--- /dev/null
+From edd4f70be70d90e70ddfcd3d139098db43e4f580 Mon Sep 17 00:00:00 2001
+From: Daniel Mack <daniel@zonque.org>
+Date: Thu, 11 Oct 2018 20:32:05 +0200
+Subject: ASoC: sta32x: set ->component pointer in private struct
+
+[ Upstream commit 747df19747bc9752cd40b9cce761e17a033aa5c2 ]
+
+The ESD watchdog code in sta32x_watchdog() dereferences the pointer
+which is never assigned.
+
+This is a regression from a1be4cead9b950 ("ASoC: sta32x: Convert to direct
+regmap API usage.") which went unnoticed since nobody seems to use that ESD
+workaround.
+
+Fixes: a1be4cead9b950 ("ASoC: sta32x: Convert to direct regmap API usage.")
+Signed-off-by: Daniel Mack <daniel@zonque.org>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: stable@vger.kernel.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ sound/soc/codecs/sta32x.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/sound/soc/codecs/sta32x.c b/sound/soc/codecs/sta32x.c
+index a9844b2ac829..c3eacf46b551 100644
+--- a/sound/soc/codecs/sta32x.c
++++ b/sound/soc/codecs/sta32x.c
+@@ -880,6 +880,9 @@ static int sta32x_probe(struct snd_soc_codec *codec)
+ struct sta32x_priv *sta32x = snd_soc_codec_get_drvdata(codec);
+ struct sta32x_platform_data *pdata = sta32x->pdata;
+ int i, ret = 0, thermal = 0;
++
++ sta32x->component = component;
++
+ ret = regulator_bulk_enable(ARRAY_SIZE(sta32x->supplies),
+ sta32x->supplies);
+ if (ret != 0) {
+--
+2.19.1
+
--- /dev/null
+From fc99a1748ead3571a3580749ade3550d0b55a7d4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Sep 2018 14:12:07 +0300
+Subject: cifs: integer overflow in in SMB2_ioctl()
+
+[ Upstream commit 2d204ee9d671327915260071c19350d84344e096 ]
+
+The "le32_to_cpu(rsp->OutputOffset) + *plen" addition can overflow and
+wrap around to a smaller value which looks like it would lead to an
+information leak.
+
+Fixes: 4a72dafa19ba ("SMB2 FSCTL and IOCTL worker function")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Reviewed-by: Aurelien Aptel <aaptel@suse.com>
+CC: Stable <stable@vger.kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/cifs/smb2pdu.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/smb2pdu.c b/fs/cifs/smb2pdu.c
+index f7111bb88ec1..14c65942adc6 100644
+--- a/fs/cifs/smb2pdu.c
++++ b/fs/cifs/smb2pdu.c
+@@ -1589,14 +1589,14 @@ SMB2_ioctl(const unsigned int xid, struct cifs_tcon *tcon, u64 persistent_fid,
+ /* We check for obvious errors in the output buffer length and offset */
+ if (*plen == 0)
+ goto ioctl_exit; /* server returned no data */
+- else if (*plen > 0xFF00) {
++ else if (*plen > rsp_iov.iov_len || *plen > 0xFF00) {
+ cifs_dbg(VFS, "srv returned invalid ioctl length: %d\n", *plen);
+ *plen = 0;
+ rc = -EIO;
+ goto ioctl_exit;
+ }
+
+- if (get_rfc1002_length(rsp) < le32_to_cpu(rsp->OutputOffset) + *plen) {
++ if (get_rfc1002_length(rsp) - *plen < le32_to_cpu(rsp->OutputOffset)) {
+ cifs_dbg(VFS, "Malformed ioctl resp: len %d offset %d\n", *plen,
+ le32_to_cpu(rsp->OutputOffset));
+ *plen = 0;
+--
+2.19.1
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
