4.9-stable patches

added patches:
	input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
	nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
	nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch

diff --git a/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch b/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
new file mode 100644 (file)
index 0000000..940a221
--- /dev/null
+++ b/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
@@ -0,0 +1,55 @@
+From c42e65664390be7c1ef3838cd84956d3a2739d60 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 7 Jun 2022 12:11:33 -0700
+Subject: Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream.
+
+The bcm5974 driver does the allocation and dma mapping of the usb urb
+data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
+to let usb core know the buffer is already mapped.
+
+usb core tries to map the already mapped buffer, causing a warning:
+"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"
+
+Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
+know buffer is already mapped by bcm5974 driver
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
+Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/bcm5974.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/bcm5974.c
++++ b/drivers/input/mouse/bcm5974.c
+@@ -956,17 +956,22 @@ static int bcm5974_probe(struct usb_inte
+       if (!dev->tp_data)
+               goto err_free_bt_buffer;
+ 
+-      if (dev->bt_urb)
++      if (dev->bt_urb) {
+               usb_fill_int_urb(dev->bt_urb, udev,
+                                usb_rcvintpipe(udev, cfg->bt_ep),
+                                dev->bt_data, dev->cfg.bt_datalen,
+                                bcm5974_irq_button, dev, 1);
+ 
++              dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++      }
++
+       usb_fill_int_urb(dev->tp_urb, udev,
+                        usb_rcvintpipe(udev, cfg->tp_ep),
+                        dev->tp_data, dev->cfg.tp_datalen,
+                        bcm5974_irq_trackpad, dev, 1);
+ 
++      dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++
+       /* create bcm5974 device */
+       usb_make_path(udev, dev->phys, sizeof(dev->phys));
+       strlcat(dev->phys, "/input0", sizeof(dev->phys));

diff --git a/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch b/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
new file mode 100644 (file)
index 0000000..999f283
--- /dev/null
+++ b/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
@@ -0,0 +1,36 @@
+From 77e5fe8f176a525523ae091d6fd0fbb8834c156d Mon Sep 17 00:00:00 2001
+From: Martin Faltesek <mfaltesek@google.com>
+Date: Mon, 6 Jun 2022 21:57:27 -0500
+Subject: nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream.
+
+The first validation check for EVT_TRANSACTION has two different checks
+tied together with logical AND. One is a check for minimum packet length,
+and the other is for a valid aid_tag. If either condition is true (fails),
+then an error should be triggered.  The fix is to change && to ||.
+
+Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/se.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -320,7 +320,7 @@ int st21nfca_connectivity_event_received
+                * AID          81      5 to 16
+                * PARAMETERS   82      0 to 255
+                */
+-              if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
++              if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+                   skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+                       return -EPROTO;
+ 

diff --git a/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch b/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
new file mode 100644 (file)
index 0000000..cdadf76
--- /dev/null
+++ b/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
@@ -0,0 +1,59 @@
+From 996419e0594abb311fb958553809f24f38e7abbe Mon Sep 17 00:00:00 2001
+From: Martin Faltesek <mfaltesek@google.com>
+Date: Mon, 6 Jun 2022 21:57:28 -0500
+Subject: nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+commit 996419e0594abb311fb958553809f24f38e7abbe upstream.
+
+Error paths do not free previously allocated memory. Add devm_kfree() to
+those failure paths.
+
+Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
+Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/se.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -332,22 +332,29 @@ int st21nfca_connectivity_event_received
+               transaction->aid_len = skb->data[1];
+ 
+               /* Checking if the length of the AID is valid */
+-              if (transaction->aid_len > sizeof(transaction->aid))
++              if (transaction->aid_len > sizeof(transaction->aid)) {
++                      devm_kfree(dev, transaction);
+                       return -EINVAL;
++              }
+ 
+               memcpy(transaction->aid, &skb->data[2],
+                      transaction->aid_len);
+ 
+               /* Check next byte is PARAMETERS tag (82) */
+               if (skb->data[transaction->aid_len + 2] !=
+-                  NFC_EVT_TRANSACTION_PARAMS_TAG)
++                  NFC_EVT_TRANSACTION_PARAMS_TAG) {
++                      devm_kfree(dev, transaction);
+                       return -EPROTO;
++              }
+ 
+               transaction->params_len = skb->data[transaction->aid_len + 3];
+ 
+               /* Total size is allocated (skb->len - 2) minus fixed array members */
+-              if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
++              if (transaction->params_len > ((skb->len - 2) -
++                  sizeof(struct nfc_evt_transaction))) {
++                      devm_kfree(dev, transaction);
+                       return -EINVAL;
++              }
+ 
+               memcpy(transaction->params, skb->data +
+                      transaction->aid_len + 4, transaction->params_len);

diff --git a/queue-4.9/series b/queue-4.9/series
index 9c82f302b9af3fec3b55bc5cd48ba89667befb4f..457df126482af4d4bf60f72b8b46e7ffc63261f4 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -159,3 +159,6 @@ vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
 alsa-hda-conexant-fix-loopback-issue-with-cx20632.patch
 cifs-return-errors-during-session-setup-during-reconnects.patch
 ata-libata-transport-fix-dma-pio-xfer-_mode-sysfs-files.patch
+nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
+nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
+input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch