4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 6 Oct 2016 05:34:13 +0000 (07:34 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 6 Oct 2016 05:34:13 +0000 (07:34 +0200)
added patches:
usb-misc-legousbtower-fix-null-pointer-deference.patch
usb-serial-cp210x-fix-hardware-flow-control-disable.patch

queue-4.4/dm-log-writes-fix-bug-with-too-large-bios.patch
queue-4.4/series
queue-4.4/usb-misc-legousbtower-fix-null-pointer-deference.patch [new file with mode: 0644]
queue-4.4/usb-serial-cp210x-fix-hardware-flow-control-disable.patch [new file with mode: 0644]

index 8188f9c9ed1d30c5ee7c99ef4c2394a203499d59..f203c2b5cd11cdee1513d91438a0d5e8964b7db9 100644 (file)
@@ -19,7 +19,7 @@ handles bio_add_page() failure already exists in the dm-log-writes
 target.
 
 Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
-Reviewed-by: Josef Bacik <jbacik@fb,com>
+Reviewed-by: Josef Bacik <jbacik@fb.com>
 Signed-off-by: Mike Snitzer <snitzer@redhat.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 
index 4feb982f51040bddfd6636ef8b92a7fed778a64d..0ad2c4ac359e5e79c47c8687177205ece5ece8cd 100644 (file)
@@ -82,3 +82,5 @@ batman-adv-remove-unused-callback-from-batadv_algo_ops-struct.patch
 aio-mark-aio-pseudo-fs-noexec.patch
 clk-xgene-add-missing-parenthesis-when-clearing-divider-value.patch
 dm-log-writes-fix-bug-with-too-large-bios.patch
+usb-serial-cp210x-fix-hardware-flow-control-disable.patch
+usb-misc-legousbtower-fix-null-pointer-deference.patch
diff --git a/queue-4.4/usb-misc-legousbtower-fix-null-pointer-deference.patch b/queue-4.4/usb-misc-legousbtower-fix-null-pointer-deference.patch
new file mode 100644 (file)
index 0000000..ddcf19e
--- /dev/null
@@ -0,0 +1,90 @@
+From 2fae9e5a7babada041e2e161699ade2447a01989 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 19 Sep 2016 19:09:51 +0100
+Subject: usb: misc: legousbtower: Fix NULL pointer deference
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+commit 2fae9e5a7babada041e2e161699ade2447a01989 upstream.
+
+This patch fixes a NULL pointer dereference caused by a race codition in
+the probe function of the legousbtower driver. It re-structures the
+probe function to only register the interface after successfully reading
+the board's firmware ID.
+
+The probe function does not deregister the usb interface after an error
+receiving the devices firmware ID. The device file registered
+(/dev/usb/legousbtower%d) may be read/written globally before the probe
+function returns. When tower_delete is called in the probe function
+(after an r/w has been initiated), core dev structures are deleted while
+the file operation functions are still running. If the 0 address is
+mappable on the machine, this vulnerability can be used to create a
+Local Priviege Escalation exploit via a write-what-where condition by
+remapping dev->interrupt_out_buffer in tower_write. A forged USB device
+and local program execution would be required for LPE. The USB device
+would have to delay the control message in tower_probe and accept
+the control urb in tower_open whilst guest code initiated a write to the
+device file as tower_delete is called from the error in tower_probe.
+
+This bug has existed since 2003. Patch tested by emulated device.
+
+Reported-by: James Patrick-Evans <james@jmp-e.com>
+Tested-by: James Patrick-Evans <james@jmp-e.com>
+Signed-off-by: James Patrick-Evans <james@jmp-e.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/misc/legousbtower.c |   35 +++++++++++++++++------------------
+ 1 file changed, 17 insertions(+), 18 deletions(-)
+
+--- a/drivers/usb/misc/legousbtower.c
++++ b/drivers/usb/misc/legousbtower.c
+@@ -898,24 +898,6 @@ static int tower_probe (struct usb_inter
+       dev->interrupt_in_interval = interrupt_in_interval ? interrupt_in_interval : dev->interrupt_in_endpoint->bInterval;
+       dev->interrupt_out_interval = interrupt_out_interval ? interrupt_out_interval : dev->interrupt_out_endpoint->bInterval;
+-      /* we can register the device now, as it is ready */
+-      usb_set_intfdata (interface, dev);
+-
+-      retval = usb_register_dev (interface, &tower_class);
+-
+-      if (retval) {
+-              /* something prevented us from registering this driver */
+-              dev_err(idev, "Not able to get a minor for this device.\n");
+-              usb_set_intfdata (interface, NULL);
+-              goto error;
+-      }
+-      dev->minor = interface->minor;
+-
+-      /* let the user know what node this device is now attached to */
+-      dev_info(&interface->dev, "LEGO USB Tower #%d now attached to major "
+-               "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
+-               USB_MAJOR, dev->minor);
+-
+       /* get the firmware version and log it */
+       result = usb_control_msg (udev,
+                                 usb_rcvctrlpipe(udev, 0),
+@@ -936,6 +918,23 @@ static int tower_probe (struct usb_inter
+                get_version_reply.minor,
+                le16_to_cpu(get_version_reply.build_no));
++      /* we can register the device now, as it is ready */
++      usb_set_intfdata (interface, dev);
++
++      retval = usb_register_dev (interface, &tower_class);
++
++      if (retval) {
++              /* something prevented us from registering this driver */
++              dev_err(idev, "Not able to get a minor for this device.\n");
++              usb_set_intfdata (interface, NULL);
++              goto error;
++      }
++      dev->minor = interface->minor;
++
++      /* let the user know what node this device is now attached to */
++      dev_info(&interface->dev, "LEGO USB Tower #%d now attached to major "
++               "%d minor %d\n", (dev->minor - LEGO_USB_TOWER_MINOR_BASE),
++               USB_MAJOR, dev->minor);
+ exit:
+       return retval;
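Review bot: The moved comment `/* we can register the device now, as it is ready */` does not record the ordering invariant this fix depends on. Per the commit message, probe's error path frees the device through tower_delete() without deregistering the interface, so `usb_register_dev()` must stay the last step in tower_probe that can be followed by a failure. I would replace the comment with `/* Register last: the node is usable as soon as usb_register_dev() returns, and the error path does not deregister it. */` so that a later change does not add a fallible step after registration and reopen the race. The `error:` label and the check of the usb_control_msg() result are outside the visible hunks, so confirm that no other path can reach tower_delete() once registration has succeeded.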
diff --git a/queue-4.4/usb-serial-cp210x-fix-hardware-flow-control-disable.patch b/queue-4.4/usb-serial-cp210x-fix-hardware-flow-control-disable.patch
new file mode 100644 (file)
index 0000000..4b6837d
--- /dev/null
@@ -0,0 +1,51 @@
+From a377f9e906af4df9071ba8ddba60188cb4013d93 Mon Sep 17 00:00:00 2001
+From: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
+Date: Wed, 4 May 2016 16:56:52 -0500
+Subject: USB: serial: cp210x: fix hardware flow-control disable
+
+From: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
+
+commit a377f9e906af4df9071ba8ddba60188cb4013d93 upstream.
+
+A bug in the CRTSCTS handling caused RTS to alternate between
+
+CRTSCTS=0 => "RTS is transmit active signal" and
+CRTSCTS=1 => "RTS is used for receive flow control"
+
+instead of
+
+CRTSCTS=0 => "RTS is statically active" and
+CRTSCTS=1 => "RTS is used for receive flow control"
+
+This only happened after first having enabled CRTSCTS.
+
+Signed-off-by: Konstantin Shkolnyy <konstantin.shkolnyy@gmail.com>
+Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
+[johan: reword commit message ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+[johan: backport to 4.4 ]
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+
+This is a backport of an upstream fix to v4.4, which should apply too
+earlier stable trees as well.
+
+Johan
+
+
+ drivers/usb/serial/cp210x.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -784,7 +784,7 @@ static void cp210x_set_termios(struct tt
+               } else {
+                       modem_ctl[0] &= ~0x7B;
+                       modem_ctl[0] |= 0x01;
+-                      modem_ctl[1] |= 0x40;
++                      modem_ctl[1] = 0x40;
+                       dev_dbg(dev, "%s - flow control = NONE\n", __func__);
+               }
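Review bot: `modem_ctl[1] = 0x40;` in the flow-control-NONE branch now overwrites the whole byte. That clears the stale bit left by an earlier CRTSCTS enable, but it also discards every other bit that was read into modem_ctl[1]; the read and the CRTSCTS branch are outside this hunk, so check that nothing else in that byte needs preserving. The bare constants give a reader no way to see why `|=` was wrong, so I would add a comment on the line: `/* RTS statically active; plain assignment so the bit set for CRTSCTS flow control is cleared */`. If other bits in the byte do matter, clear only the RTS-mode field before OR-ing in 0x40 rather than assigning.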