4.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Mar 2017 16:37:10 +0000 (18:37 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Mar 2017 16:37:10 +0000 (18:37 +0200)
added patches:
acm-gadget-fix-endianness-in-notifications.patch
alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch
alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch
alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch
dvb-usb-firmware-don-t-do-dma-on-stack.patch
hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch
input-alps-fix-trackstick-button-handling-on-v8-devices.patch
input-alps-fix-v8-protocol-handling-73-03-28.patch
input-cm109-validate-number-of-endpoints-before-using-them.patch
input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch
input-hanwang-validate-number-of-endpoints-before-using-them.patch
input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
input-iforce-validate-number-of-endpoints-before-using-them.patch
input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
input-kbtab-validate-number-of-endpoints-before-using-them.patch
input-sur40-validate-number-of-endpoints-before-using-them.patch
input-yealink-validate-number-of-endpoints-before-using-them.patch
mmc-core-fix-access-to-hs400-es-devices.patch
mmc-ushc-fix-null-deref-at-probe.patch
nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch
usb-core-add-linear_frame_intr_binterval-usb-quirk.patch
usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch
usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch
usb-idmouse-fix-null-deref-at-probe.patch
usb-lvtest-fix-null-deref-at-probe.patch
usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch
usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
usb-serial-qcserial-add-dell-dw5811e.patch
usb-usbtmc-add-missing-endpoint-sanity-check.patch
usb-usbtmc-fix-probe-error-path.patch
usb-uss720-fix-null-deref-at-probe.patch
usb-wusbcore-fix-null-deref-at-probe.patch
uwb-hwa-rc-fix-null-deref-at-probe.patch
uwb-i1480-dfu-fix-null-deref-at-probe.patch

35 files changed:
queue-4.10/acm-gadget-fix-endianness-in-notifications.patch [new file with mode: 0644]
queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch [new file with mode: 0644]
queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch [new file with mode: 0644]
queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch [new file with mode: 0644]
queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch [new file with mode: 0644]
queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch [new file with mode: 0644]
queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch [new file with mode: 0644]
queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch [new file with mode: 0644]
queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch [new file with mode: 0644]
queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch [new file with mode: 0644]
queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch [new file with mode: 0644]
queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch [new file with mode: 0644]
queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch [new file with mode: 0644]
queue-4.10/series
queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch [new file with mode: 0644]
queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch [new file with mode: 0644]
queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch [new file with mode: 0644]
queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch [new file with mode: 0644]
queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch [new file with mode: 0644]
queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch [new file with mode: 0644]
queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch [new file with mode: 0644]
queue-4.10/usb-usbtmc-fix-probe-error-path.patch [new file with mode: 0644]
queue-4.10/usb-uss720-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch [new file with mode: 0644]

diff --git a/queue-4.10/acm-gadget-fix-endianness-in-notifications.patch b/queue-4.10/acm-gadget-fix-endianness-in-notifications.patch
new file mode 100644 (file)
index 0000000..f1a7a2b
--- /dev/null
@@ -0,0 +1,43 @@
+From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 14 Mar 2017 12:09:56 +0100
+Subject: ACM gadget: fix endianness in notifications
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream.
+
+The gadget code exports the bitfield for serial status changes
+over the wire in its internal endianness. The fix is to convert
+to little endian before sending it over the wire.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Tested-by: 家瑋 <momo1208@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_acm.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_acm.c
++++ b/drivers/usb/gadget/function/f_acm.c
+@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struc
+ {
+       struct usb_composite_dev *cdev = acm->port.func.config->cdev;
+       int                     status;
++      __le16                  serial_state;
+       spin_lock(&acm->lock);
+       if (acm->notify_req) {
+               dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n",
+                       acm->port_num, acm->serial_state);
++              serial_state = cpu_to_le16(acm->serial_state);
+               status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE,
+-                              0, &acm->serial_state, sizeof(acm->serial_state));
++                              0, &serial_state, sizeof(acm->serial_state));
+       } else {
+               acm->pending = true;
+               status = 0;
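Review bot: In `acm_notify_serial_state()` the buffer handed to `acm_cdc_notify()` is now the local `serial_state`, but the length argument is still `sizeof(acm->serial_state)`, so the pointer and its size are taken from two different objects. They agree only if the struct field is also 16 bits wide, which this hunk does not show. Taking the size from the object actually sent, `0, &serial_state, sizeof(serial_state));`, keeps the two from drifting apart if the field's type ever changes. The function body continues past the end of the hunk.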
diff --git a/queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch b/queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch
new file mode 100644 (file)
index 0000000..a89092d
--- /dev/null
@@ -0,0 +1,36 @@
+From f363a06642f28caaa78cb6446bbad90c73fe183c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Mon, 20 Mar 2017 10:08:19 +0100
+Subject: ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream.
+
+In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit],
+I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while
+cthw20k2.c is OK).  This patch fixes that obvious bug.
+
+(As a side note: although the original commit was completely wrong,
+ it's still working for most of machines, as it sets to 32bit DMA mask
+ in the end.  So the bug severity is low.)
+
+Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit")
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/ctxfi/cthw20k1.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/pci/ctxfi/cthw20k1.c
++++ b/sound/pci/ctxfi/cthw20k1.c
+@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw)
+               return err;
+       /* Set DMA transfer mask */
+-      if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
++      if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) {
+               dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits));
+       } else {
+               dma_set_mask(&pci->dev, DMA_BIT_MASK(32));
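Review bot: The corrected branch in `hw_card_start()` still discards the return values of `dma_set_coherent_mask()` and of the 32-bit fallback `dma_set_mask()`, so as far as the visible lines show, a device on which no mask can be set would carry on as if DMA were configured. Setting both masks in one checked call would close that gap, for example `err = dma_set_mask_and_coherent(&pci->dev, DMA_BIT_MASK(32));` followed by `if (err) return err;` in the fallback path. The `else` branch continues outside the hunk, so any handling that follows it is not visible here.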
diff --git a/queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch b/queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch
new file mode 100644 (file)
index 0000000..ccc363e
--- /dev/null
@@ -0,0 +1,32 @@
+From 3f307834e695f59dac4337a40316bdecfb9d0508 Mon Sep 17 00:00:00 2001
+From: Hui Wang <hui.wang@canonical.com>
+Date: Thu, 23 Mar 2017 10:00:25 +0800
+Subject: ALSA: hda - Adding a group of pin definition to fix headset problem
+
+From: Hui Wang <hui.wang@canonical.com>
+
+commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream.
+
+A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to
+fix the headset problem, and the pin definiton of this machine is not
+in the pin quirk table yet, now adding it to the table.
+
+Signed-off-by: Hui Wang <hui.wang@canonical.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/pci/hda/patch_realtek.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -6058,6 +6058,8 @@ static const struct snd_hda_pin_quirk al
+               ALC295_STANDARD_PINS,
+               {0x17, 0x21014040},
+               {0x18, 0x21a19050}),
++      SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE,
++              ALC295_STANDARD_PINS),
+       SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE,
+               ALC298_STANDARD_PINS,
+               {0x17, 0x90170110}),
diff --git a/queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch b/queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch
new file mode 100644 (file)
index 0000000..b1ee827
--- /dev/null
@@ -0,0 +1,103 @@
+From c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 21 Mar 2017 13:56:04 +0100
+Subject: ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream.
+
+When snd_seq_pool_done() is called, it marks the closing flag to
+refuse the further cell insertions.  But snd_seq_pool_done() itself
+doesn't clear the cells but just waits until all cells are cleared by
+the caller side.  That is, it's racy, and this leads to the endless
+stall as syzkaller spotted.
+
+This patch addresses the racy by splitting the setup of pool->closing
+flag out of snd_seq_pool_done(), and calling it properly before
+snd_seq_pool_done().
+
+BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com
+Reported-and-tested-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_clientmgr.c |    1 +
+ sound/core/seq/seq_fifo.c      |    3 +++
+ sound/core/seq/seq_memory.c    |   17 +++++++++++++----
+ sound/core/seq/seq_memory.h    |    1 +
+ 4 files changed, 18 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_clientmgr.c
++++ b/sound/core/seq/seq_clientmgr.c
+@@ -1832,6 +1832,7 @@ static int snd_seq_ioctl_set_client_pool
+            info->output_pool != client->pool->size)) {
+               if (snd_seq_write_pool_allocated(client)) {
+                       /* remove all existing cells */
++                      snd_seq_pool_mark_closing(client->pool);
+                       snd_seq_queue_client_leave_cells(client->number);
+                       snd_seq_pool_done(client->pool);
+               }
+--- a/sound/core/seq/seq_fifo.c
++++ b/sound/core/seq/seq_fifo.c
+@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_
+               return;
+       *fifo = NULL;
++      if (f->pool)
++              snd_seq_pool_mark_closing(f->pool);
++
+       snd_seq_fifo_clear(f);
+       /* wake up clients if any */
+--- a/sound/core/seq/seq_memory.c
++++ b/sound/core/seq/seq_memory.c
+@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_poo
+       return 0;
+ }
++/* refuse the further insertion to the pool */
++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool)
++{
++      unsigned long flags;
++
++      if (snd_BUG_ON(!pool))
++              return;
++      spin_lock_irqsave(&pool->lock, flags);
++      pool->closing = 1;
++      spin_unlock_irqrestore(&pool->lock, flags);
++}
++
+ /* remove events */
+ int snd_seq_pool_done(struct snd_seq_pool *pool)
+ {
+@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_poo
+               return -EINVAL;
+       /* wait for closing all threads */
+-      spin_lock_irqsave(&pool->lock, flags);
+-      pool->closing = 1;
+-      spin_unlock_irqrestore(&pool->lock, flags);
+-
+       if (waitqueue_active(&pool->output_sleep))
+               wake_up(&pool->output_sleep);
+@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_p
+       *ppool = NULL;
+       if (pool == NULL)
+               return 0;
++      snd_seq_pool_mark_closing(pool);
+       snd_seq_pool_done(pool);
+       kfree(pool);
+       return 0;
+--- a/sound/core/seq/seq_memory.h
++++ b/sound/core/seq/seq_memory.h
+@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(st
+ int snd_seq_pool_init(struct snd_seq_pool *pool);
+ /* done pool - free events */
++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool);
+ int snd_seq_pool_done(struct snd_seq_pool *pool);
+ /* create pool */
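Review bot: `snd_seq_pool_done()` no longer sets `pool->closing` itself, so it now relies on every caller having invoked `snd_seq_pool_mark_closing()` first, and nothing in the new code records that ordering requirement. In seq_memory.h the new prototype was also inserted directly under the existing `/* done pool - free events */` comment, which now sits above the wrong function. I would give the prototype its own comment, `/* mark pool as closing - call before snd_seq_pool_done() */`, and state the same precondition in the comment above `snd_seq_pool_done()` in seq_memory.c. The bodies of `snd_seq_pool_done()` and of the three callers start or end outside the hunks shown, so whether any other caller exists cannot be checked from here.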
diff --git a/queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch b/queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch
new file mode 100644 (file)
index 0000000..fe36dd6
--- /dev/null
@@ -0,0 +1,78 @@
+From 67b0503db9c29b04eadfeede6bebbfe5ddad94ef Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Stefan=20Br=C3=BCns?= <stefan.bruens@rwth-aachen.de>
+Date: Sun, 12 Feb 2017 13:02:13 -0200
+Subject: [media] dvb-usb-firmware: don't do DMA on stack
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+
+commit 67b0503db9c29b04eadfeede6bebbfe5ddad94ef upstream.
+
+The buffer allocation for the firmware data was changed in
+commit 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load")
+but the same applies for the reset value.
+
+Fixes: 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load")
+Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dvb-usb-firmware.c |   22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
++++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c
+@@ -36,16 +36,18 @@ static int usb_cypress_writemem(struct u
+ int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type)
+ {
+       struct hexline *hx;
+-      u8 reset;
+-      int ret,pos=0;
++      u8 *buf;
++      int ret, pos = 0;
++      u16 cpu_cs_register = cypress[type].cpu_cs_register;
+-      hx = kmalloc(sizeof(*hx), GFP_KERNEL);
+-      if (!hx)
++      buf = kmalloc(sizeof(*hx), GFP_KERNEL);
++      if (!buf)
+               return -ENOMEM;
++      hx = (struct hexline *)buf;
+       /* stop the CPU */
+-      reset = 1;
+-      if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1)
++      buf[0] = 1;
++      if (usb_cypress_writemem(udev, cpu_cs_register, buf, 1) != 1)
+               err("could not stop the USB controller CPU.");
+       while ((ret = dvb_usb_get_hexline(fw, hx, &pos)) > 0) {
+@@ -61,21 +63,21 @@ int usb_cypress_load_firmware(struct usb
+       }
+       if (ret < 0) {
+               err("firmware download failed at %d with %d",pos,ret);
+-              kfree(hx);
++              kfree(buf);
+               return ret;
+       }
+       if (ret == 0) {
+               /* restart the CPU */
+-              reset = 0;
+-              if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) {
++              buf[0] = 0;
++              if (usb_cypress_writemem(udev, cpu_cs_register, buf, 1) != 1) {
+                       err("could not restart the USB controller CPU.");
+                       ret = -EINVAL;
+               }
+       } else
+               ret = -EIO;
+-      kfree(hx);
++      kfree(buf);
+       return ret;
+ }
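Review bot: In `usb_cypress_load_firmware()` the single allocation is now reached through two names, `buf` for the one-byte CPU reset value and `hx` for the parsed hexline, so each write to `buf[0]` overwrites the first byte of `*hx`. That looks safe in the visible code, because `hx` is passed to `dvb_usb_get_hexline()` before each use in the loop and is not read again once the CPU is restarted, but the reader has to work this out. A comment at the cast would record it: `/* buf is the DMA-safe scratch byte and also backs hx; hx is refilled before every use */`. Part of the download loop lies between the two inner hunks and is not shown.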
diff --git a/queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch b/queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch
new file mode 100644 (file)
index 0000000..0fbd070
--- /dev/null
@@ -0,0 +1,39 @@
+From a687c5765b5ae19fe559e14615ddc87ebb46d409 Mon Sep 17 00:00:00 2001
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Date: Fri, 24 Feb 2017 16:14:15 -0800
+Subject: HID: sony: Fix input device leak when connecting a DS4 twice using USB/BT
+
+From: Roderick Colenbrander <roderick.colenbrander@sony.com>
+
+commit a687c5765b5ae19fe559e14615ddc87ebb46d409 upstream.
+
+When a user connects a DS4 twice using USB and BT, we reject the
+second device connection after the setup work. We then perform
+a cleanup, but during cleanup we are not removing the touchpad
+device. This leads to leakage of an input device, which we would
+never remove. It can likely result into a kernel oops as well
+when the touchpad evdev node is accessed and the underlaying HID
+device has been removed from the system.
+
+[jkosina@suse.cz: added stable annotation]
+Fixes: ac797b95f532 ("HID: sony: Make the DS4 touchpad a separate device")
+Signed-off-by: Roderick Colenbrander <roderick.colenbrander@sony.com>
+Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hid/hid-sony.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/hid/hid-sony.c
++++ b/drivers/hid/hid-sony.c
+@@ -2632,6 +2632,8 @@ err_stop:
+               sony_leds_remove(sc);
+       if (sc->quirks & SONY_BATTERY_SUPPORT)
+               sony_battery_remove(sc);
++      if (sc->touchpad)
++              sony_unregister_touchpad(sc);
+       sony_cancel_work_sync(sc);
+       kfree(sc->output_report_dmabuf);
+       sony_remove_dev_list(sc);
diff --git a/queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch b/queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch
new file mode 100644 (file)
index 0000000..1a51e7e
--- /dev/null
@@ -0,0 +1,39 @@
+From 47e6fb4212d09f325c0847d05985dd3d71553095 Mon Sep 17 00:00:00 2001
+From: Masaki Ota <masaki.ota@jp.alps.com>
+Date: Fri, 17 Mar 2017 14:19:40 -0700
+Subject: Input: ALPS - fix trackstick button handling on V8 devices
+
+From: Masaki Ota <masaki.ota@jp.alps.com>
+
+commit 47e6fb4212d09f325c0847d05985dd3d71553095 upstream.
+
+Alps stick devices always have physical buttons, so we should not check
+ALPS_BUTTONPAD flag to decide whether we should report them.
+
+Fixes: 4777ac220c43 ("Input: ALPS - add touchstick support for SS5 hardware")
+Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
+Acked-by: Pali Rohar <pali.rohar@gmail.com>
+Tested-by: Paul Donohue <linux-kernel@PaulSD.com>
+Tested-by: Nick Fletcher <nick.m.fletcher@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c |    6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -1282,10 +1282,8 @@ static int alps_decode_ss4_v2(struct alp
+       /* handle buttons */
+       if (pkt_id == SS4_PACKET_ID_STICK) {
+               f->ts_left = !!(SS4_BTN_V2(p) & 0x01);
+-              if (!(priv->flags & ALPS_BUTTONPAD)) {
+-                      f->ts_right = !!(SS4_BTN_V2(p) & 0x02);
+-                      f->ts_middle = !!(SS4_BTN_V2(p) & 0x04);
+-              }
++              f->ts_right = !!(SS4_BTN_V2(p) & 0x02);
++              f->ts_middle = !!(SS4_BTN_V2(p) & 0x04);
+       } else {
+               f->left = !!(SS4_BTN_V2(p) & 0x01);
+               if (!(priv->flags & ALPS_BUTTONPAD)) {
diff --git a/queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch b/queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch
new file mode 100644 (file)
index 0000000..1f65613
--- /dev/null
@@ -0,0 +1,173 @@
+From e7348396c6d51b57c95c6646c390cd078e038e19 Mon Sep 17 00:00:00 2001
+From: Masaki Ota <masaki.ota@jp.alps.com>
+Date: Fri, 17 Mar 2017 14:10:57 -0700
+Subject: Input: ALPS - fix V8+ protocol handling (73 03 28)
+
+From: Masaki Ota <masaki.ota@jp.alps.com>
+
+commit e7348396c6d51b57c95c6646c390cd078e038e19 upstream.
+
+Devices identified as E7="73 03 28" use slightly modified version of V8
+protocol, with lower count per electrode, different offsets, and different
+feature bits in OTP data.
+
+Fixes: aeaa881f9b17 ("Input: ALPS - set DualPoint flag for 74 03 28 devices")
+Signed-off-by: Masaki Ota <masaki.ota@jp.alps.com>
+Acked-by: Pali Rohar <pali.rohar@gmail.com>
+Tested-by: Paul Donohue <linux-kernel@PaulSD.com>
+Tested-by: Nick Fletcher <nick.m.fletcher@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/alps.c |   68 +++++++++++++++++++++++++++++++++------------
+ drivers/input/mouse/alps.h |   11 +++++++
+ 2 files changed, 62 insertions(+), 17 deletions(-)
+
+--- a/drivers/input/mouse/alps.c
++++ b/drivers/input/mouse/alps.c
+@@ -2462,14 +2462,34 @@ static int alps_update_device_area_ss4_v
+       int num_y_electrode;
+       int x_pitch, y_pitch, x_phys, y_phys;
+-      num_x_electrode = SS4_NUMSENSOR_XOFFSET + (otp[1][0] & 0x0F);
+-      num_y_electrode = SS4_NUMSENSOR_YOFFSET + ((otp[1][0] >> 4) & 0x0F);
++      if (IS_SS4PLUS_DEV(priv->dev_id)) {
++              num_x_electrode =
++                      SS4PLUS_NUMSENSOR_XOFFSET + (otp[0][2] & 0x0F);
++              num_y_electrode =
++                      SS4PLUS_NUMSENSOR_YOFFSET + ((otp[0][2] >> 4) & 0x0F);
++
++              priv->x_max =
++                      (num_x_electrode - 1) * SS4PLUS_COUNT_PER_ELECTRODE;
++              priv->y_max =
++                      (num_y_electrode - 1) * SS4PLUS_COUNT_PER_ELECTRODE;
++
++              x_pitch = (otp[0][1] & 0x0F) + SS4PLUS_MIN_PITCH_MM;
++              y_pitch = ((otp[0][1] >> 4) & 0x0F) + SS4PLUS_MIN_PITCH_MM;
++
++      } else {
++              num_x_electrode =
++                      SS4_NUMSENSOR_XOFFSET + (otp[1][0] & 0x0F);
++              num_y_electrode =
++                      SS4_NUMSENSOR_YOFFSET + ((otp[1][0] >> 4) & 0x0F);
++
++              priv->x_max =
++                      (num_x_electrode - 1) * SS4_COUNT_PER_ELECTRODE;
++              priv->y_max =
++                      (num_y_electrode - 1) * SS4_COUNT_PER_ELECTRODE;
+-      priv->x_max = (num_x_electrode - 1) * SS4_COUNT_PER_ELECTRODE;
+-      priv->y_max = (num_y_electrode - 1) * SS4_COUNT_PER_ELECTRODE;
+-
+-      x_pitch = ((otp[1][2] >> 2) & 0x07) + SS4_MIN_PITCH_MM;
+-      y_pitch = ((otp[1][2] >> 5) & 0x07) + SS4_MIN_PITCH_MM;
++              x_pitch = ((otp[1][2] >> 2) & 0x07) + SS4_MIN_PITCH_MM;
++              y_pitch = ((otp[1][2] >> 5) & 0x07) + SS4_MIN_PITCH_MM;
++      }
+       x_phys = x_pitch * (num_x_electrode - 1); /* In 0.1 mm units */
+       y_phys = y_pitch * (num_y_electrode - 1); /* In 0.1 mm units */
+@@ -2485,7 +2505,10 @@ static int alps_update_btn_info_ss4_v2(u
+ {
+       unsigned char is_btnless;
+-      is_btnless = (otp[1][1] >> 3) & 0x01;
++      if (IS_SS4PLUS_DEV(priv->dev_id))
++              is_btnless = (otp[1][0] >> 1) & 0x01;
++      else
++              is_btnless = (otp[1][1] >> 3) & 0x01;
+       if (is_btnless)
+               priv->flags |= ALPS_BUTTONPAD;
+@@ -2493,6 +2516,21 @@ static int alps_update_btn_info_ss4_v2(u
+       return 0;
+ }
++static int alps_update_dual_info_ss4_v2(unsigned char otp[][4],
++                                     struct alps_data *priv)
++{
++      bool is_dual = false;
++
++      if (IS_SS4PLUS_DEV(priv->dev_id))
++              is_dual = (otp[0][0] >> 4) & 0x01;
++
++      if (is_dual)
++              priv->flags |= ALPS_DUALPOINT |
++                                      ALPS_DUALPOINT_WITH_PRESSURE;
++
++      return 0;
++}
++
+ static int alps_set_defaults_ss4_v2(struct psmouse *psmouse,
+                                   struct alps_data *priv)
+ {
+@@ -2508,6 +2546,8 @@ static int alps_set_defaults_ss4_v2(stru
+       alps_update_btn_info_ss4_v2(otp, priv);
++      alps_update_dual_info_ss4_v2(otp, priv);
++
+       return 0;
+ }
+@@ -2753,10 +2793,6 @@ static int alps_set_protocol(struct psmo
+               if (alps_set_defaults_ss4_v2(psmouse, priv))
+                       return -EIO;
+-              if (priv->fw_ver[1] == 0x1)
+-                      priv->flags |= ALPS_DUALPOINT |
+-                                      ALPS_DUALPOINT_WITH_PRESSURE;
+-
+               break;
+       }
+@@ -2827,10 +2863,7 @@ static int alps_identify(struct psmouse
+                          ec[2] >= 0x90 && ec[2] <= 0x9d) {
+                       protocol = &alps_v3_protocol_data;
+               } else if (e7[0] == 0x73 && e7[1] == 0x03 &&
+-                         e7[2] == 0x14 && ec[1] == 0x02) {
+-                      protocol = &alps_v8_protocol_data;
+-              } else if (e7[0] == 0x73 && e7[1] == 0x03 &&
+-                         e7[2] == 0x28 && ec[1] == 0x01) {
++                         (e7[2] == 0x14 || e7[2] == 0x28)) {
+                       protocol = &alps_v8_protocol_data;
+               } else {
+                       psmouse_dbg(psmouse,
+@@ -2840,7 +2873,8 @@ static int alps_identify(struct psmouse
+       }
+       if (priv) {
+-              /* Save the Firmware version */
++              /* Save Device ID and Firmware version */
++              memcpy(priv->dev_id, e7, 3);
+               memcpy(priv->fw_ver, ec, 3);
+               error = alps_set_protocol(psmouse, priv, protocol);
+               if (error)
+--- a/drivers/input/mouse/alps.h
++++ b/drivers/input/mouse/alps.h
+@@ -54,6 +54,16 @@ enum SS4_PACKET_ID {
+ #define SS4_MASK_NORMAL_BUTTONS               0x07
++#define SS4PLUS_COUNT_PER_ELECTRODE   128
++#define SS4PLUS_NUMSENSOR_XOFFSET     16
++#define SS4PLUS_NUMSENSOR_YOFFSET     5
++#define SS4PLUS_MIN_PITCH_MM          37
++
++#define IS_SS4PLUS_DEV(_b)    (((_b[0]) == 0x73) &&   \
++                               ((_b[1]) == 0x03) &&   \
++                               ((_b[2]) == 0x28)              \
++                              )
++
+ #define SS4_IS_IDLE_V2(_b)    (((_b[0]) == 0x18) &&           \
+                                ((_b[1]) == 0x10) &&           \
+                                ((_b[2]) == 0x00) &&           \
+@@ -283,6 +293,7 @@ struct alps_data {
+       int addr_command;
+       u16 proto_version;
+       u8 byte0, mask0;
++      u8 dev_id[3];
+       u8 fw_ver[3];
+       int flags;
+       int x_max;
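Review bot: `IS_SS4PLUS_DEV()` in alps.h writes its subscripts as `(_b[0])`, which puts the parentheses around the whole subscript expression instead of around the macro argument, so an argument that is itself an expression (a cast or pointer arithmetic) would not expand as intended. The neighbouring `SS4_IS_IDLE_V2()` has the same shape, so this follows the file's habit, and the current callers pass plain `priv->dev_id`; still, the new macro is the cheap place to fix it: `#define IS_SS4PLUS_DEV(_b) (((_b)[0] == 0x73) && ((_b)[1] == 0x03) && ((_b)[2] == 0x28))`. A `static inline bool` taking `const u8 *` would additionally give type checking at the three call sites in alps.c.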
diff --git a/queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..e84b104
--- /dev/null
@@ -0,0 +1,34 @@
+From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:35:12 -0700
+Subject: Input: cm109 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/cm109.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/cm109.c
++++ b/drivers/input/misc/cm109.c
+@@ -700,6 +700,10 @@ static int cm109_usb_probe(struct usb_in
+       int error = -ENOMEM;
+       interface = intf->cur_altsetting;
++
++      if (interface->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       endpoint = &interface->endpoint[0].desc;
+       if (!usb_endpoint_is_int_in(endpoint))
diff --git a/queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch b/queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch
new file mode 100644 (file)
index 0000000..da7ddba
--- /dev/null
@@ -0,0 +1,54 @@
+From 92ef6f97a66e580189a41a132d0f8a9f78d6ddce Mon Sep 17 00:00:00 2001
+From: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+Date: Fri, 10 Mar 2017 14:33:09 -0800
+Subject: Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw
+
+From: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+
+commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream.
+
+EeeBook X205TA is yet another ASUS device with a special touchpad
+firmware that needs to be accounted for during initialization, or
+else the touchpad will go into an invalid state upon suspend/resume.
+Adding the appropriate ic_type and product_id check fixes the problem.
+
+Signed-off-by: Matjaz Hegedic <matjaz.hegedic@gmail.com>
+Acked-by: KT Liao <kt.liao@emc.com.tw>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/mouse/elan_i2c_core.c |   20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/input/mouse/elan_i2c_core.c
++++ b/drivers/input/mouse/elan_i2c_core.c
+@@ -218,17 +218,19 @@ static int elan_query_product(struct ela
+ static int elan_check_ASUS_special_fw(struct elan_tp_data *data)
+ {
+-      if (data->ic_type != 0x0E)
+-              return false;
+-
+-      switch (data->product_id) {
+-      case 0x05 ... 0x07:
+-      case 0x09:
+-      case 0x13:
++      if (data->ic_type == 0x0E) {
++              switch (data->product_id) {
++              case 0x05 ... 0x07:
++              case 0x09:
++              case 0x13:
++                      return true;
++              }
++      } else if (data->ic_type == 0x08 && data->product_id == 0x26) {
++              /* ASUS EeeBook X205TA */
+               return true;
+-      default:
+-              return false;
+       }
++
++      return false;
+ }
+ static int __elan_initialize(struct elan_tp_data *data)
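Review bot: `elan_check_ASUS_special_fw()` is declared `static int`, yet every return in the rewritten body is `true` or `false`; the signature should say what the function reports, `static bool elan_check_ASUS_special_fw(struct elan_tp_data *data)`. The inner `switch` also lost its `default:` label in the rewrite, so unmatched product IDs now fall out of the switch silently to the final `return false;`. An explicit `default: break;` would show that this is intended. How the caller uses the result is outside the hunk.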
diff --git a/queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..c97f280
--- /dev/null
@@ -0,0 +1,33 @@
+From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:39:29 -0700
+Subject: Input: hanwang - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ba340d7b83703768ce566f53f857543359aa1b98 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/hanwang.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/hanwang.c
++++ b/drivers/input/tablet/hanwang.c
+@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte
+       int error;
+       int i;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL);
+       input_dev = input_allocate_device();
+       if (!hanwang || !input_dev) {
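Review bot: The added guard in hanwang_probe() only bounds `bNumEndpoints`; nothing in this hunk shows the type or direction of endpoint 0 being validated before it is used, so a device with one endpoint of an unexpected kind would still pass it. The rest of hanwang_probe() is outside the hunk, so this may already be handled there. If it is not, and the driver expects an interrupt-IN endpoint, a check such as `if (!usb_endpoint_is_int_in(&intf->cur_altsetting->endpoint[0].desc)) return -ENODEV;` next to the count check would cover it, as the yealink patch in this queue already does. The same question applies to the iforce hunk (`epirq`/`epout` taken from `endpoint[0]`/`endpoint[1]`), the ims-pcu hunk (`endpoint[0]` passed to `usb_endpoint_maxp()`), and the kbtab and ushc hunks, which likewise show only a count check.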
diff --git a/queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch b/queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
new file mode 100644 (file)
index 0000000..252ab27
--- /dev/null
@@ -0,0 +1,40 @@
+From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 7 Mar 2017 09:31:29 -0800
+Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream.
+
+The aux port does not get detected without noloop quirk, so external PS/2
+mouse cannot work as result.
+
+The PS/2 mouse can work with this quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1591053
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Reviewed-by: Marcos Paulo de Souza <marcos.souza.org@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/serio/i8042-x86ia64io.h |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/input/serio/i8042-x86ia64io.h
++++ b/drivers/input/serio/i8042-x86ia64io.h
+@@ -120,6 +120,13 @@ static const struct dmi_system_id __init
+               },
+       },
+       {
++              /* Dell Embedded Box PC 3000 */
++              .matches = {
++                      DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."),
++                      DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"),
++              },
++      },
++      {
+               /* OQO Model 01 */
+               .matches = {
+                       DMI_MATCH(DMI_SYS_VENDOR, "OQO"),
diff --git a/queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..d93dffa
--- /dev/null
@@ -0,0 +1,33 @@
+From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:34:02 -0700
+Subject: Input: iforce - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/iforce/iforce-usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/joystick/iforce/iforce-usb.c
++++ b/drivers/input/joystick/iforce/iforce-usb.c
+@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i
+       interface = intf->cur_altsetting;
++      if (interface->desc.bNumEndpoints < 2)
++              return -ENODEV;
++
+       epirq = &interface->endpoint[0].desc;
+       epout = &interface->endpoint[1].desc;
diff --git a/queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..725bacf
--- /dev/null
@@ -0,0 +1,34 @@
+From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:36:13 -0700
+Subject: Input: ims-pcu - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack control-interface endpoints.
+
+Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/ims-pcu.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/ims-pcu.c
++++ b/drivers/input/misc/ims-pcu.c
+@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct
+               return -EINVAL;
+       alt = pcu->ctrl_intf->cur_altsetting;
++
++      if (alt->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       pcu->ep_ctrl = &alt->endpoint[0].desc;
+       pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl);
diff --git a/queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..35c645a
--- /dev/null
@@ -0,0 +1,32 @@
+From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:41:55 -0700
+Subject: Input: kbtab - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit cb1b494663e037253337623bf1ef2df727883cb7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/tablet/kbtab.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/tablet/kbtab.c
++++ b/drivers/input/tablet/kbtab.c
+@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf
+       struct input_dev *input_dev;
+       int error = -ENOMEM;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL);
+       input_dev = input_allocate_device();
+       if (!kbtab || !input_dev)
diff --git a/queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..aabed37
--- /dev/null
@@ -0,0 +1,34 @@
+From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:43:09 -0700
+Subject: Input: sur40 - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 92461f5d723037530c1f36cce93640770037812c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory that lie beyond the end of the endpoint
+array should a malicious device lack the expected endpoints.
+
+Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/sur40.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/touchscreen/sur40.c
++++ b/drivers/input/touchscreen/sur40.c
+@@ -527,6 +527,9 @@ static int sur40_probe(struct usb_interf
+       if (iface_desc->desc.bInterfaceClass != 0xFF)
+               return -ENODEV;
++      if (iface_desc->desc.bNumEndpoints < 5)
++              return -ENODEV;
++
+       /* Use endpoint #4 (0x86). */
+       endpoint = &iface_desc->endpoint[4].desc;
+       if (endpoint->bEndpointAddress != TOUCH_ENDPOINT)
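Review bot: The literal `5` in the new `bNumEndpoints` check is silently coupled to the index in `endpoint[4]` two lines below, so changing one without the other would reopen the out-of-bounds read this patch closes. Deriving the bound from a named index keeps them in step, for example `if (iface_desc->desc.bNumEndpoints < TOUCH_EP_INDEX + 1)` with `endpoint[TOUCH_EP_INDEX]` (the constant name is only a suggestion). sur40_probe() starts and continues outside this hunk.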
diff --git a/queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch
new file mode 100644 (file)
index 0000000..ed8a654
--- /dev/null
@@ -0,0 +1,34 @@
+From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 16 Mar 2017 11:37:01 -0700
+Subject: Input: yealink - validate number of endpoints before using them
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/yealink.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/input/misc/yealink.c
++++ b/drivers/input/misc/yealink.c
+@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac
+       int ret, pipe, i;
+       interface = intf->cur_altsetting;
++
++      if (interface->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       endpoint = &interface->endpoint[0].desc;
+       if (!usb_endpoint_is_int_in(endpoint))
+               return -ENODEV;
diff --git a/queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch b/queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch
new file mode 100644 (file)
index 0000000..bd3c17b
--- /dev/null
@@ -0,0 +1,46 @@
+From 773dc118756b1f38766063e90e582016be868f09 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 1 Mar 2017 14:11:47 -0800
+Subject: mmc: core: Fix access to HS400-ES devices
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 773dc118756b1f38766063e90e582016be868f09 upstream.
+
+HS400-ES devices fail to initialize with the following error messages.
+
+mmc1: power class selection to bus width 8 ddr 0 failed
+mmc1: error -110 whilst initialising MMC card
+
+This was seen on Samsung Chromebook Plus. Code analysis points to
+commit 3d4ef329757c ("mmc: core: fix multi-bit bus width without
+high-speed mode"), which attempts to set the bus width for all but
+HS200 devices unconditionally. However, for HS400-ES, the bus width
+is already selected.
+
+Cc: Anssi Hannula <anssi.hannula@bitwise.fi>
+Cc: Douglas Anderson <dianders@chromium.org>
+Cc: Brian Norris <briannorris@chromium.org>
+Fixes: 3d4ef329757c ("mmc: core: fix multi-bit bus width ...")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Douglas Anderson <dianders@chromium.org>
+Reviewed-by: Shawn Lin <shawn.lin@rock-chip.com>
+Tested-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/core/mmc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/core/mmc.c
++++ b/drivers/mmc/core/mmc.c
+@@ -1706,7 +1706,7 @@ static int mmc_init_card(struct mmc_host
+               err = mmc_select_hs400(card);
+               if (err)
+                       goto free_card;
+-      } else {
++      } else if (!mmc_card_hs400es(card)) {
+               /* Select the desired bus width optionally */
+               err = mmc_select_bus_width(card);
+               if (err > 0 && mmc_card_hs(card)) {
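Review bot: The new `else if (!mmc_card_hs400es(card))` condition carries no explanation, and the existing comment `/* Select the desired bus width optionally */` inside the branch does not say why HS400-ES cards are excluded. A short comment on the branch, such as `/* HS400-ES: bus width was already selected, do not set it again */`, would record the reason given in the commit message. mmc_init_card() starts and ends outside this hunk.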
diff --git a/queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch b/queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..ca5b219
--- /dev/null
@@ -0,0 +1,34 @@
+From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:40:22 +0100
+Subject: mmc: ushc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver")
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/ushc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mmc/host/ushc.c
++++ b/drivers/mmc/host/ushc.c
+@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa
+       struct ushc_data *ushc;
+       int ret;
++      if (intf->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev);
+       if (mmc == NULL)
+               return -ENOMEM;
diff --git a/queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch b/queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch
new file mode 100644 (file)
index 0000000..158f6eb
--- /dev/null
@@ -0,0 +1,361 @@
+From ea90e0dc8cecba6359b481e24d9c37160f6f524f Mon Sep 17 00:00:00 2001
+From: Johannes Berg <johannes.berg@intel.com>
+Date: Wed, 15 Mar 2017 14:26:04 +0100
+Subject: nl80211: fix dumpit error path RTNL deadlocks
+
+From: Johannes Berg <johannes.berg@intel.com>
+
+commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream.
+
+Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out
+to be perfectly accurate - there are various error paths that miss unlock
+of the RTNL.
+
+To fix those, change the locking a bit to not be conditional in all those
+nl80211_prepare_*_dump() functions, but make those require the RTNL to
+start with, and fix the buggy error paths. This also let me use sparse
+(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to
+validate the changes.
+
+Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/nl80211.c |  127 +++++++++++++++++++++----------------------------
+ 1 file changed, 56 insertions(+), 71 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -540,22 +540,18 @@ static int nl80211_prepare_wdev_dump(str
+ {
+       int err;
+-      rtnl_lock();
+-
+       if (!cb->args[0]) {
+               err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
+                                 genl_family_attrbuf(&nl80211_fam),
+                                 nl80211_fam.maxattr, nl80211_policy);
+               if (err)
+-                      goto out_unlock;
++                      return err;
+               *wdev = __cfg80211_wdev_from_attrs(
+                                       sock_net(skb->sk),
+                                       genl_family_attrbuf(&nl80211_fam));
+-              if (IS_ERR(*wdev)) {
+-                      err = PTR_ERR(*wdev);
+-                      goto out_unlock;
+-              }
++              if (IS_ERR(*wdev))
++                      return PTR_ERR(*wdev);
+               *rdev = wiphy_to_rdev((*wdev)->wiphy);
+               /* 0 is the first index - add 1 to parse only once */
+               cb->args[0] = (*rdev)->wiphy_idx + 1;
+@@ -565,10 +561,8 @@ static int nl80211_prepare_wdev_dump(str
+               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
+               struct wireless_dev *tmp;
+-              if (!wiphy) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!wiphy)
++                      return -ENODEV;
+               *rdev = wiphy_to_rdev(wiphy);
+               *wdev = NULL;
+@@ -579,21 +573,11 @@ static int nl80211_prepare_wdev_dump(str
+                       }
+               }
+-              if (!*wdev) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!*wdev)
++                      return -ENODEV;
+       }
+       return 0;
+- out_unlock:
+-      rtnl_unlock();
+-      return err;
+-}
+-
+-static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev)
+-{
+-      rtnl_unlock();
+ }
+ /* IE validation */
+@@ -2599,17 +2583,17 @@ static int nl80211_dump_interface(struct
+       int filter_wiphy = -1;
+       struct cfg80211_registered_device *rdev;
+       struct wireless_dev *wdev;
++      int ret;
+       rtnl_lock();
+       if (!cb->args[2]) {
+               struct nl80211_dump_wiphy_state state = {
+                       .filter_wiphy = -1,
+               };
+-              int ret;
+               ret = nl80211_dump_wiphy_parse(skb, cb, &state);
+               if (ret)
+-                      return ret;
++                      goto out_unlock;
+               filter_wiphy = state.filter_wiphy;
+@@ -2654,12 +2638,14 @@ static int nl80211_dump_interface(struct
+               wp_idx++;
+       }
+  out:
+-      rtnl_unlock();
+-
+       cb->args[0] = wp_idx;
+       cb->args[1] = if_idx;
+-      return skb->len;
++      ret = skb->len;
++ out_unlock:
++      rtnl_unlock();
++
++      return ret;
+ }
+ static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info)
+@@ -4398,9 +4384,10 @@ static int nl80211_dump_station(struct s
+       int sta_idx = cb->args[2];
+       int err;
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+       if (!wdev->netdev) {
+               err = -EINVAL;
+@@ -4435,7 +4422,7 @@ static int nl80211_dump_station(struct s
+       cb->args[2] = sta_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return err;
+ }
+@@ -5221,9 +5208,10 @@ static int nl80211_dump_mpath(struct sk_
+       int path_idx = cb->args[2];
+       int err;
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+       if (!rdev->ops->dump_mpath) {
+               err = -EOPNOTSUPP;
+@@ -5256,7 +5244,7 @@ static int nl80211_dump_mpath(struct sk_
+       cb->args[2] = path_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return err;
+ }
+@@ -5416,9 +5404,10 @@ static int nl80211_dump_mpp(struct sk_bu
+       int path_idx = cb->args[2];
+       int err;
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out_err;
+       if (!rdev->ops->dump_mpp) {
+               err = -EOPNOTSUPP;
+@@ -5451,7 +5440,7 @@ static int nl80211_dump_mpp(struct sk_bu
+       cb->args[2] = path_idx;
+       err = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return err;
+ }
+@@ -7596,9 +7585,12 @@ static int nl80211_dump_scan(struct sk_b
+       int start = cb->args[2], idx = 0;
+       int err;
++      rtnl_lock();
+       err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+-      if (err)
++      if (err) {
++              rtnl_unlock();
+               return err;
++      }
+       wdev_lock(wdev);
+       spin_lock_bh(&rdev->bss_lock);
+@@ -7621,7 +7613,7 @@ static int nl80211_dump_scan(struct sk_b
+       wdev_unlock(wdev);
+       cb->args[2] = idx;
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return skb->len;
+ }
+@@ -7706,9 +7698,10 @@ static int nl80211_dump_survey(struct sk
+       int res;
+       bool radio_stats;
++      rtnl_lock();
+       res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev);
+       if (res)
+-              return res;
++              goto out_err;
+       /* prepare_wdev_dump parsed the attributes */
+       radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS];
+@@ -7749,7 +7742,7 @@ static int nl80211_dump_survey(struct sk
+       cb->args[2] = survey_idx;
+       res = skb->len;
+  out_err:
+-      nl80211_finish_wdev_dump(rdev);
++      rtnl_unlock();
+       return res;
+ }
+@@ -11378,17 +11371,13 @@ static int nl80211_prepare_vendor_dump(s
+       void *data = NULL;
+       unsigned int data_len = 0;
+-      rtnl_lock();
+-
+       if (cb->args[0]) {
+               /* subtract the 1 again here */
+               struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1);
+               struct wireless_dev *tmp;
+-              if (!wiphy) {
+-                      err = -ENODEV;
+-                      goto out_unlock;
+-              }
++              if (!wiphy)
++                      return -ENODEV;
+               *rdev = wiphy_to_rdev(wiphy);
+               *wdev = NULL;
+@@ -11408,23 +11397,19 @@ static int nl80211_prepare_vendor_dump(s
+       err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize,
+                         attrbuf, nl80211_fam.maxattr, nl80211_policy);
+       if (err)
+-              goto out_unlock;
++              return err;
+       if (!attrbuf[NL80211_ATTR_VENDOR_ID] ||
+-          !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) {
+-              err = -EINVAL;
+-              goto out_unlock;
+-      }
++          !attrbuf[NL80211_ATTR_VENDOR_SUBCMD])
++              return -EINVAL;
+       *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf);
+       if (IS_ERR(*wdev))
+               *wdev = NULL;
+       *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf);
+-      if (IS_ERR(*rdev)) {
+-              err = PTR_ERR(*rdev);
+-              goto out_unlock;
+-      }
++      if (IS_ERR(*rdev))
++              return PTR_ERR(*rdev);
+       vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]);
+       subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]);
+@@ -11437,19 +11422,15 @@ static int nl80211_prepare_vendor_dump(s
+               if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd)
+                       continue;
+-              if (!vcmd->dumpit) {
+-                      err = -EOPNOTSUPP;
+-                      goto out_unlock;
+-              }
++              if (!vcmd->dumpit)
++                      return -EOPNOTSUPP;
+               vcmd_idx = i;
+               break;
+       }
+-      if (vcmd_idx < 0) {
+-              err = -EOPNOTSUPP;
+-              goto out_unlock;
+-      }
++      if (vcmd_idx < 0)
++              return -EOPNOTSUPP;
+       if (attrbuf[NL80211_ATTR_VENDOR_DATA]) {
+               data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]);
+@@ -11466,9 +11447,6 @@ static int nl80211_prepare_vendor_dump(s
+       /* keep rtnl locked in successful case */
+       return 0;
+- out_unlock:
+-      rtnl_unlock();
+-      return err;
+ }
+ static int nl80211_vendor_cmd_dump(struct sk_buff *skb,
+@@ -11483,9 +11461,10 @@ static int nl80211_vendor_cmd_dump(struc
+       int err;
+       struct nlattr *vendor_data;
++      rtnl_lock();
+       err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev);
+       if (err)
+-              return err;
++              goto out;
+       vcmd_idx = cb->args[2];
+       data = (void *)cb->args[3];
+@@ -11494,15 +11473,21 @@ static int nl80211_vendor_cmd_dump(struc
+       if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV |
+                          WIPHY_VENDOR_CMD_NEED_NETDEV)) {
+-              if (!wdev)
+-                      return -EINVAL;
++              if (!wdev) {
++                      err = -EINVAL;
++                      goto out;
++              }
+               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV &&
+-                  !wdev->netdev)
+-                      return -EINVAL;
++                  !wdev->netdev) {
++                      err = -EINVAL;
++                      goto out;
++              }
+               if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) {
+-                      if (!wdev_running(wdev))
+-                              return -ENETDOWN;
++                      if (!wdev_running(wdev)) {
++                              err = -ENETDOWN;
++                              goto out;
++                      }
+               }
+       }
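Review bot: nl80211_prepare_wdev_dump() and nl80211_prepare_vendor_dump() now depend on every caller holding the RTNL, but nothing in the new code states or checks that contract. An `ASSERT_RTNL();` at the top of both helpers would make a missed `rtnl_lock()` in a future dump handler show up immediately rather than as an unlocked walk of the wiphy and wdev lists. The retained context comment `/* keep rtnl locked in successful case */` in nl80211_prepare_vendor_dump() no longer describes the function, which neither takes nor drops the lock after this change; `/* caller holds the RTNL and releases it */` would be accurate. Both helpers extend beyond the hunks shown.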
index d1fb48b27de177c7a5420176c4e30347f49924a8..9f47770f4856d3321368d5215982467f582546e0 100644 (file)
@@ -22,3 +22,37 @@ genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch
 tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch
 amd-xgbe-fix-the-ecc-related-bit-position-definitions.patch
 net-solve-a-napi-race.patch
+hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch
+input-alps-fix-v8-protocol-handling-73-03-28.patch
+input-alps-fix-trackstick-button-handling-on-v8-devices.patch
+input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch
+input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch
+input-iforce-validate-number-of-endpoints-before-using-them.patch
+input-ims-pcu-validate-number-of-endpoints-before-using-them.patch
+input-hanwang-validate-number-of-endpoints-before-using-them.patch
+input-yealink-validate-number-of-endpoints-before-using-them.patch
+input-cm109-validate-number-of-endpoints-before-using-them.patch
+input-kbtab-validate-number-of-endpoints-before-using-them.patch
+input-sur40-validate-number-of-endpoints-before-using-them.patch
+alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch
+alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch
+alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch
+usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
+usb-serial-qcserial-add-dell-dw5811e.patch
+acm-gadget-fix-endianness-in-notifications.patch
+usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch
+dvb-usb-firmware-don-t-do-dma-on-stack.patch
+usb-core-add-linear_frame_intr_binterval-usb-quirk.patch
+usb-uss720-fix-null-deref-at-probe.patch
+usb-lvtest-fix-null-deref-at-probe.patch
+usb-idmouse-fix-null-deref-at-probe.patch
+usb-wusbcore-fix-null-deref-at-probe.patch
+usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch
+usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch
+usb-usbtmc-add-missing-endpoint-sanity-check.patch
+usb-usbtmc-fix-probe-error-path.patch
+uwb-i1480-dfu-fix-null-deref-at-probe.patch
+uwb-hwa-rc-fix-null-deref-at-probe.patch
+mmc-ushc-fix-null-deref-at-probe.patch
+nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch
+mmc-core-fix-access-to-hs400-es-devices.patch
diff --git a/queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch b/queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch
new file mode 100644 (file)
index 0000000..c0d901b
--- /dev/null
@@ -0,0 +1,83 @@
+From 3243367b209faed5c320a4e5f9a565ee2a2ba958 Mon Sep 17 00:00:00 2001
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Date: Mon, 13 Mar 2017 20:50:08 +0100
+Subject: usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk
+
+From: Samuel Thibault <samuel.thibault@ens-lyon.org>
+
+commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream.
+
+Some USB 2.0 devices erroneously report millisecond values in
+bInterval. The generic config code manages to catch most of them,
+but in some cases it's not completely enough.
+
+The case at stake here is a USB 2.0 braille device, which wants to
+announce 10ms and thus sets bInterval to 10, but with the USB 2.0
+computation that yields to 64ms.  It happens that one can type fast
+enough to reach this interval and get the device buffers overflown,
+leading to problematic latencies.  The generic config code does not
+catch this case because the 64ms is considered a sane enough value.
+
+This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk
+to mark devices which actually report milliseconds in bInterval,
+and marks Vario Ultra devices as needing it.
+
+Signed-off-by: Samuel Thibault <samuel.thibault@ens-lyon.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/config.c  |   10 ++++++++++
+ drivers/usb/core/quirks.c  |    8 ++++++++
+ include/linux/usb/quirks.h |    6 ++++++
+ 3 files changed, 24 insertions(+)
+
+--- a/drivers/usb/core/config.c
++++ b/drivers/usb/core/config.c
+@@ -280,6 +280,16 @@ static int usb_parse_endpoint(struct dev
+                       /*
+                        * Adjust bInterval for quirked devices.
++                       */
++                      /*
++                       * This quirk fixes bIntervals reported in ms.
++                       */
++                      if (to_usb_device(ddev)->quirks &
++                              USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) {
++                              n = clamp(fls(d->bInterval) + 3, i, j);
++                              i = j = n;
++                      }
++                      /*
+                        * This quirk fixes bIntervals reported in
+                        * linear microframes.
+                        */
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -170,6 +170,14 @@ static const struct usb_device_id usb_qu
+       /* M-Systems Flash Disk Pioneers */
+       { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME },
++      /* Baum Vario Ultra */
++      { USB_DEVICE(0x0904, 0x6101), .driver_info =
++                      USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++      { USB_DEVICE(0x0904, 0x6102), .driver_info =
++                      USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++      { USB_DEVICE(0x0904, 0x6103), .driver_info =
++                      USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL },
++
+       /* Keytouch QWERTY Panel keyboard */
+       { USB_DEVICE(0x0926, 0x3333), .driver_info =
+                       USB_QUIRK_CONFIG_INTF_STRINGS },
+--- a/include/linux/usb/quirks.h
++++ b/include/linux/usb/quirks.h
+@@ -50,4 +50,10 @@
+ /* device can't handle Link Power Management */
+ #define USB_QUIRK_NO_LPM                      BIT(10)
++/*
++ * Device reports its bInterval as linear frames instead of the
++ * USB 2.0 calculation.
++ */
++#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11)
++
+ #endif /* __LINUX_USB_QUIRKS_H */
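Review bot: In the config.c hunk the `+ 3` in `n = clamp(fls(d->bInterval) + 3, i, j);` is unexplained; the comment above it only says the quirk fixes bIntervals reported in ms. A comment such as `/* 1 ms = 8 microframes (2^3); fls() rounds the ms value down to a power of two */` would let a reader check the conversion, including the fact that a reported 10 becomes 8 ms rather than 10 ms. The new quirks.h comment calls the unit "linear frames" while the commit message and the config.c comment say milliseconds, and using one term in both places would avoid confusion with the neighbouring linear-microframes quirk. usb_parse_endpoint() continues outside the hunk.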
diff --git a/queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch b/queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch
new file mode 100644 (file)
index 0000000..bba2c7b
--- /dev/null
@@ -0,0 +1,39 @@
+From 09424c50b7dff40cb30011c09114404a4656e023 Mon Sep 17 00:00:00 2001
+From: Roger Quadros <rogerq@ti.com>
+Date: Wed, 8 Mar 2017 16:05:43 +0200
+Subject: usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval
+
+From: Roger Quadros <rogerq@ti.com>
+
+commit 09424c50b7dff40cb30011c09114404a4656e023 upstream.
+
+The streaming_maxburst module parameter is 0 offset (0..15)
+so we must add 1 while using it for wBytesPerInterval
+calculation for the SuperSpeed companion descriptor.
+
+Without this host uvcvideo driver will always see the wrong
+wBytesPerInterval for SuperSpeed uvc gadget and may not find
+a suitable video interface endpoint.
+e.g. for streaming_maxburst = 0 case it will always
+fail as wBytePerInterval was evaluating to 0.
+
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Signed-off-by: Roger Quadros <rogerq@ti.com>
+Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_uvc.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/gadget/function/f_uvc.c
++++ b/drivers/usb/gadget/function/f_uvc.c
+@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configurati
+       uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst;
+       uvc_ss_streaming_comp.wBytesPerInterval =
+               cpu_to_le16(max_packet_size * max_packet_mult *
+-                          opts->streaming_maxburst);
++                          (opts->streaming_maxburst + 1));
+       /* Allocate endpoints. */
+       ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep);
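Review bot: The two assignments in this hunk treat `opts->streaming_maxburst` differently, with `bMaxBurst` taking the raw value and `wBytesPerInterval` using `+ 1`, and nothing in the code says why. A one-line comment above the computation would stop a later edit from "fixing" the asymmetry, for example `/* streaming_maxburst is zero-based (0..15); the burst count is value + 1 */`. The product is also narrowed to 16 bits by `cpu_to_le16()`. The three factors are presumably clamped earlier in uvc_function_bind(), outside this hunk, which is worth confirming so the host never sees a truncated value.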
diff --git a/queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch b/queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch
new file mode 100644 (file)
index 0000000..4061efd
--- /dev/null
@@ -0,0 +1,73 @@
+From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 8 Mar 2017 10:19:36 -0800
+Subject: usb: hub: Fix crash after failure to read BOS descriptor
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream.
+
+If usb_get_bos_descriptor() returns an error, usb->bos will be NULL.
+Nevertheless, it is dereferenced unconditionally in
+hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set.
+This results in a crash.
+
+usb 5-1: unable to get BOS descriptor
+...
+Unable to handle kernel NULL pointer dereference at virtual address 00000008
+pgd = ffffffc00165f000
+[00000008] *pgd=000000000174f003, *pud=000000000174f003,
+               *pmd=0000000001750003, *pte=00e8000001751713
+Internal error: Oops: 96000005 [#1] PREEMPT SMP
+Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ]
+CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G    B 4.4.52 #480
+Hardware name: Google Kevin (DT)
+Workqueue: events driver_set_config_work
+task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000
+PC is at hub_port_init+0xc3c/0xd10
+LR is at hub_port_init+0xc3c/0xd10
+...
+Call trace:
+[<ffffffc0007fbbfc>] hub_port_init+0xc3c/0xd10
+[<ffffffc0007fbe2c>] usb_reset_and_verify_device+0x15c/0x82c
+[<ffffffc0007fc5e0>] usb_reset_device+0xe4/0x298
+[<ffffffbffc0e3fcc>] rtl8152_probe+0x84/0x9b0 [r8152]
+[<ffffffc00080ca8c>] usb_probe_interface+0x244/0x2f8
+[<ffffffc000774a24>] driver_probe_device+0x180/0x3b4
+[<ffffffc000774e48>] __device_attach_driver+0xb4/0xe0
+[<ffffffc000772168>] bus_for_each_drv+0xb4/0xe4
+[<ffffffc0007747ec>] __device_attach+0xd0/0x158
+[<ffffffc000775080>] device_initial_probe+0x24/0x30
+[<ffffffc0007739d4>] bus_probe_device+0x50/0xe4
+[<ffffffc000770bd0>] device_add+0x414/0x738
+[<ffffffc000809fe8>] usb_set_configuration+0x89c/0x914
+[<ffffffc00080a120>] driver_set_config_work+0xc0/0xf0
+[<ffffffc000249bb8>] process_one_work+0x390/0x6b8
+[<ffffffc00024abcc>] worker_thread+0x480/0x610
+[<ffffffc000251a80>] kthread+0x164/0x178
+[<ffffffc0002045d0>] ret_from_fork+0x10/0x40
+
+Since we don't know anything about LPM capabilities without BOS descriptor,
+don't attempt to enable LPM if it is not available.
+
+Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...")
+Cc: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Acked-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4275,7 +4275,7 @@ static void hub_set_initial_usb2_lpm_pol
+       struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent);
+       int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN;
+-      if (!udev->usb2_hw_lpm_capable)
++      if (!udev->usb2_hw_lpm_capable || !udev->bos)
+               return;
+       if (hub)
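Review bot: The added `!udev->bos` test covers only the top-level pointer, while the quoted oops faults at offset 8, which suggests the code after this hunk reads a member of the BOS structure and may then follow it. If that member is a sub-descriptor pointer such as `udev->bos->ext_cap` (not visible here), it would presumably be set only when the device returns that capability. In that case it wants the same guard, e.g. `if (!udev->usb2_hw_lpm_capable || !udev->bos || !udev->bos->ext_cap)`. The rest of hub_set_initial_usb2_lpm_policy() is outside the hunk, so this needs checking against the full function.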
diff --git a/queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch b/queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..93dc6ec
--- /dev/null
@@ -0,0 +1,32 @@
+From b0addd3fa6bcd119be9428996d5d4522479ab240 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:48 +0100
+Subject: USB: idmouse: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/idmouse.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_inte
+       if (iface_desc->desc.bInterfaceClass != 0x0A)
+               return -ENODEV;
++      if (iface_desc->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       /* allocate memory for our device state and initialize it */
+       dev = kzalloc(sizeof(*dev), GFP_KERNEL);
+       if (dev == NULL)
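Review bot: The new `bNumEndpoints < 1` test guarantees only that `endpoint[0]` exists, not that it is the kind of endpoint the driver expects. The descriptors come from the device, so the endpoint's type and direction are as untrusted as the count. Whether idmouse_probe() goes on to verify them (e.g. with `usb_endpoint_is_bulk_in()` or whichever type the driver needs) is outside the hunk and should be confirmed. The same question applies to the count-only checks added by the lvstest, uss720, wa-hc and hwa-rc patches further down.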
diff --git a/queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch b/queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..a901f4d
--- /dev/null
@@ -0,0 +1,36 @@
+From 1dc56c52d2484be09c7398a5207d6b11a4256be9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:49 +0100
+Subject: USB: lvtest: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should the probed device lack endpoints.
+
+Note that this driver does not bind to any devices by default.
+
+Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver")
+Cc: Pratyush Anand <pratyush.anand@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/lvstest.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/usb/misc/lvstest.c
++++ b/drivers/usb/misc/lvstest.c
+@@ -366,6 +366,10 @@ static int lvs_rh_probe(struct usb_inter
+       hdev = interface_to_usbdev(intf);
+       desc = intf->cur_altsetting;
++
++      if (desc->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       endpoint = &desc->endpoint[0].desc;
+       /* valid only for SS root hub */
diff --git a/queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch b/queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch
new file mode 100644 (file)
index 0000000..a51949c
--- /dev/null
@@ -0,0 +1,60 @@
+From 0090114d336a9604aa2d90bc83f20f7cd121b76c Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Fri, 10 Mar 2017 14:43:35 -0600
+Subject: usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream.
+
+The CPPI 4.1 driver polls register to workaround the premature TX
+interrupt issue, but it causes audio playback underrun when triggered in
+Isoch transfers.
+
+Isoch doesn't do back-to-back transfers, the TX should be done by the
+time the next transfer is scheduled. So skip this polling workaround for
+Isoch transfer.
+
+Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt")
+Reported-by: Alexandre Bailon <abailon@baylibre.com>
+Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
+Tested-by: Alexandre Bailon <abailon@baylibre.com>
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_cppi41.c |   23 +++++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/musb/musb_cppi41.c
++++ b/drivers/usb/musb/musb_cppi41.c
+@@ -231,8 +231,27 @@ static void cppi41_dma_callback(void *pr
+                       transferred < cppi41_channel->packet_sz)
+               cppi41_channel->prog_len = 0;
+-      if (cppi41_channel->is_tx)
+-              empty = musb_is_tx_fifo_empty(hw_ep);
++      if (cppi41_channel->is_tx) {
++              u8 type;
++
++              if (is_host_active(musb))
++                      type = hw_ep->out_qh->type;
++              else
++                      type = hw_ep->ep_in.type;
++
++              if (type == USB_ENDPOINT_XFER_ISOC)
++                      /*
++                       * Don't use the early-TX-interrupt workaround below
++                       * for Isoch transfter. Since Isoch are periodic
++                       * transfer, by the time the next transfer is
++                       * scheduled, the current one should be done already.
++                       *
++                       * This avoids audio playback underrun issue.
++                       */
++                      empty = true;
++              else
++                      empty = musb_is_tx_fifo_empty(hw_ep);
++      }
+       if (!cppi41_channel->is_tx || empty) {
+               cppi41_trans_done(cppi41_channel);
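Review bot: The new `if (type == USB_ENDPOINT_XFER_ISOC)` / `else` pair is unbraced even though the block comment stretches the first arm over several lines, which makes it easy to misread or to break when a statement is added. Kernel style puts braces on both arms once either is more than a single line: `if (type == USB_ENDPOINT_XFER_ISOC) {` … `} else {` … `}`. The comment also has a typo, "transfter". Separately, `hw_ep->out_qh->type` is read without a NULL test. Whether `out_qh` can be unset when this callback runs cannot be judged here, since cppi41_dma_callback() starts and ends outside the hunk.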
diff --git a/queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch b/queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch
new file mode 100644 (file)
index 0000000..18a588b
--- /dev/null
@@ -0,0 +1,54 @@
+From 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 Mon Sep 17 00:00:00 2001
+From: Dan Williams <dcbw@redhat.com>
+Date: Thu, 9 Mar 2017 11:32:28 -0600
+Subject: USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems
+
+From: Dan Williams <dcbw@redhat.com>
+
+commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream.
+
+Add Quectel UC15, UC20, EC21, and EC25.  The EC20 is handled by
+qcserial due to a USB VID/PID conflict with an existing Acer
+device.
+
+Signed-off-by: Dan Williams <dcbw@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -233,6 +233,14 @@ static void option_instat_callback(struc
+ #define BANDRICH_PRODUCT_1012                 0x1012
+ #define QUALCOMM_VENDOR_ID                    0x05C6
++/* These Quectel products use Qualcomm's vendor ID */
++#define QUECTEL_PRODUCT_UC20                  0x9003
++#define QUECTEL_PRODUCT_UC15                  0x9090
++
++#define QUECTEL_VENDOR_ID                     0x2c7c
++/* These Quectel products use Quectel's vendor ID */
++#define QUECTEL_PRODUCT_EC21                  0x0121
++#define QUECTEL_PRODUCT_EC25                  0x0125
+ #define CMOTECH_VENDOR_ID                     0x16d8
+ #define CMOTECH_PRODUCT_6001                  0x6001
+@@ -1161,7 +1169,14 @@ static const struct usb_device_id option
+       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */
+       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */
+       { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */
+-      { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */
++      /* Quectel products using Qualcomm vendor ID */
++      { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)},
++      { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20),
++        .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++      /* Quectel products using Quectel vendor ID */
++      { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21),
++        .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
++      { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25),
+         .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) },
+       { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) },
diff --git a/queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch b/queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch
new file mode 100644 (file)
index 0000000..ac5fb00
--- /dev/null
@@ -0,0 +1,33 @@
+From 436ecf5519d892397af133a79ccd38a17c25fa51 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Fri, 17 Mar 2017 17:21:28 +0100
+Subject: USB: serial: qcserial: add Dell DW5811e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream.
+
+This is a Dell branded Sierra Wireless EM7455.
+
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/qcserial.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -169,6 +169,8 @@ static const struct usb_device_id id_tab
+       {DEVICE_SWI(0x413c, 0x81a9)},   /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81b1)},   /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */
+       {DEVICE_SWI(0x413c, 0x81b3)},   /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */
++      {DEVICE_SWI(0x413c, 0x81b5)},   /* Dell Wireless 5811e QDL */
++      {DEVICE_SWI(0x413c, 0x81b6)},   /* Dell Wireless 5811e QDL */
+       /* Huawei devices */
+       {DEVICE_HWI(0x03f0, 0x581d)},   /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */
diff --git a/queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch b/queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..ec01d0b
--- /dev/null
@@ -0,0 +1,64 @@
+From 687e0687f71ec00e0132a21fef802dee88c2f1ad Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Mar 2017 17:55:45 +0100
+Subject: USB: usbtmc: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream.
+
+USBTMC devices are required to have a bulk-in and a bulk-out endpoint,
+but the driver failed to verify this, something which could lead to the
+endpoint addresses being taken from uninitialised memory.
+
+Make sure to zero all private data as part of allocation, and add the
+missing endpoint sanity check.
+
+Note that this also addresses a more recently introduced issue, where
+the interrupt-in-presence flag would also be uninitialised whenever the
+optional interrupt-in endpoint is not present. This in turn could lead
+to an interrupt urb being allocated, initialised and submitted based on
+uninitialised values.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usbtmc.c |   10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1381,7 +1381,7 @@ static int usbtmc_probe(struct usb_inter
+       dev_dbg(&intf->dev, "%s called\n", __func__);
+-      data = kmalloc(sizeof(*data), GFP_KERNEL);
++      data = kzalloc(sizeof(*data), GFP_KERNEL);
+       if (!data)
+               return -ENOMEM;
+@@ -1444,6 +1444,13 @@ static int usbtmc_probe(struct usb_inter
+                       break;
+               }
+       }
++
++      if (!data->bulk_out || !data->bulk_in) {
++              dev_err(&intf->dev, "bulk endpoints not found\n");
++              retcode = -ENODEV;
++              goto err_put;
++      }
++
+       /* Find int endpoint */
+       for (n = 0; n < iface_desc->desc.bNumEndpoints; n++) {
+               endpoint = &iface_desc->endpoint[n].desc;
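Review bot: The new `!data->bulk_out || !data->bulk_in` test is only meaningful because the first hunk switches the allocation to `kzalloc()`, yet nothing at the check records that dependency. A short comment would keep the two from drifting apart, e.g. `/* zero means the loop above found no such endpoint; relies on data being kzalloc'ed */`. The `err_put` label added in the last hunk skips the sysfs and interrupt teardown, which looks right only if neither has been set up at the point of the new `goto`. That part of usbtmc_probe() is outside the hunks.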
+@@ -1512,6 +1519,7 @@ error_register:
+       sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp);
+       sysfs_remove_group(&intf->dev.kobj, &data_attr_grp);
+       usbtmc_free_int(data);
++err_put:
+       kref_put(&data->kref, usbtmc_delete);
+       return retcode;
+ }
diff --git a/queue-4.10/usb-usbtmc-fix-probe-error-path.patch b/queue-4.10/usb-usbtmc-fix-probe-error-path.patch
new file mode 100644 (file)
index 0000000..dd0f2f8
--- /dev/null
@@ -0,0 +1,49 @@
+From 2e47c53503eb9faff42b3cfa144a833344dd1f89 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Tue, 14 Mar 2017 17:55:46 +0100
+Subject: USB: usbtmc: fix probe error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 2e47c53503eb9faff42b3cfa144a833344dd1f89 upstream.
+
+Make sure to initialise the return value to avoid having allocation
+failures going unnoticed when allocating interrupt-endpoint resources.
+
+This prevents use-after-free or worse when the device is later unbound.
+
+Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.")
+Cc: Dave Penkler <dpenkler@gmail.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usbtmc.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -1476,8 +1476,10 @@ static int usbtmc_probe(struct usb_inter
+       if (data->iin_ep_present) {
+               /* allocate int urb */
+               data->iin_urb = usb_alloc_urb(0, GFP_KERNEL);
+-              if (!data->iin_urb)
++              if (!data->iin_urb) {
++                      retcode = -ENOMEM;
+                       goto error_register;
++              }
+               /* Protect interrupt in endpoint data until iin_urb is freed */
+               kref_get(&data->kref);
+@@ -1485,8 +1487,10 @@ static int usbtmc_probe(struct usb_inter
+               /* allocate buffer for interrupt in */
+               data->iin_buffer = kmalloc(data->iin_wMaxPacketSize,
+                                       GFP_KERNEL);
+-              if (!data->iin_buffer)
++              if (!data->iin_buffer) {
++                      retcode = -ENOMEM;
+                       goto error_register;
++              }
+               /* fill interrupt urb */
+               usb_fill_int_urb(data->iin_urb, data->usb_dev,
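Review bot: The `!data->iin_buffer` check catches a failed allocation but not a zero length, because `kmalloc()` with size 0 returns a non-NULL sentinel and the error branch is not taken. `data->iin_wMaxPacketSize` presumably comes from the device's interrupt endpoint descriptor (it is set outside this hunk), so a device-supplied 0 is better rejected before the allocation, for example `if (!data->iin_wMaxPacketSize) { retcode = -EINVAL; goto error_register; }`. usbtmc_probe() continues beyond both ends of the hunk, so confirm where the size is assigned before adding the check.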
diff --git a/queue-4.10/usb-uss720-fix-null-deref-at-probe.patch b/queue-4.10/usb-uss720-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..9ea76eb
--- /dev/null
@@ -0,0 +1,41 @@
+From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:50 +0100
+Subject: USB: uss720: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Note that the endpoint access that causes the NULL-deref is currently
+only used for debugging purposes during probe so the oops only happens
+when dynamic debugging is enabled. This means the driver could be
+rewritten to continue to accept device with only two endpoints, should
+such devices exist.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/uss720.c |    5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/misc/uss720.c
++++ b/drivers/usb/misc/uss720.c
+@@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter
+       interface = intf->cur_altsetting;
++      if (interface->desc.bNumEndpoints < 3) {
++              usb_put_dev(usbdev);
++              return -ENODEV;
++      }
++
+       /*
+        * Allocate parport interface 
+        */
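Review bot: The bare `3` in `bNumEndpoints < 3` has no explanation in the code, although the commit message says the endpoint access that faults is currently debug-only and that two-endpoint devices might be acceptable. Recording that next to the check would help whoever later relaxes the limit, e.g. `/* the endpoint access in probe is debug-only today; see commit message before lowering this */`. The `usb_put_dev(usbdev)` on the new early return presumably balances a reference taken just above the hunk, which is not visible here. The wa-hc patch below adds the same unexplained `3` in wa_create().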
diff --git a/queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch b/queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..76a4c8d
--- /dev/null
@@ -0,0 +1,38 @@
+From 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:51 +0100
+Subject: USB: wusbcore: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+This specifically fixes the NULL-pointer dereference when probing HWA HC
+devices.
+
+Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/wusbcore/wa-hc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/wusbcore/wa-hc.c
++++ b/drivers/usb/wusbcore/wa-hc.c
+@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct us
+       int result;
+       struct device *dev = &iface->dev;
++      if (iface->cur_altsetting->desc.bNumEndpoints < 3)
++              return -ENODEV;
++
+       result = wa_rpipes_create(wa);
+       if (result < 0)
+               goto error_rpipes_create;
diff --git a/queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch b/queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..e2601c6
--- /dev/null
@@ -0,0 +1,37 @@
+From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:52 +0100
+Subject: uwb: hwa-rc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the start callback which is called
+during probe.
+
+Fixes: de520b8bd552 ("uwb: add HWA radio controller driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/hwa-rc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/hwa-rc.c
++++ b/drivers/uwb/hwa-rc.c
+@@ -823,6 +823,9 @@ static int hwarc_probe(struct usb_interf
+       struct hwarc *hwarc;
+       struct device *dev = &iface->dev;
++      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       result = -ENOMEM;
+       uwb_rc = uwb_rc_alloc();
+       if (uwb_rc == NULL) {
diff --git a/queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch b/queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..297901e
--- /dev/null
@@ -0,0 +1,37 @@
+From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:47:53 +0100
+Subject: uwb: i1480-dfu: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Note that the dereference happens in the cmd and wait_init_done
+callbacks which are called during probe.
+
+Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver")
+Cc: Inaky Perez-Gonzalez <inaky.perez-gonzalez@intel.com>
+Cc: David Vrabel <david.vrabel@csr.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/uwb/i1480/dfu/usb.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/uwb/i1480/dfu/usb.c
++++ b/drivers/uwb/i1480/dfu/usb.c
+@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface
+                                result);
+       }
++      if (iface->cur_altsetting->desc.bNumEndpoints < 1)
++              return -ENODEV;
++
+       result = -ENOMEM;
+       i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL);
+       if (i1480_usb == NULL) {