From 75d31369957f343bc1ca2b2f71152a02b8352b21 Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Sun, 24 Dec 2023 19:41:24 -0500
Subject: [PATCH] Fixes for 5.4

Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 ...050-fix-an-error-code-problem-in-inv.patch | 45 +++++++++++++++
 ...-keys-add-error-handling-for-devm_km.patch | 40 ++++++++++++++
 ...at-xlate-returning-null-node-as-an-e.patch | 45 +++++++++++++++
 ...fc-fix-skb-double-free-in-bnx2fc_rcv.patch | 55 +++++++++++++++++++
 queue-5.4/series                              |  4 ++
 5 files changed, 189 insertions(+)
 create mode 100644 queue-5.4/iio-imu-inv_mpu6050-fix-an-error-code-problem-in-inv.patch
 create mode 100644 queue-5.4/input-ipaq-micro-keys-add-error-handling-for-devm_km.patch
 create mode 100644 queue-5.4/interconnect-treat-xlate-returning-null-node-as-an-e.patch
 create mode 100644 queue-5.4/scsi-bnx2fc-fix-skb-double-free-in-bnx2fc_rcv.patch

diff --git a/queue-5.4/iio-imu-inv_mpu6050-fix-an-error-code-problem-in-inv.patch b/queue-5.4/iio-imu-inv_mpu6050-fix-an-error-code-problem-in-inv.patch
new file mode 100644
index 00000000000..04cab36b29f
--- /dev/null
+++ b/queue-5.4/iio-imu-inv_mpu6050-fix-an-error-code-problem-in-inv.patch
@@ -0,0 +1,45 @@
+From aa078278ee7865ee69a0dedac7c9e45973f81b4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 Oct 2023 10:02:19 +0800
+Subject: iio: imu: inv_mpu6050: fix an error code problem in
+ inv_mpu6050_read_raw
+
+From: Su Hui <suhui@nfschina.com>
+
+[ Upstream commit c3df0e29fb7788c4b3ddf37d5ed87dda2b822943 ]
+
+inv_mpu6050_sensor_show() can return -EINVAL or IIO_VAL_INT. Return the
+true value rather than only return IIO_VAL_INT.
+
+Fixes: d5098447147c ("iio: imu: mpu6050: add calibration offset support")
+Signed-off-by: Su Hui <suhui@nfschina.com>
+Link: https://lore.kernel.org/r/20231030020218.65728-1-suhui@nfschina.com
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/iio/imu/inv_mpu6050/inv_mpu_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+index 2261c6c4ac656..87de2a05c7111 100644
+--- a/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
++++ b/drivers/iio/imu/inv_mpu6050/inv_mpu_core.c
+@@ -501,13 +501,13 @@ inv_mpu6050_read_raw(struct iio_dev *indio_dev,
+ 			ret = inv_mpu6050_sensor_show(st, st->reg->gyro_offset,
+ 						chan->channel2, val);
+ 			mutex_unlock(&st->lock);
+-			return IIO_VAL_INT;
++			return ret;
+ 		case IIO_ACCEL:
+ 			mutex_lock(&st->lock);
+ 			ret = inv_mpu6050_sensor_show(st, st->reg->accl_offset,
+ 						chan->channel2, val);
+ 			mutex_unlock(&st->lock);
+-			return IIO_VAL_INT;
++			return ret;
+ 
+ 		default:
+ 			return -EINVAL;
+-- 
+2.43.0
+
diff --git a/queue-5.4/input-ipaq-micro-keys-add-error-handling-for-devm_km.patch b/queue-5.4/input-ipaq-micro-keys-add-error-handling-for-devm_km.patch
new file mode 100644
index 00000000000..518df32bbdb
--- /dev/null
+++ b/queue-5.4/input-ipaq-micro-keys-add-error-handling-for-devm_km.patch
@@ -0,0 +1,40 @@
+From a0e3bf574fff730e1a2d31c81bc8fb4117305195 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 3 Dec 2023 19:00:23 +0000
+Subject: Input: ipaq-micro-keys - add error handling for devm_kmemdup
+
+From: Haoran Liu <liuhaoran14@163.com>
+
+[ Upstream commit 59b6a747e2d39227ac2325c5e29d6ab3bb070c2a ]
+
+Check the return value of i2c_add_adapter. Static analysis revealed that
+the function did not properly handle potential failures of
+i2c_add_adapter, which could lead to partial initialization of the I2C
+adapter and unstable operation.
+
+Signed-off-by: Haoran Liu <liuhaoran14@163.com>
+Link: https://lore.kernel.org/r/20231203164653.38983-1-liuhaoran14@163.com
+Fixes: d7535ffa427b ("Input: driver for microcontroller keys on the iPaq h3xxx")
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/input/keyboard/ipaq-micro-keys.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/input/keyboard/ipaq-micro-keys.c b/drivers/input/keyboard/ipaq-micro-keys.c
+index e3f9e445e8800..fe5a9c54ad583 100644
+--- a/drivers/input/keyboard/ipaq-micro-keys.c
++++ b/drivers/input/keyboard/ipaq-micro-keys.c
+@@ -105,6 +105,9 @@ static int micro_key_probe(struct platform_device *pdev)
+ 	keys->codes = devm_kmemdup(&pdev->dev, micro_keycodes,
+ 			   keys->input->keycodesize * keys->input->keycodemax,
+ 			   GFP_KERNEL);
++	if (!keys->codes)
++		return -ENOMEM;
++
+ 	keys->input->keycode = keys->codes;
+ 
+ 	__set_bit(EV_KEY, keys->input->evbit);
+-- 
+2.43.0
+
diff --git a/queue-5.4/interconnect-treat-xlate-returning-null-node-as-an-e.patch b/queue-5.4/interconnect-treat-xlate-returning-null-node-as-an-e.patch
new file mode 100644
index 00000000000..895dc55d7c0
--- /dev/null
+++ b/queue-5.4/interconnect-treat-xlate-returning-null-node-as-an-e.patch
@@ -0,0 +1,45 @@
+From 8914f0b3ba65461b97b9c696fe0c21e5104fc49d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 25 Oct 2023 07:58:29 -0700
+Subject: interconnect: Treat xlate() returning NULL node as an error
+
+From: Mike Tipton <quic_mdtipton@quicinc.com>
+
+[ Upstream commit ad2ab1297d0c80899125a842bb7a078abfe1e6ce ]
+
+Currently, if provider->xlate() or provider->xlate_extended()
+"successfully" return a NULL node, then of_icc_get_from_provider() won't
+consider that an error and will successfully return the NULL node. This
+bypasses error handling in of_icc_get_by_index() and leads to NULL
+dereferences in path_find().
+
+This could be avoided by ensuring provider callbacks always return an
+error for NULL nodes, but it's better to explicitly protect against this
+in the common framework.
+
+Fixes: 87e3031b6fbd ("interconnect: Allow endpoints translation via DT")
+Signed-off-by: Mike Tipton <quic_mdtipton@quicinc.com>
+Link: https://lore.kernel.org/r/20231025145829.11603-1-quic_mdtipton@quicinc.com
+Signed-off-by: Georgi Djakov <djakov@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/interconnect/core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/interconnect/core.c b/drivers/interconnect/core.c
+index be3fa1ac4261c..8f6dfa6b6e4dc 100644
+--- a/drivers/interconnect/core.c
++++ b/drivers/interconnect/core.c
+@@ -280,6 +280,9 @@ static struct icc_node *of_icc_get_from_provider(struct of_phandle_args *spec)
+ 	}
+ 	mutex_unlock(&icc_lock);
+ 
++	if (!node)
++		return ERR_PTR(-EINVAL);
++
+ 	return node;
+ }
+ 
+-- 
+2.43.0
+
diff --git a/queue-5.4/scsi-bnx2fc-fix-skb-double-free-in-bnx2fc_rcv.patch b/queue-5.4/scsi-bnx2fc-fix-skb-double-free-in-bnx2fc_rcv.patch
new file mode 100644
index 00000000000..95b48278e12
--- /dev/null
+++ b/queue-5.4/scsi-bnx2fc-fix-skb-double-free-in-bnx2fc_rcv.patch
@@ -0,0 +1,55 @@
+From ed03ece2fab95d15a57f6f2ff4b55c8a63c200a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 14 Nov 2022 11:06:26 +0000
+Subject: scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
+
+From: Wei Yongjun <weiyongjun1@huawei.com>
+
+[ Upstream commit 08c94d80b2da481652fb633e79cbc41e9e326a91 ]
+
+skb_share_check() already drops the reference to the skb when returning
+NULL. Using kfree_skb() in the error handling path leads to an skb double
+free.
+
+Fix this by removing the variable tmp_skb, and return directly when
+skb_share_check() returns NULL.
+
+Fixes: 01a4cc4d0cd6 ("bnx2fc: do not add shared skbs to the fcoe_rx_list")
+Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
+Link: https://lore.kernel.org/r/20221114110626.526643-1-weiyongjun@huaweicloud.com
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/scsi/bnx2fc/bnx2fc_fcoe.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+index 9ed109fb6b67b..3bef2ed50a07b 100644
+--- a/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
++++ b/drivers/scsi/bnx2fc/bnx2fc_fcoe.c
+@@ -430,7 +430,6 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
+ 	struct fcoe_ctlr *ctlr;
+ 	struct fcoe_rcv_info *fr;
+ 	struct fcoe_percpu_s *bg;
+-	struct sk_buff *tmp_skb;
+ 
+ 	interface = container_of(ptype, struct bnx2fc_interface,
+ 				 fcoe_packet_type);
+@@ -442,11 +441,9 @@ static int bnx2fc_rcv(struct sk_buff *skb, struct net_device *dev,
+ 		goto err;
+ 	}
+ 
+-	tmp_skb = skb_share_check(skb, GFP_ATOMIC);
+-	if (!tmp_skb)
+-		goto err;
+-
+-	skb = tmp_skb;
++	skb = skb_share_check(skb, GFP_ATOMIC);
++	if (!skb)
++		return -1;
+ 
+ 	if (unlikely(eth_hdr(skb)->h_proto != htons(ETH_P_FCOE))) {
+ 		printk(KERN_ERR PFX "bnx2fc_rcv: Wrong FC type frame\n");
+-- 
+2.43.0
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 3f75a855a62..198d8e41fd6 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -23,3 +23,7 @@ alsa-hda-hdmi-add-quirk-to-force-pin-connectivity-on.patch
 alsa-hda-hdmi-add-force-connect-quirk-for-nuc5cpyb.patch
 smb-client-fix-null-deref-in-asn1_ber_decoder.patch
 btrfs-do-not-allow-non-subvolume-root-targets-for-sn.patch
+interconnect-treat-xlate-returning-null-node-as-an-e.patch
+iio-imu-inv_mpu6050-fix-an-error-code-problem-in-inv.patch
+input-ipaq-micro-keys-add-error-handling-for-devm_km.patch
+scsi-bnx2fc-fix-skb-double-free-in-bnx2fc_rcv.patch
-- 
2.47.3