--- /dev/null
+From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 30 Jan 2018 23:11:24 -0800
+Subject: binder: check for binder_thread allocation failure in binder_poll()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
+
+If the kzalloc() in binder_get_thread() fails, binder_poll()
+dereferences the resulting NULL pointer.
+
+Fix it by returning POLLERR if the memory allocation failed.
+
+This bug was found by syzkaller using fault injection.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/android/binder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2628,6 +2628,8 @@ static unsigned int binder_poll(struct f
+ binder_lock(__func__);
+
+ thread = binder_get_thread(proc);
++ if (!thread)
++ return POLLERR;
+
+ wait_for_proc_work = thread->transaction_stack == NULL &&
+ list_empty(&thread->todo) && thread->return_error == BR_OK;
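Review bot: The new `return POLLERR;` exits binder_poll() with the global binder lock still held, because `binder_lock(__func__);` is taken two lines earlier in this hunk and nothing on the error path releases it. An allocation failure would then stop being a NULL dereference and instead leave every later taker of that lock blocked. The error path should release the lock before returning: `if (!thread) { binder_unlock(__func__); return POLLERR; }`. The remainder of binder_poll(), presumably including the normal unlock, lies outside the hunk.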
arm-8743-1-bl_switcher-add-module_license-tag.patch
arm64-dts-add-cooling-cells-to-cpu-nodes.patch
dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+staging-iio-ad5933-switch-buffer-mode-to-software.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
--- /dev/null
+From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 4 Feb 2018 02:06:27 +0000
+Subject: staging: android: ashmem: Fix a race condition in pin ioctls
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
+
+ashmem_pin_unpin() reads asma->file and asma->size before taking the
+ashmem_mutex, so it can race with other operations that modify them.
+
+Build-tested only.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/android/ashmem.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -719,30 +719,32 @@ static int ashmem_pin_unpin(struct ashme
+ size_t pgstart, pgend;
+ int ret = -EINVAL;
+
++ mutex_lock(&ashmem_mutex);
++
+ if (unlikely(!asma->file))
+- return -EINVAL;
++ goto out_unlock;
+
+- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+- return -EFAULT;
++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
++ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ /* per custom, you can pass zero for len to mean "everything onward" */
+ if (!pin.len)
+ pin.len = PAGE_ALIGN(asma->size) - pin.offset;
+
+ if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(((__u32)-1) - pin.offset < pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ pgstart = pin.offset / PAGE_SIZE;
+ pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
+
+- mutex_lock(&ashmem_mutex);
+-
+ switch (cmd) {
+ case ASHMEM_PIN:
+ ret = ashmem_pin(asma, pgstart, pgend);
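Review bot: `copy_from_user()` now runs with `ashmem_mutex` held, so a page fault on the user pointer `p` is serviced while the mutex is taken. Only the reads of `asma->file` and `asma->size` need the lock; the copy into the local `pin` touches no shared state. If any other path takes `ashmem_mutex` while already holding the memory-management locks that fault handling needs (an mmap handler would be the usual case; none is visible here), this ordering can deadlock. Doing the copy first, `if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) return -EFAULT;` followed by `mutex_lock(&ashmem_mutex);`, keeps the race fix without faulting under the mutex. The start of ashmem_pin_unpin() is outside the hunk.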
+@@ -755,6 +757,7 @@ static int ashmem_pin_unpin(struct ashme
+ break;
+ }
+
++out_unlock:
+ mutex_unlock(&ashmem_mutex);
+
+ return ret;
--- /dev/null
+From 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Thu, 25 Jan 2018 14:30:45 +0200
+Subject: staging: iio: ad5933: switch buffer mode to software
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 upstream.
+
+Since commit 152a6a884ae1 ("staging:iio:accel:sca3000 move
+to hybrid hard / soft buffer design.")
+the buffer mechanism has changed and the
+INDIO_BUFFER_HARDWARE flag has been unused.
+
+Since commit 2d6ca60f3284 ("iio: Add a DMAengine framework
+based buffer")
+the INDIO_BUFFER_HARDWARE flag has been re-purposed for
+DMA buffers.
+
+This driver has lagged behind these changes, and
+in order for buffers to work, the INDIO_BUFFER_SOFTWARE
+needs to be used.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer")
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/impedance-analyzer/ad5933.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -642,8 +642,6 @@ static int ad5933_register_ring_funcs_an
+ /* Ring buffer functions - here trigger setup related */
+ indio_dev->setup_ops = &ad5933_ring_setup_ops;
+
+- indio_dev->modes |= INDIO_BUFFER_HARDWARE;
+-
+ return 0;
+ }
+
+@@ -754,7 +752,7 @@ static int ad5933_probe(struct i2c_clien
+ indio_dev->dev.parent = &client->dev;
+ indio_dev->info = &ad5933_info;
+ indio_dev->name = id->name;
+- indio_dev->modes = INDIO_DIRECT_MODE;
++ indio_dev->modes = (INDIO_BUFFER_SOFTWARE | INDIO_DIRECT_MODE);
+ indio_dev->channels = ad5933_channels;
+ indio_dev->num_channels = ARRAY_SIZE(ad5933_channels);
+
--- /dev/null
+From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Date: Mon, 22 Jan 2018 11:53:12 +0200
+Subject: staging: iio: adc: ad7192: fix external frequency setting
+
+From: Alexandru Ardelean <alexandru.ardelean@analog.com>
+
+commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.
+
+The external clock frequency was set only when selecting
+the internal clock, which is fixed at 4.9152 Mhz.
+
+This is incorrect, since it should be set when any of
+the external clock or crystal settings is selected.
+
+Added range validation for the external (crystal/clock)
+frequency setting.
+Valid values are between 2.4576 and 5.12 Mhz.
+
+Signed-off-by: Alexandru Ardelean <alexandru.ardelean@analog.com>
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -141,6 +141,8 @@
+ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */
+ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */
+
++#define AD7192_EXT_FREQ_MHZ_MIN 2457600
++#define AD7192_EXT_FREQ_MHZ_MAX 5120000
+ #define AD7192_INT_FREQ_MHZ 4915200
+
+ /* NOTE:
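Review bot: `AD7192_EXT_FREQ_MHZ_MIN` and `AD7192_EXT_FREQ_MHZ_MAX` are named as megahertz but hold hertz values (2457600 and 5120000), and the later ad7192_setup() hunk compares them against `pdata->ext_clk_hz`. The existing `AD7192_INT_FREQ_MHZ` has the same mismatch, so the new names are consistent with the file. Even so, someone filling in platform data can easily supply the wrong unit and land on the new -EINVAL path. A one-line comment above the defines would settle it: `/* External clock/crystal limits in Hz (2.4576 MHz to 5.12 MHz) */`.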
+@@ -216,6 +218,12 @@ static int ad7192_calibrate_all(struct a
+ ARRAY_SIZE(ad7192_calib_arr));
+ }
+
++static inline bool ad7192_valid_external_frequency(u32 freq)
++{
++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
++ freq <= AD7192_EXT_FREQ_MHZ_MAX);
++}
++
+ static int ad7192_setup(struct ad7192_state *st,
+ const struct ad7192_platform_data *pdata)
+ {
+@@ -241,17 +249,20 @@ static int ad7192_setup(struct ad7192_st
+ id);
+
+ switch (pdata->clock_source_sel) {
+- case AD7192_CLK_EXT_MCLK1_2:
+- case AD7192_CLK_EXT_MCLK2:
+- st->mclk = AD7192_INT_FREQ_MHZ;
+- break;
+ case AD7192_CLK_INT:
+ case AD7192_CLK_INT_CO:
+- if (pdata->ext_clk_hz)
+- st->mclk = pdata->ext_clk_hz;
+- else
+- st->mclk = AD7192_INT_FREQ_MHZ;
++ st->mclk = AD7192_INT_FREQ_MHZ;
+ break;
++ case AD7192_CLK_EXT_MCLK1_2:
++ case AD7192_CLK_EXT_MCLK2:
++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
++ st->mclk = pdata->ext_clk_hz;
++ break;
++ }
++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
++ pdata->ext_clk_hz);
++ ret = -EINVAL;
++ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
--- /dev/null
+From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001
+From: Shuah Khan <shuahkh@osg.samsung.com>
+Date: Fri, 26 Jan 2018 11:56:50 -0700
+Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket
+
+From: Shuah Khan <shuahkh@osg.samsung.com>
+
+commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
+
+Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
+is reset to null, reset sockfd to -1 to keep it in sync.
+
+Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/usbip/stub_dev.c | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct devic
+ goto err;
+
+ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
+
+ spin_unlock_irq(&sdev->ud.lock);
+
+@@ -186,6 +187,7 @@ static void stub_shutdown_connection(str
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+
+ /* 3. free used data */
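Review bot: The visible lines of stub_shutdown_connection() clear `ud->tcp_socket` and `ud->sockfd` without taking `ud->lock`, whereas the store_sockfd() hunk sets the same pair before `spin_unlock_irq(&sdev->ud.lock)`. The same applies to the vhci_shutdown_connection() and vhci_device_reset() hunks in vhci_hcd.c. If no lock is taken outside these hunks, a reader holding `ud->lock` could see a NULL `tcp_socket` alongside a stale `sockfd`, which is the mismatch this change is meant to remove. It is worth either wrapping both stores in the lock or adding a comment at each reset site such as `/* sockfd is only meaningful while tcp_socket is non-NULL */`. The surrounding functions start and end outside the hunks, so the locking context needs confirming against the full file.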
+@@ -280,6 +282,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
+ sdev->ud.tcp_socket = NULL;
++ sdev->ud.sockfd = -1;
+
+ INIT_LIST_HEAD(&sdev->priv_init);
+ INIT_LIST_HEAD(&sdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -832,6 +832,7 @@ static void vhci_shutdown_connection(str
+ if (vdev->ud.tcp_socket) {
+ sockfd_put(vdev->ud.tcp_socket);
+ vdev->ud.tcp_socket = NULL;
++ vdev->ud.sockfd = -1;
+ }
+ pr_info("release socket\n");
+
+@@ -879,6 +880,7 @@ static void vhci_device_reset(struct usb
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+ ud->status = VDEV_ST_NULL;
+