6.6-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2024 12:09:24 +0000 (13:09 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 11 Nov 2024 12:09:24 +0000 (13:09 +0100)
added patches:
filemap-fix-bounds-checking-in-filemap_read.patch
fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch
i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch
irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch
ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch
signal-restore-the-override_rlimit-logic.patch
ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch
usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch
usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch
usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch
usb-serial-option-add-fibocom-fg132-0x0112-composition.patch
usb-serial-option-add-quectel-rg650v.patch
usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch
usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch
usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch

16 files changed:
queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch [new file with mode: 0644]
queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch [new file with mode: 0644]
queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch [new file with mode: 0644]
queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch [new file with mode: 0644]
queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch [new file with mode: 0644]
queue-6.6/series
queue-6.6/signal-restore-the-override_rlimit-logic.patch [new file with mode: 0644]
queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch [new file with mode: 0644]
queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch [new file with mode: 0644]
queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch [new file with mode: 0644]
queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch [new file with mode: 0644]
queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch [new file with mode: 0644]
queue-6.6/usb-serial-option-add-quectel-rg650v.patch [new file with mode: 0644]
queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch [new file with mode: 0644]
queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch [new file with mode: 0644]
queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch [new file with mode: 0644]

diff --git a/queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch b/queue-6.6/filemap-fix-bounds-checking-in-filemap_read.patch
new file mode 100644 (file)
index 0000000..8444133
--- /dev/null
@@ -0,0 +1,37 @@
+From ace149e0830c380ddfce7e466fe860ca502fe4ee Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+Date: Fri, 13 Sep 2024 13:57:04 -0400
+Subject: filemap: Fix bounds checking in filemap_read()
+
+From: Trond Myklebust <trond.myklebust@hammerspace.com>
+
+commit ace149e0830c380ddfce7e466fe860ca502fe4ee upstream.
+
+If the caller supplies an iocb->ki_pos value that is close to the
+filesystem upper limit, and an iterator with a count that causes us to
+overflow that limit, then filemap_read() enters an infinite loop.
+
+This behaviour was discovered when testing xfstests generic/525 with the
+"localio" optimisation for loopback NFS mounts.
+
+Reported-by: Mike Snitzer <snitzer@kernel.org>
+Fixes: c2a9737f45e2 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
+Tested-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ mm/filemap.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/filemap.c
++++ b/mm/filemap.c
+@@ -2660,7 +2660,7 @@ ssize_t filemap_read(struct kiocb *iocb,
+       if (unlikely(!iov_iter_count(iter)))
+               return 0;
+-      iov_iter_truncate(iter, inode->i_sb->s_maxbytes);
++      iov_iter_truncate(iter, inode->i_sb->s_maxbytes - iocb->ki_pos);
+       folio_batch_init(&fbatch);
+       do {
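Review bot: The new length `inode->i_sb->s_maxbytes - iocb->ki_pos` is only meaningful while `ki_pos` is non-negative and below `s_maxbytes`, and the mm/filemap.c hunk shows no such guard; the only visible check is the zero-count one. If that range check does not already sit earlier in filemap_read() (the body starts and ends outside the hunk), the difference goes negative and, passed as the count to iov_iter_truncate(), no longer bounds the read. Assuming the check exists above, a one-line comment would stop the two from being separated later: `/* ki_pos < s_maxbytes was checked above, so this cannot go negative */`.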
diff --git a/queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch b/queue-6.6/fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch
new file mode 100644 (file)
index 0000000..e723743
--- /dev/null
@@ -0,0 +1,58 @@
+From b8ee299855f08539e04d6c1a6acb3dc9e5423c00 Mon Sep 17 00:00:00 2001
+From: Qi Xi <xiqi2@huawei.com>
+Date: Fri, 1 Nov 2024 11:48:03 +0800
+Subject: fs/proc: fix compile warning about variable 'vmcore_mmap_ops'
+
+From: Qi Xi <xiqi2@huawei.com>
+
+commit b8ee299855f08539e04d6c1a6acb3dc9e5423c00 upstream.
+
+When build with !CONFIG_MMU, the variable 'vmcore_mmap_ops'
+is defined but not used:
+
+>> fs/proc/vmcore.c:458:42: warning: unused variable 'vmcore_mmap_ops'
+     458 | static const struct vm_operations_struct vmcore_mmap_ops = {
+
+Fix this by only defining it when CONFIG_MMU is enabled.
+
+Link: https://lkml.kernel.org/r/20241101034803.9298-1-xiqi2@huawei.com
+Fixes: 9cb218131de1 ("vmcore: introduce remap_oldmem_pfn_range()")
+Signed-off-by: Qi Xi <xiqi2@huawei.com>
+Reported-by: kernel test robot <lkp@intel.com>
+Closes: https://lore.kernel.org/lkml/202410301936.GcE8yUos-lkp@intel.com/
+Cc: Baoquan He <bhe@redhat.com>
+Cc: Dave Young <dyoung@redhat.com>
+Cc: Michael Holzheu <holzheu@linux.vnet.ibm.com>
+Cc: Vivek Goyal <vgoyal@redhat.com>
+Cc: Wang ShaoBo <bobo.shaobowang@huawei.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/proc/vmcore.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/fs/proc/vmcore.c
++++ b/fs/proc/vmcore.c
+@@ -457,10 +457,6 @@ static vm_fault_t mmap_vmcore_fault(stru
+ #endif
+ }
+-static const struct vm_operations_struct vmcore_mmap_ops = {
+-      .fault = mmap_vmcore_fault,
+-};
+-
+ /**
+  * vmcore_alloc_buf - allocate buffer in vmalloc memory
+  * @size: size of buffer
+@@ -488,6 +484,11 @@ static inline char *vmcore_alloc_buf(siz
+  * virtually contiguous user-space in ELF layout.
+  */
+ #ifdef CONFIG_MMU
++
++static const struct vm_operations_struct vmcore_mmap_ops = {
++      .fault = mmap_vmcore_fault,
++};
++
+ /*
+  * remap_oldmem_pfn_checked - do remap_oldmem_pfn_range replacing all pages
+  * reported as not being ram with the zero page.
diff --git a/queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch b/queue-6.6/i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch
new file mode 100644 (file)
index 0000000..47dbcbd
--- /dev/null
@@ -0,0 +1,66 @@
+From 8de3e97f3d3d62cd9f3067f073e8ac93261597db Mon Sep 17 00:00:00 2001
+From: Liu Peibao <loven.liu@jaguarmicro.com>
+Date: Fri, 1 Nov 2024 16:12:43 +0800
+Subject: i2c: designware: do not hold SCL low when I2C_DYNAMIC_TAR_UPDATE is not set
+
+From: Liu Peibao <loven.liu@jaguarmicro.com>
+
+commit 8de3e97f3d3d62cd9f3067f073e8ac93261597db upstream.
+
+When the Tx FIFO is empty and the last command has no STOP bit
+set, the master holds SCL low. If I2C_DYNAMIC_TAR_UPDATE is not
+set, BIT(13) MST_ON_HOLD of IC_RAW_INTR_STAT is not enabled,
+causing the __i2c_dw_disable() timeout. This is quite similar to
+commit 2409205acd3c ("i2c: designware: fix __i2c_dw_disable() in
+case master is holding SCL low"). Also check BIT(7)
+MST_HOLD_TX_FIFO_EMPTY in IC_STATUS, which is available when
+IC_STAT_FOR_CLK_STRETCH is set.
+
+Fixes: 2409205acd3c ("i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low")
+Co-developed-by: Xiaowu Ding <xiaowu.ding@jaguarmicro.com>
+Signed-off-by: Xiaowu Ding <xiaowu.ding@jaguarmicro.com>
+Co-developed-by: Angus Chen <angus.chen@jaguarmicro.com>
+Signed-off-by: Angus Chen <angus.chen@jaguarmicro.com>
+Signed-off-by: Liu Peibao <loven.liu@jaguarmicro.com>
+Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
+Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/i2c/busses/i2c-designware-common.c |    6 ++++--
+ drivers/i2c/busses/i2c-designware-core.h   |    1 +
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-designware-common.c
++++ b/drivers/i2c/busses/i2c-designware-common.c
+@@ -442,7 +442,7 @@ err_release_lock:
+ void __i2c_dw_disable(struct dw_i2c_dev *dev)
+ {
+       struct i2c_timings *t = &dev->timings;
+-      unsigned int raw_intr_stats;
++      unsigned int raw_intr_stats, ic_stats;
+       unsigned int enable;
+       int timeout = 100;
+       bool abort_needed;
+@@ -450,9 +450,11 @@ void __i2c_dw_disable(struct dw_i2c_dev
+       int ret;
+       regmap_read(dev->map, DW_IC_RAW_INTR_STAT, &raw_intr_stats);
++      regmap_read(dev->map, DW_IC_STATUS, &ic_stats);
+       regmap_read(dev->map, DW_IC_ENABLE, &enable);
+-      abort_needed = raw_intr_stats & DW_IC_INTR_MST_ON_HOLD;
++      abort_needed = (raw_intr_stats & DW_IC_INTR_MST_ON_HOLD) ||
++                      (ic_stats & DW_IC_STATUS_MASTER_HOLD_TX_FIFO_EMPTY);
+       if (abort_needed) {
+               if (!(enable & DW_IC_ENABLE_ENABLE)) {
+                       regmap_write(dev->map, DW_IC_ENABLE, DW_IC_ENABLE_ENABLE);
+--- a/drivers/i2c/busses/i2c-designware-core.h
++++ b/drivers/i2c/busses/i2c-designware-core.h
+@@ -117,6 +117,7 @@
+ #define DW_IC_STATUS_RFNE                     BIT(3)
+ #define DW_IC_STATUS_MASTER_ACTIVITY          BIT(5)
+ #define DW_IC_STATUS_SLAVE_ACTIVITY           BIT(6)
++#define DW_IC_STATUS_MASTER_HOLD_TX_FIFO_EMPTY        BIT(7)
+ #define DW_IC_SDA_HOLD_RX_SHIFT                       16
+ #define DW_IC_SDA_HOLD_RX_MASK                        GENMASK(23, 16)
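Review bot: In the second hunk of i2c-designware-common.c the added `regmap_read(dev->map, DW_IC_STATUS, &ic_stats);` discards its return value, while `ic_stats` is declared without an initialiser in the first hunk, so a failed read leaves `abort_needed` computed from an indeterminate value. The neighbouring reads follow the same pattern, but the new OR term adds a second way for a bad read to start the abort sequence. Initialising at the declaration is enough: `unsigned int raw_intr_stats = 0, ic_stats = 0;`. The commit message says the bit is only available when IC_STAT_FOR_CLK_STRETCH is set, and a short comment next to `DW_IC_STATUS_MASTER_HOLD_TX_FIFO_EMPTY` in i2c-designware-core.h should record that. __i2c_dw_disable() continues past the end of the hunk.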
diff --git a/queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch b/queue-6.6/irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch
new file mode 100644 (file)
index 0000000..d5c019d
--- /dev/null
@@ -0,0 +1,57 @@
+From 464cb98f1c07298c4c10e714ae0c36338d18d316 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Wed, 6 Nov 2024 08:44:18 +0000
+Subject: irqchip/gic-v3: Force propagation of the active state with a read-back
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 464cb98f1c07298c4c10e714ae0c36338d18d316 upstream.
+
+Christoffer reports that on some implementations, writing to
+GICR_ISACTIVER0 (and similar GICD registers) can race badly with a guest
+issuing a deactivation of that interrupt via the system register interface.
+
+There are multiple reasons to this:
+
+ - this uses an early write-acknoledgement memory type (nGnRE), meaning
+   that the write may only have made it as far as some interconnect
+   by the time the store is considered "done"
+
+ - the GIC itself is allowed to buffer the write until it decides to
+   take it into account (as long as it is in finite time)
+
+The effects are that the activation may not have taken effect by the time
+the kernel enters the guest, forcing an immediate exit, or that a guest
+deactivation occurs before the interrupt is active, doing nothing.
+
+In order to guarantee that the write to the ISACTIVER register has taken
+effect, read back from it, forcing the interconnect to propagate the write,
+and the GIC to process the write before returning the read.
+
+Reported-by: Christoffer Dall <christoffer.dall@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Acked-by: Christoffer Dall <christoffer.dall@arm.com>
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/all/20241106084418.3794612-1-maz@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/irqchip/irq-gic-v3.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/irqchip/irq-gic-v3.c
++++ b/drivers/irqchip/irq-gic-v3.c
+@@ -468,6 +468,13 @@ static int gic_irq_set_irqchip_state(str
+       }
+       gic_poke_irq(d, reg);
++
++      /*
++       * Force read-back to guarantee that the active state has taken
++       * effect, and won't race with a guest-driven deactivation.
++       */
++      if (reg == GICD_ISACTIVER)
++              gic_peek_irq(d, reg);
+       return 0;
+ }
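Review bot: The read-back in gic_irq_set_irqchip_state() is gated on `reg == GICD_ISACTIVER` only, and the added comment does not say why the other registers written through the same `gic_poke_irq(d, reg)` call are left without one. The commit message describes the write buffering as a general property of the memory type and of the GIC, so a reader may reasonably wonder whether clearing the active state has the same ordering problem. Extending the comment would settle it, for example `/* Only activation is read back: <reason the other writes may stay posted> */`, with the reason filled in by someone who knows the hardware. The function starts outside the hunk.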
diff --git a/queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch b/queue-6.6/ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch
new file mode 100644 (file)
index 0000000..7fb42df
--- /dev/null
@@ -0,0 +1,91 @@
+From 0b63c0e01fba40e3992bc627272ec7b618ccaef7 Mon Sep 17 00:00:00 2001
+From: Andrew Kanner <andrew.kanner@gmail.com>
+Date: Sun, 3 Nov 2024 20:38:45 +0100
+Subject: ocfs2: remove entry once instead of null-ptr-dereference in ocfs2_xa_remove()
+
+From: Andrew Kanner <andrew.kanner@gmail.com>
+
+commit 0b63c0e01fba40e3992bc627272ec7b618ccaef7 upstream.
+
+Syzkaller is able to provoke null-ptr-dereference in ocfs2_xa_remove():
+
+[   57.319872] (a.out,1161,7):ocfs2_xa_remove:2028 ERROR: status = -12
+[   57.320420] (a.out,1161,7):ocfs2_xa_cleanup_value_truncate:1999 ERROR: Partial truncate while removing xattr overlay.upper.  Leaking 1 clusters and removing the entry
+[   57.321727] BUG: kernel NULL pointer dereference, address: 0000000000000004
+[...]
+[   57.325727] RIP: 0010:ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
+[...]
+[   57.331328] Call Trace:
+[   57.331477]  <TASK>
+[...]
+[   57.333511]  ? do_user_addr_fault+0x3e5/0x740
+[   57.333778]  ? exc_page_fault+0x70/0x170
+[   57.334016]  ? asm_exc_page_fault+0x2b/0x30
+[   57.334263]  ? __pfx_ocfs2_xa_block_wipe_namevalue+0x10/0x10
+[   57.334596]  ? ocfs2_xa_block_wipe_namevalue+0x2a/0xc0
+[   57.334913]  ocfs2_xa_remove_entry+0x23/0xc0
+[   57.335164]  ocfs2_xa_set+0x704/0xcf0
+[   57.335381]  ? _raw_spin_unlock+0x1a/0x40
+[   57.335620]  ? ocfs2_inode_cache_unlock+0x16/0x20
+[   57.335915]  ? trace_preempt_on+0x1e/0x70
+[   57.336153]  ? start_this_handle+0x16c/0x500
+[   57.336410]  ? preempt_count_sub+0x50/0x80
+[   57.336656]  ? _raw_read_unlock+0x20/0x40
+[   57.336906]  ? start_this_handle+0x16c/0x500
+[   57.337162]  ocfs2_xattr_block_set+0xa6/0x1e0
+[   57.337424]  __ocfs2_xattr_set_handle+0x1fd/0x5d0
+[   57.337706]  ? ocfs2_start_trans+0x13d/0x290
+[   57.337971]  ocfs2_xattr_set+0xb13/0xfb0
+[   57.338207]  ? dput+0x46/0x1c0
+[   57.338393]  ocfs2_xattr_trusted_set+0x28/0x30
+[   57.338665]  ? ocfs2_xattr_trusted_set+0x28/0x30
+[   57.338948]  __vfs_removexattr+0x92/0xc0
+[   57.339182]  __vfs_removexattr_locked+0xd5/0x190
+[   57.339456]  ? preempt_count_sub+0x50/0x80
+[   57.339705]  vfs_removexattr+0x5f/0x100
+[...]
+
+Reproducer uses faultinject facility to fail ocfs2_xa_remove() ->
+ocfs2_xa_value_truncate() with -ENOMEM.
+
+In this case the comment mentions that we can return 0 if
+ocfs2_xa_cleanup_value_truncate() is going to wipe the entry
+anyway. But the following 'rc' check is wrong and execution flow do
+'ocfs2_xa_remove_entry(loc);' twice:
+* 1st: in ocfs2_xa_cleanup_value_truncate();
+* 2nd: returning back to ocfs2_xa_remove() instead of going to 'out'.
+
+Fix this by skipping the 2nd removal of the same entry and making
+syzkaller repro happy.
+
+Link: https://lkml.kernel.org/r/20241103193845.2940988-1-andrew.kanner@gmail.com
+Fixes: 399ff3a748cf ("ocfs2: Handle errors while setting external xattr values.")
+Signed-off-by: Andrew Kanner <andrew.kanner@gmail.com>
+Reported-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
+Closes: https://lore.kernel.org/all/671e13ab.050a0220.2b8c0f.01d0.GAE@google.com/T/
+Tested-by: syzbot+386ce9e60fa1b18aac5b@syzkaller.appspotmail.com
+Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
+Cc: Mark Fasheh <mark@fasheh.com>
+Cc: Joel Becker <jlbec@evilplan.org>
+Cc: Junxiao Bi <junxiao.bi@oracle.com>
+Cc: Changwei Ge <gechangwei@live.cn>
+Cc: Jun Piao <piaojun@huawei.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ocfs2/xattr.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/fs/ocfs2/xattr.c
++++ b/fs/ocfs2/xattr.c
+@@ -2036,8 +2036,7 @@ static int ocfs2_xa_remove(struct ocfs2_
+                               rc = 0;
+                       ocfs2_xa_cleanup_value_truncate(loc, "removing",
+                                                       orig_clusters);
+-                      if (rc)
+-                              goto out;
++                      goto out;
+               }
+       }
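Review bot: The now unconditional `goto out;` in ocfs2_xa_remove() is correct only if ocfs2_xa_cleanup_value_truncate() has already removed the entry in every case where `rc` was reset to 0 just above, and that coupling is not stated anywhere in the visible lines. The commit message mentions an existing comment, outside the hunk, that explains why 0 may be returned; it presumably does not say that the entry must not be removed a second time. A comment on the jump would record it: `/* the cleanup helper removes the entry when it needs to; never fall through to ocfs2_xa_remove_entry() */`. The function begins and ends outside the hunk, so the `out` label and what runs after it cannot be checked from here.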
index 86f5ea54337f331ed023cb258248481dcdf3d219..99e52f0c38c128a87dcf624c1a1a73d12693b8c6 100644 (file)
@@ -99,3 +99,18 @@ riscv-purgatory-align-riscv_kernel_entry.patch
 revert-wifi-mac80211-fix-rcu-list-iterations.patch
 revert-selftests-bpf-implement-get_hw_ring_size-function-to-retrieve-current-and-max-interface-size.patch
 media-uvcvideo-skip-parsing-frames-of-type-uvc_vs_undefined-in-uvc_parse_format.patch
+filemap-fix-bounds-checking-in-filemap_read.patch
+i2c-designware-do-not-hold-scl-low-when-i2c_dynamic_tar_update-is-not-set.patch
+fs-proc-fix-compile-warning-about-variable-vmcore_mmap_ops.patch
+signal-restore-the-override_rlimit-logic.patch
+usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch
+usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch
+usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch
+usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch
+usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch
+usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch
+usb-serial-option-add-fibocom-fg132-0x0112-composition.patch
+usb-serial-option-add-quectel-rg650v.patch
+irqchip-gic-v3-force-propagation-of-the-active-state-with-a-read-back.patch
+ocfs2-remove-entry-once-instead-of-null-ptr-dereference-in-ocfs2_xa_remove.patch
+ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch
diff --git a/queue-6.6/signal-restore-the-override_rlimit-logic.patch b/queue-6.6/signal-restore-the-override_rlimit-logic.patch
new file mode 100644 (file)
index 0000000..80a35ce
--- /dev/null
@@ -0,0 +1,91 @@
+From 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed Mon Sep 17 00:00:00 2001
+From: Roman Gushchin <roman.gushchin@linux.dev>
+Date: Mon, 4 Nov 2024 19:54:19 +0000
+Subject: signal: restore the override_rlimit logic
+
+From: Roman Gushchin <roman.gushchin@linux.dev>
+
+commit 9e05e5c7ee8758141d2db7e8fea2cab34500c6ed upstream.
+
+Prior to commit d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of
+ucounts") UCOUNT_RLIMIT_SIGPENDING rlimit was not enforced for a class of
+signals.  However now it's enforced unconditionally, even if
+override_rlimit is set.  This behavior change caused production issues.
+
+For example, if the limit is reached and a process receives a SIGSEGV
+signal, sigqueue_alloc fails to allocate the necessary resources for the
+signal delivery, preventing the signal from being delivered with siginfo.
+This prevents the process from correctly identifying the fault address and
+handling the error.  From the user-space perspective, applications are
+unaware that the limit has been reached and that the siginfo is
+effectively 'corrupted'.  This can lead to unpredictable behavior and
+crashes, as we observed with java applications.
+
+Fix this by passing override_rlimit into inc_rlimit_get_ucounts() and skip
+the comparison to max there if override_rlimit is set.  This effectively
+restores the old behavior.
+
+Link: https://lkml.kernel.org/r/20241104195419.3962584-1-roman.gushchin@linux.dev
+Fixes: d64696905554 ("Reimplement RLIMIT_SIGPENDING on top of ucounts")
+Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
+Co-developed-by: Andrei Vagin <avagin@google.com>
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Acked-by: Alexey Gladkov <legion@kernel.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/linux/user_namespace.h |    3 ++-
+ kernel/signal.c                |    3 ++-
+ kernel/ucount.c                |    6 ++++--
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/include/linux/user_namespace.h
++++ b/include/linux/user_namespace.h
+@@ -131,7 +131,8 @@ static inline long get_rlimit_value(stru
+ long inc_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
+ bool dec_rlimit_ucounts(struct ucounts *ucounts, enum rlimit_type type, long v);
+-long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type);
++long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type,
++                          bool override_rlimit);
+ void dec_rlimit_put_ucounts(struct ucounts *ucounts, enum rlimit_type type);
+ bool is_rlimit_overlimit(struct ucounts *ucounts, enum rlimit_type type, unsigned long max);
+--- a/kernel/signal.c
++++ b/kernel/signal.c
+@@ -428,7 +428,8 @@ __sigqueue_alloc(int sig, struct task_st
+        */
+       rcu_read_lock();
+       ucounts = task_ucounts(t);
+-      sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING);
++      sigpending = inc_rlimit_get_ucounts(ucounts, UCOUNT_RLIMIT_SIGPENDING,
++                                          override_rlimit);
+       rcu_read_unlock();
+       if (!sigpending)
+               return NULL;
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -308,7 +308,8 @@ void dec_rlimit_put_ucounts(struct ucoun
+       do_dec_rlimit_put_ucounts(ucounts, NULL, type);
+ }
+-long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type)
++long inc_rlimit_get_ucounts(struct ucounts *ucounts, enum rlimit_type type,
++                          bool override_rlimit)
+ {
+       /* Caller must hold a reference to ucounts */
+       struct ucounts *iter;
+@@ -321,7 +322,8 @@ long inc_rlimit_get_ucounts(struct ucoun
+                       goto unwind;
+               if (iter == ucounts)
+                       ret = new;
+-              max = get_userns_rlimit_max(iter->ns, type);
++              if (!override_rlimit)
++                      max = get_userns_rlimit_max(iter->ns, type);
+               /*
+                * Grab an extra ucount reference for the caller when
+                * the rlimit count was previously 0.
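Review bot: With `override_rlimit` set, the kernel/ucount.c hunk never assigns `max`, so the comparison against it is effectively disabled at every level of the namespace walk. Correctness then rests on the initial value of `max`, which is declared outside the hunk (presumably the largest long). Nothing at the prototype in user_namespace.h or at the definition says which callers may pass true, and this flag is what lets a queued signal bypass RLIMIT_SIGPENDING. A short comment at the definition would make the contract reviewable, e.g. `/* @override_rlimit: skip the comparison against the per-namespace maximum */`, ideally with a sentence on which signals qualify. The loop body continues past the end of the hunk.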
diff --git a/queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch b/queue-6.6/ucounts-fix-counter-leak-in-inc_rlimit_get_ucounts.patch
new file mode 100644 (file)
index 0000000..56858c0
--- /dev/null
@@ -0,0 +1,51 @@
+From 432dc0654c612457285a5dcf9bb13968ac6f0804 Mon Sep 17 00:00:00 2001
+From: Andrei Vagin <avagin@google.com>
+Date: Fri, 1 Nov 2024 19:19:40 +0000
+Subject: ucounts: fix counter leak in inc_rlimit_get_ucounts()
+
+From: Andrei Vagin <avagin@google.com>
+
+commit 432dc0654c612457285a5dcf9bb13968ac6f0804 upstream.
+
+The inc_rlimit_get_ucounts() increments the specified rlimit counter and
+then checks its limit.  If the value exceeds the limit, the function
+returns an error without decrementing the counter.
+
+Link: https://lkml.kernel.org/r/20241101191940.3211128-1-roman.gushchin@linux.dev
+Fixes: 15bc01effefe ("ucounts: Fix signal ucount refcounting")
+Signed-off-by: Andrei Vagin <avagin@google.com>
+Co-developed-by: Roman Gushchin <roman.gushchin@linux.dev>
+Signed-off-by: Roman Gushchin <roman.gushchin@linux.dev>
+Tested-by: Roman Gushchin <roman.gushchin@linux.dev>
+Acked-by: Alexey Gladkov <legion@kernel.org>
+Cc: Kees Cook <kees@kernel.org>
+Cc: Andrei Vagin <avagin@google.com>
+Cc: "Eric W. Biederman" <ebiederm@xmission.com>
+Cc: Alexey Gladkov <legion@kernel.org>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/ucount.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/kernel/ucount.c
++++ b/kernel/ucount.c
+@@ -319,7 +319,7 @@ long inc_rlimit_get_ucounts(struct ucoun
+       for (iter = ucounts; iter; iter = iter->ns->ucounts) {
+               long new = atomic_long_add_return(1, &iter->rlimit[type]);
+               if (new < 0 || new > max)
+-                      goto unwind;
++                      goto dec_unwind;
+               if (iter == ucounts)
+                       ret = new;
+               if (!override_rlimit)
+@@ -337,7 +337,6 @@ long inc_rlimit_get_ucounts(struct ucoun
+ dec_unwind:
+       dec = atomic_long_sub_return(1, &iter->rlimit[type]);
+       WARN_ON_ONCE(dec < 0);
+-unwind:
+       do_dec_rlimit_put_ucounts(ucounts, iter, type);
+       return 0;
+ }
diff --git a/queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch b/queue-6.6/usb-dwc3-fix-fault-at-system-suspend-if-device-was-already-runtime-suspended.patch
new file mode 100644 (file)
index 0000000..47d7bd8
--- /dev/null
@@ -0,0 +1,69 @@
+From 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@kernel.org>
+Date: Mon, 4 Nov 2024 16:00:11 +0200
+Subject: usb: dwc3: fix fault at system suspend if device was already runtime suspended
+
+From: Roger Quadros <rogerq@kernel.org>
+
+commit 9cfb31e4c89d200d8ab7cb1e0bb9e6e8d621ca0b upstream.
+
+If the device was already runtime suspended then during system suspend
+we cannot access the device registers else it will crash.
+
+Also we cannot access any registers after dwc3_core_exit() on some
+platforms so move the dwc3_enable_susphy() call to the top.
+
+Cc: stable@vger.kernel.org # v5.15+
+Reported-by: William McVicker <willmcvicker@google.com>
+Closes: https://lore.kernel.org/all/ZyVfcUuPq56R2m1Y@google.com
+Fixes: 705e3ce37bcc ("usb: dwc3: core: Fix system suspend on TI AM62 platforms")
+Signed-off-by: Roger Quadros <rogerq@kernel.org>
+Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Tested-by: Will McVicker <willmcvicker@google.com>
+Link: https://lore.kernel.org/r/20241104-am62-lpm-usb-fix-v1-1-e93df73a4f0d@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/core.c |   25 ++++++++++++-------------
+ 1 file changed, 12 insertions(+), 13 deletions(-)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -2106,10 +2106,18 @@ static int dwc3_suspend_common(struct dw
+ {
+       u32 reg;
+-      dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
+-                          DWC3_GUSB2PHYCFG_SUSPHY) ||
+-                          (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) &
+-                          DWC3_GUSB3PIPECTL_SUSPHY);
++      if (!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)) {
++              dwc->susphy_state = (dwc3_readl(dwc->regs, DWC3_GUSB2PHYCFG(0)) &
++                                  DWC3_GUSB2PHYCFG_SUSPHY) ||
++                                  (dwc3_readl(dwc->regs, DWC3_GUSB3PIPECTL(0)) &
++                                  DWC3_GUSB3PIPECTL_SUSPHY);
++              /*
++               * TI AM62 platform requires SUSPHY to be
++               * enabled for system suspend to work.
++               */
++              if (!dwc->susphy_state)
++                      dwc3_enable_susphy(dwc, true);
++      }
+       switch (dwc->current_dr_role) {
+       case DWC3_GCTL_PRTCAP_DEVICE:
+@@ -2158,15 +2166,6 @@ static int dwc3_suspend_common(struct dw
+               break;
+       }
+-      if (!PMSG_IS_AUTO(msg)) {
+-              /*
+-               * TI AM62 platform requires SUSPHY to be
+-               * enabled for system suspend to work.
+-               */
+-              if (!dwc->susphy_state)
+-                      dwc3_enable_susphy(dwc, true);
+-      }
+-
+       return 0;
+ }
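Review bot: When the new guard `!pm_runtime_suspended(dwc->dev) && !PMSG_IS_AUTO(msg)` is false, `dwc->susphy_state` is no longer written at all in dwc3_suspend_common(), so it keeps whatever an earlier suspend stored. If the resume path, which is not part of this patch, restores SUSPHY from that field, a system suspend entered while the device was runtime suspended would restore a stale value. Either rule that out in a comment at the guard or give the field a defined value on the skipped path. The first hunk starts at the top of the function and the second ends at its `return 0;`, but the switch in between is only partly shown.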
diff --git a/queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch b/queue-6.6/usb-musb-sunxi-fix-accessing-an-released-usb-phy.patch
new file mode 100644 (file)
index 0000000..22c62a4
--- /dev/null
@@ -0,0 +1,50 @@
+From 498dbd9aea205db9da674994b74c7bf8e18448bd Mon Sep 17 00:00:00 2001
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+Date: Tue, 29 Oct 2024 23:13:38 +0800
+Subject: usb: musb: sunxi: Fix accessing an released usb phy
+
+From: Zijun Hu <quic_zijuhu@quicinc.com>
+
+commit 498dbd9aea205db9da674994b74c7bf8e18448bd upstream.
+
+Commit 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on
+exit") will cause that usb phy @glue->xceiv is accessed after released.
+
+1) register platform driver @sunxi_musb_driver
+// get the usb phy @glue->xceiv
+sunxi_musb_probe() -> devm_usb_get_phy().
+
+2) register and unregister platform driver @musb_driver
+musb_probe() -> sunxi_musb_init()
+use the phy here
+//the phy is released here
+musb_remove() -> sunxi_musb_exit() -> devm_usb_put_phy()
+
+3) register @musb_driver again
+musb_probe() -> sunxi_musb_init()
+use the phy here but the phy has been released at 2).
+...
+
+Fixed by reverting the commit, namely, removing devm_usb_put_phy()
+from sunxi_musb_exit().
+
+Fixes: 6ed05c68cbca ("usb: musb: sunxi: Explicitly release USB PHY on exit")
+Cc: stable@vger.kernel.org
+Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
+Link: https://lore.kernel.org/r/20241029-sunxi_fix-v1-1-9431ed2ab826@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/sunxi.c |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/musb/sunxi.c
++++ b/drivers/usb/musb/sunxi.c
+@@ -293,8 +293,6 @@ static int sunxi_musb_exit(struct musb *
+       if (test_bit(SUNXI_MUSB_FL_HAS_SRAM, &glue->flags))
+               sunxi_sram_release(musb->controller->parent);
+-      devm_usb_put_phy(glue->dev, glue->xceiv);
+-
+       return 0;
+ }
diff --git a/queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch b/queue-6.6/usb-serial-io_edgeport-fix-use-after-free-in-debug-printk.patch
new file mode 100644 (file)
index 0000000..298f71a
--- /dev/null
@@ -0,0 +1,49 @@
+From 37bb5628379295c1254c113a407cab03a0f4d0b4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Thu, 31 Oct 2024 12:48:30 +0300
+Subject: USB: serial: io_edgeport: fix use after free in debug printk
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 37bb5628379295c1254c113a407cab03a0f4d0b4 upstream.
+
+The "dev_dbg(&urb->dev->dev, ..." which happens after usb_free_urb(urb)
+is a use after free of the "urb" pointer.  Store the "dev" pointer at the
+start of the function to avoid this issue.
+
+Fixes: 984f68683298 ("USB: serial: io_edgeport.c: remove dbg() usage")
+Cc: stable@vger.kernel.org
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/io_edgeport.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/io_edgeport.c
++++ b/drivers/usb/serial/io_edgeport.c
+@@ -770,11 +770,12 @@ static void edge_bulk_out_data_callback(
+ static void edge_bulk_out_cmd_callback(struct urb *urb)
+ {
+       struct edgeport_port *edge_port = urb->context;
++      struct device *dev = &urb->dev->dev;
+       int status = urb->status;
+       atomic_dec(&CmdUrbs);
+-      dev_dbg(&urb->dev->dev, "%s - FREE URB %p (outstanding %d)\n",
+-              __func__, urb, atomic_read(&CmdUrbs));
++      dev_dbg(dev, "%s - FREE URB %p (outstanding %d)\n", __func__, urb,
++              atomic_read(&CmdUrbs));
+       /* clean up the transfer buffer */
+@@ -784,8 +785,7 @@ static void edge_bulk_out_cmd_callback(s
+       usb_free_urb(urb);
+       if (status) {
+-              dev_dbg(&urb->dev->dev,
+-                      "%s - nonzero write bulk status received: %d\n",
++              dev_dbg(dev, "%s - nonzero write bulk status received: %d\n",
+                       __func__, status);
+               return;
+       }
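Review bot: The cached `dev` pointer in edge_bulk_out_cmd_callback() exists only because the urb is freed before the last `dev_dbg()`, and the declaration does not say so. That makes it easy for a later cleanup to fold it back into `&urb->dev->dev`. A short comment at the declaration would protect the fix: `/* cached up front: urb is freed before the final dev_dbg() */`. The tail of the function after the `if (status)` block lies outside the hunk, so any further use of `urb` there cannot be ruled out from this page.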
diff --git a/queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch b/queue-6.6/usb-serial-option-add-fibocom-fg132-0x0112-composition.patch
new file mode 100644 (file)
index 0000000..665899a
--- /dev/null
@@ -0,0 +1,53 @@
+From 393c74ccbd847bacf18865a01b422586fc7341cf Mon Sep 17 00:00:00 2001
+From: Reinhard Speyerer <rspmn@arcor.de>
+Date: Fri, 18 Oct 2024 23:07:06 +0200
+Subject: USB: serial: option: add Fibocom FG132 0x0112 composition
+
+From: Reinhard Speyerer <rspmn@arcor.de>
+
+commit 393c74ccbd847bacf18865a01b422586fc7341cf upstream.
+
+Add Fibocom FG132 0x0112 composition:
+
+T:  Bus=03 Lev=02 Prnt=06 Port=01 Cnt=02 Dev#= 10 Spd=12   MxCh= 0
+D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=2cb7 ProdID=0112 Rev= 5.15
+S:  Manufacturer=Fibocom Wireless Inc.
+S:  Product=Fibocom Module
+S:  SerialNumber=xxxxxxxx
+C:* #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
+E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=84(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=86(I) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS=  64 Ivl=0ms
+
+Signed-off-by: Reinhard Speyerer <rspmn@arcor.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -2320,6 +2320,9 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0xff, 0x30) },    /* Fibocom FG150 Diag */
+       { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x010b, 0xff, 0, 0) },          /* Fibocom FG150 AT */
+       { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0111, 0xff) },                   /* Fibocom FM160 (MBIM mode) */
++      { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0xff, 0x30) },    /* Fibocom FG132 Diag */
++      { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0xff, 0x40) },    /* Fibocom FG132 AT */
++      { USB_DEVICE_AND_INTERFACE_INFO(0x2cb7, 0x0112, 0xff, 0, 0) },          /* Fibocom FG132 NMEA */
+       { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x0115, 0xff),                     /* Fibocom FM135 (laptop MBIM) */
+         .driver_info = RSVD(5) },
+       { USB_DEVICE_INTERFACE_CLASS(0x2cb7, 0x01a0, 0xff) },                   /* Fibocom NL668-AM/NL652-EU (laptop MBIM) */
diff --git a/queue-6.6/usb-serial-option-add-quectel-rg650v.patch b/queue-6.6/usb-serial-option-add-quectel-rg650v.patch
new file mode 100644 (file)
index 0000000..057ea54
--- /dev/null
@@ -0,0 +1,68 @@
+From 3b05949ba39f305b585452d0e177470607842165 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Beno=C3=AEt=20Monin?= <benoit.monin@gmx.fr>
+Date: Thu, 24 Oct 2024 17:09:19 +0200
+Subject: USB: serial: option: add Quectel RG650V
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Benoît Monin <benoit.monin@gmx.fr>
+
+commit 3b05949ba39f305b585452d0e177470607842165 upstream.
+
+Add support for Quectel RG650V which is based on Qualcomm SDX65 chip.
+The composition is DIAG / NMEA / AT / AT / QMI.
+
+T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=5000 MxCh= 0
+D:  Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
+P:  Vendor=2c7c ProdID=0122 Rev=05.15
+S:  Manufacturer=Quectel
+S:  Product=RG650V-EU
+S:  SerialNumber=xxxxxxx
+C:  #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=896mA
+I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:  If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=85(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=86(I) Atr=03(Int.) MxPS=  10 Ivl=9ms
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=87(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=9ms
+
+Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -251,6 +251,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_VENDOR_ID                     0x2c7c
+ /* These Quectel products use Quectel's vendor ID */
+ #define QUECTEL_PRODUCT_EC21                  0x0121
++#define QUECTEL_PRODUCT_RG650V                        0x0122
+ #define QUECTEL_PRODUCT_EM061K_LTA            0x0123
+ #define QUECTEL_PRODUCT_EM061K_LMS            0x0124
+ #define QUECTEL_PRODUCT_EC25                  0x0125
+@@ -1273,6 +1274,8 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG912Y, 0xff, 0, 0) },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG916Q, 0xff, 0x00, 0x00) },
+       { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500K, 0xff, 0x00, 0x00) },
++      { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0xff, 0x30) },
++      { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RG650V, 0xff, 0, 0) },
+       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
diff --git a/queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch b/queue-6.6/usb-serial-qcserial-add-support-for-sierra-wireless-em86xx.patch
new file mode 100644 (file)
index 0000000..8680303
--- /dev/null
@@ -0,0 +1,70 @@
+From 25eb47eed52979c2f5eee3f37e6c67714e02c49c Mon Sep 17 00:00:00 2001
+From: Jack Wu <wojackbb@gmail.com>
+Date: Wed, 6 Nov 2024 18:50:29 +0800
+Subject: USB: serial: qcserial: add support for Sierra Wireless EM86xx
+
+From: Jack Wu <wojackbb@gmail.com>
+
+commit 25eb47eed52979c2f5eee3f37e6c67714e02c49c upstream.
+
+Add support for Sierra Wireless EM86xx with USB-id 0x1199:0x90e5 and
+0x1199:0x90e4.
+
+0x1199:0x90e5
+T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 14 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
+P:  Vendor=1199 ProdID=90e5 Rev= 5.15
+S:  Manufacturer=Sierra Wireless, Incorporated
+S:  Product=Semtech EM8695 Mobile Broadband Adapter
+S:  SerialNumber=004403161882339
+C:* #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+A:  FirstIf#=12 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=qcserial
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=qcserial
+E:  Ad=84(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+E:  Ad=85(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:* If#=12 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
+E:  Ad=87(I) Atr=03(Int.) MxPS=  64 Ivl=32ms
+I:  If#=13 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I:* If#=13 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+0x1199:0x90e4
+T:  Bus=03 Lev=01 Prnt=01 Port=05 Cnt=01 Dev#= 16 Spd=480  MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=1199 ProdID=90e4 Rev= 0.00
+S:  Manufacturer=Sierra Wireless, Incorporated
+S:  SerialNumber=004403161882339
+C:* #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=  2mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Signed-off-by: Jack Wu <wojackbb@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/qcserial.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -166,6 +166,8 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x1199, 0x9090)},   /* Sierra Wireless EM7565 QDL */
+       {DEVICE_SWI(0x1199, 0x9091)},   /* Sierra Wireless EM7565 */
+       {DEVICE_SWI(0x1199, 0x90d2)},   /* Sierra Wireless EM9191 QDL */
++      {DEVICE_SWI(0x1199, 0x90e4)},   /* Sierra Wireless EM86xx QDL*/
++      {DEVICE_SWI(0x1199, 0x90e5)},   /* Sierra Wireless EM86xx */
+       {DEVICE_SWI(0x1199, 0xc080)},   /* Sierra Wireless EM7590 QDL */
+       {DEVICE_SWI(0x1199, 0xc081)},   /* Sierra Wireless EM7590 */
+       {DEVICE_SWI(0x413c, 0x81a2)},   /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
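Review bot: The usb-devices dumps in this patch's description carry an unmasked 15-digit value, `SerialNumber=004403161882339`, in both the 0x1199:0x90e5 and 0x1199:0x90e4 listings, which may be a real device identifier. The two option patches earlier on this page mask theirs as `SerialNumber=xxxxxxxx`. I would mask it the same way, e.g. `S:  SerialNumber=xxxxxxxxxxxxxxx`, since the value adds nothing to the ID-table change. As a style nit on the new side, the added comment `/* Sierra Wireless EM86xx QDL*/` lacks the space before `*/` that the neighbouring entries have; it should read `/* Sierra Wireless EM86xx QDL */`. The id_table continues outside the hunk.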
diff --git a/queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch b/queue-6.6/usb-typec-fix-potential-out-of-bounds-in-ucsi_ccg_update_set_new_cam_cmd.patch
new file mode 100644 (file)
index 0000000..0b4f502
--- /dev/null
@@ -0,0 +1,41 @@
+From 7dd08a0b4193087976db6b3ee7807de7e8316f96 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@linaro.org>
+Date: Mon, 4 Nov 2024 20:16:42 +0300
+Subject: usb: typec: fix potential out of bounds in ucsi_ccg_update_set_new_cam_cmd()
+
+From: Dan Carpenter <dan.carpenter@linaro.org>
+
+commit 7dd08a0b4193087976db6b3ee7807de7e8316f96 upstream.
+
+The "*cmd" variable can be controlled by the user via debugfs.  That means
+"new_cam" can be as high as 255 while the size of the uc->updated[] array
+is UCSI_MAX_ALTMODES (30).
+
+The call tree is:
+ucsi_cmd() // val comes from simple_attr_write_xsigned()
+-> ucsi_send_command()
+   -> ucsi_send_command_common()
+      -> ucsi_run_command() // calls ucsi->ops->sync_control()
+         -> ucsi_ccg_sync_control()
+
+Fixes: 170a6726d0e2 ("usb: typec: ucsi: add support for separate DP altmode devices")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Link: https://lore.kernel.org/r/325102b3-eaa8-4918-a947-22aca1146586@stanley.mountain
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/ucsi/ucsi_ccg.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/typec/ucsi/ucsi_ccg.c
++++ b/drivers/usb/typec/ucsi/ucsi_ccg.c
+@@ -441,6 +441,8 @@ static void ucsi_ccg_update_set_new_cam_
+       port = uc->orig;
+       new_cam = UCSI_SET_NEW_CAM_GET_AM(*cmd);
++      if (new_cam >= ARRAY_SIZE(uc->updated))
++              return;
+       new_port = &uc->updated[new_cam];
+       cam = new_port->linked_idx;
+       enter_new_mode = UCSI_SET_NEW_CAM_ENTER(*cmd);
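Review bot: The added check `if (new_cam >= ARRAY_SIZE(uc->updated)) return;` carries no comment saying why the index is untrusted, so a later cleanup could mistake it for dead code. The commit message says `*cmd` can be set through debugfs and that `new_cam` can reach 255 against an array of UCSI_MAX_ALTMODES (30) entries. I would record that at the check, e.g. `/* *cmd is reachable from debugfs; new_cam may exceed ARRAY_SIZE(uc->updated) */`. The function returns void and its body continues outside the hunk, so it is not visible here whether the caller still sends the unrewritten command after this silent early return; that is worth confirming.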
diff --git a/queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch b/queue-6.6/usb-typec-qcom-pmic-init-value-of-hdr_len-txbuf_len-earlier.patch
new file mode 100644 (file)
index 0000000..785573d
--- /dev/null
@@ -0,0 +1,49 @@
+From 029778a4fd2c90c2e76a902b797c2348a722f1b8 Mon Sep 17 00:00:00 2001
+From: Rex Nie <rex.nie@jaguarmicro.com>
+Date: Wed, 30 Oct 2024 21:36:32 +0800
+Subject: usb: typec: qcom-pmic: init value of hdr_len/txbuf_len earlier
+
+From: Rex Nie <rex.nie@jaguarmicro.com>
+
+commit 029778a4fd2c90c2e76a902b797c2348a722f1b8 upstream.
+
+If the read of USB_PDPHY_RX_ACKNOWLEDGE_REG failed, then hdr_len and
+txbuf_len are uninitialized. This commit stops to print uninitialized
+value and misleading/false data.
+
+Cc: stable@vger.kernel.org
+Fixes: a4422ff22142 (" usb: typec: qcom: Add Qualcomm PMIC Type-C driver")
+Signed-off-by: Rex Nie <rex.nie@jaguarmicro.com>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Reviewed-by: Bjorn Andersson <andersson@kernel.org>
+Acked-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
+Link: https://lore.kernel.org/r/20241030133632.2116-1-rex.nie@jaguarmicro.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
++++ b/drivers/usb/typec/tcpm/qcom/qcom_pmic_typec_pdphy.c
+@@ -161,6 +161,10 @@ qcom_pmic_typec_pdphy_pd_transmit_payloa
+       spin_lock_irqsave(&pmic_typec_pdphy->lock, flags);
++      hdr_len = sizeof(msg->header);
++      txbuf_len = pd_header_cnt_le(msg->header) * 4;
++      txsize_len = hdr_len + txbuf_len - 1;
++
+       ret = regmap_read(pmic_typec_pdphy->regmap,
+                         pmic_typec_pdphy->base + USB_PDPHY_RX_ACKNOWLEDGE_REG,
+                         &val);
+@@ -178,10 +182,6 @@ qcom_pmic_typec_pdphy_pd_transmit_payloa
+       if (ret)
+               goto done;
+-      hdr_len = sizeof(msg->header);
+-      txbuf_len = pd_header_cnt_le(msg->header) * 4;
+-      txsize_len = hdr_len + txbuf_len - 1;
+-
+       /* Write message header sizeof(u16) to USB_PDPHY_TX_BUFFER_HDR_REG */
+       ret = regmap_bulk_write(pmic_typec_pdphy->regmap,
+                               pmic_typec_pdphy->base + USB_PDPHY_TX_BUFFER_HDR_REG,