--- /dev/null
+From 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:35:27 +0100
+Subject: ALSA: rawmidi: Access runtime->avail always in spinlock
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 88a06d6fd6b369d88cec46c62db3e2604a2f50d5 upstream.
+
+The runtime->avail field may be accessed concurrently while some
+places refer to it without taking the runtime->lock spinlock, as
+detected by KCSAN. Usually this isn't a big problem, but for
+consistency and safety, we should take the spinlock at each place
+referencing this field.
+
+Reported-by: syzbot+a23a6f1215c84756577c@syzkaller.appspotmail.com
+Reported-by: syzbot+3d367d1df1d2b67f5c19@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083527.21163-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/rawmidi.c | 49 +++++++++++++++++++++++++++++++++++--------------
+ 1 file changed, 35 insertions(+), 14 deletions(-)
+
+--- a/sound/core/rawmidi.c
++++ b/sound/core/rawmidi.c
+@@ -72,11 +72,21 @@ static inline unsigned short snd_rawmidi
+ }
+ }
+
+-static inline int snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
++static inline bool __snd_rawmidi_ready(struct snd_rawmidi_runtime *runtime)
++{
++ return runtime->avail >= runtime->avail_min;
++}
++
++static bool snd_rawmidi_ready(struct snd_rawmidi_substream *substream)
+ {
+ struct snd_rawmidi_runtime *runtime = substream->runtime;
++ unsigned long flags;
++ bool ready;
+
+- return runtime->avail >= runtime->avail_min;
++ spin_lock_irqsave(&runtime->lock, flags);
++ ready = __snd_rawmidi_ready(runtime);
++ spin_unlock_irqrestore(&runtime->lock, flags);
++ return ready;
+ }
+
+ static inline int snd_rawmidi_ready_append(struct snd_rawmidi_substream *substream,
+@@ -945,7 +955,7 @@ int snd_rawmidi_receive(struct snd_rawmi
+ if (result > 0) {
+ if (runtime->event)
+ schedule_work(&runtime->event_work);
+- else if (snd_rawmidi_ready(substream))
++ else if (__snd_rawmidi_ready(runtime))
+ wake_up(&runtime->sleep);
+ }
+ spin_unlock_irqrestore(&runtime->lock, flags);
+@@ -1024,7 +1034,7 @@ static ssize_t snd_rawmidi_read(struct f
+ result = 0;
+ while (count > 0) {
+ spin_lock_irq(&runtime->lock);
+- while (!snd_rawmidi_ready(substream)) {
++ while (!__snd_rawmidi_ready(runtime)) {
+ wait_queue_entry_t wait;
+
+ if ((file->f_flags & O_NONBLOCK) != 0 || result > 0) {
+@@ -1041,9 +1051,11 @@ static ssize_t snd_rawmidi_read(struct f
+ return -ENODEV;
+ if (signal_pending(current))
+ return result > 0 ? result : -ERESTARTSYS;
+- if (!runtime->avail)
+- return result > 0 ? result : -EIO;
+ spin_lock_irq(&runtime->lock);
++ if (!runtime->avail) {
++ spin_unlock_irq(&runtime->lock);
++ return result > 0 ? result : -EIO;
++ }
+ }
+ spin_unlock_irq(&runtime->lock);
+ count1 = snd_rawmidi_kernel_read1(substream,
+@@ -1181,7 +1193,7 @@ int __snd_rawmidi_transmit_ack(struct sn
+ runtime->avail += count;
+ substream->bytes += count;
+ if (count > 0) {
+- if (runtime->drain || snd_rawmidi_ready(substream))
++ if (runtime->drain || __snd_rawmidi_ready(runtime))
+ wake_up(&runtime->sleep);
+ }
+ return count;
+@@ -1370,9 +1382,11 @@ static ssize_t snd_rawmidi_write(struct
+ return -ENODEV;
+ if (signal_pending(current))
+ return result > 0 ? result : -ERESTARTSYS;
+- if (!runtime->avail && !timeout)
+- return result > 0 ? result : -EIO;
+ spin_lock_irq(&runtime->lock);
++ if (!runtime->avail && !timeout) {
++ spin_unlock_irq(&runtime->lock);
++ return result > 0 ? result : -EIO;
++ }
+ }
+ spin_unlock_irq(&runtime->lock);
+ count1 = snd_rawmidi_kernel_write1(substream, buf, NULL, count);
+@@ -1452,6 +1466,7 @@ static void snd_rawmidi_proc_info_read(s
+ struct snd_rawmidi *rmidi;
+ struct snd_rawmidi_substream *substream;
+ struct snd_rawmidi_runtime *runtime;
++ unsigned long buffer_size, avail, xruns;
+
+ rmidi = entry->private_data;
+ snd_iprintf(buffer, "%s\n\n", rmidi->name);
+@@ -1470,13 +1485,16 @@ static void snd_rawmidi_proc_info_read(s
+ " Owner PID : %d\n",
+ pid_vnr(substream->pid));
+ runtime = substream->runtime;
++ spin_lock_irq(&runtime->lock);
++ buffer_size = runtime->buffer_size;
++ avail = runtime->avail;
++ spin_unlock_irq(&runtime->lock);
+ snd_iprintf(buffer,
+ " Mode : %s\n"
+ " Buffer size : %lu\n"
+ " Avail : %lu\n",
+ runtime->oss ? "OSS compatible" : "native",
+- (unsigned long) runtime->buffer_size,
+- (unsigned long) runtime->avail);
++ buffer_size, avail);
+ }
+ }
+ }
+@@ -1494,13 +1512,16 @@ static void snd_rawmidi_proc_info_read(s
+ " Owner PID : %d\n",
+ pid_vnr(substream->pid));
+ runtime = substream->runtime;
++ spin_lock_irq(&runtime->lock);
++ buffer_size = runtime->buffer_size;
++ avail = runtime->avail;
++ xruns = runtime->xruns;
++ spin_unlock_irq(&runtime->lock);
+ snd_iprintf(buffer,
+ " Buffer size : %lu\n"
+ " Avail : %lu\n"
+ " Overruns : %lu\n",
+- (unsigned long) runtime->buffer_size,
+- (unsigned long) runtime->avail,
+- (unsigned long) runtime->xruns);
++ buffer_size, avail, xruns);
+ }
+ }
+ }
--- /dev/null
+From 4ebd47037027c4beae99680bff3b20fdee5d7c1e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Sun, 6 Dec 2020 09:34:56 +0100
+Subject: ALSA: seq: Use bool for snd_seq_queue internal flags
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 4ebd47037027c4beae99680bff3b20fdee5d7c1e upstream.
+
+The snd_seq_queue struct contains various flags in the bit fields.
+Those are categorized to two different use cases, both of which are
+protected by different spinlocks. That implies that there are still
+potential risks of the bad operations for bit fields by concurrent
+accesses.
+
+For addressing the problem, this patch rearranges those flags to be
+a standard bool instead of a bit field.
+
+Reported-by: syzbot+63cbe31877bb80ef58f5@syzkaller.appspotmail.com
+Link: https://lore.kernel.org/r/20201206083456.21110-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/core/seq/seq_queue.h | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/core/seq/seq_queue.h
++++ b/sound/core/seq/seq_queue.h
+@@ -26,10 +26,10 @@ struct snd_seq_queue {
+
+ struct snd_seq_timer *timer; /* time keeper for this queue */
+ int owner; /* client that 'owns' the timer */
+- unsigned int locked:1, /* timer is only accesibble by owner if set */
+- klocked:1, /* kernel lock (after START) */
+- check_again:1,
+- check_blocked:1;
++ bool locked; /* timer is only accesibble by owner if set */
++ bool klocked; /* kernel lock (after START) */
++ bool check_again; /* concurrent access happened during check */
++ bool check_blocked; /* queue being checked */
+
+ unsigned int flags; /* status flags */
+ unsigned int info_flags; /* info for sync */
--- /dev/null
+From dc889b8d4a8122549feabe99eead04e6b23b6513 Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 15 Dec 2020 20:45:44 -0800
+Subject: bfs: don't use WARNING: string when it's just info.
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit dc889b8d4a8122549feabe99eead04e6b23b6513 upstream.
+
+Make the printk() [bfs "printf" macro] seem less severe by changing
+"WARNING:" to "NOTE:".
+
+<asm-generic/bug.h> warns us about using WARNING or BUG in a format string
+other than in WARN() or BUG() family macros. bfs/inode.c is doing just
+that in a normal printk() call, so change the "WARNING" string to be
+"NOTE".
+
+Link: https://lkml.kernel.org/r/20201203212634.17278-1-rdunlap@infradead.org
+Reported-by: syzbot+3fd34060f26e766536ff@syzkaller.appspotmail.com
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Al Viro <viro@ZenIV.linux.org.uk>
+Cc: "Tigran A. Aivazian" <aivazian.tigran@gmail.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/bfs/inode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/bfs/inode.c
++++ b/fs/bfs/inode.c
+@@ -351,7 +351,7 @@ static int bfs_fill_super(struct super_b
+
+ info->si_lasti = (le32_to_cpu(bfs_sb->s_start) - BFS_BSIZE) / sizeof(struct bfs_inode) + BFS_ROOT_INO - 1;
+ if (info->si_lasti == BFS_MAX_LASTI)
+- printf("WARNING: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id);
++ printf("NOTE: filesystem %s was created with 512 inodes, the real maximum is 511, mounting anyway\n", s->s_id);
+ else if (info->si_lasti > BFS_MAX_LASTI) {
+ printf("Impossible last inode number %lu > %d on %s\n", info->si_lasti, BFS_MAX_LASTI, s->s_id);
+ goto out1;
--- /dev/null
+From 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Wed, 30 Sep 2020 00:28:15 +0530
+Subject: Bluetooth: hci_h5: close serdev device and free hu in h5_close
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 70f259a3f4276b71db365b1d6ff1eab805ea6ec3 upstream.
+
+When h5_close() gets called, the memory allocated for the hu gets
+freed only if hu->serdev doesn't exist. This leads to a memory leak.
+So when h5_close() is requested, close the serdev device instance and
+free the memory allocated to the hu entirely instead.
+
+Fixes: https://syzkaller.appspot.com/bug?extid=6ce141c55b2f7aafd1c4
+Reported-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Tested-by: syzbot+6ce141c55b2f7aafd1c4@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/bluetooth/hci_h5.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/bluetooth/hci_h5.c
++++ b/drivers/bluetooth/hci_h5.c
+@@ -250,8 +250,12 @@ static int h5_close(struct hci_uart *hu)
+ if (h5->vnd && h5->vnd->close)
+ h5->vnd->close(h5);
+
+- if (!hu->serdev)
+- kfree(h5);
++ if (hu->serdev)
++ serdev_device_close(hu->serdev);
++
++ kfree_skb(h5->rx_skb);
++ kfree(h5);
++ h5 = NULL;
+
+ return 0;
+ }
--- /dev/null
+From 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc Mon Sep 17 00:00:00 2001
+From: Qinglang Miao <miaoqinglang@huawei.com>
+Date: Thu, 10 Dec 2020 09:29:43 +0800
+Subject: cgroup: Fix memory leak when parsing multiple source parameters
+
+From: Qinglang Miao <miaoqinglang@huawei.com>
+
+commit 2d18e54dd8662442ef5898c6bdadeaf90b3cebbc upstream.
+
+A memory leak is found in cgroup1_parse_param() when multiple source
+parameters overwrite fc->source in the fs_context struct without free.
+
+unreferenced object 0xffff888100d930e0 (size 16):
+ comm "mount", pid 520, jiffies 4303326831 (age 152.783s)
+ hex dump (first 16 bytes):
+ 74 65 73 74 6c 65 61 6b 00 00 00 00 00 00 00 00 testleak........
+ backtrace:
+ [<000000003e5023ec>] kmemdup_nul+0x2d/0xa0
+ [<00000000377dbdaa>] vfs_parse_fs_string+0xc0/0x150
+ [<00000000cb2b4882>] generic_parse_monolithic+0x15a/0x1d0
+ [<000000000f750198>] path_mount+0xee1/0x1820
+ [<0000000004756de2>] do_mount+0xea/0x100
+ [<0000000094cafb0a>] __x64_sys_mount+0x14b/0x1f0
+
+Fix this bug by permitting a single source parameter and rejecting with
+an error all subsequent ones.
+
+Fixes: 8d2451f4994f ("cgroup1: switch to option-by-option parsing")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Qinglang Miao <miaoqinglang@huawei.com>
+Reviewed-by: Zefan Li <lizefan@huawei.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/cgroup/cgroup-v1.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/cgroup/cgroup-v1.c
++++ b/kernel/cgroup/cgroup-v1.c
+@@ -914,6 +914,8 @@ int cgroup1_parse_param(struct fs_contex
+ opt = fs_parse(fc, &cgroup1_fs_parameters, param, &result);
+ if (opt == -ENOPARAM) {
+ if (strcmp(param->key, "source") == 0) {
++ if (fc->source)
++ return invalf(fc, "Multiple sources not supported");
+ fc->source = param->string;
+ param->string = NULL;
+ return 0;
--- /dev/null
+From e584bbe821229a3e7cc409eecd51df66f9268c21 Mon Sep 17 00:00:00 2001
+From: Chao Yu <chao@kernel.org>
+Date: Wed, 9 Dec 2020 16:49:36 +0800
+Subject: f2fs: fix shift-out-of-bounds in sanity_check_raw_super()
+
+From: Chao Yu <yuchao0@huawei.com>
+
+commit e584bbe821229a3e7cc409eecd51df66f9268c21 upstream.
+
+syzbot reported a bug which could cause shift-out-of-bounds issue,
+fix it.
+
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x107/0x163 lib/dump_stack.c:120
+ ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
+ __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
+ sanity_check_raw_super fs/f2fs/super.c:2812 [inline]
+ read_raw_super_block fs/f2fs/super.c:3267 [inline]
+ f2fs_fill_super.cold+0x16c9/0x16f6 fs/f2fs/super.c:3519
+ mount_bdev+0x34d/0x410 fs/super.c:1366
+ legacy_get_tree+0x105/0x220 fs/fs_context.c:592
+ vfs_get_tree+0x89/0x2f0 fs/super.c:1496
+ do_new_mount fs/namespace.c:2896 [inline]
+ path_mount+0x12ae/0x1e70 fs/namespace.c:3227
+ do_mount fs/namespace.c:3240 [inline]
+ __do_sys_mount fs/namespace.c:3448 [inline]
+ __se_sys_mount fs/namespace.c:3425 [inline]
+ __x64_sys_mount+0x27f/0x300 fs/namespace.c:3425
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Reported-by: syzbot+ca9a785f8ac472085994@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: Chao Yu <yuchao0@huawei.com>
+Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/f2fs/super.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/fs/f2fs/super.c
++++ b/fs/f2fs/super.c
+@@ -2523,7 +2523,6 @@ static int sanity_check_raw_super(struct
+ block_t total_sections, blocks_per_seg;
+ struct f2fs_super_block *raw_super = (struct f2fs_super_block *)
+ (bh->b_data + F2FS_SUPER_OFFSET);
+- unsigned int blocksize;
+ size_t crc_offset = 0;
+ __u32 crc = 0;
+
+@@ -2557,10 +2556,10 @@ static int sanity_check_raw_super(struct
+ }
+
+ /* Currently, support only 4KB block size */
+- blocksize = 1 << le32_to_cpu(raw_super->log_blocksize);
+- if (blocksize != F2FS_BLKSIZE) {
+- f2fs_info(sbi, "Invalid blocksize (%u), supports only 4KB",
+- blocksize);
++ if (le32_to_cpu(raw_super->log_blocksize) != F2FS_BLKSIZE_BITS) {
++ f2fs_info(sbi, "Invalid log_blocksize (%u), supports only %u",
++ le32_to_cpu(raw_super->log_blocksize),
++ F2FS_BLKSIZE_BITS);
+ return -EFSCORRUPTED;
+ }
+
--- /dev/null
+From 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c Mon Sep 17 00:00:00 2001
+From: Boqun Feng <boqun.feng@gmail.com>
+Date: Thu, 5 Nov 2020 14:23:51 +0800
+Subject: fcntl: Fix potential deadlock in send_sig{io, urg}()
+
+From: Boqun Feng <boqun.feng@gmail.com>
+
+commit 8d1ddb5e79374fb277985a6b3faa2ed8631c5b4c upstream.
+
+Syzbot reports a potential deadlock found by the newly added recursive
+read deadlock detection in lockdep:
+
+[...] ========================================================
+[...] WARNING: possible irq lock inversion dependency detected
+[...] 5.9.0-rc2-syzkaller #0 Not tainted
+[...] --------------------------------------------------------
+[...] syz-executor.1/10214 just changed the state of lock:
+[...] ffff88811f506338 (&f->f_owner.lock){.+..}-{2:2}, at: send_sigurg+0x1d/0x200
+[...] but this lock was taken by another, HARDIRQ-safe lock in the past:
+[...] (&dev->event_lock){-...}-{2:2}
+[...]
+[...]
+[...] and interrupts could create inverse lock ordering between them.
+[...]
+[...]
+[...] other info that might help us debug this:
+[...] Chain exists of:
+[...] &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
+[...]
+[...] Possible interrupt unsafe locking scenario:
+[...]
+[...] CPU0 CPU1
+[...] ---- ----
+[...] lock(&f->f_owner.lock);
+[...] local_irq_disable();
+[...] lock(&dev->event_lock);
+[...] lock(&new->fa_lock);
+[...] <Interrupt>
+[...] lock(&dev->event_lock);
+[...]
+[...] *** DEADLOCK ***
+
+The corresponding deadlock case is as followed:
+
+ CPU 0 CPU 1 CPU 2
+ read_lock(&fown->lock);
+ spin_lock_irqsave(&dev->event_lock, ...)
+ write_lock_irq(&filp->f_owner.lock); // wait for the lock
+ read_lock(&fown-lock); // have to wait until the writer release
+ // due to the fairness
+ <interrupted>
+ spin_lock_irqsave(&dev->event_lock); // wait for the lock
+
+The lock dependency on CPU 1 happens if there exists a call sequence:
+
+ input_inject_event():
+ spin_lock_irqsave(&dev->event_lock,...);
+ input_handle_event():
+ input_pass_values():
+ input_to_handler():
+ handler->event(): // evdev_event()
+ evdev_pass_values():
+ spin_lock(&client->buffer_lock);
+ __pass_event():
+ kill_fasync():
+ kill_fasync_rcu():
+ read_lock(&fa->fa_lock);
+ send_sigio():
+ read_lock(&fown->lock);
+
+To fix this, make the reader in send_sigurg() and send_sigio() use
+read_lock_irqsave() and read_lock_irqrestore().
+
+Reported-by: syzbot+22e87cdf94021b984aa6@syzkaller.appspotmail.com
+Reported-by: syzbot+c5e32344981ad9f33750@syzkaller.appspotmail.com
+Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
+Signed-off-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fcntl.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/fcntl.c
++++ b/fs/fcntl.c
+@@ -779,9 +779,10 @@ void send_sigio(struct fown_struct *fown
+ {
+ struct task_struct *p;
+ enum pid_type type;
++ unsigned long flags;
+ struct pid *pid;
+
+- read_lock(&fown->lock);
++ read_lock_irqsave(&fown->lock, flags);
+
+ type = fown->pid_type;
+ pid = fown->pid;
+@@ -802,7 +803,7 @@ void send_sigio(struct fown_struct *fown
+ read_unlock(&tasklist_lock);
+ }
+ out_unlock_fown:
+- read_unlock(&fown->lock);
++ read_unlock_irqrestore(&fown->lock, flags);
+ }
+
+ static void send_sigurg_to_task(struct task_struct *p,
+@@ -817,9 +818,10 @@ int send_sigurg(struct fown_struct *fown
+ struct task_struct *p;
+ enum pid_type type;
+ struct pid *pid;
++ unsigned long flags;
+ int ret = 0;
+
+- read_lock(&fown->lock);
++ read_lock_irqsave(&fown->lock, flags);
+
+ type = fown->pid_type;
+ pid = fown->pid;
+@@ -842,7 +844,7 @@ int send_sigurg(struct fown_struct *fown
+ read_unlock(&tasklist_lock);
+ }
+ out_unlock_fown:
+- read_unlock(&fown->lock);
++ read_unlock_irqrestore(&fown->lock, flags);
+ return ret;
+ }
+
--- /dev/null
+From d0ac1a26ed5943127cb0156148735f5f52a07075 Mon Sep 17 00:00:00 2001
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Date: Fri, 27 Nov 2020 07:40:21 +0100
+Subject: media: gp8psk: initialize stats at power control logic
+
+From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+
+commit d0ac1a26ed5943127cb0156148735f5f52a07075 upstream.
+
+As reported on:
+ https://lore.kernel.org/linux-media/20190627222020.45909-1-willemdebruijn.kernel@gmail.com/
+
+if gp8psk_usb_in_op() returns an error, the status var is not
+initialized. Yet, this var is used later on, in order to
+identify:
+ - if the device was already started;
+ - if firmware has loaded;
+ - if the LNBf was powered on.
+
+Using status = 0 seems to ensure that everything will be
+properly powered up.
+
+So, instead of the proposed solution, let's just set
+status = 0.
+
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Reported-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/media/usb/dvb-usb/gp8psk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/usb/dvb-usb/gp8psk.c
++++ b/drivers/media/usb/dvb-usb/gp8psk.c
+@@ -182,7 +182,7 @@ out_rel_fw:
+
+ static int gp8psk_power_ctrl(struct dvb_usb_device *d, int onoff)
+ {
+- u8 status, buf;
++ u8 status = 0, buf;
+ int gp_product_id = le16_to_cpu(d->udev->descriptor.idProduct);
+
+ if (onoff) {
--- /dev/null
+From 31dcb6c30a26d32650ce134820f27de3c675a45a Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 23 Nov 2020 04:15:34 +0530
+Subject: misc: vmw_vmci: fix kernel info-leak by initializing dbells in vmci_ctx_get_chkpt_doorbells()
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 31dcb6c30a26d32650ce134820f27de3c675a45a upstream.
+
+A kernel-infoleak was reported by syzbot, which was caused because
+dbells was left uninitialized.
+Using kzalloc() instead of kmalloc() fixes this issue.
+
+Reported-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Tested-by: syzbot+a79e17c39564bedf0930@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Link: https://lore.kernel.org/r/20201122224534.333471-1-anant.thazhemadam@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/misc/vmw_vmci/vmci_context.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/misc/vmw_vmci/vmci_context.c
++++ b/drivers/misc/vmw_vmci/vmci_context.c
+@@ -743,7 +743,7 @@ static int vmci_ctx_get_chkpt_doorbells(
+ return VMCI_ERROR_MORE_DATA;
+ }
+
+- dbells = kmalloc(data_size, GFP_ATOMIC);
++ dbells = kzalloc(data_size, GFP_ATOMIC);
+ if (!dbells)
+ return VMCI_ERROR_NO_MEM;
+
--- /dev/null
+From d24396c5290ba8ab04ba505176874c4e04a2d53c Mon Sep 17 00:00:00 2001
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+Date: Sun, 1 Nov 2020 06:09:58 -0800
+Subject: reiserfs: add check for an invalid ih_entry_count
+
+From: Rustam Kovhaev <rkovhaev@gmail.com>
+
+commit d24396c5290ba8ab04ba505176874c4e04a2d53c upstream.
+
+when directory item has an invalid value set for ih_entry_count it might
+trigger use-after-free or out-of-bounds read in bin_search_in_dir_item()
+
+ih_entry_count * IH_SIZE for directory item should not be larger than
+ih_item_len
+
+Link: https://lore.kernel.org/r/20201101140958.3650143-1-rkovhaev@gmail.com
+Reported-and-tested-by: syzbot+83b6f7cf9922cae5c4d7@syzkaller.appspotmail.com
+Link: https://syzkaller.appspot.com/bug?extid=83b6f7cf9922cae5c4d7
+Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
+Signed-off-by: Jan Kara <jack@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/reiserfs/stree.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/fs/reiserfs/stree.c
++++ b/fs/reiserfs/stree.c
+@@ -454,6 +454,12 @@ static int is_leaf(char *buf, int blocks
+ "(second one): %h", ih);
+ return 0;
+ }
++ if (is_direntry_le_ih(ih) && (ih_item_len(ih) < (ih_entry_count(ih) * IH_SIZE))) {
++ reiserfs_warning(NULL, "reiserfs-5093",
++ "item entry count seems wrong %h",
++ ih);
++ return 0;
++ }
+ prev_location = ih_location(ih);
+ }
+
--- /dev/null
+From cb5253198f10a4cd79b7523c581e6173c7d49ddb Mon Sep 17 00:00:00 2001
+From: Randy Dunlap <rdunlap@infradead.org>
+Date: Tue, 8 Dec 2020 14:05:05 -0800
+Subject: scsi: cxgb4i: Fix TLS dependency
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+commit cb5253198f10a4cd79b7523c581e6173c7d49ddb upstream.
+
+SCSI_CXGB4_ISCSI selects CHELSIO_T4. The latter depends on TLS || TLS=n, so
+since 'select' does not check dependencies of the selected symbol,
+SCSI_CXGB4_ISCSI should also depend on TLS || TLS=n.
+
+This prevents the following kconfig warning and restricts SCSI_CXGB4_ISCSI
+to 'm' whenever TLS=m.
+
+WARNING: unmet direct dependencies detected for CHELSIO_T4
+ Depends on [m]: NETDEVICES [=y] && ETHERNET [=y] && NET_VENDOR_CHELSIO [=y] && PCI [=y] && (IPV6 [=y] || IPV6 [=y]=n) && (TLS [=m] || TLS [=m]=n)
+ Selected by [y]:
+ - SCSI_CXGB4_ISCSI [=y] && SCSI_LOWLEVEL [=y] && SCSI [=y] && PCI [=y] && INET [=y] && (IPV6 [=y] || IPV6 [=y]=n) && ETHERNET [=y]
+
+Link: https://lore.kernel.org/r/20201208220505.24488-1-rdunlap@infradead.org
+Fixes: 7b36b6e03b0d ("[SCSI] cxgb4i v5: iscsi driver")
+Cc: Karen Xie <kxie@chelsio.com>
+Cc: linux-scsi@vger.kernel.org
+Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
+Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/cxgbi/cxgb4i/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/cxgbi/cxgb4i/Kconfig
++++ b/drivers/scsi/cxgbi/cxgb4i/Kconfig
+@@ -4,6 +4,7 @@ config SCSI_CXGB4_ISCSI
+ depends on PCI && INET && (IPV6 || IPV6=n)
+ depends on THERMAL || !THERMAL
+ depends on ETHERNET
++ depends on TLS || TLS=n
+ select NET_VENDOR_CHELSIO
+ select CHELSIO_T4
+ select CHELSIO_LIB
tools-headers-uapi-sync-linux-const.h-with-the-kernel-headers.patch
null_blk-fix-zone-size-initialization.patch
of-fix-linker-section-match-table-corruption.patch
+cgroup-fix-memory-leak-when-parsing-multiple-source-parameters.patch
+scsi-cxgb4i-fix-tls-dependency.patch
+bluetooth-hci_h5-close-serdev-device-and-free-hu-in-h5_close.patch
+reiserfs-add-check-for-an-invalid-ih_entry_count.patch
+misc-vmw_vmci-fix-kernel-info-leak-by-initializing-dbells-in-vmci_ctx_get_chkpt_doorbells.patch
+media-gp8psk-initialize-stats-at-power-control-logic.patch
+f2fs-fix-shift-out-of-bounds-in-sanity_check_raw_super.patch
+alsa-seq-use-bool-for-snd_seq_queue-internal-flags.patch
+alsa-rawmidi-access-runtime-avail-always-in-spinlock.patch
+bfs-don-t-use-warning-string-when-it-s-just-info.patch
+fcntl-fix-potential-deadlock-in-send_sig-io-urg.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
