From: Greg Kroah-Hartman Date: Mon, 1 Mar 2021 10:47:19 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.259~63 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d44fe790e41a73856f7cca9eebbdf27876679c2c;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: acpi-configfs-add-missing-check-after-configfs_register_default_group.patch blk-settings-align-max_sectors-on-logical_block_size-boundary.patch btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch input-joydev-prevent-potential-read-overflow-in-ioctl.patch input-raydium_ts_i2c-do-not-send-zero-length.patch input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch keys-trusted-fix-migratable-1-failing.patch seccomp-add-missing-return-in-non-void-function.patch staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch usb-serial-mos7720-fix-error-code-in-mos7720_write.patch usb-serial-mos7840-fix-error-code-in-mos7840_write.patch usb-serial-option-update-interface-mapping-for-zte-p685m.patch --- diff --git a/queue-4.9/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch b/queue-4.9/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch new file mode 100644 index 00000000000..dd88f2bc684 --- /dev/null +++ b/queue-4.9/acpi-configfs-add-missing-check-after-configfs_register_default_group.patch @@ -0,0 +1,53 @@ +From 67e40054de86aae520ddc2a072d7f6951812a14f Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Fri, 15 Jan 2021 10:22:50 +0800 +Subject: ACPI: configfs: add missing check after configfs_register_default_group() + +From: Qinglang Miao + +commit 67e40054de86aae520ddc2a072d7f6951812a14f upstream. + +A list_add corruption is reported by Hulk Robot like this: +============== +list_add corruption. +Call Trace: +link_obj+0xc0/0x1c0 +link_group+0x21/0x140 +configfs_register_subsystem+0xdb/0x380 +acpi_configfs_init+0x25/0x1000 [acpi_configfs] +do_one_initcall+0x149/0x820 +do_init_module+0x1ef/0x720 +load_module+0x35c8/0x4380 +__do_sys_finit_module+0x10d/0x1a0 +do_syscall_64+0x34/0x80 + +It's because of the missing check after configfs_register_default_group, +where configfs_unregister_subsystem should be called once failure. + +Fixes: 612bd01fc6e0 ("ACPI: add support for loading SSDTs via configfs") +Reported-by: Hulk Robot +Suggested-by: Hanjun Guo +Signed-off-by: Qinglang Miao +Cc: 4.10+ # 4.10+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/acpi/acpi_configfs.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/acpi_configfs.c ++++ b/drivers/acpi/acpi_configfs.c +@@ -251,7 +251,12 @@ static int __init acpi_configfs_init(voi + + acpi_table_group = configfs_register_default_group(root, "table", + &acpi_tables_type); +- return PTR_ERR_OR_ZERO(acpi_table_group); ++ if (IS_ERR(acpi_table_group)) { ++ configfs_unregister_subsystem(&acpi_configfs); ++ return PTR_ERR(acpi_table_group); ++ } ++ ++ return 0; + } + module_init(acpi_configfs_init); + diff --git a/queue-4.9/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch b/queue-4.9/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch new file mode 100644 index 00000000000..45a9b693a91 --- /dev/null +++ b/queue-4.9/blk-settings-align-max_sectors-on-logical_block_size-boundary.patch @@ -0,0 +1,68 @@ +From 97f433c3601a24d3513d06f575a389a2ca4e11e4 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 23 Feb 2021 19:25:30 -0700 +Subject: blk-settings: align max_sectors on "logical_block_size" boundary + +From: Mikulas Patocka + +commit 97f433c3601a24d3513d06f575a389a2ca4e11e4 upstream. + +We get I/O errors when we run md-raid1 on the top of dm-integrity on the +top of ramdisk. +device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0xff00, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 +device-mapper: integrity: Bio not aligned on 8 sectors: 0xffff, 0x1 +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8048, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8147, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8246, 0xff +device-mapper: integrity: Bio not aligned on 8 sectors: 0x8345, 0xbb + +The ramdisk device has logical_block_size 512 and max_sectors 255. The +dm-integrity device uses logical_block_size 4096 and it doesn't affect the +"max_sectors" value - thus, it inherits 255 from the ramdisk. So, we have +a device with max_sectors not aligned on logical_block_size. + +The md-raid device sees that the underlying leg has max_sectors 255 and it +will split the bios on 255-sector boundary, making the bios unaligned on +logical_block_size. + +In order to fix the bug, we round down max_sectors to logical_block_size. + +Cc: stable@vger.kernel.org +Reviewed-by: Ming Lei +Signed-off-by: Mikulas Patocka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + block/blk-settings.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -494,6 +494,14 @@ void blk_queue_stack_limits(struct reque + } + EXPORT_SYMBOL(blk_queue_stack_limits); + ++static unsigned int blk_round_down_sectors(unsigned int sectors, unsigned int lbs) ++{ ++ sectors = round_down(sectors, lbs >> SECTOR_SHIFT); ++ if (sectors < PAGE_SIZE >> SECTOR_SHIFT) ++ sectors = PAGE_SIZE >> SECTOR_SHIFT; ++ return sectors; ++} ++ + /** + * blk_stack_limits - adjust queue_limits for stacked devices + * @t: the stacking driver limits (top device) +@@ -606,6 +614,10 @@ int blk_stack_limits(struct queue_limits + ret = -1; + } + ++ t->max_sectors = blk_round_down_sectors(t->max_sectors, t->logical_block_size); ++ t->max_hw_sectors = blk_round_down_sectors(t->max_hw_sectors, t->logical_block_size); ++ t->max_dev_sectors = blk_round_down_sectors(t->max_dev_sectors, t->logical_block_size); ++ + /* Discard alignment and granularity */ + if (b->discard_granularity) { + alignment = queue_limit_discard_alignment(b, start); diff --git a/queue-4.9/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch b/queue-4.9/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch new file mode 100644 index 00000000000..748d89e99e5 --- /dev/null +++ b/queue-4.9/btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch @@ -0,0 +1,56 @@ +From 867ed321f90d06aaba84e2c91de51cd3038825ef Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 14 Jan 2021 14:02:46 -0500 +Subject: btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root + +From: Josef Bacik + +commit 867ed321f90d06aaba84e2c91de51cd3038825ef upstream. + +While testing my error handling patches, I added a error injection site +at btrfs_inc_extent_ref, to validate the error handling I added was +doing the correct thing. However I hit a pretty ugly corruption while +doing this check, with the following error injection stack trace: + +btrfs_inc_extent_ref + btrfs_copy_root + create_reloc_root + btrfs_init_reloc_root + btrfs_record_root_in_trans + btrfs_start_transaction + btrfs_update_inode + btrfs_update_time + touch_atime + file_accessed + btrfs_file_mmap + +This is because we do not catch the error from btrfs_inc_extent_ref, +which in practice would be ENOMEM, which means we lose the extent +references for a root that has already been allocated and inserted, +which is the problem. Fix this by aborting the transaction if we fail +to do the reference modification. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -279,9 +279,10 @@ int btrfs_copy_root(struct btrfs_trans_h + ret = btrfs_inc_ref(trans, root, cow, 1); + else + ret = btrfs_inc_ref(trans, root, cow, 0); +- +- if (ret) ++ if (ret) { ++ btrfs_abort_transaction(trans, ret); + return ret; ++ } + + btrfs_mark_buffer_dirty(cow); + *cow_ret = cow; diff --git a/queue-4.9/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch b/queue-4.9/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch new file mode 100644 index 00000000000..dba9bf267d0 --- /dev/null +++ b/queue-4.9/btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch @@ -0,0 +1,37 @@ +From 72c9925f87c8b74f36f8e75a4cd93d964538d3ca Mon Sep 17 00:00:00 2001 +From: Filipe Manana +Date: Thu, 4 Feb 2021 14:35:44 +0000 +Subject: btrfs: fix extent buffer leak on failure to copy root + +From: Filipe Manana + +commit 72c9925f87c8b74f36f8e75a4cd93d964538d3ca upstream. + +At btrfs_copy_root(), if the call to btrfs_inc_ref() fails we end up +returning without unlocking and releasing our reference on the extent +buffer named "cow" we previously allocated with btrfs_alloc_tree_block(). + +So fix that by unlocking the extent buffer and dropping our reference on +it before returning. + +Fixes: be20aa9dbadc8c ("Btrfs: Add mount option to turn off data cow") +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Filipe Manana +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/ctree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/ctree.c ++++ b/fs/btrfs/ctree.c +@@ -280,6 +280,8 @@ int btrfs_copy_root(struct btrfs_trans_h + else + ret = btrfs_inc_ref(trans, root, cow, 0); + if (ret) { ++ btrfs_tree_unlock(cow); ++ free_extent_buffer(cow); + btrfs_abort_transaction(trans, ret); + return ret; + } diff --git a/queue-4.9/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch b/queue-4.9/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch new file mode 100644 index 00000000000..6e373387074 --- /dev/null +++ b/queue-4.9/btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch @@ -0,0 +1,48 @@ +From c78a10aebb275c38d0cfccae129a803fe622e305 Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Thu, 14 Jan 2021 14:02:42 -0500 +Subject: btrfs: fix reloc root leak with 0 ref reloc roots on recovery + +From: Josef Bacik + +commit c78a10aebb275c38d0cfccae129a803fe622e305 upstream. + +When recovering a relocation, if we run into a reloc root that has 0 +refs we simply add it to the reloc_control->reloc_roots list, and then +clean it up later. The problem with this is __del_reloc_root() doesn't +do anything if the root isn't in the radix tree, which in this case it +won't be because we never call __add_reloc_root() on the reloc_root. + +This exit condition simply isn't correct really. During normal +operation we can remove ourselves from the rb tree and then we're meant +to clean up later at merge_reloc_roots() time, and this happens +correctly. During recovery we're depending on free_reloc_roots() to +drop our references, but we're short-circuiting. + +Fix this by continuing to check if we're on the list and dropping +ourselves from the reloc_control root list and dropping our reference +appropriately. Change the corresponding BUG_ON() to an ASSERT() that +does the correct thing if we aren't in the rb tree. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/relocation.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -1335,9 +1335,7 @@ static void __del_reloc_root(struct btrf + RB_CLEAR_NODE(&node->rb_node); + } + spin_unlock(&rc->reloc_root_tree.lock); +- if (!node) +- return; +- BUG_ON((struct btrfs_root *)node->data != root); ++ ASSERT(!node || (struct btrfs_root *)node->data == root); + } + + spin_lock(&root->fs_info->trans_lock); diff --git a/queue-4.9/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch b/queue-4.9/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch new file mode 100644 index 00000000000..4d0627065bc --- /dev/null +++ b/queue-4.9/drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch @@ -0,0 +1,50 @@ +From 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e Mon Sep 17 00:00:00 2001 +From: Sabyrzhan Tasbolatov +Date: Tue, 9 Feb 2021 16:26:12 +0600 +Subject: drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue + +From: Sabyrzhan Tasbolatov + +commit 2fd10bcf0310b9525b2af9e1f7aa9ddd87c3772e upstream. + +syzbot found WARNING in qp_broker_alloc[1] in qp_host_alloc_queue() +when num_pages is 0x100001, giving queue_size + queue_page_size +bigger than KMALLOC_MAX_SIZE for kzalloc(), resulting order >= MAX_ORDER +condition. + +queue_size + queue_page_size=0x8000d8, where KMALLOC_MAX_SIZE=0x400000. + +[1] +Call Trace: + alloc_pages include/linux/gfp.h:547 [inline] + kmalloc_order+0x40/0x130 mm/slab_common.c:837 + kmalloc_order_trace+0x15/0x70 mm/slab_common.c:853 + kmalloc_large include/linux/slab.h:481 [inline] + __kmalloc+0x257/0x330 mm/slub.c:3959 + kmalloc include/linux/slab.h:557 [inline] + kzalloc include/linux/slab.h:682 [inline] + qp_host_alloc_queue drivers/misc/vmw_vmci/vmci_queue_pair.c:540 [inline] + qp_broker_create drivers/misc/vmw_vmci/vmci_queue_pair.c:1351 [inline] + qp_broker_alloc+0x936/0x2740 drivers/misc/vmw_vmci/vmci_queue_pair.c:1739 + +Reported-by: syzbot+15ec7391f3d6a1a7cc7d@syzkaller.appspotmail.com +Signed-off-by: Sabyrzhan Tasbolatov +Link: https://lore.kernel.org/r/20210209102612.2112247-1-snovitoll@gmail.com +Cc: stable +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -639,6 +639,9 @@ static struct vmci_queue *qp_host_alloc_ + + queue_page_size = num_pages * sizeof(*queue->kernel_if->u.h.page); + ++ if (queue_size + queue_page_size > KMALLOC_MAX_SIZE) ++ return NULL; ++ + queue = kzalloc(queue_size + queue_page_size, GFP_KERNEL); + if (queue) { + queue->q_header = NULL; diff --git a/queue-4.9/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch b/queue-4.9/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch new file mode 100644 index 00000000000..311d6723704 --- /dev/null +++ b/queue-4.9/input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch @@ -0,0 +1,41 @@ +From b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 Mon Sep 17 00:00:00 2001 +From: Marcos Paulo de Souza +Date: Fri, 19 Feb 2021 10:37:13 -0800 +Subject: Input: i8042 - add ASUS Zenbook Flip to noselftest list + +From: Marcos Paulo de Souza + +commit b5d6e7ab7fe7d186878142e9fc1a05e4c3b65eb9 upstream. + +After commit 77b425399f6d ("Input: i8042 - use chassis info to skip +selftest on Asus laptops"), all modern Asus laptops have the i8042 +selftest disabled. It has done by using chassys type "10" (laptop). + +The Asus Zenbook Flip suffers from similar suspend/resume issues, but +it _sometimes_ work and sometimes it doesn't. Setting noselftest makes +it work reliably. In this case, we need to add chassis type "31" +(convertible) in order to avoid selftest in this device. + +Reported-by: Ludvig Norgren Guldhag +Signed-off-by: Marcos Paulo de Souza +Link: https://lore.kernel.org/r/20210219164638.761-1-mpdesouza@suse.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/serio/i8042-x86ia64io.h | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -579,6 +579,10 @@ static const struct dmi_system_id i8042_ + DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), + DMI_MATCH(DMI_PRODUCT_NAME, "VGN-CS"), + }, ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."), ++ DMI_MATCH(DMI_CHASSIS_TYPE, "31"), /* Convertible Notebook */ ++ }, + }, + { } + }; diff --git a/queue-4.9/input-joydev-prevent-potential-read-overflow-in-ioctl.patch b/queue-4.9/input-joydev-prevent-potential-read-overflow-in-ioctl.patch new file mode 100644 index 00000000000..fdb2945bc9a --- /dev/null +++ b/queue-4.9/input-joydev-prevent-potential-read-overflow-in-ioctl.patch @@ -0,0 +1,53 @@ +From 182d679b2298d62bf42bb14b12a8067b8e17b617 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 17 Feb 2021 12:21:10 -0800 +Subject: Input: joydev - prevent potential read overflow in ioctl + +From: Dan Carpenter + +commit 182d679b2298d62bf42bb14b12a8067b8e17b617 upstream. + +The problem here is that "len" might be less than "joydev->nabs" so the +loops which verfy abspam[i] and keypam[] might read beyond the buffer. + +Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YCyzR8WvFRw4HWw6@mwanda +[dtor: additional check for len being even in joydev_handle_JSIOCSBTNMAP] +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joydev.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -448,7 +448,7 @@ static int joydev_handle_JSIOCSAXMAP(str + if (IS_ERR(abspam)) + return PTR_ERR(abspam); + +- for (i = 0; i < joydev->nabs; i++) { ++ for (i = 0; i < len && i < joydev->nabs; i++) { + if (abspam[i] > ABS_MAX) { + retval = -EINVAL; + goto out; +@@ -472,6 +472,9 @@ static int joydev_handle_JSIOCSBTNMAP(st + int i; + int retval = 0; + ++ if (len % sizeof(*keypam)) ++ return -EINVAL; ++ + len = min(len, sizeof(joydev->keypam)); + + /* Validate the map. */ +@@ -479,7 +482,7 @@ static int joydev_handle_JSIOCSBTNMAP(st + if (IS_ERR(keypam)) + return PTR_ERR(keypam); + +- for (i = 0; i < joydev->nkey; i++) { ++ for (i = 0; i < (len / 2) && i < joydev->nkey; i++) { + if (keypam[i] > KEY_MAX || keypam[i] < BTN_MISC) { + retval = -EINVAL; + goto out; diff --git a/queue-4.9/input-raydium_ts_i2c-do-not-send-zero-length.patch b/queue-4.9/input-raydium_ts_i2c-do-not-send-zero-length.patch new file mode 100644 index 00000000000..7c5c9478813 --- /dev/null +++ b/queue-4.9/input-raydium_ts_i2c-do-not-send-zero-length.patch @@ -0,0 +1,40 @@ +From fafd320ae51b9c72d371585b2501f86640ea7b7d Mon Sep 17 00:00:00 2001 +From: "jeffrey.lin" +Date: Tue, 15 Dec 2020 10:50:12 -0800 +Subject: Input: raydium_ts_i2c - do not send zero length + +From: jeffrey.lin + +commit fafd320ae51b9c72d371585b2501f86640ea7b7d upstream. + +Add default write command package to prevent i2c quirk error of zero +data length as Raydium touch firmware update is executed. + +Signed-off-by: jeffrey.lin +Link: https://lore.kernel.org/r/1608031217-7247-1-git-send-email-jeffrey.lin@raydium.corp-partner.google.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/raydium_i2c_ts.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/raydium_i2c_ts.c ++++ b/drivers/input/touchscreen/raydium_i2c_ts.c +@@ -419,6 +419,7 @@ static int raydium_i2c_write_object(stru + enum raydium_bl_ack state) + { + int error; ++ static const u8 cmd[] = { 0xFF, 0x39 }; + + error = raydium_i2c_send(client, RM_CMD_BOOT_WRT, data, len); + if (error) { +@@ -427,7 +428,7 @@ static int raydium_i2c_write_object(stru + return error; + } + +- error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, NULL, 0); ++ error = raydium_i2c_send(client, RM_CMD_BOOT_ACK, cmd, sizeof(cmd)); + if (error) { + dev_err(&client->dev, "Ack obj command failed: %d\n", error); + return error; diff --git a/queue-4.9/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch b/queue-4.9/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch new file mode 100644 index 00000000000..487a3ba2a9b --- /dev/null +++ b/queue-4.9/input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch @@ -0,0 +1,31 @@ +From 42ffcd1dba1796bcda386eb6f260df9fc23c90af Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Olivier=20Cr=C3=AAte?= +Date: Fri, 5 Feb 2021 11:59:08 -0800 +Subject: Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Olivier Crête + +commit 42ffcd1dba1796bcda386eb6f260df9fc23c90af upstream. + +Signed-off-by: Olivier Crête +Link: https://lore.kernel.org/r/20210204005318.615647-1-olivier.crete@collabora.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/xpad.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/input/joystick/xpad.c ++++ b/drivers/input/joystick/xpad.c +@@ -322,6 +322,7 @@ static const struct xpad_device { + { 0x1bad, 0xfd00, "Razer Onza TE", 0, XTYPE_XBOX360 }, + { 0x1bad, 0xfd01, "Razer Onza", 0, XTYPE_XBOX360 }, + { 0x20d6, 0x2001, "BDA Xbox Series X Wired Controller", 0, XTYPE_XBOXONE }, ++ { 0x20d6, 0x2009, "PowerA Enhanced Wired Controller for Xbox Series X|S", 0, XTYPE_XBOXONE }, + { 0x20d6, 0x281f, "PowerA Wired Controller For Xbox 360", 0, XTYPE_XBOX360 }, + { 0x2e24, 0x0652, "Hyperkin Duke X-Box One pad", 0, XTYPE_XBOXONE }, + { 0x24c6, 0x5000, "Razer Atrox Arcade Stick", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 }, diff --git a/queue-4.9/keys-trusted-fix-migratable-1-failing.patch b/queue-4.9/keys-trusted-fix-migratable-1-failing.patch new file mode 100644 index 00000000000..3c2cf366c2e --- /dev/null +++ b/queue-4.9/keys-trusted-fix-migratable-1-failing.patch @@ -0,0 +1,46 @@ +From 8da7520c80468c48f981f0b81fc1be6599e3b0ad Mon Sep 17 00:00:00 2001 +From: Jarkko Sakkinen +Date: Fri, 29 Jan 2021 01:56:20 +0200 +Subject: KEYS: trusted: Fix migratable=1 failing + +From: Jarkko Sakkinen + +commit 8da7520c80468c48f981f0b81fc1be6599e3b0ad upstream. + +Consider the following transcript: + +$ keyctl add trusted kmk "new 32 blobauth=helloworld keyhandle=80000000 migratable=1" @u +add_key: Invalid argument + +The documentation has the following description: + + migratable= 0|1 indicating permission to reseal to new PCR values, + default 1 (resealing allowed) + +The consequence is that "migratable=1" should succeed. Fix this by +allowing this condition to pass instead of return -EINVAL. + +[*] Documentation/security/keys/trusted-encrypted.rst + +Cc: stable@vger.kernel.org +Cc: "James E.J. Bottomley" +Cc: Mimi Zohar +Cc: David Howells +Fixes: d00a1c72f7f4 ("keys: add new trusted key-type") +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/trusted.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/trusted.c ++++ b/security/keys/trusted.c +@@ -797,7 +797,7 @@ static int getoptions(char *c, struct tr + case Opt_migratable: + if (*args[0].from == '0') + pay->migratable = 0; +- else ++ else if (*args[0].from != '1') + return -EINVAL; + break; + case Opt_pcrlock: diff --git a/queue-4.9/mm-thp-make-do_huge_pmd_wp_page-lock-page-for-testin.patch b/queue-4.9/mm-thp-make-do_huge_pmd_wp_page-lock-page-for-testin.patch index 48251d5fca6..1fb1b23e41a 100644 --- a/queue-4.9/mm-thp-make-do_huge_pmd_wp_page-lock-page-for-testin.patch +++ b/queue-4.9/mm-thp-make-do_huge_pmd_wp_page-lock-page-for-testin.patch @@ -38,14 +38,12 @@ Reported-by: Nicolai Stange Signed-off-by: Vlastimil Babka Signed-off-by: Sasha Levin --- - mm/huge_memory.c | 15 +++++++++++++++ + mm/huge_memory.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) -diff --git a/mm/huge_memory.c b/mm/huge_memory.c -index 05ca01ef97f7f..14cd0ef33b628 100644 --- a/mm/huge_memory.c +++ b/mm/huge_memory.c -@@ -1022,6 +1022,19 @@ int do_huge_pmd_wp_page(struct fault_env *fe, pmd_t orig_pmd) +@@ -1022,6 +1022,19 @@ int do_huge_pmd_wp_page(struct fault_env * We can only reuse the page if nobody else maps the huge page or it's * part. */ @@ -65,7 +63,7 @@ index 05ca01ef97f7f..14cd0ef33b628 100644 if (page_trans_huge_mapcount(page, NULL) == 1) { pmd_t entry; entry = pmd_mkyoung(orig_pmd); -@@ -1029,8 +1042,10 @@ int do_huge_pmd_wp_page(struct fault_env *fe, pmd_t orig_pmd) +@@ -1029,8 +1042,10 @@ int do_huge_pmd_wp_page(struct fault_env if (pmdp_set_access_flags(vma, haddr, fe->pmd, entry, 1)) update_mmu_cache_pmd(vma, fe->address, fe->pmd); ret |= VM_FAULT_WRITE; @@ -76,6 +74,3 @@ index 05ca01ef97f7f..14cd0ef33b628 100644 get_page(page); spin_unlock(fe->ptl); alloc: --- -2.27.0 - diff --git a/queue-4.9/seccomp-add-missing-return-in-non-void-function.patch b/queue-4.9/seccomp-add-missing-return-in-non-void-function.patch new file mode 100644 index 00000000000..8d810207884 --- /dev/null +++ b/queue-4.9/seccomp-add-missing-return-in-non-void-function.patch @@ -0,0 +1,34 @@ +From 04b38d012556199ba4c31195940160e0c44c64f0 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Mon, 11 Jan 2021 17:28:39 +0000 +Subject: seccomp: Add missing return in non-void function + +From: Paul Cercueil + +commit 04b38d012556199ba4c31195940160e0c44c64f0 upstream. + +We don't actually care about the value, since the kernel will panic +before that; but a value should nonetheless be returned, otherwise the +compiler will complain. + +Fixes: 8112c4f140fa ("seccomp: remove 2-phase API") +Cc: stable@vger.kernel.org # 4.7+ +Signed-off-by: Paul Cercueil +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20210111172839.640914-1-paul@crapouillou.net +Signed-off-by: Greg Kroah-Hartman +--- + kernel/seccomp.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/seccomp.c ++++ b/kernel/seccomp.c +@@ -669,6 +669,8 @@ static int __seccomp_filter(int this_sys + const bool recheck_after_trace) + { + BUG(); ++ ++ return -1; + } + #endif + diff --git a/queue-4.9/series b/queue-4.9/series index a765e4744bb..599a741c95c 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -86,3 +86,22 @@ mm-hugetlb-fix-potential-double-free-in-hugetlb_regi.patch arm64-add-missing-isb-after-invalidating-tlb-in-__pr.patch i2c-brcmstb-fix-brcmstd_send_i2c_cmd-condition.patch scsi-bnx2fc-fix-kconfig-warning-cnic-build-errors.patch +blk-settings-align-max_sectors-on-logical_block_size-boundary.patch +acpi-configfs-add-missing-check-after-configfs_register_default_group.patch +input-raydium_ts_i2c-do-not-send-zero-length.patch +input-xpad-add-support-for-powera-enhanced-wired-controller-for-xbox-series-x-s.patch +input-joydev-prevent-potential-read-overflow-in-ioctl.patch +input-i8042-add-asus-zenbook-flip-to-noselftest-list.patch +usb-serial-option-update-interface-mapping-for-zte-p685m.patch +usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch +usb-serial-mos7840-fix-error-code-in-mos7840_write.patch +usb-serial-mos7720-fix-error-code-in-mos7720_write.patch +usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch +usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch +keys-trusted-fix-migratable-1-failing.patch +btrfs-abort-the-transaction-if-we-fail-to-inc-ref-in-btrfs_copy_root.patch +btrfs-fix-reloc-root-leak-with-0-ref-reloc-roots-on-recovery.patch +btrfs-fix-extent-buffer-leak-on-failure-to-copy-root.patch +seccomp-add-missing-return-in-non-void-function.patch +drivers-misc-vmw_vmci-restrict-too-big-queue-size-in-qp_host_alloc_queue.patch +staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch diff --git a/queue-4.9/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch b/queue-4.9/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch new file mode 100644 index 00000000000..7201953bf59 --- /dev/null +++ b/queue-4.9/staging-rtl8188eu-add-edimax-ew-7811un-v2-to-device-table.patch @@ -0,0 +1,30 @@ +From 7a8d2f1908a59003e55ef8691d09efb7fbc51625 Mon Sep 17 00:00:00 2001 +From: Martin Kaiser +Date: Thu, 4 Feb 2021 09:52:17 +0100 +Subject: staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table + +From: Martin Kaiser + +commit 7a8d2f1908a59003e55ef8691d09efb7fbc51625 upstream. + +The Edimax EW-7811UN V2 uses an RTL8188EU chipset and works with this +driver. + +Signed-off-by: Martin Kaiser +Cc: stable +Link: https://lore.kernel.org/r/20210204085217.9743-1-martin@kaiser.cx +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -49,6 +49,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2357, 0x0111)}, /* TP-Link TL-WN727N v5.21 */ + {USB_DEVICE(0x2C4E, 0x0102)}, /* MERCUSYS MW150US v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ ++ {USB_DEVICE(0x7392, 0xb811)}, /* Edimax EW-7811UN V2 */ + {USB_DEVICE(USB_VENDER_ID_REALTEK, 0xffef)}, /* Rosewill RNX-N150NUB */ + {} /* Terminating entry */ + }; diff --git a/queue-4.9/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch b/queue-4.9/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch new file mode 100644 index 00000000000..73c31ef4e6e --- /dev/null +++ b/queue-4.9/usb-dwc3-gadget-fix-dep-interval-for-fullspeed-interrupt.patch @@ -0,0 +1,41 @@ +From 4b049f55ed95cd889bcdb3034fd75e1f01852b38 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 8 Feb 2021 13:53:16 -0800 +Subject: usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt + +From: Thinh Nguyen + +commit 4b049f55ed95cd889bcdb3034fd75e1f01852b38 upstream. + +The dep->interval captures the number of frames/microframes per interval +from bInterval. Fullspeed interrupt endpoint bInterval is the number of +frames per interval and not 2^(bInterval - 1). So fix it here. This +change is only for debugging purpose and should not affect the interrupt +endpoint operation. + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/1263b563dedc4ab8b0fb854fba06ce4bc56bd495.1612820995.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -538,8 +538,13 @@ static int dwc3_gadget_set_ep_config(str + if (dwc->gadget.speed == USB_SPEED_FULL) + bInterval_m1 = 0; + ++ if (usb_endpoint_type(desc) == USB_ENDPOINT_XFER_INT && ++ dwc->gadget.speed == USB_SPEED_FULL) ++ dep->interval = desc->bInterval; ++ else ++ dep->interval = 1 << (desc->bInterval - 1); ++ + params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1); +- dep->interval = 1 << (desc->bInterval - 1); + } + + return dwc3_send_gadget_ep_cmd(dep, DWC3_DEPCMD_SETEPCONFIG, ¶ms); diff --git a/queue-4.9/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch b/queue-4.9/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch new file mode 100644 index 00000000000..d214fe5709f --- /dev/null +++ b/queue-4.9/usb-dwc3-gadget-fix-setting-of-depcfg.binterval_m1.patch @@ -0,0 +1,43 @@ +From a1679af85b2ae35a2b78ad04c18bb069c37330cc Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Mon, 8 Feb 2021 13:53:10 -0800 +Subject: usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 + +From: Thinh Nguyen + +commit a1679af85b2ae35a2b78ad04c18bb069c37330cc upstream. + +Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it must be set +to 0 when the controller operates in full-speed. See the programming +guide for DEPCFG command section 3.2.2.1 (v3.30a). + +Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver") +Cc: +Signed-off-by: Thinh Nguyen +Link: https://lore.kernel.org/r/3f57026f993c0ce71498dbb06e49b3a47c4d0265.1612820995.git.Thinh.Nguyen@synopsys.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/gadget.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -528,7 +528,17 @@ static int dwc3_gadget_set_ep_config(str + params.param0 |= DWC3_DEPCFG_FIFO_NUMBER(dep->number >> 1); + + if (desc->bInterval) { +- params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(desc->bInterval - 1); ++ u8 bInterval_m1; ++ ++ /* ++ * Valid range for DEPCFG.bInterval_m1 is from 0 to 13, and it ++ * must be set to 0 when the controller operates in full-speed. ++ */ ++ bInterval_m1 = min_t(u8, desc->bInterval - 1, 13); ++ if (dwc->gadget.speed == USB_SPEED_FULL) ++ bInterval_m1 = 0; ++ ++ params.param1 |= DWC3_DEPCFG_BINTERVAL_M1(bInterval_m1); + dep->interval = 1 << (desc->bInterval - 1); + } + diff --git a/queue-4.9/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch b/queue-4.9/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch new file mode 100644 index 00000000000..d885af52d2d --- /dev/null +++ b/queue-4.9/usb-musb-fix-runtime-pm-race-in-musb_queue_resume_work.patch @@ -0,0 +1,88 @@ +From 0eaa1a3714db34a59ce121de5733c3909c529463 Mon Sep 17 00:00:00 2001 +From: Paul Cercueil +Date: Sat, 23 Jan 2021 14:24:59 +0000 +Subject: usb: musb: Fix runtime PM race in musb_queue_resume_work + +From: Paul Cercueil + +commit 0eaa1a3714db34a59ce121de5733c3909c529463 upstream. + +musb_queue_resume_work() would call the provided callback if the runtime +PM status was 'active'. Otherwise, it would enqueue the request if the +hardware was still suspended (musb->is_runtime_suspended is true). + +This causes a race with the runtime PM handlers, as it is possible to be +in the case where the runtime PM status is not yet 'active', but the +hardware has been awaken (PM resume function has been called). + +When hitting the race, the resume work was not enqueued, which probably +triggered other bugs further down the stack. For instance, a telnet +connection on Ingenic SoCs would result in a 50/50 chance of a +segmentation fault somewhere in the musb code. + +Rework the code so that either we call the callback directly if +(musb->is_runtime_suspended == 0), or enqueue the query otherwise. + +Fixes: ea2f35c01d5e ("usb: musb: Fix sleeping function called from invalid context for hdrc glue") +Cc: stable@vger.kernel.org # v4.9+ +Tested-by: Tony Lindgren +Reviewed-by: Tony Lindgren +Signed-off-by: Paul Cercueil +Link: https://lore.kernel.org/r/20210123142502.16980-1-paul@crapouillou.net +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/musb/musb_core.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -2097,32 +2097,35 @@ int musb_queue_resume_work(struct musb * + { + struct musb_pending_work *w; + unsigned long flags; ++ bool is_suspended; + int error; + + if (WARN_ON(!callback)) + return -EINVAL; + +- if (pm_runtime_active(musb->controller)) +- return callback(musb, data); ++ spin_lock_irqsave(&musb->list_lock, flags); ++ is_suspended = musb->is_runtime_suspended; + +- w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC); +- if (!w) +- return -ENOMEM; ++ if (is_suspended) { ++ w = devm_kzalloc(musb->controller, sizeof(*w), GFP_ATOMIC); ++ if (!w) { ++ error = -ENOMEM; ++ goto out_unlock; ++ } ++ ++ w->callback = callback; ++ w->data = data; + +- w->callback = callback; +- w->data = data; +- spin_lock_irqsave(&musb->list_lock, flags); +- if (musb->is_runtime_suspended) { + list_add_tail(&w->node, &musb->pending_list); + error = 0; +- } else { +- dev_err(musb->controller, "could not add resume work %p\n", +- callback); +- devm_kfree(musb->controller, w); +- error = -EINPROGRESS; + } ++ ++out_unlock: + spin_unlock_irqrestore(&musb->list_lock, flags); + ++ if (!is_suspended) ++ error = callback(musb, data); ++ + return error; + } + EXPORT_SYMBOL_GPL(musb_queue_resume_work); diff --git a/queue-4.9/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch b/queue-4.9/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch new file mode 100644 index 00000000000..ae2df5aad5d --- /dev/null +++ b/queue-4.9/usb-serial-mos7720-fix-error-code-in-mos7720_write.patch @@ -0,0 +1,35 @@ +From fea7372cbc40869876df0f045e367f6f97a1666c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 28 Jan 2021 12:35:23 +0300 +Subject: USB: serial: mos7720: fix error code in mos7720_write() + +From: Dan Carpenter + +commit fea7372cbc40869876df0f045e367f6f97a1666c upstream. + +This code should return -ENOMEM if the kmalloc() fails but instead +it returns success. + +Signed-off-by: Dan Carpenter +Fixes: 0f64478cbc7a ("USB: add USB serial mos7720 driver") +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/mos7720.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mos7720.c ++++ b/drivers/usb/serial/mos7720.c +@@ -1239,8 +1239,10 @@ static int mos7720_write(struct tty_stru + if (urb->transfer_buffer == NULL) { + urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, + GFP_ATOMIC); +- if (!urb->transfer_buffer) ++ if (!urb->transfer_buffer) { ++ bytes_sent = -ENOMEM; + goto exit; ++ } + } + transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE); + diff --git a/queue-4.9/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch b/queue-4.9/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch new file mode 100644 index 00000000000..e877b8efe98 --- /dev/null +++ b/queue-4.9/usb-serial-mos7840-fix-error-code-in-mos7840_write.patch @@ -0,0 +1,34 @@ +From a70aa7dc60099bbdcbd6faca42a915d80f31161e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 26 Jan 2021 13:26:54 +0300 +Subject: USB: serial: mos7840: fix error code in mos7840_write() + +From: Dan Carpenter + +commit a70aa7dc60099bbdcbd6faca42a915d80f31161e upstream. + +This should return -ENOMEM instead of 0 if the kmalloc() fails. + +Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver") +Signed-off-by: Dan Carpenter +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/mos7840.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -1362,8 +1362,10 @@ static int mos7840_write(struct tty_stru + if (urb->transfer_buffer == NULL) { + urb->transfer_buffer = kmalloc(URB_TRANSFER_BUFFER_SIZE, + GFP_ATOMIC); +- if (!urb->transfer_buffer) ++ if (!urb->transfer_buffer) { ++ bytes_sent = -ENOMEM; + goto exit; ++ } + } + transfer_size = min(count, URB_TRANSFER_BUFFER_SIZE); + diff --git a/queue-4.9/usb-serial-option-update-interface-mapping-for-zte-p685m.patch b/queue-4.9/usb-serial-option-update-interface-mapping-for-zte-p685m.patch new file mode 100644 index 00000000000..b0ec597edda --- /dev/null +++ b/queue-4.9/usb-serial-option-update-interface-mapping-for-zte-p685m.patch @@ -0,0 +1,78 @@ +From 6420a569504e212d618d4a4736e2c59ed80a8478 Mon Sep 17 00:00:00 2001 +From: Lech Perczak +Date: Sun, 7 Feb 2021 01:54:43 +0100 +Subject: USB: serial: option: update interface mapping for ZTE P685M +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lech Perczak + +commit 6420a569504e212d618d4a4736e2c59ed80a8478 upstream. + +This patch prepares for qmi_wwan driver support for the device. +Previously "option" driver mapped itself to interfaces 0 and 3 (matching +ff/ff/ff), while interface 3 is in fact a QMI port. +Interfaces 1 and 2 (matching ff/00/00) expose AT commands, +and weren't supported previously at all. +Without this patch, a possible conflict would exist if device ID was +added to qmi_wwan driver for interface 3. + +Update and simplify device ID to match interfaces 0-2 directly, +to expose QCDM (0), PCUI (1), and modem (2) ports and avoid conflict +with QMI (3), and ADB (4). + +The modem is used inside ZTE MF283+ router and carriers identify it as +such. +Interface mapping is: +0: QCDM, 1: AT (PCUI), 2: AT (Modem), 3: QMI, 4: ADB + +T: Bus=02 Lev=02 Prnt=02 Port=05 Cnt=01 Dev#= 3 Spd=480 MxCh= 0 +D: Ver= 2.01 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=19d2 ProdID=1275 Rev=f0.00 +S: Manufacturer=ZTE,Incorporated +S: Product=ZTE Technologies MSM +S: SerialNumber=P685M510ZTED0000CP&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&0 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=87(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none) +E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Cc: Johan Hovold +Cc: Bjørn Mork +Signed-off-by: Lech Perczak +Link: https://lore.kernel.org/r/20210207005443.12936-1-lech.perczak@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/option.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -1551,7 +1551,8 @@ static const struct usb_device_id option + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1272, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1273, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1274, 0xff, 0xff, 0xff) }, +- { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1275, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE(ZTE_VENDOR_ID, 0x1275), /* ZTE P685M */ ++ .driver_info = RSVD(3) | RSVD(4) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1276, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1277, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, 0x1278, 0xff, 0xff, 0xff) },