4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Oct 2021 11:31:56 +0000 (13:31 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 18 Oct 2021 11:31:56 +0000 (13:31 +0200)
added patches:
drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch
nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch
nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch
nfc-fix-error-handling-of-nfc_proto_register.patch
pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch
r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch

queue-4.4/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch [new file with mode: 0644]
queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch [new file with mode: 0644]
queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch [new file with mode: 0644]
queue-4.4/nfc-fix-error-handling-of-nfc_proto_register.patch [new file with mode: 0644]
queue-4.4/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch [new file with mode: 0644]
queue-4.4/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch b/queue-4.4/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch
new file mode 100644 (file)
index 0000000..69478b7
--- /dev/null
@@ -0,0 +1,44 @@
+From 2133c4fc8e1348dcb752f267a143fe2254613b34 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Wed, 29 Sep 2021 13:18:57 +0100
+Subject: drm/msm: Fix null pointer dereference on pointer edp
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 2133c4fc8e1348dcb752f267a143fe2254613b34 upstream.
+
+The initialization of pointer dev dereferences pointer edp before
+edp is null checked, so there is a potential null pointer deference
+issue. Fix this by only dereferencing edp after edp has been null
+checked.
+
+Addresses-Coverity: ("Dereference before null check")
+Fixes: ab5b0107ccf3 ("drm/msm: Initial add eDP support in msm drm driver (v5)")
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
+Link: https://lore.kernel.org/r/20210929121857.213922-1-colin.king@canonical.com
+Signed-off-by: Rob Clark <robdclark@chromium.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/gpu/drm/msm/edp/edp_ctrl.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/msm/edp/edp_ctrl.c
++++ b/drivers/gpu/drm/msm/edp/edp_ctrl.c
+@@ -1095,7 +1095,7 @@ void msm_edp_ctrl_power(struct edp_ctrl
+ int msm_edp_ctrl_init(struct msm_edp *edp)
+ {
+       struct edp_ctrl *ctrl = NULL;
+-      struct device *dev = &edp->pdev->dev;
++      struct device *dev;
+       int ret;
+       if (!edp) {
+@@ -1103,6 +1103,7 @@ int msm_edp_ctrl_init(struct msm_edp *ed
+               return -EINVAL;
+       }
++      dev = &edp->pdev->dev;
+       ctrl = devm_kzalloc(dev, sizeof(*ctrl), GFP_KERNEL);
+       if (!ctrl)
+               return -ENOMEM;
diff --git a/queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch b/queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch
new file mode 100644 (file)
index 0000000..18d7c67
--- /dev/null
@@ -0,0 +1,39 @@
+From 291c932fc3692e4d211a445ba8aa35663831bac7 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 15:50:32 +0800
+Subject: NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 291c932fc3692e4d211a445ba8aa35663831bac7 upstream.
+
+'skb' is allocated in digital_in_send_sdd_req(), but not free when
+digital_in_send_cmd() failed, which will cause memory leak. Fix it
+by freeing 'skb' if digital_in_send_cmd() return failed.
+
+Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/digital_technology.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/digital_technology.c
++++ b/net/nfc/digital_technology.c
+@@ -473,8 +473,12 @@ static int digital_in_send_sdd_req(struc
+       *skb_put(skb, sizeof(u8)) = sel_cmd;
+       *skb_put(skb, sizeof(u8)) = DIGITAL_SDD_REQ_SEL_PAR;
+-      return digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res,
+-                                 target);
++      rc = digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res,
++                               target);
++      if (rc)
++              kfree_skb(skb);
++
++      return rc;
+ }
+ static void digital_in_recv_sens_res(struct nfc_digital_dev *ddev, void *arg,
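Review bot: The new `kfree_skb(skb)` in digital_in_send_sdd_req() is only correct if digital_in_send_cmd() never frees or queues `skb` on a path that returns non-zero. That ownership rule is not visible in this hunk, and an error path added later after the command is queued would turn this into a double free. I would record the contract at the call site, e.g. `/* digital_in_send_cmd() owns skb only on success; free it here on error */`. The same applies to `kfree(params)` after digital_send_cmd() in digital_tg_listen_mdaa(), added by the net/nfc/digital_core.c patch that follows. The function starts outside the hunk, so the declaration of `rc` is presumably among the lines not shown.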
diff --git a/queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch b/queue-4.4/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch
new file mode 100644 (file)
index 0000000..6982661
--- /dev/null
@@ -0,0 +1,47 @@
+From 58e7dcc9ca29c14e44267a4d0ea61e3229124907 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 15:50:12 +0800
+Subject: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 58e7dcc9ca29c14e44267a4d0ea61e3229124907 upstream.
+
+'params' is allocated in digital_tg_listen_mdaa(), but not free when
+digital_send_cmd() failed, which will cause memory leak. Fix it by
+freeing 'params' if digital_send_cmd() return failed.
+
+Fixes: 1c7a4c24fbfd ("NFC Digital: Add target NFC-DEP support")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/digital_core.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/nfc/digital_core.c
++++ b/net/nfc/digital_core.c
+@@ -280,6 +280,7 @@ int digital_tg_configure_hw(struct nfc_d
+ static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech)
+ {
+       struct digital_tg_mdaa_params *params;
++      int rc;
+       params = kzalloc(sizeof(struct digital_tg_mdaa_params), GFP_KERNEL);
+       if (!params)
+@@ -294,8 +295,12 @@ static int digital_tg_listen_mdaa(struct
+       get_random_bytes(params->nfcid2 + 2, NFC_NFCID2_MAXSIZE - 2);
+       params->sc = DIGITAL_SENSF_FELICA_SC;
+-      return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
+-                              500, digital_tg_recv_atr_req, NULL);
++      rc = digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params,
++                            500, digital_tg_recv_atr_req, NULL);
++      if (rc)
++              kfree(params);
++
++      return rc;
+ }
+ static int digital_tg_listen_md(struct nfc_digital_dev *ddev, u8 rf_tech)
diff --git a/queue-4.4/nfc-fix-error-handling-of-nfc_proto_register.patch b/queue-4.4/nfc-fix-error-handling-of-nfc_proto_register.patch
new file mode 100644 (file)
index 0000000..678dad7
--- /dev/null
@@ -0,0 +1,35 @@
+From 0911ab31896f0e908540746414a77dd63912748d Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 13 Oct 2021 11:49:32 +0800
+Subject: nfc: fix error handling of nfc_proto_register()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 0911ab31896f0e908540746414a77dd63912748d upstream.
+
+When nfc proto id is using, nfc_proto_register() return -EBUSY error
+code, but forgot to unregister proto. Fix it by adding proto_unregister()
+in the error handling case.
+
+Fixes: c7fe3b52c128 ("NFC: add NFC socket family")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Link: https://lore.kernel.org/r/20211013034932.2833737-1-william.xuanziyang@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/nfc/af_nfc.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/nfc/af_nfc.c
++++ b/net/nfc/af_nfc.c
+@@ -72,6 +72,9 @@ int nfc_proto_register(const struct nfc_
+               proto_tab[nfc_proto->id] = nfc_proto;
+       write_unlock(&proto_tab_lock);
++      if (rc)
++              proto_unregister(nfc_proto->proto);
++
+       return rc;
+ }
+ EXPORT_SYMBOL(nfc_proto_register);
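Review bot: The added `if (rc) proto_unregister(nfc_proto->proto);` in nfc_proto_register() assumes that every non-zero `rc` reaching this point means proto_register() had already succeeded. The start of the function is outside the hunk; if a failed proto_register() does not return early there, this line would unregister a proto that was never registered. A short comment would make the dependency explicit: `/* id already in proto_tab: undo the proto_register() above */`.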
diff --git a/queue-4.4/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch b/queue-4.4/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch
new file mode 100644 (file)
index 0000000..17edfb3
--- /dev/null
@@ -0,0 +1,41 @@
+From 013923477cb311293df9079332cf8b806ed0e6f2 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Wed, 6 Oct 2021 10:34:19 +0300
+Subject: pata_legacy: fix a couple uninitialized variable bugs
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 013923477cb311293df9079332cf8b806ed0e6f2 upstream.
+
+The last byte of "pad" is used without being initialized.
+
+Fixes: 55dba3120fbc ("libata: update ->data_xfer hook for ATAPI")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/pata_legacy.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/pata_legacy.c
++++ b/drivers/ata/pata_legacy.c
+@@ -328,7 +328,8 @@ static unsigned int pdc_data_xfer_vlb(st
+                       iowrite32_rep(ap->ioaddr.data_addr, buf, buflen >> 2);
+               if (unlikely(slop)) {
+-                      __le32 pad;
++                      __le32 pad = 0;
++
+                       if (rw == READ) {
+                               pad = cpu_to_le32(ioread32(ap->ioaddr.data_addr));
+                               memcpy(buf + buflen - slop, &pad, slop);
+@@ -716,7 +717,8 @@ static unsigned int vlb32_data_xfer(stru
+                       ioread32_rep(ap->ioaddr.data_addr, buf, buflen >> 2);
+               if (unlikely(slop)) {
+-                      __le32 pad;
++                      __le32 pad = 0;
++
+                       if (rw == WRITE) {
+                               memcpy(&pad, buf + buflen - slop, slop);
+                               iowrite32(le32_to_cpu(pad), ap->ioaddr.data_addr);
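Review bot: `__le32 pad = 0;` deserves a comment saying why the initialiser matters. In the visible write branch of vlb32_data_xfer() only `slop` bytes of `pad` are filled by `memcpy()` before `iowrite32()` sends all four to the device, so without the initialiser the remaining bytes were stale stack contents. Something like `/* zero-fill: only slop bytes are copied in, the rest must not carry stack data to the device */` on both declarations would do. The commit text mentions only the last byte, but if `slop` is the remainder of `buflen` modulo 4 (its computation is outside the hunk), up to three bytes were affected. The write branch of pdc_data_xfer_vlb() is also outside the hunk and should be checked for the same pattern.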
diff --git a/queue-4.4/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch b/queue-4.4/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch
new file mode 100644 (file)
index 0000000..9c0f82c
--- /dev/null
@@ -0,0 +1,41 @@
+From 9973a43012b6ad1720dbc4d5faf5302c28635b8c Mon Sep 17 00:00:00 2001
+From: Vegard Nossum <vegard.nossum@oracle.com>
+Date: Mon, 11 Oct 2021 17:22:49 +0200
+Subject: r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256
+
+From: Vegard Nossum <vegard.nossum@oracle.com>
+
+commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream.
+
+Fix the following build/link errors by adding a dependency on
+CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32:
+
+  ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum':
+  r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash'
+  ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest'
+  ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm'
+  ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode':
+  r8152.c:(.text+0xdcb0): undefined reference to `crc32_le'
+
+Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153")
+Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152")
+Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/Kconfig |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/Kconfig
++++ b/drivers/net/usb/Kconfig
+@@ -98,6 +98,10 @@ config USB_RTL8150
+ config USB_RTL8152
+       tristate "Realtek RTL8152/RTL8153 Based USB Ethernet Adapters"
+       select MII
++      select CRC32
++      select CRYPTO
++      select CRYPTO_HASH
++      select CRYPTO_SHA256
+       help
+         This option adds support for Realtek RTL8152 based USB 2.0
+         10/100 Ethernet adapters and RTL8153 based USB 3.0 10/100/1000
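Review bot: The three crypto selects added to USB_RTL8152 are justified in the commit text by link errors from `rtl8152_fw_verify_checksum`, which belongs to the firmware-loading change named in the first Fixes: tag. Whether that change exists in the 4.4 tree is not visible here. If it does not, only `select CRC32` is needed for `crc32_le`, and `select CRYPTO`, `select CRYPTO_HASH` and `select CRYPTO_SHA256` would pull crypto code into every 4.4 build that enables this driver without any user. It is worth checking the 4.4 r8152.c for `crypto_alloc_shash` before queuing the full set.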
index b5c8efd3558216c3042c64b72ed04ebc19e629c6..71ebf788512a175a0e4e9963ac705679aeab44df 100644 (file)
@@ -14,3 +14,9 @@ net-arc-select-crc32.patch
 net-korina-select-crc32.patch
 net-encx24j600-check-error-in-devm_regmap_init_encx24j600.patch
 ethernet-s2io-fix-setting-mac-address-during-resume.patch
+nfc-fix-error-handling-of-nfc_proto_register.patch
+nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch
+nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch
+pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch
+drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch
+r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch