From: Greg Kroah-Hartman
Date: Wed, 17 Aug 2016 12:53:32 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v3.14.77~42
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1234b04ec663d535656ddcef66fa3a74bb4cfed5;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	arm64-debug-unmask-pstate.d-earlier.patch
	arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch
	usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch
	usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch
	usb-gadget-avoid-exposing-kernel-stack.patch
	usb-quirks-add-no-lpm-quirk-for-elan.patch
	usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch
	usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch
	usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch
	usb-usbfs-fix-potential-infoleak-in-devio.patch
---
diff --git a/queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch b/queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch new file mode 100644 index 00000000000..932d8f9c250 --- /dev/null +++ b/queue-4.4/arm64-debug-unmask-pstate.d-earlier.patch 
@@ -0,0 +1,89 @@ +From 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Tue, 19 Jul 2016 15:07:37 +0100 +Subject: arm64: debug: unmask PSTATE.D earlier + +From: Will Deacon + +commit 2ce39ad15182604beb6c8fa8bed5e46b59fd1082 upstream. + +Clearing PSTATE.D is one of the requirements for generating a debug +exception. The arm64 booting protocol requires that PSTATE.D is set, +since many of the debug registers (for example, the hw_breakpoint +registers) are UNKNOWN out of reset and could potentially generate +spurious, fatal debug exceptions in early boot code if PSTATE.D was +clear. Once the debug registers have been safely initialised, PSTATE.D +is cleared, however this is currently broken for two reasons: + +(1) The boot CPU clears PSTATE.D in a postcore_initcall and secondary + CPUs clear PSTATE.D in secondary_start_kernel. Since the initcall + runs after SMP (and the scheduler) have been initialised, there is + no guarantee that it is actually running on the boot CPU. In this + case, the boot CPU is left with PSTATE.D set and is not capable of + generating debug exceptions. + +(2) In a preemptible kernel, we may explicitly schedule on the IRQ + return path to EL1. If an IRQ occurs with PSTATE.D set in the idle + thread, then we may schedule the kthread_init thread, run the + postcore_initcall to clear PSTATE.D and then context switch back + to the idle thread before returning from the IRQ. The exception + return path will then restore PSTATE.D from the stack, and set it + again. + +This patch fixes the problem by moving the clearing of PSTATE.D earlier +to proc.S. This has the desirable effect of clearing it in one place for +all CPUs, long before we have to worry about the scheduler or any +exception handling. We ensure that the previous reset of MDSCR_EL1 has +completed before unmasking the exception, so that any spurious +exceptions resulting from UNKNOWN debug registers are not generated. 
+ +Without this patch applied, the kprobes selftests have been seen to fail +under KVM, where we end up attempting to step the OOL instruction buffer +with PSTATE.D set and therefore fail to complete the step. + +Acked-by: Mark Rutland +Reported-by: Catalin Marinas +Tested-by: Marc Zyngier +Signed-off-by: Will Deacon +Reviewed-by: Catalin Marinas +Tested-by: Catalin Marinas +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/debug-monitors.c | 1 - + arch/arm64/kernel/smp.c | 1 - + arch/arm64/mm/proc.S | 2 ++ + 3 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/debug-monitors.c ++++ b/arch/arm64/kernel/debug-monitors.c +@@ -152,7 +152,6 @@ static int debug_monitors_init(void) + /* Clear the OS lock. */ + on_each_cpu(clear_os_lock, NULL, 1); + isb(); +- local_dbg_enable(); + + /* Register hotplug handler. */ + __register_cpu_notifier(&os_lock_nb); +--- a/arch/arm64/kernel/smp.c ++++ b/arch/arm64/kernel/smp.c +@@ -188,7 +188,6 @@ asmlinkage void secondary_start_kernel(v + set_cpu_online(cpu, true); + complete(&cpu_running); + +- local_dbg_enable(); + local_irq_enable(); + local_async_enable(); + +--- a/arch/arm64/mm/proc.S ++++ b/arch/arm64/mm/proc.S +@@ -156,6 +156,8 @@ ENTRY(__cpu_setup) + msr cpacr_el1, x0 // Enable FP/ASIMD + mov x0, #1 << 12 // Reset mdscr_el1 and disable + msr mdscr_el1, x0 // access to the DCC from EL0 ++ isb // Unmask debug exceptions now, ++ enable_dbg // since this is per-cpu + reset_pmuserenr_el0 x0 // Disable PMU access from EL0 + /* + * Memory region attributes for LPAE: diff --git a/queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch b/queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch new file mode 100644 index 00000000000..f265a7939ef --- /dev/null +++ b/queue-4.4/arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch 
@@ -0,0 +1,91 @@ +From e19a6ee2460bdd0d0055a6029383422773f9999a Mon Sep 17 00:00:00 2001 +From: James Morse +Date: Mon, 20 Jun 2016 18:28:01 +0100 +Subject: arm64: kernel: Save and restore UAO and addr_limit on exception entry + +From: James Morse + +commit e19a6ee2460bdd0d0055a6029383422773f9999a upstream. + +If we take an exception while at EL1, the exception handler inherits +the original context's addr_limit and PSTATE.UAO values. To be consistent +always reset addr_limit and PSTATE.UAO on (re-)entry to EL1. This +prevents accidental re-use of the original context's addr_limit. + +Based on a similar patch for arm from Russell King. + +Cc: # 4.6- +Acked-by: Will Deacon +Reviewed-by: Mark Rutland +Signed-off-by: James Morse +Signed-off-by: Will Deacon +[ backport to stop perf misusing inherited addr_limit. + Removed code interacting with UAO and the irqstack ] +Link: https://bugs.chromium.org/p/project-zero/issues/detail?id=822 +Signed-off-by: James Morse +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm64/include/asm/ptrace.h | 2 ++ + arch/arm64/kernel/asm-offsets.c | 1 + + arch/arm64/kernel/entry.S | 15 ++++++++++++++- + 3 files changed, 17 insertions(+), 1 deletion(-) + +--- a/arch/arm64/include/asm/ptrace.h ++++ b/arch/arm64/include/asm/ptrace.h +@@ -117,6 +117,8 @@ struct pt_regs { + }; + u64 orig_x0; + u64 syscallno; ++ u64 orig_addr_limit; ++ u64 unused; // maintain 16 byte alignment + }; + + #define arch_has_single_step() (1) +--- a/arch/arm64/kernel/asm-offsets.c ++++ b/arch/arm64/kernel/asm-offsets.c +@@ -58,6 +58,7 @@ int main(void) + DEFINE(S_PC, offsetof(struct pt_regs, pc)); + DEFINE(S_ORIG_X0, offsetof(struct pt_regs, orig_x0)); + DEFINE(S_SYSCALLNO, offsetof(struct pt_regs, syscallno)); ++ DEFINE(S_ORIG_ADDR_LIMIT, offsetof(struct pt_regs, orig_addr_limit)); + DEFINE(S_FRAME_SIZE, sizeof(struct pt_regs)); + BLANK(); + DEFINE(MM_CONTEXT_ID, offsetof(struct mm_struct, context.id.counter)); +--- a/arch/arm64/kernel/entry.S ++++ 
b/arch/arm64/kernel/entry.S +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -93,7 +94,13 @@ + disable_step_tsk x19, x20 // exceptions when scheduling. + .else + add x21, sp, #S_FRAME_SIZE +- .endif ++ get_thread_info tsk ++ /* Save the task's original addr_limit and set USER_DS (TASK_SIZE_64) */ ++ ldr x20, [tsk, #TI_ADDR_LIMIT] ++ str x20, [sp, #S_ORIG_ADDR_LIMIT] ++ mov x20, #TASK_SIZE_64 ++ str x20, [tsk, #TI_ADDR_LIMIT] ++ .endif /* \el == 0 */ + mrs x22, elr_el1 + mrs x23, spsr_el1 + stp lr, x21, [sp, #S_LR] +@@ -117,6 +124,12 @@ + .endm + + .macro kernel_exit, el ++ .if \el != 0 ++ /* Restore the task's original addr_limit. */ ++ ldr x20, [sp, #S_ORIG_ADDR_LIMIT] ++ str x20, [tsk, #TI_ADDR_LIMIT] ++ .endif ++ + ldp x21, x22, [sp, #S_PC] // load ELR, SPSR + .if \el == 0 + ct_user_enter diff --git a/queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch b/queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch new file mode 100644 index 00000000000..e9eba0c8ff3 --- /dev/null +++ b/queue-4.4/usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch 
@@ -0,0 +1,42 @@ +From 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b Mon Sep 17 00:00:00 2001 +From: Konrad Leszczynski +Date: Mon, 8 Feb 2016 16:13:12 +0100 +Subject: usb: dwc3: fix for the isoc transfer EP_BUSY flag + +From: Konrad Leszczynski + +commit 9cad39fe4e4a4fe95d8ea5a7b0692b0a6e89e38b upstream. + +commit f3af36511e60 ("usb: dwc3: gadget: always +enable IOC on bulk/interrupt transfers") ended up +regressing Isochronous endpoints by clearing +DWC3_EP_BUSY flag too early, which resulted in +choppy audio playback over USB. + +Fix that by partially reverting original commit and +making sure that we check for isochronous endpoints. + +Fixes: f3af36511e60 ("usb: dwc3: gadget: always enable IOC + on bulk/interrupt transfers") +Signed-off-by: Konrad Leszczynski +Signed-off-by: Rafal Redzimski +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1965,6 +1965,10 @@ static int dwc3_cleanup_done_reqs(struct + return 1; + } + ++ if (usb_endpoint_xfer_isoc(dep->endpoint.desc)) ++ if ((event->status & DEPEVT_STATUS_IOC) && ++ (trb->ctrl & DWC3_TRB_CTRL_IOC)) ++ return 0; + return 1; + } + diff --git a/queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch b/queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch new file mode 100644 index 00000000000..b9803f7faff --- /dev/null +++ b/queue-4.4/usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch 
@@ -0,0 +1,51 @@ +From 0015f9156092d07b3ec06d37d014328419d5832e Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 28 May 2016 07:48:10 +0300 +Subject: usb: f_fs: off by one bug in _ffs_func_bind() + +From: Dan Carpenter + +commit 0015f9156092d07b3ec06d37d014328419d5832e upstream. + +This loop is supposed to set all the .num[] values to -1 but it's off by +one so it skips the first element and sets one element past the end of +the array. + +I've cleaned up the loop a little as well. + +Fixes: ddf8abd25994 ('USB: f_fs: the FunctionFS driver') +Acked-by: Michal Nazarewicz +Signed-off-by: Dan Carpenter +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -2740,6 +2740,7 @@ static int _ffs_func_bind(struct usb_con + func->ffs->ss_descs_count; + + int fs_len, hs_len, ss_len, ret, i; ++ struct ffs_ep *eps_ptr; + + /* Make it a single chunk, less management later on */ + vla_group(d); +@@ -2788,12 +2789,9 @@ static int _ffs_func_bind(struct usb_con + ffs->raw_descs_length); + + memset(vla_ptr(vlabuf, d, inums), 0xff, d_inums__sz); +- for (ret = ffs->eps_count; ret; --ret) { +- struct ffs_ep *ptr; +- +- ptr = vla_ptr(vlabuf, d, eps); +- ptr[ret].num = -1; +- } ++ eps_ptr = vla_ptr(vlabuf, d, eps); ++ for (i = 0; i < ffs->eps_count; i++) ++ eps_ptr[i].num = -1; + + /* Save pointers + * d_eps == vlabuf, func->eps used to kfree vlabuf later diff --git a/queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch b/queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch new file mode 100644 index 00000000000..9d7029c2720 --- /dev/null +++ b/queue-4.4/usb-gadget-avoid-exposing-kernel-stack.patch 
@@ -0,0 +1,31 @@ +From ffeee83aa0461992e8a99a59db2df31933e60362 Mon Sep 17 00:00:00 2001 +From: Heinrich Schuchardt +Date: Sun, 8 May 2016 23:20:59 +0200 +Subject: usb: gadget: avoid exposing kernel stack + +From: Heinrich Schuchardt + +commit ffeee83aa0461992e8a99a59db2df31933e60362 upstream. + +Function in_rq_cur copies random bytes from the stack. +Zero the memory instead. + +Fixes: 132fcb460839 ("usb: gadget: Add Audio Class 2.0 Driver") +Signed-off-by: Heinrich Schuchardt +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uac2.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/gadget/function/f_uac2.c ++++ b/drivers/usb/gadget/function/f_uac2.c +@@ -1291,6 +1291,7 @@ in_rq_cur(struct usb_function *fn, const + + if (control_selector == UAC2_CS_CONTROL_SAM_FREQ) { + struct cntrl_cur_lay3 c; ++ memset(&c, 0, sizeof(struct cntrl_cur_lay3)); + + if (entity_id == USB_IN_CLK_ID) + c.dCUR = p_srate; diff --git a/queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch b/queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch new file mode 100644 index 00000000000..a0912bd52dd --- /dev/null +++ b/queue-4.4/usb-quirks-add-no-lpm-quirk-for-elan.patch 
@@ -0,0 +1,35 @@ +From 25b1f9acc452209ae0fcc8c1332be852b5c52f53 Mon Sep 17 00:00:00 2001 +From: Joseph Salisbury +Date: Wed, 6 Jul 2016 21:18:51 -0400 +Subject: usb: quirks: Add no-lpm quirk for Elan + +From: Joseph Salisbury + +commit 25b1f9acc452209ae0fcc8c1332be852b5c52f53 upstream. + +BugLink: http://bugs.launchpad.net/bugs/1498667 + +As reported in BugLink, this device has an issue with Linux Power +Management so adding a quirk. This quirk was reccomended by Alan Stern: + +http://lkml.iu.edu/hypermail/linux/kernel/1606.2/05590.html + +Signed-off-by: Joseph Salisbury +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -128,6 +128,9 @@ static const struct usb_device_id usb_qu + { USB_DEVICE(0x04f3, 0x016f), .driver_info = + USB_QUIRK_DEVICE_QUALIFIER }, + ++ { USB_DEVICE(0x04f3, 0x0381), .driver_info = ++ USB_QUIRK_NO_LPM }, ++ + { USB_DEVICE(0x04f3, 0x21b8), .driver_info = + USB_QUIRK_DEVICE_QUALIFIER }, + diff --git a/queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch b/queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch new file mode 100644 index 00000000000..ae985b304e0 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch 
@@ -0,0 +1,79 @@ +From 4fdef698383db07d829da567e0e405fc41ff3a89 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Wed, 8 Jun 2016 16:32:49 +0900 +Subject: usb: renesas_usbhs: fix NULL pointer dereference in xfer_work() + +From: Yoshihiro Shimoda + +commit 4fdef698383db07d829da567e0e405fc41ff3a89 upstream. + +This patch fixes an issue that the xfer_work() is possible to cause +NULL pointer dereference if the usb cable is disconnected while data +transfer is running. + +In such case, a gadget driver may call usb_ep_disable()) before +xfer_work() is actually called. In this case, the usbhs_pkt_pop() +will call usbhsf_fifo_unselect(), and then usbhs_pipe_to_fifo() +in xfer_work() will return NULL. + +Fixes: e73a989 ("usb: renesas_usbhs: add DMAEngine support") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/fifo.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/drivers/usb/renesas_usbhs/fifo.c ++++ b/drivers/usb/renesas_usbhs/fifo.c +@@ -808,20 +808,27 @@ static void xfer_work(struct work_struct + { + struct usbhs_pkt *pkt = container_of(work, struct usbhs_pkt, work); + struct usbhs_pipe *pipe = pkt->pipe; +- struct usbhs_fifo *fifo = usbhs_pipe_to_fifo(pipe); ++ struct usbhs_fifo *fifo; + struct usbhs_priv *priv = usbhs_pipe_to_priv(pipe); + struct dma_async_tx_descriptor *desc; +- struct dma_chan *chan = usbhsf_dma_chan_get(fifo, pkt); ++ struct dma_chan *chan; + struct device *dev = usbhs_priv_to_dev(priv); + enum dma_transfer_direction dir; ++ unsigned long flags; + ++ usbhs_lock(priv, flags); ++ fifo = usbhs_pipe_to_fifo(pipe); ++ if (!fifo) ++ goto xfer_work_end; ++ ++ chan = usbhsf_dma_chan_get(fifo, pkt); + dir = usbhs_pipe_is_dir_in(pipe) ? 
DMA_DEV_TO_MEM : DMA_MEM_TO_DEV; + + desc = dmaengine_prep_slave_single(chan, pkt->dma + pkt->actual, + pkt->trans, dir, + DMA_PREP_INTERRUPT | DMA_CTRL_ACK); + if (!desc) +- return; ++ goto xfer_work_end; + + desc->callback = usbhsf_dma_complete; + desc->callback_param = pipe; +@@ -829,7 +836,7 @@ static void xfer_work(struct work_struct + pkt->cookie = dmaengine_submit(desc); + if (pkt->cookie < 0) { + dev_err(dev, "Failed to submit dma descriptor\n"); +- return; ++ goto xfer_work_end; + } + + dev_dbg(dev, " %s %d (%d/ %d)\n", +@@ -840,6 +847,9 @@ static void xfer_work(struct work_struct + usbhs_pipe_set_trans_count_if_bulk(pipe, pkt->trans); + dma_async_issue_pending(chan); + usbhs_pipe_enable(pipe); ++ ++xfer_work_end: ++ usbhs_unlock(priv, flags); + } + + /* diff --git a/queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch b/queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch new file mode 100644 index 00000000000..b76f05282b7 --- /dev/null +++ b/queue-4.4/usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch 
@@ -0,0 +1,69 @@ +From 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Wed, 8 Jun 2016 16:32:50 +0900 +Subject: usb: renesas_usbhs: protect the CFIFOSEL setting in usbhsg_ep_enable() + +From: Yoshihiro Shimoda + +commit 15e4292a2d21e9997fdb2b8c014cc461b3f268f0 upstream. + +This patch fixes an issue that the CFIFOSEL register value is possible +to be changed by usbhsg_ep_enable() wrongly. And then, a data transfer +using CFIFO may not work correctly. + +For example: + # modprobe g_multi file=usb-storage.bin + # ifconfig usb0 192.168.1.1 up + (During the USB host is sending file to the mass storage) + # ifconfig usb0 down + +In this case, since the u_ether.c may call usb_ep_enable() in +eth_stop(), if the renesas_usbhs driver is also using CFIFO for +mass storage, the mass storage may not work correctly. + +So, this patch adds usbhs_lock() and usbhs_unlock() calling in +usbhsg_ep_enable() to protect CFIFOSEL register. This is because: + - CFIFOSEL.CURPIPE = 0 is also needed for the pipe configuration + - The CFIFOSEL (fifo->sel) is already protected by usbhs_lock() + +Fixes: 97664a207bc2 ("usb: renesas_usbhs: shrink spin lock area") +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/renesas_usbhs/mod_gadget.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/usb/renesas_usbhs/mod_gadget.c ++++ b/drivers/usb/renesas_usbhs/mod_gadget.c +@@ -586,6 +586,9 @@ static int usbhsg_ep_enable(struct usb_e + struct usbhs_priv *priv = usbhsg_gpriv_to_priv(gpriv); + struct usbhs_pipe *pipe; + int ret = -EIO; ++ unsigned long flags; ++ ++ usbhs_lock(priv, flags); + + /* + * if it already have pipe, +@@ -594,7 +597,8 @@ static int usbhsg_ep_enable(struct usb_e + if (uep->pipe) { + usbhs_pipe_clear(uep->pipe); + usbhs_pipe_sequence_data0(uep->pipe); +- return 0; ++ ret = 0; ++ goto usbhsg_ep_enable_end; + } + + pipe = 
usbhs_pipe_malloc(priv, +@@ -622,6 +626,9 @@ static int usbhsg_ep_enable(struct usb_e + ret = 0; + } + ++usbhsg_ep_enable_end: ++ usbhs_unlock(priv, flags); ++ + return ret; + } + diff --git a/queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch b/queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch new file mode 100644 index 00000000000..93b2eba8bc0 --- /dev/null +++ b/queue-4.4/usb-serial-option-add-support-for-telit-le910-pid-0x1206.patch 
@@ -0,0 +1,41 @@ +From 3c0415fa08548e3bc63ef741762664497ab187ed Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Mon, 6 Jun 2016 12:38:17 +0200 +Subject: USB: serial: option: add support for Telit LE910 PID 0x1206 + +From: Daniele Palmas + +commit 3c0415fa08548e3bc63ef741762664497ab187ed upstream. + +This patch adds support for 0x1206 PID of Telit LE910. + +Since the interfaces positions are the same than the ones for +0x1043 PID of Telit LE922, telit_le922_blacklist_usbcfg3 is used. + +Signed-off-by: Daniele Palmas +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -273,6 +273,7 @@ static void option_instat_callback(struc + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 ++#define TELIT_PRODUCT_LE910_USBCFG4 0x1206 + + /* ZTE PRODUCTS */ + #define ZTE_VENDOR_ID 0x19d2 +@@ -1198,6 +1199,8 @@ static const struct usb_device_id option + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), ++ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE920), + .driver_info = (kernel_ulong_t)&telit_le920_blacklist }, + { USB_DEVICE_AND_INTERFACE_INFO(ZTE_VENDOR_ID, ZTE_PRODUCT_MF622, 0xff, 0xff, 0xff) }, /* ZTE WCDMA products */ diff --git a/queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch b/queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch new file mode 100644 index 00000000000..f786de4f81c --- /dev/null +++ b/queue-4.4/usb-usbfs-fix-potential-infoleak-in-devio.patch 
@@ -0,0 +1,42 @@ +From 681fef8380eb818c0b845fca5d2ab1dcbab114ee Mon Sep 17 00:00:00 2001 +From: Kangjie Lu +Date: Tue, 3 May 2016 16:32:16 -0400 +Subject: USB: usbfs: fix potential infoleak in devio +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kangjie Lu + +commit 681fef8380eb818c0b845fca5d2ab1dcbab114ee upstream. + +The stack object “ci” has a total size of 8 bytes. Its last 3 bytes +are padding bytes which are not initialized and leaked to userland +via “copy_to_user”. + +Signed-off-by: Kangjie Lu +Signed-off-by: Chas Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -1203,10 +1203,11 @@ static int proc_getdriver(struct usb_dev + + static int proc_connectinfo(struct usb_dev_state *ps, void __user *arg) + { +- struct usbdevfs_connectinfo ci = { +- .devnum = ps->dev->devnum, +- .slow = ps->dev->speed == USB_SPEED_LOW +- }; ++ struct usbdevfs_connectinfo ci; ++ ++ memset(&ci, 0, sizeof(ci)); ++ ci.devnum = ps->dev->devnum; ++ ci.slow = ps->dev->speed == USB_SPEED_LOW; + + if (copy_to_user(arg, &ci, sizeof(ci))) + return -EFAULT;
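Review bot: In the arch/arm64/mm/proc.S hunk of arm64-debug-unmask-pstate.d-earlier.patch, the comment on the added `isb` / `enable_dbg` pair says only that the unmask is per-cpu and does not say why the barrier is there. The commit message gives the reason (the reset of MDSCR_EL1 must have completed before debug exceptions are unmasked), and that ordering requirement belongs in the code comment so that a later cleanup does not drop or move the `isb`.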
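Review bot: In the kernel_exit hunk of arch/arm64/kernel/entry.S (arm64-kernel-save-and-restore-uao-and-addr_limit-on-exception-entry.patch), the restore `str x20, [tsk, #TI_ADDR_LIMIT]` uses tsk without reloading it, so it depends on the `get_thread_info tsk` added to kernel_entry still being live in that register when the handler returns. Say so in the comment above the restore, or reload tsk there, since the two halves sit in different macros and the dependency is easy to break when either one is edited.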
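Review bot: In the drivers/usb/dwc3/gadget.c hunk of usb-dwc3-fix-for-the-isoc-transfer-ep_busy-flag.patch, the added check nests a multi-line `if` inside an outer `if (usb_endpoint_xfer_isoc(dep->endpoint.desc))` with no braces, which reads ambiguously next to the following `return 1;`. Either brace the outer `if` or fold the three conditions into one `&&` expression so it is obvious that `return 0` applies only to isochronous endpoints with IOC set in both the event status and the TRB.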
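Review bot: In the second drivers/usb/gadget/function/f_fs.c hunk of usb-f_fs-off-by-one-bug-in-_ffs_func_bind.patch, the removed loop counted `ret` down to zero, so `ret` was 0 when the loop finished, while the new loop indexes with `i` and leaves `ret` untouched. `ret` is declared without an initializer in the first hunk, so confirm that nothing after this point reads it before assigning it; the visible context does not show the rest of the function.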
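Review bot: In the drivers/usb/gadget/function/f_uac2.c hunk of usb-gadget-avoid-exposing-kernel-stack.patch, the added `memset(&c, 0, sizeof(struct cntrl_cur_lay3));` repeats the type name instead of using `sizeof(c)`, so the size would silently go stale if the type of `c` ever changed. Use `sizeof(c)`, as the devio.c fix in this same queue does with `sizeof(ci)`, and leave a blank line between the declaration and the memset.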
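Review bot: In the xfer_work() hunks of drivers/usb/renesas_usbhs/fifo.c (usb-renesas_usbhs-fix-null-pointer-dereference-in-xfer_work.patch), usbhs_lock() is taken before the fifo lookup and only released at the new `xfer_work_end` label, so dmaengine_prep_slave_single(), dmaengine_submit(), dma_async_issue_pending() and the dev_err() path all run under the lock. The `flags` argument suggests this is an interrupt-saving lock, so either add a comment stating that the whole submit sequence must be covered to keep the fifo from being unselected underneath it, or narrow the critical section to the part that needs it.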
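Review bot: In the usbhsg_ep_enable() hunks of drivers/usb/renesas_usbhs/mod_gadget.c (usb-renesas_usbhs-protect-the-cfifosel-setting-in-usbhsg_ep_enable.patch), the lock is taken at the top of the function, which puts the existing `pipe = usbhs_pipe_malloc(priv,` call inside the locked region. Confirm that usbhs_pipe_malloc() and everything else between usbhs_lock() and the `usbhsg_ep_enable_end` label is safe to call with the lock held, and note in a comment that the lock is there for the CFIFOSEL setting, as the commit message explains.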
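Review bot: In the proc_connectinfo() hunk of drivers/usb/core/devio.c (usb-usbfs-fix-potential-infoleak-in-devio.patch), the designated initializer is replaced by memset() plus two assignments with no comment, and the two forms look equivalent to anyone who has not read the commit message. Add a one-line comment above the memset saying that it clears the padding bytes of `ci` before copy_to_user(), so the code is not later converted back to an initializer.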