4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2019 09:41:00 +0000 (10:41 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 12 Dec 2019 09:41:00 +0000 (10:41 +0100)
added patches:
appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
appletalk-set-error-code-if-register_snap_client-failed.patch
asoc-rsnd-fixup-mix-kctrl-registration.patch
kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch
xfs-add-missing-error-check-in-xfs_prepare_shift.patch

queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch [new file with mode: 0644]
queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch [new file with mode: 0644]
queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch [new file with mode: 0644]
queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch [new file with mode: 0644]
queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch [new file with mode: 0644]
queue-4.19/series
queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch [new file with mode: 0644]

diff --git a/queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch b/queue-4.19/appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
new file mode 100644 (file)
index 0000000..91707b1
--- /dev/null
@@ -0,0 +1,123 @@
+From 9804501fa1228048857910a6bf23e085aade37cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Thu, 14 Mar 2019 13:47:59 +0800
+Subject: appletalk: Fix potential NULL pointer dereference in unregister_snap_client
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit 9804501fa1228048857910a6bf23e085aade37cc upstream.
+
+register_snap_client may return NULL, all the callers
+check it, but only print a warning. This will result in
+NULL pointer dereference in unregister_snap_client and other
+places.
+
+It has always been used like this since v2.6
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/atalk.h |    2 +-
+ net/appletalk/aarp.c  |   15 ++++++++++++---
+ net/appletalk/ddp.c   |   20 ++++++++++++--------
+ 3 files changed, 25 insertions(+), 12 deletions(-)
+
+--- a/include/linux/atalk.h
++++ b/include/linux/atalk.h
+@@ -108,7 +108,7 @@ static __inline__ struct elapaarp *aarp_
+ #define AARP_RESOLVE_TIME     (10 * HZ)
+ extern struct datalink_proto *ddp_dl, *aarp_dl;
+-extern void aarp_proto_init(void);
++extern int aarp_proto_init(void);
+ /* Inter module exports */
+--- a/net/appletalk/aarp.c
++++ b/net/appletalk/aarp.c
+@@ -879,15 +879,24 @@ static struct notifier_block aarp_notifi
+ static unsigned char aarp_snap_id[] = { 0x00, 0x00, 0x00, 0x80, 0xF3 };
+-void __init aarp_proto_init(void)
++int __init aarp_proto_init(void)
+ {
++      int rc;
++
+       aarp_dl = register_snap_client(aarp_snap_id, aarp_rcv);
+-      if (!aarp_dl)
++      if (!aarp_dl) {
+               printk(KERN_CRIT "Unable to register AARP with SNAP.\n");
++              return -ENOMEM;
++      }
+       timer_setup(&aarp_timer, aarp_expire_timeout, 0);
+       aarp_timer.expires  = jiffies + sysctl_aarp_expiry_time;
+       add_timer(&aarp_timer);
+-      register_netdevice_notifier(&aarp_notifier);
++      rc = register_netdevice_notifier(&aarp_notifier);
++      if (rc) {
++              del_timer_sync(&aarp_timer);
++              unregister_snap_client(aarp_dl);
++      }
++      return rc;
+ }
+ /* Remove the AARP entries associated with a device. */
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1909,9 +1909,6 @@ static unsigned char ddp_snap_id[] = { 0
+ EXPORT_SYMBOL(atrtr_get_dev);
+ EXPORT_SYMBOL(atalk_find_dev_addr);
+-static const char atalk_err_snap[] __initconst =
+-      KERN_CRIT "Unable to register DDP with SNAP.\n";
+-
+ /* Called by proto.c on kernel start up */
+ static int __init atalk_init(void)
+ {
+@@ -1926,17 +1923,22 @@ static int __init atalk_init(void)
+               goto out_proto;
+       ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+-      if (!ddp_dl)
+-              printk(atalk_err_snap);
++      if (!ddp_dl) {
++              pr_crit("Unable to register DDP with SNAP.\n");
++              goto out_sock;
++      }
+       dev_add_pack(&ltalk_packet_type);
+       dev_add_pack(&ppptalk_packet_type);
+       rc = register_netdevice_notifier(&ddp_notifier);
+       if (rc)
+-              goto out_sock;
++              goto out_snap;
++
++      rc = aarp_proto_init();
++      if (rc)
++              goto out_dev;
+-      aarp_proto_init();
+       rc = atalk_proc_init();
+       if (rc)
+               goto out_aarp;
+@@ -1950,11 +1952,13 @@ out_proc:
+       atalk_proc_exit();
+ out_aarp:
+       aarp_cleanup_module();
++out_dev:
+       unregister_netdevice_notifier(&ddp_notifier);
+-out_sock:
++out_snap:
+       dev_remove_pack(&ppptalk_packet_type);
+       dev_remove_pack(&ltalk_packet_type);
+       unregister_snap_client(ddp_dl);
++out_sock:
+       sock_unregister(PF_APPLETALK);
+ out_proto:
+       proto_unregister(&ddp_proto);
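Review bot: The failure branch added to aarp_proto_init() frees the SNAP client but leaves the file-scope `aarp_dl` pointing at released memory, since unregister_snap_client(aarp_dl) is followed only by `return rc;`. Nothing visible in this hunk dereferences it afterwards (atalk_init jumps to out_dev, which skips aarp_cleanup_module), but a stale global is the kind of state a later cleanup path trips over, so I would add `aarp_dl = NULL;` right after the unregister_snap_client() call. The same hygiene would apply if register_snap_client() itself fails, where aarp_dl is already NULL and nothing needs doing. atalk_init() and the ddp.c error-label chain start and end outside this hunk.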
diff --git a/queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch b/queue-4.19/appletalk-set-error-code-if-register_snap_client-failed.patch
new file mode 100644 (file)
index 0000000..3640416
--- /dev/null
@@ -0,0 +1,33 @@
+From c93ad1337ad06a718890a89cdd85188ff9a5a5cc Mon Sep 17 00:00:00 2001
+From: YueHaibing <yuehaibing@huawei.com>
+Date: Tue, 30 Apr 2019 19:34:08 +0800
+Subject: appletalk: Set error code if register_snap_client failed
+
+From: YueHaibing <yuehaibing@huawei.com>
+
+commit c93ad1337ad06a718890a89cdd85188ff9a5a5cc upstream.
+
+If register_snap_client fails in atalk_init,
+error code should be set, otherwise it will
+triggers NULL pointer dereference while unloading
+module.
+
+Fixes: 9804501fa122 ("appletalk: Fix potential NULL pointer dereference in unregister_snap_client")
+Signed-off-by: YueHaibing <yuehaibing@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/appletalk/ddp.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/appletalk/ddp.c
++++ b/net/appletalk/ddp.c
+@@ -1925,6 +1925,7 @@ static int __init atalk_init(void)
+       ddp_dl = register_snap_client(ddp_snap_id, atalk_rcv);
+       if (!ddp_dl) {
+               pr_crit("Unable to register DDP with SNAP.\n");
++              rc = -ENOMEM;
+               goto out_sock;
+       }
diff --git a/queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch b/queue-4.19/asoc-rsnd-fixup-mix-kctrl-registration.patch
new file mode 100644 (file)
index 0000000..09d5a22
--- /dev/null
@@ -0,0 +1,61 @@
+From 7aea8a9d71d54f449f49e20324df06341cc18395 Mon Sep 17 00:00:00 2001
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Date: Fri, 1 Feb 2019 16:49:30 +0900
+Subject: ASoC: rsnd: fixup MIX kctrl registration
+
+From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+
+commit 7aea8a9d71d54f449f49e20324df06341cc18395 upstream.
+
+Renesas sound device has many IPs and many situations.
+If platform/board uses MIXer, situation will be more complex.
+To avoid duplicate DVC kctrl registration when MIXer was used,
+it had original flags.
+But it was issue when sound card was re-binded, because
+no one can't cleanup this flags then.
+
+To solve this issue, commit 9c698e8481a15237a ("ASoC: rsnd: tidyup
+registering method for rsnd_kctrl_new()") checks registered
+card->controls, because if card was re-binded, these were cleanuped
+automatically. This patch could solve re-binding issue.
+But, it start to avoid MIX kctrl.
+
+To solve these issues, we need below.
+To avoid card re-binding issue: check registered card->controls
+To avoid duplicate DVC registration: check registered rsnd_kctrl_cfg
+To allow multiple MIX registration: check registered rsnd_kctrl_cfg
+This patch do it.
+
+Fixes: 9c698e8481a15237a ("ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()")
+Reported-by: Jiada Wang <jiada_wang@mentor.com>
+Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
+Tested-By: Jiada Wang <jiada_wang@mentor.com>
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/soc/sh/rcar/core.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/sound/soc/sh/rcar/core.c
++++ b/sound/soc/sh/rcar/core.c
+@@ -1345,14 +1345,14 @@ int rsnd_kctrl_new(struct rsnd_mod *mod,
+       int ret;
+       /*
+-       * 1) Avoid duplicate register (ex. MIXer case)
+-       * 2) re-register if card was rebinded
++       * 1) Avoid duplicate register for DVC with MIX case
++       * 2) Allow duplicate register for MIX
++       * 3) re-register if card was rebinded
+        */
+       list_for_each_entry(kctrl, &card->controls, list) {
+               struct rsnd_kctrl_cfg *c = kctrl->private_data;
+-              if (strcmp(kctrl->id.name, name) == 0 &&
+-                  c->mod == mod)
++              if (c == cfg)
+                       return 0;
+       }
diff --git a/queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch b/queue-4.19/kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
new file mode 100644 (file)
index 0000000..ee1d9ce
--- /dev/null
@@ -0,0 +1,43 @@
+From 433f4ba1904100da65a311033f17a9bf586b287e Mon Sep 17 00:00:00 2001
+From: Paolo Bonzini <pbonzini@redhat.com>
+Date: Wed, 4 Dec 2019 10:28:54 +0100
+Subject: KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+commit 433f4ba1904100da65a311033f17a9bf586b287e upstream.
+
+The bounds check was present in KVM_GET_SUPPORTED_CPUID but not
+KVM_GET_EMULATED_CPUID.
+
+Reported-by: syzbot+e3f4897236c4eeb8af4f@syzkaller.appspotmail.com
+Fixes: 84cffe499b94 ("kvm: Emulate MOVBE", 2013-10-29)
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kvm/cpuid.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kvm/cpuid.c
++++ b/arch/x86/kvm/cpuid.c
+@@ -420,7 +420,7 @@ static inline int __do_cpuid_ent(struct
+       r = -E2BIG;
+-      if (*nent >= maxnent)
++      if (WARN_ON(*nent >= maxnent))
+               goto out;
+       do_cpuid_1_ent(entry, function, index);
+@@ -729,6 +729,9 @@ out:
+ static int do_cpuid_ent(struct kvm_cpuid_entry2 *entry, u32 func,
+                       u32 idx, int *nent, int maxnent, unsigned int type)
+ {
++      if (*nent >= maxnent)
++              return -E2BIG;
++
+       if (type == KVM_GET_EMULATED_CPUID)
+               return __do_cpuid_ent_emulated(entry, func, idx, nent, maxnent);
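Review bot: Turning the kept bounds check in __do_cpuid_ent() into WARN_ON() makes it a kernel-bug trap on a path that is reached from a userspace ioctl, so it must be unreachable with attacker-chosen nent, which matters on configurations with panic_on_warn. The new guard at the top of do_cpuid_ent() covers the entry into both the supported and emulated paths, but the per-subleaf loops inside __do_cpuid_ent() (outside this hunk) must keep their own `if (*nent >= maxnent) goto out;` before each do_cpuid_1_ent() for that to hold; I would confirm that rather than infer it. A one-line comment above the WARN_ON would record the contract: `/* do_cpuid_ent() already bounds *nent; reaching this is a kernel bug. */`. Both __do_cpuid_ent() and do_cpuid_ent() start or end outside the hunk.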
diff --git a/queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch b/queue-4.19/net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch
new file mode 100644 (file)
index 0000000..4b145f0
--- /dev/null
@@ -0,0 +1,42 @@
+From a21b7f0cff1906a93a0130b74713b15a0b36481d Mon Sep 17 00:00:00 2001
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+Date: Wed, 11 Sep 2019 10:09:02 -0500
+Subject: net: qrtr: fix memort leak in qrtr_tun_write_iter
+
+From: Navid Emamdoost <navid.emamdoost@gmail.com>
+
+commit a21b7f0cff1906a93a0130b74713b15a0b36481d upstream.
+
+In qrtr_tun_write_iter the allocated kbuf should be release in case of
+error or success return.
+
+v2 Update: Thanks to David Miller for pointing out the release on success
+path as well.
+
+Signed-off-by: Navid Emamdoost <navid.emamdoost@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/qrtr/tun.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/qrtr/tun.c
++++ b/net/qrtr/tun.c
+@@ -84,11 +84,14 @@ static ssize_t qrtr_tun_write_iter(struc
+       if (!kbuf)
+               return -ENOMEM;
+-      if (!copy_from_iter_full(kbuf, len, from))
++      if (!copy_from_iter_full(kbuf, len, from)) {
++              kfree(kbuf);
+               return -EFAULT;
++      }
+       ret = qrtr_endpoint_post(&tun->ep, kbuf, len);
++      kfree(kbuf);
+       return ret < 0 ? ret : len;
+ }
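Review bot: The two kfree() calls close the leak on both the -EFAULT and the post paths, but `len` is taken from the user-supplied iov and the allocation that produces kbuf sits above this hunk (outside it), so the hunk does not show whether the size is bounded before allocating; that is worth confirming, since an unbounded user-controlled allocation size is a memory-pressure problem even with the leak fixed, e.g. `if (len > KMALLOC_MAX_SIZE) return -ENOMEM;` placed before the allocation. With the free now on every exit, a single `out:` label with one kfree(kbuf) would also keep the two paths from drifting apart again, at the cost of a few lines. qrtr_tun_write_iter() starts outside the hunk.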
index 503e48689bbfb110d158894078ba4339ac551480..13997b2c6865602f9682e190f52b2d351cf7f92b 100644 (file)
@@ -246,3 +246,9 @@ watchdog-aspeed-fix-clock-behaviour-for-ast2600.patch
 perf-script-fix-invalid-lbr-binary-mismatch-error.patch
 splice-don-t-read-more-than-available-pipe-space.patch
 iomap-partially-revert-4721a601099-simulated-directi.patch
+xfs-add-missing-error-check-in-xfs_prepare_shift.patch
+asoc-rsnd-fixup-mix-kctrl-registration.patch
+kvm-x86-fix-out-of-bounds-write-in-kvm_get_emulated_cpuid-cve-2019-19332.patch
+net-qrtr-fix-memort-leak-in-qrtr_tun_write_iter.patch
+appletalk-fix-potential-null-pointer-dereference-in-unregister_snap_client.patch
+appletalk-set-error-code-if-register_snap_client-failed.patch
diff --git a/queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch b/queue-4.19/xfs-add-missing-error-check-in-xfs_prepare_shift.patch
new file mode 100644 (file)
index 0000000..6d7cffd
--- /dev/null
@@ -0,0 +1,41 @@
+From 1749d1ea89bdf3181328b7d846e609d5a0e53e50 Mon Sep 17 00:00:00 2001
+From: Brian Foster <bfoster@redhat.com>
+Date: Fri, 26 Apr 2019 07:30:24 -0700
+Subject: xfs: add missing error check in xfs_prepare_shift()
+
+From: Brian Foster <bfoster@redhat.com>
+
+commit 1749d1ea89bdf3181328b7d846e609d5a0e53e50 upstream.
+
+xfs_prepare_shift() fails to check the error return from
+xfs_flush_unmap_range(). If the latter fails, that could lead to an
+insert/collapse range operation over a delalloc range, which is not
+supported.
+
+Add an error check and return appropriately. This is reproduced
+rarely by generic/475.
+
+Fixes: 7f9f71be84bc ("xfs: extent shifting doesn't fully invalidate page cache")
+Signed-off-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
+Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
+Reviewed-by: Allison Collins <allison.henderson@oracle.com>
+Reviewed-by: Dave Chinner <dchinner@redhat.com>
+Cc: Nobuhiro Iwamatsu <nobuhiro1.iwamatsu@toshiba.co.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_bmap_util.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/xfs/xfs_bmap_util.c
++++ b/fs/xfs/xfs_bmap_util.c
+@@ -1245,6 +1245,8 @@ xfs_prepare_shift(
+        * about to shift down every extent from offset to EOF.
+        */
+       error = xfs_flush_unmap_range(ip, offset, XFS_ISIZE(ip));
++      if (error)
++              return error;
+       /*
+        * Clean out anything hanging around in the cow fork now that