5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 May 2021 07:30:45 +0000 (09:30 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 26 May 2021 07:30:45 +0000 (09:30 +0200)
added patches:
nvmet-use-new-ana_log_size-instead-the-old-one.patch
video-hgafb-correctly-handle-card-detect-failure-during-probe.patch

queue-5.10/nvmet-use-new-ana_log_size-instead-the-old-one.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch [new file with mode: 0644]

diff --git a/queue-5.10/nvmet-use-new-ana_log_size-instead-the-old-one.patch b/queue-5.10/nvmet-use-new-ana_log_size-instead-the-old-one.patch
new file mode 100644 (file)
index 0000000..4ae4245
--- /dev/null
@@ -0,0 +1,67 @@
+From e181811bd04d874fe48bbfa1165a82068b58144d Mon Sep 17 00:00:00 2001
+From: Hou Pu <houpu.main@gmail.com>
+Date: Thu, 13 May 2021 21:04:10 +0800
+Subject: nvmet: use new ana_log_size instead the old one
+
+From: Hou Pu <houpu.main@gmail.com>
+
+commit e181811bd04d874fe48bbfa1165a82068b58144d upstream.
+
+The new ana_log_size should be used instead of the old one.
+Or kernel NULL pointer dereference will happen like below:
+
+[   38.957849][   T69] BUG: kernel NULL pointer dereference, address: 000000000000003c
+[   38.975550][   T69] #PF: supervisor write access in kernel mode
+[   38.975955][   T69] #PF: error_code(0x0002) - not-present page
+[   38.976905][   T69] PGD 0 P4D 0
+[   38.979388][   T69] Oops: 0002 [#1] SMP NOPTI
+[   38.980488][   T69] CPU: 0 PID: 69 Comm: kworker/0:2 Not tainted 5.12.0+ #54
+[   38.981254][   T69] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[   38.982502][   T69] Workqueue: events nvme_loop_execute_work
+[   38.985219][   T69] RIP: 0010:memcpy_orig+0x68/0x10f
+[   38.986203][   T69] Code: 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 4c 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 <4c> 89 47 f8 4c 89 4f f0 4c 89 57 e8 4c 89 5f e0 48 8d 7f e0 73 d2
+[   38.987677][   T69] RSP: 0018:ffffc900001b7d48 EFLAGS: 00000287
+[   38.987996][   T69] RAX: 0000000000000020 RBX: 0000000000000024 RCX: 0000000000000010
+[   38.988327][   T69] RDX: ffffffffffffffe4 RSI: ffff8881084bc004 RDI: 0000000000000044
+[   38.988620][   T69] RBP: 0000000000000024 R08: 0000000100000000 R09: 0000000000000000
+[   38.988991][   T69] R10: 0000000100000000 R11: 0000000000000001 R12: 0000000000000024
+[   38.989289][   T69] R13: ffff8881084bc000 R14: 0000000000000000 R15: 0000000000000024
+[   38.989845][   T69] FS:  0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
+[   38.990234][   T69] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[   38.990490][   T69] CR2: 000000000000003c CR3: 00000001085b2000 CR4: 00000000000006f0
+[   38.991105][   T69] Call Trace:
+[   38.994157][   T69]  sg_copy_buffer+0xb8/0xf0
+[   38.995357][   T69]  nvmet_copy_to_sgl+0x48/0x6d
+[   38.995565][   T69]  nvmet_execute_get_log_page_ana+0xd4/0x1cb
+[   38.995792][   T69]  nvmet_execute_get_log_page+0xc9/0x146
+[   38.995992][   T69]  nvme_loop_execute_work+0x3e/0x44
+[   38.996181][   T69]  process_one_work+0x1c3/0x3c0
+[   38.996393][   T69]  worker_thread+0x44/0x3d0
+[   38.996600][   T69]  ? cancel_delayed_work+0x90/0x90
+[   38.996804][   T69]  kthread+0xf7/0x130
+[   38.996961][   T69]  ? kthread_create_worker_on_cpu+0x70/0x70
+[   38.997171][   T69]  ret_from_fork+0x22/0x30
+[   38.997705][   T69] Modules linked in:
+[   38.998741][   T69] CR2: 000000000000003c
+[   39.000104][   T69] ---[ end trace e719927b609d0fa0 ]---
+
+Fixes: 5e1f689913a4 ("nvme-multipath: fix double initialization of ANA state")
+Signed-off-by: Hou Pu <houpu.main@gmail.com>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nvme/host/multipath.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -744,7 +744,7 @@ int nvme_mpath_init_identify(struct nvme
+       if (ana_log_size > ctrl->ana_log_size) {
+               nvme_mpath_stop(ctrl);
+               kfree(ctrl->ana_log_buf);
+-              ctrl->ana_log_buf = kmalloc(ctrl->ana_log_size, GFP_KERNEL);
++              ctrl->ana_log_buf = kmalloc(ana_log_size, GFP_KERNEL);
+               if (!ctrl->ana_log_buf)
+                       return -ENOMEM;
+       }
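Review bot: On the `return -ENOMEM` path after the new `kmalloc(ana_log_size, GFP_KERNEL)`, `ctrl->ana_log_buf` is NULL while `ctrl->ana_log_size` still holds the previous size, because the old buffer was already released by `kfree(ctrl->ana_log_buf)`. If nvme_mpath_init_identify() is entered again with a size no larger than that stale value, the `if (ana_log_size > ctrl->ana_log_size)` branch would presumably be skipped and the NULL buffer used, which is the same class of fault as the oops quoted in the commit message. Resetting the size on failure keeps the pointer and length consistent: `if (!ctrl->ana_log_buf) { ctrl->ana_log_size = 0; return -ENOMEM; }`. The function body starts and ends outside the hunk, so where `ctrl->ana_log_size` is updated on success and whether callers tear the controller down on this error cannot be confirmed from here.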
index d1bfcc9e78f50d09c6d50efde8e71b4b59562b15..b233e49390309ab311c5397e9f959afe830c2ca9 100644 (file)
@@ -101,3 +101,5 @@ x86-xen-swap-nx-determination-and-gdt-setup-on-bsp.patch
 nvme-multipath-fix-double-initialization-of-ana-state.patch
 rtc-pcf85063-fallback-to-parent-of_node.patch
 x86-boot-compressed-64-check-sev-encryption-in-the-32-bit-boot-path.patch
+nvmet-use-new-ana_log_size-instead-the-old-one.patch
+video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
diff --git a/queue-5.10/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch b/queue-5.10/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
new file mode 100644 (file)
index 0000000..d4f9481
--- /dev/null
@@ -0,0 +1,43 @@
+From 02625c965239b71869326dd0461615f27307ecb3 Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+Date: Mon, 17 May 2021 00:57:14 +0530
+Subject: video: hgafb: correctly handle card detect failure during probe
+
+From: Anirudh Rayabharam <mail@anirudhrb.com>
+
+commit 02625c965239b71869326dd0461615f27307ecb3 upstream.
+
+The return value of hga_card_detect() is not properly handled causing
+the probe to succeed even though hga_card_detect() failed. Since probe
+succeeds, hgafb_open() can be called which will end up operating on an
+unmapped hga_vram. This results in an out-of-bounds access as reported
+by kernel test robot [1].
+
+To fix this, correctly detect failure of hga_card_detect() by checking
+for a non-zero error code.
+
+[1]: https://lore.kernel.org/lkml/20210516150019.GB25903@xsang-OptiPlex-9020/
+
+Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
+Cc: stable <stable@vger.kernel.org>
+Reported-by: kernel test robot <oliver.sang@intel.com>
+Reviewed-by: Igor Matheus Andrade Torrente <igormtorrente@gmail.com>
+Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Link: https://lore.kernel.org/r/20210516192714.25823-1-mail@anirudhrb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/video/fbdev/hgafb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/hgafb.c
++++ b/drivers/video/fbdev/hgafb.c
+@@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_d
+       int ret;
+       ret = hga_card_detect();
+-      if (!ret)
++      if (ret)
+               return ret;
+       printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",