--- /dev/null
+From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Fri, 22 Oct 2021 09:12:26 +0000
+Subject: ata: sata_mv: Fix the error handling of mv_chip_id()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.
+
+mv_init_host() propagates the value returned by mv_chip_id() which in turn
+gets propagated by mv_pci_init_one() and hits local_pci_probe().
+
+During the process of driver probing, the probe function should return < 0
+for failure, otherwise, the kernel will treat value > 0 as success.
+
+Since this is a bug rather than a recoverable runtime error we should
+use dev_alert() instead of dev_err().
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_mv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -3909,8 +3909,8 @@ static int mv_chip_id(struct ata_host *h
+ break;
+
+ default:
+- dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
+- return 1;
++ dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
++ return -EINVAL;
+ }
+
+ hpriv->hp_flags = hp_flags;
--- /dev/null
+From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Mon, 25 Oct 2021 16:49:36 +0200
+Subject: nfc: port100: fix using -ERRNO as command type mask
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
+
+During probing, the driver tries to get a list (mask) of supported
+command types in port100_get_command_type_mask() function. The value
+is u64 and 0 is treated as invalid mask (no commands supported). The
+function however returns also -ERRNO as u64 which will be interpret as
+valid command mask.
+
+Return 0 on every error case of port100_get_command_type_mask(), so the
+probing will stop.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/port100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -936,11 +936,11 @@ static u64 port100_get_command_type_mask
+
+ skb = port100_alloc_skb(dev, 0);
+ if (!skb)
+- return -ENOMEM;
++ return 0;
+
+ resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
+ if (IS_ERR(resp))
+- return PTR_ERR(resp);
++ return 0;
+
+ if (resp->len < 8)
+ mask = 0;
--- /dev/null
+From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 30 Sep 2021 20:49:42 +0300
+Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.
+
+This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
+
+This patch is correct in the sense that we _should_ call device_put() in
+case of device_register() failure, but the problem in this code is more
+vast.
+
+We need to set bus->state to UNMDIOBUS_REGISTERED before calling
+device_register() to correctly release the device in mdiobus_free().
+This patch prevents us from doing it, since in case of device_register()
+failure put_device() will be called 2 times and it will cause UAF or
+something else.
+
+Also, Reported-by: tag in revered commit was wrong, since syzbot
+reported different leak in same function.
+
+Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
+Acked-by: Yanfei Xu <yanfei.xu@windriver.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -274,7 +274,6 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
+- put_device(&bus->dev);
+ return -EINVAL;
+ }
+
arm-9134-1-remove-duplicate-memcpy-definition.patch
arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
arm-8819-1-remove-p-from-ldflags.patch
+usbnet-sanity-check-for-maxpacket.patch
+usbnet-fix-error-return-code-in-usbnet_probe.patch
+ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
+nfc-port100-fix-using-errno-as-command-type-mask.patch
+revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
--- /dev/null
+From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Tue, 26 Oct 2021 20:40:15 +0800
+Subject: usbnet: fix error return code in usbnet_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.
+
+Return error code if usb_maxpacket() returns 0 in usbnet_probe()
+
+Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1732,6 +1732,7 @@ usbnet_probe (struct usb_interface *udev
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+ if (dev->maxpacket == 0) {
+ /* that is a broken device */
++ status = -ENODEV;
+ goto out4;
+ }
+
--- /dev/null
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1730,6 +1730,10 @@ usbnet_probe (struct usb_interface *udev
+ if (!dev->rx_urb_size)
+ dev->rx_urb_size = dev->hard_mtu;
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++ if (dev->maxpacket == 0) {
++ /* that is a broken device */
++ goto out4;
++ }
+
+ /* let userspace know we have a random address */
+ if (ether_addr_equal(net->dev_addr, node_id))
projects / thirdparty / kernel / stable-queue.git / commitdiff
