From: Greg Kroah-Hartman Date: Mon, 22 Mar 2021 09:14:00 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.263~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a5f3684882d42ca36e906ed83189c6c1292a6f34;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch iio-adc-stm32-adc-add-has_iomem-dependency.patch iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch iio-hid-sensor-prox-fix-scale-not-correct-issue.patch iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch usb-gadget-configfs-fix-kasan-use-after-free.patch usb-replace-hardcode-maximum-usb-string-length-by-definition.patch usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch --- diff --git a/queue-5.4/counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch b/queue-5.4/counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch new file mode 100644 index 00000000000..1a6174c3cf3 --- /dev/null +++ b/queue-5.4/counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch @@ -0,0 +1,55 @@ +From e4c3e133294c0a292d21073899b05ebf530169bd Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Tue, 2 Mar 2021 15:43:55 +0100 +Subject: counter: stm32-timer-cnt: fix ceiling write max value + +From: Fabrice Gasnier + +commit e4c3e133294c0a292d21073899b05ebf530169bd upstream. + +The ceiling value isn't checked before writing it into registers. The user +could write a value higher than the counter resolution (e.g. 16 or 32 bits +indicated by max_arr). This makes most significant bits to be truncated. +Fix it by checking the max_arr to report a range error [1] to the user. + +[1] https://lkml.org/lkml/2021/2/12/358 + +Fixes: ad29937e206f ("counter: Add STM32 Timer quadrature encoder") +Signed-off-by: Fabrice Gasnier +Acked-by: William Breathitt Gray +Cc: +Link: https://lore.kernel.org/r/1614696235-24088-1-git-send-email-fabrice.gasnier@foss.st.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/counter/stm32-timer-cnt.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/counter/stm32-timer-cnt.c ++++ b/drivers/counter/stm32-timer-cnt.c +@@ -25,6 +25,7 @@ struct stm32_timer_cnt { + struct regmap *regmap; + struct clk *clk; + u32 ceiling; ++ u32 max_arr; + }; + + /** +@@ -189,6 +190,9 @@ static ssize_t stm32_count_ceiling_write + if (ret) + return ret; + ++ if (ceiling > priv->max_arr) ++ return -ERANGE; ++ + /* TIMx_ARR register shouldn't be buffered (ARPE=0) */ + regmap_update_bits(priv->regmap, TIM_CR1, TIM_CR1_ARPE, 0); + regmap_write(priv->regmap, TIM_ARR, ceiling); +@@ -366,6 +370,7 @@ static int stm32_timer_cnt_probe(struct + priv->regmap = ddata->regmap; + priv->clk = ddata->clk; + priv->ceiling = ddata->max_arr; ++ priv->max_arr = ddata->max_arr; + + priv->counter.name = dev_name(dev); + priv->counter.parent = dev; diff --git a/queue-5.4/iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch b/queue-5.4/iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch new file mode 100644 index 00000000000..8f7bcfcaa48 --- /dev/null +++ b/queue-5.4/iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch @@ -0,0 +1,38 @@ +From f890987fac8153227258121740a9609668c427f3 Mon Sep 17 00:00:00 2001 +From: Wilfried Wessner +Date: Mon, 8 Feb 2021 15:27:05 +0100 +Subject: iio: adc: ad7949: fix wrong ADC result due to incorrect bit mask + +From: Wilfried Wessner + +commit f890987fac8153227258121740a9609668c427f3 upstream. + +Fixes a wrong bit mask used for the ADC's result, which was caused by an +improper usage of the GENMASK() macro. The bits higher than ADC's +resolution are undefined and if not masked out correctly, a wrong result +can be given. The GENMASK() macro indexing is zero based, so the mask has +to go from [resolution - 1 , 0]. + +Fixes: 7f40e0614317f ("iio:adc:ad7949: Add AD7949 ADC driver family") +Signed-off-by: Wilfried Wessner +Reviewed-by: Andy Shevchenko +Reviewed-by: Charles-Antoine Couret +Cc: +Link: https://lore.kernel.org/r/20210208142705.GA51260@ubuntu +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7949.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/ad7949.c ++++ b/drivers/iio/adc/ad7949.c +@@ -91,7 +91,7 @@ static int ad7949_spi_read_channel(struc + int ret; + int i; + int bits_per_word = ad7949_adc->resolution; +- int mask = GENMASK(ad7949_adc->resolution, 0); ++ int mask = GENMASK(ad7949_adc->resolution - 1, 0); + struct spi_message msg; + struct spi_transfer tx[] = { + { diff --git a/queue-5.4/iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch b/queue-5.4/iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch new file mode 100644 index 00000000000..dfb7e2ced5b --- /dev/null +++ b/queue-5.4/iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch @@ -0,0 +1,48 @@ +From 7d200b283aa049fcda0d43dd6e03e9e783d2799c Mon Sep 17 00:00:00 2001 +From: Jonathan Albrieux +Date: Wed, 13 Jan 2021 16:18:07 +0100 +Subject: iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel + +From: Jonathan Albrieux + +commit 7d200b283aa049fcda0d43dd6e03e9e783d2799c upstream. + +Checking at both msm8909-pm8916.dtsi and msm8916.dtsi from downstream +it is indicated that "batt_id" channel has to be scaled with the default +function: + + chan@31 { + label = "batt_id"; + reg = <0x31>; + qcom,decimation = <0>; + qcom,pre-div-channel-scaling = <0>; + qcom,calibration-type = "ratiometric"; + qcom,scale-function = <0>; + qcom,hw-settle-time = <0xb>; + qcom,fast-avg-setup = <0>; + }; + +Change LR_MUX2_BAT_ID scaling accordingly. + +Signed-off-by: Jonathan Albrieux +Acked-by: Bjorn Andersson +Fixes: 7c271eea7b8a ("iio: adc: spmi-vadc: Changes to support different scaling") +Link: https://lore.kernel.org/r/20210113151808.4628-2-jonathan.albrieux@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/qcom-spmi-vadc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/qcom-spmi-vadc.c ++++ b/drivers/iio/adc/qcom-spmi-vadc.c +@@ -598,7 +598,7 @@ static const struct vadc_channels vadc_c + VADC_CHAN_NO_SCALE(P_MUX16_1_3, 1) + + VADC_CHAN_NO_SCALE(LR_MUX1_BAT_THERM, 0) +- VADC_CHAN_NO_SCALE(LR_MUX2_BAT_ID, 0) ++ VADC_CHAN_VOLT(LR_MUX2_BAT_ID, 0, SCALE_DEFAULT) + VADC_CHAN_NO_SCALE(LR_MUX3_XO_THERM, 0) + VADC_CHAN_NO_SCALE(LR_MUX4_AMUX_THM1, 0) + VADC_CHAN_NO_SCALE(LR_MUX5_AMUX_THM2, 0) diff --git a/queue-5.4/iio-adc-stm32-adc-add-has_iomem-dependency.patch b/queue-5.4/iio-adc-stm32-adc-add-has_iomem-dependency.patch new file mode 100644 index 00000000000..3c3338e6a2b --- /dev/null +++ b/queue-5.4/iio-adc-stm32-adc-add-has_iomem-dependency.patch @@ -0,0 +1,34 @@ +From 121875b28e3bd7519a675bf8ea2c2e793452c2bd Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 24 Jan 2021 19:50:34 +0000 +Subject: iio:adc:stm32-adc: Add HAS_IOMEM dependency + +From: Jonathan Cameron + +commit 121875b28e3bd7519a675bf8ea2c2e793452c2bd upstream. + +Seems that there are config combinations in which this driver gets enabled +and hence selects the MFD, but with out HAS_IOMEM getting pulled in +via some other route. MFD is entirely contained in an +if HAS_IOMEM block, leading to the build issue in this bugzilla. + +https://bugzilla.kernel.org/show_bug.cgi?id=209889 + +Cc: +Signed-off-by: Jonathan Cameron +Link: https://lore.kernel.org/r/20210124195034.22576-1-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/Kconfig ++++ b/drivers/iio/adc/Kconfig +@@ -784,6 +784,7 @@ config STM32_ADC_CORE + depends on ARCH_STM32 || COMPILE_TEST + depends on OF + depends on REGULATOR ++ depends on HAS_IOMEM + select IIO_BUFFER + select MFD_STM32_TIMERS + select IIO_STM32_TIMER_TRIGGER diff --git a/queue-5.4/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch b/queue-5.4/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch new file mode 100644 index 00000000000..979dd89670d --- /dev/null +++ b/queue-5.4/iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch @@ -0,0 +1,39 @@ +From a71266e454b5df10d019b06f5ebacd579f76be28 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 16 Feb 2021 22:42:13 +0300 +Subject: iio: adis16400: Fix an error code in adis16400_initial_setup() + +From: Dan Carpenter + +commit a71266e454b5df10d019b06f5ebacd579f76be28 upstream. + +This is to silence a new Smatch warning: + + drivers/iio/imu/adis16400.c:492 adis16400_initial_setup() + warn: sscanf doesn't return error codes + +If the condition "if (st->variant->flags & ADIS16400_HAS_SLOW_MODE) {" +is false then we return 1 instead of returning 0 and probe will fail. + +Fixes: 72a868b38bdd ("iio: imu: check sscanf return value") +Signed-off-by: Dan Carpenter +Cc: +Link: https://lore.kernel.org/r/YCwgFb3JVG6qrlQ+@mwanda +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/adis16400.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/imu/adis16400.c ++++ b/drivers/iio/imu/adis16400.c +@@ -464,8 +464,7 @@ static int adis16400_initial_setup(struc + if (ret) + goto err_ret; + +- ret = sscanf(indio_dev->name, "adis%u\n", &device_id); +- if (ret != 1) { ++ if (sscanf(indio_dev->name, "adis%u\n", &device_id) != 1) { + ret = -EINVAL; + goto err_ret; + } diff --git a/queue-5.4/iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch b/queue-5.4/iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch new file mode 100644 index 00000000000..017a801647c --- /dev/null +++ b/queue-5.4/iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch @@ -0,0 +1,36 @@ +From 6dbbbe4cfd398704b72b21c1d4a5d3807e909d60 Mon Sep 17 00:00:00 2001 +From: Dinghao Liu +Date: Mon, 1 Mar 2021 16:04:21 +0800 +Subject: iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler + +From: Dinghao Liu + +commit 6dbbbe4cfd398704b72b21c1d4a5d3807e909d60 upstream. + +There is one regmap_bulk_read() call in mpu3050_trigger_handler +that we have caught its return value bug lack further handling. +Check and terminate the execution flow just like the other three +regmap_bulk_read() calls in this function. + +Fixes: 3904b28efb2c7 ("iio: gyro: Add driver for the MPU-3050 gyroscope") +Signed-off-by: Dinghao Liu +Reviewed-by: Linus Walleij +Link: https://lore.kernel.org/r/20210301080421.13436-1-dinghao.liu@zju.edu.cn +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/gyro/mpu3050-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/iio/gyro/mpu3050-core.c ++++ b/drivers/iio/gyro/mpu3050-core.c +@@ -550,6 +550,8 @@ static irqreturn_t mpu3050_trigger_handl + MPU3050_FIFO_R, + &fifo_values[offset], + toread); ++ if (ret) ++ goto out_trigger_unlock; + + dev_dbg(mpu3050->dev, + "%04x %04x %04x %04x %04x\n", diff --git a/queue-5.4/iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch b/queue-5.4/iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch new file mode 100644 index 00000000000..c1855317bf5 --- /dev/null +++ b/queue-5.4/iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch @@ -0,0 +1,57 @@ +From 37e89e574dc238a4ebe439543c5ab4fbb2f0311b Mon Sep 17 00:00:00 2001 +From: Ye Xiang +Date: Wed, 3 Mar 2021 14:36:12 +0800 +Subject: iio: hid-sensor-humidity: Fix alignment issue of timestamp channel + +From: Ye Xiang + +commit 37e89e574dc238a4ebe439543c5ab4fbb2f0311b upstream. + +This patch ensures that, there is sufficient space and correct +alignment for the timestamp. + +Fixes: d7ed89d5aadf ("iio: hid: Add humidity sensor support") +Signed-off-by: Ye Xiang +Cc: +Link: https://lore.kernel.org/r/20210303063615.12130-2-xiang.ye@intel.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/humidity/hid-sensor-humidity.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/iio/humidity/hid-sensor-humidity.c ++++ b/drivers/iio/humidity/hid-sensor-humidity.c +@@ -17,7 +17,10 @@ + struct hid_humidity_state { + struct hid_sensor_common common_attributes; + struct hid_sensor_hub_attribute_info humidity_attr; +- s32 humidity_data; ++ struct { ++ s32 humidity_data; ++ u64 timestamp __aligned(8); ++ } scan; + int scale_pre_decml; + int scale_post_decml; + int scale_precision; +@@ -127,9 +130,8 @@ static int humidity_proc_event(struct hi + struct hid_humidity_state *humid_st = iio_priv(indio_dev); + + if (atomic_read(&humid_st->common_attributes.data_ready)) +- iio_push_to_buffers_with_timestamp(indio_dev, +- &humid_st->humidity_data, +- iio_get_time_ns(indio_dev)); ++ iio_push_to_buffers_with_timestamp(indio_dev, &humid_st->scan, ++ iio_get_time_ns(indio_dev)); + + return 0; + } +@@ -144,7 +146,7 @@ static int humidity_capture_sample(struc + + switch (usage_id) { + case HID_USAGE_SENSOR_ATMOSPHERIC_HUMIDITY: +- humid_st->humidity_data = *(s32 *)raw_data; ++ humid_st->scan.humidity_data = *(s32 *)raw_data; + + return 0; + default: diff --git a/queue-5.4/iio-hid-sensor-prox-fix-scale-not-correct-issue.patch b/queue-5.4/iio-hid-sensor-prox-fix-scale-not-correct-issue.patch new file mode 100644 index 00000000000..41433d2821d --- /dev/null +++ b/queue-5.4/iio-hid-sensor-prox-fix-scale-not-correct-issue.patch @@ -0,0 +1,60 @@ +From d68c592e02f6f49a88e705f13dfc1883432cf300 Mon Sep 17 00:00:00 2001 +From: Ye Xiang +Date: Sat, 30 Jan 2021 18:25:30 +0800 +Subject: iio: hid-sensor-prox: Fix scale not correct issue + +From: Ye Xiang + +commit d68c592e02f6f49a88e705f13dfc1883432cf300 upstream. + +Currently, the proxy sensor scale is zero because it just return the +exponent directly. To fix this issue, this patch use +hid_sensor_format_scale to process the scale first then return the +output. + +Fixes: 39a3a0138f61 ("iio: hid-sensors: Added Proximity Sensor Driver") +Signed-off-by: Ye Xiang +Link: https://lore.kernel.org/r/20210130102530.31064-1-xiang.ye@intel.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/hid-sensor-prox.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/iio/light/hid-sensor-prox.c ++++ b/drivers/iio/light/hid-sensor-prox.c +@@ -25,6 +25,9 @@ struct prox_state { + struct hid_sensor_common common_attributes; + struct hid_sensor_hub_attribute_info prox_attr; + u32 human_presence; ++ int scale_pre_decml; ++ int scale_post_decml; ++ int scale_precision; + }; + + /* Channel definitions */ +@@ -95,8 +98,9 @@ static int prox_read_raw(struct iio_dev + ret_type = IIO_VAL_INT; + break; + case IIO_CHAN_INFO_SCALE: +- *val = prox_state->prox_attr.units; +- ret_type = IIO_VAL_INT; ++ *val = prox_state->scale_pre_decml; ++ *val2 = prox_state->scale_post_decml; ++ ret_type = prox_state->scale_precision; + break; + case IIO_CHAN_INFO_OFFSET: + *val = hid_sensor_convert_exponent( +@@ -236,6 +240,11 @@ static int prox_parse_report(struct plat + HID_USAGE_SENSOR_HUMAN_PRESENCE, + &st->common_attributes.sensitivity); + ++ st->scale_precision = hid_sensor_format_scale( ++ hsdev->usage, ++ &st->prox_attr, ++ &st->scale_pre_decml, &st->scale_post_decml); ++ + return ret; + } + diff --git a/queue-5.4/iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch b/queue-5.4/iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch new file mode 100644 index 00000000000..099fb3d9ff4 --- /dev/null +++ b/queue-5.4/iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch @@ -0,0 +1,68 @@ +From 141e7633aa4d2838d1f6ad5c74cccc53547c16ac Mon Sep 17 00:00:00 2001 +From: Ye Xiang +Date: Wed, 3 Mar 2021 14:36:14 +0800 +Subject: iio: hid-sensor-temperature: Fix issues of timestamp channel + +From: Ye Xiang + +commit 141e7633aa4d2838d1f6ad5c74cccc53547c16ac upstream. + +This patch fixes 2 issues of timestamp channel: +1. This patch ensures that there is sufficient space and correct +alignment for the timestamp. +2. Correct the timestamp channel scan index. + +Fixes: 59d0f2da3569 ("iio: hid: Add temperature sensor support") +Signed-off-by: Ye Xiang +Cc: +Link: https://lore.kernel.org/r/20210303063615.12130-4-xiang.ye@intel.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/temperature/hid-sensor-temperature.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/iio/temperature/hid-sensor-temperature.c ++++ b/drivers/iio/temperature/hid-sensor-temperature.c +@@ -17,7 +17,10 @@ + struct temperature_state { + struct hid_sensor_common common_attributes; + struct hid_sensor_hub_attribute_info temperature_attr; +- s32 temperature_data; ++ struct { ++ s32 temperature_data; ++ u64 timestamp __aligned(8); ++ } scan; + int scale_pre_decml; + int scale_post_decml; + int scale_precision; +@@ -34,7 +37,7 @@ static const struct iio_chan_spec temper + BIT(IIO_CHAN_INFO_SAMP_FREQ) | + BIT(IIO_CHAN_INFO_HYSTERESIS), + }, +- IIO_CHAN_SOFT_TIMESTAMP(3), ++ IIO_CHAN_SOFT_TIMESTAMP(1), + }; + + /* Adjust channel real bits based on report descriptor */ +@@ -125,9 +128,8 @@ static int temperature_proc_event(struct + struct temperature_state *temp_st = iio_priv(indio_dev); + + if (atomic_read(&temp_st->common_attributes.data_ready)) +- iio_push_to_buffers_with_timestamp(indio_dev, +- &temp_st->temperature_data, +- iio_get_time_ns(indio_dev)); ++ iio_push_to_buffers_with_timestamp(indio_dev, &temp_st->scan, ++ iio_get_time_ns(indio_dev)); + + return 0; + } +@@ -142,7 +144,7 @@ static int temperature_capture_sample(st + + switch (usage_id) { + case HID_USAGE_SENSOR_DATA_ENVIRONMENTAL_TEMPERATURE: +- temp_st->temperature_data = *(s32 *)raw_data; ++ temp_st->scan.temperature_data = *(s32 *)raw_data; + return 0; + default: + return -EINVAL; diff --git a/queue-5.4/series b/queue-5.4/series index a3df0c8b7ac..88f7be3f0d4 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -31,3 +31,18 @@ scsi-lpfc-fix-some-error-codes-in-debugfs.patch scsi-myrs-fix-a-double-free-in-myrs_cleanup.patch counter-stm32-timer-cnt-report-count-function-when-s.patch nvme-rdma-fix-possible-hang-when-failing-to-set-io-q.patch +usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch +usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch +usb-replace-hardcode-maximum-usb-string-length-by-definition.patch +usb-gadget-configfs-fix-kasan-use-after-free.patch +usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch +usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch +iio-adc-stm32-adc-add-has_iomem-dependency.patch +iio-adc-qcom-spmi-vadc-add-default-scale-to-lr_mux2_bat_id-channel.patch +iio-adis16400-fix-an-error-code-in-adis16400_initial_setup.patch +iio-gyro-mpu3050-fix-error-handling-in-mpu3050_trigger_handler.patch +iio-adc-ad7949-fix-wrong-adc-result-due-to-incorrect-bit-mask.patch +iio-hid-sensor-humidity-fix-alignment-issue-of-timestamp-channel.patch +iio-hid-sensor-prox-fix-scale-not-correct-issue.patch +iio-hid-sensor-temperature-fix-issues-of-timestamp-channel.patch +counter-stm32-timer-cnt-fix-ceiling-write-max-value.patch diff --git a/queue-5.4/usb-gadget-configfs-fix-kasan-use-after-free.patch b/queue-5.4/usb-gadget-configfs-fix-kasan-use-after-free.patch new file mode 100644 index 00000000000..a29959607ea --- /dev/null +++ b/queue-5.4/usb-gadget-configfs-fix-kasan-use-after-free.patch @@ -0,0 +1,83 @@ +From 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 Mon Sep 17 00:00:00 2001 +From: Jim Lin +Date: Thu, 11 Mar 2021 14:42:41 +0800 +Subject: usb: gadget: configfs: Fix KASAN use-after-free + +From: Jim Lin + +commit 98f153a10da403ddd5e9d98a3c8c2bb54bb5a0b6 upstream. + +When gadget is disconnected, running sequence is like this. +. composite_disconnect +. Call trace: + usb_string_copy+0xd0/0x128 + gadget_config_name_configuration_store+0x4 + gadget_config_name_attr_store+0x40/0x50 + configfs_write_file+0x198/0x1f4 + vfs_write+0x100/0x220 + SyS_write+0x58/0xa8 +. configfs_composite_unbind +. configfs_composite_bind + +In configfs_composite_bind, it has +"cn->strings.s = cn->configuration;" + +When usb_string_copy is invoked. it would +allocate memory, copy input string, release previous pointed memory space, +and use new allocated memory. + +When gadget is connected, host sends down request to get information. +Call trace: + usb_gadget_get_string+0xec/0x168 + lookup_string+0x64/0x98 + composite_setup+0xa34/0x1ee8 + +If gadget is disconnected and connected quickly, in the failed case, +cn->configuration memory has been released by usb_string_copy kfree but +configfs_composite_bind hasn't been run in time to assign new allocated +"cn->configuration" pointer to "cn->strings.s". + +When "strlen(s->s) of usb_gadget_get_string is being executed, the dangling +memory is accessed, "BUG: KASAN: use-after-free" error occurs. + +Cc: stable@vger.kernel.org +Signed-off-by: Jim Lin +Signed-off-by: Macpaul Lin +Link: https://lore.kernel.org/r/1615444961-13376-1-git-send-email-macpaul.lin@mediatek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/configfs.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -109,6 +109,8 @@ struct gadget_config_name { + struct list_head list; + }; + ++#define USB_MAX_STRING_WITH_NULL_LEN (USB_MAX_STRING_LEN+1) ++ + static int usb_string_copy(const char *s, char **s_copy) + { + int ret; +@@ -118,12 +120,16 @@ static int usb_string_copy(const char *s + if (ret > USB_MAX_STRING_LEN) + return -EOVERFLOW; + +- str = kstrdup(s, GFP_KERNEL); +- if (!str) +- return -ENOMEM; ++ if (copy) { ++ str = copy; ++ } else { ++ str = kmalloc(USB_MAX_STRING_WITH_NULL_LEN, GFP_KERNEL); ++ if (!str) ++ return -ENOMEM; ++ } ++ strcpy(str, s); + if (str[ret - 1] == '\n') + str[ret - 1] = '\0'; +- kfree(copy); + *s_copy = str; + return 0; + } diff --git a/queue-5.4/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch b/queue-5.4/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch new file mode 100644 index 00000000000..609194e943d --- /dev/null +++ b/queue-5.4/usb-replace-hardcode-maximum-usb-string-length-by-definition.patch @@ -0,0 +1,80 @@ +From 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 Mon Sep 17 00:00:00 2001 +From: Macpaul Lin +Date: Thu, 18 Jun 2020 17:13:38 +0800 +Subject: USB: replace hardcode maximum usb string length by definition + +From: Macpaul Lin + +commit 81c7462883b0cc0a4eeef0687f80ad5b5baee5f6 upstream. + +Replace hardcoded maximum USB string length (126 bytes) by definition +"USB_MAX_STRING_LEN". + +Signed-off-by: Macpaul Lin +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/1592471618-29428-1-git-send-email-macpaul.lin@mediatek.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 4 ++-- + drivers/usb/gadget/configfs.c | 2 +- + drivers/usb/gadget/usbstring.c | 4 ++-- + include/uapi/linux/usb/ch9.h | 3 +++ + 4 files changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1091,7 +1091,7 @@ static void collect_langs(struct usb_gad + while (*sp) { + s = *sp; + language = cpu_to_le16(s->language); +- for (tmp = buf; *tmp && tmp < &buf[126]; tmp++) { ++ for (tmp = buf; *tmp && tmp < &buf[USB_MAX_STRING_LEN]; tmp++) { + if (*tmp == language) + goto repeat; + } +@@ -1166,7 +1166,7 @@ static int get_string(struct usb_composi + collect_langs(sp, s->wData); + } + +- for (len = 0; len <= 126 && s->wData[len]; len++) ++ for (len = 0; len <= USB_MAX_STRING_LEN && s->wData[len]; len++) + continue; + if (!len) + return -EINVAL; +--- a/drivers/usb/gadget/configfs.c ++++ b/drivers/usb/gadget/configfs.c +@@ -115,7 +115,7 @@ static int usb_string_copy(const char *s + char *str; + char *copy = *s_copy; + ret = strlen(s); +- if (ret > 126) ++ if (ret > USB_MAX_STRING_LEN) + return -EOVERFLOW; + + str = kstrdup(s, GFP_KERNEL); +--- a/drivers/usb/gadget/usbstring.c ++++ b/drivers/usb/gadget/usbstring.c +@@ -55,9 +55,9 @@ usb_gadget_get_string (const struct usb_ + return -EINVAL; + + /* string descriptors have length, tag, then UTF16-LE text */ +- len = min ((size_t) 126, strlen (s->s)); ++ len = min((size_t)USB_MAX_STRING_LEN, strlen(s->s)); + len = utf8s_to_utf16s(s->s, len, UTF16_LITTLE_ENDIAN, +- (wchar_t *) &buf[2], 126); ++ (wchar_t *) &buf[2], USB_MAX_STRING_LEN); + if (len < 0) + return -EINVAL; + buf [0] = (len + 1) * 2; +--- a/include/uapi/linux/usb/ch9.h ++++ b/include/uapi/linux/usb/ch9.h +@@ -364,6 +364,9 @@ struct usb_config_descriptor { + + /*-------------------------------------------------------------------------*/ + ++/* USB String descriptors can contain at most 126 characters. */ ++#define USB_MAX_STRING_LEN 126 ++ + /* USB_DT_STRING: String descriptor */ + struct usb_string_descriptor { + __u8 bLength; diff --git a/queue-5.4/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch b/queue-5.4/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch new file mode 100644 index 00000000000..6a75242dc7e --- /dev/null +++ b/queue-5.4/usb-storage-add-quirk-to-defeat-kindle-s-automatic-unload.patch @@ -0,0 +1,93 @@ +From 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 17 Mar 2021 15:06:54 -0400 +Subject: usb-storage: Add quirk to defeat Kindle's automatic unload + +From: Alan Stern + +commit 546aa0e4ea6ed81b6c51baeebc4364542fa3f3a7 upstream. + +Matthias reports that the Amazon Kindle automatically removes its +emulated media if it doesn't receive another SCSI command within about +one second after a SYNCHRONIZE CACHE. It does so even when the host +has sent a PREVENT MEDIUM REMOVAL command. The reason for this +behavior isn't clear, although it's not hard to make some guesses. + +At any rate, the results can be unexpected for anyone who tries to +access the Kindle in an unusual fashion, and in theory they can lead +to data loss (for example, if one file is closed and synchronized +while other files are still in the middle of being written). + +To avoid such problems, this patch creates a new usb-storage quirks +flag telling the driver always to issue a REQUEST SENSE following a +SYNCHRONIZE CACHE command, and adds an unusual_devs entry for the +Kindle with the flag set. This is sufficient to prevent the Kindle +from doing its automatic unload, without interfering with proper +operation. + +Another possible way to deal with this would be to increase the +frequency of TEST UNIT READY polling that the kernel normally carries +out for removable-media storage devices. However that would increase +the overall load on the system and it is not as reliable, because the +user can override the polling interval. Changing the driver's +behavior is safer and has minimal overhead. + +CC: +Reported-and-tested-by: Matthias Schwarzott +Signed-off-by: Alan Stern +Link: https://lore.kernel.org/r/20210317190654.GA497856@rowland.harvard.edu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/transport.c | 7 +++++++ + drivers/usb/storage/unusual_devs.h | 12 ++++++++++++ + include/linux/usb_usual.h | 2 ++ + 3 files changed, 21 insertions(+) + +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -651,6 +651,13 @@ void usb_stor_invoke_transport(struct sc + need_auto_sense = 1; + } + ++ /* Some devices (Kindle) require another command after SYNC CACHE */ ++ if ((us->fflags & US_FL_SENSE_AFTER_SYNC) && ++ srb->cmnd[0] == SYNCHRONIZE_CACHE) { ++ usb_stor_dbg(us, "-- sense after SYNC CACHE\n"); ++ need_auto_sense = 1; ++ } ++ + /* + * If we have a failure, we're going to do a REQUEST_SENSE + * automatically. Note that we differentiate between a command +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2212,6 +2212,18 @@ UNUSUAL_DEV( 0x1908, 0x3335, 0x0200, 0x0 + US_FL_NO_READ_DISC_INFO ), + + /* ++ * Reported by Matthias Schwarzott ++ * The Amazon Kindle treats SYNCHRONIZE CACHE as an indication that ++ * the host may be finished with it, and automatically ejects its ++ * emulated media unless it receives another command within one second. ++ */ ++UNUSUAL_DEV( 0x1949, 0x0004, 0x0000, 0x9999, ++ "Amazon", ++ "Kindle", ++ USB_SC_DEVICE, USB_PR_DEVICE, NULL, ++ US_FL_SENSE_AFTER_SYNC ), ++ ++/* + * Reported by Oliver Neukum + * This device morphes spontaneously into another device if the access + * pattern of Windows isn't followed. Thus writable media would be dirty +--- a/include/linux/usb_usual.h ++++ b/include/linux/usb_usual.h +@@ -86,6 +86,8 @@ + /* lies about caching, so always sync */ \ + US_FLAG(NO_SAME, 0x40000000) \ + /* Cannot handle WRITE_SAME */ \ ++ US_FLAG(SENSE_AFTER_SYNC, 0x80000000) \ ++ /* Do REQUEST_SENSE after SYNCHRONIZE_CACHE */ \ + + #define US_FLAG(name, value) US_FL_##name = value , + enum { US_DO_ALL_FLAGS }; diff --git a/queue-5.4/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch b/queue-5.4/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch new file mode 100644 index 00000000000..b7d6484c0f6 --- /dev/null +++ b/queue-5.4/usb-typec-remove-vdo-part-of-tps6598x_rx_identity_reg-struct.patch @@ -0,0 +1,40 @@ +From 3cac9104bea41099cf622091f0c0538bcb19050d Mon Sep 17 00:00:00 2001 +From: Elias Rudberg +Date: Thu, 11 Mar 2021 13:47:10 +0100 +Subject: usb: typec: Remove vdo[3] part of tps6598x_rx_identity_reg struct +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Elias Rudberg + +commit 3cac9104bea41099cf622091f0c0538bcb19050d upstream. + +Remove the unused "u32 vdo[3]" part in the tps6598x_rx_identity_reg +struct. This helps avoid "failed to register partner" errors which +happen when tps6598x_read_partner_identity() fails because the +amount of data read is 12 bytes smaller than the struct size. +Note that vdo[3] is already in usb_pd_identity and hence +shouldn't be added to tps6598x_rx_identity_reg as well. + +Fixes: f6c56ca91b92 ("usb: typec: Add the Product Type VDOs to struct usb_pd_identity") +Reviewed-by: Heikki Krogerus +Reviewed-by: Guido Günther +Signed-off-by: Elias Rudberg +Cc: stable +Link: https://lore.kernel.org/r/20210311124710.6563-1-mail@eliasrudberg.se +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tps6598x.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/typec/tps6598x.c ++++ b/drivers/usb/typec/tps6598x.c +@@ -61,7 +61,6 @@ enum { + struct tps6598x_rx_identity_reg { + u8 status; + struct usb_pd_identity identity; +- u32 vdo[3]; + } __packed; + + /* Standard Task return codes */ diff --git a/queue-5.4/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch b/queue-5.4/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch new file mode 100644 index 00000000000..eb5c8d7106e --- /dev/null +++ b/queue-5.4/usb-typec-tcpm-invoke-power_supply_changed-for-tcpm-source-psy.patch @@ -0,0 +1,84 @@ +From 86629e098a077922438efa98dc80917604dfd317 Mon Sep 17 00:00:00 2001 +From: Badhri Jagan Sridharan +Date: Wed, 17 Mar 2021 11:12:48 -0700 +Subject: usb: typec: tcpm: Invoke power_supply_changed for tcpm-source-psy- + +From: Badhri Jagan Sridharan + +commit 86629e098a077922438efa98dc80917604dfd317 upstream. + +tcpm-source-psy- does not invoke power_supply_changed API when +one of the published power supply properties is changed. +power_supply_changed needs to be called to notify +userspace clients(uevents) and kernel clients. + +Fixes: f2a8aa053c176 ("typec: tcpm: Represent source supply through power_supply") +Reviewed-by: Guenter Roeck +Reviewed-by: Heikki Krogerus +Signed-off-by: Badhri Jagan Sridharan +Cc: stable +Link: https://lore.kernel.org/r/20210317181249.1062995-1-badhri@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/typec/tcpm/tcpm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/typec/tcpm/tcpm.c ++++ b/drivers/usb/typec/tcpm/tcpm.c +@@ -739,6 +739,7 @@ static int tcpm_set_current_limit(struct + + port->supply_voltage = mv; + port->current_limit = max_ma; ++ power_supply_changed(port->psy); + + if (port->tcpc->set_current_limit) + ret = port->tcpc->set_current_limit(port->tcpc, max_ma, mv); +@@ -2138,6 +2139,7 @@ static int tcpm_pd_select_pdo(struct tcp + + port->pps_data.supported = false; + port->usb_type = POWER_SUPPLY_USB_TYPE_PD; ++ power_supply_changed(port->psy); + + /* + * Select the source PDO providing the most power which has a +@@ -2162,6 +2164,7 @@ static int tcpm_pd_select_pdo(struct tcp + port->pps_data.supported = true; + port->usb_type = + POWER_SUPPLY_USB_TYPE_PD_PPS; ++ power_supply_changed(port->psy); + } + continue; + default: +@@ -2319,6 +2322,7 @@ static unsigned int tcpm_pd_select_pps_a + port->pps_data.out_volt)); + port->pps_data.op_curr = min(port->pps_data.max_curr, + port->pps_data.op_curr); ++ power_supply_changed(port->psy); + } + + return src_pdo; +@@ -2554,6 +2558,7 @@ static int tcpm_set_charge(struct tcpm_p + return ret; + } + port->vbus_charge = charge; ++ power_supply_changed(port->psy); + return 0; + } + +@@ -4665,7 +4670,7 @@ static int tcpm_psy_set_prop(struct powe + ret = -EINVAL; + break; + } +- ++ power_supply_changed(port->psy); + return ret; + } + +@@ -4816,6 +4821,7 @@ struct tcpm_port *tcpm_register_port(str + err = devm_tcpm_psy_register(port); + if (err) + goto out_role_sw_put; ++ power_supply_changed(port->psy); + + port->typec_port = typec_register_port(port->dev, &port->typec_caps); + if (IS_ERR(port->typec_port)) { diff --git a/queue-5.4/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch b/queue-5.4/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch new file mode 100644 index 00000000000..0d47e886d53 --- /dev/null +++ b/queue-5.4/usbip-fix-incorrect-double-assignment-to-udc-ud.tcp_rx.patch @@ -0,0 +1,34 @@ +From 9858af27e69247c5d04c3b093190a93ca365f33d Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Thu, 11 Mar 2021 10:44:45 +0000 +Subject: usbip: Fix incorrect double assignment to udc->ud.tcp_rx + +From: Colin Ian King + +commit 9858af27e69247c5d04c3b093190a93ca365f33d upstream. + +Currently udc->ud.tcp_rx is being assigned twice, the second assignment +is incorrect, it should be to udc->ud.tcp_tx instead of rx. Fix this. + +Fixes: 46613c9dfa96 ("usbip: fix vudc usbip_sockfd_store races leading to gpf") +Acked-by: Shuah Khan +Signed-off-by: Colin Ian King +Cc: stable +Addresses-Coverity: ("Unused value") +Link: https://lore.kernel.org/r/20210311104445.7811-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/usbip/vudc_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/usbip/vudc_sysfs.c ++++ b/drivers/usb/usbip/vudc_sysfs.c +@@ -174,7 +174,7 @@ static ssize_t usbip_sockfd_store(struct + + udc->ud.tcp_socket = socket; + udc->ud.tcp_rx = tcp_rx; +- udc->ud.tcp_rx = tcp_tx; ++ udc->ud.tcp_tx = tcp_tx; + udc->ud.status = SDEV_ST_USED; + + spin_unlock_irq(&udc->ud.lock);