--- /dev/null
+From cb0aae0e31c632c407a2cab4307be85a001d4d98 Mon Sep 17 00:00:00 2001
+From: Zheng Bin <zhengbin13@huawei.com>
+Date: Mon, 15 Jun 2020 09:21:53 +0800
+Subject: 9p: Fix memory leak in v9fs_mount
+
+From: Zheng Bin <zhengbin13@huawei.com>
+
+commit cb0aae0e31c632c407a2cab4307be85a001d4d98 upstream.
+
+v9fs_mount
+ v9fs_session_init
+ v9fs_cache_session_get_cookie
+ v9fs_random_cachetag -->alloc cachetag
+ v9ses->fscache = fscache_acquire_cookie -->maybe NULL
+ sb = sget -->fail, goto clunk
+clunk_fid:
+ v9fs_session_close
+ if (v9ses->fscache) -->NULL
+ kfree(v9ses->cachetag)
+
+Thus memleak happens.
+
+Link: http://lkml.kernel.org/r/20200615012153.89538-1-zhengbin13@huawei.com
+Fixes: 60e78d2c993e ("9p: Add fscache support to 9p")
+Cc: <stable@vger.kernel.org> # v2.6.32+
+Signed-off-by: Zheng Bin <zhengbin13@huawei.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/9p/v9fs.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/fs/9p/v9fs.c
++++ b/fs/9p/v9fs.c
+@@ -457,10 +457,9 @@ void v9fs_session_close(struct v9fs_sess
+ }
+
+ #ifdef CONFIG_9P_FSCACHE
+- if (v9ses->fscache) {
++ if (v9ses->fscache)
+ v9fs_cache_session_put_cookie(v9ses);
+- kfree(v9ses->cachetag);
+- }
++ kfree(v9ses->cachetag);
+ #endif
+ kfree(v9ses->uname);
+ kfree(v9ses->aname);
--- /dev/null
+From 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 Mon Sep 17 00:00:00 2001
+From: Hector Martin <marcan@marcan.st>
+Date: Mon, 10 Aug 2020 17:25:02 +0900
+Subject: ALSA: usb-audio: add quirk for Pioneer DDJ-RB
+
+From: Hector Martin <marcan@marcan.st>
+
+commit 6e8596172ee1cd46ec0bfd5adcf4ff86371478b6 upstream.
+
+This is just another Pioneer device with fixed endpoints. Input is dummy
+but used as feedback (it always returns silence).
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20200810082502.225979-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 56 +++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 56 insertions(+)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3380,5 +3380,61 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ }
+ }
+ },
++{
++ /*
++ * PIONEER DJ DDJ-RB
++ * PCM is 4 channels out, 2 dummy channels in @ 44.1 fixed
++ * The feedback for the output is the dummy input.
++ */
++ USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e),
++ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
++ .ifnum = QUIRK_ANY_INTERFACE,
++ .type = QUIRK_COMPOSITE,
++ .data = (const struct snd_usb_audio_quirk[]) {
++ {
++ .ifnum = 0,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 4,
++ .iface = 0,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .endpoint = 0x01,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC|
++ USB_ENDPOINT_SYNC_ASYNC,
++ .rates = SNDRV_PCM_RATE_44100,
++ .rate_min = 44100,
++ .rate_max = 44100,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) { 44100 }
++ }
++ },
++ {
++ .ifnum = 0,
++ .type = QUIRK_AUDIO_FIXED_ENDPOINT,
++ .data = &(const struct audioformat) {
++ .formats = SNDRV_PCM_FMTBIT_S24_3LE,
++ .channels = 2,
++ .iface = 0,
++ .altsetting = 1,
++ .altset_idx = 1,
++ .endpoint = 0x82,
++ .ep_attr = USB_ENDPOINT_XFER_ISOC|
++ USB_ENDPOINT_SYNC_ASYNC|
++ USB_ENDPOINT_USAGE_IMPLICIT_FB,
++ .rates = SNDRV_PCM_RATE_44100,
++ .rate_min = 44100,
++ .rate_max = 44100,
++ .nr_rates = 1,
++ .rate_table = (unsigned int[]) { 44100 }
++ }
++ },
++ {
++ .ifnum = -1
++ }
++ }
++ }
++},
+
+ #undef USB_DEVICE_VENDOR_SPEC
--- /dev/null
+From fec9008828cde0076aae595ac031bfcf49d335a4 Mon Sep 17 00:00:00 2001
+From: Mirko Dietrich <buzz@l4m1.de>
+Date: Thu, 6 Aug 2020 14:48:50 +0200
+Subject: ALSA: usb-audio: Creative USB X-Fi Pro SB1095 volume knob support
+
+From: Mirko Dietrich <buzz@l4m1.de>
+
+commit fec9008828cde0076aae595ac031bfcf49d335a4 upstream.
+
+Adds an entry for Creative USB X-Fi to the rc_config array in
+mixer_quirks.c to allow use of volume knob on the device.
+Adds support for newer X-Fi Pro card, known as "Model No. SB1095"
+with USB ID "041e:3263"
+
+Signed-off-by: Mirko Dietrich <buzz@l4m1.de>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20200806124850.20334-1-buzz@l4m1.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/mixer_quirks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/usb/mixer_quirks.c
++++ b/sound/usb/mixer_quirks.c
+@@ -195,6 +195,7 @@ static const struct rc_config {
+ { USB_ID(0x041e, 0x3042), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 */
+ { USB_ID(0x041e, 0x30df), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
+ { USB_ID(0x041e, 0x3237), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
++ { USB_ID(0x041e, 0x3263), 0, 1, 1, 1, 1, 0x000d }, /* Usb X-Fi S51 Pro */
+ { USB_ID(0x041e, 0x3048), 2, 2, 6, 6, 2, 0x6e91 }, /* Toshiba SB0500 */
+ };
+
--- /dev/null
+From 14a720dc1f5332f3bdf30a23a3bc549e81be974c Mon Sep 17 00:00:00 2001
+From: Hector Martin <marcan@marcan.st>
+Date: Mon, 10 Aug 2020 13:53:19 +0900
+Subject: ALSA: usb-audio: fix overeager device match for MacroSilicon MS2109
+
+From: Hector Martin <marcan@marcan.st>
+
+commit 14a720dc1f5332f3bdf30a23a3bc549e81be974c upstream.
+
+Matching by device matches all interfaces, which breaks the video/HID
+portions of the device depending on module load order.
+
+Fixes: e337bf19f6af ("ALSA: usb-audio: add quirk for MacroSilicon MS2109")
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20200810045319.128745-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/quirks-table.h | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/sound/usb/quirks-table.h
++++ b/sound/usb/quirks-table.h
+@@ -3335,7 +3335,13 @@ AU0828_DEVICE(0x2040, 0x7270, "Hauppauge
+ * with.
+ */
+ {
+- USB_DEVICE(0x534d, 0x2109),
++ .match_flags = USB_DEVICE_ID_MATCH_DEVICE |
++ USB_DEVICE_ID_MATCH_INT_CLASS |
++ USB_DEVICE_ID_MATCH_INT_SUBCLASS,
++ .idVendor = 0x534d,
++ .idProduct = 0x2109,
++ .bInterfaceClass = USB_CLASS_AUDIO,
++ .bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL,
+ .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ .vendor_name = "MacroSilicon",
+ .product_name = "MS2109",
--- /dev/null
+From 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 Mon Sep 17 00:00:00 2001
+From: Hector Martin <marcan@marcan.st>
+Date: Mon, 10 Aug 2020 17:24:00 +0900
+Subject: ALSA: usb-audio: work around streaming quirk for MacroSilicon MS2109
+
+From: Hector Martin <marcan@marcan.st>
+
+commit 1b7ecc241a67ad6b584e071bd791a54e0cd5f097 upstream.
+
+Further investigation of the L-R swap problem on the MS2109 reveals that
+the problem isn't that the channels are swapped, but rather that they
+are swapped and also out of phase by one sample. In other words, the
+issue is actually that the very first frame that comes from the hardware
+is a half-frame containing only the right channel, and after that
+everything becomes offset.
+
+So introduce a new quirk field to drop the very first 2 bytes that come
+in after the format is configured and a capture stream starts. This puts
+the channels in phase and in the correct order.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Hector Martin <marcan@marcan.st>
+Link: https://lore.kernel.org/r/20200810082400.225858-1-marcan@marcan.st
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ sound/usb/card.h | 1 +
+ sound/usb/pcm.c | 6 ++++++
+ sound/usb/quirks.c | 3 +++
+ sound/usb/stream.c | 1 +
+ 4 files changed, 11 insertions(+)
+
+--- a/sound/usb/card.h
++++ b/sound/usb/card.h
+@@ -125,6 +125,7 @@ struct snd_usb_substream {
+ unsigned int tx_length_quirk:1; /* add length specifier to transfers */
+ unsigned int fmt_type; /* USB audio format type (1-3) */
+ unsigned int pkt_offset_adj; /* Bytes to drop from beginning of packets (for non-compliant devices) */
++ unsigned int stream_offset_adj; /* Bytes to drop from beginning of stream (for non-compliant devices) */
+
+ unsigned int running: 1; /* running status */
+
+--- a/sound/usb/pcm.c
++++ b/sound/usb/pcm.c
+@@ -1312,6 +1312,12 @@ static void retire_capture_urb(struct sn
+ // continue;
+ }
+ bytes = urb->iso_frame_desc[i].actual_length;
++ if (subs->stream_offset_adj > 0) {
++ unsigned int adj = min(subs->stream_offset_adj, bytes);
++ cp += adj;
++ bytes -= adj;
++ subs->stream_offset_adj -= adj;
++ }
+ frames = bytes / stride;
+ if (!subs->txfr_quirk)
+ bytes = frames * stride;
+--- a/sound/usb/quirks.c
++++ b/sound/usb/quirks.c
+@@ -1121,6 +1121,9 @@ void snd_usb_set_format_quirk(struct snd
+ case USB_ID(0x041e, 0x3f19): /* E-Mu 0204 USB */
+ set_format_emu_quirk(subs, fmt);
+ break;
++ case USB_ID(0x534d, 0x2109): /* MacroSilicon MS2109 */
++ subs->stream_offset_adj = 2;
++ break;
+ }
+ }
+
+--- a/sound/usb/stream.c
++++ b/sound/usb/stream.c
+@@ -95,6 +95,7 @@ static void snd_usb_init_substream(struc
+ subs->tx_length_quirk = as->chip->tx_length_quirk;
+ subs->speed = snd_usb_get_speed(subs->dev);
+ subs->pkt_offset_adj = 0;
++ subs->stream_offset_adj = 0;
+
+ snd_usb_set_pcm_ops(as->pcm, stream);
+
--- /dev/null
+From 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 Mon Sep 17 00:00:00 2001
+From: John Allen <john.allen@amd.com>
+Date: Mon, 22 Jun 2020 15:24:02 -0500
+Subject: crypto: ccp - Fix use of merged scatterlists
+
+From: John Allen <john.allen@amd.com>
+
+commit 8a302808c60d441d9884cb00ea7f2b534f2e3ca5 upstream.
+
+Running the crypto manager self tests with
+CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors
+when using the ccp-crypto driver:
+
+alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ...
+
+alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ...
+
+alg: ahash: sha224-ccp test failed (wrong result) on test vector ...
+
+These errors are the result of improper processing of scatterlists mapped
+for DMA.
+
+Given a scatterlist in which entries are merged as part of mapping the
+scatterlist for DMA, the DMA length of a merged entry will reflect the
+combined length of the entries that were merged. The subsequent
+scatterlist entry will contain DMA information for the scatterlist entry
+after the last merged entry, but the non-DMA information will be that of
+the first merged entry.
+
+The ccp driver does not take this scatterlist merging into account. To
+address this, add a second scatterlist pointer to track the current
+position in the DMA mapped representation of the scatterlist. Both the DMA
+representation and the original representation of the scatterlist must be
+tracked as while most of the driver can use just the DMA representation,
+scatterlist_map_and_copy() must use the original representation and
+expects the scatterlist pointer to be accurate to the original
+representation.
+
+In order to properly walk the original scatterlist, the scatterlist must
+be walked until the combined lengths of the entries seen is equal to the
+DMA length of the current entry being processed in the DMA mapped
+representation.
+
+Fixes: 63b945091a070 ("crypto: ccp - CCP device driver and interface support")
+Signed-off-by: John Allen <john.allen@amd.com>
+Cc: stable@vger.kernel.org
+Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/ccp/ccp-dev.h | 1 +
+ drivers/crypto/ccp/ccp-ops.c | 37 ++++++++++++++++++++++++++-----------
+ 2 files changed, 27 insertions(+), 11 deletions(-)
+
+--- a/drivers/crypto/ccp/ccp-dev.h
++++ b/drivers/crypto/ccp/ccp-dev.h
+@@ -444,6 +444,7 @@ struct ccp_sg_workarea {
+ int nents;
+
+ struct scatterlist *dma_sg;
++ struct scatterlist *dma_sg_head;
+ struct device *dma_dev;
+ unsigned int dma_count;
+ enum dma_data_direction dma_dir;
+--- a/drivers/crypto/ccp/ccp-ops.c
++++ b/drivers/crypto/ccp/ccp-ops.c
+@@ -52,7 +52,7 @@ static u32 ccp_gen_jobid(struct ccp_devi
+ static void ccp_sg_free(struct ccp_sg_workarea *wa)
+ {
+ if (wa->dma_count)
+- dma_unmap_sg(wa->dma_dev, wa->dma_sg, wa->nents, wa->dma_dir);
++ dma_unmap_sg(wa->dma_dev, wa->dma_sg_head, wa->nents, wa->dma_dir);
+
+ wa->dma_count = 0;
+ }
+@@ -81,6 +81,7 @@ static int ccp_init_sg_workarea(struct c
+ return 0;
+
+ wa->dma_sg = sg;
++ wa->dma_sg_head = sg;
+ wa->dma_dev = dev;
+ wa->dma_dir = dma_dir;
+ wa->dma_count = dma_map_sg(dev, sg, wa->nents, dma_dir);
+@@ -93,14 +94,28 @@ static int ccp_init_sg_workarea(struct c
+ static void ccp_update_sg_workarea(struct ccp_sg_workarea *wa, unsigned int len)
+ {
+ unsigned int nbytes = min_t(u64, len, wa->bytes_left);
++ unsigned int sg_combined_len = 0;
+
+ if (!wa->sg)
+ return;
+
+ wa->sg_used += nbytes;
+ wa->bytes_left -= nbytes;
+- if (wa->sg_used == wa->sg->length) {
+- wa->sg = sg_next(wa->sg);
++ if (wa->sg_used == sg_dma_len(wa->dma_sg)) {
++ /* Advance to the next DMA scatterlist entry */
++ wa->dma_sg = sg_next(wa->dma_sg);
++
++ /* In the case that the DMA mapped scatterlist has entries
++ * that have been merged, the non-DMA mapped scatterlist
++ * must be advanced multiple times for each merged entry.
++ * This ensures that the current non-DMA mapped entry
++ * corresponds to the current DMA mapped entry.
++ */
++ do {
++ sg_combined_len += wa->sg->length;
++ wa->sg = sg_next(wa->sg);
++ } while (wa->sg_used > sg_combined_len);
++
+ wa->sg_used = 0;
+ }
+ }
+@@ -298,7 +313,7 @@ static unsigned int ccp_queue_buf(struct
+ /* Update the structures and generate the count */
+ buf_count = 0;
+ while (sg_wa->bytes_left && (buf_count < dm_wa->length)) {
+- nbytes = min(sg_wa->sg->length - sg_wa->sg_used,
++ nbytes = min(sg_dma_len(sg_wa->dma_sg) - sg_wa->sg_used,
+ dm_wa->length - buf_count);
+ nbytes = min_t(u64, sg_wa->bytes_left, nbytes);
+
+@@ -330,11 +345,11 @@ static void ccp_prepare_data(struct ccp_
+ * and destination. The resulting len values will always be <= UINT_MAX
+ * because the dma length is an unsigned int.
+ */
+- sg_src_len = sg_dma_len(src->sg_wa.sg) - src->sg_wa.sg_used;
++ sg_src_len = sg_dma_len(src->sg_wa.dma_sg) - src->sg_wa.sg_used;
+ sg_src_len = min_t(u64, src->sg_wa.bytes_left, sg_src_len);
+
+ if (dst) {
+- sg_dst_len = sg_dma_len(dst->sg_wa.sg) - dst->sg_wa.sg_used;
++ sg_dst_len = sg_dma_len(dst->sg_wa.dma_sg) - dst->sg_wa.sg_used;
+ sg_dst_len = min_t(u64, src->sg_wa.bytes_left, sg_dst_len);
+ op_len = min(sg_src_len, sg_dst_len);
+ } else {
+@@ -364,7 +379,7 @@ static void ccp_prepare_data(struct ccp_
+ /* Enough data in the sg element, but we need to
+ * adjust for any previously copied data
+ */
+- op->src.u.dma.address = sg_dma_address(src->sg_wa.sg);
++ op->src.u.dma.address = sg_dma_address(src->sg_wa.dma_sg);
+ op->src.u.dma.offset = src->sg_wa.sg_used;
+ op->src.u.dma.length = op_len & ~(block_size - 1);
+
+@@ -385,7 +400,7 @@ static void ccp_prepare_data(struct ccp_
+ /* Enough room in the sg element, but we need to
+ * adjust for any previously used area
+ */
+- op->dst.u.dma.address = sg_dma_address(dst->sg_wa.sg);
++ op->dst.u.dma.address = sg_dma_address(dst->sg_wa.dma_sg);
+ op->dst.u.dma.offset = dst->sg_wa.sg_used;
+ op->dst.u.dma.length = op->src.u.dma.length;
+ }
+@@ -1447,7 +1462,7 @@ static int ccp_run_passthru_cmd(struct c
+ dst.sg_wa.sg_used = 0;
+ for (i = 1; i <= src.sg_wa.dma_count; i++) {
+ if (!dst.sg_wa.sg ||
+- (dst.sg_wa.sg->length < src.sg_wa.sg->length)) {
++ (sg_dma_len(dst.sg_wa.sg) < sg_dma_len(src.sg_wa.sg))) {
+ ret = -EINVAL;
+ goto e_dst;
+ }
+@@ -1473,8 +1488,8 @@ static int ccp_run_passthru_cmd(struct c
+ goto e_dst;
+ }
+
+- dst.sg_wa.sg_used += src.sg_wa.sg->length;
+- if (dst.sg_wa.sg_used == dst.sg_wa.sg->length) {
++ dst.sg_wa.sg_used += sg_dma_len(src.sg_wa.sg);
++ if (dst.sg_wa.sg_used == sg_dma_len(dst.sg_wa.sg)) {
+ dst.sg_wa.sg = sg_next(dst.sg_wa.sg);
+ dst.sg_wa.sg_used = 0;
+ }
--- /dev/null
+From c06c76602e03bde24ee69a2022a829127e504202 Mon Sep 17 00:00:00 2001
+From: Tom Rix <trix@redhat.com>
+Date: Mon, 13 Jul 2020 07:06:34 -0700
+Subject: crypto: qat - fix double free in qat_uclo_create_batch_init_list
+
+From: Tom Rix <trix@redhat.com>
+
+commit c06c76602e03bde24ee69a2022a829127e504202 upstream.
+
+clang static analysis flags this error
+
+qat_uclo.c:297:3: warning: Attempt to free released memory
+ [unix.Malloc]
+ kfree(*init_tab_base);
+ ^~~~~~~~~~~~~~~~~~~~~
+
+When input *init_tab_base is null, the function allocates memory for
+the head of the list. When there is problem allocating other list
+elements the list is unwound and freed. Then a check is made if the
+list head was allocated and is also freed.
+
+Keeping track of the what may need to be freed is the variable 'tail_old'.
+The unwinding/freeing block is
+
+ while (tail_old) {
+ mem_init = tail_old->next;
+ kfree(tail_old);
+ tail_old = mem_init;
+ }
+
+The problem is that the first element of tail_old is also what was
+allocated for the list head
+
+ init_header = kzalloc(sizeof(*init_header), GFP_KERNEL);
+ ...
+ *init_tab_base = init_header;
+ flag = 1;
+ }
+ tail_old = init_header;
+
+So *init_tab_base/init_header are freed twice.
+
+There is another problem.
+When the input *init_tab_base is non null the tail_old is calculated by
+traveling down the list to first non null entry.
+
+ tail_old = init_header;
+ while (tail_old->next)
+ tail_old = tail_old->next;
+
+When the unwinding free happens, the last entry of the input list will
+be freed.
+
+So the freeing needs a general changed.
+If locally allocated the first element of tail_old is freed, else it
+is skipped. As a bit of cleanup, reset *init_tab_base if it came in
+as null.
+
+Fixes: b4b7e67c917f ("crypto: qat - Intel(R) QAT ucode part of fw loader")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Tom Rix <trix@redhat.com>
+Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/crypto/qat/qat_common/qat_uclo.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/crypto/qat/qat_common/qat_uclo.c
++++ b/drivers/crypto/qat/qat_common/qat_uclo.c
+@@ -332,13 +332,18 @@ static int qat_uclo_create_batch_init_li
+ }
+ return 0;
+ out_err:
++ /* Do not free the list head unless we allocated it. */
++ tail_old = tail_old->next;
++ if (flag) {
++ kfree(*init_tab_base);
++ *init_tab_base = NULL;
++ }
++
+ while (tail_old) {
+ mem_init = tail_old->next;
+ kfree(tail_old);
+ tail_old = mem_init;
+ }
+- if (flag)
+- kfree(*init_tab_base);
+ return -ENOMEM;
+ }
+
--- /dev/null
+From da27e0a0e5f655f0d58d4e153c3182bb2b290f64 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 11 Aug 2020 18:35:24 -0700
+Subject: fs/minix: check return value of sb_getblk()
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit da27e0a0e5f655f0d58d4e153c3182bb2b290f64 upstream.
+
+Patch series "fs/minix: fix syzbot bugs and set s_maxbytes".
+
+This series fixes all syzbot bugs in the minix filesystem:
+
+ KASAN: null-ptr-deref Write in get_block
+ KASAN: use-after-free Write in get_block
+ KASAN: use-after-free Read in get_block
+ WARNING in inc_nlink
+ KMSAN: uninit-value in get_block
+ WARNING in drop_nlink
+
+It also fixes the minix filesystem to set s_maxbytes correctly, so that
+userspace sees the correct behavior when exceeding the max file size.
+
+This patch (of 6):
+
+sb_getblk() can fail, so check its return value.
+
+This fixes a NULL pointer dereference.
+
+Originally from Qiujun Huang.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+4a88b2b9dc280f47baf4@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Qiujun Huang <anenbupt@gmail.com>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200628060846.682158-1-ebiggers@kernel.org
+Link: http://lkml.kernel.org/r/20200628060846.682158-2-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/minix/itree_common.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/fs/minix/itree_common.c
++++ b/fs/minix/itree_common.c
+@@ -74,6 +74,7 @@ static int alloc_branch(struct inode *in
+ int n = 0;
+ int i;
+ int parent = minix_new_block(inode);
++ int err = -ENOSPC;
+
+ branch[0].key = cpu_to_block(parent);
+ if (parent) for (n = 1; n < num; n++) {
+@@ -84,6 +85,11 @@ static int alloc_branch(struct inode *in
+ break;
+ branch[n].key = cpu_to_block(nr);
+ bh = sb_getblk(inode->i_sb, parent);
++ if (!bh) {
++ minix_free_block(inode, nr);
++ err = -ENOMEM;
++ break;
++ }
+ lock_buffer(bh);
+ memset(bh->b_data, 0, bh->b_size);
+ branch[n].bh = bh;
+@@ -102,7 +108,7 @@ static int alloc_branch(struct inode *in
+ bforget(branch[i].bh);
+ for (i = 0; i < n; i++)
+ minix_free_block(inode, block_to_cpu(branch[i].key));
+- return -ENOSPC;
++ return err;
+ }
+
+ static inline int splice_branch(struct inode *inode,
--- /dev/null
+From facb03dddec04e4aac1bb2139accdceb04deb1f3 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 11 Aug 2020 18:35:27 -0700
+Subject: fs/minix: don't allow getting deleted inodes
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit facb03dddec04e4aac1bb2139accdceb04deb1f3 upstream.
+
+If an inode has no links, we need to mark it bad rather than allowing it
+to be accessed. This avoids WARNINGs in inc_nlink() and drop_nlink() when
+doing directory operations on a fuzzed filesystem.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+a9ac3de1b5de5fb10efc@syzkaller.appspotmail.com
+Reported-by: syzbot+df958cf5688a96ad3287@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Qiujun Huang <anenbupt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200628060846.682158-3-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/minix/inode.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/fs/minix/inode.c
++++ b/fs/minix/inode.c
+@@ -472,6 +472,13 @@ static struct inode *V1_minix_iget(struc
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
++ if (raw_inode->i_nlinks == 0) {
++ printk("MINIX-fs: deleted inode referenced: %lu\n",
++ inode->i_ino);
++ brelse(bh);
++ iget_failed(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ inode->i_mode = raw_inode->i_mode;
+ i_uid_write(inode, raw_inode->i_uid);
+ i_gid_write(inode, raw_inode->i_gid);
+@@ -505,6 +512,13 @@ static struct inode *V2_minix_iget(struc
+ iget_failed(inode);
+ return ERR_PTR(-EIO);
+ }
++ if (raw_inode->i_nlinks == 0) {
++ printk("MINIX-fs: deleted inode referenced: %lu\n",
++ inode->i_ino);
++ brelse(bh);
++ iget_failed(inode);
++ return ERR_PTR(-ESTALE);
++ }
+ inode->i_mode = raw_inode->i_mode;
+ i_uid_write(inode, raw_inode->i_uid);
+ i_gid_write(inode, raw_inode->i_gid);
--- /dev/null
+From 270ef41094e9fa95273f288d7d785313ceab2ff3 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Tue, 11 Aug 2020 18:35:30 -0700
+Subject: fs/minix: reject too-large maximum file size
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit 270ef41094e9fa95273f288d7d785313ceab2ff3 upstream.
+
+If the minix filesystem tries to map a very large logical block number to
+its on-disk location, block_to_path() can return offsets that are too
+large, causing out-of-bounds memory accesses when accessing indirect index
+blocks. This should be prevented by the check against the maximum file
+size, but this doesn't work because the maximum file size is read directly
+from the on-disk superblock and isn't validated itself.
+
+Fix this by validating the maximum file size at mount time.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: syzbot+c7d9ec7a1a7272dd71b3@syzkaller.appspotmail.com
+Reported-by: syzbot+3b7b03a0c28948054fb5@syzkaller.appspotmail.com
+Reported-by: syzbot+6e056ee473568865f3e6@syzkaller.appspotmail.com
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Cc: Alexander Viro <viro@zeniv.linux.org.uk>
+Cc: Qiujun Huang <anenbupt@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: http://lkml.kernel.org/r/20200628060846.682158-4-ebiggers@kernel.org
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/minix/inode.c | 22 ++++++++++++++++++++--
+ 1 file changed, 20 insertions(+), 2 deletions(-)
+
+--- a/fs/minix/inode.c
++++ b/fs/minix/inode.c
+@@ -155,6 +155,23 @@ static int minix_remount (struct super_b
+ return 0;
+ }
+
++static bool minix_check_superblock(struct minix_sb_info *sbi)
++{
++ if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
++ return false;
++
++ /*
++ * s_max_size must not exceed the block mapping limitation. This check
++ * is only needed for V1 filesystems, since V2/V3 support an extra level
++ * of indirect blocks which places the limit well above U32_MAX.
++ */
++ if (sbi->s_version == MINIX_V1 &&
++ sbi->s_max_size > (7 + 512 + 512*512) * BLOCK_SIZE)
++ return false;
++
++ return true;
++}
++
+ static int minix_fill_super(struct super_block *s, void *data, int silent)
+ {
+ struct buffer_head *bh;
+@@ -233,11 +250,12 @@ static int minix_fill_super(struct super
+ } else
+ goto out_no_fs;
+
++ if (!minix_check_superblock(sbi))
++ goto out_illegal_sb;
++
+ /*
+ * Allocate the buffer map to keep the superblock small.
+ */
+- if (sbi->s_imap_blocks == 0 || sbi->s_zmap_blocks == 0)
+- goto out_illegal_sb;
+ i = (sbi->s_imap_blocks + sbi->s_zmap_blocks) * sizeof(bh);
+ map = kzalloc(i, GFP_KERNEL);
+ if (!map)
drivers-net-wan-lapbether-added-needed_headroom-and-a-skb-len-check.patch
net-nfc-rawsock.c-add-cap_net_raw-check.patch
net-set-fput_needed-iff-fdput_fput-is-set.patch
+usb-serial-cp210x-re-enable-auto-rts-on-open.patch
+usb-serial-cp210x-enable-usb-generic-throttle-unthrottle.patch
+alsa-usb-audio-creative-usb-x-fi-pro-sb1095-volume-knob-support.patch
+alsa-usb-audio-fix-overeager-device-match-for-macrosilicon-ms2109.patch
+alsa-usb-audio-add-quirk-for-pioneer-ddj-rb.patch
+crypto-qat-fix-double-free-in-qat_uclo_create_batch_init_list.patch
+crypto-ccp-fix-use-of-merged-scatterlists.patch
+fs-minix-check-return-value-of-sb_getblk.patch
+fs-minix-don-t-allow-getting-deleted-inodes.patch
+fs-minix-reject-too-large-maximum-file-size.patch
+alsa-usb-audio-work-around-streaming-quirk-for-macrosilicon-ms2109.patch
+9p-fix-memory-leak-in-v9fs_mount.patch
--- /dev/null
+From 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 Mon Sep 17 00:00:00 2001
+From: Brant Merryman <brant.merryman@silabs.com>
+Date: Fri, 26 Jun 2020 04:22:58 +0000
+Subject: USB: serial: cp210x: enable usb generic throttle/unthrottle
+
+From: Brant Merryman <brant.merryman@silabs.com>
+
+commit 4387b3dbb079d482d3c2b43a703ceed4dd27ed28 upstream.
+
+Assign the .throttle and .unthrottle functions to be generic function
+in the driver structure to prevent data loss that can otherwise occur
+if the host does not enable USB throttling.
+
+Signed-off-by: Brant Merryman <brant.merryman@silabs.com>
+Co-developed-by: Phu Luu <phu.luu@silabs.com>
+Signed-off-by: Phu Luu <phu.luu@silabs.com>
+Link: https://lore.kernel.org/r/57401AF3-9961-461F-95E1-F8AFC2105F5E@silabs.com
+[ johan: fix up tags ]
+Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
+Cc: stable <stable@vger.kernel.org> # 2.6.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -255,6 +255,8 @@ static struct usb_serial_driver cp210x_d
+ .break_ctl = cp210x_break_ctl,
+ .set_termios = cp210x_set_termios,
+ .tx_empty = cp210x_tx_empty,
++ .throttle = usb_serial_generic_throttle,
++ .unthrottle = usb_serial_generic_unthrottle,
+ .tiocmget = cp210x_tiocmget,
+ .tiocmset = cp210x_tiocmset,
+ .port_probe = cp210x_port_probe,
--- /dev/null
+From c7614ff9b73a1e6fb2b1b51396da132ed22fecdb Mon Sep 17 00:00:00 2001
+From: Brant Merryman <brant.merryman@silabs.com>
+Date: Fri, 26 Jun 2020 04:24:20 +0000
+Subject: USB: serial: cp210x: re-enable auto-RTS on open
+
+From: Brant Merryman <brant.merryman@silabs.com>
+
+commit c7614ff9b73a1e6fb2b1b51396da132ed22fecdb upstream.
+
+CP210x hardware disables auto-RTS but leaves auto-CTS when in hardware
+flow control mode and UART on cp210x hardware is disabled. When
+re-opening the port, if auto-CTS is enabled on the cp210x, then auto-RTS
+must be re-enabled in the driver.
+
+Signed-off-by: Brant Merryman <brant.merryman@silabs.com>
+Co-developed-by: Phu Luu <phu.luu@silabs.com>
+Signed-off-by: Phu Luu <phu.luu@silabs.com>
+Link: https://lore.kernel.org/r/ECCF8E73-91F3-4080-BE17-1714BC8818FB@silabs.com
+[ johan: fix up tags and problem description ]
+Fixes: 39a66b8d22a3 ("[PATCH] USB: CP2101 Add support for flow control")
+Cc: stable <stable@vger.kernel.org> # 2.6.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/cp210x.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/usb/serial/cp210x.c
++++ b/drivers/usb/serial/cp210x.c
+@@ -765,6 +765,7 @@ static void cp210x_get_termios_port(stru
+ u32 baud;
+ u16 bits;
+ u32 ctl_hs;
++ u32 flow_repl;
+
+ cp210x_read_u32_reg(port, CP210X_GET_BAUDRATE, &baud);
+
+@@ -865,6 +866,22 @@ static void cp210x_get_termios_port(stru
+ ctl_hs = le32_to_cpu(flow_ctl.ulControlHandshake);
+ if (ctl_hs & CP210X_SERIAL_CTS_HANDSHAKE) {
+ dev_dbg(dev, "%s - flow control = CRTSCTS\n", __func__);
++ /*
++ * When the port is closed, the CP210x hardware disables
++ * auto-RTS and RTS is deasserted but it leaves auto-CTS when
++ * in hardware flow control mode. When re-opening the port, if
++ * auto-CTS is enabled on the cp210x, then auto-RTS must be
++ * re-enabled in the driver.
++ */
++ flow_repl = le32_to_cpu(flow_ctl.ulFlowReplace);
++ flow_repl &= ~CP210X_SERIAL_RTS_MASK;
++ flow_repl |= CP210X_SERIAL_RTS_SHIFT(CP210X_SERIAL_RTS_FLOW_CTL);
++ flow_ctl.ulFlowReplace = cpu_to_le32(flow_repl);
++ cp210x_write_reg_block(port,
++ CP210X_SET_FLOW,
++ &flow_ctl,
++ sizeof(flow_ctl));
++
+ cflag |= CRTSCTS;
+ } else {
+ dev_dbg(dev, "%s - flow control = NONE\n", __func__);
projects / thirdparty / kernel / stable-queue.git / commitdiff
