From: Greg Kroah-Hartman Date: Fri, 12 Jul 2019 08:59:24 +0000 (+0200) Subject: 5.1-stable patches X-Git-Tag: v5.2.1~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f40865e3309aa5680fbf8c0f680d96ab1b4d3aeb;p=thirdparty%2Fkernel%2Fstable-queue.git 5.1-stable patches added patches: binder-fix-memory-leak-in-error-path.patch binder-return-errors-from-buffer-copy-functions.patch drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch hid-add-another-primax-pixart-oem-mouse-quirk.patch iio-adc-stm32-adc-add-missing-vdda-supply.patch lkdtm-support-llvm-objcopy.patch p54-fix-crash-during-initialization.patch p54usb-fix-race-between-disconnect-and-firmware-loading.patch revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch usb-gadget-f_fs-data_len-used-before-properly-set.patch usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch --- diff --git a/queue-5.1/binder-fix-memory-leak-in-error-path.patch b/queue-5.1/binder-fix-memory-leak-in-error-path.patch new file mode 100644 index 00000000000..3111e7af3ce --- /dev/null +++ b/queue-5.1/binder-fix-memory-leak-in-error-path.patch @@ -0,0 +1,43 @@ +From 1909a671dbc3606685b1daf8b22a16f65ea7edda Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 21 Jun 2019 10:54:15 -0700 +Subject: binder: fix memory leak in error path + +From: Todd Kjos + +commit 1909a671dbc3606685b1daf8b22a16f65ea7edda upstream. + +syzkallar found a 32-byte memory leak in a rarely executed error +case. The transaction complete work item was not freed if put_user() +failed when writing the BR_TRANSACTION_COMPLETE to the user command +buffer. Fixed by freeing it before put_user() is called. + +Reported-by: syzbot+182ce46596c3f2e1eb24@syzkaller.appspotmail.com +Signed-off-by: Todd Kjos +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -4267,6 +4267,8 @@ retry: + case BINDER_WORK_TRANSACTION_COMPLETE: { + binder_inner_proc_unlock(proc); + cmd = BR_TRANSACTION_COMPLETE; ++ kfree(w); ++ binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); + if (put_user(cmd, (uint32_t __user *)ptr)) + return -EFAULT; + ptr += sizeof(uint32_t); +@@ -4275,8 +4277,6 @@ retry: + binder_debug(BINDER_DEBUG_TRANSACTION_COMPLETE, + "%d:%d BR_TRANSACTION_COMPLETE\n", + proc->pid, thread->pid); +- kfree(w); +- binder_stats_deleted(BINDER_STAT_TRANSACTION_COMPLETE); + } break; + case BINDER_WORK_NODE: { + struct binder_node *node = container_of(w, struct binder_node, work); diff --git a/queue-5.1/binder-return-errors-from-buffer-copy-functions.patch b/queue-5.1/binder-return-errors-from-buffer-copy-functions.patch new file mode 100644 index 00000000000..e06263a81a2 --- /dev/null +++ b/queue-5.1/binder-return-errors-from-buffer-copy-functions.patch @@ -0,0 +1,421 @@ +From bb4a2e48d5100ed3ff614df158a636bca3c6bf9f Mon Sep 17 00:00:00 2001 +From: Todd Kjos +Date: Fri, 28 Jun 2019 09:50:12 -0700 +Subject: binder: return errors from buffer copy functions + +From: Todd Kjos + +commit bb4a2e48d5100ed3ff614df158a636bca3c6bf9f upstream. + +The buffer copy functions assumed the caller would ensure +correct alignment and that the memory to be copied was +completely within the binder buffer. There have been +a few cases discovered by syzkallar where a malformed +transaction created by a user could violated the +assumptions and resulted in a BUG_ON. + +The fix is to remove the BUG_ON and always return the +error to be handled appropriately by the caller. + +Acked-by: Martijn Coenen +Reported-by: syzbot+3ae18325f96190606754@syzkaller.appspotmail.com +Fixes: bde4a19fc04f ("binder: use userspace pointer as base of buffer space") +Suggested-by: Dan Carpenter +Signed-off-by: Todd Kjos +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/android/binder.c | 151 ++++++++++++++++++++++++----------------- + drivers/android/binder_alloc.c | 44 ++++++----- + drivers/android/binder_alloc.h | 20 ++--- + 3 files changed, 124 insertions(+), 91 deletions(-) + +--- a/drivers/android/binder.c ++++ b/drivers/android/binder.c +@@ -2068,10 +2068,9 @@ static size_t binder_get_object(struct b + + read_size = min_t(size_t, sizeof(*object), buffer->data_size - offset); + if (offset > buffer->data_size || read_size < sizeof(*hdr) || +- !IS_ALIGNED(offset, sizeof(u32))) ++ binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, ++ offset, read_size)) + return 0; +- binder_alloc_copy_from_buffer(&proc->alloc, object, buffer, +- offset, read_size); + + /* Ok, now see if we read a complete object. */ + hdr = &object->hdr; +@@ -2140,8 +2139,10 @@ static struct binder_buffer_object *bind + return NULL; + + buffer_offset = start_offset + sizeof(binder_size_t) * index; +- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, +- b, buffer_offset, sizeof(object_offset)); ++ if (binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, ++ b, buffer_offset, ++ sizeof(object_offset))) ++ return NULL; + object_size = binder_get_object(proc, b, object_offset, object); + if (!object_size || object->hdr.type != BINDER_TYPE_PTR) + return NULL; +@@ -2221,10 +2222,12 @@ static bool binder_validate_fixup(struct + return false; + last_min_offset = last_bbo->parent_offset + sizeof(uintptr_t); + buffer_offset = objects_start_offset + +- sizeof(binder_size_t) * last_bbo->parent, +- binder_alloc_copy_from_buffer(&proc->alloc, &last_obj_offset, +- b, buffer_offset, +- sizeof(last_obj_offset)); ++ sizeof(binder_size_t) * last_bbo->parent; ++ if (binder_alloc_copy_from_buffer(&proc->alloc, ++ &last_obj_offset, ++ b, buffer_offset, ++ sizeof(last_obj_offset))) ++ return false; + } + return (fixup_offset >= last_min_offset); + } +@@ -2310,15 +2313,15 @@ static void binder_transaction_buffer_re + for (buffer_offset = off_start_offset; buffer_offset < off_end_offset; + buffer_offset += sizeof(binder_size_t)) { + struct binder_object_header *hdr; +- size_t object_size; ++ size_t object_size = 0; + struct binder_object object; + binder_size_t object_offset; + +- binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, +- buffer, buffer_offset, +- sizeof(object_offset)); +- object_size = binder_get_object(proc, buffer, +- object_offset, &object); ++ if (!binder_alloc_copy_from_buffer(&proc->alloc, &object_offset, ++ buffer, buffer_offset, ++ sizeof(object_offset))) ++ object_size = binder_get_object(proc, buffer, ++ object_offset, &object); + if (object_size == 0) { + pr_err("transaction release %d bad object at offset %lld, size %zd\n", + debug_id, (u64)object_offset, buffer->data_size); +@@ -2441,15 +2444,16 @@ static void binder_transaction_buffer_re + for (fd_index = 0; fd_index < fda->num_fds; + fd_index++) { + u32 fd; ++ int err; + binder_size_t offset = fda_offset + + fd_index * sizeof(fd); + +- binder_alloc_copy_from_buffer(&proc->alloc, +- &fd, +- buffer, +- offset, +- sizeof(fd)); +- binder_deferred_fd_close(fd); ++ err = binder_alloc_copy_from_buffer( ++ &proc->alloc, &fd, buffer, ++ offset, sizeof(fd)); ++ WARN_ON(err); ++ if (!err) ++ binder_deferred_fd_close(fd); + } + } break; + default: +@@ -2692,11 +2696,12 @@ static int binder_translate_fd_array(str + int ret; + binder_size_t offset = fda_offset + fdi * sizeof(fd); + +- binder_alloc_copy_from_buffer(&target_proc->alloc, +- &fd, t->buffer, +- offset, sizeof(fd)); +- ret = binder_translate_fd(fd, offset, t, thread, +- in_reply_to); ++ ret = binder_alloc_copy_from_buffer(&target_proc->alloc, ++ &fd, t->buffer, ++ offset, sizeof(fd)); ++ if (!ret) ++ ret = binder_translate_fd(fd, offset, t, thread, ++ in_reply_to); + if (ret < 0) + return ret; + } +@@ -2749,8 +2754,12 @@ static int binder_fixup_parent(struct bi + } + buffer_offset = bp->parent_offset + + (uintptr_t)parent->buffer - (uintptr_t)b->user_data; +- binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset, +- &bp->buffer, sizeof(bp->buffer)); ++ if (binder_alloc_copy_to_buffer(&target_proc->alloc, b, buffer_offset, ++ &bp->buffer, sizeof(bp->buffer))) { ++ binder_user_error("%d:%d got transaction with invalid parent offset\n", ++ proc->pid, thread->pid); ++ return -EINVAL; ++ } + + return 0; + } +@@ -3160,15 +3169,20 @@ static void binder_transaction(struct bi + goto err_binder_alloc_buf_failed; + } + if (secctx) { ++ int err; + size_t buf_offset = ALIGN(tr->data_size, sizeof(void *)) + + ALIGN(tr->offsets_size, sizeof(void *)) + + ALIGN(extra_buffers_size, sizeof(void *)) - + ALIGN(secctx_sz, sizeof(u64)); + + t->security_ctx = (uintptr_t)t->buffer->user_data + buf_offset; +- binder_alloc_copy_to_buffer(&target_proc->alloc, +- t->buffer, buf_offset, +- secctx, secctx_sz); ++ err = binder_alloc_copy_to_buffer(&target_proc->alloc, ++ t->buffer, buf_offset, ++ secctx, secctx_sz); ++ if (err) { ++ t->security_ctx = 0; ++ WARN_ON(1); ++ } + security_release_secctx(secctx, secctx_sz); + secctx = NULL; + } +@@ -3234,11 +3248,16 @@ static void binder_transaction(struct bi + struct binder_object object; + binder_size_t object_offset; + +- binder_alloc_copy_from_buffer(&target_proc->alloc, +- &object_offset, +- t->buffer, +- buffer_offset, +- sizeof(object_offset)); ++ if (binder_alloc_copy_from_buffer(&target_proc->alloc, ++ &object_offset, ++ t->buffer, ++ buffer_offset, ++ sizeof(object_offset))) { ++ return_error = BR_FAILED_REPLY; ++ return_error_param = -EINVAL; ++ return_error_line = __LINE__; ++ goto err_bad_offset; ++ } + object_size = binder_get_object(target_proc, t->buffer, + object_offset, &object); + if (object_size == 0 || object_offset < off_min) { +@@ -3262,15 +3281,17 @@ static void binder_transaction(struct bi + + fp = to_flat_binder_object(hdr); + ret = binder_translate_binder(fp, t, thread); +- if (ret < 0) { ++ ++ if (ret < 0 || ++ binder_alloc_copy_to_buffer(&target_proc->alloc, ++ t->buffer, ++ object_offset, ++ fp, sizeof(*fp))) { + return_error = BR_FAILED_REPLY; + return_error_param = ret; + return_error_line = __LINE__; + goto err_translate_failed; + } +- binder_alloc_copy_to_buffer(&target_proc->alloc, +- t->buffer, object_offset, +- fp, sizeof(*fp)); + } break; + case BINDER_TYPE_HANDLE: + case BINDER_TYPE_WEAK_HANDLE: { +@@ -3278,15 +3299,16 @@ static void binder_transaction(struct bi + + fp = to_flat_binder_object(hdr); + ret = binder_translate_handle(fp, t, thread); +- if (ret < 0) { ++ if (ret < 0 || ++ binder_alloc_copy_to_buffer(&target_proc->alloc, ++ t->buffer, ++ object_offset, ++ fp, sizeof(*fp))) { + return_error = BR_FAILED_REPLY; + return_error_param = ret; + return_error_line = __LINE__; + goto err_translate_failed; + } +- binder_alloc_copy_to_buffer(&target_proc->alloc, +- t->buffer, object_offset, +- fp, sizeof(*fp)); + } break; + + case BINDER_TYPE_FD: { +@@ -3296,16 +3318,17 @@ static void binder_transaction(struct bi + int ret = binder_translate_fd(fp->fd, fd_offset, t, + thread, in_reply_to); + +- if (ret < 0) { ++ fp->pad_binder = 0; ++ if (ret < 0 || ++ binder_alloc_copy_to_buffer(&target_proc->alloc, ++ t->buffer, ++ object_offset, ++ fp, sizeof(*fp))) { + return_error = BR_FAILED_REPLY; + return_error_param = ret; + return_error_line = __LINE__; + goto err_translate_failed; + } +- fp->pad_binder = 0; +- binder_alloc_copy_to_buffer(&target_proc->alloc, +- t->buffer, object_offset, +- fp, sizeof(*fp)); + } break; + case BINDER_TYPE_FDA: { + struct binder_object ptr_object; +@@ -3393,15 +3416,16 @@ static void binder_transaction(struct bi + num_valid, + last_fixup_obj_off, + last_fixup_min_off); +- if (ret < 0) { ++ if (ret < 0 || ++ binder_alloc_copy_to_buffer(&target_proc->alloc, ++ t->buffer, ++ object_offset, ++ bp, sizeof(*bp))) { + return_error = BR_FAILED_REPLY; + return_error_param = ret; + return_error_line = __LINE__; + goto err_translate_failed; + } +- binder_alloc_copy_to_buffer(&target_proc->alloc, +- t->buffer, object_offset, +- bp, sizeof(*bp)); + last_fixup_obj_off = object_offset; + last_fixup_min_off = 0; + } break; +@@ -4139,20 +4163,27 @@ static int binder_apply_fd_fixups(struct + trace_binder_transaction_fd_recv(t, fd, fixup->offset); + fd_install(fd, fixup->file); + fixup->file = NULL; +- binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, +- fixup->offset, &fd, +- sizeof(u32)); ++ if (binder_alloc_copy_to_buffer(&proc->alloc, t->buffer, ++ fixup->offset, &fd, ++ sizeof(u32))) { ++ ret = -EINVAL; ++ break; ++ } + } + list_for_each_entry_safe(fixup, tmp, &t->fd_fixups, fixup_entry) { + if (fixup->file) { + fput(fixup->file); + } else if (ret) { + u32 fd; ++ int err; + +- binder_alloc_copy_from_buffer(&proc->alloc, &fd, +- t->buffer, fixup->offset, +- sizeof(fd)); +- binder_deferred_fd_close(fd); ++ err = binder_alloc_copy_from_buffer(&proc->alloc, &fd, ++ t->buffer, ++ fixup->offset, ++ sizeof(fd)); ++ WARN_ON(err); ++ if (!err) ++ binder_deferred_fd_close(fd); + } + list_del(&fixup->fixup_entry); + kfree(fixup); +--- a/drivers/android/binder_alloc.c ++++ b/drivers/android/binder_alloc.c +@@ -1128,15 +1128,16 @@ binder_alloc_copy_user_to_buffer(struct + return 0; + } + +-static void binder_alloc_do_buffer_copy(struct binder_alloc *alloc, +- bool to_buffer, +- struct binder_buffer *buffer, +- binder_size_t buffer_offset, +- void *ptr, +- size_t bytes) ++static int binder_alloc_do_buffer_copy(struct binder_alloc *alloc, ++ bool to_buffer, ++ struct binder_buffer *buffer, ++ binder_size_t buffer_offset, ++ void *ptr, ++ size_t bytes) + { + /* All copies must be 32-bit aligned and 32-bit size */ +- BUG_ON(!check_buffer(alloc, buffer, buffer_offset, bytes)); ++ if (!check_buffer(alloc, buffer, buffer_offset, bytes)) ++ return -EINVAL; + + while (bytes) { + unsigned long size; +@@ -1164,25 +1165,26 @@ static void binder_alloc_do_buffer_copy( + ptr = ptr + size; + buffer_offset += size; + } ++ return 0; + } + +-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc, +- struct binder_buffer *buffer, +- binder_size_t buffer_offset, +- void *src, +- size_t bytes) ++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc, ++ struct binder_buffer *buffer, ++ binder_size_t buffer_offset, ++ void *src, ++ size_t bytes) + { +- binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset, +- src, bytes); ++ return binder_alloc_do_buffer_copy(alloc, true, buffer, buffer_offset, ++ src, bytes); + } + +-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc, +- void *dest, +- struct binder_buffer *buffer, +- binder_size_t buffer_offset, +- size_t bytes) ++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc, ++ void *dest, ++ struct binder_buffer *buffer, ++ binder_size_t buffer_offset, ++ size_t bytes) + { +- binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset, +- dest, bytes); ++ return binder_alloc_do_buffer_copy(alloc, false, buffer, buffer_offset, ++ dest, bytes); + } + +--- a/drivers/android/binder_alloc.h ++++ b/drivers/android/binder_alloc.h +@@ -168,17 +168,17 @@ binder_alloc_copy_user_to_buffer(struct + const void __user *from, + size_t bytes); + +-void binder_alloc_copy_to_buffer(struct binder_alloc *alloc, +- struct binder_buffer *buffer, +- binder_size_t buffer_offset, +- void *src, +- size_t bytes); ++int binder_alloc_copy_to_buffer(struct binder_alloc *alloc, ++ struct binder_buffer *buffer, ++ binder_size_t buffer_offset, ++ void *src, ++ size_t bytes); + +-void binder_alloc_copy_from_buffer(struct binder_alloc *alloc, +- void *dest, +- struct binder_buffer *buffer, +- binder_size_t buffer_offset, +- size_t bytes); ++int binder_alloc_copy_from_buffer(struct binder_alloc *alloc, ++ void *dest, ++ struct binder_buffer *buffer, ++ binder_size_t buffer_offset, ++ size_t bytes); + + #endif /* _LINUX_BINDER_ALLOC_H */ + diff --git a/queue-5.1/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch b/queue-5.1/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch new file mode 100644 index 00000000000..99a12f47e58 --- /dev/null +++ b/queue-5.1/drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch @@ -0,0 +1,45 @@ +From 2681795b5e7a5bf336537661010072f4c22cea31 Mon Sep 17 00:00:00 2001 +From: Nikolaus Voss +Date: Fri, 28 Jun 2019 11:01:09 +0200 +Subject: drivers/usb/typec/tps6598x.c: fix 4CC cmd write + +From: Nikolaus Voss + +commit 2681795b5e7a5bf336537661010072f4c22cea31 upstream. + +Writing 4CC commands with tps6598x_write_4cc() already has +a pointer arg, don't reference it when using as arg to +tps6598x_block_write(). Correcting this enforces the constness +of the pointer to propagate to tps6598x_block_write(), so add +the const qualifier there to avoid the warning. + +Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") +Signed-off-by: Nikolaus Voss +Acked-by: Heikki Krogerus +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tps6598x.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/typec/tps6598x.c ++++ b/drivers/usb/typec/tps6598x.c +@@ -127,7 +127,7 @@ tps6598x_block_read(struct tps6598x *tps + } + + static int tps6598x_block_write(struct tps6598x *tps, u8 reg, +- void *val, size_t len) ++ const void *val, size_t len) + { + u8 data[TPS_MAX_LEN + 1]; + +@@ -173,7 +173,7 @@ static inline int tps6598x_write64(struc + static inline int + tps6598x_write_4cc(struct tps6598x *tps, u8 reg, const char *val) + { +- return tps6598x_block_write(tps, reg, &val, sizeof(u32)); ++ return tps6598x_block_write(tps, reg, val, 4); + } + + static int tps6598x_read_partner_identity(struct tps6598x *tps) diff --git a/queue-5.1/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch b/queue-5.1/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch new file mode 100644 index 00000000000..52811374a31 --- /dev/null +++ b/queue-5.1/drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch @@ -0,0 +1,33 @@ +From 05da75fc651138e51ff74ace97174349910463f5 Mon Sep 17 00:00:00 2001 +From: Nikolaus Voss +Date: Fri, 28 Jun 2019 11:01:08 +0200 +Subject: drivers/usb/typec/tps6598x.c: fix portinfo width + +From: Nikolaus Voss + +commit 05da75fc651138e51ff74ace97174349910463f5 upstream. + +Portinfo bit field is 3 bits wide, not 2 bits. This led to +a wrong driver configuration for some tps6598x configurations. + +Fixes: 0a4c005bd171 ("usb: typec: driver for TI TPS6598x USB Power Delivery controllers") +Signed-off-by: Nikolaus Voss +Acked-by: Heikki Krogerus +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/typec/tps6598x.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/typec/tps6598x.c ++++ b/drivers/usb/typec/tps6598x.c +@@ -41,7 +41,7 @@ + #define TPS_STATUS_VCONN(s) (!!((s) & BIT(7))) + + /* TPS_REG_SYSTEM_CONF bits */ +-#define TPS_SYSCONF_PORTINFO(c) ((c) & 3) ++#define TPS_SYSCONF_PORTINFO(c) ((c) & 7) + + enum { + TPS_PORTINFO_SINK, diff --git a/queue-5.1/hid-add-another-primax-pixart-oem-mouse-quirk.patch b/queue-5.1/hid-add-another-primax-pixart-oem-mouse-quirk.patch new file mode 100644 index 00000000000..95683de4fb8 --- /dev/null +++ b/queue-5.1/hid-add-another-primax-pixart-oem-mouse-quirk.patch @@ -0,0 +1,46 @@ +From 4c12954965fdf33d8ae3883c1931fc29ca023cfb Mon Sep 17 00:00:00 2001 +From: Sebastian Parschauer +Date: Mon, 1 Jul 2019 07:48:17 +0200 +Subject: HID: Add another Primax PIXART OEM mouse quirk + +From: Sebastian Parschauer + +commit 4c12954965fdf33d8ae3883c1931fc29ca023cfb upstream. + +The PixArt OEM mice are known for disconnecting every minute in +runlevel 1 or 3 if they are not always polled. So add quirk +ALWAYS_POLL for this Alienware branded Primax mouse as well. + +Daniel Schepler (@dschepler) reported and tested the quirk. +Reference: https://github.com/sriemer/fix-linux-mouse/issues/15 + +Signed-off-by: Sebastian Parschauer +CC: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1235,6 +1235,7 @@ + #define USB_DEVICE_ID_PRIMAX_KEYBOARD 0x4e05 + #define USB_DEVICE_ID_PRIMAX_REZEL 0x4e72 + #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F 0x4d0f ++#define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65 0x4d65 + #define USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22 0x4e22 + + +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -132,6 +132,7 @@ static const struct hid_device_id hid_qu + { HID_USB_DEVICE(USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_USB_OPTICAL_MOUSE), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_MOUSE_4D22), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D0F), HID_QUIRK_ALWAYS_POLL }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4D65), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRIMAX, USB_DEVICE_ID_PRIMAX_PIXART_MOUSE_4E22), HID_QUIRK_ALWAYS_POLL }, + { HID_USB_DEVICE(USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS), HID_QUIRK_NOGET }, + { HID_USB_DEVICE(USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001), HID_QUIRK_NOGET }, diff --git a/queue-5.1/iio-adc-stm32-adc-add-missing-vdda-supply.patch b/queue-5.1/iio-adc-stm32-adc-add-missing-vdda-supply.patch new file mode 100644 index 00000000000..cc95e2c055a --- /dev/null +++ b/queue-5.1/iio-adc-stm32-adc-add-missing-vdda-supply.patch @@ -0,0 +1,91 @@ +From 7685010fca2ba0284f31fd1380df3cffc96d847e Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Wed, 19 Jun 2019 14:29:55 +0200 +Subject: iio: adc: stm32-adc: add missing vdda-supply + +From: Fabrice Gasnier + +commit 7685010fca2ba0284f31fd1380df3cffc96d847e upstream. + +Add missing vdda-supply, analog power supply, to STM32 ADC. When vdda is +an independent supply, it needs to be properly turned on or off to supply +the ADC. + +Signed-off-by: Fabrice Gasnier +Fixes: 1add69880240 ("iio: adc: Add support for STM32 ADC core"). +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/stm32-adc-core.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/stm32-adc-core.c ++++ b/drivers/iio/adc/stm32-adc-core.c +@@ -87,6 +87,7 @@ struct stm32_adc_priv_cfg { + * @domain: irq domain reference + * @aclk: clock reference for the analog circuitry + * @bclk: bus clock common for all ADCs, depends on part used ++ * @vdda: vdda analog supply reference + * @vref: regulator reference + * @cfg: compatible configuration data + * @common: common data for all ADC instances +@@ -97,6 +98,7 @@ struct stm32_adc_priv { + struct irq_domain *domain; + struct clk *aclk; + struct clk *bclk; ++ struct regulator *vdda; + struct regulator *vref; + const struct stm32_adc_priv_cfg *cfg; + struct stm32_adc_common common; +@@ -394,10 +396,16 @@ static int stm32_adc_core_hw_start(struc + struct stm32_adc_priv *priv = to_stm32_adc_priv(common); + int ret; + ++ ret = regulator_enable(priv->vdda); ++ if (ret < 0) { ++ dev_err(dev, "vdda enable failed %d\n", ret); ++ return ret; ++ } ++ + ret = regulator_enable(priv->vref); + if (ret < 0) { + dev_err(dev, "vref enable failed\n"); +- return ret; ++ goto err_vdda_disable; + } + + if (priv->bclk) { +@@ -425,6 +433,8 @@ err_bclk_disable: + clk_disable_unprepare(priv->bclk); + err_regulator_disable: + regulator_disable(priv->vref); ++err_vdda_disable: ++ regulator_disable(priv->vdda); + + return ret; + } +@@ -441,6 +451,7 @@ static void stm32_adc_core_hw_stop(struc + if (priv->bclk) + clk_disable_unprepare(priv->bclk); + regulator_disable(priv->vref); ++ regulator_disable(priv->vdda); + } + + static int stm32_adc_probe(struct platform_device *pdev) +@@ -468,6 +479,14 @@ static int stm32_adc_probe(struct platfo + return PTR_ERR(priv->common.base); + priv->common.phys_base = res->start; + ++ priv->vdda = devm_regulator_get(&pdev->dev, "vdda"); ++ if (IS_ERR(priv->vdda)) { ++ ret = PTR_ERR(priv->vdda); ++ if (ret != -EPROBE_DEFER) ++ dev_err(&pdev->dev, "vdda get failed, %d\n", ret); ++ return ret; ++ } ++ + priv->vref = devm_regulator_get(&pdev->dev, "vref"); + if (IS_ERR(priv->vref)) { + ret = PTR_ERR(priv->vref); diff --git a/queue-5.1/lkdtm-support-llvm-objcopy.patch b/queue-5.1/lkdtm-support-llvm-objcopy.patch new file mode 100644 index 00000000000..f765c99aaa3 --- /dev/null +++ b/queue-5.1/lkdtm-support-llvm-objcopy.patch @@ -0,0 +1,60 @@ +From e9e08a07385e08f1a7f85c5d1e345c21c9564963 Mon Sep 17 00:00:00 2001 +From: Nick Desaulniers +Date: Wed, 15 May 2019 11:24:41 -0700 +Subject: lkdtm: support llvm-objcopy + +From: Nick Desaulniers + +commit e9e08a07385e08f1a7f85c5d1e345c21c9564963 upstream. + +With CONFIG_LKDTM=y and make OBJCOPY=llvm-objcopy, llvm-objcopy errors: +llvm-objcopy: error: --set-section-flags=.text conflicts with +--rename-section=.text=.rodata + +Rather than support setting flags then renaming sections vs renaming +then setting flags, it's simpler to just change both at the same time +via --rename-section. Adding the load flag is required for GNU objcopy +to mark .rodata Type as PROGBITS after the rename. + +This can be verified with: +$ readelf -S drivers/misc/lkdtm/rodata_objcopy.o +... +Section Headers: + [Nr] Name Type Address Offset + Size EntSize Flags Link Info Align +... + [ 1] .rodata PROGBITS 0000000000000000 00000040 + 0000000000000004 0000000000000000 A 0 0 4 +... + +Which shows that .text is now renamed .rodata, the alloc flag A is set, +the type is PROGBITS, and the section is not flagged as writeable W. + +Cc: stable@vger.kernel.org +Link: https://sourceware.org/bugzilla/show_bug.cgi?id=24554 +Link: https://github.com/ClangBuiltLinux/linux/issues/448 +Reported-by: Nathan Chancellor +Suggested-by: Alan Modra +Suggested-by: Jordan Rupprect +Suggested-by: Kees Cook +Acked-by: Kees Cook +Reviewed-by: Nathan Chancellor +Signed-off-by: Nick Desaulniers +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/lkdtm/Makefile | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/misc/lkdtm/Makefile ++++ b/drivers/misc/lkdtm/Makefile +@@ -15,8 +15,7 @@ KCOV_INSTRUMENT_rodata.o := n + + OBJCOPYFLAGS := + OBJCOPYFLAGS_rodata_objcopy.o := \ +- --set-section-flags .text=alloc,readonly \ +- --rename-section .text=.rodata ++ --rename-section .text=.rodata,alloc,readonly,load + targets += rodata.o rodata_objcopy.o + $(obj)/rodata_objcopy.o: $(obj)/rodata.o FORCE + $(call if_changed,objcopy) diff --git a/queue-5.1/p54-fix-crash-during-initialization.patch b/queue-5.1/p54-fix-crash-during-initialization.patch new file mode 100644 index 00000000000..99d185cbc31 --- /dev/null +++ b/queue-5.1/p54-fix-crash-during-initialization.patch @@ -0,0 +1,71 @@ +From 1645ab931998b39aed5761f095956f0b10a6362f Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Sat, 18 May 2019 22:05:48 +0200 +Subject: p54: fix crash during initialization + +From: Christian Lamparter + +commit 1645ab931998b39aed5761f095956f0b10a6362f upstream. + +This patch fixes a crash that got introduced when the +mentioned patch replaced the direct list_head access +with skb_peek_tail(). When the device is starting up, +there are no entries in the queue, so previously to +"Use skb_peek_tail() instead..." the target_skb would +end up as the tail and head pointer which then could +be used by __skb_queue_after to fill the empty queue. + +With skb_peek_tail() in its place will instead just +return NULL which then causes a crash in the +__skb_queue_after(). + +| BUG: unable to handle kernel NULL pointer dereference at 000000 +| #PF error: [normal kernel read fault] +| PGD 0 P4D 0 +| Oops: 0000 [#1] SMP PTI +| CPU: 0 PID: 12 Comm: kworker/0:1 Tainted: GO 5.1.0-rc7-wt+ #218 +| Hardware name: MSI MS-7816/Z87-G43 (MS-7816), BIOS V1.11 05/09/2015 +| Workqueue: events request_firmware_work_func +| RIP: 0010:p54_tx_pending+0x10f/0x1b0 [p54common] +| Code: 78 06 80 78 28 00 74 6d <48> 8b 07 49 89 7c 24 08 49 89 04 24 4 +| RSP: 0018:ffffa81c81927d90 EFLAGS: 00010086 +| RAX: ffff9bbaaf131048 RBX: 0000000000020670 RCX: 0000000000020264 +| RDX: ffff9bbaa976d660 RSI: 0000000000000202 RDI: 0000000000000000 +| RBP: ffff9bbaa976d620 R08: 00000000000006c0 R09: ffff9bbaa976d660 +| R10: 0000000000000000 R11: ffffe8480dbc5900 R12: ffff9bbb45e87700 +| R13: ffff9bbaa976d648 R14: ffff9bbaa976d674 R15: ffff9bbaaf131048 +| FS: 0000000000000000(0000) GS:ffff9bbb5ec00000(0000) knlGS:00000 +| CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +| CR2: 0000000000000000 CR3: 00000003695fc003 CR4: 00000000001606f0 +| Call Trace: +| p54_download_eeprom+0xbe/0x120 [p54common] +| p54_read_eeprom+0x7f/0xc0 [p54common] +| p54u_load_firmware_cb+0xe0/0x160 [p54usb] +| request_firmware_work_func+0x42/0x80 +| process_one_work+0x1f5/0x3f0 +| worker_thread+0x28/0x3c0 + +Cc: stable@vger.kernel.org +Fixes: e3554197fc8f ("p54: Use skb_peek_tail() instead of direct head pointer accesses.") +Signed-off-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/txrx.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/intersil/p54/txrx.c ++++ b/drivers/net/wireless/intersil/p54/txrx.c +@@ -142,7 +142,10 @@ static int p54_assign_address(struct p54 + unlikely(GET_HW_QUEUE(skb) == P54_QUEUE_BEACON)) + priv->beacon_req_id = data->req_id; + +- __skb_queue_after(&priv->tx_queue, target_skb, skb); ++ if (target_skb) ++ __skb_queue_after(&priv->tx_queue, target_skb, skb); ++ else ++ __skb_queue_head(&priv->tx_queue, skb); + spin_unlock_irqrestore(&priv->tx_queue.lock, flags); + return 0; + } diff --git a/queue-5.1/p54usb-fix-race-between-disconnect-and-firmware-loading.patch b/queue-5.1/p54usb-fix-race-between-disconnect-and-firmware-loading.patch new file mode 100644 index 00000000000..f289c0d42d7 --- /dev/null +++ b/queue-5.1/p54usb-fix-race-between-disconnect-and-firmware-loading.patch @@ -0,0 +1,174 @@ +From 6e41e2257f1094acc37618bf6c856115374c6922 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 20 May 2019 10:44:21 -0400 +Subject: p54usb: Fix race between disconnect and firmware loading + +From: Alan Stern + +commit 6e41e2257f1094acc37618bf6c856115374c6922 upstream. + +The syzbot fuzzer found a bug in the p54 USB wireless driver. The +issue involves a race between disconnect and the firmware-loader +callback routine, and it has several aspects. + +One big problem is that when the firmware can't be loaded, the +callback routine tries to unbind the driver from the USB _device_ (by +calling device_release_driver) instead of from the USB _interface_ to +which it is actually bound (by calling usb_driver_release_interface). + +The race involves access to the private data structure. The driver's +disconnect handler waits for a completion that is signalled by the +firmware-loader callback routine. As soon as the completion is +signalled, you have to assume that the private data structure may have +been deallocated by the disconnect handler -- even if the firmware was +loaded without errors. However, the callback routine does access the +private data several times after that point. + +Another problem is that, in order to ensure that the USB device +structure hasn't been freed when the callback routine runs, the driver +takes a reference to it. This isn't good enough any more, because now +that the callback routine calls usb_driver_release_interface, it has +to ensure that the interface structure hasn't been freed. + +Finally, the driver takes an unnecessary reference to the USB device +structure in the probe function and drops the reference in the +disconnect handler. This extra reference doesn't accomplish anything, +because the USB core already guarantees that a device structure won't +be deallocated while a driver is still bound to any of its interfaces. + +To fix these problems, this patch makes the following changes: + + Call usb_driver_release_interface() rather than + device_release_driver(). + + Don't signal the completion until after the important + information has been copied out of the private data structure, + and don't refer to the private data at all thereafter. + + Lock udev (the interface's parent) before unbinding the driver + instead of locking udev->parent. + + During the firmware loading process, take a reference to the + USB interface instead of the USB device. + + Don't take an unnecessary reference to the device during probe + (and then don't drop it during disconnect). + +Signed-off-by: Alan Stern +Reported-and-tested-by: syzbot+200d4bb11b23d929335f@syzkaller.appspotmail.com +CC: +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/intersil/p54/p54usb.c | 43 ++++++++++++----------------- + 1 file changed, 18 insertions(+), 25 deletions(-) + +--- a/drivers/net/wireless/intersil/p54/p54usb.c ++++ b/drivers/net/wireless/intersil/p54/p54usb.c +@@ -33,6 +33,8 @@ MODULE_ALIAS("prism54usb"); + MODULE_FIRMWARE("isl3886usb"); + MODULE_FIRMWARE("isl3887usb"); + ++static struct usb_driver p54u_driver; ++ + /* + * Note: + * +@@ -921,9 +923,9 @@ static void p54u_load_firmware_cb(const + { + struct p54u_priv *priv = context; + struct usb_device *udev = priv->udev; ++ struct usb_interface *intf = priv->intf; + int err; + +- complete(&priv->fw_wait_load); + if (firmware) { + priv->fw = firmware; + err = p54u_start_ops(priv); +@@ -932,26 +934,22 @@ static void p54u_load_firmware_cb(const + dev_err(&udev->dev, "Firmware not found.\n"); + } + +- if (err) { +- struct device *parent = priv->udev->dev.parent; +- +- dev_err(&udev->dev, "failed to initialize device (%d)\n", err); +- +- if (parent) +- device_lock(parent); ++ complete(&priv->fw_wait_load); ++ /* ++ * At this point p54u_disconnect may have already freed ++ * the "priv" context. Do not use it anymore! ++ */ ++ priv = NULL; + +- device_release_driver(&udev->dev); +- /* +- * At this point p54u_disconnect has already freed +- * the "priv" context. Do not use it anymore! +- */ +- priv = NULL; ++ if (err) { ++ dev_err(&intf->dev, "failed to initialize device (%d)\n", err); + +- if (parent) +- device_unlock(parent); ++ usb_lock_device(udev); ++ usb_driver_release_interface(&p54u_driver, intf); ++ usb_unlock_device(udev); + } + +- usb_put_dev(udev); ++ usb_put_intf(intf); + } + + static int p54u_load_firmware(struct ieee80211_hw *dev, +@@ -972,14 +970,14 @@ static int p54u_load_firmware(struct iee + dev_info(&priv->udev->dev, "Loading firmware file %s\n", + p54u_fwlist[i].fw); + +- usb_get_dev(udev); ++ usb_get_intf(intf); + err = request_firmware_nowait(THIS_MODULE, 1, p54u_fwlist[i].fw, + device, GFP_KERNEL, priv, + p54u_load_firmware_cb); + if (err) { + dev_err(&priv->udev->dev, "(p54usb) cannot load firmware %s " + "(%d)!\n", p54u_fwlist[i].fw, err); +- usb_put_dev(udev); ++ usb_put_intf(intf); + } + + return err; +@@ -1011,8 +1009,6 @@ static int p54u_probe(struct usb_interfa + skb_queue_head_init(&priv->rx_queue); + init_usb_anchor(&priv->submitted); + +- usb_get_dev(udev); +- + /* really lazy and simple way of figuring out if we're a 3887 */ + /* TODO: should just stick the identification in the device table */ + i = intf->altsetting->desc.bNumEndpoints; +@@ -1053,10 +1049,8 @@ static int p54u_probe(struct usb_interfa + priv->upload_fw = p54u_upload_firmware_net2280; + } + err = p54u_load_firmware(dev, intf); +- if (err) { +- usb_put_dev(udev); ++ if (err) + p54_free_common(dev); +- } + return err; + } + +@@ -1072,7 +1066,6 @@ static void p54u_disconnect(struct usb_i + wait_for_completion(&priv->fw_wait_load); + p54_unregister_common(dev); + +- usb_put_dev(interface_to_usbdev(intf)); + release_firmware(priv->fw); + p54_free_common(dev); + } diff --git a/queue-5.1/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch b/queue-5.1/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch new file mode 100644 index 00000000000..d4430b68b37 --- /dev/null +++ b/queue-5.1/revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch @@ -0,0 +1,39 @@ +From 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 Mon Sep 17 00:00:00 2001 +From: Oliver Barta +Date: Wed, 19 Jun 2019 10:16:39 +0200 +Subject: Revert "serial: 8250: Don't service RX FIFO if interrupts are disabled" + +From: Oliver Barta + +commit 3f2640ed7be838c3f05c0d2b0f7c7508e7431e48 upstream. + +This reverts commit 2e9fe539108320820016f78ca7704a7342788380. + +Reading LSR unconditionally but processing the error flags only if +UART_IIR_RDI bit was set before in IIR may lead to a loss of transmission +error information on UARTs where the transmission error flags are cleared +by a read of LSR. Information are lost in case an error is detected right +before the read of LSR while processing e.g. an UART_IIR_THRI interrupt. + +Signed-off-by: Oliver Barta +Reviewed-by: Andy Shevchenko +Fixes: 2e9fe5391083 ("serial: 8250: Don't service RX FIFO if interrupts are disabled") +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/8250/8250_port.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -1869,8 +1869,7 @@ int serial8250_handle_irq(struct uart_po + + status = serial_port_in(port, UART_LSR); + +- if (status & (UART_LSR_DR | UART_LSR_BI) && +- iir & UART_IIR_RDI) { ++ if (status & (UART_LSR_DR | UART_LSR_BI)) { + if (!up->dma || handle_rx_dma(up, iir)) + status = serial8250_rx_chars(up, status); + } diff --git a/queue-5.1/series b/queue-5.1/series index df6f57624df..8f6405da328 100644 --- a/queue-5.1/series +++ b/queue-5.1/series @@ -105,3 +105,23 @@ documentation-add-section-about-cpu-vulnerabilities-for-spectre.patch documentation-admin-remove-the-vsyscall-native-documentation.patch mwifiex-abort-at-too-short-bss-descriptor-element.patch mwifiex-don-t-abort-on-small-spec-compliant-vendor-ies.patch +usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch +usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch +revert-serial-8250-don-t-service-rx-fifo-if-interrupts-are-disabled.patch +p54usb-fix-race-between-disconnect-and-firmware-loading.patch +usb-gadget-f_fs-data_len-used-before-properly-set.patch +usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch +usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch +usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch +drivers-usb-typec-tps6598x.c-fix-portinfo-width.patch +drivers-usb-typec-tps6598x.c-fix-4cc-cmd-write.patch +p54-fix-crash-during-initialization.patch +staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch +staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch +staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch +staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch +hid-add-another-primax-pixart-oem-mouse-quirk.patch +lkdtm-support-llvm-objcopy.patch +binder-fix-memory-leak-in-error-path.patch +binder-return-errors-from-buffer-copy-functions.patch +iio-adc-stm32-adc-add-missing-vdda-supply.patch diff --git a/queue-5.1/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch b/queue-5.1/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch new file mode 100644 index 00000000000..0da84a9e1b7 --- /dev/null +++ b/queue-5.1/staging-comedi-amplc_pci230-fix-null-pointer-deref-on-interrupt.patch @@ -0,0 +1,45 @@ +From 7379e6baeddf580d01feca650ec1ad508b6ea8ee Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 26 Jun 2019 14:17:39 +0100 +Subject: staging: comedi: amplc_pci230: fix null pointer deref on interrupt + +From: Ian Abbott + +commit 7379e6baeddf580d01feca650ec1ad508b6ea8ee upstream. + +The interrupt handler `pci230_interrupt()` causes a null pointer +dereference for a PCI260 card. There is no analog output subdevice for +a PCI260. The `dev->write_subdev` subdevice pointer and therefore the +`s_ao` subdevice pointer variable will be `NULL` for a PCI260. The +following call near the end of the interrupt handler results in the null +pointer dereference for a PCI260: + + comedi_handle_events(dev, s_ao); + +Fix it by only calling the above function if `s_ao` is valid. + +Note that the other uses of `s_ao` in the calls +`pci230_handle_ao_nofifo(dev, s_ao);` and `pci230_handle_ao_fifo(dev, +s_ao);` will never be reached for a PCI260, so they are safe. + +Fixes: 39064f23284c ("staging: comedi: amplc_pci230: use comedi_handle_events()") +Cc: # v3.19+ +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/amplc_pci230.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/amplc_pci230.c ++++ b/drivers/staging/comedi/drivers/amplc_pci230.c +@@ -2330,7 +2330,8 @@ static irqreturn_t pci230_interrupt(int + devpriv->intr_running = false; + spin_unlock_irqrestore(&devpriv->isr_spinlock, irqflags); + +- comedi_handle_events(dev, s_ao); ++ if (s_ao) ++ comedi_handle_events(dev, s_ao); + comedi_handle_events(dev, s_ai); + + return IRQ_HANDLED; diff --git a/queue-5.1/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch b/queue-5.1/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch new file mode 100644 index 00000000000..84e6d9eedd1 --- /dev/null +++ b/queue-5.1/staging-comedi-dt282x-fix-a-null-pointer-deref-on-interrupt.patch @@ -0,0 +1,50 @@ +From b8336be66dec06bef518030a0df9847122053ec5 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Wed, 26 Jun 2019 14:18:04 +0100 +Subject: staging: comedi: dt282x: fix a null pointer deref on interrupt + +From: Ian Abbott + +commit b8336be66dec06bef518030a0df9847122053ec5 upstream. + +The interrupt handler `dt282x_interrupt()` causes a null pointer +dereference for those supported boards that have no analog output +support. For these boards, `dev->write_subdev` will be `NULL` and +therefore the `s_ao` subdevice pointer variable will be `NULL`. In that +case, the following call near the end of the interrupt handler results +in a null pointer dereference: + + comedi_handle_events(dev, s_ao); + +Fix it by only calling the above function if `s_ao` is valid. + +(There are other uses of `s_ao` by the interrupt handler that may or may +not be reached depending on values of hardware registers. Trust that +they are reliable for now.) + +Note: +commit 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()") +propagates an earlier error from +commit f21c74fa4cfe ("staging: comedi: dt282x: use cfc_handle_events()"). + +Fixes: 4f6f009b204f ("staging: comedi: dt282x: use comedi_handle_events()") +Cc: # v3.19+ +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/dt282x.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/drivers/dt282x.c ++++ b/drivers/staging/comedi/drivers/dt282x.c +@@ -557,7 +557,8 @@ static irqreturn_t dt282x_interrupt(int + } + #endif + comedi_handle_events(dev, s); +- comedi_handle_events(dev, s_ao); ++ if (s_ao) ++ comedi_handle_events(dev, s_ao); + + return IRQ_RETVAL(handled); + } diff --git a/queue-5.1/staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch b/queue-5.1/staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch new file mode 100644 index 00000000000..f3f7164a506 --- /dev/null +++ b/queue-5.1/staging-mt7621-pci-fix-pcie_fts_num_lo-macro.patch @@ -0,0 +1,32 @@ +From 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf Mon Sep 17 00:00:00 2001 +From: Sergio Paracuellos +Date: Wed, 26 Jun 2019 14:43:18 +0200 +Subject: staging: mt7621-pci: fix PCIE_FTS_NUM_LO macro + +From: Sergio Paracuellos + +commit 0ae0cf509d28d8539b88b5f7f24558f5bfe57cdf upstream. + +Add missing parenthesis to PCIE_FTS_NUM_LO macro to do the +same it was being done in original code. + +Fixes: a4b2eb912bb1 ("staging: mt7621-pci: rewrite RC FTS configuration") +Signed-off-by: Sergio Paracuellos +Cc: stable +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/mt7621-pci/pci-mt7621.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/staging/mt7621-pci/pci-mt7621.c ++++ b/drivers/staging/mt7621-pci/pci-mt7621.c +@@ -40,7 +40,7 @@ + /* MediaTek specific configuration registers */ + #define PCIE_FTS_NUM 0x70c + #define PCIE_FTS_NUM_MASK GENMASK(15, 8) +-#define PCIE_FTS_NUM_L0(x) ((x) & 0xff << 8) ++#define PCIE_FTS_NUM_L0(x) (((x) & 0xff) << 8) + + /* rt_sysc_membase relative registers */ + #define RALINK_PCIE_CLK_GEN 0x7c diff --git a/queue-5.1/staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch b/queue-5.1/staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch new file mode 100644 index 00000000000..d3585e2a73b --- /dev/null +++ b/queue-5.1/staging-wilc1000-fix-error-path-cleanup-in-wilc_wlan_initialize.patch @@ -0,0 +1,56 @@ +From 6419f818ababebc1116fb2d0e220bd4fe835d0e3 Mon Sep 17 00:00:00 2001 +From: Ajay Singh +Date: Wed, 26 Jun 2019 12:40:48 +0000 +Subject: staging: wilc1000: fix error path cleanup in wilc_wlan_initialize() + +From: Ajay Singh + +commit 6419f818ababebc1116fb2d0e220bd4fe835d0e3 upstream. + +For the error path in wilc_wlan_initialize(), the resources are not +cleanup in the correct order. Reverted the previous changes and use the +correct order to free during error condition. + +Fixes: b46d68825c2d ("staging: wilc1000: remove COMPLEMENT_BOOT") +Cc: +Signed-off-by: Ajay Singh +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wilc1000/wilc_netdev.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/staging/wilc1000/wilc_netdev.c ++++ b/drivers/staging/wilc1000/wilc_netdev.c +@@ -530,17 +530,17 @@ static int wilc_wlan_initialize(struct n + goto fail_locks; + } + +- if (wl->gpio_irq && init_irq(dev)) { +- ret = -EIO; +- goto fail_locks; +- } +- + ret = wlan_initialize_threads(dev); + if (ret < 0) { + ret = -EIO; + goto fail_wilc_wlan; + } + ++ if (wl->gpio_irq && init_irq(dev)) { ++ ret = -EIO; ++ goto fail_threads; ++ } ++ + if (!wl->dev_irq_num && + wl->hif_func->enable_interrupt && + wl->hif_func->enable_interrupt(wl)) { +@@ -596,7 +596,7 @@ fail_irq_enable: + fail_irq_init: + if (wl->dev_irq_num) + deinit_irq(dev); +- ++fail_threads: + wlan_deinitialize_threads(dev); + fail_wilc_wlan: + wilc_wlan_cleanup(dev); diff --git a/queue-5.1/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch b/queue-5.1/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch new file mode 100644 index 00000000000..178d22b6e34 --- /dev/null +++ b/queue-5.1/usb-dwc2-use-a-longer-ahb-idle-timeout-in-dwc2_core_reset.patch @@ -0,0 +1,43 @@ +From dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 Mon Sep 17 00:00:00 2001 +From: Martin Blumenstingl +Date: Thu, 20 Jun 2019 19:50:22 +0200 +Subject: usb: dwc2: use a longer AHB idle timeout in dwc2_core_reset() + +From: Martin Blumenstingl + +commit dfc4fdebc5d62ac4e2fe5428e59b273675515fb2 upstream. + +Use a 10000us AHB idle timeout in dwc2_core_reset() and make it +consistent with the other "wait for AHB master IDLE state" ocurrences. + +This fixes a problem for me where dwc2 would not want to initialize when +updating to 4.19 on a MIPS Lantiq VRX200 SoC. dwc2 worked fine with +4.14. +Testing on my board shows that it takes 180us until AHB master IDLE +state is signalled. The very old vendor driver for this SoC (ifxhcd) +used a 1 second timeout. +Use the same timeout that is used everywhere when polling for +GRSTCTL_AHBIDLE instead of using a timeout that "works for one board" +(180us in my case) to have consistent behavior across the dwc2 driver. + +Cc: linux-stable # 4.19+ +Acked-by: Minas Harutyunyan +Signed-off-by: Martin Blumenstingl +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc2/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc2/core.c ++++ b/drivers/usb/dwc2/core.c +@@ -531,7 +531,7 @@ int dwc2_core_reset(struct dwc2_hsotg *h + } + + /* Wait for AHB master IDLE state */ +- if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 50)) { ++ if (dwc2_hsotg_wait_bit_set(hsotg, GRSTCTL, GRSTCTL_AHBIDLE, 10000)) { + dev_warn(hsotg->dev, "%s: HANG! AHB Idle timeout GRSTCTL GRSTCTL_AHBIDLE\n", + __func__); + return -EBUSY; diff --git a/queue-5.1/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch b/queue-5.1/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch new file mode 100644 index 00000000000..73ac1522728 --- /dev/null +++ b/queue-5.1/usb-gadget-ether-fix-race-between-gether_disconnect-and-rx_submit.patch @@ -0,0 +1,50 @@ +From d29fcf7078bc8be2b6366cbd4418265b53c94fac Mon Sep 17 00:00:00 2001 +From: Kiruthika Varadarajan +Date: Tue, 18 Jun 2019 08:39:06 +0000 +Subject: usb: gadget: ether: Fix race between gether_disconnect and rx_submit + +From: Kiruthika Varadarajan + +commit d29fcf7078bc8be2b6366cbd4418265b53c94fac upstream. + +On spin lock release in rx_submit, gether_disconnect get a chance to +run, it makes port_usb NULL, rx_submit access NULL port USB, hence null +pointer crash. + +Fixed by releasing the lock in rx_submit after port_usb is used. + +Fixes: 2b3d942c4878 ("usb ethernet gadget: split out network core") +Cc: +Signed-off-by: Kiruthika Varadarajan +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/u_ether.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -186,11 +186,12 @@ rx_submit(struct eth_dev *dev, struct us + out = dev->port_usb->out_ep; + else + out = NULL; +- spin_unlock_irqrestore(&dev->lock, flags); + + if (!out) ++ { ++ spin_unlock_irqrestore(&dev->lock, flags); + return -ENOTCONN; +- ++ } + + /* Padding up to RX_EXTRA handles minor disagreements with host. + * Normally we use the USB "terminate on short read" convention; +@@ -214,6 +215,7 @@ rx_submit(struct eth_dev *dev, struct us + + if (dev->port_usb->is_fixed) + size = max_t(size_t, size, dev->port_usb->fixed_out_len); ++ spin_unlock_irqrestore(&dev->lock, flags); + + skb = __netdev_alloc_skb(dev->net, size + NET_IP_ALIGN, gfp_flags); + if (skb == NULL) { diff --git a/queue-5.1/usb-gadget-f_fs-data_len-used-before-properly-set.patch b/queue-5.1/usb-gadget-f_fs-data_len-used-before-properly-set.patch new file mode 100644 index 00000000000..2b20d517fcd --- /dev/null +++ b/queue-5.1/usb-gadget-f_fs-data_len-used-before-properly-set.patch @@ -0,0 +1,49 @@ +From 4833a94eb383f5b22775077ff92ddaae90440921 Mon Sep 17 00:00:00 2001 +From: Fei Yang +Date: Wed, 12 Jun 2019 15:13:26 -0700 +Subject: usb: gadget: f_fs: data_len used before properly set + +From: Fei Yang + +commit 4833a94eb383f5b22775077ff92ddaae90440921 upstream. + +The following line of code in function ffs_epfile_io is trying to set +flag io_data->use_sg in case buffer required is larger than one page. + + io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; + +However at this point of time the variable data_len has not been set +to the proper buffer size yet. The consequence is that io_data->use_sg +is always set regardless what buffer size really is, because the condition +(data_len > PAGE_SIZE) is effectively an unsigned comparison between +-EINVAL and PAGE_SIZE which would always result in TRUE. + +Fixes: 772a7a724f69 ("usb: gadget: f_fs: Allow scatter-gather buffers") +Signed-off-by: Fei Yang +Cc: stable +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -997,7 +997,6 @@ static ssize_t ffs_epfile_io(struct file + * earlier + */ + gadget = epfile->ffs->gadget; +- io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; + + spin_lock_irq(&epfile->ffs->eps_lock); + /* In the meantime, endpoint got disabled or changed. */ +@@ -1012,6 +1011,8 @@ static ssize_t ffs_epfile_io(struct file + */ + if (io_data->read) + data_len = usb_ep_align_maybe(gadget, ep->ep, data_len); ++ ++ io_data->use_sg = gadget->sg_supported && data_len > PAGE_SIZE; + spin_unlock_irq(&epfile->ffs->eps_lock); + + data = ffs_alloc_buffer(io_data, data_len); diff --git a/queue-5.1/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch b/queue-5.1/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch new file mode 100644 index 00000000000..5c43a5f5da1 --- /dev/null +++ b/queue-5.1/usb-renesas_usbhs-add-a-workaround-for-a-race-condition-of-workqueue.patch @@ -0,0 +1,129 @@ +From b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Wed, 26 Jun 2019 22:06:33 +0900 +Subject: usb: renesas_usbhs: add a workaround for a race condition of workqueue + +From: Yoshihiro Shimoda + +commit b2357839c56ab7d06bcd4e866ebc2d0e2b7997f3 upstream. + +The old commit 6e4b74e4690d ("usb: renesas: fix scheduling in atomic +context bug") fixed an atomic issue by using workqueue for the shdmac +dmaengine driver. However, this has a potential race condition issue +between the work pending and usbhsg_ep_free_request() in gadget mode. +When usbhsg_ep_free_request() is called while pending the queue, +since the work_struct will be freed and then the work handler is +called, kernel panic happens on process_one_work(). + +To fix the issue, if we could call cancel_work_sync() at somewhere +before the free request, it could be easy. However, +the usbhsg_ep_free_request() is called on atomic (e.g. f_ncm driver +calls free request via gether_disconnect()). + +For now, almost all users are having "USB-DMAC" and the DMAengine +driver can be used on atomic. So, this patch adds a workaround for +a race condition to call the DMAengine APIs without the workqueue. + +This means we still have TODO on shdmac environment (SH7724), but +since it doesn't have SMP, the race condition might not happen. + +Fixes: ab330cf3888d ("usb: renesas_usbhs: add support for USB-DMAC") +Cc: # v4.1+ +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/fifo.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -802,9 +802,8 @@ static int __usbhsf_dma_map_ctrl(struct + } + + static void usbhsf_dma_complete(void *arg); +-static void xfer_work(struct work_struct *work) ++static void usbhsf_dma_xfer_preparing(struct usbhs_pkt *pkt) + { +- struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); + struct usbhs_pipe *pipe = pkt->pipe; + struct usbhs_fifo *fifo; + struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); +@@ -812,12 +811,10 @@ static void xfer_work(struct work_struct + struct dma_chan *chan; + struct device *dev = usbhs_priv_to_dev(priv); + enum dma_transfer_direction dir; +- unsigned long flags; + +- usbhs_lock(priv, flags); + fifo = usbhs_pipe_to_fifo(pipe); + if (!fifo) +- goto xfer_work_end; ++ return; + + chan = usbhsf_dma_chan_get(fifo, pkt); + dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV; +@@ -826,7 +823,7 @@ static void xfer_work(struct work_struct + pkt->trans, dir, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + if (!desc) +- goto xfer_work_end; ++ return; + + desc->callback = usbhsf_dma_complete; + desc->callback_param = pipe; +@@ -834,7 +831,7 @@ static void xfer_work(struct work_struct + pkt->cookie = dmaengine_submit(desc); + if (pkt->cookie < 0) { + dev_err(dev, "Failed to submit dma descriptor\n"); +- goto xfer_work_end; ++ return; + } + + dev_dbg(dev, " %s %d (%d/ %d)\n", +@@ -845,8 +842,17 @@ static void xfer_work(struct work_struct + dma_async_issue_pending(chan); + usbhsf_dma_start(pipe, fifo); + usbhs_pipe_enable(pipe); ++} ++ ++static void xfer_work(struct work_struct *work) ++{ ++ struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); ++ struct usbhs_pipe *pipe = pkt->pipe; ++ struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); ++ unsigned long flags; + +-xfer_work_end: ++ usbhs_lock(priv, flags); ++ usbhsf_dma_xfer_preparing(pkt); + usbhs_unlock(priv, flags); + } + +@@ -899,8 +905,13 @@ static int usbhsf_dma_prepare_push(struc + pkt->trans = len; + + usbhsf_tx_irq_ctrl(pipe, 0); +- INIT_WORK(&pkt->work, xfer_work); +- schedule_work(&pkt->work); ++ /* FIXME: Workaound for usb dmac that driver can be used in atomic */ ++ if (usbhs_get_dparam(priv, has_usb_dmac)) { ++ usbhsf_dma_xfer_preparing(pkt); ++ } else { ++ INIT_WORK(&pkt->work, xfer_work); ++ schedule_work(&pkt->work); ++ } + + return 0; + +@@ -1006,8 +1017,7 @@ static int usbhsf_dma_prepare_pop_with_u + + pkt->trans = pkt->length; + +- INIT_WORK(&pkt->work, xfer_work); +- schedule_work(&pkt->work); ++ usbhsf_dma_xfer_preparing(pkt); + + return 0; + diff --git a/queue-5.1/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch b/queue-5.1/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch new file mode 100644 index 00000000000..8e33ed3d4dc --- /dev/null +++ b/queue-5.1/usb-serial-ftdi_sio-add-id-for-isodebug-v1.patch @@ -0,0 +1,44 @@ +From f8377eff548170e8ea8022c067a1fbdf9e1c46a8 Mon Sep 17 00:00:00 2001 +From: Andreas Fritiofson +Date: Fri, 28 Jun 2019 15:08:34 +0200 +Subject: USB: serial: ftdi_sio: add ID for isodebug v1 + +From: Andreas Fritiofson + +commit f8377eff548170e8ea8022c067a1fbdf9e1c46a8 upstream. + +This adds the vid:pid of the isodebug v1 isolated JTAG/SWD+UART. Only the +second channel is available for use as a serial port. + +Signed-off-by: Andreas Fritiofson +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1029,6 +1029,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(AIRBUS_DS_VID, AIRBUS_DS_P8GR) }, + /* EZPrototypes devices */ + { USB_DEVICE(EZPROTOTYPES_VID, HJELMSLUND_USB485_ISO_PID) }, ++ { USB_DEVICE_INTERFACE_NUMBER(UNJO_VID, UNJO_ISODEBUG_V1_PID, 1) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1543,3 +1543,9 @@ + #define CHETCO_SEASMART_DISPLAY_PID 0xA5AD /* SeaSmart NMEA2000 Display */ + #define CHETCO_SEASMART_LITE_PID 0xA5AE /* SeaSmart Lite USB Adapter */ + #define CHETCO_SEASMART_ANALOG_PID 0xA5AF /* SeaSmart Analog Adapter */ ++ ++/* ++ * Unjo AB ++ */ ++#define UNJO_VID 0x22B7 ++#define UNJO_ISODEBUG_V1_PID 0x150D diff --git a/queue-5.1/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch b/queue-5.1/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch new file mode 100644 index 00000000000..03556decee3 --- /dev/null +++ b/queue-5.1/usb-serial-option-add-support-for-gosuncn-me3630-rndis-mode.patch @@ -0,0 +1,46 @@ +From aed2a26283528fb69c38e414f649411aa48fb391 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?J=C3=B6rgen=20Storvist?= +Date: Wed, 19 Jun 2019 00:30:19 +0200 +Subject: USB: serial: option: add support for GosunCn ME3630 RNDIS mode +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jörgen Storvist + +commit aed2a26283528fb69c38e414f649411aa48fb391 upstream. + +Added USB IDs for GosunCn ME3630 cellular module in RNDIS mode. + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=03 Dev#= 18 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=0601 Rev=03.18 +S: Manufacturer=Android +S: Product=Android +S: SerialNumber=b950269c +C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=e0(wlcon) Sub=01 Prot=03 Driver=rndis_host +I: If#=0x1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option + +Signed-off-by: Jörgen Storvist +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1343,6 +1343,7 @@ static const struct usb_device_id option + .driver_info = RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0414, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x0417, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0601, 0xff) }, /* GosunCn ZTE WeLink ME3630 (RNDIS mode) */ + { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x0602, 0xff) }, /* GosunCn ZTE WeLink ME3630 (MBIM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1008, 0xff, 0xff, 0xff), + .driver_info = RSVD(4) },