--- /dev/null
+From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 30 Jan 2018 23:11:24 -0800
+Subject: binder: check for binder_thread allocation failure in binder_poll()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
+
+If the kzalloc() in binder_get_thread() fails, binder_poll()
+dereferences the resulting NULL pointer.
+
+Fix it by returning POLLERR if the memory allocation failed.
+
+This bug was found by syzkaller using fault injection.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2622,6 +2622,8 @@ static unsigned int binder_poll(struct f
+ binder_lock(__func__);
+
+ thread = binder_get_thread(proc);
++ if (!thread)
++ return POLLERR;
+
+ wait_for_proc_work = thread->transaction_stack == NULL &&
+ list_empty(&thread->todo) && thread->return_error == BR_OK;
arm64-dts-add-cooling-cells-to-cpu-nodes.patch
make-dst_cache-a-silent-config-option.patch
dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
--- /dev/null
+From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 4 Feb 2018 02:06:27 +0000
+Subject: staging: android: ashmem: Fix a race condition in pin ioctls
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
+
+ashmem_pin_unpin() reads asma->file and asma->size before taking the
+ashmem_mutex, so it can race with other operations that modify them.
+
+Build-tested only.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -704,30 +704,32 @@ static int ashmem_pin_unpin(struct ashme
+ size_t pgstart, pgend;
+ int ret = -EINVAL;
+
++ mutex_lock(&ashmem_mutex);
++
+ if (unlikely(!asma->file))
+- return -EINVAL;
++ goto out_unlock;
+
+- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+- return -EFAULT;
++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
++ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ /* per custom, you can pass zero for len to mean "everything onward" */
+ if (!pin.len)
+ pin.len = PAGE_ALIGN(asma->size) - pin.offset;
+
+ if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(((__u32)-1) - pin.offset < pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ pgstart = pin.offset / PAGE_SIZE;
+ pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
+
+- mutex_lock(&ashmem_mutex);
+-
+ switch (cmd) {
+ case ASHMEM_PIN:
+ ret = ashmem_pin(asma, pgstart, pgend);
+@@ -740,6 +742,7 @@ static int ashmem_pin_unpin(struct ashme
+ break;
+ }
+
++out_unlock:
+ mutex_unlock(&ashmem_mutex);
+
+ return ret;
--- /dev/null
+From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Mon, 22 Jan 2018 11:53:12 +0200
+Subject: staging: iio: adc: ad7192: fix external frequency setting
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.
+
+The external clock frequency was set only when selecting
+the internal clock, which is fixed at 4.9152 Mhz.
+
+This is incorrect, since it should be set when any of
+the external clock or crystal settings is selected.
+
+Added range validation for the external (crystal/clock)
+frequency setting.
+Valid values are between 2.4576 and 5.12 Mhz.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -124,6 +124,8 @@
+ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */
+ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */
+
++#define AD7192_EXT_FREQ_MHZ_MIN 2457600
++#define AD7192_EXT_FREQ_MHZ_MAX 5120000
+ #define AD7192_INT_FREQ_MHZ 4915200
+
+ /* NOTE:
+@@ -199,6 +201,12 @@ static int ad7192_calibrate_all(struct a
+ ARRAY_SIZE(ad7192_calib_arr));
+ }
+
++static inline bool ad7192_valid_external_frequency(u32 freq)
++{
++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
++ freq <= AD7192_EXT_FREQ_MHZ_MAX);
++}
++
+ static int ad7192_setup(struct ad7192_state *st,
+ const struct ad7192_platform_data *pdata)
+ {
+@@ -224,17 +232,20 @@ static int ad7192_setup(struct ad7192_st
+ id);
+
+ switch (pdata->clock_source_sel) {
+- case AD7192_CLK_EXT_MCLK1_2:
+- case AD7192_CLK_EXT_MCLK2:
+- st->mclk = AD7192_INT_FREQ_MHZ;
+- break;
+ case AD7192_CLK_INT:
+ case AD7192_CLK_INT_CO:
+- if (pdata->ext_clk_hz)
+- st->mclk = pdata->ext_clk_hz;
+- else
+- st->mclk = AD7192_INT_FREQ_MHZ;
++ st->mclk = AD7192_INT_FREQ_MHZ;
+ break;
++ case AD7192_CLK_EXT_MCLK1_2:
++ case AD7192_CLK_EXT_MCLK2:
++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
++ st->mclk = pdata->ext_clk_hz;
++ break;
++ }
++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
++ pdata->ext_clk_hz);
++ ret = -EINVAL;
++ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
--- /dev/null
+From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 26 Jan 2018 11:56:50 -0700
+Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
+
+Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
+is reset to null, reset sockfd to -1 to keep it in sync.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_dev.c | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct devic
+ goto err;
+
+ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
+
+ spin_unlock_irq(&sdev->ud.lock);
+
+@@ -186,6 +187,7 @@ static void stub_shutdown_connection(str
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+
+ /* 3. free used data */
+@@ -280,6 +282,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
+ sdev->ud.tcp_socket = NULL;
++ sdev->ud.sockfd = -1;
+
+ INIT_LIST_HEAD(&sdev->priv_init);
+ INIT_LIST_HEAD(&sdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -797,6 +797,7 @@ static void vhci_shutdown_connection(str
+ if (vdev->ud.tcp_socket) {
+ sockfd_put(vdev->ud.tcp_socket);
+ vdev->ud.tcp_socket = NULL;
++ vdev->ud.sockfd = -1;
+ }
+ pr_info("release socket\n");
+
+@@ -844,6 +845,7 @@ static void vhci_device_reset(struct usb
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+ ud->status = VDEV_ST_NULL;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
