--- /dev/null
+From 0ef332951e856efa89507cdd13ba8f4fb8d4db12 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:20 +0100
+Subject: ath9k: fix storage endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0ef332951e856efa89507cdd13ba8f4fb8d4db12 upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Cc: stable <stable@vger.kernel.org> # 2.6.39
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1211,7 +1211,7 @@ err_fw:
+ static int send_eject_command(struct usb_interface *interface)
+ {
+ struct usb_device *udev = interface_to_usbdev(interface);
+- struct usb_host_interface *iface_desc = &interface->altsetting[0];
++ struct usb_host_interface *iface_desc = interface->cur_altsetting;
+ struct usb_endpoint_descriptor *endpoint;
+ unsigned char *cmd;
+ u8 bulk_out_ep;
--- /dev/null
+From 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:22 +0100
+Subject: brcmfmac: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3428fbcd6e6c0850b1a8b2a12082b7b2aabb3da3 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 71bb244ba2fd ("brcm80211: fmac: add USB support for bcm43235/6/8 chipsets")
+Cc: stable <stable@vger.kernel.org> # 3.4
+Cc: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/brcm80211/brcmfmac/usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/brcm80211/brcmfmac/usb.c
++++ b/drivers/net/wireless/brcm80211/brcmfmac/usb.c
+@@ -1352,7 +1352,7 @@ brcmf_usb_probe(struct usb_interface *in
+ goto fail;
+ }
+
+- desc = &intf->altsetting[0].desc;
++ desc = &intf->cur_altsetting->desc;
+ if ((desc->bInterfaceClass != USB_CLASS_VENDOR_SPEC) ||
+ (desc->bInterfaceSubClass != 2) ||
+ (desc->bInterfaceProtocol != 0xff)) {
+@@ -1365,7 +1365,7 @@ brcmf_usb_probe(struct usb_interface *in
+
+ num_of_eps = desc->bNumEndpoints;
+ for (ep = 0; ep < num_of_eps; ep++) {
+- endpoint = &intf->altsetting[0].endpoint[ep].desc;
++ endpoint = &intf->cur_altsetting->endpoint[ep].desc;
+ endpoint_num = usb_endpoint_num(endpoint);
+ if (!usb_endpoint_xfer_bulk(endpoint))
+ continue;
--- /dev/null
+From b73e05aa543cf8db4f4927e36952360d71291d41 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:23 +0100
+Subject: orinoco_usb: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b73e05aa543cf8db4f4927e36952360d71291d41 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 9afac70a7305 ("orinoco: add orinoco_usb driver")
+Cc: stable <stable@vger.kernel.org> # 2.6.35
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/orinoco/orinoco_usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/wireless/orinoco/orinoco_usb.c
++++ b/drivers/net/wireless/orinoco/orinoco_usb.c
+@@ -1601,9 +1601,9 @@ static int ezusb_probe(struct usb_interf
+ /* set up the endpoint information */
+ /* check out the endpoints */
+
+- iface_desc = &interface->altsetting[0].desc;
++ iface_desc = &interface->cur_altsetting->desc;
+ for (i = 0; i < iface_desc->bNumEndpoints; ++i) {
+- ep = &interface->altsetting[0].endpoint[i].desc;
++ ep = &interface->cur_altsetting->endpoint[i].desc;
+
+ if (usb_endpoint_is_bulk_in(ep)) {
+ /* we found a bulk in endpoint */
--- /dev/null
+From 3139b180906af43bc09bd3373fc2338a8271d9d9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:25 +0100
+Subject: rsi_91x_usb: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 3139b180906af43bc09bd3373fc2338a8271d9d9 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: dad0d04fa7ba ("rsi: Add RS9113 wireless driver")
+Cc: stable <stable@vger.kernel.org> # 3.15
+Cc: Fariya Fatima <fariyaf@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/rsi/rsi_91x_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rsi/rsi_91x_usb.c
++++ b/drivers/net/wireless/rsi/rsi_91x_usb.c
+@@ -103,7 +103,7 @@ static int rsi_find_bulk_in_and_out_endp
+ __le16 buffer_size;
+ int ii, bep_found = 0;
+
+- iface_desc = &(interface->altsetting[0]);
++ iface_desc = interface->cur_altsetting;
+
+ for (ii = 0; ii < iface_desc->desc.bNumEndpoints; ++ii) {
+ endpoint = &(iface_desc->endpoint[ii].desc);
--- /dev/null
+From 39a4281c312f2d226c710bc656ce380c621a2b16 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:24 +0100
+Subject: rtl8xxxu: fix interface sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 39a4281c312f2d226c710bc656ce380c621a2b16 upstream.
+
+Make sure to use the current alternate setting when verifying the
+interface descriptors to avoid binding to an invalid interface.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Cc: stable <stable@vger.kernel.org> # 4.4
+Cc: Jes Sorensen <Jes.Sorensen@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c
+@@ -5555,7 +5555,7 @@ static int rtl8xxxu_parse_usb(struct rtl
+ u8 dir, xtype, num;
+ int ret = 0;
+
+- host_interface = &interface->altsetting[0];
++ host_interface = interface->cur_altsetting;
+ interface_desc = &host_interface->desc;
+ endpoints = interface_desc->bNumEndpoints;
+
alsa-pcm-add-missing-copy-ops-check-before-clearing-buffer.patch
+orinoco_usb-fix-interface-sanity-check.patch
+rsi_91x_usb-fix-interface-sanity-check.patch
+usb-serial-ir-usb-add-missing-endpoint-sanity-check.patch
+usb-serial-ir-usb-fix-link-speed-handling.patch
+usb-serial-ir-usb-fix-irlap-framing.patch
+usb-dwc3-turn-off-vbus-when-leaving-host-mode.patch
+staging-most-net-fix-buffer-overflow.patch
+staging-wlan-ng-ensure-error-return-is-actually-returned.patch
+staging-vt6656-correct-packet-types-for-cts-protect-mode.patch
+staging-vt6656-use-nullfuction-stack-on-mac80211.patch
+staging-vt6656-fix-false-tx-excessive-retries-reporting.patch
+ath9k-fix-storage-endpoint-lookup.patch
+brcmfmac-fix-interface-sanity-check.patch
+rtl8xxxu-fix-interface-sanity-check.patch
+zd1211rw-fix-storage-endpoint-lookup.patch
--- /dev/null
+From 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 Mon Sep 17 00:00:00 2001
+From: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+Date: Thu, 16 Jan 2020 18:22:39 +0100
+Subject: staging: most: net: fix buffer overflow
+
+From: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+
+commit 4d1356ac12f4d5180d0df345d85ff0ee42b89c72 upstream.
+
+If the length of the socket buffer is 0xFFFFFFFF (max size for an
+unsigned int), then payload_len becomes 0xFFFFFFF1 after subtracting 14
+(ETH_HLEN). Then, mdp_len is set to payload_len + 16 (MDP_HDR_LEN)
+which overflows and results in a value of 2. These values for
+payload_len and mdp_len will pass current buffer size checks.
+
+This patch checks if derived from skb->len sum may overflow.
+
+The check is based on the following idea:
+
+For any `unsigned V1, V2` and derived `unsigned SUM = V1 + V2`,
+`V1 + V2` overflows iif `SUM < V1`.
+
+Reported-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andrey Shvetsov <andrey.shvetsov@k2l.de>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200116172238.6046-1-andrey.shvetsov@microchip.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/most/aim-network/networking.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/drivers/staging/most/aim-network/networking.c
++++ b/drivers/staging/most/aim-network/networking.c
+@@ -87,6 +87,11 @@ static int skb_to_mamac(const struct sk_
+ unsigned int payload_len = skb->len - ETH_HLEN;
+ unsigned int mdp_len = payload_len + MDP_HDR_LEN;
+
++ if (mdp_len < skb->len) {
++ pr_err("drop: too large packet! (%u)\n", skb->len);
++ return -EINVAL;
++ }
++
+ if (mbo->buffer_length < mdp_len) {
+ pr_err("drop: too small buffer! (%d for %d)\n",
+ mbo->buffer_length, mdp_len);
+@@ -134,6 +139,11 @@ static int skb_to_mep(const struct sk_bu
+ u8 *buff = mbo->virt_address;
+ unsigned int mep_len = skb->len + MEP_HDR_LEN;
+
++ if (mep_len < skb->len) {
++ pr_err("drop: too large packet! (%u)\n", skb->len);
++ return -EINVAL;
++ }
++
+ if (mbo->buffer_length < mep_len) {
+ pr_err("drop: too small buffer! (%d for %d)\n",
+ mbo->buffer_length, mep_len);
--- /dev/null
+From d971fdd3412f8342747778fb59b8803720ed82b1 Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:40:58 +0000
+Subject: staging: vt6656: correct packet types for CTS protect, mode.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit d971fdd3412f8342747778fb59b8803720ed82b1 upstream.
+
+It appears that the driver still transmits in CTS protect mode even
+though it is not enabled in mac80211.
+
+That is both packet types PK_TYPE_11GA and PK_TYPE_11GB both use CTS protect.
+The only difference between them GA does not use B rates.
+
+Find if only B rate in GB or GA in protect mode otherwise transmit packets
+as PK_TYPE_11A.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/9c1323ff-dbb3-0eaa-43e1-9453f7390dc0@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/device.h | 2 ++
+ drivers/staging/vt6656/rxtx.c | 12 ++++++++----
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+--- a/drivers/staging/vt6656/device.h
++++ b/drivers/staging/vt6656/device.h
+@@ -65,6 +65,8 @@
+ #define RATE_AUTO 12
+
+ #define MAX_RATE 12
++#define VNT_B_RATES (BIT(RATE_1M) | BIT(RATE_2M) |\
++ BIT(RATE_5M) | BIT(RATE_11M))
+
+ /*
+ * device specific
+--- a/drivers/staging/vt6656/rxtx.c
++++ b/drivers/staging/vt6656/rxtx.c
+@@ -815,10 +815,14 @@ int vnt_tx_packet(struct vnt_private *pr
+ if (info->band == IEEE80211_BAND_5GHZ) {
+ pkt_type = PK_TYPE_11A;
+ } else {
+- if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT)
+- pkt_type = PK_TYPE_11GB;
+- else
+- pkt_type = PK_TYPE_11GA;
++ if (tx_rate->flags & IEEE80211_TX_RC_USE_CTS_PROTECT) {
++ if (priv->basic_rates & VNT_B_RATES)
++ pkt_type = PK_TYPE_11GB;
++ else
++ pkt_type = PK_TYPE_11GA;
++ } else {
++ pkt_type = PK_TYPE_11A;
++ }
+ }
+ } else {
+ pkt_type = PK_TYPE_11B;
--- /dev/null
+From 9dd631fa99dc0a0dfbd191173bf355ba30ea786a Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:41:36 +0000
+Subject: staging: vt6656: Fix false Tx excessive retries reporting.
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit 9dd631fa99dc0a0dfbd191173bf355ba30ea786a upstream.
+
+The driver reporting IEEE80211_TX_STAT_ACK is not being handled
+correctly. The driver should only report on TSR_TMO flag is not
+set indicating no transmission errors and when not IEEE80211_TX_CTL_NO_ACK
+is being requested.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/340f1f7f-c310-dca5-476f-abc059b9cd97@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/int.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/vt6656/int.c
++++ b/drivers/staging/vt6656/int.c
+@@ -111,9 +111,11 @@ static int vnt_int_report_rate(struct vn
+
+ info->status.rates[0].count = tx_retry;
+
+- if (!(tsr & (TSR_TMO | TSR_RETRYTMO))) {
++ if (!(tsr & TSR_TMO)) {
+ info->status.rates[0].idx = idx;
+- info->flags |= IEEE80211_TX_STAT_ACK;
++
++ if (!(info->flags & IEEE80211_TX_CTL_NO_ACK))
++ info->flags |= IEEE80211_TX_STAT_ACK;
+ }
+
+ ieee80211_tx_status_irqsafe(priv->hw, context->skb);
--- /dev/null
+From d579c43c82f093e63639151625b2139166c730fd Mon Sep 17 00:00:00 2001
+From: Malcolm Priestley <tvboxspy@gmail.com>
+Date: Wed, 8 Jan 2020 21:41:20 +0000
+Subject: staging: vt6656: use NULLFUCTION stack on mac80211
+
+From: Malcolm Priestley <tvboxspy@gmail.com>
+
+commit d579c43c82f093e63639151625b2139166c730fd upstream.
+
+It appears that the drivers does not go into power save correctly the
+NULL data packets are not being transmitted because it not enabled
+in mac80211.
+
+The driver needs to capture ieee80211_is_nullfunc headers and
+copy the duration_id to it's own duration data header.
+
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Malcolm Priestley <tvboxspy@gmail.com>
+Link: https://lore.kernel.org/r/610971ae-555b-a6c3-61b3-444a0c1e35b4@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/vt6656/main_usb.c | 1 +
+ drivers/staging/vt6656/rxtx.c | 14 +++++---------
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/drivers/staging/vt6656/main_usb.c
++++ b/drivers/staging/vt6656/main_usb.c
+@@ -1002,6 +1002,7 @@ vt6656_probe(struct usb_interface *intf,
+ ieee80211_hw_set(priv->hw, RX_INCLUDES_FCS);
+ ieee80211_hw_set(priv->hw, REPORTS_TX_ACK_STATUS);
+ ieee80211_hw_set(priv->hw, SUPPORTS_PS);
++ ieee80211_hw_set(priv->hw, PS_NULLFUNC_STACK);
+
+ priv->hw->max_signal = 100;
+
+--- a/drivers/staging/vt6656/rxtx.c
++++ b/drivers/staging/vt6656/rxtx.c
+@@ -280,11 +280,9 @@ static u16 vnt_rxtx_datahead_g(struct vn
+ PK_TYPE_11B, &buf->b);
+
+ /* Get Duration and TimeStamp */
+- if (ieee80211_is_pspoll(hdr->frame_control)) {
+- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15));
+-
+- buf->duration_a = dur;
+- buf->duration_b = dur;
++ if (ieee80211_is_nullfunc(hdr->frame_control)) {
++ buf->duration_a = hdr->duration_id;
++ buf->duration_b = hdr->duration_id;
+ } else {
+ buf->duration_a = vnt_get_duration_le(priv,
+ tx_context->pkt_type, need_ack);
+@@ -373,10 +371,8 @@ static u16 vnt_rxtx_datahead_ab(struct v
+ tx_context->pkt_type, &buf->ab);
+
+ /* Get Duration and TimeStampOff */
+- if (ieee80211_is_pspoll(hdr->frame_control)) {
+- __le16 dur = cpu_to_le16(priv->current_aid | BIT(14) | BIT(15));
+-
+- buf->duration = dur;
++ if (ieee80211_is_nullfunc(hdr->frame_control)) {
++ buf->duration = hdr->duration_id;
+ } else {
+ buf->duration = vnt_get_duration_le(priv, tx_context->pkt_type,
+ need_ack);
--- /dev/null
+From 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Tue, 14 Jan 2020 18:16:04 +0000
+Subject: staging: wlan-ng: ensure error return is actually returned
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 4cc41cbce536876678b35e03c4a8a7bb72c78fa9 upstream.
+
+Currently when the call to prism2sta_ifst fails a netdev_err error
+is reported, error return variable result is set to -1 but the
+function always returns 0 for success. Fix this by returning
+the error value in variable result rather than 0.
+
+Addresses-Coverity: ("Unused value")
+Fixes: 00b3ed168508 ("Staging: add wlan-ng prism2 usb driver")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200114181604.390235-1-colin.king@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/wlan-ng/prism2mgmt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/wlan-ng/prism2mgmt.c
++++ b/drivers/staging/wlan-ng/prism2mgmt.c
+@@ -940,7 +940,7 @@ int prism2mgmt_flashdl_state(wlandevice_
+ }
+ }
+
+- return 0;
++ return result;
+ }
+
+ /*----------------------------------------------------------------
--- /dev/null
+From 09ed259fac621634d51cd986aa8d65f035662658 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Wed, 11 Dec 2019 10:10:03 -0600
+Subject: usb: dwc3: turn off VBUS when leaving host mode
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 09ed259fac621634d51cd986aa8d65f035662658 upstream.
+
+VBUS should be turned off when leaving the host mode.
+Set GCTL_PRTCAP to device mode in teardown to de-assert DRVVBUS pin to
+turn off VBUS power.
+
+Fixes: 5f94adfeed97 ("usb: dwc3: core: refactor mode initialization to its own function")
+Cc: stable@vger.kernel.org
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/dwc3/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/dwc3/core.c
++++ b/drivers/usb/dwc3/core.c
+@@ -801,6 +801,9 @@ static void dwc3_core_exit_mode(struct d
+ /* do nothing */
+ break;
+ }
++
++ /* de-assert DRVVBUS for HOST and OTG mode */
++ dwc3_set_prtcap(dwc, DWC3_GCTL_PRTCAP_DEVICE);
+ }
+
+ #define DWC3_ALIGN_MASK (16 - 1)
--- /dev/null
+From 2988a8ae7476fe9535ab620320790d1714bdad1d Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:26 +0100
+Subject: USB: serial: ir-usb: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2988a8ae7476fe9535ab620320790d1714bdad1d upstream.
+
+Add missing endpoint sanity check to avoid dereferencing a NULL-pointer
+on open() in case a device lacks a bulk-out endpoint.
+
+Note that prior to commit f4a4cbb2047e ("USB: ir-usb: reimplement using
+generic framework") the oops would instead happen on open() if the
+device lacked a bulk-in endpoint and on write() if it lacked a bulk-out
+endpoint.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -198,6 +198,9 @@ static int ir_startup(struct usb_serial
+ {
+ struct usb_irda_cs_descriptor *irda_desc;
+
++ if (serial->num_bulk_in < 1 || serial->num_bulk_out < 1)
++ return -ENODEV;
++
+ irda_desc = irda_usb_find_class_desc(serial, 0);
+ if (!irda_desc) {
+ dev_err(&serial->dev->dev,
--- /dev/null
+From 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:28 +0100
+Subject: USB: serial: ir-usb: fix IrLAP framing
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 38c0d5bdf4973f9f5a888166e9d3e9ed0d32057a upstream.
+
+Commit f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+switched to using the generic write implementation which may combine
+multiple write requests into larger transfers. This can break the IrLAP
+protocol where end-of-frame is determined using the USB short packet
+mechanism, for example, if multiple frames are sent in rapid succession.
+
+Fixes: f4a4cbb2047e ("USB: ir-usb: reimplement using generic framework")
+Cc: stable <stable@vger.kernel.org> # 2.6.35
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c | 113 +++++++++++++++++++++++++++++++++++---------
+ 1 file changed, 91 insertions(+), 22 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -49,9 +49,10 @@ static int buffer_size;
+ static int xbof = -1;
+
+ static int ir_startup (struct usb_serial *serial);
+-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port);
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+- void *dest, size_t size);
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++ const unsigned char *buf, int count);
++static int ir_write_room(struct tty_struct *tty);
++static void ir_write_bulk_callback(struct urb *urb);
+ static void ir_process_read_urb(struct urb *urb);
+ static void ir_set_termios(struct tty_struct *tty,
+ struct usb_serial_port *port, struct ktermios *old_termios);
+@@ -81,8 +82,9 @@ static struct usb_serial_driver ir_devic
+ .num_ports = 1,
+ .set_termios = ir_set_termios,
+ .attach = ir_startup,
+- .open = ir_open,
+- .prepare_write_buffer = ir_prepare_write_buffer,
++ .write = ir_write,
++ .write_room = ir_write_room,
++ .write_bulk_callback = ir_write_bulk_callback,
+ .process_read_urb = ir_process_read_urb,
+ };
+
+@@ -255,35 +257,102 @@ static int ir_startup(struct usb_serial
+ return 0;
+ }
+
+-static int ir_open(struct tty_struct *tty, struct usb_serial_port *port)
++static int ir_write(struct tty_struct *tty, struct usb_serial_port *port,
++ const unsigned char *buf, int count)
+ {
+- int i;
++ struct urb *urb = NULL;
++ unsigned long flags;
++ int ret;
+
+- for (i = 0; i < ARRAY_SIZE(port->write_urbs); ++i)
+- port->write_urbs[i]->transfer_flags = URB_ZERO_PACKET;
++ if (port->bulk_out_size == 0)
++ return -EINVAL;
+
+- /* Start reading from the device */
+- return usb_serial_generic_open(tty, port);
+-}
++ if (count == 0)
++ return 0;
+
+-static int ir_prepare_write_buffer(struct usb_serial_port *port,
+- void *dest, size_t size)
+-{
+- unsigned char *buf = dest;
+- int count;
++ count = min(count, port->bulk_out_size - 1);
++
++ spin_lock_irqsave(&port->lock, flags);
++ if (__test_and_clear_bit(0, &port->write_urbs_free)) {
++ urb = port->write_urbs[0];
++ port->tx_bytes += count;
++ }
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ if (!urb)
++ return 0;
+
+ /*
+ * The first byte of the packet we send to the device contains an
+- * inbound header which indicates an additional number of BOFs and
++ * outbound header which indicates an additional number of BOFs and
+ * a baud rate change.
+ *
+ * See section 5.4.2.2 of the USB IrDA spec.
+ */
+- *buf = ir_xbof | ir_baud;
++ *(u8 *)urb->transfer_buffer = ir_xbof | ir_baud;
++
++ memcpy(urb->transfer_buffer + 1, buf, count);
++
++ urb->transfer_buffer_length = count + 1;
++ urb->transfer_flags = URB_ZERO_PACKET;
++
++ ret = usb_submit_urb(urb, GFP_ATOMIC);
++ if (ret) {
++ dev_err(&port->dev, "failed to submit write urb: %d\n", ret);
++
++ spin_lock_irqsave(&port->lock, flags);
++ __set_bit(0, &port->write_urbs_free);
++ port->tx_bytes -= count;
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ return ret;
++ }
++
++ return count;
++}
++
++static void ir_write_bulk_callback(struct urb *urb)
++{
++ struct usb_serial_port *port = urb->context;
++ int status = urb->status;
++ unsigned long flags;
++
++ spin_lock_irqsave(&port->lock, flags);
++ __set_bit(0, &port->write_urbs_free);
++ port->tx_bytes -= urb->transfer_buffer_length - 1;
++ spin_unlock_irqrestore(&port->lock, flags);
++
++ switch (status) {
++ case 0:
++ break;
++ case -ENOENT:
++ case -ECONNRESET:
++ case -ESHUTDOWN:
++ dev_dbg(&port->dev, "write urb stopped: %d\n", status);
++ return;
++ case -EPIPE:
++ dev_err(&port->dev, "write urb stopped: %d\n", status);
++ return;
++ default:
++ dev_err(&port->dev, "nonzero write-urb status: %d\n", status);
++ break;
++ }
++
++ usb_serial_port_softint(port);
++}
++
++static int ir_write_room(struct tty_struct *tty)
++{
++ struct usb_serial_port *port = tty->driver_data;
++ int count = 0;
++
++ if (port->bulk_out_size == 0)
++ return 0;
++
++ if (test_bit(0, &port->write_urbs_free))
++ count = port->bulk_out_size - 1;
+
+- count = kfifo_out_locked(&port->write_fifo, buf + 1, size - 1,
+- &port->lock);
+- return count + 1;
++ return count;
+ }
+
+ static void ir_process_read_urb(struct urb *urb)
--- /dev/null
+From 17a0184ca17e288decdca8b2841531e34d49285f Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 22 Jan 2020 11:15:27 +0100
+Subject: USB: serial: ir-usb: fix link-speed handling
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 17a0184ca17e288decdca8b2841531e34d49285f upstream.
+
+Commit e0d795e4f36c ("usb: irda: cleanup on ir-usb module") added a USB
+IrDA header with common defines, but mistakingly switched to using the
+class-descriptor baud-rate bitmask values for the outbound header.
+
+This broke link-speed handling for rates above 9600 baud, but a device
+would also be able to operate at the default 9600 baud until a
+link-speed request was issued (e.g. using the TCGETS ioctl).
+
+Fixes: e0d795e4f36c ("usb: irda: cleanup on ir-usb module")
+Cc: stable <stable@vger.kernel.org> # 2.6.27
+Cc: Felipe Balbi <balbi@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ir-usb.c | 20 ++++++++++----------
+ include/linux/usb/irda.h | 13 ++++++++++++-
+ 2 files changed, 22 insertions(+), 11 deletions(-)
+
+--- a/drivers/usb/serial/ir-usb.c
++++ b/drivers/usb/serial/ir-usb.c
+@@ -336,34 +336,34 @@ static void ir_set_termios(struct tty_st
+
+ switch (baud) {
+ case 2400:
+- ir_baud = USB_IRDA_BR_2400;
++ ir_baud = USB_IRDA_LS_2400;
+ break;
+ case 9600:
+- ir_baud = USB_IRDA_BR_9600;
++ ir_baud = USB_IRDA_LS_9600;
+ break;
+ case 19200:
+- ir_baud = USB_IRDA_BR_19200;
++ ir_baud = USB_IRDA_LS_19200;
+ break;
+ case 38400:
+- ir_baud = USB_IRDA_BR_38400;
++ ir_baud = USB_IRDA_LS_38400;
+ break;
+ case 57600:
+- ir_baud = USB_IRDA_BR_57600;
++ ir_baud = USB_IRDA_LS_57600;
+ break;
+ case 115200:
+- ir_baud = USB_IRDA_BR_115200;
++ ir_baud = USB_IRDA_LS_115200;
+ break;
+ case 576000:
+- ir_baud = USB_IRDA_BR_576000;
++ ir_baud = USB_IRDA_LS_576000;
+ break;
+ case 1152000:
+- ir_baud = USB_IRDA_BR_1152000;
++ ir_baud = USB_IRDA_LS_1152000;
+ break;
+ case 4000000:
+- ir_baud = USB_IRDA_BR_4000000;
++ ir_baud = USB_IRDA_LS_4000000;
+ break;
+ default:
+- ir_baud = USB_IRDA_BR_9600;
++ ir_baud = USB_IRDA_LS_9600;
+ baud = 9600;
+ }
+
+--- a/include/linux/usb/irda.h
++++ b/include/linux/usb/irda.h
+@@ -118,11 +118,22 @@ struct usb_irda_cs_descriptor {
+ * 6 - 115200 bps
+ * 7 - 576000 bps
+ * 8 - 1.152 Mbps
+- * 9 - 5 mbps
++ * 9 - 4 Mbps
+ * 10..15 - Reserved
+ */
+ #define USB_IRDA_STATUS_LINK_SPEED 0x0f
+
++#define USB_IRDA_LS_NO_CHANGE 0
++#define USB_IRDA_LS_2400 1
++#define USB_IRDA_LS_9600 2
++#define USB_IRDA_LS_19200 3
++#define USB_IRDA_LS_38400 4
++#define USB_IRDA_LS_57600 5
++#define USB_IRDA_LS_115200 6
++#define USB_IRDA_LS_576000 7
++#define USB_IRDA_LS_1152000 8
++#define USB_IRDA_LS_4000000 9
++
+ /* The following is a 4-bit value used only for
+ * outbound header:
+ *
--- /dev/null
+From 2d68bb2687abb747558b933e80845ff31570a49c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 10 Dec 2019 12:44:26 +0100
+Subject: zd1211rw: fix storage endpoint lookup
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2d68bb2687abb747558b933e80845ff31570a49c upstream.
+
+Make sure to use the current alternate setting when verifying the
+storage interface descriptors to avoid submitting an URB to an invalid
+endpoint.
+
+Failing to do so could cause the driver to misbehave or trigger a WARN()
+in usb_submit_urb() that kernels with panic_on_warn set would choke on.
+
+Fixes: a1030e92c150 ("[PATCH] zd1211rw: Convert installer CDROM device into WLAN device")
+Cc: stable <stable@vger.kernel.org> # 2.6.19
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/zd1211rw/zd_usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/zd1211rw/zd_usb.c
++++ b/drivers/net/wireless/zd1211rw/zd_usb.c
+@@ -1272,7 +1272,7 @@ static void print_id(struct usb_device *
+ static int eject_installer(struct usb_interface *intf)
+ {
+ struct usb_device *udev = interface_to_usbdev(intf);
+- struct usb_host_interface *iface_desc = &intf->altsetting[0];
++ struct usb_host_interface *iface_desc = intf->cur_altsetting;
+ struct usb_endpoint_descriptor *endpoint;
+ unsigned char *cmd;
+ u8 bulk_out_ep;
projects / thirdparty / kernel / stable-queue.git / commitdiff
