tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge tag 'char-misc-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc

Pull char/misc fixes from Greg KH:
"Here are two bugfixes for some driver bugs for 4.15-rc8

The first is a bluetooth security bug that has been ignored by the
Bluetooth developers for months for no obvious reason at all, so I've
taken it through my tree.

The second is a simple double-free bug in the mux subsystem.

Both have been in linux-next for a while with no reported issues"

* tag 'char-misc-4.15-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
mux: core: fix double get_device()
Bluetooth: Prevent stack info leak from the EFS element.

Linus Torvalds 9e8f8f1e 22079ee4

+14 -10
+3 -1
drivers/mux/core.c
··· 413 413 return dev->of_node == data; 414 414 } 415 415 416 + /* Note this function returns a reference to the mux_chip dev. */ 416 417 static struct mux_chip *of_find_mux_chip_by_node(struct device_node *np) 417 418 { 418 419 struct device *dev; ··· 467 466 (!args.args_count && (mux_chip->controllers > 1))) { 468 467 dev_err(dev, "%pOF: wrong #mux-control-cells for %pOF\n", 469 468 np, args.np); 469 + put_device(&mux_chip->dev); 470 470 return ERR_PTR(-EINVAL); 471 471 } 472 472 ··· 478 476 if (controller >= mux_chip->controllers) { 479 477 dev_err(dev, "%pOF: bad mux controller %u specified in %pOF\n", 480 478 np, controller, args.np); 479 + put_device(&mux_chip->dev); 481 480 return ERR_PTR(-EINVAL); 482 481 } 483 482 484 - get_device(&mux_chip->dev); 485 483 return &mux_chip->mux[controller]; 486 484 } 487 485 EXPORT_SYMBOL_GPL(mux_control_get);
+11 -9
net/bluetooth/l2cap_core.c
··· 3363 3363 break; 3364 3364 3365 3365 case L2CAP_CONF_EFS: 3366 - remote_efs = 1; 3367 - if (olen == sizeof(efs)) 3366 + if (olen == sizeof(efs)) { 3367 + remote_efs = 1; 3368 3368 memcpy(&efs, (void *) val, olen); 3369 + } 3369 3370 break; 3370 3371 3371 3372 case L2CAP_CONF_EWS: ··· 3585 3584 break; 3586 3585 3587 3586 case L2CAP_CONF_EFS: 3588 - if (olen == sizeof(efs)) 3587 + if (olen == sizeof(efs)) { 3589 3588 memcpy(&efs, (void *)val, olen); 3590 3589 3591 - if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3592 - efs.stype != L2CAP_SERV_NOTRAFIC && 3593 - efs.stype != chan->local_stype) 3594 - return -ECONNREFUSED; 3590 + if (chan->local_stype != L2CAP_SERV_NOTRAFIC && 3591 + efs.stype != L2CAP_SERV_NOTRAFIC && 3592 + efs.stype != chan->local_stype) 3593 + return -ECONNREFUSED; 3595 3594 3596 - l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3597 - (unsigned long) &efs, endptr - ptr); 3595 + l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), 3596 + (unsigned long) &efs, endptr - ptr); 3597 + } 3598 3598 break; 3599 3599 3600 3600 case L2CAP_CONF_FCS: