--- /dev/null
+From 03eb2a557ed552e920a0942b774aaf931596eec1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 7 Mar 2017 15:14:13 -0300
+Subject: [media] mceusb: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream.
+
+Make sure to check for the required out endpoint to avoid dereferencing
+a NULL-pointer in mce_request_packet should a malicious device lack such
+an endpoint. Note that this path is hit during probe.
+
+Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/rc/mceusb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1321,8 +1321,8 @@ static int mceusb_dev_probe(struct usb_i
+ }
+ }
+ }
+- if (ep_in == NULL) {
+- dev_dbg(&intf->dev, "inbound and/or endpoint not found");
++ if (!ep_in || !ep_out) {
++ dev_dbg(&intf->dev, "required endpoints not found\n");
+ return -ENODEV;
+ }
+
--- /dev/null
+From 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 12 May 2017 12:11:13 +0200
+Subject: net: irda: irda-usb: fix firmware name on big-endian hosts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.
+
+Add missing endianness conversion when using the USB device-descriptor
+bcdDevice field to construct a firmware file name.
+
+Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
+Cc: Nick Fedchik <nfedchik@atlantic-link.com.ua>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/irda/irda-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/irda/irda-usb.c
++++ b/drivers/net/irda/irda-usb.c
+@@ -1082,7 +1082,7 @@ static int stir421x_patch_device(struct
+ * are "42101001.sb" or "42101002.sb"
+ */
+ sprintf(stir421x_fw_name, "4210%4X.sb",
+- self->usbdev->descriptor.bcdDevice);
++ le16_to_cpu(self->usbdev->descriptor.bcdDevice));
+ ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev);
+ if (ret < 0)
+ return ret;
usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch
usb-host-xhci-plat-propagate-return-value-of-platform_get_irq.patch
usb-host-xhci-mem-allocate-zeroed-scratchpad-buffer.patch
+net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch
+usbvision-fix-null-deref-at-probe.patch
+mceusb-fix-null-deref-at-probe.patch
+ttusb2-limit-messages-to-buffer-size.patch
+usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch
+usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch
+usb-serial-option-add-telit-me910-support.patch
+usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch
+usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
+usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
+usb-hub-fix-ss-hub-descriptor-handling.patch
+usb-hub-fix-non-ss-hub-descriptor-handling.patch
+tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
--- /dev/null
+From a12b8ab8c5ff7ccd7b107a564743507c850a441d Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn <amilburn@zall.org>
+Date: Sat, 1 Apr 2017 14:34:32 -0300
+Subject: [media] ttusb2: limit messages to buffer size
+
+From: Alyssa Milburn <amilburn@zall.org>
+
+commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream.
+
+Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
+heap buffers.
+
+Signed-off-by: Alyssa Milburn <amilburn@zall.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/ttusb2.c
++++ b/drivers/media/usb/dvb-usb/ttusb2.c
+@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev
+ u8 *s, *r = NULL;
+ int ret = 0;
+
++ if (4 + rlen > 64)
++ return -EIO;
++
+ s = kzalloc(wlen+4, GFP_KERNEL);
+ if (!s)
+ return -ENOMEM;
+@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad
+ write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
+ read = msg[i].flags & I2C_M_RD;
+
++ if (3 + msg[i].len > sizeof(obuf)) {
++ err("i2c wr len=%d too high", msg[i].len);
++ break;
++ }
++ if (write_read) {
++ if (3 + msg[i+1].len > sizeof(ibuf)) {
++ err("i2c rd len=%d too high", msg[i+1].len);
++ break;
++ }
++ } else if (read) {
++ if (3 + msg[i].len > sizeof(ibuf)) {
++ err("i2c rd len=%d too high", msg[i].len);
++ break;
++ }
++ }
++
+ obuf[0] = (msg[i].addr << 1) | (write_read | read);
+ if (read)
+ obuf[1] = 0;
--- /dev/null
+From dd42bf1197144ede075a9d4793123f7689e164bc Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Fri, 27 Nov 2015 14:30:21 -0500
+Subject: tty: Prevent ldisc drivers from re-using stale tty fields
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.
+
+Line discipline drivers may mistakenly misuse ldisc-related fields
+when initializing. For example, a failure to initialize tty->receive_room
+in the N_GIGASET_M101 line discipline was recently found and fixed [1].
+Now, the N_X25 line discipline has been discovered accessing the previous
+line discipline's already-freed private data [2].
+
+Harden the ldisc interface against misuse by initializing revelant
+tty fields before instancing the new line discipline.
+
+[1]
+ commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
+ Author: Tilman Schmidt <tilman@imap.cc>
+ Date: Tue Jul 14 00:37:13 2015 +0200
+
+ isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
+
+[2] Report from Sasha Levin <sasha.levin@oracle.com>
+ [ 634.336761] ==================================================================
+ [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
+ [ 634.339558] Read of size 4 by task syzkaller_execu/8981
+ [ 634.340359] =============================================================================
+ [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
+ ...
+ [ 634.405018] Call Trace:
+ [ 634.405277] dump_stack (lib/dump_stack.c:52)
+ [ 634.405775] print_trailer (mm/slub.c:655)
+ [ 634.406361] object_err (mm/slub.c:662)
+ [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
+ [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
+ [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
+ [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
+ [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
+ [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
+ [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
+ [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
+ [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
+
+Cc: Tilman Schmidt <tilman@imap.cc>
+Cc: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/tty_ldisc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -414,6 +414,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
+ * they are not on hot paths so a little discipline won't do
+ * any harm.
+ *
++ * The line discipline-related tty_struct fields are reset to
++ * prevent the ldisc driver from re-using stale information for
++ * the new ldisc instance.
++ *
+ * Locking: takes termios_rwsem
+ */
+
+@@ -422,6 +426,9 @@ static void tty_set_termios_ldisc(struct
+ down_write(&tty->termios_rwsem);
+ tty->termios.c_line = num;
+ up_write(&tty->termios_rwsem);
++
++ tty->disc_data = NULL;
++ tty->receive_room = 0;
+ }
+
+ /**
--- /dev/null
+From bec444cd1c94c48df409a35ad4e5b143c245c3f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:28 +0200
+Subject: USB: hub: fix non-SS hub-descriptor handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream.
+
+Add missing sanity check on the non-SuperSpeed hub-descriptor length in
+order to avoid parsing and leaking two bytes of uninitialised slab data
+through sysfs removable-attributes (or a compound-device debug
+statement).
+
+Note that we only make sure that the DeviceRemovable field is always
+present (and specifically ignore the unused PortPwrCtrlMask field) in
+order to continue support any hubs with non-compliant descriptors. As a
+further safeguard, the descriptor buffer is also cleared.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -359,7 +359,8 @@ static void usb_set_lpm_parameters(struc
+ }
+
+ /* USB 2.0 spec Section 11.24.4.5 */
+-static int get_hub_descriptor(struct usb_device *hdev, void *data)
++static int get_hub_descriptor(struct usb_device *hdev,
++ struct usb_hub_descriptor *desc)
+ {
+ int i, ret, size;
+ unsigned dtype;
+@@ -375,12 +376,16 @@ static int get_hub_descriptor(struct usb
+ for (i = 0; i < 3; i++) {
+ ret = usb_control_msg(hdev, usb_rcvctrlpipe(hdev, 0),
+ USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
+- dtype << 8, 0, data, size,
++ dtype << 8, 0, desc, size,
+ USB_CTRL_GET_TIMEOUT);
+ if (hub_is_superspeed(hdev)) {
+ if (ret == size)
+ return ret;
+- } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
++ } else if (ret >= USB_DT_HUB_NONVAR_SIZE + 2) {
++ /* Make sure we have the DeviceRemovable field. */
++ size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1;
++ if (ret < size)
++ return -EMSGSIZE;
+ return ret;
+ }
+ }
+@@ -1327,7 +1332,7 @@ static int hub_configure(struct usb_hub
+ }
+ mutex_init(&hub->status_mutex);
+
+- hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL);
++ hub->descriptor = kzalloc(sizeof(*hub->descriptor), GFP_KERNEL);
+ if (!hub->descriptor) {
+ ret = -ENOMEM;
+ goto fail;
--- /dev/null
+From 2c25a2c818023df64463aac3288a9f969491e507 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 10 May 2017 18:18:27 +0200
+Subject: USB: hub: fix SS hub-descriptor handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2c25a2c818023df64463aac3288a9f969491e507 upstream.
+
+A SuperSpeed hub descriptor does not have any variable-length fields so
+bail out when reading a short descriptor.
+
+This avoids parsing and leaking two bytes of uninitialised slab data
+through sysfs removable-attributes.
+
+Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
+Cc: John Youn <John.Youn@synopsys.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -377,8 +377,12 @@ static int get_hub_descriptor(struct usb
+ USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
+ dtype << 8, 0, data, size,
+ USB_CTRL_GET_TIMEOUT);
+- if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2))
++ if (hub_is_superspeed(hdev)) {
++ if (ret == size)
++ return ret;
++ } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
+ return ret;
++ }
+ }
+ return -EINVAL;
+ }
+@@ -1331,7 +1335,7 @@ static int hub_configure(struct usb_hub
+
+ /* Request the entire hub descriptor.
+ * hub->descriptor can handle USB_MAXCHILDREN ports,
+- * but the hub can/will return fewer bytes here.
++ * but a (non-SS) hub can/will return fewer bytes here.
+ */
+ ret = get_hub_descriptor(hdev, hub->descriptor);
+ if (ret < 0) {
--- /dev/null
+From dd5ca753fa92fb736b1395db892bd29f78e6d408 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 11 May 2017 11:36:02 +0200
+Subject: USB: iowarrior: fix info ioctl on big-endian hosts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit dd5ca753fa92fb736b1395db892bd29f78e6d408 upstream.
+
+Drop erroneous le16_to_cpu when returning the USB device speed which is
+already in host byte order.
+
+Found using sparse:
+
+ warning: cast to restricted __le16
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -557,7 +557,7 @@ static long iowarrior_ioctl(struct file
+ info.revision = le16_to_cpu(dev->udev->descriptor.bcdDevice);
+
+ /* 0==UNKNOWN, 1==LOW(usb1.1) ,2=FULL(usb1.1), 3=HIGH(usb2.0) */
+- info.speed = le16_to_cpu(dev->udev->speed);
++ info.speed = dev->udev->speed;
+ info.if_num = dev->interface->cur_altsetting->desc.bInterfaceNumber;
+ info.report_size = dev->report_size;
+
--- /dev/null
+From 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Date: Wed, 17 May 2017 11:23:11 -0500
+Subject: usb: musb: tusb6010_omap: Do not reset the other direction's packet size
+
+From: Peter Ujfalusi <peter.ujfalusi@ti.com>
+
+commit 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 upstream.
+
+We have one register for each EP to set the maximum packet size for both
+TX and RX.
+If for example an RX programming would happen before the previous TX
+transfer finishes we would reset the TX packet side.
+
+To fix this issue, only modify the TX or RX part of the register.
+
+Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
+Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
+Tested-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/tusb6010_omap.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/tusb6010_omap.c
++++ b/drivers/usb/musb/tusb6010_omap.c
+@@ -220,6 +220,7 @@ static int tusb_omap_dma_program(struct
+ u32 dma_remaining;
+ int src_burst, dst_burst;
+ u16 csr;
++ u32 psize;
+ int ch;
+ s8 dmareq;
+ s8 sync_dev;
+@@ -391,15 +392,19 @@ static int tusb_omap_dma_program(struct
+
+ if (chdat->tx) {
+ /* Send transfer_packet_sz packets at a time */
+- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
+- chdat->transfer_packet_sz);
++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
++ psize &= ~0x7ff;
++ psize |= chdat->transfer_packet_sz;
++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);
+
+ musb_writel(ep_conf, TUSB_EP_TX_OFFSET,
+ TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));
+ } else {
+ /* Receive transfer_packet_sz packets at a time */
+- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
+- chdat->transfer_packet_sz << 16);
++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
++ psize &= ~(0x7ff << 16);
++ psize |= (chdat->transfer_packet_sz << 16);
++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);
+
+ musb_writel(ep_conf, TUSB_EP_RX_OFFSET,
+ TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));
--- /dev/null
+From 6aeb75e6adfaed16e58780309613a578fe1ee90b Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 11 May 2017 11:41:21 +0200
+Subject: USB: serial: io_ti: fix div-by-zero in set_termios
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 6aeb75e6adfaed16e58780309613a578fe1ee90b upstream.
+
+Fix a division-by-zero in set_termios when debugging is enabled and a
+high-enough speed has been requested so that the divisor value becomes
+zero.
+
+Instead of just fixing the offending debug statement, cap the baud rate
+at the base as a zero divisor value also appears to crash the firmware.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/io_ti.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -2210,8 +2210,11 @@ static void change_port_settings(struct
+ if (!baud) {
+ /* pick a default, any default... */
+ baud = 9600;
+- } else
++ } else {
++ /* Avoid a zero divisor. */
++ baud = min(baud, 461550);
+ tty_encode_baud_rate(tty, baud, baud);
++ }
+
+ edge_port->baud_rate = baud;
+ config->wBaudRate = (__u16)((461550L + baud/2) / baud);
--- /dev/null
+From 26cede343656c0bc2c33cdc783771282405c7fb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 11 May 2017 11:41:20 +0200
+Subject: USB: serial: mct_u232: fix big-endian baud-rate handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 26cede343656c0bc2c33cdc783771282405c7fb2 upstream.
+
+Drop erroneous cpu_to_le32 when setting the baud rate, something which
+corrupted the divisor on big-endian hosts.
+
+Found using sparse:
+
+ warning: incorrect type in argument 1 (different base types)
+ expected unsigned int [unsigned] [usertype] val
+ got restricted __le32 [usertype] <noident>
+
+Fixes: af2ac1a091bc ("USB: serial mct_usb232: move DMA buffers to heap")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Acked-By: Pete Zaitcev <zaitcev@yahoo.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mct_u232.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -189,7 +189,7 @@ static int mct_u232_set_baud_rate(struct
+ return -ENOMEM;
+
+ divisor = mct_u232_calculate_baud_rate(serial, value, &speed);
+- put_unaligned_le32(cpu_to_le32(divisor), buf);
++ put_unaligned_le32(divisor, buf);
+ rc = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+ MCT_U232_SET_BAUD_RATE_REQUEST,
+ MCT_U232_SET_REQUEST_TYPE,
--- /dev/null
+From 40dd46048c155b8f0683f468c950a1c107f77a7c Mon Sep 17 00:00:00 2001
+From: Daniele Palmas <dnlplm@gmail.com>
+Date: Wed, 3 May 2017 10:28:54 +0200
+Subject: usb: serial: option: add Telit ME910 support
+
+From: Daniele Palmas <dnlplm@gmail.com>
+
+commit 40dd46048c155b8f0683f468c950a1c107f77a7c upstream.
+
+This patch adds support for Telit ME910 PID 0x1100.
+
+Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -275,6 +275,7 @@ static void option_instat_callback(struc
+ #define TELIT_PRODUCT_LE922_USBCFG0 0x1042
+ #define TELIT_PRODUCT_LE922_USBCFG3 0x1043
+ #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
++#define TELIT_PRODUCT_ME910 0x1100
+ #define TELIT_PRODUCT_LE920 0x1200
+ #define TELIT_PRODUCT_LE910 0x1201
+ #define TELIT_PRODUCT_LE910_USBCFG4 0x1206
+@@ -637,6 +638,11 @@ static const struct option_blacklist_inf
+ .reserved = BIT(5) | BIT(6),
+ };
+
++static const struct option_blacklist_info telit_me910_blacklist = {
++ .sendsetup = BIT(0),
++ .reserved = BIT(1) | BIT(3),
++};
++
+ static const struct option_blacklist_info telit_le910_blacklist = {
+ .sendsetup = BIT(0),
+ .reserved = BIT(1) | BIT(2),
+@@ -1233,6 +1239,8 @@ static const struct usb_device_id option
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
++ .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+ .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
--- /dev/null
+From 8d7a10dd323993cc40bd37bce8bc570133b0c396 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Wed, 17 May 2017 16:30:50 +0200
+Subject: USB: serial: qcserial: add more Lenovo EM74xx device IDs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 8d7a10dd323993cc40bd37bce8bc570133b0c396 upstream.
+
+In their infinite wisdom, and never ending quest for end user frustration,
+Lenovo has decided to use new USB device IDs for the wwan modules in
+their 2017 laptops. The actual hardware is still the Sierra Wireless
+EM7455 or EM7430, depending on region.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -156,6 +156,8 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */
+ {DEVICE_SWI(0x1199, 0x9078)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x1199, 0x9079)}, /* Sierra Wireless EM74xx */
++ {DEVICE_SWI(0x1199, 0x907a)}, /* Sierra Wireless EM74xx QDL */
++ {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
--- /dev/null
+From eacb975b48272f54532b62f515a3cf7eefa35123 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:55 -0300
+Subject: [media] usbvision: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
+modification")
+
+Cc: Thierry MERLE <thierry.merle@free.fr>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1583,7 +1583,14 @@ static int usbvision_probe(struct usb_in
+ }
+
+ for (i = 0; i < usbvision->num_alt; i++) {
+- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
++ u16 tmp;
++
++ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
++ ret = -ENODEV;
++ goto err_pkt;
++ }
++
++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ wMaxPacketSize);
+ usbvision->alt_max_pkt_size[i] =
+ (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
projects / thirdparty / kernel / stable-queue.git / commitdiff
