From: Greg Kroah-Hartman Date: Mon, 22 May 2017 17:02:47 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.55~51 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb099f815892eb9592529b1b0eef170de103a51a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: cdc-acm-fix-possible-invalid-access-when-processing-notification.patch iio-dac-ad7303-fix-channel-description.patch of-fdt-add-missing-allocation-failure-check.patch of-fix-sparse-warning-in-of_pci_range_parser_one.patch ohci-pci-add-qemu-quirk.patch
---
diff --git a/queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch b/queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
new file mode 100644
index 00000000000..5f73974afe3
--- /dev/null
+++ b/queue-3.18/cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
@@ -0,0 +1,52 @@
+From 1bb9914e1730417d530de9ed37e59efdc647146b Mon Sep 17 00:00:00 2001
+From: Tobias Herzog
+Date: Thu, 30 Mar 2017 22:15:10 +0200
+Subject: cdc-acm: fix possible invalid access when processing notification
+
+From: Tobias Herzog
+
+commit 1bb9914e1730417d530de9ed37e59efdc647146b upstream.
+
+Notifications may only be 8 bytes long. Accessing the 9th and
+10th byte of unimplemented/unknown notifications may be insecure.
+Also check the length of known notifications before accessing anything
+behind the 8th byte.
+
+Signed-off-by: Tobias Herzog
+Acked-by: Oliver Neukum
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/class/cdc-acm.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/class/cdc-acm.c
++++ b/drivers/usb/class/cdc-acm.c
+@@ -315,6 +315,12 @@ static void acm_ctrl_irq(struct urb *urb
+ break;
+
+ case USB_CDC_NOTIFY_SERIAL_STATE:
++ if (le16_to_cpu(dr->wLength) != 2) {
++ dev_dbg(&acm->control->dev,
++ "%s - malformed serial state\n", __func__);
++ break;
++ }
++
+ newctrl = get_unaligned_le16(data);
+
+ if (!acm->clocal && (acm->ctrlin & ~newctrl & ACM_CTRL_DCD)) {
+@@ -351,11 +357,10 @@ static void acm_ctrl_irq(struct urb *urb
+
+ default:
+ dev_dbg(&acm->control->dev,
+- "%s - unknown notification %d received: index %d "
+- "len %d data0 %d data1 %d\n",
++ "%s - unknown notification %d received: index %d len %d\n",
+ __func__,
+- dr->bNotificationType, dr->wIndex,
+- dr->wLength, data[0], data[1]);
++ dr->bNotificationType, dr->wIndex, dr->wLength);
++
+ break;
+ }
+ exit:
diff --git a/queue-3.18/iio-dac-ad7303-fix-channel-description.patch b/queue-3.18/iio-dac-ad7303-fix-channel-description.patch
new file mode 100644
index 00000000000..0a436dc57cc
--- /dev/null
+++ b/queue-3.18/iio-dac-ad7303-fix-channel-description.patch
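Review bot: The new `USB_CDC_NOTIFY_SERIAL_STATE` guard tests only the device-declared `dr->wLength`, so a notification whose header claims 2 data bytes but whose transfer ended after the 8-byte header still reaches `get_unaligned_le16(data)`. Unless acm_ctrl_irq() already compares `urb->actual_length` with the header size outside this hunk, the guard should also bound what was actually received, e.g. `if (le16_to_cpu(dr->wLength) != 2 || urb->actual_length < sizeof(*dr) + 2) {`. In the `default:` branch `dr->wIndex` and `dr->wLength` are still printed without `le16_to_cpu()`, so the debug line shows byte-swapped values on big-endian hosts. The function body starts and ends outside both hunks.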
@@ -0,0 +1,35 @@
+From ce420fd4251809b4c3119b3b20c8b13bd8eba150 Mon Sep 17 00:00:00 2001
+From: Pavel Roskin
+Date: Thu, 13 Apr 2017 14:54:23 -0700
+Subject: iio: dac: ad7303: fix channel description
+
+From: Pavel Roskin
+
+commit ce420fd4251809b4c3119b3b20c8b13bd8eba150 upstream.
+
+realbits, storagebits and shift should be numbers, not ASCII characters.
+
+Signed-off-by: Pavel Roskin
+Reviewed-by: Lars-Peter Clausen
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/dac/ad7303.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/dac/ad7303.c
++++ b/drivers/iio/dac/ad7303.c
+@@ -184,9 +184,9 @@ static const struct iio_chan_spec_ext_in
+ .address = (chan), \
+ .scan_type = { \
+ .sign = 'u', \
+- .realbits = '8', \
+- .storagebits = '8', \
+- .shift = '0', \
++ .realbits = 8, \
++ .storagebits = 8, \
++ .shift = 0, \
+ }, \
+ .ext_info = ad7303_ext_info, \
+ }
diff --git a/queue-3.18/of-fdt-add-missing-allocation-failure-check.patch b/queue-3.18/of-fdt-add-missing-allocation-failure-check.patch
new file mode 100644
index 00000000000..3773082e919
--- /dev/null
+++ b/queue-3.18/of-fdt-add-missing-allocation-failure-check.patch
@@ -0,0 +1,34 @@
+From 49e67dd17649b60b4d54966e18ec9c80198227f0 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 17 May 2017 17:29:09 +0200
+Subject: of: fdt: add missing allocation-failure check
+
+From: Johan Hovold
+
+commit 49e67dd17649b60b4d54966e18ec9c80198227f0 upstream.
+
+The memory allocator passed to __unflatten_device_tree() (e.g. a wrapped
+kzalloc) can fail so add the missing sanity check to avoid dereferencing
+a NULL pointer.
+
+Fixes: fe14042358fa ("of/flattree: Refactor unflatten_device_tree and add fdt_unflatten_tree")
+Signed-off-by: Johan Hovold
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/of/fdt.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/of/fdt.c
++++ b/drivers/of/fdt.c
+@@ -380,6 +380,9 @@ static void __unflatten_device_tree(void
+
+ /* Allocate memory for the expanded device tree */
+ mem = dt_alloc(size + 4, __alignof__(struct device_node));
++ if (!mem)
++ return NULL;
++
+ memset(mem, 0, size);
+
+ *(__be32 *)(mem + size) = cpu_to_be32(0xdeadbeef);
diff --git a/queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch b/queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch
new file mode 100644
index 00000000000..1e491c36ba5
--- /dev/null
+++ b/queue-3.18/of-fix-sparse-warning-in-of_pci_range_parser_one.patch
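Review bot: `return NULL;` is added to a function that the hunk header shows as `static void __unflatten_device_tree(void`, which suggests it returns void in this 3.18 tree, so the backported line would at least draw a compiler diagnostic; if the signature is indeed void the line should be a plain `return;`. The header text is truncated and the rest of the function lies outside the hunk, so confirm against drivers/of/fdt.c before queuing. With a void return the callers get no failure signal, so it is also worth checking that they tolerate the tree not having been built after an allocation failure.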
@@ -0,0 +1,36 @@
+From eb3100365791b06242b8bb5c3c2854ba41dabfbc Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Thu, 4 May 2017 12:34:30 -0500
+Subject: of: fix sparse warning in of_pci_range_parser_one
+
+From: Rob Herring
+
+commit eb3100365791b06242b8bb5c3c2854ba41dabfbc upstream.
+
+sparse gives the following warning for 'pci_space':
+
+../drivers/of/address.c:266:26: warning: incorrect type in assignment (different base types)
+../drivers/of/address.c:266:26: expected unsigned int [unsigned] [usertype] pci_space
+../drivers/of/address.c:266:26: got restricted __be32 const [usertype]
+
+It appears that pci_space is only ever accessed on powerpc, so the endian
+swap is often not needed.
+
+Signed-off-by: Rob Herring
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/of/address.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/of/address.c
++++ b/drivers/of/address.c
+@@ -260,7 +260,7 @@ struct of_pci_range *of_pci_range_parser
+ if (!parser->range || parser->range + parser->np > parser->end)
+ return NULL;
+
+- range->pci_space = parser->range[0];
++ range->pci_space = be32_to_cpup(parser->range);
+ range->flags = of_bus_pci_get_flags(parser->range);
+ range->pci_addr = of_read_number(parser->range + 1, ns);
+ range->cpu_addr = of_translate_address(parser->node,
diff --git a/queue-3.18/ohci-pci-add-qemu-quirk.patch b/queue-3.18/ohci-pci-add-qemu-quirk.patch
new file mode 100644
index 00000000000..eb441cc816b
--- /dev/null
+++ b/queue-3.18/ohci-pci-add-qemu-quirk.patch
@@ -0,0 +1,83 @@
+From 21a60f6e65181cad64fd66ccc8080d413721ba27 Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann
+Date: Mon, 20 Mar 2017 09:11:49 +0100
+Subject: ohci-pci: add qemu quirk
+
+From: Gerd Hoffmann
+
+commit 21a60f6e65181cad64fd66ccc8080d413721ba27 upstream.
+
+On a loaded virtualization host (dozen guests booting at the same time)
+it may happen that the ohci controller emulation doesn't manage to do
+timely frame processing, with the result that the io watchdog fires and
+considers the controller being dead, even though it's only the emulation
+being unusual slow due to the load peak.
+
+So, add a quirk for qemu and don't use the watchdog in case we figure we
+are running on emulated ohci. The virtual ohci controller masquerades
+as apple ohci controller, but we can identify it by subsystem id.
+
+Signed-off-by: Gerd Hoffmann
+Signed-off-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/ohci-hcd.c | 3 ++-
+ drivers/usb/host/ohci-pci.c | 16 ++++++++++++++++
+ drivers/usb/host/ohci.h | 1 +
+ 3 files changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/ohci-hcd.c
++++ b/drivers/usb/host/ohci-hcd.c
+@@ -230,7 +230,8 @@ static int ohci_urb_enqueue (
+
+ /* Start up the I/O watchdog timer, if it's not running */
+ if (!timer_pending(&ohci->io_watchdog) &&
+- list_empty(&ohci->eds_in_use)) {
++ list_empty(&ohci->eds_in_use) &&
++ !(ohci->flags & OHCI_QUIRK_QEMU)) {
+ ohci->prev_frame_no = ohci_frame_no(ohci);
+ mod_timer(&ohci->io_watchdog,
+ jiffies + IO_WATCHDOG_DELAY);
+--- a/drivers/usb/host/ohci-pci.c
++++ b/drivers/usb/host/ohci-pci.c
+@@ -164,6 +164,15 @@ static int ohci_quirk_amd700(struct usb_
+ return 0;
+ }
+
++static int ohci_quirk_qemu(struct usb_hcd *hcd)
++{
++ struct ohci_hcd *ohci = hcd_to_ohci(hcd);
++
++ ohci->flags |= OHCI_QUIRK_QEMU;
++ ohci_dbg(ohci, "enabled qemu quirk\n");
++ return 0;
++}
++
+ /* List of quirks for OHCI */
+ static const struct pci_device_id ohci_pci_quirks[] = {
+ {
+@@ -214,6 +223,13 @@ static const struct pci_device_id ohci_p
+ PCI_DEVICE(PCI_VENDOR_ID_ATI, 0x4399),
+ .driver_data = (unsigned long)ohci_quirk_amd700,
+ },
++ {
++ .vendor = PCI_VENDOR_ID_APPLE,
++ .device = 0x003f,
++ .subvendor = PCI_SUBVENDOR_ID_REDHAT_QUMRANET,
++ .subdevice = PCI_SUBDEVICE_ID_QEMU,
++ .driver_data = (unsigned long)ohci_quirk_qemu,
++ },
+
+ /* FIXME for some of the early AMD 760 southbridges, OHCI
+ * won't work at all. blacklist them.
+--- a/drivers/usb/host/ohci.h
++++ b/drivers/usb/host/ohci.h
+@@ -418,6 +418,7 @@ struct ohci_hcd {
+ #define OHCI_QUIRK_AMD_PLL 0x200 /* AMD PLL quirk*/
+ #define OHCI_QUIRK_AMD_PREFETCH 0x400 /* pre-fetch for ISO transfer */
+ #define OHCI_QUIRK_GLOBAL_SUSPEND 0x800 /* must suspend ports */
++#define OHCI_QUIRK_QEMU 0x1000 /* relax timing expectations */
+
+ // there are also chip quirks/bugs in init logic
+
diff --git a/queue-3.18/series b/queue-3.18/series
index b962bc47a55..9c5ea6f5ccc 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -10,3 +10,8 @@ mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch
 ima-accept-previously-set-ima_new_file.patch
 regulator-tps65023-fix-inverted-core-enable-logic.patch
 ath9k_htc-fix-null-deref-at-probe.patch
+cdc-acm-fix-possible-invalid-access-when-processing-notification.patch
+ohci-pci-add-qemu-quirk.patch
+of-fix-sparse-warning-in-of_pci_range_parser_one.patch
+of-fdt-add-missing-allocation-failure-check.patch
+iio-dac-ad7303-fix-channel-description.patch
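Review bot: The comment on `OHCI_QUIRK_QEMU` in the ohci.h hunk, `/* relax timing expectations */`, understates what the flag does: in the ohci_urb_enqueue() hunk it keeps `io_watchdog` from being armed at all, so on a matching device a controller that has really stopped is no longer detected by this path. I would say that in the define, e.g. `/* emulated (qemu) controller: I/O watchdog is never started */`. The new `ohci_pci_quirks[]` entry matches on the subsystem IDs the device reports while the vendor/device pair reads as Apple hardware, so a one-line comment above the entry such as `/* qemu's OHCI model, identified by subsystem id */` would keep the next reader from mistaking it for a hardware quirk. ohci_urb_enqueue() and the quirk table both continue outside their hunks.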