--- /dev/null
+From 18a1b06e5b91d47dc86c0a66a762646ea7c5d141 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Date: Tue, 17 Dec 2019 14:50:21 -0800
+Subject: HID: hiddev: fix mess in hiddev_open()
+
+From: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+
+commit 18a1b06e5b91d47dc86c0a66a762646ea7c5d141 upstream.
+
+The open method of hiddev handler fails to bring the device out of
+autosuspend state as was promised in 0361a28d3f9a, as it actually has 2
+blocks that try to start the transport (call hid_hw_open()) with both
+being guarded by the "open" counter, so the 2nd block is never executed as
+the first block increments the counter so it is never at 0 when we check
+it for the second block.
+
+Additionally hiddev_open() was leaving counter incremented on errors,
+causing the device to never be reopened properly if there was ever an
+error.
+
+Let's fix all of this by factoring out code that creates client structure
+and powers up the device into a separate function that is being called
+from usbhid_open() with the "existancelock" being held.
+
+Fixes: 0361a28d3f9a ("HID: autosuspend support for USB HID")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/usbhid/hiddev.c | 97 +++++++++++++++++++-------------------------
+ 1 file changed, 42 insertions(+), 55 deletions(-)
+
+--- a/drivers/hid/usbhid/hiddev.c
++++ b/drivers/hid/usbhid/hiddev.c
+@@ -241,12 +241,51 @@ static int hiddev_release(struct inode *
+ return 0;
+ }
+
++static int __hiddev_open(struct hiddev *hiddev, struct file *file)
++{
++ struct hiddev_list *list;
++ int error;
++
++ lockdep_assert_held(&hiddev->existancelock);
++
++ list = vzalloc(sizeof(*list));
++ if (!list)
++ return -ENOMEM;
++
++ mutex_init(&list->thread_lock);
++ list->hiddev = hiddev;
++
++ if (!hiddev->open++) {
++ error = hid_hw_power(hiddev->hid, PM_HINT_FULLON);
++ if (error < 0)
++ goto err_drop_count;
++
++ error = hid_hw_open(hiddev->hid);
++ if (error < 0)
++ goto err_normal_power;
++ }
++
++ spin_lock_irq(&hiddev->list_lock);
++ list_add_tail(&list->node, &hiddev->list);
++ spin_unlock_irq(&hiddev->list_lock);
++
++ file->private_data = list;
++
++ return 0;
++
++err_normal_power:
++ hid_hw_power(hiddev->hid, PM_HINT_NORMAL);
++err_drop_count:
++ hiddev->open--;
++ vfree(list);
++ return error;
++}
++
+ /*
+ * open file op
+ */
+ static int hiddev_open(struct inode *inode, struct file *file)
+ {
+- struct hiddev_list *list;
+ struct usb_interface *intf;
+ struct hid_device *hid;
+ struct hiddev *hiddev;
+@@ -255,66 +294,14 @@ static int hiddev_open(struct inode *ino
+ intf = usbhid_find_interface(iminor(inode));
+ if (!intf)
+ return -ENODEV;
++
+ hid = usb_get_intfdata(intf);
+ hiddev = hid->hiddev;
+
+- if (!(list = vzalloc(sizeof(struct hiddev_list))))
+- return -ENOMEM;
+- mutex_init(&list->thread_lock);
+- list->hiddev = hiddev;
+- file->private_data = list;
+-
+- /*
+- * no need for locking because the USB major number
+- * is shared which usbcore guards against disconnect
+- */
+- if (list->hiddev->exist) {
+- if (!list->hiddev->open++) {
+- res = hid_hw_open(hiddev->hid);
+- if (res < 0)
+- goto bail;
+- }
+- } else {
+- res = -ENODEV;
+- goto bail;
+- }
+-
+- spin_lock_irq(&list->hiddev->list_lock);
+- list_add_tail(&list->node, &hiddev->list);
+- spin_unlock_irq(&list->hiddev->list_lock);
+-
+ mutex_lock(&hiddev->existancelock);
+- /*
+- * recheck exist with existance lock held to
+- * avoid opening a disconnected device
+- */
+- if (!list->hiddev->exist) {
+- res = -ENODEV;
+- goto bail_unlock;
+- }
+- if (!list->hiddev->open++)
+- if (list->hiddev->exist) {
+- struct hid_device *hid = hiddev->hid;
+- res = hid_hw_power(hid, PM_HINT_FULLON);
+- if (res < 0)
+- goto bail_unlock;
+- res = hid_hw_open(hid);
+- if (res < 0)
+- goto bail_normal_power;
+- }
+- mutex_unlock(&hiddev->existancelock);
+- return 0;
+-bail_normal_power:
+- hid_hw_power(hid, PM_HINT_NORMAL);
+-bail_unlock:
++ res = hiddev->exist ? __hiddev_open(hiddev, file) : -ENODEV;
+ mutex_unlock(&hiddev->existancelock);
+
+- spin_lock_irq(&list->hiddev->list_lock);
+- list_del(&list->node);
+- spin_unlock_irq(&list->hiddev->list_lock);
+-bail:
+- file->private_data = NULL;
+- vfree(list);
+ return res;
+ }
+
--- /dev/null
+From 1b789577f655060d98d20ed0c6f9fbd469d6ba63 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 27 Dec 2019 01:33:10 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 1b789577f655060d98d20ed0c6f9fbd469d6ba63 upstream.
+
+We get crash when the targets checkentry function tries to make
+use of the network namespace pointer for arptables.
+
+When the net pointer got added back in 2010, only ip/ip6/ebtables were
+changed to initialize it, so arptables has this set to NULL.
+
+This isn't a problem for normal arptables because no existing
+arptables target has a checkentry function that makes use of par->net.
+
+However, direct users of the setsockopt interface can provide any
+target they want as long as its registered for ARP or UNPSEC protocols.
+
+syzkaller managed to send a semi-valid arptables rule for RATEEST target
+which is enough to trigger NULL deref:
+
+kasan: GPF could be caused by NULL-ptr deref or user memory access
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
+[..]
+ xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
+ check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
+ find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
+ translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
+ do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
+ do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c | 27 ++++++++++++++++-----------
+ 1 file changed, 16 insertions(+), 11 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -384,10 +384,11 @@ next: ;
+ return 1;
+ }
+
+-static inline int check_target(struct arpt_entry *e, const char *name)
++static int check_target(struct arpt_entry *e, struct net *net, const char *name)
+ {
+ struct xt_entry_target *t = arpt_get_target(e);
+ struct xt_tgchk_param par = {
++ .net = net,
+ .table = name,
+ .entryinfo = e,
+ .target = t->u.kernel.target,
+@@ -399,8 +400,9 @@ static inline int check_target(struct ar
+ return xt_check_target(&par, t->u.target_size - sizeof(*t), 0, false);
+ }
+
+-static inline int
+-find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
++static int
++find_check_entry(struct arpt_entry *e, struct net *net, const char *name,
++ unsigned int size,
+ struct xt_percpu_counter_alloc_state *alloc_state)
+ {
+ struct xt_entry_target *t;
+@@ -419,7 +421,7 @@ find_check_entry(struct arpt_entry *e, c
+ }
+ t->u.kernel.target = target;
+
+- ret = check_target(e, name);
++ ret = check_target(e, net, name);
+ if (ret)
+ goto err;
+ return 0;
+@@ -512,7 +514,9 @@ static inline void cleanup_entry(struct
+ /* Checks and translates the user-supplied table segment (held in
+ * newinfo).
+ */
+-static int translate_table(struct xt_table_info *newinfo, void *entry0,
++static int translate_table(struct net *net,
++ struct xt_table_info *newinfo,
++ void *entry0,
+ const struct arpt_replace *repl)
+ {
+ struct xt_percpu_counter_alloc_state alloc_state = { 0 };
+@@ -569,7 +573,7 @@ static int translate_table(struct xt_tab
+ /* Finally, each sanity check must pass */
+ i = 0;
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+- ret = find_check_entry(iter, repl->name, repl->size,
++ ret = find_check_entry(iter, net, repl->name, repl->size,
+ &alloc_state);
+ if (ret != 0)
+ break;
+@@ -974,7 +978,7 @@ static int do_replace(struct net *net, c
+ goto free_newinfo;
+ }
+
+- ret = translate_table(newinfo, loc_cpu_entry, &tmp);
++ ret = translate_table(net, newinfo, loc_cpu_entry, &tmp);
+ if (ret != 0)
+ goto free_newinfo;
+
+@@ -1149,7 +1153,8 @@ compat_copy_entry_from_user(struct compa
+ }
+ }
+
+-static int translate_compat_table(struct xt_table_info **pinfo,
++static int translate_compat_table(struct net *net,
++ struct xt_table_info **pinfo,
+ void **pentry0,
+ const struct compat_arpt_replace *compatr)
+ {
+@@ -1217,7 +1222,7 @@ static int translate_compat_table(struct
+ repl.num_counters = 0;
+ repl.counters = NULL;
+ repl.size = newinfo->size;
+- ret = translate_table(newinfo, entry1, &repl);
++ ret = translate_table(net, newinfo, entry1, &repl);
+ if (ret)
+ goto free_newinfo;
+
+@@ -1270,7 +1275,7 @@ static int compat_do_replace(struct net
+ goto free_newinfo;
+ }
+
+- ret = translate_compat_table(&newinfo, &loc_cpu_entry, &tmp);
++ ret = translate_compat_table(net, &newinfo, &loc_cpu_entry, &tmp);
+ if (ret != 0)
+ goto free_newinfo;
+
+@@ -1546,7 +1551,7 @@ int arpt_register_table(struct net *net,
+ loc_cpu_entry = newinfo->entries;
+ memcpy(loc_cpu_entry, repl->entries, repl->size);
+
+- ret = translate_table(newinfo, loc_cpu_entry, repl);
++ ret = translate_table(net, newinfo, loc_cpu_entry, repl);
+ if (ret != 0)
+ goto out_free;
+
--- /dev/null
+From 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 6 Jan 2020 23:34:17 +0100
+Subject: netfilter: conntrack: dccp, sctp: handle null timeout argument
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 1d9a7acd3d1e74c2d150d8934f7f55bed6d70858 upstream.
+
+The timeout pointer can be NULL which means we should modify the
+per-nets timeout instead.
+
+All do this, except sctp and dccp which instead give:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+net/netfilter/nf_conntrack_proto_dccp.c:682
+ ctnl_timeout_parse_policy+0x150/0x1d0 net/netfilter/nfnetlink_cttimeout.c:67
+ cttimeout_default_set+0x150/0x1c0 net/netfilter/nfnetlink_cttimeout.c:368
+ nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+
+Reported-by: syzbot+46a4ad33f345d1dd346e@syzkaller.appspotmail.com
+Fixes: c779e849608a8 ("netfilter: conntrack: remove get_timeout() indirection")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_proto_dccp.c | 3 +++
+ net/netfilter/nf_conntrack_proto_sctp.c | 3 +++
+ 2 files changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_proto_dccp.c
++++ b/net/netfilter/nf_conntrack_proto_dccp.c
+@@ -677,6 +677,9 @@ static int dccp_timeout_nlattr_to_obj(st
+ unsigned int *timeouts = data;
+ int i;
+
++ if (!timeouts)
++ timeouts = dn->dccp_timeout;
++
+ /* set default DCCP timeouts. */
+ for (i=0; i<CT_DCCP_MAX; i++)
+ timeouts[i] = dn->dccp_timeout[i];
+--- a/net/netfilter/nf_conntrack_proto_sctp.c
++++ b/net/netfilter/nf_conntrack_proto_sctp.c
+@@ -594,6 +594,9 @@ static int sctp_timeout_nlattr_to_obj(st
+ struct nf_sctp_net *sn = nf_sctp_pernet(net);
+ int i;
+
++ if (!timeouts)
++ timeouts = sn->timeouts;
++
+ /* set default SCTP timeouts. */
+ for (i=0; i<SCTP_CONNTRACK_MAX; i++)
+ timeouts[i] = sn->timeouts[i];
--- /dev/null
+From 22dad713b8a5ff488e07b821195270672f486eb2 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Wed, 8 Jan 2020 10:59:38 +0100
+Subject: netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream.
+
+The set uadt functions assume lineno is never NULL, but it is in
+case of ip_set_utest().
+
+syzkaller managed to generate a netlink message that calls this with
+LINENO attr present:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104
+Call Trace:
+ ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
+ nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
+ netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
+ nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563
+
+pass a dummy lineno storage, its easier than patching all set
+implementations.
+
+This seems to be a day-0 bug.
+
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
+Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1658,6 +1658,7 @@ static int ip_set_utest(struct net *net,
+ struct ip_set *set;
+ struct nlattr *tb[IPSET_ATTR_ADT_MAX + 1] = {};
+ int ret = 0;
++ u32 lineno;
+
+ if (unlikely(protocol_min_failed(attr) ||
+ !attr[IPSET_ATTR_SETNAME] ||
+@@ -1674,7 +1675,7 @@ static int ip_set_utest(struct net *net,
+ return -IPSET_ERR_PROTOCOL;
+
+ rcu_read_lock_bh();
+- ret = set->variant->uadt(set, tb, IPSET_TEST, NULL, 0, 0);
++ ret = set->variant->uadt(set, tb, IPSET_TEST, &lineno, 0, 0);
+ rcu_read_unlock_bh();
+ /* Userspace can't trigger element to be re-added */
+ if (ret == -EAGAIN)
--- /dev/null
+From 4acb0200ab2b07843e3ef5599add3454c7440f03 Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Fri, 20 Dec 2019 16:21:40 +0530
+Subject: phy: cpcap-usb: Fix error path when no host driver is loaded
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 4acb0200ab2b07843e3ef5599add3454c7440f03 upstream.
+
+If musb_mailbox() returns an error, we must still continue to finish
+configuring the phy.
+
+Otherwise the phy state may end up only half initialized, and this can
+cause the debug serial console to stop working. And this will happen if the
+usb driver musb controller is not loaded.
+
+Let's fix the issue by adding helper for cpcap_usb_try_musb_mailbox().
+
+Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support")
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Sebastian Reichel <sre@kernel.org>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/motorola/phy-cpcap-usb.c | 33 ++++++++++++++++++---------------
+ 1 file changed, 18 insertions(+), 15 deletions(-)
+
+--- a/drivers/phy/motorola/phy-cpcap-usb.c
++++ b/drivers/phy/motorola/phy-cpcap-usb.c
+@@ -207,6 +207,19 @@ static int cpcap_phy_get_ints_state(stru
+ static int cpcap_usb_set_uart_mode(struct cpcap_phy_ddata *ddata);
+ static int cpcap_usb_set_usb_mode(struct cpcap_phy_ddata *ddata);
+
++static void cpcap_usb_try_musb_mailbox(struct cpcap_phy_ddata *ddata,
++ enum musb_vbus_id_status status)
++{
++ int error;
++
++ error = musb_mailbox(status);
++ if (!error)
++ return;
++
++ dev_dbg(ddata->dev, "%s: musb_mailbox failed: %i\n",
++ __func__, error);
++}
++
+ static void cpcap_usb_detect(struct work_struct *work)
+ {
+ struct cpcap_phy_ddata *ddata;
+@@ -226,9 +239,7 @@ static void cpcap_usb_detect(struct work
+ if (error)
+ goto out_err;
+
+- error = musb_mailbox(MUSB_ID_GROUND);
+- if (error)
+- goto out_err;
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND);
+
+ error = regmap_update_bits(ddata->reg, CPCAP_REG_USBC3,
+ CPCAP_BIT_VBUSSTBY_EN |
+@@ -257,9 +268,7 @@ static void cpcap_usb_detect(struct work
+ error = cpcap_usb_set_usb_mode(ddata);
+ if (error)
+ goto out_err;
+- error = musb_mailbox(MUSB_ID_GROUND);
+- if (error)
+- goto out_err;
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_ID_GROUND);
+
+ return;
+ }
+@@ -269,9 +278,7 @@ static void cpcap_usb_detect(struct work
+ error = cpcap_usb_set_usb_mode(ddata);
+ if (error)
+ goto out_err;
+- error = musb_mailbox(MUSB_VBUS_VALID);
+- if (error)
+- goto out_err;
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_VALID);
+
+ return;
+ }
+@@ -281,9 +288,7 @@ static void cpcap_usb_detect(struct work
+ if (error)
+ goto out_err;
+
+- error = musb_mailbox(MUSB_VBUS_OFF);
+- if (error)
+- goto out_err;
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
+
+ dev_dbg(ddata->dev, "set UART mode\n");
+
+@@ -649,9 +654,7 @@ static int cpcap_usb_phy_remove(struct p
+ if (error)
+ dev_err(ddata->dev, "could not set UART mode\n");
+
+- error = musb_mailbox(MUSB_VBUS_OFF);
+- if (error)
+- dev_err(ddata->dev, "could not set mailbox\n");
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
+
+ usb_remove_phy(&ddata->phy);
+ cancel_delayed_work_sync(&ddata->detect_work);
--- /dev/null
+From 049226b9fd7442149dcbcf55f15408f5973cceda Mon Sep 17 00:00:00 2001
+From: Tony Lindgren <tony@atomide.com>
+Date: Sun, 22 Dec 2019 10:00:19 -0800
+Subject: phy: cpcap-usb: Fix flakey host idling and enumerating of devices
+
+From: Tony Lindgren <tony@atomide.com>
+
+commit 049226b9fd7442149dcbcf55f15408f5973cceda upstream.
+
+We must let the USB host idle things properly before we switch to debug
+UART mode. Otherwise the USB host may never idle after disconnecting
+devices, and that causes the next enumeration to be flakey.
+
+Cc: Jacopo Mondi <jacopo@jmondi.org>
+Cc: Marcel Partap <mpartap@gmx.net>
+Cc: Merlijn Wajer <merlijn@wizzup.org>
+Cc: Michael Scott <hashcode0f@gmail.com>
+Cc: NeKit <nekit1000@gmail.com>
+Cc: Pavel Machek <pavel@ucw.cz>
+Cc: Sebastian Reichel <sre@kernel.org>
+Acked-by: Pavel Machek <pavel@ucw.cz>
+Fixes: 6d6ce40f63af ("phy: cpcap-usb: Add CPCAP PMIC USB support")
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Kishon Vijay Abraham I <kishon@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/phy/motorola/phy-cpcap-usb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/phy/motorola/phy-cpcap-usb.c
++++ b/drivers/phy/motorola/phy-cpcap-usb.c
+@@ -283,13 +283,13 @@ static void cpcap_usb_detect(struct work
+ return;
+ }
+
++ cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
++
+ /* Default to debug UART mode */
+ error = cpcap_usb_set_uart_mode(ddata);
+ if (error)
+ goto out_err;
+
+- cpcap_usb_try_musb_mailbox(ddata, MUSB_VBUS_OFF);
+-
+ dev_dbg(ddata->dev, "set UART mode\n");
+
+ return;
scsi-bfa-release-allocated-memory-in-case-of-error.patch
rtl8xxxu-prevent-leaking-urb.patch
ath10k-fix-memory-leak.patch
+hid-hiddev-fix-mess-in-hiddev_open.patch
+usb-fix-don-t-skip-endpoint-descriptors-with-maxpacket-0.patch
+phy-cpcap-usb-fix-error-path-when-no-host-driver-is-loaded.patch
+phy-cpcap-usb-fix-flakey-host-idling-and-enumerating-of-devices.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgchk_param-struct.patch
+netfilter-conntrack-dccp-sctp-handle-null-timeout-argument.patch
+netfilter-ipset-avoid-null-deref-when-ipset_attr_lineno-is-present.patch
--- /dev/null
+From 2548288b4fb059b2da9ceada172ef763077e8a59 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 6 Jan 2020 10:43:42 -0500
+Subject: USB: Fix: Don't skip endpoint descriptors with maxpacket=0
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 2548288b4fb059b2da9ceada172ef763077e8a59 upstream.
+
+It turns out that even though endpoints with a maxpacket length of 0
+aren't useful for data transfer, the descriptors do serve other
+purposes. In particular, skipping them will also skip over other
+class-specific descriptors for classes such as UVC. This unexpected
+side effect has caused some UVC cameras to stop working.
+
+In addition, the USB spec requires that when isochronous endpoint
+descriptors are present in an interface's altsetting 0 (which is true
+on some devices), the maxpacket size _must_ be set to 0. Warning
+about such things seems like a bad idea.
+
+This patch updates an earlier commit which would log a warning and
+skip these endpoint descriptors. Now we only log a warning, and we
+don't even do that for isochronous endpoints in altsetting 0.
+
+We don't need to worry about preventing endpoints with maxpacket = 0
+from ever being used for data transfers; usb_submit_urb() already
+checks for this.
+
+Reported-and-tested-by: Roger Whittaker <Roger.Whittaker@suse.com>
+Fixes: d482c7bb0541 ("USB: Skip endpoints with 0 maxpacket length")
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Link: https://marc.info/?l=linux-usb&m=157790377329882&w=2
+Link: https://lore.kernel.org/r/Pine.LNX.4.44L0.2001061040270.1514-100000@iolanthe.rowland.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -392,12 +392,16 @@ static int usb_parse_endpoint(struct dev
+ endpoint->desc.wMaxPacketSize = cpu_to_le16(8);
+ }
+
+- /* Validate the wMaxPacketSize field */
++ /*
++ * Validate the wMaxPacketSize field.
++ * Some devices have isochronous endpoints in altsetting 0;
++ * the USB-2 spec requires such endpoints to have wMaxPacketSize = 0
++ * (see the end of section 5.6.3), so don't warn about them.
++ */
+ maxp = usb_endpoint_maxp(&endpoint->desc);
+- if (maxp == 0) {
+- dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has wMaxPacketSize 0, skipping\n",
++ if (maxp == 0 && !(usb_endpoint_xfer_isoc(d) && asnum == 0)) {
++ dev_warn(ddev, "config %d interface %d altsetting %d endpoint 0x%X has invalid wMaxPacketSize 0\n",
+ cfgno, inum, asnum, d->bEndpointAddress);
+- goto skip_to_next_endpoint_or_interface_descriptor;
+ }
+
+ /* Find the highest legal maxpacket size for this endpoint */
projects / thirdparty / kernel / stable-queue.git / commitdiff
