From: Greg Kroah-Hartman Date: Sun, 14 Nov 2021 14:36:29 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.160~82 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=48f980e374c79e3f7db647262f10b8f75e1c0ed0;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: iio-dac-ad5446-fix-ad5622_write-return-value.patch pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch usb-chipidea-fix-interrupt-deadlock.patch usb-iowarrior-fix-control-message-timeouts.patch usb-serial-keyspan-fix-memleak-on-probe-errors.patch
---
diff --git a/queue-5.4/iio-dac-ad5446-fix-ad5622_write-return-value.patch b/queue-5.4/iio-dac-ad5446-fix-ad5622_write-return-value.patch
new file mode 100644
index 00000000000..889706073ea
--- /dev/null
+++ b/queue-5.4/iio-dac-ad5446-fix-ad5622_write-return-value.patch
@@ -0,0 +1,47 @@
+From 558df982d4ead9cac628153d0d7b60feae05ddc8 Mon Sep 17 00:00:00 2001
+From: Pekka Korpinen
+Date: Wed, 29 Sep 2021 21:57:55 +0300
+Subject: iio: dac: ad5446: Fix ad5622_write() return value
+
+From: Pekka Korpinen
+
+commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream.
+
+On success i2c_master_send() returns the number of bytes written. The
+call from iio_write_channel_info(), however, expects the return value to
+be zero on success.
+
+This bug causes incorrect consumption of the sysfs buffer in
+iio_write_channel_info(). When writing more than two characters to
+out_voltage0_raw, the ad5446 write handler is called multiple times
+causing unexpected behavior.
+
+Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs")
+Signed-off-by: Pekka Korpinen
+Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi
+Cc:
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/iio/dac/ad5446.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/drivers/iio/dac/ad5446.c
++++ b/drivers/iio/dac/ad5446.c
+@@ -527,8 +527,15 @@ static int ad5622_write(struct ad5446_st
+ {
+ struct i2c_client *client = to_i2c_client(st->dev);
+ __be16 data = cpu_to_be16(val);
++ int ret;
+
+- return i2c_master_send(client, (char *)&data, sizeof(data));
++ ret = i2c_master_send(client, (char *)&data, sizeof(data));
++ if (ret < 0)
++ return ret;
++ if (ret != sizeof(data))
++ return -EIO;
++
++ return 0;
+ }
+
+ /**
diff --git a/queue-5.4/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch b/queue-5.4/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch
new file mode 100644
index 00000000000..ab8de754ed2
--- /dev/null
+++ b/queue-5.4/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch
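Review bot: In ad5622_write() the order of the two new checks is load-bearing and deserves a comment: `ret != sizeof(data)` compares an int with a size_t, so if the `ret < 0` test were ever moved or dropped a negative return would be converted to unsigned and reported as -EIO instead of the original errno. I would add `/* i2c_master_send() returns the byte count; test < 0 first, the size compare is unsigned */` above the call, or write the second test as `if (ret != (int)sizeof(data))`. The function's signature is only visible truncated in the hunk header, so its parameters cannot be checked from here.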
@@ -0,0 +1,49 @@
+From c7892ae13e461ed20154321eb792e07ebe38f5b3 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang
+Date: Fri, 22 Oct 2021 09:43:23 +0800
+Subject: pinctrl: core: fix possible memory leak in pinctrl_enable()
+
+From: Yang Yingliang
+
+commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream.
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888020a7a680 (size 64):
+ comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s)
+ hex dump (first 32 bytes):
+ 00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360
+ [<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70
+ [<0000000064346707>] pinctrl_register+0x27/0x80
+ [<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0
+ [<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08]
+ [<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c]
+
+If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin()
+need be freed.
+
+Cc: stable@vger.kernel.org
+Reported-by: Hulk Robot
+Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/pinctrl/core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/pinctrl/core.c
++++ b/drivers/pinctrl/core.c
+@@ -2055,6 +2055,8 @@ int pinctrl_enable(struct pinctrl_dev *p
+ if (error) {
+ dev_err(pctldev->dev, "could not claim hogs: %i\n",
+ error);
++ pinctrl_free_pindescs(pctldev, pctldev->desc->pins,
++ pctldev->desc->npins);
+ mutex_destroy(&pctldev->mutex);
+ kfree(pctldev);
+
diff --git a/queue-5.4/series b/queue-5.4/series
index 4e0f30eb655..cd892299f46 100644
--- a/queue-5.4/series
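Review bot: The error branch in pinctrl_enable() now frees the pin descriptors as well as pctldev itself, yet nothing in the visible code tells the caller that it no longer owns the object after a failed call. If any caller reaches pinctrl_enable() with a pctldev whose release is also handled elsewhere (for example a devm-managed registration; not visible in this hunk, so to be confirmed), this branch would turn a failed hog claim into a dangling pointer or a double free. A comment on the branch such as `/* pctldev and its pindescs are freed here; callers must not touch pctldev after an error return */` would make the ownership contract explicit. The function starts before and continues after the hunk.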
+++ b/queue-5.4/series
@@ -106,3 +106,8 @@ pci-aardvark-fix-return-value-of-msi-domain-.alloc-method.patch
 pci-aardvark-read-all-16-bits-from-pcie_msi_payload_reg.patch
 quota-check-block-number-when-reading-the-block-in-quota-file.patch
 quota-correct-error-number-in-free_dqentry.patch
+pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch
+iio-dac-ad5446-fix-ad5622_write-return-value.patch
+usb-serial-keyspan-fix-memleak-on-probe-errors.patch
+usb-iowarrior-fix-control-message-timeouts.patch
+usb-chipidea-fix-interrupt-deadlock.patch
diff --git a/queue-5.4/usb-chipidea-fix-interrupt-deadlock.patch b/queue-5.4/usb-chipidea-fix-interrupt-deadlock.patch
new file mode 100644
index 00000000000..8f9e49c86d5
--- /dev/null
+++ b/queue-5.4/usb-chipidea-fix-interrupt-deadlock.patch
@@ -0,0 +1,105 @@
+From 9aaa81c3366e8393a62374e3a1c67c69edc07b8a Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Thu, 21 Oct 2021 10:34:47 +0200
+Subject: USB: chipidea: fix interrupt deadlock
+
+From: Johan Hovold
+
+commit 9aaa81c3366e8393a62374e3a1c67c69edc07b8a upstream.
+
+Chipidea core was calling the interrupt handler from non-IRQ context
+with interrupts enabled, something which can lead to a deadlock if
+there's an actual interrupt trying to take a lock that's already held
+(e.g. the controller lock in udc_irq()).
+
+Add a wrapper that can be used to fake interrupts instead of calling the
+handler directly.
+
+Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect")
+Fixes: 876d4e1e8298 ("usb: chipidea: core: add wakeup support for extcon")
+Cc: Peter Chen
+Cc: stable@vger.kernel.org # 4.4
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211021083447.20078-1-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/chipidea/core.c | 23 ++++++++++++++++-------
+ 1 file changed, 16 insertions(+), 7 deletions(-)
+
+--- a/drivers/usb/chipidea/core.c
++++ b/drivers/usb/chipidea/core.c
+@@ -534,7 +534,7 @@ int hw_device_reset(struct ci_hdrc *ci)
+ return 0;
+ }
+
+-static irqreturn_t ci_irq(int irq, void *data)
++static irqreturn_t ci_irq_handler(int irq, void *data)
+ {
+ struct ci_hdrc *ci = data;
+ irqreturn_t ret = IRQ_NONE;
+@@ -587,6 +587,15 @@ static irqreturn_t ci_irq(int irq, void
+ return ret;
+ }
+
++static void ci_irq(struct ci_hdrc *ci)
++{
++ unsigned long flags;
++
++ local_irq_save(flags);
++ ci_irq_handler(ci->irq, ci);
++ local_irq_restore(flags);
++}
++
+ static int ci_cable_notifier(struct notifier_block *nb, unsigned long event,
+ void *ptr)
+ {
+@@ -596,7 +605,7 @@ static int ci_cable_notifier(struct noti
+ cbl->connected = event;
+ cbl->changed = true;
+
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ return NOTIFY_DONE;
+ }
+
+@@ -634,7 +643,7 @@ static int ci_usb_role_switch_set(struct
+ if (cable) {
+ cable->changed = true;
+ cable->connected = false;
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ spin_unlock_irqrestore(&ci->lock, flags);
+ if (ci->wq && role != USB_ROLE_NONE)
+ flush_workqueue(ci->wq);
+@@ -652,7 +661,7 @@ static int ci_usb_role_switch_set(struct
+ if (cable) {
+ cable->changed = true;
+ cable->connected = true;
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ }
+ spin_unlock_irqrestore(&ci->lock, flags);
+ pm_runtime_put_sync(ci->dev);
+@@ -1156,7 +1165,7 @@ static int ci_hdrc_probe(struct platform
+ }
+ }
+
+- ret = devm_request_irq(dev, ci->irq, ci_irq, IRQF_SHARED,
++ ret = devm_request_irq(dev, ci->irq, ci_irq_handler, IRQF_SHARED,
+ ci->platdata->name, ci);
+ if (ret)
+ goto stop;
+@@ -1277,11 +1286,11 @@ static void ci_extcon_wakeup_int(struct
+
+ if (!IS_ERR(cable_id->edev) && ci->is_otg &&
+ (otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS))
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+
+ if (!IS_ERR(cable_vbus->edev) && ci->is_otg &&
+ (otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS))
+- ci_irq(ci->irq, ci);
++ ci_irq(ci);
+ }
+
+ static int ci_controller_resume(struct device *dev)
diff --git a/queue-5.4/usb-iowarrior-fix-control-message-timeouts.patch b/queue-5.4/usb-iowarrior-fix-control-message-timeouts.patch
new file mode 100644
index 00000000000..d987df6dcd0
--- /dev/null
+++ b/queue-5.4/usb-iowarrior-fix-control-message-timeouts.patch
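Review bot: The new ci_irq() wrapper carries no comment saying why it disables local interrupts, so the reason (a real interrupt could otherwise try to take a lock the faked one already holds) lives only in the commit message. I would add above it `/* Fake an interrupt from process context: run the handler with local IRQs off so a real IRQ cannot preempt it while it holds a lock. */`. In both ci_usb_role_switch_set() hunks the call sits in a region that ends with `spin_unlock_irqrestore(&ci->lock, flags)`, so the save/restore is presumably redundant there and the handler runs with ci->lock held; whether any handler path takes that lock again cannot be judged from these hunks and is worth confirming. All of the calling functions start outside their hunks.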
@@ -0,0 +1,55 @@
+From 79a4479a17b83310deb0b1a2a274fe5be12d2318 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 25 Oct 2021 13:51:59 +0200
+Subject: USB: iowarrior: fix control-message timeouts
+
+From: Johan Hovold
+
+commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream.
+
+USB control-message timeouts are specified in milliseconds and should
+specifically not vary with CONFIG_HZ.
+
+Use the common control-message timeout define for the five-second
+timeout and drop the driver-specific one.
+
+Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.")
+Cc: stable@vger.kernel.org # 2.6.21
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/misc/iowarrior.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+--- a/drivers/usb/misc/iowarrior.c
++++ b/drivers/usb/misc/iowarrior.c
+@@ -99,10 +99,6 @@ struct iowarrior {
+ /* globals */
+ /*--------------*/
+
+-/*
+- * USB spec identifies 5 second timeouts.
+- */
+-#define GET_TIMEOUT 5
+ #define USB_REQ_GET_REPORT 0x01
+ //#if 0
+ static int usb_get_report(struct usb_device *dev,
+@@ -114,7 +110,7 @@ static int usb_get_report(struct usb_dev
+ USB_DIR_IN | USB_TYPE_CLASS |
+ USB_RECIP_INTERFACE, (type << 8) + id,
+ inter->desc.bInterfaceNumber, buf, size,
+- GET_TIMEOUT*HZ);
++ USB_CTRL_GET_TIMEOUT);
+ }
+ //#endif
+
+@@ -129,7 +125,7 @@ static int usb_set_report(struct usb_int
+ USB_TYPE_CLASS | USB_RECIP_INTERFACE,
+ (type << 8) + id,
+ intf->cur_altsetting->desc.bInterfaceNumber, buf,
+- size, HZ);
++ size, 1000);
+ }
+
+ /*---------------------*/
diff --git a/queue-5.4/usb-serial-keyspan-fix-memleak-on-probe-errors.patch b/queue-5.4/usb-serial-keyspan-fix-memleak-on-probe-errors.patch
new file mode 100644
index 00000000000..e06508e2e6d
--- /dev/null
+++ b/queue-5.4/usb-serial-keyspan-fix-memleak-on-probe-errors.patch
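Review bot: usb_set_report() now passes the bare literal `1000` as its timeout while usb_get_report() in the previous hunk uses the named USB_CTRL_GET_TIMEOUT, so the unit and intent of the set-report value are left to the reader. A trailing comment, `size, 1000); /* timeout in ms */`, or a driver-local define such as `#define IOWARRIOR_SET_TIMEOUT_MS 1000` (name constructed for this note) would keep the one-second value and make the pair read consistently. Both functions start outside their hunks.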
@@ -0,0 +1,98 @@
+From 910c996335c37552ee30fcb837375b808bb4f33b Mon Sep 17 00:00:00 2001
+From: Wang Hai
+Date: Fri, 15 Oct 2021 16:55:43 +0800
+Subject: USB: serial: keyspan: fix memleak on probe errors
+
+From: Wang Hai
+
+commit 910c996335c37552ee30fcb837375b808bb4f33b upstream.
+
+I got memory leak as follows when doing fault injection test:
+
+unreferenced object 0xffff888258228440 (size 64):
+ comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] slab_post_alloc_hook+0x9c/0x490
+ [] kmem_cache_alloc_trace+0x1f7/0x470
+ [] keyspan_port_probe+0xa4/0x5d0 [keyspan]
+ [] usb_serial_device_probe+0x97/0x1d0 [usbserial]
+ [] really_probe+0x167/0x460
+ [] __driver_probe_device+0xf9/0x180
+ [] driver_probe_device+0x53/0x130
+ [] __device_attach_driver+0x105/0x130
+ [] bus_for_each_drv+0x129/0x190
+ [] __device_attach+0x1c9/0x270
+ [] device_initial_probe+0x20/0x30
+ [] bus_probe_device+0x142/0x160
+ [] device_add+0x829/0x1300
+ [] usb_serial_probe.cold+0xc9b/0x14ac [usbserial]
+ [] usb_probe_interface+0x1aa/0x3c0 [usbcore]
+ [] really_probe+0x167/0x460
+
+If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or
+in_buffer[i], the previously allocated memory for out_buffer or
+in_buffer needs to be freed on the error handling path, otherwise a
+memory leak will result.
+
+Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com
+Cc: stable@vger.kernel.org # 3.12
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/keyspan.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+--- a/drivers/usb/serial/keyspan.c
++++ b/drivers/usb/serial/keyspan.c
+@@ -2910,22 +2910,22 @@ static int keyspan_port_probe(struct usb
+ for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) {
+ p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL);
+ if (!p_priv->in_buffer[i])
+- goto err_in_buffer;
++ goto err_free_in_buffer;
+ }
+
+ for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) {
+ p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL);
+ if (!p_priv->out_buffer[i])
+- goto err_out_buffer;
++ goto err_free_out_buffer;
+ }
+
+ p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL);
+ if (!p_priv->inack_buffer)
+- goto err_inack_buffer;
++ goto err_free_out_buffer;
+
+ p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL);
+ if (!p_priv->outcont_buffer)
+- goto err_outcont_buffer;
++ goto err_free_inack_buffer;
+
+ p_priv->device_details = d_details;
+
+@@ -2971,15 +2971,14 @@ static int keyspan_port_probe(struct usb
+
+ return 0;
+
+-err_outcont_buffer:
++err_free_inack_buffer:
+ kfree(p_priv->inack_buffer);
+-err_inack_buffer:
++err_free_out_buffer:
+ for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i)
+ kfree(p_priv->out_buffer[i]);
+-err_out_buffer:
++err_free_in_buffer:
+ for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i)
+ kfree(p_priv->in_buffer[i]);
+-err_in_buffer:
+ kfree(p_priv);
+
+ return -ENOMEM;
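Review bot: The merged error labels in keyspan_port_probe() now call kfree() on every in_buffer and out_buffer slot, including slots that were never allocated, which is only safe if p_priv was zero-allocated. That allocation lies outside both hunks, so it should be confirmed, and the assumption is worth a comment at the first label: `/* p_priv is zeroed on allocation, so unallocated slots are NULL and kfree() ignores them */`. The function starts before the first hunk, and only its allocation loops and error tail are visible here.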