From 7c806883e143dc60439e6bdb3589700ebed1efaa Mon Sep 17 00:00:00 2001 From: ZhengShunQian Date: Wed, 30 Sep 2015 13:33:56 +0100 Subject: [PATCH 1/6] nvmem: core: fix the out-of-range leak in read/write() The position to read/write must be less than max register size. Signed-off-by: ZhengShunQian Acked-by: Srinivas Kandagatla Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/core.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index d3c6676b3c0c..f4af8e5fcd94 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -67,7 +67,7 @@ static ssize_t bin_attr_nvmem_read(struct file *filp, struct kobject *kobj, int rc; /* Stop the user from reading */ - if (pos > nvmem->size) + if (pos >= nvmem->size) return 0; if (pos + count > nvmem->size) @@ -92,7 +92,7 @@ static ssize_t bin_attr_nvmem_write(struct file *filp, struct kobject *kobj, int rc; /* Stop the user from writing */ - if (pos > nvmem->size) + if (pos >= nvmem->size) return 0; if (pos + count > nvmem->size) From cbf854ab36870b931aeba4edd954015b7c3005a2 Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Wed, 30 Sep 2015 13:35:15 +0100 Subject: [PATCH 2/6] nvmem: core: Handle shift bits in-place if cell->nbits is non-zero It's pointless to test (cell->bit_offset || cell->bit_offset). nvmem_shift_read_buffer_in_place() should be called when (cell->bit_offset || cell->nbits). Signed-off-by: Axel Lin Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index f4af8e5fcd94..676607cb01bb 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -825,7 +825,7 @@ static int __nvmem_cell_read(struct nvmem_device *nvmem, return rc; /* shift bits in-place */ - if (cell->bit_offset || cell->bit_offset) + if (cell->bit_offset || cell->nbits) nvmem_shift_read_buffer_in_place(cell, buf); *len = cell->bytes; From ace22170655f61d82fff95e57d673bf847a32a03 Mon Sep 17 00:00:00 2001 From: Axel Lin Date: Wed, 30 Sep 2015 13:36:10 +0100 Subject: [PATCH 3/6] nvmem: core: Fix memory leak in nvmem_cell_write A tmp buffer is allocated if cell->bit_offset || cell->nbits. So the tmp buffer needs to be freed at the same condition to avoid leak. Signed-off-by: Axel Lin Signed-off-by: Srinivas Kandagatla Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/core.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/nvmem/core.c b/drivers/nvmem/core.c index 676607cb01bb..6fd4e5a5ef4a 100644 --- a/drivers/nvmem/core.c +++ b/drivers/nvmem/core.c @@ -938,7 +938,7 @@ int nvmem_cell_write(struct nvmem_cell *cell, void *buf, size_t len) rc = regmap_raw_write(nvmem->regmap, cell->offset, buf, cell->bytes); /* free the tmp buffer */ - if (cell->bit_offset) + if (cell->bit_offset || cell->nbits) kfree(buf); if (IS_ERR_VALUE(rc)) From fb727077b04f768d0c79d9aa29e958262a9e3d9e Mon Sep 17 00:00:00 2001 From: Maxime Ripard Date: Wed, 30 Sep 2015 13:36:31 +0100 Subject: [PATCH 4/6] nvmem: sunxi: Check for memory allocation failure The sunxi_sid driver doesn't check for kmalloc return status before derefencing the returned pointer, which could lead to a NULL pointer dereference if kmalloc failed. Check for its return code to make sure it deosn't happen. Reported-by: Dan Carpenter Signed-off-by: Maxime Ripard Signed-off-by: Greg Kroah-Hartman --- drivers/nvmem/sunxi_sid.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/drivers/nvmem/sunxi_sid.c b/drivers/nvmem/sunxi_sid.c index 14777dd5212d..cfa3b85064dd 100644 --- a/drivers/nvmem/sunxi_sid.c +++ b/drivers/nvmem/sunxi_sid.c @@ -103,7 +103,7 @@ static int sunxi_sid_probe(struct platform_device *pdev) struct nvmem_device *nvmem; struct regmap *regmap; struct sunxi_sid *sid; - int i, size; + int ret, i, size; char *randomness; sid = devm_kzalloc(dev, sizeof(*sid), GFP_KERNEL); @@ -131,6 +131,11 @@ static int sunxi_sid_probe(struct platform_device *pdev) return PTR_ERR(nvmem); randomness = kzalloc(sizeof(u8) * size, GFP_KERNEL); + if (!randomness) { + ret = -EINVAL; + goto err_unreg_nvmem; + } + for (i = 0; i < size; i++) randomness[i] = sunxi_sid_read_byte(sid, i); @@ -140,6 +145,10 @@ static int sunxi_sid_probe(struct platform_device *pdev) platform_set_drvdata(pdev, nvmem); return 0; + +err_unreg_nvmem: + nvmem_unregister(nvmem); + return ret; } static int sunxi_sid_remove(struct platform_device *pdev) From 84dfe03ae2112b817d5221575d59ba616dc0c3e2 Mon Sep 17 00:00:00 2001 From: Alexander Usyskin Date: Mon, 21 Sep 2015 11:45:32 +0300 Subject: [PATCH 5/6] mei: hbm: fix error in state check logic MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Use || instead && in state check. The latter is bogus and leads to following warning: drivers/misc/mei/hbm.c:1212:46: warning: logical ‘and’ of mutually exclusive tests is always false [-Wlogical-op] Fixes: 70ef835c84b3 ("mei: support for dynamic clients") Reported-by: David Binderman Signed-off-by: Alexander Usyskin Signed-off-by: Tomas Winkler Signed-off-by: Greg Kroah-Hartman --- drivers/misc/mei/hbm.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/misc/mei/hbm.c b/drivers/misc/mei/hbm.c index 8eec887c8f70..6d7c188fb65c 100644 --- a/drivers/misc/mei/hbm.c +++ b/drivers/misc/mei/hbm.c @@ -1209,7 +1209,7 @@ int mei_hbm_dispatch(struct mei_device *dev, struct mei_msg_hdr *hdr) * after the host receives the enum_resp * message clients may be added or removed */ - if (dev->hbm_state <= MEI_HBM_ENUM_CLIENTS && + if (dev->hbm_state <= MEI_HBM_ENUM_CLIENTS || dev->hbm_state >= MEI_HBM_STOPPED) { dev_err(dev->dev, "hbm: add client: state mismatch, [%d, %d]\n", dev->dev_state, dev->hbm_state); From 41ada9df7f340998e810dcda21a00da5f75c4147 Mon Sep 17 00:00:00 2001 From: Alexey Khoroshilov Date: Mon, 24 Aug 2015 10:18:38 +0200 Subject: [PATCH 6/6] mcb: Fix error handling in mcb_pci_probe() If a MCB PCI Carrier device is IO mapped insted of memory-mapped, the memory of the PCI device is still not unmapped. Also the patch adds deallocation of the bus if chameleon_parse_cells() fails. Found by Linux Driver Verification project (linuxtesting.org). Signed-off-by: Alexey Khoroshilov Signed-off-by: Johannes Thumshirn Signed-off-by: Greg Kroah-Hartman --- drivers/mcb/mcb-pci.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/drivers/mcb/mcb-pci.c b/drivers/mcb/mcb-pci.c index de36237d7c6b..051645498b53 100644 --- a/drivers/mcb/mcb-pci.c +++ b/drivers/mcb/mcb-pci.c @@ -74,7 +74,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) ret = -ENOTSUPP; dev_err(&pdev->dev, "IO mapped PCI devices are not supported\n"); - goto out_release; + goto out_iounmap; } pci_set_drvdata(pdev, priv); @@ -89,7 +89,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) ret = chameleon_parse_cells(priv->bus, priv->mapbase, priv->base); if (ret < 0) - goto out_iounmap; + goto out_mcb_bus; num_cells = ret; dev_dbg(&pdev->dev, "Found %d cells\n", num_cells); @@ -98,6 +98,8 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) return 0; +out_mcb_bus: + mcb_release_bus(priv->bus); out_iounmap: iounmap(priv->base); out_release: