5.15-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Dec 2021 12:51:16 +0000 (13:51 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 22 Dec 2021 12:51:16 +0000 (13:51 +0100)
added patches:
hid-holtek-fix-mouse-probing.patch
hid-potential-dereference-of-null-pointer.patch
nfsd-fix-readdir-buffer-overflow.patch
pm-sleep-fix-error-handling-in-dpm_prepare.patch
selftests-kvm-fix-non-x86-compiling.patch

queue-5.15/hid-holtek-fix-mouse-probing.patch [new file with mode: 0644]
queue-5.15/hid-potential-dereference-of-null-pointer.patch [new file with mode: 0644]
queue-5.15/nfsd-fix-readdir-buffer-overflow.patch [new file with mode: 0644]
queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch [new file with mode: 0644]
queue-5.15/selftests-kvm-fix-non-x86-compiling.patch [new file with mode: 0644]
queue-5.15/series

diff --git a/queue-5.15/hid-holtek-fix-mouse-probing.patch b/queue-5.15/hid-holtek-fix-mouse-probing.patch
new file mode 100644 (file)
index 0000000..7b62087
--- /dev/null
@@ -0,0 +1,49 @@
+From 93a2207c254ca102ebbdae47b00f19bbfbfa7ecd Mon Sep 17 00:00:00 2001
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Date: Mon, 20 Dec 2021 10:51:20 +0100
+Subject: HID: holtek: fix mouse probing
+
+From: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+
+commit 93a2207c254ca102ebbdae47b00f19bbfbfa7ecd upstream.
+
+An overlook from the previous commit: we don't even parse or start the
+device, meaning that the device is not presented to user space.
+
+Fixes: 93020953d0fa ("HID: check for valid USB device for many HID drivers")
+Cc: stable@vger.kernel.org
+Link: https://bugs.archlinux.org/task/73048
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215341
+Link: https://lore.kernel.org/r/e4efbf13-bd8d-0370-629b-6c80c0044b15@leemhuis.info/
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-holtek-mouse.c |   15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+--- a/drivers/hid/hid-holtek-mouse.c
++++ b/drivers/hid/hid-holtek-mouse.c
+@@ -65,8 +65,23 @@ static __u8 *holtek_mouse_report_fixup(s
+ static int holtek_mouse_probe(struct hid_device *hdev,
+                             const struct hid_device_id *id)
+ {
++      int ret;
++
+       if (!hid_is_usb(hdev))
+               return -EINVAL;
++
++      ret = hid_parse(hdev);
++      if (ret) {
++              hid_err(hdev, "hid parse failed: %d\n", ret);
++              return ret;
++      }
++
++      ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT);
++      if (ret) {
++              hid_err(hdev, "hw start failed: %d\n", ret);
++              return ret;
++      }
++
+       return 0;
+ }
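Review bot: In holtek_mouse_probe() nothing records that the `hid_is_usb()` check has to stay ahead of the newly added `hid_parse()` call. The hunk header shows holtek_mouse_report_fixup() defined just above, and report fixups run while the descriptor is parsed; if that fixup treats the parent device as a USB interface (its body is not visible here), parsing a device on another transport first would undo the protection added by the commit named in Fixes:. A one-line comment above the check would keep a later reorder from doing that, for example `/* Must precede hid_parse(): the report fixup assumes a USB parent. */`.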
diff --git a/queue-5.15/hid-potential-dereference-of-null-pointer.patch b/queue-5.15/hid-potential-dereference-of-null-pointer.patch
new file mode 100644 (file)
index 0000000..19c3c16
--- /dev/null
@@ -0,0 +1,35 @@
+From 13251ce1dd9bb525da2becb9b26fdfb94ca58659 Mon Sep 17 00:00:00 2001
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Date: Wed, 15 Dec 2021 16:36:05 +0800
+Subject: HID: potential dereference of null pointer
+
+From: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+
+commit 13251ce1dd9bb525da2becb9b26fdfb94ca58659 upstream.
+
+The return value of devm_kzalloc() needs to be checked.
+To avoid hdev->dev->driver_data to be null in case of the failure of
+alloc.
+
+Fixes: 14c9c014babe ("HID: add vivaldi HID driver")
+Cc: stable@vger.kernel.org
+Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn>
+Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Link: https://lore.kernel.org/r/20211215083605.117638-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-vivaldi.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/hid/hid-vivaldi.c
++++ b/drivers/hid/hid-vivaldi.c
+@@ -57,6 +57,9 @@ static int vivaldi_probe(struct hid_devi
+       int ret;
+       drvdata = devm_kzalloc(&hdev->dev, sizeof(*drvdata), GFP_KERNEL);
++      if (!drvdata)
++              return -ENOMEM;
++
+       hid_set_drvdata(hdev, drvdata);
+       ret = hid_parse(hdev);
diff --git a/queue-5.15/nfsd-fix-readdir-buffer-overflow.patch b/queue-5.15/nfsd-fix-readdir-buffer-overflow.patch
new file mode 100644 (file)
index 0000000..d732698
--- /dev/null
@@ -0,0 +1,105 @@
+From 53b1119a6e5028b125f431a0116ba73510d82a72 Mon Sep 17 00:00:00 2001
+From: Chuck Lever <chuck.lever@oracle.com>
+Date: Thu, 16 Dec 2021 11:12:11 -0500
+Subject: NFSD: Fix READDIR buffer overflow
+
+From: Chuck Lever <chuck.lever@oracle.com>
+
+commit 53b1119a6e5028b125f431a0116ba73510d82a72 upstream.
+
+If a client sends a READDIR count argument that is too small (say,
+zero), then the buffer size calculation in the new init_dirlist
+helper functions results in an underflow, allowing the XDR stream
+functions to write beyond the actual buffer.
+
+This calculation has always been suspect. NFSD has never sanity-
+checked the READDIR count argument, but the old entry encoders
+managed the problem correctly.
+
+With the commits below, entry encoding changed, exposing the
+underflow to the pointer arithmetic in xdr_reserve_space().
+
+Modern NFS clients attempt to retrieve as much data as possible
+for each READDIR request. Also, we have no unit tests that
+exercise the behavior of READDIR at the lower bound of @count
+values. Thus this case was missed during testing.
+
+Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
+Fixes: f5dcccd647da ("NFSD: Update the NFSv2 READDIR entry encoder to use struct xdr_stream")
+Fixes: 7f87fc2d34d4 ("NFSD: Update NFSv3 READDIR entry encoders to use struct xdr_stream")
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/nfsd/nfs3proc.c |   11 ++++-------
+ fs/nfsd/nfsproc.c  |    8 ++++----
+ 2 files changed, 8 insertions(+), 11 deletions(-)
+
+--- a/fs/nfsd/nfs3proc.c
++++ b/fs/nfsd/nfs3proc.c
+@@ -439,22 +439,19 @@ nfsd3_proc_link(struct svc_rqst *rqstp)
+ static void nfsd3_init_dirlist_pages(struct svc_rqst *rqstp,
+                                    struct nfsd3_readdirres *resp,
+-                                   int count)
++                                   u32 count)
+ {
+       struct xdr_buf *buf = &resp->dirlist;
+       struct xdr_stream *xdr = &resp->xdr;
+-      count = min_t(u32, count, svc_max_payload(rqstp));
++      count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+       memset(buf, 0, sizeof(*buf));
+       /* Reserve room for the NULL ptr & eof flag (-2 words) */
+       buf->buflen = count - XDR_UNIT * 2;
+       buf->pages = rqstp->rq_next_page;
+-      while (count > 0) {
+-              rqstp->rq_next_page++;
+-              count -= PAGE_SIZE;
+-      }
++      rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
+       /* This is xdr_init_encode(), but it assumes that
+        * the head kvec has already been consumed. */
+@@ -463,7 +460,7 @@ static void nfsd3_init_dirlist_pages(str
+       xdr->page_ptr = buf->pages;
+       xdr->iov = NULL;
+       xdr->p = page_address(*buf->pages);
+-      xdr->end = xdr->p + (PAGE_SIZE >> 2);
++      xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
+       xdr->rqst = NULL;
+ }
+--- a/fs/nfsd/nfsproc.c
++++ b/fs/nfsd/nfsproc.c
+@@ -557,17 +557,17 @@ nfsd_proc_rmdir(struct svc_rqst *rqstp)
+ static void nfsd_init_dirlist_pages(struct svc_rqst *rqstp,
+                                   struct nfsd_readdirres *resp,
+-                                  int count)
++                                  u32 count)
+ {
+       struct xdr_buf *buf = &resp->dirlist;
+       struct xdr_stream *xdr = &resp->xdr;
+-      count = min_t(u32, count, PAGE_SIZE);
++      count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+       memset(buf, 0, sizeof(*buf));
+       /* Reserve room for the NULL ptr & eof flag (-2 words) */
+-      buf->buflen = count - sizeof(__be32) * 2;
++      buf->buflen = count - XDR_UNIT * 2;
+       buf->pages = rqstp->rq_next_page;
+       rqstp->rq_next_page++;
+@@ -578,7 +578,7 @@ static void nfsd_init_dirlist_pages(stru
+       xdr->page_ptr = buf->pages;
+       xdr->iov = NULL;
+       xdr->p = page_address(*buf->pages);
+-      xdr->end = xdr->p + (PAGE_SIZE >> 2);
++      xdr->end = (void *)xdr->p + min_t(u32, buf->buflen, PAGE_SIZE);
+       xdr->rqst = NULL;
+ }
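Review bot: In nfsd_init_dirlist_pages() (fs/nfsd/nfsproc.c) the ceiling on the client-supplied `count` moves from PAGE_SIZE to svc_max_payload(rqstp), yet the context line `rqstp->rq_next_page++` still sets aside exactly one page for the directory list. `buf->buflen` can therefore describe more than that one page; the new `xdr->end` line bounds writes within the first page, but whether the stream can then advance into pages that were never reserved depends on encoder code outside this hunk. Unless the NFSv2 reply is meant to span pages, keeping the old ceiling looks safer: `count = clamp(count, (u32)(XDR_UNIT * 2), (u32)PAGE_SIZE);`. The NFSv3 helper in nfs3proc.c does not have this mismatch, since it advances rq_next_page by the page count derived from buflen. Both function bodies continue outside the hunks shown.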
diff --git a/queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch b/queue-5.15/pm-sleep-fix-error-handling-in-dpm_prepare.patch
new file mode 100644 (file)
index 0000000..001e483
--- /dev/null
@@ -0,0 +1,42 @@
+From 544e737dea5ad1a457f25dbddf68761ff25e028b Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Thu, 16 Dec 2021 20:30:18 +0100
+Subject: PM: sleep: Fix error handling in dpm_prepare()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 544e737dea5ad1a457f25dbddf68761ff25e028b upstream.
+
+Commit 2aa36604e824 ("PM: sleep: Avoid calling put_device() under
+dpm_list_mtx") forgot to update the while () loop termination
+condition to also break the loop if error is nonzero, which
+causes the loop to become infinite if device_prepare() returns
+an error for one device.
+
+Add the missing !error check.
+
+Fixes: 2aa36604e824 ("PM: sleep: Avoid calling put_device() under dpm_list_mtx")
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reported-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
+Reviewed-by: Ulf Hansson <ulf.hansson@linaro.org>
+Cc: All applicable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/power/main.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/base/power/main.c
++++ b/drivers/base/power/main.c
+@@ -1906,7 +1906,7 @@ int dpm_prepare(pm_message_t state)
+       device_block_probing();
+       mutex_lock(&dpm_list_mtx);
+-      while (!list_empty(&dpm_list)) {
++      while (!list_empty(&dpm_list) && !error) {
+               struct device *dev = to_device(dpm_list.next);
+               get_device(dev);
diff --git a/queue-5.15/selftests-kvm-fix-non-x86-compiling.patch b/queue-5.15/selftests-kvm-fix-non-x86-compiling.patch
new file mode 100644 (file)
index 0000000..e0133e8
--- /dev/null
@@ -0,0 +1,76 @@
+From 577e022b7b41854911dcfb03678d8d2b930e8a3f Mon Sep 17 00:00:00 2001
+From: Andrew Jones <drjones@redhat.com>
+Date: Tue, 14 Dec 2021 16:18:42 +0100
+Subject: selftests: KVM: Fix non-x86 compiling
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Andrew Jones <drjones@redhat.com>
+
+commit 577e022b7b41854911dcfb03678d8d2b930e8a3f upstream.
+
+Attempting to compile on a non-x86 architecture fails with
+
+include/kvm_util.h: In function â€˜vm_compute_max_gfn’:
+include/kvm_util.h:79:21: error: dereferencing pointer to incomplete type â€˜struct kvm_vm’
+  return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
+                     ^~
+
+This is because the declaration of struct kvm_vm is in
+lib/kvm_util_internal.h as an effort to make it private to
+the test lib code. We can still provide arch specific functions,
+though, by making the generic function symbols weak. Do that to
+fix the compile error.
+
+Fixes: c8cc43c1eae2 ("selftests: KVM: avoid failures due to reserved HyperTransport region")
+Cc: stable@vger.kernel.org
+Signed-off-by: Andrew Jones <drjones@redhat.com>
+Message-Id: <20211214151842.848314-1-drjones@redhat.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/kvm/include/kvm_util.h |   10 +---------
+ tools/testing/selftests/kvm/lib/kvm_util.c     |    5 +++++
+ 2 files changed, 6 insertions(+), 9 deletions(-)
+
+--- a/tools/testing/selftests/kvm/include/kvm_util.h
++++ b/tools/testing/selftests/kvm/include/kvm_util.h
+@@ -69,15 +69,6 @@ enum vm_guest_mode {
+ #endif
+-#if defined(__x86_64__)
+-unsigned long vm_compute_max_gfn(struct kvm_vm *vm);
+-#else
+-static inline unsigned long vm_compute_max_gfn(struct kvm_vm *vm)
+-{
+-      return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
+-}
+-#endif
+-
+ #define MIN_PAGE_SIZE         (1U << MIN_PAGE_SHIFT)
+ #define PTES_PER_MIN_PAGE     ptes_per_page(MIN_PAGE_SIZE)
+@@ -318,6 +309,7 @@ bool vm_is_unrestricted_guest(struct kvm
+ unsigned int vm_get_page_size(struct kvm_vm *vm);
+ unsigned int vm_get_page_shift(struct kvm_vm *vm);
++unsigned long vm_compute_max_gfn(struct kvm_vm *vm);
+ uint64_t vm_get_max_gfn(struct kvm_vm *vm);
+ int vm_get_fd(struct kvm_vm *vm);
+--- a/tools/testing/selftests/kvm/lib/kvm_util.c
++++ b/tools/testing/selftests/kvm/lib/kvm_util.c
+@@ -2282,6 +2282,11 @@ unsigned int vm_get_page_shift(struct kv
+       return vm->page_shift;
+ }
++unsigned long __attribute__((weak)) vm_compute_max_gfn(struct kvm_vm *vm)
++{
++      return ((1ULL << vm->pa_bits) >> vm->page_shift) - 1;
++}
++
+ uint64_t vm_get_max_gfn(struct kvm_vm *vm)
+ {
+       return vm->max_gfn;
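Review bot: The weak vm_compute_max_gfn() added to lib/kvm_util.c has no comment marking it as an overridable default, so a reader of this file cannot tell that a different definition may be chosen at link time. The removed header lines show x86_64 previously had its own declaration, presumably backed by a strong definition in arch code outside this patch. A short comment above the function would do, for example `/* Generic default; an architecture may supply a strong definition instead. */`. Separately, it returns `unsigned long` while the neighbouring vm_get_max_gfn() returns `uint64_t`, so the computed value would be truncated on a build where long is 32 bits; it is worth confirming that cannot matter for these selftests.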
index 960b737c2d02776ce0dabfc91c2d326b31eb2876..1a0882ddafb5c7ab2835161cc7e5e2a6bed4fe0c 100644 (file)
@@ -3,3 +3,8 @@ net-usb-lan78xx-add-allied-telesis-at29m2-af.patch
 ext4-prevent-partial-update-of-the-extent-blocks.patch
 ext4-check-for-out-of-order-index-extents-in-ext4_valid_extent_entries.patch
 ext4-check-for-inconsistent-extents-between-index-and-leaf-block.patch
+selftests-kvm-fix-non-x86-compiling.patch
+hid-holtek-fix-mouse-probing.patch
+hid-potential-dereference-of-null-pointer.patch
+nfsd-fix-readdir-buffer-overflow.patch
+pm-sleep-fix-error-handling-in-dpm_prepare.patch