From: Sasha Levin Date: Wed, 16 Jun 2021 11:58:20 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.4.127~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=35a2e914e2d47b32e14e92251d5cf657cc7c5064;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch b/queue-4.14/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch new file mode 100644 index 00000000000..a31e075843c --- /dev/null +++ b/queue-4.14/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch @@ -0,0 +1,49 @@ +From 50fab7459bb641c2fcc75d70344a9b8e1385561e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 13:15:33 +0000 +Subject: ARM: OMAP2+: Fix build warning when mmc_omap is not built + +From: Yongqiang Liu + +[ Upstream commit 040ab72ee10ea88e1883ad143b3e2b77596abc31 ] + +GCC reports the following warning with W=1: + +arch/arm/mach-omap2/board-n8x0.c:325:19: warning: +variable 'index' set but not used [-Wunused-but-set-variable] +325 | int bit, *openp, index; + | ^~~~~ + +Fix this by moving CONFIG_MMC_OMAP to cover the rest codes +in the n8x0_mmc_callback(). + +Signed-off-by: Yongqiang Liu +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index 20f25539d572..47abea1475d4 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, int slot) + + static void n8x0_mmc_callback(void *data, u8 card_mask) + { ++#ifdef CONFIG_MMC_OMAP + int bit, *openp, index; + + if (board_is_n800()) { +@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask) + else + *openp = 0; + +-#ifdef CONFIG_MMC_OMAP + omap_mmc_notify_cover_event(mmc_device, index, *openp); + #else + pr_warn("MMC: notify cover event not available\n"); +-- +2.30.2 + diff --git a/queue-4.14/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch b/queue-4.14/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch new file mode 100644 index 00000000000..e43b4a7b514 --- /dev/null +++ b/queue-4.14/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch @@ -0,0 +1,40 @@ +From f6f64a36868434a44856f9bee56f8ab7e5ec23d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:04:51 +0800 +Subject: ethernet: myri10ge: Fix missing error code in myri10ge_probe() + +From: Jiapeng Chong + +[ Upstream commit f336d0b93ae978f12c5e27199f828da89b91e56a ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'status'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe() +warn: missing error code 'status'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index a0a555052d8c..1ac2bc75edb1 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + dev_err(&pdev->dev, + "invalid sram_size %dB or board span %ldB\n", + mgp->sram_size, mgp->board_span); ++ status = -EINVAL; + goto abort_with_ioremap; + } + memcpy_fromio(mgp->eeprom_strings, +-- +2.30.2 + diff --git a/queue-4.14/fib-return-the-correct-errno-code.patch b/queue-4.14/fib-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..c45e84c7fd9 --- /dev/null +++ b/queue-4.14/fib-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From 5b3b0614f1f4b898139e30a0c3e69f6a5402753d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:58 +0800 +Subject: fib: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit 59607863c54e9eb3f69afc5257dfe71c38bb751e ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/fib_rules.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index 9bb321df0869..76c3f602ee15 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule *rule, + { + struct net *net; + struct sk_buff *skb; +- int err = -ENOBUFS; ++ int err = -ENOMEM; + + net = ops->fro_net; + skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL); +-- +2.30.2 + diff --git a/queue-4.14/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch b/queue-4.14/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch new file mode 100644 index 00000000000..480ee17d96a --- /dev/null +++ b/queue-4.14/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch @@ -0,0 +1,51 @@ +From e7d387bcb97d356461929f9c08bd7202467d2613 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 16:46:25 +0800 +Subject: gfs2: Fix use-after-free in gfs2_glock_shrink_scan + +From: Hillf Danton + +[ Upstream commit 1ab19c5de4c537ec0d9b21020395a5b5a6c059b2 ] + +The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to +remove the glock from the lru list in __gfs2_glock_put(). + +On the shrink scan path, the same flag is cleared under lru_lock but because +of cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the +put side can be made without deleting the glock from the lru list. + +Keep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to +ensure correct behavior on both sides - clear GLF_LRU after list_del under +lru_lock. + +Reported-by: syzbot +Signed-off-by: Hillf Danton +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index 0a0dd3178483..be969f24ccf0 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1456,6 +1456,7 @@ __acquires(&lru_lock) + while(!list_empty(list)) { + gl = list_entry(list->next, struct gfs2_glock, gl_lru); + list_del_init(&gl->gl_lru); ++ clear_bit(GLF_LRU, &gl->gl_flags); + if (!spin_trylock(&gl->gl_lockref.lock)) { + add_back_to_lru: + list_add(&gl->gl_lru, &lru_list); +@@ -1501,7 +1502,6 @@ static long gfs2_scan_glock_lru(int nr) + if (!test_bit(GLF_LOCK, &gl->gl_flags)) { + list_move(&gl->gl_lru, &dispose); + atomic_dec(&lru_count); +- clear_bit(GLF_LRU, &gl->gl_flags); + freed++; + continue; + } +-- +2.30.2 + diff --git a/queue-4.14/hid-add-bus_virtual-to-hid_connect-logging.patch b/queue-4.14/hid-add-bus_virtual-to-hid_connect-logging.patch new file mode 100644 index 00000000000..6531093c43b --- /dev/null +++ b/queue-4.14/hid-add-bus_virtual-to-hid_connect-logging.patch @@ -0,0 +1,36 @@ +From 7f1df4edbacdef923b57abafcb17db071cff42c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 17:39:38 +0100 +Subject: HID: Add BUS_VIRTUAL to hid_connect logging + +From: Mark Bolhuis + +[ Upstream commit 48e33befe61a7d407753c53d1a06fc8d6b5dab80 ] + +Add BUS_VIRTUAL to hid_connect logging since it's a valid hid bus type and it +should not print + +Signed-off-by: Mark Bolhuis +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 71ee1267d2ef..381ab96c1e38 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1824,6 +1824,9 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask) + case BUS_I2C: + bus = "I2C"; + break; ++ case BUS_VIRTUAL: ++ bus = "VIRTUAL"; ++ break; + default: + bus = ""; + } +-- +2.30.2 + diff --git a/queue-4.14/hid-gt683r-add-missing-module_device_table.patch b/queue-4.14/hid-gt683r-add-missing-module_device_table.patch new file mode 100644 index 00000000000..6b8d79180a5 --- /dev/null +++ b/queue-4.14/hid-gt683r-add-missing-module_device_table.patch @@ -0,0 +1,36 @@ +From b5dfb7e7e701c430edd5c517b81ba20f0ce995f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:14:48 +0800 +Subject: HID: gt683r: add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit a4b494099ad657f1cb85436d333cf38870ee95bc ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-gt683r.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c +index a298fbd8db6b..8ca4c1baeda8 100644 +--- a/drivers/hid/hid-gt683r.c ++++ b/drivers/hid/hid-gt683r.c +@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) }, + { } + }; ++MODULE_DEVICE_TABLE(hid, gt683r_led_id); + + static void gt683r_brightness_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +-- +2.30.2 + diff --git a/queue-4.14/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch b/queue-4.14/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch new file mode 100644 index 00000000000..78f519641ac --- /dev/null +++ b/queue-4.14/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch @@ -0,0 +1,53 @@ +From 34f78989523233719da53b94b12f19e5543e7894 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 11:52:31 -0700 +Subject: HID: hid-sensor-hub: Return error for hid_set_field() failure + +From: Srinivas Pandruvada + +[ Upstream commit edb032033da0dc850f6e7740fa1023c73195bc89 ] + +In the function sensor_hub_set_feature(), return error when hid_set_field() +fails. + +Signed-off-by: Srinivas Pandruvada +Acked-by: Jonathan Cameron +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-hub.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index aa078c1dad14..6c7e12d8e7d9 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + buffer_size = buffer_size / sizeof(__s32); + if (buffer_size) { + for (i = 0; i < buffer_size; ++i) { +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(*buf32)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(*buf32)); ++ if (ret) ++ goto done_proc; ++ + ++buf32; + } + } + if (remaining_bytes) { + value = 0; + memcpy(&value, (u8 *)buf32, remaining_bytes); +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(value)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(value)); ++ if (ret) ++ goto done_proc; + } + hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT); + hid_hw_wait(hsdev->hdev); +-- +2.30.2 + diff --git a/queue-4.14/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch b/queue-4.14/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch new file mode 100644 index 00000000000..f2978cfd9b0 --- /dev/null +++ b/queue-4.14/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch @@ -0,0 +1,59 @@ +From 0324024965dec3ff8c4c685dd5826f9d4fc5d087 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 23:03:53 +0530 +Subject: HID: usbhid: fix info leak in hid_submit_ctrl + +From: Anirudh Rayabharam + +[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ] + +In hid_submit_ctrl(), the way of calculating the report length doesn't +take into account that report->size can be zero. When running the +syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to +calculate transfer_buffer_length as 16384. When this urb is passed to +the usb core layer, KMSAN reports an info leak of 16384 bytes. + +To fix this, first modify hid_report_len() to account for the zero +report size case by using DIV_ROUND_UP for the division. Then, call it +from hid_submit_ctrl(). + +Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com +Signed-off-by: Anirudh Rayabharam +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/usbhid/hid-core.c | 2 +- + include/linux/hid.h | 3 +-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index 98916fb4191a..46b8f4c353de 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid) + raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report; + dir = usbhid->ctrl[usbhid->ctrltail].dir; + +- len = ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ len = hid_report_len(report); + if (dir == USB_DIR_OUT) { + usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0); + usbhid->urbctrl->transfer_buffer_length = len; +diff --git a/include/linux/hid.h b/include/linux/hid.h +index d07fe33a9045..5a2c55ed33fa 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev) + */ + static inline u32 hid_report_len(struct hid_report *report) + { +- /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ +- return ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ return DIV_ROUND_UP(report->size, 8) + (report->id > 0); + } + + int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, +-- +2.30.2 + diff --git a/queue-4.14/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch b/queue-4.14/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch new file mode 100644 index 00000000000..a5ac8feda16 --- /dev/null +++ b/queue-4.14/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch @@ -0,0 +1,53 @@ +From 63cc39ddd013aa7d5a39aec3ba58c9c762402a59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 00:02:13 -0400 +Subject: net: ieee802154: fix null deref in parse dev addr + +From: Dan Robertson + +[ Upstream commit 9fdd04918a452980631ecc499317881c1d120b70 ] + +Fix a logic error that could result in a null deref if the user sets +the mode incorrectly for the given addr type. + +Signed-off-by: Dan Robertson +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210423040214.15438-2-dan@dlrobertson.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/nl802154.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c +index b1c55db73764..6d4c71a52b6b 100644 +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla, + nl802154_dev_addr_policy, NULL)) + return -EINVAL; + +- if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || +- !attrs[NL802154_DEV_ADDR_ATTR_MODE] || +- !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] || +- attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])) ++ if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || !attrs[NL802154_DEV_ADDR_ATTR_MODE]) + return -EINVAL; + + addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]); + addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]); + switch (addr->mode) { + case NL802154_DEV_ADDR_SHORT: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT]) ++ return -EINVAL; + addr->short_addr = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]); + break; + case NL802154_DEV_ADDR_EXTENDED: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]) ++ return -EINVAL; + addr->extended_addr = nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]); + break; + default: +-- +2.30.2 + diff --git a/queue-4.14/net-ipconfig-don-t-override-command-line-hostnames-o.patch b/queue-4.14/net-ipconfig-don-t-override-command-line-hostnames-o.patch new file mode 100644 index 00000000000..2048bafe436 --- /dev/null +++ b/queue-4.14/net-ipconfig-don-t-override-command-line-hostnames-o.patch @@ -0,0 +1,62 @@ +From 7735465e9d803787961d0cbf9ad7d84c5c471b87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 18:38:41 -0700 +Subject: net: ipconfig: Don't override command-line hostnames or domains + +From: Josh Triplett + +[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ] + +If the user specifies a hostname or domain name as part of the ip= +command-line option, preserve it and don't overwrite it with one +supplied by DHCP/BOOTP. + +For instance, ip=::::myhostname::dhcp will use "myhostname" rather than +ignoring and overwriting it. + +Fix the comment on ic_bootp_string that suggests it only copies a string +"if not already set"; it doesn't have any such logic. + +Signed-off-by: Josh Triplett +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ipconfig.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c +index f0782c91514c..41e384834d50 100644 +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d + + + /* +- * Copy BOOTP-supplied string if not already set. ++ * Copy BOOTP-supplied string + */ + static int __init ic_bootp_string(char *dest, char *src, int len, int max) + { +@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext) + } + break; + case 12: /* Host name */ +- ic_bootp_string(utsname()->nodename, ext+1, *ext, +- __NEW_UTS_LEN); +- ic_host_name_set = 1; ++ if (!ic_host_name_set) { ++ ic_bootp_string(utsname()->nodename, ext+1, *ext, ++ __NEW_UTS_LEN); ++ ic_host_name_set = 1; ++ } + break; + case 15: /* Domain name (DNS) */ +- ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); ++ if (!ic_domain[0]) ++ ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); + break; + case 17: /* Root path */ + if (!root_server_path[0]) +-- +2.30.2 + diff --git a/queue-4.14/net-return-the-correct-errno-code.patch b/queue-4.14/net-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..0efc04300e3 --- /dev/null +++ b/queue-4.14/net-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From 75b45edd9c641ade7626facc296e89d7807f6f0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:40 +0800 +Subject: net: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit 49251cd00228a3c983651f6bb2f33f6a0b8f152e ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/compat.c b/net/compat.c +index 45349658ed01..2ec822f4e409 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk, + if (kcmlen > stackbuf_size) + kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL); + if (kcmsg == NULL) +- return -ENOBUFS; ++ return -ENOMEM; + + /* Now copy them over neatly. */ + memset(kcmsg, 0, kcmlen); +-- +2.30.2 + diff --git a/queue-4.14/net-x25-return-the-correct-errno-code.patch b/queue-4.14/net-x25-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..4dcc8464834 --- /dev/null +++ b/queue-4.14/net-x25-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From 9ab57ad9227579df06993a663640ca01473ccf56 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:30 +0800 +Subject: net/x25: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit d7736958668c4facc15f421e622ffd718f5be80a ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 987e5f8cafbe..fd0a6c6c77b6 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol, + if (protocol) + goto out; + +- rc = -ENOBUFS; ++ rc = -ENOMEM; + if ((sk = x25_alloc_socket(net, kern)) == NULL) + goto out; + +-- +2.30.2 + diff --git a/queue-4.14/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch b/queue-4.14/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch new file mode 100644 index 00000000000..728bad3711b --- /dev/null +++ b/queue-4.14/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch @@ -0,0 +1,39 @@ +From ad8635d7b9b85eb95f19280073fae1e79078a05d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:17 +0200 +Subject: nvme-loop: check for NVME_LOOP_Q_LIVE in + nvme_loop_destroy_admin_queue() + +From: Hannes Reinecke + +[ Upstream commit 4237de2f73a669e4f89ac0aa2b44fb1a1d9ec583 ] + +We need to check the NVME_LOOP_Q_LIVE flag in +nvme_loop_destroy_admin_queue() to protect against duplicate +invocations eg during concurrent reset and remove calls. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 963d8de932d1..7a0a10777cd1 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = { + + static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl) + { +- clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); ++ if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags)) ++ return; + nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + blk_cleanup_queue(ctrl->ctrl.admin_q); + blk_mq_free_tag_set(&ctrl->admin_tag_set); +-- +2.30.2 + diff --git a/queue-4.14/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch b/queue-4.14/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch new file mode 100644 index 00000000000..bb1ede66d0b --- /dev/null +++ b/queue-4.14/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch @@ -0,0 +1,36 @@ +From 7b18a6ac648365614f6c11c01290cebd8ea590d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:16 +0200 +Subject: nvme-loop: clear NVME_LOOP_Q_LIVE when + nvme_loop_configure_admin_queue() fails + +From: Hannes Reinecke + +[ Upstream commit 1c5f8e882a05de5c011e8c3fbeceb0d1c590eb53 ] + +When the call to nvme_enable_ctrl() in nvme_loop_configure_admin_queue() +fails the NVME_LOOP_Q_LIVE flag is not cleared. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 5f33c3a9469b..963d8de932d1 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -430,6 +430,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl) + return 0; + + out_cleanup_queue: ++ clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); + blk_cleanup_queue(ctrl->ctrl.admin_q); + out_free_tagset: + blk_mq_free_tag_set(&ctrl->admin_tag_set); +-- +2.30.2 + diff --git a/queue-4.14/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch b/queue-4.14/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch new file mode 100644 index 00000000000..d1c3d124e6c --- /dev/null +++ b/queue-4.14/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch @@ -0,0 +1,37 @@ +From b9bb0046fd9c99d7450ab8f3e3eff9899a81f35b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:15 +0200 +Subject: nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() + +From: Hannes Reinecke + +[ Upstream commit a6c144f3d2e230f2b3ac5ed8c51e0f0391556197 ] + +The queue count is increased in nvme_loop_init_io_queues(), so we +need to reset it to 1 at the end of nvme_loop_destroy_io_queues(). +Otherwise the function is not re-entrant safe, and crash will happen +during concurrent reset and remove calls. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 3388d2788fe0..5f33c3a9469b 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -322,6 +322,7 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl) + clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags); + nvmet_sq_destroy(&ctrl->queues[i].nvme_sq); + } ++ ctrl->ctrl.queue_count = 1; + } + + static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl) +-- +2.30.2 + diff --git a/queue-4.14/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch b/queue-4.14/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch new file mode 100644 index 00000000000..674ba9322a5 --- /dev/null +++ b/queue-4.14/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch @@ -0,0 +1,44 @@ +From 2fe1b1c1d57a4c5c2cbab75ce48cb7c2d608570e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 18:15:04 +0800 +Subject: rtnetlink: Fix missing error code in rtnl_bridge_notify() + +From: Jiapeng Chong + +[ Upstream commit a8db57c1d285c758adc7fb43d6e2bad2554106e1 ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'err'. + +Eliminate the follow smatch warning: + +net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code +'err'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 0168c700a201..fa3ed51f846b 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -3648,8 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) ++ if (!skb->len) { ++ err = -EINVAL; + goto errout; ++ } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-4.14/scsi-target-core-fix-warning-on-realtime-kernels.patch b/queue-4.14/scsi-target-core-fix-warning-on-realtime-kernels.patch new file mode 100644 index 00000000000..93cbf6ce320 --- /dev/null +++ b/queue-4.14/scsi-target-core-fix-warning-on-realtime-kernels.patch @@ -0,0 +1,43 @@ +From 0d0dfd51503a89287890ac3602b3a66d03a07576 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 14:13:26 +0200 +Subject: scsi: target: core: Fix warning on realtime kernels + +From: Maurizio Lombardi + +[ Upstream commit 515da6f4295c2c42b8c54572cce3d2dd1167c41e ] + +On realtime kernels, spin_lock_irq*(spinlock_t) do not disable the +interrupts, a call to irqs_disabled() will return false thus firing a +warning in __transport_wait_for_tasks(). + +Remove the warning and also replace assert_spin_locked() with +lockdep_assert_held() + +Link: https://lore.kernel.org/r/20210531121326.3649-1-mlombard@redhat.com +Reviewed-by: Bart Van Assche +Signed-off-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_transport.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index 0d0be7d8b9d6..852680e85921 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2966,9 +2966,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop, + __releases(&cmd->t_state_lock) + __acquires(&cmd->t_state_lock) + { +- +- assert_spin_locked(&cmd->t_state_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&cmd->t_state_lock); + + if (fabric_stop) + cmd->transport_state |= CMD_T_FABRIC_STOP; +-- +2.30.2 + diff --git a/queue-4.14/series b/queue-4.14/series new file mode 100644 index 00000000000..40231f3e79d --- /dev/null +++ b/queue-4.14/series @@ -0,0 +1,17 @@ +net-ieee802154-fix-null-deref-in-parse-dev-addr.patch +hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch +hid-add-bus_virtual-to-hid_connect-logging.patch +hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch +arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch +hid-gt683r-add-missing-module_device_table.patch +gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch +scsi-target-core-fix-warning-on-realtime-kernels.patch +ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch +nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch +nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch +nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch +net-ipconfig-don-t-override-command-line-hostnames-o.patch +rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch +net-x25-return-the-correct-errno-code.patch +net-return-the-correct-errno-code.patch +fib-return-the-correct-errno-code.patch