--- /dev/null
+From efd6c12fcac286518d994653c0c985f535aaa60e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 1 Mar 2021 21:38:26 +0100
+Subject: media: drivers/media/usb: fix memory leak in zr364xx_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+[ Upstream commit 9c39be40c0155c43343f53e3a439290c0fec5542 ]
+
+syzbot reported memory leak in zr364xx_probe()[1].
+The problem was in invalid error handling order.
+All error conditions rigth after v4l2_ctrl_handler_init()
+must call v4l2_ctrl_handler_free().
+
+Reported-by: syzbot+efe9aefc31ae1e6f7675@syzkaller.appspotmail.com
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 13 ++++++-------
+ 1 file changed, 6 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
+index b3f01de9cf37..25f16ff6dcc7 100644
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -1436,7 +1436,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ if (hdl->error) {
+ err = hdl->error;
+ dev_err(&udev->dev, "couldn't register control\n");
+- goto unregister;
++ goto free_hdlr_and_unreg_dev;
+ }
+ /* save the init method used by this camera */
+ cam->method = id->driver_info;
+@@ -1509,7 +1509,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ if (!cam->read_endpoint) {
+ err = -ENOMEM;
+ dev_err(&intf->dev, "Could not find bulk-in endpoint\n");
+- goto unregister;
++ goto free_hdlr_and_unreg_dev;
+ }
+
+ /* v4l */
+@@ -1521,7 +1521,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ /* load zr364xx board specific */
+ err = zr364xx_board_init(cam);
+ if (err)
+- goto unregister;
++ goto free_hdlr_and_unreg_dev;
+ err = v4l2_ctrl_handler_setup(hdl);
+ if (err)
+ goto board_uninit;
+@@ -1539,7 +1539,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ err = video_register_device(&cam->vdev, VFL_TYPE_GRABBER, -1);
+ if (err) {
+ dev_err(&udev->dev, "video_register_device failed\n");
+- goto free_handler;
++ goto board_uninit;
+ }
+ cam->v4l2_dev.release = zr364xx_release;
+
+@@ -1547,11 +1547,10 @@ static int zr364xx_probe(struct usb_interface *intf,
+ video_device_node_name(&cam->vdev));
+ return 0;
+
+-free_handler:
+- v4l2_ctrl_handler_free(hdl);
+ board_uninit:
+ zr364xx_board_uninit(cam);
+-unregister:
++free_hdlr_and_unreg_dev:
++ v4l2_ctrl_handler_free(hdl);
+ v4l2_device_unregister(&cam->v4l2_dev);
+ free_cam:
+ kfree(cam);
+--
+2.30.2
+
--- /dev/null
+From f8f32b1cb35ddf80a67703cf7be0babab3133a7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 21 Jan 2021 07:44:00 +0100
+Subject: media: zr364xx: fix memory leaks in probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit ea354b6ddd6f09be29424f41fa75a3e637fea234 ]
+
+Syzbot discovered that the probe error handling doesn't clean up the
+resources allocated in zr364xx_board_init(). There are several
+related bugs in this code so I have re-written the error handling.
+
+1) Introduce a new function zr364xx_board_uninit() which cleans up
+ the resources in zr364xx_board_init().
+2) In zr364xx_board_init() if the call to zr364xx_start_readpipe()
+ fails then release the "cam->buffer.frame[i].lpvbits" memory
+ before returning. This way every function either allocates
+ everything successfully or it cleans up after itself.
+3) Re-write the probe function so that each failure path goto frees
+ the most recent allocation. That way we don't free anything
+ before it has been allocated and we can also verify that
+ everything is freed.
+4) Originally, in the probe function the "cam->v4l2_dev.release"
+ pointer was set to "zr364xx_release" near the start but I moved
+ that assignment to the end, after everything had succeeded. The
+ release function was never actually called during the probe cleanup
+ process, but with this change I wanted to make it clear that we
+ don't want to call zr364xx_release() until everything is
+ allocated successfully.
+
+Next I re-wrote the zr364xx_release() function. Ideally this would
+have been a simple matter of copy and pasting the cleanup code from
+probe and adding an additional call to video_unregister_device(). But
+there are a couple quirks to note.
+
+1) The probe function does not call videobuf_mmap_free() and I don't
+ know where the videobuf_mmap is allocated. I left the code as-is to
+ avoid introducing a bug in code I don't understand.
+2) The zr364xx_board_uninit() has a call to zr364xx_stop_readpipe()
+ which is a change from the original behavior with regards to
+ unloading the driver. Calling zr364xx_stop_readpipe() on a stopped
+ pipe is not a problem so this is safe and is potentially a bugfix.
+
+Reported-by: syzbot+b4d54814b339b5c6bbd4@syzkaller.appspotmail.com
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 49 ++++++++++++++++++-----------
+ 1 file changed, 31 insertions(+), 18 deletions(-)
+
+diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
+index 22b34690a016..b3f01de9cf37 100644
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -1187,15 +1187,11 @@ static int zr364xx_open(struct file *file)
+ return err;
+ }
+
+-static void zr364xx_release(struct v4l2_device *v4l2_dev)
++static void zr364xx_board_uninit(struct zr364xx_camera *cam)
+ {
+- struct zr364xx_camera *cam =
+- container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev);
+ unsigned long i;
+
+- v4l2_device_unregister(&cam->v4l2_dev);
+-
+- videobuf_mmap_free(&cam->vb_vidq);
++ zr364xx_stop_readpipe(cam);
+
+ /* release sys buffers */
+ for (i = 0; i < FRAMES; i++) {
+@@ -1206,9 +1202,19 @@ static void zr364xx_release(struct v4l2_device *v4l2_dev)
+ cam->buffer.frame[i].lpvbits = NULL;
+ }
+
+- v4l2_ctrl_handler_free(&cam->ctrl_handler);
+ /* release transfer buffer */
+ kfree(cam->pipe->transfer_buffer);
++}
++
++static void zr364xx_release(struct v4l2_device *v4l2_dev)
++{
++ struct zr364xx_camera *cam =
++ container_of(v4l2_dev, struct zr364xx_camera, v4l2_dev);
++
++ videobuf_mmap_free(&cam->vb_vidq);
++ v4l2_ctrl_handler_free(&cam->ctrl_handler);
++ zr364xx_board_uninit(cam);
++ v4l2_device_unregister(&cam->v4l2_dev);
+ kfree(cam);
+ }
+
+@@ -1382,11 +1388,14 @@ static int zr364xx_board_init(struct zr364xx_camera *cam)
+ /* start read pipe */
+ err = zr364xx_start_readpipe(cam);
+ if (err)
+- goto err_free;
++ goto err_free_frames;
+
+ DBG(": board initialized\n");
+ return 0;
+
++err_free_frames:
++ for (i = 0; i < FRAMES; i++)
++ vfree(cam->buffer.frame[i].lpvbits);
+ err_free:
+ kfree(cam->pipe->transfer_buffer);
+ cam->pipe->transfer_buffer = NULL;
+@@ -1415,12 +1424,10 @@ static int zr364xx_probe(struct usb_interface *intf,
+ if (!cam)
+ return -ENOMEM;
+
+- cam->v4l2_dev.release = zr364xx_release;
+ err = v4l2_device_register(&intf->dev, &cam->v4l2_dev);
+ if (err < 0) {
+ dev_err(&udev->dev, "couldn't register v4l2_device\n");
+- kfree(cam);
+- return err;
++ goto free_cam;
+ }
+ hdl = &cam->ctrl_handler;
+ v4l2_ctrl_handler_init(hdl, 1);
+@@ -1429,7 +1436,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ if (hdl->error) {
+ err = hdl->error;
+ dev_err(&udev->dev, "couldn't register control\n");
+- goto fail;
++ goto unregister;
+ }
+ /* save the init method used by this camera */
+ cam->method = id->driver_info;
+@@ -1502,7 +1509,7 @@ static int zr364xx_probe(struct usb_interface *intf,
+ if (!cam->read_endpoint) {
+ err = -ENOMEM;
+ dev_err(&intf->dev, "Could not find bulk-in endpoint\n");
+- goto fail;
++ goto unregister;
+ }
+
+ /* v4l */
+@@ -1513,10 +1520,11 @@ static int zr364xx_probe(struct usb_interface *intf,
+
+ /* load zr364xx board specific */
+ err = zr364xx_board_init(cam);
+- if (!err)
+- err = v4l2_ctrl_handler_setup(hdl);
+ if (err)
+- goto fail;
++ goto unregister;
++ err = v4l2_ctrl_handler_setup(hdl);
++ if (err)
++ goto board_uninit;
+
+ spin_lock_init(&cam->slock);
+
+@@ -1531,16 +1539,21 @@ static int zr364xx_probe(struct usb_interface *intf,
+ err = video_register_device(&cam->vdev, VFL_TYPE_GRABBER, -1);
+ if (err) {
+ dev_err(&udev->dev, "video_register_device failed\n");
+- goto fail;
++ goto free_handler;
+ }
++ cam->v4l2_dev.release = zr364xx_release;
+
+ dev_info(&udev->dev, DRIVER_DESC " controlling device %s\n",
+ video_device_node_name(&cam->vdev));
+ return 0;
+
+-fail:
++free_handler:
+ v4l2_ctrl_handler_free(hdl);
++board_uninit:
++ zr364xx_board_uninit(cam);
++unregister:
+ v4l2_device_unregister(&cam->v4l2_dev);
++free_cam:
+ kfree(cam);
+ return err;
+ }
+--
+2.30.2
+
--- /dev/null
+From c3126b1734f065689a2ee93cb6894f410ea3199d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 6 Oct 2020 19:21:22 +0200
+Subject: media: zr364xx: propagate errors from zr364xx_start_readpipe()
+
+From: Evgeny Novikov <novikov@ispras.ru>
+
+[ Upstream commit af0321a5be3e5647441eb6b79355beaa592df97a ]
+
+zr364xx_start_readpipe() can fail but callers do not care about that.
+This can result in various negative consequences. The patch adds missed
+error handling.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov <novikov@ispras.ru>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/media/usb/zr364xx/zr364xx.c | 31 ++++++++++++++++++++++-------
+ 1 file changed, 24 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/media/usb/zr364xx/zr364xx.c b/drivers/media/usb/zr364xx/zr364xx.c
+index 02458c9cb5dc..22b34690a016 100644
+--- a/drivers/media/usb/zr364xx/zr364xx.c
++++ b/drivers/media/usb/zr364xx/zr364xx.c
+@@ -1331,6 +1331,7 @@ static int zr364xx_board_init(struct zr364xx_camera *cam)
+ {
+ struct zr364xx_pipeinfo *pipe = cam->pipe;
+ unsigned long i;
++ int err;
+
+ DBG("board init: %p\n", cam);
+ memset(pipe, 0, sizeof(*pipe));
+@@ -1363,9 +1364,8 @@ static int zr364xx_board_init(struct zr364xx_camera *cam)
+
+ if (i == 0) {
+ printk(KERN_INFO KBUILD_MODNAME ": out of memory. Aborting\n");
+- kfree(cam->pipe->transfer_buffer);
+- cam->pipe->transfer_buffer = NULL;
+- return -ENOMEM;
++ err = -ENOMEM;
++ goto err_free;
+ } else
+ cam->buffer.dwFrames = i;
+
+@@ -1380,9 +1380,17 @@ static int zr364xx_board_init(struct zr364xx_camera *cam)
+ /*** end create system buffers ***/
+
+ /* start read pipe */
+- zr364xx_start_readpipe(cam);
++ err = zr364xx_start_readpipe(cam);
++ if (err)
++ goto err_free;
++
+ DBG(": board initialized\n");
+ return 0;
++
++err_free:
++ kfree(cam->pipe->transfer_buffer);
++ cam->pipe->transfer_buffer = NULL;
++ return err;
+ }
+
+ static int zr364xx_probe(struct usb_interface *intf,
+@@ -1579,10 +1587,19 @@ static int zr364xx_resume(struct usb_interface *intf)
+ if (!cam->was_streaming)
+ return 0;
+
+- zr364xx_start_readpipe(cam);
++ res = zr364xx_start_readpipe(cam);
++ if (res)
++ return res;
++
+ res = zr364xx_prepare(cam);
+- if (!res)
+- zr364xx_start_acquire(cam);
++ if (res)
++ goto err_prepare;
++
++ zr364xx_start_acquire(cam);
++ return 0;
++
++err_prepare:
++ zr364xx_stop_readpipe(cam);
+ return res;
+ }
+ #endif
+--
+2.30.2
+
--- /dev/null
+From 6f985bb70e108d80eab25dcd0146721bab8f36fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 May 2021 18:34:44 -0700
+Subject: mm/cma: change cma mutex to irq safe spinlock
+
+From: Mike Kravetz <mike.kravetz@oracle.com>
+
+[ Upstream commit 0ef7dcac998fefc4767b7f10eb3b6df150c38a4e ]
+
+Patch series "make hugetlb put_page safe for all calling contexts", v5.
+
+This effort is the result a recent bug report [1]. Syzbot found a
+potential deadlock in the hugetlb put_page/free_huge_page_path. WARNING:
+SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected Since the
+free_huge_page_path already has code to 'hand off' page free requests to a
+workqueue, a suggestion was proposed to make the in_irq() detection
+accurate by always enabling PREEMPT_COUNT [2]. The outcome of that
+discussion was that the hugetlb put_page path (free_huge_page) path should
+be properly fixed and safe for all calling contexts.
+
+[1] https://lore.kernel.org/linux-mm/000000000000f1c03b05bc43aadc@google.com/
+[2] http://lkml.kernel.org/r/20210311021321.127500-1-mike.kravetz@oracle.com
+
+This patch (of 8):
+
+cma_release is currently a sleepable operatation because the bitmap
+manipulation is protected by cma->lock mutex. Hugetlb code which relies
+on cma_release for CMA backed (giga) hugetlb pages, however, needs to be
+irq safe.
+
+The lock doesn't protect any sleepable operation so it can be changed to a
+(irq aware) spin lock. The bitmap processing should be quite fast in
+typical case but if cma sizes grow to TB then we will likely need to
+replace the lock by a more optimized bitmap implementation.
+
+Link: https://lkml.kernel.org/r/20210409205254.242291-1-mike.kravetz@oracle.com
+Link: https://lkml.kernel.org/r/20210409205254.242291-2-mike.kravetz@oracle.com
+Signed-off-by: Mike Kravetz <mike.kravetz@oracle.com>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Reviewed-by: David Hildenbrand <david@redhat.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Shakeel Butt <shakeelb@google.com>
+Cc: Oscar Salvador <osalvador@suse.de>
+Cc: Muchun Song <songmuchun@bytedance.com>
+Cc: David Rientjes <rientjes@google.com>
+Cc: Miaohe Lin <linmiaohe@huawei.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Cc: Matthew Wilcox <willy@infradead.org>
+Cc: HORIGUCHI NAOYA <naoya.horiguchi@nec.com>
+Cc: "Aneesh Kumar K . V" <aneesh.kumar@linux.ibm.com>
+Cc: Waiman Long <longman@redhat.com>
+Cc: Peter Xu <peterx@redhat.com>
+Cc: Mina Almasry <almasrymina@google.com>
+Cc: Hillf Danton <hdanton@sina.com>
+Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
+Cc: Barry Song <song.bao.hua@hisilicon.com>
+Cc: Will Deacon <will@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ mm/cma.c | 18 +++++++++---------
+ mm/cma.h | 2 +-
+ mm/cma_debug.c | 8 ++++----
+ 3 files changed, 14 insertions(+), 14 deletions(-)
+
+diff --git a/mm/cma.c b/mm/cma.c
+index 7de520c0a1db..b895b2ca8800 100644
+--- a/mm/cma.c
++++ b/mm/cma.c
+@@ -24,7 +24,6 @@
+ #include <linux/memblock.h>
+ #include <linux/err.h>
+ #include <linux/mm.h>
+-#include <linux/mutex.h>
+ #include <linux/sizes.h>
+ #include <linux/slab.h>
+ #include <linux/log2.h>
+@@ -84,13 +83,14 @@ static void cma_clear_bitmap(struct cma *cma, unsigned long pfn,
+ unsigned int count)
+ {
+ unsigned long bitmap_no, bitmap_count;
++ unsigned long flags;
+
+ bitmap_no = (pfn - cma->base_pfn) >> cma->order_per_bit;
+ bitmap_count = cma_bitmap_pages_to_bits(cma, count);
+
+- mutex_lock(&cma->lock);
++ spin_lock_irqsave(&cma->lock, flags);
+ bitmap_clear(cma->bitmap, bitmap_no, bitmap_count);
+- mutex_unlock(&cma->lock);
++ spin_unlock_irqrestore(&cma->lock, flags);
+ }
+
+ static void __init cma_activate_area(struct cma *cma)
+@@ -124,7 +124,7 @@ static void __init cma_activate_area(struct cma *cma)
+ init_cma_reserved_pageblock(pfn_to_page(base_pfn));
+ } while (--i);
+
+- mutex_init(&cma->lock);
++ spin_lock_init(&cma->lock);
+
+ #ifdef CONFIG_CMA_DEBUGFS
+ INIT_HLIST_HEAD(&cma->mem_head);
+@@ -376,7 +376,7 @@ static void cma_debug_show_areas(struct cma *cma)
+ unsigned long nr_part, nr_total = 0;
+ unsigned long nbits = cma_bitmap_maxno(cma);
+
+- mutex_lock(&cma->lock);
++ spin_lock_irq(&cma->lock);
+ pr_info("number of available pages: ");
+ for (;;) {
+ next_zero_bit = find_next_zero_bit(cma->bitmap, nbits, start);
+@@ -391,7 +391,7 @@ static void cma_debug_show_areas(struct cma *cma)
+ start = next_zero_bit + nr_zero;
+ }
+ pr_cont("=> %lu free of %lu total pages\n", nr_total, cma->count);
+- mutex_unlock(&cma->lock);
++ spin_unlock_irq(&cma->lock);
+ }
+ #else
+ static inline void cma_debug_show_areas(struct cma *cma) { }
+@@ -436,12 +436,12 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align,
+ return NULL;
+
+ for (;;) {
+- mutex_lock(&cma->lock);
++ spin_lock_irq(&cma->lock);
+ bitmap_no = bitmap_find_next_zero_area_off(cma->bitmap,
+ bitmap_maxno, start, bitmap_count, mask,
+ offset);
+ if (bitmap_no >= bitmap_maxno) {
+- mutex_unlock(&cma->lock);
++ spin_unlock_irq(&cma->lock);
+ break;
+ }
+ bitmap_set(cma->bitmap, bitmap_no, bitmap_count);
+@@ -450,7 +450,7 @@ struct page *cma_alloc(struct cma *cma, size_t count, unsigned int align,
+ * our exclusive use. If the migration fails we will take the
+ * lock again and unmark it.
+ */
+- mutex_unlock(&cma->lock);
++ spin_unlock_irq(&cma->lock);
+
+ pfn = cma->base_pfn + (bitmap_no << cma->order_per_bit);
+ mutex_lock(&cma_mutex);
+diff --git a/mm/cma.h b/mm/cma.h
+index 33c0b517733c..043bfbff9225 100644
+--- a/mm/cma.h
++++ b/mm/cma.h
+@@ -7,7 +7,7 @@ struct cma {
+ unsigned long count;
+ unsigned long *bitmap;
+ unsigned int order_per_bit; /* Order of pages represented by one bit */
+- struct mutex lock;
++ spinlock_t lock;
+ #ifdef CONFIG_CMA_DEBUGFS
+ struct hlist_head mem_head;
+ spinlock_t mem_head_lock;
+diff --git a/mm/cma_debug.c b/mm/cma_debug.c
+index a7dd9e8e10d5..d27881adce19 100644
+--- a/mm/cma_debug.c
++++ b/mm/cma_debug.c
+@@ -36,10 +36,10 @@ static int cma_used_get(void *data, u64 *val)
+ struct cma *cma = data;
+ unsigned long used;
+
+- mutex_lock(&cma->lock);
++ spin_lock_irq(&cma->lock);
+ /* pages counter is smaller than sizeof(int) */
+ used = bitmap_weight(cma->bitmap, (int)cma_bitmap_maxno(cma));
+- mutex_unlock(&cma->lock);
++ spin_unlock_irq(&cma->lock);
+ *val = (u64)used << cma->order_per_bit;
+
+ return 0;
+@@ -53,7 +53,7 @@ static int cma_maxchunk_get(void *data, u64 *val)
+ unsigned long start, end = 0;
+ unsigned long bitmap_maxno = cma_bitmap_maxno(cma);
+
+- mutex_lock(&cma->lock);
++ spin_lock_irq(&cma->lock);
+ for (;;) {
+ start = find_next_zero_bit(cma->bitmap, bitmap_maxno, end);
+ if (start >= bitmap_maxno)
+@@ -61,7 +61,7 @@ static int cma_maxchunk_get(void *data, u64 *val)
+ end = find_next_bit(cma->bitmap, bitmap_maxno, start);
+ maxchunk = max(end - start, maxchunk);
+ }
+- mutex_unlock(&cma->lock);
++ spin_unlock_irq(&cma->lock);
+ *val = (u64)maxchunk << cma->order_per_bit;
+
+ return 0;
+--
+2.30.2
+
ath-modify-ath_key_delete-to-not-need-full-key-entry.patch
ath9k-postpone-key-cache-entry-deletion-for-txq-frames-reference-it.patch
mtd-cfi_cmdset_0002-fix-crash-when-erasing-writing-amd-cards.patch
+media-zr364xx-propagate-errors-from-zr364xx_start_re.patch
+media-zr364xx-fix-memory-leaks-in-probe.patch
+media-drivers-media-usb-fix-memory-leak-in-zr364xx_p.patch
+mm-cma-change-cma-mutex-to-irq-safe-spinlock.patch
+usb-core-avoid-warnings-for-0-length-descriptor-requ.patch
--- /dev/null
+From a01dc8a012e1071693c56a3bab98180edee46ee9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 7 Jun 2021 11:23:07 -0400
+Subject: USB: core: Avoid WARNings for 0-length descriptor requests
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+[ Upstream commit 60dfe484cef45293e631b3a6e8995f1689818172 ]
+
+The USB core has utility routines to retrieve various types of
+descriptors. These routines will now provoke a WARN if they are asked
+to retrieve 0 bytes (USB "receive" requests must not have zero
+length), so avert this by checking the size argument at the start.
+
+CC: Johan Hovold <johan@kernel.org>
+Reported-and-tested-by: syzbot+7dbcd9ff34dc4ed45240@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Link: https://lore.kernel.org/r/20210607152307.GD1768031@rowland.harvard.edu
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/core/message.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/drivers/usb/core/message.c b/drivers/usb/core/message.c
+index 041c68ea329f..7ca908704777 100644
+--- a/drivers/usb/core/message.c
++++ b/drivers/usb/core/message.c
+@@ -647,6 +647,9 @@ int usb_get_descriptor(struct usb_device *dev, unsigned char type,
+ int i;
+ int result;
+
++ if (size <= 0) /* No point in asking for no data */
++ return -EINVAL;
++
+ memset(buf, 0, size); /* Make sure we parse really received data */
+
+ for (i = 0; i < 3; ++i) {
+@@ -695,6 +698,9 @@ static int usb_get_string(struct usb_device *dev, unsigned short langid,
+ int i;
+ int result;
+
++ if (size <= 0) /* No point in asking for no data */
++ return -EINVAL;
++
+ for (i = 0; i < 3; ++i) {
+ /* retry on length 0 or stall; some devices are flakey */
+ result = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+--
+2.30.2
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
