From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 13 Jun 2022 07:43:46 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.9.318~49
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d2245d411733bc3c521e1f182d139fd738e828d7;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
	nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
	nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
---

diff --git a/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch b/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
new file mode 100644
index 00000000000..940a221e637
--- /dev/null
+++ b/queue-4.9/input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch
@@ -0,0 +1,55 @@
+From c42e65664390be7c1ef3838cd84956d3a2739d60 Mon Sep 17 00:00:00 2001
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+Date: Tue, 7 Jun 2022 12:11:33 -0700
+Subject: Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
+
+From: Mathias Nyman <mathias.nyman@linux.intel.com>
+
+commit c42e65664390be7c1ef3838cd84956d3a2739d60 upstream.
+
+The bcm5974 driver does the allocation and dma mapping of the usb urb
+data buffer, but driver does not set the URB_NO_TRANSFER_DMA_MAP flag
+to let usb core know the buffer is already mapped.
+
+usb core tries to map the already mapped buffer, causing a warning:
+"xhci_hcd 0000:00:14.0: rejecting DMA map of vmalloc memory"
+
+Fix this by setting the URB_NO_TRANSFER_DMA_MAP, letting usb core
+know buffer is already mapped by bcm5974 driver
+
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Cc: stable@vger.kernel.org
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215890
+Link: https://lore.kernel.org/r/20220606113636.588955-1-mathias.nyman@linux.intel.com
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/mouse/bcm5974.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/mouse/bcm5974.c
++++ b/drivers/input/mouse/bcm5974.c
+@@ -956,17 +956,22 @@ static int bcm5974_probe(struct usb_inte
+ 	if (!dev->tp_data)
+ 		goto err_free_bt_buffer;
+ 
+-	if (dev->bt_urb)
++	if (dev->bt_urb) {
+ 		usb_fill_int_urb(dev->bt_urb, udev,
+ 				 usb_rcvintpipe(udev, cfg->bt_ep),
+ 				 dev->bt_data, dev->cfg.bt_datalen,
+ 				 bcm5974_irq_button, dev, 1);
+ 
++		dev->bt_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++	}
++
+ 	usb_fill_int_urb(dev->tp_urb, udev,
+ 			 usb_rcvintpipe(udev, cfg->tp_ep),
+ 			 dev->tp_data, dev->cfg.tp_datalen,
+ 			 bcm5974_irq_trackpad, dev, 1);
+ 
++	dev->tp_urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
++
+ 	/* create bcm5974 device */
+ 	usb_make_path(udev, dev->phys, sizeof(dev->phys));
+ 	strlcat(dev->phys, "/input0", sizeof(dev->phys));
diff --git a/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch b/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
new file mode 100644
index 00000000000..999f28361e5
--- /dev/null
+++ b/queue-4.9/nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
@@ -0,0 +1,36 @@
+From 77e5fe8f176a525523ae091d6fd0fbb8834c156d Mon Sep 17 00:00:00 2001
+From: Martin Faltesek <mfaltesek@google.com>
+Date: Mon, 6 Jun 2022 21:57:27 -0500
+Subject: nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream.
+
+The first validation check for EVT_TRANSACTION has two different checks
+tied together with logical AND. One is a check for minimum packet length,
+and the other is for a valid aid_tag. If either condition is true (fails),
+then an error should be triggered.  The fix is to change && to ||.
+
+Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/se.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -320,7 +320,7 @@ int st21nfca_connectivity_event_received
+ 		 * AID		81	5 to 16
+ 		 * PARAMETERS	82	0 to 255
+ 		 */
+-		if (skb->len < NFC_MIN_AID_LENGTH + 2 &&
++		if (skb->len < NFC_MIN_AID_LENGTH + 2 ||
+ 		    skb->data[0] != NFC_EVT_TRANSACTION_AID_TAG)
+ 			return -EPROTO;
+ 
diff --git a/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch b/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
new file mode 100644
index 00000000000..cdadf767b99
--- /dev/null
+++ b/queue-4.9/nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
@@ -0,0 +1,59 @@
+From 996419e0594abb311fb958553809f24f38e7abbe Mon Sep 17 00:00:00 2001
+From: Martin Faltesek <mfaltesek@google.com>
+Date: Mon, 6 Jun 2022 21:57:28 -0500
+Subject: nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
+
+From: Martin Faltesek <mfaltesek@google.com>
+
+commit 996419e0594abb311fb958553809f24f38e7abbe upstream.
+
+Error paths do not free previously allocated memory. Add devm_kfree() to
+those failure paths.
+
+Fixes: 26fc6c7f02cb ("NFC: st21nfca: Add HCI transaction event support")
+Fixes: 4fbcc1a4cb20 ("nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION")
+Cc: stable@vger.kernel.org
+Signed-off-by: Martin Faltesek <mfaltesek@google.com>
+Reviewed-by: Guenter Roeck <groeck@chromium.org>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/st21nfca/se.c |   13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+--- a/drivers/nfc/st21nfca/se.c
++++ b/drivers/nfc/st21nfca/se.c
+@@ -332,22 +332,29 @@ int st21nfca_connectivity_event_received
+ 		transaction->aid_len = skb->data[1];
+ 
+ 		/* Checking if the length of the AID is valid */
+-		if (transaction->aid_len > sizeof(transaction->aid))
++		if (transaction->aid_len > sizeof(transaction->aid)) {
++			devm_kfree(dev, transaction);
+ 			return -EINVAL;
++		}
+ 
+ 		memcpy(transaction->aid, &skb->data[2],
+ 		       transaction->aid_len);
+ 
+ 		/* Check next byte is PARAMETERS tag (82) */
+ 		if (skb->data[transaction->aid_len + 2] !=
+-		    NFC_EVT_TRANSACTION_PARAMS_TAG)
++		    NFC_EVT_TRANSACTION_PARAMS_TAG) {
++			devm_kfree(dev, transaction);
+ 			return -EPROTO;
++		}
+ 
+ 		transaction->params_len = skb->data[transaction->aid_len + 3];
+ 
+ 		/* Total size is allocated (skb->len - 2) minus fixed array members */
+-		if (transaction->params_len > ((skb->len - 2) - sizeof(struct nfc_evt_transaction)))
++		if (transaction->params_len > ((skb->len - 2) -
++		    sizeof(struct nfc_evt_transaction))) {
++			devm_kfree(dev, transaction);
+ 			return -EINVAL;
++		}
+ 
+ 		memcpy(transaction->params, skb->data +
+ 		       transaction->aid_len + 4, transaction->params_len);
diff --git a/queue-4.9/series b/queue-4.9/series
index 9c82f302b9a..457df126482 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -159,3 +159,6 @@ vringh-fix-loop-descriptors-check-in-the-indirect-ca.patch
 alsa-hda-conexant-fix-loopback-issue-with-cx20632.patch
 cifs-return-errors-during-session-setup-during-reconnects.patch
 ata-libata-transport-fix-dma-pio-xfer-_mode-sysfs-files.patch
+nfc-st21nfca-fix-incorrect-validating-logic-in-evt_transaction.patch
+nfc-st21nfca-fix-memory-leaks-in-evt_transaction-handling.patch
+input-bcm5974-set-missing-urb_no_transfer_dma_map-urb-flag.patch