--- /dev/null
+From 67e40054de86aae520ddc2a072d7f6951812a14f Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Fri, 15 Jan 2021 10:22:50 +0800
+Subject: ACPI: configfs: add missing check after configfs_register_default_group()
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 67e40054de86aae520ddc2a072d7f6951812a14f upstream.
+
+A list_add corruption is reported by Hulk Robot like this:
+==============
+list_add corruption.
+Call Trace:
+link_obj+0xc0/0x1c0
+link_group+0x21/0x140
+configfs_register_subsystem+0xdb/0x380
+acpi_configfs_init+0x25/0x1000 [acpi_configfs]
+do_one_initcall+0x149/0x820
+do_init_module+0x1ef/0x720
+load_module+0x35c8/0x4380
+__do_sys_finit_module+0x10d/0x1a0
+do_syscall_64+0x34/0x80
+
+It's because of the missing check after configfs_register_default_group,
+where configfs_unregister_subsystem should be called once failure.
+
+Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Suggested-by: Hanjun Guo <guohanjun@huawei.com>
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Cc: 4.10+ <stable@vger.kernel.org> # 4.10+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/acpi_configfs.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/acpi/acpi_configfs.c
++++ b/drivers/acpi/acpi_configfs.c
+@@ -269,7 +269,12 @@ static int __init acpi_configfs_init(voi
+
+ acpi_table_group = configfs_register_default_group(root, "table",
+ &acpi_tables_type);
+- return PTR_ERR_OR_ZERO(acpi_table_group);
++ if (IS_ERR(acpi_table_group)) {
++ configfs_unregister_subsystem(&acpi_configfs);
++ return PTR_ERR(acpi_table_group);
++ }
++
++ return 0;
+ }
+ module_init(acpi_configfs_init);
+
--- /dev/null
+From e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 11 Feb 2021 19:30:01 +0100
+Subject: ACPI: property: Fix fwnode string properties matching
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 upstream.
+
+Property matching does not work for ACPI fwnodes if the value of the
+given property is not represented as a package in the _DSD package
+containing it. For example, the "compatible" property in the _DSD
+below
+
+ Name (_DSD, Package () {
+ ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"),
+ Package () {
+ Package () {"compatible", "ethernet-phy-ieee802.3-c45"}
+ }
+ })
+
+will not be found by fwnode_property_match_string(), because the ACPI
+code handling device properties does not regard the single value as a
+"list" in that case.
+
+Namely, fwnode_property_match_string() invoked to match a given
+string property value first calls fwnode_property_read_string_array()
+with the last two arguments equal to NULL and 0, respectively, in
+order to count the items in the value of the given property, with the
+assumption that this value may be an array. For ACPI fwnodes, that
+operation is carried out by acpi_node_prop_read() which calls
+acpi_data_prop_read() for this purpose. However, when the return
+(val) pointer is NULL, that function only looks for a property whose
+value is a package without checking the single-value case at all.
+
+To fix that, make acpi_data_prop_read() check the single-value
+case if its return pointer argument is NULL and modify
+acpi_data_prop_read_single() handling that case to attempt to
+read the value of the property if the return pointer is NULL
+and return 1 if that succeeds.
+
+Fixes: 3708184afc77 ("device property: Move FW type specific functionality to FW specific files")
+Reported-by: Calvin Johnson <calvin.johnson@oss.nxp.com>
+Cc: 4.13+ <stable@vger.kernel.org> # 4.13+
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Sakari Ailus <sakari.ailus@linux.intel.com>
+Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
+Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/acpi/property.c | 44 +++++++++++++++++++++++++++++++++-----------
+ 1 file changed, 33 insertions(+), 11 deletions(-)
+
+--- a/drivers/acpi/property.c
++++ b/drivers/acpi/property.c
+@@ -688,9 +688,6 @@ static int acpi_data_prop_read_single(co
+ const union acpi_object *obj;
+ int ret;
+
+- if (!val)
+- return -EINVAL;
+-
+ if (proptype >= DEV_PROP_U8 && proptype <= DEV_PROP_U64) {
+ ret = acpi_data_get_property(data, propname, ACPI_TYPE_INTEGER, &obj);
+ if (ret)
+@@ -700,28 +697,43 @@ static int acpi_data_prop_read_single(co
+ case DEV_PROP_U8:
+ if (obj->integer.value > U8_MAX)
+ return -EOVERFLOW;
+- *(u8 *)val = obj->integer.value;
++
++ if (val)
++ *(u8 *)val = obj->integer.value;
++
+ break;
+ case DEV_PROP_U16:
+ if (obj->integer.value > U16_MAX)
+ return -EOVERFLOW;
+- *(u16 *)val = obj->integer.value;
++
++ if (val)
++ *(u16 *)val = obj->integer.value;
++
+ break;
+ case DEV_PROP_U32:
+ if (obj->integer.value > U32_MAX)
+ return -EOVERFLOW;
+- *(u32 *)val = obj->integer.value;
++
++ if (val)
++ *(u32 *)val = obj->integer.value;
++
+ break;
+ default:
+- *(u64 *)val = obj->integer.value;
++ if (val)
++ *(u64 *)val = obj->integer.value;
++
+ break;
+ }
++
++ if (!val)
++ return 1;
+ } else if (proptype == DEV_PROP_STRING) {
+ ret = acpi_data_get_property(data, propname, ACPI_TYPE_STRING, &obj);
+ if (ret)
+ return ret;
+
+- *(char **)val = obj->string.pointer;
++ if (val)
++ *(char **)val = obj->string.pointer;
+
+ return 1;
+ } else {
+@@ -735,7 +747,7 @@ int acpi_dev_prop_read_single(struct acp
+ {
+ int ret;
+
+- if (!adev)
++ if (!adev || !val)
+ return -EINVAL;
+
+ ret = acpi_data_prop_read_single(&adev->data, propname, proptype, val);
+@@ -829,10 +841,20 @@ static int acpi_data_prop_read(const str
+ const union acpi_object *items;
+ int ret;
+
+- if (val && nval == 1) {
++ if (nval == 1 || !val) {
+ ret = acpi_data_prop_read_single(data, propname, proptype, val);
+- if (ret >= 0)
++ /*
++ * The overflow error means that the property is there and it is
++ * single-value, but its type does not match, so return.
++ */
++ if (ret >= 0 || ret == -EOVERFLOW)
+ return ret;
++
++ /*
++ * Reading this property as a single-value one failed, but its
++ * value may still be represented as one-element array, so
++ * continue.
++ */
+ }
+
+ ret = acpi_data_get_property_array(data, propname, ACPI_TYPE_ANY, &obj);
--- /dev/null
+From 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 Mon Sep 17 00:00:00 2001
+From: PeiSen Hou <pshou@realtek.com>
+Date: Tue, 2 Feb 2021 10:30:22 +0100
+Subject: ALSA: hda/realtek: modify EAPD in the ALC886
+
+From: PeiSen Hou <pshou@realtek.com>
+
+commit 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 upstream.
+
+Modify 0x20 index 7 bit 5 to 1, make the 0x15 EAPD the same as 0x14.
+
+Signed-off-by: PeiSen Hou <pshou@realtek.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/e62c5058957f48d8b8953e97135ff108@realtek.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -1792,6 +1792,7 @@ enum {
+ ALC889_FIXUP_FRONT_HP_NO_PRESENCE,
+ ALC889_FIXUP_VAIO_TT,
+ ALC888_FIXUP_EEE1601,
++ ALC886_FIXUP_EAPD,
+ ALC882_FIXUP_EAPD,
+ ALC883_FIXUP_EAPD,
+ ALC883_FIXUP_ACER_EAPD,
+@@ -2100,6 +2101,15 @@ static const struct hda_fixup alc882_fix
+ { }
+ }
+ },
++ [ALC886_FIXUP_EAPD] = {
++ .type = HDA_FIXUP_VERBS,
++ .v.verbs = (const struct hda_verb[]) {
++ /* change to EAPD mode */
++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x07 },
++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0068 },
++ { }
++ }
++ },
+ [ALC882_FIXUP_EAPD] = {
+ .type = HDA_FIXUP_VERBS,
+ .v.verbs = (const struct hda_verb[]) {
+@@ -2340,6 +2350,7 @@ static const struct snd_pci_quirk alc882
+ SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF),
+
+ SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD),
++ SND_PCI_QUIRK(0x13fe, 0x1009, "Advantech MIT-W101", ALC886_FIXUP_EAPD),
+ SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE),
+ SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS),
+ SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD),
--- /dev/null
+From 97f433c3601a24d3513d06f575a389a2ca4e11e4 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 23 Feb 2021 19:25:30 -0700
+Subject: blk-settings: align max_sectors on "logical_block_size" boundary
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 97f433c3601a24d3513d06f575a389a2ca4e11e4 upstream.
+
+We get I/O errors when we run md-raid1 on the top of dm-integrity on the
+top of ramdisk.
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1
+device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8048, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8147, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8246, 0xff
+device-mapper: integrity: Bio not aligned on 8 sectors: 0x8345, 0xbb
+
+The ramdisk device has logical_block_size 512 and max_sectors 255. The
+dm-integrity device uses logical_block_size 4096 and it doesn't affect the
+"max_sectors" value - thus, it inherits 255 from the ramdisk. So, we have
+a device with max_sectors not aligned on logical_block_size.
+
+The md-raid device sees that the underlying leg has max_sectors 255 and it
+will split the bios on 255-sector boundary, making the bios unaligned on
+logical_block_size.
+
+In order to fix the bug, we round down max_sectors to logical_block_size.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Ming Lei <ming.lei@redhat.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ block/blk-settings.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/block/blk-settings.c
++++ b/block/blk-settings.c
+@@ -513,6 +513,14 @@ void blk_queue_io_opt(struct request_que
+ }
+ EXPORT_SYMBOL(blk_queue_io_opt);
+
++static unsigned int blk_round_down_sectors(unsigned int sectors, unsigned int lbs)
++{
++ sectors = round_down(sectors, lbs >> SECTOR_SHIFT);
++ if (sectors < PAGE_SIZE >> SECTOR_SHIFT)
++ sectors = PAGE_SIZE >> SECTOR_SHIFT;
++ return sectors;
++}
++
+ /**
+ * blk_queue_stack_limits - inherit underlying queue limits for stacked drivers
+ * @t: the stacking driver (top)
+@@ -639,6 +647,10 @@ int blk_stack_limits(struct queue_limits
+ ret = -1;
+ }
+
++ t->max_sectors = blk_round_down_sectors(t->max_sectors, t->logical_block_size);
++ t->max_hw_sectors = blk_round_down_sectors(t->max_hw_sectors, t->logical_block_size);
++ t->max_dev_sectors = blk_round_down_sectors(t->max_dev_sectors, t->logical_block_size);
++
+ /* Discard alignment and granularity */
+ if (b->discard_granularity) {
+ alignment = queue_limit_discard_alignment(b, start);
--- /dev/null
+From 867ed321f90d06aaba84e2c91de51cd3038825ef Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Thu, 14 Jan 2021 14:02:46 -0500
+Subject: btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit 867ed321f90d06aaba84e2c91de51cd3038825ef upstream.
+
+While testing my error handling patches, I added a error injection site
+at btrfs_inc_extent_ref, to validate the error handling I added was
+doing the correct thing. However I hit a pretty ugly corruption while
+doing this check, with the following error injection stack trace:
+
+btrfs_inc_extent_ref
+ btrfs_copy_root
+ create_reloc_root
+ btrfs_init_reloc_root
+ btrfs_record_root_in_trans
+ btrfs_start_transaction
+ btrfs_update_inode
+ btrfs_update_time
+ touch_atime
+ file_accessed
+ btrfs_file_mmap
+
+This is because we do not catch the error from btrfs_inc_extent_ref,
+which in practice would be ENOMEM, which means we lose the extent
+references for a root that has already been allocated and inserted,
+which is the problem. Fix this by aborting the transaction if we fail
+to do the reference modification.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -282,9 +282,10 @@ int btrfs_copy_root(struct btrfs_trans_h
+ ret = btrfs_inc_ref(trans, root, cow, 1);
+ else
+ ret = btrfs_inc_ref(trans, root, cow, 0);
+-
+- if (ret)
++ if (ret) {
++ btrfs_abort_transaction(trans, ret);
+ return ret;
++ }
+
+ btrfs_mark_buffer_dirty(cow);
+ *cow_ret = cow;
--- /dev/null
+From 72c9925f87c8b74f36f8e75a4cd93d964538d3ca Mon Sep 17 00:00:00 2001
+From: Filipe Manana <fdmanana@suse.com>
+Date: Thu, 4 Feb 2021 14:35:44 +0000
+Subject: btrfs: fix extent buffer leak on failure to copy root
+
+From: Filipe Manana <fdmanana@suse.com>
+
+commit 72c9925f87c8b74f36f8e75a4cd93d964538d3ca upstream.
+
+At btrfs_copy_root(), if the call to btrfs_inc_ref() fails we end up
+returning without unlocking and releasing our reference on the extent
+buffer named "cow" we previously allocated with btrfs_alloc_tree_block().
+
+So fix that by unlocking the extent buffer and dropping our reference on
+it before returning.
+
+Fixes: be20aa9dbadc8c ("Btrfs: Add mount option to turn off data cow")
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ctree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/btrfs/ctree.c
++++ b/fs/btrfs/ctree.c
+@@ -283,6 +283,8 @@ int btrfs_copy_root(struct btrfs_trans_h
+ else
+ ret = btrfs_inc_ref(trans, root, cow, 0);
+ if (ret) {
++ btrfs_tree_unlock(cow);
++ free_extent_buffer(cow);
+ btrfs_abort_transaction(trans, ret);
+ return ret;
+ }
--- /dev/null
+From c78a10aebb275c38d0cfccae129a803fe622e305 Mon Sep 17 00:00:00 2001
+From: Josef Bacik <josef@toxicpanda.com>
+Date: Thu, 14 Jan 2021 14:02:42 -0500
+Subject: btrfs: fix reloc root leak with 0 ref reloc roots on recovery
+
+From: Josef Bacik <josef@toxicpanda.com>
+
+commit c78a10aebb275c38d0cfccae129a803fe622e305 upstream.
+
+When recovering a relocation, if we run into a reloc root that has 0
+refs we simply add it to the reloc_control->reloc_roots list, and then
+clean it up later. The problem with this is __del_reloc_root() doesn't
+do anything if the root isn't in the radix tree, which in this case it
+won't be because we never call __add_reloc_root() on the reloc_root.
+
+This exit condition simply isn't correct really. During normal
+operation we can remove ourselves from the rb tree and then we're meant
+to clean up later at merge_reloc_roots() time, and this happens
+correctly. During recovery we're depending on free_reloc_roots() to
+drop our references, but we're short-circuiting.
+
+Fix this by continuing to check if we're on the list and dropping
+ourselves from the reloc_control root list and dropping our reference
+appropriately. Change the corresponding BUG_ON() to an ASSERT() that
+does the correct thing if we aren't in the rb tree.
+
+CC: stable@vger.kernel.org # 4.4+
+Signed-off-by: Josef Bacik <josef@toxicpanda.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/relocation.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -1344,9 +1344,7 @@ static void __del_reloc_root(struct btrf
+ RB_CLEAR_NODE(&node->rb_node);
+ }
+ spin_unlock(&rc->reloc_root_tree.lock);
+- if (!node)
+- return;
+- BUG_ON((struct btrfs_root *)node->data != root);
++ ASSERT(!node || (struct btrfs_root *)node->data == root);
+ }
+
+ spin_lock(&fs_info->trans_lock);
--- /dev/null
+From 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:26 +0000
+Subject: crypto: sun4i-ss - checking sg length is not sufficient
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf upstream.
+
+The optimized cipher function need length multiple of 4 bytes.
+But it get sometimes odd length.
+This is due to SG data could be stored with an offset.
+
+So the fix is to check also if the offset is aligned with 4 bytes.
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -189,12 +189,12 @@ static int sun4i_ss_cipher_poll(struct s
+ * we can use the SS optimized function
+ */
+ while (in_sg && no_chunk == 1) {
+- if (in_sg->length % 4)
++ if ((in_sg->length | in_sg->offset) & 3u)
+ no_chunk = 0;
+ in_sg = sg_next(in_sg);
+ }
+ while (out_sg && no_chunk == 1) {
+- if (out_sg->length % 4)
++ if ((out_sg->length | out_sg->offset) & 3u)
+ no_chunk = 0;
+ out_sg = sg_next(out_sg);
+ }
--- /dev/null
+From 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:28 +0000
+Subject: crypto: sun4i-ss - handle BigEndian for cipher
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 upstream.
+
+Ciphers produce invalid results on BE.
+Key and IV need to be written in LE.
+
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -63,13 +63,13 @@ static int sun4i_ss_opti_poll(struct skc
+
+ spin_lock_irqsave(&ss->slock, flags);
+
+- for (i = 0; i < op->keylen; i += 4)
+- writel(*(op->key + i / 4), ss->base + SS_KEY0 + i);
++ for (i = 0; i < op->keylen / 4; i++)
++ writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1);
+
+ if (areq->iv) {
+ for (i = 0; i < 4 && i < ivsize / 4; i++) {
+ v = *(u32 *)(areq->iv + i * 4);
+- writel(v, ss->base + SS_IV0 + i * 4);
++ writesl(ss->base + SS_IV0 + i * 4, &v, 1);
+ }
+ }
+ writel(mode, ss->base + SS_CTL);
+@@ -223,13 +223,13 @@ static int sun4i_ss_cipher_poll(struct s
+
+ spin_lock_irqsave(&ss->slock, flags);
+
+- for (i = 0; i < op->keylen; i += 4)
+- writel(*(op->key + i / 4), ss->base + SS_KEY0 + i);
++ for (i = 0; i < op->keylen / 4; i++)
++ writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1);
+
+ if (areq->iv) {
+ for (i = 0; i < 4 && i < ivsize / 4; i++) {
+ v = *(u32 *)(areq->iv + i * 4);
+- writel(v, ss->base + SS_IV0 + i * 4);
++ writesl(ss->base + SS_IV0 + i * 4, &v, 1);
+ }
+ }
+ writel(mode, ss->base + SS_CTL);
--- /dev/null
+From b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 Mon Sep 17 00:00:00 2001
+From: Corentin Labbe <clabbe@baylibre.com>
+Date: Mon, 14 Dec 2020 20:02:27 +0000
+Subject: crypto: sun4i-ss - IV register does not work on A10 and A13
+
+From: Corentin Labbe <clabbe@baylibre.com>
+
+commit b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 upstream.
+
+Allwinner A10 and A13 SoC have a version of the SS which produce
+invalid IV in IVx register.
+
+Instead of adding a variant for those, let's convert SS to produce IV
+directly from data.
+Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 34 ++++++++++++++++++++++++------
+ 1 file changed, 28 insertions(+), 6 deletions(-)
+
+--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c
+@@ -24,6 +24,7 @@ static int sun4i_ss_opti_poll(struct skc
+ unsigned int ivsize = crypto_skcipher_ivsize(tfm);
+ struct sun4i_cipher_req_ctx *ctx = skcipher_request_ctx(areq);
+ u32 mode = ctx->mode;
++ void *backup_iv = NULL;
+ /* when activating SS, the default FIFO space is SS_RX_DEFAULT(32) */
+ u32 rx_cnt = SS_RX_DEFAULT;
+ u32 tx_cnt = 0;
+@@ -53,6 +54,13 @@ static int sun4i_ss_opti_poll(struct skc
+ return -EINVAL;
+ }
+
++ if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) {
++ backup_iv = kzalloc(ivsize, GFP_KERNEL);
++ if (!backup_iv)
++ return -ENOMEM;
++ scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0);
++ }
++
+ spin_lock_irqsave(&ss->slock, flags);
+
+ for (i = 0; i < op->keylen; i += 4)
+@@ -126,9 +134,12 @@ static int sun4i_ss_opti_poll(struct skc
+ } while (oleft);
+
+ if (areq->iv) {
+- for (i = 0; i < 4 && i < ivsize / 4; i++) {
+- v = readl(ss->base + SS_IV0 + i * 4);
+- *(u32 *)(areq->iv + i * 4) = v;
++ if (mode & SS_DECRYPTION) {
++ memcpy(areq->iv, backup_iv, ivsize);
++ kfree_sensitive(backup_iv);
++ } else {
++ scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize,
++ ivsize, 0);
+ }
+ }
+
+@@ -160,6 +171,7 @@ static int sun4i_ss_cipher_poll(struct s
+ unsigned int ileft = areq->cryptlen;
+ unsigned int oleft = areq->cryptlen;
+ unsigned int todo;
++ void *backup_iv = NULL;
+ struct sg_mapping_iter mi, mo;
+ unsigned long pi = 0, po = 0; /* progress for in and out */
+ bool miter_err;
+@@ -202,6 +214,13 @@ static int sun4i_ss_cipher_poll(struct s
+ if (no_chunk == 1)
+ return sun4i_ss_opti_poll(areq);
+
++ if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) {
++ backup_iv = kzalloc(ivsize, GFP_KERNEL);
++ if (!backup_iv)
++ return -ENOMEM;
++ scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0);
++ }
++
+ spin_lock_irqsave(&ss->slock, flags);
+
+ for (i = 0; i < op->keylen; i += 4)
+@@ -330,9 +349,12 @@ static int sun4i_ss_cipher_poll(struct s
+ sg_miter_stop(&mo);
+ }
+ if (areq->iv) {
+- for (i = 0; i < 4 && i < ivsize / 4; i++) {
+- v = readl(ss->base + SS_IV0 + i * 4);
+- *(u32 *)(areq->iv + i * 4) = v;
++ if (mode & SS_DECRYPTION) {
++ memcpy(areq->iv, backup_iv, ivsize);
++ kfree_sensitive(backup_iv);
++ } else {
++ scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize,
++ ivsize, 0);
+ }
+ }
+
--- /dev/null
+From 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e Mon Sep 17 00:00:00 2001
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Date: Tue, 9 Feb 2021 16:26:12 +0600
+Subject: drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue
+
+From: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+
+commit 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e upstream.
+
+syzbot found WARNING in qp_broker_alloc[1] in qp_host_alloc_queue()
+when num_pages is 0x100001, giving queue_size + queue_page_size
+bigger than KMALLOC_MAX_SIZE for kzalloc(), resulting order >= MAX_ORDER
+condition.
+
+queue_size + queue_page_size=0x8000d8, where KMALLOC_MAX_SIZE=0x400000.
+
+[1]
+Call Trace:
+ alloc_pages include/linux/gfp.h:547 [inline]
+ kmalloc_order+0x40/0x130 mm/slab_common.c:837
+ kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853
+ kmalloc_large include/linux/slab.h:481 [inline]
+ __kmalloc+0x257/0x330 mm/slub.c:3959
+ kmalloc include/linux/slab.h:557 [inline]
+ kzalloc include/linux/slab.h:682 [inline]
+ qp_host_alloc_queue drivers/misc/vmw_vmci/vmci_queue_pair.c:540 [inline]
+ qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline]
+ qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739
+
+Reported-by: syzbot+15ec7391f3d6a1a7cc7d@syzkaller.appspotmail.com
+Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
+Link: https://lore.kernel.org/r/20210209102612.2112247-1-snovitoll@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/vmw_vmci/vmci_queue_pair.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c
++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c
+@@ -639,6 +639,9 @@ static struct vmci_queue *qp_host_alloc_
+
+ queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page);
+
++ if (queue_size + queue_page_size > KMALLOC_MAX_SIZE)
++ return NULL;
++
+ queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL);
+ if (queue) {
+ queue->q_header = NULL;
--- /dev/null
+From 88f38846bfb1a452a3d47e38aeab20a4ceb74294 Mon Sep 17 00:00:00 2001
+From: Jason Gerecke <killertofu@gmail.com>
+Date: Tue, 16 Feb 2021 11:41:54 -0800
+Subject: HID: wacom: Ignore attempts to overwrite the touch_max value from HID
+
+From: Jason Gerecke <killertofu@gmail.com>
+
+commit 88f38846bfb1a452a3d47e38aeab20a4ceb74294 upstream.
+
+The `wacom_feature_mapping` function is careful to only set the the
+touch_max value a single time, but this care does not extend to the
+`wacom_wac_finger_event` function. In particular, if a device sends
+multiple HID_DG_CONTACTMAX items in a single feature report, the
+driver will end up retaining the value of last item.
+
+The HID descriptor for the Cintiq Companion 2 does exactly this. It
+incorrectly sets a "Report Count" of 2, which will cause the driver
+to process two HID_DG_CONTACTCOUNT items. The first item has the actual
+count, while the second item should have been declared as a constant
+zero. The constant zero is the value the driver ends up using, however,
+since it is the last HID_DG_CONTACTCOUNT in the report.
+
+ Report ID (16),
+ Usage (Contact Count Maximum), ; Contact count maximum (55h, static value)
+ Report Count (2),
+ Logical Maximum (10),
+ Feature (Variable),
+
+To address this, we add a check that the touch_max is not already set
+within the `wacom_wac_finger_event` function that processes the
+HID_DG_TOUCHMAX item. We emit a warning if the value is set and ignore
+the updated value.
+
+This could potentially cause problems if there is a tablet which has
+a similar issue but requires the last item to be used. This is unlikely,
+however, since it would have to have a different non-zero value for
+HID_DG_CONTACTMAX earlier in the same report, which makes no sense
+except in the case of a firmware bug. Note that cases where the
+HID_DG_CONTACTMAX items are in different reports is already handled
+(and similarly ignored) by `wacom_feature_mapping` as mentioned above.
+
+Link: https://github.com/linuxwacom/input-wacom/issues/223
+Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report")
+Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
+CC: stable@vger.kernel.org
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/wacom_wac.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/hid/wacom_wac.c
++++ b/drivers/hid/wacom_wac.c
+@@ -2452,7 +2452,12 @@ static void wacom_wac_finger_event(struc
+ wacom_wac->hid_data.tipswitch = value;
+ break;
+ case HID_DG_CONTACTMAX:
+- features->touch_max = value;
++ if (!features->touch_max) {
++ features->touch_max = value;
++ } else {
++ hid_warn(hdev, "%s: ignoring attempt to overwrite non-zero touch_max "
++ "%d -> %d\n", __func__, features->touch_max, value);
++ }
+ return;
+ }
+
--- /dev/null
+From b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 Mon Sep 17 00:00:00 2001
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+Date: Fri, 19 Feb 2021 10:37:13 -0800
+Subject: Input: i8042 - add ASUS Zenbook Flip to noselftest list
+
+From: Marcos Paulo de Souza <mpdesouza@suse.com>
+
+commit b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 upstream.
+
+After commit 77b425399f6d ("Input: i8042 - use chassis info to skip
+selftest on Asus laptops"), all modern Asus laptops have the i8042
+selftest disabled. It has done by using chassys type "10" (laptop).
+
+The Asus Zenbook Flip suffers from similar suspend/resume issues, but
+it _sometimes_ work and sometimes it doesn't. Setting noselftest makes
+it work reliably. In this case, we need to add chassis type "31"
+(convertible) in order to avoid selftest in this device.
+
+Reported-by: Ludvig Norgren Guldhag <ludvigng@gmail.com>
+Signed-off-by: Marcos Paulo de Souza <mpdesouza@suse.com>
+Link: https://lore.kernel.org/r/20210219164638.761-1-mpdesouza@suse.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/serio/i8042-x86ia64io.h | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -592,6 +592,10 @@ static const struct dmi_system_id i8042_
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */
+ },
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
++ DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */
++ },
+ },
+ { }
+ };
--- /dev/null
+From 182d679b2298d62bf42bb14b12a8067b8e17b617 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 17 Feb 2021 12:21:10 -0800
+Subject: Input: joydev - prevent potential read overflow in ioctl
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream.
+
+The problem here is that "len" might be less than "joydev->nabs" so the
+loops which verfy abspam[i] and keypam[] might read beyond the buffer.
+
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda
+[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP]
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joydev.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -460,7 +460,7 @@ static int joydev_handle_JSIOCSAXMAP(str
+ if (IS_ERR(abspam))
+ return PTR_ERR(abspam);
+
+- for (i = 0; i < joydev->nabs; i++) {
++ for (i = 0; i < len && i < joydev->nabs; i++) {
+ if (abspam[i] > ABS_MAX) {
+ retval = -EINVAL;
+ goto out;
+@@ -484,6 +484,9 @@ static int joydev_handle_JSIOCSBTNMAP(st
+ int i;
+ int retval = 0;
+
++ if (len % sizeof(*keypam))
++ return -EINVAL;
++
+ len = min(len, sizeof(joydev->keypam));
+
+ /* Validate the map. */
+@@ -491,7 +494,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
+ if (IS_ERR(keypam))
+ return PTR_ERR(keypam);
+
+- for (i = 0; i < joydev->nkey; i++) {
++ for (i = 0; i < (len / 2) && i < joydev->nkey; i++) {
+ if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) {
+ retval = -EINVAL;
+ goto out;
--- /dev/null
+From fafd320ae51b9c72d371585b2501f86640ea7b7d Mon Sep 17 00:00:00 2001
+From: "jeffrey.lin" <jeffrey.lin@rad-ic.com>
+Date: Tue, 15 Dec 2020 10:50:12 -0800
+Subject: Input: raydium_ts_i2c - do not send zero length
+
+From: jeffrey.lin <jeffrey.lin@rad-ic.com>
+
+commit fafd320ae51b9c72d371585b2501f86640ea7b7d upstream.
+
+Add default write command package to prevent i2c quirk error of zero
+data length as Raydium touch firmware update is executed.
+
+Signed-off-by: jeffrey.lin <jeffrey.lin@rad-ic.com>
+Link: https://lore.kernel.org/r/1608031217-7247-1-git-send-email-jeffrey.lin@raydium.corp-partner.google.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/raydium_i2c_ts.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/raydium_i2c_ts.c
++++ b/drivers/input/touchscreen/raydium_i2c_ts.c
+@@ -419,6 +419,7 @@ static int raydium_i2c_write_object(stru
+ enum raydium_bl_ack state)
+ {
+ int error;
++ static const u8 cmd[] = { 0xFF, 0x39 };
+
+ error = raydium_i2c_send(client, RM_CMD_BOOT_WRT, data, len);
+ if (error) {
+@@ -427,7 +428,7 @@ static int raydium_i2c_write_object(stru
+ return error;
+ }
+
+- error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, NULL, 0);
++ error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, cmd, sizeof(cmd));
+ if (error) {
+ dev_err(&client->dev, "Ack obj command failed: %d\n", error);
+ return error;
--- /dev/null
+From 42ffcd1dba1796bcda386eb6f260df9fc23c90af Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Olivier=20Cr=C3=AAte?= <olivier.crete@ocrete.ca>
+Date: Fri, 5 Feb 2021 11:59:08 -0800
+Subject: Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Olivier Crête <olivier.crete@ocrete.ca>
+
+commit 42ffcd1dba1796bcda386eb6f260df9fc23c90af upstream.
+
+Signed-off-by: Olivier Crête <olivier.crete@ocrete.ca>
+Link: https://lore.kernel.org/r/20210204005318.615647-1-olivier.crete@collabora.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -322,6 +322,7 @@ static const struct xpad_device {
+ { 0x1bad, 0xfd00, "Razer Onza TE", 0, XTYPE_XBOX360 },
+ { 0x1bad, 0xfd01, "Razer Onza", 0, XTYPE_XBOX360 },
+ { 0x20d6, 0x2001, "BDA Xbox Series X Wired Controller", 0, XTYPE_XBOXONE },
++ { 0x20d6, 0x2009, "PowerA Enhanced Wired Controller for Xbox Series X|S", 0, XTYPE_XBOXONE },
+ { 0x20d6, 0x281f, "PowerA Wired Controller For Xbox 360", 0, XTYPE_XBOX360 },
+ { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE },
+ { 0x24c6, 0x5000, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
--- /dev/null
+From 8da7520c80468c48f981f0b81fc1be6599e3b0ad Mon Sep 17 00:00:00 2001
+From: Jarkko Sakkinen <jarkko@kernel.org>
+Date: Fri, 29 Jan 2021 01:56:20 +0200
+Subject: KEYS: trusted: Fix migratable=1 failing
+
+From: Jarkko Sakkinen <jarkko@kernel.org>
+
+commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream.
+
+Consider the following transcript:
+
+$ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u
+add_key: Invalid argument
+
+The documentation has the following description:
+
+ migratable= 0|1 indicating permission to reseal to new PCR values,
+ default 1 (resealing allowed)
+
+The consequence is that "migratable=1" should succeed. Fix this by
+allowing this condition to pass instead of return -EINVAL.
+
+[*] Documentation/security/keys/trusted-encrypted.rst
+
+Cc: stable@vger.kernel.org
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: Mimi Zohar <zohar@linux.ibm.com>
+Cc: David Howells <dhowells@redhat.com>
+Fixes: d00a1c72f7f4 ("keys: add new trusted key-type")
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ security/keys/trusted.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/security/keys/trusted.c
++++ b/security/keys/trusted.c
+@@ -797,7 +797,7 @@ static int getoptions(char *c, struct tr
+ case Opt_migratable:
+ if (*args[0].from == '0')
+ pay->migratable = 0;
+- else
++ else if (*args[0].from != '1')
+ return -EINVAL;
+ break;
+ case Opt_pcrlock:
--- /dev/null
+From 04b38d012556199ba4c31195940160e0c44c64f0 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Mon, 11 Jan 2021 17:28:39 +0000
+Subject: seccomp: Add missing return in non-void function
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 04b38d012556199ba4c31195940160e0c44c64f0 upstream.
+
+We don't actually care about the value, since the kernel will panic
+before that; but a value should nonetheless be returned, otherwise the
+compiler will complain.
+
+Fixes: 8112c4f140fa ("seccomp: remove 2-phase API")
+Cc: stable@vger.kernel.org # 4.7+
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Link: https://lore.kernel.org/r/20210111172839.640914-1-paul@crapouillou.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/seccomp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/seccomp.c
++++ b/kernel/seccomp.c
+@@ -775,6 +775,8 @@ static int __seccomp_filter(int this_sys
+ const bool recheck_after_trace)
+ {
+ BUG();
++
++ return -1;
+ }
+ #endif
+
i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch
mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch
scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch
+blk-settings-align-max_sectors-on-logical_block_size-boundary.patch
+acpi-property-fix-fwnode-string-properties-matching.patch
+acpi-configfs-add-missing-check-after-configfs_register_default_group.patch
+hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch
+input-raydium_ts_i2c-do-not-send-zero-length.patch
+input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch
+input-joydev-prevent-potential-read-overflow-in-ioctl.patch
+input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch
+usb-serial-option-update-interface-mapping-for-zte-p685m.patch
+usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch
+usb-serial-mos7840-fix-error-code-in-mos7840_write.patch
+usb-serial-mos7720-fix-error-code-in-mos7720_write.patch
+usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch
+usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch
+alsa-hda-realtek-modify-eapd-in-the-alc886.patch
+tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch
+keys-trusted-fix-migratable-1-failing.patch
+btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch
+btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch
+btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch
+crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch
+crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch
+crypto-sun4i-ss-handle-bigendian-for-cipher.patch
+seccomp-add-missing-return-in-non-void-function.patch
+drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch
+staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch
--- /dev/null
+From 7a8d2f1908a59003e55ef8691d09efb7fbc51625 Mon Sep 17 00:00:00 2001
+From: Martin Kaiser <martin@kaiser.cx>
+Date: Thu, 4 Feb 2021 09:52:17 +0100
+Subject: staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table
+
+From: Martin Kaiser <martin@kaiser.cx>
+
+commit 7a8d2f1908a59003e55ef8691d09efb7fbc51625 upstream.
+
+The Edimax EW-7811UN V2 uses an RTL8188EU chipset and works with this
+driver.
+
+Signed-off-by: Martin Kaiser <martin@kaiser.cx>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210204085217.9743-1-martin@kaiser.cx
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c
++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c
+@@ -49,6 +49,7 @@ static const struct usb_device_id rtw_us
+ {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */
+ {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */
+ {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */
++ {USB_DEVICE(0x7392, 0xb811)}, /* Edimax EW-7811UN V2 */
+ {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */
+ {} /* Terminating entry */
+ };
--- /dev/null
+From 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 Mon Sep 17 00:00:00 2001
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+Date: Thu, 1 Oct 2020 11:09:21 -0700
+Subject: tpm_tis: Fix check_locality for correct locality acquisition
+
+From: James Bottomley <James.Bottomley@HansenPartnership.com>
+
+commit 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 upstream.
+
+The TPM TIS specification says the TPM signals the acquisition of locality
+when the TMP_ACCESS_REQUEST_USE bit goes to one *and* the
+TPM_ACCESS_REQUEST_USE bit goes to zero. Currently we only check the
+former not the latter, so check both. Adding the check on
+TPM_ACCESS_REQUEST_USE should fix the case where the locality is
+re-requested before the TPM has released it. In this case the locality may
+get released briefly before it is reacquired, which causes all sorts of
+problems. However, with the added check, TPM_ACCESS_REQUEST_USE should
+remain 1 until the second request for the locality is granted.
+
+Cc: stable@ger.kernel.org
+Fixes: 27084efee0c3 ("[PATCH] tpm: driver for next generation TPM chips")
+Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
+Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
+Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/tpm/tpm_tis_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/tpm/tpm_tis_core.c
++++ b/drivers/char/tpm/tpm_tis_core.c
+@@ -68,7 +68,8 @@ static bool check_locality(struct tpm_ch
+ if (rc < 0)
+ return false;
+
+- if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) ==
++ if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID
++ | TPM_ACCESS_REQUEST_USE)) ==
+ (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) {
+ priv->locality = l;
+ return true;
--- /dev/null
+From 4b049f55ed95cd889bcdb3034fd75e1f01852b38 Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Mon, 8 Feb 2021 13:53:16 -0800
+Subject: usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit 4b049f55ed95cd889bcdb3034fd75e1f01852b38 upstream.
+
+The dep->interval captures the number of frames/microframes per interval
+from bInterval. Fullspeed interrupt endpoint bInterval is the number of
+frames per interval and not 2^(bInterval - 1). So fix it here. This
+change is only for debugging purpose and should not affect the interrupt
+endpoint operation.
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/1263b563dedc4ab8b0fb854fba06ce4bc56bd495.1612820995.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -616,8 +616,13 @@ static int dwc3_gadget_set_ep_config(str
+ if (dwc->gadget.speed == USB_SPEED_FULL)
+ bInterval_m1 = 0;
+
++ if (usb_endpoint_type(desc) == USB_ENDPOINT_XFER_INT &&
++ dwc->gadget.speed == USB_SPEED_FULL)
++ dep->interval = desc->bInterval;
++ else
++ dep->interval = 1 << (desc->bInterval - 1);
++
+ params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1);
+- dep->interval = 1 << (desc->bInterval - 1);
+ }
+
+ return dwc3_send_gadget_ep_cmd(dep, DWC3_DEPCMD_SETEPCONFIG, ¶ms);
--- /dev/null
+From a1679af85b2ae35a2b78ad04c18bb069c37330cc Mon Sep 17 00:00:00 2001
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Date: Mon, 8 Feb 2021 13:53:10 -0800
+Subject: usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1
+
+From: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+
+commit a1679af85b2ae35a2b78ad04c18bb069c37330cc upstream.
+
+Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it must be set
+to 0 when the controller operates in full-speed. See the programming
+guide for DEPCFG command section 3.2.2.1 (v3.30a).
+
+Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
+Link: https://lore.kernel.org/r/3f57026f993c0ce71498dbb06e49b3a47c4d0265.1612820995.git.Thinh.Nguyen@synopsys.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -606,7 +606,17 @@ static int dwc3_gadget_set_ep_config(str
+ params.param0 |= DWC3_DEPCFG_FIFO_NUMBER(dep->number >> 1);
+
+ if (desc->bInterval) {
+- params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(desc->bInterval - 1);
++ u8 bInterval_m1;
++
++ /*
++ * Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it
++ * must be set to 0 when the controller operates in full-speed.
++ */
++ bInterval_m1 = min_t(u8, desc->bInterval - 1, 13);
++ if (dwc->gadget.speed == USB_SPEED_FULL)
++ bInterval_m1 = 0;
++
++ params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1);
+ dep->interval = 1 << (desc->bInterval - 1);
+ }
+
--- /dev/null
+From 0eaa1a3714db34a59ce121de5733c3909c529463 Mon Sep 17 00:00:00 2001
+From: Paul Cercueil <paul@crapouillou.net>
+Date: Sat, 23 Jan 2021 14:24:59 +0000
+Subject: usb: musb: Fix runtime PM race in musb_queue_resume_work
+
+From: Paul Cercueil <paul@crapouillou.net>
+
+commit 0eaa1a3714db34a59ce121de5733c3909c529463 upstream.
+
+musb_queue_resume_work() would call the provided callback if the runtime
+PM status was 'active'. Otherwise, it would enqueue the request if the
+hardware was still suspended (musb->is_runtime_suspended is true).
+
+This causes a race with the runtime PM handlers, as it is possible to be
+in the case where the runtime PM status is not yet 'active', but the
+hardware has been awaken (PM resume function has been called).
+
+When hitting the race, the resume work was not enqueued, which probably
+triggered other bugs further down the stack. For instance, a telnet
+connection on Ingenic SoCs would result in a 50/50 chance of a
+segmentation fault somewhere in the musb code.
+
+Rework the code so that either we call the callback directly if
+(musb->is_runtime_suspended == 0), or enqueue the query otherwise.
+
+Fixes: ea2f35c01d5e ("usb: musb: Fix sleeping function called from invalid context for hdrc glue")
+Cc: stable@vger.kernel.org # v4.9+
+Tested-by: Tony Lindgren <tony@atomide.com>
+Reviewed-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Paul Cercueil <paul@crapouillou.net>
+Link: https://lore.kernel.org/r/20210123142502.16980-1-paul@crapouillou.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_core.c | 31 +++++++++++++++++--------------
+ 1 file changed, 17 insertions(+), 14 deletions(-)
+
+--- a/drivers/usb/musb/musb_core.c
++++ b/drivers/usb/musb/musb_core.c
+@@ -2104,32 +2104,35 @@ int musb_queue_resume_work(struct musb *
+ {
+ struct musb_pending_work *w;
+ unsigned long flags;
++ bool is_suspended;
+ int error;
+
+ if (WARN_ON(!callback))
+ return -EINVAL;
+
+- if (pm_runtime_active(musb->controller))
+- return callback(musb, data);
++ spin_lock_irqsave(&musb->list_lock, flags);
++ is_suspended = musb->is_runtime_suspended;
+
+- w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC);
+- if (!w)
+- return -ENOMEM;
++ if (is_suspended) {
++ w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC);
++ if (!w) {
++ error = -ENOMEM;
++ goto out_unlock;
++ }
++
++ w->callback = callback;
++ w->data = data;
+
+- w->callback = callback;
+- w->data = data;
+- spin_lock_irqsave(&musb->list_lock, flags);
+- if (musb->is_runtime_suspended) {
+ list_add_tail(&w->node, &musb->pending_list);
+ error = 0;
+- } else {
+- dev_err(musb->controller, "could not add resume work %p\n",
+- callback);
+- devm_kfree(musb->controller, w);
+- error = -EINPROGRESS;
+ }
++
++out_unlock:
+ spin_unlock_irqrestore(&musb->list_lock, flags);
+
++ if (!is_suspended)
++ error = callback(musb, data);
++
+ return error;
+ }
+ EXPORT_SYMBOL_GPL(musb_queue_resume_work);
--- /dev/null
+From fea7372cbc40869876df0f045e367f6f97a1666c Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Thu, 28 Jan 2021 12:35:23 +0300
+Subject: USB: serial: mos7720: fix error code in mos7720_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit fea7372cbc40869876df0f045e367f6f97a1666c upstream.
+
+This code should return -ENOMEM if the kmalloc() fails but instead
+it returns success.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7720.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7720.c
++++ b/drivers/usb/serial/mos7720.c
+@@ -1252,8 +1252,10 @@ static int mos7720_write(struct tty_stru
+ if (urb->transfer_buffer == NULL) {
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+ GFP_ATOMIC);
+- if (!urb->transfer_buffer)
++ if (!urb->transfer_buffer) {
++ bytes_sent = -ENOMEM;
+ goto exit;
++ }
+ }
+ transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE);
+
--- /dev/null
+From a70aa7dc60099bbdcbd6faca42a915d80f31161e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 26 Jan 2021 13:26:54 +0300
+Subject: USB: serial: mos7840: fix error code in mos7840_write()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit a70aa7dc60099bbdcbd6faca42a915d80f31161e upstream.
+
+This should return -ENOMEM instead of 0 if the kmalloc() fails.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/mos7840.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1352,8 +1352,10 @@ static int mos7840_write(struct tty_stru
+ if (urb->transfer_buffer == NULL) {
+ urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE,
+ GFP_ATOMIC);
+- if (!urb->transfer_buffer)
++ if (!urb->transfer_buffer) {
++ bytes_sent = -ENOMEM;
+ goto exit;
++ }
+ }
+ transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE);
+
--- /dev/null
+From 6420a569504e212d618d4a4736e2c59ed80a8478 Mon Sep 17 00:00:00 2001
+From: Lech Perczak <lech.perczak@gmail.com>
+Date: Sun, 7 Feb 2021 01:54:43 +0100
+Subject: USB: serial: option: update interface mapping for ZTE P685M
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lech Perczak <lech.perczak@gmail.com>
+
+commit 6420a569504e212d618d4a4736e2c59ed80a8478 upstream.
+
+This patch prepares for qmi_wwan driver support for the device.
+Previously "option" driver mapped itself to interfaces 0 and 3 (matching
+ff/ff/ff), while interface 3 is in fact a QMI port.
+Interfaces 1 and 2 (matching ff/00/00) expose AT commands,
+and weren't supported previously at all.
+Without this patch, a possible conflict would exist if device ID was
+added to qmi_wwan driver for interface 3.
+
+Update and simplify device ID to match interfaces 0-2 directly,
+to expose QCDM (0), PCUI (1), and modem (2) ports and avoid conflict
+with QMI (3), and ADB (4).
+
+The modem is used inside ZTE MF283+ router and carriers identify it as
+such.
+Interface mapping is:
+0: QCDM, 1: AT (PCUI), 2: AT (Modem), 3: QMI, 4: ADB
+
+T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=19d2 ProdID=1275 Rev=f0.00
+S: Manufacturer=ZTE,Incorporated
+S: Product=ZTE Technologies MSM
+S: SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0
+C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=87(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
+E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
+
+Cc: Johan Hovold <johan@kernel.org>
+Cc: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Lech Perczak <lech.perczak@gmail.com>
+Link: https://lore.kernel.org/r/20210207005443.12936-1-lech.perczak@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1572,7 +1572,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1274, 0xff, 0xff, 0xff) },
+- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1275, 0xff, 0xff, 0xff) },
++ { USB_DEVICE(ZTE_VENDOR_ID, 0x1275), /* ZTE P685M */
++ .driver_info = RSVD(3) | RSVD(4) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1276, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1277, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1278, 0xff, 0xff, 0xff) },