--- /dev/null
+From 33812fc7c8d77a43b7e2bf36a0d5a57c277a4b0c Mon Sep 17 00:00:00 2001
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Date: Tue, 28 Dec 2021 22:09:17 +0100
+Subject: HID: magicmouse: Fix an error handling path in magicmouse_probe()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+commit 33812fc7c8d77a43b7e2bf36a0d5a57c277a4b0c upstream.
+
+If the timer introduced by the commit below is started, then it must be
+deleted in the error handling of the probe. Otherwise it would trigger
+once the driver is no more.
+
+Fixes: 0b91b4e4dae6 ("HID: magicmouse: Report battery level over USB")
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Tested-by: José Expósito <jose.exposito89@gmail.com>
+Reported-by: <syzbot+a437546ec71b04dfb5ac@syzkaller.appspotmail.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-magicmouse.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/hid/hid-magicmouse.c
++++ b/drivers/hid/hid-magicmouse.c
+@@ -873,6 +873,7 @@ static int magicmouse_probe(struct hid_d
+
+ return 0;
+ err_stop_hw:
++ del_timer_sync(&msc->battery_timer);
+ hid_hw_stop(hdev);
+ return ret;
+ }
spi-uniphier-fix-a-bug-that-doesn-t-point-to-private-data-correctly.patch
xen-gntdev-fix-unmap-notification-order.patch
md-move-alloc-free-acct-bioset-in-to-personality.patch
+hid-magicmouse-fix-an-error-handling-path-in-magicmouse_probe.patch
+x86-mce-check-regs-before-accessing-it.patch
--- /dev/null
+From 1acd85feba81084fcef00b73fc1601e42b77c5d8 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov <bp@suse.de>
+Date: Fri, 17 Dec 2021 16:49:25 +0100
+Subject: x86/mce: Check regs before accessing it
+
+From: Borislav Petkov <bp@suse.de>
+
+commit 1acd85feba81084fcef00b73fc1601e42b77c5d8 upstream.
+
+Commit in Fixes accesses pt_regs before checking whether it is NULL or
+not. Make sure the NULL pointer check happens first.
+
+Fixes: 0a5b288e85bb ("x86/mce: Prevent severity computation from being instrumented")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Reviewed-by: Tony Luck <tony.luck@intel.com>
+Link: https://lore.kernel.org/r/20211217102029.GA29708@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/cpu/mce/severity.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/mce/severity.c
++++ b/arch/x86/kernel/cpu/mce/severity.c
+@@ -222,6 +222,9 @@ static bool is_copy_from_user(struct pt_
+ struct insn insn;
+ int ret;
+
++ if (!regs)
++ return false;
++
+ if (copy_from_kernel_nofault(insn_buf, (void *)regs->ip, MAX_INSN_SIZE))
+ return false;
+
+@@ -283,7 +286,7 @@ static noinstr int error_context(struct
+ switch (fixup_type) {
+ case EX_TYPE_UACCESS:
+ case EX_TYPE_COPY:
+- if (!regs || !copy_user)
++ if (!copy_user)
+ return IN_KERNEL;
+ m->kflags |= MCE_IN_KERNEL_COPYIN;
+ fallthrough;
projects / thirdparty / kernel / stable-queue.git / commitdiff
