Fixes for 4.14

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-4.14/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch b/queue-4.14/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
new file mode 100644 (file)
index 0000000..e0740e2
--- /dev/null
+++ b/queue-4.14/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
@@ -0,0 +1,38 @@
+From acf48e1b728d8907613972c0630acfbdc0ab4b2d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 12:41:01 +0200
+Subject: clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return
+ value
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Reviewed-by: Neil Armstrong <narmstrong@baylibre.com>
+Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/clocksource/timer-oxnas-rps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c
+index 30c6f4ce672b..cfcd54e66c57 100644
+--- a/drivers/clocksource/timer-oxnas-rps.c
++++ b/drivers/clocksource/timer-oxnas-rps.c
+@@ -247,7 +247,7 @@ static int __init oxnas_rps_timer_init(struct device_node *np)
+       }
+ 
+       rps->irq = irq_of_parse_and_map(np, 0);
+-      if (rps->irq < 0) {
++      if (!rps->irq) {
+               ret = -EINVAL;
+               goto err_iomap;
+       }
+-- 
+2.35.1
+

diff --git a/queue-4.14/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch b/queue-4.14/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
new file mode 100644 (file)
index 0000000..2d7c313
--- /dev/null
+++ b/queue-4.14/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
@@ -0,0 +1,64 @@
+From 91d51d61915457d2fd4ebfa61b94e242a2fe71b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 27 Apr 2022 19:49:03 -0300
+Subject: coresight: cpu-debug: Replace mutex with mutex_trylock on panic
+ notifier
+
+From: Guilherme G. Piccoli <gpiccoli@igalia.com>
+
+[ Upstream commit 1adff542d67a2ed1120955cb219bfff8a9c53f59 ]
+
+The panic notifier infrastructure executes registered callbacks when
+a panic event happens - such callbacks are executed in atomic context,
+with interrupts and preemption disabled in the running CPU and all other
+CPUs disabled. That said, mutexes in such context are not a good idea.
+
+This patch replaces a regular mutex with a mutex_trylock safer approach;
+given the nature of the mutex used in the driver, it should be pretty
+uncommon being unable to acquire such mutex in the panic path, hence
+no functional change should be observed (and if it is, that would be
+likely a deadlock with the regular mutex).
+
+Fixes: 2227b7c74634 ("coresight: add support for CPU debug module")
+Cc: Leo Yan <leo.yan@linaro.org>
+Cc: Mathieu Poirier <mathieu.poirier@linaro.org>
+Cc: Mike Leach <mike.leach@linaro.org>
+Cc: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Guilherme G. Piccoli <gpiccoli@igalia.com>
+Reviewed-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
+Link: https://lore.kernel.org/r/20220427224924.592546-10-gpiccoli@igalia.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+index 2f6f46ea68e9..ccd59ba26609 100644
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -391,9 +391,10 @@ static int debug_notifier_call(struct notifier_block *self,
+       int cpu;
+       struct debug_drvdata *drvdata;
+ 
+-      mutex_lock(&debug_lock);
++      /* Bail out if we can't acquire the mutex or the functionality is off */
++      if (!mutex_trylock(&debug_lock))
++              return NOTIFY_DONE;
+ 
+-      /* Bail out if the functionality is disabled */
+       if (!debug_enable)
+               goto skip_dump;
+ 
+@@ -412,7 +413,7 @@ static int debug_notifier_call(struct notifier_block *self,
+ 
+ skip_dump:
+       mutex_unlock(&debug_lock);
+-      return 0;
++      return NOTIFY_DONE;
+ }
+ 
+ static struct notifier_block debug_notifier = {
+-- 
+2.35.1
+

diff --git a/queue-4.14/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch b/queue-4.14/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
new file mode 100644 (file)
index 0000000..3fa4c2b
--- /dev/null
+++ b/queue-4.14/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
@@ -0,0 +1,42 @@
+From 552cf7d1c22ad1aadf65a0336f336f590d97bacc Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 11 May 2022 11:14:19 +0400
+Subject: firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ]
+
+kobject_init_and_add() takes reference even when it fails.
+According to the doc of kobject_init_and_add()
+
+   If this function returns an error, kobject_put() must be called to
+   properly clean up the memory associated with the object.
+
+Fix this issue by calling kobject_put().
+
+Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/firmware/dmi-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
+index d5de6ee8466d..084948a31d2d 100644
+--- a/drivers/firmware/dmi-sysfs.c
++++ b/drivers/firmware/dmi-sysfs.c
+@@ -602,7 +602,7 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh,
+                                   "%d-%d", dh->type, entry->instance);
+ 
+       if (*ret) {
+-              kfree(entry);
++              kobject_put(&entry->kobj);
+               return;
+       }
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch b/queue-4.14/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
new file mode 100644 (file)
index 0000000..a108cc9
--- /dev/null
+++ b/queue-4.14/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
@@ -0,0 +1,68 @@
+From 7683c3e61ad5d76391b6397b7a243f7710c1fd6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 17:38:16 +0800
+Subject: jffs2: fix memory leak in jffs2_do_fill_super
+
+From: Baokun Li <libaokun1@huawei.com>
+
+[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]
+
+If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
+an error, we can observe the following kmemleak report:
+
+--------------------------------------------
+unreferenced object 0xffff888105a65340 (size 64):
+  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+  hex dump (first 32 bytes):
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+  backtrace:
+    [<ffffffff859c45e5>] kmem_cache_alloc_trace+0x475/0x8a0
+    [<ffffffff86160146>] jffs2_sum_init+0x96/0x1a0
+    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
+    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
+    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
+    [...]
+unreferenced object 0xffff8881bd7f0000 (size 65536):
+  comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+  hex dump (first 32 bytes):
+    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
+    bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb  ................
+  backtrace:
+    [<ffffffff858579ba>] kmalloc_order+0xda/0x110
+    [<ffffffff85857a11>] kmalloc_order_trace+0x21/0x130
+    [<ffffffff859c2ed1>] __kmalloc+0x711/0x8a0
+    [<ffffffff86160189>] jffs2_sum_init+0xd9/0x1a0
+    [<ffffffff86140e25>] jffs2_do_mount_fs+0x745/0x2120
+    [<ffffffff86149fec>] jffs2_do_fill_super+0x35c/0x810
+    [<ffffffff8614aae9>] jffs2_fill_super+0x2b9/0x3b0
+    [...]
+--------------------------------------------
+
+This is because the resources allocated in jffs2_sum_init() are not
+released. Call jffs2_sum_exit() to release these resources to solve
+the problem.
+
+Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
+Signed-off-by: Baokun Li <libaokun1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ fs/jffs2/fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
+index b7df9e34ccfd..dd7c6fbd2cc5 100644
+--- a/fs/jffs2/fs.c
++++ b/fs/jffs2/fs.c
+@@ -598,6 +598,7 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
+       jffs2_free_raw_node_refs(c);
+       kvfree(c->blocks);
+       jffs2_clear_xattr_subsystem(c);
++      jffs2_sum_exit(c);
+  out_inohash:
+       kfree(c->inocache_list);
+  out_wbuf:
+-- 
+2.35.1
+

diff --git a/queue-4.14/modpost-fix-removing-numeric-suffixes.patch b/queue-4.14/modpost-fix-removing-numeric-suffixes.patch
new file mode 100644 (file)
index 0000000..679be28
--- /dev/null
+++ b/queue-4.14/modpost-fix-removing-numeric-suffixes.patch
@@ -0,0 +1,58 @@
+From afb17c87bc3f0a1263073f403d190d94f1fbebc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 24 May 2022 17:27:18 +0200
+Subject: modpost: fix removing numeric suffixes
+
+From: Alexander Lobakin <alexandr.lobakin@intel.com>
+
+[ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ]
+
+With the `-z unique-symbol` linker flag or any similar mechanism,
+it is possible to trigger the following:
+
+ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL
+
+The reason is that for now the condition from remove_dot():
+
+if (m && (s[n + m] == '.' || s[n + m] == 0))
+
+which was designed to test if it's a dot or a '\0' after the suffix
+is never satisfied.
+This is due to that `s[n + m]` always points to the last digit of a
+numeric suffix, not on the symbol next to it (from a custom debug
+print added to modpost):
+
+param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0'
+
+So it's off-by-one and was like that since 2014.
+
+Fix this for the sake of any potential upcoming features, but don't
+bother stable-backporting, as it's well hidden -- apart from that
+LD flag, it can be triggered only with GCC LTO which never landed
+upstream.
+
+Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning")
+Signed-off-by: Alexander Lobakin <alexandr.lobakin@intel.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index b6eb929899c5..bc2c860f88ef 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1949,7 +1949,7 @@ static char *remove_dot(char *s)
+ 
+       if (n && s[n]) {
+               size_t m = strspn(s + n + 1, "0123456789");
+-              if (m && (s[n + m] == '.' || s[n + m] == 0))
++              if (m && (s[n + m + 1] == '.' || s[n + m + 1] == 0))
+                       s[n] = 0;
+       }
+       return s;
+-- 
+2.35.1
+

diff --git a/queue-4.14/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch b/queue-4.14/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
new file mode 100644 (file)
index 0000000..0adad81
--- /dev/null
+++ b/queue-4.14/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
@@ -0,0 +1,44 @@
+From 138d83c2d7576e2f0b648d237f719d07bb734c91 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 May 2022 18:52:08 +0400
+Subject: net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28 ]
+
+of_get_child_by_name() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+
+mv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().
+We don't need the device node after it.
+
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Reviewed-by: Marek Behún <kabel@kernel.org>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 7ab4cc0962ac..ef016c9f7c74 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2317,6 +2317,7 @@ static int mv88e6xxx_mdios_register(struct mv88e6xxx_chip *chip,
+        */
+       child = of_get_child_by_name(np, "mdio");
+       err = mv88e6xxx_mdio_register(chip, child, false);
++      of_node_put(child);
+       if (err)
+               return err;
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch b/queue-4.14/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
new file mode 100644 (file)
index 0000000..689fd6a
--- /dev/null
+++ b/queue-4.14/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
@@ -0,0 +1,38 @@
+From afb38fd1bd05ef2f95e4a67bdc0ed52491375f68 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 26 May 2022 11:02:42 +0300
+Subject: net: ethernet: mtk_eth_soc: out of bounds read in
+ mtk_hwlro_get_fdir_entry()
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+[ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ]
+
+The "fsp->location" variable comes from user via ethtool_get_rxnfc().
+Check that it is valid to prevent an out of bounds read.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index dbd16dd5aa04..ade72b46e93c 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1579,6 +1579,9 @@ static int mtk_hwlro_get_fdir_entry(struct net_device *dev,
+       struct ethtool_rx_flow_spec *fsp =
+               (struct ethtool_rx_flow_spec *)&cmd->fs;
+ 
++      if (fsp->location >= ARRAY_SIZE(mac->hwlro_ip))
++              return -EINVAL;
++
+       /* only tcp dst ipv4 is meaningful, others are meaningless */
+       fsp->flow_type = TCP_V4_FLOW;
+       fsp->h_u.tcp_ip4_spec.ip4dst = ntohl(mac->hwlro_ip[fsp->location]);
+-- 
+2.35.1
+

diff --git a/queue-4.14/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch b/queue-4.14/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
new file mode 100644 (file)
index 0000000..f549148
--- /dev/null
+++ b/queue-4.14/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
@@ -0,0 +1,48 @@
+From 196272dcaed2cee2f7b1884211528882989ffbed Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 23 Jan 2022 09:40:31 -0800
+Subject: pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
+
+From: Randy Dunlap <rdunlap@infradead.org>
+
+[ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ]
+
+When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of
+MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due
+to missing DB1XXX symbols. The PCMCIA driver should be restricted
+to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error.
+
+ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+
+Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY")
+Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
+Reported-by: kernel test robot <lkp@intel.com>
+Cc: Arnd Bergmann <arnd@arndb.de>
+Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
+Cc: Kees Cook <keescook@chromium.org>
+Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
+Cc: linux-mips@vger.kernel.org
+Acked-by: Manuel Lauss <manuel.lauss@gmail.com>
+Signed-off-by: Dominik Brodowski <linux@dominikbrodowski.net>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pcmcia/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pcmcia/Kconfig b/drivers/pcmcia/Kconfig
+index d3c378b4db6c..20d85d564b80 100644
+--- a/drivers/pcmcia/Kconfig
++++ b/drivers/pcmcia/Kconfig
+@@ -146,7 +146,7 @@ config TCIC
+ 
+ config PCMCIA_ALCHEMY_DEVBOARD
+       tristate "Alchemy Db/Pb1xxx PCMCIA socket services"
+-      depends on MIPS_ALCHEMY && PCMCIA
++      depends on MIPS_DB1XXX && PCMCIA
+       help
+         Enable this driver of you want PCMCIA support on your Alchemy
+         Db1000, Db/Pb1100, Db/Pb1500, Db/Pb1550, Db/Pb1200, DB1300
+-- 
+2.35.1
+

diff --git a/queue-4.14/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch b/queue-4.14/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch
new file mode 100644 (file)
index 0000000..c5a5271
--- /dev/null
+++ b/queue-4.14/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch
@@ -0,0 +1,49 @@
+From 764ac1a38011497d13db93bb21a89b5af7ca30f8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 May 2022 16:42:53 +0800
+Subject: perf c2c: Fix sorting in percent_rmt_hitm_cmp()
+
+From: Leo Yan <leo.yan@linaro.org>
+
+[ Upstream commit b24192a17337abbf3f44aaa75e15df14a2d0016e ]
+
+The function percent_rmt_hitm_cmp() wrongly uses local HITMs for
+sorting remote HITMs.
+
+Since this function is to sort cache lines for remote HITMs, this patch
+changes to use 'rmt_hitm' field for correct sorting.
+
+Fixes: 9cb3500afc0980c5 ("perf c2c report: Add hitm/store percent related sort keys")
+Signed-off-by: Leo Yan <leo.yan@linaro.org>
+Acked-by: Namhyung Kim <namhyung@kernel.org>
+Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
+Cc: Ingo Molnar <mingo@redhat.com>
+Cc: Jiri Olsa <jolsa@kernel.org>
+Cc: Joe Mario <jmario@redhat.com>
+Cc: Mark Rutland <mark.rutland@arm.com>
+Cc: Peter Zijlstra <peterz@infradead.org>
+Link: https://lore.kernel.org/r/20220530084253.750190-1-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/perf/builtin-c2c.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index 9cbd8b0d5b77..729e5f137963 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -886,8 +886,8 @@ percent_rmt_hitm_cmp(struct perf_hpp_fmt *fmt __maybe_unused,
+       double per_left;
+       double per_right;
+ 
+-      per_left  = PERCENT(left, lcl_hitm);
+-      per_right = PERCENT(right, lcl_hitm);
++      per_left  = PERCENT(left, rmt_hitm);
++      per_right = PERCENT(right, rmt_hitm);
+ 
+       return per_left - per_right;
+ }
+-- 
+2.35.1
+

diff --git a/queue-4.14/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch b/queue-4.14/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
new file mode 100644 (file)
index 0000000..83cba8a
--- /dev/null
+++ b/queue-4.14/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
@@ -0,0 +1,40 @@
+From 6202d3ffcde9f3da5c84b0dd07eb20e646fa5a4e Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 8 Apr 2022 17:22:38 +0200
+Subject: pwm: lp3943: Fix duty calculation in case period was clamped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+
+[ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ]
+
+The hardware only supports periods <= 1.6 ms and if a bigger period is
+requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
+than 1.6 ms and then the duty cycle register is written with a value
+bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.
+
+Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver")
+Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
+Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/pwm/pwm-lp3943.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pwm/pwm-lp3943.c b/drivers/pwm/pwm-lp3943.c
+index fc446d5c19f9..34151fc4cd51 100644
+--- a/drivers/pwm/pwm-lp3943.c
++++ b/drivers/pwm/pwm-lp3943.c
+@@ -128,6 +128,7 @@ static int lp3943_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+       if (err)
+               return err;
+ 
++      duty_ns = min(duty_ns, period_ns);
+       val = (u8)(duty_ns * LP3943_MAX_DUTY / period_ns);
+ 
+       return lp3943_write_byte(lp3943, reg_duty, val);
+-- 
+2.35.1
+

diff --git a/queue-4.14/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch b/queue-4.14/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
new file mode 100644 (file)
index 0000000..3a7d88f
--- /dev/null
+++ b/queue-4.14/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
@@ -0,0 +1,36 @@
+From 3e2d2fad9f53a2939906f0d5bf0a8a5b5551fc8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 22 Apr 2022 12:53:26 +0200
+Subject: rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+
+[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
+Signed-off-by: Bjorn Andersson <bjorn.andersson@linaro.org>
+Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 72d02bfeda9e..781df7a17b56 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1299,7 +1299,7 @@ static int qcom_smd_parse_edge(struct device *dev,
+               edge->name = node->name;
+ 
+       irq = irq_of_parse_and_map(node, 0);
+-      if (irq < 0) {
++      if (!irq) {
+               dev_err(dev, "required smd interrupt missing\n");
+               return -EINVAL;
+       }
+-- 
+2.35.1
+

diff --git a/queue-4.14/rtc-mt6397-check-return-value-after-calling-platform.patch b/queue-4.14/rtc-mt6397-check-return-value-after-calling-platform.patch
new file mode 100644 (file)
index 0000000..fe493e2
--- /dev/null
+++ b/queue-4.14/rtc-mt6397-check-return-value-after-calling-platform.patch
@@ -0,0 +1,38 @@
+From b59f124a69314318641fa29f22c415f82a5e6e6a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 5 May 2022 20:50:43 +0800
+Subject: rtc: mt6397: check return value after calling platform_get_resource()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+[ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
+Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
+Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/rtc/rtc-mt6397.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c
+index c696d9186451..4fdd96f71e11 100644
+--- a/drivers/rtc/rtc-mt6397.c
++++ b/drivers/rtc/rtc-mt6397.c
+@@ -339,6 +339,8 @@ static int mtk_rtc_probe(struct platform_device *pdev)
+               return -ENOMEM;
+ 
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++      if (!res)
++              return -EINVAL;
+       rtc->addr_base = res->start;
+ 
+       res = platform_get_resource(pdev, IORESOURCE_IRQ, 0);
+-- 
+2.35.1
+

diff --git a/queue-4.14/serial-digicolor-usart-don-t-allow-cs5-6.patch b/queue-4.14/serial-digicolor-usart-don-t-allow-cs5-6.patch
new file mode 100644 (file)
index 0000000..318eabf
--- /dev/null
+++ b/queue-4.14/serial-digicolor-usart-don-t-allow-cs5-6.patch
@@ -0,0 +1,46 @@
+From 4cfee3146e396569b3b8c50d6dd46a53167d4942 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:01 +0300
+Subject: serial: digicolor-usart: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in
+the default: block.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART)
+Acked-by: Baruch Siach <baruch@tkos.co.il>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/digicolor-usart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c
+index 794864fac625..74127813e6db 100644
+--- a/drivers/tty/serial/digicolor-usart.c
++++ b/drivers/tty/serial/digicolor-usart.c
+@@ -313,6 +313,8 @@ static void digicolor_uart_set_termios(struct uart_port *port,
+       case CS8:
+       default:
+               config |= UA_CONFIG_CHAR_LEN;
++              termios->c_cflag &= ~CSIZE;
++              termios->c_cflag |= CS8;
+               break;
+       }
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/serial-meson-acquire-port-lock-in-startup.patch b/queue-4.14/serial-meson-acquire-port-lock-in-startup.patch
new file mode 100644 (file)
index 0000000..f2948a6
--- /dev/null
+++ b/queue-4.14/serial-meson-acquire-port-lock-in-startup.patch
@@ -0,0 +1,98 @@
+From 1bf978e22245cc95b9616ff643369d09d8bab80d Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 8 May 2022 12:41:47 +0206
+Subject: serial: meson: acquire port->lock in startup()
+
+From: John Ogness <john.ogness@linutronix.de>
+
+[ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ]
+
+The uart_ops startup() callback is called without interrupts
+disabled and without port->lock locked, relatively late during the
+boot process (from the call path of console_on_rootfs()). If the
+device is a console, it was already previously registered and could
+be actively printing messages.
+
+Since the startup() callback is reading/writing registers used by
+the console write() callback (AML_UART_CONTROL), its access must
+be synchronized using the port->lock. Currently it is not.
+
+The startup() callback is the only function that explicitly enables
+interrupts. Without the synchronization, it is possible that
+interrupts become accidentally permanently disabled.
+
+CPU0                           CPU1
+meson_serial_console_write     meson_uart_startup
+--------------------------     ------------------
+spin_lock(port->lock)
+val = readl(AML_UART_CONTROL)
+uart_console_write()
+                               writel(INT_EN, AML_UART_CONTROL)
+writel(val, AML_UART_CONTROL)
+spin_unlock(port->lock)
+
+Add port->lock synchronization to meson_uart_startup() to avoid
+racing with meson_serial_console_write().
+
+Also add detailed comments to meson_uart_reset() explaining why it
+is *not* using port->lock synchronization.
+
+Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com
+Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver")
+Reported-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Tested-by: Marek Szyprowski <m.szyprowski@samsung.com>
+Reviewed-by: Petr Mladek <pmladek@suse.com>
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Acked-by: Neil Armstrong <narmstrong@baylibre.com>
+Signed-off-by: John Ogness <john.ogness@linutronix.de>
+Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/meson_uart.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+diff --git a/drivers/tty/serial/meson_uart.c b/drivers/tty/serial/meson_uart.c
+index 07c0f98be3ac..2bb5ab508321 100644
+--- a/drivers/tty/serial/meson_uart.c
++++ b/drivers/tty/serial/meson_uart.c
+@@ -253,6 +253,14 @@ static const char *meson_uart_type(struct uart_port *port)
+       return (port->type == PORT_MESON) ? "meson_uart" : NULL;
+ }
+ 
++/*
++ * This function is called only from probe() using a temporary io mapping
++ * in order to perform a reset before setting up the device. Since the
++ * temporarily mapped region was successfully requested, there can be no
++ * console on this port at this time. Hence it is not necessary for this
++ * function to acquire the port->lock. (Since there is no console on this
++ * port at this time, the port->lock is not initialized yet.)
++ */
+ static void meson_uart_reset(struct uart_port *port)
+ {
+       u32 val;
+@@ -267,9 +275,12 @@ static void meson_uart_reset(struct uart_port *port)
+ 
+ static int meson_uart_startup(struct uart_port *port)
+ {
++      unsigned long flags;
+       u32 val;
+       int ret = 0;
+ 
++      spin_lock_irqsave(&port->lock, flags);
++
+       val = readl(port->membase + AML_UART_CONTROL);
+       val |= AML_UART_CLR_ERR;
+       writel(val, port->membase + AML_UART_CONTROL);
+@@ -285,6 +296,8 @@ static int meson_uart_startup(struct uart_port *port)
+       val = (AML_UART_RECV_IRQ(1) | AML_UART_XMIT_IRQ(port->fifosize / 2));
+       writel(val, port->membase + AML_UART_MISC);
+ 
++      spin_unlock_irqrestore(&port->lock, flags);
++
+       ret = request_irq(port->irq, meson_uart_interrupt, 0,
+                         port->name, port);
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/serial-sh-sci-don-t-allow-cs5-6.patch b/queue-4.14/serial-sh-sci-don-t-allow-cs5-6.patch
new file mode 100644 (file)
index 0000000..42f062c
--- /dev/null
+++ b/queue-4.14/serial-sh-sci-don-t-allow-cs5-6.patch
@@ -0,0 +1,50 @@
+From 44da4d0bc54cf45085e5d344c97cd74944f3b69f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:04 +0300
+Subject: serial: sh-sci: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/sh-sci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index 21f81dc08139..f7dd843a3eff 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2267,8 +2267,12 @@ static void sci_set_termios(struct uart_port *port, struct ktermios *termios,
+       unsigned long max_freq = 0;
+       int best_clk = -1;
+ 
+-      if ((termios->c_cflag & CSIZE) == CS7)
++      if ((termios->c_cflag & CSIZE) == CS7) {
+               smr_val |= SCSMR_CHR;
++      } else {
++              termios->c_cflag &= ~CSIZE;
++              termios->c_cflag |= CS8;
++      }
+       if (termios->c_cflag & PARENB)
+               smr_val |= SCSMR_PE;
+       if (termios->c_cflag & PARODD)
+-- 
+2.35.1
+

diff --git a/queue-4.14/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch b/queue-4.14/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
new file mode 100644 (file)
index 0000000..649b760
--- /dev/null
+++ b/queue-4.14/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
@@ -0,0 +1,52 @@
+From 4f7bedfc3f728856959d1122df9bb887f5403ca6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:06 +0300
+Subject: serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
+CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
+to have parity, thus add PARENB.
+
+Incorrect CSIZE results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
+Cc: Srinivas Kandagatla <srinivas.kandagatla@st.com>
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/st-asc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c
+index b313a792b149..44d52c087c56 100644
+--- a/drivers/tty/serial/st-asc.c
++++ b/drivers/tty/serial/st-asc.c
+@@ -545,10 +545,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios,
+       /* set character length */
+       if ((cflag & CSIZE) == CS7) {
+               ctrl_val |= ASC_CTL_MODE_7BIT_PAR;
++              cflag |= PARENB;
+       } else {
+               ctrl_val |= (cflag & PARENB) ?  ASC_CTL_MODE_8BIT_PAR :
+                                               ASC_CTL_MODE_8BIT;
++              cflag &= ~CSIZE;
++              cflag |= CS8;
+       }
++      termios->c_cflag = cflag;
+ 
+       /* set stop bit */
+       ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT;
+-- 
+2.35.1
+

diff --git a/queue-4.14/serial-txx9-don-t-allow-cs5-6.patch b/queue-4.14/serial-txx9-don-t-allow-cs5-6.patch
new file mode 100644 (file)
index 0000000..d8fad60
--- /dev/null
+++ b/queue-4.14/serial-txx9-don-t-allow-cs5-6.patch
@@ -0,0 +1,45 @@
+From bbc3a9055f0ab1f1e94a5dec4ae2a223da09b715 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 19 May 2022 11:18:03 +0300
+Subject: serial: txx9: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+
+[ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ]
+
+Only CS7 and CS8 are supported but CSIZE is not sanitized with
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
+Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/serial_txx9.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_txx9.c b/drivers/tty/serial/serial_txx9.c
+index ba77e72057a9..5d41884f5012 100644
+--- a/drivers/tty/serial/serial_txx9.c
++++ b/drivers/tty/serial/serial_txx9.c
+@@ -652,6 +652,8 @@ serial_txx9_set_termios(struct uart_port *port, struct ktermios *termios,
+       case CS6:       /* not supported */
+       case CS8:
+               cval |= TXX9_SILCR_UMODE_8BIT;
++              termios->c_cflag &= ~CSIZE;
++              termios->c_cflag |= CS8;
+               break;
+       }
+ 
+-- 
+2.35.1
+

diff --git a/queue-4.14/series b/queue-4.14/series
index b128f496a342e61cdd27d74e7a97f9c334c4e9a7..93141ed1995bd45d6bca04c689b4e5f1b0d1f217 100644 (file)
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -138,3 +138,28 @@ phy-qcom-qmp-fix-reset-controller-leak-on-probe-errors.patch
 rdma-rxe-generate-a-completion-for-unsupported-invalid-opcode.patch
 mips-ip27-remove-incorrect-cpu_has_fpu-override.patch
 netfilter-nf_tables-disallow-non-stateful-expression-in-sets-earlier.patch
+pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
+staging-greybus-codecs-fix-type-confusion-of-list-it.patch
+tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
+usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
+usb-usbip-add-missing-device-lock-on-tweak-configura.patch
+usb-storage-karma-fix-rio_karma_init-return.patch
+pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
+rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
+coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
+soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
+rtc-mt6397-check-return-value-after-calling-platform.patch
+serial-meson-acquire-port-lock-in-startup.patch
+serial-digicolor-usart-don-t-allow-cs5-6.patch
+serial-txx9-don-t-allow-cs5-6.patch
+serial-sh-sci-don-t-allow-cs5-6.patch
+serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
+firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
+clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
+net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
+net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
+modpost-fix-removing-numeric-suffixes.patch
+jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
+ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
+tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
+perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch

diff --git a/queue-4.14/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch b/queue-4.14/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
new file mode 100644 (file)
index 0000000..fb4344e
--- /dev/null
+++ b/queue-4.14/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
@@ -0,0 +1,44 @@
+From 8e6b7fd2222f89203753aa4252c35c81baaa7629 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 16 May 2022 11:20:10 +0400
+Subject: soc: rockchip: Fix refcount leak in rockchip_grf_init
+
+From: Miaoqian Lin <linmq006@gmail.com>
+
+[ Upstream commit 9b59588d8be91c96bfb0371e912ceb4f16315dbf ]
+
+of_find_matching_node_and_match returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 4c58063d4258 ("soc: rockchip: add driver handling grf setup")
+Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
+Link: https://lore.kernel.org/r/20220516072013.19731-1-linmq006@gmail.com
+Signed-off-by: Heiko Stuebner <heiko@sntech.de>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/soc/rockchip/grf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index 0931ddb0b384..39f9a7c1d7e0 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -123,12 +123,14 @@ static int __init rockchip_grf_init(void)
+               return -ENODEV;
+       if (!match || !match->data) {
+               pr_err("%s: missing grf data\n", __func__);
++              of_node_put(np);
+               return -EINVAL;
+       }
+ 
+       grf_info = match->data;
+ 
+       grf = syscon_node_to_regmap(np);
++      of_node_put(np);
+       if (IS_ERR(grf)) {
+               pr_err("%s: could not get grf syscon\n", __func__);
+               return PTR_ERR(grf);
+-- 
+2.35.1
+

diff --git a/queue-4.14/staging-greybus-codecs-fix-type-confusion-of-list-it.patch b/queue-4.14/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
new file mode 100644 (file)
index 0000000..f7b229d
--- /dev/null
+++ b/queue-4.14/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
@@ -0,0 +1,44 @@
+From 15a6e870973a0c7b479a377293396a0bcfb0ff08 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 21 Mar 2022 13:36:26 +0100
+Subject: staging: greybus: codecs: fix type confusion of list iterator
+ variable
+
+From: Jakob Koschel <jakobkoschel@gmail.com>
+
+[ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ]
+
+If the list does not exit early then data == NULL and 'module' does not
+point to a valid list element.
+Using 'module' in such a case is not valid and was therefore removed.
+
+Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration")
+Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>
+Reviewed-by: Vaibhav Agarwal <vaibhav.sr@gmail.com>
+Reviewed-by: Mark Greer <mgreer@animalcreek.com>
+Signed-off-by: Jakob Koschel <jakobkoschel@gmail.com>
+Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/staging/greybus/audio_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/greybus/audio_codec.c b/drivers/staging/greybus/audio_codec.c
+index 6ba5a34fcdf2..2e9ec3fe442b 100644
+--- a/drivers/staging/greybus/audio_codec.c
++++ b/drivers/staging/greybus/audio_codec.c
+@@ -622,8 +622,8 @@ static int gbcodec_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
+                       break;
+       }
+       if (!data) {
+-              dev_err(dai->dev, "%s:%s DATA connection missing\n",
+-                      dai->name, module->name);
++              dev_err(dai->dev, "%s DATA connection missing\n",
++                      dai->name);
+               mutex_unlock(&codec->lock);
+               return -ENODEV;
+       }
+-- 
+2.35.1
+

diff --git a/queue-4.14/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch b/queue-4.14/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
new file mode 100644 (file)
index 0000000..9777833
--- /dev/null
+++ b/queue-4.14/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
@@ -0,0 +1,92 @@
+From c303345117ee4255c9a25f8061836116f1708723 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 30 May 2022 14:37:13 -0700
+Subject: tcp: tcp_rtx_synack() can be called from process context
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ]
+
+Laurent reported the enclosed report [1]
+
+This bug triggers with following coditions:
+
+0) Kernel built with CONFIG_DEBUG_PREEMPT=y
+
+1) A new passive FastOpen TCP socket is created.
+   This FO socket waits for an ACK coming from client to be a complete
+   ESTABLISHED one.
+2) A socket operation on this socket goes through lock_sock()
+   release_sock() dance.
+3) While the socket is owned by the user in step 2),
+   a retransmit of the SYN is received and stored in socket backlog.
+4) At release_sock() time, the socket backlog is processed while
+   in process context.
+5) A SYNACK packet is cooked in response of the SYN retransmit.
+6) -> tcp_rtx_synack() is called in process context.
+
+Before blamed commit, tcp_rtx_synack() was always called from BH handler,
+from a timer handler.
+
+Fix this by using TCP_INC_STATS() & NET_INC_STATS()
+which do not assume caller is in non preemptible context.
+
+[1]
+BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180
+caller is tcp_rtx_synack.part.0+0x36/0xc0
+CPU: 10 PID: 2180 Comm: epollpep Tainted: G           OE     5.16.0-0.bpo.4-amd64 #1  Debian 5.16.12-1~bpo11+1
+Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021
+Call Trace:
+ <TASK>
+ dump_stack_lvl+0x48/0x5e
+ check_preemption_disabled+0xde/0xe0
+ tcp_rtx_synack.part.0+0x36/0xc0
+ tcp_rtx_synack+0x8d/0xa0
+ ? kmem_cache_alloc+0x2e0/0x3e0
+ ? apparmor_file_alloc_security+0x3b/0x1f0
+ inet_rtx_syn_ack+0x16/0x30
+ tcp_check_req+0x367/0x610
+ tcp_rcv_state_process+0x91/0xf60
+ ? get_nohz_timer_target+0x18/0x1a0
+ ? lock_timer_base+0x61/0x80
+ ? preempt_count_add+0x68/0xa0
+ tcp_v4_do_rcv+0xbd/0x270
+ __release_sock+0x6d/0xb0
+ release_sock+0x2b/0x90
+ sock_setsockopt+0x138/0x1140
+ ? __sys_getsockname+0x7e/0xc0
+ ? aa_sk_perm+0x3e/0x1a0
+ __sys_setsockopt+0x198/0x1e0
+ __x64_sys_setsockopt+0x21/0x30
+ do_syscall_64+0x38/0xc0
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: Laurent Fasnacht <laurent.fasnacht@proton.ch>
+Acked-by: Neal Cardwell <ncardwell@google.com>
+Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/ipv4/tcp_output.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c
+index 1a5c42c67d42..a231993c81c4 100644
+--- a/net/ipv4/tcp_output.c
++++ b/net/ipv4/tcp_output.c
+@@ -3795,8 +3795,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req)
+       tcp_rsk(req)->txhash = net_tx_rndhash();
+       res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL);
+       if (!res) {
+-              __TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
+-              __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
++              TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS);
++              NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS);
+               if (unlikely(tcp_passive_fastopen(sk)))
+                       tcp_sk(sk)->total_retrans++;
+       }
+-- 
+2.35.1
+

diff --git a/queue-4.14/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch b/queue-4.14/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
new file mode 100644 (file)
index 0000000..82b1aa5
--- /dev/null
+++ b/queue-4.14/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
@@ -0,0 +1,48 @@
+From cf6e42cd0d1bd48999b9cfb65985bb517d35ec24 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 28 Mar 2022 19:58:44 +0800
+Subject: tty: goldfish: Use tty_port_destroy() to destroy port
+
+From: Wang Weiyang <wangweiyang2@huawei.com>
+
+[ Upstream commit 507b05063d1b7a1fcb9f7d7c47586fc4f3508f98 ]
+
+In goldfish_tty_probe(), the port initialized through tty_port_init()
+should be destroyed in error paths.In goldfish_tty_remove(), qtty->port
+also should be destroyed or else might leak resources.
+
+Fix the above by calling tty_port_destroy().
+
+Fixes: 666b7793d4bf ("goldfish: tty driver")
+Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
+Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
+Link: https://lore.kernel.org/r/20220328115844.86032-1-wangweiyang2@huawei.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/goldfish.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c
+index 85a500ddbcaa..1b72321f2d0b 100644
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -414,6 +414,7 @@ static int goldfish_tty_probe(struct platform_device *pdev)
+ err_tty_register_device_failed:
+       free_irq(irq, qtty);
+ err_dec_line_count:
++      tty_port_destroy(&qtty->port);
+       goldfish_tty_current_line_count--;
+       if (goldfish_tty_current_line_count == 0)
+               goldfish_tty_delete_driver();
+@@ -435,6 +436,7 @@ static int goldfish_tty_remove(struct platform_device *pdev)
+       iounmap(qtty->base);
+       qtty->base = NULL;
+       free_irq(qtty->irq, pdev);
++      tty_port_destroy(&qtty->port);
+       goldfish_tty_current_line_count--;
+       if (goldfish_tty_current_line_count == 0)
+               goldfish_tty_delete_driver();
+-- 
+2.35.1
+

diff --git a/queue-4.14/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch b/queue-4.14/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
new file mode 100644 (file)
index 0000000..8b74840
--- /dev/null
+++ b/queue-4.14/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
@@ -0,0 +1,49 @@
+From e5b90859b4f15c7e340da084b45923907474baa6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 10 May 2022 20:31:26 +0800
+Subject: ubi: ubi_create_volume: Fix use-after-free when volume creation
+ failed
+
+From: Zhihao Cheng <chengzhihao1@huawei.com>
+
+[ Upstream commit 8c03a1c21d72210f81cb369cc528e3fde4b45411 ]
+
+There is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
+error handling path:
+
+  ubi_eba_replace_table(vol, eba_tbl)
+    vol->eba_tbl = tbl
+out_mapping:
+  ubi_eba_destroy_table(eba_tbl)   // Free 'eba_tbl'
+out_unlock:
+  put_device(&vol->dev)
+    vol_release
+      kfree(tbl->entries)        // UAF
+
+Fix it by removing redundant 'eba_tbl' releasing.
+Fetch a reproducer in [Link].
+
+Fixes: 493cfaeaa0c9b ("mtd: utilize new cdev_device_add helper function")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
+Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
+Signed-off-by: Richard Weinberger <richard@nod.at>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/mtd/ubi/vmt.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index 8f641448a97a..d32144c0098a 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -315,7 +315,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
+       ubi->volumes[vol_id] = NULL;
+       ubi->vol_count -= 1;
+       spin_unlock(&ubi->volumes_lock);
+-      ubi_eba_destroy_table(eba_tbl);
+ out_acc:
+       spin_lock(&ubi->volumes_lock);
+       ubi->rsvd_pebs -= vol->reserved_pebs;
+-- 
+2.35.1
+

diff --git a/queue-4.14/usb-storage-karma-fix-rio_karma_init-return.patch b/queue-4.14/usb-storage-karma-fix-rio_karma_init-return.patch
new file mode 100644 (file)
index 0000000..2981451
--- /dev/null
+++ b/queue-4.14/usb-storage-karma-fix-rio_karma_init-return.patch
@@ -0,0 +1,63 @@
+From ecf066a6668b60efaa00305c2b98a347a32e35a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 22:43:59 +0800
+Subject: USB: storage: karma: fix rio_karma_init return
+
+From: Lin Ma <linma@zju.edu.cn>
+
+[ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ]
+
+The function rio_karam_init() should return -ENOMEM instead of
+value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.
+
+Similarly, it should return -EIO when rio_karma_send_command() fails.
+
+Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support")
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Lin Ma <linma@zju.edu.cn>
+Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/storage/karma.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/storage/karma.c b/drivers/usb/storage/karma.c
+index b05ba4929f00..89a273e9439f 100644
+--- a/drivers/usb/storage/karma.c
++++ b/drivers/usb/storage/karma.c
+@@ -185,23 +185,24 @@ static void rio_karma_destructor(void *extra)
+ 
+ static int rio_karma_init(struct us_data *us)
+ {
+-      int ret = 0;
+       struct karma_data *data = kzalloc(sizeof(struct karma_data), GFP_NOIO);
+       if (!data)
+-              goto out;
++              return -ENOMEM;
+ 
+       data->recv = kmalloc(RIO_RECV_LEN, GFP_NOIO);
+       if (!data->recv) {
+               kfree(data);
+-              goto out;
++              return -ENOMEM;
+       }
+ 
+       us->extra = data;
+       us->extra_destructor = rio_karma_destructor;
+-      ret = rio_karma_send_command(RIO_ENTER_STORAGE, us);
+-      data->in_storage = (ret == 0);
+-out:
+-      return ret;
++      if (rio_karma_send_command(RIO_ENTER_STORAGE, us))
++              return -EIO;
++
++      data->in_storage = 1;
++
++      return 0;
+ }
+ 
+ static struct scsi_host_template karma_host_template;
+-- 
+2.35.1
+

diff --git a/queue-4.14/usb-usbip-add-missing-device-lock-on-tweak-configura.patch b/queue-4.14/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
new file mode 100644 (file)
index 0000000..b1b8c0b
--- /dev/null
+++ b/queue-4.14/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
@@ -0,0 +1,49 @@
+From eca860d2fc9925624d7cecd7197bee86c003c32b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 18:50:55 +0200
+Subject: usb: usbip: add missing device lock on tweak configuration cmd
+
+From: Niels Dossche <dossche.niels@gmail.com>
+
+[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]
+
+The function documentation of usb_set_configuration says that its
+callers should hold the device lock. This lock is held for all
+callsites except tweak_set_configuration_cmd. The code path can be
+executed for example when attaching a remote USB device.
+The solution is to surround the call by the device lock.
+
+This bug was found using my experimental own-developed static analysis
+tool, which reported the missing lock on v5.17.2. I manually verified
+this bug report by doing code review as well. I runtime checked that
+the required lock is not held. I compiled and runtime tested this on
+x86_64 with a USB mouse. After applying this patch, my analyser no
+longer reports this potential bug.
+
+Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Niels Dossche <dossche.niels@gmail.com>
+Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/stub_rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
+index cb24b22252e4..bf4a6dca95c6 100644
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -152,7 +152,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+       req = (struct usb_ctrlrequest *) urb->setup_packet;
+       config = le16_to_cpu(req->wValue);
+ 
++      usb_lock_device(sdev->udev);
+       err = usb_set_configuration(sdev->udev, config);
++      usb_unlock_device(sdev->udev);
+       if (err && err != -ENODEV)
+               dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
+                       config, err);
+-- 
+2.35.1
+

diff --git a/queue-4.14/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch b/queue-4.14/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
new file mode 100644 (file)
index 0000000..c823a75
--- /dev/null
+++ b/queue-4.14/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
@@ -0,0 +1,49 @@
+From b23806dc4cad39af5cece8108eb38151c4673134 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 12 Apr 2022 10:02:57 +0800
+Subject: usb: usbip: fix a refcount leak in stub_probe()
+
+From: Hangyu Hua <hbh25y@gmail.com>
+
+[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]
+
+usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
+after that, usb_put_dev() needs to be called to release the reference.
+
+Fix this by moving usb_put_dev() to sdev_free error path handling.
+
+Find this by code review.
+
+Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
+Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
+Signed-off-by: Hangyu Hua <hbh25y@gmail.com>
+Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/usb/usbip/stub_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
+index 1b3aad59d6c9..16bb3197d658 100644
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -441,7 +441,6 @@ static int stub_probe(struct usb_device *udev)
+                            (struct usb_dev_state *) udev);
+ err_port:
+       dev_set_drvdata(&udev->dev, NULL);
+-      usb_put_dev(udev);
+ 
+       /* we already have busid_priv, just lock busid_lock */
+       spin_lock(&busid_priv->busid_lock);
+@@ -456,6 +455,7 @@ static int stub_probe(struct usb_device *udev)
+       put_busid_priv(busid_priv);
+ 
+ sdev_free:
++      usb_put_dev(udev);
+       stub_device_free(sdev);
+ 
+       return rc;
+-- 
+2.35.1
+