--- /dev/null
+From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 13:44:20 +0100
+Subject: ath9k_htc: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
+@@ -1143,6 +1143,9 @@ static int send_eject_command(struct usb
+ u8 bulk_out_ep;
+ int r;
+
++ if (iface_desc->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ /* Find bulk out endpoint */
+ for (r = 1; r >= 0; r--) {
+ endpoint = &iface_desc->endpoint[r].desc;
--- /dev/null
+From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= <dg@emlix.com>
+Date: Fri, 24 Feb 2017 15:05:14 +0100
+Subject: ima: accept previously set IMA_NEW_FILE
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Daniel Glöckner <dg@emlix.com>
+
+commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream.
+
+Modifying the attributes of a file makes ima_inode_post_setattr reset
+the IMA cache flags. So if the file, which has just been created,
+is opened a second time before the first file descriptor is closed,
+verification fails since the security.ima xattr has not been written
+yet. We therefore have to look at the IMA_NEW_FILE even if the file
+already existed.
+
+With this patch there should no longer be an error when cat tries to
+open testfile:
+
+$ rm -f testfile
+$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile
+
+A file being new is no reason to accept that it is missing a digital
+signature demanded by the policy.
+
+Signed-off-by: Daniel Glöckner <dg@emlix.com>
+Signed-off-by: Mimi Zohar <zohar@linux.vnet.ibm.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ security/integrity/ima/ima_appraise.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/security/integrity/ima/ima_appraise.c
++++ b/security/integrity/ima/ima_appraise.c
+@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, s
+
+ cause = "missing-hash";
+ status = INTEGRITY_NOLABEL;
+- if (opened & FILE_CREATED) {
++ if (opened & FILE_CREATED)
+ iint->flags |= IMA_NEW_FILE;
++ if ((iint->flags & IMA_NEW_FILE) &&
++ !(iint->flags & IMA_DIGSIG_REQUIRED))
+ status = INTEGRITY_PASS;
+- }
+ goto out;
+ }
+
--- /dev/null
+From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001
+From: Richard Cochran <rcochran@linutronix.de>
+Date: Mon, 17 Apr 2017 10:23:36 +0200
+Subject: regulator: tps65023: Fix inverted core enable logic.
+
+From: Richard Cochran <rcochran@linutronix.de>
+
+commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream.
+
+Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use
+regmap_read/write(), regmap_update_bits functions directly") intended
+to replace working inline helper functions with standard regmap
+calls. However, it also inverted the set/clear logic of the "CORE ADJ
+Allowed" bit. That patch was clearly never tested, since without that
+bit cleared, the core VDCDC1 voltage output does not react to I2C
+configuration changes.
+
+This patch fixes the issue by clearing the bit as in the original,
+correct implementation. Note for stable back porting that, due to
+subsequent driver churn, this patch will not apply on every kernel
+version.
+
+Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly")
+Signed-off-by: Richard Cochran <rcochran@linutronix.de>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/regulator/tps65023-regulator.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/regulator/tps65023-regulator.c
++++ b/drivers/regulator/tps65023-regulator.c
+@@ -290,8 +290,7 @@ static int tps_65023_probe(struct i2c_cl
+
+ /* Enable setting output voltage by I2C */
+ regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2,
+- TPS65023_REG_CTRL2_CORE_ADJ,
+- TPS65023_REG_CTRL2_CORE_ADJ);
++ TPS65023_REG_CTRL2_CORE_ADJ, 0);
+
+ return 0;
+ }
dm-thin-metadata-call-precommit-before-saving-the-roots.patch
dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch
mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch
+ima-accept-previously-set-ima_new_file.patch
+regulator-tps65023-fix-inverted-core-enable-logic.patch
+ath9k_htc-fix-null-deref-at-probe.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
