--- /dev/null
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Broke up long line.
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
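Review bot: The added `memcpy(&inparam.g, outparam, offsetof(struct floppy_struct, name))` depends on `inparam` having been zeroed earlier in fd_locked_ioctl, which is outside this hunk. If that clearing were ever removed, the `name` slot copied to user space would hold stale stack bytes instead of NULL. A comment above the copy would pin the invariant, for example `/* copy every field before the kernel-only name pointer; inparam is pre-cleared, so user space sees name == NULL */`. The commit message states the memory is already cleared even for read-only calls, so this is a documentation request rather than a defect in the new lines.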
--- /dev/null
+From fb6de923ca3358a91525552b4907d4cb38730bdd Mon Sep 17 00:00:00 2001
+From: Yu Zhao <yuzhao@google.com>
+Date: Wed, 19 Sep 2018 15:30:51 -0600
+Subject: regulator: fix crash caused by null driver data
+
+From: Yu Zhao <yuzhao@google.com>
+
+commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream.
+
+dev_set_drvdata() needs to be called before device_register()
+exposes device to userspace. Otherwise kernel crashes after it
+gets null pointer from dev_get_drvdata() when userspace tries
+to access sysfs entries.
+
+[Removed backtrace for length -- broonie]
+
+Signed-off-by: Yu Zhao <yuzhao@google.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -4054,13 +4054,13 @@ regulator_register(const struct regulato
+ !rdev->desc->fixed_uV)
+ rdev->is_switch = true;
+
++ dev_set_drvdata(&rdev->dev, rdev);
+ ret = device_register(&rdev->dev);
+ if (ret != 0) {
+ put_device(&rdev->dev);
+ goto unset_supplies;
+ }
+
+- dev_set_drvdata(&rdev->dev, rdev);
+ rdev_init_debugfs(rdev);
+
+ /* try to resolve regulators supply since a new one was registered */
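Review bot: The new position of `dev_set_drvdata(&rdev->dev, rdev)` in regulator_register is an ordering requirement that nothing in the code states, so a later cleanup could move it back below `device_register()` and reintroduce the NULL dereference. A one-line comment would keep it in place: `/* must precede device_register(): sysfs readers call dev_get_drvdata() as soon as the device is visible */`. The function starts and ends outside this hunk.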
--- /dev/null
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1068,8 +1068,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
+@@ -1104,7 +1104,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
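Review bot: poll_wait_key() now returns two kinds of value, a character count or the `NO_POLL_CHAR` sentinel, and cpm_get_poll_char tells them apart only through the `ret == NO_POLL_CHAR` test added here. That contract is not written down anywhere. A comment on poll_wait_key such as `/* returns the number of chars copied to obuf, or NO_POLL_CHAR if the RX descriptor is still empty */` would document it. The test also relies on `NO_POLL_CHAR` never equalling a legitimate count; its definition is not on this page, so that should be confirmed. Both functions start and end outside their hunks.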
--- /dev/null
+From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Thu, 20 Sep 2018 14:11:17 +0200
+Subject: serial: imx: restore handshaking irq for imx1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 7e620984b62532783912312e334f3c48cdacbd5d upstream.
+
+Back in 2015 when irda was dropped from the driver imx1 was broken. This
+change reintroduces the support for the third interrupt of the UART.
+
+Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Reviewed-by: Leonard Crestez <leonard.crestez@nxp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/imx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2197,6 +2197,14 @@ static int serial_imx_probe(struct platf
+ ret);
+ return ret;
+ }
++
++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, 0,
++ dev_name(&pdev->dev), sport);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to request rts irq: %d\n",
++ ret);
++ return ret;
++ }
+ } else {
+ ret = devm_request_irq(&pdev->dev, rxirq, imx_int, 0,
+ dev_name(&pdev->dev), sport);
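Review bot: The new `devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, ...)` call uses `rtsirq` with no validation visible in this hunk, and a failure now aborts serial_imx_probe. If `rtsirq` comes from an unchecked platform_get_irq() call earlier in the function (outside the hunk), a board that describes only the RX and TX interrupts would pass a negative errno as the IRQ number and lose the whole port. Confirm that `rtsirq` is validated before this point, or fail explicitly ahead of the request with `if (rtsirq < 0) return rtsirq;`.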
nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
edac-fix-memleak-in-module-init-error-path.patch
arm-dts-dra7-fix-dcan-node-addresses.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch
+serial-imx-restore-handshaking-irq-for-imx1.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+regulator-fix-crash-caused-by-null-driver-data.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
--- /dev/null
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -597,11 +597,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
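Review bot: The new `else` branch in rspi_dma_transfer handles more than the timeout, but only the timeout is logged or named in the code. It is also reached with -ERESTARTSYS from a signal, and with a positive `ret` while `dma_callbacked` is still clear, if that combination can occur. A short comment at the top of the branch would explain why the terminate calls run for all of these, e.g. `/* timeout or interrupted wait: DMA may still be in flight, cancel it */`. In the positive-`ret` case the value is left unchanged; the hunk ends inside this block, so what is finally returned cannot be checked here and may need normalising to an error code.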
--- /dev/null
+From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:38 +0200
+Subject: spi: rspi: Fix invalid SPI use during system suspend
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume,
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Based on a patch for sh-msiof by Gaku Inami.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1313,12 +1313,36 @@ static const struct platform_device_id s
+
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int rspi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(rspi->master);
++}
++
++static int rspi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_resume(rspi->master);
++}
++
++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume);
++#define DEV_PM_OPS &rspi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver rspi_driver = {
+ .probe = rspi_probe,
+ .remove = rspi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "renesas_spi",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(rspi_of_match),
+ },
+ };
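Review bot: rspi_suspend and rspi_resume convert `dev` to a platform_device only to read the driver data back from the same device. `struct rspi_data *rspi = dev_get_drvdata(dev);` does this in one line and drops the `pdev` local. The same applies to sh_msiof_spi_suspend and sh_msiof_spi_resume in the sh-msiof suspend patch later on this page. All four callbacks dereference the driver data unconditionally, so they assume probe stored it before the PM callbacks can run; probe is outside these hunks.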
--- /dev/null
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -373,7 +373,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
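Review bot: The mask added in sh_msiof_reset_str has no explanation in the code, so the reason for clearing `STR_TDREQ | STR_RDREQ` before the write lives only in the commit message. A comment inside the function would keep it with the code: `/* TDREQ and RDREQ are read-only and must be written as zero (see the hardware manual) */`.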
--- /dev/null
+From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Date: Wed, 5 Sep 2018 10:49:36 +0200
+Subject: spi: sh-msiof: Fix invalid SPI use during system suspend
+
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+
+commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Signed-off-by: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: Cleanup, reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1275,12 +1275,37 @@ static const struct platform_device_id s
+ };
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int sh_msiof_spi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(p->master);
++}
++
++static int sh_msiof_spi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_resume(p->master);
++}
++
++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend,
++ sh_msiof_spi_resume);
++#define DEV_PM_OPS &sh_msiof_spi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver sh_msiof_spi_drv = {
+ .probe = sh_msiof_spi_probe,
+ .remove = sh_msiof_spi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "spi_sh_msiof",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(sh_msiof_match),
+ },
+ };
--- /dev/null
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
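Review bot: The clock set-up added to tegra_slink_probe leaks a prepare count. When `clk_enable()` fails after `clk_prepare()` has succeeded, the code jumps to `exit_free_master` without unpreparing, and the new `exit_clk_disable` label and the tegra_slink_remove hunk call only `clk_disable(tspi->clk)`. Using the paired helpers keeps the counts balanced: `ret = clk_prepare_enable(tspi->clk);` in probe, and `clk_disable_unprepare(tspi->clk);` at `exit_clk_disable` and in remove. The probe body continues outside this hunk, so whether later code (runtime PM, for example) changes the clock state again cannot be checked from here.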
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
+ tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
--- /dev/null
+From 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 Mon Sep 17 00:00:00 2001
+From: Stefan Agner <stefan@agner.ch>
+Date: Tue, 28 Aug 2018 12:44:24 +0200
+Subject: tty: serial: lpuart: avoid leaking struct tty_struct
+
+From: Stefan Agner <stefan@agner.ch>
+
+commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream.
+
+The function tty_port_tty_get() gets a reference to the tty. Since
+the code is not using tty_port_tty_set(), the reference is kept
+even after closing the tty.
+
+Avoid using tty_port_tty_get() by directly access the tty instance.
+Since lpuart_start_rx_dma() is called from the .startup() and
+.set_termios() callback, it is safe to assume the tty instance is
+valid.
+
+Cc: stable@vger.kernel.org # v4.9+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Signed-off-by: Stefan Agner <stefan@agner.ch>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -833,7 +833,8 @@ static inline int lpuart_start_rx_dma(st
+ struct circ_buf *ring = &sport->rx_ring;
+ int ret, nent;
+ int bits, baud;
+- struct tty_struct *tty = tty_port_tty_get(&sport->port.state->port);
++ struct tty_port *port = &sport->port.state->port;
++ struct tty_struct *tty = port->tty;
+ struct ktermios *termios = &tty->termios;
+
+ baud = tty_get_baud_rate(tty);
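Review bot: `port->tty` is now read in lpuart_start_rx_dma without taking a reference or checking for NULL, and `tty_get_baud_rate(tty)` dereferences it right after. The commit message argues this is safe because the function is only called from .startup() and .set_termios(), but that assumption is not recorded in the code. A comment such as `/* no reference taken: only called from .startup()/.set_termios(), where the tty is valid */` would record it, and any new caller outside those paths would need a NULL check. The function body continues outside the hunk.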
--- /dev/null
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -562,6 +562,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
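Review bot: The error path added to usb_driver_claim_interface undoes set-up steps by hand (`dev->driver`, intfdata, `needs_remote_wakeup`, `condition`, runtime PM), but the steps it mirrors are earlier in the function, outside this hunk, so nothing ties the two lists together. A comment on the block, e.g. `/* bind failed: undo everything set up above so the interface is seen as unclaimed */`, would tell the next editor to keep them in sync. The function's kernel-doc should also say that on a non-zero return the interface is left in USB_INTERFACE_UNBOUND, since the use-after-free described in the commit message came from callers misjudging that state.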
--- /dev/null
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -91,6 +91,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
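Review bot: The new `if (!config) return NULL;` guard changes the contract of usb_find_alt_setting, but the function's kernel-doc is outside this hunk and presumably still describes only the not-found case. Add a line there along the lines of `Return: the matching alternate setting, or NULL if @config is NULL or nothing matches`, so callers know a NULL argument is accepted. A blank line after the early return would also separate the guard from the search loop.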