From: Greg Kroah-Hartman Date: Mon, 18 Oct 2021 09:31:00 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.14.252~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bb6d6cf926a66857aa60cd6593f82d0efd43dfaa;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: cb710-avoid-null-pointer-subtraction.patch efi-cper-use-stack-buffer-for-error-record-decoding.patch input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch usb-serial-option-add-telit-le910cx-composition-0x1204.patch usb-serial-qcserial-add-em9191-qdl-support.patch xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch --- diff --git a/queue-4.4/cb710-avoid-null-pointer-subtraction.patch b/queue-4.4/cb710-avoid-null-pointer-subtraction.patch new file mode 100644 index 00000000000..ec547f82598 --- /dev/null +++ b/queue-4.4/cb710-avoid-null-pointer-subtraction.patch @@ -0,0 +1,37 @@ +From 42641042c10c757fe10cc09088cf3f436cec5007 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 27 Sep 2021 14:13:57 +0200 +Subject: cb710: avoid NULL pointer subtraction + +From: Arnd Bergmann + +commit 42641042c10c757fe10cc09088cf3f436cec5007 upstream. + +clang-14 complains about an unusual way of converting a pointer to +an integer: + +drivers/misc/cb710/sgbuf2.c:50:15: error: performing pointer subtraction with a null pointer has undefined behavior [-Werror,-Wnull-pointer-subtraction] + return ((ptr - NULL) & 3) != 0; + +Replace this with a normal cast to uintptr_t. + +Fixes: 5f5bac8272be ("mmc: Driver for CB710/720 memory card reader (MMC part)") +Cc: stable +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210927121408.939246-1-arnd@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/cb710/sgbuf2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/misc/cb710/sgbuf2.c ++++ b/drivers/misc/cb710/sgbuf2.c +@@ -50,7 +50,7 @@ static inline bool needs_unaligned_copy( + #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS + return false; + #else +- return ((ptr - NULL) & 3) != 0; ++ return ((uintptr_t)ptr & 3) != 0; + #endif + } + diff --git a/queue-4.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch b/queue-4.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch new file mode 100644 index 00000000000..1f5d15806cb --- /dev/null +++ b/queue-4.4/efi-cper-use-stack-buffer-for-error-record-decoding.patch @@ -0,0 +1,50 @@ +From b3a72ca80351917cc23f9e24c35f3c3979d3c121 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Wed, 1 Sep 2021 08:33:19 +0200 +Subject: efi/cper: use stack buffer for error record decoding + +From: Ard Biesheuvel + +commit b3a72ca80351917cc23f9e24c35f3c3979d3c121 upstream. + +Joe reports that using a statically allocated buffer for converting CPER +error records into human readable text is probably a bad idea. Even +though we are not aware of any actual issues, a stack buffer is clearly +a better choice here anyway, so let's move the buffer into the stack +frames of the two functions that refer to it. + +Cc: +Reported-by: Joe Perches +Signed-off-by: Ard Biesheuvel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/efi/cper.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/firmware/efi/cper.c ++++ b/drivers/firmware/efi/cper.c +@@ -35,8 +35,6 @@ + + #define INDENT_SP " " + +-static char rcd_decode_str[CPER_REC_LEN]; +- + /* + * CPER record ID need to be unique even after reboot, because record + * ID is used as index for ERST storage, while CPER records from +@@ -293,6 +291,7 @@ const char *cper_mem_err_unpack(struct t + struct cper_mem_err_compact *cmem) + { + const char *ret = trace_seq_buffer_ptr(p); ++ char rcd_decode_str[CPER_REC_LEN]; + + if (cper_mem_err_location(cmem, rcd_decode_str)) + trace_seq_printf(p, "%s", rcd_decode_str); +@@ -307,6 +306,7 @@ static void cper_print_mem(const char *p + int len) + { + struct cper_mem_err_compact cmem; ++ char rcd_decode_str[CPER_REC_LEN]; + + /* Don't trust UEFI 2.1/2.2 structure with bad validation bits */ + if (len == sizeof(struct cper_sec_mem_err_old) && diff --git a/queue-4.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch b/queue-4.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch new file mode 100644 index 00000000000..752dcc37605 --- /dev/null +++ b/queue-4.4/input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch @@ -0,0 +1,39 @@ +From 3378a07daa6cdd11e042797454c706d1c69f9ca6 Mon Sep 17 00:00:00 2001 +From: Michael Cullen +Date: Fri, 15 Oct 2021 13:17:50 -0700 +Subject: Input: xpad - add support for another USB ID of Nacon GC-100 + +From: Michael Cullen + +commit 3378a07daa6cdd11e042797454c706d1c69f9ca6 upstream. + +The Nacon GX100XF is already mapped, but it seems there is a Nacon +GC-100 (identified as NC5136Wht PCGC-100WHITE though I believe other +colours exist) with a different USB ID when in XInput mode. + +Signed-off-by: Michael Cullen +Link: https://lore.kernel.org/r/20211015192051.5196-1-michael@michaelcullen.name +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -348,6 +348,7 @@ static const struct xpad_device { + { 0x24c6, 0x5b03, "Thrustmaster Ferrari 458 Racing Wheel", 0, XTYPE_XBOX360 }, + { 0x24c6, 0x5d04, "Razer Sabertooth", 0, XTYPE_XBOX360 }, + { 0x24c6, 0xfafe, "Rock Candy Gamepad for Xbox 360", 0, XTYPE_XBOX360 }, ++ { 0x3285, 0x0607, "Nacon GC-100", 0, XTYPE_XBOX360 }, + { 0x3767, 0x0101, "Fanatec Speedster 3 Forceshock Wheel", 0, XTYPE_XBOX }, + { 0xffff, 0xffff, "Chinese-made Xbox Controller", 0, XTYPE_XBOX }, + { 0x0000, 0x0000, "Generic X-Box pad", 0, XTYPE_UNKNOWN } +@@ -464,6 +465,7 @@ static const struct usb_device_id xpad_t + XPAD_XBOXONE_VENDOR(0x24c6), /* PowerA Controllers */ + XPAD_XBOXONE_VENDOR(0x2e24), /* Hyperkin Duke X-Box One pad */ + XPAD_XBOX360_VENDOR(0x2f24), /* GameSir Controllers */ ++ XPAD_XBOX360_VENDOR(0x3285), /* Nacon GC-100 */ + { } + }; + diff --git a/queue-4.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch b/queue-4.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch new file mode 100644 index 00000000000..cddba5227d6 --- /dev/null +++ b/queue-4.4/nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch @@ -0,0 +1,85 @@ +From 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 Mon Sep 17 00:00:00 2001 +From: Stephen Boyd +Date: Wed, 13 Oct 2021 13:45:11 +0100 +Subject: nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells + +From: Stephen Boyd + +commit 5d388fa01fa6eb310ac023a363a6cb216d9d8fe9 upstream. + +If a cell has 'nbits' equal to a multiple of BITS_PER_BYTE the logic + + *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); + +will become undefined behavior because nbits modulo BITS_PER_BYTE is 0, and we +subtract one from that making a large number that is then shifted more than the +number of bits that fit into an unsigned long. + +UBSAN reports this problem: + + UBSAN: shift-out-of-bounds in drivers/nvmem/core.c:1386:8 + shift exponent 64 is too large for 64-bit type 'unsigned long' + CPU: 6 PID: 7 Comm: kworker/u16:0 Not tainted 5.15.0-rc3+ #9 + Hardware name: Google Lazor (rev3+) with KB Backlight (DT) + Workqueue: events_unbound deferred_probe_work_func + Call trace: + dump_backtrace+0x0/0x170 + show_stack+0x24/0x30 + dump_stack_lvl+0x64/0x7c + dump_stack+0x18/0x38 + ubsan_epilogue+0x10/0x54 + __ubsan_handle_shift_out_of_bounds+0x180/0x194 + __nvmem_cell_read+0x1ec/0x21c + nvmem_cell_read+0x58/0x94 + nvmem_cell_read_variable_common+0x4c/0xb0 + nvmem_cell_read_variable_le_u32+0x40/0x100 + a6xx_gpu_init+0x170/0x2f4 + adreno_bind+0x174/0x284 + component_bind_all+0xf0/0x264 + msm_drm_bind+0x1d8/0x7a0 + try_to_bring_up_master+0x164/0x1ac + __component_add+0xbc/0x13c + component_add+0x20/0x2c + dp_display_probe+0x340/0x384 + platform_probe+0xc0/0x100 + really_probe+0x110/0x304 + __driver_probe_device+0xb8/0x120 + driver_probe_device+0x4c/0xfc + __device_attach_driver+0xb0/0x128 + bus_for_each_drv+0x90/0xdc + __device_attach+0xc8/0x174 + device_initial_probe+0x20/0x2c + bus_probe_device+0x40/0xa4 + deferred_probe_work_func+0x7c/0xb8 + process_one_work+0x128/0x21c + process_scheduled_works+0x40/0x54 + worker_thread+0x1ec/0x2a8 + kthread+0x138/0x158 + ret_from_fork+0x10/0x20 + +Fix it by making sure there are any bits to mask out. + +Fixes: 69aba7948cbe ("nvmem: Add a simple NVMEM framework for consumers") +Cc: Douglas Anderson +Cc: stable@vger.kernel.org +Signed-off-by: Stephen Boyd +Signed-off-by: Srinivas Kandagatla +Link: https://lore.kernel.org/r/20211013124511.18726-1-srinivas.kandagatla@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman +--- + drivers/nvmem/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/nvmem/core.c ++++ b/drivers/nvmem/core.c +@@ -815,7 +815,8 @@ static inline void nvmem_shift_read_buff + *p-- = 0; + + /* clear msb bits if any leftover in the last byte */ +- *p &= GENMASK((cell->nbits%BITS_PER_BYTE) - 1, 0); ++ if (cell->nbits % BITS_PER_BYTE) ++ *p &= GENMASK((cell->nbits % BITS_PER_BYTE) - 1, 0); + } + + static int __nvmem_cell_read(struct nvmem_device *nvmem, diff --git a/queue-4.4/series b/queue-4.4/series index 9fa5ebe36dc..8349f78f312 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -1,2 +1,9 @@ alsa-seq-fix-a-potential-uaf-by-wrong-private_free-call-order.patch s390-fix-strrchr-implementation.patch +xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch +cb710-avoid-null-pointer-subtraction.patch +efi-cper-use-stack-buffer-for-error-record-decoding.patch +input-xpad-add-support-for-another-usb-id-of-nacon-gc-100.patch +usb-serial-qcserial-add-em9191-qdl-support.patch +usb-serial-option-add-telit-le910cx-composition-0x1204.patch +nvmem-fix-shift-out-of-bound-ubsan-with-byte-size-cells.patch diff --git a/queue-4.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch b/queue-4.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch new file mode 100644 index 00000000000..4b82ca2ca9a --- /dev/null +++ b/queue-4.4/usb-serial-option-add-telit-le910cx-composition-0x1204.patch @@ -0,0 +1,33 @@ +From f5a8a07edafed8bede17a95ef8940fe3a57a77d5 Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Mon, 4 Oct 2021 12:56:55 +0200 +Subject: USB: serial: option: add Telit LE910Cx composition 0x1204 + +From: Daniele Palmas + +commit f5a8a07edafed8bede17a95ef8940fe3a57a77d5 upstream. + +Add the following Telit LE910Cx composition: + +0x1204: tty, adb, mbim, tty, tty, tty, tty + +Signed-off-by: Daniele Palmas +Link: https://lore.kernel.org/r/20211004105655.8515-1-dnlplm@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1209,6 +1209,8 @@ static const struct usb_device_id option + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1203, 0xff), /* Telit LE910Cx (RNDIS) */ + .driver_info = NCTRL(2) | RSVD(3) }, ++ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1204, 0xff), /* Telit LE910Cx (MBIM) */ ++ .driver_info = NCTRL(0) | RSVD(1) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), + .driver_info = NCTRL(0) | RSVD(1) | RSVD(2) | RSVD(3) }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), diff --git a/queue-4.4/usb-serial-qcserial-add-em9191-qdl-support.patch b/queue-4.4/usb-serial-qcserial-add-em9191-qdl-support.patch new file mode 100644 index 00000000000..dd8fed7d4df --- /dev/null +++ b/queue-4.4/usb-serial-qcserial-add-em9191-qdl-support.patch @@ -0,0 +1,40 @@ +From 11c52d250b34a0862edc29db03fbec23b30db6da Mon Sep 17 00:00:00 2001 +From: Aleksander Morgado +Date: Thu, 7 Oct 2021 14:25:01 +0200 +Subject: USB: serial: qcserial: add EM9191 QDL support + +From: Aleksander Morgado + +commit 11c52d250b34a0862edc29db03fbec23b30db6da upstream. + +When the module boots into QDL download mode it exposes the 1199:90d2 +ids, which can be mapped to the qcserial driver, and used to run +firmware upgrades (e.g. with the qmi-firmware-update program). + + T: Bus=01 Lev=03 Prnt=08 Port=03 Cnt=01 Dev#= 10 Spd=480 MxCh= 0 + D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 + P: Vendor=1199 ProdID=90d2 Rev=00.00 + S: Manufacturer=Sierra Wireless, Incorporated + S: Product=Sierra Wireless EM9191 + S: SerialNumber=8W0382004102A109 + C: #Ifs= 1 Cfg#= 1 Atr=a0 MxPwr=2mA + I: If#=0x0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=10 Driver=qcserial + +Signed-off-by: Aleksander Morgado +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/qcserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -169,6 +169,7 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */ + {DEVICE_SWI(0x1199, 0x9090)}, /* Sierra Wireless EM7565 QDL */ + {DEVICE_SWI(0x1199, 0x9091)}, /* Sierra Wireless EM7565 */ ++ {DEVICE_SWI(0x1199, 0x90d2)}, /* Sierra Wireless EM9191 QDL */ + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ diff --git a/queue-4.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch b/queue-4.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch new file mode 100644 index 00000000000..3f115f600ec --- /dev/null +++ b/queue-4.4/xhci-enable-trust-tx-length-quirk-for-fresco-fl11-usb-controller.patch @@ -0,0 +1,43 @@ +From ea0f69d8211963c4b2cc1998b86779a500adb502 Mon Sep 17 00:00:00 2001 +From: Nikolay Martynov +Date: Fri, 8 Oct 2021 12:25:47 +0300 +Subject: xhci: Enable trust tx length quirk for Fresco FL11 USB controller + +From: Nikolay Martynov + +commit ea0f69d8211963c4b2cc1998b86779a500adb502 upstream. + +Tested on SD5200T TB3 dock which has Fresco Logic FL1100 USB 3.0 Host +Controller. +Before this patch streaming video from USB cam made mouse and keyboard +connected to the same USB bus unusable. Also video was jerky. +With this patch streaming video doesn't have any effect on other +periferals and video is smooth. + +Cc: stable@vger.kernel.org +Signed-off-by: Nikolay Martynov +Signed-off-by: Mathias Nyman +Link: https://lore.kernel.org/r/20211008092547.3996295-6-mathias.nyman@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/host/xhci-pci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -38,6 +38,7 @@ + #define PCI_VENDOR_ID_FRESCO_LOGIC 0x1b73 + #define PCI_DEVICE_ID_FRESCO_LOGIC_PDK 0x1000 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1009 0x1009 ++#define PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 0x1100 + #define PCI_DEVICE_ID_FRESCO_LOGIC_FL1400 0x1400 + + #define PCI_VENDOR_ID_ETRON 0x1b6f +@@ -90,6 +91,7 @@ static void xhci_pci_quirks(struct devic + /* Look for vendor-specific quirks */ + if (pdev->vendor == PCI_VENDOR_ID_FRESCO_LOGIC && + (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK || ++ pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1100 || + pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_FL1400)) { + if (pdev->device == PCI_DEVICE_ID_FRESCO_LOGIC_PDK && + pdev->revision == 0x0) {