From 85416080a6d5b00bf79da05df55b3ad4f6fe52d5 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman
Date: Thu, 23 Feb 2017 21:56:03 +0100
Subject: [PATCH] 4.10-stable patches
added patches:
goldfish-sanitize-the-broken-interrupt-handler.patch
tty-serial-msm-fix-module-autoload.patch
usb-serial-ark3116-fix-register-accessor-error-handling.patch
usb-serial-console-fix-uninitialised-spinlock.patch
usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
usb-serial-mos7840-fix-another-null-deref-at-open.patch
usb-serial-opticon-fix-cts-retrieval-at-open.patch
usb-serial-spcp8x5-fix-modem-status-handling.patch
x86-platform-goldfish-prevent-unconditional-loading.patch
---
 ...anitize-the-broken-interrupt-handler.patch | 66 ++++++++++++++++
 queue-4.10/series | 13 +++
 .../tty-serial-msm-fix-module-autoload.patch | 48 +++++++++++
 ...fix-register-accessor-error-handling.patch | 46 +++++++++++
 ...l-console-fix-uninitialised-spinlock.patch | 38 +++++++++
 ...10x-add-new-ids-for-ge-bx50v3-boards.patch | 31 ++++++++
 ...acceleport-fix-oob-data-sanity-check.patch | 53 +++++++++++++
 ..._sio-fix-extreme-low-latency-setting.patch | 51 ++++++++++++
 ...i_sio-fix-line-status-over-reporting.patch | 75 ++++++++++++++++++
 ..._sio-fix-modem-status-error-handling.patch | 40 ++++++++++
 ...s7840-fix-another-null-deref-at-open.patch | 44 +++++++++++
 ...al-opticon-fix-cts-retrieval-at-open.patch | 36 +++++++++
 ...al-spcp8x5-fix-modem-status-handling.patch | 50 ++++++++++++
 ...ldfish-prevent-unconditional-loading.patch | 79 +++++++++++++++++++
 14 files changed, 670 insertions(+)
 create mode 100644 queue-4.10/goldfish-sanitize-the-broken-interrupt-handler.patch
 create mode 100644 queue-4.10/tty-serial-msm-fix-module-autoload.patch
 create mode 100644 queue-4.10/usb-serial-ark3116-fix-register-accessor-error-handling.patch
 create mode 100644 queue-4.10/usb-serial-console-fix-uninitialised-spinlock.patch
 create mode 100644 queue-4.10/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
 create mode 100644 queue-4.10/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
 create mode 100644 queue-4.10/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
 create mode 100644 queue-4.10/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
 create mode 100644 queue-4.10/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
 create mode 100644 queue-4.10/usb-serial-mos7840-fix-another-null-deref-at-open.patch
 create mode 100644 queue-4.10/usb-serial-opticon-fix-cts-retrieval-at-open.patch
 create mode 100644 queue-4.10/usb-serial-spcp8x5-fix-modem-status-handling.patch
 create mode 100644 queue-4.10/x86-platform-goldfish-prevent-unconditional-loading.patch
diff --git a/queue-4.10/goldfish-sanitize-the-broken-interrupt-handler.patch b/queue-4.10/goldfish-sanitize-the-broken-interrupt-handler.patch
new file mode 100644
index 00000000000..54bd310981a
--- /dev/null
+++ b/queue-4.10/goldfish-sanitize-the-broken-interrupt-handler.patch
@@ -0,0 +1,66 @@
+From 6cf18e6927c0b224f972e3042fb85770d63cb9f8 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Wed, 15 Feb 2017 11:11:51 +0100
+Subject: goldfish: Sanitize the broken interrupt handler
+
+From: Thomas Gleixner
+
+commit 6cf18e6927c0b224f972e3042fb85770d63cb9f8 upstream.
+
+This interrupt handler is broken in several ways:
+
+ - It loops forever when the op code is not decodeable
+
+ - It never returns IRQ_HANDLED because the only way to exit the loop
+ returns IRQ_NONE unconditionally.
+
+The whole concept of this is broken. Creating devices in an interrupt
+handler is beyond any point of sanity.
+
+Make it at least behave halfways sane so accidental users do not have to
+deal with a hard to debug lockup.
+
+Fixes: e809c22b8fb028 ("goldfish: add the goldfish virtual bus")
+Reported-by: Gabriel C
+Signed-off-by: Thomas Gleixner
+Acked-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/goldfish/pdev_bus.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/drivers/platform/goldfish/pdev_bus.c
++++ b/drivers/platform/goldfish/pdev_bus.c
+@@ -157,23 +157,26 @@ static int goldfish_new_pdev(void)
+ static irqreturn_t goldfish_pdev_bus_interrupt(int irq, void *dev_id)
+ {
+ irqreturn_t ret = IRQ_NONE;
++
+ while (1) {
+ u32 op = readl(pdev_bus_base + PDEV_BUS_OP);
+- switch (op) {
+- case PDEV_BUS_OP_DONE:
+- return IRQ_NONE;
+
++ switch (op) {
+ case PDEV_BUS_OP_REMOVE_DEV:
+ goldfish_pdev_remove();
++ ret = IRQ_HANDLED;
+ break;
+
+ case PDEV_BUS_OP_ADD_DEV:
+ goldfish_new_pdev();
++ ret = IRQ_HANDLED;
+ break;
++
++ case PDEV_BUS_OP_DONE:
++ default:
++ return ret;
+ }
+- ret = IRQ_HANDLED;
+ }
+- return ret;
+ }
+
+ static int goldfish_pdev_bus_probe(struct platform_device *pdev)
diff --git a/queue-4.10/series b/queue-4.10/series
index 6e39cb3c4b3..6eafb1597d3 100644
--- a/queue-4.10/series
+++ b/queue-4.10/series
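Review bot: The `while (1)` loop in goldfish_pdev_bus_interrupt still has no iteration bound, so the handler stays in interrupt context for as long as the device keeps returning `PDEV_BUS_OP_ADD_DEV` or `PDEV_BUS_OP_REMOVE_DEV`; the new `default:` arm only ends it for values the switch does not decode. The `ADD_DEV` arm also sets `ret = IRQ_HANDLED` without looking at the `int` that `goldfish_new_pdev()` returns, so a failed device creation is reported as handled and is not logged here. Consider capping the number of ops processed per interrupt and checking that return value, and add a one-line comment on the `default:` arm such as `/* undecodable op: stop polling and report what was handled so far */`.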
@@ -1,3 +1,16 @@
 ptr_ring-fix-race-conditions-when-resizing.patch
 ip-fix-ip_checksum-handling.patch
 net-socket-fix-recvmmsg-not-returning-error-from-sock_error.patch
+tty-serial-msm-fix-module-autoload.patch
+usb-serial-mos7840-fix-another-null-deref-at-open.patch
+usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
+usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
+usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
+usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
+usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
+usb-serial-spcp8x5-fix-modem-status-handling.patch
+usb-serial-opticon-fix-cts-retrieval-at-open.patch
+usb-serial-ark3116-fix-register-accessor-error-handling.patch
+usb-serial-console-fix-uninitialised-spinlock.patch
+x86-platform-goldfish-prevent-unconditional-loading.patch
+goldfish-sanitize-the-broken-interrupt-handler.patch
diff --git a/queue-4.10/tty-serial-msm-fix-module-autoload.patch b/queue-4.10/tty-serial-msm-fix-module-autoload.patch
new file mode 100644
index 00000000000..00f83346a94
--- /dev/null
+++ b/queue-4.10/tty-serial-msm-fix-module-autoload.patch
@@ -0,0 +1,48 @@
+From abe81f3b8ed2996e1712d26d38ff6b73f582c616 Mon Sep 17 00:00:00 2001
+From: Javier Martinez Canillas
+Date: Mon, 2 Jan 2017 11:57:20 -0300
+Subject: tty: serial: msm: Fix module autoload
+
+From: Javier Martinez Canillas
+
+commit abe81f3b8ed2996e1712d26d38ff6b73f582c616 upstream.
+
+If the driver is built as a module, autoload won't work because the module
+alias information is not filled. So user-space can't match the registered
+device with the corresponding module.
+
+Export the module alias information using the MODULE_DEVICE_TABLE() macro.
+
+Before this patch:
+
+$ modinfo drivers/tty/serial/msm_serial.ko | grep alias
+$
+
+After this patch:
+
+$ modinfo drivers/tty/serial/msm_serial.ko | grep alias
+alias: of:N*T*Cqcom,msm-uartdmC*
+alias: of:N*T*Cqcom,msm-uartdm
+alias: of:N*T*Cqcom,msm-uartC*
+alias: of:N*T*Cqcom,msm-uart
+
+Signed-off-by: Javier Martinez Canillas
+Acked-by: Bjorn Andersson
+Cc: stable
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/serial/msm_serial.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1809,6 +1809,7 @@ static const struct of_device_id msm_mat
+ { .compatible = "qcom,msm-uartdm" },
+ {}
+ };
++MODULE_DEVICE_TABLE(of, msm_match_table);
+
+ static struct platform_driver msm_platform_driver = {
+ .remove = msm_serial_remove,
diff --git a/queue-4.10/usb-serial-ark3116-fix-register-accessor-error-handling.patch b/queue-4.10/usb-serial-ark3116-fix-register-accessor-error-handling.patch
new file mode 100644
index 00000000000..ec1430a9b9f
--- /dev/null
+++ b/queue-4.10/usb-serial-ark3116-fix-register-accessor-error-handling.patch
@@ -0,0 +1,46 @@
+From 9fef37d7cf170522fb354d6d0ea6de09b9b16678 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 14:56:09 +0100
+Subject: USB: serial: ark3116: fix register-accessor error handling
+
+From: Johan Hovold
+
+commit 9fef37d7cf170522fb354d6d0ea6de09b9b16678 upstream.
+
+The current implementation failed to detect short transfers, something
+which could lead to bits of the uninitialised heap transfer buffer
+leaking to user space.
+
+Fixes: 149fc791a452 ("USB: ark3116: Setup some basic infrastructure for new ark3116 driver.")
+Fixes: f4c1e8d597d1 ("USB: ark3116: Make existing functions 16450-aware and add close and release functions.")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ark3116.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/serial/ark3116.c
++++ b/drivers/usb/serial/ark3116.c
+@@ -99,10 +99,17 @@ static int ark3116_read_reg(struct usb_s
+ usb_rcvctrlpipe(serial->dev, 0),
+ 0xfe, 0xc0, 0, reg,
+ buf, 1, ARK_TIMEOUT);
+- if (result < 0)
++ if (result < 1) {
++ dev_err(&serial->interface->dev,
++ "failed to read register %u: %d\n",
++ reg, result);
++ if (result >= 0)
++ result = -EIO;
++
+ return result;
+- else
+- return buf[0];
++ }
++
++ return buf[0];
+ }
+
+ static inline int calc_divisor(int bps)
diff --git a/queue-4.10/usb-serial-console-fix-uninitialised-spinlock.patch b/queue-4.10/usb-serial-console-fix-uninitialised-spinlock.patch
new file mode 100644
index 00000000000..5f0edc38f9a
--- /dev/null
+++ b/queue-4.10/usb-serial-console-fix-uninitialised-spinlock.patch
@@ -0,0 +1,38 @@
+From 14816b16fa0adac24f82492f18fa62c55acabbbe Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 8 Feb 2017 18:53:08 +0100
+Subject: USB: serial: console: fix uninitialised spinlock
+
+From: Johan Hovold
+
+commit 14816b16fa0adac24f82492f18fa62c55acabbbe upstream.
+
+Since commit 4a510969374a ("tty: Make tty_files_lock per-tty") a new
+tty_struct spin lock is taken in the tty release path, but the
+USB-serial-console hack was never updated hence leaving the lock of its
+"fake" tty uninitialised. This was eventually detected by lockdep.
+
+Make sure to initialise the new lock also for the fake tty to address
+this regression.
+
+Yes, this code is a mess, but cleaning it up is left for another day.
+
+Fixes: 4a510969374a ("tty: Make tty_files_lock per-tty")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/console.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -143,6 +143,7 @@ static int usb_console_setup(struct cons
+ tty->driver = usb_serial_tty_driver;
+ tty->index = co->index;
+ init_ldsem(&tty->ldisc_sem);
++ spin_lock_init(&tty->files_lock);
+ INIT_LIST_HEAD(&tty->tty_files);
+ kref_get(&tty->driver->kref);
+ __module_get(tty->driver->owner);
diff --git a/queue-4.10/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch b/queue-4.10/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
new file mode 100644
index 00000000000..d85af84985e
--- /dev/null
+++ b/queue-4.10/usb-serial-cp210x-add-new-ids-for-ge-bx50v3-boards.patch
@@ -0,0 +1,31 @@
+From 9a593656def0dc2f6c227851e8e602077267a5f1 Mon Sep 17 00:00:00 2001
+From: Ken Lin
+Date: Sat, 4 Feb 2017 04:00:24 +0800
+Subject: USB: serial: cp210x: add new IDs for GE Bx50v3 boards
+
+From: Ken Lin
+
+commit 9a593656def0dc2f6c227851e8e602077267a5f1 upstream.
+
+Add new USB IDs for cp2104/5 devices on Bx50v3 boards due to the design
+change.
+
+Signed-off-by: Ken Lin
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/cp210x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -178,6 +178,8 @@ static const struct usb_device_id id_tab
+ { USB_DEVICE(0x1901, 0x0190) }, /* GE B850 CP2105 Recorder interface */
+ { USB_DEVICE(0x1901, 0x0193) }, /* GE B650 CP2104 PMC interface */
+ { USB_DEVICE(0x1901, 0x0194) }, /* GE Healthcare Remote Alarm Box */
++ { USB_DEVICE(0x1901, 0x0195) }, /* GE B850/B650/B450 CP2104 DP UART interface */
++ { USB_DEVICE(0x1901, 0x0196) }, /* GE B850 CP2105 DP UART interface */
+ { USB_DEVICE(0x19CF, 0x3000) }, /* Parrot NMEA GPS Flight Recorder */
+ { USB_DEVICE(0x1ADB, 0x0001) }, /* Schweitzer Engineering C662 Cable */
+ { USB_DEVICE(0x1B1C, 0x1C00) }, /* Corsair USB Dongle */
diff --git a/queue-4.10/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch b/queue-4.10/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
new file mode 100644
index 00000000000..22c2761720a
--- /dev/null
+++ b/queue-4.10/usb-serial-digi_acceleport-fix-oob-data-sanity-check.patch
@@ -0,0 +1,53 @@
+From 2d380889215fe20b8523345649dee0579821800c Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Tue, 31 Jan 2017 17:17:27 +0100
+Subject: USB: serial: digi_acceleport: fix OOB data sanity check
+
+From: Johan Hovold
+
+commit 2d380889215fe20b8523345649dee0579821800c upstream.
+
+Make sure to check for short transfers to avoid underflow in a loop
+condition when parsing the receive buffer.
+
+Also fix an off-by-one error in the incomplete sanity check which could
+lead to invalid data being parsed.
+
+Fixes: 8c209e6782ca ("USB: make actual_length in struct urb field u32")
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/digi_acceleport.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+--- a/drivers/usb/serial/digi_acceleport.c
++++ b/drivers/usb/serial/digi_acceleport.c
+@@ -1482,16 +1482,20 @@ static int digi_read_oob_callback(struct
+ struct usb_serial *serial = port->serial;
+ struct tty_struct *tty;
+ struct digi_port *priv = usb_get_serial_port_data(port);
++ unsigned char *buf = urb->transfer_buffer;
+ int opcode, line, status, val;
+ int i;
+ unsigned int rts;
+
++ if (urb->actual_length < 4)
++ return -1;
++
+ /* handle each oob command */
+- for (i = 0; i < urb->actual_length - 3;) {
+- opcode = ((unsigned char *)urb->transfer_buffer)[i++];
+- line = ((unsigned char *)urb->transfer_buffer)[i++];
+- status = ((unsigned char *)urb->transfer_buffer)[i++];
+- val = ((unsigned char *)urb->transfer_buffer)[i++];
++ for (i = 0; i < urb->actual_length - 4; i += 4) {
++ opcode = buf[i];
++ line = buf[i + 1];
++ status = buf[i + 2];
++ val = buf[i + 3];
+
+ dev_dbg(&port->dev, "digi_read_oob_callback: opcode=%d, line=%d, status=%d, val=%d\n",
+ opcode, line, status, val);
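Review bot: The new loop bound in digi_read_oob_callback, `i < urb->actual_length - 4` with `i += 4`, never parses the last 4-byte OOB command: with `actual_length == 4`, which the added guard accepts, the body runs zero times, and with 8 bytes only the first command is handled. The removed loop used `- 3` while advancing `i` by four per pass, so the bound that matches the new stepping is `for (i = 0; i < urb->actual_length - 3; i += 4) {`. `i` is an `int` compared against `actual_length`, which the commit message describes as u32, so the `< 4` guard is what keeps the subtraction from wrapping; a comment on the guard saying so would stop it being removed later. The function body continues outside the hunk.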
diff --git a/queue-4.10/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch b/queue-4.10/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
new file mode 100644
index 00000000000..68a218b4919
--- /dev/null
+++ b/queue-4.10/usb-serial-ftdi_sio-fix-extreme-low-latency-setting.patch
@@ -0,0 +1,51 @@
+From c6dce2626606ef16434802989466636bc28c1419 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 25 Jan 2017 15:35:20 +0100
+Subject: USB: serial: ftdi_sio: fix extreme low-latency setting
+
+From: Johan Hovold
+
+commit c6dce2626606ef16434802989466636bc28c1419 upstream.
+
+Since commit 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY
+flag") the FTDI driver has been using a receive latency-timer value of
+1 ms instead of the device default of 16 ms.
+
+The latency timer is used to periodically empty a non-full receive
+buffer, but a status header is always sent when the timer expires
+including when the buffer is empty. This means that a two-byte bulk
+message is received every millisecond also for an otherwise idle port as
+long as it is open.
+
+Let's restore the pre-2009 behaviour which reduces the rate of the
+status messages to 1/16th (e.g. interrupt frequency drops from 1 kHz to
+62.5 Hz) by not setting ASYNC_LOW_LATENCY by default.
+
+Anyone willing to pay the price for the minimum-latency behaviour should
+set the flag explicitly instead using the TIOCSSERIAL ioctl or a tool
+such as setserial (e.g. setserial /dev/ttyUSB0 low_latency).
+
+Note that since commit 0cbd81a9f6ba ("USB: ftdi_sio: remove
+tty->low_latency") the ASYNC_LOW_LATENCY flag has no other effects but
+to set a minimal latency timer.
+
+Reported-by: Antoine Aubert
+Fixes: 557aaa7ffab6 ("ft232: support the ASYNC_LOW_LATENCY flag")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -1802,8 +1802,6 @@ static int ftdi_sio_port_probe(struct us
+
+ mutex_init(&priv->cfg_lock);
+
+- priv->flags = ASYNC_LOW_LATENCY;
+-
+ if (quirk && quirk->port_probe)
+ quirk->port_probe(priv);
+
diff --git a/queue-4.10/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch b/queue-4.10/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
new file mode 100644
index 00000000000..355ed1e751a
--- /dev/null
+++ b/queue-4.10/usb-serial-ftdi_sio-fix-line-status-over-reporting.patch
@@ -0,0 +1,75 @@
+From a6bb1e17a39818b01b55d8e6238b4b5f06d55038 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 2 Feb 2017 17:38:35 +0100
+Subject: USB: serial: ftdi_sio: fix line-status over-reporting
+
+From: Johan Hovold
+
+commit a6bb1e17a39818b01b55d8e6238b4b5f06d55038 upstream.
+
+FTDI devices use a receive latency timer to periodically empty the
+receive buffer and report modem and line status (also when the buffer is
+empty).
+
+When a break or error condition is detected the corresponding status
+flags will be set on a packet with nonzero data payload and the flags
+are not updated until the break is over or further characters are
+received.
+
+In order to avoid over-reporting break and error conditions, these flags
+must therefore only be processed for packets with payload.
+
+This specifically fixes the case where after an overrun, the error
+condition is continuously reported and NULL-characters inserted until
+further data is received.
+
+Reported-by: Michael Walle
+Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on
+break")
+Fixes: 166ceb690750 ("USB: ftdi_sio: clean up line-status handling")
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 23 ++++++++++++++---------
+ 1 file changed, 14 insertions(+), 9 deletions(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2065,6 +2065,20 @@ static int ftdi_process_packet(struct us
+ priv->prev_status = status;
+ }
+
++ /* save if the transmitter is empty or not */
++ if (packet[1] & FTDI_RS_TEMT)
++ priv->transmit_empty = 1;
++ else
++ priv->transmit_empty = 0;
++
++ len -= 2;
++ if (!len)
++ return 0; /* status only */
++
++ /*
++ * Break and error status must only be processed for packets with
++ * data payload to avoid over-reporting.
++ */
+ flag = TTY_NORMAL;
+ if (packet[1] & FTDI_RS_ERR_MASK) {
+ /* Break takes precedence over parity, which takes precedence
+@@ -2087,15 +2101,6 @@ static int ftdi_process_packet(struct us
+ }
+ }
+
+- /* save if the transmitter is empty or not */
+- if (packet[1] & FTDI_RS_TEMT)
+- priv->transmit_empty = 1;
+- else
+- priv->transmit_empty = 0;
+-
+- len -= 2;
+- if (!len)
+- return 0; /* status only */
+ port->icount.rx += len;
+ ch = packet + 2;
+
diff --git a/queue-4.10/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch b/queue-4.10/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
new file mode 100644
index 00000000000..ae40af4889e
--- /dev/null
+++ b/queue-4.10/usb-serial-ftdi_sio-fix-modem-status-error-handling.patch
@@ -0,0 +1,40 @@
+From 427c3a95e3e29e65f59d99aaf320d7506f3eed57 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 14:56:11 +0100
+Subject: USB: serial: ftdi_sio: fix modem-status error handling
+
+From: Johan Hovold
+
+commit 427c3a95e3e29e65f59d99aaf320d7506f3eed57 upstream.
+
+Make sure to detect short responses when fetching the modem status in
+order to avoid parsing uninitialised buffer data and having bits of it
+leak to user space.
+
+Note that we still allow for short 1-byte responses.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ftdi_sio.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ftdi_sio.c
++++ b/drivers/usb/serial/ftdi_sio.c
+@@ -2428,8 +2428,12 @@ static int ftdi_get_modem_status(struct
+ FTDI_SIO_GET_MODEM_STATUS_REQUEST_TYPE,
+ 0, priv->interface,
+ buf, len, WDR_TIMEOUT);
+- if (ret < 0) {
++
++ /* NOTE: We allow short responses and handle that below. */
++ if (ret < 1) {
+ dev_err(&port->dev, "failed to get modem status: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
+ ret = usb_translate_errors(ret);
+ goto out;
+ }
diff --git a/queue-4.10/usb-serial-mos7840-fix-another-null-deref-at-open.patch b/queue-4.10/usb-serial-mos7840-fix-another-null-deref-at-open.patch
new file mode 100644
index 00000000000..62e1533ef45
--- /dev/null
+++ b/queue-4.10/usb-serial-mos7840-fix-another-null-deref-at-open.patch
@@ -0,0 +1,44 @@
+From 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 9 Feb 2017 12:11:41 +0100
+Subject: USB: serial: mos7840: fix another NULL-deref at open
+
+From: Johan Hovold
+
+commit 5182c2cf2a9bfb7f066ef0bdd2bb6330b94dd74e upstream.
+
+Fix another NULL-pointer dereference at open should a malicious device
+lack an interrupt-in endpoint.
+
+Note that the driver has a broken check for an interrupt-in endpoint
+which means that an interrupt URB has never even been submitted.
+
+Fixes: 3f5429746d91 ("USB: Moschip 7840 USB-Serial Driver")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/mos7840.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/mos7840.c
++++ b/drivers/usb/serial/mos7840.c
+@@ -1023,6 +1023,7 @@ static int mos7840_open(struct tty_struc
+ * (can't set it up in mos7840_startup as the structures *
+ * were not set up at that time.) */
+ if (port0->open_ports == 1) {
++ /* FIXME: Buffer never NULL, so URB is not submitted. */
+ if (serial->port[0]->interrupt_in_buffer == NULL) {
+ /* set up interrupt urb */
+ usb_fill_int_urb(serial->port[0]->interrupt_in_urb,
+@@ -2106,7 +2107,8 @@ static int mos7840_calc_num_ports(struct
+ static int mos7840_attach(struct usb_serial *serial)
+ {
+ if (serial->num_bulk_in < serial->num_ports ||
+- serial->num_bulk_out < serial->num_ports) {
++ serial->num_bulk_out < serial->num_ports ||
++ serial->num_interrupt_in < 1) {
+ dev_err(&serial->interface->dev, "missing endpoints\n");
+ return -ENODEV;
+ }
diff --git a/queue-4.10/usb-serial-opticon-fix-cts-retrieval-at-open.patch b/queue-4.10/usb-serial-opticon-fix-cts-retrieval-at-open.patch
new file mode 100644
index 00000000000..550f5bcfdfb
--- /dev/null
+++ b/queue-4.10/usb-serial-opticon-fix-cts-retrieval-at-open.patch
@@ -0,0 +1,36 @@
+From 2eee05020a0e7ee7c04422cbacdb07859e45dce6 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 13 Jan 2017 13:21:08 +0100
+Subject: USB: serial: opticon: fix CTS retrieval at open
+
+From: Johan Hovold
+
+commit 2eee05020a0e7ee7c04422cbacdb07859e45dce6 upstream.
+
+The opticon driver used a control request at open to trigger a CTS
+status notification to be sent over the bulk-in pipe. When the driver
+was converted to using the generic read implementation, an inverted test
+prevented this request from being sent, something which could lead to
+TIOCMGET reporting an incorrect CTS state.
+
+Reported-by: Dan Carpenter
+Fixes: 7a6ee2b02751 ("USB: opticon: switch to generic read implementation")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/opticon.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/opticon.c
++++ b/drivers/usb/serial/opticon.c
+@@ -142,7 +142,7 @@ static int opticon_open(struct tty_struc
+ usb_clear_halt(port->serial->dev, port->read_urb->pipe);
+
+ res = usb_serial_generic_open(tty, port);
+- if (!res)
++ if (res)
+ return res;
+
+ /* Request CTS line state, sometimes during opening the current
diff --git a/queue-4.10/usb-serial-spcp8x5-fix-modem-status-handling.patch b/queue-4.10/usb-serial-spcp8x5-fix-modem-status-handling.patch
new file mode 100644
index 00000000000..aab93cdcae1
--- /dev/null
+++ b/queue-4.10/usb-serial-spcp8x5-fix-modem-status-handling.patch
@@ -0,0 +1,50 @@
+From 5ed8d41023751bdd3546f2fe4118304357efe8d2 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 12 Jan 2017 14:56:21 +0100
+Subject: USB: serial: spcp8x5: fix modem-status handling
+
+From: Johan Hovold
+
+commit 5ed8d41023751bdd3546f2fe4118304357efe8d2 upstream.
+
+Make sure to detect short control transfers and return zero on success
+when retrieving the modem status.
+
+This fixes the TIOCMGET implementation which since e1ed212d8593 ("USB:
+spcp8x5: add proper modem-status support") has returned TIOCM_LE on
+successful retrieval, and avoids leaking bits from the stack on short
+transfers.
+
+This also fixes the carrier-detect implementation which since the above
+mentioned commit unconditionally has returned true.
+
+Fixes: e1ed212d8593 ("USB: spcp8x5: add proper modem-status support")
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/spcp8x5.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/spcp8x5.c
++++ b/drivers/usb/serial/spcp8x5.c
+@@ -232,11 +232,17 @@ static int spcp8x5_get_msr(struct usb_se
+ ret = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+ GET_UART_STATUS, GET_UART_STATUS_TYPE,
+ 0, GET_UART_STATUS_MSR, buf, 1, 100);
+- if (ret < 0)
++ if (ret < 1) {
+ dev_err(&port->dev, "failed to get modem status: %d\n", ret);
++ if (ret >= 0)
++ ret = -EIO;
++ goto out;
++ }
+
+ dev_dbg(&port->dev, "0xc0:0x22:0:6 %d - 0x02%x\n", ret, *buf);
+ *status = *buf;
++ ret = 0;
++out:
+ kfree(buf);
+
+ return ret;
diff --git a/queue-4.10/x86-platform-goldfish-prevent-unconditional-loading.patch b/queue-4.10/x86-platform-goldfish-prevent-unconditional-loading.patch
new file mode 100644
index 00000000000..367d1232c45
--- /dev/null
+++ b/queue-4.10/x86-platform-goldfish-prevent-unconditional-loading.patch
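Review bot: On the new error path in spcp8x5_get_msr, `*status` is left unassigned, so every caller has to test the return value before reading the status byte; the callers are outside the hunk, and a short comment on the function stating "returns 0 and sets *status on success, negative errno otherwise" would make that contract explicit. The retained debug line uses `"0xc0:0x22:0:6 %d - 0x02%x\n"`, which prints a literal `0x02` followed by the unpadded hex value; `0x%02x` was presumably intended. Because `ret` can only be 1 when that line is reached, the `%d` no longer carries information and could be dropped.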
@@ -0,0 +1,79 @@
+From 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Wed, 15 Feb 2017 11:11:50 +0100
+Subject: x86/platform/goldfish: Prevent unconditional loading
+
+From: Thomas Gleixner
+
+commit 47512cfd0d7a8bd6ab71d01cd89fca19eb2093eb upstream.
+
+The goldfish platform code registers the platform device unconditionally
+which causes havoc in several ways if the goldfish_pdev_bus driver is
+enabled:
+
+ - Access to the hardcoded physical memory region, which is either not
+ available or contains stuff which is completely unrelated.
+
+ - Prevents that the interrupt of the serial port can be requested
+
+ - In case of a spurious interrupt it goes into a infinite loop in the
+ interrupt handler of the pdev_bus driver (which needs to be fixed
+ seperately).
+
+Add a 'goldfish' command line option to make the registration opt-in when
+the platform is compiled in.
+
+I'm seriously grumpy about this engineering trainwreck, which has seven
+SOBs from Intel developers for 50 lines of code. And none of them figured
+out that this is broken. Impressive fail!
+
+Fixes: ddd70cf93d78 ("goldfish: platform device for x86")
+Reported-by: Gabriel C
+Signed-off-by: Thomas Gleixner
+Acked-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/admin-guide/kernel-parameters.txt | 4 ++++
+ arch/x86/platform/goldfish/goldfish.c | 14 +++++++++++++-
+ 2 files changed, 17 insertions(+), 1 deletion(-)
+
+--- a/Documentation/admin-guide/kernel-parameters.txt
++++ b/Documentation/admin-guide/kernel-parameters.txt
+@@ -1201,6 +1201,10 @@
+ When zero, profiling data is discarded and associated
+ debugfs files are removed at module unload time.
+
++ goldfish [X86] Enable the goldfish android emulator platform.
++ Don't use this when you are not running on the
++ android emulator
++
+ gpt [EFI] Forces disk with valid GPT signature but
+ invalid Protective MBR to be treated as GPT. If the
+ primary GPT is corrupted, it enables the backup/alternate
+--- a/arch/x86/platform/goldfish/goldfish.c
++++ b/arch/x86/platform/goldfish/goldfish.c
+@@ -42,10 +42,22 @@ static struct resource goldfish_pdev_bus
+ }
+ };
+
++static bool goldfish_enable __initdata;
++
++static int __init goldfish_setup(char *str)
++{
++ goldfish_enable = true;
++ return 0;
++}
++__setup("goldfish", goldfish_setup);
++
+ static int __init goldfish_init(void)
+ {
++ if (!goldfish_enable)
++ return -ENODEV;
++
+ platform_device_register_simple("goldfish_pdev_bus", -1,
+- goldfish_pdev_bus_resources, 2);
++ goldfish_pdev_bus_resources, 2);
+ return 0;
+ }
+ device_initcall(goldfish_init);
--
2.47.3
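Review bot: `goldfish_setup()` returns 0, which tells the `__setup()` machinery that the option was not consumed, so `goldfish` is still passed on as an unknown boot parameter; a handler that accepts its option should `return 1;`. `__setup("goldfish", ...)` matches by prefix and the handler ignores `str`, so any parameter that merely starts with `goldfish` enables the platform device; if only the bare word is meant, reject a non-empty `str`. In goldfish_init() the result of `platform_device_register_simple()` is still discarded and 0 is returned, so a failed registration goes unnoticed; checking it with `IS_ERR()` and returning `PTR_ERR()` would surface the failure.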