4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Oct 2019 08:44:22 +0000 (09:44 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 27 Oct 2019 08:44:22 +0000 (09:44 +0100)
added patches:
asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
cfg80211-wext-avoid-copying-malformed-ssids.patch
drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
mac80211-reject-malformed-ssid-elements.patch
scsi-core-try-to-get-module-before-removing-device.patch

queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch [new file with mode: 0644]
queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch [new file with mode: 0644]
queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch [new file with mode: 0644]
queue-4.4/mac80211-reject-malformed-ssid-elements.patch [new file with mode: 0644]
queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/usb-ldusb-fix-read-info-leaks.patch

diff --git a/queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch b/queue-4.4/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
new file mode 100644 (file)
index 0000000..1225802
--- /dev/null
@@ -0,0 +1,42 @@
+From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001
+From: Junya Monden <jmonden@jp.adit-jv.com>
+Date: Wed, 16 Oct 2019 14:42:55 +0200
+Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting
+
+From: Junya Monden <jmonden@jp.adit-jv.com>
+
+commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream.
+
+Unlike other format-related DAI parameters, rdai->bit_clk_inv flag
+is not properly re-initialized when setting format for new stream
+processing. The inversion, if requested, is then applied not to default,
+but to a previous value, which leads to SCKP bit in SSICR register being
+set incorrectly.
+Fix this by re-setting the flag to its initial value, determined by format.
+
+Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior")
+Cc: Andrew Gabbasov <andrew_gabbasov@mentor.com>
+Cc: Jiada Wang <jiada_wang@mentor.com>
+Cc: Timo Wischer <twischer@de.adit-jv.com>
+Cc: stable@vger.kernel.org # v3.17+
+Signed-off-by: Junya Monden <jmonden@jp.adit-jv.com>
+Signed-off-by: Eugeniu Rosca <erosca@de.adit-jv.com>
+Acked-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/core.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -524,6 +524,7 @@ static int rsnd_soc_dai_set_fmt(struct s
+       }
+       /* set format */
++      rdai->bit_clk_inv = 0;
+       switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) {
+       case SND_SOC_DAIFMT_I2S:
+               rdai->sys_delay = 0;
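Review bot: The added `rdai->bit_clk_inv = 0;` in rsnd_soc_dai_set_fmt() has no comment, and the commit text calls the initial value "determined by format" while the line assigns 0 unconditionally ahead of the `switch`. A one-line comment such as `/* reset first: a requested inversion is applied on top of this value */` would tell the next backporter why the reset must precede the format handling. Whether any format case needs a non-zero default cannot be checked here, because the switch body continues outside the hunk.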
diff --git a/queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch b/queue-4.4/cfg80211-wext-avoid-copying-malformed-ssids.patch
new file mode 100644 (file)
index 0000000..ee29214
--- /dev/null
@@ -0,0 +1,56 @@
+From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:32 +0100
+Subject: cfg80211: wext: avoid copying malformed SSIDs
+
+From: Will Deacon <will@kernel.org>
+
+commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream.
+
+Ensure the SSID element is bounds-checked prior to invoking memcpy()
+with its length field, when copying to userspace.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org
+[adjust commit log a bit]
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/wireless/wext-sme.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/wireless/wext-sme.c
++++ b/net/wireless/wext-sme.c
+@@ -225,6 +225,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+                              struct iw_point *data, char *ssid)
+ {
+       struct wireless_dev *wdev = dev->ieee80211_ptr;
++      int ret = 0;
+       /* call only for station! */
+       if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION))
+@@ -242,7 +243,10 @@ int cfg80211_mgd_wext_giwessid(struct ne
+               if (ie) {
+                       data->flags = 1;
+                       data->length = ie[1];
+-                      memcpy(ssid, ie + 2, data->length);
++                      if (data->length > IW_ESSID_MAX_SIZE)
++                              ret = -EINVAL;
++                      else
++                              memcpy(ssid, ie + 2, data->length);
+               }
+               rcu_read_unlock();
+       } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) {
+@@ -252,7 +256,7 @@ int cfg80211_mgd_wext_giwessid(struct ne
+       }
+       wdev_unlock(wdev);
+-      return 0;
++      return ret;
+ }
+ int cfg80211_mgd_wext_siwap(struct net_device *dev,
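Review bot: On the new rejection path in cfg80211_mgd_wext_giwessid(), `data->flags = 1` and `data->length = ie[1]` have already been stored when the `IW_ESSID_MAX_SIZE` test fails, so the function returns -EINVAL with an out-of-range length left in the caller's iw_point. Testing `ie[1] > IW_ESSID_MAX_SIZE` before the two `data->` assignments, and only filling `data` in the else branch, would not depend on every caller discarding `data` on error. The check bounds the destination only; that `ie + 2 + ie[1]` stays inside the stored element buffer is presumably guaranteed by the lookup that produced `ie`, which lies outside the hunk.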
diff --git a/queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch b/queue-4.4/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
new file mode 100644 (file)
index 0000000..58a24ea
--- /dev/null
@@ -0,0 +1,35 @@
+From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Date: Tue, 2 Apr 2019 11:30:37 +0800
+Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50
+
+From: Kai-Heng Feng <kai.heng.feng@canonical.com>
+
+commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream.
+
+Another panel that needs 6BPC quirk.
+
+BugLink: https://bugs.launchpad.net/bugs/1819968
+Cc: <stable@vger.kernel.org> # v4.8+
+Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/drm_edid.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -150,6 +150,9 @@ static struct edid_quirk {
+       /* Medion MD 30217 PG */
+       { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 },
++      /* Lenovo G50 */
++      { "SDC", 18514, EDID_QUIRK_FORCE_6BPC },
++
+       /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */
+       { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC },
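Review bot: The patch header carries the stable tag `# v4.8+`, yet the file is being added to queue-4.4, so the new table entry only builds if `EDID_QUIRK_FORCE_6BPC` already exists in the 4.4 tree, presumably through an earlier backport. A short bracketed backport note in the patch header saying so would save the next reviewer the lookup. As a style point, the product id is written in decimal (`18514`) while the neighbouring entries visible in the hunk use hex; `{ "SDC", 0x4852, EDID_QUIRK_FORCE_6BPC },` would match them.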
diff --git a/queue-4.4/mac80211-reject-malformed-ssid-elements.patch b/queue-4.4/mac80211-reject-malformed-ssid-elements.patch
new file mode 100644 (file)
index 0000000..b23a712
--- /dev/null
@@ -0,0 +1,46 @@
+From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001
+From: Will Deacon <will@kernel.org>
+Date: Fri, 4 Oct 2019 10:51:31 +0100
+Subject: mac80211: Reject malformed SSID elements
+
+From: Will Deacon <will@kernel.org>
+
+commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream.
+
+Although this shouldn't occur in practice, it's a good idea to bounds
+check the length field of the SSID element prior to using it for things
+like allocations or memcpy operations.
+
+Cc: <stable@vger.kernel.org>
+Cc: Kees Cook <keescook@chromium.org>
+Reported-by: Nicolas Waisman <nico@semmle.com>
+Signed-off-by: Will Deacon <will@kernel.org>
+Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/mac80211/mlme.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/mac80211/mlme.c
++++ b/net/mac80211/mlme.c
+@@ -2431,7 +2431,8 @@ struct sk_buff *ieee80211_ap_probereq_ge
+       rcu_read_lock();
+       ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID);
+-      if (WARN_ON_ONCE(ssid == NULL))
++      if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN,
++                    "invalid SSID element (len=%d)", ssid ? ssid[1] : -1))
+               ssid_len = 0;
+       else
+               ssid_len = ssid[1];
+@@ -4669,7 +4670,7 @@ int ieee80211_mgd_assoc(struct ieee80211
+       rcu_read_lock();
+       ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID);
+-      if (!ssidie) {
++      if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) {
+               rcu_read_unlock();
+               kfree(assoc_data);
+               return -EINVAL;
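Review bot: The first inner hunk (ieee80211_ap_probereq_get) reports an over-long SSID element through `WARN_ONCE`, although the element is read from the BSS's stored IEs, which presumably originate from received frames. A warning that a peer's frame can trigger puts a stack trace in the log and, on hosts configured to panic on warnings, takes the machine down. If earlier parsing already guarantees the length, a comment next to the check should say so, e.g. `/* SSID length is validated when the BSS entry is stored; this only catches internal bugs */`; if it does not, a plain rejection without WARN is the safer form. The two hunks also bound the same field with different expressions (`IEEE80211_MAX_SSID_LEN` and `sizeof(assoc_data->ssid)`); using one in both places would make the equivalence obvious. Both functions extend beyond the hunks.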
diff --git a/queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch b/queue-4.4/scsi-core-try-to-get-module-before-removing-device.patch
new file mode 100644 (file)
index 0000000..b39ee2d
--- /dev/null
@@ -0,0 +1,94 @@
+From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001
+From: Yufen Yu <yuyufen@huawei.com>
+Date: Tue, 15 Oct 2019 21:05:56 +0800
+Subject: scsi: core: try to get module before removing device
+
+From: Yufen Yu <yuyufen@huawei.com>
+
+commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream.
+
+We have a test case like block/001 in blktests, which will create a scsi
+device by loading scsi_debug module and then try to delete the device by
+sysfs interface. At the same time, it may remove the scsi_debug module.
+
+And getting a invalid paging request BUG_ON as following:
+
+[   34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8
+[   34.629189] Oops: 0000 [#1] SMP PTI
+[   34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G        W         5.4.0-rc3+ #473
+[   34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0
+[   34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0
+[   34.644545] Call Trace:
+[   34.644907]  scsi_host_dev_release+0x6b/0x1f0
+[   34.645511]  device_release+0x74/0x110
+[   34.646046]  kobject_put+0x116/0x390
+[   34.646559]  put_device+0x17/0x30
+[   34.647041]  scsi_target_dev_release+0x2b/0x40
+[   34.647652]  device_release+0x74/0x110
+[   34.648186]  kobject_put+0x116/0x390
+[   34.648691]  put_device+0x17/0x30
+[   34.649157]  scsi_device_dev_release_usercontext+0x2e8/0x360
+[   34.649953]  execute_in_process_context+0x29/0x80
+[   34.650603]  scsi_device_dev_release+0x20/0x30
+[   34.651221]  device_release+0x74/0x110
+[   34.651732]  kobject_put+0x116/0x390
+[   34.652230]  sysfs_unbreak_active_protection+0x3f/0x50
+[   34.652935]  sdev_store_delete.cold.4+0x71/0x8f
+[   34.653579]  dev_attr_store+0x1b/0x40
+[   34.654103]  sysfs_kf_write+0x3d/0x60
+[   34.654603]  kernfs_fop_write+0x174/0x250
+[   34.655165]  __vfs_write+0x1f/0x60
+[   34.655639]  vfs_write+0xc7/0x280
+[   34.656117]  ksys_write+0x6d/0x140
+[   34.656591]  __x64_sys_write+0x1e/0x30
+[   34.657114]  do_syscall_64+0xb1/0x400
+[   34.657627]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
+[   34.658335] RIP: 0033:0x7f156f337130
+
+During deleting scsi target, the scsi_debug module have been removed. Then,
+sdebug_driver_template belonged to the module cannot be accessd, resulting
+in scsi_proc_hostdir_rm() BUG_ON.
+
+To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to
+increase refcount of module, avoiding the module been removed.
+
+Cc: stable@vger.kernel.org
+Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com
+Signed-off-by: Yufen Yu <yuyufen@huawei.com>
+Reviewed-by: Bart Van Assche <bvanassche@acm.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/scsi_sysfs.c |   11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/scsi_sysfs.c
++++ b/drivers/scsi/scsi_sysfs.c
+@@ -679,6 +679,14 @@ sdev_store_delete(struct device *dev, st
+                 const char *buf, size_t count)
+ {
+       struct kernfs_node *kn;
++      struct scsi_device *sdev = to_scsi_device(dev);
++
++      /*
++       * We need to try to get module, avoiding the module been removed
++       * during delete.
++       */
++      if (scsi_device_get(sdev))
++              return -ENODEV;
+       kn = sysfs_break_active_protection(&dev->kobj, &attr->attr);
+       WARN_ON_ONCE(!kn);
+@@ -693,9 +701,10 @@ sdev_store_delete(struct device *dev, st
+        * state into SDEV_DEL.
+        */
+       device_remove_file(dev, attr);
+-      scsi_remove_device(to_scsi_device(dev));
++      scsi_remove_device(sdev);
+       if (kn)
+               sysfs_unbreak_active_protection(kn);
++      scsi_device_put(sdev);
+       return count;
+ };
+ static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete);
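Review bot: The new early return in sdev_store_delete() changes what userspace sees, because a failing `scsi_device_get(sdev)` now makes the write return -ENODEV where the old code always went on to `scsi_remove_device()` and returned `count`. scsi_device_get() is understood to fail both when the module reference cannot be taken and when the device is already being deleted, so a second write to `delete` racing with removal would now get an error; that is probably acceptable, but the comment should state it. Suggested wording: `/* Pin the LLD module until scsi_device_put() below; fails if the module is going away or the device is already being removed. */`. The lines between the two inner hunks are not shown, so it cannot be confirmed from here that no other return path skips `scsi_device_put(sdev)`.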
index 1aaa38091ef87aa5954d4e072c735744bcf1e384..bcc21370e88f3990ad6b71c78f5d98cd3d82f27e 100644 (file)
@@ -22,3 +22,8 @@ usb-serial-ti_usb_3410_5052-fix-port-close-races.patch
 usb-ldusb-fix-memleak-on-disconnect.patch
 usb-usblp-fix-use-after-free-on-disconnect.patch
 usb-ldusb-fix-read-info-leaks.patch
+scsi-core-try-to-get-module-before-removing-device.patch
+asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch
+cfg80211-wext-avoid-copying-malformed-ssids.patch
+mac80211-reject-malformed-ssid-elements.patch
+drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch
index fd307669c40b9ac547cbbba2af45f37e98d59e11..e6451df07d151550ee59c3e742832390d09f2fd1 100644 (file)
@@ -30,8 +30,8 @@ Link: https://lore.kernel.org/r/20191018151955.25135-2-johan@kernel.org
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
 ---
- drivers/usb/misc/ldusb.c |   13 ++++++++++---
- 1 file changed, 10 insertions(+), 3 deletions(-)
+ drivers/usb/misc/ldusb.c |   15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
 
 --- a/drivers/usb/misc/ldusb.c
 +++ b/drivers/usb/misc/ldusb.c
@@ -44,11 +44,13 @@ Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
                dev->interrupt_in_done = 0;
                spin_unlock_irq(&dev->rbsl);
                if (file->f_flags & O_NONBLOCK) {
-@@ -479,11 +479,16 @@ static ssize_t ld_usb_read(struct file *
+@@ -478,12 +478,17 @@ static ssize_t ld_usb_read(struct file *
+               retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done);
                if (retval < 0)
                        goto unlock_exit;
-       } else {
+-      } else {
 -              spin_unlock_irq(&dev->rbsl);
++
 +              spin_lock_irq(&dev->rbsl);
        }
 +      spin_unlock_irq(&dev->rbsl);