From 47bd9b2ef370be9c33fa313e74966546cccd1ff0 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sun, 13 Feb 2022 12:29:35 +0100 Subject: [PATCH] 5.10-stable patches added patches: eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch hwmon-dell-smm-speed-up-setting-of-fan-speed.patch n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch phy-ti-fix-missing-sentinel-for-clk_div_table.patch revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch speakup-dectlk-restore-pitch-setting.patch usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch usb-gadget-f_uac2-define-specific-wterminaltype.patch usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch usb-gadget-validate-interface-os-descriptor-requests.patch usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch usb-serial-cp210x-add-ncr-retail-io-box-id.patch usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch usb-serial-option-add-zte-mf286d-modem.patch usb-ulpi-call-of_node_put-correctly.patch usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch vt_ioctl-add-array_index_nospec-to-vt_activate.patch vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch --- ...mit-i2c-reads-to-i2c_smbus_block_max.patch | 43 ++++++ ...ll-smm-speed-up-setting-of-fan-speed.patch | 73 ++++++++++ ...up-poll-pollrdnorm-on-receiving-data.patch | 85 +++++++++++ ...x-out-of-bounds-accesses-in-rx-fixup.patch | 136 ++++++++++++++++++ ...x-missing-sentinel-for-clk_div_table.patch | 77 ++++++++++ ...-connect-when-gadget-is-unconfigured.patch | 40 ++++++ queue-5.10/series | 23 +++ ...speakup-dectlk-restore-pitch-setting.patch | 32 +++++ ...-connect-when-gadget-is-unconfigured.patch | 51 +++++++ 
...vent-core-from-processing-stale-trbs.patch | 51 +++++++ ...f_uac2-define-specific-wterminaltype.patch | 49 +++++++ ...-check-size-of-rndis_msg_set-command.patch | 43 ++++++ ...fix-host-to-usb_role_none-transition.patch | 45 ++++++ ...ate-interface-os-descriptor-requests.patch | 31 ++++ ...-of-dual-direction-capable-endpoints.patch | 44 ++++++ ...-for-gw-instek-usb2.0-serial-devices.patch | 39 +++++ ...cp210x-add-cpi-bulk-coin-recycler-id.patch | 33 +++++ ...rial-cp210x-add-ncr-retail-io-box-id.patch | 33 +++++ ...upport-for-brainboxes-us-159-235-320.patch | 58 ++++++++ ...b-serial-option-add-zte-mf286d-modem.patch | 62 ++++++++ .../usb-ulpi-call-of_node_put-correctly.patch | 46 ++++++ ...move-of_node_put-to-ulpi_dev_release.patch | 41 ++++++ ...dd-array_index_nospec-to-vt_activate.patch | 39 +++++ ...array_index_nospec-in-vt_setactivate.patch | 40 ++++++ 24 files changed, 1214 insertions(+) create mode 100644 queue-5.10/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch create mode 100644 queue-5.10/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch create mode 100644 queue-5.10/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch create mode 100644 queue-5.10/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch create mode 100644 queue-5.10/phy-ti-fix-missing-sentinel-for-clk_div_table.patch create mode 100644 queue-5.10/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch create mode 100644 queue-5.10/speakup-dectlk-restore-pitch-setting.patch create mode 100644 queue-5.10/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch create mode 100644 queue-5.10/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch create mode 100644 queue-5.10/usb-gadget-f_uac2-define-specific-wterminaltype.patch create mode 100644 queue-5.10/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch create mode 100644 queue-5.10/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch create mode 100644 
queue-5.10/usb-gadget-validate-interface-os-descriptor-requests.patch create mode 100644 queue-5.10/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch create mode 100644 queue-5.10/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch create mode 100644 queue-5.10/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch create mode 100644 queue-5.10/usb-serial-cp210x-add-ncr-retail-io-box-id.patch create mode 100644 queue-5.10/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch create mode 100644 queue-5.10/usb-serial-option-add-zte-mf286d-modem.patch create mode 100644 queue-5.10/usb-ulpi-call-of_node_put-correctly.patch create mode 100644 queue-5.10/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch create mode 100644 queue-5.10/vt_ioctl-add-array_index_nospec-to-vt_activate.patch create mode 100644 queue-5.10/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch diff --git a/queue-5.10/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch b/queue-5.10/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch new file mode 100644 index 00000000000..0355ca51fae --- /dev/null +++ b/queue-5.10/eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch 
@@ -0,0 +1,43 @@ +From c0689e46be23160d925dca95dfc411f1a0462708 Mon Sep 17 00:00:00 2001 +From: Jonas Malaco +Date: Thu, 3 Feb 2022 13:49:52 -0300 +Subject: eeprom: ee1004: limit i2c reads to I2C_SMBUS_BLOCK_MAX + +From: Jonas Malaco + +commit c0689e46be23160d925dca95dfc411f1a0462708 upstream. + +Commit effa453168a7 ("i2c: i801: Don't silently correct invalid transfer +size") revealed that ee1004_eeprom_read() did not properly limit how +many bytes to read at once. + +In particular, i2c_smbus_read_i2c_block_data_or_emulated() takes the +length to read as an u8. If count == 256 after taking into account the +offset and page boundary, the cast to u8 overflows. And this is common +when user space tries to read the entire EEPROM at once. + +To fix it, limit each read to I2C_SMBUS_BLOCK_MAX (32) bytes, already +the maximum length i2c_smbus_read_i2c_block_data_or_emulated() allows. + +Fixes: effa453168a7 ("i2c: i801: Don't silently correct invalid transfer size") +Cc: stable@vger.kernel.org +Reviewed-by: Heiner Kallweit +Signed-off-by: Jonas Malaco +Link: https://lore.kernel.org/r/20220203165024.47767-1-jonas@protocubo.io +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/eeprom/ee1004.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/misc/eeprom/ee1004.c ++++ b/drivers/misc/eeprom/ee1004.c +@@ -82,6 +82,9 @@ static ssize_t ee1004_eeprom_read(struct + if (unlikely(offset + count > EE1004_PAGE_SIZE)) + count = EE1004_PAGE_SIZE - offset; + ++ if (count > I2C_SMBUS_BLOCK_MAX) ++ count = I2C_SMBUS_BLOCK_MAX; ++ + status = i2c_smbus_read_i2c_block_data_or_emulated(client, offset, + count, buf); + dev_dbg(&client->dev, "read %zu@%d --> %d\n", count, offset, status); diff --git a/queue-5.10/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch b/queue-5.10/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch new file mode 100644 index 00000000000..7f94c60856f --- /dev/null +++ b/queue-5.10/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch 
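Review bot: The new clamp in ee1004_eeprom_read() carries no comment, so the reason for it lives only in the commit message. A single line above `if (count > I2C_SMBUS_BLOCK_MAX)` would keep it from being removed as redundant later, for example `/* length is passed on as a u8; a larger count would be truncated */`. The function now returns short reads more often; the caller loop that has to cope with that is outside this hunk and worth confirming.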
@@ -0,0 +1,73 @@ +From c0d79987a0d82671bff374c07f2201f9bdf4aaa2 Mon Sep 17 00:00:00 2001 +From: Armin Wolf +Date: Thu, 21 Oct 2021 21:05:31 +0200 +Subject: hwmon: (dell-smm) Speed up setting of fan speed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +commit c0d79987a0d82671bff374c07f2201f9bdf4aaa2 upstream. + +When setting the fan speed, i8k_set_fan() calls i8k_get_fan_status(), +causing an unnecessary SMM call since from the two users of this +function, only i8k_ioctl_unlocked() needs to know the new fan status +while dell_smm_write() ignores the new fan status. +Since SMM calls can be very slow while also making error reporting +difficult for dell_smm_write(), remove the function call from +i8k_set_fan() and call it separately in i8k_ioctl_unlocked(). + +Tested on a Dell Inspiron 3505. + +Signed-off-by: Armin Wolf +Reviewed-by: Pali Rohár +Link: https://lore.kernel.org/r/20211021190531.17379-6-W_Armin@gmx.de +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/dell-smm-hwmon.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/hwmon/dell-smm-hwmon.c ++++ b/drivers/hwmon/dell-smm-hwmon.c +@@ -317,7 +317,7 @@ static int i8k_enable_fan_auto_mode(bool + } + + /* +- * Set the fan speed (off, low, high). Returns the new fan status. ++ * Set the fan speed (off, low, high, ...). + */ + static int i8k_set_fan(int fan, int speed) + { +@@ -329,7 +329,7 @@ static int i8k_set_fan(int fan, int spee + speed = (speed < 0) ? 0 : ((speed > i8k_fan_max) ? i8k_fan_max : speed); + regs.ebx = (fan & 0xff) | (speed << 8); + +- return i8k_smm(®s) ? 
: i8k_get_fan_status(fan); ++ return i8k_smm(®s); + } + + static int i8k_get_temp_type(int sensor) +@@ -443,7 +443,7 @@ static int + i8k_ioctl_unlocked(struct file *fp, unsigned int cmd, unsigned long arg) + { + int val = 0; +- int speed; ++ int speed, err; + unsigned char buff[16]; + int __user *argp = (int __user *)arg; + +@@ -504,7 +504,11 @@ i8k_ioctl_unlocked(struct file *fp, unsi + if (copy_from_user(&speed, argp + 1, sizeof(int))) + return -EFAULT; + +- val = i8k_set_fan(val, speed); ++ err = i8k_set_fan(val, speed); ++ if (err < 0) ++ return err; ++ ++ val = i8k_get_fan_status(val); + break; + + default: diff --git a/queue-5.10/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch b/queue-5.10/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch new file mode 100644 index 00000000000..82768da545e --- /dev/null +++ b/queue-5.10/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch 
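Review bot: The rewritten comment above i8k_set_fan() no longer says what the function returns, although the new code in i8k_ioctl_unlocked() depends on it (`if (err < 0) return err;`). Suggest extending it to `Set the fan speed (off, low, high, ...). Returns the i8k_smm() result, negative on failure.`; the i8k_smm() contract is not visible here, so check the wording against it. The value of `i8k_get_fan_status(val)` is stored in `val` with no equivalent error test at that point; whether a negative `val` is handled after the switch lies outside the hunk.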
@@ -0,0 +1,85 @@ +From c816b2e65b0e86b95011418cad334f0524fc33b8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?TATSUKAWA=20KOSUKE=20=28=E7=AB=8B=E5=B7=9D=20=E6=B1=9F?= + =?UTF-8?q?=E4=BB=8B=29?= +Date: Wed, 26 Jan 2022 23:35:02 +0000 +Subject: n_tty: wake up poll(POLLRDNORM) on receiving data + +From: TATSUKAWA KOSUKE (立川 江介) + +commit c816b2e65b0e86b95011418cad334f0524fc33b8 upstream. + +The poll man page says POLLRDNORM is equivalent to POLLIN when used as +an event. +$ man poll + + POLLRDNORM + Equivalent to POLLIN. + +However, in n_tty driver, POLLRDNORM does not return until timeout even +if there is terminal input, whereas POLLIN returns. + +The following test program works until kernel-3.17, but the test stops +in poll() after commit 57087d515441 ("tty: Fix spurious poll() wakeups"). + +[Steps to run test program] + $ cc -o test-pollrdnorm test-pollrdnorm.c + $ ./test-pollrdnorm + foo <-- Type in something from the terminal followed by [RET]. + The string should be echoed back. + + ------------------------< test-pollrdnorm.c >------------------------ + #include + #include + #include + #include + + void main(void) + { + int n; + unsigned char buf[8]; + struct pollfd fds[1] = {{ 0, POLLRDNORM, 0 }}; + + n = poll(fds, 1, -1); + if (n < 0) + perror("poll"); + n = read(0, buf, 8); + if (n < 0) + perror("read"); + if (n > 0) + write(1, buf, n); + } + ------------------------------------------------------------------------ + +The attached patch fixes this problem. Many calls to +wake_up_interruptible_poll() in the kernel source code already specify +"POLLIN | POLLRDNORM". 
+ +Fixes: 57087d515441 ("tty: Fix spurious poll() wakeups") +Cc: stable@vger.kernel.org +Signed-off-by: Kosuke Tatsukawa +Link: https://lore.kernel.org/r/TYCPR01MB81901C0F932203D30E452B3EA5209@TYCPR01MB8190.jpnprd01.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_tty.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1372,7 +1372,7 @@ handle_newline: + put_tty_queue(c, ldata); + smp_store_release(&ldata->canon_head, ldata->read_head); + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- wake_up_interruptible_poll(&tty->read_wait, EPOLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM); + return 0; + } + } +@@ -1653,7 +1653,7 @@ static void __receive_buf(struct tty_str + + if (read_cnt(ldata)) { + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- wake_up_interruptible_poll(&tty->read_wait, EPOLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, EPOLLIN | EPOLLRDNORM); + } + } + diff --git a/queue-5.10/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch b/queue-5.10/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch new file mode 100644 index 00000000000..1d45f55ae30 --- /dev/null +++ b/queue-5.10/net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch 
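Review bot: Only the two wake-ups shown (in the handle_newline path and in __receive_buf()) get `EPOLLIN | EPOLLRDNORM`. Any other wake-up on `tty->read_wait` in n_tty.c that still passes `EPOLLIN` alone would leave POLLRDNORM waiters blocked on that path, and none of those are visible in these hunks. A grep for `read_wait` in the 5.10 tree before queuing would confirm the coverage. A short comment at one of the sites stating that POLLRDNORM must be signalled together with POLLIN would help keep future call sites consistent.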
@@ -0,0 +1,136 @@ +From 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 26 Jan 2022 14:14:52 +0100 +Subject: net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup + +From: Jann Horn + +commit 57bc3d3ae8c14df3ceb4e17d26ddf9eeab304581 upstream. + +ax88179_rx_fixup() contains several out-of-bounds accesses that can be +triggered by a malicious (or defective) USB device, in particular: + + - The metadata array (hdr_off..hdr_off+2*pkt_cnt) can be out of bounds, + causing OOB reads and (on big-endian systems) OOB endianness flips. + - A packet can overlap the metadata array, causing a later OOB + endianness flip to corrupt data used by a cloned SKB that has already + been handed off into the network stack. + - A packet SKB can be constructed whose tail is far beyond its end, + causing out-of-bounds heap data to be considered part of the SKB's + data. + +I have tested that this can be used by a malicious USB device to send a +bogus ICMPv6 Echo Request and receive an ICMPv6 Echo Reply in response +that contains random kernel heap data. +It's probably also possible to get OOB writes from this on a +little-endian system somehow - maybe by triggering skb_cow() via IP +options processing -, but I haven't tested that. 
+ +Fixes: e2ca90c276e1 ("ax88179_178a: ASIX AX88179_178A USB 3.0/2.0 to gigabit ethernet adapter driver") +Cc: stable@kernel.org +Signed-off-by: Jann Horn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/ax88179_178a.c | 68 +++++++++++++++++++++++------------------ + 1 file changed, 39 insertions(+), 29 deletions(-) + +--- a/drivers/net/usb/ax88179_178a.c ++++ b/drivers/net/usb/ax88179_178a.c +@@ -1467,58 +1467,68 @@ static int ax88179_rx_fixup(struct usbne + u16 hdr_off; + u32 *pkt_hdr; + +- /* This check is no longer done by usbnet */ +- if (skb->len < dev->net->hard_header_len) ++ /* At the end of the SKB, there's a header telling us how many packets ++ * are bundled into this buffer and where we can find an array of ++ * per-packet metadata (which contains elements encoded into u16). ++ */ ++ if (skb->len < 4) + return 0; +- + skb_trim(skb, skb->len - 4); + rx_hdr = get_unaligned_le32(skb_tail_pointer(skb)); +- + pkt_cnt = (u16)rx_hdr; + hdr_off = (u16)(rx_hdr >> 16); ++ ++ if (pkt_cnt == 0) ++ return 0; ++ ++ /* Make sure that the bounds of the metadata array are inside the SKB ++ * (and in front of the counter at the end). 
++ */ ++ if (pkt_cnt * 2 + hdr_off > skb->len) ++ return 0; + pkt_hdr = (u32 *)(skb->data + hdr_off); + +- while (pkt_cnt--) { ++ /* Packets must not overlap the metadata array */ ++ skb_trim(skb, hdr_off); ++ ++ for (; ; pkt_cnt--, pkt_hdr++) { + u16 pkt_len; + + le32_to_cpus(pkt_hdr); + pkt_len = (*pkt_hdr >> 16) & 0x1fff; + +- /* Check CRC or runt packet */ +- if ((*pkt_hdr & AX_RXHDR_CRC_ERR) || +- (*pkt_hdr & AX_RXHDR_DROP_ERR)) { +- skb_pull(skb, (pkt_len + 7) & 0xFFF8); +- pkt_hdr++; +- continue; +- } +- +- if (pkt_cnt == 0) { +- skb->len = pkt_len; +- /* Skip IP alignment pseudo header */ +- skb_pull(skb, 2); +- skb_set_tail_pointer(skb, skb->len); +- skb->truesize = pkt_len + sizeof(struct sk_buff); +- ax88179_rx_checksum(skb, pkt_hdr); +- return 1; +- } ++ if (pkt_len > skb->len) ++ return 0; + +- ax_skb = skb_clone(skb, GFP_ATOMIC); +- if (ax_skb) { ++ /* Check CRC or runt packet */ ++ if (((*pkt_hdr & (AX_RXHDR_CRC_ERR | AX_RXHDR_DROP_ERR)) == 0) && ++ pkt_len >= 2 + ETH_HLEN) { ++ bool last = (pkt_cnt == 0); ++ ++ if (last) { ++ ax_skb = skb; ++ } else { ++ ax_skb = skb_clone(skb, GFP_ATOMIC); ++ if (!ax_skb) ++ return 0; ++ } + ax_skb->len = pkt_len; + /* Skip IP alignment pseudo header */ + skb_pull(ax_skb, 2); + skb_set_tail_pointer(ax_skb, ax_skb->len); + ax_skb->truesize = pkt_len + sizeof(struct sk_buff); + ax88179_rx_checksum(ax_skb, pkt_hdr); ++ ++ if (last) ++ return 1; ++ + usbnet_skb_return(dev, ax_skb); +- } else { +- return 0; + } + +- skb_pull(skb, (pkt_len + 7) & 0xFFF8); +- pkt_hdr++; ++ /* Trim this packet away from the SKB */ ++ if (!skb_pull(skb, (pkt_len + 7) & 0xFFF8)) ++ return 0; + } +- return 1; + } + + static struct sk_buff * diff --git a/queue-5.10/phy-ti-fix-missing-sentinel-for-clk_div_table.patch b/queue-5.10/phy-ti-fix-missing-sentinel-for-clk_div_table.patch new file mode 100644 index 00000000000..8655ec2f3d4 --- /dev/null +++ b/queue-5.10/phy-ti-fix-missing-sentinel-for-clk_div_table.patch 
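Review bot: The new bounds check `if (pkt_cnt * 2 + hdr_off > skb->len)` counts two bytes per metadata entry, but the array is walked through `u32 *pkt_hdr` with `le32_to_cpus(pkt_hdr)` and `pkt_hdr++`, which is four bytes per entry. The later entries of a device-supplied array can therefore still lie outside the range that was checked; `if (pkt_cnt * 4 + hdr_off > skb->len)` would match the access width. The loop also changed from `while (pkt_cnt--)` to `for (; ; pkt_cnt--, pkt_hdr++)` while keeping `last = (pkt_cnt == 0)`. That appears to run one iteration more than pkt_cnt and to convert and read one entry past the array before `last` becomes true. Both points are in the upstream commit as queued, so a correction would need to go upstream first and then follow this backport.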
@@ -0,0 +1,77 @@ +From 6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69 Mon Sep 17 00:00:00 2001 +From: Kishon Vijay Abraham I +Date: Mon, 17 Jan 2022 16:31:08 +0530 +Subject: phy: ti: Fix missing sentinel for clk_div_table + +From: Kishon Vijay Abraham I + +commit 6d1e6bcb31663ee83aaea1f171f3dbfe95dd4a69 upstream. + +_get_table_maxdiv() tries to access "clk_div_table" array out of bound +defined in phy-j721e-wiz.c. Add a sentinel entry to prevent +the following global-out-of-bounds error reported by enabling KASAN. + +[ 9.552392] BUG: KASAN: global-out-of-bounds in _get_maxdiv+0xc0/0x148 +[ 9.558948] Read of size 4 at addr ffff8000095b25a4 by task kworker/u4:1/38 +[ 9.565926] +[ 9.567441] CPU: 1 PID: 38 Comm: kworker/u4:1 Not tainted 5.16.0-116492-gdaadb3bd0e8d-dirty #360 +[ 9.576242] Hardware name: Texas Instruments J721e EVM (DT) +[ 9.581832] Workqueue: events_unbound deferred_probe_work_func +[ 9.587708] Call trace: +[ 9.590174] dump_backtrace+0x20c/0x218 +[ 9.594038] show_stack+0x18/0x68 +[ 9.597375] dump_stack_lvl+0x9c/0xd8 +[ 9.601062] print_address_description.constprop.0+0x78/0x334 +[ 9.606830] kasan_report+0x1f0/0x260 +[ 9.610517] __asan_load4+0x9c/0xd8 +[ 9.614030] _get_maxdiv+0xc0/0x148 +[ 9.617540] divider_determine_rate+0x88/0x488 +[ 9.622005] divider_round_rate_parent+0xc8/0x124 +[ 9.626729] wiz_clk_div_round_rate+0x54/0x68 +[ 9.631113] clk_core_determine_round_nolock+0x124/0x158 +[ 9.636448] clk_core_round_rate_nolock+0x68/0x138 +[ 9.641260] clk_core_set_rate_nolock+0x268/0x3a8 +[ 9.645987] clk_set_rate+0x50/0xa8 +[ 9.649499] cdns_sierra_phy_init+0x88/0x248 +[ 9.653794] phy_init+0x98/0x108 +[ 9.657046] cdns_pcie_enable_phy+0xa0/0x170 +[ 9.661340] cdns_pcie_init_phy+0x250/0x2b0 +[ 9.665546] j721e_pcie_probe+0x4b8/0x798 +[ 9.669579] platform_probe+0x8c/0x108 +[ 9.673350] really_probe+0x114/0x630 +[ 9.677037] __driver_probe_device+0x18c/0x220 +[ 9.681505] driver_probe_device+0xac/0x150 +[ 9.685712] __device_attach_driver+0xec/0x170 +[ 9.690178] 
bus_for_each_drv+0xf0/0x158 +[ 9.694124] __device_attach+0x184/0x210 +[ 9.698070] device_initial_probe+0x14/0x20 +[ 9.702277] bus_probe_device+0xec/0x100 +[ 9.706223] deferred_probe_work_func+0x124/0x180 +[ 9.710951] process_one_work+0x4b0/0xbc0 +[ 9.714983] worker_thread+0x74/0x5d0 +[ 9.718668] kthread+0x214/0x230 +[ 9.721919] ret_from_fork+0x10/0x20 +[ 9.725520] +[ 9.727032] The buggy address belongs to the variable: +[ 9.732183] clk_div_table+0x24/0x440 + +Fixes: 091876cc355d ("phy: ti: j721e-wiz: Add support for WIZ module present in TI J721E SoC") +Cc: stable@vger.kernel.org # v5.10+ +Signed-off-by: Kishon Vijay Abraham I +Link: https://lore.kernel.org/r/20220117110108.4117-1-kishon@ti.com +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman +--- + drivers/phy/ti/phy-j721e-wiz.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/phy/ti/phy-j721e-wiz.c ++++ b/drivers/phy/ti/phy-j721e-wiz.c +@@ -177,6 +177,7 @@ static const struct clk_div_table clk_di + { .val = 1, .div = 2, }, + { .val = 2, .div = 4, }, + { .val = 3, .div = 8, }, ++ { /* sentinel */ }, + }; + + static struct wiz_clk_div_sel clk_div_sel[] = { diff --git a/queue-5.10/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch b/queue-5.10/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch new file mode 100644 index 00000000000..facf00da1c1 --- /dev/null +++ b/queue-5.10/revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch 
@@ -0,0 +1,40 @@ +From 736e8d89044c1c330967fb938fa766cd9e0d8af0 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Sat, 12 Feb 2022 10:08:54 +0100 +Subject: Revert "usb: dwc2: drd: fix soft connect when gadget is unconfigured" + +From: Greg Kroah-Hartman + +commit 736e8d89044c1c330967fb938fa766cd9e0d8af0 upstream. + +This reverts commit 269cbcf7b72de6f0016806d4a0cec1d689b55a87. + +It causes build errors as reported by the kernel test robot. + +Link: https://lore.kernel.org/r/202202112236.AwoOTtHO-lkp@intel.com +Reported-by: kernel test robot +Fixes: 269cbcf7b72d ("usb: dwc2: drd: fix soft connect when gadget is unconfigured") +Cc: stable@kernel.org +Cc: Amelie Delaunay +Cc: Minas Harutyunyan +Cc: Fabrice Gasnier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/drd.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -109,10 +109,8 @@ static int dwc2_drd_role_sw_set(struct u + already = dwc2_ovr_avalid(hsotg, true); + } else if (role == USB_ROLE_DEVICE) { + already = dwc2_ovr_bvalid(hsotg, true); +- if (hsotg->enabled) { +- /* This clear DCTL.SFTDISCON bit */ +- dwc2_hsotg_core_connect(hsotg); +- } ++ /* This clear DCTL.SFTDISCON bit */ ++ dwc2_hsotg_core_connect(hsotg); + } else { + if (dwc2_is_device_mode(hsotg)) { + if (!dwc2_ovr_bvalid(hsotg, false)) diff --git a/queue-5.10/series b/queue-5.10/series index 095bead9a2a..871f1e416e8 100644 --- a/queue-5.10/series +++ b/queue-5.10/series 
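Review bot: With this revert queued right after usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch, the USB_ROLE_DEVICE branch of dwc2_drd_role_sw_set() again calls `dwc2_hsotg_core_connect(hsotg)` unconditionally. The behaviour that patch describes (SFTDISCON cleared while no gadget is configured, host enumeration failing) therefore stays unfixed in 5.10. The revert message gives only "build errors" as the reason. Presumably `hsotg->enabled` is not available in every configuration (not visible here), so a replacement would need the check behind a helper or config guard, and the revert description would be clearer if it named the failing configuration.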
@@ -84,3 +84,26 @@ ice-fix-an-error-code-in-ice_cfg_phy_fec.patch ice-fix-ipip-and-sit-tso-offload.patch net-mscc-ocelot-fix-mutex-lock-error-during-ethtool-.patch net-dsa-mv88e6xxx-fix-use-after-free-in-mv88e6xxx_md.patch +vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch +vt_ioctl-add-array_index_nospec-to-vt_activate.patch +n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch +eeprom-ee1004-limit-i2c-reads-to-i2c_smbus_block_max.patch +usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch +revert-usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch +net-usb-ax88179_178a-fix-out-of-bounds-accesses-in-rx-fixup.patch +usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch +usb-ulpi-call-of_node_put-correctly.patch +usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch +usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch +usb-gadget-validate-interface-os-descriptor-requests.patch +usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch +usb-gadget-f_uac2-define-specific-wterminaltype.patch +usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch +usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch +usb-serial-option-add-zte-mf286d-modem.patch +usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch +usb-serial-cp210x-add-ncr-retail-io-box-id.patch +usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch +speakup-dectlk-restore-pitch-setting.patch +phy-ti-fix-missing-sentinel-for-clk_div_table.patch +hwmon-dell-smm-speed-up-setting-of-fan-speed.patch diff --git a/queue-5.10/speakup-dectlk-restore-pitch-setting.patch b/queue-5.10/speakup-dectlk-restore-pitch-setting.patch new file mode 100644 index 00000000000..3ed198d7002 --- /dev/null +++ b/queue-5.10/speakup-dectlk-restore-pitch-setting.patch 
@@ -0,0 +1,32 @@ +From bca828ccdd6548d24613d0cede04ada4dfb2f89c Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Sun, 6 Feb 2022 02:56:26 +0100 +Subject: speakup-dectlk: Restore pitch setting + +From: Samuel Thibault + +commit bca828ccdd6548d24613d0cede04ada4dfb2f89c upstream. + +d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") +introduced the inflection parameter, but happened to drop the pitch +parameter from the dectlk driver. This restores it. + +Cc: stable@vger.kernel.org +Fixes: d97a9d7aea04 ("staging/speakup: Add inflection synth parameter") +Signed-off-by: Samuel Thibault +Link: https://lore.kernel.org/r/20220206015626.aesbhvvdkmqsrbaw@begin +Signed-off-by: Greg Kroah-Hartman +--- + drivers/accessibility/speakup/speakup_dectlk.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/accessibility/speakup/speakup_dectlk.c ++++ b/drivers/accessibility/speakup/speakup_dectlk.c +@@ -44,6 +44,7 @@ static struct var_t vars[] = { + { CAPS_START, .u.s = {"[:dv ap 160] " } }, + { CAPS_STOP, .u.s = {"[:dv ap 100 ] " } }, + { RATE, .u.n = {"[:ra %d] ", 180, 75, 650, 0, 0, NULL } }, ++ { PITCH, .u.n = {"[:dv ap %d] ", 122, 50, 350, 0, 0, NULL } }, + { INFLECTION, .u.n = {"[:dv pr %d] ", 100, 0, 10000, 0, 0, NULL } }, + { VOL, .u.n = {"[:dv g5 %d] ", 86, 60, 86, 0, 0, NULL } }, + { PUNCT, .u.n = {"[:pu %c] ", 0, 0, 2, 0, 0, "nsa" } }, diff --git a/queue-5.10/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch b/queue-5.10/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch new file mode 100644 index 00000000000..180f448111c --- /dev/null +++ b/queue-5.10/usb-dwc2-drd-fix-soft-connect-when-gadget-is-unconfigured.patch 
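Review bot: The restored PITCH entry uses the same `[:dv ap %d]` command that CAPS_START and CAPS_STOP hard-code (`ap 160` and `ap 100`). After a capitalised word the synthesizer is thus presumably left at 100 rather than at the configured pitch, whose default here is 122. That interaction predates this patch, but it becomes observable once pitch is settable again. A one-line comment in the `vars[]` table noting that CAPS_STOP resets pitch to a fixed value would document it.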
@@ -0,0 +1,51 @@ +From 269cbcf7b72de6f0016806d4a0cec1d689b55a87 Mon Sep 17 00:00:00 2001 +From: Fabrice Gasnier +Date: Wed, 9 Feb 2022 17:15:53 +0100 +Subject: usb: dwc2: drd: fix soft connect when gadget is unconfigured + +From: Fabrice Gasnier + +commit 269cbcf7b72de6f0016806d4a0cec1d689b55a87 upstream. + +When the gadget driver hasn't been (yet) configured, and the cable is +connected to a HOST, the SFTDISCON gets cleared unconditionally, so the +HOST tries to enumerate it. +At the host side, this can result in a stuck USB port or worse. When +getting lucky, some dmesg can be observed at the host side: + new high-speed USB device number ... + device descriptor read/64, error -110 + +Fix it in drd, by checking the enabled flag before calling +dwc2_hsotg_core_connect(). It will be called later, once configured, +by the normal flow: +- udc_bind_to_driver + - usb_gadget_connect + - dwc2_hsotg_pullup + - dwc2_hsotg_core_connect + +Fixes: 17f934024e84 ("usb: dwc2: override PHY input signals with usb role switch support") +Cc: stable@kernel.org +Reviewed-by: Amelie Delaunay +Acked-by: Minas Harutyunyan +Signed-off-by: Fabrice Gasnier +Link: https://lore.kernel.org/r/1644423353-17859-1-git-send-email-fabrice.gasnier@foss.st.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc2/drd.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc2/drd.c ++++ b/drivers/usb/dwc2/drd.c +@@ -109,8 +109,10 @@ static int dwc2_drd_role_sw_set(struct u + already = dwc2_ovr_avalid(hsotg, true); + } else if (role == USB_ROLE_DEVICE) { + already = dwc2_ovr_bvalid(hsotg, true); +- /* This clear DCTL.SFTDISCON bit */ +- dwc2_hsotg_core_connect(hsotg); ++ if (hsotg->enabled) { ++ /* This clear DCTL.SFTDISCON bit */ ++ dwc2_hsotg_core_connect(hsotg); ++ } + } else { + if (dwc2_is_device_mode(hsotg)) { + if (!dwc2_ovr_bvalid(hsotg, false)) 
diff --git a/queue-5.10/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch b/queue-5.10/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch new file mode 100644 index 00000000000..28dfacb28f5 --- /dev/null +++ b/queue-5.10/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch 
@@ -0,0 +1,51 @@ +From 117b4e96c7f362eb6459543883fc07f77662472c Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Mon, 7 Feb 2022 09:55:58 +0530 +Subject: usb: dwc3: gadget: Prevent core from processing stale TRBs + +From: Udipto Goswami + +commit 117b4e96c7f362eb6459543883fc07f77662472c upstream. + +With CPU re-ordering on write instructions, there might +be a chance that the HWO is set before the TRB is updated +with the new mapped buffer address. +And in the case where core is processing a list of TRBs +it is possible that it fetched the TRBs when the HWO is set +but before the buffer address is updated. +Prevent this by adding a memory barrier before the HWO +is updated to ensure that the core always process the +updated TRBs. + +Fixes: f6bafc6a1c9d ("usb: dwc3: convert TRBs into bitshifts") +Cc: stable +Reviewed-by: Pavankumar Kondeti +Signed-off-by: Udipto Goswami +Link: https://lore.kernel.org/r/1644207958-18287-1-git-send-email-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1072,6 +1072,19 @@ static void __dwc3_prepare_one_trb(struc + if (usb_endpoint_xfer_bulk(dep->endpoint.desc) && dep->stream_capable) + trb->ctrl |= DWC3_TRB_CTRL_SID_SOFN(stream_id); + ++ /* ++ * As per data book 4.2.3.2TRB Control Bit Rules section ++ * ++ * The controller autonomously checks the HWO field of a TRB to determine if the ++ * entire TRB is valid. Therefore, software must ensure that the rest of the TRB ++ * is valid before setting the HWO field to '1'. In most systems, this means that ++ * software must update the fourth DWORD of a TRB last. ++ * ++ * However there is a possibility of CPU re-ordering here which can cause ++ * controller to observe the HWO bit set prematurely. ++ * Add a write memory barrier to prevent CPU re-ordering. 
++ */ ++ wmb(); + trb->ctrl |= DWC3_TRB_CTRL_HWO; + + dwc3_ep_inc_enq(dep); diff --git a/queue-5.10/usb-gadget-f_uac2-define-specific-wterminaltype.patch b/queue-5.10/usb-gadget-f_uac2-define-specific-wterminaltype.patch new file mode 100644 index 00000000000..041d659c14a --- /dev/null +++ b/queue-5.10/usb-gadget-f_uac2-define-specific-wterminaltype.patch 
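Review bot: `wmb()` before `trb->ctrl |= DWC3_TRB_CTRL_HWO;` is the full mandatory write barrier. For publishing a descriptor in DMA-coherent memory to a device the kernel offers `dma_wmb()`, which gives the needed store ordering at lower cost on several architectures. Whether the TRB pool is coherent memory is not visible in this hunk, so confirm that before changing it. The added comment also runs its reference together as `4.2.3.2TRB Control Bit Rules`; `section 4.2.3.2, "TRB Control Bit Rules"` would read correctly.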
@@ -0,0 +1,49 @@
+From 5432184107cd0013761bdfa6cb6079527ef87b95 Mon Sep 17 00:00:00 2001
+From: Pavel Hofman
+Date: Mon, 31 Jan 2022 08:18:13 +0100
+Subject: usb: gadget: f_uac2: Define specific wTerminalType
+
+From: Pavel Hofman
+
+commit 5432184107cd0013761bdfa6cb6079527ef87b95 upstream.
+
+Several users have reported that their Win10 does not enumerate UAC2
+gadget with the existing wTerminalType set to
+UAC_INPUT_TERMINAL_UNDEFINED/UAC_INPUT_TERMINAL_UNDEFINED, e.g.
+https://github.com/raspberrypi/linux/issues/4587#issuecomment-926567213.
+While the constant is officially defined by the USB terminal types
+document, e.g. XMOS firmware for UAC2 (commonly used for Win10) defines
+no undefined output terminal type in its usbaudio20.h header.
+
+Therefore wTerminalType of EP-IN is set to
+UAC_INPUT_TERMINAL_MICROPHONE and wTerminalType of EP-OUT to
+UAC_OUTPUT_TERMINAL_SPEAKER for the UAC2 gadget.
+
+Signed-off-by: Pavel Hofman
+Cc: stable
+Link: https://lore.kernel.org/r/20220131071813.7433-1-pavel.hofman@ivitera.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/f_uac2.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -176,7 +176,7 @@ static struct uac2_input_terminal_descri
+
+ .bDescriptorSubtype = UAC_INPUT_TERMINAL,
+ /* .bTerminalID = DYNAMIC */
+- .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_UNDEFINED),
++ .wTerminalType = cpu_to_le16(UAC_INPUT_TERMINAL_MICROPHONE),
+ .bAssocTerminal = 0,
+ /* .bCSourceID = DYNAMIC */
+ .iChannelNames = 0,
+@@ -204,7 +204,7 @@ static struct uac2_output_terminal_descr
+
+ .bDescriptorSubtype = UAC_OUTPUT_TERMINAL,
+ /* .bTerminalID = DYNAMIC */
+- .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_UNDEFINED),
++ .wTerminalType = cpu_to_le16(UAC_OUTPUT_TERMINAL_SPEAKER),
+ .bAssocTerminal = 0,
+ /* .bSourceID = DYNAMIC */
+ /* .bCSourceID = DYNAMIC */
diff --git a/queue-5.10/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch b/queue-5.10/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
new file mode 100644
index 00000000000..f06d27e0094
--- /dev/null
+++ b/queue-5.10/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch
@@ -0,0 +1,43 @@
+From 38ea1eac7d88072bbffb630e2b3db83ca649b826 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman
+Date: Wed, 9 Feb 2022 16:37:53 +0100
+Subject: usb: gadget: rndis: check size of RNDIS_MSG_SET command
+
+From: Greg Kroah-Hartman
+
+commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream.
+
+Check the size of the RNDIS_MSG_SET command given to us before
+attempting to respond to an invalid message size.
+
+Reported-by: Szymon Heidrich
+Cc: stable@kernel.org
+Tested-by: Szymon Heidrich
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/function/rndis.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/gadget/function/rndis.c
++++ b/drivers/usb/gadget/function/rndis.c
+@@ -637,14 +637,17 @@ static int rndis_set_response(struct rnd
+ rndis_set_cmplt_type *resp;
+ rndis_resp_t *r;
+
++ BufLength = le32_to_cpu(buf->InformationBufferLength);
++ BufOffset = le32_to_cpu(buf->InformationBufferOffset);
++ if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
++ (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
++ return -EINVAL;
++
+ r = rndis_add_response(params, sizeof(rndis_set_cmplt_type));
+ if (!r)
+ return -ENOMEM;
+ resp = (rndis_set_cmplt_type *)r->buf;
+
+- BufLength = le32_to_cpu(buf->InformationBufferLength);
+- BufOffset = le32_to_cpu(buf->InformationBufferOffset);
+-
+ #ifdef VERBOSE_DEBUG
+ pr_debug("%s: Length: %d\n", __func__, BufLength);
+ pr_debug("%s: Offset: %d\n", __func__, BufOffset);
diff --git a/queue-5.10/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch b/queue-5.10/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch
new file mode 100644
index 00000000000..2778b0d234e
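Review bot: The offset half of the added guard in rndis_set_response(), `(BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)`, does the addition before the comparison, so if BufOffset is a 32-bit value copied from the host's message (its declaration is outside the hunk) a value within 8 of the type's maximum wraps to a small number and passes. Moving the constant to the other side keeps the same bound without the wrap: `(BufOffset >= RNDIS_MAX_TOTAL_SIZE - 8)`. Length and offset are also bounded independently, so it is worth confirming that the code further down the function, which is not in this hunk, cannot be handed a pair whose sum runs past the request buffer.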
--- /dev/null
+++ b/queue-5.10/usb-gadget-udc-renesas_usb3-fix-host-to-usb_role_none-transition.patch
@@ -0,0 +1,45 @@
+From 459702eea6132888b5c5b64c0e9c626da4ec2493 Mon Sep 17 00:00:00 2001
+From: Adam Ford
+Date: Fri, 28 Jan 2022 16:36:03 -0600
+Subject: usb: gadget: udc: renesas_usb3: Fix host to USB_ROLE_NONE transition
+
+From: Adam Ford
+
+commit 459702eea6132888b5c5b64c0e9c626da4ec2493 upstream.
+
+The support the external role switch a variety of situations were
+addressed, but the transition from USB_ROLE_HOST to USB_ROLE_NONE
+leaves the host up which can cause some error messages when
+switching from host to none, to gadget, to none, and then back
+to host again.
+
+ xhci-hcd ee000000.usb: Abort failed to stop command ring: -110
+ xhci-hcd ee000000.usb: xHCI host controller not responding, assume dead
+ xhci-hcd ee000000.usb: HC died; cleaning up
+ usb 4-1: device not accepting address 6, error -108
+ usb usb4-port1: couldn't allocate usb_device
+
+After this happens it will not act as a host again.
+Fix this by releasing the host mode when transitioning to USB_ROLE_NONE.
+
+Fixes: 0604160d8c0b ("usb: gadget: udc: renesas_usb3: Enhance role switch support")
+Cc: stable
+Reviewed-by: Yoshihiro Shimoda
+Signed-off-by: Adam Ford
+Link: https://lore.kernel.org/r/20220128223603.2362621-1-aford173@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/udc/renesas_usb3.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/gadget/udc/renesas_usb3.c
++++ b/drivers/usb/gadget/udc/renesas_usb3.c
+@@ -2378,6 +2378,8 @@ static void handle_ext_role_switch_state
+ switch (role) {
+ case USB_ROLE_NONE:
+ usb3->connection_state = USB_ROLE_NONE;
++ if (cur_role == USB_ROLE_HOST)
++ device_release_driver(host);
+ if (usb3->driver)
+ usb3_disconnect(usb3);
+ usb3_vbus_out(usb3, false);
diff --git a/queue-5.10/usb-gadget-validate-interface-os-descriptor-requests.patch b/queue-5.10/usb-gadget-validate-interface-os-descriptor-requests.patch
new file mode 100644
index 00000000000..1fca28660c9
--- /dev/null
+++ b/queue-5.10/usb-gadget-validate-interface-os-descriptor-requests.patch
@@ -0,0 +1,31 @@
+From 75e5b4849b81e19e9efe1654b30d7f3151c33c2c Mon Sep 17 00:00:00 2001
+From: Szymon Heidrich
+Date: Mon, 24 Jan 2022 12:14:00 +0100
+Subject: USB: gadget: validate interface OS descriptor requests
+
+From: Szymon Heidrich
+
+commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream.
+
+Stall the control endpoint in case provided index exceeds array size of
+MAX_CONFIG_INTERFACES or when the retrieved function pointer is null.
+
+Signed-off-by: Szymon Heidrich
+Cc: stable@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/composite.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/gadget/composite.c
++++ b/drivers/usb/gadget/composite.c
+@@ -1944,6 +1944,9 @@ unknown:
+ if (w_index != 0x5 || (w_value >> 8))
+ break;
+ interface = w_value & 0xFF;
++ if (interface >= MAX_CONFIG_INTERFACES ||
++ !os_desc_cfg->interface[interface])
++ break;
+ buf[6] = w_index;
+ count = count_ext_prop(os_desc_cfg,
+ interface);
diff --git a/queue-5.10/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch b/queue-5.10/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch
new file mode 100644
index 00000000000..de044f45198
--- /dev/null
+++ b/queue-5.10/usb-raw-gadget-fix-handling-of-dual-direction-capable-endpoints.patch
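Review bot: The added check after `interface = w_value & 0xFF;` carries no comment saying that the index comes from the host's control request, which is why both the range test against MAX_CONFIG_INTERFACES and the NULL test on `os_desc_cfg->interface[interface]` have to come before `count_ext_prop()` is called. A one-line comment above the `if` would record that: `/* w_value is host-controlled: reject out-of-range or unpopulated interface slots */`. The enclosing switch starts and ends outside the hunk, so whether other branches index the same array could not be checked here.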
@@ -0,0 +1,44 @@
+From 292d2c82b105d92082c2120a44a58de9767e44f1 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Wed, 26 Jan 2022 21:52:14 +0100
+Subject: usb: raw-gadget: fix handling of dual-direction-capable endpoints
+
+From: Jann Horn
+
+commit 292d2c82b105d92082c2120a44a58de9767e44f1 upstream.
+
+Under dummy_hcd, every available endpoint is *either* IN or OUT capable.
+But with some real hardware, there are endpoints that support both IN and
+OUT. In particular, the PLX 2380 has four available endpoints that each
+support both IN and OUT.
+
+raw-gadget currently gets confused and thinks that any endpoint that is
+usable as an IN endpoint can never be used as an OUT endpoint.
+
+Fix it by looking at the direction in the configured endpoint descriptor
+instead of looking at the hardware capabilities.
+
+With this change, I can use the PLX 2380 with raw-gadget.
+
+Fixes: f2c2e717642c ("usb: gadget: add raw-gadget interface")
+Cc: stable
+Tested-by: Andrey Konovalov
+Reviewed-by: Andrey Konovalov
+Signed-off-by: Jann Horn
+Link: https://lore.kernel.org/r/20220126205214.2149936-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/gadget/legacy/raw_gadget.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/legacy/raw_gadget.c
++++ b/drivers/usb/gadget/legacy/raw_gadget.c
+@@ -1003,7 +1003,7 @@ static int raw_process_ep_io(struct raw_
+ ret = -EBUSY;
+ goto out_unlock;
+ }
+- if ((in && !ep->ep->caps.dir_in) || (!in && ep->ep->caps.dir_in)) {
++ if (in != usb_endpoint_dir_in(ep->ep->desc)) {
+ dev_dbg(&dev->gadget->dev, "fail, wrong direction\n");
+ ret = -EINVAL;
+ goto out_unlock;
diff --git a/queue-5.10/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch b/queue-5.10/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
new file mode 100644
index 00000000000..d9d9bbdadca
--- /dev/null
+++ b/queue-5.10/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch
@@ -0,0 +1,39 @@
+From fa77ce201f7f2d823b07753575122d1ae5597fbe Mon Sep 17 00:00:00 2001
+From: Stephan Brunner
+Date: Sat, 8 Jan 2022 13:00:20 +0100
+Subject: USB: serial: ch341: add support for GW Instek USB2.0-Serial devices
+
+From: Stephan Brunner
+
+commit fa77ce201f7f2d823b07753575122d1ae5597fbe upstream.
+
+Programmable lab power supplies made by GW Instek, such as the
+GPP-2323, have a USB port exposing a serial port to control the device.
+
+Stringing the supplied Windows driver, references to the ch341 chip are
+found. Binding the existing ch341 driver to the VID/PID of the GPP-2323
+("GW Instek USB2.0-Serial" as per the USB product name) works out of the
+box, communication and control is now possible.
+
+This patch should work with any GPP series power supply due to
+similarities in the product line.
+
+Signed-off-by: Stephan Brunner
+Link: https://lore.kernel.org/r/4a47b864-0816-6f6a-efee-aa20e74bcdc6@stephan-brunner.net
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/ch341.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/ch341.c
++++ b/drivers/usb/serial/ch341.c
+@@ -85,6 +85,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1a86, 0x5523) },
+ { USB_DEVICE(0x1a86, 0x7522) },
+ { USB_DEVICE(0x1a86, 0x7523) },
++ { USB_DEVICE(0x2184, 0x0057) },
+ { USB_DEVICE(0x4348, 0x5523) },
+ { USB_DEVICE(0x9986, 0x7523) },
+ { },
diff --git a/queue-5.10/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch b/queue-5.10/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
new file mode 100644
index 00000000000..df22264c654
--- /dev/null
+++ b/queue-5.10/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch
@@ -0,0 +1,33 @@
+From 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 1 Feb 2022 11:42:53 +0100
+Subject: USB: serial: cp210x: add CPI Bulk Coin Recycler id
+
+From: Johan Hovold
+
+commit 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab upstream.
+
+Add the device id for the Crane Payment Innovation / Money Controls Bulk
+Coin Recycler:
+
+ https://www.cranepi.com/en/system/files/Support/OM_BCR_EN_V1-04_0.pdf
+
+Reported-by: Scott Russell
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -73,6 +73,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x0FCF, 0x1004) }, /* Dynastream ANT2USB */
+ { USB_DEVICE(0x0FCF, 0x1006) }, /* Dynastream ANT development board */
+ { USB_DEVICE(0x0FDE, 0xCA05) }, /* OWL Wireless Electricity Monitor CM-160 */
++ { USB_DEVICE(0x106F, 0x0003) }, /* CPI / Money Controls Bulk Coin Recycler */
+ { USB_DEVICE(0x10A6, 0xAA26) }, /* Knock-off DCU-11 cable */
+ { USB_DEVICE(0x10AB, 0x10C5) }, /* Siemens MC60 Cable */
+ { USB_DEVICE(0x10B5, 0xAC70) }, /* Nokia CA-42 USB */
diff --git a/queue-5.10/usb-serial-cp210x-add-ncr-retail-io-box-id.patch b/queue-5.10/usb-serial-cp210x-add-ncr-retail-io-box-id.patch
new file mode 100644
index 00000000000..f2276f909b0
--- /dev/null
+++ b/queue-5.10/usb-serial-cp210x-add-ncr-retail-io-box-id.patch
@@ -0,0 +1,33 @@
+From b50f8f09c622297d3cf46e332e17ba8adedec9af Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 1 Feb 2022 11:42:52 +0100
+Subject: USB: serial: cp210x: add NCR Retail IO box id
+
+From: Johan Hovold
+
+commit b50f8f09c622297d3cf46e332e17ba8adedec9af upstream.
+
+Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane
+SelfServ Checkout - R6C:
+
+ https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c
+
+Reported-by: Scott Russell
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -55,6 +55,7 @@ static void cp210x_enable_event_mode(str
+ static void cp210x_disable_event_mode(struct usb_serial_port *port);
+
+ static const struct usb_device_id id_table[] = {
++ { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */
+ { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */
+ { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */
+ { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */
diff --git a/queue-5.10/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch b/queue-5.10/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
new file mode 100644
index 00000000000..7ea2dfe3b44
--- /dev/null
+++ b/queue-5.10/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch
@@ -0,0 +1,58 @@
+From fbb9b194e15a63c56c5664e76ccd0e85c6100cea Mon Sep 17 00:00:00 2001
+From: Cameron Williams
+Date: Tue, 1 Feb 2022 10:12:51 +0000
+Subject: USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320
+
+From: Cameron Williams
+
+commit fbb9b194e15a63c56c5664e76ccd0e85c6100cea upstream.
+
+This patch adds support for the Brainboxes US-159, US-235 and US-320
+USB-to-Serial devices.
+
+Signed-off-by: Cameron Williams
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/ftdi_sio.c | 3 +++
+ drivers/usb/serial/ftdi_sio_ids.h | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -969,6 +969,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) },
++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_159_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) },
+@@ -977,12 +978,14 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) },
++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_235_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) },
++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_320_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) },
+ { USB_DEVICE(BRAINBOXES_VID,
BRAINBOXES_US_346_1_PID) },
+ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -1506,6 +1506,9 @@
+ #define BRAINBOXES_VX_023_PID 0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */
+ #define BRAINBOXES_VX_034_PID 0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */
+ #define BRAINBOXES_US_101_PID 0x1011 /* US-101 1xRS232 */
++#define BRAINBOXES_US_159_PID 0x1021 /* US-159 1xRS232 */
++#define BRAINBOXES_US_235_PID 0x1017 /* US-235 1xRS232 */
++#define BRAINBOXES_US_320_PID 0x1019 /* US-320 1xRS422/485 */
+ #define BRAINBOXES_US_324_PID 0x1013 /* US-324 1xRS422/485 1Mbaud */
+ #define BRAINBOXES_US_606_1_PID 0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */
+ #define BRAINBOXES_US_606_2_PID 0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */
diff --git a/queue-5.10/usb-serial-option-add-zte-mf286d-modem.patch b/queue-5.10/usb-serial-option-add-zte-mf286d-modem.patch
new file mode 100644
index 00000000000..945cc768fce
--- /dev/null
+++ b/queue-5.10/usb-serial-option-add-zte-mf286d-modem.patch
@@ -0,0 +1,62 @@
+From d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 Mon Sep 17 00:00:00 2001
+From: Pawel Dembicki
+Date: Tue, 11 Jan 2022 23:12:05 +0100
+Subject: USB: serial: option: add ZTE MF286D modem
+
+From: Pawel Dembicki
+
+commit d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 upstream.
+
+Modem from ZTE MF286D is an Qualcomm MDM9250 based 3G/4G modem.
+
+T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
+D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
+P: Vendor=19d2 ProdID=1485 Rev=52.87
+S: Manufacturer=ZTE,Incorporated
+S: Product=ZTE Technologies MSM
+S: SerialNumber=MF286DZTED000000
+C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=896mA
+A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00
+I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host
+E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host
+E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
+E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
+E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.)
Sub=42 Prot=01 Driver=usbfs
+E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
+
+Signed-off-by: Pawel Dembicki
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1649,6 +1649,8 @@ static const struct usb_device_id option
+ .driver_info = RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */
++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1485, 0xff, 0xff, 0xff), /* ZTE MF286D */
++ .driver_info = RSVD(5) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) },
diff --git a/queue-5.10/usb-ulpi-call-of_node_put-correctly.patch b/queue-5.10/usb-ulpi-call-of_node_put-correctly.patch
new file mode 100644
index 00000000000..33f7ce3d24f
--- /dev/null
+++ b/queue-5.10/usb-ulpi-call-of_node_put-correctly.patch
@@ -0,0 +1,46 @@
+From 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b Mon Sep 17 00:00:00 2001
+From: Sean Anderson
+Date: Thu, 27 Jan 2022 14:00:03 -0500
+Subject: usb: ulpi: Call of_node_put correctly
+
+From: Sean Anderson
+
+commit 0a907ee9d95e3ac35eb023d71f29eae0aaa52d1b upstream.
+
+of_node_put should always be called on device nodes gotten from
+of_get_*. Additionally, it should only be called after there are no
+remaining users. To address the first issue, call of_node_put if later
+steps in ulpi_register fail. To address the latter, call put_device if
+device_register fails, which will call ulpi_dev_release if necessary.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Sean Anderson
+Link: https://lore.kernel.org/r/20220127190004.1446909-3-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/common/ulpi.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -250,12 +250,16 @@ static int ulpi_register(struct device *
+ return ret;
+
+ ret = ulpi_read_id(ulpi);
+- if (ret)
++ if (ret) {
++ of_node_put(ulpi->dev.of_node);
+ return ret;
++ }
+
+ ret = device_register(&ulpi->dev);
+- if (ret)
++ if (ret) {
++ put_device(&ulpi->dev);
+ return ret;
++ }
+
+ dev_dbg(&ulpi->dev, "registered ULPI PHY: vendor %04x, product %04x\n",
+ ulpi->id.vendor, ulpi->id.product);
diff --git a/queue-5.10/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch b/queue-5.10/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch
new file mode 100644
index 00000000000..3484a258817
--- /dev/null
+++ b/queue-5.10/usb-ulpi-move-of_node_put-to-ulpi_dev_release.patch
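Review bot: The two error branches in ulpi_register() now leave `ulpi` in different states behind the same kind of return value: after a failed `ulpi_read_id()` only the node reference is dropped, while after a failed `device_register()` the added `put_device(&ulpi->dev);` releases the object, and the companion ulpi patch on this page shows ulpi_dev_release() ending in `kfree(to_ulpi_dev(dev))`. If the caller frees `ulpi` on any error (the caller is outside the hunk), the second branch becomes a double free, so the caller's error path needs checking against this change. At minimum the branch should say who owns the memory, e.g. `/* ulpi is freed by ulpi_dev_release() from here on */`.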
@@ -0,0 +1,41 @@
+From 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74 Mon Sep 17 00:00:00 2001
+From: Sean Anderson
+Date: Thu, 27 Jan 2022 14:00:02 -0500
+Subject: usb: ulpi: Move of_node_put to ulpi_dev_release
+
+From: Sean Anderson
+
+commit 092f45b13e51666fe8ecbf2d6cd247aa7e6c1f74 upstream.
+
+Drivers are not unbound from the device when ulpi_unregister_interface
+is called. Move of_node-freeing code to ulpi_dev_release which is called
+only after all users are gone.
+
+Fixes: ef6a7bcfb01c ("usb: ulpi: Support device discovery via DT")
+Cc: stable
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Sean Anderson
+Link: https://lore.kernel.org/r/20220127190004.1446909-2-sean.anderson@seco.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/common/ulpi.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/common/ulpi.c
++++ b/drivers/usb/common/ulpi.c
+@@ -132,6 +132,7 @@ static const struct attribute_group *ulp
+
+ static void ulpi_dev_release(struct device *dev)
+ {
++ of_node_put(dev->of_node);
+ kfree(to_ulpi_dev(dev));
+ }
+
+@@ -301,7 +302,6 @@ EXPORT_SYMBOL_GPL(ulpi_register_interfac
+ */
+ void ulpi_unregister_interface(struct ulpi *ulpi)
+ {
+- of_node_put(ulpi->dev.of_node);
+ device_unregister(&ulpi->dev);
+ }
+ EXPORT_SYMBOL_GPL(ulpi_unregister_interface);
diff --git a/queue-5.10/vt_ioctl-add-array_index_nospec-to-vt_activate.patch b/queue-5.10/vt_ioctl-add-array_index_nospec-to-vt_activate.patch
new file mode 100644
index 00000000000..e233ce0b9bd
--- /dev/null
+++ b/queue-5.10/vt_ioctl-add-array_index_nospec-to-vt_activate.patch
@@ -0,0 +1,39 @@
+From 28cb138f559f8c1a1395f5564f86b8bbee83631b Mon Sep 17 00:00:00 2001
+From: Jakob Koschel
+Date: Thu, 27 Jan 2022 15:44:05 +0100
+Subject: vt_ioctl: add array_index_nospec to VT_ACTIVATE
+
+From: Jakob Koschel
+
+commit 28cb138f559f8c1a1395f5564f86b8bbee83631b upstream.
+
+in vt_setactivate an almost identical code path has been patched
+with array_index_nospec. In the VT_ACTIVATE path the user input
+is from a system call argument instead of a usercopy.
+For consistency both code paths should have the same mitigations
+applied.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer
+Signed-off-by: Brian Johannesmeyer
+Signed-off-by: Jakob Koschel
+Link: https://lore.kernel.org/r/20220127144406.3589293-2-jakobkoschel@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt_ioctl.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -945,6 +945,7 @@ int vt_ioctl(struct tty_struct *tty,
+ return -ENXIO;
+
+ arg--;
++ arg = array_index_nospec(arg, MAX_NR_CONSOLES);
+ console_lock();
+ ret = vc_allocate(arg);
+ console_unlock();
diff --git a/queue-5.10/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch b/queue-5.10/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
new file mode 100644
index 00000000000..0421da3d06e
--- /dev/null
+++ b/queue-5.10/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch
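Review bot: The new `arg = array_index_nospec(arg, MAX_NR_CONSOLES);` in the VT_ACTIVATE path has no comment explaining why it sits after `arg--`, and that ordering is exactly what the vt_setactivate patch later on this page had to correct. A one-line comment would keep the two paths from drifting apart again: `/* clamp after the decrement so the speculative index stays below MAX_NR_CONSOLES */`. The same comment fits above the moved `vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES);` line in vt_setactivate(). Both functions continue outside their hunks.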
@@ -0,0 +1,40 @@
+From 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 Mon Sep 17 00:00:00 2001
+From: Jakob Koschel
+Date: Thu, 27 Jan 2022 15:44:04 +0100
+Subject: vt_ioctl: fix array_index_nospec in vt_setactivate
+
+From: Jakob Koschel
+
+commit 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 upstream.
+
+array_index_nospec ensures that an out-of-bounds value is set to zero
+on the transient path. Decreasing the value by one afterwards causes
+a transient integer underflow. vsa.console should be decreased first
+and then sanitized with array_index_nospec.
+
+Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh
+Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU
+Amsterdam.
+
+Co-developed-by: Brian Johannesmeyer
+Signed-off-by: Brian Johannesmeyer
+Signed-off-by: Jakob Koschel
+Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/vt/vt_ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -699,8 +699,8 @@ static int vt_setactivate(struct vt_seta
+ if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES)
+ return -ENXIO;
+
+- vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES + 1);
+ vsa.console--;
++ vsa.console = array_index_nospec(vsa.console, MAX_NR_CONSOLES);
+ console_lock();
+ ret = vc_allocate(vsa.console);
+ if (ret) {
-- 2.47.3