Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Merge tag 'staging-5.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging

Pull staging driver fixes from Greg KH:
"Here are two small staging driver fixes for 5.15-rc3:

- greybus tty use-after-free bugfix

- r8188eu ioctl overlap build warning fix

Note, the r8188eu ioctl has been entirely removed for 5.16-rc1, but
it's good to get this fixed now for people using this in 5.15.

Both of these have been in linux-next for a while with no reported
issues"

* tag 'staging-5.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
staging: r8188eu: fix -Wrestrict warnings
staging: greybus: uart: fix tty use after free

+36 -34
+32 -30
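--- a/drivers/staging/greybus/uart.c
+++ b/drivers/staging/greybus/uart.c
@@ -761,6 +761,17 @@
 gbphy_runtime_put_autosuspend(gb_tty->gbphy_dev);
 }
 
+static void gb_tty_port_destruct(struct tty_port *port)
+{
+struct gb_tty *gb_tty = container_of(port, struct gb_tty, port);
+
+if (gb_tty->minor != GB_NUM_MINORS)
+release_minor(gb_tty);
+kfifo_free(&gb_tty->write_fifo);
+kfree(gb_tty->buffer);
+kfree(gb_tty);
+}
+
 static const struct tty_operations gb_ops = {
 .install = gb_tty_install,
 .open = gb_tty_open,
@@ -786,6 +797,7 @@
 .dtr_rts = gb_tty_dtr_rts,
 .activate = gb_tty_port_activate,
 .shutdown = gb_tty_port_shutdown,
+.destruct = gb_tty_port_destruct,
 };
 
 static int gb_uart_probe(struct gbphy_device *gbphy_dev,
@@ -798,17 +810,11 @@
 int retval;
 int minor;
 
-gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
-if (!gb_tty)
-return -ENOMEM;
-
 connection = gb_connection_create(gbphy_dev->bundle,
 le16_to_cpu(gbphy_dev->cport_desc->id),
 gb_uart_request_handler);
-if (IS_ERR(connection)) {
-retval = PTR_ERR(connection);
-goto exit_tty_free;
-}
+if (IS_ERR(connection))
+return PTR_ERR(connection);
 
 max_payload = gb_operation_get_payload_size_max(connection);
 if (max_payload < sizeof(struct gb_uart_send_data_request)) {
@@ -816,13 +822,23 @@
 goto exit_connection_destroy;
 }
 
+gb_tty = kzalloc(sizeof(*gb_tty), GFP_KERNEL);
+if (!gb_tty) {
+retval = -ENOMEM;
+goto exit_connection_destroy;
+}
+
+tty_port_init(&gb_tty->port);
+gb_tty->port.ops = &gb_port_ops;
+gb_tty->minor = GB_NUM_MINORS;
+
 gb_tty->buffer_payload_max = max_payload -
 sizeof(struct gb_uart_send_data_request);
 
 gb_tty->buffer = kzalloc(gb_tty->buffer_payload_max, GFP_KERNEL);
 if (!gb_tty->buffer) {
 retval = -ENOMEM;
-goto exit_connection_destroy;
+goto exit_put_port;
 }
 
 INIT_WORK(&gb_tty->tx_work, gb_uart_tx_write_work);
@@ -830,7 +846,7 @@
 retval = kfifo_alloc(&gb_tty->write_fifo, GB_UART_WRITE_FIFO_SIZE,
 GFP_KERNEL);
 if (retval)
-goto exit_buf_free;
+goto exit_put_port;
 
 gb_tty->credits = GB_UART_FIRMWARE_CREDITS;
 init_completion(&gb_tty->credits_complete);
@@ -844,7 +860,7 @@
 } else {
 retval = minor;
 }
-goto exit_kfifo_free;
+goto exit_put_port;
 }
 
 gb_tty->minor = minor;
@@ -853,9 +869,6 @@
 init_waitqueue_head(&gb_tty->wioctl);
 mutex_init(&gb_tty->mutex);
 
-tty_port_init(&gb_tty->port);
-gb_tty->port.ops = &gb_port_ops;
-
 gb_tty->connection = connection;
 gb_tty->gbphy_dev = gbphy_dev;
 gb_connection_set_data(connection, gb_tty);
@@ -863,7 +876,7 @@
 
 retval = gb_connection_enable_tx(connection);
 if (retval)
-goto exit_release_minor;
+goto exit_put_port;
 
 send_control(gb_tty, gb_tty->ctrlout);
 
@@ -890,16 +903,10 @@
 
 exit_connection_disable:
 gb_connection_disable(connection);
-exit_release_minor:
-release_minor(gb_tty);
-exit_kfifo_free:
-kfifo_free(&gb_tty->write_fifo);
-exit_buf_free:
-kfree(gb_tty->buffer);
+exit_put_port:
+tty_port_put(&gb_tty->port);
 exit_connection_destroy:
 gb_connection_destroy(connection);
-exit_tty_free:
-kfree(gb_tty);
 
 return retval;
 }
@@ -930,15 +937,10 @@
 gb_connection_disable_rx(connection);
 tty_unregister_device(gb_tty_driver, gb_tty->minor);
 
-/* FIXME - free transmit / receive buffers */
-
 gb_connection_disable(connection);
-tty_port_destroy(&gb_tty->port);
 gb_connection_destroy(connection);
-release_minor(gb_tty);
-kfifo_free(&gb_tty->write_fifo);
-kfree(gb_tty->buffer);
-kfree(gb_tty);
+
+tty_port_put(&gb_tty->port);
 }
 
 static int gb_tty_init(void)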
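Review bot: gb_tty_port_destruct() is now also the cleanup path for a partially initialised gb_tty, since every `goto exit_put_port` in gb_uart_probe() ends up in it, but nothing in the new code documents that contract. It is safe only because kzalloc() leaves `write_fifo` and `buffer` zeroed and because `minor` is preset to `GB_NUM_MINORS`; a comment above the destructor such as `/* Also runs for a partially set-up gb_tty from probe: relies on kzalloc() zeroing and minor == GB_NUM_MINORS meaning "no minor allocated". */` would keep a later reordering from reintroducing a bad free. Separately, in gb_uart_remove() the structure can now outlive `gb_connection_destroy(connection)` while a tty reference is still held, so `gb_tty->connection` is stale from that point on; whatever guards later use of it is presumably earlier in the function, outside the hunk, and is worth confirming. The bodies of gb_uart_probe() and gb_uart_remove() both start outside the visible hunks.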
+4 -4
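--- a/drivers/staging/r8188eu/os_dep/ioctl_linux.c
+++ b/drivers/staging/r8188eu/os_dep/ioctl_linux.c
@@ -5372,8 +5372,8 @@
 
 pnext++;
 if (*pnext != '\0') {
-strtout = simple_strtoul(pnext, &ptmp, 16);
-sprintf(extra, "%s %d", extra, strtout);
+strtout = simple_strtoul(pnext, &ptmp, 16);
+sprintf(extra + strlen(extra), " %d", strtout);
 } else {
 break;
 }
@@ -5405,7 +5405,7 @@
 pnext++;
 if (*pnext != '\0') {
 strtout = simple_strtoul(pnext, &ptmp, 16);
-sprintf(extra, "%s %d", extra, strtout);
+sprintf(extra + strlen(extra), " %d", strtout);
 } else {
 break;
 }
@@ -5512,7 +5512,7 @@
 pnext++;
 if (*pnext != '\0') {
 strtou = simple_strtoul(pnext, &ptmp, 16);
-sprintf(extra, "%s %d", extra, strtou);
+sprintf(extra + strlen(extra), " %d", strtou);
 } else {
 break;
 }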
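Review bot: The new `sprintf(extra + strlen(extra), " %d", strtout)` fixes the overlapping source and destination, but the append is still unbounded: each loop iteration adds another token, apparently parsed from the ioctl request string, and no check against the size of `extra` is visible in this hunk or in the two that repeat the line (old lines 5408 and 5515). If the buffer size is known at these call sites, a bounded append such as `len += scnprintf(extra + len, EXTRA_BUF_SIZE - len, " %d", strtout);` would cap the write and avoid re-scanning the string on every pass; `EXTRA_BUF_SIZE` is a placeholder for the real size, which the page does not show. The `%d` conversion also assumes `strtout`/`strtou` are int-sized, which cannot be confirmed from the visible lines. The enclosing functions start and end outside the hunks.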