From 967ed32cd68c23bd875a6105e76e58a23f9530e9 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 23 May 2017 14:40:29 +0200 Subject: [PATCH] 4.11-stable patches added patches: dvb-usb-dibusb-mc-common-add-module_license.patch mceusb-fix-null-deref-at-probe.patch net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch ttusb2-limit-messages-to-buffer-size.patch usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch usb-ehci-platform-fix-companion-device-leak.patch usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch usb-hub-fix-non-ss-hub-descriptor-handling.patch usb-hub-fix-ss-hub-descriptor-handling.patch usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch usb-serial-option-add-telit-me910-support.patch usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch usbvision-fix-null-deref-at-probe.patch --- ...-dibusb-mc-common-add-module_license.patch | 34 ++++++++++ .../mceusb-fix-null-deref-at-probe.patch | 37 ++++++++++ ...ix-firmware-name-on-big-endian-hosts.patch | 33 +++++++++ queue-4.11/series | 17 +++++ ...ttusb2-limit-messages-to-buffer-size.patch | 55 +++++++++++++++ ...prevent-losing-events-in-event-cache.patch | 55 +++++++++++++++ ...i-platform-fix-companion-device-leak.patch | 36 ++++++++++ ...ce-is-not-connected-in-system-resume.patch | 61 +++++++++++++++++ ...b-fix-non-ss-hub-descriptor-handling.patch | 68 +++++++++++++++++++ ...b-hub-fix-ss-hub-descriptor-handling.patch | 50 ++++++++++++++ ...r-fix-info-ioctl-on-big-endian-hosts.patch | 35 ++++++++++ ...-while-active-for-otg-configurations.patch | 55 +++++++++++++++ ...et-the-other-direction-s-packet-size.patch | 60 ++++++++++++++++ ...io_ti-fix-div-by-zero-in-set_termios.patch | 40 +++++++++++ ...32-fix-big-endian-baud-rate-handling.patch | 39 +++++++++++ ...erial-option-add-telit-me910-support.patch | 50 ++++++++++++++ ...al-add-more-lenovo-em74xx-device-ids.patch | 36 ++++++++++ .../usbvision-fix-null-deref-at-probe.patch | 44 ++++++++++++ 18 files changed, 805 insertions(+) create mode 100644 queue-4.11/dvb-usb-dibusb-mc-common-add-module_license.patch create mode 100644 queue-4.11/mceusb-fix-null-deref-at-probe.patch create mode 100644 queue-4.11/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch create mode 100644 queue-4.11/ttusb2-limit-messages-to-buffer-size.patch create mode 100644 queue-4.11/usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch create mode 100644 queue-4.11/usb-ehci-platform-fix-companion-device-leak.patch create mode 100644 queue-4.11/usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch create mode 100644 queue-4.11/usb-hub-fix-non-ss-hub-descriptor-handling.patch create mode 100644 queue-4.11/usb-hub-fix-ss-hub-descriptor-handling.patch create mode 100644 queue-4.11/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch create mode 100644 queue-4.11/usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch create mode 100644 queue-4.11/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch create mode 100644 queue-4.11/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch create mode 100644 queue-4.11/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch create mode 100644 queue-4.11/usb-serial-option-add-telit-me910-support.patch create mode 100644 queue-4.11/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch create mode 100644 queue-4.11/usbvision-fix-null-deref-at-probe.patch diff --git a/queue-4.11/dvb-usb-dibusb-mc-common-add-module_license.patch b/queue-4.11/dvb-usb-dibusb-mc-common-add-module_license.patch new file mode 100644 index 00000000000..b4bfbe15bca --- /dev/null +++ b/queue-4.11/dvb-usb-dibusb-mc-common-add-module_license.patch @@ -0,0 +1,34 @@ +From bf05b65a9fe5f6a6dd3e72cab2aacd8b5b96e41d Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Fri, 17 Feb 2017 22:30:51 -0200 +Subject: [media] dvb-usb-dibusb-mc-common: Add MODULE_LICENSE + +From: Ben Hutchings + +commit bf05b65a9fe5f6a6dd3e72cab2aacd8b5b96e41d upstream. + +dvb-usb-dibusb-mc-common is licensed under GPLv2, and if we don't say +so then it won't even load since it needs a GPL-only symbol. + +Fixes: e91455a1495a ("[media] dvb-usb: split out common parts of dibusb") + +Reported-by: Dominique Dumont +Signed-off-by: Ben Hutchings +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dibusb-mc-common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dibusb-mc-common.c ++++ b/drivers/media/usb/dvb-usb/dibusb-mc-common.c +@@ -11,6 +11,8 @@ + + #include "dibusb.h" + ++MODULE_LICENSE("GPL"); ++ + /* 3000MC/P stuff */ + // Config Adjacent channels Perf -cal22 + static struct dibx000_agc_config dib3000p_mt2060_agc_config = { diff --git a/queue-4.11/mceusb-fix-null-deref-at-probe.patch b/queue-4.11/mceusb-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..e5bd04188d8 --- /dev/null +++ b/queue-4.11/mceusb-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From 03eb2a557ed552e920a0942b774aaf931596eec1 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 7 Mar 2017 15:14:13 -0300 +Subject: [media] mceusb: fix NULL-deref at probe + +From: Johan Hovold + +commit 03eb2a557ed552e920a0942b774aaf931596eec1 upstream. + +Make sure to check for the required out endpoint to avoid dereferencing +a NULL-pointer in mce_request_packet should a malicious device lack such +an endpoint. Note that this path is hit during probe. + +Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver") + +Signed-off-by: Johan Hovold +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/rc/mceusb.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1288,8 +1288,8 @@ static int mceusb_dev_probe(struct usb_i + } + } + } +- if (ep_in == NULL) { +- dev_dbg(&intf->dev, "inbound and/or endpoint not found"); ++ if (!ep_in || !ep_out) { ++ dev_dbg(&intf->dev, "required endpoints not found\n"); + return -ENODEV; + } + diff --git a/queue-4.11/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch b/queue-4.11/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch new file mode 100644 index 00000000000..c1ae2caa209 --- /dev/null +++ b/queue-4.11/net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch @@ -0,0 +1,33 @@ +From 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 12 May 2017 12:11:13 +0200 +Subject: net: irda: irda-usb: fix firmware name on big-endian hosts + +From: Johan Hovold + +commit 75cf067953d5ee543b3bda90bbfcbee5e1f94ae8 upstream. + +Add missing endianness conversion when using the USB device-descriptor +bcdDevice field to construct a firmware file name. + +Fixes: 8ef80aef118e ("[IRDA]: irda-usb.c: STIR421x cleanups") +Cc: Nick Fedchik +Signed-off-by: Johan Hovold +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/irda/irda-usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/irda/irda-usb.c ++++ b/drivers/net/irda/irda-usb.c +@@ -1077,7 +1077,7 @@ static int stir421x_patch_device(struct + * are "42101001.sb" or "42101002.sb" + */ + sprintf(stir421x_fw_name, "4210%4X.sb", +- self->usbdev->descriptor.bcdDevice); ++ le16_to_cpu(self->usbdev->descriptor.bcdDevice)); + ret = request_firmware(&fw, stir421x_fw_name, &self->usbdev->dev); + if (ret < 0) + return ret; diff --git a/queue-4.11/series b/queue-4.11/series index dc8b44aa9fc..ac9fd697545 100644 --- a/queue-4.11/series +++ b/queue-4.11/series @@ -90,3 +90,20 @@ usb-host-xhci-plat-propagate-return-value-of-platform_get_irq.patch usb-xhci-fix-lock-inversion-problem.patch xhci-apply-pme_stuck_quirk-and-missing_cas-quirk-for-denverton.patch usb-host-xhci-mem-allocate-zeroed-scratchpad-buffer.patch +net-irda-irda-usb-fix-firmware-name-on-big-endian-hosts.patch +usbvision-fix-null-deref-at-probe.patch +mceusb-fix-null-deref-at-probe.patch +ttusb2-limit-messages-to-buffer-size.patch +dvb-usb-dibusb-mc-common-add-module_license.patch +usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch +usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch +usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch +usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch +usb-ehci-platform-fix-companion-device-leak.patch +usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch +usb-serial-option-add-telit-me910-support.patch +usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch +usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch +usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch +usb-hub-fix-ss-hub-descriptor-handling.patch +usb-hub-fix-non-ss-hub-descriptor-handling.patch diff --git a/queue-4.11/ttusb2-limit-messages-to-buffer-size.patch b/queue-4.11/ttusb2-limit-messages-to-buffer-size.patch new file mode 100644 index 00000000000..4a94eebd77d --- /dev/null +++ b/queue-4.11/ttusb2-limit-messages-to-buffer-size.patch @@ -0,0 +1,55 @@ +From a12b8ab8c5ff7ccd7b107a564743507c850a441d Mon Sep 17 00:00:00 2001 +From: Alyssa Milburn +Date: Sat, 1 Apr 2017 14:34:32 -0300 +Subject: [media] ttusb2: limit messages to buffer size + +From: Alyssa Milburn + +commit a12b8ab8c5ff7ccd7b107a564743507c850a441d upstream. + +Otherwise ttusb2_i2c_xfer can read or write beyond the end of static and +heap buffers. + +Signed-off-by: Alyssa Milburn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/ttusb2.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/drivers/media/usb/dvb-usb/ttusb2.c ++++ b/drivers/media/usb/dvb-usb/ttusb2.c +@@ -78,6 +78,9 @@ static int ttusb2_msg(struct dvb_usb_dev + u8 *s, *r = NULL; + int ret = 0; + ++ if (4 + rlen > 64) ++ return -EIO; ++ + s = kzalloc(wlen+4, GFP_KERNEL); + if (!s) + return -ENOMEM; +@@ -381,6 +384,22 @@ static int ttusb2_i2c_xfer(struct i2c_ad + write_read = i+1 < num && (msg[i+1].flags & I2C_M_RD); + read = msg[i].flags & I2C_M_RD; + ++ if (3 + msg[i].len > sizeof(obuf)) { ++ err("i2c wr len=%d too high", msg[i].len); ++ break; ++ } ++ if (write_read) { ++ if (3 + msg[i+1].len > sizeof(ibuf)) { ++ err("i2c rd len=%d too high", msg[i+1].len); ++ break; ++ } ++ } else if (read) { ++ if (3 + msg[i].len > sizeof(ibuf)) { ++ err("i2c rd len=%d too high", msg[i].len); ++ break; ++ } ++ } ++ + obuf[0] = (msg[i].addr << 1) | (write_read | read); + if (read) + obuf[1] = 0; diff --git a/queue-4.11/usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch b/queue-4.11/usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch new file mode 100644 index 00000000000..3542b9cdd50 --- /dev/null +++ b/queue-4.11/usb-dwc3-gadget-prevent-losing-events-in-event-cache.patch @@ -0,0 +1,55 @@ +From d325a1de49d61ee11aca58a529571c91ecea7879 Mon Sep 17 00:00:00 2001 +From: Thinh Nguyen +Date: Thu, 11 May 2017 17:26:47 -0700 +Subject: usb: dwc3: gadget: Prevent losing events in event cache + +From: Thinh Nguyen + +commit d325a1de49d61ee11aca58a529571c91ecea7879 upstream. + +The dwc3 driver can overwite its previous events if its top-half IRQ +handler (TH) gets invoked again before processing the events in the +cache. We see this as a hang in the file transfer and the host will +attempt to reset the device. TH gets the event count and deasserts the +interrupt line by writing DWC3_GEVNTSIZ_INTMASK to DWC3_GEVNTSIZ. If +there's a new event coming between reading the event count and interrupt +deassertion, dwc3 will lose previous pending events. More generally, we +will see 0 event count, which should not affect anything. + +This shouldn't be possible in the current dwc3 implementation. However, +through testing and reading the PCIe trace, the TH occasionally still +gets invoked one more time after HW interrupt deassertion. (With PCIe +legacy interrupts, TH is called repeatedly as long as the interrupt line +is asserted). We suspect that there is a small detection delay in the +SW. + +To avoid this issue, Check DWC3_EVENT_PENDING flag to determine if the +events are processed in the bottom-half IRQ handler. If not, return +IRQ_HANDLED and don't process new event. + +Signed-off-by: Thinh Nguyen +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -3078,6 +3078,15 @@ static irqreturn_t dwc3_check_event_buf( + return IRQ_HANDLED; + } + ++ /* ++ * With PCIe legacy interrupt, test shows that top-half irq handler can ++ * be called again after HW interrupt deassertion. Check if bottom-half ++ * irq event handler completes before caching new event to prevent ++ * losing events. ++ */ ++ if (evt->flags & DWC3_EVENT_PENDING) ++ return IRQ_HANDLED; ++ + count = dwc3_readl(dwc->regs, DWC3_GEVNTCOUNT(0)); + count &= DWC3_GEVNTCOUNT_MASK; + if (!count) diff --git a/queue-4.11/usb-ehci-platform-fix-companion-device-leak.patch b/queue-4.11/usb-ehci-platform-fix-companion-device-leak.patch new file mode 100644 index 00000000000..336f025eb5e --- /dev/null +++ b/queue-4.11/usb-ehci-platform-fix-companion-device-leak.patch @@ -0,0 +1,36 @@ +From a7415477a20448bbb7d13765784c0b29249a176f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Tue, 16 May 2017 16:26:13 +0200 +Subject: USB: ehci-platform: fix companion-device leak + +From: Johan Hovold + +commit a7415477a20448bbb7d13765784c0b29249a176f upstream. + +Make sure do drop the reference taken to the companion device during +resume. + +Fixes: d4d75128b8fd ("usb: host: ehci-platform: fix usb 1.1 device is not connected in system resume") +Signed-off-by: Johan Hovold +Acked-by: Yoshihiro Shimoda +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-platform.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/ehci-platform.c ++++ b/drivers/usb/host/ehci-platform.c +@@ -381,8 +381,10 @@ static int ehci_platform_resume(struct d + } + + companion_dev = usb_of_get_companion_dev(hcd->self.controller); +- if (companion_dev) ++ if (companion_dev) { + device_pm_wait_for_dev(hcd->self.controller, companion_dev); ++ put_device(companion_dev); ++ } + + ehci_resume(hcd, priv->reset_on_resume); + return 0; diff --git a/queue-4.11/usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch b/queue-4.11/usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch new file mode 100644 index 00000000000..73ec80ad086 --- /dev/null +++ b/queue-4.11/usb-host-ehci-platform-fix-usb-1.1-device-is-not-connected-in-system-resume.patch @@ -0,0 +1,61 @@ +From d4d75128b8fd727d42c775a16b41634d09409dba Mon Sep 17 00:00:00 2001 +From: Yoshihiro Shimoda +Date: Tue, 21 Feb 2017 19:59:48 +0900 +Subject: usb: host: ehci-platform: fix usb 1.1 device is not connected in system resume + +From: Yoshihiro Shimoda + +commit d4d75128b8fd727d42c775a16b41634d09409dba upstream. + +This patch fixes an issue that a usb 1.1 device is not connected in +system resume and then the following message appeared if debug messages +are enabled: + usb 2-1: Waited 2000ms for CONNECT + +To resolve this issue, the EHCI controller must be resumed after its +companion controllers. So, this patch adds such code on the driver. + +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-platform.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/usb/host/ehci-platform.c ++++ b/drivers/usb/host/ehci-platform.c +@@ -34,6 +34,7 @@ + #include + #include + #include ++#include + + #include "ehci.h" + +@@ -297,6 +298,7 @@ static int ehci_platform_probe(struct pl + goto err_power; + + device_wakeup_enable(hcd->self.controller); ++ device_enable_async_suspend(hcd->self.controller); + platform_set_drvdata(dev, hcd); + + return err; +@@ -370,6 +372,7 @@ static int ehci_platform_resume(struct d + struct usb_ehci_pdata *pdata = dev_get_platdata(dev); + struct platform_device *pdev = to_platform_device(dev); + struct ehci_platform_priv *priv = hcd_to_ehci_priv(hcd); ++ struct device *companion_dev; + + if (pdata->power_on) { + int err = pdata->power_on(pdev); +@@ -377,6 +380,10 @@ static int ehci_platform_resume(struct d + return err; + } + ++ companion_dev = usb_of_get_companion_dev(hcd->self.controller); ++ if (companion_dev) ++ device_pm_wait_for_dev(hcd->self.controller, companion_dev); ++ + ehci_resume(hcd, priv->reset_on_resume); + return 0; + } diff --git a/queue-4.11/usb-hub-fix-non-ss-hub-descriptor-handling.patch b/queue-4.11/usb-hub-fix-non-ss-hub-descriptor-handling.patch new file mode 100644 index 00000000000..1f901ac315a --- /dev/null +++ b/queue-4.11/usb-hub-fix-non-ss-hub-descriptor-handling.patch @@ -0,0 +1,68 @@ +From bec444cd1c94c48df409a35ad4e5b143c245c3f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 10 May 2017 18:18:28 +0200 +Subject: USB: hub: fix non-SS hub-descriptor handling + +From: Johan Hovold + +commit bec444cd1c94c48df409a35ad4e5b143c245c3f7 upstream. + +Add missing sanity check on the non-SuperSpeed hub-descriptor length in +order to avoid parsing and leaking two bytes of uninitialised slab data +through sysfs removable-attributes (or a compound-device debug +statement). + +Note that we only make sure that the DeviceRemovable field is always +present (and specifically ignore the unused PortPwrCtrlMask field) in +order to continue support any hubs with non-compliant descriptors. As a +further safeguard, the descriptor buffer is also cleared. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -362,7 +362,8 @@ static void usb_set_lpm_parameters(struc + } + + /* USB 2.0 spec Section 11.24.4.5 */ +-static int get_hub_descriptor(struct usb_device *hdev, void *data) ++static int get_hub_descriptor(struct usb_device *hdev, ++ struct usb_hub_descriptor *desc) + { + int i, ret, size; + unsigned dtype; +@@ -378,12 +379,16 @@ static int get_hub_descriptor(struct usb + for (i = 0; i < 3; i++) { + ret = usb_control_msg(hdev, usb_rcvctrlpipe(hdev, 0), + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB, +- dtype << 8, 0, data, size, ++ dtype << 8, 0, desc, size, + USB_CTRL_GET_TIMEOUT); + if (hub_is_superspeed(hdev)) { + if (ret == size) + return ret; +- } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) { ++ } else if (ret >= USB_DT_HUB_NONVAR_SIZE + 2) { ++ /* Make sure we have the DeviceRemovable field. */ ++ size = USB_DT_HUB_NONVAR_SIZE + desc->bNbrPorts / 8 + 1; ++ if (ret < size) ++ return -EMSGSIZE; + return ret; + } + } +@@ -1317,7 +1322,7 @@ static int hub_configure(struct usb_hub + } + mutex_init(&hub->status_mutex); + +- hub->descriptor = kmalloc(sizeof(*hub->descriptor), GFP_KERNEL); ++ hub->descriptor = kzalloc(sizeof(*hub->descriptor), GFP_KERNEL); + if (!hub->descriptor) { + ret = -ENOMEM; + goto fail; diff --git a/queue-4.11/usb-hub-fix-ss-hub-descriptor-handling.patch b/queue-4.11/usb-hub-fix-ss-hub-descriptor-handling.patch new file mode 100644 index 00000000000..97e83cff43b --- /dev/null +++ b/queue-4.11/usb-hub-fix-ss-hub-descriptor-handling.patch @@ -0,0 +1,50 @@ +From 2c25a2c818023df64463aac3288a9f969491e507 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 10 May 2017 18:18:27 +0200 +Subject: USB: hub: fix SS hub-descriptor handling + +From: Johan Hovold + +commit 2c25a2c818023df64463aac3288a9f969491e507 upstream. + +A SuperSpeed hub descriptor does not have any variable-length fields so +bail out when reading a short descriptor. + +This avoids parsing and leaking two bytes of uninitialised slab data +through sysfs removable-attributes. + +Fixes: dbe79bbe9dcb ("USB 3.0 Hub Changes") +Cc: John Youn +Acked-by: Alan Stern +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -380,8 +380,12 @@ static int get_hub_descriptor(struct usb + USB_REQ_GET_DESCRIPTOR, USB_DIR_IN | USB_RT_HUB, + dtype << 8, 0, data, size, + USB_CTRL_GET_TIMEOUT); +- if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) ++ if (hub_is_superspeed(hdev)) { ++ if (ret == size) ++ return ret; ++ } else if (ret >= (USB_DT_HUB_NONVAR_SIZE + 2)) { + return ret; ++ } + } + return -EINVAL; + } +@@ -1321,7 +1325,7 @@ static int hub_configure(struct usb_hub + + /* Request the entire hub descriptor. + * hub->descriptor can handle USB_MAXCHILDREN ports, +- * but the hub can/will return fewer bytes here. ++ * but a (non-SS) hub can/will return fewer bytes here. + */ + ret = get_hub_descriptor(hdev, hub->descriptor); + if (ret < 0) { diff --git a/queue-4.11/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch b/queue-4.11/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch new file mode 100644 index 00000000000..48529bbec30 --- /dev/null +++ b/queue-4.11/usb-iowarrior-fix-info-ioctl-on-big-endian-hosts.patch @@ -0,0 +1,35 @@ +From dd5ca753fa92fb736b1395db892bd29f78e6d408 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 11 May 2017 11:36:02 +0200 +Subject: USB: iowarrior: fix info ioctl on big-endian hosts + +From: Johan Hovold + +commit dd5ca753fa92fb736b1395db892bd29f78e6d408 upstream. + +Drop erroneous le16_to_cpu when returning the USB device speed which is +already in host byte order. + +Found using sparse: + + warning: cast to restricted __le16 + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/iowarrior.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -554,7 +554,7 @@ static long iowarrior_ioctl(struct file + info.revision = le16_to_cpu(dev->udev->descriptor.bcdDevice); + + /* 0==UNKNOWN, 1==LOW(usb1.1) ,2=FULL(usb1.1), 3=HIGH(usb2.0) */ +- info.speed = le16_to_cpu(dev->udev->speed); ++ info.speed = dev->udev->speed; + info.if_num = dev->interface->cur_altsetting->desc.bInterfaceNumber; + info.report_size = dev->report_size; + diff --git a/queue-4.11/usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch b/queue-4.11/usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch new file mode 100644 index 00000000000..d8ba545a087 --- /dev/null +++ b/queue-4.11/usb-musb-fix-trying-to-suspend-while-active-for-otg-configurations.patch @@ -0,0 +1,55 @@ +From 3c50ffef25855a9d9e4b07b02d756a8cdd653069 Mon Sep 17 00:00:00 2001 +From: Tony Lindgren +Date: Wed, 17 May 2017 11:23:10 -0500 +Subject: usb: musb: Fix trying to suspend while active for OTG configurations + +From: Tony Lindgren + +commit 3c50ffef25855a9d9e4b07b02d756a8cdd653069 upstream. + +Commit d8e5f0eca1e8 ("usb: musb: Fix hardirq-safe hardirq-unsafe +lock order error") caused a regression where musb keeps trying to +enable host mode with no cable connected. This seems to be caused +by the fact that now phy is enabled earlier, and we are wrongly +trying to force USB host mode on an OTG port. The errors we are +getting are "trying to suspend as a_idle while active". + +For ports configured as OTG, we should not need to do anything +to try to force USB host mode on it's OTG port. Trying to force host +mode in this case just seems to completely confuse the musb state +machine. + +Let's fix the issue by making musb_host_setup() attempt to force the +mode only if port_mode is configured for host mode. + +Fixes: d8e5f0eca1e8 ("usb: musb: Fix hardirq-safe hardirq-unsafe lock order error") +Cc: Johan Hovold +Reported-by: Laurent Pinchart +Reported-by: Peter Ujfalusi +Tested-by: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_host.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/usb/musb/musb_host.c ++++ b/drivers/usb/musb/musb_host.c +@@ -2780,10 +2780,11 @@ int musb_host_setup(struct musb *musb, i + int ret; + struct usb_hcd *hcd = musb->hcd; + +- MUSB_HST_MODE(musb); +- musb->xceiv->otg->default_a = 1; +- musb->xceiv->otg->state = OTG_STATE_A_IDLE; +- ++ if (musb->port_mode == MUSB_PORT_MODE_HOST) { ++ MUSB_HST_MODE(musb); ++ musb->xceiv->otg->default_a = 1; ++ musb->xceiv->otg->state = OTG_STATE_A_IDLE; ++ } + otg_set_host(musb->xceiv->otg, &hcd->self); + hcd->self.otg_port = 1; + musb->xceiv->otg->host = &hcd->self; diff --git a/queue-4.11/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch b/queue-4.11/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch new file mode 100644 index 00000000000..10116fdb8af --- /dev/null +++ b/queue-4.11/usb-musb-tusb6010_omap-do-not-reset-the-other-direction-s-packet-size.patch @@ -0,0 +1,60 @@ +From 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 Mon Sep 17 00:00:00 2001 +From: Peter Ujfalusi +Date: Wed, 17 May 2017 11:23:11 -0500 +Subject: usb: musb: tusb6010_omap: Do not reset the other direction's packet size + +From: Peter Ujfalusi + +commit 6df2b42f7c040d57d9ecb67244e04e905ab87ac6 upstream. + +We have one register for each EP to set the maximum packet size for both +TX and RX. +If for example an RX programming would happen before the previous TX +transfer finishes we would reset the TX packet side. + +To fix this issue, only modify the TX or RX part of the register. + +Fixes: 550a7375fe72 ("USB: Add MUSB and TUSB support") +Signed-off-by: Peter Ujfalusi +Tested-by: Tony Lindgren +Signed-off-by: Bin Liu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/tusb6010_omap.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/usb/musb/tusb6010_omap.c ++++ b/drivers/usb/musb/tusb6010_omap.c +@@ -219,6 +219,7 @@ static int tusb_omap_dma_program(struct + u32 dma_remaining; + int src_burst, dst_burst; + u16 csr; ++ u32 psize; + int ch; + s8 dmareq; + s8 sync_dev; +@@ -390,15 +391,19 @@ static int tusb_omap_dma_program(struct + + if (chdat->tx) { + /* Send transfer_packet_sz packets at a time */ +- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, +- chdat->transfer_packet_sz); ++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET); ++ psize &= ~0x7ff; ++ psize |= chdat->transfer_packet_sz; ++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize); + + musb_writel(ep_conf, TUSB_EP_TX_OFFSET, + TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len)); + } else { + /* Receive transfer_packet_sz packets at a time */ +- musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, +- chdat->transfer_packet_sz << 16); ++ psize = musb_readl(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET); ++ psize &= ~(0x7ff << 16); ++ psize |= (chdat->transfer_packet_sz << 16); ++ musb_writel(ep_conf, TUSB_EP_MAX_PACKET_SIZE_OFFSET, psize); + + musb_writel(ep_conf, TUSB_EP_RX_OFFSET, + TUSB_EP_CONFIG_XFR_SIZE(chdat->transfer_len)); diff --git a/queue-4.11/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch b/queue-4.11/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch new file mode 100644 index 00000000000..53eadc176b0 --- /dev/null +++ b/queue-4.11/usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch @@ -0,0 +1,40 @@ +From 6aeb75e6adfaed16e58780309613a578fe1ee90b Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 11 May 2017 11:41:21 +0200 +Subject: USB: serial: io_ti: fix div-by-zero in set_termios + +From: Johan Hovold + +commit 6aeb75e6adfaed16e58780309613a578fe1ee90b upstream. + +Fix a division-by-zero in set_termios when debugging is enabled and a +high-enough speed has been requested so that the divisor value becomes +zero. + +Instead of just fixing the offending debug statement, cap the baud rate +at the base as a zero divisor value also appears to crash the firmware. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -2349,8 +2349,11 @@ static void change_port_settings(struct + if (!baud) { + /* pick a default, any default... */ + baud = 9600; +- } else ++ } else { ++ /* Avoid a zero divisor. */ ++ baud = min(baud, 461550); + tty_encode_baud_rate(tty, baud, baud); ++ } + + edge_port->baud_rate = baud; + config->wBaudRate = (__u16)((461550L + baud/2) / baud); diff --git a/queue-4.11/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch b/queue-4.11/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch new file mode 100644 index 00000000000..4420affca4d --- /dev/null +++ b/queue-4.11/usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch @@ -0,0 +1,39 @@ +From 26cede343656c0bc2c33cdc783771282405c7fb2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 11 May 2017 11:41:20 +0200 +Subject: USB: serial: mct_u232: fix big-endian baud-rate handling + +From: Johan Hovold + +commit 26cede343656c0bc2c33cdc783771282405c7fb2 upstream. + +Drop erroneous cpu_to_le32 when setting the baud rate, something which +corrupted the divisor on big-endian hosts. + +Found using sparse: + + warning: incorrect type in argument 1 (different base types) + expected unsigned int [unsigned] [usertype] val + got restricted __le32 [usertype] + +Fixes: af2ac1a091bc ("USB: serial mct_usb232: move DMA buffers to heap") +Reviewed-by: Greg Kroah-Hartman +Acked-By: Pete Zaitcev +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mct_u232.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -189,7 +189,7 @@ static int mct_u232_set_baud_rate(struct + return -ENOMEM; + + divisor = mct_u232_calculate_baud_rate(serial, value, &speed); +- put_unaligned_le32(cpu_to_le32(divisor), buf); ++ put_unaligned_le32(divisor, buf); + rc = usb_control_msg(serial->dev, usb_sndctrlpipe(serial->dev, 0), + MCT_U232_SET_BAUD_RATE_REQUEST, + MCT_U232_SET_REQUEST_TYPE, diff --git a/queue-4.11/usb-serial-option-add-telit-me910-support.patch b/queue-4.11/usb-serial-option-add-telit-me910-support.patch new file mode 100644 index 00000000000..cddff6cc745 --- /dev/null +++ b/queue-4.11/usb-serial-option-add-telit-me910-support.patch @@ -0,0 +1,50 @@ +From 40dd46048c155b8f0683f468c950a1c107f77a7c Mon Sep 17 00:00:00 2001 +From: Daniele Palmas +Date: Wed, 3 May 2017 10:28:54 +0200 +Subject: usb: serial: option: add Telit ME910 support + +From: Daniele Palmas + +commit 40dd46048c155b8f0683f468c950a1c107f77a7c upstream. + +This patch adds support for Telit ME910 PID 0x1100. + +Signed-off-by: Daniele Palmas +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -281,6 +281,7 @@ static void option_instat_callback(struc + #define TELIT_PRODUCT_LE922_USBCFG0 0x1042 + #define TELIT_PRODUCT_LE922_USBCFG3 0x1043 + #define TELIT_PRODUCT_LE922_USBCFG5 0x1045 ++#define TELIT_PRODUCT_ME910 0x1100 + #define TELIT_PRODUCT_LE920 0x1200 + #define TELIT_PRODUCT_LE910 0x1201 + #define TELIT_PRODUCT_LE910_USBCFG4 0x1206 +@@ -640,6 +641,11 @@ static const struct option_blacklist_inf + .reserved = BIT(5) | BIT(6), + }; + ++static const struct option_blacklist_info telit_me910_blacklist = { ++ .sendsetup = BIT(0), ++ .reserved = BIT(1) | BIT(3), ++}; ++ + static const struct option_blacklist_info telit_le910_blacklist = { + .sendsetup = BIT(0), + .reserved = BIT(1) | BIT(2), +@@ -1235,6 +1241,8 @@ static const struct usb_device_id option + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg3 }, + { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG5, 0xff), + .driver_info = (kernel_ulong_t)&telit_le922_blacklist_usbcfg0 }, ++ { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_ME910), ++ .driver_info = (kernel_ulong_t)&telit_me910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910), + .driver_info = (kernel_ulong_t)&telit_le910_blacklist }, + { USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE910_USBCFG4), diff --git a/queue-4.11/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch b/queue-4.11/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch new file mode 100644 index 00000000000..cfdca04fde6 --- /dev/null +++ b/queue-4.11/usb-serial-qcserial-add-more-lenovo-em74xx-device-ids.patch @@ -0,0 +1,36 @@ +From 8d7a10dd323993cc40bd37bce8bc570133b0c396 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Bj=C3=B8rn=20Mork?= +Date: Wed, 17 May 2017 16:30:50 +0200 +Subject: USB: serial: qcserial: add more Lenovo EM74xx device IDs +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Bjørn Mork + +commit 8d7a10dd323993cc40bd37bce8bc570133b0c396 upstream. + +In their infinite wisdom, and never ending quest for end user frustration, +Lenovo has decided to use new USB device IDs for the wwan modules in +their 2017 laptops. The actual hardware is still the Sierra Wireless +EM7455 or EM7430, depending on region. + +Signed-off-by: Bjørn Mork +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/qcserial.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -162,6 +162,8 @@ static const struct usb_device_id id_tab + {DEVICE_SWI(0x1199, 0x9071)}, /* Sierra Wireless MC74xx */ + {DEVICE_SWI(0x1199, 0x9078)}, /* Sierra Wireless EM74xx */ + {DEVICE_SWI(0x1199, 0x9079)}, /* Sierra Wireless EM74xx */ ++ {DEVICE_SWI(0x1199, 0x907a)}, /* Sierra Wireless EM74xx QDL */ ++ {DEVICE_SWI(0x1199, 0x907b)}, /* Sierra Wireless EM74xx */ + {DEVICE_SWI(0x413c, 0x81a2)}, /* Dell Wireless 5806 Gobi(TM) 4G LTE Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a3)}, /* Dell Wireless 5570 HSPA+ (42Mbps) Mobile Broadband Card */ + {DEVICE_SWI(0x413c, 0x81a4)}, /* Dell Wireless 5570e HSPA+ (42Mbps) Mobile Broadband Card */ diff --git a/queue-4.11/usbvision-fix-null-deref-at-probe.patch b/queue-4.11/usbvision-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..1cb2b2aa49a --- /dev/null +++ b/queue-4.11/usbvision-fix-null-deref-at-probe.patch @@ -0,0 +1,44 @@ +From eacb975b48272f54532b62f515a3cf7eefa35123 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:55 -0300 +Subject: [media] usbvision: fix NULL-deref at probe + +From: Johan Hovold + +commit eacb975b48272f54532b62f515a3cf7eefa35123 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: 2a9f8b5d25be ("V4L/DVB (5206): Usbvision: set alternate interface +modification") + +Cc: Thierry MERLE +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/usbvision/usbvision-video.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/media/usb/usbvision/usbvision-video.c ++++ b/drivers/media/usb/usbvision/usbvision-video.c +@@ -1501,7 +1501,14 @@ static int usbvision_probe(struct usb_in + } + + for (i = 0; i < usbvision->num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < 2) { ++ ret = -ENODEV; ++ goto err_pkt; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[1].desc. + wMaxPacketSize); + usbvision->alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); -- 2.47.3