4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Feb 2022 11:27:58 +0000 (12:27 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 13 Feb 2022 11:27:58 +0000 (12:27 +0100)
added patches:
bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch
hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
usb-gadget-validate-interface-os-descriptor-requests.patch
usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
usb-serial-cp210x-add-ncr-retail-io-box-id.patch
usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
usb-serial-option-add-zte-mf286d-modem.patch
vt_ioctl-add-array_index_nospec-to-vt_activate.patch
vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch

14 files changed:
queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch [new file with mode: 0644]
queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch [new file with mode: 0644]
queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch [new file with mode: 0644]
queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch [new file with mode: 0644]
queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch [new file with mode: 0644]
queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch [new file with mode: 0644]
queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch [new file with mode: 0644]
queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch [new file with mode: 0644]
queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch [new file with mode: 0644]
queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch [new file with mode: 0644]
queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch [new file with mode: 0644]
queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch [new file with mode: 0644]

diff --git a/queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch b/queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch
new file mode 100644 (file)
index 0000000..4ff1bf6
--- /dev/null
@@ -0,0 +1,148 @@
+From 08389d888287c3823f80b0216766b71e17f0aba5 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Tue, 11 May 2021 22:35:17 +0200
+Subject: bpf: Add kconfig knob for disabling unpriv bpf by default
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream.
+
+Add a kconfig knob which allows for unprivileged bpf to be disabled by default.
+If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2.
+
+This still allows a transition of 2 -> {0,1} through an admin. Similarly,
+this also still keeps 1 -> {1} behavior intact, so that once set to permanently
+disabled, it cannot be undone aside from a reboot.
+
+We've also added extra2 with max of 2 for the procfs handler, so that an admin
+still has a chance to toggle between 0 <-> 2.
+
+Either way, as an additional alternative, applications can make use of CAP_BPF
+that we added a while ago.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net
+[fllinden@amazon.com: backported to 4.9]
+Signed-off-by: Frank van der Linden <fllinden@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/sysctl/kernel.txt |   21 +++++++++++++++++++++
+ init/Kconfig                    |   10 ++++++++++
+ kernel/bpf/syscall.c            |    3 ++-
+ kernel/sysctl.c                 |   29 +++++++++++++++++++++++++----
+ 4 files changed, 58 insertions(+), 5 deletions(-)
+
+--- a/Documentation/sysctl/kernel.txt
++++ b/Documentation/sysctl/kernel.txt
+@@ -90,6 +90,7 @@ show up in /proc/sys/kernel:
+ - sysctl_writes_strict
+ - tainted
+ - threads-max
++- unprivileged_bpf_disabled
+ - unknown_nmi_panic
+ - watchdog
+ - watchdog_thresh
+@@ -995,6 +996,26 @@ available RAM pages threads-max is reduc
+ ==============================================================
++unprivileged_bpf_disabled:
++
++Writing 1 to this entry will disable unprivileged calls to bpf();
++once disabled, calling bpf() without CAP_SYS_ADMIN will return
++-EPERM. Once set to 1, this can't be cleared from the running kernel
++anymore.
++
++Writing 2 to this entry will also disable unprivileged calls to bpf(),
++however, an admin can still change this setting later on, if needed, by
++writing 0 or 1 to this entry.
++
++If BPF_UNPRIV_DEFAULT_OFF is enabled in the kernel config, then this
++entry will default to 2 instead of 0.
++
++  0 - Unprivileged calls to bpf() are enabled
++  1 - Unprivileged calls to bpf() are disabled without recovery
++  2 - Unprivileged calls to bpf() are disabled
++
++==============================================================
++
+ unknown_nmi_panic:
+ The value in this file affects behavior of handling NMI. When the
+--- a/init/Kconfig
++++ b/init/Kconfig
+@@ -1645,6 +1645,16 @@ config ADVISE_SYSCALLS
+         applications use these syscalls, you can disable this option to save
+         space.
++config BPF_UNPRIV_DEFAULT_OFF
++      bool "Disable unprivileged BPF by default"
++      depends on BPF_SYSCALL
++      help
++        Disables unprivileged BPF by default by setting the corresponding
++        /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can
++        still reenable it by setting it to 0 later on, or permanently
++        disable it by setting it to 1 (from which no other transition to
++        0 is possible anymore).
++
+ config USERFAULTFD
+       bool "Enable userfaultfd() system call"
+       select ANON_INODES
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -22,7 +22,8 @@
+ DEFINE_PER_CPU(int, bpf_prog_active);
+-int sysctl_unprivileged_bpf_disabled __read_mostly;
++int sysctl_unprivileged_bpf_disabled __read_mostly =
++      IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0;
+ static LIST_HEAD(bpf_map_types);
+--- a/kernel/sysctl.c
++++ b/kernel/sysctl.c
+@@ -221,6 +221,28 @@ static int sysrq_sysctl_handler(struct c
+ #endif
++#ifdef CONFIG_BPF_SYSCALL
++static int bpf_unpriv_handler(struct ctl_table *table, int write,
++                             void *buffer, size_t *lenp, loff_t *ppos)
++{
++      int ret, unpriv_enable = *(int *)table->data;
++      bool locked_state = unpriv_enable == 1;
++      struct ctl_table tmp = *table;
++
++      if (write && !capable(CAP_SYS_ADMIN))
++              return -EPERM;
++
++      tmp.data = &unpriv_enable;
++      ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos);
++      if (write && !ret) {
++              if (locked_state && unpriv_enable != 1)
++                      return -EPERM;
++              *(int *)table->data = unpriv_enable;
++      }
++      return ret;
++}
++#endif
++
+ static struct ctl_table kern_table[];
+ static struct ctl_table vm_table[];
+ static struct ctl_table fs_table[];
+@@ -1202,10 +1224,9 @@ static struct ctl_table kern_table[] = {
+               .data           = &sysctl_unprivileged_bpf_disabled,
+               .maxlen         = sizeof(sysctl_unprivileged_bpf_disabled),
+               .mode           = 0644,
+-              /* only handle a transition from default "0" to "1" */
+-              .proc_handler   = proc_dointvec_minmax,
+-              .extra1         = &one,
+-              .extra2         = &one,
++              .proc_handler   = bpf_unpriv_handler,
++              .extra1         = &zero,
++              .extra2         = &two,
+       },
+ #endif
+ #if defined(CONFIG_TREE_RCU) || defined(CONFIG_PREEMPT_RCU)
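Review bot: `bpf_unpriv_handler()` declares its buffer as `void *buffer`, which matches newer kernels; if the 4.9 `proc_handler` prototype still takes a user pointer (not visible in this hunk), the parameter should be `void __user *buffer` so that sparse keeps checking the copy path through `proc_dointvec_minmax()`. Separately, the locked-state test reads `*(int *)table->data` before parsing and stores the new value afterwards with no serialization, so two privileged writers racing could in principle replace a 1 with another value. A short comment above the handler stating that writers are limited to CAP_SYS_ADMIN and that this window is accepted would document the intent.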
diff --git a/queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch b/queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
new file mode 100644 (file)
index 0000000..7c131e0
--- /dev/null
@@ -0,0 +1,73 @@
+From c0d79987a0d82671bff374c07f2201f9bdf4aaa2 Mon Sep 17 00:00:00 2001
+From: Armin Wolf <W_Armin@gmx.de>
+Date: Thu, 21 Oct 2021 21:05:31 +0200
+Subject: hwmon: (dell-smm) Speed up setting of fan speed
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Armin Wolf <W_Armin@gmx.de>
+
+commit c0d79987a0d82671bff374c07f2201f9bdf4aaa2 upstream.
+
+When setting the fan speed, i8k_set_fan() calls i8k_get_fan_status(),
+causing an unnecessary SMM call since from the two users of this
+function, only i8k_ioctl_unlocked() needs to know the new fan status
+while dell_smm_write() ignores the new fan status.
+Since SMM calls can be very slow while also making error reporting
+difficult for dell_smm_write(), remove the function call from
+i8k_set_fan() and call it separately in i8k_ioctl_unlocked().
+
+Tested on a Dell Inspiron 3505.
+
+Signed-off-by: Armin Wolf <W_Armin@gmx.de>
+Reviewed-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20211021190531.17379-6-W_Armin@gmx.de
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwmon/dell-smm-hwmon.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/hwmon/dell-smm-hwmon.c
++++ b/drivers/hwmon/dell-smm-hwmon.c
+@@ -294,7 +294,7 @@ static int i8k_get_fan_nominal_speed(int
+ }
+ /*
+- * Set the fan speed (off, low, high). Returns the new fan status.
++ * Set the fan speed (off, low, high, ...).
+  */
+ static int i8k_set_fan(int fan, int speed)
+ {
+@@ -303,7 +303,7 @@ static int i8k_set_fan(int fan, int spee
+       speed = (speed < 0) ? 0 : ((speed > i8k_fan_max) ? i8k_fan_max : speed);
+       regs.ebx = (fan & 0xff) | (speed << 8);
+-      return i8k_smm(&regs) ? : i8k_get_fan_status(fan);
++      return i8k_smm(&regs);
+ }
+ static int i8k_get_temp_type(int sensor)
+@@ -417,7 +417,7 @@ static int
+ i8k_ioctl_unlocked(struct file *fp, unsigned int cmd, unsigned long arg)
+ {
+       int val = 0;
+-      int speed;
++      int speed, err;
+       unsigned char buff[16];
+       int __user *argp = (int __user *)arg;
+@@ -478,7 +478,11 @@ i8k_ioctl_unlocked(struct file *fp, unsi
+               if (copy_from_user(&speed, argp + 1, sizeof(int)))
+                       return -EFAULT;
+-              val = i8k_set_fan(val, speed);
++              err = i8k_set_fan(val, speed);
++              if (err < 0)
++                      return err;
++
++              val = i8k_get_fan_status(val);
+               break;
+       default:
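Review bot: The rewritten comment above `i8k_set_fan()` no longer says what the function returns, although the return contract is exactly what this change alters. I would write it as `Set the fan speed (off, low, high, ...). Returns 0 on success or a negative error code from i8k_smm().`, assuming `i8k_smm()` reports failures as negative values, which the new `if (err < 0)` check implies but the hunk does not show. In the ioctl path `val` now holds the result of `i8k_get_fan_status()`, which may itself be an error; whether that is checked before the value is copied to user space lies after the `break`, outside the hunk.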
diff --git a/queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch b/queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
new file mode 100644 (file)
index 0000000..1e3a84d
--- /dev/null
@@ -0,0 +1,85 @@
+From c816b2e65b0e86b95011418cad334f0524fc33b8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?TATSUKAWA=20KOSUKE=20=28=E7=AB=8B=E5=B7=9D=20=E6=B1=9F?=
+ =?UTF-8?q?=E4=BB=8B=29?= <tatsu-ab1@nec.com>
+Date: Wed, 26 Jan 2022 23:35:02 +0000
+Subject: n_tty: wake up poll(POLLRDNORM) on receiving data
+
+From: TATSUKAWA KOSUKE (立川 江介) <tatsu-ab1@nec.com>
+
+commit c816b2e65b0e86b95011418cad334f0524fc33b8 upstream.
+
+The poll man page says POLLRDNORM is equivalent to POLLIN when used as
+an event.
+$ man poll
+<snip>
+              POLLRDNORM
+                     Equivalent to POLLIN.
+
+However, in n_tty driver, POLLRDNORM does not return until timeout even
+if there is terminal input, whereas POLLIN returns.
+
+The following test program works until kernel-3.17, but the test stops
+in poll() after commit 57087d515441 ("tty: Fix spurious poll() wakeups").
+
+[Steps to run test program]
+  $ cc -o test-pollrdnorm test-pollrdnorm.c
+  $ ./test-pollrdnorm
+  foo          <-- Type in something from the terminal followed by [RET].
+                   The string should be echoed back.
+
+  ------------------------< test-pollrdnorm.c >------------------------
+  #include <stdio.h>
+  #include <errno.h>
+  #include <poll.h>
+  #include <unistd.h>
+
+  void main(void)
+  {
+       int             n;
+       unsigned char   buf[8];
+       struct pollfd   fds[1] = {{ 0, POLLRDNORM, 0 }};
+
+       n = poll(fds, 1, -1);
+       if (n < 0)
+               perror("poll");
+       n = read(0, buf, 8);
+       if (n < 0)
+               perror("read");
+       if (n > 0)
+               write(1, buf, n);
+  }
+  ------------------------------------------------------------------------
+
+The attached patch fixes this problem.  Many calls to
+wake_up_interruptible_poll() in the kernel source code already specify
+"POLLIN | POLLRDNORM".
+
+Fixes: 57087d515441 ("tty: Fix spurious poll() wakeups")
+Cc: stable@vger.kernel.org
+Signed-off-by: Kosuke Tatsukawa <tatsu-ab1@nec.com>
+Link: https://lore.kernel.org/r/TYCPR01MB81901C0F932203D30E452B3EA5209@TYCPR01MB8190.jpnprd01.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_tty.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/n_tty.c
++++ b/drivers/tty/n_tty.c
+@@ -1377,7 +1377,7 @@ handle_newline:
+                       put_tty_queue(c, ldata);
+                       smp_store_release(&ldata->canon_head, ldata->read_head);
+                       kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-                      wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++                      wake_up_interruptible_poll(&tty->read_wait, POLLIN | POLLRDNORM);
+                       return 0;
+               }
+       }
+@@ -1658,7 +1658,7 @@ static void __receive_buf(struct tty_str
+       if (read_cnt(ldata)) {
+               kill_fasync(&tty->fasync, SIGIO, POLL_IN);
+-              wake_up_interruptible_poll(&tty->read_wait, POLLIN);
++              wake_up_interruptible_poll(&tty->read_wait, POLLIN | POLLRDNORM);
+       }
+ }
index 964b4dfd19fc0a291926c0e927690501ebf63a70..4e987bc03f23608d60ec40ec6b78294de0743d3d 100644 (file)
@@ -19,3 +19,16 @@ ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch
 net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch
 net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch
 tipc-rate-limit-warning-for-received-illegal-binding.patch
+vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
+vt_ioctl-add-array_index_nospec-to-vt_activate.patch
+bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch
+n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch
+usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
+usb-gadget-validate-interface-os-descriptor-requests.patch
+usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
+usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
+usb-serial-option-add-zte-mf286d-modem.patch
+usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
+usb-serial-cp210x-add-ncr-retail-io-box-id.patch
+usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
+hwmon-dell-smm-speed-up-setting-of-fan-speed.patch
diff --git a/queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch b/queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch
new file mode 100644 (file)
index 0000000..6129924
--- /dev/null
@@ -0,0 +1,51 @@
+From 117b4e96c7f362eb6459543883fc07f77662472c Mon Sep 17 00:00:00 2001
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+Date: Mon, 7 Feb 2022 09:55:58 +0530
+Subject: usb: dwc3: gadget: Prevent core from processing stale TRBs
+
+From: Udipto Goswami <quic_ugoswami@quicinc.com>
+
+commit 117b4e96c7f362eb6459543883fc07f77662472c upstream.
+
+With CPU re-ordering on write instructions, there might
+be a chance that the HWO is set before the TRB is updated
+with the new mapped buffer address.
+And in the case where core is processing a list of TRBs
+it is possible that it fetched the TRBs when the HWO is set
+but before the buffer address is updated.
+Prevent this by adding a memory barrier before the HWO
+is updated to ensure that the core always process the
+updated TRBs.
+
+Fixes: f6bafc6a1c9d ("usb: dwc3: convert TRBs into bitshifts")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
+Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
+Link: https://lore.kernel.org/r/1644207958-18287-1-git-send-email-quic_ugoswami@quicinc.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/dwc3/gadget.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -902,6 +902,19 @@ static void dwc3_prepare_one_trb(struct
+       if (usb_endpoint_xfer_bulk(dep->endpoint.desc) && dep->stream_capable)
+               trb->ctrl |= DWC3_TRB_CTRL_SID_SOFN(req->request.stream_id);
++      /*
++       * As per data book 4.2.3.2TRB Control Bit Rules section
++       *
++       * The controller autonomously checks the HWO field of a TRB to determine if the
++       * entire TRB is valid. Therefore, software must ensure that the rest of the TRB
++       * is valid before setting the HWO field to '1'. In most systems, this means that
++       * software must update the fourth DWORD of a TRB last.
++       *
++       * However there is a possibility of CPU re-ordering here which can cause
++       * controller to observe the HWO bit set prematurely.
++       * Add a write memory barrier to prevent CPU re-ordering.
++       */
++      wmb();
+       trb->ctrl |= DWC3_TRB_CTRL_HWO;
+       trace_dwc3_prepare_trb(dep, trb);
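Review bot: The new `wmb();` before `trb->ctrl |= DWC3_TRB_CTRL_HWO;` is a full write barrier; if the TRB pool lives in coherent DMA memory (the allocation is not visible in this hunk), `dma_wmb();` expresses the same descriptor-ownership ordering and is cheaper on some architectures. The comment's first line also runs the section number into the title; `As per data book section 4.2.3.2, "TRB Control Bit Rules":` reads more clearly. The body of `dwc3_prepare_one_trb()` starts and ends outside the hunk.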
diff --git a/queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch b/queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
new file mode 100644 (file)
index 0000000..7473f63
--- /dev/null
@@ -0,0 +1,43 @@
+From 38ea1eac7d88072bbffb630e2b3db83ca649b826 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Wed, 9 Feb 2022 16:37:53 +0100
+Subject: usb: gadget: rndis: check size of RNDIS_MSG_SET command
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream.
+
+Check the size of the RNDIS_MSG_SET command given to us before
+attempting to respond to an invalid message size.
+
+Reported-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Cc: stable@kernel.org
+Tested-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/function/rndis.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/rndis.c
++++ b/drivers/usb/gadget/function/rndis.c
+@@ -642,14 +642,17 @@ static int rndis_set_response(struct rnd
+       rndis_set_cmplt_type *resp;
+       rndis_resp_t *r;
++      BufLength = le32_to_cpu(buf->InformationBufferLength);
++      BufOffset = le32_to_cpu(buf->InformationBufferOffset);
++      if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
++          (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
++                  return -EINVAL;
++
+       r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
+       if (!r)
+               return -ENOMEM;
+       resp = (rndis_set_cmplt_type *)r->buf;
+-      BufLength = le32_to_cpu(buf->InformationBufferLength);
+-      BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+-
+ #ifdef        VERBOSE_DEBUG
+       pr_debug("%s: Length: %d\n", __func__, BufLength);
+       pr_debug("%s: Offset: %d\n", __func__, BufOffset);
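Review bot: The added check `BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE` can wrap if `BufOffset` is a 32-bit unsigned value (its declaration is above the hunk), so a very large host-supplied offset would pass the test it is meant to fail. Bounding the offset on its own first avoids the wrap: `if (BufLength > RNDIS_MAX_TOTAL_SIZE || BufOffset > RNDIS_MAX_TOTAL_SIZE || BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE) return -EINVAL;`. Length and offset are also validated independently, so it is worth confirming in the code after this hunk that their sum cannot run past the received message. The `return -EINVAL;` line is indented one level deeper than the `if` body style used elsewhere in the function.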
diff --git a/queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch b/queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch
new file mode 100644 (file)
index 0000000..ce84684
--- /dev/null
@@ -0,0 +1,31 @@
+From 75e5b4849b81e19e9efe1654b30d7f3151c33c2c Mon Sep 17 00:00:00 2001
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+Date: Mon, 24 Jan 2022 12:14:00 +0100
+Subject: USB: gadget: validate interface OS descriptor requests
+
+From: Szymon Heidrich <szymon.heidrich@gmail.com>
+
+commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream.
+
+Stall the control endpoint in case provided index exceeds array size of
+MAX_CONFIG_INTERFACES or when the retrieved function pointer is null.
+
+Signed-off-by: Szymon Heidrich <szymon.heidrich@gmail.com>
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/gadget/composite.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1932,6 +1932,9 @@ unknown:
+                               if (w_index != 0x5 || (w_value >> 8))
+                                       break;
+                               interface = w_value & 0xFF;
++                              if (interface >= MAX_CONFIG_INTERFACES ||
++                                  !os_desc_cfg->interface[interface])
++                                      break;
+                               buf[6] = w_index;
+                               if (w_length == 0x0A) {
+                                       count = count_ext_prop(os_desc_cfg,
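Review bot: The added bounds check has no comment saying that `interface` is derived from the host-controlled `w_value` and that `break` is what rejects the request; the stall itself happens in code after the switch, outside this hunk. A one-line comment such as `/* index is host-supplied: reject out-of-range or unbound interfaces */` above the `if` would make the trust boundary explicit. If this path is considered reachable by an untrusted host, clamping the index with `array_index_nospec(interface, MAX_CONFIG_INTERFACES)` after the check would match the mitigation applied to other externally supplied indices in this queue.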
diff --git a/queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch b/queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
new file mode 100644 (file)
index 0000000..72967b3
--- /dev/null
@@ -0,0 +1,39 @@
+From fa77ce201f7f2d823b07753575122d1ae5597fbe Mon Sep 17 00:00:00 2001
+From: Stephan Brunner <s.brunner@stephan-brunner.net>
+Date: Sat, 8 Jan 2022 13:00:20 +0100
+Subject: USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
+
+From: Stephan Brunner <s.brunner@stephan-brunner.net>
+
+commit fa77ce201f7f2d823b07753575122d1ae5597fbe upstream.
+
+Programmable lab power supplies made by GW Instek, such as the
+GPP-2323, have a USB port exposing a serial port to control the device.
+
+Stringing the supplied Windows driver, references to the ch341 chip are
+found. Binding the existing ch341 driver to the VID/PID of the GPP-2323
+("GW Instek USB2.0-Serial" as per the USB product name) works out of the
+box, communication and control is now possible.
+
+This patch should work with any GPP series power supply due to
+similarities in the product line.
+
+Signed-off-by: Stephan Brunner <s.brunner@stephan-brunner.net>
+Link: https://lore.kernel.org/r/4a47b864-0816-6f6a-efee-aa20e74bcdc6@stephan-brunner.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ch341.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -74,6 +74,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x1a86, 0x5523) },
+       { USB_DEVICE(0x1a86, 0x7522) },
+       { USB_DEVICE(0x1a86, 0x7523) },
++      { USB_DEVICE(0x2184, 0x0057) },
+       { USB_DEVICE(0x4348, 0x5523) },
+       { USB_DEVICE(0x9986, 0x7523) },
+       { },
diff --git a/queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch b/queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
new file mode 100644 (file)
index 0000000..2b06c5f
--- /dev/null
@@ -0,0 +1,33 @@
+From 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Feb 2022 11:42:53 +0100
+Subject: USB: serial: cp210x: add CPI Bulk Coin Recycler id
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab upstream.
+
+Add the device id for the Crane Payment Innovation / Money Controls Bulk
+Coin Recycler:
+
+       https://www.cranepi.com/en/system/files/Support/OM_BCR_EN_V1-04_0.pdf
+
+Reported-by: Scott Russell <Scott.Russell2@ncr.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -67,6 +67,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x0FCF, 0x1004) }, /* Dynastream ANT2USB */
+       { USB_DEVICE(0x0FCF, 0x1006) }, /* Dynastream ANT development board */
+       { USB_DEVICE(0x0FDE, 0xCA05) }, /* OWL Wireless Electricity Monitor CM-160 */
++      { USB_DEVICE(0x106F, 0x0003) }, /* CPI / Money Controls Bulk Coin Recycler */
+       { USB_DEVICE(0x10A6, 0xAA26) }, /* Knock-off DCU-11 cable */
+       { USB_DEVICE(0x10AB, 0x10C5) }, /* Siemens MC60 Cable */
+       { USB_DEVICE(0x10B5, 0xAC70) }, /* Nokia CA-42 USB */
diff --git a/queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch b/queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch
new file mode 100644 (file)
index 0000000..b357da5
--- /dev/null
@@ -0,0 +1,33 @@
+From b50f8f09c622297d3cf46e332e17ba8adedec9af Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 1 Feb 2022 11:42:52 +0100
+Subject: USB: serial: cp210x: add NCR Retail IO box id
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b50f8f09c622297d3cf46e332e17ba8adedec9af upstream.
+
+Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane
+SelfServ Checkout - R6C:
+
+       https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c
+
+Reported-by: Scott Russell <Scott.Russell2@ncr.com>
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -49,6 +49,7 @@ static int cp210x_port_remove(struct usb
+ static void cp210x_dtr_rts(struct usb_serial_port *p, int on);
+ static const struct usb_device_id id_table[] = {
++      { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */
+       { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */
+       { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
+       { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
diff --git a/queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch b/queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
new file mode 100644 (file)
index 0000000..3af0916
--- /dev/null
@@ -0,0 +1,58 @@
+From fbb9b194e15a63c56c5664e76ccd0e85c6100cea Mon Sep 17 00:00:00 2001
+From: Cameron Williams <cang1@live.co.uk>
+Date: Tue, 1 Feb 2022 10:12:51 +0000
+Subject: USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
+
+From: Cameron Williams <cang1@live.co.uk>
+
+commit fbb9b194e15a63c56c5664e76ccd0e85c6100cea upstream.
+
+This patch adds support for the Brainboxes US-159, US-235 and US-320
+USB-to-Serial devices.
+
+Signed-off-by: Cameron Williams <cang1@live.co.uk>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ftdi_sio.c     |    3 +++
+ drivers/usb/serial/ftdi_sio_ids.h |    3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -964,6 +964,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_159_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
+@@ -972,12 +973,14 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_235_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
++      { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_320_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) },
+       { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1505,6 +1505,9 @@
+ #define BRAINBOXES_VX_023_PID         0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
+ #define BRAINBOXES_VX_034_PID         0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
+ #define BRAINBOXES_US_101_PID         0x1011 /* US-101 1xRS232 */
++#define BRAINBOXES_US_159_PID         0x1021 /* US-159 1xRS232 */
++#define BRAINBOXES_US_235_PID         0x1017 /* US-235 1xRS232 */
++#define BRAINBOXES_US_320_PID         0x1019 /* US-320 1xRS422/485 */
+ #define BRAINBOXES_US_324_PID         0x1013 /* US-324 1xRS422/485 1Mbaud */
+ #define BRAINBOXES_US_606_1_PID               0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
+ #define BRAINBOXES_US_606_2_PID               0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
diff --git a/queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch b/queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch
new file mode 100644 (file)
index 0000000..a8f5689
--- /dev/null
@@ -0,0 +1,62 @@
+From d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 Mon Sep 17 00:00:00 2001
+From: Pawel Dembicki <paweldembicki@gmail.com>
+Date: Tue, 11 Jan 2022 23:12:05 +0100
+Subject: USB: serial: option: add ZTE MF286D modem
+
+From: Pawel Dembicki <paweldembicki@gmail.com>
+
+commit d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 upstream.
+
+Modem from ZTE MF286D is an Qualcomm MDM9250 based 3G/4G modem.
+
+T:  Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#=  3 Spd=5000 MxCh= 0
+D:  Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs=  1
+P:  Vendor=19d2 ProdID=1485 Rev=52.87
+S:  Manufacturer=ZTE,Incorporated
+S:  Product=ZTE Technologies MSM
+S:  SerialNumber=MF286DZTED000000
+C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=896mA
+A:  FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host
+E:  Ad=82(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E:  Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=85(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E:  Ad=87(I) Atr=03(Int.) MxPS=  10 Ivl=32ms
+E:  Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E:  Ad=88(I) Atr=03(Int.) MxPS=   8 Ivl=32ms
+E:  Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs
+E:  Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E:  Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Signed-off-by: Pawel Dembicki <paweldembicki@gmail.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1625,6 +1625,8 @@ static const struct usb_device_id option
+         .driver_info = RSVD(2) },
+       { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) },    /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */
++      { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1485, 0xff, 0xff, 0xff),  /* ZTE MF286D */
++        .driver_info = RSVD(5) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
diff --git a/queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch b/queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch
new file mode 100644 (file)
index 0000000..6ea1940
--- /dev/null
@@ -0,0 +1,39 @@
+From 28cb138f559f8c1a1395f5564f86b8bbee83631b Mon Sep 17 00:00:00 2001
+From: Jakob Koschel <jakobkoschel@gmail.com>
+Date: Thu, 27 Jan 2022 15:44:05 +0100
+Subject: vt_ioctl: add array_index_nospec to VT_ACTIVATE
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+commit 28cb138f559f8c1a1395f5564f86b8bbee83631b upstream.
+
+in vt_setactivate an almost identical code path has been patched
+with array_index_nospec. In the VT_ACTIVATE path the user input
+is from a system call argument instead of a usercopy.
+For consistency both code paths should have the same mitigations
+applied.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220127144406.3589293-2-jakobkoschel@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -694,6 +694,7 @@ int vt_ioctl(struct tty_struct *tty,
+                       ret =  -ENXIO;
+               else {
+                       arg--;
++                      arg = array_index_nospec(arg, MAX_NR_CONSOLES);
+                       console_lock();
+                       ret = vc_allocate(arg);
+                       console_unlock();
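Review bot: The added `arg = array_index_nospec(arg, MAX_NR_CONSOLES);` is only correct because it runs after `arg--`, and nothing in the code records that ordering requirement. The companion patch in this queue (vt_ioctl-fix-array_index_nospec-in-vt_setactivate) exists because the clamp was once placed before the decrement, which per its description lets the zeroed value underflow on the transient path. I would add a comment above the clamp, for example `/* clamp the 0-based index after the decrement; clamping first lets a speculated 0 underflow */`. The same comment fits the vt_setactivate hunk, where the bound must also stay `MAX_NR_CONSOLES` rather than `MAX_NR_CONSOLES + 1` now that the value is already 0-based when clamped. The enclosing vt_ioctl() cases start and end outside both hunks, so later uses of the index cannot be checked from here.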
diff --git a/queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch b/queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
new file mode 100644 (file)
index 0000000..4374f1f
--- /dev/null
@@ -0,0 +1,42 @@
+From 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 Mon Sep 17 00:00:00 2001
+From: Jakob Koschel <jakobkoschel@gmail.com>
+Date: Thu, 27 Jan 2022 15:44:04 +0100
+Subject: vt_ioctl: fix array_index_nospec in vt_setactivate
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+commit 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 upstream.
+
+array_index_nospec ensures that an out-of-bounds value is set to zero
+on the transient path. Decreasing the value by one afterwards causes
+a transient integer underflow. vsa.console should be decreased first
+and then sanitized with array_index_nospec.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Brian Johannesmeyer <bjohannesmeyer@gmail.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/vt/vt_ioctl.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -718,9 +718,9 @@ int vt_ioctl(struct tty_struct *tty,
+               if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
+                       ret = -ENXIO;
+               else {
+-                      vsa.console = array_index_nospec(vsa.console,
+-                                                       MAX_NR_CONSOLES + 1);
+                       vsa.console--;
++                      vsa.console = array_index_nospec(vsa.console,
++                                                       MAX_NR_CONSOLES);
+                       console_lock();
+                       ret = vc_allocate(vsa.console);
+                       if (ret == 0) {