3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 May 2018 07:22:27 +0000 (09:22 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 8 May 2018 07:22:27 +0000 (09:22 +0200)
added patches:
usb-musb-host-fix-potential-null-pointer-dereference.patch
usb-serial-visor-handle-potential-invalid-device-configuration.patch

queue-3.18/series
queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch [new file with mode: 0644]
queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch [new file with mode: 0644]

index c7e28fda0926cb623b99d049a7de0074f8e7326e..ae24b37f0fc77b4ad91b35bca6c09322908e9df0 100644 (file)
@@ -7,3 +7,5 @@ alsa-aloop-mark-paused-device-as-inactive.patch
 alsa-aloop-add-missing-cable-lock-to-ctl-api-callbacks.patch
 rdma-mlx5-protect-from-shift-operand-overflow.patch
 net-usb-qmi_wwan-add-support-for-ublox-r410m-pid-0x90b2.patch
+usb-serial-visor-handle-potential-invalid-device-configuration.patch
+usb-musb-host-fix-potential-null-pointer-dereference.patch
diff --git a/queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch b/queue-3.18/usb-musb-host-fix-potential-null-pointer-dereference.patch
new file mode 100644 (file)
index 0000000..1415d81
--- /dev/null
@@ -0,0 +1,38 @@
+From 2b63f1329df2cd814c1f8353fae4853ace6521d1 Mon Sep 17 00:00:00 2001
+From: Bin Liu <b-liu@ti.com>
+Date: Mon, 30 Apr 2018 11:20:53 -0500
+Subject: usb: musb: host: fix potential NULL pointer dereference
+
+From: Bin Liu <b-liu@ti.com>
+
+commit 2b63f1329df2cd814c1f8353fae4853ace6521d1 upstream.
+
+musb_start_urb() doesn't check the pass-in parameter if it is NULL.  But
+in musb_bulk_nak_timeout() the parameter passed to musb_start_urb() is
+returned from first_qh(), which could be NULL.
+
+So wrap the musb_start_urb() call here with a if condition check to
+avoid the potential NULL pointer dereference.
+
+Fixes: f283862f3b5c ("usb: musb: NAK timeout scheme on bulk TX endpoint")
+Cc: stable@vger.kernel.org # v3.7+
+Signed-off-by: Bin Liu <b-liu@ti.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/musb/musb_host.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/musb/musb_host.c
++++ b/drivers/usb/musb/musb_host.c
+@@ -1002,7 +1002,9 @@ static void musb_bulk_nak_timeout(struct
+                       /* set tx_reinit and schedule the next qh */
+                       ep->tx_reinit = 1;
+               }
+-              musb_start_urb(musb, is_in, next_qh);
++
++              if (next_qh)
++                      musb_start_urb(musb, is_in, next_qh);
+       }
+ }
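Review bot: The added `if (next_qh)` guard before `musb_start_urb(musb, is_in, next_qh);` skips the restart silently, and nothing on the new lines says when `next_qh` can be NULL or what state the endpoint is left in. On the visible TX path `ep->tx_reinit = 1` has already been set by then, so a NULL result would apparently leave the endpoint flagged for re-init with nothing scheduled. A short comment above the guard would record the intent, for example `/* first_qh() may return NULL; nothing to schedule in that case */`. The commit message notes that musb_start_urb() does not check its parameter, so any other caller that can pass a first_qh() result stays exposed; those callers are not visible here and should be confirmed. The body of musb_bulk_nak_timeout() starts outside this hunk, so the earlier assignments to `next_qh` cannot be checked from this view.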
diff --git a/queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch b/queue-3.18/usb-serial-visor-handle-potential-invalid-device-configuration.patch
new file mode 100644 (file)
index 0000000..3861d58
--- /dev/null
@@ -0,0 +1,115 @@
+From 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Sun, 29 Apr 2018 17:41:55 +0200
+Subject: USB: serial: visor: handle potential invalid device configuration
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 4842ed5bfcb9daf6660537d70503c18d38dbdbb8 upstream.
+
+If we get an invalid device configuration from a palm 3 type device, we
+might incorrectly parse things, and we have the potential to crash in
+"interesting" ways.
+
+Fix this up by verifying the size of the configuration passed to us by
+the device, and only if it is correct, will we handle it.
+
+Note that this also fixes an information leak of slab data.
+
+Reported-by: Andrey Konovalov <andreyknvl@google.com>
+Reviewed-by: Andrey Konovalov <andreyknvl@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+[ johan: add comment about the info leak ]
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/visor.c |   69 ++++++++++++++++++++++-----------------------
+ 1 file changed, 35 insertions(+), 34 deletions(-)
+
+--- a/drivers/usb/serial/visor.c
++++ b/drivers/usb/serial/visor.c
+@@ -338,47 +338,48 @@ static int palm_os_3_probe(struct usb_se
+               goto exit;
+       }
+-      if (retval == sizeof(*connection_info)) {
+-                      connection_info = (struct visor_connection_info *)
+-                                                      transfer_buffer;
+-
+-              num_ports = le16_to_cpu(connection_info->num_ports);
+-              for (i = 0; i < num_ports; ++i) {
+-                      switch (
+-                         connection_info->connections[i].port_function_id) {
+-                      case VISOR_FUNCTION_GENERIC:
+-                              string = "Generic";
+-                              break;
+-                      case VISOR_FUNCTION_DEBUGGER:
+-                              string = "Debugger";
+-                              break;
+-                      case VISOR_FUNCTION_HOTSYNC:
+-                              string = "HotSync";
+-                              break;
+-                      case VISOR_FUNCTION_CONSOLE:
+-                              string = "Console";
+-                              break;
+-                      case VISOR_FUNCTION_REMOTE_FILE_SYS:
+-                              string = "Remote File System";
+-                              break;
+-                      default:
+-                              string = "unknown";
+-                              break;
+-                      }
+-                      dev_info(dev, "%s: port %d, is for %s use\n",
+-                              serial->type->description,
+-                              connection_info->connections[i].port, string);
+-              }
++      if (retval != sizeof(*connection_info)) {
++              dev_err(dev, "Invalid connection information received from device\n");
++              retval = -ENODEV;
++              goto exit;
+       }
+-      /*
+-      * Handle devices that report invalid stuff here.
+-      */
++
++      connection_info = (struct visor_connection_info *)transfer_buffer;
++
++      num_ports = le16_to_cpu(connection_info->num_ports);
++
++      /* Handle devices that report invalid stuff here. */
+       if (num_ports == 0 || num_ports > 2) {
+               dev_warn(dev, "%s: No valid connect info available\n",
+                       serial->type->description);
+               num_ports = 2;
+       }
++      for (i = 0; i < num_ports; ++i) {
++              switch (connection_info->connections[i].port_function_id) {
++              case VISOR_FUNCTION_GENERIC:
++                      string = "Generic";
++                      break;
++              case VISOR_FUNCTION_DEBUGGER:
++                      string = "Debugger";
++                      break;
++              case VISOR_FUNCTION_HOTSYNC:
++                      string = "HotSync";
++                      break;
++              case VISOR_FUNCTION_CONSOLE:
++                      string = "Console";
++                      break;
++              case VISOR_FUNCTION_REMOTE_FILE_SYS:
++                      string = "Remote File System";
++                      break;
++              default:
++                      string = "unknown";
++                      break;
++              }
++              dev_info(dev, "%s: port %d, is for %s use\n",
++                      serial->type->description,
++                      connection_info->connections[i].port, string);
++      }
+       dev_info(dev, "%s: Number of ports: %d\n", serial->type->description,
+               num_ports);