From: Greg Kroah-Hartman Date: Fri, 1 Apr 2022 10:38:53 +0000 (+0200) Subject: 5.17-stable patches X-Git-Tag: v4.14.275~30 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=162f0d40d1c50c3d2754a5d07b55732f550ef3d0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.17-stable patches added patches: cifs-fix-handlecache-and-multiuser.patch cifs-truncate-the-inode-and-mapping-when-we-simulate-fcollapse.patch cifs-we-do-not-need-a-spinlock-around-the-tree-access-during-umount.patch clk-rockchip-re-add-rational-best-approximation-algorithm-to-the-fractional-divider.patch clk-uniphier-fix-fixed-rate-initialization.patch coresight-fix-trcconfigr.qe-sysfs-interface.patch coresight-syscfg-fix-memleak-on-registration-failure-in-cscfg_create_device.patch docs-sphinx-requirements-limit-jinja2-3.1.patch documentation-add-link-to-stable-release-candidate-tree.patch documentation-update-stable-tree-link.patch dt-bindings-iio-adc-zynqmp_ams-add-clock-entry.patch f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch firmware-sysfb-fix-platform-device-leak-in-error-path.patch greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch iio-accel-mma8452-use-the-correct-logic-to-get-mma8452_data.patch iio-adc-aspeed-add-divider-flag-to-fix-incorrect-voltage-reading.patch iio-adc-xilinx-ams-fix-single-channel-switching-sequence.patch iio-adc-xilinx-ams-fixed-missing-ps-channels.patch iio-adc-xilinx-ams-fixed-wrong-sequencer-register-settings.patch iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch iio-imu-st_lsm6dsx-use-dev_to_iio_dev-to-get-iio_dev-struct.patch iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch iio-inkern-make-a-best-effort-on-offset-calculation.patch keys-asymmetric-enforce-that-sig-algo-matches-key-algo.patch keys-asymmetric-properly-validate-hash_algo-and-encoding.patch keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch mm-mlock-fix-two-bugs-in-user_shm_lock.patch mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch mtd-spi-nor-skip-erase-logic-when-spi_nor_no_erase-is-set.patch net-bnxt_ptp-fix-compilation-error.patch nfs-nfsv2-v3-clients-should-never-be-setting-nfs_cap_xattr.patch nfsd-prevent-integer-overflow-on-32-bit-systems.patch nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch pinctrl-ingenic-fix-regmap-on-x-series-socs.patch pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch remoteproc-fix-count-check-in-rproc_coredump_write.patch serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch spi-mxic-fix-the-transmit-path.patch sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch sunrpc-do-not-dereference-non-socket-transports-in-sysfs.patch --- diff --git a/queue-5.17/cifs-fix-handlecache-and-multiuser.patch b/queue-5.17/cifs-fix-handlecache-and-multiuser.patch new file mode 100644 index 00000000000..883bcda00b8 --- /dev/null +++ b/queue-5.17/cifs-fix-handlecache-and-multiuser.patch @@ -0,0 +1,80 @@ +From 47178c7722ac528ea08aa82c3ef9ffa178962d7a Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Fri, 4 Mar 2022 10:31:49 +1000 +Subject: cifs: fix handlecache and multiuser + +From: Ronnie Sahlberg + +commit 47178c7722ac528ea08aa82c3ef9ffa178962d7a upstream. + +In multiuser each individual user has their own tcon structure for the +share and thus their own handle for a cached directory. +When we umount such a share we much make sure to release the pinned down dentry +for each such tcon and not just the master tcon. + +Otherwise we will get nasty warnings on umount that dentries are still in use: +[ 3459.590047] BUG: Dentry 00000000115c6f41{i=12000000019d95,n=/} still in use\ + (2) [unmount of cifs cifs] +... +[ 3459.590492] Call Trace: +[ 3459.590500] d_walk+0x61/0x2a0 +[ 3459.590518] ? shrink_lock_dentry.part.0+0xe0/0xe0 +[ 3459.590526] shrink_dcache_for_umount+0x49/0x110 +[ 3459.590535] generic_shutdown_super+0x1a/0x110 +[ 3459.590542] kill_anon_super+0x14/0x30 +[ 3459.590549] cifs_kill_sb+0xf5/0x104 [cifs] +[ 3459.590773] deactivate_locked_super+0x36/0xa0 +[ 3459.590782] cleanup_mnt+0x131/0x190 +[ 3459.590789] task_work_run+0x5c/0x90 +[ 3459.590798] exit_to_user_mode_loop+0x151/0x160 +[ 3459.590809] exit_to_user_mode_prepare+0x83/0xd0 +[ 3459.590818] syscall_exit_to_user_mode+0x12/0x30 +[ 3459.590828] do_syscall_64+0x48/0x90 +[ 3459.590833] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Signed-off-by: Ronnie Sahlberg +Acked-by: Paulo Alcantara (SUSE) +Cc: stable@vger.kernel.org +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -254,6 +254,9 @@ static void cifs_kill_sb(struct super_bl + struct cifs_sb_info *cifs_sb = CIFS_SB(sb); + struct cifs_tcon *tcon; + struct cached_fid *cfid; ++ struct rb_root *root = &cifs_sb->tlink_tree; ++ struct rb_node *node; ++ struct tcon_link *tlink; + + /* + * We ned to release all dentries for the cached directories +@@ -263,17 +266,21 @@ static void cifs_kill_sb(struct super_bl + dput(cifs_sb->root); + cifs_sb->root = NULL; + } +- tcon = cifs_sb_master_tcon(cifs_sb); +- if (tcon) { ++ spin_lock(&cifs_sb->tlink_tree_lock); ++ node = rb_first(root); ++ while (node != NULL) { ++ tlink = rb_entry(node, struct tcon_link, tl_rbnode); ++ tcon = tlink_tcon(tlink); + cfid = &tcon->crfid; + mutex_lock(&cfid->fid_mutex); + if (cfid->dentry) { +- + dput(cfid->dentry); + cfid->dentry = NULL; + } + mutex_unlock(&cfid->fid_mutex); ++ node = rb_next(node); + } ++ spin_unlock(&cifs_sb->tlink_tree_lock); + + kill_anon_super(sb); + cifs_umount(cifs_sb); diff --git a/queue-5.17/cifs-truncate-the-inode-and-mapping-when-we-simulate-fcollapse.patch b/queue-5.17/cifs-truncate-the-inode-and-mapping-when-we-simulate-fcollapse.patch new file mode 100644 index 00000000000..227620eae3f --- /dev/null +++ b/queue-5.17/cifs-truncate-the-inode-and-mapping-when-we-simulate-fcollapse.patch @@ -0,0 +1,99 @@ +From 84330d41efb12bc227899e54dbdbe7d9590cb2b7 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Wed, 23 Feb 2022 11:14:16 +1000 +Subject: cifs: truncate the inode and mapping when we simulate fcollapse + +From: Ronnie Sahlberg + +commit 84330d41efb12bc227899e54dbdbe7d9590cb2b7 upstream. + +RHBZ:1997367 + +When we collapse a range in smb3_collapse_range() we must make sure +we update the inode size and pagecache accordingly. + +If not, both inode size and pagecahce may be stale until it is refreshed. + +This can be demonstrated for the inode size by running : + +xfs_io -i -f -c "truncate 320k" -c "fcollapse 64k 128k" -c "fiemap -v" \ +/mnt/testfile + +where we can see the result of stale data in the fiemap output. +The third line of the output is wrong, all this data should be truncated. + + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..127]: hole 128 + 1: [128..383]: 128..383 256 0x1 + 2: [384..639]: hole 256 + +And the correct output, when the inode size has been updated correctly should +look like this: + + EXT: FILE-OFFSET BLOCK-RANGE TOTAL FLAGS + 0: [0..127]: hole 128 + 1: [128..383]: 128..383 256 0x1 + +Reported-by: Xiaoli Feng +Reported-by: kernel test robot +Cc: stable@vger.kernel.org +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/smb2ops.c | 18 ++++++++++++++---- + 1 file changed, 14 insertions(+), 4 deletions(-) + +--- a/fs/cifs/smb2ops.c ++++ b/fs/cifs/smb2ops.c +@@ -25,6 +25,7 @@ + #include "smb2glob.h" + #include "cifs_ioctl.h" + #include "smbdirect.h" ++#include "fscache.h" + #include "fs_context.h" + + /* Change credits for different ops and return the total number of credits */ +@@ -3887,29 +3888,38 @@ static long smb3_collapse_range(struct f + { + int rc; + unsigned int xid; ++ struct inode *inode; + struct cifsFileInfo *cfile = file->private_data; ++ struct cifsInodeInfo *cifsi; + __le64 eof; + + xid = get_xid(); + +- if (off >= i_size_read(file->f_inode) || +- off + len >= i_size_read(file->f_inode)) { ++ inode = d_inode(cfile->dentry); ++ cifsi = CIFS_I(inode); ++ ++ if (off >= i_size_read(inode) || ++ off + len >= i_size_read(inode)) { + rc = -EINVAL; + goto out; + } + + rc = smb2_copychunk_range(xid, cfile, cfile, off + len, +- i_size_read(file->f_inode) - off - len, off); ++ i_size_read(inode) - off - len, off); + if (rc < 0) + goto out; + +- eof = cpu_to_le64(i_size_read(file->f_inode) - len); ++ eof = cpu_to_le64(i_size_read(inode) - len); + rc = SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid, + cfile->fid.volatile_fid, cfile->pid, &eof); + if (rc < 0) + goto out; + + rc = 0; ++ ++ cifsi->server_eof = i_size_read(inode) - len; ++ truncate_setsize(inode, cifsi->server_eof); ++ fscache_resize_cookie(cifs_inode_cookie(inode), cifsi->server_eof); + out: + free_xid(xid); + return rc; diff --git a/queue-5.17/cifs-we-do-not-need-a-spinlock-around-the-tree-access-during-umount.patch b/queue-5.17/cifs-we-do-not-need-a-spinlock-around-the-tree-access-during-umount.patch new file mode 100644 index 00000000000..de65a3ee214 --- /dev/null +++ b/queue-5.17/cifs-we-do-not-need-a-spinlock-around-the-tree-access-during-umount.patch @@ -0,0 +1,71 @@ +From 9a14b65d590105d393b63f5320e1594edda7c672 Mon Sep 17 00:00:00 2001 +From: Ronnie Sahlberg +Date: Tue, 15 Mar 2022 13:44:04 +1000 +Subject: cifs: we do not need a spinlock around the tree access during umount + +From: Ronnie Sahlberg + +commit 9a14b65d590105d393b63f5320e1594edda7c672 upstream. + +Remove the spinlock around the tree traversal as we are calling possibly +sleeping functions. +We do not need a spinlock here as there will be no modifications to this +tree at this point. + +This prevents warnings like this to occur in dmesg: +[ 653.774996] BUG: sleeping function called from invalid context at kernel/loc\ +king/mutex.c:280 +[ 653.775088] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 1827, nam\ +e: umount +[ 653.775152] preempt_count: 1, expected: 0 +[ 653.775191] CPU: 0 PID: 1827 Comm: umount Tainted: G W OE 5.17.0\ +-rc7-00006-g4eb628dd74df #135 +[ 653.775195] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-\ +1.fc33 04/01/2014 +[ 653.775197] Call Trace: +[ 653.775199] +[ 653.775202] dump_stack_lvl+0x34/0x44 +[ 653.775209] __might_resched.cold+0x13f/0x172 +[ 653.775213] mutex_lock+0x75/0xf0 +[ 653.775217] ? __mutex_lock_slowpath+0x10/0x10 +[ 653.775220] ? _raw_write_lock_irq+0xd0/0xd0 +[ 653.775224] ? dput+0x6b/0x360 +[ 653.775228] cifs_kill_sb+0xff/0x1d0 [cifs] +[ 653.775285] deactivate_locked_super+0x85/0x130 +[ 653.775289] cleanup_mnt+0x32c/0x4d0 +[ 653.775292] ? path_umount+0x228/0x380 +[ 653.775296] task_work_run+0xd8/0x180 +[ 653.775301] exit_to_user_mode_loop+0x152/0x160 +[ 653.775306] exit_to_user_mode_prepare+0x89/0xd0 +[ 653.775315] syscall_exit_to_user_mode+0x12/0x30 +[ 653.775322] do_syscall_64+0x48/0x90 +[ 653.775326] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 187af6e98b44e5d8f25e1d41a92db138eb54416f ("cifs: fix handlecache and multiuser") +Reported-by: kernel test robot +Cc: stable@vger.kernel.org +Signed-off-by: Ronnie Sahlberg +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/cifs/cifsfs.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/fs/cifs/cifsfs.c ++++ b/fs/cifs/cifsfs.c +@@ -266,7 +266,6 @@ static void cifs_kill_sb(struct super_bl + dput(cifs_sb->root); + cifs_sb->root = NULL; + } +- spin_lock(&cifs_sb->tlink_tree_lock); + node = rb_first(root); + while (node != NULL) { + tlink = rb_entry(node, struct tcon_link, tl_rbnode); +@@ -280,7 +279,6 @@ static void cifs_kill_sb(struct super_bl + mutex_unlock(&cfid->fid_mutex); + node = rb_next(node); + } +- spin_unlock(&cifs_sb->tlink_tree_lock); + + kill_anon_super(sb); + cifs_umount(cifs_sb); diff --git a/queue-5.17/clk-rockchip-re-add-rational-best-approximation-algorithm-to-the-fractional-divider.patch b/queue-5.17/clk-rockchip-re-add-rational-best-approximation-algorithm-to-the-fractional-divider.patch new file mode 100644 index 00000000000..2e50aff721a --- /dev/null +++ b/queue-5.17/clk-rockchip-re-add-rational-best-approximation-algorithm-to-the-fractional-divider.patch @@ -0,0 +1,56 @@ +From 10b74af310735860510a533433b1d3ab2e05a138 Mon Sep 17 00:00:00 2001 +From: Quentin Schulz +Date: Mon, 31 Jan 2022 17:32:24 +0100 +Subject: clk: rockchip: re-add rational best approximation algorithm to the fractional divider + +From: Quentin Schulz + +commit 10b74af310735860510a533433b1d3ab2e05a138 upstream. + +In commit 4e7cf74fa3b2 ("clk: fractional-divider: Export approximation +algorithm to the CCF users"), the code handling the rational best +approximation algorithm was replaced by a call to the core +clk_fractional_divider_general_approximation function which did the same +thing back then. + +However, in commit 82f53f9ee577 ("clk: fractional-divider: Introduce +POWER_OF_TWO_PS flag"), this common code was made conditional on +CLK_FRAC_DIVIDER_POWER_OF_TWO_PS flag which was not added back to the +rockchip clock driver. + +This broke the ltk050h3146w-a2 MIPI DSI display present on a PX30-based +downstream board. + +Let's add the flag to the fractional divider flags so that the original +and intended behavior is brought back to the rockchip clock drivers. + +Fixes: 82f53f9ee577 ("clk: fractional-divider: Introduce POWER_OF_TWO_PS flag") +Cc: stable@vger.kernel.org +Cc: Quentin Schulz +Signed-off-by: Quentin Schulz +Link: https://lore.kernel.org/r/20220131163224.708002-1-quentin.schulz@theobroma-systems.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/rockchip/clk.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/clk/rockchip/clk.c ++++ b/drivers/clk/rockchip/clk.c +@@ -180,6 +180,7 @@ static void rockchip_fractional_approxim + unsigned long rate, unsigned long *parent_rate, + unsigned long *m, unsigned long *n) + { ++ struct clk_fractional_divider *fd = to_clk_fd(hw); + unsigned long p_rate, p_parent_rate; + struct clk_hw *p_parent; + +@@ -190,6 +191,8 @@ static void rockchip_fractional_approxim + *parent_rate = p_parent_rate; + } + ++ fd->flags |= CLK_FRAC_DIVIDER_POWER_OF_TWO_PS; ++ + clk_fractional_divider_general_approximation(hw, rate, parent_rate, m, n); + } + diff --git a/queue-5.17/clk-uniphier-fix-fixed-rate-initialization.patch b/queue-5.17/clk-uniphier-fix-fixed-rate-initialization.patch new file mode 100644 index 00000000000..0a5d3a4ea6e --- /dev/null +++ b/queue-5.17/clk-uniphier-fix-fixed-rate-initialization.patch @@ -0,0 +1,35 @@ +From ca85a66710a8a1f6b0719397225c3e9ee0abb692 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Wed, 9 Mar 2022 15:55:18 +0900 +Subject: clk: uniphier: Fix fixed-rate initialization + +From: Kunihiko Hayashi + +commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream. + +Fixed-rate clocks in UniPhier don't have any parent clocks, however, +initial data "init.flags" isn't initialized, so it might be determined +that there is a parent clock for fixed-rate clock. + +This sets init.flags to zero as initialization. + +Cc: +Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c ++++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c +@@ -24,6 +24,7 @@ struct clk_hw *uniphier_clk_register_fix + + init.name = name; + init.ops = &clk_fixed_rate_ops; ++ init.flags = 0; + init.parent_names = NULL; + init.num_parents = 0; + diff --git a/queue-5.17/coresight-fix-trcconfigr.qe-sysfs-interface.patch b/queue-5.17/coresight-fix-trcconfigr.qe-sysfs-interface.patch new file mode 100644 index 00000000000..164d205791f --- /dev/null +++ b/queue-5.17/coresight-fix-trcconfigr.qe-sysfs-interface.patch @@ -0,0 +1,56 @@ +From ea75a342aed5ed72c87f38fbe0df2f5df7eae374 Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Thu, 20 Jan 2022 11:30:47 +0000 +Subject: coresight: Fix TRCCONFIGR.QE sysfs interface + +From: James Clark + +commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream. + +It's impossible to program a valid value for TRCCONFIGR.QE +when TRCIDR0.QSUPP==0b10. In that case the following is true: + + Q element support is implemented, and only supports Q elements without + instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11. + +Currently the low bit of QSUPP is checked to see if the low bit of QE can +be written to, but as you can see when QSUPP==0b10 the low bit is cleared +making it impossible to ever write the only valid value of 0b11 to QE. +0b10 would be written instead, which is a reserved QE value even for all +values of QSUPP. + +The fix is to allow writing the low bit of QE for any non zero value of +QSUPP. + +This change also ensures that the low bit is always set, even when the +user attempts to only set the high bit. + +Signed-off-by: James Clark +Reviewed-by: Mike Leach +Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -367,8 +367,12 @@ static ssize_t mode_store(struct device + mode = ETM_MODE_QELEM(config->mode); + /* start by clearing QE bits */ + config->cfg &= ~(BIT(13) | BIT(14)); +- /* if supported, Q elements with instruction counts are enabled */ +- if ((mode & BIT(0)) && (drvdata->q_support & BIT(0))) ++ /* ++ * if supported, Q elements with instruction counts are enabled. ++ * Always set the low bit for any requested mode. Valid combos are ++ * 0b00, 0b01 and 0b11. ++ */ ++ if (mode && drvdata->q_support) + config->cfg |= BIT(13); + /* + * if supported, Q elements with and without instruction diff --git a/queue-5.17/coresight-syscfg-fix-memleak-on-registration-failure-in-cscfg_create_device.patch b/queue-5.17/coresight-syscfg-fix-memleak-on-registration-failure-in-cscfg_create_device.patch new file mode 100644 index 00000000000..f45bb9ad7a8 --- /dev/null +++ b/queue-5.17/coresight-syscfg-fix-memleak-on-registration-failure-in-cscfg_create_device.patch @@ -0,0 +1,39 @@ +From cfa5dbcdd7aece76f3415284569f2f384aff0253 Mon Sep 17 00:00:00 2001 +From: Miaoqian Lin +Date: Mon, 24 Jan 2022 12:41:21 +0000 +Subject: coresight: syscfg: Fix memleak on registration failure in cscfg_create_device + +From: Miaoqian Lin + +commit cfa5dbcdd7aece76f3415284569f2f384aff0253 upstream. + +device_register() calls device_initialize(), +according to doc of device_initialize: + + Use put_device() to give up your reference instead of freeing + * @dev directly once you have called this function. + +To prevent potential memleak, use put_device() for error handling. + +Signed-off-by: Miaoqian Lin +Fixes: 85e2414c518a ("coresight: syscfg: Initial coresight system configuration") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220124124121.8888-1-linmq006@gmail.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-syscfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-syscfg.c ++++ b/drivers/hwtracing/coresight/coresight-syscfg.c +@@ -1049,7 +1049,7 @@ static int cscfg_create_device(void) + + err = device_register(dev); + if (err) +- cscfg_dev_release(dev); ++ put_device(dev); + + create_dev_exit_unlock: + mutex_unlock(&cscfg_mutex); diff --git a/queue-5.17/docs-sphinx-requirements-limit-jinja2-3.1.patch b/queue-5.17/docs-sphinx-requirements-limit-jinja2-3.1.patch new file mode 100644 index 00000000000..bf90232dd39 --- /dev/null +++ b/queue-5.17/docs-sphinx-requirements-limit-jinja2-3.1.patch @@ -0,0 +1,33 @@ +From be78837ca3c88eebd405103a7a2ce891c466b0db Mon Sep 17 00:00:00 2001 +From: Akira Yokosawa +Date: Tue, 29 Mar 2022 15:07:02 +0900 +Subject: docs: sphinx/requirements: Limit jinja2<3.1 + +From: Akira Yokosawa + +commit be78837ca3c88eebd405103a7a2ce891c466b0db upstream. + +jinja2 release 3.1.0 (March 24, 2022) broke Sphinx<4.0. +This looks like the result of deprecating Python 3.6. +It has been tested against Sphinx 4.3.0 and later. + +Setting an upper limit of <3.1 to junja2 can unbreak Sphinx<4.0 +including Sphinx 2.4.4. + +Signed-off-by: Akira Yokosawa +Cc: Mauro Carvalho Chehab +Cc: stable@vger.kernel.org # v5.15+ +Link: https://lore.kernel.org/r/7dbff8a0-f4ff-34a0-71c7-1987baf471f9@gmail.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/sphinx/requirements.txt | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/Documentation/sphinx/requirements.txt ++++ b/Documentation/sphinx/requirements.txt +@@ -1,2 +1,4 @@ ++# jinja2>=3.1 is not compatible with Sphinx<4.0 ++jinja2<3.1 + sphinx_rtd_theme + Sphinx==2.4.4 diff --git a/queue-5.17/documentation-add-link-to-stable-release-candidate-tree.patch b/queue-5.17/documentation-add-link-to-stable-release-candidate-tree.patch new file mode 100644 index 00000000000..07b9e47c558 --- /dev/null +++ b/queue-5.17/documentation-add-link-to-stable-release-candidate-tree.patch @@ -0,0 +1,42 @@ +From 587d39b260c4d090166314d64be70b1f6a26b0b5 Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:28 +0700 +Subject: Documentation: add link to stable release candidate tree + +From: Bagas Sanjaya + +commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream. + +There is also stable release candidate tree. Mention it, however with a +warning that the tree is for testing purposes. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -170,6 +170,15 @@ Trees + + https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git + ++ - The release candidate of all stable kernel versions can be found at: ++ ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/ ++ ++ .. warning:: ++ The -stable-rc tree is a snapshot in time of the stable-queue tree and ++ will change frequently, hence will be rebased often. It should only be ++ used for testing purposes (e.g. to be consumed by CI systems). ++ + + Review committee + ---------------- diff --git a/queue-5.17/documentation-update-stable-tree-link.patch b/queue-5.17/documentation-update-stable-tree-link.patch new file mode 100644 index 00000000000..520d880d0d8 --- /dev/null +++ b/queue-5.17/documentation-update-stable-tree-link.patch @@ -0,0 +1,36 @@ +From 555d44932c67e617d89bc13c81c7efac5b51fcfa Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:29 +0700 +Subject: Documentation: update stable tree link + +From: Bagas Sanjaya + +commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream. + +The link to stable tree is redirected to +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update +accordingly. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -168,7 +168,7 @@ Trees + - The finalized and tagged releases of all stable kernels can be found + in separate branches per version at: + +- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git + + - The release candidate of all stable kernel versions can be found at: + diff --git a/queue-5.17/dt-bindings-iio-adc-zynqmp_ams-add-clock-entry.patch b/queue-5.17/dt-bindings-iio-adc-zynqmp_ams-add-clock-entry.patch new file mode 100644 index 00000000000..babf5b02e8d --- /dev/null +++ b/queue-5.17/dt-bindings-iio-adc-zynqmp_ams-add-clock-entry.patch @@ -0,0 +1,61 @@ +From 5165102efa41c2aedc77441612f4506a8a8671db Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 27 Jan 2022 11:34:47 -0600 +Subject: dt-bindings: iio: adc: zynqmp_ams: Add clock entry + +From: Robert Hancock + +commit 5165102efa41c2aedc77441612f4506a8a8671db upstream. + +The AMS driver DT binding was missing the clock entry, which is actually +mandatory according to the driver implementation. Add this in. + +Fixes: 39dd2d1e251d ("dt-bindings: iio: adc: Add Xilinx AMS binding documentation") +Signed-off-by: Robert Hancock +Reviewed-by: Rob Herring +Acked-by: Michal Simek +Link: https://lore.kernel.org/r/20220127173450.3684318-2-robert.hancock@calian.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml ++++ b/Documentation/devicetree/bindings/iio/adc/xlnx,zynqmp-ams.yaml +@@ -92,6 +92,10 @@ properties: + description: AMS Controller register space + maxItems: 1 + ++ clocks: ++ items: ++ - description: AMS reference clock ++ + ranges: + description: + Maps the child address space for PS and/or PL. +@@ -181,12 +185,15 @@ properties: + required: + - compatible + - reg ++ - clocks + - ranges + + additionalProperties: false + + examples: + - | ++ #include ++ + bus { + #address-cells = <2>; + #size-cells = <2>; +@@ -196,6 +203,7 @@ examples: + interrupt-parent = <&gic>; + interrupts = <0 56 4>; + reg = <0x0 0xffa50000 0x0 0x800>; ++ clocks = <&zynqmp_clk AMS_REF>; + #address-cells = <1>; + #size-cells = <1>; + #io-channel-cells = <1>; diff --git a/queue-5.17/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch b/queue-5.17/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch new file mode 100644 index 00000000000..f542298a18c --- /dev/null +++ b/queue-5.17/f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch @@ -0,0 +1,76 @@ +From 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Mon, 21 Mar 2022 23:22:11 +0800 +Subject: f2fs: fix to do sanity check on .cp_pack_total_block_count + +From: Chao Yu + +commit 5b5b4f85b01604389f7a0f11ef180a725bf0e2d4 upstream. + +As bughunter reported in bugzilla: + +https://bugzilla.kernel.org/show_bug.cgi?id=215709 + +f2fs may hang when mounting a fuzzed image, the dmesg shows as below: + +__filemap_get_folio+0x3a9/0x590 +pagecache_get_page+0x18/0x60 +__get_meta_page+0x95/0x460 [f2fs] +get_checkpoint_version+0x2a/0x1e0 [f2fs] +validate_checkpoint+0x8e/0x2a0 [f2fs] +f2fs_get_valid_checkpoint+0xd0/0x620 [f2fs] +f2fs_fill_super+0xc01/0x1d40 [f2fs] +mount_bdev+0x18a/0x1c0 +f2fs_mount+0x15/0x20 [f2fs] +legacy_get_tree+0x28/0x50 +vfs_get_tree+0x27/0xc0 +path_mount+0x480/0xaa0 +do_mount+0x7c/0xa0 +__x64_sys_mount+0x8b/0xe0 +do_syscall_64+0x38/0xc0 +entry_SYSCALL_64_after_hwframe+0x44/0xae + +The root cause is cp_pack_total_block_count field in checkpoint was fuzzed +to one, as calcuated, two cp pack block locates in the same block address, +so then read latter cp pack block, it will block on the page lock due to +the lock has already held when reading previous cp pack block, fix it by +adding sanity check for cp_pack_total_block_count. + +Cc: stable@vger.kernel.org +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/checkpoint.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/checkpoint.c ++++ b/fs/f2fs/checkpoint.c +@@ -864,6 +864,7 @@ static struct page *validate_checkpoint( + struct page *cp_page_1 = NULL, *cp_page_2 = NULL; + struct f2fs_checkpoint *cp_block = NULL; + unsigned long long cur_version = 0, pre_version = 0; ++ unsigned int cp_blocks; + int err; + + err = get_checkpoint_version(sbi, cp_addr, &cp_block, +@@ -871,15 +872,16 @@ static struct page *validate_checkpoint( + if (err) + return NULL; + +- if (le32_to_cpu(cp_block->cp_pack_total_block_count) > +- sbi->blocks_per_seg) { ++ cp_blocks = le32_to_cpu(cp_block->cp_pack_total_block_count); ++ ++ if (cp_blocks > sbi->blocks_per_seg || cp_blocks <= F2FS_CP_PACKS) { + f2fs_warn(sbi, "invalid cp_pack_total_block_count:%u", + le32_to_cpu(cp_block->cp_pack_total_block_count)); + goto invalid_cp; + } + pre_version = *version; + +- cp_addr += le32_to_cpu(cp_block->cp_pack_total_block_count) - 1; ++ cp_addr += cp_blocks - 1; + err = get_checkpoint_version(sbi, cp_addr, &cp_block, + &cp_page_2, version); + if (err) diff --git a/queue-5.17/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch b/queue-5.17/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch new file mode 100644 index 00000000000..1bc99bea69d --- /dev/null +++ b/queue-5.17/f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch @@ -0,0 +1,43 @@ +From 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb Mon Sep 17 00:00:00 2001 +From: Chao Yu +Date: Fri, 4 Feb 2022 11:21:14 +0800 +Subject: f2fs: fix to unlock page correctly in error path of is_alive() + +From: Chao Yu + +commit 6d18762ed5cd549fde74fd0e05d4d87bac5a3beb upstream. + +As Pavel Machek reported in below link [1]: + +After commit 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()"), +node page should be unlock via calling f2fs_put_page() in the error path +of is_alive(), otherwise, f2fs may hang when it tries to lock the node +page, fix it. + +[1] https://lore.kernel.org/stable/20220124203637.GA19321@duo.ucw.cz/ + +Fixes: 77900c45ee5c ("f2fs: fix to do sanity check in is_alive()") +Cc: +Reported-by: Pavel Machek +Signed-off-by: Pavel Machek +Signed-off-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/gc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/f2fs/gc.c ++++ b/fs/f2fs/gc.c +@@ -1038,8 +1038,10 @@ static bool is_alive(struct f2fs_sb_info + set_sbi_flag(sbi, SBI_NEED_FSCK); + } + +- if (f2fs_check_nid_range(sbi, dni->ino)) ++ if (f2fs_check_nid_range(sbi, dni->ino)) { ++ f2fs_put_page(node_page, 1); + return false; ++ } + + *nofs = ofs_of_node(node_page); + source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node); diff --git a/queue-5.17/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch b/queue-5.17/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch new file mode 100644 index 00000000000..947505ba8dc --- /dev/null +++ b/queue-5.17/f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch @@ -0,0 +1,95 @@ +From 680af5b824a52faa819167628665804a14f0e0df Mon Sep 17 00:00:00 2001 +From: Juhyung Park +Date: Tue, 15 Feb 2022 17:27:21 +0900 +Subject: f2fs: quota: fix loop condition at f2fs_quota_sync() + +From: Juhyung Park + +commit 680af5b824a52faa819167628665804a14f0e0df upstream. + +cnt should be passed to sb_has_quota_active() instead of type to check +active quota properly. + +Moreover, when the type is -1, the compiler with enough inline knowledge +can discard sb_has_quota_active() check altogether, causing a NULL pointer +dereference at the following inode_lock(dqopt->files[cnt]): + +[ 2.796010] Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a0 +[ 2.796024] Mem abort info: +[ 2.796025] ESR = 0x96000005 +[ 2.796028] EC = 0x25: DABT (current EL), IL = 32 bits +[ 2.796029] SET = 0, FnV = 0 +[ 2.796031] EA = 0, S1PTW = 0 +[ 2.796032] Data abort info: +[ 2.796034] ISV = 0, ISS = 0x00000005 +[ 2.796035] CM = 0, WnR = 0 +[ 2.796046] user pgtable: 4k pages, 39-bit VAs, pgdp=00000003370d1000 +[ 2.796048] [00000000000000a0] pgd=0000000000000000, pud=0000000000000000 +[ 2.796051] Internal error: Oops: 96000005 [#1] PREEMPT SMP +[ 2.796056] CPU: 7 PID: 640 Comm: f2fs_ckpt-259:7 Tainted: G S 5.4.179-arter97-r8-64666-g2f16e087f9d8 #1 +[ 2.796057] Hardware name: Qualcomm Technologies, Inc. Lahaina MTP lemonadep (DT) +[ 2.796059] pstate: 80c00005 (Nzcv daif +PAN +UAO) +[ 2.796065] pc : down_write+0x28/0x70 +[ 2.796070] lr : f2fs_quota_sync+0x100/0x294 +[ 2.796071] sp : ffffffa3f48ffc30 +[ 2.796073] x29: ffffffa3f48ffc30 x28: 0000000000000000 +[ 2.796075] x27: ffffffa3f6d718b8 x26: ffffffa415fe9d80 +[ 2.796077] x25: ffffffa3f7290048 x24: 0000000000000001 +[ 2.796078] x23: 0000000000000000 x22: ffffffa3f7290000 +[ 2.796080] x21: ffffffa3f72904a0 x20: ffffffa3f7290110 +[ 2.796081] x19: ffffffa3f77a9800 x18: ffffffc020aae038 +[ 2.796083] x17: ffffffa40e38e040 x16: ffffffa40e38e6d0 +[ 2.796085] x15: ffffffa40e38e6cc x14: ffffffa40e38e6d0 +[ 2.796086] x13: 00000000000004f6 x12: 00162c44ff493000 +[ 2.796088] x11: 0000000000000400 x10: ffffffa40e38c948 +[ 2.796090] x9 : 0000000000000000 x8 : 00000000000000a0 +[ 2.796091] x7 : 0000000000000000 x6 : 0000d1060f00002a +[ 2.796093] x5 : ffffffa3f48ff718 x4 : 000000000000000d +[ 2.796094] x3 : 00000000060c0000 x2 : 0000000000000001 +[ 2.796096] x1 : 0000000000000000 x0 : 00000000000000a0 +[ 2.796098] Call trace: +[ 2.796100] down_write+0x28/0x70 +[ 2.796102] f2fs_quota_sync+0x100/0x294 +[ 2.796104] block_operations+0x120/0x204 +[ 2.796106] f2fs_write_checkpoint+0x11c/0x520 +[ 2.796107] __checkpoint_and_complete_reqs+0x7c/0xd34 +[ 2.796109] issue_checkpoint_thread+0x6c/0xb8 +[ 2.796112] kthread+0x138/0x414 +[ 2.796114] ret_from_fork+0x10/0x18 +[ 2.796117] Code: aa0803e0 aa1f03e1 52800022 aa0103e9 (c8e97d02) +[ 2.796120] ---[ end trace 96e942e8eb6a0b53 ]--- +[ 2.800116] Kernel panic - not syncing: Fatal exception +[ 2.800120] SMP: stopping secondary CPUs + +Fixes: 9de71ede81e6 ("f2fs: quota: fix potential deadlock") +Cc: # v5.15+ +Signed-off-by: Juhyung Park +Reviewed-by: Chao Yu +Signed-off-by: Jaegeuk Kim +Signed-off-by: Greg Kroah-Hartman +--- + fs/f2fs/super.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/f2fs/super.c ++++ b/fs/f2fs/super.c +@@ -2688,7 +2688,7 @@ int f2fs_quota_sync(struct super_block * + struct f2fs_sb_info *sbi = F2FS_SB(sb); + struct quota_info *dqopt = sb_dqopt(sb); + int cnt; +- int ret; ++ int ret = 0; + + /* + * Now when everything is written we can discard the pagecache so +@@ -2699,8 +2699,8 @@ int f2fs_quota_sync(struct super_block * + if (type != -1 && cnt != type) + continue; + +- if (!sb_has_quota_active(sb, type)) +- return 0; ++ if (!sb_has_quota_active(sb, cnt)) ++ continue; + + inode_lock(dqopt->files[cnt]); + diff --git a/queue-5.17/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch b/queue-5.17/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch new file mode 100644 index 00000000000..c80b70b158e --- /dev/null +++ b/queue-5.17/firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch @@ -0,0 +1,35 @@ +From b850b7a8b369322adf699ef48ceff4d902525c8c Mon Sep 17 00:00:00 2001 +From: Ang Tien Sung +Date: Wed, 23 Feb 2022 08:41:46 -0600 +Subject: firmware: stratix10-svc: add missing callback parameter on RSU + +From: Ang Tien Sung + +commit b850b7a8b369322adf699ef48ceff4d902525c8c upstream. + +Fix a bug whereby, the return response of parameter a1 from an +SMC call is not properly set to the callback data during an +INTEL_SIP_SMC_RSU_ERROR command. + +Link: https://lore.kernel.org/lkml/20220216081513.28319-1-tien.sung.ang@intel.com +Fixes: 6b50d882d38d ("firmware: add remote status update client support") +Cc: stable@vger.kernel.org +Signed-off-by: Ang Tien Sung +Signed-off-by: Dinh Nguyen +Link: https://lore.kernel.org/r/20220223144146.399263-1-dinguyen@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/stratix10-svc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/stratix10-svc.c ++++ b/drivers/firmware/stratix10-svc.c +@@ -477,7 +477,7 @@ static int svc_normal_to_secure_thread(v + case INTEL_SIP_SMC_RSU_ERROR: + pr_err("%s: STATUS_ERROR\n", __func__); + cbdata->status = BIT(SVC_STATUS_ERROR); +- cbdata->kaddr1 = NULL; ++ cbdata->kaddr1 = &res.a1; + cbdata->kaddr2 = NULL; + cbdata->kaddr3 = NULL; + pdata->chan->scl->receive_cb(pdata->chan->scl, cbdata); diff --git a/queue-5.17/firmware-sysfb-fix-platform-device-leak-in-error-path.patch b/queue-5.17/firmware-sysfb-fix-platform-device-leak-in-error-path.patch new file mode 100644 index 00000000000..06ae78f048c --- /dev/null +++ b/queue-5.17/firmware-sysfb-fix-platform-device-leak-in-error-path.patch @@ -0,0 +1,57 @@ +From 202c08914ba50dd324e42d5ad99535a89f242560 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 3 Mar 2022 19:05:19 +0100 +Subject: firmware: sysfb: fix platform-device leak in error path + +From: Johan Hovold + +commit 202c08914ba50dd324e42d5ad99535a89f242560 upstream. + +Make sure to free the platform device also in the unlikely event that +registration fails. + +Fixes: 0589e8889dce ("drivers/firmware: Add missing platform_device_put() in sysfb_create_simplefb") +Fixes: 8633ef82f101 ("drivers/firmware: consolidate EFI framebuffer setup for all arches") +Cc: stable@vger.kernel.org # 5.14 +Cc: Miaoqian Lin +Cc: Javier Martinez Canillas +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220303180519.3117-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/sysfb_simplefb.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/firmware/sysfb_simplefb.c ++++ b/drivers/firmware/sysfb_simplefb.c +@@ -113,16 +113,21 @@ __init int sysfb_create_simplefb(const s + sysfb_apply_efi_quirks(pd); + + ret = platform_device_add_resources(pd, &res, 1); +- if (ret) { +- platform_device_put(pd); +- return ret; +- } ++ if (ret) ++ goto err_put_device; + + ret = platform_device_add_data(pd, mode, sizeof(*mode)); +- if (ret) { +- platform_device_put(pd); +- return ret; +- } ++ if (ret) ++ goto err_put_device; + +- return platform_device_add(pd); ++ ret = platform_device_add(pd); ++ if (ret) ++ goto err_put_device; ++ ++ return 0; ++ ++err_put_device: ++ platform_device_put(pd); ++ ++ return ret; + } diff --git a/queue-5.17/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch b/queue-5.17/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch new file mode 100644 index 00000000000..a7b10b43a8b --- /dev/null +++ b/queue-5.17/greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch @@ -0,0 +1,41 @@ +From 5f8583a3b7552092582a92e7bbd2153319929ad7 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 2 Feb 2022 12:33:45 +0100 +Subject: greybus: svc: fix an error handling bug in gb_svc_hello() + +From: Dan Carpenter + +commit 5f8583a3b7552092582a92e7bbd2153319929ad7 upstream. + +Cleanup if gb_svc_queue_deferred_request() fails. + +Link: https://lore.kernel.org/r/20220202072016.GA6748@kili +Fixes: ee2f2074fdb2 ("greybus: svc: reconfig APBridgeA-Switch link to handle required load") +Cc: stable@vger.kernel.org # 4.9 +[johan: fix commit summary prefix and rename label ] +Signed-off-by: Dan Carpenter +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220202113347.1288-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/greybus/svc.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/greybus/svc.c ++++ b/drivers/greybus/svc.c +@@ -866,8 +866,14 @@ static int gb_svc_hello(struct gb_operat + + gb_svc_debugfs_init(svc); + +- return gb_svc_queue_deferred_request(op); ++ ret = gb_svc_queue_deferred_request(op); ++ if (ret) ++ goto err_remove_debugfs; + ++ return 0; ++ ++err_remove_debugfs: ++ gb_svc_debugfs_exit(svc); + err_unregister_device: + gb_svc_watchdog_destroy(svc); + device_del(&svc->dev); diff --git a/queue-5.17/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch b/queue-5.17/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch new file mode 100644 index 00000000000..1d044a08119 --- /dev/null +++ b/queue-5.17/hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch @@ -0,0 +1,92 @@ +From f97ec5d75e9261a5da78dc28a8955b7cc0c4468b Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Tue, 8 Feb 2022 21:09:47 -0800 +Subject: HID: intel-ish-hid: Use dma_alloc_coherent for firmware update + +From: Gwendal Grignou + +commit f97ec5d75e9261a5da78dc28a8955b7cc0c4468b upstream. + +Allocating memory with kmalloc and GPF_DMA32 is not allowed, the +allocator will ignore the attribute. + +Instead, use dma_alloc_coherent() API as we allocate a small amount of +memory to transfer firmware fragment to the ISH. + +On Arcada chromebook, after the patch the warning: +"Unexpected gfp: 0x4 (GFP_DMA32). Fixing up to gfp: 0xcc0 (GFP_KERNEL). Fix your code!" +is gone. The ISH firmware is loaded properly and we can interact with +the ISH: +> ectool --name cros_ish version +... +Build info: arcada_ish_v2.0.3661+3c1a1c1ae0 2022-02-08 05:37:47 @localhost +Tool version: v2.0.12300-900b03ec7f 2022-02-08 10:01:48 @localhost + +Fixes: commit 91b228107da3 ("HID: intel-ish-hid: ISH firmware loader client driver") +Signed-off-by: Gwendal Grignou +Acked-by: Srinivas Pandruvada +Cc: stable@vger.kernel.org +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/intel-ish-hid/ishtp-fw-loader.c | 29 ++-------------------------- + 1 file changed, 3 insertions(+), 26 deletions(-) + +--- a/drivers/hid/intel-ish-hid/ishtp-fw-loader.c ++++ b/drivers/hid/intel-ish-hid/ishtp-fw-loader.c +@@ -661,21 +661,12 @@ static int ish_fw_xfer_direct_dma(struct + */ + payload_max_size &= ~(L1_CACHE_BYTES - 1); + +- dma_buf = kmalloc(payload_max_size, GFP_KERNEL | GFP_DMA32); ++ dma_buf = dma_alloc_coherent(devc, payload_max_size, &dma_buf_phy, GFP_KERNEL); + if (!dma_buf) { + client_data->flag_retry = true; + return -ENOMEM; + } + +- dma_buf_phy = dma_map_single(devc, dma_buf, payload_max_size, +- DMA_TO_DEVICE); +- if (dma_mapping_error(devc, dma_buf_phy)) { +- dev_err(cl_data_to_dev(client_data), "DMA map failed\n"); +- client_data->flag_retry = true; +- rv = -ENOMEM; +- goto end_err_dma_buf_release; +- } +- + ldr_xfer_dma_frag.fragment.hdr.command = LOADER_CMD_XFER_FRAGMENT; + ldr_xfer_dma_frag.fragment.xfer_mode = LOADER_XFER_MODE_DIRECT_DMA; + ldr_xfer_dma_frag.ddr_phys_addr = (u64)dma_buf_phy; +@@ -695,14 +686,7 @@ static int ish_fw_xfer_direct_dma(struct + ldr_xfer_dma_frag.fragment.size = fragment_size; + memcpy(dma_buf, &fw->data[fragment_offset], fragment_size); + +- dma_sync_single_for_device(devc, dma_buf_phy, +- payload_max_size, +- DMA_TO_DEVICE); +- +- /* +- * Flush cache here because the dma_sync_single_for_device() +- * does not do for x86. +- */ ++ /* Flush cache to be sure the data is in main memory. */ + clflush_cache_range(dma_buf, payload_max_size); + + dev_dbg(cl_data_to_dev(client_data), +@@ -725,15 +709,8 @@ static int ish_fw_xfer_direct_dma(struct + fragment_offset += fragment_size; + } + +- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE); +- kfree(dma_buf); +- return 0; +- + end_err_resp_buf_release: +- /* Free ISH buffer if not done already, in error case */ +- dma_unmap_single(devc, dma_buf_phy, payload_max_size, DMA_TO_DEVICE); +-end_err_dma_buf_release: +- kfree(dma_buf); ++ dma_free_coherent(devc, payload_max_size, dma_buf, dma_buf_phy); + return rv; + } + diff --git a/queue-5.17/iio-accel-mma8452-use-the-correct-logic-to-get-mma8452_data.patch b/queue-5.17/iio-accel-mma8452-use-the-correct-logic-to-get-mma8452_data.patch new file mode 100644 index 00000000000..7c1a49e1542 --- /dev/null +++ b/queue-5.17/iio-accel-mma8452-use-the-correct-logic-to-get-mma8452_data.patch @@ -0,0 +1,53 @@ +From c87b7b12f48db86ac9909894f4dc0107d7df6375 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Tue, 22 Feb 2022 10:42:21 +0800 +Subject: iio: accel: mma8452: use the correct logic to get mma8452_data + +From: Haibo Chen + +commit c87b7b12f48db86ac9909894f4dc0107d7df6375 upstream. + +The original logic to get mma8452_data is wrong, the *dev point to +the device belong to iio_dev. we can't use this dev to find the +correct i2c_client. The original logic happen to work because it +finally use dev->driver_data to get iio_dev. Here use the API +to_i2c_client() is wrong and make reader confuse. To correct the +logic, it should be like this + + struct mma8452_data *data = iio_priv(dev_get_drvdata(dev)); + +But after commit 8b7651f25962 ("iio: iio_device_alloc(): Remove +unnecessary self drvdata"), the upper logic also can't work. +When try to show the avialable scale in userspace, will meet kernel +dump, kernel handle NULL pointer dereference. + +So use dev_to_iio_dev() to correct the logic. + +Dual fixes tags as the second reflects when the bug was exposed, whilst +the first reflects when the original bug was introduced. + +Fixes: c3cdd6e48e35 ("iio: mma8452: refactor for seperating chip specific data") +Fixes: 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata") +Signed-off-by: Haibo Chen +Reviewed-by: Martin Kepplinger +Cc: +Link: https://lore.kernel.org/r/1645497741-5402-1-git-send-email-haibo.chen@nxp.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/accel/mma8452.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/accel/mma8452.c ++++ b/drivers/iio/accel/mma8452.c +@@ -379,8 +379,8 @@ static ssize_t mma8452_show_scale_avail( + struct device_attribute *attr, + char *buf) + { +- struct mma8452_data *data = iio_priv(i2c_get_clientdata( +- to_i2c_client(dev))); ++ struct iio_dev *indio_dev = dev_to_iio_dev(dev); ++ struct mma8452_data *data = iio_priv(indio_dev); + + return mma8452_show_int_plus_micros(buf, data->chip_info->mma_scales, + ARRAY_SIZE(data->chip_info->mma_scales)); diff --git a/queue-5.17/iio-adc-aspeed-add-divider-flag-to-fix-incorrect-voltage-reading.patch b/queue-5.17/iio-adc-aspeed-add-divider-flag-to-fix-incorrect-voltage-reading.patch new file mode 100644 index 00000000000..36c04ab1cda --- /dev/null +++ b/queue-5.17/iio-adc-aspeed-add-divider-flag-to-fix-incorrect-voltage-reading.patch @@ -0,0 +1,43 @@ +From 571426631acf46e2999c7ecd1e9d048172969a43 Mon Sep 17 00:00:00 2001 +From: Billy Tsai +Date: Mon, 21 Feb 2022 09:27:05 +0800 +Subject: iio: adc: aspeed: Add divider flag to fix incorrect voltage reading. + +From: Billy Tsai + +commit 571426631acf46e2999c7ecd1e9d048172969a43 upstream. + +The formula for the ADC sampling period in ast2400/ast2500 is: +ADC clock period = PCLK * 2 * (ADC0C[31:17] + 1) * (ADC0C[9:0]) +When ADC0C[9:0] is set to 0 the sampling voltage will be lower than +expected, because the hardware may not have enough time to +charge/discharge to a stable voltage. This patch use the flag +CLK_DIVIDER_ONE_BASED which will use the raw value read from the +register, with the value of zero considered invalid to conform to the +corrected formula. + +Fixes: 573803234e72 ("iio: Aspeed ADC") +Reported-by: Konstantin Klubnichkin +Signed-off-by: Billy Tsai +Reviewed-by: Joel Stanley +Link: https://lore.kernel.org/r/20220221012705.22008-1-billy_tsai@aspeedtech.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/aspeed_adc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/aspeed_adc.c ++++ b/drivers/iio/adc/aspeed_adc.c +@@ -539,7 +539,9 @@ static int aspeed_adc_probe(struct platf + data->clk_scaler = devm_clk_hw_register_divider( + &pdev->dev, clk_name, clk_parent_name, scaler_flags, + data->base + ASPEED_REG_CLOCK_CONTROL, 0, +- data->model_data->scaler_bit_width, 0, &data->clk_lock); ++ data->model_data->scaler_bit_width, ++ data->model_data->need_prescaler ? CLK_DIVIDER_ONE_BASED : 0, ++ &data->clk_lock); + if (IS_ERR(data->clk_scaler)) + return PTR_ERR(data->clk_scaler); + diff --git a/queue-5.17/iio-adc-xilinx-ams-fix-single-channel-switching-sequence.patch b/queue-5.17/iio-adc-xilinx-ams-fix-single-channel-switching-sequence.patch new file mode 100644 index 00000000000..864ff50465f --- /dev/null +++ b/queue-5.17/iio-adc-xilinx-ams-fix-single-channel-switching-sequence.patch @@ -0,0 +1,66 @@ +From 0bf126163c3e7e6d722622073046aed567a5551e Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 27 Jan 2022 11:34:50 -0600 +Subject: iio: adc: xilinx-ams: Fix single channel switching sequence + +From: Robert Hancock + +commit 0bf126163c3e7e6d722622073046aed567a5551e upstream. + +Some of the AMS channels need to be read by switching into single-channel +mode from the normal polling sequence. There was a logic issue in this +switching code that could cause the first read of these channels to read +back as zero. + +It appears that the sequencer should be set back to default mode before +changing the channel selection, and the channel should be set before +switching the sequencer back into single-channel mode. + +Also, write 1 to the EOC bit in the status register to clear it before +waiting for it to become set, so that we actually wait for a new +conversion to complete, and don't proceed based on a previous conversion +completing. + +Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver") +Signed-off-by: Robert Hancock +Acked-by: Michal Simek +Link: https://lore.kernel.org/r/20220127173450.3684318-5-robert.hancock@calian.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/xilinx-ams.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/xilinx-ams.c ++++ b/drivers/iio/adc/xilinx-ams.c +@@ -530,14 +530,18 @@ static int ams_enable_single_channel(str + return -EINVAL; + } + +- /* set single channel, sequencer off mode */ ++ /* put sysmon in a soft reset to change the sequence */ + ams_ps_update_reg(ams, AMS_REG_CONFIG1, AMS_CONF1_SEQ_MASK, +- AMS_CONF1_SEQ_SINGLE_CHANNEL); ++ AMS_CONF1_SEQ_DEFAULT); + + /* write the channel number */ + ams_ps_update_reg(ams, AMS_REG_CONFIG0, AMS_CONF0_CHANNEL_NUM_MASK, + channel_num); + ++ /* set single channel, sequencer off mode */ ++ ams_ps_update_reg(ams, AMS_REG_CONFIG1, AMS_CONF1_SEQ_MASK, ++ AMS_CONF1_SEQ_SINGLE_CHANNEL); ++ + return 0; + } + +@@ -551,6 +555,8 @@ static int ams_read_vcc_reg(struct ams * + if (ret) + return ret; + ++ /* clear end-of-conversion flag, wait for next conversion to complete */ ++ writel(expect, ams->base + AMS_ISR_1); + ret = readl_poll_timeout(ams->base + AMS_ISR_1, reg, (reg & expect), + AMS_INIT_POLL_TIME_US, AMS_INIT_TIMEOUT_US); + if (ret) diff --git a/queue-5.17/iio-adc-xilinx-ams-fixed-missing-ps-channels.patch b/queue-5.17/iio-adc-xilinx-ams-fixed-missing-ps-channels.patch new file mode 100644 index 00000000000..3c07b2223f1 --- /dev/null +++ b/queue-5.17/iio-adc-xilinx-ams-fixed-missing-ps-channels.patch @@ -0,0 +1,34 @@ +From 1f21a41578062d439cc485bce2d8b664f9a6170e Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 27 Jan 2022 11:34:48 -0600 +Subject: iio: adc: xilinx-ams: Fixed missing PS channels + +From: Robert Hancock + +commit 1f21a41578062d439cc485bce2d8b664f9a6170e upstream. + +The code forgot to increment num_channels for the PS channel inputs, +resulting in them not being enabled as they should. + +Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver") +Signed-off-by: Robert Hancock +Reviewed-by: Michael Tretter +Acked-by: Michal Simek +Link: https://lore.kernel.org/r/20220127173450.3684318-3-robert.hancock@calian.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/xilinx-ams.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iio/adc/xilinx-ams.c ++++ b/drivers/iio/adc/xilinx-ams.c +@@ -1230,6 +1230,7 @@ static int ams_init_module(struct iio_de + + /* add PS channels to iio device channels */ + memcpy(channels, ams_ps_channels, sizeof(ams_ps_channels)); ++ num_channels = ARRAY_SIZE(ams_ps_channels); + } else if (fwnode_property_match_string(fwnode, "compatible", + "xlnx,zynqmp-ams-pl") == 0) { + ams->pl_base = fwnode_iomap(fwnode, 0); diff --git a/queue-5.17/iio-adc-xilinx-ams-fixed-wrong-sequencer-register-settings.patch b/queue-5.17/iio-adc-xilinx-ams-fixed-wrong-sequencer-register-settings.patch new file mode 100644 index 00000000000..fa5f8e6c1ad --- /dev/null +++ b/queue-5.17/iio-adc-xilinx-ams-fixed-wrong-sequencer-register-settings.patch @@ -0,0 +1,37 @@ +From d5d786fb531697be74c567b3844c6897ddf1ffdd Mon Sep 17 00:00:00 2001 +From: Robert Hancock +Date: Thu, 27 Jan 2022 11:34:49 -0600 +Subject: iio: adc: xilinx-ams: Fixed wrong sequencer register settings + +From: Robert Hancock + +commit d5d786fb531697be74c567b3844c6897ddf1ffdd upstream. + +Register settings used for the sequencer configuration register +were incorrect, causing some inputs to not be read properly. + +Fixes: d5c70627a794 ("iio: adc: Add Xilinx AMS driver") +Signed-off-by: Robert Hancock +Reviewed-by: Michael Tretter +Acked-by: Michal Simek +Link: https://lore.kernel.org/r/20220127173450.3684318-4-robert.hancock@calian.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/xilinx-ams.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/adc/xilinx-ams.c ++++ b/drivers/iio/adc/xilinx-ams.c +@@ -91,8 +91,8 @@ + + #define AMS_CONF1_SEQ_MASK GENMASK(15, 12) + #define AMS_CONF1_SEQ_DEFAULT FIELD_PREP(AMS_CONF1_SEQ_MASK, 0) +-#define AMS_CONF1_SEQ_CONTINUOUS FIELD_PREP(AMS_CONF1_SEQ_MASK, 1) +-#define AMS_CONF1_SEQ_SINGLE_CHANNEL FIELD_PREP(AMS_CONF1_SEQ_MASK, 2) ++#define AMS_CONF1_SEQ_CONTINUOUS FIELD_PREP(AMS_CONF1_SEQ_MASK, 2) ++#define AMS_CONF1_SEQ_SINGLE_CHANNEL FIELD_PREP(AMS_CONF1_SEQ_MASK, 3) + + #define AMS_REG_SEQ0_MASK GENMASK(15, 0) + #define AMS_REG_SEQ2_MASK GENMASK(21, 16) diff --git a/queue-5.17/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch b/queue-5.17/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch new file mode 100644 index 00000000000..11db5730413 --- /dev/null +++ b/queue-5.17/iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch @@ -0,0 +1,50 @@ +From 51593106b608ae4247cc8da928813347da16d025 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:07 -0500 +Subject: iio: afe: rescale: use s64 for temporary scale calculations + +From: Liam Beguin + +commit 51593106b608ae4247cc8da928813347da16d025 upstream. + +All four scaling coefficients can take signed values. +Make tmp a signed 64-bit integer and switch to div_s64() to preserve +signs during 64-bit divisions. + +Fixes: 8b74816b5a9a ("iio: afe: rescale: new driver") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-5-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/afe/iio-rescale.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/iio/afe/iio-rescale.c ++++ b/drivers/iio/afe/iio-rescale.c +@@ -39,7 +39,7 @@ static int rescale_read_raw(struct iio_d + int *val, int *val2, long mask) + { + struct rescale *rescale = iio_priv(indio_dev); +- unsigned long long tmp; ++ s64 tmp; + int ret; + + switch (mask) { +@@ -77,10 +77,10 @@ static int rescale_read_raw(struct iio_d + *val2 = rescale->denominator; + return IIO_VAL_FRACTIONAL; + case IIO_VAL_FRACTIONAL_LOG2: +- tmp = *val * 1000000000LL; +- do_div(tmp, rescale->denominator); ++ tmp = (s64)*val * 1000000000LL; ++ tmp = div_s64(tmp, rescale->denominator); + tmp *= rescale->numerator; +- do_div(tmp, 1000000000LL); ++ tmp = div_s64(tmp, 1000000000LL); + *val = tmp; + return ret; + default: diff --git a/queue-5.17/iio-imu-st_lsm6dsx-use-dev_to_iio_dev-to-get-iio_dev-struct.patch b/queue-5.17/iio-imu-st_lsm6dsx-use-dev_to_iio_dev-to-get-iio_dev-struct.patch new file mode 100644 index 00000000000..d8359c14072 --- /dev/null +++ b/queue-5.17/iio-imu-st_lsm6dsx-use-dev_to_iio_dev-to-get-iio_dev-struct.patch @@ -0,0 +1,42 @@ +From 6270bf1f0197739a9cddaf0a40699a99b7357cb5 Mon Sep 17 00:00:00 2001 +From: Haibo Chen +Date: Thu, 24 Feb 2022 19:29:51 +0800 +Subject: iio: imu: st_lsm6dsx: use dev_to_iio_dev() to get iio_dev struct + +From: Haibo Chen + +commit 6270bf1f0197739a9cddaf0a40699a99b7357cb5 upstream. + +dev_get_drvdata() on iio_dev->dev no longer returns the iio_dev. +Use dev_to_iio_dev() to get iio_dev struct. + +Fixes: 8b7651f25962 ("iio: iio_device_alloc(): Remove unnecessary self drvdata") +Signed-off-by: Haibo Chen +Link: https://lore.kernel.org/r/1645702191-9400-1-git-send-email-haibo.chen@nxp.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c ++++ b/drivers/iio/imu/st_lsm6dsx/st_lsm6dsx_core.c +@@ -1633,7 +1633,7 @@ st_lsm6dsx_sysfs_sampling_frequency_avai + struct device_attribute *attr, + char *buf) + { +- struct st_lsm6dsx_sensor *sensor = iio_priv(dev_get_drvdata(dev)); ++ struct st_lsm6dsx_sensor *sensor = iio_priv(dev_to_iio_dev(dev)); + const struct st_lsm6dsx_odr_table_entry *odr_table; + int i, len = 0; + +@@ -1651,7 +1651,7 @@ static ssize_t st_lsm6dsx_sysfs_scale_av + struct device_attribute *attr, + char *buf) + { +- struct st_lsm6dsx_sensor *sensor = iio_priv(dev_get_drvdata(dev)); ++ struct st_lsm6dsx_sensor *sensor = iio_priv(dev_to_iio_dev(dev)); + const struct st_lsm6dsx_fs_table_entry *fs_table; + struct st_lsm6dsx_hw *hw = sensor->hw; + int i, len = 0; diff --git a/queue-5.17/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch b/queue-5.17/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch new file mode 100644 index 00000000000..67aaef5c29e --- /dev/null +++ b/queue-5.17/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch @@ -0,0 +1,42 @@ +From 1bca97ff95c732a516ebb68da72814194980e0a5 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:04 -0500 +Subject: iio: inkern: apply consumer scale on IIO_VAL_INT cases + +From: Liam Beguin + +commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream. + +When a consumer calls iio_read_channel_processed() and the channel has +an integer scale, the scale channel scale is applied and the processed +value is returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -616,7 +616,7 @@ static int iio_convert_raw_to_processed_ + + switch (scale_type) { + case IIO_VAL_INT: +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + break; + case IIO_VAL_INT_PLUS_MICRO: + if (scale_val2 < 0) diff --git a/queue-5.17/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch b/queue-5.17/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch new file mode 100644 index 00000000000..82105893580 --- /dev/null +++ b/queue-5.17/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch @@ -0,0 +1,47 @@ +From 14b457fdde38de594a4bc4bd9075019319d978da Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:05 -0500 +Subject: iio: inkern: apply consumer scale when no channel scale is available + +From: Liam Beguin + +commit 14b457fdde38de594a4bc4bd9075019319d978da upstream. + +When a consumer calls iio_read_channel_processed() and no channel scale +is available, it's assumed that the scale is one and the raw value is +returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -607,10 +607,10 @@ static int iio_convert_raw_to_processed_ + IIO_CHAN_INFO_SCALE); + if (scale_type < 0) { + /* +- * Just pass raw values as processed if no scaling is +- * available. ++ * If no channel scaling is available apply consumer scale to ++ * raw value and return. + */ +- *processed = raw; ++ *processed = raw * scale; + return 0; + } + diff --git a/queue-5.17/iio-inkern-make-a-best-effort-on-offset-calculation.patch b/queue-5.17/iio-inkern-make-a-best-effort-on-offset-calculation.patch new file mode 100644 index 00000000000..a4f1841c51b --- /dev/null +++ b/queue-5.17/iio-inkern-make-a-best-effort-on-offset-calculation.patch @@ -0,0 +1,68 @@ +From ca85123354e1a65a22170286387b4791997fe864 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:06 -0500 +Subject: iio: inkern: make a best effort on offset calculation + +From: Liam Beguin + +commit ca85123354e1a65a22170286387b4791997fe864 upstream. + +iio_convert_raw_to_processed_unlocked() assumes the offset is an +integer. Make a best effort to get a valid offset value for fractional +cases without breaking implicit truncations. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -595,13 +595,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera + static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan, + int raw, int *processed, unsigned int scale) + { +- int scale_type, scale_val, scale_val2, offset; ++ int scale_type, scale_val, scale_val2; ++ int offset_type, offset_val, offset_val2; + s64 raw64 = raw; +- int ret; + +- ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET); +- if (ret >= 0) +- raw64 += offset; ++ offset_type = iio_channel_read(chan, &offset_val, &offset_val2, ++ IIO_CHAN_INFO_OFFSET); ++ if (offset_type >= 0) { ++ switch (offset_type) { ++ case IIO_VAL_INT: ++ break; ++ case IIO_VAL_INT_PLUS_MICRO: ++ case IIO_VAL_INT_PLUS_NANO: ++ /* ++ * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO ++ * implicitely truncate the offset to it's integer form. ++ */ ++ break; ++ case IIO_VAL_FRACTIONAL: ++ offset_val /= offset_val2; ++ break; ++ case IIO_VAL_FRACTIONAL_LOG2: ++ offset_val >>= offset_val2; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ raw64 += offset_val; ++ } + + scale_type = iio_channel_read(chan, &scale_val, &scale_val2, + IIO_CHAN_INFO_SCALE); diff --git a/queue-5.17/keys-asymmetric-enforce-that-sig-algo-matches-key-algo.patch b/queue-5.17/keys-asymmetric-enforce-that-sig-algo-matches-key-algo.patch new file mode 100644 index 00000000000..e0d981e1585 --- /dev/null +++ b/queue-5.17/keys-asymmetric-enforce-that-sig-algo-matches-key-algo.patch @@ -0,0 +1,97 @@ +From 2abc9c246e0548e52985b10440c9ea3e9f65f793 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 7 Feb 2022 21:24:47 -0800 +Subject: KEYS: asymmetric: enforce that sig algo matches key algo + +From: Eric Biggers + +commit 2abc9c246e0548e52985b10440c9ea3e9f65f793 upstream. + +Most callers of public_key_verify_signature(), including most indirect +callers via verify_signature() as well as pkcs7_verify_sig_chain(), +don't check that public_key_signature::pkey_algo matches +public_key::pkey_algo. These should always match. However, a malicious +signature could intentionally declare an unintended algorithm. It is +essential that such signatures be rejected outright, or that the +algorithm of the *key* be used -- not the algorithm of the signature as +that would allow attackers to choose the algorithm used. + +Currently, public_key_verify_signature() correctly uses the key's +algorithm when deciding which akcipher to allocate. That's good. +However, it uses the signature's algorithm when deciding whether to do +the first step of SM2, which is incorrect. Also, v4.19 and older +kernels used the signature's algorithm for the entire process. + +Prevent such errors by making public_key_verify_signature() enforce that +the signature's algorithm (if given) matches the key's algorithm. + +Also remove two checks of this done by callers, which are now redundant. + +Cc: stable@vger.kernel.org +Tested-by: Stefan Berger +Tested-by: Tianjia Zhang +Signed-off-by: Eric Biggers +Reviewed-by: Vitaly Chikunov +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/pkcs7_verify.c | 6 ------ + crypto/asymmetric_keys/public_key.c | 15 +++++++++++++++ + crypto/asymmetric_keys/x509_public_key.c | 6 ------ + 3 files changed, 15 insertions(+), 12 deletions(-) + +--- a/crypto/asymmetric_keys/pkcs7_verify.c ++++ b/crypto/asymmetric_keys/pkcs7_verify.c +@@ -174,12 +174,6 @@ static int pkcs7_find_key(struct pkcs7_m + pr_devel("Sig %u: Found cert serial match X.509[%u]\n", + sinfo->index, certix); + +- if (strcmp(x509->pub->pkey_algo, sinfo->sig->pkey_algo) != 0) { +- pr_warn("Sig %u: X.509 algo and PKCS#7 sig algo don't match\n", +- sinfo->index); +- continue; +- } +- + sinfo->signer = x509; + return 0; + } +--- a/crypto/asymmetric_keys/public_key.c ++++ b/crypto/asymmetric_keys/public_key.c +@@ -325,6 +325,21 @@ int public_key_verify_signature(const st + BUG_ON(!sig); + BUG_ON(!sig->s); + ++ /* ++ * If the signature specifies a public key algorithm, it *must* match ++ * the key's actual public key algorithm. ++ * ++ * Small exception: ECDSA signatures don't specify the curve, but ECDSA ++ * keys do. So the strings can mismatch slightly in that case: ++ * "ecdsa-nist-*" for the key, but "ecdsa" for the signature. ++ */ ++ if (sig->pkey_algo) { ++ if (strcmp(pkey->pkey_algo, sig->pkey_algo) != 0 && ++ (strncmp(pkey->pkey_algo, "ecdsa-", 6) != 0 || ++ strcmp(sig->pkey_algo, "ecdsa") != 0)) ++ return -EKEYREJECTED; ++ } ++ + ret = software_key_determine_akcipher(sig->encoding, + sig->hash_algo, + pkey, alg_name); +--- a/crypto/asymmetric_keys/x509_public_key.c ++++ b/crypto/asymmetric_keys/x509_public_key.c +@@ -128,12 +128,6 @@ int x509_check_for_self_signed(struct x5 + goto out; + } + +- ret = -EKEYREJECTED; +- if (strcmp(cert->pub->pkey_algo, cert->sig->pkey_algo) != 0 && +- (strncmp(cert->pub->pkey_algo, "ecdsa-", 6) != 0 || +- strcmp(cert->sig->pkey_algo, "ecdsa") != 0)) +- goto out; +- + ret = public_key_verify_signature(cert->pub, cert->sig); + if (ret < 0) { + if (ret == -ENOPKG) { diff --git a/queue-5.17/keys-asymmetric-properly-validate-hash_algo-and-encoding.patch b/queue-5.17/keys-asymmetric-properly-validate-hash_algo-and-encoding.patch new file mode 100644 index 00000000000..d4715ffdb68 --- /dev/null +++ b/queue-5.17/keys-asymmetric-properly-validate-hash_algo-and-encoding.patch @@ -0,0 +1,188 @@ +From 590bfb57b2328951d5833979e7ca1d5fde2e609a Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Mon, 7 Feb 2022 21:24:48 -0800 +Subject: KEYS: asymmetric: properly validate hash_algo and encoding + +From: Eric Biggers + +commit 590bfb57b2328951d5833979e7ca1d5fde2e609a upstream. + +It is insecure to allow arbitrary hash algorithms and signature +encodings to be used with arbitrary signature algorithms. Notably, +ECDSA, ECRDSA, and SM2 all sign/verify raw hash values and don't +disambiguate between different hash algorithms like RSA PKCS#1 v1.5 +padding does. Therefore, they need to be restricted to certain sets of +hash algorithms (ideally just one, but in practice small sets are used). +Additionally, the encoding is an integral part of modern signature +algorithms, and is not supposed to vary. + +Therefore, tighten the checks of hash_algo and encoding done by +software_key_determine_akcipher(). + +Also rearrange the parameters to software_key_determine_akcipher() to +put the public_key first, as this is the most important parameter and it +often determines everything else. + +Fixes: 299f561a6693 ("x509: Add support for parsing x509 certs with ECDSA keys") +Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification") +Fixes: 0d7a78643f69 ("crypto: ecrdsa - add EC-RDSA (GOST 34.10) algorithm") +Cc: stable@vger.kernel.org +Tested-by: Stefan Berger +Tested-by: Tianjia Zhang +Signed-off-by: Eric Biggers +Reviewed-by: Vitaly Chikunov +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + crypto/asymmetric_keys/public_key.c | 111 ++++++++++++++++++++++++------------ + 1 file changed, 76 insertions(+), 35 deletions(-) + +--- a/crypto/asymmetric_keys/public_key.c ++++ b/crypto/asymmetric_keys/public_key.c +@@ -60,39 +60,83 @@ static void public_key_destroy(void *pay + } + + /* +- * Determine the crypto algorithm name. ++ * Given a public_key, and an encoding and hash_algo to be used for signing ++ * and/or verification with that key, determine the name of the corresponding ++ * akcipher algorithm. Also check that encoding and hash_algo are allowed. + */ +-static +-int software_key_determine_akcipher(const char *encoding, +- const char *hash_algo, +- const struct public_key *pkey, +- char alg_name[CRYPTO_MAX_ALG_NAME]) ++static int ++software_key_determine_akcipher(const struct public_key *pkey, ++ const char *encoding, const char *hash_algo, ++ char alg_name[CRYPTO_MAX_ALG_NAME]) + { + int n; + +- if (strcmp(encoding, "pkcs1") == 0) { +- /* The data wangled by the RSA algorithm is typically padded +- * and encoded in some manner, such as EMSA-PKCS1-1_5 [RFC3447 +- * sec 8.2]. ++ if (!encoding) ++ return -EINVAL; ++ ++ if (strcmp(pkey->pkey_algo, "rsa") == 0) { ++ /* ++ * RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2]. ++ */ ++ if (strcmp(encoding, "pkcs1") == 0) { ++ if (!hash_algo) ++ n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, ++ "pkcs1pad(%s)", ++ pkey->pkey_algo); ++ else ++ n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, ++ "pkcs1pad(%s,%s)", ++ pkey->pkey_algo, hash_algo); ++ return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; ++ } ++ if (strcmp(encoding, "raw") != 0) ++ return -EINVAL; ++ /* ++ * Raw RSA cannot differentiate between different hash ++ * algorithms. ++ */ ++ if (hash_algo) ++ return -EINVAL; ++ } else if (strncmp(pkey->pkey_algo, "ecdsa", 5) == 0) { ++ if (strcmp(encoding, "x962") != 0) ++ return -EINVAL; ++ /* ++ * ECDSA signatures are taken over a raw hash, so they don't ++ * differentiate between different hash algorithms. That means ++ * that the verifier should hard-code a specific hash algorithm. ++ * Unfortunately, in practice ECDSA is used with multiple SHAs, ++ * so we have to allow all of them and not just one. + */ + if (!hash_algo) +- n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, +- "pkcs1pad(%s)", +- pkey->pkey_algo); +- else +- n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME, +- "pkcs1pad(%s,%s)", +- pkey->pkey_algo, hash_algo); +- return n >= CRYPTO_MAX_ALG_NAME ? -EINVAL : 0; +- } +- +- if (strcmp(encoding, "raw") == 0 || +- strcmp(encoding, "x962") == 0) { +- strcpy(alg_name, pkey->pkey_algo); +- return 0; ++ return -EINVAL; ++ if (strcmp(hash_algo, "sha1") != 0 && ++ strcmp(hash_algo, "sha224") != 0 && ++ strcmp(hash_algo, "sha256") != 0 && ++ strcmp(hash_algo, "sha384") != 0 && ++ strcmp(hash_algo, "sha512") != 0) ++ return -EINVAL; ++ } else if (strcmp(pkey->pkey_algo, "sm2") == 0) { ++ if (strcmp(encoding, "raw") != 0) ++ return -EINVAL; ++ if (!hash_algo) ++ return -EINVAL; ++ if (strcmp(hash_algo, "sm3") != 0) ++ return -EINVAL; ++ } else if (strcmp(pkey->pkey_algo, "ecrdsa") == 0) { ++ if (strcmp(encoding, "raw") != 0) ++ return -EINVAL; ++ if (!hash_algo) ++ return -EINVAL; ++ if (strcmp(hash_algo, "streebog256") != 0 && ++ strcmp(hash_algo, "streebog512") != 0) ++ return -EINVAL; ++ } else { ++ /* Unknown public key algorithm */ ++ return -ENOPKG; + } +- +- return -ENOPKG; ++ if (strscpy(alg_name, pkey->pkey_algo, CRYPTO_MAX_ALG_NAME) < 0) ++ return -EINVAL; ++ return 0; + } + + static u8 *pkey_pack_u32(u8 *dst, u32 val) +@@ -113,9 +157,8 @@ static int software_key_query(const stru + u8 *key, *ptr; + int ret, len; + +- ret = software_key_determine_akcipher(params->encoding, +- params->hash_algo, +- pkey, alg_name); ++ ret = software_key_determine_akcipher(pkey, params->encoding, ++ params->hash_algo, alg_name); + if (ret < 0) + return ret; + +@@ -179,9 +222,8 @@ static int software_key_eds_op(struct ke + + pr_devel("==>%s()\n", __func__); + +- ret = software_key_determine_akcipher(params->encoding, +- params->hash_algo, +- pkey, alg_name); ++ ret = software_key_determine_akcipher(pkey, params->encoding, ++ params->hash_algo, alg_name); + if (ret < 0) + return ret; + +@@ -340,9 +382,8 @@ int public_key_verify_signature(const st + return -EKEYREJECTED; + } + +- ret = software_key_determine_akcipher(sig->encoding, +- sig->hash_algo, +- pkey, alg_name); ++ ret = software_key_determine_akcipher(pkey, sig->encoding, ++ sig->hash_algo, alg_name); + if (ret < 0) + return ret; + diff --git a/queue-5.17/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch b/queue-5.17/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch new file mode 100644 index 00000000000..cde1c22a0c6 --- /dev/null +++ b/queue-5.17/keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch @@ -0,0 +1,66 @@ +From c51abd96837f600d8fd940b6ab8e2da578575504 Mon Sep 17 00:00:00 2001 +From: Eric Biggers +Date: Thu, 13 Jan 2022 12:04:54 -0800 +Subject: KEYS: fix length validation in keyctl_pkey_params_get_2() + +From: Eric Biggers + +commit c51abd96837f600d8fd940b6ab8e2da578575504 upstream. + +In many cases, keyctl_pkey_params_get_2() is validating the user buffer +lengths against the wrong algorithm properties. Fix it to check against +the correct properties. + +Probably this wasn't noticed before because for all asymmetric keys of +the "public_key" subtype, max_data_size == max_sig_size == max_enc_size +== max_dec_size. However, this isn't necessarily true for the +"asym_tpm" subtype (it should be, but it's not strictly validated). Of +course, future key types could have different values as well. + +Fixes: 00d60fd3b932 ("KEYS: Provide keyctls to drive the new key type ops for asymmetric keys [ver #2]") +Cc: # v4.20+ +Signed-off-by: Eric Biggers +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + security/keys/keyctl_pkey.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +--- a/security/keys/keyctl_pkey.c ++++ b/security/keys/keyctl_pkey.c +@@ -135,15 +135,23 @@ static int keyctl_pkey_params_get_2(cons + + switch (op) { + case KEYCTL_PKEY_ENCRYPT: ++ if (uparams.in_len > info.max_dec_size || ++ uparams.out_len > info.max_enc_size) ++ return -EINVAL; ++ break; + case KEYCTL_PKEY_DECRYPT: + if (uparams.in_len > info.max_enc_size || + uparams.out_len > info.max_dec_size) + return -EINVAL; + break; + case KEYCTL_PKEY_SIGN: ++ if (uparams.in_len > info.max_data_size || ++ uparams.out_len > info.max_sig_size) ++ return -EINVAL; ++ break; + case KEYCTL_PKEY_VERIFY: +- if (uparams.in_len > info.max_sig_size || +- uparams.out_len > info.max_data_size) ++ if (uparams.in_len > info.max_data_size || ++ uparams.in2_len > info.max_sig_size) + return -EINVAL; + break; + default: +@@ -151,7 +159,7 @@ static int keyctl_pkey_params_get_2(cons + } + + params->in_len = uparams.in_len; +- params->out_len = uparams.out_len; ++ params->out_len = uparams.out_len; /* Note: same as in2_len */ + return 0; + } + diff --git a/queue-5.17/mm-mlock-fix-two-bugs-in-user_shm_lock.patch b/queue-5.17/mm-mlock-fix-two-bugs-in-user_shm_lock.patch new file mode 100644 index 00000000000..90cfc2d32b1 --- /dev/null +++ b/queue-5.17/mm-mlock-fix-two-bugs-in-user_shm_lock.patch @@ -0,0 +1,51 @@ +From e97824ff663ce3509fe040431c713182c2f058b1 Mon Sep 17 00:00:00 2001 +From: Miaohe Lin +Date: Tue, 22 Mar 2022 16:09:18 +0800 +Subject: mm/mlock: fix two bugs in user_shm_lock() + +From: Miaohe Lin + +commit e97824ff663ce3509fe040431c713182c2f058b1 upstream. + +user_shm_lock forgets to set allowed to 0 when get_ucounts fails. So the +later user_shm_unlock might do the extra dec_rlimit_ucounts. Also in the +RLIM_INFINITY case, user_shm_lock will success regardless of the value of +memlock where memblock == LONG_MAX && !capable(CAP_IPC_LOCK) should fail. +Fix all of these by changing the code to leave lock_limit at ULONG_MAX aka +RLIM_INFINITY, leave "allowed" initialized to 0 and remove the special case +of RLIM_INFINITY as nothing can be greater than ULONG_MAX. + +Credit goes to Eric W. Biederman for proposing simplifying the code and +thus catching the later bug. + +Fixes: d7c9e99aee48 ("Reimplement RLIMIT_MEMLOCK on top of ucounts") +Signed-off-by: Miaohe Lin +Cc: stable@vger.kernel.org +v1: https://lkml.kernel.org/r/20220310132417.41189-1-linmiaohe@huawei.com +v2: https://lkml.kernel.org/r/20220314064039.62972-1-linmiaohe@huawei.com +Link: https://lkml.kernel.org/r/20220322080918.59861-1-linmiaohe@huawei.com +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman +--- + mm/mlock.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -827,13 +827,12 @@ int user_shm_lock(size_t size, struct uc + + locked = (size + PAGE_SIZE - 1) >> PAGE_SHIFT; + lock_limit = rlimit(RLIMIT_MEMLOCK); +- if (lock_limit == RLIM_INFINITY) +- allowed = 1; +- lock_limit >>= PAGE_SHIFT; ++ if (lock_limit != RLIM_INFINITY) ++ lock_limit >>= PAGE_SHIFT; + spin_lock(&shmlock_user_lock); + memlock = inc_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); + +- if (!allowed && (memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { ++ if ((memlock == LONG_MAX || memlock > lock_limit) && !capable(CAP_IPC_LOCK)) { + dec_rlimit_ucounts(ucounts, UCOUNT_RLIMIT_MEMLOCK, locked); + goto out; + } diff --git a/queue-5.17/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch b/queue-5.17/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch new file mode 100644 index 00000000000..51e1ae84d55 --- /dev/null +++ b/queue-5.17/mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch @@ -0,0 +1,161 @@ +From 8cba323437a49a45756d661f500b324fc2d486fe Mon Sep 17 00:00:00 2001 +From: Sean Nyekjaer +Date: Tue, 8 Feb 2022 09:52:13 +0100 +Subject: mtd: rawnand: protect access to rawnand devices while in suspend + +From: Sean Nyekjaer + +commit 8cba323437a49a45756d661f500b324fc2d486fe upstream. + +Prevent rawnand access while in a suspended state. + +Commit 013e6292aaf5 ("mtd: rawnand: Simplify the locking") allows the +rawnand layer to return errors rather than waiting in a blocking wait. + +Tested on a iMX6ULL. + +Fixes: 013e6292aaf5 ("mtd: rawnand: Simplify the locking") +Signed-off-by: Sean Nyekjaer +Reviewed-by: Boris Brezillon +Cc: stable@vger.kernel.org +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20220208085213.1838273-1-sean@geanix.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/nand/raw/nand_base.c | 44 +++++++++++++++++---------------------- + include/linux/mtd/rawnand.h | 2 + + 2 files changed, 22 insertions(+), 24 deletions(-) + +--- a/drivers/mtd/nand/raw/nand_base.c ++++ b/drivers/mtd/nand/raw/nand_base.c +@@ -338,16 +338,19 @@ static int nand_isbad_bbm(struct nand_ch + * + * Return: -EBUSY if the chip has been suspended, 0 otherwise + */ +-static int nand_get_device(struct nand_chip *chip) ++static void nand_get_device(struct nand_chip *chip) + { +- mutex_lock(&chip->lock); +- if (chip->suspended) { ++ /* Wait until the device is resumed. */ ++ while (1) { ++ mutex_lock(&chip->lock); ++ if (!chip->suspended) { ++ mutex_lock(&chip->controller->lock); ++ return; ++ } + mutex_unlock(&chip->lock); +- return -EBUSY; +- } +- mutex_lock(&chip->controller->lock); + +- return 0; ++ wait_event(chip->resume_wq, !chip->suspended); ++ } + } + + /** +@@ -576,9 +579,7 @@ static int nand_block_markbad_lowlevel(s + nand_erase_nand(chip, &einfo, 0); + + /* Write bad block marker to OOB */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + ret = nand_markbad_bbm(chip, ofs); + nand_release_device(chip); +@@ -3826,9 +3827,7 @@ static int nand_read_oob(struct mtd_info + ops->mode != MTD_OPS_RAW) + return -ENOTSUPP; + +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + if (!ops->datbuf) + ret = nand_do_read_oob(chip, from, ops); +@@ -4415,13 +4414,11 @@ static int nand_write_oob(struct mtd_inf + struct mtd_oob_ops *ops) + { + struct nand_chip *chip = mtd_to_nand(mtd); +- int ret; ++ int ret = 0; + + ops->retlen = 0; + +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + switch (ops->mode) { + case MTD_OPS_PLACE_OOB: +@@ -4481,9 +4478,7 @@ int nand_erase_nand(struct nand_chip *ch + return -EIO; + + /* Grab the lock and see if the device is available */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + /* Shift to get first page */ + page = (int)(instr->addr >> chip->page_shift); +@@ -4570,7 +4565,7 @@ static void nand_sync(struct mtd_info *m + pr_debug("%s: called\n", __func__); + + /* Grab the lock and see if the device is available */ +- WARN_ON(nand_get_device(chip)); ++ nand_get_device(chip); + /* Release it and go back */ + nand_release_device(chip); + } +@@ -4587,9 +4582,7 @@ static int nand_block_isbad(struct mtd_i + int ret; + + /* Select the NAND device */ +- ret = nand_get_device(chip); +- if (ret) +- return ret; ++ nand_get_device(chip); + + nand_select_target(chip, chipnr); + +@@ -4660,6 +4653,8 @@ static void nand_resume(struct mtd_info + __func__); + } + mutex_unlock(&chip->lock); ++ ++ wake_up_all(&chip->resume_wq); + } + + /** +@@ -5437,6 +5432,7 @@ static int nand_scan_ident(struct nand_c + chip->cur_cs = -1; + + mutex_init(&chip->lock); ++ init_waitqueue_head(&chip->resume_wq); + + /* Enforce the right timings for reset/detection */ + chip->current_interface_config = nand_get_reset_interface_config(); +--- a/include/linux/mtd/rawnand.h ++++ b/include/linux/mtd/rawnand.h +@@ -1240,6 +1240,7 @@ struct nand_secure_region { + * @lock: Lock protecting the suspended field. Also used to serialize accesses + * to the NAND device + * @suspended: Set to 1 when the device is suspended, 0 when it's not ++ * @resume_wq: wait queue to sleep if rawnand is in suspended state. + * @cur_cs: Currently selected target. -1 means no target selected, otherwise we + * should always have cur_cs >= 0 && cur_cs < nanddev_ntargets(). + * NAND Controller drivers should not modify this value, but they're +@@ -1294,6 +1295,7 @@ struct nand_chip { + /* Internals */ + struct mutex lock; + unsigned int suspended : 1; ++ wait_queue_head_t resume_wq; + int cur_cs; + int read_retries; + struct nand_secure_region *secure_regions; diff --git a/queue-5.17/mtd-spi-nor-skip-erase-logic-when-spi_nor_no_erase-is-set.patch b/queue-5.17/mtd-spi-nor-skip-erase-logic-when-spi_nor_no_erase-is-set.patch new file mode 100644 index 00000000000..4028f4fec48 --- /dev/null +++ b/queue-5.17/mtd-spi-nor-skip-erase-logic-when-spi_nor_no_erase-is-set.patch @@ -0,0 +1,40 @@ +From 151c6b49d679872d6fc0b50e0ad96303091694a2 Mon Sep 17 00:00:00 2001 +From: Tudor Ambarus +Date: Mon, 28 Feb 2022 18:33:34 +0200 +Subject: mtd: spi-nor: Skip erase logic when SPI_NOR_NO_ERASE is set + +From: Tudor Ambarus + +commit 151c6b49d679872d6fc0b50e0ad96303091694a2 upstream. + +Even if SPI_NOR_NO_ERASE was set, one could still send erase opcodes +to the flash. It is not recommended to send unsupported opcodes to +flashes. Fix the logic and do not set mtd->_erase when SPI_NOR_NO_ERASE +is specified. With this users will not be able to issue erase opcodes to +flashes and instead they will recive an -ENOTSUPP error. + +Fixes: b199489d37b2 ("mtd: spi-nor: add the framework for SPI NOR") +Signed-off-by: Tudor Ambarus +Reviewed-by: Michael Walle +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220228163334.277730-1-tudor.ambarus@microchip.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mtd/spi-nor/core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/spi-nor/core.c ++++ b/drivers/mtd/spi-nor/core.c +@@ -3181,10 +3181,11 @@ static void spi_nor_set_mtd_info(struct + mtd->flags = MTD_CAP_NORFLASH; + if (nor->info->flags & SPI_NOR_NO_ERASE) + mtd->flags |= MTD_NO_ERASE; ++ else ++ mtd->_erase = spi_nor_erase; + mtd->writesize = nor->params->writesize; + mtd->writebufsize = nor->params->page_size; + mtd->size = nor->params->size; +- mtd->_erase = spi_nor_erase; + mtd->_read = spi_nor_read; + /* Might be already set by some SST flashes. */ + if (!mtd->_write) diff --git a/queue-5.17/net-bnxt_ptp-fix-compilation-error.patch b/queue-5.17/net-bnxt_ptp-fix-compilation-error.patch new file mode 100644 index 00000000000..ffd724b6e39 --- /dev/null +++ b/queue-5.17/net-bnxt_ptp-fix-compilation-error.patch @@ -0,0 +1,87 @@ +From dcf500065fabe27676dfe7b4ba521a4f1e0fc8ac Mon Sep 17 00:00:00 2001 +From: Damien Le Moal +Date: Mon, 28 Mar 2022 15:27:08 +0900 +Subject: net: bnxt_ptp: fix compilation error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Damien Le Moal + +commit dcf500065fabe27676dfe7b4ba521a4f1e0fc8ac upstream. + +The Broadcom bnxt_ptp driver does not compile with GCC 11.2.2 when +CONFIG_WERROR is enabled. The following error is generated: + +drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c: In function ‘bnxt_ptp_enable’: +drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:400:43: error: array +subscript 255 is above array bounds of ‘struct pps_pin[4]’ +[-Werror=array-bounds] + 400 | ptp->pps_info.pins[pin_id].event = BNXT_PPS_EVENT_EXTERNAL; + | ~~~~~~~~~~~~~~~~~~^~~~~~~~ +In file included from drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:20: +drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h:75:24: note: while +referencing ‘pins’ + 75 | struct pps_pin pins[BNXT_MAX_TSIO_PINS]; + | ^~~~ +cc1: all warnings being treated as errors + +This is due to the function ptp_find_pin() returning a pin ID of -1 when +a valid pin is not found and this error never being checked. +Change the TSIO_PIN_VALID() function to also check that a pin ID is not +negative and use this macro in bnxt_ptp_enable() to check the result of +the calls to ptp_find_pin() to return an error early for invalid pins. +This fixes the compilation error. + +Cc: +Fixes: 9e518f25802c ("bnxt_en: 1PPS functions to configure TSIO pins") +Signed-off-by: Damien Le Moal +Reviewed-by: Michael Chan +Link: https://lore.kernel.org/r/20220328062708.207079-1-damien.lemoal@opensource.wdc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 6 +++++- + drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c +@@ -329,7 +329,7 @@ static int bnxt_ptp_enable(struct ptp_cl + struct bnxt_ptp_cfg *ptp = container_of(ptp_info, struct bnxt_ptp_cfg, + ptp_info); + struct bnxt *bp = ptp->bp; +- u8 pin_id; ++ int pin_id; + int rc; + + switch (rq->type) { +@@ -337,6 +337,8 @@ static int bnxt_ptp_enable(struct ptp_cl + /* Configure an External PPS IN */ + pin_id = ptp_find_pin(ptp->ptp_clock, PTP_PF_EXTTS, + rq->extts.index); ++ if (!TSIO_PIN_VALID(pin_id)) ++ return -EOPNOTSUPP; + if (!on) + break; + rc = bnxt_ptp_cfg_pin(bp, pin_id, BNXT_PPS_PIN_PPS_IN); +@@ -350,6 +352,8 @@ static int bnxt_ptp_enable(struct ptp_cl + /* Configure a Periodic PPS OUT */ + pin_id = ptp_find_pin(ptp->ptp_clock, PTP_PF_PEROUT, + rq->perout.index); ++ if (!TSIO_PIN_VALID(pin_id)) ++ return -EOPNOTSUPP; + if (!on) + break; + +--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h ++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.h +@@ -31,7 +31,7 @@ struct pps_pin { + u8 state; + }; + +-#define TSIO_PIN_VALID(pin) ((pin) < (BNXT_MAX_TSIO_PINS)) ++#define TSIO_PIN_VALID(pin) ((pin) >= 0 && (pin) < (BNXT_MAX_TSIO_PINS)) + + #define EVENT_DATA2_PPS_EVENT_TYPE(data2) \ + ((data2) & ASYNC_EVENT_CMPL_PPS_TIMESTAMP_EVENT_DATA2_EVENT_TYPE) diff --git a/queue-5.17/nfs-nfsv2-v3-clients-should-never-be-setting-nfs_cap_xattr.patch b/queue-5.17/nfs-nfsv2-v3-clients-should-never-be-setting-nfs_cap_xattr.patch new file mode 100644 index 00000000000..8bf714439da --- /dev/null +++ b/queue-5.17/nfs-nfsv2-v3-clients-should-never-be-setting-nfs_cap_xattr.patch @@ -0,0 +1,48 @@ +From b622ffe1d9ecbac71f0cddb52ff0831efdf8fb83 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 22 Feb 2022 18:20:38 -0500 +Subject: NFS: NFSv2/v3 clients should never be setting NFS_CAP_XATTR + +From: Trond Myklebust + +commit b622ffe1d9ecbac71f0cddb52ff0831efdf8fb83 upstream. + +Ensure that we always initialise the 'xattr_support' field in struct +nfs_fsinfo, so that nfs_server_set_fsinfo() doesn't declare our NFSv2/v3 +client to be capable of supporting the NFSv4.2 xattr protocol by setting +the NFS_CAP_XATTR capability. + +This configuration can cause nfs_do_access() to set access mode bits +that are unsupported by the NFSv3 ACCESS call, which may confuse +spec-compliant servers. + +Reported-by: Olga Kornievskaia +Fixes: b78ef845c35d ("NFSv4.2: query the server for extended attribute support") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/nfs3xdr.c | 1 + + fs/nfs/proc.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/fs/nfs/nfs3xdr.c ++++ b/fs/nfs/nfs3xdr.c +@@ -2228,6 +2228,7 @@ static int decode_fsinfo3resok(struct xd + /* ignore properties */ + result->lease_time = 0; + result->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED; ++ result->xattr_support = 0; + return 0; + } + +--- a/fs/nfs/proc.c ++++ b/fs/nfs/proc.c +@@ -92,6 +92,7 @@ nfs_proc_get_root(struct nfs_server *ser + info->maxfilesize = 0x7FFFFFFF; + info->lease_time = 0; + info->change_attr_type = NFS4_CHANGE_TYPE_IS_UNDEFINED; ++ info->xattr_support = 0; + return 0; + } + diff --git a/queue-5.17/nfsd-prevent-integer-overflow-on-32-bit-systems.patch b/queue-5.17/nfsd-prevent-integer-overflow-on-32-bit-systems.patch new file mode 100644 index 00000000000..5461a4ff9ed --- /dev/null +++ b/queue-5.17/nfsd-prevent-integer-overflow-on-32-bit-systems.patch @@ -0,0 +1,31 @@ +From 23a9dbbe0faf124fc4c139615633b9d12a3a89ef Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 18:34:06 +0300 +Subject: NFSD: prevent integer overflow on 32 bit systems + +From: Dan Carpenter + +commit 23a9dbbe0faf124fc4c139615633b9d12a3a89ef upstream. + +On a 32 bit system, the "len * sizeof(*p)" operation can have an +integer overflow. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sunrpc/xdr.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/sunrpc/xdr.h ++++ b/include/linux/sunrpc/xdr.h +@@ -731,6 +731,8 @@ xdr_stream_decode_uint32_array(struct xd + + if (unlikely(xdr_stream_decode_u32(xdr, &len) < 0)) + return -EBADMSG; ++ if (len > SIZE_MAX / sizeof(*p)) ++ return -EBADMSG; + p = xdr_inline_decode(xdr, len * sizeof(*p)); + if (unlikely(!p)) + return -EBADMSG; diff --git a/queue-5.17/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch b/queue-5.17/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch new file mode 100644 index 00000000000..7b6a57d3a6e --- /dev/null +++ b/queue-5.17/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch @@ -0,0 +1,47 @@ +From 184416d4b98509fb4c3d8fc3d6dc1437896cc159 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 13:30:09 +0300 +Subject: NFSD: prevent underflow in nfssvc_decode_writeargs() + +From: Dan Carpenter + +commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream. + +Smatch complains: + + fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs() + warn: no lower bound on 'args->len' + +Change the type to unsigned to prevent this issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsproc.c | 2 +- + fs/nfsd/xdr.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -230,7 +230,7 @@ nfsd_proc_write(struct svc_rqst *rqstp) + unsigned long cnt = argp->len; + unsigned int nvecs; + +- dprintk("nfsd: WRITE %s %d bytes at %d\n", ++ dprintk("nfsd: WRITE %s %u bytes at %d\n", + SVCFH_fmt(&argp->fh), + argp->len, argp->offset); + +--- a/fs/nfsd/xdr.h ++++ b/fs/nfsd/xdr.h +@@ -32,7 +32,7 @@ struct nfsd_readargs { + struct nfsd_writeargs { + svc_fh fh; + __u32 offset; +- int len; ++ __u32 len; + struct xdr_buf payload; + }; + diff --git a/queue-5.17/pinctrl-ingenic-fix-regmap-on-x-series-socs.patch b/queue-5.17/pinctrl-ingenic-fix-regmap-on-x-series-socs.patch new file mode 100644 index 00000000000..61cd365e4fe --- /dev/null +++ b/queue-5.17/pinctrl-ingenic-fix-regmap-on-x-series-socs.patch @@ -0,0 +1,148 @@ +From 9279c00fa40250e5cb23a8423dce7dbc6516a0ea Mon Sep 17 00:00:00 2001 +From: Aidan MacDonald +Date: Thu, 17 Mar 2022 00:07:40 +0000 +Subject: pinctrl: ingenic: Fix regmap on X series SoCs + +From: Aidan MacDonald + +commit 9279c00fa40250e5cb23a8423dce7dbc6516a0ea upstream. + +The X series Ingenic SoCs have a shadow GPIO group which is at a higher +offset than the other groups, and is used for all GPIO configuration. +The regmap did not take this offset into account and set max_register +too low, so the regmap API blocked writes to the shadow group, which +made the pinctrl driver unable to configure any pins. + +Fix this by adding regmap access tables to the chip info. The way that +max_register was computed was also off by one, since max_register is an +inclusive bound, not an exclusive bound; this has been fixed. + +Cc: stable@vger.kernel.org +Signed-off-by: Aidan MacDonald +Fixes: 6626a76ef857 ("pinctrl: ingenic: Add .max_register in regmap_config") +Reviewed-by: Paul Cercueil +Link: https://lore.kernel.org/r/20220317000740.1045204-1-aidanmacdonald.0x0@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/pinctrl-ingenic.c | 46 +++++++++++++++++++++++++++++++++++++- + 1 file changed, 45 insertions(+), 1 deletion(-) + +--- a/drivers/pinctrl/pinctrl-ingenic.c ++++ b/drivers/pinctrl/pinctrl-ingenic.c +@@ -119,6 +119,8 @@ struct ingenic_chip_info { + unsigned int num_functions; + + const u32 *pull_ups, *pull_downs; ++ ++ const struct regmap_access_table *access_table; + }; + + struct ingenic_pinctrl { +@@ -2179,6 +2181,17 @@ static const struct function_desc x1000_ + { "mac", x1000_mac_groups, ARRAY_SIZE(x1000_mac_groups), }, + }; + ++static const struct regmap_range x1000_access_ranges[] = { ++ regmap_reg_range(0x000, 0x400 - 4), ++ regmap_reg_range(0x700, 0x800 - 4), ++}; ++ ++/* shared with X1500 */ ++static const struct regmap_access_table x1000_access_table = { ++ .yes_ranges = x1000_access_ranges, ++ .n_yes_ranges = ARRAY_SIZE(x1000_access_ranges), ++}; ++ + static const struct ingenic_chip_info x1000_chip_info = { + .num_chips = 4, + .reg_offset = 0x100, +@@ -2189,6 +2202,7 @@ static const struct ingenic_chip_info x1 + .num_functions = ARRAY_SIZE(x1000_functions), + .pull_ups = x1000_pull_ups, + .pull_downs = x1000_pull_downs, ++ .access_table = &x1000_access_table, + }; + + static int x1500_uart0_data_pins[] = { 0x4a, 0x4b, }; +@@ -2300,6 +2314,7 @@ static const struct ingenic_chip_info x1 + .num_functions = ARRAY_SIZE(x1500_functions), + .pull_ups = x1000_pull_ups, + .pull_downs = x1000_pull_downs, ++ .access_table = &x1000_access_table, + }; + + static const u32 x1830_pull_ups[4] = { +@@ -2506,6 +2521,16 @@ static const struct function_desc x1830_ + { "mac", x1830_mac_groups, ARRAY_SIZE(x1830_mac_groups), }, + }; + ++static const struct regmap_range x1830_access_ranges[] = { ++ regmap_reg_range(0x0000, 0x4000 - 4), ++ regmap_reg_range(0x7000, 0x8000 - 4), ++}; ++ ++static const struct regmap_access_table x1830_access_table = { ++ .yes_ranges = x1830_access_ranges, ++ .n_yes_ranges = ARRAY_SIZE(x1830_access_ranges), ++}; ++ + static const struct ingenic_chip_info x1830_chip_info = { + .num_chips = 4, + .reg_offset = 0x1000, +@@ -2516,6 +2541,7 @@ static const struct ingenic_chip_info x1 + .num_functions = ARRAY_SIZE(x1830_functions), + .pull_ups = x1830_pull_ups, + .pull_downs = x1830_pull_downs, ++ .access_table = &x1830_access_table, + }; + + static const u32 x2000_pull_ups[5] = { +@@ -2969,6 +2995,17 @@ static const struct function_desc x2000_ + { "otg", x2000_otg_groups, ARRAY_SIZE(x2000_otg_groups), }, + }; + ++static const struct regmap_range x2000_access_ranges[] = { ++ regmap_reg_range(0x000, 0x500 - 4), ++ regmap_reg_range(0x700, 0x800 - 4), ++}; ++ ++/* shared with X2100 */ ++static const struct regmap_access_table x2000_access_table = { ++ .yes_ranges = x2000_access_ranges, ++ .n_yes_ranges = ARRAY_SIZE(x2000_access_ranges), ++}; ++ + static const struct ingenic_chip_info x2000_chip_info = { + .num_chips = 5, + .reg_offset = 0x100, +@@ -2979,6 +3016,7 @@ static const struct ingenic_chip_info x2 + .num_functions = ARRAY_SIZE(x2000_functions), + .pull_ups = x2000_pull_ups, + .pull_downs = x2000_pull_downs, ++ .access_table = &x2000_access_table, + }; + + static const u32 x2100_pull_ups[5] = { +@@ -3189,6 +3227,7 @@ static const struct ingenic_chip_info x2 + .num_functions = ARRAY_SIZE(x2100_functions), + .pull_ups = x2100_pull_ups, + .pull_downs = x2100_pull_downs, ++ .access_table = &x2000_access_table, + }; + + static u32 ingenic_gpio_read_reg(struct ingenic_gpio_chip *jzgc, u8 reg) +@@ -4168,7 +4207,12 @@ static int __init ingenic_pinctrl_probe( + return PTR_ERR(base); + + regmap_config = ingenic_pinctrl_regmap_config; +- regmap_config.max_register = chip_info->num_chips * chip_info->reg_offset; ++ if (chip_info->access_table) { ++ regmap_config.rd_table = chip_info->access_table; ++ regmap_config.wr_table = chip_info->access_table; ++ } else { ++ regmap_config.max_register = chip_info->num_chips * chip_info->reg_offset - 4; ++ } + + jzpc->map = devm_regmap_init_mmio(dev, base, ®map_config); + if (IS_ERR(jzpc->map)) { diff --git a/queue-5.17/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch b/queue-5.17/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch new file mode 100644 index 00000000000..9d98a814e9e --- /dev/null +++ b/queue-5.17/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch @@ -0,0 +1,83 @@ +From 50ebd19e3585b9792e994cfa8cbee8947fe06371 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 11 Jan 2022 21:13:59 +0100 +Subject: pinctrl: samsung: drop pin banks references on error paths + +From: Krzysztof Kozlowski + +commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream. + +The driver iterates over its devicetree children with +for_each_child_of_node() and stores for later found node pointer. This +has to be put in error paths to avoid leak during re-probing. + +Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sam Protsenko +Reviewed-by: Chanho Park +Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -1002,6 +1002,16 @@ samsung_pinctrl_get_soc_data_for_of_alia + return &(of_data->ctrl[id]); + } + ++static void samsung_banks_of_node_put(struct samsung_pinctrl_drv_data *d) ++{ ++ struct samsung_pin_bank *bank; ++ unsigned int i; ++ ++ bank = d->pin_banks; ++ for (i = 0; i < d->nr_banks; ++i, ++bank) ++ of_node_put(bank->of_node); ++} ++ + /* retrieve the soc specific data */ + static const struct samsung_pin_ctrl * + samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d, +@@ -1117,19 +1127,19 @@ static int samsung_pinctrl_probe(struct + if (ctrl->retention_data) { + drvdata->retention_ctrl = ctrl->retention_data->init(drvdata, + ctrl->retention_data); +- if (IS_ERR(drvdata->retention_ctrl)) +- return PTR_ERR(drvdata->retention_ctrl); ++ if (IS_ERR(drvdata->retention_ctrl)) { ++ ret = PTR_ERR(drvdata->retention_ctrl); ++ goto err_put_banks; ++ } + } + + ret = samsung_pinctrl_register(pdev, drvdata); + if (ret) +- return ret; ++ goto err_put_banks; + + ret = samsung_gpiolib_register(pdev, drvdata); +- if (ret) { +- samsung_pinctrl_unregister(pdev, drvdata); +- return ret; +- } ++ if (ret) ++ goto err_unregister; + + if (ctrl->eint_gpio_init) + ctrl->eint_gpio_init(drvdata); +@@ -1139,6 +1149,12 @@ static int samsung_pinctrl_probe(struct + platform_set_drvdata(pdev, drvdata); + + return 0; ++ ++err_unregister: ++ samsung_pinctrl_unregister(pdev, drvdata); ++err_put_banks: ++ samsung_banks_of_node_put(drvdata); ++ return ret; + } + + /* diff --git a/queue-5.17/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch b/queue-5.17/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch new file mode 100644 index 00000000000..e99c48d5d3c --- /dev/null +++ b/queue-5.17/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch @@ -0,0 +1,105 @@ +From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE + +From: Jann Horn + +commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -371,6 +371,26 @@ bool ptrace_may_access(struct task_struc + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -382,8 +402,16 @@ static int ptrace_attach(struct task_str + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. ++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -654,22 +682,11 @@ int ptrace_writedata(struct task_struct + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; diff --git a/queue-5.17/remoteproc-fix-count-check-in-rproc_coredump_write.patch b/queue-5.17/remoteproc-fix-count-check-in-rproc_coredump_write.patch new file mode 100644 index 00000000000..3e974598199 --- /dev/null +++ b/queue-5.17/remoteproc-fix-count-check-in-rproc_coredump_write.patch @@ -0,0 +1,41 @@ +From f89672cc3681952f2d06314981a6b45f8b0045d1 Mon Sep 17 00:00:00 2001 +From: Alistair Delva +Date: Wed, 19 Jan 2022 23:21:39 +0000 +Subject: remoteproc: Fix count check in rproc_coredump_write() + +From: Alistair Delva + +commit f89672cc3681952f2d06314981a6b45f8b0045d1 upstream. + +Check count for 0, to avoid a potential underflow. Make the check the +same as the one in rproc_recovery_write(). + +Fixes: 3afdc59e4390 ("remoteproc: Add coredump debugfs entry") +Signed-off-by: Alistair Delva +Cc: Rishabh Bhatnagar +Cc: stable@vger.kernel.org +Cc: Ohad Ben-Cohen +Cc: Bjorn Andersson +Cc: Mathieu Poirier +Cc: Sibi Sankar +Cc: linux-remoteproc@vger.kernel.org +Cc: kernel-team@android.com +Reviewed-by: Bjorn Andersson +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20220119232139.1125908-1-adelva@google.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/remoteproc/remoteproc_debugfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/remoteproc/remoteproc_debugfs.c ++++ b/drivers/remoteproc/remoteproc_debugfs.c +@@ -76,7 +76,7 @@ static ssize_t rproc_coredump_write(stru + int ret, err = 0; + char buf[20]; + +- if (count > sizeof(buf)) ++ if (count < 1 || count > sizeof(buf)) + return -EINVAL; + + ret = copy_from_user(buf, user_buf, count); diff --git a/queue-5.17/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch b/queue-5.17/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch new file mode 100644 index 00000000000..d71bc510b8f --- /dev/null +++ b/queue-5.17/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch @@ -0,0 +1,42 @@ +From 927728a34f11b5a27f4610bdb7068317d6fdc72a Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 8 Mar 2022 19:00:42 +0800 +Subject: serial: sc16is7xx: Clear RS485 bits in the shutdown + +From: Hui Wang + +commit 927728a34f11b5a27f4610bdb7068317d6fdc72a upstream. + +We tested RS485 function on an EVB which has SC16IS752, after +finishing the test, we started the RS232 function test, but found the +RTS is still working in the RS485 mode. + +That is because both startup and shutdown call port_update() to set +the EFCR_REG, this will not clear the RS485 bits once the bits are set +in the reconf_rs485(). To fix it, clear the RS485 bits in shutdown. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20220308110042.108451-1-hui.wang@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sc16is7xx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1055,10 +1055,12 @@ static void sc16is7xx_shutdown(struct ua + + /* Disable all interrupts */ + sc16is7xx_port_write(port, SC16IS7XX_IER_REG, 0); +- /* Disable TX/RX */ ++ /* Disable TX/RX, clear auto RS485 and RTS invert */ + sc16is7xx_port_update(port, SC16IS7XX_EFCR_REG, + SC16IS7XX_EFCR_RXDISABLE_BIT | +- SC16IS7XX_EFCR_TXDISABLE_BIT, ++ SC16IS7XX_EFCR_TXDISABLE_BIT | ++ SC16IS7XX_EFCR_AUTO_RS485_BIT | ++ SC16IS7XX_EFCR_RTS_INVERT_BIT, + SC16IS7XX_EFCR_RXDISABLE_BIT | + SC16IS7XX_EFCR_TXDISABLE_BIT); + diff --git a/queue-5.17/series b/queue-5.17/series index ea50837ebf5..c7e315bd696 100644 --- a/queue-5.17/series +++ b/queue-5.17/series @@ -22,3 +22,49 @@ mei-avoid-iterator-usage-outside-of-list_for_each_entry.patch bus-mhi-pci_generic-add-mru_default-for-quectel-em1xx-series.patch bus-mhi-fix-pm_state-conversion-to-string.patch bus-mhi-fix-mhi-dma-structure-endianness.patch +docs-sphinx-requirements-limit-jinja2-3.1.patch +coresight-fix-trcconfigr.qe-sysfs-interface.patch +coresight-syscfg-fix-memleak-on-registration-failure-in-cscfg_create_device.patch +dt-bindings-iio-adc-zynqmp_ams-add-clock-entry.patch +iio-adc-xilinx-ams-fix-single-channel-switching-sequence.patch +iio-accel-mma8452-use-the-correct-logic-to-get-mma8452_data.patch +iio-adc-aspeed-add-divider-flag-to-fix-incorrect-voltage-reading.patch +iio-imu-st_lsm6dsx-use-dev_to_iio_dev-to-get-iio_dev-struct.patch +iio-afe-rescale-use-s64-for-temporary-scale-calculations.patch +iio-adc-xilinx-ams-fixed-missing-ps-channels.patch +iio-adc-xilinx-ams-fixed-wrong-sequencer-register-settings.patch +iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch +iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch +iio-inkern-make-a-best-effort-on-offset-calculation.patch +greybus-svc-fix-an-error-handling-bug-in-gb_svc_hello.patch +clk-rockchip-re-add-rational-best-approximation-algorithm-to-the-fractional-divider.patch +clk-uniphier-fix-fixed-rate-initialization.patch +ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch +cifs-truncate-the-inode-and-mapping-when-we-simulate-fcollapse.patch +cifs-fix-handlecache-and-multiuser.patch +cifs-we-do-not-need-a-spinlock-around-the-tree-access-during-umount.patch +keys-fix-length-validation-in-keyctl_pkey_params_get_2.patch +keys-asymmetric-enforce-that-sig-algo-matches-key-algo.patch +keys-asymmetric-properly-validate-hash_algo-and-encoding.patch +serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch +documentation-add-link-to-stable-release-candidate-tree.patch +documentation-update-stable-tree-link.patch +firmware-stratix10-svc-add-missing-callback-parameter-on-rsu.patch +firmware-sysfb-fix-platform-device-leak-in-error-path.patch +hid-intel-ish-hid-use-dma_alloc_coherent-for-firmware-update.patch +sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch +sunrpc-do-not-dereference-non-socket-transports-in-sysfs.patch +nfs-nfsv2-v3-clients-should-never-be-setting-nfs_cap_xattr.patch +nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch +nfsd-prevent-integer-overflow-on-32-bit-systems.patch +f2fs-fix-to-unlock-page-correctly-in-error-path-of-is_alive.patch +f2fs-quota-fix-loop-condition-at-f2fs_quota_sync.patch +f2fs-fix-to-do-sanity-check-on-.cp_pack_total_block_count.patch +remoteproc-fix-count-check-in-rproc_coredump_write.patch +mm-mlock-fix-two-bugs-in-user_shm_lock.patch +pinctrl-ingenic-fix-regmap-on-x-series-socs.patch +pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch +net-bnxt_ptp-fix-compilation-error.patch +spi-mxic-fix-the-transmit-path.patch +mtd-spi-nor-skip-erase-logic-when-spi_nor_no_erase-is-set.patch +mtd-rawnand-protect-access-to-rawnand-devices-while-in-suspend.patch diff --git a/queue-5.17/spi-mxic-fix-the-transmit-path.patch b/queue-5.17/spi-mxic-fix-the-transmit-path.patch new file mode 100644 index 00000000000..08f5d1b78ea --- /dev/null +++ b/queue-5.17/spi-mxic-fix-the-transmit-path.patch @@ -0,0 +1,66 @@ +From 5fd6739e0df7e320bcac103dfb95fe75941fea17 Mon Sep 17 00:00:00 2001 +From: Miquel Raynal +Date: Thu, 27 Jan 2022 10:18:04 +0100 +Subject: spi: mxic: Fix the transmit path + +From: Miquel Raynal + +commit 5fd6739e0df7e320bcac103dfb95fe75941fea17 upstream. + +By working with external hardware ECC engines, we figured out that +Under certain circumstances, it is needed for the SPI controller to +check INT_TX_EMPTY and INT_RX_NOT_EMPTY in both receive and transmit +path (not only in the receive path). The delay penalty being +negligible, move this code in the common path. + +Fixes: b942d80b0a39 ("spi: Add MXIC controller driver") +Cc: stable@vger.kernel.org +Suggested-by: Mason Yang +Signed-off-by: Miquel Raynal +Reviewed-by: Zhengxun Li +Reviewed-by: Mark Brown +Link: https://lore.kernel.org/linux-mtd/20220127091808.1043392-10-miquel.raynal@bootlin.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/spi/spi-mxic.c | 26 +++++++++++--------------- + 1 file changed, 11 insertions(+), 15 deletions(-) + +--- a/drivers/spi/spi-mxic.c ++++ b/drivers/spi/spi-mxic.c +@@ -304,25 +304,21 @@ static int mxic_spi_data_xfer(struct mxi + + writel(data, mxic->regs + TXD(nbytes % 4)); + +- if (rxbuf) { +- ret = readl_poll_timeout(mxic->regs + INT_STS, sts, +- sts & INT_TX_EMPTY, 0, +- USEC_PER_SEC); +- if (ret) +- return ret; ++ ret = readl_poll_timeout(mxic->regs + INT_STS, sts, ++ sts & INT_TX_EMPTY, 0, USEC_PER_SEC); ++ if (ret) ++ return ret; + +- ret = readl_poll_timeout(mxic->regs + INT_STS, sts, +- sts & INT_RX_NOT_EMPTY, 0, +- USEC_PER_SEC); +- if (ret) +- return ret; ++ ret = readl_poll_timeout(mxic->regs + INT_STS, sts, ++ sts & INT_RX_NOT_EMPTY, 0, ++ USEC_PER_SEC); ++ if (ret) ++ return ret; + +- data = readl(mxic->regs + RXD); ++ data = readl(mxic->regs + RXD); ++ if (rxbuf) { + data >>= (8 * (4 - nbytes)); + memcpy(rxbuf + pos, &data, nbytes); +- WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY); +- } else { +- readl(mxic->regs + RXD); + } + WARN_ON(readl(mxic->regs + INT_STS) & INT_RX_NOT_EMPTY); + diff --git a/queue-5.17/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch b/queue-5.17/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch new file mode 100644 index 00000000000..e9ceb3e1179 --- /dev/null +++ b/queue-5.17/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch @@ -0,0 +1,49 @@ +From 3848e96edf4788f772d83990022fa7023a233d83 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 8 Mar 2022 13:42:17 +1100 +Subject: SUNRPC: avoid race between mod_timer() and del_timer_sync() + +From: NeilBrown + +commit 3848e96edf4788f772d83990022fa7023a233d83 upstream. + +xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync(). +Both xprt_unlock_connect() and xprt_release() call + ->release_xprt() +which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect() +which calls mod_timer(). + +This may result in mod_timer() being called *after* del_timer_sync(). +When this happens, the timer may fire long after the xprt has been freed, +and run_timer_softirq() will probably crash. + +The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is +always called under ->transport_lock. So if we take ->transport_lock to +call del_timer_sync(), we can be sure that mod_timer() will run first +(if it runs at all). + +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -2112,7 +2112,14 @@ static void xprt_destroy(struct rpc_xprt + */ + wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE); + ++ /* ++ * xprt_schedule_autodisconnect() can run after XPRT_LOCKED ++ * is cleared. We use ->transport_lock to ensure the mod_timer() ++ * can only run *before* del_time_sync(), never after. ++ */ ++ spin_lock(&xprt->transport_lock); + del_timer_sync(&xprt->timer); ++ spin_unlock(&xprt->transport_lock); + + /* + * Destroy sockets etc from the system workqueue so they can diff --git a/queue-5.17/sunrpc-do-not-dereference-non-socket-transports-in-sysfs.patch b/queue-5.17/sunrpc-do-not-dereference-non-socket-transports-in-sysfs.patch new file mode 100644 index 00000000000..91fd3f34f98 --- /dev/null +++ b/queue-5.17/sunrpc-do-not-dereference-non-socket-transports-in-sysfs.patch @@ -0,0 +1,213 @@ +From 421ab1be43bd015ffe744f4ea25df4f19d1ce6fe Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Fri, 25 Mar 2022 10:37:31 -0400 +Subject: SUNRPC: Do not dereference non-socket transports in sysfs + +From: Trond Myklebust + +commit 421ab1be43bd015ffe744f4ea25df4f19d1ce6fe upstream. + +Do not cast the struct xprt to a sock_xprt unless we know it is a UDP or +TCP transport. Otherwise the call to lock the mutex will scribble over +whatever structure is actually there. This has been seen to cause hard +system lockups when the underlying transport was RDMA. + +Fixes: b49ea673e119 ("SUNRPC: lock against ->sock changing during sysfs read") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/sunrpc/xprt.h | 3 ++ + include/linux/sunrpc/xprtsock.h | 1 + net/sunrpc/sysfs.c | 55 +++++++++++++++++++--------------------- + net/sunrpc/xprtsock.c | 26 +++++++++++++++++- + 4 files changed, 54 insertions(+), 31 deletions(-) + +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -139,6 +139,9 @@ struct rpc_xprt_ops { + void (*rpcbind)(struct rpc_task *task); + void (*set_port)(struct rpc_xprt *xprt, unsigned short port); + void (*connect)(struct rpc_xprt *xprt, struct rpc_task *task); ++ int (*get_srcaddr)(struct rpc_xprt *xprt, char *buf, ++ size_t buflen); ++ unsigned short (*get_srcport)(struct rpc_xprt *xprt); + int (*buf_alloc)(struct rpc_task *task); + void (*buf_free)(struct rpc_task *task); + void (*prepare_request)(struct rpc_rqst *req); +--- a/include/linux/sunrpc/xprtsock.h ++++ b/include/linux/sunrpc/xprtsock.h +@@ -10,7 +10,6 @@ + + int init_socket_xprt(void); + void cleanup_socket_xprt(void); +-unsigned short get_srcport(struct rpc_xprt *); + + #define RPC_MIN_RESVPORT (1U) + #define RPC_MAX_RESVPORT (65535U) +--- a/net/sunrpc/sysfs.c ++++ b/net/sunrpc/sysfs.c +@@ -97,7 +97,7 @@ static ssize_t rpc_sysfs_xprt_dstaddr_sh + return 0; + ret = sprintf(buf, "%s\n", xprt->address_strings[RPC_DISPLAY_ADDR]); + xprt_put(xprt); +- return ret + 1; ++ return ret; + } + + static ssize_t rpc_sysfs_xprt_srcaddr_show(struct kobject *kobj, +@@ -105,33 +105,31 @@ static ssize_t rpc_sysfs_xprt_srcaddr_sh + char *buf) + { + struct rpc_xprt *xprt = rpc_sysfs_xprt_kobj_get_xprt(kobj); +- struct sockaddr_storage saddr; +- struct sock_xprt *sock; +- ssize_t ret = -1; ++ size_t buflen = PAGE_SIZE; ++ ssize_t ret = -ENOTSOCK; + + if (!xprt || !xprt_connected(xprt)) { +- xprt_put(xprt); +- return -ENOTCONN; ++ ret = -ENOTCONN; ++ } else if (xprt->ops->get_srcaddr) { ++ ret = xprt->ops->get_srcaddr(xprt, buf, buflen); ++ if (ret > 0) { ++ if (ret < buflen - 1) { ++ buf[ret] = '\n'; ++ ret++; ++ buf[ret] = '\0'; ++ } ++ } + } +- +- sock = container_of(xprt, struct sock_xprt, xprt); +- mutex_lock(&sock->recv_mutex); +- if (sock->sock == NULL || +- kernel_getsockname(sock->sock, (struct sockaddr *)&saddr) < 0) +- goto out; +- +- ret = sprintf(buf, "%pISc\n", &saddr); +-out: +- mutex_unlock(&sock->recv_mutex); + xprt_put(xprt); +- return ret + 1; ++ return ret; + } + + static ssize_t rpc_sysfs_xprt_info_show(struct kobject *kobj, +- struct kobj_attribute *attr, +- char *buf) ++ struct kobj_attribute *attr, char *buf) + { + struct rpc_xprt *xprt = rpc_sysfs_xprt_kobj_get_xprt(kobj); ++ unsigned short srcport = 0; ++ size_t buflen = PAGE_SIZE; + ssize_t ret; + + if (!xprt || !xprt_connected(xprt)) { +@@ -139,7 +137,11 @@ static ssize_t rpc_sysfs_xprt_info_show( + return -ENOTCONN; + } + +- ret = sprintf(buf, "last_used=%lu\ncur_cong=%lu\ncong_win=%lu\n" ++ if (xprt->ops->get_srcport) ++ srcport = xprt->ops->get_srcport(xprt); ++ ++ ret = snprintf(buf, buflen, ++ "last_used=%lu\ncur_cong=%lu\ncong_win=%lu\n" + "max_num_slots=%u\nmin_num_slots=%u\nnum_reqs=%u\n" + "binding_q_len=%u\nsending_q_len=%u\npending_q_len=%u\n" + "backlog_q_len=%u\nmain_xprt=%d\nsrc_port=%u\n" +@@ -147,14 +149,11 @@ static ssize_t rpc_sysfs_xprt_info_show( + xprt->last_used, xprt->cong, xprt->cwnd, xprt->max_reqs, + xprt->min_reqs, xprt->num_reqs, xprt->binding.qlen, + xprt->sending.qlen, xprt->pending.qlen, +- xprt->backlog.qlen, xprt->main, +- (xprt->xprt_class->ident == XPRT_TRANSPORT_TCP) ? +- get_srcport(xprt) : 0, ++ xprt->backlog.qlen, xprt->main, srcport, + atomic_long_read(&xprt->queuelen), +- (xprt->xprt_class->ident == XPRT_TRANSPORT_TCP) ? +- xprt->address_strings[RPC_DISPLAY_PORT] : "0"); ++ xprt->address_strings[RPC_DISPLAY_PORT]); + xprt_put(xprt); +- return ret + 1; ++ return ret; + } + + static ssize_t rpc_sysfs_xprt_state_show(struct kobject *kobj, +@@ -201,7 +200,7 @@ static ssize_t rpc_sysfs_xprt_state_show + } + + xprt_put(xprt); +- return ret + 1; ++ return ret; + } + + static ssize_t rpc_sysfs_xprt_switch_info_show(struct kobject *kobj, +@@ -220,7 +219,7 @@ static ssize_t rpc_sysfs_xprt_switch_inf + xprt_switch->xps_nunique_destaddr_xprts, + atomic_long_read(&xprt_switch->xps_queuelen)); + xprt_switch_put(xprt_switch); +- return ret + 1; ++ return ret; + } + + static ssize_t rpc_sysfs_xprt_dstaddr_store(struct kobject *kobj, +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -1638,7 +1638,7 @@ static int xs_get_srcport(struct sock_xp + return port; + } + +-unsigned short get_srcport(struct rpc_xprt *xprt) ++static unsigned short xs_sock_srcport(struct rpc_xprt *xprt) + { + struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt); + unsigned short ret = 0; +@@ -1648,7 +1648,25 @@ unsigned short get_srcport(struct rpc_xp + mutex_unlock(&sock->recv_mutex); + return ret; + } +-EXPORT_SYMBOL(get_srcport); ++ ++static int xs_sock_srcaddr(struct rpc_xprt *xprt, char *buf, size_t buflen) ++{ ++ struct sock_xprt *sock = container_of(xprt, struct sock_xprt, xprt); ++ union { ++ struct sockaddr sa; ++ struct sockaddr_storage st; ++ } saddr; ++ int ret = -ENOTCONN; ++ ++ mutex_lock(&sock->recv_mutex); ++ if (sock->sock) { ++ ret = kernel_getsockname(sock->sock, &saddr.sa); ++ if (ret >= 0) ++ ret = snprintf(buf, buflen, "%pISc", &saddr.sa); ++ } ++ mutex_unlock(&sock->recv_mutex); ++ return ret; ++} + + static unsigned short xs_next_srcport(struct sock_xprt *transport, unsigned short port) + { +@@ -2621,6 +2639,8 @@ static const struct rpc_xprt_ops xs_udp_ + .rpcbind = rpcb_getport_async, + .set_port = xs_set_port, + .connect = xs_connect, ++ .get_srcaddr = xs_sock_srcaddr, ++ .get_srcport = xs_sock_srcport, + .buf_alloc = rpc_malloc, + .buf_free = rpc_free, + .send_request = xs_udp_send_request, +@@ -2643,6 +2663,8 @@ static const struct rpc_xprt_ops xs_tcp_ + .rpcbind = rpcb_getport_async, + .set_port = xs_set_port, + .connect = xs_connect, ++ .get_srcaddr = xs_sock_srcaddr, ++ .get_srcport = xs_sock_srcport, + .buf_alloc = rpc_malloc, + .buf_free = rpc_free, + .prepare_request = xs_stream_prepare_request,