4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Aug 2016 12:53:32 +0000 (14:53 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 17 Aug 2016 12:53:32 +0000 (14:53 +0200)
added patches:
arm64-debug-unmask-pstate.d-earlier.patch
arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch
usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch
usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch
usb-gadget-avoid-exposing-kernel-stack.patch
usb-quirks-add-no-lpm-quirk-for-elan.patch
usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch
usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch
usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch
usb-usbfs-fix-potential-infoleak-in-devio.patch

queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch [new file with mode: 0644]
queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch [new file with mode: 0644]
queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch [new file with mode: 0644]
queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch [new file with mode: 0644]
queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch [new file with mode: 0644]
queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch [new file with mode: 0644]
queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch [new file with mode: 0644]
queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch [new file with mode: 0644]
queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch [new file with mode: 0644]
queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch [new file with mode: 0644]

diff --git a/queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch b/queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch
new file mode 100644 (file)
index 0000000..932d8f9
--- /dev/null
@@ -0,0 +1,89 @@
+From 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will.deacon@arm.com>
+Date: Tue, 19 Jul 2016 15:07:37 +0100
+Subject: arm64: debug: unmask PSTATE.D earlier
+
+From: Will Deacon <will.deacon@arm.com>
+
+commit 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 upstream.
+
+Clearing PSTATE.D is one of the requirements for generating a debug
+exception. The arm64 booting protocol requires that PSTATE.D is set,
+since many of the debug registers (for example, the hw_breakpoint
+registers) are UNKNOWN out of reset and could potentially generate
+spurious, fatal debug exceptions in early boot code if PSTATE.D was
+clear. Once the debug registers have been safely initialised, PSTATE.D
+is cleared, however this is currently broken for two reasons:
+
+(1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary
+    CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall
+    runs after SMP (and the scheduler) have been initialised, there is
+    no guarantee that it is actually running on the boot CPU. In this
+    case, the boot CPU is left with PSTATE.D set and is not capable of
+    generating debug exceptions.
+
+(2) In a preemptible kernel, we may explicitly schedule on the IRQ
+    return path to EL1. If an IRQ occurs with PSTATE.D set in the idle
+    thread, then we may schedule the kthread_init thread, run the
+    postcore_initcall to clear PSTATE.D and then context switch back
+    to the idle thread before returning from the IRQ. The exception
+    return path will then restore PSTATE.D from the stack, and set it
+    again.
+
+This patch fixes the problem by moving the clearing of PSTATE.D earlier
+to proc.S. This has the desirable effect of clearing it in one place for
+all CPUs, long before we have to worry about the scheduler or any
+exception handling. We ensure that the previous reset of MDSCR_EL1 has
+completed before unmasking the exception, so that any spurious
+exceptions resulting from UNKNOWN debug registers are not generated.
+
+Without this patch applied, the kprobes selftests have been seen to fail
+under KVM, where we end up attempting to step the OOL instruction buffer
+with PSTATE.D set and therefore fail to complete the step.
+
+Acked-by: Mark Rutland <mark.rutland@arm.com>
+Reported-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Marc Zyngier <marc.zyngier@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
+Tested-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm64/kernel/debug-monitors.c |    1 -
+ arch/arm64/kernel/smp.c            |    1 -
+ arch/arm64/mm/proc.S               |    2 ++
+ 3 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -152,7 +152,6 @@ static int debug_monitors_init(void)
+       /* Clear the OS lock. */
+       on_each_cpu(clear_os_lock, NULL, 1);
+       isb();
+-      local_dbg_enable();
+       /* Register hotplug handler. */
+       __register_cpu_notifier(&os_lock_nb);
+--- a/arch/arm64/kernel/smp.c
++++ b/arch/arm64/kernel/smp.c
+@@ -188,7 +188,6 @@ asmlinkage void secondary_start_kernel(v
+       set_cpu_online(cpu, true);
+       complete(&cpu_running);
+-      local_dbg_enable();
+       local_irq_enable();
+       local_async_enable();
+--- a/arch/arm64/mm/proc.S
++++ b/arch/arm64/mm/proc.S
+@@ -156,6 +156,8 @@ ENTRY(__cpu_setup)
+       msr     cpacr_el1, x0                   // Enable FP/ASIMD
+       mov     x0, #1 << 12                    // Reset mdscr_el1 and disable
+       msr     mdscr_el1, x0                   // access to the DCC from EL0
++      isb                                     // Unmask debug exceptions now,
++      enable_dbg                              // since this is per-cpu
+       reset_pmuserenr_el0 x0                  // Disable PMU access from EL0
+       /*
+        * Memory region attributes for LPAE:
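Review bot: The comment added next to `isb` and `enable_dbg` in __cpu_setup says only that the unmask is per-cpu and does not record why the barrier must come first. The commit message gives the reason: the mdscr_el1 reset written just above has to complete before debug exceptions are unmasked, otherwise UNKNOWN debug registers could raise a spurious exception during early boot. A comment such as `// isb: mdscr_el1 reset must complete before PSTATE.D is cleared` on the barrier line would stop a later cleanup from treating it as redundant. __cpu_setup continues past the end of the hunk.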
diff --git a/queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch b/queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch
new file mode 100644 (file)
index 0000000..f265a79
--- /dev/null
@@ -0,0 +1,91 @@
+From e19a6ee2460bdd0d0055a6029383422773f9999a Mon Sep 17 00:00:00 2001
+From: James Morse <james.morse@arm.com>
+Date: Mon, 20 Jun 2016 18:28:01 +0100
+Subject: arm64: kernel: Save and restore UAO and addr_limit on exception entry
+
+From: James Morse <james.morse@arm.com>
+
+commit e19a6ee2460bdd0d0055a6029383422773f9999a upstream.
+
+If we take an exception while at EL1, the exception handler inherits
+the original context's addr_limit and PSTATE.UAO values. To be consistent
+always reset addr_limit and PSTATE.UAO on (re-)entry to EL1. This
+prevents accidental re-use of the original context's addr_limit.
+
+Based on a similar patch for arm from Russell King.
+
+Cc: <stable@vger.kernel.org> # 4.6-
+Acked-by: Will Deacon <will.deacon@arm.com>
+Reviewed-by: Mark Rutland <mark.rutland@arm.com>
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Will Deacon <will.deacon@arm.com>
+[ backport to stop perf misusing inherited addr_limit.
+  Removed code interacting with UAO and the irqstack ]
+Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=822
+Signed-off-by: James Morse <james.morse@arm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm64/include/asm/ptrace.h |    2 ++
+ arch/arm64/kernel/asm-offsets.c |    1 +
+ arch/arm64/kernel/entry.S       |   15 ++++++++++++++-
+ 3 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/arch/arm64/include/asm/ptrace.h
++++ b/arch/arm64/include/asm/ptrace.h
+@@ -117,6 +117,8 @@ struct pt_regs {
+       };
+       u64 orig_x0;
+       u64 syscallno;
++      u64 orig_addr_limit;
++      u64 unused;     // maintain 16 byte alignment
+ };
+ #define arch_has_single_step()        (1)
+--- a/arch/arm64/kernel/asm-offsets.c
++++ b/arch/arm64/kernel/asm-offsets.c
+@@ -58,6 +58,7 @@ int main(void)
+   DEFINE(S_PC,                        offsetof(struct pt_regs, pc));
+   DEFINE(S_ORIG_X0,           offsetof(struct pt_regs, orig_x0));
+   DEFINE(S_SYSCALLNO,         offsetof(struct pt_regs, syscallno));
++  DEFINE(S_ORIG_ADDR_LIMIT,   offsetof(struct pt_regs, orig_addr_limit));
+   DEFINE(S_FRAME_SIZE,                sizeof(struct pt_regs));
+   BLANK();
+   DEFINE(MM_CONTEXT_ID,               offsetof(struct mm_struct, context.id.counter));
+--- a/arch/arm64/kernel/entry.S
++++ b/arch/arm64/kernel/entry.S
+@@ -27,6 +27,7 @@
+ #include <asm/cpufeature.h>
+ #include <asm/errno.h>
+ #include <asm/esr.h>
++#include <asm/memory.h>
+ #include <asm/thread_info.h>
+ #include <asm/unistd.h>
+@@ -93,7 +94,13 @@
+       disable_step_tsk x19, x20               // exceptions when scheduling.
+       .else
+       add     x21, sp, #S_FRAME_SIZE
+-      .endif
++      get_thread_info tsk
++      /* Save the task's original addr_limit and set USER_DS (TASK_SIZE_64) */
++      ldr     x20, [tsk, #TI_ADDR_LIMIT]
++      str     x20, [sp, #S_ORIG_ADDR_LIMIT]
++      mov     x20, #TASK_SIZE_64
++      str     x20, [tsk, #TI_ADDR_LIMIT]
++      .endif /* \el == 0 */
+       mrs     x22, elr_el1
+       mrs     x23, spsr_el1
+       stp     lr, x21, [sp, #S_LR]
+@@ -117,6 +124,12 @@
+       .endm
+       .macro  kernel_exit, el
++      .if     \el != 0
++      /* Restore the task's original addr_limit. */
++      ldr     x20, [sp, #S_ORIG_ADDR_LIMIT]
++      str     x20, [tsk, #TI_ADDR_LIMIT]
++      .endif
++
+       ldp     x21, x22, [sp, #S_PC]           // load ELR, SPSR
+       .if     \el == 0
+       ct_user_enter
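Review bot: The new `orig_addr_limit` slot in struct pt_regs is written only in the `.else` arm of kernel_entry (exceptions taken from EL1) and read back only under `.if \el != 0` in kernel_exit, so for an exception taken from EL0 it holds whatever was already on the stack. That is consistent within the visible hunks, but nothing at the declaration says so, and a later reader of pt_regs could take the field as always valid. I would document it where it is declared, for example `u64 orig_addr_limit; // saved addr_limit, valid only for exceptions taken from EL1`. The restore also depends on `tsk` still pointing at the thread_info when kernel_exit runs; both macro bodies extend outside the hunks, so that cannot be confirmed from here.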
diff --git a/queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch b/queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch
new file mode 100644 (file)
index 0000000..e9eba0c
--- /dev/null
@@ -0,0 +1,42 @@
+From 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b Mon Sep 17 00:00:00 2001
+From: Konrad Leszczynski <konrad.leszczynski@intel.com>
+Date: Mon, 8 Feb 2016 16:13:12 +0100
+Subject: usb: dwc3: fix for the isoc transfer EP_BUSY flag
+
+From: Konrad Leszczynski <konrad.leszczynski@intel.com>
+
+commit 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b upstream.
+
+commit f3af36511e60 ("usb: dwc3: gadget: always
+enable IOC on bulk/interrupt transfers") ended up
+regressing Isochronous endpoints by clearing
+DWC3_EP_BUSY flag too early, which resulted in
+choppy audio playback over USB.
+
+Fix that by partially reverting original commit and
+making sure that we check for isochronous endpoints.
+
+Fixes: f3af36511e60 ("usb: dwc3: gadget: always enable IOC
+               on bulk/interrupt transfers")
+Signed-off-by: Konrad Leszczynski <konrad.leszczynski@intel.com>
+Signed-off-by: Rafal Redzimski <rafal.f.redzimski@intel.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/gadget.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/dwc3/gadget.c
++++ b/drivers/usb/dwc3/gadget.c
+@@ -1965,6 +1965,10 @@ static int dwc3_cleanup_done_reqs(struct
+               return 1;
+       }
++      if (usb_endpoint_xfer_isoc(dep->endpoint.desc))
++              if ((event->status & DEPEVT_STATUS_IOC) &&
++                              (trb->ctrl & DWC3_TRB_CTRL_IOC))
++                      return 0;
+       return 1;
+ }
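Review bot: The added check at the end of dwc3_cleanup_done_reqs nests two unbraced `if` statements, which is easy to misread and easy to break when an `else` or a second statement is added later. Folding it into one condition reads the same and removes the hazard: `if (usb_endpoint_xfer_isoc(dep->endpoint.desc) && (event->status & DEPEVT_STATUS_IOC) && (trb->ctrl & DWC3_TRB_CTRL_IOC))` followed by `return 0;`. A one-line comment saying that returning 0 here keeps DWC3_EP_BUSY set for isochronous endpoints would tie the code to the regression described in the commit message. The function starts outside the hunk, so which TRB `trb` refers to at this point is not visible.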
diff --git a/queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch b/queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch
new file mode 100644 (file)
index 0000000..b9803f7
--- /dev/null
@@ -0,0 +1,51 @@
+From 0015f9156092d07b3ec06d37d014328419d5832e Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Sat, 28 May 2016 07:48:10 +0300
+Subject: usb: f_fs: off by one bug in _ffs_func_bind()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 0015f9156092d07b3ec06d37d014328419d5832e upstream.
+
+This loop is supposed to set all the .num[] values to -1 but it's off by
+one so it skips the first element and sets one element past the end of
+the array.
+
+I've cleaned up the loop a little as well.
+
+Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver')
+Acked-by: Michal Nazarewicz <mina86@mina86.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c |   10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -2740,6 +2740,7 @@ static int _ffs_func_bind(struct usb_con
+               func->ffs->ss_descs_count;
+       int fs_len, hs_len, ss_len, ret, i;
++      struct ffs_ep *eps_ptr;
+       /* Make it a single chunk, less management later on */
+       vla_group(d);
+@@ -2788,12 +2789,9 @@ static int _ffs_func_bind(struct usb_con
+              ffs->raw_descs_length);
+       memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz);
+-      for (ret = ffs->eps_count; ret; --ret) {
+-              struct ffs_ep *ptr;
+-
+-              ptr = vla_ptr(vlabuf, d, eps);
+-              ptr[ret].num = -1;
+-      }
++      eps_ptr = vla_ptr(vlabuf, d, eps);
++      for (i = 0; i < ffs->eps_count; i++)
++              eps_ptr[i].num = -1;
+       /* Save pointers
+        * d_eps == vlabuf, func->eps used to kfree vlabuf later
diff --git a/queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch b/queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch
new file mode 100644 (file)
index 0000000..9d7029c
--- /dev/null
@@ -0,0 +1,31 @@
+From ffeee83aa0461992e8a99a59db2df31933e60362 Mon Sep 17 00:00:00 2001
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Date: Sun, 8 May 2016 23:20:59 +0200
+Subject: usb: gadget: avoid exposing kernel stack
+
+From: Heinrich Schuchardt <xypron.glpk@gmx.de>
+
+commit ffeee83aa0461992e8a99a59db2df31933e60362 upstream.
+
+Function in_rq_cur copies random bytes from the stack.
+Zero the memory instead.
+
+Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver")
+Signed-off-by: Heinrich Schuchardt <xypron.glpk@gmx.de>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_uac2.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_uac2.c
++++ b/drivers/usb/gadget/function/f_uac2.c
+@@ -1291,6 +1291,7 @@ in_rq_cur(struct usb_function *fn, const
+       if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) {
+               struct cntrl_cur_lay3 c;
++              memset(&c, 0, sizeof(struct cntrl_cur_lay3));
+               if (entity_id == USB_IN_CLK_ID)
+                       c.dCUR = p_srate;
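Review bot: The new `memset(&c, 0, sizeof(struct cntrl_cur_lay3));` in in_rq_cur names the type rather than the object, so the size silently goes stale if the declaration of `c` is ever changed. `memset(&c, 0, sizeof(c));` is the safer form. The zeroing matters because the visible code assigns `c.dCUR` only under an `entity_id` test, so some paths presumably send the struct without setting it. The rest of in_rq_cur and the other request handlers in this file are outside the hunk, so it is worth checking whether any other on-stack reply struct there is sent without full initialisation.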
diff --git a/queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch b/queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch
new file mode 100644 (file)
index 0000000..a0912bd
--- /dev/null
@@ -0,0 +1,35 @@
+From 25b1f9acc452209ae0fcc8c1332be852b5c52f53 Mon Sep 17 00:00:00 2001
+From: Joseph Salisbury <joseph.salisbury@canonical.com>
+Date: Wed, 6 Jul 2016 21:18:51 -0400
+Subject: usb: quirks: Add no-lpm quirk for Elan
+
+From: Joseph Salisbury <joseph.salisbury@canonical.com>
+
+commit 25b1f9acc452209ae0fcc8c1332be852b5c52f53 upstream.
+
+BugLink: http://bugs.launchpad.net/bugs/1498667
+
+As reported in BugLink, this device has an issue with Linux Power
+Management so adding a quirk.  This quirk was reccomended by Alan Stern:
+
+http://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.html
+
+Signed-off-by: Joseph Salisbury <joseph.salisbury@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -128,6 +128,9 @@ static const struct usb_device_id usb_qu
+       { USB_DEVICE(0x04f3, 0x016f), .driver_info =
+                       USB_QUIRK_DEVICE_QUALIFIER },
++      { USB_DEVICE(0x04f3, 0x0381), .driver_info =
++                      USB_QUIRK_NO_LPM },
++
+       { USB_DEVICE(0x04f3, 0x21b8), .driver_info =
+                       USB_QUIRK_DEVICE_QUALIFIER },
diff --git a/queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch b/queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch
new file mode 100644 (file)
index 0000000..ae985b3
--- /dev/null
@@ -0,0 +1,79 @@
+From 4fdef698383db07d829da567e0e405fc41ff3a89 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 8 Jun 2016 16:32:49 +0900
+Subject: usb: renesas_usbhs: fix NULL pointer dereference in xfer_work()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream.
+
+This patch fixes an issue that the xfer_work() is possible to cause
+NULL pointer dereference if the usb cable is disconnected while data
+transfer is running.
+
+In such case, a gadget driver may call usb_ep_disable()) before
+xfer_work() is actually called. In this case, the usbhs_pkt_pop()
+will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo()
+in xfer_work() will return NULL.
+
+Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/fifo.c |   18 ++++++++++++++----
+ 1 file changed, 14 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/renesas_usbhs/fifo.c
++++ b/drivers/usb/renesas_usbhs/fifo.c
+@@ -808,20 +808,27 @@ static void xfer_work(struct work_struct
+ {
+       struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work);
+       struct usbhs_pipe *pipe = pkt->pipe;
+-      struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe);
++      struct usbhs_fifo *fifo;
+       struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe);
+       struct dma_async_tx_descriptor *desc;
+-      struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt);
++      struct dma_chan *chan;
+       struct device *dev = usbhs_priv_to_dev(priv);
+       enum dma_transfer_direction dir;
++      unsigned long flags;
++      usbhs_lock(priv, flags);
++      fifo = usbhs_pipe_to_fifo(pipe);
++      if (!fifo)
++              goto xfer_work_end;
++
++      chan = usbhsf_dma_chan_get(fifo, pkt);
+       dir = usbhs_pipe_is_dir_in(pipe) ? DMA_DEV_TO_MEM : DMA_MEM_TO_DEV;
+       desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual,
+                                       pkt->trans, dir,
+                                       DMA_PREP_INTERRUPT | DMA_CTRL_ACK);
+       if (!desc)
+-              return;
++              goto xfer_work_end;
+       desc->callback          = usbhsf_dma_complete;
+       desc->callback_param    = pipe;
+@@ -829,7 +836,7 @@ static void xfer_work(struct work_struct
+       pkt->cookie = dmaengine_submit(desc);
+       if (pkt->cookie < 0) {
+               dev_err(dev, "Failed to submit dma descriptor\n");
+-              return;
++              goto xfer_work_end;
+       }
+       dev_dbg(dev, "  %s %d (%d/ %d)\n",
+@@ -840,6 +847,9 @@ static void xfer_work(struct work_struct
+       usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans);
+       dma_async_issue_pending(chan);
+       usbhs_pipe_enable(pipe);
++
++xfer_work_end:
++      usbhs_unlock(priv, flags);
+ }
+ /*
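Review bot: xfer_work now holds the lock from usbhs_lock() across the whole body, including `dmaengine_prep_slave_single`, `dmaengine_submit`, `dma_async_issue_pending` and both log calls, and nothing in the code says why the critical section is that wide. The `flags` argument suggests an interrupt-saving spinlock, so everything called in between must not sleep; the definitions are not visible here, so that is worth confirming for the DMA engine in use. I would add a comment at the lock site, for example `/* held so a concurrent usb_ep_disable() cannot unselect the fifo while the transfer is set up */`, which is the race the commit message describes. The three `goto xfer_work_end` paths visible in the hunks all reach the unlock.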
diff --git a/queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch b/queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch
new file mode 100644 (file)
index 0000000..b76f052
--- /dev/null
@@ -0,0 +1,69 @@
+From 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Wed, 8 Jun 2016 16:32:50 +0900
+Subject: usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable()
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream.
+
+This patch fixes an issue that the CFIFOSEL register value is possible
+to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer
+using CFIFO may not work correctly.
+
+For example:
+ # modprobe g_multi file=usb-storage.bin
+ # ifconfig usb0 192.168.1.1 up
+ (During the USB host is sending file to the mass storage)
+ # ifconfig usb0 down
+
+In this case, since the u_ether.c may call usb_ep_enable() in
+eth_stop(), if the renesas_usbhs driver is also using CFIFO for
+mass storage, the mass storage may not work correctly.
+
+So, this patch adds usbhs_lock() and usbhs_unlock() calling in
+usbhsg_ep_enable() to protect CFIFOSEL register. This is because:
+ - CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration
+ - The CFIFOSEL (fifo->sel) is already protected by usbhs_lock()
+
+Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area")
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/renesas_usbhs/mod_gadget.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/renesas_usbhs/mod_gadget.c
++++ b/drivers/usb/renesas_usbhs/mod_gadget.c
+@@ -586,6 +586,9 @@ static int usbhsg_ep_enable(struct usb_e
+       struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv);
+       struct usbhs_pipe *pipe;
+       int ret = -EIO;
++      unsigned long flags;
++
++      usbhs_lock(priv, flags);
+       /*
+        * if it already have pipe,
+@@ -594,7 +597,8 @@ static int usbhsg_ep_enable(struct usb_e
+       if (uep->pipe) {
+               usbhs_pipe_clear(uep->pipe);
+               usbhs_pipe_sequence_data0(uep->pipe);
+-              return 0;
++              ret = 0;
++              goto usbhsg_ep_enable_end;
+       }
+       pipe = usbhs_pipe_malloc(priv,
+@@ -622,6 +626,9 @@ static int usbhsg_ep_enable(struct usb_e
+               ret = 0;
+       }
++usbhsg_ep_enable_end:
++      usbhs_unlock(priv, flags);
++
+       return ret;
+ }
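Review bot: Only the `if (uep->pipe)` early return is converted to `goto usbhsg_ep_enable_end`; the stretch of usbhsg_ep_enable between `usbhs_pipe_malloc(` and the final `ret = 0;` lies outside the hunks, and any `return` left there would now exit with the lock still held. Please confirm that the function has no other exit before the new label. `usbhs_pipe_malloc`, `usbhs_pipe_clear` and `usbhs_pipe_sequence_data0` also now run under the lock, which takes a `flags` argument and so is presumably an interrupt-saving spinlock. Their bodies are not shown, so it should be checked that none of them can sleep or take the same lock again.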
diff --git a/queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch b/queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch
new file mode 100644 (file)
index 0000000..93b2eba
--- /dev/null
@@ -0,0 +1,41 @@
+From 3c0415fa08548e3bc63ef741762664497ab187ed Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Mon, 6 Jun 2016 12:38:17 +0200
+Subject: USB: serial: option: add support for Telit LE910 PID 0x1206
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream.
+
+This patch adds support for 0x1206 PID of Telit LE910.
+
+Since the interfaces positions are the same than the ones for
+0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -273,6 +273,7 @@ static void option_instat_callback(struc
+ #define TELIT_PRODUCT_LE922_USBCFG5           0x1045
+ #define TELIT_PRODUCT_LE920                   0x1200
+ #define TELIT_PRODUCT_LE910                   0x1201
++#define TELIT_PRODUCT_LE910_USBCFG4           0x1206
+ /* ZTE PRODUCTS */
+ #define ZTE_VENDOR_ID                         0x19d2
+@@ -1198,6 +1199,8 @@ static const struct usb_device_id option
+               .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+               .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
++      { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
++              .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+       { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920),
+               .driver_info = (kernel_ulong_t)&telit_le920_blacklist },
+       { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */
diff --git a/queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch b/queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch
new file mode 100644 (file)
index 0000000..f786de4
--- /dev/null
@@ -0,0 +1,42 @@
+From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001
+From: Kangjie Lu <kangjielu@gmail.com>
+Date: Tue, 3 May 2016 16:32:16 -0400
+Subject: USB: usbfs: fix potential infoleak in devio
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Kangjie Lu <kangjielu@gmail.com>
+
+commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee upstream.
+
+The stack object “ci” has a total size of 8 bytes. Its last 3 bytes
+are padding bytes which are not initialized and leaked to userland
+via “copy_to_user”.
+
+Signed-off-by: Kangjie Lu <kjlu@gatech.edu>
+Signed-off-by: Chas Williams <ciwillia@brocade.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1203,10 +1203,11 @@ static int proc_getdriver(struct usb_dev
+ static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg)
+ {
+-      struct usbdevfs_connectinfo ci = {
+-              .devnum = ps->dev->devnum,
+-              .slow = ps->dev->speed == USB_SPEED_LOW
+-      };
++      struct usbdevfs_connectinfo ci;
++
++      memset(&ci, 0, sizeof(ci));
++      ci.devnum = ps->dev->devnum;
++      ci.slow = ps->dev->speed == USB_SPEED_LOW;
+       if (copy_to_user(arg, &ci, sizeof(ci)))
+               return -EFAULT;
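Review bot: The switch in proc_connectinfo from a designated initializer to `memset` plus field assignments looks like a step backwards in style, so without a comment it invites someone to convert it back and reintroduce the leak. The commit message explains that the trailing padding bytes of `ci` were copied to userland uninitialised; an initializer is not guaranteed to clear padding, while `memset` over the whole object does. I would record that at the call: `/* memset, not an initializer: padding must be zeroed before copy_to_user() */`. The function body continues past the end of the hunk.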