5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 3 Apr 2022 12:25:57 +0000 (14:25 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 3 Apr 2022 12:25:57 +0000 (14:25 +0200)
added patches:
can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
can-mcba_usb-properly-check-endpoint-type.patch
can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch
modpost-restore-the-warning-message-for-missing-symbol-versions.patch
xarray-update-the-lru-list-in-xas_split.patch

queue-5.15/can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch [new file with mode: 0644]
queue-5.15/can-mcba_usb-properly-check-endpoint-type.patch [new file with mode: 0644]
queue-5.15/can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch [new file with mode: 0644]
queue-5.15/modpost-restore-the-warning-message-for-missing-symbol-versions.patch [new file with mode: 0644]
queue-5.15/series
queue-5.15/xarray-update-the-lru-list-in-xas_split.patch [new file with mode: 0644]

diff --git a/queue-5.15/can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch b/queue-5.15/can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
new file mode 100644 (file)
index 0000000..ba6e825
--- /dev/null
@@ -0,0 +1,32 @@
+From 04c9b00ba83594a29813d6b1fb8fdc93a3915174 Mon Sep 17 00:00:00 2001
+From: Hangyu Hua <hbh25y@gmail.com>
+Date: Fri, 11 Mar 2022 16:02:08 +0800
+Subject: can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+commit 04c9b00ba83594a29813d6b1fb8fdc93a3915174 upstream.
+
+There is no need to call dev_kfree_skb() when usb_submit_urb() fails
+because can_put_echo_skb() deletes original skb and
+can_free_echo_skb() deletes the cloned skb.
+
+Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
+Link: https://lore.kernel.org/all/20220311080208.45047-1-hbh25y@gmail.com
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -368,7 +368,6 @@ static netdev_tx_t mcba_usb_start_xmit(s
+ xmit_failed:
+       can_free_echo_skb(priv->netdev, ctx->ndx, NULL);
+       mcba_usb_free_ctx(ctx);
+-      dev_kfree_skb(skb);
+       stats->tx_dropped++;
+       return NETDEV_TX_OK;
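Review bot: The `xmit_failed:` path in mcba_usb_start_xmit() carries no comment saying who owns `skb` at that point, so the same double free is easy to reintroduce. A line such as `/* skb was handed to the echo stack by can_put_echo_skb(); can_free_echo_skb() releases it, do not dev_kfree_skb() here */` above the can_free_echo_skb() call would record the ownership rule from the commit message in the code. The fix is only correct if every `goto xmit_failed` is taken after can_put_echo_skb() has consumed the skb. Those jumps are outside this hunk and should be confirmed against the full function.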
diff --git a/queue-5.15/can-mcba_usb-properly-check-endpoint-type.patch b/queue-5.15/can-mcba_usb-properly-check-endpoint-type.patch
new file mode 100644 (file)
index 0000000..f205575
--- /dev/null
@@ -0,0 +1,121 @@
+From 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Sun, 13 Mar 2022 13:09:03 +0300
+Subject: can: mcba_usb: properly check endpoint type
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 136bed0bfd3bc9c95c88aafff2d22ecb3a919f23 upstream.
+
+Syzbot reported warning in usb_submit_urb() which is caused by wrong
+endpoint type. We should check that in endpoint is actually present to
+prevent this warning.
+
+Found pipes are now saved to struct mcba_priv and code uses them
+directly instead of making pipes in place.
+
+Fail log:
+
+| usb 5-1: BOGUS urb xfer, pipe 3 != type 1
+| WARNING: CPU: 1 PID: 49 at drivers/usb/core/urb.c:502 usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+| Modules linked in:
+| CPU: 1 PID: 49 Comm: kworker/1:2 Not tainted 5.17.0-rc6-syzkaller-00184-g38f80f42147f #0
+| Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
+| Workqueue: usb_hub_wq hub_event
+| RIP: 0010:usb_submit_urb+0xed2/0x18a0 drivers/usb/core/urb.c:502
+| ...
+| Call Trace:
+|  <TASK>
+|  mcba_usb_start drivers/net/can/usb/mcba_usb.c:662 [inline]
+|  mcba_usb_probe+0x8a3/0xc50 drivers/net/can/usb/mcba_usb.c:858
+|  usb_probe_interface+0x315/0x7f0 drivers/usb/core/driver.c:396
+|  call_driver_probe drivers/base/dd.c:517 [inline]
+
+Fixes: 51f3baad7de9 ("can: mcba_usb: Add support for Microchip CAN BUS Analyzer")
+Link: https://lore.kernel.org/all/20220313100903.10868-1-paskripkin@gmail.com
+Reported-and-tested-by: syzbot+3bc1dce0cc0052d60fde@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Vincent Mailhol <mailhol.vincent@wanadoo.fr>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/usb/mcba_usb.c |   26 ++++++++++++++++----------
+ 1 file changed, 16 insertions(+), 10 deletions(-)
+
+--- a/drivers/net/can/usb/mcba_usb.c
++++ b/drivers/net/can/usb/mcba_usb.c
+@@ -33,10 +33,6 @@
+ #define MCBA_USB_RX_BUFF_SIZE 64
+ #define MCBA_USB_TX_BUFF_SIZE (sizeof(struct mcba_usb_msg))
+-/* MCBA endpoint numbers */
+-#define MCBA_USB_EP_IN 1
+-#define MCBA_USB_EP_OUT 1
+-
+ /* Microchip command id */
+ #define MBCA_CMD_RECEIVE_MESSAGE 0xE3
+ #define MBCA_CMD_I_AM_ALIVE_FROM_CAN 0xF5
+@@ -84,6 +80,8 @@ struct mcba_priv {
+       atomic_t free_ctx_cnt;
+       void *rxbuf[MCBA_MAX_RX_URBS];
+       dma_addr_t rxbuf_dma[MCBA_MAX_RX_URBS];
++      int rx_pipe;
++      int tx_pipe;
+ };
+ /* CAN frame */
+@@ -272,10 +270,8 @@ static netdev_tx_t mcba_usb_xmit(struct
+       memcpy(buf, usb_msg, MCBA_USB_TX_BUFF_SIZE);
+-      usb_fill_bulk_urb(urb, priv->udev,
+-                        usb_sndbulkpipe(priv->udev, MCBA_USB_EP_OUT), buf,
+-                        MCBA_USB_TX_BUFF_SIZE, mcba_usb_write_bulk_callback,
+-                        ctx);
++      usb_fill_bulk_urb(urb, priv->udev, priv->tx_pipe, buf, MCBA_USB_TX_BUFF_SIZE,
++                        mcba_usb_write_bulk_callback, ctx);
+       urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+       usb_anchor_urb(urb, &priv->tx_submitted);
+@@ -610,7 +606,7 @@ static void mcba_usb_read_bulk_callback(
+ resubmit_urb:
+       usb_fill_bulk_urb(urb, priv->udev,
+-                        usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_OUT),
++                        priv->rx_pipe,
+                         urb->transfer_buffer, MCBA_USB_RX_BUFF_SIZE,
+                         mcba_usb_read_bulk_callback, priv);
+@@ -655,7 +651,7 @@ static int mcba_usb_start(struct mcba_pr
+               urb->transfer_dma = buf_dma;
+               usb_fill_bulk_urb(urb, priv->udev,
+-                                usb_rcvbulkpipe(priv->udev, MCBA_USB_EP_IN),
++                                priv->rx_pipe,
+                                 buf, MCBA_USB_RX_BUFF_SIZE,
+                                 mcba_usb_read_bulk_callback, priv);
+               urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
+@@ -809,6 +805,13 @@ static int mcba_usb_probe(struct usb_int
+       struct mcba_priv *priv;
+       int err;
+       struct usb_device *usbdev = interface_to_usbdev(intf);
++      struct usb_endpoint_descriptor *in, *out;
++
++      err = usb_find_common_endpoints(intf->cur_altsetting, &in, &out, NULL, NULL);
++      if (err) {
++              dev_err(&intf->dev, "Can't find endpoints\n");
++              return err;
++      }
+       netdev = alloc_candev(sizeof(struct mcba_priv), MCBA_MAX_TX_URBS);
+       if (!netdev) {
+@@ -854,6 +857,9 @@ static int mcba_usb_probe(struct usb_int
+               goto cleanup_free_candev;
+       }
++      priv->rx_pipe = usb_rcvbulkpipe(priv->udev, in->bEndpointAddress);
++      priv->tx_pipe = usb_sndbulkpipe(priv->udev, out->bEndpointAddress);
++
+       devm_can_led_init(netdev);
+       /* Start USB dev only if we have successfully registered CAN device */
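Review bot: In mcba_usb_probe() `priv->rx_pipe` and `priv->tx_pipe` are assigned only after the error check ending in `goto cleanup_free_candev`, and the comment just below says the CAN device is already registered by then. If the call before that check is the netdev registration (it is outside the hunk), the interface is visible to userspace while `tx_pipe` is still unset, so a transmit racing with probe could fill an URB with an unset pipe value. Moving the two assignments up to where the other `priv` fields are initialised, before registration, would close that window. The new fields would also be better declared `unsigned int rx_pipe;` and `unsigned int tx_pipe;`, since that is the pipe type usb_fill_bulk_urb() takes.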
diff --git a/queue-5.15/can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch b/queue-5.15/can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch
new file mode 100644 (file)
index 0000000..2c67d46
--- /dev/null
@@ -0,0 +1,40 @@
+From fa7b514d2b2894e052b8e94c7a29feb98e90093f Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Sat, 19 Mar 2022 08:31:28 -0700
+Subject: can: mcp251xfd: mcp251xfd_register_get_dev_id(): fix return of error value
+
+From: Tom Rix <trix@redhat.com>
+
+commit fa7b514d2b2894e052b8e94c7a29feb98e90093f upstream.
+
+Clang static analysis reports this issue:
+
+| mcp251xfd-core.c:1813:7: warning: The left operand
+|   of '&' is a garbage value
+|   FIELD_GET(MCP251XFD_REG_DEVID_ID_MASK, dev_id),
+|   ^                                      ~~~~~~
+
+dev_id is set in a successful call to mcp251xfd_register_get_dev_id().
+Though the status of calls made by mcp251xfd_register_get_dev_id() are
+checked and handled, their status' are not returned. So return err.
+
+Fixes: 55e5b97f003e ("can: mcp25xxfd: add driver for Microchip MCP25xxFD SPI CAN")
+Link: https://lore.kernel.org/all/20220319153128.2164120-1-trix@redhat.com
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
++++ b/drivers/net/can/spi/mcp251xfd/mcp251xfd-core.c
+@@ -2706,7 +2706,7 @@ mcp251xfd_register_get_dev_id(const stru
+  out_kfree_buf_rx:
+       kfree(buf_rx);
+-      return 0;
++      return err;
+ }
+ #define MCP251XFD_QUIRK_ACTIVE(quirk) \
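Review bot: The `out_kfree_buf_rx:` exit in mcp251xfd_register_get_dev_id() appears to be shared by the success and failure paths, so with `return err;` the function reports success only if `err` is zero when the success path reaches the label. The assignments to `err` are outside this hunk and should be checked for that. A kernel-doc line on the function, for example `Return: 0 on success; on error *dev_id is not written and must not be read`, would state the contract that the caller's FIELD_GET() on dev_id relies on.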
diff --git a/queue-5.15/modpost-restore-the-warning-message-for-missing-symbol-versions.patch b/queue-5.15/modpost-restore-the-warning-message-for-missing-symbol-versions.patch
new file mode 100644 (file)
index 0000000..cf80542
--- /dev/null
@@ -0,0 +1,39 @@
+From bf5c0c2231bcab677e5cdfb7f73e6c79f6d8c2d4 Mon Sep 17 00:00:00 2001
+From: Masahiro Yamada <masahiroy@kernel.org>
+Date: Sat, 2 Apr 2022 00:56:10 +0900
+Subject: modpost: restore the warning message for missing symbol versions
+
+From: Masahiro Yamada <masahiroy@kernel.org>
+
+commit bf5c0c2231bcab677e5cdfb7f73e6c79f6d8c2d4 upstream.
+
+This log message was accidentally chopped off.
+
+I was wondering why this happened, but checking the ML log, Mark
+precisely followed my suggestion [1].
+
+I just used "..." because I was too lazy to type the sentence fully.
+Sorry for the confusion.
+
+[1]: https://lore.kernel.org/all/CAK7LNAR6bXXk9-ZzZYpTqzFqdYbQsZHmiWspu27rtsFxvfRuVA@mail.gmail.com/
+
+Fixes: 4a6795933a89 ("kbuild: modpost: Explicitly warn about unprototyped symbols")
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Acked-by: Mark Brown <broonie@kernel.org>
+Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ scripts/mod/modpost.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -669,7 +669,7 @@ static void handle_modversion(const stru
+       unsigned int crc;
+       if (sym->st_shndx == SHN_UNDEF) {
+-              warn("EXPORT symbol \"%s\" [%s%s] version ...\n"
++              warn("EXPORT symbol \"%s\" [%s%s] version generation failed, symbol will not be versioned.\n"
+                    "Is \"%s\" prototyped in <asm/asm-prototypes.h>?\n",
+                    symname, mod->name, mod->is_vmlinux ? "" : ".ko",
+                    symname);
index f2544f2d7b3a44eaa08d57e210f5a2630e00443b..931fdfd2d9830215142c222b7a8dc219d472174f 100644 (file)
@@ -830,3 +830,8 @@ wireguard-queueing-use-cfi-safe-ptr_ring-cleanup-function.patch
 wireguard-socket-free-skb-in-send6-when-ipv6-is-disabled.patch
 wireguard-socket-ignore-v6-endpoints-when-ipv6-is-disabled.patch
 xarray-fix-xas_create_range-when-multi-order-entry-present.patch
+can-mcba_usb-mcba_usb_start_xmit-fix-double-dev_kfree_skb-in-error-path.patch
+can-mcba_usb-properly-check-endpoint-type.patch
+can-mcp251xfd-mcp251xfd_register_get_dev_id-fix-return-of-error-value.patch
+xarray-update-the-lru-list-in-xas_split.patch
+modpost-restore-the-warning-message-for-missing-symbol-versions.patch
diff --git a/queue-5.15/xarray-update-the-lru-list-in-xas_split.patch b/queue-5.15/xarray-update-the-lru-list-in-xas_split.patch
new file mode 100644 (file)
index 0000000..2f2a9b4
--- /dev/null
@@ -0,0 +1,44 @@
+From 3ed4bb77156da0bc732847c8c9df92454c1fbeea Mon Sep 17 00:00:00 2001
+From: "Matthew Wilcox (Oracle)" <willy@infradead.org>
+Date: Thu, 31 Mar 2022 08:27:09 -0400
+Subject: XArray: Update the LRU list in xas_split()
+
+From: Matthew Wilcox (Oracle) <willy@infradead.org>
+
+commit 3ed4bb77156da0bc732847c8c9df92454c1fbeea upstream.
+
+When splitting a value entry, we may need to add the new nodes to the LRU
+list and remove the parent node from the LRU list.  The WARN_ON checks
+in shadow_lru_isolate() catch this oversight.  This bug was latent
+until we stopped splitting folios in shrink_page_list() with commit
+820c4e2e6f51 ("mm/vmscan: Free non-shmem folios without splitting them").
+That allows the creation of large shadow entries, and subsequently when
+trying to page in a small page, we will split the large shadow entry
+in __filemap_add_folio().
+
+Fixes: 8fc75643c5e1 ("XArray: add xas_split")
+Reported-by: Hugh Dickins <hughd@google.com>
+Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ lib/xarray.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/lib/xarray.c
++++ b/lib/xarray.c
+@@ -1081,6 +1081,7 @@ void xas_split(struct xa_state *xas, voi
+                                       xa_mk_node(child));
+                       if (xa_is_value(curr))
+                               values--;
++                      xas_update(xas, child);
+               } else {
+                       unsigned int canon = offset - xas->xa_sibs;
+@@ -1095,6 +1096,7 @@ void xas_split(struct xa_state *xas, voi
+       } while (offset-- > xas->xa_offset);
+       node->nr_values += values;
++      xas_update(xas, node);
+ }
+ EXPORT_SYMBOL_GPL(xas_split);
+ #endif
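Review bot: Neither added `xas_update()` call in xas_split() says why it is there, so the reason is recorded only in the commit message. A short comment on each would help, e.g. `/* new child node: let the update callback add it to the LRU list */` before `xas_update(xas, child);` and `/* parent may have to leave the LRU list now */` before `xas_update(xas, node);`. That wording follows the commit description and should be checked against what the update callback actually does, since the body of xas_split() starts outside these hunks.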