--- /dev/null
+From 1aaf1154e6edc1c9e0232be87736b4ba83e24321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 9 Jul 2020 13:29:36 +0300
+Subject: staging: comedi: verify array index is correct before using it
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ef75e14a6c935eec82abac07ab68e388514e39bc ]
+
+This code reads from the array before verifying that "trig" is a valid
+index. If the index is wildly out of bounds then reading from an
+invalid address could lead to an Oops.
+
+Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Ian Abbott <abbotti@mev.co.uk>
+Link: https://lore.kernel.org/r/20200709102936.GA20875@mwanda
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/comedi/drivers/addi_apci_1500.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/comedi/drivers/addi_apci_1500.c b/drivers/staging/comedi/drivers/addi_apci_1500.c
+index 63991c49ff230..79a8799b12628 100644
+--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
+@@ -465,9 +465,9 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
+ unsigned int lo_mask = data[5] << shift;
+ unsigned int chan_mask = hi_mask | lo_mask;
+ unsigned int old_mask = (1 << shift) - 1;
+- unsigned int pm = devpriv->pm[trig] & old_mask;
+- unsigned int pt = devpriv->pt[trig] & old_mask;
+- unsigned int pp = devpriv->pp[trig] & old_mask;
++ unsigned int pm;
++ unsigned int pt;
++ unsigned int pp;
+
+ if (trig > 1) {
+ dev_dbg(dev->class_dev,
+@@ -480,6 +480,10 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
+ return -EINVAL;
+ }
+
++ pm = devpriv->pm[trig] & old_mask;
++ pt = devpriv->pt[trig] & old_mask;
++ pp = devpriv->pp[trig] & old_mask;
++
+ switch (data[2]) {
+ case COMEDI_DIGITAL_TRIG_DISABLE:
+ /* clear trigger configuration */
+--
+2.25.1
+
--- /dev/null
+From 6133e7dceaa234e51f01635f8253ffc89228d9d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 28 May 2020 20:35:54 +0200
+Subject: usb: gadget: udc: atmel: fix uninitialized read in debug printk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+
+[ Upstream commit 30517ffeb3bff842e1355cbc32f1959d9dbb5414 ]
+
+Fixed commit moved the assignment of 'req', but did not update a
+reference in the DBG() call. Use the argument as it was renamed.
+
+Fixes: 5fb694f96e7c ("usb: gadget: udc: atmel: fix possible oops when unloading module")
+Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
+Signed-off-by: Felipe Balbi <balbi@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 668ac5e8681b5..e6902257d7de7 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -843,7 +843,7 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ u32 status;
+
+ DBG(DBG_GADGET | DBG_QUEUE, "ep_dequeue: %s, req %p\n",
+- ep->ep.name, req);
++ ep->ep.name, _req);
+
+ spin_lock_irqsave(&udc->lock, flags);
+
+--
+2.25.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
