From dc8e23464ce57d66e03ef99f1dadee46448d57a9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 27 Nov 2019 21:09:19 +0100 Subject: [PATCH] 4.19-stable patches added patches: appledisplay-fix-error-handling-in-the-scheduled-work.patch kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch powerpc-64s-support-nospectre_v2-cmdline-option.patch powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch usb-chaoskey-fix-error-case-of-a-timeout.patch usb-serial-cp201x-support-mark-10-digital-force-gauge.patch usb-serial-mos7720-fix-remote-wakeup.patch usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch usb-serial-mos7840-fix-remote-wakeup.patch usb-serial-option-add-support-for-dw5821e-with-esim-support.patch usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch usbip-add-config-dependency-for-sgl_alloc.patch usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch --- ...error-handling-in-the-scheduled-work.patch | 51 +++++ ...k-stack-on-guest-exit-to-host-kernel.patch | 121 +++++++++++ ...-support-nospectre_v2-cmdline-option.patch | 73 +++++++ ...x-link-stack-flush-on-context-switch.patch | 196 ++++++++++++++++++ queue-4.19/series | 15 ++ ...usbduxfast_ai_cmdtest-rounding-error.patch | 87 ++++++++ ...chaoskey-fix-error-case-of-a-timeout.patch | 68 ++++++ ...-support-mark-10-digital-force-gauge.patch | 34 +++ ...usb-serial-mos7720-fix-remote-wakeup.patch | 40 ++++ ...dd-usb-id-to-support-moxa-uport-2210.patch | 72 +++++++ ...usb-serial-mos7840-fix-remote-wakeup.patch | 41 ++++ ...upport-for-dw5821e-with-esim-support.patch | 66 ++++++ ...port-for-foxconn-t77w968-lte-modules.patch | 61 ++++++ ...-add-config-dependency-for-sgl_alloc.patch | 32 +++ ...symbol-nents-in-stub_recv_cmd_submit.patch | 118 +++++++++++ ...e-function-of-read_attr_usbip_status.patch | 32 +++ 16 files changed, 1107 insertions(+) create mode 100644 queue-4.19/appledisplay-fix-error-handling-in-the-scheduled-work.patch create mode 100644 queue-4.19/kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch create mode 100644 queue-4.19/powerpc-64s-support-nospectre_v2-cmdline-option.patch create mode 100644 queue-4.19/powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch create mode 100644 queue-4.19/staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch create mode 100644 queue-4.19/usb-chaoskey-fix-error-case-of-a-timeout.patch create mode 100644 queue-4.19/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch create mode 100644 queue-4.19/usb-serial-mos7720-fix-remote-wakeup.patch create mode 100644 queue-4.19/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch create mode 100644 queue-4.19/usb-serial-mos7840-fix-remote-wakeup.patch create mode 100644 queue-4.19/usb-serial-option-add-support-for-dw5821e-with-esim-support.patch create mode 100644 queue-4.19/usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch create mode 100644 queue-4.19/usbip-add-config-dependency-for-sgl_alloc.patch create mode 100644 queue-4.19/usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch create mode 100644 queue-4.19/usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch diff --git a/queue-4.19/appledisplay-fix-error-handling-in-the-scheduled-work.patch b/queue-4.19/appledisplay-fix-error-handling-in-the-scheduled-work.patch new file mode 100644 index 00000000000..4b7f96186b1 --- /dev/null +++ b/queue-4.19/appledisplay-fix-error-handling-in-the-scheduled-work.patch @@ -0,0 +1,51 @@ +From 91feb01596e5efc0cc922cc73f5583114dccf4d2 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 6 Nov 2019 13:49:01 +0100 +Subject: appledisplay: fix error handling in the scheduled work + +From: Oliver Neukum + +commit 91feb01596e5efc0cc922cc73f5583114dccf4d2 upstream. + +The work item can operate on + +1. stale memory left over from the last transfer +the actual length of the data transfered needs to be checked +2. memory already freed +the error handling in appledisplay_probe() needs +to cancel the work in that case + +Reported-and-tested-by: syzbot+495dab1f175edc9c2f13@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20191106124902.7765-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/appledisplay.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/misc/appledisplay.c ++++ b/drivers/usb/misc/appledisplay.c +@@ -170,7 +170,12 @@ static int appledisplay_bl_get_brightnes + 0, + pdata->msgdata, 2, + ACD_USB_TIMEOUT); +- brightness = pdata->msgdata[1]; ++ if (retval < 2) { ++ if (retval >= 0) ++ retval = -EMSGSIZE; ++ } else { ++ brightness = pdata->msgdata[1]; ++ } + mutex_unlock(&pdata->sysfslock); + + if (retval < 0) +@@ -305,6 +310,7 @@ error: + if (pdata) { + if (pdata->urb) { + usb_kill_urb(pdata->urb); ++ cancel_delayed_work_sync(&pdata->work); + if (pdata->urbdata) + usb_free_coherent(pdata->udev, ACD_URB_BUFFER_LEN, + pdata->urbdata, pdata->urb->transfer_dma); diff --git a/queue-4.19/kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch b/queue-4.19/kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch new file mode 100644 index 00000000000..5b8c01fbc5e --- /dev/null +++ b/queue-4.19/kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch @@ -0,0 +1,121 @@ +From 8eaabfbb03eae954cfdc6fcfa9d8bf0670cd09db Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 13 Nov 2019 21:05:44 +1100 +Subject: KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel + +From: Michael Ellerman + +commit af2e8c68b9c5403f77096969c516f742f5bb29e0 upstream. + +On some systems that are vulnerable to Spectre v2, it is up to +software to flush the link stack (return address stack), in order to +protect against Spectre-RSB. + +When exiting from a guest we do some house keeping and then +potentially exit to C code which is several stack frames deep in the +host kernel. We will then execute a series of returns without +preceeding calls, opening up the possiblity that the guest could have +poisoned the link stack, and direct speculative execution of the host +to a gadget of some sort. + +To prevent this we add a flush of the link stack on exit from a guest. + +Signed-off-by: Michael Ellerman +[dja: straightforward backport to v4.19] +Signed-off-by: Daniel Axtens +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/asm-prototypes.h | 2 ++ + arch/powerpc/kernel/security.c | 9 +++++++++ + arch/powerpc/kvm/book3s_hv_rmhandlers.S | 28 ++++++++++++++++++++++++++++ + 3 files changed, 39 insertions(+) + +--- a/arch/powerpc/include/asm/asm-prototypes.h ++++ b/arch/powerpc/include/asm/asm-prototypes.h +@@ -147,8 +147,10 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu + extern s32 patch__call_flush_count_cache; + extern s32 patch__flush_count_cache_return; + extern s32 patch__flush_link_stack_return; ++extern s32 patch__call_kvm_flush_link_stack; + extern s32 patch__memset_nocache, patch__memcpy_nocache; + + extern long flush_count_cache; ++extern long kvm_flush_link_stack; + + #endif /* _ASM_POWERPC_ASM_PROTOTYPES_H */ +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -392,6 +392,9 @@ static void toggle_count_cache_flush(boo + + if (!enable) { + patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); ++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE ++ patch_instruction_site(&patch__call_kvm_flush_link_stack, PPC_INST_NOP); ++#endif + pr_info("link-stack-flush: software flush disabled.\n"); + link_stack_flush_enabled = false; + no_count_cache_flush(); +@@ -402,6 +405,12 @@ static void toggle_count_cache_flush(boo + patch_branch_site(&patch__call_flush_count_cache, + (u64)&flush_count_cache, BRANCH_SET_LINK); + ++#ifdef CONFIG_KVM_BOOK3S_HV_POSSIBLE ++ // This enables the branch from guest_exit_cont to kvm_flush_link_stack ++ patch_branch_site(&patch__call_kvm_flush_link_stack, ++ (u64)&kvm_flush_link_stack, BRANCH_SET_LINK); ++#endif ++ + pr_info("link-stack-flush: software flush enabled.\n"); + link_stack_flush_enabled = true; + +--- a/arch/powerpc/kvm/book3s_hv_rmhandlers.S ++++ b/arch/powerpc/kvm/book3s_hv_rmhandlers.S +@@ -18,6 +18,7 @@ + */ + + #include ++#include + #include + #include + #include +@@ -1559,6 +1560,10 @@ mc_cont: + 1: + #endif /* CONFIG_KVM_XICS */ + ++ /* Possibly flush the link stack here. */ ++1: nop ++ patch_site 1b patch__call_kvm_flush_link_stack ++ + /* For hash guest, read the guest SLB and save it away */ + ld r5, VCPU_KVM(r9) + lbz r0, KVM_RADIX(r5) +@@ -2107,6 +2112,29 @@ END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) + mtlr r0 + blr + ++.balign 32 ++.global kvm_flush_link_stack ++kvm_flush_link_stack: ++ /* Save LR into r0 */ ++ mflr r0 ++ ++ /* Flush the link stack. On Power8 it's up to 32 entries in size. */ ++ .rept 32 ++ bl .+4 ++ .endr ++ ++ /* And on Power9 it's up to 64. */ ++BEGIN_FTR_SECTION ++ .rept 32 ++ bl .+4 ++ .endr ++END_FTR_SECTION_IFSET(CPU_FTR_ARCH_300) ++ ++ /* Restore LR */ ++ mtlr r0 ++ blr ++ ++ + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + /* + * Softpatch interrupt for transactional memory emulation cases diff --git a/queue-4.19/powerpc-64s-support-nospectre_v2-cmdline-option.patch b/queue-4.19/powerpc-64s-support-nospectre_v2-cmdline-option.patch new file mode 100644 index 00000000000..5273020c344 --- /dev/null +++ b/queue-4.19/powerpc-64s-support-nospectre_v2-cmdline-option.patch @@ -0,0 +1,73 @@ +From a9fc317555b4393b075e3e8b66cd407ea6d52826 Mon Sep 17 00:00:00 2001 +From: "Christopher M. Riedl" +Date: Thu, 23 May 2019 21:46:48 -0500 +Subject: powerpc/64s: support nospectre_v2 cmdline option + +From: "Christopher M. Riedl" + +commit d8f0e0b073e1ec52a05f0c2a56318b47387d2f10 upstream. + +Add support for disabling the kernel implemented spectre v2 mitigation +(count cache flush on context switch) via the nospectre_v2 and +mitigations=off cmdline options. + +Suggested-by: Michael Ellerman +Signed-off-by: Christopher M. Riedl +Reviewed-by: Andrew Donnellan +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20190524024647.381-1-cmr@informatik.wtf +Signed-off-by: Daniel Axtens +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/kernel/security.c | 19 ++++++++++++++++--- + 1 file changed, 16 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -28,7 +28,7 @@ static enum count_cache_flush_type count + bool barrier_nospec_enabled; + static bool no_nospec; + static bool btb_flush_enabled; +-#ifdef CONFIG_PPC_FSL_BOOK3E ++#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) + static bool no_spectrev2; + #endif + +@@ -106,7 +106,7 @@ static __init int barrier_nospec_debugfs + device_initcall(barrier_nospec_debugfs_init); + #endif /* CONFIG_DEBUG_FS */ + +-#ifdef CONFIG_PPC_FSL_BOOK3E ++#if defined(CONFIG_PPC_FSL_BOOK3E) || defined(CONFIG_PPC_BOOK3S_64) + static int __init handle_nospectre_v2(char *p) + { + no_spectrev2 = true; +@@ -114,6 +114,9 @@ static int __init handle_nospectre_v2(ch + return 0; + } + early_param("nospectre_v2", handle_nospectre_v2); ++#endif /* CONFIG_PPC_FSL_BOOK3E || CONFIG_PPC_BOOK3S_64 */ ++ ++#ifdef CONFIG_PPC_FSL_BOOK3E + void setup_spectre_v2(void) + { + if (no_spectrev2 || cpu_mitigations_off()) +@@ -391,7 +394,17 @@ static void toggle_count_cache_flush(boo + + void setup_count_cache_flush(void) + { +- toggle_count_cache_flush(true); ++ bool enable = true; ++ ++ if (no_spectrev2 || cpu_mitigations_off()) { ++ if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || ++ security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) ++ pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); ++ ++ enable = false; ++ } ++ ++ toggle_count_cache_flush(enable); + } + + #ifdef CONFIG_DEBUG_FS diff --git a/queue-4.19/powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch b/queue-4.19/powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch new file mode 100644 index 00000000000..4e8e7d1a56b --- /dev/null +++ b/queue-4.19/powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch @@ -0,0 +1,196 @@ +From 0a74b0783d62800ed2fd4b267076e9ff93569848 Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Wed, 13 Nov 2019 21:05:41 +1100 +Subject: powerpc/book3s64: Fix link stack flush on context switch + +From: Michael Ellerman + +commit 39e72bf96f5847ba87cc5bd7a3ce0fed813dc9ad upstream. + +In commit ee13cb249fab ("powerpc/64s: Add support for software count +cache flush"), I added support for software to flush the count +cache (indirect branch cache) on context switch if firmware told us +that was the required mitigation for Spectre v2. + +As part of that code we also added a software flush of the link +stack (return address stack), which protects against Spectre-RSB +between user processes. + +That is all correct for CPUs that activate that mitigation, which is +currently Power9 Nimbus DD2.3. + +What I got wrong is that on older CPUs, where firmware has disabled +the count cache, we also need to flush the link stack on context +switch. + +To fix it we create a new feature bit which is not set by firmware, +which tells us we need to flush the link stack. We set that when +firmware tells us that either of the existing Spectre v2 mitigations +are enabled. + +Then we adjust the patching code so that if we see that feature bit we +enable the link stack flush. If we're also told to flush the count +cache in software then we fall through and do that also. + +On the older CPUs we don't need to do do the software count cache +flush, firmware has disabled it, so in that case we patch in an early +return after the link stack flush. + +The naming of some of the functions is awkward after this patch, +because they're called "count cache" but they also do link stack. But +we'll fix that up in a later commit to ease backporting. + +This is the fix for CVE-2019-18660. + +Reported-by: Anthony Steinhauser +Fixes: ee13cb249fab ("powerpc/64s: Add support for software count cache flush") +Cc: stable@vger.kernel.org # v4.4+ +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman +--- + arch/powerpc/include/asm/asm-prototypes.h | 1 + arch/powerpc/include/asm/security_features.h | 3 + + arch/powerpc/kernel/entry_64.S | 6 +++ + arch/powerpc/kernel/security.c | 48 ++++++++++++++++++++++++--- + 4 files changed, 54 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/include/asm/asm-prototypes.h ++++ b/arch/powerpc/include/asm/asm-prototypes.h +@@ -146,6 +146,7 @@ void _kvmppc_save_tm_pr(struct kvm_vcpu + /* Patch sites */ + extern s32 patch__call_flush_count_cache; + extern s32 patch__flush_count_cache_return; ++extern s32 patch__flush_link_stack_return; + extern s32 patch__memset_nocache, patch__memcpy_nocache; + + extern long flush_count_cache; +--- a/arch/powerpc/include/asm/security_features.h ++++ b/arch/powerpc/include/asm/security_features.h +@@ -81,6 +81,9 @@ static inline bool security_ftr_enabled( + // Software required to flush count cache on context switch + #define SEC_FTR_FLUSH_COUNT_CACHE 0x0000000000000400ull + ++// Software required to flush link stack on context switch ++#define SEC_FTR_FLUSH_LINK_STACK 0x0000000000001000ull ++ + + // Features enabled by default + #define SEC_FTR_DEFAULT \ +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -533,6 +533,7 @@ flush_count_cache: + /* Save LR into r9 */ + mflr r9 + ++ // Flush the link stack + .rept 64 + bl .+4 + .endr +@@ -542,6 +543,11 @@ flush_count_cache: + .balign 32 + /* Restore LR */ + 1: mtlr r9 ++ ++ // If we're just flushing the link stack, return here ++3: nop ++ patch_site 3b patch__flush_link_stack_return ++ + li r9,0x7fff + mtctr r9 + +--- a/arch/powerpc/kernel/security.c ++++ b/arch/powerpc/kernel/security.c +@@ -24,6 +24,7 @@ enum count_cache_flush_type { + COUNT_CACHE_FLUSH_HW = 0x4, + }; + static enum count_cache_flush_type count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; ++static bool link_stack_flush_enabled; + + bool barrier_nospec_enabled; + static bool no_nospec; +@@ -204,11 +205,19 @@ ssize_t cpu_show_spectre_v2(struct devic + + if (ccd) + seq_buf_printf(&s, "Indirect branch cache disabled"); ++ ++ if (link_stack_flush_enabled) ++ seq_buf_printf(&s, ", Software link stack flush"); ++ + } else if (count_cache_flush_type != COUNT_CACHE_FLUSH_NONE) { + seq_buf_printf(&s, "Mitigation: Software count cache flush"); + + if (count_cache_flush_type == COUNT_CACHE_FLUSH_HW) + seq_buf_printf(&s, " (hardware accelerated)"); ++ ++ if (link_stack_flush_enabled) ++ seq_buf_printf(&s, ", Software link stack flush"); ++ + } else if (btb_flush_enabled) { + seq_buf_printf(&s, "Mitigation: Branch predictor state flush"); + } else { +@@ -369,18 +378,40 @@ static __init int stf_barrier_debugfs_in + device_initcall(stf_barrier_debugfs_init); + #endif /* CONFIG_DEBUG_FS */ + ++static void no_count_cache_flush(void) ++{ ++ count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; ++ pr_info("count-cache-flush: software flush disabled.\n"); ++} ++ + static void toggle_count_cache_flush(bool enable) + { +- if (!enable || !security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { ++ if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE) && ++ !security_ftr_enabled(SEC_FTR_FLUSH_LINK_STACK)) ++ enable = false; ++ ++ if (!enable) { + patch_instruction_site(&patch__call_flush_count_cache, PPC_INST_NOP); +- count_cache_flush_type = COUNT_CACHE_FLUSH_NONE; +- pr_info("count-cache-flush: software flush disabled.\n"); ++ pr_info("link-stack-flush: software flush disabled.\n"); ++ link_stack_flush_enabled = false; ++ no_count_cache_flush(); + return; + } + ++ // This enables the branch from _switch to flush_count_cache + patch_branch_site(&patch__call_flush_count_cache, + (u64)&flush_count_cache, BRANCH_SET_LINK); + ++ pr_info("link-stack-flush: software flush enabled.\n"); ++ link_stack_flush_enabled = true; ++ ++ // If we just need to flush the link stack, patch an early return ++ if (!security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) { ++ patch_instruction_site(&patch__flush_link_stack_return, PPC_INST_BLR); ++ no_count_cache_flush(); ++ return; ++ } ++ + if (!security_ftr_enabled(SEC_FTR_BCCTR_FLUSH_ASSIST)) { + count_cache_flush_type = COUNT_CACHE_FLUSH_SW; + pr_info("count-cache-flush: full software flush sequence enabled.\n"); +@@ -399,11 +430,20 @@ void setup_count_cache_flush(void) + if (no_spectrev2 || cpu_mitigations_off()) { + if (security_ftr_enabled(SEC_FTR_BCCTRL_SERIALISED) || + security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED)) +- pr_warn("Spectre v2 mitigations not under software control, can't disable\n"); ++ pr_warn("Spectre v2 mitigations not fully under software control, can't disable\n"); + + enable = false; + } + ++ /* ++ * There's no firmware feature flag/hypervisor bit to tell us we need to ++ * flush the link stack on context switch. So we set it here if we see ++ * either of the Spectre v2 mitigations that aim to protect userspace. ++ */ ++ if (security_ftr_enabled(SEC_FTR_COUNT_CACHE_DISABLED) || ++ security_ftr_enabled(SEC_FTR_FLUSH_COUNT_CACHE)) ++ security_ftr_set(SEC_FTR_FLUSH_LINK_STACK); ++ + toggle_count_cache_flush(enable); + } + diff --git a/queue-4.19/series b/queue-4.19/series index 66323fc634d..224c6b60c36 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -289,3 +289,18 @@ media-b2c2-flexcop-usb-add-sanity-checking.patch media-cxusb-detect-cxusb_ctrl_msg-error-in-query.patch media-imon-invalid-dereference-in-imon_touch_event.patch virtio_ring-fix-return-code-on-dma-mapping-fails.patch +usbip-add-config-dependency-for-sgl_alloc.patch +usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch +usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch +usb-serial-cp201x-support-mark-10-digital-force-gauge.patch +usb-chaoskey-fix-error-case-of-a-timeout.patch +appledisplay-fix-error-handling-in-the-scheduled-work.patch +usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch +usb-serial-mos7720-fix-remote-wakeup.patch +usb-serial-mos7840-fix-remote-wakeup.patch +usb-serial-option-add-support-for-dw5821e-with-esim-support.patch +usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch +staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch +powerpc-64s-support-nospectre_v2-cmdline-option.patch +powerpc-book3s64-fix-link-stack-flush-on-context-switch.patch +kvm-ppc-book3s-hv-flush-link-stack-on-guest-exit-to-host-kernel.patch diff --git a/queue-4.19/staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch b/queue-4.19/staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch new file mode 100644 index 00000000000..6e501260ab1 --- /dev/null +++ b/queue-4.19/staging-comedi-usbduxfast-usbduxfast_ai_cmdtest-rounding-error.patch @@ -0,0 +1,87 @@ +From 5618332e5b955b4bff06d0b88146b971c8dd7b32 Mon Sep 17 00:00:00 2001 +From: Bernd Porr +Date: Mon, 18 Nov 2019 23:07:59 +0000 +Subject: staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error + +From: Bernd Porr + +commit 5618332e5b955b4bff06d0b88146b971c8dd7b32 upstream. + +The userspace comedilib function 'get_cmd_generic_timed' fills +the cmd structure with an informed guess and then calls the +function 'usbduxfast_ai_cmdtest' in this driver repeatedly while +'usbduxfast_ai_cmdtest' is modifying the cmd struct until it +no longer changes. However, because of rounding errors this never +converged because 'steps = (cmd->convert_arg * 30) / 1000' and then +back to 'cmd->convert_arg = (steps * 1000) / 30' won't be the same +because of rounding errors. 'Steps' should only be converted back to +the 'convert_arg' if 'steps' has actually been modified. In addition +the case of steps being 0 wasn't checked which is also now done. + +Signed-off-by: Bernd Porr +Cc: # 4.4+ +Reviewed-by: Ian Abbott +Link: https://lore.kernel.org/r/20191118230759.1727-1-mail@berndporr.me.uk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/usbduxfast.c | 21 ++++++++++++++------- + 1 file changed, 14 insertions(+), 7 deletions(-) + +--- a/drivers/staging/comedi/drivers/usbduxfast.c ++++ b/drivers/staging/comedi/drivers/usbduxfast.c +@@ -1,6 +1,6 @@ + // SPDX-License-Identifier: GPL-2.0+ + /* +- * Copyright (C) 2004-2014 Bernd Porr, mail@berndporr.me.uk ++ * Copyright (C) 2004-2019 Bernd Porr, mail@berndporr.me.uk + */ + + /* +@@ -8,7 +8,7 @@ + * Description: University of Stirling USB DAQ & INCITE Technology Limited + * Devices: [ITL] USB-DUX-FAST (usbduxfast) + * Author: Bernd Porr +- * Updated: 10 Oct 2014 ++ * Updated: 16 Nov 2019 + * Status: stable + */ + +@@ -22,6 +22,7 @@ + * + * + * Revision history: ++ * 1.0: Fixed a rounding error in usbduxfast_ai_cmdtest + * 0.9: Dropping the first data packet which seems to be from the last transfer. + * Buffer overflows in the FX2 are handed over to comedi. + * 0.92: Dropping now 4 packets. The quad buffer has to be emptied. +@@ -350,6 +351,7 @@ static int usbduxfast_ai_cmdtest(struct + struct comedi_cmd *cmd) + { + int err = 0; ++ int err2 = 0; + unsigned int steps; + unsigned int arg; + +@@ -399,11 +401,16 @@ static int usbduxfast_ai_cmdtest(struct + */ + steps = (cmd->convert_arg * 30) / 1000; + if (cmd->chanlist_len != 1) +- err |= comedi_check_trigger_arg_min(&steps, +- MIN_SAMPLING_PERIOD); +- err |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD); +- arg = (steps * 1000) / 30; +- err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg); ++ err2 |= comedi_check_trigger_arg_min(&steps, ++ MIN_SAMPLING_PERIOD); ++ else ++ err2 |= comedi_check_trigger_arg_min(&steps, 1); ++ err2 |= comedi_check_trigger_arg_max(&steps, MAX_SAMPLING_PERIOD); ++ if (err2) { ++ err |= err2; ++ arg = (steps * 1000) / 30; ++ err |= comedi_check_trigger_arg_is(&cmd->convert_arg, arg); ++ } + + if (cmd->stop_src == TRIG_COUNT) + err |= comedi_check_trigger_arg_min(&cmd->stop_arg, 1); diff --git a/queue-4.19/usb-chaoskey-fix-error-case-of-a-timeout.patch b/queue-4.19/usb-chaoskey-fix-error-case-of-a-timeout.patch new file mode 100644 index 00000000000..13f11c74724 --- /dev/null +++ b/queue-4.19/usb-chaoskey-fix-error-case-of-a-timeout.patch @@ -0,0 +1,68 @@ +From 92aa5986f4f7b5a8bf282ca0f50967f4326559f5 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 7 Nov 2019 15:28:55 +0100 +Subject: USB: chaoskey: fix error case of a timeout + +From: Oliver Neukum + +commit 92aa5986f4f7b5a8bf282ca0f50967f4326559f5 upstream. + +In case of a timeout or if a signal aborts a read +communication with the device needs to be ended +lest we overwrite an active URB the next time we +do IO to the device, as the URB may still be active. + +Signed-off-by: Oliver Neukum +Cc: stable +Link: https://lore.kernel.org/r/20191107142856.16774-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/chaoskey.c | 24 +++++++++++++++++++++--- + 1 file changed, 21 insertions(+), 3 deletions(-) + +--- a/drivers/usb/misc/chaoskey.c ++++ b/drivers/usb/misc/chaoskey.c +@@ -384,13 +384,17 @@ static int _chaoskey_fill(struct chaoske + !dev->reading, + (started ? NAK_TIMEOUT : ALEA_FIRST_TIMEOUT) ); + +- if (result < 0) ++ if (result < 0) { ++ usb_kill_urb(dev->urb); + goto out; ++ } + +- if (result == 0) ++ if (result == 0) { + result = -ETIMEDOUT; +- else ++ usb_kill_urb(dev->urb); ++ } else { + result = dev->valid; ++ } + out: + /* Let the device go back to sleep eventually */ + usb_autopm_put_interface(dev->interface); +@@ -526,7 +530,21 @@ static int chaoskey_suspend(struct usb_i + + static int chaoskey_resume(struct usb_interface *interface) + { ++ struct chaoskey *dev; ++ struct usb_device *udev = interface_to_usbdev(interface); ++ + usb_dbg(interface, "resume"); ++ dev = usb_get_intfdata(interface); ++ ++ /* ++ * We may have lost power. ++ * In that case the device that needs a long time ++ * for the first requests needs an extended timeout ++ * again ++ */ ++ if (le16_to_cpu(udev->descriptor.idVendor) == ALEA_VENDOR_ID) ++ dev->reads_started = false; ++ + return 0; + } + #else diff --git a/queue-4.19/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch b/queue-4.19/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch new file mode 100644 index 00000000000..d6eedc63ca6 --- /dev/null +++ b/queue-4.19/usb-serial-cp201x-support-mark-10-digital-force-gauge.patch @@ -0,0 +1,34 @@ +From 347bc8cb26388791c5881a3775cb14a3f765a674 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Mon, 18 Nov 2019 10:21:19 +0100 +Subject: usb-serial: cp201x: support Mark-10 digital force gauge + +From: Greg Kroah-Hartman + +commit 347bc8cb26388791c5881a3775cb14a3f765a674 upstream. + +Add support for the Mark-10 digital force gauge device to the cp201x +driver. + +Based on a report and a larger patch from Joel Jennings + +Reported-by: Joel Jennings +Cc: stable +Acked-by: Johan Hovold +Link: https://lore.kernel.org/r/20191118092119.GA153852@kroah.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -125,6 +125,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x10C4, 0x8341) }, /* Siemens MC35PU GPRS Modem */ + { USB_DEVICE(0x10C4, 0x8382) }, /* Cygnal Integrated Products, Inc. */ + { USB_DEVICE(0x10C4, 0x83A8) }, /* Amber Wireless AMB2560 */ ++ { USB_DEVICE(0x10C4, 0x83AA) }, /* Mark-10 Digital Force Gauge */ + { USB_DEVICE(0x10C4, 0x83D8) }, /* DekTec DTA Plus VHF/UHF Booster/Attenuator */ + { USB_DEVICE(0x10C4, 0x8411) }, /* Kyocera GPS Module */ + { USB_DEVICE(0x10C4, 0x8418) }, /* IRZ Automation Teleport SG-10 GSM/GPRS Modem */ diff --git a/queue-4.19/usb-serial-mos7720-fix-remote-wakeup.patch b/queue-4.19/usb-serial-mos7720-fix-remote-wakeup.patch new file mode 100644 index 00000000000..462ddeeee3d --- /dev/null +++ b/queue-4.19/usb-serial-mos7720-fix-remote-wakeup.patch @@ -0,0 +1,40 @@ +From ea422312a462696093b5db59d294439796cba4ad Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 7 Nov 2019 14:21:18 +0100 +Subject: USB: serial: mos7720: fix remote wakeup + +From: Johan Hovold + +commit ea422312a462696093b5db59d294439796cba4ad upstream. + +The driver was setting the device remote-wakeup feature during probe in +violation of the USB specification (which says it should only be set +just prior to suspending the device). This could potentially waste +power during suspend as well as lead to spurious wakeups. + +Note that USB core would clear the remote-wakeup feature at first +resume. + +Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") +Cc: stable # 2.6.19 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7720.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -1894,10 +1894,6 @@ static int mos7720_startup(struct usb_se + product = le16_to_cpu(serial->dev->descriptor.idProduct); + dev = serial->dev; + +- /* setting configuration feature to one */ +- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), +- (__u8)0x03, 0x00, 0x01, 0x00, NULL, 0x00, 5000); +- + if (product == MOSCHIP_DEVICE_ID_7715) { + struct urb *urb = serial->port[0]->interrupt_in_urb; + diff --git a/queue-4.19/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch b/queue-4.19/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch new file mode 100644 index 00000000000..41b4c67096d --- /dev/null +++ b/queue-4.19/usb-serial-mos7840-add-usb-id-to-support-moxa-uport-2210.patch @@ -0,0 +1,72 @@ +From e696d00e65e81d46e911f24b12e441037bf11b38 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pavel=20L=C3=B6bl?= +Date: Fri, 1 Nov 2019 08:01:50 +0100 +Subject: USB: serial: mos7840: add USB ID to support Moxa UPort 2210 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pavel Löbl + +commit e696d00e65e81d46e911f24b12e441037bf11b38 upstream. + +Add USB ID for MOXA UPort 2210. This device contains mos7820 but +it passes GPIO0 check implemented by driver and it's detected as +mos7840. Hence product id check is added to force mos7820 mode. + +Signed-off-by: Pavel Löbl +Cc: stable +[ johan: rename id defines and add vendor-id check ] +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7840.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -118,11 +118,15 @@ + /* This driver also supports + * ATEN UC2324 device using Moschip MCS7840 + * ATEN UC2322 device using Moschip MCS7820 ++ * MOXA UPort 2210 device using Moschip MCS7820 + */ + #define USB_VENDOR_ID_ATENINTL 0x0557 + #define ATENINTL_DEVICE_ID_UC2324 0x2011 + #define ATENINTL_DEVICE_ID_UC2322 0x7820 + ++#define USB_VENDOR_ID_MOXA 0x110a ++#define MOXA_DEVICE_ID_2210 0x2210 ++ + /* Interrupt Routine Defines */ + + #define SERIAL_IIR_RLS 0x06 +@@ -193,6 +197,7 @@ static const struct usb_device_id id_tab + {USB_DEVICE(USB_VENDOR_ID_BANDB, BANDB_DEVICE_ID_USOPTL2_4)}, + {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2324)}, + {USB_DEVICE(USB_VENDOR_ID_ATENINTL, ATENINTL_DEVICE_ID_UC2322)}, ++ {USB_DEVICE(USB_VENDOR_ID_MOXA, MOXA_DEVICE_ID_2210)}, + {} /* terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, id_table); +@@ -2053,6 +2058,7 @@ static int mos7840_probe(struct usb_seri + const struct usb_device_id *id) + { + u16 product = le16_to_cpu(serial->dev->descriptor.idProduct); ++ u16 vid = le16_to_cpu(serial->dev->descriptor.idVendor); + u8 *buf; + int device_type; + +@@ -2062,6 +2068,11 @@ static int mos7840_probe(struct usb_seri + goto out; + } + ++ if (vid == USB_VENDOR_ID_MOXA && product == MOXA_DEVICE_ID_2210) { ++ device_type = MOSCHIP_DEVICE_ID_7820; ++ goto out; ++ } ++ + buf = kzalloc(VENDOR_READ_LENGTH, GFP_KERNEL); + if (!buf) + return -ENOMEM; diff --git a/queue-4.19/usb-serial-mos7840-fix-remote-wakeup.patch b/queue-4.19/usb-serial-mos7840-fix-remote-wakeup.patch new file mode 100644 index 00000000000..201e5452067 --- /dev/null +++ b/queue-4.19/usb-serial-mos7840-fix-remote-wakeup.patch @@ -0,0 +1,41 @@ +From 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 7 Nov 2019 14:21:19 +0100 +Subject: USB: serial: mos7840: fix remote wakeup + +From: Johan Hovold + +commit 92fe35fb9c70a00d8fbbf5bd6172c921dd9c7815 upstream. + +The driver was setting the device remote-wakeup feature during probe in +violation of the USB specification (which says it should only be set +just prior to suspending the device). This could potentially waste +power during suspend as well as lead to spurious wakeups. + +Note that USB core would clear the remote-wakeup feature at first +resume. + +Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") +Cc: stable # 2.6.19 +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7840.c | 5 ----- + 1 file changed, 5 deletions(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -2325,11 +2325,6 @@ out: + goto error; + } else + dev_dbg(&port->dev, "ZLP_REG5 Writing success status%d\n", status); +- +- /* setting configuration feature to one */ +- usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), +- 0x03, 0x00, 0x01, 0x00, NULL, 0x00, +- MOS_WDR_TIMEOUT); + } + return 0; + error: diff --git a/queue-4.19/usb-serial-option-add-support-for-dw5821e-with-esim-support.patch b/queue-4.19/usb-serial-option-add-support-for-dw5821e-with-esim-support.patch new file mode 100644 index 00000000000..c0d2fbbfc3f --- /dev/null +++ b/queue-4.19/usb-serial-option-add-support-for-dw5821e-with-esim-support.patch @@ -0,0 +1,66 @@ +From 957c31ea082e3fe5196f46d5b04018b10de47400 Mon Sep 17 00:00:00 2001 +From: Aleksander Morgado +Date: Thu, 7 Nov 2019 11:55:08 +0100 +Subject: USB: serial: option: add support for DW5821e with eSIM support + +From: Aleksander Morgado + +commit 957c31ea082e3fe5196f46d5b04018b10de47400 upstream. + +The device exposes AT, NMEA and DIAG ports in both USB configurations. +Exactly same layout as the default DW5821e module, just a different +vid/pid. + +P: Vendor=413c ProdID=81e0 Rev=03.18 +S: Manufacturer=Dell Inc. +S: Product=DW5821e-eSIM Snapdragon X20 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option + +P: Vendor=413c ProdID=81e0 Rev=03.18 +S: Manufacturer=Dell Inc. +S: Product=DW5821e-eSIM Snapdragon X20 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) + +Signed-off-by: Aleksander Morgado +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -197,6 +197,7 @@ static void option_instat_callback(struc + #define DELL_PRODUCT_5804_MINICARD_ATT 0x819b /* Novatel E371 */ + + #define DELL_PRODUCT_5821E 0x81d7 ++#define DELL_PRODUCT_5821E_ESIM 0x81e0 + + #define KYOCERA_VENDOR_ID 0x0c88 + #define KYOCERA_PRODUCT_KPC650 0x17da +@@ -1044,6 +1045,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(DELL_VENDOR_ID, DELL_PRODUCT_5804_MINICARD_ATT, 0xff, 0xff, 0xff) }, + { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E), + .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, ++ { USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5821E_ESIM), ++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */ + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) }, + { USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) }, diff --git a/queue-4.19/usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch b/queue-4.19/usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch new file mode 100644 index 00000000000..a3c4fcbf34e --- /dev/null +++ b/queue-4.19/usb-serial-option-add-support-for-foxconn-t77w968-lte-modules.patch @@ -0,0 +1,61 @@ +From f0797095423e6ea3b4be61134ee353c7f504d440 Mon Sep 17 00:00:00 2001 +From: Aleksander Morgado +Date: Wed, 13 Nov 2019 11:14:05 +0100 +Subject: USB: serial: option: add support for Foxconn T77W968 LTE modules + +From: Aleksander Morgado + +commit f0797095423e6ea3b4be61134ee353c7f504d440 upstream. + +These are the Foxconn-branded variants of the Dell DW5821e modules, +same USB layout as those. The device exposes AT, NMEA and DIAG ports +in both USB configurations. + +P: Vendor=0489 ProdID=e0b4 Rev=03.18 +S: Manufacturer=FII +S: Product=T77W968 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +I: If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID ) Sub=00 Prot=00 Driver=usbhid +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option + +P: Vendor=0489 ProdID=e0b4 Rev=03.18 +S: Manufacturer=FII +S: Product=T77W968 LTE +S: SerialNumber=0123456789ABCDEF +C: #Ifs= 7 Cfg#= 2 Atr=a0 MxPwr=500mA +I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim +I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim +I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +I: If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +I: If#=0x6 Alt= 0 #EPs= 1 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) + +Signed-off-by: Aleksander Morgado +[ johan: drop id defines ] +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1993,6 +1993,10 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x13) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x14) }, + { USB_DEVICE_AND_INTERFACE_INFO(0x03f0, 0xa31d, 0xff, 0x06, 0x1b) }, ++ { USB_DEVICE(0x0489, 0xe0b4), /* Foxconn T77W968 */ ++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, ++ { USB_DEVICE(0x0489, 0xe0b5), /* Foxconn T77W968 ESIM */ ++ .driver_info = RSVD(0) | RSVD(1) | RSVD(6) }, + { USB_DEVICE(0x1508, 0x1001), /* Fibocom NL668 */ + .driver_info = RSVD(4) | RSVD(5) | RSVD(6) }, + { USB_DEVICE(0x2cb7, 0x0104), /* Fibocom NL678 series */ diff --git a/queue-4.19/usbip-add-config-dependency-for-sgl_alloc.patch b/queue-4.19/usbip-add-config-dependency-for-sgl_alloc.patch new file mode 100644 index 00000000000..0349c1330b6 --- /dev/null +++ b/queue-4.19/usbip-add-config-dependency-for-sgl_alloc.patch @@ -0,0 +1,32 @@ +From 1ec13abac58b6f24e32f0d3081ef4e7456e62ed8 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 12 Nov 2019 16:49:39 +0100 +Subject: USBIP: add config dependency for SGL_ALLOC + +From: Oliver Neukum + +commit 1ec13abac58b6f24e32f0d3081ef4e7456e62ed8 upstream. + +USBIP uses lib/scatterlist.h +Hence it needs to set CONFIG_SGL_ALLOC + +Signed-off-by: Oliver Neukum +Cc: stable +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20191112154939.21217-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/usbip/Kconfig ++++ b/drivers/usb/usbip/Kconfig +@@ -2,6 +2,7 @@ config USBIP_CORE + tristate "USB/IP support" + depends on NET + select USB_COMMON ++ select SGL_ALLOC + ---help--- + This enables pushing USB packets over IP to allow remote + machines direct access to USB devices. It provides the diff --git a/queue-4.19/usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch b/queue-4.19/usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch new file mode 100644 index 00000000000..1aa8cf793c7 --- /dev/null +++ b/queue-4.19/usbip-fix-uninitialized-symbol-nents-in-stub_recv_cmd_submit.patch @@ -0,0 +1,118 @@ +From 2a9125317b247f2cf35c196f968906dcf062ae2d Mon Sep 17 00:00:00 2001 +From: Suwan Kim +Date: Mon, 11 Nov 2019 23:10:35 +0900 +Subject: usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Suwan Kim + +commit 2a9125317b247f2cf35c196f968906dcf062ae2d upstream. + +Smatch reported that nents is not initialized and used in +stub_recv_cmd_submit(). nents is currently initialized by sgl_alloc() +and used to allocate multiple URBs when host controller doesn't +support scatter-gather DMA. The use of uninitialized nents means that +buf_len is zero and use_sg is true. But buffer length should not be +zero when an URB uses scatter-gather DMA. + +To prevent this situation, add the conditional that checks buf_len +and use_sg. And move the use of nents right after the sgl_alloc() to +avoid the use of uninitialized nents. + +If the error occurs, it adds SDEV_EVENT_ERROR_MALLOC and stub_priv +will be released by stub event handler and connection will be shut +down. + +Fixes: ea44d190764b ("usbip: Implement SG support to vhci-hcd and stub driver") +Reported-by: kbuild test robot +Reported-by: Dan Carpenter +Signed-off-by: Suwan Kim +Acked-by: Shuah Khan +Cc: stable +Link: https://lore.kernel.org/r/20191111141035.27788-1-suwan.kim027@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/usbip/stub_rx.c | 50 ++++++++++++++++++++++++++++---------------- + 1 file changed, 32 insertions(+), 18 deletions(-) + +--- a/drivers/usb/usbip/stub_rx.c ++++ b/drivers/usb/usbip/stub_rx.c +@@ -470,18 +470,50 @@ static void stub_recv_cmd_submit(struct + if (pipe == -1) + return; + ++ /* ++ * Smatch reported the error case where use_sg is true and buf_len is 0. ++ * In this case, It adds SDEV_EVENT_ERROR_MALLOC and stub_priv will be ++ * released by stub event handler and connection will be shut down. ++ */ + priv = stub_priv_alloc(sdev, pdu); + if (!priv) + return; + + buf_len = (unsigned long long)pdu->u.cmd_submit.transfer_buffer_length; + ++ if (use_sg && !buf_len) { ++ dev_err(&udev->dev, "sg buffer with zero length\n"); ++ goto err_malloc; ++ } ++ + /* allocate urb transfer buffer, if needed */ + if (buf_len) { + if (use_sg) { + sgl = sgl_alloc(buf_len, GFP_KERNEL, &nents); + if (!sgl) + goto err_malloc; ++ ++ /* Check if the server's HCD supports SG */ ++ if (!udev->bus->sg_tablesize) { ++ /* ++ * If the server's HCD doesn't support SG, break ++ * a single SG request into several URBs and map ++ * each SG list entry to corresponding URB ++ * buffer. The previously allocated SG list is ++ * stored in priv->sgl (If the server's HCD ++ * support SG, SG list is stored only in ++ * urb->sg) and it is used as an indicator that ++ * the server split single SG request into ++ * several URBs. Later, priv->sgl is used by ++ * stub_complete() and stub_send_ret_submit() to ++ * reassemble the divied URBs. ++ */ ++ support_sg = 0; ++ num_urbs = nents; ++ priv->completed_urbs = 0; ++ pdu->u.cmd_submit.transfer_flags &= ++ ~URB_DMA_MAP_SG; ++ } + } else { + buffer = kzalloc(buf_len, GFP_KERNEL); + if (!buffer) +@@ -489,24 +521,6 @@ static void stub_recv_cmd_submit(struct + } + } + +- /* Check if the server's HCD supports SG */ +- if (use_sg && !udev->bus->sg_tablesize) { +- /* +- * If the server's HCD doesn't support SG, break a single SG +- * request into several URBs and map each SG list entry to +- * corresponding URB buffer. The previously allocated SG +- * list is stored in priv->sgl (If the server's HCD support SG, +- * SG list is stored only in urb->sg) and it is used as an +- * indicator that the server split single SG request into +- * several URBs. Later, priv->sgl is used by stub_complete() and +- * stub_send_ret_submit() to reassemble the divied URBs. +- */ +- support_sg = 0; +- num_urbs = nents; +- priv->completed_urbs = 0; +- pdu->u.cmd_submit.transfer_flags &= ~URB_DMA_MAP_SG; +- } +- + /* allocate urb array */ + priv->num_urbs = num_urbs; + priv->urbs = kmalloc_array(num_urbs, sizeof(*priv->urbs), GFP_KERNEL); diff --git a/queue-4.19/usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch b/queue-4.19/usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch new file mode 100644 index 00000000000..609a6472559 --- /dev/null +++ b/queue-4.19/usbip-tools-fix-fd-leakage-in-the-function-of-read_attr_usbip_status.patch @@ -0,0 +1,32 @@ +From 26a4d4c00f85cb844dd11dd35e848b079c2f5e8f Mon Sep 17 00:00:00 2001 +From: Hewenliang +Date: Fri, 25 Oct 2019 00:35:15 -0400 +Subject: usbip: tools: fix fd leakage in the function of read_attr_usbip_status + +From: Hewenliang + +commit 26a4d4c00f85cb844dd11dd35e848b079c2f5e8f upstream. + +We should close the fd before the return of read_attr_usbip_status. + +Fixes: 3391ba0e2792 ("usbip: tools: Extract generic code to be shared with vudc backend") +Signed-off-by: Hewenliang +Cc: stable +Link: https://lore.kernel.org/r/20191025043515.20053-1-hewenliang4@huawei.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/usb/usbip/libsrc/usbip_host_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/usb/usbip/libsrc/usbip_host_common.c ++++ b/tools/usb/usbip/libsrc/usbip_host_common.c +@@ -69,7 +69,7 @@ static int32_t read_attr_usbip_status(st + } + + value = atoi(status); +- ++ close(fd); + return value; + } + -- 2.47.3