From d7ff4603d5794f1d017dd9725cb6d6835db6ac29 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 27 Dec 2021 12:24:43 +0100 Subject: [PATCH] 4.14-stable patches added patches: alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch alsa-jack-check-the-return-value-of-kstrdup.patch input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch --- ...s-opl3-fix-incorrect-use-of-vp-state.patch | 37 ++++++++++++++++++ ...ck-check-the-return-value-of-kstrdup.patch | 33 ++++++++++++++++ ...x-double-free-in-mxt_read_info_block.patch | 39 +++++++++++++++++++ queue-4.14/series | 3 ++ 4 files changed, 112 insertions(+) create mode 100644 queue-4.14/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch create mode 100644 queue-4.14/alsa-jack-check-the-return-value-of-kstrdup.patch create mode 100644 queue-4.14/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch diff --git a/queue-4.14/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch b/queue-4.14/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch new file mode 100644 index 00000000000..3f3f8467044 --- /dev/null +++ b/queue-4.14/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch @@ -0,0 +1,37 @@ +From 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Sun, 12 Dec 2021 17:20:25 +0000 +Subject: ALSA: drivers: opl3: Fix incorrect use of vp->state + +From: Colin Ian King + +commit 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 upstream. + +Static analysis with scan-build has found an assignment to vp2 that is +never used. It seems that the check on vp->state > 0 should be actually +on vp2->state instead. Fix this. + +This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git, +commit 91e39521bbf6 ("[PATCH] ALSA patch for 2.5.4") + +Signed-off-by: Colin Ian King +Cc: +Link: https://lore.kernel.org/r/20211212172025.470367-1-colin.i.king@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/drivers/opl3/opl3_midi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/drivers/opl3/opl3_midi.c ++++ b/sound/drivers/opl3/opl3_midi.c +@@ -415,7 +415,7 @@ void snd_opl3_note_on(void *p, int note, + } + if (instr_4op) { + vp2 = &opl3->voices[voice + 3]; +- if (vp->state > 0) { ++ if (vp2->state > 0) { + opl3_reg = reg_side | (OPL3_REG_KEYON_BLOCK + + voice_offset + 3); + reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT; diff --git a/queue-4.14/alsa-jack-check-the-return-value-of-kstrdup.patch b/queue-4.14/alsa-jack-check-the-return-value-of-kstrdup.patch new file mode 100644 index 00000000000..0a3ec0d07c0 --- /dev/null +++ b/queue-4.14/alsa-jack-check-the-return-value-of-kstrdup.patch @@ -0,0 +1,33 @@ +From c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 Mon Sep 17 00:00:00 2001 +From: Xiaoke Wang +Date: Mon, 13 Dec 2021 15:39:31 +0800 +Subject: ALSA: jack: Check the return value of kstrdup() + +From: Xiaoke Wang + +commit c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 upstream. + +kstrdup() can return NULL, it is better to check the return value of it. + +Signed-off-by: Xiaoke Wang +Cc: +Link: https://lore.kernel.org/r/tencent_094816F3522E0DC704056C789352EBBF0606@qq.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/jack.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -234,6 +234,10 @@ int snd_jack_new(struct snd_card *card, + return -ENOMEM; + + jack->id = kstrdup(id, GFP_KERNEL); ++ if (jack->id == NULL) { ++ kfree(jack); ++ return -ENOMEM; ++ } + + /* don't creat input device for phantom jack */ + if (!phantom_jack) { diff --git a/queue-4.14/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch b/queue-4.14/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch new file mode 100644 index 00000000000..07e490c4f34 --- /dev/null +++ b/queue-4.14/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch @@ -0,0 +1,39 @@ +From 12f247ab590a08856441efdbd351cf2cc8f60a2d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= +Date: Sun, 12 Dec 2021 21:01:49 -0800 +Subject: Input: atmel_mxt_ts - fix double free in mxt_read_info_block +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: José Expósito + +commit 12f247ab590a08856441efdbd351cf2cc8f60a2d upstream. + +The "id_buf" buffer is stored in "data->raw_info_block" and freed by +"mxt_free_object_table" in case of error. + +Return instead of jumping to avoid a double free. + +Addresses-Coverity-ID: 1474582 ("Double free") +Fixes: 068bdb67ef74 ("Input: atmel_mxt_ts - fix the firmware update") +Signed-off-by: José Expósito +Link: https://lore.kernel.org/r/20211212194257.68879-1-jose.exposito89@gmail.com +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/touchscreen/atmel_mxt_ts.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/input/touchscreen/atmel_mxt_ts.c ++++ b/drivers/input/touchscreen/atmel_mxt_ts.c +@@ -1768,7 +1768,7 @@ static int mxt_read_info_block(struct mx + if (error) { + dev_err(&client->dev, "Error %d parsing object table\n", error); + mxt_free_object_table(data); +- goto err_free_mem; ++ return error; + } + + data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START); diff --git a/queue-4.14/series b/queue-4.14/series index ed9cb07e09f..d90f4b4e2de 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -12,3 +12,6 @@ fjes-check-for-error-irq.patch drivers-net-smc911x-check-for-error-irq.patch sfc-falcon-check-null-pointer-of-rx_queue-page_ring.patch hwmon-lm90-fix-usage-of-config2-register-in-detect-f.patch +alsa-jack-check-the-return-value-of-kstrdup.patch +alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch +input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch -- 2.47.2