From: Greg Kroah-Hartman Date: Fri, 1 Apr 2022 10:38:41 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.14.275~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=42afee8f39147ebc95e7272b61b569b5f9ee6eeb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: clk-uniphier-fix-fixed-rate-initialization.patch coresight-fix-trcconfigr.qe-sysfs-interface.patch documentation-add-link-to-stable-release-candidate-tree.patch documentation-update-stable-tree-link.patch iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch iio-inkern-make-a-best-effort-on-offset-calculation.patch nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch --- diff --git a/queue-4.14/clk-uniphier-fix-fixed-rate-initialization.patch b/queue-4.14/clk-uniphier-fix-fixed-rate-initialization.patch new file mode 100644 index 00000000000..166193238a1 --- /dev/null +++ b/queue-4.14/clk-uniphier-fix-fixed-rate-initialization.patch 
@@ -0,0 +1,35 @@ +From ca85a66710a8a1f6b0719397225c3e9ee0abb692 Mon Sep 17 00:00:00 2001 +From: Kunihiko Hayashi +Date: Wed, 9 Mar 2022 15:55:18 +0900 +Subject: clk: uniphier: Fix fixed-rate initialization + +From: Kunihiko Hayashi + +commit ca85a66710a8a1f6b0719397225c3e9ee0abb692 upstream. + +Fixed-rate clocks in UniPhier don't have any parent clocks, however, +initial data "init.flags" isn't initialized, so it might be determined +that there is a parent clock for fixed-rate clock. + +This sets init.flags to zero as initialization. + +Cc: +Fixes: 734d82f4a678 ("clk: uniphier: add core support code for UniPhier clock driver") +Signed-off-by: Kunihiko Hayashi +Link: https://lore.kernel.org/r/1646808918-30899-1-git-send-email-hayashi.kunihiko@socionext.com +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman +--- + drivers/clk/uniphier/clk-uniphier-fixed-rate.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/clk/uniphier/clk-uniphier-fixed-rate.c ++++ b/drivers/clk/uniphier/clk-uniphier-fixed-rate.c +@@ -33,6 +33,7 @@ struct clk_hw *uniphier_clk_register_fix + + init.name = name; + init.ops = &clk_fixed_rate_ops; ++ init.flags = 0; + init.parent_names = NULL; + init.num_parents = 0; + diff --git a/queue-4.14/coresight-fix-trcconfigr.qe-sysfs-interface.patch b/queue-4.14/coresight-fix-trcconfigr.qe-sysfs-interface.patch new file mode 100644 index 00000000000..91179516951 --- /dev/null +++ b/queue-4.14/coresight-fix-trcconfigr.qe-sysfs-interface.patch 
@@ -0,0 +1,56 @@ +From ea75a342aed5ed72c87f38fbe0df2f5df7eae374 Mon Sep 17 00:00:00 2001 +From: James Clark +Date: Thu, 20 Jan 2022 11:30:47 +0000 +Subject: coresight: Fix TRCCONFIGR.QE sysfs interface + +From: James Clark + +commit ea75a342aed5ed72c87f38fbe0df2f5df7eae374 upstream. + +It's impossible to program a valid value for TRCCONFIGR.QE +when TRCIDR0.QSUPP==0b10. In that case the following is true: + + Q element support is implemented, and only supports Q elements without + instruction counts. TRCCONFIGR.QE can only take the values 0b00 or 0b11. + +Currently the low bit of QSUPP is checked to see if the low bit of QE can +be written to, but as you can see when QSUPP==0b10 the low bit is cleared +making it impossible to ever write the only valid value of 0b11 to QE. +0b10 would be written instead, which is a reserved QE value even for all +values of QSUPP. + +The fix is to allow writing the low bit of QE for any non zero value of +QSUPP. + +This change also ensures that the low bit is always set, even when the +user attempts to only set the high bit. 
+ +Signed-off-by: James Clark +Reviewed-by: Mike Leach +Fixes: d8c66962084f ("coresight-etm4x: Controls pertaining to the reset, mode, pe and events") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220120113047.2839622-2-james.clark@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Suzuki K Poulose +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm4x-sysfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c ++++ b/drivers/hwtracing/coresight/coresight-etm4x-sysfs.c +@@ -379,8 +379,12 @@ static ssize_t mode_store(struct device + mode = ETM_MODE_QELEM(config->mode); + /* start by clearing QE bits */ + config->cfg &= ~(BIT(13) | BIT(14)); +- /* if supported, Q elements with instruction counts are enabled */ +- if ((mode & BIT(0)) && (drvdata->q_support & BIT(0))) ++ /* ++ * if supported, Q elements with instruction counts are enabled. ++ * Always set the low bit for any requested mode. Valid combos are ++ * 0b00, 0b01 and 0b11. ++ */ ++ if (mode && drvdata->q_support) + config->cfg |= BIT(13); + /* + * if supported, Q elements with and without instruction diff --git a/queue-4.14/documentation-add-link-to-stable-release-candidate-tree.patch b/queue-4.14/documentation-add-link-to-stable-release-candidate-tree.patch new file mode 100644 index 00000000000..d72e7000956 --- /dev/null +++ b/queue-4.14/documentation-add-link-to-stable-release-candidate-tree.patch 
@@ -0,0 +1,42 @@ +From 587d39b260c4d090166314d64be70b1f6a26b0b5 Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:28 +0700 +Subject: Documentation: add link to stable release candidate tree + +From: Bagas Sanjaya + +commit 587d39b260c4d090166314d64be70b1f6a26b0b5 upstream. + +There is also stable release candidate tree. Mention it, however with a +warning that the tree is for testing purposes. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-5-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -173,6 +173,15 @@ Trees + + https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git + ++ - The release candidate of all stable kernel versions can be found at: ++ ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git/ ++ ++ .. warning:: ++ The -stable-rc tree is a snapshot in time of the stable-queue tree and ++ will change frequently, hence will be rebased often. It should only be ++ used for testing purposes (e.g. to be consumed by CI systems). ++ + + Review committee + ---------------- diff --git a/queue-4.14/documentation-update-stable-tree-link.patch b/queue-4.14/documentation-update-stable-tree-link.patch new file mode 100644 index 00000000000..ca23ce472ca --- /dev/null +++ b/queue-4.14/documentation-update-stable-tree-link.patch 
@@ -0,0 +1,36 @@ +From 555d44932c67e617d89bc13c81c7efac5b51fcfa Mon Sep 17 00:00:00 2001 +From: Bagas Sanjaya +Date: Mon, 14 Mar 2022 18:33:29 +0700 +Subject: Documentation: update stable tree link + +From: Bagas Sanjaya + +commit 555d44932c67e617d89bc13c81c7efac5b51fcfa upstream. + +The link to stable tree is redirected to +https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git. Update +accordingly. + +Cc: Greg Kroah-Hartman +Cc: Sasha Levin +Cc: Jonathan Corbet +Cc: stable@vger.kernel.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Bagas Sanjaya +Link: https://lore.kernel.org/r/20220314113329.485372-6-bagasdotme@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/stable-kernel-rules.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/process/stable-kernel-rules.rst ++++ b/Documentation/process/stable-kernel-rules.rst +@@ -171,7 +171,7 @@ Trees + - The finalized and tagged releases of all stable kernels can be found + in separate branches per version at: + +- https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git ++ https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git + + - The release candidate of all stable kernel versions can be found at: + diff --git a/queue-4.14/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch b/queue-4.14/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch new file mode 100644 index 00000000000..643e3c62d4c --- /dev/null +++ b/queue-4.14/iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch 
@@ -0,0 +1,42 @@ +From 1bca97ff95c732a516ebb68da72814194980e0a5 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:04 -0500 +Subject: iio: inkern: apply consumer scale on IIO_VAL_INT cases + +From: Liam Beguin + +commit 1bca97ff95c732a516ebb68da72814194980e0a5 upstream. + +When a consumer calls iio_read_channel_processed() and the channel has +an integer scale, the scale channel scale is applied and the processed +value is returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-2-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -612,7 +612,7 @@ static int iio_convert_raw_to_processed_ + + switch (scale_type) { + case IIO_VAL_INT: +- *processed = raw64 * scale_val; ++ *processed = raw64 * scale_val * scale; + break; + case IIO_VAL_INT_PLUS_MICRO: + if (scale_val2 < 0) diff --git a/queue-4.14/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch b/queue-4.14/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch new file mode 100644 index 00000000000..d07a8b0dd3a --- /dev/null +++ b/queue-4.14/iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch 
@@ -0,0 +1,47 @@ +From 14b457fdde38de594a4bc4bd9075019319d978da Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:05 -0500 +Subject: iio: inkern: apply consumer scale when no channel scale is available + +From: Liam Beguin + +commit 14b457fdde38de594a4bc4bd9075019319d978da upstream. + +When a consumer calls iio_read_channel_processed() and no channel scale +is available, it's assumed that the scale is one and the raw value is +returned as expected. + +On the other hand, if the consumer calls iio_convert_raw_to_processed() +the scaling factor requested by the consumer is not applied. + +This for example causes the consumer to process mV when expecting uV. +Make sure to always apply the scaling factor requested by the consumer. + +Fixes: adc8ec5ff183 ("iio: inkern: pass through raw values if no scaling") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-3-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -603,10 +603,10 @@ static int iio_convert_raw_to_processed_ + IIO_CHAN_INFO_SCALE); + if (scale_type < 0) { + /* +- * Just pass raw values as processed if no scaling is +- * available. ++ * If no channel scaling is available apply consumer scale to ++ * raw value and return. + */ +- *processed = raw; ++ *processed = raw * scale; + return 0; + } + diff --git a/queue-4.14/iio-inkern-make-a-best-effort-on-offset-calculation.patch b/queue-4.14/iio-inkern-make-a-best-effort-on-offset-calculation.patch new file mode 100644 index 00000000000..28fcd3acc62 --- /dev/null +++ b/queue-4.14/iio-inkern-make-a-best-effort-on-offset-calculation.patch 
@@ -0,0 +1,68 @@ +From ca85123354e1a65a22170286387b4791997fe864 Mon Sep 17 00:00:00 2001 +From: Liam Beguin +Date: Sat, 8 Jan 2022 15:53:06 -0500 +Subject: iio: inkern: make a best effort on offset calculation + +From: Liam Beguin + +commit ca85123354e1a65a22170286387b4791997fe864 upstream. + +iio_convert_raw_to_processed_unlocked() assumes the offset is an +integer. Make a best effort to get a valid offset value for fractional +cases without breaking implicit truncations. + +Fixes: 48e44ce0f881 ("iio:inkern: Add function to read the processed value") +Signed-off-by: Liam Beguin +Reviewed-by: Peter Rosin +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220108205319.2046348-4-liambeguin@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/inkern.c | 32 +++++++++++++++++++++++++++----- + 1 file changed, 27 insertions(+), 5 deletions(-) + +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -591,13 +591,35 @@ EXPORT_SYMBOL_GPL(iio_read_channel_avera + static int iio_convert_raw_to_processed_unlocked(struct iio_channel *chan, + int raw, int *processed, unsigned int scale) + { +- int scale_type, scale_val, scale_val2, offset; ++ int scale_type, scale_val, scale_val2; ++ int offset_type, offset_val, offset_val2; + s64 raw64 = raw; +- int ret; + +- ret = iio_channel_read(chan, &offset, NULL, IIO_CHAN_INFO_OFFSET); +- if (ret >= 0) +- raw64 += offset; ++ offset_type = iio_channel_read(chan, &offset_val, &offset_val2, ++ IIO_CHAN_INFO_OFFSET); ++ if (offset_type >= 0) { ++ switch (offset_type) { ++ case IIO_VAL_INT: ++ break; ++ case IIO_VAL_INT_PLUS_MICRO: ++ case IIO_VAL_INT_PLUS_NANO: ++ /* ++ * Both IIO_VAL_INT_PLUS_MICRO and IIO_VAL_INT_PLUS_NANO ++ * implicitely truncate the offset to it's integer form. 
++ */ ++ break; ++ case IIO_VAL_FRACTIONAL: ++ offset_val /= offset_val2; ++ break; ++ case IIO_VAL_FRACTIONAL_LOG2: ++ offset_val >>= offset_val2; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ raw64 += offset_val; ++ } + + scale_type = iio_channel_read(chan, &scale_val, &scale_val2, + IIO_CHAN_INFO_SCALE); diff --git a/queue-4.14/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch b/queue-4.14/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch new file mode 100644 index 00000000000..18c1b19fa82 --- /dev/null +++ b/queue-4.14/nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch @@ -0,0 +1,47 @@ +From 184416d4b98509fb4c3d8fc3d6dc1437896cc159 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 15 Mar 2022 13:30:09 +0300 +Subject: NFSD: prevent underflow in nfssvc_decode_writeargs() + +From: Dan Carpenter + +commit 184416d4b98509fb4c3d8fc3d6dc1437896cc159 upstream. + +Smatch complains: + + fs/nfsd/nfsxdr.c:341 nfssvc_decode_writeargs() + warn: no lower bound on 'args->len' + +Change the type to unsigned to prevent this issue. + +Cc: stable@vger.kernel.org +Signed-off-by: Dan Carpenter +Signed-off-by: Chuck Lever +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfsproc.c | 2 +- + fs/nfsd/xdr.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/nfsproc.c ++++ b/fs/nfsd/nfsproc.c +@@ -227,7 +227,7 @@ nfsd_proc_write(struct svc_rqst *rqstp) + __be32 nfserr; + unsigned long cnt = argp->len; + +- dprintk("nfsd: WRITE %s %d bytes at %d\n", ++ dprintk("nfsd: WRITE %s %u bytes at %d\n", + SVCFH_fmt(&argp->fh), + argp->len, argp->offset); + +--- a/fs/nfsd/xdr.h ++++ b/fs/nfsd/xdr.h +@@ -33,7 +33,7 @@ struct nfsd_readargs { + struct nfsd_writeargs { + svc_fh fh; + __u32 offset; +- int len; ++ __u32 len; + int vlen; + }; + 
diff --git a/queue-4.14/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch b/queue-4.14/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch new file mode 100644 index 00000000000..2acb972c977 --- /dev/null +++ b/queue-4.14/pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch 
@@ -0,0 +1,83 @@ +From 50ebd19e3585b9792e994cfa8cbee8947fe06371 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Tue, 11 Jan 2022 21:13:59 +0100 +Subject: pinctrl: samsung: drop pin banks references on error paths + +From: Krzysztof Kozlowski + +commit 50ebd19e3585b9792e994cfa8cbee8947fe06371 upstream. + +The driver iterates over its devicetree children with +for_each_child_of_node() and stores for later found node pointer. This +has to be put in error paths to avoid leak during re-probing. + +Fixes: ab663789d697 ("pinctrl: samsung: Match pin banks with their device nodes") +Cc: +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sam Protsenko +Reviewed-by: Chanho Park +Link: https://lore.kernel.org/r/20220111201426.326777-2-krzysztof.kozlowski@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/samsung/pinctrl-samsung.c | 30 +++++++++++++++++++++++------- + 1 file changed, 23 insertions(+), 7 deletions(-) + +--- a/drivers/pinctrl/samsung/pinctrl-samsung.c ++++ b/drivers/pinctrl/samsung/pinctrl-samsung.c +@@ -975,6 +975,16 @@ samsung_pinctrl_get_soc_data_for_of_alia + return &(of_data->ctrl[id]); + } + ++static void samsung_banks_of_node_put(struct samsung_pinctrl_drv_data *d) ++{ ++ struct samsung_pin_bank *bank; ++ unsigned int i; ++ ++ bank = d->pin_banks; ++ for (i = 0; i < d->nr_banks; ++i, ++bank) ++ of_node_put(bank->of_node); ++} ++ + /* retrieve the soc specific data */ + static const struct samsung_pin_ctrl * + samsung_pinctrl_get_soc_data(struct samsung_pinctrl_drv_data *d, +@@ -1089,19 +1099,19 @@ static int samsung_pinctrl_probe(struct + if (ctrl->retention_data) { + drvdata->retention_ctrl = ctrl->retention_data->init(drvdata, + ctrl->retention_data); +- if (IS_ERR(drvdata->retention_ctrl)) +- return PTR_ERR(drvdata->retention_ctrl); ++ if (IS_ERR(drvdata->retention_ctrl)) { ++ ret = PTR_ERR(drvdata->retention_ctrl); ++ goto err_put_banks; ++ } + } + + ret = samsung_pinctrl_register(pdev, drvdata); + if (ret) +- return ret; 
++ goto err_put_banks; + + ret = samsung_gpiolib_register(pdev, drvdata); +- if (ret) { +- samsung_pinctrl_unregister(pdev, drvdata); +- return ret; +- } ++ if (ret) ++ goto err_unregister; + + if (ctrl->eint_gpio_init) + ctrl->eint_gpio_init(drvdata); +@@ -1111,6 +1121,12 @@ static int samsung_pinctrl_probe(struct + platform_set_drvdata(pdev, drvdata); + + return 0; ++ ++err_unregister: ++ samsung_pinctrl_unregister(pdev, drvdata); ++err_put_banks: ++ samsung_banks_of_node_put(drvdata); ++ return ret; + } + + /** diff --git a/queue-4.14/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch b/queue-4.14/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch new file mode 100644 index 00000000000..2fba96a479d --- /dev/null +++ b/queue-4.14/ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch 
@@ -0,0 +1,105 @@ +From ee1fee900537b5d9560e9f937402de5ddc8412f3 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Sat, 19 Mar 2022 02:08:37 +0100 +Subject: ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE + +From: Jann Horn + +commit ee1fee900537b5d9560e9f937402de5ddc8412f3 upstream. + +Setting PTRACE_O_SUSPEND_SECCOMP is supposed to be a highly privileged +operation because it allows the tracee to completely bypass all seccomp +filters on kernels with CONFIG_CHECKPOINT_RESTORE=y. It is only supposed to +be settable by a process with global CAP_SYS_ADMIN, and only if that +process is not subject to any seccomp filters at all. + +However, while these permission checks were done on the PTRACE_SETOPTIONS +path, they were missing on the PTRACE_SEIZE path, which also sets +user-specified ptrace flags. + +Move the permissions checks out into a helper function and let both +ptrace_attach() and ptrace_setoptions() call it. + +Cc: stable@kernel.org +Fixes: 13c4a90119d2 ("seccomp: add ptrace options for suspend/resume") +Signed-off-by: Jann Horn +Link: https://lkml.kernel.org/r/20220319010838.1386861-1-jannh@google.com +Signed-off-by: Eric W. 
Biederman +Signed-off-by: Greg Kroah-Hartman +--- + kernel/ptrace.c | 47 ++++++++++++++++++++++++++++++++--------------- + 1 file changed, 32 insertions(+), 15 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -370,6 +370,26 @@ bool ptrace_may_access(struct task_struc + return !err; + } + ++static int check_ptrace_options(unsigned long data) ++{ ++ if (data & ~(unsigned long)PTRACE_O_MASK) ++ return -EINVAL; ++ ++ if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { ++ if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || ++ !IS_ENABLED(CONFIG_SECCOMP)) ++ return -EINVAL; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || ++ current->ptrace & PT_SUSPEND_SECCOMP) ++ return -EPERM; ++ } ++ return 0; ++} ++ + static int ptrace_attach(struct task_struct *task, long request, + unsigned long addr, + unsigned long flags) +@@ -381,8 +401,16 @@ static int ptrace_attach(struct task_str + if (seize) { + if (addr != 0) + goto out; ++ /* ++ * This duplicates the check in check_ptrace_options() because ++ * ptrace_attach() and ptrace_setoptions() have historically ++ * used different error codes for unknown ptrace options. 
++ */ + if (flags & ~(unsigned long)PTRACE_O_MASK) + goto out; ++ retval = check_ptrace_options(flags); ++ if (retval) ++ return retval; + flags = PT_PTRACED | PT_SEIZED | (flags << PT_OPT_FLAG_SHIFT); + } else { + flags = PT_PTRACED; +@@ -655,22 +683,11 @@ int ptrace_writedata(struct task_struct + static int ptrace_setoptions(struct task_struct *child, unsigned long data) + { + unsigned flags; ++ int ret; + +- if (data & ~(unsigned long)PTRACE_O_MASK) +- return -EINVAL; +- +- if (unlikely(data & PTRACE_O_SUSPEND_SECCOMP)) { +- if (!IS_ENABLED(CONFIG_CHECKPOINT_RESTORE) || +- !IS_ENABLED(CONFIG_SECCOMP)) +- return -EINVAL; +- +- if (!capable(CAP_SYS_ADMIN)) +- return -EPERM; +- +- if (seccomp_mode(¤t->seccomp) != SECCOMP_MODE_DISABLED || +- current->ptrace & PT_SUSPEND_SECCOMP) +- return -EPERM; +- } ++ ret = check_ptrace_options(data); ++ if (ret) ++ return ret; + + /* Avoid intermediate state when all opts are cleared */ + flags = child->ptrace; diff --git a/queue-4.14/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch b/queue-4.14/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch new file mode 100644 index 00000000000..b4dd5ebe7ce --- /dev/null +++ b/queue-4.14/serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch 
@@ -0,0 +1,42 @@ +From 927728a34f11b5a27f4610bdb7068317d6fdc72a Mon Sep 17 00:00:00 2001 +From: Hui Wang +Date: Tue, 8 Mar 2022 19:00:42 +0800 +Subject: serial: sc16is7xx: Clear RS485 bits in the shutdown + +From: Hui Wang + +commit 927728a34f11b5a27f4610bdb7068317d6fdc72a upstream. + +We tested RS485 function on an EVB which has SC16IS752, after +finishing the test, we started the RS232 function test, but found the +RTS is still working in the RS485 mode. + +That is because both startup and shutdown call port_update() to set +the EFCR_REG, this will not clear the RS485 bits once the bits are set +in the reconf_rs485(). To fix it, clear the RS485 bits in shutdown. + +Cc: +Signed-off-by: Hui Wang +Link: https://lore.kernel.org/r/20220308110042.108451-1-hui.wang@canonical.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/sc16is7xx.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/tty/serial/sc16is7xx.c ++++ b/drivers/tty/serial/sc16is7xx.c +@@ -1056,10 +1056,12 @@ static void sc16is7xx_shutdown(struct ua + + /* Disable all interrupts */ + sc16is7xx_port_write(port, SC16IS7XX_IER_REG, 0); +- /* Disable TX/RX */ ++ /* Disable TX/RX, clear auto RS485 and RTS invert */ + sc16is7xx_port_update(port, SC16IS7XX_EFCR_REG, + SC16IS7XX_EFCR_RXDISABLE_BIT | +- SC16IS7XX_EFCR_TXDISABLE_BIT, ++ SC16IS7XX_EFCR_TXDISABLE_BIT | ++ SC16IS7XX_EFCR_AUTO_RS485_BIT | ++ SC16IS7XX_EFCR_RTS_INVERT_BIT, + SC16IS7XX_EFCR_RXDISABLE_BIT | + SC16IS7XX_EFCR_TXDISABLE_BIT); + diff --git a/queue-4.14/series b/queue-4.14/series index fd405cd08e7..27cb154f1df 100644 --- a/queue-4.14/series +++ b/queue-4.14/series 
@@ -12,3 +12,15 @@ tpm-fix-reference-counting-for-struct-tpm_chip.patch block-add-a-helper-to-validate-the-block-size.patch virtio-blk-use-blk_validate_block_size-to-validate-block-size.patch usb-usb-storage-fix-use-of-bitfields-for-hardware-data-in-ene_ub6250.c.patch +coresight-fix-trcconfigr.qe-sysfs-interface.patch +iio-inkern-apply-consumer-scale-on-iio_val_int-cases.patch +iio-inkern-apply-consumer-scale-when-no-channel-scale-is-available.patch +iio-inkern-make-a-best-effort-on-offset-calculation.patch +clk-uniphier-fix-fixed-rate-initialization.patch +ptrace-check-ptrace_o_suspend_seccomp-permission-on-ptrace_seize.patch +serial-sc16is7xx-clear-rs485-bits-in-the-shutdown.patch +documentation-add-link-to-stable-release-candidate-tree.patch +documentation-update-stable-tree-link.patch +sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch +nfsd-prevent-underflow-in-nfssvc_decode_writeargs.patch +pinctrl-samsung-drop-pin-banks-references-on-error-paths.patch diff --git a/queue-4.14/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch b/queue-4.14/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch new file mode 100644 index 00000000000..d3f87c869ba --- /dev/null +++ b/queue-4.14/sunrpc-avoid-race-between-mod_timer-and-del_timer_sync.patch 
@@ -0,0 +1,49 @@ +From 3848e96edf4788f772d83990022fa7023a233d83 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 8 Mar 2022 13:42:17 +1100 +Subject: SUNRPC: avoid race between mod_timer() and del_timer_sync() + +From: NeilBrown + +commit 3848e96edf4788f772d83990022fa7023a233d83 upstream. + +xprt_destory() claims XPRT_LOCKED and then calls del_timer_sync(). +Both xprt_unlock_connect() and xprt_release() call + ->release_xprt() +which drops XPRT_LOCKED and *then* xprt_schedule_autodisconnect() +which calls mod_timer(). + +This may result in mod_timer() being called *after* del_timer_sync(). +When this happens, the timer may fire long after the xprt has been freed, +and run_timer_softirq() will probably crash. + +The pairing of ->release_xprt() and xprt_schedule_autodisconnect() is +always called under ->transport_lock. So if we take ->transport_lock to +call del_timer_sync(), we can be sure that mod_timer() will run first +(if it runs at all). + +Cc: stable@vger.kernel.org +Signed-off-by: NeilBrown +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman +--- + net/sunrpc/xprt.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1520,7 +1520,14 @@ static void xprt_destroy(struct rpc_xprt + */ + wait_on_bit_lock(&xprt->state, XPRT_LOCKED, TASK_UNINTERRUPTIBLE); + ++ /* ++ * xprt_schedule_autodisconnect() can run after XPRT_LOCKED ++ * is cleared. We use ->transport_lock to ensure the mod_timer() ++ * can only run *before* del_time_sync(), never after. ++ */ ++ spin_lock(&xprt->transport_lock); + del_timer_sync(&xprt->timer); ++ spin_unlock(&xprt->transport_lock); + + /* + * Destroy sockets etc from the system workqueue so they can
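Review bot: in the clk-uniphier-fixed-rate.c hunk, `init` is still filled in one member at a time (name, ops, now flags, parent_names, num_parents), so any member not listed stays uninitialized, which is the same class of bug the commit message describes for `init.flags`. Zero-initializing the structure where it is declared would cover `flags` and any member added later, and the explicit `init.flags = 0;` would then be unnecessary.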
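Review bot: in mode_store() in coresight-etm4x-sysfs.c, the new condition `if (mode && drvdata->q_support)` sets BIT(13) for a requested mode of 0b01 even when q_support is 0b10, and the commit message says that QE may then only be 0b00 or 0b11. Whether BIT(14) is also set in that case depends on the following block, which is cut off in this hunk, so the combination mode 0b01 with QSUPP 0b10 should be checked and either promoted to 0b11 or rejected. The comment also still opens with "if supported, Q elements with instruction counts are enabled", which no longer matches a test that ignores the low bit of q_support.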
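Review bot: in the IIO_VAL_INT case of drivers/iio/inkern.c, `raw64 * scale_val * scale` is computed in 64 bits and then stored through `int *processed` (the signature is visible in the offset-calculation patch), so the extra factor makes silent truncation more likely than before. A range check on the 64-bit product before the store, with an error return when it does not fit in an int, would keep a consumer from acting on a wrapped value.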
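Review bot: in the `scale_type < 0` branch of drivers/iio/inkern.c, `raw * scale` multiplies an `int` by an `unsigned int`, so the arithmetic is done unsigned and a negative raw value only comes out right as long as the true product fits in 32 bits. Doing the multiply as `(s64)raw * scale`, as the other branches do with raw64, and checking the range before the store would make this explicit. This branch also uses `raw` rather than `raw64`, so the offset added to raw64 just above (see the offset-calculation patch) is not part of the returned value; if that is intended, the comment should say so.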
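Review bot: in the new offset switch in iio_convert_raw_to_processed_unlocked(), `offset_val /= offset_val2;` has no check for a zero divisor, and `offset_val >>= offset_val2;` has no check that the shift count is non-negative and smaller than the width of int. Both values come back from iio_channel_read(), so a provider reporting IIO_VAL_FRACTIONAL with a zero denominator would fault here; return -EINVAL for those inputs, as the `default:` case already does for unknown types.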
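Review bot: in the fs/nfsd/nfsproc.c hunk, the dprintk() format was changed to `%u` for `argp->len` but still prints `argp->offset` with `%d`, although the xdr.h hunk shows `__u32 offset;` in the same structure. Change it to `%u bytes at %u` so that large offsets are not logged as negative numbers.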
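Review bot: in the ptrace_attach() hunk of kernel/ptrace.c, the new check leaves with `return retval;` while the two checks directly above it leave with `goto out;`. The `out:` label is not visible in this hunk, so either confirm that it does nothing on the error path or use `goto out;` here too, so that all early exits in the seize branch go the same way. The comment explaining the duplicated PTRACE_O_MASK test is helpful; it would be worth adding that check_ptrace_options() must stay the only place the PTRACE_O_SUSPEND_SECCOMP permission test lives, since the bug being fixed was a second path that missed it.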
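Review bot: in xprt_destroy() in net/sunrpc/xprt.c, del_timer_sync() is now called with `xprt->transport_lock` held, and del_timer_sync() waits for a running timer callback to finish. If the callback for `xprt->timer` in this 4.14 tree takes transport_lock itself, this will deadlock; the callback is not visible in the hunk, so that needs to be checked against the backport target rather than assumed from upstream. It is also worth confirming that plain spin_lock() is the variant other users of transport_lock use in this tree. Minor: the added comment says `del_time_sync()` where `del_timer_sync()` is meant.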