Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch b/queue-4.14/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch
new file mode 100644 (file)
index 0000000..8dc4ab2
--- /dev/null
+++ b/queue-4.14/drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch
@@ -0,0 +1,344 @@
+From b443755706600f8f5c1b80b9552ef02476501f54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 6 Apr 2022 21:04:43 +0200
+Subject: drbd: Fix five use after free bugs in get_initial_state
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+
+[ Upstream commit aadb22ba2f656581b2f733deb3a467c48cc618f6 ]
+
+In get_initial_state, it calls notify_initial_state_done(skb,..) if
+cb->args[5]==1. If genlmsg_put() failed in notify_initial_state_done(),
+the skb will be freed by nlmsg_free(skb).
+Then get_initial_state will goto out and the freed skb will be used by
+return value skb->len, which is a uaf bug.
+
+What's worse, the same problem goes even further: skb can also be
+freed in the notify_*_state_change -> notify_*_state calls below.
+Thus 4 additional uaf bugs happened.
+
+My patch lets the problem callee functions: notify_initial_state_done
+and notify_*_state_change return an error code if errors happen.
+So that the error codes could be propagated and the uaf bugs can be avoid.
+
+v2 reports a compilation warning. This v3 fixed this warning and built
+successfully in my local environment with no additional warnings.
+v2: https://lore.kernel.org/patchwork/patch/1435218/
+
+Fixes: a29728463b254 ("drbd: Backport the "events2" command")
+Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
+Reviewed-by: Christoph Böhmwalder <christoph.boehmwalder@linbit.com>
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/block/drbd/drbd_int.h          |  8 ++---
+ drivers/block/drbd/drbd_nl.c           | 41 ++++++++++++++++----------
+ drivers/block/drbd/drbd_state.c        | 18 +++++------
+ drivers/block/drbd/drbd_state_change.h |  8 ++---
+ 4 files changed, 42 insertions(+), 33 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_int.h b/drivers/block/drbd/drbd_int.h
+index 7e8589ce631c..204b4a84bdbb 100644
+--- a/drivers/block/drbd/drbd_int.h
++++ b/drivers/block/drbd/drbd_int.h
+@@ -1690,22 +1690,22 @@ struct sib_info {
+ };
+ void drbd_bcast_event(struct drbd_device *device, const struct sib_info *sib);
+ 
+-extern void notify_resource_state(struct sk_buff *,
++extern int notify_resource_state(struct sk_buff *,
+                                 unsigned int,
+                                 struct drbd_resource *,
+                                 struct resource_info *,
+                                 enum drbd_notification_type);
+-extern void notify_device_state(struct sk_buff *,
++extern int notify_device_state(struct sk_buff *,
+                               unsigned int,
+                               struct drbd_device *,
+                               struct device_info *,
+                               enum drbd_notification_type);
+-extern void notify_connection_state(struct sk_buff *,
++extern int notify_connection_state(struct sk_buff *,
+                                   unsigned int,
+                                   struct drbd_connection *,
+                                   struct connection_info *,
+                                   enum drbd_notification_type);
+-extern void notify_peer_device_state(struct sk_buff *,
++extern int notify_peer_device_state(struct sk_buff *,
+                                    unsigned int,
+                                    struct drbd_peer_device *,
+                                    struct peer_device_info *,
+diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
+index 31d7fe4480af..5543876ec0e2 100644
+--- a/drivers/block/drbd/drbd_nl.c
++++ b/drivers/block/drbd/drbd_nl.c
+@@ -4598,7 +4598,7 @@ static int nla_put_notification_header(struct sk_buff *msg,
+       return drbd_notification_header_to_skb(msg, &nh, true);
+ }
+ 
+-void notify_resource_state(struct sk_buff *skb,
++int notify_resource_state(struct sk_buff *skb,
+                          unsigned int seq,
+                          struct drbd_resource *resource,
+                          struct resource_info *resource_info,
+@@ -4640,16 +4640,17 @@ void notify_resource_state(struct sk_buff *skb,
+               if (err && err != -ESRCH)
+                       goto failed;
+       }
+-      return;
++      return 0;
+ 
+ nla_put_failure:
+       nlmsg_free(skb);
+ failed:
+       drbd_err(resource, "Error %d while broadcasting event. Event seq:%u\n",
+                       err, seq);
++      return err;
+ }
+ 
+-void notify_device_state(struct sk_buff *skb,
++int notify_device_state(struct sk_buff *skb,
+                        unsigned int seq,
+                        struct drbd_device *device,
+                        struct device_info *device_info,
+@@ -4689,16 +4690,17 @@ void notify_device_state(struct sk_buff *skb,
+               if (err && err != -ESRCH)
+                       goto failed;
+       }
+-      return;
++      return 0;
+ 
+ nla_put_failure:
+       nlmsg_free(skb);
+ failed:
+       drbd_err(device, "Error %d while broadcasting event. Event seq:%u\n",
+                err, seq);
++      return err;
+ }
+ 
+-void notify_connection_state(struct sk_buff *skb,
++int notify_connection_state(struct sk_buff *skb,
+                            unsigned int seq,
+                            struct drbd_connection *connection,
+                            struct connection_info *connection_info,
+@@ -4738,16 +4740,17 @@ void notify_connection_state(struct sk_buff *skb,
+               if (err && err != -ESRCH)
+                       goto failed;
+       }
+-      return;
++      return 0;
+ 
+ nla_put_failure:
+       nlmsg_free(skb);
+ failed:
+       drbd_err(connection, "Error %d while broadcasting event. Event seq:%u\n",
+                err, seq);
++      return err;
+ }
+ 
+-void notify_peer_device_state(struct sk_buff *skb,
++int notify_peer_device_state(struct sk_buff *skb,
+                             unsigned int seq,
+                             struct drbd_peer_device *peer_device,
+                             struct peer_device_info *peer_device_info,
+@@ -4788,13 +4791,14 @@ void notify_peer_device_state(struct sk_buff *skb,
+               if (err && err != -ESRCH)
+                       goto failed;
+       }
+-      return;
++      return 0;
+ 
+ nla_put_failure:
+       nlmsg_free(skb);
+ failed:
+       drbd_err(peer_device, "Error %d while broadcasting event. Event seq:%u\n",
+                err, seq);
++      return err;
+ }
+ 
+ void notify_helper(enum drbd_notification_type type,
+@@ -4845,7 +4849,7 @@ void notify_helper(enum drbd_notification_type type,
+                err, seq);
+ }
+ 
+-static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
++static int notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
+ {
+       struct drbd_genlmsghdr *dh;
+       int err;
+@@ -4859,11 +4863,12 @@ static void notify_initial_state_done(struct sk_buff *skb, unsigned int seq)
+       if (nla_put_notification_header(skb, NOTIFY_EXISTS))
+               goto nla_put_failure;
+       genlmsg_end(skb, dh);
+-      return;
++      return 0;
+ 
+ nla_put_failure:
+       nlmsg_free(skb);
+       pr_err("Error %d sending event. Event seq:%u\n", err, seq);
++      return err;
+ }
+ 
+ static void free_state_changes(struct list_head *list)
+@@ -4890,6 +4895,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
+       unsigned int seq = cb->args[2];
+       unsigned int n;
+       enum drbd_notification_type flags = 0;
++      int err = 0;
+ 
+       /* There is no need for taking notification_mutex here: it doesn't
+          matter if the initial state events mix with later state chage
+@@ -4898,32 +4904,32 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
+ 
+       cb->args[5]--;
+       if (cb->args[5] == 1) {
+-              notify_initial_state_done(skb, seq);
++              err = notify_initial_state_done(skb, seq);
+               goto out;
+       }
+       n = cb->args[4]++;
+       if (cb->args[4] < cb->args[3])
+               flags |= NOTIFY_CONTINUES;
+       if (n < 1) {
+-              notify_resource_state_change(skb, seq, state_change->resource,
++              err = notify_resource_state_change(skb, seq, state_change->resource,
+                                            NOTIFY_EXISTS | flags);
+               goto next;
+       }
+       n--;
+       if (n < state_change->n_connections) {
+-              notify_connection_state_change(skb, seq, &state_change->connections[n],
++              err = notify_connection_state_change(skb, seq, &state_change->connections[n],
+                                              NOTIFY_EXISTS | flags);
+               goto next;
+       }
+       n -= state_change->n_connections;
+       if (n < state_change->n_devices) {
+-              notify_device_state_change(skb, seq, &state_change->devices[n],
++              err = notify_device_state_change(skb, seq, &state_change->devices[n],
+                                          NOTIFY_EXISTS | flags);
+               goto next;
+       }
+       n -= state_change->n_devices;
+       if (n < state_change->n_devices * state_change->n_connections) {
+-              notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
++              err = notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
+                                               NOTIFY_EXISTS | flags);
+               goto next;
+       }
+@@ -4938,7 +4944,10 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
+               cb->args[4] = 0;
+       }
+ out:
+-      return skb->len;
++      if (err)
++              return err;
++      else
++              return skb->len;
+ }
+ 
+ int drbd_adm_get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
+diff --git a/drivers/block/drbd/drbd_state.c b/drivers/block/drbd/drbd_state.c
+index b452359b6aae..1474250f9440 100644
+--- a/drivers/block/drbd/drbd_state.c
++++ b/drivers/block/drbd/drbd_state.c
+@@ -1549,7 +1549,7 @@ int drbd_bitmap_io_from_worker(struct drbd_device *device,
+       return rv;
+ }
+ 
+-void notify_resource_state_change(struct sk_buff *skb,
++int notify_resource_state_change(struct sk_buff *skb,
+                                 unsigned int seq,
+                                 struct drbd_resource_state_change *resource_state_change,
+                                 enum drbd_notification_type type)
+@@ -1562,10 +1562,10 @@ void notify_resource_state_change(struct sk_buff *skb,
+               .res_susp_fen = resource_state_change->susp_fen[NEW],
+       };
+ 
+-      notify_resource_state(skb, seq, resource, &resource_info, type);
++      return notify_resource_state(skb, seq, resource, &resource_info, type);
+ }
+ 
+-void notify_connection_state_change(struct sk_buff *skb,
++int notify_connection_state_change(struct sk_buff *skb,
+                                   unsigned int seq,
+                                   struct drbd_connection_state_change *connection_state_change,
+                                   enum drbd_notification_type type)
+@@ -1576,10 +1576,10 @@ void notify_connection_state_change(struct sk_buff *skb,
+               .conn_role = connection_state_change->peer_role[NEW],
+       };
+ 
+-      notify_connection_state(skb, seq, connection, &connection_info, type);
++      return notify_connection_state(skb, seq, connection, &connection_info, type);
+ }
+ 
+-void notify_device_state_change(struct sk_buff *skb,
++int notify_device_state_change(struct sk_buff *skb,
+                               unsigned int seq,
+                               struct drbd_device_state_change *device_state_change,
+                               enum drbd_notification_type type)
+@@ -1589,10 +1589,10 @@ void notify_device_state_change(struct sk_buff *skb,
+               .dev_disk_state = device_state_change->disk_state[NEW],
+       };
+ 
+-      notify_device_state(skb, seq, device, &device_info, type);
++      return notify_device_state(skb, seq, device, &device_info, type);
+ }
+ 
+-void notify_peer_device_state_change(struct sk_buff *skb,
++int notify_peer_device_state_change(struct sk_buff *skb,
+                                    unsigned int seq,
+                                    struct drbd_peer_device_state_change *p,
+                                    enum drbd_notification_type type)
+@@ -1606,7 +1606,7 @@ void notify_peer_device_state_change(struct sk_buff *skb,
+               .peer_resync_susp_dependency = p->resync_susp_dependency[NEW],
+       };
+ 
+-      notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type);
++      return notify_peer_device_state(skb, seq, peer_device, &peer_device_info, type);
+ }
+ 
+ static void broadcast_state_change(struct drbd_state_change *state_change)
+@@ -1614,7 +1614,7 @@ static void broadcast_state_change(struct drbd_state_change *state_change)
+       struct drbd_resource_state_change *resource_state_change = &state_change->resource[0];
+       bool resource_state_has_changed;
+       unsigned int n_device, n_connection, n_peer_device, n_peer_devices;
+-      void (*last_func)(struct sk_buff *, unsigned int, void *,
++      int (*last_func)(struct sk_buff *, unsigned int, void *,
+                         enum drbd_notification_type) = NULL;
+       void *uninitialized_var(last_arg);
+ 
+diff --git a/drivers/block/drbd/drbd_state_change.h b/drivers/block/drbd/drbd_state_change.h
+index ba80f612d6ab..d5b0479bc9a6 100644
+--- a/drivers/block/drbd/drbd_state_change.h
++++ b/drivers/block/drbd/drbd_state_change.h
+@@ -44,19 +44,19 @@ extern struct drbd_state_change *remember_old_state(struct drbd_resource *, gfp_
+ extern void copy_old_to_new_state_change(struct drbd_state_change *);
+ extern void forget_state_change(struct drbd_state_change *);
+ 
+-extern void notify_resource_state_change(struct sk_buff *,
++extern int notify_resource_state_change(struct sk_buff *,
+                                        unsigned int,
+                                        struct drbd_resource_state_change *,
+                                        enum drbd_notification_type type);
+-extern void notify_connection_state_change(struct sk_buff *,
++extern int notify_connection_state_change(struct sk_buff *,
+                                          unsigned int,
+                                          struct drbd_connection_state_change *,
+                                          enum drbd_notification_type type);
+-extern void notify_device_state_change(struct sk_buff *,
++extern int notify_device_state_change(struct sk_buff *,
+                                      unsigned int,
+                                      struct drbd_device_state_change *,
+                                      enum drbd_notification_type type);
+-extern void notify_peer_device_state_change(struct sk_buff *,
++extern int notify_peer_device_state_change(struct sk_buff *,
+                                           unsigned int,
+                                           struct drbd_peer_device_state_change *,
+                                           enum drbd_notification_type type);
+-- 
+2.35.1
+

diff --git a/queue-4.14/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch b/queue-4.14/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch
new file mode 100644 (file)
index 0000000..e82d7ab
--- /dev/null
+++ b/queue-4.14/drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch
@@ -0,0 +1,37 @@
+From e8f9134288376d9b4481ca9612386af6e2710dae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 16 Mar 2022 11:41:48 +0300
+Subject: drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit 1647b54ed55d4d48c7199d439f8834626576cbe9 ]
+
+This post-op should be a pre-op so that we do not pass -1 as the bit
+number to test_bit().  The current code will loop downwards from 63 to
+-1.  After changing to a pre-op, it loops from 63 to 0.
+
+Fixes: 71c37505e7ea ("drm/amdgpu/gfx: move more common KIQ code to amdgpu_gfx.c")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+index 4f6c68fc1dd9..f3bdd14e13a0 100644
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+@@ -157,7 +157,7 @@ static int amdgpu_gfx_kiq_acquire(struct amdgpu_device *adev,
+                   * adev->gfx.mec.num_pipe_per_mec
+                   * adev->gfx.mec.num_queue_per_pipe;
+ 
+-      while (queue_bit-- >= 0) {
++      while (--queue_bit >= 0) {
+               if (test_bit(queue_bit, adev->gfx.mec.queue_bitmap))
+                       continue;
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch b/queue-4.14/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch
new file mode 100644 (file)
index 0000000..95de3a4
--- /dev/null
+++ b/queue-4.14/drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch
@@ -0,0 +1,44 @@
+From 4da2d3ff4c1eb114e896343208b2b4ca4be27328 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 8 Jan 2022 17:52:30 +0100
+Subject: drm/imx: Fix memory leak in imx_pd_connector_get_modes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: José Expósito <jose.exposito89@gmail.com>
+
+[ Upstream commit bce81feb03a20fca7bbdd1c4af16b4e9d5c0e1d3 ]
+
+Avoid leaking the display mode variable if of_get_drm_display_mode
+fails.
+
+Fixes: 76ecd9c9fb24 ("drm/imx: parallel-display: check return code from of_get_drm_display_mode()")
+Addresses-Coverity-ID: 1443943 ("Resource leak")
+Signed-off-by: José Expósito <jose.exposito89@gmail.com>
+Signed-off-by: Philipp Zabel <p.zabel@pengutronix.de>
+Link: https://lore.kernel.org/r/20220108165230.44610-1-jose.exposito89@gmail.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/gpu/drm/imx/parallel-display.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/gpu/drm/imx/parallel-display.c b/drivers/gpu/drm/imx/parallel-display.c
+index 8def97d75030..6420dec6cc00 100644
+--- a/drivers/gpu/drm/imx/parallel-display.c
++++ b/drivers/gpu/drm/imx/parallel-display.c
+@@ -77,8 +77,10 @@ static int imx_pd_connector_get_modes(struct drm_connector *connector)
+               ret = of_get_drm_display_mode(np, &imxpd->mode,
+                                             &imxpd->bus_flags,
+                                             OF_USE_NATIVE_MODE);
+-              if (ret)
++              if (ret) {
++                      drm_mode_destroy(connector->dev, mode);
+                       return ret;
++              }
+ 
+               drm_mode_copy(mode, &imxpd->mode);
+               mode->type |= DRM_MODE_TYPE_DRIVER | DRM_MODE_TYPE_PREFERRED,
+-- 
+2.35.1
+

diff --git a/queue-4.14/net-stmmac-fix-unset-max_speed-difference-between-dt.patch b/queue-4.14/net-stmmac-fix-unset-max_speed-difference-between-dt.patch
new file mode 100644 (file)
index 0000000..aed48cc
--- /dev/null
+++ b/queue-4.14/net-stmmac-fix-unset-max_speed-difference-between-dt.patch
@@ -0,0 +1,56 @@
+From 85e97a1c0fcbf94469d61031bf4d3e1363e85537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 1 Apr 2022 02:48:32 +0800
+Subject: net: stmmac: Fix unset max_speed difference between DT and non-DT
+ platforms
+
+From: Chen-Yu Tsai <wens@csie.org>
+
+[ Upstream commit c21cabb0fd0b54b8b54235fc1ecfe1195a23bcb2 ]
+
+In commit 9cbadf094d9d ("net: stmmac: support max-speed device tree
+property"), when DT platforms don't set "max-speed", max_speed is set to
+-1; for non-DT platforms, it stays the default 0.
+
+Prior to commit eeef2f6b9f6e ("net: stmmac: Start adding phylink support"),
+the check for a valid max_speed setting was to check if it was greater
+than zero. This commit got it right, but subsequent patches just checked
+for non-zero, which is incorrect for DT platforms.
+
+In commit 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()")
+the conversion switched completely to checking for non-zero value as a
+valid value, which caused 1000base-T to stop getting advertised by
+default.
+
+Instead of trying to fix all the checks, simply leave max_speed alone if
+DT property parsing fails.
+
+Fixes: 9cbadf094d9d ("net: stmmac: support max-speed device tree property")
+Fixes: 92c3807b9ac3 ("net: stmmac: convert to phylink_get_linkmodes()")
+Signed-off-by: Chen-Yu Tsai <wens@csie.org>
+Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
+Link: https://lore.kernel.org/r/20220331184832.16316-1-wens@kernel.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+index d008e9d1518b..14d11f9fcbe8 100644
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_platform.c
+@@ -388,8 +388,7 @@ stmmac_probe_config_dt(struct platform_device *pdev, const char **mac)
+       plat->interface = of_get_phy_mode(np);
+ 
+       /* Get max speed of operation from device tree */
+-      if (of_property_read_u32(np, "max-speed", &plat->max_speed))
+-              plat->max_speed = -1;
++      of_property_read_u32(np, "max-speed", &plat->max_speed);
+ 
+       plat->bus_id = of_alias_get_id(np, "ethernet");
+       if (plat->bus_id < 0)
+-- 
+2.35.1
+

diff --git a/queue-4.14/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch b/queue-4.14/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch
new file mode 100644 (file)
index 0000000..8e64858
--- /dev/null
+++ b/queue-4.14/scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch
@@ -0,0 +1,40 @@
+From 6d4aaaed0915cab852bb06e15a15d2cc52a98bbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 19 Mar 2022 08:01:24 +0100
+Subject: scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
+
+From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+
+[ Upstream commit 16ed828b872d12ccba8f07bcc446ae89ba662f9c ]
+
+The error handling path of the probe releases a resource that is not freed
+in the remove function. In some cases, a ioremap() must be undone.
+
+Add the missing iounmap() call in the remove function.
+
+Link: https://lore.kernel.org/r/247066a3104d25f9a05de8b3270fc3c848763bcc.1647673264.git.christophe.jaillet@wanadoo.fr
+Fixes: 45804fbb00ee ("[SCSI] 53c700: Amiga Zorro NCR53c710 SCSI")
+Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
+Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/zorro7xx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/scsi/zorro7xx.c b/drivers/scsi/zorro7xx.c
+index aff31991aea9..ee6d97473853 100644
+--- a/drivers/scsi/zorro7xx.c
++++ b/drivers/scsi/zorro7xx.c
+@@ -158,6 +158,8 @@ static void zorro7xx_remove_one(struct zorro_dev *z)
+       scsi_remove_host(host);
+ 
+       NCR_700_release(host);
++      if (host->base > 0x01000000)
++              iounmap(hostdata->base);
+       kfree(hostdata);
+       free_irq(host->irq, host);
+       zorro_release_device(z);
+-- 
+2.35.1
+

diff --git a/queue-4.14/series b/queue-4.14/series
index 42a3248abacc33abf0c11d27d21aeb2275537b9d..21b9fea32503d97346428893db0ae62022ba63f8 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -240,3 +240,8 @@ parisc-fix-cpu-affinity-for-lasi-wax-and-dino-chips.patch
 ipv6-add-missing-tx-timestamping-on-ipproto_raw.patch
 net-add-missing-sof_timestamping_opt_id-support.patch
 mm-fix-race-between-madv_free-reclaim-and-blkdev-dir.patch
+drm-amdgpu-fix-off-by-one-in-amdgpu_gfx_kiq_acquire.patch
+scsi-zorro7xx-fix-a-resource-leak-in-zorro7xx_remove.patch
+net-stmmac-fix-unset-max_speed-difference-between-dt.patch
+drm-imx-fix-memory-leak-in-imx_pd_connector_get_mode.patch
+drbd-fix-five-use-after-free-bugs-in-get_initial_sta.patch