From a0726f3a333c3fe356268840366b0702b0f04fd2 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 19 Jul 2020 23:53:06 -0400
Subject: [PATCH] Fixes for 4.4
Signed-off-by: Sasha Levin
---
 queue-4.4/series | 2 +
 ...erify-array-index-is-correct-before-.patch | 54 +++++++++++++++++++
 ...tmel-fix-uninitialized-read-in-debug.patch | 39 ++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 queue-4.4/staging-comedi-verify-array-index-is-correct-before-.patch
 create mode 100644 queue-4.4/usb-gadget-udc-atmel-fix-uninitialized-read-in-debug.patch
diff --git a/queue-4.4/series b/queue-4.4/series
index adab6641ea6..079a452b757 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -30,3 +30,5 @@ i2c-eg20t-load-module-automatically-if-id-matches.patch
 revert-usb-ehci-platform-set-pm-runtime-as-active-on.patch
 revert-usb-xhci-plat-set-pm-runtime-as-active-on-res.patch
 revert-usb-ohci-platform-fix-a-warning-when-hibernat.patch
+usb-gadget-udc-atmel-fix-uninitialized-read-in-debug.patch
+staging-comedi-verify-array-index-is-correct-before-.patch
diff --git a/queue-4.4/staging-comedi-verify-array-index-is-correct-before-.patch b/queue-4.4/staging-comedi-verify-array-index-is-correct-before-.patch
new file mode 100644
index 00000000000..4f4ef58d2bb
--- /dev/null
+++ b/queue-4.4/staging-comedi-verify-array-index-is-correct-before-.patch
@@ -0,0 +1,54 @@
+From 1aaf1154e6edc1c9e0232be87736b4ba83e24321 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 9 Jul 2020 13:29:36 +0300
+Subject: staging: comedi: verify array index is correct before using it
+
+From: Dan Carpenter
+
+[ Upstream commit ef75e14a6c935eec82abac07ab68e388514e39bc ]
+
+This code reads from the array before verifying that "trig" is a valid
+index. If the index is wildly out of bounds then reading from an
+invalid address could lead to an Oops.
+
+Fixes: a8c66b684efa ("staging: comedi: addi_apci_1500: rewrite the subdevice support functions")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Ian Abbott
+Link: https://lore.kernel.org/r/20200709102936.GA20875@mwanda
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/comedi/drivers/addi_apci_1500.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/comedi/drivers/addi_apci_1500.c b/drivers/staging/comedi/drivers/addi_apci_1500.c
+index 63991c49ff230..79a8799b12628 100644
+--- a/drivers/staging/comedi/drivers/addi_apci_1500.c
++++ b/drivers/staging/comedi/drivers/addi_apci_1500.c
+@@ -465,9 +465,9 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
+ unsigned int lo_mask = data[5] << shift;
+ unsigned int chan_mask = hi_mask | lo_mask;
+ unsigned int old_mask = (1 << shift) - 1;
+- unsigned int pm = devpriv->pm[trig] & old_mask;
+- unsigned int pt = devpriv->pt[trig] & old_mask;
+- unsigned int pp = devpriv->pp[trig] & old_mask;
++ unsigned int pm;
++ unsigned int pt;
++ unsigned int pp;
+
+ if (trig > 1) {
+ dev_dbg(dev->class_dev,
+@@ -480,6 +480,10 @@ static int apci1500_di_cfg_trig(struct comedi_device *dev,
+ return -EINVAL;
+ }
+
++ pm = devpriv->pm[trig] & old_mask;
++ pt = devpriv->pt[trig] & old_mask;
++ pp = devpriv->pp[trig] & old_mask;
++
+ switch (data[2]) {
+ case COMEDI_DIGITAL_TRIG_DISABLE:
+ /* clear trigger configuration */
+--
+2.25.1
+
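Review bot: The shift amount is still used unchecked in the declarations left at the top of `apci1500_di_cfg_trig()`: `data[5] << shift` and `(1 << shift) - 1` are evaluated before any validation visible in these hunks, and shifting by the width of the type or more is undefined behaviour. The definition of `shift` is outside the hunk, so this is inferred, but if it comes from the same caller-supplied `data[]` array as `trig` it needs a range check next to the `trig > 1` test, with the mask computations moved below it the way `pm`, `pt` and `pp` were moved. Independently, the mask is safer written as `unsigned int old_mask = (1U << shift) - 1;` so that a shift of 31 does not overflow a signed `int`. The function body starts before and continues after the quoted hunks.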
diff --git a/queue-4.4/usb-gadget-udc-atmel-fix-uninitialized-read-in-debug.patch b/queue-4.4/usb-gadget-udc-atmel-fix-uninitialized-read-in-debug.patch
new file mode 100644
index 00000000000..9b4aa6298b7
--- /dev/null
+++ b/queue-4.4/usb-gadget-udc-atmel-fix-uninitialized-read-in-debug.patch
@@ -0,0 +1,39 @@
+From 6133e7dceaa234e51f01635f8253ffc89228d9d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 28 May 2020 20:35:54 +0200
+Subject: usb: gadget: udc: atmel: fix uninitialized read in debug printk
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Michał Mirosław
+
+[ Upstream commit 30517ffeb3bff842e1355cbc32f1959d9dbb5414 ]
+
+Fixed commit moved the assignment of 'req', but did not update a
+reference in the DBG() call. Use the argument as it was renamed.
+
+Fixes: 5fb694f96e7c ("usb: gadget: udc: atmel: fix possible oops when unloading module")
+Signed-off-by: Michał Mirosław
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/atmel_usba_udc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/udc/atmel_usba_udc.c b/drivers/usb/gadget/udc/atmel_usba_udc.c
+index 668ac5e8681b5..e6902257d7de7 100644
+--- a/drivers/usb/gadget/udc/atmel_usba_udc.c
++++ b/drivers/usb/gadget/udc/atmel_usba_udc.c
+@@ -843,7 +843,7 @@ static int usba_ep_dequeue(struct usb_ep *_ep, struct usb_request *_req)
+ u32 status;
+
+ DBG(DBG_GADGET | DBG_QUEUE, "ep_dequeue: %s, req %p\n",
+- ep->ep.name, req);
++ ep->ep.name, _req);
+
+ spin_lock_irqsave(&udc->lock, flags);
+
+--
+2.25.1
+
--
2.47.3
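Review bot: The `req %p` conversion in this `DBG()` call prints an unhashed pointer on a 4.4 tree, because `%p` hashing only exists in later kernels, so with this debug level enabled the address of the request object is written to the kernel log. Using `%pK` in the format string would place it under `kptr_restrict`; the format line is unchanged context here, so that would be a follow-up rather than part of this backport. How `DBG()` is gated is not visible in the hunk, and `usba_ep_dequeue()` continues past it.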