--- /dev/null
+From piotras@gmail.com Mon Apr 27 16:05:30 2020
+From: piotras@gmail.com
+Date: Mon, 27 Apr 2020 11:34:12 +0100
+Subject: fs/namespace.c: fix mountpoint reference counter race
+To: greg@kroah.com
+Cc: Piotr Krysiuk <piotras@gmail.com>
+Message-ID: <20200427103412.19144-1-piotras@gmail.com>
+
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+A race condition between threads updating mountpoint reference counter
+affects longterm releases 4.4.220, 4.9.220, 4.14.177 and 4.19.118.
+
+The mountpoint reference counter corruption may occur when:
+* one thread increments m_count member of struct mountpoint
+ [under namespace_sem, but not holding mount_lock]
+ pivot_root()
+* another thread simultaneously decrements the same m_count
+ [under mount_lock, but not holding namespace_sem]
+ put_mountpoint()
+ unhash_mnt()
+ umount_mnt()
+ mntput_no_expire()
+
+To fix this race condition, grab mount_lock before updating m_count in
+pivot_root().
+
+Reference: CVE-2020-12114
+Cc: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namespace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/namespace.c
++++ b/fs/namespace.c
+@@ -3142,8 +3142,8 @@ SYSCALL_DEFINE2(pivot_root, const char _
+ /* make certain new is below the root */
+ if (!is_path_reachable(new_mnt, new.dentry, &root))
+ goto out4;
+- root_mp->m_count++; /* pin it so it won't go away */
+ lock_mount_hash();
++ root_mp->m_count++; /* pin it so it won't go away */
+ detach_mnt(new_mnt, &parent_path);
+ detach_mnt(root_mnt, &root_parent);
+ if (root_mnt->mnt.mnt_flags & MNT_LOCKED) {
--- /dev/null
+From e2042d2936dfc84e9c600fe9b9d0039ca0e54b7d Mon Sep 17 00:00:00 2001
+From: Olivier Moysan <olivier.moysan@st.com>
+Date: Mon, 9 Mar 2020 11:02:12 +0100
+Subject: iio: adc: stm32-adc: fix sleep in atomic context
+
+From: Olivier Moysan <olivier.moysan@st.com>
+
+commit e2042d2936dfc84e9c600fe9b9d0039ca0e54b7d upstream.
+
+This commit fixes the following error:
+"BUG: sleeping function called from invalid context at kernel/irq/chip.c"
+
+In DMA mode suppress the trigger irq handler, and make the buffer
+transfers directly in DMA callback, instead.
+
+Fixes: 2763ea0585c9 ("iio: adc: stm32: add optional dma support")
+Signed-off-by: Olivier Moysan <olivier.moysan@st.com>
+Acked-by: Fabrice Gasnier <fabrice.gasnier@st.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/stm32-adc.c | 31 ++++++++++++++++++++++++++++---
+ 1 file changed, 28 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/adc/stm32-adc.c
++++ b/drivers/iio/adc/stm32-adc.c
+@@ -1308,8 +1308,30 @@ static unsigned int stm32_adc_dma_residu
+ static void stm32_adc_dma_buffer_done(void *data)
+ {
+ struct iio_dev *indio_dev = data;
++ struct stm32_adc *adc = iio_priv(indio_dev);
++ int residue = stm32_adc_dma_residue(adc);
++
++ /*
++ * In DMA mode the trigger services of IIO are not used
++ * (e.g. no call to iio_trigger_poll).
++ * Calling irq handler associated to the hardware trigger is not
++ * relevant as the conversions have already been done. Data
++ * transfers are performed directly in DMA callback instead.
++ * This implementation avoids to call trigger irq handler that
++ * may sleep, in an atomic context (DMA irq handler context).
++ */
++ dev_dbg(&indio_dev->dev, "%s bufi=%d\n", __func__, adc->bufi);
++
++ while (residue >= indio_dev->scan_bytes) {
++ u16 *buffer = (u16 *)&adc->rx_buf[adc->bufi];
+
+- iio_trigger_poll_chained(indio_dev->trig);
++ iio_push_to_buffers(indio_dev, buffer);
++
++ residue -= indio_dev->scan_bytes;
++ adc->bufi += indio_dev->scan_bytes;
++ if (adc->bufi >= adc->rx_buf_sz)
++ adc->bufi = 0;
++ }
+ }
+
+ static int stm32_adc_dma_start(struct iio_dev *indio_dev)
+@@ -1703,6 +1725,7 @@ static int stm32_adc_probe(struct platfo
+ {
+ struct iio_dev *indio_dev;
+ struct device *dev = &pdev->dev;
++ irqreturn_t (*handler)(int irq, void *p) = NULL;
+ struct stm32_adc *adc;
+ int ret;
+
+@@ -1785,9 +1808,11 @@ static int stm32_adc_probe(struct platfo
+ if (ret < 0)
+ goto err_clk_disable;
+
++ if (!adc->dma_chan)
++ handler = &stm32_adc_trigger_handler;
++
+ ret = iio_triggered_buffer_setup(indio_dev,
+- &iio_pollfunc_store_time,
+- &stm32_adc_trigger_handler,
++ &iio_pollfunc_store_time, handler,
+ &stm32_adc_buffer_setup_ops);
+ if (ret) {
+ dev_err(&pdev->dev, "buffer setup failed\n");
--- /dev/null
+From a07479147be03d2450376ebaff9ea1a0682f25d6 Mon Sep 17 00:00:00 2001
+From: Lars Engebretsen <lars@engebretsen.ch>
+Date: Wed, 15 Apr 2020 12:10:43 +0200
+Subject: iio: core: remove extra semi-colon from devm_iio_device_register() macro
+
+From: Lars Engebretsen <lars@engebretsen.ch>
+
+commit a07479147be03d2450376ebaff9ea1a0682f25d6 upstream.
+
+This change removes the semi-colon from the devm_iio_device_register()
+macro which seems to have been added by accident.
+
+Fixes: 63b19547cc3d9 ("iio: Use macro magic to avoid manual assign of driver_module")
+Signed-off-by: Lars Engebretsen <lars@engebretsen.ch>
+Cc: <Stable@vger.kernel.org>
+Reviewed-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/iio/iio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/linux/iio/iio.h
++++ b/include/linux/iio/iio.h
+@@ -599,7 +599,7 @@ void iio_device_unregister(struct iio_de
+ * 0 on success, negative error number on failure.
+ */
+ #define devm_iio_device_register(dev, indio_dev) \
+- __devm_iio_device_register((dev), (indio_dev), THIS_MODULE);
++ __devm_iio_device_register((dev), (indio_dev), THIS_MODULE)
+ int __devm_iio_device_register(struct device *dev, struct iio_dev *indio_dev,
+ struct module *this_mod);
+ void devm_iio_device_unregister(struct device *dev, struct iio_dev *indio_dev);
--- /dev/null
+From e450e07c14abae563ad13b064cbce9fdccc6bc8d Mon Sep 17 00:00:00 2001
+From: Lary Gibaud <yarl-baudig@mailoo.org>
+Date: Sat, 11 Apr 2020 17:16:06 +0200
+Subject: iio: st_sensors: rely on odr mask to know if odr can be set
+
+From: Lary Gibaud <yarl-baudig@mailoo.org>
+
+commit e450e07c14abae563ad13b064cbce9fdccc6bc8d upstream.
+
+Indeed, relying on addr being not 0 cannot work because some device have
+their register to set odr at address 0. As a matter of fact, if the odr
+can be set, then there is a mask.
+
+Sensors with ODR register at address 0 are: lsm303dlh, lsm303dlhc, lsm303dlm
+
+Fixes: 7d245172675a ("iio: common: st_sensors: check odr address value in st_sensors_set_odr()")
+Signed-off-by: Lary Gibaud <yarl-baudig@mailoo.org>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/common/st_sensors/st_sensors_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/common/st_sensors/st_sensors_core.c
++++ b/drivers/iio/common/st_sensors/st_sensors_core.c
+@@ -93,7 +93,7 @@ int st_sensors_set_odr(struct iio_dev *i
+ struct st_sensor_odr_avl odr_out = {0, 0};
+ struct st_sensor_data *sdata = iio_priv(indio_dev);
+
+- if (!sdata->sensor_settings->odr.addr)
++ if (!sdata->sensor_settings->odr.mask)
+ return 0;
+
+ err = st_sensors_match_odr(sdata->sensor_settings, odr, &odr_out);
--- /dev/null
+From e44ec7794d88f918805d700240211a9ec05ed89d Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 3 Apr 2020 15:27:13 +0200
+Subject: iio: xilinx-xadc: Fix ADC-B powerdown
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit e44ec7794d88f918805d700240211a9ec05ed89d upstream.
+
+The check for shutting down the second ADC is inverted. This causes it to
+be powered down when it should be enabled. As a result channels that are
+supposed to be handled by the second ADC return invalid conversion results.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -723,13 +723,14 @@ static int xadc_power_adc_b(struct xadc
+ {
+ uint16_t val;
+
++ /* Powerdown the ADC-B when it is not needed. */
+ switch (seq_mode) {
+ case XADC_CONF1_SEQ_SIMULTANEOUS:
+ case XADC_CONF1_SEQ_INDEPENDENT:
+- val = XADC_CONF2_PD_ADC_B;
++ val = 0;
+ break;
+ default:
+- val = 0;
++ val = XADC_CONF2_PD_ADC_B;
+ break;
+ }
+
--- /dev/null
+From f954b098fbac4d183219ce5b42d76d6df2aed50a Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 3 Apr 2020 15:27:14 +0200
+Subject: iio: xilinx-xadc: Fix clearing interrupt when enabling trigger
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit f954b098fbac4d183219ce5b42d76d6df2aed50a upstream.
+
+When enabling the trigger and unmasking the end-of-sequence (EOS) interrupt
+the EOS interrupt should be cleared from the status register. Otherwise it
+is possible that it was still set from a previous capture. If that is the
+case the interrupt would fire immediately even though no conversion has
+been done yet and stale data is being read from the device.
+
+The old code only clears the interrupt if the interrupt was previously
+unmasked. Which does not make much sense since the interrupt is always
+masked at this point and in addition masking the interrupt does not clear
+the interrupt from the status register. So the clearing needs to be done
+unconditionally.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -675,7 +675,7 @@ static int xadc_trigger_set_state(struct
+
+ spin_lock_irqsave(&xadc->lock, flags);
+ xadc_read_reg(xadc, XADC_AXI_REG_IPIER, &val);
+- xadc_write_reg(xadc, XADC_AXI_REG_IPISR, val & XADC_AXI_INT_EOS);
++ xadc_write_reg(xadc, XADC_AXI_REG_IPISR, XADC_AXI_INT_EOS);
+ if (state)
+ val |= XADC_AXI_INT_EOS;
+ else
--- /dev/null
+From 8bef455c8b1694547ee59e8b1939205ed9d901a6 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 3 Apr 2020 15:27:15 +0200
+Subject: iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 8bef455c8b1694547ee59e8b1939205ed9d901a6 upstream.
+
+The XADC has two internal ADCs. Depending on the mode it is operating in
+either one or both of them are used. The device manual calls this
+continuous (one ADC) and simultaneous (both ADCs) mode.
+
+The meaning of the sequencing register for the aux channels changes
+depending on the mode.
+
+In continuous mode each bit corresponds to one of the 16 aux channels. And
+the single ADC will convert them one by one in order.
+
+In simultaneous mode the aux channels are split into two groups the first 8
+channels are assigned to the first ADC and the other 8 channels to the
+second ADC. The upper 8 bits of the sequencing register are unused and the
+lower 8 bits control both ADCs. This means a bit needs to be set if either
+the corresponding channel from the first group or the second group (or
+both) are set.
+
+Currently the driver does not have the special handling required for
+simultaneous mode. Add it.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -799,6 +799,16 @@ static int xadc_preenable(struct iio_dev
+ if (ret)
+ goto err;
+
++ /*
++ * In simultaneous mode the upper and lower aux channels are samples at
++ * the same time. In this mode the upper 8 bits in the sequencer
++ * register are don't care and the lower 8 bits control two channels
++ * each. As such we must set the bit if either the channel in the lower
++ * group or the upper group is enabled.
++ */
++ if (seq_mode == XADC_CONF1_SEQ_SIMULTANEOUS)
++ scan_mask = ((scan_mask >> 8) | scan_mask) & 0xff0000;
++
+ ret = xadc_write_adc_reg(xadc, XADC_REG_SEQ(1), scan_mask >> 16);
+ if (ret)
+ goto err;
--- /dev/null
+From 3b7f9dbb827ce8680b98490215e698b6079a9ec5 Mon Sep 17 00:00:00 2001
+From: Lars-Peter Clausen <lars@metafoo.de>
+Date: Fri, 3 Apr 2020 15:27:16 +0200
+Subject: iio: xilinx-xadc: Make sure not exceed maximum samplerate
+
+From: Lars-Peter Clausen <lars@metafoo.de>
+
+commit 3b7f9dbb827ce8680b98490215e698b6079a9ec5 upstream.
+
+The XADC supports a samplerate of up to 1MSPS. Unfortunately the hardware
+does not have a FIFO, which means it generates an interrupt for each
+conversion sequence. At one 1MSPS this creates an interrupt storm that
+causes the system to soft-lock.
+
+For this reason the driver limits the maximum samplerate to 150kSPS.
+Currently this check is only done when setting a new samplerate. But it is
+also possible that the initial samplerate configured in the FPGA bitstream
+exceeds the limit.
+
+In this case when starting to capture data without first changing the
+samplerate the system can overload.
+
+To prevent this check the currently configured samplerate in the probe
+function and reduce it to the maximum if necessary.
+
+Signed-off-by: Lars-Peter Clausen <lars@metafoo.de>
+Fixes: bdc8cda1d010 ("iio:adc: Add Xilinx XADC driver")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/adc/xilinx-xadc-core.c | 78 ++++++++++++++++++++++++++++---------
+ 1 file changed, 60 insertions(+), 18 deletions(-)
+
+--- a/drivers/iio/adc/xilinx-xadc-core.c
++++ b/drivers/iio/adc/xilinx-xadc-core.c
+@@ -103,6 +103,16 @@ static const unsigned int XADC_ZYNQ_UNMA
+
+ #define XADC_FLAGS_BUFFERED BIT(0)
+
++/*
++ * The XADC hardware supports a samplerate of up to 1MSPS. Unfortunately it does
++ * not have a hardware FIFO. Which means an interrupt is generated for each
++ * conversion sequence. At 1MSPS sample rate the CPU in ZYNQ7000 is completely
++ * overloaded by the interrupts that it soft-lockups. For this reason the driver
++ * limits the maximum samplerate 150kSPS. At this rate the CPU is fairly busy,
++ * but still responsive.
++ */
++#define XADC_MAX_SAMPLERATE 150000
++
+ static void xadc_write_reg(struct xadc *xadc, unsigned int reg,
+ uint32_t val)
+ {
+@@ -835,11 +845,27 @@ static const struct iio_buffer_setup_ops
+ .postdisable = &xadc_postdisable,
+ };
+
++static int xadc_read_samplerate(struct xadc *xadc)
++{
++ unsigned int div;
++ uint16_t val16;
++ int ret;
++
++ ret = xadc_read_adc_reg(xadc, XADC_REG_CONF2, &val16);
++ if (ret)
++ return ret;
++
++ div = (val16 & XADC_CONF2_DIV_MASK) >> XADC_CONF2_DIV_OFFSET;
++ if (div < 2)
++ div = 2;
++
++ return xadc_get_dclk_rate(xadc) / div / 26;
++}
++
+ static int xadc_read_raw(struct iio_dev *indio_dev,
+ struct iio_chan_spec const *chan, int *val, int *val2, long info)
+ {
+ struct xadc *xadc = iio_priv(indio_dev);
+- unsigned int div;
+ uint16_t val16;
+ int ret;
+
+@@ -892,41 +918,31 @@ static int xadc_read_raw(struct iio_dev
+ *val = -((273150 << 12) / 503975);
+ return IIO_VAL_INT;
+ case IIO_CHAN_INFO_SAMP_FREQ:
+- ret = xadc_read_adc_reg(xadc, XADC_REG_CONF2, &val16);
+- if (ret)
++ ret = xadc_read_samplerate(xadc);
++ if (ret < 0)
+ return ret;
+
+- div = (val16 & XADC_CONF2_DIV_MASK) >> XADC_CONF2_DIV_OFFSET;
+- if (div < 2)
+- div = 2;
+-
+- *val = xadc_get_dclk_rate(xadc) / div / 26;
+-
++ *val = ret;
+ return IIO_VAL_INT;
+ default:
+ return -EINVAL;
+ }
+ }
+
+-static int xadc_write_raw(struct iio_dev *indio_dev,
+- struct iio_chan_spec const *chan, int val, int val2, long info)
++static int xadc_write_samplerate(struct xadc *xadc, int val)
+ {
+- struct xadc *xadc = iio_priv(indio_dev);
+ unsigned long clk_rate = xadc_get_dclk_rate(xadc);
+ unsigned int div;
+
+ if (!clk_rate)
+ return -EINVAL;
+
+- if (info != IIO_CHAN_INFO_SAMP_FREQ)
+- return -EINVAL;
+-
+ if (val <= 0)
+ return -EINVAL;
+
+ /* Max. 150 kSPS */
+- if (val > 150000)
+- val = 150000;
++ if (val > XADC_MAX_SAMPLERATE)
++ val = XADC_MAX_SAMPLERATE;
+
+ val *= 26;
+
+@@ -939,7 +955,7 @@ static int xadc_write_raw(struct iio_dev
+ * limit.
+ */
+ div = clk_rate / val;
+- if (clk_rate / div / 26 > 150000)
++ if (clk_rate / div / 26 > XADC_MAX_SAMPLERATE)
+ div++;
+ if (div < 2)
+ div = 2;
+@@ -950,6 +966,17 @@ static int xadc_write_raw(struct iio_dev
+ div << XADC_CONF2_DIV_OFFSET);
+ }
+
++static int xadc_write_raw(struct iio_dev *indio_dev,
++ struct iio_chan_spec const *chan, int val, int val2, long info)
++{
++ struct xadc *xadc = iio_priv(indio_dev);
++
++ if (info != IIO_CHAN_INFO_SAMP_FREQ)
++ return -EINVAL;
++
++ return xadc_write_samplerate(xadc, val);
++}
++
+ static const struct iio_event_spec xadc_temp_events[] = {
+ {
+ .type = IIO_EV_TYPE_THRESH,
+@@ -1237,6 +1264,21 @@ static int xadc_probe(struct platform_de
+ if (ret)
+ goto err_free_samplerate_trigger;
+
++ /*
++ * Make sure not to exceed the maximum samplerate since otherwise the
++ * resulting interrupt storm will soft-lock the system.
++ */
++ if (xadc->ops->flags & XADC_FLAGS_BUFFERED) {
++ ret = xadc_read_samplerate(xadc);
++ if (ret < 0)
++ goto err_free_samplerate_trigger;
++ if (ret > XADC_MAX_SAMPLERATE) {
++ ret = xadc_write_samplerate(xadc, XADC_MAX_SAMPLERATE);
++ if (ret < 0)
++ goto err_free_samplerate_trigger;
++ }
++ }
++
+ ret = request_irq(xadc->irq, xadc->ops->interrupt_handler, 0,
+ dev_name(&pdev->dev), indio_dev);
+ if (ret)
alsa-hda-remove-asus-rog-zenith-from-the-blacklist.patch
alsa-usb-audio-add-static-mapping-table-for-alc1220-.patch
alsa-usb-audio-add-connector-notifier-delegation.patch
+iio-core-remove-extra-semi-colon-from-devm_iio_device_register-macro.patch
+iio-st_sensors-rely-on-odr-mask-to-know-if-odr-can-be-set.patch
+iio-adc-stm32-adc-fix-sleep-in-atomic-context.patch
+iio-xilinx-xadc-fix-adc-b-powerdown.patch
+iio-xilinx-xadc-fix-clearing-interrupt-when-enabling-trigger.patch
+iio-xilinx-xadc-fix-sequencer-configuration-for-aux-channels-in-simultaneous-mode.patch
+iio-xilinx-xadc-make-sure-not-exceed-maximum-samplerate.patch
+fs-namespace.c-fix-mountpoint-reference-counter-race.patch
+usb-sisusbvga-change-port-variable-from-signed-to-unsigned.patch
+usb-add-usb_quirk_delay_ctrl_msg-and-usb_quirk_delay_init-for-corsair-k70-rgb-rapidfire.patch
+usb-early-handle-amd-s-spec-compliant-identifiers-too.patch
+usb-core-fix-free-while-in-use-bug-in-the-usb-s-glibrary.patch
+usb-hub-fix-handling-of-connect-changes-during-sleep.patch
--- /dev/null
+From be34a5854b4606bd7a160ad3cb43415d623596c7 Mon Sep 17 00:00:00 2001
+From: Jonathan Cox <jonathan@jdcox.net>
+Date: Fri, 10 Apr 2020 14:24:27 -0700
+Subject: USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE
+
+From: Jonathan Cox <jonathan@jdcox.net>
+
+commit be34a5854b4606bd7a160ad3cb43415d623596c7 upstream.
+
+The Corsair K70 RGB RAPIDFIRE needs the USB_QUIRK_DELAY_INIT and
+USB_QUIRK_DELAY_CTRL_MSG to function or it will randomly not
+respond on boot, just like other Corsair keyboards
+
+Signed-off-by: Jonathan Cox <jonathan@jdcox.net>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200410212427.2886-1-jonathan@jdcox.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -430,6 +430,10 @@ static const struct usb_device_id usb_qu
+ /* Corsair K70 LUX */
+ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
+
++ /* Corsair K70 RGB RAPDIFIRE */
++ { USB_DEVICE(0x1b1c, 0x1b38), .driver_info = USB_QUIRK_DELAY_INIT |
++ USB_QUIRK_DELAY_CTRL_MSG },
++
+ /* MIDI keyboard WORLDE MINI */
+ { USB_DEVICE(0x1c75, 0x0204), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
--- /dev/null
+From 056ad39ee9253873522f6469c3364964a322912b Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Sat, 28 Mar 2020 16:18:11 -0400
+Subject: USB: core: Fix free-while-in-use bug in the USB S-Glibrary
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 056ad39ee9253873522f6469c3364964a322912b upstream.
+
+FuzzUSB (a variant of syzkaller) found a free-while-still-in-use bug
+in the USB scatter-gather library:
+
+BUG: KASAN: use-after-free in atomic_read
+include/asm-generic/atomic-instrumented.h:26 [inline]
+BUG: KASAN: use-after-free in usb_hcd_unlink_urb+0x5f/0x170
+drivers/usb/core/hcd.c:1607
+Read of size 4 at addr ffff888065379610 by task kworker/u4:1/27
+
+CPU: 1 PID: 27 Comm: kworker/u4:1 Not tainted 5.5.11 #2
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
+1.10.2-1ubuntu1 04/01/2014
+Workqueue: scsi_tmf_2 scmd_eh_abort_handler
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xce/0x128 lib/dump_stack.c:118
+ print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374
+ __kasan_report+0x153/0x1cb mm/kasan/report.c:506
+ kasan_report+0x12/0x20 mm/kasan/common.c:639
+ check_memory_region_inline mm/kasan/generic.c:185 [inline]
+ check_memory_region+0x152/0x1b0 mm/kasan/generic.c:192
+ __kasan_check_read+0x11/0x20 mm/kasan/common.c:95
+ atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
+ usb_hcd_unlink_urb+0x5f/0x170 drivers/usb/core/hcd.c:1607
+ usb_unlink_urb+0x72/0xb0 drivers/usb/core/urb.c:657
+ usb_sg_cancel+0x14e/0x290 drivers/usb/core/message.c:602
+ usb_stor_stop_transport+0x5e/0xa0 drivers/usb/storage/transport.c:937
+
+This bug occurs when cancellation of the S-G transfer races with
+transfer completion. When that happens, usb_sg_cancel() may continue
+to access the transfer's URBs after usb_sg_wait() has freed them.
+
+The bug is caused by the fact that usb_sg_cancel() does not take any
+sort of reference to the transfer, and so there is nothing to prevent
+the URBs from being deallocated while the routine is trying to use
+them. The fix is to take such a reference by incrementing the
+transfer's io->count field while the cancellation is in progres and
+decrementing it afterward. The transfer's URBs are not deallocated
+until io->complete is triggered, which happens when io->count reaches
+zero.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-and-tested-by: Kyungtae Kim <kt0755@gmail.com>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2003281615140.14837-100000@netrider.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/message.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -588,12 +588,13 @@ void usb_sg_cancel(struct usb_sg_request
+ int i, retval;
+
+ spin_lock_irqsave(&io->lock, flags);
+- if (io->status) {
++ if (io->status || io->count == 0) {
+ spin_unlock_irqrestore(&io->lock, flags);
+ return;
+ }
+ /* shut everything down */
+ io->status = -ECONNRESET;
++ io->count++; /* Keep the request alive until we're done */
+ spin_unlock_irqrestore(&io->lock, flags);
+
+ for (i = io->entries - 1; i >= 0; --i) {
+@@ -607,6 +608,12 @@ void usb_sg_cancel(struct usb_sg_request
+ dev_warn(&io->dev->dev, "%s, unlink --> %d\n",
+ __func__, retval);
+ }
++
++ spin_lock_irqsave(&io->lock, flags);
++ io->count--;
++ if (!io->count)
++ complete(&io->complete);
++ spin_unlock_irqrestore(&io->lock, flags);
+ }
+ EXPORT_SYMBOL_GPL(usb_sg_cancel);
+
--- /dev/null
+From 7dbdb53d72a51cea9b921d9dbba54be00752212a Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 1 Apr 2020 09:46:19 +0200
+Subject: USB: early: Handle AMD's spec-compliant identifiers, too
+
+From: Jann Horn <jannh@google.com>
+
+commit 7dbdb53d72a51cea9b921d9dbba54be00752212a upstream.
+
+This fixes a bug that causes the USB3 early console to freeze after
+printing a single line on AMD machines because it can't parse the
+Transfer TRB properly.
+
+The spec at
+https://www.intel.com/content/dam/www/public/us/en/documents/technical-specifications/extensible-host-controler-interface-usb-xhci.pdf
+says in section "4.5.1 Device Context Index" that the Context Index,
+also known as Endpoint ID according to
+section "1.6 Terms and Abbreviations", is normally computed as
+`DCI = (Endpoint Number * 2) + Direction`, which matches the current
+definitions of XDBC_EPID_OUT and XDBC_EPID_IN.
+
+However, the numbering in a Debug Capability Context data structure is
+supposed to be different:
+Section "7.6.3.2 Endpoint Contexts and Transfer Rings" explains that a
+Debug Capability Context data structure has the endpoints mapped to indices
+0 and 1.
+
+Change XDBC_EPID_OUT/XDBC_EPID_IN to the spec-compliant values, add
+XDBC_EPID_OUT_INTEL/XDBC_EPID_IN_INTEL with Intel's incorrect values, and
+let xdbc_handle_tx_event() handle both.
+
+I have verified that with this patch applied, the USB3 early console works
+on both an Intel and an AMD machine.
+
+Fixes: aeb9dd1de98c ("usb/early: Add driver for xhci debug capability")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jann Horn <jannh@google.com>
+Link: https://lore.kernel.org/r/20200401074619.8024-1-jannh@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/early/xhci-dbc.c | 8 ++++----
+ drivers/usb/early/xhci-dbc.h | 18 ++++++++++++++++--
+ 2 files changed, 20 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/early/xhci-dbc.c
++++ b/drivers/usb/early/xhci-dbc.c
+@@ -735,19 +735,19 @@ static void xdbc_handle_tx_event(struct
+ case COMP_USB_TRANSACTION_ERROR:
+ case COMP_STALL_ERROR:
+ default:
+- if (ep_id == XDBC_EPID_OUT)
++ if (ep_id == XDBC_EPID_OUT || ep_id == XDBC_EPID_OUT_INTEL)
+ xdbc.flags |= XDBC_FLAGS_OUT_STALL;
+- if (ep_id == XDBC_EPID_IN)
++ if (ep_id == XDBC_EPID_IN || ep_id == XDBC_EPID_IN_INTEL)
+ xdbc.flags |= XDBC_FLAGS_IN_STALL;
+
+ xdbc_trace("endpoint %d stalled\n", ep_id);
+ break;
+ }
+
+- if (ep_id == XDBC_EPID_IN) {
++ if (ep_id == XDBC_EPID_IN || ep_id == XDBC_EPID_IN_INTEL) {
+ xdbc.flags &= ~XDBC_FLAGS_IN_PROCESS;
+ xdbc_bulk_transfer(NULL, XDBC_MAX_PACKET, true);
+- } else if (ep_id == XDBC_EPID_OUT) {
++ } else if (ep_id == XDBC_EPID_OUT || ep_id == XDBC_EPID_OUT_INTEL) {
+ xdbc.flags &= ~XDBC_FLAGS_OUT_PROCESS;
+ } else {
+ xdbc_trace("invalid endpoint id %d\n", ep_id);
+--- a/drivers/usb/early/xhci-dbc.h
++++ b/drivers/usb/early/xhci-dbc.h
+@@ -120,8 +120,22 @@ struct xdbc_ring {
+ u32 cycle_state;
+ };
+
+-#define XDBC_EPID_OUT 2
+-#define XDBC_EPID_IN 3
++/*
++ * These are the "Endpoint ID" (also known as "Context Index") values for the
++ * OUT Transfer Ring and the IN Transfer Ring of a Debug Capability Context data
++ * structure.
++ * According to the "eXtensible Host Controller Interface for Universal Serial
++ * Bus (xHCI)" specification, section "7.6.3.2 Endpoint Contexts and Transfer
++ * Rings", these should be 0 and 1, and those are the values AMD machines give
++ * you; but Intel machines seem to use the formula from section "4.5.1 Device
++ * Context Index", which is supposed to be used for the Device Context only.
++ * Luckily the values from Intel don't overlap with those from AMD, so we can
++ * just test for both.
++ */
++#define XDBC_EPID_OUT 0
++#define XDBC_EPID_IN 1
++#define XDBC_EPID_OUT_INTEL 2
++#define XDBC_EPID_IN_INTEL 3
+
+ struct xdbc_state {
+ u16 vendor;
--- /dev/null
+From 9f952e26295d977dbfc6fedeaf8c4f112c818d37 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 22 Apr 2020 16:09:51 -0400
+Subject: USB: hub: Fix handling of connect changes during sleep
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 9f952e26295d977dbfc6fedeaf8c4f112c818d37 upstream.
+
+Commit 8099f58f1ecd ("USB: hub: Don't record a connect-change event
+during reset-resume") wasn't very well conceived. The problem it
+tried to fix was that if a connect-change event occurred while the
+system was asleep (such as a device disconnecting itself from the bus
+when it is suspended and then reconnecting when it resumes)
+requiring a reset-resume during the system wakeup transition, the hub
+port's change_bit entry would remain set afterward. This would cause
+the hub driver to believe another connect-change event had occurred
+after the reset-resume, which was wrong and would lead the driver to
+send unnecessary requests to the device (which could interfere with a
+firmware update).
+
+The commit tried to fix this by not setting the change_bit during the
+wakeup. But this was the wrong thing to do; it means that when a
+device is unplugged while the system is asleep, the hub driver doesn't
+realize anything has happened: The change_bit flag which would tell it
+to handle the disconnect event is clear.
+
+The commit needs to be reverted and the problem fixed in a different
+way. Fortunately an alternative solution was noted in the commit's
+Changelog: We can continue to set the change_bit entry in
+hub_activate() but then clear it when a reset-resume occurs. That way
+the the hub driver will see the change_bit when a device is
+disconnected but won't see it when the device is still present.
+
+That's what this patch does.
+
+Reported-and-tested-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Fixes: 8099f58f1ecd ("USB: hub: Don't record a connect-change event during reset-resume")
+Tested-by: Paul Zimmerman <pauldzim@gmail.com>
+CC: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2004221602480.11262-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1196,6 +1196,11 @@ static void hub_activate(struct usb_hub
+ #ifdef CONFIG_PM
+ udev->reset_resume = 1;
+ #endif
++ /* Don't set the change_bits when the device
++ * was powered off.
++ */
++ if (test_bit(port1, hub->power_bits))
++ set_bit(port1, hub->change_bits);
+
+ } else {
+ /* The power session is gone; tell hub_wq */
+@@ -3051,6 +3056,15 @@ static int check_port_resume_type(struct
+ if (portchange & USB_PORT_STAT_C_ENABLE)
+ usb_clear_port_feature(hub->hdev, port1,
+ USB_PORT_FEAT_C_ENABLE);
++
++ /*
++ * Whatever made this reset-resume necessary may have
++ * turned on the port1 bit in hub->change_bits. But after
++ * a successful reset-resume we want the bit to be clear;
++ * if it was on it would indicate that something happened
++ * following the reset-resume.
++ */
++ clear_bit(port1, hub->change_bits);
+ }
+
+ return status;
--- /dev/null
+From 2df7405f79ce1674d73c2786fe1a8727c905d65b Mon Sep 17 00:00:00 2001
+From: Changming Liu <liu.changm@northeastern.edu>
+Date: Mon, 20 Apr 2020 23:41:25 -0400
+Subject: USB: sisusbvga: Change port variable from signed to unsigned
+
+From: Changming Liu <liu.changm@northeastern.edu>
+
+commit 2df7405f79ce1674d73c2786fe1a8727c905d65b upstream.
+
+Change a bunch of arguments of wrapper functions which pass signed
+integer to an unsigned integer which might cause undefined behaviors
+when sign integer overflow.
+
+Signed-off-by: Changming Liu <liu.changm@northeastern.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/BL0PR06MB45482D71EA822D75A0E60A2EE5D50@BL0PR06MB4548.namprd06.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 20 ++++++++++----------
+ drivers/usb/misc/sisusbvga/sisusb_init.h | 14 +++++++-------
+ 2 files changed, 17 insertions(+), 17 deletions(-)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -1199,18 +1199,18 @@ static int sisusb_read_mem_bulk(struct s
+ /* High level: Gfx (indexed) register access */
+
+ #ifdef INCL_SISUSB_CON
+-int sisusb_setreg(struct sisusb_usb_data *sisusb, int port, u8 data)
++int sisusb_setreg(struct sisusb_usb_data *sisusb, u32 port, u8 data)
+ {
+ return sisusb_write_memio_byte(sisusb, SISUSB_TYPE_IO, port, data);
+ }
+
+-int sisusb_getreg(struct sisusb_usb_data *sisusb, int port, u8 *data)
++int sisusb_getreg(struct sisusb_usb_data *sisusb, u32 port, u8 *data)
+ {
+ return sisusb_read_memio_byte(sisusb, SISUSB_TYPE_IO, port, data);
+ }
+ #endif
+
+-int sisusb_setidxreg(struct sisusb_usb_data *sisusb, int port,
++int sisusb_setidxreg(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 data)
+ {
+ int ret;
+@@ -1220,7 +1220,7 @@ int sisusb_setidxreg(struct sisusb_usb_d
+ return ret;
+ }
+
+-int sisusb_getidxreg(struct sisusb_usb_data *sisusb, int port,
++int sisusb_getidxreg(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 *data)
+ {
+ int ret;
+@@ -1230,7 +1230,7 @@ int sisusb_getidxreg(struct sisusb_usb_d
+ return ret;
+ }
+
+-int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, int port, u8 idx,
++int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, u32 port, u8 idx,
+ u8 myand, u8 myor)
+ {
+ int ret;
+@@ -1245,7 +1245,7 @@ int sisusb_setidxregandor(struct sisusb_
+ }
+
+ static int sisusb_setidxregmask(struct sisusb_usb_data *sisusb,
+- int port, u8 idx, u8 data, u8 mask)
++ u32 port, u8 idx, u8 data, u8 mask)
+ {
+ int ret;
+ u8 tmp;
+@@ -1258,13 +1258,13 @@ static int sisusb_setidxregmask(struct s
+ return ret;
+ }
+
+-int sisusb_setidxregor(struct sisusb_usb_data *sisusb, int port,
++int sisusb_setidxregor(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 myor)
+ {
+ return sisusb_setidxregandor(sisusb, port, index, 0xff, myor);
+ }
+
+-int sisusb_setidxregand(struct sisusb_usb_data *sisusb, int port,
++int sisusb_setidxregand(struct sisusb_usb_data *sisusb, u32 port,
+ u8 idx, u8 myand)
+ {
+ return sisusb_setidxregandor(sisusb, port, idx, myand, 0x00);
+@@ -2787,8 +2787,8 @@ static loff_t sisusb_lseek(struct file *
+ static int sisusb_handle_command(struct sisusb_usb_data *sisusb,
+ struct sisusb_command *y, unsigned long arg)
+ {
+- int retval, port, length;
+- u32 address;
++ int retval, length;
++ u32 port, address;
+
+ /* All our commands require the device
+ * to be initialized.
+--- a/drivers/usb/misc/sisusbvga/sisusb_init.h
++++ b/drivers/usb/misc/sisusbvga/sisusb_init.h
+@@ -812,17 +812,17 @@ static const struct SiS_VCLKData SiSUSB_
+ int SiSUSBSetMode(struct SiS_Private *SiS_Pr, unsigned short ModeNo);
+ int SiSUSBSetVESAMode(struct SiS_Private *SiS_Pr, unsigned short VModeNo);
+
+-extern int sisusb_setreg(struct sisusb_usb_data *sisusb, int port, u8 data);
+-extern int sisusb_getreg(struct sisusb_usb_data *sisusb, int port, u8 * data);
+-extern int sisusb_setidxreg(struct sisusb_usb_data *sisusb, int port,
++extern int sisusb_setreg(struct sisusb_usb_data *sisusb, u32 port, u8 data);
++extern int sisusb_getreg(struct sisusb_usb_data *sisusb, u32 port, u8 * data);
++extern int sisusb_setidxreg(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 data);
+-extern int sisusb_getidxreg(struct sisusb_usb_data *sisusb, int port,
++extern int sisusb_getidxreg(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 * data);
+-extern int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, int port,
++extern int sisusb_setidxregandor(struct sisusb_usb_data *sisusb, u32 port,
+ u8 idx, u8 myand, u8 myor);
+-extern int sisusb_setidxregor(struct sisusb_usb_data *sisusb, int port,
++extern int sisusb_setidxregor(struct sisusb_usb_data *sisusb, u32 port,
+ u8 index, u8 myor);
+-extern int sisusb_setidxregand(struct sisusb_usb_data *sisusb, int port,
++extern int sisusb_setidxregand(struct sisusb_usb_data *sisusb, u32 port,
+ u8 idx, u8 myand);
+
+ void sisusb_delete(struct kref *kref);
projects / thirdparty / kernel / stable-queue.git / commitdiff
