From: Greg Kroah-Hartman Date: Fri, 23 Feb 2018 09:50:21 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v3.18.96~22 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d1960e52885e28a439534a77a700e3fa657454ce;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch staging-iio-ad5933-switch-buffer-mode-to-software.patch staging-iio-adc-ad7192-fix-external-frequency-setting.patch usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
---
diff --git a/queue-4.9/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch b/queue-4.9/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
new file mode 100644
index 00000000000..ab9c1aee89a
--- /dev/null
+++ b/queue-4.9/binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
@@ -0,0 +1,37 @@
+From f88982679f54f75daa5b8eff3da72508f1e7422f Mon Sep 17 00:00:00 2001
+From: Eric Biggers
+Date: Tue, 30 Jan 2018 23:11:24 -0800
+Subject: binder: check for binder_thread allocation failure in binder_poll()
+
+From: Eric Biggers
+
+commit f88982679f54f75daa5b8eff3da72508f1e7422f upstream.
+
+If the kzalloc() in binder_get_thread() fails, binder_poll()
+dereferences the resulting NULL pointer.
+
+Fix it by returning POLLERR if the memory allocation failed.
+
+This bug was found by syzkaller using fault injection.
+
+Reported-by: syzbot
+Fixes: 457b9a6f09f0 ("Staging: android: add binder driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Eric Biggers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/android/binder.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2628,6 +2628,8 @@ static unsigned int binder_poll(struct f
+ binder_lock(__func__);
+
+ thread = binder_get_thread(proc);
++ if (!thread)
++ return POLLERR;
+
+ wait_for_proc_work = thread->transaction_stack == NULL &&
+ list_empty(&thread->todo) && thread->return_error == BR_OK;
diff --git a/queue-4.9/series b/queue-4.9/series
index d98af37ed0c..eef71f6af60 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -34,3 +34,8 @@ video-fbdev-mmp-add-module_license.patch
 arm-8743-1-bl_switcher-add-module_license-tag.patch
 arm64-dts-add-cooling-cells-to-cpu-nodes.patch
 dn_getsockoptdecnet-move-nf_-get-set-sockopt-outside-sock-lock.patch
+staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
+binder-check-for-binder_thread-allocation-failure-in-binder_poll.patch
+staging-iio-adc-ad7192-fix-external-frequency-setting.patch
+staging-iio-ad5933-switch-buffer-mode-to-software.patch
+usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
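Review bot: In binder_poll() the added `return POLLERR;` sits two lines below the context line `binder_lock(__func__);`, and nothing visible in the hunk releases that lock on the new early-exit path. If binder_lock() still takes the driver-wide lock in this 4.9 tree, a failed allocation leaves it held and every later binder call blocks, so the fix trades a NULL dereference for a lock leak and a hang. The early exit should drop the lock first, e.g. `if (!thread) { binder_unlock(__func__); return POLLERR; }`. The rest of binder_poll() is outside the hunk, so this needs checking against the full 4.9 function rather than the upstream one the patch was written for.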
diff --git a/queue-4.9/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch b/queue-4.9/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
new file mode 100644
index 00000000000..932b2fa1843
--- /dev/null
+++ b/queue-4.9/staging-android-ashmem-fix-a-race-condition-in-pin-ioctls.patch
@@ -0,0 +1,72 @@
+From ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Sun, 4 Feb 2018 02:06:27 +0000
+Subject: staging: android: ashmem: Fix a race condition in pin ioctls
+
+From: Ben Hutchings
+
+commit ce8a3a9e76d0193e2e8d74a06d275b3c324ca652 upstream.
+
+ashmem_pin_unpin() reads asma->file and asma->size before taking the
+ashmem_mutex, so it can race with other operations that modify them.
+
+Build-tested only.
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ashmem.c | 19 +++++++++++--------
+ 1 file changed, 11 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -719,30 +719,32 @@ static int ashmem_pin_unpin(struct ashme
+ size_t pgstart, pgend;
+ int ret = -EINVAL;
+
++ mutex_lock(&ashmem_mutex);
++
+ if (unlikely(!asma->file))
+- return -EINVAL;
++ goto out_unlock;
+
+- if (unlikely(copy_from_user(&pin, p, sizeof(pin))))
+- return -EFAULT;
++ if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) {
++ ret = -EFAULT;
++ goto out_unlock;
++ }
+
+ /* per custom, you can pass zero for len to mean "everything onward" */
+ if (!pin.len)
+ pin.len = PAGE_ALIGN(asma->size) - pin.offset;
+
+ if (unlikely((pin.offset | pin.len) & ~PAGE_MASK))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(((__u32)-1) - pin.offset < pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ if (unlikely(PAGE_ALIGN(asma->size) < pin.offset + pin.len))
+- return -EINVAL;
++ goto out_unlock;
+
+ pgstart = pin.offset / PAGE_SIZE;
+ pgend = pgstart + (pin.len / PAGE_SIZE) - 1;
+
+- mutex_lock(&ashmem_mutex);
+-
+ switch (cmd) {
+ case ASHMEM_PIN:
+ ret = ashmem_pin(asma, pgstart, pgend);
+@@ -755,6 +757,7 @@ static int ashmem_pin_unpin(struct ashme
+ break;
+ }
+
++out_unlock:
+ mutex_unlock(&ashmem_mutex);
+
+ return ret;
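Review bot: In ashmem_pin_unpin() the new `mutex_lock(&ashmem_mutex);` is taken before `copy_from_user(&pin, p, sizeof(pin))`, so a page fault on the user buffer is now handled with ashmem_mutex held. The copy only fills the local `pin` and reads neither asma->file nor asma->size, so it does not need the lock; if an mmap-side path takes ashmem_mutex while holding mmap_sem (not visible in this hunk), the new ordering creates a lock-order inversion. Keeping `if (unlikely(copy_from_user(&pin, p, sizeof(pin)))) return -EFAULT;` above `mutex_lock(&ashmem_mutex);` and placing only the asma->file and asma->size checks under the lock closes the race without that dependency. The function begins before the first hunk and its switch body is split across the two hunks.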
diff --git a/queue-4.9/staging-iio-ad5933-switch-buffer-mode-to-software.patch b/queue-4.9/staging-iio-ad5933-switch-buffer-mode-to-software.patch
new file mode 100644
index 00000000000..d6a42b3bf0c
--- /dev/null
+++ b/queue-4.9/staging-iio-ad5933-switch-buffer-mode-to-software.patch
@@ -0,0 +1,53 @@
+From 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean
+Date: Thu, 25 Jan 2018 14:30:45 +0200
+Subject: staging: iio: ad5933: switch buffer mode to software
+
+From: Alexandru Ardelean
+
+commit 7d2b8e6aaf9ee87910c2337e1c59bb5d3e3ba8c5 upstream.
+
+Since commit 152a6a884ae1 ("staging:iio:accel:sca3000 move
+to hybrid hard / soft buffer design.")
+the buffer mechanism has changed and the
+INDIO_BUFFER_HARDWARE flag has been unused.
+
+Since commit 2d6ca60f3284 ("iio: Add a DMAengine framework
+based buffer")
+the INDIO_BUFFER_HARDWARE flag has been re-purposed for
+DMA buffers.
+
+This driver has lagged behind these changes, and
+in order for buffers to work, the INDIO_BUFFER_SOFTWARE
+needs to be used.
+
+Signed-off-by: Alexandru Ardelean
+Fixes: 2d6ca60f3284 ("iio: Add a DMAengine framework based buffer")
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/iio/impedance-analyzer/ad5933.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/staging/iio/impedance-analyzer/ad5933.c
++++ b/drivers/staging/iio/impedance-analyzer/ad5933.c
+@@ -642,8 +642,6 @@ static int ad5933_register_ring_funcs_an
+ /* Ring buffer functions - here trigger setup related */
+ indio_dev->setup_ops = &ad5933_ring_setup_ops;
+
+- indio_dev->modes |= INDIO_BUFFER_HARDWARE;
+-
+ return 0;
+ }
+
+@@ -754,7 +752,7 @@ static int ad5933_probe(struct i2c_clien
+ indio_dev->dev.parent = &client->dev;
+ indio_dev->info = &ad5933_info;
+ indio_dev->name = id->name;
+- indio_dev->modes = INDIO_DIRECT_MODE;
++ indio_dev->modes = (INDIO_BUFFER_SOFTWARE | INDIO_DIRECT_MODE);
+ indio_dev->channels = ad5933_channels;
+ indio_dev->num_channels = ARRAY_SIZE(ad5933_channels);
+
diff --git a/queue-4.9/staging-iio-adc-ad7192-fix-external-frequency-setting.patch b/queue-4.9/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
new file mode 100644
index 00000000000..d7043857d2b
--- /dev/null
+++ b/queue-4.9/staging-iio-adc-ad7192-fix-external-frequency-setting.patch
@@ -0,0 +1,81 @@
+From e31b617d0a63c6558485aaa730fd162faa95a766 Mon Sep 17 00:00:00 2001
+From: Alexandru Ardelean
+Date: Mon, 22 Jan 2018 11:53:12 +0200
+Subject: staging: iio: adc: ad7192: fix external frequency setting
+
+From: Alexandru Ardelean
+
+commit e31b617d0a63c6558485aaa730fd162faa95a766 upstream.
+
+The external clock frequency was set only when selecting
+the internal clock, which is fixed at 4.9152 Mhz.
+
+This is incorrect, since it should be set when any of
+the external clock or crystal settings is selected.
+
+Added range validation for the external (crystal/clock)
+frequency setting.
+Valid values are between 2.4576 and 5.12 Mhz.
+
+Signed-off-by: Alexandru Ardelean
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/iio/adc/ad7192.c | 27 +++++++++++++++++++--------
+ 1 file changed, 19 insertions(+), 8 deletions(-)
+
+--- a/drivers/staging/iio/adc/ad7192.c
++++ b/drivers/staging/iio/adc/ad7192.c
+@@ -141,6 +141,8 @@
+ #define AD7192_GPOCON_P1DAT BIT(1) /* P1 state */
+ #define AD7192_GPOCON_P0DAT BIT(0) /* P0 state */
+
++#define AD7192_EXT_FREQ_MHZ_MIN 2457600
++#define AD7192_EXT_FREQ_MHZ_MAX 5120000
+ #define AD7192_INT_FREQ_MHZ 4915200
+
+ /* NOTE:
+@@ -216,6 +218,12 @@ static int ad7192_calibrate_all(struct a
+ ARRAY_SIZE(ad7192_calib_arr));
+ }
+
++static inline bool ad7192_valid_external_frequency(u32 freq)
++{
++ return (freq >= AD7192_EXT_FREQ_MHZ_MIN &&
++ freq <= AD7192_EXT_FREQ_MHZ_MAX);
++}
++
+ static int ad7192_setup(struct ad7192_state *st,
+ const struct ad7192_platform_data *pdata)
+ {
+@@ -241,17 +249,20 @@ static int ad7192_setup(struct ad7192_st
+ id);
+
+ switch (pdata->clock_source_sel) {
+- case AD7192_CLK_EXT_MCLK1_2:
+- case AD7192_CLK_EXT_MCLK2:
+- st->mclk = AD7192_INT_FREQ_MHZ;
+- break;
+ case AD7192_CLK_INT:
+ case AD7192_CLK_INT_CO:
+- if (pdata->ext_clk_hz)
+- st->mclk = pdata->ext_clk_hz;
+- else
+- st->mclk = AD7192_INT_FREQ_MHZ;
++ st->mclk = AD7192_INT_FREQ_MHZ;
+ break;
++ case AD7192_CLK_EXT_MCLK1_2:
++ case AD7192_CLK_EXT_MCLK2:
++ if (ad7192_valid_external_frequency(pdata->ext_clk_hz)) {
++ st->mclk = pdata->ext_clk_hz;
++ break;
++ }
++ dev_err(&st->sd.spi->dev, "Invalid frequency setting %u\n",
++ pdata->ext_clk_hz);
++ ret = -EINVAL;
++ goto out;
+ default:
+ ret = -EINVAL;
+ goto out;
diff --git a/queue-4.9/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch b/queue-4.9/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
new file mode 100644
index 00000000000..11431303ed1
--- /dev/null
+++ b/queue-4.9/usbip-keep-usbip_device-sockfd-state-in-sync-with-tcp_socket.patch
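Review bot: In ad7192_setup() the external-clock cases (`AD7192_CLK_EXT_MCLK1_2`, `AD7192_CLK_EXT_MCLK2`) now fail with -EINVAL whenever `pdata->ext_clk_hz` is outside the new range, whereas the removed lines set `st->mclk = AD7192_INT_FREQ_MHZ` for them unconditionally. Platform data that selects an external source but leaves ext_clk_hz at zero would therefore stop probing after this stable update, which is worth checking against in-tree users before it is queued. Separately, the new limits are named `AD7192_EXT_FREQ_MHZ_MIN` and `AD7192_EXT_FREQ_MHZ_MAX` but hold Hz values (2457600, 5120000) and are compared with `ext_clk_hz`; a comment such as `/* external clock limits, in Hz */` above them would prevent a unit mistake. The switch statement continues past the end of the hunk.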
@@ -0,0 +1,65 @@
+From 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed Mon Sep 17 00:00:00 2001
+From: Shuah Khan
+Date: Fri, 26 Jan 2018 11:56:50 -0700
+Subject: usbip: keep usbip_device sockfd state in sync with tcp_socket
+
+From: Shuah Khan
+
+commit 009f41aed4b3e11e6dc1e3c07377a10c20f1a5ed upstream.
+
+Keep usbip_device sockfd state in sync with tcp_socket. When tcp_socket
+is reset to null, reset sockfd to -1 to keep it in sync.
+
+Signed-off-by: Shuah Khan
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/usbip/stub_dev.c | 3 +++
+ drivers/usb/usbip/vhci_hcd.c | 2 ++
+ 2 files changed, 5 insertions(+)
+
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -87,6 +87,7 @@ static ssize_t store_sockfd(struct devic
+ goto err;
+
+ sdev->ud.tcp_socket = socket;
++ sdev->ud.sockfd = sockfd;
+
+ spin_unlock_irq(&sdev->ud.lock);
+
+@@ -186,6 +187,7 @@ static void stub_shutdown_connection(str
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+
+ /* 3. free used data */
+@@ -280,6 +282,7 @@ static struct stub_device *stub_device_a
+ sdev->ud.status = SDEV_ST_AVAILABLE;
+ spin_lock_init(&sdev->ud.lock);
+ sdev->ud.tcp_socket = NULL;
++ sdev->ud.sockfd = -1;
+
+ INIT_LIST_HEAD(&sdev->priv_init);
+ INIT_LIST_HEAD(&sdev->priv_tx);
+--- a/drivers/usb/usbip/vhci_hcd.c
++++ b/drivers/usb/usbip/vhci_hcd.c
+@@ -832,6 +832,7 @@ static void vhci_shutdown_connection(str
+ if (vdev->ud.tcp_socket) {
+ sockfd_put(vdev->ud.tcp_socket);
+ vdev->ud.tcp_socket = NULL;
++ vdev->ud.sockfd = -1;
+ }
+ pr_info("release socket\n");
+
+@@ -879,6 +880,7 @@ static void vhci_device_reset(struct usb
+ if (ud->tcp_socket) {
+ sockfd_put(ud->tcp_socket);
+ ud->tcp_socket = NULL;
++ ud->sockfd = -1;
+ }
+ ud->status = VDEV_ST_NULL;
+
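Review bot: The `sockfd = -1` resets in stub_shutdown_connection(), vhci_shutdown_connection() and vhci_device_reset() are written next to `tcp_socket = NULL` with no lock visible in those hunks, while store_sockfd() assigns both fields just before `spin_unlock_irq(&sdev->ud.lock)`. If readers of sockfd rely on ud.lock, they can still see a stale descriptor number paired with a cleared socket unless the teardown paths hold the same lock; the callers are outside the hunks, so this needs confirming. A short comment at each reset, e.g. `/* sockfd mirrors tcp_socket; keep the two in step */`, would record the invariant this commit introduces. No hunk here touches the vhci attach path, so it is also worth checking that it sets sockfd wherever it sets tcp_socket.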