]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Mar 2021 10:48:59 +0000 (11:48 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 1 Mar 2021 10:48:59 +0000 (11:48 +0100)
added patches:
acpi-configfs-add-missing-check-after-configfs_register_default_group.patch
acpi-property-fix-fwnode-string-properties-matching.patch
alsa-hda-realtek-modify-eapd-in-the-alc886.patch
blk-settings-align-max_sectors-on-logical_block_size-boundary.patch
btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch
btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch
btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch
crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch
crypto-sun4i-ss-handle-bigendian-for-cipher.patch
crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch
drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch
hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch
input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch
input-joydev-prevent-potential-read-overflow-in-ioctl.patch
input-raydium_ts_i2c-do-not-send-zero-length.patch
input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch
keys-trusted-fix-migratable-1-failing.patch
seccomp-add-missing-return-in-non-void-function.patch
staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch
tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch
usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch
usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch
usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch
usb-serial-mos7720-fix-error-code-in-mos7720_write.patch
usb-serial-mos7840-fix-error-code-in-mos7840_write.patch
usb-serial-option-update-interface-mapping-for-zte-p685m.patch

27 files changed:
queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch [new file with mode: 0644]
queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch [new file with mode: 0644]
queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch [new file with mode: 0644]
queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch [new file with mode: 0644]
queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch [new file with mode: 0644]
queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch [new file with mode: 0644]
queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch [new file with mode: 0644]
queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch [new file with mode: 0644]
queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch [new file with mode: 0644]
queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch [new file with mode: 0644]
queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch [new file with mode: 0644]
queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch [new file with mode: 0644]
queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch [new file with mode: 0644]
queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch [new file with mode: 0644]
queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch [new file with mode: 0644]
queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch [new file with mode: 0644]
queue-4.14/keys-trusted-fix-migratable-1-failing.patch [new file with mode: 0644]
queue-4.14/seccomp-add-missing-return-in-non-void-function.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch [new file with mode: 0644]
queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch [new file with mode: 0644]
queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch [new file with mode: 0644]
queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch [new file with mode: 0644]
queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch [new file with mode: 0644]
queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch [new file with mode: 0644]
queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch [new file with mode: 0644]
queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch [new file with mode: 0644]

diff --git a/queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch b/queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch
new file mode 100644 (file)
index 0000000..eef43db
--- /dev/null
@@ -0,0 +1,53 @@
+From 67e40054de86aae520ddc2a072d7f6951812a14f Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Fri, 15 Jan 2021 10:22:50 +0800
+Subject: ACPI: configfs: add missing check after configfs_register_default_group()
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 67e40054de86aae520ddc2a072d7f6951812a14f upstream.
+
+A list_add corruption is reported by Hulk Robot like this:
+==============
+list_add corruption.
+Call Trace:
+link_obj+0xc0/0x1c0
+link_group+0x21/0x140
+configfs_register_subsystem+0xdb/0x380
+acpi_configfs_init+0x25/0x1000 [acpi_configfs]
+do_one_initcall+0x149/0x820
+do_init_module+0x1ef/0x720
+load_module+0x35c8/0x4380
+__do_sys_finit_module+0x10d/0x1a0
+do_syscall_64+0x34/0x80
+
+It's because of the missing check after configfs_register_default_group,
+where configfs_unregister_subsystem should be called once failure.
+
+Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Suggested-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Cc: 4.10+ <stable@vger.kernel.org> # 4.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_configfs.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_configfs.c
++++ b/drivers/acpi/acpi_configfs.c
+@@ -269,7 +269,12 @@ static int __init acpi_configfs_init(voi
+       acpi_table_group = configfs_register_default_group(root, "table",
+                                                          &acpi_tables_type);
+-      return PTR_ERR_OR_ZERO(acpi_table_group);
++      if (IS_ERR(acpi_table_group)) {
++              configfs_unregister_subsystem(&acpi_configfs);
++              return PTR_ERR(acpi_table_group);
++      }
++
++      return 0;
+ }
+ module_init(acpi_configfs_init);
diff --git a/queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch b/queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch
new file mode 100644 (file)
index 0000000..82dd586
--- /dev/null
@@ -0,0 +1,146 @@
+From e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 11 Feb 2021 19:30:01 +0100
+Subject: ACPI: property: Fix fwnode string properties matching
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 upstream.
+
+Property matching does not work for ACPI fwnodes if the value of the
+given property is not represented as a package in the _DSD package
+containing it.  For example, the "compatible" property in the _DSD
+below
+
+  Name (_DSD, Package () {
+    ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"),
+    Package () {
+      Package () {"compatible", "ethernet-phy-ieee802.3-c45"}
+    }
+  })
+
+will not be found by fwnode_property_match_string(), because the ACPI
+code handling device properties does not regard the single value as a
+"list" in that case.
+
+Namely, fwnode_property_match_string() invoked to match a given
+string property value first calls fwnode_property_read_string_array()
+with the last two arguments equal to NULL and 0, respectively, in
+order to count the items in the value of the given property, with the
+assumption that this value may be an array.  For ACPI fwnodes, that
+operation is carried out by acpi_node_prop_read() which calls
+acpi_data_prop_read() for this purpose.  However, when the return
+(val) pointer is NULL, that function only looks for a property whose
+value is a package without checking the single-value case at all.
+
+To fix that, make acpi_data_prop_read() check the single-value
+case if its return pointer argument is NULL and modify
+acpi_data_prop_read_single() handling that case to attempt to
+read the value of the property if the return pointer is NULL
+and return 1 if that succeeds.
+
+Fixes: 3708184afc77 ("device property: Move FW type specific functionality to FW specific files")
+Reported-by: Calvin Johnson <calvin.johnson@oss.nxp.com>
+Cc: 4.13+ <stable@vger.kernel.org> # 4.13+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c |   44 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 11 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -688,9 +688,6 @@ static int acpi_data_prop_read_single(co
+       const union acpi_object *obj;
+       int ret;
+-      if (!val)
+-              return -EINVAL;
+-
+       if (proptype >= DEV_PROP_U8 && proptype <= DEV_PROP_U64) {
+               ret = acpi_data_get_property(data, propname, ACPI_TYPE_INTEGER, &obj);
+               if (ret)
+@@ -700,28 +697,43 @@ static int acpi_data_prop_read_single(co
+               case DEV_PROP_U8:
+                       if (obj->integer.value > U8_MAX)
+                               return -EOVERFLOW;
+-                      *(u8 *)val = obj->integer.value;
++
++                      if (val)
++                              *(u8 *)val = obj->integer.value;
++
+                       break;
+               case DEV_PROP_U16:
+                       if (obj->integer.value > U16_MAX)
+                               return -EOVERFLOW;
+-                      *(u16 *)val = obj->integer.value;
++
++                      if (val)
++                              *(u16 *)val = obj->integer.value;
++
+                       break;
+               case DEV_PROP_U32:
+                       if (obj->integer.value > U32_MAX)
+                               return -EOVERFLOW;
+-                      *(u32 *)val = obj->integer.value;
++
++                      if (val)
++                              *(u32 *)val = obj->integer.value;
++
+                       break;
+               default:
+-                      *(u64 *)val = obj->integer.value;
++                      if (val)
++                              *(u64 *)val = obj->integer.value;
++
+                       break;
+               }
++
++              if (!val)
++                      return 1;
+       } else if (proptype == DEV_PROP_STRING) {
+               ret = acpi_data_get_property(data, propname, ACPI_TYPE_STRING, &obj);
+               if (ret)
+                       return ret;
+-              *(char **)val = obj->string.pointer;
++              if (val)
++                      *(char **)val = obj->string.pointer;
+               return 1;
+       } else {
+@@ -735,7 +747,7 @@ int acpi_dev_prop_read_single(struct acp
+ {
+       int ret;
+-      if (!adev)
++      if (!adev || !val)
+               return -EINVAL;
+       ret = acpi_data_prop_read_single(&adev->data, propname, proptype, val);
+@@ -829,10 +841,20 @@ static int acpi_data_prop_read(const str
+       const union acpi_object *items;
+       int ret;
+-      if (val && nval == 1) {
++      if (nval == 1 || !val) {
+               ret = acpi_data_prop_read_single(data, propname, proptype, val);
+-              if (ret >= 0)
++              /*
++               * The overflow error means that the property is there and it is
++               * single-value, but its type does not match, so return.
++               */
++              if (ret >= 0 || ret == -EOVERFLOW)
+                       return ret;
++
++              /*
++               * Reading this property as a single-value one failed, but its
++               * value may still be represented as one-element array, so
++               * continue.
++               */
+       }
+       ret = acpi_data_get_property_array(data, propname, ACPI_TYPE_ANY, &obj);
diff --git a/queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch b/queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch
new file mode 100644 (file)
index 0000000..e401f5b
--- /dev/null
@@ -0,0 +1,54 @@
+From 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 Mon Sep 17 00:00:00 2001
+From: PeiSen Hou <pshou@realtek.com>
+Date: Tue, 2 Feb 2021 10:30:22 +0100
+Subject: ALSA: hda/realtek: modify EAPD in the ALC886
+
+From: PeiSen Hou <pshou@realtek.com>
+
+commit 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 upstream.
+
+Modify 0x20 index 7 bit 5 to 1, make the 0x15 EAPD the same as 0x14.
+
+Signed-off-by: PeiSen Hou <pshou@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/e62c5058957f48d8b8953e97135ff108@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1792,6 +1792,7 @@ enum {
+       ALC889_FIXUP_FRONT_HP_NO_PRESENCE,
+       ALC889_FIXUP_VAIO_TT,
+       ALC888_FIXUP_EEE1601,
++      ALC886_FIXUP_EAPD,
+       ALC882_FIXUP_EAPD,
+       ALC883_FIXUP_EAPD,
+       ALC883_FIXUP_ACER_EAPD,
+@@ -2100,6 +2101,15 @@ static const struct hda_fixup alc882_fix
+                       { }
+               }
+       },
++      [ALC886_FIXUP_EAPD] = {
++              .type = HDA_FIXUP_VERBS,
++              .v.verbs = (const struct hda_verb[]) {
++                      /* change to EAPD mode */
++                      { 0x20, AC_VERB_SET_COEF_INDEX, 0x07 },
++                      { 0x20, AC_VERB_SET_PROC_COEF, 0x0068 },
++                      { }
++              }
++      },
+       [ALC882_FIXUP_EAPD] = {
+               .type = HDA_FIXUP_VERBS,
+               .v.verbs = (const struct hda_verb[]) {
+@@ -2340,6 +2350,7 @@ static const struct snd_pci_quirk alc882
+       SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF),
+       SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
++      SND_PCI_QUIRK(0x13fe, 0x1009, "Advantech MIT-W101", ALC886_FIXUP_EAPD),
+       SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE),
+       SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
+       SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
diff --git a/queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch b/queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch
new file mode 100644 (file)
index 0000000..59ced2e
--- /dev/null
@@ -0,0 +1,68 @@
+From 97f433c3601a24d3513d06f575a389a2ca4e11e4 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 23 Feb 2021 19:25:30 -0700
+Subject: blk-settings: align max_sectors on "logical_block_size" boundary
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 97f433c3601a24d3513d06f575a389a2ca4e11e4 upstream.
+
+We get I/O errors when we run md-raid1 on the top of dm-integrity on the
+top of ramdisk.
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8048, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8147, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8246, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8345, 0xbb
+
+The ramdisk device has logical_block_size 512 and max_sectors 255. The
+dm-integrity device uses logical_block_size 4096 and it doesn't affect the
+"max_sectors" value - thus, it inherits 255 from the ramdisk. So, we have
+a device with max_sectors not aligned on logical_block_size.
+
+The md-raid device sees that the underlying leg has max_sectors 255 and it
+will split the bios on 255-sector boundary, making the bios unaligned on
+logical_block_size.
+
+In order to fix the bug, we round down max_sectors to logical_block_size.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-settings.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -513,6 +513,14 @@ void blk_queue_io_opt(struct request_que
+ }
+ EXPORT_SYMBOL(blk_queue_io_opt);
++static unsigned int blk_round_down_sectors(unsigned int sectors, unsigned int lbs)
++{
++      sectors = round_down(sectors, lbs >> SECTOR_SHIFT);
++      if (sectors < PAGE_SIZE >> SECTOR_SHIFT)
++              sectors = PAGE_SIZE >> SECTOR_SHIFT;
++      return sectors;
++}
++
+ /**
+  * blk_queue_stack_limits - inherit underlying queue limits for stacked drivers
+  * @t:        the stacking driver (top)
+@@ -639,6 +647,10 @@ int blk_stack_limits(struct queue_limits
+               ret = -1;
+       }
++      t->max_sectors = blk_round_down_sectors(t->max_sectors, t->logical_block_size);
++      t->max_hw_sectors = blk_round_down_sectors(t->max_hw_sectors, t->logical_block_size);
++      t->max_dev_sectors = blk_round_down_sectors(t->max_dev_sectors, t->logical_block_size);
++
+       /* Discard alignment and granularity */
+       if (b->discard_granularity) {
+               alignment = queue_limit_discard_alignment(b, start);
diff --git a/queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch b/queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch
new file mode 100644 (file)
index 0000000..1e8d0bd
--- /dev/null
@@ -0,0 +1,56 @@
+From 867ed321f90d06aaba84e2c91de51cd3038825ef Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Thu, 14 Jan 2021 14:02:46 -0500
+Subject: btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 867ed321f90d06aaba84e2c91de51cd3038825ef upstream.
+
+While testing my error handling patches, I added a error injection site
+at btrfs_inc_extent_ref, to validate the error handling I added was
+doing the correct thing.  However I hit a pretty ugly corruption while
+doing this check, with the following error injection stack trace:
+
+btrfs_inc_extent_ref
+  btrfs_copy_root
+    create_reloc_root
+      btrfs_init_reloc_root
+       btrfs_record_root_in_trans
+         btrfs_start_transaction
+           btrfs_update_inode
+             btrfs_update_time
+               touch_atime
+                 file_accessed
+                   btrfs_file_mmap
+
+This is because we do not catch the error from btrfs_inc_extent_ref,
+which in practice would be ENOMEM, which means we lose the extent
+references for a root that has already been allocated and inserted,
+which is the problem.  Fix this by aborting the transaction if we fail
+to do the reference modification.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -282,9 +282,10 @@ int btrfs_copy_root(struct btrfs_trans_h
+               ret = btrfs_inc_ref(trans, root, cow, 1);
+       else
+               ret = btrfs_inc_ref(trans, root, cow, 0);
+-
+-      if (ret)
++      if (ret) {
++              btrfs_abort_transaction(trans, ret);
+               return ret;
++      }
+       btrfs_mark_buffer_dirty(cow);
+       *cow_ret = cow;
diff --git a/queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch b/queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch
new file mode 100644 (file)
index 0000000..b6a8ed3
--- /dev/null
@@ -0,0 +1,37 @@
+From 72c9925f87c8b74f36f8e75a4cd93d964538d3ca Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 4 Feb 2021 14:35:44 +0000
+Subject: btrfs: fix extent buffer leak on failure to copy root
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 72c9925f87c8b74f36f8e75a4cd93d964538d3ca upstream.
+
+At btrfs_copy_root(), if the call to btrfs_inc_ref() fails we end up
+returning without unlocking and releasing our reference on the extent
+buffer named "cow" we previously allocated with btrfs_alloc_tree_block().
+
+So fix that by unlocking the extent buffer and dropping our reference on
+it before returning.
+
+Fixes: be20aa9dbadc8c ("Btrfs: Add mount option to turn off data cow")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -283,6 +283,8 @@ int btrfs_copy_root(struct btrfs_trans_h
+       else
+               ret = btrfs_inc_ref(trans, root, cow, 0);
+       if (ret) {
++              btrfs_tree_unlock(cow);
++              free_extent_buffer(cow);
+               btrfs_abort_transaction(trans, ret);
+               return ret;
+       }
diff --git a/queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch b/queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch
new file mode 100644 (file)
index 0000000..fe26a41
--- /dev/null
@@ -0,0 +1,48 @@
+From c78a10aebb275c38d0cfccae129a803fe622e305 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Thu, 14 Jan 2021 14:02:42 -0500
+Subject: btrfs: fix reloc root leak with 0 ref reloc roots on recovery
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit c78a10aebb275c38d0cfccae129a803fe622e305 upstream.
+
+When recovering a relocation, if we run into a reloc root that has 0
+refs we simply add it to the reloc_control->reloc_roots list, and then
+clean it up later.  The problem with this is __del_reloc_root() doesn't
+do anything if the root isn't in the radix tree, which in this case it
+won't be because we never call __add_reloc_root() on the reloc_root.
+
+This exit condition simply isn't correct really.  During normal
+operation we can remove ourselves from the rb tree and then we're meant
+to clean up later at merge_reloc_roots() time, and this happens
+correctly.  During recovery we're depending on free_reloc_roots() to
+drop our references, but we're short-circuiting.
+
+Fix this by continuing to check if we're on the list and dropping
+ourselves from the reloc_control root list and dropping our reference
+appropriately.  Change the corresponding BUG_ON() to an ASSERT() that
+does the correct thing if we aren't in the rb tree.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1344,9 +1344,7 @@ static void __del_reloc_root(struct btrf
+                       RB_CLEAR_NODE(&node->rb_node);
+               }
+               spin_unlock(&rc->reloc_root_tree.lock);
+-              if (!node)
+-                      return;
+-              BUG_ON((struct btrfs_root *)node->data != root);
++              ASSERT(!node || (struct btrfs_root *)node->data == root);
+       }
+       spin_lock(&fs_info->trans_lock);
diff --git a/queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch b/queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch
new file mode 100644 (file)
index 0000000..723de82
--- /dev/null
@@ -0,0 +1,40 @@
+From 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:26 +0000
+Subject: crypto: sun4i-ss - checking sg length is not sufficient
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf upstream.
+
+The optimized cipher function need length multiple of 4 bytes.
+But it get sometimes odd length.
+This is due to SG data could be stored with an offset.
+
+So the fix is to check also if the offset is aligned with 4 bytes.
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -189,12 +189,12 @@ static int sun4i_ss_cipher_poll(struct s
+        * we can use the SS optimized function
+        */
+       while (in_sg && no_chunk == 1) {
+-              if (in_sg->length % 4)
++              if ((in_sg->length | in_sg->offset) & 3u)
+                       no_chunk = 0;
+               in_sg = sg_next(in_sg);
+       }
+       while (out_sg && no_chunk == 1) {
+-              if (out_sg->length % 4)
++              if ((out_sg->length | out_sg->offset) & 3u)
+                       no_chunk = 0;
+               out_sg = sg_next(out_sg);
+       }
diff --git a/queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch b/queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch
new file mode 100644 (file)
index 0000000..71fe362
--- /dev/null
@@ -0,0 +1,57 @@
+From 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:28 +0000
+Subject: crypto: sun4i-ss - handle BigEndian for cipher
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 upstream.
+
+Ciphers produce invalid results on BE.
+Key and IV need to be written in LE.
+
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -63,13 +63,13 @@ static int sun4i_ss_opti_poll(struct skc
+       spin_lock_irqsave(&ss->slock, flags);
+-      for (i = 0; i < op->keylen; i += 4)
+-              writel(*(op->key + i / 4), ss->base + SS_KEY0 + i);
++      for (i = 0; i < op->keylen / 4; i++)
++              writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1);
+       if (areq->iv) {
+               for (i = 0; i < 4 && i < ivsize / 4; i++) {
+                       v = *(u32 *)(areq->iv + i * 4);
+-                      writel(v, ss->base + SS_IV0 + i * 4);
++                      writesl(ss->base + SS_IV0 + i * 4, &v, 1);
+               }
+       }
+       writel(mode, ss->base + SS_CTL);
+@@ -223,13 +223,13 @@ static int sun4i_ss_cipher_poll(struct s
+       spin_lock_irqsave(&ss->slock, flags);
+-      for (i = 0; i < op->keylen; i += 4)
+-              writel(*(op->key + i / 4), ss->base + SS_KEY0 + i);
++      for (i = 0; i < op->keylen / 4; i++)
++              writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1);
+       if (areq->iv) {
+               for (i = 0; i < 4 && i < ivsize / 4; i++) {
+                       v = *(u32 *)(areq->iv + i * 4);
+-                      writel(v, ss->base + SS_IV0 + i * 4);
++                      writesl(ss->base + SS_IV0 + i * 4, &v, 1);
+               }
+       }
+       writel(mode, ss->base + SS_CTL);
diff --git a/queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch b/queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch
new file mode 100644 (file)
index 0000000..d7b1efe
--- /dev/null
@@ -0,0 +1,101 @@
+From b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:27 +0000
+Subject: crypto: sun4i-ss - IV register does not work on A10 and A13
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 upstream.
+
+Allwinner A10 and A13 SoC have a version of the SS which produce
+invalid IV in IVx register.
+
+Instead of adding a variant for those, let's convert SS to produce IV
+directly from data.
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c |   34 ++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -24,6 +24,7 @@ static int sun4i_ss_opti_poll(struct skc
+       unsigned int ivsize = crypto_skcipher_ivsize(tfm);
+       struct sun4i_cipher_req_ctx *ctx = skcipher_request_ctx(areq);
+       u32 mode = ctx->mode;
++      void *backup_iv = NULL;
+       /* when activating SS, the default FIFO space is SS_RX_DEFAULT(32) */
+       u32 rx_cnt = SS_RX_DEFAULT;
+       u32 tx_cnt = 0;
+@@ -53,6 +54,13 @@ static int sun4i_ss_opti_poll(struct skc
+               return -EINVAL;
+       }
++      if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) {
++              backup_iv = kzalloc(ivsize, GFP_KERNEL);
++              if (!backup_iv)
++                      return -ENOMEM;
++              scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0);
++      }
++
+       spin_lock_irqsave(&ss->slock, flags);
+       for (i = 0; i < op->keylen; i += 4)
+@@ -126,9 +134,12 @@ static int sun4i_ss_opti_poll(struct skc
+       } while (oleft);
+       if (areq->iv) {
+-              for (i = 0; i < 4 && i < ivsize / 4; i++) {
+-                      v = readl(ss->base + SS_IV0 + i * 4);
+-                      *(u32 *)(areq->iv + i * 4) = v;
++              if (mode & SS_DECRYPTION) {
++                      memcpy(areq->iv, backup_iv, ivsize);
++                      kfree_sensitive(backup_iv);
++              } else {
++                      scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize,
++                                               ivsize, 0);
+               }
+       }
+@@ -160,6 +171,7 @@ static int sun4i_ss_cipher_poll(struct s
+       unsigned int ileft = areq->cryptlen;
+       unsigned int oleft = areq->cryptlen;
+       unsigned int todo;
++      void *backup_iv = NULL;
+       struct sg_mapping_iter mi, mo;
+       unsigned long pi = 0, po = 0; /* progress for in and out */
+       bool miter_err;
+@@ -202,6 +214,13 @@ static int sun4i_ss_cipher_poll(struct s
+       if (no_chunk == 1)
+               return sun4i_ss_opti_poll(areq);
++      if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) {
++              backup_iv = kzalloc(ivsize, GFP_KERNEL);
++              if (!backup_iv)
++                      return -ENOMEM;
++              scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0);
++      }
++
+       spin_lock_irqsave(&ss->slock, flags);
+       for (i = 0; i < op->keylen; i += 4)
+@@ -330,9 +349,12 @@ static int sun4i_ss_cipher_poll(struct s
+               sg_miter_stop(&mo);
+       }
+       if (areq->iv) {
+-              for (i = 0; i < 4 && i < ivsize / 4; i++) {
+-                      v = readl(ss->base + SS_IV0 + i * 4);
+-                      *(u32 *)(areq->iv + i * 4) = v;
++              if (mode & SS_DECRYPTION) {
++                      memcpy(areq->iv, backup_iv, ivsize);
++                      kfree_sensitive(backup_iv);
++              } else {
++                      scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize,
++                                               ivsize, 0);
+               }
+       }
diff --git a/queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch b/queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch
new file mode 100644 (file)
index 0000000..4d06270
--- /dev/null
@@ -0,0 +1,50 @@
+From 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Tue, 9 Feb 2021 16:26:12 +0600
+Subject: drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e upstream.
+
+syzbot found WARNING in qp_broker_alloc[1] in qp_host_alloc_queue()
+when num_pages is 0x100001, giving queue_size + queue_page_size
+bigger than KMALLOC_MAX_SIZE for kzalloc(), resulting order >= MAX_ORDER
+condition.
+
+queue_size + queue_page_size=0x8000d8, where KMALLOC_MAX_SIZE=0x400000.
+
+[1]
+Call Trace:
+ alloc_pages include/linux/gfp.h:547 [inline]
+ kmalloc_order+0x40/0x130 mm/slab_common.c:837
+ kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853
+ kmalloc_large include/linux/slab.h:481 [inline]
+ __kmalloc+0x257/0x330 mm/slub.c:3959
+ kmalloc include/linux/slab.h:557 [inline]
+ kzalloc include/linux/slab.h:682 [inline]
+ qp_host_alloc_queue drivers/misc/vmw_vmci/vmci_queue_pair.c:540 [inline]
+ qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline]
+ qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739
+
+Reported-by: syzbot+15ec7391f3d6a1a7cc7d@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Link: https://lore.kernel.org/r/20210209102612.2112247-1-snovitoll@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -639,6 +639,9 @@ static struct vmci_queue *qp_host_alloc_
+       queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
++      if (queue_size + queue_page_size > KMALLOC_MAX_SIZE)
++              return NULL;
++
+       queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
+       if (queue) {
+               queue->q_header = NULL;
diff --git a/queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch b/queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch
new file mode 100644 (file)
index 0000000..a9293c5
--- /dev/null
@@ -0,0 +1,67 @@
+From 88f38846bfb1a452a3d47e38aeab20a4ceb74294 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Tue, 16 Feb 2021 11:41:54 -0800
+Subject: HID: wacom: Ignore attempts to overwrite the touch_max value from HID
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 88f38846bfb1a452a3d47e38aeab20a4ceb74294 upstream.
+
+The `wacom_feature_mapping` function is careful to only set the the
+touch_max value a single time, but this care does not extend to the
+`wacom_wac_finger_event` function. In particular, if a device sends
+multiple HID_DG_CONTACTMAX items in a single feature report, the
+driver will end up retaining the value of last item.
+
+The HID descriptor for the Cintiq Companion 2 does exactly this. It
+incorrectly sets a "Report Count" of 2, which will cause the driver
+to process two HID_DG_CONTACTCOUNT items. The first item has the actual
+count, while the second item should have been declared as a constant
+zero. The constant zero is the value the driver ends up using, however,
+since it is the last HID_DG_CONTACTCOUNT in the report.
+
+    Report ID (16),
+    Usage (Contact Count Maximum),  ; Contact count maximum (55h, static value)
+    Report Count (2),
+    Logical Maximum (10),
+    Feature (Variable),
+
+To address this, we add a check that the touch_max is not already set
+within the `wacom_wac_finger_event` function that processes the
+HID_DG_TOUCHMAX item. We emit a warning if the value is set and ignore
+the updated value.
+
+This could potentially cause problems if there is a tablet which has
+a similar issue but requires the last item to be used. This is unlikely,
+however, since it would have to have a different non-zero value for
+HID_DG_CONTACTMAX earlier in the same report, which makes no sense
+except in the case of a firmware bug. Note that cases where the
+HID_DG_CONTACTMAX items are in different reports is already handled
+(and similarly ignored) by `wacom_feature_mapping` as mentioned above.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/223
+Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2452,7 +2452,12 @@ static void wacom_wac_finger_event(struc
+               wacom_wac->hid_data.tipswitch = value;
+               break;
+       case HID_DG_CONTACTMAX:
+-              features->touch_max = value;
++              if (!features->touch_max) {
++                      features->touch_max = value;
++              } else {
++                      hid_warn(hdev, "%s: ignoring attempt to overwrite non-zero touch_max "
++                               "%d -> %d\n", __func__, features->touch_max, value);
++              }
+               return;
+       }
diff --git a/queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch b/queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch
new file mode 100644 (file)
index 0000000..bfc9cd8
--- /dev/null
@@ -0,0 +1,41 @@
+From b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 Mon Sep 17 00:00:00 2001
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+Date: Fri, 19 Feb 2021 10:37:13 -0800
+Subject: Input: i8042 - add ASUS Zenbook Flip to noselftest list
+
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+
+commit b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 upstream.
+
+After commit 77b425399f6d ("Input: i8042 - use chassis info to skip
+selftest on Asus laptops"), all modern Asus laptops have the i8042
+selftest disabled. It has done by using chassys type "10" (laptop).
+
+The Asus Zenbook Flip suffers from similar suspend/resume issues, but
+it _sometimes_ work and sometimes it doesn't. Setting noselftest makes
+it work reliably. In this case, we need to add chassis type "31"
+(convertible) in order to avoid selftest in this device.
+
+Reported-by: Ludvig Norgren Guldhag <ludvigng@gmail.com>
+Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
+Link: https://lore.kernel.org/r/20210219164638.761-1-mpdesouza@suse.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -592,6 +592,10 @@ static const struct dmi_system_id i8042_
+                       DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+                       DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */
+               },
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++                      DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */
++              },
+       },
+       { }
+ };
diff --git a/queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch b/queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch
new file mode 100644 (file)
index 0000000..f7243aa
--- /dev/null
@@ -0,0 +1,53 @@
+From 182d679b2298d62bf42bb14b12a8067b8e17b617 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 17 Feb 2021 12:21:10 -0800
+Subject: Input: joydev - prevent potential read overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream.
+
+The problem here is that "len" might be less than "joydev->nabs" so the
+loops which verfy abspam[i] and keypam[] might read beyond the buffer.
+
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda
+[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP]
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joydev.c |    7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -460,7 +460,7 @@ static int joydev_handle_JSIOCSAXMAP(str
+       if (IS_ERR(abspam))
+               return PTR_ERR(abspam);
+-      for (i = 0; i < joydev->nabs; i++) {
++      for (i = 0; i < len && i < joydev->nabs; i++) {
+               if (abspam[i] > ABS_MAX) {
+                       retval = -EINVAL;
+                       goto out;
+@@ -484,6 +484,9 @@ static int joydev_handle_JSIOCSBTNMAP(st
+       int i;
+       int retval = 0;
++      if (len % sizeof(*keypam))
++              return -EINVAL;
++
+       len = min(len, sizeof(joydev->keypam));
+       /* Validate the map. */
+@@ -491,7 +494,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
+       if (IS_ERR(keypam))
+               return PTR_ERR(keypam);
+-      for (i = 0; i < joydev->nkey; i++) {
++      for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
+               if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
+                       retval = -EINVAL;
+                       goto out;
diff --git a/queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch b/queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch
new file mode 100644 (file)
index 0000000..7c5c947
--- /dev/null
@@ -0,0 +1,40 @@
+From fafd320ae51b9c72d371585b2501f86640ea7b7d Mon Sep 17 00:00:00 2001
+From: "jeffrey.lin" <jeffrey.lin@rad-ic.com>
+Date: Tue, 15 Dec 2020 10:50:12 -0800
+Subject: Input: raydium_ts_i2c - do not send zero length
+
+From: jeffrey.lin <jeffrey.lin@rad-ic.com>
+
+commit fafd320ae51b9c72d371585b2501f86640ea7b7d upstream.
+
+Add default write command package to prevent i2c quirk error of zero
+data length as Raydium touch firmware update is executed.
+
+Signed-off-by: jeffrey.lin <jeffrey.lin@rad-ic.com>
+Link: https://lore.kernel.org/r/1608031217-7247-1-git-send-email-jeffrey.lin@raydium.corp-partner.google.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/raydium_i2c_ts.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/raydium_i2c_ts.c
++++ b/drivers/input/touchscreen/raydium_i2c_ts.c
+@@ -419,6 +419,7 @@ static int raydium_i2c_write_object(stru
+                                   enum raydium_bl_ack state)
+ {
+       int error;
++      static const u8 cmd[] = { 0xFF, 0x39 };
+       error = raydium_i2c_send(client, RM_CMD_BOOT_WRT, data, len);
+       if (error) {
+@@ -427,7 +428,7 @@ static int raydium_i2c_write_object(stru
+               return error;
+       }
+-      error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, NULL, 0);
++      error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, cmd, sizeof(cmd));
+       if (error) {
+               dev_err(&client->dev, "Ack obj command failed: %d\n", error);
+               return error;
diff --git a/queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch b/queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch
new file mode 100644 (file)
index 0000000..487a3ba
--- /dev/null
@@ -0,0 +1,31 @@
+From 42ffcd1dba1796bcda386eb6f260df9fc23c90af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Olivier=20Cr=C3=AAte?= <olivier.crete@ocrete.ca>
+Date: Fri, 5 Feb 2021 11:59:08 -0800
+Subject: Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Olivier Crête <olivier.crete@ocrete.ca>
+
+commit 42ffcd1dba1796bcda386eb6f260df9fc23c90af upstream.
+
+Signed-off-by: Olivier Crête <olivier.crete@ocrete.ca>
+Link: https://lore.kernel.org/r/20210204005318.615647-1-olivier.crete@collabora.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -322,6 +322,7 @@ static const struct xpad_device {
+       { 0x1bad, 0xfd00, "Razer Onza TE", 0, XTYPE_XBOX360 },
+       { 0x1bad, 0xfd01, "Razer Onza", 0, XTYPE_XBOX360 },
+       { 0x20d6, 0x2001, "BDA Xbox Series X Wired Controller", 0, XTYPE_XBOXONE },
++      { 0x20d6, 0x2009, "PowerA Enhanced Wired Controller for Xbox Series X|S", 0, XTYPE_XBOXONE },
+       { 0x20d6, 0x281f, "PowerA Wired Controller For Xbox 360", 0, XTYPE_XBOX360 },
+       { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE },
+       { 0x24c6, 0x5000, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
diff --git a/queue-4.14/keys-trusted-fix-migratable-1-failing.patch b/queue-4.14/keys-trusted-fix-migratable-1-failing.patch
new file mode 100644 (file)
index 0000000..3c2cf36
--- /dev/null
@@ -0,0 +1,46 @@
+From 8da7520c80468c48f981f0b81fc1be6599e3b0ad Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Fri, 29 Jan 2021 01:56:20 +0200
+Subject: KEYS: trusted: Fix migratable=1 failing
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream.
+
+Consider the following transcript:
+
+$ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u
+add_key: Invalid argument
+
+The documentation has the following description:
+
+  migratable=   0|1 indicating permission to reseal to new PCR values,
+                default 1 (resealing allowed)
+
+The consequence is that "migratable=1" should succeed. Fix this by
+allowing this condition to pass instead of return -EINVAL.
+
+[*] Documentation/security/keys/trusted-encrypted.rst
+
+Cc: stable@vger.kernel.org
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: David Howells <dhowells@redhat.com>
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -797,7 +797,7 @@ static int getoptions(char *c, struct tr
+               case Opt_migratable:
+                       if (*args[0].from == '0')
+                               pay->migratable = 0;
+-                      else
++                      else if (*args[0].from != '1')
+                               return -EINVAL;
+                       break;
+               case Opt_pcrlock:
diff --git a/queue-4.14/seccomp-add-missing-return-in-non-void-function.patch b/queue-4.14/seccomp-add-missing-return-in-non-void-function.patch
new file mode 100644 (file)
index 0000000..a44bcb9
--- /dev/null
@@ -0,0 +1,34 @@
+From 04b38d012556199ba4c31195940160e0c44c64f0 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 11 Jan 2021 17:28:39 +0000
+Subject: seccomp: Add missing return in non-void function
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 04b38d012556199ba4c31195940160e0c44c64f0 upstream.
+
+We don't actually care about the value, since the kernel will panic
+before that; but a value should nonetheless be returned, otherwise the
+compiler will complain.
+
+Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210111172839.640914-1-paul@crapouillou.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/seccomp.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -775,6 +775,8 @@ static int __seccomp_filter(int this_sys
+                           const bool recheck_after_trace)
+ {
+       BUG();
++
++      return -1;
+ }
+ #endif
index df009b8901e00940da7f20bec6902e4092e3c6b2..ff96a866e0cede28de5acdca4f7dd273f24614c8 100644 (file)
@@ -118,3 +118,29 @@ arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch
 i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch
 mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch
 scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch
+blk-settings-align-max_sectors-on-logical_block_size-boundary.patch
+acpi-property-fix-fwnode-string-properties-matching.patch
+acpi-configfs-add-missing-check-after-configfs_register_default_group.patch
+hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch
+input-raydium_ts_i2c-do-not-send-zero-length.patch
+input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch
+input-joydev-prevent-potential-read-overflow-in-ioctl.patch
+input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch
+usb-serial-option-update-interface-mapping-for-zte-p685m.patch
+usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch
+usb-serial-mos7840-fix-error-code-in-mos7840_write.patch
+usb-serial-mos7720-fix-error-code-in-mos7720_write.patch
+usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch
+usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch
+alsa-hda-realtek-modify-eapd-in-the-alc886.patch
+tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch
+keys-trusted-fix-migratable-1-failing.patch
+btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch
+btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch
+btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch
+crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch
+crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch
+crypto-sun4i-ss-handle-bigendian-for-cipher.patch
+seccomp-add-missing-return-in-non-void-function.patch
+drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch
+staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch
diff --git a/queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch b/queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch
new file mode 100644 (file)
index 0000000..4456c71
--- /dev/null
@@ -0,0 +1,30 @@
+From 7a8d2f1908a59003e55ef8691d09efb7fbc51625 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Thu, 4 Feb 2021 09:52:17 +0100
+Subject: staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 7a8d2f1908a59003e55ef8691d09efb7fbc51625 upstream.
+
+The Edimax EW-7811UN V2 uses an RTL8188EU chipset and works with this
+driver.
+
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210204085217.9743-1-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -49,6 +49,7 @@ static const struct usb_device_id rtw_us
+       {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
+       {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */
+       {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
++      {USB_DEVICE(0x7392, 0xb811)}, /* Edimax EW-7811UN V2 */
+       {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+       {}      /* Terminating entry */
+ };
diff --git a/queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch b/queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch
new file mode 100644 (file)
index 0000000..2ca9174
--- /dev/null
@@ -0,0 +1,41 @@
+From 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Thu, 1 Oct 2020 11:09:21 -0700
+Subject: tpm_tis: Fix check_locality for correct locality acquisition
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 upstream.
+
+The TPM TIS specification says the TPM signals the acquisition of locality
+when the TMP_ACCESS_REQUEST_USE bit goes to one *and* the
+TPM_ACCESS_REQUEST_USE bit goes to zero.  Currently we only check the
+former not the latter, so check both.  Adding the check on
+TPM_ACCESS_REQUEST_USE should fix the case where the locality is
+re-requested before the TPM has released it.  In this case the locality may
+get released briefly before it is reacquired, which causes all sorts of
+problems. However, with the added check, TPM_ACCESS_REQUEST_USE should
+remain 1 until the second request for the locality is granted.
+
+Cc: stable@ger.kernel.org
+Fixes: 27084efee0c3 ("[PATCH] tpm: driver for next generation TPM chips")
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -68,7 +68,8 @@ static bool check_locality(struct tpm_ch
+       if (rc < 0)
+               return false;
+-      if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) ==
++      if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID
++                     | TPM_ACCESS_REQUEST_USE)) ==
+           (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) {
+               priv->locality = l;
+               return true;
diff --git a/queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch b/queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch
new file mode 100644 (file)
index 0000000..3ee49af
--- /dev/null
@@ -0,0 +1,41 @@
+From 4b049f55ed95cd889bcdb3034fd75e1f01852b38 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Mon, 8 Feb 2021 13:53:16 -0800
+Subject: usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 4b049f55ed95cd889bcdb3034fd75e1f01852b38 upstream.
+
+The dep->interval captures the number of frames/microframes per interval
+from bInterval. Fullspeed interrupt endpoint bInterval is the number of
+frames per interval and not 2^(bInterval - 1). So fix it here. This
+change is only for debugging purpose and should not affect the interrupt
+endpoint operation.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/1263b563dedc4ab8b0fb854fba06ce4bc56bd495.1612820995.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -616,8 +616,13 @@ static int dwc3_gadget_set_ep_config(str
+               if (dwc->gadget.speed == USB_SPEED_FULL)
+                       bInterval_m1 = 0;
++              if (usb_endpoint_type(desc) == USB_ENDPOINT_XFER_INT &&
++                  dwc->gadget.speed == USB_SPEED_FULL)
++                      dep->interval = desc->bInterval;
++              else
++                      dep->interval = 1 << (desc->bInterval - 1);
++
+               params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1);
+-              dep->interval = 1 << (desc->bInterval - 1);
+       }
+       return dwc3_send_gadget_ep_cmd(dep, DWC3_DEPCMD_SETEPCONFIG, &params);
diff --git a/queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch b/queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch
new file mode 100644 (file)
index 0000000..f6aea72
--- /dev/null
@@ -0,0 +1,43 @@
+From a1679af85b2ae35a2b78ad04c18bb069c37330cc Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Mon, 8 Feb 2021 13:53:10 -0800
+Subject: usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit a1679af85b2ae35a2b78ad04c18bb069c37330cc upstream.
+
+Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it must be set
+to 0 when the controller operates in full-speed. See the programming
+guide for DEPCFG command section 3.2.2.1 (v3.30a).
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/3f57026f993c0ce71498dbb06e49b3a47c4d0265.1612820995.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -606,7 +606,17 @@ static int dwc3_gadget_set_ep_config(str
+               params.param0 |= DWC3_DEPCFG_FIFO_NUMBER(dep->number >> 1);
+       if (desc->bInterval) {
+-              params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(desc->bInterval - 1);
++              u8 bInterval_m1;
++
++              /*
++               * Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it
++               * must be set to 0 when the controller operates in full-speed.
++               */
++              bInterval_m1 = min_t(u8, desc->bInterval - 1, 13);
++              if (dwc->gadget.speed == USB_SPEED_FULL)
++                      bInterval_m1 = 0;
++
++              params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1);
+               dep->interval = 1 << (desc->bInterval - 1);
+       }
diff --git a/queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch b/queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch
new file mode 100644 (file)
index 0000000..6688d2a
--- /dev/null
@@ -0,0 +1,88 @@
+From 0eaa1a3714db34a59ce121de5733c3909c529463 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sat, 23 Jan 2021 14:24:59 +0000
+Subject: usb: musb: Fix runtime PM race in musb_queue_resume_work
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 0eaa1a3714db34a59ce121de5733c3909c529463 upstream.
+
+musb_queue_resume_work() would call the provided callback if the runtime
+PM status was 'active'. Otherwise, it would enqueue the request if the
+hardware was still suspended (musb->is_runtime_suspended is true).
+
+This causes a race with the runtime PM handlers, as it is possible to be
+in the case where the runtime PM status is not yet 'active', but the
+hardware has been awaken (PM resume function has been called).
+
+When hitting the race, the resume work was not enqueued, which probably
+triggered other bugs further down the stack. For instance, a telnet
+connection on Ingenic SoCs would result in a 50/50 chance of a
+segmentation fault somewhere in the musb code.
+
+Rework the code so that either we call the callback directly if
+(musb->is_runtime_suspended == 0), or enqueue the query otherwise.
+
+Fixes: ea2f35c01d5e ("usb: musb: Fix sleeping function called from invalid context for hdrc glue")
+Cc: stable@vger.kernel.org # v4.9+
+Tested-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Link: https://lore.kernel.org/r/20210123142502.16980-1-paul@crapouillou.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_core.c |   31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -2104,32 +2104,35 @@ int musb_queue_resume_work(struct musb *
+ {
+       struct musb_pending_work *w;
+       unsigned long flags;
++      bool is_suspended;
+       int error;
+       if (WARN_ON(!callback))
+               return -EINVAL;
+-      if (pm_runtime_active(musb->controller))
+-              return callback(musb, data);
++      spin_lock_irqsave(&musb->list_lock, flags);
++      is_suspended = musb->is_runtime_suspended;
+-      w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC);
+-      if (!w)
+-              return -ENOMEM;
++      if (is_suspended) {
++              w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC);
++              if (!w) {
++                      error = -ENOMEM;
++                      goto out_unlock;
++              }
++
++              w->callback = callback;
++              w->data = data;
+-      w->callback = callback;
+-      w->data = data;
+-      spin_lock_irqsave(&musb->list_lock, flags);
+-      if (musb->is_runtime_suspended) {
+               list_add_tail(&w->node, &musb->pending_list);
+               error = 0;
+-      } else {
+-              dev_err(musb->controller, "could not add resume work %p\n",
+-                      callback);
+-              devm_kfree(musb->controller, w);
+-              error = -EINPROGRESS;
+       }
++
++out_unlock:
+       spin_unlock_irqrestore(&musb->list_lock, flags);
++      if (!is_suspended)
++              error = callback(musb, data);
++
+       return error;
+ }
+ EXPORT_SYMBOL_GPL(musb_queue_resume_work);
diff --git a/queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch b/queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch
new file mode 100644 (file)
index 0000000..10ec2b4
--- /dev/null
@@ -0,0 +1,35 @@
+From fea7372cbc40869876df0f045e367f6f97a1666c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Jan 2021 12:35:23 +0300
+Subject: USB: serial: mos7720: fix error code in mos7720_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit fea7372cbc40869876df0f045e367f6f97a1666c upstream.
+
+This code should return -ENOMEM if the kmalloc() fails but instead
+it returns success.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7720.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1252,8 +1252,10 @@ static int mos7720_write(struct tty_stru
+       if (urb->transfer_buffer == NULL) {
+               urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+                                              GFP_ATOMIC);
+-              if (!urb->transfer_buffer)
++              if (!urb->transfer_buffer) {
++                      bytes_sent = -ENOMEM;
+                       goto exit;
++              }
+       }
+       transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE);
diff --git a/queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch b/queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch
new file mode 100644 (file)
index 0000000..ee70eb7
--- /dev/null
@@ -0,0 +1,34 @@
+From a70aa7dc60099bbdcbd6faca42a915d80f31161e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 26 Jan 2021 13:26:54 +0300
+Subject: USB: serial: mos7840: fix error code in mos7840_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a70aa7dc60099bbdcbd6faca42a915d80f31161e upstream.
+
+This should return -ENOMEM instead of 0 if the kmalloc() fails.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7840.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1352,8 +1352,10 @@ static int mos7840_write(struct tty_stru
+       if (urb->transfer_buffer == NULL) {
+               urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+                                              GFP_ATOMIC);
+-              if (!urb->transfer_buffer)
++              if (!urb->transfer_buffer) {
++                      bytes_sent = -ENOMEM;
+                       goto exit;
++              }
+       }
+       transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE);
diff --git a/queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch b/queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch
new file mode 100644 (file)
index 0000000..69b129a
--- /dev/null
@@ -0,0 +1,78 @@
+From 6420a569504e212d618d4a4736e2c59ed80a8478 Mon Sep 17 00:00:00 2001
+From: Lech Perczak <lech.perczak@gmail.com>
+Date: Sun, 7 Feb 2021 01:54:43 +0100
+Subject: USB: serial: option: update interface mapping for ZTE P685M
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lech Perczak <lech.perczak@gmail.com>
+
+commit 6420a569504e212d618d4a4736e2c59ed80a8478 upstream.
+
+This patch prepares for qmi_wwan driver support for the device.
+Previously "option" driver mapped itself to interfaces 0 and 3 (matching
+ff/ff/ff), while interface 3 is in fact a QMI port.
+Interfaces 1 and 2 (matching ff/00/00) expose AT commands,
+and weren't supported previously at all.
+Without this patch, a possible conflict would exist if device ID was
+added to qmi_wwan driver for interface 3.
+
+Update and simplify device ID to match interfaces 0-2 directly,
+to expose QCDM (0), PCUI (1), and modem (2) ports and avoid conflict
+with QMI (3), and ADB (4).
+
+The modem is used inside ZTE MF283+ router and carriers identify it as
+such.
+Interface mapping is:
+0: QCDM, 1: AT (PCUI), 2: AT (Modem), 3: QMI, 4: ADB
+
+T:  Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#=  3 Spd=480  MxCh= 0
+D:  Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=19d2 ProdID=1275 Rev=f0.00
+S:  Manufacturer=ZTE,Incorporated
+S:  Product=ZTE Technologies MSM
+S:  SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=83(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=87(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E:  Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E:  Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
+Link: https://lore.kernel.org/r/20210207005443.12936-1-lech.perczak@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1572,7 +1572,8 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1274, 0xff, 0xff, 0xff) },
+-      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1275, 0xff, 0xff, 0xff) },
++      { USB_DEVICE(ZTE_VENDOR_ID, 0x1275),    /* ZTE P685M */
++        .driver_info = RSVD(3) | RSVD(4) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1276, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1277, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1278, 0xff, 0xff, 0xff) },