--- /dev/null
+From 38bc1ab135db87577695816b190e7d6d8ec75879 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 28 Nov 2023 14:50:23 +0100
+Subject: dm-verity: align struct dm_verity_fec_io properly
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 38bc1ab135db87577695816b190e7d6d8ec75879 upstream.
+
+dm_verity_fec_io is placed after the end of two hash digests. If the hash
+digest has unaligned length, struct dm_verity_fec_io could be unaligned.
+
+This commit fixes the placement of struct dm_verity_fec_io, so that it's
+aligned.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Fixes: a739ff3f543a ("dm verity: add support for forward error correction")
+Signed-off-by: Mike Snitzer <snitzer@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/md/dm-verity-fec.c | 3 ++-
+ drivers/md/dm-verity.h | 6 ------
+ 2 files changed, 2 insertions(+), 7 deletions(-)
+
+--- a/drivers/md/dm-verity-fec.c
++++ b/drivers/md/dm-verity-fec.c
+@@ -28,7 +28,8 @@ bool verity_fec_is_enabled(struct dm_ver
+ */
+ static inline struct dm_verity_fec_io *fec_io(struct dm_verity_io *io)
+ {
+- return (struct dm_verity_fec_io *) verity_io_digest_end(io->v, io);
++ return (struct dm_verity_fec_io *)
++ ((char *)io + io->v->ti->per_io_data_size - sizeof(struct dm_verity_fec_io));
+ }
+
+ /*
+--- a/drivers/md/dm-verity.h
++++ b/drivers/md/dm-verity.h
+@@ -113,12 +113,6 @@ static inline u8 *verity_io_want_digest(
+ return (u8 *)(io + 1) + v->ahash_reqsize + v->digest_size;
+ }
+
+-static inline u8 *verity_io_digest_end(struct dm_verity *v,
+- struct dm_verity_io *io)
+-{
+- return verity_io_want_digest(v, io) + v->digest_size;
+-}
+-
+ extern int verity_for_bv_block(struct dm_verity *v, struct dm_verity_io *io,
+ struct bvec_iter *iter,
+ int (*process)(struct dm_verity *v,
--- /dev/null
+From 891e0eab32a57fca4d36c5162628eb0bcb1f0edf Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Wed, 29 Nov 2023 17:34:08 +0800
+Subject: firewire: core: fix possible memory leak in create_units()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 891e0eab32a57fca4d36c5162628eb0bcb1f0edf upstream.
+
+If device_register() fails, the refcount of device is not 0, the name
+allocated in dev_set_name() is leaked. To fix this by calling put_device(),
+so that it will be freed in callback function kobject_cleanup().
+
+unreferenced object 0xffff9d99035c7a90 (size 8):
+ comm "systemd-udevd", pid 168, jiffies 4294672386 (age 152.089s)
+ hex dump (first 8 bytes):
+ 66 77 30 2e 30 00 ff ff fw0.0...
+ backtrace:
+ [<00000000e1d62bac>] __kmem_cache_alloc_node+0x1e9/0x360
+ [<00000000bbeaff31>] __kmalloc_node_track_caller+0x44/0x1a0
+ [<00000000491f2fb4>] kvasprintf+0x67/0xd0
+ [<000000005b960ddc>] kobject_set_name_vargs+0x1e/0x90
+ [<00000000427ac591>] dev_set_name+0x4e/0x70
+ [<000000003b4e447d>] create_units+0xc5/0x110
+
+fw_unit_release() will be called in the error path, move fw_device_get()
+before calling device_register() to keep balanced with fw_device_put() in
+fw_unit_release().
+
+Cc: stable@vger.kernel.org
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Fixes: a1f64819fe9f ("firewire: struct device - replace bus_id with dev_name(), dev_set_name()")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/firewire/core-device.c | 11 ++++-------
+ 1 file changed, 4 insertions(+), 7 deletions(-)
+
+--- a/drivers/firewire/core-device.c
++++ b/drivers/firewire/core-device.c
+@@ -732,14 +732,11 @@ static void create_units(struct fw_devic
+ fw_unit_attributes,
+ &unit->attribute_group);
+
+- if (device_register(&unit->device) < 0)
+- goto skip_unit;
+-
+ fw_device_get(device);
+- continue;
+-
+- skip_unit:
+- kfree(unit);
++ if (device_register(&unit->device) < 0) {
++ put_device(&unit->device);
++ continue;
++ }
+ }
+ }
+
--- /dev/null
+From 4198a9b571065978632276264e01d71d68000ac5 Mon Sep 17 00:00:00 2001
+From: Maria Yu <quic_aiquny@quicinc.com>
+Date: Wed, 15 Nov 2023 18:28:24 +0800
+Subject: pinctrl: avoid reload of p state in list iteration
+
+From: Maria Yu <quic_aiquny@quicinc.com>
+
+commit 4198a9b571065978632276264e01d71d68000ac5 upstream.
+
+When in the list_for_each_entry iteration, reload of p->state->settings
+with a local setting from old_state will turn the list iteration into an
+infinite loop.
+
+The typical symptom when the issue happens, will be a printk message like:
+
+ "not freeing pin xx (xxx) as part of deactivating group xxx - it is
+already used for some other setting".
+
+This is a compiler-dependent problem, one instance occurred using Clang
+version 10.0 on the arm64 architecture with linux version 4.19.
+
+Fixes: 6e5e959dde0d ("pinctrl: API changes to support multiple states per device")
+Signed-off-by: Maria Yu <quic_aiquny@quicinc.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20231115102824.23727-1-quic_aiquny@quicinc.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -1196,17 +1196,17 @@ EXPORT_SYMBOL_GPL(pinctrl_lookup_state);
+ static int pinctrl_commit_state(struct pinctrl *p, struct pinctrl_state *state)
+ {
+ struct pinctrl_setting *setting, *setting2;
+- struct pinctrl_state *old_state = p->state;
++ struct pinctrl_state *old_state = READ_ONCE(p->state);
+ int ret;
+
+- if (p->state) {
++ if (old_state) {
+ /*
+ * For each pinmux setting in the old state, forget SW's record
+ * of mux owner for that pingroup. Any pingroups which are
+ * still owned by the new state will be re-acquired by the call
+ * to pinmux_enable_setting() in the loop below.
+ */
+- list_for_each_entry(setting, &p->state->settings, node) {
++ list_for_each_entry(setting, &old_state->settings, node) {
+ if (setting->type != PIN_MAP_TYPE_MUX_GROUP)
+ continue;
+ pinmux_disable_setting(setting);
usb-serial-option-fix-fm101r-gl-defines.patch
usb-serial-option-don-t-claim-interface-4-for-zte-mf290.patch
usb-dwc3-set-the-dma-max_seg_size.patch
+pinctrl-avoid-reload-of-p-state-in-list-iteration.patch
+firewire-core-fix-possible-memory-leak-in-create_units.patch
+dm-verity-align-struct-dm_verity_fec_io-properly.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
