From: Sasha Levin Date: Mon, 26 Oct 2020 04:58:14 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.4.241~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1d969a8e168c96e7b47fa297374274c8daccffba;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch b/queue-4.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch new file mode 100644 index 00000000000..d396e7e4e8c --- /dev/null +++ b/queue-4.4/alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch @@ -0,0 +1,51 @@ +From 5e726f2294382ff6ffaa89812680d435e3513037 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 10:38:56 +0200 +Subject: ALSA: seq: oss: Avoid mutex lock for a long-time ioctl + +From: Takashi Iwai + +[ Upstream commit 2759caad2600d503c3b0ed800e7e03d2cd7a4c05 ] + +Recently we applied a fix to cover the whole OSS sequencer ioctls with +the mutex for dealing with the possible races. This works fine in +general, but in theory, this may lead to unexpectedly long stall if an +ioctl like SNDCTL_SEQ_SYNC is issued and an event with the far future +timestamp was queued. + +For fixing such a potential stall, this patch changes the mutex lock +applied conditionally excluding such an ioctl command. Also, change +the mutex_lock() with the interruptible version for user to allow +escaping from the big-hammer mutex. + +Fixes: 80982c7e834e ("ALSA: seq: oss: Serialize ioctls") +Suggested-by: Pavel Machek +Link: https://lore.kernel.org/r/20200922083856.28572-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/oss/seq_oss.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/oss/seq_oss.c b/sound/core/seq/oss/seq_oss.c +index 8044775999eda..4d1548b951c41 100644 +--- a/sound/core/seq/oss/seq_oss.c ++++ b/sound/core/seq/oss/seq_oss.c +@@ -186,9 +186,12 @@ odev_ioctl(struct file *file, unsigned int cmd, unsigned long arg) + if (snd_BUG_ON(!dp)) + return -ENXIO; + +- mutex_lock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC && ++ mutex_lock_interruptible(®ister_mutex)) ++ return -ERESTARTSYS; + rc = snd_seq_oss_ioctl(dp, cmd, arg); +- mutex_unlock(®ister_mutex); ++ if (cmd != SNDCTL_SEQ_SYNC) ++ mutex_unlock(®ister_mutex); + return rc; + } + +-- +2.25.1 + diff --git a/queue-4.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch b/queue-4.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch new file mode 100644 index 00000000000..b2dc7639c50 --- /dev/null +++ b/queue-4.4/arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch @@ -0,0 +1,68 @@ +From 85a02013dfd47a721ac8f5b3e6938678fba5d0b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Sep 2020 16:58:06 +0100 +Subject: ARM: 9007/1: l2c: fix prefetch bits init in L2X0_AUX_CTRL using DT + values + +From: Guillaume Tucker + +[ Upstream commit 8e007b367a59bcdf484c81f6df9bd5a4cc179ca6 ] + +The L310_PREFETCH_CTRL register bits 28 and 29 to enable data and +instruction prefetch respectively can also be accessed via the +L2X0_AUX_CTRL register. They appear to be actually wired together in +hardware between the registers. Changing them in the prefetch +register only will get undone when restoring the aux control register +later on. For this reason, set these bits in both registers during +initialisation according to the devicetree property values. + +Link: https://lore.kernel.org/lkml/76f2f3ad5e77e356e0a5b99ceee1e774a2842c25.1597061474.git.guillaume.tucker@collabora.com/ + +Fixes: ec3bd0e68a67 ("ARM: 8391/1: l2c: add options to overwrite prefetching behavior") +Signed-off-by: Guillaume Tucker +Signed-off-by: Russell King +Signed-off-by: Sasha Levin +--- + arch/arm/mm/cache-l2x0.c | 16 ++++++++++++---- + 1 file changed, 12 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mm/cache-l2x0.c b/arch/arm/mm/cache-l2x0.c +index 493692d838c67..0b6f8a93d8c60 100644 +--- a/arch/arm/mm/cache-l2x0.c ++++ b/arch/arm/mm/cache-l2x0.c +@@ -1228,20 +1228,28 @@ static void __init l2c310_of_parse(const struct device_node *np, + + ret = of_property_read_u32(np, "prefetch-data", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_DATA_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_DATA_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-data property value is missing\n"); + } + + ret = of_property_read_u32(np, "prefetch-instr", &val); + if (ret == 0) { +- if (val) ++ if (val) { + prefetch |= L310_PREFETCH_CTRL_INSTR_PREFETCH; +- else ++ *aux_val |= L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } else { + prefetch &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ *aux_val &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; ++ } ++ *aux_mask &= ~L310_PREFETCH_CTRL_INSTR_PREFETCH; + } else if (ret != -EINVAL) { + pr_err("L2C-310 OF prefetch-instr property value is missing\n"); + } +-- +2.25.1 + diff --git a/queue-4.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch b/queue-4.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch new file mode 100644 index 00000000000..55c594ac0ef --- /dev/null +++ b/queue-4.4/arm64-dts-zynqmp-remove-additional-compatible-string.patch @@ -0,0 +1,60 @@ +From aa4f7016a9c95e0e0c0c7b9728384a10c73ed5a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 10:59:14 +0200 +Subject: arm64: dts: zynqmp: Remove additional compatible string for i2c IPs + +From: Michal Simek + +[ Upstream commit 35292518cb0a626fcdcabf739aed75060a018ab5 ] + +DT binding permits only one compatible string which was decribed in past by +commit 63cab195bf49 ("i2c: removed work arounds in i2c driver for Zynq +Ultrascale+ MPSoC"). +The commit aea37006e183 ("dt-bindings: i2c: cadence: Migrate i2c-cadence +documentation to YAML") has converted binding to yaml and the following +issues is reported: +...: i2c@ff030000: compatible: Additional items are not allowed +('cdns,i2c-r1p10' was unexpected) + From schema: +.../Documentation/devicetree/bindings/i2c/cdns,i2c-r1p10.yaml fds +...: i2c@ff030000: compatible: ['cdns,i2c-r1p14', 'cdns,i2c-r1p10'] is too +long + +The commit c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +has added the second compatible string but without removing origin one. +The patch is only keeping one compatible string "cdns,i2c-r1p14". + +Fixes: c415f9e8304a ("ARM64: zynqmp: Fix i2c node's compatible string") +Signed-off-by: Michal Simek +Link: https://lore.kernel.org/r/cc294ae1a79ef845af6809ddb4049f0c0f5bb87a.1598259551.git.michal.simek@xilinx.com +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/xilinx/zynqmp.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +index 172402cc1a0f5..ae2cbbdb634e4 100644 +--- a/arch/arm64/boot/dts/xilinx/zynqmp.dtsi ++++ b/arch/arm64/boot/dts/xilinx/zynqmp.dtsi +@@ -191,7 +191,7 @@ i2c_clk: i2c_clk { + }; + + i2c0: i2c@ff020000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 17 4>; +@@ -202,7 +202,7 @@ i2c0: i2c@ff020000 { + }; + + i2c1: i2c@ff030000 { +- compatible = "cdns,i2c-r1p14", "cdns,i2c-r1p10"; ++ compatible = "cdns,i2c-r1p14"; + status = "disabled"; + interrupt-parent = <&gic>; + interrupts = <0 18 4>; +-- +2.25.1 + diff --git a/queue-4.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch b/queue-4.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch new file mode 100644 index 00000000000..641faf8f3cf --- /dev/null +++ b/queue-4.4/ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch @@ -0,0 +1,68 @@ +From 3bbf19b19cf845ec4f65b37e46660e0c0ababe27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Jun 2020 18:11:05 -0400 +Subject: ath10k: check idx validity in __ath10k_htt_rx_ring_fill_n() + +From: Zekun Shen + +[ Upstream commit bad60b8d1a7194df38fd7fe4b22f3f4dcf775099 ] + +The idx in __ath10k_htt_rx_ring_fill_n function lives in +consistent dma region writable by the device. Malfunctional +or malicious device could manipulate such idx to have a OOB +write. Either by + htt->rx_ring.netbufs_ring[idx] = skb; +or by + ath10k_htt_set_paddrs_ring(htt, paddr, idx); + +The idx can also be negative as it's signed, giving a large +memory space to write to. + +It's possibly exploitable by corruptting a legit pointer with +a skb pointer. And then fill skb with payload as rougue object. + +Part of the log here. Sometimes it appears as UAF when writing +to a freed memory by chance. + + [ 15.594376] BUG: unable to handle page fault for address: ffff887f5c1804f0 + [ 15.595483] #PF: supervisor write access in kernel mode + [ 15.596250] #PF: error_code(0x0002) - not-present page + [ 15.597013] PGD 0 P4D 0 + [ 15.597395] Oops: 0002 [#1] SMP KASAN PTI + [ 15.597967] CPU: 0 PID: 82 Comm: kworker/u2:2 Not tainted 5.6.0 #69 + [ 15.598843] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 + [ 15.600438] Workqueue: ath10k_wq ath10k_core_register_work [ath10k_core] + [ 15.601389] RIP: 0010:__ath10k_htt_rx_ring_fill_n + (linux/drivers/net/wireless/ath/ath10k/htt_rx.c:173) ath10k_core + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200623221105.3486-1-bruceshenzk@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/htt_rx.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath10k/htt_rx.c b/drivers/net/wireless/ath/ath10k/htt_rx.c +index a65b5d7f59f44..1c6c422dbad64 100644 +--- a/drivers/net/wireless/ath/ath10k/htt_rx.c ++++ b/drivers/net/wireless/ath/ath10k/htt_rx.c +@@ -99,6 +99,14 @@ static int __ath10k_htt_rx_ring_fill_n(struct ath10k_htt *htt, int num) + BUILD_BUG_ON(HTT_RX_RING_FILL_LEVEL >= HTT_RX_RING_SIZE / 2); + + idx = __le32_to_cpu(*htt->rx_ring.alloc_idx.vaddr); ++ ++ if (idx < 0 || idx >= htt->rx_ring.size) { ++ ath10k_err(htt->ar, "rx ring index is not valid, firmware malfunctioning?\n"); ++ idx &= htt->rx_ring.size_mask; ++ ret = -ENOMEM; ++ goto fail; ++ } ++ + while (num > 0) { + skb = dev_alloc_skb(HTT_RX_BUF_SIZE + HTT_RX_DESC_ALIGN); + if (!skb) { +-- +2.25.1 + diff --git a/queue-4.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch b/queue-4.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch new file mode 100644 index 00000000000..831b61be488 --- /dev/null +++ b/queue-4.4/ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch @@ -0,0 +1,39 @@ +From b18df1c74233da3e121caa5f852dcf453f24db44 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:13:15 +0300 +Subject: ath6kl: prevent potential array overflow in ath6kl_add_new_sta() + +From: Dan Carpenter + +[ Upstream commit 54f9ab7b870934b70e5a21786d951fbcf663970f ] + +The value for "aid" comes from skb->data so Smatch marks it as +untrusted. If it's invalid then it can result in an out of bounds array +access in ath6kl_add_new_sta(). + +Fixes: 572e27c00c9d ("ath6kl: Fix AP mode connect event parsing and TIM updates") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141315.GB457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/main.c b/drivers/net/wireless/ath/ath6kl/main.c +index 1af3fed5a72ca..1a68518279689 100644 +--- a/drivers/net/wireless/ath/ath6kl/main.c ++++ b/drivers/net/wireless/ath/ath6kl/main.c +@@ -430,6 +430,9 @@ void ath6kl_connect_ap_mode_sta(struct ath6kl_vif *vif, u16 aid, u8 *mac_addr, + + ath6kl_dbg(ATH6KL_DBG_TRC, "new station %pM aid=%d\n", mac_addr, aid); + ++ if (aid < 1 || aid > AP_MAX_NUM_STA) ++ return; ++ + if (assoc_req_len > sizeof(struct ieee80211_hdr_3addr)) { + struct ieee80211_mgmt *mgmt = + (struct ieee80211_mgmt *) assoc_info; +-- +2.25.1 + diff --git a/queue-4.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch b/queue-4.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch new file mode 100644 index 00000000000..94742922e1e --- /dev/null +++ b/queue-4.4/ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch @@ -0,0 +1,43 @@ +From 5950492080954e8cc8d0ec416a7f7ce3f618463c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Sep 2020 17:27:32 +0300 +Subject: ath6kl: wmi: prevent a shift wrapping bug in + ath6kl_wmi_delete_pstream_cmd() + +From: Dan Carpenter + +[ Upstream commit 6a950755cec1a90ddaaff3e4acb5333617441c32 ] + +The "tsid" is a user controlled u8 which comes from debugfs. Values +more than 15 are invalid because "active_tsids" is a 16 bit variable. +If the value of "tsid" is more than 31 then that leads to a shift +wrapping bug. + +Fixes: 8fffd9e5ec9e ("ath6kl: Implement support for QOS-enable and QOS-disable from userspace") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200918142732.GA909725@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index b2ec254f154e0..7e1010475cfb2 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2644,6 +2644,11 @@ int ath6kl_wmi_delete_pstream_cmd(struct wmi *wmi, u8 if_idx, u8 traffic_class, + return -EINVAL; + } + ++ if (tsid >= 16) { ++ ath6kl_err("invalid tsid: %d\n", tsid); ++ return -EINVAL; ++ } ++ + skb = ath6kl_wmi_get_new_buf(sizeof(*cmd)); + if (!skb) + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch b/queue-4.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch new file mode 100644 index 00000000000..bd48779da51 --- /dev/null +++ b/queue-4.4/ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch @@ -0,0 +1,42 @@ +From e30f809da0a692d5c7830bde4800a96158ecfaa8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 17:12:53 +0300 +Subject: ath9k: Fix potential out of bounds in ath9k_htc_txcompletion_cb() + +From: Dan Carpenter + +[ Upstream commit 2705cd7558e718a7240c64eb0afb2edad5f8c190 ] + +The value of "htc_hdr->endpoint_id" comes from skb->data so Smatch marks +it as untrusted so we have to check it before using it as an array +offset. + +This is similar to a bug that syzkaller found in commit e4ff08a4d727 +("ath9k: Fix use-after-free Write in ath9k_htc_rx_msg") so it is +probably a real issue. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200813141253.GA457408@mwanda +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 1af216aa5adae..625823e45d8f0 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -346,6 +346,8 @@ void ath9k_htc_txcompletion_cb(struct htc_target *htc_handle, + + if (skb) { + htc_hdr = (struct htc_frame_hdr *) skb->data; ++ if (htc_hdr->endpoint_id >= ARRAY_SIZE(htc_handle->endpoint)) ++ goto ret; + endpoint = &htc_handle->endpoint[htc_hdr->endpoint_id]; + skb_pull(skb, sizeof(struct htc_frame_hdr)); + +-- +2.25.1 + diff --git a/queue-4.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch b/queue-4.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch new file mode 100644 index 00000000000..36a647f9a41 --- /dev/null +++ b/queue-4.4/ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch @@ -0,0 +1,92 @@ +From b9635616d0521910304f4bf443ea9d92688f4b40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 03:14:27 -0400 +Subject: ath9k: hif_usb: fix race condition between usb_get_urb() and + usb_kill_anchored_urbs() + +From: Brooke Basile + +[ Upstream commit 03fb92a432ea5abe5909bca1455b7e44a9380480 ] + +Calls to usb_kill_anchored_urbs() after usb_kill_urb() on multiprocessor +systems create a race condition in which usb_kill_anchored_urbs() deallocates +the URB before the completer callback is called in usb_kill_urb(), resulting +in a use-after-free. +To fix this, add proper lock protection to usb_kill_urb() calls that can +possibly run concurrently with usb_kill_anchored_urbs(). + +Reported-by: syzbot+89bd486af9427a9fc605@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=cabffad18eb74197f84871802fd2c5117b61febf +Signed-off-by: Brooke Basile +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200911071427.32354-1-brookebasile@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 76d91859cfde9..75072a8f8cf42 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -445,10 +445,19 @@ static void hif_usb_stop(void *hif_handle) + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + /* The pending URBs have to be canceled. */ ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); ++ list_del(&tx_buf->list); ++ usb_free_urb(tx_buf->urb); ++ kfree(tx_buf->buf); ++ kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +@@ -758,27 +767,37 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + struct tx_buf *tx_buf = NULL, *tx_buf_tmp = NULL; + unsigned long flags; + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + hif_dev->tx.flags |= HIF_USB_TX_FLUSH; + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_pending, list) { ++ usb_get_urb(tx_buf->urb); ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); ++ spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } ++ spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + + usb_kill_anchored_urbs(&hif_dev->mgmt_submitted); + } +-- +2.25.1 + diff --git a/queue-4.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch b/queue-4.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch new file mode 100644 index 00000000000..304a6903643 --- /dev/null +++ b/queue-4.4/backlight-sky81452-backlight-fix-refcount-imbalance-.patch @@ -0,0 +1,37 @@ +From 4892878c897147f2284c9030426e4f9328ee9581 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 14:38:17 +0800 +Subject: backlight: sky81452-backlight: Fix refcount imbalance on error + +From: dinghao.liu@zju.edu.cn + +[ Upstream commit b7a4f80bc316a56d6ec8750e93e66f42431ed960 ] + +When of_property_read_u32_array() returns an error code, a +pairing refcount decrement is needed to keep np's refcount +balanced. + +Fixes: f705806c9f355 ("backlight: Add support Skyworks SKY81452 backlight driver") +Signed-off-by: Dinghao Liu +Reviewed-by: Daniel Thompson +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/video/backlight/sky81452-backlight.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/backlight/sky81452-backlight.c b/drivers/video/backlight/sky81452-backlight.c +index d414c7a3acf5a..a2f77625b7170 100644 +--- a/drivers/video/backlight/sky81452-backlight.c ++++ b/drivers/video/backlight/sky81452-backlight.c +@@ -207,6 +207,7 @@ static struct sky81452_bl_platform_data *sky81452_bl_parse_dt( + num_entry); + if (ret < 0) { + dev_err(dev, "led-sources node is invalid.\n"); ++ of_node_put(np); + return ERR_PTR(-EINVAL); + } + +-- +2.25.1 + diff --git a/queue-4.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch b/queue-4.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch new file mode 100644 index 00000000000..f9f79d0dc78 --- /dev/null +++ b/queue-4.4/bluetooth-only-mark-socket-zapped-after-unlocking.patch @@ -0,0 +1,73 @@ +From 1bfdb2cffd079dfdd58dade12bcffda03c6fe889 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 15:33:18 -0700 +Subject: Bluetooth: Only mark socket zapped after unlocking + +From: Abhishek Pandit-Subedi + +[ Upstream commit 20ae4089d0afeb24e9ceb026b996bfa55c983cc2 ] + +Since l2cap_sock_teardown_cb doesn't acquire the channel lock before +setting the socket as zapped, it could potentially race with +l2cap_sock_release which frees the socket. Thus, wait until the cleanup +is complete before marking the socket as zapped. + +This race was reproduced on a JBL GO speaker after the remote device +rejected L2CAP connection due to resource unavailability. + +Here is a dmesg log with debug logs from a repro of this bug: +[ 3465.424086] Bluetooth: hci_core.c:hci_acldata_packet() hci0 len 16 handle 0x0003 flags 0x0002 +[ 3465.424090] Bluetooth: hci_conn.c:hci_conn_enter_active_mode() hcon 00000000cfedd07d mode 0 +[ 3465.424094] Bluetooth: l2cap_core.c:l2cap_recv_acldata() conn 000000007eae8952 len 16 flags 0x2 +[ 3465.424098] Bluetooth: l2cap_core.c:l2cap_recv_frame() len 12, cid 0x0001 +[ 3465.424102] Bluetooth: l2cap_core.c:l2cap_raw_recv() conn 000000007eae8952 +[ 3465.424175] Bluetooth: l2cap_core.c:l2cap_sig_channel() code 0x03 len 8 id 0x0c +[ 3465.424180] Bluetooth: l2cap_core.c:l2cap_connect_create_rsp() dcid 0x0045 scid 0x0000 result 0x02 status 0x00 +[ 3465.424189] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 4 +[ 3465.424196] Bluetooth: l2cap_core.c:l2cap_chan_del() chan 000000006acf9bff, conn 000000007eae8952, err 111, state BT_CONNECT +[ 3465.424203] Bluetooth: l2cap_sock.c:l2cap_sock_teardown_cb() chan 000000006acf9bff state BT_CONNECT +[ 3465.424221] Bluetooth: l2cap_core.c:l2cap_chan_put() chan 000000006acf9bff orig refcnt 3 +[ 3465.424226] Bluetooth: hci_core.h:hci_conn_drop() hcon 00000000cfedd07d orig refcnt 6 +[ 3465.424234] BUG: spinlock bad magic on CPU#2, kworker/u17:0/159 +[ 3465.425626] Bluetooth: hci_sock.c:hci_sock_sendmsg() sock 000000002bb0cb64 sk 00000000a7964053 +[ 3465.430330] lock: 0xffffff804410aac0, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +[ 3465.430332] Causing a watchdog bite! + +Signed-off-by: Abhishek Pandit-Subedi +Reported-by: Balakrishna Godavarthi +Reviewed-by: Manish Mandlik +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index e562385d9440e..30731ce390ba0 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1330,8 +1330,6 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + parent = bt_sk(sk)->parent; + +- sock_set_flag(sk, SOCK_ZAPPED); +- + switch (chan->state) { + case BT_OPEN: + case BT_BOUND: +@@ -1358,8 +1356,11 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + + break; + } +- + release_sock(sk); ++ ++ /* Only zap after cleanup to avoid use after free race */ ++ sock_set_flag(sk, SOCK_ZAPPED); ++ + } + + static void l2cap_sock_state_change_cb(struct l2cap_chan *chan, int state, +-- +2.25.1 + diff --git a/queue-4.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch b/queue-4.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch new file mode 100644 index 00000000000..6bffaae813e --- /dev/null +++ b/queue-4.4/brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch @@ -0,0 +1,37 @@ +From 8fbd3586c6cf5819cf1c494f0c47aa114db5c347 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jul 2020 17:36:05 +0800 +Subject: brcm80211: fix possible memleak in brcmf_proto_msgbuf_attach + +From: Wang Yufen + +[ Upstream commit 6c151410d5b57e6bb0d91a735ac511459539a7bf ] + +When brcmf_proto_msgbuf_attach fail and msgbuf->txflow_wq != NULL, +we should destroy the workqueue. + +Reported-by: Hulk Robot +Signed-off-by: Wang Yufen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1595237765-66238-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +index f944f356d9c51..cacb43573f579 100644 +--- a/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/brcm80211/brcmfmac/msgbuf.c +@@ -1530,6 +1530,8 @@ int brcmf_proto_msgbuf_attach(struct brcmf_pub *drvr) + BRCMF_TX_IOCTL_MAX_MSG_SIZE, + msgbuf->ioctbuf, + msgbuf->ioctbuf_handle); ++ if (msgbuf->txflow_wq) ++ destroy_workqueue(msgbuf->txflow_wq); + kfree(msgbuf); + } + return -ENOMEM; +-- +2.25.1 + diff --git a/queue-4.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch b/queue-4.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch new file mode 100644 index 00000000000..781a58d8b29 --- /dev/null +++ b/queue-4.4/brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch @@ -0,0 +1,43 @@ +From 52f1105aefdcf00081678d564b5766f560689ddf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Sep 2020 12:17:41 +0000 +Subject: brcmsmac: fix memory leak in wlc_phy_attach_lcnphy + +From: Keita Suzuki + +[ Upstream commit f4443293d741d1776b86ed1dd8c4e4285d0775fc ] + +When wlc_phy_txpwr_srom_read_lcnphy fails in wlc_phy_attach_lcnphy, +the allocated pi->u.pi_lcnphy is leaked, since struct brcms_phy will be +freed in the caller function. + +Fix this by calling wlc_phy_detach_lcnphy in the error handler of +wlc_phy_txpwr_srom_read_lcnphy before returning. + +Signed-off-by: Keita Suzuki +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200908121743.23108-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c +index 93d4cde0eb313..c9f48ec46f4a1 100644 +--- a/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/phy/phy_lcn.c +@@ -5090,8 +5090,10 @@ bool wlc_phy_attach_lcnphy(struct brcms_phy *pi) + pi->pi_fptr.radioloftget = wlc_lcnphy_get_radio_loft; + pi->pi_fptr.detach = wlc_phy_detach_lcnphy; + +- if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) ++ if (!wlc_phy_txpwr_srom_read_lcnphy(pi)) { ++ kfree(pi->u.pi_lcnphy); + return false; ++ } + + if (LCNREV_IS(pi->pubpi.phy_rev, 1)) { + if (pi_lcn->lcnphy_tempsense_option == 3) { +-- +2.25.1 + diff --git a/queue-4.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch b/queue-4.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch new file mode 100644 index 00000000000..9921c593729 --- /dev/null +++ b/queue-4.4/cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch @@ -0,0 +1,52 @@ +From 71a5eba0fcca44aeb9267998d85929dad0fba627 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Sep 2020 13:32:54 +0530 +Subject: cpufreq: powernv: Fix frame-size-overflow in + powernv_cpufreq_reboot_notifier + +From: Srikar Dronamraju + +[ Upstream commit a2d0230b91f7e23ceb5d8fb6a9799f30517ec33a ] + +The patch avoids allocating cpufreq_policy on stack hence fixing frame +size overflow in 'powernv_cpufreq_reboot_notifier': + + drivers/cpufreq/powernv-cpufreq.c: In function powernv_cpufreq_reboot_notifier: + drivers/cpufreq/powernv-cpufreq.c:906:1: error: the frame size of 2064 bytes is larger than 2048 bytes + +Fixes: cf30af76 ("cpufreq: powernv: Set the cpus to nominal frequency during reboot/kexec") +Signed-off-by: Srikar Dronamraju +Reviewed-by: Daniel Axtens +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200922080254.41497-1-srikar@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/powernv-cpufreq.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/cpufreq/powernv-cpufreq.c b/drivers/cpufreq/powernv-cpufreq.c +index 57e6c45724e73..1930a1d1a1892 100644 +--- a/drivers/cpufreq/powernv-cpufreq.c ++++ b/drivers/cpufreq/powernv-cpufreq.c +@@ -410,12 +410,15 @@ static int powernv_cpufreq_reboot_notifier(struct notifier_block *nb, + unsigned long action, void *unused) + { + int cpu; +- struct cpufreq_policy cpu_policy; ++ struct cpufreq_policy *cpu_policy; + + rebooting = true; + for_each_online_cpu(cpu) { +- cpufreq_get_policy(&cpu_policy, cpu); +- powernv_cpufreq_target_index(&cpu_policy, get_nominal_index()); ++ cpu_policy = cpufreq_cpu_get(cpu); ++ if (!cpu_policy) ++ continue; ++ powernv_cpufreq_target_index(cpu_policy, get_nominal_index()); ++ cpufreq_cpu_put(cpu_policy); + } + + return NOTIFY_DONE; +-- +2.25.1 + diff --git a/queue-4.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch b/queue-4.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch new file mode 100644 index 00000000000..b82b57afcd0 --- /dev/null +++ b/queue-4.4/crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch @@ -0,0 +1,36 @@ +From b47995439965a2b6629515b45b297e1adee0aa4f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 16:56:48 +0200 +Subject: crypto: ixp4xx - Fix the size used in a 'dma_free_coherent()' call + +From: Christophe JAILLET + +[ Upstream commit f7ade9aaf66bd5599690acf0597df2c0f6cd825a ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()', in 'setup_crypt_desc()'. + +Fixes: 81bef0150074 ("crypto: ixp4xx - Hardware crypto support for IXP4xx CPUs") +Signed-off-by: Christophe JAILLET +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 8f27903532812..13657105cfb93 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -533,7 +533,7 @@ static void release_ixp_crypto(struct device *dev) + + if (crypt_virt) { + dma_free_coherent(dev, +- NPE_QLEN_TOTAL * sizeof( struct crypt_ctl), ++ NPE_QLEN * sizeof(struct crypt_ctl), + crypt_virt, crypt_phys); + } + return; +-- +2.25.1 + diff --git a/queue-4.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch b/queue-4.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch new file mode 100644 index 00000000000..055485cc08a --- /dev/null +++ b/queue-4.4/crypto-omap-sham-fix-digcnt-register-handling-with-e.patch @@ -0,0 +1,39 @@ +From 59a84693080c9891f01652693a518f79e014340e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 10:56:24 +0300 +Subject: crypto: omap-sham - fix digcnt register handling with export/import + +From: Tero Kristo + +[ Upstream commit 3faf757bad75f3fc1b2736f0431e295a073a7423 ] + +Running export/import for hashes in peculiar order (mostly done by +openssl) can mess up the internal book keeping of the OMAP SHA core. +Fix by forcibly writing the correct DIGCNT back to hardware. This issue +was noticed while transitioning to openssl 1.1 support. + +Fixes: 0d373d603202 ("crypto: omap-sham - Add OMAP4/AM33XX SHAM Support") +Signed-off-by: Tero Kristo +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index 48adb2a0903e5..7e9a44cee4250 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -453,6 +453,9 @@ static void omap_sham_write_ctrl_omap4(struct omap_sham_dev *dd, size_t length, + struct omap_sham_reqctx *ctx = ahash_request_ctx(dd->req); + u32 val, mask; + ++ if (likely(ctx->digcnt)) ++ omap_sham_write(dd, SHA_REG_DIGCNT(dd), ctx->digcnt); ++ + /* + * Setting ALGO_CONST only for the first iteration and + * CLOSE_HASH only for the last one. Note that flags mode bits +-- +2.25.1 + diff --git a/queue-4.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch b/queue-4.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch new file mode 100644 index 00000000000..4ac54ed456f --- /dev/null +++ b/queue-4.4/drivers-virt-fsl_hypervisor-fix-error-handling-path.patch @@ -0,0 +1,99 @@ +From 55f5c365c2c44c4c0a7a76e19198ebb1935487d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 02:51:11 +0530 +Subject: drivers/virt/fsl_hypervisor: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit 7f360bec37857bfd5a48cef21d86f58a09a3df63 ] + +First, when memory allocation for sg_list_unaligned failed, there +is a bug of calling put_pages() as we haven't pinned any pages. + +Second, if get_user_pages_fast() failed we should unpin num_pinned +pages. + +This will address both. + +As part of these changes, minor update in documentation. + +Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") +Signed-off-by: Souptick Joarder +Reviewed-by: Dan Carpenter +Reviewed-by: John Hubbard +Link: https://lore.kernel.org/r/1598995271-6755-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/virt/fsl_hypervisor.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/virt/fsl_hypervisor.c b/drivers/virt/fsl_hypervisor.c +index 9f96c7e61387d..0d11b5043db53 100644 +--- a/drivers/virt/fsl_hypervisor.c ++++ b/drivers/virt/fsl_hypervisor.c +@@ -157,7 +157,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + unsigned int i; + long ret = 0; +- int num_pinned; /* return value from get_user_pages() */ ++ int num_pinned = 0; /* return value from get_user_pages_fast() */ + phys_addr_t remote_paddr; /* The next address in the remote buffer */ + uint32_t count; /* The number of bytes left to copy */ + +@@ -174,7 +174,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + return -EINVAL; + + /* +- * The array of pages returned by get_user_pages() covers only ++ * The array of pages returned by get_user_pages_fast() covers only + * page-aligned memory. Since the user buffer is probably not + * page-aligned, we need to handle the discrepancy. + * +@@ -224,7 +224,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + + /* + * 'pages' is an array of struct page pointers that's initialized by +- * get_user_pages(). ++ * get_user_pages_fast(). + */ + pages = kzalloc(num_pages * sizeof(struct page *), GFP_KERNEL); + if (!pages) { +@@ -241,7 +241,7 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + if (!sg_list_unaligned) { + pr_debug("fsl-hv: could not allocate S/G list\n"); + ret = -ENOMEM; +- goto exit; ++ goto free_pages; + } + sg_list = PTR_ALIGN(sg_list_unaligned, sizeof(struct fh_sg_list)); + +@@ -254,7 +254,6 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + up_read(¤t->mm->mmap_sem); + + if (num_pinned != num_pages) { +- /* get_user_pages() failed */ + pr_debug("fsl-hv: could not lock source buffer\n"); + ret = (num_pinned < 0) ? num_pinned : -EFAULT; + goto exit; +@@ -296,13 +295,13 @@ static long ioctl_memcpy(struct fsl_hv_ioctl_memcpy __user *p) + virt_to_phys(sg_list), num_pages); + + exit: +- if (pages) { +- for (i = 0; i < num_pages; i++) +- if (pages[i]) +- put_page(pages[i]); ++ if (pages && (num_pinned > 0)) { ++ for (i = 0; i < num_pinned; i++) ++ put_page(pages[i]); + } + + kfree(sg_list_unaligned); ++free_pages: + kfree(pages); + + if (!ret) +-- +2.25.1 + diff --git a/queue-4.4/drm-gma500-fix-error-check.patch b/queue-4.4/drm-gma500-fix-error-check.patch new file mode 100644 index 00000000000..ce39444d662 --- /dev/null +++ b/queue-4.4/drm-gma500-fix-error-check.patch @@ -0,0 +1,54 @@ +From 2616f1a9e6db5061c17f4b2af54fd35a9c3f6f4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 13:59:11 -0700 +Subject: drm/gma500: fix error check + +From: Tom Rix + +[ Upstream commit cdd296cdae1af2d27dae3fcfbdf12c5252ab78cf ] + +Reviewing this block of code in cdv_intel_dp_init() + +ret = cdv_intel_dp_aux_native_read(gma_encoder, DP_DPCD_REV, ... + +cdv_intel_edp_panel_vdd_off(gma_encoder); +if (ret == 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + drm_encoder_cleanup(encoder); + cdv_intel_dp_destroy(connector); + goto err_priv; +} else { + +The (ret == 0) is not strict enough. +cdv_intel_dp_aux_native_read() returns > 0 on success +otherwise it is failure. + +So change to <= + +Fixes: d112a8163f83 ("gma500/cdv: Add eDP support") + +Signed-off-by: Tom Rix +Signed-off-by: Patrik Jakobsson +Link: https://patchwork.freedesktop.org/patch/msgid/20200805205911.20927-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/gma500/cdv_intel_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/gma500/cdv_intel_dp.c b/drivers/gpu/drm/gma500/cdv_intel_dp.c +index d3de377dc857e..25c68e4dc7a53 100644 +--- a/drivers/gpu/drm/gma500/cdv_intel_dp.c ++++ b/drivers/gpu/drm/gma500/cdv_intel_dp.c +@@ -2120,7 +2120,7 @@ cdv_intel_dp_init(struct drm_device *dev, struct psb_intel_mode_device *mode_dev + intel_dp->dpcd, + sizeof(intel_dp->dpcd)); + cdv_intel_edp_panel_vdd_off(gma_encoder); +- if (ret == 0) { ++ if (ret <= 0) { + /* if this fails, presume the device is a ghost */ + DRM_INFO("failed to retrieve link info, disabling eDP\n"); + cdv_intel_dp_encoder_destroy(encoder); +-- +2.25.1 + diff --git a/queue-4.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch b/queue-4.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch new file mode 100644 index 00000000000..7b5bdaa2221 --- /dev/null +++ b/queue-4.4/edac-i5100-fix-error-handling-order-in-i5100_init_on.patch @@ -0,0 +1,69 @@ +From 12ce960d8b1e0837b63932b7803b5ce91e732104 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 Aug 2020 20:14:37 +0800 +Subject: EDAC/i5100: Fix error handling order in i5100_init_one() + +From: Dinghao Liu + +[ Upstream commit 857a3139bd8be4f702c030c8ca06f3fd69c1741a ] + +When pci_get_device_func() fails, the driver doesn't need to execute +pci_dev_put(). mci should still be freed, though, to prevent a memory +leak. When pci_enable_device() fails, the error injection PCI device +"einj" doesn't need to be disabled either. + + [ bp: Massage commit message, rename label to "bail_mc_free". ] + +Fixes: 52608ba205461 ("i5100_edac: probe for device 19 function 0") +Signed-off-by: Dinghao Liu +Signed-off-by: Borislav Petkov +Link: https://lkml.kernel.org/r/20200826121437.31606-1-dinghao.liu@zju.edu.cn +Signed-off-by: Sasha Levin +--- + drivers/edac/i5100_edac.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/edac/i5100_edac.c b/drivers/edac/i5100_edac.c +index 40917775dca1c..59d10f48ed6ab 100644 +--- a/drivers/edac/i5100_edac.c ++++ b/drivers/edac/i5100_edac.c +@@ -1075,16 +1075,15 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + PCI_DEVICE_ID_INTEL_5100_19, 0); + if (!einj) { + ret = -ENODEV; +- goto bail_einj; ++ goto bail_mc_free; + } + + rc = pci_enable_device(einj); + if (rc < 0) { + ret = rc; +- goto bail_disable_einj; ++ goto bail_einj; + } + +- + mci->pdev = &pdev->dev; + + priv = mci->pvt_info; +@@ -1151,14 +1150,14 @@ static int i5100_init_one(struct pci_dev *pdev, const struct pci_device_id *id) + bail_scrub: + priv->scrub_enable = 0; + cancel_delayed_work_sync(&(priv->i5100_scrubbing)); +- edac_mc_free(mci); +- +-bail_disable_einj: + pci_disable_device(einj); + + bail_einj: + pci_dev_put(einj); + ++bail_mc_free: ++ edac_mc_free(mci); ++ + bail_disable_ch1: + pci_disable_device(ch1mm); + +-- +2.25.1 + diff --git a/queue-4.4/fix-use-after-free-in-get_capset_info-callback.patch b/queue-4.4/fix-use-after-free-in-get_capset_info-callback.patch new file mode 100644 index 00000000000..6aa210e95cc --- /dev/null +++ b/queue-4.4/fix-use-after-free-in-get_capset_info-callback.patch @@ -0,0 +1,61 @@ +From cc5451bf54ddb4335b8ca441d3f8c3212d2fb09e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:08:25 -0700 +Subject: Fix use after free in get_capset_info callback. + +From: Doug Horn + +[ Upstream commit e219688fc5c3d0d9136f8d29d7e0498388f01440 ] + +If a response to virtio_gpu_cmd_get_capset_info takes longer than +five seconds to return, the callback will access freed kernel memory +in vg->capsets. + +Signed-off-by: Doug Horn +Link: http://patchwork.freedesktop.org/patch/msgid/20200902210847.2689-2-gurchetansingh@chromium.org +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/virtio/virtgpu_kms.c | 2 ++ + drivers/gpu/drm/virtio/virtgpu_vq.c | 10 +++++++--- + 2 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c +index 06496a1281622..476b9993b0682 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_kms.c ++++ b/drivers/gpu/drm/virtio/virtgpu_kms.c +@@ -113,8 +113,10 @@ static void virtio_gpu_get_capsets(struct virtio_gpu_device *vgdev, + vgdev->capsets[i].id > 0, 5 * HZ); + if (ret == 0) { + DRM_ERROR("timed out waiting for cap set %d\n", i); ++ spin_lock(&vgdev->display_info_lock); + kfree(vgdev->capsets); + vgdev->capsets = NULL; ++ spin_unlock(&vgdev->display_info_lock); + return; + } + DRM_INFO("cap set %d: id %d, max-version %d, max-size %d\n", +diff --git a/drivers/gpu/drm/virtio/virtgpu_vq.c b/drivers/gpu/drm/virtio/virtgpu_vq.c +index 772a5a3b0ce1a..18e8fcad6690b 100644 +--- a/drivers/gpu/drm/virtio/virtgpu_vq.c ++++ b/drivers/gpu/drm/virtio/virtgpu_vq.c +@@ -596,9 +596,13 @@ static void virtio_gpu_cmd_get_capset_info_cb(struct virtio_gpu_device *vgdev, + int i = le32_to_cpu(cmd->capset_index); + + spin_lock(&vgdev->display_info_lock); +- vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); +- vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); +- vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ if (vgdev->capsets) { ++ vgdev->capsets[i].id = le32_to_cpu(resp->capset_id); ++ vgdev->capsets[i].max_version = le32_to_cpu(resp->capset_max_version); ++ vgdev->capsets[i].max_size = le32_to_cpu(resp->capset_max_size); ++ } else { ++ DRM_ERROR("invalid capset memory."); ++ } + spin_unlock(&vgdev->display_info_lock); + wake_up(&vgdev->resp_wq); + } +-- +2.25.1 + diff --git a/queue-4.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch b/queue-4.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch new file mode 100644 index 00000000000..a654e2eabc3 --- /dev/null +++ b/queue-4.4/hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch @@ -0,0 +1,78 @@ +From 360659f93ae6844e044cfeb18f058e7f980a962a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 11:57:35 +0300 +Subject: HID: roccat: add bounds checking in kone_sysfs_write_settings() + +From: Dan Carpenter + +[ Upstream commit d4f98dbfe717490e771b6e701904bfcf4b4557f0 ] + +This code doesn't check if "settings->startup_profile" is within bounds +and that could result in an out of bounds array access. What the code +does do is it checks if the settings can be written to the firmware, so +it's possible that the firmware has a bounds check? It's safer and +easier to verify when the bounds checking is done in the kernel. + +Fixes: 14bf62cde794 ("HID: add driver for Roccat Kone gaming mouse") +Signed-off-by: Dan Carpenter +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat-kone.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +diff --git a/drivers/hid/hid-roccat-kone.c b/drivers/hid/hid-roccat-kone.c +index c29265055ac1a..6c2b821c8d8b5 100644 +--- a/drivers/hid/hid-roccat-kone.c ++++ b/drivers/hid/hid-roccat-kone.c +@@ -299,31 +299,40 @@ static ssize_t kone_sysfs_write_settings(struct file *fp, struct kobject *kobj, + struct kone_device *kone = hid_get_drvdata(dev_get_drvdata(dev)); + struct usb_device *usb_dev = interface_to_usbdev(to_usb_interface(dev)); + int retval = 0, difference, old_profile; ++ struct kone_settings *settings = (struct kone_settings *)buf; + + /* I need to get my data in one piece */ + if (off != 0 || count != sizeof(struct kone_settings)) + return -EINVAL; + + mutex_lock(&kone->kone_lock); +- difference = memcmp(buf, &kone->settings, sizeof(struct kone_settings)); ++ difference = memcmp(settings, &kone->settings, ++ sizeof(struct kone_settings)); + if (difference) { +- retval = kone_set_settings(usb_dev, +- (struct kone_settings const *)buf); +- if (retval) { +- mutex_unlock(&kone->kone_lock); +- return retval; ++ if (settings->startup_profile < 1 || ++ settings->startup_profile > 5) { ++ retval = -EINVAL; ++ goto unlock; + } + ++ retval = kone_set_settings(usb_dev, settings); ++ if (retval) ++ goto unlock; ++ + old_profile = kone->settings.startup_profile; +- memcpy(&kone->settings, buf, sizeof(struct kone_settings)); ++ memcpy(&kone->settings, settings, sizeof(struct kone_settings)); + + kone_profile_activated(kone, kone->settings.startup_profile); + + if (kone->settings.startup_profile != old_profile) + kone_profile_report(kone, kone->settings.startup_profile); + } ++unlock: + mutex_unlock(&kone->kone_lock); + ++ if (retval) ++ return retval; ++ + return sizeof(struct kone_settings); + } + static BIN_ATTR(settings, 0660, kone_sysfs_read_settings, +-- +2.25.1 + diff --git a/queue-4.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch b/queue-4.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch new file mode 100644 index 00000000000..fbe95e57005 --- /dev/null +++ b/queue-4.4/ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch @@ -0,0 +1,41 @@ +From 4ffda7421bd532d73ac381202ed17677619de430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 3 Aug 2020 08:19:41 +0200 +Subject: IB/mlx4: Adjust delayed work when a dup is observed +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: HÃ¥kon Bugge + +[ Upstream commit 785167a114855c5aa75efca97000e405c2cc85bf ] + +When scheduling delayed work to clean up the cache, if the entry already +has been scheduled for deletion, we adjust the delay. + +Fixes: 3cf69cc8dbeb ("IB/mlx4: Add CM paravirtualization") +Link: https://lore.kernel.org/r/20200803061941.1139994-7-haakon.bugge@oracle.com +Signed-off-by: HÃ¥kon Bugge +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/mlx4/cm.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/infiniband/hw/mlx4/cm.c b/drivers/infiniband/hw/mlx4/cm.c +index 5dc920fe13269..c8c586c78d071 100644 +--- a/drivers/infiniband/hw/mlx4/cm.c ++++ b/drivers/infiniband/hw/mlx4/cm.c +@@ -309,6 +309,9 @@ static void schedule_delayed(struct ib_device *ibdev, struct id_map_entry *id) + if (!sriov->is_going_down) { + id->scheduled_delete = 1; + schedule_delayed_work(&id->timeout, CM_CLEANUP_CACHE_TIMEOUT); ++ } else if (id->scheduled_delete) { ++ /* Adjust timeout if already scheduled */ ++ mod_delayed_work(system_wq, &id->timeout, CM_CLEANUP_CACHE_TIMEOUT); + } + spin_unlock_irqrestore(&sriov->going_down_lock, flags); + spin_unlock(&sriov->id_map_lock); +-- +2.25.1 + diff --git a/queue-4.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch b/queue-4.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch new file mode 100644 index 00000000000..ab1c2c3614c --- /dev/null +++ b/queue-4.4/input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch @@ -0,0 +1,39 @@ +From 4b24f7640005313adedf8dbb539f28491a59628f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:51:05 -0700 +Subject: Input: ep93xx_keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 7d50f6656dacf085a00beeedbc48b19a37d17881 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 60214f058f44 ("Input: ep93xx_keypad - update driver to new core support") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-1-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/ep93xx_keypad.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/keyboard/ep93xx_keypad.c b/drivers/input/keyboard/ep93xx_keypad.c +index f77b295e0123e..01788a78041b3 100644 +--- a/drivers/input/keyboard/ep93xx_keypad.c ++++ b/drivers/input/keyboard/ep93xx_keypad.c +@@ -257,8 +257,8 @@ static int ep93xx_keypad_probe(struct platform_device *pdev) + } + + keypad->irq = platform_get_irq(pdev, 0); +- if (!keypad->irq) { +- err = -ENXIO; ++ if (keypad->irq < 0) { ++ err = keypad->irq; + goto failed_free; + } + +-- +2.25.1 + diff --git a/queue-4.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch b/queue-4.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch new file mode 100644 index 00000000000..a670954d8a1 --- /dev/null +++ b/queue-4.4/input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch @@ -0,0 +1,67 @@ +From 520218d308403ccae955870b0c566f6ea2a50bba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Sep 2020 10:17:01 -0700 +Subject: Input: imx6ul_tsc - clean up some errors in imx6ul_tsc_resume() + +From: Dan Carpenter + +[ Upstream commit 30df23c5ecdfb8da5b0bc17ceef67eff9e1b0957 ] + +If imx6ul_tsc_init() fails then we need to clean up the clocks. + +I reversed the "if (input_dev->users) {" condition to make the code a +bit simpler. + +Fixes: 6cc527b05847 ("Input: imx6ul_tsc - propagate the errors") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20200905124942.GC183976@mwanda +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/imx6ul_tsc.c | 27 +++++++++++++++----------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/input/touchscreen/imx6ul_tsc.c b/drivers/input/touchscreen/imx6ul_tsc.c +index 8275267eac254..4be7ddc04af0f 100644 +--- a/drivers/input/touchscreen/imx6ul_tsc.c ++++ b/drivers/input/touchscreen/imx6ul_tsc.c +@@ -490,20 +490,25 @@ static int __maybe_unused imx6ul_tsc_resume(struct device *dev) + + mutex_lock(&input_dev->mutex); + +- if (input_dev->users) { +- retval = clk_prepare_enable(tsc->adc_clk); +- if (retval) +- goto out; +- +- retval = clk_prepare_enable(tsc->tsc_clk); +- if (retval) { +- clk_disable_unprepare(tsc->adc_clk); +- goto out; +- } ++ if (!input_dev->users) ++ goto out; + +- retval = imx6ul_tsc_init(tsc); ++ retval = clk_prepare_enable(tsc->adc_clk); ++ if (retval) ++ goto out; ++ ++ retval = clk_prepare_enable(tsc->tsc_clk); ++ if (retval) { ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; + } + ++ retval = imx6ul_tsc_init(tsc); ++ if (retval) { ++ clk_disable_unprepare(tsc->tsc_clk); ++ clk_disable_unprepare(tsc->adc_clk); ++ goto out; ++ } + out: + mutex_unlock(&input_dev->mutex); + return retval; +-- +2.25.1 + diff --git a/queue-4.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch b/queue-4.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch new file mode 100644 index 00000000000..68ea27f930d --- /dev/null +++ b/queue-4.4/input-omap4-keypad-fix-handling-of-platform_get_irq-.patch @@ -0,0 +1,41 @@ +From 67e78a18c648f8e998c542819ac2e530f85c58ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:52:15 -0700 +Subject: Input: omap4-keypad - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit 4738dd1992fa13acfbbd71800c71c612f466fa44 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: f3a1ba60dbdb ("Input: omap4-keypad - use platform device helpers") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200828145744.3636-2-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/omap4-keypad.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/input/keyboard/omap4-keypad.c b/drivers/input/keyboard/omap4-keypad.c +index 3d2c60c8de830..c6a468dfdfb48 100644 +--- a/drivers/input/keyboard/omap4-keypad.c ++++ b/drivers/input/keyboard/omap4-keypad.c +@@ -253,10 +253,8 @@ static int omap4_keypad_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "no keyboard irq assigned\n"); +- return -EINVAL; +- } ++ if (irq < 0) ++ return irq; + + keypad_data = kzalloc(sizeof(struct omap4_keypad), GFP_KERNEL); + if (!keypad_data) { +-- +2.25.1 + diff --git a/queue-4.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch b/queue-4.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch new file mode 100644 index 00000000000..0cc81fb6eb1 --- /dev/null +++ b/queue-4.4/input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch @@ -0,0 +1,55 @@ +From 0f5fe4d6a0fdb21b8533197e85701eb55ebeb740 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Sep 2020 17:56:40 -0700 +Subject: Input: sun4i-ps2 - fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit cafb3abea6136e59ea534004e5773361e196bb94 ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: e443631d20f5 ("Input: serio - add support for Alwinner A10/A20 PS/2 controller") +Signed-off-by: Krzysztof Kozlowski +Acked-by: Chen-Yu Tsai +Link: https://lore.kernel.org/r/20200828145744.3636-4-krzk@kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/serio/sun4i-ps2.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/serio/sun4i-ps2.c b/drivers/input/serio/sun4i-ps2.c +index 04b96fe393397..46512b4d686a8 100644 +--- a/drivers/input/serio/sun4i-ps2.c ++++ b/drivers/input/serio/sun4i-ps2.c +@@ -210,7 +210,6 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + struct sun4i_ps2data *drvdata; + struct serio *serio; + struct device *dev = &pdev->dev; +- unsigned int irq; + int error; + + drvdata = kzalloc(sizeof(struct sun4i_ps2data), GFP_KERNEL); +@@ -263,14 +262,12 @@ static int sun4i_ps2_probe(struct platform_device *pdev) + writel(0, drvdata->reg_base + PS2_REG_GCTL); + + /* Get IRQ for the device */ +- irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(dev, "no IRQ found\n"); +- error = -ENXIO; ++ drvdata->irq = platform_get_irq(pdev, 0); ++ if (drvdata->irq < 0) { ++ error = drvdata->irq; + goto err_disable_clk; + } + +- drvdata->irq = irq; + drvdata->serio = serio; + drvdata->dev = dev; + +-- +2.25.1 + diff --git a/queue-4.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch b/queue-4.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch new file mode 100644 index 00000000000..ea872847a77 --- /dev/null +++ b/queue-4.4/ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch @@ -0,0 +1,52 @@ +From 1830ca4d0292e9f88bb6927932fd9c8ba552e7a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 03:46:40 -0400 +Subject: ipvs: Fix uninit-value in do_ip_vs_set_ctl() + +From: Peilin Ye + +[ Upstream commit c5a8a8498eed1c164afc94f50a939c1a10abf8ad ] + +do_ip_vs_set_ctl() is referencing uninitialized stack value when `len` is +zero. Fix it. + +Reported-by: syzbot+23b5f9e7caf61d9a3898@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=46ebfb92a8a812621a001ef04d90dfa459520fe2 +Suggested-by: Julian Anastasov +Signed-off-by: Peilin Ye +Acked-by: Julian Anastasov +Reviewed-by: Simon Horman +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/ipvs/ip_vs_ctl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c +index b176f76dfaa14..c7ee962a547b9 100644 +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -2383,6 +2383,10 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + /* Set timeout values for (tcp tcpfin udp) */ + ret = ip_vs_set_timeout(ipvs, (struct ip_vs_timeout_user *)arg); + goto out_unlock; ++ } else if (!len) { ++ /* No more commands with len == 0 below */ ++ ret = -EINVAL; ++ goto out_unlock; + } + + usvc_compat = (struct ip_vs_service_user *)arg; +@@ -2459,9 +2463,6 @@ do_ip_vs_set_ctl(struct sock *sk, int cmd, void __user *user, unsigned int len) + break; + case IP_VS_SO_SET_DELDEST: + ret = ip_vs_del_dest(svc, &udest); +- break; +- default: +- ret = -EINVAL; + } + + out_unlock: +-- +2.25.1 + diff --git a/queue-4.4/kdb-fix-pager-search-for-multi-line-strings.patch b/queue-4.4/kdb-fix-pager-search-for-multi-line-strings.patch new file mode 100644 index 00000000000..6208cfd7d97 --- /dev/null +++ b/queue-4.4/kdb-fix-pager-search-for-multi-line-strings.patch @@ -0,0 +1,55 @@ +From e4e8c2c027504a70889d31ef6b411a69b95954eb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 15:17:08 +0100 +Subject: kdb: Fix pager search for multi-line strings + +From: Daniel Thompson + +[ Upstream commit d081a6e353168f15e63eb9e9334757f20343319f ] + +Currently using forward search doesn't handle multi-line strings correctly. +The search routine replaces line breaks with \0 during the search and, for +regular searches ("help | grep Common\n"), there is code after the line +has been discarded or printed to replace the break character. + +However during a pager search ("help\n" followed by "/Common\n") when the +string is matched we will immediately return to normal output and the code +that should restore the \n becomes unreachable. Fix this by restoring the +replaced character when we disable the search mode and update the comment +accordingly. + +Fixes: fb6daa7520f9d ("kdb: Provide forward search at more prompt") +Link: https://lore.kernel.org/r/20200909141708.338273-1-daniel.thompson@linaro.org +Reviewed-by: Douglas Anderson +Signed-off-by: Daniel Thompson +Signed-off-by: Sasha Levin +--- + kernel/debug/kdb/kdb_io.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/kernel/debug/kdb/kdb_io.c b/kernel/debug/kdb/kdb_io.c +index cc892a9e109d8..ae39b014b7d6c 100644 +--- a/kernel/debug/kdb/kdb_io.c ++++ b/kernel/debug/kdb/kdb_io.c +@@ -683,12 +683,16 @@ int vkdb_printf(enum kdb_msgsrc src, const char *fmt, va_list ap) + size_avail = sizeof(kdb_buffer) - len; + goto kdb_print_out; + } +- if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) ++ if (kdb_grepping_flag >= KDB_GREPPING_FLAG_SEARCH) { + /* + * This was a interactive search (using '/' at more +- * prompt) and it has completed. Clear the flag. ++ * prompt) and it has completed. Replace the \0 with ++ * its original value to ensure multi-line strings ++ * are handled properly, and return to normal mode. + */ ++ *cphold = replaced_byte; + kdb_grepping_flag = 0; ++ } + /* + * at this point the string is a full line and + * should be printed, up to the null. +-- +2.25.1 + diff --git a/queue-4.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch b/queue-4.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch new file mode 100644 index 00000000000..07baeda6e01 --- /dev/null +++ b/queue-4.4/kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch @@ -0,0 +1,39 @@ +From f5973102fa0062db95351260f96e29d526d1834a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 10:23:42 +0800 +Subject: KVM: x86: emulating RDPID failure shall return #UD rather than #GP + +From: Robert Hoo + +[ Upstream commit a9e2e0ae686094571378c72d8146b5a1a92d0652 ] + +Per Intel's SDM, RDPID takes a #UD if it is unsupported, which is more or +less what KVM is emulating when MSR_TSC_AUX is not available. In fact, +there are no scenarios in which RDPID is supposed to #GP. + +Fixes: fb6d4d340e ("KVM: x86: emulate RDPID") +Signed-off-by: Robert Hoo +Message-Id: <1598581422-76264-1-git-send-email-robert.hu@linux.intel.com> +Reviewed-by: Jim Mattson +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/emulate.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 466028623e1a0..0c1e249a7ab69 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -3524,7 +3524,7 @@ static int em_rdpid(struct x86_emulate_ctxt *ctxt) + u64 tsc_aux = 0; + + if (ctxt->ops->get_msr(ctxt, MSR_TSC_AUX, &tsc_aux)) +- return emulate_gp(ctxt, 0); ++ return emulate_ud(ctxt); + ctxt->dst.val = tsc_aux; + return X86EMUL_CONTINUE; + } +-- +2.25.1 + diff --git a/queue-4.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch b/queue-4.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch new file mode 100644 index 00000000000..038477b0458 --- /dev/null +++ b/queue-4.4/lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch @@ -0,0 +1,45 @@ +From cc3cef5432ec8984b51afe29e88a0dd6721ef10b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Oct 2020 20:11:38 -0700 +Subject: lib/crc32.c: fix trivial typo in preprocessor condition + +From: Tobias Jordan + +[ Upstream commit 904542dc56524f921a6bab0639ff6249c01e775f ] + +Whether crc32_be needs a lookup table is chosen based on CRC_LE_BITS. +Obviously, the _be function should be governed by the _BE_ define. + +This probably never pops up as it's hard to come up with a configuration +where CRC_BE_BITS isn't the same as CRC_LE_BITS and as nobody is using +bitwise CRC anyway. + +Fixes: 46c5801eaf86 ("crc32: bolt on crc32c") +Signed-off-by: Tobias Jordan +Signed-off-by: Andrew Morton +Cc: Krzysztof Kozlowski +Cc: Jonathan Corbet +Cc: Mauro Carvalho Chehab +Link: https://lkml.kernel.org/r/20200923182122.GA3338@agrajag.zerfleddert.de +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/crc32.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/crc32.c b/lib/crc32.c +index 9a907d489d951..eed675bcd6751 100644 +--- a/lib/crc32.c ++++ b/lib/crc32.c +@@ -327,7 +327,7 @@ static inline u32 __pure crc32_be_generic(u32 crc, unsigned char const *p, + return crc; + } + +-#if CRC_LE_BITS == 1 ++#if CRC_BE_BITS == 1 + u32 __pure crc32_be(u32 crc, unsigned char const *p, size_t len) + { + return crc32_be_generic(crc, p, len, NULL, CRCPOLY_BE); +-- +2.25.1 + diff --git a/queue-4.4/media-ati_remote-sanity-check-for-both-endpoints.patch b/queue-4.4/media-ati_remote-sanity-check-for-both-endpoints.patch new file mode 100644 index 00000000000..6ce02875955 --- /dev/null +++ b/queue-4.4/media-ati_remote-sanity-check-for-both-endpoints.patch @@ -0,0 +1,40 @@ +From 48efa0dd602b4d04f1bad15def21b12c980f60bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Sep 2020 15:50:51 +0200 +Subject: media: ati_remote: sanity check for both endpoints + +From: Oliver Neukum + +[ Upstream commit a8be80053ea74bd9c3f9a3810e93b802236d6498 ] + +If you do sanity checks, you should do them for both endpoints. +Hence introduce checking for endpoint type for the output +endpoint, too. + +Reported-by: syzbot+998261c2ae5932458f6c@syzkaller.appspotmail.com +Signed-off-by: Oliver Neukum +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ati_remote.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/rc/ati_remote.c b/drivers/media/rc/ati_remote.c +index a35631891cc00..3c3f4c4f6be40 100644 +--- a/drivers/media/rc/ati_remote.c ++++ b/drivers/media/rc/ati_remote.c +@@ -843,6 +843,10 @@ static int ati_remote_probe(struct usb_interface *interface, + err("%s: endpoint_in message size==0? \n", __func__); + return -ENODEV; + } ++ if (!usb_endpoint_is_int_out(endpoint_out)) { ++ err("%s: Unexpected endpoint_out\n", __func__); ++ return -ENODEV; ++ } + + ati_remote = kzalloc(sizeof (struct ati_remote), GFP_KERNEL); + rc_dev = rc_allocate_device(); +-- +2.25.1 + diff --git a/queue-4.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch b/queue-4.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch new file mode 100644 index 00000000000..b4d59b8f1a0 --- /dev/null +++ b/queue-4.4/media-bdisp-fix-runtime-pm-imbalance-on-error.patch @@ -0,0 +1,46 @@ +From 6c31c30311c48ae3e10327e65be44c65f8819d2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 May 2020 12:00:21 +0200 +Subject: media: bdisp: Fix runtime PM imbalance on error + +From: Dinghao Liu + +[ Upstream commit dbd2f2dc025f9be8ae063e4f270099677238f620 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code. Thus a pairing decrement is needed on +the error handling path to keep the counter balanced. + +Signed-off-by: Dinghao Liu +Reviewed-by: Fabien Dessenne +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/bdisp/bdisp-v4l2.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +index a00dfaa1b945d..6c97063cb3b3f 100644 +--- a/drivers/media/platform/sti/bdisp/bdisp-v4l2.c ++++ b/drivers/media/platform/sti/bdisp/bdisp-v4l2.c +@@ -1369,7 +1369,7 @@ static int bdisp_probe(struct platform_device *pdev) + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "failed to set PM\n"); +- goto err_dbg; ++ goto err_pm; + } + + /* Continuous memory allocator */ +@@ -1406,7 +1406,6 @@ static int bdisp_probe(struct platform_device *pdev) + vb2_dma_contig_cleanup_ctx(bdisp->alloc_ctx); + err_pm: + pm_runtime_put(dev); +-err_dbg: + bdisp_debugfs_remove(bdisp); + err_v4l2: + v4l2_device_unregister(&bdisp->v4l2_dev); +-- +2.25.1 + diff --git a/queue-4.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch b/queue-4.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch new file mode 100644 index 00000000000..8fbc28175e4 --- /dev/null +++ b/queue-4.4/media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch @@ -0,0 +1,41 @@ +From 73145556d6e212b72af75b2ea0d7e938b97e1e7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:10:58 +0200 +Subject: media: exynos4-is: Fix a reference count leak due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit c47f7c779ef0458a58583f00c9ed71b7f5a4d0a2 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 6bc3c8a2e1443..76fadd3e3ada2 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -413,8 +413,10 @@ static int fimc_md_register_sensor_entities(struct fimc_md *fmd) + return -ENXIO; + + ret = pm_runtime_get_sync(fmd->pmf); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(fmd->pmf); + return ret; ++ } + + fmd->num_sensors = 0; + +-- +2.25.1 + diff --git a/queue-4.4/media-exynos4-is-fix-a-reference-count-leak.patch b/queue-4.4/media-exynos4-is-fix-a-reference-count-leak.patch new file mode 100644 index 00000000000..5d8a5a32227 --- /dev/null +++ b/queue-4.4/media-exynos4-is-fix-a-reference-count-leak.patch @@ -0,0 +1,41 @@ +From 9df1c7abd9eafaab50d9aea63d2ef94f1fe08cdb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:01:11 +0200 +Subject: media: exynos4-is: Fix a reference count leak + +From: Qiushi Wu + +[ Upstream commit 64157b2cb1940449e7df2670e85781c690266588 ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/mipi-csis.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/platform/exynos4-is/mipi-csis.c b/drivers/media/platform/exynos4-is/mipi-csis.c +index 4b85105dc159b..4f7a0f59f36c2 100644 +--- a/drivers/media/platform/exynos4-is/mipi-csis.c ++++ b/drivers/media/platform/exynos4-is/mipi-csis.c +@@ -513,8 +513,10 @@ static int s5pcsis_s_stream(struct v4l2_subdev *sd, int enable) + if (enable) { + s5pcsis_clear_counters(state); + ret = pm_runtime_get_sync(&state->pdev->dev); +- if (ret && ret != 1) ++ if (ret && ret != 1) { ++ pm_runtime_put_noidle(&state->pdev->dev); + return ret; ++ } + } + + mutex_lock(&state->lock); +-- +2.25.1 + diff --git a/queue-4.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch b/queue-4.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch new file mode 100644 index 00000000000..845a4389423 --- /dev/null +++ b/queue-4.4/media-exynos4-is-fix-several-reference-count-leaks-d.patch @@ -0,0 +1,55 @@ +From 64b817e5274d9a278eac05291bd0bff9e4d867df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 05:18:29 +0200 +Subject: media: exynos4-is: Fix several reference count leaks due to + pm_runtime_get_sync + +From: Qiushi Wu + +[ Upstream commit 7ef64ceea0008c17e94a8a2c60c5d6d46f481996 ] + +On calling pm_runtime_get_sync() the reference count of the device +is incremented. In case of failure, decrement the +reference count before returning the error. + +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-isp.c | 4 +++- + drivers/media/platform/exynos4-is/fimc-lite.c | 2 +- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-isp.c b/drivers/media/platform/exynos4-is/fimc-isp.c +index 5d78f5716f3b8..ad280c5258b34 100644 +--- a/drivers/media/platform/exynos4-is/fimc-isp.c ++++ b/drivers/media/platform/exynos4-is/fimc-isp.c +@@ -311,8 +311,10 @@ static int fimc_isp_subdev_s_power(struct v4l2_subdev *sd, int on) + + if (on) { + ret = pm_runtime_get_sync(&is->pdev->dev); +- if (ret < 0) ++ if (ret < 0) { ++ pm_runtime_put(&is->pdev->dev); + return ret; ++ } + set_bit(IS_ST_PWR_ON, &is->state); + + ret = fimc_is_start_firmware(is); +diff --git a/drivers/media/platform/exynos4-is/fimc-lite.c b/drivers/media/platform/exynos4-is/fimc-lite.c +index 60660c3a5de0d..65b33470a1b1b 100644 +--- a/drivers/media/platform/exynos4-is/fimc-lite.c ++++ b/drivers/media/platform/exynos4-is/fimc-lite.c +@@ -487,7 +487,7 @@ static int fimc_lite_open(struct file *file) + set_bit(ST_FLITE_IN_USE, &fimc->state); + ret = pm_runtime_get_sync(&fimc->pdev->dev); + if (ret < 0) +- goto unlock; ++ goto err_pm; + + ret = v4l2_fh_open(file); + if (ret < 0) +-- +2.25.1 + diff --git a/queue-4.4/media-firewire-fix-memory-leak.patch b/queue-4.4/media-firewire-fix-memory-leak.patch new file mode 100644 index 00000000000..e8f82de4b10 --- /dev/null +++ b/queue-4.4/media-firewire-fix-memory-leak.patch @@ -0,0 +1,39 @@ +From 6870ca13558068d29baf554c583b48ecb8880d59 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 11:01:37 +0200 +Subject: media: firewire: fix memory leak + +From: Pavel Machek + +[ Upstream commit b28e32798c78a346788d412f1958f36bb760ec03 ] + +Fix memory leak in node_probe. + +Signed-off-by: Pavel Machek (CIP) +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/firewire/firedtv-fw.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/firewire/firedtv-fw.c b/drivers/media/firewire/firedtv-fw.c +index 5d634706a7eaa..382f290c3f4d5 100644 +--- a/drivers/media/firewire/firedtv-fw.c ++++ b/drivers/media/firewire/firedtv-fw.c +@@ -271,8 +271,10 @@ static int node_probe(struct fw_unit *unit, const struct ieee1394_device_id *id) + + name_len = fw_csr_string(unit->directory, CSR_MODEL, + name, sizeof(name)); +- if (name_len < 0) +- return name_len; ++ if (name_len < 0) { ++ err = name_len; ++ goto fail_free; ++ } + for (i = ARRAY_SIZE(model_names); --i; ) + if (strlen(model_names[i]) <= name_len && + strncmp(name, model_names[i], name_len) == 0) +-- +2.25.1 + diff --git a/queue-4.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch b/queue-4.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch new file mode 100644 index 00000000000..3d2285ac0b7 --- /dev/null +++ b/queue-4.4/media-m5mols-check-function-pointer-in-m5mols_sensor.patch @@ -0,0 +1,45 @@ +From f9c0e7510bf844ec2eb26b2b39c5383912134382 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Jul 2020 17:34:47 +0200 +Subject: media: m5mols: Check function pointer in m5mols_sensor_power + +From: Tom Rix + +[ Upstream commit 52438c4463ac904d14bf3496765e67750766f3a6 ] + +clang static analysis reports this error + +m5mols_core.c:767:4: warning: Called function pointer + is null (null dereference) [core.CallAndMessage] + info->set_power(&client->dev, 0); + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +In other places, the set_power ptr is checked. +So add a check. + +Fixes: bc125106f8af ("[media] Add support for M-5MOLS 8 Mega Pixel camera ISP") +Signed-off-by: Tom Rix +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/m5mols/m5mols_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/m5mols/m5mols_core.c b/drivers/media/i2c/m5mols/m5mols_core.c +index 6404c0d93e7af..514267680dc96 100644 +--- a/drivers/media/i2c/m5mols/m5mols_core.c ++++ b/drivers/media/i2c/m5mols/m5mols_core.c +@@ -754,7 +754,8 @@ static int m5mols_sensor_power(struct m5mols_info *info, bool enable) + + ret = regulator_bulk_enable(ARRAY_SIZE(supplies), supplies); + if (ret) { +- info->set_power(&client->dev, 0); ++ if (info->set_power) ++ info->set_power(&client->dev, 0); + return ret; + } + +-- +2.25.1 + diff --git a/queue-4.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch b/queue-4.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch new file mode 100644 index 00000000000..19284a72df6 --- /dev/null +++ b/queue-4.4/media-media-pci-prevent-memory-leak-in-bttv_probe.patch @@ -0,0 +1,65 @@ +From a9c51d9f531ad059b60ed8f8f4d3e2e0d0f1861b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 17 Apr 2020 11:52:30 +0200 +Subject: media: media/pci: prevent memory leak in bttv_probe + +From: Xiaolong Huang + +[ Upstream commit 7b817585b730665126b45df5508dd69526448bc8 ] + +In bttv_probe if some functions such as pci_enable_device, +pci_set_dma_mask and request_mem_region fails the allocated + memory for btv should be released. + +Signed-off-by: Xiaolong Huang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bttv-driver.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/pci/bt8xx/bttv-driver.c b/drivers/media/pci/bt8xx/bttv-driver.c +index 51dbef2f9a489..10c9c078af014 100644 +--- a/drivers/media/pci/bt8xx/bttv-driver.c ++++ b/drivers/media/pci/bt8xx/bttv-driver.c +@@ -4053,11 +4053,13 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btv->id = dev->device; + if (pci_enable_device(dev)) { + pr_warn("%d: Can't enable device\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (pci_set_dma_mask(dev, DMA_BIT_MASK(32))) { + pr_warn("%d: No suitable DMA available\n", btv->c.nr); +- return -EIO; ++ result = -EIO; ++ goto free_mem; + } + if (!request_mem_region(pci_resource_start(dev,0), + pci_resource_len(dev,0), +@@ -4065,7 +4067,8 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + pr_warn("%d: can't request iomem (0x%llx)\n", + btv->c.nr, + (unsigned long long)pci_resource_start(dev, 0)); +- return -EBUSY; ++ result = -EBUSY; ++ goto free_mem; + } + pci_set_master(dev); + pci_set_command(dev); +@@ -4251,6 +4254,10 @@ static int bttv_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + release_mem_region(pci_resource_start(btv->c.pci,0), + pci_resource_len(btv->c.pci,0)); + pci_disable_device(btv->c.pci); ++ ++free_mem: ++ bttvs[btv->c.nr] = NULL; ++ kfree(btv); + return result; + } + +-- +2.25.1 + diff --git a/queue-4.4/media-omap3isp-fix-memleak-in-isp_probe.patch b/queue-4.4/media-omap3isp-fix-memleak-in-isp_probe.patch new file mode 100644 index 00000000000..b5091a47ba5 --- /dev/null +++ b/queue-4.4/media-omap3isp-fix-memleak-in-isp_probe.patch @@ -0,0 +1,41 @@ +From d644c97cf1f73d42106d697f0140d5c676d7a270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Aug 2020 08:53:52 +0200 +Subject: media: omap3isp: Fix memleak in isp_probe + +From: Dinghao Liu + +[ Upstream commit d8fc21c17099635e8ebd986d042be65a6c6b5bd0 ] + +When devm_ioremap_resource() fails, isp should be +freed just like other error paths in isp_probe. + +Fixes: 8644cdf972dd6 ("[media] omap3isp: Replace many MMIO regions by two") +Signed-off-by: Dinghao Liu +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index f41e0d08de93e..4c6842202e47c 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2388,8 +2388,10 @@ static int isp_probe(struct platform_device *pdev) + mem = platform_get_resource(pdev, IORESOURCE_MEM, i); + isp->mmio_base[map_idx] = + devm_ioremap_resource(isp->dev, mem); +- if (IS_ERR(isp->mmio_base[map_idx])) +- return PTR_ERR(isp->mmio_base[map_idx]); ++ if (IS_ERR(isp->mmio_base[map_idx])) { ++ ret = PTR_ERR(isp->mmio_base[map_idx]); ++ goto error; ++ } + } + + ret = isp_get_clocks(isp); +-- +2.25.1 + diff --git a/queue-4.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch b/queue-4.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch new file mode 100644 index 00000000000..c6f2b99bc63 --- /dev/null +++ b/queue-4.4/media-revert-media-exynos4-is-add-missed-check-for-p.patch @@ -0,0 +1,47 @@ +From 87338880e499402e2158b63b75c308c5feb323c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Aug 2020 17:32:39 +0200 +Subject: media: Revert "media: exynos4-is: Add missed check for + pinctrl_lookup_state()" + +From: Sylwester Nawrocki + +[ Upstream commit 00d21f325d58567d81d9172096692d0a9ea7f725 ] + +The "idle" pinctrl state is optional as documented in the DT binding. +The change introduced by the commit being reverted makes that pinctrl state +mandatory and breaks initialization of the whole media driver, since the +"idle" state is not specified in any mainline dts. + +This reverts commit 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +to fix the regression. + +Fixes: 18ffec750578 ("media: exynos4-is: Add missed check for pinctrl_lookup_state()") +Signed-off-by: Sylwester Nawrocki +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/media-dev.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index 31cc7d94064e3..6bc3c8a2e1443 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1170,11 +1170,9 @@ static int fimc_md_get_pinctrl(struct fimc_md *fmd) + if (IS_ERR(pctl->state_default)) + return PTR_ERR(pctl->state_default); + ++ /* PINCTRL_STATE_IDLE is optional */ + pctl->state_idle = pinctrl_lookup_state(pctl->pinctrl, + PINCTRL_STATE_IDLE); +- if (IS_ERR(pctl->state_idle)) +- return PTR_ERR(pctl->state_idle); +- + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/media-saa7134-avoid-a-shift-overflow.patch b/queue-4.4/media-saa7134-avoid-a-shift-overflow.patch new file mode 100644 index 00000000000..a1f2a7f94a2 --- /dev/null +++ b/queue-4.4/media-saa7134-avoid-a-shift-overflow.patch @@ -0,0 +1,39 @@ +From 7d2122b7a99b77b2c452b2085d5c2fc5a5993dd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 08:37:12 +0200 +Subject: media: saa7134: avoid a shift overflow + +From: Mauro Carvalho Chehab + +[ Upstream commit 15a36aae1ec1c1f17149b6113b92631791830740 ] + +As reported by smatch: + drivers/media/pci/saa7134//saa7134-tvaudio.c:686 saa_dsp_writel() warn: should 'reg << 2' be a 64 bit type? + +On a 64-bits Kernel, the shift might be bigger than 32 bits. + +In real, this should never happen, but let's shut up the warning. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7134/saa7134-tvaudio.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7134/saa7134-tvaudio.c b/drivers/media/pci/saa7134/saa7134-tvaudio.c +index 21a579309575d..02407983ce236 100644 +--- a/drivers/media/pci/saa7134/saa7134-tvaudio.c ++++ b/drivers/media/pci/saa7134/saa7134-tvaudio.c +@@ -696,7 +696,8 @@ int saa_dsp_writel(struct saa7134_dev *dev, int reg, u32 value) + { + int err; + +- audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", reg << 2, value); ++ audio_dbg(2, "dsp write reg 0x%x = 0x%06x\n", ++ (reg << 2) & 0xffffffff, value); + err = saa_dsp_wait_bit(dev,SAA7135_DSP_RWSTATE_WRR); + if (err < 0) + return err; +-- +2.25.1 + diff --git a/queue-4.4/media-tc358743-initialize-variable.patch b/queue-4.4/media-tc358743-initialize-variable.patch new file mode 100644 index 00000000000..a6481681c75 --- /dev/null +++ b/queue-4.4/media-tc358743-initialize-variable.patch @@ -0,0 +1,42 @@ +From 37764da42d275b337e89b2f7486000ef8125fca1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 Aug 2020 18:30:43 +0200 +Subject: media: tc358743: initialize variable + +From: Tom Rix + +[ Upstream commit 274cf92d5dff5c2fec1a518078542ffe70d07646 ] + +clang static analysis flags this error + +tc358743.c:1468:9: warning: Branch condition evaluates + to a garbage value + return handled ? IRQ_HANDLED : IRQ_NONE; + ^~~~~~~ +handled should be initialized to false. + +Fixes: d747b806abf4 ("[media] tc358743: add direct interrupt handling") +Signed-off-by: Tom Rix +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index bc630a7197761..1e95fdb61041b 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1325,7 +1325,7 @@ static int tc358743_isr(struct v4l2_subdev *sd, u32 status, bool *handled) + static irqreturn_t tc358743_irq_handler(int irq, void *dev_id) + { + struct tc358743_state *state = dev_id; +- bool handled; ++ bool handled = false; + + tc358743_isr(&state->sd, 0, &handled); + +-- +2.25.1 + diff --git a/queue-4.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch b/queue-4.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch new file mode 100644 index 00000000000..f343f8eb212 --- /dev/null +++ b/queue-4.4/media-ti-vpe-fix-a-missing-check-and-reference-count.patch @@ -0,0 +1,42 @@ +From 44799e929190435bf9725da0e33df302510f4a15 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Jun 2020 04:56:05 +0200 +Subject: media: ti-vpe: Fix a missing check and reference count leak + +From: Qiushi Wu + +[ Upstream commit 7dae2aaaf432767ca7aa11fa84643a7c2600dbdd ] + +pm_runtime_get_sync() increments the runtime PM usage counter even +when it returns an error code, causing incorrect ref count if +pm_runtime_put_noidle() is not called in error handling paths. +And also, when the call of function vpe_runtime_get() failed, +we won't call vpe_runtime_put(). +Thus call pm_runtime_put_noidle() if pm_runtime_get_sync() fails +inside vpe_runtime_get(). + +Fixes: 4571912743ac ("[media] v4l: ti-vpe: Add VPE mem to mem driver") +Signed-off-by: Qiushi Wu +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/ti-vpe/vpe.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/media/platform/ti-vpe/vpe.c b/drivers/media/platform/ti-vpe/vpe.c +index b5f8c425cd2ef..8a3714bfb77e8 100644 +--- a/drivers/media/platform/ti-vpe/vpe.c ++++ b/drivers/media/platform/ti-vpe/vpe.c +@@ -2135,6 +2135,8 @@ static int vpe_runtime_get(struct platform_device *pdev) + + r = pm_runtime_get_sync(&pdev->dev); + WARN_ON(r < 0); ++ if (r) ++ pm_runtime_put_noidle(&pdev->dev); + return r < 0 ? r : 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch b/queue-4.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch new file mode 100644 index 00000000000..f3c6ba503ae --- /dev/null +++ b/queue-4.4/media-uvcvideo-ensure-all-probed-info-is-returned-to.patch @@ -0,0 +1,84 @@ +From 57e4b3d24c887d9a50f8fe31c4eec0ca96503976 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Aug 2020 03:21:33 +0200 +Subject: media: uvcvideo: Ensure all probed info is returned to v4l2 + +From: Adam Goode + +[ Upstream commit 8a652a17e3c005dcdae31b6c8fdf14382a29cbbe ] + +bFrameIndex and bFormatIndex can be negotiated by the camera during +probing, resulting in the camera choosing a different format than +expected. v4l2 can already accommodate such changes, but the code was +not updating the proper fields. + +Without such a change, v4l2 would potentially interpret the payload +incorrectly, causing corrupted output. This was happening on the +Elgato HD60 S+, which currently always renegotiates to format 1. + +As an aside, the Elgato firmware is buggy and should not be renegotating, +but it is still a valid thing for the camera to do. Both macOS and Windows +will properly probe and read uncorrupted images from this camera. + +With this change, both qv4l2 and chromium can now read uncorrupted video +from the Elgato HD60 S+. + +[Add blank lines, remove periods at the of messages] + +Signed-off-by: Adam Goode +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 30 ++++++++++++++++++++++++++++++ + 1 file changed, 30 insertions(+) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 0e7d16fe84d42..a0a544628053d 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -242,11 +242,41 @@ static int uvc_v4l2_try_format(struct uvc_streaming *stream, + if (ret < 0) + goto done; + ++ /* After the probe, update fmt with the values returned from ++ * negotiation with the device. ++ */ ++ for (i = 0; i < stream->nformats; ++i) { ++ if (probe->bFormatIndex == stream->format[i].index) { ++ format = &stream->format[i]; ++ break; ++ } ++ } ++ ++ if (i == stream->nformats) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFormatIndex %u\n", ++ probe->bFormatIndex); ++ return -EINVAL; ++ } ++ ++ for (i = 0; i < format->nframes; ++i) { ++ if (probe->bFrameIndex == format->frame[i].bFrameIndex) { ++ frame = &format->frame[i]; ++ break; ++ } ++ } ++ ++ if (i == format->nframes) { ++ uvc_trace(UVC_TRACE_FORMAT, "Unknown bFrameIndex %u\n", ++ probe->bFrameIndex); ++ return -EINVAL; ++ } ++ + fmt->fmt.pix.width = frame->wWidth; + fmt->fmt.pix.height = frame->wHeight; + fmt->fmt.pix.field = V4L2_FIELD_NONE; + fmt->fmt.pix.bytesperline = format->bpp * frame->wWidth / 8; + fmt->fmt.pix.sizeimage = probe->dwMaxVideoFrameSize; ++ fmt->fmt.pix.pixelformat = format->fcc; + fmt->fmt.pix.colorspace = format->colorspace; + fmt->fmt.pix.priv = 0; + +-- +2.25.1 + diff --git a/queue-4.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch b/queue-4.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch new file mode 100644 index 00000000000..b7f11194280 --- /dev/null +++ b/queue-4.4/memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch @@ -0,0 +1,40 @@ +From 3371e262bcec7351eaba0a2cb193cbd620c32215 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Aug 2020 09:33:15 +0200 +Subject: memory: fsl-corenet-cf: Fix handling of platform_get_irq() error + +From: Krzysztof Kozlowski + +[ Upstream commit dd85345abca60a8916617e8d75c0f9ce334336dd ] + +platform_get_irq() returns -ERRNO on error. In such case comparison +to 0 would pass the check. + +Fixes: 54afbec0d57f ("memory: Freescale CoreNet Coherency Fabric error reporting driver") +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20200827073315.29351-1-krzk@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl-corenet-cf.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/memory/fsl-corenet-cf.c b/drivers/memory/fsl-corenet-cf.c +index 662d050243bec..2fbf8d09af36b 100644 +--- a/drivers/memory/fsl-corenet-cf.c ++++ b/drivers/memory/fsl-corenet-cf.c +@@ -215,10 +215,8 @@ static int ccf_probe(struct platform_device *pdev) + dev_set_drvdata(&pdev->dev, ccf); + + irq = platform_get_irq(pdev, 0); +- if (!irq) { +- dev_err(&pdev->dev, "%s: no irq\n", __func__); +- return -ENXIO; +- } ++ if (irq < 0) ++ return irq; + + ret = devm_request_irq(&pdev->dev, irq, ccf_irq, 0, pdev->name, ccf); + if (ret) { +-- +2.25.1 + diff --git a/queue-4.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch b/queue-4.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch new file mode 100644 index 00000000000..dbcd2fb5cd7 --- /dev/null +++ b/queue-4.4/memory-omap-gpmc-fix-a-couple-off-by-ones.patch @@ -0,0 +1,48 @@ +From 8d8c0e7502239a86a2005649dbeb483939a6f41f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 13:47:07 +0300 +Subject: memory: omap-gpmc: Fix a couple off by ones + +From: Dan Carpenter + +[ Upstream commit 4c54228ac8fd55044195825873c50a524131fa53 ] + +These comparisons should be >= instead of > to prevent reading one +element beyond the end of the gpmc_cs[] array. + +Fixes: cdd6928c589a ("ARM: OMAP2+: Add device-tree support for NOR flash") +Fixes: f37e4580c409 ("ARM: OMAP2: Dynamic allocator for GPMC memory space") +Signed-off-by: Dan Carpenter +Acked-by: Roger Quadros +Link: https://lore.kernel.org/r/20200825104707.GB278587@mwanda +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/omap-gpmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/memory/omap-gpmc.c b/drivers/memory/omap-gpmc.c +index 49691a8c74ee9..af187c91fc33b 100644 +--- a/drivers/memory/omap-gpmc.c ++++ b/drivers/memory/omap-gpmc.c +@@ -928,7 +928,7 @@ static int gpmc_cs_remap(int cs, u32 base) + int ret; + u32 old_base, size; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +@@ -963,7 +963,7 @@ int gpmc_cs_request(int cs, unsigned long size, unsigned long *base) + struct resource *res = &gpmc->mem; + int r = -1; + +- if (cs > gpmc_cs_num) { ++ if (cs >= gpmc_cs_num) { + pr_err("%s: requested chip-select is disabled\n", __func__); + return -ENODEV; + } +-- +2.25.1 + diff --git a/queue-4.4/mfd-sm501-fix-leaks-in-probe.patch b/queue-4.4/mfd-sm501-fix-leaks-in-probe.patch new file mode 100644 index 00000000000..cc7c147b819 --- /dev/null +++ b/queue-4.4/mfd-sm501-fix-leaks-in-probe.patch @@ -0,0 +1,42 @@ +From a389a07c8c2dabcbf81471980b41ec91a1c28ec9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 14:33:26 +0300 +Subject: mfd: sm501: Fix leaks in probe() + +From: Dan Carpenter + +[ Upstream commit 8ce24f8967df2836b4557a23e74dc4bb098249f1 ] + +This code should clean up if sm501_init_dev() fails. + +Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/sm501.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c +index fbec711c41956..0fe273d2f6190 100644 +--- a/drivers/mfd/sm501.c ++++ b/drivers/mfd/sm501.c +@@ -1430,8 +1430,14 @@ static int sm501_plat_probe(struct platform_device *dev) + goto err_claim; + } + +- return sm501_init_dev(sm); ++ ret = sm501_init_dev(sm); ++ if (ret) ++ goto err_unmap; ++ ++ return 0; + ++ err_unmap: ++ iounmap(sm->regs); + err_claim: + release_resource(sm->regs_claim); + kfree(sm->regs_claim); +-- +2.25.1 + diff --git a/queue-4.4/misc-mic-scif-fix-error-handling-path.patch b/queue-4.4/misc-mic-scif-fix-error-handling-path.patch new file mode 100644 index 00000000000..50ae5391a20 --- /dev/null +++ b/queue-4.4/misc-mic-scif-fix-error-handling-path.patch @@ -0,0 +1,65 @@ +From 67a62e6fb50cf1d5ce02655d258b2787c7ea80bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Sep 2020 08:21:35 +0530 +Subject: misc: mic: scif: Fix error handling path + +From: Souptick Joarder + +[ Upstream commit a81072a9c0ae734b7889929b0bc070fe3f353f0e ] + +Inside __scif_pin_pages(), when map_flags != SCIF_MAP_KERNEL it +will call pin_user_pages_fast() to map nr_pages. However, +pin_user_pages_fast() might fail with a return value -ERRNO. + +The return value is stored in pinned_pages->nr_pages. which in +turn is passed to unpin_user_pages(), which expects +pinned_pages->nr_pages >=0, else disaster. + +Fix this by assigning pinned_pages->nr_pages to 0 if +pin_user_pages_fast() returns -ERRNO. + +Fixes: ba612aa8b487 ("misc: mic: SCIF memory registration and unregistration") +Cc: John Hubbard +Cc: Ira Weiny +Cc: Dan Carpenter +Reviewed-by: John Hubbard +Signed-off-by: Souptick Joarder +Link: https://lore.kernel.org/r/1600570295-29546-1-git-send-email-jrdr.linux@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/mic/scif/scif_rma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/misc/mic/scif/scif_rma.c b/drivers/misc/mic/scif/scif_rma.c +index 71c69e1c4ac05..4188b88c20a4a 100644 +--- a/drivers/misc/mic/scif/scif_rma.c ++++ b/drivers/misc/mic/scif/scif_rma.c +@@ -1403,6 +1403,8 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + NULL); + up_write(&mm->mmap_sem); + if (nr_pages != pinned_pages->nr_pages) { ++ if (pinned_pages->nr_pages < 0) ++ pinned_pages->nr_pages = 0; + if (try_upgrade) { + if (ulimit) + __scif_dec_pinned_vm_lock(mm, +@@ -1423,7 +1425,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + + if (pinned_pages->nr_pages < nr_pages) { + err = -EFAULT; +- pinned_pages->nr_pages = nr_pages; + goto dec_pinned; + } + +@@ -1436,7 +1437,6 @@ int __scif_pin_pages(void *addr, size_t len, int *out_prot, + __scif_dec_pinned_vm_lock(mm, nr_pages, 0); + /* Something went wrong! Rollback */ + error_unmap: +- pinned_pages->nr_pages = nr_pages; + scif_destroy_pinned_pages(pinned_pages); + *pages = NULL; + dev_dbg(scif_info.mdev.this_device, +-- +2.25.1 + diff --git a/queue-4.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch b/queue-4.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch new file mode 100644 index 00000000000..73468d8ffef --- /dev/null +++ b/queue-4.4/misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch @@ -0,0 +1,46 @@ +From b1a5d1eb4e76b721351a0611fd0db4ba8ffb20d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 07:18:51 +0000 +Subject: misc: rtsx: Fix memory leak in rtsx_pci_probe + +From: Keita Suzuki + +[ Upstream commit bc28369c6189009b66d9619dd9f09bd8c684bb98 ] + +When mfd_add_devices() fail, pcr->slots should also be freed. However, +the current implementation does not free the member, leading to a memory +leak. + +Fix this by adding a new goto label that frees pcr->slots. + +Signed-off-by: Keita Suzuki +Link: https://lore.kernel.org/r/20200909071853.4053-1-keitasuzuki.park@sslab.ics.keio.ac.jp +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mfd/rtsx_pcr.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c +index 98029ee0959e3..be61f8606a045 100644 +--- a/drivers/mfd/rtsx_pcr.c ++++ b/drivers/mfd/rtsx_pcr.c +@@ -1255,12 +1255,14 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, + ret = mfd_add_devices(&pcidev->dev, pcr->id, rtsx_pcr_cells, + ARRAY_SIZE(rtsx_pcr_cells), NULL, 0, NULL); + if (ret < 0) +- goto disable_irq; ++ goto free_slots; + + schedule_delayed_work(&pcr->idle_work, msecs_to_jiffies(200)); + + return 0; + ++free_slots: ++ kfree(pcr->slots); + disable_irq: + free_irq(pcr->irq, (void *)pcr); + disable_msi: +-- +2.25.1 + diff --git a/queue-4.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch b/queue-4.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch new file mode 100644 index 00000000000..62a13dfc2f0 --- /dev/null +++ b/queue-4.4/mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch @@ -0,0 +1,40 @@ +From bb860952def0e697f1c0a15635de536a45e5cc60 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Jul 2020 15:38:34 +0200 +Subject: mmc: sdio: Check for CISTPL_VERS_1 buffer size +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 8ebe2607965d3e2dc02029e8c7dd35fbe508ffd0 ] + +Before parsing CISTPL_VERS_1 structure check that its size is at least two +bytes to prevent buffer overflow. + +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20200727133837.19086-2-pali@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/core/sdio_cis.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/core/sdio_cis.c b/drivers/mmc/core/sdio_cis.c +index 8e94e555b788d..8651bd30863d4 100644 +--- a/drivers/mmc/core/sdio_cis.c ++++ b/drivers/mmc/core/sdio_cis.c +@@ -30,6 +30,9 @@ static int cistpl_vers_1(struct mmc_card *card, struct sdio_func *func, + unsigned i, nr_strings; + char **buffer, *string; + ++ if (size < 2) ++ return 0; ++ + /* Find all null-terminated (including zero length) strings in + the TPLLV1_INFO field. Trailing garbage is ignored. */ + buf += 2; +-- +2.25.1 + diff --git a/queue-4.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch b/queue-4.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch new file mode 100644 index 00000000000..ed3957bfd8e --- /dev/null +++ b/queue-4.4/mtd-lpddr-fix-excessive-stack-usage-with-clang.patch @@ -0,0 +1,96 @@ +From 5fc772b7f7f4e5edb19c946d47fe99dd86cdfd6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 May 2020 16:01:16 +0200 +Subject: mtd: lpddr: fix excessive stack usage with clang + +From: Arnd Bergmann + +[ Upstream commit 3e1b6469f8324bee5927b063e2aca30d3e56b907 ] + +Building lpddr2_nvm with clang can result in a giant stack usage +in one function: + +drivers/mtd/lpddr/lpddr2_nvm.c:399:12: error: stack frame size of 1144 bytes in function 'lpddr2_nvm_probe' [-Werror,-Wframe-larger-than=] + +The problem is that clang decides to build a copy of the mtd_info +structure on the stack and then do a memcpy() into the actual version. It +shouldn't really do it that way, but it's not strictly a bug either. + +As a workaround, use a static const version of the structure to assign +most of the members upfront and then only set the few members that +require runtime knowledge at probe time. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Arnd Bergmann +Reviewed-by: Nathan Chancellor +Acked-by: Miquel Raynal +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200505140136.263461-1-arnd@arndb.de +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 35 ++++++++++++++++++---------------- + 1 file changed, 19 insertions(+), 16 deletions(-) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index 2342277c9bcb0..5e36366d9b36d 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -408,6 +408,17 @@ static int lpddr2_nvm_lock(struct mtd_info *mtd, loff_t start_add, + return lpddr2_nvm_do_block_op(mtd, start_add, len, LPDDR2_NVM_LOCK); + } + ++static const struct mtd_info lpddr2_nvm_mtd_info = { ++ .type = MTD_RAM, ++ .writesize = 1, ++ .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), ++ ._read = lpddr2_nvm_read, ++ ._write = lpddr2_nvm_write, ++ ._erase = lpddr2_nvm_erase, ++ ._unlock = lpddr2_nvm_unlock, ++ ._lock = lpddr2_nvm_lock, ++}; ++ + /* + * lpddr2_nvm driver probe method + */ +@@ -448,6 +459,7 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + .pfow_base = OW_BASE_ADDRESS, + .fldrv_priv = pcm_data, + }; ++ + if (IS_ERR(map->virt)) + return PTR_ERR(map->virt); + +@@ -459,22 +471,13 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + return PTR_ERR(pcm_data->ctl_regs); + + /* Populate mtd_info data structure */ +- *mtd = (struct mtd_info) { +- .dev = { .parent = &pdev->dev }, +- .name = pdev->dev.init_name, +- .type = MTD_RAM, +- .priv = map, +- .size = resource_size(add_range), +- .erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width, +- .writesize = 1, +- .writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width, +- .flags = (MTD_CAP_NVRAM | MTD_POWERUP_LOCK), +- ._read = lpddr2_nvm_read, +- ._write = lpddr2_nvm_write, +- ._erase = lpddr2_nvm_erase, +- ._unlock = lpddr2_nvm_unlock, +- ._lock = lpddr2_nvm_lock, +- }; ++ *mtd = lpddr2_nvm_mtd_info; ++ mtd->dev.parent = &pdev->dev; ++ mtd->name = pdev->dev.init_name; ++ mtd->priv = map; ++ mtd->size = resource_size(add_range); ++ mtd->erasesize = ERASE_BLOCKSIZE * pcm_data->bus_width; ++ mtd->writebufsize = WRITE_BUFFSIZE * pcm_data->bus_width; + + /* Verify the presence of the device looking for PFOW string */ + if (!lpddr2_nvm_pfow_present(map)) { +-- +2.25.1 + diff --git a/queue-4.4/mtd-mtdoops-don-t-write-panic-data-twice.patch b/queue-4.4/mtd-mtdoops-don-t-write-panic-data-twice.patch new file mode 100644 index 00000000000..159247955a0 --- /dev/null +++ b/queue-4.4/mtd-mtdoops-don-t-write-panic-data-twice.patch @@ -0,0 +1,49 @@ +From 9ab5fff6e0d8d4f23913d467157ac44872273984 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Sep 2020 15:42:17 +1200 +Subject: mtd: mtdoops: Don't write panic data twice + +From: Mark Tomlinson + +[ Upstream commit c1cf1d57d1492235309111ea6a900940213a9166 ] + +If calling mtdoops_write, don't also schedule work to be done later. + +Although this appears to not be causing an issue, possibly because the +scheduled work will never get done, it is confusing. + +Fixes: 016c1291ce70 ("mtd: mtdoops: do not use mtd->panic_write directly") +Signed-off-by: Mark Tomlinson +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20200903034217.23079-1-mark.tomlinson@alliedtelesis.co.nz +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdoops.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/mtd/mtdoops.c b/drivers/mtd/mtdoops.c +index 97bb8f6304d4f..09165eaac7a15 100644 +--- a/drivers/mtd/mtdoops.c ++++ b/drivers/mtd/mtdoops.c +@@ -313,12 +313,13 @@ static void mtdoops_do_dump(struct kmsg_dumper *dumper, + kmsg_dump_get_buffer(dumper, true, cxt->oops_buf + MTDOOPS_HEADER_SIZE, + record_size - MTDOOPS_HEADER_SIZE, NULL); + +- /* Panics must be written immediately */ +- if (reason != KMSG_DUMP_OOPS) ++ if (reason != KMSG_DUMP_OOPS) { ++ /* Panics must be written immediately */ + mtdoops_write(cxt, 1); +- +- /* For other cases, schedule work to write it "nicely" */ +- schedule_work(&cxt->work_write); ++ } else { ++ /* For other cases, schedule work to write it "nicely" */ ++ schedule_work(&cxt->work_write); ++ } + } + + static void mtdoops_notify_add(struct mtd_info *mtd) +-- +2.25.1 + diff --git a/queue-4.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch b/queue-4.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch new file mode 100644 index 00000000000..550cc6409a1 --- /dev/null +++ b/queue-4.4/mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch @@ -0,0 +1,51 @@ +From 8d5ee509123c2b15cd325d940043edbe6237e156 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Aug 2020 11:29:06 +0200 +Subject: mwifiex: Do not use GFP_KERNEL in atomic context + +From: Christophe JAILLET + +[ Upstream commit d2ab7f00f4321370a8ee14e5630d4349fdacc42e ] + +A possible call chain is as follow: + mwifiex_sdio_interrupt (sdio.c) + --> mwifiex_main_process (main.c) + --> mwifiex_process_cmdresp (cmdevt.c) + --> mwifiex_process_sta_cmdresp (sta_cmdresp.c) + --> mwifiex_ret_802_11_scan (scan.c) + --> mwifiex_parse_single_response_buf (scan.c) + +'mwifiex_sdio_interrupt()' is an interrupt function. + +Also note that 'mwifiex_ret_802_11_scan()' already uses GFP_ATOMIC. + +So use GFP_ATOMIC instead of GFP_KERNEL when memory is allocated in +'mwifiex_parse_single_response_buf()'. + +Fixes: 7c6fa2a843c5 ("mwifiex: use cfg80211 dynamic scan table and cfg80211_get_bss API") +or +Fixes: 601216e12c65e ("mwifiex: process RX packets in SDIO IRQ thread directly") +Signed-off-by: Christophe JAILLET +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200809092906.744621-1-christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/scan.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mwifiex/scan.c b/drivers/net/wireless/mwifiex/scan.c +index e7c8972431d34..e54dd4b7face6 100644 +--- a/drivers/net/wireless/mwifiex/scan.c ++++ b/drivers/net/wireless/mwifiex/scan.c +@@ -1862,7 +1862,7 @@ mwifiex_parse_single_response_buf(struct mwifiex_private *priv, u8 **bss_info, + chan, CFG80211_BSS_FTYPE_UNKNOWN, + bssid, timestamp, + cap_info_bitmap, beacon_period, +- ie_buf, ie_len, rssi, GFP_KERNEL); ++ ie_buf, ie_len, rssi, GFP_ATOMIC); + if (bss) { + bss_priv = (struct mwifiex_bss_priv *)bss->priv; + bss_priv->band = band; +-- +2.25.1 + diff --git a/queue-4.4/mwifiex-fix-double-free.patch b/queue-4.4/mwifiex-fix-double-free.patch new file mode 100644 index 00000000000..921ea104264 --- /dev/null +++ b/queue-4.4/mwifiex-fix-double-free.patch @@ -0,0 +1,50 @@ +From 6ae0ab60747f71ecf3290b97b35d480d4a6a7180 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Oct 2020 06:19:31 -0700 +Subject: mwifiex: fix double free + +From: Tom Rix + +[ Upstream commit 53708f4fd9cfe389beab5c8daa763bcd0e0b4aef ] + +clang static analysis reports this problem: + +sdio.c:2403:3: warning: Attempt to free released memory + kfree(card->mpa_rx.buf); + ^~~~~~~~~~~~~~~~~~~~~~~ + +When mwifiex_init_sdio() fails in its first call to +mwifiex_alloc_sdio_mpa_buffer, it falls back to calling it +again. If the second alloc of mpa_tx.buf fails, the error +handler will try to free the old, previously freed mpa_rx.buf. +Reviewing the code, it looks like a second double free would +happen with mwifiex_cleanup_sdio(). + +So set both pointers to NULL when they are freed. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Tom Rix +Reviewed-by: Brian Norris +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20201004131931.29782-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/sdio.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/mwifiex/sdio.c b/drivers/net/wireless/mwifiex/sdio.c +index 78a8474e1a3dc..abfe4e8700ed3 100644 +--- a/drivers/net/wireless/mwifiex/sdio.c ++++ b/drivers/net/wireless/mwifiex/sdio.c +@@ -1928,6 +1928,8 @@ static int mwifiex_alloc_sdio_mpa_buffers(struct mwifiex_adapter *adapter, + kfree(card->mpa_rx.buf); + card->mpa_tx.buf_size = 0; + card->mpa_rx.buf_size = 0; ++ card->mpa_tx.buf = NULL; ++ card->mpa_rx.buf = NULL; + } + + return ret; +-- +2.25.1 + diff --git a/queue-4.4/net-enic-cure-the-enic-api-locking-trainwreck.patch b/queue-4.4/net-enic-cure-the-enic-api-locking-trainwreck.patch new file mode 100644 index 00000000000..aed34164e36 --- /dev/null +++ b/queue-4.4/net-enic-cure-the-enic-api-locking-trainwreck.patch @@ -0,0 +1,157 @@ +From 1c8b2acdffb1cd84003cd538eb672ec7fddc261a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 22:25:10 +0200 +Subject: net: enic: Cure the enic api locking trainwreck + +From: Thomas Gleixner + +[ Upstream commit a53b59ece86c86d16d12ccdaa1ad0c78250a9d96 ] + +enic_dev_wait() has a BUG_ON(in_interrupt()). + +Chasing the callers of enic_dev_wait() revealed the gems of enic_reset() +and enic_tx_hang_reset() which are both invoked through work queues in +order to be able to call rtnl_lock(). So far so good. + +After locking rtnl both functions acquire enic::enic_api_lock which +serializes against the (ab)use from infiniband. This is where the +trainwreck starts. + +enic::enic_api_lock is a spin_lock() which implicitly disables preemption, +but both functions invoke a ton of functions under that lock which can +sleep. The BUG_ON(in_interrupt()) does not trigger in that case because it +can't detect the preempt disabled condition. + +This clearly has never been tested with any of the mandatory debug options +for 7+ years, which would have caught that for sure. + +Cure it by adding a enic_api_busy member to struct enic, which is modified +and evaluated with enic::enic_api_lock held. + +If enic_api_devcmd_proxy_by_index() observes enic::enic_api_busy as true, +it drops enic::enic_api_lock and busy waits for enic::enic_api_busy to +become false. + +It would be smarter to wait for a completion of that busy period, but +enic_api_devcmd_proxy_by_index() is called with other spin locks held which +obviously can't sleep. + +Remove the BUG_ON(in_interrupt()) check as well because it's incomplete and +with proper debugging enabled the problem would have been caught from the +debug checks in schedule_timeout(). + +Fixes: 0b038566c0ea ("drivers/net: enic: Add an interface for USNIC to interact with firmware") +Signed-off-by: Thomas Gleixner +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/cisco/enic/enic.h | 1 + + drivers/net/ethernet/cisco/enic/enic_api.c | 6 +++++ + drivers/net/ethernet/cisco/enic/enic_main.c | 27 ++++++++++++++++----- + 3 files changed, 28 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/ethernet/cisco/enic/enic.h b/drivers/net/ethernet/cisco/enic/enic.h +index 7ba6d530b0c0a..230a4157ae9d0 100644 +--- a/drivers/net/ethernet/cisco/enic/enic.h ++++ b/drivers/net/ethernet/cisco/enic/enic.h +@@ -163,6 +163,7 @@ struct enic { + u16 num_vfs; + #endif + spinlock_t enic_api_lock; ++ bool enic_api_busy; + struct enic_port_profile *pp; + + /* work queue cache line section */ +diff --git a/drivers/net/ethernet/cisco/enic/enic_api.c b/drivers/net/ethernet/cisco/enic/enic_api.c +index b161f24522b87..b028ea2dec2b9 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_api.c ++++ b/drivers/net/ethernet/cisco/enic/enic_api.c +@@ -34,6 +34,12 @@ int enic_api_devcmd_proxy_by_index(struct net_device *netdev, int vf, + struct vnic_dev *vdev = enic->vdev; + + spin_lock(&enic->enic_api_lock); ++ while (enic->enic_api_busy) { ++ spin_unlock(&enic->enic_api_lock); ++ cpu_relax(); ++ spin_lock(&enic->enic_api_lock); ++ } ++ + spin_lock_bh(&enic->devcmd_lock); + + vnic_dev_cmd_proxy_by_index_start(vdev, vf); +diff --git a/drivers/net/ethernet/cisco/enic/enic_main.c b/drivers/net/ethernet/cisco/enic/enic_main.c +index 3fd1cba0c7ec3..5c74e55b75e52 100644 +--- a/drivers/net/ethernet/cisco/enic/enic_main.c ++++ b/drivers/net/ethernet/cisco/enic/enic_main.c +@@ -1938,8 +1938,6 @@ static int enic_dev_wait(struct vnic_dev *vdev, + int done; + int err; + +- BUG_ON(in_interrupt()); +- + err = start(vdev, arg); + if (err) + return err; +@@ -2116,6 +2114,13 @@ static int enic_set_rss_nic_cfg(struct enic *enic) + rss_hash_bits, rss_base_cpu, rss_enable); + } + ++static void enic_set_api_busy(struct enic *enic, bool busy) ++{ ++ spin_lock(&enic->enic_api_lock); ++ enic->enic_api_busy = busy; ++ spin_unlock(&enic->enic_api_lock); ++} ++ + static void enic_reset(struct work_struct *work) + { + struct enic *enic = container_of(work, struct enic, reset); +@@ -2125,7 +2130,9 @@ static void enic_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_stop(enic->netdev); + enic_dev_soft_reset(enic); + enic_reset_addr_lists(enic); +@@ -2133,7 +2140,10 @@ static void enic_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +@@ -2145,7 +2155,9 @@ static void enic_tx_hang_reset(struct work_struct *work) + + rtnl_lock(); + +- spin_lock(&enic->enic_api_lock); ++ /* Stop any activity from infiniband */ ++ enic_set_api_busy(enic, true); ++ + enic_dev_hang_notify(enic); + enic_stop(enic->netdev); + enic_dev_hang_reset(enic); +@@ -2154,7 +2166,10 @@ static void enic_tx_hang_reset(struct work_struct *work) + enic_set_rss_nic_cfg(enic); + enic_dev_set_ig_vlan_rewrite_mode(enic); + enic_open(enic->netdev); +- spin_unlock(&enic->enic_api_lock); ++ ++ /* Allow infiniband to fiddle with the device again */ ++ enic_set_api_busy(enic, false); ++ + call_netdevice_notifiers(NETDEV_REBOOT, enic->netdev); + + rtnl_unlock(); +-- +2.25.1 + diff --git a/queue-4.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch b/queue-4.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch new file mode 100644 index 00000000000..b123818fd30 --- /dev/null +++ b/queue-4.4/net-korina-fix-kfree-of-rx-tx-descriptor-array.patch @@ -0,0 +1,46 @@ +From f06e8db717e489ade879152c7a600ab3dcf16d28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Oct 2020 00:03:29 +0200 +Subject: net: korina: fix kfree of rx/tx descriptor array + +From: Valentin Vidic + +[ Upstream commit 3af5f0f5c74ecbaf757ef06c3f80d56751277637 ] + +kmalloc returns KSEG0 addresses so convert back from KSEG1 +in kfree. Also make sure array is freed when the driver is +unloaded from the kernel. + +Fixes: ef11291bcd5f ("Add support the Korina (IDT RC32434) Ethernet MAC") +Signed-off-by: Valentin Vidic +Acked-by: Willem de Bruijn +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/korina.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c +index 07eabf72c480c..3954c80f70fcb 100644 +--- a/drivers/net/ethernet/korina.c ++++ b/drivers/net/ethernet/korina.c +@@ -1188,7 +1188,7 @@ static int korina_probe(struct platform_device *pdev) + return rc; + + probe_err_register: +- kfree(lp->td_ring); ++ kfree(KSEG0ADDR(lp->td_ring)); + probe_err_td_ring: + iounmap(lp->tx_dma_regs); + probe_err_dma_tx: +@@ -1208,6 +1208,7 @@ static int korina_remove(struct platform_device *pdev) + iounmap(lp->eth_regs); + iounmap(lp->rx_dma_regs); + iounmap(lp->tx_dma_regs); ++ kfree(KSEG0ADDR(lp->td_ring)); + + unregister_netdev(bif->dev); + free_netdev(bif->dev); +-- +2.25.1 + diff --git a/queue-4.4/nl80211-fix-non-split-wiphy-information.patch b/queue-4.4/nl80211-fix-non-split-wiphy-information.patch new file mode 100644 index 00000000000..9749f83d41e --- /dev/null +++ b/queue-4.4/nl80211-fix-non-split-wiphy-information.patch @@ -0,0 +1,49 @@ +From 64a3ca995d83b2a162ff098721690cff90f0e2a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Sep 2020 13:07:18 +0200 +Subject: nl80211: fix non-split wiphy information + +From: Johannes Berg + +[ Upstream commit ab10c22bc3b2024f0c9eafa463899a071eac8d97 ] + +When dumping wiphy information, we try to split the data into +many submessages, but for old userspace we still support the +old mode where this doesn't happen. + +However, in this case we were not resetting our state correctly +and dumping multiple messages for each wiphy, which would have +broken such older userspace. + +This was broken pretty much immediately afterwards because it +only worked in the original commit where non-split dumps didn't +have any more data than split dumps... + +Fixes: fe1abafd942f ("nl80211: re-add channel width and extended capa advertising") +Signed-off-by: Johannes Berg +Link: https://lore.kernel.org/r/20200928130717.3e6d9c6bada2.Ie0f151a8d0d00a8e1e18f6a8c9244dd02496af67@changeid +Signed-off-by: Johannes Berg +Signed-off-by: Sasha Levin +--- + net/wireless/nl80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 95366e35ab134..7748d674677c9 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -1672,7 +1672,10 @@ static int nl80211_send_wiphy(struct cfg80211_registered_device *rdev, + * case we'll continue with more data in the next round, + * but break unconditionally so unsplit data stops here. + */ +- state->split_start++; ++ if (state->split) ++ state->split_start++; ++ else ++ state->split_start = 0; + break; + case 9: + if (rdev->wiphy.extended_capabilities && +-- +2.25.1 + diff --git a/queue-4.4/ntfs-add-check-for-mft-record-size-in-superblock.patch b/queue-4.4/ntfs-add-check-for-mft-record-size-in-superblock.patch new file mode 100644 index 00000000000..73a166f8ce0 --- /dev/null +++ b/queue-4.4/ntfs-add-check-for-mft-record-size-in-superblock.patch @@ -0,0 +1,46 @@ +From 90489325d9af45cae11665d53dd34e7e1e7fccf4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Oct 2020 16:48:17 -0700 +Subject: ntfs: add check for mft record size in superblock + +From: Rustam Kovhaev + +[ Upstream commit 4f8c94022f0bc3babd0a124c0a7dcdd7547bd94e ] + +Number of bytes allocated for mft record should be equal to the mft record +size stored in ntfs superblock as reported by syzbot, userspace might +trigger out-of-bounds read by dereferencing ctx->attr in ntfs_attr_find() + +Reported-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Signed-off-by: Rustam Kovhaev +Signed-off-by: Andrew Morton +Tested-by: syzbot+aed06913f36eff9b544e@syzkaller.appspotmail.com +Acked-by: Anton Altaparmakov +Link: https://syzkaller.appspot.com/bug?extid=aed06913f36eff9b544e +Link: https://lkml.kernel.org/r/20200824022804.226242-1-rkovhaev@gmail.com +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ntfs/inode.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/ntfs/inode.c b/fs/ntfs/inode.c +index d284f07eda775..38260c07de8b5 100644 +--- a/fs/ntfs/inode.c ++++ b/fs/ntfs/inode.c +@@ -1844,6 +1844,12 @@ int ntfs_read_inode_mount(struct inode *vi) + brelse(bh); + } + ++ if (le32_to_cpu(m->bytes_allocated) != vol->mft_record_size) { ++ ntfs_error(sb, "Incorrect mft record size %u in superblock, should be %u.", ++ le32_to_cpu(m->bytes_allocated), vol->mft_record_size); ++ goto err_out; ++ } ++ + /* Apply the mst fixups. */ + if (post_read_mst_fixup((NTFS_RECORD*)m, vol->mft_record_size)) { + /* FIXME: Try to use the $MFTMirr now. */ +-- +2.25.1 + diff --git a/queue-4.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch b/queue-4.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch new file mode 100644 index 00000000000..79a084a1bfa --- /dev/null +++ b/queue-4.4/perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch @@ -0,0 +1,152 @@ +From 69020590b76c163b96bcda7a77b740c2120a6034 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 11:49:23 +0300 +Subject: perf intel-pt: Fix "context_switch event has no tid" error + +From: Adrian Hunter + +[ Upstream commit 7d537a8d2e76bc4fc71e34545ceaa463ac2cd928 ] + +A context_switch event can have no tid because pids can be detached from +a task while the task is still running (in do_exit()). Note this won't +happen with per-task contexts because then tracing stops at +perf_event_exit_task() + +If a task with no tid gets preempted, or a dying task gets preempted and +its parent releases it, when it subsequently gets switched back in, +Intel PT will not be able to determine what task is running and prints +an error "context_switch event has no tid". However, it is not really an +error because the task is in kernel space and the decoder can continue +to decode successfully. Fix by changing the error to be only a logged +message, and make allowance for tid == -1. + +Example: + + Using 5.9-rc4 with Preemptible Kernel (Low-Latency Desktop) e.g. + $ uname -r + 5.9.0-rc4 + $ grep PREEMPT .config + # CONFIG_PREEMPT_NONE is not set + # CONFIG_PREEMPT_VOLUNTARY is not set + CONFIG_PREEMPT=y + CONFIG_PREEMPT_COUNT=y + CONFIG_PREEMPTION=y + CONFIG_PREEMPT_RCU=y + CONFIG_PREEMPT_NOTIFIERS=y + CONFIG_DRM_I915_PREEMPT_TIMEOUT=640 + CONFIG_DEBUG_PREEMPT=y + # CONFIG_PREEMPT_TRACER is not set + # CONFIG_PREEMPTIRQ_DELAY_TEST is not set + +Before: + + $ cat forkit.c + + #include + #include + #include + + int main() + { + pid_t child; + int status = 0; + + child = fork(); + if (child == 0) + return 123; + wait(&status); + return 0; + } + + $ gcc -o forkit forkit.c + $ sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k & + [1] 11016 + $ taskset 2 ./forkit + $ sudo pkill perf + $ [ perf record: Woken up 1 times to write data ] + [ perf record: Captured and wrote 17.262 MB perf.data ] + + [1]+ Terminated sudo ~/bin/perf record --kcore -a -m,64M -e intel_pt/cyc/k + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + context_switch event has no tid + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + +After: + + $ sudo ~/bin/perf script --show-task-events --show-switch-events --itrace=iqqe-o -C 1 --ns | grep -C 2 forkit + taskset 11019 [001] 66663.270045029: 1 instructions:k: ffffffffb1d9f844 strnlen_user+0xb4 ([kernel.kallsyms]) + taskset 11019 [001] 66663.270201816: 1 instructions:k: ffffffffb1a83121 unmap_page_range+0x561 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270327553: PERF_RECORD_COMM exec: forkit:11019/11019 + forkit 11019 [001] 66663.270420028: 1 instructions:k: ffffffffb1db9537 __clear_user+0x27 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270648704: 1 instructions:k: ffffffffb18829e6 do_user_addr_fault+0xf6 ([kernel.kallsyms]) + forkit 11019 [001] 66663.270833163: 1 instructions:k: ffffffffb230a825 irqentry_exit_to_user_mode+0x15 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271092359: 1 instructions:k: ffffffffb1aea3d9 lock_page_memcg+0x9 ([kernel.kallsyms]) + forkit 11019 [001] 66663.271207092: PERF_RECORD_FORK(11020:11020):(11019:11019) + forkit 11019 [001] 66663.271234775: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: 11020/11020 + forkit 11020 [001] 66663.271238407: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + forkit 11020 [001] 66663.271312066: 1 instructions:k: ffffffffb1a88140 handle_mm_fault+0x10 ([kernel.kallsyms]) + forkit 11020 [001] 66663.271476225: PERF_RECORD_EXIT(11020:11020):(11019:11019) + forkit 11020 [001] 66663.271497488: PERF_RECORD_SWITCH_CPU_WIDE OUT preempt next pid/tid: 11019/11019 + forkit 11019 [001] 66663.271500523: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11020/11020 + forkit 11019 [001] 66663.271517241: 1 instructions:k: ffffffffb24012cd error_entry+0x6d ([kernel.kallsyms]) + forkit 11019 [001] 66663.271664080: PERF_RECORD_EXIT(11019:11019):(1386:1386) + forkit 11019 [001] 66663.271688752: PERF_RECORD_SWITCH_CPU_WIDE OUT next pid/tid: -1/-1 + :-1 -1 [001] 66663.271692086: PERF_RECORD_SWITCH_CPU_WIDE IN prev pid/tid: 11019/11019 + :-1 -1 [001] 66663.271707466: 1 instructions:k: ffffffffb18eb096 update_load_avg+0x306 ([kernel.kallsyms]) + +Fixes: 86c2786994bd7c ("perf intel-pt: Add support for PERF_RECORD_SWITCH") +Signed-off-by: Adrian Hunter +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Yu-cheng Yu +Link: http://lore.kernel.org/lkml/20200909084923.9096-3-adrian.hunter@intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Sasha Levin +--- + tools/perf/util/intel-pt.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/tools/perf/util/intel-pt.c b/tools/perf/util/intel-pt.c +index c8f2d084a8ce3..be5a7c1b36ff3 100644 +--- a/tools/perf/util/intel-pt.c ++++ b/tools/perf/util/intel-pt.c +@@ -794,6 +794,8 @@ static void intel_pt_set_pid_tid_cpu(struct intel_pt *pt, + + if (queue->tid == -1 || pt->have_sched_switch) { + ptq->tid = machine__get_current_tid(pt->machine, ptq->cpu); ++ if (ptq->tid == -1) ++ ptq->pid = -1; + thread__zput(ptq->thread); + } + +@@ -1634,10 +1636,8 @@ static int intel_pt_context_switch(struct intel_pt *pt, union perf_event *event, + tid = sample->tid; + } + +- if (tid == -1) { +- pr_err("context_switch event has no tid\n"); +- return -EINVAL; +- } ++ if (tid == -1) ++ intel_pt_log("context_switch event has no tid\n"); + + intel_pt_log("context_switch: cpu %d pid %d tid %d time %"PRIu64" tsc %#"PRIx64"\n", + cpu, pid, tid, sample->time, perf_time_to_tsc(sample->time, +-- +2.25.1 + diff --git a/queue-4.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch b/queue-4.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch new file mode 100644 index 00000000000..2c0cc55c458 --- /dev/null +++ b/queue-4.4/pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch @@ -0,0 +1,49 @@ +From 6997c5a070d184a0c7f36d380c06a9dacb43fabb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 18:14:47 +0200 +Subject: PM: hibernate: remove the bogus call to get_gendisk() in + software_resume() + +From: Christoph Hellwig + +[ Upstream commit 428805c0c5e76ef643b1fbc893edfb636b3d8aef ] + +get_gendisk grabs a reference on the disk and file operation, so this +code will leak both of them while having absolutely no use for the +gendisk itself. + +This effectively reverts commit 2df83fa4bce421f ("PM / Hibernate: Use +get_gendisk to verify partition if resume_file is integer format") + +Signed-off-by: Christoph Hellwig +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/hibernate.c | 11 ----------- + 1 file changed, 11 deletions(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index 3124cebaec31e..7d73b30c55ccd 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -779,17 +779,6 @@ static int software_resume(void) + + /* Check if the device is there */ + swsusp_resume_device = name_to_dev_t(resume_file); +- +- /* +- * name_to_dev_t is ineffective to verify parition if resume_file is in +- * integer format. (e.g. major:minor) +- */ +- if (isdigit(resume_file[0]) && resume_wait) { +- int partno; +- while (!get_gendisk(swsusp_resume_device, &partno)) +- msleep(10); +- } +- + if (!swsusp_resume_device) { + /* + * Some device discovery might still be in progress; we need +-- +2.25.1 + diff --git a/queue-4.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch b/queue-4.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch new file mode 100644 index 00000000000..b9940b26db8 --- /dev/null +++ b/queue-4.4/powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch @@ -0,0 +1,37 @@ +From 2cc11049c52a8c23f1ed480231af3de6df01083a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jul 2018 10:03:27 +0200 +Subject: powerpc/icp-hv: Fix missing of_node_put() in success path + +From: Nicholas Mc Guire + +[ Upstream commit d3e669f31ec35856f5e85df9224ede5bdbf1bc7b ] + +Both of_find_compatible_node() and of_find_node_by_type() will return +a refcounted node on success - thus for the success path the node must +be explicitly released with a of_node_put(). + +Fixes: 0b05ac6e2480 ("powerpc/xics: Rewrite XICS driver") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530691407-3991-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/sysdev/xics/icp-hv.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/sysdev/xics/icp-hv.c b/arch/powerpc/sysdev/xics/icp-hv.c +index c1917cf67c3de..3205e64c452bd 100644 +--- a/arch/powerpc/sysdev/xics/icp-hv.c ++++ b/arch/powerpc/sysdev/xics/icp-hv.c +@@ -179,6 +179,7 @@ int icp_hv_init(void) + + icp_ops = &icp_hv_ops; + ++ of_node_put(np); + return 0; + } + +-- +2.25.1 + diff --git a/queue-4.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch b/queue-4.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch new file mode 100644 index 00000000000..84641cebb3a --- /dev/null +++ b/queue-4.4/powerpc-perf-hv-gpci-fix-starting-index-value.patch @@ -0,0 +1,76 @@ +From a075cd128f70dad5d58890950572f9ee6e1d244f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Oct 2020 13:19:39 +0530 +Subject: powerpc/perf/hv-gpci: Fix starting index value + +From: Kajol Jain + +[ Upstream commit 0f9866f7e85765bbda86666df56c92f377c3bc10 ] + +Commit 9e9f60108423f ("powerpc/perf/{hv-gpci, hv-common}: generate +requests with counters annotated") adds a framework for defining +gpci counters. +In this patch, they adds starting_index value as '0xffffffffffffffff'. +which is wrong as starting_index is of size 32 bits. + +Because of this, incase we try to run hv-gpci event we get error. + +In power9 machine: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + -C 0 -I 1000 +event syntax error: '..bie_count_and_time_tlbie_instructions_issued/' + \___ value too big for format, maximum is 4294967295 + +This patch fix this issue and changes starting_index value to '0xffffffff' + +After this patch: + +command#: perf stat -e hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ -C 0 -I 1000 + 1.000085786 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.000287818 1,024 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + 2.439113909 17,408 hv_gpci/system_tlbie_count_and_time_tlbie_instructions_issued/ + +Fixes: 9e9f60108423 ("powerpc/perf/{hv-gpci, hv-common}: generate requests with counters annotated") +Signed-off-by: Kajol Jain +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201003074943.338618-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index acd17648cd188..5ea24d16a74a1 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -94,7 +94,7 @@ REQUEST(__field(0, 8, partition_id) + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__field(0, 1, perf_collect_privileged) + __field(0x1, 1, capability_mask) +@@ -222,7 +222,7 @@ REQUEST(__field(0, 2, partition_id) + + #define REQUEST_NAME system_hypervisor_times + #define REQUEST_NUM 0xF0 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + __count(0x8, 8, time_spent_processing_virtual_processor_timers) +@@ -233,7 +233,7 @@ REQUEST(__count(0, 8, time_spent_to_dispatch_virtual_processors) + + #define REQUEST_NAME system_tlbie_count_and_time + #define REQUEST_NUM 0xF4 +-#define REQUEST_IDX_KIND "starting_index=0xffffffffffffffff" ++#define REQUEST_IDX_KIND "starting_index=0xffffffff" + #include I(REQUEST_BEGIN) + REQUEST(__count(0, 8, tlbie_instructions_issued) + /* +-- +2.25.1 + diff --git a/queue-4.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch b/queue-4.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch new file mode 100644 index 00000000000..43c59b0a5b2 --- /dev/null +++ b/queue-4.4/powerpc-powernv-dump-fix-race-while-processing-opal-.patch @@ -0,0 +1,117 @@ +From faa63b3cf39346b7a1e96d128133aadd8b59cc4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Oct 2020 22:12:10 +0530 +Subject: powerpc/powernv/dump: Fix race while processing OPAL dump + +From: Vasant Hegde + +[ Upstream commit 0a43ae3e2beb77e3481d812834d33abe270768ab ] + +Every dump reported by OPAL is exported to userspace through a sysfs +interface and notified using kobject_uevent(). The userspace daemon +(opal_errd) then reads the dump and acknowledges that the dump is +saved safely to disk. Once acknowledged the kernel removes the +respective sysfs file entry causing respective resources to be +released including kobject. + +However it's possible the userspace daemon may already be scanning +dump entries when a new sysfs dump entry is created by the kernel. +User daemon may read this new entry and ack it even before kernel can +notify userspace about it through kobject_uevent() call. If that +happens then we have a potential race between +dump_ack_store->kobject_put() and kobject_uevent which can lead to +use-after-free of a kernfs object resulting in a kernel crash. + +This patch fixes this race by protecting the sysfs file +creation/notification by holding a reference count on kobject until we +safely send kobject_uevent(). + +The function create_dump_obj() returns the dump object which if used +by caller function will end up in use-after-free problem again. +However, the return value of create_dump_obj() function isn't being +used today and there is no need as well. Hence change it to return +void to make this fix complete. + +Fixes: c7e64b9ce04a ("powerpc/powernv Platform dump interface") +Signed-off-by: Vasant Hegde +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20201017164210.264619-1-hegdevasant@linux.vnet.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-dump.c | 41 +++++++++++++++------- + 1 file changed, 29 insertions(+), 12 deletions(-) + +diff --git a/arch/powerpc/platforms/powernv/opal-dump.c b/arch/powerpc/platforms/powernv/opal-dump.c +index 4c827826c05eb..e21e2c0af69d2 100644 +--- a/arch/powerpc/platforms/powernv/opal-dump.c ++++ b/arch/powerpc/platforms/powernv/opal-dump.c +@@ -319,15 +319,14 @@ static ssize_t dump_attr_read(struct file *filep, struct kobject *kobj, + return count; + } + +-static struct dump_obj *create_dump_obj(uint32_t id, size_t size, +- uint32_t type) ++static void create_dump_obj(uint32_t id, size_t size, uint32_t type) + { + struct dump_obj *dump; + int rc; + + dump = kzalloc(sizeof(*dump), GFP_KERNEL); + if (!dump) +- return NULL; ++ return; + + dump->kobj.kset = dump_kset; + +@@ -347,21 +346,39 @@ static struct dump_obj *create_dump_obj(uint32_t id, size_t size, + rc = kobject_add(&dump->kobj, NULL, "0x%x-0x%x", type, id); + if (rc) { + kobject_put(&dump->kobj); +- return NULL; ++ return; + } + ++ /* ++ * As soon as the sysfs file for this dump is created/activated there is ++ * a chance the opal_errd daemon (or any userspace) might read and ++ * acknowledge the dump before kobject_uevent() is called. If that ++ * happens then there is a potential race between ++ * dump_ack_store->kobject_put() and kobject_uevent() which leads to a ++ * use-after-free of a kernfs object resulting in a kernel crash. ++ * ++ * To avoid that, we need to take a reference on behalf of the bin file, ++ * so that our reference remains valid while we call kobject_uevent(). ++ * We then drop our reference before exiting the function, leaving the ++ * bin file to drop the last reference (if it hasn't already). ++ */ ++ ++ /* Take a reference for the bin file */ ++ kobject_get(&dump->kobj); + rc = sysfs_create_bin_file(&dump->kobj, &dump->dump_attr); +- if (rc) { ++ if (rc == 0) { ++ kobject_uevent(&dump->kobj, KOBJ_ADD); ++ ++ pr_info("%s: New platform dump. ID = 0x%x Size %u\n", ++ __func__, dump->id, dump->size); ++ } else { ++ /* Drop reference count taken for bin file */ + kobject_put(&dump->kobj); +- return NULL; + } + +- pr_info("%s: New platform dump. ID = 0x%x Size %u\n", +- __func__, dump->id, dump->size); +- +- kobject_uevent(&dump->kobj, KOBJ_ADD); +- +- return dump; ++ /* Drop our reference */ ++ kobject_put(&dump->kobj); ++ return; + } + + static irqreturn_t process_dump(int irq, void *data) +-- +2.25.1 + diff --git a/queue-4.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch b/queue-4.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch new file mode 100644 index 00000000000..8a67ed0facf --- /dev/null +++ b/queue-4.4/powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch @@ -0,0 +1,37 @@ +From c558ede7f884e695d030d25dd8c5bf1f983ba532 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jul 2018 11:08:16 +0200 +Subject: powerpc/pseries: Fix missing of_node_put() in rng_init() + +From: Nicholas Mc Guire + +[ Upstream commit 67c3e59443f5fc77be39e2ce0db75fbfa78c7965 ] + +The call to of_find_compatible_node() returns a node pointer with +refcount incremented thus it must be explicitly decremented here +before returning. + +Fixes: a489043f4626 ("powerpc/pseries: Implement arch_get_random_long() based on H_RANDOM") +Signed-off-by: Nicholas Mc Guire +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1530522496-14816-1-git-send-email-hofrat@osadl.org +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/rng.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/pseries/rng.c b/arch/powerpc/platforms/pseries/rng.c +index 31ca557af60bc..262b8c5e1b9d0 100644 +--- a/arch/powerpc/platforms/pseries/rng.c ++++ b/arch/powerpc/platforms/pseries/rng.c +@@ -40,6 +40,7 @@ static __init int rng_init(void) + + ppc_md.get_random_seed = pseries_get_random_long; + ++ of_node_put(dn); + return 0; + } + machine_subsys_initcall(pseries, rng_init); +-- +2.25.1 + diff --git a/queue-4.4/powerpc-tau-disable-tau-between-measurements.patch b/queue-4.4/powerpc-tau-disable-tau-between-measurements.patch new file mode 100644 index 00000000000..120de02d222 --- /dev/null +++ b/queue-4.4/powerpc-tau-disable-tau-between-measurements.patch @@ -0,0 +1,200 @@ +From 084886229a85c532f0b80251e0e5d5e9195a0a73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Disable TAU between measurements + +From: Finn Thain + +[ Upstream commit e63d6fb5637e92725cf143559672a34b706bca4f ] + +Enabling CONFIG_TAU_INT causes random crashes: + +Unrecoverable exception 1700 at c0009414 (msr=1000) +Oops: Unrecoverable exception, sig: 6 [#1] +BE PAGE_SIZE=4K MMU=Hash SMP NR_CPUS=2 PowerMac +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.7.0-pmac-00043-gd5f545e1a8593 #5 +NIP: c0009414 LR: c0009414 CTR: c00116fc +REGS: c0799eb8 TRAP: 1700 Not tainted (5.7.0-pmac-00043-gd5f545e1a8593) +MSR: 00001000 CR: 22000228 XER: 00000100 + +GPR00: 00000000 c0799f70 c076e300 00800000 0291c0ac 00e00000 c076e300 00049032 +GPR08: 00000001 c00116fc 00000000 dfbd3200 ffffffff 007f80a8 00000000 00000000 +GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 c075ce04 +GPR24: c075ce04 dfff8880 c07b0000 c075ce04 00080000 00000001 c079ef98 c079ef5c +NIP [c0009414] arch_cpu_idle+0x24/0x6c +LR [c0009414] arch_cpu_idle+0x24/0x6c +Call Trace: +[c0799f70] [00000001] 0x1 (unreliable) +[c0799f80] [c0060990] do_idle+0xd8/0x17c +[c0799fa0] [c0060ba4] cpu_startup_entry+0x20/0x28 +[c0799fb0] [c072d220] start_kernel+0x434/0x44c +[c0799ff0] [00003860] 0x3860 +Instruction dump: +XXXXXXXX XXXXXXXX XXXXXXXX 3d20c07b XXXXXXXX XXXXXXXX XXXXXXXX 7c0802a6 +XXXXXXXX XXXXXXXX XXXXXXXX 4e800421 XXXXXXXX XXXXXXXX XXXXXXXX 7d2000a6 +---[ end trace 3a0c9b5cb216db6b ]--- + +Resolve this problem by disabling each THRMn comparator when handling +the associated THRMn interrupt and by disabling the TAU entirely when +updating THRMn thresholds. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/5a0ba3dc5612c7aac596727331284a3676c08472.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 65 +++++++++++++--------------------- + arch/powerpc/platforms/Kconfig | 9 ++--- + 2 files changed, 26 insertions(+), 48 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index f6a92bf5ebfc6..70c9d134a9d44 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -37,8 +37,6 @@ static struct tau_temp + + struct timer_list tau_timer; + +-#undef DEBUG +- + /* TODO: put these in a /proc interface, with some sanity checks, and maybe + * dynamic adjustment to minimize # of interrupts */ + /* configurable values for step size and how much to expand the window when +@@ -71,42 +69,33 @@ void set_thresholds(unsigned long cpu) + + void TAUupdate(int cpu) + { +- unsigned thrm; +- +-#ifdef DEBUG +- printk("TAUupdate "); +-#endif ++ u32 thrm; ++ u32 bits = THRM1_TIV | THRM1_TIN | THRM1_V; + + /* if both thresholds are crossed, the step_sizes cancel out + * and the window winds up getting expanded twice. */ +- if((thrm = mfspr(SPRN_THRM1)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed low threshold */ +- if (tau[cpu].low >= step_size){ +- tau[cpu].low -= step_size; +- tau[cpu].high -= (step_size - window_expand); +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("low threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM1); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM1, 0); ++ ++ if (tau[cpu].low >= step_size) { ++ tau[cpu].low -= step_size; ++ tau[cpu].high -= (step_size - window_expand); + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: low threshold crossed\n", __func__); + } +- if((thrm = mfspr(SPRN_THRM2)) & THRM1_TIV){ /* is valid? */ +- if(thrm & THRM1_TIN){ /* crossed high threshold */ +- if (tau[cpu].high <= 127-step_size){ +- tau[cpu].low += (step_size - window_expand); +- tau[cpu].high += step_size; +- } +- tau[cpu].grew = 1; +-#ifdef DEBUG +- printk("high threshold crossed "); +-#endif ++ thrm = mfspr(SPRN_THRM2); ++ if ((thrm & bits) == bits) { ++ mtspr(SPRN_THRM2, 0); ++ ++ if (tau[cpu].high <= 127 - step_size) { ++ tau[cpu].low += (step_size - window_expand); ++ tau[cpu].high += step_size; + } ++ tau[cpu].grew = 1; ++ pr_debug("%s: high threshold crossed\n", __func__); + } +- +-#ifdef DEBUG +- printk("grew = %d\n", tau[cpu].grew); +-#endif + } + + #ifdef CONFIG_TAU_INT +@@ -131,18 +120,18 @@ void TAUException(struct pt_regs * regs) + static void tau_timeout(void * info) + { + int cpu; +- unsigned long flags; + int size; + int shrink; + +- /* disabling interrupts *should* be okay */ +- local_irq_save(flags); + cpu = smp_processor_id(); + + #ifndef CONFIG_TAU_INT + TAUupdate(cpu); + #endif + ++ /* Stop thermal sensor comparisons and interrupts */ ++ mtspr(SPRN_THRM3, 0); ++ + size = tau[cpu].high - tau[cpu].low; + if (size > min_window && ! tau[cpu].grew) { + /* do an exponential shrink of half the amount currently over size */ +@@ -164,18 +153,12 @@ static void tau_timeout(void * info) + + set_thresholds(cpu); + +- /* +- * Do the enable every time, since otherwise a bunch of (relatively) +- * complex sleep code needs to be added. One mtspr every time +- * tau_timeout is called is probably not a big deal. +- * ++ /* Restart thermal sensor comparisons and interrupts. + * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" + * recommends that "the maximum value be set in THRM3 under all + * conditions." + */ + mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); +- +- local_irq_restore(flags); + } + + static void tau_timeout_smp(unsigned long unused) +diff --git a/arch/powerpc/platforms/Kconfig b/arch/powerpc/platforms/Kconfig +index b7f9c408bf24f..0a0281a21ea50 100644 +--- a/arch/powerpc/platforms/Kconfig ++++ b/arch/powerpc/platforms/Kconfig +@@ -242,7 +242,7 @@ config TAU + temp is actually what /proc/cpuinfo says it is. + + config TAU_INT +- bool "Interrupt driven TAU driver (DANGEROUS)" ++ bool "Interrupt driven TAU driver (EXPERIMENTAL)" + depends on TAU + ---help--- + The TAU supports an interrupt driven mode which causes an interrupt +@@ -250,12 +250,7 @@ config TAU_INT + to get notified the temp has exceeded a range. With this option off, + a timer is used to re-check the temperature periodically. + +- However, on some cpus it appears that the TAU interrupt hardware +- is buggy and can cause a situation which would lead unexplained hard +- lockups. +- +- Unless you are extending the TAU driver, or enjoy kernel/hardware +- debugging, leave this option off. ++ If in doubt, say N here. + + config TAU_AVERAGE + bool "Average high and low temp" +-- +2.25.1 + diff --git a/queue-4.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch b/queue-4.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch new file mode 100644 index 00000000000..0a5759c3f62 --- /dev/null +++ b/queue-4.4/powerpc-tau-remove-duplicated-set_thresholds-call.patch @@ -0,0 +1,44 @@ +From f19c40c22a8f5c918a0a00d0a5470fb9385e4307 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Remove duplicated set_thresholds() call + +From: Finn Thain + +[ Upstream commit 420ab2bc7544d978a5d0762ee736412fe9c796ab ] + +The commentary at the call site seems to disagree with the code. The +conditional prevents calling set_thresholds() via the exception handler, +which appears to crash. Perhaps that's because it immediately triggers +another TAU exception. Anyway, calling set_thresholds() from TAUupdate() +is redundant because tau_timeout() does so. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/d7c7ee33232cf72a6a6bbb6ef05838b2e2b113c0.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/tau_6xx.c | 5 ----- + 1 file changed, 5 deletions(-) + +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index 1880481322880..f6a92bf5ebfc6 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -107,11 +107,6 @@ void TAUupdate(int cpu) + #ifdef DEBUG + printk("grew = %d\n", tau[cpu].grew); + #endif +- +-#ifndef CONFIG_TAU_INT /* tau_timeout will do this if not using interrupts */ +- set_thresholds(cpu); +-#endif +- + } + + #ifdef CONFIG_TAU_INT +-- +2.25.1 + diff --git a/queue-4.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch b/queue-4.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch new file mode 100644 index 00000000000..77f6380d3c3 --- /dev/null +++ b/queue-4.4/powerpc-tau-use-appropriate-temperature-sample-inter.patch @@ -0,0 +1,68 @@ +From 9ffe49f28d8aefcf52a58b7bd83b61f9b7e47472 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Sep 2020 09:02:20 +1000 +Subject: powerpc/tau: Use appropriate temperature sample interval + +From: Finn Thain + +[ Upstream commit 66943005cc41f48e4d05614e8f76c0ca1812f0fd ] + +According to the MPC750 Users Manual, the SITV value in Thermal +Management Register 3 is 13 bits long. The present code calculates the +SITV value as 60 * 500 cycles. This would overflow to give 10 us on +a 500 MHz CPU rather than the intended 60 us. (But according to the +Microprocessor Datasheet, there is also a factor of 266 that has to be +applied to this value on certain parts i.e. speed sort above 266 MHz.) +Always use the maximum cycle count, as recommended by the Datasheet. + +Fixes: 1da177e4c3f41 ("Linux-2.6.12-rc2") +Signed-off-by: Finn Thain +Tested-by: Stan Johnson +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/896f542e5f0f1d6cf8218524c2b67d79f3d69b3c.1599260540.git.fthain@telegraphics.com.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/include/asm/reg.h | 2 +- + arch/powerpc/kernel/tau_6xx.c | 12 ++++-------- + 2 files changed, 5 insertions(+), 9 deletions(-) + +diff --git a/arch/powerpc/include/asm/reg.h b/arch/powerpc/include/asm/reg.h +index ca372bbc0ffee..dd262f09a99ed 100644 +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -647,7 +647,7 @@ + #define THRM1_TIN (1 << 31) + #define THRM1_TIV (1 << 30) + #define THRM1_THRES(x) ((x&0x7f)<<23) +-#define THRM3_SITV(x) ((x&0x3fff)<<1) ++#define THRM3_SITV(x) ((x & 0x1fff) << 1) + #define THRM1_TID (1<<2) + #define THRM1_TIE (1<<1) + #define THRM1_V (1<<0) +diff --git a/arch/powerpc/kernel/tau_6xx.c b/arch/powerpc/kernel/tau_6xx.c +index a753b72efbc0c..1880481322880 100644 +--- a/arch/powerpc/kernel/tau_6xx.c ++++ b/arch/powerpc/kernel/tau_6xx.c +@@ -174,15 +174,11 @@ static void tau_timeout(void * info) + * complex sleep code needs to be added. One mtspr every time + * tau_timeout is called is probably not a big deal. + * +- * Enable thermal sensor and set up sample interval timer +- * need 20 us to do the compare.. until a nice 'cpu_speed' function +- * call is implemented, just assume a 500 mhz clock. It doesn't really +- * matter if we take too long for a compare since it's all interrupt +- * driven anyway. +- * +- * use a extra long time.. (60 us @ 500 mhz) ++ * The "PowerPC 740 and PowerPC 750 Microprocessor Datasheet" ++ * recommends that "the maximum value be set in THRM3 under all ++ * conditions." + */ +- mtspr(SPRN_THRM3, THRM3_SITV(500*60) | THRM3_E); ++ mtspr(SPRN_THRM3, THRM3_SITV(0x1fff) | THRM3_E); + + local_irq_restore(flags); + } +-- +2.25.1 + diff --git a/queue-4.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch b/queue-4.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch new file mode 100644 index 00000000000..7ec937a3258 --- /dev/null +++ b/queue-4.4/pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch @@ -0,0 +1,140 @@ +From da15134dd44e091ccdb845b9033cea4c7fd29c0a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Sep 2020 14:00:45 +0200 +Subject: pty: do tty_flip_buffer_push without port->lock in pty_write + +From: Artem Savkov + +[ Upstream commit 71a174b39f10b4b93223d374722aa894b5d8a82e ] + +b6da31b2c07c "tty: Fix data race in tty_insert_flip_string_fixed_flag" +puts tty_flip_buffer_push under port->lock introducing the following +possible circular locking dependency: + +[30129.876566] ====================================================== +[30129.876566] WARNING: possible circular locking dependency detected +[30129.876567] 5.9.0-rc2+ #3 Tainted: G S W +[30129.876568] ------------------------------------------------------ +[30129.876568] sysrq.sh/1222 is trying to acquire lock: +[30129.876569] ffffffff92c39480 (console_owner){....}-{0:0}, at: console_unlock+0x3fe/0xa90 + +[30129.876572] but task is already holding lock: +[30129.876572] ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca + +[30129.876576] which lock already depends on the new lock. + +[30129.876577] the existing dependency chain (in reverse order) is: + +[30129.876578] -> #3 (&pool->lock/1){-.-.}-{2:2}: +[30129.876581] _raw_spin_lock+0x30/0x70 +[30129.876581] __queue_work+0x1a3/0x10f0 +[30129.876582] queue_work_on+0x78/0x80 +[30129.876582] pty_write+0x165/0x1e0 +[30129.876583] n_tty_write+0x47f/0xf00 +[30129.876583] tty_write+0x3d6/0x8d0 +[30129.876584] vfs_write+0x1a8/0x650 + +[30129.876588] -> #2 (&port->lock#2){-.-.}-{2:2}: +[30129.876590] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876591] tty_port_tty_get+0x1d/0xb0 +[30129.876592] tty_port_default_wakeup+0xb/0x30 +[30129.876592] serial8250_tx_chars+0x3d6/0x970 +[30129.876593] serial8250_handle_irq.part.12+0x216/0x380 +[30129.876593] serial8250_default_handle_irq+0x82/0xe0 +[30129.876594] serial8250_interrupt+0xdd/0x1b0 +[30129.876595] __handle_irq_event_percpu+0xfc/0x850 + +[30129.876602] -> #1 (&port->lock){-.-.}-{2:2}: +[30129.876605] _raw_spin_lock_irqsave+0x3b/0x80 +[30129.876605] serial8250_console_write+0x12d/0x900 +[30129.876606] console_unlock+0x679/0xa90 +[30129.876606] register_console+0x371/0x6e0 +[30129.876607] univ8250_console_init+0x24/0x27 +[30129.876607] console_init+0x2f9/0x45e + +[30129.876609] -> #0 (console_owner){....}-{0:0}: +[30129.876611] __lock_acquire+0x2f70/0x4e90 +[30129.876612] lock_acquire+0x1ac/0xad0 +[30129.876612] console_unlock+0x460/0xa90 +[30129.876613] vprintk_emit+0x130/0x420 +[30129.876613] printk+0x9f/0xc5 +[30129.876614] show_pwq+0x154/0x618 +[30129.876615] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876615] __handle_sysrq+0x244/0x460 +[30129.876616] write_sysrq_trigger+0x48/0x4a +[30129.876616] proc_reg_write+0x1a6/0x240 +[30129.876617] vfs_write+0x1a8/0x650 + +[30129.876619] other info that might help us debug this: + +[30129.876620] Chain exists of: +[30129.876621] console_owner --> &port->lock#2 --> &pool->lock/1 + +[30129.876625] Possible unsafe locking scenario: + +[30129.876626] CPU0 CPU1 +[30129.876626] ---- ---- +[30129.876627] lock(&pool->lock/1); +[30129.876628] lock(&port->lock#2); +[30129.876630] lock(&pool->lock/1); +[30129.876631] lock(console_owner); + +[30129.876633] *** DEADLOCK *** + +[30129.876634] 5 locks held by sysrq.sh/1222: +[30129.876634] #0: ffff8881d3ce0470 (sb_writers#3){.+.+}-{0:0}, at: vfs_write+0x359/0x650 +[30129.876637] #1: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: __handle_sysrq+0x4d/0x460 +[30129.876640] #2: ffffffff92c612c0 (rcu_read_lock){....}-{1:2}, at: show_workqueue_state+0x5/0xf0 +[30129.876642] #3: ffff888107cb9018 (&pool->lock/1){-.-.}-{2:2}, at: show_workqueue_state.cold.55+0x15b/0x6ca +[30129.876645] #4: ffffffff92c39980 (console_lock){+.+.}-{0:0}, at: vprintk_emit+0x123/0x420 + +[30129.876648] stack backtrace: +[30129.876649] CPU: 3 PID: 1222 Comm: sysrq.sh Tainted: G S W 5.9.0-rc2+ #3 +[30129.876649] Hardware name: Intel Corporation 2012 Client Platform/Emerald Lake 2, BIOS ACRVMBY1.86C.0078.P00.1201161002 01/16/2012 +[30129.876650] Call Trace: +[30129.876650] dump_stack+0x9d/0xe0 +[30129.876651] check_noncircular+0x34f/0x410 +[30129.876653] __lock_acquire+0x2f70/0x4e90 +[30129.876656] lock_acquire+0x1ac/0xad0 +[30129.876658] console_unlock+0x460/0xa90 +[30129.876660] vprintk_emit+0x130/0x420 +[30129.876660] printk+0x9f/0xc5 +[30129.876661] show_pwq+0x154/0x618 +[30129.876662] show_workqueue_state.cold.55+0x193/0x6ca +[30129.876664] __handle_sysrq+0x244/0x460 +[30129.876665] write_sysrq_trigger+0x48/0x4a +[30129.876665] proc_reg_write+0x1a6/0x240 +[30129.876666] vfs_write+0x1a8/0x650 + +It looks like the commit was aimed to protect tty_insert_flip_string and +there is no need for tty_flip_buffer_push to be under this lock. + +Fixes: b6da31b2c07c ("tty: Fix data race in tty_insert_flip_string_fixed_flag") +Signed-off-by: Artem Savkov +Acked-by: Jiri Slaby +Link: https://lore.kernel.org/r/20200902120045.3693075-1-asavkov@redhat.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/pty.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/tty/pty.c b/drivers/tty/pty.c +index c8a2e5b0eff76..8ee146b14aae8 100644 +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -115,10 +115,10 @@ static int pty_write(struct tty_struct *tty, const unsigned char *buf, int c) + spin_lock_irqsave(&to->port->lock, flags); + /* Stuff the data into the input queue of the other end */ + c = tty_insert_flip_string(to->port, buf, c); ++ spin_unlock_irqrestore(&to->port->lock, flags); + /* And shovel */ + if (c) + tty_flip_buffer_push(to->port); +- spin_unlock_irqrestore(&to->port->lock, flags); + } + return c; + } +-- +2.25.1 + diff --git a/queue-4.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch b/queue-4.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch new file mode 100644 index 00000000000..26a3c0769cf --- /dev/null +++ b/queue-4.4/quota-clear-padding-in-v2r1_mem2diskdqb.patch @@ -0,0 +1,114 @@ +From be009efe790d878b00b05870bc2bcd198e2bbc70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Sep 2020 11:36:19 -0700 +Subject: quota: clear padding in v2r1_mem2diskdqb() + +From: Eric Dumazet + +[ Upstream commit 3d3dc274ce736227e3197868ff749cff2f175f63 ] + +Freshly allocated memory contains garbage, better make sure +to init all struct v2r1_disk_dqblk fields to avoid KMSAN report: + +BUG: KMSAN: uninit-value in qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 +CPU: 0 PID: 23373 Comm: syz-executor.1 Not tainted 5.9.0-rc4-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x21c/0x280 lib/dump_stack.c:118 + kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:122 + __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:219 + qtree_entry_unused+0x137/0x1b0 fs/quota/quota_tree.c:218 + v2r1_mem2diskdqb+0x43d/0x710 fs/quota/quota_v2.c:285 + qtree_write_dquot+0x226/0x870 fs/quota/quota_tree.c:394 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c +RIP: 0023:0xf7ff4549 +Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 eb 0d 90 90 90 90 90 90 90 90 90 90 90 90 +RSP: 002b:00000000f55cd0cc EFLAGS: 00000296 ORIG_RAX: 0000000000000127 +RAX: ffffffffffffffda RBX: 00000000ffffff9c RCX: 0000000020000000 +RDX: 0000000000410481 RSI: 0000000000000000 RDI: 0000000000000000 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 + +Uninit was created at: + kmsan_save_stack_with_flags mm/kmsan/kmsan.c:143 [inline] + kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:126 + kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:80 + slab_alloc_node mm/slub.c:2907 [inline] + slab_alloc mm/slub.c:2916 [inline] + __kmalloc+0x2bb/0x4b0 mm/slub.c:3982 + kmalloc include/linux/slab.h:559 [inline] + getdqbuf+0x56/0x150 fs/quota/quota_tree.c:52 + qtree_write_dquot+0xf2/0x870 fs/quota/quota_tree.c:378 + v2_write_dquot+0x1ad/0x280 fs/quota/quota_v2.c:333 + dquot_commit+0x4af/0x600 fs/quota/dquot.c:482 + ext4_write_dquot fs/ext4/super.c:5934 [inline] + ext4_mark_dquot_dirty+0x4d8/0x6a0 fs/ext4/super.c:5985 + mark_dquot_dirty fs/quota/dquot.c:347 [inline] + mark_all_dquot_dirty fs/quota/dquot.c:385 [inline] + dquot_alloc_inode+0xc05/0x12b0 fs/quota/dquot.c:1755 + __ext4_new_inode+0x8204/0x9d70 fs/ext4/ialloc.c:1155 + ext4_tmpfile+0x41a/0x850 fs/ext4/namei.c:2686 + vfs_tmpfile+0x2a2/0x570 fs/namei.c:3283 + do_tmpfile fs/namei.c:3316 [inline] + path_openat+0x4035/0x6a90 fs/namei.c:3359 + do_filp_open+0x2b8/0x710 fs/namei.c:3395 + do_sys_openat2+0xa88/0x1140 fs/open.c:1168 + do_sys_open fs/open.c:1184 [inline] + __do_compat_sys_openat fs/open.c:1242 [inline] + __se_compat_sys_openat+0x2a4/0x310 fs/open.c:1240 + __ia32_compat_sys_openat+0x56/0x70 fs/open.c:1240 + do_syscall_32_irqs_on arch/x86/entry/common.c:80 [inline] + __do_fast_syscall_32+0x129/0x180 arch/x86/entry/common.c:139 + do_fast_syscall_32+0x6a/0xc0 arch/x86/entry/common.c:162 + do_SYSENTER_32+0x73/0x90 arch/x86/entry/common.c:205 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Fixes: 498c60153ebb ("quota: Implement quota format with 64-bit space and inode limits") +Link: https://lore.kernel.org/r/20200924183619.4176790-1-edumazet@google.com +Signed-off-by: Eric Dumazet +Cc: Jan Kara +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/quota/quota_v2.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/quota/quota_v2.c b/fs/quota/quota_v2.c +index 2aa012a68e90e..9891b8fb0432f 100644 +--- a/fs/quota/quota_v2.c ++++ b/fs/quota/quota_v2.c +@@ -266,6 +266,7 @@ static void v2r1_mem2diskdqb(void *dp, struct dquot *dquot) + d->dqb_curspace = cpu_to_le64(m->dqb_curspace); + d->dqb_btime = cpu_to_le64(m->dqb_btime); + d->dqb_id = cpu_to_le32(from_kqid(&init_user_ns, dquot->dq_id)); ++ d->dqb_pad = 0; + if (qtree_entry_unused(info, dp)) + d->dqb_itime = cpu_to_le64(1); + } +-- +2.25.1 + diff --git a/queue-4.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch b/queue-4.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch new file mode 100644 index 00000000000..badc52fae6f --- /dev/null +++ b/queue-4.4/reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch @@ -0,0 +1,49 @@ +From 23cfa9e9bbf4d300cc0dfba77d14dea3e6efbab3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Mar 2020 14:01:44 +0100 +Subject: reiserfs: Fix memory leak in reiserfs_parse_options() + +From: Jan Kara + +[ Upstream commit e9d4709fcc26353df12070566970f080e651f0c9 ] + +When a usrjquota or grpjquota mount option is used multiple times, we +will leak memory allocated for the file name. Make sure the last setting +is used and all the previous ones are properly freed. + +Reported-by: syzbot+c9e294bbe0333a6b7640@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/super.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/reiserfs/super.c b/fs/reiserfs/super.c +index f9796fd515315..503d8c06e0d93 100644 +--- a/fs/reiserfs/super.c ++++ b/fs/reiserfs/super.c +@@ -1232,6 +1232,10 @@ static int reiserfs_parse_options(struct super_block *s, + "turned on."); + return 0; + } ++ if (qf_names[qtype] != ++ REISERFS_SB(s)->s_qf_names[qtype]) ++ kfree(qf_names[qtype]); ++ qf_names[qtype] = NULL; + if (*arg) { /* Some filename specified? */ + if (REISERFS_SB(s)->s_qf_names[qtype] + && strcmp(REISERFS_SB(s)->s_qf_names[qtype], +@@ -1261,10 +1265,6 @@ static int reiserfs_parse_options(struct super_block *s, + else + *mount_options |= 1 << REISERFS_GRPQUOTA; + } else { +- if (qf_names[qtype] != +- REISERFS_SB(s)->s_qf_names[qtype]) +- kfree(qf_names[qtype]); +- qf_names[qtype] = NULL; + if (qtype == USRQUOTA) + *mount_options &= ~(1 << REISERFS_USRQUOTA); + else +-- +2.25.1 + diff --git a/queue-4.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch b/queue-4.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch new file mode 100644 index 00000000000..71fc686218e --- /dev/null +++ b/queue-4.4/reiserfs-only-call-unlock_new_inode-if-i_new.patch @@ -0,0 +1,44 @@ +From 45d3a6ecdfb86840bb2a76232b10a835cc8cffec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Jun 2020 00:00:57 -0700 +Subject: reiserfs: only call unlock_new_inode() if I_NEW + +From: Eric Biggers + +[ Upstream commit 8859bf2b1278d064a139e3031451524a49a56bd0 ] + +unlock_new_inode() is only meant to be called after a new inode has +already been inserted into the hash table. But reiserfs_new_inode() can +call it even before it has inserted the inode, triggering the WARNING in +unlock_new_inode(). Fix this by only calling unlock_new_inode() if the +inode has the I_NEW flag set, indicating that it's in the table. + +This addresses the syzbot report "WARNING in unlock_new_inode" +(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7). + +Link: https://lore.kernel.org/r/20200628070057.820213-1-ebiggers@kernel.org +Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com +Signed-off-by: Eric Biggers +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/reiserfs/inode.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c +index cfb4691d92741..ccbb15ab029f4 100644 +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -2157,7 +2157,8 @@ int reiserfs_new_inode(struct reiserfs_transaction_handle *th, + out_inserted_sd: + clear_nlink(inode); + th->t_trans_id = 0; /* so the caller can't use this handle later */ +- unlock_new_inode(inode); /* OK to do even if we hadn't locked it */ ++ if (inode->i_state & I_NEW) ++ unlock_new_inode(inode); + iput(inode); + return err; + } +-- +2.25.1 + diff --git a/queue-4.4/rtl8xxxu-prevent-potential-memory-leak.patch b/queue-4.4/rtl8xxxu-prevent-potential-memory-leak.patch new file mode 100644 index 00000000000..48707112f06 --- /dev/null +++ b/queue-4.4/rtl8xxxu-prevent-potential-memory-leak.patch @@ -0,0 +1,65 @@ +From 95042a0bba6c2a41914b1daac1e6f873bd41999c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Sep 2020 12:04:24 +0800 +Subject: rtl8xxxu: prevent potential memory leak + +From: Chris Chiu + +[ Upstream commit 86279456a4d47782398d3cb8193f78f672e36cac ] + +Free the skb if usb_submit_urb fails on rx_urb. And free the urb +no matter usb_submit_urb succeeds or not in rtl8xxxu_submit_int_urb. + +Signed-off-by: Chris Chiu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200906040424.22022-1-chiu@endlessm.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c +index 8254d4b22c50b..b8d387edde65c 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.c +@@ -5135,7 +5135,6 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + ret = usb_submit_urb(urb, GFP_KERNEL); + if (ret) { + usb_unanchor_urb(urb); +- usb_free_urb(urb); + goto error; + } + +@@ -5144,6 +5143,7 @@ static int rtl8xxxu_submit_int_urb(struct ieee80211_hw *hw) + rtl8xxxu_write32(priv, REG_USB_HIMR, val32); + + error: ++ usb_free_urb(urb); + return ret; + } + +@@ -5424,6 +5424,7 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + struct rtl8xxxu_priv *priv = hw->priv; + struct rtl8xxxu_rx_urb *rx_urb; + struct rtl8xxxu_tx_urb *tx_urb; ++ struct sk_buff *skb; + unsigned long flags; + int ret, i; + +@@ -5472,6 +5473,13 @@ static int rtl8xxxu_start(struct ieee80211_hw *hw) + rx_urb->hw = hw; + + ret = rtl8xxxu_submit_rx_urb(priv, rx_urb); ++ if (ret) { ++ if (ret != -ENOMEM) { ++ skb = (struct sk_buff *)rx_urb->urb.context; ++ dev_kfree_skb(skb); ++ } ++ rtl8xxxu_queue_rx_urb(priv, rx_urb); ++ } + } + exit: + /* +-- +2.25.1 + diff --git a/queue-4.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch b/queue-4.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch new file mode 100644 index 00000000000..85c8e3d6acf --- /dev/null +++ b/queue-4.4/scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch @@ -0,0 +1,38 @@ +From d29d7b7dbe1d20578ff81e4ed3c16905b1ad6d6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 19:15:31 +0800 +Subject: scsi: csiostor: Fix wrong return value in csio_hw_prep_fw() + +From: Tianjia Zhang + +[ Upstream commit 44f4daf8678ae5f08c93bbe70792f90cd88e4649 ] + +On an error exit path, a negative error code should be returned instead of +a positive return value. + +Link: https://lore.kernel.org/r/20200802111531.5065-1-tianjia.zhang@linux.alibaba.com +Fixes: f40e74ffa3de ("csiostor:firmware upgrade fix") +Cc: Praveen Madhavan +Signed-off-by: Tianjia Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/csiostor/csio_hw.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/csiostor/csio_hw.c b/drivers/scsi/csiostor/csio_hw.c +index dab195f04da78..06ca0495f3e8e 100644 +--- a/drivers/scsi/csiostor/csio_hw.c ++++ b/drivers/scsi/csiostor/csio_hw.c +@@ -1973,7 +1973,7 @@ static int csio_hw_prep_fw(struct csio_hw *hw, struct fw_info *fw_info, + FW_HDR_FW_VER_MICRO_G(c), FW_HDR_FW_VER_BUILD_G(c), + FW_HDR_FW_VER_MAJOR_G(k), FW_HDR_FW_VER_MINOR_G(k), + FW_HDR_FW_VER_MICRO_G(k), FW_HDR_FW_VER_BUILD_G(k)); +- ret = EINVAL; ++ ret = -EINVAL; + goto bye; + } + +-- +2.25.1 + diff --git a/queue-4.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch b/queue-4.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch new file mode 100644 index 00000000000..3bbfd1b6cbe --- /dev/null +++ b/queue-4.4/scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch @@ -0,0 +1,36 @@ +From 525d7f990528df81b4eda5271982b7cd12989719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Sep 2020 16:39:49 +0800 +Subject: scsi: ibmvfc: Fix error return in ibmvfc_probe() + +From: Jing Xiangfeng + +[ Upstream commit 5e48a084f4e824e1b624d3fd7ddcf53d2ba69e53 ] + +Fix to return error code PTR_ERR() from the error handling case instead of +0. + +Link: https://lore.kernel.org/r/20200907083949.154251-1-jingxiangfeng@huawei.com +Acked-by: Tyrel Datwyler +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ibmvscsi/ibmvfc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/ibmvscsi/ibmvfc.c b/drivers/scsi/ibmvscsi/ibmvfc.c +index 0526a47e30a3f..db80ab8335dfb 100644 +--- a/drivers/scsi/ibmvscsi/ibmvfc.c ++++ b/drivers/scsi/ibmvscsi/ibmvfc.c +@@ -4790,6 +4790,7 @@ static int ibmvfc_probe(struct vio_dev *vdev, const struct vio_device_id *id) + if (IS_ERR(vhost->work_thread)) { + dev_err(dev, "Couldn't create kernel thread: %ld\n", + PTR_ERR(vhost->work_thread)); ++ rc = PTR_ERR(vhost->work_thread); + goto free_host_mem; + } + +-- +2.25.1 + diff --git a/queue-4.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch b/queue-4.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch new file mode 100644 index 00000000000..449262a8a77 --- /dev/null +++ b/queue-4.4/scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch @@ -0,0 +1,34 @@ +From ad977537159bb5a047d78509481c27a6ac7bbb27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Sep 2020 20:38:48 +0800 +Subject: scsi: mvumi: Fix error return in mvumi_io_attach() + +From: Jing Xiangfeng + +[ Upstream commit 055f15ab2cb4a5cbc4c0a775ef3d0066e0fa9b34 ] + +Return PTR_ERR() from the error handling case instead of 0. + +Link: https://lore.kernel.org/r/20200910123848.93649-1-jingxiangfeng@huawei.com +Signed-off-by: Jing Xiangfeng +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mvumi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/mvumi.c b/drivers/scsi/mvumi.c +index 39285070f3b51..17ec51f9d9880 100644 +--- a/drivers/scsi/mvumi.c ++++ b/drivers/scsi/mvumi.c +@@ -2476,6 +2476,7 @@ static int mvumi_io_attach(struct mvumi_hba *mhba) + if (IS_ERR(mhba->dm_thread)) { + dev_err(&mhba->pdev->dev, + "failed to create device scan thread\n"); ++ ret = PTR_ERR(mhba->dm_thread); + mutex_unlock(&mhba->sas_discovery_mutex); + goto fail_create_thread; + } +-- +2.25.1 + diff --git a/queue-4.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch b/queue-4.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch new file mode 100644 index 00000000000..efcd6a32cc1 --- /dev/null +++ b/queue-4.4/scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch @@ -0,0 +1,38 @@ +From cfe7d57cf36309dc746f3ec04721bb8d70652b0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 12:15:27 +0200 +Subject: scsi: qla4xxx: Fix an error handling path in + 'qla4xxx_get_host_stats()' + +From: Christophe JAILLET + +[ Upstream commit 574918e69720fe62ab3eb42ec3750230c8d16b06 ] + +Update the size used in 'dma_free_coherent()' in order to match the one +used in the corresponding 'dma_alloc_coherent()'. + +Link: https://lore.kernel.org/r/20200802101527.676054-1-christophe.jaillet@wanadoo.fr +Fixes: 4161cee52df8 ("[SCSI] qla4xxx: Add host statistics support") +Signed-off-by: Christophe JAILLET +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla4xxx/ql4_os.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/scsi/qla4xxx/ql4_os.c b/drivers/scsi/qla4xxx/ql4_os.c +index 3fda5836aac69..f10088a1d38c0 100644 +--- a/drivers/scsi/qla4xxx/ql4_os.c ++++ b/drivers/scsi/qla4xxx/ql4_os.c +@@ -1223,7 +1223,7 @@ static int qla4xxx_get_host_stats(struct Scsi_Host *shost, char *buf, int len) + le64_to_cpu(ql_iscsi_stats->iscsi_sequence_error); + exit_host_stats: + if (ql_iscsi_stats) +- dma_free_coherent(&ha->pdev->dev, host_stats_size, ++ dma_free_coherent(&ha->pdev->dev, stats_size, + ql_iscsi_stats, iscsi_stats_dma); + + ql4_printk(KERN_INFO, ha, "%s: Get host stats done\n", +-- +2.25.1 + diff --git a/queue-4.4/scsi-target-core-add-control-field-for-trace-events.patch b/queue-4.4/scsi-target-core-add-control-field-for-trace-events.patch new file mode 100644 index 00000000000..1a27b505d29 --- /dev/null +++ b/queue-4.4/scsi-target-core-add-control-field-for-trace-events.patch @@ -0,0 +1,113 @@ +From 2273b4ca91e3dba9a5c5a4b5ae4233a4fd7e5d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Sep 2020 15:59:57 +0300 +Subject: scsi: target: core: Add CONTROL field for trace events + +From: Roman Bolshakov + +[ Upstream commit 7010645ba7256992818b518163f46bd4cdf8002a ] + +trace-cmd report doesn't show events from target subsystem because +scsi_command_size() leaks through event format string: + + [target:target_sequencer_start] function scsi_command_size not defined + [target:target_cmd_complete] function scsi_command_size not defined + +Addition of scsi_command_size() to plugin_scsi.c in trace-cmd doesn't +help because an expression is used inside TP_printk(). trace-cmd event +parser doesn't understand minus sign inside [ ]: + + Error: expected ']' but read '-' + +Rather than duplicating kernel code in plugin_scsi.c, provide a dedicated +field for CONTROL byte. + +Link: https://lore.kernel.org/r/20200929125957.83069-1-r.bolshakov@yadro.com +Reviewed-by: Mike Christie +Signed-off-by: Roman Bolshakov +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + include/scsi/scsi_common.h | 7 +++++++ + include/trace/events/target.h | 12 ++++++------ + 2 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/scsi/scsi_common.h b/include/scsi/scsi_common.h +index 11571b2a831e3..92ba09200f89b 100644 +--- a/include/scsi/scsi_common.h ++++ b/include/scsi/scsi_common.h +@@ -24,6 +24,13 @@ scsi_command_size(const unsigned char *cmnd) + scsi_varlen_cdb_length(cmnd) : COMMAND_SIZE(cmnd[0]); + } + ++static inline unsigned char ++scsi_command_control(const unsigned char *cmnd) ++{ ++ return (cmnd[0] == VARIABLE_LENGTH_CMD) ? ++ cmnd[1] : cmnd[COMMAND_SIZE(cmnd[0]) - 1]; ++} ++ + /* Returns a human-readable name for the device */ + extern const char *scsi_device_type(unsigned type); + +diff --git a/include/trace/events/target.h b/include/trace/events/target.h +index 50fea660c0f89..d543e8b87e50a 100644 +--- a/include/trace/events/target.h ++++ b/include/trace/events/target.h +@@ -139,6 +139,7 @@ TRACE_EVENT(target_sequencer_start, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) + __string( initiator, cmd->se_sess->se_node_acl->initiatorname ) + ), +@@ -148,6 +149,7 @@ TRACE_EVENT(target_sequencer_start, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + memcpy(__entry->cdb, cmd->t_task_cdb, TCM_MAX_COMMAND_SIZE); + __assign_str(initiator, cmd->se_sess->se_node_acl->initiatorname); + ), +@@ -157,9 +159,7 @@ TRACE_EVENT(target_sequencer_start, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +@@ -174,6 +174,7 @@ TRACE_EVENT(target_cmd_complete, + __field( unsigned int, opcode ) + __field( unsigned int, data_length ) + __field( unsigned int, task_attribute ) ++ __field( unsigned char, control ) + __field( unsigned char, scsi_status ) + __field( unsigned char, sense_length ) + __array( unsigned char, cdb, TCM_MAX_COMMAND_SIZE ) +@@ -186,6 +187,7 @@ TRACE_EVENT(target_cmd_complete, + __entry->opcode = cmd->t_task_cdb[0]; + __entry->data_length = cmd->data_length; + __entry->task_attribute = cmd->sam_task_attr; ++ __entry->control = scsi_command_control(cmd->t_task_cdb); + __entry->scsi_status = cmd->scsi_status; + __entry->sense_length = cmd->scsi_status == SAM_STAT_CHECK_CONDITION ? + min(18, ((u8 *) cmd->sense_buffer)[SPC_ADD_SENSE_LEN_OFFSET] + 8) : 0; +@@ -202,9 +204,7 @@ TRACE_EVENT(target_cmd_complete, + show_opcode_name(__entry->opcode), + __entry->data_length, __print_hex(__entry->cdb, 16), + show_task_attribute_name(__entry->task_attribute), +- scsi_command_size(__entry->cdb) <= 16 ? +- __entry->cdb[scsi_command_size(__entry->cdb) - 1] : +- __entry->cdb[1] ++ __entry->control + ) + ); + +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index a5a86d092c6..460432d0085 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -16,3 +16,94 @@ tcp-fix-to-update-snd_wl1-in-bulk-receiver-fast-path.patch icmp-randomize-the-global-rate-limiter.patch cifs-remove-bogus-debug-code.patch ima-don-t-ignore-errors-from-crypto_shash_update.patch +edac-i5100-fix-error-handling-order-in-i5100_init_on.patch +crypto-ixp4xx-fix-the-size-used-in-a-dma_free_cohere.patch +media-revert-media-exynos4-is-add-missed-check-for-p.patch +media-m5mols-check-function-pointer-in-m5mols_sensor.patch +media-omap3isp-fix-memleak-in-isp_probe.patch +crypto-omap-sham-fix-digcnt-register-handling-with-e.patch +media-tc358743-initialize-variable.patch +media-ti-vpe-fix-a-missing-check-and-reference-count.patch +ath6kl-prevent-potential-array-overflow-in-ath6kl_ad.patch +ath9k-fix-potential-out-of-bounds-in-ath9k_htc_txcom.patch +wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch +mwifiex-do-not-use-gfp_kernel-in-atomic-context.patch +drm-gma500-fix-error-check.patch +scsi-qla4xxx-fix-an-error-handling-path-in-qla4xxx_g.patch +scsi-csiostor-fix-wrong-return-value-in-csio_hw_prep.patch +backlight-sky81452-backlight-fix-refcount-imbalance-.patch +vmci-check-return-value-of-get_user_pages_fast-for-e.patch +tty-serial-earlycon-dependency.patch +tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch +pty-do-tty_flip_buffer_push-without-port-lock-in-pty.patch +drivers-virt-fsl_hypervisor-fix-error-handling-path.patch +video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch +video-fbdev-sis-fix-null-ptr-dereference.patch +hid-roccat-add-bounds-checking-in-kone_sysfs_write_s.patch +ath6kl-wmi-prevent-a-shift-wrapping-bug-in-ath6kl_wm.patch +misc-mic-scif-fix-error-handling-path.patch +alsa-seq-oss-avoid-mutex-lock-for-a-long-time-ioctl.patch +quota-clear-padding-in-v2r1_mem2diskdqb.patch +net-enic-cure-the-enic-api-locking-trainwreck.patch +mfd-sm501-fix-leaks-in-probe.patch +usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch +nl80211-fix-non-split-wiphy-information.patch +mwifiex-fix-double-free.patch +net-korina-fix-kfree-of-rx-tx-descriptor-array.patch +ib-mlx4-adjust-delayed-work-when-a-dup-is-observed.patch +powerpc-pseries-fix-missing-of_node_put-in-rng_init.patch +powerpc-icp-hv-fix-missing-of_node_put-in-success-pa.patch +mtd-lpddr-fix-excessive-stack-usage-with-clang.patch +mtd-mtdoops-don-t-write-panic-data-twice.patch +arm-9007-1-l2c-fix-prefetch-bits-init-in-l2x0_aux_ct.patch +powerpc-tau-use-appropriate-temperature-sample-inter.patch +powerpc-tau-remove-duplicated-set_thresholds-call.patch +powerpc-tau-disable-tau-between-measurements.patch +perf-intel-pt-fix-context_switch-event-has-no-tid-er.patch +kdb-fix-pager-search-for-multi-line-strings.patch +powerpc-perf-hv-gpci-fix-starting-index-value.patch +cpufreq-powernv-fix-frame-size-overflow-in-powernv_c.patch +lib-crc32.c-fix-trivial-typo-in-preprocessor-conditi.patch +vfio-pci-clear-token-on-bypass-registration-failure.patch +input-imx6ul_tsc-clean-up-some-errors-in-imx6ul_tsc_.patch +input-ep93xx_keypad-fix-handling-of-platform_get_irq.patch +input-omap4-keypad-fix-handling-of-platform_get_irq-.patch +input-sun4i-ps2-fix-handling-of-platform_get_irq-err.patch +kvm-x86-emulating-rdpid-failure-shall-return-ud-rath.patch +memory-omap-gpmc-fix-a-couple-off-by-ones.patch +memory-fsl-corenet-cf-fix-handling-of-platform_get_i.patch +arm64-dts-zynqmp-remove-additional-compatible-string.patch +powerpc-powernv-dump-fix-race-while-processing-opal-.patch +media-firewire-fix-memory-leak.patch +media-ati_remote-sanity-check-for-both-endpoints.patch +media-exynos4-is-fix-several-reference-count-leaks-d.patch +media-exynos4-is-fix-a-reference-count-leak-due-to-p.patch +media-exynos4-is-fix-a-reference-count-leak.patch +media-bdisp-fix-runtime-pm-imbalance-on-error.patch +media-media-pci-prevent-memory-leak-in-bttv_probe.patch +media-uvcvideo-ensure-all-probed-info-is-returned-to.patch +mmc-sdio-check-for-cistpl_vers_1-buffer-size.patch +media-saa7134-avoid-a-shift-overflow.patch +ntfs-add-check-for-mft-record-size-in-superblock.patch +pm-hibernate-remove-the-bogus-call-to-get_gendisk-in.patch +scsi-mvumi-fix-error-return-in-mvumi_io_attach.patch +scsi-target-core-add-control-field-for-trace-events.patch +usb-gadget-function-printer-fix-use-after-free-in-__.patch +udf-limit-sparing-table-size.patch +udf-avoid-accessing-uninitialized-data-on-failed-ino.patch +ath9k-hif_usb-fix-race-condition-between-usb_get_urb.patch +misc-rtsx-fix-memory-leak-in-rtsx_pci_probe.patch +reiserfs-only-call-unlock_new_inode-if-i_new.patch +xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch +usb-ohci-default-to-per-port-over-current-protection.patch +bluetooth-only-mark-socket-zapped-after-unlocking.patch +scsi-ibmvfc-fix-error-return-in-ibmvfc_probe.patch +brcmsmac-fix-memory-leak-in-wlc_phy_attach_lcnphy.patch +rtl8xxxu-prevent-potential-memory-leak.patch +fix-use-after-free-in-get_capset_info-callback.patch +tty-ipwireless-fix-error-handling.patch +ipvs-fix-uninit-value-in-do_ip_vs_set_ctl.patch +reiserfs-fix-memory-leak-in-reiserfs_parse_options.patch +brcm80211-fix-possible-memleak-in-brcmf_proto_msgbuf.patch +usb-core-solve-race-condition-in-anchor-cleanup-func.patch +ath10k-check-idx-validity-in-__ath10k_htt_rx_ring_fi.patch diff --git a/queue-4.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch b/queue-4.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch new file mode 100644 index 00000000000..a4b975f9efe --- /dev/null +++ b/queue-4.4/tty-hvcs-don-t-null-tty-driver_data-until-hvcs_clean.patch @@ -0,0 +1,66 @@ +From b7d29d1a0beaad90e987fda65c7b93675b79bd72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Aug 2020 18:46:38 -0500 +Subject: tty: hvcs: Don't NULL tty->driver_data until hvcs_cleanup() + +From: Tyrel Datwyler + +[ Upstream commit 63ffcbdad738e3d1c857027789a2273df3337624 ] + +The code currently NULLs tty->driver_data in hvcs_close() with the +intent of informing the next call to hvcs_open() that device needs to be +reconfigured. However, when hvcs_cleanup() is called we copy hvcsd from +tty->driver_data which was previoulsy NULLed by hvcs_close() and our +call to tty_port_put(&hvcsd->port) doesn't actually do anything since +&hvcsd->port ends up translating to NULL by chance. This has the side +effect that when hvcs_remove() is called we have one too many port +references preventing hvcs_destuct_port() from ever being called. This +also prevents us from reusing the /dev/hvcsX node in a future +hvcs_probe() and we can eventually run out of /dev/hvcsX devices. + +Fix this by waiting to NULL tty->driver_data in hvcs_cleanup(). + +Fixes: 27bf7c43a19c ("TTY: hvcs, add tty install") +Signed-off-by: Tyrel Datwyler +Link: https://lore.kernel.org/r/20200820234643.70412-1-tyreld@linux.ibm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/hvc/hvcs.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/tty/hvc/hvcs.c b/drivers/tty/hvc/hvcs.c +index 5997b17311113..cba662c50f919 100644 +--- a/drivers/tty/hvc/hvcs.c ++++ b/drivers/tty/hvc/hvcs.c +@@ -1232,13 +1232,6 @@ static void hvcs_close(struct tty_struct *tty, struct file *filp) + + tty_wait_until_sent(tty, HVCS_CLOSE_WAIT); + +- /* +- * This line is important because it tells hvcs_open that this +- * device needs to be re-configured the next time hvcs_open is +- * called. +- */ +- tty->driver_data = NULL; +- + free_irq(irq, hvcsd); + return; + } else if (hvcsd->port.count < 0) { +@@ -1254,6 +1247,13 @@ static void hvcs_cleanup(struct tty_struct * tty) + { + struct hvcs_struct *hvcsd = tty->driver_data; + ++ /* ++ * This line is important because it tells hvcs_open that this ++ * device needs to be re-configured the next time hvcs_open is ++ * called. ++ */ ++ tty->driver_data = NULL; ++ + tty_port_put(&hvcsd->port); + } + +-- +2.25.1 + diff --git a/queue-4.4/tty-ipwireless-fix-error-handling.patch b/queue-4.4/tty-ipwireless-fix-error-handling.patch new file mode 100644 index 00000000000..d399c7c0735 --- /dev/null +++ b/queue-4.4/tty-ipwireless-fix-error-handling.patch @@ -0,0 +1,60 @@ +From b6f5768b5e54468cb3e4e67cc2ec44e4d2adc703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Aug 2020 12:19:40 -0400 +Subject: tty: ipwireless: fix error handling + +From: Tong Zhang + +[ Upstream commit db332356222d9429731ab9395c89cca403828460 ] + +ipwireless_send_packet() can only return 0 on success and -ENOMEM on +error, the caller should check non zero for error condition + +Signed-off-by: Tong Zhang +Acked-by: David Sterba +Link: https://lore.kernel.org/r/20200821161942.36589-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/ipwireless/network.c | 4 ++-- + drivers/tty/ipwireless/tty.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/ipwireless/network.c b/drivers/tty/ipwireless/network.c +index c0dfb642383b2..dc7f4eb18e0a7 100644 +--- a/drivers/tty/ipwireless/network.c ++++ b/drivers/tty/ipwireless/network.c +@@ -116,7 +116,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + skb->len, + notify_packet_sent, + network); +- if (ret == -1) { ++ if (ret < 0) { + skb_pull(skb, 2); + return 0; + } +@@ -133,7 +133,7 @@ static int ipwireless_ppp_start_xmit(struct ppp_channel *ppp_channel, + notify_packet_sent, + network); + kfree(buf); +- if (ret == -1) ++ if (ret < 0) + return 0; + } + kfree_skb(skb); +diff --git a/drivers/tty/ipwireless/tty.c b/drivers/tty/ipwireless/tty.c +index 345cebb07ae79..0b06b1847450f 100644 +--- a/drivers/tty/ipwireless/tty.c ++++ b/drivers/tty/ipwireless/tty.c +@@ -217,7 +217,7 @@ static int ipw_write(struct tty_struct *linux_tty, + ret = ipwireless_send_packet(tty->hardware, IPW_CHANNEL_RAS, + buf, count, + ipw_write_packet_sent_callback, tty); +- if (ret == -1) { ++ if (ret < 0) { + mutex_unlock(&tty->ipw_tty_mutex); + return 0; + } +-- +2.25.1 + diff --git a/queue-4.4/tty-serial-earlycon-dependency.patch b/queue-4.4/tty-serial-earlycon-dependency.patch new file mode 100644 index 00000000000..e6ab431545b --- /dev/null +++ b/queue-4.4/tty-serial-earlycon-dependency.patch @@ -0,0 +1,38 @@ +From 90589c58f69039354526a1ffaf9a394c2236d3f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 Aug 2020 08:39:50 -0400 +Subject: tty: serial: earlycon dependency + +From: Tong Zhang + +[ Upstream commit 0fb9342d06b0f667b915ba58bfefc030e534a218 ] + +parse_options() in drivers/tty/serial/earlycon.c calls uart_parse_earlycon +in drivers/tty/serial/serial_core.c therefore selecting SERIAL_EARLYCON +should automatically select SERIAL_CORE, otherwise will result in symbol +not found error during linking if SERIAL_CORE is not configured as builtin + +Fixes: 9aac5887595b ("tty/serial: add generic serial earlycon") +Signed-off-by: Tong Zhang +Link: https://lore.kernel.org/r/20200828123949.2642-1-ztong0001@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/serial/Kconfig b/drivers/tty/serial/Kconfig +index f38beb28e7ae6..5c3c86d4fe716 100644 +--- a/drivers/tty/serial/Kconfig ++++ b/drivers/tty/serial/Kconfig +@@ -9,6 +9,7 @@ menu "Serial drivers" + + config SERIAL_EARLYCON + bool ++ depends on SERIAL_CORE + help + Support for early consoles with the earlycon parameter. This enables + the console before standard serial driver is probed. The console is +-- +2.25.1 + diff --git a/queue-4.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch b/queue-4.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch new file mode 100644 index 00000000000..728ade53817 --- /dev/null +++ b/queue-4.4/udf-avoid-accessing-uninitialized-data-on-failed-ino.patch @@ -0,0 +1,62 @@ +From 4a96527aca93df6e98ad926e63421a1beaa105db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 12:14:03 +0200 +Subject: udf: Avoid accessing uninitialized data on failed inode read + +From: Jan Kara + +[ Upstream commit 044e2e26f214e5ab26af85faffd8d1e4ec066931 ] + +When we fail to read inode, some data accessed in udf_evict_inode() may +be uninitialized. Move the accesses to !is_bad_inode() branch. + +Reported-by: syzbot+91f02b28f9bb5f5f1341@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/inode.c | 25 ++++++++++++++----------- + 1 file changed, 14 insertions(+), 11 deletions(-) + +diff --git a/fs/udf/inode.c b/fs/udf/inode.c +index 3876448ec0dcb..2c39c1c81196c 100644 +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -140,21 +140,24 @@ void udf_evict_inode(struct inode *inode) + struct udf_inode_info *iinfo = UDF_I(inode); + int want_delete = 0; + +- if (!inode->i_nlink && !is_bad_inode(inode)) { +- want_delete = 1; +- udf_setsize(inode, 0); +- udf_update_inode(inode, IS_SYNC(inode)); ++ if (!is_bad_inode(inode)) { ++ if (!inode->i_nlink) { ++ want_delete = 1; ++ udf_setsize(inode, 0); ++ udf_update_inode(inode, IS_SYNC(inode)); ++ } ++ if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && ++ inode->i_size != iinfo->i_lenExtents) { ++ udf_warn(inode->i_sb, ++ "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", ++ inode->i_ino, inode->i_mode, ++ (unsigned long long)inode->i_size, ++ (unsigned long long)iinfo->i_lenExtents); ++ } + } + truncate_inode_pages_final(&inode->i_data); + invalidate_inode_buffers(inode); + clear_inode(inode); +- if (iinfo->i_alloc_type != ICBTAG_FLAG_AD_IN_ICB && +- inode->i_size != iinfo->i_lenExtents) { +- udf_warn(inode->i_sb, "Inode %lu (mode %o) has inode size %llu different from extent length %llu. Filesystem need not be standards compliant.\n", +- inode->i_ino, inode->i_mode, +- (unsigned long long)inode->i_size, +- (unsigned long long)iinfo->i_lenExtents); +- } + kfree(iinfo->i_ext.i_data); + iinfo->i_ext.i_data = NULL; + udf_clear_extent_cache(inode); +-- +2.25.1 + diff --git a/queue-4.4/udf-limit-sparing-table-size.patch b/queue-4.4/udf-limit-sparing-table-size.patch new file mode 100644 index 00000000000..829ff060e65 --- /dev/null +++ b/queue-4.4/udf-limit-sparing-table-size.patch @@ -0,0 +1,40 @@ +From 1ab4494c8874b9a8360f0da0ff19e64dba5d70ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Sep 2020 14:53:08 +0200 +Subject: udf: Limit sparing table size + +From: Jan Kara + +[ Upstream commit 44ac6b829c4e173fdf6df18e6dd86aecf9a3dc99 ] + +Although UDF standard allows it, we don't support sparing table larger +than a single block. Check it during mount so that we don't try to +access memory beyond end of buffer. + +Reported-by: syzbot+9991561e714f597095da@syzkaller.appspotmail.com +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/super.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/fs/udf/super.c b/fs/udf/super.c +index 159977ec8e548..710f1b8fad9bf 100644 +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1390,6 +1390,12 @@ static int udf_load_sparable_map(struct super_block *sb, + (int)spm->numSparingTables); + return -EIO; + } ++ if (le32_to_cpu(spm->sizeSparingTable) > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too big sparing table size (%u)\n", ++ le32_to_cpu(spm->sizeSparingTable)); ++ return -EIO; ++ } + + for (i = 0; i < spm->numSparingTables; i++) { + loc = le32_to_cpu(spm->locSparingTable[i]); +-- +2.25.1 + diff --git a/queue-4.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch b/queue-4.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch new file mode 100644 index 00000000000..961f3129ec0 --- /dev/null +++ b/queue-4.4/usb-core-solve-race-condition-in-anchor-cleanup-func.patch @@ -0,0 +1,202 @@ +From fdc3294cb4df011315b7f4b9143afd56d79c9a96 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 31 Jul 2020 08:46:50 +0300 +Subject: usb: core: Solve race condition in anchor cleanup functions + +From: Eli Billauer + +[ Upstream commit fbc299437c06648afcc7891e6e2e6638dd48d4df ] + +usb_kill_anchored_urbs() is commonly used to cancel all URBs on an +anchor just before releasing resources which the URBs rely on. By doing +so, users of this function rely on that no completer callbacks will take +place from any URB on the anchor after it returns. + +However if this function is called in parallel with __usb_hcd_giveback_urb +processing a URB on the anchor, the latter may call the completer +callback after usb_kill_anchored_urbs() returns. This can lead to a +kernel panic due to use after release of memory in interrupt context. + +The race condition is that __usb_hcd_giveback_urb() first unanchors the URB +and then makes the completer callback. Such URB is hence invisible to +usb_kill_anchored_urbs(), allowing it to return before the completer has +been called, since the anchor's urb_list is empty. + +Even worse, if the racing completer callback resubmits the URB, it may +remain in the system long after usb_kill_anchored_urbs() returns. + +Hence list_empty(&anchor->urb_list), which is used in the existing +while-loop, doesn't reliably ensure that all URBs of the anchor are gone. + +A similar problem exists with usb_poison_anchored_urbs() and +usb_scuttle_anchored_urbs(). + +This patch adds an external do-while loop, which ensures that all URBs +are indeed handled before these three functions return. This change has +no effect at all unless the race condition occurs, in which case the +loop will busy-wait until the racing completer callback has finished. +This is a rare condition, so the CPU waste of this spinning is +negligible. + +The additional do-while loop relies on usb_anchor_check_wakeup(), which +returns true iff the anchor list is empty, and there is no +__usb_hcd_giveback_urb() in the system that is in the middle of the +unanchor-before-complete phase. The @suspend_wakeups member of +struct usb_anchor is used for this purpose, which was introduced to solve +another problem which the same race condition causes, in commit +6ec4147e7bdb ("usb-anchor: Delay usb_wait_anchor_empty_timeout wake up +till completion is done"). + +The surely_empty variable is necessary, because usb_anchor_check_wakeup() +must be called with the lock held to prevent races. However the spinlock +must be released and reacquired if the outer loop spins with an empty +URB list while waiting for the unanchor-before-complete passage to finish: +The completer callback may very well attempt to take the very same lock. + +To summarize, using usb_anchor_check_wakeup() means that the patched +functions can return only when the anchor's list is empty, and there is +no invisible URB being processed. Since the inner while loop finishes on +the empty list condition, the new do-while loop will terminate as well, +except for when the said race condition occurs. + +Signed-off-by: Eli Billauer +Acked-by: Oliver Neukum +Acked-by: Alan Stern +Link: https://lore.kernel.org/r/20200731054650.30644-1-eli.billauer@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/core/urb.c | 89 +++++++++++++++++++++++++----------------- + 1 file changed, 54 insertions(+), 35 deletions(-) + +diff --git a/drivers/usb/core/urb.c b/drivers/usb/core/urb.c +index c095cde55329c..8c4bfd42f785d 100644 +--- a/drivers/usb/core/urb.c ++++ b/drivers/usb/core/urb.c +@@ -767,11 +767,12 @@ void usb_block_urb(struct urb *urb) + EXPORT_SYMBOL_GPL(usb_block_urb); + + /** +- * usb_kill_anchored_urbs - cancel transfer requests en masse ++ * usb_kill_anchored_urbs - kill all URBs associated with an anchor + * @anchor: anchor the requests are bound to + * +- * this allows all outstanding URBs to be killed starting +- * from the back of the queue ++ * This kills all outstanding URBs starting from the back of the queue, ++ * with guarantee that no completer callbacks will take place from the ++ * anchor after this function returns. + * + * This routine should not be called by a driver after its disconnect + * method has returned. +@@ -779,20 +780,26 @@ EXPORT_SYMBOL_GPL(usb_block_urb); + void usb_kill_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_kill_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_kill_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + +@@ -811,21 +818,27 @@ EXPORT_SYMBOL_GPL(usb_kill_anchored_urbs); + void usb_poison_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; ++ int surely_empty; + +- spin_lock_irq(&anchor->lock); +- anchor->poisoned = 1; +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- /* we must make sure the URB isn't freed before we kill it*/ +- usb_get_urb(victim); +- spin_unlock_irq(&anchor->lock); +- /* this will unanchor the URB */ +- usb_poison_urb(victim); +- usb_put_urb(victim); ++ do { + spin_lock_irq(&anchor->lock); +- } +- spin_unlock_irq(&anchor->lock); ++ anchor->poisoned = 1; ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ /* make sure the URB isn't freed before we kill it */ ++ usb_get_urb(victim); ++ spin_unlock_irq(&anchor->lock); ++ /* this will unanchor the URB */ ++ usb_poison_urb(victim); ++ usb_put_urb(victim); ++ spin_lock_irq(&anchor->lock); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); ++ ++ spin_unlock_irq(&anchor->lock); ++ cpu_relax(); ++ } while (!surely_empty); + } + EXPORT_SYMBOL_GPL(usb_poison_anchored_urbs); + +@@ -965,14 +978,20 @@ void usb_scuttle_anchored_urbs(struct usb_anchor *anchor) + { + struct urb *victim; + unsigned long flags; ++ int surely_empty; ++ ++ do { ++ spin_lock_irqsave(&anchor->lock, flags); ++ while (!list_empty(&anchor->urb_list)) { ++ victim = list_entry(anchor->urb_list.prev, ++ struct urb, anchor_list); ++ __usb_unanchor_urb(victim, anchor); ++ } ++ surely_empty = usb_anchor_check_wakeup(anchor); + +- spin_lock_irqsave(&anchor->lock, flags); +- while (!list_empty(&anchor->urb_list)) { +- victim = list_entry(anchor->urb_list.prev, struct urb, +- anchor_list); +- __usb_unanchor_urb(victim, anchor); +- } +- spin_unlock_irqrestore(&anchor->lock, flags); ++ spin_unlock_irqrestore(&anchor->lock, flags); ++ cpu_relax(); ++ } while (!surely_empty); + } + + EXPORT_SYMBOL_GPL(usb_scuttle_anchored_urbs); +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch b/queue-4.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch new file mode 100644 index 00000000000..1ac04232e7e --- /dev/null +++ b/queue-4.4/usb-gadget-function-printer-fix-use-after-free-in-__.patch @@ -0,0 +1,181 @@ +From e82ea50348c106175a5f44902557652e48cfc514 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Jun 2020 11:05:33 +0800 +Subject: usb: gadget: function: printer: fix use-after-free in __lock_acquire + +From: Zqiang + +[ Upstream commit e8d5f92b8d30bb4ade76494490c3c065e12411b1 ] + +Fix this by increase object reference count. + +BUG: KASAN: use-after-free in __lock_acquire+0x3fd4/0x4180 +kernel/locking/lockdep.c:3831 +Read of size 8 at addr ffff8880683b0018 by task syz-executor.0/3377 + +CPU: 1 PID: 3377 Comm: syz-executor.0 Not tainted 5.6.11 #1 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xce/0x128 lib/dump_stack.c:118 + print_address_description.constprop.4+0x21/0x3c0 mm/kasan/report.c:374 + __kasan_report+0x131/0x1b0 mm/kasan/report.c:506 + kasan_report+0x12/0x20 mm/kasan/common.c:641 + __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135 + __lock_acquire+0x3fd4/0x4180 kernel/locking/lockdep.c:3831 + lock_acquire+0x127/0x350 kernel/locking/lockdep.c:4488 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] + _raw_spin_lock_irqsave+0x35/0x50 kernel/locking/spinlock.c:159 + printer_ioctl+0x4a/0x110 drivers/usb/gadget/function/f_printer.c:723 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0xfb/0x130 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4531a9 +Code: ed 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 +89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d +01 f0 ff ff 0f 83 bb 60 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007fd14ad72c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 000000000073bfa8 RCX: 00000000004531a9 +RDX: fffffffffffffff9 RSI: 000000000000009e RDI: 0000000000000003 +RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004bbd61 +R13: 00000000004d0a98 R14: 00007fd14ad736d4 R15: 00000000ffffffff + +Allocated by task 2393: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + __kasan_kmalloc.constprop.3+0xa7/0xd0 mm/kasan/common.c:515 + kasan_kmalloc+0x9/0x10 mm/kasan/common.c:529 + kmem_cache_alloc_trace+0xfa/0x2d0 mm/slub.c:2813 + kmalloc include/linux/slab.h:555 [inline] + kzalloc include/linux/slab.h:669 [inline] + gprinter_alloc+0xa1/0x870 drivers/usb/gadget/function/f_printer.c:1416 + usb_get_function+0x58/0xc0 drivers/usb/gadget/functions.c:61 + config_usb_cfg_link+0x1ed/0x3e0 drivers/usb/gadget/configfs.c:444 + configfs_symlink+0x527/0x11d0 fs/configfs/symlink.c:202 + vfs_symlink+0x33d/0x5b0 fs/namei.c:4201 + do_symlinkat+0x11b/0x1d0 fs/namei.c:4228 + __do_sys_symlinkat fs/namei.c:4242 [inline] + __se_sys_symlinkat fs/namei.c:4239 [inline] + __x64_sys_symlinkat+0x73/0xb0 fs/namei.c:4239 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +Freed by task 3368: + save_stack+0x21/0x90 mm/kasan/common.c:72 + set_track mm/kasan/common.c:80 [inline] + kasan_set_free_info mm/kasan/common.c:337 [inline] + __kasan_slab_free+0x135/0x190 mm/kasan/common.c:476 + kasan_slab_free+0xe/0x10 mm/kasan/common.c:485 + slab_free_hook mm/slub.c:1444 [inline] + slab_free_freelist_hook mm/slub.c:1477 [inline] + slab_free mm/slub.c:3034 [inline] + kfree+0xf7/0x410 mm/slub.c:3995 + gprinter_free+0x49/0xd0 drivers/usb/gadget/function/f_printer.c:1353 + usb_put_function+0x38/0x50 drivers/usb/gadget/functions.c:87 + config_usb_cfg_unlink+0x2db/0x3b0 drivers/usb/gadget/configfs.c:485 + configfs_unlink+0x3b9/0x7f0 fs/configfs/symlink.c:250 + vfs_unlink+0x287/0x570 fs/namei.c:4073 + do_unlinkat+0x4f9/0x620 fs/namei.c:4137 + __do_sys_unlink fs/namei.c:4184 [inline] + __se_sys_unlink fs/namei.c:4182 [inline] + __x64_sys_unlink+0x42/0x50 fs/namei.c:4182 + do_syscall_64+0x9e/0x510 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe + +The buggy address belongs to the object at ffff8880683b0000 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 24 bytes inside of + 1024-byte region [ffff8880683b0000, ffff8880683b0400) +The buggy address belongs to the page: +page:ffffea0001a0ec00 refcount:1 mapcount:0 mapping:ffff88806c00e300 +index:0xffff8880683b1800 compound_mapcount: 0 +flags: 0x100000000010200(slab|head) +raw: 0100000000010200 0000000000000000 0000000600000001 ffff88806c00e300 +raw: ffff8880683b1800 000000008010000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Reported-by: Kyungtae Kim +Signed-off-by: Zqiang +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/f_printer.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/gadget/function/f_printer.c b/drivers/usb/gadget/function/f_printer.c +index 69afc17fca38f..7b21ef09fffc2 100644 +--- a/drivers/usb/gadget/function/f_printer.c ++++ b/drivers/usb/gadget/function/f_printer.c +@@ -35,6 +35,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -69,7 +70,7 @@ struct printer_dev { + struct usb_gadget *gadget; + s8 interface; + struct usb_ep *in_ep, *out_ep; +- ++ struct kref kref; + struct list_head rx_reqs; /* List of free RX structs */ + struct list_head rx_reqs_active; /* List of Active RX xfers */ + struct list_head rx_buffers; /* List of completed xfers */ +@@ -223,6 +224,13 @@ static inline struct usb_endpoint_descriptor *ep_desc(struct usb_gadget *gadget, + + /*-------------------------------------------------------------------------*/ + ++static void printer_dev_free(struct kref *kref) ++{ ++ struct printer_dev *dev = container_of(kref, struct printer_dev, kref); ++ ++ kfree(dev); ++} ++ + static struct usb_request * + printer_req_alloc(struct usb_ep *ep, unsigned len, gfp_t gfp_flags) + { +@@ -353,6 +361,7 @@ printer_open(struct inode *inode, struct file *fd) + + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_get(&dev->kref); + DBG(dev, "printer_open returned %x\n", ret); + return ret; + } +@@ -370,6 +379,7 @@ printer_close(struct inode *inode, struct file *fd) + dev->printer_status &= ~PRINTER_SELECTED; + spin_unlock_irqrestore(&dev->lock, flags); + ++ kref_put(&dev->kref, printer_dev_free); + DBG(dev, "printer_close\n"); + + return 0; +@@ -1316,7 +1326,8 @@ static void gprinter_free(struct usb_function *f) + struct f_printer_opts *opts; + + opts = container_of(f->fi, struct f_printer_opts, func_inst); +- kfree(dev); ++ ++ kref_put(&dev->kref, printer_dev_free); + mutex_lock(&opts->lock); + --opts->refcnt; + mutex_unlock(&opts->lock); +@@ -1385,6 +1396,7 @@ static struct usb_function *gprinter_alloc(struct usb_function_instance *fi) + return ERR_PTR(-ENOMEM); + } + ++ kref_init(&dev->kref); + ++opts->refcnt; + dev->minor = opts->minor; + dev->pnp_string = opts->pnp_string; +-- +2.25.1 + diff --git a/queue-4.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch b/queue-4.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch new file mode 100644 index 00000000000..9381abd2517 --- /dev/null +++ b/queue-4.4/usb-gadget-u_ether-enable-qmult-on-superspeed-plus-a.patch @@ -0,0 +1,56 @@ +From d28428d19afcddc12c428b0c5f61890c11a56826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Aug 2020 01:19:49 +0900 +Subject: usb: gadget: u_ether: enable qmult on SuperSpeed Plus as well +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenzo Colitti + +[ Upstream commit 4eea21dc67b0c6ba15ae41b1defa113a680a858e ] + +The u_ether driver has a qmult setting that multiplies the +transmit queue length (which by default is 2). + +The intent is that it should be enabled at high/super speed, but +because the code does not explicitly check for USB_SUPER_PLUS, +it is disabled at that speed. + +Fix this by ensuring that the queue multiplier is enabled for any +wired link at high speed or above. Using >= for USB_SPEED_* +constants seems correct because it is what the gadget_is_xxxspeed +functions do. + +The queue multiplier substantially helps performance at higher +speeds. On a direct SuperSpeed Plus link to a Linux laptop, +iperf3 single TCP stream: + +Before (qmult=1): 1.3 Gbps +After (qmult=5): 3.2 Gbps + +Fixes: 04617db7aa68 ("usb: gadget: add SS descriptors to Ethernet gadget") +Reviewed-by: Maciej Å»enczykowski +Signed-off-by: Lorenzo Colitti +Signed-off-by: Felipe Balbi +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/function/u_ether.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/function/u_ether.c b/drivers/usb/gadget/function/u_ether.c +index e69f20b2a3f44..46c50135ef9f7 100644 +--- a/drivers/usb/gadget/function/u_ether.c ++++ b/drivers/usb/gadget/function/u_ether.c +@@ -96,7 +96,7 @@ struct eth_dev { + static inline int qlen(struct usb_gadget *gadget, unsigned qmult) + { + if (gadget_is_dualspeed(gadget) && (gadget->speed == USB_SPEED_HIGH || +- gadget->speed == USB_SPEED_SUPER)) ++ gadget->speed >= USB_SPEED_SUPER)) + return qmult * DEFAULT_QLEN; + else + return DEFAULT_QLEN; +-- +2.25.1 + diff --git a/queue-4.4/usb-ohci-default-to-per-port-over-current-protection.patch b/queue-4.4/usb-ohci-default-to-per-port-over-current-protection.patch new file mode 100644 index 00000000000..48bd1d63426 --- /dev/null +++ b/queue-4.4/usb-ohci-default-to-per-port-over-current-protection.patch @@ -0,0 +1,78 @@ +From 1444768bdc0b48d47676c2325cbec1afc4ed41e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Sep 2020 09:25:11 +1200 +Subject: usb: ohci: Default to per-port over-current protection + +From: Hamish Martin + +[ Upstream commit b77d2a0a223bc139ee8904991b2922d215d02636 ] + +Some integrated OHCI controller hubs do not expose all ports of the hub +to pins on the SoC. In some cases the unconnected ports generate +spurious over-current events. For example the Broadcom 56060/Ranger 2 SoC +contains a nominally 3 port hub but only the first port is wired. + +Default behaviour for ohci-platform driver is to use global over-current +protection mode (AKA "ganged"). This leads to the spurious over-current +events affecting all ports in the hub. + +We now alter the default to use per-port over-current protection. + +This patch results in the following configuration changes depending +on quirks: +- For quirk OHCI_QUIRK_SUPERIO no changes. These systems remain set up + for ganged power switching and no over-current protection. +- For quirk OHCI_QUIRK_AMD756 or OHCI_QUIRK_HUB_POWER power switching + remains at none, while over-current protection is now guaranteed to be + set to per-port rather than the previous behaviour where it was either + none or global over-current protection depending on the value at + function entry. + +Suggested-by: Alan Stern +Acked-by: Alan Stern +Signed-off-by: Hamish Martin +Link: https://lore.kernel.org/r/20200910212512.16670-1-hamish.martin@alliedtelesis.co.nz +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-hcd.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/host/ohci-hcd.c b/drivers/usb/host/ohci-hcd.c +index 27bd3e49fe8e3..07d76d9d4ce1b 100644 +--- a/drivers/usb/host/ohci-hcd.c ++++ b/drivers/usb/host/ohci-hcd.c +@@ -663,20 +663,24 @@ static int ohci_run (struct ohci_hcd *ohci) + + /* handle root hub init quirks ... */ + val = roothub_a (ohci); +- val &= ~(RH_A_PSM | RH_A_OCPM); ++ /* Configure for per-port over-current protection by default */ ++ val &= ~RH_A_NOCP; ++ val |= RH_A_OCPM; + if (ohci->flags & OHCI_QUIRK_SUPERIO) { +- /* NSC 87560 and maybe others */ ++ /* NSC 87560 and maybe others. ++ * Ganged power switching, no over-current protection. ++ */ + val |= RH_A_NOCP; +- val &= ~(RH_A_POTPGT | RH_A_NPS); +- ohci_writel (ohci, val, &ohci->regs->roothub.a); ++ val &= ~(RH_A_POTPGT | RH_A_NPS | RH_A_PSM | RH_A_OCPM); + } else if ((ohci->flags & OHCI_QUIRK_AMD756) || + (ohci->flags & OHCI_QUIRK_HUB_POWER)) { + /* hub power always on; required for AMD-756 and some +- * Mac platforms. ganged overcurrent reporting, if any. ++ * Mac platforms. + */ + val |= RH_A_NPS; +- ohci_writel (ohci, val, &ohci->regs->roothub.a); + } ++ ohci_writel(ohci, val, &ohci->regs->roothub.a); ++ + ohci_writel (ohci, RH_HS_LPSC, &ohci->regs->roothub.status); + ohci_writel (ohci, (val & RH_A_NPS) ? 0 : RH_B_PPCM, + &ohci->regs->roothub.b); +-- +2.25.1 + diff --git a/queue-4.4/vfio-pci-clear-token-on-bypass-registration-failure.patch b/queue-4.4/vfio-pci-clear-token-on-bypass-registration-failure.patch new file mode 100644 index 00000000000..9fc0d330a86 --- /dev/null +++ b/queue-4.4/vfio-pci-clear-token-on-bypass-registration-failure.patch @@ -0,0 +1,47 @@ +From 800e09317d38ac8bd77ece7e0ddc4cf57b595d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Oct 2020 07:13:55 -0600 +Subject: vfio/pci: Clear token on bypass registration failure + +From: Alex Williamson + +[ Upstream commit 852b1beecb6ff9326f7ca4bc0fe69ae860ebdb9e ] + +The eventfd context is used as our irqbypass token, therefore if an +eventfd is re-used, our token is the same. The irqbypass code will +return an -EBUSY in this case, but we'll still attempt to unregister +the producer, where if that duplicate token still exists, results in +removing the wrong object. Clear the token of failed producers so +that they harmlessly fall out when unregistered. + +Fixes: 6d7425f109d2 ("vfio: Register/unregister irq_bypass_producer") +Reported-by: guomin chen +Tested-by: guomin chen +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/pci/vfio_pci_intrs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/vfio/pci/vfio_pci_intrs.c b/drivers/vfio/pci/vfio_pci_intrs.c +index f7d48661aa944..af4f7ebb45a79 100644 +--- a/drivers/vfio/pci/vfio_pci_intrs.c ++++ b/drivers/vfio/pci/vfio_pci_intrs.c +@@ -364,11 +364,13 @@ static int vfio_msi_set_vector_signal(struct vfio_pci_device *vdev, + vdev->ctx[vector].producer.token = trigger; + vdev->ctx[vector].producer.irq = irq; + ret = irq_bypass_register_producer(&vdev->ctx[vector].producer); +- if (unlikely(ret)) ++ if (unlikely(ret)) { + dev_info(&pdev->dev, + "irq bypass producer (token %p) registration fails: %d\n", + vdev->ctx[vector].producer.token, ret); + ++ vdev->ctx[vector].producer.token = NULL; ++ } + vdev->ctx[vector].trigger = trigger; + + return 0; +-- +2.25.1 + diff --git a/queue-4.4/video-fbdev-sis-fix-null-ptr-dereference.patch b/queue-4.4/video-fbdev-sis-fix-null-ptr-dereference.patch new file mode 100644 index 00000000000..094579676d5 --- /dev/null +++ b/queue-4.4/video-fbdev-sis-fix-null-ptr-dereference.patch @@ -0,0 +1,78 @@ +From 5c1c48fe31599741baf7c4c09e3772b391eea787 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 07:52:08 -0700 +Subject: video: fbdev: sis: fix null ptr dereference + +From: Tom Rix + +[ Upstream commit ad6f93e9cd56f0b10e9b22e3e137d17a1a035242 ] + +Clang static analysis reports this representative error + +init.c:2501:18: warning: Array access (from variable 'queuedata') results + in a null pointer dereference + templ |= ((queuedata[i] & 0xc0) << 3); + +This is the problem block of code + + if(ModeNo > 0x13) { + ... + if(SiS_Pr->ChipType == SIS_730) { + queuedata = &FQBQData730[0]; + } else { + queuedata = &FQBQData[0]; + } + } else { + + } + +queuedata is not set in the else block + +Reviewing the old code, the arrays FQBQData730 and FQBQData were +used directly. + +So hoist the setting of queuedata out of the if-else block. + +Fixes: 544393fe584d ("[PATCH] sisfb update") +Signed-off-by: Tom Rix +Cc: Thomas Winischhofer +Cc: Andrew Morton +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200805145208.17727-1-trix@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/sis/init.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c +index dfe3eb769638b..fde27feae5d0c 100644 +--- a/drivers/video/fbdev/sis/init.c ++++ b/drivers/video/fbdev/sis/init.c +@@ -2428,6 +2428,11 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + + i = 0; + ++ if (SiS_Pr->ChipType == SIS_730) ++ queuedata = &FQBQData730[0]; ++ else ++ queuedata = &FQBQData[0]; ++ + if(ModeNo > 0x13) { + + /* Get VCLK */ +@@ -2445,12 +2450,6 @@ SiS_SetCRT1FIFO_630(struct SiS_Private *SiS_Pr, unsigned short ModeNo, + /* Get half colordepth */ + colorth = colortharray[(SiS_Pr->SiS_ModeType - ModeEGA)]; + +- if(SiS_Pr->ChipType == SIS_730) { +- queuedata = &FQBQData730[0]; +- } else { +- queuedata = &FQBQData[0]; +- } +- + do { + templ = SiS_CalcDelay2(SiS_Pr, queuedata[i]) * VCLK * colorth; + +-- +2.25.1 + diff --git a/queue-4.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch b/queue-4.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch new file mode 100644 index 00000000000..8262643217a --- /dev/null +++ b/queue-4.4/video-fbdev-vga16fb-fix-setting-of-pixclock-because-.patch @@ -0,0 +1,87 @@ +From c212df8eb7cc47358d18786768cdc5a98cce2890 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 18:02:27 +0100 +Subject: video: fbdev: vga16fb: fix setting of pixclock because a + pass-by-value error + +From: Colin Ian King + +[ Upstream commit c72fab81ceaa54408b827a2f0486d9a0f4be34cf ] + +The pixclock is being set locally because it is being passed as a +pass-by-value argument rather than pass-by-reference, so the computed +pixclock is never being set in var->pixclock. Fix this by passing +by reference. + +[This dates back to 2002, I found the offending commit from the git +history git://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git ] + +Addresses-Coverity: ("Unused value") +Signed-off-by: Colin Ian King +Cc: Daniel Vetter +Cc: Jani Nikula +[b.zolnierkie: minor patch summary fixup] +[b.zolnierkie: removed "Fixes:" tag (not in upstream tree)] +Signed-off-by: Bartlomiej Zolnierkiewicz +Link: https://patchwork.freedesktop.org/patch/msgid/20200723170227.996229-1-colin.king@canonical.com +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vga16fb.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/drivers/video/fbdev/vga16fb.c b/drivers/video/fbdev/vga16fb.c +index 1acdb41a8a7c3..06cee2a40a9bf 100644 +--- a/drivers/video/fbdev/vga16fb.c ++++ b/drivers/video/fbdev/vga16fb.c +@@ -243,7 +243,7 @@ static void vga16fb_update_fix(struct fb_info *info) + } + + static void vga16fb_clock_chip(struct vga16fb_par *par, +- unsigned int pixclock, ++ unsigned int *pixclock, + const struct fb_info *info, + int mul, int div) + { +@@ -259,14 +259,14 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + { 0 /* bad */, 0x00, 0x00}}; + int err; + +- pixclock = (pixclock * mul) / div; ++ *pixclock = (*pixclock * mul) / div; + best = vgaclocks; +- err = pixclock - best->pixclock; ++ err = *pixclock - best->pixclock; + if (err < 0) err = -err; + for (ptr = vgaclocks + 1; ptr->pixclock; ptr++) { + int tmp; + +- tmp = pixclock - ptr->pixclock; ++ tmp = *pixclock - ptr->pixclock; + if (tmp < 0) tmp = -tmp; + if (tmp < err) { + err = tmp; +@@ -275,7 +275,7 @@ static void vga16fb_clock_chip(struct vga16fb_par *par, + } + par->misc |= best->misc; + par->clkdiv = best->seq_clock_mode; +- pixclock = (best->pixclock * div) / mul; ++ *pixclock = (best->pixclock * div) / mul; + } + + #define FAIL(X) return -EINVAL +@@ -497,10 +497,10 @@ static int vga16fb_check_var(struct fb_var_screeninfo *var, + + if (mode & MODE_8BPP) + /* pixel clock == vga clock / 2 */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 2); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 2); + else + /* pixel clock == vga clock */ +- vga16fb_clock_chip(par, var->pixclock, info, 1, 1); ++ vga16fb_clock_chip(par, &var->pixclock, info, 1, 1); + + var->red.offset = var->green.offset = var->blue.offset = + var->transp.offset = 0; +-- +2.25.1 + diff --git a/queue-4.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch b/queue-4.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch new file mode 100644 index 00000000000..646d95fae02 --- /dev/null +++ b/queue-4.4/vmci-check-return-value-of-get_user_pages_fast-for-e.patch @@ -0,0 +1,57 @@ +From 91fc308f81c84ea7c95b20077b5d31870e6752b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Aug 2020 17:45:18 +0100 +Subject: VMCI: check return value of get_user_pages_fast() for errors + +From: Alex Dewar + +[ Upstream commit 90ca6333fd65f318c47bff425e1ea36c0a5539f6 ] + +In a couple of places in qp_host_get_user_memory(), +get_user_pages_fast() is called without properly checking for errors. If +e.g. -EFAULT is returned, this negative value will then be passed on to +qp_release_pages(), which expects a u64 as input. + +Fix this by only calling qp_release_pages() when we have a positive +number returned. + +Fixes: 06164d2b72aa ("VMCI: queue pairs implementation.") +Signed-off-by: Alex Dewar +Link: https://lore.kernel.org/r/20200825164522.412392-1-alex.dewar90@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/vmw_vmci/vmci_queue_pair.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/misc/vmw_vmci/vmci_queue_pair.c b/drivers/misc/vmw_vmci/vmci_queue_pair.c +index 3877f534fd3f4..e57340e980c4b 100644 +--- a/drivers/misc/vmw_vmci/vmci_queue_pair.c ++++ b/drivers/misc/vmw_vmci/vmci_queue_pair.c +@@ -758,8 +758,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)produce_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(produce) failed (retval=%d)", + retval); +- qp_release_pages(produce_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(produce_q->kernel_if->u.h.header_page, ++ retval, false); + err = VMCI_ERROR_NO_MEM; + goto out; + } +@@ -770,8 +771,9 @@ static int qp_host_get_user_memory(u64 produce_uva, + if (retval < (int)consume_q->kernel_if->num_pages) { + pr_debug("get_user_pages_fast(consume) failed (retval=%d)", + retval); +- qp_release_pages(consume_q->kernel_if->u.h.header_page, +- retval, false); ++ if (retval > 0) ++ qp_release_pages(consume_q->kernel_if->u.h.header_page, ++ retval, false); + qp_release_pages(produce_q->kernel_if->u.h.header_page, + produce_q->kernel_if->num_pages, false); + err = VMCI_ERROR_NO_MEM; +-- +2.25.1 + diff --git a/queue-4.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch b/queue-4.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch new file mode 100644 index 00000000000..613336c28b1 --- /dev/null +++ b/queue-4.4/wcn36xx-fix-reported-802.11n-rx_highest-rate-wcn3660.patch @@ -0,0 +1,41 @@ +From 9185d4d7150801aeb5e54145662d700b0e2f6730 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Aug 2020 01:48:24 +0100 +Subject: wcn36xx: Fix reported 802.11n rx_highest rate wcn3660/wcn3680 + +From: Bryan O'Donoghue + +[ Upstream commit 3b9fb6791e7113679b1eb472e6ce1659e80f5797 ] + +Qualcomm's document "80-WL007-1 Rev. J" states that the highest rx rate for +the WCN3660 and WCN3680 on MCS 7 is 150 Mbps not the 72 Mbps stated here. + +This patch fixes the data-rate declared in the 5GHz table. + +Fixes: 8e84c2582169 ("wcn36xx: mac80211 driver for Qualcomm WCN3660/WCN3680 +hardware") + +Signed-off-by: Bryan O'Donoghue +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20200802004824.1307124-1-bryan.odonoghue@linaro.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/wcn36xx/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/wcn36xx/main.c b/drivers/net/wireless/ath/wcn36xx/main.c +index a27279c2c6950..274d114962e8a 100644 +--- a/drivers/net/wireless/ath/wcn36xx/main.c ++++ b/drivers/net/wireless/ath/wcn36xx/main.c +@@ -156,7 +156,7 @@ static struct ieee80211_supported_band wcn_band_5ghz = { + .ampdu_density = IEEE80211_HT_MPDU_DENSITY_16, + .mcs = { + .rx_mask = { 0xff, 0, 0, 0, 0, 0, 0, 0, 0, 0, }, +- .rx_highest = cpu_to_le16(72), ++ .rx_highest = cpu_to_le16(150), + .tx_params = IEEE80211_HT_MCS_TX_DEFINED, + } + } +-- +2.25.1 + diff --git a/queue-4.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch b/queue-4.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch new file mode 100644 index 00000000000..de2b52a7ad1 --- /dev/null +++ b/queue-4.4/xfs-make-sure-the-rt-allocator-doesn-t-run-off-the-e.patch @@ -0,0 +1,58 @@ +From 69733d159a5a98a932a466af8dd1a3a81fb641e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Sep 2020 14:21:06 -0700 +Subject: xfs: make sure the rt allocator doesn't run off the end + +From: Darrick J. Wong + +[ Upstream commit 2a6ca4baed620303d414934aa1b7b0a8e7bab05f ] + +There's an overflow bug in the realtime allocator. If the rt volume is +large enough to handle a single allocation request that is larger than +the maximum bmap extent length and the rt bitmap ends exactly on a +bitmap block boundary, it's possible that the near allocator will try to +check the freeness of a range that extends past the end of the bitmap. +This fails with a corruption error and shuts down the fs. + +Therefore, constrain maxlen so that the range scan cannot run off the +end of the rt bitmap. + +Signed-off-by: Darrick J. Wong +Reviewed-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/xfs/xfs_rtalloc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/fs/xfs/xfs_rtalloc.c b/fs/xfs/xfs_rtalloc.c +index 919b6544b61a3..bda5248fc6498 100644 +--- a/fs/xfs/xfs_rtalloc.c ++++ b/fs/xfs/xfs_rtalloc.c +@@ -256,6 +256,9 @@ xfs_rtallocate_extent_block( + end = XFS_BLOCKTOBIT(mp, bbno + 1) - 1; + i <= end; + i++) { ++ /* Make sure we don't scan off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, i + maxlen) - i; ++ + /* + * See if there's a free extent of maxlen starting at i. + * If it's not so then next will contain the first non-free. +@@ -447,6 +450,14 @@ xfs_rtallocate_extent_near( + */ + if (bno >= mp->m_sb.sb_rextents) + bno = mp->m_sb.sb_rextents - 1; ++ ++ /* Make sure we don't run off the end of the rt volume. */ ++ maxlen = min(mp->m_sb.sb_rextents, bno + maxlen) - bno; ++ if (maxlen < minlen) { ++ *rtblock = NULLRTBLOCK; ++ return 0; ++ } ++ + /* + * Try the exact allocation first. + */ +-- +2.25.1 +