From e8ba0b317696c49753665905bf498b20c352dc08 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Sat, 27 Nov 2021 14:13:02 +0100 Subject: [PATCH] 5.15-stable patches added patches: alsa-ctxfi-fix-out-of-range-access.patch alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch binder-fix-test-regression-due-to-sender_euid-change.patch fuse-release-pipe-buf-after-last-use.patch hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch media-cec-copy-sequence-field-for-the-reply.patch revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch staging-fbtft-fix-backlight.patch staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch staging-r8188eu-use-gfp_atomic-under-spinlock.patch staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch --- .../alsa-ctxfi-fix-out-of-range-access.patch | 181 ++++++++++++++++++ ...ek-add-quirk-for-asrock-nuc-box-1100.patch | 86 +++++++++ ...realtek-fix-led-on-hp-probook-435-g7.patch | 31 +++ ...regression-due-to-sender_euid-change.patch | 37 ++++ ...fuse-release-pipe-buf-after-last-use.patch | 50 +++++ ...o-prevent-reporting-invalid-contacts.patch | 81 ++++++++ ...ec-copy-sequence-field-for-the-reply.patch | 34 ++++ ...to-always-include-init-funtion-names.patch | 59 ++++++ queue-5.15/series | 15 ++ queue-5.15/staging-fbtft-fix-backlight.patch | 94 +++++++++ ...ng-rwsem-around-snd_ctl_remove-calls.patch | 38 ++++ ...u-fix-a-memory-leak-in-rtw_wx_read32.patch | 49 +++++ ...-introduced-when-5g-code-was-removed.patch | 46 +++++ ...8188eu-use-gfp_atomic-under-spinlock.patch | 39 ++++ ...oc-with-gfp_atomic-in-atomic-context.patch | 52 +++++ ...after-free-in-_rtl92e_pci_disconnect.patch | 39 ++++ 16 files changed, 931 insertions(+) create mode 100644 queue-5.15/alsa-ctxfi-fix-out-of-range-access.patch create 
mode 100644 queue-5.15/alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch create mode 100644 queue-5.15/alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch create mode 100644 queue-5.15/binder-fix-test-regression-due-to-sender_euid-change.patch create mode 100644 queue-5.15/fuse-release-pipe-buf-after-last-use.patch create mode 100644 queue-5.15/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch create mode 100644 queue-5.15/media-cec-copy-sequence-field-for-the-reply.patch create mode 100644 queue-5.15/revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch create mode 100644 queue-5.15/staging-fbtft-fix-backlight.patch create mode 100644 queue-5.15/staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch create mode 100644 queue-5.15/staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch create mode 100644 queue-5.15/staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch create mode 100644 queue-5.15/staging-r8188eu-use-gfp_atomic-under-spinlock.patch create mode 100644 queue-5.15/staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch create mode 100644 queue-5.15/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch diff --git a/queue-5.15/alsa-ctxfi-fix-out-of-range-access.patch b/queue-5.15/alsa-ctxfi-fix-out-of-range-access.patch new file mode 100644 index 00000000000..9a63c09a8b3 --- /dev/null +++ b/queue-5.15/alsa-ctxfi-fix-out-of-range-access.patch 
@@ -0,0 +1,181 @@ +From 76c47183224c86e4011048b80f0e2d0d166f01c2 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 18 Nov 2021 22:57:29 +0100 +Subject: ALSA: ctxfi: Fix out-of-range access + +From: Takashi Iwai + +commit 76c47183224c86e4011048b80f0e2d0d166f01c2 upstream. + +The master and next_conj of rcs_ops are used for iterating the +resource list entries, and currently those are supposed to return the +current value. The problem is that next_conf may go over the last +entry before the loop abort condition is evaluated, and it may return +the "current" value that is beyond the array size. It was caught +recently as a GPF, for example. + +Those return values are, however, never actually evaluated, hence +basically we don't have to consider the current value as the return at +all. By dropping those return values, the potential out-of-range +access above is also fixed automatically. + +This patch changes the return type of master and next_conj callbacks +to void and drop the superfluous code accordingly. 
+ +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214985 +Cc: +Link: https://lore.kernel.org/r/20211118215729.26257-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/ctxfi/ctamixer.c | 14 ++++++-------- + sound/pci/ctxfi/ctdaio.c | 16 ++++++++-------- + sound/pci/ctxfi/ctresource.c | 7 +++---- + sound/pci/ctxfi/ctresource.h | 4 ++-- + sound/pci/ctxfi/ctsrc.c | 7 +++---- + 5 files changed, 22 insertions(+), 26 deletions(-) + +--- a/sound/pci/ctxfi/ctamixer.c ++++ b/sound/pci/ctxfi/ctamixer.c +@@ -23,16 +23,15 @@ + + #define BLANK_SLOT 4094 + +-static int amixer_master(struct rsc *rsc) ++static void amixer_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct amixer, rsc)->idx[0]; + } + +-static int amixer_next_conj(struct rsc *rsc) ++static void amixer_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct amixer, rsc)->idx[rsc->conj]; + } + + static int amixer_index(const struct rsc *rsc) +@@ -331,16 +330,15 @@ int amixer_mgr_destroy(struct amixer_mgr + + /* SUM resource management */ + +-static int sum_master(struct rsc *rsc) ++static void sum_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct sum, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct sum, rsc)->idx[0]; + } + +-static int sum_next_conj(struct rsc *rsc) ++static void sum_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct sum, rsc)->idx[rsc->conj]; + } + + static int sum_index(const struct rsc *rsc) +--- a/sound/pci/ctxfi/ctdaio.c ++++ b/sound/pci/ctxfi/ctdaio.c +@@ -51,12 +51,12 @@ static const struct daio_rsc_idx idx_20k + [SPDIFIO] = {.left = 0x05, .right = 0x85}, + }; + +-static int daio_master(struct rsc *rsc) ++static void daio_master(struct rsc *rsc) + { + /* Actually, this is not the resource index of DAIO. + * For DAO, it is the input mapper index. 
And, for DAI, + * it is the output time-slot index. */ +- return rsc->conj = rsc->idx; ++ rsc->conj = rsc->idx; + } + + static int daio_index(const struct rsc *rsc) +@@ -64,19 +64,19 @@ static int daio_index(const struct rsc * + return rsc->conj; + } + +-static int daio_out_next_conj(struct rsc *rsc) ++static void daio_out_next_conj(struct rsc *rsc) + { +- return rsc->conj += 2; ++ rsc->conj += 2; + } + +-static int daio_in_next_conj_20k1(struct rsc *rsc) ++static void daio_in_next_conj_20k1(struct rsc *rsc) + { +- return rsc->conj += 0x200; ++ rsc->conj += 0x200; + } + +-static int daio_in_next_conj_20k2(struct rsc *rsc) ++static void daio_in_next_conj_20k2(struct rsc *rsc) + { +- return rsc->conj += 0x100; ++ rsc->conj += 0x100; + } + + static const struct rsc_ops daio_out_rsc_ops = { +--- a/sound/pci/ctxfi/ctresource.c ++++ b/sound/pci/ctxfi/ctresource.c +@@ -109,18 +109,17 @@ static int audio_ring_slot(const struct + return (rsc->conj << 4) + offset_in_audio_slot_block[rsc->type]; + } + +-static int rsc_next_conj(struct rsc *rsc) ++static void rsc_next_conj(struct rsc *rsc) + { + unsigned int i; + for (i = 0; (i < 8) && (!(rsc->msr & (0x1 << i))); ) + i++; + rsc->conj += (AUDIO_SLOT_BLOCK_NUM >> i); +- return rsc->conj; + } + +-static int rsc_master(struct rsc *rsc) ++static void rsc_master(struct rsc *rsc) + { +- return rsc->conj = rsc->idx; ++ rsc->conj = rsc->idx; + } + + static const struct rsc_ops rsc_generic_ops = { +--- a/sound/pci/ctxfi/ctresource.h ++++ b/sound/pci/ctxfi/ctresource.h +@@ -39,8 +39,8 @@ struct rsc { + }; + + struct rsc_ops { +- int (*master)(struct rsc *rsc); /* Move to master resource */ +- int (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */ ++ void (*master)(struct rsc *rsc); /* Move to master resource */ ++ void (*next_conj)(struct rsc *rsc); /* Move to next conjugate resource */ + int (*index)(const struct rsc *rsc); /* Return the index of resource */ + /* Return the output slot number */ + int 
(*output_slot)(const struct rsc *rsc); +--- a/sound/pci/ctxfi/ctsrc.c ++++ b/sound/pci/ctxfi/ctsrc.c +@@ -590,16 +590,15 @@ int src_mgr_destroy(struct src_mgr *src_ + + /* SRCIMP resource manager operations */ + +-static int srcimp_master(struct rsc *rsc) ++static void srcimp_master(struct rsc *rsc) + { + rsc->conj = 0; +- return rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0]; ++ rsc->idx = container_of(rsc, struct srcimp, rsc)->idx[0]; + } + +-static int srcimp_next_conj(struct rsc *rsc) ++static void srcimp_next_conj(struct rsc *rsc) + { + rsc->conj++; +- return container_of(rsc, struct srcimp, rsc)->idx[rsc->conj]; + } + + static int srcimp_index(const struct rsc *rsc) diff --git a/queue-5.15/alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch b/queue-5.15/alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch new file mode 100644 index 00000000000..9b892063d63 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch 
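Review bot: After this change amixer_next_conj(), sum_next_conj() and srcimp_next_conj() still increment `rsc->conj` with no bound, so the out-of-range read is avoided only while no caller invokes the matching `index` callback once `conj` has stepped past the last `idx[]` entry. The bodies of amixer_index(), sum_index() and srcimp_index() are outside the hunks, so how they use `conj` cannot be confirmed here; if they read `idx[rsc->conj]`, that contract should be written down. I would extend the member comment in `struct rsc_ops` in ctresource.h, e.g. `/* Move to next conjugate resource; may leave conj one past the last entry, check the loop bound before calling index() */`.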
@@ -0,0 +1,86 @@ +From 174a7fb3859ae75b0f0e35ef852459d8882b55b5 Mon Sep 17 00:00:00 2001 +From: Werner Sembach +Date: Fri, 12 Nov 2021 12:07:04 +0100 +Subject: ALSA: hda/realtek: Add quirk for ASRock NUC Box 1100 + +From: Werner Sembach + +commit 174a7fb3859ae75b0f0e35ef852459d8882b55b5 upstream. + +This applies a SND_PCI_QUIRK(...) to the ASRock NUC Box 1100 series. This +fixes the issue of the headphone jack not being detected unless warm +rebooted from a certain other OS. + +When booting a certain other OS some coeff settings are changed that enable +the audio jack. These settings are preserved on a warm reboot and can be +easily dumped. + +The relevant indexes and values where gathered by naively diff-ing and +reading a working and a non-working coeff dump. + +Signed-off-by: Werner Sembach +Cc: +Link: https://lore.kernel.org/r/20211112110704.1022501-1-wse@tuxedocomputers.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6521,6 +6521,27 @@ static void alc256_fixup_tongfang_reset_ + alc_write_coef_idx(codec, 0x45, 0x5089); + } + ++static const struct coef_fw alc233_fixup_no_audio_jack_coefs[] = { ++ WRITE_COEF(0x1a, 0x9003), WRITE_COEF(0x1b, 0x0e2b), WRITE_COEF(0x37, 0xfe06), ++ WRITE_COEF(0x38, 0x4981), WRITE_COEF(0x45, 0xd489), WRITE_COEF(0x46, 0x0074), ++ WRITE_COEF(0x49, 0x0149), ++ {} ++}; ++ ++static void alc233_fixup_no_audio_jack(struct hda_codec *codec, ++ const struct hda_fixup *fix, ++ int action) ++{ ++ /* ++ * The audio jack input and output is not detected on the ASRock NUC Box ++ * 1100 series when cold booting without this fix. Warm rebooting from a ++ * certain other OS makes the audio functional, as COEF settings are ++ * preserved in this case. This fix sets these altered COEF values as ++ * the default. 
++ */ ++ alc_process_coef_fw(codec, alc233_fixup_no_audio_jack_coefs); ++} ++ + enum { + ALC269_FIXUP_GPIO2, + ALC269_FIXUP_SONY_VAIO, +@@ -6740,6 +6761,7 @@ enum { + ALC287_FIXUP_13S_GEN2_SPEAKERS, + ALC256_FIXUP_TONGFANG_RESET_PERSISTENT_SETTINGS, + ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE, ++ ALC233_FIXUP_NO_AUDIO_JACK, + }; + + static const struct hda_fixup alc269_fixups[] = { +@@ -8460,6 +8482,10 @@ static const struct hda_fixup alc269_fix + .chained = true, + .chain_id = ALC269_FIXUP_HEADSET_MODE_NO_HP_MIC, + }, ++ [ALC233_FIXUP_NO_AUDIO_JACK] = { ++ .type = HDA_FIXUP_FUNC, ++ .v.func = alc233_fixup_no_audio_jack, ++ }, + }; + + static const struct snd_pci_quirk alc269_fixup_tbl[] = { +@@ -8894,6 +8920,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x17aa, 0x511e, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x511f, "Thinkpad", ALC298_FIXUP_TPT470_DOCK), + SND_PCI_QUIRK(0x17aa, 0x9e54, "LENOVO NB", ALC269_FIXUP_LENOVO_EAPD), ++ SND_PCI_QUIRK(0x1849, 0x1233, "ASRock NUC Box 1100", ALC233_FIXUP_NO_AUDIO_JACK), + SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS), + SND_PCI_QUIRK(0x1b35, 0x1235, "CZC B20", ALC269_FIXUP_CZC_B20), + SND_PCI_QUIRK(0x1b35, 0x1236, "CZC TMI", ALC269_FIXUP_CZC_TMI), diff --git a/queue-5.15/alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch b/queue-5.15/alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch new file mode 100644 index 00000000000..79149ffe570 --- /dev/null +++ b/queue-5.15/alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch 
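Review bot: alc233_fixup_no_audio_jack() never looks at its `action` argument, so `alc_process_coef_fw(codec, alc233_fixup_no_audio_jack_coefs)` runs on every fixup stage the core invokes it for rather than at one defined point. If only initialisation is intended, a guard such as `if (action != HDA_FIXUP_ACT_INIT) return;` ahead of the call would state that; if the writes are needed at other stages too, the block comment should say so. According to the description the seven COEF index/value pairs were obtained by comparing register dumps, so a one-line comment above the table recording that origin would help whoever has to change them later.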
@@ -0,0 +1,31 @@
+From 05ec7161084565365ecf267e9909a897a95f243a Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 18 Nov 2021 08:16:36 +0100
+Subject: ALSA: hda/realtek: Fix LED on HP ProBook 435 G7
+
+From: Takashi Iwai
+
+commit 05ec7161084565365ecf267e9909a897a95f243a upstream.
+
+HP ProBook 435 G7 (SSID 103c:8735) needs the similar quirk as another
+HP ProBook for enabling the mute and the mic-mute LEDs.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=215021
+Cc:
+Link: https://lore.kernel.org/r/20211118071636.14738-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8665,6 +8665,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x8728, "HP EliteBook 840 G7", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8729, "HP", ALC285_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x8730, "HP ProBook 445 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
++ SND_PCI_QUIRK(0x103c, 0x8735, "HP ProBook 435 G7", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+ SND_PCI_QUIRK(0x103c, 0x8760, "HP", ALC285_FIXUP_HP_MUTE_LED),
+ SND_PCI_QUIRK(0x103c, 0x877a, "HP", ALC285_FIXUP_HP_MUTE_LED),
diff --git a/queue-5.15/binder-fix-test-regression-due-to-sender_euid-change.patch b/queue-5.15/binder-fix-test-regression-due-to-sender_euid-change.patch
new file mode 100644
index 00000000000..ed760b0a8c1
--- /dev/null
+++ b/queue-5.15/binder-fix-test-regression-due-to-sender_euid-change.patch
@@ -0,0 +1,37 @@
+From c21a80ca0684ec2910344d72556c816cb8940c01 Mon Sep 17 00:00:00 2001
+From: Todd Kjos
+Date: Fri, 12 Nov 2021 10:07:20 -0800
+Subject: binder: fix test regression due to sender_euid change
+
+From: Todd Kjos
+
+commit c21a80ca0684ec2910344d72556c816cb8940c01 upstream.
+
+This is a partial revert of commit
+29bc22ac5e5b ("binder: use euid from cred instead of using task").
+Setting sender_euid using proc->cred caused some Android system test
+regressions that need further investigation. It is a partial
+reversion because subsequent patches rely on proc->cred.
+
+Fixes: 29bc22ac5e5b ("binder: use euid from cred instead of using task")
+Cc: stable@vger.kernel.org # 4.4+
+Acked-by: Christian Brauner
+Signed-off-by: Todd Kjos
+Change-Id: I9b1769a3510fed250bb21859ef8beebabe034c66
+Link: https://lore.kernel.org/r/20211112180720.2858135-1-tkjos@google.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/android/binder.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/android/binder.c
++++ b/drivers/android/binder.c
+@@ -2710,7 +2710,7 @@ static void binder_transaction(struct bi
+ t->from = thread;
+ else
+ t->from = NULL;
+- t->sender_euid = proc->cred->euid;
++ t->sender_euid = task_euid(proc->tsk);
+ t->to_proc = target_proc;
+ t->to_thread = target_thread;
+ t->code = tr->code;
diff --git a/queue-5.15/fuse-release-pipe-buf-after-last-use.patch b/queue-5.15/fuse-release-pipe-buf-after-last-use.patch
new file mode 100644
index 00000000000..563ce6fd1ed
--- /dev/null
+++ b/queue-5.15/fuse-release-pipe-buf-after-last-use.patch
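Review bot: In the binder.c hunk of this queued patch, `t->sender_euid = task_euid(proc->tsk);` goes back to sampling the effective UID from the live task at transaction time, while the description says later patches keep relying on `proc->cred`, so the identity a receiver sees in `sender_euid` and the credentials used elsewhere can come from two different sources. The line carries no marker that this is a deliberate, temporary revert, so I would add a comment above it such as `/* Partial revert: task_euid() kept until the Android test regressions seen with proc->cred->euid are understood */`. Receivers that authorise callers on `sender_euid` should be treated as depending on the task's current euid until that follow-up lands. binder_transaction() starts and ends outside the hunk, so whether `proc->tsk` can have changed credentials by this point is not visible here.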
@@ -0,0 +1,50 @@
+From 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 Mon Sep 17 00:00:00 2001
+From: Miklos Szeredi
+Date: Thu, 25 Nov 2021 14:05:18 +0100
+Subject: fuse: release pipe buf after last use
+
+From: Miklos Szeredi
+
+commit 473441720c8616dfaf4451f9c7ea14f0eb5e5d65 upstream.
+
+Checking buf->flags should be done before the pipe_buf_release() is called
+on the pipe buffer, since releasing the buffer might modify the flags.
+
+This is exactly what page_cache_pipe_buf_release() does, and which results
+in the same VM_BUG_ON_PAGE(PageLRU(page)) that the original patch was
+trying to fix.
+
+Reported-by: Justin Forbes
+Fixes: 712a951025c0 ("fuse: fix page stealing")
+Cc: # v2.6.35
+Signed-off-by: Miklos Szeredi
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/fuse/dev.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/fs/fuse/dev.c
++++ b/fs/fuse/dev.c
+@@ -847,17 +847,17 @@ static int fuse_try_move_page(struct fus
+
+ replace_page_cache_page(oldpage, newpage);
+
++ get_page(newpage);
++
++ if (!(buf->flags & PIPE_BUF_FLAG_LRU))
++ lru_cache_add(newpage);
++
+ /*
+ * Release while we have extra ref on stolen page. Otherwise
+ * anon_pipe_buf_release() might think the page can be reused.
+ */
+ pipe_buf_release(cs->pipe, buf);
+
+- get_page(newpage);
+-
+- if (!(buf->flags & PIPE_BUF_FLAG_LRU))
+- lru_cache_add(newpage);
+-
+ err = 0;
+ spin_lock(&cs->req->waitq.lock);
+ if (test_bit(FR_ABORTED, &cs->req->flags))
diff --git a/queue-5.15/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch b/queue-5.15/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch
new file mode 100644
index 00000000000..cc709540c23
--- /dev/null
+++ b/queue-5.15/hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch
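Review bot: The reordered block in fuse_try_move_page() now depends on `buf->flags` being read before `pipe_buf_release(cs->pipe, buf)`, but nothing at the `PIPE_BUF_FLAG_LRU` test says so, and the surviving comment only explains the extra page reference. Since the description states that releasing the buffer may modify the flags, a short comment above the `if`, such as `/* read buf->flags before pipe_buf_release(); the release may change them */`, would keep a later cleanup from moving the check back below the release. Any further use of `buf` after the release in the part of the function outside this hunk deserves the same look.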
@@ -0,0 +1,81 @@ +From 7fb0413baa7f8a04caef0c504df9af7e0623d296 Mon Sep 17 00:00:00 2001 +From: Jason Gerecke +Date: Mon, 8 Nov 2021 16:31:01 -0800 +Subject: HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts + +From: Jason Gerecke + +commit 7fb0413baa7f8a04caef0c504df9af7e0623d296 upstream. + +The HID descriptor of many of Wacom's touch input devices include a +"Confidence" usage that signals if a particular touch collection contains +useful data. The driver does not look at this flag, however, which causes +even invalid contacts to be reported to userspace. A lucky combination of +kernel event filtering and device behavior (specifically: contact ID 0 == +invalid, contact ID >0 == valid; and order all data so that all valid +contacts are reported before any invalid contacts) spare most devices from +any visibly-bad behavior. + +The DTH-2452 is one example of an unlucky device that misbehaves. It uses +ID 0 for both the first valid contact and all invalid contacts. Because +we report both the valid and invalid contacts, the kernel reports that +contact 0 first goes down (valid) and then goes up (invalid) in every +report. This causes ~100 clicks per second simply by touching the screen. + +This patch inroduces new `confidence` flag in our `hid_data` structure. +The value is initially set to `true` at the start of a report and can be +set to `false` if an invalid touch usage is seen. 
+ +Link: https://github.com/linuxwacom/input-wacom/issues/270 +Fixes: f8b6a74719b5 ("HID: wacom: generic: Support multiple tools per report") +Signed-off-by: Jason Gerecke +Tested-by: Joshua Dickens +Cc: +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/wacom_wac.c | 8 +++++++- + drivers/hid/wacom_wac.h | 1 + + 2 files changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/hid/wacom_wac.c ++++ b/drivers/hid/wacom_wac.c +@@ -2603,6 +2603,9 @@ static void wacom_wac_finger_event(struc + return; + + switch (equivalent_usage) { ++ case HID_DG_CONFIDENCE: ++ wacom_wac->hid_data.confidence = value; ++ break; + case HID_GD_X: + wacom_wac->hid_data.x = value; + break; +@@ -2635,7 +2638,8 @@ static void wacom_wac_finger_event(struc + } + + if (usage->usage_index + 1 == field->report_count) { +- if (equivalent_usage == wacom_wac->hid_data.last_slot_field) ++ if (equivalent_usage == wacom_wac->hid_data.last_slot_field && ++ wacom_wac->hid_data.confidence) + wacom_wac_finger_slot(wacom_wac, wacom_wac->touch_input); + } + } +@@ -2653,6 +2657,8 @@ static void wacom_wac_finger_pre_report( + + wacom_wac->is_invalid_bt_frame = false; + ++ hid_data->confidence = true; ++ + for (i = 0; i < report->maxfield; i++) { + struct hid_field *field = report->field[i]; + int j; +--- a/drivers/hid/wacom_wac.h ++++ b/drivers/hid/wacom_wac.h +@@ -301,6 +301,7 @@ struct hid_data { + bool barrelswitch; + bool barrelswitch2; + bool serialhi; ++ bool confidence; + int x; + int y; + int pressure; diff --git a/queue-5.15/media-cec-copy-sequence-field-for-the-reply.patch b/queue-5.15/media-cec-copy-sequence-field-for-the-reply.patch new file mode 100644 index 00000000000..6e06bbc971f --- /dev/null +++ b/queue-5.15/media-cec-copy-sequence-field-for-the-reply.patch 
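Review bot: In wacom_wac_finger_event(), the new `&& wacom_wac->hid_data.confidence` condition skips wacom_wac_finger_slot() entirely for a contact flagged as not confident, so a contact that was reported down in an earlier report and then loses confidence would presumably never have its release reported; wacom_wac_finger_slot() is outside the hunk, so this needs checking there. `confidence` is also reset to `true` only in wacom_wac_finger_pre_report(), so in a report carrying several contacts a `false` from one collection carries over to the next unless that collection has its own HID_DG_CONFIDENCE usage ahead of `last_slot_field`. Resetting the flag once the slot decision has been made, e.g. `wacom_wac->hid_data.confidence = true;` after the inner `if`, would make the per-contact scope explicit.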
@@ -0,0 +1,34 @@
+From 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 Mon Sep 17 00:00:00 2001
+From: Hans Verkuil
+Date: Tue, 2 Nov 2021 12:24:26 +0000
+Subject: media: cec: copy sequence field for the reply
+
+From: Hans Verkuil
+
+commit 13cbaa4c2b7bf9f8285e1164d005dbf08244ecd5 upstream.
+
+When the reply for a non-blocking transmit arrives, the sequence
+field for that reply was never filled in, so userspace would have no
+way of associating the reply to the original transmit.
+
+Copy the sequence field to ensure that this is now possible.
+
+Signed-off-by: Hans Verkuil
+Fixes: 0dbacebede1e ([media] cec: move the CEC framework out of staging and to media)
+Cc:
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/media/cec/core/cec-adap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/media/cec/core/cec-adap.c
++++ b/drivers/media/cec/core/cec-adap.c
+@@ -1199,6 +1199,7 @@ void cec_received_msg_ts(struct cec_adap
+ if (abort)
+ dst->rx_status |= CEC_RX_STATUS_FEATURE_ABORT;
+ msg->flags = dst->flags;
++ msg->sequence = dst->sequence;
+ /* Remove it from the wait_queue */
+ list_del_init(&data->list);
+
diff --git a/queue-5.15/revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch b/queue-5.15/revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch
new file mode 100644
index 00000000000..a2a611ee870
--- /dev/null
+++ b/queue-5.15/revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch
@@ -0,0 +1,59 @@ +From 98400ad75e95860e9a10ec78b0b90ab66184a2ce Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sun, 21 Nov 2021 11:10:55 +0100 +Subject: Revert "parisc: Fix backtrace to always include init funtion names" + +From: Helge Deller + +commit 98400ad75e95860e9a10ec78b0b90ab66184a2ce upstream. + +This reverts commit 279917e27edc293eb645a25428c6ab3f3bca3f86. + +With the CONFIG_HARDENED_USERCOPY option enabled, this patch triggers +kernel bugs at runtime: + + usercopy: Kernel memory overwrite attempt detected to kernel text (offset 2084839, size 6)! + kernel BUG at mm/usercopy.c:99! + Backtrace: + IAOQ[0]: usercopy_abort+0xc4/0xe8 + [<00000000406ed1c8>] __check_object_size+0x174/0x238 + [<00000000407086d4>] copy_strings.isra.0+0x3e8/0x708 + [<0000000040709a20>] do_execveat_common.isra.0+0x1bc/0x328 + [<000000004070b760>] compat_sys_execve+0x7c/0xb8 + [<0000000040303eb8>] syscall_exit+0x0/0x14 + +The problem is, that we have an init section of at least 2MB size which +starts at _stext and is freed after bootup. + +If then later some kernel data is (temporarily) stored in this free +memory, check_kernel_text_object() will trigger a bug since the data +appears to be inside the kernel text (>=_stext) area: + if (overlaps(ptr, len, _stext, _etext)) + usercopy_abort("kernel text"); + +Signed-off-by: Helge Deller +Cc: stable@kernel.org # 5.4+ +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/vmlinux.lds.S | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/parisc/kernel/vmlinux.lds.S ++++ b/arch/parisc/kernel/vmlinux.lds.S +@@ -57,8 +57,6 @@ SECTIONS + { + . 
= KERNEL_BINARY_TEXT_START; + +- _stext = .; /* start of kernel text, includes init code & data */ +- + __init_begin = .; + HEAD_TEXT_SECTION + MLONGCALL_DISCARD(INIT_TEXT_SECTION(8)) +@@ -82,6 +80,7 @@ SECTIONS + /* freed after init ends here */ + + _text = .; /* Text and read-only data */ ++ _stext = .; + MLONGCALL_KEEP(INIT_TEXT_SECTION(8)) + .text ALIGN(PAGE_SIZE) : { + TEXT_TEXT diff --git a/queue-5.15/series b/queue-5.15/series index 44829f0f583..dc15388f764 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -18,3 +18,18 @@ usb-typec-fusb302-fix-masking-of-comparator-and-bc_lvl-interrupts.patch usb-xhci-tegra-check-padctrl-interrupt-presence-in-device-tree.patch usb-hub-fix-usb-enumeration-issue-due-to-address0-race.patch usb-hub-fix-locking-issues-with-address0_mutex.patch +binder-fix-test-regression-due-to-sender_euid-change.patch +alsa-ctxfi-fix-out-of-range-access.patch +alsa-hda-realtek-add-quirk-for-asrock-nuc-box-1100.patch +alsa-hda-realtek-fix-led-on-hp-probook-435-g7.patch +media-cec-copy-sequence-field-for-the-reply.patch +revert-parisc-fix-backtrace-to-always-include-init-funtion-names.patch +hid-wacom-use-confidence-flag-to-prevent-reporting-invalid-contacts.patch +staging-fbtft-fix-backlight.patch +staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch +staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch +staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch +staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch +staging-r8188eu-use-gfp_atomic-under-spinlock.patch +staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch +fuse-release-pipe-buf-after-last-use.patch diff --git a/queue-5.15/staging-fbtft-fix-backlight.patch b/queue-5.15/staging-fbtft-fix-backlight.patch new file mode 100644 index 00000000000..6f55922435b --- /dev/null +++ b/queue-5.15/staging-fbtft-fix-backlight.patch 
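Review bot: The re-added `_stext = .;` after `_text = .;` in vmlinux.lds.S has lost its comment, and its position is exactly what this revert is about: the description shows check_kernel_text_object() treating everything from `_stext` to `_etext` as kernel text, so `_stext` has to stay behind the init section that is freed after boot. I would put `/* start of kernel text; must not cover the freed init section (hardened usercopy checks _stext.._etext) */` on that line so the symbol is not moved back up by a later cleanup.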
@@ -0,0 +1,94 @@ +From 7865dd24934ad580d1bcde8f63c39f324211a23b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Noralf=20Tr=C3=B8nnes?= +Date: Fri, 5 Nov 2021 21:43:58 +0100 +Subject: staging/fbtft: Fix backlight +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Noralf Trønnes + +commit 7865dd24934ad580d1bcde8f63c39f324211a23b upstream. + +Commit b4a1ed0cd18b ("fbdev: make FB_BACKLIGHT a tristate") forgot to +update fbtft breaking its backlight support when FB_BACKLIGHT is a module. + +Since FB_TFT selects FB_BACKLIGHT there's no need for this conditional +so just remove it and we're good. + +Fixes: b4a1ed0cd18b ("fbdev: make FB_BACKLIGHT a tristate") +Cc: +Acked-by: Sam Ravnborg +Signed-off-by: Noralf Trønnes +Link: https://lore.kernel.org/r/20211105204358.2991-1-noralf@tronnes.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fbtft/fb_ssd1351.c | 4 ---- + drivers/staging/fbtft/fbtft-core.c | 9 +-------- + 2 files changed, 1 insertion(+), 12 deletions(-) + +--- a/drivers/staging/fbtft/fb_ssd1351.c ++++ b/drivers/staging/fbtft/fb_ssd1351.c +@@ -187,7 +187,6 @@ static struct fbtft_display display = { + }, + }; + +-#ifdef CONFIG_FB_BACKLIGHT + static int update_onboard_backlight(struct backlight_device *bd) + { + struct fbtft_par *par = bl_get_data(bd); +@@ -231,9 +230,6 @@ static void register_onboard_backlight(s + if (!par->fbtftops.unregister_backlight) + par->fbtftops.unregister_backlight = fbtft_unregister_backlight; + } +-#else +-static void register_onboard_backlight(struct fbtft_par *par) { }; +-#endif + + FBTFT_REGISTER_DRIVER(DRVNAME, "solomon,ssd1351", &display); + +--- a/drivers/staging/fbtft/fbtft-core.c ++++ b/drivers/staging/fbtft/fbtft-core.c +@@ -128,7 +128,6 @@ static int fbtft_request_gpios(struct fb + return 0; + } + +-#ifdef CONFIG_FB_BACKLIGHT + static int fbtft_backlight_update_status(struct backlight_device *bd) + { + struct fbtft_par *par = bl_get_data(bd); +@@ -161,6 +160,7 @@ void 
fbtft_unregister_backlight(struct f + par->info->bl_dev = NULL; + } + } ++EXPORT_SYMBOL(fbtft_unregister_backlight); + + static const struct backlight_ops fbtft_bl_ops = { + .get_brightness = fbtft_backlight_get_brightness, +@@ -198,12 +198,7 @@ void fbtft_register_backlight(struct fbt + if (!par->fbtftops.unregister_backlight) + par->fbtftops.unregister_backlight = fbtft_unregister_backlight; + } +-#else +-void fbtft_register_backlight(struct fbtft_par *par) { }; +-void fbtft_unregister_backlight(struct fbtft_par *par) { }; +-#endif + EXPORT_SYMBOL(fbtft_register_backlight); +-EXPORT_SYMBOL(fbtft_unregister_backlight); + + static void fbtft_set_addr_win(struct fbtft_par *par, int xs, int ys, int xe, + int ye) +@@ -853,13 +848,11 @@ int fbtft_register_framebuffer(struct fb + fb_info->fix.smem_len >> 10, text1, + HZ / fb_info->fbdefio->delay, text2); + +-#ifdef CONFIG_FB_BACKLIGHT + /* Turn on backlight if available */ + if (fb_info->bl_dev) { + fb_info->bl_dev->props.power = FB_BLANK_UNBLANK; + fb_info->bl_dev->ops->update_status(fb_info->bl_dev); + } +-#endif + + return 0; + diff --git a/queue-5.15/staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch b/queue-5.15/staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch new file mode 100644 index 00000000000..f1bb6afb7c8 --- /dev/null +++ b/queue-5.15/staging-greybus-add-missing-rwsem-around-snd_ctl_remove-calls.patch 
@@ -0,0 +1,38 @@
+From ffcf7ae90f4489047d7b076539ba207024dea5f6 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 16 Nov 2021 08:20:27 +0100
+Subject: staging: greybus: Add missing rwsem around snd_ctl_remove() calls
+
+From: Takashi Iwai
+
+commit ffcf7ae90f4489047d7b076539ba207024dea5f6 upstream.
+
+snd_ctl_remove() has to be called with card->controls_rwsem held (when
+called after the card instantiation). This patch adds the missing
+rwsem calls around it.
+
+Fixes: 510e340efe0c ("staging: greybus: audio: Add helper APIs for dynamic audio modules")
+Cc: stable
+Signed-off-by: Takashi Iwai
+Link: https://lore.kernel.org/r/20211116072027.18466-1-tiwai@suse.de
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/greybus/audio_helper.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/greybus/audio_helper.c
++++ b/drivers/staging/greybus/audio_helper.c
+@@ -192,7 +192,11 @@ int gbaudio_remove_component_controls(st
+ unsigned int num_controls)
+ {
+ struct snd_card *card = component->card->snd_card;
++ int err;
+
+- return gbaudio_remove_controls(card, component->dev, controls,
+- num_controls, component->name_prefix);
++ down_write(&card->controls_rwsem);
++ err = gbaudio_remove_controls(card, component->dev, controls,
++ num_controls, component->name_prefix);
++ up_write(&card->controls_rwsem);
++ return err;
+ }
diff --git a/queue-5.15/staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch b/queue-5.15/staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch
new file mode 100644
index 00000000000..8880b0aa6f6
--- /dev/null
+++ b/queue-5.15/staging-r8188eu-fix-a-memory-leak-in-rtw_wx_read32.patch
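Review bot: gbaudio_remove_component_controls() now takes `card->controls_rwsem` for writing around gbaudio_remove_controls(), but the helper itself gives no sign that it must be called with the semaphore held, so another caller can repeat the original mistake. The helper's body is outside this hunk; if it is the place that calls snd_ctl_remove(), a `lockdep_assert_held_write(&card->controls_rwsem);` at its top, or at least a comment stating the locking rule, would make the requirement checkable. The description limits the rule to calls made after card instantiation, which is worth stating in that comment as well.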
@@ -0,0 +1,49 @@
+From be4ea8f383551b9dae11b8dfff1f38b3b5436e9a Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 9 Nov 2021 14:49:36 +0300
+Subject: staging: r8188eu: fix a memory leak in rtw_wx_read32()
+
+From: Dan Carpenter
+
+commit be4ea8f383551b9dae11b8dfff1f38b3b5436e9a upstream.
+
+Free "ptmp" before returning -EINVAL.
+
+Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20211109114935.GC16587@kili
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/r8188eu/os_dep/ioctl_linux.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
++++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+@@ -2061,6 +2061,7 @@ static int rtw_wx_read32(struct net_devi
+ u32 data32;
+ u32 bytes;
+ u8 *ptmp;
++ int ret;
+
+ padapter = (struct adapter *)rtw_netdev_priv(dev);
+ p = &wrqu->data;
+@@ -2093,12 +2094,17 @@ static int rtw_wx_read32(struct net_devi
+ break;
+ default:
+ DBG_88E(KERN_INFO "%s: usage> read [bytes],[address(hex)]\n", __func__);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto err_free_ptmp;
+ }
+ DBG_88E(KERN_INFO "%s: addr = 0x%08X data =%s\n", __func__, addr, extra);
+
+ kfree(ptmp);
+ return 0;
++
++err_free_ptmp:
++ kfree(ptmp);
++ return ret;
+ }
+
+ static int rtw_wx_write32(struct net_device *dev,
diff --git a/queue-5.15/staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch b/queue-5.15/staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch
new file mode 100644
index 00000000000..17eaf9ee13a
--- /dev/null
+++ b/queue-5.15/staging-r8188eu-fix-breakage-introduced-when-5g-code-was-removed.patch
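Review bot: The fix in rtw_wx_read32() leaves two exits that each call `kfree(ptmp)`, and `ret` is assigned only on the error branch, so any return path added later has to remember both. Declaring `int ret = 0;` and letting the success path fall through to a single label (`out: kfree(ptmp); return ret;`) keeps the free in one place. The start of the function is outside the hunks, so returns taken before `ptmp` is allocated are not covered by this remark.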
@@ -0,0 +1,46 @@
+From d5f0b804368951b6b4a77d2f14b5bb6a04b0e011 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Sun, 7 Nov 2021 11:35:43 -0600
+Subject: staging: r8188eu: Fix breakage introduced when 5G code was removed
+
+From: Larry Finger
+
+commit d5f0b804368951b6b4a77d2f14b5bb6a04b0e011 upstream.
+
+In commit 221abd4d478a ("staging: r8188eu: Remove no more necessary definitions
+and code"), two entries were removed from RTW_ChannelPlanMap[], but not replaced
+with zeros. The position within this table is important, thus the patch broke
+systems operating in regulatory domains osted later than entry 0x13 in the table.
+Unfortunately, the FCC entry comes before that point and most testers did not see
+this problem.
+
+Fixes: 221abd4d478a ("staging: r8188eu: Remove no more necessary definitions and code")
+Cc: Stable # v5.5+
+Reported-and-tested-by: Zameer Manji
+Reported-by: kernel test robot
+Reviewed-by: Phillip Potter
+Signed-off-by: Larry Finger
+Link: https://lore.kernel.org/r/20211107173543.7486-1-Larry.Finger@lwfinger.net
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/r8188eu/core/rtw_mlme_ext.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c
++++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
+@@ -104,6 +104,7 @@ static struct rt_channel_plan_map RTW_Ch
+ {0x01}, /* 0x10, RT_CHANNEL_DOMAIN_JAPAN */
+ {0x02}, /* 0x11, RT_CHANNEL_DOMAIN_FCC_NO_DFS */
+ {0x01}, /* 0x12, RT_CHANNEL_DOMAIN_JAPAN_NO_DFS */
++ {0x00}, /* 0x13 */
+ {0x02}, /* 0x14, RT_CHANNEL_DOMAIN_TAIWAN_NO_DFS */
+ {0x00}, /* 0x15, RT_CHANNEL_DOMAIN_ETSI_NO_DFS */
+ {0x00}, /* 0x16, RT_CHANNEL_DOMAIN_KOREA_NO_DFS */
+@@ -115,6 +116,7 @@ static struct rt_channel_plan_map RTW_Ch
+ {0x00}, /* 0x1C, */
+ {0x00}, /* 0x1D, */
+ {0x00}, /* 0x1E, */
++ {0x00}, /* 0x1F, */
+ /* 0x20 ~ 0x7F , New Define ===== */
+ {0x00}, /* 0x20, RT_CHANNEL_DOMAIN_WORLD_NULL */
+ {0x01}, /* 0x21, RT_CHANNEL_DOMAIN_ETSI1_NULL */
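Review bot: RTW_ChannelPlanMap[] is still indexed purely by row position, with the index living only in the trailing comments, so the two placeholder rows at 0x13 and 0x1F fix this shift but nothing stops the next cleanup from causing another one silently. Designated initializers such as `[0x13] = {0x00},` and `[0x1F] = {0x00},` would make the index part of the code, and a compile-time check of ARRAY_SIZE(RTW_ChannelPlanMap) against the expected entry count would turn a dropped row into a build failure. Going by the description, a shifted table maps a regulatory domain to the wrong channel plan, which is why the layout is worth enforcing rather than commenting. The table begins and ends outside both inner hunks.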
diff --git a/queue-5.15/staging-r8188eu-use-gfp_atomic-under-spinlock.patch b/queue-5.15/staging-r8188eu-use-gfp_atomic-under-spinlock.patch
new file mode 100644
index 00000000000..281291f7924
--- /dev/null
+++ b/queue-5.15/staging-r8188eu-use-gfp_atomic-under-spinlock.patch
@@ -0,0 +1,39 @@
+From 4a293eaf92a510ff688dc7b3f0815221f99c9d1b Mon Sep 17 00:00:00 2001
+From: Michael Straube
+Date: Mon, 8 Nov 2021 11:55:37 +0100
+Subject: staging: r8188eu: use GFP_ATOMIC under spinlock
+
+From: Michael Straube
+
+commit 4a293eaf92a510ff688dc7b3f0815221f99c9d1b upstream.
+
+In function rtw_report_sec_ie() kzalloc() is called under a spinlock,
+so the allocation have to be atomic.
+
+Call tree:
+
+-> rtw_select_and_join_from_scanned_queue() <- takes a spinlock
+ -> rtw_joinbss_cmd()
+ -> rtw_restruct_sec_ie()
+ -> rtw_report_sec_ie()
+
+Fixes: 2b42bd58b321 ("staging: r8188eu: introduce new os_dep dir for RTL8188eu driver")
+Cc: stable
+Signed-off-by: Michael Straube
+Link: https://lore.kernel.org/r/20211108105537.31655-1-straube.linux@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/r8188eu/os_dep/mlme_linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/r8188eu/os_dep/mlme_linux.c
++++ b/drivers/staging/r8188eu/os_dep/mlme_linux.c
+@@ -114,7 +114,7 @@ void rtw_report_sec_ie(struct adapter *a
+
+ buff = NULL;
+ if (authmode == _WPA_IE_ID_) {
+- buff = kzalloc(IW_CUSTOM_MAX, GFP_KERNEL);
++ buff = kzalloc(IW_CUSTOM_MAX, GFP_ATOMIC);
+ if (!buff)
+ return;
+ p = buff;
diff --git a/queue-5.15/staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch b/queue-5.15/staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch
new file mode 100644
index 00000000000..5766ac80ad6
--- /dev/null
+++ b/queue-5.15/staging-r8188eu-use-kzalloc-with-gfp_atomic-in-atomic-context.patch
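Review bot: Nothing at the allocation site in rtw_report_sec_ie() says why GFP_ATOMIC is required; per the call tree in the description the spinlock is taken three frames up in rtw_select_and_join_from_scanned_queue(), so a later cleanup could plausibly switch the flag back to GFP_KERNEL. I would add above the kzalloc() the comment `/* reached with a spinlock held via rtw_joinbss_cmd(); must not sleep */`. The same applies to the two kzalloc() calls in report_del_sta_event() changed by the next patch in this series. Both functions extend beyond their hunks, so other sleeping calls on these paths are not visible here.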
@@ -0,0 +1,52 @@
+From c15a059f85de49c542e6ec2464967dd2b2aa18f6 Mon Sep 17 00:00:00 2001
+From: "Fabio M. De Francesco"
+Date: Mon, 1 Nov 2021 20:18:47 +0100
+Subject: staging: r8188eu: Use kzalloc() with GFP_ATOMIC in atomic context
+
+From: Fabio M. De Francesco
+
+commit c15a059f85de49c542e6ec2464967dd2b2aa18f6 upstream.
+
+Use the GFP_ATOMIC flag of kzalloc() with two memory allocation in
+report_del_sta_event(). This function is called while holding spinlocks,
+therefore it is not allowed to sleep. With the GFP_ATOMIC type flag, the
+allocation is high priority and must not sleep.
+
+This issue is detected by Smatch which emits the following warning:
+"drivers/staging/r8188eu/core/rtw_mlme_ext.c:6848 report_del_sta_event()
+warn: sleeping in atomic context".
+
+After the change, the post-commit hook output the following message:
+"CHECK: Prefer kzalloc(sizeof(*pcmd_obj)...) over
+kzalloc(sizeof(struct cmd_obj)...)".
+
+According to the above "CHECK", use the preferred style in the first
+kzalloc().
+
+Fixes: 79f712ea994d ("staging: r8188eu: Remove wrappers for kalloc() and kzalloc()")
+Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver")
+Signed-off-by: Fabio M. De Francesco
+Link: https://lore.kernel.org/r/20211101191847.6749-1-fmdefrancesco@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Cc: stable
+---
+ drivers/staging/r8188eu/core/rtw_mlme_ext.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/r8188eu/core/rtw_mlme_ext.c
++++ b/drivers/staging/r8188eu/core/rtw_mlme_ext.c
+@@ -7080,12 +7080,12 @@ void report_del_sta_event(struct adapter
+ struct mlme_ext_priv *pmlmeext = &padapter->mlmeextpriv;
+ struct cmd_priv *pcmdpriv = &padapter->cmdpriv;
+
+- pcmd_obj = kzalloc(sizeof(struct cmd_obj), GFP_KERNEL);
++ pcmd_obj = kzalloc(sizeof(*pcmd_obj), GFP_ATOMIC);
+ if (!pcmd_obj)
+ return;
+
+ cmdsz = (sizeof(struct stadel_event) + sizeof(struct C2HEvent_Header));
+- pevtcmd = kzalloc(cmdsz, GFP_KERNEL);
++ pevtcmd = kzalloc(cmdsz, GFP_ATOMIC);
+ if (!pevtcmd) {
+ kfree(pcmd_obj);
+ return;
diff --git a/queue-5.15/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch b/queue-5.15/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
new file mode 100644
index 00000000000..cbe97c1e23b
--- /dev/null
+++ b/queue-5.15/staging-rtl8192e-fix-use-after-free-in-_rtl92e_pci_disconnect.patch
@@ -0,0 +1,39 @@
+From b535917c51acc97fb0761b1edec85f1f3d02bda4 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Wed, 17 Nov 2021 10:20:16 +0300
+Subject: staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
+
+From: Dan Carpenter
+
+commit b535917c51acc97fb0761b1edec85f1f3d02bda4 upstream.
+
+The free_rtllib() function frees the "dev" pointer so there is use
+after free on the next line. Re-arrange things to avoid that.
+
+Fixes: 66898177e7e5 ("staging: rtl8192e: Fix unload/reload problem")
+Cc: stable
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20211117072016.GA5237@kili
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
++++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+@@ -2549,13 +2549,14 @@ static void _rtl92e_pci_disconnect(struc
+ free_irq(dev->irq, dev);
+ priv->irq = 0;
+ }
+- free_rtllib(dev);
+
+ if (dev->mem_start != 0) {
+ iounmap((void __iomem *)dev->mem_start);
+ release_mem_region(pci_resource_start(pdev, 1),
+ pci_resource_len(pdev, 1));
+ }
++
++ free_rtllib(dev);
+ }
+
+ pci_disable_device(pdev);
-- 2.47.2
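Review bot: The requirement that free_rtllib(dev) be the last statement to touch dev in _rtl92e_pci_disconnect() is now met but not written down, and it is exactly the kind of ordering a later edit to the teardown block can break again. I would put `/* free_rtllib() frees dev: nothing after this may dereference dev */` directly above the moved call. priv is written earlier in the same block (`priv->irq = 0`); if priv is storage inside dev, which this hunk does not show, it has the same lifetime and the comment should name it too. The function starts before the hunk and continues past it.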