--- /dev/null
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft <apw@canonical.com>
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft <apw@canonical.com>
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft <apw@canonical.com>
+Broke up long line.
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
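Review bot: Nothing in this hunk shows that `inparam.g.name` is zero when the structure is copied out. The added `memcpy` stops at `offsetof(struct floppy_struct, name)` and relies on `inparam` having been cleared earlier in fd_locked_ioctl, which the commit message states but the hunk does not show. A comment above the copy would keep that invariant visible, e.g. `/* inparam is cleared on entry, so name goes out as NULL, never as a kernel address */`. If that clearing were ever made conditional on the ioctl direction, this case would copy an uninitialised stack value to user space, so an explicit `inparam.g.name = NULL;` after the memcpy is a cheap safeguard. The function body starts and ends outside the hunk.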
--- /dev/null
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy <christophe.leroy@c-s.fr>
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel <jason.wessel@windriver.com>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Christophe Leroy <christophe.leroy@c-s.fr>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1068,8 +1068,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
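Review bot: poll_wait_key() now returns two different things through one int, and nothing documents that. It returns `NO_POLL_CHAR` when the descriptor is empty and, judging by `poll_chars = ret` in the cpm_get_poll_char hunk below, a character count otherwise. A comment above the function such as `/* Returns the number of characters read into obuf, or NO_POLL_CHAR if none is pending; never blocks */` would stop a later caller from storing the sentinel as a count. The function's signature and tail are outside the hunk.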
+@@ -1104,7 +1104,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
module-exclude-shn_undef-symbols-from-kallsyms-api.patch
nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
arm-dts-dra7-fix-dcan-node-addresses.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
--- /dev/null
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -587,11 +587,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
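Review bot: The new `else` branch has no comment saying why an interrupted wait must also terminate the DMA channels, which is the whole point of the fix. Something like `/* timeout or signal: the transfer may still be in flight, stop it so later transfers start clean */` above the `if (!ret)` would do. Separately, the branch is also entered when `ret > 0` while `rspi->dma_callbacked` is false. That looks unreachable given how wait_event_interruptible_timeout() reports success, but if it can happen the channels are terminated and a positive value is left in `ret`, so it may be worth dropping the redundant flag test or mapping that case to an error. The rest of rspi_dma_transfer is outside the hunk.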
--- /dev/null
+From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+Date: Wed, 5 Sep 2018 10:49:38 +0200
+Subject: spi: rspi: Fix invalid SPI use during system suspend
+
+From: Geert Uytterhoeven <geert+renesas@glider.be>
+
+commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume,
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Based on a patch for sh-msiof by Gaku Inami.
+
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1303,12 +1303,36 @@ static const struct platform_device_id s
+
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int rspi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(rspi->master);
++}
++
++static int rspi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_resume(rspi->master);
++}
++
++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume);
++#define DEV_PM_OPS &rspi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver rspi_driver = {
+ .probe = rspi_probe,
+ .remove = rspi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "renesas_spi",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(rspi_of_match),
+ },
+ };
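Review bot: Both callbacks go through `to_platform_device()` only to call `platform_get_drvdata()`; `struct rspi_data *rspi = dev_get_drvdata(dev);` fetches the same pointer in one step and drops the `pdev` local. The same applies to sh_msiof_spi_suspend() and sh_msiof_spi_resume() in the spi-sh-msiof.c patch further down. `DEV_PM_OPS` is also a very generic macro name to define identically in two drivers; a driver-prefixed name would be easier to grep.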
--- /dev/null
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -374,7 +374,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
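Review bot: sh_msiof_reset_str() needs a comment explaining the mask, because a read-modify-write that clears two bits is hard to follow without the hardware manual at hand. Per the commit message TDREQ and RDREQ are read-only and must be written as zero, so `/* TDREQ/RDREQ are read-only and must be written as 0 */` above the write captures it.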
--- /dev/null
+From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Date: Wed, 5 Sep 2018 10:49:36 +0200
+Subject: spi: sh-msiof: Fix invalid SPI use during system suspend
+
+From: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+
+commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Signed-off-by: Gaku Inami <gaku.inami.xw@bp.renesas.com>
+Signed-off-by: Hiromitsu Yamasaki <hiromitsu.yamasaki.ym@renesas.com>
+[geert: Cleanup, reword]
+Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1275,12 +1275,37 @@ static const struct platform_device_id s
+ };
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int sh_msiof_spi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(p->master);
++}
++
++static int sh_msiof_spi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_resume(p->master);
++}
++
++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend,
++ sh_msiof_spi_resume);
++#define DEV_PM_OPS &sh_msiof_spi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver sh_msiof_spi_drv = {
+ .probe = sh_msiof_spi_probe,
+ .remove = sh_msiof_spi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "spi_sh_msiof",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(sh_msiof_match),
+ },
+ };
--- /dev/null
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
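Review bot: `clk_prepare()` is never balanced by `clk_unprepare()` on any path added here. If `clk_enable()` fails, the code jumps to `exit_free_master` with the clock still prepared. The new `exit_clk_disable` label and the tegra_slink_remove hunk call only `clk_disable(tspi->clk);`. Adding `clk_unprepare(tspi->clk);` before the `goto` in the enable-failure branch and after each `clk_disable(tspi->clk);` would close the leak. Later code in probe, outside these hunks, may change the clock state again, so check that before choosing between this and a single `clk_prepare_enable()`/`clk_disable_unprepare()` pair.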
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
+ tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
--- /dev/null
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -562,6 +562,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
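Review bot: The error branch undoes by hand the state set earlier in usb_driver_claim_interface(), but that setup is outside the hunk and nothing ties the two together. A short comment such as `/* device_bind_driver() failed: undo everything set up above so the interface is not left looking bound */` would tell whoever next adds state before the bind call that it needs a matching reset here. A stale `dev->driver` and `iface->condition` are what the commit message identifies as the cause of the use-after-free, so the pairing is worth making explicit.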
--- /dev/null
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC: <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -95,6 +95,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
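Review bot: The new guard changes the function's contract without documenting it: callers may now pass a NULL `config` and get NULL back. If usb_find_alt_setting() has a kernel-doc block above it (outside the hunk), its return description should say so, e.g. `NULL if @config is NULL or no matching altsetting is found`. The loop body continues past the end of the hunk.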