4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 May 2017 13:41:11 +0000 (15:41 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 23 May 2017 13:41:11 +0000 (15:41 +0200)
added patches:
ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
cx231xx-audio-fix-init-error-path.patch
cx231xx-audio-fix-null-deref-at-probe.patch
cx231xx-cards-fix-null-deref-at-probe.patch
dib0700-fix-null-deref-at-probe.patch
dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
gspca-konica-add-missing-endpoint-sanity-check.patch
iio-proximity-as3935-fix-as3935_write.patch
ipx-call-ipxitf_put-in-ioctl-error-path.patch
s5p-mfc-fix-unbalanced-call-to-clock-management.patch
zr364xx-enforce-minimum-size-when-reading-header.patch

12 files changed:
queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch [new file with mode: 0644]
queue-4.4/cx231xx-audio-fix-init-error-path.patch [new file with mode: 0644]
queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.4/dib0700-fix-null-deref-at-probe.patch [new file with mode: 0644]
queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch [new file with mode: 0644]
queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch [new file with mode: 0644]
queue-4.4/iio-proximity-as3935-fix-as3935_write.patch [new file with mode: 0644]
queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch [new file with mode: 0644]
queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch [new file with mode: 0644]

diff --git a/queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch b/queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
new file mode 100644 (file)
index 0000000..848f396
--- /dev/null
@@ -0,0 +1,120 @@
+From 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 Mon Sep 17 00:00:00 2001
+From: "Yan, Zheng" <zyan@redhat.com>
+Date: Wed, 19 Apr 2017 10:01:48 +0800
+Subject: ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
+
+From: Yan, Zheng <zyan@redhat.com>
+
+commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream.
+
+ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
+to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
+then calls posix_acl_chmod().
+
+The problem is that __ceph_setattr() calls posix_acl_chmod() before
+sending the setattr request. The get_acl() call in posix_acl_chmod()
+can trigger a getxattr request. The reply of the getxattr request
+can restore inode's i_mode to its old value. The set_acl() call in
+posix_acl_chmod() sees old value of inode's i_mode, so it calls
+__ceph_setattr() again.
+
+Cc: stable@vger.kernel.org # needs backporting for < 4.9
+Link: http://tracker.ceph.com/issues/19688
+Reported-by: Jerry Lee <leisurelysw24@gmail.com>
+Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
+Reviewed-by: Jeff Layton <jlayton@redhat.com>
+Tested-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+[luis: introduce __ceph_setattr() and make ceph_set_acl() call it, as
+ suggested by Yan.]
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Reviewed-by: “Yan, Zheng” <zyan@redhat.com>
+---
+ fs/ceph/acl.c   |    4 ++--
+ fs/ceph/inode.c |   27 ++++++++++++++++-----------
+ fs/ceph/super.h |    1 +
+ 3 files changed, 19 insertions(+), 13 deletions(-)
+
+--- a/fs/ceph/acl.c
++++ b/fs/ceph/acl.c
+@@ -128,7 +128,7 @@ int ceph_set_acl(struct inode *inode, st
+       if (new_mode != old_mode) {
+               newattrs.ia_mode = new_mode;
+               newattrs.ia_valid = ATTR_MODE;
+-              ret = ceph_setattr(dentry, &newattrs);
++              ret = __ceph_setattr(dentry, &newattrs);
+               if (ret)
+                       goto out_dput;
+       }
+@@ -138,7 +138,7 @@ int ceph_set_acl(struct inode *inode, st
+               if (new_mode != old_mode) {
+                       newattrs.ia_mode = old_mode;
+                       newattrs.ia_valid = ATTR_MODE;
+-                      ceph_setattr(dentry, &newattrs);
++                      __ceph_setattr(dentry, &newattrs);
+               }
+               goto out_dput;
+       }
+--- a/fs/ceph/inode.c
++++ b/fs/ceph/inode.c
+@@ -1773,7 +1773,7 @@ static const struct inode_operations cep
+ /*
+  * setattr
+  */
+-int ceph_setattr(struct dentry *dentry, struct iattr *attr)
++int __ceph_setattr(struct dentry *dentry, struct iattr *attr)
+ {
+       struct inode *inode = d_inode(dentry);
+       struct ceph_inode_info *ci = ceph_inode(inode);
+@@ -1975,11 +1975,6 @@ int ceph_setattr(struct dentry *dentry,
+       if (inode_dirty_flags)
+               __mark_inode_dirty(inode, inode_dirty_flags);
+-      if (ia_valid & ATTR_MODE) {
+-              err = posix_acl_chmod(inode, attr->ia_mode);
+-              if (err)
+-                      goto out_put;
+-      }
+       if (mask) {
+               req->r_inode = inode;
+@@ -1993,13 +1988,23 @@ int ceph_setattr(struct dentry *dentry,
+            ceph_cap_string(dirtied), mask);
+       ceph_mdsc_put_request(req);
+-      if (mask & CEPH_SETATTR_SIZE)
+-              __ceph_do_pending_vmtruncate(inode);
+       ceph_free_cap_flush(prealloc_cf);
++
++      if (err >= 0 && (mask & CEPH_SETATTR_SIZE))
++              __ceph_do_pending_vmtruncate(inode);
++
+       return err;
+-out_put:
+-      ceph_mdsc_put_request(req);
+-      ceph_free_cap_flush(prealloc_cf);
++}
++
++int ceph_setattr(struct dentry *dentry, struct iattr *attr)
++{
++      int err;
++
++      err = __ceph_setattr(dentry, attr);
++
++      if (err >= 0 && (attr->ia_valid & ATTR_MODE))
++              err = posix_acl_chmod(d_inode(dentry), attr->ia_mode);
++
+       return err;
+ }
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -788,6 +788,7 @@ static inline int ceph_do_getattr(struct
+       return __ceph_do_getattr(inode, NULL, mask, force);
+ }
+ extern int ceph_permission(struct inode *inode, int mask);
++extern int __ceph_setattr(struct dentry *dentry, struct iattr *attr);
+ extern int ceph_setattr(struct dentry *dentry, struct iattr *attr);
+ extern int ceph_getattr(struct vfsmount *mnt, struct dentry *dentry,
+                       struct kstat *stat);
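Review bot: In the new `ceph_setattr()` wrapper, `posix_acl_chmod()` runs only after `__ceph_setattr()` has returned, so when the ACL update fails the caller gets an error while the new mode may already be in effect and the access ACL may no longer match it. That ordering is what breaks the recursion, but it deserves a comment on the wrapper, e.g. `/* update the ACL only after the setattr is done; a failure here leaves the new i_mode in place */`. The `extern int __ceph_setattr(...)` declaration in super.h would also benefit from a one-line note that it skips the ACL update. Separately, the rollback call `__ceph_setattr(dentry, &newattrs);` in `ceph_set_acl()` still discards its return value, so a failed restore of `old_mode` goes unreported; that function continues outside the hunk.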
diff --git a/queue-4.4/cx231xx-audio-fix-init-error-path.patch b/queue-4.4/cx231xx-audio-fix-init-error-path.patch
new file mode 100644 (file)
index 0000000..95687e4
--- /dev/null
@@ -0,0 +1,78 @@
+From fff1abc4d54e469140a699612b4db8d6397bfcba Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:57 -0300
+Subject: [media] cx231xx-audio: fix init error path
+
+From: Johan Hovold <johan@kernel.org>
+
+commit fff1abc4d54e469140a699612b4db8d6397bfcba upstream.
+
+Make sure to release the snd_card also on a late allocation error.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: Sri Deevi <Srinivasa.Deevi@conexant.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-audio.c |   25 ++++++++++++++-----------
+ 1 file changed, 14 insertions(+), 11 deletions(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
+@@ -671,10 +671,8 @@ static int cx231xx_audio_init(struct cx2
+       spin_lock_init(&adev->slock);
+       err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, &pcm);
+-      if (err < 0) {
+-              snd_card_free(card);
+-              return err;
+-      }
++      if (err < 0)
++              goto err_free_card;
+       snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE,
+                       &snd_cx231xx_pcm_capture);
+@@ -688,10 +686,9 @@ static int cx231xx_audio_init(struct cx2
+       INIT_WORK(&dev->wq_trigger, audio_trigger);
+       err = snd_card_register(card);
+-      if (err < 0) {
+-              snd_card_free(card);
+-              return err;
+-      }
++      if (err < 0)
++              goto err_free_card;
++
+       adev->sndcard = card;
+       adev->udev = dev->udev;
+@@ -710,9 +707,10 @@ static int cx231xx_audio_init(struct cx2
+               "audio EndPoint Addr 0x%x, Alternate settings: %i\n",
+               adev->end_point_addr, adev->num_alt);
+       adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL);
+-
+-      if (adev->alt_max_pkt_size == NULL)
+-              return -ENOMEM;
++      if (!adev->alt_max_pkt_size) {
++              err = -ENOMEM;
++              goto err_free_card;
++      }
+       for (i = 0; i < adev->num_alt; i++) {
+               u16 tmp =
+@@ -726,6 +724,11 @@ static int cx231xx_audio_init(struct cx2
+       }
+       return 0;
++
++err_free_card:
++      snd_card_free(card);
++
++      return err;
+ }
+ static int cx231xx_audio_fini(struct cx231xx *dev)
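Review bot: The new `err_free_card` label frees the card, but the `kmalloc()` failure path reaches it after `adev->sndcard = card;` has been assigned, so `adev->sndcard` is left pointing at freed memory. If `cx231xx_audio_fini()` (which begins on the last line of this hunk and is not shown) or other teardown code keys off `adev->sndcard`, that would be a use-after-free or double free; this needs confirming against the full file. Either move the assignment below the last failure point or clear it on the error path, e.g. `adev->sndcard = NULL;` before `return err;`. The same concern applies to `adev->alt_max_pkt_size` after the `kfree()` that the following cx231xx-audio patch adds under `err_free_pkt_size`.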
diff --git a/queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch b/queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..4f704f0
--- /dev/null
@@ -0,0 +1,65 @@
+From 65f921647f4c89a2068478c89691f39b309b58f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:58 -0300
+Subject: [media] cx231xx-audio: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: Sri Deevi <Srinivasa.Deevi@conexant.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-audio.c |   17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
+@@ -698,6 +698,11 @@ static int cx231xx_audio_init(struct cx2
+                                           hs_config_info[0].interface_info.
+                                           audio_index + 1];
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
++              err = -ENODEV;
++              goto err_free_card;
++      }
++
+       adev->end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -713,8 +718,14 @@ static int cx231xx_audio_init(struct cx2
+       }
+       for (i = 0; i < adev->num_alt; i++) {
+-              u16 tmp =
+-                  le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
++                      err = -ENODEV;
++                      goto err_free_pkt_size;
++              }
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
+                               wMaxPacketSize);
+               adev->alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+@@ -725,6 +736,8 @@ static int cx231xx_audio_init(struct cx2
+       return 0;
++err_free_pkt_size:
++      kfree(adev->alt_max_pkt_size);
+ err_free_card:
+       snd_card_free(card);
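Review bot: The added `bNumEndpoints < isoc_pipe + 1` checks bound the `endpoint[isoc_pipe]` index, but the expression ending in `audio_index + 1]` just above the first check, which appears to select `uif`, is not compared against the number of interfaces anywhere in the visible lines. That lookup starts outside the hunk, so a bound may already exist there; if it does not, a device reporting fewer interfaces than expected would cause the same class of out-of-bounds read this patch closes for endpoints. A comment on the first check, such as `/* descriptors are device-controlled: verify the isoc endpoint exists before indexing */`, would also record why the test is repeated per altsetting in the loop.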
diff --git a/queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch b/queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..ab74c1a
--- /dev/null
@@ -0,0 +1,128 @@
+From 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:56 -0300
+Subject: [media] cx231xx-cards: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: Sri Deevi <Srinivasa.Deevi@conexant.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c |   45 ++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1447,6 +1447,9 @@ static int cx231xx_init_v4l2(struct cx23
+       uif = udev->actconfig->interface[idx];
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->video_mode.end_point_addr = uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress;
+       dev->video_mode.num_alt = uif->num_altsetting;
+@@ -1460,7 +1463,12 @@ static int cx231xx_init_v4l2(struct cx23
+               return -ENOMEM;
+       for (i = 0; i < dev->video_mode.num_alt; i++) {
+-              u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
+               dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+               dev_dbg(dev->dev,
+                       "Alternate setting %i, max size= %i\n", i,
+@@ -1477,6 +1485,9 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+       uif = udev->actconfig->interface[idx];
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->vbi_mode.end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -1493,8 +1504,12 @@ static int cx231xx_init_v4l2(struct cx23
+               return -ENOMEM;
+       for (i = 0; i < dev->vbi_mode.num_alt; i++) {
+-              u16 tmp =
+-                  le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+                               desc.wMaxPacketSize);
+               dev->vbi_mode.alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+@@ -1514,6 +1529,9 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+       uif = udev->actconfig->interface[idx];
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->sliced_cc_mode.end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -1528,7 +1546,12 @@ static int cx231xx_init_v4l2(struct cx23
+               return -ENOMEM;
+       for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) {
+-              u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+                               desc.wMaxPacketSize);
+               dev->sliced_cc_mode.alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+@@ -1693,6 +1716,11 @@ static int cx231xx_usb_probe(struct usb_
+               }
+               uif = udev->actconfig->interface[idx];
++              if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
++                      retval = -ENODEV;
++                      goto err_video_alt;
++              }
++
+               dev->ts1_mode.end_point_addr =
+                   uif->altsetting[0].endpoint[isoc_pipe].
+                               desc.bEndpointAddress;
+@@ -1710,7 +1738,14 @@ static int cx231xx_usb_probe(struct usb_
+               }
+               for (i = 0; i < dev->ts1_mode.num_alt; i++) {
+-                      u16 tmp = le16_to_cpu(uif->altsetting[i].
++                      u16 tmp;
++
++                      if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
++                              retval = -ENODEV;
++                              goto err_video_alt;
++                      }
++
++                      tmp = le16_to_cpu(uif->altsetting[i].
+                                               endpoint[isoc_pipe].desc.
+                                               wMaxPacketSize);
+                       dev->ts1_mode.alt_max_pkt_size[i] =
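Review bot: Inside the three loops of `cx231xx_init_v4l2()` the new guard does a bare `return -ENODEV;` at a point where the matching `alt_max_pkt_size` array has apparently just been allocated (the `return -ENOMEM;` context line above each loop looks like that allocation's failure path), whereas the two sites in `cx231xx_usb_probe()` unwind through `goto err_video_alt`. The allocations are outside the hunks; if they are not device-managed, these early returns leak the array and should unwind instead. The same `bNumEndpoints < isoc_pipe + 1` test is also open-coded at all eight sites, and a small static helper taking `uif`, the altsetting index and `isoc_pipe` would make a missed site less likely.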
diff --git a/queue-4.4/dib0700-fix-null-deref-at-probe.patch b/queue-4.4/dib0700-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..0d00874
--- /dev/null
@@ -0,0 +1,37 @@
+From d5823511c0f8719a39e72ede1bce65411ac653b7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:54 -0300
+Subject: [media] dib0700: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge
+Nova-TD")
+
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -783,6 +783,9 @@ int dib0700_rc_setup(struct dvb_usb_devi
+       /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
++      if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
++              return -ENODEV;
++
+       purb = usb_alloc_urb(0, GFP_KERNEL);
+       if (purb == NULL) {
+               err("rc usb alloc urb failed");
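Review bot: The new endpoint-count check lands between the existing firmware 1.20 comment and the URB setup that comment describes, and the check itself carries no explanation of why `rc_ep + 1` endpoints are required. A short comment such as `/* refuse devices that do not expose the RC endpoint */` above the `if`, with the firmware comment kept next to `usb_alloc_urb()`, would keep both readable. The check reads `altsetting[0]`; the code that later uses the endpoint is outside the hunk, so it is worth confirming that it indexes the same altsetting rather than `cur_altsetting`.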
diff --git a/queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch b/queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
new file mode 100644 (file)
index 0000000..126e976
--- /dev/null
@@ -0,0 +1,36 @@
+From 158f0328af86a99d64073851967a02694bff987d Mon Sep 17 00:00:00 2001
+From: Daniel Scheller <d.scheller@gmx.net>
+Date: Sun, 19 Mar 2017 12:26:39 -0300
+Subject: [media] dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops
+
+From: Daniel Scheller <d.scheller@gmx.net>
+
+commit 158f0328af86a99d64073851967a02694bff987d upstream.
+
+Fixes "w_scan -f c" complaining with
+
+  This dvb driver is *buggy*: the symbol rate limits are undefined - please
+  report to linuxtv.org)
+
+Signed-off-by: Daniel Scheller <d.scheller@gmx.net>
+Acked-by: Abylay Ospan <aospan@netup.ru>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/dvb-frontends/cxd2841er.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cxd2841er.c
++++ b/drivers/media/dvb-frontends/cxd2841er.c
+@@ -2678,7 +2678,9 @@ static struct  dvb_frontend_ops cxd2841e
+                       FE_CAN_MUTE_TS |
+                       FE_CAN_2G_MODULATION,
+               .frequency_min = 42000000,
+-              .frequency_max = 1002000000
++              .frequency_max = 1002000000,
++              .symbol_rate_min = 870000,
++              .symbol_rate_max = 11700000
+       },
+       .init = cxd2841er_init_tc,
+       .sleep = cxd2841er_sleep_tc,
diff --git a/queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch b/queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..a418c2b
--- /dev/null
@@ -0,0 +1,41 @@
+From aa58fedb8c7b6cf2f05941d238495f9e2f29655c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:59 -0300
+Subject: [media] gspca: konica: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.
+
+Make sure to check the number of endpoints to avoid accessing memory
+beyond the endpoint array should a device lack the expected endpoints.
+
+Note that, as far as I can tell, the gspca framework has already made
+sure there is at least one endpoint in the current alternate setting so
+there should be no risk for a NULL-pointer dereference here.
+
+Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
+konica chipset using cams")
+
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/konica.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/gspca/konica.c
++++ b/drivers/media/usb/gspca/konica.c
+@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
+               return -EIO;
+       }
++      if (alt->desc.bNumEndpoints < 2)
++              return -ENODEV;
++
+       packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+       n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
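Review bot: The literal `2` in `if (alt->desc.bNumEndpoints < 2)` is unexplained: the only access visible here is `alt->endpoint[0]`, so the second endpoint must be used further down in `sd_start()`, outside the hunk. A comment naming that use, for example `/* endpoint[0] and endpoint[1] are both read below */` (wording to be checked against the rest of the function), would stop a later cleanup from relaxing the bound to 1.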
diff --git a/queue-4.4/iio-proximity-as3935-fix-as3935_write.patch b/queue-4.4/iio-proximity-as3935-fix-as3935_write.patch
new file mode 100644 (file)
index 0000000..e678df6
--- /dev/null
@@ -0,0 +1,40 @@
+From 84ca8e364acb26aba3292bc113ca8ed4335380fd Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Thu, 13 Apr 2017 23:21:56 -0700
+Subject: iio: proximity: as3935: fix as3935_write
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream.
+
+AS3935_WRITE_DATA macro bit is incorrect and the actual write
+sequence is two leading zeros.
+
+Cc: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -50,7 +50,6 @@
+ #define AS3935_TUNE_CAP               0x08
+ #define AS3935_CALIBRATE      0x3D
+-#define AS3935_WRITE_DATA     BIT(15)
+ #define AS3935_READ_DATA      BIT(14)
+ #define AS3935_ADDRESS(x)     ((x) << 8)
+@@ -105,7 +104,7 @@ static int as3935_write(struct as3935_st
+ {
+       u8 *buf = st->buf;
+-      buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8;
++      buf[0] = AS3935_ADDRESS(reg) >> 8;
+       buf[1] = val;
+       return spi_write(st->spi, buf, 2);
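Review bot: `buf[0] = AS3935_ADDRESS(reg) >> 8;` shifts `reg` left by eight and straight back, so the command byte is just `reg` truncated to `u8`, and nothing forces the two leading zero bits that the commit message says a write requires. Judging by `AS3935_READ_DATA` being `BIT(14)`, a `reg` value with bit 6 set would turn the transfer into a read command. The type and range of `reg` are outside the hunk; unless every caller is known to pass a 6-bit register number, masking makes the intent explicit: `buf[0] = reg & 0x3f;` with a comment that zero in bits 7:6 selects write mode.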
diff --git a/queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch
new file mode 100644 (file)
index 0000000..d61f880
--- /dev/null
@@ -0,0 +1,39 @@
+From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream.
+
+We should call ipxitf_put() if the copy_to_user() fails.
+
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipx/af_ipx.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd
+               sipx->sipx_network      = ipxif->if_netnum;
+               memcpy(sipx->sipx_node, ipxif->if_node,
+                       sizeof(sipx->sipx_node));
+-              rc = -EFAULT;
++              rc = 0;
+               if (copy_to_user(arg, &ifr, sizeof(ifr)))
+-                      break;
++                      rc = -EFAULT;
+               ipxitf_put(ipxif);
+-              rc = 0;
+               break;
+       }
+       case SIOCAIPXITFCRT:
diff --git a/queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch b/queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch
new file mode 100644 (file)
index 0000000..436bf2c
--- /dev/null
@@ -0,0 +1,34 @@
+From a5cb00eb4223458250b55daf03ac7ea5f424d601 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 22 Mar 2017 04:53:57 -0300
+Subject: [media] s5p-mfc: Fix unbalanced call to clock management
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream.
+
+Clock should be turned off after calling s5p_mfc_init_hw() from the
+watchdog worker, like it is already done in the s5p_mfc_open() which also
+calls this function.
+
+Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver")
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -173,6 +173,7 @@ static void s5p_mfc_watchdog_worker(stru
+               }
+               s5p_mfc_clock_on();
+               ret = s5p_mfc_init_hw(dev);
++              s5p_mfc_clock_off();
+               if (ret)
+                       mfc_err("Failed to reinit FW\n");
+       }
index cde9b7f405a5a308c602da4999897d6b66d7126b..3b0efa0897f3bf2d37cd234faf5dda61ced437df 100644 (file)
@@ -66,3 +66,14 @@ usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
 usb-hub-fix-ss-hub-descriptor-handling.patch
 usb-hub-fix-non-ss-hub-descriptor-handling.patch
 tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
+ipx-call-ipxitf_put-in-ioctl-error-path.patch
+iio-proximity-as3935-fix-as3935_write.patch
+ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
+gspca-konica-add-missing-endpoint-sanity-check.patch
+s5p-mfc-fix-unbalanced-call-to-clock-management.patch
+dib0700-fix-null-deref-at-probe.patch
+zr364xx-enforce-minimum-size-when-reading-header.patch
+dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
+cx231xx-audio-fix-init-error-path.patch
+cx231xx-audio-fix-null-deref-at-probe.patch
+cx231xx-cards-fix-null-deref-at-probe.patch
diff --git a/queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch b/queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch
new file mode 100644 (file)
index 0000000..4264c3d
--- /dev/null
@@ -0,0 +1,37 @@
+From ee0fe833d96793853335844b6d99fb76bd12cbeb Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn <amilburn@zall.org>
+Date: Sat, 1 Apr 2017 14:34:08 -0300
+Subject: [media] zr364xx: enforce minimum size when reading header
+
+From: Alyssa Milburn <amilburn@zall.org>
+
+commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.
+
+This code copies actual_length-128 bytes from the header, which will
+underflow if the received buffer is too small.
+
+Signed-off-by: Alyssa Milburn <amilburn@zall.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/zr364xx/zr364xx.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(s
+       ptr = pdest = frm->lpvbits;
+       if (frm->ulState == ZR364XX_READ_IDLE) {
++              if (purb->actual_length < 128) {
++                      /* header incomplete */
++                      dev_info(&cam->udev->dev,
++                               "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
++                               __func__, purb->actual_length);
++                      return -EINVAL;
++              }
++
+               frm->ulState = ZR364XX_READ_FRAME;
+               frm->cur_size = 0;