From: Greg Kroah-Hartman Date: Sun, 27 Oct 2019 08:54:24 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.198~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a715ca7f74a9a2f51d52d4879d249fb9d846d331;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch cfg80211-wext-avoid-copying-malformed-ssids.patch drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch input-da9063-fix-capability-and-drop-key_sleep.patch mac80211-reject-malformed-ssid-elements.patch mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch scsi-core-try-to-get-module-before-removing-device.patch staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch --- diff --git a/queue-4.9/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch b/queue-4.9/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch new file mode 100644 index 00000000000..7b3353314d5 --- /dev/null +++ b/queue-4.9/asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch @@ -0,0 +1,42 @@ +From 22e58665a01006d05f0239621f7d41cacca96cc4 Mon Sep 17 00:00:00 2001 +From: Junya Monden +Date: Wed, 16 Oct 2019 14:42:55 +0200 +Subject: ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting + +From: Junya Monden + +commit 22e58665a01006d05f0239621f7d41cacca96cc4 upstream. + +Unlike other format-related DAI parameters, rdai->bit_clk_inv flag +is not properly re-initialized when setting format for new stream +processing. The inversion, if requested, is then applied not to default, +but to a previous value, which leads to SCKP bit in SSICR register being +set incorrectly. +Fix this by re-setting the flag to its initial value, determined by format. + +Fixes: 1a7889ca8aba3 ("ASoC: rsnd: fixup SND_SOC_DAIFMT_xB_xF behavior") +Cc: Andrew Gabbasov +Cc: Jiada Wang +Cc: Timo Wischer +Cc: stable@vger.kernel.org # v3.17+ +Signed-off-by: Junya Monden +Signed-off-by: Eugeniu Rosca +Acked-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/20191016124255.7442-1-erosca@de.adit-jv.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/sh/rcar/core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/sh/rcar/core.c ++++ b/sound/soc/sh/rcar/core.c +@@ -629,6 +629,7 @@ static int rsnd_soc_dai_set_fmt(struct s + } + + /* set format */ ++ rdai->bit_clk_inv = 0; + switch (fmt & SND_SOC_DAIFMT_FORMAT_MASK) { + case SND_SOC_DAIFMT_I2S: + rdai->sys_delay = 0; diff --git a/queue-4.9/cfg80211-wext-avoid-copying-malformed-ssids.patch b/queue-4.9/cfg80211-wext-avoid-copying-malformed-ssids.patch new file mode 100644 index 00000000000..8d61e512038 --- /dev/null +++ b/queue-4.9/cfg80211-wext-avoid-copying-malformed-ssids.patch @@ -0,0 +1,56 @@ +From 4ac2813cc867ae563a1ba5a9414bfb554e5796fa Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 4 Oct 2019 10:51:32 +0100 +Subject: cfg80211: wext: avoid copying malformed SSIDs + +From: Will Deacon + +commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream. + +Ensure the SSID element is bounds-checked prior to invoking memcpy() +with its length field, when copying to userspace. + +Cc: +Cc: Kees Cook +Reported-by: Nicolas Waisman +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org +[adjust commit log a bit] +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-sme.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/wireless/wext-sme.c ++++ b/net/wireless/wext-sme.c +@@ -224,6 +224,7 @@ int cfg80211_mgd_wext_giwessid(struct ne + struct iw_point *data, char *ssid) + { + struct wireless_dev *wdev = dev->ieee80211_ptr; ++ int ret = 0; + + /* call only for station! */ + if (WARN_ON(wdev->iftype != NL80211_IFTYPE_STATION)) +@@ -241,7 +242,10 @@ int cfg80211_mgd_wext_giwessid(struct ne + if (ie) { + data->flags = 1; + data->length = ie[1]; +- memcpy(ssid, ie + 2, data->length); ++ if (data->length > IW_ESSID_MAX_SIZE) ++ ret = -EINVAL; ++ else ++ memcpy(ssid, ie + 2, data->length); + } + rcu_read_unlock(); + } else if (wdev->wext.connect.ssid && wdev->wext.connect.ssid_len) { +@@ -251,7 +255,7 @@ int cfg80211_mgd_wext_giwessid(struct ne + } + wdev_unlock(wdev); + +- return 0; ++ return ret; + } + + int cfg80211_mgd_wext_siwap(struct net_device *dev, diff --git a/queue-4.9/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch b/queue-4.9/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch new file mode 100644 index 00000000000..ad44b90b6d4 --- /dev/null +++ b/queue-4.9/drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch @@ -0,0 +1,35 @@ +From 11bcf5f78905b90baae8fb01e16650664ed0cb00 Mon Sep 17 00:00:00 2001 +From: Kai-Heng Feng +Date: Tue, 2 Apr 2019 11:30:37 +0800 +Subject: drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 + +From: Kai-Heng Feng + +commit 11bcf5f78905b90baae8fb01e16650664ed0cb00 upstream. + +Another panel that needs 6BPC quirk. + +BugLink: https://bugs.launchpad.net/bugs/1819968 +Cc: # v4.8+ +Reviewed-by: Alex Deucher +Signed-off-by: Kai-Heng Feng +Signed-off-by: Alex Deucher +Link: https://patchwork.freedesktop.org/patch/msgid/20190402033037.21877-1-kai.heng.feng@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -160,6 +160,9 @@ static const struct edid_quirk { + /* Medion MD 30217 PG */ + { "MED", 0x7b8, EDID_QUIRK_PREFER_LARGE_75 }, + ++ /* Lenovo G50 */ ++ { "SDC", 18514, EDID_QUIRK_FORCE_6BPC }, ++ + /* Panel in Samsung NP700G7A-S01PL notebook reports 6bpc */ + { "SEC", 0xd033, EDID_QUIRK_FORCE_8BPC }, + diff --git a/queue-4.9/input-da9063-fix-capability-and-drop-key_sleep.patch b/queue-4.9/input-da9063-fix-capability-and-drop-key_sleep.patch new file mode 100644 index 00000000000..452815975c0 --- /dev/null +++ b/queue-4.9/input-da9063-fix-capability-and-drop-key_sleep.patch @@ -0,0 +1,41 @@ +From afce285b859cea91c182015fc9858ea58c26cd0e Mon Sep 17 00:00:00 2001 +From: Marco Felsch +Date: Mon, 16 Sep 2019 12:45:48 -0700 +Subject: Input: da9063 - fix capability and drop KEY_SLEEP + +From: Marco Felsch + +commit afce285b859cea91c182015fc9858ea58c26cd0e upstream. + +Since commit f889beaaab1c ("Input: da9063 - report KEY_POWER instead of +KEY_SLEEP during power key-press") KEY_SLEEP isn't supported anymore. This +caused input device to not generate any events if "dlg,disable-key-power" +is set. + +Fix this by unconditionally setting KEY_POWER capability, and not +declaring KEY_SLEEP. + +Fixes: f889beaaab1c ("Input: da9063 - report KEY_POWER instead of KEY_SLEEP during power key-press") +Signed-off-by: Marco Felsch +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/misc/da9063_onkey.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/input/misc/da9063_onkey.c ++++ b/drivers/input/misc/da9063_onkey.c +@@ -247,10 +247,7 @@ static int da9063_onkey_probe(struct pla + onkey->input->phys = onkey->phys; + onkey->input->dev.parent = &pdev->dev; + +- if (onkey->key_power) +- input_set_capability(onkey->input, EV_KEY, KEY_POWER); +- +- input_set_capability(onkey->input, EV_KEY, KEY_SLEEP); ++ input_set_capability(onkey->input, EV_KEY, KEY_POWER); + + INIT_DELAYED_WORK(&onkey->work, da9063_poll_on); + diff --git a/queue-4.9/mac80211-reject-malformed-ssid-elements.patch b/queue-4.9/mac80211-reject-malformed-ssid-elements.patch new file mode 100644 index 00000000000..f0414bcb768 --- /dev/null +++ b/queue-4.9/mac80211-reject-malformed-ssid-elements.patch @@ -0,0 +1,46 @@ +From 4152561f5da3fca92af7179dd538ea89e248f9d0 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 4 Oct 2019 10:51:31 +0100 +Subject: mac80211: Reject malformed SSID elements + +From: Will Deacon + +commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream. + +Although this shouldn't occur in practice, it's a good idea to bounds +check the length field of the SSID element prior to using it for things +like allocations or memcpy operations. + +Cc: +Cc: Kees Cook +Reported-by: Nicolas Waisman +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/mlme.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -2434,7 +2434,8 @@ struct sk_buff *ieee80211_ap_probereq_ge + + rcu_read_lock(); + ssid = ieee80211_bss_get_ie(cbss, WLAN_EID_SSID); +- if (WARN_ON_ONCE(ssid == NULL)) ++ if (WARN_ONCE(!ssid || ssid[1] > IEEE80211_MAX_SSID_LEN, ++ "invalid SSID element (len=%d)", ssid ? ssid[1] : -1)) + ssid_len = 0; + else + ssid_len = ssid[1]; +@@ -4691,7 +4692,7 @@ int ieee80211_mgd_assoc(struct ieee80211 + + rcu_read_lock(); + ssidie = ieee80211_bss_get_ie(req->bss, WLAN_EID_SSID); +- if (!ssidie) { ++ if (!ssidie || ssidie[1] > sizeof(assoc_data->ssid)) { + rcu_read_unlock(); + kfree(assoc_data); + return -EINVAL; diff --git a/queue-4.9/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch b/queue-4.9/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch new file mode 100644 index 00000000000..988f399ce43 --- /dev/null +++ b/queue-4.9/mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch @@ -0,0 +1,105 @@ +From b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 Mon Sep 17 00:00:00 2001 +From: Paul Burton +Date: Fri, 18 Oct 2019 15:38:48 -0700 +Subject: MIPS: tlbex: Fix build_restore_pagemask KScratch restore + +From: Paul Burton + +commit b42aa3fd5957e4daf4b69129e5ce752a2a53e7d6 upstream. + +build_restore_pagemask() will restore the value of register $1/$at when +its restore_scratch argument is non-zero, and aims to do so by filling a +branch delay slot. Commit 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 +-> mfc0 sequence.") added an EHB instruction (Execution Hazard Barrier) +prior to restoring $1 from a KScratch register, in order to resolve a +hazard that can result in stale values of the KScratch register being +observed. In particular, P-class CPUs from MIPS with out of order +execution pipelines such as the P5600 & P6600 are affected. + +Unfortunately this EHB instruction was inserted in the branch delay slot +causing the MFC0 instruction which performs the restoration to no longer +execute along with the branch. The result is that the $1 register isn't +actually restored, ie. the TLB refill exception handler clobbers it - +which is exactly the problem the EHB is meant to avoid for the P-class +CPUs. + +Similarly build_get_pgd_vmalloc() will restore the value of $1/$at when +its mode argument equals refill_scratch, and suffers from the same +problem. + +Fix this by in both cases moving the EHB earlier in the emitted code. +There's no reason it needs to immediately precede the MFC0 - it simply +needs to be between the MTC0 & MFC0. + +This bug only affects Cavium Octeon systems which use +build_fast_tlb_refill_handler(). + +Signed-off-by: Paul Burton +Fixes: 0b24cae4d535 ("MIPS: Add missing EHB in mtc0 -> mfc0 sequence.") +Cc: Dmitry Korotin +Cc: stable@vger.kernel.org # v3.15+ +Cc: linux-mips@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -661,6 +661,13 @@ static void build_restore_pagemask(u32 * + int restore_scratch) + { + if (restore_scratch) { ++ /* ++ * Ensure the MFC0 below observes the value written to the ++ * KScratch register by the prior MTC0. ++ */ ++ if (scratch_reg >= 0) ++ uasm_i_ehb(p); ++ + /* Reset default page size */ + if (PM_DEFAULT_MASK >> 16) { + uasm_i_lui(p, tmp, PM_DEFAULT_MASK >> 16); +@@ -675,12 +682,10 @@ static void build_restore_pagemask(u32 * + uasm_i_mtc0(p, 0, C0_PAGEMASK); + uasm_il_b(p, r, lid); + } +- if (scratch_reg >= 0) { +- uasm_i_ehb(p); ++ if (scratch_reg >= 0) + UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg); +- } else { ++ else + UASM_i_LW(p, 1, scratchpad_offset(0), 0); +- } + } else { + /* Reset default page size */ + if (PM_DEFAULT_MASK >> 16) { +@@ -922,6 +927,10 @@ build_get_pgd_vmalloc64(u32 **p, struct + } + if (mode != not_refill && check_for_high_segbits) { + uasm_l_large_segbits_fault(l, *p); ++ ++ if (mode == refill_scratch && scratch_reg >= 0) ++ uasm_i_ehb(p); ++ + /* + * We get here if we are an xsseg address, or if we are + * an xuseg address above (PGDIR_SHIFT+PGDIR_BITS) boundary. +@@ -938,12 +947,10 @@ build_get_pgd_vmalloc64(u32 **p, struct + uasm_i_jr(p, ptr); + + if (mode == refill_scratch) { +- if (scratch_reg >= 0) { +- uasm_i_ehb(p); ++ if (scratch_reg >= 0) + UASM_i_MFC0(p, 1, c0_kscratch(), scratch_reg); +- } else { ++ else + UASM_i_LW(p, 1, scratchpad_offset(0), 0); +- } + } else { + uasm_i_nop(p); + } diff --git a/queue-4.9/scsi-core-try-to-get-module-before-removing-device.patch b/queue-4.9/scsi-core-try-to-get-module-before-removing-device.patch new file mode 100644 index 00000000000..72b4b9e7902 --- /dev/null +++ b/queue-4.9/scsi-core-try-to-get-module-before-removing-device.patch @@ -0,0 +1,94 @@ +From 77c301287ebae86cc71d03eb3806f271cb14da79 Mon Sep 17 00:00:00 2001 +From: Yufen Yu +Date: Tue, 15 Oct 2019 21:05:56 +0800 +Subject: scsi: core: try to get module before removing device + +From: Yufen Yu + +commit 77c301287ebae86cc71d03eb3806f271cb14da79 upstream. + +We have a test case like block/001 in blktests, which will create a scsi +device by loading scsi_debug module and then try to delete the device by +sysfs interface. At the same time, it may remove the scsi_debug module. + +And getting a invalid paging request BUG_ON as following: + +[ 34.625854] BUG: unable to handle page fault for address: ffffffffa0016bb8 +[ 34.629189] Oops: 0000 [#1] SMP PTI +[ 34.629618] CPU: 1 PID: 450 Comm: bash Tainted: G W 5.4.0-rc3+ #473 +[ 34.632524] RIP: 0010:scsi_proc_hostdir_rm+0x5/0xa0 +[ 34.643555] CR2: ffffffffa0016bb8 CR3: 000000012cd88000 CR4: 00000000000006e0 +[ 34.644545] Call Trace: +[ 34.644907] scsi_host_dev_release+0x6b/0x1f0 +[ 34.645511] device_release+0x74/0x110 +[ 34.646046] kobject_put+0x116/0x390 +[ 34.646559] put_device+0x17/0x30 +[ 34.647041] scsi_target_dev_release+0x2b/0x40 +[ 34.647652] device_release+0x74/0x110 +[ 34.648186] kobject_put+0x116/0x390 +[ 34.648691] put_device+0x17/0x30 +[ 34.649157] scsi_device_dev_release_usercontext+0x2e8/0x360 +[ 34.649953] execute_in_process_context+0x29/0x80 +[ 34.650603] scsi_device_dev_release+0x20/0x30 +[ 34.651221] device_release+0x74/0x110 +[ 34.651732] kobject_put+0x116/0x390 +[ 34.652230] sysfs_unbreak_active_protection+0x3f/0x50 +[ 34.652935] sdev_store_delete.cold.4+0x71/0x8f +[ 34.653579] dev_attr_store+0x1b/0x40 +[ 34.654103] sysfs_kf_write+0x3d/0x60 +[ 34.654603] kernfs_fop_write+0x174/0x250 +[ 34.655165] __vfs_write+0x1f/0x60 +[ 34.655639] vfs_write+0xc7/0x280 +[ 34.656117] ksys_write+0x6d/0x140 +[ 34.656591] __x64_sys_write+0x1e/0x30 +[ 34.657114] do_syscall_64+0xb1/0x400 +[ 34.657627] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[ 34.658335] RIP: 0033:0x7f156f337130 + +During deleting scsi target, the scsi_debug module have been removed. Then, +sdebug_driver_template belonged to the module cannot be accessd, resulting +in scsi_proc_hostdir_rm() BUG_ON. + +To fix the bug, we add scsi_device_get() in sdev_store_delete() to try to +increase refcount of module, avoiding the module been removed. + +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20191015130556.18061-1-yuyufen@huawei.com +Signed-off-by: Yufen Yu +Reviewed-by: Bart Van Assche +Signed-off-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_sysfs.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_sysfs.c ++++ b/drivers/scsi/scsi_sysfs.c +@@ -710,6 +710,14 @@ sdev_store_delete(struct device *dev, st + const char *buf, size_t count) + { + struct kernfs_node *kn; ++ struct scsi_device *sdev = to_scsi_device(dev); ++ ++ /* ++ * We need to try to get module, avoiding the module been removed ++ * during delete. ++ */ ++ if (scsi_device_get(sdev)) ++ return -ENODEV; + + kn = sysfs_break_active_protection(&dev->kobj, &attr->attr); + WARN_ON_ONCE(!kn); +@@ -724,9 +732,10 @@ sdev_store_delete(struct device *dev, st + * state into SDEV_DEL. + */ + device_remove_file(dev, attr); +- scsi_remove_device(to_scsi_device(dev)); ++ scsi_remove_device(sdev); + if (kn) + sysfs_unbreak_active_protection(kn); ++ scsi_device_put(sdev); + return count; + }; + static DEVICE_ATTR(delete, S_IWUSR, NULL, sdev_store_delete); diff --git a/queue-4.9/series b/queue-4.9/series index c1dc9f0939b..dcc5749ec82 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -27,3 +27,11 @@ usb-serial-ti_usb_3410_5052-fix-port-close-races.patch usb-ldusb-fix-memleak-on-disconnect.patch usb-usblp-fix-use-after-free-on-disconnect.patch usb-ldusb-fix-read-info-leaks.patch +mips-tlbex-fix-build_restore_pagemask-kscratch-restore.patch +staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch +scsi-core-try-to-get-module-before-removing-device.patch +input-da9063-fix-capability-and-drop-key_sleep.patch +asoc-rsnd-reinitialize-bit-clock-inversion-flag-for-every-format-setting.patch +cfg80211-wext-avoid-copying-malformed-ssids.patch +mac80211-reject-malformed-ssid-elements.patch +drm-edid-add-6-bpc-quirk-for-sdc-panel-in-lenovo-g50.patch diff --git a/queue-4.9/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch b/queue-4.9/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch new file mode 100644 index 00000000000..fae5b73d87e --- /dev/null +++ b/queue-4.9/staging-wlan-ng-fix-exit-return-when-sme-key_idx-num_wepkeys.patch @@ -0,0 +1,40 @@ +From 153c5d8191c26165dbbd2646448ca7207f7796d0 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 14 Oct 2019 12:02:01 +0100 +Subject: staging: wlan-ng: fix exit return when sme->key_idx >= NUM_WEPKEYS + +From: Colin Ian King + +commit 153c5d8191c26165dbbd2646448ca7207f7796d0 upstream. + +Currently the exit return path when sme->key_idx >= NUM_WEPKEYS is via +label 'exit' and this checks if result is non-zero, however result has +not been initialized and contains garbage. Fix this by replacing the +goto with a return with the error code. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: 0ca6d8e74489 ("Staging: wlan-ng: replace switch-case statements with macro") +Signed-off-by: Colin Ian King +Cc: stable +Link: https://lore.kernel.org/r/20191014110201.9874-1-colin.king@canonical.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/wlan-ng/cfg80211.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/staging/wlan-ng/cfg80211.c ++++ b/drivers/staging/wlan-ng/cfg80211.c +@@ -489,10 +489,8 @@ static int prism2_connect(struct wiphy * + /* Set the encryption - we only support wep */ + if (is_wep) { + if (sme->key) { +- if (sme->key_idx >= NUM_WEPKEYS) { +- err = -EINVAL; +- goto exit; +- } ++ if (sme->key_idx >= NUM_WEPKEYS) ++ return -EINVAL; + + result = prism2_domibset_uint32(wlandev, + DIDmib_dot11smt_dot11PrivacyTable_dot11WEPDefaultKeyID, diff --git a/queue-4.9/usb-ldusb-fix-read-info-leaks.patch b/queue-4.9/usb-ldusb-fix-read-info-leaks.patch index 8ae02e49f1d..1a25d38bd61 100644 --- a/queue-4.9/usb-ldusb-fix-read-info-leaks.patch +++ b/queue-4.9/usb-ldusb-fix-read-info-leaks.patch @@ -30,8 +30,8 @@ Link: https://lore.kernel.org/r/20191018151955.25135-2-johan@kernel.org Signed-off-by: Greg Kroah-Hartman --- - drivers/usb/misc/ldusb.c | 13 ++++++++++--- - 1 file changed, 10 insertions(+), 3 deletions(-) + drivers/usb/misc/ldusb.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) --- a/drivers/usb/misc/ldusb.c +++ b/drivers/usb/misc/ldusb.c @@ -44,11 +44,13 @@ Signed-off-by: Greg Kroah-Hartman dev->interrupt_in_done = 0; spin_unlock_irq(&dev->rbsl); if (file->f_flags & O_NONBLOCK) { -@@ -479,11 +479,16 @@ static ssize_t ld_usb_read(struct file * +@@ -478,12 +478,17 @@ static ssize_t ld_usb_read(struct file * + retval = wait_event_interruptible(dev->read_wait, dev->interrupt_in_done); if (retval < 0) goto unlock_exit; - } else { +- } else { - spin_unlock_irq(&dev->rbsl); ++ + spin_lock_irq(&dev->rbsl); } + spin_unlock_irq(&dev->rbsl);