--- /dev/null
+From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 14 Mar 2017 12:09:56 +0100
+Subject: ACM gadget: fix endianness in notifications
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.
+
+The gadget code exports the bitfield for serial status changes
+over the wire in its internal endianness. The fix is to convert
+to little endian before sending it over the wire.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Tested-by: 家瑋 <momo1208@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_acm.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_acm.c
++++ b/drivers/usb/gadget/function/f_acm.c
+@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struc
+ {
+ struct usb_composite_dev *cdev = acm->port.func.config->cdev;
+ int status;
++ __le16 serial_state;
+
+ spin_lock(&acm->lock);
+ if (acm->notify_req) {
+ dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n",
+ acm->port_num, acm->serial_state);
++ serial_state = cpu_to_le16(acm->serial_state);
+ status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE,
+- 0, &acm->serial_state, sizeof(acm->serial_state));
++ 0, &serial_state, sizeof(acm->serial_state));
+ } else {
+ acm->pending = true;
+ status = 0;
--- /dev/null
+From f363a06642f28caaa78cb6446bbad90c73fe183c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Mar 2017 10:08:19 +0100
+Subject: ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream.
+
+In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit],
+I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while
+cthw20k2.c is OK). This patch fixes that obvious bug.
+
+(As a side note: although the original commit was completely wrong,
+ it's still working for most of machines, as it sets to 32bit DMA mask
+ in the end. So the bug severity is low.)
+
+Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ctxfi/cthw20k1.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ctxfi/cthw20k1.c
++++ b/sound/pci/ctxfi/cthw20k1.c
+@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw)
+ return err;
+
+ /* Set DMA transfer mask */
+- if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
++ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+ dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+ } else {
+ dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
--- /dev/null
+From 3f307834e695f59dac4337a40316bdecfb9d0508 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 23 Mar 2017 10:00:25 +0800
+Subject: ALSA: hda - Adding a group of pin definition to fix headset problem
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream.
+
+A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to
+fix the headset problem, and the pin definiton of this machine is not
+in the pin quirk table yet, now adding it to the table.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6040,6 +6040,8 @@ static const struct snd_hda_pin_quirk al
+ ALC295_STANDARD_PINS,
+ {0x17, 0x21014040},
+ {0x18, 0x21a19050}),
++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
++ ALC295_STANDARD_PINS),
+ SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+ ALC298_STANDARD_PINS,
+ {0x17, 0x90170110}),
--- /dev/null
+From c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Mar 2017 13:56:04 +0100
+Subject: ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream.
+
+When snd_seq_pool_done() is called, it marks the closing flag to
+refuse the further cell insertions. But snd_seq_pool_done() itself
+doesn't clear the cells but just waits until all cells are cleared by
+the caller side. That is, it's racy, and this leads to the endless
+stall as syzkaller spotted.
+
+This patch addresses the racy by splitting the setup of pool->closing
+flag out of snd_seq_pool_done(), and calling it properly before
+snd_seq_pool_done().
+
+BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com
+Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c | 1 +
+ sound/core/seq/seq_fifo.c | 3 +++
+ sound/core/seq/seq_memory.c | 17 +++++++++++++----
+ sound/core/seq/seq_memory.h | 1 +
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1921,6 +1921,7 @@ static int snd_seq_ioctl_set_client_pool
+ info.output_pool != client->pool->size)) {
+ if (snd_seq_write_pool_allocated(client)) {
+ /* remove all existing cells */
++ snd_seq_pool_mark_closing(client->pool);
+ snd_seq_queue_client_leave_cells(client->number);
+ snd_seq_pool_done(client->pool);
+ }
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_
+ return;
+ *fifo = NULL;
+
++ if (f->pool)
++ snd_seq_pool_mark_closing(f->pool);
++
+ snd_seq_fifo_clear(f);
+
+ /* wake up clients if any */
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_poo
+ return 0;
+ }
+
++/* refuse the further insertion to the pool */
++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool)
++{
++ unsigned long flags;
++
++ if (snd_BUG_ON(!pool))
++ return;
++ spin_lock_irqsave(&pool->lock, flags);
++ pool->closing = 1;
++ spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ /* remove events */
+ int snd_seq_pool_done(struct snd_seq_pool *pool)
+ {
+@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_poo
+ return -EINVAL;
+
+ /* wait for closing all threads */
+- spin_lock_irqsave(&pool->lock, flags);
+- pool->closing = 1;
+- spin_unlock_irqrestore(&pool->lock, flags);
+-
+ if (waitqueue_active(&pool->output_sleep))
+ wake_up(&pool->output_sleep);
+
+@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_p
+ *ppool = NULL;
+ if (pool == NULL)
+ return 0;
++ snd_seq_pool_mark_closing(pool);
+ snd_seq_pool_done(pool);
+ kfree(pool);
+ return 0;
+--- a/sound/core/seq/seq_memory.h
++++ b/sound/core/seq/seq_memory.h
+@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(st
+ int snd_seq_pool_init(struct snd_seq_pool *pool);
+
+ /* done pool - free events */
++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool);
+ int snd_seq_pool_done(struct snd_seq_pool *pool);
+
+ /* create pool */
--- /dev/null
+From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:35:12 -0700
+Subject: Input: cm109 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/cm109.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/cm109.c
++++ b/drivers/input/misc/cm109.c
+@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_in
+ int error = -ENOMEM;
+
+ interface = intf->cur_altsetting;
++
++ if (interface->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ endpoint = &interface->endpoint[0].desc;
+
+ if (!usb_endpoint_is_int_in(endpoint))
--- /dev/null
+From 92ef6f97a66e580189a41a132d0f8a9f78d6ddce Mon Sep 17 00:00:00 2001
+From: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+Date: Fri, 10 Mar 2017 14:33:09 -0800
+Subject: Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
+
+From: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+
+commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream.
+
+EeeBook X205TA is yet another ASUS device with a special touchpad
+firmware that needs to be accounted for during initialization, or
+else the touchpad will go into an invalid state upon suspend/resume.
+Adding the appropriate ic_type and product_id check fixes the problem.
+
+Signed-off-by: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+Acked-by: KT Liao <kt.liao@emc.com.tw>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -218,17 +218,19 @@ static int elan_query_product(struct ela
+
+ static int elan_check_ASUS_special_fw(struct elan_tp_data *data)
+ {
+- if (data->ic_type != 0x0E)
+- return false;
+-
+- switch (data->product_id) {
+- case 0x05 ... 0x07:
+- case 0x09:
+- case 0x13:
++ if (data->ic_type == 0x0E) {
++ switch (data->product_id) {
++ case 0x05 ... 0x07:
++ case 0x09:
++ case 0x13:
++ return true;
++ }
++ } else if (data->ic_type == 0x08 && data->product_id == 0x26) {
++ /* ASUS EeeBook X205TA */
+ return true;
+- default:
+- return false;
+ }
++
++ return false;
+ }
+
+ static int __elan_initialize(struct elan_tp_data *data)
--- /dev/null
+From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:39:29 -0700
+Subject: Input: hanwang - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ba340d7b83703768ce566f53f857543359aa1b98 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/hanwang.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/hanwang.c
++++ b/drivers/input/tablet/hanwang.c
+@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte
+ int error;
+ int i;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL);
+ input_dev = input_allocate_device();
+ if (!hanwang || !input_dev) {
--- /dev/null
+From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 7 Mar 2017 09:31:29 -0800
+Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
+
+The aux port does not get detected without noloop quirk, so external PS/2
+mouse cannot work as result.
+
+The PS/2 mouse can work with this quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1591053
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -120,6 +120,13 @@ static const struct dmi_system_id __init
+ },
+ },
+ {
++ /* Dell Embedded Box PC 3000 */
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
++ },
++ },
++ {
+ /* OQO Model 01 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
--- /dev/null
+From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:34:02 -0700
+Subject: Input: iforce - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/iforce/iforce-usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/iforce/iforce-usb.c
++++ b/drivers/input/joystick/iforce/iforce-usb.c
+@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i
+
+ interface = intf->cur_altsetting;
+
++ if (interface->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ epirq = &interface->endpoint[0].desc;
+ epout = &interface->endpoint[1].desc;
+
--- /dev/null
+From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:36:13 -0700
+Subject: Input: ims-pcu - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack control-interface endpoints.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/ims-pcu.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct
+ return -EINVAL;
+
+ alt = pcu->ctrl_intf->cur_altsetting;
++
++ if (alt->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ pcu->ep_ctrl = &alt->endpoint[0].desc;
+ pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
+
--- /dev/null
+From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:41:55 -0700
+Subject: Input: kbtab - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/kbtab.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/kbtab.c
++++ b/drivers/input/tablet/kbtab.c
+@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf
+ struct input_dev *input_dev;
+ int error = -ENOMEM;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
+ input_dev = input_allocate_device();
+ if (!kbtab || !input_dev)
--- /dev/null
+From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:43:09 -0700
+Subject: Input: sur40 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92461f5d723037530c1f36cce93640770037812c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -500,6 +500,9 @@ static int sur40_probe(struct usb_interf
+ if (iface_desc->desc.bInterfaceClass != 0xFF)
+ return -ENODEV;
+
++ if (iface_desc->desc.bNumEndpoints < 5)
++ return -ENODEV;
++
+ /* Use endpoint #4 (0x86). */
+ endpoint = &iface_desc->endpoint[4].desc;
+ if (endpoint->bEndpointAddress != TOUCH_ENDPOINT)
--- /dev/null
+From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:37:01 -0700
+Subject: Input: yealink - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/yealink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/yealink.c
++++ b/drivers/input/misc/yealink.c
+@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac
+ int ret, pipe, i;
+
+ interface = intf->cur_altsetting;
++
++ if (interface->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ endpoint = &interface->endpoint[0].desc;
+ if (!usb_endpoint_is_int_in(endpoint))
+ return -ENODEV;
--- /dev/null
+From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:40:22 +0100
+Subject: mmc: ushc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/ushc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/ushc.c
++++ b/drivers/mmc/host/ushc.c
+@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa
+ struct ushc_data *ushc;
+ int ret;
+
++ if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
+ if (mmc == NULL)
+ return -ENOMEM;
ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch
socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch
tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
+input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch
+input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
+input-iforce-validate-number-of-endpoints-before-using-them.patch
+input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
+input-hanwang-validate-number-of-endpoints-before-using-them.patch
+input-yealink-validate-number-of-endpoints-before-using-them.patch
+input-cm109-validate-number-of-endpoints-before-using-them.patch
+input-kbtab-validate-number-of-endpoints-before-using-them.patch
+input-sur40-validate-number-of-endpoints-before-using-them.patch
+alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch
+alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch
+alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch
+usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
+usb-serial-qcserial-add-dell-dw5811e.patch
+acm-gadget-fix-endianness-in-notifications.patch
+usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch
+usb-core-add-linear_frame_intr_binterval-usb-quirk.patch
+usb-uss720-fix-null-deref-at-probe.patch
+usb-lvtest-fix-null-deref-at-probe.patch
+usb-idmouse-fix-null-deref-at-probe.patch
+usb-wusbcore-fix-null-deref-at-probe.patch
+usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch
+usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch
+uwb-i1480-dfu-fix-null-deref-at-probe.patch
+uwb-hwa-rc-fix-null-deref-at-probe.patch
+mmc-ushc-fix-null-deref-at-probe.patch
--- /dev/null
+From 3243367b209faed5c320a4e5f9a565ee2a2ba958 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Mon, 13 Mar 2017 20:50:08 +0100
+Subject: usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream.
+
+Some USB 2.0 devices erroneously report millisecond values in
+bInterval. The generic config code manages to catch most of them,
+but in some cases it's not completely enough.
+
+The case at stake here is a USB 2.0 braille device, which wants to
+announce 10ms and thus sets bInterval to 10, but with the USB 2.0
+computation that yields to 64ms. It happens that one can type fast
+enough to reach this interval and get the device buffers overflown,
+leading to problematic latencies. The generic config code does not
+catch this case because the 64ms is considered a sane enough value.
+
+This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk
+to mark devices which actually report milliseconds in bInterval,
+and marks Vario Ultra devices as needing it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 10 ++++++++++
+ drivers/usb/core/quirks.c | 8 ++++++++
+ include/linux/usb/quirks.h | 6 ++++++
+ 3 files changed, 24 insertions(+)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -246,6 +246,16 @@ static int usb_parse_endpoint(struct dev
+
+ /*
+ * Adjust bInterval for quirked devices.
++ */
++ /*
++ * This quirk fixes bIntervals reported in ms.
++ */
++ if (to_usb_device(ddev)->quirks &
++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) {
++ n = clamp(fls(d->bInterval) + 3, i, j);
++ i = j = n;
++ }
++ /*
+ * This quirk fixes bIntervals reported in
+ * linear microframes.
+ */
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -170,6 +170,14 @@ static const struct usb_device_id usb_qu
+ /* M-Systems Flash Disk Pioneers */
+ { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* Baum Vario Ultra */
++ { USB_DEVICE(0x0904, 0x6101), .driver_info =
++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++ { USB_DEVICE(0x0904, 0x6102), .driver_info =
++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++ { USB_DEVICE(0x0904, 0x6103), .driver_info =
++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++
+ /* Keytouch QWERTY Panel keyboard */
+ { USB_DEVICE(0x0926, 0x3333), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -50,4 +50,10 @@
+ /* device can't handle Link Power Management */
+ #define USB_QUIRK_NO_LPM BIT(10)
+
++/*
++ * Device reports its bInterval as linear frames instead of the
++ * USB 2.0 calculation.
++ */
++#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
--- /dev/null
+From 09424c50b7dff40cb30011c09114404a4656e023 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 8 Mar 2017 16:05:43 +0200
+Subject: usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 09424c50b7dff40cb30011c09114404a4656e023 upstream.
+
+The streaming_maxburst module parameter is 0 offset (0..15)
+so we must add 1 while using it for wBytesPerInterval
+calculation for the SuperSpeed companion descriptor.
+
+Without this host uvcvideo driver will always see the wrong
+wBytesPerInterval for SuperSpeed uvc gadget and may not find
+a suitable video interface endpoint.
+e.g. for streaming_maxburst = 0 case it will always
+fail as wBytePerInterval was evaluating to 0.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_uvc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configurati
+ uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst;
+ uvc_ss_streaming_comp.wBytesPerInterval =
+ cpu_to_le16(max_packet_size * max_packet_mult *
+- opts->streaming_maxburst);
++ (opts->streaming_maxburst + 1));
+
+ /* Allocate endpoints. */
+ ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep);
--- /dev/null
+From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 8 Mar 2017 10:19:36 -0800
+Subject: usb: hub: Fix crash after failure to read BOS descriptor
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream.
+
+If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
+Nevertheless, it is dereferenced unconditionally in
+hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
+This results in a crash.
+
+usb 5-1: unable to get BOS descriptor
+...
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = ffffffc00165f000
+[00000008] *pgd=000000000174f003, *pud=000000000174f003,
+ *pmd=0000000001750003, *pte=00e8000001751713
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
+CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480
+Hardware name: Google Kevin (DT)
+Workqueue: events driver_set_config_work
+task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
+PC is at hub_port_init+0xc3c/0xd10
+LR is at hub_port_init+0xc3c/0xd10
+...
+Call trace:
+[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
+[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
+[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
+[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
+[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
+[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
+[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
+[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
+[<ffffffc0007747ec>] __device_attach+0xd0/0x158
+[<ffffffc000775080>] device_initial_probe+0x24/0x30
+[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
+[<ffffffc000770bd0>] device_add+0x414/0x738
+[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
+[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
+[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
+[<ffffffc00024abcc>] worker_thread+0x480/0x610
+[<ffffffc000251a80>] kthread+0x164/0x178
+[<ffffffc0002045d0>] ret_from_fork+0x10/0x40
+
+Since we don't know anything about LPM capabilities without BOS descriptor,
+don't attempt to enable LPM if it is not available.
+
+Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4199,7 +4199,7 @@ static void hub_set_initial_usb2_lpm_pol
+ struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
+ int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN;
+
+- if (!udev->usb2_hw_lpm_capable)
++ if (!udev->usb2_hw_lpm_capable || !udev->bos)
+ return;
+
+ if (hub)
--- /dev/null
+From b0addd3fa6bcd119be9428996d5d4522479ab240 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:48 +0100
+Subject: USB: idmouse: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/idmouse.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_inte
+ if (iface_desc->desc.bInterfaceClass != 0x0A)
+ return -ENODEV;
+
++ if (iface_desc->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ /* allocate memory for our device state and initialize it */
+ dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+ if (dev == NULL)
--- /dev/null
+From 1dc56c52d2484be09c7398a5207d6b11a4256be9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:49 +0100
+Subject: USB: lvtest: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should the probed device lack endpoints.
+
+Note that this driver does not bind to any devices by default.
+
+Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver")
+Cc: Pratyush Anand <pratyush.anand@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/lvstest.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/misc/lvstest.c
++++ b/drivers/usb/misc/lvstest.c
+@@ -370,6 +370,10 @@ static int lvs_rh_probe(struct usb_inter
+
+ hdev = interface_to_usbdev(intf);
+ desc = intf->cur_altsetting;
++
++ if (desc->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ endpoint = &desc->endpoint[0].desc;
+
+ /* valid only for SS root hub */
--- /dev/null
+From 0090114d336a9604aa2d90bc83f20f7cd121b76c Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Fri, 10 Mar 2017 14:43:35 -0600
+Subject: usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream.
+
+The CPPI 4.1 driver polls register to workaround the premature TX
+interrupt issue, but it causes audio playback underrun when triggered in
+Isoch transfers.
+
+Isoch doesn't do back-to-back transfers, the TX should be done by the
+time the next transfer is scheduled. So skip this polling workaround for
+Isoch transfer.
+
+Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt")
+Reported-by: Alexandre Bailon <abailon@baylibre.com>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Alexandre Bailon <abailon@baylibre.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_cppi41.c | 23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/musb/musb_cppi41.c
++++ b/drivers/usb/musb/musb_cppi41.c
+@@ -250,8 +250,27 @@ static void cppi41_dma_callback(void *pr
+ transferred < cppi41_channel->packet_sz)
+ cppi41_channel->prog_len = 0;
+
+- if (cppi41_channel->is_tx)
+- empty = musb_is_tx_fifo_empty(hw_ep);
++ if (cppi41_channel->is_tx) {
++ u8 type;
++
++ if (is_host_active(musb))
++ type = hw_ep->out_qh->type;
++ else
++ type = hw_ep->ep_in.type;
++
++ if (type == USB_ENDPOINT_XFER_ISOC)
++ /*
++ * Don't use the early-TX-interrupt workaround below
++ * for Isoch transfter. Since Isoch are periodic
++ * transfer, by the time the next transfer is
++ * scheduled, the current one should be done already.
++ *
++ * This avoids audio playback underrun issue.
++ */
++ empty = true;
++ else
++ empty = musb_is_tx_fifo_empty(hw_ep);
++ }
+
+ if (!cppi41_channel->is_tx || empty) {
+ cppi41_trans_done(cppi41_channel);
--- /dev/null
+From 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Thu, 9 Mar 2017 11:32:28 -0600
+Subject: USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
+
+From: Dan Williams <dcbw@redhat.com>
+
+commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream.
+
+Add Quectel UC15, UC20, EC21, and EC25. The EC20 is handled by
+qcserial due to a USB VID/PID conflict with an existing Acer
+device.
+
+Signed-off-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c | 17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -233,6 +233,14 @@ static void option_instat_callback(struc
+ #define BANDRICH_PRODUCT_1012 0x1012
+
+ #define QUALCOMM_VENDOR_ID 0x05C6
++/* These Quectel products use Qualcomm's vendor ID */
++#define QUECTEL_PRODUCT_UC20 0x9003
++#define QUECTEL_PRODUCT_UC15 0x9090
++
++#define QUECTEL_VENDOR_ID 0x2c7c
++/* These Quectel products use Quectel's vendor ID */
++#define QUECTEL_PRODUCT_EC21 0x0121
++#define QUECTEL_PRODUCT_EC25 0x0125
+
+ #define CMOTECH_VENDOR_ID 0x16d8
+ #define CMOTECH_PRODUCT_6001 0x6001
+@@ -1161,7 +1169,14 @@ static const struct usb_device_id option
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
+ { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
+- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */
++ /* Quectel products using Qualcomm vendor ID */
++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++ /* Quectel products using Quectel vendor ID */
++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
+ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+ { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
--- /dev/null
+From 436ecf5519d892397af133a79ccd38a17c25fa51 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 17 Mar 2017 17:21:28 +0100
+Subject: USB: serial: qcserial: add Dell DW5811e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream.
+
+This is a Dell branded Sierra Wireless EM7455.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -169,6 +169,8 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
++ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */
++ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */
+
+ /* Huawei devices */
+ {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
--- /dev/null
+From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:50 +0100
+Subject: USB: uss720: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Note that the endpoint access that causes the NULL-deref is currently
+only used for debugging purposes during probe so the oops only happens
+when dynamic debugging is enabled. This means the driver could be
+rewritten to continue to accept device with only two endpoints, should
+such devices exist.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/uss720.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/misc/uss720.c
++++ b/drivers/usb/misc/uss720.c
+@@ -711,6 +711,11 @@ static int uss720_probe(struct usb_inter
+
+ interface = intf->cur_altsetting;
+
++ if (interface->desc.bNumEndpoints < 3) {
++ usb_put_dev(usbdev);
++ return -ENODEV;
++ }
++
+ /*
+ * Allocate parport interface
+ */
--- /dev/null
+From 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:51 +0100
+Subject: USB: wusbcore: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+This specifically fixes the NULL-pointer dereference when probing HWA HC
+devices.
+
+Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/wusbcore/wa-hc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/wusbcore/wa-hc.c
++++ b/drivers/usb/wusbcore/wa-hc.c
+@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct us
+ int result;
+ struct device *dev = &iface->dev;
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 3)
++ return -ENODEV;
++
+ result = wa_rpipes_create(wa);
+ if (result < 0)
+ goto error_rpipes_create;
--- /dev/null
+From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:52 +0100
+Subject: uwb: hwa-rc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the start callback which is called
+during probe.
+
+Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/hwa-rc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interf
+ struct hwarc *hwarc;
+ struct device *dev = &iface->dev;
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ result = -ENOMEM;
+ uwb_rc = uwb_rc_alloc();
+ if (uwb_rc == NULL) {
--- /dev/null
+From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:53 +0100
+Subject: uwb: i1480-dfu: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the cmd and wait_init_done
+callbacks which are called during probe.
+
+Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/i1480/dfu/usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/i1480/dfu/usb.c
++++ b/drivers/uwb/i1480/dfu/usb.c
+@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface
+ result);
+ }
+
++ if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++ return -ENODEV;
++
+ result = -ENOMEM;
+ i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
+ if (i1480_usb == NULL) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
