_RET_KILL_THREAD, true);
+       do_exit(SIGKILL);
+ }
+@@ -1261,6 +1265,7 @@ static int __seccomp_filter(int this_sys
+       case SECCOMP_RET_KILL_THREAD:
+       case SECCOMP_RET_KILL_PROCESS:
+       default:
++              current->seccomp.mode = SECCOMP_MODE_DEAD;
+               seccomp_log(this_syscall, SIGSYS, action, true);
+               /* Dump core only if this is the last remaining thread. */
+               if (action != SECCOMP_RET_KILL_THREAD ||
+@@ -1309,6 +1314,11 @@ int __secure_computing(const struct secc
+               return 0;
+       case SECCOMP_MODE_FILTER:
+               return __seccomp_filter(this_syscall, sd, false);
++      /* Surviving SECCOMP_RET_KILL_* must be proactively impossible. */
++      case SECCOMP_MODE_DEAD:
++              WARN_ON_ONCE(1);
++              do_exit(SIGKILL);
++              return -1;
+       default:
+               BUG();
+       }
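Review bot: `SECCOMP_MODE_DEAD` is defined as `SECCOMP_MODE_FILTER + 1`, which stays a distinct value only while SECCOMP_MODE_FILTER is the highest mode number in the uapi header, and the comment on the define does not say so. I would extend it to something like `/* Internal only; must stay distinct from every uapi SECCOMP_MODE_* value. */`. In the new `case SECCOMP_MODE_DEAD:` arm of __secure_computing(), the `return -1;` after `do_exit(SIGKILL)` looks unreachable if do_exit() does not return. A `/* not reached */` comment there would tell the reader it exists only to terminate the case. All three inner hunks cut into functions whose bodies continue outside them.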
index 8830018ae80ad32334bf1957d820baf90437766a..fe0fe4c2e4635115ed86e105ffc0a49a15c1824d 100644 (file)
@@ -131,3 +131,33 @@ ice-fix-kasan-error-in-lag-netdev_unregister-handler.patch
 ice-avoid-rtnl-lock-when-re-creating-auxiliary-devic.patch
 net-mscc-ocelot-fix-mutex-lock-error-during-ethtool-.patch
 net-dsa-mv88e6xxx-fix-use-after-free-in-mv88e6xxx_md.patch
+vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
+vt_ioctl-add-array_index_nospec-to-vt_activate.patch
+n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
+eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch
+usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
+revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
+net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch
+usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch
+usb-ulpi-call-of_node_put-correctly.patch
+usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
+usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch
+usb-gadget-validate-interface-os-descriptor-requests.patch
+usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
+usb-gadget-f_uac2-define-specific-wterminaltype.patch
+usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch
+usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
+usb-serial-option-add-zte-mf286d-modem.patch
+usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
+usb-serial-cp210x-add-ncr-retail-io-box-id.patch
+usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
+speakup-dectlk-restore-pitch-setting.patch
+phy-ti-fix-missing-sentinel-for-clk_div_table.patch
+iio-buffer-fix-file-related-error-handling-in-iio_buffer_get_fd_ioctl.patch
+mm-memcg-synchronize-objcg-lists-with-a-dedicated-spinlock.patch
+seccomp-invalidate-seccomp-mode-to-catch-death-failures.patch
+signal-handler_exit-should-clear-signal_unkillable.patch
+s390-cio-verify-the-driver-availability-for-path_event-call.patch
+bus-mhi-pci_generic-add-mru_default-for-foxconn-sdx55.patch
+bus-mhi-pci_generic-add-mru_default-for-cinterion-mv31-w.patch
+hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
diff --git a/queue-5.15/signal-handler_exit-should-clear-signal_unkillable.patch b/queue-5.15/signal-handler_exit-should-clear-signal_unkillable.patch
new file mode 100644 (file)
index 0000000..caf9ef8
--- /dev/null
@@ -0,0 +1,43 @@
+From 5c72263ef2fbe99596848f03758ae2dc593adf2c Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Tue, 8 Feb 2022 00:57:17 -0800
+Subject: signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 5c72263ef2fbe99596848f03758ae2dc593adf2c upstream.
+
+Fatal SIGSYS signals (i.e. seccomp RET_KILL_* syscall filter actions)
+were not being delivered to ptraced pid namespace init processes. Make
+sure the SIGNAL_UNKILLABLE doesn't get set for these cases.
+
+Reported-by: Robert Święcki <robert@swiecki.net>
+Suggested-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Fixes: 00b06da29cf9 ("signal: Add SA_IMMUTABLE to ensure forced siganls do not get changed")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: "Eric W. Biederman" <ebiederm@xmission.com>
+Link: https://lore.kernel.org/lkml/878rui8u4a.fsf@email.froward.int.ebiederm.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/signal.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -1339,9 +1339,10 @@ force_sig_info_to_task(struct kernel_sig
+       }
+       /*
+        * Don't clear SIGNAL_UNKILLABLE for traced tasks, users won't expect
+-       * debugging to leave init killable.
++       * debugging to leave init killable. But HANDLER_EXIT is always fatal.
+        */
+-      if (action->sa.sa_handler == SIG_DFL && !t->ptrace)
++      if (action->sa.sa_handler == SIG_DFL &&
++          (!t->ptrace || (handler == HANDLER_EXIT)))
+               t->signal->flags &= ~SIGNAL_UNKILLABLE;
+       ret = send_signal(sig, info, t, PIDTYPE_PID);
+       spin_unlock_irqrestore(&t->sighand->siglock, flags);
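Review bot: The updated comment in force_sig_info_to_task() says only "But HANDLER_EXIT is always fatal", which does not tell a later reader why a traced init may lose SIGNAL_UNKILLABLE on this path. The commit message has the reason (fatal SIGSYS from seccomp RET_KILL_* was not delivered to ptraced pid-namespace init processes), and one sentence of it belongs in the comment, for example `* HANDLER_EXIT (e.g. seccomp RET_KILL_*) must kill even a ptraced init.`. The inner parentheses in `(handler == HANDLER_EXIT)` are redundant; `(!t->ptrace || handler == HANDLER_EXIT)` reads the same. The function starts and ends outside the hunk.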
diff --git a/queue-5.15/speakup-dectlk-restore-pitch-setting.patch b/queue-5.15/speakup-dectlk-restore-pitch-setting.patch
new file mode 100644 (file)
index 0000000..3ed198d
--- /dev/null
@@ -0,0 +1,32 @@
+From bca828ccdd6548d24613d0cede04ada4dfb2f89c Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Sun, 6 Feb 2022 02:56:26 +0100
+Subject: speakup-dectlk: Restore pitch setting
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit bca828ccdd6548d24613d0cede04ada4dfb2f89c upstream.
+
+d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
+introduced the inflection parameter, but happened to drop the pitch
+parameter from the dectlk driver. This restores it.
+
+Cc: stable@vger.kernel.org
+Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter")
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Link: https://lore.kernel.org/r/20220206015626.aesbhvvdkmqsrbaw@begin
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/accessibility/speakup/speakup_dectlk.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/accessibility/speakup/speakup_dectlk.c
++++ b/drivers/accessibility/speakup/speakup_dectlk.c
+@@ -44,6 +44,7 @@ static struct var_t vars[] = {
+       { CAPS_START, .u.s = {"[:dv ap 160] " } },
+       { CAPS_STOP, .u.s = {"[:dv ap 100 ] " } },
+       { RATE, .u.n = {"[:ra %d] ", 180, 75, 650, 0, 0, NULL } },
++      { PITCH, .u.n = {"[:dv ap %d] ", 122, 50, 350, 0, 0, NULL } },
+       { INFLECTION, .u.n = {"[:dv pr %d] ", 100, 0, 10000, 0, 0, NULL } },
+       { VOL, .u.n = {"[:dv g5 %d] ", 86, 60, 86, 0, 0, NULL } },
+       { PUNCT, .u.n = {"[:pu %c] ", 0, 0, 2, 0, 0, "nsa" } },
diff --git a/queue-5.15/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch b/queue-5.15/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch
new file mode 100644 (file)
index 0000000..180f448
--- /dev/null
@@ -0,0 +1,51 @@
+From 269cbcf7b72de6f0016806d4a0cec1d689b55a87 Mon Sep 17 00:00:00 2001
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Date: Wed, 9 Feb 2022 17:15:53 +0100
+Subject: usb: dwc2: drd: fix soft connect when gadget is unconfigured
+
+From: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+
+commit 269cbcf7b72de6f0016806d4a0cec1d689b55a87 upstream.
+
+When the gadget driver hasn't been (yet) configured, and the cable is
+connected to a HOST, the SFTDISCON gets cleared unconditionally, so the
+HOST tries to enumerate it.
+At the host side, this can result in a stuck USB port or worse. When
+getting lucky, some dmesg can be observed at the host side:
+ new high-speed USB device number ...
+ device descriptor read/64, error -110
+
+Fix it in drd, by checking the enabled flag before calling
+dwc2_hsotg_core_connect(). It will be called later, once configured,
+by the normal flow:
+- udc_bind_to_driver
+ - usb_gadget_connect
+   - dwc2_hsotg_pullup
+     - dwc2_hsotg_core_connect
+
+Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support")
+Cc: stable@kernel.org
+Reviewed-by: Amelie Delaunay <amelie.delaunay@foss.st.com>
+Acked-by: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Signed-off-by: Fabrice Gasnier <fabrice.gasnier@foss.st.com>
+Link: https://lore.kernel.org/r/1644423353-17859-1-git-send-email-fabrice.gasnier@foss.st.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc2/drd.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/dwc2/drd.c
++++ b/drivers/usb/dwc2/drd.c
+@@ -109,8 +109,10 @@ static int dwc2_drd_role_sw_set(struct u
+               already = dwc2_ovr_avalid(hsotg, true);
+       } else if (role == USB_ROLE_DEVICE) {
+               already = dwc2_ovr_bvalid(hsotg, true);
+-              /* This clear DCTL.SFTDISCON bit */
+-              dwc2_hsotg_core_connect(hsotg);
++              if (hsotg->enabled) {
++                      /* This clear DCTL.SFTDISCON bit */
++                      dwc2_hsotg_core_connect(hsotg);
++              }
+       } else {
+               if (dwc2_is_device_mode(hsotg)) {
+                       if (!dwc2_ovr_bvalid(hsotg, false))
diff --git a/queue-5.15/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch b/queue-5.15/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
new file mode 100644 (file)
index 0000000..41d7ff8
--- /dev/null
@@ -0,0 +1,51 @@
+From 117b4e96c7f362eb6459543883fc07f77662472c Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+Date: Mon, 7 Feb 2022 09:55:58 +0530
+Subject: usb: dwc3: gadget: Prevent core from processing stale TRBs
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+commit 117b4e96c7f362eb6459543883fc07f77662472c upstream.
+
+With CPU re-ordering on write instructions, there might
+be a chance that the HWO is set before the TRB is updated
+with the new mapped buffer address.
+And in the case where core is processing a list of TRBs
+it is possible that it fetched the TRBs when the HWO is set
+but before the buffer address is updated.
+Prevent this by adding a memory barrier before the HWO
+is updated to ensure that the core always process the
+updated TRBs.
+
+Fixes: f6bafc6a1c9d ("usb: dwc3: convert TRBs into bitshifts")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Link: https://lore.kernel.org/r/1644207958-18287-1-git-send-email-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1271,6 +1271,19 @@ static void __dwc3_prepare_one_trb(struc
+       if (usb_endpoint_xfer_bulk(dep->endpoint.desc) && dep->stream_capable)
+               trb->ctrl |= DWC3_TRB_CTRL_SID_SOFN(stream_id);
++      /*
++       * As per data book 4.2.3.2TRB Control Bit Rules section
++       *
++       * The controller autonomously checks the HWO field of a TRB to determine if the
++       * entire TRB is valid. Therefore, software must ensure that the rest of the TRB
++       * is valid before setting the HWO field to '1'. In most systems, this means that
++       * software must update the fourth DWORD of a TRB last.
++       *
++       * However there is a possibility of CPU re-ordering here which can cause
++       * controller to observe the HWO bit set prematurely.
++       * Add a write memory barrier to prevent CPU re-ordering.
++       */
++      wmb();
+       trb->ctrl |= DWC3_TRB_CTRL_HWO;
+       dwc3_ep_inc_enq(dep);
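Review bot: The barrier added before `trb->ctrl |= DWC3_TRB_CTRL_HWO;` in __dwc3_prepare_one_trb() is a full `wmb()`, whereas the usual kernel idiom for handing a descriptor to a device through an ownership bit is `dma_wmb()`. The lighter barrier is sufficient only if the TRB ring lives in coherent DMA memory, which the hunk does not show, so this is a question for the author rather than a required change. The new comment says the barrier is there "to prevent CPU re-ordering" without naming which stores must be visible first; `/* Order the TRB address, size and ctrl stores before the HWO store. */` would be more precise. The function starts and ends outside the hunk.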
diff --git a/queue-5.15/usb-gadget-f_uac2-define-specific-wterminaltype.patch b/queue-5.15/usb-gadget-f_uac2-define-specific-wterminaltype.patch
new file mode 100644 (file)
index 0000000..9a5a64f
--- /dev/null
@@ -0,0 +1,49 @@
+From 5432184107cd0013761bdfa6cb6079527ef87b95 Mon Sep 17 00:00:00 2001
+From: Pavel Hofman <pavel.hofman@ivitera.com>
+Date: Mon, 31 Jan 2022 08:18:13 +0100
+Subject: usb: gadget: f_uac2: Define specific wTerminalType
+
+From: Pavel Hofman <pavel.hofman@ivitera.com>
+
+commit 5432184107cd0013761bdfa6cb6079527ef87b95 upstream.
+
+Several users have reported that their Win10 does not enumerate UAC2
+gadget with the existing wTerminalType set to
+UAC_INPUT_TERMINAL_UNDEFINED/UAC_INPUT_TERMINAL_UNDEFINED, e.g.
+https://github.com/raspberrypi/linux/issues/4587#issuecomment-926567213.
+While the constant is officially defined by the USB terminal types
+document, e.g. XMOS firmware for UAC2 (commonly used for Win10) defines
+no undefined output terminal type in its usbaudio20.h header.
+
+Therefore wTerminalType of EP-IN is set to
+UAC_INPUT_TERMINAL_MICROPHONE and wTerminalType of EP-OUT to
+UAC_OUTPUT_TERMINAL_SPEAKER for the UAC2 gadget.
+
+Signed-off-by: Pavel Hofman <pavel.hofman@ivitera.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20220131071813.7433-1-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/f_uac2.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -202,7 +202,7 @@ static struct uac2_input_terminal_descri
+       .bDescriptorSubtype = UAC_INPUT_TERMINAL,
+       /* .bTerminalID = DYNAMIC */
+-      .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_UNDEFINED),
++      .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_MICROPHONE),
+       .bAssocTerminal = 0,
+       /* .bCSourceID = DYNAMIC */
+       .iChannelNames = 0,
+@@ -230,7 +230,7 @@ static struct uac2_output_terminal_descr
+       .bDescriptorSubtype = UAC_OUTPUT_TERMINAL,
+       /* .bTerminalID = DYNAMIC */
+-      .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_UNDEFINED),
++      .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_SPEAKER),
+       .bAssocTerminal = 0,
+       /* .bSourceID = DYNAMIC */
+       /* .bCSourceID = DYNAMIC */
diff --git a/queue-5.15/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch b/queue-5.15/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
new file mode 100644 (file)
index 0000000..f06d27e
--- /dev/null
@@ -0,0 +1,43 @@
+From 38ea1eac7d88072bbffb630e2b3db83ca649b826 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 9 Feb 2022 16:37:53 +0100
+Subject: usb: gadget: rndis: check size of RNDIS_MSG_SET command
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream.
+
+Check the size of the RNDIS_MSG_SET command given to us before
+attempting to respond to an invalid message size.
+
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Cc: stable@kernel.org
+Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/rndis.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/rndis.c
++++ b/drivers/usb/gadget/function/rndis.c
+@@ -637,14 +637,17 @@ static int rndis_set_response(struct rnd
+       rndis_set_cmplt_type *resp;
+       rndis_resp_t *r;
++      BufLength = le32_to_cpu(buf->InformationBufferLength);
++      BufOffset = le32_to_cpu(buf->InformationBufferOffset);
++      if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
++          (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
++                  return -EINVAL;
++
+       r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
+       if (!r)
+               return -ENOMEM;
+       resp = (rndis_set_cmplt_type *)r->buf;
+-      BufLength = le32_to_cpu(buf->InformationBufferLength);
+-      BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+-
+ #ifdef        VERBOSE_DEBUG
+       pr_debug("%s: Length: %d\n", __func__, BufLength);
+       pr_debug("%s: Offset: %d\n", __func__, BufOffset);
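Review bot: The new bound `(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)` in rndis_set_response() can be defeated by wrap-around of the sum. If BufOffset is a 32-bit unsigned value, as the le32_to_cpu() assignment suggests (its declaration is outside the hunk), a host-supplied offset near the top of the range makes `BufOffset + 8` wrap to a small number and pass the test. Moving the constant to the other side keeps the same limit without the addition: `(BufOffset >= RNDIS_MAX_TOTAL_SIZE - 8)`. The two fields are also bounded separately against a constant rather than together against the length of the message actually received, so it is worth confirming that code outside this hunk checks offset plus length against the real buffer.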
diff --git a/queue-5.15/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch b/queue-5.15/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch
new file mode 100644 (file)
index 0000000..2778b0d
--- /dev/null
@@ -0,0 +1,45 @@
+From 459702eea6132888b5c5b64c0e9c626da4ec2493 Mon Sep 17 00:00:00 2001
+From: Adam Ford <aford173@gmail.com>
+Date: Fri, 28 Jan 2022 16:36:03 -0600
+Subject: usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition
+
+From: Adam Ford <aford173@gmail.com>
+
+commit 459702eea6132888b5c5b64c0e9c626da4ec2493 upstream.
+
+The support the external role switch a variety of situations were
+addressed, but the transition from USB_ROLE_HOST to USB_ROLE_NONE
+leaves the host up which can cause some error messages when
+switching from host to none, to gadget, to none, and then back
+to host again.
+
+ xhci-hcd ee000000.usb: Abort failed to stop command ring: -110
+ xhci-hcd ee000000.usb: xHCI host controller not responding, assume dead
+ xhci-hcd ee000000.usb: HC died; cleaning up
+ usb 4-1: device not accepting address 6, error -108
+ usb usb4-port1: couldn't allocate usb_device
+
+After this happens it will not act as a host again.
+Fix this by releasing the host mode when transitioning to USB_ROLE_NONE.
+
+Fixes: 0604160d8c0b ("usb: gadget: udc: renesas_usb3: Enhance role switch support")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Adam Ford <aford173@gmail.com>
+Link: https://lore.kernel.org/r/20220128223603.2362621-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/udc/renesas_usb3.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2378,6 +2378,8 @@ static void handle_ext_role_switch_state
+       switch (role) {
+       case USB_ROLE_NONE:
+               usb3->connection_state = USB_ROLE_NONE;
++              if (cur_role == USB_ROLE_HOST)
++                      device_release_driver(host);
+               if (usb3->driver)
+                       usb3_disconnect(usb3);
+               usb3_vbus_out(usb3, false);
diff --git a/queue-5.15/usb-gadget-validate-interface-os-descriptor-requests.patch b/queue-5.15/usb-gadget-validate-interface-os-descriptor-requests.patch
new file mode 100644 (file)
index 0000000..4b6b4b7
--- /dev/null
@@ -0,0 +1,31 @@
+From 75e5b4849b81e19e9efe1654b30d7f3151c33c2c Mon Sep 17 00:00:00 2001
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+Date: Mon, 24 Jan 2022 12:14:00 +0100
+Subject: USB: gadget: validate interface OS descriptor requests
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream.
+
+Stall the control endpoint in case provided index exceeds array size of
+MAX_CONFIG_INTERFACES or when the retrieved function pointer is null.
+
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1975,6 +1975,9 @@ unknown:
+                               if (w_index != 0x5 || (w_value >> 8))
+                                       break;
+                               interface = w_value & 0xFF;
++                              if (interface >= MAX_CONFIG_INTERFACES ||
++                                  !os_desc_cfg->interface[interface])
++                                      break;
+                               buf[6] = w_index;
+                               count = count_ext_prop(os_desc_cfg,
+                                       interface);
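Review bot: The added check on `interface` rejects an out-of-range or unbound interface with a bare `break`, and nothing at that spot says what the host then observes. The commit message says the control endpoint is stalled, which presumably follows from a default return value set outside the hunk. A one-line comment such as `/* out of range or no function bound: fall out and stall ep0 */` would keep that link visible next to the check. The enclosing switch and function start and end outside the hunk, so the stall path itself cannot be confirmed from here.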
diff --git a/queue-5.15/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch b/queue-5.15/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch
new file mode 100644 (file)
index 0000000..ab41a9a
--- /dev/null
@@ -0,0 +1,44 @@
+From 292d2c82b105d92082c2120a44a58de9767e44f1 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 26 Jan 2022 21:52:14 +0100
+Subject: usb: raw-gadget: fix handling of dual-direction-capable endpoints
+
+From: Jann Horn <jannh@google.com>
+
+commit 292d2c82b105d92082c2120a44a58de9767e44f1 upstream.
+
+Under dummy_hcd, every available endpoint is *either* IN or OUT capable.
+But with some real hardware, there are endpoints that support both IN and
+OUT. In particular, the PLX 2380 has four available endpoints that each
+support both IN and OUT.
+
+raw-gadget currently gets confused and thinks that any endpoint that is
+usable as an IN endpoint can never be used as an OUT endpoint.
+
+Fix it by looking at the direction in the configured endpoint descriptor
+instead of looking at the hardware capabilities.
+
+With this change, I can use the PLX 2380 with raw-gadget.
+
+Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Andrey Konovalov <andreyknvl@gmail.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@gmail.com>
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/r/20220126205214.2149936-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/legacy/raw_gadget.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/raw_gadget.c
++++ b/drivers/usb/gadget/legacy/raw_gadget.c
+@@ -1004,7 +1004,7 @@ static int raw_process_ep_io(struct raw_
+               ret = -EBUSY;
+               goto out_unlock;
+       }
+-      if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) {
++      if (in != usb_endpoint_dir_in(ep->ep->desc)) {
+               dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
+               ret = -EINVAL;
+               goto out_unlock;
diff --git a/queue-5.15/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch b/queue-5.15/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
new file mode 100644 (file)
index 0000000..d9d9bbd
--- /dev/null
@@ -0,0 +1,39 @@
+From fa77ce201f7f2d823b07753575122d1ae5597fbe Mon Sep 17 00:00:00 2001
+From: Stephan Brunner <s.brunner@stephan-brunner.net>
+Date: Sat, 8 Jan 2022 13:00:20 +0100
+Subject: USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
+
+From: Stephan Brunner <s.brunner@stephan-brunner.net>
+
+commit fa77ce201f7f2d823b07753575122d1ae5597fbe upstream.
+
+Programmable lab power supplies made by GW Instek, such as the
+GPP-2323, have a USB port exposing a serial port to control the device.
+
+Stringing the supplied Windows driver, references to the ch341 chip are
+found. Binding the existing ch341 driver to the VID/PID of the GPP-2323
+("GW Instek USB2.0-Serial" as per the USB product name) works out of the
+box, communication and control is now possible.
+
+This patch should work with any GPP series power supply due to
+similarities in the product line.
+
+Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
+Link: https://lore.kernel.org/r/4a47b864-0816-6f6a-efee-aa20e74bcdc6@stephan-brunner.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ch341.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -85,6 +85,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x1a86, 0x5523) },
+       { USB_DEVICE(0x1a86, 0x7522) },
+       { USB_DEVICE(0x1a86, 0x7523) },
++      { USB_DEVICE(0x2184, 0x0057) },
+       { USB_DEVICE(0x4348, 0x5523) },
+       { USB_DEVICE(0x9986, 0x7523) },
+       { },
diff --git a/queue-5.15/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch b/queue-5.15/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
new file mode 100644 (file)
index 0000000..3426ec2
--- /dev/null
@@ -0,0 +1,33 @@
+From 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Feb 2022 11:42:53 +0100
+Subject: USB: serial: cp210x: add CPI Bulk Coin Recycler id
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab upstream.
+
+Add the device id for the Crane Payment Innovation / Money Controls Bulk
+Coin Recycler:
+
+       https://www.cranepi.com/en/system/files/Support/OM_BCR_EN_V1-04_0.pdf
+
+Reported-by: Scott Russell <Scott.Russell2@ncr.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -69,6 +69,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x0FCF, 0x1004) }, /* Dynastream ANT2USB */
+       { USB_DEVICE(0x0FCF, 0x1006) }, /* Dynastream ANT development board */
+       { USB_DEVICE(0x0FDE, 0xCA05) }, /* OWL Wireless Electricity Monitor CM-160 */
++      { USB_DEVICE(0x106F, 0x0003) }, /* CPI / Money Controls Bulk Coin Recycler */
+       { USB_DEVICE(0x10A6, 0xAA26) }, /* Knock-off DCU-11 cable */
+       { USB_DEVICE(0x10AB, 0x10C5) }, /* Siemens MC60 Cable */
+       { USB_DEVICE(0x10B5, 0xAC70) }, /* Nokia CA-42 USB */
diff --git a/queue-5.15/usb-serial-cp210x-add-ncr-retail-io-box-id.patch b/queue-5.15/usb-serial-cp210x-add-ncr-retail-io-box-id.patch
new file mode 100644 (file)
index 0000000..345a7eb
--- /dev/null
@@ -0,0 +1,33 @@
+From b50f8f09c622297d3cf46e332e17ba8adedec9af Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Feb 2022 11:42:52 +0100
+Subject: USB: serial: cp210x: add NCR Retail IO box id
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b50f8f09c622297d3cf46e332e17ba8adedec9af upstream.
+
+Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane
+SelfServ Checkout - R6C:
+
+       https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c
+
+Reported-by: Scott Russell <Scott.Russell2@ncr.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -51,6 +51,7 @@ static void cp210x_enable_event_mode(str
+ static void cp210x_disable_event_mode(struct usb_serial_port *port);
+ static const struct usb_device_id id_table[] = {
++      { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */
+       { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */
+       { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
+       { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
diff --git a/queue-5.15/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch b/queue-5.15/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
new file mode 100644 (file)
index 0000000..7ea2dfe
--- /dev/null
@@ -0,0 +1,58 @@
+From fbb9b194e15a63c56c5664e76ccd0e85c6100cea Mon Sep 17 00:00:00 2001
+From: Cameron Williams <cang1@live.co.uk>
+Date: Tue, 1 Feb 2022 10:12:51 +0000
+Subject: USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
+
+From: Cameron Williams <cang1@live.co.uk>
+
+commit fbb9b194e15a63c56c5664e76ccd0e85c6100cea upstream.
+
+This patch adds support for the Brainboxes US-159, US-235 and US-320
+USB-to-Serial devices.
+
+Signed-off-by: Cameron Williams <cang1@live.co.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c     |    3 +++
+ drivers/usb/serial/ftdi_sio_ids.h |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -969,6 +969,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_159_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
+@@ -977,12 +978,14 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_235_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_320_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1506,6 +1506,9 @@
+ #define BRAINBOXES_VX_023_PID         0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
+ #define BRAINBOXES_VX_034_PID         0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
+ #define BRAINBOXES_US_101_PID         0x1011 /* US-101 1xRS232 */
++#define BRAINBOXES_US_159_PID         0x1021 /* US-159 1xRS232 */
++#define BRAINBOXES_US_235_PID         0x1017 /* US-235 1xRS232 */
++#define BRAINBOXES_US_320_PID         0x1019 /* US-320 1xRS422/485 */
+ #define BRAINBOXES_US_324_PID         0x1013 /* US-324 1xRS422/485 1Mbaud */
+ #define BRAINBOXES_US_606_1_PID               0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
+ #define BRAINBOXES_US_606_2_PID               0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
diff --git a/queue-5.15/usb-serial-option-add-zte-mf286d-modem.patch b/queue-5.15/usb-serial-option-add-zte-mf286d-modem.patch
new file mode 100644 (file)
index 0000000..945cc76
--- /dev/null
@@ -0,0 +1,62 @@
+From d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 Mon Sep 17 00:00:00 2001
+From: Pawel Dembicki <paweldembicki@gmail.com>
+Date: Tue, 11 Jan 2022 23:12:05 +0100
+Subject: USB: serial: option: add ZTE MF286D modem
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+commit d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 upstream.
+
+Modem from ZTE MF286D is an Qualcomm MDM9250 based 3G/4G modem.
+
+T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=5000 MxCh= 0
+D:  Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
+P:  Vendor=19d2 ProdID=1485 Rev=52.87
+S:  Manufacturer=ZTE,Incorporated
+S:  Product=ZTE Technologies MSM
+S:  SerialNumber=MF286DZTED000000
+C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=896mA
+A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1649,6 +1649,8 @@ static const struct usb_device_id option
+         .driver_info = RSVD(2) },
+       { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },    /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */
++      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1485, 0xff, 0xff, 0xff),  /* ZTE MF286D */
++        .driver_info = RSVD(5) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
diff --git a/queue-5.15/usb-ulpi-call-of_node_put-correctly.patch b/queue-5.15/usb-ulpi-call-of_node_put-correctly.patch
new file mode 100644 (file)
index 0000000..f137953
--- /dev/null
@@ -0,0 +1,46 @@
+From 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b Mon Sep 17 00:00:00 2001
+From: Sean Anderson <sean.anderson@seco.com>
+Date: Thu, 27 Jan 2022 14:00:03 -0500
+Subject: usb: ulpi: Call of_node_put correctly
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+commit 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b upstream.
+
+of_node_put should always be called on device nodes gotten from
+of_get_*. Additionally, it should only be called after there are no
+remaining users. To address the first issue, call of_node_put if later
+steps in ulpi_register fail. To address the latter, call put_device if
+device_register fails, which will call ulpi_dev_release if necessary.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/20220127190004.1446909-3-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/common/ulpi.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -248,12 +248,16 @@ static int ulpi_register(struct device *
+               return ret;
+       ret = ulpi_read_id(ulpi);
+-      if (ret)
++      if (ret) {
++              of_node_put(ulpi->dev.of_node);
+               return ret;
++      }
+       ret = device_register(&ulpi->dev);
+-      if (ret)
++      if (ret) {
++              put_device(&ulpi->dev);
+               return ret;
++      }
+       dev_dbg(&ulpi->dev, "registered ULPI PHY: vendor %04x, product %04x\n",
+               ulpi->id.vendor, ulpi->id.product);
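Review bot: The two new failure branches leave the ulpi structure in different states while returning the same `ret`: after `ulpi_read_id()` fails it is still allocated, but after `put_device(&ulpi->dev)` it may already be gone. The companion ulpi patch in this queue makes `ulpi_dev_release()` end in `kfree(to_ulpi_dev(dev))`, so a caller that frees the structure on any error from ulpi_register() would free it a second time on the device_register() path. ulpi_register() starts and ends outside this hunk and its caller is not shown, so this needs confirming there. A single owner is safer: either the caller stops freeing once registration has been attempted, or every failure path here releases through the device. At minimum the branch should say so, e.g. `/* put_device() frees ulpi via ulpi_dev_release(); the caller must not free it again */`.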
diff --git a/queue-5.15/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch b/queue-5.15/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch
new file mode 100644 (file)
index 0000000..8497696
--- /dev/null
@@ -0,0 +1,41 @@
+From 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74 Mon Sep 17 00:00:00 2001
+From: Sean Anderson <sean.anderson@seco.com>
+Date: Thu, 27 Jan 2022 14:00:02 -0500
+Subject: usb: ulpi: Move of_node_put to ulpi_dev_release
+
+From: Sean Anderson <sean.anderson@seco.com>
+
+commit 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74 upstream.
+
+Drivers are not unbound from the device when ulpi_unregister_interface
+is called. Move of_node-freeing code to ulpi_dev_release which is called
+only after all users are gone.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Sean Anderson <sean.anderson@seco.com>
+Link: https://lore.kernel.org/r/20220127190004.1446909-2-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/common/ulpi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -130,6 +130,7 @@ static const struct attribute_group *ulp
+ static void ulpi_dev_release(struct device *dev)
+ {
++      of_node_put(dev->of_node);
+       kfree(to_ulpi_dev(dev));
+ }
+@@ -299,7 +300,6 @@ EXPORT_SYMBOL_GPL(ulpi_register_interfac
+  */
+ void ulpi_unregister_interface(struct ulpi *ulpi)
+ {
+-      of_node_put(ulpi->dev.of_node);
+       device_unregister(&ulpi->dev);
+ }
+ EXPORT_SYMBOL_GPL(ulpi_unregister_interface);
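Review bot: `ulpi_dev_release()` now owns two teardown steps, and the ordering rule behind the move is recorded only in the commit message. A short comment above the new line would keep a later cleanup from moving the put back into `ulpi_unregister_interface()`, for example `/* Runs after the last reference is dropped: only now is it safe to put the OF node and free the ulpi. */`. Where the node reference is taken is outside this hunk, so the comment should name that acquisition site once confirmed.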
diff --git a/queue-5.15/vt_ioctl-add-array_index_nospec-to-vt_activate.patch b/queue-5.15/vt_ioctl-add-array_index_nospec-to-vt_activate.patch
new file mode 100644 (file)
index 0000000..1391ca3
--- /dev/null
@@ -0,0 +1,39 @@
+From 28cb138f559f8c1a1395f5564f86b8bbee83631b Mon Sep 17 00:00:00 2001
+From: Jakob Koschel <jakobkoschel@gmail.com>
+Date: Thu, 27 Jan 2022 15:44:05 +0100
+Subject: vt_ioctl: add array_index_nospec to VT_ACTIVATE
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+commit 28cb138f559f8c1a1395f5564f86b8bbee83631b upstream.
+
+in vt_setactivate an almost identical code path has been patched
+with array_index_nospec. In the VT_ACTIVATE path the user input
+is from a system call argument instead of a usercopy.
+For consistency both code paths should have the same mitigations
+applied.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220127144406.3589293-2-jakobkoschel@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -845,6 +845,7 @@ int vt_ioctl(struct tty_struct *tty,
+                       return -ENXIO;
+               arg--;
++              arg = array_index_nospec(arg, MAX_NR_CONSOLES);
+               console_lock();
+               ret = vc_allocate(arg);
+               console_unlock();
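Review bot: The order of `arg--;` and the new `array_index_nospec()` line is what makes the clamp effective, yet nothing in the code records that. The sibling vt_setactivate patch in this queue exists because the same two steps were once written the other way round. I would add a comment on the new line, for example `/* clamp the 0-based index; must stay after the decrement so the bound is MAX_NR_CONSOLES */`. The architectural range check that precedes `return -ENXIO;` lies outside this hunk, so the bound should be confirmed to match it. Because the validate, decrement and clamp sequence now exists in two places, a small shared helper would stop the copies drifting again.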
diff --git a/queue-5.15/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch b/queue-5.15/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
new file mode 100644 (file)
index 0000000..17f2b66
--- /dev/null
@@ -0,0 +1,40 @@
+From 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 Mon Sep 17 00:00:00 2001
+From: Jakob Koschel <jakobkoschel@gmail.com>
+Date: Thu, 27 Jan 2022 15:44:04 +0100
+Subject: vt_ioctl: fix array_index_nospec in vt_setactivate
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+commit 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 upstream.
+
+array_index_nospec ensures that an out-of-bounds value is set to zero
+on the transient path. Decreasing the value by one afterwards causes
+a transient integer underflow. vsa.console should be decreased first
+and then sanitized with array_index_nospec.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -599,8 +599,8 @@ static int vt_setactivate(struct vt_seta
+       if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
+               return -ENXIO;
+-      vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES + 1);
+       vsa.console--;
++      vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES);
+       console_lock();
+       ret = vc_allocate(vsa.console);
+       if (ret) {