Merge tag 'driver-core-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core

Pull driver core fixes from Greg KH:
 "Here are two bugfixes for things reported.  One regression in kernfs,
  and another issue fixed in the LZ4 code that was fixed in the
  "upstream" codebase that solves a reported kernel crash

  Both have been in linux-next for a while"

* tag 'driver-core-4.0-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core:
  LZ4 : fix the data abort issue
  kernfs: handle poll correctly on 'direct_read' files.

2 files changed, 4 insertions, 0 deletions

diff --git a/fs/kernfs/file.c b/fs/kernfs/file.c
index b684e8a132e6..2bacb9988566 100644
--- a/fs/kernfs/file.c
+++ b/fs/kernfs/file.c
@@ -207,6 +207,7 @@ static ssize_t kernfs_file_direct_read(struct kernfs_open_file *of,
                 goto out_free;
         }
 
+        of->event = atomic_read(&of->kn->attr.open->event);
         ops = kernfs_ops(of->kn);
         if (ops->read)
                 len = ops->read(of, buf, len, *ppos);
diff --git a/lib/lz4/lz4_decompress.c b/lib/lz4/lz4_decompress.c
index 7a85967060a5..f0f5c5c3de12 100644
--- a/lib/lz4/lz4_decompress.c
+++ b/lib/lz4/lz4_decompress.c
@@ -139,6 +139,9 @@ static int lz4_uncompress(const char *source, char *dest, int osize)
                         /* Error: request to write beyond destination buffer */
                         if (cpy > oend)
                                 goto _output_error;
+                        if ((ref + COPYLENGTH) > oend ||
+                                        (op + COPYLENGTH) > oend)
+                                goto _output_error;
                         LZ4_SECURECOPY(ref, op, (oend - COPYLENGTH));
                         while (op < cpy)
                                 *op++ = *ref++;