From 6f95da85b34e63333acfbf87f8194a2cf3957bec Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 18 Oct 2021 13:32:16 +0200 Subject: [PATCH] 4.9-stable patches added patches: drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch nfc-fix-error-handling-of-nfc_proto_register.patch pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch --- ...in-dsi_bus_clk_enable-error-handling.patch | 34 ++++++++++++++ ...l-pointer-dereference-on-pointer-edp.patch | 44 +++++++++++++++++ ...mory-leak-in-digital_in_send_sdd_req.patch | 39 +++++++++++++++ ...emory-leak-in-digital_tg_listen_mdaa.patch | 47 +++++++++++++++++++ ...error-handling-of-nfc_proto_register.patch | 35 ++++++++++++++ ...a-couple-uninitialized-variable-bugs.patch | 41 ++++++++++++++++ ...and-crypto-crypto_hash-crypto_sha256.patch | 41 ++++++++++++++++ queue-4.9/series | 7 +++ 8 files changed, 288 insertions(+) create mode 100644 queue-4.9/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch create mode 100644 queue-4.9/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch create mode 100644 queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch create mode 100644 queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch create mode 100644 queue-4.9/nfc-fix-error-handling-of-nfc_proto_register.patch create mode 100644 queue-4.9/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch create mode 100644 queue-4.9/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch diff --git a/queue-4.9/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch b/queue-4.9/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch new file mode 100644 index 00000000000..358cb74e6bf --- /dev/null +++ b/queue-4.9/drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch @@ -0,0 +1,34 @@ +From c8f01ffc83923a91e8087aaa077de13354a7aa59 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 1 Oct 2021 15:34:09 +0300 +Subject: drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling + +From: Dan Carpenter + +commit c8f01ffc83923a91e8087aaa077de13354a7aa59 upstream. + +This disables a lock which wasn't enabled and it does not disable +the first lock in the array. + +Fixes: 6e0eb52eba9e ("drm/msm/dsi: Parse bus clocks from a list") +Signed-off-by: Dan Carpenter +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20211001123409.GG2283@kili +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -439,7 +439,7 @@ static int dsi_bus_clk_enable(struct msm + + return 0; + err: +- for (; i > 0; i--) ++ while (--i >= 0) + clk_disable_unprepare(msm_host->bus_clks[i]); + + return ret; diff --git a/queue-4.9/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch b/queue-4.9/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch new file mode 100644 index 00000000000..309f0b88a98 --- /dev/null +++ b/queue-4.9/drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch @@ -0,0 +1,44 @@ +From 2133c4fc8e1348dcb752f267a143fe2254613b34 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Wed, 29 Sep 2021 13:18:57 +0100 +Subject: drm/msm: Fix null pointer dereference on pointer edp + +From: Colin Ian King + +commit 2133c4fc8e1348dcb752f267a143fe2254613b34 upstream. + +The initialization of pointer dev dereferences pointer edp before +edp is null checked, so there is a potential null pointer deference +issue. Fix this by only dereferencing edp after edp has been null +checked. + +Addresses-Coverity: ("Dereference before null check") +Fixes: ab5b0107ccf3 ("drm/msm: Initial add eDP support in msm drm driver (v5)") +Signed-off-by: Colin Ian King +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20210929121857.213922-1-colin.king@canonical.com +Signed-off-by: Rob Clark +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/msm/edp/edp_ctrl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/msm/edp/edp_ctrl.c ++++ b/drivers/gpu/drm/msm/edp/edp_ctrl.c +@@ -1090,7 +1090,7 @@ void msm_edp_ctrl_power(struct edp_ctrl + int msm_edp_ctrl_init(struct msm_edp *edp) + { + struct edp_ctrl *ctrl = NULL; +- struct device *dev = &edp->pdev->dev; ++ struct device *dev; + int ret; + + if (!edp) { +@@ -1098,6 +1098,7 @@ int msm_edp_ctrl_init(struct msm_edp *ed + return -EINVAL; + } + ++ dev = &edp->pdev->dev; + ctrl = devm_kzalloc(dev, sizeof(*ctrl), GFP_KERNEL); + if (!ctrl) + return -ENOMEM; diff --git a/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch b/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch new file mode 100644 index 00000000000..18d7c679887 --- /dev/null +++ b/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch @@ -0,0 +1,39 @@ +From 291c932fc3692e4d211a445ba8aa35663831bac7 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 15:50:32 +0800 +Subject: NFC: digital: fix possible memory leak in digital_in_send_sdd_req() + +From: Ziyang Xuan + +commit 291c932fc3692e4d211a445ba8aa35663831bac7 upstream. + +'skb' is allocated in digital_in_send_sdd_req(), but not free when +digital_in_send_cmd() failed, which will cause memory leak. Fix it +by freeing 'skb' if digital_in_send_cmd() return failed. + +Fixes: 2c66daecc409 ("NFC Digital: Add NFC-A technology support") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_technology.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/nfc/digital_technology.c ++++ b/net/nfc/digital_technology.c +@@ -473,8 +473,12 @@ static int digital_in_send_sdd_req(struc + *skb_put(skb, sizeof(u8)) = sel_cmd; + *skb_put(skb, sizeof(u8)) = DIGITAL_SDD_REQ_SEL_PAR; + +- return digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res, +- target); ++ rc = digital_in_send_cmd(ddev, skb, 30, digital_in_recv_sdd_res, ++ target); ++ if (rc) ++ kfree_skb(skb); ++ ++ return rc; + } + + static void digital_in_recv_sens_res(struct nfc_digital_dev *ddev, void *arg, diff --git a/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch b/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch new file mode 100644 index 00000000000..680c77d470e --- /dev/null +++ b/queue-4.9/nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch @@ -0,0 +1,47 @@ +From 58e7dcc9ca29c14e44267a4d0ea61e3229124907 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 15:50:12 +0800 +Subject: NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() + +From: Ziyang Xuan + +commit 58e7dcc9ca29c14e44267a4d0ea61e3229124907 upstream. + +'params' is allocated in digital_tg_listen_mdaa(), but not free when +digital_send_cmd() failed, which will cause memory leak. Fix it by +freeing 'params' if digital_send_cmd() return failed. + +Fixes: 1c7a4c24fbfd ("NFC Digital: Add target NFC-DEP support") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/digital_core.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/nfc/digital_core.c ++++ b/net/nfc/digital_core.c +@@ -286,6 +286,7 @@ int digital_tg_configure_hw(struct nfc_d + static int digital_tg_listen_mdaa(struct nfc_digital_dev *ddev, u8 rf_tech) + { + struct digital_tg_mdaa_params *params; ++ int rc; + + params = kzalloc(sizeof(struct digital_tg_mdaa_params), GFP_KERNEL); + if (!params) +@@ -300,8 +301,12 @@ static int digital_tg_listen_mdaa(struct + get_random_bytes(params->nfcid2 + 2, NFC_NFCID2_MAXSIZE - 2); + params->sc = DIGITAL_SENSF_FELICA_SC; + +- return digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params, +- 500, digital_tg_recv_atr_req, NULL); ++ rc = digital_send_cmd(ddev, DIGITAL_CMD_TG_LISTEN_MDAA, NULL, params, ++ 500, digital_tg_recv_atr_req, NULL); ++ if (rc) ++ kfree(params); ++ ++ return rc; + } + + static int digital_tg_listen_md(struct nfc_digital_dev *ddev, u8 rf_tech) diff --git a/queue-4.9/nfc-fix-error-handling-of-nfc_proto_register.patch b/queue-4.9/nfc-fix-error-handling-of-nfc_proto_register.patch new file mode 100644 index 00000000000..678dad72dcd --- /dev/null +++ b/queue-4.9/nfc-fix-error-handling-of-nfc_proto_register.patch @@ -0,0 +1,35 @@ +From 0911ab31896f0e908540746414a77dd63912748d Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 13 Oct 2021 11:49:32 +0800 +Subject: nfc: fix error handling of nfc_proto_register() + +From: Ziyang Xuan + +commit 0911ab31896f0e908540746414a77dd63912748d upstream. + +When nfc proto id is using, nfc_proto_register() return -EBUSY error +code, but forgot to unregister proto. Fix it by adding proto_unregister() +in the error handling case. + +Fixes: c7fe3b52c128 ("NFC: add NFC socket family") +Signed-off-by: Ziyang Xuan +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211013034932.2833737-1-william.xuanziyang@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/af_nfc.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/nfc/af_nfc.c ++++ b/net/nfc/af_nfc.c +@@ -72,6 +72,9 @@ int nfc_proto_register(const struct nfc_ + proto_tab[nfc_proto->id] = nfc_proto; + write_unlock(&proto_tab_lock); + ++ if (rc) ++ proto_unregister(nfc_proto->proto); ++ + return rc; + } + EXPORT_SYMBOL(nfc_proto_register); diff --git a/queue-4.9/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch b/queue-4.9/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch new file mode 100644 index 00000000000..17edfb31424 --- /dev/null +++ b/queue-4.9/pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch @@ -0,0 +1,41 @@ +From 013923477cb311293df9079332cf8b806ed0e6f2 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 6 Oct 2021 10:34:19 +0300 +Subject: pata_legacy: fix a couple uninitialized variable bugs + +From: Dan Carpenter + +commit 013923477cb311293df9079332cf8b806ed0e6f2 upstream. + +The last byte of "pad" is used without being initialized. + +Fixes: 55dba3120fbc ("libata: update ->data_xfer hook for ATAPI") +Signed-off-by: Dan Carpenter +Signed-off-by: Damien Le Moal +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ata/pata_legacy.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/ata/pata_legacy.c ++++ b/drivers/ata/pata_legacy.c +@@ -328,7 +328,8 @@ static unsigned int pdc_data_xfer_vlb(st + iowrite32_rep(ap->ioaddr.data_addr, buf, buflen >> 2); + + if (unlikely(slop)) { +- __le32 pad; ++ __le32 pad = 0; ++ + if (rw == READ) { + pad = cpu_to_le32(ioread32(ap->ioaddr.data_addr)); + memcpy(buf + buflen - slop, &pad, slop); +@@ -716,7 +717,8 @@ static unsigned int vlb32_data_xfer(stru + ioread32_rep(ap->ioaddr.data_addr, buf, buflen >> 2); + + if (unlikely(slop)) { +- __le32 pad; ++ __le32 pad = 0; ++ + if (rw == WRITE) { + memcpy(&pad, buf + buflen - slop, slop); + iowrite32(le32_to_cpu(pad), ap->ioaddr.data_addr); diff --git a/queue-4.9/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch b/queue-4.9/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch new file mode 100644 index 00000000000..9c0f82c54e9 --- /dev/null +++ b/queue-4.9/r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch @@ -0,0 +1,41 @@ +From 9973a43012b6ad1720dbc4d5faf5302c28635b8c Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Mon, 11 Oct 2021 17:22:49 +0200 +Subject: r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 + +From: Vegard Nossum + +commit 9973a43012b6ad1720dbc4d5faf5302c28635b8c upstream. + +Fix the following build/link errors by adding a dependency on +CRYPTO, CRYPTO_HASH, CRYPTO_SHA256 and CRC32: + + ld: drivers/net/usb/r8152.o: in function `rtl8152_fw_verify_checksum': + r8152.c:(.text+0x2b2a): undefined reference to `crypto_alloc_shash' + ld: r8152.c:(.text+0x2bed): undefined reference to `crypto_shash_digest' + ld: r8152.c:(.text+0x2c50): undefined reference to `crypto_destroy_tfm' + ld: drivers/net/usb/r8152.o: in function `_rtl8152_set_rx_mode': + r8152.c:(.text+0xdcb0): undefined reference to `crc32_le' + +Fixes: 9370f2d05a2a1 ("r8152: support request_firmware for RTL8153") +Fixes: ac718b69301c7 ("net/usb: new driver for RTL8152") +Signed-off-by: Vegard Nossum +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/usb/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/Kconfig ++++ b/drivers/net/usb/Kconfig +@@ -98,6 +98,10 @@ config USB_RTL8150 + config USB_RTL8152 + tristate "Realtek RTL8152/RTL8153 Based USB Ethernet Adapters" + select MII ++ select CRC32 ++ select CRYPTO ++ select CRYPTO_HASH ++ select CRYPTO_SHA256 + help + This option adds support for Realtek RTL8152 based USB 2.0 + 10/100 Ethernet adapters and RTL8153 based USB 3.0 10/100/1000 diff --git a/queue-4.9/series b/queue-4.9/series index 3c69f95ab97..7874127be02 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -16,3 +16,10 @@ net-arc-select-crc32.patch net-korina-select-crc32.patch net-encx24j600-check-error-in-devm_regmap_init_encx24j600.patch ethernet-s2io-fix-setting-mac-address-during-resume.patch +nfc-fix-error-handling-of-nfc_proto_register.patch +nfc-digital-fix-possible-memory-leak-in-digital_tg_listen_mdaa.patch +nfc-digital-fix-possible-memory-leak-in-digital_in_send_sdd_req.patch +pata_legacy-fix-a-couple-uninitialized-variable-bugs.patch +drm-msm-fix-null-pointer-dereference-on-pointer-edp.patch +drm-msm-dsi-fix-off-by-one-in-dsi_bus_clk_enable-error-handling.patch +r8152-select-crc32-and-crypto-crypto_hash-crypto_sha256.patch -- 2.47.3