--- /dev/null
+From ae1c696a480c67c45fb23b35162183f72c6be0e1 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 26 Jul 2018 15:49:10 -0500
+Subject: ASoC: sirf: Fix potential NULL pointer dereference
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit ae1c696a480c67c45fb23b35162183f72c6be0e1 upstream.
+
+There is a potential execution path in which function
+platform_get_resource() returns NULL. If this happens,
+we will end up having a NULL pointer dereference.
+
+Fix this by replacing devm_ioremap with devm_ioremap_resource,
+which has the NULL check and the memory region request.
+
+This code was detected with the help of Coccinelle.
+
+Cc: stable@vger.kernel.org
+Fixes: 2bd8d1d5cf89 ("ASoC: sirf: Add audio usp interface driver")
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sirf/sirf-usp.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sirf/sirf-usp.c
++++ b/sound/soc/sirf/sirf-usp.c
+@@ -367,10 +367,9 @@ static int sirf_usp_pcm_probe(struct pla
+ platform_set_drvdata(pdev, usp);
+
+ mem_res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- base = devm_ioremap(&pdev->dev, mem_res->start,
+- resource_size(mem_res));
+- if (base == NULL)
+- return -ENOMEM;
++ base = devm_ioremap_resource(&pdev->dev, mem_res);
++ if (IS_ERR(base))
++ return PTR_ERR(base);
+ usp->regmap = devm_regmap_init_mmio(&pdev->dev, base,
+ &sirf_usp_regmap_config);
+ if (IS_ERR(usp->regmap))
--- /dev/null
+From 19da44cd33a3a6ff7c97fff0189999ff15b241e4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Fri, 13 Jul 2018 17:55:15 +0300
+Subject: pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 19da44cd33a3a6ff7c97fff0189999ff15b241e4 upstream.
+
+The info->groups[] array is allocated in imx1_pinctrl_parse_dt(). It
+has info->ngroups elements. Thus the > here should be >= to prevent
+reading one element beyond the end of the array.
+
+Cc: stable@vger.kernel.org
+Fixes: 30612cd90005 ("pinctrl: imx1 core driver")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Uwe Kleine-König <u.kleine-könig@pengutronix.de>
+Acked-by: Dong Aisheng <Aisheng.dong@nxp.com>
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pinctrl/freescale/pinctrl-imx1-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/pinctrl/freescale/pinctrl-imx1-core.c
++++ b/drivers/pinctrl/freescale/pinctrl-imx1-core.c
+@@ -435,7 +435,7 @@ static void imx1_pinconf_group_dbg_show(
+ const char *name;
+ int i, ret;
+
+- if (group > info->ngroups)
++ if (group >= info->ngroups)
+ return;
+
+ seq_puts(s, "\n");
x86-process-re-export-start_thread.patch
fuse-don-t-access-pipe-buffers-without-pipe_lock.patch
fuse-add-missed-unlock_page-to-fuse_readpages_fill.patch
+udl-kms-change-down_interruptible-to-down.patch
+udl-kms-handle-allocation-failure.patch
+udl-kms-fix-crash-due-to-uninitialized-memory.patch
+asoc-sirf-fix-potential-null-pointer-dereference.patch
+pinctrl-freescale-off-by-one-in-imx1_pinconf_group_dbg_show.patch
--- /dev/null
+From 8456b99c16d193c4c3b7df305cf431e027f0189c Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 3 Jun 2018 16:40:55 +0200
+Subject: udl-kms: change down_interruptible to down
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 8456b99c16d193c4c3b7df305cf431e027f0189c upstream.
+
+If we leave urbs around, it causes not only leak, but also memory
+corruption. This patch fixes the function udl_free_urb_list, so that it
+always waits for all urbs that are in progress.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/udl/udl_main.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_main.c
++++ b/drivers/gpu/drm/udl/udl_main.c
+@@ -141,18 +141,13 @@ static void udl_free_urb_list(struct drm
+ struct list_head *node;
+ struct urb_node *unode;
+ struct urb *urb;
+- int ret;
+ unsigned long flags;
+
+ DRM_DEBUG("Waiting for completes and freeing all render urbs\n");
+
+ /* keep waiting and freeing, until we've got 'em all */
+ while (count--) {
+-
+- /* Getting interrupted means a leak, but ok at shutdown*/
+- ret = down_interruptible(&udl->urbs.limit_sem);
+- if (ret)
+- break;
++ down(&udl->urbs.limit_sem);
+
+ spin_lock_irqsave(&udl->urbs.lock, flags);
+
--- /dev/null
+From 09a00abe3a9941c2715ca83eb88172cd2f54d8fd Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 3 Jun 2018 16:40:57 +0200
+Subject: udl-kms: fix crash due to uninitialized memory
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 09a00abe3a9941c2715ca83eb88172cd2f54d8fd upstream.
+
+We must use kzalloc when allocating the fb_deferred_io structure.
+Otherwise, the field first_io is undefined and it causes a crash.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/udl/udl_fb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/udl/udl_fb.c
++++ b/drivers/gpu/drm/udl/udl_fb.c
+@@ -341,7 +341,7 @@ static int udl_fb_open(struct fb_info *i
+
+ struct fb_deferred_io *fbdefio;
+
+- fbdefio = kmalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
++ fbdefio = kzalloc(sizeof(struct fb_deferred_io), GFP_KERNEL);
+
+ if (fbdefio) {
+ fbdefio->delay = DL_DEFIO_WRITE_DELAY;
--- /dev/null
+From 542bb9788a1f485eb1a2229178f665d8ea166156 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Sun, 3 Jun 2018 16:40:56 +0200
+Subject: udl-kms: handle allocation failure
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 542bb9788a1f485eb1a2229178f665d8ea166156 upstream.
+
+Allocations larger than PAGE_ALLOC_COSTLY_ORDER are unreliable and they
+may fail anytime. This patch fixes the udl kms driver so that when a large
+alloactions fails, it tries to do multiple smaller allocations.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/udl/udl_main.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/udl/udl_main.c
++++ b/drivers/gpu/drm/udl/udl_main.c
+@@ -171,17 +171,22 @@ static void udl_free_urb_list(struct drm
+ static int udl_alloc_urb_list(struct drm_device *dev, int count, size_t size)
+ {
+ struct udl_device *udl = dev->dev_private;
+- int i = 0;
+ struct urb *urb;
+ struct urb_node *unode;
+ char *buf;
++ size_t wanted_size = count * size;
+
+ spin_lock_init(&udl->urbs.lock);
+
++retry:
+ udl->urbs.size = size;
+ INIT_LIST_HEAD(&udl->urbs.list);
+
+- while (i < count) {
++ sema_init(&udl->urbs.limit_sem, 0);
++ udl->urbs.count = 0;
++ udl->urbs.available = 0;
++
++ while (udl->urbs.count * size < wanted_size) {
+ unode = kzalloc(sizeof(struct urb_node), GFP_KERNEL);
+ if (!unode)
+ break;
+@@ -197,11 +202,16 @@ static int udl_alloc_urb_list(struct drm
+ }
+ unode->urb = urb;
+
+- buf = usb_alloc_coherent(udl->udev, MAX_TRANSFER, GFP_KERNEL,
++ buf = usb_alloc_coherent(udl->udev, size, GFP_KERNEL,
+ &urb->transfer_dma);
+ if (!buf) {
+ kfree(unode);
+ usb_free_urb(urb);
++ if (size > PAGE_SIZE) {
++ size /= 2;
++ udl_free_urb_list(dev);
++ goto retry;
++ }
+ break;
+ }
+
+@@ -212,16 +222,14 @@ static int udl_alloc_urb_list(struct drm
+
+ list_add_tail(&unode->entry, &udl->urbs.list);
+
+- i++;
++ up(&udl->urbs.limit_sem);
++ udl->urbs.count++;
++ udl->urbs.available++;
+ }
+
+- sema_init(&udl->urbs.limit_sem, i);
+- udl->urbs.count = i;
+- udl->urbs.available = i;
+-
+- DRM_DEBUG("allocated %d %d byte urbs\n", i, (int) size);
++ DRM_DEBUG("allocated %d %d byte urbs\n", udl->urbs.count, (int) size);
+
+- return i;
++ return udl->urbs.count;
+ }
+
+ struct urb *udl_get_urb(struct drm_device *dev)
projects / thirdparty / kernel / stable-queue.git / commitdiff
