Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag 'staging-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
"Here are three small staging driver fixes for 7.0-rc4 that resolve
some reported problems. They are:

- two rtl8723bs data validation bugfixes

- sm750fb removal path bugfix

All of these have been in linux-next for many weeks with no reported
issues"

* tag 'staging-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
staging: sm750fb: add missing pci_release_region on error and removal

+26 -17
+10 -5
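--- a/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
+++ b/drivers/staging/rtl8723bs/core/rtw_ieee80211.c
@@ -186,20 +186,25 @@
 
 cnt = 0;
 
-while (cnt < in_len) {
+while (cnt + 2 <= in_len) {
+u8 ie_len = in_ie[cnt + 1];
+
+if (cnt + 2 + ie_len > in_len)
+break;
+
 if (eid == in_ie[cnt]
-&& (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {
+&& (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {
 target_ie = &in_ie[cnt];
 
 if (ie)
-memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);
+memcpy(ie, &in_ie[cnt], ie_len + 2);
 
 if (ielen)
-*ielen = in_ie[cnt+1]+2;
+*ielen = ie_len + 2;
 
 break;
 }
-cnt += in_ie[cnt+1]+2; /* goto next */
+cnt += ie_len + 2; /* goto next */
 }
 
 return target_ie;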
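Review bot: The `memcpy(ie, &in_ie[cnt], ie_len + 2)` copy is now bounded on the source side, but nothing in the hunk bounds the destination: `ie` arrives without a size, so every caller has to provide room for up to 257 bytes (a `u8` length of 255 plus the 2 header bytes). If the signature cannot take a length, a comment above the copy such as `/* ie must hold at least 257 bytes: u8 ie_len plus 2 header bytes */` would make that contract explicit. The function's signature and its callers are outside the hunk, so whether every caller meets it cannot be confirmed from here.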
+4 -1
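--- a/drivers/staging/rtl8723bs/core/rtw_mlme.c
+++ b/drivers/staging/rtl8723bs/core/rtw_mlme.c
@@ -1988,7 +1988,10 @@
 while (i < in_len) {
 ielength = initial_out_len;
 
-if (in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 && in_ie[i + 5] == 0x02 && i + 5 < in_len) { /* WMM element ID and OUI */
+if (i + 5 < in_len &&
+in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&
+in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&
+in_ie[i + 5] == 0x02) {
 for (j = i; j < i + 9; j++) {
 out_ie[ielength] = in_ie[j];
 ielength++;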
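Review bot: The copy loop directly below the reordered guard still reads `in_ie[i]` through `in_ie[i + 8]`, three bytes beyond what `i + 5 < in_len` proves are present. An element that ends right after the OUI type byte passes the check, and the loop then reads past `in_len`; tightening the first condition to `if (i + 9 <= in_len &&` covers the whole nine-byte copy. The loop body and the rest of the function continue outside the hunk, so the bound on `out_ie` cannot be checked from here.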
+1
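--- a/drivers/staging/sm750fb/sm750.c
+++ b/drivers/staging/sm750fb/sm750.c
@@ -1123,6 +1123,7 @@
 
 iounmap(sm750_dev->pvReg);
 iounmap(sm750_dev->pvMem);
+pci_release_region(pdev, 1);
 kfree(g_settings);
 }
 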
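Review bot: The release added here has no visible counterpart in this file: the matching `pci_request_region(pdev, 1, "sm750fb")` sits in sm750_hw.c, and this commit also deletes the comment there that tied the two together. A one-line comment on the new call, `/* pairs with pci_request_region() in sm750_hw.c */`, keeps the pairing discoverable. A shared named constant for BAR index `1` would also stop the two literals from drifting apart. The function begins outside the hunk.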
+11 -11
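--- a/drivers/staging/sm750fb/sm750_hw.c
+++ b/drivers/staging/sm750fb/sm750_hw.c
@@ -36,16 +36,11 @@
 
 pr_info("mmio phyAddr = %lx\n", sm750_dev->vidreg_start);
 
-/*
- * reserve the vidreg space of smi adaptor
- * if you do this, you need to add release region code
- * in lynxfb_remove, or memory will not be mapped again
- * successfully
- */
+/* reserve the vidreg space of smi adaptor */
 ret = pci_request_region(pdev, 1, "sm750fb");
 if (ret) {
 pr_err("Can not request PCI regions.\n");
-goto exit;
+return ret;
 }
 
 /* now map mmio and vidmem */
@@ -54,7 +49,7 @@
 if (!sm750_dev->pvReg) {
 pr_err("mmio failed\n");
 ret = -EFAULT;
-goto exit;
+goto err_release_region;
 }
 pr_info("mmio virtual addr = %p\n", sm750_dev->pvReg);
 
@@ -79,13 +74,18 @@
 sm750_dev->pvMem =
 ioremap_wc(sm750_dev->vidmem_start, sm750_dev->vidmem_size);
 if (!sm750_dev->pvMem) {
-iounmap(sm750_dev->pvReg);
 pr_err("Map video memory failed\n");
 ret = -EFAULT;
-goto exit;
+goto err_unmap_reg;
 }
 pr_info("video memory vaddr = %p\n", sm750_dev->pvMem);
-exit:
+
+return 0;
+
+err_unmap_reg:
+iounmap(sm750_dev->pvReg);
+err_release_region:
+pci_release_region(pdev, 1);
 return ret;
 }
 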
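Review bot: On the `err_unmap_reg` path `sm750_dev->pvReg` is unmapped but keeps its old address, so the structure holds a stale mapping pointer after a failed map. The removal path in sm750.c calls `iounmap(sm750_dev->pvReg)` unconditionally; whether it can run after this failure is not visible here, so adding `sm750_dev->pvReg = NULL;` right after the `iounmap()` leaves no stale address for later code to reuse. Separately, `-EFAULT` is an unusual code for a failed `ioremap()`; `-ENOMEM` is the conventional choice. The function starts outside the hunk.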