* [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
` (15 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Srinivas Pandruvada, Jonathan Cameron, Jiri Kosina, Sasha Levin,
linux-input, linux-iio
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
[ Upstream commit edb032033da0dc850f6e7740fa1023c73195bc89 ]
In the function sensor_hub_set_feature(), return error when hid_set_field()
fails.
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Acked-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-sensor-hub.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c
index aa078c1dad14..6c7e12d8e7d9 100644
--- a/drivers/hid/hid-sensor-hub.c
+++ b/drivers/hid/hid-sensor-hub.c
@@ -223,16 +223,21 @@ int sensor_hub_set_feature(struct hid_sensor_hub_device *hsdev, u32 report_id,
buffer_size = buffer_size / sizeof(__s32);
if (buffer_size) {
for (i = 0; i < buffer_size; ++i) {
- hid_set_field(report->field[field_index], i,
- (__force __s32)cpu_to_le32(*buf32));
+ ret = hid_set_field(report->field[field_index], i,
+ (__force __s32)cpu_to_le32(*buf32));
+ if (ret)
+ goto done_proc;
+
++buf32;
}
}
if (remaining_bytes) {
value = 0;
memcpy(&value, (u8 *)buf32, remaining_bytes);
- hid_set_field(report->field[field_index], i,
- (__force __s32)cpu_to_le32(value));
+ ret = hid_set_field(report->field[field_index], i,
+ (__force __s32)cpu_to_le32(value));
+ if (ret)
+ goto done_proc;
}
hid_hw_request(hsdev->hdev, report, HID_REQ_SET_REPORT);
hid_hw_wait(hsdev->hdev);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
` (14 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Mark Bolhuis, Jiri Kosina, Sasha Levin, linux-input
From: Mark Bolhuis <mark@bolhuis.dev>
[ Upstream commit 48e33befe61a7d407753c53d1a06fc8d6b5dab80 ]
Add BUS_VIRTUAL to hid_connect logging since it's a valid hid bus type and it
should not print <UNKNOWN>
Signed-off-by: Mark Bolhuis <mark@bolhuis.dev>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-core.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c
index 71ee1267d2ef..381ab96c1e38 100644
--- a/drivers/hid/hid-core.c
+++ b/drivers/hid/hid-core.c
@@ -1824,6 +1824,9 @@ int hid_connect(struct hid_device *hdev, unsigned int connect_mask)
case BUS_I2C:
bus = "I2C";
break;
+ case BUS_VIRTUAL:
+ bus = "VIRTUAL";
+ break;
default:
bus = "<UNKNOWN>";
}
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 02/18] HID: hid-sensor-hub: Return error for hid_set_field() failure Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 03/18] HID: Add BUS_VIRTUAL to hid_connect logging Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 05/18] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
` (13 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Anirudh Rayabharam, syzbot+7c2bb71996f95a82524c,
Benjamin Tissoires, Jiri Kosina, Sasha Levin, linux-usb,
linux-input
From: Anirudh Rayabharam <mail@anirudhrb.com>
[ Upstream commit 6be388f4a35d2ce5ef7dbf635a8964a5da7f799f ]
In hid_submit_ctrl(), the way of calculating the report length doesn't
take into account that report->size can be zero. When running the
syzkaller reproducer, a report of size 0 causes hid_submit_ctrl) to
calculate transfer_buffer_length as 16384. When this urb is passed to
the usb core layer, KMSAN reports an info leak of 16384 bytes.
To fix this, first modify hid_report_len() to account for the zero
report size case by using DIV_ROUND_UP for the division. Then, call it
from hid_submit_ctrl().
Reported-by: syzbot+7c2bb71996f95a82524c@syzkaller.appspotmail.com
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Acked-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/usbhid/hid-core.c | 2 +-
include/linux/hid.h | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/hid/usbhid/hid-core.c b/drivers/hid/usbhid/hid-core.c
index 98916fb4191a..46b8f4c353de 100644
--- a/drivers/hid/usbhid/hid-core.c
+++ b/drivers/hid/usbhid/hid-core.c
@@ -373,7 +373,7 @@ static int hid_submit_ctrl(struct hid_device *hid)
raw_report = usbhid->ctrl[usbhid->ctrltail].raw_report;
dir = usbhid->ctrl[usbhid->ctrltail].dir;
- len = ((report->size - 1) >> 3) + 1 + (report->id > 0);
+ len = hid_report_len(report);
if (dir == USB_DIR_OUT) {
usbhid->urbctrl->pipe = usb_sndctrlpipe(hid_to_usb_dev(hid), 0);
usbhid->urbctrl->transfer_buffer_length = len;
diff --git a/include/linux/hid.h b/include/linux/hid.h
index d07fe33a9045..5a2c55ed33fa 100644
--- a/include/linux/hid.h
+++ b/include/linux/hid.h
@@ -1114,8 +1114,7 @@ static inline void hid_hw_wait(struct hid_device *hdev)
*/
static inline u32 hid_report_len(struct hid_report *report)
{
- /* equivalent to DIV_ROUND_UP(report->size, 8) + !!(report->id > 0) */
- return ((report->size - 1) >> 3) + 1 + (report->id > 0);
+ return DIV_ROUND_UP(report->size, 8) + (report->id > 0);
}
int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, u32 size,
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 05/18] ARM: OMAP2+: Fix build warning when mmc_omap is not built
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (2 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 04/18] HID: usbhid: fix info leak in hid_submit_ctrl Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 06/18] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
` (12 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Yongqiang Liu, Tony Lindgren, Sasha Levin, linux-omap, linux-arm-kernel
From: Yongqiang Liu <liuyongqiang13@huawei.com>
[ Upstream commit 040ab72ee10ea88e1883ad143b3e2b77596abc31 ]
GCC reports the following warning with W=1:
arch/arm/mach-omap2/board-n8x0.c:325:19: warning:
variable 'index' set but not used [-Wunused-but-set-variable]
325 | int bit, *openp, index;
| ^~~~~
Fix this by moving CONFIG_MMC_OMAP to cover the rest codes
in the n8x0_mmc_callback().
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/mach-omap2/board-n8x0.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/mach-omap2/board-n8x0.c b/arch/arm/mach-omap2/board-n8x0.c
index 20f25539d572..47abea1475d4 100644
--- a/arch/arm/mach-omap2/board-n8x0.c
+++ b/arch/arm/mach-omap2/board-n8x0.c
@@ -325,6 +325,7 @@ static int n8x0_mmc_get_cover_state(struct device *dev, int slot)
static void n8x0_mmc_callback(void *data, u8 card_mask)
{
+#ifdef CONFIG_MMC_OMAP
int bit, *openp, index;
if (board_is_n800()) {
@@ -342,7 +343,6 @@ static void n8x0_mmc_callback(void *data, u8 card_mask)
else
*openp = 0;
-#ifdef CONFIG_MMC_OMAP
omap_mmc_notify_cover_event(mmc_device, index, *openp);
#else
pr_warn("MMC: notify cover event not available\n");
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 06/18] HID: gt683r: add missing MODULE_DEVICE_TABLE
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (3 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 05/18] ARM: OMAP2+: Fix build warning when mmc_omap is not built Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 07/18] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
` (11 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Bixuan Cui, Hulk Robot, Jiri Kosina, Sasha Levin, linux-input
From: Bixuan Cui <cuibixuan@huawei.com>
[ Upstream commit a4b494099ad657f1cb85436d333cf38870ee95bc ]
This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-gt683r.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hid/hid-gt683r.c b/drivers/hid/hid-gt683r.c
index a298fbd8db6b..8ca4c1baeda8 100644
--- a/drivers/hid/hid-gt683r.c
+++ b/drivers/hid/hid-gt683r.c
@@ -64,6 +64,7 @@ static const struct hid_device_id gt683r_led_id[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GT683R_LED_PANEL) },
{ }
};
+MODULE_DEVICE_TABLE(hid, gt683r_led_id);
static void gt683r_brightness_set(struct led_classdev *led_cdev,
enum led_brightness brightness)
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 07/18] gfs2: Fix use-after-free in gfs2_glock_shrink_scan
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (4 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 06/18] HID: gt683r: add missing MODULE_DEVICE_TABLE Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object Sasha Levin
` (10 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hillf Danton, syzbot, Andreas Gruenbacher, Sasha Levin, cluster-devel
From: Hillf Danton <hdanton@sina.com>
[ Upstream commit 1ab19c5de4c537ec0d9b21020395a5b5a6c059b2 ]
The GLF_LRU flag is checked under lru_lock in gfs2_glock_remove_from_lru() to
remove the glock from the lru list in __gfs2_glock_put().
On the shrink scan path, the same flag is cleared under lru_lock but because
of cond_resched_lock(&lru_lock) in gfs2_dispose_glock_lru(), progress on the
put side can be made without deleting the glock from the lru list.
Keep GLF_LRU across the race window opened by cond_resched_lock(&lru_lock) to
ensure correct behavior on both sides - clear GLF_LRU after list_del under
lru_lock.
Reported-by: syzbot <syzbot+34ba7ddbf3021981a228@syzkaller.appspotmail.com>
Signed-off-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/gfs2/glock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 0a0dd3178483..be969f24ccf0 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -1456,6 +1456,7 @@ __acquires(&lru_lock)
while(!list_empty(list)) {
gl = list_entry(list->next, struct gfs2_glock, gl_lru);
list_del_init(&gl->gl_lru);
+ clear_bit(GLF_LRU, &gl->gl_flags);
if (!spin_trylock(&gl->gl_lockref.lock)) {
add_back_to_lru:
list_add(&gl->gl_lru, &lru_list);
@@ -1501,7 +1502,6 @@ static long gfs2_scan_glock_lru(int nr)
if (!test_bit(GLF_LOCK, &gl->gl_flags)) {
list_move(&gl->gl_lru, &dispose);
atomic_dec(&lru_count);
- clear_bit(GLF_LRU, &gl->gl_flags);
freed++;
continue;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (5 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 07/18] gfs2: Fix use-after-free in gfs2_glock_shrink_scan Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels Sasha Levin
` (9 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Lin Ma, Marcel Holtmann, Sasha Levin, linux-bluetooth, netdev
From: Lin Ma <linma@zju.edu.cn>
[ Upstream commit e305509e678b3a4af2b3cfd410f409f7cdaabb52 ]
The hci_sock_dev_event() function will cleanup the hdev object for
sockets even if this object may still be in used within the
hci_sock_bound_ioctl() function, result in UAF vulnerability.
This patch replace the BH context lock to serialize these affairs
and prevent the race condition.
Signed-off-by: Lin Ma <linma@zju.edu.cn>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 93093d7c3824..120064e9cb2b 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
/* Detach sockets from device */
read_lock(&hci_sk_list.lock);
sk_for_each(sk, &hci_sk_list.head) {
- bh_lock_sock_nested(sk);
+ lock_sock(sk);
if (hci_pi(sk)->hdev == hdev) {
hci_pi(sk)->hdev = NULL;
sk->sk_err = EPIPE;
@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
hci_dev_put(hdev);
}
- bh_unlock_sock(sk);
+ release_sock(sk);
}
read_unlock(&hci_sk_list.lock);
}
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (6 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 08/18] Bluetooth: use correct lock to prevent UAF of hdev object Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
` (8 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Maurizio Lombardi, Bart Van Assche, Martin K . Petersen,
Sasha Levin, linux-scsi, target-devel
From: Maurizio Lombardi <mlombard@redhat.com>
[ Upstream commit 515da6f4295c2c42b8c54572cce3d2dd1167c41e ]
On realtime kernels, spin_lock_irq*(spinlock_t) do not disable the
interrupts, a call to irqs_disabled() will return false thus firing a
warning in __transport_wait_for_tasks().
Remove the warning and also replace assert_spin_locked() with
lockdep_assert_held()
Link: https://lore.kernel.org/r/20210531121326.3649-1-mlombard@redhat.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/target/target_core_transport.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/drivers/target/target_core_transport.c b/drivers/target/target_core_transport.c
index 0d0be7d8b9d6..852680e85921 100644
--- a/drivers/target/target_core_transport.c
+++ b/drivers/target/target_core_transport.c
@@ -2966,9 +2966,7 @@ __transport_wait_for_tasks(struct se_cmd *cmd, bool fabric_stop,
__releases(&cmd->t_state_lock)
__acquires(&cmd->t_state_lock)
{
-
- assert_spin_locked(&cmd->t_state_lock);
- WARN_ON_ONCE(!irqs_disabled());
+ lockdep_assert_held(&cmd->t_state_lock);
if (fabric_stop)
cmd->transport_state |= CMD_T_FABRIC_STOP;
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe()
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (7 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 09/18] scsi: target: core: Fix warning on realtime kernels Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 11/18] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
` (7 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev
From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
[ Upstream commit f336d0b93ae978f12c5e27199f828da89b91e56a ]
The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'status'.
Eliminate the follow smatch warning:
drivers/net/ethernet/myricom/myri10ge/myri10ge.c:3818 myri10ge_probe()
warn: missing error code 'status'.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
index a0a555052d8c..1ac2bc75edb1 100644
--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
+++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c
@@ -3853,6 +3853,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
dev_err(&pdev->dev,
"invalid sram_size %dB or board span %ldB\n",
mgp->sram_size, mgp->board_span);
+ status = -EINVAL;
goto abort_with_ioremap;
}
memcpy_fromio(mgp->eeprom_strings,
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 11/18] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues()
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (8 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 10/18] ethernet: myri10ge: Fix missing error code in myri10ge_probe() Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
` (6 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
Sasha Levin, linux-nvme
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit a6c144f3d2e230f2b3ac5ed8c51e0f0391556197 ]
The queue count is increased in nvme_loop_init_io_queues(), so we
need to reset it to 1 at the end of nvme_loop_destroy_io_queues().
Otherwise the function is not re-entrant safe, and crash will happen
during concurrent reset and remove calls.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/loop.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 3388d2788fe0..5f33c3a9469b 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -322,6 +322,7 @@ static void nvme_loop_destroy_io_queues(struct nvme_loop_ctrl *ctrl)
clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[i].flags);
nvmet_sq_destroy(&ctrl->queues[i].nvme_sq);
}
+ ctrl->ctrl.queue_count = 1;
}
static int nvme_loop_init_io_queues(struct nvme_loop_ctrl *ctrl)
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (9 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 11/18] nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
` (5 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
Sasha Levin, linux-nvme
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 1c5f8e882a05de5c011e8c3fbeceb0d1c590eb53 ]
When the call to nvme_enable_ctrl() in nvme_loop_configure_admin_queue()
fails the NVME_LOOP_Q_LIVE flag is not cleared.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/loop.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 5f33c3a9469b..963d8de932d1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -430,6 +430,7 @@ static int nvme_loop_configure_admin_queue(struct nvme_loop_ctrl *ctrl)
return 0;
out_cleanup_queue:
+ clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
blk_cleanup_queue(ctrl->ctrl.admin_q);
out_free_tagset:
blk_mq_free_tag_set(&ctrl->admin_tag_set);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue()
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (10 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 12/18] nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
` (4 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Hannes Reinecke, Chaitanya Kulkarni, Christoph Hellwig,
Sasha Levin, linux-nvme
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit 4237de2f73a669e4f89ac0aa2b44fb1a1d9ec583 ]
We need to check the NVME_LOOP_Q_LIVE flag in
nvme_loop_destroy_admin_queue() to protect against duplicate
invocations eg during concurrent reset and remove calls.
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Chaitanya Kulkarni <chaitanya.kulkarni@wdc.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nvme/target/loop.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/nvme/target/loop.c b/drivers/nvme/target/loop.c
index 963d8de932d1..7a0a10777cd1 100644
--- a/drivers/nvme/target/loop.c
+++ b/drivers/nvme/target/loop.c
@@ -287,7 +287,8 @@ static const struct blk_mq_ops nvme_loop_admin_mq_ops = {
static void nvme_loop_destroy_admin_queue(struct nvme_loop_ctrl *ctrl)
{
- clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags);
+ if (!test_and_clear_bit(NVME_LOOP_Q_LIVE, &ctrl->queues[0].flags))
+ return;
nvmet_sq_destroy(&ctrl->queues[0].nvme_sq);
blk_cleanup_queue(ctrl->ctrl.admin_q);
blk_mq_free_tag_set(&ctrl->admin_tag_set);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (11 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 13/18] nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
` (3 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Josh Triplett, David S . Miller, Sasha Levin, netdev
From: Josh Triplett <josh@joshtriplett.org>
[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ]
If the user specifies a hostname or domain name as part of the ip=
command-line option, preserve it and don't overwrite it with one
supplied by DHCP/BOOTP.
For instance, ip=::::myhostname::dhcp will use "myhostname" rather than
ignoring and overwriting it.
Fix the comment on ic_bootp_string that suggests it only copies a string
"if not already set"; it doesn't have any such logic.
Signed-off-by: Josh Triplett <josh@joshtriplett.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ipconfig.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/net/ipv4/ipconfig.c b/net/ipv4/ipconfig.c
index f0782c91514c..41e384834d50 100644
--- a/net/ipv4/ipconfig.c
+++ b/net/ipv4/ipconfig.c
@@ -881,7 +881,7 @@ static void __init ic_bootp_send_if(struct ic_device *d, unsigned long jiffies_d
/*
- * Copy BOOTP-supplied string if not already set.
+ * Copy BOOTP-supplied string
*/
static int __init ic_bootp_string(char *dest, char *src, int len, int max)
{
@@ -930,12 +930,15 @@ static void __init ic_do_bootp_ext(u8 *ext)
}
break;
case 12: /* Host name */
- ic_bootp_string(utsname()->nodename, ext+1, *ext,
- __NEW_UTS_LEN);
- ic_host_name_set = 1;
+ if (!ic_host_name_set) {
+ ic_bootp_string(utsname()->nodename, ext+1, *ext,
+ __NEW_UTS_LEN);
+ ic_host_name_set = 1;
+ }
break;
case 15: /* Domain name (DNS) */
- ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
+ if (!ic_domain[0])
+ ic_bootp_string(ic_domain, ext+1, *ext, sizeof(ic_domain));
break;
case 17: /* Root path */
if (!root_server_path[0])
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify()
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (12 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 14/18] net: ipconfig: Don't override command-line hostnames or domains Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code Sasha Levin
` (2 subsequent siblings)
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Jiapeng Chong, Abaci Robot, David S . Miller, Sasha Levin, netdev
From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
[ Upstream commit a8db57c1d285c758adc7fb43d6e2bad2554106e1 ]
The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'err'.
Eliminate the follow smatch warning:
net/core/rtnetlink.c:4834 rtnl_bridge_notify() warn: missing error code
'err'.
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/rtnetlink.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/core/rtnetlink.c b/net/core/rtnetlink.c
index 0168c700a201..fa3ed51f846b 100644
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -3648,8 +3648,10 @@ static int rtnl_bridge_notify(struct net_device *dev)
if (err < 0)
goto errout;
- if (!skb->len)
+ if (!skb->len) {
+ err = -EINVAL;
goto errout;
+ }
rtnl_notify(skb, net, 0, RTNLGRP_LINK, NULL, GFP_ATOMIC);
return 0;
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (13 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 15/18] rtnetlink: Fix missing error code in rtnl_bridge_notify() Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 17/18] net: " Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 18/18] fib: " Sasha Levin
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable
Cc: Zheng Yongjun, David S . Miller, Sasha Levin, linux-x25, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit d7736958668c4facc15f421e622ffd718f5be80a ]
When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/x25/af_x25.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c
index 987e5f8cafbe..fd0a6c6c77b6 100644
--- a/net/x25/af_x25.c
+++ b/net/x25/af_x25.c
@@ -550,7 +550,7 @@ static int x25_create(struct net *net, struct socket *sock, int protocol,
if (protocol)
goto out;
- rc = -ENOBUFS;
+ rc = -ENOMEM;
if ((sk = x25_alloc_socket(net, kern)) == NULL)
goto out;
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 17/18] net: Return the correct errno code
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (14 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 16/18] net/x25: Return the correct errno code Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 18/18] fib: " Sasha Levin
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit 49251cd00228a3c983651f6bb2f33f6a0b8f152e ]
When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/compat.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/compat.c b/net/compat.c
index 45349658ed01..2ec822f4e409 100644
--- a/net/compat.c
+++ b/net/compat.c
@@ -158,7 +158,7 @@ int cmsghdr_from_user_compat_to_kern(struct msghdr *kmsg, struct sock *sk,
if (kcmlen > stackbuf_size)
kcmsg_base = kcmsg = sock_kmalloc(sk, kcmlen, GFP_KERNEL);
if (kcmsg == NULL)
- return -ENOBUFS;
+ return -ENOMEM;
/* Now copy them over neatly. */
memset(kcmsg, 0, kcmlen);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread
* [PATCH AUTOSEL 4.14 18/18] fib: Return the correct errno code
2021-06-07 16:14 [PATCH AUTOSEL 4.14 01/18] net: ieee802154: fix null deref in parse dev addr Sasha Levin
` (15 preceding siblings ...)
2021-06-07 16:15 ` [PATCH AUTOSEL 4.14 17/18] net: " Sasha Levin
@ 2021-06-07 16:15 ` Sasha Levin
16 siblings, 0 replies; 18+ messages in thread
From: Sasha Levin @ 2021-06-07 16:15 UTC (permalink / raw)
To: linux-kernel, stable; +Cc: Zheng Yongjun, David S . Miller, Sasha Levin, netdev
From: Zheng Yongjun <zhengyongjun3@huawei.com>
[ Upstream commit 59607863c54e9eb3f69afc5257dfe71c38bb751e ]
When kalloc or kmemdup failed, should return ENOMEM rather than ENOBUF.
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/fib_rules.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c
index 9bb321df0869..76c3f602ee15 100644
--- a/net/core/fib_rules.c
+++ b/net/core/fib_rules.c
@@ -928,7 +928,7 @@ static void notify_rule_change(int event, struct fib_rule *rule,
{
struct net *net;
struct sk_buff *skb;
- int err = -ENOBUFS;
+ int err = -ENOMEM;
net = ops->fro_net;
skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
--
2.30.2
^ permalink raw reply related [flat|nested] 18+ messages in thread