4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2020 13:52:42 +0000 (15:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Jun 2020 13:52:42 +0000 (15:52 +0200)
added patches:
scsi-ufs-release-clock-if-dma-map-fails.patch
slcan-fix-double-free-on-slcan_open-error-path.patch
slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch

queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch [new file with mode: 0644]
queue-4.4/series
queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch [new file with mode: 0644]
queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch [new file with mode: 0644]

diff --git a/queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch b/queue-4.4/scsi-ufs-release-clock-if-dma-map-fails.patch
new file mode 100644 (file)
index 0000000..e397ef9
--- /dev/null
@@ -0,0 +1,36 @@
+From 17c7d35f141ef6158076adf3338f115f64fcf760 Mon Sep 17 00:00:00 2001
+From: Can Guo <cang@codeaurora.org>
+Date: Thu, 5 Dec 2019 02:14:33 +0000
+Subject: scsi: ufs: Release clock if DMA map fails
+
+From: Can Guo <cang@codeaurora.org>
+
+commit 17c7d35f141ef6158076adf3338f115f64fcf760 upstream.
+
+In queuecommand path, if DMA map fails, it bails out with clock held.  In
+this case, release the clock to keep its usage paired.
+
+[mkp: applied by hand]
+
+Link: https://lore.kernel.org/r/0101016ed3d66395-1b7e7fce-b74d-42ca-a88a-4db78b795d3b-000000@us-west-2.amazonses.com
+Reviewed-by: Bean Huo <beanhuo@micron.com>
+Signed-off-by: Can Guo <cang@codeaurora.org>
+Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
+[EB: resolved cherry-pick conflict caused by newer kernels not having
+ the clear_bit_unlock() line]
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/ufs/ufshcd.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/scsi/ufs/ufshcd.c
++++ b/drivers/scsi/ufs/ufshcd.c
+@@ -1374,6 +1374,7 @@ static int ufshcd_queuecommand(struct Sc
+       ufshcd_compose_upiu(hba, lrbp);
+       err = ufshcd_map_sg(lrbp);
+       if (err) {
++              ufshcd_release(hba);
+               lrbp->cmd = NULL;
+               clear_bit_unlock(tag, &hba->lrb_in_use);
+               goto out;
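Review bot: The added `ufshcd_release(hba);` in the `if (err)` branch after `ufshcd_map_sg()` has no comment tying it to the hold it balances. That hold is taken outside the hunk, so a reader of the error path cannot see why a release belongs here. A one-line comment such as `/* drop the clock hold taken earlier in queuecommand */` would keep the pairing visible, which matters on a branch where the conflict was resolved by hand. ufshcd_queuecommand starts and ends outside the hunk.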
index 75e2544163917a651e9affc2a0cfb963432a9170..ad6856519da9df1e82f83a61204c444525eb3bc2 100644 (file)
@@ -13,3 +13,6 @@ net-ethernet-freescale-rework-quiesce-activate-for-u.patch
 net-ethernet-stmmac-enable-interface-clocks-on-probe.patch
 pppoe-only-process-padt-targeted-at-local-interfaces.patch
 mmc-fix-compilation-of-user-api.patch
+slcan-fix-double-free-on-slcan_open-error-path.patch
+slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
+scsi-ufs-release-clock-if-dma-map-fails.patch
diff --git a/queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch b/queue-4.4/slcan-fix-double-free-on-slcan_open-error-path.patch
new file mode 100644 (file)
index 0000000..3ef4ddc
--- /dev/null
@@ -0,0 +1,47 @@
+From ben@decadent.org.uk  Fri Jun  5 15:44:25 2020
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 2 Jun 2020 18:54:18 +0100
+Subject: slcan: Fix double-free on slcan_open() error path
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, Sasha Levin <sashal@kernel.org>
+Cc: yangerkun <yangerkun@huawei.com>, stable@vger.kernel.org
+Message-ID: <20200602175418.GA53769@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+Commit 9ebd796e2400 ("can: slcan: Fix use-after-free Read in
+slcan_open") was incorrectly backported to 4.4 and 4.9 stable
+branches.
+
+Since they do not have commit cf124db566e6 ("net: Fix inconsistent
+teardown and release of private netdev state."), the destructor
+function slc_free_netdev() is already responsible for calling
+free_netdev() and slcan_open() must not call both of them.
+
+yangerkun previously fixed the same bug in slip.
+
+Fixes: ce624b2089ea ("can: slcan: Fix use-after-free Read in slcan_open") # 4.4
+Fixes: f59604a80fa4 ("slcan: not call free_netdev before rtnl_unlock ...") # 4.4
+Fixes: 56635a1e6ffb ("can: slcan: Fix use-after-free Read in slcan_open") # 4.9
+Fixes: a1c9b23142ac ("slcan: not call free_netdev before rtnl_unlock ...") # 4.9
+Cc: yangerkun <yangerkun@huawei.com>
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/can/slcan.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/can/slcan.c
++++ b/drivers/net/can/slcan.c
+@@ -618,10 +618,9 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
+-      slc_free_netdev(sl->dev);
+       /* do not call free_netdev before rtnl_unlock */
+       rtnl_unlock();
+-      free_netdev(sl->dev);
++      slc_free_netdev(sl->dev);
+       return err;
+ err_exit:
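Review bot: The comment kept above `rtnl_unlock()` in `err_free_chan` still names free_netdev(), but the only free left on that path is `slc_free_netdev(sl->dev)`, so the reason for the ordering can no longer be read from the code. I would reword it to `/* slc_free_netdev() ends in free_netdev() on this branch, so it must run after rtnl_unlock() */`. Running the whole destructor after the unlock also moves anything else it does out from under RTNL. Its body is not visible here, so it is worth confirming that nothing in it relies on the lock. The same wording and the same question apply to the `sl_free_netdev(sl->dev)` call in the slip.c hunk of the next patch file; the code under both labels belongs to functions that start outside the hunks.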
diff --git a/queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch b/queue-4.4/slip-not-call-free_netdev-before-rtnl_unlock-in-slip_open.patch
new file mode 100644 (file)
index 0000000..6ef24ae
--- /dev/null
@@ -0,0 +1,35 @@
+From f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 Mon Sep 17 00:00:00 2001
+From: yangerkun <yangerkun@huawei.com>
+Date: Wed, 26 Feb 2020 11:54:35 +0800
+Subject: slip: not call free_netdev before rtnl_unlock in slip_open
+
+From: yangerkun <yangerkun@huawei.com>
+
+commit f596c87005f7b1baeb7d62d9a9e25d68c3dfae10 upstream.
+
+As the description before netdev_run_todo, we cannot call free_netdev
+before rtnl_unlock, fix it by reorder the code.
+
+Signed-off-by: yangerkun <yangerkun@huawei.com>
+Reviewed-by: Oliver Hartkopp <socketcan@hartkopp.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to <4.11: free_netdev() is called through sl_free_netdev()]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/slip/slip.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/slip/slip.c
++++ b/drivers/net/slip/slip.c
+@@ -867,7 +867,10 @@ err_free_chan:
+       sl->tty = NULL;
+       tty->disc_data = NULL;
+       clear_bit(SLF_INUSE, &sl->flags);
++      /* do not call free_netdev before rtnl_unlock */
++      rtnl_unlock();
+       sl_free_netdev(sl->dev);
++      return err;
+ err_exit:
+       rtnl_unlock();