From 003ffd0a04929e713fa183720033c49361cf321d Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 29 Sep 2018 16:47:05 -0700 Subject: [PATCH] 4.9-stable patches added patches: floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch regulator-fix-crash-caused-by-null-driver-data.patch serial-cpm_uart-return-immediately-from-console-poll.patch serial-imx-restore-handshaking-irq-for-imx1.patch spi-rspi-fix-interrupted-dma-transfers.patch spi-rspi-fix-invalid-spi-use-during-system-suspend.patch spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch spi-tegra20-slink-explicitly-enable-disable-clock.patch tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch usb-fix-error-handling-in-usb_driver_claim_interface.patch usb-handle-null-config-in-usb_find_alt_setting.patch --- ...ter-to-user-memory-in-fdgetprm-ioctl.patch | 46 ++++++++++ ...fix-crash-caused-by-null-driver-data.patch | 42 ++++++++++ ...return-immediately-from-console-poll.patch | 48 +++++++++++ ...imx-restore-handshaking-irq-for-imx1.patch | 42 ++++++++++ queue-4.9/series | 12 +++ ...i-rspi-fix-interrupted-dma-transfers.patch | 58 +++++++++++++ ...nvalid-spi-use-during-system-suspend.patch | 67 +++++++++++++++ ...ng-of-write-value-for-sistr-register.patch | 38 +++++++++ ...nvalid-spi-use-during-system-suspend.patch | 69 +++++++++++++++ ...link-explicitly-enable-disable-clock.patch | 84 +++++++++++++++++++ ...uart-avoid-leaking-struct-tty_struct.patch | 39 +++++++++ ...ndling-in-usb_driver_claim_interface.patch | 58 +++++++++++++ ...-null-config-in-usb_find_alt_setting.patch | 38 +++++++++ 13 files changed, 641 insertions(+) create mode 100644 queue-4.9/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch create mode 100644 queue-4.9/regulator-fix-crash-caused-by-null-driver-data.patch create mode 100644 queue-4.9/serial-cpm_uart-return-immediately-from-console-poll.patch create mode 100644 queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch create 
mode 100644 queue-4.9/spi-rspi-fix-interrupted-dma-transfers.patch create mode 100644 queue-4.9/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch create mode 100644 queue-4.9/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch create mode 100644 queue-4.9/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch create mode 100644 queue-4.9/spi-tegra20-slink-explicitly-enable-disable-clock.patch create mode 100644 queue-4.9/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch create mode 100644 queue-4.9/usb-fix-error-handling-in-usb_driver_claim_interface.patch create mode 100644 queue-4.9/usb-handle-null-config-in-usb_find_alt_setting.patch
diff --git a/queue-4.9/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch b/queue-4.9/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
new file mode 100644
index 00000000000..a3e8157d9f9
--- /dev/null
+++ b/queue-4.9/floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
@@ -0,0 +1,46 @@
+From 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e Mon Sep 17 00:00:00 2001
+From: Andy Whitcroft
+Date: Thu, 20 Sep 2018 09:09:48 -0600
+Subject: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
+
+From: Andy Whitcroft
+
+commit 65eea8edc315589d6c993cf12dbb5d0e9ef1fe4e upstream.
+
+The final field of a floppy_struct is the field "name", which is a pointer
+to a string in kernel memory. The kernel pointer should not be copied to
+user memory. The FDGETPRM ioctl copies a floppy_struct to user memory,
+including this "name" field. This pointer cannot be used by the user
+and it will leak a kernel address to user-space, which will reveal the
+location of kernel code and data and undermine KASLR protection.
+
+Model this code after the compat ioctl which copies the returned data
+to a previously cleared temporary structure on the stack (excluding the
+name pointer) and copy out to userspace from there. As we already have
+an inparam union with an appropriate member and that memory is already
+cleared even for read only calls make use of that as a temporary store.
+
+Based on an initial patch by Brian Belleville.
+
+CVE-2018-7755
+Signed-off-by: Andy Whitcroft
+Broke up long line.
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3459,6 +3459,9 @@ static int fd_locked_ioctl(struct block_
+ (struct floppy_struct **)&outparam);
+ if (ret)
+ return ret;
++ memcpy(&inparam.g, outparam,
++ offsetof(struct floppy_struct, name));
++ outparam = &inparam.g;
+ break;
+ case FDMSGON:
+ UDP->flags |= FTD_MSG;
diff --git a/queue-4.9/regulator-fix-crash-caused-by-null-driver-data.patch b/queue-4.9/regulator-fix-crash-caused-by-null-driver-data.patch
new file mode 100644
index 00000000000..b3bcebbfc27
--- /dev/null
+++ b/queue-4.9/regulator-fix-crash-caused-by-null-driver-data.patch
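Review bot: The `memcpy()` added to the FDGETPRM case of `fd_locked_ioctl()` carries no comment saying that it deliberately stops at `offsetof(struct floppy_struct, name)` so that the kernel `name` pointer never reaches the buffer that is copied out. What userspace then receives in the `name` slot is whatever `inparam.g` already held there, so the fix is only complete if `inparam` is cleared before the switch for read-only commands, as the description states; that clearing is outside the hunk. I would add above the memcpy: `/* copy everything except the trailing kernel 'name' pointer; inparam is pre-cleared, so userspace sees zeroes in that slot */`. The case block and the rest of the function continue outside the hunk.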
@@ -0,0 +1,42 @@
+From fb6de923ca3358a91525552b4907d4cb38730bdd Mon Sep 17 00:00:00 2001
+From: Yu Zhao
+Date: Wed, 19 Sep 2018 15:30:51 -0600
+Subject: regulator: fix crash caused by null driver data
+
+From: Yu Zhao
+
+commit fb6de923ca3358a91525552b4907d4cb38730bdd upstream.
+
+dev_set_drvdata() needs to be called before device_register()
+exposes device to userspace. Otherwise kernel crashes after it
+gets null pointer from dev_get_drvdata() when userspace tries
+to access sysfs entries.
+
+[Removed backtrace for length -- broonie]
+
+Signed-off-by: Yu Zhao
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -4054,13 +4054,13 @@ regulator_register(const struct regulato
+ !rdev->desc->fixed_uV)
+ rdev->is_switch = true;
+
++ dev_set_drvdata(&rdev->dev, rdev);
+ ret = device_register(&rdev->dev);
+ if (ret != 0) {
+ put_device(&rdev->dev);
+ goto unset_supplies;
+ }
+
+- dev_set_drvdata(&rdev->dev, rdev);
+ rdev_init_debugfs(rdev);
+
+ /* try to resolve regulators supply since a new one was registered */
diff --git a/queue-4.9/serial-cpm_uart-return-immediately-from-console-poll.patch b/queue-4.9/serial-cpm_uart-return-immediately-from-console-poll.patch
new file mode 100644
index 00000000000..00c7cc229b5
--- /dev/null
+++ b/queue-4.9/serial-cpm_uart-return-immediately-from-console-poll.patch
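Review bot: Nothing at the moved `dev_set_drvdata()` call in `regulator_register()` records that it has to stay ahead of `device_register()`, so a later tidy-up could move it back and reintroduce the NULL `dev_get_drvdata()` seen by sysfs readers. A one-line comment above the call would pin the ordering: `/* must precede device_register(): sysfs attributes are reachable from userspace as soon as the device is registered */`. The function starts and ends outside the hunk.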
@@ -0,0 +1,48 @@
+From be28c1e3ca29887e207f0cbcd294cefe5074bab6 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Fri, 14 Sep 2018 10:32:50 +0000
+Subject: serial: cpm_uart: return immediately from console poll
+
+From: Christophe Leroy
+
+commit be28c1e3ca29887e207f0cbcd294cefe5074bab6 upstream.
+
+kgdb expects poll function to return immediately and
+returning NO_POLL_CHAR when no character is available.
+
+Fixes: f5316b4aea024 ("kgdb,8250,pl011: Return immediately from console poll")
+Cc: Jason Wessel
+Cc:
+Signed-off-by: Christophe Leroy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/cpm_uart/cpm_uart_core.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
++++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+@@ -1068,8 +1068,8 @@ static int poll_wait_key(char *obuf, str
+ /* Get the address of the host memory buffer.
+ */
+ bdp = pinfo->rx_cur;
+- while (bdp->cbd_sc & BD_SC_EMPTY)
+- ;
++ if (bdp->cbd_sc & BD_SC_EMPTY)
++ return NO_POLL_CHAR;
+
+ /* If the buffer address is in the CPM DPRAM, don't
+ * convert it.
+@@ -1104,7 +1104,11 @@ static int cpm_get_poll_char(struct uart
+ poll_chars = 0;
+ }
+ if (poll_chars <= 0) {
+- poll_chars = poll_wait_key(poll_buf, pinfo);
++ int ret = poll_wait_key(poll_buf, pinfo);
++
++ if (ret == NO_POLL_CHAR)
++ return ret;
++ poll_chars = ret;
+ pollp = poll_buf;
+ }
+ poll_chars--;
diff --git a/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch b/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch
new file mode 100644
index 00000000000..9b04984c328
--- /dev/null
+++ b/queue-4.9/serial-imx-restore-handshaking-irq-for-imx1.patch
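Review bot: `poll_wait_key()` now returns either a character count or the in-band sentinel `NO_POLL_CHAR` through the same `int`, and nothing at the function documents the two forms. `cpm_get_poll_char()` tells them apart with `ret == NO_POLL_CHAR`, which holds only while a real count can never equal the sentinel; the code that computes the count is outside the hunk. A comment at the early return, for example `/* nothing received yet: kgdb polls, so report NO_POLL_CHAR instead of spinning */`, together with a sentence in the function's header comment about the two return forms, would make the contract explicit.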
@@ -0,0 +1,42 @@
+From 7e620984b62532783912312e334f3c48cdacbd5d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?=
+Date: Thu, 20 Sep 2018 14:11:17 +0200
+Subject: serial: imx: restore handshaking irq for imx1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+commit 7e620984b62532783912312e334f3c48cdacbd5d upstream.
+
+Back in 2015 when irda was dropped from the driver imx1 was broken. This
+change reintroduces the support for the third interrupt of the UART.
+
+Fixes: afe9cbb1a6ad ("serial: imx: drop support for IRDA")
+Cc: stable
+Signed-off-by: Uwe Kleine-König
+Reviewed-by: Leonard Crestez
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/imx.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2197,6 +2197,14 @@ static int serial_imx_probe(struct platf
+ ret);
+ return ret;
+ }
++
++ ret = devm_request_irq(&pdev->dev, rtsirq, imx_uart_rtsint, 0,
++ dev_name(&pdev->dev), sport);
++ if (ret) {
++ dev_err(&pdev->dev, "failed to request rts irq: %d\n",
++ ret);
++ return ret;
++ }
+ } else {
+ ret = devm_request_irq(&pdev->dev, rxirq, imx_int, 0,
+ dev_name(&pdev->dev), sport);
diff --git a/queue-4.9/series b/queue-4.9/series
index c3bc668cc12..70f06c2deb5 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
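Review bot: The new `devm_request_irq()` on `rtsirq` in `serial_imx_probe()` makes a missing or invalid third interrupt fatal to probe for every device that takes this branch, and the hunk does not show `rtsirq` being validated first. Where `rtsirq` is obtained is outside the hunk; if it comes straight from a platform IRQ lookup, an error value would be passed to `devm_request_irq()` and the log would only say "failed to request rts irq". If that is the case, a guard before the request such as `if (rtsirq < 0) return rtsirq;` would report the real cause. The function starts and ends outside the hunk.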
@@ -53,3 +53,15 @@ gpio-fix-wrong-rounding-in-gpio-menz127.patch
 nfsd-fix-corrupted-reply-to-badly-ordered-compound.patch
 edac-fix-memleak-in-module-init-error-path.patch
 arm-dts-dra7-fix-dcan-node-addresses.patch
+floppy-do-not-copy-a-kernel-pointer-to-user-memory-in-fdgetprm-ioctl.patch
+tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch
+serial-imx-restore-handshaking-irq-for-imx1.patch
+serial-cpm_uart-return-immediately-from-console-poll.patch
+spi-tegra20-slink-explicitly-enable-disable-clock.patch
+spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
+spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
+spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
+spi-rspi-fix-interrupted-dma-transfers.patch
+regulator-fix-crash-caused-by-null-driver-data.patch
+usb-fix-error-handling-in-usb_driver_claim_interface.patch
+usb-handle-null-config-in-usb_find_alt_setting.patch
diff --git a/queue-4.9/spi-rspi-fix-interrupted-dma-transfers.patch b/queue-4.9/spi-rspi-fix-interrupted-dma-transfers.patch
new file mode 100644
index 00000000000..ac4ba489792
--- /dev/null
+++ b/queue-4.9/spi-rspi-fix-interrupted-dma-transfers.patch
@@ -0,0 +1,58 @@
+From 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 5 Sep 2018 10:49:39 +0200
+Subject: spi: rspi: Fix interrupted DMA transfers
+
+From: Geert Uytterhoeven
+
+commit 8dbbaa47b96f6ea5f09f922b4effff3c505cd8cf upstream.
+
+When interrupted, wait_event_interruptible_timeout() returns
+-ERESTARTSYS, and the SPI transfer in progress will fail, as expected:
+
+ m25p80 spi0.0: SPI transfer failed: -512
+ spi_master spi0: failed to transfer one message from queue
+
+However, as the underlying DMA transfers may not have completed, all
+subsequent SPI transfers may start to fail:
+
+ spi_master spi0: receive timeout
+ qspi_transfer_out_in() returned -110
+ m25p80 spi0.0: SPI transfer failed: -110
+ spi_master spi0: failed to transfer one message from queue
+
+Fix this by calling dmaengine_terminate_all() not only for timeouts, but
+also for errors.
+
+This can be reproduced on r8a7991/koelsch, using "hd /dev/mtd0" followed
+by CTRL-C.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rspi.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -597,11 +597,13 @@ static int rspi_dma_transfer(struct rspi
+
+ ret = wait_event_interruptible_timeout(rspi->wait,
+ rspi->dma_callbacked, HZ);
+- if (ret > 0 && rspi->dma_callbacked)
++ if (ret > 0 && rspi->dma_callbacked) {
+ ret = 0;
+- else if (!ret) {
+- dev_err(&rspi->master->dev, "DMA timeout\n");
+- ret = -ETIMEDOUT;
++ } else {
++ if (!ret) {
++ dev_err(&rspi->master->dev, "DMA timeout\n");
++ ret = -ETIMEDOUT;
++ }
+ if (tx)
+ dmaengine_terminate_all(rspi->master->dma_tx);
+ if (rx)
diff --git a/queue-4.9/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.9/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
new file mode 100644
index 00000000000..1526600e6ab
--- /dev/null
+++ b/queue-4.9/spi-rspi-fix-invalid-spi-use-during-system-suspend.patch
@@ -0,0 +1,67 @@
+From c1ca59c22c56930b377a665fdd1b43351887830b Mon Sep 17 00:00:00 2001
+From: Geert Uytterhoeven
+Date: Wed, 5 Sep 2018 10:49:38 +0200
+Subject: spi: rspi: Fix invalid SPI use during system suspend
+
+From: Geert Uytterhoeven
+
+commit c1ca59c22c56930b377a665fdd1b43351887830b upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume,
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Based on a patch for sh-msiof by Gaku Inami.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-rspi.c | 24 ++++++++++++++++++++++++
+ 1 file changed, 24 insertions(+)
+
+--- a/drivers/spi/spi-rspi.c
++++ b/drivers/spi/spi-rspi.c
+@@ -1313,12 +1313,36 @@ static const struct platform_device_id s
+
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int rspi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(rspi->master);
++}
++
++static int rspi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct rspi_data *rspi = platform_get_drvdata(pdev);
++
++ return spi_master_resume(rspi->master);
++}
++
++static SIMPLE_DEV_PM_OPS(rspi_pm_ops, rspi_suspend, rspi_resume);
++#define DEV_PM_OPS &rspi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver rspi_driver = {
+ .probe = rspi_probe,
+ .remove = rspi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "renesas_spi",
+ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(rspi_of_match),
+ },
+ };
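Review bot: `rspi_suspend()` and `rspi_resume()` convert `dev` to a platform device only to read the driver data back out of it, and `DEV_PM_OPS` expands to an unparenthesized `&rspi_pm_ops`. Both are style points: `struct rspi_data *rspi = dev_get_drvdata(dev);` reads the same pointer in one step, and `#define DEV_PM_OPS (&rspi_pm_ops)` keeps the macro safe in any expression context. The same pattern appears in `sh_msiof_spi_suspend()`, `sh_msiof_spi_resume()` and the `DEV_PM_OPS` define in the sh-msiof suspend patch added by this commit. Neither callback documents that `rspi->master` is assumed valid once probe has set the driver data; a short comment saying so would help.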
diff --git a/queue-4.9/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch b/queue-4.9/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
new file mode 100644
index 00000000000..ee03459b4a1
--- /dev/null
+++ b/queue-4.9/spi-sh-msiof-fix-handling-of-write-value-for-sistr-register.patch
@@ -0,0 +1,38 @@
+From 31a5fae4c5a009898da6d177901d5328051641ff Mon Sep 17 00:00:00 2001
+From: Hiromitsu Yamasaki
+Date: Wed, 5 Sep 2018 10:49:37 +0200
+Subject: spi: sh-msiof: Fix handling of write value for SISTR register
+
+From: Hiromitsu Yamasaki
+
+commit 31a5fae4c5a009898da6d177901d5328051641ff upstream.
+
+This patch changes writing to the SISTR register according to the H/W
+user's manual.
+
+The TDREQ bit and RDREQ bits of SISTR are read-only, and must be written
+their initial values of zero.
+
+Signed-off-by: Hiromitsu Yamasaki
+[geert: reword]
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh-msiof.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -373,7 +373,8 @@ static void sh_msiof_spi_set_mode_regs(s
+
+ static void sh_msiof_reset_str(struct sh_msiof_spi_priv *p)
+ {
+- sh_msiof_write(p, STR, sh_msiof_read(p, STR));
++ sh_msiof_write(p, STR,
++ sh_msiof_read(p, STR) & ~(STR_TDREQ | STR_RDREQ));
+ }
+
+ static void sh_msiof_spi_write_fifo_8(struct sh_msiof_spi_priv *p,
diff --git a/queue-4.9/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch b/queue-4.9/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
new file mode 100644
index 00000000000..952c09d5a9e
--- /dev/null
+++ b/queue-4.9/spi-sh-msiof-fix-invalid-spi-use-during-system-suspend.patch
@@ -0,0 +1,69 @@
+From ffa69d6a16f686efe45269342474e421f2aa58b2 Mon Sep 17 00:00:00 2001
+From: Gaku Inami
+Date: Wed, 5 Sep 2018 10:49:36 +0200
+Subject: spi: sh-msiof: Fix invalid SPI use during system suspend
+
+From: Gaku Inami
+
+commit ffa69d6a16f686efe45269342474e421f2aa58b2 upstream.
+
+If the SPI queue is running during system suspend, the system may lock
+up.
+
+Fix this by stopping/restarting the queue during system suspend/resume
+by calling spi_master_suspend()/spi_master_resume() from the PM
+callbacks. In-kernel users will receive an -ESHUTDOWN error while
+system suspend/resume is in progress.
+
+Signed-off-by: Gaku Inami
+Signed-off-by: Hiromitsu Yamasaki
+[geert: Cleanup, reword]
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-sh-msiof.c | 25 +++++++++++++++++++++++++
+ 1 file changed, 25 insertions(+)
+
+--- a/drivers/spi/spi-sh-msiof.c
++++ b/drivers/spi/spi-sh-msiof.c
+@@ -1275,12 +1275,37 @@ static const struct platform_device_id s
+ };
+ MODULE_DEVICE_TABLE(platform, spi_driver_ids);
+
++#ifdef CONFIG_PM_SLEEP
++static int sh_msiof_spi_suspend(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_suspend(p->master);
++}
++
++static int sh_msiof_spi_resume(struct device *dev)
++{
++ struct platform_device *pdev = to_platform_device(dev);
++ struct sh_msiof_spi_priv *p = platform_get_drvdata(pdev);
++
++ return spi_master_resume(p->master);
++}
++
++static SIMPLE_DEV_PM_OPS(sh_msiof_spi_pm_ops, sh_msiof_spi_suspend,
++ sh_msiof_spi_resume);
++#define DEV_PM_OPS &sh_msiof_spi_pm_ops
++#else
++#define DEV_PM_OPS NULL
++#endif /* CONFIG_PM_SLEEP */
++
+ static struct platform_driver sh_msiof_spi_drv = {
+ .probe = sh_msiof_spi_probe,
+ .remove = sh_msiof_spi_remove,
+ .id_table = spi_driver_ids,
+ .driver = {
+ .name = "spi_sh_msiof",
++ .pm = DEV_PM_OPS,
+ .of_match_table = of_match_ptr(sh_msiof_match),
+ },
+ };
diff --git a/queue-4.9/spi-tegra20-slink-explicitly-enable-disable-clock.patch b/queue-4.9/spi-tegra20-slink-explicitly-enable-disable-clock.patch
new file mode 100644
index 00000000000..d1773786fc3
--- /dev/null
+++ b/queue-4.9/spi-tegra20-slink-explicitly-enable-disable-clock.patch
@@ -0,0 +1,84 @@
+From 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 Mon Sep 17 00:00:00 2001
+From: Marcel Ziswiler
+Date: Wed, 29 Aug 2018 08:47:57 +0200
+Subject: spi: tegra20-slink: explicitly enable/disable clock
+
+From: Marcel Ziswiler
+
+commit 7001cab1dabc0b72b2b672ef58a90ab64f5e2343 upstream.
+
+Depending on the SPI instance one may get an interrupt storm upon
+requesting resp. interrupt unless the clock is explicitly enabled
+beforehand. This has been observed trying to bring up instance 4 on
+T20.
+
+Signed-off-by: Marcel Ziswiler
+Signed-off-by: Mark Brown
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-tegra20-slink.c | 31 +++++++++++++++++++++++--------
+ 1 file changed, 23 insertions(+), 8 deletions(-)
+
+--- a/drivers/spi/spi-tegra20-slink.c
++++ b/drivers/spi/spi-tegra20-slink.c
+@@ -1063,6 +1063,24 @@ static int tegra_slink_probe(struct plat
+ goto exit_free_master;
+ }
+
++ /* disabled clock may cause interrupt storm upon request */
++ tspi->clk = devm_clk_get(&pdev->dev, NULL);
++ if (IS_ERR(tspi->clk)) {
++ ret = PTR_ERR(tspi->clk);
++ dev_err(&pdev->dev, "Can not get clock %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_prepare(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock prepare failed %d\n", ret);
++ goto exit_free_master;
++ }
++ ret = clk_enable(tspi->clk);
++ if (ret < 0) {
++ dev_err(&pdev->dev, "Clock enable failed %d\n", ret);
++ goto exit_free_master;
++ }
++
+ spi_irq = platform_get_irq(pdev, 0);
+ tspi->irq = spi_irq;
+ ret = request_threaded_irq(tspi->irq, tegra_slink_isr,
+@@ -1071,14 +1089,7 @@ static int tegra_slink_probe(struct plat
+ if (ret < 0) {
+ dev_err(&pdev->dev, "Failed to register ISR for IRQ %d\n",
+ tspi->irq);
+- goto exit_free_master;
+- }
+-
+- tspi->clk = devm_clk_get(&pdev->dev, NULL);
+- if (IS_ERR(tspi->clk)) {
+- dev_err(&pdev->dev, "can not get clock\n");
+- ret = PTR_ERR(tspi->clk);
+- goto exit_free_irq;
++ goto exit_clk_disable;
+ }
+
tspi->rst = devm_reset_control_get(&pdev->dev, "spi");
+@@ -1138,6 +1149,8 @@ exit_rx_dma_free:
+ tegra_slink_deinit_dma_param(tspi, true);
+ exit_free_irq:
+ free_irq(spi_irq, tspi);
++exit_clk_disable:
++ clk_disable(tspi->clk);
+ exit_free_master:
+ spi_master_put(master);
+ return ret;
+@@ -1150,6 +1163,8 @@ static int tegra_slink_remove(struct pla
+
+ free_irq(tspi->irq, tspi);
+
++ clk_disable(tspi->clk);
++
+ if (tspi->tx_dma_chan)
+ tegra_slink_deinit_dma_param(tspi, false);
+
diff --git a/queue-4.9/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch b/queue-4.9/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch
new file mode 100644
index 00000000000..c7234952569
--- /dev/null
+++ b/queue-4.9/tty-serial-lpuart-avoid-leaking-struct-tty_struct.patch
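Review bot: The error paths added to `tegra_slink_probe()` never undo `clk_prepare()`: a failing `clk_enable()` jumps to `exit_free_master` with the clock still prepared, and both the new `exit_clk_disable` label and the `tegra_slink_remove()` hunk call only `clk_disable()`. Unless the clock is unprepared somewhere outside these hunks, every failed probe and every unbind leaves the prepare count unbalanced. The paired helpers would close this: `ret = clk_prepare_enable(tspi->clk);` in probe, and `clk_disable_unprepare(tspi->clk);` at `exit_clk_disable` and in remove. Both functions start and end outside the hunks shown.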
@@ -0,0 +1,39 @@
+From 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 Mon Sep 17 00:00:00 2001
+From: Stefan Agner
+Date: Tue, 28 Aug 2018 12:44:24 +0200
+Subject: tty: serial: lpuart: avoid leaking struct tty_struct
+
+From: Stefan Agner
+
+commit 3216c622a24b0ebb9c159a8d1daf7f17a106b3f5 upstream.
+
+The function tty_port_tty_get() gets a reference to the tty. Since
+the code is not using tty_port_tty_set(), the reference is kept
+even after closing the tty.
+
+Avoid using tty_port_tty_get() by directly access the tty instance.
+Since lpuart_start_rx_dma() is called from the .startup() and
+.set_termios() callback, it is safe to assume the tty instance is
+valid.
+
+Cc: stable@vger.kernel.org # v4.9+
+Fixes: 5887ad43ee02 ("tty: serial: fsl_lpuart: Use cyclic DMA for Rx")
+Signed-off-by: Stefan Agner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/fsl_lpuart.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -833,7 +833,8 @@ static inline int lpuart_start_rx_dma(st
+ struct circ_buf *ring = &sport->rx_ring;
+ int ret, nent;
+ int bits, baud;
+- struct tty_struct *tty = tty_port_tty_get(&sport->port.state->port);
++ struct tty_port *port = &sport->port.state->port;
++ struct tty_struct *tty = port->tty;
+ struct ktermios *termios = &tty->termios;
+
+ baud = tty_get_baud_rate(tty);
diff --git a/queue-4.9/usb-fix-error-handling-in-usb_driver_claim_interface.patch b/queue-4.9/usb-fix-error-handling-in-usb_driver_claim_interface.patch
new file mode 100644
index 00000000000..3856f7ef0c0
--- /dev/null
+++ b/queue-4.9/usb-fix-error-handling-in-usb_driver_claim_interface.patch
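Review bot: `tty->termios` is now read through `port->tty` in `lpuart_start_rx_dma()` with no reference held and no NULL check, so the declaration right after the change dereferences whatever the port points at when the function runs. The description argues this is safe because the function is only reached from `.startup()` and `.set_termios()`; that caller contract is not visible in the hunk and nothing in the code records it. I would add a comment above the declaration, e.g. `/* only called from .startup()/.set_termios(), where port->tty is valid; no tty reference is taken here */`, so a future caller from another context is not added silently. The function body continues outside the hunk.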
@@ -0,0 +1,58 @@
+From bd729f9d67aa9a303d8925bb8c4f06af25f407d1 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 13:59:59 -0400
+Subject: USB: fix error handling in usb_driver_claim_interface()
+
+From: Alan Stern
+
+commit bd729f9d67aa9a303d8925bb8c4f06af25f407d1 upstream.
+
+The syzbot fuzzing project found a use-after-free bug in the USB
+core. The bug was caused by usbfs not unbinding from an interface
+when the USB device file was closed, which led another process to
+attempt the unbind later on, after the private data structure had been
+deallocated.
+
+The reason usbfs did not unbind the interface at the appropriate time
+was because it thought the interface had never been claimed in the
+first place. This was caused by the fact that
+usb_driver_claim_interface() does not clean up properly when
+device_bind_driver() returns an error. Although the error code gets
+passed back to the caller, the iface->dev.driver pointer remains set
+and iface->condition remains equal to USB_INTERFACE_BOUND.
+
+This patch adds proper error handling to usb_driver_claim_interface().
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+f84aa7209ccec829536f@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/driver.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/usb/core/driver.c
++++ b/drivers/usb/core/driver.c
+@@ -562,6 +562,21 @@ int usb_driver_claim_interface(struct us
+ if (!lpm_disable_error)
+ usb_unlocked_enable_lpm(udev);
+
++ if (retval) {
++ dev->driver = NULL;
++ usb_set_intfdata(iface, NULL);
++ iface->needs_remote_wakeup = 0;
++ iface->condition = USB_INTERFACE_UNBOUND;
++
++ /*
++ * Unbound interfaces are always runtime-PM-disabled
++ * and runtime-PM-suspended
++ */
++ if (driver->supports_autosuspend)
++ pm_runtime_disable(dev);
++ pm_runtime_set_suspended(dev);
++ }
++
+ return retval;
+ }
+ EXPORT_SYMBOL_GPL(usb_driver_claim_interface);
diff --git a/queue-4.9/usb-handle-null-config-in-usb_find_alt_setting.patch b/queue-4.9/usb-handle-null-config-in-usb_find_alt_setting.patch
new file mode 100644
index 00000000000..920bf8baebc
--- /dev/null
+++ b/queue-4.9/usb-handle-null-config-in-usb_find_alt_setting.patch
@@ -0,0 +1,38 @@
+From c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 10 Sep 2018 14:00:53 -0400
+Subject: USB: handle NULL config in usb_find_alt_setting()
+
+From: Alan Stern
+
+commit c9a4cb204e9eb7fa7dfbe3f7d3a674fa530aa193 upstream.
+
+usb_find_alt_setting() takes a pointer to a struct usb_host_config as
+an argument; it searches for an interface with specified interface and
+alternate setting numbers in that config. However, it crashes if the
+usb_host_config pointer argument is NULL.
+
+Since this is a general-purpose routine, available for use in many
+places, we want to to be more robust. This patch makes it return NULL
+whenever the config argument is NULL.
+
+Signed-off-by: Alan Stern
+Reported-by: syzbot+19c3aaef85a89d451eac@syzkaller.appspotmail.com
+CC:
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/usb.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/core/usb.c
++++ b/drivers/usb/core/usb.c
+@@ -91,6 +91,8 @@ struct usb_host_interface *usb_find_alt_
+ struct usb_interface_cache *intf_cache = NULL;
+ int i;
+
++ if (!config)
++ return NULL;
+ for (i = 0; i < config->desc.bNumInterfaces; i++) {
+ if (config->intf_cache[i]->altsetting[0].desc.bInterfaceNumber
+ == iface_num) {
-- 2.47.2