From: Greg Kroah-Hartman
Date: Tue, 23 May 2017 13:41:44 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v3.18.55~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcfe13a298646ebfa71c2152f1e59eb078570a62;p=thirdparty%2Fkernel%2Fstable-queue.git
4.9-stable patches
added patches:
cx231xx-audio-fix-init-error-path.patch
cx231xx-audio-fix-null-deref-at-probe.patch
cx231xx-cards-fix-null-deref-at-probe.patch
dib0700-fix-null-deref-at-probe.patch
digitv-limit-messages-to-buffer-size.patch
dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
dw2102-limit-messages-to-buffer-size.patch
gspca-konica-add-missing-endpoint-sanity-check.patch
iio-hid-sensor-store-restore-poll-and-hysteresis-on-s3.patch
iio-proximity-as3935-fix-as3935_write.patch
ipx-call-ipxitf_put-in-ioctl-error-path.patch
s5p-mfc-fix-race-between-interrupt-routine-and-device-functions.patch
s5p-mfc-fix-unbalanced-call-to-clock-management.patch
zr364xx-enforce-minimum-size-when-reading-header.patch
---
diff --git a/queue-4.9/cx231xx-audio-fix-init-error-path.patch b/queue-4.9/cx231xx-audio-fix-init-error-path.patch
new file mode 100644
index 00000000000..7d34cb6b7f3
--- /dev/null
+++ b/queue-4.9/cx231xx-audio-fix-init-error-path.patch
@@ -0,0 +1,78 @@ +From fff1abc4d54e469140a699612b4db8d6397bfcba Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:57 -0300 +Subject: [media] cx231xx-audio: fix init error path + +From: Johan Hovold + +commit fff1abc4d54e469140a699612b4db8d6397bfcba upstream. + +Make sure to release the snd_card also on a late allocation error. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-audio.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-audio.c ++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c +@@ -674,10 +674,8 @@ static int cx231xx_audio_init(struct cx2 + + spin_lock_init(&adev->slock); + err = snd_pcm_new(card, "Cx231xx Audio", 0, 0, 1, &pcm); +- if (err < 0) { +- snd_card_free(card); +- return err; +- } ++ if (err < 0) ++ goto err_free_card; + + snd_pcm_set_ops(pcm, SNDRV_PCM_STREAM_CAPTURE, + &snd_cx231xx_pcm_capture); +@@ -691,10 +689,9 @@ static int cx231xx_audio_init(struct cx2 + INIT_WORK(&dev->wq_trigger, audio_trigger); + + err = snd_card_register(card); +- if (err < 0) { +- snd_card_free(card); +- return err; +- } ++ if (err < 0) ++ goto err_free_card; ++ + adev->sndcard = card; + adev->udev = dev->udev; + +@@ -713,9 +710,10 @@ static int cx231xx_audio_init(struct cx2 + "audio EndPoint Addr 0x%x, Alternate settings: %i\n", + adev->end_point_addr, adev->num_alt); + adev->alt_max_pkt_size = kmalloc(32 * adev->num_alt, GFP_KERNEL); +- +- if (adev->alt_max_pkt_size == NULL) +- return -ENOMEM; ++ if (!adev->alt_max_pkt_size) { ++ err = -ENOMEM; ++ goto err_free_card; ++ } + + for (i = 0; i < adev->num_alt; i++) { + u16 tmp = +@@ -729,6 +727,11 @@ static int cx231xx_audio_init(struct cx2 + } + + return 0; ++ ++err_free_card: ++ snd_card_free(card); ++ ++ return 
err; + } + + static int cx231xx_audio_fini(struct cx231xx *dev) diff --git a/queue-4.9/cx231xx-audio-fix-null-deref-at-probe.patch b/queue-4.9/cx231xx-audio-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..96e0f1b533d --- /dev/null +++ b/queue-4.9/cx231xx-audio-fix-null-deref-at-probe.patch 
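Review bot: On the late `-ENOMEM` path the new `err_free_card` label frees the card after `adev->sndcard = card` has already run, so `adev->sndcard` is left pointing at freed memory. If `cx231xx_audio_fini()`, whose body is outside this hunk, tests `adev->sndcard` before releasing the card, that would be a second free of the same object. Clearing the field in the unwind, `adev->sndcard = NULL;` just before `snd_card_free(card);`, or moving the assignment below the last failure point, closes that window. `cx231xx_audio_init()` starts above the hunk.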
@@ -0,0 +1,65 @@ +From 65f921647f4c89a2068478c89691f39b309b58f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:58 -0300 +Subject: [media] cx231xx-audio: fix NULL-deref at probe + +From: Johan Hovold + +commit 65f921647f4c89a2068478c89691f39b309b58f7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-audio.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-audio.c ++++ b/drivers/media/usb/cx231xx/cx231xx-audio.c +@@ -701,6 +701,11 @@ static int cx231xx_audio_init(struct cx2 + hs_config_info[0].interface_info. + audio_index + 1]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ err = -ENODEV; ++ goto err_free_card; ++ } ++ + adev->end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -716,8 +721,14 @@ static int cx231xx_audio_init(struct cx2 + } + + for (i = 0; i < adev->num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ err = -ENODEV; ++ goto err_free_pkt_size; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc. + wMaxPacketSize); + adev->alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -728,6 +739,8 @@ static int cx231xx_audio_init(struct cx2 + + return 0; + ++err_free_pkt_size: ++ kfree(adev->alt_max_pkt_size); + err_free_card: + snd_card_free(card); + 
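Review bot: The new `bNumEndpoints` checks bound the endpoint index, but the interface index is still unchecked in the visible lines: `uif` comes from an `interface[...]` lookup ending in `audio_index + 1` (the statement starts above the hunk), and nothing here compares that index with the configuration's interface count. A device that reports fewer interfaces than the driver's table expects would reach the same kind of out-of-bounds or NULL access one level up, so a guard against `bNumInterfaces` before the lookup is worth adding; the `uif = udev->actconfig->interface[idx]` lookups in the cx231xx-cards patch have the same shape. Separately, `err_free_pkt_size` frees `adev->alt_max_pkt_size` without clearing it, so setting it to `NULL` after the `kfree()` would keep a later teardown from freeing it again.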
diff --git a/queue-4.9/cx231xx-cards-fix-null-deref-at-probe.patch b/queue-4.9/cx231xx-cards-fix-null-deref-at-probe.patch
new file mode 100644
index 00000000000..09d1ab349fa
--- /dev/null
+++ b/queue-4.9/cx231xx-cards-fix-null-deref-at-probe.patch
@@ -0,0 +1,128 @@ +From 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:56 -0300 +Subject: [media] cx231xx-cards: fix NULL-deref at probe + +From: Johan Hovold + +commit 0cd273bb5e4d1828efaaa8dfd11b7928131ed149 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: e0d3bafd0258 ("V4L/DVB (10954): Add cx231xx USB driver") + +Cc: Sri Deevi +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/cx231xx/cx231xx-cards.c | 45 ++++++++++++++++++++++++++---- + 1 file changed, 40 insertions(+), 5 deletions(-) + +--- a/drivers/media/usb/cx231xx/cx231xx-cards.c ++++ b/drivers/media/usb/cx231xx/cx231xx-cards.c +@@ -1397,6 +1397,9 @@ static int cx231xx_init_v4l2(struct cx23 + + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->video_mode.end_point_addr = uif->altsetting[0].endpoint[isoc_pipe].desc.bEndpointAddress; + dev->video_mode.num_alt = uif->num_altsetting; + +@@ -1410,7 +1413,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->video_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe].desc.wMaxPacketSize); + dev->video_mode.alt_max_pkt_size[i] = (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); + dev_dbg(dev->dev, + "Alternate setting %i, max size= %i\n", i, +@@ -1427,6 +1435,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ 
return -ENODEV; ++ + dev->vbi_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1443,8 +1454,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->vbi_mode.num_alt; i++) { +- u16 tmp = +- le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->vbi_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1464,6 +1479,9 @@ static int cx231xx_init_v4l2(struct cx23 + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ + dev->sliced_cc_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe].desc. + bEndpointAddress; +@@ -1478,7 +1496,12 @@ static int cx231xx_init_v4l2(struct cx23 + return -ENOMEM; + + for (i = 0; i < dev->sliced_cc_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. ++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) ++ return -ENODEV; ++ ++ tmp = le16_to_cpu(uif->altsetting[i].endpoint[isoc_pipe]. + desc.wMaxPacketSize); + dev->sliced_cc_mode.alt_max_pkt_size[i] = + (tmp & 0x07ff) * (((tmp & 0x1800) >> 11) + 1); +@@ -1647,6 +1670,11 @@ static int cx231xx_usb_probe(struct usb_ + } + uif = udev->actconfig->interface[idx]; + ++ if (uif->altsetting[0].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ + dev->ts1_mode.end_point_addr = + uif->altsetting[0].endpoint[isoc_pipe]. + desc.bEndpointAddress; +@@ -1664,7 +1692,14 @@ static int cx231xx_usb_probe(struct usb_ + } + + for (i = 0; i < dev->ts1_mode.num_alt; i++) { +- u16 tmp = le16_to_cpu(uif->altsetting[i]. 
++ u16 tmp; ++ ++ if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1) { ++ retval = -ENODEV; ++ goto err_video_alt; ++ } ++ ++ tmp = le16_to_cpu(uif->altsetting[i]. + endpoint[isoc_pipe].desc. + wMaxPacketSize); + dev->ts1_mode.alt_max_pkt_size[i] = diff --git a/queue-4.9/dib0700-fix-null-deref-at-probe.patch b/queue-4.9/dib0700-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..9aab5c9f74f --- /dev/null +++ b/queue-4.9/dib0700-fix-null-deref-at-probe.patch @@ -0,0 +1,37 @@ +From d5823511c0f8719a39e72ede1bce65411ac653b7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 09:53:54 -0300 +Subject: [media] dib0700: fix NULL-deref at probe + +From: Johan Hovold + +commit d5823511c0f8719a39e72ede1bce65411ac653b7 upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer should a malicious device lack endpoints. + +Fixes: c4018fa2e4c0 ("[media] dib0700: fix RC support on Hauppauge +Nova-TD") + +Cc: Mauro Carvalho Chehab +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dib0700_core.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -812,6 +812,9 @@ int dib0700_rc_setup(struct dvb_usb_devi + + /* Starting in firmware 1.20, the RC info is provided on a bulk pipe */ + ++ if (intf->altsetting[0].desc.bNumEndpoints < rc_ep + 1) ++ return -ENODEV; ++ + purb = usb_alloc_urb(0, GFP_KERNEL); + if (purb == NULL) + return -ENOMEM; diff --git a/queue-4.9/digitv-limit-messages-to-buffer-size.patch b/queue-4.9/digitv-limit-messages-to-buffer-size.patch new file mode 100644 index 00000000000..b8864df17b6 --- /dev/null +++ b/queue-4.9/digitv-limit-messages-to-buffer-size.patch 
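Review bot: The same guard, `if (uif->altsetting[i].desc.bNumEndpoints < isoc_pipe + 1)`, is pasted at eight sites across `cx231xx_init_v4l2()` and `cx231xx_usb_probe()`, which makes it easy for a future endpoint access to be added without one. A small predicate keeps the bound in one place and reads as the question being asked; the fence shows the helper and one call site, and the other sites follow the same pattern. The failures are also silent, so a `dev_err()` naming the interface index would help when triaging a rejected or malformed device. Both functions start and end outside these hunks.

```c
/* True when alternate setting @alt has an endpoint at index @pipe. */
static bool cx231xx_alt_has_endpoint(const struct usb_host_interface *alt,
				     unsigned int pipe)
{
	return pipe < alt->desc.bNumEndpoints;
}

/* ... unchanged: uif lookup in cx231xx_init_v4l2() ... */
	if (!cx231xx_alt_has_endpoint(&uif->altsetting[0], isoc_pipe))
		return -ENODEV;
/* ... unchanged: end_point_addr / num_alt assignments and the remaining sites ... */
```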
@@ -0,0 +1,32 @@
+From 821117dc21083a99dd99174c10848d70ff43de29 Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn
+Date: Sat, 1 Apr 2017 14:33:42 -0300
+Subject: [media] digitv: limit messages to buffer size
+
+From: Alyssa Milburn
+
+commit 821117dc21083a99dd99174c10848d70ff43de29 upstream.
+
+Return an error rather than memcpy()ing beyond the end of the buffer.
+Internal callers use appropriate sizes, but digitv_i2c_xfer may not.
+
+Signed-off-by: Alyssa Milburn
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/dvb-usb/digitv.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/dvb-usb/digitv.c
++++ b/drivers/media/usb/dvb-usb/digitv.c
+@@ -33,6 +33,9 @@ static int digitv_ctrl_msg(struct dvb_us
+
+ wo = (rbuf == NULL || rlen == 0); /* write-only */
+
++ if (wlen > 4 || rlen > 4)
++ return -EIO;
++
+ memset(st->sndbuf, 0, 7);
+ memset(st->rcvbuf, 0, 7);
+
diff --git a/queue-4.9/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch b/queue-4.9/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
new file mode 100644
index 00000000000..867f0d48a12
--- /dev/null
+++ b/queue-4.9/dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
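Review bot: The limit in `if (wlen > 4 || rlen > 4)` is a bare literal, and its relation to the 7-byte `sndbuf`/`rcvbuf` cleared on the next lines is left for the reader to work out. A named constant or a one-line comment such as `/* payload limit: 7-byte buffers minus header bytes */` would tie the check to the buffers it protects, so the two cannot drift apart if the buffer size changes; the header size is inferred and should be confirmed against the copies below the hunk. The rejection is also silent, whereas the companion dw2102 patch logs the oversized length, so a caller that trips this gets `-EIO` with no hint why. `digitv_ctrl_msg()` continues outside the hunk.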
@@ -0,0 +1,36 @@
+From 158f0328af86a99d64073851967a02694bff987d Mon Sep 17 00:00:00 2001
+From: Daniel Scheller
+Date: Sun, 19 Mar 2017 12:26:39 -0300
+Subject: [media] dvb-frontends/cxd2841er: define symbol_rate_min/max in T/C fe-ops
+
+From: Daniel Scheller
+
+commit 158f0328af86a99d64073851967a02694bff987d upstream.
+
+Fixes "w_scan -f c" complaining with
+
+ This dvb driver is *buggy*: the symbol rate limits are undefined - please
+ report to linuxtv.org)
+
+Signed-off-by: Daniel Scheller
+Acked-by: Abylay Ospan
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/dvb-frontends/cxd2841er.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-frontends/cxd2841er.c
++++ b/drivers/media/dvb-frontends/cxd2841er.c
+@@ -3852,7 +3852,9 @@ static struct dvb_frontend_ops cxd2841e
+ FE_CAN_MUTE_TS |
+ FE_CAN_2G_MODULATION,
+ .frequency_min = 42000000,
+- .frequency_max = 1002000000
++ .frequency_max = 1002000000,
++ .symbol_rate_min = 870000,
++ .symbol_rate_max = 11700000
+ },
+ .init = cxd2841er_init_tc,
+ .sleep = cxd2841er_sleep_tc,
diff --git a/queue-4.9/dw2102-limit-messages-to-buffer-size.patch b/queue-4.9/dw2102-limit-messages-to-buffer-size.patch
new file mode 100644
index 00000000000..3419c86bc1d
--- /dev/null
+++ b/queue-4.9/dw2102-limit-messages-to-buffer-size.patch
@@ -0,0 +1,118 @@ +From 950e252cb469f323740d78e4907843acef89eedb Mon Sep 17 00:00:00 2001 +From: Alyssa Milburn +Date: Sat, 1 Apr 2017 14:34:49 -0300 +Subject: [media] dw2102: limit messages to buffer size + +From: Alyssa Milburn + +commit 950e252cb469f323740d78e4907843acef89eedb upstream. + +Otherwise the i2c transfer functions can read or write beyond the end of +stack or heap buffers. + +Signed-off-by: Alyssa Milburn +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/dw2102.c | 54 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 54 insertions(+) + +--- a/drivers/media/usb/dvb-usb/dw2102.c ++++ b/drivers/media/usb/dvb-usb/dw2102.c +@@ -205,6 +205,20 @@ static int dw2102_serit_i2c_transfer(str + + switch (num) { + case 2: ++ if (msg[0].len != 1) { ++ warn("i2c rd: len=%d is not 1!\n", ++ msg[0].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ ++ if (2 + msg[1].len > sizeof(buf6)) { ++ warn("i2c rd: len=%d is too big!\n", ++ msg[1].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ + /* read si2109 register by number */ + buf6[0] = msg[0].addr << 1; + buf6[1] = msg[0].len; +@@ -220,6 +234,13 @@ static int dw2102_serit_i2c_transfer(str + case 1: + switch (msg[0].addr) { + case 0x68: ++ if (2 + msg[0].len > sizeof(buf6)) { ++ warn("i2c wr: len=%d is too big!\n", ++ msg[0].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ + /* write to si2109 register */ + buf6[0] = msg[0].addr << 1; + buf6[1] = msg[0].len; +@@ -263,6 +284,13 @@ static int dw2102_earda_i2c_transfer(str + /* first write first register number */ + u8 ibuf[MAX_XFER_SIZE], obuf[3]; + ++ if (2 + msg[0].len != sizeof(obuf)) { ++ warn("i2c rd: len=%d is not 1!\n", ++ msg[0].len); ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } ++ + if (2 + msg[1].len > sizeof(ibuf)) { + warn("i2c rd: len=%d is too big!\n", + msg[1].len); +@@ -463,6 +491,12 @@ static int dw3101_i2c_transfer(struct i2 + /* first write first register number */ + u8 ibuf[MAX_XFER_SIZE], obuf[3]; + 
++ if (2 + msg[0].len != sizeof(obuf)) { ++ warn("i2c rd: len=%d is not 1!\n", ++ msg[0].len); ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + if (2 + msg[1].len > sizeof(ibuf)) { + warn("i2c rd: len=%d is too big!\n", + msg[1].len); +@@ -697,6 +731,13 @@ static int su3000_i2c_transfer(struct i2 + msg[0].buf[0] = state->data[1]; + break; + default: ++ if (3 + msg[0].len > sizeof(state->data)) { ++ warn("i2c wr: len=%d is too big!\n", ++ msg[0].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ + /* always i2c write*/ + state->data[0] = 0x08; + state->data[1] = msg[0].addr; +@@ -712,6 +753,19 @@ static int su3000_i2c_transfer(struct i2 + break; + case 2: + /* always i2c read */ ++ if (4 + msg[0].len > sizeof(state->data)) { ++ warn("i2c rd: len=%d is too big!\n", ++ msg[0].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ if (1 + msg[1].len > sizeof(state->data)) { ++ warn("i2c rd: len=%d is too big!\n", ++ msg[1].len); ++ num = -EOPNOTSUPP; ++ break; ++ } ++ + state->data[0] = 0x09; + state->data[1] = msg[0].len; + state->data[2] = msg[1].len; diff --git a/queue-4.9/gspca-konica-add-missing-endpoint-sanity-check.patch b/queue-4.9/gspca-konica-add-missing-endpoint-sanity-check.patch new file mode 100644 index 00000000000..a418c2bfb1b --- /dev/null +++ b/queue-4.9/gspca-konica-add-missing-endpoint-sanity-check.patch 
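Review bot: Every new length check logs through an unthrottled `warn()`, and the lengths come from the caller's `i2c_msg` array, so a caller that keeps submitting oversized messages can fill the kernel log at will. If these adapters are reachable from user space (not visible in these hunks), a rate-limited print such as `pr_warn_ratelimited("i2c rd: len=%d is too big!\n", msg[1].len);` would keep the diagnostic without that side effect. In `su3000_i2c_transfer()` the two read-path checks on `msg[0].len` and `msg[1].len` also emit the identical string, so the log cannot tell which message was rejected. The transfer functions start and end outside these hunks.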
@@ -0,0 +1,41 @@
+From aa58fedb8c7b6cf2f05941d238495f9e2f29655c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Mar 2017 09:53:59 -0300
+Subject: [media] gspca: konica: add missing endpoint sanity check
+
+From: Johan Hovold
+
+commit aa58fedb8c7b6cf2f05941d238495f9e2f29655c upstream.
+
+Make sure to check the number of endpoints to avoid accessing memory
+beyond the endpoint array should a device lack the expected endpoints.
+
+Note that, as far as I can tell, the gspca framework has already made
+sure there is at least one endpoint in the current alternate setting so
+there should be no risk for a NULL-pointer dereference here.
+
+Fixes: b517af722860 ("V4L/DVB: gspca_konica: New gspca subdriver for
+konica chipset using cams")
+
+Cc: Hans de Goede
+Signed-off-by: Johan Hovold
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/gspca/konica.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/media/usb/gspca/konica.c
++++ b/drivers/media/usb/gspca/konica.c
+@@ -188,6 +188,9 @@ static int sd_start(struct gspca_dev *gs
+ return -EIO;
+ }
+
++ if (alt->desc.bNumEndpoints < 2)
++ return -ENODEV;
++
+ packet_size = le16_to_cpu(alt->endpoint[0].desc.wMaxPacketSize);
+
+ n = gspca_dev->cam.cam_mode[gspca_dev->curr_mode].priv;
diff --git a/queue-4.9/iio-hid-sensor-store-restore-poll-and-hysteresis-on-s3.patch b/queue-4.9/iio-hid-sensor-store-restore-poll-and-hysteresis-on-s3.patch
new file mode 100644
index 00000000000..769d072e619
--- /dev/null
+++ b/queue-4.9/iio-hid-sensor-store-restore-poll-and-hysteresis-on-s3.patch
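Review bot: The new guard requires two endpoints, `if (alt->desc.bNumEndpoints < 2)`, but the only access visible in the hunk is `alt->endpoint[0]`, so the reason for the `2` has to be found elsewhere in `sd_start()`. A comment on the check, for example `/* endpoint[0] and endpoint[1] are both used below */`, would record which later access it protects. The second use is presumably further down the function, outside this hunk, and the comment wording should be confirmed against it.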
@@ -0,0 +1,148 @@ +From 5d9854eaea776441b38a9a45b4e6879524c4f48c Mon Sep 17 00:00:00 2001 +From: Srinivas Pandruvada +Date: Fri, 7 Apr 2017 17:13:17 -0700 +Subject: iio: hid-sensor: Store restore poll and hysteresis on S3 + +From: Srinivas Pandruvada + +commit 5d9854eaea776441b38a9a45b4e6879524c4f48c upstream. + +This change undo the change done by 'commit 3bec24747446 +("iio: hid-sensor-trigger: Change get poll value function order to avoid +sensor properties losing after resume from S3")' as this breaks some +USB/i2c sensor hubs. + +Instead of relying on HW for restoring poll and hysteresis, driver stores +and restores on resume (S3). In this way user space modified settings are +not lost for any kind of sensor hub behavior. + +In this change, whenever user space modifies sampling frequency or +hysteresis driver will get the feature value from the hub and store in the +per device hid_sensor_common data structure. On resume callback from S3, +system will set the feature to sensor hub, if user space ever modified the +feature value. 
+ +Fixes: 3bec24747446 ("iio: hid-sensor-trigger: Change get poll value function order to avoid sensor properties losing after resume from S3") +Reported-by: Ritesh Raj Sarraf +Tested-by: Ritesh Raj Sarraf +Tested-by: Song, Hongyan +Signed-off-by: Srinivas Pandruvada +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/common/hid-sensors/hid-sensor-attributes.c | 26 +++++++++++++++-- + drivers/iio/common/hid-sensors/hid-sensor-trigger.c | 20 +++++++++++-- + include/linux/hid-sensor-hub.h | 2 + + 3 files changed, 43 insertions(+), 5 deletions(-) + +--- a/drivers/iio/common/hid-sensors/hid-sensor-attributes.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-attributes.c +@@ -217,7 +217,15 @@ int hid_sensor_write_samp_freq_value(str + if (ret < 0 || value < 0) + ret = -EINVAL; + +- return ret; ++ ret = sensor_hub_get_feature(st->hsdev, ++ st->poll.report_id, ++ st->poll.index, sizeof(value), &value); ++ if (ret < 0 || value < 0) ++ return -EINVAL; ++ ++ st->poll_interval = value; ++ ++ return 0; + } + EXPORT_SYMBOL(hid_sensor_write_samp_freq_value); + +@@ -259,7 +267,16 @@ int hid_sensor_write_raw_hyst_value(stru + if (ret < 0 || value < 0) + ret = -EINVAL; + +- return ret; ++ ret = sensor_hub_get_feature(st->hsdev, ++ st->sensitivity.report_id, ++ st->sensitivity.index, sizeof(value), ++ &value); ++ if (ret < 0 || value < 0) ++ return -EINVAL; ++ ++ st->raw_hystersis = value; ++ ++ return 0; + } + EXPORT_SYMBOL(hid_sensor_write_raw_hyst_value); + +@@ -355,6 +372,9 @@ int hid_sensor_get_reporting_interval(st + /* Default unit of measure is milliseconds */ + if (st->poll.units == 0) + st->poll.units = HID_USAGE_SENSOR_UNITS_MILLISECOND; ++ ++ st->poll_interval = -1; ++ + return 0; + + } +@@ -377,6 +397,8 @@ int hid_sensor_parse_common_attributes(s + HID_USAGE_SENSOR_PROY_POWER_STATE, + &st->power_state); + ++ st->raw_hystersis = -1; ++ + sensor_hub_input_get_attribute_info(hsdev, + HID_FEATURE_REPORT, usage_id, + 
HID_USAGE_SENSOR_PROP_SENSITIVITY_ABS, +--- a/drivers/iio/common/hid-sensors/hid-sensor-trigger.c ++++ b/drivers/iio/common/hid-sensors/hid-sensor-trigger.c +@@ -51,6 +51,8 @@ static int _hid_sensor_power_state(struc + st->report_state.report_id, + st->report_state.index, + HID_USAGE_SENSOR_PROP_REPORTING_STATE_ALL_EVENTS_ENUM); ++ ++ poll_value = hid_sensor_read_poll_value(st); + } else { + int val; + +@@ -87,9 +89,7 @@ static int _hid_sensor_power_state(struc + sensor_hub_get_feature(st->hsdev, st->power_state.report_id, + st->power_state.index, + sizeof(state_val), &state_val); +- if (state) +- poll_value = hid_sensor_read_poll_value(st); +- if (poll_value > 0) ++ if (state && poll_value) + msleep_interruptible(poll_value * 2); + + return 0; +@@ -127,6 +127,20 @@ static void hid_sensor_set_power_work(st + struct hid_sensor_common *attrb = container_of(work, + struct hid_sensor_common, + work); ++ ++ if (attrb->poll_interval >= 0) ++ sensor_hub_set_feature(attrb->hsdev, attrb->poll.report_id, ++ attrb->poll.index, ++ sizeof(attrb->poll_interval), ++ &attrb->poll_interval); ++ ++ if (attrb->raw_hystersis >= 0) ++ sensor_hub_set_feature(attrb->hsdev, ++ attrb->sensitivity.report_id, ++ attrb->sensitivity.index, ++ sizeof(attrb->raw_hystersis), ++ &attrb->raw_hystersis); ++ + _hid_sensor_power_state(attrb, true); + } + +--- a/include/linux/hid-sensor-hub.h ++++ b/include/linux/hid-sensor-hub.h +@@ -231,6 +231,8 @@ struct hid_sensor_common { + unsigned usage_id; + atomic_t data_ready; + atomic_t user_requested_state; ++ int poll_interval; ++ int raw_hystersis; + struct iio_trigger *trigger; + struct hid_sensor_hub_attribute_info poll; + struct hid_sensor_hub_attribute_info report_state; diff --git a/queue-4.9/iio-proximity-as3935-fix-as3935_write.patch b/queue-4.9/iio-proximity-as3935-fix-as3935_write.patch new file mode 100644 index 00000000000..e678df63deb --- /dev/null +++ b/queue-4.9/iio-proximity-as3935-fix-as3935_write.patch 
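Review bot: In `hid_sensor_write_samp_freq_value()` the context lines `if (ret < 0 || value < 0) ret = -EINVAL;` no longer have any effect, because the added `ret = sensor_hub_get_feature(...)` immediately overwrites `ret`; a failed write to the hub is then reported as success whenever the read-back works. `hid_sensor_write_raw_hyst_value()` has the same sequence. The earlier check should return directly, `if (ret < 0 || value < 0) return -EINVAL;`, before the read-back. In `_hid_sensor_power_state()` the sleep condition also changed from `poll_value > 0` to `state && poll_value`, so a negative result from `hid_sensor_read_poll_value()`, if it can return one, would now reach `msleep_interruptible(poll_value * 2)`; keeping the `> 0` test avoids that.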
@@ -0,0 +1,40 @@
+From 84ca8e364acb26aba3292bc113ca8ed4335380fd Mon Sep 17 00:00:00 2001
+From: Matt Ranostay
+Date: Thu, 13 Apr 2017 23:21:56 -0700
+Subject: iio: proximity: as3935: fix as3935_write
+
+From: Matt Ranostay
+
+commit 84ca8e364acb26aba3292bc113ca8ed4335380fd upstream.
+
+AS3935_WRITE_DATA macro bit is incorrect and the actual write
+sequence is two leading zeros.
+
+Cc: George McCollister
+Signed-off-by: Matt Ranostay
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/proximity/as3935.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/iio/proximity/as3935.c
++++ b/drivers/iio/proximity/as3935.c
+@@ -50,7 +50,6 @@
+ #define AS3935_TUNE_CAP 0x08
+ #define AS3935_CALIBRATE 0x3D
+
+-#define AS3935_WRITE_DATA BIT(15)
+ #define AS3935_READ_DATA BIT(14)
+ #define AS3935_ADDRESS(x) ((x) << 8)
+
+@@ -105,7 +104,7 @@ static int as3935_write(struct as3935_st
+ {
+ u8 *buf = st->buf;
+
+- buf[0] = (AS3935_WRITE_DATA | AS3935_ADDRESS(reg)) >> 8;
++ buf[0] = AS3935_ADDRESS(reg) >> 8;
+ buf[1] = val;
+
+ return spi_write(st->spi, buf, 2);
diff --git a/queue-4.9/ipx-call-ipxitf_put-in-ioctl-error-path.patch b/queue-4.9/ipx-call-ipxitf_put-in-ioctl-error-path.patch
new file mode 100644
index 00000000000..d61f880100c
--- /dev/null
+++ b/queue-4.9/ipx-call-ipxitf_put-in-ioctl-error-path.patch
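Review bot: `buf[0] = AS3935_ADDRESS(reg) >> 8;` shifts the register number left by eight and straight back, so it is just `reg`, and nothing in the line keeps clear the two leading bits that the description says a write needs. If `reg` can ever carry bits above the address field, the byte would turn into a different command (bit 14 of the word is `AS3935_READ_DATA`); masking the address, with the mask width taken from the datasheet, would make the write format explicit. `as3935_write()` starts above the hunk, so the range of `reg` at its callers is not visible here.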
@@ -0,0 +1,39 @@
+From ee0d8d8482345ff97a75a7d747efc309f13b0d80 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 2 May 2017 13:58:53 +0300
+Subject: ipx: call ipxitf_put() in ioctl error path
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+commit ee0d8d8482345ff97a75a7d747efc309f13b0d80 upstream.
+
+We should call ipxitf_put() if the copy_to_user() fails.
+
+Reported-by: 李强
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipx/af_ipx.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/net/ipx/af_ipx.c
++++ b/net/ipx/af_ipx.c
+@@ -1168,11 +1168,10 @@ static int ipxitf_ioctl(unsigned int cmd
+ sipx->sipx_network = ipxif->if_netnum;
+ memcpy(sipx->sipx_node, ipxif->if_node,
+ sizeof(sipx->sipx_node));
+- rc = -EFAULT;
++ rc = 0;
+ if (copy_to_user(arg, &ifr, sizeof(ifr)))
+- break;
++ rc = -EFAULT;
+ ipxitf_put(ipxif);
+- rc = 0;
+ break;
+ }
+ case SIOCAIPXITFCRT:
diff --git a/queue-4.9/s5p-mfc-fix-race-between-interrupt-routine-and-device-functions.patch b/queue-4.9/s5p-mfc-fix-race-between-interrupt-routine-and-device-functions.patch
new file mode 100644
index 00000000000..f920eeb8b97
--- /dev/null
+++ b/queue-4.9/s5p-mfc-fix-race-between-interrupt-routine-and-device-functions.patch
@@ -0,0 +1,113 @@ +From 0c32b8ec02832df167e16ad659cb11dc148f2ddf Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Thu, 23 Feb 2017 08:43:27 -0300 +Subject: [media] s5p-mfc: Fix race between interrupt routine and device functions + +From: Marek Szyprowski + +commit 0c32b8ec02832df167e16ad659cb11dc148f2ddf upstream. + +Interrupt routine must wake process waiting for given interrupt AFTER +updating driver's internal structures and contexts. Doing it in-between +is a serious bug. This patch moves all calls to the wake() function to +the end of the interrupt processing block to avoid potential and real +races, especially on multi-core platforms. This also fixes following issue +reported from clock core (clocks were disabled in interrupt after being +unprepared from the other place in the driver, the stack trace however +points to the different place than s5p_mfc driver because of the race): + +WARNING: CPU: 1 PID: 18 at drivers/clk/clk.c:544 clk_core_unprepare+0xc8/0x108 +Modules linked in: +CPU: 1 PID: 18 Comm: kworker/1:0 Not tainted 4.10.0-next-20170223-00070-g04e18bc99ab9-dirty #2154 +Hardware name: SAMSUNG EXYNOS (Flattened Device Tree) +Workqueue: pm pm_runtime_work +[] (unwind_backtrace) from [] (show_stack+0x10/0x14) +[] (show_stack) from [] (dump_stack+0x74/0x94) +[] (dump_stack) from [] (__warn+0xd4/0x100) +[] (__warn) from [] (warn_slowpath_null+0x20/0x28) +[] (warn_slowpath_null) from [] (clk_core_unprepare+0xc8/0x108) +[] (clk_core_unprepare) from [] (clk_unprepare+0x24/0x2c) +[] (clk_unprepare) from [] (exynos_sysmmu_suspend+0x48/0x60) +[] (exynos_sysmmu_suspend) from [] (pm_generic_runtime_suspend+0x2c/0x38) +[] (pm_generic_runtime_suspend) from [] (genpd_runtime_suspend+0x94/0x220) +[] (genpd_runtime_suspend) from [] (__rpm_callback+0x134/0x208) +[] (__rpm_callback) from [] (rpm_callback+0x20/0x80) +[] (rpm_callback) from [] (rpm_suspend+0xdc/0x458) +[] (rpm_suspend) from [] (pm_runtime_work+0x80/0x90) +[] (pm_runtime_work) from [] 
(process_one_work+0x120/0x318) +[] (process_one_work) from [] (worker_thread+0x2c/0x4ac) +[] (worker_thread) from [] (kthread+0xfc/0x134) +[] (kthread) from [] (ret_from_fork+0x14/0x3c) +---[ end trace 1ead49a7bb83f0d8 ]--- + +Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver") + +Signed-off-by: Marek Szyprowski +Reviewed-by: Javier Martinez Canillas +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -663,9 +663,9 @@ static irqreturn_t s5p_mfc_irq(int irq, + break; + } + s5p_mfc_hw_call(dev->mfc_ops, clear_int_flags, dev); +- wake_up_ctx(ctx, reason, err); + WARN_ON(test_and_clear_bit(0, &dev->hw_lock) == 0); + s5p_mfc_clock_off(); ++ wake_up_ctx(ctx, reason, err); + s5p_mfc_hw_call(dev->mfc_ops, try_run, dev); + } else { + s5p_mfc_handle_frame(ctx, reason, err); +@@ -679,15 +679,11 @@ static irqreturn_t s5p_mfc_irq(int irq, + case S5P_MFC_R2H_CMD_OPEN_INSTANCE_RET: + ctx->inst_no = s5p_mfc_hw_call(dev->mfc_ops, get_inst_no, dev); + ctx->state = MFCINST_GOT_INST; +- clear_work_bit(ctx); +- wake_up(&ctx->queue); + goto irq_cleanup_hw; + + case S5P_MFC_R2H_CMD_CLOSE_INSTANCE_RET: +- clear_work_bit(ctx); + ctx->inst_no = MFC_NO_INSTANCE_SET; + ctx->state = MFCINST_FREE; +- wake_up(&ctx->queue); + goto irq_cleanup_hw; + + case S5P_MFC_R2H_CMD_SYS_INIT_RET: +@@ -697,9 +693,9 @@ static irqreturn_t s5p_mfc_irq(int irq, + if (ctx) + clear_work_bit(ctx); + s5p_mfc_hw_call(dev->mfc_ops, clear_int_flags, dev); +- wake_up_dev(dev, reason, err); + clear_bit(0, &dev->hw_lock); + clear_bit(0, &dev->enter_suspend); ++ wake_up_dev(dev, reason, err); + break; + + case S5P_MFC_R2H_CMD_INIT_BUFFERS_RET: +@@ -714,9 +710,7 @@ static irqreturn_t s5p_mfc_irq(int irq, + break; + + case 
S5P_MFC_R2H_CMD_DPB_FLUSH_RET: +- clear_work_bit(ctx); + ctx->state = MFCINST_RUNNING; +- wake_up(&ctx->queue); + goto irq_cleanup_hw; + + default: +@@ -735,6 +729,8 @@ irq_cleanup_hw: + mfc_err("Failed to unlock hw\n"); + + s5p_mfc_clock_off(); ++ clear_work_bit(ctx); ++ wake_up(&ctx->queue); + + s5p_mfc_hw_call(dev->mfc_ops, try_run, dev); + spin_unlock(&dev->irqlock); diff --git a/queue-4.9/s5p-mfc-fix-unbalanced-call-to-clock-management.patch b/queue-4.9/s5p-mfc-fix-unbalanced-call-to-clock-management.patch new file mode 100644 index 00000000000..d52b781248e --- /dev/null +++ b/queue-4.9/s5p-mfc-fix-unbalanced-call-to-clock-management.patch @@ -0,0 +1,34 @@ +From a5cb00eb4223458250b55daf03ac7ea5f424d601 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Wed, 22 Mar 2017 04:53:57 -0300 +Subject: [media] s5p-mfc: Fix unbalanced call to clock management + +From: Marek Szyprowski + +commit a5cb00eb4223458250b55daf03ac7ea5f424d601 upstream. + +Clock should be turned off after calling s5p_mfc_init_hw() from the +watchdog worker, like it is already done in the s5p_mfc_open() which also +calls this function. + +Fixes: af93574678108 ("[media] MFC: Add MFC 5.1 V4L2 driver") + +Signed-off-by: Marek Szyprowski +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -206,6 +206,7 @@ static void s5p_mfc_watchdog_worker(stru + } + s5p_mfc_clock_on(); + ret = s5p_mfc_init_hw(dev); ++ s5p_mfc_clock_off(); + if (ret) + mfc_err("Failed to reinit FW\n"); + } diff --git a/queue-4.9/series b/queue-4.9/series index e411dc204e0..3d248819bfa 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
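Review bot: The ordering established at `irq_cleanup_hw`, with `s5p_mfc_clock_off()` first and then `clear_work_bit(ctx)` and `wake_up(&ctx->queue)`, is the whole fix, yet nothing in the code says so, and the old order looks equally plausible to someone tidying the handler later. A comment above the wake-up, for example `/* wake waiters last: they may change clocks and state the handler still uses */`, would protect it from being reordered back. The same applies to the moved `wake_up_ctx()` and `wake_up_dev()` calls in the two earlier hunks of this patch. `s5p_mfc_irq()` starts and ends outside these hunks.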
@@ -94,3 +94,17 @@ usb-serial-mct_u232-fix-big-endian-baud-rate-handling.patch
 usb-serial-io_ti-fix-div-by-zero-in-set_termios.patch
 usb-hub-fix-ss-hub-descriptor-handling.patch
 usb-hub-fix-non-ss-hub-descriptor-handling.patch
+ipx-call-ipxitf_put-in-ioctl-error-path.patch
+iio-proximity-as3935-fix-as3935_write.patch
+iio-hid-sensor-store-restore-poll-and-hysteresis-on-s3.patch
+s5p-mfc-fix-race-between-interrupt-routine-and-device-functions.patch
+gspca-konica-add-missing-endpoint-sanity-check.patch
+s5p-mfc-fix-unbalanced-call-to-clock-management.patch
+dib0700-fix-null-deref-at-probe.patch
+zr364xx-enforce-minimum-size-when-reading-header.patch
+dvb-frontends-cxd2841er-define-symbol_rate_min-max-in-t-c-fe-ops.patch
+digitv-limit-messages-to-buffer-size.patch
+dw2102-limit-messages-to-buffer-size.patch
+cx231xx-audio-fix-init-error-path.patch
+cx231xx-audio-fix-null-deref-at-probe.patch
+cx231xx-cards-fix-null-deref-at-probe.patch
diff --git a/queue-4.9/zr364xx-enforce-minimum-size-when-reading-header.patch b/queue-4.9/zr364xx-enforce-minimum-size-when-reading-header.patch
new file mode 100644
index 00000000000..4264c3df492
--- /dev/null
+++ b/queue-4.9/zr364xx-enforce-minimum-size-when-reading-header.patch
@@ -0,0 +1,37 @@
+From ee0fe833d96793853335844b6d99fb76bd12cbeb Mon Sep 17 00:00:00 2001
+From: Alyssa Milburn
+Date: Sat, 1 Apr 2017 14:34:08 -0300
+Subject: [media] zr364xx: enforce minimum size when reading header
+
+From: Alyssa Milburn
+
+commit ee0fe833d96793853335844b6d99fb76bd12cbeb upstream.
+
+This code copies actual_length-128 bytes from the header, which will
+underflow if the received buffer is too small.
+
+Signed-off-by: Alyssa Milburn
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -604,6 +604,14 @@ static int zr364xx_read_video_callback(s
+ ptr = pdest = frm->lpvbits;
+
+ if (frm->ulState == ZR364XX_READ_IDLE) {
++ if (purb->actual_length < 128) {
++ /* header incomplete */
++ dev_info(&cam->udev->dev,
++ "%s: buffer (%d bytes) too small to hold jpeg header. Discarding.\n",
++ __func__, purb->actual_length);
++ return -EINVAL;
++ }
++
+ frm->ulState = ZR364XX_READ_FRAME;
+ frm->cur_size = 0;
+
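Review bot: The header size appears as a bare `128` in the new check, and per the description the same value is subtracted from `actual_length` in the copy that follows outside the hunk, so the guard and the arithmetic it protects are linked only by a repeated literal. A shared named constant would keep the two together. `purb->actual_length` is a `u32` in `struct urb`, so the format should be `%u` rather than `%d`. The message is printed once per short transfer and the length is supplied by the device, so `dev_info_ratelimited()` would stop a misbehaving device from flooding the log.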