From: Greg Kroah-Hartman Date: Tue, 23 May 2017 13:41:11 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.55~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dba91a627c659279eeaba6b5c398267de88e4beb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch cx231xx-audio-fix-init-error-path.patch cx231xx-audio-fix-null-deref-at-probe.patch cx231xx-cards-fix-null-deref-at-probe.patch dib0700-fix-null-deref-at-probe.patch dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch gspca-konica-add-missing-endpoint-sanity-check.patch iio-proximity-as3935-fix-as3935_write.patch ipx-call-ipxitf_put-in-ioctl-error-path.patch s5p-mfc-fix-unbalanced-call-to-clock-management.patch zr364xx-enforce-minimum-size-when-reading-header.patch
---
diff --git a/queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch b/queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch new file mode 100644
index 00000000000..848f396e169
--- /dev/null
+++ b/queue-4.4/ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch
@@ -0,0 +1,120 @@ +From 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 Mon Sep 17 00:00:00 2001 +From: "Yan, Zheng" +Date: Wed, 19 Apr 2017 10:01:48 +0800 +Subject: ceph: fix recursion between ceph_set_acl() and __ceph_setattr() + +From: Yan, Zheng + +commit 8179a101eb5f4ef0ac9a915fcea9a9d3109efa90 upstream. + +ceph_set_acl() calls __ceph_setattr() if the setacl operation needs +to modify inode's i_mode. __ceph_setattr() updates inode's i_mode, +then calls posix_acl_chmod(). + +The problem is that __ceph_setattr() calls posix_acl_chmod() before +sending the setattr request. The get_acl() call in posix_acl_chmod() +can trigger a getxattr request. The reply of the getxattr request +can restore inode's i_mode to its old value. The set_acl() call in +posix_acl_chmod() sees old value of inode's i_mode, so it calls +__ceph_setattr() again. + +Cc: stable@vger.kernel.org # needs backporting for < 4.9 +Link: http://tracker.ceph.com/issues/19688 +Reported-by: Jerry Lee +Signed-off-by: "Yan, Zheng" +Reviewed-by: Jeff Layton +Tested-by: Luis Henriques +Signed-off-by: Ilya Dryomov +[luis: introduce __ceph_setattr() and make ceph_set_acl() call it, as + suggested by Yan.] 
+Signed-off-by: Luis Henriques +Signed-off-by: Greg Kroah-Hartman +Reviewed-by: “Yan, Zheng” +--- + fs/ceph/acl.c | 4 ++-- + fs/ceph/inode.c | 27 ++++++++++++++++----------- + fs/ceph/super.h | 1 + + 3 files changed, 19 insertions(+), 13 deletions(-) + +--- a/fs/ceph/acl.c ++++ b/fs/ceph/acl.c +@@ -128,7 +128,7 @@ int ceph_set_acl(struct inode *inode, st + if (new_mode != old_mode) { + newattrs.ia_mode = new_mode; + newattrs.ia_valid = ATTR_MODE; +- ret = ceph_setattr(dentry, &newattrs); ++ ret = __ceph_setattr(dentry, &newattrs); + if (ret) + goto out_dput; + } +@@ -138,7 +138,7 @@ int ceph_set_acl(struct inode *inode, st + if (new_mode != old_mode) { + newattrs.ia_mode = old_mode; + newattrs.ia_valid = ATTR_MODE; +- ceph_setattr(dentry, &newattrs); ++ __ceph_setattr(dentry, &newattrs); + } + goto out_dput; + } +--- a/fs/ceph/inode.c ++++ b/fs/ceph/inode.c +@@ -1773,7 +1773,7 @@ static const struct inode_operations cep + /* + * setattr + */ +-int ceph_setattr(struct dentry *dentry, struct iattr *attr) ++int __ceph_setattr(struct dentry *dentry, struct iattr *attr) + { + struct inode *inode = d_inode(dentry); + struct ceph_inode_info *ci = ceph_inode(inode); +@@ -1975,11 +1975,6 @@ int ceph_setattr(struct dentry *dentry, + if (inode_dirty_flags) + __mark_inode_dirty(inode, inode_dirty_flags); + +- if (ia_valid & ATTR_MODE) { +- err = posix_acl_chmod(inode, attr->ia_mode); +- if (err) +- goto out_put; +- } + + if (mask) { + req->r_inode = inode; +@@ -1993,13 +1988,23 @@ int ceph_setattr(struct dentry *dentry, + ceph_cap_string(dirtied), mask); + + ceph_mdsc_put_request(req); +- if (mask & CEPH_SETATTR_SIZE) +- __ceph_do_pending_vmtruncate(inode); + ceph_free_cap_flush(prealloc_cf); ++ ++ if (err >= 0 && (mask & CEPH_SETATTR_SIZE)) ++ __ceph_do_pending_vmtruncate(inode); ++ + return err; +-out_put: +- ceph_mdsc_put_request(req); +- ceph_free_cap_flush(prealloc_cf); ++} ++ ++int ceph_setattr(struct dentry *dentry, struct iattr *attr) ++{ ++ int err; ++ ++ err = 
__ceph_setattr(dentry, attr); ++ ++ if (err >= 0 && (attr->ia_valid & ATTR_MODE)) ++ err = posix_acl_chmod(d_inode(dentry), attr->ia_mode); ++ + return err; + } + +--- a/fs/ceph/super.h ++++ b/fs/ceph/super.h +@@ -788,6 +788,7 @@ static inline int ceph_do_getattr(struct + return __ceph_do_getattr(inode, NULL, mask, force); + } + extern int ceph_permission(struct inode *inode, int mask); ++extern int __ceph_setattr(struct dentry *dentry, struct iattr *attr); + extern int ceph_setattr(struct dentry *dentry, struct iattr *attr); + extern int ceph_getattr(struct vfsmount *mnt, struct dentry *dentry, + struct kstat *stat); diff --git a/queue-4.4/cx231xx-audio-fix-init-error-path.patch b/queue-4.4/cx231xx-audio-fix-init-error-path.patch new file mode 100644 index 00000000000..95687e458bc --- /dev/null +++ b/queue-4.4/cx231xx-audio-fix-init-error-path.patch 
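Review bot: `__ceph_setattr()` becomes a non-static symbol declared in fs/ceph/super.h, but nothing in the fs/ceph/inode.c section says how it differs from `ceph_setattr()`, and the old `/* setattr */` comment now sits above the helper rather than the public entry point. A comment on the helper such as `/* setattr without the posix_acl_chmod() step; ceph_set_acl() must call this one so it does not recurse */` would keep a later caller from picking the wrong function. In the new `ceph_setattr()` wrapper the mode change has already gone through by the time `posix_acl_chmod()` runs, so a failure there returns an error with the new mode in place and the ACL not rewritten; that ordering is worth stating in the same comment. Most of the body of `__ceph_setattr()` lies outside the hunks shown.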
@@ -0,0 +1,78 @@ +From fff1abc4d54e469140a699612b4db8d6397bfcba Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:57 -0300 +Subject: [media] cx231xx-audio: fix init error path + +From: Johan Hovold + +commit fff1abc4d54e469140a699612b4db8d6397bfcba upstream. + +Make sure to release the snd_card also on a late allocation error. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-audio.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-audio.c ++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c +@@ -671,10 +671,8 @@ static int cx231xx_audio_init(struct cx2 + + spin_lock_init(&adev->slock); + err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, &pcm); +- if (err < 0) { +- snd_card_free(card); +- return err; +- } ++ if (err < 0) ++ goto err_free_card; + + snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, + &snd_cx231xx_pcm_capture); +@@ -688,10 +686,9 @@ static int cx231xx_audio_init(struct cx2 + INIT_WORK(&dev->wq_trigger, audio_trigger); + + err = snd_card_register(card); +- if (err < 0) { +- snd_card_free(card); +- return err; +- } ++ if (err < 0) ++ goto err_free_card; ++ + adev->sndcard = card; + adev->udev = dev->udev; + +@@ -710,9 +707,10 @@ static int cx231xx_audio_init(struct cx2 + "audio EndPoint Addr 0x%x, Alternate settings: %i\n", + adev->end_point_addr, adev->num_alt); + adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL); +- +- if (adev->alt_max_pkt_size == NULL) +- return -ENOMEM; ++ if (!adev->alt_max_pkt_size) { ++ err = -ENOMEM; ++ goto err_free_card; ++ } + + for (i = 0; i < adev->num_alt; i++) { + u16 tmp = +@@ -726,6 +724,11 @@ static int cx231xx_audio_init(struct cx2 + } + + return 0; ++ ++err_free_card: ++ snd_card_free(card); ++ ++ return 
err; + } + + static int cx231xx_audio_fini(struct cx231xx *dev) diff --git a/queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch b/queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..4f704f0316b --- /dev/null +++ b/queue-4.4/cx231xx-audio-fix-null-deref-at-probe.patch 
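Review bot: The new `err_free_card` label releases `card`, but it is also reached from the kmalloc failure, which comes after `adev->sndcard = card;`, so on that path `adev->sndcard` is left pointing at the freed card. `cx231xx_audio_fini()` begins right after this hunk and its body is not shown; if it tests `adev->sndcard` before freeing, a failed init followed by fini would release the card a second time. Clearing the pointer on the error path, `adev->sndcard = NULL;` before `return err;`, or moving the assignment down to just before `return 0;`, removes that possibility. The `err_free_pkt_size` label added by cx231xx-audio-fix-null-deref-at-probe.patch leaves `adev->alt_max_pkt_size` stale in the same way after its `kfree()`.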
@@ -0,0 +1,65 @@ +From 65f921647f4c89a2068478c89691f39b309b58f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:58 -0300 +Subject: [media] cx231xx-audio: fix NULL-deref at probe + +From: Johan Hovold + +commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-audio.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-audio.c ++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c +@@ -698,6 +698,11 @@ static int cx231xx_audio_init(struct cx2 + hs_config_info[0].interface_info. + audio_index + 1]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ err = -ENODEV; ++ goto err_free_card; ++ } ++ + adev->end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -713,8 +718,14 @@ static int cx231xx_audio_init(struct cx2 + } + + for (i = 0; i < adev->num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ err = -ENODEV; ++ goto err_free_pkt_size; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. + wMaxPacketSize); + adev->alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -725,6 +736,8 @@ static int cx231xx_audio_init(struct cx2 + + return 0; + ++err_free_pkt_size: ++ kfree(adev->alt_max_pkt_size); + err_free_card: + snd_card_free(card); + 
diff --git a/queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch b/queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch new file mode 100644
index 00000000000..ab74c1aab2e
--- /dev/null
+++ b/queue-4.4/cx231xx-cards-fix-null-deref-at-probe.patch
@@ -0,0 +1,128 @@ +From 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:56 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref at probe + +From: Johan Hovold + +commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 45 ++++++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1447,6 +1447,9 @@ static int cx231xx_init_v4l2(struct cx23 + + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->video_mode.end_point_addr = uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress; + dev->video_mode.num_alt = uif->num_altsetting; + +@@ -1460,7 +1463,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->video_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); + dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); + dev_dbg(dev->dev, + "Alternate setting %i, max size= %i\n", i, +@@ -1477,6 +1485,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ 
return -ENODEV; ++ + dev->vbi_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1493,8 +1504,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->vbi_mode.num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->vbi_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1514,6 +1529,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->sliced_cc_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1528,7 +1546,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->sliced_cc_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1693,6 +1716,11 @@ static int cx231xx_usb_probe(struct usb_ + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ + dev->ts1_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe]. + desc.bEndpointAddress; +@@ -1710,7 +1738,14 @@ static int cx231xx_usb_probe(struct usb_ + } + + for (i = 0; i < dev->ts1_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i]. 
++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i]. + endpoint[isoc_pipe].desc. + wMaxPacketSize); + dev->ts1_mode.alt_max_pkt_size[i] = diff --git a/queue-4.4/dib0700-fix-null-deref-at-probe.patch b/queue-4.4/dib0700-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..0d008742615 --- /dev/null +++ b/queue-4.4/dib0700-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From d5823511c0f8719a39e72ede1bce65411ac653b7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:54 -0300 +Subject: [media] dib0700: fix NULL-deref at probe + +From: Johan Hovold + +commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge +Nova-TD") + +Cc: Mauro Carvalho Chehab +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -783,6 +783,9 @@ int dib0700_rc_setup(struct dvb_usb_devi + + /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */ + ++ if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1) ++ return -ENODEV; ++ + purb = usb_alloc_urb(0, GFP_KERNEL); + if (purb == NULL) { + err("rc usb alloc urb failed"); diff --git a/queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch b/queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch new file mode 100644 index 00000000000..126e97690fd --- /dev/null +++ b/queue-4.4/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch 
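Review bot: The `return -ENODEV` checks added inside the three per-altsetting loops of `cx231xx_init_v4l2()` run after the matching `alt_max_pkt_size` array has apparently been allocated (the `return -ENOMEM` just above each loop looks like its failure branch), and nothing visible releases that array on the new early return. Unless the caller's error path frees the `video_mode`, `vbi_mode` and `sliced_cc_mode` arrays, a device whose later altsettings lack the expected endpoint would leak them each time probe fails. The `goto err_video_alt` added in the `ts1_mode` loop of `cx231xx_usb_probe()` raises the same question, and that label is outside the hunk. Validating every altsetting before the allocation, or freeing the array before returning, would settle it; both functions extend beyond the hunks shown.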
@@ -0,0 +1,36 @@ +From 158f0328af86a99d64073851967a02694bff987d Mon Sep 17 00:00:00 2001 +From: Daniel Scheller +Date: Sun, 19 Mar 2017 12:26:39 -0300 +Subject: [media] dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops + +From: Daniel Scheller + +commit 158f0328af86a99d64073851967a02694bff987d upstream. + +Fixes "w_scan -f c" complaining with + + This dvb driver is *buggy*: the symbol rate limits are undefined - please + report to linuxtv.org) + +Signed-off-by: Daniel Scheller +Acked-by: Abylay Ospan +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-frontends/cxd2841er.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb-frontends/cxd2841er.c ++++ b/drivers/media/dvb-frontends/cxd2841er.c +@@ -2678,7 +2678,9 @@ static struct dvb_frontend_ops cxd2841e + FE_CAN_MUTE_TS | + FE_CAN_2G_MODULATION, + .frequency_min = 42000000, +- .frequency_max = 1002000000 ++ .frequency_max = 1002000000, ++ .symbol_rate_min = 870000, ++ .symbol_rate_max = 11700000 + }, + .init = cxd2841er_init_tc, + .sleep = cxd2841er_sleep_tc, diff --git a/queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch b/queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..a418c2bfb1b --- /dev/null +++ b/queue-4.4/gspca-konica-add-missing-endpoint-sanity-check.patch 
@@ -0,0 +1,41 @@ +From aa58fedb8c7b6cf2f05941d238495f9e2f29655c Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:59 -0300 +Subject: [media] gspca: konica: add missing endpoint sanity check + +From: Johan Hovold + +commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream. + +Make sure to check the number of endpoints to avoid accessing memory +beyond the endpoint array should a device lack the expected endpoints. + +Note that, as far as I can tell, the gspca framework has already made +sure there is at least one endpoint in the current alternate setting so +there should be no risk for a NULL-pointer dereference here. + +Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for +konica chipset using cams") + +Cc: Hans de Goede +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/gspca/konica.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/gspca/konica.c ++++ b/drivers/media/usb/gspca/konica.c +@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs + return -EIO; + } + ++ if (alt->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize); + + n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv; diff --git a/queue-4.4/iio-proximity-as3935-fix-as3935_write.patch b/queue-4.4/iio-proximity-as3935-fix-as3935_write.patch new file mode 100644 index 00000000000..e678df63deb --- /dev/null +++ b/queue-4.4/iio-proximity-as3935-fix-as3935_write.patch 
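Review bot: The bound `2` in `if (alt->desc.bNumEndpoints < 2)` is unexplained, and the only access visible in the hunk is `alt->endpoint[0]`, so the reason a second endpoint is required cannot be read from here. A comment above the check, for example `/* endpoint[0] and endpoint[1] are both read below */`, would tie the constant to the accesses it protects, assuming that is what the rest of `sd_start()` does. The function continues outside the hunk.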
@@ -0,0 +1,40 @@ +From 84ca8e364acb26aba3292bc113ca8ed4335380fd Mon Sep 17 00:00:00 2001 +From: Matt Ranostay +Date: Thu, 13 Apr 2017 23:21:56 -0700 +Subject: iio: proximity: as3935: fix as3935_write + +From: Matt Ranostay + +commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream. + +AS3935_WRITE_DATA macro bit is incorrect and the actual write +sequence is two leading zeros. + +Cc: George McCollister +Signed-off-by: Matt Ranostay +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/proximity/as3935.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/iio/proximity/as3935.c ++++ b/drivers/iio/proximity/as3935.c +@@ -50,7 +50,6 @@ + #define AS3935_TUNE_CAP 0x08 + #define AS3935_CALIBRATE 0x3D + +-#define AS3935_WRITE_DATA BIT(15) + #define AS3935_READ_DATA BIT(14) + #define AS3935_ADDRESS(x) ((x) << 8) + +@@ -105,7 +104,7 @@ static int as3935_write(struct as3935_st + { + u8 *buf = st->buf; + +- buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8; ++ buf[0] = AS3935_ADDRESS(reg) >> 8; + buf[1] = val; + + return spi_write(st->spi, buf, 2); diff --git a/queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch new file mode 100644 index 00000000000..d61f880100c --- /dev/null +++ b/queue-4.4/ipx-call-ipxitf_put-in-ioctl-error-path.patch 
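Review bot: With `AS3935_WRITE_DATA` gone, `buf[0] = AS3935_ADDRESS(reg) >> 8;` reduces to `reg` truncated to a byte, so nothing keeps the top two bits of the command byte clear. The commit message says a write is marked by two leading zeros, and `AS3935_READ_DATA` is `BIT(14)`, so a `reg` value of 0x40 or above would set a mode bit and the transfer would no longer be a plain write. Masking the address, e.g. `buf[0] = reg & 0x3f;`, would enforce the format; the six-bit width is inferred from the macros in this hunk and should be confirmed against the datasheet. The type of `reg` is cut off in the hunk header.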
@@ -0,0 +1,39 @@ +From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 2 May 2017 13:58:53 +0300 +Subject: ipx: call ipxitf_put() in ioctl error path +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream. + +We should call ipxitf_put() if the copy_to_user() fails. + +Reported-by: 李强 +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipx/af_ipx.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/net/ipx/af_ipx.c ++++ b/net/ipx/af_ipx.c +@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd + sipx->sipx_network = ipxif->if_netnum; + memcpy(sipx->sipx_node, ipxif->if_node, + sizeof(sipx->sipx_node)); +- rc = -EFAULT; ++ rc = 0; + if (copy_to_user(arg, &ifr, sizeof(ifr))) +- break; ++ rc = -EFAULT; + ipxitf_put(ipxif); +- rc = 0; + break; + } + case SIOCAIPXITFCRT: diff --git a/queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch b/queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch new file mode 100644 index 00000000000..436bf2c6bfe --- /dev/null +++ b/queue-4.4/s5p-mfc-fix-unbalanced-call-to-clock-management.patch 
@@ -0,0 +1,34 @@ +From a5cb00eb4223458250b55daf03ac7ea5f424d601 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 22 Mar 2017 04:53:57 -0300 +Subject: [media] s5p-mfc: Fix unbalanced call to clock management + +From: Marek Szyprowski + +commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream. + +Clock should be turned off after calling s5p_mfc_init_hw() from the +watchdog worker, like it is already done in the s5p_mfc_open() which also +calls this function. + +Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver") + +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -173,6 +173,7 @@ static void s5p_mfc_watchdog_worker(stru + } + s5p_mfc_clock_on(); + ret = s5p_mfc_init_hw(dev); ++ s5p_mfc_clock_off(); + if (ret) + mfc_err("Failed to reinit FW\n"); + } diff --git a/queue-4.4/series b/queue-4.4/series index cde9b7f405a..3b0efa0897f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -66,3 +66,14 @@ usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch usb-hub-fix-ss-hub-descriptor-handling.patch usb-hub-fix-non-ss-hub-descriptor-handling.patch tty-prevent-ldisc-drivers-from-re-using-stale-tty-fields.patch +ipx-call-ipxitf_put-in-ioctl-error-path.patch +iio-proximity-as3935-fix-as3935_write.patch +ceph-fix-recursion-between-ceph_set_acl-and-__ceph_setattr.patch +gspca-konica-add-missing-endpoint-sanity-check.patch +s5p-mfc-fix-unbalanced-call-to-clock-management.patch +dib0700-fix-null-deref-at-probe.patch +zr364xx-enforce-minimum-size-when-reading-header.patch +dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch +cx231xx-audio-fix-init-error-path.patch +cx231xx-audio-fix-null-deref-at-probe.patch +cx231xx-cards-fix-null-deref-at-probe.patch 
diff --git a/queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch b/queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch new file mode 100644 index 00000000000..4264c3df492 --- /dev/null +++ b/queue-4.4/zr364xx-enforce-minimum-size-when-reading-header.patch @@ -0,0 +1,37 @@ +From ee0fe833d96793853335844b6d99fb76bd12cbeb Mon Sep 17 00:00:00 2001 +From: Alyssa Milburn +Date: Sat, 1 Apr 2017 14:34:08 -0300 +Subject: [media] zr364xx: enforce minimum size when reading header + +From: Alyssa Milburn + +commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream. + +This code copies actual_length-128 bytes from the header, which will +underflow if the received buffer is too small. + +Signed-off-by: Alyssa Milburn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/media/usb/zr364xx/zr364xx.c ++++ b/drivers/media/usb/zr364xx/zr364xx.c +@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(s + ptr = pdest = frm->lpvbits; + + if (frm->ulState == ZR364XX_READ_IDLE) { ++ if (purb->actual_length < 128) { ++ /* header incomplete */ ++ dev_info(&cam->udev->dev, ++ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n", ++ __func__, purb->actual_length); ++ return -EINVAL; ++ } ++ + frm->ulState = ZR364XX_READ_FRAME; + frm->cur_size = 0; +
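Review bot: The new short-buffer branch calls `dev_info()` for every undersized transfer, and the length is supplied by the device, so a faulty or hostile camera can flood the kernel log from what appears to be the URB completion path. `dev_info_ratelimited()` or a debug-level message would bound that. `purb->actual_length` is a `u32` in `struct urb`, so the format specifier should be `%u` rather than `%d`. The literal `128` matches the `actual_length-128` copy described in the commit message; a named constant shared by the check and the copy would keep them in step, though the copy itself is outside the hunk.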