From 4715cfbd230d425c5145542bac45d8249979f676 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 15 Aug 2022 17:35:47 +0200
Subject: [PATCH] 4.9-stable patches

added patches:
	bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
	nios2-time-read-timer-in-get_cycles-only-if-initialized.patch
---
 ...-l2cap_global_chan_by_psm-regression.patch | 56 +++++++++++++++++++
 ...er-in-get_cycles-only-if-initialized.patch | 47 ++++++++++++++++
 queue-4.9/series                              |  2 +
 3 files changed, 105 insertions(+)
 create mode 100644 queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
 create mode 100644 queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch

diff --git a/queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch b/queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
new file mode 100644
index 00000000000..a6e315f907c
--- /dev/null
+++ b/queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
@@ -0,0 +1,56 @@
+From 332f1795ca202489c665a75e62e18ff6284de077 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 1 Aug 2022 13:52:07 -0700
+Subject: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 332f1795ca202489c665a75e62e18ff6284de077 upstream.
+
+The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
+by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
+static checker warning:
+
+        net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
+        error: we previously assumed 'c' could be null (see line 1996)
+
+Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1804,11 +1804,11 @@ static struct l2cap_chan *l2cap_global_c
+ 						   bdaddr_t *dst,
+ 						   u8 link_type)
+ {
+-	struct l2cap_chan *c, *c1 = NULL;
++	struct l2cap_chan *c, *tmp, *c1 = NULL;
+ 
+ 	read_lock(&chan_list_lock);
+ 
+-	list_for_each_entry(c, &chan_list, global_l) {
++	list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
+ 		if (state && c->state != state)
+ 			continue;
+ 
+@@ -1827,11 +1827,10 @@ static struct l2cap_chan *l2cap_global_c
+ 			dst_match = !bacmp(&c->dst, dst);
+ 			if (src_match && dst_match) {
+ 				c = l2cap_chan_hold_unless_zero(c);
+-				if (!c)
+-					continue;
+-
+-				read_unlock(&chan_list_lock);
+-				return c;
++				if (c) {
++					read_unlock(&chan_list_lock);
++					return c;
++				}
+ 			}
+ 
+ 			/* Closest match */
diff --git a/queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch b/queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch
new file mode 100644
index 00000000000..44c10981eab
--- /dev/null
+++ b/queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch
@@ -0,0 +1,47 @@
+From 65d1e3ddeae117f6a224535e10a09145f0f96508 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 11 Sep 2017 20:45:26 -0700
+Subject: nios2: time: Read timer in get_cycles only if initialized
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 65d1e3ddeae117f6a224535e10a09145f0f96508 upstream.
+
+Mainline crashes as follows when running nios2 images.
+
+On node 0 totalpages: 65536
+free_area_init_node: node 0, pgdat c8408fa0, node_mem_map c8726000
+  Normal zone: 512 pages used for memmap
+  Normal zone: 0 pages reserved
+  Normal zone: 65536 pages, LIFO batch:15
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ea = c8003cb0, ra = c81cbf40, cause = 15
+Kernel panic - not syncing: Oops
+
+Problem is seen because get_cycles() is called before the timer it depends
+on is initialized. Returning 0 in that situation fixes the problem.
+
+Fixes: 33d72f3822d7 ("init/main.c: extract early boot entropy from the ..")
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/kernel/time.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/nios2/kernel/time.c
++++ b/arch/nios2/kernel/time.c
+@@ -107,7 +107,10 @@ static struct nios2_clocksource nios2_cs
+ 
+ cycles_t get_cycles(void)
+ {
+-	return nios2_timer_read(&nios2_cs.cs);
++	/* Only read timer if it has been initialized */
++	if (nios2_cs.timer.base)
++		return nios2_timer_read(&nios2_cs.cs);
++	return 0;
+ }
+ EXPORT_SYMBOL(get_cycles);
+ 
diff --git a/queue-4.9/series b/queue-4.9/series
index 5182e7477f3..b7a1e4e5d9b 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -60,3 +60,5 @@ btrfs-reject-log-replay-if-there-is-unsupported-ro-compat-flag.patch
 tcp-fix-over-estimation-in-sk_forced_mem_schedule.patch
 scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
+bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
+nios2-time-read-timer-in-get_cycles-only-if-initialized.patch
-- 
2.47.3