--- /dev/null
+From ff49bf1867578f23a5ffdd38f927f6e1e16796c4 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 6 Dec 2023 23:09:13 +0300
+Subject: net: 9p: avoid freeing uninit memory in p9pdu_vreadf
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit ff49bf1867578f23a5ffdd38f927f6e1e16796c4 upstream.
+
+If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
+the error path is not handled properly. *wnames or members of *wnames
+array may be left uninitialized and invalidly freed.
+
+Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
+*wnames array element to NULL and nullify the failing *wnames element so
+that the error path freeing loop stops on the first NULL element and
+doesn't proceed further.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Message-ID: <20231206200913.16135-1-pchelkin@ispras.ru>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/protocol.c | 17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -243,6 +243,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ uint16_t *nwname = va_arg(ap, uint16_t *);
+ char ***wnames = va_arg(ap, char ***);
+
++ *wnames = NULL;
++
+ errcode = p9pdu_readf(pdu, proto_version,
+ "w", nwname);
+ if (!errcode) {
+@@ -251,6 +253,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ GFP_NOFS);
+ if (!*wnames)
+ errcode = -ENOMEM;
++ else
++ (*wnames)[0] = NULL;
+ }
+
+ if (!errcode) {
+@@ -262,8 +266,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ proto_version,
+ "s",
+ &(*wnames)[i]);
+- if (errcode)
++ if (errcode) {
++ (*wnames)[i] = NULL;
+ break;
++ }
+ }
+ }
+
+@@ -271,11 +277,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ if (*wnames) {
+ int i;
+
+- for (i = 0; i < *nwname; i++)
++ for (i = 0; i < *nwname; i++) {
++ if (!(*wnames)[i])
++ break;
+ kfree((*wnames)[i]);
++ }
++ kfree(*wnames);
++ *wnames = NULL;
+ }
+- kfree(*wnames);
+- *wnames = NULL;
+ }
+ }
+ break;
--- /dev/null
+From 23484d817082c3005252d8edfc8292c8a1006b5b Mon Sep 17 00:00:00 2001
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Date: Thu, 7 Dec 2023 08:58:36 +0100
+Subject: net: rfkill: gpio: set GPIO direction
+
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+
+commit 23484d817082c3005252d8edfc8292c8a1006b5b upstream.
+
+Fix the undefined usage of the GPIO consumer API after retrieving the
+GPIO description with GPIO_ASIS. The API documentation mentions that
+GPIO_ASIS won't set a GPIO direction and requires the user to set a
+direction before using the GPIO.
+
+This can be confirmed on i.MX6 hardware, where rfkill-gpio is no longer
+able to enabled/disable a device, presumably because the GPIO controller
+was never configured for the output direction.
+
+Fixes: b2f750c3a80b ("net: rfkill: gpio: prevent value glitch during probe")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Link: https://msgid.link/20231207075835.3091694-1-r.czerwinski@pengutronix.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/rfkill-gpio.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -129,6 +129,14 @@ static int rfkill_gpio_probe(struct plat
+ return -EINVAL;
+ }
+
++ ret = gpiod_direction_output(rfkill->reset_gpio, true);
++ if (ret)
++ return ret;
++
++ ret = gpiod_direction_output(rfkill->shutdown_gpio, true);
++ if (ret)
++ return ret;
++
+ rfkill->rfkill_dev = rfkill_alloc(rfkill->name, &pdev->dev,
+ rfkill->type, &rfkill_gpio_ops,
+ rfkill);
projects / thirdparty / kernel / stable-queue.git / commitdiff
