--- /dev/null
+From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 12 Apr 2021 19:17:57 +0800
+Subject: bluetooth: eliminate the potential race condition when removing the HCI controller
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
+
+There is a possible race condition vulnerability between issuing a HCI
+command and removing the cont. Specifically, functions hci_req_sync()
+and hci_dev_do_close() can race each other like below:
+
+thread-A in hci_req_sync() | thread-B in hci_dev_do_close()
+ | hci_req_sync_lock(hdev);
+test_bit(HCI_UP, &hdev->flags); |
+... | test_and_clear_bit(HCI_UP, &hdev->flags)
+hci_req_sync_lock(hdev); |
+ |
+In this commit we alter the sequence in function hci_req_sync(). Hence,
+the thread-A cannot issue th.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_request.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -271,12 +271,16 @@ int hci_req_sync(struct hci_dev *hdev, i
+ {
+ int ret;
+
+- if (!test_bit(HCI_UP, &hdev->flags))
+- return -ENETDOWN;
+-
+ /* Serialize all requests */
+ hci_req_sync_lock(hdev);
+- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ /* check the state after obtaing the lock to protect the HCI_UP
++ * against any races from hci_dev_do_close when the controller
++ * gets removed.
++ */
++ if (test_bit(HCI_UP, &hdev->flags))
++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++ else
++ ret = -ENETDOWN;
+ hci_req_sync_unlock(hdev);
+
+ return ret;
--- /dev/null
+From 5c4c8c9544099bb9043a10a5318130a943e32fc3 Mon Sep 17 00:00:00 2001
+From: Archie Pusaka <apusaka@chromium.org>
+Date: Mon, 22 Mar 2021 14:03:11 +0800
+Subject: Bluetooth: verify AMP hci_chan before amp_destroy
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 upstream.
+
+hci_chan can be created in 2 places: hci_loglink_complete_evt() if
+it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory,
+Only AMP hci_chan should be removed by a call to
+hci_disconn_loglink_complete_evt(). However, the controller might mess
+up, call that function, and destroy an hci_chan which is not initiated
+by hci_loglink_complete_evt().
+
+This patch adds a verification that the destroyed hci_chan must have
+been init'd by hci_loglink_complete_evt().
+
+Example crash call trace:
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe3/0x144 lib/dump_stack.c:118
+ print_address_description+0x67/0x22a mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report mm/kasan/report.c:412 [inline]
+ kasan_report+0x251/0x28f mm/kasan/report.c:396
+ hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072
+ l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877
+ l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661
+ l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline]
+ l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline]
+ l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline]
+ l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline]
+ l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023
+ l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596
+ hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline]
+ hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+Allocated by task 38:
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553
+ kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787
+ kmalloc include/linux/slab.h:515 [inline]
+ kzalloc include/linux/slab.h:709 [inline]
+ hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674
+ l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062
+ l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline]
+ l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381
+ hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404
+ hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline]
+ hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981
+ hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+Freed by task 1732:
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free mm/kasan/kasan.c:521 [inline]
+ __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436
+ slab_free mm/slub.c:3009 [inline]
+ kfree+0x182/0x21e mm/slub.c:3972
+ hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline]
+ hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050
+ hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+The buggy address belongs to the object at ffff8881d7af9180
+ which belongs to the cache kmalloc-128 of size 128
+The buggy address is located 24 bytes inside of
+ 128-byte region [ffff8881d7af9180, ffff8881d7af9200)
+The buggy address belongs to the page:
+page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0
+flags: 0x8000000000000200(slab)
+raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200
+raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+ ^
+ ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_event.c | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -540,6 +540,7 @@ struct hci_chan {
+ struct sk_buff_head data_q;
+ unsigned int sent;
+ __u8 state;
++ bool amp;
+ };
+
+ struct hci_conn_params {
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -4840,6 +4840,7 @@ static void hci_loglink_complete_evt(str
+ return;
+
+ hchan->handle = le16_to_cpu(ev->handle);
++ hchan->amp = true;
+
+ BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
+
+@@ -4872,7 +4873,7 @@ static void hci_disconn_loglink_complete
+ hci_dev_lock(hdev);
+
+ hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
+- if (!hchan)
++ if (!hchan || !hchan->amp)
+ goto unlock;
+
+ amp_destroy_logical_link(hchan, ev->reason);
--- /dev/null
+From 4b793acdca0050739b99ace6a8b9e7f717f57c6b Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 28 Feb 2020 18:01:46 +0000
+Subject: hsr: use netdev_err() instead of WARN_ONCE()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit 4b793acdca0050739b99ace6a8b9e7f717f57c6b upstream.
+
+When HSR interface is sending a frame, it finds a node with
+the destination ethernet address from the list.
+If there is no node, it calls WARN_ONCE().
+But, using WARN_ONCE() for this situation is a little bit overdoing.
+So, in this patch, the netdev_err() is used instead.
+
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/hsr/hsr_framereg.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/hsr/hsr_framereg.c
++++ b/net/hsr/hsr_framereg.c
+@@ -318,7 +318,8 @@ void hsr_addr_subst_dest(struct hsr_node
+ node_dst = find_node_by_addr_A(&port->hsr->node_db,
+ eth_hdr(skb)->h_dest);
+ if (!node_dst) {
+- WARN_ONCE(1, "%s: Unknown node\n", __func__);
++ if (net_ratelimit())
++ netdev_err(skb->dev, "%s: Unknown node\n", __func__);
+ return;
+ }
+ if (port->type != node_dst->addr_B_port)
--- /dev/null
+From c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 Mon Sep 17 00:00:00 2001
+From: Or Cohen <orcohen@paloaltonetworks.com>
+Date: Tue, 4 May 2021 10:16:46 +0300
+Subject: net/nfc: fix use-after-free llcp_sock_bind/connect
+
+From: Or Cohen <orcohen@paloaltonetworks.com>
+
+commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream.
+
+Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
+and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
+fixed a refcount leak bug in bind/connect but introduced a
+use-after-free if the same local is assigned to 2 different sockets.
+
+This can be triggered by the following simple program:
+ int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
+ int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
+ memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
+ addr.sa_family = AF_NFC;
+ addr.nfc_protocol = NFC_PROTO_NFC_DEP;
+ bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
+ bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
+ close(sock1);
+ close(sock2);
+
+Fix this by assigning NULL to llcp_sock->local after calling
+nfc_llcp_local_put.
+
+This addresses CVE-2021-23134.
+
+Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
+Reported-by: Nadav Markus <nmarkus@paloaltonetworks.com>
+Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
+Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket
+ GFP_KERNEL);
+ if (!llcp_sock->service_name) {
+ nfc_llcp_local_put(llcp_sock->local);
++ llcp_sock->local = NULL;
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+ llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
++ llcp_sock->local = NULL;
+ kfree(llcp_sock->service_name);
+ llcp_sock->service_name = NULL;
+ ret = -EADDRINUSE;
+@@ -709,6 +711,7 @@ static int llcp_sock_connect(struct sock
+ llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+ if (llcp_sock->ssap == LLCP_SAP_MAX) {
+ nfc_llcp_local_put(llcp_sock->local);
++ llcp_sock->local = NULL;
+ ret = -ENOMEM;
+ goto put_dev;
+ }
+@@ -756,6 +759,7 @@ sock_unlink:
+ sock_llcp_release:
+ nfc_llcp_put_ssap(local, llcp_sock->ssap);
+ nfc_llcp_local_put(llcp_sock->local);
++ llcp_sock->local = NULL;
+
+ put_dev:
+ nfc_put_device(dev);
--- /dev/null
+From 729f7955cb987c5b7d7e54c87c5ad71c789934f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 8 Apr 2021 15:16:00 +0200
+Subject: Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 729f7955cb987c5b7d7e54c87c5ad71c789934f7 upstream.
+
+This reverts commit b401f8c4f492cbf74f3f59c9141e5be3071071bb.
+
+The offending commit claimed that trying to set the values reported back
+by TIOCGSERIAL as a regular user could result in an -EPERM error when HZ
+is 250, but that was never the case.
+
+With HZ=250, the default 0.5 second value of close_delay is converted to
+125 jiffies when set and is converted back to 50 centiseconds by
+TIOCGSERIAL as expected (not 12 cs as was claimed, even if that was the
+case before an earlier fix).
+
+Comparing the internal current and new jiffies values is just fine to
+determine if the value is about to change so drop the bogus workaround
+(which was also backported to stable).
+
+For completeness: With different default values for these parameters or
+with a HZ value not divisible by two, the lack of rounding when setting
+the default values in tty_port_init() could result in an -EPERM being
+returned, but this is hardly something we need to worry about.
+
+Cc: Anthony Mallet <anthony.mallet@laas.fr>
+Cc: stable@vger.kernel.org
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210408131602.27956-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c | 11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -941,7 +941,6 @@ static int set_serial_info(struct tty_st
+ {
+ struct acm *acm = tty->driver_data;
+ unsigned int closing_wait, close_delay;
+- unsigned int old_closing_wait, old_close_delay;
+ int retval = 0;
+
+ close_delay = msecs_to_jiffies(ss->close_delay * 10);
+@@ -949,17 +948,11 @@ static int set_serial_info(struct tty_st
+ ASYNC_CLOSING_WAIT_NONE :
+ msecs_to_jiffies(ss->closing_wait * 10);
+
+- /* we must redo the rounding here, so that the values match */
+- old_close_delay = jiffies_to_msecs(acm->port.close_delay) / 10;
+- old_closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+- ASYNC_CLOSING_WAIT_NONE :
+- jiffies_to_msecs(acm->port.closing_wait) / 10;
+-
+ mutex_lock(&acm->port.mutex);
+
+ if (!capable(CAP_SYS_ADMIN)) {
+- if ((ss->close_delay != old_close_delay) ||
+- (ss->closing_wait != old_closing_wait))
++ if ((close_delay != acm->port.close_delay) ||
++ (closing_wait != acm->port.closing_wait))
+ retval = -EPERM;
+ else
+ retval = -EOPNOTSUPP;
--- /dev/null
+From 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:19 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org # 3.8
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fwserial/fwserial.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1223,7 +1223,7 @@ static int get_serial_info(struct tty_st
+ ss->flags = port->port.flags;
+ ss->xmit_fifo_size = FWTTY_PORT_TXFIFO_LEN;
+ ss->baud_base = 400000000;
+- ss->close_delay = port->port.close_delay;
++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10;
+ mutex_unlock(&port->port.mutex);
+ return 0;
+ }
+@@ -1245,7 +1245,7 @@ static int set_serial_info(struct tty_st
+ return -EPERM;
+ }
+ }
+- port->port.close_delay = ss->close_delay * HZ / 100;
++ port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+ mutex_unlock(&port->port.mutex);
+
+ return 0;
--- /dev/null
+From 2104eb283df66a482b60254299acbe3c68c03412 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:20 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2104eb283df66a482b60254299acbe3c68c03412 upstream.
+
+Changing the port close-delay parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org # 3.8
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fwserial/fwserial.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1232,20 +1232,24 @@ static int set_serial_info(struct tty_st
+ struct serial_struct *ss)
+ {
+ struct fwtty_port *port = tty->driver_data;
++ unsigned int cdelay;
+
+ if (ss->irq != 0 || ss->port != 0 || ss->custom_divisor != 0 ||
+ ss->baud_base != 400000000)
+ return -EPERM;
+
++ cdelay = msecs_to_jiffies(ss->close_delay * 10);
++
+ mutex_lock(&port->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
+- if (((ss->flags & ~ASYNC_USR_MASK) !=
++ if (cdelay != port->port.close_delay ||
++ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (port->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&port->port.mutex);
+ return -EPERM;
+ }
+ }
+- port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ port->port.close_delay = cdelay;
+ mutex_unlock(&port->port.mutex);
+
+ return 0;
--- /dev/null
+From b71e571adaa58be4fd289abebc8997e05b4c6b40 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:23 +0200
+Subject: staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b71e571adaa58be4fd289abebc8997e05b4c6b40 upstream.
+
+The port close_delay and closing_wait parameters set by TIOCSSERIAL are
+specified in jiffies and not milliseconds.
+
+Add the missing conversions so that TIOCSSERIAL works as expected also
+when HZ is not 1000.
+
+Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added")
+Cc: stable@vger.kernel.org # 4.9
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-6-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/greybus/uart.c | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -625,10 +625,12 @@ static int get_serial_info(struct tty_st
+ ss->line = gb_tty->minor;
+ ss->xmit_fifo_size = 16;
+ ss->baud_base = 9600;
+- ss->close_delay = gb_tty->port.close_delay / 10;
++ ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10;
+ ss->closing_wait =
+ gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+- ASYNC_CLOSING_WAIT_NONE : gb_tty->port.closing_wait / 10;
++ ASYNC_CLOSING_WAIT_NONE :
++ jiffies_to_msecs(gb_tty->port.closing_wait) / 10;
++
+ return 0;
+ }
+
+@@ -640,9 +642,10 @@ static int set_serial_info(struct tty_st
+ unsigned int close_delay;
+ int retval = 0;
+
+- close_delay = ss->close_delay * 10;
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
+ closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10;
++ ASYNC_CLOSING_WAIT_NONE :
++ msecs_to_jiffies(ss->closing_wait * 10);
+
+ mutex_lock(&gb_tty->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
--- /dev/null
+From 1d31a831cc04f5f942de3e7d91edaa52310d3c99 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:26 +0200
+Subject: tty: amiserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1d31a831cc04f5f942de3e7d91edaa52310d3c99 upstream.
+
+Changing the port closing_wait parameter is a privileged operation.
+
+Add the missing check to TIOCSSERIAL so that -EPERM is returned in case
+an unprivileged user tries to change the closing-wait setting.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-9-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/amiserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/amiserial.c
++++ b/drivers/tty/amiserial.c
+@@ -1032,6 +1032,7 @@ static int set_serial_info(struct tty_st
+ if (!serial_isroot()) {
+ if ((ss->baud_base != state->baud_base) ||
+ (ss->close_delay != port->close_delay) ||
++ (ss->closing_wait != port->closing_wait) ||
+ (ss->xmit_fifo_size != state->xmit_fifo_size) ||
+ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (port->flags & ~ASYNC_USR_MASK))) {
--- /dev/null
+From 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:28 +0200
+Subject: tty: moxa: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-11-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/moxa.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2040,7 +2040,7 @@ static int moxa_get_serial_info(struct t
+ ss->line = info->port.tty->index,
+ ss->flags = info->port.flags,
+ ss->baud_base = 921600,
+- ss->close_delay = info->port.close_delay;
++ ss->close_delay = jiffies_to_msecs(info->port.close_delay) / 10;
+ mutex_unlock(&info->port.mutex);
+ return 0;
+ }
+@@ -2069,7 +2069,7 @@ static int moxa_set_serial_info(struct t
+ return -EPERM;
+ }
+ }
+- info->port.close_delay = ss->close_delay * HZ / 100;
++ info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+
+ MoxaSetFifo(info, ss->type == PORT_16550A);
+
--- /dev/null
+From dc8c8437658667be9b11ec25c4b5482ed2becdaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:29 +0200
+Subject: tty: moxa: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dc8c8437658667be9b11ec25c4b5482ed2becdaa upstream.
+
+Changing the port close delay or type are privileged operations so make
+sure to return -EPERM if a regular user tries to change them.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-12-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/moxa.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2050,6 +2050,7 @@ static int moxa_set_serial_info(struct t
+ struct serial_struct *ss)
+ {
+ struct moxa_port *info = tty->driver_data;
++ unsigned int close_delay;
+
+ if (tty->index == MAX_PORTS)
+ return -EINVAL;
+@@ -2061,19 +2062,24 @@ static int moxa_set_serial_info(struct t
+ ss->baud_base != 921600)
+ return -EPERM;
+
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
++
+ mutex_lock(&info->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
+- if (((ss->flags & ~ASYNC_USR_MASK) !=
++ if (close_delay != info->port.close_delay ||
++ ss->type != info->type ||
++ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (info->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&info->port.mutex);
+ return -EPERM;
+ }
+- }
+- info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ } else {
++ info->port.close_delay = close_delay;
+
+- MoxaSetFifo(info, ss->type == PORT_16550A);
++ MoxaSetFifo(info, ss->type == PORT_16550A);
+
+- info->type = ss->type;
++ info->type = ss->type;
++ }
+ mutex_unlock(&info->port.mutex);
+ return 0;
+ }
--- /dev/null
+From d370c90dcd64e427a79a093a070117a1571d4cd8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:39:15 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d370c90dcd64e427a79a093a070117a1571d4cd8 upstream.
+
+Changing the port closing-wait parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1420,14 +1420,19 @@ static int ti_set_serial_info(struct tty
+ struct serial_struct *ss)
+ {
+ struct usb_serial_port *port = tty->driver_data;
+- struct ti_port *tport = usb_get_serial_port_data(port);
++ struct tty_port *tport = &port->port;
+ unsigned cwait;
+
+ cwait = ss->closing_wait;
+ if (cwait != ASYNC_CLOSING_WAIT_NONE)
+ cwait = msecs_to_jiffies(10 * ss->closing_wait);
+
+- tport->tp_port->port.closing_wait = cwait;
++ if (!capable(CAP_SYS_ADMIN)) {
++ if (cwait != tport->closing_wait)
++ return -EPERM;
++ }
++
++ tport->closing_wait = cwait;
+
+ return 0;
+ }
--- /dev/null
+From 3d732690d2267f4d0e19077b178dffbedafdf0c9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:39:16 +0200
+Subject: USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3d732690d2267f4d0e19077b178dffbedafdf0c9 upstream.
+
+The port close_delay and closing_wait parameters set by TIOCSSERIAL are
+specified in jiffies and not milliseconds.
+
+Add the missing conversions so that the TIOCSSERIAL works as expected
+also when HZ is not 1000.
+
+Fixes: 02303f73373a ("usb-wwan: implement TIOCGSERIAL and TIOCSSERIAL to avoid blocking close(2)")
+Cc: stable@vger.kernel.org # 2.6.38
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/usb_wwan.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/usb_wwan.c
++++ b/drivers/usb/serial/usb_wwan.c
+@@ -140,10 +140,10 @@ int usb_wwan_get_serial_info(struct tty_
+ ss->line = port->minor;
+ ss->port = port->port_number;
+ ss->baud_base = tty_get_baud_rate(port->port.tty);
+- ss->close_delay = port->port.close_delay / 10;
++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10;
+ ss->closing_wait = port->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+ ASYNC_CLOSING_WAIT_NONE :
+- port->port.closing_wait / 10;
++ jiffies_to_msecs(port->port.closing_wait) / 10;
+ return 0;
+ }
+ EXPORT_SYMBOL(usb_wwan_get_serial_info);
+@@ -155,9 +155,10 @@ int usb_wwan_set_serial_info(struct tty_
+ unsigned int closing_wait, close_delay;
+ int retval = 0;
+
+- close_delay = ss->close_delay * 10;
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
+ closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10;
++ ASYNC_CLOSING_WAIT_NONE :
++ msecs_to_jiffies(ss->closing_wait * 10);
+
+ mutex_lock(&port->port.mutex);
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
