* [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr
@ 2021-06-07 16:14 Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
                   ` (16 more replies)
  0 siblings, 17 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:14 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dan Robertson, Alexander Aring, Stefan Schmidt, Sasha Levin,
	linux-wpan, netdev

From: Dan Robertson <dan@dlrobertson.com>

[ Upstream commit 9fdd04918a452980631ecc499317881c1d120b70 ]

Fix a logic error that could result in a null deref if the user sets
the mode incorrectly for the given addr type.

Signed-off-by: Dan Robertson <dan@dlrobertson.com>
Acked-by: Alexander Aring <aahringo@redhat.com>
Link: https://lore.kernel.org/r/20210423040214.15438-2-dan@dlrobertson.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ieee802154/nl802154.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/net/ieee802154/nl802154.c b/net/ieee802154/nl802154.c
index b1c55db73764..6d4c71a52b6b 100644
--- a/net/ieee802154/nl802154.c
+++ b/net/ieee802154/nl802154.c
@@ -1315,19 +1315,20 @@ ieee802154_llsec_parse_dev_addr(struct nlattr *nla,
 				     nl802154_dev_addr_policy, NULL))
 		return -EINVAL;
 
-	if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] ||
-	    !attrs[NL802154_DEV_ADDR_ATTR_MODE] ||
-	    !(attrs[NL802154_DEV_ADDR_ATTR_SHORT] ||
-	      attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]))
+	if (!attrs[NL802154_DEV_ADDR_ATTR_PAN_ID] || !attrs[NL802154_DEV_ADDR_ATTR_MODE])
 		return -EINVAL;
 
 	addr->pan_id = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_PAN_ID]);
 	addr->mode = nla_get_u32(attrs[NL802154_DEV_ADDR_ATTR_MODE]);
 	switch (addr->mode) {
 	case NL802154_DEV_ADDR_SHORT:
+		if (!attrs[NL802154_DEV_ADDR_ATTR_SHORT])
+			return -EINVAL;
 		addr->short_addr = nla_get_le16(attrs[NL802154_DEV_ADDR_ATTR_SHORT]);
 		break;
 	case NL802154_DEV_ADDR_EXTENDED:
+		if (!attrs[NL802154_DEV_ADDR_ATTR_EXTENDED])
+			return -EINVAL;
 		addr->extended_addr = nla_get_le64(attrs[NL802154_DEV_ADDR_ATTR_EXTENDED]);
 		break;
 	default:
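Review bot: In the `case NL802154_DEV_ADDR_SHORT:` and `case NL802154_DEV_ADDR_EXTENDED:` arms only the attribute for the selected mode is checked, so a request that also carries the other address attribute is accepted and that attribute is silently ignored. If a mode/attribute mismatch should be an error, reject it in the arm; otherwise a one-line comment saying the extra attribute is deliberately ignored would help. The body of `default:` is outside the visible context, so it is worth confirming that it returns -EINVAL without reading `attrs[]`.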
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                   ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Srinivas Pandruvada, Jonathan Cameron, Jiri Kosina, Sasha Levin,
	linux-input, linux-iio

From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>

[ Upstream commit edb032033da0dc850f6e7740fa1023c73195bc89 ]

In the function sensor_hub_set_feature(), return error when hid_set_field()
fails.

Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-sensor-hub.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
index aa078c1dad14..6c7e12d8e7d9 100644
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
 	buffer_size = buffer_size / sizeof(__s32);
 	if (buffer_size) {
 		for (i = 0; i < buffer_size; ++i) {
-			hid_set_field(report->field[field_index], i,
-				      (__force __s32)cpu_to_le32(*buf32));
+			ret = hid_set_field(report->field[field_index], i,
+					    (__force __s32)cpu_to_le32(*buf32));
+			if (ret)
+				goto done_proc;
+
 			++buf32;
 		}
 	}
 	if (remaining_bytes) {
 		value = 0;
 		memcpy(&value, (u8 *)buf32, remaining_bytes);
-		hid_set_field(report->field[field_index], i,
-			      (__force __s32)cpu_to_le32(value));
+		ret = hid_set_field(report->field[field_index], i,
+				    (__force __s32)cpu_to_le32(value));
+		if (ret)
+			goto done_proc;
 	}
 	hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT);
 	hid_hw_wait(hsdev->hdev);
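Review bot: Both new `goto done_proc` exits can leave the report partly written: if `hid_set_field()` fails at index i in the loop, entries 0..i-1 of `report->field[field_index]` already hold the new values even though `hid_hw_request()` is skipped. Consider checking that the buffer fits the field before the loop, or noting in the function comment that the cached report is undefined after an error. The `done_proc` label is not in the visible context; please confirm it releases whatever the function holds at this point and returns `ret`.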
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
                   ` (14 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Mark Bolhuis, Jiri Kosina, Sasha Levin, linux-input

From: Mark Bolhuis <mark@bolhuis.dev>

[ Upstream commit 48e33befe61a7d407753c53d1a06fc8d6b5dab80 ]

Add BUS_VIRTUAL to hid_connect logging since it's a valid hid bus type and it
should not print <UNKNOWN>

Signed-off-by: Mark Bolhuis <mark@bolhuis.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-core.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 71ee1267d2ef..381ab96c1e38 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1824,6 +1824,9 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask)
 	case BUS_I2C:
 		bus = "I2C";
 		break;
+	case BUS_VIRTUAL:
+		bus = "VIRTUAL";
+		break;
 	default:
 		bus = "<UNKNOWN>";
 	}
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15   ` Sasha Levin
                   ` (13 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Anirudh Rayabharam, syzbot+7c2bb71996f95a82524c,
	Benjamin Tissoires, Jiri Kosina, Sasha Levin, linux-usb,
	linux-input

From: Anirudh Rayabharam <mail@anirudhrb.com>

[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]

In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl() to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.

To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().

Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/usbhid/hid-core.c | 2 +-
 include/linux/hid.h           | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 98916fb4191a..46b8f4c353de 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
 	raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report;
 	dir = usbhid->ctrl[usbhid->ctrltail].dir;
 
-	len = ((report->size - 1) >> 3) + 1 + (report->id > 0);
+	len = hid_report_len(report);
 	if (dir == USB_DIR_OUT) {
 		usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
 		usbhid->urbctrl->transfer_buffer_length = len;
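Review bot: The `len = hid_report_len(report);` call is only a fix together with the `include/linux/hid.h` hunk of this patch, because the pre-patch `hid_report_len()` body is the same `((report->size - 1) >> 3) + 1 + (report->id > 0)` expression removed here. That is worth stating for anyone backporting, so the two hunks are never split. With `report->size == 0` and `report->id == 0` the new value is 0, and it is stored in `transfer_buffer_length` on the `USB_DIR_OUT` path; please confirm a zero-length control transfer is acceptable there.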
diff --git a/include/linux/hid.h b/include/linux/hid.h
index d07fe33a9045..5a2c55ed33fa 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev)
  */
 static inline u32 hid_report_len(struct hid_report *report)
 {
-	/* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
-	return ((report->size - 1) >> 3) + 1 + (report->id > 0);
+	return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
 }
 
 int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
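Review bot: The comment removed from `hid_report_len()` claimed the shift form was equivalent to `DIV_ROUND_UP(report->size, 8)`, which the commit message shows is false for `report->size == 0`, and the replacement leaves no comment at all. A short note in the function that `report->size` may be 0 would record why the shift form must not be reintroduced.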
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread
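The length arithmetic changed by patch 04/18, as an added user-space example that is not part of the thread or of the kernel source. It assumes a 32-bit unsigned `size` in bits; `old_report_len()`, `new_report_len()` and `count_mismatches()` are hypothetical names that model the removed and added expressions.

```c
#include <stdint.h>
#include <stdio.h>

/* Same shape as the kernel's rounding macro. */
#define DIV_ROUND_UP(n, d) (((n) + (d) - 1) / (d))

/*
 * Pre-patch expression from the removed lines. size_bits is the report
 * size in bits (assumed 32-bit unsigned here); id is the report id.
 * For size_bits == 0 the subtraction wraps to 0xFFFFFFFF.
 */
static uint32_t old_report_len(uint32_t size_bits, uint32_t id)
{
	return ((size_bits - 1) >> 3) + 1 + (id > 0);
}

/* Post-patch expression from the added line. */
static uint32_t new_report_len(uint32_t size_bits, uint32_t id)
{
	return DIV_ROUND_UP(size_bits, 8) + (id > 0);
}

/*
 * Count the sizes in [0, max_bits] for which the two expressions
 * disagree, and store the first such size in *first (if non-NULL).
 * This tests the "equivalent to DIV_ROUND_UP" claim of the removed
 * comment over a whole range instead of a single value.
 */
static unsigned count_mismatches(uint32_t max_bits, uint32_t id,
				 uint32_t *first)
{
	unsigned n = 0;

	for (uint32_t bits = 0; bits <= max_bits; bits++) {
		if (old_report_len(bits, id) != new_report_len(bits, id)) {
			if (n == 0 && first)
				*first = bits;
			n++;
		}
	}
	return n;
}

int main(void)
{
	/* Constructed sample sizes, in bits. */
	const uint32_t sizes[] = { 0, 1, 8, 9, 64 };
	uint32_t first = UINT32_MAX;
	unsigned n;

	for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++)
		printf("size=%2u bits  old=%10u  new=%u\n",
		       (unsigned)sizes[i],
		       (unsigned)old_report_len(sizes[i], 0),
		       (unsigned)new_report_len(sizes[i], 0));

	/*
	 * The raw pre-patch length for size 0 is far larger than any
	 * report buffer. How the driver turns it into the 16384 quoted
	 * in the commit message depends on code not shown on the page.
	 */
	n = count_mismatches(65536, 0, &first);
	printf("mismatching sizes in [0, 65536]: %u (first: %u)\n",
	       n, (unsigned)first);
	return 0;
}
```
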

* [PATCH AUTOSEL 4.14 05/18] ARM: OMAP2+: Fix build warning when mmc_omap is not built
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15   ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                     ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Yongqiang Liu, Tony Lindgren, Sasha Levin, linux-omap, linux-arm-kernel

From: Yongqiang Liu <liuyongqiang13@huawei.com>

[ Upstream commit 040ab72ee10ea88e1883ad143b3e2b77596abc31 ]

GCC reports the following warning with W=1:

arch/arm/mach-omap2/board-n8x0.c:325:19: warning:
variable 'index' set but not used [-Wunused-but-set-variable]
325 |  int bit, *openp, index;
    |                   ^~~~~

Fix this by moving CONFIG_MMC_OMAP to cover the rest of the code
in n8x0_mmc_callback().

Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-omap2/board-n8x0.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
index 20f25539d572..47abea1475d4 100644
--- a/arch/arm/mach-omap2/board-n8x0.c
+++ b/arch/arm/mach-omap2/board-n8x0.c
@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, int slot)
 
 static void n8x0_mmc_callback(void *data, u8 card_mask)
 {
+#ifdef CONFIG_MMC_OMAP
 	int bit, *openp, index;
 
 	if (board_is_n800()) {
@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask)
 	else
 		*openp = 0;
 
-#ifdef CONFIG_MMC_OMAP
 	omap_mmc_notify_cover_event(mmc_device, index, *openp);
 #else
 	pr_warn("MMC: notify cover event not available\n");
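Review bot: With `#ifdef CONFIG_MMC_OMAP` moved to the top of `n8x0_mmc_callback()`, the `*openp = 0;` update in this hunk's context is compiled out together with the notify call, so a build without CONFIG_MMC_OMAP only reaches the `pr_warn()`. Please confirm nothing else depends on that state being updated in such a build, for example `n8x0_mmc_get_cover_state()` named in the first hunk header. The `#else` now sits far from its `#ifdef`, so a trailing comment naming CONFIG_MMC_OMAP on `#else` and `#endif` would keep the block readable.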
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 06/18] HID: gt683r: add missing MODULE_DEVICE_TABLE
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (3 preceding siblings ...)
  2021-06-07 16:15   ` Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15   ` [Cluster-devel] " Sasha Levin
                   ` (11 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Bixuan Cui, Hulk Robot, Jiri Kosina, Sasha Levin, linux-input

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit a4b494099ad657f1cb85436d333cf38870ee95bc ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-gt683r.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c
index a298fbd8db6b..8ca4c1baeda8 100644
--- a/drivers/hid/hid-gt683r.c
+++ b/drivers/hid/hid-gt683r.c
@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = {
 	{ HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) },
 	{ }
 };
+MODULE_DEVICE_TABLE(hid, gt683r_led_id);
 
 static void gt683r_brightness_set(struct led_classdev *led_cdev,
 				enum led_brightness brightness)
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 07/18] gfs2: Fix use-after-free in gfs2_glock_shrink_scan
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15   ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                     ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hillf Danton, syzbot, Andreas Gruenbacher, Sasha Levin, cluster-devel

From: Hillf Danton <hdanton@sina.com>

[ Upstream commit 1ab19c5de4c537ec0d9b21020395a5b5a6c059b2 ]

The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to
remove the glock from the lru list in __gfs2_glock_put().

On the shrink scan path, the same flag is cleared under lru_lock but because
of cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the
put side can be made without deleting the glock from the lru list.

Keep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to
ensure correct behavior on both sides - clear GLF_LRU after list_del under
lru_lock.

Reported-by: syzbot <syzbot+34ba7ddbf3021981a228@syzkaller.appspotmail.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/glock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 0a0dd3178483..be969f24ccf0 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -1456,6 +1456,7 @@ __acquires(&lru_lock)
 	while(!list_empty(list)) {
 		gl = list_entry(list->next, struct gfs2_glock, gl_lru);
 		list_del_init(&gl->gl_lru);
+		clear_bit(GLF_LRU, &gl->gl_flags);
 		if (!spin_trylock(&gl->gl_lockref.lock)) {
 add_back_to_lru:
 			list_add(&gl->gl_lru, &lru_list);
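Review bot: After the added `clear_bit(GLF_LRU, &gl->gl_flags);`, the `add_back_to_lru:` path puts the glock back on `lru_list` with `list_add()`, and the visible context does not show GLF_LRU being set again. If this tree's `add_back_to_lru:` block has no matching `set_bit()`, the glock ends up on the LRU list without the flag, and per the commit message the put side only removes a glock from the list when it sees GLF_LRU. Please check the lines following `list_add()` in the 4.14 tree before this backport is queued.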
@@ -1501,7 +1502,6 @@ static long gfs2_scan_glock_lru(int nr)
 		if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
 			list_move(&gl->gl_lru, &dispose);
 			atomic_dec(&lru_count);
-			clear_bit(GLF_LRU, &gl->gl_flags);
 			freed++;
 			continue;
 		}
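Review bot: With `clear_bit()` removed from this branch, a glock moved to `dispose` keeps GLF_LRU set although `atomic_dec(&lru_count)` has already run. The commit message says the put side removes a glock from the list when it finds GLF_LRU set under `lru_lock`; please check that this path cannot decrement `lru_count` a second time for the same glock during the `cond_resched_lock(&lru_lock)` window.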
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (5 preceding siblings ...)
  2021-06-07 16:15   ` [Cluster-devel] " Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels Sasha Levin
                   ` (9 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Lin Ma, Marcel Holtmann, Sasha Levin, linux-bluetooth, netdev

From: Lin Ma <linma@zju.edu.cn>

[ Upstream commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 ]

The hci_sock_dev_event() function will clean up the hdev object for
sockets even if this object may still be in use within the
hci_sock_bound_ioctl() function, resulting in a UAF vulnerability.

This patch replaces the BH context lock to serialize these affairs
and prevent the race condition.

Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 93093d7c3824..120064e9cb2b 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 		/* Detach sockets from device */
 		read_lock(&hci_sk_list.lock);
 		sk_for_each(sk, &hci_sk_list.head) {
-			bh_lock_sock_nested(sk);
+			lock_sock(sk);
 			if (hci_pi(sk)->hdev == hdev) {
 				hci_pi(sk)->hdev = NULL;
 				sk->sk_err = EPIPE;
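Review bot: The new `lock_sock(sk)` is called inside the `read_lock(&hci_sk_list.lock)` section opened three lines above it, and `lock_sock()` may sleep while `read_lock()` puts the caller in atomic context. The same applies to the `release_sock(sk)` in the second hunk, which still runs before `read_unlock()`. Suggest restructuring so that the socket lock is not taken while `hci_sk_list.lock` is held, or explaining in the commit message why sleeping cannot happen here.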
@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
 
 				hci_dev_put(hdev);
 			}
-			bh_unlock_sock(sk);
+			release_sock(sk);
 		}
 		read_unlock(&hci_sk_list.lock);
 	}
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (6 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
                   ` (8 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Maurizio Lombardi, Bart Van Assche, Martin K . Petersen,
	Sasha Levin, linux-scsi, target-devel

From: Maurizio Lombardi <mlombard@redhat.com>

[ Upstream commit 515da6f4295c2c42b8c54572cce3d2dd1167c41e ]

On realtime kernels, spin_lock_irq*(spinlock_t) do not disable the
interrupts, a call to irqs_disabled() will return false thus firing a
warning in __transport_wait_for_tasks().

Remove the warning and also replace assert_spin_locked() with
lockdep_assert_held()

Link: https://lore.kernel.org/r/20210531121326.3649-1-mlombard@redhat.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/target_core_transport.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0d0be7d8b9d6..852680e85921 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2966,9 +2966,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop,
 	__releases(&cmd->t_state_lock)
 	__acquires(&cmd->t_state_lock)
 {
-
-	assert_spin_locked(&cmd->t_state_lock);
-	WARN_ON_ONCE(!irqs_disabled());
+	lockdep_assert_held(&cmd->t_state_lock);
 
 	if (fabric_stop)
 		cmd->transport_state |= CMD_T_FABRIC_STOP;
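Review bot: `lockdep_assert_held(&cmd->t_state_lock)` checks only in lockdep-enabled builds, so builds without lockdep lose the runtime check that the removed `assert_spin_locked()` provided. That trade-off is reasonable for the realtime case described, but with `WARN_ON_ONCE(!irqs_disabled())` gone nothing at the top of `__transport_wait_for_tasks()` records how callers are expected to take the lock. A one-line comment stating the expected lock variant would preserve that information.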
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe()
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (7 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15   ` Sasha Levin
                   ` (7 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit f336d0b93ae978f12c5e27199f828da89b91e56a ]

The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'status'.

Eliminate the following smatch warning:

drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe()
warn: missing error code 'status'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index a0a555052d8c..1ac2bc75edb1 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 		dev_err(&pdev->dev,
 			"invalid sram_size %dB or board span %ldB\n",
 			mgp->sram_size, mgp->board_span);
+		status = -EINVAL;
 		goto abort_with_ioremap;
 	}
 	memcpy_fromio(mgp->eeprom_strings,
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 11/18] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues()
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15   ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                     ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
	Sasha Levin, linux-nvme

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit a6c144f3d2e230f2b3ac5ed8c51e0f0391556197 ]

The queue count is increased in nvme_loop_init_io_queues(), so we
need to reset it to 1 at the end of nvme_loop_destroy_io_queues().
Otherwise the function is not re-entrant safe, and a crash will happen
during concurrent reset and remove calls.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/loop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 3388d2788fe0..5f33c3a9469b 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -322,6 +322,7 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl)
 		clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags);
 		nvmet_sq_destroy(&ctrl->queues[i].nvme_sq);
 	}
+	ctrl->ctrl.queue_count = 1;
 }
 
 static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl)
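Review bot: The added `ctrl->ctrl.queue_count = 1;` is a plain store after the loop, with no lock visible in this hunk. It makes a later second call find nothing to destroy, but two truly concurrent callers (the reset and remove case from the commit message) can both be inside the loop before either reaches the store. Please confirm the callers are serialized elsewhere, and consider a comment saying which queue the remaining count of 1 stands for.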
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15   ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                     ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
	Sasha Levin, linux-nvme

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit 1c5f8e882a05de5c011e8c3fbeceb0d1c590eb53 ]

When the call to nvme_enable_ctrl() in nvme_loop_configure_admin_queue()
fails the NVME_LOOP_Q_LIVE flag is not cleared.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/loop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 5f33c3a9469b..963d8de932d1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -430,6 +430,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl)
 	return 0;
 
 out_cleanup_queue:
+	clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
 	blk_cleanup_queue(ctrl->ctrl.admin_q);
 out_free_tagset:
 	blk_mq_free_tag_set(&ctrl->admin_tag_set);
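Review bot: The new `clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);` sits only under `out_cleanup_queue:`, so an error path that enters at `out_free_tagset:` or at a later label does not clear the flag. That is correct only if the flag is set after every jump to those labels; the place where it is set is outside the visible context, so please confirm the ordering.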
-- 
2.30.2


^ permalink raw reply related	[flat|nested] 23+ messages in thread

* [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails
@ 2021-06-07 16:15   ` Sasha Levin
  0 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
	Sasha Levin, linux-nvme

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit 1c5f8e882a05de5c011e8c3fbeceb0d1c590eb53 ]

When the call to nvme_enable_ctrl() in nvme_loop_configure_admin_queue()
fails the NVME_LOOP_Q_LIVE flag is not cleared.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/loop.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 5f33c3a9469b..963d8de932d1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -430,6 +430,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl)
 	return 0;
 
 out_cleanup_queue:
+	clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
 	blk_cleanup_queue(ctrl->ctrl.admin_q);
 out_free_tagset:
 	blk_mq_free_tag_set(&ctrl->admin_tag_set);
-- 
2.30.2


_______________________________________________
Linux-nvme mailing list
Linux-nvme@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-nvme


* [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue()
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15   ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
                     ` (15 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
	Sasha Levin, linux-nvme

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit 4237de2f73a669e4f89ac0aa2b44fb1a1d9ec583 ]

We need to check the NVME_LOOP_Q_LIVE flag in
nvme_loop_destroy_admin_queue() to protect against duplicate
invocations, e.g. during concurrent reset and remove calls.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/loop.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 963d8de932d1..7a0a10777cd1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = {
 
 static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
 {
-	clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
+	if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags))
+		return;
 	nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
 	blk_cleanup_queue(ctrl->ctrl.admin_q);
 	blk_mq_free_tag_set(&ctrl->admin_tag_set);
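
Review bot: test_and_clear_bit() makes the teardown run at most once, but
the caller that loses the race returns immediately while the winner may
still be inside nvmet_sq_destroy() or blk_cleanup_queue(). If the reset and
remove paths rely on the admin queue being gone when this function returns,
the early return needs to be paired with something that waits for the first
caller; the commit message should say which lock or state check provides
that.
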
-- 
2.30.2



* [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue()
@ 2021-06-07 16:15   ` Sasha Levin
  0 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
	Sasha Levin, linux-nvme

From: Hannes Reinecke <hare@suse.de>

[ Upstream commit 4237de2f73a669e4f89ac0aa2b44fb1a1d9ec583 ]

We need to check the NVME_LOOP_Q_LIVE flag in
nvme_loop_destroy_admin_queue() to protect against duplicate
invocations, e.g. during concurrent reset and remove calls.

Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nvme/target/loop.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 963d8de932d1..7a0a10777cd1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = {
 
 static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
 {
-	clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
+	if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags))
+		return;
 	nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
 	blk_cleanup_queue(ctrl->ctrl.admin_q);
 	blk_mq_free_tag_set(&ctrl->admin_tag_set);
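
Review bot: with the early return, nvmet_sq_destroy(), blk_cleanup_queue()
and blk_mq_free_tag_set() are all skipped whenever NVME_LOOP_Q_LIVE is
clear, including after patch 12/18 clears it on the configure error path.
Please check that no 4.14 caller reaches this function with the submission
queue initialised but the bit not yet set, since that state would now be
leaked instead of freed twice.
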
-- 
2.30.2



* [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (11 preceding siblings ...)
  2021-06-07 16:15   ` Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
                   ` (3 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Josh Triplett, David S . Miller, Sasha Levin, netdev

From: Josh Triplett <josh@joshtriplett.org>

[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ]

If the user specifies a hostname or domain name as part of the ip=
command-line option, preserve it and don't overwrite it with one
supplied by DHCP/BOOTP.

For instance, ip=::::myhostname::dhcp will use "myhostname" rather than
ignoring and overwriting it.

Fix the comment on ic_bootp_string that suggests it only copies a string
"if not already set"; it doesn't have any such logic.

Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/ipconfig.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index f0782c91514c..41e384834d50 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d
 
 
 /*
- *  Copy BOOTP-supplied string if not already set.
+ *  Copy BOOTP-supplied string
  */
 static int __init ic_bootp_string(char *dest, char *src, int len, int max)
 {
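
Review bot: the reworded comment above ic_bootp_string() drops the wrong
claim but no longer says anything about overwrite behaviour, and it loses
the full stop. Since the guards now live in the callers, say so, for
example "Copy BOOTP-supplied string; overwrites dest unconditionally,
callers check whether it is already set."
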
@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext)
 		}
 		break;
 	case 12:	/* Host name */
-		ic_bootp_string(utsname()->nodename, ext+1, *ext,
-				__NEW_UTS_LEN);
-		ic_host_name_set = 1;
+		if (!ic_host_name_set) {
+			ic_bootp_string(utsname()->nodename, ext+1, *ext,
+					__NEW_UTS_LEN);
+			ic_host_name_set = 1;
+		}
 		break;
 	case 15:	/* Domain name (DNS) */
-		ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
+		if (!ic_domain[0])
+			ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
 		break;
 	case 17:	/* Root path */
 		if (!root_server_path[0])
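
Review bot: the two new guards test different things: case 12 keys on the
ic_host_name_set flag, case 15 on ic_domain[0], matching the existing
root_server_path[0] test in case 17. The host name guard only preserves a
command-line value if the ip= parser sets ic_host_name_set, and that code is
not part of this patch, so please confirm it does in 4.14. The flag is also
set after the first BOOTP-supplied name, so a later reply can no longer
replace it; if that is intended, the commit message should say so.
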
-- 
2.30.2



* [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify()
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (12 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code Sasha Levin
                   ` (2 subsequent siblings)
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit a8db57c1d285c758adc7fb43d6e2bad2554106e1 ]

The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'err'.

Eliminate the following smatch warning:

net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code
'err'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/rtnetlink.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0168c700a201..fa3ed51f846b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3648,8 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev)
 	if (err < 0)
 		goto errout;
 
-	if (!skb->len)
+	if (!skb->len) {
+		err = -EINVAL;
 		goto errout;
+	}
 
 	rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
 	return 0;
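
Review bot: before this change the !skb->len branch reached errout with
err >= 0, since the err < 0 case had already jumped; it now reports -EINVAL.
The commit message justifies that only with the smatch warning and does not
argue that an empty message is an error rather than nothing to notify. For a
stable backport, state which callers see the new return value and why that
is safe.
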
-- 
2.30.2



* [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (13 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 17/18] net: " Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 18/18] fib: " Sasha Levin
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Zheng Yongjun, David S . Miller, Sasha Levin, linux-x25, netdev

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit d7736958668c4facc15f421e622ffd718f5be80a ]

When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.

Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/x25/af_x25.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 987e5f8cafbe..fd0a6c6c77b6 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol,
 	if (protocol)
 		goto out;
 
-	rc = -ENOBUFS;
+	rc = -ENOMEM;
 	if ((sk = x25_alloc_socket(net, kern)) == NULL)
 		goto out;
 
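
Review bot: the commit message talks about kalloc or kmemdup failing, but
the call covered by rc in this hunk is x25_alloc_socket(). The value is what
x25_create() hands back on that failure, so socket creation now reports
ENOMEM where it used to report ENOBUFS; that is a behaviour change rather
than a fix and should be justified for stable, or dropped from the 4.14
queue.
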
-- 
2.30.2



* [PATCH AUTOSEL 4.14 17/18] net: Return the correct errno code
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (14 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 18/18] fib: " Sasha Levin
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit 49251cd00228a3c983651f6bb2f33f6a0b8f152e ]

When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.

Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/compat.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/compat.c b/net/compat.c
index 45349658ed01..2ec822f4e409 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
 	if (kcmlen > stackbuf_size)
 		kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
 	if (kcmsg == NULL)
-		return -ENOBUFS;
+		return -ENOMEM;
 
 	/* Now copy them over neatly. */
 	memset(kcmsg, 0, kcmlen);
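
Review bot: the failing call here is sock_kmalloc(sk, kcmlen, GFP_KERNEL),
an allocation charged to the socket, not the kalloc or kmemdup the commit
message names. Such an allocation can be refused because of the socket's
option-memory limit rather than because the system is out of memory, in
which case -ENOBUFS was the more accurate code. Please confirm which failure
is meant before changing the errno for every caller of
cmsghdr_from_user_compat_to_kern().
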
-- 
2.30.2



* [PATCH AUTOSEL 4.14 18/18] fib: Return the correct errno code
  2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
                   ` (15 preceding siblings ...)
  2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 17/18] net: " Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
  16 siblings, 0 replies; 23+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev

From: Zheng Yongjun <zhengyongjun3@huawei.com>

[ Upstream commit 59607863c54e9eb3f69afc5257dfe71c38bb751e ]

When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.

Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/fib_rules.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 9bb321df0869..76c3f602ee15 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule *rule,
 {
 	struct net *net;
 	struct sk_buff *skb;
-	int err = -ENOBUFS;
+	int err = -ENOMEM;
 
 	net = ops->fro_net;
 	skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
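
Review bot: notify_rule_change() is declared void in the hunk header, so err
is never returned as the commit message says; the message should describe
where the value ends up. Because the change is to the initialiser, it alters
the code for every exit path that does not assign err, not just the
nlmsg_new() failure on the last line of the hunk. Please list those paths,
or set -ENOMEM only where the allocation fails.
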
-- 
2.30.2



Thread overview: 23+ messages
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 05/18] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
2021-06-07 16:15   ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 06/18] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 07/18] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
2021-06-07 16:15   ` [Cluster-devel] " Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 11/18] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
2021-06-07 16:15   ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
2021-06-07 16:15   ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
2021-06-07 16:15   ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 17/18] net: " Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 18/18] fib: " Sasha Levin
