From: Greg Kroah-Hartman Date: Sun, 11 Jul 2021 12:11:00 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v5.4.132~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=17d091c032522e02072a8530c9493003eddf3781;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-realtek-add-another-alc236-variant-support.patch alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch alsa-usb-audio-fix-oob-access-at-proc-output.patch alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch copy_page_to_iter-fix-iter_discard-case.patch input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch input-usbtouchscreen-fix-control-request-directions.patch iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch media-dvb-usb-fix-wrong-definition.patch net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch ntfs-fix-validity-check-for-file-name-attribute.patch usb-cdc-acm-blacklist-heimann-usb-appset-device.patch usb-dwc3-fix-debugfs-creation-flow.patch usb-gadget-eem-fix-echo-command-packet-response-issue.patch usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch xhci-solve-a-double-free-problem-while-doing-s4.patch --- diff --git a/queue-5.4/alsa-hda-realtek-add-another-alc236-variant-support.patch b/queue-5.4/alsa-hda-realtek-add-another-alc236-variant-support.patch new file mode 100644 index 00000000000..8e5c84764d2 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-add-another-alc236-variant-support.patch @@ -0,0 +1,128 @@ +From 1948fc065a89f18d057b8ffaef6d7242ad99edb8 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 18 Jun 2021 18:17:20 +0200 +Subject: ALSA: hda/realtek: Add another ALC236 variant support + +From: Takashi Iwai + +commit 1948fc065a89f18d057b8ffaef6d7242ad99edb8 upstream. + +The codec chip 10ec:0230 is another variant of ALC236, combined with a +card reader. Apply the equivalent setup as 10ec:0236. + +BugLink: https://bugzilla.suse.com/show_bug.cgi?id=1184869 +Cc: +Link: https://lore.kernel.org/r/20210618161720.28694-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -375,6 +375,7 @@ static void alc_fill_eapd_coef(struct hd + alc_update_coef_idx(codec, 0x67, 0xf000, 0x3000); + /* fallthrough */ + case 0x10ec0215: ++ case 0x10ec0230: + case 0x10ec0233: + case 0x10ec0235: + case 0x10ec0236: +@@ -3143,6 +3144,7 @@ static void alc_disable_headset_jack_key + alc_update_coef_idx(codec, 0x49, 0x0045, 0x0); + alc_update_coef_idx(codec, 0x44, 0x0045 << 8, 0x0); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x48, 0x0); +@@ -3170,6 +3172,7 @@ static void alc_enable_headset_jack_key( + alc_update_coef_idx(codec, 0x49, 0x007f, 0x0045); + alc_update_coef_idx(codec, 0x44, 0x007f << 8, 0x0045 << 8); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x48, 0xd011); +@@ -4630,6 +4633,7 @@ static void alc_headset_mode_unplugged(s + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -4744,6 +4748,7 @@ static void alc_headset_mode_mic_in(stru + alc_process_coef_fw(codec, coef0255); + snd_hda_set_pin_ctl_cache(codec, mic_pin, PIN_VREF50); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x45, 0xc489); +@@ -4893,6 +4898,7 @@ static void alc_headset_mode_default(str + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x1b, 0x0e4b); +@@ -4991,6 +4997,7 @@ static void alc_headset_mode_ctia(struct + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -5104,6 +5111,7 @@ static void alc_headset_mode_omtp(struct + case 0x10ec0255: + alc_process_coef_fw(codec, coef0255); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, coef0256); +@@ -5199,6 +5207,7 @@ static void alc_determine_headset_type(s + val = alc_read_coef_idx(codec, 0x46); + is_ctia = (val & 0x0070) == 0x0070; + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_write_coef_idx(codec, 0x1b, 0x0e4b); +@@ -5492,6 +5501,7 @@ static void alc255_set_default_jack_type + case 0x10ec0255: + alc_process_coef_fw(codec, alc255fw); + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + alc_process_coef_fw(codec, alc256fw); +@@ -6092,6 +6102,7 @@ static void alc_combo_jack_hp_jd_restart + alc_update_coef_idx(codec, 0x4a, 0x8000, 1 << 15); /* Reset HP JD */ + alc_update_coef_idx(codec, 0x4a, 0x8000, 0 << 15); + break; ++ case 0x10ec0230: + case 0x10ec0235: + case 0x10ec0236: + case 0x10ec0255: +@@ -9063,6 +9074,7 @@ static int patch_alc269(struct hda_codec + spec->shutup = alc256_shutup; + spec->init_hook = alc256_init; + break; ++ case 0x10ec0230: + case 0x10ec0236: + case 0x10ec0256: + spec->codec_variant = ALC269_TYPE_ALC256; +@@ -10354,6 +10366,7 @@ static const struct hda_device_id snd_hd + HDA_CODEC_ENTRY(0x10ec0221, "ALC221", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0222, "ALC222", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0225, "ALC225", patch_alc269), ++ HDA_CODEC_ENTRY(0x10ec0230, "ALC236", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0231, "ALC231", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0233, "ALC233", patch_alc269), + HDA_CODEC_ENTRY(0x10ec0234, "ALC234", patch_alc269), diff --git a/queue-5.4/alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch b/queue-5.4/alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch new file mode 100644 index 00000000000..ef5d6794e95 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch @@ -0,0 +1,32 @@ +From 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 23 Jun 2021 14:20:22 +0200 +Subject: ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too + +From: Takashi Iwai + +commit 0ac05b25c3dd8299204ae9d50c1c2f7f05eef08f upstream. + +HP Dragonfly G1 (SSID 103c:861f) also requires the same quirk for the +mute and mic-mute LED just as Dragonfly G2 model. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=213329 +Cc: +Link: https://lore.kernel.org/r/20210623122022.26179-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8093,6 +8093,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN), + SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360), ++ SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT), + SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED), + SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED), + SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED), diff --git a/queue-5.4/alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch b/queue-5.4/alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch new file mode 100644 index 00000000000..36985778e6e --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch @@ -0,0 +1,42 @@ +From f8fbcdfb0665de60997d9746809e1704ed782bbc Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Sun, 20 Jun 2021 08:59:52 +0200 +Subject: ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D + +From: Takashi Iwai + +commit f8fbcdfb0665de60997d9746809e1704ed782bbc upstream. + +Asus Zenbook 14 UM431D has two speaker pins and a headphone pin, and +the auto-parser ends up assigning the bass to the third DAC 0x06. +Although the tone comes out, it's inconvenient because this DAC has no +volume control unlike two other DACs. + +For obtaining the volume control for the bass speaker, this patch +enforces the mapping to let both front and bass speaker pins sharing +the same DAC. It's not ideal but a little bit of improvement. + +Since we've already applied the same workaround for another ASUS +machine, we just need to hook the chain to the existing quirk. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=212547 +Cc: +Link: https://lore.kernel.org/r/20210620065952.18948-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -7681,6 +7681,8 @@ static const struct hda_fixup alc269_fix + { 0x20, AC_VERB_SET_PROC_COEF, 0x4e4b }, + { } + }, ++ .chained = true, ++ .chain_id = ALC289_FIXUP_ASUS_GA401, + }, + [ALC285_FIXUP_HP_GPIO_LED] = { + .type = HDA_FIXUP_FUNC, diff --git a/queue-5.4/alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch b/queue-5.4/alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch new file mode 100644 index 00000000000..8e5b40bbac6 --- /dev/null +++ b/queue-5.4/alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch @@ -0,0 +1,74 @@ +From 434591b2a77def0e78abfa38e5d7c4bca954e68a Mon Sep 17 00:00:00 2001 +From: Elia Devito +Date: Sat, 19 Jun 2021 22:41:04 +0200 +Subject: ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx + +From: Elia Devito + +commit 434591b2a77def0e78abfa38e5d7c4bca954e68a upstream. + +On HP Spectre x360 15-df0xxx, after system boot with plugged headset, the +headset mic are not detected. +Moving pincfg and DAC's config to single fixup function fix this. + +[ The actual bug in the original code was that it used a chain to + ALC286_FIXUP_SPEAKER2_TO_DAC1, and it contains not only the DAC1 + route fix but also another chain to ALC269_FIXUP_THINKPAD_ACPI. + I thought the latter one is harmless for non-Thinkpad, but it + doesn't seem so; it contains again yet another chain to + ALC269_FIXUP_SKI_IGNORE, and this might be bad for some machines, + including this HP machine. -- tiwai ] + +Signed-off-by: Elia Devito +Cc: +Link: https://lore.kernel.org/r/20210619204105.5682-1-eliadevito@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6218,6 +6218,24 @@ static void alc274_fixup_hp_headset_mic( + } + } + ++static void alc285_fixup_hp_spectre_x360(struct hda_codec *codec, ++ const struct hda_fixup *fix, int action) ++{ ++ static const hda_nid_t conn[] = { 0x02 }; ++ static const struct hda_pintbl pincfgs[] = { ++ { 0x14, 0x90170110 }, /* rear speaker */ ++ { } ++ }; ++ ++ switch (action) { ++ case HDA_FIXUP_ACT_PRE_PROBE: ++ snd_hda_apply_pincfgs(codec, pincfgs); ++ /* force front speaker to DAC1 */ ++ snd_hda_override_conn_list(codec, 0x17, ARRAY_SIZE(conn), conn); ++ break; ++ } ++} ++ + /* for hda_fixup_thinkpad_acpi() */ + #include "thinkpad_helper.c" + +@@ -7916,13 +7934,8 @@ static const struct hda_fixup alc269_fix + .chain_id = ALC269_FIXUP_HP_LINE1_MIC1_LED, + }, + [ALC285_FIXUP_HP_SPECTRE_X360] = { +- .type = HDA_FIXUP_PINS, +- .v.pins = (const struct hda_pintbl[]) { +- { 0x14, 0x90170110 }, /* enable top speaker */ +- {} +- }, +- .chained = true, +- .chain_id = ALC285_FIXUP_SPEAKER2_TO_DAC1, ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc285_fixup_hp_spectre_x360, + }, + }; + diff --git a/queue-5.4/alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch b/queue-5.4/alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch new file mode 100644 index 00000000000..8f8bb867203 --- /dev/null +++ b/queue-5.4/alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch @@ -0,0 +1,39 @@ +From 24d1e49415be546470b20429d748e240d0518b7e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 8 Jul 2021 11:07:38 +0200 +Subject: ALSA: intel8x0: Fix breakage at ac97 clock measurement + +From: Takashi Iwai + +commit 24d1e49415be546470b20429d748e240d0518b7e upstream. + +The recent workaround for the wild interrupts in commit c1f0616124c4 +("ALSA: intel8x0: Don't update period unless prepared") leaded to a +regression, causing the interrupt storm during ac97 clock measurement +at the driver probe. We need to handle the interrupt while the clock +measurement as well as the proper PCM streams. + +Fixes: c1f0616124c4 ("ALSA: intel8x0: Don't update period unless prepared") +Reported-and-tested-by: Max Filippov +Tested-by: Sergey Senozhatsky +Cc: +Link: https://lore.kernel.org/r/CAMo8BfKKMQkcsbOQaeEjq_FsJhdK=fn598dvh7YOcZshUSOH=g@mail.gmail.com +Link: https://lore.kernel.org/r/20210708090738.1569-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/intel8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/intel8x0.c ++++ b/sound/pci/intel8x0.c +@@ -715,7 +715,7 @@ static inline void snd_intel8x0_update(s + int status, civ, i, step; + int ack = 0; + +- if (!ichdev->prepared || ichdev->suspended) ++ if (!(ichdev->prepared || chip->in_measurement) || ichdev->suspended) + return; + + spin_lock_irqsave(&chip->reg_lock, flags); diff --git a/queue-5.4/alsa-usb-audio-fix-oob-access-at-proc-output.patch b/queue-5.4/alsa-usb-audio-fix-oob-access-at-proc-output.patch new file mode 100644 index 00000000000..1f39814b7ce --- /dev/null +++ b/queue-5.4/alsa-usb-audio-fix-oob-access-at-proc-output.patch @@ -0,0 +1,37 @@ +From 362372ceb6556f338e230f2d90af27b47f82365a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 22 Jun 2021 11:06:47 +0200 +Subject: ALSA: usb-audio: Fix OOB access at proc output + +From: Takashi Iwai + +commit 362372ceb6556f338e230f2d90af27b47f82365a upstream. + +At extending the available mixer values for 32bit types, we forgot to +add the corresponding entries for the format dump in the proc output. +This may result in OOB access. Here adds the missing entries. + +Fixes: bc18e31c3042 ("ALSA: usb-audio: Fix parameter block size for UAC2 control requests") +Cc: +Link: https://lore.kernel.org/r/20210622090647.14021-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3241,8 +3241,9 @@ static void snd_usb_mixer_dump_cval(stru + struct usb_mixer_elem_list *list) + { + struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list); +- static const char * const val_types[] = {"BOOLEAN", "INV_BOOLEAN", +- "S8", "U8", "S16", "U16"}; ++ static const char * const val_types[] = { ++ "BOOLEAN", "INV_BOOLEAN", "S8", "U8", "S16", "U16", "S32", "U32", ++ }; + snd_iprintf(buffer, " Info: id=%i, control=%i, cmask=0x%x, " + "channels=%i, type=\"%s\"\n", cval->head.id, + cval->control, cval->cmask, cval->channels, diff --git a/queue-5.4/alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch b/queue-5.4/alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch new file mode 100644 index 00000000000..c9fe60e64a8 --- /dev/null +++ b/queue-5.4/alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch @@ -0,0 +1,35 @@ +From aecc19ec404bdc745c781058ac97a373731c3089 Mon Sep 17 00:00:00 2001 +From: Daehwan Jung +Date: Wed, 16 Jun 2021 18:34:55 +0900 +Subject: ALSA: usb-audio: fix rate on Ozone Z90 USB headset + +From: Daehwan Jung + +commit aecc19ec404bdc745c781058ac97a373731c3089 upstream. + +It mislabels its 96 kHz altsetting and that's why it causes some noise + +Signed-off-by: Daehwan Jung +Cc: +Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/format.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/usb/format.c ++++ b/sound/usb/format.c +@@ -195,9 +195,11 @@ static int parse_audio_format_rates_v1(s + continue; + /* C-Media CM6501 mislabels its 96 kHz altsetting */ + /* Terratec Aureon 7.1 USB C-Media 6206, too */ ++ /* Ozone Z90 USB C-Media, too */ + if (rate == 48000 && nr_rates == 1 && + (chip->usb_id == USB_ID(0x0d8c, 0x0201) || + chip->usb_id == USB_ID(0x0d8c, 0x0102) || ++ chip->usb_id == USB_ID(0x0d8c, 0x0078) || + chip->usb_id == USB_ID(0x0ccd, 0x00b1)) && + fp->altsetting == 5 && fp->maxpacksize == 392) + rate = 96000; diff --git a/queue-5.4/alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch b/queue-5.4/alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch new file mode 100644 index 00000000000..f088512210b --- /dev/null +++ b/queue-5.4/alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch @@ -0,0 +1,76 @@ +From 785b6f29a795f109685f286b91e0250c206fbffb Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 23 Jun 2021 02:30:49 +0930 +Subject: ALSA: usb-audio: scarlett2: Fix wrong resume call + +From: Takashi Iwai + +commit 785b6f29a795f109685f286b91e0250c206fbffb upstream. + +The current way of the scarlett2 mixer code managing the +usb_mixer_elem_info object is wrong in two ways: it passes its +internal index to the head.id field, and the val_type field is +uninitialized. This ended up with the wrong execution at the resume +because a bogus unit id is passed wrongly. Also, in the later code +extensions, we'll have more mixer elements, and passing the index will +overflow the unit id size (of 256). + +This patch corrects those issues. It introduces a new value type, +USB_MIXER_BESPOKEN, which indicates a non-standard mixer element, and +use this type for all scarlett2 mixer elements, as well as +initializing the fixed unit id 0 for avoiding the overflow. + +Tested-by: Geoffrey D. Bennett +Signed-off-by: Geoffrey D. Bennett +Cc: +Link: https://lore.kernel.org/r/49721219f45b7e175e729b0d9d9c142fd8f4342a.1624379707.git.g@b4.vu +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/mixer.c | 3 +++ + sound/usb/mixer.h | 1 + + sound/usb/mixer_scarlett_gen2.c | 7 ++++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/sound/usb/mixer.c ++++ b/sound/usb/mixer.c +@@ -3599,6 +3599,9 @@ static int restore_mixer_value(struct us + struct usb_mixer_elem_info *cval = mixer_elem_list_to_info(list); + int c, err, idx; + ++ if (cval->val_type == USB_MIXER_BESPOKEN) ++ return 0; ++ + if (cval->cmask) { + idx = 0; + for (c = 0; c < MAX_CHANNELS; c++) { +--- a/sound/usb/mixer.h ++++ b/sound/usb/mixer.h +@@ -55,6 +55,7 @@ enum { + USB_MIXER_U16, + USB_MIXER_S32, + USB_MIXER_U32, ++ USB_MIXER_BESPOKEN, /* non-standard type */ + }; + + typedef void (*usb_mixer_elem_dump_func_t)(struct snd_info_buffer *buffer, +--- a/sound/usb/mixer_scarlett_gen2.c ++++ b/sound/usb/mixer_scarlett_gen2.c +@@ -949,10 +949,15 @@ static int scarlett2_add_new_ctl(struct + if (!elem) + return -ENOMEM; + ++ /* We set USB_MIXER_BESPOKEN type, so that the core USB mixer code ++ * ignores them for resume and other operations. ++ * Also, the head.id field is set to 0, as we don't use this field. ++ */ + elem->head.mixer = mixer; + elem->control = index; +- elem->head.id = index; ++ elem->head.id = 0; + elem->channels = channels; ++ elem->val_type = USB_MIXER_BESPOKEN; + + kctl = snd_ctl_new1(ncontrol, elem); + if (!kctl) { diff --git a/queue-5.4/copy_page_to_iter-fix-iter_discard-case.patch b/queue-5.4/copy_page_to_iter-fix-iter_discard-case.patch new file mode 100644 index 00000000000..1c0941889b6 --- /dev/null +++ b/queue-5.4/copy_page_to_iter-fix-iter_discard-case.patch @@ -0,0 +1,36 @@ +From a506abc7b644d71966a75337d5a534f531b3cdc4 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 27 Apr 2021 12:34:04 -0400 +Subject: copy_page_to_iter(): fix ITER_DISCARD case + +From: Al Viro + +commit a506abc7b644d71966a75337d5a534f531b3cdc4 upstream. + +we need to advance the iterator... + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + lib/iov_iter.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -896,9 +896,12 @@ size_t copy_page_to_iter(struct page *pa + size_t wanted = copy_to_iter(kaddr + offset, bytes, i); + kunmap_atomic(kaddr); + return wanted; +- } else if (unlikely(iov_iter_is_discard(i))) ++ } else if (unlikely(iov_iter_is_discard(i))) { ++ if (unlikely(i->count < bytes)) ++ bytes = i->count; ++ i->count -= bytes; + return bytes; +- else if (likely(!iov_iter_is_pipe(i))) ++ } else if (likely(!iov_iter_is_pipe(i))) + return copy_page_to_iter_iovec(page, offset, bytes, i); + else + return copy_page_to_iter_pipe(page, offset, bytes, i); diff --git a/queue-5.4/input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch b/queue-5.4/input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch new file mode 100644 index 00000000000..c0bfba7e8aa --- /dev/null +++ b/queue-5.4/input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch @@ -0,0 +1,54 @@ +From f8f84af5da9ee04ef1d271528656dac42a090d00 Mon Sep 17 00:00:00 2001 +From: Alexander Larkin +Date: Sun, 4 Jul 2021 22:39:36 -0700 +Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl + +From: Alexander Larkin + +commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream. + +Even though we validate user-provided inputs we then traverse past +validated data when applying the new map. The issue was originally +discovered by Murray McAllister with this simple POC (if the following +is executed by an unprivileged user it will instantly panic the system): + +int main(void) { + int fd, ret; + unsigned int buffer[10000]; + + fd = open("/dev/input/js0", O_RDONLY); + if (fd == -1) + printf("Error opening file\n"); + + ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer); + printf("%d\n", ret); +} + +The solution is to traverse internal buffer which is guaranteed to only +contain valid date when constructing the map. + +Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl") +Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones") +Reported-by: Murray McAllister +Suggested-by: Linus Torvalds +Signed-off-by: Alexander Larkin +Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joydev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -500,7 +500,7 @@ static int joydev_handle_JSIOCSBTNMAP(st + memcpy(joydev->keypam, keypam, len); + + for (i = 0; i < joydev->nkey; i++) +- joydev->keymap[keypam[i] - BTN_MISC] = i; ++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i; + + out: + kfree(keypam); diff --git a/queue-5.4/input-usbtouchscreen-fix-control-request-directions.patch b/queue-5.4/input-usbtouchscreen-fix-control-request-directions.patch new file mode 100644 index 00000000000..97d3a58fc30 --- /dev/null +++ b/queue-5.4/input-usbtouchscreen-fix-control-request-directions.patch @@ -0,0 +1,66 @@ +From 41e81022a04a0294c55cfa7e366bc14b9634c66e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 May 2021 10:02:59 -0700 +Subject: Input: usbtouchscreen - fix control-request directions + +From: Johan Hovold + +commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Fix the four control requests which erroneously used usb_rcvctrlpipe(). + +Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver") +Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices") +Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller") +Signed-off-by: Johan Hovold +Cc: stable@vger.kernel.org # 2.6.17 +Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/usbtouchscreen.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/input/touchscreen/usbtouchscreen.c ++++ b/drivers/input/touchscreen/usbtouchscreen.c +@@ -251,7 +251,7 @@ static int e2i_init(struct usbtouch_usb + int ret; + struct usb_device *udev = interface_to_usbdev(usbtouch->interface); + +- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), ++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), + 0x01, 0x02, 0x0000, 0x0081, + NULL, 0, USB_CTRL_SET_TIMEOUT); + +@@ -531,7 +531,7 @@ static int mtouch_init(struct usbtouch_u + if (ret) + return ret; + +- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), ++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), + MTOUCHUSB_RESET, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); +@@ -543,7 +543,7 @@ static int mtouch_init(struct usbtouch_u + msleep(150); + + for (i = 0; i < 3; i++) { +- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0), ++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0), + MTOUCHUSB_ASYNC_REPORT, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT); +@@ -722,7 +722,7 @@ static int dmc_tsc10_init(struct usbtouc + } + + /* start sending data */ +- ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0), ++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0), + TSC10_CMD_DATA1, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, + 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT); diff --git a/queue-5.4/iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch b/queue-5.4/iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch new file mode 100644 index 00000000000..4a93d14d37f --- /dev/null +++ b/queue-5.4/iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch @@ -0,0 +1,31 @@ +From 0e8f0d67401589a141950856902c7d0ec8d9c985 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 2 Jun 2021 14:48:21 -0400 +Subject: [xarray] iov_iter_fault_in_readable() should do nothing in xarray case + +From: Al Viro + +commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream. + +... and actually should just check it's given an iovec-backed iterator +in the first place. + +Cc: stable@vger.kernel.org +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + lib/iov_iter.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -422,7 +422,7 @@ int iov_iter_fault_in_readable(struct io + int err; + struct iovec v; + +- if (!(i->type & (ITER_BVEC|ITER_KVEC))) { ++ if (iter_is_iovec(i)) { + iterate_iovec(i, bytes, v, iov, skip, ({ + err = fault_in_pages_readable(v.iov_base, v.iov_len); + if (unlikely(err)) diff --git a/queue-5.4/media-dvb-usb-fix-wrong-definition.patch b/queue-5.4/media-dvb-usb-fix-wrong-definition.patch new file mode 100644 index 00000000000..c0dded9fcee --- /dev/null +++ b/queue-5.4/media-dvb-usb-fix-wrong-definition.patch @@ -0,0 +1,49 @@ +From c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 7 May 2021 14:50:43 +0200 +Subject: media: dvb-usb: fix wrong definition + +From: Pavel Skripkin + +commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream. + +syzbot reported WARNING in vmalloc. The problem +was in zero size passed to vmalloc. + +The root case was in wrong cxusb_bluebird_lgz201_properties +definition. adapter array has only 1 entry, but num_adapters was +2. + +Call Trace: + __vmalloc_node mm/vmalloc.c:2963 [inline] + vmalloc+0x67/0x80 mm/vmalloc.c:2996 + dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251 + dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184 + dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline] + dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] + dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 + cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634 + +Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device") +Cc: stable@vger.kernel.org +Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/cxusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/usb/dvb-usb/cxusb.c ++++ b/drivers/media/usb/dvb-usb/cxusb.c +@@ -1950,7 +1950,7 @@ static struct dvb_usb_device_properties + + .size_of_priv = sizeof(struct cxusb_state), + +- .num_adapters = 2, ++ .num_adapters = 1, + .adapter = { + { + .num_frontends = 1, diff --git a/queue-5.4/net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch b/queue-5.4/net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch new file mode 100644 index 00000000000..be905ac3d95 --- /dev/null +++ b/queue-5.4/net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch @@ -0,0 +1,68 @@ +From ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 17 Jun 2021 21:51:30 +0300 +Subject: net: can: ems_usb: fix use-after-free in ems_usb_disconnect() + +From: Pavel Skripkin + +commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream. + +In ems_usb_disconnect() dev pointer, which is netdev private data, is +used after free_candev() call: +| if (dev) { +| unregister_netdev(dev->netdev); +| free_candev(dev->netdev); +| +| unlink_all_urbs(dev); +| +| usb_free_urb(dev->intr_urb); +| +| kfree(dev->intr_in_buffer); +| kfree(dev->tx_msg_buffer); +| } + +Fix it by simply moving free_candev() at the end of the block. + +Fail log: +| BUG: KASAN: use-after-free in ems_usb_disconnect +| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895 +| +| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164 +| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4 +| Workqueue: usb_hub_wq hub_event +| Call Trace: +| dump_stack (lib/dump_stack.c:122) +| print_address_description.constprop.0.cold (mm/kasan/report.c:234) +| kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436) +| ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058) + +Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface") +Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com +Cc: linux-stable +Signed-off-by: Pavel Skripkin +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/usb/ems_usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/can/usb/ems_usb.c ++++ b/drivers/net/can/usb/ems_usb.c +@@ -1053,7 +1053,6 @@ static void ems_usb_disconnect(struct us + + if (dev) { + unregister_netdev(dev->netdev); +- free_candev(dev->netdev); + + unlink_all_urbs(dev); + +@@ -1061,6 +1060,8 @@ static void ems_usb_disconnect(struct us + + kfree(dev->intr_in_buffer); + kfree(dev->tx_msg_buffer); ++ ++ free_candev(dev->netdev); + } + } + diff --git a/queue-5.4/ntfs-fix-validity-check-for-file-name-attribute.patch b/queue-5.4/ntfs-fix-validity-check-for-file-name-attribute.patch new file mode 100644 index 00000000000..8b14f7d96f9 --- /dev/null +++ b/queue-5.4/ntfs-fix-validity-check-for-file-name-attribute.patch @@ -0,0 +1,52 @@ +From d98e4d95411bbde2220a7afa38dcc9c14d71acbe Mon Sep 17 00:00:00 2001 +From: Desmond Cheong Zhi Xi +Date: Mon, 28 Jun 2021 19:33:52 -0700 +Subject: ntfs: fix validity check for file name attribute + +From: Desmond Cheong Zhi Xi + +commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream. + +When checking the file name attribute, we want to ensure that it fits +within the bounds of ATTR_RECORD. To do this, we should check that (attr +record + file name offset + file name length) < (attr record + attr record +length). + +However, the original check did not include the file name offset in the +calculation. This means that corrupted on-disk metadata might not caught +by the incorrect file name check, and lead to an invalid memory access. + +An example can be seen in the crash report of a memory corruption error +found by Syzbot: +https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246 + +Adding the file name offset to the validity check fixes this error and +passes the Syzbot reproducer test. + +Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com +Signed-off-by: Desmond Cheong Zhi Xi +Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com +Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com +Acked-by: Anton Altaparmakov +Cc: Shuah Khan +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ntfs/inode.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -476,7 +476,7 @@ err_corrupt_attr: + } + file_name_attr = (FILE_NAME_ATTR*)((u8*)attr + + le16_to_cpu(attr->data.resident.value_offset)); +- p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length); ++ p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length); + if (p2 < (u8*)attr || p2 > p) + goto err_corrupt_attr; + /* This attribute is ok, but is it in the $Extend directory? */ diff --git a/queue-5.4/usb-cdc-acm-blacklist-heimann-usb-appset-device.patch b/queue-5.4/usb-cdc-acm-blacklist-heimann-usb-appset-device.patch new file mode 100644 index 00000000000..ceb837c3325 --- /dev/null +++ b/queue-5.4/usb-cdc-acm-blacklist-heimann-usb-appset-device.patch @@ -0,0 +1,43 @@ +From 4897807753e078655a78de39ed76044d784f3e63 Mon Sep 17 00:00:00 2001 +From: Hannu Hartikainen +Date: Tue, 22 Jun 2021 17:14:54 +0300 +Subject: USB: cdc-acm: blacklist Heimann USB Appset device + +From: Hannu Hartikainen + +commit 4897807753e078655a78de39ed76044d784f3e63 upstream. + +The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be +a CDC-ACM device in its descriptors but in fact is not. If it is run +with echo disabled it returns garbled data, probably due to something +that happens in the TTY layer. And when run with echo enabled (the +default), it will mess up the calibration data of the sensor the first +time any data is sent to the device. + +In short, I had a bad time after connecting the sensor and trying to get +it to work. I hope blacklisting it in the cdc-acm driver will save +someone else a bit of trouble. + +Signed-off-by: Hannu Hartikainen +Cc: stable +Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1960,6 +1960,11 @@ static const struct usb_device_id acm_id + .driver_info = IGNORE_DEVICE, + }, + ++ /* Exclude Heimann Sensor GmbH USB appset demo */ ++ { USB_DEVICE(0x32a7, 0x0000), ++ .driver_info = IGNORE_DEVICE, ++ }, ++ + /* control interfaces without any protocol set */ + { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM, + USB_CDC_PROTO_NONE) }, diff --git a/queue-5.4/usb-dwc3-fix-debugfs-creation-flow.patch b/queue-5.4/usb-dwc3-fix-debugfs-creation-flow.patch new file mode 100644 index 00000000000..216cfe2bd6d --- /dev/null +++ b/queue-5.4/usb-dwc3-fix-debugfs-creation-flow.patch @@ -0,0 +1,50 @@ +From 84524d1232ecca7cf8678e851b254f05cff4040a Mon Sep 17 00:00:00 2001 +From: Minas Harutyunyan +Date: Thu, 17 Jun 2021 09:55:24 -0700 +Subject: usb: dwc3: Fix debugfs creation flow + +From: Minas Harutyunyan + +commit 84524d1232ecca7cf8678e851b254f05cff4040a upstream. + +Creation EP's debugfs called earlier than debugfs folder for dwc3 +device created. As result EP's debugfs are created in '/sys/kernel/debug' +instead of '/sys/kernel/debug/usb/dwc3.1.auto'. + +Moved dwc3_debugfs_init() function call before calling +dwc3_core_init_mode() to allow create dwc3 debugfs parent before +creating EP's debugfs's. + +Fixes: 8d396bb0a5b6 ("usb: dwc3: debugfs: Add and remove endpoint dirs dynamically") +Cc: stable +Reviewed-by: Jack Pham +Signed-off-by: Minas Harutyunyan +Link: https://lore.kernel.org/r/01fafb5b2d8335e98e6eadbac61fc796bdf3ec1a.1623948457.git.Minas.Harutyunyan@synopsys.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1523,17 +1523,18 @@ static int dwc3_probe(struct platform_de + } + + dwc3_check_params(dwc); ++ dwc3_debugfs_init(dwc); + + ret = dwc3_core_init_mode(dwc); + if (ret) + goto err5; + +- dwc3_debugfs_init(dwc); + pm_runtime_put(dev); + + return 0; + + err5: ++ dwc3_debugfs_exit(dwc); + dwc3_event_buffers_cleanup(dwc); + + usb_phy_shutdown(dwc->usb2_phy); diff --git a/queue-5.4/usb-gadget-eem-fix-echo-command-packet-response-issue.patch b/queue-5.4/usb-gadget-eem-fix-echo-command-packet-response-issue.patch new file mode 100644 index 00000000000..70be08ab878 --- /dev/null +++ b/queue-5.4/usb-gadget-eem-fix-echo-command-packet-response-issue.patch @@ -0,0 +1,111 @@ +From 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Mon Sep 17 00:00:00 2001 +From: Linyu Yuan +Date: Wed, 16 Jun 2021 19:51:42 +0800 +Subject: usb: gadget: eem: fix echo command packet response issue + +From: Linyu Yuan + +commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream. + +when receive eem echo command, it will send a response, +but queue this response to the usb request which allocate +from gadget device endpoint zero, +and transmit the request to IN endpoint of eem interface. + +on dwc3 gadget, it will trigger following warning in function +__dwc3_gadget_ep_queue(), + + if (WARN(req->dep != dep, "request %pK belongs to '%s'\n", + &req->request, req->dep->name)) + return -EINVAL; + +fix it by allocating a usb request from IN endpoint of eem interface, +and transmit the usb request to same IN endpoint of eem interface. + +Signed-off-by: Linyu Yuan +Cc: stable +Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_eem.c | 43 ++++++++++++++++++++++++++++++++---- + 1 file changed, 39 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -30,6 +30,11 @@ struct f_eem { + u8 ctrl_id; + }; + ++struct in_context { ++ struct sk_buff *skb; ++ struct usb_ep *ep; ++}; ++ + static inline struct f_eem *func_to_eem(struct usb_function *f) + { + return container_of(f, struct f_eem, port.func); +@@ -322,9 +327,12 @@ fail: + + static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req) + { +- struct sk_buff *skb = (struct sk_buff *)req->context; ++ struct in_context *ctx = req->context; + +- dev_kfree_skb_any(skb); ++ dev_kfree_skb_any(ctx->skb); ++ kfree(req->buf); ++ usb_ep_free_request(ctx->ep, req); ++ kfree(ctx); + } + + /* +@@ -412,7 +420,9 @@ static int eem_unwrap(struct gether *por + * b15: bmType (0 == data, 1 == command) + */ + if (header & BIT(15)) { +- struct usb_request *req = cdev->req; ++ struct usb_request *req; ++ struct in_context *ctx; ++ struct usb_ep *ep; + u16 bmEEMCmd; + + /* EEM command packet format: +@@ -441,11 +451,36 @@ static int eem_unwrap(struct gether *por + skb_trim(skb2, len); + put_unaligned_le16(BIT(15) | BIT(11) | len, + skb_push(skb2, 2)); ++ ++ ep = port->in_ep; ++ req = usb_ep_alloc_request(ep, GFP_ATOMIC); ++ if (!req) { ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ++ req->buf = kmalloc(skb2->len, GFP_KERNEL); ++ if (!req->buf) { ++ usb_ep_free_request(ep, req); ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ++ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); ++ if (!ctx) { ++ kfree(req->buf); ++ usb_ep_free_request(ep, req); ++ dev_kfree_skb_any(skb2); ++ goto next; ++ } ++ ctx->skb = skb2; ++ ctx->ep = ep; ++ + skb_copy_bits(skb2, 0, req->buf, skb2->len); + req->length = skb2->len; + req->complete = eem_cmd_complete; + req->zero = 1; +- req->context = skb2; ++ req->context = ctx; + if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC)) + DBG(cdev, "echo response queue fail\n"); + break; diff --git a/queue-5.4/usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch b/queue-5.4/usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch new file mode 100644 index 00000000000..7cfd12478b4 --- /dev/null +++ b/queue-5.4/usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch @@ -0,0 +1,37 @@ +From 03026197bb657d784220b040c6173267a0375741 Mon Sep 17 00:00:00 2001 +From: Jing Xiangfeng +Date: Thu, 17 Jun 2021 15:32:26 +0800 +Subject: usb: typec: Add the missed altmode_id_remove() in typec_register_altmode() + +From: Jing Xiangfeng + +commit 03026197bb657d784220b040c6173267a0375741 upstream. + +typec_register_altmode() misses to call altmode_id_remove() in an error +path. Add the missed function call to fix it. + +Fixes: 8a37d87d72f0 ("usb: typec: Bus type for alternate modes") +Cc: stable +Acked-by: Heikki Krogerus +Signed-off-by: Jing Xiangfeng +Link: https://lore.kernel.org/r/20210617073226.47599-1-jingxiangfeng@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/class.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/typec/class.c ++++ b/drivers/usb/typec/class.c +@@ -487,8 +487,10 @@ typec_register_altmode(struct device *pa + int ret; + + alt = kzalloc(sizeof(*alt), GFP_KERNEL); +- if (!alt) ++ if (!alt) { ++ altmode_id_remove(parent, id); + return ERR_PTR(-ENOMEM); ++ } + + alt->adev.svid = desc->svid; + alt->adev.mode = desc->mode; diff --git a/queue-5.4/xhci-solve-a-double-free-problem-while-doing-s4.patch b/queue-5.4/xhci-solve-a-double-free-problem-while-doing-s4.patch new file mode 100644 index 00000000000..550b7658776 --- /dev/null +++ b/queue-5.4/xhci-solve-a-double-free-problem-while-doing-s4.patch @@ -0,0 +1,70 @@ +From b31d9d6d7abbf6483b871b6370bc31c930d53f54 Mon Sep 17 00:00:00 2001 +From: "Zhangjiantao (Kirin, nanjing)" +Date: Thu, 17 Jun 2021 18:03:54 +0300 +Subject: xhci: solve a double free problem while doing s4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Zhangjiantao (Kirin, nanjing) + +commit b31d9d6d7abbf6483b871b6370bc31c930d53f54 upstream. + +when system is doing s4, the process of xhci_resume may be as below: +1、xhci_mem_cleanup +2、xhci_init->xhci_mem_init->xhci_mem_cleanup(when memory is not enough). +xhci_mem_cleanup will be executed twice when system is out of memory. +xhci->port_caps is freed in xhci_mem_cleanup,but it isn't set to NULL. +It will be freed twice when xhci_mem_cleanup is called the second time. + +We got following bug when system resumes from s4: + +kernel BUG at mm/slub.c:309! +Internal error: Oops - BUG: 0 [#1] PREEMPT SMP +CPU: 0 PID: 5929 Tainted: G S W 5.4.96-arm64-desktop #1 +pc : __slab_free+0x5c/0x424 +lr : kfree+0x30c/0x32c + +Call trace: + __slab_free+0x5c/0x424 + kfree+0x30c/0x32c + xhci_mem_cleanup+0x394/0x3cc + xhci_mem_init+0x9ac/0x1070 + xhci_init+0x8c/0x1d0 + xhci_resume+0x1cc/0x5fc + xhci_plat_resume+0x64/0x70 + platform_pm_thaw+0x28/0x60 + dpm_run_callback+0x54/0x24c + device_resume+0xd0/0x200 + async_resume+0x24/0x60 + async_run_entry_fn+0x44/0x110 + process_one_work+0x1f0/0x490 + worker_thread+0x5c/0x450 + kthread+0x158/0x160 + ret_from_fork+0x10/0x24 + +Original patch that caused this issue was backported to 4.4 stable, +so this should be backported to 4.4 stabe as well. + +Fixes: cf0ee7c60c89 ("xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Jiantao Zhang +Signed-off-by: Tao Xue +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20210617150354.1512157-5-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-mem.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -1929,6 +1929,7 @@ no_bw: + xhci->hw_ports = NULL; + xhci->rh_bw = NULL; + xhci->ext_caps = NULL; ++ xhci->port_caps = NULL; + + xhci->page_size = 0; + xhci->page_shift = 0;