--- /dev/null
+From d815b3f2f273537cb8afaf5ab11a46851f6c03e5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 16 Nov 2021 14:50:25 +0300
+Subject: btrfs: fix error pointer dereference in btrfs_ioctl_rm_dev_v2()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit d815b3f2f273537cb8afaf5ab11a46851f6c03e5 upstream.
+
+If memdup_user() fails the error handing will crash when it tries
+to kfree() an error pointer. Just return directly because there is
+no cleanup required.
+
+Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls")
+Reviewed-by: Josef Bacik <josef@toxicpanda.com>
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: David Sterba <dsterba@suse.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3231,10 +3231,8 @@ static long btrfs_ioctl_rm_dev_v2(struct
+ return -EPERM;
+
+ vol_args = memdup_user(arg, sizeof(*vol_args));
+- if (IS_ERR(vol_args)) {
+- ret = PTR_ERR(vol_args);
+- goto out;
+- }
++ if (IS_ERR(vol_args))
++ return PTR_ERR(vol_args);
+
+ if (vol_args->flags & ~BTRFS_DEVICE_REMOVE_ARGS_MASK) {
+ ret = -EOPNOTSUPP;
--- /dev/null
+From 37b4599547e324589e011c20f74b021d6d25cb7f Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Fri, 21 Jan 2022 05:45:22 -0800
+Subject: btrfs: fix use of uninitialized variable at rm device ioctl
+
+From: Tom Rix <trix@redhat.com>
+
+commit 37b4599547e324589e011c20f74b021d6d25cb7f upstream.
+
+Clang static analysis reports this problem
+ioctl.c:3333:8: warning: 3rd function call argument is an
+ uninitialized value
+ ret = exclop_start_or_cancel_reloc(fs_info,
+
+cancel is only set in one branch of an if-check and is always used. So
+initialize to false.
+
+Fixes: 1a15eb724aae ("btrfs: use btrfs_get_dev_args_from_path in dev removal ioctls")
+Reviewed-by: Filipe Manana <fdmanana@suse.com>
+Reviewed-by: Anand Jain <anand.jain@oracle.com>
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: David Sterba <dsterba@suse.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/btrfs/ioctl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -3291,7 +3291,7 @@ static long btrfs_ioctl_rm_dev(struct fi
+ struct block_device *bdev = NULL;
+ fmode_t mode;
+ int ret;
+- bool cancel;
++ bool cancel = false;
+
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
From: Lukas Fink <lukas.fink1@gmail.com>
[ Upstream commit 3993a799fc971bc9b918bd969aa55864447b5dde ]
+[ Upstream commit 5f0754ab2751d1935818459e8e71a8fe26f6403c ]
eb4fd29afd4a ("drm/amdgpu: bind to any 0x1002 PCI diplay class device") added
generic bindings to amdgpu so that that it binds to all display class devices
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1860
Fixes: eb4fd29afd4a ("drm/amdgpu: bind to any 0x1002 PCI diplay class device")
-
Cc: stable@vger.kernel.org
Signed-off-by: Lukas Fink <lukas.fink1@gmail.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
+ drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-index c294081022bd..cb0b5972e7fd 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c
-@@ -2009,7 +2009,7 @@ static int amdgpu_pci_probe(struct pci_dev *pdev,
+@@ -2009,7 +2009,7 @@ static int amdgpu_pci_probe(struct pci_d
return -ENODEV;
}
DRM_INFO("Unsupported asic. Remove me when IP discovery init is in place.\n");
return -ENODEV;
}
---
-2.35.1
-
can-kvaser_usb-kvaser_usb_leaf-fix-bittiming-limits.patch
xfs-remove-incorrect-assert-in-xfs_rename.patch
revert-serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch
+btrfs-fix-error-pointer-dereference-in-btrfs_ioctl_rm_dev_v2.patch
+virtio-blk-modify-the-value-type-of-num-in-virtio_queue_rq.patch
+btrfs-fix-use-of-uninitialized-variable-at-rm-device-ioctl.patch
+tty-n_gsm-fix-encoding-of-command-response-bit.patch
--- /dev/null
+From 57435c42400ec147a527b2313188b649e81e449e Mon Sep 17 00:00:00 2001
+From: "daniel.starke@siemens.com" <daniel.starke@siemens.com>
+Date: Thu, 17 Feb 2022 23:31:18 -0800
+Subject: tty: n_gsm: fix encoding of command/response bit
+
+From: daniel.starke@siemens.com <daniel.starke@siemens.com>
+
+commit 57435c42400ec147a527b2313188b649e81e449e upstream.
+
+n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010.
+See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516
+The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to
+the newer 27.010 here. Chapter 5.2.1.2 describes the encoding of the
+C/R (command/response) bit. Table 1 shows that the actual encoding of the
+C/R bit is inverted if the associated frame is sent by the responder.
+
+The referenced commit fixed here further broke the internal meaning of this
+bit in the outgoing path by always setting the C/R bit regardless of the
+frame type.
+
+This patch fixes both by setting the C/R bit always consistently for
+command (1) and response (0) frames and inverting it later for the
+responder where necessary. The meaning of this bit in the debug output
+is being preserved and shows the bit as if it was encoded by the initiator.
+This reflects only the frame type rather than the encoded combination of
+communication side and frame type.
+
+Fixes: cc0f42122a7e ("tty: n_gsm: Modify CR,PF bit when config requester")
+Cc: stable@vger.kernel.org
+Signed-off-by: Daniel Starke <daniel.starke@siemens.com>
+Link: https://lore.kernel.org/r/20220218073123.2121-2-daniel.starke@siemens.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/n_gsm.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -471,7 +471,7 @@ static void gsm_hex_dump_bytes(const cha
+ * gsm_print_packet - display a frame for debug
+ * @hdr: header to print before decode
+ * @addr: address EA from the frame
+- * @cr: C/R bit from the frame
++ * @cr: C/R bit seen as initiator
+ * @control: control including PF bit
+ * @data: following data bytes
+ * @dlen: length of data
+@@ -571,7 +571,7 @@ static int gsm_stuff_frame(const u8 *inp
+ * gsm_send - send a control frame
+ * @gsm: our GSM mux
+ * @addr: address for control frame
+- * @cr: command/response bit
++ * @cr: command/response bit seen as initiator
+ * @control: control byte including PF bit
+ *
+ * Format up and transmit a control frame. These do not go via the
+@@ -586,11 +586,15 @@ static void gsm_send(struct gsm_mux *gsm
+ int len;
+ u8 cbuf[10];
+ u8 ibuf[3];
++ int ocr;
++
++ /* toggle C/R coding if not initiator */
++ ocr = cr ^ (gsm->initiator ? 0 : 1);
+
+ switch (gsm->encoding) {
+ case 0:
+ cbuf[0] = GSM0_SOF;
+- cbuf[1] = (addr << 2) | (cr << 1) | EA;
++ cbuf[1] = (addr << 2) | (ocr << 1) | EA;
+ cbuf[2] = control;
+ cbuf[3] = EA; /* Length of data = 0 */
+ cbuf[4] = 0xFF - gsm_fcs_add_block(INIT_FCS, cbuf + 1, 3);
+@@ -600,7 +604,7 @@ static void gsm_send(struct gsm_mux *gsm
+ case 1:
+ case 2:
+ /* Control frame + packing (but not frame stuffing) in mode 1 */
+- ibuf[0] = (addr << 2) | (cr << 1) | EA;
++ ibuf[0] = (addr << 2) | (ocr << 1) | EA;
+ ibuf[1] = control;
+ ibuf[2] = 0xFF - gsm_fcs_add_block(INIT_FCS, ibuf, 2);
+ /* Stuffing may double the size worst case */
+@@ -630,7 +634,7 @@ static void gsm_send(struct gsm_mux *gsm
+
+ static inline void gsm_response(struct gsm_mux *gsm, int addr, int control)
+ {
+- gsm_send(gsm, addr, 1, control);
++ gsm_send(gsm, addr, 0, control);
+ }
+
+ /**
+@@ -1875,10 +1879,10 @@ static void gsm_queue(struct gsm_mux *gs
+ goto invalid;
+
+ cr = gsm->address & 1; /* C/R bit */
++ cr ^= gsm->initiator ? 0 : 1; /* Flip so 1 always means command */
+
+ gsm_print_packet("<--", address, cr, gsm->control, gsm->buf, gsm->len);
+
+- cr ^= 1 - gsm->initiator; /* Flip so 1 always means command */
+ dlci = gsm->dlci[address];
+
+ switch (gsm->control) {
--- /dev/null
+From 0466a39bd0b6c462338f10d18076703d14a552de Mon Sep 17 00:00:00 2001
+From: Ye Guojin <ye.guojin@zte.com.cn>
+Date: Wed, 17 Nov 2021 06:39:55 +0000
+Subject: virtio-blk: modify the value type of num in virtio_queue_rq()
+
+From: Ye Guojin <ye.guojin@zte.com.cn>
+
+commit 0466a39bd0b6c462338f10d18076703d14a552de upstream.
+
+This was found by coccicheck:
+./drivers/block/virtio_blk.c, 334, 14-17, WARNING Unsigned expression
+compared with zero num < 0
+
+Reported-by: Zeal Robot <zealci@zte.com.cn>
+Signed-off-by: Ye Guojin <ye.guojin@zte.com.cn>
+Link: https://lore.kernel.org/r/20211117063955.160777-1-ye.guojin@zte.com.cn
+Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
+Fixes: 02746e26c39e ("virtio-blk: avoid preallocating big SGL for data")
+Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
+Reviewed-by: Max Gurtovoy <mgurtovoy@nvidia.com>
+Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/block/virtio_blk.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -308,7 +308,7 @@ static blk_status_t virtio_queue_rq(stru
+ struct request *req = bd->rq;
+ struct virtblk_req *vbr = blk_mq_rq_to_pdu(req);
+ unsigned long flags;
+- unsigned int num;
++ int num;
+ int qid = hctx->queue_num;
+ int err;
+ bool notify = false;
projects / thirdparty / kernel / stable-queue.git / commitdiff
