--- /dev/null
+From 18abf874367456540846319574864e6ff32752e2 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Mon, 26 Apr 2021 11:26:22 +0200
+Subject: cdc-wdm: untangle a circular dependency between callback and softint
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 18abf874367456540846319574864e6ff32752e2 upstream.
+
+We have a cycle of callbacks scheduling works which submit
+URBs with those callbacks. This needs to be blocked, stopped
+and unblocked to untangle the circle.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Link: https://lore.kernel.org/r/20210426092622.20433-1-oneukum@suse.com
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/class/cdc-wdm.c | 30 ++++++++++++++++++++++--------
+ 1 file changed, 22 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -321,12 +321,23 @@ exit:
+
+ }
+
+-static void kill_urbs(struct wdm_device *desc)
++static void poison_urbs(struct wdm_device *desc)
+ {
+ /* the order here is essential */
+- usb_kill_urb(desc->command);
+- usb_kill_urb(desc->validity);
+- usb_kill_urb(desc->response);
++ usb_poison_urb(desc->command);
++ usb_poison_urb(desc->validity);
++ usb_poison_urb(desc->response);
++}
++
++static void unpoison_urbs(struct wdm_device *desc)
++{
++ /*
++ * the order here is not essential
++ * it is symmetrical just to be nice
++ */
++ usb_unpoison_urb(desc->response);
++ usb_unpoison_urb(desc->validity);
++ usb_unpoison_urb(desc->command);
+ }
+
+ static void free_urbs(struct wdm_device *desc)
+@@ -741,11 +752,12 @@ static int wdm_release(struct inode *ino
+ if (!desc->count) {
+ if (!test_bit(WDM_DISCONNECTING, &desc->flags)) {
+ dev_dbg(&desc->intf->dev, "wdm_release: cleanup\n");
+- kill_urbs(desc);
++ poison_urbs(desc);
+ spin_lock_irq(&desc->iuspin);
+ desc->resp_count = 0;
+ spin_unlock_irq(&desc->iuspin);
+ desc->manage_power(desc->intf, 0);
++ unpoison_urbs(desc);
+ } else {
+ /* must avoid dev_printk here as desc->intf is invalid */
+ pr_debug(KBUILD_MODNAME " %s: device gone - cleaning up\n", __func__);
+@@ -1036,9 +1048,9 @@ static void wdm_disconnect(struct usb_in
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
+- kill_urbs(desc);
+ mutex_unlock(&desc->wlock);
+ mutex_unlock(&desc->rlock);
+
+@@ -1079,9 +1091,10 @@ static int wdm_suspend(struct usb_interf
+ set_bit(WDM_SUSPENDING, &desc->flags);
+ spin_unlock_irq(&desc->iuspin);
+ /* callback submits work - order is essential */
+- kill_urbs(desc);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
++ unpoison_urbs(desc);
+ }
+ if (!PMSG_IS_AUTO(message)) {
+ mutex_unlock(&desc->wlock);
+@@ -1139,7 +1152,7 @@ static int wdm_pre_reset(struct usb_inte
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
+ mutex_lock(&desc->wlock);
+- kill_urbs(desc);
++ poison_urbs(desc);
+ cancel_work_sync(&desc->rxwork);
+ cancel_work_sync(&desc->service_outs_intr);
+ return 0;
+@@ -1150,6 +1163,7 @@ static int wdm_post_reset(struct usb_int
+ struct wdm_device *desc = wdm_find_device(intf);
+ int rv;
+
++ unpoison_urbs(desc);
+ clear_bit(WDM_OVERFLOW, &desc->flags);
+ clear_bit(WDM_RESETTING, &desc->flags);
+ rv = recover_from_urb_loss(desc);
--- /dev/null
+From f73c730774d88a14d7b60feee6d0e13570f99499 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 23 Apr 2021 05:09:59 +0300
+Subject: iio: gyro: mpu3050: Fix reported temperature value
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit f73c730774d88a14d7b60feee6d0e13570f99499 upstream.
+
+The raw temperature value is a 16-bit signed integer. The sign casting
+is missing in the code, which results in a wrong temperature reported
+by userspace tools, fix it.
+
+Cc: stable@vger.kernel.org
+Fixes: 3904b28efb2c ("iio: gyro: Add driver for the MPU-3050 gyroscope")
+Datasheet: https://www.cdiweb.com/datasheets/invensense/mpu-3000a.pdf
+Tested-by: Maxim Schwalm <maxim.schwalm@gmail.com> # Asus TF700T
+Tested-by: Svyatoslav Ryhel <clamor95@gmail.com> # Asus TF201
+Reported-by: Svyatoslav Ryhel <clamor95@gmail.com>
+Reviewed-by: Andy Shevchenko <Andy.Shevchenko@gmail.com>
+Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Jean-Baptiste Maneyrol <jmaneyrol@invensense.com>
+Link: https://lore.kernel.org/r/20210423020959.5023-1-digetx@gmail.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/gyro/mpu3050-core.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/gyro/mpu3050-core.c
++++ b/drivers/iio/gyro/mpu3050-core.c
+@@ -270,7 +270,16 @@ static int mpu3050_read_raw(struct iio_d
+ case IIO_CHAN_INFO_OFFSET:
+ switch (chan->type) {
+ case IIO_TEMP:
+- /* The temperature scaling is (x+23000)/280 Celsius */
++ /*
++ * The temperature scaling is (x+23000)/280 Celsius
++ * for the "best fit straight line" temperature range
++ * of -30C..85C. The 23000 includes room temperature
++ * offset of +35C, 280 is the precision scale and x is
++ * the 16-bit signed integer reported by hardware.
++ *
++ * Temperature value itself represents temperature of
++ * the sensor die.
++ */
+ *val = 23000;
+ return IIO_VAL_INT;
+ default:
+@@ -327,7 +336,7 @@ static int mpu3050_read_raw(struct iio_d
+ goto out_read_raw_unlock;
+ }
+
+- *val = be16_to_cpu(raw_val);
++ *val = (s16)be16_to_cpu(raw_val);
+ ret = IIO_VAL_INT;
+
+ goto out_read_raw_unlock;
--- /dev/null
+From af0e1871d79cfbb91f732d2c6fa7558e45c31038 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Fri, 7 May 2021 19:30:41 +0100
+Subject: iio: tsl2583: Fix division by a zero lux_val
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit af0e1871d79cfbb91f732d2c6fa7558e45c31038 upstream.
+
+The lux_val returned from tsl2583_get_lux can potentially be zero,
+so check for this to avoid a division by zero and an overflowed
+gain_trim_val.
+
+Fixes clang scan-build warning:
+
+drivers/iio/light/tsl2583.c:345:40: warning: Either the
+condition 'lux_val<0' is redundant or there is division
+by zero at line 345. [zerodivcond]
+
+Fixes: ac4f6eee8fe8 ("staging: iio: TAOS tsl258x: Device driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/light/tsl2583.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/iio/light/tsl2583.c
++++ b/drivers/iio/light/tsl2583.c
+@@ -350,6 +350,14 @@ static int tsl2583_als_calibrate(struct
+ return lux_val;
+ }
+
++ /* Avoid division by zero of lux_value later on */
++ if (lux_val == 0) {
++ dev_err(&chip->client->dev,
++ "%s: lux_val of 0 will produce out of range trim_value\n",
++ __func__);
++ return -ENODATA;
++ }
++
+ gain_trim_val = (unsigned int)(((chip->als_settings.als_cal_target)
+ * chip->als_settings.als_gain_trim) / lux_val);
+ if ((gain_trim_val < 250) || (gain_trim_val > 4000)) {
--- /dev/null
+From 594b27e677b35f9734b1969d175ebc6146741109 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner <tglx@linutronix.de>
+Date: Wed, 5 May 2021 23:48:17 +0200
+Subject: KVM: x86: Cancel pvclock_gtod_work on module removal
+
+From: Thomas Gleixner <tglx@linutronix.de>
+
+commit 594b27e677b35f9734b1969d175ebc6146741109 upstream.
+
+Nothing prevents the following:
+
+ pvclock_gtod_notify()
+ queue_work(system_long_wq, &pvclock_gtod_work);
+ ...
+ remove_module(kvm);
+ ...
+ work_queue_run()
+ pvclock_gtod_work() <- UAF
+
+Ditto for any other operation on that workqueue list head which touches
+pvclock_gtod_work after module removal.
+
+Cancel the work in kvm_arch_exit() to prevent that.
+
+Fixes: 16e8d74d2da9 ("KVM: x86: notifier for clocksource changes")
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Message-Id: <87czu4onry.ffs@nanos.tec.linutronix.de>
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kvm/x86.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/x86/kvm/x86.c
++++ b/arch/x86/kvm/x86.c
+@@ -6911,6 +6911,7 @@ void kvm_arch_exit(void)
+ cpuhp_remove_state_nocalls(CPUHP_AP_X86_KVM_CLK_ONLINE);
+ #ifdef CONFIG_X86_64
+ pvclock_gtod_unregister_notifier(&pvclock_gtod_notifier);
++ cancel_work_sync(&pvclock_gtod_work);
+ #endif
+ kvm_x86_ops = NULL;
+ kvm_mmu_module_exit();
usb-dwc2-fix-gadget-dma-unmap-direction.patch
usb-core-hub-fix-race-condition-about-trsmrcy-of-resume.patch
usb-dwc3-gadget-return-success-always-for-kick-transfer-in-ep-queue.patch
+xhci-do-not-use-gfp_kernel-in-potentially-atomic-context.patch
+xhci-add-reset-resume-quirk-for-amd-xhci-controller.patch
+iio-gyro-mpu3050-fix-reported-temperature-value.patch
+iio-tsl2583-fix-division-by-a-zero-lux_val.patch
+cdc-wdm-untangle-a-circular-dependency-between-callback-and-softint.patch
+kvm-x86-cancel-pvclock_gtod_work-on-module-removal.patch
--- /dev/null
+From 3c128781d8da463761495aaf8898c9ecb4e71528 Mon Sep 17 00:00:00 2001
+From: Sandeep Singh <sandeep.singh@amd.com>
+Date: Wed, 12 May 2021 11:08:16 +0300
+Subject: xhci: Add reset resume quirk for AMD xhci controller.
+
+From: Sandeep Singh <sandeep.singh@amd.com>
+
+commit 3c128781d8da463761495aaf8898c9ecb4e71528 upstream.
+
+One of AMD xhci controller require reset on resume.
+Occasionally AMD xhci controller does not respond to
+Stop endpoint command.
+Once the issue happens controller goes into bad state
+and in that case controller needs to be reset.
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sandeep Singh <sandeep.singh@amd.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -144,8 +144,10 @@ static void xhci_pci_quirks(struct devic
+ (pdev->device == 0x15e0 || pdev->device == 0x15e1))
+ xhci->quirks |= XHCI_SNPS_BROKEN_SUSPEND;
+
+- if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5)
++ if (pdev->vendor == PCI_VENDOR_ID_AMD && pdev->device == 0x15e5) {
+ xhci->quirks |= XHCI_DISABLE_SPARSE;
++ xhci->quirks |= XHCI_RESET_ON_RESUME;
++ }
+
+ if (pdev->vendor == PCI_VENDOR_ID_AMD)
+ xhci->quirks |= XHCI_TRUST_TX_LENGTH;
--- /dev/null
+From dda32c00c9a0fa103b5d54ef72c477b7aa993679 Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Wed, 12 May 2021 11:08:14 +0300
+Subject: xhci: Do not use GFP_KERNEL in (potentially) atomic context
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit dda32c00c9a0fa103b5d54ef72c477b7aa993679 upstream.
+
+'xhci_urb_enqueue()' is passed a 'mem_flags' argument, because "URBs may be
+submitted in interrupt context" (see comment related to 'usb_submit_urb()'
+in 'drivers/usb/core/urb.c')
+
+So this flag should be used in all the calling chain.
+Up to now, 'xhci_check_maxpacket()' which is only called from
+'xhci_urb_enqueue()', uses GFP_KERNEL.
+
+Be safe and pass the mem_flags to this function as well.
+
+Fixes: ddba5cd0aeff ("xhci: Use command structures when queuing commands on the command ring")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20210512080816.866037-4-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1374,7 +1374,7 @@ static int xhci_configure_endpoint(struc
+ * we need to issue an evaluate context command and wait on it.
+ */
+ static int xhci_check_maxpacket(struct xhci_hcd *xhci, unsigned int slot_id,
+- unsigned int ep_index, struct urb *urb)
++ unsigned int ep_index, struct urb *urb, gfp_t mem_flags)
+ {
+ struct xhci_container_ctx *out_ctx;
+ struct xhci_input_control_ctx *ctrl_ctx;
+@@ -1405,7 +1405,7 @@ static int xhci_check_maxpacket(struct x
+ * changes max packet sizes.
+ */
+
+- command = xhci_alloc_command(xhci, true, GFP_KERNEL);
++ command = xhci_alloc_command(xhci, true, mem_flags);
+ if (!command)
+ return -ENOMEM;
+
+@@ -1502,7 +1502,7 @@ static int xhci_urb_enqueue(struct usb_h
+ */
+ if (urb->dev->speed == USB_SPEED_FULL) {
+ ret = xhci_check_maxpacket(xhci, slot_id,
+- ep_index, urb);
++ ep_index, urb, mem_flags);
+ if (ret < 0) {
+ xhci_urb_free_priv(urb_priv);
+ urb->hcpriv = NULL;
projects / thirdparty / kernel / stable-queue.git / commitdiff
