4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2019 09:40:44 +0000 (10:40 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2019 09:40:44 +0000 (10:40 +0100)
added patches:
appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
appletalk-set-error-code-if-register_snap_client-failed.patch
asoc-rsnd-fixup-mix-kctrl-registration.patch
kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch

queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch [new file with mode: 0644]
queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch [new file with mode: 0644]
queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch [new file with mode: 0644]
queue-4.14/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/queue-4.14/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
new file mode 100644 (file)
index 0000000..861b7ed
--- /dev/null
@@ -0,0 +1,124 @@
+From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 14 Mar 2019 13:47:59 +0800
+Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
+
+register_snap_client may return NULL, all the callers
+check it, but only print a warning. This will result in
+NULL pointer dereference in unregister_snap_client and other
+places.
+
+It has always been used like this since v2.6
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to <4.15: adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/atalk.h |    2 +-
+ net/appletalk/aarp.c  |   15 ++++++++++++---
+ net/appletalk/ddp.c   |   20 ++++++++++++--------
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_
+ #define AARP_RESOLVE_TIME     (10 * HZ)
+ extern struct datalink_proto *ddp_dl, *aarp_dl;
+-extern void aarp_proto_init(void);
++extern int aarp_proto_init(void);
+ /* Inter module exports */
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
+ static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
+-void __init aarp_proto_init(void)
++int __init aarp_proto_init(void)
+ {
++      int rc;
++
+       aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
+-      if (!aarp_dl)
++      if (!aarp_dl) {
+               printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
++              return -ENOMEM;
++      }
+       setup_timer(&aarp_timer, aarp_expire_timeout, 0);
+       aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
+       add_timer(&aarp_timer);
+-      register_netdevice_notifier(&aarp_notifier);
++      rc = register_netdevice_notifier(&aarp_notifier);
++      if (rc) {
++              del_timer_sync(&aarp_timer);
++              unregister_snap_client(aarp_dl);
++      }
++      return rc;
+ }
+ /* Remove the AARP entries associated with a device. */
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1911,9 +1911,6 @@ static unsigned char ddp_snap_id[] = { 0
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+-static const char atalk_err_snap[] __initconst =
+-      KERN_CRIT "Unable to register DDP with SNAP.\n";
+-
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+@@ -1928,17 +1925,22 @@ static int __init atalk_init(void)
+               goto out_proto;
+       ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+-      if (!ddp_dl)
+-              printk(atalk_err_snap);
++      if (!ddp_dl) {
++              pr_crit("Unable to register DDP with SNAP.\n");
++              goto out_sock;
++      }
+       dev_add_pack(&ltalk_packet_type);
+       dev_add_pack(&ppptalk_packet_type);
+       rc = register_netdevice_notifier(&ddp_notifier);
+       if (rc)
+-              goto out_sock;
++              goto out_snap;
++
++      rc = aarp_proto_init();
++      if (rc)
++              goto out_dev;
+-      aarp_proto_init();
+       rc = atalk_proc_init();
+       if (rc)
+               goto out_aarp;
+@@ -1952,11 +1954,13 @@ out_proc:
+       atalk_proc_exit();
+ out_aarp:
+       aarp_cleanup_module();
++out_dev:
+       unregister_netdevice_notifier(&ddp_notifier);
+-out_sock:
++out_snap:
+       dev_remove_pack(&ppptalk_packet_type);
+       dev_remove_pack(&ltalk_packet_type);
+       unregister_snap_client(ddp_dl);
++out_sock:
+       sock_unregister(PF_APPLETALK);
+ out_proto:
+       proto_unregister(&ddp_proto);
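Review bot: The notifier-failure path added to aarp_proto_init (the `if (rc)` block after register_netdevice_notifier) unregisters the SNAP client but leaves the global `aarp_dl` pointing at it; adding `aarp_dl = NULL;` after `unregister_snap_client(aarp_dl);` keeps the exported global from referencing freed memory. This is hygiene rather than a live bug today, since atalk_init's new `out_dev` path skips `aarp_cleanup_module()` and a failed module init unloads the module. Separately, `return -ENOMEM` here and the `rc = -ENOMEM` added by the second patch in this commit (queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch) label every NULL from register_snap_client as an allocation failure; as far as I recall it also returns NULL when the SNAP id is already registered, so a comment such as `/* NULL can also mean the SNAP id is already claimed; -ENOMEM is an approximation */` would help the next reader. The body of atalk_init and its cleanup labels continue outside this hunk.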
diff --git a/queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch b/queue-4.14/appletalk-set-error-code-if-register_snap_client-failed.patch
new file mode 100644 (file)
index 0000000..abf682c
--- /dev/null
@@ -0,0 +1,33 @@
+From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 19:34:08 +0800
+Subject: appletalk: Set error code if register_snap_client failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
+
+If register_snap_client fails in atalk_init,
+error code should be set, otherwise it will
+triggers NULL pointer dereference while unloading
+module.
+
+Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/ddp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1927,6 +1927,7 @@ static int __init atalk_init(void)
+       ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+       if (!ddp_dl) {
+               pr_crit("Unable to register DDP with SNAP.\n");
++              rc = -ENOMEM;
+               goto out_sock;
+       }
diff --git a/queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch b/queue-4.14/asoc-rsnd-fixup-mix-kctrl-registration.patch
new file mode 100644 (file)
index 0000000..9ffb28c
--- /dev/null
@@ -0,0 +1,61 @@
+From 7aea8a9d71d54f449f49e20324df06341cc18395 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Fri, 1 Feb 2019 16:49:30 +0900
+Subject: ASoC: rsnd: fixup MIX kctrl registration
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream.
+
+Renesas sound device has many IPs and many situations.
+If platform/board uses MIXer, situation will be more complex.
+To avoid duplicate DVC kctrl registration when MIXer was used,
+it had original flags.
+But it was issue when sound card was re-binded, because
+no one can't cleanup this flags then.
+
+To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup
+registering method for rsnd_kctrl_new()") checks registered
+card->controls, because if card was re-binded, these were cleanuped
+automatically. This patch could solve re-binding issue.
+But, it start to avoid MIX kctrl.
+
+To solve these issues, we need below.
+To avoid card re-binding issue: check registered card->controls
+To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg
+To allow multiple MIX registration: check registered rsnd_kctrl_cfg
+This patch do it.
+
+Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()")
+Reported-by: Jiada Wang <jiada_wang@mentor.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-By: Jiada Wang <jiada_wang@mentor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/core.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -1279,14 +1279,14 @@ int rsnd_kctrl_new(struct rsnd_mod *mod,
+       int ret;
+       /*
+-       * 1) Avoid duplicate register (ex. MIXer case)
+-       * 2) re-register if card was rebinded
++       * 1) Avoid duplicate register for DVC with MIX case
++       * 2) Allow duplicate register for MIX
++       * 3) re-register if card was rebinded
+        */
+       list_for_each_entry(kctrl, &card->controls, list) {
+               struct rsnd_kctrl_cfg *c = kctrl->private_data;
+-              if (strcmp(kctrl->id.name, name) == 0 &&
+-                  c->mod == mod)
++              if (c == cfg)
+                       return 0;
+       }
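Review bot: The rewritten check `if (c == cfg)` compares pointer identity only, so the cast of `kctrl->private_data` to `struct rsnd_kctrl_cfg *` and the local `c` are now unnecessary; `if (kctrl->private_data == cfg) return 0;` says the same thing without suggesting the data is inspected. Not dereferencing the private data is also what keeps this loop safe if card->controls ever holds controls from other components whose private_data is not an rsnd_kctrl_cfg, an exposure the removed `c->mod` access had, so a comment stating the reasoning, e.g. `/* compare cfg identity only; private_data of foreign controls must not be dereferenced */`, would preserve it for later edits. The signature and remainder of rsnd_kctrl_new lie outside this hunk.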
diff --git a/queue-4.14/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/queue-4.14/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
new file mode 100644 (file)
index 0000000..43ecaf4
--- /dev/null
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -404,7 +404,7 @@ static inline int __do_cpuid_ent(struct
+       r = -E2BIG;
+-      if (*nent >= maxnent)
++      if (WARN_ON(*nent >= maxnent))
+               goto out;
+       do_cpuid_1_ent(entry, function, index);
+@@ -707,6 +707,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+                       u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++      if (*nent >= maxnent)
++              return -E2BIG;
++
+       if (type == KVM_GET_EMULATED_CPUID)
+               return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
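Review bot: The new guard at the top of do_cpuid_ent rejects one entry per call, which closes the hole only as long as the emulated path writes at most a single entry per invocation; a comment above the check, such as `/* Reject here: the emulated path below has no bounds check of its own. */`, would record that assumption for whoever later adds sub-leaf loops to __do_cpuid_ent_emulated. The check in __do_cpuid_ent, now `WARN_ON(*nent >= maxnent)`, is consequently a should-not-happen assertion rather than the primary bound, and since a reachable WARN_ON is a crash under panic_on_warn it deserves a one-line comment saying it is redundant with do_cpuid_ent's check. Both __do_cpuid_ent and do_cpuid_ent continue outside the hunk.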
index e875f0de29c1a687c4995f62d9fa37800fd9e05a..fb3d15ecda4210f63f97f99938f6aa5a1fb10c65 100644 (file)
@@ -150,6 +150,10 @@ rdma-qib-validate-show-store-callbacks-before-calling-them.patch
 iomap-fix-pipe-page-leakage-during-splicing.patch
 thermal-fix-deadlock-in-thermal-thermal_zone_device_check.patch
 binder-handle-start-null-in-binder_update_page_range.patch
+asoc-rsnd-fixup-mix-kctrl-registration.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+appletalk-set-error-code-if-register_snap_client-failed.patch
 alsa-hda-fix-pending-unsol-events-at-shutdown.patch
 md-raid0-fix-an-error-message-in-raid0_make_request.patch
 watchdog-aspeed-fix-clock-behaviour-for-ast2600.patch