--- /dev/null
+From d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 Mon Sep 17 00:00:00 2001
+From: Heyi Guo <guoheyi@huawei.com>
+Date: Tue, 27 Aug 2019 12:26:50 +0100
+Subject: KVM: arm/arm64: vgic: Fix potential deadlock when ap_list is long
+
+From: Heyi Guo <guoheyi@huawei.com>
+
+commit d4a8061a7c5f7c27a2dc002ee4cb89b3e6637e44 upstream.
+
+If the ap_list is longer than 256 entries, merge_final() in list_sort()
+will call the comparison callback with the same element twice, causing
+a deadlock in vgic_irq_cmp().
+
+Fix it by returning early when irqa == irqb.
+
+Cc: stable@vger.kernel.org # 4.7+
+Fixes: 8e4447457965 ("KVM: arm/arm64: vgic-new: Add IRQ sorting")
+Signed-off-by: Zenghui Yu <yuzenghui@huawei.com>
+Signed-off-by: Heyi Guo <guoheyi@huawei.com>
+[maz: massaged commit log and patch, added Fixes and Cc-stable]
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/virt/kvm/arm/vgic/vgic.c
++++ b/virt/kvm/arm/vgic/vgic.c
+@@ -254,6 +254,13 @@ static int vgic_irq_cmp(void *priv, stru
+ bool penda, pendb;
+ int ret;
+
++ /*
++ * list_sort may call this function with the same element when
++ * the list is fairly long.
++ */
++ if (unlikely(irqa == irqb))
++ return 0;
++
+ raw_spin_lock(&irqa->irq_lock);
+ raw_spin_lock_nested(&irqb->irq_lock, SINGLE_DEPTH_NESTING);
+
--- /dev/null
+From 82e40f558de566fdee214bec68096bbd5e64a6a4 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier <maz@kernel.org>
+Date: Wed, 28 Aug 2019 11:10:16 +0100
+Subject: KVM: arm/arm64: vgic-v2: Handle SGI bits in GICD_I{S,C}PENDR0 as WI
+
+From: Marc Zyngier <maz@kernel.org>
+
+commit 82e40f558de566fdee214bec68096bbd5e64a6a4 upstream.
+
+A guest is not allowed to inject a SGI (or clear its pending state)
+by writing to GICD_ISPENDR0 (resp. GICD_ICPENDR0), as these bits are
+defined as WI (as per ARM IHI 0048B 4.3.7 and 4.3.8).
+
+Make sure we correctly emulate the architecture.
+
+Fixes: 96b298000db4 ("KVM: arm/arm64: vgic-new: Add PENDING registers handlers")
+Cc: stable@vger.kernel.org # 4.7+
+Reported-by: Andre Przywara <andre.przywara@arm.com>
+Signed-off-by: Marc Zyngier <maz@kernel.org>
+Signed-off-by: Will Deacon <will@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/arm/vgic/vgic-mmio.c | 18 ++++++++++++++++++
+ virt/kvm/arm/vgic/vgic-v2.c | 5 ++++-
+ virt/kvm/arm/vgic/vgic-v3.c | 5 ++++-
+ 3 files changed, 26 insertions(+), 2 deletions(-)
+
+--- a/virt/kvm/arm/vgic/vgic-mmio.c
++++ b/virt/kvm/arm/vgic/vgic-mmio.c
+@@ -195,6 +195,12 @@ static void vgic_hw_irq_spending(struct
+ vgic_irq_set_phys_active(irq, true);
+ }
+
++static bool is_vgic_v2_sgi(struct kvm_vcpu *vcpu, struct vgic_irq *irq)
++{
++ return (vgic_irq_is_sgi(irq->intid) &&
++ vcpu->kvm->arch.vgic.vgic_model == KVM_DEV_TYPE_ARM_VGIC_V2);
++}
++
+ void vgic_mmio_write_spending(struct kvm_vcpu *vcpu,
+ gpa_t addr, unsigned int len,
+ unsigned long val)
+@@ -207,6 +213,12 @@ void vgic_mmio_write_spending(struct kvm
+ for_each_set_bit(i, &val, len * 8) {
+ struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
+
++ /* GICD_ISPENDR0 SGI bits are WI */
++ if (is_vgic_v2_sgi(vcpu, irq)) {
++ vgic_put_irq(vcpu->kvm, irq);
++ continue;
++ }
++
+ raw_spin_lock_irqsave(&irq->irq_lock, flags);
+ if (irq->hw)
+ vgic_hw_irq_spending(vcpu, irq, is_uaccess);
+@@ -254,6 +266,12 @@ void vgic_mmio_write_cpending(struct kvm
+ for_each_set_bit(i, &val, len * 8) {
+ struct vgic_irq *irq = vgic_get_irq(vcpu->kvm, vcpu, intid + i);
+
++ /* GICD_ICPENDR0 SGI bits are WI */
++ if (is_vgic_v2_sgi(vcpu, irq)) {
++ vgic_put_irq(vcpu->kvm, irq);
++ continue;
++ }
++
+ raw_spin_lock_irqsave(&irq->irq_lock, flags);
+
+ if (irq->hw)
+--- a/virt/kvm/arm/vgic/vgic-v2.c
++++ b/virt/kvm/arm/vgic/vgic-v2.c
+@@ -184,7 +184,10 @@ void vgic_v2_populate_lr(struct kvm_vcpu
+ if (vgic_irq_is_sgi(irq->intid)) {
+ u32 src = ffs(irq->source);
+
+- BUG_ON(!src);
++ if (WARN_RATELIMIT(!src, "No SGI source for INTID %d\n",
++ irq->intid))
++ return;
++
+ val |= (src - 1) << GICH_LR_PHYSID_CPUID_SHIFT;
+ irq->source &= ~(1 << (src - 1));
+ if (irq->source) {
+--- a/virt/kvm/arm/vgic/vgic-v3.c
++++ b/virt/kvm/arm/vgic/vgic-v3.c
+@@ -167,7 +167,10 @@ void vgic_v3_populate_lr(struct kvm_vcpu
+ model == KVM_DEV_TYPE_ARM_VGIC_V2) {
+ u32 src = ffs(irq->source);
+
+- BUG_ON(!src);
++ if (WARN_RATELIMIT(!src, "No SGI source for INTID %d\n",
++ irq->intid))
++ return;
++
+ val |= (src - 1) << GICH_LR_PHYSID_CPUID_SHIFT;
+ irq->source &= ~(1 << (src - 1));
+ if (irq->source) {
--- /dev/null
+From ddfd151f3def9258397fcde7a372205a2d661903 Mon Sep 17 00:00:00 2001
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+Date: Mon, 26 Aug 2019 14:55:20 +1000
+Subject: KVM: PPC: Book3S: Fix incorrect guest-to-user-translation error handling
+
+From: Alexey Kardashevskiy <aik@ozlabs.ru>
+
+commit ddfd151f3def9258397fcde7a372205a2d661903 upstream.
+
+H_PUT_TCE_INDIRECT handlers receive a page with up to 512 TCEs from
+a guest. Although we verify correctness of TCEs before we do anything
+with the existing tables, there is a small window when a check in
+kvmppc_tce_validate might pass and right after that the guest alters
+the page of TCEs, causing an early exit from the handler and leaving
+srcu_read_lock(&vcpu->kvm->srcu) (virtual mode) or lock_rmap(rmap)
+(real mode) locked.
+
+This fixes the bug by jumping to the common exit code with an appropriate
+unlock.
+
+Cc: stable@vger.kernel.org # v4.11+
+Fixes: 121f80ba68f1 ("KVM: PPC: VFIO: Add in-kernel acceleration for VFIO")
+Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/powerpc/kvm/book3s_64_vio.c | 6 ++++--
+ arch/powerpc/kvm/book3s_64_vio_hv.c | 6 ++++--
+ 2 files changed, 8 insertions(+), 4 deletions(-)
+
+--- a/arch/powerpc/kvm/book3s_64_vio.c
++++ b/arch/powerpc/kvm/book3s_64_vio.c
+@@ -696,8 +696,10 @@ long kvmppc_h_put_tce_indirect(struct kv
+ }
+ tce = be64_to_cpu(tce);
+
+- if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua))
+- return H_PARAMETER;
++ if (kvmppc_tce_to_ua(vcpu->kvm, tce, &ua)) {
++ ret = H_PARAMETER;
++ goto unlock_exit;
++ }
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+ ret = kvmppc_tce_iommu_map(vcpu->kvm, stt,
+--- a/arch/powerpc/kvm/book3s_64_vio_hv.c
++++ b/arch/powerpc/kvm/book3s_64_vio_hv.c
+@@ -556,8 +556,10 @@ long kvmppc_rm_h_put_tce_indirect(struct
+ unsigned long tce = be64_to_cpu(((u64 *)tces)[i]);
+
+ ua = 0;
+- if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL))
+- return H_PARAMETER;
++ if (kvmppc_rm_tce_to_ua(vcpu->kvm, tce, &ua, NULL)) {
++ ret = H_PARAMETER;
++ goto unlock_exit;
++ }
+
+ list_for_each_entry_lockless(stit, &stt->iommu_tables, next) {
+ ret = kvmppc_rm_tce_iommu_map(vcpu->kvm, stt,
--- /dev/null
+From 587f17407741a5be07f8a2d1809ec946c8120962 Mon Sep 17 00:00:00 2001
+From: Tomas Winkler <tomas.winkler@intel.com>
+Date: Mon, 19 Aug 2019 13:32:10 +0300
+Subject: mei: me: add Tiger Lake point LP device ID
+
+From: Tomas Winkler <tomas.winkler@intel.com>
+
+commit 587f17407741a5be07f8a2d1809ec946c8120962 upstream.
+
+Add Tiger Lake Point device ID for TGP LP.
+
+Signed-off-by: Tomas Winkler <tomas.winkler@intel.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190819103210.32748-1-tomas.winkler@intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/mei/hw-me-regs.h | 2 ++
+ drivers/misc/mei/pci-me.c | 2 ++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/misc/mei/hw-me-regs.h
++++ b/drivers/misc/mei/hw-me-regs.h
+@@ -81,6 +81,8 @@
+
+ #define MEI_DEV_ID_ICP_LP 0x34E0 /* Ice Lake Point LP */
+
++#define MEI_DEV_ID_TGP_LP 0xA0E0 /* Tiger Lake Point LP */
++
+ #define MEI_DEV_ID_MCC 0x4B70 /* Mule Creek Canyon (EHL) */
+ #define MEI_DEV_ID_MCC_4 0x4B75 /* Mule Creek Canyon 4 (EHL) */
+
+--- a/drivers/misc/mei/pci-me.c
++++ b/drivers/misc/mei/pci-me.c
+@@ -98,6 +98,8 @@ static const struct pci_device_id mei_me
+
+ {MEI_PCI_DEVICE(MEI_DEV_ID_ICP_LP, MEI_ME_PCH12_CFG)},
+
++ {MEI_PCI_DEVICE(MEI_DEV_ID_TGP_LP, MEI_ME_PCH12_CFG)},
++
+ {MEI_PCI_DEVICE(MEI_DEV_ID_MCC, MEI_ME_PCH12_CFG)},
+ {MEI_PCI_DEVICE(MEI_DEV_ID_MCC_4, MEI_ME_PCH8_CFG)},
+
--- /dev/null
+From 0f686ca933597cfcc0636253fc1740423c062ec7 Mon Sep 17 00:00:00 2001
+From: Dmitry Osipenko <digetx@gmail.com>
+Date: Fri, 9 Aug 2019 01:24:30 +0300
+Subject: Revert "mmc: sdhci-tegra: drop ->get_ro() implementation"
+
+From: Dmitry Osipenko <digetx@gmail.com>
+
+commit 0f686ca933597cfcc0636253fc1740423c062ec7 upstream.
+
+The WRITE_PROTECT bit is always in a "protected mode" on Tegra and
+WP-GPIO state need to be used instead. In a case of the GPIO absence,
+write-enable should be assumed. External SD is writable once again as
+a result of this patch because the offending commit changed behaviour for
+the case of a missing WP-GPIO to fall back to WRITE_PROTECT bit-checking,
+which is incorrect for Tegra.
+
+Cc: stable@vger.kernel.org # v5.1+
+Fixes: e8391453e27f ("mmc: sdhci-tegra: drop ->get_ro() implementation")
+Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
+Acked-by: Thierry Reding <treding@nvidia.com>
+Acked-by: Adrian Hunter <adrian.hunter@intel.com>
+Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mmc/host/sdhci-tegra.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/drivers/mmc/host/sdhci-tegra.c
++++ b/drivers/mmc/host/sdhci-tegra.c
+@@ -258,6 +258,16 @@ static void tegra210_sdhci_writew(struct
+ }
+ }
+
++static unsigned int tegra_sdhci_get_ro(struct sdhci_host *host)
++{
++ /*
++ * Write-enable shall be assumed if GPIO is missing in a board's
++ * device-tree because SDHCI's WRITE_PROTECT bit doesn't work on
++ * Tegra.
++ */
++ return mmc_gpio_get_ro(host->mmc);
++}
++
+ static bool tegra_sdhci_is_pad_and_regulator_valid(struct sdhci_host *host)
+ {
+ struct sdhci_pltfm_host *pltfm_host = sdhci_priv(host);
+@@ -1224,6 +1234,7 @@ static const struct cqhci_host_ops sdhci
+ };
+
+ static const struct sdhci_ops tegra_sdhci_ops = {
++ .get_ro = tegra_sdhci_get_ro,
+ .read_w = tegra_sdhci_readw,
+ .write_l = tegra_sdhci_writel,
+ .set_clock = tegra_sdhci_set_clock,
+@@ -1279,6 +1290,7 @@ static const struct sdhci_tegra_soc_data
+ };
+
+ static const struct sdhci_ops tegra114_sdhci_ops = {
++ .get_ro = tegra_sdhci_get_ro,
+ .read_w = tegra_sdhci_readw,
+ .write_w = tegra_sdhci_writew,
+ .write_l = tegra_sdhci_writel,
+@@ -1332,6 +1344,7 @@ static const struct sdhci_tegra_soc_data
+ };
+
+ static const struct sdhci_ops tegra210_sdhci_ops = {
++ .get_ro = tegra_sdhci_get_ro,
+ .read_w = tegra_sdhci_readw,
+ .write_w = tegra210_sdhci_writew,
+ .write_l = tegra_sdhci_writel,
+@@ -1366,6 +1379,7 @@ static const struct sdhci_tegra_soc_data
+ };
+
+ static const struct sdhci_ops tegra186_sdhci_ops = {
++ .get_ro = tegra_sdhci_get_ro,
+ .read_w = tegra_sdhci_readw,
+ .write_l = tegra_sdhci_writel,
+ .set_clock = tegra_sdhci_set_clock,
ftrace-fix-null-pointer-dereference-in-t_probe_next.patch
ftrace-check-for-successful-allocation-of-hash.patch
ftrace-check-for-empty-hash-and-comment-the-race-with-registering-probes.patch
+usbtmc-more-sanity-checking-for-packet-size.patch
+usb-storage-add-new-jms567-revision-to-unusual_devs.patch
+usb-cdc-wdm-fix-race-between-write-and-disconnect-due-to-flag-abuse.patch
+usb-hcd-use-managed-device-resources.patch
+usb-chipidea-udc-don-t-do-hardware-access-if-gadget-has-stopped.patch
+usb-host-ohci-fix-a-race-condition-between-shutdown-and-irq.patch
+usb-host-xhci-rcar-fix-typo-in-compatible-string-matching.patch
+usb-storage-ums-realtek-update-module-parameter-description-for-auto_delink_en.patch
+usb-storage-ums-realtek-whitelist-auto-delink-support.patch
+tools-power-turbostat-fix-caller-parameter-of-get_tdp_amd.patch
+kvm-ppc-book3s-fix-incorrect-guest-to-user-translation-error-handling.patch
+kvm-arm-arm64-vgic-fix-potential-deadlock-when-ap_list-is-long.patch
+kvm-arm-arm64-vgic-v2-handle-sgi-bits-in-gicd_i-s-c-pendr0-as-wi.patch
+mei-me-add-tiger-lake-point-lp-device-id.patch
+revert-mmc-sdhci-tegra-drop-get_ro-implementation.patch
--- /dev/null
+From 9cfa8e042f7cbb1994cc5923e46c78b36f6054f4 Mon Sep 17 00:00:00 2001
+From: Pu Wen <puwen@hygon.cn>
+Date: Sat, 31 Aug 2019 10:19:58 +0800
+Subject: tools/power turbostat: Fix caller parameter of get_tdp_amd()
+
+From: Pu Wen <puwen@hygon.cn>
+
+commit 9cfa8e042f7cbb1994cc5923e46c78b36f6054f4 upstream.
+
+Commit 9392bd98bba760be96ee ("tools/power turbostat: Add support for AMD
+Fam 17h (Zen) RAPL") add a function get_tdp_amd(), the parameter is CPU
+family. But the rapl_probe_amd() function use wrong model parameter.
+Fix the wrong caller parameter of get_tdp_amd() to use family.
+
+Cc: <stable@vger.kernel.org> # v5.1+
+Signed-off-by: Pu Wen <puwen@hygon.cn>
+Reviewed-by: Calvin Walton <calvin.walton@kepstin.ca>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/power/x86/turbostat/turbostat.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/power/x86/turbostat/turbostat.c
++++ b/tools/power/x86/turbostat/turbostat.c
+@@ -4002,7 +4002,7 @@ void rapl_probe_amd(unsigned int family,
+ rapl_energy_units = ldexp(1.0, -(msr >> 8 & 0x1f));
+ rapl_power_units = ldexp(1.0, -(msr & 0xf));
+
+- tdp = get_tdp_amd(model);
++ tdp = get_tdp_amd(family);
+
+ rapl_joule_counter_range = 0xFFFFFFFF * rapl_energy_units / tdp;
+ if (!quiet)
--- /dev/null
+From 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 27 Aug 2019 12:34:36 +0200
+Subject: USB: cdc-wdm: fix race between write and disconnect due to flag abuse
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 1426bd2c9f7e3126e2678e7469dca9fd9fc6dd3e upstream.
+
+In case of a disconnect an ongoing flush() has to be made fail.
+Nevertheless we cannot be sure that any pending URB has already
+finished, so although they will never succeed, they still must
+not be touched.
+The clean solution for this is to check for WDM_IN_USE
+and WDM_DISCONNECTED in flush(). There is no point in ever
+clearing WDM_IN_USE, as no further writes make sense.
+
+The issue is as old as the driver.
+
+Fixes: afba937e540c9 ("USB: CDC WDM driver")
+Reported-by: syzbot+d232cca6ec42c2edb3fc@syzkaller.appspotmail.com
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190827103436.21143-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-wdm.c | 16 ++++++++++++----
+ 1 file changed, 12 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-wdm.c
++++ b/drivers/usb/class/cdc-wdm.c
+@@ -587,10 +587,20 @@ static int wdm_flush(struct file *file,
+ {
+ struct wdm_device *desc = file->private_data;
+
+- wait_event(desc->wait, !test_bit(WDM_IN_USE, &desc->flags));
++ wait_event(desc->wait,
++ /*
++ * needs both flags. We cannot do with one
++ * because resetting it would cause a race
++ * with write() yet we need to signal
++ * a disconnect
++ */
++ !test_bit(WDM_IN_USE, &desc->flags) ||
++ test_bit(WDM_DISCONNECTING, &desc->flags));
+
+ /* cannot dereference desc->intf if WDM_DISCONNECTING */
+- if (desc->werr < 0 && !test_bit(WDM_DISCONNECTING, &desc->flags))
++ if (test_bit(WDM_DISCONNECTING, &desc->flags))
++ return -ENODEV;
++ if (desc->werr < 0)
+ dev_err(&desc->intf->dev, "Error in flush path: %d\n",
+ desc->werr);
+
+@@ -974,8 +984,6 @@ static void wdm_disconnect(struct usb_in
+ spin_lock_irqsave(&desc->iuspin, flags);
+ set_bit(WDM_DISCONNECTING, &desc->flags);
+ set_bit(WDM_READ, &desc->flags);
+- /* to terminate pending flushes */
+- clear_bit(WDM_IN_USE, &desc->flags);
+ spin_unlock_irqrestore(&desc->iuspin, flags);
+ wake_up_all(&desc->wait);
+ mutex_lock(&desc->rlock);
--- /dev/null
+From cbe85c88ce80fb92956a0793518d415864dcead8 Mon Sep 17 00:00:00 2001
+From: Peter Chen <peter.chen@nxp.com>
+Date: Tue, 20 Aug 2019 02:07:58 +0000
+Subject: usb: chipidea: udc: don't do hardware access if gadget has stopped
+
+From: Peter Chen <peter.chen@nxp.com>
+
+commit cbe85c88ce80fb92956a0793518d415864dcead8 upstream.
+
+After _gadget_stop_activity is executed, we can consider the hardware
+operation for gadget has finished, and the udc can be stopped and enter
+low power mode. So, any later hardware operations (from usb_ep_ops APIs
+or usb_gadget_ops APIs) should be considered invalid, any deinitializatons
+has been covered at _gadget_stop_activity.
+
+I meet this problem when I plug out usb cable from PC using mass_storage
+gadget, my callstack like: vbus interrupt->.vbus_session->
+composite_disconnect ->pm_runtime_put_sync(&_gadget->dev),
+the composite_disconnect will call fsg_disable, but fsg_disable calls
+usb_ep_disable using async way, there are register accesses for
+usb_ep_disable. So sometimes, I get system hang due to visit register
+without clock, sometimes not.
+
+The Linux Kernel USB maintainer Alan Stern suggests this kinds of solution.
+See: http://marc.info/?l=linux-usb&m=138541769810983&w=2.
+
+Cc: <stable@vger.kernel.org> #v4.9+
+Signed-off-by: Peter Chen <peter.chen@nxp.com>
+Link: https://lore.kernel.org/r/20190820020503.27080-2-peter.chen@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/chipidea/udc.c | 32 ++++++++++++++++++++++++--------
+ 1 file changed, 24 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/chipidea/udc.c
++++ b/drivers/usb/chipidea/udc.c
+@@ -709,12 +709,6 @@ static int _gadget_stop_activity(struct
+ struct ci_hdrc *ci = container_of(gadget, struct ci_hdrc, gadget);
+ unsigned long flags;
+
+- spin_lock_irqsave(&ci->lock, flags);
+- ci->gadget.speed = USB_SPEED_UNKNOWN;
+- ci->remote_wakeup = 0;
+- ci->suspended = 0;
+- spin_unlock_irqrestore(&ci->lock, flags);
+-
+ /* flush all endpoints */
+ gadget_for_each_ep(ep, gadget) {
+ usb_ep_fifo_flush(ep);
+@@ -732,6 +726,12 @@ static int _gadget_stop_activity(struct
+ ci->status = NULL;
+ }
+
++ spin_lock_irqsave(&ci->lock, flags);
++ ci->gadget.speed = USB_SPEED_UNKNOWN;
++ ci->remote_wakeup = 0;
++ ci->suspended = 0;
++ spin_unlock_irqrestore(&ci->lock, flags);
++
+ return 0;
+ }
+
+@@ -1303,6 +1303,10 @@ static int ep_disable(struct usb_ep *ep)
+ return -EBUSY;
+
+ spin_lock_irqsave(hwep->lock, flags);
++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) {
++ spin_unlock_irqrestore(hwep->lock, flags);
++ return 0;
++ }
+
+ /* only internal SW should disable ctrl endpts */
+
+@@ -1392,6 +1396,10 @@ static int ep_queue(struct usb_ep *ep, s
+ return -EINVAL;
+
+ spin_lock_irqsave(hwep->lock, flags);
++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) {
++ spin_unlock_irqrestore(hwep->lock, flags);
++ return 0;
++ }
+ retval = _ep_queue(ep, req, gfp_flags);
+ spin_unlock_irqrestore(hwep->lock, flags);
+ return retval;
+@@ -1415,8 +1423,8 @@ static int ep_dequeue(struct usb_ep *ep,
+ return -EINVAL;
+
+ spin_lock_irqsave(hwep->lock, flags);
+-
+- hw_ep_flush(hwep->ci, hwep->num, hwep->dir);
++ if (hwep->ci->gadget.speed != USB_SPEED_UNKNOWN)
++ hw_ep_flush(hwep->ci, hwep->num, hwep->dir);
+
+ list_for_each_entry_safe(node, tmpnode, &hwreq->tds, td) {
+ dma_pool_free(hwep->td_pool, node->ptr, node->dma);
+@@ -1487,6 +1495,10 @@ static void ep_fifo_flush(struct usb_ep
+ }
+
+ spin_lock_irqsave(hwep->lock, flags);
++ if (hwep->ci->gadget.speed == USB_SPEED_UNKNOWN) {
++ spin_unlock_irqrestore(hwep->lock, flags);
++ return;
++ }
+
+ hw_ep_flush(hwep->ci, hwep->num, hwep->dir);
+
+@@ -1559,6 +1571,10 @@ static int ci_udc_wakeup(struct usb_gadg
+ int ret = 0;
+
+ spin_lock_irqsave(&ci->lock, flags);
++ if (ci->gadget.speed == USB_SPEED_UNKNOWN) {
++ spin_unlock_irqrestore(&ci->lock, flags);
++ return 0;
++ }
+ if (!ci->remote_wakeup) {
+ ret = -EOPNOTSUPP;
+ goto out;
--- /dev/null
+From 76da906ad727048a74bb8067031ee99fc070c7da Mon Sep 17 00:00:00 2001
+From: "Schmid, Carsten" <Carsten_Schmid@mentor.com>
+Date: Fri, 23 Aug 2019 14:11:28 +0000
+Subject: usb: hcd: use managed device resources
+
+From: Schmid, Carsten <Carsten_Schmid@mentor.com>
+
+commit 76da906ad727048a74bb8067031ee99fc070c7da upstream.
+
+Using managed device resources in usb_hcd_pci_probe() allows devm usage for
+resource subranges, such as the mmio resource for the platform device
+created to control host/device mode mux, which is a xhci extended
+capability, and sits inside the xhci mmio region.
+
+If managed device resources are not used then "parent" resource
+is released before subrange at driver removal as .remove callback is
+called before the devres list of resources for this device is walked
+and released.
+
+This has been observed with the xhci extended capability driver causing a
+use-after-free which is now fixed.
+
+An additional nice benefit is that error handling on driver initialisation
+is simplified much.
+
+Signed-off-by: Carsten Schmid <carsten_schmid@mentor.com>
+Tested-by: Carsten Schmid <carsten_schmid@mentor.com>
+Reviewed-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Fixes: fa31b3cb2ae1 ("xhci: Add Intel extended cap / otg phy mux handling")
+Cc: <stable@vger.kernel.org> # v4.19+
+Link: https://lore.kernel.org/r/1566569488679.31808@mentor.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd-pci.c | 30 ++++++++----------------------
+ 1 file changed, 8 insertions(+), 22 deletions(-)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -216,17 +216,18 @@ int usb_hcd_pci_probe(struct pci_dev *de
+ /* EHCI, OHCI */
+ hcd->rsrc_start = pci_resource_start(dev, 0);
+ hcd->rsrc_len = pci_resource_len(dev, 0);
+- if (!request_mem_region(hcd->rsrc_start, hcd->rsrc_len,
+- driver->description)) {
++ if (!devm_request_mem_region(&dev->dev, hcd->rsrc_start,
++ hcd->rsrc_len, driver->description)) {
+ dev_dbg(&dev->dev, "controller already in use\n");
+ retval = -EBUSY;
+ goto put_hcd;
+ }
+- hcd->regs = ioremap_nocache(hcd->rsrc_start, hcd->rsrc_len);
++ hcd->regs = devm_ioremap_nocache(&dev->dev, hcd->rsrc_start,
++ hcd->rsrc_len);
+ if (hcd->regs == NULL) {
+ dev_dbg(&dev->dev, "error mapping memory\n");
+ retval = -EFAULT;
+- goto release_mem_region;
++ goto put_hcd;
+ }
+
+ } else {
+@@ -240,8 +241,8 @@ int usb_hcd_pci_probe(struct pci_dev *de
+
+ hcd->rsrc_start = pci_resource_start(dev, region);
+ hcd->rsrc_len = pci_resource_len(dev, region);
+- if (request_region(hcd->rsrc_start, hcd->rsrc_len,
+- driver->description))
++ if (devm_request_region(&dev->dev, hcd->rsrc_start,
++ hcd->rsrc_len, driver->description))
+ break;
+ }
+ if (region == PCI_ROM_RESOURCE) {
+@@ -275,20 +276,13 @@ int usb_hcd_pci_probe(struct pci_dev *de
+ }
+
+ if (retval != 0)
+- goto unmap_registers;
++ goto put_hcd;
+ device_wakeup_enable(hcd->self.controller);
+
+ if (pci_dev_run_wake(dev))
+ pm_runtime_put_noidle(&dev->dev);
+ return retval;
+
+-unmap_registers:
+- if (driver->flags & HCD_MEMORY) {
+- iounmap(hcd->regs);
+-release_mem_region:
+- release_mem_region(hcd->rsrc_start, hcd->rsrc_len);
+- } else
+- release_region(hcd->rsrc_start, hcd->rsrc_len);
+ put_hcd:
+ usb_put_hcd(hcd);
+ disable_pci:
+@@ -347,14 +341,6 @@ void usb_hcd_pci_remove(struct pci_dev *
+ dev_set_drvdata(&dev->dev, NULL);
+ up_read(&companions_rwsem);
+ }
+-
+- if (hcd->driver->flags & HCD_MEMORY) {
+- iounmap(hcd->regs);
+- release_mem_region(hcd->rsrc_start, hcd->rsrc_len);
+- } else {
+- release_region(hcd->rsrc_start, hcd->rsrc_len);
+- }
+-
+ usb_put_hcd(hcd);
+ pci_disable_device(dev);
+ }
--- /dev/null
+From a349b95d7ca0cea71be4a7dac29830703de7eb62 Mon Sep 17 00:00:00 2001
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Date: Tue, 27 Aug 2019 12:51:50 +0900
+Subject: usb: host: ohci: fix a race condition between shutdown and irq
+
+From: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+
+commit a349b95d7ca0cea71be4a7dac29830703de7eb62 upstream.
+
+This patch fixes an issue that the following error is
+possible to happen when ohci hardware causes an interruption
+and the system is shutting down at the same time.
+
+[ 34.851754] usb 2-1: USB disconnect, device number 2
+[ 35.166658] irq 156: nobody cared (try booting with the "irqpoll" option)
+[ 35.173445] CPU: 0 PID: 22 Comm: kworker/0:1 Not tainted 5.3.0-rc5 #85
+[ 35.179964] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)
+[ 35.187886] Workqueue: usb_hub_wq hub_event
+[ 35.192063] Call trace:
+[ 35.194509] dump_backtrace+0x0/0x150
+[ 35.198165] show_stack+0x14/0x20
+[ 35.201475] dump_stack+0xa0/0xc4
+[ 35.204785] __report_bad_irq+0x34/0xe8
+[ 35.208614] note_interrupt+0x2cc/0x318
+[ 35.212446] handle_irq_event_percpu+0x5c/0x88
+[ 35.216883] handle_irq_event+0x48/0x78
+[ 35.220712] handle_fasteoi_irq+0xb4/0x188
+[ 35.224802] generic_handle_irq+0x24/0x38
+[ 35.228804] __handle_domain_irq+0x5c/0xb0
+[ 35.232893] gic_handle_irq+0x58/0xa8
+[ 35.236548] el1_irq+0xb8/0x180
+[ 35.239681] __do_softirq+0x94/0x23c
+[ 35.243253] irq_exit+0xd0/0xd8
+[ 35.246387] __handle_domain_irq+0x60/0xb0
+[ 35.250475] gic_handle_irq+0x58/0xa8
+[ 35.254130] el1_irq+0xb8/0x180
+[ 35.257268] kernfs_find_ns+0x5c/0x120
+[ 35.261010] kernfs_find_and_get_ns+0x3c/0x60
+[ 35.265361] sysfs_unmerge_group+0x20/0x68
+[ 35.269454] dpm_sysfs_remove+0x2c/0x68
+[ 35.273284] device_del+0x80/0x370
+[ 35.276683] hid_destroy_device+0x28/0x60
+[ 35.280686] usbhid_disconnect+0x4c/0x80
+[ 35.284602] usb_unbind_interface+0x6c/0x268
+[ 35.288867] device_release_driver_internal+0xe4/0x1b0
+[ 35.293998] device_release_driver+0x14/0x20
+[ 35.298261] bus_remove_device+0x110/0x128
+[ 35.302350] device_del+0x148/0x370
+[ 35.305832] usb_disable_device+0x8c/0x1d0
+[ 35.309921] usb_disconnect+0xc8/0x2d0
+[ 35.313663] hub_event+0x6e0/0x1128
+[ 35.317146] process_one_work+0x1e0/0x320
+[ 35.321148] worker_thread+0x40/0x450
+[ 35.324805] kthread+0x124/0x128
+[ 35.328027] ret_from_fork+0x10/0x18
+[ 35.331594] handlers:
+[ 35.333862] [<0000000079300c1d>] usb_hcd_irq
+[ 35.338126] [<0000000079300c1d>] usb_hcd_irq
+[ 35.342389] Disabling IRQ #156
+
+ohci_shutdown() disables all the interrupt and rh_state is set to
+OHCI_RH_HALTED. In other hand, ohci_irq() is possible to enable
+OHCI_INTR_SF and OHCI_INTR_MIE on ohci_irq(). Note that OHCI_INTR_SF
+is possible to be set by start_ed_unlink() which is called:
+ ohci_irq()
+ -> process_done_list()
+ -> takeback_td()
+ -> start_ed_unlink()
+
+So, ohci_irq() has the following condition, the issue happens by
+&ohci->regs->intrenable = OHCI_INTR_MIE | OHCI_INTR_SF and
+ohci->rh_state = OHCI_RH_HALTED:
+
+ /* interrupt for some other device? */
+ if (ints == 0 || unlikely(ohci->rh_state == OHCI_RH_HALTED))
+ return IRQ_NOTMINE;
+
+To fix the issue, ohci_shutdown() holds the spin lock while disabling
+the interruption and changing the rh_state flag to prevent reenable
+the OHCI_INTR_MIE unexpectedly. Note that io_watchdog_func() also
+calls the ohci_shutdown() and it already held the spin lock, so that
+the patch makes a new function as _ohci_shutdown().
+
+This patch is inspired by a Renesas R-Car Gen3 BSP patch
+from Tho Vu.
+
+Signed-off-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/1566877910-6020-1-git-send-email-yoshihiro.shimoda.uh@renesas.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-hcd.c | 15 ++++++++++++---
+ 1 file changed, 12 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -418,8 +418,7 @@ static void ohci_usb_reset (struct ohci_
+ * other cases where the next software may expect clean state from the
+ * "firmware". this is bus-neutral, unlike shutdown() methods.
+ */
+-static void
+-ohci_shutdown (struct usb_hcd *hcd)
++static void _ohci_shutdown(struct usb_hcd *hcd)
+ {
+ struct ohci_hcd *ohci;
+
+@@ -435,6 +434,16 @@ ohci_shutdown (struct usb_hcd *hcd)
+ ohci->rh_state = OHCI_RH_HALTED;
+ }
+
++static void ohci_shutdown(struct usb_hcd *hcd)
++{
++ struct ohci_hcd *ohci = hcd_to_ohci(hcd);
++ unsigned long flags;
++
++ spin_lock_irqsave(&ohci->lock, flags);
++ _ohci_shutdown(hcd);
++ spin_unlock_irqrestore(&ohci->lock, flags);
++}
++
+ /*-------------------------------------------------------------------------*
+ * HC functions
+ *-------------------------------------------------------------------------*/
+@@ -752,7 +761,7 @@ static void io_watchdog_func(struct time
+ died:
+ usb_hc_died(ohci_to_hcd(ohci));
+ ohci_dump(ohci);
+- ohci_shutdown(ohci_to_hcd(ohci));
++ _ohci_shutdown(ohci_to_hcd(ohci));
+ goto done;
+ } else {
+ /* No write back because the done queue was empty */
--- /dev/null
+From 636bd02a7ba9025ff851d0cfb92768c8fa865859 Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Tue, 27 Aug 2019 14:51:12 +0200
+Subject: usb: host: xhci: rcar: Fix typo in compatible string matching
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 636bd02a7ba9025ff851d0cfb92768c8fa865859 upstream.
+
+It's spelled "renesas", not "renensas".
+
+Due to this typo, RZ/G1M and RZ/G1N were not covered by the check.
+
+Fixes: 2dc240a3308b ("usb: host: xhci: rcar: retire use of xhci_plat_type_is()")
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Cc: stable <stable@vger.kernel.org>
+Reviewed-by: Yoshihiro Shimoda <yoshihiro.shimoda.uh@renesas.com>
+Link: https://lore.kernel.org/r/20190827125112.12192-1-geert+renesas@glider.be
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-rcar.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-rcar.c
++++ b/drivers/usb/host/xhci-rcar.c
+@@ -104,7 +104,7 @@ static int xhci_rcar_is_gen2(struct devi
+ return of_device_is_compatible(node, "renesas,xhci-r8a7790") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7791") ||
+ of_device_is_compatible(node, "renesas,xhci-r8a7793") ||
+- of_device_is_compatible(node, "renensas,rcar-gen2-xhci");
++ of_device_is_compatible(node, "renesas,rcar-gen2-xhci");
+ }
+
+ static int xhci_rcar_is_gen3(struct device *dev)
--- /dev/null
+From 08d676d1685c2a29e4d0e1b0242324e564d4589e Mon Sep 17 00:00:00 2001
+From: Henk van der Laan <opensource@henkvdlaan.com>
+Date: Fri, 16 Aug 2019 22:08:47 +0200
+Subject: usb-storage: Add new JMS567 revision to unusual_devs
+
+From: Henk van der Laan <opensource@henkvdlaan.com>
+
+commit 08d676d1685c2a29e4d0e1b0242324e564d4589e upstream.
+
+Revision 0x0117 suffers from an identical issue to earlier revisions,
+therefore it should be added to the quirks list.
+
+Signed-off-by: Henk van der Laan <opensource@henkvdlaan.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190816200847.21366-1-opensource@henkvdlaan.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/unusual_devs.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -2100,7 +2100,7 @@ UNUSUAL_DEV( 0x14cd, 0x6600, 0x0201, 0x
+ US_FL_IGNORE_RESIDUE ),
+
+ /* Reported by Michael Büsch <m@bues.ch> */
+-UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0116,
++UNUSUAL_DEV( 0x152d, 0x0567, 0x0114, 0x0117,
+ "JMicron",
+ "USB to ATA/ATAPI Bridge",
+ USB_SC_DEVICE, USB_PR_DEVICE, NULL,
--- /dev/null
+From f6445b6b2f2bb1745080af4a0926049e8bca2617 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 28 Aug 2019 01:34:49 +0800
+Subject: USB: storage: ums-realtek: Update module parameter description for auto_delink_en
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit f6445b6b2f2bb1745080af4a0926049e8bca2617 upstream.
+
+The option named "auto_delink_en" is a bit misleading, as setting it to
+false doesn't really disable auto-delink but let auto-delink be firmware
+controlled.
+
+Update the description to reflect the real usage of this parameter.
+
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190827173450.13572-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/realtek_cr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/storage/realtek_cr.c
++++ b/drivers/usb/storage/realtek_cr.c
+@@ -38,7 +38,7 @@ MODULE_LICENSE("GPL");
+
+ static int auto_delink_en = 1;
+ module_param(auto_delink_en, int, S_IRUGO | S_IWUSR);
+-MODULE_PARM_DESC(auto_delink_en, "enable auto delink");
++MODULE_PARM_DESC(auto_delink_en, "auto delink mode (0=firmware, 1=software [default])");
+
+ #ifdef CONFIG_REALTEK_AUTOPM
+ static int ss_en = 1;
--- /dev/null
+From 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Wed, 28 Aug 2019 01:34:50 +0800
+Subject: USB: storage: ums-realtek: Whitelist auto-delink support
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 1902a01e2bcc3abd7c9a18dc05e78c7ab4a53c54 upstream.
+
+Auto-delink requires writing special registers to ums-realtek devices.
+Unconditionally enable auto-delink may break newer devices.
+
+So only enable auto-delink by default for the original three IDs,
+0x0138, 0x0158 and 0x0159.
+
+Realtek is working on a patch to properly support auto-delink for other
+IDs.
+
+BugLink: https://bugs.launchpad.net/bugs/1838886
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190827173450.13572-2-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/storage/realtek_cr.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/storage/realtek_cr.c
++++ b/drivers/usb/storage/realtek_cr.c
+@@ -996,12 +996,15 @@ static int init_realtek_cr(struct us_dat
+ goto INIT_FAIL;
+ }
+
+- if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) ||
+- CHECK_FW_VER(chip, 0x5901))
+- SET_AUTO_DELINK(chip);
+- if (STATUS_LEN(chip) == 16) {
+- if (SUPPORT_AUTO_DELINK(chip))
++ if (CHECK_PID(chip, 0x0138) || CHECK_PID(chip, 0x0158) ||
++ CHECK_PID(chip, 0x0159)) {
++ if (CHECK_FW_VER(chip, 0x5888) || CHECK_FW_VER(chip, 0x5889) ||
++ CHECK_FW_VER(chip, 0x5901))
+ SET_AUTO_DELINK(chip);
++ if (STATUS_LEN(chip) == 16) {
++ if (SUPPORT_AUTO_DELINK(chip))
++ SET_AUTO_DELINK(chip);
++ }
+ }
+ #ifdef CONFIG_REALTEK_AUTOPM
+ if (ss_en)
--- /dev/null
+From de7b9aa633b693e77942e12f1769506efae6917b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Tue, 20 Aug 2019 11:28:25 +0200
+Subject: usbtmc: more sanity checking for packet size
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit de7b9aa633b693e77942e12f1769506efae6917b upstream.
+
+A malicious device can make the driver divide ny zero
+with a nonsense maximum packet size.
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20190820092826.17694-1-oneukum@suse.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/usbtmc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/class/usbtmc.c
++++ b/drivers/usb/class/usbtmc.c
+@@ -2362,8 +2362,11 @@ static int usbtmc_probe(struct usb_inter
+ goto err_put;
+ }
+
++ retcode = -EINVAL;
+ data->bulk_in = bulk_in->bEndpointAddress;
+ data->wMaxPacketSize = usb_endpoint_maxp(bulk_in);
++ if (!data->wMaxPacketSize)
++ goto err_put;
+ dev_dbg(&intf->dev, "Found bulk in endpoint at %u\n", data->bulk_in);
+
+ data->bulk_out = bulk_out->bEndpointAddress;
projects / thirdparty / kernel / stable-queue.git / commitdiff
