--- /dev/null
+From 42641042c10c757fe10cc09088cf3f436cec5007 Mon Sep 17 00:00:00 2001
+From: Arnd Bergmann <arnd@arndb.de>
+Date: Mon, 27 Sep 2021 14:13:57 +0200
+Subject: cb710: avoid NULL pointer subtraction
+
+From: Arnd Bergmann <arnd@arndb.de>
+
+commit 42641042c10c757fe10cc09088cf3f436cec5007 upstream.
+
+clang-14 complains about an unusual way of converting a pointer to
+an integer:
+
+drivers/misc/cb710/sgbuf2.c:50:15: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction]
+ return ((ptr - NULL) & 3) != 0;
+
+Replace this with a normal cast to uintptr_t.
+
+Fixes: 5f5bac8272be ("mmc: Driver for CB710/720 memory card reader (MMC part)")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Arnd Bergmann <arnd@arndb.de>
+Link: https://lore.kernel.org/r/20210927121408.939246-1-arnd@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/cb710/sgbuf2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/cb710/sgbuf2.c
++++ b/drivers/misc/cb710/sgbuf2.c
+@@ -47,7 +47,7 @@ static inline bool needs_unaligned_copy(
+ #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
+ return false;
+ #else
+- return ((ptr - NULL) & 3) != 0;
++ return ((uintptr_t)ptr & 3) != 0;
+ #endif
+ }
+
--- /dev/null
+From d9b7748ffc45250b4d7bcf22404383229bc495f5 Mon Sep 17 00:00:00 2001
+From: Hans Potsch <hans.potsch@nokia.com>
+Date: Wed, 6 Oct 2021 14:13:32 +0200
+Subject: EDAC/armada-xp: Fix output of uncorrectable error counter
+
+From: Hans Potsch <hans.potsch@nokia.com>
+
+commit d9b7748ffc45250b4d7bcf22404383229bc495f5 upstream.
+
+The number of correctable errors is displayed as uncorrectable
+errors because the "SBE" error count is passed to both calls of
+edac_mc_handle_error().
+
+Pass the correct uncorrectable error count to the second
+edac_mc_handle_error() call when logging uncorrectable errors.
+
+ [ bp: Massage commit message. ]
+
+Fixes: 7f6998a41257 ("ARM: 8888/1: EDAC: Add driver for the Marvell Armada XP SDRAM and L2 cache ECC")
+Signed-off-by: Hans Potsch <hans.potsch@nokia.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lkml.kernel.org/r/20211006121332.58788-1-hans.potsch@nokia.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/edac/armada_xp_edac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/edac/armada_xp_edac.c
++++ b/drivers/edac/armada_xp_edac.c
+@@ -178,7 +178,7 @@ static void axp_mc_check(struct mem_ctl_
+ "details unavailable (multiple errors)");
+ if (cnt_dbe)
+ edac_mc_handle_error(HW_EVENT_ERR_UNCORRECTED, mci,
+- cnt_sbe, /* error count */
++ cnt_dbe, /* error count */
+ 0, 0, 0, /* pfn, offset, syndrome */
+ -1, -1, -1, /* top, mid, low layer */
+ mci->ctl_name,
--- /dev/null
+From 38fa3206bf441911258e5001ac8b6738693f8d82 Mon Sep 17 00:00:00 2001
+From: Zhang Jianhua <chris.zjh@huawei.com>
+Date: Thu, 23 Sep 2021 10:53:40 +0800
+Subject: efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock()
+
+From: Zhang Jianhua <chris.zjh@huawei.com>
+
+commit 38fa3206bf441911258e5001ac8b6738693f8d82 upstream.
+
+While reboot the system by sysrq, the following bug will be occur.
+
+BUG: sleeping function called from invalid context at kernel/locking/semaphore.c:90
+in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 10052, name: rc.shutdown
+CPU: 3 PID: 10052 Comm: rc.shutdown Tainted: G W O 5.10.0 #1
+Call trace:
+ dump_backtrace+0x0/0x1c8
+ show_stack+0x18/0x28
+ dump_stack+0xd0/0x110
+ ___might_sleep+0x14c/0x160
+ __might_sleep+0x74/0x88
+ down_interruptible+0x40/0x118
+ virt_efi_reset_system+0x3c/0xd0
+ efi_reboot+0xd4/0x11c
+ machine_restart+0x60/0x9c
+ emergency_restart+0x1c/0x2c
+ sysrq_handle_reboot+0x1c/0x2c
+ __handle_sysrq+0xd0/0x194
+ write_sysrq_trigger+0xbc/0xe4
+ proc_reg_write+0xd4/0xf0
+ vfs_write+0xa8/0x148
+ ksys_write+0x6c/0xd8
+ __arm64_sys_write+0x18/0x28
+ el0_svc_common.constprop.3+0xe4/0x16c
+ do_el0_svc+0x1c/0x2c
+ el0_svc+0x20/0x30
+ el0_sync_handler+0x80/0x17c
+ el0_sync+0x158/0x180
+
+The reason for this problem is that irq has been disabled in
+machine_restart() and then it calls down_interruptible() in
+virt_efi_reset_system(), which would occur sleep in irq context,
+it is dangerous! Commit 99409b935c9a("locking/semaphore: Add
+might_sleep() to down_*() family") add might_sleep() in
+down_interruptible(), so the bug info is here. down_trylock()
+can solve this problem, cause there is no might_sleep.
+
+--------
+
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Zhang Jianhua <chris.zjh@huawei.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/runtime-wrappers.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/firmware/efi/runtime-wrappers.c
++++ b/drivers/firmware/efi/runtime-wrappers.c
+@@ -414,7 +414,7 @@ static void virt_efi_reset_system(int re
+ unsigned long data_size,
+ efi_char16_t *data)
+ {
+- if (down_interruptible(&efi_runtime_lock)) {
++ if (down_trylock(&efi_runtime_lock)) {
+ pr_warn("failed to invoke the reset_system() runtime service:\n"
+ "could not get exclusive access to the firmware\n");
+ return;
--- /dev/null
+From b3a72ca80351917cc23f9e24c35f3c3979d3c121 Mon Sep 17 00:00:00 2001
+From: Ard Biesheuvel <ardb@kernel.org>
+Date: Wed, 1 Sep 2021 08:33:19 +0200
+Subject: efi/cper: use stack buffer for error record decoding
+
+From: Ard Biesheuvel <ardb@kernel.org>
+
+commit b3a72ca80351917cc23f9e24c35f3c3979d3c121 upstream.
+
+Joe reports that using a statically allocated buffer for converting CPER
+error records into human readable text is probably a bad idea. Even
+though we are not aware of any actual issues, a stack buffer is clearly
+a better choice here anyway, so let's move the buffer into the stack
+frames of the two functions that refer to it.
+
+Cc: <stable@vger.kernel.org>
+Reported-by: Joe Perches <joe@perches.com>
+Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firmware/efi/cper.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firmware/efi/cper.c
++++ b/drivers/firmware/efi/cper.c
+@@ -25,8 +25,6 @@
+ #include <acpi/ghes.h>
+ #include <ras/ras_event.h>
+
+-static char rcd_decode_str[CPER_REC_LEN];
+-
+ /*
+ * CPER record ID need to be unique even after reboot, because record
+ * ID is used as index for ERST storage, while CPER records from
+@@ -299,6 +297,7 @@ const char *cper_mem_err_unpack(struct t
+ struct cper_mem_err_compact *cmem)
+ {
+ const char *ret = trace_seq_buffer_ptr(p);
++ char rcd_decode_str[CPER_REC_LEN];
+
+ if (cper_mem_err_location(cmem, rcd_decode_str))
+ trace_seq_printf(p, "%s", rcd_decode_str);
+@@ -313,6 +312,7 @@ static void cper_print_mem(const char *p
+ int len)
+ {
+ struct cper_mem_err_compact cmem;
++ char rcd_decode_str[CPER_REC_LEN];
+
+ /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */
+ if (len == sizeof(struct cper_sec_mem_err_old) &&
--- /dev/null
+From 3378a07daa6cdd11e042797454c706d1c69f9ca6 Mon Sep 17 00:00:00 2001
+From: Michael Cullen <michael@michaelcullen.name>
+Date: Fri, 15 Oct 2021 13:17:50 -0700
+Subject: Input: xpad - add support for another USB ID of Nacon GC-100
+
+From: Michael Cullen <michael@michaelcullen.name>
+
+commit 3378a07daa6cdd11e042797454c706d1c69f9ca6 upstream.
+
+The Nacon GX100XF is already mapped, but it seems there is a Nacon
+GC-100 (identified as NC5136Wht PCGC-100WHITE though I believe other
+colours exist) with a different USB ID when in XInput mode.
+
+Signed-off-by: Michael Cullen <michael@michaelcullen.name>
+Link: https://lore.kernel.org/r/20211015192051.5196-1-michael@michaelcullen.name
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/joystick/xpad.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -331,6 +331,7 @@ static const struct xpad_device {
+ { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 },
+ { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 },
+ { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 },
++ { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 },
+ { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX },
+ { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX },
+ { 0x0000, 0x0000, "Generic X-Box pad", 0, XTYPE_UNKNOWN }
+@@ -447,6 +448,7 @@ static const struct usb_device_id xpad_t
+ XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */
+ XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */
+ XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */
++ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */
+ { }
+ };
+
--- /dev/null
+From 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 Mon Sep 17 00:00:00 2001
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Date: Fri, 1 Oct 2021 20:36:44 +0300
+Subject: mei: me: add Ice Lake-N device id.
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+commit 75c10c5e7a715550afdd51ef8cfd1d975f48f9e1 upstream.
+
+Add Ice Lake-N device ID.
+
+The device can be found on MacBookPro16,2 [1].
+
+[1]: https://linux-hardware.org/?probe=f1c5cf0c43
+
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211001173644.16068-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/misc/mei/hw-me-regs.h | 1 +
+ drivers/misc/mei/pci-me.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -90,6 +90,7 @@
+ #define MEI_DEV_ID_CDF 0x18D3 /* Cedar Fork */
+
+ #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
++#define MEI_DEV_ID_ICP_N 0x38E0 /* Ice Lake Point N */
+
+ #define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -103,6 +103,7 @@ static const struct pci_device_id mei_me
+ {MEI_PCI_DEVICE(MEI_DEV_ID_CMP_H_3, MEI_ME_PCH8_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
++ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_N, MEI_ME_PCH12_CFG)},
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)},
+
--- /dev/null
+From 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 Mon Sep 17 00:00:00 2001
+From: Stephen Boyd <swboyd@chromium.org>
+Date: Wed, 13 Oct 2021 13:45:11 +0100
+Subject: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
+
+From: Stephen Boyd <swboyd@chromium.org>
+
+commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream.
+
+If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic
+
+ *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
+
+will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we
+subtract one from that making a large number that is then shifted more than the
+number of bits that fit into an unsigned long.
+
+UBSAN reports this problem:
+
+ UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8
+ shift exponent 64 is too large for 64-bit type 'unsigned long'
+ CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9
+ Hardware name: Google Lazor (rev3+) with KB Backlight (DT)
+ Workqueue: events_unbound deferred_probe_work_func
+ Call trace:
+ dump_backtrace+0x0/0x170
+ show_stack+0x24/0x30
+ dump_stack_lvl+0x64/0x7c
+ dump_stack+0x18/0x38
+ ubsan_epilogue+0x10/0x54
+ __ubsan_handle_shift_out_of_bounds+0x180/0x194
+ __nvmem_cell_read+0x1ec/0x21c
+ nvmem_cell_read+0x58/0x94
+ nvmem_cell_read_variable_common+0x4c/0xb0
+ nvmem_cell_read_variable_le_u32+0x40/0x100
+ a6xx_gpu_init+0x170/0x2f4
+ adreno_bind+0x174/0x284
+ component_bind_all+0xf0/0x264
+ msm_drm_bind+0x1d8/0x7a0
+ try_to_bring_up_master+0x164/0x1ac
+ __component_add+0xbc/0x13c
+ component_add+0x20/0x2c
+ dp_display_probe+0x340/0x384
+ platform_probe+0xc0/0x100
+ really_probe+0x110/0x304
+ __driver_probe_device+0xb8/0x120
+ driver_probe_device+0x4c/0xfc
+ __device_attach_driver+0xb0/0x128
+ bus_for_each_drv+0x90/0xdc
+ __device_attach+0xc8/0x174
+ device_initial_probe+0x20/0x2c
+ bus_probe_device+0x40/0xa4
+ deferred_probe_work_func+0x7c/0xb8
+ process_one_work+0x128/0x21c
+ process_scheduled_works+0x40/0x54
+ worker_thread+0x1ec/0x2a8
+ kthread+0x138/0x158
+ ret_from_fork+0x10/0x20
+
+Fix it by making sure there are any bits to mask out.
+
+Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers")
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Stephen Boyd <swboyd@chromium.org>
+Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvmem/core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/nvmem/core.c
++++ b/drivers/nvmem/core.c
+@@ -954,7 +954,8 @@ static void nvmem_shift_read_buffer_in_p
+ *p-- = 0;
+
+ /* clear msb bits if any leftover in the last byte */
+- *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0);
++ if (cell->nbits % BITS_PER_BYTE)
++ *p &= GENMASK((cell->nbits % BITS_PER_BYTE) - 1, 0);
+ }
+
+ static int __nvmem_cell_read(struct nvmem_device *nvmem,
btrfs-check-for-error-when-looking-up-inode-during-dir-entry-replay.patch
watchdog-orion-use-0-for-unset-heartbeat.patch
x86-resctrl-free-the-ctrlval-arrays-when-domain_setup_mon_state-fails.patch
+mei-me-add-ice-lake-n-device-id.patch
+xhci-guard-accesses-to-ep_state-in-xhci_endpoint_reset.patch
+xhci-fix-command-ring-pointer-corruption-while-aborting-a-command.patch
+xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch
+cb710-avoid-null-pointer-subtraction.patch
+efi-cper-use-stack-buffer-for-error-record-decoding.patch
+efi-change-down_interruptible-in-virt_efi_reset_system-to-down_trylock.patch
+usb-musb-dsps-fix-the-probe-error-path.patch
+input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch
+usb-serial-qcserial-add-em9191-qdl-support.patch
+usb-serial-option-add-quectel-ec200s-cn-module-support.patch
+usb-serial-option-add-telit-le910cx-composition-0x1204.patch
+usb-serial-option-add-prod.-id-for-quectel-eg91.patch
+virtio-write-back-f_version_1-before-validate.patch
+edac-armada-xp-fix-output-of-uncorrectable-error-counter.patch
+nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch
--- /dev/null
+From c2115b2b16421d93d4993f3fe4c520e91d6fe801 Mon Sep 17 00:00:00 2001
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+Date: Wed, 6 Oct 2021 00:16:31 +0200
+Subject: usb: musb: dsps: Fix the probe error path
+
+From: Miquel Raynal <miquel.raynal@bootlin.com>
+
+commit c2115b2b16421d93d4993f3fe4c520e91d6fe801 upstream.
+
+Commit 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after
+initializing musb") has inverted the calls to
+dsps_setup_optional_vbus_irq() and dsps_create_musb_pdev() without
+updating correctly the error path. dsps_create_musb_pdev() allocates and
+registers a new platform device which must be unregistered and freed
+with platform_device_unregister(), and this is missing upon
+dsps_setup_optional_vbus_irq() error.
+
+While on the master branch it seems not to trigger any issue, I observed
+a kernel crash because of a NULL pointer dereference with a v5.10.70
+stable kernel where the patch mentioned above was backported. With this
+kernel version, -EPROBE_DEFER is returned the first time
+dsps_setup_optional_vbus_irq() is called which triggers the probe to
+error out without unregistering the platform device. Unfortunately, on
+the Beagle Bone Black Wireless, the platform device still living in the
+system is being used by the USB Ethernet gadget driver, which during the
+boot phase triggers the crash.
+
+My limited knowledge of the musb world prevents me to revert this commit
+which was sent to silence a robot warning which, as far as I understand,
+does not make sense. The goal of this patch was to prevent an IRQ to
+fire before the platform device being registered. I think this cannot
+ever happen due to the fact that enabling the interrupts is done by the
+->enable() callback of the platform musb device, and this platform
+device must be already registered in order for the core or any other
+user to use this callback.
+
+Hence, I decided to fix the error path, which might prevent future
+errors on mainline kernels while also fixing older ones.
+
+Fixes: 7c75bde329d7 ("usb: musb: musb_dsps: request_irq() after initializing musb")
+Cc: stable@vger.kernel.org
+Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
+Link: https://lore.kernel.org/r/20211005221631.1529448-1-miquel.raynal@bootlin.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/musb/musb_dsps.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_dsps.c
++++ b/drivers/usb/musb/musb_dsps.c
+@@ -899,11 +899,13 @@ static int dsps_probe(struct platform_de
+ if (usb_get_dr_mode(&pdev->dev) == USB_DR_MODE_PERIPHERAL) {
+ ret = dsps_setup_optional_vbus_irq(pdev, glue);
+ if (ret)
+- goto err;
++ goto unregister_pdev;
+ }
+
+ return 0;
+
++unregister_pdev:
++ platform_device_unregister(glue->musb);
+ err:
+ pm_runtime_disable(&pdev->dev);
+ iounmap(glue->usbss_base);
--- /dev/null
+From c184accc4a42c7872dc8e8d0fc97a740dc61fe24 Mon Sep 17 00:00:00 2001
+From: Tomaz Solc <tomaz.solc@tablix.org>
+Date: Wed, 6 Oct 2021 14:57:50 +0200
+Subject: USB: serial: option: add prod. id for Quectel EG91
+
+From: Tomaz Solc <tomaz.solc@tablix.org>
+
+commit c184accc4a42c7872dc8e8d0fc97a740dc61fe24 upstream.
+
+Adding support for Quectel EG91 LTE module.
+
+The interface layout is same as for EG95.
+
+usb-devices output:
+T: Bus=01 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=0191 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+C: #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none)
+I: If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+
+Interfaces:
+
+0: Diag
+1: GNSS
+2: AT-command interface/modem
+3: Modem
+4: QMI
+
+Signed-off-by: Tomaz Solc <tomaz.solc@tablix.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -246,6 +246,7 @@ static void option_instat_callback(struc
+ /* These Quectel products use Quectel's vendor ID */
+ #define QUECTEL_PRODUCT_EC21 0x0121
+ #define QUECTEL_PRODUCT_EC25 0x0125
++#define QUECTEL_PRODUCT_EG91 0x0191
+ #define QUECTEL_PRODUCT_EG95 0x0195
+ #define QUECTEL_PRODUCT_BG96 0x0296
+ #define QUECTEL_PRODUCT_EP06 0x0306
+@@ -1112,6 +1113,9 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0xff, 0xff),
+ .driver_info = NUMEP2 },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25, 0xff, 0, 0) },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0xff, 0xff),
++ .driver_info = NUMEP2 },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG91, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0xff, 0xff),
+ .driver_info = NUMEP2 },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EG95, 0xff, 0, 0) },
--- /dev/null
+From 2263eb7370060bdb0013bc14e1a7c9bf33617a55 Mon Sep 17 00:00:00 2001
+From: Yu-Tung Chang <mtwget@gmail.com>
+Date: Thu, 30 Sep 2021 10:11:12 +0800
+Subject: USB: serial: option: add Quectel EC200S-CN module support
+
+From: Yu-Tung Chang <mtwget@gmail.com>
+
+commit 2263eb7370060bdb0013bc14e1a7c9bf33617a55 upstream.
+
+Add usb product id of the Quectel EC200S-CN module.
+
+usb-devices output for 0x6002:
+T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 3 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=2c7c ProdID=6002 Rev=03.18
+S: Manufacturer=Android
+S: Product=Android
+S: SerialNumber=0000
+C: #Ifs= 5 Cfg#= 1 Atr=e0 MxPwr=500mA
+I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
+I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
+I: If#=0x2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+I: If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none)
+
+Signed-off-by: Yu-Tung Chang <mtwget@gmail.com>
+Link: https://lore.kernel.org/r/20210930021112.330396-1-mtwget@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -251,6 +251,7 @@ static void option_instat_callback(struc
+ #define QUECTEL_PRODUCT_EP06 0x0306
+ #define QUECTEL_PRODUCT_EM12 0x0512
+ #define QUECTEL_PRODUCT_RM500Q 0x0800
++#define QUECTEL_PRODUCT_EC200S_CN 0x6002
+ #define QUECTEL_PRODUCT_EC200T 0x6026
+
+ #define CMOTECH_VENDOR_ID 0x16d8
+@@ -1128,6 +1129,7 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_RM500Q, 0xff, 0xff, 0x10),
+ .driver_info = ZLP },
++ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200S_CN, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC200T, 0xff, 0, 0) },
+
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
--- /dev/null
+From f5a8a07edafed8bede17a95ef8940fe3a57a77d5 Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 4 Oct 2021 12:56:55 +0200
+Subject: USB: serial: option: add Telit LE910Cx composition 0x1204
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit f5a8a07edafed8bede17a95ef8940fe3a57a77d5 upstream.
+
+Add the following Telit LE910Cx composition:
+
+0x1204: tty, adb, mbim, tty, tty, tty, tty
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Link: https://lore.kernel.org/r/20211004105655.8515-1-dnlplm@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1229,6 +1229,8 @@ static const struct usb_device_id option
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1203, 0xff), /* Telit LE910Cx (RNDIS) */
+ .driver_info = NCTRL(2) | RSVD(3) },
++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1204, 0xff), /* Telit LE910Cx (MBIM) */
++ .driver_info = NCTRL(0) | RSVD(1) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
+ .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
--- /dev/null
+From 11c52d250b34a0862edc29db03fbec23b30db6da Mon Sep 17 00:00:00 2001
+From: Aleksander Morgado <aleksander@aleksander.es>
+Date: Thu, 7 Oct 2021 14:25:01 +0200
+Subject: USB: serial: qcserial: add EM9191 QDL support
+
+From: Aleksander Morgado <aleksander@aleksander.es>
+
+commit 11c52d250b34a0862edc29db03fbec23b30db6da upstream.
+
+When the module boots into QDL download mode it exposes the 1199:90d2
+ids, which can be mapped to the qcserial driver, and used to run
+firmware upgrades (e.g. with the qmi-firmware-update program).
+
+ T: Bus=01 Lev=03 Prnt=08 Port=03 Cnt=01 Dev#= 10 Spd=480 MxCh= 0
+ D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+ P: Vendor=1199 ProdID=90d2 Rev=00.00
+ S: Manufacturer=Sierra Wireless, Incorporated
+ S: Product=Sierra Wireless EM9191
+ S: SerialNumber=8W0382004102A109
+ C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA
+ I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial
+
+Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/qcserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -165,6 +165,7 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */
+ {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */
++ {DEVICE_SWI(0x1199, 0x90d2)}, /* Sierra Wireless EM9191 QDL */
+ {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
--- /dev/null
+From 2f9a174f918e29608564c7a4e8329893ab604fb4 Mon Sep 17 00:00:00 2001
+From: Halil Pasic <pasic@linux.ibm.com>
+Date: Mon, 11 Oct 2021 07:39:21 +0200
+Subject: virtio: write back F_VERSION_1 before validate
+
+From: Halil Pasic <pasic@linux.ibm.com>
+
+commit 2f9a174f918e29608564c7a4e8329893ab604fb4 upstream.
+
+The virtio specification virtio-v1.1-cs01 states: "Transitional devices
+MUST detect Legacy drivers by detecting that VIRTIO_F_VERSION_1 has not
+been acknowledged by the driver." This is exactly what QEMU as of 6.1
+has done relying solely on VIRTIO_F_VERSION_1 for detecting that.
+
+However, the specification also says: "... the driver MAY read (but MUST
+NOT write) the device-specific configuration fields to check that it can
+support the device ..." before setting FEATURES_OK.
+
+In that case, any transitional device relying solely on
+VIRTIO_F_VERSION_1 for detecting legacy drivers will return data in
+legacy format. In particular, this implies that it is in big endian
+format for big endian guests. This naturally confuses the driver which
+expects little endian in the modern mode.
+
+It is probably a good idea to amend the spec to clarify that
+VIRTIO_F_VERSION_1 can only be relied on after the feature negotiation
+is complete. Before validate callback existed, config space was only
+read after FEATURES_OK. However, we already have two regressions, so
+let's address this here as well.
+
+The regressions affect the VIRTIO_NET_F_MTU feature of virtio-net and
+the VIRTIO_BLK_F_BLK_SIZE feature of virtio-blk for BE guests when
+virtio 1.0 is used on both sides. The latter renders virtio-blk unusable
+with DASD backing, because things simply don't work with the default.
+See Fixes tags for relevant commits.
+
+For QEMU, we can work around the issue by writing out the feature bits
+with VIRTIO_F_VERSION_1 bit set. We (ab)use the finalize_features
+config op for this. This isn't enough to address all vhost devices since
+these do not get the features until FEATURES_OK, however it looks like
+the affected devices actually never handled the endianness for legacy
+mode correctly, so at least that's not a regression.
+
+No devices except virtio net and virtio blk seem to be affected.
+
+Long term the right thing to do is to fix the hypervisors.
+
+Cc: <stable@vger.kernel.org> #v4.11
+Signed-off-by: Halil Pasic <pasic@linux.ibm.com>
+Fixes: 82e89ea077b9 ("virtio-blk: Add validation for block size in config space")
+Fixes: fe36cbe0671e ("virtio_net: clear MTU when out of range")
+Reported-by: markver@us.ibm.com
+Reviewed-by: Cornelia Huck <cohuck@redhat.com>
+Link: https://lore.kernel.org/r/20211011053921.1198936-1-pasic@linux.ibm.com
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/virtio/virtio.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/drivers/virtio/virtio.c
++++ b/drivers/virtio/virtio.c
+@@ -225,6 +225,17 @@ static int virtio_dev_probe(struct devic
+ driver_features_legacy = driver_features;
+ }
+
++ /*
++ * Some devices detect legacy solely via F_VERSION_1. Write
++ * F_VERSION_1 to force LE config space accesses before FEATURES_OK for
++ * these when needed.
++ */
++ if (drv->validate && !virtio_legacy_is_little_endian()
++ && device_features & BIT_ULL(VIRTIO_F_VERSION_1)) {
++ dev->features = BIT_ULL(VIRTIO_F_VERSION_1);
++ dev->config->finalize_features(dev);
++ }
++
+ if (device_features & (1ULL << VIRTIO_F_VERSION_1))
+ dev->features = driver_features & device_features;
+ else
--- /dev/null
+From ea0f69d8211963c4b2cc1998b86779a500adb502 Mon Sep 17 00:00:00 2001
+From: Nikolay Martynov <mar.kolya@gmail.com>
+Date: Fri, 8 Oct 2021 12:25:47 +0300
+Subject: xhci: Enable trust tx length quirk for Fresco FL11 USB controller
+
+From: Nikolay Martynov <mar.kolya@gmail.com>
+
+commit ea0f69d8211963c4b2cc1998b86779a500adb502 upstream.
+
+Tested on SD5200T TB3 dock which has Fresco Logic FL1100 USB 3.0 Host
+Controller.
+Before this patch streaming video from USB cam made mouse and keyboard
+connected to the same USB bus unusable. Also video was jerky.
+With this patch streaming video doesn't have any effect on other
+periferals and video is smooth.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Nikolay Martynov <mar.kolya@gmail.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-6-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-pci.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -28,6 +28,7 @@
+ #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009
++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 0x1100
+ #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400
+
+ #define PCI_VENDOR_ID_ETRON 0x1b6f
+@@ -98,6 +99,7 @@ static void xhci_pci_quirks(struct devic
+ /* Look for vendor-specific quirks */
+ if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC &&
+ (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK ||
++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 ||
+ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) {
+ if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK &&
+ pdev->revision == 0x0) {
--- /dev/null
+From ff0e50d3564f33b7f4b35cadeabd951d66cfc570 Mon Sep 17 00:00:00 2001
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Date: Fri, 8 Oct 2021 12:25:46 +0300
+Subject: xhci: Fix command ring pointer corruption while aborting a command
+
+From: Pavankumar Kondeti <pkondeti@codeaurora.org>
+
+commit ff0e50d3564f33b7f4b35cadeabd951d66cfc570 upstream.
+
+The command ring pointer is located at [6:63] bits of the command
+ring control register (CRCR). All the control bits like command stop,
+abort are located at [0:3] bits. While aborting a command, we read the
+CRCR and set the abort bit and write to the CRCR. The read will always
+give command ring pointer as all zeros. So we essentially write only
+the control bits. Since we split the 64 bit write into two 32 bit writes,
+there is a possibility of xHC command ring stopped before the upper
+dword (all zeros) is written. If that happens, xHC updates the upper
+dword of its internal command ring pointer with all zeros. Next time,
+when the command ring is restarted, we see xHC memory access failures.
+Fix this issue by only writing to the lower dword of CRCR where all
+control bits are located.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavankumar Kondeti <pkondeti@codeaurora.org>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-5-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci-ring.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -339,16 +339,22 @@ static void xhci_handle_stopped_cmd_ring
+ /* Must be called with xhci->lock held, releases and aquires lock back */
+ static int xhci_abort_cmd_ring(struct xhci_hcd *xhci, unsigned long flags)
+ {
+- u64 temp_64;
++ u32 temp_32;
+ int ret;
+
+ xhci_dbg(xhci, "Abort command ring\n");
+
+ reinit_completion(&xhci->cmd_ring_stop_completion);
+
+- temp_64 = xhci_read_64(xhci, &xhci->op_regs->cmd_ring);
+- xhci_write_64(xhci, temp_64 | CMD_RING_ABORT,
+- &xhci->op_regs->cmd_ring);
++ /*
++ * The control bits like command stop, abort are located in lower
++ * dword of the command ring control register. Limit the write
++ * to the lower dword to avoid corrupting the command ring pointer
++ * in case if the command ring is stopped by the time upper dword
++ * is written.
++ */
++ temp_32 = readl(&xhci->op_regs->cmd_ring);
++ writel(temp_32 | CMD_RING_ABORT, &xhci->op_regs->cmd_ring);
+
+ /* Section 4.6.1.2 of xHCI 1.0 spec says software should also time the
+ * completion of the Command Abort operation. If CRR is not negated in 5
--- /dev/null
+From a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 Mon Sep 17 00:00:00 2001
+From: Jonathan Bell <jonathan@raspberrypi.com>
+Date: Fri, 8 Oct 2021 12:25:43 +0300
+Subject: xhci: guard accesses to ep_state in xhci_endpoint_reset()
+
+From: Jonathan Bell <jonathan@raspberrypi.com>
+
+commit a01ba2a3378be85538e0183ae5367c1bc1d5aaf3 upstream.
+
+See https://github.com/raspberrypi/linux/issues/3981
+
+Two read-modify-write cycles on ep->ep_state are not guarded by
+xhci->lock. Fix these.
+
+Fixes: f5249461b504 ("xhci: Clear the host side toggle manually when endpoint is soft reset")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jonathan Bell <jonathan@raspberrypi.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Link: https://lore.kernel.org/r/20211008092547.3996295-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/host/xhci.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -3173,10 +3173,13 @@ static void xhci_endpoint_reset(struct u
+ return;
+
+ /* Bail out if toggle is already being cleared by a endpoint reset */
++ spin_lock_irqsave(&xhci->lock, flags);
+ if (ep->ep_state & EP_HARD_CLEAR_TOGGLE) {
+ ep->ep_state &= ~EP_HARD_CLEAR_TOGGLE;
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ return;
+ }
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ /* Only interrupt and bulk ep's use data toggle, USB2 spec 5.5.4-> */
+ if (usb_endpoint_xfer_control(&host_ep->desc) ||
+ usb_endpoint_xfer_isoc(&host_ep->desc))
+@@ -3262,8 +3265,10 @@ static void xhci_endpoint_reset(struct u
+ xhci_free_command(xhci, cfg_cmd);
+ cleanup:
+ xhci_free_command(xhci, stop_cmd);
++ spin_lock_irqsave(&xhci->lock, flags);
+ if (ep->ep_state & EP_SOFT_CLEAR_TOGGLE)
+ ep->ep_state &= ~EP_SOFT_CLEAR_TOGGLE;
++ spin_unlock_irqrestore(&xhci->lock, flags);
+ }
+
+ static int xhci_check_streams_endpoint(struct xhci_hcd *xhci,
projects / thirdparty / kernel / stable-queue.git / commitdiff
