From: Greg Kroah-Hartman Date: Sat, 9 Apr 2016 23:39:43 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.5.1~34 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=96079e12b3aa99ba3a56cdeb17405efa01f486d6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: aacraid-fix-memory-leak-in-aac_fib_map_free.patch alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch input-powermate-fix-oops-with-malicious-usb-descriptors.patch pwc-add-usb-id-for-philips-spc880nc-webcam.patch sg-fix-dxferp-in-from_to-case.patch usb-cdc-acm-more-sanity-checking.patch usb-cypress_m8-add-endpoint-sanity-check.patch usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch usb-mct_u232-add-sanity-checking-in-probe.patch usb-option-add-d-link-dwm-221-b1-device-id.patch usb-retry-reset-if-a-device-times-out.patch usb-serial-cp210x-adding-ge-healthcare-device-id.patch usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch usb-uas-reduce-can_queue-to-max_cmnds.patch usb-usb_driver_claim_interface-add-sanity-checking.patch --- diff --git a/queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch b/queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch new file mode 100644 index 00000000000..918e14ce6b1 --- /dev/null +++ b/queue-3.14/aacraid-fix-memory-leak-in-aac_fib_map_free.patch 
@@ -0,0 +1,47 @@ +From f88fa79a61726ce9434df9b4aede36961f709f17 Mon Sep 17 00:00:00 2001 +From: Raghava Aditya Renukunta +Date: Wed, 3 Feb 2016 15:06:02 -0800 +Subject: aacraid: Fix memory leak in aac_fib_map_free + +From: Raghava Aditya Renukunta + +commit f88fa79a61726ce9434df9b4aede36961f709f17 upstream. + +aac_fib_map_free() calls pci_free_consistent() without checking that +dev->hw_fib_va is not NULL and dev->max_fib_size is not zero.If they are +indeed NULL/0, this will result in a hang as pci_free_consistent() will +attempt to invalidate cache for the entire 64-bit address space +(which would take a very long time). + +Fixed by adding a check to make sure that dev->hw_fib_va and +dev->max_fib_size are not NULL and 0 respectively. + +Fixes: 9ad5204d6 - "[SCSI]aacraid: incorrect dma mapping mask during blinked recover or user initiated reset" +Signed-off-by: Raghava Aditya Renukunta +Reviewed-by: Johannes Thumshirn +Reviewed-by: Tomas Henzl +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/commsup.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -83,9 +83,12 @@ static int fib_map_alloc(struct aac_dev + + void aac_fib_map_free(struct aac_dev *dev) + { +- pci_free_consistent(dev->pdev, +- dev->max_fib_size * (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB), +- dev->hw_fib_va, dev->hw_fib_pa); ++ if (dev->hw_fib_va && dev->max_fib_size) { ++ pci_free_consistent(dev->pdev, ++ (dev->max_fib_size * ++ (dev->scsi_host_ptr->can_queue + AAC_NUM_MGT_FIB)), ++ dev->hw_fib_va, dev->hw_fib_pa); ++ } + dev->hw_fib_va = NULL; + dev->hw_fib_pa = 0; + } diff --git a/queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch b/queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch new file mode 100644 index 00000000000..1d2fc5b396f --- /dev/null 
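Review bot: The guard added in aac_fib_map_free() has no comment saying why a NULL `dev->hw_fib_va` or a zero `dev->max_fib_size` must skip pci_free_consistent(), and the patch subject calls this a memory leak while the description reports a hang. I would add above the `if`: `/* nothing was mapped: a NULL/zero-sized free makes pci_free_consistent() try to invalidate the whole address space */`. The size is still recomputed from `dev->scsi_host_ptr->can_queue` at free time, so it matches the allocation only if can_queue has not changed since fib_map_alloc() ran. That function's body is outside the hunk, so this needs confirming and is not an established defect.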
+++ b/queue-3.14/alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch 
@@ -0,0 +1,74 @@ +From 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2016 15:20:58 +0100 +Subject: ALSA: usb-audio: Add sanity checks for endpoint accesses + +From: Takashi Iwai + +commit 447d6275f0c21f6cc97a88b3a0c601436a4cdf2a upstream. + +Add some sanity check codes before actually accessing the endpoint via +get_endpoint() in order to avoid the invalid access through a +malformed USB descriptor. Mostly just checking bNumEndpoints, but in +one place (snd_microii_spdif_default_get()), the validity of iface and +altsetting index is checked as well. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/clock.c | 2 ++ + sound/usb/endpoint.c | 3 +++ + sound/usb/mixer_quirks.c | 4 ++++ + sound/usb/pcm.c | 2 ++ + 4 files changed, 11 insertions(+) + +--- a/sound/usb/clock.c ++++ b/sound/usb/clock.c +@@ -283,6 +283,8 @@ static int set_sample_rate_v1(struct snd + unsigned char data[3]; + int err, crate; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + /* if endpoint doesn't have sampling rate control, bail out */ +--- a/sound/usb/endpoint.c ++++ b/sound/usb/endpoint.c +@@ -409,6 +409,9 @@ exit_clear: + * + * New endpoints will be added to chip->ep_list and must be freed by + * calling snd_usb_endpoint_free(). ++ * ++ * For SND_USB_ENDPOINT_TYPE_SYNC, the caller needs to guarantee that ++ * bNumEndpoints > 1 beforehand. 
+ */ + struct snd_usb_endpoint *snd_usb_add_endpoint(struct snd_usb_audio *chip, + struct usb_host_interface *alts, +--- a/sound/usb/mixer_quirks.c ++++ b/sound/usb/mixer_quirks.c +@@ -1455,7 +1455,11 @@ static int snd_microii_spdif_default_get + + /* use known values for that card: interface#1 altsetting#1 */ + iface = usb_ifnum_to_if(mixer->chip->dev, 1); ++ if (!iface || iface->num_altsetting < 2) ++ return -EINVAL; + alts = &iface->altsetting[1]; ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + err = snd_usb_ctl_msg(mixer->chip->dev, +--- a/sound/usb/pcm.c ++++ b/sound/usb/pcm.c +@@ -159,6 +159,8 @@ static int init_pitch_v1(struct snd_usb_ + unsigned char data[1]; + int err; + ++ if (get_iface_desc(alts)->bNumEndpoints < 1) ++ return -EINVAL; + ep = get_endpoint(alts, 0)->bEndpointAddress; + + data[0] = 1; diff --git a/queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch b/queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch new file mode 100644 index 00000000000..5c16ae0ab37 --- /dev/null +++ b/queue-3.14/alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch 
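Review bot: In sound/usb/endpoint.c the requirement that `bNumEndpoints > 1` for SND_USB_ENDPOINT_TYPE_SYNC is only written into the comment above snd_usb_add_endpoint(); nothing in the visible change enforces it. A caller that forgets the check would bring back the out-of-range endpoint access on a malformed descriptor. The other three files get a real `bNumEndpoints < 1` test before `get_endpoint(alts, 0)`. If the function does index a second endpoint for the sync type (its body is outside the hunk), a test inside it such as `if (type == SND_USB_ENDPOINT_TYPE_SYNC && get_iface_desc(alts)->bNumEndpoints < 2) return NULL;` would make the contract self-enforcing; the parameter name `type` is assumed here and should be checked against the signature.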
@@ -0,0 +1,98 @@ +From 836b34a935abc91e13e63053d0a83b24dfb5ea78 Mon Sep 17 00:00:00 2001 +From: Vladis Dronov +Date: Thu, 31 Mar 2016 12:05:43 -0400 +Subject: ALSA: usb-audio: Fix double-free in error paths after snd_usb_add_audio_stream() call + +From: Vladis Dronov + +commit 836b34a935abc91e13e63053d0a83b24dfb5ea78 upstream. + +create_fixed_stream_quirk(), snd_usb_parse_audio_interface() and +create_uaxx_quirk() functions allocate the audioformat object by themselves +and free it upon error before returning. However, once the object is linked +to a stream, it's freed again in snd_usb_audio_pcm_free(), thus it'll be +double-freed, eventually resulting in a memory corruption. + +This patch fixes these failures in the error paths by unlinking the audioformat +object before freeing it. + +Based on a patch by Takashi Iwai + +[Note for stable backports: + this patch requires the commit 902eb7fd1e4a ('ALSA: usb-audio: Minor + code cleanup in create_fixed_stream_quirk()')] + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1283358 +Reported-by: Ralf Spenneberg +Signed-off-by: Vladis Dronov +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 4 ++++ + sound/usb/stream.c | 6 +++++- + 2 files changed, 9 insertions(+), 1 deletion(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -138,6 +138,7 @@ static int create_fixed_stream_quirk(str + snd_printk(KERN_ERR "cannot memdup\n"); + return -ENOMEM; + } ++ INIT_LIST_HEAD(&fp->list); + if (fp->nr_rates > MAX_NR_RATES) { + kfree(fp); + return -EINVAL; +@@ -181,6 +182,7 @@ static int create_fixed_stream_quirk(str + return 0; + + error: ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + kfree(rate_table); + return err; +@@ -456,6 +458,7 @@ static int create_uaxx_quirk(struct snd_ + fp->ep_attr = get_endpoint(alts, 0)->bmAttributes; + fp->datainterval = 0; + fp->maxpacksize = le16_to_cpu(get_endpoint(alts, 0)->wMaxPacketSize); ++ 
INIT_LIST_HEAD(&fp->list); + + switch (fp->maxpacksize) { + case 0x120: +@@ -479,6 +482,7 @@ static int create_uaxx_quirk(struct snd_ + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp); + return err; + } +--- a/sound/usb/stream.c ++++ b/sound/usb/stream.c +@@ -315,7 +315,9 @@ static struct snd_pcm_chmap_elem *conver + /* + * add this endpoint to the chip instance. + * if a stream with the same endpoint already exists, append to it. +- * if not, create a new pcm stream. ++ * if not, create a new pcm stream. note, fp is added to the substream ++ * fmt_list and will be freed on the chip instance release. do not free ++ * fp or do remove it from the substream fmt_list to avoid double-free. + */ + int snd_usb_add_audio_stream(struct snd_usb_audio *chip, + int stream, +@@ -662,6 +664,7 @@ int snd_usb_parse_audio_interface(struct + * (fp->maxpacksize & 0x7ff); + fp->attributes = parse_uac_endpoint_attributes(chip, alts, protocol, iface_no); + fp->clock = clock; ++ INIT_LIST_HEAD(&fp->list); + + /* some quirks for attributes here */ + +@@ -710,6 +713,7 @@ int snd_usb_parse_audio_interface(struct + snd_printdd(KERN_INFO "%d:%u:%d: add audio endpoint %#x\n", dev->devnum, iface_no, altno, fp->endpoint); + err = snd_usb_add_audio_stream(chip, stream, fp); + if (err < 0) { ++ list_del(&fp->list); /* unlink for avoiding double-free */ + kfree(fp->rate_table); + kfree(fp->chmap); + kfree(fp); diff --git a/queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch b/queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch new file mode 100644 index 00000000000..5215c57a6ee --- /dev/null +++ b/queue-3.14/alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch 
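Review bot: The reworded comment above snd_usb_add_audio_stream() in sound/usb/stream.c is hard to parse: "do not free fp or do remove it from the substream fmt_list to avoid double-free" can be read as forbidding both actions. The code in the same patch shows the intended rule, which is that an error path must call `list_del(&fp->list)` before `kfree(fp)`. I would write `* do not free fp unless it has first been removed from the substream fmt_list, otherwise it is freed twice.` The new `list_del()` calls are safe on an fp that was never linked only because each allocation site now runs `INIT_LIST_HEAD(&fp->list)`; a one-line comment at those sites saying so would stop a later cleanup from dropping the initialisation.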
@@ -0,0 +1,39 @@ +From 0f886ca12765d20124bd06291c82951fd49a33be Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2016 12:09:10 +0100 +Subject: ALSA: usb-audio: Fix NULL dereference in create_fixed_stream_quirk() + +From: Takashi Iwai + +commit 0f886ca12765d20124bd06291c82951fd49a33be upstream. + +create_fixed_stream_quirk() may cause a NULL-pointer dereference by +accessing the non-existing endpoint when a USB device with a malformed +USB descriptor is used. + +This patch avoids it simply by adding a sanity check of bNumEndpoints +before the accesses. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=971125 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -168,6 +168,12 @@ static int create_fixed_stream_quirk(str + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); ++ if (altsd->bNumEndpoints < 1) { ++ kfree(fp); ++ kfree(rate_table); ++ return -EINVAL; ++ } ++ + fp->protocol = altsd->bInterfaceProtocol; + + if (fp->datainterval == 0) diff --git a/queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch b/queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch new file mode 100644 index 00000000000..047d4f9da88 --- /dev/null +++ b/queue-3.14/alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch 
@@ -0,0 +1,62 @@ +From 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Tue, 15 Mar 2016 12:14:49 +0100 +Subject: ALSA: usb-audio: Minor code cleanup in create_fixed_stream_quirk() + +From: Takashi Iwai + +commit 902eb7fd1e4af3ac69b9b30f8373f118c92b9729 upstream. + +Just a minor code cleanup: unify the error paths. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/quirks.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/sound/usb/quirks.c ++++ b/sound/usb/quirks.c +@@ -155,23 +155,18 @@ static int create_fixed_stream_quirk(str + stream = (fp->endpoint & USB_DIR_IN) + ? SNDRV_PCM_STREAM_CAPTURE : SNDRV_PCM_STREAM_PLAYBACK; + err = snd_usb_add_audio_stream(chip, stream, fp); +- if (err < 0) { +- kfree(fp); +- kfree(rate_table); +- return err; +- } ++ if (err < 0) ++ goto error; + if (fp->iface != get_iface_desc(&iface->altsetting[0])->bInterfaceNumber || + fp->altset_idx >= iface->num_altsetting) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + alts = &iface->altsetting[fp->altset_idx]; + altsd = get_iface_desc(alts); + if (altsd->bNumEndpoints < 1) { +- kfree(fp); +- kfree(rate_table); +- return -EINVAL; ++ err = -EINVAL; ++ goto error; + } + + fp->protocol = altsd->bInterfaceProtocol; +@@ -184,6 +179,11 @@ static int create_fixed_stream_quirk(str + snd_usb_init_pitch(chip, fp->iface, alts, fp); + snd_usb_init_sample_rate(chip, fp->iface, alts, fp, fp->rate_max); + return 0; ++ ++ error: ++ kfree(fp); ++ kfree(rate_table); ++ return err; + } + + static int create_auto_pcm_quirk(struct snd_usb_audio *chip, diff --git a/queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch b/queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch new file mode 100644 index 00000000000..ad287741db6 --- /dev/null 
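Review bot: The interface, altsetting and `bNumEndpoints` checks in create_fixed_stream_quirk() all run after `snd_usb_add_audio_stream(chip, stream, fp)` has succeeded, so every `goto error` below that call frees an fp that the stream code may already hold. With this patch alone the `error:` label does a plain `kfree(fp)`. The `list_del()` comes from the double-free patch elsewhere in this queue, so the two have to be applied together. Validating the descriptor-derived values before registering the stream would remove the need to unlink on these paths at all. The start of the function is outside the hunk, so it needs checking that nothing before the call depends on the current order.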
+++ b/queue-3.14/be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch @@ -0,0 +1,33 @@ +From 84bd64993f916bcf86270c67686ecf4cea7b8933 Mon Sep 17 00:00:00 2001 +From: Maurizio Lombardi +Date: Fri, 4 Mar 2016 10:41:49 +0100 +Subject: be2iscsi: set the boot_kset pointer to NULL in case of failure + +From: Maurizio Lombardi + +commit 84bd64993f916bcf86270c67686ecf4cea7b8933 upstream. + +In beiscsi_setup_boot_info(), the boot_kset pointer should be set to +NULL in case of failure otherwise an invalid pointer dereference may +occur later. + +Signed-off-by: Maurizio Lombardi +Reviewed-by: Johannes Thumshirn +Reviewed-by: Jitendra Bhivare +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/be2iscsi/be_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/be2iscsi/be_main.c ++++ b/drivers/scsi/be2iscsi/be_main.c +@@ -4432,6 +4432,7 @@ put_shost: + scsi_host_put(phba->shost); + free_kset: + iscsi_boot_destroy_kset(phba->boot_kset); ++ phba->boot_kset = NULL; + return -ENOMEM; + } + diff --git a/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch new file mode 100644 index 00000000000..42a4af6e38f --- /dev/null +++ b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch 
@@ -0,0 +1,55 @@ +From 81d90442eac779938217c3444b240aa51fd3db47 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Sun, 28 Feb 2016 11:04:06 +0300 +Subject: Bluetooth: btusb: Add a new AR3012 ID 04ca:3014 + +From: Dmitry Tunin + +commit 81d90442eac779938217c3444b240aa51fd3db47 upstream. + +T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=03 Dev#= 5 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=04ca ProdID=3014 Rev=00.02 +C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + +BugLink: https://bugs.launchpad.net/bugs/1546694 + +Signed-off-by: Dmitry Tunin +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/ath3k.c | 2 ++ + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -89,6 +89,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x04CA, 0x3008) }, + { USB_DEVICE(0x04CA, 0x300b) }, + { USB_DEVICE(0x04CA, 0x3010) }, ++ { USB_DEVICE(0x04CA, 0x3014) }, + { USB_DEVICE(0x0930, 0x0219) }, + { USB_DEVICE(0x0930, 0x021c) }, + { USB_DEVICE(0x0930, 0x0220) }, +@@ -148,6 +149,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x300b), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -167,6 +167,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x300b), 
.driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x04ca, 0x3010), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x04ca, 0x3014), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0219), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x021c), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x0930, 0x0220), .driver_info = BTUSB_ATH3012 }, diff --git a/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch new file mode 100644 index 00000000000..a03f8d7d601 --- /dev/null +++ b/queue-3.14/bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch 
@@ -0,0 +1,55 @@ +From 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Fri, 4 Mar 2016 01:32:19 +0300 +Subject: Bluetooth: btusb: Add a new AR3012 ID 13d3:3472 + +From: Dmitry Tunin + +commit 75c6aca4765dbe3d0c1507ab5052f2e373dc2331 upstream. + +T: Bus=01 Lev=01 Prnt=01 Port=04 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=13d3 ProdID=3472 Rev=00.01 +C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + +BugLink: https://bugs.launchpad.net/bugs/1552925 + +Signed-off-by: Dmitry Tunin +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/ath3k.c | 2 ++ + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -114,6 +114,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x13d3, 0x3402) }, + { USB_DEVICE(0x13d3, 0x3408) }, + { USB_DEVICE(0x13d3, 0x3432) }, ++ { USB_DEVICE(0x13d3, 0x3472) }, + { USB_DEVICE(0x13d3, 0x3474) }, + + /* Atheros AR5BBU12 with sflash firmware */ +@@ -174,6 +175,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU22 with sflash firmware */ +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -192,6 +192,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, ++ { 
USB_DEVICE(0x13d3, 0x3472), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3474), .driver_info = BTUSB_ATH3012 }, + + /* Atheros AR5BBU12 with sflash firmware */ diff --git a/queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch b/queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch new file mode 100644 index 00000000000..3d88ac5722a --- /dev/null +++ b/queue-3.14/bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch 
@@ -0,0 +1,56 @@ +From 609574eb46335cfac1421a07c0505627cbbab1f0 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Wed, 10 Feb 2016 15:33:17 +0300 +Subject: Bluetooth: btusb: Add new AR3012 ID 13d3:3395 + +From: Dmitry Tunin + +commit 609574eb46335cfac1421a07c0505627cbbab1f0 upstream. + +T: Bus=03 Lev=02 Prnt=02 Port=00 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 +D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 +P: Vendor=13d3 ProdID=3395 Rev=00.01 +C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA +I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb +I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb + +BugLink: https://bugs.launchpad.net/bugs/1542564 + +Reported-and-tested-by: Christopher Simerly +Signed-off-by: Dmitry Tunin +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/ath3k.c | 2 ++ + drivers/bluetooth/btusb.c | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -109,6 +109,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x13d3, 0x3362) }, + { USB_DEVICE(0x13d3, 0x3375) }, + { USB_DEVICE(0x13d3, 0x3393) }, ++ { USB_DEVICE(0x13d3, 0x3395) }, + { USB_DEVICE(0x13d3, 0x3402) }, + { USB_DEVICE(0x13d3, 0x3408) }, + { USB_DEVICE(0x13d3, 0x3432) }, +@@ -167,6 +168,7 @@ static const struct usb_device_id ath3k_ + { USB_DEVICE(0x13d3, 0x3362), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -187,6 +187,7 @@ static const struct usb_device_id blackl + { USB_DEVICE(0x13d3, 0x3362), .driver_info = 
BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3393), .driver_info = BTUSB_ATH3012 }, ++ { USB_DEVICE(0x13d3, 0x3395), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3402), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3408), .driver_info = BTUSB_ATH3012 }, + { USB_DEVICE(0x13d3, 0x3432), .driver_info = BTUSB_ATH3012 }, diff --git a/queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch b/queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch new file mode 100644 index 00000000000..c798e8f9ede --- /dev/null +++ b/queue-3.14/input-powermate-fix-oops-with-malicious-usb-descriptors.patch @@ -0,0 +1,38 @@ +From 9c6ba456711687b794dcf285856fc14e2c76074f Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 14 Mar 2016 09:33:40 -0700 +Subject: Input: powermate - fix oops with malicious USB descriptors + +From: Josh Boyer + +commit 9c6ba456711687b794dcf285856fc14e2c76074f upstream. + +The powermate driver expects at least one valid USB endpoint in its +probe function. If given malicious descriptors that specify 0 for +the number of endpoints, it will crash. Validate the number of +endpoints on the interface before using them. + +The full report for this issue can be found here: +http://seclists.org/bugtraq/2016/Mar/85 + +Reported-by: Ralf Spenneberg +Signed-off-by: Josh Boyer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/powermate.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/misc/powermate.c ++++ b/drivers/input/misc/powermate.c +@@ -307,6 +307,9 @@ static int powermate_probe(struct usb_in + int error = -ENOMEM; + + interface = intf->cur_altsetting; ++ if (interface->desc.bNumEndpoints < 1) ++ return -EINVAL; ++ + endpoint = &interface->endpoint[0].desc; + if (!usb_endpoint_is_int_in(endpoint)) + return -EIO; 
diff --git a/queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch b/queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch new file mode 100644 index 00000000000..7ef14f9e66e --- /dev/null +++ b/queue-3.14/pwc-add-usb-id-for-philips-spc880nc-webcam.patch @@ -0,0 +1,43 @@ +From 7445e45d19a09e5269dc85f17f9635be29d2f76c Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Fri, 22 Jan 2016 08:53:55 -0200 +Subject: [media] pwc: Add USB id for Philips Spc880nc webcam + +From: Hans de Goede + +commit 7445e45d19a09e5269dc85f17f9635be29d2f76c upstream. + +SPC 880NC PC camera discussions: + http://www.pclinuxos.com/forum/index.php/topic,135688.0.html + +Reported-by: Kikim +Signed-off-by: Hans de Goede +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/pwc/pwc-if.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/media/usb/pwc/pwc-if.c ++++ b/drivers/media/usb/pwc/pwc-if.c +@@ -91,6 +91,7 @@ static const struct usb_device_id pwc_de + { USB_DEVICE(0x0471, 0x0312) }, + { USB_DEVICE(0x0471, 0x0313) }, /* the 'new' 720K */ + { USB_DEVICE(0x0471, 0x0329) }, /* Philips SPC 900NC PC Camera */ ++ { USB_DEVICE(0x0471, 0x032C) }, /* Philips SPC 880NC PC Camera */ + { USB_DEVICE(0x069A, 0x0001) }, /* Askey */ + { USB_DEVICE(0x046D, 0x08B0) }, /* Logitech QuickCam Pro 3000 */ + { USB_DEVICE(0x046D, 0x08B1) }, /* Logitech QuickCam Notebook Pro */ +@@ -799,6 +800,11 @@ static int usb_pwc_probe(struct usb_inte + name = "Philips SPC 900NC webcam"; + type_id = 740; + break; ++ case 0x032C: ++ PWC_INFO("Philips SPC 880NC USB webcam detected.\n"); ++ name = "Philips SPC 880NC webcam"; ++ type_id = 740; ++ break; + default: + return -ENODEV; + break; diff --git a/queue-3.14/series b/queue-3.14/series index 4a4749bf10f..65fed41d6dd 100644 --- a/queue-3.14/series +++ b/queue-3.14/series 
@@ -7,3 +7,27 @@ edac-amd64_edac-shift-wrapping-issue-in-f1x_get_norm_dct_addr.patch pci-disable-io-mem-decoding-for-devices-with-non-compliant-bars.patch x86-apic-fix-suspicious-rcu-usage-in-smp_trace_call_function_interrupt.patch x86-iopl-fix-iopl-capability-check-on-xen-pv.patch +sg-fix-dxferp-in-from_to-case.patch +aacraid-fix-memory-leak-in-aac_fib_map_free.patch +be2iscsi-set-the-boot_kset-pointer-to-null-in-case-of-failure.patch +usb-retry-reset-if-a-device-times-out.patch +usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch +usb-uas-reduce-can_queue-to-max_cmnds.patch +usb-cdc-acm-more-sanity-checking.patch +usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch +usb-usb_driver_claim_interface-add-sanity-checking.patch +usb-mct_u232-add-sanity-checking-in-probe.patch +usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch +usb-cypress_m8-add-endpoint-sanity-check.patch +usb-serial-cp210x-adding-ge-healthcare-device-id.patch +usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch +usb-option-add-d-link-dwm-221-b1-device-id.patch +pwc-add-usb-id-for-philips-spc880nc-webcam.patch +input-powermate-fix-oops-with-malicious-usb-descriptors.patch +alsa-usb-audio-fix-null-dereference-in-create_fixed_stream_quirk.patch +alsa-usb-audio-add-sanity-checks-for-endpoint-accesses.patch +alsa-usb-audio-minor-code-cleanup-in-create_fixed_stream_quirk.patch +alsa-usb-audio-fix-double-free-in-error-paths-after-snd_usb_add_audio_stream-call.patch +bluetooth-btusb-add-new-ar3012-id-13d3-3395.patch +bluetooth-btusb-add-a-new-ar3012-id-04ca-3014.patch +bluetooth-btusb-add-a-new-ar3012-id-13d3-3472.patch diff --git a/queue-3.14/sg-fix-dxferp-in-from_to-case.patch b/queue-3.14/sg-fix-dxferp-in-from_to-case.patch new file mode 100644 index 00000000000..26da30be653 --- /dev/null +++ b/queue-3.14/sg-fix-dxferp-in-from_to-case.patch 
@@ -0,0 +1,47 @@ +From 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 Mon Sep 17 00:00:00 2001 +From: Douglas Gilbert +Date: Thu, 3 Mar 2016 00:31:29 -0500 +Subject: sg: fix dxferp in from_to case + +From: Douglas Gilbert + +commit 5ecee0a3ee8d74b6950cb41e8989b0c2174568d4 upstream. + +One of the strange things that the original sg driver did was let the +user provide both a data-out buffer (it followed the sg_header+cdb) +_and_ specify a reply length greater than zero. What happened was that +the user data-out buffer was copied into some kernel buffers and then +the mid level was told a read type operation would take place with the +data from the device overwriting the same kernel buffers. The user would +then read those kernel buffers back into the user space. + +From what I can tell, the above action was broken by commit fad7f01e61bf +("sg: set dxferp to NULL for READ with the older SG interface") in 2008 +and syzkaller found that out recently. + +Make sure that a user space pointer is passed through when data follows +the sg_header structure and command. Fix the abnormal case when a +non-zero reply_len is also given. + +Fixes: fad7f01e61bf737fe8a3740d803f000db57ecac6 +Signed-off-by: Douglas Gilbert +Reviewed-by: Ewan Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sg.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/sg.c ++++ b/drivers/scsi/sg.c +@@ -633,7 +633,8 @@ sg_write(struct file *filp, const char _ + else + hp->dxfer_direction = (mxsize > 0) ? SG_DXFER_FROM_DEV : SG_DXFER_NONE; + hp->dxfer_len = mxsize; +- if (hp->dxfer_direction == SG_DXFER_TO_DEV) ++ if ((hp->dxfer_direction == SG_DXFER_TO_DEV) || ++ (hp->dxfer_direction == SG_DXFER_TO_FROM_DEV)) + hp->dxferp = (char __user *)buf + cmd_size; + else + hp->dxferp = NULL; 
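Review bot: The widened condition in sg_write() carries no comment, and the reason for treating SG_DXFER_TO_FROM_DEV like SG_DXFER_TO_DEV is legacy behaviour that is easy to simplify away again, which is how the 2008 change cited in the description broke it. I would add above the `if`: `/* old sg_header interface: data-out follows the header and CDB, and the reply overwrites the same buffer */`. Note also that `hp->dxfer_len` is set to `mxsize` for both directions on the line above. How mxsize relates to the number of bytes the caller actually supplied is computed outside the hunk and is worth re-checking for the TO_FROM case.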
diff --git a/queue-3.14/usb-cdc-acm-more-sanity-checking.patch b/queue-3.14/usb-cdc-acm-more-sanity-checking.patch new file mode 100644 index 00000000000..9ff4bfe08b8 --- /dev/null +++ b/queue-3.14/usb-cdc-acm-more-sanity-checking.patch @@ -0,0 +1,33 @@ +From 8835ba4a39cf53f705417b3b3a94eb067673f2c9 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 15 Mar 2016 10:14:04 +0100 +Subject: USB: cdc-acm: more sanity checking + +From: Oliver Neukum + +commit 8835ba4a39cf53f705417b3b3a94eb067673f2c9 upstream. + +An attack has become available which pretends to be a quirky +device circumventing normal sanity checks and crashes the kernel +by an insufficient number of interfaces. This patch adds a check +to the code path for quirky devices. + +Signed-off-by: Oliver Neukum +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1079,6 +1079,9 @@ static int acm_probe(struct usb_interfac + if (quirks == NO_UNION_NORMAL) { + data_interface = usb_ifnum_to_if(usb_dev, 1); + control_interface = usb_ifnum_to_if(usb_dev, 0); ++ /* we would crash */ ++ if (!data_interface || !control_interface) ++ return -ENODEV; + goto skip_normal_probe; + } + diff --git a/queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch b/queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch new file mode 100644 index 00000000000..5be14d8253f --- /dev/null +++ b/queue-3.14/usb-cypress_m8-add-endpoint-sanity-check.patch 
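Review bot: The comment `/* we would crash */` on the new check in acm_probe() does not say what crashes or why. usb_ifnum_to_if() returns NULL when the device has no interface with the requested number, and before this change the NO_UNION_NORMAL branch jumped to skip_normal_probe with both pointers unchecked. I would replace the comment with `/* a device matching this quirk may not expose interfaces 0 and 1 */`. acm_probe() starts and ends outside the hunk.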
@@ -0,0 +1,48 @@ +From c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Thu, 31 Mar 2016 12:04:25 -0400 +Subject: USB: cypress_m8: add endpoint sanity check + +From: Oliver Neukum + +commit c55aee1bf0e6b6feec8b2927b43f7a09a6d5f754 upstream. + +An attack using missing endpoints exists. + +CVE-2016-3137 + +Signed-off-by: Oliver Neukum +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cypress_m8.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/usb/serial/cypress_m8.c ++++ b/drivers/usb/serial/cypress_m8.c +@@ -447,6 +447,11 @@ static int cypress_generic_port_probe(st + struct usb_serial *serial = port->serial; + struct cypress_private *priv; + ++ if (!port->interrupt_out_urb || !port->interrupt_in_urb) { ++ dev_err(&port->dev, "required endpoint is missing\n"); ++ return -ENODEV; ++ } ++ + priv = kzalloc(sizeof(struct cypress_private), GFP_KERNEL); + if (!priv) + return -ENOMEM; +@@ -606,12 +611,6 @@ static int cypress_open(struct tty_struc + cypress_set_termios(tty, port, &priv->tmp_termios); + + /* setup the port and start reading from the device */ +- if (!port->interrupt_in_urb) { +- dev_err(&port->dev, "%s - interrupt_in_urb is empty!\n", +- __func__); +- return -1; +- } +- + usb_fill_int_urb(port->interrupt_in_urb, serial->dev, + usb_rcvintpipe(serial->dev, port->interrupt_in_endpointAddress), + port->interrupt_in_urb->transfer_buffer, diff --git a/queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch b/queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch new file mode 100644 index 00000000000..61e0805d0d7 --- /dev/null +++ b/queue-3.14/usb-digi_acceleport-do-sanity-checking-for-the-number-of-ports.patch 
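Review bot: The check added to cypress_generic_port_probe() replaces the one removed from cypress_open(), but nothing at the new site records which later code depends on it. cypress_open() now passes `port->interrupt_in_urb` to usb_fill_int_urb() unconditionally, so its safety rests on port probe having failed for a device without that endpoint. A short comment such as `/* open and write paths use both interrupt URBs without further checks */` would state the dependency. The use of interrupt_out_urb is not visible in these hunks, so that half of the comment is inferred from the new condition and should be confirmed.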
@@ -0,0 +1,53 @@
+From 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 31 Mar 2016 12:04:26 -0400
+Subject: USB: digi_acceleport: do sanity checking for the number of ports
+
+From: Oliver Neukum
+
+commit 5a07975ad0a36708c6b0a5b9fea1ff811d0b0c1f upstream.
+
+The driver can be crashed with devices that expose crafted descriptors
+with too few endpoints.
+
+See: http://seclists.org/bugtraq/2016/Mar/61
+
+Signed-off-by: Oliver Neukum
+[johan: fix OOB endpoint check and add error messages ]
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/digi_acceleport.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1252,8 +1252,27 @@ static int digi_port_init(struct usb_ser
+
+ static int digi_startup(struct usb_serial *serial)
+ {
++ struct device *dev = &serial->interface->dev;
+ struct digi_serial *serial_priv;
+ int ret;
++ int i;
++
++ /* check whether the device has the expected number of endpoints */
++ if (serial->num_port_pointers < serial->type->num_ports + 1) {
++ dev_err(dev, "OOB endpoints missing\n");
++ return -ENODEV;
++ }
++
++ for (i = 0; i < serial->type->num_ports + 1 ; i++) {
++ if (!serial->port[i]->read_urb) {
++ dev_err(dev, "bulk-in endpoint missing\n");
++ return -ENODEV;
++ }
++ if (!serial->port[i]->write_urb) {
++ dev_err(dev, "bulk-out endpoint missing\n");
++ return -ENODEV;
++ }
++ }
+
+ serial_priv = kzalloc(sizeof(*serial_priv), GFP_KERNEL);
+ if (!serial_priv)
diff --git a/queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch b/queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch
new file mode 100644
index 00000000000..a40b0179d80
--- /dev/null
+++ b/queue-3.14/usb-hub-fix-a-typo-in-hub_port_init-leading-to-wrong-logic.patch
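Review bot: In digi_startup() the bound `serial->type->num_ports + 1` is written twice, and the `+ 1` is explained only indirectly by the "OOB endpoints missing" message. A named local, for example `int expected = serial->type->num_ports + 1; /* data ports plus, presumably, the out-of-band port */`, would keep the first check and the loop limit from drifting apart. The two `dev_err()` calls inside the loop also drop the index, so `dev_err(dev, "bulk-in endpoint missing on port %d\n", i);` (and the same for bulk-out) would make a rejected device easier to triage from the log. digi_startup() continues past the end of the hunk.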
@@ -0,0 +1,66 @@
+From 0d5ce778c43bf888328231bcdce05d5c860655aa Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 17 Feb 2016 11:52:43 +0100
+Subject: usb: hub: fix a typo in hub_port_init() leading to wrong logic
+
+From: Oliver Neukum
+
+commit 0d5ce778c43bf888328231bcdce05d5c860655aa upstream.
+
+A typo of j for i led to a logic bug. To rule out future
+confusion, the variable names are made meaningful.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4079,7 +4079,7 @@ hub_port_init (struct usb_hub *hub, stru
+
+ struct usb_device *hdev = hub->hdev;
+ struct usb_hcd *hcd = bus_to_hcd(hdev->bus);
+- int i, j, retval;
++ int retries, operations, retval, i;
+ unsigned delay = HUB_SHORT_RESET_TIME;
+ enum usb_device_speed oldspeed = udev->speed;
+ const char *speed;
+@@ -4181,7 +4181,7 @@ hub_port_init (struct usb_hub *hub, stru
+ * first 8 bytes of the device descriptor to get the ep0 maxpacket
+ * value.
+ */
+- for (i = 0; i < GET_DESCRIPTOR_TRIES; (++i, msleep(100))) {
++ for (retries = 0; retries < GET_DESCRIPTOR_TRIES; (++retries, msleep(100))) {
+ bool did_new_scheme = false;
+
+ if (use_new_scheme(udev, retry_counter)) {
+@@ -4204,7 +4204,7 @@ hub_port_init (struct usb_hub *hub, stru
+ * 255 is for WUSB devices, we actually need to use
+ * 512 (WUSB1.0[4.8.1]).
+ */
+- for (j = 0; j < 3; ++j) {
++ for (operations = 0; operations < 3; ++operations) {
+ buf->bMaxPacketSize0 = 0;
+ r = usb_control_msg(udev, usb_rcvaddr0pipe(),
+ USB_REQ_GET_DESCRIPTOR, USB_DIR_IN,
+@@ -4230,7 +4230,7 @@ hub_port_init (struct usb_hub *hub, stru
+ * reset. But only on the first attempt,
+ * lest we get into a time out/reset loop
+ */
+- if (r == 0 || (r == -ETIMEDOUT && j == 0))
++ if (r == 0 || (r == -ETIMEDOUT && retries == 0))
+ break;
+ }
+ udev->descriptor.bMaxPacketSize0 =
+@@ -4262,7 +4262,7 @@ hub_port_init (struct usb_hub *hub, stru
+ * authorization will assign the final address.
+ */
+ if (udev->wusb == 0) {
+- for (j = 0; j < SET_ADDRESS_TRIES; ++j) {
++ for (operations = 0; operations < SET_ADDRESS_TRIES; ++operations) {
+ retval = hub_set_address(udev, devnum);
+ if (retval >= 0)
+ break;
diff --git a/queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch b/queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch
new file mode 100644
index 00000000000..878f366fbaa
--- /dev/null
+++ b/queue-3.14/usb-iowarrior-fix-oops-with-malicious-usb-descriptors.patch
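Review bot: This patch only applies on top of usb-retry-reset-if-a-device-times-out.patch from the same queue, because the line it removes in hub_port_init(), `if (r == 0 || (r == -ETIMEDOUT && j == 0))`, is the one that patch adds. The queue's series file is not visible in this part of the page, so it is worth confirming that the retry-reset patch is listed before this one; applied alone, that patch leaves the time-out test on the inner counter `j`, which this commit message describes as the typo. The declaration hunk keeps `i` next to `retries` and `operations`, presumably for uses of `i` elsewhere in the function that these hunks do not show.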
@@ -0,0 +1,40 @@
+From 4ec0ef3a82125efc36173062a50624550a900ae0 Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Mon, 14 Mar 2016 10:42:38 -0400
+Subject: USB: iowarrior: fix oops with malicious USB descriptors
+
+From: Josh Boyer
+
+commit 4ec0ef3a82125efc36173062a50624550a900ae0 upstream.
+
+The iowarrior driver expects at least one valid endpoint. If given
+malicious descriptors that specify 0 for the number of endpoints,
+it will crash in the probe function. Ensure there is at least
+one endpoint on the interface before using it.
+
+The full report of this issue can be found here:
+http://seclists.org/bugtraq/2016/Mar/87
+
+Reported-by: Ralf Spenneberg
+Signed-off-by: Josh Boyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/iowarrior.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -791,6 +791,12 @@ static int iowarrior_probe(struct usb_in
+ iface_desc = interface->cur_altsetting;
+ dev->product_id = le16_to_cpu(udev->descriptor.idProduct);
+
++ if (iface_desc->desc.bNumEndpoints < 1) {
++ dev_err(&interface->dev, "Invalid number of endpoints\n");
++ retval = -EINVAL;
++ goto error;
++ }
++
+ /* set up the endpoint information */
+ for (i = 0; i < iface_desc->desc.bNumEndpoints; ++i) {
+ endpoint = &iface_desc->endpoint[i].desc;
diff --git a/queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch b/queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch
new file mode 100644
index 00000000000..2ff48d0078b
--- /dev/null
+++ b/queue-3.14/usb-mct_u232-add-sanity-checking-in-probe.patch
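Review bot: The new `bNumEndpoints < 1` test in iowarrior_probe() rejects an interface with no endpoints, but a non-zero count says nothing about the type or direction of the endpoints that are present. If the loop that follows selects endpoints by type and the code after it uses the result without a NULL test, the endpoint pointer can still be unset when it is dereferenced; the loop body and the rest of the probe function are outside the hunk, so this is an assumption to confirm. A check placed after the loop, such as `if (!dev->int_in_endpoint) { retval = -ENODEV; goto error; }`, would cover that case.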
@@ -0,0 +1,48 @@
+From 4e9a0b05257f29cf4b75f3209243ed71614d062e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Thu, 31 Mar 2016 12:04:24 -0400
+Subject: USB: mct_u232: add sanity checking in probe
+
+From: Oliver Neukum
+
+commit 4e9a0b05257f29cf4b75f3209243ed71614d062e upstream.
+
+An attack using the lack of sanity checking in probe is known. This
+patch checks for the existence of a second port.
+
+CVE-2016-3136
+
+Signed-off-by: Oliver Neukum
+[johan: add error message ]
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/mct_u232.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mct_u232.c
++++ b/drivers/usb/serial/mct_u232.c
+@@ -376,14 +376,21 @@ static void mct_u232_msr_to_state(struct
+
+ static int mct_u232_port_probe(struct usb_serial_port *port)
+ {
++ struct usb_serial *serial = port->serial;
+ struct mct_u232_private *priv;
+
++ /* check first to simplify error handling */
++ if (!serial->port[1] || !serial->port[1]->interrupt_in_urb) {
++ dev_err(&port->dev, "expected endpoint missing\n");
++ return -ENODEV;
++ }
++
+ priv = kzalloc(sizeof(*priv), GFP_KERNEL);
+ if (!priv)
+ return -ENOMEM;
+
+ /* Use second interrupt-in endpoint for reading. */
+- priv->read_urb = port->serial->port[1]->interrupt_in_urb;
++ priv->read_urb = serial->port[1]->interrupt_in_urb;
+ priv->read_urb->context = port;
+
+ spin_lock_init(&priv->lock);
diff --git a/queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch b/queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch
new file mode 100644
index 00000000000..81887176c0b
--- /dev/null
+++ b/queue-3.14/usb-option-add-d-link-dwm-221-b1-device-id.patch
@@ -0,0 +1,57 @@
+From d48d5691ebf88a15d95ba96486917ffc79256536 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Thu, 7 Apr 2016 12:09:17 +0200
+Subject: USB: option: add "D-Link DWM-221 B1" device id
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork
+
+commit d48d5691ebf88a15d95ba96486917ffc79256536 upstream.
+
+Thomas reports:
+"Windows:
+
+00 diagnostics
+01 modem
+02 at-port
+03 nmea
+04 nic
+
+Linux:
+
+T: Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#= 4 Spd=480 MxCh= 0
+D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1
+P: Vendor=2001 ProdID=7e19 Rev=02.32
+S: Manufacturer=Mobile Connect
+S: Product=Mobile Connect
+S: SerialNumber=0123456789ABCDEF
+C: #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
+I: If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
+I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
+I: If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
+I: If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
+
+Reported-by: Thomas Schäfer
+Signed-off-by: Bjørn Mork
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -1818,6 +1818,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d02, 0xff, 0x00, 0x00) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x02, 0x01) },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x2001, 0x7d03, 0xff, 0x00, 0x00) },
++ { USB_DEVICE_INTERFACE_CLASS(0x2001, 0x7e19, 0xff), /* D-Link DWM-221 B1 */
++ .driver_info = (kernel_ulong_t)&net_intf4_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e01, 0xff, 0xff, 0xff) }, /* D-Link DWM-152/C1 */
+ { USB_DEVICE_AND_INTERFACE_INFO(0x07d1, 0x3e02, 0xff, 0xff, 0xff) }, /* D-Link DWM-156/C1 */
+ { USB_DEVICE_INTERFACE_CLASS(0x2020, 0x4000, 0xff) }, /* OLICARD300 - MT6225 */
diff --git a/queue-3.14/usb-retry-reset-if-a-device-times-out.patch b/queue-3.14/usb-retry-reset-if-a-device-times-out.patch
new file mode 100644
index 00000000000..d226640b1f9
--- /dev/null
+++ b/queue-3.14/usb-retry-reset-if-a-device-times-out.patch
@@ -0,0 +1,43 @@
+From 264904ccc33c604d4b3141bbd33808152dfac45b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 10 Feb 2016 11:33:18 +0100
+Subject: usb: retry reset if a device times out
+
+From: Oliver Neukum
+
+commit 264904ccc33c604d4b3141bbd33808152dfac45b upstream.
+
+Some devices I got show an inability to operate right after
+power on if they are already connected. They are beyond recovery
+if the descriptors are requested multiple times. So in case of
+a timeout we rather bail early and reset again. But it must be
+done only on the first loop lest we get into a reset/time out
+spiral that can be overcome with a retry.
+
+This patch is a rework of a patch that fell through the cracks.
+http://www.spinics.net/lists/linux-usb/msg103263.html
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hub.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -4224,7 +4224,13 @@ hub_port_init (struct usb_hub *hub, stru
+ r = -EPROTO;
+ break;
+ }
+- if (r == 0)
++ /*
++ * Some devices time out if they are powered on
++ * when already connected. They need a second
++ * reset. But only on the first attempt,
++ * lest we get into a time out/reset loop
++ */
++ if (r == 0 || (r == -ETIMEDOUT && j == 0))
+ break;
+ }
+ udev->descriptor.bMaxPacketSize0 =
diff --git a/queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch b/queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch
new file mode 100644
index 00000000000..b2a7c2e4393
--- /dev/null
+++ b/queue-3.14/usb-serial-cp210x-adding-ge-healthcare-device-id.patch
@@ -0,0 +1,30 @@
+From cddc9434e3dcc37a85c4412fb8e277d3a582e456 Mon Sep 17 00:00:00 2001
+From: Martyn Welch
+Date: Tue, 29 Mar 2016 17:47:29 +0100
+Subject: USB: serial: cp210x: Adding GE Healthcare Device ID
+
+From: Martyn Welch
+
+commit cddc9434e3dcc37a85c4412fb8e277d3a582e456 upstream.
+
+The CP2105 is used in the GE Healthcare Remote Alarm Box, with the
+Manufacturer ID of 0x1901 and Product ID of 0x0194.
+
+Signed-off-by: Martyn Welch
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -164,6 +164,7 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x18EF, 0xE025) }, /* ELV Marble Sound Board 1 */
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
++ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
+ { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
diff --git a/queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch b/queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch
new file mode 100644
index 00000000000..6f64cd03cad
--- /dev/null
+++ b/queue-3.14/usb-serial-ftdi_sio-add-support-for-icp-das-i-756xu-devices.patch
@@ -0,0 +1,57 @@
+From ea6db90e750328068837bed34cb1302b7a177339 Mon Sep 17 00:00:00 2001
+From: Josh Boyer
+Date: Thu, 10 Mar 2016 09:48:52 -0500
+Subject: USB: serial: ftdi_sio: Add support for ICP DAS I-756xU devices
+
+From: Josh Boyer
+
+commit ea6db90e750328068837bed34cb1302b7a177339 upstream.
+
+A Fedora user reports that the ftdi_sio driver works properly for the
+ICP DAS I-7561U device. Further, the user manual for these devices
+instructs users to load the driver and add the ids using the sysfs
+interface.
+
+Add support for these in the driver directly so that the devices work
+out of the box instead of needing manual configuration.
+
+Reported-by:
+Signed-off-by: Josh Boyer
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 4 ++++
+ drivers/usb/serial/ftdi_sio_ids.h | 8 ++++++++
+ 2 files changed, 12 insertions(+)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1017,6 +1017,10 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_DISPLAY_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_LITE_PID) },
+ { USB_DEVICE(FTDI_VID, CHETCO_SEASMART_ANALOG_PID) },
++ /* ICP DAS I-756xU devices */
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7560U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7561U_PID) },
++ { USB_DEVICE(ICPDAS_VID, ICPDAS_I7563U_PID) },
+ { } /* Terminating entry */
+ };
+
+--- a/drivers/usb/serial/ftdi_sio_ids.h
++++ b/drivers/usb/serial/ftdi_sio_ids.h
+@@ -872,6 +872,14 @@
+ #define NOVITUS_BONO_E_PID 0x6010
+
+ /*
++ * ICPDAS I-756*U devices
++ */
++#define ICPDAS_VID 0x1b5c
++#define ICPDAS_I7560U_PID 0x0103
++#define ICPDAS_I7561U_PID 0x0104
++#define ICPDAS_I7563U_PID 0x0105
++
++/*
+ * RT Systems programming cables for various ham radios
+ */
+ #define RTSYSTEMS_VID 0x2100 /* Vendor ID */
diff --git a/queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch b/queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch
new file mode 100644
index 00000000000..3d17ea02772
--- /dev/null
+++ b/queue-3.14/usb-uas-reduce-can_queue-to-max_cmnds.patch
@@ -0,0 +1,37 @@
+From 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Mon, 7 Mar 2016 20:11:52 +0100
+Subject: USB: uas: Reduce can_queue to MAX_CMNDS
+
+From: Hans de Goede
+
+commit 55ff8cfbc4e12a7d2187df523938cc671fbebdd1 upstream.
+
+The uas driver can never queue more then MAX_CMNDS (- 1) tags and tags
+are shared between luns, so there is no need to claim that we can_queue
+some random large number.
+
+Not claiming that we can_queue 65536 commands, fixes the uas driver
+failing to initialize while allocating the tag map with a "Page allocation
+failure (order 7)" error on systems which have been running for a while
+and thus have fragmented memory.
+
+Reported-and-tested-by: Yves-Alexis Perez
+Signed-off-by: Hans de Goede
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/storage/uas.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/uas.c
++++ b/drivers/usb/storage/uas.c
+@@ -835,7 +835,7 @@ static struct scsi_host_template uas_hos
+ .eh_abort_handler = uas_eh_abort_handler,
+ .eh_device_reset_handler = uas_eh_device_reset_handler,
+ .eh_bus_reset_handler = uas_eh_bus_reset_handler,
+- .can_queue = 65536, /* Is there a limit on the _host_ ? */
++ .can_queue = MAX_CMNDS,
+ .this_id = -1,
+ .sg_tablesize = SG_NONE,
+ .cmd_per_lun = 1, /* until we override it */
diff --git a/queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch b/queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch
new file mode 100644
index 00000000000..c9d586085cc
--- /dev/null
+++ b/queue-3.14/usb-usb_driver_claim_interface-add-sanity-checking.patch
@@ -0,0 +1,39 @@
+From 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Wed, 16 Mar 2016 13:26:17 +0100
+Subject: USB: usb_driver_claim_interface: add sanity checking
+
+From: Oliver Neukum
+
+commit 0b818e3956fc1ad976bee791eadcbb3b5fec5bfd upstream.
+
+Attacks that trick drivers into passing a NULL pointer
+to usb_driver_claim_interface() using forged descriptors are
+known. This thwarts them by sanity checking.
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/driver.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -494,11 +494,15 @@ static int usb_unbind_interface(struct d
+ int usb_driver_claim_interface(struct usb_driver *driver,
+ struct usb_interface *iface, void *priv)
+ {
+- struct device *dev = &iface->dev;
++ struct device *dev;
+ struct usb_device *udev;
+ int retval = 0;
+ int lpm_disable_error;
+
++ if (!iface)
++ return -ENODEV;
++
++ dev = &iface->dev;
+ if (dev->driver)
+ return -EBUSY;
+
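Review bot: The new `-ENODEV` return for a NULL `iface` in usb_driver_claim_interface() only protects callers that test the return value; a driver that ignores it would carry on with the same NULL interface pointer. The callers are not part of this hunk, so that has to be checked per driver. The function's header comment lies above the hunk and, if it documents return values, should gain a line such as `-ENODEV if @iface is NULL` so the new contract is visible at the call sites. The function body continues past the end of the hunk.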