From: Greg Kroah-Hartman Date: Thu, 30 Jan 2020 09:39:22 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.5.1~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=707f7f2e76500d3e052accb69f870178aa0e70a9;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: ath9k-fix-storage-endpoint-lookup.patch binder-fix-log-spam-for-existing-debugfs-file-creation.patch bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch brcmfmac-fix-interface-sanity-check.patch cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch cifs-fix-task-struct-use-after-free-on-reconnect.patch cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch component-do-not-dereference-opaque-pointer-in-debugfs.patch crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch debugfs-return-eperm-when-locked-down.patch driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch iio-adc-stm32-dfsdm-fix-single-conversion.patch iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch mei-hdcp-bind-only-with-i915-on-the-same-pch.patch mei-me-add-comet-point-lake-h-device-ids.patch orinoco_usb-fix-interface-sanity-check.patch rsi_91x_usb-fix-interface-sanity-check.patch rtl8xxxu-fix-interface-sanity-check.patch serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch serial-imx-fix-a-race-condition-in-receive-path.patch staging-most-net-fix-buffer-overflow.patch staging-vt6656-correct-packet-types-for-cts-protect-mode.patch staging-vt6656-fix-false-tx-excessive-retries-reporting.patch staging-vt6656-use-nullfuction-stack-on-mac80211.patch staging-wlan-ng-ensure-error-return-is-actually-returned.patch usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch usb-serial-ir-usb-fix-irlap-framing.patch usb-serial-ir-usb-fix-link-speed-handling.patch usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch zd1211rw-fix-storage-endpoint-lookup.patch --- diff --git a/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch b/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch new file mode 100644 index 00000000000..908a3cd5b0a --- /dev/null +++ b/queue-5.4/ath9k-fix-storage-endpoint-lookup.patch @@ -0,0 +1,37 @@ +From 0ef332951e856efa89507cdd13ba8f4fb8d4db12 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:20 +0100 +Subject: ath9k: fix storage endpoint lookup + +From: Johan Hovold + +commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream. + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Cc: stable # 2.6.39 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1216,7 +1216,7 @@ err_fw: + static int send_eject_command(struct usb_interface *interface) + { + struct usb_device *udev = interface_to_usbdev(interface); +- struct usb_host_interface *iface_desc = &interface->altsetting[0]; ++ struct usb_host_interface *iface_desc = interface->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep; diff --git a/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch b/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch new file mode 100644 index 00000000000..ae867b5136a --- /dev/null +++ b/queue-5.4/binder-fix-log-spam-for-existing-debugfs-file-creation.patch @@ -0,0 +1,116 @@ +From eb143f8756e77c8fcfc4d574922ae9efd3a43ca9 Mon Sep 17 00:00:00 2001 +From: Martin Fuzzey +Date: Fri, 10 Jan 2020 16:44:01 +0100 +Subject: binder: fix log spam for existing debugfs file creation. + +From: Martin Fuzzey + +commit eb143f8756e77c8fcfc4d574922ae9efd3a43ca9 upstream. + +Since commit 43e23b6c0b01 ("debugfs: log errors when something goes wrong") +debugfs logs attempts to create existing files. + +However binder attempts to create multiple debugfs files with +the same name when a single PID has multiple contexts, this leads +to log spamming during an Android boot (17 such messages during +boot on my system). + +Fix this by checking if we already know the PID and only create +the debugfs entry for the first context per PID. + +Do the same thing for binderfs for symmetry. + +Signed-off-by: Martin Fuzzey +Acked-by: Todd Kjos +Fixes: 43e23b6c0b01 ("debugfs: log errors when something goes wrong") +Cc: stable +Link: https://lore.kernel.org/r/1578671054-5982-1-git-send-email-martin.fuzzey@flowbird.group +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 37 +++++++++++++++++++------------------ + 1 file changed, 19 insertions(+), 18 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -5203,10 +5203,11 @@ err_bad_arg: + + static int binder_open(struct inode *nodp, struct file *filp) + { +- struct binder_proc *proc; ++ struct binder_proc *proc, *itr; + struct binder_device *binder_dev; + struct binderfs_info *info; + struct dentry *binder_binderfs_dir_entry_proc = NULL; ++ bool existing_pid = false; + + binder_debug(BINDER_DEBUG_OPEN_CLOSE, "%s: %d:%d\n", __func__, + current->group_leader->pid, current->pid); +@@ -5239,19 +5240,24 @@ static int binder_open(struct inode *nod + filp->private_data = proc; + + mutex_lock(&binder_procs_lock); ++ hlist_for_each_entry(itr, &binder_procs, proc_node) { ++ if (itr->pid == proc->pid) { ++ existing_pid = true; ++ break; ++ } ++ } + hlist_add_head(&proc->proc_node, &binder_procs); + mutex_unlock(&binder_procs_lock); + +- if (binder_debugfs_dir_entry_proc) { ++ if (binder_debugfs_dir_entry_proc && !existing_pid) { + char strbuf[11]; + + snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); + /* +- * proc debug entries are shared between contexts, so +- * this will fail if the process tries to open the driver +- * again with a different context. The priting code will +- * anyway print all contexts that a given PID has, so this +- * is not a problem. ++ * proc debug entries are shared between contexts. ++ * Only create for the first PID to avoid debugfs log spamming ++ * The printing code will anyway print all contexts for a given ++ * PID so this is not a problem. + */ + proc->debugfs_entry = debugfs_create_file(strbuf, 0444, + binder_debugfs_dir_entry_proc, +@@ -5259,19 +5265,16 @@ static int binder_open(struct inode *nod + &proc_fops); + } + +- if (binder_binderfs_dir_entry_proc) { ++ if (binder_binderfs_dir_entry_proc && !existing_pid) { + char strbuf[11]; + struct dentry *binderfs_entry; + + snprintf(strbuf, sizeof(strbuf), "%u", proc->pid); + /* + * Similar to debugfs, the process specific log file is shared +- * between contexts. If the file has already been created for a +- * process, the following binderfs_create_file() call will +- * fail with error code EEXIST if another context of the same +- * process invoked binder_open(). This is ok since same as +- * debugfs, the log file will contain information on all +- * contexts of a given PID. ++ * between contexts. Only create for the first PID. ++ * This is ok since same as debugfs, the log file will contain ++ * information on all contexts of a given PID. + */ + binderfs_entry = binderfs_create_file(binder_binderfs_dir_entry_proc, + strbuf, &proc_fops, (void *)(unsigned long)proc->pid); +@@ -5281,10 +5284,8 @@ static int binder_open(struct inode *nod + int error; + + error = PTR_ERR(binderfs_entry); +- if (error != -EEXIST) { +- pr_warn("Unable to create file %s in binderfs (error %d)\n", +- strbuf, error); +- } ++ pr_warn("Unable to create file %s in binderfs (error %d)\n", ++ strbuf, error); + } + } + diff --git a/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch b/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch new file mode 100644 index 00000000000..b2cf20101f2 --- /dev/null +++ b/queue-5.4/bluetooth-btusb-fix-non-atomic-allocation-in-completion-handler.patch @@ -0,0 +1,34 @@ +From 22cc6b7a1dbb58da4afc539d9b7d470b23a25eea Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 28 Nov 2019 19:24:27 +0100 +Subject: Bluetooth: btusb: fix non-atomic allocation in completion handler + +From: Johan Hovold + +commit 22cc6b7a1dbb58da4afc539d9b7d470b23a25eea upstream. + +USB completion handlers are called in atomic context and must +specifically not allocate memory using GFP_KERNEL. + +Fixes: a1c49c434e15 ("Bluetooth: btusb: Add protocol support for MediaTek MT7668U USB devices") +Cc: stable # 5.3 +Cc: Sean Wang +Signed-off-by: Johan Hovold +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/btusb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -2585,7 +2585,7 @@ static void btusb_mtk_wmt_recv(struct ur + * and being processed the events from there then. + */ + if (test_bit(BTUSB_TX_WAIT_VND_EVT, &data->flags)) { +- data->evt_skb = skb_clone(skb, GFP_KERNEL); ++ data->evt_skb = skb_clone(skb, GFP_ATOMIC); + if (!data->evt_skb) + goto err_out; + } diff --git a/queue-5.4/brcmfmac-fix-interface-sanity-check.patch b/queue-5.4/brcmfmac-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..f7c17f01d04 --- /dev/null +++ b/queue-5.4/brcmfmac-fix-interface-sanity-check.patch @@ -0,0 +1,46 @@ +From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:22 +0100 +Subject: brcmfmac: fix interface sanity check + +From: Johan Hovold + +commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets") +Cc: stable # 3.4 +Cc: Arend van Spriel +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/usb.c +@@ -1348,7 +1348,7 @@ brcmf_usb_probe(struct usb_interface *in + goto fail; + } + +- desc = &intf->altsetting[0].desc; ++ desc = &intf->cur_altsetting->desc; + if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) || + (desc->bInterfaceSubClass != 2) || + (desc->bInterfaceProtocol != 0xff)) { +@@ -1361,7 +1361,7 @@ brcmf_usb_probe(struct usb_interface *in + + num_of_eps = desc->bNumEndpoints; + for (ep = 0; ep < num_of_eps; ep++) { +- endpoint = &intf->altsetting[0].endpoint[ep].desc; ++ endpoint = &intf->cur_altsetting->endpoint[ep].desc; + endpoint_num = usb_endpoint_num(endpoint); + if (!usb_endpoint_xfer_bulk(endpoint)) + continue; diff --git a/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch b/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch new file mode 100644 index 00000000000..8e2b4831978 --- /dev/null +++ b/queue-5.4/cifs-fix-memory-allocation-in-__smb2_handle_cancelled_cmd.patch @@ -0,0 +1,62 @@ +From 0a5a98863c9debc02387b3d23c46d187756f5e2b Mon Sep 17 00:00:00 2001 +From: "Paulo Alcantara (SUSE)" +Date: Mon, 13 Jan 2020 17:46:59 -0300 +Subject: cifs: Fix memory allocation in __smb2_handle_cancelled_cmd() + +From: Paulo Alcantara (SUSE) + +commit 0a5a98863c9debc02387b3d23c46d187756f5e2b upstream. + +__smb2_handle_cancelled_cmd() is called under a spin lock held in +cifs_mid_q_entry_release(), so make its memory allocation GFP_ATOMIC. + +This issue was observed when running xfstests generic/028: + +[ 1722.589204] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72064 cmd: 5 +[ 1722.590687] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72065 cmd: 17 +[ 1722.593529] CIFS VFS: \\192.168.30.26 Cancelling wait for mid 72066 cmd: 6 +[ 1723.039014] BUG: sleeping function called from invalid context at mm/slab.h:565 +[ 1723.040710] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 30877, name: cifsd +[ 1723.045098] CPU: 3 PID: 30877 Comm: cifsd Not tainted 5.5.0-rc4+ #313 +[ 1723.046256] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba527-rebuilt.opensuse.org 04/01/2014 +[ 1723.048221] Call Trace: +[ 1723.048689] dump_stack+0x97/0xe0 +[ 1723.049268] ___might_sleep.cold+0xd1/0xe1 +[ 1723.050069] kmem_cache_alloc_trace+0x204/0x2b0 +[ 1723.051051] __smb2_handle_cancelled_cmd+0x40/0x140 [cifs] +[ 1723.052137] smb2_handle_cancelled_mid+0xf6/0x120 [cifs] +[ 1723.053247] cifs_mid_q_entry_release+0x44d/0x630 [cifs] +[ 1723.054351] ? cifs_reconnect+0x26a/0x1620 [cifs] +[ 1723.055325] cifs_demultiplex_thread+0xad4/0x14a0 [cifs] +[ 1723.056458] ? cifs_handle_standard+0x2c0/0x2c0 [cifs] +[ 1723.057365] ? kvm_sched_clock_read+0x14/0x30 +[ 1723.058197] ? sched_clock+0x5/0x10 +[ 1723.058838] ? sched_clock_cpu+0x18/0x110 +[ 1723.059629] ? lockdep_hardirqs_on+0x17d/0x250 +[ 1723.060456] kthread+0x1ab/0x200 +[ 1723.061149] ? cifs_handle_standard+0x2c0/0x2c0 [cifs] +[ 1723.062078] ? kthread_create_on_node+0xd0/0xd0 +[ 1723.062897] ret_from_fork+0x3a/0x50 + +Signed-off-by: Paulo Alcantara (SUSE) +Fixes: 9150c3adbf24 ("CIFS: Close open handle after interrupted close") +Cc: Stable +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/cifs/smb2misc.c ++++ b/fs/cifs/smb2misc.c +@@ -750,7 +750,7 @@ __smb2_handle_cancelled_close(struct cif + { + struct close_cancelled_open *cancelled; + +- cancelled = kzalloc(sizeof(*cancelled), GFP_KERNEL); ++ cancelled = kzalloc(sizeof(*cancelled), GFP_ATOMIC); + if (!cancelled) + return -ENOMEM; + diff --git a/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch b/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch new file mode 100644 index 00000000000..f93889552a8 --- /dev/null +++ b/queue-5.4/cifs-fix-task-struct-use-after-free-on-reconnect.patch @@ -0,0 +1,173 @@ +From f1f27ad74557e39f67a8331a808b860f89254f2d Mon Sep 17 00:00:00 2001 +From: Vincent Whitchurch +Date: Thu, 23 Jan 2020 17:09:06 +0100 +Subject: CIFS: Fix task struct use-after-free on reconnect + +From: Vincent Whitchurch + +commit f1f27ad74557e39f67a8331a808b860f89254f2d upstream. + +The task which created the MID may be gone by the time cifsd attempts to +call the callbacks on MIDs from cifs_reconnect(). + +This leads to a use-after-free of the task struct in cifs_wake_up_task: + + ================================================================== + BUG: KASAN: use-after-free in __lock_acquire+0x31a0/0x3270 + Read of size 8 at addr ffff8880103e3a68 by task cifsd/630 + + CPU: 0 PID: 630 Comm: cifsd Not tainted 5.5.0-rc6+ #119 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 + Call Trace: + dump_stack+0x8e/0xcb + print_address_description.constprop.5+0x1d3/0x3c0 + ? __lock_acquire+0x31a0/0x3270 + __kasan_report+0x152/0x1aa + ? __lock_acquire+0x31a0/0x3270 + ? __lock_acquire+0x31a0/0x3270 + kasan_report+0xe/0x20 + __lock_acquire+0x31a0/0x3270 + ? __wake_up_common+0x1dc/0x630 + ? _raw_spin_unlock_irqrestore+0x4c/0x60 + ? mark_held_locks+0xf0/0xf0 + ? _raw_spin_unlock_irqrestore+0x39/0x60 + ? __wake_up_common_lock+0xd5/0x130 + ? __wake_up_common+0x630/0x630 + lock_acquire+0x13f/0x330 + ? try_to_wake_up+0xa3/0x19e0 + _raw_spin_lock_irqsave+0x38/0x50 + ? try_to_wake_up+0xa3/0x19e0 + try_to_wake_up+0xa3/0x19e0 + ? cifs_compound_callback+0x178/0x210 + ? set_cpus_allowed_ptr+0x10/0x10 + cifs_reconnect+0xa1c/0x15d0 + ? generic_ip_connect+0x1860/0x1860 + ? rwlock_bug.part.0+0x90/0x90 + cifs_readv_from_socket+0x479/0x690 + cifs_read_from_socket+0x9d/0xe0 + ? cifs_readv_from_socket+0x690/0x690 + ? mempool_resize+0x690/0x690 + ? rwlock_bug.part.0+0x90/0x90 + ? memset+0x1f/0x40 + ? allocate_buffers+0xff/0x340 + cifs_demultiplex_thread+0x388/0x2a50 + ? cifs_handle_standard+0x610/0x610 + ? rcu_read_lock_held_common+0x120/0x120 + ? mark_lock+0x11b/0xc00 + ? __lock_acquire+0x14ed/0x3270 + ? __kthread_parkme+0x78/0x100 + ? lockdep_hardirqs_on+0x3e8/0x560 + ? lock_downgrade+0x6a0/0x6a0 + ? lockdep_hardirqs_on+0x3e8/0x560 + ? _raw_spin_unlock_irqrestore+0x39/0x60 + ? cifs_handle_standard+0x610/0x610 + kthread+0x2bb/0x3a0 + ? kthread_create_worker_on_cpu+0xc0/0xc0 + ret_from_fork+0x3a/0x50 + + Allocated by task 649: + save_stack+0x19/0x70 + __kasan_kmalloc.constprop.5+0xa6/0xf0 + kmem_cache_alloc+0x107/0x320 + copy_process+0x17bc/0x5370 + _do_fork+0x103/0xbf0 + __x64_sys_clone+0x168/0x1e0 + do_syscall_64+0x9b/0xec0 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + + Freed by task 0: + save_stack+0x19/0x70 + __kasan_slab_free+0x11d/0x160 + kmem_cache_free+0xb5/0x3d0 + rcu_core+0x52f/0x1230 + __do_softirq+0x24d/0x962 + + The buggy address belongs to the object at ffff8880103e32c0 + which belongs to the cache task_struct of size 6016 + The buggy address is located 1960 bytes inside of + 6016-byte region [ffff8880103e32c0, ffff8880103e4a40) + The buggy address belongs to the page: + page:ffffea000040f800 refcount:1 mapcount:0 mapping:ffff8880108da5c0 + index:0xffff8880103e4c00 compound_mapcount: 0 + raw: 4000000000010200 ffffea00001f2208 ffffea00001e3408 ffff8880108da5c0 + raw: ffff8880103e4c00 0000000000050003 00000001ffffffff 0000000000000000 + page dumped because: kasan: bad access detected + + Memory state around the buggy address: + ffff8880103e3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880103e3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + >ffff8880103e3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8880103e3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff8880103e3b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ================================================================== + +This can be reliably reproduced by adding the below delay to +cifs_reconnect(), running find(1) on the mount, restarting the samba +server while find is running, and killing find during the delay: + + spin_unlock(&GlobalMid_Lock); + mutex_unlock(&server->srv_mutex); + + + msleep(10000); + + + cifs_dbg(FYI, "%s: issuing mid callbacks\n", __func__); + list_for_each_safe(tmp, tmp2, &retry_list) { + mid_entry = list_entry(tmp, struct mid_q_entry, qhead); + +Fix this by holding a reference to the task struct until the MID is +freed. + +Signed-off-by: Vincent Whitchurch +Signed-off-by: Steve French +CC: Stable +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Pavel Shilovsky +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsglob.h | 1 + + fs/cifs/smb2transport.c | 2 ++ + fs/cifs/transport.c | 3 +++ + 3 files changed, 6 insertions(+) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -1538,6 +1538,7 @@ struct mid_q_entry { + mid_callback_t *callback; /* call completion callback */ + mid_handle_t *handle; /* call handle mid callback */ + void *callback_data; /* general purpose pointer for callback */ ++ struct task_struct *creator; + void *resp_buf; /* pointer to received SMB header */ + unsigned int resp_buf_size; + int mid_state; /* wish this were enum but can not pass to wait_event */ +--- a/fs/cifs/smb2transport.c ++++ b/fs/cifs/smb2transport.c +@@ -599,6 +599,8 @@ smb2_mid_entry_alloc(const struct smb2_s + * The default is for the mid to be synchronous, so the + * default callback just wakes up the current task. + */ ++ get_task_struct(current); ++ temp->creator = current; + temp->callback = cifs_wake_up_task; + temp->callback_data = current; + +--- a/fs/cifs/transport.c ++++ b/fs/cifs/transport.c +@@ -76,6 +76,8 @@ AllocMidQEntry(const struct smb_hdr *smb + * The default is for the mid to be synchronous, so the + * default callback just wakes up the current task. + */ ++ get_task_struct(current); ++ temp->creator = current; + temp->callback = cifs_wake_up_task; + temp->callback_data = current; + +@@ -158,6 +160,7 @@ static void _cifs_mid_q_entry_release(st + } + } + #endif ++ put_task_struct(midEntry->creator); + + mempool_free(midEntry, cifs_mid_poolp); + } diff --git a/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch b/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch new file mode 100644 index 00000000000..27fa3dc6f3e --- /dev/null +++ b/queue-5.4/cifs-set-correct-max-buffer-size-for-smb2_ioctl_init.patch @@ -0,0 +1,47 @@ +From 731b82bb1750a906c1e7f070aedf5505995ebea7 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 8 Jan 2020 13:08:07 +1000 +Subject: cifs: set correct max-buffer-size for smb2_ioctl_init() + +From: Ronnie Sahlberg + +commit 731b82bb1750a906c1e7f070aedf5505995ebea7 upstream. + +Fix two places where we need to adjust down the max response size for +ioctl when it is used together with compounding. + +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Reviewed-by: Pavel Shilovsky +CC: Stable +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/smb2ops.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -1461,7 +1461,9 @@ smb2_ioctl_query_info(const unsigned int + COMPOUND_FID, COMPOUND_FID, + qi.info_type, true, buffer, + qi.output_buffer_length, +- CIFSMaxBufSize); ++ CIFSMaxBufSize - ++ MAX_SMB2_CREATE_RESPONSE_SIZE - ++ MAX_SMB2_CLOSE_RESPONSE_SIZE); + } + } else if (qi.flags == PASSTHRU_SET_INFO) { + /* Can eventually relax perm check since server enforces too */ +@@ -2634,7 +2636,10 @@ smb2_query_symlink(const unsigned int xi + + rc = SMB2_ioctl_init(tcon, &rqst[1], fid.persistent_fid, + fid.volatile_fid, FSCTL_GET_REPARSE_POINT, +- true /* is_fctl */, NULL, 0, CIFSMaxBufSize); ++ true /* is_fctl */, NULL, 0, ++ CIFSMaxBufSize - ++ MAX_SMB2_CREATE_RESPONSE_SIZE - ++ MAX_SMB2_CLOSE_RESPONSE_SIZE); + if (rc) + goto querty_exit; + diff --git a/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch b/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch new file mode 100644 index 00000000000..32efbad4c52 --- /dev/null +++ b/queue-5.4/component-do-not-dereference-opaque-pointer-in-debugfs.patch @@ -0,0 +1,46 @@ +From ef9ffc1e5f1ac73ecd2fb3b70db2a3b2472ff2f7 Mon Sep 17 00:00:00 2001 +From: Lubomir Rintel +Date: Mon, 18 Nov 2019 12:54:31 +0100 +Subject: component: do not dereference opaque pointer in debugfs + +From: Lubomir Rintel + +commit ef9ffc1e5f1ac73ecd2fb3b70db2a3b2472ff2f7 upstream. + +The match data does not have to be a struct device pointer, and indeed +very often is not. Attempt to treat it as such easily results in a +crash. + +For the components that are not registered, we don't know which device +is missing. Once it it is there, we can use the struct component to get +the device and whether it's bound or not. + +Fixes: 59e73854b5fd ('component: add debugfs support') +Signed-off-by: Lubomir Rintel +Cc: stable +Cc: Arnaud Pouliquen +Link: https://lore.kernel.org/r/20191118115431.63626-1-lkundrak@v3.sk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/component.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/base/component.c ++++ b/drivers/base/component.c +@@ -102,11 +102,11 @@ static int component_devices_show(struct + seq_printf(s, "%-40s %20s\n", "device name", "status"); + seq_puts(s, "-------------------------------------------------------------\n"); + for (i = 0; i < match->num; i++) { +- struct device *d = (struct device *)match->compare[i].data; ++ struct component *component = match->compare[i].component; + +- seq_printf(s, "%-40s %20s\n", dev_name(d), +- match->compare[i].component ? +- "registered" : "not registered"); ++ seq_printf(s, "%-40s %20s\n", ++ component ? dev_name(component->dev) : "(unknown)", ++ component ? (component->bound ? "bound" : "not bound") : "not registered"); + } + mutex_unlock(&component_mutex); + diff --git a/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch b/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch new file mode 100644 index 00000000000..642a7b51c13 --- /dev/null +++ b/queue-5.4/crypto-chelsio-fix-writing-tfm-flags-to-wrong-place.patch @@ -0,0 +1,92 @@ +From bd56cea012fc2d6381e8cd3209510ce09f9de8c9 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 30 Dec 2019 21:19:31 -0600 +Subject: crypto: chelsio - fix writing tfm flags to wrong place + +From: Eric Biggers + +commit bd56cea012fc2d6381e8cd3209510ce09f9de8c9 upstream. + +The chelsio crypto driver is casting 'struct crypto_aead' directly to +'struct crypto_tfm', which is incorrect because the crypto_tfm isn't the +first field of 'struct crypto_aead'. Consequently, the calls to +crypto_tfm_set_flags() are modifying some other field in the struct. + +Also, the driver is setting CRYPTO_TFM_RES_BAD_KEY_LEN in +->setauthsize(), not just in ->setkey(). This is incorrect since this +flag is for bad key lengths, not for bad authentication tag lengths. + +Fix these bugs by removing the broken crypto_tfm_set_flags() calls from +->setauthsize() and by fixing them in ->setkey(). + +Fixes: 324429d74127 ("chcr: Support for Chelsio's Crypto Hardware") +Cc: # v4.9+ +Cc: Atul Gupta +Signed-off-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/chelsio/chcr_algo.c | 16 +++------------- + 1 file changed, 3 insertions(+), 13 deletions(-) + +--- a/drivers/crypto/chelsio/chcr_algo.c ++++ b/drivers/crypto/chelsio/chcr_algo.c +@@ -3194,9 +3194,6 @@ static int chcr_gcm_setauthsize(struct c + aeadctx->mayverify = VERIFY_SW; + break; + default: +- +- crypto_tfm_set_flags((struct crypto_tfm *) tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3221,8 +3218,6 @@ static int chcr_4106_4309_setauthsize(st + aeadctx->mayverify = VERIFY_HW; + break; + default: +- crypto_tfm_set_flags((struct crypto_tfm *)tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3263,8 +3258,6 @@ static int chcr_ccm_setauthsize(struct c + aeadctx->mayverify = VERIFY_HW; + break; + default: +- crypto_tfm_set_flags((struct crypto_tfm *)tfm, +- CRYPTO_TFM_RES_BAD_KEY_LEN); + return -EINVAL; + } + return crypto_aead_setauthsize(aeadctx->sw_cipher, authsize); +@@ -3289,8 +3282,7 @@ static int chcr_ccm_common_setkey(struct + ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; + mk_size = CHCR_KEYCTX_MAC_KEY_SIZE_256; + } else { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + aeadctx->enckey_len = 0; + return -EINVAL; + } +@@ -3328,8 +3320,7 @@ static int chcr_aead_rfc4309_setkey(stru + int error; + + if (keylen < 3) { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + aeadctx->enckey_len = 0; + return -EINVAL; + } +@@ -3379,8 +3370,7 @@ static int chcr_gcm_setkey(struct crypto + } else if (keylen == AES_KEYSIZE_256) { + ck_size = CHCR_KEYCTX_CIPHER_KEY_SIZE_256; + } else { +- crypto_tfm_set_flags((struct crypto_tfm *)aead, +- CRYPTO_TFM_RES_BAD_KEY_LEN); ++ crypto_aead_set_flags(aead, CRYPTO_TFM_RES_BAD_KEY_LEN); + pr_err("GCM: Invalid key length %d\n", keylen); + ret = -EINVAL; + goto out; diff --git a/queue-5.4/debugfs-return-eperm-when-locked-down.patch b/queue-5.4/debugfs-return-eperm-when-locked-down.patch new file mode 100644 index 00000000000..482968f4833 --- /dev/null +++ b/queue-5.4/debugfs-return-eperm-when-locked-down.patch @@ -0,0 +1,112 @@ +From a37f4958f7b63d2b3cd17a76151fdfc29ce1da5f Mon Sep 17 00:00:00 2001 +From: Eric Snowberg +Date: Sat, 7 Dec 2019 11:16:03 -0500 +Subject: debugfs: Return -EPERM when locked down + +From: Eric Snowberg + +commit a37f4958f7b63d2b3cd17a76151fdfc29ce1da5f upstream. + +When lockdown is enabled, debugfs_is_locked_down returns 1. It will then +trigger the following: + +WARNING: CPU: 48 PID: 3747 +CPU: 48 PID: 3743 Comm: bash Not tainted 5.4.0-1946.x86_64 #1 +Hardware name: Oracle Corporation ORACLE SERVER X7-2/ASM, MB, X7-2, BIOS 41060400 05/20/2019 +RIP: 0010:do_dentry_open+0x343/0x3a0 +Code: 00 40 08 00 45 31 ff 48 c7 43 28 40 5b e7 89 e9 02 ff ff ff 48 8b 53 28 4c 8b 72 70 4d 85 f6 0f 84 10 fe ff ff e9 f5 fd ff ff <0f> 0b 41 bf ea ff ff ff e9 3b ff ff ff 41 bf e6 ff ff ff e9 b4 fe +RSP: 0018:ffffb8740dde7ca0 EFLAGS: 00010202 +RAX: ffffffff89e88a40 RBX: ffff928c8e6b6f00 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff928dbfd97778 RDI: ffff9285cff685c0 +RBP: ffffb8740dde7cc8 R08: 0000000000000821 R09: 0000000000000030 +R10: 0000000000000057 R11: ffffb8740dde7a98 R12: ffff926ec781c900 +R13: ffff928c8e6b6f10 R14: ffffffff8936e190 R15: 0000000000000001 +FS: 00007f45f6777740(0000) GS:ffff928dbfd80000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007fff95e0d5d8 CR3: 0000001ece562006 CR4: 00000000007606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +PKRU: 55555554 +Call Trace: + vfs_open+0x2d/0x30 + path_openat+0x2d4/0x1680 + ? tty_mode_ioctl+0x298/0x4c0 + do_filp_open+0x93/0x100 + ? strncpy_from_user+0x57/0x1b0 + ? __alloc_fd+0x46/0x150 + do_sys_open+0x182/0x230 + __x64_sys_openat+0x20/0x30 + do_syscall_64+0x60/0x1b0 + entry_SYSCALL_64_after_hwframe+0x170/0x1d5 +RIP: 0033:0x7f45f5e5ce02 +Code: 25 00 00 41 00 3d 00 00 41 00 74 4c 48 8d 05 25 59 2d 00 8b 00 85 c0 75 6d 89 f2 b8 01 01 00 00 48 89 fe bf 9c ff ff ff 0f 05 <48> 3d 00 f0 ff ff 0f 87 a2 00 00 00 48 8b 4c 24 28 64 48 33 0c 25 +RSP: 002b:00007fff95e0d2e0 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 +RAX: ffffffffffffffda RBX: 0000561178c069b0 RCX: 00007f45f5e5ce02 +RDX: 0000000000000241 RSI: 0000561178c08800 RDI: 00000000ffffff9c +RBP: 00007fff95e0d3e0 R08: 0000000000000020 R09: 0000000000000005 +R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000000 +R13: 0000000000000003 R14: 0000000000000001 R15: 0000561178c08800 + +Change the return type to int and return -EPERM when lockdown is enabled +to remove the warning above. Also rename debugfs_is_locked_down to +debugfs_locked_down to make it sound less like it returns a boolean. + +Fixes: 5496197f9b08 ("debugfs: Restrict debugfs when the kernel is locked down") +Signed-off-by: Eric Snowberg +Reviewed-by: Matthew Wilcox (Oracle) +Cc: stable +Acked-by: James Morris +Link: https://lore.kernel.org/r/20191207161603.35907-1-eric.snowberg@oracle.com +Signed-off-by: Greg Kroah-Hartman + +--- + fs/debugfs/file.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/fs/debugfs/file.c ++++ b/fs/debugfs/file.c +@@ -142,18 +142,21 @@ EXPORT_SYMBOL_GPL(debugfs_file_put); + * We also need to exclude any file that has ways to write or alter it as root + * can bypass the permissions check. + */ +-static bool debugfs_is_locked_down(struct inode *inode, +- struct file *filp, +- const struct file_operations *real_fops) ++static int debugfs_locked_down(struct inode *inode, ++ struct file *filp, ++ const struct file_operations *real_fops) + { + if ((inode->i_mode & 07777) == 0444 && + !(filp->f_mode & FMODE_WRITE) && + !real_fops->unlocked_ioctl && + !real_fops->compat_ioctl && + !real_fops->mmap) +- return false; ++ return 0; + +- return security_locked_down(LOCKDOWN_DEBUGFS); ++ if (security_locked_down(LOCKDOWN_DEBUGFS)) ++ return -EPERM; ++ ++ return 0; + } + + static int open_proxy_open(struct inode *inode, struct file *filp) +@@ -168,7 +171,7 @@ static int open_proxy_open(struct inode + + real_fops = debugfs_real_fops(filp); + +- r = debugfs_is_locked_down(inode, filp, real_fops); ++ r = debugfs_locked_down(inode, filp, real_fops); + if (r) + goto out; + +@@ -298,7 +301,7 @@ static int full_proxy_open(struct inode + + real_fops = debugfs_real_fops(filp); + +- r = debugfs_is_locked_down(inode, filp, real_fops); ++ r = debugfs_locked_down(inode, filp, real_fops); + if (r) + goto out; + diff --git a/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch b/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch new file mode 100644 index 00000000000..10281f7ab2b --- /dev/null +++ b/queue-5.4/driver-core-fix-test_async_driver_probe-if-numa-is-disabled.patch @@ -0,0 +1,44 @@ +From 264d25275a46fce5da501874fa48a2ae5ec571c8 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 27 Nov 2019 12:24:53 -0800 +Subject: driver core: Fix test_async_driver_probe if NUMA is disabled + +From: Guenter Roeck + +commit 264d25275a46fce5da501874fa48a2ae5ec571c8 upstream. + +Since commit 57ea974fb871 ("driver core: Rewrite test_async_driver_probe +to cover serialization and NUMA affinity"), running the test with NUMA +disabled results in warning messages similar to the following. + +test_async_driver test_async_driver.12: NUMA node mismatch -1 != 0 + +If CONFIG_NUMA=n, dev_to_node(dev) returns -1, and numa_node_id() +returns 0. Both are widely used, so it appears risky to change return +values. Augment the check with IS_ENABLED(CONFIG_NUMA) instead +to fix the problem. + +Cc: Alexander Duyck +Fixes: 57ea974fb871 ("driver core: Rewrite test_async_driver_probe to cover serialization and NUMA affinity") +Signed-off-by: Guenter Roeck +Cc: stable +Acked-by: Alexander Duyck +Link: https://lore.kernel.org/r/20191127202453.28087-1-linux@roeck-us.net +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/test/test_async_driver_probe.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/base/test/test_async_driver_probe.c ++++ b/drivers/base/test/test_async_driver_probe.c +@@ -44,7 +44,8 @@ static int test_probe(struct platform_de + * performing an async init on that node. + */ + if (dev->driver->probe_type == PROBE_PREFER_ASYNCHRONOUS) { +- if (dev_to_node(dev) != numa_node_id()) { ++ if (IS_ENABLED(CONFIG_NUMA) && ++ dev_to_node(dev) != numa_node_id()) { + dev_warn(dev, "NUMA node mismatch %d != %d\n", + dev_to_node(dev), numa_node_id()); + atomic_inc(&warnings); diff --git a/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch b/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch new file mode 100644 index 00000000000..705aff3a5b2 --- /dev/null +++ b/queue-5.4/iio-adc-stm32-dfsdm-fix-single-conversion.patch @@ -0,0 +1,35 @@ +From dc26935fb60e8da8d59655dd2ec0de47b20d7d8f Mon Sep 17 00:00:00 2001 +From: Olivier Moysan +Date: Wed, 27 Nov 2019 14:07:29 +0100 +Subject: iio: adc: stm32-dfsdm: fix single conversion + +From: Olivier Moysan + +commit dc26935fb60e8da8d59655dd2ec0de47b20d7d8f upstream. + +Apply data formatting to single conversion, +as this is already done in continuous and trigger modes. + +Fixes: 102afde62937 ("iio: adc: stm32-dfsdm: manage data resolution in trigger mode") + +Signed-off-by: Olivier Moysan +Cc: +Acked-by: Fabrice Gasnier +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/stm32-dfsdm-adc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/adc/stm32-dfsdm-adc.c ++++ b/drivers/iio/adc/stm32-dfsdm-adc.c +@@ -1204,6 +1204,8 @@ static int stm32_dfsdm_single_conv(struc + + stm32_dfsdm_stop_conv(adc); + ++ stm32_dfsdm_process_data(adc, res); ++ + stop_dfsdm: + stm32_dfsdm_stop_dfsdm(adc->dfsdm); + diff --git a/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch b/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch new file mode 100644 index 00000000000..6c24dbdf32a --- /dev/null +++ b/queue-5.4/iio-st_gyro-correct-data-for-lsm9ds0-gyro.patch @@ -0,0 +1,120 @@ +From e825070f697abddf3b9b0a675ed0ff1884114818 Mon Sep 17 00:00:00 2001 +From: Andy Shevchenko +Date: Tue, 17 Dec 2019 19:10:38 +0200 +Subject: iio: st_gyro: Correct data for LSM9DS0 gyro + +From: Andy Shevchenko + +commit e825070f697abddf3b9b0a675ed0ff1884114818 upstream. + +The commit 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support") +assumes that gyro in LSM9DS0 is the same as others with 0xd4 WAI ID, +but datasheet tells slight different story, i.e. the first scale factor +for the chip is 245 dps, and not 250 dps. + +Correct this by introducing a separate settings for LSM9DS0. + +Fixes: 41c128cb25ce ("iio: st_gyro: Add lsm9ds0-gyro support") +Depends-on: 45a4e4220bf4 ("iio: gyro: st_gyro: fix L3GD20H support") +Cc: Leonard Crestez +Cc: Lorenzo Bianconi +Cc: +Signed-off-by: Andy Shevchenko +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/gyro/st_gyro_core.c | 75 +++++++++++++++++++++++++++++++++++++++- + 1 file changed, 74 insertions(+), 1 deletion(-) + +--- a/drivers/iio/gyro/st_gyro_core.c ++++ b/drivers/iio/gyro/st_gyro_core.c +@@ -139,7 +139,6 @@ static const struct st_sensor_settings s + [2] = LSM330DLC_GYRO_DEV_NAME, + [3] = L3G4IS_GYRO_DEV_NAME, + [4] = LSM330_GYRO_DEV_NAME, +- [5] = LSM9DS0_GYRO_DEV_NAME, + }, + .ch = (struct iio_chan_spec *)st_gyro_16bit_channels, + .odr = { +@@ -203,6 +202,80 @@ static const struct st_sensor_settings s + }, + }, + .sim = { ++ .addr = 0x23, ++ .value = BIT(0), ++ }, ++ .multi_read_bit = true, ++ .bootime = 2, ++ }, ++ { ++ .wai = 0xd4, ++ .wai_addr = ST_SENSORS_DEFAULT_WAI_ADDRESS, ++ .sensors_supported = { ++ [0] = LSM9DS0_GYRO_DEV_NAME, ++ }, ++ .ch = (struct iio_chan_spec *)st_gyro_16bit_channels, ++ .odr = { ++ .addr = 0x20, ++ .mask = GENMASK(7, 6), ++ .odr_avl = { ++ { .hz = 95, .value = 0x00, }, ++ { .hz = 190, .value = 0x01, }, ++ { .hz = 380, .value = 0x02, }, ++ { .hz = 760, .value = 0x03, }, ++ }, ++ }, ++ .pw = { ++ .addr = 0x20, ++ .mask = BIT(3), ++ .value_on = ST_SENSORS_DEFAULT_POWER_ON_VALUE, ++ .value_off = ST_SENSORS_DEFAULT_POWER_OFF_VALUE, ++ }, ++ .enable_axis = { ++ .addr = ST_SENSORS_DEFAULT_AXIS_ADDR, ++ .mask = ST_SENSORS_DEFAULT_AXIS_MASK, ++ }, ++ .fs = { ++ .addr = 0x23, ++ .mask = GENMASK(5, 4), ++ .fs_avl = { ++ [0] = { ++ .num = ST_GYRO_FS_AVL_245DPS, ++ .value = 0x00, ++ .gain = IIO_DEGREE_TO_RAD(8750), ++ }, ++ [1] = { ++ .num = ST_GYRO_FS_AVL_500DPS, ++ .value = 0x01, ++ .gain = IIO_DEGREE_TO_RAD(17500), ++ }, ++ [2] = { ++ .num = ST_GYRO_FS_AVL_2000DPS, ++ .value = 0x02, ++ .gain = IIO_DEGREE_TO_RAD(70000), ++ }, ++ }, ++ }, ++ .bdu = { ++ .addr = 0x23, ++ .mask = BIT(7), ++ }, ++ .drdy_irq = { ++ .int2 = { ++ .addr = 0x22, ++ .mask = BIT(3), ++ }, ++ /* ++ * The sensor has IHL (active low) and open ++ * drain settings, but only for INT1 and not ++ * for the DRDY line on INT2. ++ */ ++ .stat_drdy = { ++ .addr = ST_SENSORS_DEFAULT_STAT_ADDR, ++ .mask = GENMASK(2, 0), ++ }, ++ }, ++ .sim = { + .addr = 0x23, + .value = BIT(0), + }, diff --git a/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch b/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch new file mode 100644 index 00000000000..c7feac65f4d --- /dev/null +++ b/queue-5.4/mei-hdcp-bind-only-with-i915-on-the-same-pch.patch @@ -0,0 +1,82 @@ +From 1e8d19d9b0dfcf11b61bac627203a290577e807a Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Thu, 12 Dec 2019 10:41:03 +0200 +Subject: mei: hdcp: bind only with i915 on the same PCH + +From: Tomas Winkler + +commit 1e8d19d9b0dfcf11b61bac627203a290577e807a upstream. + +The mei device and i915 must reside on the same +PCH in order for HDCP to work. Make the component +matching function enforce this requirement. + + hdcp + | + i915 mei + | | + +----= PCH =----+ + +Cc: v5.0+ +Cc: Ramalingam C +Signed-off-by: Tomas Winkler +Reviewed-by: Alexander Usyskin +Link: https://lore.kernel.org/r/20191212084103.2893-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hdcp/mei_hdcp.c | 33 ++++++++++++++++++++++++++++++--- + 1 file changed, 30 insertions(+), 3 deletions(-) + +--- a/drivers/misc/mei/hdcp/mei_hdcp.c ++++ b/drivers/misc/mei/hdcp/mei_hdcp.c +@@ -758,11 +758,38 @@ static const struct component_master_ops + .unbind = mei_component_master_unbind, + }; + ++/** ++ * mei_hdcp_component_match - compare function for matching mei hdcp. ++ * ++ * The function checks if the driver is i915, the subcomponent is HDCP ++ * and the grand parent of hdcp and the parent of i915 are the same ++ * PCH device. ++ * ++ * @dev: master device ++ * @subcomponent: subcomponent to match (I915_COMPONENT_HDCP) ++ * @data: compare data (mei hdcp device) ++ * ++ * Return: ++ * * 1 - if components match ++ * * 0 - otherwise ++ */ + static int mei_hdcp_component_match(struct device *dev, int subcomponent, + void *data) + { +- return !strcmp(dev->driver->name, "i915") && +- subcomponent == I915_COMPONENT_HDCP; ++ struct device *base = data; ++ ++ if (strcmp(dev->driver->name, "i915") || ++ subcomponent != I915_COMPONENT_HDCP) ++ return 0; ++ ++ base = base->parent; ++ if (!base) ++ return 0; ++ ++ base = base->parent; ++ dev = dev->parent; ++ ++ return (base && dev && dev == base); + } + + static int mei_hdcp_probe(struct mei_cl_device *cldev, +@@ -786,7 +813,7 @@ static int mei_hdcp_probe(struct mei_cl_ + + master_match = NULL; + component_match_add_typed(&cldev->dev, &master_match, +- mei_hdcp_component_match, comp_master); ++ mei_hdcp_component_match, &cldev->dev); + if (IS_ERR_OR_NULL(master_match)) { + ret = -ENOMEM; + goto err_exit; diff --git a/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch b/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch new file mode 100644 index 00000000000..2e128bed831 --- /dev/null +++ b/queue-5.4/mei-me-add-comet-point-lake-h-device-ids.patch @@ -0,0 +1,47 @@ +From 559e575a8946a6561dfe8880de341d4ef78d5994 Mon Sep 17 00:00:00 2001 +From: Tomas Winkler +Date: Sun, 19 Jan 2020 11:42:29 +0200 +Subject: mei: me: add comet point (lake) H device ids + +From: Tomas Winkler + +commit 559e575a8946a6561dfe8880de341d4ef78d5994 upstream. + +Add Comet Point device IDs for Comet Lake H platforms. + +Cc: +Signed-off-by: Tomas Winkler +Link: https://lore.kernel.org/r/20200119094229.20116-1-tomas.winkler@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/mei/hw-me-regs.h | 4 ++++ + drivers/misc/mei/pci-me.c | 2 ++ + 2 files changed, 6 insertions(+) + +--- a/drivers/misc/mei/hw-me-regs.h ++++ b/drivers/misc/mei/hw-me-regs.h +@@ -81,8 +81,12 @@ + + #define MEI_DEV_ID_CMP_LP 0x02e0 /* Comet Point LP */ + #define MEI_DEV_ID_CMP_LP_3 0x02e4 /* Comet Point LP 3 (iTouch) */ ++ + #define MEI_DEV_ID_CMP_V 0xA3BA /* Comet Point Lake V */ + ++#define MEI_DEV_ID_CMP_H 0x06e0 /* Comet Lake H */ ++#define MEI_DEV_ID_CMP_H_3 0x06e4 /* Comet Lake H 3 (iTouch) */ ++ + #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */ + + #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */ +--- a/drivers/misc/mei/pci-me.c ++++ b/drivers/misc/mei/pci-me.c +@@ -99,6 +99,8 @@ static const struct pci_device_id mei_me + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP, MEI_ME_PCH12_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_LP_3, MEI_ME_PCH8_CFG)}, + {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_V, MEI_ME_PCH12_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H, MEI_ME_PCH12_CFG)}, ++ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_CFG)}, + + {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)}, + diff --git a/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch b/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..5b737863bc6 --- /dev/null +++ b/queue-5.4/orinoco_usb-fix-interface-sanity-check.patch @@ -0,0 +1,39 @@ +From b73e05aa543cf8db4f4927e36952360d71291d41 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:23 +0100 +Subject: orinoco_usb: fix interface sanity check + +From: Johan Hovold + +commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver") +Cc: stable # 2.6.35 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/orinoco/orinoco_usb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/intersil/orinoco/orinoco_usb.c ++++ b/drivers/net/wireless/intersil/orinoco/orinoco_usb.c +@@ -1608,9 +1608,9 @@ static int ezusb_probe(struct usb_interf + /* set up the endpoint information */ + /* check out the endpoints */ + +- iface_desc = &interface->altsetting[0].desc; ++ iface_desc = &interface->cur_altsetting->desc; + for (i = 0; i < iface_desc->bNumEndpoints; ++i) { +- ep = &interface->altsetting[0].endpoint[i].desc; ++ ep = &interface->cur_altsetting->endpoint[i].desc; + + if (usb_endpoint_is_bulk_in(ep)) { + /* we found a bulk in endpoint */ diff --git a/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch b/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..88ed5645af2 --- /dev/null +++ b/queue-5.4/rsi_91x_usb-fix-interface-sanity-check.patch @@ -0,0 +1,37 @@ +From 3139b180906af43bc09bd3373fc2338a8271d9d9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:25 +0100 +Subject: rsi_91x_usb: fix interface sanity check + +From: Johan Hovold + +commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") +Cc: stable # 3.15 +Cc: Fariya Fatima +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rsi/rsi_91x_usb.c ++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c +@@ -117,7 +117,7 @@ static int rsi_find_bulk_in_and_out_endp + __le16 buffer_size; + int ii, bin_found = 0, bout_found = 0; + +- iface_desc = &(interface->altsetting[0]); ++ iface_desc = interface->cur_altsetting; + + for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) { + endpoint = &(iface_desc->endpoint[ii].desc); diff --git a/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch b/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch new file mode 100644 index 00000000000..9ae6d4b571e --- /dev/null +++ b/queue-5.4/rtl8xxxu-fix-interface-sanity-check.patch @@ -0,0 +1,37 @@ +From 39a4281c312f2d226c710bc656ce380c621a2b16 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:24 +0100 +Subject: rtl8xxxu: fix interface sanity check + +From: Johan Hovold + +commit 39a4281c312f2d226c710bc656ce380c621a2b16 upstream. + +Make sure to use the current alternate setting when verifying the +interface descriptors to avoid binding to an invalid interface. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Cc: stable # 4.4 +Cc: Jes Sorensen +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5915,7 +5915,7 @@ static int rtl8xxxu_parse_usb(struct rtl + u8 dir, xtype, num; + int ret = 0; + +- host_interface = &interface->altsetting[0]; ++ host_interface = interface->cur_altsetting; + interface_desc = &host_interface->desc; + endpoints = interface_desc->bNumEndpoints; + diff --git a/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch b/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch new file mode 100644 index 00000000000..a7ed7de424b --- /dev/null +++ b/queue-5.4/serial-8250_bcm2835aux-fix-line-mismatch-on-driver-unbind.patch @@ -0,0 +1,49 @@ +From dc76697d7e933d5e299116f219c890568785ea15 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Thu, 16 Jan 2020 13:14:01 +0100 +Subject: serial: 8250_bcm2835aux: Fix line mismatch on driver unbind + +From: Lukas Wunner + +commit dc76697d7e933d5e299116f219c890568785ea15 upstream. + +Unbinding the bcm2835aux UART driver raises the following error if the +maximum number of 8250 UARTs is set to 1 (via the 8250.nr_uarts module +parameter or CONFIG_SERIAL_8250_RUNTIME_UARTS): + +(NULL device *): Removing wrong port: a6f80333 != fa20408b + +That's because bcm2835aux_serial_probe() retrieves UART line number 1 +from the devicetree and stores it in data->uart.port.line, while +serial8250_register_8250_port() instead uses UART line number 0, +which is stored in data->line. + +On driver unbind, bcm2835aux_serial_remove() uses data->uart.port.line, +which contains the wrong number. Fix it. + +The issue does not occur if the maximum number of 8250 UARTs is >= 2. + +Fixes: bdc5f3009580 ("serial: bcm2835: add driver for bcm2835-aux-uart") +Signed-off-by: Lukas Wunner +Cc: stable@vger.kernel.org # v4.6+ +Cc: Martin Sperl +Reviewed-by: Nicolas Saenz Julienne +Tested-by: Nicolas Saenz Julienne +Link: https://lore.kernel.org/r/912ccf553c5258135c6d7e8f404a101ef320f0f4.1579175223.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_bcm2835aux.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/tty/serial/8250/8250_bcm2835aux.c ++++ b/drivers/tty/serial/8250/8250_bcm2835aux.c +@@ -113,7 +113,7 @@ static int bcm2835aux_serial_remove(stru + { + struct bcm2835aux_data *data = platform_get_drvdata(pdev); + +- serial8250_unregister_port(data->uart.port.line); ++ serial8250_unregister_port(data->line); + clk_disable_unprepare(data->clk); + + return 0; diff --git a/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch b/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch new file mode 100644 index 00000000000..47b9aae8d7e --- /dev/null +++ b/queue-5.4/serial-imx-fix-a-race-condition-in-receive-path.patch @@ -0,0 +1,180 @@ +From 101aa46bd221b768dfff8ef3745173fc8dbb85ee Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Tue, 21 Jan 2020 08:17:02 +0100 +Subject: serial: imx: fix a race condition in receive path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 101aa46bd221b768dfff8ef3745173fc8dbb85ee upstream. + +The main irq handler function starts by first masking disabled +interrupts in the status register values to ensure to only handle +enabled interrupts. This is important as when the RX path in the +hardware is disabled reading the RX fifo results in an external abort. + +This checking must be done under the port lock, otherwise the following +can happen: + + CPU1 | CPU2 + | + irq triggers as there are chars | + in the RX fifo | + | grab port lock + imx_uart_int finds RRDY enabled | + and calls imx_uart_rxint which | + has to wait for port lock | + | disable RX (e.g. because we're + | using RS485 with !RX_DURING_TX) + | + | release port lock + read from RX fifo with RX | + disabled => exception | + +So take the port lock only once in imx_uart_int() instead of in the +functions called from there. + +Reported-by: Andre Renaud +Cc: stable@vger.kernel.org +Signed-off-by: Uwe Kleine-König +Link: https://lore.kernel.org/r/20200121071702.20150-1-u.kleine-koenig@pengutronix.de +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/imx.c | 51 +++++++++++++++++++++++++++++++++++------------ + 1 file changed, 38 insertions(+), 13 deletions(-) + +--- a/drivers/tty/serial/imx.c ++++ b/drivers/tty/serial/imx.c +@@ -700,22 +700,33 @@ static void imx_uart_start_tx(struct uar + } + } + +-static irqreturn_t imx_uart_rtsint(int irq, void *dev_id) ++static irqreturn_t __imx_uart_rtsint(int irq, void *dev_id) + { + struct imx_port *sport = dev_id; + u32 usr1; + +- spin_lock(&sport->port.lock); +- + imx_uart_writel(sport, USR1_RTSD, USR1); + usr1 = imx_uart_readl(sport, USR1) & USR1_RTSS; + uart_handle_cts_change(&sport->port, !!usr1); + wake_up_interruptible(&sport->port.state->port.delta_msr_wait); + +- spin_unlock(&sport->port.lock); + return IRQ_HANDLED; + } + ++static irqreturn_t imx_uart_rtsint(int irq, void *dev_id) ++{ ++ struct imx_port *sport = dev_id; ++ irqreturn_t ret; ++ ++ spin_lock(&sport->port.lock); ++ ++ ret = __imx_uart_rtsint(irq, dev_id); ++ ++ spin_unlock(&sport->port.lock); ++ ++ return ret; ++} ++ + static irqreturn_t imx_uart_txint(int irq, void *dev_id) + { + struct imx_port *sport = dev_id; +@@ -726,14 +737,12 @@ static irqreturn_t imx_uart_txint(int ir + return IRQ_HANDLED; + } + +-static irqreturn_t imx_uart_rxint(int irq, void *dev_id) ++static irqreturn_t __imx_uart_rxint(int irq, void *dev_id) + { + struct imx_port *sport = dev_id; + unsigned int rx, flg, ignored = 0; + struct tty_port *port = &sport->port.state->port; + +- spin_lock(&sport->port.lock); +- + while (imx_uart_readl(sport, USR2) & USR2_RDR) { + u32 usr2; + +@@ -792,11 +801,25 @@ static irqreturn_t imx_uart_rxint(int ir + } + + out: +- spin_unlock(&sport->port.lock); + tty_flip_buffer_push(port); ++ + return IRQ_HANDLED; + } + ++static irqreturn_t imx_uart_rxint(int irq, void *dev_id) ++{ ++ struct imx_port *sport = dev_id; ++ irqreturn_t ret; ++ ++ spin_lock(&sport->port.lock); ++ ++ ret = __imx_uart_rxint(irq, dev_id); ++ ++ spin_unlock(&sport->port.lock); ++ ++ return ret; ++} ++ + static void imx_uart_clear_rx_errors(struct imx_port *sport); + + /* +@@ -855,6 +878,8 @@ static irqreturn_t imx_uart_int(int irq, + unsigned int usr1, usr2, ucr1, ucr2, ucr3, ucr4; + irqreturn_t ret = IRQ_NONE; + ++ spin_lock(&sport->port.lock); ++ + usr1 = imx_uart_readl(sport, USR1); + usr2 = imx_uart_readl(sport, USR2); + ucr1 = imx_uart_readl(sport, UCR1); +@@ -888,27 +913,25 @@ static irqreturn_t imx_uart_int(int irq, + usr2 &= ~USR2_ORE; + + if (usr1 & (USR1_RRDY | USR1_AGTIM)) { +- imx_uart_rxint(irq, dev_id); ++ __imx_uart_rxint(irq, dev_id); + ret = IRQ_HANDLED; + } + + if ((usr1 & USR1_TRDY) || (usr2 & USR2_TXDC)) { +- imx_uart_txint(irq, dev_id); ++ imx_uart_transmit_buffer(sport); + ret = IRQ_HANDLED; + } + + if (usr1 & USR1_DTRD) { + imx_uart_writel(sport, USR1_DTRD, USR1); + +- spin_lock(&sport->port.lock); + imx_uart_mctrl_check(sport); +- spin_unlock(&sport->port.lock); + + ret = IRQ_HANDLED; + } + + if (usr1 & USR1_RTSD) { +- imx_uart_rtsint(irq, dev_id); ++ __imx_uart_rtsint(irq, dev_id); + ret = IRQ_HANDLED; + } + +@@ -923,6 +946,8 @@ static irqreturn_t imx_uart_int(int irq, + ret = IRQ_HANDLED; + } + ++ spin_unlock(&sport->port.lock); ++ + return ret; + } + diff --git a/queue-5.4/staging-most-net-fix-buffer-overflow.patch b/queue-5.4/staging-most-net-fix-buffer-overflow.patch new file mode 100644 index 00000000000..7a774582b0d --- /dev/null +++ b/queue-5.4/staging-most-net-fix-buffer-overflow.patch @@ -0,0 +1,58 @@ +From 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 Mon Sep 17 00:00:00 2001 +From: Andrey Shvetsov +Date: Thu, 16 Jan 2020 18:22:39 +0100 +Subject: staging: most: net: fix buffer overflow + +From: Andrey Shvetsov + +commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream. + +If the length of the socket buffer is 0xFFFFFFFF (max size for an +unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14 +(ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN) +which overflows and results in a value of 2. These values for +payload_len and mdp_len will pass current buffer size checks. + +This patch checks if derived from skb->len sum may overflow. + +The check is based on the following idea: + +For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`, +`V1 + V2` overflows iif `SUM < V1`. + +Reported-by: Greg Kroah-Hartman +Signed-off-by: Andrey Shvetsov +Cc: stable +Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/most/net/net.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/staging/most/net/net.c ++++ b/drivers/staging/most/net/net.c +@@ -81,6 +81,11 @@ static int skb_to_mamac(const struct sk_ + unsigned int payload_len = skb->len - ETH_HLEN; + unsigned int mdp_len = payload_len + MDP_HDR_LEN; + ++ if (mdp_len < skb->len) { ++ pr_err("drop: too large packet! (%u)\n", skb->len); ++ return -EINVAL; ++ } ++ + if (mbo->buffer_length < mdp_len) { + pr_err("drop: too small buffer! (%d for %d)\n", + mbo->buffer_length, mdp_len); +@@ -128,6 +133,11 @@ static int skb_to_mep(const struct sk_bu + u8 *buff = mbo->virt_address; + unsigned int mep_len = skb->len + MEP_HDR_LEN; + ++ if (mep_len < skb->len) { ++ pr_err("drop: too large packet! (%u)\n", skb->len); ++ return -EINVAL; ++ } ++ + if (mbo->buffer_length < mep_len) { + pr_err("drop: too small buffer! (%d for %d)\n", + mbo->buffer_length, mep_len); diff --git a/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch b/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch new file mode 100644 index 00000000000..fa02b2d5fd0 --- /dev/null +++ b/queue-5.4/staging-vt6656-correct-packet-types-for-cts-protect-mode.patch @@ -0,0 +1,60 @@ +From d971fdd3412f8342747778fb59b8803720ed82b1 Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:40:58 +0000 +Subject: staging: vt6656: correct packet types for CTS protect, mode. + +From: Malcolm Priestley + +commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream. + +It appears that the driver still transmits in CTS protect mode even +though it is not enabled in mac80211. + +That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect. +The only difference between them GA does not use B rates. + +Find if only B rate in GB or GA in protect mode otherwise transmit packets +as PK_TYPE_11A. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/device.h | 2 ++ + drivers/staging/vt6656/rxtx.c | 12 ++++++++---- + 2 files changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/staging/vt6656/device.h ++++ b/drivers/staging/vt6656/device.h +@@ -52,6 +52,8 @@ + #define RATE_AUTO 12 + + #define MAX_RATE 12 ++#define VNT_B_RATES (BIT(RATE_1M) | BIT(RATE_2M) |\ ++ BIT(RATE_5M) | BIT(RATE_11M)) + + /* + * device specific +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -815,10 +815,14 @@ int vnt_tx_packet(struct vnt_private *pr + if (info->band == NL80211_BAND_5GHZ) { + pkt_type = PK_TYPE_11A; + } else { +- if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) +- pkt_type = PK_TYPE_11GB; +- else +- pkt_type = PK_TYPE_11GA; ++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) { ++ if (priv->basic_rates & VNT_B_RATES) ++ pkt_type = PK_TYPE_11GB; ++ else ++ pkt_type = PK_TYPE_11GA; ++ } else { ++ pkt_type = PK_TYPE_11A; ++ } + } + } else { + pkt_type = PK_TYPE_11B; diff --git a/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch b/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch new file mode 100644 index 00000000000..c0d34544368 --- /dev/null +++ b/queue-5.4/staging-vt6656-fix-false-tx-excessive-retries-reporting.patch @@ -0,0 +1,39 @@ +From 9dd631fa99dc0a0dfbd191173bf355ba30ea786a Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:36 +0000 +Subject: staging: vt6656: Fix false Tx excessive retries reporting. + +From: Malcolm Priestley + +commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream. + +The driver reporting IEEE80211_TX_STAT_ACK is not being handled +correctly. The driver should only report on TSR_TMO flag is not +set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK +is being requested. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/int.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/staging/vt6656/int.c ++++ b/drivers/staging/vt6656/int.c +@@ -99,9 +99,11 @@ static int vnt_int_report_rate(struct vn + + info->status.rates[0].count = tx_retry; + +- if (!(tsr & (TSR_TMO | TSR_RETRYTMO))) { ++ if (!(tsr & TSR_TMO)) { + info->status.rates[0].idx = idx; +- info->flags |= IEEE80211_TX_STAT_ACK; ++ ++ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK)) ++ info->flags |= IEEE80211_TX_STAT_ACK; + } + + ieee80211_tx_status_irqsafe(priv->hw, context->skb); diff --git a/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch b/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch new file mode 100644 index 00000000000..dd35d605853 --- /dev/null +++ b/queue-5.4/staging-vt6656-use-nullfuction-stack-on-mac80211.patch @@ -0,0 +1,66 @@ +From d579c43c82f093e63639151625b2139166c730fd Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Wed, 8 Jan 2020 21:41:20 +0000 +Subject: staging: vt6656: use NULLFUCTION stack on mac80211 + +From: Malcolm Priestley + +commit d579c43c82f093e63639151625b2139166c730fd upstream. + +It appears that the drivers does not go into power save correctly the +NULL data packets are not being transmitted because it not enabled +in mac80211. + +The driver needs to capture ieee80211_is_nullfunc headers and +copy the duration_id to it's own duration data header. + +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/main_usb.c | 1 + + drivers/staging/vt6656/rxtx.c | 14 +++++--------- + 2 files changed, 6 insertions(+), 9 deletions(-) + +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -1016,6 +1016,7 @@ vt6656_probe(struct usb_interface *intf, + ieee80211_hw_set(priv->hw, RX_INCLUDES_FCS); + ieee80211_hw_set(priv->hw, REPORTS_TX_ACK_STATUS); + ieee80211_hw_set(priv->hw, SUPPORTS_PS); ++ ieee80211_hw_set(priv->hw, PS_NULLFUNC_STACK); + + priv->hw->max_signal = 100; + +--- a/drivers/staging/vt6656/rxtx.c ++++ b/drivers/staging/vt6656/rxtx.c +@@ -278,11 +278,9 @@ static u16 vnt_rxtx_datahead_g(struct vn + PK_TYPE_11B, &buf->b); + + /* Get Duration and TimeStamp */ +- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration_a = dur; +- buf->duration_b = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration_a = hdr->duration_id; ++ buf->duration_b = hdr->duration_id; + } else { + buf->duration_a = vnt_get_duration_le(priv, + tx_context->pkt_type, need_ack); +@@ -371,10 +369,8 @@ static u16 vnt_rxtx_datahead_ab(struct v + tx_context->pkt_type, &buf->ab); + + /* Get Duration and TimeStampOff */ +- if (ieee80211_is_pspoll(hdr->frame_control)) { +- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15)); +- +- buf->duration = dur; ++ if (ieee80211_is_nullfunc(hdr->frame_control)) { ++ buf->duration = hdr->duration_id; + } else { + buf->duration = vnt_get_duration_le(priv, tx_context->pkt_type, + need_ack); diff --git a/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch b/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch new file mode 100644 index 00000000000..2b6eb507af1 --- /dev/null +++ b/queue-5.4/staging-wlan-ng-ensure-error-return-is-actually-returned.patch @@ -0,0 +1,37 @@ +From 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Tue, 14 Jan 2020 18:16:04 +0000 +Subject: staging: wlan-ng: ensure error return is actually returned + +From: Colin Ian King + +commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream. + +Currently when the call to prism2sta_ifst fails a netdev_err error +is reported, error return variable result is set to -1 but the +function always returns 0 for success. Fix this by returning +the error value in variable result rather than 0. + +Addresses-Coverity: ("Unused value") +Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver") +Signed-off-by: Colin Ian King +Cc: stable +Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/prism2mgmt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/wlan-ng/prism2mgmt.c ++++ b/drivers/staging/wlan-ng/prism2mgmt.c +@@ -959,7 +959,7 @@ int prism2mgmt_flashdl_state(struct wlan + } + } + +- return 0; ++ return result; + } + + /*---------------------------------------------------------------- diff --git a/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch b/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch new file mode 100644 index 00000000000..ca017cd3f80 --- /dev/null +++ b/queue-5.4/usb-dwc3-pci-add-id-for-the-intel-comet-lake-v-variant.patch @@ -0,0 +1,41 @@ +From f5ae8869095552e3396ee3e404f9586cc6a828f0 Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Fri, 17 Jan 2020 12:30:33 +0300 +Subject: usb: dwc3: pci: add ID for the Intel Comet Lake -V variant + +From: Heikki Krogerus + +commit f5ae8869095552e3396ee3e404f9586cc6a828f0 upstream. + +There is one more Comet Lake PCH variant, CML-V, that has +its own PCI ID. + +Signed-off-by: Heikki Krogerus +Cc: stable +Link: https://lore.kernel.org/r/20200117093033.48616-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/dwc3-pci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/dwc3-pci.c ++++ b/drivers/usb/dwc3/dwc3-pci.c +@@ -34,6 +34,7 @@ + #define PCI_DEVICE_ID_INTEL_GLK 0x31aa + #define PCI_DEVICE_ID_INTEL_CNPLP 0x9dee + #define PCI_DEVICE_ID_INTEL_CNPH 0xa36e ++#define PCI_DEVICE_ID_INTEL_CNPV 0xa3b0 + #define PCI_DEVICE_ID_INTEL_ICLLP 0x34ee + #define PCI_DEVICE_ID_INTEL_EHLLP 0x4b7e + #define PCI_DEVICE_ID_INTEL_TGPLP 0xa0ee +@@ -342,6 +343,9 @@ static const struct pci_device_id dwc3_p + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CNPH), + (kernel_ulong_t) &dwc3_pci_intel_properties, }, + ++ { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_CNPV), ++ (kernel_ulong_t) &dwc3_pci_intel_properties, }, ++ + { PCI_VDEVICE(INTEL, PCI_DEVICE_ID_INTEL_ICLLP), + (kernel_ulong_t) &dwc3_pci_intel_properties, }, + diff --git a/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch b/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch new file mode 100644 index 00000000000..45969102735 --- /dev/null +++ b/queue-5.4/usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch @@ -0,0 +1,35 @@ +From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Wed, 11 Dec 2019 10:10:03 -0600 +Subject: usb: dwc3: turn off VBUS when leaving host mode + +From: Bin Liu + +commit 09ed259fac621634d51cd986aa8d65f035662658 upstream. + +VBUS should be turned off when leaving the host mode. +Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to +turn off VBUS power. + +Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function") +Cc: stable@vger.kernel.org +Signed-off-by: Bin Liu +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -1209,6 +1209,9 @@ static void dwc3_core_exit_mode(struct d + /* do nothing */ + break; + } ++ ++ /* de-assert DRVVBUS for HOST and OTG mode */ ++ dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE); + } + + static void dwc3_get_properties(struct dwc3 *dwc) diff --git a/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch b/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch new file mode 100644 index 00000000000..6e26e792ac6 --- /dev/null +++ b/queue-5.4/usb-host-xhci-tegra-set-module_firmware-for-tegra186.patch @@ -0,0 +1,40 @@ +From e1f236efd9c579a29d7df75aa052127d0d975267 Mon Sep 17 00:00:00 2001 +From: Peter Robinson +Date: Mon, 20 Jan 2020 14:19:10 +0000 +Subject: usb: host: xhci-tegra: set MODULE_FIRMWARE for tegra186 + +From: Peter Robinson + +commit e1f236efd9c579a29d7df75aa052127d0d975267 upstream. + +Set the MODULE_FIRMWARE for tegra186, it's registered for 124/210 and +ensures the firmware is available at the appropriate time such as in +the initrd, else if the firmware is unavailable the driver fails with +the following errors: + +tegra-xusb 3530000.usb: Direct firmware load for nvidia/tegra186/xusb.bin failed with error -2 +tegra-xusb 3530000.usb: failed to request firmware: -2 +tegra-xusb 3530000.usb: failed to load firmware: -2 +tegra-xusb: probe of 3530000.usb failed with error -2 + +Fixes: 5f9be5f3f899 ("usb: host: xhci-tegra: Add Tegra186 XUSB support") +Signed-off-by: Peter Robinson +Acked-by: Thierry Reding +Cc: stable +Link: https://lore.kernel.org/r/20200120141910.116097-1-pbrobinson@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-tegra.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/xhci-tegra.c ++++ b/drivers/usb/host/xhci-tegra.c +@@ -1413,6 +1413,7 @@ MODULE_FIRMWARE("nvidia/tegra210/xusb.bi + + static const char * const tegra186_supply_names[] = { + }; ++MODULE_FIRMWARE("nvidia/tegra186/xusb.bin"); + + static const struct tegra_xusb_phy_type tegra186_phy_types[] = { + { .name = "usb3", .num = 3, }, diff --git a/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch b/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..b3c514b7ce3 --- /dev/null +++ b/queue-5.4/usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,40 @@ +From 2988a8ae7476fe9535ab620320790d1714bdad1d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:26 +0100 +Subject: USB: serial: ir-usb: add missing endpoint sanity check + +From: Johan Hovold + +commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream. + +Add missing endpoint sanity check to avoid dereferencing a NULL-pointer +on open() in case a device lacks a bulk-out endpoint. + +Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using +generic framework") the oops would instead happen on open() if the +device lacked a bulk-in endpoint and on write() if it lacked a bulk-out +endpoint. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Cc: stable +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -195,6 +195,9 @@ static int ir_startup(struct usb_serial + struct usb_irda_cs_descriptor *irda_desc; + int rates; + ++ if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1) ++ return -ENODEV; ++ + irda_desc = irda_usb_find_class_desc(serial, 0); + if (!irda_desc) { + dev_err(&serial->dev->dev, diff --git a/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch b/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch new file mode 100644 index 00000000000..66a543c0597 --- /dev/null +++ b/queue-5.4/usb-serial-ir-usb-fix-irlap-framing.patch @@ -0,0 +1,173 @@ +From 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:28 +0100 +Subject: USB: serial: ir-usb: fix IrLAP framing + +From: Johan Hovold + +commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream. + +Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +switched to using the generic write implementation which may combine +multiple write requests into larger transfers. This can break the IrLAP +protocol where end-of-frame is determined using the USB short packet +mechanism, for example, if multiple frames are sent in rapid succession. + +Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework") +Cc: stable # 2.6.35 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++++++++--------- + 1 file changed, 91 insertions(+), 22 deletions(-) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -45,9 +45,10 @@ static int buffer_size; + static int xbof = -1; + + static int ir_startup (struct usb_serial *serial); +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port); +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size); ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count); ++static int ir_write_room(struct tty_struct *tty); ++static void ir_write_bulk_callback(struct urb *urb); + static void ir_process_read_urb(struct urb *urb); + static void ir_set_termios(struct tty_struct *tty, + struct usb_serial_port *port, struct ktermios *old_termios); +@@ -77,8 +78,9 @@ static struct usb_serial_driver ir_devic + .num_ports = 1, + .set_termios = ir_set_termios, + .attach = ir_startup, +- .open = ir_open, +- .prepare_write_buffer = ir_prepare_write_buffer, ++ .write = ir_write, ++ .write_room = ir_write_room, ++ .write_bulk_callback = ir_write_bulk_callback, + .process_read_urb = ir_process_read_urb, + }; + +@@ -254,35 +256,102 @@ static int ir_startup(struct usb_serial + return 0; + } + +-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port) ++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port, ++ const unsigned char *buf, int count) + { +- int i; ++ struct urb *urb = NULL; ++ unsigned long flags; ++ int ret; + +- for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i) +- port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET; ++ if (port->bulk_out_size == 0) ++ return -EINVAL; + +- /* Start reading from the device */ +- return usb_serial_generic_open(tty, port); +-} ++ if (count == 0) ++ return 0; + +-static int ir_prepare_write_buffer(struct usb_serial_port *port, +- void *dest, size_t size) +-{ +- unsigned char *buf = dest; +- int count; ++ count = min(count, port->bulk_out_size - 1); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ if (__test_and_clear_bit(0, &port->write_urbs_free)) { ++ urb = port->write_urbs[0]; ++ port->tx_bytes += count; ++ } ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ if (!urb) ++ return 0; + + /* + * The first byte of the packet we send to the device contains an +- * inbound header which indicates an additional number of BOFs and ++ * outbound header which indicates an additional number of BOFs and + * a baud rate change. + * + * See section 5.4.2.2 of the USB IrDA spec. + */ +- *buf = ir_xbof | ir_baud; ++ *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud; ++ ++ memcpy(urb->transfer_buffer + 1, buf, count); ++ ++ urb->transfer_buffer_length = count + 1; ++ urb->transfer_flags = URB_ZERO_PACKET; ++ ++ ret = usb_submit_urb(urb, GFP_ATOMIC); ++ if (ret) { ++ dev_err(&port->dev, "failed to submit write urb: %d\n", ret); ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= count; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ return ret; ++ } ++ ++ return count; ++} ++ ++static void ir_write_bulk_callback(struct urb *urb) ++{ ++ struct usb_serial_port *port = urb->context; ++ int status = urb->status; ++ unsigned long flags; ++ ++ spin_lock_irqsave(&port->lock, flags); ++ __set_bit(0, &port->write_urbs_free); ++ port->tx_bytes -= urb->transfer_buffer_length - 1; ++ spin_unlock_irqrestore(&port->lock, flags); ++ ++ switch (status) { ++ case 0: ++ break; ++ case -ENOENT: ++ case -ECONNRESET: ++ case -ESHUTDOWN: ++ dev_dbg(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ case -EPIPE: ++ dev_err(&port->dev, "write urb stopped: %d\n", status); ++ return; ++ default: ++ dev_err(&port->dev, "nonzero write-urb status: %d\n", status); ++ break; ++ } ++ ++ usb_serial_port_softint(port); ++} ++ ++static int ir_write_room(struct tty_struct *tty) ++{ ++ struct usb_serial_port *port = tty->driver_data; ++ int count = 0; ++ ++ if (port->bulk_out_size == 0) ++ return 0; ++ ++ if (test_bit(0, &port->write_urbs_free)) ++ count = port->bulk_out_size - 1; + +- count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1, +- &port->lock); +- return count + 1; ++ return count; + } + + static void ir_process_read_urb(struct urb *urb) diff --git a/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch b/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch new file mode 100644 index 00000000000..14270a38b76 --- /dev/null +++ b/queue-5.4/usb-serial-ir-usb-fix-link-speed-handling.patch @@ -0,0 +1,102 @@ +From 17a0184ca17e288decdca8b2841531e34d49285f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Jan 2020 11:15:27 +0100 +Subject: USB: serial: ir-usb: fix link-speed handling + +From: Johan Hovold + +commit 17a0184ca17e288decdca8b2841531e34d49285f upstream. + +Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB +IrDA header with common defines, but mistakingly switched to using the +class-descriptor baud-rate bitmask values for the outbound header. + +This broke link-speed handling for rates above 9600 baud, but a device +would also be able to operate at the default 9600 baud until a +link-speed request was issued (e.g. using the TCGETS ioctl). + +Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module") +Cc: stable # 2.6.27 +Cc: Felipe Balbi +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ir-usb.c | 20 ++++++++++---------- + include/linux/usb/irda.h | 13 ++++++++++++- + 2 files changed, 22 insertions(+), 11 deletions(-) + +--- a/drivers/usb/serial/ir-usb.c ++++ b/drivers/usb/serial/ir-usb.c +@@ -335,34 +335,34 @@ static void ir_set_termios(struct tty_st + + switch (baud) { + case 2400: +- ir_baud = USB_IRDA_BR_2400; ++ ir_baud = USB_IRDA_LS_2400; + break; + case 9600: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + break; + case 19200: +- ir_baud = USB_IRDA_BR_19200; ++ ir_baud = USB_IRDA_LS_19200; + break; + case 38400: +- ir_baud = USB_IRDA_BR_38400; ++ ir_baud = USB_IRDA_LS_38400; + break; + case 57600: +- ir_baud = USB_IRDA_BR_57600; ++ ir_baud = USB_IRDA_LS_57600; + break; + case 115200: +- ir_baud = USB_IRDA_BR_115200; ++ ir_baud = USB_IRDA_LS_115200; + break; + case 576000: +- ir_baud = USB_IRDA_BR_576000; ++ ir_baud = USB_IRDA_LS_576000; + break; + case 1152000: +- ir_baud = USB_IRDA_BR_1152000; ++ ir_baud = USB_IRDA_LS_1152000; + break; + case 4000000: +- ir_baud = USB_IRDA_BR_4000000; ++ ir_baud = USB_IRDA_LS_4000000; + break; + default: +- ir_baud = USB_IRDA_BR_9600; ++ ir_baud = USB_IRDA_LS_9600; + baud = 9600; + } + +--- a/include/linux/usb/irda.h ++++ b/include/linux/usb/irda.h +@@ -119,11 +119,22 @@ struct usb_irda_cs_descriptor { + * 6 - 115200 bps + * 7 - 576000 bps + * 8 - 1.152 Mbps +- * 9 - 5 mbps ++ * 9 - 4 Mbps + * 10..15 - Reserved + */ + #define USB_IRDA_STATUS_LINK_SPEED 0x0f + ++#define USB_IRDA_LS_NO_CHANGE 0 ++#define USB_IRDA_LS_2400 1 ++#define USB_IRDA_LS_9600 2 ++#define USB_IRDA_LS_19200 3 ++#define USB_IRDA_LS_38400 4 ++#define USB_IRDA_LS_57600 5 ++#define USB_IRDA_LS_115200 6 ++#define USB_IRDA_LS_576000 7 ++#define USB_IRDA_LS_1152000 8 ++#define USB_IRDA_LS_4000000 9 ++ + /* The following is a 4-bit value used only for + * outbound header: + * diff --git a/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch b/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch new file mode 100644 index 00000000000..80aedda5b0a --- /dev/null +++ b/queue-5.4/usb-typec-fusb302-fix-op-sink-microwatt-default-that-was-in-mw.patch @@ -0,0 +1,36 @@ +From eb7a3bb8c955b3694e0e0998413ce1563c02f90c Mon Sep 17 00:00:00 2001 +From: Thomas Hebb +Date: Mon, 20 Jan 2020 06:09:06 -0800 +Subject: usb: typec: fusb302: fix "op-sink-microwatt" default that was in mW + +From: Thomas Hebb + +commit eb7a3bb8c955b3694e0e0998413ce1563c02f90c upstream. + +commit 8f6244055bd3 ("usb: typec: fusb302: Always provide fwnode for the +port") didn't convert this value from mW to uW when migrating to a new +specification format like it should have. + +Fixes: 8f6244055bd3 ("usb: typec: fusb302: Always provide fwnode for the port") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Hebb +Reviewed-by: Heikki Krogerus +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/0da564559af75ec829c6c7e3aa4024f857c91bee.1579529334.git.tommyhebb@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tcpm/fusb302.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/tcpm/fusb302.c ++++ b/drivers/usb/typec/tcpm/fusb302.c +@@ -1666,7 +1666,7 @@ static const struct property_entry port_ + PROPERTY_ENTRY_STRING("try-power-role", "sink"), + PROPERTY_ENTRY_U32_ARRAY("source-pdos", src_pdo), + PROPERTY_ENTRY_U32_ARRAY("sink-pdos", snk_pdo), +- PROPERTY_ENTRY_U32("op-sink-microwatt", 2500), ++ PROPERTY_ENTRY_U32("op-sink-microwatt", 2500000), + { } + }; + diff --git a/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch b/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch new file mode 100644 index 00000000000..3a1cc1583c7 --- /dev/null +++ b/queue-5.4/usb-typec-wcove-fix-op-sink-microwatt-default-that-was-in-mw.patch @@ -0,0 +1,36 @@ +From 0e64350bf4668d0fbbfec66fd8e637b971b4e976 Mon Sep 17 00:00:00 2001 +From: Thomas Hebb +Date: Mon, 20 Jan 2020 06:09:05 -0800 +Subject: usb: typec: wcove: fix "op-sink-microwatt" default that was in mW + +From: Thomas Hebb + +commit 0e64350bf4668d0fbbfec66fd8e637b971b4e976 upstream. + +commit 4c912bff46cc ("usb: typec: wcove: Provide fwnode for the port") +didn't convert this value from mW to uW when migrating to a new +specification format like it should have. + +Fixes: 4c912bff46cc ("usb: typec: wcove: Provide fwnode for the port") +Cc: stable@vger.kernel.org +Signed-off-by: Thomas Hebb +Reviewed-by: Heikki Krogerus +Reviewed-by: Guenter Roeck +Link: https://lore.kernel.org/r/d8be32512efd31995ad7d65b27df9d443131b07c.1579529334.git.tommyhebb@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tcpm/wcove.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/tcpm/wcove.c ++++ b/drivers/usb/typec/tcpm/wcove.c +@@ -597,7 +597,7 @@ static const struct property_entry wcove + PROPERTY_ENTRY_STRING("try-power-role", "sink"), + PROPERTY_ENTRY_U32_ARRAY("source-pdos", src_pdo), + PROPERTY_ENTRY_U32_ARRAY("sink-pdos", snk_pdo), +- PROPERTY_ENTRY_U32("op-sink-microwatt", 15000), ++ PROPERTY_ENTRY_U32("op-sink-microwatt", 15000000), + { } + }; + diff --git a/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch b/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch new file mode 100644 index 00000000000..0e216a3e6c6 --- /dev/null +++ b/queue-5.4/zd1211rw-fix-storage-endpoint-lookup.patch @@ -0,0 +1,37 @@ +From 2d68bb2687abb747558b933e80845ff31570a49c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 10 Dec 2019 12:44:26 +0100 +Subject: zd1211rw: fix storage endpoint lookup + +From: Johan Hovold + +commit 2d68bb2687abb747558b933e80845ff31570a49c upstream. + +Make sure to use the current alternate setting when verifying the +storage interface descriptors to avoid submitting an URB to an invalid +endpoint. + +Failing to do so could cause the driver to misbehave or trigger a WARN() +in usb_submit_urb() that kernels with panic_on_warn set would choke on. + +Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device") +Cc: stable # 2.6.19 +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/zydas/zd1211rw/zd_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/zydas/zd1211rw/zd_usb.c ++++ b/drivers/net/wireless/zydas/zd1211rw/zd_usb.c +@@ -1263,7 +1263,7 @@ static void print_id(struct usb_device * + static int eject_installer(struct usb_interface *intf) + { + struct usb_device *udev = interface_to_usbdev(intf); +- struct usb_host_interface *iface_desc = &intf->altsetting[0]; ++ struct usb_host_interface *iface_desc = intf->cur_altsetting; + struct usb_endpoint_descriptor *endpoint; + unsigned char *cmd; + u8 bulk_out_ep;