3.18-stable patches

added patches:
	cx231xx-audio-fix-null-deref-at-probe.patch
	cx231xx-cards-fix-null-deref-at-probe.patch
	dib0700-fix-null-deref-at-probe.patch
	gspca-konica-add-missing-endpoint-sanity-check.patch
	iio-proximity-as3935-fix-as3935_write.patch
	ipx-call-ipxitf_put-in-ioctl-error-path.patch
	s5p-mfc-fix-unbalanced-call-to-clock-management.patch
	zr364xx-enforce-minimum-size-when-reading-header.patch

diff --git a/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch b/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..a20116b
--- /dev/null
+++ b/queue-3.18/cx231xx-audio-fix-null-deref-at-probe.patch
@@ -0,0 +1,56 @@
+From 65f921647f4c89a2068478c89691f39b309b58f7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:58 -0300
+Subject: [media] cx231xx-audio: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: Sri Deevi <Srinivasa.Deevi@conexant.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-audio.c |   15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-audio.c
++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c
+@@ -702,6 +702,11 @@ static int cx231xx_audio_init(struct cx2
+                                           hs_config_info[0].interface_info.
+                                           audio_index + 1];
+ 
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
++              snd_card_free(card);
++              return -ENODEV;
++      }
++
+       adev->end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -717,8 +722,14 @@ static int cx231xx_audio_init(struct cx2
+       }
+ 
+       for (i = 0; i < adev->num_alt; i++) {
+-              u16 tmp =
+-                  le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
++                      snd_card_free(card);
++                      return -ENODEV;
++              }
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.
+                               wMaxPacketSize);
+               adev->alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);

diff --git a/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch b/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..b3b7167
--- /dev/null
+++ b/queue-3.18/cx231xx-cards-fix-null-deref-at-probe.patch
@@ -0,0 +1,128 @@
+From 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:56 -0300
+Subject: [media] cx231xx-cards: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer or accessing memory beyond the endpoint array should a
+malicious device lack the expected endpoints.
+
+Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver")
+
+Cc: Sri Deevi <Srinivasa.Deevi@conexant.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/cx231xx/cx231xx-cards.c |   45 ++++++++++++++++++++++++++----
+ 1 file changed, 40 insertions(+), 5 deletions(-)
+
+--- a/drivers/media/usb/cx231xx/cx231xx-cards.c
++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c
+@@ -1291,6 +1291,9 @@ static int cx231xx_init_v4l2(struct cx23
+ 
+       uif = udev->actconfig->interface[idx];
+ 
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->video_mode.end_point_addr = uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress;
+       dev->video_mode.num_alt = uif->num_altsetting;
+ 
+@@ -1305,7 +1308,12 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+ 
+       for (i = 0; i < dev->video_mode.num_alt; i++) {
+-              u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize);
+               dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+               cx231xx_info("Alternate setting %i, max size= %i\n", i,
+                            dev->video_mode.alt_max_pkt_size[i]);
+@@ -1320,6 +1328,9 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+       uif = udev->actconfig->interface[idx];
+ 
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->vbi_mode.end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -1337,8 +1348,12 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+ 
+       for (i = 0; i < dev->vbi_mode.num_alt; i++) {
+-              u16 tmp =
+-                  le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+                               desc.wMaxPacketSize);
+               dev->vbi_mode.alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+@@ -1356,6 +1371,9 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+       uif = udev->actconfig->interface[idx];
+ 
++      if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1)
++              return -ENODEV;
++
+       dev->sliced_cc_mode.end_point_addr =
+           uif->altsetting[0].endpoint[isoc_pipe].desc.
+                       bEndpointAddress;
+@@ -1372,7 +1390,12 @@ static int cx231xx_init_v4l2(struct cx23
+       }
+ 
+       for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) {
+-              u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
++              u16 tmp;
++
++              if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)
++                      return -ENODEV;
++
++              tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].
+                               desc.wMaxPacketSize);
+               dev->sliced_cc_mode.alt_max_pkt_size[i] =
+                   (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1);
+@@ -1526,6 +1549,11 @@ static int cx231xx_usb_probe(struct usb_
+               }
+               uif = udev->actconfig->interface[idx];
+ 
++              if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) {
++                      retval = -ENODEV;
++                      goto err_video_alt;
++              }
++
+               dev->ts1_mode.end_point_addr =
+                   uif->altsetting[0].endpoint[isoc_pipe].
+                               desc.bEndpointAddress;
+@@ -1543,7 +1571,14 @@ static int cx231xx_usb_probe(struct usb_
+               }
+ 
+               for (i = 0; i < dev->ts1_mode.num_alt; i++) {
+-                      u16 tmp = le16_to_cpu(uif->altsetting[i].
++                      u16 tmp;
++
++                      if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) {
++                              retval = -ENODEV;
++                              goto err_video_alt;
++                      }
++
++                      tmp = le16_to_cpu(uif->altsetting[i].
+                                               endpoint[isoc_pipe].desc.
+                                               wMaxPacketSize);
+                       dev->ts1_mode.alt_max_pkt_size[i] =

diff --git a/queue-3.18/dib0700-fix-null-deref-at-probe.patch b/queue-3.18/dib0700-fix-null-deref-at-probe.patch
new file mode 100644 (file)
index 0000000..d6d478e
--- /dev/null
+++ b/queue-3.18/dib0700-fix-null-deref-at-probe.patch
@@ -0,0 +1,37 @@
+From d5823511c0f8719a39e72ede1bce65411ac653b7 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:54 -0300
+Subject: [media] dib0700: fix NULL-deref at probe
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream.
+
+Make sure to check the number of endpoints to avoid dereferencing a
+NULL-pointer should a malicious device lack endpoints.
+
+Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge
+Nova-TD")
+
+Cc: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/dib0700_core.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/dib0700_core.c
++++ b/drivers/media/usb/dvb-usb/dib0700_core.c
+@@ -786,6 +786,9 @@ int dib0700_rc_setup(struct dvb_usb_devi
+ 
+       /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */
+ 
++      if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1)
++              return -ENODEV;
++
+       purb = usb_alloc_urb(0, GFP_KERNEL);
+       if (purb == NULL) {
+               err("rc usb alloc urb failed");

diff --git a/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch b/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch
new file mode 100644 (file)
index 0000000..a418c2b
--- /dev/null
+++ b/queue-3.18/gspca-konica-add-missing-endpoint-sanity-check.patch
@@ -0,0 +1,41 @@
+From aa58fedb8c7b6cf2f05941d238495f9e2f29655c Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Mar 2017 09:53:59 -0300
+Subject: [media] gspca: konica: add missing endpoint sanity check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.
+
+Make sure to check the number of endpoints to avoid accessing memory
+beyond the endpoint array should a device lack the expected endpoints.
+
+Note that, as far as I can tell, the gspca framework has already made
+sure there is at least one endpoint in the current alternate setting so
+there should be no risk for a NULL-pointer dereference here.
+
+Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
+konica chipset using cams")
+
+Cc: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Hans Verkuil <hansverk@cisco.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/gspca/konica.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/gspca/konica.c
++++ b/drivers/media/usb/gspca/konica.c
+@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
+               return -EIO;
+       }
+ 
++      if (alt->desc.bNumEndpoints < 2)
++              return -ENODEV;
++
+       packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+ 
+       n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;

diff --git a/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch b/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch
new file mode 100644 (file)
index 0000000..926530c
--- /dev/null
+++ b/queue-3.18/iio-proximity-as3935-fix-as3935_write.patch
@@ -0,0 +1,40 @@
+From 84ca8e364acb26aba3292bc113ca8ed4335380fd Mon Sep 17 00:00:00 2001
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+Date: Thu, 13 Apr 2017 23:21:56 -0700
+Subject: iio: proximity: as3935: fix as3935_write
+
+From: Matt Ranostay <matt.ranostay@konsulko.com>
+
+commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream.
+
+AS3935_WRITE_DATA macro bit is incorrect and the actual write
+sequence is two leading zeros.
+
+Cc: George McCollister <george.mccollister@gmail.com>
+Signed-off-by: Matt Ranostay <matt.ranostay@konsulko.com>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/proximity/as3935.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -50,7 +50,6 @@
+ #define AS3935_TUNE_CAP               0x08
+ #define AS3935_CALIBRATE      0x3D
+ 
+-#define AS3935_WRITE_DATA     BIT(15)
+ #define AS3935_READ_DATA      BIT(14)
+ #define AS3935_ADDRESS(x)     ((x) << 8)
+ 
+@@ -103,7 +102,7 @@ static int as3935_write(struct as3935_st
+ {
+       u8 *buf = st->buf;
+ 
+-      buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8;
++      buf[0] = AS3935_ADDRESS(reg) >> 8;
+       buf[1] = val;
+ 
+       return spi_write(st->spi, buf, 2);

diff --git a/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch
new file mode 100644 (file)
index 0000000..d61f880
--- /dev/null
+++ b/queue-3.18/ipx-call-ipxitf_put-in-ioctl-error-path.patch
@@ -0,0 +1,39 @@
+From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream.
+
+We should call ipxitf_put() if the copy_to_user() fails.
+
+Reported-by: 李强 <liqiang6-s@360.cn>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipx/af_ipx.c |    5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd
+               sipx->sipx_network      = ipxif->if_netnum;
+               memcpy(sipx->sipx_node, ipxif->if_node,
+                       sizeof(sipx->sipx_node));
+-              rc = -EFAULT;
++              rc = 0;
+               if (copy_to_user(arg, &ifr, sizeof(ifr)))
+-                      break;
++                      rc = -EFAULT;
+               ipxitf_put(ipxif);
+-              rc = 0;
+               break;
+       }
+       case SIOCAIPXITFCRT:

diff --git a/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch b/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch
new file mode 100644 (file)
index 0000000..4d6753d
--- /dev/null
+++ b/queue-3.18/s5p-mfc-fix-unbalanced-call-to-clock-management.patch
@@ -0,0 +1,34 @@
+From a5cb00eb4223458250b55daf03ac7ea5f424d601 Mon Sep 17 00:00:00 2001
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+Date: Wed, 22 Mar 2017 04:53:57 -0300
+Subject: [media] s5p-mfc: Fix unbalanced call to clock management
+
+From: Marek Szyprowski <m.szyprowski@samsung.com>
+
+commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream.
+
+Clock should be turned off after calling s5p_mfc_init_hw() from the
+watchdog worker, like it is already done in the s5p_mfc_open() which also
+calls this function.
+
+Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver")
+
+Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Signed-off-by: Sylwester Nawrocki <s.nawrocki@samsung.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/platform/s5p-mfc/s5p_mfc.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c
++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c
+@@ -169,6 +169,7 @@ static void s5p_mfc_watchdog_worker(stru
+               }
+               s5p_mfc_clock_on();
+               ret = s5p_mfc_init_hw(dev);
++              s5p_mfc_clock_off();
+               if (ret)
+                       mfc_err("Failed to reinit FW\n");
+       }

diff --git a/queue-3.18/series b/queue-3.18/series
index 85c74f47dd9b4bcf444eaf136d862a682e2504d3..a98c23ddd4c2ee31750dfff6c4086db20d5021f4 100644 (file)
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -32,3 +32,11 @@ usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
 usb-hub-fix-ss-hub-descriptor-handling.patch
 usb-hub-fix-non-ss-hub-descriptor-handling.patch
 tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch
+ipx-call-ipxitf_put-in-ioctl-error-path.patch
+iio-proximity-as3935-fix-as3935_write.patch
+gspca-konica-add-missing-endpoint-sanity-check.patch
+s5p-mfc-fix-unbalanced-call-to-clock-management.patch
+dib0700-fix-null-deref-at-probe.patch
+zr364xx-enforce-minimum-size-when-reading-header.patch
+cx231xx-cards-fix-null-deref-at-probe.patch
+cx231xx-audio-fix-null-deref-at-probe.patch

diff --git a/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch b/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch
new file mode 100644 (file)
index 0000000..28c8125
--- /dev/null
+++ b/queue-3.18/zr364xx-enforce-minimum-size-when-reading-header.patch
@@ -0,0 +1,37 @@
+From ee0fe833d96793853335844b6d99fb76bd12cbeb Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn <amilburn@zall.org>
+Date: Sat, 1 Apr 2017 14:34:08 -0300
+Subject: [media] zr364xx: enforce minimum size when reading header
+
+From: Alyssa Milburn <amilburn@zall.org>
+
+commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.
+
+This code copies actual_length-128 bytes from the header, which will
+underflow if the received buffer is too small.
+
+Signed-off-by: Alyssa Milburn <amilburn@zall.org>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@s-opensource.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/zr364xx/zr364xx.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -605,6 +605,14 @@ static int zr364xx_read_video_callback(s
+       ptr = pdest = frm->lpvbits;
+ 
+       if (frm->ulState == ZR364XX_READ_IDLE) {
++              if (purb->actual_length < 128) {
++                      /* header incomplete */
++                      dev_info(&cam->udev->dev,
++                               "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
++                               __func__, purb->actual_length);
++                      return -EINVAL;
++              }
++
+               frm->ulState = ZR364XX_READ_FRAME;
+               frm->cur_size = 0;
+