18 files changed, 0 insertions, 1073 deletions
diff --git a/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch b/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
deleted file mode 100644
index abd4430..0000000
--- a/recipes-kernel/linux/files/0001-net-fib-fib6_add-fix-potential-NULL-pointer-derefere.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From c5c56513b779cb082d05f63c606bde9321d395fb Mon Sep 17 00:00:00 2001
-From: Sona Sarmadi <sona.sarmadi@enea.com>
-Date: Tue, 22 Apr 2014 13:52:58 +0200
-Subject: [PATCH] net: fib: fib6_add: fix potential NULL pointer dereference
-When the kernel is compiled with CONFIG_IPV6_SUBTREES, and we return
-with an error in fn = fib6_add_1(), then error codes are encoded into
-the return pointer e.g. ERR_PTR(-ENOENT). In such an error case, we
-write the error code into err and jump to out, hence enter the if(err)
-condition. Now, if CONFIG_IPV6_SUBTREES is enabled, we check for:
-if (pn != fn && pn->leaf == rt)
-...
-if (pn != fn && !pn->leaf && !(pn->fn_flags & RTN_RTINFO))
-...
-Since pn is NULL and fn is f.e. ERR_PTR(-ENOENT), then pn != fn
-evaluates to true and causes a NULL-pointer dereference on further
-checks on pn. Fix it, by setting both NULL in error case, so that
-pn != fn already evaluates to false and no further dereference
-takes place.
-This was first correctly implemented in 4a287eba2 ("IPv6 routing,
-NLM_F_* flag support: REPLACE and EXCL flags support, warn about
-missing CREATE flag"), but the bug got later on introduced by
-188c517a0 ("ipv6: return errno pointers consistently for fib6_add_1()").
-Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
-Cc: Lin Ming <mlin@ss.pku.edu.cn>
-Cc: Matti Vaittinen <matti.vaittinen@nsn.com>
-Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
-Acked-by: Matti Vaittinen <matti.vaittinen@nsn.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
---
- net/ipv6/ip6_fib.c |    1 +
- 1 file changed, 1 insertion(+)
-diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
-index 5fc9c7a..45562f6 100644
--- a/net/ipv6/ip6_fib.c
-+++ b/net/ipv6/ip6_fib.c
-@@ -828,6 +828,7 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt, struct nl_info *info)
- 
-        if (IS_ERR(fn)) {
-                err = PTR_ERR(fn);
-+                fn = NULL;
-                goto out;
-        }
- 
-- 
-1.7.10.4
diff --git a/recipes-kernel/linux/files/Check_correct_namespace_when_spoofing_pid_over_SCM_RIGHTS.patch b/recipes-kernel/linux/files/Check_correct_namespace_when_spoofing_pid_over_SCM_RIGHTS.patch
deleted file mode 100644
index 79e52c3..0000000
--- a/recipes-kernel/linux/files/Check_correct_namespace_when_spoofing_pid_over_SCM_RIGHTS.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff --git a/net/core/scm.c b/net/core/scm.c
-index 03795d0..b4da80b 100644
--- a/net/core/scm.c
-+++ b/net/core/scm.c
-@@ -54,7 +54,7 @@ static __inline__ int scm_check_creds(struct ucred *creds)
-                return -EINVAL;
- 
-        if ((creds->pid == task_tgid_vnr(current) ||
-            ns_capable(current->nsproxy->pid_ns->user_ns, CAP_SYS_ADMIN)) &&
-+            ns_capable(task_active_pid_ns(current)->user_ns, CAP_SYS_ADMIN)) &&
-            ((uid_eq(uid, cred->uid)   || uid_eq(uid, cred->euid) ||
-              uid_eq(uid, cred->suid)) || nsown_capable(CAP_SETUID)) &&
-            ((gid_eq(gid, cred->gid)   || gid_eq(gid, cred->egid) ||
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch b/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch
deleted file mode 100644
index faeace9..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0001-HID-validate-HID-report-id-size.patch
+++ /dev/null
@@ -1,80 +0,0 @@
-From 43622021d2e2b82ea03d883926605bdd0525e1d1 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:29:55 +0200
-Subject: [PATCH] HID: validate HID report id size
-The "Report ID" field of a HID report is used to build indexes of
-reports. The kernel's index of these is limited to 256 entries, so any
-malicious device that sets a Report ID greater than 255 will trigger
-memory corruption on the host:
-[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878
-[ 1347.156261] IP: [<ffffffff813e4da0>] hid_register_report+0x2a/0x8b
-CVE-2013-2888
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-core.c |   10 +++++++---
- include/linux/hid.h    |    4 +++-
- 2 files changed, 10 insertions(+), 4 deletions(-)
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index 36668d1..5ea7d51 100644
--- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type,
-        struct hid_report_enum *report_enum = device->report_enum + type;
-        struct hid_report *report;
- 
-+       if (id >= HID_MAX_IDS)
-+               return NULL;
-        if (report_enum->report_id_hash[id])
-                return report_enum->report_id_hash[id];
- 
-@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item)
- 
-        case HID_GLOBAL_ITEM_TAG_REPORT_ID:
-                parser->global.report_id = item_udata(item);
-               if (parser->global.report_id == 0) {
-                       hid_err(parser->device, "report_id 0 is invalid\n");
-+               if (parser->global.report_id == 0 ||
-+                   parser->global.report_id >= HID_MAX_IDS) {
-+                       hid_err(parser->device, "report_id %u is invalid\n",
-+                               parser->global.report_id);
-                        return -1;
-                }
-                return 0;
-@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device)
-        for (i = 0; i < HID_REPORT_TYPES; i++) {
-                struct hid_report_enum *report_enum = device->report_enum + i;
- 
-               for (j = 0; j < 256; j++) {
-+               for (j = 0; j < HID_MAX_IDS; j++) {
-                        struct hid_report *report = report_enum->report_id_hash[j];
-                        if (report)
-                                hid_free_report(report);
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index 0c48991..ff545cc 100644
--- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -393,10 +393,12 @@ struct hid_report {
-        struct hid_device *device;                      /* associated device */
- };
- 
-+#define HID_MAX_IDS 256
-+
- struct hid_report_enum {
-        unsigned numbered;
-        struct list_head report_list;
-       struct hid_report *report_id_hash[256];
-+       struct hid_report *report_id_hash[HID_MAX_IDS];
- };
- 
- #define HID_REPORT_TYPES 3
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch b/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch
deleted file mode 100644
index 860d710..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0002-HID-provide-a-helper-for-validating-hid-reports.patch
+++ /dev/null
@@ -1,107 +0,0 @@
-From 331415ff16a12147d57d5c953f3a961b7ede348b Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:50 +0200
-Subject: [PATCH] HID: provide a helper for validating hid reports
-Many drivers need to validate the characteristics of their HID report
-during initialization to avoid misusing the reports. This adds a common
-helper to perform validation of the report exisitng, the field existing,
-and the expected number of values within the field.
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-core.c |   58 ++++++++++++++++++++++++++++++++++++++++++++++++
- include/linux/hid.h    |    4 ++++
- 2 files changed, 62 insertions(+)
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index ae88a97..be52c06 100644
--- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -801,6 +801,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size)
- }
- EXPORT_SYMBOL_GPL(hid_parse_report);
- 
-+static const char * const hid_report_names[] = {
-+       "HID_INPUT_REPORT",
-+       "HID_OUTPUT_REPORT",
-+       "HID_FEATURE_REPORT",
-+};
-+/**
-+ * hid_validate_values - validate existing device report's value indexes
-+ *
-+ * @device: hid device
-+ * @type: which report type to examine
-+ * @id: which report ID to examine (0 for first)
-+ * @field_index: which report field to examine
-+ * @report_counts: expected number of values
-+ *
-+ * Validate the number of values in a given field of a given report, after
-+ * parsing.
-+ */
-+struct hid_report *hid_validate_values(struct hid_device *hid,
-+                                      unsigned int type, unsigned int id,
-+                                      unsigned int field_index,
-+                                      unsigned int report_counts)
-+{
-+       struct hid_report *report;
-+
-+       if (type > HID_FEATURE_REPORT) {
-+               hid_err(hid, "invalid HID report type %u\n", type);
-+               return NULL;
-+       }
-+
-+       if (id >= HID_MAX_IDS) {
-+               hid_err(hid, "invalid HID report id %u\n", id);
-+               return NULL;
-+       }
-+
-+       /*
-+        * Explicitly not using hid_get_report() here since it depends on
-+        * ->numbered being checked, which may not always be the case when
-+        * drivers go to access report values.
-+        */
-+       report = hid->report_enum[type].report_id_hash[id];
-+       if (!report) {
-+               hid_err(hid, "missing %s %u\n", hid_report_names[type], id);
-+               return NULL;
-+       }
-+       if (report->maxfield <= field_index) {
-+               hid_err(hid, "not enough fields in %s %u\n",
-+                       hid_report_names[type], id);
-+               return NULL;
-+       }
-+       if (report->field[field_index]->report_count < report_counts) {
-+               hid_err(hid, "not enough values in %s %u field %u\n",
-+                       hid_report_names[type], id, field_index);
-+               return NULL;
-+       }
-+       return report;
-+}
-+EXPORT_SYMBOL_GPL(hid_validate_values);
-+
- /**
-  * hid_open_report - open a driver-specific device report
-  *
-diff --git a/include/linux/hid.h b/include/linux/hid.h
-index ee1ffc5..31b9d29 100644
--- a/include/linux/hid.h
-+++ b/include/linux/hid.h
-@@ -756,6 +756,10 @@ u8 *hid_alloc_report_buf(struct hid_report *report, gfp_t flags);
- struct hid_device *hid_allocate_device(void);
- struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id);
- int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size);
-+struct hid_report *hid_validate_values(struct hid_device *hid,
-+                                      unsigned int type, unsigned int id,
-+                                      unsigned int field_index,
-+                                      unsigned int report_counts);
- int hid_open_report(struct hid_device *device);
- int hid_check_keys_pressed(struct hid_device *hid);
- int hid_connect(struct hid_device *hid, unsigned int connect_mask);
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch
deleted file mode 100644
index a2641cf..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0003-HID-zeroplus-validate-output-report-details.patch
+++ /dev/null
@@ -1,59 +0,0 @@
-From 78214e81a1bf43740ce89bb5efda78eac2f8ef83 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:51 +0200
-Subject: [PATCH] HID: zeroplus: validate output report details
-The zeroplus HID driver was not checking the size of allocated values
-in fields it used. A HID device could send a malicious output report
-that would cause the driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005
-...
-[ 1466.243173] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-CVE-2013-2889
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-zpff.c |   18 +++++-------------
- 1 file changed, 5 insertions(+), 13 deletions(-)
-diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c
-index 6ec28a3..a29756c 100644
--- a/drivers/hid/hid-zpff.c
-+++ b/drivers/hid/hid-zpff.c
-@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid)
-        struct hid_report *report;
-        struct hid_input *hidinput = list_entry(hid->inputs.next,
-                                                struct hid_input, list);
-       struct list_head *report_list =
-                       &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-       int error;
-+       int i, error;
- 
-       if (list_empty(report_list)) {
-               hid_err(hid, "no output report found\n");
-               return -ENODEV;
-       }
-
-       report = list_entry(report_list->next, struct hid_report, list);
-
-       if (report->maxfield < 4) {
-               hid_err(hid, "not enough fields in report\n");
-               return -ENODEV;
-+       for (i = 0; i < 4; i++) {
-+               report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1);
-+               if (!report)
-+                       return -ENODEV;
-        }
- 
-        zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL);
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0004-HID-sony-validate-HID-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0004-HID-sony-validate-HID-output-report-details.patch
deleted file mode 100644
index 3a4e843..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0004-HID-sony-validate-HID-output-report-details.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 9446edb9a1740989cf6c20daf7510fb9a23be14a Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:52 +0200
-Subject: [PATCH] HID: sony: validate HID output report details
-This driver must validate the availability of the HID output report and
-its size before it can write LED states via buzz_set_leds(). This stops
-a heap overflow that is possible if a device provides a malicious HID
-output report:
-[  108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002
-...
-[  117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten
-CVE-2013-2890
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org #3.11
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-sony.c |    4 ++++
- 1 file changed, 4 insertions(+)
-diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c
-index 30dbb6b..b18320d 100644
--- a/drivers/hid/hid-sony.c
-+++ b/drivers/hid/hid-sony.c
-@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev)
-        drv_data = hid_get_drvdata(hdev);
-        BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER));
- 
-+       /* Validate expected report characteristics. */
-+       if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7))
-+               return -ENODEV;
-+
-        buzz = kzalloc(sizeof(*buzz), GFP_KERNEL);
-        if (!buzz) {
-                hid_err(hdev, "Insufficient memory, cannot allocate driver data\n");
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch
deleted file mode 100644
index e4eadff..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0005-HID-steelseries-validate-output-report-details.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From 41df7f6d43723deb7364340b44bc5d94bf717456 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:53 +0200
-Subject: [PATCH] HID: steelseries: validate output report details
-A HID device could send a malicious output report that would cause the
-steelseries HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-[  167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410
-...
-[  182.050547] BUG kmalloc-256 (Tainted: G        W   ): Redzone overwritten
-CVE-2013-2891
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-steelseries.c |    5 +++++
- 1 file changed, 5 insertions(+)
-diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c
-index d164911..29f328f 100644
--- a/drivers/hid/hid-steelseries.c
-+++ b/drivers/hid/hid-steelseries.c
-@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev,
-                goto err_free;
-        }
- 
-+       if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) {
-+               ret = -ENODEV;
-+               goto err_free;
-+       }
-+
-        ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
-        if (ret) {
-                hid_err(hdev, "hw start failed\n");
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch
deleted file mode 100644
index 15cf09b..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0006-HID-pantherlord-validate-output-report-details.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 412f30105ec6735224535791eed5cdc02888ecb4 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:30:49 +0200
-Subject: [PATCH] HID: pantherlord: validate output report details
-A HID device could send a malicious output report that would cause the
-pantherlord HID driver to write beyond the output report allocation
-during initialization, causing a heap overflow:
-[  310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003
-...
-[  315.980774] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-CVE-2013-2892
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-pl.c |   10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c
-index d29112f..2dcd7d9 100644
--- a/drivers/hid/hid-pl.c
-+++ b/drivers/hid/hid-pl.c
-@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid)
-                        strong = &report->field[0]->value[2];
-                        weak = &report->field[0]->value[3];
-                        debug("detected single-field device");
-               } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 &&
-                               report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) {
-+               } else if (report->field[0]->maxusage == 1 &&
-+                          report->field[0]->usage[0].hid ==
-+                               (HID_UP_LED | 0x43) &&
-+                          report->maxfield >= 4 &&
-+                          report->field[0]->report_count >= 1 &&
-+                          report->field[1]->report_count >= 1 &&
-+                          report->field[2]->report_count >= 1 &&
-+                          report->field[3]->report_count >= 1) {
-                        report->field[0]->value[0] = 0x00;
-                        report->field[1]->value[0] = 0x00;
-                        strong = &report->field[2]->value[0];
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0007-HID-LG-validate-HID-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0007-HID-LG-validate-HID-output-report-details.patch
deleted file mode 100644
index 9376c42..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0007-HID-LG-validate-HID-output-report-details.patch
+++ /dev/null
@@ -1,195 +0,0 @@
-From 0fb6bd06e06792469acc15bbe427361b56ada528 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:54 +0200
-Subject: [PATCH] HID: LG: validate HID output report details
-A HID device could send a malicious output report that would cause the
-lg, lg3, and lg4 HID drivers to write beyond the output report allocation
-during an event, causing a heap overflow:
-[  325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287
-...
-[  414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten
-Additionally, while lg2 did correctly validate the report details, it was
-cleaned up and shortened.
-CVE-2013-2893
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Reviewed-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-lg2ff.c |   19 +++----------------
- drivers/hid/hid-lg3ff.c |   29 ++++++-----------------------
- drivers/hid/hid-lg4ff.c |   20 +-------------------
- drivers/hid/hid-lgff.c  |   17 ++---------------
- 4 files changed, 12 insertions(+), 73 deletions(-)
-diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c
-index b3cd150..1a42eaa 100644
--- a/drivers/hid/hid-lg2ff.c
-+++ b/drivers/hid/hid-lg2ff.c
-@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid)
-        struct hid_report *report;
-        struct hid_input *hidinput = list_entry(hid->inputs.next,
-                                                struct hid_input, list);
-       struct list_head *report_list =
-                       &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-        int error;
- 
-       if (list_empty(report_list)) {
-               hid_err(hid, "no output report found\n");
-+       /* Check that the report looks ok */
-+       report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7);
-+       if (!report)
-                return -ENODEV;
-       }
-
-       report = list_entry(report_list->next, struct hid_report, list);
-
-       if (report->maxfield < 1) {
-               hid_err(hid, "output report is empty\n");
-               return -ENODEV;
-       }
-       if (report->field[0]->report_count < 7) {
-               hid_err(hid, "not enough values in the field\n");
-               return -ENODEV;
-       }
- 
-        lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL);
-        if (!lg2ff)
-diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c
-index e52f181..8c2da18 100644
--- a/drivers/hid/hid-lg3ff.c
-+++ b/drivers/hid/hid-lg3ff.c
-@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data,
-        int x, y;
- 
- /*
- * Maxusage should always be 63 (maximum fields)
- * likely a better way to ensure this data is clean
-+ * Available values in the field should always be 63, but we only use up to
-+ * 35. Instead, clear the entire area, however big it is.
-  */
-       memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage);
-+       memset(report->field[0]->value, 0,
-+              sizeof(__s32) * report->field[0]->report_count);
- 
-        switch (effect->type) {
-        case FF_CONSTANT:
-@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = {
- int lg3ff_init(struct hid_device *hid)
- {
-        struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
-       struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-       struct hid_report *report;
-       struct hid_field *field;
-        const signed short *ff_bits = ff3_joystick_ac;
-        int error;
-        int i;
- 
-       /* Find the report to use */
-       if (list_empty(report_list)) {
-               hid_err(hid, "No output report found\n");
-               return -1;
-       }
-
-        /* Check that the report looks ok */
-       report = list_entry(report_list->next, struct hid_report, list);
-       if (!report) {
-               hid_err(hid, "NULL output report\n");
-               return -1;
-       }
-
-       field = report->field[0];
-       if (!field) {
-               hid_err(hid, "NULL field\n");
-               return -1;
-       }
-+       if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35))
-+               return -ENODEV;
- 
-        /* Assume single fixed device G940 */
-        for (i = 0; ff_bits[i] >= 0; i++)
-diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c
-index 0ddae2a..8782fe1 100644
--- a/drivers/hid/hid-lg4ff.c
-+++ b/drivers/hid/hid-lg4ff.c
-@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde
- int lg4ff_init(struct hid_device *hid)
- {
-        struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
-       struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-       struct hid_report *report;
-       struct hid_field *field;
-        struct lg4ff_device_entry *entry;
-        struct lg_drv_data *drv_data;
-        struct usb_device_descriptor *udesc;
-        int error, i, j;
-        __u16 bcdDevice, rev_maj, rev_min;
- 
-       /* Find the report to use */
-       if (list_empty(report_list)) {
-               hid_err(hid, "No output report found\n");
-               return -1;
-       }
-
-        /* Check that the report looks ok */
-       report = list_entry(report_list->next, struct hid_report, list);
-       if (!report) {
-               hid_err(hid, "NULL output report\n");
-+       if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
-                return -1;
-       }
-
-       field = report->field[0];
-       if (!field) {
-               hid_err(hid, "NULL field\n");
-               return -1;
-       }
- 
-        /* Check what wheel has been connected */
-        for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) {
-diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c
-index d7ea8c8..e1394af 100644
--- a/drivers/hid/hid-lgff.c
-+++ b/drivers/hid/hid-lgff.c
-@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude)
- int lgff_init(struct hid_device* hid)
- {
-        struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list);
-       struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list;
-        struct input_dev *dev = hidinput->input;
-       struct hid_report *report;
-       struct hid_field *field;
-        const signed short *ff_bits = ff_joystick;
-        int error;
-        int i;
- 
-       /* Find the report to use */
-       if (list_empty(report_list)) {
-               hid_err(hid, "No output report found\n");
-               return -1;
-       }
-
-        /* Check that the report looks ok */
-       report = list_entry(report_list->next, struct hid_report, list);
-       field = report->field[0];
-       if (!field) {
-               hid_err(hid, "NULL field\n");
-               return -1;
-       }
-+       if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7))
-+               return -ENODEV;
- 
-        for (i = 0; i < ARRAY_SIZE(devices); i++) {
-                if (dev->id.vendor == devices[i].idVendor &&
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0008-HID-lenovo-tpkbd-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0008-HID-lenovo-tpkbd-validate-output-report-details.patch
deleted file mode 100644
index 1c53d77..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0008-HID-lenovo-tpkbd-validate-output-report-details.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0a9cd0a80ac559357c6a90d26c55270ed752aa26 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:55 +0200
-Subject: [PATCH] HID: lenovo-tpkbd: validate output report details
-A HID device could send a malicious output report that would cause the
-lenovo-tpkbd HID driver to write just beyond the output report allocation
-during initialization, causing a heap overflow:
-[   76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009
-...
-[   80.462540] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-CVE-2013-2894
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-lenovo-tpkbd.c |   10 +++++++++-
- 1 file changed, 9 insertions(+), 1 deletion(-)
-diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c
-index 07837f5..762d988 100644
--- a/drivers/hid/hid-lenovo-tpkbd.c
-+++ b/drivers/hid/hid-lenovo-tpkbd.c
-@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev)
-        struct tpkbd_data_pointer *data_pointer;
-        size_t name_sz = strlen(dev_name(dev)) + 16;
-        char *name_mute, *name_micmute;
-       int ret;
-+       int i, ret;
-+
-+       /* Validate required reports. */
-+       for (i = 0; i < 4; i++) {
-+               if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1))
-+                       return -ENODEV;
-+       }
-+       if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2))
-+               return -ENODEV;
- 
-        if (sysfs_create_group(&hdev->dev.kobj,
-                                &tpkbd_attr_group_pointer)) {
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch
deleted file mode 100644
index a249c54..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0009-HID-logitech-dj-validate-output-report-details.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 297502abb32e225fb23801fcdb0e4f6f8e17099a Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 11 Sep 2013 21:56:56 +0200
-Subject: [PATCH] HID: logitech-dj: validate output report details
-A HID device could send a malicious output report that would cause the
-logitech-dj HID driver to leak kernel memory contents to the device, or
-trigger a NULL dereference during initialization:
-[  304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b
-...
-[  304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
-[  304.781409] IP: [<ffffffff815d50aa>] logi_dj_recv_send_report.isra.11+0x1a/0x90
-CVE-2013-2895
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-logitech-dj.c |   10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c
-index 7800b14..2e53024 100644
--- a/drivers/hid/hid-logitech-dj.c
-+++ b/drivers/hid/hid-logitech-dj.c
-@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
-        struct hid_report *report;
-        struct hid_report_enum *output_report_enum;
-        u8 *data = (u8 *)(&dj_report->device_index);
-       int i;
-+       unsigned int i;
- 
-        output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT];
-        report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT];
-@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev,
-                return -ENODEV;
-        }
- 
-       for (i = 0; i < report->field[0]->report_count; i++)
-+       for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++)
-                report->field[0]->value[i] = data[i];
- 
-        hid_hw_request(hdev, report, HID_REQ_SET_REPORT);
-@@ -791,6 +791,12 @@ static int logi_dj_probe(struct hid_device *hdev,
-                goto hid_parse_fail;
-        }
- 
-+       if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT,
-+                                0, DJREPORT_SHORT_LENGTH - 1)) {
-+               retval = -ENODEV;
-+               goto hid_parse_fail;
-+       }
-+
-        /* Starts the usb device and connects to upper interfaces hiddev and
-         * hidraw */
-        retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch
deleted file mode 100644
index b243fc6..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0010-HID-ntrig-validate-feature-report-details.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 875b4e3763dbc941f15143dd1a18d10bb0be303b Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:28 +0200
-Subject: [PATCH] HID: ntrig: validate feature report details
-A HID device could send a malicious feature report that would cause the
-ntrig HID driver to trigger a NULL dereference during initialization:
-[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001
-...
-[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
-[57383.315308] IP: [<ffffffffa08102de>] ntrig_probe+0x25e/0x420 [hid_ntrig]
-CVE-2013-2896
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Rafi Rubin <rafi@seas.upenn.edu>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-ntrig.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c
-index 98d1fdf..600f207 100644
--- a/drivers/hid/hid-ntrig.c
-+++ b/drivers/hid/hid-ntrig.c
-@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev)
-        struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT].
-                                    report_id_hash[0x0d];
- 
-       if (!report)
-+       if (!report || report->maxfield < 1 ||
-+           report->field[0]->report_count < 1)
-                return -EINVAL;
- 
-        hid_hw_request(hdev, report, HID_REQ_GET_REPORT);
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0011-HID-multitouch-validate-indexes-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0011-HID-multitouch-validate-indexes-details.patch
deleted file mode 100644
index ff425ec..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0011-HID-multitouch-validate-indexes-details.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8821f5dc187bdf16cfb32ef5aa8c3035273fa79a Mon Sep 17 00:00:00 2001
-From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Date: Wed, 11 Sep 2013 21:56:58 +0200
-Subject: [PATCH] HID: multitouch: validate indexes details
-When working on report indexes, always validate that they are in bounds.
-Without this, a HID device could report a malicious feature report that
-could trick the driver into a heap overflow:
-[  634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500
-...
-[  676.469629] BUG kmalloc-192 (Tainted: G        W   ): Redzone overwritten
-Note that we need to change the indexes from s8 to s16 as they can
-be between -1 and 255.
-CVE-2013-2897
-Cc: stable@vger.kernel.org
-Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
-Acked-by: Kees Cook <keescook@chromium.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-multitouch.c |   26 ++++++++++++++------------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
-index ac28f08..5e5fe1b 100644
--- a/drivers/hid/hid-multitouch.c
-+++ b/drivers/hid/hid-multitouch.c
-@@ -101,9 +101,9 @@ struct mt_device {
-        unsigned last_slot_field;       /* the last field of a slot */
-        unsigned mt_report_id;  /* the report ID of the multitouch device */
-        unsigned pen_report_id; /* the report ID of the pen device */
-       __s8 inputmode;         /* InputMode HID feature, -1 if non-existent */
-       __s8 inputmode_index;   /* InputMode HID feature index in the report */
-       __s8 maxcontact_report_id;      /* Maximum Contact Number HID feature,
-+       __s16 inputmode;        /* InputMode HID feature, -1 if non-existent */
-+       __s16 inputmode_index;  /* InputMode HID feature index in the report */
-+       __s16 maxcontact_report_id;     /* Maximum Contact Number HID feature,
-                                   -1 if non-existent */
-        __u8 num_received;      /* how many contacts we received */
-        __u8 num_expected;      /* expected last contact index */
-@@ -312,20 +312,18 @@ static void mt_feature_mapping(struct hid_device *hdev,
-                struct hid_field *field, struct hid_usage *usage)
- {
-        struct mt_device *td = hid_get_drvdata(hdev);
-       int i;
- 
-        switch (usage->hid) {
-        case HID_DG_INPUTMODE:
-               td->inputmode = field->report->id;
-               td->inputmode_index = 0; /* has to be updated below */
-
-               for (i=0; i < field->maxusage; i++) {
-                       if (field->usage[i].hid == usage->hid) {
-                               td->inputmode_index = i;
-                               break;
-                       }
-+               /* Ignore if value index is out of bounds. */
-+               if (usage->usage_index >= field->report_count) {
-+                       dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n");
-+                       break;
-                }
- 
-+               td->inputmode = field->report->id;
-+               td->inputmode_index = usage->usage_index;
-+
-                break;
-        case HID_DG_CONTACTMAX:
-                td->maxcontact_report_id = field->report->id;
-@@ -511,6 +509,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi,
-                        mt_store_field(usage, td, hi);
-                        return 1;
-                case HID_DG_CONTACTCOUNT:
-+                       /* Ignore if indexes are out of bounds. */
-+                       if (field->index >= field->report->maxfield ||
-+                           usage->usage_index >= field->report_count)
-+                               return 1;
-                        td->cc_index = field->index;
-                        td->cc_value_index = usage->usage_index;
-                        return 1;
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch
deleted file mode 100644
index 745fa9e..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0012-HID-sensor-hub-validate-feature-report-details.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 9e8910257397372633e74b333ef891f20c800ee4 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:44 +0200
-Subject: [PATCH] HID: sensor-hub: validate feature report details
-A HID device could send a malicious feature report that would cause the
-sensor-hub HID driver to read past the end of heap allocation, leaking
-kernel memory contents to the caller.
-CVE-2013-2898
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-sensor-hub.c |    3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
-index ffc80cf..6fca30e 100644
--- a/drivers/hid/hid-sensor-hub.c
-+++ b/drivers/hid/hid-sensor-hub.c
-@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
- 
-        mutex_lock(&data->mutex);
-        report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT);
-       if (!report || (field_index >=  report->maxfield)) {
-+       if (!report || (field_index >=  report->maxfield) ||
-+           report->field[field_index]->report_count < 1) {
-                ret = -EINVAL;
-                goto done_proc;
-        }
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch b/recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch
deleted file mode 100644
index 7abf193..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0013-HID-picolcd_core-validate-output-report-details.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From 1e87a2456b0227ca4ab881e19a11bb99d164e792 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:31:52 +0200
-Subject: [PATCH] HID: picolcd_core: validate output report details
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-A HID device could send a malicious output report that would cause the
-picolcd HID driver to trigger a NULL dereference during attr file writing.
-[jkosina@suse.cz: changed
-        report->maxfield < 1
-to
-        report->maxfield != 1
-as suggested by Bruno].
-CVE-2013-2899
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Reviewed-by: Bruno Prémont <bonbons@linux-vserver.org>
-Acked-by: Bruno Prémont <bonbons@linux-vserver.org>
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-picolcd_core.c |    2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c
-index b48092d..acbb0210 100644
--- a/drivers/hid/hid-picolcd_core.c
-+++ b/drivers/hid/hid-picolcd_core.c
-@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev,
-                buf += 10;
-                cnt -= 10;
-        }
-       if (!report)
-+       if (!report || report->maxfield != 1)
-                return -EINVAL;
- 
-        while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r'))
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch b/recipes-kernel/linux/files/HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch
deleted file mode 100644
index f75e653..0000000
--- a/recipes-kernel/linux/files/HID_CVE_patches/0014-HID-check-for-NULL-field-when-setting-values.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From be67b68d52fa28b9b721c47bb42068f0c1214855 Mon Sep 17 00:00:00 2001
-From: Kees Cook <keescook@chromium.org>
-Date: Wed, 28 Aug 2013 22:32:01 +0200
-Subject: [PATCH] HID: check for NULL field when setting values
-Defensively check that the field to be worked on is not NULL.
-Signed-off-by: Kees Cook <keescook@chromium.org>
-Cc: stable@kernel.org
-Signed-off-by: Jiri Kosina <jkosina@suse.cz>
-Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
---
- drivers/hid/hid-core.c |    7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
-index ebf5781..dcd60eb 100644
--- a/drivers/hid/hid-core.c
-+++ b/drivers/hid/hid-core.c
-@@ -1169,7 +1169,12 @@ EXPORT_SYMBOL_GPL(hid_alloc_report_buf);
- 
- int hid_set_field(struct hid_field *field, unsigned offset, __s32 value)
- {
-       unsigned size = field->report_size;
-+       unsigned size;
-+
-+       if (!field)
-+               return -1;
-+
-+       size = field->report_size;
- 
-        hid_dump_input(field->report->device, field->usage + offset, value);
- 
-- 
-1.7.9.5
diff --git a/recipes-kernel/linux/files/arm_arch_timer-Keystone-2-architected-timer-frequenc.patch b/recipes-kernel/linux/files/arm_arch_timer-Keystone-2-architected-timer-frequenc.patch
deleted file mode 100644
index 49bf07b..0000000
--- a/recipes-kernel/linux/files/arm_arch_timer-Keystone-2-architected-timer-frequenc.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From e2d575410329f42542972b7276fbb1c2c7f48334 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Sixten=20Sj=C3=B6str=C3=B6m=20Thames?=
- <Sixten.Sjoestroem.Thames@enea.com>
-Date: Mon, 12 May 2014 21:18:47 +0200
-Subject: [PATCH] arm_arch_timer: Keystone 2 architected timer frequency fix
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-The arch timer frequency register returns incorrect values on early
-versions of the Keystone 2 evm silicon. The frequency register always
-returns 1000 MHz on bad silicon. This temporary fix solves that.
-Signed-off-by: Sixten Sjöström Thames <Sixten.Sjoestroem.Thames@enea.com>
---
- drivers/clocksource/arm_arch_timer.c |   16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-diff --git a/drivers/clocksource/arm_arch_timer.c b/drivers/clocksource/arm_arch_timer.c
-index a2b2541..321aba1 100644
--- a/drivers/clocksource/arm_arch_timer.c
-+++ b/drivers/clocksource/arm_arch_timer.c
-@@ -23,6 +23,8 @@
- 
- #include <clocksource/arm_arch_timer.h>
- 
-+#define K2_PG1_AT_FREQ 133120000UL
-+
- static u32 arch_timer_rate;
- 
- enum ppi_nr {
-@@ -165,6 +167,20 @@ static int arch_timer_available(void)
-        if (arch_timer_rate == 0) {
-                freq = arch_timer_get_cntfrq();
- 
-+               /* The Keystone 2 EVM PG1.0 silicon has a malfunctional
-+                * Architected timer. The timer frequency register allways
-+                * incorrectly returns 1000 MHz. This is a temorary fix for
-+                * internal Enea Linux testing so that the same kernel can
-+                * be used on targets with both PG1.0 and PG1.1 silicon.
-+                * Another solution is to have different DTBs with hard
-+                * coded frequencies.*/
-+               if (freq == 1000000000) {
-+                       pr_warn("Keystone 2 EVM specific arch timer fix\n");
-+                       pr_warn("Set architected timer frequency to %u\n",
-+                               K2_PG1_AT_FREQ);
-+                       freq = K2_PG1_AT_FREQ;
-+               }
-+
-                /* Check the timer frequency. */
-                if (freq == 0) {
-                        pr_warn("Architected timer frequency not available\n");
-- 
-1.7.10.4
diff --git a/recipes-kernel/linux/files/disable_hw_checksum_offload.patch b/recipes-kernel/linux/files/disable_hw_checksum_offload.patch
deleted file mode 100644
index 4b318c1..0000000
--- a/recipes-kernel/linux/files/disable_hw_checksum_offload.patch
+++ /dev/null
@@ -1,19 +0,0 @@
-Temporarily disable HW checksum offload
-Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-Upstream-Status: Pending
-diff --git a/arch/arm/boot/dts/k2hk-evm.dts b/arch/arm/boot/dts/k2hk-evm.dts
-index 16cf335..7dc9665 100644
--- a/arch/arm/boot/dts/k2hk-evm.dts
-+++ b/arch/arm/boot/dts/k2hk-evm.dts
-@@ -2521,7 +2521,7 @@
-                        };
-                        pa: pa@2000000 {
-                                label = "keystone-pa";
-                               checksum-offload        = <1>; /* 1 - HW offload */
-+                               checksum-offload        = <2>;
-                                txhook-order            = <10>;
-                                txhook-softcsum         = <40>;
-                                rxhook-order            = <10>;