3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Apr 2016 23:39:43 +0000 (16:39 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 9 Apr 2016 23:39:43 +0000 (16:39 -0700)
added patches:
aacraid-fix-memory-leak-in-aac_fib_map_free.patch
alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch
alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch
alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch
alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch
be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch
bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch
bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch
bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch
input-powermate-fix-oops-with-malicious-usb-descriptors.patch
pwc-add-usb-id-for-philips-spc880nc-webcam.patch
sg-fix-dxferp-in-from_to-case.patch
usb-cdc-acm-more-sanity-checking.patch
usb-cypress_m8-add-endpoint-sanity-check.patch
usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch
usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch
usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch
usb-mct_u232-add-sanity-checking-in-probe.patch
usb-option-add-d-link-dwm-221-b1-device-id.patch
usb-retry-reset-if-a-device-times-out.patch
usb-serial-cp210x-adding-ge-healthcare-device-id.patch
usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch
usb-uas-reduce-can_queue-to-max_cmnds.patch
usb-usb_driver_claim_interface-add-sanity-checking.patch

25 files changed:
queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch [new file with mode: 0644]
queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch [new file with mode: 0644]
queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch [new file with mode: 0644]
queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch [new file with mode: 0644]
queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch [new file with mode: 0644]
queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch [new file with mode: 0644]
queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch [new file with mode: 0644]
queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch [new file with mode: 0644]
queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch [new file with mode: 0644]
queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch [new file with mode: 0644]
queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/sg-fix-dxferp-in-from_to-case.patch [new file with mode: 0644]
queue-3.14/usb-cdc-acm-more-sanity-checking.patch [new file with mode: 0644]
queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch [new file with mode: 0644]
queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch [new file with mode: 0644]
queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch [new file with mode: 0644]
queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch [new file with mode: 0644]
queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch [new file with mode: 0644]
queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch [new file with mode: 0644]
queue-3.14/usb-retry-reset-if-a-device-times-out.patch [new file with mode: 0644]
queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch [new file with mode: 0644]
queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch [new file with mode: 0644]
queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch [new file with mode: 0644]
queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch [new file with mode: 0644]

diff --git a/queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch b/queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch
new file mode 100644 (file)
index 0000000..918e14c
--- /dev/null
@@ -0,0 +1,47 @@
+From f88fa79a61726ce9434df9b4aede36961f709f17 Mon Sep 17 00:00:00 2001
+From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
+Date: Wed, 3 Feb 2016 15:06:02 -0800
+Subject: aacraid: Fix memory leak in aac_fib_map_free
+
+From: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
+
+commit f88fa79a61726ce9434df9b4aede36961f709f17 upstream.
+
+aac_fib_map_free() calls pci_free_consistent() without checking that
+dev->hw_fib_va is not NULL and dev->max_fib_size is not zero.If they are
+indeed NULL/0, this will result in a hang as pci_free_consistent() will
+attempt to invalidate cache for the entire 64-bit address space
+(which would take a very long time).
+
+Fixed by adding a check to make sure that dev->hw_fib_va and
+dev->max_fib_size are not NULL and 0 respectively.
+
+Fixes: 9ad5204d6 - "[SCSI]aacraid: incorrect dma mapping mask during blinked recover or user initiated reset"
+Signed-off-by: Raghava Aditya Renukunta <raghavaaditya.renukunta@pmcs.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Tomas Henzl <thenzl@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/aacraid/commsup.c |    9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/scsi/aacraid/commsup.c
++++ b/drivers/scsi/aacraid/commsup.c
+@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev
+ void aac_fib_map_free(struct aac_dev *dev)
+ {
+-      pci_free_consistent(dev->pdev,
+-        dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB),
+-        dev->hw_fib_va, dev->hw_fib_pa);
++      if (dev->hw_fib_va && dev->max_fib_size) {
++              pci_free_consistent(dev->pdev,
++              (dev->max_fib_size *
++              (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)),
++              dev->hw_fib_va, dev->hw_fib_pa);
++      }
+       dev->hw_fib_va = NULL;
+       dev->hw_fib_pa = 0;
+ }
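Review bot: The guarded pci_free_consistent() call in aac_fib_map_free() is hard to audit because its continuation lines sit at the same indent as the call and the size is wrapped in redundant parentheses. Aligning the arguments under the opening parenthesis, or computing the size into a local first, would make it easier to see that the freed size is the same expression the allocation side uses (presumably fib_map_alloc(), named in the hunk header but not shown). The reason for the guard lives only in the commit message, so a comment above the `if` would help, e.g. `/* nothing mapped: freeing NULL/0 makes pci_free_consistent() walk the whole address space */`. The subject calls this a memory leak while the body describes a hang; the hang is what the new check prevents.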
diff --git a/queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch b/queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch
new file mode 100644 (file)
index 0000000..1d2fc5b
--- /dev/null
@@ -0,0 +1,74 @@
+From 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 15:20:58 +0100
+Subject: ALSA: usb-audio: Add sanity checks for endpoint accesses
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream.
+
+Add some sanity check codes before actually accessing the endpoint via
+get_endpoint() in order to avoid the invalid access through a
+malformed USB descriptor.  Mostly just checking bNumEndpoints, but in
+one place (snd_microii_spdif_default_get()), the validity of iface and
+altsetting index is checked as well.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/clock.c        |    2 ++
+ sound/usb/endpoint.c     |    3 +++
+ sound/usb/mixer_quirks.c |    4 ++++
+ sound/usb/pcm.c          |    2 ++
+ 4 files changed, 11 insertions(+)
+
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -283,6 +283,8 @@ static int set_sample_rate_v1(struct snd
+       unsigned char data[3];
+       int err, crate;
++      if (get_iface_desc(alts)->bNumEndpoints < 1)
++              return -EINVAL;
+       ep = get_endpoint(alts, 0)->bEndpointAddress;
+       /* if endpoint doesn't have sampling rate control, bail out */
+--- a/sound/usb/endpoint.c
++++ b/sound/usb/endpoint.c
+@@ -409,6 +409,9 @@ exit_clear:
+  *
+  * New endpoints will be added to chip->ep_list and must be freed by
+  * calling snd_usb_endpoint_free().
++ *
++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that
++ * bNumEndpoints > 1 beforehand.
+  */
+ struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip,
+                                             struct usb_host_interface *alts,
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -1455,7 +1455,11 @@ static int snd_microii_spdif_default_get
+       /* use known values for that card: interface#1 altsetting#1 */
+       iface = usb_ifnum_to_if(mixer->chip->dev, 1);
++      if (!iface || iface->num_altsetting < 2)
++              return -EINVAL;
+       alts = &iface->altsetting[1];
++      if (get_iface_desc(alts)->bNumEndpoints < 1)
++              return -EINVAL;
+       ep = get_endpoint(alts, 0)->bEndpointAddress;
+       err = snd_usb_ctl_msg(mixer->chip->dev,
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_
+       unsigned char data[1];
+       int err;
++      if (get_iface_desc(alts)->bNumEndpoints < 1)
++              return -EINVAL;
+       ep = get_endpoint(alts, 0)->bEndpointAddress;
+       data[0] = 1;
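Review bot: The SND_USB_ENDPOINT_TYPE_SYNC precondition in sound/usb/endpoint.c is documented but not enforced. The added comment asks callers of snd_usb_add_endpoint() to guarantee bNumEndpoints > 1, yet none of the hunks in this patch adds that check at a call site, and the function body lies outside the hunk. Since the endpoint count comes from a device-supplied descriptor, a check at the point where the sync endpoint is looked up would be more robust than a comment, for example `if (type == SND_USB_ENDPOINT_TYPE_SYNC && get_iface_desc(alts)->bNumEndpoints < 2) return NULL;` (assuming the function's type argument, which is not visible here). The identical `get_iface_desc(alts)->bNumEndpoints < 1` test added in clock.c, mixer_quirks.c and pcm.c could share one small helper so later call sites do not forget it.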
diff --git a/queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch b/queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch
new file mode 100644 (file)
index 0000000..5c16ae0
--- /dev/null
@@ -0,0 +1,98 @@
+From 836b34a935abc91e13e63053d0a83b24dfb5ea78 Mon Sep 17 00:00:00 2001
+From: Vladis Dronov <vdronov@redhat.com>
+Date: Thu, 31 Mar 2016 12:05:43 -0400
+Subject: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call
+
+From: Vladis Dronov <vdronov@redhat.com>
+
+commit 836b34a935abc91e13e63053d0a83b24dfb5ea78 upstream.
+
+create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and
+create_uaxx_quirk() functions allocate the audioformat object by themselves
+and free it upon error before returning. However, once the object is linked
+to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be
+double-freed, eventually resulting in a memory corruption.
+
+This patch fixes these failures in the error paths by unlinking the audioformat
+object before freeing it.
+
+Based on a patch by Takashi Iwai <tiwai@suse.de>
+
+[Note for stable backports:
+ this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor
+ code cleanup in create_fixed_stream_quirk()')]
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Vladis Dronov <vdronov@redhat.com>
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    4 ++++
+ sound/usb/stream.c |    6 +++++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -138,6 +138,7 @@ static int create_fixed_stream_quirk(str
+               snd_printk(KERN_ERR "cannot memdup\n");
+               return -ENOMEM;
+       }
++      INIT_LIST_HEAD(&fp->list);
+       if (fp->nr_rates > MAX_NR_RATES) {
+               kfree(fp);
+               return -EINVAL;
+@@ -181,6 +182,7 @@ static int create_fixed_stream_quirk(str
+       return 0;
+  error:
++      list_del(&fp->list); /* unlink for avoiding double-free */
+       kfree(fp);
+       kfree(rate_table);
+       return err;
+@@ -456,6 +458,7 @@ static int create_uaxx_quirk(struct snd_
+       fp->ep_attr = get_endpoint(alts, 0)->bmAttributes;
+       fp->datainterval = 0;
+       fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize);
++      INIT_LIST_HEAD(&fp->list);
+       switch (fp->maxpacksize) {
+       case 0x120:
+@@ -479,6 +482,7 @@ static int create_uaxx_quirk(struct snd_
+               ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+       err = snd_usb_add_audio_stream(chip, stream, fp);
+       if (err < 0) {
++              list_del(&fp->list); /* unlink for avoiding double-free */
+               kfree(fp);
+               return err;
+       }
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -315,7 +315,9 @@ static struct snd_pcm_chmap_elem *conver
+ /*
+  * add this endpoint to the chip instance.
+  * if a stream with the same endpoint already exists, append to it.
+- * if not, create a new pcm stream.
++ * if not, create a new pcm stream. note, fp is added to the substream
++ * fmt_list and will be freed on the chip instance release. do not free
++ * fp or do remove it from the substream fmt_list to avoid double-free.
+  */
+ int snd_usb_add_audio_stream(struct snd_usb_audio *chip,
+                            int stream,
+@@ -662,6 +664,7 @@ int snd_usb_parse_audio_interface(struct
+                                       * (fp->maxpacksize & 0x7ff);
+               fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no);
+               fp->clock = clock;
++              INIT_LIST_HEAD(&fp->list);
+               /* some quirks for attributes here */
+@@ -710,6 +713,7 @@ int snd_usb_parse_audio_interface(struct
+               snd_printdd(KERN_INFO "%d:%u:%d: add audio endpoint %#x\n", dev->devnum, iface_no, altno, fp->endpoint);
+               err = snd_usb_add_audio_stream(chip, stream, fp);
+               if (err < 0) {
++                      list_del(&fp->list); /* unlink for avoiding double-free */
+                       kfree(fp->rate_table);
+                       kfree(fp->chmap);
+                       kfree(fp);
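Review bot: The new comment above snd_usb_add_audio_stream() in sound/usb/stream.c is ambiguous. The phrase "do not free fp or do remove it from the substream fmt_list" reads as two prohibitions, while the error paths added in quirks.c and stream.c show the intended rule is to unlink first and then free. Suggested wording: `callers must not free fp unless they first remove it from the substream fmt_list with list_del(&fp->list)`. Each added `INIT_LIST_HEAD(&fp->list)` would also benefit from a short comment saying it keeps the later `list_del()` valid when the stream add fails before fp was linked. That reason is inferred from the hunks, since the body of snd_usb_add_audio_stream() is not shown.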
diff --git a/queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch b/queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch
new file mode 100644 (file)
index 0000000..5215c57
--- /dev/null
@@ -0,0 +1,39 @@
+From 0f886ca12765d20124bd06291c82951fd49a33be Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 12:09:10 +0100
+Subject: ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 0f886ca12765d20124bd06291c82951fd49a33be upstream.
+
+create_fixed_stream_quirk() may cause a NULL-pointer dereference by
+accessing the non-existing endpoint when a USB device with a malformed
+USB descriptor is used.
+
+This patch avoids it simply by adding a sanity check of bNumEndpoints
+before the accesses.
+
+Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -168,6 +168,12 @@ static int create_fixed_stream_quirk(str
+       }
+       alts = &iface->altsetting[fp->altset_idx];
+       altsd = get_iface_desc(alts);
++      if (altsd->bNumEndpoints < 1) {
++              kfree(fp);
++              kfree(rate_table);
++              return -EINVAL;
++      }
++
+       fp->protocol = altsd->bInterfaceProtocol;
+       if (fp->datainterval == 0)
diff --git a/queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch b/queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch
new file mode 100644 (file)
index 0000000..047d4f9
--- /dev/null
@@ -0,0 +1,62 @@
+From 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Tue, 15 Mar 2016 12:14:49 +0100
+Subject: ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk()
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream.
+
+Just a minor code cleanup: unify the error paths.
+
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -155,23 +155,18 @@ static int create_fixed_stream_quirk(str
+       stream = (fp->endpoint & USB_DIR_IN)
+               ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK;
+       err = snd_usb_add_audio_stream(chip, stream, fp);
+-      if (err < 0) {
+-              kfree(fp);
+-              kfree(rate_table);
+-              return err;
+-      }
++      if (err < 0)
++              goto error;
+       if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber ||
+           fp->altset_idx >= iface->num_altsetting) {
+-              kfree(fp);
+-              kfree(rate_table);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto error;
+       }
+       alts = &iface->altsetting[fp->altset_idx];
+       altsd = get_iface_desc(alts);
+       if (altsd->bNumEndpoints < 1) {
+-              kfree(fp);
+-              kfree(rate_table);
+-              return -EINVAL;
++              err = -EINVAL;
++              goto error;
+       }
+       fp->protocol = altsd->bInterfaceProtocol;
+@@ -184,6 +179,11 @@ static int create_fixed_stream_quirk(str
+       snd_usb_init_pitch(chip, fp->iface, alts, fp);
+       snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max);
+       return 0;
++
++ error:
++      kfree(fp);
++      kfree(rate_table);
++      return err;
+ }
+ static int create_auto_pcm_quirk(struct snd_usb_audio *chip,
diff --git a/queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch b/queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch
new file mode 100644 (file)
index 0000000..ad28774
--- /dev/null
@@ -0,0 +1,33 @@
+From 84bd64993f916bcf86270c67686ecf4cea7b8933 Mon Sep 17 00:00:00 2001
+From: Maurizio Lombardi <mlombard@redhat.com>
+Date: Fri, 4 Mar 2016 10:41:49 +0100
+Subject: be2iscsi: set the boot_kset pointer to NULL in case of failure
+
+From: Maurizio Lombardi <mlombard@redhat.com>
+
+commit 84bd64993f916bcf86270c67686ecf4cea7b8933 upstream.
+
+In beiscsi_setup_boot_info(), the boot_kset pointer should be set to
+NULL in case of failure otherwise an invalid pointer dereference may
+occur later.
+
+Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
+Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
+Reviewed-by: Jitendra Bhivare <jitendra.bhivare@broadcom.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/be2iscsi/be_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/be2iscsi/be_main.c
++++ b/drivers/scsi/be2iscsi/be_main.c
+@@ -4432,6 +4432,7 @@ put_shost:
+       scsi_host_put(phba->shost);
+ free_kset:
+       iscsi_boot_destroy_kset(phba->boot_kset);
++      phba->boot_kset = NULL;
+       return -ENOMEM;
+ }
diff --git a/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch
new file mode 100644 (file)
index 0000000..42a4af6
--- /dev/null
@@ -0,0 +1,55 @@
+From 81d90442eac779938217c3444b240aa51fd3db47 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Sun, 28 Feb 2016 11:04:06 +0300
+Subject: Bluetooth: btusb: Add a new AR3012 ID 04ca:3014
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 81d90442eac779938217c3444b240aa51fd3db47 upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=03 Dev#= 5 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=04ca ProdID=3014 Rev=00.02
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1546694
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -89,6 +89,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x04CA, 0x3008) },
+       { USB_DEVICE(0x04CA, 0x300b) },
+       { USB_DEVICE(0x04CA, 0x3010) },
++      { USB_DEVICE(0x04CA, 0x3014) },
+       { USB_DEVICE(0x0930, 0x0219) },
+       { USB_DEVICE(0x0930, 0x021c) },
+       { USB_DEVICE(0x0930, 0x0220) },
+@@ -148,6 +149,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -167,6 +167,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch
new file mode 100644 (file)
index 0000000..a03f8d7
--- /dev/null
@@ -0,0 +1,55 @@
+From 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Fri, 4 Mar 2016 01:32:19 +0300
+Subject: Bluetooth: btusb: Add a new AR3012 ID 13d3:3472
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 upstream.
+
+T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3472 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1552925
+
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -114,6 +114,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3402) },
+       { USB_DEVICE(0x13d3, 0x3408) },
+       { USB_DEVICE(0x13d3, 0x3432) },
++      { USB_DEVICE(0x13d3, 0x3472) },
+       { USB_DEVICE(0x13d3, 0x3474) },
+       /* Atheros AR5BBU12 with sflash firmware */
+@@ -174,6 +175,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+       /* Atheros AR5BBU22 with sflash firmware */
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -192,6 +192,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 },
+       /* Atheros AR5BBU12 with sflash firmware */
diff --git a/queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch b/queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch
new file mode 100644 (file)
index 0000000..3d88ac5
--- /dev/null
@@ -0,0 +1,56 @@
+From 609574eb46335cfac1421a07c0505627cbbab1f0 Mon Sep 17 00:00:00 2001
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+Date: Wed, 10 Feb 2016 15:33:17 +0300
+Subject: Bluetooth: btusb: Add new AR3012 ID 13d3:3395
+
+From: Dmitry Tunin <hanipouspilot@gmail.com>
+
+commit 609574eb46335cfac1421a07c0505627cbbab1f0 upstream.
+
+T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=13d3 ProdID=3395 Rev=00.01
+C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+
+BugLink: https://bugs.launchpad.net/bugs/1542564
+
+Reported-and-tested-by: Christopher Simerly <kilikopela29@gmail.com>
+Signed-off-by: Dmitry Tunin <hanipouspilot@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/ath3k.c |    2 ++
+ drivers/bluetooth/btusb.c |    1 +
+ 2 files changed, 3 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -109,6 +109,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3362) },
+       { USB_DEVICE(0x13d3, 0x3375) },
+       { USB_DEVICE(0x13d3, 0x3393) },
++      { USB_DEVICE(0x13d3, 0x3395) },
+       { USB_DEVICE(0x13d3, 0x3402) },
+       { USB_DEVICE(0x13d3, 0x3408) },
+       { USB_DEVICE(0x13d3, 0x3432) },
+@@ -167,6 +168,7 @@ static const struct usb_device_id ath3k_
+       { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -187,6 +187,7 @@ static const struct usb_device_id blackl
+       { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 },
++      { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 },
+       { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 },
diff --git a/queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch b/queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch
new file mode 100644 (file)
index 0000000..c798e8f
--- /dev/null
@@ -0,0 +1,38 @@
+From 9c6ba456711687b794dcf285856fc14e2c76074f Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 09:33:40 -0700
+Subject: Input: powermate - fix oops with malicious USB descriptors
+
+From: Josh Boyer <jwboyer@fedoraproject.org>
+
+commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream.
+
+The powermate driver expects at least one valid USB endpoint in its
+probe function.  If given malicious descriptors that specify 0 for
+the number of endpoints, it will crash.  Validate the number of
+endpoints on the interface before using them.
+
+The full report for this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/85
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/misc/powermate.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/input/misc/powermate.c
++++ b/drivers/input/misc/powermate.c
+@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_in
+       int error = -ENOMEM;
+       interface = intf->cur_altsetting;
++      if (interface->desc.bNumEndpoints < 1)
++              return -EINVAL;
++
+       endpoint = &interface->endpoint[0].desc;
+       if (!usb_endpoint_is_int_in(endpoint))
+               return -EIO;
diff --git a/queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch b/queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch
new file mode 100644 (file)
index 0000000..7ef14f9
--- /dev/null
@@ -0,0 +1,43 @@
+From 7445e45d19a09e5269dc85f17f9635be29d2f76c Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Fri, 22 Jan 2016 08:53:55 -0200
+Subject: [media] pwc: Add USB id for Philips Spc880nc webcam
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 7445e45d19a09e5269dc85f17f9635be29d2f76c upstream.
+
+SPC 880NC PC camera discussions:
+       http://www.pclinuxos.com/forum/index.php/topic,135688.0.html
+
+Reported-by: Kikim <klucznik0@op.pl>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@osg.samsung.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/pwc/pwc-if.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/media/usb/pwc/pwc-if.c
++++ b/drivers/media/usb/pwc/pwc-if.c
+@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_de
+       { USB_DEVICE(0x0471, 0x0312) },
+       { USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */
+       { USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */
++      { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */
+       { USB_DEVICE(0x069A, 0x0001) }, /* Askey */
+       { USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */
+       { USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */
+@@ -799,6 +800,11 @@ static int usb_pwc_probe(struct usb_inte
+                       name = "Philips SPC 900NC webcam";
+                       type_id = 740;
+                       break;
++              case 0x032C:
++                      PWC_INFO("Philips SPC 880NC USB webcam detected.\n");
++                      name = "Philips SPC 880NC webcam";
++                      type_id = 740;
++                      break;
+               default:
+                       return -ENODEV;
+                       break;
index 4a4749bf10fe25b3c349f7480cfe0a29dd357423..65fed41d6dd311aade89b943939a85128df99d11 100644 (file)
@@ -7,3 +7,27 @@ edac-amd64_edac-shift-wrapping-issue-in-f1x_get_norm_dct_addr.patch
 pci-disable-io-mem-decoding-for-devices-with-non-compliant-bars.patch
 x86-apic-fix-suspicious-rcu-usage-in-smp_trace_call_function_interrupt.patch
 x86-iopl-fix-iopl-capability-check-on-xen-pv.patch
+sg-fix-dxferp-in-from_to-case.patch
+aacraid-fix-memory-leak-in-aac_fib_map_free.patch
+be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch
+usb-retry-reset-if-a-device-times-out.patch
+usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch
+usb-uas-reduce-can_queue-to-max_cmnds.patch
+usb-cdc-acm-more-sanity-checking.patch
+usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch
+usb-usb_driver_claim_interface-add-sanity-checking.patch
+usb-mct_u232-add-sanity-checking-in-probe.patch
+usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch
+usb-cypress_m8-add-endpoint-sanity-check.patch
+usb-serial-cp210x-adding-ge-healthcare-device-id.patch
+usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch
+usb-option-add-d-link-dwm-221-b1-device-id.patch
+pwc-add-usb-id-for-philips-spc880nc-webcam.patch
+input-powermate-fix-oops-with-malicious-usb-descriptors.patch
+alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch
+alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch
+alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch
+alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch
+bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch
+bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch
+bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch
diff --git a/queue-3.14/sg-fix-dxferp-in-from_to-case.patch b/queue-3.14/sg-fix-dxferp-in-from_to-case.patch
new file mode 100644 (file)
index 0000000..26da30b
--- /dev/null
@@ -0,0 +1,47 @@
+From 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 Mon Sep 17 00:00:00 2001
+From: Douglas Gilbert <dgilbert@interlog.com>
+Date: Thu, 3 Mar 2016 00:31:29 -0500
+Subject: sg: fix dxferp in from_to case
+
+From: Douglas Gilbert <dgilbert@interlog.com>
+
+commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream.
+
+One of the strange things that the original sg driver did was let the
+user provide both a data-out buffer (it followed the sg_header+cdb)
+_and_ specify a reply length greater than zero. What happened was that
+the user data-out buffer was copied into some kernel buffers and then
+the mid level was told a read type operation would take place with the
+data from the device overwriting the same kernel buffers. The user would
+then read those kernel buffers back into the user space.
+
+From what I can tell, the above action was broken by commit fad7f01e61bf
+("sg: set dxferp to NULL for READ with the older SG interface") in 2008
+and syzkaller found that out recently.
+
+Make sure that a user space pointer is passed through when data follows
+the sg_header structure and command.  Fix the abnormal case when a
+non-zero reply_len is also given.
+
+Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6
+Signed-off-by: Douglas Gilbert <dgilbert@interlog.com>
+Reviewed-by: Ewan Milne <emilne@redhat.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/sg.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/sg.c
++++ b/drivers/scsi/sg.c
+@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char _
+       else
+               hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE;
+       hp->dxfer_len = mxsize;
+-      if (hp->dxfer_direction == SG_DXFER_TO_DEV)
++      if ((hp->dxfer_direction == SG_DXFER_TO_DEV) ||
++          (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV))
+               hp->dxferp = (char __user *)buf + cmd_size;
+       else
+               hp->dxferp = NULL;
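Review bot: The widened condition in sg_write() carries no comment saying why SG_DXFER_TO_FROM_DEV also needs the user pointer, so the reason lives only in the patch description. A short comment above the `if` would keep a later cleanup from collapsing it back to the TO_DEV-only test, for example `/* data-out follows sg_header + cdb in the write() buffer; TO_FROM_DEV copies it in before the read */`. The bounds on `mxsize` and `cmd_size` that go with `buf + cmd_size` are established outside this hunk, so they cannot be confirmed from here.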
diff --git a/queue-3.14/usb-cdc-acm-more-sanity-checking.patch b/queue-3.14/usb-cdc-acm-more-sanity-checking.patch
new file mode 100644 (file)
index 0000000..9ff4bfe
--- /dev/null
@@ -0,0 +1,33 @@
+From 8835ba4a39cf53f705417b3b3a94eb067673f2c9 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 15 Mar 2016 10:14:04 +0100
+Subject: USB: cdc-acm: more sanity checking
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream.
+
+An attack has become available which pretends to be a quirky
+device circumventing normal sanity checks and crashes the kernel
+by an insufficient number of interfaces. This patch adds a check
+to the code path for quirky devices.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -1079,6 +1079,9 @@ static int acm_probe(struct usb_interfac
+       if (quirks == NO_UNION_NORMAL) {
+               data_interface = usb_ifnum_to_if(usb_dev, 1);
+               control_interface = usb_ifnum_to_if(usb_dev, 0);
++              /* we would crash */
++              if (!data_interface || !control_interface)
++                      return -ENODEV;
+               goto skip_normal_probe;
+       }
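Review bot: The new NULL check in the `NO_UNION_NORMAL` branch of acm_probe() rejects the device silently, and its comment `/* we would crash */` does not say what was wrong with the device. The serial-driver patches in this same queue log a reason before returning -ENODEV; a debug-level message here would let an operator see that a device claiming the quirk lacked interface 0 or 1. At minimum the comment could read `/* usb_ifnum_to_if() returns NULL when the device lacks interface 0 or 1 */`. acm_probe() starts and continues outside the hunk, so whether anything acquired earlier needs releasing before this early return cannot be confirmed here.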
diff --git a/queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch b/queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..5be14d8
--- /dev/null
@@ -0,0 +1,48 @@
+From c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 31 Mar 2016 12:04:25 -0400
+Subject: USB: cypress_m8: add endpoint sanity check
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream.
+
+An attack using missing endpoints exists.
+
+CVE-2016-3137
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cypress_m8.c |   11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/serial/cypress_m8.c
++++ b/drivers/usb/serial/cypress_m8.c
+@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(st
+       struct usb_serial *serial = port->serial;
+       struct cypress_private *priv;
++      if (!port->interrupt_out_urb || !port->interrupt_in_urb) {
++              dev_err(&port->dev, "required endpoint is missing\n");
++              return -ENODEV;
++      }
++
+       priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL);
+       if (!priv)
+               return -ENOMEM;
+@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struc
+               cypress_set_termios(tty, port, &priv->tmp_termios);
+       /* setup the port and start reading from the device */
+-      if (!port->interrupt_in_urb) {
+-              dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n",
+-                      __func__);
+-              return -1;
+-      }
+-
+       usb_fill_int_urb(port->interrupt_in_urb, serial->dev,
+               usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress),
+               port->interrupt_in_urb->transfer_buffer,
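Review bot: After this change cypress_open() dereferences `port->interrupt_in_urb->transfer_buffer` with no local guard and nothing at that site records that the check now lives in cypress_generic_port_probe(). A one-line comment where the old guard stood, such as `/* both interrupt URBs are guaranteed by port_probe */`, would document the invariant for anyone who later adds another probe path. If the driver has port_probe callbacks that do not go through cypress_generic_port_probe(), they would need the same check; that is not visible here. Both functions extend beyond their hunks.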
diff --git a/queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch b/queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch
new file mode 100644 (file)
index 0000000..61e0805
--- /dev/null
@@ -0,0 +1,53 @@
+From 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 31 Mar 2016 12:04:26 -0400
+Subject: USB: digi_acceleport: do sanity checking for the number of ports
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
+
+The driver can be crashed with devices that expose crafted descriptors
+with too few endpoints.
+
+See: http://seclists.org/bugtraq/2016/Mar/61
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+[johan: fix OOB endpoint check and add error messages ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/digi_acceleport.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1252,8 +1252,27 @@ static int digi_port_init(struct usb_ser
+ static int digi_startup(struct usb_serial *serial)
+ {
++      struct device *dev = &serial->interface->dev;
+       struct digi_serial *serial_priv;
+       int ret;
++      int i;
++
++      /* check whether the device has the expected number of endpoints */
++      if (serial->num_port_pointers < serial->type->num_ports + 1) {
++              dev_err(dev, "OOB endpoints missing\n");
++              return -ENODEV;
++      }
++
++      for (i = 0; i < serial->type->num_ports + 1 ; i++) {
++              if (!serial->port[i]->read_urb) {
++                      dev_err(dev, "bulk-in endpoint missing\n");
++                      return -ENODEV;
++              }
++              if (!serial->port[i]->write_urb) {
++                      dev_err(dev, "bulk-out endpoint missing\n");
++                      return -ENODEV;
++              }
++      }
+       serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+       if (!serial_priv)
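Review bot: The bound `serial->type->num_ports + 1` is written twice in digi_startup() with no explanation of the extra port, which makes the endpoint check harder to audit than it needs to be. The first error message suggests the extra one is the out-of-band port; saying so once, e.g. `/* data ports plus one OOB port */` above the first check, would tie the count to its meaning. The loop also relies on every `serial->port[i]` below `num_port_pointers` being non-NULL, which is presumably guaranteed by usb-serial core but is not shown in this hunk. digi_startup() continues past the hunk.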
diff --git a/queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch b/queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch
new file mode 100644 (file)
index 0000000..a40b017
--- /dev/null
@@ -0,0 +1,66 @@
+From 0d5ce778c43bf888328231bcdce05d5c860655aa Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 17 Feb 2016 11:52:43 +0100
+Subject: usb: hub: fix a typo in hub_port_init() leading to wrong logic
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 0d5ce778c43bf888328231bcdce05d5c860655aa upstream.
+
+A typo of j for i led to a logic bug. To rule out future
+confusion, the variable names are made meaningful.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4079,7 +4079,7 @@ hub_port_init (struct usb_hub *hub, stru
+       struct usb_device       *hdev = hub->hdev;
+       struct usb_hcd          *hcd = bus_to_hcd(hdev->bus);
+-      int                     i, j, retval;
++      int                     retries, operations, retval, i;
+       unsigned                delay = HUB_SHORT_RESET_TIME;
+       enum usb_device_speed   oldspeed = udev->speed;
+       const char              *speed;
+@@ -4181,7 +4181,7 @@ hub_port_init (struct usb_hub *hub, stru
+        * first 8 bytes of the device descriptor to get the ep0 maxpacket
+        * value.
+        */
+-      for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) {
++      for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) {
+               bool did_new_scheme = false;
+               if (use_new_scheme(udev, retry_counter)) {
+@@ -4204,7 +4204,7 @@ hub_port_init (struct usb_hub *hub, stru
+                        * 255 is for WUSB devices, we actually need to use
+                        * 512 (WUSB1.0[4.8.1]).
+                        */
+-                      for (j = 0; j < 3; ++j) {
++                      for (operations = 0; operations < 3; ++operations) {
+                               buf->bMaxPacketSize0 = 0;
+                               r = usb_control_msg(udev, usb_rcvaddr0pipe(),
+                                       USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
+@@ -4230,7 +4230,7 @@ hub_port_init (struct usb_hub *hub, stru
+                                * reset. But only on the first attempt,
+                                * lest we get into a time out/reset loop
+                                */
+-                              if (r == 0  || (r == -ETIMEDOUT && j == 0))
++                              if (r == 0  || (r == -ETIMEDOUT && retries == 0))
+                                       break;
+                       }
+                       udev->descriptor.bMaxPacketSize0 =
+@@ -4262,7 +4262,7 @@ hub_port_init (struct usb_hub *hub, stru
+                * authorization will assign the final address.
+                */
+               if (udev->wusb == 0) {
+-                      for (j = 0; j < SET_ADDRESS_TRIES; ++j) {
++                      for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) {
+                               retval = hub_set_address(udev, devnum);
+                               if (retval >= 0)
+                                       break;
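Review bot: The context comment above the corrected test still says "only on the first attempt", which reads equally well for either loop counter and so does not protect against the same mix-up recurring. With the condition now `retries == 0`, the comment could name the loop it means, e.g. `But only on the first pass of the outer GET_DESCRIPTOR_TRIES loop,`. The declaration also keeps `i` beside the new names; if nothing outside these hunks still uses it, dropping it would remove one more single-letter counter from the function. hub_port_init() extends well beyond the hunks shown.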
diff --git a/queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch b/queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch
new file mode 100644 (file)
index 0000000..878f366
--- /dev/null
@@ -0,0 +1,40 @@
+From 4ec0ef3a82125efc36173062a50624550a900ae0 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Mon, 14 Mar 2016 10:42:38 -0400
+Subject: USB: iowarrior: fix oops with malicious USB descriptors
+
+From: Josh Boyer <jwboyer@fedoraproject.org>
+
+commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
+
+The iowarrior driver expects at least one valid endpoint.  If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function.  Ensure there is at least
+one endpoint on the interface before using it.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/87
+
+Reported-by: Ralf Spenneberg <ralf@spenneberg.net>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/iowarrior.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -791,6 +791,12 @@ static int iowarrior_probe(struct usb_in
+       iface_desc = interface->cur_altsetting;
+       dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
++      if (iface_desc->desc.bNumEndpoints < 1) {
++              dev_err(&interface->dev, "Invalid number of endpoints\n");
++              retval = -EINVAL;
++              goto error;
++      }
++
+       /* set up the endpoint information */
+       for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+               endpoint = &iface_desc->endpoint[i].desc;
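Review bot: The added test in iowarrior_probe() only counts endpoints; it does not establish that the endpoint the driver goes on to use is among them. The loop that follows presumably selects endpoints by type, and its body is outside the hunk, so a descriptor with one endpoint of an unexpected type may still leave the interrupt-in pointer unset when probe uses it later. If that is the case, a check after the loop is the more robust form, along the lines of `if (!dev->int_in_endpoint) { retval = -ENODEV; goto error; }` (field name as in the upstream driver; confirm against this tree).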
diff --git a/queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch b/queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch
new file mode 100644 (file)
index 0000000..2ff48d0
--- /dev/null
@@ -0,0 +1,48 @@
+From 4e9a0b05257f29cf4b75f3209243ed71614d062e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 31 Mar 2016 12:04:24 -0400
+Subject: USB: mct_u232: add sanity checking in probe
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
+
+An attack using the lack of sanity checking in probe is known. This
+patch checks for the existence of a second port.
+
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+[johan: add error message ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/mct_u232.c |    9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct
+ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
++      struct usb_serial *serial = port->serial;
+       struct mct_u232_private *priv;
++      /* check first to simplify error handling */
++      if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
++              dev_err(&port->dev, "expected endpoint missing\n");
++              return -ENODEV;
++      }
++
+       priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+       if (!priv)
+               return -ENOMEM;
+       /* Use second interrupt-in endpoint for reading. */
+-      priv->read_urb = port->serial->port[1]->interrupt_in_urb;
++      priv->read_urb = serial->port[1]->interrupt_in_urb;
+       priv->read_urb->context = port;
+       spin_lock_init(&priv->lock);
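Review bot: The guard in mct_u232_port_probe() indexes `serial->port[1]` without first checking how many ports were set up, so it depends on that slot being NULL when the device provides only one port. The digi_acceleport patch in this same queue compares `serial->num_port_pointers` before touching the array; either the same count check or a comment stating the assumption, such as `/* port[1] is NULL if the device did not provide a second port */`, would make the two consistent. That assumption concerns usb-serial core and is not visible here. The function continues beyond the hunk.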
diff --git a/queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch b/queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch
new file mode 100644 (file)
index 0000000..8188717
--- /dev/null
@@ -0,0 +1,57 @@
+From d48d5691ebf88a15d95ba96486917ffc79256536 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= <bjorn@mork.no>
+Date: Thu, 7 Apr 2016 12:09:17 +0200
+Subject: USB: option: add "D-Link DWM-221 B1" device id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork <bjorn@mork.no>
+
+commit d48d5691ebf88a15d95ba96486917ffc79256536 upstream.
+
+Thomas reports:
+"Windows:
+
+00 diagnostics
+01 modem
+02 at-port
+03 nmea
+04 nic
+
+Linux:
+
+T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
+D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
+P:  Vendor=2001 ProdID=7e19 Rev=02.32
+S:  Manufacturer=Mobile Connect
+S:  Product=Mobile Connect
+S:  SerialNumber=0123456789ABCDEF
+C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
+
+Reported-by: Thomas Schäfer <tschaefer@t-online.de>
+Signed-off-by: Bjørn Mork <bjorn@mork.no>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/option.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1818,6 +1818,8 @@ static const struct usb_device_id option
+       { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
+       { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
+       { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
++      { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff),                     /* D-Link DWM-221 B1 */
++        .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+       { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
+       { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+       { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) },                /* OLICARD300 - MT6225 */
diff --git a/queue-3.14/usb-retry-reset-if-a-device-times-out.patch b/queue-3.14/usb-retry-reset-if-a-device-times-out.patch
new file mode 100644 (file)
index 0000000..d226640
--- /dev/null
@@ -0,0 +1,43 @@
+From 264904ccc33c604d4b3141bbd33808152dfac45b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 10 Feb 2016 11:33:18 +0100
+Subject: usb: retry reset if a device times out
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 264904ccc33c604d4b3141bbd33808152dfac45b upstream.
+
+Some devices I got show an inability to operate right after
+power on if they are already connected. They are beyond recovery
+if the descriptors are requested multiple times. So in case of
+a timeout we rather bail early and reset again. But it must be
+done only on the first loop lest we get into a reset/time out
+spiral that can be overcome with a retry.
+
+This patch is a rework of a patch that fell through the cracks.
+http://www.spinics.net/lists/linux-usb/msg103263.html
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hub.c |    8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4224,7 +4224,13 @@ hub_port_init (struct usb_hub *hub, stru
+                                               r = -EPROTO;
+                                       break;
+                               }
+-                              if (r == 0)
++                              /*
++                               * Some devices time out if they are powered on
++                               * when already connected. They need a second
++                               * reset. But only on the first attempt,
++                               * lest we get into a time out/reset loop
++                               */
++                              if (r == 0  || (r == -ETIMEDOUT && j == 0))
+                                       break;
+                       }
+                       udev->descriptor.bMaxPacketSize0 =
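Review bot: The added condition tests `j == 0`, the counter of the inner three-try loop, so on its own this patch breaks out on a timeout in the first inner try of every outer pass rather than "only on the first loop" as the description says. The queue corrects this in usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch, listed directly after this one in the series file, where the test becomes `retries == 0`. Anyone carrying this patch into another tree should take both together. hub_port_init() extends beyond the hunk.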
diff --git a/queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch b/queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch
new file mode 100644 (file)
index 0000000..b2a7c2e
--- /dev/null
@@ -0,0 +1,30 @@
+From cddc9434e3dcc37a85c4412fb8e277d3a582e456 Mon Sep 17 00:00:00 2001
+From: Martyn Welch <martyn.welch@collabora.co.uk>
+Date: Tue, 29 Mar 2016 17:47:29 +0100
+Subject: USB: serial: cp210x: Adding GE Healthcare Device ID
+
+From: Martyn Welch <martyn.welch@collabora.co.uk>
+
+commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.
+
+The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
+Manufacturer ID of 0x1901 and Product ID of 0x0194.
+
+Signed-off-by: Martyn Welch <martyn.welch@collabora.co.uk>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -164,6 +164,7 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
+       { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+       { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
++      { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
+       { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
+       { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
+       { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
diff --git a/queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch b/queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch
new file mode 100644 (file)
index 0000000..6f64cd0
--- /dev/null
@@ -0,0 +1,57 @@
+From ea6db90e750328068837bed34cb1302b7a177339 Mon Sep 17 00:00:00 2001
+From: Josh Boyer <jwboyer@fedoraproject.org>
+Date: Thu, 10 Mar 2016 09:48:52 -0500
+Subject: USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
+
+From: Josh Boyer <jwboyer@fedoraproject.org>
+
+commit ea6db90e750328068837bed34cb1302b7a177339 upstream.
+
+A Fedora user reports that the ftdi_sio driver works properly for the
+ICP DAS I-7561U device.  Further, the user manual for these devices
+instructs users to load the driver and add the ids using the sysfs
+interface.
+
+Add support for these in the driver directly so that the devices work
+out of the box instead of needing manual configuration.
+
+Reported-by: <thesource@mail.ru>
+Signed-off-by: Josh Boyer <jwboyer@fedoraproject.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ftdi_sio.c     |    4 ++++
+ drivers/usb/serial/ftdi_sio_ids.h |    8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1017,6 +1017,10 @@ static const struct usb_device_id id_tab
+       { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+       { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+       { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
++      /* ICP DAS I-756xU devices */
++      { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
++      { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
++      { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+       { }                                     /* Terminating entry */
+ };
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -872,6 +872,14 @@
+ #define NOVITUS_BONO_E_PID            0x6010
+ /*
++ * ICPDAS I-756*U devices
++ */
++#define ICPDAS_VID                    0x1b5c
++#define ICPDAS_I7560U_PID             0x0103
++#define ICPDAS_I7561U_PID             0x0104
++#define ICPDAS_I7563U_PID             0x0105
++
++/*
+  * RT Systems programming cables for various ham radios
+  */
+ #define RTSYSTEMS_VID         0x2100  /* Vendor ID */
diff --git a/queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch b/queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch
new file mode 100644 (file)
index 0000000..3d17ea0
--- /dev/null
@@ -0,0 +1,37 @@
+From 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede <hdegoede@redhat.com>
+Date: Mon, 7 Mar 2016 20:11:52 +0100
+Subject: USB: uas: Reduce can_queue to MAX_CMNDS
+
+From: Hans de Goede <hdegoede@redhat.com>
+
+commit 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 upstream.
+
+The uas driver can never queue more then MAX_CMNDS (- 1) tags and tags
+are shared between luns, so there is no need to claim that we can_queue
+some random large number.
+
+Not claiming that we can_queue 65536 commands, fixes the uas driver
+failing to initialize while allocating the tag map with a "Page allocation
+failure (order 7)" error on systems which have been running for a while
+and thus have fragmented memory.
+
+Reported-and-tested-by: Yves-Alexis Perez <corsac@corsac.net>
+Signed-off-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/uas.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -835,7 +835,7 @@ static struct scsi_host_template uas_hos
+       .eh_abort_handler = uas_eh_abort_handler,
+       .eh_device_reset_handler = uas_eh_device_reset_handler,
+       .eh_bus_reset_handler = uas_eh_bus_reset_handler,
+-      .can_queue = 65536,     /* Is there a limit on the _host_ ? */
++      .can_queue = MAX_CMNDS,
+       .this_id = -1,
+       .sg_tablesize = SG_NONE,
+       .cmd_per_lun = 1,       /* until we override it */
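Review bot: The description says the driver can never queue more than MAX_CMNDS (- 1) tags, yet the new initializer is `.can_queue = MAX_CMNDS,` and it carries no comment. If one tag really is reserved, the host template now advertises one more command than can be tagged; either `.can_queue = MAX_CMNDS - 1,` or a comment such as `/* tags are shared between luns, so the limit is per host */` would settle which is intended. The definition of MAX_CMNDS and the tag allocation are outside this hunk, so this is a question about the bound rather than a confirmed off-by-one.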
diff --git a/queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch b/queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch
new file mode 100644 (file)
index 0000000..c9d5860
--- /dev/null
@@ -0,0 +1,39 @@
+From 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Wed, 16 Mar 2016 13:26:17 +0100
+Subject: USB: usb_driver_claim_interface: add sanity checking
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.
+
+Attacks that trick drivers into passing a NULL pointer
+to usb_driver_claim_interface() using forged descriptors are
+known. This thwarts them by sanity checking.
+
+Signed-off-by: Oliver Neukum <ONeukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c |    6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -494,11 +494,15 @@ static int usb_unbind_interface(struct d
+ int usb_driver_claim_interface(struct usb_driver *driver,
+                               struct usb_interface *iface, void *priv)
+ {
+-      struct device *dev = &iface->dev;
++      struct device *dev;
+       struct usb_device *udev;
+       int retval = 0;
+       int lpm_disable_error;
++      if (!iface)
++              return -ENODEV;
++
++      dev = &iface->dev;
+       if (dev->driver)
+               return -EBUSY;