--- /dev/null
+From aecc19ec404bdc745c781058ac97a373731c3089 Mon Sep 17 00:00:00 2001
+From: Daehwan Jung <dh10.jung@samsung.com>
+Date: Wed, 16 Jun 2021 18:34:55 +0900
+Subject: ALSA: usb-audio: fix rate on Ozone Z90 USB headset
+
+From: Daehwan Jung <dh10.jung@samsung.com>
+
+commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.
+
+It mislabels its 96 kHz altsetting and that's why it causes some noise
+
+Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/format.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/usb/format.c
++++ b/sound/usb/format.c
+@@ -189,9 +189,11 @@ static int parse_audio_format_rates_v1(s
+ continue;
+ /* C-Media CM6501 mislabels its 96 kHz altsetting */
+ /* Terratec Aureon 7.1 USB C-Media 6206, too */
++ /* Ozone Z90 USB C-Media, too */
+ if (rate == 48000 && nr_rates == 1 &&
+ (chip->usb_id == USB_ID(0x0d8c, 0x0201) ||
+ chip->usb_id == USB_ID(0x0d8c, 0x0102) ||
++ chip->usb_id == USB_ID(0x0d8c, 0x0078) ||
+ chip->usb_id == USB_ID(0x0ccd, 0x00b1)) &&
+ fp->altsetting == 5 && fp->maxpacksize == 392)
+ rate = 96000;
--- /dev/null
+From f8f84af5da9ee04ef1d271528656dac42a090d00 Mon Sep 17 00:00:00 2001
+From: Alexander Larkin <avlarkin82@gmail.com>
+Date: Sun, 4 Jul 2021 22:39:36 -0700
+Subject: Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
+
+From: Alexander Larkin <avlarkin82@gmail.com>
+
+commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.
+
+Even though we validate user-provided inputs we then traverse past
+validated data when applying the new map. The issue was originally
+discovered by Murray McAllister with this simple POC (if the following
+is executed by an unprivileged user it will instantly panic the system):
+
+int main(void) {
+ int fd, ret;
+ unsigned int buffer[10000];
+
+ fd = open("/dev/input/js0", O_RDONLY);
+ if (fd == -1)
+ printf("Error opening file\n");
+
+ ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
+ printf("%d\n", ret);
+}
+
+The solution is to traverse internal buffer which is guaranteed to only
+contain valid date when constructing the map.
+
+Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
+Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
+Reported-by: Murray McAllister <murray.mcallister@gmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
+Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joydev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/joydev.c
++++ b/drivers/input/joydev.c
+@@ -504,7 +504,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
+ memcpy(joydev->keypam, keypam, len);
+
+ for (i = 0; i < joydev->nkey; i++)
+- joydev->keymap[keypam[i] - BTN_MISC] = i;
++ joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
+
+ out:
+ kfree(keypam);
--- /dev/null
+From 41e81022a04a0294c55cfa7e366bc14b9634c66e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 24 May 2021 10:02:59 -0700
+Subject: Input: usbtouchscreen - fix control-request directions
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.
+
+The direction of the pipe argument must match the request-type direction
+bit or control requests may fail depending on the host-controller-driver
+implementation.
+
+Fix the four control requests which erroneously used usb_rcvctrlpipe().
+
+Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
+Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
+Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Cc: stable@vger.kernel.org # 2.6.17
+Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/usbtouchscreen.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/input/touchscreen/usbtouchscreen.c
++++ b/drivers/input/touchscreen/usbtouchscreen.c
+@@ -266,7 +266,7 @@ static int e2i_init(struct usbtouch_usb
+ int ret;
+ struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ 0x01, 0x02, 0x0000, 0x0081,
+ NULL, 0, USB_CTRL_SET_TIMEOUT);
+
+@@ -462,7 +462,7 @@ static int mtouch_init(struct usbtouch_u
+ int ret, i;
+ struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
+
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_RESET,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -474,7 +474,7 @@ static int mtouch_init(struct usbtouch_u
+ msleep(150);
+
+ for (i = 0; i < 3; i++) {
+- ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
++ ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
+ MTOUCHUSB_ASYNC_REPORT,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT);
+@@ -645,7 +645,7 @@ static int dmc_tsc10_init(struct usbtouc
+ }
+
+ /* start sending data */
+- ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
++ ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
+ TSC10_CMD_DATA1,
+ USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
+ 0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
--- /dev/null
+From 0e8f0d67401589a141950856902c7d0ec8d9c985 Mon Sep 17 00:00:00 2001
+From: Al Viro <viro@zeniv.linux.org.uk>
+Date: Wed, 2 Jun 2021 14:48:21 -0400
+Subject: [xarray] iov_iter_fault_in_readable() should do nothing in xarray case
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.
+
+... and actually should just check it's given an iovec-backed iterator
+in the first place.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/iov_iter.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/iov_iter.c
++++ b/lib/iov_iter.c
+@@ -417,7 +417,7 @@ int iov_iter_fault_in_readable(struct io
+ int err;
+ struct iovec v;
+
+- if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
++ if (iter_is_iovec(i)) {
+ iterate_iovec(i, bytes, v, iov, skip, ({
+ err = fault_in_pages_readable(v.iov_base, v.iov_len);
+ if (unlikely(err))
--- /dev/null
+From c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 7 May 2021 14:50:43 +0200
+Subject: media: dvb-usb: fix wrong definition
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.
+
+syzbot reported WARNING in vmalloc. The problem
+was in zero size passed to vmalloc.
+
+The root case was in wrong cxusb_bluebird_lgz201_properties
+definition. adapter array has only 1 entry, but num_adapters was
+2.
+
+Call Trace:
+ __vmalloc_node mm/vmalloc.c:2963 [inline]
+ vmalloc+0x67/0x80 mm/vmalloc.c:2996
+ dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
+ dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
+ dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
+ dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
+ dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
+ cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634
+
+Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
+Cc: stable@vger.kernel.org
+Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Sean Young <sean@mess.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/cxusb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/cxusb.c
++++ b/drivers/media/usb/dvb-usb/cxusb.c
+@@ -1739,7 +1739,7 @@ static struct dvb_usb_device_properties
+
+ .size_of_priv = sizeof(struct cxusb_state),
+
+- .num_adapters = 2,
++ .num_adapters = 1,
+ .adapter = {
+ {
+ .num_frontends = 1,
--- /dev/null
+From ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 17 Jun 2021 21:51:30 +0300
+Subject: net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.
+
+In ems_usb_disconnect() dev pointer, which is netdev private data, is
+used after free_candev() call:
+| if (dev) {
+| unregister_netdev(dev->netdev);
+| free_candev(dev->netdev);
+|
+| unlink_all_urbs(dev);
+|
+| usb_free_urb(dev->intr_urb);
+|
+| kfree(dev->intr_in_buffer);
+| kfree(dev->tx_msg_buffer);
+| }
+
+Fix it by simply moving free_candev() at the end of the block.
+
+Fail log:
+| BUG: KASAN: use-after-free in ems_usb_disconnect
+| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
+|
+| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
+| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
+| Workqueue: usb_hub_wq hub_event
+| Call Trace:
+| dump_stack (lib/dump_stack.c:122)
+| print_address_description.constprop.0.cold (mm/kasan/report.c:234)
+| kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
+| ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)
+
+Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
+Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
+Cc: linux-stable <stable@vger.kernel.org>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/can/usb/ems_usb.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/can/usb/ems_usb.c
++++ b/drivers/net/can/usb/ems_usb.c
+@@ -1064,7 +1064,6 @@ static void ems_usb_disconnect(struct us
+
+ if (dev) {
+ unregister_netdev(dev->netdev);
+- free_candev(dev->netdev);
+
+ unlink_all_urbs(dev);
+
+@@ -1072,6 +1071,8 @@ static void ems_usb_disconnect(struct us
+
+ kfree(dev->intr_in_buffer);
+ kfree(dev->tx_msg_buffer);
++
++ free_candev(dev->netdev);
+ }
+ }
+
--- /dev/null
+From d98e4d95411bbde2220a7afa38dcc9c14d71acbe Mon Sep 17 00:00:00 2001
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Date: Mon, 28 Jun 2021 19:33:52 -0700
+Subject: ntfs: fix validity check for file name attribute
+
+From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+
+commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.
+
+When checking the file name attribute, we want to ensure that it fits
+within the bounds of ATTR_RECORD. To do this, we should check that (attr
+record + file name offset + file name length) < (attr record + attr record
+length).
+
+However, the original check did not include the file name offset in the
+calculation. This means that corrupted on-disk metadata might not caught
+by the incorrect file name check, and lead to an invalid memory access.
+
+An example can be seen in the crash report of a memory corruption error
+found by Syzbot:
+https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246
+
+Adding the file name offset to the validity check fixes this error and
+passes the Syzbot reproducer test.
+
+Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
+Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
+Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
+Acked-by: Anton Altaparmakov <anton@tuxera.com>
+Cc: Shuah Khan <skhan@linuxfoundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/ntfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ntfs/inode.c
++++ b/fs/ntfs/inode.c
+@@ -502,7 +502,7 @@ err_corrupt_attr:
+ }
+ file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
+ le16_to_cpu(attr->data.resident.value_offset));
+- p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
++ p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
+ if (p2 < (u8*)attr || p2 > p)
+ goto err_corrupt_attr;
+ /* This attribute is ok, but is it in the $Extend directory? */
--- /dev/null
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
--- /dev/null
+From 4897807753e078655a78de39ed76044d784f3e63 Mon Sep 17 00:00:00 2001
+From: Hannu Hartikainen <hannu@hrtk.in>
+Date: Tue, 22 Jun 2021 17:14:54 +0300
+Subject: USB: cdc-acm: blacklist Heimann USB Appset device
+
+From: Hannu Hartikainen <hannu@hrtk.in>
+
+commit 4897807753e078655a78de39ed76044d784f3e63 upstream.
+
+The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
+a CDC-ACM device in its descriptors but in fact is not. If it is run
+with echo disabled it returns garbled data, probably due to something
+that happens in the TTY layer. And when run with echo enabled (the
+default), it will mess up the calibration data of the sensor the first
+time any data is sent to the device.
+
+In short, I had a bad time after connecting the sensor and trying to get
+it to work. I hope blacklisting it in the cdc-acm driver will save
+someone else a bit of trouble.
+
+Signed-off-by: Hannu Hartikainen <hannu@hrtk.in>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -2014,6 +2014,11 @@ static const struct usb_device_id acm_id
+ .driver_info = IGNORE_DEVICE,
+ },
+
++ /* Exclude Heimann Sensor GmbH USB appset demo */
++ { USB_DEVICE(0x32a7, 0x0000),
++ .driver_info = IGNORE_DEVICE,
++ },
++
+ /* control interfaces without any protocol set */
+ { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
+ USB_CDC_PROTO_NONE) },
--- /dev/null
+From 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 Mon Sep 17 00:00:00 2001
+From: Linyu Yuan <linyyuan@codeaurora.com>
+Date: Wed, 16 Jun 2021 19:51:42 +0800
+Subject: usb: gadget: eem: fix echo command packet response issue
+
+From: Linyu Yuan <linyyuan@codeaurora.com>
+
+commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.
+
+when receive eem echo command, it will send a response,
+but queue this response to the usb request which allocate
+from gadget device endpoint zero,
+and transmit the request to IN endpoint of eem interface.
+
+on dwc3 gadget, it will trigger following warning in function
+__dwc3_gadget_ep_queue(),
+
+ if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
+ &req->request, req->dep->name))
+ return -EINVAL;
+
+fix it by allocating a usb request from IN endpoint of eem interface,
+and transmit the usb request to same IN endpoint of eem interface.
+
+Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/gadget/function/f_eem.c | 43 ++++++++++++++++++++++++++++++++----
+ 1 file changed, 39 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/gadget/function/f_eem.c
++++ b/drivers/usb/gadget/function/f_eem.c
+@@ -34,6 +34,11 @@ struct f_eem {
+ u8 ctrl_id;
+ };
+
++struct in_context {
++ struct sk_buff *skb;
++ struct usb_ep *ep;
++};
++
+ static inline struct f_eem *func_to_eem(struct usb_function *f)
+ {
+ return container_of(f, struct f_eem, port.func);
+@@ -327,9 +332,12 @@ fail:
+
+ static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
+ {
+- struct sk_buff *skb = (struct sk_buff *)req->context;
++ struct in_context *ctx = req->context;
+
+- dev_kfree_skb_any(skb);
++ dev_kfree_skb_any(ctx->skb);
++ kfree(req->buf);
++ usb_ep_free_request(ctx->ep, req);
++ kfree(ctx);
+ }
+
+ /*
+@@ -417,7 +425,9 @@ static int eem_unwrap(struct gether *por
+ * b15: bmType (0 == data, 1 == command)
+ */
+ if (header & BIT(15)) {
+- struct usb_request *req = cdev->req;
++ struct usb_request *req;
++ struct in_context *ctx;
++ struct usb_ep *ep;
+ u16 bmEEMCmd;
+
+ /* EEM command packet format:
+@@ -446,11 +456,36 @@ static int eem_unwrap(struct gether *por
+ skb_trim(skb2, len);
+ put_unaligned_le16(BIT(15) | BIT(11) | len,
+ skb_push(skb2, 2));
++
++ ep = port->in_ep;
++ req = usb_ep_alloc_request(ep, GFP_ATOMIC);
++ if (!req) {
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ req->buf = kmalloc(skb2->len, GFP_KERNEL);
++ if (!req->buf) {
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++
++ ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
++ if (!ctx) {
++ kfree(req->buf);
++ usb_ep_free_request(ep, req);
++ dev_kfree_skb_any(skb2);
++ goto next;
++ }
++ ctx->skb = skb2;
++ ctx->ep = ep;
++
+ skb_copy_bits(skb2, 0, req->buf, skb2->len);
+ req->length = skb2->len;
+ req->complete = eem_cmd_complete;
+ req->zero = 1;
+- req->context = skb2;
++ req->context = ctx;
+ if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
+ DBG(cdev, "echo response queue fail\n");
+ break;
--- /dev/null
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+alsa-usb-audio-fix-oob-access-at-proc-output.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+usb-dwc3-fix-debugfs-creation-flow.patch
+usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch
+xhci-solve-a-double-free-problem-while-doing-s4.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
--- /dev/null
+bluetooth-hci_qca-fix-potential-gpf.patch
+bluetooth-btqca-don-t-modify-firmware-contents-in-place.patch
+bluetooth-remove-spurious-error-message.patch
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+alsa-usb-audio-fix-oob-access-at-proc-output.patch
+alsa-firewire-motu-fix-stream-format-for-motu-8pre-firewire.patch
+alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch
+alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-450-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-445-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-630-g8.patch
+alsa-hda-realtek-add-another-alc236-variant-support.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-x360-830-g8.patch
+alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch
+alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch
+alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-830-g8-notebook-pc.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-renesas-xhci-fix-handling-of-unknown-rom-state.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+usb-dwc3-fix-debugfs-creation-flow.patch
+usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch
+xhci-solve-a-double-free-problem-while-doing-s4.patch
+gfs2-fix-underflow-in-gfs2_page_mkwrite.patch
+gfs2-fix-error-handling-in-init_statfs.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+selftests-lkdtm-avoid-needing-explicit-sub-shell.patch
+copy_page_to_iter-fix-iter_discard-case.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
--- /dev/null
+bluetooth-hci_qca-fix-potential-gpf.patch
+bluetooth-btqca-don-t-modify-firmware-contents-in-place.patch
+bluetooth-remove-spurious-error-message.patch
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+alsa-usb-audio-fix-oob-access-at-proc-output.patch
+alsa-firewire-motu-fix-stream-format-for-motu-8pre-firewire.patch
+alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch
+alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-450-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-445-g8.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-probook-630-g8.patch
+alsa-hda-realtek-add-another-alc236-variant-support.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-x360-830-g8.patch
+alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch
+alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch
+alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch
+alsa-hda-realtek-fix-mute-micmute-leds-for-hp-elitebook-830-g8-notebook-pc.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-renesas-xhci-fix-handling-of-unknown-rom-state.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+usb-dwc3-fix-debugfs-creation-flow.patch
+usb-typec-tcpci-fix-up-sink-disconnect-thresholds-for-pd.patch
+usb-typec-tcpm-relax-disconnect-threshold-during-power-negotiation.patch
+usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch
+xhci-solve-a-double-free-problem-while-doing-s4.patch
+mm-page_alloc-fix-memory-map-initialization-for-descending-nodes.patch
+gfs2-fix-underflow-in-gfs2_page_mkwrite.patch
+gfs2-fix-error-handling-in-init_statfs.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+selftests-lkdtm-avoid-needing-explicit-sub-shell.patch
+copy_page_to_iter-fix-iter_discard-case.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-elants_i2c-fix-null-dereference-at-probing.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
--- /dev/null
+alsa-usb-audio-fix-rate-on-ozone-z90-usb-headset.patch
+alsa-usb-audio-fix-oob-access-at-proc-output.patch
+alsa-usb-audio-scarlett2-fix-wrong-resume-call.patch
+alsa-intel8x0-fix-breakage-at-ac97-clock-measurement.patch
+alsa-hda-realtek-add-another-alc236-variant-support.patch
+alsa-hda-realtek-improve-fixup-for-hp-spectre-x360-15-df0xxx.patch
+alsa-hda-realtek-fix-bass-speaker-dac-mapping-for-asus-um431d.patch
+alsa-hda-realtek-apply-led-fixup-for-hp-dragonfly-g1-too.patch
+media-dvb-usb-fix-wrong-definition.patch
+input-usbtouchscreen-fix-control-request-directions.patch
+net-can-ems_usb-fix-use-after-free-in-ems_usb_disconnect.patch
+usb-gadget-eem-fix-echo-command-packet-response-issue.patch
+usb-cdc-acm-blacklist-heimann-usb-appset-device.patch
+usb-dwc3-fix-debugfs-creation-flow.patch
+usb-typec-add-the-missed-altmode_id_remove-in-typec_register_altmode.patch
+xhci-solve-a-double-free-problem-while-doing-s4.patch
+ntfs-fix-validity-check-for-file-name-attribute.patch
+copy_page_to_iter-fix-iter_discard-case.patch
+iov_iter_fault_in_readable-should-do-nothing-in-xarray-case.patch
+input-joydev-prevent-use-of-not-validated-data-in-jsiocsbtnmap-ioctl.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
