From: Greg Kroah-Hartman Date: Mon, 27 Mar 2017 16:37:10 +0000 (+0200) Subject: 4.10-stable patches X-Git-Tag: v4.4.58~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=905942010d8051fab02c4c2a31aaf2c8e3928252;p=thirdparty%2Fkernel%2Fstable-queue.git 4.10-stable patches added patches: acm-gadget-fix-endianness-in-notifications.patch alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch dvb-usb-firmware-don-t-do-dma-on-stack.patch hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch input-alps-fix-trackstick-button-handling-on-v8-devices.patch input-alps-fix-v8-protocol-handling-73-03-28.patch input-cm109-validate-number-of-endpoints-before-using-them.patch input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch input-hanwang-validate-number-of-endpoints-before-using-them.patch input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch input-iforce-validate-number-of-endpoints-before-using-them.patch input-ims-pcu-validate-number-of-endpoints-before-using-them.patch input-kbtab-validate-number-of-endpoints-before-using-them.patch input-sur40-validate-number-of-endpoints-before-using-them.patch input-yealink-validate-number-of-endpoints-before-using-them.patch mmc-core-fix-access-to-hs400-es-devices.patch mmc-ushc-fix-null-deref-at-probe.patch nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch usb-core-add-linear_frame_intr_binterval-usb-quirk.patch usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch usb-idmouse-fix-null-deref-at-probe.patch usb-lvtest-fix-null-deref-at-probe.patch usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch usb-serial-qcserial-add-dell-dw5811e.patch usb-usbtmc-add-missing-endpoint-sanity-check.patch usb-usbtmc-fix-probe-error-path.patch usb-uss720-fix-null-deref-at-probe.patch usb-wusbcore-fix-null-deref-at-probe.patch uwb-hwa-rc-fix-null-deref-at-probe.patch uwb-i1480-dfu-fix-null-deref-at-probe.patch --- diff --git a/queue-4.10/acm-gadget-fix-endianness-in-notifications.patch b/queue-4.10/acm-gadget-fix-endianness-in-notifications.patch new file mode 100644 index 00000000000..f1a7a2b5614 --- /dev/null +++ b/queue-4.10/acm-gadget-fix-endianness-in-notifications.patch @@ -0,0 +1,43 @@ +From cdd7928df0d2efaa3270d711963773a08a4cc8ab Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 14 Mar 2017 12:09:56 +0100 +Subject: ACM gadget: fix endianness in notifications +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Oliver Neukum + +commit cdd7928df0d2efaa3270d711963773a08a4cc8ab upstream. + +The gadget code exports the bitfield for serial status changes +over the wire in its internal endianness. The fix is to convert +to little endian before sending it over the wire. + +Signed-off-by: Oliver Neukum +Tested-by: 家瑋 +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_acm.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_acm.c ++++ b/drivers/usb/gadget/function/f_acm.c +@@ -535,13 +535,15 @@ static int acm_notify_serial_state(struc + { + struct usb_composite_dev *cdev = acm->port.func.config->cdev; + int status; ++ __le16 serial_state; + + spin_lock(&acm->lock); + if (acm->notify_req) { + dev_dbg(&cdev->gadget->dev, "acm ttyGS%d serial state %04x\n", + acm->port_num, acm->serial_state); ++ serial_state = cpu_to_le16(acm->serial_state); + status = acm_cdc_notify(acm, USB_CDC_NOTIFY_SERIAL_STATE, +- 0, &acm->serial_state, sizeof(acm->serial_state)); ++ 0, &serial_state, sizeof(acm->serial_state)); + } else { + acm->pending = true; + status = 0; diff --git a/queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch b/queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch new file mode 100644 index 00000000000..a89092d48db --- /dev/null +++ b/queue-4.10/alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch @@ -0,0 +1,36 @@ +From f363a06642f28caaa78cb6446bbad90c73fe183c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 20 Mar 2017 10:08:19 +0100 +Subject: ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call + +From: Takashi Iwai + +commit f363a06642f28caaa78cb6446bbad90c73fe183c upstream. + +In the commit [15c75b09f8d1: ALSA: ctxfi: Fallback DMA mask to 32bit], +I forgot to put "!" at dam_set_mask() call check in cthw20k1.c (while +cthw20k2.c is OK). This patch fixes that obvious bug. + +(As a side note: although the original commit was completely wrong, + it's still working for most of machines, as it sets to 32bit DMA mask + in the end. So the bug severity is low.) + +Fixes: 15c75b09f8d1 ("ALSA: ctxfi: Fallback DMA mask to 32bit") +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/ctxfi/cthw20k1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/ctxfi/cthw20k1.c ++++ b/sound/pci/ctxfi/cthw20k1.c +@@ -1905,7 +1905,7 @@ static int hw_card_start(struct hw *hw) + return err; + + /* Set DMA transfer mask */ +- if (dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { ++ if (!dma_set_mask(&pci->dev, DMA_BIT_MASK(dma_bits))) { + dma_set_coherent_mask(&pci->dev, DMA_BIT_MASK(dma_bits)); + } else { + dma_set_mask(&pci->dev, DMA_BIT_MASK(32)); diff --git a/queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch b/queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch new file mode 100644 index 00000000000..ccc363eb838 --- /dev/null +++ b/queue-4.10/alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch @@ -0,0 +1,32 @@ +From 3f307834e695f59dac4337a40316bdecfb9d0508 Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Thu, 23 Mar 2017 10:00:25 +0800 +Subject: ALSA: hda - Adding a group of pin definition to fix headset problem + +From: Hui Wang + +commit 3f307834e695f59dac4337a40316bdecfb9d0508 upstream. + +A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to +fix the headset problem, and the pin definiton of this machine is not +in the pin quirk table yet, now adding it to the table. + +Signed-off-by: Hui Wang +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6058,6 +6058,8 @@ static const struct snd_hda_pin_quirk al + ALC295_STANDARD_PINS, + {0x17, 0x21014040}, + {0x18, 0x21a19050}), ++ SND_HDA_PIN_QUIRK(0x10ec0295, 0x1028, "Dell", ALC269_FIXUP_DELL1_MIC_NO_PRESENCE, ++ ALC295_STANDARD_PINS), + SND_HDA_PIN_QUIRK(0x10ec0298, 0x1028, "Dell", ALC298_FIXUP_DELL1_MIC_NO_PRESENCE, + ALC298_STANDARD_PINS, + {0x17, 0x90170110}), diff --git a/queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch b/queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch new file mode 100644 index 00000000000..b1ee82795bd --- /dev/null +++ b/queue-4.10/alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch @@ -0,0 +1,103 @@ +From c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 21 Mar 2017 13:56:04 +0100 +Subject: ALSA: seq: Fix racy cell insertions during snd_seq_pool_done() + +From: Takashi Iwai + +commit c520ff3d03f0b5db7146d9beed6373ad5d2a5e0e upstream. + +When snd_seq_pool_done() is called, it marks the closing flag to +refuse the further cell insertions. But snd_seq_pool_done() itself +doesn't clear the cells but just waits until all cells are cleared by +the caller side. That is, it's racy, and this leads to the endless +stall as syzkaller spotted. + +This patch addresses the racy by splitting the setup of pool->closing +flag out of snd_seq_pool_done(), and calling it properly before +snd_seq_pool_done(). + +BugLink: http://lkml.kernel.org/r/CACT4Y+aqqy8bZA1fFieifNxR2fAfFQQABcBHj801+u5ePV0URw@mail.gmail.com +Reported-and-tested-by: Dmitry Vyukov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/seq/seq_clientmgr.c | 1 + + sound/core/seq/seq_fifo.c | 3 +++ + sound/core/seq/seq_memory.c | 17 +++++++++++++---- + sound/core/seq/seq_memory.h | 1 + + 4 files changed, 18 insertions(+), 4 deletions(-) + +--- a/sound/core/seq/seq_clientmgr.c ++++ b/sound/core/seq/seq_clientmgr.c +@@ -1832,6 +1832,7 @@ static int snd_seq_ioctl_set_client_pool + info->output_pool != client->pool->size)) { + if (snd_seq_write_pool_allocated(client)) { + /* remove all existing cells */ ++ snd_seq_pool_mark_closing(client->pool); + snd_seq_queue_client_leave_cells(client->number); + snd_seq_pool_done(client->pool); + } +--- a/sound/core/seq/seq_fifo.c ++++ b/sound/core/seq/seq_fifo.c +@@ -70,6 +70,9 @@ void snd_seq_fifo_delete(struct snd_seq_ + return; + *fifo = NULL; + ++ if (f->pool) ++ snd_seq_pool_mark_closing(f->pool); ++ + snd_seq_fifo_clear(f); + + /* wake up clients if any */ +--- a/sound/core/seq/seq_memory.c ++++ b/sound/core/seq/seq_memory.c +@@ -414,6 +414,18 @@ int snd_seq_pool_init(struct snd_seq_poo + return 0; + } + ++/* refuse the further insertion to the pool */ ++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool) ++{ ++ unsigned long flags; ++ ++ if (snd_BUG_ON(!pool)) ++ return; ++ spin_lock_irqsave(&pool->lock, flags); ++ pool->closing = 1; ++ spin_unlock_irqrestore(&pool->lock, flags); ++} ++ + /* remove events */ + int snd_seq_pool_done(struct snd_seq_pool *pool) + { +@@ -424,10 +436,6 @@ int snd_seq_pool_done(struct snd_seq_poo + return -EINVAL; + + /* wait for closing all threads */ +- spin_lock_irqsave(&pool->lock, flags); +- pool->closing = 1; +- spin_unlock_irqrestore(&pool->lock, flags); +- + if (waitqueue_active(&pool->output_sleep)) + wake_up(&pool->output_sleep); + +@@ -484,6 +492,7 @@ int snd_seq_pool_delete(struct snd_seq_p + *ppool = NULL; + if (pool == NULL) + return 0; ++ snd_seq_pool_mark_closing(pool); + snd_seq_pool_done(pool); + kfree(pool); + return 0; +--- a/sound/core/seq/seq_memory.h ++++ b/sound/core/seq/seq_memory.h +@@ -84,6 +84,7 @@ static inline int snd_seq_total_cells(st + int snd_seq_pool_init(struct snd_seq_pool *pool); + + /* done pool - free events */ ++void snd_seq_pool_mark_closing(struct snd_seq_pool *pool); + int snd_seq_pool_done(struct snd_seq_pool *pool); + + /* create pool */ diff --git a/queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch b/queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch new file mode 100644 index 00000000000..fe36dd62f82 --- /dev/null +++ b/queue-4.10/dvb-usb-firmware-don-t-do-dma-on-stack.patch @@ -0,0 +1,78 @@ +From 67b0503db9c29b04eadfeede6bebbfe5ddad94ef Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Stefan=20Br=C3=BCns?= +Date: Sun, 12 Feb 2017 13:02:13 -0200 +Subject: [media] dvb-usb-firmware: don't do DMA on stack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Stefan Brüns + +commit 67b0503db9c29b04eadfeede6bebbfe5ddad94ef upstream. + +The buffer allocation for the firmware data was changed in +commit 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load") +but the same applies for the reset value. + +Fixes: 43fab9793c1f ("[media] dvb-usb: don't use stack for firmware load") +Signed-off-by: Stefan Brüns +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dvb-usb-firmware.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dvb-usb-firmware.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-firmware.c +@@ -36,16 +36,18 @@ static int usb_cypress_writemem(struct u + int usb_cypress_load_firmware(struct usb_device *udev, const struct firmware *fw, int type) + { + struct hexline *hx; +- u8 reset; +- int ret,pos=0; ++ u8 *buf; ++ int ret, pos = 0; ++ u16 cpu_cs_register = cypress[type].cpu_cs_register; + +- hx = kmalloc(sizeof(*hx), GFP_KERNEL); +- if (!hx) ++ buf = kmalloc(sizeof(*hx), GFP_KERNEL); ++ if (!buf) + return -ENOMEM; ++ hx = (struct hexline *)buf; + + /* stop the CPU */ +- reset = 1; +- if ((ret = usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1)) != 1) ++ buf[0] = 1; ++ if (usb_cypress_writemem(udev, cpu_cs_register, buf, 1) != 1) + err("could not stop the USB controller CPU."); + + while ((ret = dvb_usb_get_hexline(fw, hx, &pos)) > 0) { +@@ -61,21 +63,21 @@ int usb_cypress_load_firmware(struct usb + } + if (ret < 0) { + err("firmware download failed at %d with %d",pos,ret); +- kfree(hx); ++ kfree(buf); + return ret; + } + + if (ret == 0) { + /* restart the CPU */ +- reset = 0; +- if (ret || usb_cypress_writemem(udev,cypress[type].cpu_cs_register,&reset,1) != 1) { ++ buf[0] = 0; ++ if (usb_cypress_writemem(udev, cpu_cs_register, buf, 1) != 1) { + err("could not restart the USB controller CPU."); + ret = -EINVAL; + } + } else + ret = -EIO; + +- kfree(hx); ++ kfree(buf); + + return ret; + } diff --git a/queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch b/queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch new file mode 100644 index 00000000000..0fbd070f5ff --- /dev/null +++ b/queue-4.10/hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch @@ -0,0 +1,39 @@ +From a687c5765b5ae19fe559e14615ddc87ebb46d409 Mon Sep 17 00:00:00 2001 +From: Roderick Colenbrander +Date: Fri, 24 Feb 2017 16:14:15 -0800 +Subject: HID: sony: Fix input device leak when connecting a DS4 twice using USB/BT + +From: Roderick Colenbrander + +commit a687c5765b5ae19fe559e14615ddc87ebb46d409 upstream. + +When a user connects a DS4 twice using USB and BT, we reject the +second device connection after the setup work. We then perform +a cleanup, but during cleanup we are not removing the touchpad +device. This leads to leakage of an input device, which we would +never remove. It can likely result into a kernel oops as well +when the touchpad evdev node is accessed and the underlaying HID +device has been removed from the system. + +[jkosina@suse.cz: added stable annotation] +Fixes: ac797b95f532 ("HID: sony: Make the DS4 touchpad a separate device") +Signed-off-by: Roderick Colenbrander +Reviewed-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-sony.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hid/hid-sony.c ++++ b/drivers/hid/hid-sony.c +@@ -2632,6 +2632,8 @@ err_stop: + sony_leds_remove(sc); + if (sc->quirks & SONY_BATTERY_SUPPORT) + sony_battery_remove(sc); ++ if (sc->touchpad) ++ sony_unregister_touchpad(sc); + sony_cancel_work_sync(sc); + kfree(sc->output_report_dmabuf); + sony_remove_dev_list(sc); diff --git a/queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch b/queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch new file mode 100644 index 00000000000..1a51e7e1d2b --- /dev/null +++ b/queue-4.10/input-alps-fix-trackstick-button-handling-on-v8-devices.patch @@ -0,0 +1,39 @@ +From 47e6fb4212d09f325c0847d05985dd3d71553095 Mon Sep 17 00:00:00 2001 +From: Masaki Ota +Date: Fri, 17 Mar 2017 14:19:40 -0700 +Subject: Input: ALPS - fix trackstick button handling on V8 devices + +From: Masaki Ota + +commit 47e6fb4212d09f325c0847d05985dd3d71553095 upstream. + +Alps stick devices always have physical buttons, so we should not check +ALPS_BUTTONPAD flag to decide whether we should report them. + +Fixes: 4777ac220c43 ("Input: ALPS - add touchstick support for SS5 hardware") +Signed-off-by: Masaki Ota +Acked-by: Pali Rohar +Tested-by: Paul Donohue +Tested-by: Nick Fletcher +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -1282,10 +1282,8 @@ static int alps_decode_ss4_v2(struct alp + /* handle buttons */ + if (pkt_id == SS4_PACKET_ID_STICK) { + f->ts_left = !!(SS4_BTN_V2(p) & 0x01); +- if (!(priv->flags & ALPS_BUTTONPAD)) { +- f->ts_right = !!(SS4_BTN_V2(p) & 0x02); +- f->ts_middle = !!(SS4_BTN_V2(p) & 0x04); +- } ++ f->ts_right = !!(SS4_BTN_V2(p) & 0x02); ++ f->ts_middle = !!(SS4_BTN_V2(p) & 0x04); + } else { + f->left = !!(SS4_BTN_V2(p) & 0x01); + if (!(priv->flags & ALPS_BUTTONPAD)) { diff --git a/queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch b/queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch new file mode 100644 index 00000000000..1f65613de92 --- /dev/null +++ b/queue-4.10/input-alps-fix-v8-protocol-handling-73-03-28.patch @@ -0,0 +1,173 @@ +From e7348396c6d51b57c95c6646c390cd078e038e19 Mon Sep 17 00:00:00 2001 +From: Masaki Ota +Date: Fri, 17 Mar 2017 14:10:57 -0700 +Subject: Input: ALPS - fix V8+ protocol handling (73 03 28) + +From: Masaki Ota + +commit e7348396c6d51b57c95c6646c390cd078e038e19 upstream. + +Devices identified as E7="73 03 28" use slightly modified version of V8 +protocol, with lower count per electrode, different offsets, and different +feature bits in OTP data. + +Fixes: aeaa881f9b17 ("Input: ALPS - set DualPoint flag for 74 03 28 devices") +Signed-off-by: Masaki Ota +Acked-by: Pali Rohar +Tested-by: Paul Donohue +Tested-by: Nick Fletcher +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 68 +++++++++++++++++++++++++++++++++------------ + drivers/input/mouse/alps.h | 11 +++++++ + 2 files changed, 62 insertions(+), 17 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -2462,14 +2462,34 @@ static int alps_update_device_area_ss4_v + int num_y_electrode; + int x_pitch, y_pitch, x_phys, y_phys; + +- num_x_electrode = SS4_NUMSENSOR_XOFFSET + (otp[1][0] & 0x0F); +- num_y_electrode = SS4_NUMSENSOR_YOFFSET + ((otp[1][0] >> 4) & 0x0F); ++ if (IS_SS4PLUS_DEV(priv->dev_id)) { ++ num_x_electrode = ++ SS4PLUS_NUMSENSOR_XOFFSET + (otp[0][2] & 0x0F); ++ num_y_electrode = ++ SS4PLUS_NUMSENSOR_YOFFSET + ((otp[0][2] >> 4) & 0x0F); ++ ++ priv->x_max = ++ (num_x_electrode - 1) * SS4PLUS_COUNT_PER_ELECTRODE; ++ priv->y_max = ++ (num_y_electrode - 1) * SS4PLUS_COUNT_PER_ELECTRODE; ++ ++ x_pitch = (otp[0][1] & 0x0F) + SS4PLUS_MIN_PITCH_MM; ++ y_pitch = ((otp[0][1] >> 4) & 0x0F) + SS4PLUS_MIN_PITCH_MM; ++ ++ } else { ++ num_x_electrode = ++ SS4_NUMSENSOR_XOFFSET + (otp[1][0] & 0x0F); ++ num_y_electrode = ++ SS4_NUMSENSOR_YOFFSET + ((otp[1][0] >> 4) & 0x0F); ++ ++ priv->x_max = ++ (num_x_electrode - 1) * SS4_COUNT_PER_ELECTRODE; ++ priv->y_max = ++ (num_y_electrode - 1) * SS4_COUNT_PER_ELECTRODE; + +- priv->x_max = (num_x_electrode - 1) * SS4_COUNT_PER_ELECTRODE; +- priv->y_max = (num_y_electrode - 1) * SS4_COUNT_PER_ELECTRODE; +- +- x_pitch = ((otp[1][2] >> 2) & 0x07) + SS4_MIN_PITCH_MM; +- y_pitch = ((otp[1][2] >> 5) & 0x07) + SS4_MIN_PITCH_MM; ++ x_pitch = ((otp[1][2] >> 2) & 0x07) + SS4_MIN_PITCH_MM; ++ y_pitch = ((otp[1][2] >> 5) & 0x07) + SS4_MIN_PITCH_MM; ++ } + + x_phys = x_pitch * (num_x_electrode - 1); /* In 0.1 mm units */ + y_phys = y_pitch * (num_y_electrode - 1); /* In 0.1 mm units */ +@@ -2485,7 +2505,10 @@ static int alps_update_btn_info_ss4_v2(u + { + unsigned char is_btnless; + +- is_btnless = (otp[1][1] >> 3) & 0x01; ++ if (IS_SS4PLUS_DEV(priv->dev_id)) ++ is_btnless = (otp[1][0] >> 1) & 0x01; ++ else ++ is_btnless = (otp[1][1] >> 3) & 0x01; + + if (is_btnless) + priv->flags |= ALPS_BUTTONPAD; +@@ -2493,6 +2516,21 @@ static int alps_update_btn_info_ss4_v2(u + return 0; + } + ++static int alps_update_dual_info_ss4_v2(unsigned char otp[][4], ++ struct alps_data *priv) ++{ ++ bool is_dual = false; ++ ++ if (IS_SS4PLUS_DEV(priv->dev_id)) ++ is_dual = (otp[0][0] >> 4) & 0x01; ++ ++ if (is_dual) ++ priv->flags |= ALPS_DUALPOINT | ++ ALPS_DUALPOINT_WITH_PRESSURE; ++ ++ return 0; ++} ++ + static int alps_set_defaults_ss4_v2(struct psmouse *psmouse, + struct alps_data *priv) + { +@@ -2508,6 +2546,8 @@ static int alps_set_defaults_ss4_v2(stru + + alps_update_btn_info_ss4_v2(otp, priv); + ++ alps_update_dual_info_ss4_v2(otp, priv); ++ + return 0; + } + +@@ -2753,10 +2793,6 @@ static int alps_set_protocol(struct psmo + if (alps_set_defaults_ss4_v2(psmouse, priv)) + return -EIO; + +- if (priv->fw_ver[1] == 0x1) +- priv->flags |= ALPS_DUALPOINT | +- ALPS_DUALPOINT_WITH_PRESSURE; +- + break; + } + +@@ -2827,10 +2863,7 @@ static int alps_identify(struct psmouse + ec[2] >= 0x90 && ec[2] <= 0x9d) { + protocol = &alps_v3_protocol_data; + } else if (e7[0] == 0x73 && e7[1] == 0x03 && +- e7[2] == 0x14 && ec[1] == 0x02) { +- protocol = &alps_v8_protocol_data; +- } else if (e7[0] == 0x73 && e7[1] == 0x03 && +- e7[2] == 0x28 && ec[1] == 0x01) { ++ (e7[2] == 0x14 || e7[2] == 0x28)) { + protocol = &alps_v8_protocol_data; + } else { + psmouse_dbg(psmouse, +@@ -2840,7 +2873,8 @@ static int alps_identify(struct psmouse + } + + if (priv) { +- /* Save the Firmware version */ ++ /* Save Device ID and Firmware version */ ++ memcpy(priv->dev_id, e7, 3); + memcpy(priv->fw_ver, ec, 3); + error = alps_set_protocol(psmouse, priv, protocol); + if (error) +--- a/drivers/input/mouse/alps.h ++++ b/drivers/input/mouse/alps.h +@@ -54,6 +54,16 @@ enum SS4_PACKET_ID { + + #define SS4_MASK_NORMAL_BUTTONS 0x07 + ++#define SS4PLUS_COUNT_PER_ELECTRODE 128 ++#define SS4PLUS_NUMSENSOR_XOFFSET 16 ++#define SS4PLUS_NUMSENSOR_YOFFSET 5 ++#define SS4PLUS_MIN_PITCH_MM 37 ++ ++#define IS_SS4PLUS_DEV(_b) (((_b[0]) == 0x73) && \ ++ ((_b[1]) == 0x03) && \ ++ ((_b[2]) == 0x28) \ ++ ) ++ + #define SS4_IS_IDLE_V2(_b) (((_b[0]) == 0x18) && \ + ((_b[1]) == 0x10) && \ + ((_b[2]) == 0x00) && \ +@@ -283,6 +293,7 @@ struct alps_data { + int addr_command; + u16 proto_version; + u8 byte0, mask0; ++ u8 dev_id[3]; + u8 fw_ver[3]; + int flags; + int x_max; diff --git a/queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..e84b1049a2b --- /dev/null +++ b/queue-4.10/input-cm109-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From ac2ee9ba953afe88f7a673e1c0c839227b1d7891 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:35:12 -0700 +Subject: Input: cm109 - validate number of endpoints before using them + +From: Johan Hovold + +commit ac2ee9ba953afe88f7a673e1c0c839227b1d7891 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c04148f915e5 ("Input: add driver for USB VoIP phones with CM109...") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/cm109.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/cm109.c ++++ b/drivers/input/misc/cm109.c +@@ -700,6 +700,10 @@ static int cm109_usb_probe(struct usb_in + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ ++ if (interface->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &interface->endpoint[0].desc; + + if (!usb_endpoint_is_int_in(endpoint)) diff --git a/queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch b/queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch new file mode 100644 index 00000000000..da7ddba699e --- /dev/null +++ b/queue-4.10/input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch @@ -0,0 +1,54 @@ +From 92ef6f97a66e580189a41a132d0f8a9f78d6ddce Mon Sep 17 00:00:00 2001 +From: Matjaz Hegedic +Date: Fri, 10 Mar 2017 14:33:09 -0800 +Subject: Input: elan_i2c - add ASUS EeeBook X205TA special touchpad fw + +From: Matjaz Hegedic + +commit 92ef6f97a66e580189a41a132d0f8a9f78d6ddce upstream. + +EeeBook X205TA is yet another ASUS device with a special touchpad +firmware that needs to be accounted for during initialization, or +else the touchpad will go into an invalid state upon suspend/resume. +Adding the appropriate ic_type and product_id check fixes the problem. + +Signed-off-by: Matjaz Hegedic +Acked-by: KT Liao +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/elan_i2c_core.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/input/mouse/elan_i2c_core.c ++++ b/drivers/input/mouse/elan_i2c_core.c +@@ -218,17 +218,19 @@ static int elan_query_product(struct ela + + static int elan_check_ASUS_special_fw(struct elan_tp_data *data) + { +- if (data->ic_type != 0x0E) +- return false; +- +- switch (data->product_id) { +- case 0x05 ... 0x07: +- case 0x09: +- case 0x13: ++ if (data->ic_type == 0x0E) { ++ switch (data->product_id) { ++ case 0x05 ... 0x07: ++ case 0x09: ++ case 0x13: ++ return true; ++ } ++ } else if (data->ic_type == 0x08 && data->product_id == 0x26) { ++ /* ASUS EeeBook X205TA */ + return true; +- default: +- return false; + } ++ ++ return false; + } + + static int __elan_initialize(struct elan_tp_data *data) diff --git a/queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..c97f2800495 --- /dev/null +++ b/queue-4.10/input-hanwang-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,33 @@ +From ba340d7b83703768ce566f53f857543359aa1b98 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:39:29 -0700 +Subject: Input: hanwang - validate number of endpoints before using them + +From: Johan Hovold + +commit ba340d7b83703768ce566f53f857543359aa1b98 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: bba5394ad3bd ("Input: add support for Hanwang tablets") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/hanwang.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/tablet/hanwang.c ++++ b/drivers/input/tablet/hanwang.c +@@ -340,6 +340,9 @@ static int hanwang_probe(struct usb_inte + int error; + int i; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + hanwang = kzalloc(sizeof(struct hanwang), GFP_KERNEL); + input_dev = input_allocate_device(); + if (!hanwang || !input_dev) { diff --git a/queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch b/queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch new file mode 100644 index 00000000000..252ab274579 --- /dev/null +++ b/queue-4.10/input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch @@ -0,0 +1,40 @@ +From 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 7 Mar 2017 09:31:29 -0800 +Subject: Input: i8042 - add noloop quirk for Dell Embedded Box PC 3000 + +From: Kai-Heng Feng + +commit 45838660e34d90db8d4f7cbc8fd66e8aff79f4fe upstream. + +The aux port does not get detected without noloop quirk, so external PS/2 +mouse cannot work as result. + +The PS/2 mouse can work with this quirk. + +BugLink: https://bugs.launchpad.net/bugs/1591053 +Signed-off-by: Kai-Heng Feng +Reviewed-by: Marcos Paulo de Souza +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -120,6 +120,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Dell Embedded Box PC 3000 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Embedded Box PC 3000"), ++ }, ++ }, ++ { + /* OQO Model 01 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "OQO"), diff --git a/queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..d93dffa2ead --- /dev/null +++ b/queue-4.10/input-iforce-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,33 @@ +From 59cf8bed44a79ec42303151dd014fdb6434254bb Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:34:02 -0700 +Subject: Input: iforce - validate number of endpoints before using them + +From: Johan Hovold + +commit 59cf8bed44a79ec42303151dd014fdb6434254bb upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory that lie beyond the end of the endpoint +array should a malicious device lack the expected endpoints. + +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joystick/iforce/iforce-usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joystick/iforce/iforce-usb.c ++++ b/drivers/input/joystick/iforce/iforce-usb.c +@@ -141,6 +141,9 @@ static int iforce_usb_probe(struct usb_i + + interface = intf->cur_altsetting; + ++ if (interface->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + epirq = &interface->endpoint[0].desc; + epout = &interface->endpoint[1].desc; + diff --git a/queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..725bacfaa12 --- /dev/null +++ b/queue-4.10/input-ims-pcu-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 1916d319271664241b7aa0cd2b05e32bdb310ce9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:36:13 -0700 +Subject: Input: ims-pcu - validate number of endpoints before using them + +From: Johan Hovold + +commit 1916d319271664241b7aa0cd2b05e32bdb310ce9 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack control-interface endpoints. + +Fixes: 628329d52474 ("Input: add IMS Passenger Control Unit driver") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/ims-pcu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/ims-pcu.c ++++ b/drivers/input/misc/ims-pcu.c +@@ -1667,6 +1667,10 @@ static int ims_pcu_parse_cdc_data(struct + return -EINVAL; + + alt = pcu->ctrl_intf->cur_altsetting; ++ ++ if (alt->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + pcu->ep_ctrl = &alt->endpoint[0].desc; + pcu->max_ctrl_size = usb_endpoint_maxp(pcu->ep_ctrl); + diff --git a/queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..35c645a1da1 --- /dev/null +++ b/queue-4.10/input-kbtab-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,32 @@ +From cb1b494663e037253337623bf1ef2df727883cb7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:41:55 -0700 +Subject: Input: kbtab - validate number of endpoints before using them + +From: Johan Hovold + +commit cb1b494663e037253337623bf1ef2df727883cb7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/tablet/kbtab.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/tablet/kbtab.c ++++ b/drivers/input/tablet/kbtab.c +@@ -122,6 +122,9 @@ static int kbtab_probe(struct usb_interf + struct input_dev *input_dev; + int error = -ENOMEM; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + kbtab = kzalloc(sizeof(struct kbtab), GFP_KERNEL); + input_dev = input_allocate_device(); + if (!kbtab || !input_dev) diff --git a/queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..aabed37b69b --- /dev/null +++ b/queue-4.10/input-sur40-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 92461f5d723037530c1f36cce93640770037812c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:43:09 -0700 +Subject: Input: sur40 - validate number of endpoints before using them + +From: Johan Hovold + +commit 92461f5d723037530c1f36cce93640770037812c upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory that lie beyond the end of the endpoint +array should a malicious device lack the expected endpoints. + +Fixes: bdb5c57f209c ("Input: add sur40 driver for Samsung SUR40... ") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/sur40.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/touchscreen/sur40.c ++++ b/drivers/input/touchscreen/sur40.c +@@ -527,6 +527,9 @@ static int sur40_probe(struct usb_interf + if (iface_desc->desc.bInterfaceClass != 0xFF) + return -ENODEV; + ++ if (iface_desc->desc.bNumEndpoints < 5) ++ return -ENODEV; ++ + /* Use endpoint #4 (0x86). */ + endpoint = &iface_desc->endpoint[4].desc; + if (endpoint->bEndpointAddress != TOUCH_ENDPOINT) diff --git a/queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch b/queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch new file mode 100644 index 00000000000..ed8a6543ea9 --- /dev/null +++ b/queue-4.10/input-yealink-validate-number-of-endpoints-before-using-them.patch @@ -0,0 +1,34 @@ +From 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 16 Mar 2017 11:37:01 -0700 +Subject: Input: yealink - validate number of endpoints before using them + +From: Johan Hovold + +commit 5cc4a1a9f5c179795c8a1f2b0f4361829d6a070e upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: aca951a22a1d ("[PATCH] input-driver-yealink-P1K-usb-phone") +Signed-off-by: Johan Hovold +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/yealink.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/input/misc/yealink.c ++++ b/drivers/input/misc/yealink.c +@@ -875,6 +875,10 @@ static int usb_probe(struct usb_interfac + int ret, pipe, i; + + interface = intf->cur_altsetting; ++ ++ if (interface->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -ENODEV; diff --git a/queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch b/queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch new file mode 100644 index 00000000000..bd3c17b07a2 --- /dev/null +++ b/queue-4.10/mmc-core-fix-access-to-hs400-es-devices.patch @@ -0,0 +1,46 @@ +From 773dc118756b1f38766063e90e582016be868f09 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 1 Mar 2017 14:11:47 -0800 +Subject: mmc: core: Fix access to HS400-ES devices + +From: Guenter Roeck + +commit 773dc118756b1f38766063e90e582016be868f09 upstream. + +HS400-ES devices fail to initialize with the following error messages. + +mmc1: power class selection to bus width 8 ddr 0 failed +mmc1: error -110 whilst initialising MMC card + +This was seen on Samsung Chromebook Plus. Code analysis points to +commit 3d4ef329757c ("mmc: core: fix multi-bit bus width without +high-speed mode"), which attempts to set the bus width for all but +HS200 devices unconditionally. However, for HS400-ES, the bus width +is already selected. + +Cc: Anssi Hannula +Cc: Douglas Anderson +Cc: Brian Norris +Fixes: 3d4ef329757c ("mmc: core: fix multi-bit bus width ...") +Signed-off-by: Guenter Roeck +Reviewed-by: Douglas Anderson +Reviewed-by: Shawn Lin +Tested-by: Heiko Stuebner +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/core/mmc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mmc/core/mmc.c ++++ b/drivers/mmc/core/mmc.c +@@ -1706,7 +1706,7 @@ static int mmc_init_card(struct mmc_host + err = mmc_select_hs400(card); + if (err) + goto free_card; +- } else { ++ } else if (!mmc_card_hs400es(card)) { + /* Select the desired bus width optionally */ + err = mmc_select_bus_width(card); + if (err > 0 && mmc_card_hs(card)) { diff --git a/queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch b/queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..ca5b219b5e5 --- /dev/null +++ b/queue-4.10/mmc-ushc-fix-null-deref-at-probe.patch @@ -0,0 +1,34 @@ +From 181302dc7239add8ab1449c23ecab193f52ee6ab Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:40:22 +0100 +Subject: mmc: ushc: fix NULL-deref at probe + +From: Johan Hovold + +commit 181302dc7239add8ab1449c23ecab193f52ee6ab upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: 53f3a9e26ed5 ("mmc: USB SD Host Controller (USHC) driver") +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/ushc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/mmc/host/ushc.c ++++ b/drivers/mmc/host/ushc.c +@@ -426,6 +426,9 @@ static int ushc_probe(struct usb_interfa + struct ushc_data *ushc; + int ret; + ++ if (intf->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + mmc = mmc_alloc_host(sizeof(struct ushc_data), &intf->dev); + if (mmc == NULL) + return -ENOMEM; diff --git a/queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch b/queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch new file mode 100644 index 00000000000..158f6eb977c --- /dev/null +++ b/queue-4.10/nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch @@ -0,0 +1,361 @@ +From ea90e0dc8cecba6359b481e24d9c37160f6f524f Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 15 Mar 2017 14:26:04 +0100 +Subject: nl80211: fix dumpit error path RTNL deadlocks + +From: Johannes Berg + +commit ea90e0dc8cecba6359b481e24d9c37160f6f524f upstream. + +Sowmini pointed out Dmitry's RTNL deadlock report to me, and it turns out +to be perfectly accurate - there are various error paths that miss unlock +of the RTNL. + +To fix those, change the locking a bit to not be conditional in all those +nl80211_prepare_*_dump() functions, but make those require the RTNL to +start with, and fix the buggy error paths. This also let me use sparse +(by appropriately overriding the rtnl_lock/rtnl_unlock functions) to +validate the changes. + +Reported-by: Sowmini Varadhan +Reported-by: Dmitry Vyukov +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 127 +++++++++++++++++++++---------------------------- + 1 file changed, 56 insertions(+), 71 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -540,22 +540,18 @@ static int nl80211_prepare_wdev_dump(str + { + int err; + +- rtnl_lock(); +- + if (!cb->args[0]) { + err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, + genl_family_attrbuf(&nl80211_fam), + nl80211_fam.maxattr, nl80211_policy); + if (err) +- goto out_unlock; ++ return err; + + *wdev = __cfg80211_wdev_from_attrs( + sock_net(skb->sk), + genl_family_attrbuf(&nl80211_fam)); +- if (IS_ERR(*wdev)) { +- err = PTR_ERR(*wdev); +- goto out_unlock; +- } ++ if (IS_ERR(*wdev)) ++ return PTR_ERR(*wdev); + *rdev = wiphy_to_rdev((*wdev)->wiphy); + /* 0 is the first index - add 1 to parse only once */ + cb->args[0] = (*rdev)->wiphy_idx + 1; +@@ -565,10 +561,8 @@ static int nl80211_prepare_wdev_dump(str + struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); + struct wireless_dev *tmp; + +- if (!wiphy) { +- err = -ENODEV; +- goto out_unlock; +- } ++ if (!wiphy) ++ return -ENODEV; + *rdev = wiphy_to_rdev(wiphy); + *wdev = NULL; + +@@ -579,21 +573,11 @@ static int nl80211_prepare_wdev_dump(str + } + } + +- if (!*wdev) { +- err = -ENODEV; +- goto out_unlock; +- } ++ if (!*wdev) ++ return -ENODEV; + } + + return 0; +- out_unlock: +- rtnl_unlock(); +- return err; +-} +- +-static void nl80211_finish_wdev_dump(struct cfg80211_registered_device *rdev) +-{ +- rtnl_unlock(); + } + + /* IE validation */ +@@ -2599,17 +2583,17 @@ static int nl80211_dump_interface(struct + int filter_wiphy = -1; + struct cfg80211_registered_device *rdev; + struct wireless_dev *wdev; ++ int ret; + + rtnl_lock(); + if (!cb->args[2]) { + struct nl80211_dump_wiphy_state state = { + .filter_wiphy = -1, + }; +- int ret; + + ret = nl80211_dump_wiphy_parse(skb, cb, &state); + if (ret) +- return ret; ++ goto out_unlock; + + filter_wiphy = state.filter_wiphy; + +@@ -2654,12 +2638,14 @@ static int nl80211_dump_interface(struct + wp_idx++; + } + out: +- rtnl_unlock(); +- + cb->args[0] = wp_idx; + cb->args[1] = if_idx; + +- return skb->len; ++ ret = skb->len; ++ out_unlock: ++ rtnl_unlock(); ++ ++ return ret; + } + + static int nl80211_get_interface(struct sk_buff *skb, struct genl_info *info) +@@ -4398,9 +4384,10 @@ static int nl80211_dump_station(struct s + int sta_idx = cb->args[2]; + int err; + ++ rtnl_lock(); + err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); + if (err) +- return err; ++ goto out_err; + + if (!wdev->netdev) { + err = -EINVAL; +@@ -4435,7 +4422,7 @@ static int nl80211_dump_station(struct s + cb->args[2] = sta_idx; + err = skb->len; + out_err: +- nl80211_finish_wdev_dump(rdev); ++ rtnl_unlock(); + + return err; + } +@@ -5221,9 +5208,10 @@ static int nl80211_dump_mpath(struct sk_ + int path_idx = cb->args[2]; + int err; + ++ rtnl_lock(); + err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); + if (err) +- return err; ++ goto out_err; + + if (!rdev->ops->dump_mpath) { + err = -EOPNOTSUPP; +@@ -5256,7 +5244,7 @@ static int nl80211_dump_mpath(struct sk_ + cb->args[2] = path_idx; + err = skb->len; + out_err: +- nl80211_finish_wdev_dump(rdev); ++ rtnl_unlock(); + return err; + } + +@@ -5416,9 +5404,10 @@ static int nl80211_dump_mpp(struct sk_bu + int path_idx = cb->args[2]; + int err; + ++ rtnl_lock(); + err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); + if (err) +- return err; ++ goto out_err; + + if (!rdev->ops->dump_mpp) { + err = -EOPNOTSUPP; +@@ -5451,7 +5440,7 @@ static int nl80211_dump_mpp(struct sk_bu + cb->args[2] = path_idx; + err = skb->len; + out_err: +- nl80211_finish_wdev_dump(rdev); ++ rtnl_unlock(); + return err; + } + +@@ -7596,9 +7585,12 @@ static int nl80211_dump_scan(struct sk_b + int start = cb->args[2], idx = 0; + int err; + ++ rtnl_lock(); + err = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); +- if (err) ++ if (err) { ++ rtnl_unlock(); + return err; ++ } + + wdev_lock(wdev); + spin_lock_bh(&rdev->bss_lock); +@@ -7621,7 +7613,7 @@ static int nl80211_dump_scan(struct sk_b + wdev_unlock(wdev); + + cb->args[2] = idx; +- nl80211_finish_wdev_dump(rdev); ++ rtnl_unlock(); + + return skb->len; + } +@@ -7706,9 +7698,10 @@ static int nl80211_dump_survey(struct sk + int res; + bool radio_stats; + ++ rtnl_lock(); + res = nl80211_prepare_wdev_dump(skb, cb, &rdev, &wdev); + if (res) +- return res; ++ goto out_err; + + /* prepare_wdev_dump parsed the attributes */ + radio_stats = attrbuf[NL80211_ATTR_SURVEY_RADIO_STATS]; +@@ -7749,7 +7742,7 @@ static int nl80211_dump_survey(struct sk + cb->args[2] = survey_idx; + res = skb->len; + out_err: +- nl80211_finish_wdev_dump(rdev); ++ rtnl_unlock(); + return res; + } + +@@ -11378,17 +11371,13 @@ static int nl80211_prepare_vendor_dump(s + void *data = NULL; + unsigned int data_len = 0; + +- rtnl_lock(); +- + if (cb->args[0]) { + /* subtract the 1 again here */ + struct wiphy *wiphy = wiphy_idx_to_wiphy(cb->args[0] - 1); + struct wireless_dev *tmp; + +- if (!wiphy) { +- err = -ENODEV; +- goto out_unlock; +- } ++ if (!wiphy) ++ return -ENODEV; + *rdev = wiphy_to_rdev(wiphy); + *wdev = NULL; + +@@ -11408,23 +11397,19 @@ static int nl80211_prepare_vendor_dump(s + err = nlmsg_parse(cb->nlh, GENL_HDRLEN + nl80211_fam.hdrsize, + attrbuf, nl80211_fam.maxattr, nl80211_policy); + if (err) +- goto out_unlock; ++ return err; + + if (!attrbuf[NL80211_ATTR_VENDOR_ID] || +- !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) { +- err = -EINVAL; +- goto out_unlock; +- } ++ !attrbuf[NL80211_ATTR_VENDOR_SUBCMD]) ++ return -EINVAL; + + *wdev = __cfg80211_wdev_from_attrs(sock_net(skb->sk), attrbuf); + if (IS_ERR(*wdev)) + *wdev = NULL; + + *rdev = __cfg80211_rdev_from_attrs(sock_net(skb->sk), attrbuf); +- if (IS_ERR(*rdev)) { +- err = PTR_ERR(*rdev); +- goto out_unlock; +- } ++ if (IS_ERR(*rdev)) ++ return PTR_ERR(*rdev); + + vid = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_ID]); + subcmd = nla_get_u32(attrbuf[NL80211_ATTR_VENDOR_SUBCMD]); +@@ -11437,19 +11422,15 @@ static int nl80211_prepare_vendor_dump(s + if (vcmd->info.vendor_id != vid || vcmd->info.subcmd != subcmd) + continue; + +- if (!vcmd->dumpit) { +- err = -EOPNOTSUPP; +- goto out_unlock; +- } ++ if (!vcmd->dumpit) ++ return -EOPNOTSUPP; + + vcmd_idx = i; + break; + } + +- if (vcmd_idx < 0) { +- err = -EOPNOTSUPP; +- goto out_unlock; +- } ++ if (vcmd_idx < 0) ++ return -EOPNOTSUPP; + + if (attrbuf[NL80211_ATTR_VENDOR_DATA]) { + data = nla_data(attrbuf[NL80211_ATTR_VENDOR_DATA]); +@@ -11466,9 +11447,6 @@ static int nl80211_prepare_vendor_dump(s + + /* keep rtnl locked in successful case */ + return 0; +- out_unlock: +- rtnl_unlock(); +- return err; + } + + static int nl80211_vendor_cmd_dump(struct sk_buff *skb, +@@ -11483,9 +11461,10 @@ static int nl80211_vendor_cmd_dump(struc + int err; + struct nlattr *vendor_data; + ++ rtnl_lock(); + err = nl80211_prepare_vendor_dump(skb, cb, &rdev, &wdev); + if (err) +- return err; ++ goto out; + + vcmd_idx = cb->args[2]; + data = (void *)cb->args[3]; +@@ -11494,15 +11473,21 @@ static int nl80211_vendor_cmd_dump(struc + + if (vcmd->flags & (WIPHY_VENDOR_CMD_NEED_WDEV | + WIPHY_VENDOR_CMD_NEED_NETDEV)) { +- if (!wdev) +- return -EINVAL; ++ if (!wdev) { ++ err = -EINVAL; ++ goto out; ++ } + if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_NETDEV && +- !wdev->netdev) +- return -EINVAL; ++ !wdev->netdev) { ++ err = -EINVAL; ++ goto out; ++ } + + if (vcmd->flags & WIPHY_VENDOR_CMD_NEED_RUNNING) { +- if (!wdev_running(wdev)) +- return -ENETDOWN; ++ if (!wdev_running(wdev)) { ++ err = -ENETDOWN; ++ goto out; ++ } + } + } + diff --git a/queue-4.10/series b/queue-4.10/series index d1fb48b27de..9f47770f485 100644 --- a/queue-4.10/series +++ b/queue-4.10/series @@ -22,3 +22,37 @@ genetlink-fix-counting-regression-on-ctrl_dumpfamily.patch tcp-initialize-icsk_ack.lrcvtime-at-session-start-time.patch amd-xgbe-fix-the-ecc-related-bit-position-definitions.patch net-solve-a-napi-race.patch +hid-sony-fix-input-device-leak-when-connecting-a-ds4-twice-using-usb-bt.patch +input-alps-fix-v8-protocol-handling-73-03-28.patch +input-alps-fix-trackstick-button-handling-on-v8-devices.patch +input-elan_i2c-add-asus-eeebook-x205ta-special-touchpad-fw.patch +input-i8042-add-noloop-quirk-for-dell-embedded-box-pc-3000.patch +input-iforce-validate-number-of-endpoints-before-using-them.patch +input-ims-pcu-validate-number-of-endpoints-before-using-them.patch +input-hanwang-validate-number-of-endpoints-before-using-them.patch +input-yealink-validate-number-of-endpoints-before-using-them.patch +input-cm109-validate-number-of-endpoints-before-using-them.patch +input-kbtab-validate-number-of-endpoints-before-using-them.patch +input-sur40-validate-number-of-endpoints-before-using-them.patch +alsa-seq-fix-racy-cell-insertions-during-snd_seq_pool_done.patch +alsa-ctxfi-fix-the-incorrect-check-of-dma_set_mask-call.patch +alsa-hda-adding-a-group-of-pin-definition-to-fix-headset-problem.patch +usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch +usb-serial-qcserial-add-dell-dw5811e.patch +acm-gadget-fix-endianness-in-notifications.patch +usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch +dvb-usb-firmware-don-t-do-dma-on-stack.patch +usb-core-add-linear_frame_intr_binterval-usb-quirk.patch +usb-uss720-fix-null-deref-at-probe.patch +usb-lvtest-fix-null-deref-at-probe.patch +usb-idmouse-fix-null-deref-at-probe.patch +usb-wusbcore-fix-null-deref-at-probe.patch +usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch +usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch +usb-usbtmc-add-missing-endpoint-sanity-check.patch +usb-usbtmc-fix-probe-error-path.patch +uwb-i1480-dfu-fix-null-deref-at-probe.patch +uwb-hwa-rc-fix-null-deref-at-probe.patch +mmc-ushc-fix-null-deref-at-probe.patch +nl80211-fix-dumpit-error-path-rtnl-deadlocks.patch +mmc-core-fix-access-to-hs400-es-devices.patch diff --git a/queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch b/queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch new file mode 100644 index 00000000000..c0d901b93da --- /dev/null +++ b/queue-4.10/usb-core-add-linear_frame_intr_binterval-usb-quirk.patch @@ -0,0 +1,83 @@ +From 3243367b209faed5c320a4e5f9a565ee2a2ba958 Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Mon, 13 Mar 2017 20:50:08 +0100 +Subject: usb-core: Add LINEAR_FRAME_INTR_BINTERVAL USB quirk + +From: Samuel Thibault + +commit 3243367b209faed5c320a4e5f9a565ee2a2ba958 upstream. + +Some USB 2.0 devices erroneously report millisecond values in +bInterval. The generic config code manages to catch most of them, +but in some cases it's not completely enough. + +The case at stake here is a USB 2.0 braille device, which wants to +announce 10ms and thus sets bInterval to 10, but with the USB 2.0 +computation that yields to 64ms. It happens that one can type fast +enough to reach this interval and get the device buffers overflown, +leading to problematic latencies. The generic config code does not +catch this case because the 64ms is considered a sane enough value. + +This change thus adds a USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL quirk +to mark devices which actually report milliseconds in bInterval, +and marks Vario Ultra devices as needing it. + +Signed-off-by: Samuel Thibault +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/config.c | 10 ++++++++++ + drivers/usb/core/quirks.c | 8 ++++++++ + include/linux/usb/quirks.h | 6 ++++++ + 3 files changed, 24 insertions(+) + +--- a/drivers/usb/core/config.c ++++ b/drivers/usb/core/config.c +@@ -280,6 +280,16 @@ static int usb_parse_endpoint(struct dev + + /* + * Adjust bInterval for quirked devices. ++ */ ++ /* ++ * This quirk fixes bIntervals reported in ms. ++ */ ++ if (to_usb_device(ddev)->quirks & ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL) { ++ n = clamp(fls(d->bInterval) + 3, i, j); ++ i = j = n; ++ } ++ /* + * This quirk fixes bIntervals reported in + * linear microframes. + */ +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -170,6 +170,14 @@ static const struct usb_device_id usb_qu + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Baum Vario Ultra */ ++ { USB_DEVICE(0x0904, 0x6101), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6102), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ { USB_DEVICE(0x0904, 0x6103), .driver_info = ++ USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL }, ++ + /* Keytouch QWERTY Panel keyboard */ + { USB_DEVICE(0x0926, 0x3333), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, +--- a/include/linux/usb/quirks.h ++++ b/include/linux/usb/quirks.h +@@ -50,4 +50,10 @@ + /* device can't handle Link Power Management */ + #define USB_QUIRK_NO_LPM BIT(10) + ++/* ++ * Device reports its bInterval as linear frames instead of the ++ * USB 2.0 calculation. ++ */ ++#define USB_QUIRK_LINEAR_FRAME_INTR_BINTERVAL BIT(11) ++ + #endif /* __LINUX_USB_QUIRKS_H */ diff --git a/queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch b/queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch new file mode 100644 index 00000000000..bba2c7b83f9 --- /dev/null +++ b/queue-4.10/usb-gadget-f_uvc-fix-superspeed-companion-descriptor-s-wbytesperinterval.patch @@ -0,0 +1,39 @@ +From 09424c50b7dff40cb30011c09114404a4656e023 Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Wed, 8 Mar 2017 16:05:43 +0200 +Subject: usb: gadget: f_uvc: Fix SuperSpeed companion descriptor's wBytesPerInterval + +From: Roger Quadros + +commit 09424c50b7dff40cb30011c09114404a4656e023 upstream. + +The streaming_maxburst module parameter is 0 offset (0..15) +so we must add 1 while using it for wBytesPerInterval +calculation for the SuperSpeed companion descriptor. + +Without this host uvcvideo driver will always see the wrong +wBytesPerInterval for SuperSpeed uvc gadget and may not find +a suitable video interface endpoint. +e.g. for streaming_maxburst = 0 case it will always +fail as wBytePerInterval was evaluating to 0. + +Reviewed-by: Laurent Pinchart +Signed-off-by: Roger Quadros +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_uvc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/gadget/function/f_uvc.c ++++ b/drivers/usb/gadget/function/f_uvc.c +@@ -625,7 +625,7 @@ uvc_function_bind(struct usb_configurati + uvc_ss_streaming_comp.bMaxBurst = opts->streaming_maxburst; + uvc_ss_streaming_comp.wBytesPerInterval = + cpu_to_le16(max_packet_size * max_packet_mult * +- opts->streaming_maxburst); ++ (opts->streaming_maxburst + 1)); + + /* Allocate endpoints. */ + ep = usb_ep_autoconfig(cdev->gadget, &uvc_control_ep); diff --git a/queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch b/queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch new file mode 100644 index 00000000000..4061efd35d8 --- /dev/null +++ b/queue-4.10/usb-hub-fix-crash-after-failure-to-read-bos-descriptor.patch @@ -0,0 +1,73 @@ +From 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Wed, 8 Mar 2017 10:19:36 -0800 +Subject: usb: hub: Fix crash after failure to read BOS descriptor + +From: Guenter Roeck + +commit 7b2db29fbb4e766fcd02207eb2e2087170bd6ebc upstream. + +If usb_get_bos_descriptor() returns an error, usb->bos will be NULL. +Nevertheless, it is dereferenced unconditionally in +hub_set_initial_usb2_lpm_policy() if usb2_hw_lpm_capable is set. +This results in a crash. + +usb 5-1: unable to get BOS descriptor +... +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = ffffffc00165f000 +[00000008] *pgd=000000000174f003, *pud=000000000174f003, + *pmd=0000000001750003, *pte=00e8000001751713 +Internal error: Oops: 96000005 [#1] PREEMPT SMP +Modules linked in: uinput uvcvideo videobuf2_vmalloc cmac [ ... ] +CPU: 5 PID: 3353 Comm: kworker/5:3 Tainted: G B 4.4.52 #480 +Hardware name: Google Kevin (DT) +Workqueue: events driver_set_config_work +task: ffffffc0c3690000 ti: ffffffc0ae9a8000 task.ti: ffffffc0ae9a8000 +PC is at hub_port_init+0xc3c/0xd10 +LR is at hub_port_init+0xc3c/0xd10 +... +Call trace: +[] hub_port_init+0xc3c/0xd10 +[] usb_reset_and_verify_device+0x15c/0x82c +[] usb_reset_device+0xe4/0x298 +[] rtl8152_probe+0x84/0x9b0 [r8152] +[] usb_probe_interface+0x244/0x2f8 +[] driver_probe_device+0x180/0x3b4 +[] __device_attach_driver+0xb4/0xe0 +[] bus_for_each_drv+0xb4/0xe4 +[] __device_attach+0xd0/0x158 +[] device_initial_probe+0x24/0x30 +[] bus_probe_device+0x50/0xe4 +[] device_add+0x414/0x738 +[] usb_set_configuration+0x89c/0x914 +[] driver_set_config_work+0xc0/0xf0 +[] process_one_work+0x390/0x6b8 +[] worker_thread+0x480/0x610 +[] kthread+0x164/0x178 +[] ret_from_fork+0x10/0x40 + +Since we don't know anything about LPM capabilities without BOS descriptor, +don't attempt to enable LPM if it is not available. + +Fixes: 890dae886721 ("xhci: Enable LPM support only for hardwired ...") +Cc: Mathias Nyman +Signed-off-by: Guenter Roeck +Acked-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -4275,7 +4275,7 @@ static void hub_set_initial_usb2_lpm_pol + struct usb_hub *hub = usb_hub_to_struct_hub(udev->parent); + int connect_type = USB_PORT_CONNECT_TYPE_UNKNOWN; + +- if (!udev->usb2_hw_lpm_capable) ++ if (!udev->usb2_hw_lpm_capable || !udev->bos) + return; + + if (hub) diff --git a/queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch b/queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..93dc6ec9323 --- /dev/null +++ b/queue-4.10/usb-idmouse-fix-null-deref-at-probe.patch @@ -0,0 +1,32 @@ +From b0addd3fa6bcd119be9428996d5d4522479ab240 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:48 +0100 +Subject: USB: idmouse: fix NULL-deref at probe + +From: Johan Hovold + +commit b0addd3fa6bcd119be9428996d5d4522479ab240 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/idmouse.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/misc/idmouse.c ++++ b/drivers/usb/misc/idmouse.c +@@ -346,6 +346,9 @@ static int idmouse_probe(struct usb_inte + if (iface_desc->desc.bInterfaceClass != 0x0A) + return -ENODEV; + ++ if (iface_desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + /* allocate memory for our device state and initialize it */ + dev = kzalloc(sizeof(*dev), GFP_KERNEL); + if (dev == NULL) diff --git a/queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch b/queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..a901f4d956b --- /dev/null +++ b/queue-4.10/usb-lvtest-fix-null-deref-at-probe.patch @@ -0,0 +1,36 @@ +From 1dc56c52d2484be09c7398a5207d6b11a4256be9 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:49 +0100 +Subject: USB: lvtest: fix NULL-deref at probe + +From: Johan Hovold + +commit 1dc56c52d2484be09c7398a5207d6b11a4256be9 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should the probed device lack endpoints. + +Note that this driver does not bind to any devices by default. + +Fixes: ce21bfe603b3 ("USB: Add LVS Test device driver") +Cc: Pratyush Anand +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/lvstest.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/misc/lvstest.c ++++ b/drivers/usb/misc/lvstest.c +@@ -366,6 +366,10 @@ static int lvs_rh_probe(struct usb_inter + + hdev = interface_to_usbdev(intf); + desc = intf->cur_altsetting; ++ ++ if (desc->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + endpoint = &desc->endpoint[0].desc; + + /* valid only for SS root hub */ diff --git a/queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch b/queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch new file mode 100644 index 00000000000..a51949ceb9a --- /dev/null +++ b/queue-4.10/usb-musb-cppi41-don-t-check-early-tx-interrupt-for-isoch-transfer.patch @@ -0,0 +1,60 @@ +From 0090114d336a9604aa2d90bc83f20f7cd121b76c Mon Sep 17 00:00:00 2001 +From: Bin Liu +Date: Fri, 10 Mar 2017 14:43:35 -0600 +Subject: usb: musb: cppi41: don't check early-TX-interrupt for Isoch transfer + +From: Bin Liu + +commit 0090114d336a9604aa2d90bc83f20f7cd121b76c upstream. + +The CPPI 4.1 driver polls register to workaround the premature TX +interrupt issue, but it causes audio playback underrun when triggered in +Isoch transfers. + +Isoch doesn't do back-to-back transfers, the TX should be done by the +time the next transfer is scheduled. So skip this polling workaround for +Isoch transfer. + +Fixes: a655f481d83d6 ("usb: musb: musb_cppi41: handle pre-mature TX complete interrupt") +Reported-by: Alexandre Bailon +Acked-by: Sebastian Andrzej Siewior +Tested-by: Alexandre Bailon +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_cppi41.c | 23 +++++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +--- a/drivers/usb/musb/musb_cppi41.c ++++ b/drivers/usb/musb/musb_cppi41.c +@@ -231,8 +231,27 @@ static void cppi41_dma_callback(void *pr + transferred < cppi41_channel->packet_sz) + cppi41_channel->prog_len = 0; + +- if (cppi41_channel->is_tx) +- empty = musb_is_tx_fifo_empty(hw_ep); ++ if (cppi41_channel->is_tx) { ++ u8 type; ++ ++ if (is_host_active(musb)) ++ type = hw_ep->out_qh->type; ++ else ++ type = hw_ep->ep_in.type; ++ ++ if (type == USB_ENDPOINT_XFER_ISOC) ++ /* ++ * Don't use the early-TX-interrupt workaround below ++ * for Isoch transfter. Since Isoch are periodic ++ * transfer, by the time the next transfer is ++ * scheduled, the current one should be done already. ++ * ++ * This avoids audio playback underrun issue. ++ */ ++ empty = true; ++ else ++ empty = musb_is_tx_fifo_empty(hw_ep); ++ } + + if (!cppi41_channel->is_tx || empty) { + cppi41_trans_done(cppi41_channel); diff --git a/queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch b/queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch new file mode 100644 index 00000000000..18a588bd43f --- /dev/null +++ b/queue-4.10/usb-serial-option-add-quectel-uc15-uc20-ec21-and-ec25-modems.patch @@ -0,0 +1,54 @@ +From 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Thu, 9 Mar 2017 11:32:28 -0600 +Subject: USB: serial: option: add Quectel UC15, UC20, EC21, and EC25 modems + +From: Dan Williams + +commit 6e9f44eaaef0df7b846e9316fa9ca72a02025d44 upstream. + +Add Quectel UC15, UC20, EC21, and EC25. The EC20 is handled by +qcserial due to a USB VID/PID conflict with an existing Acer +device. + +Signed-off-by: Dan Williams +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -233,6 +233,14 @@ static void option_instat_callback(struc + #define BANDRICH_PRODUCT_1012 0x1012 + + #define QUALCOMM_VENDOR_ID 0x05C6 ++/* These Quectel products use Qualcomm's vendor ID */ ++#define QUECTEL_PRODUCT_UC20 0x9003 ++#define QUECTEL_PRODUCT_UC15 0x9090 ++ ++#define QUECTEL_VENDOR_ID 0x2c7c ++/* These Quectel products use Quectel's vendor ID */ ++#define QUECTEL_PRODUCT_EC21 0x0121 ++#define QUECTEL_PRODUCT_EC25 0x0125 + + #define CMOTECH_VENDOR_ID 0x16d8 + #define CMOTECH_PRODUCT_6001 0x6001 +@@ -1161,7 +1169,14 @@ static const struct usb_device_id option + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x6613)}, /* Onda H600/ZTE MF330 */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x0023)}, /* ONYX 3G device */ + { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9000)}, /* SIMCom SIM5218 */ +- { USB_DEVICE(QUALCOMM_VENDOR_ID, 0x9003), /* Quectel UC20 */ ++ /* Quectel products using Qualcomm vendor ID */ ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC15)}, ++ { USB_DEVICE(QUALCOMM_VENDOR_ID, QUECTEL_PRODUCT_UC20), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ /* Quectel products using Quectel vendor ID */ ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC21), ++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, ++ { USB_DEVICE(QUECTEL_VENDOR_ID, QUECTEL_PRODUCT_EC25), + .driver_info = (kernel_ulong_t)&net_intf4_blacklist }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_6001) }, + { USB_DEVICE(CMOTECH_VENDOR_ID, CMOTECH_PRODUCT_CMU_300) }, diff --git a/queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch b/queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch new file mode 100644 index 00000000000..ac5fb007db8 --- /dev/null +++ b/queue-4.10/usb-serial-qcserial-add-dell-dw5811e.patch @@ -0,0 +1,33 @@ +From 436ecf5519d892397af133a79ccd38a17c25fa51 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Fri, 17 Mar 2017 17:21:28 +0100 +Subject: USB: serial: qcserial: add Dell DW5811e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +commit 436ecf5519d892397af133a79ccd38a17c25fa51 upstream. + +This is a Dell branded Sierra Wireless EM7455. + +Signed-off-by: Bjørn Mork +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -169,6 +169,8 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x413c, 0x81a9)}, /* Dell Wireless 5808e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b1)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81b3)}, /* Dell Wireless 5809e Gobi(TM) 4G LTE Mobile Broadband Card (rev3) */ ++ {DEVICE_SWI(0x413c, 0x81b5)}, /* Dell Wireless 5811e QDL */ ++ {DEVICE_SWI(0x413c, 0x81b6)}, /* Dell Wireless 5811e QDL */ + + /* Huawei devices */ + {DEVICE_HWI(0x03f0, 0x581d)}, /* HP lt4112 LTE/HSPA+ Gobi 4G Modem (Huawei me906e) */ diff --git a/queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch b/queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..ec01d0bdc71 --- /dev/null +++ b/queue-4.10/usb-usbtmc-add-missing-endpoint-sanity-check.patch @@ -0,0 +1,64 @@ +From 687e0687f71ec00e0132a21fef802dee88c2f1ad Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Mar 2017 17:55:45 +0100 +Subject: USB: usbtmc: add missing endpoint sanity check + +From: Johan Hovold + +commit 687e0687f71ec00e0132a21fef802dee88c2f1ad upstream. + +USBTMC devices are required to have a bulk-in and a bulk-out endpoint, +but the driver failed to verify this, something which could lead to the +endpoint addresses being taken from uninitialised memory. + +Make sure to zero all private data as part of allocation, and add the +missing endpoint sanity check. + +Note that this also addresses a more recently introduced issue, where +the interrupt-in-presence flag would also be uninitialised whenever the +optional interrupt-in endpoint is not present. This in turn could lead +to an interrupt urb being allocated, initialised and submitted based on +uninitialised values. + +Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.") +Fixes: 5b775f672cc9 ("USB: add USB test and measurement class driver") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usbtmc.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1381,7 +1381,7 @@ static int usbtmc_probe(struct usb_inter + + dev_dbg(&intf->dev, "%s called\n", __func__); + +- data = kmalloc(sizeof(*data), GFP_KERNEL); ++ data = kzalloc(sizeof(*data), GFP_KERNEL); + if (!data) + return -ENOMEM; + +@@ -1444,6 +1444,13 @@ static int usbtmc_probe(struct usb_inter + break; + } + } ++ ++ if (!data->bulk_out || !data->bulk_in) { ++ dev_err(&intf->dev, "bulk endpoints not found\n"); ++ retcode = -ENODEV; ++ goto err_put; ++ } ++ + /* Find int endpoint */ + for (n = 0; n < iface_desc->desc.bNumEndpoints; n++) { + endpoint = &iface_desc->endpoint[n].desc; +@@ -1512,6 +1519,7 @@ error_register: + sysfs_remove_group(&intf->dev.kobj, &capability_attr_grp); + sysfs_remove_group(&intf->dev.kobj, &data_attr_grp); + usbtmc_free_int(data); ++err_put: + kref_put(&data->kref, usbtmc_delete); + return retcode; + } diff --git a/queue-4.10/usb-usbtmc-fix-probe-error-path.patch b/queue-4.10/usb-usbtmc-fix-probe-error-path.patch new file mode 100644 index 00000000000..dd0f2f87af2 --- /dev/null +++ b/queue-4.10/usb-usbtmc-fix-probe-error-path.patch @@ -0,0 +1,49 @@ +From 2e47c53503eb9faff42b3cfa144a833344dd1f89 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 14 Mar 2017 17:55:46 +0100 +Subject: USB: usbtmc: fix probe error path + +From: Johan Hovold + +commit 2e47c53503eb9faff42b3cfa144a833344dd1f89 upstream. + +Make sure to initialise the return value to avoid having allocation +failures going unnoticed when allocating interrupt-endpoint resources. + +This prevents use-after-free or worse when the device is later unbound. + +Fixes: dbf3e7f654c0 ("Implement an ioctl to support the USMTMC-USB488 READ_STATUS_BYTE operation.") +Cc: Dave Penkler +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usbtmc.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -1476,8 +1476,10 @@ static int usbtmc_probe(struct usb_inter + if (data->iin_ep_present) { + /* allocate int urb */ + data->iin_urb = usb_alloc_urb(0, GFP_KERNEL); +- if (!data->iin_urb) ++ if (!data->iin_urb) { ++ retcode = -ENOMEM; + goto error_register; ++ } + + /* Protect interrupt in endpoint data until iin_urb is freed */ + kref_get(&data->kref); +@@ -1485,8 +1487,10 @@ static int usbtmc_probe(struct usb_inter + /* allocate buffer for interrupt in */ + data->iin_buffer = kmalloc(data->iin_wMaxPacketSize, + GFP_KERNEL); +- if (!data->iin_buffer) ++ if (!data->iin_buffer) { ++ retcode = -ENOMEM; + goto error_register; ++ } + + /* fill interrupt urb */ + usb_fill_int_urb(data->iin_urb, data->usb_dev, diff --git a/queue-4.10/usb-uss720-fix-null-deref-at-probe.patch b/queue-4.10/usb-uss720-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..9ea76eb0dac --- /dev/null +++ b/queue-4.10/usb-uss720-fix-null-deref-at-probe.patch @@ -0,0 +1,41 @@ +From f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:50 +0100 +Subject: USB: uss720: fix NULL-deref at probe + +From: Johan Hovold + +commit f259ca3eed6e4b79ac3d5c5c9fb259fb46e86217 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Note that the endpoint access that causes the NULL-deref is currently +only used for debugging purposes during probe so the oops only happens +when dynamic debugging is enabled. This means the driver could be +rewritten to continue to accept device with only two endpoints, should +such devices exist. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/uss720.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/usb/misc/uss720.c ++++ b/drivers/usb/misc/uss720.c +@@ -708,6 +708,11 @@ static int uss720_probe(struct usb_inter + + interface = intf->cur_altsetting; + ++ if (interface->desc.bNumEndpoints < 3) { ++ usb_put_dev(usbdev); ++ return -ENODEV; ++ } ++ + /* + * Allocate parport interface + */ diff --git a/queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch b/queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..76a4c8df156 --- /dev/null +++ b/queue-4.10/usb-wusbcore-fix-null-deref-at-probe.patch @@ -0,0 +1,38 @@ +From 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:51 +0100 +Subject: USB: wusbcore: fix NULL-deref at probe + +From: Johan Hovold + +commit 03ace948a4eb89d1cf51c06afdfc41ebca5fdb27 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +This specifically fixes the NULL-pointer dereference when probing HWA HC +devices. + +Fixes: df3654236e31 ("wusb: add the Wire Adapter (WA) core") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/wusbcore/wa-hc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/wusbcore/wa-hc.c ++++ b/drivers/usb/wusbcore/wa-hc.c +@@ -39,6 +39,9 @@ int wa_create(struct wahc *wa, struct us + int result; + struct device *dev = &iface->dev; + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 3) ++ return -ENODEV; ++ + result = wa_rpipes_create(wa); + if (result < 0) + goto error_rpipes_create; diff --git a/queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch b/queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..e2601c62c77 --- /dev/null +++ b/queue-4.10/uwb-hwa-rc-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From daf229b15907fbfdb6ee183aac8ca428cb57e361 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:52 +0100 +Subject: uwb: hwa-rc: fix NULL-deref at probe + +From: Johan Hovold + +commit daf229b15907fbfdb6ee183aac8ca428cb57e361 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Note that the dereference happens in the start callback which is called +during probe. + +Fixes: de520b8bd552 ("uwb: add HWA radio controller driver") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/hwa-rc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/uwb/hwa-rc.c ++++ b/drivers/uwb/hwa-rc.c +@@ -823,6 +823,9 @@ static int hwarc_probe(struct usb_interf + struct hwarc *hwarc; + struct device *dev = &iface->dev; + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + result = -ENOMEM; + uwb_rc = uwb_rc_alloc(); + if (uwb_rc == NULL) { diff --git a/queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch b/queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..297901ebbae --- /dev/null +++ b/queue-4.10/uwb-i1480-dfu-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From 4ce362711d78a4999011add3115b8f4b0bc25e8c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:47:53 +0100 +Subject: uwb: i1480-dfu: fix NULL-deref at probe + +From: Johan Hovold + +commit 4ce362711d78a4999011add3115b8f4b0bc25e8c upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Note that the dereference happens in the cmd and wait_init_done +callbacks which are called during probe. + +Fixes: 1ba47da52712 ("uwb: add the i1480 DFU driver") +Cc: Inaky Perez-Gonzalez +Cc: David Vrabel +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/uwb/i1480/dfu/usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/uwb/i1480/dfu/usb.c ++++ b/drivers/uwb/i1480/dfu/usb.c +@@ -362,6 +362,9 @@ int i1480_usb_probe(struct usb_interface + result); + } + ++ if (iface->cur_altsetting->desc.bNumEndpoints < 1) ++ return -ENODEV; ++ + result = -ENOMEM; + i1480_usb = kzalloc(sizeof(*i1480_usb), GFP_KERNEL); + if (i1480_usb == NULL) {