From: Greg Kroah-Hartman Date: Mon, 27 Mar 2017 16:38:10 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.58~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=74f7e0eeb51e57ef2fbc3d9c3de3855514a6bca8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: acm-gadget-fix-endianness-in-notifications.patch alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch input-cm109-validate-number-of-endpoints-before-using-them.patch input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch input-hanwang-validate-number-of-endpoints-before-using-them.patch input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch input-iforce-validate-number-of-endpoints-before-using-them.patch input-ims-pcu-validate-number-of-endpoints-before-using-them.patch input-kbtab-validate-number-of-endpoints-before-using-them.patch input-sur40-validate-number-of-endpoints-before-using-them.patch input-yealink-validate-number-of-endpoints-before-using-them.patch mmc-ushc-fix-null-deref-at-probe.patch usb-core-add-linear_frame_intr_binterval-usb-quirk.patch usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch usb-idmouse-fix-null-deref-at-probe.patch usb-lvtest-fix-null-deref-at-probe.patch usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch usb-serial-qcserial-add-dell-dw5811e.patch usb-uss720-fix-null-deref-at-probe.patch usb-wusbcore-fix-null-deref-at-probe.patch uwb-hwa-rc-fix-null-deref-at-probe.patch uwb-i1480-dfu-fix-null-deref-at-probe.patch --- diff --git a/queue-4.4/acm-gadget-fix-endianness-in-notifications.patch b/queue-4.4/acm-gadget-fix-endianness-in-notifications.patch new file mode 100644 index 00000000000..f1a7a2b5614 --- /dev/null +++ b/queue-4.4/acm-gadget-fix-endianness-in-notifications.patch @@ -0,0 +1,43 @@ +From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 14 Mar 2017 12:09:56 +0100 +Subject: ACM gadget: fix endianness in notifications +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver Neukum + +commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream. + +The gadget code exports the bitfield for serial status changes +over the wire in its internal endianness. The fix is to convert +to little endian before sending it over the wire. + +Signed-off-by: Oliver Neukum +Tested-by: 家瑋 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_acm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_acm.c ++++ b/drivers/usb/gadget/function/f_acm.c +@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struc + { + struct usb_composite_dev *cdev = acm->port.func.config->cdev; + int status; ++ __le16 serial_state; + + spin_lock(&acm->lock); + if (acm->notify_req) { + dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n", + acm->port_num, acm->serial_state); ++ serial_state = cpu_to_le16(acm->serial_state); + status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE, +- 0, &acm->serial_state, sizeof(acm->serial_state)); ++ 0, &serial_state, sizeof(acm->serial_state)); + } else { + acm->pending = true; + status = 0; diff --git a/queue-4.4/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch b/queue-4.4/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch new file mode 100644 index 00000000000..a89092d48db --- /dev/null +++ b/queue-4.4/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch @@ -0,0 +1,36 @@ +From f363a06642f28caaa78cb6446bbad90c73fe183c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Mar 2017 10:08:19 +0100 +Subject: ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call + +From: Takashi Iwai + +commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream. + +In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit], +I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while +cthw20k2.c is OK). This patch fixes that obvious bug. + +(As a side note: although the original commit was completely wrong, + it's still working for most of machines, as it sets to 32bit DMA mask + in the end. So the bug severity is low.) + +Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/ctxfi/cthw20k1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ctxfi/cthw20k1.c ++++ b/sound/pci/ctxfi/cthw20k1.c +@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw) + return err; + + /* Set DMA transfer mask */ +- if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { ++ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { + dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits)); + } else { + dma_set_mask(&pci->dev, DMA_BIT_MASK(32)); diff --git a/queue-4.4/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch b/queue-4.4/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch new file mode 100644 index 00000000000..59275ebe2fe --- /dev/null +++ b/queue-4.4/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch @@ -0,0 +1,32 @@ +From 3f307834e695f59dac4337a40316bdecfb9d0508 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Thu, 23 Mar 2017 10:00:25 +0800 +Subject: ALSA: hda - Adding a group of pin definition to fix headset problem + +From: Hui Wang + +commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream. + +A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to +fix the headset problem, and the pin definiton of this machine is not +in the pin quirk table yet, now adding it to the table. + +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6040,6 +6040,8 @@ static const struct snd_hda_pin_quirk al + ALC295_STANDARD_PINS, + {0x17, 0x21014040}, + {0x18, 0x21a19050}), ++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC295_STANDARD_PINS), + SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC298_STANDARD_PINS, + {0x17, 0x90170110}), diff --git a/queue-4.4/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch b/queue-4.4/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch new file mode 100644 index 00000000000..9180ca92430 --- /dev/null +++ b/queue-4.4/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch @@ -0,0 +1,103 @@ +From c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Mar 2017 13:56:04 +0100 +Subject: ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() + +From: Takashi Iwai + +commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream. + +When snd_seq_pool_done() is called, it marks the closing flag to +refuse the further cell insertions. But snd_seq_pool_done() itself +doesn't clear the cells but just waits until all cells are cleared by +the caller side. That is, it's racy, and this leads to the endless +stall as syzkaller spotted. + +This patch addresses the racy by splitting the setup of pool->closing +flag out of snd_seq_pool_done(), and calling it properly before +snd_seq_pool_done(). + +BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com +Reported-and-tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 1 + + sound/core/seq/seq_fifo.c | 3 +++ + sound/core/seq/seq_memory.c | 17 +++++++++++++---- + sound/core/seq/seq_memory.h | 1 + + 4 files changed, 18 insertions(+), 4 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1921,6 +1921,7 @@ static int snd_seq_ioctl_set_client_pool + info.output_pool != client->pool->size)) { + if (snd_seq_write_pool_allocated(client)) { + /* remove all existing cells */ ++ snd_seq_pool_mark_closing(client->pool); + snd_seq_queue_client_leave_cells(client->number); + snd_seq_pool_done(client->pool); + } +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_ + return; + *fifo = NULL; + ++ if (f->pool) ++ snd_seq_pool_mark_closing(f->pool); ++ + snd_seq_fifo_clear(f); + + /* wake up clients if any */ +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_poo + return 0; + } + ++/* refuse the further insertion to the pool */ ++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool) ++{ ++ unsigned long flags; ++ ++ if (snd_BUG_ON(!pool)) ++ return; ++ spin_lock_irqsave(&pool->lock, flags); ++ pool->closing = 1; ++ spin_unlock_irqrestore(&pool->lock, flags); ++} ++ + /* remove events */ + int snd_seq_pool_done(struct snd_seq_pool *pool) + { +@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_poo + return -EINVAL; + + /* wait for closing all threads */ +- spin_lock_irqsave(&pool->lock, flags); +- pool->closing = 1; +- spin_unlock_irqrestore(&pool->lock, flags); +- + if (waitqueue_active(&pool->output_sleep)) + wake_up(&pool->output_sleep); + +@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_p + *ppool = NULL; + if (pool == NULL) + return 0; ++ snd_seq_pool_mark_closing(pool); + snd_seq_pool_done(pool); + kfree(pool); + return 0; +--- a/sound/core/seq/seq_memory.h ++++ b/sound/core/seq/seq_memory.h +@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(st + int snd_seq_pool_init(struct snd_seq_pool *pool); + + /* done pool - free events */ ++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool); + int snd_seq_pool_done(struct snd_seq_pool *pool); + + /* create pool */ diff --git a/queue-4.4/input-cm109-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-cm109-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..1b7036362c8 --- /dev/null +++ b/queue-4.4/input-cm109-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:35:12 -0700 +Subject: Input: cm109 - validate number of endpoints before using them + +From: Johan Hovold + +commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/cm109.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/cm109.c ++++ b/drivers/input/misc/cm109.c +@@ -675,6 +675,10 @@ static int cm109_usb_probe(struct usb_in + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ ++ if (interface->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &interface->endpoint[0].desc; + + if (!usb_endpoint_is_int_in(endpoint)) diff --git a/queue-4.4/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch b/queue-4.4/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch new file mode 100644 index 00000000000..da7ddba699e --- /dev/null +++ b/queue-4.4/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch @@ -0,0 +1,54 @@ +From 92ef6f97a66e580189a41a132d0f8a9f78d6ddce Mon Sep 17 00:00:00 2001 +From: Matjaz Hegedic +Date: Fri, 10 Mar 2017 14:33:09 -0800 +Subject: Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw + +From: Matjaz Hegedic + +commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream. + +EeeBook X205TA is yet another ASUS device with a special touchpad +firmware that needs to be accounted for during initialization, or +else the touchpad will go into an invalid state upon suspend/resume. +Adding the appropriate ic_type and product_id check fixes the problem. + +Signed-off-by: Matjaz Hegedic +Acked-by: KT Liao +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -218,17 +218,19 @@ static int elan_query_product(struct ela + + static int elan_check_ASUS_special_fw(struct elan_tp_data *data) + { +- if (data->ic_type != 0x0E) +- return false; +- +- switch (data->product_id) { +- case 0x05 ... 0x07: +- case 0x09: +- case 0x13: ++ if (data->ic_type == 0x0E) { ++ switch (data->product_id) { ++ case 0x05 ... 0x07: ++ case 0x09: ++ case 0x13: ++ return true; ++ } ++ } else if (data->ic_type == 0x08 && data->product_id == 0x26) { ++ /* ASUS EeeBook X205TA */ + return true; +- default: +- return false; + } ++ ++ return false; + } + + static int __elan_initialize(struct elan_tp_data *data) diff --git a/queue-4.4/input-hanwang-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-hanwang-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..c97f2800495 --- /dev/null +++ b/queue-4.4/input-hanwang-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,33 @@ +From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:39:29 -0700 +Subject: Input: hanwang - validate number of endpoints before using them + +From: Johan Hovold + +commit ba340d7b83703768ce566f53f857543359aa1b98 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/hanwang.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/tablet/hanwang.c ++++ b/drivers/input/tablet/hanwang.c +@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte + int error; + int i; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL); + input_dev = input_allocate_device(); + if (!hanwang || !input_dev) { diff --git a/queue-4.4/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch b/queue-4.4/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch new file mode 100644 index 00000000000..252ab274579 --- /dev/null +++ b/queue-4.4/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch @@ -0,0 +1,40 @@ +From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 7 Mar 2017 09:31:29 -0800 +Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 + +From: Kai-Heng Feng + +commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream. + +The aux port does not get detected without noloop quirk, so external PS/2 +mouse cannot work as result. + +The PS/2 mouse can work with this quirk. + +BugLink: https://bugs.launchpad.net/bugs/1591053 +Signed-off-by: Kai-Heng Feng +Reviewed-by: Marcos Paulo de Souza +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -120,6 +120,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Dell Embedded Box PC 3000 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), ++ }, ++ }, ++ { + /* OQO Model 01 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "OQO"), diff --git a/queue-4.4/input-iforce-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-iforce-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..d93dffa2ead --- /dev/null +++ b/queue-4.4/input-iforce-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,33 @@ +From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:34:02 -0700 +Subject: Input: iforce - validate number of endpoints before using them + +From: Johan Hovold + +commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory that lie beyond the end of the endpoint +array should a malicious device lack the expected endpoints. + +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/iforce/iforce-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/iforce/iforce-usb.c ++++ b/drivers/input/joystick/iforce/iforce-usb.c +@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i + + interface = intf->cur_altsetting; + ++ if (interface->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + epirq = &interface->endpoint[0].desc; + epout = &interface->endpoint[1].desc; + diff --git a/queue-4.4/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..725bacfaa12 --- /dev/null +++ b/queue-4.4/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:36:13 -0700 +Subject: Input: ims-pcu - validate number of endpoints before using them + +From: Johan Hovold + +commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack control-interface endpoints. + +Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/ims-pcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct + return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; ++ ++ if (alt->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + pcu->ep_ctrl = &alt->endpoint[0].desc; + pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl); + diff --git a/queue-4.4/input-kbtab-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-kbtab-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..35c645a1da1 --- /dev/null +++ b/queue-4.4/input-kbtab-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,32 @@ +From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:41:55 -0700 +Subject: Input: kbtab - validate number of endpoints before using them + +From: Johan Hovold + +commit cb1b494663e037253337623bf1ef2df727883cb7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/kbtab.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/tablet/kbtab.c ++++ b/drivers/input/tablet/kbtab.c +@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf + struct input_dev *input_dev; + int error = -ENOMEM; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL); + input_dev = input_allocate_device(); + if (!kbtab || !input_dev) diff --git a/queue-4.4/input-sur40-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-sur40-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..5a5ec5358cc --- /dev/null +++ b/queue-4.4/input-sur40-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:43:09 -0700 +Subject: Input: sur40 - validate number of endpoints before using them + +From: Johan Hovold + +commit 92461f5d723037530c1f36cce93640770037812c upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory that lie beyond the end of the endpoint +array should a malicious device lack the expected endpoints. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sur40.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -500,6 +500,9 @@ static int sur40_probe(struct usb_interf + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; + ++ if (iface_desc->desc.bNumEndpoints < 5) ++ return -ENODEV; ++ + /* Use endpoint #4 (0x86). */ + endpoint = &iface_desc->endpoint[4].desc; + if (endpoint->bEndpointAddress != TOUCH_ENDPOINT) diff --git a/queue-4.4/input-yealink-validate-number-of-endpoints-before-using-them.patch b/queue-4.4/input-yealink-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..ed8a6543ea9 --- /dev/null +++ b/queue-4.4/input-yealink-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:37:01 -0700 +Subject: Input: yealink - validate number of endpoints before using them + +From: Johan Hovold + +commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/yealink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/yealink.c ++++ b/drivers/input/misc/yealink.c +@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac + int ret, pipe, i; + + interface = intf->cur_altsetting; ++ ++ if (interface->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -ENODEV; diff --git a/queue-4.4/mmc-ushc-fix-null-deref-at-probe.patch b/queue-4.4/mmc-ushc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..ca5b219b5e5 --- /dev/null +++ b/queue-4.4/mmc-ushc-fix-null-deref-at-probe.patch @@ -0,0 +1,34 @@ +From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:40:22 +0100 +Subject: mmc: ushc: fix NULL-deref at probe + +From: Johan Hovold + +commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver") +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/ushc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/ushc.c ++++ b/drivers/mmc/host/ushc.c +@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa + struct ushc_data *ushc; + int ret; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev); + if (mmc == NULL) + return -ENOMEM; diff --git a/queue-4.4/series b/queue-4.4/series index 57f63b52232..1f6527983d9 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -9,3 +9,29 @@ net-bcmgenet-remove-bcmgenet_internal_phy_setup.patch ipv4-provide-stronger-user-input-validation-in-nl_fib_input.patch socket-bpf-fix-sk_filter-use-after-free-in-sk_clone_lock.patch tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch +input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch +input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch +input-iforce-validate-number-of-endpoints-before-using-them.patch +input-ims-pcu-validate-number-of-endpoints-before-using-them.patch +input-hanwang-validate-number-of-endpoints-before-using-them.patch +input-yealink-validate-number-of-endpoints-before-using-them.patch +input-cm109-validate-number-of-endpoints-before-using-them.patch +input-kbtab-validate-number-of-endpoints-before-using-them.patch +input-sur40-validate-number-of-endpoints-before-using-them.patch +alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch +alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch +alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch +usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch +usb-serial-qcserial-add-dell-dw5811e.patch +acm-gadget-fix-endianness-in-notifications.patch +usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch +usb-core-add-linear_frame_intr_binterval-usb-quirk.patch +usb-uss720-fix-null-deref-at-probe.patch +usb-lvtest-fix-null-deref-at-probe.patch +usb-idmouse-fix-null-deref-at-probe.patch +usb-wusbcore-fix-null-deref-at-probe.patch +usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch +usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch +uwb-i1480-dfu-fix-null-deref-at-probe.patch +uwb-hwa-rc-fix-null-deref-at-probe.patch +mmc-ushc-fix-null-deref-at-probe.patch diff --git a/queue-4.4/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch b/queue-4.4/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch new file mode 100644 index 00000000000..6219cb6d4fc --- /dev/null +++ b/queue-4.4/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch @@ -0,0 +1,83 @@ +From 3243367b209faed5c320a4e5f9a565ee2a2ba958 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 13 Mar 2017 20:50:08 +0100 +Subject: usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk + +From: Samuel Thibault + +commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream. + +Some USB 2.0 devices erroneously report millisecond values in +bInterval. The generic config code manages to catch most of them, +but in some cases it's not completely enough. + +The case at stake here is a USB 2.0 braille device, which wants to +announce 10ms and thus sets bInterval to 10, but with the USB 2.0 +computation that yields to 64ms. It happens that one can type fast +enough to reach this interval and get the device buffers overflown, +leading to problematic latencies. The generic config code does not +catch this case because the 64ms is considered a sane enough value. + +This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk +to mark devices which actually report milliseconds in bInterval, +and marks Vario Ultra devices as needing it. + +Signed-off-by: Samuel Thibault +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 10 ++++++++++ + drivers/usb/core/quirks.c | 8 ++++++++ + include/linux/usb/quirks.h | 6 ++++++ + 3 files changed, 24 insertions(+) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -246,6 +246,16 @@ static int usb_parse_endpoint(struct dev + + /* + * Adjust bInterval for quirked devices. ++ */ ++ /* ++ * This quirk fixes bIntervals reported in ms. ++ */ ++ if (to_usb_device(ddev)->quirks & ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) { ++ n = clamp(fls(d->bInterval) + 3, i, j); ++ i = j = n; ++ } ++ /* + * This quirk fixes bIntervals reported in + * linear microframes. + */ +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -170,6 +170,14 @@ static const struct usb_device_id usb_qu + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Baum Vario Ultra */ ++ { USB_DEVICE(0x0904, 0x6101), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6102), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6103), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ + /* Keytouch QWERTY Panel keyboard */ + { USB_DEVICE(0x0926, 0x3333), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -50,4 +50,10 @@ + /* device can't handle Link Power Management */ + #define USB_QUIRK_NO_LPM BIT(10) + ++/* ++ * Device reports its bInterval as linear frames instead of the ++ * USB 2.0 calculation. ++ */ ++#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) ++ + #endif /* __LINUX_USB_QUIRKS_H */ diff --git a/queue-4.4/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch b/queue-4.4/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch new file mode 100644 index 00000000000..bba2c7b83f9 --- /dev/null +++ b/queue-4.4/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch @@ -0,0 +1,39 @@ +From 09424c50b7dff40cb30011c09114404a4656e023 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 8 Mar 2017 16:05:43 +0200 +Subject: usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval + +From: Roger Quadros + +commit 09424c50b7dff40cb30011c09114404a4656e023 upstream. + +The streaming_maxburst module parameter is 0 offset (0..15) +so we must add 1 while using it for wBytesPerInterval +calculation for the SuperSpeed companion descriptor. + +Without this host uvcvideo driver will always see the wrong +wBytesPerInterval for SuperSpeed uvc gadget and may not find +a suitable video interface endpoint. +e.g. for streaming_maxburst = 0 case it will always +fail as wBytePerInterval was evaluating to 0. + +Reviewed-by: Laurent Pinchart +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uvc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configurati + uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst; + uvc_ss_streaming_comp.wBytesPerInterval = + cpu_to_le16(max_packet_size * max_packet_mult * +- opts->streaming_maxburst); ++ (opts->streaming_maxburst + 1)); + + /* Allocate endpoints. */ + ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep); diff --git a/queue-4.4/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch b/queue-4.4/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch new file mode 100644 index 00000000000..ac65cd57dad --- /dev/null +++ b/queue-4.4/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch @@ -0,0 +1,73 @@ +From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 8 Mar 2017 10:19:36 -0800 +Subject: usb: hub: Fix crash after failure to read BOS descriptor + +From: Guenter Roeck + +commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream. + +If usb_get_bos_descriptor() returns an error, usb->bos will be NULL. +Nevertheless, it is dereferenced unconditionally in +hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set. +This results in a crash. + +usb 5-1: unable to get BOS descriptor +... +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = ffffffc00165f000 +[00000008] *pgd=000000000174f003, *pud=000000000174f003, + *pmd=0000000001750003, *pte=00e8000001751713 +Internal error: Oops: 96000005 [#1] PREEMPT SMP +Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ] +CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480 +Hardware name: Google Kevin (DT) +Workqueue: events driver_set_config_work +task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000 +PC is at hub_port_init+0xc3c/0xd10 +LR is at hub_port_init+0xc3c/0xd10 +... +Call trace: +[] hub_port_init+0xc3c/0xd10 +[] usb_reset_and_verify_device+0x15c/0x82c +[] usb_reset_device+0xe4/0x298 +[] rtl8152_probe+0x84/0x9b0 [r8152] +[] usb_probe_interface+0x244/0x2f8 +[] driver_probe_device+0x180/0x3b4 +[] __device_attach_driver+0xb4/0xe0 +[] bus_for_each_drv+0xb4/0xe4 +[] __device_attach+0xd0/0x158 +[] device_initial_probe+0x24/0x30 +[] bus_probe_device+0x50/0xe4 +[] device_add+0x414/0x738 +[] usb_set_configuration+0x89c/0x914 +[] driver_set_config_work+0xc0/0xf0 +[] process_one_work+0x390/0x6b8 +[] worker_thread+0x480/0x610 +[] kthread+0x164/0x178 +[] ret_from_fork+0x10/0x40 + +Since we don't know anything about LPM capabilities without BOS descriptor, +don't attempt to enable LPM if it is not available. + +Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...") +Cc: Mathias Nyman +Signed-off-by: Guenter Roeck +Acked-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4199,7 +4199,7 @@ static void hub_set_initial_usb2_lpm_pol + struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); + int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN; + +- if (!udev->usb2_hw_lpm_capable) ++ if (!udev->usb2_hw_lpm_capable || !udev->bos) + return; + + if (hub) diff --git a/queue-4.4/usb-idmouse-fix-null-deref-at-probe.patch b/queue-4.4/usb-idmouse-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..93dc6ec9323 --- /dev/null +++ b/queue-4.4/usb-idmouse-fix-null-deref-at-probe.patch @@ -0,0 +1,32 @@ +From b0addd3fa6bcd119be9428996d5d4522479ab240 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:48 +0100 +Subject: USB: idmouse: fix NULL-deref at probe + +From: Johan Hovold + +commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/idmouse.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_inte + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + ++ if (iface_desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + /* allocate memory for our device state and initialize it */ + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + if (dev == NULL) diff --git a/queue-4.4/usb-lvtest-fix-null-deref-at-probe.patch b/queue-4.4/usb-lvtest-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..49987c93e32 --- /dev/null +++ b/queue-4.4/usb-lvtest-fix-null-deref-at-probe.patch @@ -0,0 +1,36 @@ +From 1dc56c52d2484be09c7398a5207d6b11a4256be9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:49 +0100 +Subject: USB: lvtest: fix NULL-deref at probe + +From: Johan Hovold + +commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should the probed device lack endpoints. + +Note that this driver does not bind to any devices by default. + +Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver") +Cc: Pratyush Anand +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/lvstest.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/misc/lvstest.c ++++ b/drivers/usb/misc/lvstest.c +@@ -370,6 +370,10 @@ static int lvs_rh_probe(struct usb_inter + + hdev = interface_to_usbdev(intf); + desc = intf->cur_altsetting; ++ ++ if (desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &desc->endpoint[0].desc; + + /* valid only for SS root hub */ diff --git a/queue-4.4/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch b/queue-4.4/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch new file mode 100644 index 00000000000..d051a1df75b --- /dev/null +++ b/queue-4.4/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch @@ -0,0 +1,60 @@ +From 0090114d336a9604aa2d90bc83f20f7cd121b76c Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Fri, 10 Mar 2017 14:43:35 -0600 +Subject: usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer + +From: Bin Liu + +commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream. + +The CPPI 4.1 driver polls register to workaround the premature TX +interrupt issue, but it causes audio playback underrun when triggered in +Isoch transfers. + +Isoch doesn't do back-to-back transfers, the TX should be done by the +time the next transfer is scheduled. So skip this polling workaround for +Isoch transfer. + +Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt") +Reported-by: Alexandre Bailon +Acked-by: Sebastian Andrzej Siewior +Tested-by: Alexandre Bailon +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_cppi41.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/musb/musb_cppi41.c ++++ b/drivers/usb/musb/musb_cppi41.c +@@ -250,8 +250,27 @@ static void cppi41_dma_callback(void *pr + transferred < cppi41_channel->packet_sz) + cppi41_channel->prog_len = 0; + +- if (cppi41_channel->is_tx) +- empty = musb_is_tx_fifo_empty(hw_ep); ++ if (cppi41_channel->is_tx) { ++ u8 type; ++ ++ if (is_host_active(musb)) ++ type = hw_ep->out_qh->type; ++ else ++ type = hw_ep->ep_in.type; ++ ++ if (type == USB_ENDPOINT_XFER_ISOC) ++ /* ++ * Don't use the early-TX-interrupt workaround below ++ * for Isoch transfter. Since Isoch are periodic ++ * transfer, by the time the next transfer is ++ * scheduled, the current one should be done already. ++ * ++ * This avoids audio playback underrun issue. ++ */ ++ empty = true; ++ else ++ empty = musb_is_tx_fifo_empty(hw_ep); ++ } + + if (!cppi41_channel->is_tx || empty) { + cppi41_trans_done(cppi41_channel); diff --git a/queue-4.4/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch b/queue-4.4/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch new file mode 100644 index 00000000000..18a588bd43f --- /dev/null +++ b/queue-4.4/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch @@ -0,0 +1,54 @@ +From 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 9 Mar 2017 11:32:28 -0600 +Subject: USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems + +From: Dan Williams + +commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream. + +Add Quectel UC15, UC20, EC21, and EC25. The EC20 is handled by +qcserial due to a USB VID/PID conflict with an existing Acer +device. + +Signed-off-by: Dan Williams +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -233,6 +233,14 @@ static void option_instat_callback(struc + #define BANDRICH_PRODUCT_1012 0x1012 + + #define QUALCOMM_VENDOR_ID 0x05C6 ++/* These Quectel products use Qualcomm's vendor ID */ ++#define QUECTEL_PRODUCT_UC20 0x9003 ++#define QUECTEL_PRODUCT_UC15 0x9090 ++ ++#define QUECTEL_VENDOR_ID 0x2c7c ++/* These Quectel products use Quectel's vendor ID */ ++#define QUECTEL_PRODUCT_EC21 0x0121 ++#define QUECTEL_PRODUCT_EC25 0x0125 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -1161,7 +1169,14 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ +- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ ++ /* Quectel products using Qualcomm vendor ID */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ /* Quectel products using Quectel vendor ID */ ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, diff --git a/queue-4.4/usb-serial-qcserial-add-dell-dw5811e.patch b/queue-4.4/usb-serial-qcserial-add-dell-dw5811e.patch new file mode 100644 index 00000000000..ac5fb007db8 --- /dev/null +++ b/queue-4.4/usb-serial-qcserial-add-dell-dw5811e.patch @@ -0,0 +1,33 @@ +From 436ecf5519d892397af133a79ccd38a17c25fa51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 17 Mar 2017 17:21:28 +0100 +Subject: USB: serial: qcserial: add Dell DW5811e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream. + +This is a Dell branded Sierra Wireless EM7455. + +Signed-off-by: Bjørn Mork +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -169,6 +169,8 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ ++ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ ++ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ + + /* Huawei devices */ + {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */ diff --git a/queue-4.4/usb-uss720-fix-null-deref-at-probe.patch b/queue-4.4/usb-uss720-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..aedc5673fad --- /dev/null +++ b/queue-4.4/usb-uss720-fix-null-deref-at-probe.patch @@ -0,0 +1,41 @@ +From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:50 +0100 +Subject: USB: uss720: fix NULL-deref at probe + +From: Johan Hovold + +commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Note that the endpoint access that causes the NULL-deref is currently +only used for debugging purposes during probe so the oops only happens +when dynamic debugging is enabled. This means the driver could be +rewritten to continue to accept device with only two endpoints, should +such devices exist. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/uss720.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -711,6 +711,11 @@ static int uss720_probe(struct usb_inter + + interface = intf->cur_altsetting; + ++ if (interface->desc.bNumEndpoints < 3) { ++ usb_put_dev(usbdev); ++ return -ENODEV; ++ } ++ + /* + * Allocate parport interface + */ diff --git a/queue-4.4/usb-wusbcore-fix-null-deref-at-probe.patch b/queue-4.4/usb-wusbcore-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..76a4c8df156 --- /dev/null +++ b/queue-4.4/usb-wusbcore-fix-null-deref-at-probe.patch @@ -0,0 +1,38 @@ +From 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:51 +0100 +Subject: USB: wusbcore: fix NULL-deref at probe + +From: Johan Hovold + +commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +This specifically fixes the NULL-pointer dereference when probing HWA HC +devices. + +Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/wusbcore/wa-hc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/wusbcore/wa-hc.c ++++ b/drivers/usb/wusbcore/wa-hc.c +@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct us + int result; + struct device *dev = &iface->dev; + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + result = wa_rpipes_create(wa); + if (result < 0) + goto error_rpipes_create; diff --git a/queue-4.4/uwb-hwa-rc-fix-null-deref-at-probe.patch b/queue-4.4/uwb-hwa-rc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..faa92f9bd55 --- /dev/null +++ b/queue-4.4/uwb-hwa-rc-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:52 +0100 +Subject: uwb: hwa-rc: fix NULL-deref at probe + +From: Johan Hovold + +commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Note that the dereference happens in the start callback which is called +during probe. + +Fixes: de520b8bd552 ("uwb: add HWA radio controller driver") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/hwa-rc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -825,6 +825,9 @@ static int hwarc_probe(struct usb_interf + struct hwarc *hwarc; + struct device *dev = &iface->dev; + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + result = -ENOMEM; + uwb_rc = uwb_rc_alloc(); + if (uwb_rc == NULL) { diff --git a/queue-4.4/uwb-i1480-dfu-fix-null-deref-at-probe.patch b/queue-4.4/uwb-i1480-dfu-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..297901ebbae --- /dev/null +++ b/queue-4.4/uwb-i1480-dfu-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:53 +0100 +Subject: uwb: i1480-dfu: fix NULL-deref at probe + +From: Johan Hovold + +commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Note that the dereference happens in the cmd and wait_init_done +callbacks which are called during probe. + +Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/i1480/dfu/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/uwb/i1480/dfu/usb.c ++++ b/drivers/uwb/i1480/dfu/usb.c +@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface + result); + } + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + result = -ENOMEM; + i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL); + if (i1480_usb == NULL) {