From: Greg Kroah-Hartman
Date: Wed, 26 May 2021 07:30:30 +0000 (+0200)
Subject: 5.4-stable patches
X-Git-Tag: v4.4.270~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f0b53178c4b077af82cda4e011af8e475410b23c;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
nvmet-use-new-ana_log_size-instead-the-old-one.patch
video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
---
diff --git a/queue-5.4/nvmet-use-new-ana_log_size-instead-the-old-one.patch b/queue-5.4/nvmet-use-new-ana_log_size-instead-the-old-one.patch
new file mode 100644
index 00000000000..7676e75c3a3
--- /dev/null
+++ b/queue-5.4/nvmet-use-new-ana_log_size-instead-the-old-one.patch
@@ -0,0 +1,67 @@
+From e181811bd04d874fe48bbfa1165a82068b58144d Mon Sep 17 00:00:00 2001
+From: Hou Pu
+Date: Thu, 13 May 2021 21:04:10 +0800
+Subject: nvmet: use new ana_log_size instead the old one
+
+From: Hou Pu
+
+commit e181811bd04d874fe48bbfa1165a82068b58144d upstream.
+
+The new ana_log_size should be used instead of the old one.
+Or kernel NULL pointer dereference will happen like below:
+
+[ 38.957849][ T69] BUG: kernel NULL pointer dereference, address: 000000000000003c
+[ 38.975550][ T69] #PF: supervisor write access in kernel mode
+[ 38.975955][ T69] #PF: error_code(0x0002) - not-present page
+[ 38.976905][ T69] PGD 0 P4D 0
+[ 38.979388][ T69] Oops: 0002 [#1] SMP NOPTI
+[ 38.980488][ T69] CPU: 0 PID: 69 Comm: kworker/0:2 Not tainted 5.12.0+ #54
+[ 38.981254][ T69] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
+[ 38.982502][ T69] Workqueue: events nvme_loop_execute_work
+[ 38.985219][ T69] RIP: 0010:memcpy_orig+0x68/0x10f
+[ 38.986203][ T69] Code: 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 4c 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 <4c> 89 47 f8 4c 89 4f f0 4c 89 57 e8 4c 89 5f e0 48 8d 7f e0 73 d2
+[ 38.987677][ T69] RSP: 0018:ffffc900001b7d48 EFLAGS: 00000287
+[ 38.987996][ T69] RAX: 0000000000000020 RBX: 0000000000000024 RCX: 0000000000000010
+[ 38.988327][ T69] RDX: ffffffffffffffe4 RSI: ffff8881084bc004 RDI: 0000000000000044
+[ 38.988620][ T69] RBP: 0000000000000024 R08: 0000000100000000 R09: 0000000000000000
+[ 38.988991][ T69] R10: 0000000100000000 R11: 0000000000000001 R12: 0000000000000024
+[ 38.989289][ T69] R13: ffff8881084bc000 R14: 0000000000000000 R15: 0000000000000024
+[ 38.989845][ T69] FS: 0000000000000000(0000) GS:ffff888237c00000(0000) knlGS:0000000000000000
+[ 38.990234][ T69] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+[ 38.990490][ T69] CR2: 000000000000003c CR3: 00000001085b2000 CR4: 00000000000006f0
+[ 38.991105][ 
T69] Call Trace:
+[ 38.994157][ T69] sg_copy_buffer+0xb8/0xf0
+[ 38.995357][ T69] nvmet_copy_to_sgl+0x48/0x6d
+[ 38.995565][ T69] nvmet_execute_get_log_page_ana+0xd4/0x1cb
+[ 38.995792][ T69] nvmet_execute_get_log_page+0xc9/0x146
+[ 38.995992][ T69] nvme_loop_execute_work+0x3e/0x44
+[ 38.996181][ T69] process_one_work+0x1c3/0x3c0
+[ 38.996393][ T69] worker_thread+0x44/0x3d0
+[ 38.996600][ T69] ? cancel_delayed_work+0x90/0x90
+[ 38.996804][ T69] kthread+0xf7/0x130
+[ 38.996961][ T69] ? kthread_create_worker_on_cpu+0x70/0x70
+[ 38.997171][ T69] ret_from_fork+0x22/0x30
+[ 38.997705][ T69] Modules linked in:
+[ 38.998741][ T69] CR2: 000000000000003c
+[ 39.000104][ T69] ---[ end trace e719927b609d0fa0 ]---
+
+Fixes: 5e1f689913a4 ("nvme-multipath: fix double initialization of ANA state")
+Signed-off-by: Hou Pu
+Signed-off-by: Christoph Hellwig
+Cc: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/nvme/host/multipath.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nvme/host/multipath.c
++++ b/drivers/nvme/host/multipath.c
+@@ -753,7 +753,7 @@ int nvme_mpath_init_identify(struct nvme
+ if (ana_log_size > ctrl->ana_log_size) {
+ nvme_mpath_stop(ctrl);
+ kfree(ctrl->ana_log_buf);
+- ctrl->ana_log_buf = kmalloc(ctrl->ana_log_size, GFP_KERNEL);
++ ctrl->ana_log_buf = kmalloc(ana_log_size, GFP_KERNEL);
+ if (!ctrl->ana_log_buf)
+ return -ENOMEM;
+ }
diff --git a/queue-5.4/series b/queue-5.4/series
index bf455ef7387..33c682778ea 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -68,3 +68,5 @@ tty-vt-always-invoke-vc-vc_sw-con_resize-callback.patch
 nvme-multipath-fix-double-initialization-of-ana-state.patch
 ext4-fix-error-handling-in-ext4_end_enable_verity.patch
 bluetooth-l2cap-fix-handling-le-modes-by-l2cap_options.patch
+nvmet-use-new-ana_log_size-instead-the-old-one.patch
+video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
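Review bot: On the -ENOMEM path right after the corrected `kmalloc(ana_log_size, GFP_KERNEL)`, the function returns with `ctrl->ana_log_buf` already freed and set to NULL while `ctrl->ana_log_size` still holds the old, smaller size, since the size field is presumably assigned only further down, outside this hunk. Any later reader that trusts the size field without checking the buffer pointer could hit the same class of fault this backport fixes; resetting the size on that path, `ctrl->ana_log_size = 0;` before `return -ENOMEM;`, keeps the two fields consistent. Whether any code actually reads the pair after a failed init is not visible here, so treat this as a hardening suggestion rather than a confirmed defect. The body of nvme_mpath_init_identify() continues outside the hunk.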
diff --git a/queue-5.4/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch b/queue-5.4/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
new file mode 100644
index 00000000000..d4f9481b13d
--- /dev/null
+++ b/queue-5.4/video-hgafb-correctly-handle-card-detect-failure-during-probe.patch
@@ -0,0 +1,43 @@
+From 02625c965239b71869326dd0461615f27307ecb3 Mon Sep 17 00:00:00 2001
+From: Anirudh Rayabharam
+Date: Mon, 17 May 2021 00:57:14 +0530
+Subject: video: hgafb: correctly handle card detect failure during probe
+
+From: Anirudh Rayabharam
+
+commit 02625c965239b71869326dd0461615f27307ecb3 upstream.
+
+The return value of hga_card_detect() is not properly handled causing
+the probe to succeed even though hga_card_detect() failed. Since probe
+succeeds, hgafb_open() can be called which will end up operating on an
+unmapped hga_vram. This results in an out-of-bounds access as reported
+by kernel test robot [1].
+
+To fix this, correctly detect failure of hga_card_detect() by checking
+for a non-zero error code.
+
+[1]: https://lore.kernel.org/lkml/20210516150019.GB25903@xsang-OptiPlex-9020/
+
+Fixes: dc13cac4862c ("video: hgafb: fix potential NULL pointer dereference")
+Cc: stable
+Reported-by: kernel test robot
+Reviewed-by: Igor Matheus Andrade Torrente
+Signed-off-by: Anirudh Rayabharam
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20210516192714.25823-1-mail@anirudhrb.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/video/fbdev/hgafb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/video/fbdev/hgafb.c
++++ b/drivers/video/fbdev/hgafb.c
+@@ -558,7 +558,7 @@ static int hgafb_probe(struct platform_d
+ int ret;
+
+ ret = hga_card_detect();
+- if (!ret)
++ if (ret)
+ return ret;
+
+ printk(KERN_INFO "hgafb: %s with %ldK of memory detected.\n",
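Review bot: The corrected test `if (ret)` makes hgafb_probe() depend on hga_card_detect() returning 0 on success and a non-zero (presumably negative errno) value on failure, and the inverted check being replaced shows that convention was already misread once; a one-line comment at the call, `/* hga_card_detect() returns 0 on success, a negative errno otherwise */`, would pin it down for the next change. If hga_card_detect() can ever return a positive value, the bare `return ret;` would pass that through as the probe result, which is worth confirming against its definition, which is not in this hunk. The body of hgafb_probe() continues past the hunk.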