--- /dev/null
+From f0e2ce58f853634d7ad1a418a49bd5fbd556227c Mon Sep 17 00:00:00 2001
+From: raveendra padasalagi <raveendra.padasalagi@broadcom.com>
+Date: Tue, 29 Aug 2017 15:08:10 +0530
+Subject: crypto: brcm - Explicity ACK mailbox message
+
+From: raveendra padasalagi <raveendra.padasalagi@broadcom.com>
+
+commit f0e2ce58f853634d7ad1a418a49bd5fbd556227c upstream.
+
+Add support to explicity ACK mailbox message
+because after sending message we can know
+the send status via error attribute of brcm_message.
+
+This is needed to support "txdone_ack" supported in
+mailbox controller driver.
+
+Fixes: 9d12ba86f818 ("crypto: brcm - Add Broadcom SPU driver")
+Signed-off-by: Raveendra Padasalagi <raveendra.padasalagi@broadcom.com>
+Reviewed-by: Anup Patel <anup.patel@broadcom.com>
+Reviewed-by: Scott Branden <scott.branden@broadcom.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/bcm/cipher.c | 101 ++++++++++++++++++++------------------------
+ 1 file changed, 46 insertions(+), 55 deletions(-)
+
+--- a/drivers/crypto/bcm/cipher.c
++++ b/drivers/crypto/bcm/cipher.c
+@@ -256,6 +256,44 @@ spu_ablkcipher_tx_sg_create(struct brcm_
+ return 0;
+ }
+
++static int mailbox_send_message(struct brcm_message *mssg, u32 flags,
++ u8 chan_idx)
++{
++ int err;
++ int retry_cnt = 0;
++ struct device *dev = &(iproc_priv.pdev->dev);
++
++ err = mbox_send_message(iproc_priv.mbox[chan_idx], mssg);
++ if (flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
++ while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {
++ /*
++ * Mailbox queue is full. Since MAY_SLEEP is set, assume
++ * not in atomic context and we can wait and try again.
++ */
++ retry_cnt++;
++ usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);
++ err = mbox_send_message(iproc_priv.mbox[chan_idx],
++ mssg);
++ atomic_inc(&iproc_priv.mb_no_spc);
++ }
++ }
++ if (err < 0) {
++ atomic_inc(&iproc_priv.mb_send_fail);
++ return err;
++ }
++
++ /* Check error returned by mailbox controller */
++ err = mssg->error;
++ if (unlikely(err < 0)) {
++ dev_err(dev, "message error %d", err);
++ /* Signal txdone for mailbox channel */
++ }
++
++ /* Signal txdone for mailbox channel */
++ mbox_client_txdone(iproc_priv.mbox[chan_idx], err);
++ return err;
++}
++
+ /**
+ * handle_ablkcipher_req() - Submit as much of a block cipher request as fits in
+ * a single SPU request message, starting at the current position in the request
+@@ -293,7 +331,6 @@ static int handle_ablkcipher_req(struct
+ u32 pad_len; /* total length of all padding */
+ bool update_key = false;
+ struct brcm_message *mssg; /* mailbox message */
+- int retry_cnt = 0;
+
+ /* number of entries in src and dst sg in mailbox message. */
+ u8 rx_frag_num = 2; /* response header and STATUS */
+@@ -462,24 +499,9 @@ static int handle_ablkcipher_req(struct
+ if (err)
+ return err;
+
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
+- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
+- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {
+- /*
+- * Mailbox queue is full. Since MAY_SLEEP is set, assume
+- * not in atomic context and we can wait and try again.
+- */
+- retry_cnt++;
+- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],
+- mssg);
+- atomic_inc(&iproc_priv.mb_no_spc);
+- }
+- }
+- if (unlikely(err < 0)) {
+- atomic_inc(&iproc_priv.mb_send_fail);
++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
++ if (unlikely(err < 0))
+ return err;
+- }
+
+ return -EINPROGRESS;
+ }
+@@ -710,7 +732,6 @@ static int handle_ahash_req(struct iproc
+ u32 spu_hdr_len;
+ unsigned int digestsize;
+ u16 rem = 0;
+- int retry_cnt = 0;
+
+ /*
+ * number of entries in src and dst sg. Always includes SPU msg header.
+@@ -904,24 +925,10 @@ static int handle_ahash_req(struct iproc
+ if (err)
+ return err;
+
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
+- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
+- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {
+- /*
+- * Mailbox queue is full. Since MAY_SLEEP is set, assume
+- * not in atomic context and we can wait and try again.
+- */
+- retry_cnt++;
+- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],
+- mssg);
+- atomic_inc(&iproc_priv.mb_no_spc);
+- }
+- }
+- if (err < 0) {
+- atomic_inc(&iproc_priv.mb_send_fail);
++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
++ if (unlikely(err < 0))
+ return err;
+- }
++
+ return -EINPROGRESS;
+ }
+
+@@ -1320,7 +1327,6 @@ static int handle_aead_req(struct iproc_
+ int assoc_nents = 0;
+ bool incl_icv = false;
+ unsigned int digestsize = ctx->digestsize;
+- int retry_cnt = 0;
+
+ /* number of entries in src and dst sg. Always includes SPU msg header.
+ */
+@@ -1558,24 +1564,9 @@ static int handle_aead_req(struct iproc_
+ if (err)
+ return err;
+
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx], mssg);
+- if (req->base.flags & CRYPTO_TFM_REQ_MAY_SLEEP) {
+- while ((err == -ENOBUFS) && (retry_cnt < SPU_MB_RETRY_MAX)) {
+- /*
+- * Mailbox queue is full. Since MAY_SLEEP is set, assume
+- * not in atomic context and we can wait and try again.
+- */
+- retry_cnt++;
+- usleep_range(MBOX_SLEEP_MIN, MBOX_SLEEP_MAX);
+- err = mbox_send_message(iproc_priv.mbox[rctx->chan_idx],
+- mssg);
+- atomic_inc(&iproc_priv.mb_no_spc);
+- }
+- }
+- if (err < 0) {
+- atomic_inc(&iproc_priv.mb_send_fail);
++ err = mailbox_send_message(mssg, req->base.flags, rctx->chan_idx);
++ if (unlikely(err < 0))
+ return err;
+- }
+
+ return -EINPROGRESS;
+ }
+@@ -4537,7 +4528,7 @@ static int spu_mb_init(struct device *de
+ mcl->dev = dev;
+ mcl->tx_block = false;
+ mcl->tx_tout = 0;
+- mcl->knows_txdone = false;
++ mcl->knows_txdone = true;
+ mcl->rx_callback = spu_rx_callback;
+ mcl->tx_done = NULL;
+
--- /dev/null
+From ccd9888f14a8019c0bbdeeae758aba1f58693712 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 5 Nov 2017 18:30:46 -0800
+Subject: crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit ccd9888f14a8019c0bbdeeae758aba1f58693712 upstream.
+
+The "qat-dh" DH implementation assumes that 'key' and 'g' can be copied
+into a buffer with size 'p_size'. However it was never checked that
+that was actually the case, which most likely allowed users to cause a
+buffer underflow via KEYCTL_DH_COMPUTE.
+
+Fix this by updating crypto_dh_decode_key() to verify this precondition
+for all DH implementations.
+
+Fixes: c9839143ebbf ("crypto: qat - Add DH support")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/dh_helper.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/crypto/dh_helper.c
++++ b/crypto/dh_helper.c
+@@ -83,6 +83,14 @@ int crypto_dh_decode_key(const char *buf
+ if (secret.len != crypto_dh_key_len(params))
+ return -EINVAL;
+
++ /*
++ * Don't permit the buffer for 'key' or 'g' to be larger than 'p', since
++ * some drivers assume otherwise.
++ */
++ if (params->key_size > params->p_size ||
++ params->g_size > params->p_size)
++ return -EINVAL;
++
+ /* Don't allocate memory. Set pointers to data within
+ * the given buffer
+ */
--- /dev/null
+From 199512b1234f09e44d592153ec82b44212b2f0c4 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 5 Nov 2017 18:30:45 -0800
+Subject: crypto: dh - Don't permit 'p' to be 0
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 199512b1234f09e44d592153ec82b44212b2f0c4 upstream.
+
+If 'p' is 0 for the software Diffie-Hellman implementation, then
+dh_max_size() returns 0. In the case of KEYCTL_DH_COMPUTE, this causes
+ZERO_SIZE_PTR to be passed to sg_init_one(), which with
+CONFIG_DEBUG_SG=y triggers the 'BUG_ON(!virt_addr_valid(buf));' in
+sg_set_buf().
+
+Fix this by making crypto_dh_decode_key() reject 0 for 'p'. p=0 makes
+no sense for any DH implementation because 'p' is supposed to be a prime
+number. Moreover, 'mod 0' is not mathematically defined.
+
+Bug report:
+
+ kernel BUG at ./include/linux/scatterlist.h:140!
+ invalid opcode: 0000 [#1] SMP KASAN
+ CPU: 0 PID: 27112 Comm: syz-executor2 Not tainted 4.14.0-rc7-00010-gf5dbb5d0ce32-dirty #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.3-20171021_125229-anatol 04/01/2014
+ task: ffff88006caac0c0 task.stack: ffff88006c7c8000
+ RIP: 0010:sg_set_buf include/linux/scatterlist.h:140 [inline]
+ RIP: 0010:sg_init_one+0x1b3/0x240 lib/scatterlist.c:156
+ RSP: 0018:ffff88006c7cfb08 EFLAGS: 00010216
+ RAX: 0000000000010000 RBX: ffff88006c7cfe30 RCX: 00000000000064ee
+ RDX: ffffffff81cf64c3 RSI: ffffc90000d72000 RDI: ffffffff92e937e0
+ RBP: ffff88006c7cfb30 R08: ffffed000d8f9fab R09: ffff88006c7cfd30
+ R10: 0000000000000005 R11: ffffed000d8f9faa R12: ffff88006c7cfd30
+ R13: 0000000000000000 R14: 0000000000000010 R15: ffff88006c7cfc50
+ FS: 00007fce190fa700(0000) GS:ffff88003ea00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00007fffc6b33db8 CR3: 000000003cf64000 CR4: 00000000000006f0
+ Call Trace:
+ __keyctl_dh_compute+0xa95/0x19b0 security/keys/dh.c:360
+ keyctl_dh_compute+0xac/0x100 security/keys/dh.c:434
+ SYSC_keyctl security/keys/keyctl.c:1745 [inline]
+ SyS_keyctl+0x72/0x2c0 security/keys/keyctl.c:1641
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x4585c9
+ RSP: 002b:00007fce190f9bd8 EFLAGS: 00000216 ORIG_RAX: 00000000000000fa
+ RAX: ffffffffffffffda RBX: 0000000000738020 RCX: 00000000004585c9
+ RDX: 000000002000d000 RSI: 0000000020000ff4 RDI: 0000000000000017
+ RBP: 0000000000000046 R08: 0000000020008000 R09: 0000000000000000
+ R10: 0000000000000000 R11: 0000000000000216 R12: 00007fff6e610cde
+ R13: 00007fff6e610cdf R14: 00007fce190fa700 R15: 0000000000000000
+ Code: 03 0f b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 33 5b 45 89 6c 24 14 41 5c 41 5d 41 5e 41 5f 5d c3 e8 fd 8f 68 ff <0f> 0b e8 f6 8f 68 ff 0f 0b e8 ef 8f 68 ff 0f 0b e8 e8 8f 68 ff 20
+ RIP: sg_set_buf include/linux/scatterlist.h:140 [inline] RSP: ffff88006c7cfb08
+ RIP: sg_init_one+0x1b3/0x240 lib/scatterlist.c:156 RSP: ffff88006c7cfb08
+
+Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/dh_helper.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/crypto/dh_helper.c
++++ b/crypto/dh_helper.c
+@@ -90,6 +90,14 @@ int crypto_dh_decode_key(const char *buf
+ params->p = (void *)(ptr + params->key_size);
+ params->g = (void *)(ptr + params->key_size + params->p_size);
+
++ /*
++ * Don't permit 'p' to be 0. It's not a prime number, and it's subject
++ * to corner cases such as 'mod 0' being undefined or
++ * crypto_kpp_maxsize() returning 0.
++ */
++ if (memchr_inv(params->p, 0, params->p_size) == NULL)
++ return -EINVAL;
++
+ return 0;
+ }
+ EXPORT_SYMBOL_GPL(crypto_dh_decode_key);
--- /dev/null
+From 12d41a023efb01b846457ccdbbcbe2b65a87d530 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Sun, 5 Nov 2017 18:30:44 -0800
+Subject: crypto: dh - Fix double free of ctx->p
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 12d41a023efb01b846457ccdbbcbe2b65a87d530 upstream.
+
+When setting the secret with the software Diffie-Hellman implementation,
+if allocating 'g' failed (e.g. if it was longer than
+MAX_EXTERN_MPI_BITS), then 'p' was freed twice: once immediately, and
+once later when the crypto_kpp tfm was destroyed.
+
+Fix it by using dh_free_ctx() (renamed to dh_clear_ctx()) in the error
+paths, as that correctly sets the pointers to NULL.
+
+KASAN report:
+
+ MPI: mpi too large (32760 bits)
+ ==================================================================
+ BUG: KASAN: use-after-free in mpi_free+0x131/0x170
+ Read of size 4 at addr ffff88006c7cdf90 by task reproduce_doubl/367
+
+ CPU: 1 PID: 367 Comm: reproduce_doubl Not tainted 4.14.0-rc7-00040-g05298abde6fe #7
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ Call Trace:
+ dump_stack+0xb3/0x10b
+ ? mpi_free+0x131/0x170
+ print_address_description+0x79/0x2a0
+ ? mpi_free+0x131/0x170
+ kasan_report+0x236/0x340
+ ? akcipher_register_instance+0x90/0x90
+ __asan_report_load4_noabort+0x14/0x20
+ mpi_free+0x131/0x170
+ ? akcipher_register_instance+0x90/0x90
+ dh_exit_tfm+0x3d/0x140
+ crypto_kpp_exit_tfm+0x52/0x70
+ crypto_destroy_tfm+0xb3/0x250
+ __keyctl_dh_compute+0x640/0xe90
+ ? kasan_slab_free+0x12f/0x180
+ ? dh_data_from_key+0x240/0x240
+ ? key_create_or_update+0x1ee/0xb20
+ ? key_instantiate_and_link+0x440/0x440
+ ? lock_contended+0xee0/0xee0
+ ? kfree+0xcf/0x210
+ ? SyS_add_key+0x268/0x340
+ keyctl_dh_compute+0xb3/0xf1
+ ? __keyctl_dh_compute+0xe90/0xe90
+ ? SyS_add_key+0x26d/0x340
+ ? entry_SYSCALL_64_fastpath+0x5/0xbe
+ ? trace_hardirqs_on_caller+0x3f4/0x560
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+ RIP: 0033:0x43ccf9
+ RSP: 002b:00007ffeeec96158 EFLAGS: 00000246 ORIG_RAX: 00000000000000fa
+ RAX: ffffffffffffffda RBX: 000000000248b9b9 RCX: 000000000043ccf9
+ RDX: 00007ffeeec96170 RSI: 00007ffeeec96160 RDI: 0000000000000017
+ RBP: 0000000000000046 R08: 0000000000000000 R09: 0248b9b9143dc936
+ R10: 0000000000001000 R11: 0000000000000246 R12: 0000000000000000
+ R13: 0000000000409670 R14: 0000000000409700 R15: 0000000000000000
+
+ Allocated by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_kmalloc+0xeb/0x180
+ kmem_cache_alloc_trace+0x114/0x300
+ mpi_alloc+0x4b/0x230
+ mpi_read_raw_data+0xbe/0x360
+ dh_set_secret+0x1dc/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+ Freed by task 367:
+ save_stack_trace+0x16/0x20
+ kasan_slab_free+0xab/0x180
+ kfree+0xb5/0x210
+ mpi_free+0xcb/0x170
+ dh_set_secret+0x2d7/0x460
+ __keyctl_dh_compute+0x623/0xe90
+ keyctl_dh_compute+0xb3/0xf1
+ SyS_keyctl+0x72/0x2c0
+ entry_SYSCALL_64_fastpath+0x1f/0xbe
+
+Fixes: 802c7f1c84e4 ("crypto: dh - Add DH software implementation")
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Reviewed-by: Tudor Ambarus <tudor.ambarus@microchip.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/dh.c | 33 +++++++++++++--------------------
+ 1 file changed, 13 insertions(+), 20 deletions(-)
+
+--- a/crypto/dh.c
++++ b/crypto/dh.c
+@@ -21,19 +21,12 @@ struct dh_ctx {
+ MPI xa;
+ };
+
+-static inline void dh_clear_params(struct dh_ctx *ctx)
++static void dh_clear_ctx(struct dh_ctx *ctx)
+ {
+ mpi_free(ctx->p);
+ mpi_free(ctx->g);
+- ctx->p = NULL;
+- ctx->g = NULL;
+-}
+-
+-static void dh_free_ctx(struct dh_ctx *ctx)
+-{
+- dh_clear_params(ctx);
+ mpi_free(ctx->xa);
+- ctx->xa = NULL;
++ memset(ctx, 0, sizeof(*ctx));
+ }
+
+ /*
+@@ -71,10 +64,8 @@ static int dh_set_params(struct dh_ctx *
+ return -EINVAL;
+
+ ctx->g = mpi_read_raw_data(params->g, params->g_size);
+- if (!ctx->g) {
+- mpi_free(ctx->p);
++ if (!ctx->g)
+ return -EINVAL;
+- }
+
+ return 0;
+ }
+@@ -86,21 +77,23 @@ static int dh_set_secret(struct crypto_k
+ struct dh params;
+
+ /* Free the old MPI key if any */
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+
+ if (crypto_dh_decode_key(buf, len, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ if (dh_set_params(ctx, ¶ms) < 0)
+- return -EINVAL;
++ goto err_clear_ctx;
+
+ ctx->xa = mpi_read_raw_data(params.key, params.key_size);
+- if (!ctx->xa) {
+- dh_clear_params(ctx);
+- return -EINVAL;
+- }
++ if (!ctx->xa)
++ goto err_clear_ctx;
+
+ return 0;
++
++err_clear_ctx:
++ dh_clear_ctx(ctx);
++ return -EINVAL;
+ }
+
+ static int dh_compute_value(struct kpp_request *req)
+@@ -158,7 +151,7 @@ static void dh_exit_tfm(struct crypto_kp
+ {
+ struct dh_ctx *ctx = dh_get_ctx(tfm);
+
+- dh_free_ctx(ctx);
++ dh_clear_ctx(ctx);
+ }
+
+ static struct kpp_alg dh = {
dmaengine-dmatest-warn-user-when-dma-test-times-out.patch
media-imon-fix-null-ptr-deref-in-imon_probe.patch
media-dib0700-fix-invalid-dvb_detach-argument.patch
+crypto-dh-fix-double-free-of-ctx-p.patch
+crypto-dh-don-t-permit-p-to-be-0.patch
+crypto-dh-don-t-permit-key-or-g-size-longer-than-p.patch
+crypto-brcm-explicity-ack-mailbox-message.patch
+usb-early-use-new-usb-product-id-and-strings-for-dbc-device.patch
+usb-usbfs-compute-urb-actual_length-for-isochronous.patch
+usb-add-delay-init-quirk-for-corsair-k70-lux-keyboards.patch
+usb-gadget-f_fs-fix-use-after-free-in-ffs_free_inst.patch
+usb-serial-metro-usb-stop-i-o-after-failed-open.patch
+usb-serial-change-dbc-debug-device-binding-id.patch
+usb-serial-qcserial-add-pid-vid-for-sierra-wireless-em7355-fw-update.patch
+usb-serial-garmin_gps-fix-i-o-after-failed-probe-and-remove.patch
+usb-serial-garmin_gps-fix-memory-leak-on-probe-errors.patch
--- /dev/null
+From a0fea6027f19c62727315aba1a7fae75a9caa842 Mon Sep 17 00:00:00 2001
+From: Bernhard Rosenkraenzer <bernhard.rosenkranzer@linaro.org>
+Date: Fri, 3 Nov 2017 16:46:02 +0100
+Subject: USB: Add delay-init quirk for Corsair K70 LUX keyboards
+
+From: Bernhard Rosenkraenzer <bernhard.rosenkranzer@linaro.org>
+
+commit a0fea6027f19c62727315aba1a7fae75a9caa842 upstream.
+
+Without this patch, K70 LUX keyboards don't work, saying
+usb 3-3: unable to read config index 0 descriptor/all
+usb 3-3: can't read configurations, error -110
+usb usb3-port3: unable to enumerate USB device
+
+Signed-off-by: Bernhard Rosenkraenzer <Bernhard.Rosenkranzer@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/quirks.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -221,6 +221,9 @@ static const struct usb_device_id usb_qu
+ /* Corsair Strafe RGB */
+ { USB_DEVICE(0x1b1c, 0x1b20), .driver_info = USB_QUIRK_DELAY_INIT },
+
++ /* Corsair K70 LUX */
++ { USB_DEVICE(0x1b1c, 0x1b36), .driver_info = USB_QUIRK_DELAY_INIT },
++
+ /* MIDI keyboard WORLDE MINI */
+ { USB_DEVICE(0x1c75, 0x0204), .driver_info =
+ USB_QUIRK_CONFIG_INTF_STRINGS },
--- /dev/null
+From c67678ec78eff9cf1e7e997fe6c37c9fcccfc5b8 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Tue, 7 Nov 2017 10:28:15 +0800
+Subject: USB: early: Use new USB product ID and strings for DbC device
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit c67678ec78eff9cf1e7e997fe6c37c9fcccfc5b8 upstream.
+
+The DbC register set defines an interface for system software
+to specify the vendor id and product id for the debug device.
+These two values will be presented by the debug device in its
+device descriptor idVendor and idProduct fields.
+
+The current used product ID is a place holder. We now have a
+valid one. The description strings are changed accordingly.
+
+This patch should be back-ported to kernels as old as v4.12,
+that contain the commit aeb9dd1de98c ("usb/early: Add driver
+for xhci debug capability").
+
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/early/xhci-dbc.h | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/early/xhci-dbc.h
++++ b/drivers/usb/early/xhci-dbc.h
+@@ -90,8 +90,8 @@ struct xdbc_context {
+
+ #define XDBC_INFO_CONTEXT_SIZE 48
+ #define XDBC_MAX_STRING_LENGTH 64
+-#define XDBC_STRING_MANUFACTURER "Linux"
+-#define XDBC_STRING_PRODUCT "Remote GDB"
++#define XDBC_STRING_MANUFACTURER "Linux Foundation"
++#define XDBC_STRING_PRODUCT "Linux USB GDB Target"
+ #define XDBC_STRING_SERIAL "0001"
+
+ struct xdbc_strings {
+@@ -103,7 +103,7 @@ struct xdbc_strings {
+
+ #define XDBC_PROTOCOL 1 /* GNU Remote Debug Command Set */
+ #define XDBC_VENDOR_ID 0x1d6b /* Linux Foundation 0x1d6b */
+-#define XDBC_PRODUCT_ID 0x0004 /* __le16 idProduct; device 0004 */
++#define XDBC_PRODUCT_ID 0x0011 /* __le16 idProduct; device 0011 */
+ #define XDBC_DEVICE_REV 0x0010 /* 0.10 */
+
+ /*
--- /dev/null
+From cdafb6d8b8da7fde266f79b3287ac221aa841879 Mon Sep 17 00:00:00 2001
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Date: Wed, 8 Nov 2017 10:13:15 -0700
+Subject: usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
+
+From: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+
+commit cdafb6d8b8da7fde266f79b3287ac221aa841879 upstream.
+
+KASAN enabled configuration reports an error
+
+BUG: KASAN: use-after-free in ffs_free_inst+... [usb_f_fs] at addr ...
+Write of size 8 by task ...
+
+This is observed after "ffs-test" is run and interrupted. If after that
+functionfs is unmounted and g_ffs module is unloaded, that use-after-free
+occurs during g_ffs module removal.
+
+Although the report indicates ffs_free_inst() function, the actual
+use-after-free condition occurs in _ffs_free_dev() function, which
+is probably inlined into ffs_free_inst().
+
+This happens due to keeping the ffs_data reference in device structure
+during functionfs unmounting, while ffs_data itself is freed as no longer
+needed. The fix is to clear that reference in ffs_closed() function,
+which is a counterpart of ffs_ready(), where the reference is stored.
+
+Fixes: 3262ad824307 ("usb: gadget: f_fs: Stop ffs_closed NULL pointer dereference")
+Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Acked-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -3677,6 +3677,7 @@ static void ffs_closed(struct ffs_data *
+ goto done;
+
+ ffs_obj->desc_ready = false;
++ ffs_obj->ffs_data = NULL;
+
+ if (test_and_clear_bit(FFS_FL_CALL_CLOSED_CALLBACK, &ffs->flags) &&
+ ffs_obj->ffs_closed_callback)
--- /dev/null
+From 12f28144cf2cf69e1520e238eee7c384719ca44b Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Tue, 7 Nov 2017 10:28:16 +0800
+Subject: USB: serial: Change DbC debug device binding ID
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 12f28144cf2cf69e1520e238eee7c384719ca44b upstream.
+
+The product ID for "Linux USB GDB Target device" has been
+changed. Change the driver binding table accordingly.
+
+This patch should be back-ported to kernels as old as v4.12,
+that contain the commit 57fb47279a04 ("usb/serial: Add DBC
+debug device support to usb_debug").
+
+Cc: Johan Hovold <johan@kernel.org>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/usb_debug.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/usb_debug.c
++++ b/drivers/usb/serial/usb_debug.c
+@@ -34,13 +34,13 @@ static const struct usb_device_id id_tab
+ };
+
+ static const struct usb_device_id dbc_id_table[] = {
+- { USB_DEVICE(0x1d6b, 0x0004) },
++ { USB_DEVICE(0x1d6b, 0x0011) },
+ { },
+ };
+
+ static const struct usb_device_id id_table_combined[] = {
+ { USB_DEVICE(0x0525, 0x127a) },
+- { USB_DEVICE(0x1d6b, 0x0004) },
++ { USB_DEVICE(0x1d6b, 0x0011) },
+ { },
+ };
+ MODULE_DEVICE_TABLE(usb, id_table_combined);
--- /dev/null
+From 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 11 Oct 2017 14:02:57 +0200
+Subject: USB: serial: garmin_gps: fix I/O after failed probe and remove
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 19a565d9af6e0d828bd0d521d3bafd5017f4ce52 upstream.
+
+Make sure to stop any submitted interrupt and bulk-out URBs before
+returning after failed probe and when the port is being unbound to avoid
+later NULL-pointer dereferences in the completion callbacks.
+
+Also fix up the related and broken I/O cancellation on failed open and
+on close. (Note that port->write_urb was never submitted.)
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/garmin_gps.c | 16 +++++++++++++---
+ 1 file changed, 13 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -138,6 +138,7 @@ struct garmin_data {
+ __u8 privpkt[4*6];
+ spinlock_t lock;
+ struct list_head pktlist;
++ struct usb_anchor write_urbs;
+ };
+
+
+@@ -905,7 +906,7 @@ static int garmin_init_session(struct us
+ sizeof(GARMIN_START_SESSION_REQ), 0);
+
+ if (status < 0)
+- break;
++ goto err_kill_urbs;
+ }
+
+ if (status > 0)
+@@ -913,6 +914,12 @@ static int garmin_init_session(struct us
+ }
+
+ return status;
++
++err_kill_urbs:
++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs);
++ usb_kill_urb(port->interrupt_in_urb);
++
++ return status;
+ }
+
+
+@@ -930,7 +937,6 @@ static int garmin_open(struct tty_struct
+ spin_unlock_irqrestore(&garmin_data_p->lock, flags);
+
+ /* shutdown any bulk reads that might be going on */
+- usb_kill_urb(port->write_urb);
+ usb_kill_urb(port->read_urb);
+
+ if (garmin_data_p->state == STATE_RESET)
+@@ -953,7 +959,7 @@ static void garmin_close(struct usb_seri
+
+ /* shutdown our urbs */
+ usb_kill_urb(port->read_urb);
+- usb_kill_urb(port->write_urb);
++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs);
+
+ /* keep reset state so we know that we must start a new session */
+ if (garmin_data_p->state != STATE_RESET)
+@@ -1037,12 +1043,14 @@ static int garmin_write_bulk(struct usb_
+ }
+
+ /* send it down the pipe */
++ usb_anchor_urb(urb, &garmin_data_p->write_urbs);
+ status = usb_submit_urb(urb, GFP_ATOMIC);
+ if (status) {
+ dev_err(&port->dev,
+ "%s - usb_submit_urb(write bulk) failed with status = %d\n",
+ __func__, status);
+ count = status;
++ usb_unanchor_urb(urb);
+ kfree(buffer);
+ }
+
+@@ -1401,6 +1409,7 @@ static int garmin_port_probe(struct usb_
+ garmin_data_p->state = 0;
+ garmin_data_p->flags = 0;
+ garmin_data_p->count = 0;
++ init_usb_anchor(&garmin_data_p->write_urbs);
+ usb_set_serial_port_data(port, garmin_data_p);
+
+ status = garmin_init_session(port);
+@@ -1413,6 +1422,7 @@ static int garmin_port_remove(struct usb
+ {
+ struct garmin_data *garmin_data_p = usb_get_serial_port_data(port);
+
++ usb_kill_anchored_urbs(&garmin_data_p->write_urbs);
+ usb_kill_urb(port->interrupt_in_urb);
+ del_timer_sync(&garmin_data_p->timer);
+ kfree(garmin_data_p);
--- /dev/null
+From 74d471b598444b7f2d964930f7234779c80960a0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 11 Oct 2017 14:02:58 +0200
+Subject: USB: serial: garmin_gps: fix memory leak on probe errors
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 74d471b598444b7f2d964930f7234779c80960a0 upstream.
+
+Make sure to free the port private data before returning after a failed
+probe attempt.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/garmin_gps.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/serial/garmin_gps.c
++++ b/drivers/usb/serial/garmin_gps.c
+@@ -1413,6 +1413,12 @@ static int garmin_port_probe(struct usb_
+ usb_set_serial_port_data(port, garmin_data_p);
+
+ status = garmin_init_session(port);
++ if (status)
++ goto err_free;
++
++ return 0;
++err_free:
++ kfree(garmin_data_p);
+
+ return status;
+ }
--- /dev/null
+From 2339536d229df25c71c0900fc619289229bfecf6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 12 Oct 2017 10:54:21 +0200
+Subject: USB: serial: metro-usb: stop I/O after failed open
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2339536d229df25c71c0900fc619289229bfecf6 upstream.
+
+Make sure to kill the interrupt-in URB after a failed open request.
+Apart from saving power (and avoiding stale input after a later
+successful open), this also prevents a NULL-deref in the completion
+handler if the port is manually unbound.
+
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Fixes: 704577861d5e ("USB: serial: metro-usb: get data from device in Uni-Directional mode.")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/metro-usb.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/metro-usb.c
++++ b/drivers/usb/serial/metro-usb.c
+@@ -189,7 +189,7 @@ static int metrousb_open(struct tty_stru
+ dev_err(&port->dev,
+ "%s - failed submitting interrupt in urb, error code=%d\n",
+ __func__, result);
+- goto exit;
++ return result;
+ }
+
+ /* Send activate cmd to device */
+@@ -198,9 +198,14 @@ static int metrousb_open(struct tty_stru
+ dev_err(&port->dev,
+ "%s - failed to configure device, error code=%d\n",
+ __func__, result);
+- goto exit;
++ goto err_kill_urb;
+ }
+-exit:
++
++ return 0;
++
++err_kill_urb:
++ usb_kill_urb(port->interrupt_in_urb);
++
+ return result;
+ }
+
--- /dev/null
+From 771394a54148f18926ca86414e51c69eda27d0cd Mon Sep 17 00:00:00 2001
+From: Douglas Fischer <douglas.fischer@outlook.com>
+Date: Sun, 29 Oct 2017 23:29:55 +0000
+Subject: USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
+
+From: Douglas Fischer <douglas.fischer@outlook.com>
+
+commit 771394a54148f18926ca86414e51c69eda27d0cd upstream.
+
+Add USB PID/VID for Sierra Wireless EM7355 LTE modem QDL firmware update
+mode.
+
+Signed-off-by: Douglas Fischer <douglas.fischer@outlook.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -148,6 +148,7 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x68a2)}, /* Sierra Wireless MC7710 */
+ {DEVICE_SWI(0x1199, 0x68c0)}, /* Sierra Wireless MC7304/MC7354 */
+ {DEVICE_SWI(0x1199, 0x901c)}, /* Sierra Wireless EM7700 */
++ {DEVICE_SWI(0x1199, 0x901e)}, /* Sierra Wireless EM7355 QDL */
+ {DEVICE_SWI(0x1199, 0x901f)}, /* Sierra Wireless EM7355 */
+ {DEVICE_SWI(0x1199, 0x9040)}, /* Sierra Wireless Modem */
+ {DEVICE_SWI(0x1199, 0x9041)}, /* Sierra Wireless MC7305/MC7355 */
--- /dev/null
+From 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Wed, 8 Nov 2017 12:23:17 -0500
+Subject: USB: usbfs: compute urb->actual_length for isochronous
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit 2ef47001b3ee3ded579b7532ebdcf8680e4d8c54 upstream.
+
+The USB kerneldoc says that the actual_length field "is read in
+non-iso completion functions", but the usbfs driver uses it for all
+URB types in processcompl(). Since not all of the host controller
+drivers set actual_length for isochronous URBs, programs using usbfs
+with some host controllers don't work properly. For example, Minas
+reports that a USB camera controlled by libusb doesn't work properly
+with a dwc2 controller.
+
+It doesn't seem worthwhile to change the HCDs and the documentation,
+since the in-kernel USB class drivers evidently don't rely on
+actual_length for isochronous transfers. The easiest solution is for
+usbfs to calculate the actual_length value for itself, by adding up
+the lengths of the individual packets in an isochronous transfer.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+CC: Minas Harutyunyan <Minas.Harutyunyan@synopsys.com>
+Reported-and-tested-by: wlf <wulf@rock-chips.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/devio.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/usb/core/devio.c
++++ b/drivers/usb/core/devio.c
+@@ -1833,6 +1833,18 @@ static int proc_unlinkurb(struct usb_dev
+ return 0;
+ }
+
++static void compute_isochronous_actual_length(struct urb *urb)
++{
++ unsigned int i;
++
++ if (urb->number_of_packets > 0) {
++ urb->actual_length = 0;
++ for (i = 0; i < urb->number_of_packets; i++)
++ urb->actual_length +=
++ urb->iso_frame_desc[i].actual_length;
++ }
++}
++
+ static int processcompl(struct async *as, void __user * __user *arg)
+ {
+ struct urb *urb = as->urb;
+@@ -1840,6 +1852,7 @@ static int processcompl(struct async *as
+ void __user *addr = as->userurb;
+ unsigned int i;
+
++ compute_isochronous_actual_length(urb);
+ if (as->userbuffer && urb->actual_length) {
+ if (copy_urb_data_to_user(as->userbuffer, urb))
+ goto err_out;
+@@ -2008,6 +2021,7 @@ static int processcompl_compat(struct as
+ void __user *addr = as->userurb;
+ unsigned int i;
+
++ compute_isochronous_actual_length(urb);
+ if (as->userbuffer && urb->actual_length) {
+ if (copy_urb_data_to_user(as->userbuffer, urb))
+ return -EFAULT;
projects / thirdparty / kernel / stable-queue.git / commitdiff
