--- /dev/null
+From bde717ab473668377fc65872398a102d40cb2d58 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Tue, 27 Jun 2017 17:31:51 +0300
+Subject: ath9k: fix tx99 bus error
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+commit bde717ab473668377fc65872398a102d40cb2d58 upstream.
+
+The hard coded register 0x9864 and 0x9924 are invalid
+for ar9300 chips.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/ar9003_phy.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/ar9003_phy.c
++++ b/drivers/net/wireless/ath/ath9k/ar9003_phy.c
+@@ -1815,8 +1815,6 @@ static void ar9003_hw_spectral_scan_wait
+ static void ar9003_hw_tx99_start(struct ath_hw *ah, u32 qnum)
+ {
+ REG_SET_BIT(ah, AR_PHY_TEST, PHY_AGC_CLR);
+- REG_SET_BIT(ah, 0x9864, 0x7f000);
+- REG_SET_BIT(ah, 0x9924, 0x7f00fe);
+ REG_CLR_BIT(ah, AR_DIAG_SW, AR_DIAG_RX_DIS);
+ REG_WRITE(ah, AR_CR, AR_CR_RXD);
+ REG_WRITE(ah, AR_DLCL_IFS(qnum), 0);
--- /dev/null
+From cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 Mon Sep 17 00:00:00 2001
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+Date: Tue, 27 Jun 2017 17:31:49 +0300
+Subject: ath9k: fix tx99 use after free
+
+From: Miaoqing Pan <miaoqing@codeaurora.org>
+
+commit cf8ce1ea61b75712a154c93e40f2a5af2e4dd997 upstream.
+
+One scenario that could lead to UAF is two threads writing
+simultaneously to the "tx99" debug file. One of them would
+set the "start" value to true and follow to ath9k_tx99_init().
+Inside the function it would set the sc->tx99_state to true
+after allocating sc->tx99skb. Then, the other thread would
+execute write_file_tx99() and call ath9k_tx99_deinit().
+sc->tx99_state would be freed. After that, the first thread
+would continue inside ath9k_tx99_init() and call
+r = ath9k_tx99_send(sc, sc->tx99_skb, &txctl);
+that would make use of the freed sc->tx99_skb memory.
+
+Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/tx99.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/ath/ath9k/tx99.c
++++ b/drivers/net/wireless/ath/ath9k/tx99.c
+@@ -190,22 +190,27 @@ static ssize_t write_file_tx99(struct fi
+ if (strtobool(buf, &start))
+ return -EINVAL;
+
++ mutex_lock(&sc->mutex);
++
+ if (start == sc->tx99_state) {
+ if (!start)
+- return count;
++ goto out;
+ ath_dbg(common, XMIT, "Resetting TX99\n");
+ ath9k_tx99_deinit(sc);
+ }
+
+ if (!start) {
+ ath9k_tx99_deinit(sc);
+- return count;
++ goto out;
+ }
+
+ r = ath9k_tx99_init(sc);
+- if (r)
++ if (r) {
++ mutex_unlock(&sc->mutex);
+ return r;
+-
++ }
++out:
++ mutex_unlock(&sc->mutex);
+ return count;
+ }
+
--- /dev/null
+From f6a5885fc4d68e7f25ffb42b9d8d80aebb3bacbb Mon Sep 17 00:00:00 2001
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Tue, 13 Jun 2017 18:44:28 +0200
+Subject: NFC: Add sockaddr length checks before accessing sa_family in bind handlers
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+commit f6a5885fc4d68e7f25ffb42b9d8d80aebb3bacbb upstream.
+
+Verify that the caller-provided sockaddr structure is large enough to
+contain the sa_family field, before accessing it in bind() handlers of the
+AF_NFC socket. Since the syscall doesn't enforce a minimum size of the
+corresponding memory region, very short sockaddrs (zero or one byte long)
+result in operating on uninitialized memory while referencing .sa_family.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/llcp_sock.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -76,7 +76,8 @@ static int llcp_sock_bind(struct socket
+ struct sockaddr_nfc_llcp llcp_addr;
+ int len, ret = 0;
+
+- if (!addr || addr->sa_family != AF_NFC)
++ if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
++ addr->sa_family != AF_NFC)
+ return -EINVAL;
+
+ pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family);
+@@ -150,7 +151,8 @@ static int llcp_raw_sock_bind(struct soc
+ struct sockaddr_nfc_llcp llcp_addr;
+ int len, ret = 0;
+
+- if (!addr || addr->sa_family != AF_NFC)
++ if (!addr || alen < offsetofend(struct sockaddr, sa_family) ||
++ addr->sa_family != AF_NFC)
+ return -EINVAL;
+
+ pr_debug("sk %p addr %p family %d\n", sk, addr, addr->sa_family);
--- /dev/null
+From a0323b979f81ad2deb2c8836eab506534891876a Mon Sep 17 00:00:00 2001
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Wed, 24 May 2017 12:42:26 +0200
+Subject: nfc: Ensure presence of required attributes in the activate_target handler
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+commit a0323b979f81ad2deb2c8836eab506534891876a upstream.
+
+Check that the NFC_ATTR_TARGET_INDEX and NFC_ATTR_PROTOCOLS attributes (in
+addition to NFC_ATTR_DEVICE_INDEX) are provided by the netlink client
+prior to accessing them. This prevents potential unhandled NULL pointer
+dereference exceptions which can be triggered by malicious user-mode
+programs, if they omit one or both of these attributes.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/netlink.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/nfc/netlink.c
++++ b/net/nfc/netlink.c
+@@ -873,7 +873,9 @@ static int nfc_genl_activate_target(stru
+ u32 device_idx, target_idx, protocol;
+ int rc;
+
+- if (!info->attrs[NFC_ATTR_DEVICE_INDEX])
++ if (!info->attrs[NFC_ATTR_DEVICE_INDEX] ||
++ !info->attrs[NFC_ATTR_TARGET_INDEX] ||
++ !info->attrs[NFC_ATTR_PROTOCOLS])
+ return -EINVAL;
+
+ device_idx = nla_get_u32(info->attrs[NFC_ATTR_DEVICE_INDEX]);
--- /dev/null
+From 20777bc57c346b6994f465e0d8261a7fbf213a09 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Mar 2017 12:15:35 +0200
+Subject: NFC: fix broken device allocation
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 20777bc57c346b6994f465e0d8261a7fbf213a09 upstream.
+
+Commit 7eda8b8e9677 ("NFC: Use IDR library to assing NFC devices IDs")
+moved device-id allocation and struct-device initialisation from
+nfc_allocate_device() to nfc_register_device().
+
+This broke just about every nfc-device-registration error path, which
+continue to call nfc_free_device() that tries to put the device
+reference of the now uninitialised (but zeroed) struct device:
+
+kobject: '(null)' (ce316420): is not initialized, yet kobject_put() is being called.
+
+The late struct-device initialisation also meant that various work
+queues whose names are derived from the nfc device name were also
+misnamed:
+
+ 421 root 0 SW< [(null)_nci_cmd_]
+ 422 root 0 SW< [(null)_nci_rx_w]
+ 423 root 0 SW< [(null)_nci_tx_w]
+
+Move the id-allocation and struct-device initialisation back to
+nfc_allocate_device() and fix up the single call site which did not use
+nfc_free_device() in its error path.
+
+Fixes: 7eda8b8e9677 ("NFC: Use IDR library to assing NFC devices IDs")
+Cc: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/core.c | 31 ++++++++++++++++++-------------
+ net/nfc/nci/core.c | 3 +--
+ 2 files changed, 19 insertions(+), 15 deletions(-)
+
+--- a/net/nfc/core.c
++++ b/net/nfc/core.c
+@@ -969,6 +969,8 @@ static void nfc_release(struct device *d
+ kfree(se);
+ }
+
++ ida_simple_remove(&nfc_index_ida, dev->idx);
++
+ kfree(dev);
+ }
+
+@@ -1043,6 +1045,7 @@ struct nfc_dev *nfc_allocate_device(stru
+ int tx_headroom, int tx_tailroom)
+ {
+ struct nfc_dev *dev;
++ int rc;
+
+ if (!ops->start_poll || !ops->stop_poll || !ops->activate_target ||
+ !ops->deactivate_target || !ops->im_transceive)
+@@ -1055,6 +1058,15 @@ struct nfc_dev *nfc_allocate_device(stru
+ if (!dev)
+ return NULL;
+
++ rc = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
++ if (rc < 0)
++ goto err_free_dev;
++ dev->idx = rc;
++
++ dev->dev.class = &nfc_class;
++ dev_set_name(&dev->dev, "nfc%d", dev->idx);
++ device_initialize(&dev->dev);
++
+ dev->ops = ops;
+ dev->supported_protocols = supported_protocols;
+ dev->tx_headroom = tx_headroom;
+@@ -1077,6 +1089,11 @@ struct nfc_dev *nfc_allocate_device(stru
+ }
+
+ return dev;
++
++err_free_dev:
++ kfree(dev);
++
++ return ERR_PTR(rc);
+ }
+ EXPORT_SYMBOL(nfc_allocate_device);
+
+@@ -1091,14 +1108,6 @@ int nfc_register_device(struct nfc_dev *
+
+ pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+
+- dev->idx = ida_simple_get(&nfc_index_ida, 0, 0, GFP_KERNEL);
+- if (dev->idx < 0)
+- return dev->idx;
+-
+- dev->dev.class = &nfc_class;
+- dev_set_name(&dev->dev, "nfc%d", dev->idx);
+- device_initialize(&dev->dev);
+-
+ mutex_lock(&nfc_devlist_mutex);
+ nfc_devlist_generation++;
+ rc = device_add(&dev->dev);
+@@ -1136,12 +1145,10 @@ EXPORT_SYMBOL(nfc_register_device);
+ */
+ void nfc_unregister_device(struct nfc_dev *dev)
+ {
+- int rc, id;
++ int rc;
+
+ pr_debug("dev_name=%s\n", dev_name(&dev->dev));
+
+- id = dev->idx;
+-
+ if (dev->rfkill) {
+ rfkill_unregister(dev->rfkill);
+ rfkill_destroy(dev->rfkill);
+@@ -1166,8 +1173,6 @@ void nfc_unregister_device(struct nfc_de
+ nfc_devlist_generation++;
+ device_del(&dev->dev);
+ mutex_unlock(&nfc_devlist_mutex);
+-
+- ida_simple_remove(&nfc_index_ida, id);
+ }
+ EXPORT_SYMBOL(nfc_unregister_device);
+
+--- a/net/nfc/nci/core.c
++++ b/net/nfc/nci/core.c
+@@ -1084,8 +1084,7 @@ struct nci_dev *nci_allocate_device(stru
+ return ndev;
+
+ free_nfc:
+- kfree(ndev->nfc_dev);
+-
++ nfc_free_device(ndev->nfc_dev);
+ free_nci:
+ kfree(ndev);
+ return NULL;
--- /dev/null
+From 608c4adfcabab220142ee335a2a003ccd1c0b25b Mon Sep 17 00:00:00 2001
+From: Mateusz Jurczyk <mjurczyk@google.com>
+Date: Wed, 24 May 2017 12:26:20 +0200
+Subject: nfc: Fix the sockaddr length sanitization in llcp_sock_connect
+
+From: Mateusz Jurczyk <mjurczyk@google.com>
+
+commit 608c4adfcabab220142ee335a2a003ccd1c0b25b upstream.
+
+Fix the sockaddr length verification in the connect() handler of NFC/LLCP
+sockets, to compare against the size of the actual structure expected on
+input (sockaddr_nfc_llcp) instead of its shorter version (sockaddr_nfc).
+
+Both structures are defined in include/uapi/linux/nfc.h. The fields
+specific to the _llcp extended struct are as follows:
+
+ 276 __u8 dsap; /* Destination SAP, if known */
+ 277 __u8 ssap; /* Source SAP to be bound to */
+ 278 char service_name[NFC_LLCP_MAX_SERVICE_NAME]; /* Service name URI */;
+ 279 size_t service_name_len;
+
+If the caller doesn't provide a sufficiently long sockaddr buffer, these
+fields remain uninitialized (and they currently originate from the stack
+frame of the top-level sys_connect handler). They are then copied by
+llcp_sock_connect() into internal storage (nfc_llcp_sock structure), and
+could be subsequently read back through the user-mode getsockname()
+function (handled by llcp_sock_getname()). This would result in the
+disclosure of up to ~70 uninitialized bytes from the kernel stack to
+user-mode clients capable of creating AFC_NFC sockets.
+
+Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
+Acked-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/nfc/llcp_sock.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/net/nfc/llcp_sock.c
++++ b/net/nfc/llcp_sock.c
+@@ -655,8 +655,7 @@ static int llcp_sock_connect(struct sock
+
+ pr_debug("sock %p sk %p flags 0x%x\n", sock, sk, flags);
+
+- if (!addr || len < sizeof(struct sockaddr_nfc) ||
+- addr->sa_family != AF_NFC)
++ if (!addr || len < sizeof(*addr) || addr->sa_family != AF_NFC)
+ return -EINVAL;
+
+ if (addr->service_name_len == 0 && addr->dsap == 0)
--- /dev/null
+From 0cbe40112f42cf5e008f9127f6cd5952ba3946c7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Mar 2017 12:15:37 +0200
+Subject: NFC: nfcmrvl: do not use device-managed resources
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0cbe40112f42cf5e008f9127f6cd5952ba3946c7 upstream.
+
+This specifically fixes resource leaks in the registration error paths.
+
+Device-managed resources is a bad fit for this driver as devices can be
+registered from the n_nci line discipline. Firstly, a tty may not even
+have a corresponding device (should it be part of a Unix98 pty)
+something which would lead to a NULL-pointer dereference when
+registering resources.
+
+Secondly, if the tty has a class device, its lifetime exceeds that of
+the line discipline, which means that resources would leak every time
+the line discipline is closed (or if registration fails).
+
+Currently, the devres interface was only being used to request a reset
+gpio despite the fact that it was already explicitly freed in
+nfcmrvl_nci_unregister_dev() (along with the private data), something
+which also prevented the resource leak at close.
+
+Note that the driver treats gpio number 0 as invalid despite it being
+perfectly valid. This will be addressed in a follow-up patch.
+
+Fixes: b2fe288eac72 ("NFC: nfcmrvl: free reset gpio")
+Fixes: 4a2b947f56b3 ("NFC: nfcmrvl: add chip reset management")
+Cc: Vincent Cuissard <cuissard@marvell.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/nfcmrvl/main.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/main.c
++++ b/drivers/nfc/nfcmrvl/main.c
+@@ -124,12 +124,13 @@ struct nfcmrvl_private *nfcmrvl_nci_regi
+ memcpy(&priv->config, pdata, sizeof(*pdata));
+
+ if (priv->config.reset_n_io) {
+- rc = devm_gpio_request_one(dev,
+- priv->config.reset_n_io,
+- GPIOF_OUT_INIT_LOW,
+- "nfcmrvl_reset_n");
+- if (rc < 0)
++ rc = gpio_request_one(priv->config.reset_n_io,
++ GPIOF_OUT_INIT_LOW,
++ "nfcmrvl_reset_n");
++ if (rc < 0) {
++ priv->config.reset_n_io = 0;
+ nfc_err(dev, "failed to request reset_n io\n");
++ }
+ }
+
+ if (phy == NFCMRVL_PHY_SPI) {
+@@ -154,7 +155,7 @@ struct nfcmrvl_private *nfcmrvl_nci_regi
+ if (!priv->ndev) {
+ nfc_err(dev, "nci_allocate_device failed\n");
+ rc = -ENOMEM;
+- goto error;
++ goto error_free_gpio;
+ }
+
+ nci_set_drvdata(priv->ndev, priv);
+@@ -179,7 +180,9 @@ struct nfcmrvl_private *nfcmrvl_nci_regi
+
+ error_free_dev:
+ nci_free_device(priv->ndev);
+-error:
++error_free_gpio:
++ if (priv->config.reset_n_io)
++ gpio_free(priv->config.reset_n_io);
+ kfree(priv);
+ return ERR_PTR(rc);
+ }
+@@ -195,7 +198,7 @@ void nfcmrvl_nci_unregister_dev(struct n
+ nfcmrvl_fw_dnld_deinit(priv);
+
+ if (priv->config.reset_n_io)
+- devm_gpio_free(priv->dev, priv->config.reset_n_io);
++ gpio_free(priv->config.reset_n_io);
+
+ nci_unregister_device(ndev);
+ nci_free_device(ndev);
--- /dev/null
+From 45dd39b974f6632222dd5cdcbea7358a077ab0b0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Mar 2017 12:15:39 +0200
+Subject: NFC: nfcmrvl: fix firmware-management initialisation
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 45dd39b974f6632222dd5cdcbea7358a077ab0b0 upstream.
+
+The nci-device was never deregistered in the event that
+fw-initialisation failed.
+
+Fix this by moving the firmware initialisation before device
+registration since the firmware work queue should be available before
+registering.
+
+Note that this depends on a recent fix that moved device-name
+initialisation back to to nci_allocate_device() as the
+firmware-workqueue name is now derived from the nfc-device name.
+
+Fixes: 3194c6870158 ("NFC: nfcmrvl: add firmware download support")
+Cc: Vincent Cuissard <cuissard@marvell.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/nfcmrvl/main.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/main.c
++++ b/drivers/nfc/nfcmrvl/main.c
+@@ -158,26 +158,28 @@ struct nfcmrvl_private *nfcmrvl_nci_regi
+ goto error_free_gpio;
+ }
+
++ rc = nfcmrvl_fw_dnld_init(priv);
++ if (rc) {
++ nfc_err(dev, "failed to initialize FW download %d\n", rc);
++ goto error_free_dev;
++ }
++
+ nci_set_drvdata(priv->ndev, priv);
+
+ rc = nci_register_device(priv->ndev);
+ if (rc) {
+ nfc_err(dev, "nci_register_device failed %d\n", rc);
+- goto error_free_dev;
++ goto error_fw_dnld_deinit;
+ }
+
+ /* Ensure that controller is powered off */
+ nfcmrvl_chip_halt(priv);
+
+- rc = nfcmrvl_fw_dnld_init(priv);
+- if (rc) {
+- nfc_err(dev, "failed to initialize FW download %d\n", rc);
+- goto error_free_dev;
+- }
+-
+ nfc_info(dev, "registered with nci successfully\n");
+ return priv;
+
++error_fw_dnld_deinit:
++ nfcmrvl_fw_dnld_deinit(priv);
+ error_free_dev:
+ nci_free_device(priv->ndev);
+ error_free_gpio:
--- /dev/null
+From e5834ac22948169bbd7c45996d8d4905edd20f5e Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Mar 2017 12:15:38 +0200
+Subject: NFC: nfcmrvl: use nfc-device for firmware download
+
+From: Johan Hovold <johan@kernel.org>
+
+commit e5834ac22948169bbd7c45996d8d4905edd20f5e upstream.
+
+Use the nfc- rather than phy-device in firmware-management code that
+needs a valid struct device.
+
+This specifically fixes a NULL-pointer dereference in
+nfcmrvl_fw_dnld_init() during registration when the underlying tty is
+one end of a Unix98 pty.
+
+Note that the driver still uses the phy device for any debugging, which
+is fine for now.
+
+Fixes: 3194c6870158 ("NFC: nfcmrvl: add firmware download support")
+Cc: Vincent Cuissard <cuissard@marvell.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/nfcmrvl/fw_dnld.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/fw_dnld.c
++++ b/drivers/nfc/nfcmrvl/fw_dnld.c
+@@ -459,7 +459,7 @@ int nfcmrvl_fw_dnld_init(struct nfcmrvl_
+
+ INIT_WORK(&priv->fw_dnld.rx_work, fw_dnld_rx_work);
+ snprintf(name, sizeof(name), "%s_nfcmrvl_fw_dnld_rx_wq",
+- dev_name(priv->dev));
++ dev_name(&priv->ndev->nfc_dev->dev));
+ priv->fw_dnld.rx_wq = create_singlethread_workqueue(name);
+ if (!priv->fw_dnld.rx_wq)
+ return -ENOMEM;
+@@ -496,6 +496,7 @@ int nfcmrvl_fw_dnld_start(struct nci_dev
+ {
+ struct nfcmrvl_private *priv = nci_get_drvdata(ndev);
+ struct nfcmrvl_fw_dnld *fw_dnld = &priv->fw_dnld;
++ int res;
+
+ if (!priv->support_fw_dnld)
+ return -ENOTSUPP;
+@@ -511,7 +512,9 @@ int nfcmrvl_fw_dnld_start(struct nci_dev
+ */
+
+ /* Retrieve FW binary */
+- if (request_firmware(&fw_dnld->fw, firmware_name, priv->dev) < 0) {
++ res = request_firmware(&fw_dnld->fw, firmware_name,
++ &ndev->nfc_dev->dev);
++ if (res < 0) {
+ nfc_err(priv->dev, "failed to retrieve FW %s", firmware_name);
+ return -ENOENT;
+ }
--- /dev/null
+From 15e0c59f1535926a939d1df66d6edcf997d7c1b9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 30 Mar 2017 12:15:36 +0200
+Subject: NFC: nfcmrvl_uart: add missing tty-device sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 15e0c59f1535926a939d1df66d6edcf997d7c1b9 upstream.
+
+Make sure to check the tty-device pointer before trying to access the
+parent device to avoid dereferencing a NULL-pointer when the tty is one
+end of a Unix98 pty.
+
+Fixes: e097dc624f78 ("NFC: nfcmrvl: add UART driver")
+Cc: Vincent Cuissard <cuissard@marvell.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Samuel Ortiz <sameo@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/nfcmrvl/uart.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/nfc/nfcmrvl/uart.c
++++ b/drivers/nfc/nfcmrvl/uart.c
+@@ -109,6 +109,7 @@ static int nfcmrvl_nci_uart_open(struct
+ struct nfcmrvl_private *priv;
+ struct nfcmrvl_platform_data *pdata = NULL;
+ struct nfcmrvl_platform_data config;
++ struct device *dev = nu->tty->dev;
+
+ /*
+ * Platform data cannot be used here since usually it is already used
+@@ -116,9 +117,8 @@ static int nfcmrvl_nci_uart_open(struct
+ * and check if DT entries were added.
+ */
+
+- if (nu->tty->dev->parent && nu->tty->dev->parent->of_node)
+- if (nfcmrvl_uart_parse_dt(nu->tty->dev->parent->of_node,
+- &config) == 0)
++ if (dev && dev->parent && dev->parent->of_node)
++ if (nfcmrvl_uart_parse_dt(dev->parent->of_node, &config) == 0)
+ pdata = &config;
+
+ if (!pdata) {
+@@ -131,7 +131,7 @@ static int nfcmrvl_nci_uart_open(struct
+ }
+
+ priv = nfcmrvl_nci_register_dev(NFCMRVL_PHY_UART, nu, &uart_ops,
+- nu->tty->dev, pdata);
++ dev, pdata);
+ if (IS_ERR(priv))
+ return PTR_ERR(priv);
+
disable-new-gcc-7.1.1-warnings-for-now.patch
ir-core-fix-gcc-7-warning-on-bool-arithmetic.patch
s5p-jpeg-don-t-return-a-random-width-height.patch
+thermal-cpu_cooling-avoid-accessing-potentially-freed-structures.patch
+ath9k-fix-tx99-use-after-free.patch
+ath9k-fix-tx99-bus-error.patch
+nfc-fix-broken-device-allocation.patch
+nfc-nfcmrvl_uart-add-missing-tty-device-sanity-check.patch
+nfc-nfcmrvl-do-not-use-device-managed-resources.patch
+nfc-nfcmrvl-use-nfc-device-for-firmware-download.patch
+nfc-nfcmrvl-fix-firmware-management-initialisation.patch
+nfc-ensure-presence-of-required-attributes-in-the-activate_target-handler.patch
+nfc-fix-the-sockaddr-length-sanitization-in-llcp_sock_connect.patch
+nfc-add-sockaddr-length-checks-before-accessing-sa_family-in-bind-handlers.patch
--- /dev/null
+From 289d72afddf83440117c35d864bf0c6309c1d011 Mon Sep 17 00:00:00 2001
+From: Viresh Kumar <viresh.kumar@linaro.org>
+Date: Tue, 25 Apr 2017 15:57:08 +0530
+Subject: thermal: cpu_cooling: Avoid accessing potentially freed structures
+
+From: Viresh Kumar <viresh.kumar@linaro.org>
+
+commit 289d72afddf83440117c35d864bf0c6309c1d011 upstream.
+
+After the lock is dropped, it is possible that the cpufreq_dev gets
+freed before we call get_level() and that can cause kernel to crash.
+
+Drop the lock after we are done using the structure.
+
+Fixes: 02373d7c69b4 ("thermal: cpu_cooling: fix lockdep problems in cpu_cooling")
+Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
+Reviewed-by: Lukasz Luba <lukasz.luba@arm.com>
+Tested-by: Lukasz Luba <lukasz.luba@arm.com>
+Signed-off-by: Eduardo Valentin <edubezval@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/thermal/cpu_cooling.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/thermal/cpu_cooling.c
++++ b/drivers/thermal/cpu_cooling.c
+@@ -191,8 +191,10 @@ unsigned long cpufreq_cooling_get_level(
+ mutex_lock(&cooling_list_lock);
+ list_for_each_entry(cpufreq_dev, &cpufreq_dev_list, node) {
+ if (cpumask_test_cpu(cpu, &cpufreq_dev->allowed_cpus)) {
++ unsigned long level = get_level(cpufreq_dev, freq);
++
+ mutex_unlock(&cooling_list_lock);
+- return get_level(cpufreq_dev, freq);
++ return level;
+ }
+ }
+ mutex_unlock(&cooling_list_lock);
projects / thirdparty / kernel / stable-queue.git / commitdiff
