5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Dec 2021 11:38:03 +0000 (12:38 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 27 Dec 2021 11:38:03 +0000 (12:38 +0100)
added patches:
alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
alsa-jack-check-the-return-value-of-kstrdup.patch
input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch
ipmi-bail-out-if-init_srcu_struct-fails.patch
ipmi-fix-initialization-when-workqueue-allocation-fails.patch
ipmi-ssif-initialize-ssif_info-client-early.patch
parisc-correct-completer-in-lws-start.patch
x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch

queue-5.4/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch [new file with mode: 0644]
queue-5.4/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch [new file with mode: 0644]
queue-5.4/alsa-jack-check-the-return-value-of-kstrdup.patch [new file with mode: 0644]
queue-5.4/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch [new file with mode: 0644]
queue-5.4/ipmi-bail-out-if-init_srcu_struct-fails.patch [new file with mode: 0644]
queue-5.4/ipmi-fix-initialization-when-workqueue-allocation-fails.patch [new file with mode: 0644]
queue-5.4/ipmi-ssif-initialize-ssif_info-client-early.patch [new file with mode: 0644]
queue-5.4/parisc-correct-completer-in-lws-start.patch [new file with mode: 0644]
queue-5.4/series
queue-5.4/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch [new file with mode: 0644]

diff --git a/queue-5.4/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch b/queue-5.4/alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
new file mode 100644 (file)
index 0000000..66481f0
--- /dev/null
@@ -0,0 +1,37 @@
+From 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.i.king@gmail.com>
+Date: Sun, 12 Dec 2021 17:20:25 +0000
+Subject: ALSA: drivers: opl3: Fix incorrect use of vp->state
+
+From: Colin Ian King <colin.i.king@gmail.com>
+
+commit 2dee54b289fbc810669a1b2b8a0887fa1c9a14d7 upstream.
+
+Static analysis with scan-build has found an assignment to vp2 that is
+never used. It seems that the check on vp->state > 0 should be actually
+on vp2->state instead. Fix this.
+
+This dates back to 2002, I found the offending commit from the git
+history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git,
+commit 91e39521bbf6 ("[PATCH] ALSA patch for 2.5.4")
+
+Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211212172025.470367-1-colin.i.king@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/drivers/opl3/opl3_midi.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/sound/drivers/opl3/opl3_midi.c
++++ b/sound/drivers/opl3/opl3_midi.c
+@@ -398,7 +398,7 @@ void snd_opl3_note_on(void *p, int note,
+       }
+       if (instr_4op) {
+               vp2 = &opl3->voices[voice + 3];
+-              if (vp->state > 0) {
++              if (vp2->state > 0) {
+                       opl3_reg = reg_side | (OPL3_REG_KEYON_BLOCK +
+                                              voice_offset + 3);
+                       reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT;
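Review bot: The corrected guard now tests `vp2->state`, but the next statement in the same block still takes the key-off value from the first voice, `reg_val = vp->keyon_reg & ~OPL3_KEYON_BIT;`, while writing it to the register at `voice_offset + 3`. If each voice tracks its own `keyon_reg`, this should probably read `reg_val = vp2->keyon_reg & ~OPL3_KEYON_BIT;`. If the paired 4-op voice intentionally reuses the first voice's value, a one-line comment saying so would keep the next static-analysis pass from flagging it again. The hunk also shows no bounds check on `voice + 3` before indexing `opl3->voices`; snd_opl3_note_on() starts and ends outside the hunk, so that may be handled earlier.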
diff --git a/queue-5.4/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch b/queue-5.4/alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
new file mode 100644 (file)
index 0000000..f365ba7
--- /dev/null
@@ -0,0 +1,31 @@
+From d296a74b7b59ff9116236c17edb25f26935dbf70 Mon Sep 17 00:00:00 2001
+From: Bradley Scott <Bradley.Scott@zebra.com>
+Date: Mon, 13 Dec 2021 10:49:39 -0500
+Subject: ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6
+
+From: Bradley Scott <Bradley.Scott@zebra.com>
+
+commit d296a74b7b59ff9116236c17edb25f26935dbf70 upstream.
+
+HP ZBook 15 G6 (SSID 103c:860f) needs the same speaker amplifier
+initialization as used on several other HP laptops using ALC285.
+
+Signed-off-by: Bradley Scott <Bradley.Scott@zebra.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20211213154938.503201-1-Bradley.Scott@zebra.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -8101,6 +8101,7 @@ static const struct snd_pci_quirk alc269
+       SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN),
+       SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+       SND_PCI_QUIRK(0x103c, 0x8519, "HP Spectre x360 15-df0xxx", ALC285_FIXUP_HP_SPECTRE_X360),
++      SND_PCI_QUIRK(0x103c, 0x860f, "HP ZBook 15 G6", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+       SND_PCI_QUIRK(0x103c, 0x861f, "HP Elite Dragonfly G1", ALC285_FIXUP_HP_GPIO_AMP_INIT),
+       SND_PCI_QUIRK(0x103c, 0x869d, "HP", ALC236_FIXUP_HP_MUTE_LED),
+       SND_PCI_QUIRK(0x103c, 0x8724, "HP EliteBook 850 G7", ALC285_FIXUP_HP_GPIO_LED),
diff --git a/queue-5.4/alsa-jack-check-the-return-value-of-kstrdup.patch b/queue-5.4/alsa-jack-check-the-return-value-of-kstrdup.patch
new file mode 100644 (file)
index 0000000..ed825fe
--- /dev/null
@@ -0,0 +1,33 @@
+From c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 Mon Sep 17 00:00:00 2001
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+Date: Mon, 13 Dec 2021 15:39:31 +0800
+Subject: ALSA: jack: Check the return value of kstrdup()
+
+From: Xiaoke Wang <xkernel.wang@foxmail.com>
+
+commit c01c1db1dc632edafb0dff32d40daf4f9c1a4e19 upstream.
+
+kstrdup() can return NULL, it is better to check the return value of it.
+
+Signed-off-by: Xiaoke Wang <xkernel.wang@foxmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/tencent_094816F3522E0DC704056C789352EBBF0606@qq.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/jack.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/sound/core/jack.c
++++ b/sound/core/jack.c
+@@ -220,6 +220,10 @@ int snd_jack_new(struct snd_card *card,
+               return -ENOMEM;
+       jack->id = kstrdup(id, GFP_KERNEL);
++      if (jack->id == NULL) {
++              kfree(jack);
++              return -ENOMEM;
++      }
+       /* don't creat input device for phantom jack */
+       if (!phantom_jack) {
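Review bot: The new check in snd_jack_new() treats every NULL from `kstrdup(id, GFP_KERNEL)` as an allocation failure, but kstrdup() also returns NULL when its argument is NULL, so a caller passing a NULL `id` would now get `-ENOMEM`. Whether any caller does so is not visible here; if `id` is required to be non-NULL, a comment or kernel-doc line stating that would make the contract explicit. As a style point, `if (!jack->id) {` would match the `if (!phantom_jack)` test a few lines below. The function body continues outside the hunk.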
diff --git a/queue-5.4/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch b/queue-5.4/input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch
new file mode 100644 (file)
index 0000000..8f6a5a6
--- /dev/null
@@ -0,0 +1,39 @@
+From 12f247ab590a08856441efdbd351cf2cc8f60a2d Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Exp=C3=B3sito?= <jose.exposito89@gmail.com>
+Date: Sun, 12 Dec 2021 21:01:49 -0800
+Subject: Input: atmel_mxt_ts - fix double free in mxt_read_info_block
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+commit 12f247ab590a08856441efdbd351cf2cc8f60a2d upstream.
+
+The "id_buf" buffer is stored in "data->raw_info_block" and freed by
+"mxt_free_object_table" in case of error.
+
+Return instead of jumping to avoid a double free.
+
+Addresses-Coverity-ID: 1474582 ("Double free")
+Fixes: 068bdb67ef74 ("Input: atmel_mxt_ts - fix the firmware update")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Link: https://lore.kernel.org/r/20211212194257.68879-1-jose.exposito89@gmail.com
+Cc: stable@vger.kernel.org
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/input/touchscreen/atmel_mxt_ts.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/atmel_mxt_ts.c
++++ b/drivers/input/touchscreen/atmel_mxt_ts.c
+@@ -1794,7 +1794,7 @@ static int mxt_read_info_block(struct mx
+       if (error) {
+               dev_err(&client->dev, "Error %d parsing object table\n", error);
+               mxt_free_object_table(data);
+-              goto err_free_mem;
++              return error;
+       }
+       data->object_table = (struct mxt_object *)(id_buf + MXT_OBJECT_START);
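Review bot: The early `return error;` in mxt_read_info_block() skips the `err_free_mem` label without saying why, which makes it easy for a later cleanup refactor to reintroduce the double free. A comment above the return would record the ownership, for example `/* id_buf is data->raw_info_block by now and was freed by mxt_free_object_table() */`. This relies on the commit message's statement that the buffer is already stored in `data->raw_info_block` at this point; that assignment and the label itself are outside the hunk.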
diff --git a/queue-5.4/ipmi-bail-out-if-init_srcu_struct-fails.patch b/queue-5.4/ipmi-bail-out-if-init_srcu_struct-fails.patch
new file mode 100644 (file)
index 0000000..860724b
--- /dev/null
@@ -0,0 +1,37 @@
+From 2b5160b12091285c5aca45980f100a9294af7b04 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 17 Dec 2021 12:44:09 -0300
+Subject: ipmi: bail out if init_srcu_struct fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 2b5160b12091285c5aca45980f100a9294af7b04 upstream.
+
+In case, init_srcu_struct fails (because of memory allocation failure), we
+might proceed with the driver initialization despite srcu_struct not being
+entirely initialized.
+
+Fixes: 913a89f009d9 ("ipmi: Don't initialize anything in the core until something uses it")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: Corey Minyard <cminyard@mvista.com>
+Cc: stable@vger.kernel.org
+Message-Id: <20211217154410.1228673-1-cascardo@canonical.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -5156,7 +5156,9 @@ static int ipmi_init_msghandler(void)
+       if (initialized)
+               goto out;
+-      init_srcu_struct(&ipmi_interfaces_srcu);
++      rv = init_srcu_struct(&ipmi_interfaces_srcu);
++      if (rv)
++              goto out;
+       timer_setup(&ipmi_timer, ipmi_timeout, 0);
+       mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES);
diff --git a/queue-5.4/ipmi-fix-initialization-when-workqueue-allocation-fails.patch b/queue-5.4/ipmi-fix-initialization-when-workqueue-allocation-fails.patch
new file mode 100644 (file)
index 0000000..18c1a2e
--- /dev/null
@@ -0,0 +1,59 @@
+From 75d70d76cb7b927cace2cb34265d68ebb3306b13 Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Fri, 17 Dec 2021 12:44:10 -0300
+Subject: ipmi: fix initialization when workqueue allocation fails
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 75d70d76cb7b927cace2cb34265d68ebb3306b13 upstream.
+
+If the workqueue allocation fails, the driver is marked as not initialized,
+and timer and panic_notifier will be left registered.
+
+Instead of removing those when workqueue allocation fails, do the workqueue
+initialization before doing it, and cleanup srcu_struct if it fails.
+
+Fixes: 1d49eb91e86e ("ipmi: Move remove_work to dedicated workqueue")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Cc: Corey Minyard <cminyard@mvista.com>
+Cc: Ioanna Alifieraki <ioanna-maria.alifieraki@canonical.com>
+Cc: stable@vger.kernel.org
+Message-Id: <20211217154410.1228673-2-cascardo@canonical.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_msghandler.c |   15 +++++++++------
+ 1 file changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -5160,20 +5160,23 @@ static int ipmi_init_msghandler(void)
+       if (rv)
+               goto out;
+-      timer_setup(&ipmi_timer, ipmi_timeout, 0);
+-      mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES);
+-
+-      atomic_notifier_chain_register(&panic_notifier_list, &panic_block);
+-
+       remove_work_wq = create_singlethread_workqueue("ipmi-msghandler-remove-wq");
+       if (!remove_work_wq) {
+               pr_err("unable to create ipmi-msghandler-remove-wq workqueue");
+               rv = -ENOMEM;
+-              goto out;
++              goto out_wq;
+       }
++      timer_setup(&ipmi_timer, ipmi_timeout, 0);
++      mod_timer(&ipmi_timer, jiffies + IPMI_TIMEOUT_JIFFIES);
++
++      atomic_notifier_chain_register(&panic_notifier_list, &panic_block);
++
+       initialized = true;
++out_wq:
++      if (rv)
++              cleanup_srcu_struct(&ipmi_interfaces_srcu);
+ out:
+       mutex_unlock(&ipmi_interfaces_mutex);
+       return rv;
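Review bot: The `out_wq:` label is reached both by the `goto` on workqueue failure and by fall-through after `initialized = true;`, so the cleanup is only correct because of the `if (rv)` guard and because `rv` is zero once the earlier `if (rv) goto out;` has been passed. That is easy to break when another failure path is added, so I would document it at the label, e.g. `/* also reached on success; rv is non-zero only when the workqueue could not be created */`. Separately, the context line `pr_err("unable to create ipmi-msghandler-remove-wq workqueue");` has no trailing `\n`. ipmi_init_msghandler() begins outside the hunk.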
diff --git a/queue-5.4/ipmi-ssif-initialize-ssif_info-client-early.patch b/queue-5.4/ipmi-ssif-initialize-ssif_info-client-early.patch
new file mode 100644 (file)
index 0000000..07609a6
--- /dev/null
@@ -0,0 +1,71 @@
+From 34f35f8f14bc406efc06ee4ff73202c6fd245d15 Mon Sep 17 00:00:00 2001
+From: Mian Yousaf Kaukab <ykaukab@suse.de>
+Date: Wed, 8 Dec 2021 10:32:39 +0100
+Subject: ipmi: ssif: initialize ssif_info->client early
+
+From: Mian Yousaf Kaukab <ykaukab@suse.de>
+
+commit 34f35f8f14bc406efc06ee4ff73202c6fd245d15 upstream.
+
+During probe ssif_info->client is dereferenced in error path. However,
+it is set when some of the error checking has already been done. This
+causes following kernel crash if an error path is taken:
+
+[   30.645593][  T674] ipmi_ssif 0-000e: ipmi_ssif: Not probing, Interface already present
+[   30.657616][  T674] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000088
+...
+[   30.657723][  T674] pc : __dev_printk+0x28/0xa0
+[   30.657732][  T674] lr : _dev_err+0x7c/0xa0
+...
+[   30.657772][  T674] Call trace:
+[   30.657775][  T674]  __dev_printk+0x28/0xa0
+[   30.657778][  T674]  _dev_err+0x7c/0xa0
+[   30.657781][  T674]  ssif_probe+0x548/0x900 [ipmi_ssif 62ce4b08badc1458fd896206d9ef69a3c31f3d3e]
+[   30.657791][  T674]  i2c_device_probe+0x37c/0x3c0
+...
+
+Initialize ssif_info->client before any error path can be taken. Clear
+i2c_client data in the error path to prevent the dangling pointer from
+leaking.
+
+Fixes: c4436c9149c5 ("ipmi_ssif: avoid registering duplicate ssif interface")
+Cc: stable@vger.kernel.org # 5.4.x
+Suggested-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Mian Yousaf Kaukab <ykaukab@suse.de>
+Message-Id: <20211208093239.4432-1-ykaukab@suse.de>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/char/ipmi/ipmi_ssif.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -1704,6 +1704,9 @@ static int ssif_probe(struct i2c_client
+               }
+       }
++      ssif_info->client = client;
++      i2c_set_clientdata(client, ssif_info);
++
+       rv = ssif_check_and_remove(client, ssif_info);
+       /* If rv is 0 and addr source is not SI_ACPI, continue probing */
+       if (!rv && ssif_info->addr_source == SI_ACPI) {
+@@ -1724,9 +1727,6 @@ static int ssif_probe(struct i2c_client
+               ipmi_addr_src_to_str(ssif_info->addr_source),
+               client->addr, client->adapter->name, slave_addr);
+-      ssif_info->client = client;
+-      i2c_set_clientdata(client, ssif_info);
+-
+       /* Now check for system interface capabilities */
+       msg[0] = IPMI_NETFN_APP_REQUEST << 2;
+       msg[1] = IPMI_GET_SYSTEM_INTERFACE_CAPABILITIES_CMD;
+@@ -1926,6 +1926,7 @@ static int ssif_probe(struct i2c_client
+               dev_err(&ssif_info->client->dev,
+                       "Unable to start IPMI SSIF: %d\n", rv);
++              i2c_set_clientdata(client, NULL);
+               kfree(ssif_info);
+       }
+       kfree(resp);
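Review bot: The error path in the last inner hunk still logs through `&ssif_info->client->dev`, which is the dereference that crashed when `client` had not been set yet. Using the probe argument directly, `dev_err(&client->dev, "Unable to start IPMI SSIF: %d\n", rv);`, removes the dependence on initialization order altogether. With `i2c_set_clientdata(client, ssif_info)` now done before `ssif_check_and_remove()`, every exit that frees `ssif_info` has to pass through the block that resets the client data to NULL. The paths between the first and last inner hunks are not visible here, so that should be confirmed against the full ssif_probe().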
diff --git a/queue-5.4/parisc-correct-completer-in-lws-start.patch b/queue-5.4/parisc-correct-completer-in-lws-start.patch
new file mode 100644 (file)
index 0000000..de6bdde
--- /dev/null
@@ -0,0 +1,37 @@
+From 8f66fce0f46560b9e910787ff7ad0974441c4f9c Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Tue, 21 Dec 2021 13:21:22 -0500
+Subject: parisc: Correct completer in lws start
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 8f66fce0f46560b9e910787ff7ad0974441c4f9c upstream.
+
+The completer in the "or,ev %r1,%r30,%r30" instruction is reversed, so we are
+not clipping the LWS number when we are called from a 32-bit process (W=0).
+We need to nulify the following depdi instruction when the least-significant
+bit of %r30 is 1.
+
+If the %r20 register is not clipped, a user process could perform a LWS call
+that would branch to an undefined location in the kernel and potentially crash
+the machine.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Cc: stable@vger.kernel.org # 4.19+
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/parisc/kernel/syscall.S |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/parisc/kernel/syscall.S
++++ b/arch/parisc/kernel/syscall.S
+@@ -478,7 +478,7 @@ lws_start:
+       extrd,u %r1,PSW_W_BIT,1,%r1
+       /* sp must be aligned on 4, so deposit the W bit setting into
+        * the bottom of sp temporarily */
+-      or,ev   %r1,%r30,%r30
++      or,od   %r1,%r30,%r30
+       /* Clip LWS number to a 32-bit value for 32-bit processes */
+       depdi   0, 31, 32, %r20
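Review bot: The comment above the changed instruction in lws_start describes depositing the W bit into sp but not the nullification that the `,od` completer performs, which is what decides whether the user-supplied LWS number in %r20 gets clipped. I would extend the comment on the following instruction, e.g. `/* Clip LWS number to a 32-bit value for 32-bit processes; the ,od above nullifies this depdi when the low bit of %r30 is 1 (W=1) */`. According to the commit message, an unclipped %r20 lets a user process branch to an undefined kernel location, so the condition is worth stating next to the code. Any range check on the clipped value is outside the hunk.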
index 2e5d863b73918c9f9022f5ee4f006dc1713c863f..28b95cb1039db61b66553c080d7709c362a23084 100644 (file)
@@ -19,3 +19,12 @@ hwmon-lm90-add-max6654-support-to-lm90-driver.patch
 hwmon-lm90-add-basic-support-for-ti-tmp461.patch
 hwmon-lm90-introduce-flag-indicating-extended-temper.patch
 hwmon-lm90-drop-critical-attribute-support-for-max66.patch
+alsa-jack-check-the-return-value-of-kstrdup.patch
+alsa-drivers-opl3-fix-incorrect-use-of-vp-state.patch
+alsa-hda-realtek-amp-init-fixup-for-hp-zbook-15-g6.patch
+input-atmel_mxt_ts-fix-double-free-in-mxt_read_info_block.patch
+ipmi-bail-out-if-init_srcu_struct-fails.patch
+ipmi-ssif-initialize-ssif_info-client-early.patch
+ipmi-fix-initialization-when-workqueue-allocation-fails.patch
+parisc-correct-completer-in-lws-start.patch
+x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
diff --git a/queue-5.4/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch b/queue-5.4/x86-pkey-fix-undefined-behaviour-with-pkru_wd_bit.patch
new file mode 100644 (file)
index 0000000..9d82db8
--- /dev/null
@@ -0,0 +1,52 @@
+From 57690554abe135fee81d6ac33cc94d75a7e224bb Mon Sep 17 00:00:00 2001
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+Date: Thu, 16 Dec 2021 00:08:56 +0000
+Subject: x86/pkey: Fix undefined behaviour with PKRU_WD_BIT
+
+From: Andrew Cooper <andrew.cooper3@citrix.com>
+
+commit 57690554abe135fee81d6ac33cc94d75a7e224bb upstream.
+
+Both __pkru_allows_write() and arch_set_user_pkey_access() shift
+PKRU_WD_BIT (a signed constant) by up to 30 bits, hitting the
+sign bit.
+
+Use unsigned constants instead.
+
+Clearly pkey 15 has not been used in combination with UBSAN yet.
+
+Noticed by code inspection only.  I can't actually provoke the
+compiler into generating incorrect logic as far as this shift is
+concerned.
+
+[
+  dhansen: add stable@ tag, plus minor changelog massaging,
+
+           For anyone doing backports, these #defines were in
+          arch/x86/include/asm/pgtable.h before 784a46618f6.
+]
+
+Fixes: 33a709b25a76 ("mm/gup, x86/mm/pkeys: Check VMAs and PTEs for protection keys")
+Signed-off-by: Andrew Cooper <andrew.cooper3@citrix.com>
+Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
+Signed-off-by: Borislav Petkov <bp@suse.de>
+Cc: stable@vger.kernel.org
+Link: https://lkml.kernel.org/r/20211216000856.4480-1-andrew.cooper3@citrix.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/include/asm/pgtable.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable.h
++++ b/arch/x86/include/asm/pgtable.h
+@@ -1375,8 +1375,8 @@ static inline pmd_t pmd_swp_clear_soft_d
+ #endif
+ #endif
+-#define PKRU_AD_BIT 0x1
+-#define PKRU_WD_BIT 0x2
++#define PKRU_AD_BIT 0x1u
++#define PKRU_WD_BIT 0x2u
+ #define PKRU_BITS_PER_PKEY 2
+ #ifdef CONFIG_X86_INTEL_MEMORY_PROTECTION_KEYS
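Review bot: The `u` suffix on `PKRU_AD_BIT` and `PKRU_WD_BIT` carries the whole fix, but nothing at the definition says why it is there, so a later cleanup could drop it. A short comment would help, e.g. `/* unsigned: shifted left by up to 30 bits (pkey 15), which would reach the sign bit of an int */`. If this part of pgtable.h is ever seen by the assembler, a bare `u` suffix may not parse there; whether these lines sit inside a `!__ASSEMBLY__` region is not visible in the hunk.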