kernel/linux.git/drivers/staging, branch v6.1.2

vme: Fix error not catched in fake_init()

2022-12-31T12:32:42+00:00

[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] In fake_init(), __root_device_register() is possible to fail but it's ignored, which can cause unregistering vme_root fail when exit. general protection fault, probably for non-canonical address 0xdffffc000000008c KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] RIP: 0010:root_device_unregister+0x26/0x60 Call Trace: __x64_sys_delete_module+0x34f/0x540 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd Return error when __root_device_register() fails. Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") Signed-off-by: Chen Zhongjin Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()

2022-12-31T12:32:42+00:00

[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ] The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it, after calling this, dereferencing skb may trigger use-after-free. Found by Smatch. Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") Signed-off-by: YueHaibing Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: rtl8192u: Fix use after free in ieee80211_rx()

2022-12-31T12:32:42+00:00

[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ] We cannot dereference the "skb" pointer after calling ieee80211_monitor_rx(), because it is a use after free. Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") Signed-off-by: Dan Carpenter Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

staging: vme_user: Fix possible UAF in tsi148_dma_list_add

2022-12-31T12:32:39+00:00

[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] Smatch report warning as follows: drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: '&entry->list' not removed from list In tsi148_dma_list_add(), the error path "goto err_dma" will not remove entry->list from list->entries, but entry will be freed, then list traversal may cause UAF. Fix by removeing it from list->entries before free(). Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") Signed-off-by: Gaosheng Cui Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

drivers: staging: r8188eu: Fix sleep-in-atomic-context bug in rtw_join_timeout_handler

2022-12-31T12:32:38+00:00

[ Upstream commit ce8cc75c7419ad54cb99437543a54c97c7446db5 ] The rtw_join_timeout_handler() is a timer handler that runs in atomic context, but it could call msleep(). As a result, the sleep-in-atomic-context bug will happen. The process is shown below: (atomic context) rtw_join_timeout_handler _rtw_join_timeout_handler rtw_do_join rtw_select_and_join_from_scanned_queue rtw_indicate_disconnect rtw_lps_ctrl_wk_cmd lps_ctrl_wk_hdl LPS_Leave LPS_RF_ON_check msleep //sleep in atomic context Fix by removing msleep() and replacing with mdelay(). Fixes: 15865124feed ("staging: r8188eu: introduce new core dir for RTL8188eu driver") Signed-off-by: Duoming Zhou Link: https://lore.kernel.org/r/20221018083424.79741-1-duoming@zju.edu.cn Signed-off-by: Greg Kroah-Hartman Signed-off-by: Sasha Levin

media: staging: stkwebcam: Restore MEDIA_{USB,CAMERA}_SUPPORT dependencies

2022-12-31T12:32:25+00:00

[ Upstream commit faaf901727eddcfbe889fe172ec9cdb5e63c8236 ] By moving support for the USB Syntek DC1125 Camera to staging, the dependencies on MEDIA_USB_SUPPORT and MEDIA_CAMERA_SUPPORT were lost. Fixes: 56280c64ecac ("media: stkwebcam: deprecate driver, move to staging") Signed-off-by: Geert Uytterhoeven Reviewed-by: Ricardo Ribalda Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin

media: imx: imx7-media-csi: Clear BIT_MIPI_DOUBLE_CMPNT for <16b formats

2022-12-31T12:32:16+00:00

[ Upstream commit cccc08a95ca57624563daafd47df5691e8c38995 ] Commit 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") set BIT_MIPI_DOUBLE_CMPNT in the CR18 register for 16-bit YUV formats in imx7_csi_configure(). The CR18 register is always updated with read-modify-write cycles, so if a 16-bit YUV format is selected, the bit will stay set forever, even if the format is changed. Fix it by clearing the bit at the beginning of the imx7_csi_configure() function. While at it, swap two of the bits being cleared to match the MSB to LSB order. This doesn't cause any functional change. Fixes: 9babbbaaeb87 ("media: imx: imx7-media-csi: Use dual sampling for YUV 1X16") Signed-off-by: Laurent Pinchart Reviewed-by: Paul Elder Acked-by: Rui Miguel Silva Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Sasha Levin

media: rkvdec: Add required padding

2022-12-31T12:32:08+00:00

[ Upstream commit 00c47aa85bb26450edc6059c3d245de062e60b5d ] The addresses of two elements of the segmap[][] member are passed to the hardware which expects 128-bit aligned addresses. However, without this patch offsetof(struct rkvdec_vp9_priv_tbl, segmap[0]) is an odd number (2421) but the hardware just ignores the 5 least significant bits of the address. As a result, the hardware writes the segmentation map to incorrect locations. Inserting 11 bytes of padding corrects this situation by making the said addresses divisible by 16 (i.e. aligned on a 128-bit boundary). Signed-off-by: Andrzej Pietrasiewicz Fixes: f25709c4ff15 ("media: rkvdec: Add the VP9 backend") Reviewed-by: Nicolas Dufresne Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin

media: cedrus: hevc: Fix offset adjustments

2022-12-31T12:32:04+00:00

[ Upstream commit e9120e76a6f7e19a8d26c03f2964937e4ce69784 ] As it turns out, current padding size check works fine in theory but it doesn't in practice. Most probable reason are caching issues. Let's rework reading data from bitstream using Cedrus engine instead of CPU. That way we avoid all cache issues and make sure that we're reading same data as Cedrus. Fixes: e7060d9a78c2 ("media: uapi: Change data_bit_offset definition") Signed-off-by: Jernej Skrabec Signed-off-by: Hans Verkuil Signed-off-by: Sasha Levin

staging: r8188eu: fix led register settings

2022-12-21T16:48:09+00:00

commit 12c6223fc1804fd9295dc50d358294539b4a4184 upstream. Using an InterTech DMG-02 dongle, the led remains on when the system goes into standby mode. After wakeup, it's no longer possible to control the led. It turned out that the register settings to enable or disable the led were not correct. They worked for some dongles like the Edimax V2 but not for others like the InterTech DMG-02. This patch fixes the register settings. Bit 3 in the led_cfg2 register controls the led status, bit 5 must always be set to be able to control the led, bit 6 has no influence on the led. Setting the mac_pinmux_cfg register is not necessary. These settings were tested with Edimax V2 and InterTech DMG-02. Cc: stable@vger.kernel.org Fixes: 8cd574e6af54 ("staging: r8188eu: introduce new hal dir for RTL8188eu driver") Suggested-by: Michael Straube Signed-off-by: Martin Kaiser Tested-by: Michael Straube # InterTech DMG-02, Tested-by: Philipp Hortmann # Edimax N150 Link: https://lore.kernel.org/r/20221015151115.232095-2-martin@kaiser.cx Signed-off-by: Greg Kroah-Hartman