commit 5915b0ea674673d13d2755f7e7f843fe286d85ec Author: Greg Kroah-Hartman Date: Fri Nov 12 14:43:05 2021 +0100 Linux 5.4.159 Link: https://lore.kernel.org/r/20211110182002.206203228@linuxfoundation.org Tested-by: Florian Fainelli Tested-by: Linux Kernel Functional Testing Tested-by: Sudip Mukherjee Tested-by: Shuah Khan Tested-by: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit abc49cc45d0ada0b9d147f2873ef439ba5c7e2b7 Author: Johan Hovold Date: Mon Oct 25 14:05:22 2021 +0200 rsi: fix control-message timeout commit 541fd20c3ce5b0bc39f0c6a52414b6b92416831c upstream. USB control-message timeouts are specified in milliseconds and should specifically not vary with CONFIG_HZ. Use the common control-message timeout define for the five-second timeout. Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver") Cc: stable@vger.kernel.org # 3.15 Signed-off-by: Johan Hovold Signed-off-by: Kalle Valo Link: https://lore.kernel.org/r/20211025120522.6045-5-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 64e6632ab4c11dde13083f9529d4fa9a9e919ae4 Author: Gustavo A. R. Silva Date: Tue Aug 10 19:09:55 2021 +0200 media: staging/intel-ipu3: css: Fix wrong size comparison imgu_css_fw_init commit a44f9d6f9dc1fb314a3f1ed2dcd4fbbcc3d9f892 upstream. There is a wrong comparison of the total size of the loaded firmware css->fw->size with the size of a pointer to struct imgu_fw_header. Turn binary_header into a flexible-array member[1][2], use the struct_size() helper and fix the wrong size comparison. Notice that the loaded firmware needs to contain at least one 'struct imgu_fw_info' item in the binary_header[] array. It's also worth mentioning that "css->fw->size < struct_size(css->fwp, binary_header, 1)" with binary_header declared as a flexible-array member is equivalent to "css->fw->size < sizeof(struct imgu_fw_header)" with binary_header declared as a one-element array (as in the original code). The replacement of the one-element array with a flexible-array member also helps with the ongoing efforts to globally enable -Warray-bounds and get us closer to being able to tighten the FORTIFY_SOURCE routines on memcpy(). [1] https://en.wikipedia.org/wiki/Flexible_array_member [2] https://www.kernel.org/doc/html/v5.10/process/deprecated.html#zero-length-and-one-element-arrays Link: https://github.com/KSPP/linux/issues/79 Link: https://github.com/KSPP/linux/issues/109 Fixes: 09d290f0ba21 ("media: staging/intel-ipu3: css: Add support for firmware management") Cc: stable@vger.kernel.org Signed-off-by: Gustavo A. R. Silva Signed-off-by: Sakari Ailus Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 6c382b63658ed8feb7d092c7a45199c665ffc018 Author: Johan Hovold Date: Mon Oct 25 14:09:09 2021 +0200 staging: rtl8192u: fix control-message timeouts commit 4cfa36d312d6789448b59a7aae770ac8425017a3 upstream. USB control-message timeouts are specified in milliseconds and should specifically not vary with CONFIG_HZ. Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Cc: stable@vger.kernel.org # 2.6.33 Acked-by: Larry Finger Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20211025120910.6339-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit f66258cb60e4abbc71211adb46996838a768f690 Author: Johan Hovold Date: Mon Oct 25 14:09:10 2021 +0200 staging: r8712u: fix control-message timeout commit ce4940525f36ffdcf4fa623bcedab9c2a6db893a upstream. USB control-message timeouts are specified in milliseconds and should specifically not vary with CONFIG_HZ. Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel") Cc: stable@vger.kernel.org # 2.6.37 Acked-by: Larry Finger Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20211025120910.6339-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 88a252ff782ce9683ef8657d52c8fd913b2e1488 Author: Johan Hovold Date: Mon Oct 25 13:45:32 2021 +0200 comedi: vmk80xx: fix bulk and interrupt message timeouts commit a56d3e40bda460edf3f8d6aac00ec0b322b4ab83 upstream. USB bulk and interrupt message timeouts are specified in milliseconds and should specifically not vary with CONFIG_HZ. Note that the bulk-out transfer timeout was set to the endpoint bInterval value, which should be ignored for bulk endpoints and is typically set to zero. This meant that a failing bulk-out transfer would never time out. Assume that the 10 second timeout used for all other transfers is more than enough also for the bulk-out endpoint. Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support") Fixes: 951348b37738 ("staging: comedi: vmk80xx: wait for URBs to complete") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by: Johan Hovold Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/20211025114532.4599-6-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 1ae4715121a57bc6fa29fd992127b01907f2f993 Author: Johan Hovold Date: Mon Oct 25 13:45:31 2021 +0200 comedi: vmk80xx: fix bulk-buffer overflow commit 78cdfd62bd54af615fba9e3ca1ba35de39d3871d upstream. The driver is using endpoint-sized buffers but must not assume that the tx and rx buffers are of equal size or a malicious device could overflow the slab-allocated receive buffer when doing bulk transfers. Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by: Johan Hovold Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/20211025114532.4599-5-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 199acd8c110e3ae62833c24f632b0bb1c9f012a9 Author: Johan Hovold Date: Mon Oct 25 13:45:30 2021 +0200 comedi: vmk80xx: fix transfer-buffer overflows commit a23461c47482fc232ffc9b819539d1f837adf2b1 upstream. The driver uses endpoint-sized USB transfer buffers but up until recently had no sanity checks on the sizes. Commit e1f13c879a7c ("staging: comedi: check validity of wMaxPacketSize of usb endpoints found") inadvertently fixed NULL-pointer dereferences when accessing the transfer buffers in case a malicious device has a zero wMaxPacketSize. Make sure to allocate buffers large enough to handle also the other accesses that are done without a size check (e.g. byte 18 in vmk80xx_cnt_insn_read() for the VMK8061_MODEL) to avoid writing beyond the buffers, for example, when doing descriptor fuzzing. The original driver was for a low-speed device with 8-byte buffers. Support was later added for a device that uses bulk transfers and is presumably a full-speed device with a maximum 64-byte wMaxPacketSize. Fixes: 985cafccbf9b ("Staging: Comedi: vmk80xx: Add k8061 support") Cc: stable@vger.kernel.org # 2.6.31 Signed-off-by: Johan Hovold Reviewed-by: Ian Abbott Link: https://lore.kernel.org/r/20211025114532.4599-4-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit b0156b7c9649d8f55a2ce3d3258509f1b2a181c3 Author: Johan Hovold Date: Wed Oct 27 11:35:28 2021 +0200 comedi: ni_usb6501: fix NULL-deref in command paths commit 907767da8f3a925b060c740e0b5c92ea7dbec440 upstream. The driver uses endpoint-sized USB transfer buffers but had no sanity checks on the sizes. This can lead to zero-size-pointer dereferences or overflowed transfer buffers in ni6501_port_command() and ni6501_counter_command() if a (malicious) device has smaller max-packet sizes than expected (or when doing descriptor fuzz testing). Add the missing sanity checks to probe(). Fixes: a03bb00e50ab ("staging: comedi: add NI USB-6501 support") Cc: stable@vger.kernel.org # 3.18 Cc: Luca Ellero Reviewed-by: Ian Abbott Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20211027093529.30896-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 3efb7af8ac437085b6c776e5b54830b149d86efe Author: Johan Hovold Date: Wed Oct 27 11:35:29 2021 +0200 comedi: dt9812: fix DMA buffers on stack commit 536de747bc48262225889a533db6650731ab25d3 upstream. USB transfer buffers are typically mapped for DMA and must not be allocated on the stack or transfers will fail. Allocate proper transfer buffers in the various command helpers and return an error on short transfers instead of acting on random stack data. Note that this also fixes a stack info leak on systems where DMA is not used as 32 bytes are always sent to the device regardless of how short the command is. Fixes: 63274cd7d38a ("Staging: comedi: add usb dt9812 driver") Cc: stable@vger.kernel.org # 2.6.29 Reviewed-by: Ian Abbott Signed-off-by: Johan Hovold Link: https://lore.kernel.org/r/20211027093529.30896-3-johan@kernel.org Signed-off-by: Greg Kroah-Hartman commit 6e80e9314f8bb52d9eabe1907698718ff01120f5 Author: Jan Kara Date: Mon Oct 18 12:37:41 2021 +0200 isofs: Fix out of bound access for corrupted isofs image commit e96a1866b40570b5950cda8602c2819189c62a48 upstream. When isofs image is suitably corrupted isofs_read_inode() can read data beyond the end of buffer. Sanity-check the directory entry length before using it. Reported-and-tested-by: syzbot+6fc7fb214625d82af7d1@syzkaller.appspotmail.com CC: stable@vger.kernel.org Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit adc56dbfc4aa2e46aa256a36b3d44f10de1bdc37 Author: Petr Mladek Date: Wed Nov 11 14:54:50 2020 +0100 printk/console: Allow to disable console output by using console="" or console=null commit 3cffa06aeef7ece30f6b5ac0ea51f264e8fea4d0 upstream. The commit 48021f98130880dd74 ("printk: handle blank console arguments passed in.") prevented crash caused by empty console= parameter value. Unfortunately, this value is widely used on Chromebooks to disable the console output. The above commit caused performance regression because the messages were pushed on slow console even though nobody was watching it. Use ttynull driver explicitly for console="" and console=null parameters. It has been created for exactly this purpose. It causes that preferred_console is set. As a result, ttySX and ttyX are not used as a fallback. And only ttynull console gets registered by default. It still allows to register other consoles either by additional console= parameters or SPCR. It prevents regression because it worked this way even before. Also it is a sane semantic. Preventing output on all consoles should be done another way, for example, by introducing mute_console parameter. Link: https://lore.kernel.org/r/20201006025935.GA597@jagdpanzerIV.localdomain Suggested-by: Sergey Senozhatsky Reviewed-by: Guenter Roeck Tested-by: Guenter Roeck Acked-by: Sergey Senozhatsky Signed-off-by: Petr Mladek Link: https://lore.kernel.org/r/20201111135450.11214-3-pmladek@suse.com Cc: Yi Fan Signed-off-by: Greg Kroah-Hartman commit 589ac131b3abb3beba51782d62ace557b8a314ee Author: Todd Kjos Date: Fri Oct 15 16:38:11 2021 -0700 binder: don't detect sender/target during buffer cleanup commit 32e9f56a96d8d0f23cb2aeb2a3cd18d40393e787 upstream. When freeing txn buffers, binder_transaction_buffer_release() attempts to detect whether the current context is the target by comparing current->group_leader to proc->tsk. This is an unreliable test. Instead explicitly pass an 'is_failure' boolean. Detecting the sender was being used as a way to tell if the transaction failed to be sent. When cleaning up after failing to send a transaction, there is no need to close the fds associated with a BINDER_TYPE_FDA object. Now 'is_failure' can be used to accurately detect this case. Fixes: 44d8047f1d87 ("binder: use standard functions to allocate fds") Cc: stable Acked-by: Christian Brauner Signed-off-by: Todd Kjos Link: https://lore.kernel.org/r/20211015233811.3532235-1-tkjos@google.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit b60e89b63eb9ff02881905952d15f77bdb3971bd Author: James Buren Date: Wed Oct 13 20:55:04 2021 -0500 usb-storage: Add compatibility quirk flags for iODD 2531/2541 commit 05c8f1b67e67dcd786ae3fe44492bbc617b4bd12 upstream. These drive enclosures have firmware bugs that make it impossible to mount a new virtual ISO image after Linux ejects the old one if the device is locked by Linux. Windows bypasses this problem by the fact that they do not lock the device. Add a quirk to disable device locking for these drive enclosures. Acked-by: Alan Stern Signed-off-by: James Buren Cc: stable Link: https://lore.kernel.org/r/20211014015504.2695089-1-braewoods+lkml@braewoods.net Signed-off-by: Greg Kroah-Hartman commit 5c3eba29047918e5174f309ca2051ff6b585f9cf Author: Viraj Shah Date: Thu Oct 21 11:36:44 2021 +0200 usb: musb: Balance list entry in musb_gadget_queue commit 21b5fcdccb32ff09b6b63d4a83c037150665a83f upstream. musb_gadget_queue() adds the passed request to musb_ep::req_list. If the endpoint is idle and it is the first request then it invokes musb_queue_resume_work(). If the function returns an error then the error is passed to the caller without any clean-up and the request remains enqueued on the list. If the caller enqueues the request again then the list corrupts. Remove the request from the list on error. Fixes: ea2f35c01d5ea ("usb: musb: Fix sleeping function called from invalid context for hdrc glue") Cc: stable Signed-off-by: Viraj Shah Link: https://lore.kernel.org/r/20211021093644.4734-1-viraj.shah@linutronix.de Signed-off-by: Greg Kroah-Hartman commit 161571745de126d2dc6685aee3d6d83fbe7928bb Author: Geert Uytterhoeven Date: Wed Oct 27 10:08:49 2021 +0200 usb: gadget: Mark USB_FSL_QE broken on 64-bit commit a0548b26901f082684ad1fb3ba397d2de3a1406a upstream. On 64-bit: drivers/usb/gadget/udc/fsl_qe_udc.c: In function ‘qe_ep0_rx’: drivers/usb/gadget/udc/fsl_qe_udc.c:842:13: error: cast from pointer to integer of different size [-Werror=pointer-to-int-cast] 842 | vaddr = (u32)phys_to_virt(in_be32(&bd->buf)); | ^ In file included from drivers/usb/gadget/udc/fsl_qe_udc.c:41: drivers/usb/gadget/udc/fsl_qe_udc.c:843:28: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast] 843 | frame_set_data(pframe, (u8 *)vaddr); | ^ The driver assumes physical and virtual addresses are 32-bit, hence it cannot work on 64-bit platforms. Acked-by: Li Yang Signed-off-by: Geert Uytterhoeven Link: https://lore.kernel.org/r/20211027080849.3276289-1-geert@linux-m68k.org Cc: stable Signed-off-by: Greg Kroah-Hartman commit d6013265a779d685a6e88b3f2af065e8855c2877 Author: Neal Liu Date: Fri Sep 10 15:36:19 2021 +0800 usb: ehci: handshake CMD_RUN instead of STS_HALT commit 7f2d73788d9067fd4f677ac5f60ffd25945af7af upstream. For Aspeed, HCHalted status depends on not only Run/Stop but also ASS/PSS status. Handshake CMD_RUN on startup instead. Tested-by: Tao Ren Reviewed-by: Tao Ren Acked-by: Alan Stern Signed-off-by: Neal Liu Link: https://lore.kernel.org/r/20210910073619.26095-1-neal_liu@aspeedtech.com Cc: Joel Stanley Signed-off-by: Greg Kroah-Hartman commit 6d000e1c16250f0dd60d88fa91e4b30aae193c98 Author: Juergen Gross Date: Mon Sep 13 15:57:43 2021 +0200 Revert "x86/kvm: fix vcpu-id indexed array sizes" commit 1e254d0d86a0f2efd4190a89d5204b37c18c6381 upstream. This reverts commit 76b4f357d0e7d8f6f0013c733e6cba1773c266d3. The commit has the wrong reasoning, as KVM_MAX_VCPU_ID is not defining the maximum allowed vcpu-id as its name suggests, but the number of vcpu-ids. So revert this patch again. Suggested-by: Eduardo Habkost Signed-off-by: Juergen Gross Signed-off-by: Paolo Bonzini Message-Id: <20210913135745.13944-2-jgross@suse.com> Signed-off-by: Paolo Bonzini Signed-off-by: Greg Kroah-Hartman