From f4825980e868f5cce084ae13c60568c0b4e277ba Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 1 Mar 2021 11:48:59 +0100 Subject: [PATCH] 4.14-stable patches added patches: acpi-configfs-add-missing-check-after-configfs_register_default_group.patch acpi-property-fix-fwnode-string-properties-matching.patch alsa-hda-realtek-modify-eapd-in-the-alc886.patch blk-settings-align-max_sectors-on-logical_block_size-boundary.patch btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch crypto-sun4i-ss-handle-bigendian-for-cipher.patch crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch input-joydev-prevent-potential-read-overflow-in-ioctl.patch input-raydium_ts_i2c-do-not-send-zero-length.patch input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch keys-trusted-fix-migratable-1-failing.patch seccomp-add-missing-return-in-non-void-function.patch staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch usb-serial-mos7720-fix-error-code-in-mos7720_write.patch usb-serial-mos7840-fix-error-code-in-mos7840_write.patch usb-serial-option-update-interface-mapping-for-zte-p685m.patch --- ...fter-configfs_register_default_group.patch | 53 +++++++ ...ix-fwnode-string-properties-matching.patch | 146 ++++++++++++++++++ ...da-realtek-modify-eapd-in-the-alc886.patch | 54 +++++++ ...ctors-on-logical_block_size-boundary.patch | 68 ++++++++ ...e-fail-to-inc-ref-in-btrfs_copy_root.patch | 56 +++++++ ...-buffer-leak-on-failure-to-copy-root.patch | 37 +++++ ...k-with-0-ref-reloc-roots-on-recovery.patch | 48 ++++++ ...checking-sg-length-is-not-sufficient.patch | 40 +++++ ...sun4i-ss-handle-bigendian-for-cipher.patch | 57 +++++++ ...egister-does-not-work-on-a10-and-a13.patch | 101 ++++++++++++ ...ig-queue-size-in-qp_host_alloc_queue.patch | 50 ++++++ ...erwrite-the-touch_max-value-from-hid.patch | 67 ++++++++ ...asus-zenbook-flip-to-noselftest-list.patch | 41 +++++ ...ent-potential-read-overflow-in-ioctl.patch | 53 +++++++ ...ydium_ts_i2c-do-not-send-zero-length.patch | 40 +++++ ...wired-controller-for-xbox-series-x-s.patch | 31 ++++ ...eys-trusted-fix-migratable-1-failing.patch | 46 ++++++ ...-missing-return-in-non-void-function.patch | 34 ++++ queue-4.14/series | 26 ++++ ...-edimax-ew-7811un-v2-to-device-table.patch | 30 ++++ ...ity-for-correct-locality-acquisition.patch | 41 +++++ ...dep-interval-for-fullspeed-interrupt.patch | 41 +++++ ...t-fix-setting-of-depcfg.binterval_m1.patch | 43 ++++++ ...me-pm-race-in-musb_queue_resume_work.patch | 88 +++++++++++ ...7720-fix-error-code-in-mos7720_write.patch | 35 +++++ ...7840-fix-error-code-in-mos7840_write.patch | 34 ++++ ...date-interface-mapping-for-zte-p685m.patch | 78 ++++++++++ 27 files changed, 1438 insertions(+) create mode 100644 queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch create mode 100644 queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch create mode 100644 queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch create mode 100644 queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch create mode 100644 queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch create mode 100644 queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch create mode 100644 queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch create mode 100644 queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch create mode 100644 queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch create mode 100644 queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch create mode 100644 queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch create mode 100644 queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch create mode 100644 queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch create mode 100644 queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch create mode 100644 queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch create mode 100644 queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch create mode 100644 queue-4.14/keys-trusted-fix-migratable-1-failing.patch create mode 100644 queue-4.14/seccomp-add-missing-return-in-non-void-function.patch create mode 100644 queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch create mode 100644 queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch create mode 100644 queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch create mode 100644 queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch create mode 100644 queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch create mode 100644 queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch create mode 100644 queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch create mode 100644 queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch diff --git a/queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch b/queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch new file mode 100644 index 00000000000..eef43dbea5f --- /dev/null +++ b/queue-4.14/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch @@ -0,0 +1,53 @@ +From 67e40054de86aae520ddc2a072d7f6951812a14f Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Fri, 15 Jan 2021 10:22:50 +0800 +Subject: ACPI: configfs: add missing check after configfs_register_default_group() + +From: Qinglang Miao + +commit 67e40054de86aae520ddc2a072d7f6951812a14f upstream. + +A list_add corruption is reported by Hulk Robot like this: +============== +list_add corruption. +Call Trace: +link_obj+0xc0/0x1c0 +link_group+0x21/0x140 +configfs_register_subsystem+0xdb/0x380 +acpi_configfs_init+0x25/0x1000 [acpi_configfs] +do_one_initcall+0x149/0x820 +do_init_module+0x1ef/0x720 +load_module+0x35c8/0x4380 +__do_sys_finit_module+0x10d/0x1a0 +do_syscall_64+0x34/0x80 + +It's because of the missing check after configfs_register_default_group, +where configfs_unregister_subsystem should be called once failure. + +Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs") +Reported-by: Hulk Robot +Suggested-by: Hanjun Guo +Signed-off-by: Qinglang Miao +Cc: 4.10+ # 4.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_configfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_configfs.c ++++ b/drivers/acpi/acpi_configfs.c +@@ -269,7 +269,12 @@ static int __init acpi_configfs_init(voi + + acpi_table_group = configfs_register_default_group(root, "table", + &acpi_tables_type); +- return PTR_ERR_OR_ZERO(acpi_table_group); ++ if (IS_ERR(acpi_table_group)) { ++ configfs_unregister_subsystem(&acpi_configfs); ++ return PTR_ERR(acpi_table_group); ++ } ++ ++ return 0; + } + module_init(acpi_configfs_init); + diff --git a/queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch b/queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch new file mode 100644 index 00000000000..82dd5865b02 --- /dev/null +++ b/queue-4.14/acpi-property-fix-fwnode-string-properties-matching.patch @@ -0,0 +1,146 @@ +From e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 11 Feb 2021 19:30:01 +0100 +Subject: ACPI: property: Fix fwnode string properties matching + +From: Rafael J. Wysocki + +commit e1e6bd2995ac0e1ad0c2a2d906a06f59ce2ed293 upstream. + +Property matching does not work for ACPI fwnodes if the value of the +given property is not represented as a package in the _DSD package +containing it. For example, the "compatible" property in the _DSD +below + + Name (_DSD, Package () { + ToUUID("daffd814-6eba-4d8c-8a91-bc9bbf4aa301"), + Package () { + Package () {"compatible", "ethernet-phy-ieee802.3-c45"} + } + }) + +will not be found by fwnode_property_match_string(), because the ACPI +code handling device properties does not regard the single value as a +"list" in that case. + +Namely, fwnode_property_match_string() invoked to match a given +string property value first calls fwnode_property_read_string_array() +with the last two arguments equal to NULL and 0, respectively, in +order to count the items in the value of the given property, with the +assumption that this value may be an array. For ACPI fwnodes, that +operation is carried out by acpi_node_prop_read() which calls +acpi_data_prop_read() for this purpose. However, when the return +(val) pointer is NULL, that function only looks for a property whose +value is a package without checking the single-value case at all. + +To fix that, make acpi_data_prop_read() check the single-value +case if its return pointer argument is NULL and modify +acpi_data_prop_read_single() handling that case to attempt to +read the value of the property if the return pointer is NULL +and return 1 if that succeeds. + +Fixes: 3708184afc77 ("device property: Move FW type specific functionality to FW specific files") +Reported-by: Calvin Johnson +Cc: 4.13+ # 4.13+ +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Sakari Ailus +Reviewed-by: Mika Westerberg +Reviewed-by: Andy Shevchenko +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/property.c | 44 +++++++++++++++++++++++++++++++++----------- + 1 file changed, 33 insertions(+), 11 deletions(-) + +--- a/drivers/acpi/property.c ++++ b/drivers/acpi/property.c +@@ -688,9 +688,6 @@ static int acpi_data_prop_read_single(co + const union acpi_object *obj; + int ret; + +- if (!val) +- return -EINVAL; +- + if (proptype >= DEV_PROP_U8 && proptype <= DEV_PROP_U64) { + ret = acpi_data_get_property(data, propname, ACPI_TYPE_INTEGER, &obj); + if (ret) +@@ -700,28 +697,43 @@ static int acpi_data_prop_read_single(co + case DEV_PROP_U8: + if (obj->integer.value > U8_MAX) + return -EOVERFLOW; +- *(u8 *)val = obj->integer.value; ++ ++ if (val) ++ *(u8 *)val = obj->integer.value; ++ + break; + case DEV_PROP_U16: + if (obj->integer.value > U16_MAX) + return -EOVERFLOW; +- *(u16 *)val = obj->integer.value; ++ ++ if (val) ++ *(u16 *)val = obj->integer.value; ++ + break; + case DEV_PROP_U32: + if (obj->integer.value > U32_MAX) + return -EOVERFLOW; +- *(u32 *)val = obj->integer.value; ++ ++ if (val) ++ *(u32 *)val = obj->integer.value; ++ + break; + default: +- *(u64 *)val = obj->integer.value; ++ if (val) ++ *(u64 *)val = obj->integer.value; ++ + break; + } ++ ++ if (!val) ++ return 1; + } else if (proptype == DEV_PROP_STRING) { + ret = acpi_data_get_property(data, propname, ACPI_TYPE_STRING, &obj); + if (ret) + return ret; + +- *(char **)val = obj->string.pointer; ++ if (val) ++ *(char **)val = obj->string.pointer; + + return 1; + } else { +@@ -735,7 +747,7 @@ int acpi_dev_prop_read_single(struct acp + { + int ret; + +- if (!adev) ++ if (!adev || !val) + return -EINVAL; + + ret = acpi_data_prop_read_single(&adev->data, propname, proptype, val); +@@ -829,10 +841,20 @@ static int acpi_data_prop_read(const str + const union acpi_object *items; + int ret; + +- if (val && nval == 1) { ++ if (nval == 1 || !val) { + ret = acpi_data_prop_read_single(data, propname, proptype, val); +- if (ret >= 0) ++ /* ++ * The overflow error means that the property is there and it is ++ * single-value, but its type does not match, so return. ++ */ ++ if (ret >= 0 || ret == -EOVERFLOW) + return ret; ++ ++ /* ++ * Reading this property as a single-value one failed, but its ++ * value may still be represented as one-element array, so ++ * continue. ++ */ + } + + ret = acpi_data_get_property_array(data, propname, ACPI_TYPE_ANY, &obj); diff --git a/queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch b/queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch new file mode 100644 index 00000000000..e401f5b0ffd --- /dev/null +++ b/queue-4.14/alsa-hda-realtek-modify-eapd-in-the-alc886.patch @@ -0,0 +1,54 @@ +From 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 Mon Sep 17 00:00:00 2001 +From: PeiSen Hou +Date: Tue, 2 Feb 2021 10:30:22 +0100 +Subject: ALSA: hda/realtek: modify EAPD in the ALC886 + +From: PeiSen Hou + +commit 4841b8e6318a7f0ae57c4e5ec09032ea057c97a8 upstream. + +Modify 0x20 index 7 bit 5 to 1, make the 0x15 EAPD the same as 0x14. + +Signed-off-by: PeiSen Hou +Cc: +Link: https://lore.kernel.org/r/e62c5058957f48d8b8953e97135ff108@realtek.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1792,6 +1792,7 @@ enum { + ALC889_FIXUP_FRONT_HP_NO_PRESENCE, + ALC889_FIXUP_VAIO_TT, + ALC888_FIXUP_EEE1601, ++ ALC886_FIXUP_EAPD, + ALC882_FIXUP_EAPD, + ALC883_FIXUP_EAPD, + ALC883_FIXUP_ACER_EAPD, +@@ -2100,6 +2101,15 @@ static const struct hda_fixup alc882_fix + { } + } + }, ++ [ALC886_FIXUP_EAPD] = { ++ .type = HDA_FIXUP_VERBS, ++ .v.verbs = (const struct hda_verb[]) { ++ /* change to EAPD mode */ ++ { 0x20, AC_VERB_SET_COEF_INDEX, 0x07 }, ++ { 0x20, AC_VERB_SET_PROC_COEF, 0x0068 }, ++ { } ++ } ++ }, + [ALC882_FIXUP_EAPD] = { + .type = HDA_FIXUP_VERBS, + .v.verbs = (const struct hda_verb[]) { +@@ -2340,6 +2350,7 @@ static const struct snd_pci_quirk alc882 + SND_PCI_QUIRK(0x106b, 0x4a00, "Macbook 5,2", ALC889_FIXUP_MBA11_VREF), + + SND_PCI_QUIRK(0x1071, 0x8258, "Evesham Voyaeger", ALC882_FIXUP_EAPD), ++ SND_PCI_QUIRK(0x13fe, 0x1009, "Advantech MIT-W101", ALC886_FIXUP_EAPD), + SND_PCI_QUIRK(0x1458, 0xa002, "Gigabyte EP45-DS3/Z87X-UD3H", ALC889_FIXUP_FRONT_HP_NO_PRESENCE), + SND_PCI_QUIRK(0x1458, 0xa0b8, "Gigabyte AZ370-Gaming", ALC1220_FIXUP_GB_DUAL_CODECS), + SND_PCI_QUIRK(0x1462, 0x7350, "MSI-7350", ALC889_FIXUP_CD), diff --git a/queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch b/queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch new file mode 100644 index 00000000000..59ced2e3a63 --- /dev/null +++ b/queue-4.14/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch @@ -0,0 +1,68 @@ +From 97f433c3601a24d3513d06f575a389a2ca4e11e4 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 23 Feb 2021 19:25:30 -0700 +Subject: blk-settings: align max_sectors on "logical_block_size" boundary + +From: Mikulas Patocka + +commit 97f433c3601a24d3513d06f575a389a2ca4e11e4 upstream. + +We get I/O errors when we run md-raid1 on the top of dm-integrity on the +top of ramdisk. +device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 +device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8048, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8147, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8246, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8345, 0xbb + +The ramdisk device has logical_block_size 512 and max_sectors 255. The +dm-integrity device uses logical_block_size 4096 and it doesn't affect the +"max_sectors" value - thus, it inherits 255 from the ramdisk. So, we have +a device with max_sectors not aligned on logical_block_size. + +The md-raid device sees that the underlying leg has max_sectors 255 and it +will split the bios on 255-sector boundary, making the bios unaligned on +logical_block_size. + +In order to fix the bug, we round down max_sectors to logical_block_size. + +Cc: stable@vger.kernel.org +Reviewed-by: Ming Lei +Signed-off-by: Mikulas Patocka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-settings.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -513,6 +513,14 @@ void blk_queue_io_opt(struct request_que + } + EXPORT_SYMBOL(blk_queue_io_opt); + ++static unsigned int blk_round_down_sectors(unsigned int sectors, unsigned int lbs) ++{ ++ sectors = round_down(sectors, lbs >> SECTOR_SHIFT); ++ if (sectors < PAGE_SIZE >> SECTOR_SHIFT) ++ sectors = PAGE_SIZE >> SECTOR_SHIFT; ++ return sectors; ++} ++ + /** + * blk_queue_stack_limits - inherit underlying queue limits for stacked drivers + * @t: the stacking driver (top) +@@ -639,6 +647,10 @@ int blk_stack_limits(struct queue_limits + ret = -1; + } + ++ t->max_sectors = blk_round_down_sectors(t->max_sectors, t->logical_block_size); ++ t->max_hw_sectors = blk_round_down_sectors(t->max_hw_sectors, t->logical_block_size); ++ t->max_dev_sectors = blk_round_down_sectors(t->max_dev_sectors, t->logical_block_size); ++ + /* Discard alignment and granularity */ + if (b->discard_granularity) { + alignment = queue_limit_discard_alignment(b, start); diff --git a/queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch b/queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch new file mode 100644 index 00000000000..1e8d0bd5d04 --- /dev/null +++ b/queue-4.14/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch @@ -0,0 +1,56 @@ +From 867ed321f90d06aaba84e2c91de51cd3038825ef Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 14 Jan 2021 14:02:46 -0500 +Subject: btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root + +From: Josef Bacik + +commit 867ed321f90d06aaba84e2c91de51cd3038825ef upstream. + +While testing my error handling patches, I added a error injection site +at btrfs_inc_extent_ref, to validate the error handling I added was +doing the correct thing. However I hit a pretty ugly corruption while +doing this check, with the following error injection stack trace: + +btrfs_inc_extent_ref + btrfs_copy_root + create_reloc_root + btrfs_init_reloc_root + btrfs_record_root_in_trans + btrfs_start_transaction + btrfs_update_inode + btrfs_update_time + touch_atime + file_accessed + btrfs_file_mmap + +This is because we do not catch the error from btrfs_inc_extent_ref, +which in practice would be ENOMEM, which means we lose the extent +references for a root that has already been allocated and inserted, +which is the problem. Fix this by aborting the transaction if we fail +to do the reference modification. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -282,9 +282,10 @@ int btrfs_copy_root(struct btrfs_trans_h + ret = btrfs_inc_ref(trans, root, cow, 1); + else + ret = btrfs_inc_ref(trans, root, cow, 0); +- +- if (ret) ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); + return ret; ++ } + + btrfs_mark_buffer_dirty(cow); + *cow_ret = cow; diff --git a/queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch b/queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch new file mode 100644 index 00000000000..b6a8ed3522d --- /dev/null +++ b/queue-4.14/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch @@ -0,0 +1,37 @@ +From 72c9925f87c8b74f36f8e75a4cd93d964538d3ca Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 4 Feb 2021 14:35:44 +0000 +Subject: btrfs: fix extent buffer leak on failure to copy root + +From: Filipe Manana + +commit 72c9925f87c8b74f36f8e75a4cd93d964538d3ca upstream. + +At btrfs_copy_root(), if the call to btrfs_inc_ref() fails we end up +returning without unlocking and releasing our reference on the extent +buffer named "cow" we previously allocated with btrfs_alloc_tree_block(). + +So fix that by unlocking the extent buffer and dropping our reference on +it before returning. + +Fixes: be20aa9dbadc8c ("Btrfs: Add mount option to turn off data cow") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -283,6 +283,8 @@ int btrfs_copy_root(struct btrfs_trans_h + else + ret = btrfs_inc_ref(trans, root, cow, 0); + if (ret) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } diff --git a/queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch b/queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch new file mode 100644 index 00000000000..fe26a414068 --- /dev/null +++ b/queue-4.14/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch @@ -0,0 +1,48 @@ +From c78a10aebb275c38d0cfccae129a803fe622e305 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 14 Jan 2021 14:02:42 -0500 +Subject: btrfs: fix reloc root leak with 0 ref reloc roots on recovery + +From: Josef Bacik + +commit c78a10aebb275c38d0cfccae129a803fe622e305 upstream. + +When recovering a relocation, if we run into a reloc root that has 0 +refs we simply add it to the reloc_control->reloc_roots list, and then +clean it up later. The problem with this is __del_reloc_root() doesn't +do anything if the root isn't in the radix tree, which in this case it +won't be because we never call __add_reloc_root() on the reloc_root. + +This exit condition simply isn't correct really. During normal +operation we can remove ourselves from the rb tree and then we're meant +to clean up later at merge_reloc_roots() time, and this happens +correctly. During recovery we're depending on free_reloc_roots() to +drop our references, but we're short-circuiting. + +Fix this by continuing to check if we're on the list and dropping +ourselves from the reloc_control root list and dropping our reference +appropriately. Change the corresponding BUG_ON() to an ASSERT() that +does the correct thing if we aren't in the rb tree. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/relocation.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1344,9 +1344,7 @@ static void __del_reloc_root(struct btrf + RB_CLEAR_NODE(&node->rb_node); + } + spin_unlock(&rc->reloc_root_tree.lock); +- if (!node) +- return; +- BUG_ON((struct btrfs_root *)node->data != root); ++ ASSERT(!node || (struct btrfs_root *)node->data == root); + } + + spin_lock(&fs_info->trans_lock); diff --git a/queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch b/queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch new file mode 100644 index 00000000000..723de82ce20 --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch @@ -0,0 +1,40 @@ +From 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Mon, 14 Dec 2020 20:02:26 +0000 +Subject: crypto: sun4i-ss - checking sg length is not sufficient + +From: Corentin Labbe + +commit 7bdcd851fa7eb66e8922aa7f6cba9e2f2427a7cf upstream. + +The optimized cipher function need length multiple of 4 bytes. +But it get sometimes odd length. +This is due to SG data could be stored with an offset. + +So the fix is to check also if the offset is aligned with 4 bytes. +Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Cc: +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +@@ -189,12 +189,12 @@ static int sun4i_ss_cipher_poll(struct s + * we can use the SS optimized function + */ + while (in_sg && no_chunk == 1) { +- if (in_sg->length % 4) ++ if ((in_sg->length | in_sg->offset) & 3u) + no_chunk = 0; + in_sg = sg_next(in_sg); + } + while (out_sg && no_chunk == 1) { +- if (out_sg->length % 4) ++ if ((out_sg->length | out_sg->offset) & 3u) + no_chunk = 0; + out_sg = sg_next(out_sg); + } diff --git a/queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch b/queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch new file mode 100644 index 00000000000..71fe3627921 --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-handle-bigendian-for-cipher.patch @@ -0,0 +1,57 @@ +From 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Mon, 14 Dec 2020 20:02:28 +0000 +Subject: crypto: sun4i-ss - handle BigEndian for cipher + +From: Corentin Labbe + +commit 5ab6177fa02df15cd8a02a1f1fb361d2d5d8b946 upstream. + +Ciphers produce invalid results on BE. +Key and IV need to be written in LE. + +Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Cc: +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +@@ -63,13 +63,13 @@ static int sun4i_ss_opti_poll(struct skc + + spin_lock_irqsave(&ss->slock, flags); + +- for (i = 0; i < op->keylen; i += 4) +- writel(*(op->key + i / 4), ss->base + SS_KEY0 + i); ++ for (i = 0; i < op->keylen / 4; i++) ++ writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1); + + if (areq->iv) { + for (i = 0; i < 4 && i < ivsize / 4; i++) { + v = *(u32 *)(areq->iv + i * 4); +- writel(v, ss->base + SS_IV0 + i * 4); ++ writesl(ss->base + SS_IV0 + i * 4, &v, 1); + } + } + writel(mode, ss->base + SS_CTL); +@@ -223,13 +223,13 @@ static int sun4i_ss_cipher_poll(struct s + + spin_lock_irqsave(&ss->slock, flags); + +- for (i = 0; i < op->keylen; i += 4) +- writel(*(op->key + i / 4), ss->base + SS_KEY0 + i); ++ for (i = 0; i < op->keylen / 4; i++) ++ writesl(ss->base + SS_KEY0 + i * 4, &op->key[i], 1); + + if (areq->iv) { + for (i = 0; i < 4 && i < ivsize / 4; i++) { + v = *(u32 *)(areq->iv + i * 4); +- writel(v, ss->base + SS_IV0 + i * 4); ++ writesl(ss->base + SS_IV0 + i * 4, &v, 1); + } + } + writel(mode, ss->base + SS_CTL); diff --git a/queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch b/queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch new file mode 100644 index 00000000000..d7b1efe3ffe --- /dev/null +++ b/queue-4.14/crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch @@ -0,0 +1,101 @@ +From b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 Mon Sep 17 00:00:00 2001 +From: Corentin Labbe +Date: Mon, 14 Dec 2020 20:02:27 +0000 +Subject: crypto: sun4i-ss - IV register does not work on A10 and A13 + +From: Corentin Labbe + +commit b756f1c8fc9d84e3f546d7ffe056c5352f4aab05 upstream. + +Allwinner A10 and A13 SoC have a version of the SS which produce +invalid IV in IVx register. + +Instead of adding a variant for those, let's convert SS to produce IV +directly from data. +Fixes: 6298e948215f2 ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator") +Cc: +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/sunxi-ss/sun4i-ss-cipher.c | 34 ++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +--- a/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c ++++ b/drivers/crypto/sunxi-ss/sun4i-ss-cipher.c +@@ -24,6 +24,7 @@ static int sun4i_ss_opti_poll(struct skc + unsigned int ivsize = crypto_skcipher_ivsize(tfm); + struct sun4i_cipher_req_ctx *ctx = skcipher_request_ctx(areq); + u32 mode = ctx->mode; ++ void *backup_iv = NULL; + /* when activating SS, the default FIFO space is SS_RX_DEFAULT(32) */ + u32 rx_cnt = SS_RX_DEFAULT; + u32 tx_cnt = 0; +@@ -53,6 +54,13 @@ static int sun4i_ss_opti_poll(struct skc + return -EINVAL; + } + ++ if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) { ++ backup_iv = kzalloc(ivsize, GFP_KERNEL); ++ if (!backup_iv) ++ return -ENOMEM; ++ scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0); ++ } ++ + spin_lock_irqsave(&ss->slock, flags); + + for (i = 0; i < op->keylen; i += 4) +@@ -126,9 +134,12 @@ static int sun4i_ss_opti_poll(struct skc + } while (oleft); + + if (areq->iv) { +- for (i = 0; i < 4 && i < ivsize / 4; i++) { +- v = readl(ss->base + SS_IV0 + i * 4); +- *(u32 *)(areq->iv + i * 4) = v; ++ if (mode & SS_DECRYPTION) { ++ memcpy(areq->iv, backup_iv, ivsize); ++ kfree_sensitive(backup_iv); ++ } else { ++ scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize, ++ ivsize, 0); + } + } + +@@ -160,6 +171,7 @@ static int sun4i_ss_cipher_poll(struct s + unsigned int ileft = areq->cryptlen; + unsigned int oleft = areq->cryptlen; + unsigned int todo; ++ void *backup_iv = NULL; + struct sg_mapping_iter mi, mo; + unsigned long pi = 0, po = 0; /* progress for in and out */ + bool miter_err; +@@ -202,6 +214,13 @@ static int sun4i_ss_cipher_poll(struct s + if (no_chunk == 1) + return sun4i_ss_opti_poll(areq); + ++ if (areq->iv && ivsize > 0 && mode & SS_DECRYPTION) { ++ backup_iv = kzalloc(ivsize, GFP_KERNEL); ++ if (!backup_iv) ++ return -ENOMEM; ++ scatterwalk_map_and_copy(backup_iv, areq->src, areq->cryptlen - ivsize, ivsize, 0); ++ } ++ + spin_lock_irqsave(&ss->slock, flags); + + for (i = 0; i < op->keylen; i += 4) +@@ -330,9 +349,12 @@ static int sun4i_ss_cipher_poll(struct s + sg_miter_stop(&mo); + } + if (areq->iv) { +- for (i = 0; i < 4 && i < ivsize / 4; i++) { +- v = readl(ss->base + SS_IV0 + i * 4); +- *(u32 *)(areq->iv + i * 4) = v; ++ if (mode & SS_DECRYPTION) { ++ memcpy(areq->iv, backup_iv, ivsize); ++ kfree_sensitive(backup_iv); ++ } else { ++ scatterwalk_map_and_copy(areq->iv, areq->dst, areq->cryptlen - ivsize, ++ ivsize, 0); + } + } + diff --git a/queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch b/queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch new file mode 100644 index 00000000000..4d0627065bc --- /dev/null +++ b/queue-4.14/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch @@ -0,0 +1,50 @@ +From 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Tue, 9 Feb 2021 16:26:12 +0600 +Subject: drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue + +From: Sabyrzhan Tasbolatov + +commit 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e upstream. + +syzbot found WARNING in qp_broker_alloc[1] in qp_host_alloc_queue() +when num_pages is 0x100001, giving queue_size + queue_page_size +bigger than KMALLOC_MAX_SIZE for kzalloc(), resulting order >= MAX_ORDER +condition. + +queue_size + queue_page_size=0x8000d8, where KMALLOC_MAX_SIZE=0x400000. + +[1] +Call Trace: + alloc_pages include/linux/gfp.h:547 [inline] + kmalloc_order+0x40/0x130 mm/slab_common.c:837 + kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853 + kmalloc_large include/linux/slab.h:481 [inline] + __kmalloc+0x257/0x330 mm/slub.c:3959 + kmalloc include/linux/slab.h:557 [inline] + kzalloc include/linux/slab.h:682 [inline] + qp_host_alloc_queue drivers/misc/vmw_vmci/vmci_queue_pair.c:540 [inline] + qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline] + qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739 + +Reported-by: syzbot+15ec7391f3d6a1a7cc7d@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Link: https://lore.kernel.org/r/20210209102612.2112247-1-snovitoll@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -639,6 +639,9 @@ static struct vmci_queue *qp_host_alloc_ + + queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page); + ++ if (queue_size + queue_page_size > KMALLOC_MAX_SIZE) ++ return NULL; ++ + queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL); + if (queue) { + queue->q_header = NULL; diff --git a/queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch b/queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch new file mode 100644 index 00000000000..a9293c5fe76 --- /dev/null +++ b/queue-4.14/hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch @@ -0,0 +1,67 @@ +From 88f38846bfb1a452a3d47e38aeab20a4ceb74294 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Tue, 16 Feb 2021 11:41:54 -0800 +Subject: HID: wacom: Ignore attempts to overwrite the touch_max value from HID + +From: Jason Gerecke + +commit 88f38846bfb1a452a3d47e38aeab20a4ceb74294 upstream. + +The `wacom_feature_mapping` function is careful to only set the the +touch_max value a single time, but this care does not extend to the +`wacom_wac_finger_event` function. In particular, if a device sends +multiple HID_DG_CONTACTMAX items in a single feature report, the +driver will end up retaining the value of last item. + +The HID descriptor for the Cintiq Companion 2 does exactly this. It +incorrectly sets a "Report Count" of 2, which will cause the driver +to process two HID_DG_CONTACTCOUNT items. The first item has the actual +count, while the second item should have been declared as a constant +zero. The constant zero is the value the driver ends up using, however, +since it is the last HID_DG_CONTACTCOUNT in the report. + + Report ID (16), + Usage (Contact Count Maximum), ; Contact count maximum (55h, static value) + Report Count (2), + Logical Maximum (10), + Feature (Variable), + +To address this, we add a check that the touch_max is not already set +within the `wacom_wac_finger_event` function that processes the +HID_DG_TOUCHMAX item. We emit a warning if the value is set and ignore +the updated value. + +This could potentially cause problems if there is a tablet which has +a similar issue but requires the last item to be used. This is unlikely, +however, since it would have to have a different non-zero value for +HID_DG_CONTACTMAX earlier in the same report, which makes no sense +except in the case of a firmware bug. Note that cases where the +HID_DG_CONTACTMAX items are in different reports is already handled +(and similarly ignored) by `wacom_feature_mapping` as mentioned above. + +Link: https://github.com/linuxwacom/input-wacom/issues/223 +Fixes: 184eccd40389 ("HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report") +Signed-off-by: Jason Gerecke +CC: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2452,7 +2452,12 @@ static void wacom_wac_finger_event(struc + wacom_wac->hid_data.tipswitch = value; + break; + case HID_DG_CONTACTMAX: +- features->touch_max = value; ++ if (!features->touch_max) { ++ features->touch_max = value; ++ } else { ++ hid_warn(hdev, "%s: ignoring attempt to overwrite non-zero touch_max " ++ "%d -> %d\n", __func__, features->touch_max, value); ++ } + return; + } + diff --git a/queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch b/queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch new file mode 100644 index 00000000000..bfc9cd89e90 --- /dev/null +++ b/queue-4.14/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch @@ -0,0 +1,41 @@ +From b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 Mon Sep 17 00:00:00 2001 +From: Marcos Paulo de Souza +Date: Fri, 19 Feb 2021 10:37:13 -0800 +Subject: Input: i8042 - add ASUS Zenbook Flip to noselftest list + +From: Marcos Paulo de Souza + +commit b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 upstream. + +After commit 77b425399f6d ("Input: i8042 - use chassis info to skip +selftest on Asus laptops"), all modern Asus laptops have the i8042 +selftest disabled. It has done by using chassys type "10" (laptop). + +The Asus Zenbook Flip suffers from similar suspend/resume issues, but +it _sometimes_ work and sometimes it doesn't. Setting noselftest makes +it work reliably. In this case, we need to add chassis type "31" +(convertible) in order to avoid selftest in this device. + +Reported-by: Ludvig Norgren Guldhag +Signed-off-by: Marcos Paulo de Souza +Link: https://lore.kernel.org/r/20210219164638.761-1-mpdesouza@suse.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-x86ia64io.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -592,6 +592,10 @@ static const struct dmi_system_id i8042_ + DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), + DMI_MATCH(DMI_CHASSIS_TYPE, "10"), /* Notebook */ + }, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */ ++ }, + }, + { } + }; diff --git a/queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch b/queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch new file mode 100644 index 00000000000..f7243aa1c7e --- /dev/null +++ b/queue-4.14/input-joydev-prevent-potential-read-overflow-in-ioctl.patch @@ -0,0 +1,53 @@ +From 182d679b2298d62bf42bb14b12a8067b8e17b617 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 17 Feb 2021 12:21:10 -0800 +Subject: Input: joydev - prevent potential read overflow in ioctl + +From: Dan Carpenter + +commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream. + +The problem here is that "len" might be less than "joydev->nabs" so the +loops which verfy abspam[i] and keypam[] might read beyond the buffer. + +Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda +[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP] +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joydev.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -460,7 +460,7 @@ static int joydev_handle_JSIOCSAXMAP(str + if (IS_ERR(abspam)) + return PTR_ERR(abspam); + +- for (i = 0; i < joydev->nabs; i++) { ++ for (i = 0; i < len && i < joydev->nabs; i++) { + if (abspam[i] > ABS_MAX) { + retval = -EINVAL; + goto out; +@@ -484,6 +484,9 @@ static int joydev_handle_JSIOCSBTNMAP(st + int i; + int retval = 0; + ++ if (len % sizeof(*keypam)) ++ return -EINVAL; ++ + len = min(len, sizeof(joydev->keypam)); + + /* Validate the map. */ +@@ -491,7 +494,7 @@ static int joydev_handle_JSIOCSBTNMAP(st + if (IS_ERR(keypam)) + return PTR_ERR(keypam); + +- for (i = 0; i < joydev->nkey; i++) { ++ for (i = 0; i < (len / 2) && i < joydev->nkey; i++) { + if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) { + retval = -EINVAL; + goto out; diff --git a/queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch b/queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch new file mode 100644 index 00000000000..7c5c9478813 --- /dev/null +++ b/queue-4.14/input-raydium_ts_i2c-do-not-send-zero-length.patch @@ -0,0 +1,40 @@ +From fafd320ae51b9c72d371585b2501f86640ea7b7d Mon Sep 17 00:00:00 2001 +From: "jeffrey.lin" +Date: Tue, 15 Dec 2020 10:50:12 -0800 +Subject: Input: raydium_ts_i2c - do not send zero length + +From: jeffrey.lin + +commit fafd320ae51b9c72d371585b2501f86640ea7b7d upstream. + +Add default write command package to prevent i2c quirk error of zero +data length as Raydium touch firmware update is executed. + +Signed-off-by: jeffrey.lin +Link: https://lore.kernel.org/r/1608031217-7247-1-git-send-email-jeffrey.lin@raydium.corp-partner.google.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/raydium_i2c_ts.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/raydium_i2c_ts.c ++++ b/drivers/input/touchscreen/raydium_i2c_ts.c +@@ -419,6 +419,7 @@ static int raydium_i2c_write_object(stru + enum raydium_bl_ack state) + { + int error; ++ static const u8 cmd[] = { 0xFF, 0x39 }; + + error = raydium_i2c_send(client, RM_CMD_BOOT_WRT, data, len); + if (error) { +@@ -427,7 +428,7 @@ static int raydium_i2c_write_object(stru + return error; + } + +- error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, NULL, 0); ++ error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, cmd, sizeof(cmd)); + if (error) { + dev_err(&client->dev, "Ack obj command failed: %d\n", error); + return error; diff --git a/queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch b/queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch new file mode 100644 index 00000000000..487a3ba2a9b --- /dev/null +++ b/queue-4.14/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch @@ -0,0 +1,31 @@ +From 42ffcd1dba1796bcda386eb6f260df9fc23c90af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Olivier=20Cr=C3=AAte?= +Date: Fri, 5 Feb 2021 11:59:08 -0800 +Subject: Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Crête + +commit 42ffcd1dba1796bcda386eb6f260df9fc23c90af upstream. + +Signed-off-by: Olivier Crête +Link: https://lore.kernel.org/r/20210204005318.615647-1-olivier.crete@collabora.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -322,6 +322,7 @@ static const struct xpad_device { + { 0x1bad, 0xfd00, "Razer Onza TE", 0, XTYPE_XBOX360 }, + { 0x1bad, 0xfd01, "Razer Onza", 0, XTYPE_XBOX360 }, + { 0x20d6, 0x2001, "BDA Xbox Series X Wired Controller", 0, XTYPE_XBOXONE }, ++ { 0x20d6, 0x2009, "PowerA Enhanced Wired Controller for Xbox Series X|S", 0, XTYPE_XBOXONE }, + { 0x20d6, 0x281f, "PowerA Wired Controller For Xbox 360", 0, XTYPE_XBOX360 }, + { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE }, + { 0x24c6, 0x5000, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, diff --git a/queue-4.14/keys-trusted-fix-migratable-1-failing.patch b/queue-4.14/keys-trusted-fix-migratable-1-failing.patch new file mode 100644 index 00000000000..3c2cf366c2e --- /dev/null +++ b/queue-4.14/keys-trusted-fix-migratable-1-failing.patch @@ -0,0 +1,46 @@ +From 8da7520c80468c48f981f0b81fc1be6599e3b0ad Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Fri, 29 Jan 2021 01:56:20 +0200 +Subject: KEYS: trusted: Fix migratable=1 failing + +From: Jarkko Sakkinen + +commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream. + +Consider the following transcript: + +$ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u +add_key: Invalid argument + +The documentation has the following description: + + migratable= 0|1 indicating permission to reseal to new PCR values, + default 1 (resealing allowed) + +The consequence is that "migratable=1" should succeed. Fix this by +allowing this condition to pass instead of return -EINVAL. + +[*] Documentation/security/keys/trusted-encrypted.rst + +Cc: stable@vger.kernel.org +Cc: "James E.J. Bottomley" +Cc: Mimi Zohar +Cc: David Howells +Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/trusted.c ++++ b/security/keys/trusted.c +@@ -797,7 +797,7 @@ static int getoptions(char *c, struct tr + case Opt_migratable: + if (*args[0].from == '0') + pay->migratable = 0; +- else ++ else if (*args[0].from != '1') + return -EINVAL; + break; + case Opt_pcrlock: diff --git a/queue-4.14/seccomp-add-missing-return-in-non-void-function.patch b/queue-4.14/seccomp-add-missing-return-in-non-void-function.patch new file mode 100644 index 00000000000..a44bcb98b04 --- /dev/null +++ b/queue-4.14/seccomp-add-missing-return-in-non-void-function.patch @@ -0,0 +1,34 @@ +From 04b38d012556199ba4c31195940160e0c44c64f0 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 11 Jan 2021 17:28:39 +0000 +Subject: seccomp: Add missing return in non-void function + +From: Paul Cercueil + +commit 04b38d012556199ba4c31195940160e0c44c64f0 upstream. + +We don't actually care about the value, since the kernel will panic +before that; but a value should nonetheless be returned, otherwise the +compiler will complain. + +Fixes: 8112c4f140fa ("seccomp: remove 2-phase API") +Cc: stable@vger.kernel.org # 4.7+ +Signed-off-by: Paul Cercueil +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20210111172839.640914-1-paul@crapouillou.net +Signed-off-by: Greg Kroah-Hartman +--- + kernel/seccomp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -775,6 +775,8 @@ static int __seccomp_filter(int this_sys + const bool recheck_after_trace) + { + BUG(); ++ ++ return -1; + } + #endif + diff --git a/queue-4.14/series b/queue-4.14/series index df009b8901e..ff96a866e0c 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -118,3 +118,29 @@ arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch mm-rmap-fix-potential-pte_unmap-on-an-not-mapped-pte.patch scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch +blk-settings-align-max_sectors-on-logical_block_size-boundary.patch +acpi-property-fix-fwnode-string-properties-matching.patch +acpi-configfs-add-missing-check-after-configfs_register_default_group.patch +hid-wacom-ignore-attempts-to-overwrite-the-touch_max-value-from-hid.patch +input-raydium_ts_i2c-do-not-send-zero-length.patch +input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch +input-joydev-prevent-potential-read-overflow-in-ioctl.patch +input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch +usb-serial-option-update-interface-mapping-for-zte-p685m.patch +usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch +usb-serial-mos7840-fix-error-code-in-mos7840_write.patch +usb-serial-mos7720-fix-error-code-in-mos7720_write.patch +usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch +usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch +alsa-hda-realtek-modify-eapd-in-the-alc886.patch +tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch +keys-trusted-fix-migratable-1-failing.patch +btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch +btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch +btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch +crypto-sun4i-ss-checking-sg-length-is-not-sufficient.patch +crypto-sun4i-ss-iv-register-does-not-work-on-a10-and-a13.patch +crypto-sun4i-ss-handle-bigendian-for-cipher.patch +seccomp-add-missing-return-in-non-void-function.patch +drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch +staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch diff --git a/queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch b/queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch new file mode 100644 index 00000000000..4456c7156ec --- /dev/null +++ b/queue-4.14/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch @@ -0,0 +1,30 @@ +From 7a8d2f1908a59003e55ef8691d09efb7fbc51625 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Thu, 4 Feb 2021 09:52:17 +0100 +Subject: staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table + +From: Martin Kaiser + +commit 7a8d2f1908a59003e55ef8691d09efb7fbc51625 upstream. + +The Edimax EW-7811UN V2 uses an RTL8188EU chipset and works with this +driver. + +Signed-off-by: Martin Kaiser +Cc: stable +Link: https://lore.kernel.org/r/20210204085217.9743-1-martin@kaiser.cx +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -49,6 +49,7 @@ static const struct usb_device_id rtw_us + {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ + {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ ++ {USB_DEVICE(0x7392, 0xb811)}, /* Edimax EW-7811UN V2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ + }; diff --git a/queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch b/queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch new file mode 100644 index 00000000000..2ca91749f20 --- /dev/null +++ b/queue-4.14/tpm_tis-fix-check_locality-for-correct-locality-acquisition.patch @@ -0,0 +1,41 @@ +From 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Thu, 1 Oct 2020 11:09:21 -0700 +Subject: tpm_tis: Fix check_locality for correct locality acquisition + +From: James Bottomley + +commit 3d9ae54af1d02a7c0edc55c77d7df2b921e58a87 upstream. + +The TPM TIS specification says the TPM signals the acquisition of locality +when the TMP_ACCESS_REQUEST_USE bit goes to one *and* the +TPM_ACCESS_REQUEST_USE bit goes to zero. Currently we only check the +former not the latter, so check both. Adding the check on +TPM_ACCESS_REQUEST_USE should fix the case where the locality is +re-requested before the TPM has released it. In this case the locality may +get released briefly before it is reacquired, which causes all sorts of +problems. However, with the added check, TPM_ACCESS_REQUEST_USE should +remain 1 until the second request for the locality is granted. + +Cc: stable@ger.kernel.org +Fixes: 27084efee0c3 ("[PATCH] tpm: driver for next generation TPM chips") +Signed-off-by: James Bottomley +Reviewed-by: Jerry Snitselaar +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm_tis_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm_tis_core.c ++++ b/drivers/char/tpm/tpm_tis_core.c +@@ -68,7 +68,8 @@ static bool check_locality(struct tpm_ch + if (rc < 0) + return false; + +- if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) == ++ if ((access & (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID ++ | TPM_ACCESS_REQUEST_USE)) == + (TPM_ACCESS_ACTIVE_LOCALITY | TPM_ACCESS_VALID)) { + priv->locality = l; + return true; diff --git a/queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch b/queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch new file mode 100644 index 00000000000..3ee49af02c7 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch @@ -0,0 +1,41 @@ +From 4b049f55ed95cd889bcdb3034fd75e1f01852b38 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 8 Feb 2021 13:53:16 -0800 +Subject: usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt + +From: Thinh Nguyen + +commit 4b049f55ed95cd889bcdb3034fd75e1f01852b38 upstream. + +The dep->interval captures the number of frames/microframes per interval +from bInterval. Fullspeed interrupt endpoint bInterval is the number of +frames per interval and not 2^(bInterval - 1). So fix it here. This +change is only for debugging purpose and should not affect the interrupt +endpoint operation. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/1263b563dedc4ab8b0fb854fba06ce4bc56bd495.1612820995.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -616,8 +616,13 @@ static int dwc3_gadget_set_ep_config(str + if (dwc->gadget.speed == USB_SPEED_FULL) + bInterval_m1 = 0; + ++ if (usb_endpoint_type(desc) == USB_ENDPOINT_XFER_INT && ++ dwc->gadget.speed == USB_SPEED_FULL) ++ dep->interval = desc->bInterval; ++ else ++ dep->interval = 1 << (desc->bInterval - 1); ++ + params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1); +- dep->interval = 1 << (desc->bInterval - 1); + } + + return dwc3_send_gadget_ep_cmd(dep, DWC3_DEPCMD_SETEPCONFIG, ¶ms); diff --git a/queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch b/queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch new file mode 100644 index 00000000000..f6aea726962 --- /dev/null +++ b/queue-4.14/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch @@ -0,0 +1,43 @@ +From a1679af85b2ae35a2b78ad04c18bb069c37330cc Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 8 Feb 2021 13:53:10 -0800 +Subject: usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 + +From: Thinh Nguyen + +commit a1679af85b2ae35a2b78ad04c18bb069c37330cc upstream. + +Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it must be set +to 0 when the controller operates in full-speed. See the programming +guide for DEPCFG command section 3.2.2.1 (v3.30a). + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/3f57026f993c0ce71498dbb06e49b3a47c4d0265.1612820995.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -606,7 +606,17 @@ static int dwc3_gadget_set_ep_config(str + params.param0 |= DWC3_DEPCFG_FIFO_NUMBER(dep->number >> 1); + + if (desc->bInterval) { +- params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(desc->bInterval - 1); ++ u8 bInterval_m1; ++ ++ /* ++ * Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it ++ * must be set to 0 when the controller operates in full-speed. ++ */ ++ bInterval_m1 = min_t(u8, desc->bInterval - 1, 13); ++ if (dwc->gadget.speed == USB_SPEED_FULL) ++ bInterval_m1 = 0; ++ ++ params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1); + dep->interval = 1 << (desc->bInterval - 1); + } + diff --git a/queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch b/queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch new file mode 100644 index 00000000000..6688d2acf95 --- /dev/null +++ b/queue-4.14/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch @@ -0,0 +1,88 @@ +From 0eaa1a3714db34a59ce121de5733c3909c529463 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sat, 23 Jan 2021 14:24:59 +0000 +Subject: usb: musb: Fix runtime PM race in musb_queue_resume_work + +From: Paul Cercueil + +commit 0eaa1a3714db34a59ce121de5733c3909c529463 upstream. + +musb_queue_resume_work() would call the provided callback if the runtime +PM status was 'active'. Otherwise, it would enqueue the request if the +hardware was still suspended (musb->is_runtime_suspended is true). + +This causes a race with the runtime PM handlers, as it is possible to be +in the case where the runtime PM status is not yet 'active', but the +hardware has been awaken (PM resume function has been called). + +When hitting the race, the resume work was not enqueued, which probably +triggered other bugs further down the stack. For instance, a telnet +connection on Ingenic SoCs would result in a 50/50 chance of a +segmentation fault somewhere in the musb code. + +Rework the code so that either we call the callback directly if +(musb->is_runtime_suspended == 0), or enqueue the query otherwise. + +Fixes: ea2f35c01d5e ("usb: musb: Fix sleeping function called from invalid context for hdrc glue") +Cc: stable@vger.kernel.org # v4.9+ +Tested-by: Tony Lindgren +Reviewed-by: Tony Lindgren +Signed-off-by: Paul Cercueil +Link: https://lore.kernel.org/r/20210123142502.16980-1-paul@crapouillou.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_core.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -2104,32 +2104,35 @@ int musb_queue_resume_work(struct musb * + { + struct musb_pending_work *w; + unsigned long flags; ++ bool is_suspended; + int error; + + if (WARN_ON(!callback)) + return -EINVAL; + +- if (pm_runtime_active(musb->controller)) +- return callback(musb, data); ++ spin_lock_irqsave(&musb->list_lock, flags); ++ is_suspended = musb->is_runtime_suspended; + +- w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC); +- if (!w) +- return -ENOMEM; ++ if (is_suspended) { ++ w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC); ++ if (!w) { ++ error = -ENOMEM; ++ goto out_unlock; ++ } ++ ++ w->callback = callback; ++ w->data = data; + +- w->callback = callback; +- w->data = data; +- spin_lock_irqsave(&musb->list_lock, flags); +- if (musb->is_runtime_suspended) { + list_add_tail(&w->node, &musb->pending_list); + error = 0; +- } else { +- dev_err(musb->controller, "could not add resume work %p\n", +- callback); +- devm_kfree(musb->controller, w); +- error = -EINPROGRESS; + } ++ ++out_unlock: + spin_unlock_irqrestore(&musb->list_lock, flags); + ++ if (!is_suspended) ++ error = callback(musb, data); ++ + return error; + } + EXPORT_SYMBOL_GPL(musb_queue_resume_work); diff --git a/queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch b/queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch new file mode 100644 index 00000000000..10ec2b4c0cf --- /dev/null +++ b/queue-4.14/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch @@ -0,0 +1,35 @@ +From fea7372cbc40869876df0f045e367f6f97a1666c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 28 Jan 2021 12:35:23 +0300 +Subject: USB: serial: mos7720: fix error code in mos7720_write() + +From: Dan Carpenter + +commit fea7372cbc40869876df0f045e367f6f97a1666c upstream. + +This code should return -ENOMEM if the kmalloc() fails but instead +it returns success. + +Signed-off-by: Dan Carpenter +Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/mos7720.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -1252,8 +1252,10 @@ static int mos7720_write(struct tty_stru + if (urb->transfer_buffer == NULL) { + urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, + GFP_ATOMIC); +- if (!urb->transfer_buffer) ++ if (!urb->transfer_buffer) { ++ bytes_sent = -ENOMEM; + goto exit; ++ } + } + transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE); + diff --git a/queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch b/queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch new file mode 100644 index 00000000000..ee70eb7cd30 --- /dev/null +++ b/queue-4.14/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch @@ -0,0 +1,34 @@ +From a70aa7dc60099bbdcbd6faca42a915d80f31161e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 26 Jan 2021 13:26:54 +0300 +Subject: USB: serial: mos7840: fix error code in mos7840_write() + +From: Dan Carpenter + +commit a70aa7dc60099bbdcbd6faca42a915d80f31161e upstream. + +This should return -ENOMEM instead of 0 if the kmalloc() fails. + +Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") +Signed-off-by: Dan Carpenter +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/mos7840.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -1352,8 +1352,10 @@ static int mos7840_write(struct tty_stru + if (urb->transfer_buffer == NULL) { + urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, + GFP_ATOMIC); +- if (!urb->transfer_buffer) ++ if (!urb->transfer_buffer) { ++ bytes_sent = -ENOMEM; + goto exit; ++ } + } + transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE); + diff --git a/queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch b/queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch new file mode 100644 index 00000000000..69b129a5322 --- /dev/null +++ b/queue-4.14/usb-serial-option-update-interface-mapping-for-zte-p685m.patch @@ -0,0 +1,78 @@ +From 6420a569504e212d618d4a4736e2c59ed80a8478 Mon Sep 17 00:00:00 2001 +From: Lech Perczak +Date: Sun, 7 Feb 2021 01:54:43 +0100 +Subject: USB: serial: option: update interface mapping for ZTE P685M +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lech Perczak + +commit 6420a569504e212d618d4a4736e2c59ed80a8478 upstream. + +This patch prepares for qmi_wwan driver support for the device. +Previously "option" driver mapped itself to interfaces 0 and 3 (matching +ff/ff/ff), while interface 3 is in fact a QMI port. +Interfaces 1 and 2 (matching ff/00/00) expose AT commands, +and weren't supported previously at all. +Without this patch, a possible conflict would exist if device ID was +added to qmi_wwan driver for interface 3. + +Update and simplify device ID to match interfaces 0-2 directly, +to expose QCDM (0), PCUI (1), and modem (2) ports and avoid conflict +with QMI (3), and ADB (4). + +The modem is used inside ZTE MF283+ router and carriers identify it as +such. +Interface mapping is: +0: QCDM, 1: AT (PCUI), 2: AT (Modem), 3: QMI, 4: ADB + +T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=1275 Rev=f0.00 +S: Manufacturer=ZTE,Incorporated +S: Product=ZTE Technologies MSM +S: SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=87(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: Johan Hovold +Cc: Bjørn Mork +Signed-off-by: Lech Perczak +Link: https://lore.kernel.org/r/20210207005443.12936-1-lech.perczak@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1572,7 +1572,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1274, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1275, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE(ZTE_VENDOR_ID, 0x1275), /* ZTE P685M */ ++ .driver_info = RSVD(3) | RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1276, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1277, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1278, 0xff, 0xff, 0xff) }, -- 2.47.3