4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 19 Dec 2020 11:55:11 +0000 (12:55 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 19 Dec 2020 11:55:11 +0000 (12:55 +0100)
added patches:
alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
usb-add-reset_resume-quirk-for-snapscan-1212.patch
usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
usb-sisusbvga-make-console-support-depend-on-broken.patch
xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch

queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch [new file with mode: 0644]
queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch [new file with mode: 0644]
queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch [new file with mode: 0644]
queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch [new file with mode: 0644]
queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch [new file with mode: 0644]
queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch [new file with mode: 0644]
queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch [new file with mode: 0644]

diff --git a/queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch b/queue-4.4/alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
new file mode 100644 (file)
index 0000000..5a597e0
--- /dev/null
@@ -0,0 +1,46 @@
+From 175b8d89fe292796811fdee87fa39799a5b6b87a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 9 Dec 2020 09:45:52 +0100
+Subject: ALSA: pcm: oss: Fix potential out-of-bounds shift
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 175b8d89fe292796811fdee87fa39799a5b6b87a upstream.
+
+syzbot spotted a potential out-of-bounds shift in the PCM OSS layer
+where it calculates the buffer size with the arbitrary shift value
+given via an ioctl.
+
+Add a range check for avoiding the undefined behavior.
+As the value can be treated by a signed integer, the max shift should
+be 30.
+
+Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201209084552.17109-2-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/oss/pcm_oss.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/sound/core/oss/pcm_oss.c
++++ b/sound/core/oss/pcm_oss.c
+@@ -2000,11 +2000,15 @@ static int snd_pcm_oss_set_subdivide(str
+ static int snd_pcm_oss_set_fragment1(struct snd_pcm_substream *substream, unsigned int val)
+ {
+       struct snd_pcm_runtime *runtime;
++      int fragshift;
+       runtime = substream->runtime;
+       if (runtime->oss.subdivision || runtime->oss.fragshift)
+               return -EINVAL;
+-      runtime->oss.fragshift = val & 0xffff;
++      fragshift = val & 0xffff;
++      if (fragshift >= 31)
++              return -EINVAL;
++      runtime->oss.fragshift = fragshift;
+       runtime->oss.maxfrags = (val >> 16) & 0xffff;
+       if (runtime->oss.fragshift < 4)         /* < 16 */
+               runtime->oss.fragshift = 4;
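Review bot: The new bound `fragshift >= 31` in snd_pcm_oss_set_fragment1() is a bare number whose reason is recorded only in the commit message, although the value comes straight from an ioctl argument. A one-line comment above the check, for example `/* 1 << fragshift is computed in a signed int, so 30 is the largest safe shift */`, would keep a later edit from loosening it. The shift that consumes `runtime->oss.fragshift` is outside this hunk, so that wording should be confirmed against it. The function body also continues past the last line shown.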
diff --git a/queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch b/queue-4.4/alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
new file mode 100644 (file)
index 0000000..46c7d4a
--- /dev/null
@@ -0,0 +1,50 @@
+From c6dde8ffd071aea9d1ce64279178e470977b235c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Fri, 11 Dec 2020 14:00:48 +0100
+Subject: ALSA: usb-audio: Fix control 'access overflow' errors from chmap
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c6dde8ffd071aea9d1ce64279178e470977b235c upstream.
+
+The current channel-map control implementation in USB-audio driver may
+lead to an error message like
+  "control 3:0:0:Playback Channel Map:0: access overflow"
+when CONFIG_SND_CTL_VALIDATION is set.  It's because the chmap get
+callback clears the whole array no matter which count is set, and
+rather the false-positive detection.
+
+This patch fixes the problem by clearing only the needed array range
+at usb_chmap_ctl_get().
+
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201211130048.6358-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/stream.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -187,16 +187,16 @@ static int usb_chmap_ctl_get(struct snd_
+       struct snd_pcm_chmap *info = snd_kcontrol_chip(kcontrol);
+       struct snd_usb_substream *subs = info->private_data;
+       struct snd_pcm_chmap_elem *chmap = NULL;
+-      int i;
++      int i = 0;
+-      memset(ucontrol->value.integer.value, 0,
+-             sizeof(ucontrol->value.integer.value));
+       if (subs->cur_audiofmt)
+               chmap = subs->cur_audiofmt->chmap;
+       if (chmap) {
+               for (i = 0; i < chmap->channels; i++)
+                       ucontrol->value.integer.value[i] = chmap->map[i];
+       }
++      for (; i < subs->channels_max; i++)
++              ucontrol->value.integer.value[i] = 0;
+       return 0;
+ }
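Review bot: The zero-fill loop added at the end of usb_chmap_ctl_get() is bounded only by `subs->channels_max`, whereas the memset it replaces was bounded by `sizeof(ucontrol->value.integer.value)` and so could never write past the array. Nothing in the hunk shows `channels_max` being capped to the array length, and for a USB audio device that count presumably derives from device descriptors. Clamping the loop keeps the old guarantee: `for (; i < subs->channels_max && i < ARRAY_SIZE(ucontrol->value.integer.value); i++)`. The copy loop above it trusts `chmap->channels` in the same way for both `value[]` and `chmap->map[]`. The start of the function is outside the hunk.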
diff --git a/queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch b/queue-4.4/alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
new file mode 100644 (file)
index 0000000..38d53a4
--- /dev/null
@@ -0,0 +1,36 @@
+From 43d5ca88dfcd35e43010fdd818e067aa9a55f5ba Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 9 Dec 2020 09:45:51 +0100
+Subject: ALSA: usb-audio: Fix potential out-of-bounds shift
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 43d5ca88dfcd35e43010fdd818e067aa9a55f5ba upstream.
+
+syzbot spotted a potential out-of-bounds shift in the USB-audio format
+parser that receives the arbitrary shift value from the USB
+descriptor.
+
+Add a range check for avoiding the undefined behavior.
+
+Reported-by: syzbot+df7dc146ebdd6435eea3@syzkaller.appspotmail.com
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201209084552.17109-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -52,6 +52,8 @@ static u64 parse_audio_format_i_type(str
+       case UAC_VERSION_1:
+       default: {
+               struct uac_format_type_i_discrete_descriptor *fmt = _fmt;
++              if (format >= 64)
++                      return 0; /* invalid format */
+               sample_width = fmt->bBitResolution;
+               sample_bytes = fmt->bSubframeSize;
+               format = 1 << format;
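Review bot: The added guard `if (format >= 64)` does not protect the shift on the last context line of the hunk, because `format = 1 << format;` shifts an `int` constant, so any value from 32 to 63 passes the check and is still an out-of-range shift. The commit message says the value is taken from the USB descriptor, so it is device-controlled. Either tighten the bound to the width actually shifted, `if (format >= 32)`, or, if `format` is a 64-bit variable in this tree, widen the shift to `format = 1ULL << format;`. The declaration of `format` is outside the hunk, so which of the two fits needs confirming against the full function.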
diff --git a/queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch b/queue-4.4/serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
new file mode 100644 (file)
index 0000000..72cd42a
--- /dev/null
@@ -0,0 +1,52 @@
+From d96f04d347e4011977abdbb4da5d8f303ebd26f8 Mon Sep 17 00:00:00 2001
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Date: Thu, 10 Dec 2020 06:52:57 +0100
+Subject: serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access
+
+From: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+
+commit d96f04d347e4011977abdbb4da5d8f303ebd26f8 upstream.
+
+It has been observed that once per 300-1300 port openings the first
+transmitted byte is being corrupted on AM3352 ("v" written to FIFO appeared
+as "e" on the wire). It only happened if single byte has been transmitted
+right after port open, which means, DMA is not used for this transfer and
+the corruption never happened afterwards.
+
+Therefore I've carefully re-read the MDR1 errata (link below), which says
+"when accessing the MDR1 registers that causes a dummy under-run condition
+that will freeze the UART in IrDA transmission. In UART mode, this may
+corrupt the transferred data". Strictly speaking,
+omap_8250_mdr1_errataset() performs a read access and if the value is the
+same as should be written, exits without errata-recommended FIFO reset.
+
+A brief check of the serial_omap_mdr1_errataset() from the competing
+omap-serial driver showed it has no read access of MDR1. After removing the
+read access from omap_8250_mdr1_errataset() the data corruption never
+happened any more.
+
+Link: https://www.ti.com/lit/er/sprz360i/sprz360i.pdf
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Alexander Sverdlin <alexander.sverdlin@gmail.com>
+Link: https://lore.kernel.org/r/20201210055257.1053028-1-alexander.sverdlin@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/8250/8250_omap.c |    5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -155,11 +155,6 @@ static void omap_8250_mdr1_errataset(str
+                                    struct omap8250_priv *priv)
+ {
+       u8 timeout = 255;
+-      u8 old_mdr1;
+-
+-      old_mdr1 = serial_in(up, UART_OMAP_MDR1);
+-      if (old_mdr1 == priv->mdr1)
+-              return;
+       serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+       udelay(2);
index cdbf28f13a4ced5408119bfe418071e9cae14573..6de3a85d2db4400a5718805ddd03061e83bb250c 100644 (file)
@@ -10,3 +10,11 @@ net-mlx4_en-avoid-scheduling-restart-task-if-it-is-already-running.patch
 tcp-fix-cwnd-limited-bug-for-tso-deferral-where-we-send-nothing.patch
 net-stmmac-delete-the-eee_ctrl_timer-after-napi-disabled.patch
 net-bridge-vlan-fix-error-return-code-in-__vlan_add.patch
+usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
+usb-add-reset_resume-quirk-for-snapscan-1212.patch
+alsa-usb-audio-fix-potential-out-of-bounds-shift.patch
+alsa-usb-audio-fix-control-access-overflow-errors-from-chmap.patch
+xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch
+usb-sisusbvga-make-console-support-depend-on-broken.patch
+alsa-pcm-oss-fix-potential-out-of-bounds-shift.patch
+serial-8250_omap-avoid-fifo-corruption-caused-by-mdr1-access.patch
diff --git a/queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch b/queue-4.4/usb-add-reset_resume-quirk-for-snapscan-1212.patch
new file mode 100644 (file)
index 0000000..9d9e04d
--- /dev/null
@@ -0,0 +1,33 @@
+From 08a02f954b0def3ada8ed6d4b2c7bcb67e885e9c Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 7 Dec 2020 14:03:23 +0100
+Subject: USB: add RESET_RESUME quirk for Snapscan 1212
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 08a02f954b0def3ada8ed6d4b2c7bcb67e885e9c upstream.
+
+I got reports that some models of this old scanner need
+this when using runtime PM.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20201207130323.23857-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -189,6 +189,9 @@ static const struct usb_device_id usb_qu
+       { USB_DEVICE(0x06a3, 0x0006), .driver_info =
+                       USB_QUIRK_CONFIG_INTF_STRINGS },
++      /* Agfa SNAPSCAN 1212U */
++      { USB_DEVICE(0x06bd, 0x0001), .driver_info = USB_QUIRK_RESET_RESUME },
++
+       /* Guillemot Webcam Hercules Dualpix Exchange (2nd ID) */
+       { USB_DEVICE(0x06f8, 0x0804), .driver_info = USB_QUIRK_RESET_RESUME },
diff --git a/queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch b/queue-4.4/usb-dummy-hcd-fix-uninitialized-array-use-in-init.patch
new file mode 100644 (file)
index 0000000..2d03755
--- /dev/null
@@ -0,0 +1,40 @@
+From e90cfa813da7a527785033a0b247594c2de93dd8 Mon Sep 17 00:00:00 2001
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+Date: Fri, 4 Dec 2020 06:24:49 +0000
+Subject: USB: dummy-hcd: Fix uninitialized array use in init()
+
+From: Bui Quang Minh <minhquangbui99@gmail.com>
+
+commit e90cfa813da7a527785033a0b247594c2de93dd8 upstream.
+
+This error path
+
+       err_add_pdata:
+               for (i = 0; i < mod_data.num; i++)
+                       kfree(dum[i]);
+
+can be triggered when not all dum's elements are initialized.
+
+Fix this by initializing all dum's elements to NULL.
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com>
+Link: https://lore.kernel.org/r/1607063090-3426-1-git-send-email-minhquangbui99@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/udc/dummy_hcd.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/udc/dummy_hcd.c
++++ b/drivers/usb/gadget/udc/dummy_hcd.c
+@@ -2741,7 +2741,7 @@ static int __init init(void)
+ {
+       int     retval = -ENOMEM;
+       int     i;
+-      struct  dummy *dum[MAX_NUM_UDC];
++      struct  dummy *dum[MAX_NUM_UDC] = {};
+       if (usb_disabled())
+               return -ENODEV;
diff --git a/queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch b/queue-4.4/usb-sisusbvga-make-console-support-depend-on-broken.patch
new file mode 100644 (file)
index 0000000..c11727b
--- /dev/null
@@ -0,0 +1,46 @@
+From 862ee699fefe1e6d6f2c1518395f0b999b8beb15 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Mon, 19 Oct 2020 12:06:30 +0200
+Subject: USB: sisusbvga: Make console support depend on BROKEN
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 862ee699fefe1e6d6f2c1518395f0b999b8beb15 upstream.
+
+The console part of sisusbvga is broken vs. printk(). It uses in_atomic()
+to detect contexts in which it cannot sleep despite the big fat comment in
+preempt.h which says: Do not use in_atomic() in driver code.
+
+in_atomic() does not work on kernels with CONFIG_PREEMPT_COUNT=n which
+means that spin/rw_lock held regions are not detected by it.
+
+There is no way to make this work by handing context information through to
+the driver and this only can be solved once the core printk infrastructure
+supports sleepable console drivers.
+
+Make it depend on BROKEN for now.
+
+Fixes: 1bbb4f2035d9 ("[PATCH] USB: sisusb[vga] update")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Cc: Thomas Winischhofer <thomas@winischhofer.net>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: linux-usb@vger.kernel.org
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20201019101109.603244207@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/sisusbvga/Kconfig |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/sisusbvga/Kconfig
++++ b/drivers/usb/misc/sisusbvga/Kconfig
+@@ -15,7 +15,7 @@ config USB_SISUSBVGA
+ config USB_SISUSBVGA_CON
+       bool "Text console and mode switching support" if USB_SISUSBVGA
+-      depends on VT
++      depends on VT && BROKEN
+       select FONT_8x16
+       ---help---
+         Say Y here if you want a VGA text console via the USB dongle or
diff --git a/queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch b/queue-4.4/xhci-give-usb2-ports-time-to-enter-u3-in-bus-suspend.patch
new file mode 100644 (file)
index 0000000..f0d752a
--- /dev/null
@@ -0,0 +1,43 @@
+From c1373f10479b624fb6dba0805d673e860f1b421d Mon Sep 17 00:00:00 2001
+From: Li Jun <jun.li@nxp.com>
+Date: Tue, 8 Dec 2020 11:29:12 +0200
+Subject: xhci: Give USB2 ports time to enter U3 in bus suspend
+
+From: Li Jun <jun.li@nxp.com>
+
+commit c1373f10479b624fb6dba0805d673e860f1b421d upstream.
+
+If a USB2 device wakeup is not enabled/supported the link state may
+still be in U0 in xhci_bus_suspend(), where it's then manually put
+to suspended U3 state.
+
+Just as with selective suspend the device needs time to enter U3
+suspend before continuing with further suspend operations
+(e.g. system suspend), otherwise we may enter system suspend with link
+state in U0.
+
+[commit message rewording -Mathias]
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Li Jun <jun.li@nxp.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20201208092912.1773650-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-hub.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/host/xhci-hub.c
++++ b/drivers/usb/host/xhci-hub.c
+@@ -1400,6 +1400,10 @@ int xhci_bus_suspend(struct usb_hcd *hcd
+       hcd->state = HC_STATE_SUSPENDED;
+       bus_state->next_statechange = jiffies + msecs_to_jiffies(10);
+       spin_unlock_irqrestore(&xhci->lock, flags);
++
++      if (bus_state->bus_suspended)
++              usleep_range(5000, 10000);
++
+       return 0;
+ }
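Review bot: The `usleep_range(5000, 10000)` added after `spin_unlock_irqrestore()` in xhci_bus_suspend() carries no comment, so neither the reason for the delay nor the fact that it must stay outside the spinlock is recorded in the code. A comment such as `/* give USB2 ports put into U3 above time to settle; sleeps, so keep outside xhci->lock */` would do. `bus_state->bus_suspended` is also read after the lock is dropped. Whether anything can change it concurrently at this point is not visible in the hunk, and the start of the function is outside it.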