From: Sasha Levin Date: Wed, 16 Jun 2021 11:58:20 +0000 (-0400) Subject: Fixes for 4.19 X-Git-Tag: v5.4.127~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=caa541ba9bc463429eb5773f4f6229182ed4796f;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.19 Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch b/queue-4.19/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch new file mode 100644 index 00000000000..3b14ad1b1cd --- /dev/null +++ b/queue-4.19/arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch @@ -0,0 +1,49 @@ +From fdc882a031a5aa006db7ab3fd0bbb252935b8cb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Apr 2021 13:15:33 +0000 +Subject: ARM: OMAP2+: Fix build warning when mmc_omap is not built + +From: Yongqiang Liu + +[ Upstream commit 040ab72ee10ea88e1883ad143b3e2b77596abc31 ] + +GCC reports the following warning with W=1: + +arch/arm/mach-omap2/board-n8x0.c:325:19: warning: +variable 'index' set but not used [-Wunused-but-set-variable] +325 | int bit, *openp, index; + | ^~~~~ + +Fix this by moving CONFIG_MMC_OMAP to cover the rest codes +in the n8x0_mmc_callback(). + +Signed-off-by: Yongqiang Liu +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/board-n8x0.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c +index 75bc18646df6..902e9df9b8bb 100644 +--- a/arch/arm/mach-omap2/board-n8x0.c ++++ b/arch/arm/mach-omap2/board-n8x0.c +@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, int slot) + + static void n8x0_mmc_callback(void *data, u8 card_mask) + { ++#ifdef CONFIG_MMC_OMAP + int bit, *openp, index; + + if (board_is_n800()) { +@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask) + else + *openp = 0; + +-#ifdef CONFIG_MMC_OMAP + omap_mmc_notify_cover_event(mmc_device, index, *openp); + #else + pr_warn("MMC: notify cover event not available\n"); +-- +2.30.2 + diff --git a/queue-4.19/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch b/queue-4.19/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch new file mode 100644 index 00000000000..ee68c1dac89 --- /dev/null +++ b/queue-4.19/ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch @@ -0,0 +1,40 @@ +From cc48b33148969e6845ebbc56791ed56dc0fc61d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 19:04:51 +0800 +Subject: ethernet: myri10ge: Fix missing error code in myri10ge_probe() + +From: Jiapeng Chong + +[ Upstream commit f336d0b93ae978f12c5e27199f828da89b91e56a ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'status'. + +Eliminate the follow smatch warning: + +drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe() +warn: missing error code 'status'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index 6789eed78ff7..3bc570c46f81 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + dev_err(&pdev->dev, + "invalid sram_size %dB or board span %ldB\n", + mgp->sram_size, mgp->board_span); ++ status = -EINVAL; + goto abort_with_ioremap; + } + memcpy_fromio(mgp->eeprom_strings, +-- +2.30.2 + diff --git a/queue-4.19/fib-return-the-correct-errno-code.patch b/queue-4.19/fib-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..2bd07f45e5a --- /dev/null +++ b/queue-4.19/fib-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From 43c4e6f8109cebf0221aa50d9755d94e69457796 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:58 +0800 +Subject: fib: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit 59607863c54e9eb3f69afc5257dfe71c38bb751e ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/fib_rules.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c +index 8916c5d9b3b3..46a13ed15c4e 100644 +--- a/net/core/fib_rules.c ++++ b/net/core/fib_rules.c +@@ -1105,7 +1105,7 @@ static void notify_rule_change(int event, struct fib_rule *rule, + { + struct net *net; + struct sk_buff *skb; +- int err = -ENOBUFS; ++ int err = -ENOMEM; + + net = ops->fro_net; + skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL); +-- +2.30.2 + diff --git a/queue-4.19/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch b/queue-4.19/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch new file mode 100644 index 00000000000..edaff01c3dc --- /dev/null +++ b/queue-4.19/gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch @@ -0,0 +1,51 @@ +From 10001c7ded7fa06692f9729e6d1c405f59a480a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 16:46:25 +0800 +Subject: gfs2: Fix use-after-free in gfs2_glock_shrink_scan + +From: Hillf Danton + +[ Upstream commit 1ab19c5de4c537ec0d9b21020395a5b5a6c059b2 ] + +The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to +remove the glock from the lru list in __gfs2_glock_put(). + +On the shrink scan path, the same flag is cleared under lru_lock but because +of cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the +put side can be made without deleting the glock from the lru list. + +Keep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to +ensure correct behavior on both sides - clear GLF_LRU after list_del under +lru_lock. + +Reported-by: syzbot +Signed-off-by: Hillf Danton +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/glock.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c +index c20d71d86812..14d11ccda868 100644 +--- a/fs/gfs2/glock.c ++++ b/fs/gfs2/glock.c +@@ -1457,6 +1457,7 @@ __acquires(&lru_lock) + while(!list_empty(list)) { + gl = list_entry(list->next, struct gfs2_glock, gl_lru); + list_del_init(&gl->gl_lru); ++ clear_bit(GLF_LRU, &gl->gl_flags); + if (!spin_trylock(&gl->gl_lockref.lock)) { + add_back_to_lru: + list_add(&gl->gl_lru, &lru_list); +@@ -1502,7 +1503,6 @@ static long gfs2_scan_glock_lru(int nr) + if (!test_bit(GLF_LOCK, &gl->gl_flags)) { + list_move(&gl->gl_lru, &dispose); + atomic_dec(&lru_count); +- clear_bit(GLF_LRU, &gl->gl_flags); + freed++; + continue; + } +-- +2.30.2 + diff --git a/queue-4.19/gfs2-prevent-direct-i-o-write-fallback-errors-from-g.patch b/queue-4.19/gfs2-prevent-direct-i-o-write-fallback-errors-from-g.patch new file mode 100644 index 00000000000..f5b55d4f805 --- /dev/null +++ b/queue-4.19/gfs2-prevent-direct-i-o-write-fallback-errors-from-g.patch @@ -0,0 +1,39 @@ +From d33ed323cb6f22ce4e1a935c6fe6cdb0bdee9561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 12:25:59 +0200 +Subject: gfs2: Prevent direct-I/O write fallback errors from getting lost + +From: Andreas Gruenbacher + +[ Upstream commit 43a511c44e58e357a687d61a20cf5ef1dc9e5a7c ] + +When a direct I/O write falls entirely and falls back to buffered I/O and the +buffered I/O fails, the write failed with return value 0 instead of the error +number reported by the buffered I/O. Fix that. + +Signed-off-by: Andreas Gruenbacher +Signed-off-by: Sasha Levin +--- + fs/gfs2/file.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c +index 143e7d518c5d..7c69486d556f 100644 +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -822,8 +822,11 @@ static ssize_t gfs2_file_write_iter(struct kiocb *iocb, struct iov_iter *from) + current->backing_dev_info = inode_to_bdi(inode); + buffered = iomap_file_buffered_write(iocb, from, &gfs2_iomap_ops); + current->backing_dev_info = NULL; +- if (unlikely(buffered <= 0)) ++ if (unlikely(buffered <= 0)) { ++ if (!ret) ++ ret = buffered; + goto out_unlock; ++ } + + /* + * We need to ensure that the page cache pages are written to +-- +2.30.2 + diff --git a/queue-4.19/hid-add-bus_virtual-to-hid_connect-logging.patch b/queue-4.19/hid-add-bus_virtual-to-hid_connect-logging.patch new file mode 100644 index 00000000000..2041eede60c --- /dev/null +++ b/queue-4.19/hid-add-bus_virtual-to-hid_connect-logging.patch @@ -0,0 +1,36 @@ +From 2097b07c49436c1ebb8118b9b3552f049201b097 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 May 2021 17:39:38 +0100 +Subject: HID: Add BUS_VIRTUAL to hid_connect logging + +From: Mark Bolhuis + +[ Upstream commit 48e33befe61a7d407753c53d1a06fc8d6b5dab80 ] + +Add BUS_VIRTUAL to hid_connect logging since it's a valid hid bus type and it +should not print + +Signed-off-by: Mark Bolhuis +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-core.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 9b66eb1d42c2..acbbc21e6233 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1823,6 +1823,9 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask) + case BUS_I2C: + bus = "I2C"; + break; ++ case BUS_VIRTUAL: ++ bus = "VIRTUAL"; ++ break; + default: + bus = ""; + } +-- +2.30.2 + diff --git a/queue-4.19/hid-gt683r-add-missing-module_device_table.patch b/queue-4.19/hid-gt683r-add-missing-module_device_table.patch new file mode 100644 index 00000000000..9015bfe187d --- /dev/null +++ b/queue-4.19/hid-gt683r-add-missing-module_device_table.patch @@ -0,0 +1,36 @@ +From 6858df7c72632b33c0abb7c309704e9fe0d4ff36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:14:48 +0800 +Subject: HID: gt683r: add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit a4b494099ad657f1cb85436d333cf38870ee95bc ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-gt683r.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c +index a298fbd8db6b..8ca4c1baeda8 100644 +--- a/drivers/hid/hid-gt683r.c ++++ b/drivers/hid/hid-gt683r.c +@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) }, + { } + }; ++MODULE_DEVICE_TABLE(hid, gt683r_led_id); + + static void gt683r_brightness_set(struct led_classdev *led_cdev, + enum led_brightness brightness) +-- +2.30.2 + diff --git a/queue-4.19/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch b/queue-4.19/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch new file mode 100644 index 00000000000..a8852ada41a --- /dev/null +++ b/queue-4.19/hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch @@ -0,0 +1,53 @@ +From 1c7e58107151e9c9be028716edd883e8cdf39271 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Apr 2021 11:52:31 -0700 +Subject: HID: hid-sensor-hub: Return error for hid_set_field() failure + +From: Srinivas Pandruvada + +[ Upstream commit edb032033da0dc850f6e7740fa1023c73195bc89 ] + +In the function sensor_hub_set_feature(), return error when hid_set_field() +fails. + +Signed-off-by: Srinivas Pandruvada +Acked-by: Jonathan Cameron +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-hub.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index 21fbdcde1faa..ef62f36ebcf9 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + buffer_size = buffer_size / sizeof(__s32); + if (buffer_size) { + for (i = 0; i < buffer_size; ++i) { +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(*buf32)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(*buf32)); ++ if (ret) ++ goto done_proc; ++ + ++buf32; + } + } + if (remaining_bytes) { + value = 0; + memcpy(&value, (u8 *)buf32, remaining_bytes); +- hid_set_field(report->field[field_index], i, +- (__force __s32)cpu_to_le32(value)); ++ ret = hid_set_field(report->field[field_index], i, ++ (__force __s32)cpu_to_le32(value)); ++ if (ret) ++ goto done_proc; + } + hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT); + hid_hw_wait(hsdev->hdev); +-- +2.30.2 + diff --git a/queue-4.19/hid-quirks-set-increment_usage_on_duplicate-for-sait.patch b/queue-4.19/hid-quirks-set-increment_usage_on_duplicate-for-sait.patch new file mode 100644 index 00000000000..4338ec95c3a --- /dev/null +++ b/queue-4.19/hid-quirks-set-increment_usage_on_duplicate-for-sait.patch @@ -0,0 +1,51 @@ +From ccbce1c5fb340fa307fc03c296e2098da4486883 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Mar 2021 09:10:02 -0700 +Subject: HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 + +From: Nirenjan Krishnan + +[ Upstream commit 25bdbfbb2d8331a67824dd03d0087e9c98835f3a ] + +The Saitek X65 joystick has a pair of axes that were used as mouse +pointer controls by the Windows driver. The corresponding usage page is +the Game Controls page, which is not recognized by the generic HID +driver, and therefore, both axes get mapped to ABS_MISC. The quirk makes +the second axis get mapped to ABS_MISC+1, and therefore made available +separately. + +Signed-off-by: Nirenjan Krishnan +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-quirks.c | 1 + + 2 files changed, 2 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 75342f3dfb86..ee5dce862a21 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -999,6 +999,7 @@ + #define USB_DEVICE_ID_SAITEK_X52 0x075c + #define USB_DEVICE_ID_SAITEK_X52_2 0x0255 + #define USB_DEVICE_ID_SAITEK_X52_PRO 0x0762 ++#define USB_DEVICE_ID_SAITEK_X65 0x0b6a + + #define USB_VENDOR_ID_SAMSUNG 0x0419 + #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001 +diff --git a/drivers/hid/hid-quirks.c b/drivers/hid/hid-quirks.c +index 8fbe7b9cd84a..48e9761d4ace 100644 +--- a/drivers/hid/hid-quirks.c ++++ b/drivers/hid/hid-quirks.c +@@ -155,6 +155,7 @@ static const struct hid_device_id hid_quirks[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52_2), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X52_PRO), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_SAITEK, USB_DEVICE_ID_SAITEK_X65), HID_QUIRK_INCREMENT_USAGE_ON_DUPLICATE }, + { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD2), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SEMICO, USB_DEVICE_ID_SEMICO_USB_KEYKOARD), HID_QUIRK_NO_INIT_REPORTS }, + { HID_USB_DEVICE(USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB), HID_QUIRK_NOGET }, +-- +2.30.2 + diff --git a/queue-4.19/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch b/queue-4.19/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch new file mode 100644 index 00000000000..c350e926918 --- /dev/null +++ b/queue-4.19/hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch @@ -0,0 +1,59 @@ +From 4f775fdef4ce7f973c98dae3537ae3c8c1c8b0ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 25 Apr 2021 23:03:53 +0530 +Subject: HID: usbhid: fix info leak in hid_submit_ctrl + +From: Anirudh Rayabharam + +[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ] + +In hid_submit_ctrl(), the way of calculating the report length doesn't +take into account that report->size can be zero. When running the +syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to +calculate transfer_buffer_length as 16384. When this urb is passed to +the usb core layer, KMSAN reports an info leak of 16384 bytes. + +To fix this, first modify hid_report_len() to account for the zero +report size case by using DIV_ROUND_UP for the division. Then, call it +from hid_submit_ctrl(). + +Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com +Signed-off-by: Anirudh Rayabharam +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/usbhid/hid-core.c | 2 +- + include/linux/hid.h | 3 +-- + 2 files changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c +index 1e6f8b0d00fb..6b6db57b49d6 100644 +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -377,7 +377,7 @@ static int hid_submit_ctrl(struct hid_device *hid) + raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report; + dir = usbhid->ctrl[usbhid->ctrltail].dir; + +- len = ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ len = hid_report_len(report); + if (dir == USB_DIR_OUT) { + usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0); + usbhid->urbctrl->transfer_buffer_length = len; +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 4dcce83ca378..c833948aade0 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -1151,8 +1151,7 @@ static inline void hid_hw_wait(struct hid_device *hdev) + */ + static inline u32 hid_report_len(struct hid_report *report) + { +- /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */ +- return ((report->size - 1) >> 3) + 1 + (report->id > 0); ++ return DIV_ROUND_UP(report->size, 8) + (report->id > 0); + } + + int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size, +-- +2.30.2 + diff --git a/queue-4.19/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch b/queue-4.19/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch new file mode 100644 index 00000000000..f958df89ecf --- /dev/null +++ b/queue-4.19/net-ieee802154-fix-null-deref-in-parse-dev-addr.patch @@ -0,0 +1,53 @@ +From 9fbcce7ae08290e2dabc26c452beb22342a08f95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 00:02:13 -0400 +Subject: net: ieee802154: fix null deref in parse dev addr + +From: Dan Robertson + +[ Upstream commit 9fdd04918a452980631ecc499317881c1d120b70 ] + +Fix a logic error that could result in a null deref if the user sets +the mode incorrectly for the given addr type. + +Signed-off-by: Dan Robertson +Acked-by: Alexander Aring +Link: https://lore.kernel.org/r/20210423040214.15438-2-dan@dlrobertson.com +Signed-off-by: Stefan Schmidt +Signed-off-by: Sasha Levin +--- + net/ieee802154/nl802154.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c +index b1c55db73764..6d4c71a52b6b 100644 +--- a/net/ieee802154/nl802154.c ++++ b/net/ieee802154/nl802154.c +@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla, + nl802154_dev_addr_policy, NULL)) + return -EINVAL; + +- if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || +- !attrs[NL802154_DEV_ADDR_ATTR_MODE] || +- !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] || +- attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])) ++ if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || !attrs[NL802154_DEV_ADDR_ATTR_MODE]) + return -EINVAL; + + addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]); + addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]); + switch (addr->mode) { + case NL802154_DEV_ADDR_SHORT: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT]) ++ return -EINVAL; + addr->short_addr = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]); + break; + case NL802154_DEV_ADDR_EXTENDED: ++ if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]) ++ return -EINVAL; + addr->extended_addr = nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]); + break; + default: +-- +2.30.2 + diff --git a/queue-4.19/net-ipconfig-don-t-override-command-line-hostnames-o.patch b/queue-4.19/net-ipconfig-don-t-override-command-line-hostnames-o.patch new file mode 100644 index 00000000000..3d82a6607a9 --- /dev/null +++ b/queue-4.19/net-ipconfig-don-t-override-command-line-hostnames-o.patch @@ -0,0 +1,62 @@ +From e07db88e092b3d5f42b24e7004821cfad9ab6160 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 18:38:41 -0700 +Subject: net: ipconfig: Don't override command-line hostnames or domains + +From: Josh Triplett + +[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ] + +If the user specifies a hostname or domain name as part of the ip= +command-line option, preserve it and don't overwrite it with one +supplied by DHCP/BOOTP. + +For instance, ip=::::myhostname::dhcp will use "myhostname" rather than +ignoring and overwriting it. + +Fix the comment on ic_bootp_string that suggests it only copies a string +"if not already set"; it doesn't have any such logic. + +Signed-off-by: Josh Triplett +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/ipconfig.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c +index 88212615bf4c..58719b9635d9 100644 +--- a/net/ipv4/ipconfig.c ++++ b/net/ipv4/ipconfig.c +@@ -866,7 +866,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d + + + /* +- * Copy BOOTP-supplied string if not already set. ++ * Copy BOOTP-supplied string + */ + static int __init ic_bootp_string(char *dest, char *src, int len, int max) + { +@@ -915,12 +915,15 @@ static void __init ic_do_bootp_ext(u8 *ext) + } + break; + case 12: /* Host name */ +- ic_bootp_string(utsname()->nodename, ext+1, *ext, +- __NEW_UTS_LEN); +- ic_host_name_set = 1; ++ if (!ic_host_name_set) { ++ ic_bootp_string(utsname()->nodename, ext+1, *ext, ++ __NEW_UTS_LEN); ++ ic_host_name_set = 1; ++ } + break; + case 15: /* Domain name (DNS) */ +- ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); ++ if (!ic_domain[0]) ++ ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain)); + break; + case 17: /* Root path */ + if (!root_server_path[0]) +-- +2.30.2 + diff --git a/queue-4.19/net-return-the-correct-errno-code.patch b/queue-4.19/net-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..2fa6392db5e --- /dev/null +++ b/queue-4.19/net-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From a52f5fdcf4a5a655f64b4ae0a8e945c701105e18 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:40 +0800 +Subject: net: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit 49251cd00228a3c983651f6bb2f33f6a0b8f152e ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/compat.c b/net/compat.c +index 2a8c7cb5f06a..2778a236e091 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk, + if (kcmlen > stackbuf_size) + kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL); + if (kcmsg == NULL) +- return -ENOBUFS; ++ return -ENOMEM; + + /* Now copy them over neatly. */ + memset(kcmsg, 0, kcmlen); +-- +2.30.2 + diff --git a/queue-4.19/net-x25-return-the-correct-errno-code.patch b/queue-4.19/net-x25-return-the-correct-errno-code.patch new file mode 100644 index 00000000000..9407c38934d --- /dev/null +++ b/queue-4.19/net-x25-return-the-correct-errno-code.patch @@ -0,0 +1,34 @@ +From a1988c8e4588271ea072d130d824bcf22c187f15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 22:06:30 +0800 +Subject: net/x25: Return the correct errno code + +From: Zheng Yongjun + +[ Upstream commit d7736958668c4facc15f421e622ffd718f5be80a ] + +When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF. + +Signed-off-by: Zheng Yongjun +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/x25/af_x25.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index f43d037ea852..f87002792836 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -551,7 +551,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol, + if (protocol) + goto out; + +- rc = -ENOBUFS; ++ rc = -ENOMEM; + if ((sk = x25_alloc_socket(net, kern)) == NULL) + goto out; + +-- +2.30.2 + diff --git a/queue-4.19/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch b/queue-4.19/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch new file mode 100644 index 00000000000..136102d8515 --- /dev/null +++ b/queue-4.19/nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch @@ -0,0 +1,39 @@ +From 093ab4363f562833457ea6bd7900153794a0fce5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:17 +0200 +Subject: nvme-loop: check for NVME_LOOP_Q_LIVE in + nvme_loop_destroy_admin_queue() + +From: Hannes Reinecke + +[ Upstream commit 4237de2f73a669e4f89ac0aa2b44fb1a1d9ec583 ] + +We need to check the NVME_LOOP_Q_LIVE flag in +nvme_loop_destroy_admin_queue() to protect against duplicate +invocations eg during concurrent reset and remove calls. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index dba0b0145f48..08b52f3ed0c3 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -274,7 +274,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = { + + static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl) + { +- clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); ++ if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags)) ++ return; + nvmet_sq_destroy(&ctrl->queues[0].nvme_sq); + blk_cleanup_queue(ctrl->ctrl.admin_q); + blk_mq_free_tag_set(&ctrl->admin_tag_set); +-- +2.30.2 + diff --git a/queue-4.19/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch b/queue-4.19/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch new file mode 100644 index 00000000000..f062f68eb68 --- /dev/null +++ b/queue-4.19/nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch @@ -0,0 +1,36 @@ +From 4c38307aff30129a8c4e6e0b022f0aa956a917ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:16 +0200 +Subject: nvme-loop: clear NVME_LOOP_Q_LIVE when + nvme_loop_configure_admin_queue() fails + +From: Hannes Reinecke + +[ Upstream commit 1c5f8e882a05de5c011e8c3fbeceb0d1c590eb53 ] + +When the call to nvme_enable_ctrl() in nvme_loop_configure_admin_queue() +fails the NVME_LOOP_Q_LIVE flag is not cleared. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 7b6e44ed299a..dba0b0145f48 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -418,6 +418,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl) + return 0; + + out_cleanup_queue: ++ clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags); + blk_cleanup_queue(ctrl->ctrl.admin_q); + out_free_tagset: + blk_mq_free_tag_set(&ctrl->admin_tag_set); +-- +2.30.2 + diff --git a/queue-4.19/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch b/queue-4.19/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch new file mode 100644 index 00000000000..c5f379d5cdd --- /dev/null +++ b/queue-4.19/nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch @@ -0,0 +1,37 @@ +From 256e4e35d3281ebeb462222b73211cfab81ac906 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:23:15 +0200 +Subject: nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() + +From: Hannes Reinecke + +[ Upstream commit a6c144f3d2e230f2b3ac5ed8c51e0f0391556197 ] + +The queue count is increased in nvme_loop_init_io_queues(), so we +need to reset it to 1 at the end of nvme_loop_destroy_io_queues(). +Otherwise the function is not re-entrant safe, and crash will happen +during concurrent reset and remove calls. + +Signed-off-by: Hannes Reinecke +Reviewed-by: Chaitanya Kulkarni +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + drivers/nvme/target/loop.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c +index 137a27fa369c..7b6e44ed299a 100644 +--- a/drivers/nvme/target/loop.c ++++ b/drivers/nvme/target/loop.c +@@ -309,6 +309,7 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl) + clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags); + nvmet_sq_destroy(&ctrl->queues[i].nvme_sq); + } ++ ctrl->ctrl.queue_count = 1; + } + + static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl) +-- +2.30.2 + diff --git a/queue-4.19/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch b/queue-4.19/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch new file mode 100644 index 00000000000..61a50796fb6 --- /dev/null +++ b/queue-4.19/rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch @@ -0,0 +1,44 @@ +From 0a5770da8c7f58c8bbd6da0d49e2370119937703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 18:15:04 +0800 +Subject: rtnetlink: Fix missing error code in rtnl_bridge_notify() + +From: Jiapeng Chong + +[ Upstream commit a8db57c1d285c758adc7fb43d6e2bad2554106e1 ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'err'. + +Eliminate the follow smatch warning: + +net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code +'err'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/rtnetlink.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c +index 935053ee7765..7f2dda27f9e7 100644 +--- a/net/core/rtnetlink.c ++++ b/net/core/rtnetlink.c +@@ -4102,8 +4102,10 @@ static int rtnl_bridge_notify(struct net_device *dev) + if (err < 0) + goto errout; + +- if (!skb->len) ++ if (!skb->len) { ++ err = -EINVAL; + goto errout; ++ } + + rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC); + return 0; +-- +2.30.2 + diff --git a/queue-4.19/scsi-scsi_devinfo-add-blacklist-entry-for-hpe-open-v.patch b/queue-4.19/scsi-scsi_devinfo-add-blacklist-entry-for-hpe-open-v.patch new file mode 100644 index 00000000000..baed8238f50 --- /dev/null +++ b/queue-4.19/scsi-scsi_devinfo-add-blacklist-entry-for-hpe-open-v.patch @@ -0,0 +1,34 @@ +From edddb561f00b4d7ac8c83f2f906252e385e4d490 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Jun 2021 13:52:14 -0400 +Subject: scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V + +From: Ewan D. Milne + +[ Upstream commit e57f5cd99ca60cddf40201b0f4ced9f1938e299c ] + +Apparently some arrays are now returning "HPE" as the vendor. + +Link: https://lore.kernel.org/r/20210601175214.25719-1-emilne@redhat.com +Signed-off-by: Ewan D. Milne +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/scsi_devinfo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index a08ff3bd6310..6a2a413cc97e 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -184,6 +184,7 @@ static struct { + {"HP", "C3323-300", "4269", BLIST_NOTQ}, + {"HP", "C5713A", NULL, BLIST_NOREPORTLUN}, + {"HP", "DISK-SUBSYSTEM", "*", BLIST_REPORTLUN2}, ++ {"HPE", "OPEN-", "*", BLIST_REPORTLUN2 | BLIST_TRY_VPD_PAGES}, + {"IBM", "AuSaV1S2", NULL, BLIST_FORCELUN}, + {"IBM", "ProFibre 4000R", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"IBM", "2105", NULL, BLIST_RETRY_HWERROR}, +-- +2.30.2 + diff --git a/queue-4.19/scsi-target-core-fix-warning-on-realtime-kernels.patch b/queue-4.19/scsi-target-core-fix-warning-on-realtime-kernels.patch new file mode 100644 index 00000000000..5185e939c70 --- /dev/null +++ b/queue-4.19/scsi-target-core-fix-warning-on-realtime-kernels.patch @@ -0,0 +1,43 @@ +From 433f1360ef6deff770f295d27ddc0b9f95cf20e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 14:13:26 +0200 +Subject: scsi: target: core: Fix warning on realtime kernels + +From: Maurizio Lombardi + +[ Upstream commit 515da6f4295c2c42b8c54572cce3d2dd1167c41e ] + +On realtime kernels, spin_lock_irq*(spinlock_t) do not disable the +interrupts, a call to irqs_disabled() will return false thus firing a +warning in __transport_wait_for_tasks(). + +Remove the warning and also replace assert_spin_locked() with +lockdep_assert_held() + +Link: https://lore.kernel.org/r/20210531121326.3649-1-mlombard@redhat.com +Reviewed-by: Bart Van Assche +Signed-off-by: Maurizio Lombardi +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/target/target_core_transport.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c +index bdada97cd4fe..9c60a090cfd1 100644 +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -2982,9 +2982,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop, + __releases(&cmd->t_state_lock) + __acquires(&cmd->t_state_lock) + { +- +- assert_spin_locked(&cmd->t_state_lock); +- WARN_ON_ONCE(!irqs_disabled()); ++ lockdep_assert_held(&cmd->t_state_lock); + + if (fabric_stop) + cmd->transport_state |= CMD_T_FABRIC_STOP; +-- +2.30.2 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..eaecec99f28 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1,20 @@ +net-ieee802154-fix-null-deref-in-parse-dev-addr.patch +hid-quirks-set-increment_usage_on_duplicate-for-sait.patch +hid-hid-sensor-hub-return-error-for-hid_set_field-fa.patch +hid-add-bus_virtual-to-hid_connect-logging.patch +hid-usbhid-fix-info-leak-in-hid_submit_ctrl.patch +arm-omap2-fix-build-warning-when-mmc_omap-is-not-bui.patch +gfs2-prevent-direct-i-o-write-fallback-errors-from-g.patch +hid-gt683r-add-missing-module_device_table.patch +gfs2-fix-use-after-free-in-gfs2_glock_shrink_scan.patch +scsi-target-core-fix-warning-on-realtime-kernels.patch +ethernet-myri10ge-fix-missing-error-code-in-myri10ge.patch +scsi-scsi_devinfo-add-blacklist-entry-for-hpe-open-v.patch +nvme-loop-reset-queue-count-to-1-in-nvme_loop_destro.patch +nvme-loop-clear-nvme_loop_q_live-when-nvme_loop_conf.patch +nvme-loop-check-for-nvme_loop_q_live-in-nvme_loop_de.patch +net-ipconfig-don-t-override-command-line-hostnames-o.patch +rtnetlink-fix-missing-error-code-in-rtnl_bridge_noti.patch +net-x25-return-the-correct-errno-code.patch +net-return-the-correct-errno-code.patch +fib-return-the-correct-errno-code.patch