From: Greg Kroah-Hartman Date: Thu, 13 Jan 2022 10:53:35 +0000 (+0100) Subject: 5.16-stable patches X-Git-Tag: v5.16.1~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2636cb566f409c3913b88669ccce8f98ecbdb92b;p=thirdparty%2Fkernel%2Fstable-queue.git 5.16-stable patches added patches: arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch bluetooth-bfusb-fix-division-by-zero-in-send-path.patch bluetooth-btintel-fix-broken-led-quirk-for-legacy-rom-devices.patch bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch bluetooth-btusb-add-one-more-bluetooth-part-for-wcn6855.patch bluetooth-btusb-add-support-for-foxconn-mt7922a.patch bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch bluetooth-btusb-add-the-new-support-ids-for-wcn6855.patch bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch bluetooth-btusb-enable-mediatek-to-support-aosp-extension.patch bluetooth-btusb-fix-application-of-sizeof-to-pointer.patch bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch mmc-sdhci-pci-add-pci-id-for-intel-adl.patch staging-r8188eu-switch-the-led-off-during-deinit.patch usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch --- diff --git a/queue-5.16/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch b/queue-5.16/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch new file mode 100644 index 00000000000..01a65a6b353 --- /dev/null +++ b/queue-5.16/arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch @@ -0,0 +1,34 @@ +From 9cb6de45a006a9799ec399bce60d64b6d4fcc4af Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sun, 31 Oct 2021 23:41:36 +0000 +Subject: ARM: dts: exynos: Fix BCM4330 Bluetooth reset polarity in I9100 + +From: Paul Cercueil + +commit 9cb6de45a006a9799ec399bce60d64b6d4fcc4af upstream. + +The reset GPIO was marked active-high, which is against what's specified +in the documentation. Mark the reset GPIO as active-low. With this +change, Bluetooth can now be used on the i9100. + +Fixes: 8620cc2f99b7 ("ARM: dts: exynos: Add devicetree file for the Galaxy S2") +Cc: stable@vger.kernel.org +Signed-off-by: Paul Cercueil +Link: https://lore.kernel.org/r/20211031234137.87070-1-paul@crapouillou.net +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/exynos4210-i9100.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/exynos4210-i9100.dts ++++ b/arch/arm/boot/dts/exynos4210-i9100.dts +@@ -828,7 +828,7 @@ + compatible = "brcm,bcm4330-bt"; + + shutdown-gpios = <&gpl0 4 GPIO_ACTIVE_HIGH>; +- reset-gpios = <&gpl1 0 GPIO_ACTIVE_HIGH>; ++ reset-gpios = <&gpl1 0 GPIO_ACTIVE_LOW>; + device-wakeup-gpios = <&gpx3 1 GPIO_ACTIVE_HIGH>; + host-wakeup-gpios = <&gpx2 6 GPIO_ACTIVE_HIGH>; + }; diff --git a/queue-5.16/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch b/queue-5.16/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch new file mode 100644 index 00000000000..b30ad2c8166 --- /dev/null +++ b/queue-5.16/ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch @@ -0,0 +1,76 @@ +From a658c929ded7ea3aee324c8c2a9635a5e5a38e7f Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Wed, 8 Dec 2021 10:43:59 +0200 +Subject: ath11k: Fix buffer overflow when scanning with extraie + +From: Sven Eckelmann + +commit a658c929ded7ea3aee324c8c2a9635a5e5a38e7f upstream. + +If cfg80211 is providing extraie's for a scanning process then ath11k will +copy that over to the firmware. The extraie.len is a 32 bit value in struct +element_info and describes the amount of bytes for the vendor information +elements. + +The WMI_TLV packet is having a special WMI_TAG_ARRAY_BYTE section. This +section can have a (payload) length up to 65535 bytes because the +WMI_TLV_LEN can store up to 16 bits. The code was missing such a check and +could have created a scan request which cannot be parsed correctly by the +firmware. + +But the bigger problem was the allocation of the buffer. It has to align +the TLV sections by 4 bytes. But the code was using an u8 to store the +newly calculated length of this section (with alignment). And the new +calculated length was then used to allocate the skbuff. But the actual code +to copy in the data is using the extraie.len and not the calculated +"aligned" length. + +The length of extraie with IEEE80211_HW_SINGLE_SCAN_ON_ALL_BANDS enabled +was 264 bytes during tests with a QCA Milan card. But it only allocated 8 +bytes (264 bytes % 256) for it. As consequence, the code to memcpy the +extraie into the skb was then just overwriting data after skb->end. Things +like shinfo were therefore corrupted. This could usually be seen by a crash +in skb_zcopy_clear which tried to call a ubuf_info callback (using a bogus +address). + +Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-02892.1-QCAHSPSWPL_V1_V2_SILICONZ_LITE-1 + +Cc: stable@vger.kernel.org +Fixes: d5c65159f289 ("ath11k: driver for Qualcomm IEEE 802.11ax devices") +Signed-off-by: Sven Eckelmann +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211207142913.1734635-1-sven@narfation.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/wireless/ath/ath11k/wmi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath11k/wmi.c ++++ b/drivers/net/wireless/ath/ath11k/wmi.c +@@ -2069,7 +2069,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + void *ptr; + int i, ret, len; + u32 *tmp_ptr; +- u8 extraie_len_with_pad = 0; ++ u16 extraie_len_with_pad = 0; + struct hint_short_ssid *s_ssid = NULL; + struct hint_bssid *hint_bssid = NULL; + +@@ -2088,7 +2088,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + len += sizeof(*bssid) * params->num_bssid; + + len += TLV_HDR_SIZE; +- if (params->extraie.len) ++ if (params->extraie.len && params->extraie.len <= 0xFFFF) + extraie_len_with_pad = + roundup(params->extraie.len, sizeof(u32)); + len += extraie_len_with_pad; +@@ -2195,7 +2195,7 @@ int ath11k_wmi_send_scan_start_cmd(struc + FIELD_PREP(WMI_TLV_LEN, len); + ptr += TLV_HDR_SIZE; + +- if (params->extraie.len) ++ if (extraie_len_with_pad) + memcpy(ptr, params->extraie.ptr, + params->extraie.len); + diff --git a/queue-5.16/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch b/queue-5.16/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch new file mode 100644 index 00000000000..84d137848e7 --- /dev/null +++ b/queue-5.16/bluetooth-bfusb-fix-division-by-zero-in-send-path.patch @@ -0,0 +1,38 @@ +From b5e6fa7a12572c82f1e7f2f51fbb02a322291291 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:39:44 +0200 +Subject: Bluetooth: bfusb: fix division by zero in send path + +From: Johan Hovold + +commit b5e6fa7a12572c82f1e7f2f51fbb02a322291291 upstream. + +Add the missing bulk-out endpoint sanity check to probe() to avoid +division by zero in bfusb_send_frame() in case a malicious device has +broken descriptors (or when doing descriptor fuzz testing). + +Note that USB core will reject URBs submitted for endpoints with zero +wMaxPacketSize but that drivers doing packet-size calculations still +need to handle this (cf. commit 2548288b4fb0 ("USB: Fix: Don't skip +endpoint descriptors with maxpacket=0")). + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/bfusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/bfusb.c ++++ b/drivers/bluetooth/bfusb.c +@@ -628,6 +628,9 @@ static int bfusb_probe(struct usb_interf + data->bulk_out_ep = bulk_out_ep->desc.bEndpointAddress; + data->bulk_pkt_size = le16_to_cpu(bulk_out_ep->desc.wMaxPacketSize); + ++ if (!data->bulk_pkt_size) ++ goto done; ++ + rwlock_init(&data->lock); + + data->reassembly = NULL; diff --git a/queue-5.16/bluetooth-btintel-fix-broken-led-quirk-for-legacy-rom-devices.patch b/queue-5.16/bluetooth-btintel-fix-broken-led-quirk-for-legacy-rom-devices.patch new file mode 100644 index 00000000000..3d919376eaf --- /dev/null +++ b/queue-5.16/bluetooth-btintel-fix-broken-led-quirk-for-legacy-rom-devices.patch @@ -0,0 +1,127 @@ +From 95655456e7cee858a23793f67025765b4c4c227b Mon Sep 17 00:00:00 2001 +From: Tedd Ho-Jeong An +Date: Thu, 6 Jan 2022 16:34:54 -0800 +Subject: Bluetooth: btintel: Fix broken LED quirk for legacy ROM devices + +From: Tedd Ho-Jeong An + +commit 95655456e7cee858a23793f67025765b4c4c227b upstream. + +This patch fixes the broken LED quirk for Intel legacy ROM devices. +To fix the LED issue that doesn't turn off immediately, the host sends +the SW RFKILL command while shutting down the interface and it puts the +devices in SW RFKILL state. + +Once the device is in SW RFKILL state, it can only accept HCI_Reset to +exit from the SW RFKILL state. This patch checks the quirk for broken +LED and sends the HCI_Reset before sending the HCI_Intel_Read_Version +command. + +The affected legacy ROM devices are + - 8087:07dc + - 8087:0a2a + - 8087:0aa7 + +Fixes: ffcba827c0a1d ("Bluetooth: btintel: Fix the LED is not turning off immediately") +Signed-off-by: Tedd Ho-Jeong An +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btintel.c | 20 +++++++++++--------- + drivers/bluetooth/btintel.h | 2 +- + drivers/bluetooth/btusb.c | 13 ++++++++++--- + 3 files changed, 22 insertions(+), 13 deletions(-) + +--- a/drivers/bluetooth/btintel.c ++++ b/drivers/bluetooth/btintel.c +@@ -2353,8 +2353,15 @@ static int btintel_setup_combined(struct + * As a workaround, send HCI Reset command first which will reset the + * number of completed commands and allow normal command processing + * from now on. ++ * ++ * Regarding the INTEL_BROKEN_SHUTDOWN_LED flag, these devices maybe ++ * in the SW_RFKILL ON state as a workaround of fixing LED issue during ++ * the shutdown() procedure, and once the device is in SW_RFKILL ON ++ * state, the only way to exit out of it is sending the HCI_Reset ++ * command. + */ +- if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD)) { ++ if (btintel_test_flag(hdev, INTEL_BROKEN_INITIAL_NCMD) || ++ btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { + skb = __hci_cmd_sync(hdev, HCI_OP_RESET, 0, NULL, + HCI_INIT_TIMEOUT); + if (IS_ERR(skb)) { +@@ -2426,12 +2433,6 @@ static int btintel_setup_combined(struct + set_bit(HCI_QUIRK_WIDEBAND_SPEECH_SUPPORTED, + &hdev->quirks); + +- /* These devices have an issue with LED which doesn't +- * go off immediately during shutdown. Set the flag +- * here to send the LED OFF command during shutdown. +- */ +- btintel_set_flag(hdev, INTEL_BROKEN_LED); +- + err = btintel_legacy_rom_setup(hdev, &ver); + break; + case 0x0b: /* SfP */ +@@ -2562,9 +2563,10 @@ static int btintel_shutdown_combined(str + + /* Some platforms have an issue with BT LED when the interface is + * down or BT radio is turned off, which takes 5 seconds to BT LED +- * goes off. This command turns off the BT LED immediately. ++ * goes off. As a workaround, sends HCI_Intel_SW_RFKILL to put the ++ * device in the RFKILL ON state which turns off the BT LED immediately. + */ +- if (btintel_test_flag(hdev, INTEL_BROKEN_LED)) { ++ if (btintel_test_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED)) { + skb = __hci_cmd_sync(hdev, 0xfc3f, 0, NULL, HCI_INIT_TIMEOUT); + if (IS_ERR(skb)) { + ret = PTR_ERR(skb); +--- a/drivers/bluetooth/btintel.h ++++ b/drivers/bluetooth/btintel.h +@@ -150,7 +150,7 @@ enum { + INTEL_FIRMWARE_FAILED, + INTEL_BOOTING, + INTEL_BROKEN_INITIAL_NCMD, +- INTEL_BROKEN_LED, ++ INTEL_BROKEN_SHUTDOWN_LED, + INTEL_ROM_LEGACY, + + __INTEL_NUM_FLAGS, +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -59,6 +59,7 @@ static struct usb_driver btusb_driver; + #define BTUSB_WIDEBAND_SPEECH 0x400000 + #define BTUSB_VALID_LE_STATES 0x800000 + #define BTUSB_QCA_WCN6855 0x1000000 ++#define BTUSB_INTEL_BROKEN_SHUTDOWN_LED 0x2000000 + #define BTUSB_INTEL_BROKEN_INITIAL_NCMD 0x4000000 + + static const struct usb_device_id btusb_table[] = { +@@ -380,10 +381,13 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x8087, 0x0033), .driver_info = BTUSB_INTEL_COMBINED }, + { USB_DEVICE(0x8087, 0x07da), .driver_info = BTUSB_CSR }, + { USB_DEVICE(0x8087, 0x07dc), .driver_info = BTUSB_INTEL_COMBINED | +- BTUSB_INTEL_BROKEN_INITIAL_NCMD }, +- { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL_COMBINED }, ++ BTUSB_INTEL_BROKEN_INITIAL_NCMD | ++ BTUSB_INTEL_BROKEN_SHUTDOWN_LED }, ++ { USB_DEVICE(0x8087, 0x0a2a), .driver_info = BTUSB_INTEL_COMBINED | ++ BTUSB_INTEL_BROKEN_SHUTDOWN_LED }, + { USB_DEVICE(0x8087, 0x0a2b), .driver_info = BTUSB_INTEL_COMBINED }, +- { USB_DEVICE(0x8087, 0x0aa7), .driver_info = BTUSB_INTEL_COMBINED }, ++ { USB_DEVICE(0x8087, 0x0aa7), .driver_info = BTUSB_INTEL_COMBINED | ++ BTUSB_INTEL_BROKEN_SHUTDOWN_LED }, + { USB_DEVICE(0x8087, 0x0aaa), .driver_info = BTUSB_INTEL_COMBINED }, + + /* Other Intel Bluetooth devices */ +@@ -3888,6 +3892,9 @@ static int btusb_probe(struct usb_interf + + if (id->driver_info & BTUSB_INTEL_BROKEN_INITIAL_NCMD) + btintel_set_flag(hdev, INTEL_BROKEN_INITIAL_NCMD); ++ ++ if (id->driver_info & BTUSB_INTEL_BROKEN_SHUTDOWN_LED) ++ btintel_set_flag(hdev, INTEL_BROKEN_SHUTDOWN_LED); + } + + if (id->driver_info & BTUSB_MARVELL) diff --git a/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch new file mode 100644 index 00000000000..293dde50b11 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch @@ -0,0 +1,63 @@ +From 27fe097bc60a344ccd8107522184c2750f45df5c Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 21 Nov 2021 10:51:48 -0600 +Subject: Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE + +From: Larry Finger + +commit 27fe097bc60a344ccd8107522184c2750f45df5c upstream. + +The Realtek RTL8852AE has both wifi and BT components. The latter reports +a USB ID of 0bda:385a, which is not in the table. + +The portion of /sys/kernel/debug/usb/devices pertaining to this device is + +T: Bus=01 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 3 Spd=12 MxCh= 0 +D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0bda ProdID=385a Rev= 0.00 +S: Manufacturer=Realtek +S: Product=Bluetooth Radio +S: SerialNumber=00e04c000001 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms + +Signed-off-by: Larry Finger +Cc: Stable +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -384,6 +384,8 @@ static const struct usb_device_id blackl + /* Realtek 8852AE Bluetooth devices */ + { USB_DEVICE(0x0bda, 0xc852), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, ++ { USB_DEVICE(0x0bda, 0x385a), .driver_info = BTUSB_REALTEK | ++ BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x0bda, 0x4852), .driver_info = BTUSB_REALTEK | + BTUSB_WIDEBAND_SPEECH }, + { USB_DEVICE(0x04c5, 0x165c), .driver_info = BTUSB_REALTEK | diff --git a/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-wcn6855.patch b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-wcn6855.patch new file mode 100644 index 00000000000..7b105da4a56 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-one-more-bluetooth-part-for-wcn6855.patch @@ -0,0 +1,64 @@ +From e8c42585dc6032624a9728d8cf99d974e931d4bc Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Fri, 3 Dec 2021 18:01:37 +0800 +Subject: Bluetooth: btusb: Add one more Bluetooth part for WCN6855 + +From: Zijun Hu + +commit e8c42585dc6032624a9728d8cf99d974e931d4bc upstream. + +Add a USB ID 0489:e0e3 of HP to usb_device_id table for WCN6855. + +-Device(0489:e0e3) from /sys/kernel/debug/usb/devices +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0e3 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Zijun Hu +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -301,6 +301,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0489, 0xe0d6), .driver_info = BTUSB_QCA_WCN6855 | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0e3), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Broadcom BCM2035 */ + { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, diff --git a/queue-5.16/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch b/queue-5.16/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch new file mode 100644 index 00000000000..4477761dbf6 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-support-for-foxconn-mt7922a.patch @@ -0,0 +1,80 @@ +From 6932627425d6d3849aecd43c02158a5312895ad4 Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 17 Dec 2021 17:51:50 +0800 +Subject: Bluetooth: btusb: Add support for Foxconn MT7922A + +From: Aaron Ma + +commit 6932627425d6d3849aecd43c02158a5312895ad4 upstream. + +Add 2 USB IDs for MT7922A chip. +These 2 devices got the same description. + +T: Bus=01 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d8 Rev= 1.00 + +T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=02 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d9 Rev= 1.00 +S: Manufacturer=MediaTek Inc. +S: Product=Wireless_Device +S: SerialNumber=000000000 +C:* #Ifs= 3 Cfg#= 1 Atr=e0 MxPwr=100mA +A: FirstIf#= 0 IfCount= 3 Cls=e0(wlcon) Sub=01 Prot=01 +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=125us +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) +E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 64 Ivl=125us +I: If#= 2 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=(none) +E: Ad=8a(I) Atr=03(Int.) MxPS= 512 Ivl=125us +E: Ad=0a(O) Atr=03(Int.) MxPS= 512 Ivl=125us + +Signed-off-by: Aaron Ma +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -440,6 +440,14 @@ static const struct usb_device_id blackl + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, + ++ /* MediaTek MT7922A Bluetooth devices */ ++ { USB_DEVICE(0x0489, 0xe0d8), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0d9), .driver_info = BTUSB_MEDIATEK | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ + /* Additional Realtek 8723AE Bluetooth devices */ + { USB_DEVICE(0x0930, 0x021d), .driver_info = BTUSB_REALTEK }, + { USB_DEVICE(0x13d3, 0x3394), .driver_info = BTUSB_REALTEK }, diff --git a/queue-5.16/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch b/queue-5.16/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch new file mode 100644 index 00000000000..794ef85d207 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch @@ -0,0 +1,63 @@ +From 1cd563ebd0dc062127a85e84f934f4c697bb43ef Mon Sep 17 00:00:00 2001 +From: Aaron Ma +Date: Fri, 7 Jan 2022 11:59:09 +0800 +Subject: Bluetooth: btusb: Add support for Foxconn QCA 0xe0d0 + +From: Aaron Ma + +commit 1cd563ebd0dc062127a85e84f934f4c697bb43ef upstream. + +Add an ID of Qualcomm Bluetooth SoC WCN6855. + +T: Bus=05 Lev=01 Prnt=01 Port=03 Cnt=02 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d0 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I:* If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Aaron Ma +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -311,6 +311,9 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x10ab, 0x9409), .driver_info = BTUSB_QCA_WCN6855 | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0d0), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Broadcom BCM2035 */ + { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, diff --git a/queue-5.16/bluetooth-btusb-add-the-new-support-ids-for-wcn6855.patch b/queue-5.16/bluetooth-btusb-add-the-new-support-ids-for-wcn6855.patch new file mode 100644 index 00000000000..149b9d3b020 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-the-new-support-ids-for-wcn6855.patch @@ -0,0 +1,101 @@ +From 21a241b3bc153b346987a28cc132674646589e02 Mon Sep 17 00:00:00 2001 +From: "tjiang@codeaurora.org" +Date: Tue, 16 Nov 2021 19:02:16 +0800 +Subject: Bluetooth: btusb: Add the new support IDs for WCN6855 + +From: tjiang@codeaurora.org + +commit 21a241b3bc153b346987a28cc132674646589e02 upstream. + +Add the more IDs of HP to usb_device_id table for WCN6855. + +-Device(0489:e0cc) from /sys/kernel/debug/usb/devices +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0cc Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +-Device(0489:e0d6) from /sys/kernel/debug/usb/devices +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=0489 ProdID=e0d6 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Tim Jiang +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -295,6 +295,12 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0cf3, 0xe600), .driver_info = BTUSB_QCA_WCN6855 | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0cc), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x0489, 0xe0d6), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Broadcom BCM2035 */ + { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, diff --git a/queue-5.16/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch b/queue-5.16/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch new file mode 100644 index 00000000000..e99ad60a03d --- /dev/null +++ b/queue-5.16/bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch @@ -0,0 +1,102 @@ +From d2666be51d5f09662929888dd84d1f4d38c97127 Mon Sep 17 00:00:00 2001 +From: Zijun Hu +Date: Thu, 9 Dec 2021 14:34:01 +0800 +Subject: Bluetooth: btusb: Add two more Bluetooth parts for WCN6855 + +From: Zijun Hu + +commit d2666be51d5f09662929888dd84d1f4d38c97127 upstream. + +Add USB IDs (0x10ab, 0x9309) and (0x10ab, 0x9409) to +usb_device_id table for WCN6855. + +* /sys/kernel/debug/usb/devices +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 10 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=10ab ProdID=9309 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 11 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=10ab ProdID=9409 Rev= 0.01 +C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms +I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms +I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms +I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms +I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms +I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms +I: If#= 1 Alt= 6 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 63 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 63 Ivl=1ms +I: If#= 1 Alt= 7 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +E: Ad=83(I) Atr=01(Isoc) MxPS= 65 Ivl=1ms +E: Ad=03(O) Atr=01(Isoc) MxPS= 65 Ivl=1ms + +Signed-off-by: Zijun Hu +Signed-off-by: Marcel Holtmann +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -304,6 +304,12 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x0489, 0xe0e3), .driver_info = BTUSB_QCA_WCN6855 | + BTUSB_WIDEBAND_SPEECH | + BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x10ab, 0x9309), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, ++ { USB_DEVICE(0x10ab, 0x9409), .driver_info = BTUSB_QCA_WCN6855 | ++ BTUSB_WIDEBAND_SPEECH | ++ BTUSB_VALID_LE_STATES }, + + /* Broadcom BCM2035 */ + { USB_DEVICE(0x0a5c, 0x2009), .driver_info = BTUSB_BCM92035 }, diff --git a/queue-5.16/bluetooth-btusb-enable-mediatek-to-support-aosp-extension.patch b/queue-5.16/bluetooth-btusb-enable-mediatek-to-support-aosp-extension.patch new file mode 100644 index 00000000000..a552c4f52af --- /dev/null +++ b/queue-5.16/bluetooth-btusb-enable-mediatek-to-support-aosp-extension.patch @@ -0,0 +1,28 @@ +From 28491d7ef4af471841e454f8c1f77384f93c6fef Mon Sep 17 00:00:00 2001 +From: "mark-yw.chen" +Date: Fri, 5 Nov 2021 02:26:05 +0800 +Subject: Bluetooth: btusb: enable Mediatek to support AOSP extension + +From: mark-yw.chen + +commit 28491d7ef4af471841e454f8c1f77384f93c6fef upstream. + +This patch enables AOSP extension for Mediatek Chip (MT7921 & MT7922). + +Signed-off-by: mark-yw.chen +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2884,6 +2884,7 @@ static int btusb_mtk_setup(struct hci_de + } + + hci_set_msft_opcode(hdev, 0xFD30); ++ hci_set_aosp_capable(hdev); + goto done; + default: + bt_dev_err(hdev, "Unsupported hardware variant (%08x)", diff --git a/queue-5.16/bluetooth-btusb-fix-application-of-sizeof-to-pointer.patch b/queue-5.16/bluetooth-btusb-fix-application-of-sizeof-to-pointer.patch new file mode 100644 index 00000000000..15d418a515d --- /dev/null +++ b/queue-5.16/bluetooth-btusb-fix-application-of-sizeof-to-pointer.patch @@ -0,0 +1,34 @@ +From dc1650fc94a8566fb89f3fd14a26d1cec7865f16 Mon Sep 17 00:00:00 2001 +From: David Yang +Date: Wed, 13 Oct 2021 08:56:33 +0800 +Subject: Bluetooth: btusb: Fix application of sizeof to pointer + +From: David Yang + +commit dc1650fc94a8566fb89f3fd14a26d1cec7865f16 upstream. + +The coccinelle check report: +"./drivers/bluetooth/btusb.c:2239:36-42: +ERROR: application of sizeof to pointer". +Using the real size to fix it. + +Fixes: 5a87679ffd443 ("Bluetooth: btusb: Support public address configuration for MediaTek Chip.") +Reported-by: Zeal Robot +Signed-off-by: David Yang +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2238,7 +2238,7 @@ static int btusb_set_bdaddr_mtk(struct h + struct sk_buff *skb; + long ret; + +- skb = __hci_cmd_sync(hdev, 0xfc1a, sizeof(bdaddr), bdaddr, HCI_INIT_TIMEOUT); ++ skb = __hci_cmd_sync(hdev, 0xfc1a, 6, bdaddr, HCI_INIT_TIMEOUT); + if (IS_ERR(skb)) { + ret = PTR_ERR(skb); + bt_dev_err(hdev, "changing Mediatek device address failed (%ld)", diff --git a/queue-5.16/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch b/queue-5.16/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch new file mode 100644 index 00000000000..db409715812 --- /dev/null +++ b/queue-5.16/bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch @@ -0,0 +1,77 @@ +From 60c6a63a3d3080a62f3e0e20084f58dbeff16748 Mon Sep 17 00:00:00 2001 +From: "Mark-YW.Chen" +Date: Thu, 14 Oct 2021 00:22:04 +0800 +Subject: Bluetooth: btusb: fix memory leak in btusb_mtk_submit_wmt_recv_urb() + +From: Mark-YW.Chen + +commit 60c6a63a3d3080a62f3e0e20084f58dbeff16748 upstream. + +Driver should free `usb->setup_packet` to avoid the leak. + +$ cat /sys/kernel/debug/kmemleak +unreferenced object 0xffffffa564a58080 (size 128): + backtrace: + [<000000007eb8dd70>] kmem_cache_alloc_trace+0x22c/0x384 + [<000000008a44191d>] btusb_mtk_hci_wmt_sync+0x1ec/0x994 + [btusb] + [<00000000ca7189a3>] btusb_mtk_setup+0x6b8/0x13cc + [btusb] + [<00000000c6105069>] hci_dev_do_open+0x290/0x974 + [bluetooth] + [<00000000a583f8b8>] hci_power_on+0xdc/0x3cc [bluetooth] + [<000000005d80e687>] process_one_work+0x514/0xc80 + [<00000000f4d57637>] worker_thread+0x818/0xd0c + [<00000000dc7bdb55>] kthread+0x2f8/0x3b8 + [<00000000f9999513>] ret_from_fork+0x10/0x30 + +Fixes: a1c49c434e150 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Signed-off-by: Mark-YW.Chen +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman +--- + drivers/bluetooth/btusb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2267,6 +2267,7 @@ static void btusb_mtk_wmt_recv(struct ur + skb = bt_skb_alloc(HCI_WMT_MAX_EVENT_SIZE, GFP_ATOMIC); + if (!skb) { + hdev->stat.err_rx++; ++ kfree(urb->setup_packet); + return; + } + +@@ -2287,6 +2288,7 @@ static void btusb_mtk_wmt_recv(struct ur + data->evt_skb = skb_clone(skb, GFP_ATOMIC); + if (!data->evt_skb) { + kfree_skb(skb); ++ kfree(urb->setup_packet); + return; + } + } +@@ -2295,6 +2297,7 @@ static void btusb_mtk_wmt_recv(struct ur + if (err < 0) { + kfree_skb(data->evt_skb); + data->evt_skb = NULL; ++ kfree(urb->setup_packet); + return; + } + +@@ -2305,6 +2308,7 @@ static void btusb_mtk_wmt_recv(struct ur + wake_up_bit(&data->flags, + BTUSB_TX_WAIT_VND_EVT); + } ++ kfree(urb->setup_packet); + return; + } else if (urb->status == -ENOENT) { + /* Avoid suspend failed when usb_kill_urb */ +@@ -2325,6 +2329,7 @@ static void btusb_mtk_wmt_recv(struct ur + usb_anchor_urb(urb, &data->ctrl_anchor); + err = usb_submit_urb(urb, GFP_ATOMIC); + if (err < 0) { ++ kfree(urb->setup_packet); + /* -EPERM: urb is being killed; + * -ENODEV: device got disconnected + */ diff --git a/queue-5.16/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch b/queue-5.16/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch new file mode 100644 index 00000000000..0838ce66405 --- /dev/null +++ b/queue-5.16/bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch @@ -0,0 +1,102 @@ +From 51cf0a9e6f1c842efa768d3079b16a80cbf871c3 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Tue, 4 Jan 2022 14:16:03 +0000 +Subject: bpf: Fix out of bounds access from invalid *_or_null type verification + +From: Daniel Borkmann + +[ no upstream commit given implicitly fixed through the larger refactoring + in c25b2ae136039ffa820c26138ed4a5e5f3ab3841 ] + +While auditing some other code, I noticed missing checks inside the pointer +arithmetic simulation, more specifically, adjust_ptr_min_max_vals(). Several +*_OR_NULL types are not rejected whereas they are _required_ to be rejected +given the expectation is that they get promoted into a 'real' pointer type +for the success case, that is, after an explicit != NULL check. + +One case which stands out and is accessible from unprivileged (iff enabled +given disabled by default) is BPF ring buffer. From crafting a PoC, the NULL +check can be bypassed through an offset, and its id marking will then lead +to promotion of mem_or_null to a mem type. + +bpf_ringbuf_reserve() helper can trigger this case through passing of reserved +flags, for example. + + func#0 @0 + 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 + 0: (7a) *(u64 *)(r10 -8) = 0 + 1: R1=ctx(id=0,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm + 1: (18) r1 = 0x0 + 3: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm + 3: (b7) r2 = 8 + 4: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R2_w=invP8 R10=fp0 fp-8_w=mmmmmmmm + 4: (b7) r3 = 0 + 5: R1_w=map_ptr(id=0,off=0,ks=0,vs=0,imm=0) R2_w=invP8 R3_w=invP0 R10=fp0 fp-8_w=mmmmmmmm + 5: (85) call bpf_ringbuf_reserve#131 + 6: R0_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 6: (bf) r6 = r0 + 7: R0_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R6_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 7: (07) r0 += 1 + 8: R0_w=mem_or_null(id=2,ref_obj_id=2,off=1,imm=0) R6_w=mem_or_null(id=2,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 8: (15) if r0 == 0x0 goto pc+4 + R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 9: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 9: (62) *(u32 *)(r6 +0) = 0 + R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 10: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 10: (bf) r1 = r6 + 11: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R1_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 11: (b7) r2 = 0 + 12: R0_w=mem(id=0,ref_obj_id=0,off=0,imm=0) R1_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R2_w=invP0 R6_w=mem(id=0,ref_obj_id=2,off=0,imm=0) R10=fp0 fp-8_w=mmmmmmmm refs=2 + 12: (85) call bpf_ringbuf_submit#132 + 13: R6=invP(id=0) R10=fp0 fp-8=mmmmmmmm + 13: (b7) r0 = 0 + 14: R0_w=invP0 R6=invP(id=0) R10=fp0 fp-8=mmmmmmmm + 14: (95) exit + + from 8 to 13: safe + processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 0 + OK + +All three commits, that is b121b341e598 ("bpf: Add PTR_TO_BTF_ID_OR_NULL support"), +457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it"), and the +afbf21dce668 ("bpf: Support readonly/readwrite buffers in verifier") suffer the same +cause and their *_OR_NULL type pendants must be rejected in adjust_ptr_min_max_vals(). + +Make the test more robust by reusing reg_type_may_be_null() helper such that we catch +all *_OR_NULL types we have today and in future. + +Note that pointer arithmetic on PTR_TO_BTF_ID, PTR_TO_RDONLY_BUF, and PTR_TO_RDWR_BUF +is generally allowed. + +Fixes: b121b341e598 ("bpf: Add PTR_TO_BTF_ID_OR_NULL support") +Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") +Fixes: afbf21dce668 ("bpf: Support readonly/readwrite buffers in verifier") +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -7229,16 +7229,16 @@ static int adjust_ptr_min_max_vals(struc + fallthrough; + case PTR_TO_PACKET_END: + case PTR_TO_SOCKET: +- case PTR_TO_SOCKET_OR_NULL: + case PTR_TO_SOCK_COMMON: +- case PTR_TO_SOCK_COMMON_OR_NULL: + case PTR_TO_TCP_SOCK: +- case PTR_TO_TCP_SOCK_OR_NULL: + case PTR_TO_XDP_SOCK: ++reject: + verbose(env, "R%d pointer arithmetic on %s prohibited\n", + dst, reg_type_str[ptr_reg->type]); + return -EACCES; + default: ++ if (reg_type_may_be_null(ptr_reg->type)) ++ goto reject; + break; + } + diff --git a/queue-5.16/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch b/queue-5.16/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch new file mode 100644 index 00000000000..3e1fecf24b5 --- /dev/null +++ b/queue-5.16/mmc-sdhci-pci-add-pci-id-for-intel-adl.patch @@ -0,0 +1,41 @@ +From e53e97f805cb1abeea000a61549d42f92cb10804 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Wed, 24 Nov 2021 11:48:50 +0200 +Subject: mmc: sdhci-pci: Add PCI ID for Intel ADL + +From: Adrian Hunter + +commit e53e97f805cb1abeea000a61549d42f92cb10804 upstream. + +Add PCI ID for Intel ADL eMMC host controller. + +Signed-off-by: Adrian Hunter +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20211124094850.1783220-1-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/sdhci-pci-core.c | 1 + + drivers/mmc/host/sdhci-pci.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/mmc/host/sdhci-pci-core.c ++++ b/drivers/mmc/host/sdhci-pci-core.c +@@ -1866,6 +1866,7 @@ static const struct pci_device_id pci_id + SDHCI_PCI_DEVICE(INTEL, JSL_SD, intel_byt_sd), + SDHCI_PCI_DEVICE(INTEL, LKF_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(INTEL, LKF_SD, intel_byt_sd), ++ SDHCI_PCI_DEVICE(INTEL, ADL_EMMC, intel_glk_emmc), + SDHCI_PCI_DEVICE(O2, 8120, o2), + SDHCI_PCI_DEVICE(O2, 8220, o2), + SDHCI_PCI_DEVICE(O2, 8221, o2), +--- a/drivers/mmc/host/sdhci-pci.h ++++ b/drivers/mmc/host/sdhci-pci.h +@@ -59,6 +59,7 @@ + #define PCI_DEVICE_ID_INTEL_JSL_SD 0x4df8 + #define PCI_DEVICE_ID_INTEL_LKF_EMMC 0x98c4 + #define PCI_DEVICE_ID_INTEL_LKF_SD 0x98f8 ++#define PCI_DEVICE_ID_INTEL_ADL_EMMC 0x54c4 + + #define PCI_DEVICE_ID_SYSKONNECT_8000 0x8000 + #define PCI_DEVICE_ID_VIA_95D0 0x95d0 diff --git a/queue-5.16/series b/queue-5.16/series index a6e21c97abb..2bb06510a39 100644 --- a/queue-5.16/series +++ b/queue-5.16/series @@ -1,2 +1,20 @@ workqueue-fix-unbind_workers-vs-wq_worker_running-race.patch workqueue-fix-unbind_workers-vs-wq_worker_sleeping-race.patch +staging-r8188eu-switch-the-led-off-during-deinit.patch +bpf-fix-out-of-bounds-access-from-invalid-_or_null-type-verification.patch +bluetooth-btusb-add-one-more-bluetooth-part-for-the-realtek-rtl8852ae.patch +bluetooth-btusb-fix-application-of-sizeof-to-pointer.patch +bluetooth-btusb-fix-memory-leak-in-btusb_mtk_submit_wmt_recv_urb.patch +bluetooth-btusb-enable-mediatek-to-support-aosp-extension.patch +bluetooth-btusb-add-the-new-support-ids-for-wcn6855.patch +bluetooth-btusb-add-one-more-bluetooth-part-for-wcn6855.patch +bluetooth-btusb-add-two-more-bluetooth-parts-for-wcn6855.patch +bluetooth-btusb-add-support-for-foxconn-mt7922a.patch +bluetooth-btintel-fix-broken-led-quirk-for-legacy-rom-devices.patch +bluetooth-btusb-add-support-for-foxconn-qca-0xe0d0.patch +bluetooth-bfusb-fix-division-by-zero-in-send-path.patch +arm-dts-exynos-fix-bcm4330-bluetooth-reset-polarity-in-i9100.patch +usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch +usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch +ath11k-fix-buffer-overflow-when-scanning-with-extraie.patch +mmc-sdhci-pci-add-pci-id-for-intel-adl.patch diff --git a/queue-5.16/staging-r8188eu-switch-the-led-off-during-deinit.patch b/queue-5.16/staging-r8188eu-switch-the-led-off-during-deinit.patch new file mode 100644 index 00000000000..a8f83cebb4a --- /dev/null +++ b/queue-5.16/staging-r8188eu-switch-the-led-off-during-deinit.patch @@ -0,0 +1,35 @@ +From 9d36de31130542fc060f7cd17e72db670202c682 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Sun, 26 Dec 2021 20:55:36 +0100 +Subject: staging: r8188eu: switch the led off during deinit + +From: Martin Kaiser + +commit 9d36de31130542fc060f7cd17e72db670202c682 upstream. + +When the driver is unloaded or when the system goes into standby mode, +DeInitLed871x is called to stop the led layer. In this case, we stop +the blinking worker but we do not switch the led off explicitly. On my +system, I can go into standby mode with the LED enabled. + +Add a call to SwLedOff to fix this. + +Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") +Cc: stable@vger.kernel.org +Signed-off-by: Martin Kaiser +Link: https://lore.kernel.org/r/20211226195556.159471-2-martin@kaiser.cx +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/r8188eu/core/rtw_led.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/r8188eu/core/rtw_led.c ++++ b/drivers/staging/r8188eu/core/rtw_led.c +@@ -54,6 +54,7 @@ void DeInitLed871x(struct LED_871x *pLed + _cancel_workitem_sync(&pLed->BlinkWorkItem); + _cancel_timer_ex(&pLed->BlinkTimer); + ResetLedStatus(pLed); ++ SwLedOff(pLed->padapter, pLed); + } + + static void SwLedBlink1(struct LED_871x *pLed) diff --git a/queue-5.16/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch b/queue-5.16/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch new file mode 100644 index 00000000000..6097304b6d7 --- /dev/null +++ b/queue-5.16/usb-core-fix-bug-in-resuming-hub-s-handling-of-wakeup-requests.patch @@ -0,0 +1,69 @@ +From 0f663729bb4afc92a9986b66131ebd5b8a9254d1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Sat, 1 Jan 2022 14:52:14 -0500 +Subject: USB: core: Fix bug in resuming hub's handling of wakeup requests + +From: Alan Stern + +commit 0f663729bb4afc92a9986b66131ebd5b8a9254d1 upstream. + +Bugzilla #213839 reports a 7-port hub that doesn't work properly when +devices are plugged into some of the ports; the kernel goes into an +unending disconnect/reinitialize loop as shown in the bug report. + +This "7-port hub" comprises two four-port hubs with one plugged into +the other; the failures occur when a device is plugged into one of the +downstream hub's ports. (These hubs have other problems too. For +example, they bill themselves as USB-2.0 compliant but they only run +at full speed.) + +It turns out that the failures are caused by bugs in both the kernel +and the hub. The hub's bug is that it reports a different +bmAttributes value in its configuration descriptor following a remote +wakeup (0xe0 before, 0xc0 after -- the wakeup-support bit has +changed). + +The kernel's bug is inside the hub driver's resume handler. When +hub_activate() sees that one of the hub's downstream ports got a +wakeup request from a child device, it notes this fact by setting the +corresponding bit in the hub->change_bits variable. But this variable +is meant for connection changes, not wakeup events; setting it causes +the driver to believe the downstream port has been disconnected and +then connected again (in addition to having received a wakeup +request). + +Because of this, the hub driver then tries to check whether the device +currently plugged into the downstream port is the same as the device +that had been attached there before. Normally this check succeeds and +wakeup handling continues with no harm done (which is why the bug +remained undetected until now). But with these dodgy hubs, the check +fails because the config descriptor has changed. This causes the hub +driver to reinitialize the child device, leading to the +disconnect/reinitialize loop described in the bug report. + +The proper way to note reception of a downstream wakeup request is +to set a bit in the hub->event_bits variable instead of +hub->change_bits. That way the hub driver will realize that something +has happened to the port but will not think the port and child device +have been disconnected. This patch makes that change. + +Cc: +Tested-by: Jonathan McDowell +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/YdCw7nSfWYPKWQoD@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -1225,7 +1225,7 @@ static void hub_activate(struct usb_hub + */ + if (portchange || (hub_is_superspeed(hub->hdev) && + port_resumed)) +- set_bit(port1, hub->change_bits); ++ set_bit(port1, hub->event_bits); + + } else if (udev->persist_enabled) { + #ifdef CONFIG_PM diff --git a/queue-5.16/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch b/queue-5.16/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch new file mode 100644 index 00000000000..1a9a38e7b50 --- /dev/null +++ b/queue-5.16/usb-fix-slab-out-of-bounds-write-bug-in-usb_hcd_poll_rh_status.patch @@ -0,0 +1,65 @@ +From 1d7d4c07932e04355d6e6528d44a2f2c9e354346 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 31 Dec 2021 21:07:12 -0500 +Subject: USB: Fix "slab-out-of-bounds Write" bug in usb_hcd_poll_rh_status + +From: Alan Stern + +commit 1d7d4c07932e04355d6e6528d44a2f2c9e354346 upstream. + +When the USB core code for getting root-hub status reports was +originally written, it was assumed that the hub driver would be its +only caller. But this isn't true now; user programs can use usbfs to +communicate with root hubs and get status reports. When they do this, +they may use a transfer_buffer that is smaller than the data returned +by the HCD, which will lead to a buffer overflow error when +usb_hcd_poll_rh_status() tries to store the status data. This was +discovered by syzbot: + +BUG: KASAN: slab-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline] +BUG: KASAN: slab-out-of-bounds in usb_hcd_poll_rh_status+0x5f4/0x780 drivers/usb/core/hcd.c:776 +Write of size 2 at addr ffff88801da403c0 by task syz-executor133/4062 + +This patch fixes the bug by reducing the amount of status data if it +won't fit in the transfer_buffer. If some data gets discarded then +the URB's completion status is set to -EOVERFLOW rather than 0, to let +the user know what happened. + +Reported-and-tested-by: syzbot+3ae6a2b06f131ab9849f@syzkaller.appspotmail.com +Signed-off-by: Alan Stern +Cc: +Link: https://lore.kernel.org/r/Yc+3UIQJ2STbxNua@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/core/hcd.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -753,6 +753,7 @@ void usb_hcd_poll_rh_status(struct usb_h + { + struct urb *urb; + int length; ++ int status; + unsigned long flags; + char buffer[6]; /* Any root hubs with > 31 ports? */ + +@@ -770,11 +771,17 @@ void usb_hcd_poll_rh_status(struct usb_h + if (urb) { + clear_bit(HCD_FLAG_POLL_PENDING, &hcd->flags); + hcd->status_urb = NULL; ++ if (urb->transfer_buffer_length >= length) { ++ status = 0; ++ } else { ++ status = -EOVERFLOW; ++ length = urb->transfer_buffer_length; ++ } + urb->actual_length = length; + memcpy(urb->transfer_buffer, buffer, length); + + usb_hcd_unlink_urb_from_ep(hcd, urb); +- usb_hcd_giveback_urb(hcd, urb, 0); ++ usb_hcd_giveback_urb(hcd, urb, status); + } else { + length = 0; + set_bit(HCD_FLAG_POLL_PENDING, &hcd->flags);