From: Greg Kroah-Hartman Date: Sun, 13 Jun 2021 12:22:03 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.273~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=208ba951a2c319787232fd29124291fd1f58bf8d;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch cgroup1-don-t-allow-n-in-renaming.patch kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch usb-dwc3-ep0-fix-null-pointer-exception.patch usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch usb-gadget-eem-fix-wrong-eem-header-operation.patch usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch usb-serial-quatech2-fix-control-request-directions.patch --- diff --git a/queue-4.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch b/queue-4.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch new file mode 100644 index 00000000000..a1a32b434bb --- /dev/null +++ b/queue-4.4/btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch 
@@ -0,0 +1,42 @@ +From e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb Mon Sep 17 00:00:00 2001 +From: Ritesh Harjani +Date: Sun, 30 May 2021 20:24:05 +0530 +Subject: btrfs: return value from btrfs_mark_extent_written() in case of error + +From: Ritesh Harjani + +commit e7b2ec3d3d4ebeb4cff7ae45cf430182fa6a49fb upstream. + +We always return 0 even in case of an error in btrfs_mark_extent_written(). +Fix it to return proper error value in case of a failure. All callers +handle it. + +CC: stable@vger.kernel.org # 4.4+ +Signed-off-by: Ritesh Harjani +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Greg Kroah-Hartman +--- + fs/btrfs/file.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/btrfs/file.c ++++ b/fs/btrfs/file.c +@@ -1089,7 +1089,7 @@ int btrfs_mark_extent_written(struct btr + int del_nr = 0; + int del_slot = 0; + int recow; +- int ret; ++ int ret = 0; + u64 ino = btrfs_ino(inode); + + path = btrfs_alloc_path(); +@@ -1284,7 +1284,7 @@ again: + } + out: + btrfs_free_path(path); +- return 0; ++ return ret; + } + + /* diff --git a/queue-4.4/cgroup1-don-t-allow-n-in-renaming.patch b/queue-4.4/cgroup1-don-t-allow-n-in-renaming.patch new file mode 100644 index 00000000000..53fce82f165 --- /dev/null +++ b/queue-4.4/cgroup1-don-t-allow-n-in-renaming.patch 
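Review bot: Returning `ret` at the `out:` label makes the result of btrfs_mark_extent_written() depend on every assignment to `ret` between the new `int ret = 0;` and the label, and those lines fall outside both hunks. If a successful path leaves a positive value in `ret` (for instance a search helper's "not found" result), that value would now reach callers, so it is worth confirming for the 4.4 tree that each path arrives at `out:` with 0 or a negative errno. The statement "All callers handle it" was written against upstream; the 4.4 callers are not visible here and should be checked as part of the backport. A one-line comment above the label, such as `/* ret: 0 on success, negative errno on failure */`, would document the contract the fix now relies on.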
@@ -0,0 +1,57 @@ +From b7e24eb1caa5f8da20d405d262dba67943aedc42 Mon Sep 17 00:00:00 2001 +From: Alexander Kuznetsov +Date: Wed, 9 Jun 2021 10:17:19 +0300 +Subject: cgroup1: don't allow '\n' in renaming + +From: Alexander Kuznetsov + +commit b7e24eb1caa5f8da20d405d262dba67943aedc42 upstream. + +cgroup_mkdir() have restriction on newline usage in names: +$ mkdir $'/sys/fs/cgroup/cpu/test\ntest2' +mkdir: cannot create directory +'/sys/fs/cgroup/cpu/test\ntest2': Invalid argument + +But in cgroup1_rename() such check is missed. +This allows us to make /proc//cgroup unparsable: +$ mkdir /sys/fs/cgroup/cpu/test +$ mv /sys/fs/cgroup/cpu/test $'/sys/fs/cgroup/cpu/test\ntest2' +$ echo $$ > $'/sys/fs/cgroup/cpu/test\ntest2' +$ cat /proc/self/cgroup +11:pids:/ +10:freezer:/ +9:hugetlb:/ +8:cpuset:/ +7:blkio:/user.slice +6:memory:/user.slice +5:net_cls,net_prio:/ +4:perf_event:/ +3:devices:/user.slice +2:cpu,cpuacct:/test +test2 +1:name=systemd:/ +0::/ + +Signed-off-by: Alexander Kuznetsov +Reported-by: Andrey Krasichkov +Acked-by: Dmitry Yakunin +Cc: stable@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman +--- + kernel/cgroup.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -3310,6 +3310,10 @@ static int cgroup_rename(struct kernfs_n + struct cgroup *cgrp = kn->priv; + int ret; + ++ /* do not accept '\n' to prevent making /proc//cgroup unparsable */ ++ if (strchr(new_name_str, '\n')) ++ return -EINVAL; ++ + if (kernfs_type(kn) != KERNFS_DIR) + return -ENOTDIR; + if (kn->parent != new_parent) diff --git a/queue-4.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch b/queue-4.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch new file mode 100644 index 00000000000..214fd660b46 --- /dev/null +++ b/queue-4.4/kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch 
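Review bot: The newline rejection added to cgroup_rename() is a second copy of a rule that, per the commit message, cgroup_mkdir() already enforces, so the two checks can drift apart again. A small shared name-validation helper called from both paths would keep the rule in one place; cgroup_mkdir() is outside this hunk, so this is inferred from the description. The check also runs before the `kernfs_type(kn) != KERNFS_DIR` test, so renaming a non-directory to a name containing a newline now returns -EINVAL rather than -ENOTDIR, which is harmless but worth noting. The added comment reads `/proc//cgroup` on this page and presumably means `/proc/<pid>/cgroup`.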
@@ -0,0 +1,83 @@ +From da27a83fd6cc7780fea190e1f5c19e87019da65c Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Tue, 8 Jun 2021 15:31:42 -0400 +Subject: kvm: avoid speculation-based attacks from out-of-range memslot accesses + +From: Paolo Bonzini + +commit da27a83fd6cc7780fea190e1f5c19e87019da65c upstream. + +KVM's mechanism for accessing guest memory translates a guest physical +address (gpa) to a host virtual address using the right-shifted gpa +(also known as gfn) and a struct kvm_memory_slot. The translation is +performed in __gfn_to_hva_memslot using the following formula: + + hva = slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE + +It is expected that gfn falls within the boundaries of the guest's +physical memory. However, a guest can access invalid physical addresses +in such a way that the gfn is invalid. + +__gfn_to_hva_memslot is called from kvm_vcpu_gfn_to_hva_prot, which first +retrieves a memslot through __gfn_to_memslot. While __gfn_to_memslot +does check that the gfn falls within the boundaries of the guest's +physical memory or not, a CPU can speculate the result of the check and +continue execution speculatively using an illegal gfn. The speculation +can result in calculating an out-of-bounds hva. If the resulting host +virtual address is used to load another guest physical address, this +is effectively a Spectre gadget consisting of two consecutive reads, +the second of which is data dependent on the first. + +Right now it's not clear if there are any cases in which this is +exploitable. One interesting case was reported by the original author +of this patch, and involves visiting guest page tables on x86. Right +now these are not vulnerable because the hva read goes through get_user(), +which contains an LFENCE speculation barrier. However, there are +patches in progress for x86 uaccess.h to mask kernel addresses instead of +using LFENCE; once these land, a guest could use speculation to read +from the VMM's ring 3 address space. 
Other architectures such as ARM +already use the address masking method, and would be susceptible to +this same kind of data-dependent access gadgets. Therefore, this patch +proactively protects from these attacks by masking out-of-bounds gfns +in __gfn_to_hva_memslot, which blocks speculation of invalid hvas. + +Sean Christopherson noted that this patch does not cover +kvm_read_guest_offset_cached. This however is limited to a few bytes +past the end of the cache, and therefore it is unlikely to be useful in +the context of building a chain of data dependent accesses. + +Reported-by: Artemiy Margaritov +Co-developed-by: Artemiy Margaritov +Signed-off-by: Paolo Bonzini +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/kvm_host.h | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/include/linux/kvm_host.h ++++ b/include/linux/kvm_host.h +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -952,7 +953,15 @@ __gfn_to_memslot(struct kvm_memslots *sl + static inline unsigned long + __gfn_to_hva_memslot(struct kvm_memory_slot *slot, gfn_t gfn) + { +- return slot->userspace_addr + (gfn - slot->base_gfn) * PAGE_SIZE; ++ /* ++ * The index was checked originally in search_memslots. To avoid ++ * that a malicious guest builds a Spectre gadget out of e.g. page ++ * table walks, do not let the processor speculate loads outside ++ * the guest's registered memslots. ++ */ ++ unsigned long offset = array_index_nospec(gfn - slot->base_gfn, ++ slot->npages); ++ return slot->userspace_addr + offset * PAGE_SIZE; + } + + static inline int memslot_id(struct kvm *kvm, gfn_t gfn) diff --git a/queue-4.4/series b/queue-4.4/series index e983b3a6dde..208d0e721a9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
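Review bot: `array_index_nospec(gfn - slot->base_gfn, slot->npages)` hands a gfn_t expression, which is 64-bit in KVM, straight to the macro. The macro works in terms of unsigned long and, as far as its definition goes, rejects at build time an index wider than long, so 32-bit hosts are affected. Narrowing first keeps the masking and avoids that: `unsigned long offset = gfn - slot->base_gfn;` followed by `offset = array_index_nospec(offset, slot->npages);`. Separately, for an index that is architecturally out of range the macro yields 0, so the function returns the slot's first page rather than an out-of-range address. The comment could state that callers must already have validated gfn against the slot. The name of the header added in the first hunk is not legible on this page, and the 4.4 tree must carry the nospec helper for this to build.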
@@ -16,3 +16,12 @@ powerpc-fsl-set-fsl-i2c-erratum-a004447-flag-for-p20.patch powerpc-fsl-set-fsl-i2c-erratum-a004447-flag-for-p10.patch i2c-mpc-make-use-of-i2c_recover_bus.patch i2c-mpc-implement-erratum-a-004447-workaround.patch +kvm-avoid-speculation-based-attacks-from-out-of-range-memslot-accesses.patch +btrfs-return-value-from-btrfs_mark_extent_written-in-case-of-error.patch +cgroup1-don-t-allow-n-in-renaming.patch +usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch +usb-dwc3-ep0-fix-null-pointer-exception.patch +usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch +usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch +usb-serial-quatech2-fix-control-request-directions.patch +usb-gadget-eem-fix-wrong-eem-header-operation.patch diff --git a/queue-4.4/usb-dwc3-ep0-fix-null-pointer-exception.patch b/queue-4.4/usb-dwc3-ep0-fix-null-pointer-exception.patch new file mode 100644 index 00000000000..c93ade75c05 --- /dev/null +++ b/queue-4.4/usb-dwc3-ep0-fix-null-pointer-exception.patch 
@@ -0,0 +1,67 @@ +From d00889080ab60051627dab1d85831cd9db750e2a Mon Sep 17 00:00:00 2001 +From: Marian-Cristian Rotariu +Date: Tue, 8 Jun 2021 19:26:50 +0300 +Subject: usb: dwc3: ep0: fix NULL pointer exception + +From: Marian-Cristian Rotariu + +commit d00889080ab60051627dab1d85831cd9db750e2a upstream. + +There is no validation of the index from dwc3_wIndex_to_dep() and we might +be referring a non-existing ep and trigger a NULL pointer exception. In +certain configurations we might use fewer eps and the index might wrongly +indicate a larger ep index than existing. + +By adding this validation from the patch we can actually report a wrong +index back to the caller. + +In our usecase we are using a composite device on an older kernel, but +upstream might use this fix also. Unfortunately, I cannot describe the +hardware for others to reproduce the issue as it is a proprietary +implementation. + +[ 82.958261] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a4 +[ 82.966891] Mem abort info: +[ 82.969663] ESR = 0x96000006 +[ 82.972703] Exception class = DABT (current EL), IL = 32 bits +[ 82.978603] SET = 0, FnV = 0 +[ 82.981642] EA = 0, S1PTW = 0 +[ 82.984765] Data abort info: +[ 82.987631] ISV = 0, ISS = 0x00000006 +[ 82.991449] CM = 0, WnR = 0 +[ 82.994409] user pgtable: 4k pages, 39-bit VAs, pgdp = 00000000c6210ccc +[ 83.000999] [00000000000000a4] pgd=0000000053aa5003, pud=0000000053aa5003, pmd=0000000000000000 +[ 83.009685] Internal error: Oops: 96000006 [#1] PREEMPT SMP +[ 83.026433] Process irq/62-dwc3 (pid: 303, stack limit = 0x000000003985154c) +[ 83.033470] CPU: 0 PID: 303 Comm: irq/62-dwc3 Not tainted 4.19.124 #1 +[ 83.044836] pstate: 60000085 (nZCv daIf -PAN -UAO) +[ 83.049628] pc : dwc3_ep0_handle_feature+0x414/0x43c +[ 83.054558] lr : dwc3_ep0_interrupt+0x3b4/0xc94 + +... 
+ +[ 83.141788] Call trace: +[ 83.144227] dwc3_ep0_handle_feature+0x414/0x43c +[ 83.148823] dwc3_ep0_interrupt+0x3b4/0xc94 +[ 83.181546] ---[ end trace aac6b5267d84c32f ]--- + +Signed-off-by: Marian-Cristian Rotariu +Cc: stable +Link: https://lore.kernel.org/r/20210608162650.58426-1-marian.c.rotariu@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/dwc3/ep0.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/dwc3/ep0.c ++++ b/drivers/usb/dwc3/ep0.c +@@ -331,6 +331,9 @@ static struct dwc3_ep *dwc3_wIndex_to_de + epnum |= 1; + + dep = dwc->eps[epnum]; ++ if (dep == NULL) ++ return NULL; ++ + if (dep->flags & DWC3_EP_ENABLED) + return dep; + diff --git a/queue-4.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch b/queue-4.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch new file mode 100644 index 00000000000..5b13503f1ff --- /dev/null +++ b/queue-4.4/usb-f_ncm-ncm_bitrate-speed-is-unsigned.patch 
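Review bot: The added `dep == NULL` test covers an unpopulated slot in `dwc->eps[]`, but the bound on `epnum` itself is established above the hunk and cannot be checked from here. Because wIndex arrives in the host's control request, it is worth confirming that the lines computing `epnum` mask it to the size of the `eps` array. A comment at the lookup would record that, e.g. `/* epnum is bounded by the mask above; the slot may still be unpopulated */`. Kernel style would also write the test as `if (!dep)`. dwc3_wIndex_to_dep() starts and ends outside the hunk.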
@@ -0,0 +1,43 @@ +From 3370139745853f7826895293e8ac3aec1430508e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Maciej=20=C5=BBenczykowski?= +Date: Mon, 7 Jun 2021 17:53:44 -0700 +Subject: USB: f_ncm: ncm_bitrate (speed) is unsigned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Maciej Żenczykowski + +commit 3370139745853f7826895293e8ac3aec1430508e upstream. + +[ 190.544755] configfs-gadget gadget: notify speed -44967296 + +This is because 4250000000 - 2**32 is -44967296. + +Fixes: 9f6ce4240a2b ("usb: gadget: f_ncm.c added") +Cc: Brooke Basile +Cc: Bryan O'Donoghue +Cc: Felipe Balbi +Cc: Lorenzo Colitti +Cc: Yauheni Kaliuta +Cc: Linux USB Mailing List +Acked-By: Lorenzo Colitti +Signed-off-by: Maciej Żenczykowski +Cc: stable +Link: https://lore.kernel.org/r/20210608005344.3762668-1-zenczykowski@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_ncm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_ncm.c ++++ b/drivers/usb/gadget/function/f_ncm.c +@@ -514,7 +514,7 @@ static void ncm_do_notify(struct f_ncm * + data[0] = cpu_to_le32(ncm_bitrate(cdev->gadget)); + data[1] = data[0]; + +- DBG(cdev, "notify speed %d\n", ncm_bitrate(cdev->gadget)); ++ DBG(cdev, "notify speed %u\n", ncm_bitrate(cdev->gadget)); + ncm->notify_state = NCM_NOTIFY_CONNECT; + break; + } diff --git a/queue-4.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch b/queue-4.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch new file mode 100644 index 00000000000..63adc90b34a --- /dev/null +++ b/queue-4.4/usb-gadget-eem-fix-wrong-eem-header-operation.patch 
@@ -0,0 +1,41 @@ +From 305f670846a31a261462577dd0b967c4fa796871 Mon Sep 17 00:00:00 2001 +From: Linyu Yuan +Date: Wed, 9 Jun 2021 07:35:47 +0800 +Subject: usb: gadget: eem: fix wrong eem header operation + +From: Linyu Yuan + +commit 305f670846a31a261462577dd0b967c4fa796871 upstream. + +when skb_clone() or skb_copy_expand() fail, +it should pull skb with lengh indicated by header, +or not it will read network data and check it as header. + +Cc: +Signed-off-by: Linyu Yuan +Link: https://lore.kernel.org/r/20210608233547.3767-1-linyyuan@codeaurora.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/gadget/function/f_eem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/gadget/function/f_eem.c ++++ b/drivers/usb/gadget/function/f_eem.c +@@ -498,7 +498,7 @@ static int eem_unwrap(struct gether *por + skb2 = skb_clone(skb, GFP_ATOMIC); + if (unlikely(!skb2)) { + DBG(cdev, "unable to unframe EEM packet\n"); +- continue; ++ goto next; + } + skb_trim(skb2, len - ETH_FCS_LEN); + +@@ -509,7 +509,7 @@ static int eem_unwrap(struct gether *por + if (unlikely(!skb3)) { + DBG(cdev, "unable to realign EEM packet\n"); + dev_kfree_skb_any(skb2); +- continue; ++ goto next; + } + dev_kfree_skb_any(skb2); + skb_queue_tail(list, skb3); diff --git a/queue-4.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch b/queue-4.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch new file mode 100644 index 00000000000..617496568e7 --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-add-novatech-orionmx-product-id.patch 
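Review bot: Both allocation-failure paths now jump to a `next` label that lies outside the hunks, so whether the frame is really skipped by its header length cannot be verified from the lines shown. A short comment at each `goto next;` would record the intent, e.g. `/* drop this frame but still advance past it, so payload is never parsed as an EEM header */`. It is also worth confirming that `len`, which comes from the received header, has been checked against the remaining skb length before the code at the label consumes it. eem_unwrap() begins and ends outside the hunks.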
@@ -0,0 +1,40 @@ +From bc96c72df33ee81b24d87eab953c73f7bcc04f29 Mon Sep 17 00:00:00 2001 +From: George McCollister +Date: Thu, 3 Jun 2021 19:32:08 -0500 +Subject: USB: serial: ftdi_sio: add NovaTech OrionMX product ID + +From: George McCollister + +commit bc96c72df33ee81b24d87eab953c73f7bcc04f29 upstream. + +Add PID for the NovaTech OrionMX so it can be automatically detected. + +Signed-off-by: George McCollister +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 1 + + drivers/usb/serial/ftdi_sio_ids.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -606,6 +606,7 @@ static const struct usb_device_id id_tab + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONLX_PLUS_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_NT_ORION_IO_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_NT_ORIONMX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_SYNAPSE_SS200_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CUSTOMWARE_MINIPLEX2_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -580,6 +580,7 @@ + #define FTDI_NT_ORIONLXM_PID 0x7c90 /* OrionLXm Substation Automation Platform */ + #define FTDI_NT_ORIONLX_PLUS_PID 0x7c91 /* OrionLX+ Substation Automation Platform */ + #define FTDI_NT_ORION_IO_PID 0x7c92 /* Orion I/O */ ++#define FTDI_NT_ORIONMX_PID 0x7c93 /* OrionMX */ + + /* + * Synapse Wireless product ids (FTDI_VID) diff --git a/queue-4.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch b/queue-4.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch new file mode 100644 index 00000000000..5a16d7d766e --- /dev/null +++ b/queue-4.4/usb-serial-omninet-add-device-id-for-zyxel-omni-56k-plus.patch 
@@ -0,0 +1,48 @@ +From fc0b3dc9a11771c3919eaaaf9d649138b095aa0f Mon Sep 17 00:00:00 2001 +From: Alexandre GRIVEAUX +Date: Sun, 23 May 2021 18:35:21 +0200 +Subject: USB: serial: omninet: add device id for Zyxel Omni 56K Plus + +From: Alexandre GRIVEAUX + +commit fc0b3dc9a11771c3919eaaaf9d649138b095aa0f upstream. + +Add device id for Zyxel Omni 56K Plus modem, this modem include: + +USB chip: +NetChip +NET2888 + +Main chip: +901041A +F721501APGF + +Another modem using the same chips is the Zyxel Omni 56K DUO/NEO, +could be added with the right USB ID. + +Signed-off-by: Alexandre GRIVEAUX +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/omninet.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/omninet.c ++++ b/drivers/usb/serial/omninet.c +@@ -27,6 +27,7 @@ + + #define ZYXEL_VENDOR_ID 0x0586 + #define ZYXEL_OMNINET_ID 0x1000 ++#define ZYXEL_OMNI_56K_PLUS_ID 0x1500 + /* This one seems to be a re-branded ZyXEL device */ + #define BT_IGNITIONPRO_ID 0x2000 + +@@ -44,6 +45,7 @@ static int omninet_port_remove(struct us + + static const struct usb_device_id id_table[] = { + { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNINET_ID) }, ++ { USB_DEVICE(ZYXEL_VENDOR_ID, ZYXEL_OMNI_56K_PLUS_ID) }, + { USB_DEVICE(ZYXEL_VENDOR_ID, BT_IGNITIONPRO_ID) }, + { } /* Terminating entry */ + }; diff --git a/queue-4.4/usb-serial-quatech2-fix-control-request-directions.patch b/queue-4.4/usb-serial-quatech2-fix-control-request-directions.patch new file mode 100644 index 00000000000..c059918751a --- /dev/null +++ b/queue-4.4/usb-serial-quatech2-fix-control-request-directions.patch 
@@ -0,0 +1,52 @@ +From eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 May 2021 11:17:05 +0200 +Subject: USB: serial: quatech2: fix control-request directions + +From: Johan Hovold + +commit eb8dbe80326c3d44c1e38ee4f40e0d8d3e06f2d0 upstream. + +The direction of the pipe argument must match the request-type direction +bit or control requests may fail depending on the host-controller-driver +implementation. + +Fix the three requests which erroneously used usb_rcvctrlpipe(). + +Fixes: f7a33e608d9a ("USB: serial: add quatech2 usb to serial driver") +Cc: stable@vger.kernel.org # 3.5 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/quatech2.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/serial/quatech2.c ++++ b/drivers/usb/serial/quatech2.c +@@ -419,7 +419,7 @@ static void qt2_close(struct usb_serial_ + + /* flush the port transmit buffer */ + i = usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), ++ usb_sndctrlpipe(serial->dev, 0), + QT2_FLUSH_DEVICE, 0x40, 1, + port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT); + +@@ -429,7 +429,7 @@ static void qt2_close(struct usb_serial_ + + /* flush the port receive buffer */ + i = usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), ++ usb_sndctrlpipe(serial->dev, 0), + QT2_FLUSH_DEVICE, 0x40, 0, + port_priv->device_port, NULL, 0, QT2_USB_TIMEOUT); + +@@ -701,7 +701,7 @@ static int qt2_attach(struct usb_serial + int status; + + /* power on unit */ +- status = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), ++ status = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), + 0xc2, 0x40, 0x8000, 0, NULL, 0, + QT2_USB_TIMEOUT); + if (status < 0) {
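Review bot: All three corrected calls still pass the request type as the bare literal `0x40`, which is what let the pipe direction and the request-type direction bit disagree unnoticed. Writing it as `USB_TYPE_VENDOR | USB_RECIP_DEVICE | USB_DIR_OUT` next to `usb_sndctrlpipe()` makes the pairing visible at each call site in qt2_close() and qt2_attach(). In qt2_close() the result is stored in `i`, and the handling of a negative return falls outside the hunks, so it should be confirmed there. Both functions extend beyond the lines shown.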