--- /dev/null
+From f997ea3b7afc108eb9761f321b57de2d089c7c48 Mon Sep 17 00:00:00 2001
+From: Xie Yongji <xieyongji@bytedance.com>
+Date: Mon, 17 May 2021 16:35:57 +0800
+Subject: 9p/trans_virtio: Remove sysfs file on probe failure
+
+From: Xie Yongji <xieyongji@bytedance.com>
+
+commit f997ea3b7afc108eb9761f321b57de2d089c7c48 upstream.
+
+This ensures we don't leak the sysfs file if we failed to
+allocate chan->vc_wq during probe.
+
+Link: http://lkml.kernel.org/r/20210517083557.172-1-xieyongji@bytedance.com
+Fixes: 86c8437383ac ("net/9p: Add sysfs mount_tag file for virtio 9P device")
+Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
+Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/9p/trans_virtio.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_virtio.c
++++ b/net/9p/trans_virtio.c
+@@ -605,7 +605,7 @@ static int p9_virtio_probe(struct virtio
+ chan->vc_wq = kmalloc(sizeof(wait_queue_head_t), GFP_KERNEL);
+ if (!chan->vc_wq) {
+ err = -ENOMEM;
+- goto out_free_tag;
++ goto out_remove_file;
+ }
+ init_waitqueue_head(chan->vc_wq);
+ chan->ring_bufs_avail = 1;
+@@ -623,6 +623,8 @@ static int p9_virtio_probe(struct virtio
+
+ return 0;
+
++out_remove_file:
++ sysfs_remove_file(&vdev->dev.kobj, &dev_attr_mount_tag.attr);
+ out_free_tag:
+ kfree(tag);
+ out_free_vq:
--- /dev/null
+From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+Date: Tue, 7 Sep 2021 20:00:41 -0700
+Subject: prctl: allow to setup brk for et_dyn executables
+
+From: Cyrill Gorcunov <gorcunov@gmail.com>
+
+commit e1fbbd073137a9d63279f6bf363151a938347640 upstream.
+
+Keno Fischer reported that when a binray loaded via ld-linux-x the
+prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays
+before mm:end_data.
+
+For example a test program shows
+
+ | # ~/t
+ |
+ | start_code 401000
+ | end_code 401a15
+ | start_stack 7ffce4577dd0
+ | start_data 403e10
+ | end_data 40408c
+ | start_brk b5b000
+ | sbrk(0) b5b000
+
+and when executed via ld-linux
+
+ | # /lib64/ld-linux-x86-64.so.2 ~/t
+ |
+ | start_code 7fc25b0a4000
+ | end_code 7fc25b0c4524
+ | start_stack 7fffcc6b2400
+ | start_data 7fc25b0ce4c0
+ | end_data 7fc25b0cff98
+ | start_brk 55555710c000
+ | sbrk(0) 55555710c000
+
+This of course prevent criu from restoring such programs. Looking into
+how kernel operates with brk/start_brk inside brk() syscall I don't see
+any problem if we allow to setup brk/start_brk without checking for
+end_data. Even if someone pass some weird address here on a purpose then
+the worst possible result will be an unexpected unmapping of existing vma
+(own vma, since prctl works with the callers memory) but test for
+RLIMIT_DATA is still valid and a user won't be able to gain more memory in
+case of expanding VMAs via new values shipped with prctl call.
+
+Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain
+Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec")
+Signed-off-by: Cyrill Gorcunov <gorcunov@gmail.com>
+Reported-by: Keno Fischer <keno@juliacomputing.com>
+Acked-by: Andrey Vagin <avagin@gmail.com>
+Tested-by: Andrey Vagin <avagin@gmail.com>
+Cc: Dmitry Safonov <0x7f454c46@gmail.com>
+Cc: Kirill Tkhai <ktkhai@virtuozzo.com>
+Cc: Eric W. Biederman <ebiederm@xmission.com>
+Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
+Cc: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/sys.c | 7 -------
+ 1 file changed, 7 deletions(-)
+
+--- a/kernel/sys.c
++++ b/kernel/sys.c
+@@ -1775,13 +1775,6 @@ static int validate_prctl_map(struct prc
+ error = -EINVAL;
+
+ /*
+- * @brk should be after @end_data in traditional maps.
+- */
+- if (prctl_map->start_brk <= prctl_map->end_data ||
+- prctl_map->brk <= prctl_map->end_data)
+- goto out;
+-
+- /*
+ * Neither we should allow to override limits if they set.
+ */
+ if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk,
--- /dev/null
+From 2d186afd04d669fe9c48b994c41a7405a3c9f16d Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 7 Sep 2021 19:58:21 -0700
+Subject: profiling: fix shift-out-of-bounds bugs
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 2d186afd04d669fe9c48b994c41a7405a3c9f16d upstream.
+
+Syzbot reported shift-out-of-bounds bug in profile_init().
+The problem was in incorrect prof_shift. Since prof_shift value comes from
+userspace we need to clamp this value into [0, BITS_PER_LONG -1]
+boundaries.
+
+Second possible shiht-out-of-bounds was found by Tetsuo:
+sample_step local variable in read_profile() had "unsigned int" type,
+but prof_shift allows to make a BITS_PER_LONG shift. So, to prevent
+possible shiht-out-of-bounds sample_step type was changed to
+"unsigned long".
+
+Also, "unsigned short int" will be sufficient for storing
+[0, BITS_PER_LONG] value, that's why there is no need for
+"unsigned long" prof_shift.
+
+Link: https://lkml.kernel.org/r/20210813140022.5011-1-paskripkin@gmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-and-tested-by: syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com
+Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/profile.c | 21 +++++++++++----------
+ 1 file changed, 11 insertions(+), 10 deletions(-)
+
+--- a/kernel/profile.c
++++ b/kernel/profile.c
+@@ -38,7 +38,8 @@ struct profile_hit {
+ #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ)
+
+ static atomic_t *prof_buffer;
+-static unsigned long prof_len, prof_shift;
++static unsigned long prof_len;
++static unsigned short int prof_shift;
+
+ int prof_on __read_mostly;
+ EXPORT_SYMBOL_GPL(prof_on);
+@@ -63,8 +64,8 @@ int profile_setup(char *str)
+ if (str[strlen(sleepstr)] == ',')
+ str += strlen(sleepstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel sleep profiling enabled (shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel sleep profiling enabled (shift: %u)\n",
+ prof_shift);
+ #else
+ pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n");
+@@ -74,21 +75,21 @@ int profile_setup(char *str)
+ if (str[strlen(schedstr)] == ',')
+ str += strlen(schedstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel schedule profiling enabled (shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel schedule profiling enabled (shift: %u)\n",
+ prof_shift);
+ } else if (!strncmp(str, kvmstr, strlen(kvmstr))) {
+ prof_on = KVM_PROFILING;
+ if (str[strlen(kvmstr)] == ',')
+ str += strlen(kvmstr) + 1;
+ if (get_option(&str, &par))
+- prof_shift = par;
+- pr_info("kernel KVM profiling enabled (shift: %ld)\n",
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
++ pr_info("kernel KVM profiling enabled (shift: %u)\n",
+ prof_shift);
+ } else if (get_option(&str, &par)) {
+- prof_shift = par;
++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1);
+ prof_on = CPU_PROFILING;
+- pr_info("kernel profiling enabled (shift: %ld)\n",
++ pr_info("kernel profiling enabled (shift: %u)\n",
+ prof_shift);
+ }
+ return 1;
+@@ -475,7 +476,7 @@ read_profile(struct file *file, char __u
+ unsigned long p = *ppos;
+ ssize_t read;
+ char *pnt;
+- unsigned int sample_step = 1 << prof_shift;
++ unsigned long sample_step = 1UL << prof_shift;
+
+ profile_flip_buffers();
+ if (p >= (prof_len+1)*sizeof(unsigned int))
--- /dev/null
+From 020162d6f49f2963062229814a56a89c86cbeaa8 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= <u.kleine-koenig@pengutronix.de>
+Date: Wed, 7 Jul 2021 18:27:50 +0200
+Subject: pwm: mxs: Don't modify HW state in .probe() after the PWM chip was registered
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+commit 020162d6f49f2963062229814a56a89c86cbeaa8 upstream.
+
+This fixes a race condition: After pwmchip_add() is called there might
+already be a consumer and then modifying the hardware behind the
+consumer's back is bad. So reset before calling pwmchip_add().
+
+Note that reseting the hardware isn't the right thing to do if the PWM
+is already running as it might e.g. disable (or even enable) a backlight
+that is supposed to be on (or off).
+
+Fixes: 4dce82c1e840 ("pwm: add pwm-mxs support")
+Cc: Sascha Hauer <s.hauer@pengutronix.de>
+Cc: Shawn Guo <shawnguo@kernel.org>
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pwm/pwm-mxs.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/pwm/pwm-mxs.c
++++ b/drivers/pwm/pwm-mxs.c
+@@ -158,6 +158,11 @@ static int mxs_pwm_probe(struct platform
+ return ret;
+ }
+
++ /* FIXME: Only do this if the PWM isn't already running */
++ ret = stmp_reset_block(mxs->base);
++ if (ret)
++ return dev_err_probe(&pdev->dev, ret, "failed to reset PWM\n");
++
+ ret = pwmchip_add(&mxs->chip);
+ if (ret < 0) {
+ dev_err(&pdev->dev, "failed to add pwm chip %d\n", ret);
+@@ -166,15 +171,7 @@ static int mxs_pwm_probe(struct platform
+
+ platform_set_drvdata(pdev, mxs);
+
+- ret = stmp_reset_block(mxs->base);
+- if (ret)
+- goto pwm_remove;
+-
+ return 0;
+-
+-pwm_remove:
+- pwmchip_remove(&mxs->chip);
+- return ret;
+ }
+
+ static int mxs_pwm_remove(struct platform_device *pdev)
pm-wakeirq-fix-unbalanced-irq-enable-for-wakeirq.patch
sctp-validate-chunk-size-in-__rcv_asconf_lookup.patch
sctp-add-param-size-validation-for-sctp_param_set_primary.patch
+thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch
+9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch
+prctl-allow-to-setup-brk-for-et_dyn-executables.patch
+profiling-fix-shift-out-of-bounds-bugs.patch
+pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch
--- /dev/null
+From 02d438f62c05f0d055ceeedf12a2f8796b258c08 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Tue, 10 Aug 2021 11:44:13 +0300
+Subject: thermal/drivers/exynos: Fix an error code in exynos_tmu_probe()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 02d438f62c05f0d055ceeedf12a2f8796b258c08 upstream.
+
+This error path return success but it should propagate the negative
+error code from devm_clk_get().
+
+Fixes: 6c247393cfdd ("thermal: exynos: Add TMU support for Exynos7 SoC")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Link: https://lore.kernel.org/r/20210810084413.GA23810@kili
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/thermal/samsung/exynos_tmu.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/thermal/samsung/exynos_tmu.c
++++ b/drivers/thermal/samsung/exynos_tmu.c
+@@ -1347,6 +1347,7 @@ static int exynos_tmu_probe(struct platf
+ data->sclk = devm_clk_get(&pdev->dev, "tmu_sclk");
+ if (IS_ERR(data->sclk)) {
+ dev_err(&pdev->dev, "Failed to get sclk\n");
++ ret = PTR_ERR(data->sclk);
+ goto err_clk;
+ } else {
+ ret = clk_prepare_enable(data->sclk);
projects / thirdparty / kernel / stable-queue.git / commitdiff
