--- /dev/null
+From 91feb01596e5efc0cc922cc73f5583114dccf4d2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 6 Nov 2019 13:49:01 +0100
+Subject: appledisplay: fix error handling in the scheduled work
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream.
+
+The work item can operate on
+
+1. stale memory left over from the last transfer
+the actual length of the data transfered needs to be checked
+2. memory already freed
+the error handling in appledisplay_probe() needs
+to cancel the work in that case
+
+Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/appledisplay.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/appledisplay.c
++++ b/drivers/usb/misc/appledisplay.c
+@@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightnes
+ 0,
+ pdata->msgdata, 2,
+ ACD_USB_TIMEOUT);
+- brightness = pdata->msgdata[1];
++ if (retval < 2) {
++ if (retval >= 0)
++ retval = -EMSGSIZE;
++ } else {
++ brightness = pdata->msgdata[1];
++ }
+ mutex_unlock(&pdata->sysfslock);
+
+ if (retval < 0)
+@@ -305,6 +310,7 @@ error:
+ if (pdata) {
+ if (pdata->urb) {
+ usb_kill_urb(pdata->urb);
++ cancel_delayed_work_sync(&pdata->work);
+ if (pdata->urbdata)
+ usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN,
+ pdata->urbdata, pdata->urb->transfer_dma);
--- /dev/null
+From 8eaabfbb03eae954cfdc6fcfa9d8bf0670cd09db Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 13 Nov 2019 21:05:44 +1100
+Subject: KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit af2e8c68b9c5403f77096969c516f742f5bb29e0 upstream.
+
+On some systems that are vulnerable to Spectre v2, it is up to
+software to flush the link stack (return address stack), in order to
+protect against Spectre-RSB.
+
+When exiting from a guest we do some house keeping and then
+potentially exit to C code which is several stack frames deep in the
+host kernel. We will then execute a series of returns without
+preceeding calls, opening up the possiblity that the guest could have
+poisoned the link stack, and direct speculative execution of the host
+to a gadget of some sort.
+
+To prevent this we add a flush of the link stack on exit from a guest.
+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+[dja: straightforward backport to v4.19]
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/asm-prototypes.h | 2 ++
+ arch/powerpc/kernel/security.c | 9 +++++++++
+ arch/powerpc/kvm/book3s_hv_rmhandlers.S | 28 ++++++++++++++++++++++++++++
+ 3 files changed, 39 insertions(+)
+
+--- a/arch/powerpc/include/asm/asm-prototypes.h
++++ b/arch/powerpc/include/asm/asm-prototypes.h
+@@ -147,8 +147,10 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu
+ extern s32 patch__call_flush_count_cache;
+ extern s32 patch__flush_count_cache_return;
+ extern s32 patch__flush_link_stack_return;
++extern s32 patch__call_kvm_flush_link_stack;
+ extern s32 patch__memset_nocache, patch__memcpy_nocache;
+
+ extern long flush_count_cache;
++extern long kvm_flush_link_stack;
+
+ #endif /* _ASM_POWERPC_ASM_PROTOTYPES_H */
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -392,6 +392,9 @@ static void toggle_count_cache_flush(boo
+
+ if (!enable) {
+ patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP);
++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
++ patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP);
++#endif
+ pr_info("link-stack-flush: software flush disabled.\n");
+ link_stack_flush_enabled = false;
+ no_count_cache_flush();
+@@ -402,6 +405,12 @@ static void toggle_count_cache_flush(boo
+ patch_branch_site(&patch__call_flush_count_cache,
+ (u64)&flush_count_cache, BRANCH_SET_LINK);
+
++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE
++ // This enables the branch from guest_exit_cont to kvm_flush_link_stack
++ patch_branch_site(&patch__call_kvm_flush_link_stack,
++ (u64)&kvm_flush_link_stack, BRANCH_SET_LINK);
++#endif
++
+ pr_info("link-stack-flush: software flush enabled.\n");
+ link_stack_flush_enabled = true;
+
+--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S
++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S
+@@ -18,6 +18,7 @@
+ */
+
+ #include <asm/ppc_asm.h>
++#include <asm/code-patching-asm.h>
+ #include <asm/kvm_asm.h>
+ #include <asm/reg.h>
+ #include <asm/mmu.h>
+@@ -1559,6 +1560,10 @@ mc_cont:
+ 1:
+ #endif /* CONFIG_KVM_XICS */
+
++ /* Possibly flush the link stack here. */
++1: nop
++ patch_site 1b patch__call_kvm_flush_link_stack
++
+ /* For hash guest, read the guest SLB and save it away */
+ ld r5, VCPU_KVM(r9)
+ lbz r0, KVM_RADIX(r5)
+@@ -2107,6 +2112,29 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
+ mtlr r0
+ blr
+
++.balign 32
++.global kvm_flush_link_stack
++kvm_flush_link_stack:
++ /* Save LR into r0 */
++ mflr r0
++
++ /* Flush the link stack. On Power8 it's up to 32 entries in size. */
++ .rept 32
++ bl .+4
++ .endr
++
++ /* And on Power9 it's up to 64. */
++BEGIN_FTR_SECTION
++ .rept 32
++ bl .+4
++ .endr
++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300)
++
++ /* Restore LR */
++ mtlr r0
++ blr
++
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ /*
+ * Softpatch interrupt for transactional memory emulation cases
--- /dev/null
+From a9fc317555b4393b075e3e8b66cd407ea6d52826 Mon Sep 17 00:00:00 2001
+From: "Christopher M. Riedl" <cmr@informatik.wtf>
+Date: Thu, 23 May 2019 21:46:48 -0500
+Subject: powerpc/64s: support nospectre_v2 cmdline option
+
+From: "Christopher M. Riedl" <cmr@informatik.wtf>
+
+commit d8f0e0b073e1ec52a05f0c2a56318b47387d2f10 upstream.
+
+Add support for disabling the kernel implemented spectre v2 mitigation
+(count cache flush on context switch) via the nospectre_v2 and
+mitigations=off cmdline options.
+
+Suggested-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Christopher M. Riedl <cmr@informatik.wtf>
+Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20190524024647.381-1-cmr@informatik.wtf
+Signed-off-by: Daniel Axtens <dja@axtens.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/kernel/security.c | 19 ++++++++++++++++---
+ 1 file changed, 16 insertions(+), 3 deletions(-)
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -28,7 +28,7 @@ static enum count_cache_flush_type count
+ bool barrier_nospec_enabled;
+ static bool no_nospec;
+ static bool btb_flush_enabled;
+-#ifdef CONFIG_PPC_FSL_BOOK3E
++#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
+ static bool no_spectrev2;
+ #endif
+
+@@ -106,7 +106,7 @@ static __init int barrier_nospec_debugfs
+ device_initcall(barrier_nospec_debugfs_init);
+ #endif /* CONFIG_DEBUG_FS */
+
+-#ifdef CONFIG_PPC_FSL_BOOK3E
++#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64)
+ static int __init handle_nospectre_v2(char *p)
+ {
+ no_spectrev2 = true;
+@@ -114,6 +114,9 @@ static int __init handle_nospectre_v2(ch
+ return 0;
+ }
+ early_param("nospectre_v2", handle_nospectre_v2);
++#endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */
++
++#ifdef CONFIG_PPC_FSL_BOOK3E
+ void setup_spectre_v2(void)
+ {
+ if (no_spectrev2 || cpu_mitigations_off())
+@@ -391,7 +394,17 @@ static void toggle_count_cache_flush(boo
+
+ void setup_count_cache_flush(void)
+ {
+- toggle_count_cache_flush(true);
++ bool enable = true;
++
++ if (no_spectrev2 || cpu_mitigations_off()) {
++ if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) ||
++ security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED))
++ pr_warn("Spectre v2 mitigations not under software control, can't disable\n");
++
++ enable = false;
++ }
++
++ toggle_count_cache_flush(enable);
+ }
+
+ #ifdef CONFIG_DEBUG_FS
--- /dev/null
+From 0a74b0783d62800ed2fd4b267076e9ff93569848 Mon Sep 17 00:00:00 2001
+From: Michael Ellerman <mpe@ellerman.id.au>
+Date: Wed, 13 Nov 2019 21:05:41 +1100
+Subject: powerpc/book3s64: Fix link stack flush on context switch
+
+From: Michael Ellerman <mpe@ellerman.id.au>
+
+commit 39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad upstream.
+
+In commit ee13cb249fab ("powerpc/64s: Add support for software count
+cache flush"), I added support for software to flush the count
+cache (indirect branch cache) on context switch if firmware told us
+that was the required mitigation for Spectre v2.
+
+As part of that code we also added a software flush of the link
+stack (return address stack), which protects against Spectre-RSB
+between user processes.
+
+That is all correct for CPUs that activate that mitigation, which is
+currently Power9 Nimbus DD2.3.
+
+What I got wrong is that on older CPUs, where firmware has disabled
+the count cache, we also need to flush the link stack on context
+switch.
+
+To fix it we create a new feature bit which is not set by firmware,
+which tells us we need to flush the link stack. We set that when
+firmware tells us that either of the existing Spectre v2 mitigations
+are enabled.
+
+Then we adjust the patching code so that if we see that feature bit we
+enable the link stack flush. If we're also told to flush the count
+cache in software then we fall through and do that also.
+
+On the older CPUs we don't need to do do the software count cache
+flush, firmware has disabled it, so in that case we patch in an early
+return after the link stack flush.
+
+The naming of some of the functions is awkward after this patch,
+because they're called "count cache" but they also do link stack. But
+we'll fix that up in a later commit to ease backporting.
+
+This is the fix for CVE-2019-18660.
+
+Reported-by: Anthony Steinhauser <asteinhauser@google.com>
+Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush")
+Cc: stable@vger.kernel.org # v4.4+
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/powerpc/include/asm/asm-prototypes.h | 1
+ arch/powerpc/include/asm/security_features.h | 3 +
+ arch/powerpc/kernel/entry_64.S | 6 +++
+ arch/powerpc/kernel/security.c | 48 ++++++++++++++++++++++++---
+ 4 files changed, 54 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/include/asm/asm-prototypes.h
++++ b/arch/powerpc/include/asm/asm-prototypes.h
+@@ -146,6 +146,7 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu
+ /* Patch sites */
+ extern s32 patch__call_flush_count_cache;
+ extern s32 patch__flush_count_cache_return;
++extern s32 patch__flush_link_stack_return;
+ extern s32 patch__memset_nocache, patch__memcpy_nocache;
+
+ extern long flush_count_cache;
+--- a/arch/powerpc/include/asm/security_features.h
++++ b/arch/powerpc/include/asm/security_features.h
+@@ -81,6 +81,9 @@ static inline bool security_ftr_enabled(
+ // Software required to flush count cache on context switch
+ #define SEC_FTR_FLUSH_COUNT_CACHE 0x0000000000000400ull
+
++// Software required to flush link stack on context switch
++#define SEC_FTR_FLUSH_LINK_STACK 0x0000000000001000ull
++
+
+ // Features enabled by default
+ #define SEC_FTR_DEFAULT \
+--- a/arch/powerpc/kernel/entry_64.S
++++ b/arch/powerpc/kernel/entry_64.S
+@@ -533,6 +533,7 @@ flush_count_cache:
+ /* Save LR into r9 */
+ mflr r9
+
++ // Flush the link stack
+ .rept 64
+ bl .+4
+ .endr
+@@ -542,6 +543,11 @@ flush_count_cache:
+ .balign 32
+ /* Restore LR */
+ 1: mtlr r9
++
++ // If we're just flushing the link stack, return here
++3: nop
++ patch_site 3b patch__flush_link_stack_return
++
+ li r9,0x7fff
+ mtctr r9
+
+--- a/arch/powerpc/kernel/security.c
++++ b/arch/powerpc/kernel/security.c
+@@ -24,6 +24,7 @@ enum count_cache_flush_type {
+ COUNT_CACHE_FLUSH_HW = 0x4,
+ };
+ static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
++static bool link_stack_flush_enabled;
+
+ bool barrier_nospec_enabled;
+ static bool no_nospec;
+@@ -204,11 +205,19 @@ ssize_t cpu_show_spectre_v2(struct devic
+
+ if (ccd)
+ seq_buf_printf(&s, "Indirect branch cache disabled");
++
++ if (link_stack_flush_enabled)
++ seq_buf_printf(&s, ", Software link stack flush");
++
+ } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) {
+ seq_buf_printf(&s, "Mitigation: Software count cache flush");
+
+ if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW)
+ seq_buf_printf(&s, " (hardware accelerated)");
++
++ if (link_stack_flush_enabled)
++ seq_buf_printf(&s, ", Software link stack flush");
++
+ } else if (btb_flush_enabled) {
+ seq_buf_printf(&s, "Mitigation: Branch predictor state flush");
+ } else {
+@@ -369,18 +378,40 @@ static __init int stf_barrier_debugfs_in
+ device_initcall(stf_barrier_debugfs_init);
+ #endif /* CONFIG_DEBUG_FS */
+
++static void no_count_cache_flush(void)
++{
++ count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
++ pr_info("count-cache-flush: software flush disabled.\n");
++}
++
+ static void toggle_count_cache_flush(bool enable)
+ {
+- if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
++ if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) &&
++ !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK))
++ enable = false;
++
++ if (!enable) {
+ patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP);
+- count_cache_flush_type = COUNT_CACHE_FLUSH_NONE;
+- pr_info("count-cache-flush: software flush disabled.\n");
++ pr_info("link-stack-flush: software flush disabled.\n");
++ link_stack_flush_enabled = false;
++ no_count_cache_flush();
+ return;
+ }
+
++ // This enables the branch from _switch to flush_count_cache
+ patch_branch_site(&patch__call_flush_count_cache,
+ (u64)&flush_count_cache, BRANCH_SET_LINK);
+
++ pr_info("link-stack-flush: software flush enabled.\n");
++ link_stack_flush_enabled = true;
++
++ // If we just need to flush the link stack, patch an early return
++ if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) {
++ patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR);
++ no_count_cache_flush();
++ return;
++ }
++
+ if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) {
+ count_cache_flush_type = COUNT_CACHE_FLUSH_SW;
+ pr_info("count-cache-flush: full software flush sequence enabled.\n");
+@@ -399,11 +430,20 @@ void setup_count_cache_flush(void)
+ if (no_spectrev2 || cpu_mitigations_off()) {
+ if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) ||
+ security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED))
+- pr_warn("Spectre v2 mitigations not under software control, can't disable\n");
++ pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n");
+
+ enable = false;
+ }
+
++ /*
++ * There's no firmware feature flag/hypervisor bit to tell us we need to
++ * flush the link stack on context switch. So we set it here if we see
++ * either of the Spectre v2 mitigations that aim to protect userspace.
++ */
++ if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) ||
++ security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE))
++ security_ftr_set(SEC_FTR_FLUSH_LINK_STACK);
++
+ toggle_count_cache_flush(enable);
+ }
+
media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch
media-imon-invalid-dereference-in-imon_touch_event.patch
virtio_ring-fix-return-code-on-dma-mapping-fails.patch
+usbip-add-config-dependency-for-sgl_alloc.patch
+usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch
+usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch
+usb-serial-cp201x-support-mark-10-digital-force-gauge.patch
+usb-chaoskey-fix-error-case-of-a-timeout.patch
+appledisplay-fix-error-handling-in-the-scheduled-work.patch
+usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch
+usb-serial-mos7720-fix-remote-wakeup.patch
+usb-serial-mos7840-fix-remote-wakeup.patch
+usb-serial-option-add-support-for-dw5821e-with-esim-support.patch
+usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch
+staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch
+powerpc-64s-support-nospectre_v2-cmdline-option.patch
+powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch
+kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch
--- /dev/null
+From 5618332e5b955b4bff06d0b88146b971c8dd7b32 Mon Sep 17 00:00:00 2001
+From: Bernd Porr <mail@berndporr.me.uk>
+Date: Mon, 18 Nov 2019 23:07:59 +0000
+Subject: staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
+
+From: Bernd Porr <mail@berndporr.me.uk>
+
+commit 5618332e5b955b4bff06d0b88146b971c8dd7b32 upstream.
+
+The userspace comedilib function 'get_cmd_generic_timed' fills
+the cmd structure with an informed guess and then calls the
+function 'usbduxfast_ai_cmdtest' in this driver repeatedly while
+'usbduxfast_ai_cmdtest' is modifying the cmd struct until it
+no longer changes. However, because of rounding errors this never
+converged because 'steps = (cmd->convert_arg * 30) / 1000' and then
+back to 'cmd->convert_arg = (steps * 1000) / 30' won't be the same
+because of rounding errors. 'Steps' should only be converted back to
+the 'convert_arg' if 'steps' has actually been modified. In addition
+the case of steps being 0 wasn't checked which is also now done.
+
+Signed-off-by: Bernd Porr <mail@berndporr.me.uk>
+Cc: <stable@vger.kernel.org> # 4.4+
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20191118230759.1727-1-mail@berndporr.me.uk
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/usbduxfast.c | 21 ++++++++++++++-------
+ 1 file changed, 14 insertions(+), 7 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/usbduxfast.c
++++ b/drivers/staging/comedi/drivers/usbduxfast.c
+@@ -1,6 +1,6 @@
+ // SPDX-License-Identifier: GPL-2.0+
+ /*
+- * Copyright (C) 2004-2014 Bernd Porr, mail@berndporr.me.uk
++ * Copyright (C) 2004-2019 Bernd Porr, mail@berndporr.me.uk
+ */
+
+ /*
+@@ -8,7 +8,7 @@
+ * Description: University of Stirling USB DAQ & INCITE Technology Limited
+ * Devices: [ITL] USB-DUX-FAST (usbduxfast)
+ * Author: Bernd Porr <mail@berndporr.me.uk>
+- * Updated: 10 Oct 2014
++ * Updated: 16 Nov 2019
+ * Status: stable
+ */
+
+@@ -22,6 +22,7 @@
+ *
+ *
+ * Revision history:
++ * 1.0: Fixed a rounding error in usbduxfast_ai_cmdtest
+ * 0.9: Dropping the first data packet which seems to be from the last transfer.
+ * Buffer overflows in the FX2 are handed over to comedi.
+ * 0.92: Dropping now 4 packets. The quad buffer has to be emptied.
+@@ -350,6 +351,7 @@ static int usbduxfast_ai_cmdtest(struct
+ struct comedi_cmd *cmd)
+ {
+ int err = 0;
++ int err2 = 0;
+ unsigned int steps;
+ unsigned int arg;
+
+@@ -399,11 +401,16 @@ static int usbduxfast_ai_cmdtest(struct
+ */
+ steps = (cmd->convert_arg * 30) / 1000;
+ if (cmd->chanlist_len != 1)
+- err |= comedi_check_trigger_arg_min(&steps,
+- MIN_SAMPLING_PERIOD);
+- err |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD);
+- arg = (steps * 1000) / 30;
+- err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
++ err2 |= comedi_check_trigger_arg_min(&steps,
++ MIN_SAMPLING_PERIOD);
++ else
++ err2 |= comedi_check_trigger_arg_min(&steps, 1);
++ err2 |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD);
++ if (err2) {
++ err |= err2;
++ arg = (steps * 1000) / 30;
++ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg);
++ }
+
+ if (cmd->stop_src == TRIG_COUNT)
+ err |= comedi_check_trigger_arg_min(&cmd->stop_arg, 1);
--- /dev/null
+From 92aa5986f4f7b5a8bf282ca0f50967f4326559f5 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 7 Nov 2019 15:28:55 +0100
+Subject: USB: chaoskey: fix error case of a timeout
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 92aa5986f4f7b5a8bf282ca0f50967f4326559f5 upstream.
+
+In case of a timeout or if a signal aborts a read
+communication with the device needs to be ended
+lest we overwrite an active URB the next time we
+do IO to the device, as the URB may still be active.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.de>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191107142856.16774-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/chaoskey.c | 24 +++++++++++++++++++++---
+ 1 file changed, 21 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/misc/chaoskey.c
++++ b/drivers/usb/misc/chaoskey.c
+@@ -384,13 +384,17 @@ static int _chaoskey_fill(struct chaoske
+ !dev->reading,
+ (started ? NAK_TIMEOUT : ALEA_FIRST_TIMEOUT) );
+
+- if (result < 0)
++ if (result < 0) {
++ usb_kill_urb(dev->urb);
+ goto out;
++ }
+
+- if (result == 0)
++ if (result == 0) {
+ result = -ETIMEDOUT;
+- else
++ usb_kill_urb(dev->urb);
++ } else {
+ result = dev->valid;
++ }
+ out:
+ /* Let the device go back to sleep eventually */
+ usb_autopm_put_interface(dev->interface);
+@@ -526,7 +530,21 @@ static int chaoskey_suspend(struct usb_i
+
+ static int chaoskey_resume(struct usb_interface *interface)
+ {
++ struct chaoskey *dev;
++ struct usb_device *udev = interface_to_usbdev(interface);
++
+ usb_dbg(interface, "resume");
++ dev = usb_get_intfdata(interface);
++
++ /*
++ * We may have lost power.
++ * In that case the device that needs a long time
++ * for the first requests needs an extended timeout
++ * again
++ */
++ if (le16_to_cpu(udev->descriptor.idVendor) == ALEA_VENDOR_ID)
++ dev->reads_started = false;
++
+ return 0;
+ }
+ #else
--- /dev/null
+From 347bc8cb26388791c5881a3775cb14a3f765a674 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 18 Nov 2019 10:21:19 +0100
+Subject: usb-serial: cp201x: support Mark-10 digital force gauge
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 347bc8cb26388791c5881a3775cb14a3f765a674 upstream.
+
+Add support for the Mark-10 digital force gauge device to the cp201x
+driver.
+
+Based on a report and a larger patch from Joel Jennings
+
+Reported-by: Joel Jennings <joel.jennings@makeitlabs.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -125,6 +125,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */
+ { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */
+ { USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */
++ { USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */
+ { USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */
+ { USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */
+ { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */
--- /dev/null
+From ea422312a462696093b5db59d294439796cba4ad Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 7 Nov 2019 14:21:18 +0100
+Subject: USB: serial: mos7720: fix remote wakeup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ea422312a462696093b5db59d294439796cba4ad upstream.
+
+The driver was setting the device remote-wakeup feature during probe in
+violation of the USB specification (which says it should only be set
+just prior to suspending the device). This could potentially waste
+power during suspend as well as lead to spurious wakeups.
+
+Note that USB core would clear the remote-wakeup feature at first
+resume.
+
+Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7720.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1894,10 +1894,6 @@ static int mos7720_startup(struct usb_se
+ product = le16_to_cpu(serial->dev->descriptor.idProduct);
+ dev = serial->dev;
+
+- /* setting configuration feature to one */
+- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+- (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000);
+-
+ if (product == MOSCHIP_DEVICE_ID_7715) {
+ struct urb *urb = serial->port[0]->interrupt_in_urb;
+
--- /dev/null
+From e696d00e65e81d46e911f24b12e441037bf11b38 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pavel=20L=C3=B6bl?= <pavel@loebl.cz>
+Date: Fri, 1 Nov 2019 08:01:50 +0100
+Subject: USB: serial: mos7840: add USB ID to support Moxa UPort 2210
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pavel Löbl <pavel@loebl.cz>
+
+commit e696d00e65e81d46e911f24b12e441037bf11b38 upstream.
+
+Add USB ID for MOXA UPort 2210. This device contains mos7820 but
+it passes GPIO0 check implemented by driver and it's detected as
+mos7840. Hence product id check is added to force mos7820 mode.
+
+Signed-off-by: Pavel Löbl <pavel@loebl.cz>
+Cc: stable <stable@vger.kernel.org>
+[ johan: rename id defines and add vendor-id check ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -118,11 +118,15 @@
+ /* This driver also supports
+ * ATEN UC2324 device using Moschip MCS7840
+ * ATEN UC2322 device using Moschip MCS7820
++ * MOXA UPort 2210 device using Moschip MCS7820
+ */
+ #define USB_VENDOR_ID_ATENINTL 0x0557
+ #define ATENINTL_DEVICE_ID_UC2324 0x2011
+ #define ATENINTL_DEVICE_ID_UC2322 0x7820
+
++#define USB_VENDOR_ID_MOXA 0x110a
++#define MOXA_DEVICE_ID_2210 0x2210
++
+ /* Interrupt Routine Defines */
+
+ #define SERIAL_IIR_RLS 0x06
+@@ -193,6 +197,7 @@ static const struct usb_device_id id_tab
+ {USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)},
+ {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)},
+ {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)},
++ {USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)},
+ {} /* terminating entry */
+ };
+ MODULE_DEVICE_TABLE(usb, id_table);
+@@ -2053,6 +2058,7 @@ static int mos7840_probe(struct usb_seri
+ const struct usb_device_id *id)
+ {
+ u16 product = le16_to_cpu(serial->dev->descriptor.idProduct);
++ u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor);
+ u8 *buf;
+ int device_type;
+
+@@ -2062,6 +2068,11 @@ static int mos7840_probe(struct usb_seri
+ goto out;
+ }
+
++ if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) {
++ device_type = MOSCHIP_DEVICE_ID_7820;
++ goto out;
++ }
++
+ buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL);
+ if (!buf)
+ return -ENOMEM;
--- /dev/null
+From 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 7 Nov 2019 14:21:19 +0100
+Subject: USB: serial: mos7840: fix remote wakeup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 upstream.
+
+The driver was setting the device remote-wakeup feature during probe in
+violation of the USB specification (which says it should only be set
+just prior to suspending the device). This could potentially waste
+power during suspend as well as lead to spurious wakeups.
+
+Note that USB core would clear the remote-wakeup feature at first
+resume.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mos7840.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -2325,11 +2325,6 @@ out:
+ goto error;
+ } else
+ dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status);
+-
+- /* setting configuration feature to one */
+- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+- 0x03, 0x00, 0x01, 0x00, NULL, 0x00,
+- MOS_WDR_TIMEOUT);
+ }
+ return 0;
+ error:
--- /dev/null
+From 957c31ea082e3fe5196f46d5b04018b10de47400 Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Thu, 7 Nov 2019 11:55:08 +0100
+Subject: USB: serial: option: add support for DW5821e with eSIM support
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+commit 957c31ea082e3fe5196f46d5b04018b10de47400 upstream.
+
+The device exposes AT, NMEA and DIAG ports in both USB configurations.
+Exactly same layout as the default DW5821e module, just a different
+vid/pid.
+
+P: Vendor=413c ProdID=81e0 Rev=03.18
+S: Manufacturer=Dell Inc.
+S: Product=DW5821e-eSIM Snapdragon X20 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+P: Vendor=413c ProdID=81e0 Rev=03.18
+S: Manufacturer=Dell Inc.
+S: Product=DW5821e-eSIM Snapdragon X20 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -197,6 +197,7 @@ static void option_instat_callback(struc
+ #define DELL_PRODUCT_5804_MINICARD_ATT 0x819b /* Novatel E371 */
+
+ #define DELL_PRODUCT_5821E 0x81d7
++#define DELL_PRODUCT_5821E_ESIM 0x81e0
+
+ #define KYOCERA_VENDOR_ID 0x0c88
+ #define KYOCERA_PRODUCT_KPC650 0x17da
+@@ -1044,6 +1045,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5804_MINICARD_ATT, 0xff, 0xff, 0xff) },
+ { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E),
+ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
++ { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E_ESIM),
++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
+ { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */
+ { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) },
+ { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) },
--- /dev/null
+From f0797095423e6ea3b4be61134ee353c7f504d440 Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Wed, 13 Nov 2019 11:14:05 +0100
+Subject: USB: serial: option: add support for Foxconn T77W968 LTE modules
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+commit f0797095423e6ea3b4be61134ee353c7f504d440 upstream.
+
+These are the Foxconn-branded variants of the Dell DW5821e modules,
+same USB layout as those. The device exposes AT, NMEA and DIAG ports
+in both USB configurations.
+
+P: Vendor=0489 ProdID=e0b4 Rev=03.18
+S: Manufacturer=FII
+S: Product=T77W968 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+
+P: Vendor=0489 ProdID=e0b4 Rev=03.18
+S: Manufacturer=FII
+S: Product=T77W968 LTE
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+[ johan: drop id defines ]
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1993,6 +1993,10 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) },
++ { USB_DEVICE(0x0489, 0xe0b4), /* Foxconn T77W968 */
++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
++ { USB_DEVICE(0x0489, 0xe0b5), /* Foxconn T77W968 ESIM */
++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) },
+ { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */
+ .driver_info = RSVD(4) | RSVD(5) | RSVD(6) },
+ { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */
--- /dev/null
+From 1ec13abac58b6f24e32f0d3081ef4e7456e62ed8 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 12 Nov 2019 16:49:39 +0100
+Subject: USBIP: add config dependency for SGL_ALLOC
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 1ec13abac58b6f24e32f0d3081ef4e7456e62ed8 upstream.
+
+USBIP uses lib/scatterlist.h
+Hence it needs to set CONFIG_SGL_ALLOC
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Link: https://lore.kernel.org/r/20191112154939.21217-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/usbip/Kconfig
++++ b/drivers/usb/usbip/Kconfig
+@@ -2,6 +2,7 @@ config USBIP_CORE
+ tristate "USB/IP support"
+ depends on NET
+ select USB_COMMON
++ select SGL_ALLOC
+ ---help---
+ This enables pushing USB packets over IP to allow remote
+ machines direct access to USB devices. It provides the
--- /dev/null
+From 2a9125317b247f2cf35c196f968906dcf062ae2d Mon Sep 17 00:00:00 2001
+From: Suwan Kim <suwan.kim027@gmail.com>
+Date: Mon, 11 Nov 2019 23:10:35 +0900
+Subject: usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Suwan Kim <suwan.kim027@gmail.com>
+
+commit 2a9125317b247f2cf35c196f968906dcf062ae2d upstream.
+
+Smatch reported that nents is not initialized and used in
+stub_recv_cmd_submit(). nents is currently initialized by sgl_alloc()
+and used to allocate multiple URBs when host controller doesn't
+support scatter-gather DMA. The use of uninitialized nents means that
+buf_len is zero and use_sg is true. But buffer length should not be
+zero when an URB uses scatter-gather DMA.
+
+To prevent this situation, add the conditional that checks buf_len
+and use_sg. And move the use of nents right after the sgl_alloc() to
+avoid the use of uninitialized nents.
+
+If the error occurs, it adds SDEV_EVENT_ERROR_MALLOC and stub_priv
+will be released by stub event handler and connection will be shut
+down.
+
+Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver")
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Suwan Kim <suwan.kim027@gmail.com>
+Acked-by: Shuah Khan <skhan@linuxfoundation.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191111141035.27788-1-suwan.kim027@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_rx.c | 50 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 32 insertions(+), 18 deletions(-)
+
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -470,18 +470,50 @@ static void stub_recv_cmd_submit(struct
+ if (pipe == -1)
+ return;
+
++ /*
++ * Smatch reported the error case where use_sg is true and buf_len is 0.
++ * In this case, It adds SDEV_EVENT_ERROR_MALLOC and stub_priv will be
++ * released by stub event handler and connection will be shut down.
++ */
+ priv = stub_priv_alloc(sdev, pdu);
+ if (!priv)
+ return;
+
+ buf_len = (unsigned long long)pdu->u.cmd_submit.transfer_buffer_length;
+
++ if (use_sg && !buf_len) {
++ dev_err(&udev->dev, "sg buffer with zero length\n");
++ goto err_malloc;
++ }
++
+ /* allocate urb transfer buffer, if needed */
+ if (buf_len) {
+ if (use_sg) {
+ sgl = sgl_alloc(buf_len, GFP_KERNEL, &nents);
+ if (!sgl)
+ goto err_malloc;
++
++ /* Check if the server's HCD supports SG */
++ if (!udev->bus->sg_tablesize) {
++ /*
++ * If the server's HCD doesn't support SG, break
++ * a single SG request into several URBs and map
++ * each SG list entry to corresponding URB
++ * buffer. The previously allocated SG list is
++ * stored in priv->sgl (If the server's HCD
++ * support SG, SG list is stored only in
++ * urb->sg) and it is used as an indicator that
++ * the server split single SG request into
++ * several URBs. Later, priv->sgl is used by
++ * stub_complete() and stub_send_ret_submit() to
++ * reassemble the divied URBs.
++ */
++ support_sg = 0;
++ num_urbs = nents;
++ priv->completed_urbs = 0;
++ pdu->u.cmd_submit.transfer_flags &=
++ ~URB_DMA_MAP_SG;
++ }
+ } else {
+ buffer = kzalloc(buf_len, GFP_KERNEL);
+ if (!buffer)
+@@ -489,24 +521,6 @@ static void stub_recv_cmd_submit(struct
+ }
+ }
+
+- /* Check if the server's HCD supports SG */
+- if (use_sg && !udev->bus->sg_tablesize) {
+- /*
+- * If the server's HCD doesn't support SG, break a single SG
+- * request into several URBs and map each SG list entry to
+- * corresponding URB buffer. The previously allocated SG
+- * list is stored in priv->sgl (If the server's HCD support SG,
+- * SG list is stored only in urb->sg) and it is used as an
+- * indicator that the server split single SG request into
+- * several URBs. Later, priv->sgl is used by stub_complete() and
+- * stub_send_ret_submit() to reassemble the divied URBs.
+- */
+- support_sg = 0;
+- num_urbs = nents;
+- priv->completed_urbs = 0;
+- pdu->u.cmd_submit.transfer_flags &= ~URB_DMA_MAP_SG;
+- }
+-
+ /* allocate urb array */
+ priv->num_urbs = num_urbs;
+ priv->urbs = kmalloc_array(num_urbs, sizeof(*priv->urbs), GFP_KERNEL);
--- /dev/null
+From 26a4d4c00f85cb844dd11dd35e848b079c2f5e8f Mon Sep 17 00:00:00 2001
+From: Hewenliang <hewenliang4@huawei.com>
+Date: Fri, 25 Oct 2019 00:35:15 -0400
+Subject: usbip: tools: fix fd leakage in the function of read_attr_usbip_status
+
+From: Hewenliang <hewenliang4@huawei.com>
+
+commit 26a4d4c00f85cb844dd11dd35e848b079c2f5e8f upstream.
+
+We should close the fd before the return of read_attr_usbip_status.
+
+Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend")
+Signed-off-by: Hewenliang <hewenliang4@huawei.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20191025043515.20053-1-hewenliang4@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/usb/usbip/libsrc/usbip_host_common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/usb/usbip/libsrc/usbip_host_common.c
++++ b/tools/usb/usbip/libsrc/usbip_host_common.c
+@@ -69,7 +69,7 @@ static int32_t read_attr_usbip_status(st
+ }
+
+ value = atoi(status);
+-
++ close(fd);
+ return value;
+ }
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
