4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Aug 2022 15:35:47 +0000 (17:35 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Aug 2022 15:35:47 +0000 (17:35 +0200)
added patches:
bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
nios2-time-read-timer-in-get_cycles-only-if-initialized.patch

queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch [new file with mode: 0644]
queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch b/queue-4.9/bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
new file mode 100644 (file)
index 0000000..a6e315f
--- /dev/null
@@ -0,0 +1,56 @@
+From 332f1795ca202489c665a75e62e18ff6284de077 Mon Sep 17 00:00:00 2001
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Date: Mon, 1 Aug 2022 13:52:07 -0700
+Subject: Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
+
+From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+
+commit 332f1795ca202489c665a75e62e18ff6284de077 upstream.
+
+The patch d0be8347c623: "Bluetooth: L2CAP: Fix use-after-free caused
+by l2cap_chan_put" from Jul 21, 2022, leads to the following Smatch
+static checker warning:
+
+        net/bluetooth/l2cap_core.c:1977 l2cap_global_chan_by_psm()
+        error: we previously assumed 'c' could be null (see line 1996)
+
+Fixes: d0be8347c623 ("Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bluetooth/l2cap_core.c |   13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -1804,11 +1804,11 @@ static struct l2cap_chan *l2cap_global_c
+                                                  bdaddr_t *dst,
+                                                  u8 link_type)
+ {
+-      struct l2cap_chan *c, *c1 = NULL;
++      struct l2cap_chan *c, *tmp, *c1 = NULL;
+       read_lock(&chan_list_lock);
+-      list_for_each_entry(c, &chan_list, global_l) {
++      list_for_each_entry_safe(c, tmp, &chan_list, global_l) {
+               if (state && c->state != state)
+                       continue;
+@@ -1827,11 +1827,10 @@ static struct l2cap_chan *l2cap_global_c
+                       dst_match = !bacmp(&c->dst, dst);
+                       if (src_match && dst_match) {
+                               c = l2cap_chan_hold_unless_zero(c);
+-                              if (!c)
+-                                      continue;
+-
+-                              read_unlock(&chan_list_lock);
+-                              return c;
++                              if (c) {
++                                      read_unlock(&chan_list_lock);
++                                      return c;
++                              }
+                       }
+                       /* Closest match */
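Review bot: When `c = l2cap_chan_hold_unless_zero(c);` returns NULL, the rewritten branch no longer leaves the loop body, so control reaches the `/* Closest match */` code on the last hunk line with `c == NULL`; l2cap_global_chan_by_psm continues outside the hunk, and if that code reads `c->src`/`c->dst` the way the exact-match block above does, it is a NULL dereference of the same kind the Smatch report describes. Assigning the result to its own variable avoids clobbering the cursor: `struct l2cap_chan *held = l2cap_chan_hold_unless_zero(c); if (held) { read_unlock(&chan_list_lock); return held; }`. That keeps `c` pointing at the list entry for the closest-match bookkeeping and no longer relies on `list_for_each_entry_safe` merely to survive a NULL cursor. Whether the closest-match path should even consider a channel whose refcount already hit zero is a separate question that the code outside the hunk decides.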
diff --git a/queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch b/queue-4.9/nios2-time-read-timer-in-get_cycles-only-if-initialized.patch
new file mode 100644 (file)
index 0000000..44c1098
--- /dev/null
@@ -0,0 +1,47 @@
+From 65d1e3ddeae117f6a224535e10a09145f0f96508 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Mon, 11 Sep 2017 20:45:26 -0700
+Subject: nios2: time: Read timer in get_cycles only if initialized
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 65d1e3ddeae117f6a224535e10a09145f0f96508 upstream.
+
+Mainline crashes as follows when running nios2 images.
+
+On node 0 totalpages: 65536
+free_area_init_node: node 0, pgdat c8408fa0, node_mem_map c8726000
+  Normal zone: 512 pages used for memmap
+  Normal zone: 0 pages reserved
+  Normal zone: 65536 pages, LIFO batch:15
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+ea = c8003cb0, ra = c81cbf40, cause = 15
+Kernel panic - not syncing: Oops
+
+Problem is seen because get_cycles() is called before the timer it depends
+on is initialized. Returning 0 in that situation fixes the problem.
+
+Fixes: 33d72f3822d7 ("init/main.c: extract early boot entropy from the ..")
+Cc: Laura Abbott <labbott@redhat.com>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Daniel Micay <danielmicay@gmail.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/kernel/time.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/nios2/kernel/time.c
++++ b/arch/nios2/kernel/time.c
+@@ -107,7 +107,10 @@ static struct nios2_clocksource nios2_cs
+ cycles_t get_cycles(void)
+ {
+-      return nios2_timer_read(&nios2_cs.cs);
++      /* Only read timer if it has been initialized */
++      if (nios2_cs.timer.base)
++              return nios2_timer_read(&nios2_cs.cs);
++      return 0;
+ }
+ EXPORT_SYMBOL(get_cycles);
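Review bot: The new guard uses `nios2_cs.timer.base` as the "initialized" sentinel, which holds because the hunk header shows `nios2_cs` is a static object and so is zero until the timer is set up, but the added comment does not say who takes this path or what they get. The Fixes tag names the early-boot entropy extraction in init/main.c, so until the timer is initialized those callers receive a constant 0 and obtain no timing entropy from get_cycles(); that is a reasonable trade against the reported NULL dereference but should be stated where the next reader will look. Suggested replacement for the added comment: `/* Before the timer is set up (e.g. early-boot entropy extraction) there is nothing to read; return a constant 0 rather than fault, so callers get no timing entropy here. */`.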
index 5182e7477f3a17ac2498797da0e1adcaa0aa2876..b7a1e4e5d9b0d642bdbbe0b7beda979a06feea41 100644 (file)
@@ -60,3 +60,5 @@ btrfs-reject-log-replay-if-there-is-unsupported-ro-compat-flag.patch
 tcp-fix-over-estimation-in-sk_forced_mem_schedule.patch
 scsi-sg-allow-waiting-for-commands-to-complete-on-removed-device.patch
 revert-net-usb-ax88179_178a-needs-flag_send_zlp.patch
+bluetooth-l2cap-fix-l2cap_global_chan_by_psm-regression.patch
+nios2-time-read-timer-in-get_cycles-only-if-initialized.patch