--- /dev/null
+From 7369d0473073f3211faa1870760660410eb0532c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 19:26:56 +0900
+Subject: Bluetooth: defer cleanup of resources in hci_unregister_dev()
+
+From: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+
+[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]
+
+syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
+calling lock_sock() with rw spinlock held [1].
+
+It seems that history of this locking problem is a trial and error.
+
+Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
+hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
+lock_sock() as an attempt to fix lockdep warning.
+
+Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
+hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
+local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
+sleep in atomic context warning.
+
+Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
+hci_sock.c") in 3.3-rc1 removed local_bh_disable().
+
+Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
+of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
+lock_sock() as an attempt to fix CVE-2021-3573.
+
+This difficulty comes from current implementation that
+hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
+references from sockets because hci_unregister_dev() immediately
+reclaims resources as soon as returning from
+hci_sock_dev_event(HCI_DEV_UNREG).
+
+But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
+doing what it should do.
+
+Therefore, instead of trying to detach sockets from device, let's accept
+not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
+by moving actual cleanup of resources from hci_unregister_dev() to
+hci_cleanup_dev() which is called by bt_host_release() when all
+references to this unregistered device (which is a kobject) are gone.
+
+Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
+hci_pi(sk)->hdev, we need to check whether this device was unregistered
+and return an error based on HCI_UNREGISTER flag. There might be subtle
+behavioral difference in "monitor the hdev" functionality; please report
+if you found something went wrong due to this patch.
+
+Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
+Reported-by: syzbot <syzbot+a5df189917e79d5e59c9@syzkaller.appspotmail.com>
+Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
+Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
+Acked-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_core.c | 16 +++++------
+ net/bluetooth/hci_sock.c | 49 +++++++++++++++++++++-----------
+ net/bluetooth/hci_sysfs.c | 3 ++
+ 4 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 0cc5e2b4bbf4..51afaaa68408 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1030,6 +1030,7 @@ struct hci_dev *hci_alloc_dev(void);
+ void hci_free_dev(struct hci_dev *hdev);
+ int hci_register_dev(struct hci_dev *hdev);
+ void hci_unregister_dev(struct hci_dev *hdev);
++void hci_cleanup_dev(struct hci_dev *hdev);
+ int hci_suspend_dev(struct hci_dev *hdev);
+ int hci_resume_dev(struct hci_dev *hdev);
+ int hci_reset_dev(struct hci_dev *hdev);
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index ba5c899d1edf..3b2dd98e9fd6 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3181,14 +3181,10 @@ EXPORT_SYMBOL(hci_register_dev);
+ /* Unregister HCI device */
+ void hci_unregister_dev(struct hci_dev *hdev)
+ {
+- int id;
+-
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+
+ hci_dev_set_flag(hdev, HCI_UNREGISTER);
+
+- id = hdev->id;
+-
+ write_lock(&hci_dev_list_lock);
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
+@@ -3217,7 +3213,14 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ }
+
+ device_del(&hdev->dev);
++ /* Actual cleanup is deferred until hci_cleanup_dev(). */
++ hci_dev_put(hdev);
++}
++EXPORT_SYMBOL(hci_unregister_dev);
+
++/* Cleanup HCI device */
++void hci_cleanup_dev(struct hci_dev *hdev)
++{
+ debugfs_remove_recursive(hdev->debugfs);
+ kfree_const(hdev->hw_info);
+ kfree_const(hdev->fw_info);
+@@ -3239,11 +3242,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ hci_discovery_filter_clear(hdev);
+ hci_dev_unlock(hdev);
+
+- hci_dev_put(hdev);
+-
+- ida_simple_remove(&hci_index_ida, id);
++ ida_simple_remove(&hci_index_ida, hdev->id);
+ }
+-EXPORT_SYMBOL(hci_unregister_dev);
+
+ /* Suspend HCI device */
+ int hci_suspend_dev(struct hci_dev *hdev)
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 120064e9cb2b..1ad569581165 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -59,6 +59,17 @@ struct hci_pinfo {
+ char comm[TASK_COMM_LEN];
+ };
+
++static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
++{
++ struct hci_dev *hdev = hci_pi(sk)->hdev;
++
++ if (!hdev)
++ return ERR_PTR(-EBADFD);
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ return ERR_PTR(-EPIPE);
++ return hdev;
++}
++
+ void hci_sock_set_flag(struct sock *sk, int nr)
+ {
+ set_bit(nr, &hci_pi(sk)->flags);
+@@ -747,19 +758,13 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
+ if (event == HCI_DEV_UNREG) {
+ struct sock *sk;
+
+- /* Detach sockets from device */
++ /* Wake up sockets using this dead device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+- hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+- sk->sk_state = BT_OPEN;
+ sk->sk_state_change(sk);
+-
+- hci_dev_put(hdev);
+ }
+- release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
+@@ -918,10 +923,10 @@ static int hci_sock_blacklist_del(struct hci_dev *hdev, void __user *arg)
+ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
+ unsigned long arg)
+ {
+- struct hci_dev *hdev = hci_pi(sk)->hdev;
++ struct hci_dev *hdev = hci_hdev_from_sock(sk);
+
+- if (!hdev)
+- return -EBADFD;
++ if (IS_ERR(hdev))
++ return PTR_ERR(hdev);
+
+ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
+ return -EBUSY;
+@@ -1075,6 +1080,18 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
++ /* Allow detaching from dead device and attaching to alive device, if
++ * the caller wants to re-bind (instead of close) this socket in
++ * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
++ */
++ hdev = hci_pi(sk)->hdev;
++ if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
++ hci_pi(sk)->hdev = NULL;
++ sk->sk_state = BT_OPEN;
++ hci_dev_put(hdev);
++ }
++ hdev = NULL;
++
+ if (sk->sk_state == BT_BOUND) {
+ err = -EALREADY;
+ goto done;
+@@ -1351,9 +1368,9 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+@@ -1713,9 +1730,9 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto done;
+ }
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index d5c7c89ec4d6..b568f7c21b30 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -83,6 +83,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
+ static void bt_host_release(struct device *dev)
+ {
+ struct hci_dev *hdev = to_hci_dev(dev);
++
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ hci_cleanup_dev(hdev);
+ kfree(hdev);
+ module_put(THIS_MODULE);
+ }
+--
+2.30.2
+
--- /dev/null
+From 42186d22a33336af7b44dc7678a57434d4726add Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 Aug 2021 13:38:26 +0300
+Subject: bnx2x: fix an error code in bnx2x_nic_load()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit fb653827c758725b149b5c924a5eb50ab4812750 ]
+
+Set the error code if bnx2x_alloc_fw_stats_mem() fails. The current
+code returns success.
+
+Fixes: ad5afc89365e ("bnx2x: Separate VF and PF logic")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index faa45491ae4d..8c111def8185 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2667,7 +2667,8 @@ int bnx2x_nic_load(struct bnx2x *bp, int load_mode)
+ }
+
+ /* Allocated memory for FW statistics */
+- if (bnx2x_alloc_fw_stats_mem(bp))
++ rc = bnx2x_alloc_fw_stats_mem(bp);
++ if (rc)
+ LOAD_ERROR_EXIT(bp, load_error0);
+
+ /* request pf to initialize status blocks */
+--
+2.30.2
+
--- /dev/null
+From 0fa216d49e5762aa05e7831a157556194fa813f7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 25 Jul 2021 18:07:25 +0200
+Subject: clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
+
+From: Dario Binacchi <dariobin@libero.it>
+
+[ Upstream commit 24b5b1978cd5a80db58e2a19db2f9c36fe8d4f7a ]
+
+Enabling the framebuffer leads to a system hang. Running, as a debug
+hack, the store_pan() function in drivers/video/fbdev/core/fbsysfs.c
+without taking the console_lock, allows to see the crash backtrace on
+the serial line.
+
+~ # echo 0 0 > /sys/class/graphics/fb0/pan
+
+[ 9.719414] Unhandled exception: IPSR = 00000005 LR = fffffff1
+[ 9.726937] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.733008] Hardware name: STM32 (Device Tree Support)
+[ 9.738296] PC is at clk_gate_is_enabled+0x0/0x28
+[ 9.743426] LR is at stm32f4_pll_div_set_rate+0xf/0x38
+[ 9.748857] pc : [<0011e4be>] lr : [<0011f9e3>] psr: 0100000b
+[ 9.755373] sp : 00bc7be0 ip : 00000000 fp : 001f3ac4
+[ 9.760812] r10: 002610d0 r9 : 01efe920 r8 : 00540560
+[ 9.766269] r7 : 02e7ddb0 r6 : 0173eed8 r5 : 00000000 r4 : 004027c0
+[ 9.773081] r3 : 0011e4bf r2 : 02e7ddb0 r1 : 0173eed8 r0 : 1d3267b8
+[ 9.779911] xPSR: 0100000b
+[ 9.782719] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.788791] Hardware name: STM32 (Device Tree Support)
+[ 9.794120] [<0000afa1>] (unwind_backtrace) from [<0000a33f>] (show_stack+0xb/0xc)
+[ 9.802421] [<0000a33f>] (show_stack) from [<0000a8df>] (__invalid_entry+0x4b/0x4c)
+
+The `pll_num' field in the post_div_data configuration contained a wrong
+value which also referenced an uninitialized hardware clock when
+clk_register_pll_div() was called.
+
+Fixes: 517633ef630e ("clk: stm32f4: Add post divisor for I2S & SAI PLLs")
+Signed-off-by: Dario Binacchi <dariobin@libero.it>
+Reviewed-by: Gabriel Fernandez <gabriel.fernandez@st.com>
+Link: https://lore.kernel.org/r/20210725160725.10788-1-dariobin@libero.it
+Signed-off-by: Stephen Boyd <sboyd@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clk/clk-stm32f4.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
+index 96c6b6bc8f0e..46bc5f5d7134 100644
+--- a/drivers/clk/clk-stm32f4.c
++++ b/drivers/clk/clk-stm32f4.c
+@@ -453,7 +453,7 @@ struct stm32f4_pll {
+
+ struct stm32f4_pll_post_div_data {
+ int idx;
+- u8 pll_num;
++ int pll_idx;
+ const char *name;
+ const char *parent;
+ u8 flag;
+@@ -484,13 +484,13 @@ static const struct clk_div_table post_divr_table[] = {
+
+ #define MAX_POST_DIV 3
+ static const struct stm32f4_pll_post_div_data post_div_data[MAX_POST_DIV] = {
+- { CLK_I2SQ_PDIV, PLL_I2S, "plli2s-q-div", "plli2s-q",
++ { CLK_I2SQ_PDIV, PLL_VCO_I2S, "plli2s-q-div", "plli2s-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 0, 5, 0, NULL},
+
+- { CLK_SAIQ_PDIV, PLL_SAI, "pllsai-q-div", "pllsai-q",
++ { CLK_SAIQ_PDIV, PLL_VCO_SAI, "pllsai-q-div", "pllsai-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 8, 5, 0, NULL },
+
+- { NO_IDX, PLL_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
++ { NO_IDX, PLL_VCO_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
+ STM32F4_RCC_DCKCFGR, 16, 2, 0, post_divr_table },
+ };
+
+@@ -1489,7 +1489,7 @@ static void __init stm32f4_rcc_init(struct device_node *np)
+ post_div->width,
+ post_div->flag_div,
+ post_div->div_table,
+- clks[post_div->pll_num],
++ clks[post_div->pll_idx],
+ &stm32f4_clk_lock);
+
+ if (post_div->idx != NO_IDX)
+--
+2.30.2
+
--- /dev/null
+From d9f8123c2b9f7713f1854a91a1519bef9c932456 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 30 Jun 2021 09:58:23 +0200
+Subject: media: videobuf2-core: dequeue if start_streaming fails
+
+From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+
+[ Upstream commit c592b46907adbeb81243f7eb7a468c36692658b8 ]
+
+If a vb2_queue sets q->min_buffers_needed then when the number of
+queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call
+the start_streaming() callback. If start_streaming() returns an error,
+then that error was just returned by vb2_core_qbuf(), but the buffer
+was still queued. However, userspace expects that if VIDIOC_QBUF fails,
+the buffer is returned dequeued.
+
+So if start_streaming() fails, then remove the buffer from the queue,
+thus avoiding this unwanted side-effect.
+
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
+Tested-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
+Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/v4l2-core/videobuf2-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/v4l2-core/videobuf2-core.c b/drivers/media/v4l2-core/videobuf2-core.c
+index f1725da2a90d..5cd496e5010c 100644
+--- a/drivers/media/v4l2-core/videobuf2-core.c
++++ b/drivers/media/v4l2-core/videobuf2-core.c
+@@ -1371,6 +1371,7 @@ static int vb2_start_streaming(struct vb2_queue *q)
+ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ {
+ struct vb2_buffer *vb;
++ enum vb2_buffer_state orig_state;
+ int ret;
+
+ if (q->error) {
+@@ -1400,6 +1401,7 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ * Add to the queued buffers list, a buffer will stay on it until
+ * dequeued in dqbuf.
+ */
++ orig_state = vb->state;
+ list_add_tail(&vb->queued_entry, &q->queued_list);
+ q->queued_count++;
+ q->waiting_for_buffers = false;
+@@ -1430,8 +1432,17 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ if (q->streaming && !q->start_streaming_called &&
+ q->queued_count >= q->min_buffers_needed) {
+ ret = vb2_start_streaming(q);
+- if (ret)
++ if (ret) {
++ /*
++ * Since vb2_core_qbuf will return with an error,
++ * we should return it to state DEQUEUED since
++ * the error indicates that the buffer wasn't queued.
++ */
++ list_del(&vb->queued_entry);
++ q->queued_count--;
++ vb->state = orig_state;
+ return ret;
++ }
+ }
+
+ dprintk(2, "qbuf of buffer %d succeeded\n", vb->index);
+--
+2.30.2
+
--- /dev/null
+From fe0500cdedc44aff0d46cd578f069588db059b9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 8 Jul 2021 10:57:10 +0200
+Subject: mips: Fix non-POSIX regexp
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+[ Upstream commit 28bbbb9875a35975904e46f9b06fa689d051b290 ]
+
+When cross compiling a MIPS kernel on a BSD based HOSTCC leads
+to errors like
+
+ SYNC include/config/auto.conf.cmd - due to: .config
+egrep: empty (sub)expression
+ UPD include/config/kernel.release
+ HOSTCC scripts/dtc/dtc.o - due to target missing
+
+It turns out that egrep uses this egrep pattern:
+
+ (|MINOR_|PATCHLEVEL_)
+
+This is not valid syntax or gives undefined results according
+to POSIX 9.5.3 ERE Grammar
+
+ https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
+
+It seems to be silently accepted by the Linux egrep implementation
+while a BSD host complains.
+
+Such patterns can be replaced by a transformation like
+
+ "(|p1|p2)" -> "(p1|p2)?"
+
+Fixes: 48c35b2d245f ("[MIPS] There is no __GNUC_MAJOR__")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/mips/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index a4a06d173858..1190e6f75d4b 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -314,7 +314,7 @@ LDFLAGS += -m $(ld-emul)
+
+ ifdef CONFIG_MIPS
+ CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
+- egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
++ egrep -vw '__GNUC_(MINOR_|PATCHLEVEL_)?_' | \
+ sed -e "s/^\#define /-D'/" -e "s/ /'='/" -e "s/$$/'/" -e 's/\$$/&&/g')
+ ifdef CONFIG_64BIT
+ CHECKFLAGS += -m64
+--
+2.30.2
+
--- /dev/null
+From 13fe2afa7d48e2fbe868c96082ccb684cd5e741c Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 18:51:51 +0300
+Subject: net: fec: fix use-after-free in fec_drv_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 44712965bf12ae1758cec4de53816ed4b914ca1a ]
+
+Smatch says:
+ drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+ drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+
+Since fep pointer is netdev private data, accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Joakim Zhang <qiangqing.zhang@nxp.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 22f964ef859e..29902b8709f1 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3581,13 +3581,13 @@ fec_drv_remove(struct platform_device *pdev)
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+- free_netdev(ndev);
+
+ clk_disable_unprepare(fep->clk_ahb);
+ clk_disable_unprepare(fep->clk_ipg);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
++ free_netdev(ndev);
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+From 39c974f0e136a860177cf40d83387f3dfd0c627a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sat, 31 Jul 2021 14:38:01 +0800
+Subject: net: natsemi: Fix missing pci_disable_device() in probe and remove
+
+From: Wang Hai <wanghai38@huawei.com>
+
+[ Upstream commit 7fe74dfd41c428afb24e2e615470832fa997ff14 ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/natsemi/natsemi.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
+index 18af2a23a933..779f8042478a 100644
+--- a/drivers/net/ethernet/natsemi/natsemi.c
++++ b/drivers/net/ethernet/natsemi/natsemi.c
+@@ -819,7 +819,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ printk(version);
+ #endif
+
+- i = pci_enable_device(pdev);
++ i = pcim_enable_device(pdev);
+ if (i) return i;
+
+ /* natsemi has a non-standard PM control register
+@@ -852,7 +852,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ ioaddr = ioremap(iostart, iosize);
+ if (!ioaddr) {
+ i = -ENOMEM;
+- goto err_ioremap;
++ goto err_pci_request_regions;
+ }
+
+ /* Work around the dropped serial bit. */
+@@ -974,9 +974,6 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_register_netdev:
+ iounmap(ioaddr);
+
+- err_ioremap:
+- pci_release_regions(pdev);
+-
+ err_pci_request_regions:
+ free_netdev(dev);
+ return i;
+@@ -3244,7 +3241,6 @@ static void natsemi_remove1(struct pci_dev *pdev)
+
+ NATSEMI_REMOVE_FILE(pdev, dspcfg_workaround);
+ unregister_netdev (dev);
+- pci_release_regions (pdev);
+ iounmap(ioaddr);
+ free_netdev (dev);
+ }
+--
+2.30.2
+
--- /dev/null
+From 183c276395e1265c2f43d109e3d8aa962e9d3782 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 17:30:05 +0300
+Subject: net: pegasus: fix uninit-value in get_interrupt_interval
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit af35fc37354cda3c9c8cc4961b1d24bdc9d27903 ]
+
+Syzbot reported uninit value pegasus_probe(). The problem was in missing
+error handling.
+
+get_interrupt_interval() internally calls read_eprom_word() which can
+fail in some cases. For example: failed to receive usb control message.
+These cases should be handled to prevent uninit value bug, since
+read_eprom_word() will not initialize passed stack variable in case of
+internal failure.
+
+Fail log:
+
+BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
+...
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
+ kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
+ get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+ pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+....
+
+Local variable ----data.i@pegasus_probe created at:
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+
+Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/usb/pegasus.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index 5435c34dfcc7..d18a283a0ccf 100644
+--- a/drivers/net/usb/pegasus.c
++++ b/drivers/net/usb/pegasus.c
+@@ -750,12 +750,16 @@ static inline void disable_net_traffic(pegasus_t *pegasus)
+ set_registers(pegasus, EthCtrl0, sizeof(tmp), &tmp);
+ }
+
+-static inline void get_interrupt_interval(pegasus_t *pegasus)
++static inline int get_interrupt_interval(pegasus_t *pegasus)
+ {
+ u16 data;
+ u8 interval;
++ int ret;
++
++ ret = read_eprom_word(pegasus, 4, &data);
++ if (ret < 0)
++ return ret;
+
+- read_eprom_word(pegasus, 4, &data);
+ interval = data >> 8;
+ if (pegasus->usb->speed != USB_SPEED_HIGH) {
+ if (interval < 0x80) {
+@@ -770,6 +774,8 @@ static inline void get_interrupt_interval(pegasus_t *pegasus)
+ }
+ }
+ pegasus->intr_interval = interval;
++
++ return 0;
+ }
+
+ static void set_carrier(struct net_device *net)
+@@ -1188,7 +1194,9 @@ static int pegasus_probe(struct usb_interface *intf,
+ | NETIF_MSG_PROBE | NETIF_MSG_LINK);
+
+ pegasus->features = usb_dev_id[dev_index].private;
+- get_interrupt_interval(pegasus);
++ res = get_interrupt_interval(pegasus);
++ if (res)
++ goto out2;
+ if (reset_mac(pegasus)) {
+ dev_err(&intf->dev, "can't reset MAC\n");
+ res = -EIO;
+--
+2.30.2
+
--- /dev/null
+From ad878da819314d15cf991d6ab91186eaad1810ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 4 Aug 2021 18:52:20 +0300
+Subject: net: vxge: fix use-after-free in vxge_device_unregister
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 942e560a3d3862dd5dee1411dbdd7097d29b8416 ]
+
+Smatch says:
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+
+Since vdev pointer is netdev private data accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Fixes: 6cca200362b4 ("vxge: cleanup probe error paths")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Reviewed-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+index 50ea69d88480..e69e76bb2c77 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+@@ -3537,13 +3537,13 @@ static void vxge_device_unregister(struct __vxge_hw_device *hldev)
+
+ kfree(vdev->vpaths);
+
+- /* we are safe to free it now */
+- free_netdev(dev);
+-
+ vxge_debug_init(vdev->level_trace, "%s: ethernet device unregistered",
+ buf);
+ vxge_debug_entryexit(vdev->level_trace, "%s: %s:%d Exiting...", buf,
+ __func__, __LINE__);
++
++ /* we are safe to free it now */
++ free_netdev(dev);
+ }
+
+ /*
+--
+2.30.2
+
--- /dev/null
+From eb584f747dc48b65179ac39838b30a05f86e6d90 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 3 Aug 2021 12:39:11 +0200
+Subject: nfp: update ethtool reporting of pauseframe control
+
+From: Fei Qin <fei.qin@corigine.com>
+
+[ Upstream commit 9fdc5d85a8fe684cdf24dc31c6bc4a727decfe87 ]
+
+Pauseframe control is set to symmetric mode by default on the NFP.
+Pause frames can not be configured through ethtool now, but ethtool can
+report the supported mode.
+
+Fixes: 265aeb511bd5 ("nfp: add support for .get_link_ksettings()")
+Signed-off-by: Fei Qin <fei.qin@corigine.com>
+Signed-off-by: Louis Peens <louis.peens@corigine.com>
+Signed-off-by: Simon Horman <simon.horman@corigine.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index 8e623d8fa78e..681919f8cbd7 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -271,6 +271,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
+
+ /* Init to unknowns */
+ ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE);
++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
+ cmd->base.port = PORT_OTHER;
+ cmd->base.speed = SPEED_UNKNOWN;
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+--
+2.30.2
+
--- /dev/null
+From d2af24e35f61fefd3038a6db398cc0778cb6617b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 1 Jul 2021 16:00:22 +0200
+Subject: omap5-board-common: remove not physically existing vdds_1v8_main
+ fixed-regulator
+
+From: H. Nikolaus Schaller <hns@goldelico.com>
+
+[ Upstream commit c68ef4ad180e09805fa46965d15e1dfadf09ffa5 ]
+
+This device tree include file describes a fixed-regulator
+connecting smps7_reg output (1.8V) to some 1.8V rail and
+consumers (vdds_1v8_main).
+
+This regulator does not physically exist.
+
+I assume it was introduced as a wrapper around smps7_reg
+to provide a speaking signal name "vdds_1v8_main" as label.
+
+This fixed-regulator without real function was not an issue
+in driver code until
+
+ Commit 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+
+introduced a new check for regulator initialization which
+makes Palmas regulator registration fail:
+
+[ 5.407712] ldo1: supplied by vsys_cobra
+[ 5.412748] ldo2: supplied by vsys_cobra
+[ 5.417603] palmas-pmic 48070000.i2c:palmas@48:palmas_pmic: failed to register 48070000.i2c:palmas@48:palmas_pmic regulator
+
+The reason is that the supply-chain of regulators is too
+long and goes from ldo3 through the virtual vdds_1v8_main
+regulator and then back to smps7. This adds a cross-dependency
+of probing Palmas regulators and the fixed-regulator which
+leads to probe deferral by the new check and is no longer
+resolved.
+
+Since we do not control what device tree files including this
+one reference (either &vdds_1v8_main or &smps7_reg or both)
+we keep both labels for smps7 for compatibility.
+
+Fixes: 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+Signed-off-by: H. Nikolaus Schaller <hns@goldelico.com>
+Signed-off-by: Tony Lindgren <tony@atomide.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/arm/boot/dts/omap5-board-common.dtsi | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/omap5-board-common.dtsi b/arch/arm/boot/dts/omap5-board-common.dtsi
+index c58f14de0145..7d1877c9c361 100644
+--- a/arch/arm/boot/dts/omap5-board-common.dtsi
++++ b/arch/arm/boot/dts/omap5-board-common.dtsi
+@@ -29,14 +29,6 @@
+ regulator-max-microvolt = <5000000>;
+ };
+
+- vdds_1v8_main: fixedregulator-vdds_1v8_main {
+- compatible = "regulator-fixed";
+- regulator-name = "vdds_1v8_main";
+- vin-supply = <&smps7_reg>;
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- };
+-
+ vmmcsd_fixed: fixedregulator-mmcsd {
+ compatible = "regulator-fixed";
+ regulator-name = "vmmcsd_fixed";
+@@ -482,6 +474,7 @@
+ regulator-boot-on;
+ };
+
++ vdds_1v8_main:
+ smps7_reg: smps7 {
+ /* VDDS_1v8_OMAP over VDDS_1v8_MAIN */
+ regulator-name = "smps7";
+--
+2.30.2
+
--- /dev/null
+From 2030e2f30930b40b2733d28ef86aa3a92f5e6ef2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 26 Jul 2021 19:49:13 +0800
+Subject: scsi: sr: Return correct event when media event code is 3
+
+From: Li Manyi <limanyi@uniontech.com>
+
+[ Upstream commit 5c04243a56a7977185b00400e59ca7e108004faf ]
+
+Media event code 3 is defined in the MMC-6 spec as follows:
+
+ "MediaRemoval: The media has been removed from the specified slot, and
+ the Drive is unable to access the media without user intervention. This
+ applies to media changers only."
+
+This indicated that treating the condition as an EJECT_REQUEST was
+appropriate. However, doing so had the unfortunate side-effect of causing
+the drive tray to be physically ejected on resume. Instead treat the event
+as a MEDIA_CHANGE request.
+
+Fixes: 7dd753ca59d6 ("scsi: sr: Return appropriate error code when disk is ejected")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213759
+Link: https://lore.kernel.org/r/20210726114913.6760-1-limanyi@uniontech.com
+Signed-off-by: Li Manyi <limanyi@uniontech.com>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/sr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index a46fbe2d2ee6..be2daf5536ff 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -217,7 +217,7 @@ static unsigned int sr_get_events(struct scsi_device *sdev)
+ else if (med->media_event_code == 2)
+ return DISK_EVENT_MEDIA_CHANGE;
+ else if (med->media_event_code == 3)
+- return DISK_EVENT_EJECT_REQUEST;
++ return DISK_EVENT_MEDIA_CHANGE;
+ return 0;
+ }
+
+--
+2.30.2
+
--- /dev/null
+clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch
+omap5-board-common-remove-not-physically-existing-vd.patch
+scsi-sr-return-correct-event-when-media-event-code-i.patch
+media-videobuf2-core-dequeue-if-start_streaming-fail.patch
+net-natsemi-fix-missing-pci_disable_device-in-probe-.patch
+nfp-update-ethtool-reporting-of-pauseframe-control.patch
+mips-fix-non-posix-regexp.patch
+bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch
+net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch
+net-fec-fix-use-after-free-in-fec_drv_remove.patch
+net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch
+bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
