--- /dev/null
+From a0023bb9dd9bc439d44604eeec62426a990054cd Mon Sep 17 00:00:00 2001
+From: Zheyu Ma <zheyuma97@gmail.com>
+Date: Fri, 22 Oct 2021 09:12:26 +0000
+Subject: ata: sata_mv: Fix the error handling of mv_chip_id()
+
+From: Zheyu Ma <zheyuma97@gmail.com>
+
+commit a0023bb9dd9bc439d44604eeec62426a990054cd upstream.
+
+mv_init_host() propagates the value returned by mv_chip_id() which in turn
+gets propagated by mv_pci_init_one() and hits local_pci_probe().
+
+During the process of driver probing, the probe function should return < 0
+for failure, otherwise, the kernel will treat value > 0 as success.
+
+Since this is a bug rather than a recoverable runtime error we should
+use dev_alert() instead of dev_err().
+
+Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
+Signed-off-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/ata/sata_mv.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/ata/sata_mv.c
++++ b/drivers/ata/sata_mv.c
+@@ -3892,8 +3892,8 @@ static int mv_chip_id(struct ata_host *h
+ break;
+
+ default:
+- dev_err(host->dev, "BUG: invalid board index %u\n", board_idx);
+- return 1;
++ dev_alert(host->dev, "BUG: invalid board index %u\n", board_idx);
++ return -EINVAL;
+ }
+
+ hpriv->hp_flags = hp_flags;
--- /dev/null
+From foo@baz Fri Oct 29 09:38:21 AM CEST 2021
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Thu, 28 Oct 2021 20:56:31 +0300
+Subject: ipv4: use siphash instead of Jenkins in fnhe_hashfun()
+To: stable@vger.kernel.org
+Message-ID: <20211028175631.1803277-3-ovidiu.panait@windriver.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream.
+
+A group of security researchers brought to our attention
+the weakness of hash function used in fnhe_hashfun().
+
+Lets use siphash instead of Jenkins Hash, to considerably
+reduce security risks.
+
+Also remove the inline keyword, this really is distracting.
+
+Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Willy Tarreau <w@1wt.eu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[OP: adjusted context for 5.4 stable]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/route.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -631,14 +631,14 @@ static void fnhe_remove_oldest(struct fn
+ kfree_rcu(oldest, rcu);
+ }
+
+-static inline u32 fnhe_hashfun(__be32 daddr)
++static u32 fnhe_hashfun(__be32 daddr)
+ {
+- static u32 fnhe_hashrnd __read_mostly;
+- u32 hval;
++ static siphash_key_t fnhe_hash_key __read_mostly;
++ u64 hval;
+
+- net_get_random_once(&fnhe_hashrnd, sizeof(fnhe_hashrnd));
+- hval = jhash_1word((__force u32) daddr, fnhe_hashrnd);
+- return hash_32(hval, FNHE_HASH_SHIFT);
++ net_get_random_once(&fnhe_hash_key, sizeof(fnhe_hash_key));
++ hval = siphash_1u32((__force u32)daddr, &fnhe_hash_key);
++ return hash_64(hval, FNHE_HASH_SHIFT);
+ }
+
+ static void fill_route_from_fnhe(struct rtable *rt, struct fib_nh_exception *fnhe)
--- /dev/null
+From foo@baz Fri Oct 29 09:38:21 AM CEST 2021
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Thu, 28 Oct 2021 20:56:30 +0300
+Subject: ipv6: use siphash in rt6_exception_hash()
+To: stable@vger.kernel.org
+Message-ID: <20211028175631.1803277-2-ovidiu.panait@windriver.com>
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 4785305c05b25a242e5314cc821f54ade4c18810 upstream.
+
+A group of security researchers brought to our attention
+the weakness of hash function used in rt6_exception_hash()
+
+Lets use siphash instead of Jenkins Hash, to considerably
+reduce security risks.
+
+Following patch deals with IPv4.
+
+Fixes: 35732d01fe31 ("ipv6: introduce a hash table to store dst cache")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Keyu Man <kman001@ucr.edu>
+Cc: Wei Wang <weiwan@google.com>
+Cc: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Wei Wang <weiwan@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[OP: adjusted context for 5.4 stable]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/route.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/route.c
++++ b/net/ipv6/route.c
+@@ -41,6 +41,7 @@
+ #include <linux/nsproxy.h>
+ #include <linux/slab.h>
+ #include <linux/jhash.h>
++#include <linux/siphash.h>
+ #include <net/net_namespace.h>
+ #include <net/snmp.h>
+ #include <net/ipv6.h>
+@@ -1502,17 +1503,24 @@ static void rt6_exception_remove_oldest(
+ static u32 rt6_exception_hash(const struct in6_addr *dst,
+ const struct in6_addr *src)
+ {
+- static u32 seed __read_mostly;
+- u32 val;
++ static siphash_key_t rt6_exception_key __read_mostly;
++ struct {
++ struct in6_addr dst;
++ struct in6_addr src;
++ } __aligned(SIPHASH_ALIGNMENT) combined = {
++ .dst = *dst,
++ };
++ u64 val;
+
+- net_get_random_once(&seed, sizeof(seed));
+- val = jhash(dst, sizeof(*dst), seed);
++ net_get_random_once(&rt6_exception_key, sizeof(rt6_exception_key));
+
+ #ifdef CONFIG_IPV6_SUBTREES
+ if (src)
+- val = jhash(src, sizeof(*src), val);
++ combined.src = *src;
+ #endif
+- return hash_32(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT);
++ val = siphash(&combined, sizeof(combined), &rt6_exception_key);
++
++ return hash_64(val, FIB6_EXCEPTION_BUCKET_SIZE_SHIFT);
+ }
+
+ /* Helper function to find the cached rt in the hash table
--- /dev/null
+From da353fac65fede6b8b4cfe207f0d9408e3121105 Mon Sep 17 00:00:00 2001
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+Date: Wed, 27 Oct 2021 17:59:20 -0400
+Subject: net/tls: Fix flipped sign in tls_err_abort() calls
+
+From: Daniel Jordan <daniel.m.jordan@oracle.com>
+
+commit da353fac65fede6b8b4cfe207f0d9408e3121105 upstream.
+
+sk->sk_err appears to expect a positive value, a convention that ktls
+doesn't always follow and that leads to memory corruption in other code.
+For instance,
+
+ [kworker]
+ tls_encrypt_done(..., err=<negative error from crypto request>)
+ tls_err_abort(.., err)
+ sk->sk_err = err;
+
+ [task]
+ splice_from_pipe_feed
+ ...
+ tls_sw_do_sendpage
+ if (sk->sk_err) {
+ ret = -sk->sk_err; // ret is positive
+
+ splice_from_pipe_feed (continued)
+ ret = actor(...) // ret is still positive and interpreted as bytes
+ // written, resulting in underflow of buf->len and
+ // sd->len, leading to huge buf->offset and bogus
+ // addresses computed in later calls to actor()
+
+Fix all tls_err_abort() callers to pass a negative error code
+consistently and centralize the error-prone sign flip there, throwing in
+a warning to catch future misuse and uninlining the function so it
+really does only warn once.
+
+Cc: stable@vger.kernel.org
+Fixes: c46234ebb4d1e ("tls: RX path for ktls")
+Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com
+Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/tls.h | 9 ++-------
+ net/tls/tls_sw.c | 17 +++++++++++++----
+ 2 files changed, 15 insertions(+), 11 deletions(-)
+
+--- a/include/net/tls.h
++++ b/include/net/tls.h
+@@ -360,6 +360,7 @@ int tls_sk_query(struct sock *sk, int op
+ int __user *optlen);
+ int tls_sk_attach(struct sock *sk, int optname, char __user *optval,
+ unsigned int optlen);
++void tls_err_abort(struct sock *sk, int err);
+
+ int tls_set_sw_offload(struct sock *sk, struct tls_context *ctx, int tx);
+ void tls_sw_strparser_arm(struct sock *sk, struct tls_context *ctx);
+@@ -465,12 +466,6 @@ static inline bool tls_is_sk_tx_device_o
+ #endif
+ }
+
+-static inline void tls_err_abort(struct sock *sk, int err)
+-{
+- sk->sk_err = err;
+- sk->sk_error_report(sk);
+-}
+-
+ static inline bool tls_bigint_increment(unsigned char *seq, int len)
+ {
+ int i;
+@@ -499,7 +494,7 @@ static inline void tls_advance_record_sn
+ struct cipher_context *ctx)
+ {
+ if (tls_bigint_increment(ctx->rec_seq, prot->rec_seq_size))
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+
+ if (prot->version != TLS_1_3_VERSION)
+ tls_bigint_increment(ctx->iv + TLS_CIPHER_AES_GCM_128_SALT_SIZE,
+--- a/net/tls/tls_sw.c
++++ b/net/tls/tls_sw.c
+@@ -35,6 +35,7 @@
+ * SOFTWARE.
+ */
+
++#include <linux/bug.h>
+ #include <linux/sched/signal.h>
+ #include <linux/module.h>
+ #include <linux/splice.h>
+@@ -43,6 +44,14 @@
+ #include <net/strparser.h>
+ #include <net/tls.h>
+
++noinline void tls_err_abort(struct sock *sk, int err)
++{
++ WARN_ON_ONCE(err >= 0);
++ /* sk->sk_err should contain a positive error code. */
++ sk->sk_err = -err;
++ sk->sk_error_report(sk);
++}
++
+ static int __skb_nsg(struct sk_buff *skb, int offset, int len,
+ unsigned int recursion_level)
+ {
+@@ -416,7 +425,7 @@ int tls_tx_records(struct sock *sk, int
+
+ tx_err:
+ if (rc < 0 && rc != -EAGAIN)
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+
+ return rc;
+ }
+@@ -761,7 +770,7 @@ static int tls_push_record(struct sock *
+ msg_pl->sg.size + prot->tail_size, i);
+ if (rc < 0) {
+ if (rc != -EINPROGRESS) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ if (split) {
+ tls_ctx->pending_open_record_frags = true;
+ tls_merge_open_record(sk, rec, tmp, orig_end);
+@@ -1822,7 +1831,7 @@ int tls_sw_recvmsg(struct sock *sk,
+ err = decrypt_skb_update(sk, skb, &msg->msg_iter,
+ &chunk, &zc, async_capable);
+ if (err < 0 && err != -EINPROGRESS) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ goto recv_end;
+ }
+
+@@ -2002,7 +2011,7 @@ ssize_t tls_sw_splice_read(struct socket
+ }
+
+ if (err < 0) {
+- tls_err_abort(sk, EBADMSG);
++ tls_err_abort(sk, -EBADMSG);
+ goto splice_read_end;
+ }
+ ctx->decrypted = true;
--- /dev/null
+From 2195f2062e4cc93870da8e71c318ef98a1c51cef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Date: Mon, 25 Oct 2021 16:49:36 +0200
+Subject: nfc: port100: fix using -ERRNO as command type mask
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+
+commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
+
+During probing, the driver tries to get a list (mask) of supported
+command types in port100_get_command_type_mask() function. The value
+is u64 and 0 is treated as invalid mask (no commands supported). The
+function however returns also -ERRNO as u64 which will be interpret as
+valid command mask.
+
+Return 0 on every error case of port100_get_command_type_mask(), so the
+probing will stop.
+
+Cc: <stable@vger.kernel.org>
+Fixes: 0347a6ab300a ("NFC: port100: Commands mechanism implementation")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/nfc/port100.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/nfc/port100.c
++++ b/drivers/nfc/port100.c
+@@ -1003,11 +1003,11 @@ static u64 port100_get_command_type_mask
+
+ skb = port100_alloc_skb(dev, 0);
+ if (!skb)
+- return -ENOMEM;
++ return 0;
+
+ resp = port100_send_cmd_sync(dev, PORT100_CMD_GET_COMMAND_TYPE, skb);
+ if (IS_ERR(resp))
+- return PTR_ERR(resp);
++ return 0;
+
+ if (resp->len < 8)
+ mask = 0;
--- /dev/null
+From 10eff1f5788b6ffac212c254e2f3666219576889 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Thu, 30 Sep 2021 20:49:42 +0300
+Subject: Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 10eff1f5788b6ffac212c254e2f3666219576889 upstream.
+
+This reverts commit ab609f25d19858513919369ff3d9a63c02cd9e2e.
+
+This patch is correct in the sense that we _should_ call device_put() in
+case of device_register() failure, but the problem in this code is more
+vast.
+
+We need to set bus->state to UNMDIOBUS_REGISTERED before calling
+device_register() to correctly release the device in mdiobus_free().
+This patch prevents us from doing it, since in case of device_register()
+failure put_device() will be called 2 times and it will cause UAF or
+something else.
+
+Also, Reported-by: tag in revered commit was wrong, since syzbot
+reported different leak in same function.
+
+Link: https://lore.kernel.org/netdev/20210928092657.GI2048@kadam/
+Acked-by: Yanfei Xu <yanfei.xu@windriver.com>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Link: https://lore.kernel.org/r/f12fb1faa4eccf0f355788225335eb4309ff2599.1633024062.git.paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/phy/mdio_bus.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -395,7 +395,6 @@ int __mdiobus_register(struct mii_bus *b
+ err = device_register(&bus->dev);
+ if (err) {
+ pr_err("mii_bus %s failed to register\n", bus->id);
+- put_device(&bus->dev);
+ return -EINVAL;
+ }
+
--- /dev/null
+From 6dba4bdfd7a30e77b848a45404b224588bf989e5 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <rafal@milecki.pl>
+Date: Fri, 8 Oct 2021 22:59:38 +0200
+Subject: Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <rafal@milecki.pl>
+
+commit 6dba4bdfd7a30e77b848a45404b224588bf989e5 upstream.
+
+This reverts commit a49d784d5a8272d0f63c448fe8dc69e589db006e.
+
+The updated binding was wrong / invalid and has been reverted. There
+isn't any upstream kernel DTS using it and Broadcom isn't known to use
+it neither. There is close to zero chance this will cause regression for
+anyone.
+
+Actually in-kernel bcm5301x.dtsi still uses the old good binding and so
+it's broken since the driver update. This revert fixes it.
+
+Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
+Link: https://lore.kernel.org/r/20211008205938.29925-3-zajec5@gmail.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/bcm/pinctrl-ns.c | 29 ++++++++++-------------------
+ 1 file changed, 10 insertions(+), 19 deletions(-)
+
+--- a/drivers/pinctrl/bcm/pinctrl-ns.c
++++ b/drivers/pinctrl/bcm/pinctrl-ns.c
+@@ -5,7 +5,6 @@
+
+ #include <linux/err.h>
+ #include <linux/io.h>
+-#include <linux/mfd/syscon.h>
+ #include <linux/module.h>
+ #include <linux/of.h>
+ #include <linux/of_device.h>
+@@ -13,7 +12,6 @@
+ #include <linux/pinctrl/pinctrl.h>
+ #include <linux/pinctrl/pinmux.h>
+ #include <linux/platform_device.h>
+-#include <linux/regmap.h>
+ #include <linux/slab.h>
+
+ #define FLAG_BCM4708 BIT(1)
+@@ -24,8 +22,7 @@ struct ns_pinctrl {
+ struct device *dev;
+ unsigned int chipset_flag;
+ struct pinctrl_dev *pctldev;
+- struct regmap *regmap;
+- u32 offset;
++ void __iomem *base;
+
+ struct pinctrl_desc pctldesc;
+ struct ns_pinctrl_group *groups;
+@@ -232,9 +229,9 @@ static int ns_pinctrl_set_mux(struct pin
+ unset |= BIT(pin_number);
+ }
+
+- regmap_read(ns_pinctrl->regmap, ns_pinctrl->offset, &tmp);
++ tmp = readl(ns_pinctrl->base);
+ tmp &= ~unset;
+- regmap_write(ns_pinctrl->regmap, ns_pinctrl->offset, tmp);
++ writel(tmp, ns_pinctrl->base);
+
+ return 0;
+ }
+@@ -266,13 +263,13 @@ static const struct of_device_id ns_pinc
+ static int ns_pinctrl_probe(struct platform_device *pdev)
+ {
+ struct device *dev = &pdev->dev;
+- struct device_node *np = dev->of_node;
+ const struct of_device_id *of_id;
+ struct ns_pinctrl *ns_pinctrl;
+ struct pinctrl_desc *pctldesc;
+ struct pinctrl_pin_desc *pin;
+ struct ns_pinctrl_group *group;
+ struct ns_pinctrl_function *function;
++ struct resource *res;
+ int i;
+
+ ns_pinctrl = devm_kzalloc(dev, sizeof(*ns_pinctrl), GFP_KERNEL);
+@@ -290,18 +287,12 @@ static int ns_pinctrl_probe(struct platf
+ return -EINVAL;
+ ns_pinctrl->chipset_flag = (uintptr_t)of_id->data;
+
+- ns_pinctrl->regmap = syscon_node_to_regmap(of_get_parent(np));
+- if (IS_ERR(ns_pinctrl->regmap)) {
+- int err = PTR_ERR(ns_pinctrl->regmap);
+-
+- dev_err(dev, "Failed to map pinctrl regs: %d\n", err);
+-
+- return err;
+- }
+-
+- if (of_property_read_u32(np, "offset", &ns_pinctrl->offset)) {
+- dev_err(dev, "Failed to get register offset\n");
+- return -ENOENT;
++ res = platform_get_resource_byname(pdev, IORESOURCE_MEM,
++ "cru_gpio_control");
++ ns_pinctrl->base = devm_ioremap_resource(dev, res);
++ if (IS_ERR(ns_pinctrl->base)) {
++ dev_err(dev, "Failed to map pinctrl regs\n");
++ return PTR_ERR(ns_pinctrl->base);
+ }
+
+ memcpy(pctldesc, &ns_pinctrl_desc, sizeof(*pctldesc));
arm-9139-1-kprobes-fix-arch_init_kprobes-prototype.patch
arm-9141-1-only-warn-about-xip-address-when-not-compile-testing.patch
powerpc-bpf-fix-bpf_mod-when-imm-1.patch
+ipv6-use-siphash-in-rt6_exception_hash.patch
+ipv4-use-siphash-instead-of-jenkins-in-fnhe_hashfun.patch
+usbnet-sanity-check-for-maxpacket.patch
+usbnet-fix-error-return-code-in-usbnet_probe.patch
+revert-pinctrl-bcm-ns-support-updated-dt-binding-as-syscon-subnode.patch
+ata-sata_mv-fix-the-error-handling-of-mv_chip_id.patch
+nfc-port100-fix-using-errno-as-command-type-mask.patch
+revert-net-mdiobus-fix-memory-leak-in-__mdiobus_register.patch
+net-tls-fix-flipped-sign-in-tls_err_abort-calls.patch
--- /dev/null
+From 6f7c88691191e6c52ef2543d6f1da8d360b27a24 Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Tue, 26 Oct 2021 20:40:15 +0800
+Subject: usbnet: fix error return code in usbnet_probe()
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 6f7c88691191e6c52ef2543d6f1da8d360b27a24 upstream.
+
+Return error code if usb_maxpacket() returns 0 in usbnet_probe()
+
+Fixes: 397430b50a36 ("usbnet: sanity check for maxpacket")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211026124015.3025136-1-wanghai38@huawei.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1775,6 +1775,7 @@ usbnet_probe (struct usb_interface *udev
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
+ if (dev->maxpacket == 0) {
+ /* that is a broken device */
++ status = -ENODEV;
+ goto out4;
+ }
+
--- /dev/null
+From 397430b50a363d8b7bdda00522123f82df6adc5e Mon Sep 17 00:00:00 2001
+From: Oliver Neukum <oneukum@suse.com>
+Date: Thu, 21 Oct 2021 14:29:44 +0200
+Subject: usbnet: sanity check for maxpacket
+
+From: Oliver Neukum <oneukum@suse.com>
+
+commit 397430b50a363d8b7bdda00522123f82df6adc5e upstream.
+
+maxpacket of 0 makes no sense and oopses as we need to divide
+by it. Give up.
+
+V2: fixed typo in log and stylistic issues
+
+Signed-off-by: Oliver Neukum <oneukum@suse.com>
+Reported-by: syzbot+76bb1d34ffa0adc03baa@syzkaller.appspotmail.com
+Reviewed-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211021122944.21816-1-oneukum@suse.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/usb/usbnet.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1773,6 +1773,10 @@ usbnet_probe (struct usb_interface *udev
+ if (!dev->rx_urb_size)
+ dev->rx_urb_size = dev->hard_mtu;
+ dev->maxpacket = usb_maxpacket (dev->udev, dev->out, 1);
++ if (dev->maxpacket == 0) {
++ /* that is a broken device */
++ goto out4;
++ }
+
+ /* let userspace know we have a random address */
+ if (ether_addr_equal(net->dev_addr, node_id))
projects / thirdparty / kernel / stable-queue.git / commitdiff
