3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 May 2017 10:37:00 +0000 (12:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 May 2017 10:37:00 +0000 (12:37 +0200)
added patches:
staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
target-fileio-fix-zero-length-read-and-write-handling.patch
usb-host-xhci-print-correct-command-ring-address.patch
usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
usb-misc-add-missing-continue-in-switch.patch
usb-misc-legousbtower-fix-buffers-on-stack.patch
usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch

13 files changed:
queue-3.18/series
queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch [new file with mode: 0644]
queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch [new file with mode: 0644]
queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch [new file with mode: 0644]
queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch [new file with mode: 0644]
queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch [new file with mode: 0644]
queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch [new file with mode: 0644]
queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch [new file with mode: 0644]
queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch [new file with mode: 0644]
queue-3.18/usb-misc-add-missing-continue-in-switch.patch [new file with mode: 0644]
queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch [new file with mode: 0644]
queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch [new file with mode: 0644]
queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch [new file with mode: 0644]

index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..72a304988eaf5c60de5509a6abd6ee4ee71a19ee 100644 (file)
@@ -0,0 +1,12 @@
+target-fileio-fix-zero-length-read-and-write-handling.patch
+usb-host-xhci-print-correct-command-ring-address.patch
+usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
+usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
+staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
+staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
+staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
+staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
+staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
+usb-misc-add-missing-continue-in-switch.patch
+usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
+usb-misc-legousbtower-fix-buffers-on-stack.patch
diff --git a/queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch b/queue-3.18/staging-comedi-jr3_pci-cope-with-jiffies-wraparound.patch
new file mode 100644 (file)
index 0000000..a2837f4
--- /dev/null
@@ -0,0 +1,34 @@
+From 8ec04a491825e08068e92bed0bba7821893b6433 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 17 Feb 2017 11:09:09 +0000
+Subject: staging: comedi: jr3_pci: cope with jiffies wraparound
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 8ec04a491825e08068e92bed0bba7821893b6433 upstream.
+
+The timer expiry routine `jr3_pci_poll_dev()` checks for expiry by
+checking whether the absolute value of `jiffies` (stored in local
+variable `now`) is greater than the expected expiry time in jiffy units.
+This will fail when `jiffies` wraps around.  Also, it seems to make
+sense to handle the expiry one jiffy earlier than the current test.  Use
+`time_after_eq()` to check for expiry.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -611,7 +611,7 @@ static void jr3_pci_poll_dev(unsigned lo
+               s = &dev->subdevices[i];
+               spriv = s->private;
+-              if (now > spriv->next_time_min) {
++              if (time_after_eq(now, spriv->next_time_min)) {
+                       struct jr3_pci_poll_delay sub_delay;
+                       sub_delay = jr3_pci_poll_subdevice(s);
diff --git a/queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch b/queue-3.18/staging-comedi-jr3_pci-fix-possible-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..4f00f0c
--- /dev/null
@@ -0,0 +1,51 @@
+From 45292be0b3db0b7f8286683b376e2d9f949d11f9 Mon Sep 17 00:00:00 2001
+From: Ian Abbott <abbotti@mev.co.uk>
+Date: Fri, 17 Feb 2017 11:09:08 +0000
+Subject: staging: comedi: jr3_pci: fix possible null pointer dereference
+
+From: Ian Abbott <abbotti@mev.co.uk>
+
+commit 45292be0b3db0b7f8286683b376e2d9f949d11f9 upstream.
+
+For some reason, the driver does not consider allocation of the
+subdevice private data to be a fatal error when attaching the COMEDI
+device.  It tests the subdevice private data pointer for validity at
+certain points, but omits some crucial tests.  In particular,
+`jr3_pci_auto_attach()` calls `jr3_pci_alloc_spriv()` to allocate and
+initialize the subdevice private data, but the same function
+subsequently dereferences the pointer to access the `next_time_min` and
+`next_time_max` members without checking it first.  The other missing
+test is in the timer expiry routine `jr3_pci_poll_dev()`, but it will
+crash before it gets that far.
+
+Fix the bug by returning `-ENOMEM` from `jr3_pci_auto_attach()` as soon
+as one of the calls to `jr3_pci_alloc_spriv()` returns `NULL`.  The
+COMEDI core will subsequently call `jr3_pci_detach()` to clean up.
+
+Signed-off-by: Ian Abbott <abbotti@mev.co.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/comedi/drivers/jr3_pci.c |   11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/jr3_pci.c
++++ b/drivers/staging/comedi/drivers/jr3_pci.c
+@@ -729,11 +729,12 @@ static int jr3_pci_auto_attach(struct co
+               s->insn_read    = jr3_pci_ai_insn_read;
+               spriv = jr3_pci_alloc_spriv(dev, s);
+-              if (spriv) {
+-                      /* Channel specific range and maxdata */
+-                      s->range_table_list     = spriv->range_table_list;
+-                      s->maxdata_list         = spriv->maxdata_list;
+-              }
++              if (!spriv)
++                      return -ENOMEM;
++
++              /* Channel specific range and maxdata */
++              s->range_table_list     = spriv->range_table_list;
++              s->maxdata_list         = spriv->maxdata_list;
+       }
+       /*  Reset DSP card */
diff --git a/queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch b/queue-3.18/staging-gdm724x-gdm_mux-fix-use-after-free-on-module-unload.patch
new file mode 100644 (file)
index 0000000..8e9f64e
--- /dev/null
@@ -0,0 +1,40 @@
+From b58f45c8fc301fe83ee28cad3e64686c19e78f1c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 26 Apr 2017 12:23:04 +0200
+Subject: staging: gdm724x: gdm_mux: fix use-after-free on module unload
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b58f45c8fc301fe83ee28cad3e64686c19e78f1c upstream.
+
+Make sure to deregister the USB driver before releasing the tty driver
+to avoid use-after-free in the USB disconnect callback where the tty
+devices are deregistered.
+
+Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
+Cc: Won Kang <wkang77@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/gdm724x/gdm_mux.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/staging/gdm724x/gdm_mux.c
++++ b/drivers/staging/gdm724x/gdm_mux.c
+@@ -674,14 +674,13 @@ static int __init gdm_usb_mux_init(void)
+ static void __exit gdm_usb_mux_exit(void)
+ {
+-      unregister_lte_tty_driver();
+-
+       if (mux_rx_wq) {
+               flush_workqueue(mux_rx_wq);
+               destroy_workqueue(mux_rx_wq);
+       }
+       usb_deregister(&gdm_mux_driver);
++      unregister_lte_tty_driver();
+ }
+ module_init(gdm_usb_mux_init);
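Review bot: In `gdm_usb_mux_exit()` the workqueue `mux_rx_wq` is still flushed and destroyed before `usb_deregister(&gdm_mux_driver)`, so the ordering problem this patch fixes for the tty driver may remain for the workqueue. If the receive completion path or the disconnect callback can still queue work on `mux_rx_wq` while the driver is registered (not visible in this hunk), that work would target a workqueue that has already been destroyed. Consider calling `usb_deregister(&gdm_mux_driver);` first, then the `flush_workqueue()`/`destroy_workqueue()` pair, and `unregister_lte_tty_driver();` last.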
diff --git a/queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch b/queue-3.18/staging-vt6656-use-off-stack-for-in-buffer-usb-transfers.patch
new file mode 100644 (file)
index 0000000..016e036
--- /dev/null
@@ -0,0 +1,54 @@
+From 05c0cf88bec588a7cb34de569acd871ceef26760 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Sat, 22 Apr 2017 11:14:58 +0100
+Subject: staging: vt6656: use off stack for in buffer USB transfers.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 05c0cf88bec588a7cb34de569acd871ceef26760 upstream.
+
+Since 4.9 mandated USB buffers to be heap allocated. This causes
+the driver to fail.
+
+Create buffer for USB transfers.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/usbpipe.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/usbpipe.c
++++ b/drivers/staging/vt6656/usbpipe.c
+@@ -78,15 +78,28 @@ int vnt_control_in(struct vnt_private *p
+               u16 index, u16 length, u8 *buffer)
+ {
+       int status;
++      u8 *usb_buffer;
+       if (test_bit(DEVICE_FLAGS_DISCONNECTED, &priv->flags))
+               return STATUS_FAILURE;
+       mutex_lock(&priv->usb_lock);
++      usb_buffer = kmalloc(length, GFP_KERNEL);
++      if (!usb_buffer) {
++              mutex_unlock(&priv->usb_lock);
++              return -ENOMEM;
++      }
++
+       status = usb_control_msg(priv->usb,
+-              usb_rcvctrlpipe(priv->usb, 0), request, 0xc0, value,
+-                      index, buffer, length, USB_CTL_WAIT);
++                               usb_rcvctrlpipe(priv->usb, 0),
++                               request, 0xc0, value,
++                               index, usb_buffer, length, USB_CTL_WAIT);
++
++      if (status == length)
++              memcpy(buffer, usb_buffer, length);
++
++      kfree(usb_buffer);
+       mutex_unlock(&priv->usb_lock);
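Review bot: In `vnt_control_in()` the caller's `buffer` is written only when `status == length`, so after a short or failed transfer it still holds whatever the caller had there. Every caller must check the return value before reading it, and a comment above the `memcpy()` such as `/* buffer is left untouched unless the full length was read */` would make that contract explicit. The new `return -ENOMEM;` also sits beside the existing `return STATUS_FAILURE;`, giving callers two failure conventions; the same applies to `vnt_control_out()` in the companion out-buffer patch. Allocating before `mutex_lock(&priv->usb_lock)` would remove the extra unlock from the error path in both functions. The end of the function, where the final status is derived, lies outside the hunk.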
diff --git a/queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch b/queue-3.18/staging-vt6656-use-off-stack-for-out-buffer-usb-transfers.patch
new file mode 100644 (file)
index 0000000..dce2865
--- /dev/null
@@ -0,0 +1,52 @@
+From 12ecd24ef93277e4e5feaf27b0b18f2d3828bc5e Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Sat, 22 Apr 2017 11:14:57 +0100
+Subject: staging: vt6656: use off stack for out buffer USB transfers.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 12ecd24ef93277e4e5feaf27b0b18f2d3828bc5e upstream.
+
+Since 4.9 mandated USB buffers be heap allocated this causes the driver
+to fail.
+
+Since there is a wide range of buffer sizes use kmemdup to create
+allocated buffer.
+
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/usbpipe.c |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/usbpipe.c
++++ b/drivers/staging/vt6656/usbpipe.c
+@@ -50,15 +50,25 @@ int vnt_control_out(struct vnt_private *
+               u16 index, u16 length, u8 *buffer)
+ {
+       int status = 0;
++      u8 *usb_buffer;
+       if (test_bit(DEVICE_FLAGS_DISCONNECTED, &priv->flags))
+               return STATUS_FAILURE;
+       mutex_lock(&priv->usb_lock);
++      usb_buffer = kmemdup(buffer, length, GFP_KERNEL);
++      if (!usb_buffer) {
++              mutex_unlock(&priv->usb_lock);
++              return -ENOMEM;
++      }
++
+       status = usb_control_msg(priv->usb,
+-              usb_sndctrlpipe(priv->usb, 0), request, 0x40, value,
+-                      index, buffer, length, USB_CTL_WAIT);
++                               usb_sndctrlpipe(priv->usb, 0),
++                               request, 0x40, value,
++                               index, usb_buffer, length, USB_CTL_WAIT);
++
++      kfree(usb_buffer);
+       mutex_unlock(&priv->usb_lock);
diff --git a/queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch b/queue-3.18/target-fileio-fix-zero-length-read-and-write-handling.patch
new file mode 100644 (file)
index 0000000..4a73cc7
--- /dev/null
@@ -0,0 +1,50 @@
+From 59ac9c078141b8fd0186c0b18660a1b2c24e724e Mon Sep 17 00:00:00 2001
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+Date: Thu, 4 May 2017 15:50:47 -0700
+Subject: target/fileio: Fix zero-length READ and WRITE handling
+
+From: Bart Van Assche <bart.vanassche@sandisk.com>
+
+commit 59ac9c078141b8fd0186c0b18660a1b2c24e724e upstream.
+
+This patch fixes zero-length READ and WRITE handling in target/FILEIO,
+which was broken a long time back by:
+
+Since:
+
+  commit d81cb44726f050d7cf1be4afd9cb45d153b52066
+  Author: Paolo Bonzini <pbonzini@redhat.com>
+  Date:   Mon Sep 17 16:36:11 2012 -0700
+
+      target: go through normal processing for all zero-length commands
+
+which moved zero-length READ and WRITE completion out of target-core,
+to doing submission into backend driver code.
+
+To address this, go ahead and invoke target_complete_cmd() for any
+non negative return value in fd_do_rw().
+
+Signed-off-by: Bart Van Assche <bart.vanassche@sandisk.com>
+Reviewed-by: Hannes Reinecke <hare@suse.com>
+Reviewed-by: Christoph Hellwig <hch@lst.de>
+Cc: Andy Grover <agrover@redhat.com>
+Cc: David Disseldorp <ddiss@suse.de>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/target_core_file.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/target/target_core_file.c
++++ b/drivers/target/target_core_file.c
+@@ -760,8 +760,7 @@ fd_execute_rw(struct se_cmd *cmd, struct
+               return TCM_LOGICAL_UNIT_COMMUNICATION_FAILURE;
+       }
+-      if (ret)
+-              target_complete_cmd(cmd, SAM_STAT_GOOD);
++      target_complete_cmd(cmd, SAM_STAT_GOOD);
+       return 0;
+ }
diff --git a/queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch b/queue-3.18/usb-host-xhci-print-correct-command-ring-address.patch
new file mode 100644 (file)
index 0000000..25178ba
--- /dev/null
@@ -0,0 +1,30 @@
+From 6fc091fb0459ade939a795bfdcaf645385b951d4 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Wed, 19 Apr 2017 16:55:52 +0300
+Subject: usb: host: xhci: print correct command ring address
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit 6fc091fb0459ade939a795bfdcaf645385b951d4 upstream.
+
+Print correct command ring address using 'val_64'.
+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -2428,7 +2428,7 @@ int xhci_mem_init(struct xhci_hcd *xhci,
+               (xhci->cmd_ring->first_seg->dma & (u64) ~CMD_RING_RSVD_BITS) |
+               xhci->cmd_ring->cycle_state;
+       xhci_dbg_trace(xhci, trace_xhci_dbg_init,
+-                      "// Setting command ring address to 0x%x", val);
++                      "// Setting command ring address to 0x%016llx", val_64);
+       xhci_write_64(xhci, val_64, &xhci->op_regs->cmd_ring);
+       xhci_dbg_cmd_ptrs(xhci);
diff --git a/queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch b/queue-3.18/usb-hub-do-not-attempt-to-autosuspend-disconnected-devices.patch
new file mode 100644 (file)
index 0000000..7e71a77
--- /dev/null
@@ -0,0 +1,103 @@
+From f5cccf49428447dfbc9edb7a04bb8fc316269781 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 20 Mar 2017 14:30:50 -0700
+Subject: usb: hub: Do not attempt to autosuspend disconnected devices
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit f5cccf49428447dfbc9edb7a04bb8fc316269781 upstream.
+
+While running a bind/unbind stress test with the dwc3 usb driver on rk3399,
+the following crash was observed.
+
+Unable to handle kernel NULL pointer dereference at virtual address 00000218
+pgd = ffffffc00165f000
+[00000218] *pgd=000000000174f003, *pud=000000000174f003,
+                               *pmd=0000000001750003, *pte=00e8000001751713
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac
+ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_nat_ipv4 nf_nat rfcomm
+xt_mark fuse bridge stp llc zram btusb btrtl btbcm btintel bluetooth
+ip6table_filter mwifiex_pcie mwifiex cfg80211 cdc_ether usbnet r8152 mii joydev
+snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device ppp_async
+ppp_generic slhc tun
+CPU: 1 PID: 29814 Comm: kworker/1:1 Not tainted 4.4.52 #507
+Hardware name: Google Kevin (DT)
+Workqueue: pm pm_runtime_work
+task: ffffffc0ac540000 ti: ffffffc0af4d4000 task.ti: ffffffc0af4d4000
+PC is at autosuspend_check+0x74/0x174
+LR is at autosuspend_check+0x70/0x174
+...
+Call trace:
+[<ffffffc00080dcc0>] autosuspend_check+0x74/0x174
+[<ffffffc000810500>] usb_runtime_idle+0x20/0x40
+[<ffffffc000785ae0>] __rpm_callback+0x48/0x7c
+[<ffffffc000786af0>] rpm_idle+0x1e8/0x498
+[<ffffffc000787cdc>] pm_runtime_work+0x88/0xcc
+[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
+[<ffffffc00024abcc>] worker_thread+0x480/0x610
+[<ffffffc000251a80>] kthread+0x164/0x178
+[<ffffffc0002045d0>] ret_from_fork+0x10/0x40
+
+Source:
+
+(gdb) l *0xffffffc00080dcc0
+0xffffffc00080dcc0 is in autosuspend_check
+(drivers/usb/core/driver.c:1778).
+1773           /* We don't need to check interfaces that are
+1774            * disabled for runtime PM.  Either they are unbound
+1775            * or else their drivers don't support autosuspend
+1776            * and so they are permanently active.
+1777            */
+1778           if (intf->dev.power.disable_depth)
+1779                   continue;
+1780           if (atomic_read(&intf->dev.power.usage_count) > 0)
+1781                   return -EBUSY;
+1782           w |= intf->needs_remote_wakeup;
+
+Code analysis shows that intf is set to NULL in usb_disable_device() prior
+to setting actconfig to NULL. At the same time, usb_runtime_idle() does not
+lock the usb device, and neither does any of the functions in the
+traceback. This means that there is no protection against a race condition
+where usb_disable_device() is removing dev->actconfig->interface[] pointers
+while those are being accessed from autosuspend_check().
+
+To solve the problem, synchronize and validate device state between
+autosuspend_check() and usb_disconnect().
+
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c |    3 +++
+ drivers/usb/core/hub.c    |    6 ++++++
+ 2 files changed, 9 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -1757,6 +1757,9 @@ static int autosuspend_check(struct usb_
+       int                     w, i;
+       struct usb_interface    *intf;
++      if (udev->state == USB_STATE_NOTATTACHED)
++              return -ENODEV;
++
+       /* Fail if autosuspend is disabled, or any interfaces are in use, or
+        * any interface drivers require remote wakeup but it isn't available.
+        */
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -2100,6 +2100,12 @@ void usb_disconnect(struct usb_device **
+       dev_info(&udev->dev, "USB disconnect, device number %d\n",
+                       udev->devnum);
++      /*
++       * Ensure that the pm runtime code knows that the USB device
++       * is in the process of being disconnected.
++       */
++      pm_runtime_barrier(&udev->dev);
++
+       usb_lock_device(udev);
+       hub_disconnect_children(udev);
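Review bot: The `udev->state == USB_STATE_NOTATTACHED` test added to `autosuspend_check()` has no comment and is read without the device lock, so its correctness depends on the `pm_runtime_barrier(&udev->dev)` added in `usb_disconnect()`. I would add `/* Device is being disconnected; its interface pointers may already be NULL */` above the test so the pairing is not lost in later edits. The check presumably also relies on the state being set to NOTATTACHED before the barrier runs; that happens outside the visible hunk and is worth confirming for the 3.18 tree. Both functions continue beyond the hunks.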
diff --git a/queue-3.18/usb-misc-add-missing-continue-in-switch.patch b/queue-3.18/usb-misc-add-missing-continue-in-switch.patch
new file mode 100644 (file)
index 0000000..a8841b9
--- /dev/null
@@ -0,0 +1,30 @@
+From 2c930e3d0aed1505e86e0928d323df5027817740 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <garsilva@embeddedor.com>
+Date: Mon, 3 Apr 2017 22:48:40 -0500
+Subject: usb: misc: add missing continue in switch
+
+From: Gustavo A. R. Silva <garsilva@embeddedor.com>
+
+commit 2c930e3d0aed1505e86e0928d323df5027817740 upstream.
+
+Add missing continue in switch.
+
+Addresses-Coverity-ID: 1248733
+Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/usbtest.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/usbtest.c
++++ b/drivers/usb/misc/usbtest.c
+@@ -133,6 +133,7 @@ get_endpoints(struct usbtest_dev *dev, s
+                       case USB_ENDPOINT_XFER_INT:
+                               if (dev->info->intr)
+                                       goto try_intr;
++                              continue;
+                       case USB_ENDPOINT_XFER_ISOC:
+                               if (dev->info->iso)
+                                       goto try_iso;
diff --git a/queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch b/queue-3.18/usb-misc-legousbtower-fix-buffers-on-stack.patch
new file mode 100644 (file)
index 0000000..1aee5fd
--- /dev/null
@@ -0,0 +1,115 @@
+From 942a48730faf149ccbf3e12ac718aee120bb3529 Mon Sep 17 00:00:00 2001
+From: Maksim Salau <maksim.salau@gmail.com>
+Date: Tue, 25 Apr 2017 22:49:21 +0300
+Subject: usb: misc: legousbtower: Fix buffers on stack
+
+From: Maksim Salau <maksim.salau@gmail.com>
+
+commit 942a48730faf149ccbf3e12ac718aee120bb3529 upstream.
+
+Allocate buffers on HEAP instead of STACK for local structures
+that are to be received using usb_control_msg().
+
+Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
+Tested-by: Alfredo Rafael Vicente Boix <alviboi@gmail.com>;
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c |   37 +++++++++++++++++++++++++++----------
+ 1 file changed, 27 insertions(+), 10 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -317,9 +317,16 @@ static int tower_open (struct inode *ino
+       int subminor;
+       int retval = 0;
+       struct usb_interface *interface;
+-      struct tower_reset_reply reset_reply;
++      struct tower_reset_reply *reset_reply;
+       int result;
++      reset_reply = kmalloc(sizeof(*reset_reply), GFP_KERNEL);
++
++      if (!reset_reply) {
++              retval = -ENOMEM;
++              goto exit;
++      }
++
+       nonseekable_open(inode, file);
+       subminor = iminor(inode);
+@@ -364,8 +371,8 @@ static int tower_open (struct inode *ino
+                                 USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+                                 0,
+                                 0,
+-                                &reset_reply,
+-                                sizeof(reset_reply),
++                                reset_reply,
++                                sizeof(*reset_reply),
+                                 1000);
+       if (result < 0) {
+               dev_err(&dev->udev->dev,
+@@ -406,6 +413,7 @@ unlock_exit:
+       mutex_unlock(&dev->lock);
+ exit:
++      kfree(reset_reply);
+       return retval;
+ }
+@@ -808,7 +816,7 @@ static int tower_probe (struct usb_inter
+       struct lego_usb_tower *dev = NULL;
+       struct usb_host_interface *iface_desc;
+       struct usb_endpoint_descriptor* endpoint;
+-      struct tower_get_version_reply get_version_reply;
++      struct tower_get_version_reply *get_version_reply = NULL;
+       int i;
+       int retval = -ENOMEM;
+       int result;
+@@ -916,6 +924,13 @@ static int tower_probe (struct usb_inter
+                "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
+                USB_MAJOR, dev->minor);
++      get_version_reply = kmalloc(sizeof(*get_version_reply), GFP_KERNEL);
++
++      if (!get_version_reply) {
++              retval = -ENOMEM;
++              goto error;
++      }
++
+       /* get the firmware version and log it */
+       result = usb_control_msg (udev,
+                                 usb_rcvctrlpipe(udev, 0),
+@@ -923,24 +938,26 @@ static int tower_probe (struct usb_inter
+                                 USB_TYPE_VENDOR | USB_DIR_IN | USB_RECIP_DEVICE,
+                                 0,
+                                 0,
+-                                &get_version_reply,
+-                                sizeof(get_version_reply),
++                                get_version_reply,
++                                sizeof(*get_version_reply),
+                                 1000);
+       if (result < 0) {
+               dev_err(idev, "LEGO USB Tower get version control request failed\n");
+               retval = result;
+               goto error;
+       }
+-      dev_info(&interface->dev, "LEGO USB Tower firmware version is %d.%d "
+-               "build %d\n", get_version_reply.major,
+-               get_version_reply.minor,
+-               le16_to_cpu(get_version_reply.build_no));
++      dev_info(&interface->dev,
++               "LEGO USB Tower firmware version is %d.%d build %d\n",
++               get_version_reply->major,
++               get_version_reply->minor,
++               le16_to_cpu(get_version_reply->build_no));
+ exit:
+       return retval;
+ error:
++      kfree(get_version_reply);
+       tower_delete(dev);
+       return retval;
+ }
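Review bot: `tower_probe()` leaks `get_version_reply` on the success path: after the final `dev_info()` call control falls into `exit:` and returns, while `kfree(get_version_reply)` was added only under `error:`. Because the pointer is initialised to NULL, the fix is one line directly after the `exit:` label, `kfree(get_version_reply);`, which is also safe for any jump to `exit` taken before the allocation. `tower_open()` in the same patch already does this by freeing `reset_reply` at its `exit:` label. The parts of `tower_probe()` between the hunks are not visible here.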
diff --git a/queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch b/queue-3.18/usb-proper-handling-of-race-condition-when-two-usb-class-drivers-try-to-call-init_usb_class-simultaneously.patch
new file mode 100644 (file)
index 0000000..f3d5881
--- /dev/null
@@ -0,0 +1,60 @@
+From 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb Mon Sep 17 00:00:00 2001
+From: Ajay Kaher <ajay.kaher@samsung.com>
+Date: Tue, 28 Mar 2017 08:09:32 -0400
+Subject: USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
+
+From: Ajay Kaher <ajay.kaher@samsung.com>
+
+commit 2f86a96be0ccb1302b7eee7855dbee5ce4dc5dfb upstream.
+
+There is race condition when two USB class drivers try to call
+init_usb_class at the same time and leads to crash.
+code path: probe->usb_register_dev->init_usb_class
+
+To solve this, mutex locking has been added in init_usb_class() and
+destroy_usb_class().
+
+As pointed by Alan, removed "if (usb_class)" test from destroy_usb_class()
+because usb_class can never be NULL there.
+
+Signed-off-by: Ajay Kaher <ajay.kaher@samsung.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/file.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/file.c
++++ b/drivers/usb/core/file.c
+@@ -26,6 +26,7 @@
+ #define MAX_USB_MINORS        256
+ static const struct file_operations *usb_minors[MAX_USB_MINORS];
+ static DECLARE_RWSEM(minor_rwsem);
++static DEFINE_MUTEX(init_usb_class_mutex);
+ static int usb_open(struct inode *inode, struct file *file)
+ {
+@@ -108,8 +109,9 @@ static void release_usb_class(struct kre
+ static void destroy_usb_class(void)
+ {
+-      if (usb_class)
+-              kref_put(&usb_class->kref, release_usb_class);
++      mutex_lock(&init_usb_class_mutex);
++      kref_put(&usb_class->kref, release_usb_class);
++      mutex_unlock(&init_usb_class_mutex);
+ }
+ int usb_major_init(void)
+@@ -171,7 +173,10 @@ int usb_register_dev(struct usb_interfac
+       if (intf->minor >= 0)
+               return -EADDRINUSE;
++      mutex_lock(&init_usb_class_mutex);
+       retval = init_usb_class();
++      mutex_unlock(&init_usb_class_mutex);
++
+       if (retval)
+               return retval;
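Review bot: `init_usb_class_mutex` is taken inside `destroy_usb_class()` but around the call to `init_usb_class()` in `usb_register_dev()`, so the locking rule is split between callee and caller and any other caller of `init_usb_class()` would run unprotected. Taking the mutex inside `init_usb_class()` itself, as the commit message describes, would keep it consistent; alternatively document the rule with `/* serialises creation and teardown of usb_class */` above `DEFINE_MUTEX(init_usb_class_mutex)`. With the `if (usb_class)` test removed, `destroy_usb_class()` now dereferences `usb_class` unconditionally, so a short comment stating that it is only called after a successful `init_usb_class()` would record that invariant. `init_usb_class()` itself is outside the hunks.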
diff --git a/queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch b/queue-3.18/usb-serial-ftdi_sio-add-device-id-for-microsemi-arrow-sf2plus-dev-kit.patch
new file mode 100644 (file)
index 0000000..ffb2f32
--- /dev/null
@@ -0,0 +1,51 @@
+From 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Tue, 18 Apr 2017 20:07:56 +0200
+Subject: USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
+
+From: Marek Vasut <marex@denx.de>
+
+commit 31c5d1922b90ddc1da6a6ddecef7cd31f17aa32b upstream.
+
+This development kit has an FT4232 on it with a custom USB VID/PID.
+The FT4232 provides four UARTs, but only two are used. The UART 0
+is used by the FlashPro5 programmer and UART 2 is connected to the
+SmartFusion2 CortexM3 SoC UART port.
+
+Note that the USB VID is registered to Actel according to Linux USB
+VID database, but that was acquired by Microsemi.
+
+Signed-off-by: Marek Vasut <marex@denx.de>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c     |    1 +
+ drivers/usb/serial/ftdi_sio_ids.h |    6 ++++++
+ 2 files changed, 7 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -873,6 +873,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE_AND_INTERFACE_INFO(MICROCHIP_VID, MICROCHIP_USB_BOARD_PID,
+                                       USB_CLASS_VENDOR_SPEC,
+                                       USB_SUBCLASS_VENDOR_SPEC, 0x00) },
++      { USB_DEVICE_INTERFACE_NUMBER(ACTEL_VID, MICROSEMI_ARROW_SF2PLUS_BOARD_PID, 2) },
+       { USB_DEVICE(JETI_VID, JETI_SPC1201_PID) },
+       { USB_DEVICE(MARVELL_VID, MARVELL_SHEEVAPLUG_PID),
+               .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk },
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -867,6 +867,12 @@
+ #define       FIC_VID                 0x1457
+ #define       FIC_NEO1973_DEBUG_PID   0x5118
++/*
++ * Actel / Microsemi
++ */
++#define ACTEL_VID                             0x1514
++#define MICROSEMI_ARROW_SF2PLUS_BOARD_PID     0x2008
++
+ /* Olimex */
+ #define OLIMEX_VID                    0x15BA
+ #define OLIMEX_ARM_USB_OCD_PID                0x0003