From f02a33e10cfc87cd995d7f18a602530a42c05187 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 5 Sep 2022 17:45:34 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
	staging-rtl8712-fix-use-after-free-bugs.patch
---
 ..._lpuart-rs485-rts-polariy-is-inverse.patch | 39 ++++++++++
 queue-4.9/series                              |  2 +
 ...ging-rtl8712-fix-use-after-free-bugs.patch | 75 +++++++++++++++++++
 3 files changed, 116 insertions(+)
 create mode 100644 queue-4.9/serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
 create mode 100644 queue-4.9/staging-rtl8712-fix-use-after-free-bugs.patch

diff --git a/queue-4.9/serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch b/queue-4.9/serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
new file mode 100644
index 00000000000..27d7d61d748
--- /dev/null
+++ b/queue-4.9/serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
@@ -0,0 +1,39 @@
+From 846651eca073e2e02e37490a4a52752415d84781 Mon Sep 17 00:00:00 2001
+From: Shenwei Wang <shenwei.wang@nxp.com>
+Date: Fri, 5 Aug 2022 09:45:29 -0500
+Subject: serial: fsl_lpuart: RS485 RTS polariy is inverse
+
+From: Shenwei Wang <shenwei.wang@nxp.com>
+
+commit 846651eca073e2e02e37490a4a52752415d84781 upstream.
+
+The setting of RS485 RTS polarity is inverse in the current driver.
+
+When the property of 'rs485-rts-active-low' is enabled in the dts node,
+the RTS signal should be LOW during sending. Otherwise, if there is no
+such a property, the RTS should be HIGH during sending.
+
+Fixes: 03895cf41d18 ("tty: serial: fsl_lpuart: Add support for RS-485")
+Cc: stable <stable@kernel.org>
+Signed-off-by: Nicolas Diaz <nicolas.diaz@nxp.com>
+Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
+Link: https://lore.kernel.org/r/20220805144529.604856-1-shenwei.wang@nxp.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/fsl_lpuart.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/tty/serial/fsl_lpuart.c
++++ b/drivers/tty/serial/fsl_lpuart.c
+@@ -951,9 +951,9 @@ static int lpuart_config_rs485(struct ua
+ 		 * Note: UART is assumed to be active high.
+ 		 */
+ 		if (rs485->flags & SER_RS485_RTS_ON_SEND)
+-			modem &= ~UARTMODEM_TXRTSPOL;
+-		else if (rs485->flags & SER_RS485_RTS_AFTER_SEND)
+ 			modem |= UARTMODEM_TXRTSPOL;
++		else if (rs485->flags & SER_RS485_RTS_AFTER_SEND)
++			modem &= ~UARTMODEM_TXRTSPOL;
+ 	}
+ 
+ 	/* Store the new configuration */
diff --git a/queue-4.9/series b/queue-4.9/series
index efb5a81ff4c..2dbe25ffbd8 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -1,3 +1,5 @@
 fbdev-fb_pm2fb-avoid-potential-divide-by-zero-error.patch
 platform-x86-pmc_atom-fix-slp_typx-bitfield-mask.patch
 wifi-cfg80211-debugfs-fix-return-type-in-ht40allow_m.patch
+serial-fsl_lpuart-rs485-rts-polariy-is-inverse.patch
+staging-rtl8712-fix-use-after-free-bugs.patch
diff --git a/queue-4.9/staging-rtl8712-fix-use-after-free-bugs.patch b/queue-4.9/staging-rtl8712-fix-use-after-free-bugs.patch
new file mode 100644
index 00000000000..e53a4f0f7b3
--- /dev/null
+++ b/queue-4.9/staging-rtl8712-fix-use-after-free-bugs.patch
@@ -0,0 +1,75 @@
+From e230a4455ac3e9b112f0367d1b8e255e141afae0 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 30 Aug 2022 17:55:07 +0300
+Subject: staging: rtl8712: fix use after free bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit e230a4455ac3e9b112f0367d1b8e255e141afae0 upstream.
+
+_Read/Write_MACREG callbacks are NULL so the read/write_macreg_hdl()
+functions don't do anything except free the "pcmd" pointer.  It
+results in a use after free.  Delete them.
+
+Fixes: 2865d42c78a9 ("staging: r8712u: Add the new driver to the mainline kernel")
+Cc: stable <stable@kernel.org>
+Reported-by: Zheng Wang <hackerzheng666@gmail.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/Yw4ASqkYcUhUfoY2@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/staging/rtl8712/rtl8712_cmd.c |   36 ----------------------------------
+ 1 file changed, 36 deletions(-)
+
+--- a/drivers/staging/rtl8712/rtl8712_cmd.c
++++ b/drivers/staging/rtl8712/rtl8712_cmd.c
+@@ -128,34 +128,6 @@ static void r871x_internal_cmd_hdl(struc
+ 	kfree(pdrvcmd->pbuf);
+ }
+ 
+-static u8 read_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
+-{
+-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
+-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
+-
+-	/*  invoke cmd->callback function */
+-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
+-	if (!pcmd_callback)
+-		r8712_free_cmd_obj(pcmd);
+-	else
+-		pcmd_callback(padapter, pcmd);
+-	return H2C_SUCCESS;
+-}
+-
+-static u8 write_macreg_hdl(struct _adapter *padapter, u8 *pbuf)
+-{
+-	void (*pcmd_callback)(struct _adapter *dev, struct cmd_obj	*pcmd);
+-	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
+-
+-	/*  invoke cmd->callback function */
+-	pcmd_callback = cmd_callback[pcmd->cmdcode].callback;
+-	if (!pcmd_callback)
+-		r8712_free_cmd_obj(pcmd);
+-	else
+-		pcmd_callback(padapter, pcmd);
+-	return H2C_SUCCESS;
+-}
+-
+ static u8 read_bbreg_hdl(struct _adapter *padapter, u8 *pbuf)
+ {
+ 	struct cmd_obj *pcmd  = (struct cmd_obj *)pbuf;
+@@ -224,14 +196,6 @@ static struct cmd_obj *cmd_hdl_filter(st
+ 	pcmd_r = NULL;
+ 
+ 	switch (pcmd->cmdcode) {
+-	case GEN_CMD_CODE(_Read_MACREG):
+-		read_macreg_hdl(padapter, (u8 *)pcmd);
+-		pcmd_r = pcmd;
+-		break;
+-	case GEN_CMD_CODE(_Write_MACREG):
+-		write_macreg_hdl(padapter, (u8 *)pcmd);
+-		pcmd_r = pcmd;
+-		break;
+ 	case GEN_CMD_CODE(_Read_BBREG):
+ 		read_bbreg_hdl(padapter, (u8 *)pcmd);
+ 		break;
-- 
2.47.2