From: Greg Kroah-Hartman
Date: Tue, 23 May 2017 12:39:34 +0000 (+0200)
Subject: 3.18-stable patches
X-Git-Tag: v3.18.55~32
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=23ed66b5b6bf8bbb8b828e0c278bd787809b3bb1;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
mceusb-fix-null-deref-at-probe.patch
net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch
ttusb2-limit-messages-to-buffer-size.patch
tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
usb-hub-fix-non-ss-hub-descriptor-handling.patch
usb-hub-fix-ss-hub-descriptor-handling.patch
usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch
usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch
usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
usb-serial-option-add-telit-me910-support.patch
usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch
usbvision-fix-null-deref-at-probe.patch
---

diff --git a/queue-3.18/mceusb-fix-null-deref-at-probe.patch b/queue-3.18/mceusb-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..1e244384670
--- /dev/null
+++ b/queue-3.18/mceusb-fix-null-deref-at-probe.patch
@@ -0,0 +1,37 @@
+From 03eb2a557ed552e920a0942b774aaf931596eec1 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 7 Mar 2017 15:14:13 -0300
+Subject: [media] mceusb: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream.
+
+Make sure to check for the required out endpoint to avoid dereferencing
+a NULL-pointer in mce_request_packet should a malicious device lack such
+an endpoint. Note that this path is hit during probe.
+
+Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver")
+
+Signed-off-by: Johan Hovold
+Signed-off-by: Sean Young
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/rc/mceusb.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/rc/mceusb.c
++++ b/drivers/media/rc/mceusb.c
+@@ -1321,8 +1321,8 @@ static int mceusb_dev_probe(struct usb_i
+ }
+ }
+ }
+- if (ep_in == NULL) {
+- dev_dbg(&intf->dev, "inbound and/or endpoint not found");
++ if (!ep_in || !ep_out) {
++ dev_dbg(&intf->dev, "required endpoints not found\n");
+ return -ENODEV;
+ }
+
diff --git a/queue-3.18/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch b/queue-3.18/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch
new file mode 100644
index 00000000000..db8dd00dfaa
--- /dev/null
+++ b/queue-3.18/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch
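Review bot: The rejected-device path in `mceusb_dev_probe` logs only at `dev_dbg`, so on a default build a device that omits the out endpoint is refused with nothing in the kernel log to show why. If that is deliberate, a one-line comment above the check would record both the reason and the requirement, e.g. `/* both endpoints are required: mce_request_packet() dereferences ep_out during probe */`. The loop that assigns `ep_in` and `ep_out` is outside the hunk, so whether it also validates endpoint type and direction cannot be judged here.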
@@ -0,0 +1,33 @@
+From 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 12 May 2017 12:11:13 +0200
+Subject: net: irda: irda-usb: fix firmware name on big-endian hosts
+
+From: Johan Hovold
+
+commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream.
+
+Add missing endianness conversion when using the USB device-descriptor
+bcdDevice field to construct a firmware file name.
+
+Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups")
+Cc: Nick Fedchik
+Signed-off-by: Johan Hovold
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/irda/irda-usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/irda/irda-usb.c
++++ b/drivers/net/irda/irda-usb.c
+@@ -1082,7 +1082,7 @@ static int stir421x_patch_device(struct
+ * are "42101001.sb" or "42101002.sb"
+ */
+ sprintf(stir421x_fw_name, "4210%4X.sb",
+- self->usbdev->descriptor.bcdDevice);
++ le16_to_cpu(self->usbdev->descriptor.bcdDevice));
+ ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev);
+ if (ret < 0)
+ return ret;
diff --git a/queue-3.18/series b/queue-3.18/series
index 308687cae7e..85c74f47dd9 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
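Review bot: The firmware name in `stir421x_patch_device` is still built with an unbounded `sprintf` from a device-supplied field (`bcdDevice`), and `stir421x_fw_name` is declared outside the hunk, so its size cannot be checked from here. A 16-bit value printed with `%4X` is at most four characters, giving 11 characters plus the terminator; if the destination is an array, `snprintf(stir421x_fw_name, sizeof(stir421x_fw_name), "4210%4X.sb", ...)` makes that bound explicit. `%4X` also pads with spaces rather than zeros, so a device reporting a value below 0x1000 would produce a name containing spaces; whether `%04X` is wanted depends on the firmware file names actually shipped.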
@@ -19,3 +19,16 @@ usb-serial-ftdi_sio-fix-setting-latency-for-unprivileged-users.patch
 usb-serial-ftdi_sio-add-olimex-arm-usb-tiny-h-pids.patch
 usb-host-xhci-plat-propagate-return-value-of-platform_get_irq.patch
 usb-host-xhci-mem-allocate-zeroed-scratchpad-buffer.patch
+net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch
+usbvision-fix-null-deref-at-probe.patch
+mceusb-fix-null-deref-at-probe.patch
+ttusb2-limit-messages-to-buffer-size.patch
+usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch
+usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch
+usb-serial-option-add-telit-me910-support.patch
+usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch
+usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
+usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
+usb-hub-fix-ss-hub-descriptor-handling.patch
+usb-hub-fix-non-ss-hub-descriptor-handling.patch
+tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
diff --git a/queue-3.18/ttusb2-limit-messages-to-buffer-size.patch b/queue-3.18/ttusb2-limit-messages-to-buffer-size.patch
new file mode 100644
index 00000000000..4a94eebd77d
--- /dev/null
+++ b/queue-3.18/ttusb2-limit-messages-to-buffer-size.patch
@@ -0,0 +1,55 @@
+From a12b8ab8c5ff7ccd7b107a564743507c850a441d Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn
+Date: Sat, 1 Apr 2017 14:34:32 -0300
+Subject: [media] ttusb2: limit messages to buffer size
+
+From: Alyssa Milburn
+
+commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream.
+
+Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and
+heap buffers.
+
+Signed-off-by: Alyssa Milburn
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/ttusb2.c
++++ b/drivers/media/usb/dvb-usb/ttusb2.c
+@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev
+ u8 *s, *r = NULL;
+ int ret = 0;
+
++ if (4 + rlen > 64)
++ return -EIO;
++
+ s = kzalloc(wlen+4, GFP_KERNEL);
+ if (!s)
+ return -ENOMEM;
+@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad
+ write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD);
+ read = msg[i].flags & I2C_M_RD;
+
++ if (3 + msg[i].len > sizeof(obuf)) {
++ err("i2c wr len=%d too high", msg[i].len);
++ break;
++ }
++ if (write_read) {
++ if (3 + msg[i+1].len > sizeof(ibuf)) {
++ err("i2c rd len=%d too high", msg[i+1].len);
++ break;
++ }
++ } else if (read) {
++ if (3 + msg[i].len > sizeof(ibuf)) {
++ err("i2c rd len=%d too high", msg[i].len);
++ break;
++ }
++ }
++
+ obuf[0] = (msg[i].addr << 1) | (write_read | read);
+ if (read)
+ obuf[1] = 0;
diff --git a/queue-3.18/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch b/queue-3.18/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
new file mode 100644
index 00000000000..9480e2ac1ca
--- /dev/null
+++ b/queue-3.18/tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
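Review bot: In `ttusb2_msg` the new guard compares `4 + rlen` against a bare `64`, while the receive buffer it protects is allocated outside the hunk, so nothing visible ties the limit to the allocation; one named constant used for both would keep them from drifting apart. In `ttusb2_i2c_xfer` the oversize cases leave the loop with `break`, and the return statement is outside the hunk: if the function then returns the loop index, an over-long message is reported to the caller as a short transfer rather than as an error, which deserves either an explicit error code or a comment. The first check also logs `i2c wr len` for pure read messages, where `msg[i].len` is a read length, so the log line can mislead whoever triages it.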
@@ -0,0 +1,79 @@
+From dd42bf1197144ede075a9d4793123f7689e164bc Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Fri, 27 Nov 2015 14:30:21 -0500
+Subject: tty: Prevent ldisc drivers from re-using stale tty fields
+
+From: Peter Hurley
+
+commit dd42bf1197144ede075a9d4793123f7689e164bc upstream.
+
+Line discipline drivers may mistakenly misuse ldisc-related fields
+when initializing. For example, a failure to initialize tty->receive_room
+in the N_GIGASET_M101 line discipline was recently found and fixed [1].
+Now, the N_X25 line discipline has been discovered accessing the previous
+line discipline's already-freed private data [2].
+
+Harden the ldisc interface against misuse by initializing revelant
+tty fields before instancing the new line discipline.
+
+[1]
+ commit fd98e9419d8d622a4de91f76b306af6aa627aa9c
+ Author: Tilman Schmidt
+ Date: Tue Jul 14 00:37:13 2015 +0200
+
+ isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
+
+[2] Report from Sasha Levin
+ [ 634.336761] ==================================================================
+ [ 634.338226] BUG: KASAN: use-after-free in x25_asy_open_tty+0x13d/0x490 at addr ffff8800a743efd0
+ [ 634.339558] Read of size 4 by task syzkaller_execu/8981
+ [ 634.340359] =============================================================================
+ [ 634.341598] BUG kmalloc-512 (Not tainted): kasan: bad access detected
+ ...
+ [ 634.405018] Call Trace:
+ [ 634.405277] dump_stack (lib/dump_stack.c:52)
+ [ 634.405775] print_trailer (mm/slub.c:655)
+ [ 634.406361] object_err (mm/slub.c:662)
+ [ 634.406824] kasan_report_error (mm/kasan/report.c:138 mm/kasan/report.c:236)
+ [ 634.409581] __asan_report_load4_noabort (mm/kasan/report.c:279)
+ [ 634.411355] x25_asy_open_tty (drivers/net/wan/x25_asy.c:559 (discriminator 1))
+ [ 634.413997] tty_ldisc_open.isra.2 (drivers/tty/tty_ldisc.c:447)
+ [ 634.414549] tty_set_ldisc (drivers/tty/tty_ldisc.c:567)
+ [ 634.415057] tty_ioctl (drivers/tty/tty_io.c:2646 drivers/tty/tty_io.c:2879)
+ [ 634.423524] do_vfs_ioctl (fs/ioctl.c:43 fs/ioctl.c:607)
+ [ 634.427491] SyS_ioctl (fs/ioctl.c:622 fs/ioctl.c:613)
+ [ 634.427945] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:188)
+
+Cc: Tilman Schmidt
+Cc: Sasha Levin
+Signed-off-by: Peter Hurley
+Signed-off-by: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_ldisc.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/drivers/tty/tty_ldisc.c
++++ b/drivers/tty/tty_ldisc.c
+@@ -414,6 +414,10 @@ EXPORT_SYMBOL_GPL(tty_ldisc_flush);
+ * they are not on hot paths so a little discipline won't do
+ * any harm.
+ *
++ * The line discipline-related tty_struct fields are reset to
++ * prevent the ldisc driver from re-using stale information for
++ * the new ldisc instance.
++ *
+ * Locking: takes termios_rwsem
+ */
+
+@@ -422,6 +426,9 @@ static void tty_set_termios_ldisc(struct
+ down_write(&tty->termios_rwsem);
+ tty->termios.c_line = num;
+ up_write(&tty->termios_rwsem);
++
++ tty->disc_data = NULL;
++ tty->receive_room = 0;
+ }
+
+ /**
diff --git a/queue-3.18/usb-hub-fix-non-ss-hub-descriptor-handling.patch b/queue-3.18/usb-hub-fix-non-ss-hub-descriptor-handling.patch
new file mode 100644
index 00000000000..4a28ae5fa4c
--- /dev/null
+++ b/queue-3.18/usb-hub-fix-non-ss-hub-descriptor-handling.patch
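Review bot: The two new resets in `tty_set_termios_ldisc`, `tty->disc_data = NULL;` and `tty->receive_room = 0;`, run after `up_write(&tty->termios_rwsem)`, yet the function comment still ends with `Locking: takes termios_rwsem`, which reads as if that lock covered them. The added comment paragraph should also name what serialises these writes against a line discipline that is still running, for example `disc_data and receive_room are reset outside termios_rwsem; the caller must hold the ldisc lock` — the second half is an assumption to confirm against the callers, which are outside the hunk. Stating it matters here because the bug being fixed is a use-after-free through exactly these fields.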
@@ -0,0 +1,68 @@
+From bec444cd1c94c48df409a35ad4e5b143c245c3f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 10 May 2017 18:18:28 +0200
+Subject: USB: hub: fix non-SS hub-descriptor handling
+
+From: Johan Hovold
+
+commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream.
+
+Add missing sanity check on the non-SuperSpeed hub-descriptor length in
+order to avoid parsing and leaking two bytes of uninitialised slab data
+through sysfs removable-attributes (or a compound-device debug
+statement).
+
+Note that we only make sure that the DeviceRemovable field is always
+present (and specifically ignore the unused PortPwrCtrlMask field) in
+order to continue support any hubs with non-compliant descriptors. As a
+further safeguard, the descriptor buffer is also cleared.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Johan Hovold
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -359,7 +359,8 @@ static void usb_set_lpm_parameters(struc
+ }
+
+ /* USB 2.0 spec Section 11.24.4.5 */
+-static int get_hub_descriptor(struct usb_device *hdev, void *data)
++static int get_hub_descriptor(struct usb_device *hdev,
++ struct usb_hub_descriptor *desc)
+ {
+ int i, ret, size;
+ unsigned dtype;
+@@ -375,12 +376,16 @@ static int get_hub_descriptor(struct usb
+ for (i = 0; i < 3; i++) {
+ ret = usb_control_msg(hdev, usb_rcvctrlpipe(hdev, 0),
+ USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
+- dtype << 8, 0, data, size,
++ dtype << 8, 0, desc, size,
+ USB_CTRL_GET_TIMEOUT);
+ if (hub_is_superspeed(hdev)) {
+ if (ret == size)
+ return ret;
+- } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
++ } else if (ret >= USB_DT_HUB_NONVAR_SIZE + 2) {
++ /* Make sure we have the DeviceRemovable field. */
++ size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1;
++ if (ret < size)
++ return -EMSGSIZE;
+ return ret;
+ }
+ }
+@@ -1327,7 +1332,7 @@ static int hub_configure(struct usb_hub
+ }
+ mutex_init(&hub->status_mutex);
+
+- hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL);
++ hub->descriptor = kzalloc(sizeof(*hub->descriptor), GFP_KERNEL);
+ if (!hub->descriptor) {
+ ret = -ENOMEM;
+ goto fail;
diff --git a/queue-3.18/usb-hub-fix-ss-hub-descriptor-handling.patch b/queue-3.18/usb-hub-fix-ss-hub-descriptor-handling.patch
new file mode 100644
index 00000000000..126abb08b26
--- /dev/null
+++ b/queue-3.18/usb-hub-fix-ss-hub-descriptor-handling.patch
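Review bot: In the non-SuperSpeed branch of `get_hub_descriptor`, `size` is overwritten with the minimum acceptable length while it is still the request length passed to `usb_control_msg` at the top of the retry loop. Both paths after the assignment return today, so nothing reads the clobbered value, but a separate local (for instance `min_len`) would keep a later fall-through from silently shortening the next request. The one-line comment could also record why the formula is `bNbrPorts / 8 + 1` — DeviceRemovable is a bitmap with one bit per port plus the reserved bit 0 — since `bNbrPorts` is taken from the device. The lines that first set `size` and `dtype` are outside the hunk.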
@@ -0,0 +1,50 @@
+From 2c25a2c818023df64463aac3288a9f969491e507 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 10 May 2017 18:18:27 +0200
+Subject: USB: hub: fix SS hub-descriptor handling
+
+From: Johan Hovold
+
+commit 2c25a2c818023df64463aac3288a9f969491e507 upstream.
+
+A SuperSpeed hub descriptor does not have any variable-length fields so
+bail out when reading a short descriptor.
+
+This avoids parsing and leaking two bytes of uninitialised slab data
+through sysfs removable-attributes.
+
+Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes")
+Cc: John Youn
+Acked-by: Alan Stern
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -377,8 +377,12 @@ static int get_hub_descriptor(struct usb
+ USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB,
+ dtype << 8, 0, data, size,
+ USB_CTRL_GET_TIMEOUT);
+- if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2))
++ if (hub_is_superspeed(hdev)) {
++ if (ret == size)
++ return ret;
++ } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) {
+ return ret;
++ }
+ }
+ return -EINVAL;
+ }
+@@ -1331,7 +1335,7 @@ static int hub_configure(struct usb_hub
+
+ /* Request the entire hub descriptor.
+ * hub->descriptor can handle USB_MAXCHILDREN ports,
+- * but the hub can/will return fewer bytes here.
++ * but a (non-SS) hub can/will return fewer bytes here.
+ */
+ ret = get_hub_descriptor(hdev, hub->descriptor);
+ if (ret < 0) {
diff --git a/queue-3.18/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch b/queue-3.18/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch
new file mode 100644
index 00000000000..b9d8f403f0d
--- /dev/null
+++ b/queue-3.18/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch
@@ -0,0 +1,35 @@
+From dd5ca753fa92fb736b1395db892bd29f78e6d408 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 11 May 2017 11:36:02 +0200
+Subject: USB: iowarrior: fix info ioctl on big-endian hosts
+
+From: Johan Hovold
+
+commit dd5ca753fa92fb736b1395db892bd29f78e6d408 upstream.
+
+Drop erroneous le16_to_cpu when returning the USB device speed which is
+already in host byte order.
+
+Found using sparse:
+
+ warning: cast to restricted __le16
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -557,7 +557,7 @@ static long iowarrior_ioctl(struct file
+ info.revision = le16_to_cpu(dev->udev->descriptor.bcdDevice);
+
+ /* 0==UNKNOWN, 1==LOW(usb1.1) ,2=FULL(usb1.1), 3=HIGH(usb2.0) */
+- info.speed = le16_to_cpu(dev->udev->speed);
++ info.speed = dev->udev->speed;
+ info.if_num = dev->interface->cur_altsetting->desc.bInterfaceNumber;
+ info.report_size = dev->report_size;
+
diff --git a/queue-3.18/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch b/queue-3.18/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch
new file mode 100644
index 00000000000..4be488ffb07
--- /dev/null
+++ b/queue-3.18/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch
@@ -0,0 +1,60 @@
+From 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 Mon Sep 17 00:00:00 2001
+From: Peter Ujfalusi
+Date: Wed, 17 May 2017 11:23:11 -0500
+Subject: usb: musb: tusb6010_omap: Do not reset the other direction's packet size
+
+From: Peter Ujfalusi
+
+commit 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 upstream.
+
+We have one register for each EP to set the maximum packet size for both
+TX and RX.
+If for example an RX programming would happen before the previous TX
+transfer finishes we would reset the TX packet side.
+
+To fix this issue, only modify the TX or RX part of the register.
+
+Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support")
+Signed-off-by: Peter Ujfalusi
+Tested-by: Tony Lindgren
+Signed-off-by: Bin Liu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/musb/tusb6010_omap.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/musb/tusb6010_omap.c
++++ b/drivers/usb/musb/tusb6010_omap.c
+@@ -220,6 +220,7 @@ static int tusb_omap_dma_program(struct
+ u32 dma_remaining;
+ int src_burst, dst_burst;
+ u16 csr;
++ u32 psize;
+ int ch;
+ s8 dmareq;
+ s8 sync_dev;
+@@ -391,15 +392,19 @@ static int tusb_omap_dma_program(struct
+
+ if (chdat->tx) {
+ /* Send transfer_packet_sz packets at a time */
+- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
+- chdat->transfer_packet_sz);
++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
++ psize &= ~0x7ff;
++ psize |= chdat->transfer_packet_sz;
++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);
+
+ musb_writel(ep_conf, TUSB_EP_TX_OFFSET,
+ TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));
+ } else {
+ /* Receive transfer_packet_sz packets at a time */
+- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET,
+- chdat->transfer_packet_sz << 16);
++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET);
++ psize &= ~(0x7ff << 16);
++ psize |= (chdat->transfer_packet_sz << 16);
++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize);
+
+ musb_writel(ep_conf, TUSB_EP_RX_OFFSET,
+ TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len));
diff --git a/queue-3.18/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch b/queue-3.18/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
new file mode 100644
index 00000000000..ddeace34ae6
--- /dev/null
+++ b/queue-3.18/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
@@ -0,0 +1,40 @@
+From 6aeb75e6adfaed16e58780309613a578fe1ee90b Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 11 May 2017 11:41:21 +0200
+Subject: USB: serial: io_ti: fix div-by-zero in set_termios
+
+From: Johan Hovold
+
+commit 6aeb75e6adfaed16e58780309613a578fe1ee90b upstream.
+
+Fix a division-by-zero in set_termios when debugging is enabled and a
+high-enough speed has been requested so that the divisor value becomes
+zero.
+
+Instead of just fixing the offending debug statement, cap the baud rate
+at the base as a zero divisor value also appears to crash the firmware.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/io_ti.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -2210,8 +2210,11 @@ static void change_port_settings(struct
+ if (!baud) {
+ /* pick a default, any default... */
+ baud = 9600;
+- } else
++ } else {
++ /* Avoid a zero divisor. */
++ baud = min(baud, 461550);
+ tty_encode_baud_rate(tty, baud, baud);
++ }
+
+ edge_port->baud_rate = baud;
+ config->wBaudRate = (__u16)((461550L + baud/2) / baud);
diff --git a/queue-3.18/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch b/queue-3.18/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
new file mode 100644
index 00000000000..4420affca4d
--- /dev/null
+++ b/queue-3.18/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
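Review bot: `psize |= chdat->transfer_packet_sz;` in the TX branch of `tusb_omap_dma_program` (and its `<< 16` twin in the RX branch) clears an 11-bit field with `0x7ff` but ORs the new value in unmasked, so a packet size wider than 11 bits would spill into the neighbouring bits, including the other direction's field that this change sets out to preserve. The type and range of `transfer_packet_sz` are not visible in the hunk; unless it is already bounded, `psize |= chdat->transfer_packet_sz & 0x7ff;` and `psize |= (chdat->transfer_packet_sz & 0x7ff) << 16;` close that. A named mask in place of the repeated `0x7ff` would also document the register layout. Whether the read-modify-write is serialised against programming of the other direction depends on locking outside the hunk.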
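Review bot: Only the upper end of the range is capped by `baud = min(baud, 461550);` in `change_port_settings`; on the context line below, `(__u16)((461550L + baud/2) / baud)` still truncates whenever the quotient exceeds 65535, which is the case for rates below 8 baud if the tty layer can hand such a value to this function (not visible here). A matching lower clamp, or a comment saying why such rates cannot arrive, would complete the range check. The base clock now appears as `461550` and `461550L` a few lines apart, so a single named constant would keep the cap and the divisor formula in step.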
@@ -0,0 +1,39 @@
+From 26cede343656c0bc2c33cdc783771282405c7fb2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 11 May 2017 11:41:20 +0200
+Subject: USB: serial: mct_u232: fix big-endian baud-rate handling
+
+From: Johan Hovold
+
+commit 26cede343656c0bc2c33cdc783771282405c7fb2 upstream.
+
+Drop erroneous cpu_to_le32 when setting the baud rate, something which
+corrupted the divisor on big-endian hosts.
+
+Found using sparse:
+
+ warning: incorrect type in argument 1 (different base types)
+ expected unsigned int [unsigned] [usertype] val
+ got restricted __le32 [usertype]
+
+Fixes: af2ac1a091bc ("USB: serial mct_usb232: move DMA buffers to heap")
+Reviewed-by: Greg Kroah-Hartman
+Acked-By: Pete Zaitcev
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/mct_u232.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -189,7 +189,7 @@ static int mct_u232_set_baud_rate(struct
+ return -ENOMEM;
+
+ divisor = mct_u232_calculate_baud_rate(serial, value, &speed);
+- put_unaligned_le32(cpu_to_le32(divisor), buf);
++ put_unaligned_le32(divisor, buf);
+ rc = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0),
+ MCT_U232_SET_BAUD_RATE_REQUEST,
+ MCT_U232_SET_REQUEST_TYPE,
diff --git a/queue-3.18/usb-serial-option-add-telit-me910-support.patch b/queue-3.18/usb-serial-option-add-telit-me910-support.patch
new file mode 100644
index 00000000000..338965d321b
--- /dev/null
+++ b/queue-3.18/usb-serial-option-add-telit-me910-support.patch
@@ -0,0 +1,50 @@
+From 40dd46048c155b8f0683f468c950a1c107f77a7c Mon Sep 17 00:00:00 2001
+From: Daniele Palmas
+Date: Wed, 3 May 2017 10:28:54 +0200
+Subject: usb: serial: option: add Telit ME910 support
+
+From: Daniele Palmas
+
+commit 40dd46048c155b8f0683f468c950a1c107f77a7c upstream.
+
+This patch adds support for Telit ME910 PID 0x1100.
+
+Signed-off-by: Daniele Palmas
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -275,6 +275,7 @@ static void option_instat_callback(struc
+ #define TELIT_PRODUCT_LE922_USBCFG0 0x1042
+ #define TELIT_PRODUCT_LE922_USBCFG3 0x1043
+ #define TELIT_PRODUCT_LE922_USBCFG5 0x1045
++#define TELIT_PRODUCT_ME910 0x1100
+ #define TELIT_PRODUCT_LE920 0x1200
+ #define TELIT_PRODUCT_LE910 0x1201
+ #define TELIT_PRODUCT_LE910_USBCFG4 0x1206
+@@ -637,6 +638,11 @@ static const struct option_blacklist_inf
+ .reserved = BIT(5) | BIT(6),
+ };
+
++static const struct option_blacklist_info telit_me910_blacklist = {
++ .sendsetup = BIT(0),
++ .reserved = BIT(1) | BIT(3),
++};
++
+ static const struct option_blacklist_info telit_le910_blacklist = {
+ .sendsetup = BIT(0),
+ .reserved = BIT(1) | BIT(2),
+@@ -1233,6 +1239,8 @@ static const struct usb_device_id option
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff),
+ .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 },
++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910),
++ .driver_info = (kernel_ulong_t)&telit_me910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910),
+ .driver_info = (kernel_ulong_t)&telit_le910_blacklist },
+ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4),
diff --git a/queue-3.18/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch b/queue-3.18/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch
new file mode 100644
index 00000000000..8c5211c280c
--- /dev/null
+++ b/queue-3.18/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch
@@ -0,0 +1,36 @@
+From 8d7a10dd323993cc40bd37bce8bc570133b0c396 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Wed, 17 May 2017 16:30:50 +0200
+Subject: USB: serial: qcserial: add more Lenovo EM74xx device IDs
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork
+
+commit 8d7a10dd323993cc40bd37bce8bc570133b0c396 upstream.
+
+In their infinite wisdom, and never ending quest for end user frustration,
+Lenovo has decided to use new USB device IDs for the wwan modules in
+their 2017 laptops. The actual hardware is still the Sierra Wireless
+EM7455 or EM7430, depending on region.
+
+Signed-off-by: Bjørn Mork
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/qcserial.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/qcserial.c
++++ b/drivers/usb/serial/qcserial.c
+@@ -156,6 +156,8 @@ static const struct usb_device_id id_tab
+ {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */
+ {DEVICE_SWI(0x1199, 0x9078)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x1199, 0x9079)}, /* Sierra Wireless EM74xx */
++ {DEVICE_SWI(0x1199, 0x907a)}, /* Sierra Wireless EM74xx QDL */
++ {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */
+ {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */
+ {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */
diff --git a/queue-3.18/usbvision-fix-null-deref-at-probe.patch b/queue-3.18/usbvision-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..451396ab0b5
--- /dev/null
+++ b/queue-3.18/usbvision-fix-null-deref-at-probe.patch
@@ -0,0 +1,44 @@
+From eacb975b48272f54532b62f515a3cf7eefa35123 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 09:53:55 -0300
+Subject: [media] usbvision: fix NULL-deref at probe
+
+From: Johan Hovold
+
+commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface
+modification")
+
+Cc: Thierry MERLE
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/usb/usbvision/usbvision-video.c
++++ b/drivers/media/usb/usbvision/usbvision-video.c
+@@ -1583,7 +1583,14 @@ static int usbvision_probe(struct usb_in
+ }
+
+ for (i = 0; i < usbvision->num_alt; i++) {
+- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
++ u16 tmp;
++
++ if (uif->altsetting[i].desc.bNumEndpoints < 2) {
++ ret = -ENODEV;
++ goto err_pkt;
++ }
++
++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc.
+ wMaxPacketSize);
+ usbvision->alt_max_pkt_size[i] =
+ (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
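Review bot: The new guard in `usbvision_probe` checks only `bNumEndpoints < 2` before indexing `endpoint[1]`; the contents of that descriptor are still taken from the device as they come. In `(tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1)` on the context lines, a value of 3 in bits 12:11 is a reserved encoding in USB 2.0, so a device can push the multiplier to 4; rejecting it next to the count check with `if (((tmp & 0x1800) >> 11) == 3) { ret = -ENODEV; goto err_pkt; }`, or a comment saying why the larger product is harmless for the users of `alt_max_pkt_size`, would settle it. Whether endpoint 1 is of the type and direction the driver expects is not checked in the visible lines. The `err_pkt` label and its cleanup are outside the hunk.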