From 3bb1dd1d34e4769d6ac2cc2adf2868e13324af98 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 30 Apr 2014 17:20:28 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
	mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
	mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
	mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
	staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
	w1-fix-w1_send_slave-dropping-a-slave-id.patch
---
 ...r-dereference-on-i2c_new_dummy-error.patch | 49 ++++++++++++
 ...r-dereference-on-i2c_new_dummy-error.patch | 67 ++++++++++++++++
 ...r-dereference-on-i2c_new_dummy-error.patch | 39 ++++++++++
 queue-3.4/series                              |  5 ++
 ...estricted-__le16-degrades-to-integer.patch | 30 ++++++++
 ...ix-w1_send_slave-dropping-a-slave-id.patch | 77 +++++++++++++++++++
 6 files changed, 267 insertions(+)
 create mode 100644 queue-3.4/mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
 create mode 100644 queue-3.4/mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
 create mode 100644 queue-3.4/mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
 create mode 100644 queue-3.4/staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
 create mode 100644 queue-3.4/w1-fix-w1_send_slave-dropping-a-slave-id.patch

diff --git a/queue-3.4/mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch b/queue-3.4/mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
new file mode 100644
index 00000000000..fc75f25194c
--- /dev/null
+++ b/queue-3.4/mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
@@ -0,0 +1,49 @@
+From 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:33 +0100
+Subject: mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 96cf3dedc491d2f1f66cc26217f2b06b0c7b6797 upstream.
+
+During probe the driver allocates dummy I2C devices for RTC and ADC
+with i2c_new_dummy() but it does not check the return value of this
+calls.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC or ADC devices, fail also the probe
+for main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8925-i2c.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/mfd/max8925-i2c.c
++++ b/drivers/mfd/max8925-i2c.c
+@@ -156,9 +156,18 @@ static int __devinit max8925_probe(struc
+ 	mutex_init(&chip->io_lock);
+ 
+ 	chip->rtc = i2c_new_dummy(chip->i2c->adapter, RTC_I2C_ADDR);
++	if (!chip->rtc) {
++		dev_err(chip->dev, "Failed to allocate I2C device for RTC\n");
++		return -ENODEV;
++	}
+ 	i2c_set_clientdata(chip->rtc, chip);
+ 
+ 	chip->adc = i2c_new_dummy(chip->i2c->adapter, ADC_I2C_ADDR);
++	if (!chip->adc) {
++		dev_err(chip->dev, "Failed to allocate I2C device for ADC\n");
++		i2c_unregister_device(chip->rtc);
++		return -ENODEV;
++	}
+ 	i2c_set_clientdata(chip->adc, chip);
+ 
+ 	device_init_wakeup(&client->dev, 1);
diff --git a/queue-3.4/mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch b/queue-3.4/mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
new file mode 100644
index 00000000000..9c1af5097f6
--- /dev/null
+++ b/queue-3.4/mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
@@ -0,0 +1,67 @@
+From 97dc4ed3fa377ec91bb60ba98b70d645c2099384 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:34 +0100
+Subject: mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit 97dc4ed3fa377ec91bb60ba98b70d645c2099384 upstream.
+
+During probe the driver allocates dummy I2C devices for RTC, haptic and
+MUIC with i2c_new_dummy() but it does not check the return value of this
+calls.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC, haptic or MUIC devices, fail also the
+probe for main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8997.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/mfd/max8997.c
++++ b/drivers/mfd/max8997.c
+@@ -149,10 +149,26 @@ static int max8997_i2c_probe(struct i2c_
+ 	mutex_init(&max8997->iolock);
+ 
+ 	max8997->rtc = i2c_new_dummy(i2c->adapter, I2C_ADDR_RTC);
++	if (!max8997->rtc) {
++		dev_err(max8997->dev, "Failed to allocate I2C device for RTC\n");
++		return -ENODEV;
++	}
+ 	i2c_set_clientdata(max8997->rtc, max8997);
++
+ 	max8997->haptic = i2c_new_dummy(i2c->adapter, I2C_ADDR_HAPTIC);
++	if (!max8997->haptic) {
++		dev_err(max8997->dev, "Failed to allocate I2C device for Haptic\n");
++		ret = -ENODEV;
++		goto err_i2c_haptic;
++	}
+ 	i2c_set_clientdata(max8997->haptic, max8997);
++
+ 	max8997->muic = i2c_new_dummy(i2c->adapter, I2C_ADDR_MUIC);
++	if (!max8997->muic) {
++		dev_err(max8997->dev, "Failed to allocate I2C device for MUIC\n");
++		ret = -ENODEV;
++		goto err_i2c_muic;
++	}
+ 	i2c_set_clientdata(max8997->muic, max8997);
+ 
+ 	pm_runtime_set_active(max8997->dev);
+@@ -179,7 +195,9 @@ static int max8997_i2c_probe(struct i2c_
+ err_mfd:
+ 	mfd_remove_devices(max8997->dev);
+ 	i2c_unregister_device(max8997->muic);
++err_i2c_muic:
+ 	i2c_unregister_device(max8997->haptic);
++err_i2c_haptic:
+ 	i2c_unregister_device(max8997->rtc);
+ err:
+ 	kfree(max8997);
diff --git a/queue-3.4/mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch b/queue-3.4/mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
new file mode 100644
index 00000000000..e03cca2c357
--- /dev/null
+++ b/queue-3.4/mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
@@ -0,0 +1,39 @@
+From ed26f87b9f71693a1d1ee85f5e6209601505080f Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Date: Tue, 11 Feb 2014 11:03:35 +0100
+Subject: mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy error
+
+From: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+
+commit ed26f87b9f71693a1d1ee85f5e6209601505080f upstream.
+
+During probe the driver allocates dummy I2C device for RTC with i2c_new_dummy() but it does not check the return value of this call.
+
+In case of error (i2c_new_device(): memory allocation failure or I2C
+address cannot be used) this function returns NULL which is later used
+by i2c_unregister_device().
+
+If i2c_new_dummy() fails for RTC device, fail also the probe for
+main MFD driver.
+
+Signed-off-by: Krzysztof Kozlowski <k.kozlowski@samsung.com>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/mfd/max8998.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/mfd/max8998.c
++++ b/drivers/mfd/max8998.c
+@@ -152,6 +152,10 @@ static int max8998_i2c_probe(struct i2c_
+ 	mutex_init(&max8998->iolock);
+ 
+ 	max8998->rtc = i2c_new_dummy(i2c->adapter, RTC_I2C_ADDR);
++	if (!max8998->rtc) {
++		dev_err(&i2c->dev, "Failed to allocate I2C device for RTC\n");
++		return -ENODEV;
++	}
+ 	i2c_set_clientdata(max8998->rtc, max8998);
+ 
+ 	max8998_irq_init(max8998);
diff --git a/queue-3.4/series b/queue-3.4/series
index d7bda30f7dd..09098e7c377 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -6,3 +6,8 @@ arm-8030-1-arm-kdump-add-arch_crash_save_vmcoreinfo.patch
 arm-pxa-hx4700.h-include-irqs.h-for-pxa_nr_builtin_gpio.patch
 alsa-hda-enable-beep-for-asus-1015e.patch
 alsa-ice1712-fix-boundary-checks-in-pcm-pointer-ops.patch
+mfd-max8925-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+mfd-max8998-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
+w1-fix-w1_send_slave-dropping-a-slave-id.patch
+staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
diff --git a/queue-3.4/staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch b/queue-3.4/staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
new file mode 100644
index 00000000000..42c715969b6
--- /dev/null
+++ b/queue-3.4/staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
@@ -0,0 +1,30 @@
+From abe5d64d1a74195a44cd14624f8178b9f48b7cc7 Mon Sep 17 00:00:00 2001
+From: Himangi Saraogi <himangi774@gmail.com>
+Date: Wed, 5 Mar 2014 04:59:57 +0530
+Subject: staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to integer
+
+From: Himangi Saraogi <himangi774@gmail.com>
+
+commit abe5d64d1a74195a44cd14624f8178b9f48b7cc7 upstream.
+
+This patch fixes the following sparse warning :
+drivers/staging/serqt_usb2/serqt_usb2.c:727:40: warning: restricted __le16 degrades to integer
+
+Signed-off-by: Himangi Saraogi <himangi774@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/serqt_usb2/serqt_usb2.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/serqt_usb2/serqt_usb2.c
++++ b/drivers/staging/serqt_usb2/serqt_usb2.c
+@@ -771,7 +771,7 @@ static int qt_startup(struct usb_serial
+ 		goto startup_error;
+ 	}
+ 
+-	switch (serial->dev->descriptor.idProduct) {
++	switch (le16_to_cpu(serial->dev->descriptor.idProduct)) {
+ 	case QUATECH_DSU100:
+ 	case QUATECH_QSU100:
+ 	case QUATECH_ESU100A:
diff --git a/queue-3.4/w1-fix-w1_send_slave-dropping-a-slave-id.patch b/queue-3.4/w1-fix-w1_send_slave-dropping-a-slave-id.patch
new file mode 100644
index 00000000000..8bfb5351839
--- /dev/null
+++ b/queue-3.4/w1-fix-w1_send_slave-dropping-a-slave-id.patch
@@ -0,0 +1,77 @@
+From 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 Mon Sep 17 00:00:00 2001
+From: David Fries <David@Fries.net>
+Date: Wed, 15 Jan 2014 22:29:12 -0600
+Subject: w1: fix w1_send_slave dropping a slave id
+
+From: David Fries <David@Fries.net>
+
+commit 6b355b33a64fd6d8ead2b838ec16fb9b551f71e8 upstream.
+
+Previous logic,
+if (avail > 8) {
+	store slave;
+	return;
+}
+send data; clear;
+
+The logic error is, if there isn't space send the buffer and clear,
+but the slave wasn't added to the now empty buffer loosing that slave
+id.  It also should have been "if (avail >= 8)" because when it is 8,
+there is space.
+
+Instead, if there isn't space send and clear the buffer, then there is
+always space for the slave id.
+
+Signed-off-by: David Fries <David@Fries.net>
+Acked-by: Evgeniy Polyakov <zbr@ioremap.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/w1/w1_netlink.c |   27 ++++++++++++++-------------
+ 1 file changed, 14 insertions(+), 13 deletions(-)
+
+--- a/drivers/w1/w1_netlink.c
++++ b/drivers/w1/w1_netlink.c
+@@ -54,28 +54,29 @@ static void w1_send_slave(struct w1_mast
+ 	struct w1_netlink_msg *hdr = (struct w1_netlink_msg *)(msg + 1);
+ 	struct w1_netlink_cmd *cmd = (struct w1_netlink_cmd *)(hdr + 1);
+ 	int avail;
++	u64 *data;
+ 
+ 	/* update kernel slave list */
+ 	w1_slave_found(dev, rn);
+ 
+ 	avail = dev->priv_size - cmd->len;
+ 
+-	if (avail > 8) {
+-		u64 *data = (void *)(cmd + 1) + cmd->len;
+-
+-		*data = rn;
+-		cmd->len += 8;
+-		hdr->len += 8;
+-		msg->len += 8;
+-		return;
++	if (avail < 8) {
++		msg->ack++;
++		cn_netlink_send(msg, 0, GFP_KERNEL);
++
++		msg->len = sizeof(struct w1_netlink_msg) +
++			sizeof(struct w1_netlink_cmd);
++		hdr->len = sizeof(struct w1_netlink_cmd);
++		cmd->len = 0;
+ 	}
+ 
+-	msg->ack++;
+-	cn_netlink_send(msg, 0, GFP_KERNEL);
++	data = (void *)(cmd + 1) + cmd->len;
+ 
+-	msg->len = sizeof(struct w1_netlink_msg) + sizeof(struct w1_netlink_cmd);
+-	hdr->len = sizeof(struct w1_netlink_cmd);
+-	cmd->len = 0;
++	*data = rn;
++	cmd->len += 8;
++	hdr->len += 8;
++	msg->len += 8;
+ }
+ 
+ static int w1_process_search_command(struct w1_master *dev, struct cn_msg *msg,
-- 
2.47.3