Commit 4dad25aa authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'staging-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging 

Pull staging driver fixes from Greg KH:
 "Here are three small staging driver fixes for 7.0-rc4 that resolve
  some reported problems. They are:

   - two rtl8723bs data validation bugfixes

   - sm750fb removal path bugfix

  All of these have been in linux-next for many weeks with no reported
  issues"

* tag 'staging-7.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
  staging: rtl8723bs: fix potential out-of-bounds read in rtw_restruct_wmm_ie
  staging: rtl8723bs: properly validate the data in rtw_get_ie_ex()
  staging: sm750fb: add missing pci_release_region on error and removal
parents 1c9982b4 a7528162

drivers/staging/rtl8723bs/core/rtw_ieee80211.c

+10 −5
Original line number Diff line number Diff line
@@ -186,20 +186,25 @@ u8 *rtw_get_ie_ex(u8 *in_ie, uint in_len, u8 eid, u8 *oui, u8 oui_len, u8 *ie, u 


	cnt = 0;



	while (cnt < in_len) {

	while (cnt + 2 <= in_len) {

		u8 ie_len = in_ie[cnt + 1];



		if (cnt + 2 + ie_len > in_len)

			break;



		if (eid == in_ie[cnt]

			&& (!oui || !memcmp(&in_ie[cnt+2], oui, oui_len))) {

			&& (!oui || (ie_len >= oui_len && !memcmp(&in_ie[cnt + 2], oui, oui_len)))) {

			target_ie = &in_ie[cnt];



			if (ie)

				memcpy(ie, &in_ie[cnt], in_ie[cnt+1]+2);

				memcpy(ie, &in_ie[cnt], ie_len + 2);



			if (ielen)

				*ielen = in_ie[cnt+1]+2;

				*ielen = ie_len + 2;



			break;

		}

		cnt += in_ie[cnt+1]+2; /* goto next */

		cnt += ie_len + 2; /* goto next */

	}



	return target_ie;

drivers/staging/rtl8723bs/core/rtw_mlme.c

+4 −1
Original line number Diff line number Diff line
@@ -1988,7 +1988,10 @@ int rtw_restruct_wmm_ie(struct adapter *adapter, u8 *in_ie, u8 *out_ie, uint in_ 
	while (i < in_len) {

		ielength = initial_out_len;



		if (in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 && in_ie[i + 3] == 0x50  && in_ie[i + 4] == 0xF2 && in_ie[i + 5] == 0x02 && i + 5 < in_len) { /* WMM element ID and OUI */

		if (i + 5 < in_len &&

		    in_ie[i] == 0xDD && in_ie[i + 2] == 0x00 &&

		    in_ie[i + 3] == 0x50 && in_ie[i + 4] == 0xF2 &&

		    in_ie[i + 5] == 0x02) {

			for (j = i; j < i + 9; j++) {

				out_ie[ielength] = in_ie[j];

				ielength++;

drivers/staging/sm750fb/sm750.c

+1 −0
Original line number Diff line number Diff line
@@ -1123,6 +1123,7 @@ static void lynxfb_pci_remove(struct pci_dev *pdev) 


	iounmap(sm750_dev->pvReg);

	iounmap(sm750_dev->pvMem);

	pci_release_region(pdev, 1);

	kfree(g_settings);

}

drivers/staging/sm750fb/sm750_hw.c

+11 −11
Original line number Diff line number Diff line
@@ -36,16 +36,11 @@ int hw_sm750_map(struct sm750_dev *sm750_dev, struct pci_dev *pdev) 


	pr_info("mmio phyAddr = %lx\n", sm750_dev->vidreg_start);



	/*

	 * reserve the vidreg space of smi adaptor

	 * if you do this, you need to add release region code

	 * in lynxfb_remove, or memory will not be mapped again

	 * successfully

	 */

	/* reserve the vidreg space of smi adaptor */

	ret = pci_request_region(pdev, 1, "sm750fb");

	if (ret) {

		pr_err("Can not request PCI regions.\n");

		goto exit;

		return ret;

	}



	/* now map mmio and vidmem */
@@ -54,7 +49,7 @@ int hw_sm750_map(struct sm750_dev *sm750_dev, struct pci_dev *pdev) 
	if (!sm750_dev->pvReg) {

		pr_err("mmio failed\n");

		ret = -EFAULT;

		goto exit;

		goto err_release_region;

	}

	pr_info("mmio virtual addr = %p\n", sm750_dev->pvReg);
@@ -79,13 +74,18 @@ int hw_sm750_map(struct sm750_dev *sm750_dev, struct pci_dev *pdev) 
	sm750_dev->pvMem =

		ioremap_wc(sm750_dev->vidmem_start, sm750_dev->vidmem_size);

	if (!sm750_dev->pvMem) {

		iounmap(sm750_dev->pvReg);

		pr_err("Map video memory failed\n");

		ret = -EFAULT;

		goto exit;

		goto err_unmap_reg;

	}

	pr_info("video memory vaddr = %p\n", sm750_dev->pvMem);

exit:



	return 0;



err_unmap_reg:

	iounmap(sm750_dev->pvReg);

err_release_region:

	pci_release_region(pdev, 1);

	return ret;

}