5.12-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 May 2021 08:34:10 +0000 (10:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 12 May 2021 08:34:10 +0000 (10:34 +0200)
added patches:
bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch
bluetooth-verify-amp-hci_chan-before-amp_destroy.patch
coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch
drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch
io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch
net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch
software-node-allow-node-addition-to-already-existing-device.patch
staging-fwserial-fix-tiocsserial-jiffies-conversions.patch
staging-fwserial-fix-tiocsserial-permission-check.patch
staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch
tty-amiserial-fix-tiocsserial-permission-check.patch
tty-moxa-fix-tiocsserial-jiffies-conversions.patch
tty-moxa-fix-tiocsserial-permission-check.patch
tty-mxser-fix-tiocsserial-jiffies-conversions.patch
tty-mxser-fix-tiocsserial-permission-check.patch
usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch
usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch

19 files changed:
queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch [new file with mode: 0644]
queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch [new file with mode: 0644]
queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch [new file with mode: 0644]
queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch [new file with mode: 0644]
queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch [new file with mode: 0644]
queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch [new file with mode: 0644]
queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch [new file with mode: 0644]
queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch [new file with mode: 0644]
queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch [new file with mode: 0644]
queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch [new file with mode: 0644]
queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch [new file with mode: 0644]
queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch [new file with mode: 0644]
queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch [new file with mode: 0644]
queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch [new file with mode: 0644]
queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch [new file with mode: 0644]
queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch [new file with mode: 0644]
queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch [new file with mode: 0644]
queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch [new file with mode: 0644]
queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch [new file with mode: 0644]

diff --git a/queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch b/queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch
new file mode 100644 (file)
index 0000000..96362f0
--- /dev/null
@@ -0,0 +1,53 @@
+From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 12 Apr 2021 19:17:57 +0800
+Subject: bluetooth: eliminate the potential race condition when removing the HCI controller
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream.
+
+There is a possible race condition vulnerability between issuing a HCI
+command and removing the cont.  Specifically, functions hci_req_sync()
+and hci_dev_do_close() can race each other like below:
+
+thread-A in hci_req_sync()      |   thread-B in hci_dev_do_close()
+                                |   hci_req_sync_lock(hdev);
+test_bit(HCI_UP, &hdev->flags); |
+...                             |   test_and_clear_bit(HCI_UP, &hdev->flags)
+hci_req_sync_lock(hdev);        |
+                                |
+In this commit we alter the sequence in function hci_req_sync(). Hence,
+the thread-A cannot issue th.
+
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Cc: Marcel Holtmann <marcel@holtmann.org>
+Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy")
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/hci_request.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/net/bluetooth/hci_request.c
++++ b/net/bluetooth/hci_request.c
+@@ -272,12 +272,16 @@ int hci_req_sync(struct hci_dev *hdev, i
+ {
+       int ret;
+-      if (!test_bit(HCI_UP, &hdev->flags))
+-              return -ENETDOWN;
+-
+       /* Serialize all requests */
+       hci_req_sync_lock(hdev);
+-      ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++      /* check the state after obtaing the lock to protect the HCI_UP
++       * against any races from hci_dev_do_close when the controller
++       * gets removed.
++       */
++      if (test_bit(HCI_UP, &hdev->flags))
++              ret = __hci_req_sync(hdev, req, opt, timeout, hci_status);
++      else
++              ret = -ENETDOWN;
+       hci_req_sync_unlock(hdev);
+       return ret;
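Review bot: The comment added above the `test_bit(HCI_UP, &hdev->flags)` check misspells "obtaining" and does not say which lock it means. Something like `/* Test HCI_UP only after taking the req_sync lock, which hci_dev_do_close() holds while clearing it. */` states the invariant directly and matches the diagram in the description. The ordering is the whole fix, so this comment is what stops a later cleanup from hoisting the test back out of the locked region. hci_req_sync() starts and ends outside the hunk, so other exits, if there are any, are not visible here.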
diff --git a/queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch b/queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch
new file mode 100644 (file)
index 0000000..06aaf12
--- /dev/null
@@ -0,0 +1,138 @@
+From 5c4c8c9544099bb9043a10a5318130a943e32fc3 Mon Sep 17 00:00:00 2001
+From: Archie Pusaka <apusaka@chromium.org>
+Date: Mon, 22 Mar 2021 14:03:11 +0800
+Subject: Bluetooth: verify AMP hci_chan before amp_destroy
+
+From: Archie Pusaka <apusaka@chromium.org>
+
+commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 upstream.
+
+hci_chan can be created in 2 places: hci_loglink_complete_evt() if
+it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory,
+Only AMP hci_chan should be removed by a call to
+hci_disconn_loglink_complete_evt(). However, the controller might mess
+up, call that function, and destroy an hci_chan which is not initiated
+by hci_loglink_complete_evt().
+
+This patch adds a verification that the destroyed hci_chan must have
+been init'd by hci_loglink_complete_evt().
+
+Example crash call trace:
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0xe3/0x144 lib/dump_stack.c:118
+ print_address_description+0x67/0x22a mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report mm/kasan/report.c:412 [inline]
+ kasan_report+0x251/0x28f mm/kasan/report.c:396
+ hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072
+ l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877
+ l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661
+ l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline]
+ l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline]
+ l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline]
+ l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline]
+ l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023
+ l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596
+ hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline]
+ hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+Allocated by task 38:
+ set_track mm/kasan/kasan.c:460 [inline]
+ kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553
+ kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787
+ kmalloc include/linux/slab.h:515 [inline]
+ kzalloc include/linux/slab.h:709 [inline]
+ hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674
+ l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062
+ l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline]
+ l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381
+ hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404
+ hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline]
+ hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981
+ hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+Freed by task 1732:
+ set_track mm/kasan/kasan.c:460 [inline]
+ __kasan_slab_free mm/kasan/kasan.c:521 [inline]
+ __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493
+ slab_free_hook mm/slub.c:1409 [inline]
+ slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436
+ slab_free mm/slub.c:3009 [inline]
+ kfree+0x182/0x21e mm/slub.c:3972
+ hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline]
+ hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050
+ hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791
+ process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175
+ worker_thread+0x4fc/0x670 kernel/workqueue.c:2321
+ kthread+0x2f0/0x304 kernel/kthread.c:253
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415
+
+The buggy address belongs to the object at ffff8881d7af9180
+ which belongs to the cache kmalloc-128 of size 128
+The buggy address is located 24 bytes inside of
+ 128-byte region [ffff8881d7af9180, ffff8881d7af9200)
+The buggy address belongs to the page:
+page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0
+flags: 0x8000000000000200(slab)
+raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200
+raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000
+page dumped because: kasan: bad access detected
+
+Memory state around the buggy address:
+ ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
+ ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
+>ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
+                            ^
+ ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+
+Signed-off-by: Archie Pusaka <apusaka@chromium.org>
+Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com
+Reviewed-by: Alain Michaud <alainm@chromium.org>
+Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Cc: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/bluetooth/hci_core.h |    1 +
+ net/bluetooth/hci_event.c        |    3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -704,6 +704,7 @@ struct hci_chan {
+       struct sk_buff_head data_q;
+       unsigned int    sent;
+       __u8            state;
++      bool            amp;
+ };
+ struct hci_conn_params {
+--- a/net/bluetooth/hci_event.c
++++ b/net/bluetooth/hci_event.c
+@@ -5005,6 +5005,7 @@ static void hci_loglink_complete_evt(str
+               return;
+       hchan->handle = le16_to_cpu(ev->handle);
++      hchan->amp = true;
+       BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan);
+@@ -5037,7 +5038,7 @@ static void hci_disconn_loglink_complete
+       hci_dev_lock(hdev);
+       hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle));
+-      if (!hchan)
++      if (!hchan || !hchan->amp)
+               goto unlock;
+       amp_destroy_logical_link(hchan, ev->reason);
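Review bot: The new `bool amp` member of struct hci_chan carries the ownership rule this fix depends on but has no comment; I would write `bool amp; /* set only in hci_loglink_complete_evt(); required before amp_destroy_logical_link() */`. The check in hci_disconn_loglink_complete_evt() is only sound if every other creator leaves the flag false. The KASAN allocation trace in the description suggests this holds for hci_chan_create(), which uses kzalloc, but it is worth confirming that no other allocation path exists. The `!hchan->amp` case also jumps to `unlock` silently; a debug line there (the file already uses `BT_DBG`) would make a controller that sends a logical-link disconnect for a non-AMP handle visible in logs. Both functions continue outside the hunks.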
diff --git a/queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch b/queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch
new file mode 100644 (file)
index 0000000..4cc4956
--- /dev/null
@@ -0,0 +1,40 @@
+From 9204ff94868496f2d9b8b173af52ec455160c364 Mon Sep 17 00:00:00 2001
+From: Mike Leach <mike.leach@linaro.org>
+Date: Thu, 15 Apr 2021 14:24:04 -0600
+Subject: coresight: etm-perf: Fix define build issue when built as module
+
+From: Mike Leach <mike.leach@linaro.org>
+
+commit 9204ff94868496f2d9b8b173af52ec455160c364 upstream.
+
+CONFIG_CORESIGHT_SOURCE_ETM4X is undefined when built as module,
+CONFIG_CORESIGHT_SOURCE_ETM4X_MODULE is defined instead.
+
+Therefore code in format_attr_contextid_show() not correctly complied
+when coresight built as module.
+
+Use IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM4X) to correct this.
+
+Link: https://lore.kernel.org/r/20210414194808.22872-1-mike.leach@linaro.org
+Fixes: 88f11864cf1d ("coresight: etm-perf: Support PID tracing for kernel at EL2")
+Reviewed-by: Leo Yan <leo.yan@linaro.org>
+Signed-off-by: Mike Leach <mike.leach@linaro.org>
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210415202404.945368-2-mathieu.poirier@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-etm-perf.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-etm-perf.c
++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c
+@@ -52,7 +52,7 @@ static ssize_t format_attr_contextid_sho
+ {
+       int pid_fmt = ETM_OPT_CTXTID;
+-#if defined(CONFIG_CORESIGHT_SOURCE_ETM4X)
++#if IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM4X)
+       pid_fmt = is_kernel_in_hyp_mode() ? ETM_OPT_CTXTID2 : ETM_OPT_CTXTID;
+ #endif
+       return sprintf(page, "config:%d\n", pid_fmt);
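Review bot: The switch from `defined()` to `IS_ENABLED()` in format_attr_contextid_show() is easy to undo by accident because nothing in the code says why it matters. A short comment above the `#if`, such as `/* IS_ENABLED() also covers CONFIG_CORESIGHT_SOURCE_ETM4X_MODULE */`, would record the reason. Any other `#if defined(...)` test on a tristate symbol in this driver would have the same problem, but none is visible in this hunk.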
diff --git a/queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch b/queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch
new file mode 100644 (file)
index 0000000..d68c320
--- /dev/null
@@ -0,0 +1,74 @@
+From ad085b3a712a89e4a48472121b231add7a8362e4 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Thu, 15 Apr 2021 11:36:39 -0700
+Subject: drm: bridge: fix LONTIUM use of mipi_dsi_() functions
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit ad085b3a712a89e4a48472121b231add7a8362e4 upstream.
+
+The Lontium DRM bridge drivers use mipi_dsi_() function interfaces so
+they need to select DRM_MIPI_DSI to prevent build errors.
+
+ERROR: modpost: "mipi_dsi_attach" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
+ERROR: modpost: "mipi_dsi_device_register_full" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
+ERROR: modpost: "of_find_mipi_dsi_host_by_node" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
+ERROR: modpost: "mipi_dsi_device_unregister" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
+ERROR: modpost: "mipi_dsi_detach" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined!
+ERROR: modpost: "mipi_dsi_attach" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined!
+ERROR: modpost: "mipi_dsi_device_register_full" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined!
+ERROR: modpost: "of_find_mipi_dsi_host_by_node" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined!
+ERROR: modpost: "mipi_dsi_device_unregister" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined!
+ERROR: modpost: "mipi_dsi_detach" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined!
+WARNING: modpost: suppressed 5 unresolved symbol warnings because there were too many)
+
+Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge")
+Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge")
+Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge")
+Reported-by: kernel test robot <lkp@intel.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reviewed-by: Adren Grassein <adrien.grassein@gmail.com>
+Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Cc: Sam Ravnborg <sam@ravnborg.org>
+Cc: Vinod Koul <vkoul@kernel.org>
+Cc: Bjorn Andersson <bjorn.andersson@linaro.org>
+Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Cc: Adrien Grassein <adrien.grassein@gmail.com>
+Cc: Andrzej Hajda <a.hajda@samsung.com>
+Cc: Neil Armstrong <narmstrong@baylibre.com>
+Cc: Robert Foss <robert.foss@linaro.org>
+Cc: dri-devel@lists.freedesktop.org
+Cc: stable@vger.kernel.org
+Signed-off-by: Robert Foss <robert.foss@linaro.org>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210415183639.1487-1-rdunlap@infradead.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/bridge/Kconfig |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/bridge/Kconfig
++++ b/drivers/gpu/drm/bridge/Kconfig
+@@ -67,6 +67,7 @@ config DRM_LONTIUM_LT9611UXC
+       depends on OF
+       select DRM_PANEL_BRIDGE
+       select DRM_KMS_HELPER
++      select DRM_MIPI_DSI
+       select REGMAP_I2C
+       help
+         Driver for Lontium LT9611UXC DSI to HDMI bridge
+@@ -151,6 +152,7 @@ config DRM_SII902X
+       tristate "Silicon Image sii902x RGB/HDMI bridge"
+       depends on OF
+       select DRM_KMS_HELPER
++      select DRM_MIPI_DSI
+       select REGMAP_I2C
+       select I2C_MUX
+       select SND_SOC_HDMI_CODEC if SND_SOC
+@@ -200,6 +202,7 @@ config DRM_TOSHIBA_TC358767
+       tristate "Toshiba TC358767 eDP bridge"
+       depends on OF
+       select DRM_KMS_HELPER
++      select DRM_MIPI_DSI
+       select REGMAP_I2C
+       select DRM_PANEL
+       help
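Review bot: Two of the three `select DRM_MIPI_DSI` lines do not land in a Lontium entry: the second hunk's context is `tristate "Silicon Image sii902x RGB/HDMI bridge"` and the third's is `tristate "Toshiba TC358767 eDP bridge"`. The description and the modpost errors name lontium-lt9611 and lontium-lt9611uxc, and only the first hunk clearly sits in `config DRM_LONTIUM_LT9611UXC`. As shown, the LT9611 entry may therefore still build without DRM_MIPI_DSI selected. This looks like the upstream hunks were applied at shifted offsets for the 5.12 tree, so the placement should be checked against the 5.12 Kconfig before the patch is released.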
diff --git a/queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch b/queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch
new file mode 100644 (file)
index 0000000..8efad1f
--- /dev/null
@@ -0,0 +1,49 @@
+From d1f82808877bb10d3deee7cf3374a4eb3fb582db Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Wed, 5 May 2021 09:47:06 -0300
+Subject: io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit d1f82808877bb10d3deee7cf3374a4eb3fb582db upstream.
+
+Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on
+that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS.
+
+Truncate those lengths when doing io_add_buffers, so buffer addresses still
+use the uncapped length.
+
+Also, take the chance and change struct io_buffer len member to __u32, so
+it matches struct io_provide_buffer len member.
+
+This fixes CVE-2021-3491, also reported as ZDI-CAN-13546.
+
+Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS")
+Reported-by: Billy Jheng Bing-Jhong (@st424204)
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io_uring.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/fs/io_uring.c
++++ b/fs/io_uring.c
+@@ -238,7 +238,7 @@ struct fixed_rsrc_data {
+ struct io_buffer {
+       struct list_head list;
+       __u64 addr;
+-      __s32 len;
++      __u32 len;
+       __u16 bid;
+ };
+@@ -4017,7 +4017,7 @@ static int io_add_buffers(struct io_prov
+                       break;
+               buf->addr = addr;
+-              buf->len = pbuf->len;
++              buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT);
+               buf->bid = bid;
+               addr += pbuf->len;
+               bid++;
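Review bot: In io_add_buffers() the stored `buf->len` is now capped while `addr += pbuf->len` still advances by the uncapped value, and nothing in the code says this asymmetry is intended. A comment above the `min_t()` line, such as `/* cap len at MAX_RW_COUNT for the read paths; addr still steps by the full pbuf->len */`, would keep someone from "fixing" it later. The change of the `len` member of struct io_buffer from `__s32` to `__u32` also alters any signed comparison or negative-value test on that field elsewhere in fs/io_uring.c. Those uses are not visible in these hunks and should be checked as part of the backport. io_add_buffers() starts and ends outside the hunk.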
diff --git a/queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch b/queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch
new file mode 100644 (file)
index 0000000..25c57d1
--- /dev/null
@@ -0,0 +1,73 @@
+From c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 Mon Sep 17 00:00:00 2001
+From: Or Cohen <orcohen@paloaltonetworks.com>
+Date: Tue, 4 May 2021 10:16:46 +0300
+Subject: net/nfc: fix use-after-free llcp_sock_bind/connect
+
+From: Or Cohen <orcohen@paloaltonetworks.com>
+
+commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream.
+
+Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()")
+and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
+fixed a refcount leak bug in bind/connect but introduced a
+use-after-free if the same local is assigned to 2 different sockets.
+
+This can be triggered by the following simple program:
+    int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
+    int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP );
+    memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) );
+    addr.sa_family = AF_NFC;
+    addr.nfc_protocol = NFC_PROTO_NFC_DEP;
+    bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
+    bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) )
+    close(sock1);
+    close(sock2);
+
+Fix this by assigning NULL to llcp_sock->local after calling
+nfc_llcp_local_put.
+
+This addresses CVE-2021-23134.
+
+Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
+Reported-by: Nadav Markus <nmarkus@paloaltonetworks.com>
+Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()")
+Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/llcp_sock.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket
+                                         GFP_KERNEL);
+       if (!llcp_sock->service_name) {
+               nfc_llcp_local_put(llcp_sock->local);
++              llcp_sock->local = NULL;
+               ret = -ENOMEM;
+               goto put_dev;
+       }
+       llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock);
+       if (llcp_sock->ssap == LLCP_SAP_MAX) {
+               nfc_llcp_local_put(llcp_sock->local);
++              llcp_sock->local = NULL;
+               kfree(llcp_sock->service_name);
+               llcp_sock->service_name = NULL;
+               ret = -EADDRINUSE;
+@@ -709,6 +711,7 @@ static int llcp_sock_connect(struct sock
+       llcp_sock->ssap = nfc_llcp_get_local_ssap(local);
+       if (llcp_sock->ssap == LLCP_SAP_MAX) {
+               nfc_llcp_local_put(llcp_sock->local);
++              llcp_sock->local = NULL;
+               ret = -ENOMEM;
+               goto put_dev;
+       }
+@@ -756,6 +759,7 @@ sock_unlink:
+ sock_llcp_release:
+       nfc_llcp_put_ssap(local, llcp_sock->ssap);
+       nfc_llcp_local_put(llcp_sock->local);
++      llcp_sock->local = NULL;
+ put_dev:
+       nfc_put_device(dev);
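Review bot: The pair `nfc_llcp_local_put(llcp_sock->local); llcp_sock->local = NULL;` is now repeated at four sites across llcp_sock_bind() and llcp_sock_connect(), so the fix holds only as long as every future error path remembers the second line. A small static helper in llcp_sock.c that does both would make the rule hard to miss. It should carry a comment that the pointer is cleared so a later release of the socket presumably cannot drop the same reference again. Both functions extend beyond the hunks, so any other put of `llcp_sock->local` outside the visible lines should be checked for the same pattern.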
diff --git a/queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch b/queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch
new file mode 100644 (file)
index 0000000..0ff7737
--- /dev/null
@@ -0,0 +1,69 @@
+From 729f7955cb987c5b7d7e54c87c5ad71c789934f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 8 Apr 2021 15:16:00 +0200
+Subject: Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 729f7955cb987c5b7d7e54c87c5ad71c789934f7 upstream.
+
+This reverts commit b401f8c4f492cbf74f3f59c9141e5be3071071bb.
+
+The offending commit claimed that trying to set the values reported back
+by TIOCGSERIAL as a regular user could result in an -EPERM error when HZ
+is 250, but that was never the case.
+
+With HZ=250, the default 0.5 second value of close_delay is converted to
+125 jiffies when set and is converted back to 50 centiseconds by
+TIOCGSERIAL as expected (not 12 cs as was claimed, even if that was the
+case before an earlier fix).
+
+Comparing the internal current and new jiffies values is just fine to
+determine if the value is about to change so drop the bogus workaround
+(which was also backported to stable).
+
+For completeness: With different default values for these parameters or
+with a HZ value not divisible by two, the lack of rounding when setting
+the default values in tty_port_init() could result in an -EPERM being
+returned, but this is hardly something we need to worry about.
+
+Cc: Anthony Mallet <anthony.mallet@laas.fr>
+Cc: stable@vger.kernel.org
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210408131602.27956-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-acm.c |   11 ++---------
+ 1 file changed, 2 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -942,7 +942,6 @@ static int set_serial_info(struct tty_st
+ {
+       struct acm *acm = tty->driver_data;
+       unsigned int closing_wait, close_delay;
+-      unsigned int old_closing_wait, old_close_delay;
+       int retval = 0;
+       close_delay = msecs_to_jiffies(ss->close_delay * 10);
+@@ -950,17 +949,11 @@ static int set_serial_info(struct tty_st
+                       ASYNC_CLOSING_WAIT_NONE :
+                       msecs_to_jiffies(ss->closing_wait * 10);
+-      /* we must redo the rounding here, so that the values match */
+-      old_close_delay = jiffies_to_msecs(acm->port.close_delay) / 10;
+-      old_closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+-                              ASYNC_CLOSING_WAIT_NONE :
+-                              jiffies_to_msecs(acm->port.closing_wait) / 10;
+-
+       mutex_lock(&acm->port.mutex);
+       if (!capable(CAP_SYS_ADMIN)) {
+-              if ((ss->close_delay != old_close_delay) ||
+-                  (ss->closing_wait != old_closing_wait))
++              if ((close_delay != acm->port.close_delay) ||
++                  (closing_wait != acm->port.closing_wait))
+                       retval = -EPERM;
+               else
+                       retval = -EOPNOTSUPP;
diff --git a/queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch b/queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch
new file mode 100644 (file)
index 0000000..08364f3
--- /dev/null
@@ -0,0 +1,46 @@
+From b622b24519f5b008f6d4e20e5675eaffa8fbd87b Mon Sep 17 00:00:00 2001
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Date: Wed, 14 Apr 2021 10:54:38 +0300
+Subject: software node: Allow node addition to already existing device
+
+From: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+
+commit b622b24519f5b008f6d4e20e5675eaffa8fbd87b upstream.
+
+If the node is added to an already exiting device, the node
+needs to be also linked to the device separately.
+
+This will make sure the reference count is kept in balance
+also when the node is injected to a device afterwards.
+
+Fixes: e68d0119e328 ("software node: Introduce device_add_software_node()")
+Reported-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
+Signed-off-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210414075438.64547-1-heikki.krogerus@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/swnode.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/swnode.c
++++ b/drivers/base/swnode.c
+@@ -1032,6 +1032,7 @@ int device_add_software_node(struct devi
+       }
+       set_secondary_fwnode(dev, &swnode->fwnode);
++      software_node_notify(dev, KOBJ_ADD);
+       return 0;
+ }
+@@ -1105,8 +1106,8 @@ int software_node_notify(struct device *
+       switch (action) {
+       case KOBJ_ADD:
+-              ret = sysfs_create_link(&dev->kobj, &swnode->kobj,
+-                                      "software_node");
++              ret = sysfs_create_link_nowarn(&dev->kobj, &swnode->kobj,
++                                             "software_node");
+               if (ret)
+                       break;
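Review bot: The return value of the new `software_node_notify(dev, KOBJ_ADD);` call in device_add_software_node() is discarded, and the link is now created with `sysfs_create_link_nowarn()`. A failure to create the "software_node" link therefore leaves no trace, and the function still returns 0. If that is deliberate, presumably because the call is expected to fail when the device is not registered yet, a comment at the call site should say so, e.g. `/* may fail if dev is not registered yet; failure is ignored on purpose */`. Otherwise the error should be propagated. Both functions continue outside the hunks.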
diff --git a/queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644 (file)
index 0000000..865e83b
--- /dev/null
@@ -0,0 +1,45 @@
+From 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:19 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org      # 3.8
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fwserial/fwserial.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1223,7 +1223,7 @@ static int get_serial_info(struct tty_st
+       ss->flags = port->port.flags;
+       ss->xmit_fifo_size = FWTTY_PORT_TXFIFO_LEN;
+       ss->baud_base = 400000000;
+-      ss->close_delay = port->port.close_delay;
++      ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10;
+       mutex_unlock(&port->port.mutex);
+       return 0;
+ }
+@@ -1245,7 +1245,7 @@ static int set_serial_info(struct tty_st
+                       return -EPERM;
+               }
+       }
+-      port->port.close_delay = ss->close_delay * HZ / 100;
++      port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+       mutex_unlock(&port->port.mutex);
+       return 0;
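Review bot: The centisecond/jiffies conversion is open-coded with bare factors, `jiffies_to_msecs(...) / 10` in get_serial_info() and `msecs_to_jiffies(ss->close_delay * 10)` in set_serial_info(), and the same expressions recur in the greybus uart patch further down this commit. A one-line comment naming the unit, e.g. `/* close_delay is exchanged with user space in centiseconds */`, would make the `10` self-explanatory. The division truncates, so a stored value that is not a whole number of centiseconds reads back smaller than what was set.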
diff --git a/queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch b/queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch
new file mode 100644 (file)
index 0000000..52f3cdb
--- /dev/null
@@ -0,0 +1,50 @@
+From 2104eb283df66a482b60254299acbe3c68c03412 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:20 +0200
+Subject: staging: fwserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2104eb283df66a482b60254299acbe3c68c03412 upstream.
+
+Changing the port close-delay parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver")
+Cc: stable@vger.kernel.org      # 3.8
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/fwserial/fwserial.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/fwserial/fwserial.c
++++ b/drivers/staging/fwserial/fwserial.c
+@@ -1232,20 +1232,24 @@ static int set_serial_info(struct tty_st
+                          struct serial_struct *ss)
+ {
+       struct fwtty_port *port = tty->driver_data;
++      unsigned int cdelay;
+       if (ss->irq != 0 || ss->port != 0 || ss->custom_divisor != 0 ||
+           ss->baud_base != 400000000)
+               return -EPERM;
++      cdelay = msecs_to_jiffies(ss->close_delay * 10);
++
+       mutex_lock(&port->port.mutex);
+       if (!capable(CAP_SYS_ADMIN)) {
+-              if (((ss->flags & ~ASYNC_USR_MASK) !=
++              if (cdelay != port->port.close_delay ||
++                  ((ss->flags & ~ASYNC_USR_MASK) !=
+                    (port->port.flags & ~ASYNC_USR_MASK))) {
+                       mutex_unlock(&port->port.mutex);
+                       return -EPERM;
+               }
+       }
+-      port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++      port->port.close_delay = cdelay;
+       mutex_unlock(&port->port.mutex);
+       return 0;
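Review bot: The new unprivileged check compares `cdelay` with `port->port.close_delay` in jiffies, so a caller without CAP_SYS_ADMIN that reads the value with TIOCGSERIAL and writes it back unchanged passes only if the stored jiffies value survives the round trip through centiseconds. The cdc-acm revert in this same commit discusses that case and considers it negligible. A comment on the comparison, e.g. `/* compare in jiffies; a get/set round trip must not look like a change */`, would record the assumption. The local could also be named `close_delay` to match the cdc-acm and greybus versions of set_serial_info() shown on this page.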
diff --git a/queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644 (file)
index 0000000..fadfffb
--- /dev/null
@@ -0,0 +1,54 @@
+From b71e571adaa58be4fd289abebc8997e05b4c6b40 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:23 +0200
+Subject: staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b71e571adaa58be4fd289abebc8997e05b4c6b40 upstream.
+
+The port close_delay and closing_wait parameters set by TIOCSSERIAL are
+specified in jiffies and not milliseconds.
+
+Add the missing conversions so that TIOCSSERIAL works as expected also
+when HZ is not 1000.
+
+Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added")
+Cc: stable@vger.kernel.org     # 4.9
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-6-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/greybus/uart.c |   11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/greybus/uart.c
++++ b/drivers/staging/greybus/uart.c
+@@ -614,10 +614,12 @@ static int get_serial_info(struct tty_st
+       ss->line = gb_tty->minor;
+       ss->xmit_fifo_size = 16;
+       ss->baud_base = 9600;
+-      ss->close_delay = gb_tty->port.close_delay / 10;
++      ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10;
+       ss->closing_wait =
+               gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+-              ASYNC_CLOSING_WAIT_NONE : gb_tty->port.closing_wait / 10;
++              ASYNC_CLOSING_WAIT_NONE :
++              jiffies_to_msecs(gb_tty->port.closing_wait) / 10;
++
+       return 0;
+ }
+@@ -629,9 +631,10 @@ static int set_serial_info(struct tty_st
+       unsigned int close_delay;
+       int retval = 0;
+-      close_delay = ss->close_delay * 10;
++      close_delay = msecs_to_jiffies(ss->close_delay * 10);
+       closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+-                      ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10;
++                      ASYNC_CLOSING_WAIT_NONE :
++                      msecs_to_jiffies(ss->closing_wait * 10);
+       mutex_lock(&gb_tty->port.mutex);
+       if (!capable(CAP_SYS_ADMIN)) {
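Review bot: Nothing in get_serial_info() or set_serial_info() records that serial_struct carries close_delay and closing_wait in centiseconds while the tty_port fields hold jiffies, which is the mismatch these lines correct. A short comment above the conversions, for example `/* serial_struct: centiseconds; tty_port: jiffies */`, would help keep a later edit from reintroducing a bare `* 10` or `/ 10`. set_serial_info() continues past the end of the hunk, so how the converted values are used inside the `capable(CAP_SYS_ADMIN)` branch is not visible here.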
diff --git a/queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch
new file mode 100644 (file)
index 0000000..868596f
--- /dev/null
@@ -0,0 +1,32 @@
+From 1d31a831cc04f5f942de3e7d91edaa52310d3c99 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:26 +0200
+Subject: tty: amiserial: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1d31a831cc04f5f942de3e7d91edaa52310d3c99 upstream.
+
+Changing the port closing_wait parameter is a privileged operation.
+
+Add the missing check to TIOCSSERIAL so that -EPERM is returned in case
+an unprivileged user tries to change the closing-wait setting.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-9-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/amiserial.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/amiserial.c
++++ b/drivers/tty/amiserial.c
+@@ -970,6 +970,7 @@ static int set_serial_info(struct tty_st
+       if (!serial_isroot()) {
+               if ((ss->baud_base != state->baud_base) ||
+                   (ss->close_delay != port->close_delay) ||
++                  (ss->closing_wait != port->closing_wait) ||
+                   (ss->xmit_fifo_size != state->xmit_fifo_size) ||
+                   ((ss->flags & ~ASYNC_USR_MASK) !=
+                    (port->flags & ~ASYNC_USR_MASK))) {
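Review bot: The added `ss->closing_wait != port->closing_wait` test compares the raw serial_struct value with the stored port field, just as the neighbouring close_delay test does. The other drivers in this series convert with msecs_to_jiffies() before comparing. If amiserial also keeps these fields in jiffies, which this hunk does not show, an unprivileged caller writing back unchanged settings could be refused with -EPERM whenever the two units differ. It is worth confirming the units on both sides and converting before the comparison if they differ. The body of set_serial_info() starts and ends outside the hunk.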
diff --git a/queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644 (file)
index 0000000..0d8d557
--- /dev/null
@@ -0,0 +1,44 @@
+From 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:28 +0200
+Subject: tty: moxa: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 upstream.
+
+The port close_delay parameter set by TIOCSSERIAL is specified in
+jiffies, while the value returned by TIOCGSERIAL is specified in
+centiseconds.
+
+Add the missing conversions so that TIOCGSERIAL works as expected also
+when HZ is not 100.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-11-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/moxa.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2040,7 +2040,7 @@ static int moxa_get_serial_info(struct t
+       ss->line = info->port.tty->index,
+       ss->flags = info->port.flags,
+       ss->baud_base = 921600,
+-      ss->close_delay = info->port.close_delay;
++      ss->close_delay = jiffies_to_msecs(info->port.close_delay) / 10;
+       mutex_unlock(&info->port.mutex);
+       return 0;
+ }
+@@ -2069,7 +2069,7 @@ static int moxa_set_serial_info(struct t
+                       return -EPERM;
+               }
+       }
+-      info->port.close_delay = ss->close_delay * HZ / 100;
++      info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
+       MoxaSetFifo(info, ss->type == PORT_16550A);
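Review bot: The field assignments in moxa_get_serial_info() are chained with the comma operator, and the new `ss->close_delay = jiffies_to_msecs(info->port.close_delay) / 10;` line is the tail of that chain. Writing each assignment as its own statement would make the lock-protected region easier to read and to patch. The same applies to mxser_get_serial_info() in the mxser jiffies patch, where the new `ss->close_delay = close_delay;` and `ss->closing_wait = closing_wait;` lines end the chain mid-list. That leaves `ss->custom_divisor = info->custom_divisor,` and the following `mutex_unlock(&port->mutex);` as a single comma expression. Both functions begin outside their hunks.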
diff --git a/queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch
new file mode 100644 (file)
index 0000000..f497aad
--- /dev/null
@@ -0,0 +1,60 @@
+From dc8c8437658667be9b11ec25c4b5482ed2becdaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:29 +0200
+Subject: tty: moxa: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dc8c8437658667be9b11ec25c4b5482ed2becdaa upstream.
+
+Changing the port close delay or type are privileged operations so make
+sure to return -EPERM if a regular user tries to change them.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-12-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/moxa.c |   16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2050,6 +2050,7 @@ static int moxa_set_serial_info(struct t
+               struct serial_struct *ss)
+ {
+       struct moxa_port *info = tty->driver_data;
++      unsigned int close_delay;
+       if (tty->index == MAX_PORTS)
+               return -EINVAL;
+@@ -2061,19 +2062,24 @@ static int moxa_set_serial_info(struct t
+                       ss->baud_base != 921600)
+               return -EPERM;
++      close_delay = msecs_to_jiffies(ss->close_delay * 10);
++
+       mutex_lock(&info->port.mutex);
+       if (!capable(CAP_SYS_ADMIN)) {
+-              if (((ss->flags & ~ASYNC_USR_MASK) !=
++              if (close_delay != info->port.close_delay ||
++                  ss->type != info->type ||
++                  ((ss->flags & ~ASYNC_USR_MASK) !=
+                    (info->port.flags & ~ASYNC_USR_MASK))) {
+                       mutex_unlock(&info->port.mutex);
+                       return -EPERM;
+               }
+-      }
+-      info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++      } else {
++              info->port.close_delay = close_delay;
+-      MoxaSetFifo(info, ss->type == PORT_16550A);
++              MoxaSetFifo(info, ss->type == PORT_16550A);
+-      info->type = ss->type;
++              info->type = ss->type;
++      }
+       mutex_unlock(&info->port.mutex);
+       return 0;
+ }
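Review bot: An unprivileged caller that passes the check now gets 0 back although nothing is stored. The test tolerates differences in the ASYNC_USR_MASK bits of `ss->flags`, but neither branch in the visible lines writes `info->port.flags`. If that is intended, a comment on the unprivileged branch such as `/* unprivileged: nothing to update, user flags are not stored */` would make the silent no-op explicit. Separately, `info->type = ss->type` in the privileged branch stores the value as supplied. Whether `ss->type` is range-checked in the lines between the two hunks is not visible here.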
diff --git a/queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644 (file)
index 0000000..de37950
--- /dev/null
@@ -0,0 +1,91 @@
+From be6cf583d24dfe87324dd2830d90fc056e0a6648 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:31 +0200
+Subject: tty: mxser: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit be6cf583d24dfe87324dd2830d90fc056e0a6648 upstream.
+
+The port close_delay and closing wait parameters set by TIOCSSERIAL are
+specified in jiffies, while the values returned by TIOCGSERIAL are
+specified in centiseconds.
+
+Add the missing conversions so that TIOCSSERIAL works as expected also
+when HZ is not 100.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-14-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/mxser.c |   24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -1208,19 +1208,26 @@ static int mxser_get_serial_info(struct
+ {
+       struct mxser_port *info = tty->driver_data;
+       struct tty_port *port = &info->port;
++      unsigned int closing_wait, close_delay;
+       if (tty->index == MXSER_PORTS)
+               return -ENOTTY;
+       mutex_lock(&port->mutex);
++
++      close_delay = jiffies_to_msecs(info->port.close_delay) / 10;
++      closing_wait = info->port.closing_wait;
++      if (closing_wait != ASYNC_CLOSING_WAIT_NONE)
++              closing_wait = jiffies_to_msecs(closing_wait) / 10;
++
+       ss->type = info->type,
+       ss->line = tty->index,
+       ss->port = info->ioaddr,
+       ss->irq = info->board->irq,
+       ss->flags = info->port.flags,
+       ss->baud_base = info->baud_base,
+-      ss->close_delay = info->port.close_delay,
+-      ss->closing_wait = info->port.closing_wait,
++      ss->close_delay = close_delay;
++      ss->closing_wait = closing_wait;
+       ss->custom_divisor = info->custom_divisor,
+       mutex_unlock(&port->mutex);
+       return 0;
+@@ -1233,7 +1240,7 @@ static int mxser_set_serial_info(struct
+       struct tty_port *port = &info->port;
+       speed_t baud;
+       unsigned long sl_flags;
+-      unsigned int flags;
++      unsigned int flags, close_delay, closing_wait;
+       int retval = 0;
+       if (tty->index == MXSER_PORTS)
+@@ -1255,9 +1262,14 @@ static int mxser_set_serial_info(struct
+       flags = port->flags & ASYNC_SPD_MASK;
++      close_delay = msecs_to_jiffies(ss->close_delay * 10);
++      closing_wait = ss->closing_wait;
++      if (closing_wait != ASYNC_CLOSING_WAIT_NONE)
++              closing_wait = msecs_to_jiffies(closing_wait * 10);
++
+       if (!capable(CAP_SYS_ADMIN)) {
+               if ((ss->baud_base != info->baud_base) ||
+-                              (ss->close_delay != info->port.close_delay) ||
++                              (close_delay != info->port.close_delay) ||
+                               ((ss->flags & ~ASYNC_USR_MASK) != (info->port.flags & ~ASYNC_USR_MASK))) {
+                       mutex_unlock(&port->mutex);
+                       return -EPERM;
+@@ -1271,8 +1283,8 @@ static int mxser_set_serial_info(struct
+                */
+               port->flags = ((port->flags & ~ASYNC_FLAGS) |
+                               (ss->flags & ASYNC_FLAGS));
+-              port->close_delay = ss->close_delay * HZ / 100;
+-              port->closing_wait = ss->closing_wait * HZ / 100;
++              port->close_delay = close_delay;
++              port->closing_wait = closing_wait;
+               if ((port->flags & ASYNC_SPD_MASK) == ASYNC_SPD_CUST &&
+                               (ss->baud_base != info->baud_base ||
+                               ss->custom_divisor !=
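Review bot: The new conversions in mxser_get_serial_info() read `info->port.close_delay` and `info->port.closing_wait` although the function already has the local `port = &info->port` and takes the lock through it. Using the local keeps the locked object and the accessed object visibly the same, e.g. `close_delay = jiffies_to_msecs(port->close_delay) / 10;` and `closing_wait = port->closing_wait;`. mxser_set_serial_info() mixes the two spellings as well (`info->port.close_delay` in the permission test, `port->close_delay` in the assignment). Both functions extend beyond the hunks shown.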
diff --git a/queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch
new file mode 100644 (file)
index 0000000..a399df8
--- /dev/null
@@ -0,0 +1,49 @@
+From b91cfb2573aeb5ab426fc3c35bcfe9e0d2a7ecbc Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:23:32 +0200
+Subject: tty: mxser: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b91cfb2573aeb5ab426fc3c35bcfe9e0d2a7ecbc upstream.
+
+Changing the port type and closing_wait parameter are privileged
+operations so make sure to return -EPERM if a regular user tries to
+change them.
+
+Note that the closing_wait parameter would not actually have been
+changed but the return value did not indicate that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20210407102334.32361-15-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/mxser.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -1270,6 +1270,7 @@ static int mxser_set_serial_info(struct
+       if (!capable(CAP_SYS_ADMIN)) {
+               if ((ss->baud_base != info->baud_base) ||
+                               (close_delay != info->port.close_delay) ||
++                              (closing_wait != info->port.closing_wait) ||
+                               ((ss->flags & ~ASYNC_USR_MASK) != (info->port.flags & ~ASYNC_USR_MASK))) {
+                       mutex_unlock(&port->mutex);
+                       return -EPERM;
+@@ -1296,11 +1297,11 @@ static int mxser_set_serial_info(struct
+                       baud = ss->baud_base / ss->custom_divisor;
+                       tty_encode_baud_rate(tty, baud, baud);
+               }
+-      }
+-      info->type = ss->type;
++              info->type = ss->type;
+-      process_txrx_fifo(info);
++              process_txrx_fifo(info);
++      }
+       if (tty_port_initialized(port)) {
+               if (flags != (port->flags & ASYNC_SPD_MASK)) {
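Review bot: The description says an unprivileged attempt to change the port type should return -EPERM, but the visible permission test only gains the closing_wait comparison. Moving `info->type = ss->type;` into the privileged branch makes an unprivileged type change a silent no-op that still returns 0. The moxa patch in this series adds an explicit type comparison for the same case. Adding `(ss->type != info->type) ||` to the test would match it, unless the type is already rejected somewhere outside the hunk. mxser_set_serial_info() starts before and ends after the lines shown.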
diff --git a/queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch b/queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch
new file mode 100644 (file)
index 0000000..ad74421
--- /dev/null
@@ -0,0 +1,42 @@
+From 3a2a91a2d51761557843996a66098eb7182b48b4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 9 Apr 2021 14:41:36 +0200
+Subject: usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode()
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 3a2a91a2d51761557843996a66098eb7182b48b4 upstream.
+
+usb_role_switch_find_by_fwnode() returns a reference to the role-switch
+which must be put by calling usb_role_switch_put().
+
+usb_role_switch_put() calls module_put(sw->dev.parent->driver->owner),
+add a matching try_module_get() to usb_role_switch_find_by_fwnode(),
+making it behave the same as the other usb_role_switch functions
+which return a reference.
+
+This avoids a WARN_ON being hit at kernel/module.c:1158 due to the
+module-refcount going below 0.
+
+Fixes: c6919d5e0cd1 ("usb: roles: Add usb_role_switch_find_by_fwnode()")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Link: https://lore.kernel.org/r/20210409124136.65591-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/roles/class.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/roles/class.c
++++ b/drivers/usb/roles/class.c
+@@ -189,6 +189,8 @@ usb_role_switch_find_by_fwnode(const str
+               return NULL;
+       dev = class_find_device_by_fwnode(role_class, fwnode);
++      if (dev)
++              WARN_ON(!try_module_get(dev->parent->driver->owner));
+       return dev ? to_role_switch(dev) : NULL;
+ }
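Review bot: A failed try_module_get() is only reported through WARN_ON and the switch is still returned. The caller's later usb_role_switch_put() would then, per the description, call module_put() without a matching get, which is the refcount imbalance this change is meant to remove. The new line also dereferences `dev->parent->driver` without a check, and nothing in the hunk shows that the parent is guaranteed to be bound to a driver at this point. Consider failing the lookup instead, e.g. `if (dev && !try_module_get(dev->parent->driver->owner)) { put_device(dev); return NULL; }`, with a driver NULL check if the binding is not guaranteed. The start of the function is outside the hunk.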
diff --git a/queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch b/queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
new file mode 100644 (file)
index 0000000..77c8cbb
--- /dev/null
@@ -0,0 +1,44 @@
+From d370c90dcd64e427a79a093a070117a1571d4cd8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:39:15 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d370c90dcd64e427a79a093a070117a1571d4cd8 upstream.
+
+Changing the port closing-wait parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/ti_usb_3410_5052.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1418,14 +1418,19 @@ static int ti_set_serial_info(struct tty
+       struct serial_struct *ss)
+ {
+       struct usb_serial_port *port = tty->driver_data;
+-      struct ti_port *tport = usb_get_serial_port_data(port);
++      struct tty_port *tport = &port->port;
+       unsigned cwait;
+       cwait = ss->closing_wait;
+       if (cwait != ASYNC_CLOSING_WAIT_NONE)
+               cwait = msecs_to_jiffies(10 * ss->closing_wait);
+-      tport->tp_port->port.closing_wait = cwait;
++      if (!capable(CAP_SYS_ADMIN)) {
++              if (cwait != tport->closing_wait)
++                      return -EPERM;
++      }
++
++      tport->closing_wait = cwait;
+       return 0;
+ }
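Review bot: The new compare-then-store on `tport->closing_wait` runs without taking the port mutex, whereas the fwserial, moxa and usb_wwan set handlers in this series do the permission test and update under `mutex_lock(&...port.mutex)`. Unless the caller already serializes TIOCSSERIAL for this driver, which is not visible here, two concurrent calls can interleave between the check and the assignment. Wrapping both in `mutex_lock(&tport->mutex);` and `mutex_unlock(&tport->mutex);`, with an unlock on the -EPERM path, would bring it in line with the other drivers. The nested `if` could also be folded into `if (!capable(CAP_SYS_ADMIN) && cwait != tport->closing_wait)`.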
diff --git a/queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644 (file)
index 0000000..9db81df
--- /dev/null
@@ -0,0 +1,52 @@
+From 3d732690d2267f4d0e19077b178dffbedafdf0c9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 7 Apr 2021 12:39:16 +0200
+Subject: USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3d732690d2267f4d0e19077b178dffbedafdf0c9 upstream.
+
+The port close_delay and closing_wait parameters set by TIOCSSERIAL are
+specified in jiffies and not milliseconds.
+
+Add the missing conversions so that the TIOCSSERIAL works as expected
+also when HZ is not 1000.
+
+Fixes: 02303f73373a ("usb-wwan: implement TIOCGSERIAL and TIOCSSERIAL to avoid blocking close(2)")
+Cc: stable@vger.kernel.org      # 2.6.38
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/usb_wwan.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/usb_wwan.c
++++ b/drivers/usb/serial/usb_wwan.c
+@@ -140,10 +140,10 @@ int usb_wwan_get_serial_info(struct tty_
+       ss->line            = port->minor;
+       ss->port            = port->port_number;
+       ss->baud_base       = tty_get_baud_rate(port->port.tty);
+-      ss->close_delay     = port->port.close_delay / 10;
++      ss->close_delay     = jiffies_to_msecs(port->port.close_delay) / 10;
+       ss->closing_wait    = port->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+                                ASYNC_CLOSING_WAIT_NONE :
+-                               port->port.closing_wait / 10;
++                               jiffies_to_msecs(port->port.closing_wait) / 10;
+       return 0;
+ }
+ EXPORT_SYMBOL(usb_wwan_get_serial_info);
+@@ -155,9 +155,10 @@ int usb_wwan_set_serial_info(struct tty_
+       unsigned int closing_wait, close_delay;
+       int retval = 0;
+-      close_delay = ss->close_delay * 10;
++      close_delay = msecs_to_jiffies(ss->close_delay * 10);
+       closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+-                      ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10;
++                      ASYNC_CLOSING_WAIT_NONE :
++                      msecs_to_jiffies(ss->closing_wait * 10);
+       mutex_lock(&port->port.mutex);