From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 28 Dec 2022 13:42:14 +0000 (+0100)
Subject: 5.15-stable patches
X-Git-Tag: v5.15.86~21
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d0c1ee1f42ef1e09e513488e8e11f480559df5a3;p=thirdparty%2Fkernel%2Fstable-queue.git

5.15-stable patches

added patches:
	media-dvbdev-fix-build-warning-due-to-comments.patch
	media-dvbdev-fix-refcnt-bug.patch
	net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch
---

diff --git a/queue-5.15/media-dvbdev-fix-build-warning-due-to-comments.patch b/queue-5.15/media-dvbdev-fix-build-warning-due-to-comments.patch
new file mode 100644
index 00000000000..7e6a8ea597d
--- /dev/null
+++ b/queue-5.15/media-dvbdev-fix-build-warning-due-to-comments.patch
@@ -0,0 +1,41 @@
+From 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 28 Nov 2022 08:39:03 +0000
+Subject: media: dvbdev: fix build warning due to comments
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3edfd14bb50fa6f94ed1a37bbb17d9f1c2793b57 upstream.
+
+Previous commit that introduces reference counter does not add proper
+comments, which will lead to warning when building htmldocs. Fix them.
+
+Reported-by: "Stephen Rothwell" <sfr@canb.auug.org.au>
+Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/media/dvbdev.h |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/include/media/dvbdev.h
++++ b/include/media/dvbdev.h
+@@ -126,6 +126,7 @@ struct dvb_adapter {
+  * struct dvb_device - represents a DVB device node
+  *
+  * @list_head:	List head with all DVB devices
++ * @ref:	reference counter
+  * @fops:	pointer to struct file_operations
+  * @adapter:	pointer to the adapter that holds this device node
+  * @type:	type of the device, as defined by &enum dvb_device_type.
+@@ -196,7 +197,7 @@ struct dvb_device {
+ struct dvb_device *dvb_device_get(struct dvb_device *dvbdev);
+ 
+ /**
+- * dvb_device_get - Decrease dvb_device reference
++ * dvb_device_put - Decrease dvb_device reference
+  *
+  * @dvbdev:	pointer to struct dvb_device
+  */
diff --git a/queue-5.15/media-dvbdev-fix-refcnt-bug.patch b/queue-5.15/media-dvbdev-fix-refcnt-bug.patch
new file mode 100644
index 00000000000..a37d9772b60
--- /dev/null
+++ b/queue-5.15/media-dvbdev-fix-refcnt-bug.patch
@@ -0,0 +1,63 @@
+From 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 Mon Sep 17 00:00:00 2001
+From: Lin Ma <linma@zju.edu.cn>
+Date: Mon, 28 Nov 2022 16:21:59 +0000
+Subject: media: dvbdev: fix refcnt bug
+
+From: Lin Ma <linma@zju.edu.cn>
+
+commit 3a664569b71b0a52be5ffb9fb87cc4f83d29bd71 upstream.
+
+Previous commit initialize the dvbdev->ref before the template copy,
+which will overwrite the reference and cause refcnt bug.
+
+refcount_t: addition on 0; use-after-free.
+WARNING: CPU: 0 PID: 1 at lib/refcount.c:25 refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
+Modules linked in:
+CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.1.0-rc6-next-20221128-syzkaller #0
+...
+RIP: 0010:refcount_warn_saturate+0x17c/0x1f0 lib/refcount.c:25
+RSP: 0000:ffffc900000678d0 EFLAGS: 00010282
+RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
+RDX: ffff88813ff58000 RSI: ffffffff81660e7c RDI: fffff5200000cf0c
+RBP: ffff888022a45010 R08: 0000000000000005 R09: 0000000000000000
+R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
+R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
+FS:  0000000000000000(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: ffff88823ffff000 CR3: 000000000c48e000 CR4: 00000000003506f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ <TASK>
+ __refcount_add include/linux/refcount.h:199 [inline]
+ __refcount_inc include/linux/refcount.h:250 [inline]
+ refcount_inc include/linux/refcount.h:267 [inline]
+ kref_get include/linux/kref.h:45 [inline]
+ dvb_device_get drivers/media/dvb-core/dvbdev.c:585 [inline]
+ dvb_register_device+0xe83/0x16e0 drivers/media/dvb-core/dvbdev.c:517
+...
+
+Just place the kref_init at correct position.
+
+Reported-by: syzbot+fce48a3dd3368645bd6c@syzkaller.appspotmail.com
+Fixes: 0fc044b2b5e2 ("media: dvbdev: adopts refcnt to avoid UAF")
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
+Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/media/dvb-core/dvbdev.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/dvb-core/dvbdev.c
++++ b/drivers/media/dvb-core/dvbdev.c
+@@ -490,8 +490,8 @@ int dvb_register_device(struct dvb_adapt
+ 		return -ENOMEM;
+ 	}
+ 
+-	kref_init(&dvbdev->ref);
+ 	memcpy(dvbdev, template, sizeof(struct dvb_device));
++	kref_init(&dvbdev->ref);
+ 	dvbdev->type = type;
+ 	dvbdev->id = id;
+ 	dvbdev->adapter = adap;
diff --git a/queue-5.15/net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch b/queue-5.15/net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch
new file mode 100644
index 00000000000..fc59b604c33
--- /dev/null
+++ b/queue-5.15/net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch
@@ -0,0 +1,33 @@
+From 2cb815cfc78b137ee38bcd65e7c955d6cc2cc250 Mon Sep 17 00:00:00 2001
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+Date: Wed, 14 Dec 2022 16:01:17 +0800
+Subject: net: stmmac: fix errno when create_singlethread_workqueue() fails
+
+From: Gaosheng Cui <cuigaosheng1@huawei.com>
+
+commit 2cb815cfc78b137ee38bcd65e7c955d6cc2cc250 upstream.
+
+We should set the return value to -ENOMEM explicitly when
+create_singlethread_workqueue() fails in stmmac_dvr_probe(),
+otherwise we'll lose the error value.
+
+Fixes: a137f3f27f92 ("net: stmmac: fix possible memory leak in stmmac_dvr_probe()")
+Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
+Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
+Link: https://lore.kernel.org/r/20221214080117.3514615-1-cuigaosheng1@huawei.com
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_main.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_main.c
+@@ -7046,6 +7046,7 @@ int stmmac_dvr_probe(struct device *devi
+ 	priv->wq = create_singlethread_workqueue("stmmac_wq");
+ 	if (!priv->wq) {
+ 		dev_err(priv->device, "failed to create workqueue\n");
++		ret = -ENOMEM;
+ 		goto error_wq_init;
+ 	}
+ 
diff --git a/queue-5.15/series b/queue-5.15/series
index a9d21daad02..2f76265e058 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -725,3 +725,6 @@ fbdev-fbcon-release-buffer-when-fbcon_do_set_font-failed.patch
 ovl-fix-use-inode-directly-in-rcu-walk-mode.patch
 btrfs-do-not-bug_on-on-enomem-when-dropping-extent-items-for-a-range.patch
 scsi-qla2xxx-fix-crash-when-i-o-abort-times-out.patch
+net-stmmac-fix-errno-when-create_singlethread_workqueue-fails.patch
+media-dvbdev-fix-build-warning-due-to-comments.patch
+media-dvbdev-fix-refcnt-bug.patch