3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 May 2017 17:02:47 +0000 (19:02 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 22 May 2017 17:02:47 +0000 (19:02 +0200)
added patches:
cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
iio-dac-ad7303-fix-channel-description.patch
of-fdt-add-missing-allocation-failure-check.patch
of-fix-sparse-warning-in-of_pci_range_parser_one.patch
ohci-pci-add-qemu-quirk.patch

queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch [new file with mode: 0644]
queue-3.18/iio-dac-ad7303-fix-channel-description.patch [new file with mode: 0644]
queue-3.18/of-fdt-add-missing-allocation-failure-check.patch [new file with mode: 0644]
queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch [new file with mode: 0644]
queue-3.18/ohci-pci-add-qemu-quirk.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch b/queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
new file mode 100644 (file)
index 0000000..5f73974
--- /dev/null
@@ -0,0 +1,52 @@
+From 1bb9914e1730417d530de9ed37e59efdc647146b Mon Sep 17 00:00:00 2001
+From: Tobias Herzog <t-herzog@gmx.de>
+Date: Thu, 30 Mar 2017 22:15:10 +0200
+Subject: cdc-acm: fix possible invalid access when processing notification
+
+From: Tobias Herzog <t-herzog@gmx.de>
+
+commit 1bb9914e1730417d530de9ed37e59efdc647146b upstream.
+
+Notifications may only be 8 bytes long. Accessing the 9th and
+10th byte of unimplemented/unknown notifications may be insecure.
+Also check the length of known notifications before accessing anything
+behind the 8th byte.
+
+Signed-off-by: Tobias Herzog <t-herzog@gmx.de>
+Acked-by: Oliver Neukum <oneukum@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/class/cdc-acm.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -315,6 +315,12 @@ static void acm_ctrl_irq(struct urb *urb
+               break;
+       case USB_CDC_NOTIFY_SERIAL_STATE:
++              if (le16_to_cpu(dr->wLength) != 2) {
++                      dev_dbg(&acm->control->dev,
++                              "%s - malformed serial state\n", __func__);
++                      break;
++              }
++
+               newctrl = get_unaligned_le16(data);
+               if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
+@@ -351,11 +357,10 @@ static void acm_ctrl_irq(struct urb *urb
+       default:
+               dev_dbg(&acm->control->dev,
+-                      "%s - unknown notification %d received: index %d "
+-                      "len %d data0 %d data1 %d\n",
++                      "%s - unknown notification %d received: index %d len %d\n",
+                       __func__,
+-                      dr->bNotificationType, dr->wIndex,
+-                      dr->wLength, data[0], data[1]);
++                      dr->bNotificationType, dr->wIndex, dr->wLength);
++
+               break;
+       }
+ exit:
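Review bot: In the USB_CDC_NOTIFY_SERIAL_STATE case the new guard validates only the device-supplied `dr->wLength`, so `get_unaligned_le16(data)` still reads two bytes past the 8-byte header whether or not the transfer actually delivered them. If nothing earlier in acm_ctrl_irq (its body starts outside this hunk) compares `urb->actual_length` with the header size, a short notification that claims wLength 2 would pass and newctrl would be taken from stale buffer contents. Assuming `dr` points at the notification header, the guard could read `if (urb->actual_length < sizeof(*dr) + 2 || le16_to_cpu(dr->wLength) != 2) {`. Separately, the default branch prints `dr->wIndex` and `dr->wLength` raw while the new check converts with le16_to_cpu(), so that debug line is byte-swapped on big-endian hosts.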
diff --git a/queue-3.18/iio-dac-ad7303-fix-channel-description.patch b/queue-3.18/iio-dac-ad7303-fix-channel-description.patch
new file mode 100644 (file)
index 0000000..0a436dc
--- /dev/null
@@ -0,0 +1,35 @@
+From ce420fd4251809b4c3119b3b20c8b13bd8eba150 Mon Sep 17 00:00:00 2001
+From: Pavel Roskin <plroskin@gmail.com>
+Date: Thu, 13 Apr 2017 14:54:23 -0700
+Subject: iio: dac: ad7303: fix channel description
+
+From: Pavel Roskin <plroskin@gmail.com>
+
+commit ce420fd4251809b4c3119b3b20c8b13bd8eba150 upstream.
+
+realbits, storagebits and shift should be numbers, not ASCII characters.
+
+Signed-off-by: Pavel Roskin <plroskin@gmail.com>
+Reviewed-by: Lars-Peter Clausen <lars@metafoo.de>
+Signed-off-by: Jonathan Cameron <jic23@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/iio/dac/ad7303.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/dac/ad7303.c
++++ b/drivers/iio/dac/ad7303.c
+@@ -184,9 +184,9 @@ static const struct iio_chan_spec_ext_in
+       .address = (chan),                                      \
+       .scan_type = {                                          \
+               .sign = 'u',                                    \
+-              .realbits = '8',                                \
+-              .storagebits = '8',                             \
+-              .shift = '0',                                   \
++              .realbits = 8,                                  \
++              .storagebits = 8,                               \
++              .shift = 0,                                     \
+       },                                                      \
+       .ext_info = ad7303_ext_info,                            \
+ }
diff --git a/queue-3.18/of-fdt-add-missing-allocation-failure-check.patch b/queue-3.18/of-fdt-add-missing-allocation-failure-check.patch
new file mode 100644 (file)
index 0000000..3773082
--- /dev/null
@@ -0,0 +1,34 @@
+From 49e67dd17649b60b4d54966e18ec9c80198227f0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Wed, 17 May 2017 17:29:09 +0200
+Subject: of: fdt: add missing allocation-failure check
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream.
+
+The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped
+kzalloc) can fail so add the missing sanity check to avoid dereferencing
+a NULL pointer.
+
+Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/fdt.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -380,6 +380,9 @@ static void __unflatten_device_tree(void
+       /* Allocate memory for the expanded device tree */
+       mem = dt_alloc(size + 4, __alignof__(struct device_node));
++      if (!mem)
++              return NULL;
++
+       memset(mem, 0, size);
+       *(__be32 *)(mem + size) = cpu_to_be32(0xdeadbeef);
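Review bot: The added `return NULL;` sits in a function that the hunk header shows as `static void __unflatten_device_tree(void`, which suggests it returns void in this 3.18 tree, and returning a value from a void function is a constraint violation that compilers diagnose. The full signature is outside the hunk, but if the return type is void here the backport should use `if (!mem) return;` instead. With a void return the caller gets no indication that unflattening was skipped, so a short `pr_err()` before the return would make the allocation failure visible.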
diff --git a/queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch b/queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch
new file mode 100644 (file)
index 0000000..1e491c3
--- /dev/null
@@ -0,0 +1,36 @@
+From eb3100365791b06242b8bb5c3c2854ba41dabfbc Mon Sep 17 00:00:00 2001
+From: Rob Herring <robh@kernel.org>
+Date: Thu, 4 May 2017 12:34:30 -0500
+Subject: of: fix sparse warning in of_pci_range_parser_one
+
+From: Rob Herring <robh@kernel.org>
+
+commit eb3100365791b06242b8bb5c3c2854ba41dabfbc upstream.
+
+sparse gives the following warning for 'pci_space':
+
+../drivers/of/address.c:266:26: warning: incorrect type in assignment (different base types)
+../drivers/of/address.c:266:26:    expected unsigned int [unsigned] [usertype] pci_space
+../drivers/of/address.c:266:26:    got restricted __be32 const [usertype] <noident>
+
+It appears that pci_space is only ever accessed on powerpc, so the endian
+swap is often not needed.
+
+Signed-off-by: Rob Herring <robh@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/of/address.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -260,7 +260,7 @@ struct of_pci_range *of_pci_range_parser
+       if (!parser->range || parser->range + parser->np > parser->end)
+               return NULL;
+-      range->pci_space = parser->range[0];
++      range->pci_space = be32_to_cpup(parser->range);
+       range->flags = of_bus_pci_get_flags(parser->range);
+       range->pci_addr = of_read_number(parser->range + 1, ns);
+       range->cpu_addr = of_translate_address(parser->node,
diff --git a/queue-3.18/ohci-pci-add-qemu-quirk.patch b/queue-3.18/ohci-pci-add-qemu-quirk.patch
new file mode 100644 (file)
index 0000000..eb441cc
--- /dev/null
@@ -0,0 +1,83 @@
+From 21a60f6e65181cad64fd66ccc8080d413721ba27 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Mon, 20 Mar 2017 09:11:49 +0100
+Subject: ohci-pci: add qemu quirk
+
+From: Gerd Hoffmann <kraxel@redhat.com>
+
+commit 21a60f6e65181cad64fd66ccc8080d413721ba27 upstream.
+
+On a loaded virtualization host (dozen guests booting at the same time)
+it may happen that the ohci controller emulation doesn't manage to do
+timely frame processing, with the result that the io watchdog fires and
+considers the controller being dead, even though it's only the emulation
+being unusual slow due to the load peak.
+
+So, add a quirk for qemu and don't use the watchdog in case we figure we
+are running on emulated ohci.  The virtual ohci controller masquerades
+as apple ohci controller, but we can identify it by subsystem id.
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/ohci-hcd.c |    3 ++-
+ drivers/usb/host/ohci-pci.c |   16 ++++++++++++++++
+ drivers/usb/host/ohci.h     |    1 +
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -230,7 +230,8 @@ static int ohci_urb_enqueue (
+               /* Start up the I/O watchdog timer, if it's not running */
+               if (!timer_pending(&ohci->io_watchdog) &&
+-                              list_empty(&ohci->eds_in_use)) {
++                              list_empty(&ohci->eds_in_use) &&
++                              !(ohci->flags & OHCI_QUIRK_QEMU)) {
+                       ohci->prev_frame_no = ohci_frame_no(ohci);
+                       mod_timer(&ohci->io_watchdog,
+                                       jiffies + IO_WATCHDOG_DELAY);
+--- a/drivers/usb/host/ohci-pci.c
++++ b/drivers/usb/host/ohci-pci.c
+@@ -164,6 +164,15 @@ static int ohci_quirk_amd700(struct usb_
+       return 0;
+ }
++static int ohci_quirk_qemu(struct usb_hcd *hcd)
++{
++      struct ohci_hcd *ohci = hcd_to_ohci(hcd);
++
++      ohci->flags |= OHCI_QUIRK_QEMU;
++      ohci_dbg(ohci, "enabled qemu quirk\n");
++      return 0;
++}
++
+ /* List of quirks for OHCI */
+ static const struct pci_device_id ohci_pci_quirks[] = {
+       {
+@@ -214,6 +223,13 @@ static const struct pci_device_id ohci_p
+               PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399),
+               .driver_data = (unsigned long)ohci_quirk_amd700,
+       },
++      {
++              .vendor         = PCI_VENDOR_ID_APPLE,
++              .device         = 0x003f,
++              .subvendor      = PCI_SUBVENDOR_ID_REDHAT_QUMRANET,
++              .subdevice      = PCI_SUBDEVICE_ID_QEMU,
++              .driver_data    = (unsigned long)ohci_quirk_qemu,
++      },
+       /* FIXME for some of the early AMD 760 southbridges, OHCI
+        * won't work at all.  blacklist them.
+--- a/drivers/usb/host/ohci.h
++++ b/drivers/usb/host/ohci.h
+@@ -418,6 +418,7 @@ struct ohci_hcd {
+ #define       OHCI_QUIRK_AMD_PLL      0x200                   /* AMD PLL quirk*/
+ #define       OHCI_QUIRK_AMD_PREFETCH 0x400                   /* pre-fetch for ISO transfer */
+ #define       OHCI_QUIRK_GLOBAL_SUSPEND       0x800           /* must suspend ports */
++#define       OHCI_QUIRK_QEMU         0x1000                  /* relax timing expectations */
+       // there are also chip quirks/bugs in init logic
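Review bot: The comment on `OHCI_QUIRK_QEMU` in ohci.h says "relax timing expectations", but the only use visible here, in ohci_urb_enqueue, never starts the I/O watchdog when the flag is set, so dead-controller detection on that path is switched off rather than relaxed. I would word it as `/* emulated (qemu) controller: do not start the I/O watchdog */`, so a reader knows a hung emulated controller will not be caught by the watchdog. A one-line comment above `ohci_quirk_qemu()` should also say that the match relies on the Red Hat/Qumranet subsystem IDs because the device otherwise presents as an Apple controller. ohci_urb_enqueue continues outside the hunk, so any other place that arms the watchdog cannot be checked from here.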
index b962bc47a55b5384d436ebbda5f7b9210496c827..9c5ea6f5ccccca8f9c32b9923a2e3909bc3954f3 100644 (file)
@@ -10,3 +10,8 @@ mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch
 ima-accept-previously-set-ima_new_file.patch
 regulator-tps65023-fix-inverted-core-enable-logic.patch
 ath9k_htc-fix-null-deref-at-probe.patch
+cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
+ohci-pci-add-qemu-quirk.patch
+of-fix-sparse-warning-in-of_pci_range_parser_one.patch
+of-fdt-add-missing-allocation-failure-check.patch
+iio-dac-ad7303-fix-channel-description.patch