--- /dev/null
+From 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 28 Nov 2022 08:39:03 +0000
+Subject: media: dvbdev: fix build warning due to comments
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream.
+
+Previous commit that introduces reference counter does not add proper
+comments, which will lead to warning when building htmldocs. Fix them.
+
+Reported-by: "Stephen Rothwell" <sfr@canb.auug.org.au>
+Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/media/dvbdev.h | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/media/dvbdev.h
++++ b/include/media/dvbdev.h
+@@ -126,6 +126,7 @@ struct dvb_adapter {
+ * struct dvb_device - represents a DVB device node
+ *
+ * @list_head: List head with all DVB devices
++ * @ref: reference counter
+ * @fops: pointer to struct file_operations
+ * @adapter: pointer to the adapter that holds this device node
+ * @type: type of the device, as defined by &enum dvb_device_type.
+@@ -196,7 +197,7 @@ struct dvb_device {
+ struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
+
+ /**
+- * dvb_device_get - Decrease dvb_device reference
++ * dvb_device_put - Decrease dvb_device reference
+ *
+ * @dvbdev: pointer to struct dvb_device
+ */
--- /dev/null
+From 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 28 Nov 2022 16:21:59 +0000
+Subject: media: dvbdev: fix refcnt bug
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream.
+
+Previous commit initialize the dvbdev->ref before the template copy,
+which will overwrite the reference and cause refcnt bug.
+
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
+...
+RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
+RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
+RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
+FS: 0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __refcount_add include/linux/refcount.h:199 [inline]
+ __refcount_inc include/linux/refcount.h:250 [inline]
+ refcount_inc include/linux/refcount.h:267 [inline]
+ kref_get include/linux/kref.h:45 [inline]
+ dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
+ dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
+...
+
+Just place the kref_init at correct position.
+
+Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
+Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvbdev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -490,8 +490,8 @@ int dvb_register_device(struct dvb_adapt
+ return -ENOMEM;
+ }
+
+- kref_init(&dvbdev->ref);
+ memcpy(dvbdev, template, sizeof(struct dvb_device));
++ kref_init(&dvbdev->ref);
+ dvbdev->type = type;
+ dvbdev->id = id;
+ dvbdev->adapter = adap;
--- /dev/null
+From 2cb815cfc78b137ee38bcd65e7c955d6cc2cc250 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Wed, 14 Dec 2022 16:01:17 +0800
+Subject: net: stmmac: fix errno when create_singlethread_workqueue() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 2cb815cfc78b137ee38bcd65e7c955d6cc2cc250 upstream.
+
+We should set the return value to -ENOMEM explicitly when
+create_singlethread_workqueue() fails in stmmac_dvr_probe(),
+otherwise we'll lose the error value.
+
+Fixes: a137f3f27f92 ("net: stmmac: fix possible memory leak in stmmac_dvr_probe()")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221214080117.3514615-1-cuigaosheng1@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7046,6 +7046,7 @@ int stmmac_dvr_probe(struct device *devi
+ priv->wq = create_singlethread_workqueue("stmmac_wq");
+ if (!priv->wq) {
+ dev_err(priv->device, "failed to create workqueue\n");
++ ret = -ENOMEM;
+ goto error_wq_init;
+ }
+
ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
+net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch
+media-dvbdev-fix-build-warning-due-to-comments.patch
+media-dvbdev-fix-refcnt-bug.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
