This is a note to let you know that I've just added the patch titled USB: serial: ssu100: fix control-message error handling to the 4.4-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: usb-serial-ssu100-fix-control-message-error-handling.patch and it can be found in the queue-4.4 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 1eac5c244f705182d1552a53e2f74e2775ed95d6 Mon Sep 17 00:00:00 2001 From: Johan Hovold <johan@xxxxxxxxxx> Date: Thu, 12 Jan 2017 14:56:22 +0100 Subject: USB: serial: ssu100: fix control-message error handling From: Johan Hovold <johan@xxxxxxxxxx> commit 1eac5c244f705182d1552a53e2f74e2775ed95d6 upstream. Make sure to detect short control-message transfers rather than continue with zero-initialised data when retrieving modem status and during device initialisation. Fixes: 52af95459939 ("USB: add USB serial ssu100 driver") Reviewed-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Johan Hovold <johan@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- drivers/usb/serial/ssu100.c | 31 ++++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) --- a/drivers/usb/serial/ssu100.c +++ b/drivers/usb/serial/ssu100.c @@ -80,9 +80,17 @@ static inline int ssu100_setdevice(struc static inline int ssu100_getdevice(struct usb_device *dev, u8 *data) { - return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), - QT_SET_GET_DEVICE, 0xc0, 0, 0, - data, 3, 300); + int ret; + + ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + QT_SET_GET_DEVICE, 0xc0, 0, 0, + data, 3, 300); + if (ret < 3) { + if (ret >= 0) + ret = -EIO; + } + + return ret; } static inline int ssu100_getregister(struct usb_device *dev, @@ -90,10 +98,17 @@ static inline int ssu100_getregister(str unsigned short reg, u8 *data) { - return usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), - QT_SET_GET_REGISTER, 0xc0, reg, - uart, data, sizeof(*data), 300); + int ret; + ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + QT_SET_GET_REGISTER, 0xc0, reg, + uart, data, sizeof(*data), 300); + if (ret < sizeof(*data)) { + if (ret >= 0) + ret = -EIO; + } + + return ret; } @@ -289,8 +304,10 @@ static int ssu100_open(struct tty_struct QT_OPEN_CLOSE_CHANNEL, QT_TRANSFER_IN, 0x01, 0, data, 2, 300); - if (result < 0) { + if (result < 2) { dev_dbg(&port->dev, "%s - open failed %i\n", __func__, result); + if (result >= 0) + result = -EIO; kfree(data); return result; } Patches currently in stable-queue which might be from johan@xxxxxxxxxx are queue-4.4/usb-serial-mct_u232-fix-modem-status-error-handling.patch queue-4.4/usb-serial-ark3116-fix-open-error-handling.patch queue-4.4/usb-serial-io_edgeport-fix-epic-descriptor-handling.patch queue-4.4/usb-serial-ti_usb_3410_5052-fix-control-message-error-handling.patch queue-4.4/usb-serial-keyspan_pda-fix-receive-sanity-checks.patch queue-4.4/usb-serial-sierra-fix-bogus-alternate-setting-assumption.patch queue-4.4/usb-serial-ssu100-fix-control-message-error-handling.patch queue-4.4/usb-serial-digi_acceleport-fix-incomplete-rx-sanity-check.patch queue-4.4/usb-serial-io_edgeport-fix-descriptor-error-handling.patch queue-4.4/usb-serial-quatech2-fix-control-message-error-handling.patch queue-4.4/usb-serial-ftdi_sio-fix-latency-timer-error-handling.patch