From faad7c9a7c2fe20900b7797fb39daa0652bad768 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 13 Feb 2022 12:27:58 +0100 Subject: [PATCH] 4.9-stable patches added patches: bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch hwmon-dell-smm-speed-up-setting-of-fan-speed.patch n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch usb-gadget-validate-interface-os-descriptor-requests.patch usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch usb-serial-cp210x-add-ncr-retail-io-box-id.patch usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch usb-serial-option-add-zte-mf286d-modem.patch vt_ioctl-add-array_index_nospec-to-vt_activate.patch vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch --- ...-for-disabling-unpriv-bpf-by-default.patch | 148 ++++++++++++++++++ ...ll-smm-speed-up-setting-of-fan-speed.patch | 73 +++++++++ ...up-poll-pollrdnorm-on-receiving-data.patch | 85 ++++++++++ queue-4.9/series | 13 ++ ...vent-core-from-processing-stale-trbs.patch | 51 ++++++ ...-check-size-of-rndis_msg_set-command.patch | 43 +++++ ...ate-interface-os-descriptor-requests.patch | 31 ++++ ...-for-gw-instek-usb2.0-serial-devices.patch | 39 +++++ ...cp210x-add-cpi-bulk-coin-recycler-id.patch | 33 ++++ ...rial-cp210x-add-ncr-retail-io-box-id.patch | 33 ++++ ...upport-for-brainboxes-us-159-235-320.patch | 58 +++++++ ...b-serial-option-add-zte-mf286d-modem.patch | 62 ++++++++ ...dd-array_index_nospec-to-vt_activate.patch | 39 +++++ ...array_index_nospec-in-vt_setactivate.patch | 42 +++++ 14 files changed, 750 insertions(+) create mode 100644 queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch create mode 100644 queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch create mode 100644 queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch create mode 100644 queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch create mode 100644 queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch create mode 100644 queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch create mode 100644 queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch create mode 100644 queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch create mode 100644 queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch create mode 100644 queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch create mode 100644 queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch create mode 100644 queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch create mode 100644 queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch diff --git a/queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch b/queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch new file mode 100644 index 00000000000..4ff1bf6ea71 --- /dev/null +++ b/queue-4.9/bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch @@ -0,0 +1,148 @@ +From 08389d888287c3823f80b0216766b71e17f0aba5 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Tue, 11 May 2021 22:35:17 +0200 +Subject: bpf: Add kconfig knob for disabling unpriv bpf by default + +From: Daniel Borkmann + +commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream. + +Add a kconfig knob which allows for unprivileged bpf to be disabled by default. +If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2. + +This still allows a transition of 2 -> {0,1} through an admin. Similarly, +this also still keeps 1 -> {1} behavior intact, so that once set to permanently +disabled, it cannot be undone aside from a reboot. + +We've also added extra2 with max of 2 for the procfs handler, so that an admin +still has a chance to toggle between 0 <-> 2. + +Either way, as an additional alternative, applications can make use of CAP_BPF +that we added a while ago. + +Signed-off-by: Daniel Borkmann +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net +[fllinden@amazon.com: backported to 4.9] +Signed-off-by: Frank van der Linden +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sysctl/kernel.txt | 21 +++++++++++++++++++++ + init/Kconfig | 10 ++++++++++ + kernel/bpf/syscall.c | 3 ++- + kernel/sysctl.c | 29 +++++++++++++++++++++++++---- + 4 files changed, 58 insertions(+), 5 deletions(-) + +--- a/Documentation/sysctl/kernel.txt ++++ b/Documentation/sysctl/kernel.txt +@@ -90,6 +90,7 @@ show up in /proc/sys/kernel: + - sysctl_writes_strict + - tainted + - threads-max ++- unprivileged_bpf_disabled + - unknown_nmi_panic + - watchdog + - watchdog_thresh +@@ -995,6 +996,26 @@ available RAM pages threads-max is reduc + + ============================================================== + ++unprivileged_bpf_disabled: ++ ++Writing 1 to this entry will disable unprivileged calls to bpf(); ++once disabled, calling bpf() without CAP_SYS_ADMIN will return ++-EPERM. Once set to 1, this can't be cleared from the running kernel ++anymore. ++ ++Writing 2 to this entry will also disable unprivileged calls to bpf(), ++however, an admin can still change this setting later on, if needed, by ++writing 0 or 1 to this entry. ++ ++If BPF_UNPRIV_DEFAULT_OFF is enabled in the kernel config, then this ++entry will default to 2 instead of 0. ++ ++ 0 - Unprivileged calls to bpf() are enabled ++ 1 - Unprivileged calls to bpf() are disabled without recovery ++ 2 - Unprivileged calls to bpf() are disabled ++ ++============================================================== ++ + unknown_nmi_panic: + + The value in this file affects behavior of handling NMI. When the +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1645,6 +1645,16 @@ config ADVISE_SYSCALLS + applications use these syscalls, you can disable this option to save + space. + ++config BPF_UNPRIV_DEFAULT_OFF ++ bool "Disable unprivileged BPF by default" ++ depends on BPF_SYSCALL ++ help ++ Disables unprivileged BPF by default by setting the corresponding ++ /proc/sys/kernel/unprivileged_bpf_disabled knob to 2. An admin can ++ still reenable it by setting it to 0 later on, or permanently ++ disable it by setting it to 1 (from which no other transition to ++ 0 is possible anymore). ++ + config USERFAULTFD + bool "Enable userfaultfd() system call" + select ANON_INODES +--- a/kernel/bpf/syscall.c ++++ b/kernel/bpf/syscall.c +@@ -22,7 +22,8 @@ + + DEFINE_PER_CPU(int, bpf_prog_active); + +-int sysctl_unprivileged_bpf_disabled __read_mostly; ++int sysctl_unprivileged_bpf_disabled __read_mostly = ++ IS_BUILTIN(CONFIG_BPF_UNPRIV_DEFAULT_OFF) ? 2 : 0; + + static LIST_HEAD(bpf_map_types); + +--- a/kernel/sysctl.c ++++ b/kernel/sysctl.c +@@ -221,6 +221,28 @@ static int sysrq_sysctl_handler(struct c + + #endif + ++#ifdef CONFIG_BPF_SYSCALL ++static int bpf_unpriv_handler(struct ctl_table *table, int write, ++ void *buffer, size_t *lenp, loff_t *ppos) ++{ ++ int ret, unpriv_enable = *(int *)table->data; ++ bool locked_state = unpriv_enable == 1; ++ struct ctl_table tmp = *table; ++ ++ if (write && !capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ tmp.data = &unpriv_enable; ++ ret = proc_dointvec_minmax(&tmp, write, buffer, lenp, ppos); ++ if (write && !ret) { ++ if (locked_state && unpriv_enable != 1) ++ return -EPERM; ++ *(int *)table->data = unpriv_enable; ++ } ++ return ret; ++} ++#endif ++ + static struct ctl_table kern_table[]; + static struct ctl_table vm_table[]; + static struct ctl_table fs_table[]; +@@ -1202,10 +1224,9 @@ static struct ctl_table kern_table[] = { + .data = &sysctl_unprivileged_bpf_disabled, + .maxlen = sizeof(sysctl_unprivileged_bpf_disabled), + .mode = 0644, +- /* only handle a transition from default "0" to "1" */ +- .proc_handler = proc_dointvec_minmax, +- .extra1 = &one, +- .extra2 = &one, ++ .proc_handler = bpf_unpriv_handler, ++ .extra1 = &zero, ++ .extra2 = &two, + }, + #endif + #if defined(CONFIG_TREE_RCU) || defined(CONFIG_PREEMPT_RCU) diff --git a/queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch b/queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch new file mode 100644 index 00000000000..7c131e03ff9 --- /dev/null +++ b/queue-4.9/hwmon-dell-smm-speed-up-setting-of-fan-speed.patch @@ -0,0 +1,73 @@ +From c0d79987a0d82671bff374c07f2201f9bdf4aaa2 Mon Sep 17 00:00:00 2001 +From: Armin Wolf +Date: Thu, 21 Oct 2021 21:05:31 +0200 +Subject: hwmon: (dell-smm) Speed up setting of fan speed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +commit c0d79987a0d82671bff374c07f2201f9bdf4aaa2 upstream. + +When setting the fan speed, i8k_set_fan() calls i8k_get_fan_status(), +causing an unnecessary SMM call since from the two users of this +function, only i8k_ioctl_unlocked() needs to know the new fan status +while dell_smm_write() ignores the new fan status. +Since SMM calls can be very slow while also making error reporting +difficult for dell_smm_write(), remove the function call from +i8k_set_fan() and call it separately in i8k_ioctl_unlocked(). + +Tested on a Dell Inspiron 3505. + +Signed-off-by: Armin Wolf +Reviewed-by: Pali Rohár +Link: https://lore.kernel.org/r/20211021190531.17379-6-W_Armin@gmx.de +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwmon/dell-smm-hwmon.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/hwmon/dell-smm-hwmon.c ++++ b/drivers/hwmon/dell-smm-hwmon.c +@@ -294,7 +294,7 @@ static int i8k_get_fan_nominal_speed(int + } + + /* +- * Set the fan speed (off, low, high). Returns the new fan status. ++ * Set the fan speed (off, low, high, ...). + */ + static int i8k_set_fan(int fan, int speed) + { +@@ -303,7 +303,7 @@ static int i8k_set_fan(int fan, int spee + speed = (speed < 0) ? 0 : ((speed > i8k_fan_max) ? i8k_fan_max : speed); + regs.ebx = (fan & 0xff) | (speed << 8); + +- return i8k_smm(®s) ? : i8k_get_fan_status(fan); ++ return i8k_smm(®s); + } + + static int i8k_get_temp_type(int sensor) +@@ -417,7 +417,7 @@ static int + i8k_ioctl_unlocked(struct file *fp, unsigned int cmd, unsigned long arg) + { + int val = 0; +- int speed; ++ int speed, err; + unsigned char buff[16]; + int __user *argp = (int __user *)arg; + +@@ -478,7 +478,11 @@ i8k_ioctl_unlocked(struct file *fp, unsi + if (copy_from_user(&speed, argp + 1, sizeof(int))) + return -EFAULT; + +- val = i8k_set_fan(val, speed); ++ err = i8k_set_fan(val, speed); ++ if (err < 0) ++ return err; ++ ++ val = i8k_get_fan_status(val); + break; + + default: diff --git a/queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch b/queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch new file mode 100644 index 00000000000..1e3a84dfba4 --- /dev/null +++ b/queue-4.9/n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch @@ -0,0 +1,85 @@ +From c816b2e65b0e86b95011418cad334f0524fc33b8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?TATSUKAWA=20KOSUKE=20=28=E7=AB=8B=E5=B7=9D=20=E6=B1=9F?= + =?UTF-8?q?=E4=BB=8B=29?= +Date: Wed, 26 Jan 2022 23:35:02 +0000 +Subject: n_tty: wake up poll(POLLRDNORM) on receiving data + +From: TATSUKAWA KOSUKE (立川 江介) + +commit c816b2e65b0e86b95011418cad334f0524fc33b8 upstream. + +The poll man page says POLLRDNORM is equivalent to POLLIN when used as +an event. +$ man poll + + POLLRDNORM + Equivalent to POLLIN. + +However, in n_tty driver, POLLRDNORM does not return until timeout even +if there is terminal input, whereas POLLIN returns. + +The following test program works until kernel-3.17, but the test stops +in poll() after commit 57087d515441 ("tty: Fix spurious poll() wakeups"). + +[Steps to run test program] + $ cc -o test-pollrdnorm test-pollrdnorm.c + $ ./test-pollrdnorm + foo <-- Type in something from the terminal followed by [RET]. + The string should be echoed back. + + ------------------------< test-pollrdnorm.c >------------------------ + #include + #include + #include + #include + + void main(void) + { + int n; + unsigned char buf[8]; + struct pollfd fds[1] = {{ 0, POLLRDNORM, 0 }}; + + n = poll(fds, 1, -1); + if (n < 0) + perror("poll"); + n = read(0, buf, 8); + if (n < 0) + perror("read"); + if (n > 0) + write(1, buf, n); + } + ------------------------------------------------------------------------ + +The attached patch fixes this problem. Many calls to +wake_up_interruptible_poll() in the kernel source code already specify +"POLLIN | POLLRDNORM". + +Fixes: 57087d515441 ("tty: Fix spurious poll() wakeups") +Cc: stable@vger.kernel.org +Signed-off-by: Kosuke Tatsukawa +Link: https://lore.kernel.org/r/TYCPR01MB81901C0F932203D30E452B3EA5209@TYCPR01MB8190.jpnprd01.prod.outlook.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/n_tty.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/n_tty.c ++++ b/drivers/tty/n_tty.c +@@ -1377,7 +1377,7 @@ handle_newline: + put_tty_queue(c, ldata); + smp_store_release(&ldata->canon_head, ldata->read_head); + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- wake_up_interruptible_poll(&tty->read_wait, POLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, POLLIN | POLLRDNORM); + return 0; + } + } +@@ -1658,7 +1658,7 @@ static void __receive_buf(struct tty_str + + if (read_cnt(ldata)) { + kill_fasync(&tty->fasync, SIGIO, POLL_IN); +- wake_up_interruptible_poll(&tty->read_wait, POLLIN); ++ wake_up_interruptible_poll(&tty->read_wait, POLLIN | POLLRDNORM); + } + } + diff --git a/queue-4.9/series b/queue-4.9/series index 964b4dfd19f..4e987bc03f2 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -19,3 +19,16 @@ ipmr-ip6mr-acquire-rtnl-before-calling-ip-6-mr_free_.patch net-do-not-keep-the-dst-cache-when-uncloning-an-skb-.patch net-fix-a-memleak-when-uncloning-an-skb-dst-and-its-.patch tipc-rate-limit-warning-for-received-illegal-binding.patch +vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch +vt_ioctl-add-array_index_nospec-to-vt_activate.patch +bpf-add-kconfig-knob-for-disabling-unpriv-bpf-by-default.patch +n_tty-wake-up-poll-pollrdnorm-on-receiving-data.patch +usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch +usb-gadget-validate-interface-os-descriptor-requests.patch +usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch +usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch +usb-serial-option-add-zte-mf286d-modem.patch +usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch +usb-serial-cp210x-add-ncr-retail-io-box-id.patch +usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch +hwmon-dell-smm-speed-up-setting-of-fan-speed.patch diff --git a/queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch b/queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch new file mode 100644 index 00000000000..6129924854e --- /dev/null +++ b/queue-4.9/usb-dwc3-gadget-prevent-core-from-processing-stale-trbs.patch @@ -0,0 +1,51 @@ +From 117b4e96c7f362eb6459543883fc07f77662472c Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Mon, 7 Feb 2022 09:55:58 +0530 +Subject: usb: dwc3: gadget: Prevent core from processing stale TRBs + +From: Udipto Goswami + +commit 117b4e96c7f362eb6459543883fc07f77662472c upstream. + +With CPU re-ordering on write instructions, there might +be a chance that the HWO is set before the TRB is updated +with the new mapped buffer address. +And in the case where core is processing a list of TRBs +it is possible that it fetched the TRBs when the HWO is set +but before the buffer address is updated. +Prevent this by adding a memory barrier before the HWO +is updated to ensure that the core always process the +updated TRBs. + +Fixes: f6bafc6a1c9d ("usb: dwc3: convert TRBs into bitshifts") +Cc: stable +Reviewed-by: Pavankumar Kondeti +Signed-off-by: Udipto Goswami +Link: https://lore.kernel.org/r/1644207958-18287-1-git-send-email-quic_ugoswami@quicinc.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -902,6 +902,19 @@ static void dwc3_prepare_one_trb(struct + if (usb_endpoint_xfer_bulk(dep->endpoint.desc) && dep->stream_capable) + trb->ctrl |= DWC3_TRB_CTRL_SID_SOFN(req->request.stream_id); + ++ /* ++ * As per data book 4.2.3.2TRB Control Bit Rules section ++ * ++ * The controller autonomously checks the HWO field of a TRB to determine if the ++ * entire TRB is valid. Therefore, software must ensure that the rest of the TRB ++ * is valid before setting the HWO field to '1'. In most systems, this means that ++ * software must update the fourth DWORD of a TRB last. ++ * ++ * However there is a possibility of CPU re-ordering here which can cause ++ * controller to observe the HWO bit set prematurely. ++ * Add a write memory barrier to prevent CPU re-ordering. ++ */ ++ wmb(); + trb->ctrl |= DWC3_TRB_CTRL_HWO; + + trace_dwc3_prepare_trb(dep, trb); diff --git a/queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch b/queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch new file mode 100644 index 00000000000..7473f637d89 --- /dev/null +++ b/queue-4.9/usb-gadget-rndis-check-size-of-rndis_msg_set-command.patch @@ -0,0 +1,43 @@ +From 38ea1eac7d88072bbffb630e2b3db83ca649b826 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Wed, 9 Feb 2022 16:37:53 +0100 +Subject: usb: gadget: rndis: check size of RNDIS_MSG_SET command + +From: Greg Kroah-Hartman + +commit 38ea1eac7d88072bbffb630e2b3db83ca649b826 upstream. + +Check the size of the RNDIS_MSG_SET command given to us before +attempting to respond to an invalid message size. + +Reported-by: Szymon Heidrich +Cc: stable@kernel.org +Tested-by: Szymon Heidrich +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/rndis.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/function/rndis.c ++++ b/drivers/usb/gadget/function/rndis.c +@@ -642,14 +642,17 @@ static int rndis_set_response(struct rnd + rndis_set_cmplt_type *resp; + rndis_resp_t *r; + ++ BufLength = le32_to_cpu(buf->InformationBufferLength); ++ BufOffset = le32_to_cpu(buf->InformationBufferOffset); ++ if ((BufLength > RNDIS_MAX_TOTAL_SIZE) || ++ (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE)) ++ return -EINVAL; ++ + r = rndis_add_response(params, sizeof(rndis_set_cmplt_type)); + if (!r) + return -ENOMEM; + resp = (rndis_set_cmplt_type *)r->buf; + +- BufLength = le32_to_cpu(buf->InformationBufferLength); +- BufOffset = le32_to_cpu(buf->InformationBufferOffset); +- + #ifdef VERBOSE_DEBUG + pr_debug("%s: Length: %d\n", __func__, BufLength); + pr_debug("%s: Offset: %d\n", __func__, BufOffset); diff --git a/queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch b/queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch new file mode 100644 index 00000000000..ce846848cad --- /dev/null +++ b/queue-4.9/usb-gadget-validate-interface-os-descriptor-requests.patch @@ -0,0 +1,31 @@ +From 75e5b4849b81e19e9efe1654b30d7f3151c33c2c Mon Sep 17 00:00:00 2001 +From: Szymon Heidrich +Date: Mon, 24 Jan 2022 12:14:00 +0100 +Subject: USB: gadget: validate interface OS descriptor requests + +From: Szymon Heidrich + +commit 75e5b4849b81e19e9efe1654b30d7f3151c33c2c upstream. + +Stall the control endpoint in case provided index exceeds array size of +MAX_CONFIG_INTERFACES or when the retrieved function pointer is null. + +Signed-off-by: Szymon Heidrich +Cc: stable@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/composite.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/gadget/composite.c ++++ b/drivers/usb/gadget/composite.c +@@ -1932,6 +1932,9 @@ unknown: + if (w_index != 0x5 || (w_value >> 8)) + break; + interface = w_value & 0xFF; ++ if (interface >= MAX_CONFIG_INTERFACES || ++ !os_desc_cfg->interface[interface]) ++ break; + buf[6] = w_index; + if (w_length == 0x0A) { + count = count_ext_prop(os_desc_cfg, diff --git a/queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch b/queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch new file mode 100644 index 00000000000..72967b3293d --- /dev/null +++ b/queue-4.9/usb-serial-ch341-add-support-for-gw-instek-usb2.0-serial-devices.patch @@ -0,0 +1,39 @@ +From fa77ce201f7f2d823b07753575122d1ae5597fbe Mon Sep 17 00:00:00 2001 +From: Stephan Brunner +Date: Sat, 8 Jan 2022 13:00:20 +0100 +Subject: USB: serial: ch341: add support for GW Instek USB2.0-Serial devices + +From: Stephan Brunner + +commit fa77ce201f7f2d823b07753575122d1ae5597fbe upstream. + +Programmable lab power supplies made by GW Instek, such as the +GPP-2323, have a USB port exposing a serial port to control the device. + +Stringing the supplied Windows driver, references to the ch341 chip are +found. Binding the existing ch341 driver to the VID/PID of the GPP-2323 +("GW Instek USB2.0-Serial" as per the USB product name) works out of the +box, communication and control is now possible. + +This patch should work with any GPP series power supply due to +similarities in the product line. + +Signed-off-by: Stephan Brunner +Link: https://lore.kernel.org/r/4a47b864-0816-6f6a-efee-aa20e74bcdc6@stephan-brunner.net +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ch341.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/ch341.c ++++ b/drivers/usb/serial/ch341.c +@@ -74,6 +74,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x1a86, 0x5523) }, + { USB_DEVICE(0x1a86, 0x7522) }, + { USB_DEVICE(0x1a86, 0x7523) }, ++ { USB_DEVICE(0x2184, 0x0057) }, + { USB_DEVICE(0x4348, 0x5523) }, + { USB_DEVICE(0x9986, 0x7523) }, + { }, diff --git a/queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch b/queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch new file mode 100644 index 00000000000..2b06c5fee39 --- /dev/null +++ b/queue-4.9/usb-serial-cp210x-add-cpi-bulk-coin-recycler-id.patch @@ -0,0 +1,33 @@ +From 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Feb 2022 11:42:53 +0100 +Subject: USB: serial: cp210x: add CPI Bulk Coin Recycler id + +From: Johan Hovold + +commit 6ca0c6283340d819bf9c7d8e76be33c9fbd903ab upstream. + +Add the device id for the Crane Payment Innovation / Money Controls Bulk +Coin Recycler: + + https://www.cranepi.com/en/system/files/Support/OM_BCR_EN_V1-04_0.pdf + +Reported-by: Scott Russell +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -67,6 +67,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x0FCF, 0x1004) }, /* Dynastream ANT2USB */ + { USB_DEVICE(0x0FCF, 0x1006) }, /* Dynastream ANT development board */ + { USB_DEVICE(0x0FDE, 0xCA05) }, /* OWL Wireless Electricity Monitor CM-160 */ ++ { USB_DEVICE(0x106F, 0x0003) }, /* CPI / Money Controls Bulk Coin Recycler */ + { USB_DEVICE(0x10A6, 0xAA26) }, /* Knock-off DCU-11 cable */ + { USB_DEVICE(0x10AB, 0x10C5) }, /* Siemens MC60 Cable */ + { USB_DEVICE(0x10B5, 0xAC70) }, /* Nokia CA-42 USB */ diff --git a/queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch b/queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch new file mode 100644 index 00000000000..b357da519eb --- /dev/null +++ b/queue-4.9/usb-serial-cp210x-add-ncr-retail-io-box-id.patch @@ -0,0 +1,33 @@ +From b50f8f09c622297d3cf46e332e17ba8adedec9af Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 1 Feb 2022 11:42:52 +0100 +Subject: USB: serial: cp210x: add NCR Retail IO box id + +From: Johan Hovold + +commit b50f8f09c622297d3cf46e332e17ba8adedec9af upstream. + +Add the device id for NCR's Retail IO box (CP2105) used in NCR FastLane +SelfServ Checkout - R6C: + + https://www.ncr.com/product-catalog/ncr-fastlane-selfserv-checkout-r6c + +Reported-by: Scott Russell +Cc: stable@vger.kernel.org +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -49,6 +49,7 @@ static int cp210x_port_remove(struct usb + static void cp210x_dtr_rts(struct usb_serial_port *p, int on); + + static const struct usb_device_id id_table[] = { ++ { USB_DEVICE(0x0404, 0x034C) }, /* NCR Retail IO Box */ + { USB_DEVICE(0x045B, 0x0053) }, /* Renesas RX610 RX-Stick */ + { USB_DEVICE(0x0471, 0x066A) }, /* AKTAKOM ACE-1001 cable */ + { USB_DEVICE(0x0489, 0xE000) }, /* Pirelli Broadband S.p.A, DP-L10 SIP/GSM Mobile */ diff --git a/queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch b/queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch new file mode 100644 index 00000000000..3af09160348 --- /dev/null +++ b/queue-4.9/usb-serial-ftdi_sio-add-support-for-brainboxes-us-159-235-320.patch @@ -0,0 +1,58 @@ +From fbb9b194e15a63c56c5664e76ccd0e85c6100cea Mon Sep 17 00:00:00 2001 +From: Cameron Williams +Date: Tue, 1 Feb 2022 10:12:51 +0000 +Subject: USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 + +From: Cameron Williams + +commit fbb9b194e15a63c56c5664e76ccd0e85c6100cea upstream. + +This patch adds support for the Brainboxes US-159, US-235 and US-320 +USB-to-Serial devices. + +Signed-off-by: Cameron Williams +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 3 +++ + drivers/usb/serial/ftdi_sio_ids.h | 3 +++ + 2 files changed, 6 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -964,6 +964,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_023_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_VX_034_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_101_PID) }, ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_159_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_1_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_2_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_3_PID) }, +@@ -972,12 +973,14 @@ static const struct usb_device_id id_tab + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_6_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_7_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_160_8_PID) }, ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_235_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_257_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_1_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_2_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_3_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_279_4_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_313_PID) }, ++ { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_320_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_324_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_1_PID) }, + { USB_DEVICE(BRAINBOXES_VID, BRAINBOXES_US_346_2_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1505,6 +1505,9 @@ + #define BRAINBOXES_VX_023_PID 0x1003 /* VX-023 ExpressCard 1 Port RS422/485 */ + #define BRAINBOXES_VX_034_PID 0x1004 /* VX-034 ExpressCard 2 Port RS422/485 */ + #define BRAINBOXES_US_101_PID 0x1011 /* US-101 1xRS232 */ ++#define BRAINBOXES_US_159_PID 0x1021 /* US-159 1xRS232 */ ++#define BRAINBOXES_US_235_PID 0x1017 /* US-235 1xRS232 */ ++#define BRAINBOXES_US_320_PID 0x1019 /* US-320 1xRS422/485 */ + #define BRAINBOXES_US_324_PID 0x1013 /* US-324 1xRS422/485 1Mbaud */ + #define BRAINBOXES_US_606_1_PID 0x2001 /* US-606 6 Port RS232 Serial Port 1 and 2 */ + #define BRAINBOXES_US_606_2_PID 0x2002 /* US-606 6 Port RS232 Serial Port 3 and 4 */ diff --git a/queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch b/queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch new file mode 100644 index 00000000000..a8f56896396 --- /dev/null +++ b/queue-4.9/usb-serial-option-add-zte-mf286d-modem.patch @@ -0,0 +1,62 @@ +From d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 Mon Sep 17 00:00:00 2001 +From: Pawel Dembicki +Date: Tue, 11 Jan 2022 23:12:05 +0100 +Subject: USB: serial: option: add ZTE MF286D modem + +From: Pawel Dembicki + +commit d48384c7ed6c8fe4727eaa0f3048f62afd1cd715 upstream. + +Modem from ZTE MF286D is an Qualcomm MDM9250 based 3G/4G modem. + +T: Bus=02 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0 +D: Ver= 3.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1 +P: Vendor=19d2 ProdID=1485 Rev=52.87 +S: Manufacturer=ZTE,Incorporated +S: Product=ZTE Technologies MSM +S: SerialNumber=MF286DZTED000000 +C:* #Ifs= 7 Cfg#= 1 Atr=80 MxPwr=896mA +A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=06 Prot=00 +I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=02 Prot=ff Driver=rndis_host +E: Ad=82(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +I:* If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=rndis_host +E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=83(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=usbfs +E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms +E: Ad=89(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms + +Signed-off-by: Pawel Dembicki +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1625,6 +1625,8 @@ static const struct usb_device_id option + .driver_info = RSVD(2) }, + { USB_DEVICE_INTERFACE_CLASS(ZTE_VENDOR_ID, 0x1476, 0xff) }, /* GosunCn ZTE WeLink ME3630 (ECM/NCM mode) */ + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1481, 0xff, 0x00, 0x00) }, /* ZTE MF871A */ ++ { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1485, 0xff, 0xff, 0xff), /* ZTE MF286D */ ++ .driver_info = RSVD(5) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1533, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1534, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1535, 0xff, 0xff, 0xff) }, diff --git a/queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch b/queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch new file mode 100644 index 00000000000..6ea19400f8e --- /dev/null +++ b/queue-4.9/vt_ioctl-add-array_index_nospec-to-vt_activate.patch @@ -0,0 +1,39 @@ +From 28cb138f559f8c1a1395f5564f86b8bbee83631b Mon Sep 17 00:00:00 2001 +From: Jakob Koschel +Date: Thu, 27 Jan 2022 15:44:05 +0100 +Subject: vt_ioctl: add array_index_nospec to VT_ACTIVATE + +From: Jakob Koschel + +commit 28cb138f559f8c1a1395f5564f86b8bbee83631b upstream. + +in vt_setactivate an almost identical code path has been patched +with array_index_nospec. In the VT_ACTIVATE path the user input +is from a system call argument instead of a usercopy. +For consistency both code paths should have the same mitigations +applied. + +Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh +Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU +Amsterdam. + +Co-developed-by: Brian Johannesmeyer +Signed-off-by: Brian Johannesmeyer +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20220127144406.3589293-2-jakobkoschel@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt_ioctl.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -694,6 +694,7 @@ int vt_ioctl(struct tty_struct *tty, + ret = -ENXIO; + else { + arg--; ++ arg = array_index_nospec(arg, MAX_NR_CONSOLES); + console_lock(); + ret = vc_allocate(arg); + console_unlock(); diff --git a/queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch b/queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch new file mode 100644 index 00000000000..4374f1f4ccb --- /dev/null +++ b/queue-4.9/vt_ioctl-fix-array_index_nospec-in-vt_setactivate.patch @@ -0,0 +1,42 @@ +From 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 Mon Sep 17 00:00:00 2001 +From: Jakob Koschel +Date: Thu, 27 Jan 2022 15:44:04 +0100 +Subject: vt_ioctl: fix array_index_nospec in vt_setactivate + +From: Jakob Koschel + +commit 61cc70d9e8ef5b042d4ed87994d20100ec8896d9 upstream. + +array_index_nospec ensures that an out-of-bounds value is set to zero +on the transient path. Decreasing the value by one afterwards causes +a transient integer underflow. vsa.console should be decreased first +and then sanitized with array_index_nospec. + +Kasper Acknowledgements: Jakob Koschel, Brian Johannesmeyer, Kaveh +Razavi, Herbert Bos, Cristiano Giuffrida from the VUSec group at VU +Amsterdam. + +Co-developed-by: Brian Johannesmeyer +Signed-off-by: Brian Johannesmeyer +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20220127144406.3589293-1-jakobkoschel@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/vt/vt_ioctl.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -718,9 +718,9 @@ int vt_ioctl(struct tty_struct *tty, + if (vsa.console == 0 || vsa.console > MAX_NR_CONSOLES) + ret = -ENXIO; + else { +- vsa.console = array_index_nospec(vsa.console, +- MAX_NR_CONSOLES + 1); + vsa.console--; ++ vsa.console = array_index_nospec(vsa.console, ++ MAX_NR_CONSOLES); + console_lock(); + ret = vc_allocate(vsa.console); + if (ret == 0) { -- 2.47.3