From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 28 Dec 2023 12:12:24 +0000 (+0000)
Subject: 4.14-stable patches
X-Git-Tag: v6.1.70~26
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bd8ac350e8ef01c1141a704af592373624e3821f;p=thirdparty%2Fkernel%2Fstable-queue.git

4.14-stable patches

added patches:
	net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch
	net-rfkill-gpio-set-gpio-direction.patch
---

diff --git a/queue-4.14/net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch b/queue-4.14/net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch
new file mode 100644
index 00000000000..ebb82fb4af2
--- /dev/null
+++ b/queue-4.14/net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch
@@ -0,0 +1,82 @@
+From ff49bf1867578f23a5ffdd38f927f6e1e16796c4 Mon Sep 17 00:00:00 2001
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+Date: Wed, 6 Dec 2023 23:09:13 +0300
+Subject: net: 9p: avoid freeing uninit memory in p9pdu_vreadf
+
+From: Fedor Pchelkin <pchelkin@ispras.ru>
+
+commit ff49bf1867578f23a5ffdd38f927f6e1e16796c4 upstream.
+
+If some of p9pdu_readf() calls inside case 'T' in p9pdu_vreadf() fails,
+the error path is not handled properly. *wnames or members of *wnames
+array may be left uninitialized and invalidly freed.
+
+Initialize *wnames to NULL in beginning of case 'T'. Initialize the first
+*wnames array element to NULL and nullify the failing *wnames element so
+that the error path freeing loop stops on the first NULL element and
+doesn't proceed further.
+
+Found by Linux Verification Center (linuxtesting.org).
+
+Fixes: ace51c4dd2f9 ("9p: add new protocol support code")
+Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
+Message-ID: <20231206200913.16135-1-pchelkin@ispras.ru>
+Cc: stable@vger.kernel.org
+Reviewed-by: Simon Horman <horms@kernel.org>
+Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/protocol.c |   17 +++++++++++++----
+ 1 file changed, 13 insertions(+), 4 deletions(-)
+
+--- a/net/9p/protocol.c
++++ b/net/9p/protocol.c
+@@ -243,6 +243,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ 				uint16_t *nwname = va_arg(ap, uint16_t *);
+ 				char ***wnames = va_arg(ap, char ***);
+ 
++				*wnames = NULL;
++
+ 				errcode = p9pdu_readf(pdu, proto_version,
+ 								"w", nwname);
+ 				if (!errcode) {
+@@ -251,6 +253,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ 						    GFP_NOFS);
+ 					if (!*wnames)
+ 						errcode = -ENOMEM;
++					else
++						(*wnames)[0] = NULL;
+ 				}
+ 
+ 				if (!errcode) {
+@@ -262,8 +266,10 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ 								proto_version,
+ 								"s",
+ 								&(*wnames)[i]);
+-						if (errcode)
++						if (errcode) {
++							(*wnames)[i] = NULL;
+ 							break;
++						}
+ 					}
+ 				}
+ 
+@@ -271,11 +277,14 @@ p9pdu_vreadf(struct p9_fcall *pdu, int p
+ 					if (*wnames) {
+ 						int i;
+ 
+-						for (i = 0; i < *nwname; i++)
++						for (i = 0; i < *nwname; i++) {
++							if (!(*wnames)[i])
++								break;
+ 							kfree((*wnames)[i]);
++						}
++						kfree(*wnames);
++						*wnames = NULL;
+ 					}
+-					kfree(*wnames);
+-					*wnames = NULL;
+ 				}
+ 			}
+ 			break;
diff --git a/queue-4.14/net-rfkill-gpio-set-gpio-direction.patch b/queue-4.14/net-rfkill-gpio-set-gpio-direction.patch
new file mode 100644
index 00000000000..e3db2e53465
--- /dev/null
+++ b/queue-4.14/net-rfkill-gpio-set-gpio-direction.patch
@@ -0,0 +1,45 @@
+From 23484d817082c3005252d8edfc8292c8a1006b5b Mon Sep 17 00:00:00 2001
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Date: Thu, 7 Dec 2023 08:58:36 +0100
+Subject: net: rfkill: gpio: set GPIO direction
+
+From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+
+commit 23484d817082c3005252d8edfc8292c8a1006b5b upstream.
+
+Fix the undefined usage of the GPIO consumer API after retrieving the
+GPIO description with GPIO_ASIS. The API documentation mentions that
+GPIO_ASIS won't set a GPIO direction and requires the user to set a
+direction before using the GPIO.
+
+This can be confirmed on i.MX6 hardware, where rfkill-gpio is no longer
+able to enabled/disable a device, presumably because the GPIO controller
+was never configured for the output direction.
+
+Fixes: b2f750c3a80b ("net: rfkill: gpio: prevent value glitch during probe")
+Cc: stable@vger.kernel.org
+Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
+Link: https://msgid.link/20231207075835.3091694-1-r.czerwinski@pengutronix.de
+Signed-off-by: Johannes Berg <johannes.berg@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/rfkill/rfkill-gpio.c |    8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/rfkill/rfkill-gpio.c
++++ b/net/rfkill/rfkill-gpio.c
+@@ -129,6 +129,14 @@ static int rfkill_gpio_probe(struct plat
+ 		return -EINVAL;
+ 	}
+ 
++	ret = gpiod_direction_output(rfkill->reset_gpio, true);
++	if (ret)
++		return ret;
++
++	ret = gpiod_direction_output(rfkill->shutdown_gpio, true);
++	if (ret)
++		return ret;
++
+ 	rfkill->rfkill_dev = rfkill_alloc(rfkill->name, &pdev->dev,
+ 					  rfkill->type, &rfkill_gpio_ops,
+ 					  rfkill);
diff --git a/queue-4.14/series b/queue-4.14/series
index ffb8ffa629c..476f6d3ae5e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -15,3 +15,5 @@ usb-serial-option-add-quectel-eg912y-module-support.patch
 usb-serial-option-add-foxconn-t99w265-with-new-baseline.patch
 usb-serial-option-add-quectel-rm500q-r13-firmware-support.patch
 bluetooth-hci_event-fix-not-checking-if-hci_op_inquiry-has-been-sent.patch
+net-9p-avoid-freeing-uninit-memory-in-p9pdu_vreadf.patch
+net-rfkill-gpio-set-gpio-direction.patch