From 5f8140d65fe8fc7d4c11fcb8c1ce67365b5683bd Mon Sep 17 00:00:00 2001
From: Jaroslav Kysela <perex@perex.cz>
Date: Mon, 3 Aug 2015 18:53:41 +0200
Subject: [PATCH] kernel: fix USB bug (serial readers)

---
 kernel/drivers/usb/core/message.c | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/kernel/drivers/usb/core/message.c b/kernel/drivers/usb/core/message.c
index 409cc94a..e524d4e3 100644
--- a/kernel/drivers/usb/core/message.c
+++ b/kernel/drivers/usb/core/message.c
@@ -134,12 +134,23 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
 		    __u16 size, int timeout)
 {
 	struct usb_ctrlrequest *dr;
+	__u8 *data2;
 	int ret;
 
 	dr = kmalloc(sizeof(struct usb_ctrlrequest), GFP_NOIO);
 	if (!dr)
 		return -ENOMEM;
 
+	data2 = kmalloc(max(size, 2), GFP_KERNEL);
+	if (data2 == NULL) {
+		kfree(dr);
+		return -ENOMEM;
+	}
+	if (data == NULL)
+		size = 0;
+	data2[0] = data2[1] = 0;
+	memcpy(data2, data, size);
+
 	dr->bRequestType = requesttype;
 	dr->bRequest = request;
 	dr->wValue = cpu_to_le16(value);
@@ -148,8 +159,10 @@ int usb_control_msg(struct usb_device *dev, unsigned int pipe, __u8 request,
 
 	/* dbg("usb_control_msg"); */
 
-	ret = usb_internal_control_msg(dev, pipe, dr, data, size, timeout);
+	ret = usb_internal_control_msg(dev, pipe, dr, data2, size, timeout);
 
+	memcpy(data, data2, size);
+	kfree(data2);
 	kfree(dr);
 
 	return ret;