--- /dev/null
+From c87761db2100677a69be551365105125d872af5b Mon Sep 17 00:00:00 2001
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+Date: Wed, 13 Oct 2021 19:13:45 +0300
+Subject: component: do not leave master devres group open after bind
+
+From: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+
+commit c87761db2100677a69be551365105125d872af5b upstream.
+
+In current code, the devres group for aggregate master is left open
+after call to component_master_add_*(). This leads to problems when the
+master does further managed allocations on its own. When any
+participating driver calls component_del(), this leads to immediate
+release of resources.
+
+This came up when investigating a page fault occurring with i915 DRM
+driver unbind with 5.15-rc1 kernel. The following sequence occurs:
+
+ i915_pci_remove()
+ -> intel_display_driver_unregister()
+ -> i915_audio_component_cleanup()
+ -> component_del()
+ -> component.c:take_down_master()
+ -> hdac_component_master_unbind() [via master->ops->unbind()]
+ -> devres_release_group(master->parent, NULL)
+
+With older kernels this has not caused issues, but with audio driver
+moving to use managed interfaces for more of its allocations, this no
+longer works. Devres log shows following to occur:
+
+component_master_add_with_match()
+[ 126.886032] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000323ccdc5 devm_component_match_release (24 bytes)
+[ 126.886045] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000865cdb29 grp< (0 bytes)
+[ 126.886049] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 grp< (0 bytes)
+
+audio driver completes its PCI probe()
+[ 126.892238] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 pcim_iomap_release (48 bytes)
+
+component_del() called() at DRM/i915 unbind()
+[ 137.579422] i915 0000:00:02.0: DEVRES REL 00000000ef44c293 grp< (0 bytes)
+[ 137.579445] snd_hda_intel 0000:00:1f.3: DEVRES REL 00000000865cdb29 grp< (0 bytes)
+[ 137.579458] snd_hda_intel 0000:00:1f.3: DEVRES REL 000000001b480725 pcim_iomap_release (48 bytes)
+
+So the "devres_release_group(master->parent, NULL)" ends up freeing the
+pcim_iomap allocation. Upon next runtime resume, the audio driver will
+cause a page fault as the iomap alloc was released without the driver
+knowing about it.
+
+Fix this issue by using the "struct master" pointer as identifier for
+the devres group, and by closing the devres group after
+the master->ops->bind() call is done. This allows devres allocations
+done by the driver acting as master to be isolated from the binding state
+of the aggregate driver. This modifies the logic originally introduced in
+commit 9e1ccb4a7700 ("drivers/base: fix devres handling for master device")
+
+Fixes: 9e1ccb4a7700 ("drivers/base: fix devres handling for master device")
+Cc: stable@vger.kernel.org
+Acked-by: Imre Deak <imre.deak@intel.com>
+Acked-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
+Signed-off-by: Kai Vehmanen <kai.vehmanen@linux.intel.com>
+BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/4136
+Link: https://lore.kernel.org/r/20211013161345.3755341-1-kai.vehmanen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/component.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/component.c
++++ b/drivers/base/component.c
+@@ -246,7 +246,7 @@ static int try_to_bring_up_master(struct
+ return 0;
+ }
+
+- if (!devres_open_group(master->parent, NULL, GFP_KERNEL))
++ if (!devres_open_group(master->parent, master, GFP_KERNEL))
+ return -ENOMEM;
+
+ /* Found all components */
+@@ -258,6 +258,7 @@ static int try_to_bring_up_master(struct
+ return ret;
+ }
+
++ devres_close_group(master->parent, NULL);
+ master->bound = true;
+ return 1;
+ }
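Review bot: The added `devres_close_group(master->parent, NULL)` closes whichever group was opened most recently on the parent, while the open and release calls in the neighbouring hunks now identify the group by `master`. If a bind callback ever returned with a devres group of its own still open on the same device, the NULL form would close that one and leave the master group open, which is the condition this commit sets out to fix. Passing the same id, `devres_close_group(master->parent, master);`, keeps all three calls tied to one group. try_to_bring_up_master() starts and ends outside this hunk, so the bind path between open and close is not visible here.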
+@@ -282,7 +283,7 @@ static void take_down_master(struct mast
+ {
+ if (master->bound) {
+ master->ops->unbind(master->parent);
+- devres_release_group(master->parent, NULL);
++ devres_release_group(master->parent, master);
+ master->bound = false;
+ }
+ }
--- /dev/null
+From 692c9a499b286ea478f41b23a91fe3873b9e1326 Mon Sep 17 00:00:00 2001
+From: Tao Zhang <quic_taozha@quicinc.com>
+Date: Thu, 19 Aug 2021 17:29:37 +0800
+Subject: coresight: cti: Correct the parameter for pm_runtime_put
+
+From: Tao Zhang <quic_taozha@quicinc.com>
+
+commit 692c9a499b286ea478f41b23a91fe3873b9e1326 upstream.
+
+The input parameter of the function pm_runtime_put should be the
+same in the function cti_enable_hw and cti_disable_hw. The correct
+parameter to use here should be dev->parent.
+
+Signed-off-by: Tao Zhang <quic_taozha@quicinc.com>
+Reviewed-by: Leo Yan <leo.yan@linaro.org>
+Fixes: 835d722ba10a ("coresight: cti: Initial CoreSight CTI Driver")
+Cc: stable <stable@vger.kernel.org>
+Link: https://lore.kernel.org/r/1629365377-5937-1-git-send-email-quic_taozha@quicinc.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-cti-core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-cti-core.c
++++ b/drivers/hwtracing/coresight/coresight-cti-core.c
+@@ -175,7 +175,7 @@ static int cti_disable_hw(struct cti_drv
+ coresight_disclaim_device_unlocked(csdev);
+ CS_LOCK(drvdata->base);
+ spin_unlock(&drvdata->spinlock);
+- pm_runtime_put(dev);
++ pm_runtime_put(dev->parent);
+ return 0;
+
+ /* not disabled this call */
--- /dev/null
+From a08025b3fe56185290a1ea476581f03ca733f967 Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Thu, 14 Oct 2021 15:22:38 +0100
+Subject: coresight: trbe: Defer the probe on offline CPUs
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit a08025b3fe56185290a1ea476581f03ca733f967 upstream.
+
+If a CPU is offline during the driver init, we could end up causing
+a kernel crash trying to register the coresight device for the TRBE
+instance. The trbe_cpudata for the TRBE instance is initialized only
+when it is probed. Otherwise, we could end up dereferencing a NULL
+cpudata->drvdata.
+
+e.g:
+
+[ 0.149999] coresight ete0: CPU0: ete v1.1 initialized
+[ 0.149999] coresight-etm4x ete_1: ETM arch init failed
+[ 0.149999] coresight-etm4x: probe of ete_1 failed with error -22
+[ 0.150085] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050
+[ 0.150085] Mem abort info:
+[ 0.150085] ESR = 0x96000005
+[ 0.150085] EC = 0x25: DABT (current EL), IL = 32 bits
+[ 0.150085] SET = 0, FnV = 0
+[ 0.150085] EA = 0, S1PTW = 0
+[ 0.150085] Data abort info:
+[ 0.150085] ISV = 0, ISS = 0x00000005
+[ 0.150085] CM = 0, WnR = 0
+[ 0.150085] [0000000000000050] user address but active_mm is swapper
+[ 0.150085] Internal error: Oops: 96000005 [#1] PREEMPT SMP
+[ 0.150085] Modules linked in:
+[ 0.150085] Hardware name: FVP Base RevC (DT)
+[ 0.150085] pstate: 00800009 (nzcv daif -PAN +UAO -TCO BTYPE=--)
+[ 0.150155] pc : arm_trbe_register_coresight_cpu+0x74/0x144
+[ 0.150155] lr : arm_trbe_register_coresight_cpu+0x48/0x144
+ ...
+
+[ 0.150237] Call trace:
+[ 0.150237] arm_trbe_register_coresight_cpu+0x74/0x144
+[ 0.150237] arm_trbe_device_probe+0x1c0/0x2d8
+[ 0.150259] platform_drv_probe+0x94/0xbc
+[ 0.150259] really_probe+0x1bc/0x4a8
+[ 0.150266] driver_probe_device+0x7c/0xb8
+[ 0.150266] device_driver_attach+0x6c/0xac
+[ 0.150266] __driver_attach+0xc4/0x148
+[ 0.150266] bus_for_each_dev+0x7c/0xc8
+[ 0.150266] driver_attach+0x24/0x30
+[ 0.150266] bus_add_driver+0x100/0x1e0
+[ 0.150266] driver_register+0x78/0x110
+[ 0.150266] __platform_driver_register+0x44/0x50
+[ 0.150266] arm_trbe_init+0x28/0x84
+[ 0.150266] do_one_initcall+0x94/0x2bc
+[ 0.150266] do_initcall_level+0xa4/0x158
+[ 0.150266] do_initcalls+0x54/0x94
+[ 0.150319] do_basic_setup+0x24/0x30
+[ 0.150319] kernel_init_freeable+0xe8/0x14c
+[ 0.150319] kernel_init+0x14/0x18c
+[ 0.150319] ret_from_fork+0x10/0x30
+[ 0.150319] Code: f94012c8 b0004ce2 9134a442 52819801 (f9402917)
+[ 0.150319] ---[ end trace d23e0cfe5098535e ]---
+[ 0.150346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b
+
+Fix this by skipping the step, if we are unable to probe the CPU.
+
+Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
+Reported-by: Bransilav Rankov <branislav.rankov@arm.com>
+Cc: Anshuman Khandual <anshuman.khandual@arm.com>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: stable <stable@vger.kernel.org>
+Tested-by: Branislav Rankov <branislav.rankov@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20211014142238.2221248-1-suzuki.poulose@arm.com
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-trbe.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-trbe.c
++++ b/drivers/hwtracing/coresight/coresight-trbe.c
+@@ -869,6 +869,10 @@ static void arm_trbe_register_coresight_
+ if (WARN_ON(trbe_csdev))
+ return;
+
++ /* If the TRBE was not probed on the CPU, we shouldn't be here */
++ if (WARN_ON(!cpudata->drvdata))
++ return;
++
+ dev = &cpudata->drvdata->pdev->dev;
+ desc.name = devm_kasprintf(dev, GFP_KERNEL, "trbe%d", cpu);
+ if (!desc.name)
+@@ -950,7 +954,9 @@ static int arm_trbe_probe_coresight(stru
+ return -ENOMEM;
+
+ for_each_cpu(cpu, &drvdata->supported_cpus) {
+- smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1);
++ /* If we fail to probe the CPU, let us defer it to hotplug callbacks */
++ if (smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1))
++ continue;
+ if (cpumask_test_cpu(cpu, &drvdata->supported_cpus))
+ arm_trbe_register_coresight_cpu(drvdata, cpu);
+ if (cpumask_test_cpu(cpu, &drvdata->supported_cpus))
--- /dev/null
+From bb5293e334af51b19b62d8bef1852ea13e935e9b Mon Sep 17 00:00:00 2001
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+Date: Tue, 21 Sep 2021 14:41:05 +0100
+Subject: coresight: trbe: Fix incorrect access of the sink specific data
+
+From: Suzuki K Poulose <suzuki.poulose@arm.com>
+
+commit bb5293e334af51b19b62d8bef1852ea13e935e9b upstream.
+
+The TRBE driver wrongly treats the aux private data as the TRBE driver
+specific buffer for a given perf handle, while it is the ETM PMU's
+event specific data. Fix this by correcting the instance to use
+appropriate helper.
+
+Cc: stable <stable@vger.kernel.org>
+Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver")
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Reviewed-by: Anshuman Khandual <anshuman.khandual@arm.com>
+Link: https://lore.kernel.org/r/20210921134121.2423546-2-suzuki.poulose@arm.com
+[Fixed 13 character SHA down to 12]
+Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/hwtracing/coresight/coresight-trbe.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwtracing/coresight/coresight-trbe.c
++++ b/drivers/hwtracing/coresight/coresight-trbe.c
+@@ -366,7 +366,7 @@ static unsigned long __trbe_normal_offse
+
+ static unsigned long trbe_normal_offset(struct perf_output_handle *handle)
+ {
+- struct trbe_buf *buf = perf_get_aux(handle);
++ struct trbe_buf *buf = etm_perf_sink_config(handle);
+ u64 limit = __trbe_normal_offset(handle);
+ u64 head = PERF_IDX2OFF(handle->head, buf);
+
--- /dev/null
+From 8fc4f038fa832ec3543907fdcbe1334e1b0a8950 Mon Sep 17 00:00:00 2001
+From: Mihail Chindris <mihail.chindris@analog.com>
+Date: Thu, 7 Oct 2021 08:00:36 +0000
+Subject: Documentation:devicetree:bindings:iio:dac: Fix val
+
+From: Mihail Chindris <mihail.chindris@analog.com>
+
+commit 8fc4f038fa832ec3543907fdcbe1334e1b0a8950 upstream.
+
+A correct value for output-range-microvolts is -5 to 5 Volts
+not -5 to 5 milivolts
+
+Fixes: e904cc899293f ("dt-bindings: iio: dac: AD5766 yaml documentation")
+Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
+Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Link: https://lore.kernel.org/r/20211007080035.2531-6-mihail.chindris@analog.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml
++++ b/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml
+@@ -54,7 +54,7 @@ examples:
+
+ ad5766@0 {
+ compatible = "adi,ad5766";
+- output-range-microvolts = <(-5000) 5000>;
++ output-range-microvolts = <(-5000000) 5000000>;
+ reg = <0>;
+ spi-cpol;
+ spi-max-frequency = <1000000>;
--- /dev/null
+From d9de0fbdeb0103a204055efb69cb5cc8f5f12a6a Mon Sep 17 00:00:00 2001
+From: Mihail Chindris <mihail.chindris@analog.com>
+Date: Thu, 7 Oct 2021 08:00:34 +0000
+Subject: drivers: iio: dac: ad5766: Fix dt property name
+
+From: Mihail Chindris <mihail.chindris@analog.com>
+
+commit d9de0fbdeb0103a204055efb69cb5cc8f5f12a6a upstream.
+
+In the documentation the name for the property is
+output-range-microvolts which is a standard name, therefore this name
+must be used.
+
+Fixes: fd9373e41b9ba ("iio: dac: ad5766: add driver support for AD5766")
+Signed-off-by: Mihail Chindris <mihail.chindris@analog.com>
+Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
+Link: https://lore.kernel.org/r/20211007080035.2531-5-mihail.chindris@analog.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5766.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/dac/ad5766.c
++++ b/drivers/iio/dac/ad5766.c
+@@ -503,13 +503,13 @@ static int ad5766_get_output_range(struc
+ int i, ret, min, max, tmp[2];
+
+ ret = device_property_read_u32_array(&st->spi->dev,
+- "output-range-voltage",
++ "output-range-microvolts",
+ tmp, 2);
+ if (ret)
+ return ret;
+
+- min = tmp[0] / 1000;
+- max = tmp[1] / 1000;
++ min = tmp[0] / 1000000;
++ max = tmp[1] / 1000000;
+ for (i = 0; i < ARRAY_SIZE(ad5766_span_tbl); i++) {
+ if (ad5766_span_tbl[i].min != min ||
+ ad5766_span_tbl[i].max != max)
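Review bot: `tmp` is declared as `int tmp[2]` but is filled by `device_property_read_u32_array()`, so the negative lower bound only comes out right because the unsigned cell is reinterpreted through a mismatched pointer type. Declaring `u32 tmp[2]` and converting explicitly, `min = (s32)tmp[0] / 1000000;` and `max = (s32)tmp[1] / 1000000;`, makes the signed reading of the device-tree cells deliberate. The integer division also truncates toward zero, so a range that is not a whole number of volts can still match a table entry; if that is not intended, reject values with a non-zero remainder before the lookup. The loop body continues past the end of this hunk.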
--- /dev/null
+From 26df977a909f818b7d346b3990735513e7e0bf93 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Nuno=20S=C3=A1?= <nuno.sa@analog.com>
+Date: Wed, 18 Aug 2021 10:05:25 +0200
+Subject: iio: ad5770r: make devicetree property reading consistent
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Nuno Sá <nuno.sa@analog.com>
+
+commit 26df977a909f818b7d346b3990735513e7e0bf93 upstream.
+
+The bindings file for this driver is defining the property as 'reg' but
+the driver was reading it with the 'num' name. The bindings actually had
+the 'num' property when added in
+commit ea52c21268e6 ("dt-bindings: iio: dac: Add docs for AD5770R DAC")
+and then changed it to 'reg' in
+commit 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors").
+However, both these commits landed in v5.7 so the assumption is
+that either 'num' is not being used or if it is, the validations were not
+done.
+
+Anyways, if someone comes back yelling about this, we might just support
+both of the properties in the future. Not ideal, but that's life...
+
+Fixes: 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors")
+Signed-off-by: Nuno Sá <nuno.sa@analog.com>
+Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
+Link: https://lore.kernel.org/r/20210818080525.62790-1-nuno.sa@analog.com
+Cc: Stable@vger.kernel.org
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5770r.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5770r.c
++++ b/drivers/iio/dac/ad5770r.c
+@@ -522,7 +522,7 @@ static int ad5770r_channel_config(struct
+ return -EINVAL;
+
+ device_for_each_child_node(&st->spi->dev, child) {
+- ret = fwnode_property_read_u32(child, "num", &num);
++ ret = fwnode_property_read_u32(child, "reg", &num);
+ if (ret)
+ goto err_child_out;
+ if (num >= AD5770R_MAX_CHANNELS) {
--- /dev/null
+From 2c0ad3f0cc04dec489552a21b80cd6d708bea96d Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Wed, 13 Oct 2021 12:04:38 +0800
+Subject: iio: buffer: check return value of kstrdup_const()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 2c0ad3f0cc04dec489552a21b80cd6d708bea96d upstream.
+
+Check return value of kstrdup_const() in iio_buffer_wrap_attr(),
+or it will cause null-ptr-deref in kernfs_name_hash() when calling
+device_add() as follows:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000000
+RIP: 0010:strlen+0x0/0x20
+Call Trace:
+ kernfs_name_hash+0x22/0x110
+ kernfs_find_ns+0x11d/0x390
+ kernfs_remove_by_name_ns+0x3b/0xb0
+ remove_files.isra.1+0x7b/0x190
+ internal_create_group+0x7f1/0xbb0
+ internal_create_groups+0xa3/0x150
+ device_add+0x8f0/0x2020
+ cdev_device_add+0xc3/0x160
+ __iio_device_register+0x1427/0x1b40 [industrialio]
+ __devm_iio_device_register+0x22/0x80 [industrialio]
+ adjd_s311_probe+0x195/0x200 [adjd_s311]
+ i2c_device_probe+0xa07/0xbb0
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211013040438.1689277-1-yangyingliang@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -1312,6 +1312,11 @@ static struct attribute *iio_buffer_wrap
+ iio_attr->buffer = buffer;
+ memcpy(&iio_attr->dev_attr, dattr, sizeof(iio_attr->dev_attr));
+ iio_attr->dev_attr.attr.name = kstrdup_const(attr->name, GFP_KERNEL);
++ if (!iio_attr->dev_attr.attr.name) {
++ kfree(iio_attr);
++ return NULL;
++ }
++
+ sysfs_attr_init(&iio_attr->dev_attr.attr);
+
+ list_add(&iio_attr->l, &buffer->buffer_attr_list);
--- /dev/null
+From 9a2ff8009e53296e47de72d5af0bc31cd53274ff Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Wed, 13 Oct 2021 17:43:43 +0800
+Subject: iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 9a2ff8009e53296e47de72d5af0bc31cd53274ff upstream.
+
+When iio_buffer_wrap_attr() returns NULL or buffer->buffer_group.name alloc
+fails, the 'attr' which is allocated in __iio_buffer_alloc_sysfs_and_mask()
+is not freed, and cause memory leak.
+
+unreferenced object 0xffff888014882a00 (size 64):
+ comm "i2c-adjd_s311-8", pid 424, jiffies 4294907737 (age 44.396s)
+ hex dump (first 32 bytes):
+ 00 0f 8a 15 80 88 ff ff 00 0e 8a 15 80 88 ff ff ................
+ 80 04 8a 15 80 88 ff ff 80 05 8a 15 80 88 ff ff ................
+ backtrace:
+ [<0000000021752e67>] __kmalloc+0x1af/0x3c0
+ [<0000000043e8305c>] iio_buffers_alloc_sysfs_and_mask+0xe73/0x1570 [industrialio]
+ [<00000000b7aa5a17>] __iio_device_register+0x483/0x1a30 [industrialio]
+ [<000000003fa0fb2f>] __devm_iio_device_register+0x23/0x90 [industrialio]
+ [<000000003ab040cf>] adjd_s311_probe+0x19c/0x200 [adjd_s311]
+ [<0000000080458969>] i2c_device_probe+0xa31/0xbe0
+ [<00000000e20678ad>] really_probe+0x299/0xc30
+ [<000000006bea9b27>] __driver_probe_device+0x357/0x500
+ [<00000000e1df10d4>] driver_probe_device+0x4e/0x140
+ [<0000000003661beb>] __device_attach_driver+0x257/0x340
+ [<000000005bb4aa26>] bus_for_each_drv+0x166/0x1e0
+ [<00000000272c5236>] __device_attach+0x272/0x420
+ [<00000000d52a96ae>] bus_probe_device+0x1eb/0x2a0
+ [<00000000129f7737>] device_add+0xbf0/0x1f90
+ [<000000005eed4e52>] i2c_new_client_device+0x622/0xb20
+ [<00000000b85a9c43>] new_device_store+0x1fa/0x420
+
+This patch fix to free it before the error return.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr")
+Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211013094343.315275-1-yangyingliang@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -1536,6 +1536,7 @@ static int __iio_buffer_alloc_sysfs_and_
+ sizeof(struct attribute *) * buffer_attrcount);
+
+ buffer_attrcount += ARRAY_SIZE(iio_buffer_attrs);
++ buffer->buffer_group.attrs = attr;
+
+ for (i = 0; i < buffer_attrcount; i++) {
+ struct attribute *wrapped;
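Review bot: The new `buffer->buffer_group.attrs = attr;` ahead of the loop has no comment explaining why it sits here rather than next to the group registration, where the third hunk removes it. Judging from the commit message, it is there so that the `error_free_buffer_attrs` label, which lies outside these hunks, can free the array when `iio_buffer_wrap_attr()` fails. I would add `/* set early so the error path can free attr */` above it so a later cleanup does not move it back and reintroduce the leak. If that label frees through `buffer->buffer_group.attrs`, the field is left pointing at freed memory on the error return, so it is worth confirming that nothing reads or frees it again afterwards.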
+@@ -1543,7 +1544,7 @@ static int __iio_buffer_alloc_sysfs_and_
+ wrapped = iio_buffer_wrap_attr(buffer, attr[i]);
+ if (!wrapped) {
+ ret = -ENOMEM;
+- goto error_free_scan_mask;
++ goto error_free_buffer_attrs;
+ }
+ attr[i] = wrapped;
+ }
+@@ -1558,8 +1559,6 @@ static int __iio_buffer_alloc_sysfs_and_
+ goto error_free_buffer_attrs;
+ }
+
+- buffer->buffer_group.attrs = attr;
+-
+ ret = iio_device_register_sysfs_group(indio_dev, &buffer->buffer_group);
+ if (ret)
+ goto error_free_buffer_attr_group_name;
--- /dev/null
+From 604faf9a2ecd1addcc0c10a47e5aaef3c4d4fd6b Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Wed, 13 Oct 2021 22:42:42 +0800
+Subject: iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 604faf9a2ecd1addcc0c10a47e5aaef3c4d4fd6b upstream.
+
+If the second iio_device_register_sysfs_group() fails,
+'legacy_buffer_group.attrs' need be freed too or it will
+cause memory leak:
+
+unreferenced object 0xffff888003618280 (size 64):
+ comm "xrun", pid 357, jiffies 4294907259 (age 22.296s)
+ hex dump (first 32 bytes):
+ 80 f6 8c 03 80 88 ff ff 80 fb 8c 03 80 88 ff ff ................
+ 00 f9 8c 03 80 88 ff ff 80 fc 8c 03 80 88 ff ff ................
+ backtrace:
+ [<00000000076bfd43>] __kmalloc+0x1a3/0x2f0
+ [<00000000c32e4886>] iio_buffers_alloc_sysfs_and_mask+0xc31/0x1290 [industrialio]
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211013144242.1685060-1-yangyingliang@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -1367,10 +1367,10 @@ static int iio_buffer_register_legacy_sy
+
+ return 0;
+
+-error_free_buffer_attrs:
+- kfree(iio_dev_opaque->legacy_buffer_group.attrs);
+ error_free_scan_el_attrs:
+ kfree(iio_dev_opaque->legacy_scan_el_group.attrs);
++error_free_buffer_attrs:
++ kfree(iio_dev_opaque->legacy_buffer_group.attrs);
+
+ return ret;
+ }
--- /dev/null
+From 486a25084155bf633768c26f022201c051d6fd95 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Mon, 18 Oct 2021 14:37:18 +0800
+Subject: iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 486a25084155bf633768c26f022201c051d6fd95 upstream.
+
+When 'iio_dev_opaque->buffer_ioctl_handler' alloc fails in
+iio_buffers_alloc_sysfs_and_mask(), the 'attrs' allocated in
+iio_buffer_register_legacy_sysfs_groups() will be leaked:
+
+unreferenced object 0xffff888108568d00 (size 128):
+ comm "88", pid 2014, jiffies 4294963294 (age 26.920s)
+ hex dump (first 32 bytes):
+ 80 3e da 02 80 88 ff ff 00 3a da 02 80 88 ff ff .>.......:......
+ 00 35 da 02 80 88 ff ff 00 38 da 02 80 88 ff ff .5.......8......
+ backtrace:
+ [<0000000095a9e51e>] __kmalloc+0x1a3/0x2f0
+ [<00000000faa3735e>] iio_buffers_alloc_sysfs_and_mask+0xfa3/0x1480 [industrialio]
+ [<00000000a46384dc>] __iio_device_register+0x52e/0x1b40 [industrialio]
+ [<00000000210af05e>] __devm_iio_device_register+0x22/0x80 [industrialio]
+ [<00000000730d7b41>] adjd_s311_probe+0x195/0x200 [adjd_s311]
+ [<00000000c0f70eb9>] i2c_device_probe+0xa07/0xbb0
+
+The iio_buffer_register_legacy_sysfs_groups() is
+called in __iio_buffer_alloc_sysfs_and_mask(),
+so move the iio_buffer_unregister_legacy_sysfs_groups()
+into __iio_buffer_free_sysfs_and_mask(), then the memory
+will be freed.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211018063718.1971240-1-yangyingliang@huawei.com
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/industrialio-buffer.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/drivers/iio/industrialio-buffer.c
++++ b/drivers/iio/industrialio-buffer.c
+@@ -1588,8 +1588,12 @@ error_cleanup_dynamic:
+ return ret;
+ }
+
+-static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer)
++static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer,
++ struct iio_dev *indio_dev,
++ int index)
+ {
++ if (index == 0)
++ iio_buffer_unregister_legacy_sysfs_groups(indio_dev);
+ bitmap_free(buffer->scan_mask);
+ kfree(buffer->buffer_group.name);
+ kfree(buffer->buffer_group.attrs);
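Review bot: The `index == 0` test relies on an undocumented assumption that the legacy sysfs groups belong to the first attached buffer only; the registration site is outside these hunks, so the pairing cannot be checked from here. I would add `/* legacy groups are only registered for the first buffer */` above the check so the coupling between the two sites is explicit. The third hunk also changes teardown order in iio_buffers_free_sysfs_and_mask(): the legacy groups are now unregistered on the last loop iteration rather than before the loop. Confirm that nothing in the unregister path depends on the other buffers' attributes still being allocated.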
+@@ -1643,7 +1647,7 @@ int iio_buffers_alloc_sysfs_and_mask(str
+ error_unwind_sysfs_and_mask:
+ for (; unwind_idx >= 0; unwind_idx--) {
+ buffer = iio_dev_opaque->attached_buffers[unwind_idx];
+- __iio_buffer_free_sysfs_and_mask(buffer);
++ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, unwind_idx);
+ }
+ return ret;
+ }
+@@ -1660,11 +1664,9 @@ void iio_buffers_free_sysfs_and_mask(str
+ iio_device_ioctl_handler_unregister(iio_dev_opaque->buffer_ioctl_handler);
+ kfree(iio_dev_opaque->buffer_ioctl_handler);
+
+- iio_buffer_unregister_legacy_sysfs_groups(indio_dev);
+-
+ for (i = iio_dev_opaque->attached_buffers_cnt - 1; i >= 0; i--) {
+ buffer = iio_dev_opaque->attached_buffers[i];
+- __iio_buffer_free_sysfs_and_mask(buffer);
++ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, i);
+ }
+ }
+
--- /dev/null
+From 558df982d4ead9cac628153d0d7b60feae05ddc8 Mon Sep 17 00:00:00 2001
+From: Pekka Korpinen <pekka.korpinen@iki.fi>
+Date: Wed, 29 Sep 2021 21:57:55 +0300
+Subject: iio: dac: ad5446: Fix ad5622_write() return value
+
+From: Pekka Korpinen <pekka.korpinen@iki.fi>
+
+commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream.
+
+On success i2c_master_send() returns the number of bytes written. The
+call from iio_write_channel_info(), however, expects the return value to
+be zero on success.
+
+This bug causes incorrect consumption of the sysfs buffer in
+iio_write_channel_info(). When writing more than two characters to
+out_voltage0_raw, the ad5446 write handler is called multiple times
+causing unexpected behavior.
+
+Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs")
+Signed-off-by: Pekka Korpinen <pekka.korpinen@iki.fi>
+Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi
+Cc: <Stable@vger.kernel.org>
+Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/iio/dac/ad5446.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5446.c
++++ b/drivers/iio/dac/ad5446.c
+@@ -531,8 +531,15 @@ static int ad5622_write(struct ad5446_st
+ {
+ struct i2c_client *client = to_i2c_client(st->dev);
+ __be16 data = cpu_to_be16(val);
++ int ret;
+
+- return i2c_master_send(client, (char *)&data, sizeof(data));
++ ret = i2c_master_send(client, (char *)&data, sizeof(data));
++ if (ret < 0)
++ return ret;
++ if (ret != sizeof(data))
++ return -EIO;
++
++ return 0;
+ }
+
+ /*
--- /dev/null
+From d3e3c102d107bb84251455a298cf475f24bab995 Mon Sep 17 00:00:00 2001
+From: Jens Axboe <axboe@kernel.dk>
+Date: Thu, 11 Nov 2021 17:32:53 -0700
+Subject: io-wq: serialize hash clear with wakeup
+
+From: Jens Axboe <axboe@kernel.dk>
+
+commit d3e3c102d107bb84251455a298cf475f24bab995 upstream.
+
+We need to ensure that we serialize the stalled and hash bits with the
+wait_queue wait handler, or we could be racing with someone modifying
+the hashed state after we find it busy, but before we then give up and
+wait for it to be cleared. This can cause random delays or stalls when
+handling buffered writes for many files, where some of these files cause
+hash collisions between the worker threads.
+
+Cc: stable@vger.kernel.org
+Reported-by: Daniel Black <daniel@mariadb.org>
+Fixes: e941894eae31 ("io-wq: make buffered file write hashed work map per-ctx")
+Signed-off-by: Jens Axboe <axboe@kernel.dk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/io-wq.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/fs/io-wq.c
++++ b/fs/io-wq.c
+@@ -421,9 +421,10 @@ static inline unsigned int io_get_work_h
+ return work->flags >> IO_WQ_HASH_SHIFT;
+ }
+
+-static void io_wait_on_hash(struct io_wqe *wqe, unsigned int hash)
++static bool io_wait_on_hash(struct io_wqe *wqe, unsigned int hash)
+ {
+ struct io_wq *wq = wqe->wq;
++ bool ret = false;
+
+ spin_lock_irq(&wq->hash->wait.lock);
+ if (list_empty(&wqe->wait.entry)) {
+@@ -431,9 +432,11 @@ static void io_wait_on_hash(struct io_wq
+ if (!test_bit(hash, &wq->hash->map)) {
+ __set_current_state(TASK_RUNNING);
+ list_del_init(&wqe->wait.entry);
++ ret = true;
+ }
+ }
+ spin_unlock_irq(&wq->hash->wait.lock);
++ return ret;
+ }
+
+ static struct io_wq_work *io_get_next_work(struct io_wqe_acct *acct,
+@@ -473,14 +476,21 @@ static struct io_wq_work *io_get_next_wo
+ }
+
+ if (stall_hash != -1U) {
++ bool unstalled;
++
+ /*
+ * Set this before dropping the lock to avoid racing with new
+ * work being added and clearing the stalled bit.
+ */
+ set_bit(IO_ACCT_STALLED_BIT, &acct->flags);
+ raw_spin_unlock(&wqe->lock);
+- io_wait_on_hash(wqe, stall_hash);
++ unstalled = io_wait_on_hash(wqe, stall_hash);
+ raw_spin_lock(&wqe->lock);
++ if (unstalled) {
++ clear_bit(IO_ACCT_STALLED_BIT, &acct->flags);
++ if (wq_has_sleeper(&wqe->wq->hash->wait))
++ wake_up(&wqe->wq->hash->wait);
++ }
+ }
+
+ return NULL;
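Review bot: In the new `if (unstalled)` branch, `wake_up(&wqe->wq->hash->wait)` runs after `raw_spin_lock(&wqe->lock)` has been re-taken, so the wait-queue lock that the first and last hunks take with `spin_lock_irq()` is acquired inside a raw spinlock. That nesting is a lock-ordering concern on PREEMPT_RT, where a `spinlock_t` may sleep, and it also runs the wait-queue callbacks with `wqe->lock` held. Unless something outside the hunk needs the lock there, the clear and wake-up could happen first, i.e. move `raw_spin_lock(&wqe->lock);` below the `if (unstalled) { ... }` block. io_get_next_work() starts above this hunk, so what the caller expects `wqe->lock` to protect at that point should be confirmed before reordering.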
+@@ -562,8 +572,11 @@ get_next:
+ io_wqe_enqueue(wqe, linked);
+
+ if (hash != -1U && !next_hashed) {
++ /* serialize hash clear with wake_up() */
++ spin_lock_irq(&wq->hash->wait.lock);
+ clear_bit(hash, &wq->hash->map);
+ clear_bit(IO_ACCT_STALLED_BIT, &acct->flags);
++ spin_unlock_irq(&wq->hash->wait.lock);
+ if (wq_has_sleeper(&wq->hash->wait))
+ wake_up(&wq->hash->wait);
+ raw_spin_lock(&wqe->lock);
--- /dev/null
+From 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2 Mon Sep 17 00:00:00 2001
+From: Namjae Jeon <linkinjeon@kernel.org>
+Date: Sun, 31 Oct 2021 09:53:50 +0900
+Subject: ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION
+
+From: Namjae Jeon <linkinjeon@kernel.org>
+
+commit 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2 upstream.
+
+Steve French reported that ksmbd sets a fixed value in the volume serial field
+of FS_VOLUME_INFORMATION. The volume serial value needs to be set to a unique
+value for client fscache. This patch sets the volume serial to a CRC value
+that is generated from the share name, path name and netbios name.
+
+Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
+Cc: stable@vger.kernel.org # v5.15
+Reported-by: Steve French <smfrench@gmail.com>
+Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
+Signed-off-by: Steve French <stfrench@microsoft.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ksmbd/Kconfig | 1 +
+ fs/ksmbd/server.c | 1 +
+ fs/ksmbd/smb2pdu.c | 9 ++++++++-
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/fs/ksmbd/Kconfig
++++ b/fs/ksmbd/Kconfig
+@@ -19,6 +19,7 @@ config SMB_SERVER
+ select CRYPTO_GCM
+ select ASN1
+ select OID_REGISTRY
++ select CRC32
+ default n
+ help
+ Choose Y here if you want to allow SMB3 compliant clients
+--- a/fs/ksmbd/server.c
++++ b/fs/ksmbd/server.c
+@@ -632,5 +632,6 @@ MODULE_SOFTDEP("pre: sha512");
+ MODULE_SOFTDEP("pre: aead2");
+ MODULE_SOFTDEP("pre: ccm");
+ MODULE_SOFTDEP("pre: gcm");
++MODULE_SOFTDEP("pre: crc32");
+ module_init(ksmbd_server_init)
+ module_exit(ksmbd_server_exit)
+--- a/fs/ksmbd/smb2pdu.c
++++ b/fs/ksmbd/smb2pdu.c
+@@ -4891,11 +4891,18 @@ static int smb2_get_info_filesystem(stru
+ {
+ struct filesystem_vol_info *info;
+ size_t sz;
++ unsigned int serial_crc = 0;
+
+ info = (struct filesystem_vol_info *)(rsp->Buffer);
+ info->VolumeCreationTime = 0;
++ serial_crc = crc32_le(serial_crc, share->name,
++ strlen(share->name));
++ serial_crc = crc32_le(serial_crc, share->path,
++ strlen(share->path));
++ serial_crc = crc32_le(serial_crc, ksmbd_netbios_name(),
++ strlen(ksmbd_netbios_name()));
+ /* Taking dummy value of serial number*/
+- info->SerialNumber = cpu_to_le32(0xbc3ac512);
++ info->SerialNumber = cpu_to_le32(serial_crc);
+ len = smbConvertToUTF16((__le16 *)info->VolumeLabel,
+ share->name, PATH_MAX,
+ conn->local_nls, 0);
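Review bot: The context comment `/* Taking dummy value of serial number*/` is now wrong, because the line below it stores a CRC computed from share->name, share->path and the netbios name rather than a constant. It should read something like `/* serial number: crc32 over share name, share path and netbios name */`. Two things need confirming outside the hunk. First, share->path must never be NULL for a share that can reach this case, since strlen() on it is unguarded. Second, a CRC32 of the server-side export path is now returned to every client able to query FS_VOLUME_INFORMATION, and CRC32 is not a one-way function in any strong sense. `ksmbd_netbios_name()` is also evaluated twice and could be held in a local; the enclosing function starts and ends outside the hunk.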
--- /dev/null
+From 5dc6dafe62099ade0e7232ce9db4013b7673d860 Mon Sep 17 00:00:00 2001
+From: Robert Marko <robert.marko@sartura.hr>
+Date: Tue, 2 Nov 2021 11:04:20 +0100
+Subject: mfd: simple-mfd-i2c: Select MFD_CORE to fix build error
+
+From: Robert Marko <robert.marko@sartura.hr>
+
+commit 5dc6dafe62099ade0e7232ce9db4013b7673d860 upstream.
+
+MFD_SIMPLE_MFD_I2C should select MFD_CORE to prevent a build error:
+
+aarch64-linux-ld: drivers/mfd/simple-mfd-i2c.o: in function `simple_mfd_i2c_probe':
+drivers/mfd/simple-mfd-i2c.c:55: undefined reference to `devm_mfd_add_devices'
+
+Cc: <stable@vger.kernel.org>
+Fixes: c753ea31781aa ("mfd: simple-mfd-i2c: Add support for registering devices via MFD cells")
+Signed-off-by: Robert Marko <robert.marko@sartura.hr>
+Signed-off-by: Lee Jones <lee.jones@linaro.org>
+Link: https://lore.kernel.org/r/20211102100420.112215-1-robert.marko@sartura.hr
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/mfd/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mfd/Kconfig
++++ b/drivers/mfd/Kconfig
+@@ -1194,6 +1194,7 @@ config MFD_SI476X_CORE
+ config MFD_SIMPLE_MFD_I2C
+ tristate
+ depends on I2C
++ select MFD_CORE
+ select REGMAP_I2C
+ help
+ This driver creates a single register map with the intention for it
--- /dev/null
+From 63b3e810eff65fb8587fcb26fa0b56802be12dcf Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:58:11 +0200
+Subject: most: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 63b3e810eff65fb8587fcb26fa0b56802be12dcf upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout defines for the five-second
+timeouts.
+
+Fixes: 97a6f772f36b ("drivers: most: add USB adapter driver")
+Cc: stable@vger.kernel.org # 5.9
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025115811.5410-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/most/most_usb.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/most/most_usb.c
++++ b/drivers/most/most_usb.c
+@@ -149,7 +149,8 @@ static inline int drci_rd_reg(struct usb
+ retval = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0),
+ DRCI_READ_REQ, req_type,
+ 0x0000,
+- reg, dma_buf, sizeof(*dma_buf), 5 * HZ);
++ reg, dma_buf, sizeof(*dma_buf),
++ USB_CTRL_GET_TIMEOUT);
+ *buf = le16_to_cpu(*dma_buf);
+ kfree(dma_buf);
+
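Review bot: In drci_rd_reg() the context line `*buf = le16_to_cpu(*dma_buf);` runs before `retval` is examined, so on a failed or short control transfer the caller's value is taken from memory the device never wrote. How dma_buf is allocated is outside the hunk, so whether that is zeroed or stale heap content cannot be told from here. Since the patch already touches this call, the store could be made conditional on a complete read, `if (retval == sizeof(*dma_buf)) *buf = le16_to_cpu(*dma_buf);`, with a short read mapped to an error where the function returns. The return path is outside the hunk.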
+@@ -176,7 +177,7 @@ static inline int drci_wr_reg(struct usb
+ reg,
+ NULL,
+ 0,
+- 5 * HZ);
++ USB_CTRL_SET_TIMEOUT);
+ }
+
+ static inline int start_sync_ep(struct usb_device *usb_dev, u16 ep)
--- /dev/null
+From c7892ae13e461ed20154321eb792e07ebe38f5b3 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Fri, 22 Oct 2021 09:43:23 +0800
+Subject: pinctrl: core: fix possible memory leak in pinctrl_enable()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream.
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888020a7a680 (size 64):
+ comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s)
+ hex dump (first 32 bytes):
+ 00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360
+ [<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70
+ [<0000000064346707>] pinctrl_register+0x27/0x80
+ [<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0
+ [<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08]
+ [<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c]
+
+If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin()
+needs to be freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com
+Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/pinctrl/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -2100,6 +2100,8 @@ int pinctrl_enable(struct pinctrl_dev *p
+ if (error) {
+ dev_err(pctldev->dev, "could not claim hogs: %i\n",
+ error);
++ pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
++ pctldev->desc->npins);
+ mutex_destroy(&pctldev->mutex);
+ kfree(pctldev);
+
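Review bot: This error path releases `pctldev` itself with `kfree(pctldev)`, and the added pinctrl_free_pindescs() call extends that teardown, yet nothing at the site says the caller's pointer is dead after a failed return. The callers are not visible in the hunk. One that keeps the pointer it passed in and later runs its own unregister or cleanup would touch freed memory, or free it a second time. I would add a comment above the block such as `/* pctldev is released here; callers must not use or free it after an error return */`. It is also worth confirming that the devm registration path named in the commit's backtrace does not release it again. The function continues past the hunk.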
--- /dev/null
+From 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a Mon Sep 17 00:00:00 2001
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Date: Tue, 14 Sep 2021 14:18:05 +0200
+Subject: power: supply: max17042_battery: Clear status bits in interrupt handler
+
+From: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+
+commit 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a upstream.
+
+The gauge requires us to clear the status bits manually for some alerts
+to be properly dismissed. Previously the IRQ was configured to react only
+on falling edge, which wasn't technically correct (the ALRT line is active
+low), but it had a happy side-effect of preventing interrupt storms
+on uncleared alerts from happening.
+
+Fixes: 7fbf6b731bca ("power: supply: max17042: Do not enforce (incorrect) interrupt trigger type")
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
+Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
+Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/power/supply/max17042_battery.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/power/supply/max17042_battery.c
++++ b/drivers/power/supply/max17042_battery.c
+@@ -880,6 +880,10 @@ static irqreturn_t max17042_thread_handl
+ max17042_set_soc_threshold(chip, 1);
+ }
+
++ /* we implicitly handle all alerts via power_supply_changed */
++ regmap_clear_bits(chip->regmap, MAX17042_STATUS,
++ 0xFFFF & ~(STATUS_POR_BIT | STATUS_BST_BIT));
++
+ power_supply_changed(chip->battery);
+ return IRQ_HANDLED;
+ }
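Review bot: The return value of `regmap_clear_bits()` is dropped, so a failed bus write leaves the status bits set while the handler still returns IRQ_HANDLED. With the active-low ALRT line the description mentions, that is the uncleared-alert interrupt storm this change is meant to prevent. The call should be checked and a failure at least logged, so a misbehaving bus shows up in the kernel log rather than as a soft lockup. The mask `0xFFFF & ~(STATUS_POR_BIT | STATUS_BST_BIT)` would also benefit from a comment saying why those two bits are left alone, which the hunk does not explain. The handler starts outside the hunk.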
--- /dev/null
+From d02b006b29de14968ba4afa998bede0d55469e29 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 7 Oct 2021 15:31:46 +0200
+Subject: Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Johan Hovold <johan@kernel.org>
+
+commit d02b006b29de14968ba4afa998bede0d55469e29 upstream.
+
+This reverts commit 32262e2e429cdb31f9e957e997d53458762931b7.
+
+The commit in question claims to determine the inverse of
+serial8250_get_divisor() but failed to notice that some drivers override
+the default implementation using a get_divisor() callback.
+
+This means that the computed line-speed values can be completely wrong
+and results in regular TCSETS requests failing (the incorrect values
+would also be passed to any overridden set_divisor() callback).
+
+Similarly, it also failed to honour the old (deprecated) ASYNC_SPD_FLAGS
+and would break applications relying on those when re-encoding the
+actual line speed.
+
+There are also at least two quirks, UART_BUG_QUOT and an OMAP1510
+workaround, which were happily ignored and that are now broken.
+
+Finally, even if the offending commit were to be implemented correctly,
+this is a new feature and not something which should be backported to
+stable.
+
+Cc: Pali Rohár <pali@kernel.org>
+Fixes: 32262e2e429c ("serial: 8250: Fix reporting real baudrate value in c_ospeed field")
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211007133146.28949-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2584,19 +2584,6 @@ static unsigned int serial8250_get_divis
+ return serial8250_do_get_divisor(port, baud, frac);
+ }
+
+-static unsigned int serial8250_compute_baud_rate(struct uart_port *port,
+- unsigned int quot)
+-{
+- if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001)
+- return port->uartclk / 4;
+- else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002)
+- return port->uartclk / 8;
+- else if (port->type == PORT_NPCM)
+- return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2));
+- else
+- return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot);
+-}
+-
+ static unsigned char serial8250_compute_lcr(struct uart_8250_port *up,
+ tcflag_t c_cflag)
+ {
+@@ -2738,14 +2725,11 @@ void serial8250_update_uartclk(struct ua
+
+ baud = serial8250_get_baud_rate(port, termios, NULL);
+ quot = serial8250_get_divisor(port, baud, &frac);
+- baud = serial8250_compute_baud_rate(port, quot);
+
+ serial8250_rpm_get(up);
+ spin_lock_irqsave(&port->lock, flags);
+
+ uart_update_timeout(port, termios->c_cflag, baud);
+- if (tty_termios_baud_rate(termios))
+- tty_termios_encode_baud_rate(termios, baud, baud);
+
+ serial8250_set_divisor(port, baud, quot, frac);
+ serial_port_out(port, UART_LCR, up->lcr);
+@@ -2779,7 +2763,6 @@ serial8250_do_set_termios(struct uart_po
+
+ baud = serial8250_get_baud_rate(port, termios, old);
+ quot = serial8250_get_divisor(port, baud, &frac);
+- baud = serial8250_compute_baud_rate(port, quot);
+
+ /*
+ * Ok, we're now changing the port state. Do it with
--- /dev/null
+From 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Fri, 15 Oct 2021 13:14:20 +0200
+Subject: serial: 8250: fix racy uartclk update
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee upstream.
+
+Commit 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method")
+added a hack to support SoCs where the UART reference clock can
+change behind the back of the driver but failed to add the proper
+locking.
+
+First, make sure to take a reference to the tty struct to avoid
+dereferencing a NULL pointer if the clock change races with a hangup.
+
+Second, the termios semaphore must be held during the update to prevent
+a racing termios change.
+
+Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method")
+Fixes: c8dff3aa8241 ("serial: 8250: Skip uninitialized TTY port baud rate update")
+Cc: stable@vger.kernel.org # 5.9
+Cc: Serge Semin <Sergey.Semin@baikalelectronics.ru>
+Tested-by: Serge Semin <fancer.lancer@gmail.com>
+Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
+Acked-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211015111422.1027-2-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 21 +++++++++++++++++----
+ 1 file changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index 66374704747e..e4dd82fd7c2a 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2696,21 +2696,32 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port,
+ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk)
+ {
+ struct uart_8250_port *up = up_to_u8250p(port);
++ struct tty_port *tport = &port->state->port;
+ unsigned int baud, quot, frac = 0;
+ struct ktermios *termios;
++ struct tty_struct *tty;
+ unsigned long flags;
+
+- mutex_lock(&port->state->port.mutex);
++ tty = tty_port_tty_get(tport);
++ if (!tty) {
++ mutex_lock(&tport->mutex);
++ port->uartclk = uartclk;
++ mutex_unlock(&tport->mutex);
++ return;
++ }
++
++ down_write(&tty->termios_rwsem);
++ mutex_lock(&tport->mutex);
+
+ if (port->uartclk == uartclk)
+ goto out_lock;
+
+ port->uartclk = uartclk;
+
+- if (!tty_port_initialized(&port->state->port))
++ if (!tty_port_initialized(tport))
+ goto out_lock;
+
+- termios = &port->state->port.tty->termios;
++ termios = &tty->termios;
+
+ baud = serial8250_get_baud_rate(port, termios, NULL);
+ quot = serial8250_get_divisor(port, baud, &frac);
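Review bot: The lock order established here, `tty->termios_rwsem` first and `tport->mutex` second, is not written down anywhere in the function, and the early `!tty` branch takes only the mutex. A later edit that swaps the two acquisitions, or adds a path taking them in the other order, would introduce an ABBA deadlock that is hard to spot in review. A comment above `down_write()` would record the rule, for example `/* lock order: termios_rwsem, then the port mutex (released in reverse below) */`. The release side is in the next hunk, and the middle of the function lies between the two hunks.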
+@@ -2727,7 +2738,9 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk)
+ serial8250_rpm_put(up);
+
+ out_lock:
+- mutex_unlock(&port->state->port.mutex);
++ mutex_unlock(&tport->mutex);
++ up_write(&tty->termios_rwsem);
++ tty_kref_put(tty);
+ }
+ EXPORT_SYMBOL_GPL(serial8250_update_uartclk);
+
+--
+2.33.1
+
--- /dev/null
+From 32262e2e429cdb31f9e957e997d53458762931b7 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Pali=20Roh=C3=A1r?= <pali@kernel.org>
+Date: Mon, 27 Sep 2021 11:37:04 +0200
+Subject: serial: 8250: Fix reporting real baudrate value in c_ospeed field
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár <pali@kernel.org>
+
+commit 32262e2e429cdb31f9e957e997d53458762931b7 upstream.
+
+In most cases it is not possible to set exact baudrate value to hardware.
+
+So fix reporting real baudrate value which was set to hardware via c_ospeed
+termios field. It can be retrieved by ioctl(TCGETS2) from userspace.
+
+Real baudrate value is calculated from chosen hardware divisor and base
+clock. It is implemented in a new function serial8250_compute_baud_rate()
+which is inverse of serial8250_get_divisor() function.
+
+With this change is fixed also UART timeout value (it is updated via
+uart_update_timeout() function), which is calculated from the now fixed
+baudrate value too.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Pali Rohár <pali@kernel.org>
+Link: https://lore.kernel.org/r/20210927093704.19768-1-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/tty/serial/8250/8250_port.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2584,6 +2584,19 @@ static unsigned int serial8250_get_divis
+ return serial8250_do_get_divisor(port, baud, frac);
+ }
+
++static unsigned int serial8250_compute_baud_rate(struct uart_port *port,
++ unsigned int quot)
++{
++ if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001)
++ return port->uartclk / 4;
++ else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002)
++ return port->uartclk / 8;
++ else if (port->type == PORT_NPCM)
++ return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2));
++ else
++ return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot);
++}
++
+ static unsigned char serial8250_compute_lcr(struct uart_8250_port *up,
+ tcflag_t c_cflag)
+ {
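Review bot: serial8250_compute_baud_rate() divides by `16 * quot` in its last branch without checking that `quot` is non-zero, and the value comes straight from serial8250_get_divisor(), whose possible results are not visible in this hunk. A zero divisor would be a division by zero in the kernel on a path driven by a termios request. The call sites could keep the requested rate in that case, `if (quot) baud = serial8250_compute_baud_rate(port, quot);`. That applies to both later hunks, in serial8250_update_uartclk() and serial8250_do_set_termios(). The new function also has no comment stating which divisor encodings it understands.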
+@@ -2725,11 +2738,14 @@ void serial8250_update_uartclk(struct ua
+
+ baud = serial8250_get_baud_rate(port, termios, NULL);
+ quot = serial8250_get_divisor(port, baud, &frac);
++ baud = serial8250_compute_baud_rate(port, quot);
+
+ serial8250_rpm_get(up);
+ spin_lock_irqsave(&port->lock, flags);
+
+ uart_update_timeout(port, termios->c_cflag, baud);
++ if (tty_termios_baud_rate(termios))
++ tty_termios_encode_baud_rate(termios, baud, baud);
+
+ serial8250_set_divisor(port, baud, quot, frac);
+ serial_port_out(port, UART_LCR, up->lcr);
+@@ -2763,6 +2779,7 @@ serial8250_do_set_termios(struct uart_po
+
+ baud = serial8250_get_baud_rate(port, termios, old);
+ quot = serial8250_get_divisor(port, baud, &frac);
++ baud = serial8250_compute_baud_rate(port, quot);
+
+ /*
+ * Ok, we're now changing the port state. Do it with
quota-correct-error-number-in-free_dqentry.patch
cifs-to-match-file-servers-make-sure-the-server-hostname-matches.patch
cifs-set-a-minimum-of-120s-for-next-dns-resolution.patch
+mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch
+pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch
+coresight-cti-correct-the-parameter-for-pm_runtime_put.patch
+coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch
+coresight-trbe-defer-the-probe-on-offline-cpus.patch
+iio-buffer-check-return-value-of-kstrdup_const.patch
+iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch
+iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch
+iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch
+drivers-iio-dac-ad5766-fix-dt-property-name.patch
+iio-dac-ad5446-fix-ad5622_write-return-value.patch
+iio-ad5770r-make-devicetree-property-reading-consistent.patch
+documentation-devicetree-bindings-iio-dac-fix-val.patch
+usb-serial-keyspan-fix-memleak-on-probe-errors.patch
+serial-8250-fix-racy-uartclk-update.patch
+ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch
+io-wq-serialize-hash-clear-with-wakeup.patch
+serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch
+revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch
+most-fix-control-message-timeouts.patch
+usb-iowarrior-fix-control-message-timeouts.patch
+usb-chipidea-fix-interrupt-deadlock.patch
+power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch
+component-do-not-leave-master-devres-group-open-after-bind.patch
--- /dev/null
+From 9aaa81c3366e8393a62374e3a1c67c69edc07b8a Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Thu, 21 Oct 2021 10:34:47 +0200
+Subject: USB: chipidea: fix interrupt deadlock
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 9aaa81c3366e8393a62374e3a1c67c69edc07b8a upstream.
+
+Chipidea core was calling the interrupt handler from non-IRQ context
+with interrupts enabled, something which can lead to a deadlock if
+there's an actual interrupt trying to take a lock that's already held
+(e.g. the controller lock in udc_irq()).
+
+Add a wrapper that can be used to fake interrupts instead of calling the
+handler directly.
+
+Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect")
+Fixes: 876d4e1e8298 ("usb: chipidea: core: add wakeup support for extcon")
+Cc: Peter Chen <peter.chen@kernel.org>
+Cc: stable@vger.kernel.org # 4.4
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211021083447.20078-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/chipidea/core.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -514,7 +514,7 @@ int hw_device_reset(struct ci_hdrc *ci)
+ return 0;
+ }
+
+-static irqreturn_t ci_irq(int irq, void *data)
++static irqreturn_t ci_irq_handler(int irq, void *data)
+ {
+ struct ci_hdrc *ci = data;
+ irqreturn_t ret = IRQ_NONE;
+@@ -567,6 +567,15 @@ static irqreturn_t ci_irq(int irq, void
+ return ret;
+ }
+
++static void ci_irq(struct ci_hdrc *ci)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ ci_irq_handler(ci->irq, ci);
++ local_irq_restore(flags);
++}
++
+ static int ci_cable_notifier(struct notifier_block *nb, unsigned long event,
+ void *ptr)
+ {
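Review bot: The new ci_irq() wrapper has no comment, although its whole reason for existing is a context rule that the code itself does not state. Without one, a later cleanup could reasonably collapse it back into a direct call to ci_irq_handler(). Something like `/* Fake an interrupt: run the handler with local IRQs off, as it would be in hard-IRQ context */` above the function would record that. The similar names `ci_irq` and `ci_irq_handler` make the comment more useful still.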
+@@ -576,7 +585,7 @@ static int ci_cable_notifier(struct noti
+ cbl->connected = event;
+ cbl->changed = true;
+
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ return NOTIFY_DONE;
+ }
+
+@@ -617,7 +626,7 @@ static int ci_usb_role_switch_set(struct
+ if (cable) {
+ cable->changed = true;
+ cable->connected = false;
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ spin_unlock_irqrestore(&ci->lock, flags);
+ if (ci->wq && role != USB_ROLE_NONE)
+ flush_workqueue(ci->wq);
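Review bot: Here ci_irq() is called before `spin_unlock_irqrestore(&ci->lock, flags)`, so the handler runs with ci->lock held; the matching lock call is outside the hunk. Interrupts are presumably already off at that point, which makes the wrapper's local_irq_save() redundant on this path. More importantly, any handler branch that takes ci->lock itself would deadlock on the same CPU, and the description names udc_irq() as one that does. Whether the handler can reach such a branch for a cable event cannot be seen from here. A comment recording why it cannot, or moving the call after the unlock, would settle it; the next hunk, at -635, has the same shape.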
+@@ -635,7 +644,7 @@ static int ci_usb_role_switch_set(struct
+ if (cable) {
+ cable->changed = true;
+ cable->connected = true;
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ }
+ spin_unlock_irqrestore(&ci->lock, flags);
+ pm_runtime_put_sync(ci->dev);
+@@ -1174,7 +1183,7 @@ static int ci_hdrc_probe(struct platform
+ }
+ }
+
+- ret = devm_request_irq(dev, ci->irq, ci_irq, IRQF_SHARED,
++ ret = devm_request_irq(dev, ci->irq, ci_irq_handler, IRQF_SHARED,
+ ci->platdata->name, ci);
+ if (ret)
+ goto stop;
+@@ -1295,11 +1304,11 @@ static void ci_extcon_wakeup_int(struct
+
+ if (!IS_ERR(cable_id->edev) && ci->is_otg &&
+ (otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS))
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+
+ if (!IS_ERR(cable_vbus->edev) && ci->is_otg &&
+ (otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS))
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ }
+
+ static int ci_controller_resume(struct device *dev)
--- /dev/null
+From 79a4479a17b83310deb0b1a2a274fe5be12d2318 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 25 Oct 2021 13:51:59 +0200
+Subject: USB: iowarrior: fix control-message timeouts
+
+From: Johan Hovold <johan@kernel.org>
+
+commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout define for the five-second
+timeout and drop the driver-specific one.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable@vger.kernel.org # 2.6.21
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/misc/iowarrior.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -99,10 +99,6 @@ struct iowarrior {
+ /* globals */
+ /*--------------*/
+
+-/*
+- * USB spec identifies 5 second timeouts.
+- */
+-#define GET_TIMEOUT 5
+ #define USB_REQ_GET_REPORT 0x01
+ //#if 0
+ static int usb_get_report(struct usb_device *dev,
+@@ -114,7 +110,7 @@ static int usb_get_report(struct usb_dev
+ USB_DIR_IN | USB_TYPE_CLASS |
+ USB_RECIP_INTERFACE, (type << 8) + id,
+ inter->desc.bInterfaceNumber, buf, size,
+- GET_TIMEOUT*HZ);
++ USB_CTRL_GET_TIMEOUT);
+ }
+ //#endif
+
+@@ -129,7 +125,7 @@ static int usb_set_report(struct usb_int
+ USB_TYPE_CLASS | USB_RECIP_INTERFACE,
+ (type << 8) + id,
+ intf->cur_altsetting->desc.bInterfaceNumber, buf,
+- size, HZ);
++ size, 1000);
+ }
+
+ /*---------------------*/
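Review bot: The bare `1000` passed as the timeout in usb_set_report() reads as a magic number next to `USB_CTRL_GET_TIMEOUT` in the hunk above. It keeps the old one-second value, now expressed in milliseconds, which is shorter than the five-second define the description refers to. A trailing comment such as `size, 1000); /* 1 s, in ms */`, or a named constant, would make it clear the shorter timeout is deliberate and not a missed conversion. The function starts outside the hunk.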
--- /dev/null
+From 910c996335c37552ee30fcb837375b808bb4f33b Mon Sep 17 00:00:00 2001
+From: Wang Hai <wanghai38@huawei.com>
+Date: Fri, 15 Oct 2021 16:55:43 +0800
+Subject: USB: serial: keyspan: fix memleak on probe errors
+
+From: Wang Hai <wanghai38@huawei.com>
+
+commit 910c996335c37552ee30fcb837375b808bb4f33b upstream.
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888258228440 (size 64):
+ comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<ffffffff8167939c>] slab_post_alloc_hook+0x9c/0x490
+ [<ffffffff8167f627>] kmem_cache_alloc_trace+0x1f7/0x470
+ [<ffffffffa02ac0e4>] keyspan_port_probe+0xa4/0x5d0 [keyspan]
+ [<ffffffffa0294c07>] usb_serial_device_probe+0x97/0x1d0 [usbserial]
+ [<ffffffff82b50ca7>] really_probe+0x167/0x460
+ [<ffffffff82b51099>] __driver_probe_device+0xf9/0x180
+ [<ffffffff82b51173>] driver_probe_device+0x53/0x130
+ [<ffffffff82b516f5>] __device_attach_driver+0x105/0x130
+ [<ffffffff82b4cfe9>] bus_for_each_drv+0x129/0x190
+ [<ffffffff82b50a69>] __device_attach+0x1c9/0x270
+ [<ffffffff82b518d0>] device_initial_probe+0x20/0x30
+ [<ffffffff82b4f062>] bus_probe_device+0x142/0x160
+ [<ffffffff82b4a4e9>] device_add+0x829/0x1300
+ [<ffffffffa0295fda>] usb_serial_probe.cold+0xc9b/0x14ac [usbserial]
+ [<ffffffffa02266aa>] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [<ffffffff82b50ca7>] really_probe+0x167/0x460
+
+If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or
+in_buffer[i], the previously allocated memory for out_buffer or
+in_buffer needs to be freed on the error handling path, otherwise a
+memory leak will result.
+
+Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations")
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Signed-off-by: Wang Hai <wanghai38@huawei.com>
+Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com
+Cc: stable@vger.kernel.org # 3.12
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/usb/serial/keyspan.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -2890,22 +2890,22 @@ static int keyspan_port_probe(struct usb
+ for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) {
+ p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL);
+ if (!p_priv->in_buffer[i])
+- goto err_in_buffer;
++ goto err_free_in_buffer;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) {
+ p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL);
+ if (!p_priv->out_buffer[i])
+- goto err_out_buffer;
++ goto err_free_out_buffer;
+ }
+
+ p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL);
+ if (!p_priv->inack_buffer)
+- goto err_inack_buffer;
++ goto err_free_out_buffer;
+
+ p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL);
+ if (!p_priv->outcont_buffer)
+- goto err_outcont_buffer;
++ goto err_free_inack_buffer;
+
+ p_priv->device_details = d_details;
+
+@@ -2951,15 +2951,14 @@ static int keyspan_port_probe(struct usb
+
+ return 0;
+
+-err_outcont_buffer:
++err_free_inack_buffer:
+ kfree(p_priv->inack_buffer);
+-err_inack_buffer:
++err_free_out_buffer:
+ for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i)
+ kfree(p_priv->out_buffer[i]);
+-err_out_buffer:
++err_free_in_buffer:
+ for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i)
+ kfree(p_priv->in_buffer[i]);
+-err_in_buffer:
+ kfree(p_priv);
+
+ return -ENOMEM;
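Review bot: After the relabelling, a failure while allocating `in_buffer[i]` jumps to `err_free_in_buffer`, which calls kfree() on every slot of `in_buffer`, including those not yet allocated. The same holds for `out_buffer` through `err_free_out_buffer`. That is only safe if `p_priv` was zero-initialised when it was allocated, which happens outside both hunks. A one-line comment at the first label would keep a later allocator change from turning this into a free of uninitialised pointers, for example `/* relies on p_priv being zeroed: unallocated slots are NULL, kfree(NULL) is a no-op */`.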