--- /dev/null
+From 901be145a46eb79879367d853194346a549e623d Mon Sep 17 00:00:00 2001
+From: Carlos M <carlos.marr.pz@gmail.com>
+Date: Mon, 31 May 2021 22:20:26 +0200
+Subject: ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx
+
+From: Carlos M <carlos.marr.pz@gmail.com>
+
+commit 901be145a46eb79879367d853194346a549e623d upstream.
+
+For the HP Pavilion 15-CK0xx, with audio subsystem ID 0x103c:0x841c,
+adding a line in patch_realtek.c to apply the ALC269_FIXUP_HP_MUTE_LED_MIC3
+fix activates the mute key LED.
+
+Signed-off-by: Carlos M <carlos.marr.pz@gmail.com>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/20210531202026.35427-1-carlos.marr.pz@gmail.com
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -7095,6 +7095,7 @@ static const struct snd_pci_quirk alc269
+ SND_PCI_QUIRK(0x103c, 0x82bf, "HP G3 mini", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x82c0, "HP G3 mini premium", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x83b9, "HP Spectre x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
++ SND_PCI_QUIRK(0x103c, 0x841c, "HP Pavilion 15-CK0xx", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8497, "HP Envy x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+ SND_PCI_QUIRK(0x103c, 0x8736, "HP", ALC285_FIXUP_HP_GPIO_LED),
--- /dev/null
+From 9c1fe96bded935369f8340c2ac2e9e189f697d5d Mon Sep 17 00:00:00 2001
+From: Takashi Iwai <tiwai@suse.de>
+Date: Wed, 2 Jun 2021 13:38:23 +0200
+Subject: ALSA: timer: Fix master timer notification
+
+From: Takashi Iwai <tiwai@suse.de>
+
+commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream.
+
+snd_timer_notify1() calls the notification to each slave for a master
+event, but it passes a wrong event number. It should be +10 offset,
+corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with
++100 offset. Casually this was spotted by UBSAN check via syzkaller.
+
+Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com
+Reviewed-by: Jaroslav Kysela <perex@perex.cz>
+Cc: <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com
+Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de
+Signed-off-by: Takashi Iwai <tiwai@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ sound/core/timer.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/sound/core/timer.c
++++ b/sound/core/timer.c
+@@ -500,9 +500,10 @@ static void snd_timer_notify1(struct snd
+ return;
+ if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE)
+ return;
++ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */
+ list_for_each_entry(ts, &ti->slave_active_head, active_list)
+ if (ts->ccallback)
+- ts->ccallback(ts, event + 100, &tstamp, resolution);
++ ts->ccallback(ts, event, &tstamp, resolution);
+ }
+
+ /* start/continue a master timer */
--- /dev/null
+From 8967b27a6c1c19251989c7ab33c058d16e4a5f53 Mon Sep 17 00:00:00 2001
+From: Marek Vasut <marex@denx.de>
+Date: Mon, 26 Apr 2021 12:23:21 +0200
+Subject: ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators
+
+From: Marek Vasut <marex@denx.de>
+
+commit 8967b27a6c1c19251989c7ab33c058d16e4a5f53 upstream.
+
+Per schematic, both PU and SOC regulator are supplied from LTC3676 SW1
+via VDDSOC_IN rail, add the PU input. Both VDD1P1, VDD2P5 are supplied
+from LTC3676 SW2 via VDDHIGH_IN rail, add both inputs.
+
+While no instability or problems are currently observed, the regulators
+should be fully described in DT and that description should fully match
+the hardware, else this might lead to unforseen issues later. Fix this.
+
+Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2")
+Reviewed-by: Fabio Estevam <festevam@gmail.com>
+Signed-off-by: Marek Vasut <marex@denx.de>
+Cc: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Cc: Fabio Estevam <festevam@gmail.com>
+Cc: Ludwig Zenz <lzenz@dh-electronics.com>
+Cc: NXP Linux Team <linux-imx@nxp.com>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Cc: stable@vger.kernel.org
+Reviewed-by: Christoph Niedermaier <cniedermaier@dh-electronics.com>
+Signed-off-by: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/arm/boot/dts/imx6q-dhcom-som.dtsi | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
++++ b/arch/arm/boot/dts/imx6q-dhcom-som.dtsi
+@@ -407,6 +407,18 @@
+ vin-supply = <&sw1_reg>;
+ };
+
++®_pu {
++ vin-supply = <&sw1_reg>;
++};
++
++®_vdd1p1 {
++ vin-supply = <&sw2_reg>;
++};
++
++®_vdd2p5 {
++ vin-supply = <&sw2_reg>;
++};
++
+ &uart1 {
+ pinctrl-names = "default";
+ pinctrl-0 = <&pinctrl_uart1>;
--- /dev/null
+From 082cd4ec240b8734a82a89ffb890216ac98fec68 Mon Sep 17 00:00:00 2001
+From: Ye Bin <yebin10@huawei.com>
+Date: Thu, 6 May 2021 22:10:42 +0800
+Subject: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed
+
+From: Ye Bin <yebin10@huawei.com>
+
+commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream.
+
+We got follow bug_on when run fsstress with injecting IO fault:
+[130747.323114] kernel BUG at fs/ext4/extents_status.c:762!
+[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP
+......
+[130747.334329] Call trace:
+[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4]
+[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4]
+[130747.335368] ext4_find_extent+0x300/0x330 [ext4]
+[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4]
+[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4]
+[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4]
+[130747.336995] ext4_readpage+0x54/0x100 [ext4]
+[130747.337359] generic_file_buffered_read+0x410/0xae8
+[130747.337767] generic_file_read_iter+0x114/0x190
+[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4]
+[130747.338556] __vfs_read+0x11c/0x188
+[130747.338851] vfs_read+0x94/0x150
+[130747.339110] ksys_read+0x74/0xf0
+
+This patch's modification is according to Jan Kara's suggestion in:
+https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/
+"I see. Now I understand your patch. Honestly, seeing how fragile is trying
+to fix extent tree after split has failed in the middle, I would probably
+go even further and make sure we fix the tree properly in case of ENOSPC
+and EDQUOT (those are easily user triggerable). Anything else indicates a
+HW problem or fs corruption so I'd rather leave the extent tree as is and
+don't try to fix it (which also means we will not create overlapping
+extents)."
+
+Cc: stable@kernel.org
+Signed-off-by: Ye Bin <yebin10@huawei.com>
+Reviewed-by: Jan Kara <jack@suse.cz>
+Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/extents.c | 43 +++++++++++++++++++++++--------------------
+ 1 file changed, 23 insertions(+), 20 deletions(-)
+
+--- a/fs/ext4/extents.c
++++ b/fs/ext4/extents.c
+@@ -3263,7 +3263,10 @@ static int ext4_split_extent_at(handle_t
+ ext4_ext_mark_unwritten(ex2);
+
+ err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags);
+- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) {
++ if (err != -ENOSPC && err != -EDQUOT)
++ goto out;
++
++ if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
+ if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
+ if (split_flag & EXT4_EXT_DATA_VALID1) {
+ err = ext4_ext_zeroout(inode, ex2);
+@@ -3289,30 +3292,30 @@ static int ext4_split_extent_at(handle_t
+ ext4_ext_pblock(&orig_ex));
+ }
+
+- if (err)
+- goto fix_extent_len;
+- /* update the extent length and mark as initialized */
+- ex->ee_len = cpu_to_le16(ee_len);
+- ext4_ext_try_to_merge(handle, inode, path, ex);
+- err = ext4_ext_dirty(handle, inode, path + path->p_depth);
+- if (err)
+- goto fix_extent_len;
+-
+- /* update extent status tree */
+- err = ext4_zeroout_es(inode, &zero_ex);
+-
+- goto out;
+- } else if (err)
+- goto fix_extent_len;
+-
+-out:
+- ext4_ext_show_leaf(inode, path);
+- return err;
++ if (!err) {
++ /* update the extent length and mark as initialized */
++ ex->ee_len = cpu_to_le16(ee_len);
++ ext4_ext_try_to_merge(handle, inode, path, ex);
++ err = ext4_ext_dirty(handle, inode, path + path->p_depth);
++ if (!err)
++ /* update extent status tree */
++ err = ext4_zeroout_es(inode, &zero_ex);
++ /* If we failed at this point, we don't know in which
++ * state the extent tree exactly is so don't try to fix
++ * length of the original extent as it may do even more
++ * damage.
++ */
++ goto out;
++ }
++ }
+
+ fix_extent_len:
+ ex->ee_len = orig_ex.ee_len;
+ ext4_ext_dirty(handle, inode, path + path->p_depth);
+ return err;
++out:
++ ext4_ext_show_leaf(inode, path);
++ return err;
+ }
+
+ /*
--- /dev/null
+From a2353e3b26012ff43bcdf81d37a3eaddd7ecdbf3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Ahelenia=20Ziemia=C5=84ska?=
+ <nabijaczleweli@nabijaczleweli.xyz>
+Date: Mon, 8 Mar 2021 18:42:03 +0100
+Subject: HID: multitouch: require Finger field to mark Win8 reports as MT
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
+
+commit a2353e3b26012ff43bcdf81d37a3eaddd7ecdbf3 upstream.
+
+This effectively changes collection_is_mt from
+ contact ID in report->field
+to
+ (device is Win8 => collection is finger) && contact ID in report->field
+
+Some devices erroneously report Pen for fingers, and Win8 stylus-on-touchscreen
+devices report contact ID, but mark the accompanying touchscreen device's
+collection correctly
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Ahelenia Ziemiańska <nabijaczleweli@nabijaczleweli.xyz>
+Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
+Signed-off-by: Jiri Kosina <jkosina@suse.cz>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hid/hid-multitouch.c | 10 +++++++---
+ 1 file changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/hid/hid-multitouch.c
++++ b/drivers/hid/hid-multitouch.c
+@@ -588,9 +588,13 @@ static struct mt_report_data *mt_allocat
+ if (!(HID_MAIN_ITEM_VARIABLE & field->flags))
+ continue;
+
+- for (n = 0; n < field->report_count; n++) {
+- if (field->usage[n].hid == HID_DG_CONTACTID)
+- rdata->is_mt_collection = true;
++ if (field->logical == HID_DG_FINGER || td->hdev->group != HID_GROUP_MULTITOUCH_WIN_8) {
++ for (n = 0; n < field->report_count; n++) {
++ if (field->usage[n].hid == HID_DG_CONTACTID) {
++ rdata->is_mt_collection = true;
++ break;
++ }
++ }
+ }
+ }
+
--- /dev/null
+From a2805dca5107d5603f4bbc027e81e20d93476e96 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:38:51 +0300
+Subject: net: caif: add proper error handling
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream.
+
+caif_enroll_dev() can fail in some cases. Ingnoring
+these cases can lead to memory leak due to not assigning
+link_support pointer to anywhere.
+
+Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/caif/caif_dev.h | 2 +-
+ include/net/caif/cfcnfg.h | 2 +-
+ net/caif/caif_dev.c | 8 +++++---
+ net/caif/cfcnfg.c | 16 +++++++++++-----
+ 4 files changed, 18 insertions(+), 10 deletions(-)
+
+--- a/include/net/caif/caif_dev.h
++++ b/include/net/caif/caif_dev.h
+@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad
+ * The link_support layer is used to add any Link Layer specific
+ * framing.
+ */
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+ struct cflayer *link_support, int head_room,
+ struct cflayer **layer, int (**rcv_func)(
+ struct sk_buff *, struct net_device *,
+--- a/include/net/caif/cfcnfg.h
++++ b/include/net/caif/cfcnfg.h
+@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg);
+ * @fcs: Specify if checksum is used in CAIF Framing Layer.
+ * @head_room: Head space needed by link specific protocol.
+ */
+-void
++int
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
+ struct net_device *dev, struct cflayer *phy_layer,
+ enum cfcnfg_phy_preference pref,
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_devi
+ caifd_put(caifd);
+ }
+
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev,
+ struct cflayer *link_support, int head_room,
+ struct cflayer **layer,
+ int (**rcv_func)(struct sk_buff *, struct net_device *,
+@@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device *
+ enum cfcnfg_phy_preference pref;
+ struct cfcnfg *cfg = get_cfcnfg(dev_net(dev));
+ struct caif_device_entry_list *caifdevs;
++ int res;
+
+ caifdevs = caif_device_list(dev_net(dev));
+ caifd = caif_device_alloc(dev);
+ if (!caifd)
+- return;
++ return -ENOMEM;
+ *layer = &caifd->layer;
+ spin_lock_init(&caifd->flow_lock);
+
+@@ -339,7 +340,7 @@ void caif_enroll_dev(struct net_device *
+ strlcpy(caifd->layer.name, dev->name,
+ sizeof(caifd->layer.name));
+ caifd->layer.transmit = transmit;
+- cfcnfg_add_phy_layer(cfg,
++ res = cfcnfg_add_phy_layer(cfg,
+ dev,
+ &caifd->layer,
+ pref,
+@@ -349,6 +350,7 @@ void caif_enroll_dev(struct net_device *
+ mutex_unlock(&caifdevs->lock);
+ if (rcv_func)
+ *rcv_func = receive;
++ return res;
+ }
+ EXPORT_SYMBOL(caif_enroll_dev);
+
+--- a/net/caif/cfcnfg.c
++++ b/net/caif/cfcnfg.c
+@@ -450,7 +450,7 @@ unlock:
+ rcu_read_unlock();
+ }
+
+-void
++int
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg,
+ struct net_device *dev, struct cflayer *phy_layer,
+ enum cfcnfg_phy_preference pref,
+@@ -459,7 +459,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
+ {
+ struct cflayer *frml;
+ struct cfcnfg_phyinfo *phyinfo = NULL;
+- int i;
++ int i, res = 0;
+ u8 phyid;
+
+ mutex_lock(&cnfg->lock);
+@@ -473,12 +473,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg
+ goto got_phyid;
+ }
+ pr_warn("Too many CAIF Link Layers (max 6)\n");
++ res = -EEXIST;
+ goto out;
+
+ got_phyid:
+ phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC);
+- if (!phyinfo)
++ if (!phyinfo) {
++ res = -ENOMEM;
+ goto out_err;
++ }
+
+ phy_layer->id = phyid;
+ phyinfo->pref = pref;
+@@ -492,8 +495,10 @@ got_phyid:
+
+ frml = cffrml_create(phyid, fcs);
+
+- if (!frml)
++ if (!frml) {
++ res = -ENOMEM;
+ goto out_err;
++ }
+ phyinfo->frm_layer = frml;
+ layer_set_up(frml, cnfg->mux);
+
+@@ -511,11 +516,12 @@ got_phyid:
+ list_add_rcu(&phyinfo->node, &cnfg->phys);
+ out:
+ mutex_unlock(&cnfg->lock);
+- return;
++ return res;
+
+ out_err:
+ kfree(phyinfo);
+ mutex_unlock(&cnfg->lock);
++ return res;
+ }
+ EXPORT_SYMBOL(cfcnfg_add_phy_layer);
+
--- /dev/null
+From bce130e7f392ddde8cfcb09927808ebd5f9c8669 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:38:12 +0300
+Subject: net: caif: added cfserl_release function
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream.
+
+Added cfserl_release() function.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/caif/cfserl.h | 1 +
+ net/caif/cfserl.c | 5 +++++
+ 2 files changed, 6 insertions(+)
+
+--- a/include/net/caif/cfserl.h
++++ b/include/net/caif/cfserl.h
+@@ -9,4 +9,5 @@
+ #include <net/caif/caif_layer.h>
+
+ struct cflayer *cfserl_create(int instance, bool use_stx);
++void cfserl_release(struct cflayer *layer);
+ #endif
+--- a/net/caif/cfserl.c
++++ b/net/caif/cfserl.c
+@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye
+ static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl,
+ int phyid);
+
++void cfserl_release(struct cflayer *layer)
++{
++ kfree(layer);
++}
++
+ struct cflayer *cfserl_create(int instance, bool use_stx)
+ {
+ struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC);
--- /dev/null
+From b53558a950a89824938e9811eddfc8efcd94e1bb Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:39:11 +0300
+Subject: net: caif: fix memory leak in caif_device_notify
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream.
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error
+
+Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll")
+Cc: stable@vger.kernel.org
+Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_dev.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_dev.c
++++ b/net/caif/caif_dev.c
+@@ -365,6 +365,7 @@ static int caif_device_notify(struct not
+ struct cflayer *layer, *link_support;
+ int head_room = 0;
+ struct caif_device_entry_list *caifdevs;
++ int res;
+
+ cfg = get_cfcnfg(dev_net(dev));
+ caifdevs = caif_device_list(dev_net(dev));
+@@ -390,8 +391,10 @@ static int caif_device_notify(struct not
+ break;
+ }
+ }
+- caif_enroll_dev(dev, caifdev, link_support, head_room,
++ res = caif_enroll_dev(dev, caifdev, link_support, head_room,
+ &layer, NULL);
++ if (res)
++ cfserl_release(link_support);
+ caifdev->flowctrl = dev_flowctrl;
+ break;
+
--- /dev/null
+From 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 3 Jun 2021 19:39:35 +0300
+Subject: net: caif: fix memory leak in cfusbl_device_notify
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream.
+
+In case of caif_enroll_dev() fail, allocated
+link_support won't be assigned to the corresponding
+structure. So simply free allocated pointer in case
+of error.
+
+Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/caif/caif_usb.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/net/caif/caif_usb.c
++++ b/net/caif/caif_usb.c
+@@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int
+ return (struct cflayer *) this;
+ }
+
++static void cfusbl_release(struct cflayer *layer)
++{
++ kfree(layer);
++}
++
+ static struct packet_type caif_usb_type __read_mostly = {
+ .type = cpu_to_be16(ETH_P_802_EX1),
+ };
+@@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct n
+ struct cflayer *layer, *link_support;
+ struct usbnet *usbnet;
+ struct usb_device *usbdev;
++ int res;
+
+ /* Check whether we have a NCM device, and find its VID/PID. */
+ if (!(dev->dev.parent && dev->dev.parent->driver &&
+@@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct n
+ if (dev->num_tx_queues > 1)
+ pr_warn("USB device uses more than one tx queue\n");
+
+- caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
++ res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN,
+ &layer, &caif_usb_type.func);
++ if (res)
++ goto err;
++
+ if (!pack_added)
+ dev_add_pack(&caif_usb_type);
+ pack_added = true;
+@@ -179,6 +188,9 @@ static int cfusbl_device_notify(struct n
+ strlcpy(layer->name, dev->name, sizeof(layer->name));
+
+ return 0;
++err:
++ cfusbl_release(link_support);
++ return res;
+ }
+
+ static struct notifier_block caif_device_notifier = {
--- /dev/null
+From c47cc304990a2813995b1a92bbc11d0bb9a19ea9 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Wed, 2 Jun 2021 22:26:40 +0300
+Subject: net: kcm: fix memory leak in kcm_sendmsg
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c47cc304990a2813995b1a92bbc11d0bb9a19ea9 upstream.
+
+Syzbot reported memory leak in kcm_sendmsg()[1].
+The problem was in non-freed frag_list in case of error.
+
+In the while loop:
+
+ if (head == skb)
+ skb_shinfo(head)->frag_list = tskb;
+ else
+ skb->next = tskb;
+
+frag_list filled with skbs, but nothing was freeing them.
+
+backtrace:
+ [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198
+ [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline]
+ [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1]
+ [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline]
+ [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672
+
+Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com
+Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
+Cc: stable@vger.kernel.org
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/kcm/kcmsock.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/kcm/kcmsock.c
++++ b/net/kcm/kcmsock.c
+@@ -1067,6 +1067,11 @@ out_error:
+ goto partial_message;
+ }
+
++ if (skb_has_frag_list(head)) {
++ kfree_skb_list(skb_shinfo(head)->frag_list);
++ skb_shinfo(head)->frag_list = NULL;
++ }
++
+ if (head != kcm->seq_skb)
+ kfree_skb(head);
+
tipc-fix-unique-bearer-names-sanity-check.patch
bluetooth-fix-the-erroneous-flush_work-order.patch
bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch
+net-kcm-fix-memory-leak-in-kcm_sendmsg.patch
+net-caif-added-cfserl_release-function.patch
+net-caif-add-proper-error-handling.patch
+net-caif-fix-memory-leak-in-caif_device_notify.patch
+net-caif-fix-memory-leak-in-cfusbl_device_notify.patch
+hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch
+alsa-timer-fix-master-timer-notification.patch
+alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch
+arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch
+ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
