4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Aug 2020 12:31:13 +0000 (14:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 31 Aug 2020 12:31:13 +0000 (14:31 +0200)
added patches:
overflow.h-add-allocation-size-calculation-helpers.patch
usb-cdc-acm-rework-notification_buffer-resizing.patch
usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch
usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch
usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch
usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch
usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch
usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch
usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch
usb-uas-add-quirk-for-pny-pro-elite.patch
usb-yurex-fix-bad-gfp-argument.patch

12 files changed:
queue-4.14/overflow.h-add-allocation-size-calculation-helpers.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/usb-cdc-acm-rework-notification_buffer-resizing.patch [new file with mode: 0644]
queue-4.14/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch [new file with mode: 0644]
queue-4.14/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch [new file with mode: 0644]
queue-4.14/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch [new file with mode: 0644]
queue-4.14/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch [new file with mode: 0644]
queue-4.14/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch [new file with mode: 0644]
queue-4.14/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch [new file with mode: 0644]
queue-4.14/usb-uas-add-quirk-for-pny-pro-elite.patch [new file with mode: 0644]
queue-4.14/usb-yurex-fix-bad-gfp-argument.patch [new file with mode: 0644]

diff --git a/queue-4.14/overflow.h-add-allocation-size-calculation-helpers.patch b/queue-4.14/overflow.h-add-allocation-size-calculation-helpers.patch
new file mode 100644 (file)
index 0000000..a5f1bc6
--- /dev/null
@@ -0,0 +1,141 @@
+From 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Mon, 7 May 2018 16:47:02 -0700
+Subject: overflow.h: Add allocation size calculation helpers
+
+From: Kees Cook <keescook@chromium.org>
+
+commit 610b15c50e86eb1e4b77274fabcaea29ac72d6a8 upstream.
+
+In preparation for replacing unchecked overflows for memory allocations,
+this creates helpers for the 3 most common calculations:
+
+array_size(a, b): 2-dimensional array
+array3_size(a, b, c): 3-dimensional array
+struct_size(ptr, member, n): struct followed by n-many trailing members
+
+Each of these return SIZE_MAX on overflow instead of wrapping around.
+
+(Additionally renames a variable named "array_size" to avoid future
+collision.)
+
+Co-developed-by: Matthew Wilcox <mawilcox@microsoft.com>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/md/dm-table.c    |   10 +++---
+ include/linux/overflow.h |   73 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 78 insertions(+), 5 deletions(-)
+
+--- a/drivers/md/dm-table.c
++++ b/drivers/md/dm-table.c
+@@ -547,14 +547,14 @@ static int adjoin(struct dm_table *table
+  * On the other hand, dm-switch needs to process bulk data using messages and
+  * excessive use of GFP_NOIO could cause trouble.
+  */
+-static char **realloc_argv(unsigned *array_size, char **old_argv)
++static char **realloc_argv(unsigned *size, char **old_argv)
+ {
+       char **argv;
+       unsigned new_size;
+       gfp_t gfp;
+-      if (*array_size) {
+-              new_size = *array_size * 2;
++      if (*size) {
++              new_size = *size * 2;
+               gfp = GFP_KERNEL;
+       } else {
+               new_size = 8;
+@@ -562,8 +562,8 @@ static char **realloc_argv(unsigned *arr
+       }
+       argv = kmalloc(new_size * sizeof(*argv), gfp);
+       if (argv) {
+-              memcpy(argv, old_argv, *array_size * sizeof(*argv));
+-              *array_size = new_size;
++              memcpy(argv, old_argv, *size * sizeof(*argv));
++              *size = new_size;
+       }
+       kfree(old_argv);
+--- a/include/linux/overflow.h
++++ b/include/linux/overflow.h
+@@ -233,4 +233,77 @@
+               (*_d >> _to_shift) != _a);                              \
+ })
++/**
++ * array_size() - Calculate size of 2-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ *
++ * Calculates size of 2-dimensional array: @a * @b.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array_size(size_t a, size_t b)
++{
++      size_t bytes;
++
++      if (check_mul_overflow(a, b, &bytes))
++              return SIZE_MAX;
++
++      return bytes;
++}
++
++/**
++ * array3_size() - Calculate size of 3-dimensional array.
++ *
++ * @a: dimension one
++ * @b: dimension two
++ * @c: dimension three
++ *
++ * Calculates size of 3-dimensional array: @a * @b * @c.
++ *
++ * Returns: number of bytes needed to represent the array or SIZE_MAX on
++ * overflow.
++ */
++static inline __must_check size_t array3_size(size_t a, size_t b, size_t c)
++{
++      size_t bytes;
++
++      if (check_mul_overflow(a, b, &bytes))
++              return SIZE_MAX;
++      if (check_mul_overflow(bytes, c, &bytes))
++              return SIZE_MAX;
++
++      return bytes;
++}
++
++static inline __must_check size_t __ab_c_size(size_t n, size_t size, size_t c)
++{
++      size_t bytes;
++
++      if (check_mul_overflow(n, size, &bytes))
++              return SIZE_MAX;
++      if (check_add_overflow(bytes, c, &bytes))
++              return SIZE_MAX;
++
++      return bytes;
++}
++
++/**
++ * struct_size() - Calculate size of structure with trailing array.
++ * @p: Pointer to the structure.
++ * @member: Name of the array member.
++ * @n: Number of elements in the array.
++ *
++ * Calculates size of memory needed for structure @p followed by an
++ * array of @n @member elements.
++ *
++ * Return: number of bytes needed or SIZE_MAX on overflow.
++ */
++#define struct_size(p, member, n)                                     \
++      __ab_c_size(n,                                                  \
++                  sizeof(*(p)->member) + __must_be_array((p)->member),\
++                  sizeof(*(p)))
++
+ #endif /* __LINUX_OVERFLOW_H */
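Review bot: `__ab_c_size()` is the only helper added to include/linux/overflow.h without a comment, and none of the kernel-doc blocks say how the saturated result may be used. SIZE_MAX is a safe failure value only when it reaches the allocator unchanged; a caller that does further arithmetic on it (for example `array_size(a, b) + hdr_len`) wraps back to a small size. I would add `/* n * size + c, saturating to SIZE_MAX; internal helper for struct_size() */` above `__ab_c_size()`, and one sentence to each "Returns:" paragraph stating that the value must be passed directly to the allocation call.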
index da11f74695abf65f3b41be48e59853ad8091d00c..3ec3fabb3c43c0bf6a8b2635446174099b6c03ad 100644 (file)
@@ -74,3 +74,14 @@ xhci-do-warm-reset-when-both-cas-and-xdev_resume-are-set.patch
 pm-sleep-core-fix-the-handling-of-pending-runtime-resume-requests.patch
 device-property-fix-the-secondary-firmware-node-handling-in-set_primary_fwnode.patch
 drm-amdgpu-fix-buffer-overflow-in-info-ioctl.patch
+usb-yurex-fix-bad-gfp-argument.patch
+usb-uas-add-quirk-for-pny-pro-elite.patch
+usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch
+usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch
+usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch
+overflow.h-add-allocation-size-calculation-helpers.patch
+usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch
+usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch
+usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch
+usb-cdc-acm-rework-notification_buffer-resizing.patch
+usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch
diff --git a/queue-4.14/usb-cdc-acm-rework-notification_buffer-resizing.patch b/queue-4.14/usb-cdc-acm-rework-notification_buffer-resizing.patch
new file mode 100644 (file)
index 0000000..ba402f2
--- /dev/null
@@ -0,0 +1,99 @@
+From f4b9d8a582f738c24ebeabce5cc15f4b8159d74e Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Sat, 1 Aug 2020 08:21:54 -0700
+Subject: USB: cdc-acm: rework notification_buffer resizing
+
+From: Tom Rix <trix@redhat.com>
+
+commit f4b9d8a582f738c24ebeabce5cc15f4b8159d74e upstream.
+
+Clang static analysis reports this error
+
+cdc-acm.c:409:3: warning: Use of memory after it is freed
+        acm_process_notification(acm, (unsigned char *)dr);
+
+There are three problems, the first one is that dr is not reset
+
+The variable dr is set with
+
+if (acm->nb_index)
+       dr = (struct usb_cdc_notification *)acm->notification_buffer;
+
+But if the notification_buffer is too small it is resized with
+
+               if (acm->nb_size) {
+                       kfree(acm->notification_buffer);
+                       acm->nb_size = 0;
+               }
+               alloc_size = roundup_pow_of_two(expected_size);
+               /*
+                * kmalloc ensures a valid notification_buffer after a
+                * use of kfree in case the previous allocation was too
+                * small. Final freeing is done on disconnect.
+                */
+               acm->notification_buffer =
+                       kmalloc(alloc_size, GFP_ATOMIC);
+
+dr should point to the new acm->notification_buffer.
+
+The second problem is any data in the notification_buffer is lost
+when the pointer is freed.  In the normal case, the current data
+is accumulated in the notification_buffer here.
+
+       memcpy(&acm->notification_buffer[acm->nb_index],
+              urb->transfer_buffer, copy_size);
+
+When a resize happens, anything before
+notification_buffer[acm->nb_index] is garbage.
+
+The third problem is the acm->nb_index is not reset on a
+resizing buffer error.
+
+So switch resizing to using krealloc and reassign dr and
+reset nb_index.
+
+Fixes: ea2583529cd1 ("cdc-acm: reassemble fragmented notifications")
+Signed-off-by: Tom Rix <trix@redhat.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20200801152154.20683-1-trix@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |   22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -390,21 +390,19 @@ static void acm_ctrl_irq(struct urb *urb
+       if (current_size < expected_size) {
+               /* notification is transmitted fragmented, reassemble */
+               if (acm->nb_size < expected_size) {
+-                      if (acm->nb_size) {
+-                              kfree(acm->notification_buffer);
+-                              acm->nb_size = 0;
+-                      }
++                      u8 *new_buffer;
+                       alloc_size = roundup_pow_of_two(expected_size);
+-                      /*
+-                       * kmalloc ensures a valid notification_buffer after a
+-                       * use of kfree in case the previous allocation was too
+-                       * small. Final freeing is done on disconnect.
+-                       */
+-                      acm->notification_buffer =
+-                              kmalloc(alloc_size, GFP_ATOMIC);
+-                      if (!acm->notification_buffer)
++                      /* Final freeing is done on disconnect. */
++                      new_buffer = krealloc(acm->notification_buffer,
++                                            alloc_size, GFP_ATOMIC);
++                      if (!new_buffer) {
++                              acm->nb_index = 0;
+                               goto exit;
++                      }
++
++                      acm->notification_buffer = new_buffer;
+                       acm->nb_size = alloc_size;
++                      dr = (struct usb_cdc_notification *)acm->notification_buffer;
+               }
+               copy_size = min(current_size,
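Review bot: The reason `dr` is re-pointed after the resize is not recorded in the code, and the shortened comment no longer explains the buffer's lifetime across a resize. krealloc() may return a different address and leaves the old allocation in place when it fails, which is why nb_size is untouched on the error path; I would say so above the call, e.g. `/* krealloc may move the buffer: old one is kept on failure, dr is re-pointed on success */`. alloc_size is derived from expected_size, whose calculation from the device-supplied notification header lies outside this hunk, so an upper bound on the allocation cannot be confirmed from here. acm_ctrl_irq() starts and ends outside the hunk.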
diff --git a/queue-4.14/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch b/queue-4.14/usb-gadget-f_ncm-add-bounds-checks-to-ncm_unwrap_ntb.patch
new file mode 100644 (file)
index 0000000..8e8457f
--- /dev/null
@@ -0,0 +1,178 @@
+From 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 Mon Sep 17 00:00:00 2001
+From: Brooke Basile <brookebasile@gmail.com>
+Date: Tue, 25 Aug 2020 09:07:27 -0400
+Subject: USB: gadget: f_ncm: add bounds checks to ncm_unwrap_ntb()
+
+From: Brooke Basile <brookebasile@gmail.com>
+
+commit 2b74b0a04d3e9f9f08ff026e5663dce88ff94e52 upstream.
+
+Some values extracted by ncm_unwrap_ntb() could possibly lead to several
+different out of bounds reads of memory.  Specifically the values passed
+to netdev_alloc_skb_ip_align() need to be checked so that memory is not
+overflowed.
+
+Resolve this by applying bounds checking to a number of different
+indexes and lengths of the structure parsing logic.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Brooke Basile <brookebasile@gmail.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_ncm.c |   81 ++++++++++++++++++++++++++++++------
+ 1 file changed, 69 insertions(+), 12 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_ncm.c
++++ b/drivers/usb/gadget/function/f_ncm.c
+@@ -1202,12 +1202,15 @@ static int ncm_unwrap_ntb(struct gether
+       int             ndp_index;
+       unsigned        dg_len, dg_len2;
+       unsigned        ndp_len;
++      unsigned        block_len;
+       struct sk_buff  *skb2;
+       int             ret = -EINVAL;
+-      unsigned        max_size = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
++      unsigned        ntb_max = le32_to_cpu(ntb_parameters.dwNtbOutMaxSize);
++      unsigned        frame_max = le16_to_cpu(ecm_desc.wMaxSegmentSize);
+       const struct ndp_parser_opts *opts = ncm->parser_opts;
+       unsigned        crc_len = ncm->is_crc ? sizeof(uint32_t) : 0;
+       int             dgram_counter;
++      bool            ndp_after_header;
+       /* dwSignature */
+       if (get_unaligned_le32(tmp) != opts->nth_sign) {
+@@ -1226,25 +1229,37 @@ static int ncm_unwrap_ntb(struct gether
+       }
+       tmp++; /* skip wSequence */
++      block_len = get_ncm(&tmp, opts->block_length);
+       /* (d)wBlockLength */
+-      if (get_ncm(&tmp, opts->block_length) > max_size) {
++      if (block_len > ntb_max) {
+               INFO(port->func.config->cdev, "OUT size exceeded\n");
+               goto err;
+       }
+       ndp_index = get_ncm(&tmp, opts->ndp_index);
++      ndp_after_header = false;
+       /* Run through all the NDP's in the NTB */
+       do {
+-              /* NCM 3.2 */
+-              if (((ndp_index % 4) != 0) &&
+-                              (ndp_index < opts->nth_size)) {
++              /*
++               * NCM 3.2
++               * dwNdpIndex
++               */
++              if (((ndp_index % 4) != 0) ||
++                              (ndp_index < opts->nth_size) ||
++                              (ndp_index > (block_len -
++                                            opts->ndp_size))) {
+                       INFO(port->func.config->cdev, "Bad index: %#X\n",
+                            ndp_index);
+                       goto err;
+               }
++              if (ndp_index == opts->nth_size)
++                      ndp_after_header = true;
+-              /* walk through NDP */
++              /*
++               * walk through NDP
++               * dwSignature
++               */
+               tmp = (void *)(skb->data + ndp_index);
+               if (get_unaligned_le32(tmp) != ncm->ndp_sign) {
+                       INFO(port->func.config->cdev, "Wrong NDP SIGN\n");
+@@ -1255,14 +1270,15 @@ static int ncm_unwrap_ntb(struct gether
+               ndp_len = get_unaligned_le16(tmp++);
+               /*
+                * NCM 3.3.1
++               * wLength
+                * entry is 2 items
+                * item size is 16/32 bits, opts->dgram_item_len * 2 bytes
+                * minimal: struct usb_cdc_ncm_ndpX + normal entry + zero entry
+                * Each entry is a dgram index and a dgram length.
+                */
+               if ((ndp_len < opts->ndp_size
+-                              + 2 * 2 * (opts->dgram_item_len * 2))
+-                              || (ndp_len % opts->ndplen_align != 0)) {
++                              + 2 * 2 * (opts->dgram_item_len * 2)) ||
++                              (ndp_len % opts->ndplen_align != 0)) {
+                       INFO(port->func.config->cdev, "Bad NDP length: %#X\n",
+                            ndp_len);
+                       goto err;
+@@ -1279,8 +1295,21 @@ static int ncm_unwrap_ntb(struct gether
+               do {
+                       index = index2;
++                      /* wDatagramIndex[0] */
++                      if ((index < opts->nth_size) ||
++                                      (index > block_len - opts->dpe_size)) {
++                              INFO(port->func.config->cdev,
++                                   "Bad index: %#X\n", index);
++                              goto err;
++                      }
++
+                       dg_len = dg_len2;
+-                      if (dg_len < 14 + crc_len) { /* ethernet hdr + crc */
++                      /*
++                       * wDatagramLength[0]
++                       * ethernet hdr + crc or larger than max frame size
++                       */
++                      if ((dg_len < 14 + crc_len) ||
++                                      (dg_len > frame_max)) {
+                               INFO(port->func.config->cdev,
+                                    "Bad dgram length: %#X\n", dg_len);
+                               goto err;
+@@ -1304,6 +1333,37 @@ static int ncm_unwrap_ntb(struct gether
+                       index2 = get_ncm(&tmp, opts->dgram_item_len);
+                       dg_len2 = get_ncm(&tmp, opts->dgram_item_len);
++                      if (index2 == 0 || dg_len2 == 0)
++                              break;
++
++                      /* wDatagramIndex[1] */
++                      if (ndp_after_header) {
++                              if (index2 < opts->nth_size + opts->ndp_size) {
++                                      INFO(port->func.config->cdev,
++                                           "Bad index: %#X\n", index2);
++                                      goto err;
++                              }
++                      } else {
++                              if (index2 < opts->nth_size + opts->dpe_size) {
++                                      INFO(port->func.config->cdev,
++                                           "Bad index: %#X\n", index2);
++                                      goto err;
++                              }
++                      }
++                      if (index2 > block_len - opts->dpe_size) {
++                              INFO(port->func.config->cdev,
++                                   "Bad index: %#X\n", index2);
++                              goto err;
++                      }
++
++                      /* wDatagramLength[1] */
++                      if ((dg_len2 < 14 + crc_len) ||
++                                      (dg_len2 > frame_max)) {
++                              INFO(port->func.config->cdev,
++                                   "Bad dgram length: %#X\n", dg_len);
++                              goto err;
++                      }
++
+                       /*
+                        * Copy the data into a new skb.
+                        * This ensures the truesize is correct
+@@ -1320,9 +1380,6 @@ static int ncm_unwrap_ntb(struct gether
+                       ndp_len -= 2 * (opts->dgram_item_len * 2);
+                       dgram_counter++;
+-
+-                      if (index2 == 0 || dg_len2 == 0)
+-                              break;
+               } while (ndp_len > 2 * (opts->dgram_item_len * 2));
+       } while (ndp_index);
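Review bot: The new upper bounds `block_len - opts->ndp_size` and `block_len - opts->dpe_size` are unsigned subtractions, and block_len has no lower bound in this patch, so a block length smaller than those sizes wraps and the index checks stop rejecting anything. block_len is also compared only with ntb_max; unless a check outside these hunks ties it to the received buffer length, indexes accepted against block_len are still used as offsets into `skb->data`. I would reject short blocks up front, e.g. `if (block_len < opts->nth_size + opts->ndp_size || block_len > ntb_max)`, and bound block_len by `skb->len` as well. The wDatagramLength[1] branch tests `dg_len2` but logs `dg_len`; the message arguments should read `"Bad dgram length: %#X\n", dg_len2`. ncm_unwrap_ntb() begins and ends outside the hunks shown.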
diff --git a/queue-4.14/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch b/queue-4.14/usb-gadget-u_f-add-overflow-checks-to-vla-macros.patch
new file mode 100644 (file)
index 0000000..b195daf
--- /dev/null
@@ -0,0 +1,85 @@
+From b1cd1b65afba95971fa457dfdb2c941c60d38c5b Mon Sep 17 00:00:00 2001
+From: Brooke Basile <brookebasile@gmail.com>
+Date: Tue, 25 Aug 2020 09:05:08 -0400
+Subject: USB: gadget: u_f: add overflow checks to VLA macros
+
+From: Brooke Basile <brookebasile@gmail.com>
+
+commit b1cd1b65afba95971fa457dfdb2c941c60d38c5b upstream.
+
+size can potentially hold an overflowed value if its assigned expression
+is left unchecked, leading to a smaller than needed allocation when
+vla_group_size() is used by callers to allocate memory.
+To fix this, add a test for saturation before declaring variables and an
+overflow check to (n) * sizeof(type).
+If the expression results in overflow, vla_group_size() will return SIZE_MAX.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Suggested-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Brooke Basile <brookebasile@gmail.com>
+Acked-by: Felipe Balbi <balbi@kernel.org>
+Cc: stable <stable@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/u_f.h |   38 +++++++++++++++++++++++++++-----------
+ 1 file changed, 27 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/gadget/u_f.h
++++ b/drivers/usb/gadget/u_f.h
+@@ -17,6 +17,7 @@
+ #define __U_F_H__
+ #include <linux/usb/gadget.h>
++#include <linux/overflow.h>
+ /* Variable Length Array Macros **********************************************/
+ #define vla_group(groupname) size_t groupname##__next = 0
+@@ -24,21 +25,36 @@
+ #define vla_item(groupname, type, name, n) \
+       size_t groupname##_##name##__offset = ({                               \
+-              size_t align_mask = __alignof__(type) - 1;                     \
+-              size_t offset = (groupname##__next + align_mask) & ~align_mask;\
+-              size_t size = (n) * sizeof(type);                              \
+-              groupname##__next = offset + size;                             \
++              size_t offset = 0;                                             \
++              if (groupname##__next != SIZE_MAX) {                           \
++                      size_t align_mask = __alignof__(type) - 1;             \
++                      size_t offset = (groupname##__next + align_mask)       \
++                                       & ~align_mask;                        \
++                      size_t size = array_size(n, sizeof(type));             \
++                      if (check_add_overflow(offset, size,                   \
++                                             &groupname##__next)) {          \
++                              groupname##__next = SIZE_MAX;                  \
++                              offset = 0;                                    \
++                      }                                                      \
++              }                                                              \
+               offset;                                                        \
+       })
+ #define vla_item_with_sz(groupname, type, name, n) \
+-      size_t groupname##_##name##__sz = (n) * sizeof(type);                  \
+-      size_t groupname##_##name##__offset = ({                               \
+-              size_t align_mask = __alignof__(type) - 1;                     \
+-              size_t offset = (groupname##__next + align_mask) & ~align_mask;\
+-              size_t size = groupname##_##name##__sz;                        \
+-              groupname##__next = offset + size;                             \
+-              offset;                                                        \
++      size_t groupname##_##name##__sz = array_size(n, sizeof(type));          \
++      size_t groupname##_##name##__offset = ({                                \
++              size_t offset = 0;                                              \
++              if (groupname##__next != SIZE_MAX) {                            \
++                      size_t align_mask = __alignof__(type) - 1;              \
++                      size_t offset = (groupname##__next + align_mask)        \
++                                       & ~align_mask;                         \
++                      if (check_add_overflow(offset, groupname##_##name##__sz,\
++                                                      &groupname##__next)) {  \
++                              groupname##__next = SIZE_MAX;                   \
++                              offset = 0;                                     \
++                      }                                                       \
++              }                                                               \
++              offset;                                                         \
+       })
+ #define vla_ptr(ptr, groupname, name) \
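Review bot: The round-up `(groupname##__next + align_mask) & ~align_mask` in both vla_item() and vla_item_with_sz() is still an unchecked addition. The guard skips it only when groupname##__next is exactly SIZE_MAX, so a running total within align_mask of SIZE_MAX wraps to a small offset and the following check_add_overflow() then succeeds. Whether a caller can push the total that high is not visible here, but the saturating scheme is complete only if this step saturates too. I would do the addition with check_add_overflow() on groupname##__next and align_mask first, setting groupname##__next to SIZE_MAX and offset to 0 when it fails, and apply the mask afterwards.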
diff --git a/queue-4.14/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch b/queue-4.14/usb-gadget-u_f-unbreak-offset-calculation-in-vlas.patch
new file mode 100644 (file)
index 0000000..d89e0f9
--- /dev/null
@@ -0,0 +1,51 @@
+From bfd08d06d978d0304eb6f7855b548aa2cd1c5486 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Wed, 26 Aug 2020 22:21:19 +0300
+Subject: USB: gadget: u_f: Unbreak offset calculation in VLAs
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit bfd08d06d978d0304eb6f7855b548aa2cd1c5486 upstream.
+
+Inadvertently the commit b1cd1b65afba ("USB: gadget: u_f: add overflow checks
+to VLA macros") makes VLA macros to always return 0 due to different scope of
+two variables of the same name. Obviously we need to have only one.
+
+Fixes: b1cd1b65afba ("USB: gadget: u_f: add overflow checks to VLA macros")
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: Brooke Basile <brookebasile@gmail.com>
+Cc: stable <stable@kernel.org>
+Link: https://lore.kernel.org/r/20200826192119.56450-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/u_f.h |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/u_f.h
++++ b/drivers/usb/gadget/u_f.h
+@@ -28,9 +28,9 @@
+               size_t offset = 0;                                             \
+               if (groupname##__next != SIZE_MAX) {                           \
+                       size_t align_mask = __alignof__(type) - 1;             \
+-                      size_t offset = (groupname##__next + align_mask)       \
+-                                       & ~align_mask;                        \
+                       size_t size = array_size(n, sizeof(type));             \
++                      offset = (groupname##__next + align_mask) &            \
++                                ~align_mask;                                 \
+                       if (check_add_overflow(offset, size,                   \
+                                              &groupname##__next)) {          \
+                               groupname##__next = SIZE_MAX;                  \
+@@ -46,8 +46,8 @@
+               size_t offset = 0;                                              \
+               if (groupname##__next != SIZE_MAX) {                            \
+                       size_t align_mask = __alignof__(type) - 1;              \
+-                      size_t offset = (groupname##__next + align_mask)        \
+-                                       & ~align_mask;                         \
++                      offset = (groupname##__next + align_mask) &             \
++                                ~align_mask;                                  \
+                       if (check_add_overflow(offset, groupname##_##name##__sz,\
+                                                       &groupname##__next)) {  \
+                               groupname##__next = SIZE_MAX;                   \
diff --git a/queue-4.14/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch b/queue-4.14/usb-host-ohci-exynos-fix-error-handling-in-exynos_ohci_probe.patch
new file mode 100644 (file)
index 0000000..2690837
--- /dev/null
@@ -0,0 +1,41 @@
+From 1d4169834628d18b2392a2da92b7fbf5e8e2ce89 Mon Sep 17 00:00:00 2001
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+Date: Wed, 26 Aug 2020 22:49:31 +0800
+Subject: usb: host: ohci-exynos: Fix error handling in exynos_ohci_probe()
+
+From: Tang Bin <tangbin@cmss.chinamobile.com>
+
+commit 1d4169834628d18b2392a2da92b7fbf5e8e2ce89 upstream.
+
+If the function platform_get_irq() failed, the negative value
+returned will not be detected here. So fix error handling in
+exynos_ohci_probe(). And when get irq failed, the function
+platform_get_irq() logs an error message, so remove redundant
+message here.
+
+Fixes: 62194244cf87 ("USB: Add Samsung Exynos OHCI diver")
+Signed-off-by: Zhang Shengju <zhangshengju@cmss.chinamobile.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Tang Bin <tangbin@cmss.chinamobile.com>
+Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
+Link: https://lore.kernel.org/r/20200826144931.1828-1-tangbin@cmss.chinamobile.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-exynos.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/ohci-exynos.c
++++ b/drivers/usb/host/ohci-exynos.c
+@@ -166,9 +166,8 @@ skip_phy:
+       hcd->rsrc_len = resource_size(res);
+       irq = platform_get_irq(pdev, 0);
+-      if (!irq) {
+-              dev_err(&pdev->dev, "Failed to get IRQ\n");
+-              err = -ENODEV;
++      if (irq < 0) {
++              err = irq;
+               goto fail_io;
+       }
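Review bot: Dropping the dev_err() leaves this failure path silent unless platform_get_irq() in the 4.14 tree prints an error itself; the commit message assumes it does, and that is worth confirming for this backport. The new test `if (irq < 0)` also lets a return value of 0 through, which the old `!irq` test rejected. If platform_get_irq() can still return 0 on this kernel, `if (irq <= 0)` with `err = irq ? irq : -ENODEV;` keeps both cases covered. The probe function's body lies mostly outside the hunk.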
diff --git a/queue-4.14/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch b/queue-4.14/usb-ignore-uas-for-jmicron-jms567-ata-atapi-bridge.patch
new file mode 100644 (file)
index 0000000..dd3d7e4
--- /dev/null
@@ -0,0 +1,37 @@
+From 9aa37788e7ebb3f489fb4b71ce07adadd444264a Mon Sep 17 00:00:00 2001
+From: Cyril Roelandt <tipecaml@gmail.com>
+Date: Tue, 25 Aug 2020 23:22:31 +0200
+Subject: USB: Ignore UAS for JMicron JMS567 ATA/ATAPI Bridge
+
+From: Cyril Roelandt <tipecaml@gmail.com>
+
+commit 9aa37788e7ebb3f489fb4b71ce07adadd444264a upstream.
+
+This device does not support UAS properly and a similar entry already
+exists in drivers/usb/storage/unusual_uas.h. Without this patch,
+storage_probe() defers the handling of this device to UAS, which cannot
+handle it either.
+
+Tested-by: Brice Goglin <brice.goglin@gmail.com>
+Fixes: bc3bdb12bbb3 ("usb-storage: Disable UAS on JMicron SATA enclosure")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Signed-off-by: Cyril Roelandt <tipecaml@gmail.com>
+Link: https://lore.kernel.org/r/20200825212231.46309-1-tipecaml@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2347,7 +2347,7 @@ UNUSUAL_DEV(  0x357d, 0x7788, 0x0114, 0x
+               "JMicron",
+               "USB to ATA/ATAPI Bridge",
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+-              US_FL_BROKEN_FUA ),
++              US_FL_BROKEN_FUA | US_FL_IGNORE_UAS ),
+ /* Reported by Andrey Rahmatullin <wrar@altlinux.org> */
+ UNUSUAL_DEV(  0x4102, 0x1020, 0x0100,  0x0100,
diff --git a/queue-4.14/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch b/queue-4.14/usb-quirks-add-no-lpm-quirk-for-another-raydium-touchscreen.patch
new file mode 100644 (file)
index 0000000..afa3de9
--- /dev/null
@@ -0,0 +1,38 @@
+From 5967116e8358899ebaa22702d09b0af57fef23e1 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Fri, 31 Jul 2020 13:16:20 +0800
+Subject: USB: quirks: Add no-lpm quirk for another Raydium touchscreen
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 5967116e8358899ebaa22702d09b0af57fef23e1 upstream.
+
+There's another Raydium touchscreen needs the no-lpm quirk:
+[    1.339149] usb 1-9: New USB device found, idVendor=2386, idProduct=350e, bcdDevice= 0.00
+[    1.339150] usb 1-9: New USB device strings: Mfr=1, Product=2, SerialNumber=0
+[    1.339151] usb 1-9: Product: Raydium Touch System
+[    1.339152] usb 1-9: Manufacturer: Raydium Corporation
+...
+[    6.450497] usb 1-9: can't set config #1, error -110
+
+BugLink: https://bugs.launchpad.net/bugs/1889446
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200731051622.28643-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -299,6 +299,8 @@ static const struct usb_device_id usb_qu
+       { USB_DEVICE(0x2386, 0x3119), .driver_info = USB_QUIRK_NO_LPM },
++      { USB_DEVICE(0x2386, 0x350e), .driver_info = USB_QUIRK_NO_LPM },
++
+       /* DJI CineSSD */
+       { USB_DEVICE(0x2ca3, 0x0031), .driver_info = USB_QUIRK_NO_LPM },
diff --git a/queue-4.14/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch b/queue-4.14/usb-storage-add-unusual_uas-entry-for-sony-psz-drives.patch
new file mode 100644 (file)
index 0000000..8212e47
--- /dev/null
@@ -0,0 +1,42 @@
+From 20934c0de13b49a072fb1e0ca79fe0fe0e40eae5 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 26 Aug 2020 10:32:29 -0400
+Subject: usb: storage: Add unusual_uas entry for Sony PSZ drives
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 20934c0de13b49a072fb1e0ca79fe0fe0e40eae5 upstream.
+
+The PSZ-HA* family of USB disk drives from Sony can't handle the
+REPORT OPCODES command when using the UAS protocol.  This patch adds
+an appropriate quirks entry.
+
+Reported-and-tested-by: Till Dörges <doerges@pre-sense.de>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200826143229.GB400430@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_uas.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -41,6 +41,13 @@
+  * and don't forget to CC: the USB development list <linux-usb@vger.kernel.org>
+  */
++/* Reported-by: Till Dörges <doerges@pre-sense.de> */
++UNUSUAL_DEV(0x054c, 0x087d, 0x0000, 0x9999,
++              "Sony",
++              "PSZ-HA*",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_NO_REPORT_OPCODES),
++
+ /* Reported-by: Julian Groß <julian.g@posteo.de> */
+ UNUSUAL_DEV(0x059f, 0x105f, 0x0000, 0x9999,
+               "LaCie",
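Review bot: The product string `"PSZ-HA*"` names a whole drive family, but the entry matches the single product ID `0x087d` across all revisions (`0x0000` to `0x9999`). Whether every PSZ-HA model is covered therefore depends on them sharing that ID, which the patch does not show. A short comment stating the scope would make this explicit, for example `/* REPORT OPCODES not handled under UAS; tested on <model from the report> */` with the placeholder filled in from the original report.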
diff --git a/queue-4.14/usb-uas-add-quirk-for-pny-pro-elite.patch b/queue-4.14/usb-uas-add-quirk-for-pny-pro-elite.patch
new file mode 100644 (file)
index 0000000..c7f890c
--- /dev/null
@@ -0,0 +1,39 @@
+From 9a469bc9f32dd33c7aac5744669d21a023a719cd Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Tue, 18 Aug 2020 19:27:47 -0700
+Subject: usb: uas: Add quirk for PNY Pro Elite
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 9a469bc9f32dd33c7aac5744669d21a023a719cd upstream.
+
+PNY Pro Elite USB 3.1 Gen 2 device (SSD) doesn't respond to ATA_12
+pass-through command (i.e. it just hangs). If it doesn't support this
+command, it should respond properly to the host. Let's just add a quirk
+to be able to move forward with other operations.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Thinh Nguyen <thinhn@synopsys.com>
+Link: https://lore.kernel.org/r/2b0585228b003eedcc82db84697b31477df152e0.1597803605.git.thinhn@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_uas.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/usb/storage/unusual_uas.h
++++ b/drivers/usb/storage/unusual_uas.h
+@@ -156,6 +156,13 @@ UNUSUAL_DEV(0x152d, 0x0578, 0x0000, 0x99
+               USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+               US_FL_BROKEN_FUA),
++/* Reported-by: Thinh Nguyen <thinhn@synopsys.com> */
++UNUSUAL_DEV(0x154b, 0xf00d, 0x0000, 0x9999,
++              "PNY",
++              "Pro Elite SSD",
++              USB_SC_DEVICE, USB_PR_DEVICE, NULL,
++              US_FL_NO_ATA_1X),
++
+ /* Reported-by: Hans de Goede <hdegoede@redhat.com> */
+ UNUSUAL_DEV(0x2109, 0x0711, 0x0000, 0x9999,
+               "VIA",
diff --git a/queue-4.14/usb-yurex-fix-bad-gfp-argument.patch b/queue-4.14/usb-yurex-fix-bad-gfp-argument.patch
new file mode 100644 (file)
index 0000000..91b5dda
--- /dev/null
@@ -0,0 +1,72 @@
+From f176ede3a3bde5b398a6777a7f9ff091baa2d3ff Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Aug 2020 14:29:54 -0400
+Subject: USB: yurex: Fix bad gfp argument
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit f176ede3a3bde5b398a6777a7f9ff091baa2d3ff upstream.
+
+The syzbot fuzzer identified a bug in the yurex driver: It passes
+GFP_KERNEL as a memory-allocation flag to usb_submit_urb() at a time
+when its state is TASK_INTERRUPTIBLE, not TASK_RUNNING:
+
+do not call blocking ops when !TASK_RUNNING; state=1 set at [<00000000370c7c68>] prepare_to_wait+0xb1/0x2a0 kernel/sched/wait.c:247
+WARNING: CPU: 1 PID: 340 at kernel/sched/core.c:7253 __might_sleep+0x135/0x190
+kernel/sched/core.c:7253
+Kernel panic - not syncing: panic_on_warn set ...
+CPU: 1 PID: 340 Comm: syz-executor677 Not tainted 5.8.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
+01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xf6/0x16e lib/dump_stack.c:118
+ panic+0x2aa/0x6e1 kernel/panic.c:231
+ __warn.cold+0x20/0x50 kernel/panic.c:600
+ report_bug+0x1bd/0x210 lib/bug.c:198
+ handle_bug+0x41/0x80 arch/x86/kernel/traps.c:234
+ exc_invalid_op+0x14/0x40 arch/x86/kernel/traps.c:254
+ asm_exc_invalid_op+0x12/0x20 arch/x86/include/asm/idtentry.h:536
+RIP: 0010:__might_sleep+0x135/0x190 kernel/sched/core.c:7253
+Code: 65 48 8b 1c 25 40 ef 01 00 48 8d 7b 10 48 89 fe 48 c1 ee 03 80 3c 06 00 75
+2b 48 8b 73 10 48 c7 c7 e0 9e 06 86 e8 ed 12 f6 ff <0f> 0b e9 46 ff ff ff e8 1f
+b2 4b 00 e9 29 ff ff ff e8 15 b2 4b 00
+RSP: 0018:ffff8881cdb77a28 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: ffff8881c6458000 RCX: 0000000000000000
+RDX: ffff8881c6458000 RSI: ffffffff8129ec93 RDI: ffffed1039b6ef37
+RBP: ffffffff86fdade2 R08: 0000000000000001 R09: ffff8881db32f54f
+R10: 0000000000000000 R11: 0000000030343354 R12: 00000000000001f2
+R13: 0000000000000000 R14: 0000000000000068 R15: ffffffff83c1b1aa
+ slab_pre_alloc_hook.constprop.0+0xea/0x200 mm/slab.h:498
+ slab_alloc_node mm/slub.c:2816 [inline]
+ slab_alloc mm/slub.c:2900 [inline]
+ kmem_cache_alloc_trace+0x46/0x220 mm/slub.c:2917
+ kmalloc include/linux/slab.h:554 [inline]
+ dummy_urb_enqueue+0x7a/0x880 drivers/usb/gadget/udc/dummy_hcd.c:1251
+ usb_hcd_submit_urb+0x2b2/0x22d0 drivers/usb/core/hcd.c:1547
+ usb_submit_urb+0xb4e/0x13e0 drivers/usb/core/urb.c:570
+ yurex_write+0x3ea/0x820 drivers/usb/misc/yurex.c:495
+
+This patch changes the call to use GFP_ATOMIC instead of GFP_KERNEL.
+
+Reported-and-tested-by: syzbot+c2c3302f9c601a4b1be2@syzkaller.appspotmail.com
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200810182954.GB307778@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/yurex.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/yurex.c
++++ b/drivers/usb/misc/yurex.c
+@@ -496,7 +496,7 @@ static ssize_t yurex_write(struct file *
+       prepare_to_wait(&dev->waitq, &wait, TASK_INTERRUPTIBLE);
+       dev_dbg(&dev->interface->dev, "%s - submit %c\n", __func__,
+               dev->cntl_buffer[0]);
+-      retval = usb_submit_urb(dev->cntl_urb, GFP_KERNEL);
++      retval = usb_submit_urb(dev->cntl_urb, GFP_ATOMIC);
+       if (retval >= 0)
+               timeout = schedule_timeout(YUREX_WRITE_TIMEOUT);
+       finish_wait(&dev->waitq, &wait);
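Review bot: When `schedule_timeout(YUREX_WRITE_TIMEOUT)` returns because of a timeout or a signal, `dev->cntl_urb` may still be in flight, and nothing in this hunk cancels it before or after `finish_wait()`. A later write that submits the same URB again would then likely be refused by `usb_submit_urb()`. The rest of yurex_write() lies outside the hunk, so the cancel may already exist there; if it does not, `usb_kill_urb(dev->cntl_urb);` after `finish_wait()` would cover it. The switch to `GFP_ATOMIC` also deserves a comment on that line, e.g. `/* task state is TASK_INTERRUPTIBLE here, the allocation must not sleep */`, because the constraint comes from the `prepare_to_wait()` a few lines up and is easy to undo by accident.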