From: Sasha Levin Date: Sat, 26 Feb 2022 02:59:32 +0000 (-0500) Subject: Fixes for 5.10 X-Git-Tag: v4.9.304~40 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c0dea91debf54d61bfadef37017691f4e2f6fbd;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 5.10 Signed-off-by: Sasha Levin --- diff --git a/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch b/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch new file mode 100644 index 00000000000..9096997c5a7 --- /dev/null +++ b/queue-5.10/configfs-fix-a-race-in-configfs_-un-register_subsyst.patch @@ -0,0 +1,98 @@ +From 93fb4b67e12d81a7a09a6fc8fdf15c490447696b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 15:10:30 +0800 +Subject: configfs: fix a race in configfs_{,un}register_subsystem() + +From: ChenXiaoSong + +[ Upstream commit 84ec758fb2daa236026506868c8796b0500c047d ] + +When configfs_register_subsystem() or configfs_unregister_subsystem() +is executing link_group() or unlink_group(), +it is possible that two processes add or delete list concurrently. +Some unfortunate interleavings of them can cause kernel panic. + +One of cases is: +A --> B --> C --> D +A <-- B <-- C <-- D + + delete list_head *B | delete list_head *C +--------------------------------|----------------------------------- +configfs_unregister_subsystem | configfs_unregister_subsystem + unlink_group | unlink_group + unlink_obj | unlink_obj + list_del_init | list_del_init + __list_del_entry | __list_del_entry + __list_del | __list_del + // next == C | + next->prev = prev | + | next->prev = prev + prev->next = next | + | // prev == B + | prev->next = next + +Fix this by adding mutex when calling link_group() or unlink_group(), +but parent configfs_subsystem is NULL when config_item is root. +So I create a mutex configfs_subsystem_mutex. + +Fixes: 7063fbf22611 ("[PATCH] configfs: User-driven configuration filesystem") +Signed-off-by: ChenXiaoSong +Signed-off-by: Laibin Qiu +Signed-off-by: Christoph Hellwig +Signed-off-by: Sasha Levin +--- + fs/configfs/dir.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c +index 32ddad3ec5d53..5ad27e484014f 100644 +--- a/fs/configfs/dir.c ++++ b/fs/configfs/dir.c +@@ -36,6 +36,14 @@ + */ + DEFINE_SPINLOCK(configfs_dirent_lock); + ++/* ++ * All of link_obj/unlink_obj/link_group/unlink_group require that ++ * subsys->su_mutex is held. ++ * But parent configfs_subsystem is NULL when config_item is root. ++ * Use this mutex when config_item is root. ++ */ ++static DEFINE_MUTEX(configfs_subsystem_mutex); ++ + static void configfs_d_iput(struct dentry * dentry, + struct inode * inode) + { +@@ -1884,7 +1892,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys) + group->cg_item.ci_name = group->cg_item.ci_namebuf; + + sd = root->d_fsdata; ++ mutex_lock(&configfs_subsystem_mutex); + link_group(to_config_group(sd->s_element), group); ++ mutex_unlock(&configfs_subsystem_mutex); + + inode_lock_nested(d_inode(root), I_MUTEX_PARENT); + +@@ -1909,7 +1919,9 @@ int configfs_register_subsystem(struct configfs_subsystem *subsys) + inode_unlock(d_inode(root)); + + if (err) { ++ mutex_lock(&configfs_subsystem_mutex); + unlink_group(group); ++ mutex_unlock(&configfs_subsystem_mutex); + configfs_release_fs(); + } + put_fragment(frag); +@@ -1956,7 +1968,9 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys) + + dput(dentry); + ++ mutex_lock(&configfs_subsystem_mutex); + unlink_group(group); ++ mutex_unlock(&configfs_subsystem_mutex); + configfs_release_fs(); + } + +-- +2.34.1 + diff --git a/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch b/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch new file mode 100644 index 00000000000..55b27d84dca --- /dev/null +++ b/queue-5.10/rdma-ib_srp-fix-a-deadlock.patch @@ -0,0 +1,45 @@ +From 083e648dc5ce9d314d1c9c63b011cfdbe1869e4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Feb 2022 13:05:11 -0800 +Subject: RDMA/ib_srp: Fix a deadlock + +From: Bart Van Assche + +[ Upstream commit 081bdc9fe05bb23248f5effb6f811da3da4b8252 ] + +Remove the flush_workqueue(system_long_wq) call since flushing +system_long_wq is deadlock-prone and since that call is redundant with a +preceding cancel_work_sync() + +Link: https://lore.kernel.org/r/20220215210511.28303-3-bvanassche@acm.org +Fixes: ef6c49d87c34 ("IB/srp: Eliminate state SRP_TARGET_DEAD") +Reported-by: syzbot+831661966588c802aae9@syzkaller.appspotmail.com +Signed-off-by: Bart Van Assche +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/srp/ib_srp.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/infiniband/ulp/srp/ib_srp.c b/drivers/infiniband/ulp/srp/ib_srp.c +index 86d5c4c92b363..b4ccb333a8342 100644 +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -4045,9 +4045,11 @@ static void srp_remove_one(struct ib_device *device, void *client_data) + spin_unlock(&host->target_lock); + + /* +- * Wait for tl_err and target port removal tasks. ++ * srp_queue_remove_work() queues a call to ++ * srp_remove_target(). The latter function cancels ++ * target->tl_err_work so waiting for the remove works to ++ * finish is sufficient. + */ +- flush_workqueue(system_long_wq); + flush_workqueue(srp_remove_wq); + + kfree(host); +-- +2.34.1 + diff --git a/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch b/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch new file mode 100644 index 00000000000..5681b8edd06 --- /dev/null +++ b/queue-5.10/rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch @@ -0,0 +1,125 @@ +From 79dbf4fa4fd811f839cdb77fa7f8a7ee14c09c8b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 04:09:28 +0100 +Subject: RDMA/rtrs-clt: Fix possible double free in error case + +From: Md Haris Iqbal + +[ Upstream commit 8700af2cc18c919b2a83e74e0479038fd113c15d ] + +Callback function rtrs_clt_dev_release() for put_device() calls kfree(clt) +to free memory. We shouldn't call kfree(clt) again, and we can't use the +clt after kfree too. + +Replace device_register() with device_initialize() and device_add() so that +dev_set_name can() be used appropriately. + +Move mutex_destroy() to the release function so it can be called in +the alloc_clt err path. + +Fixes: eab098246625 ("RDMA/rtrs-clt: Refactor the failure cases in alloc_clt") +Link: https://lore.kernel.org/r/20220217030929.323849-1-haris.iqbal@ionos.com +Reported-by: Miaoqian Lin +Signed-off-by: Md Haris Iqbal +Reviewed-by: Jack Wang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 37 ++++++++++++++------------ + 1 file changed, 20 insertions(+), 17 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 46fad202a380e..8937530a42d3d 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -2540,6 +2540,8 @@ static void rtrs_clt_dev_release(struct device *dev) + { + struct rtrs_clt *clt = container_of(dev, struct rtrs_clt, dev); + ++ mutex_destroy(&clt->paths_ev_mutex); ++ mutex_destroy(&clt->paths_mutex); + kfree(clt); + } + +@@ -2571,6 +2573,8 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num, + return ERR_PTR(-ENOMEM); + } + ++ clt->dev.class = rtrs_clt_dev_class; ++ clt->dev.release = rtrs_clt_dev_release; + uuid_gen(&clt->paths_uuid); + INIT_LIST_HEAD_RCU(&clt->paths_list); + clt->paths_num = paths_num; +@@ -2588,43 +2592,41 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num, + init_waitqueue_head(&clt->permits_wait); + mutex_init(&clt->paths_ev_mutex); + mutex_init(&clt->paths_mutex); ++ device_initialize(&clt->dev); + +- clt->dev.class = rtrs_clt_dev_class; +- clt->dev.release = rtrs_clt_dev_release; + err = dev_set_name(&clt->dev, "%s", sessname); + if (err) +- goto err; ++ goto err_put; ++ + /* + * Suppress user space notification until + * sysfs files are created + */ + dev_set_uevent_suppress(&clt->dev, true); +- err = device_register(&clt->dev); +- if (err) { +- put_device(&clt->dev); +- goto err; +- } ++ err = device_add(&clt->dev); ++ if (err) ++ goto err_put; + + clt->kobj_paths = kobject_create_and_add("paths", &clt->dev.kobj); + if (!clt->kobj_paths) { + err = -ENOMEM; +- goto err_dev; ++ goto err_del; + } + err = rtrs_clt_create_sysfs_root_files(clt); + if (err) { + kobject_del(clt->kobj_paths); + kobject_put(clt->kobj_paths); +- goto err_dev; ++ goto err_del; + } + dev_set_uevent_suppress(&clt->dev, false); + kobject_uevent(&clt->dev.kobj, KOBJ_ADD); + + return clt; +-err_dev: +- device_unregister(&clt->dev); +-err: ++err_del: ++ device_del(&clt->dev); ++err_put: + free_percpu(clt->pcpu_path); +- kfree(clt); ++ put_device(&clt->dev); + return ERR_PTR(err); + } + +@@ -2643,9 +2645,10 @@ static void free_clt(struct rtrs_clt *clt) + wait_for_inflight_permits(clt); + free_permits(clt); + free_percpu(clt->pcpu_path); +- mutex_destroy(&clt->paths_ev_mutex); +- mutex_destroy(&clt->paths_mutex); +- /* release callback will free clt in last put */ ++ ++ /* ++ * release callback will free clt and destroy mutexes in last put ++ */ + device_unregister(&clt->dev); + } + +-- +2.34.1 + diff --git a/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch b/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch new file mode 100644 index 00000000000..213bf56f1aa --- /dev/null +++ b/queue-5.10/rdma-rtrs-clt-kill-wait_for_inflight_permits.patch @@ -0,0 +1,61 @@ +From 6cf8d8fc8bd6e666233d769c811cd1212a352f77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Dec 2020 15:19:05 +0100 +Subject: RDMA/rtrs-clt: Kill wait_for_inflight_permits + +From: Guoqing Jiang + +[ Upstream commit 25a033f5a75873cfdd36eca3c702363b682afb42 ] + +Let's wait the inflight permits before free it. + +Link: https://lore.kernel.org/r/20201217141915.56989-10-jinpu.wang@cloud.ionos.com +Signed-off-by: Guoqing Jiang +Reviewed-by: Md Haris Iqbal +Signed-off-by: Jack Wang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 17 ++++++----------- + 1 file changed, 6 insertions(+), 11 deletions(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 8937530a42d3d..5a3c11b0b3102 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -1328,6 +1328,12 @@ static int alloc_permits(struct rtrs_clt *clt) + + static void free_permits(struct rtrs_clt *clt) + { ++ if (clt->permits_map) { ++ size_t sz = clt->queue_depth; ++ ++ wait_event(clt->permits_wait, ++ find_first_bit(clt->permits_map, sz) >= sz); ++ } + kfree(clt->permits_map); + clt->permits_map = NULL; + kfree(clt->permits); +@@ -2630,19 +2636,8 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num, + return ERR_PTR(err); + } + +-static void wait_for_inflight_permits(struct rtrs_clt *clt) +-{ +- if (clt->permits_map) { +- size_t sz = clt->queue_depth; +- +- wait_event(clt->permits_wait, +- find_first_bit(clt->permits_map, sz) >= sz); +- } +-} +- + static void free_clt(struct rtrs_clt *clt) + { +- wait_for_inflight_permits(clt); + free_permits(clt); + free_percpu(clt->pcpu_path); + +-- +2.34.1 + diff --git a/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch b/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch new file mode 100644 index 00000000000..66611366e3e --- /dev/null +++ b/queue-5.10/rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch @@ -0,0 +1,49 @@ +From a77c0172ca90402b741845c88556be58012cbaf1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 04:09:29 +0100 +Subject: RDMA/rtrs-clt: Move free_permit from free_clt to rtrs_clt_close + +From: Md Haris Iqbal + +[ Upstream commit c46fa8911b17e3f808679061a8af8bee219f4602 ] + +Error path of rtrs_clt_open() calls free_clt(), where free_permit is +called. This is wrong since error path of rtrs_clt_open() does not need +to call free_permit(). + +Also, moving free_permits() call to rtrs_clt_close(), makes it more +aligned with the call to alloc_permit() in rtrs_clt_open(). + +Fixes: 6a98d71daea1 ("RDMA/rtrs: client: main functionality") +Link: https://lore.kernel.org/r/20220217030929.323849-2-haris.iqbal@ionos.com +Signed-off-by: Md Haris Iqbal +Reviewed-by: Jack Wang +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/rtrs/rtrs-clt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/ulp/rtrs/rtrs-clt.c b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +index 5a3c11b0b3102..13634eda833de 100644 +--- a/drivers/infiniband/ulp/rtrs/rtrs-clt.c ++++ b/drivers/infiniband/ulp/rtrs/rtrs-clt.c +@@ -2638,7 +2638,6 @@ static struct rtrs_clt *alloc_clt(const char *sessname, size_t paths_num, + + static void free_clt(struct rtrs_clt *clt) + { +- free_permits(clt); + free_percpu(clt->pcpu_path); + + /* +@@ -2759,6 +2758,7 @@ void rtrs_clt_close(struct rtrs_clt *clt) + rtrs_clt_destroy_sess_files(sess, NULL); + kobject_put(&sess->kobj); + } ++ free_permits(clt); + free_clt(clt); + } + EXPORT_SYMBOL(rtrs_clt_close); +-- +2.34.1 + diff --git a/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch b/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch new file mode 100644 index 00000000000..6b6a3a57681 --- /dev/null +++ b/queue-5.10/regmap-irq-update-interrupt-clear-register-for-prope.patch @@ -0,0 +1,105 @@ +From 5e36315a30f9d78b774e59b93c71b57f369d1785 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Feb 2022 14:20:07 +0530 +Subject: regmap-irq: Update interrupt clear register for proper reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Prasad Kumpatla + +[ Upstream commit d04ad245d67a3991dfea5e108e4c452c2ab39bac ] + +With the existing logic where clear_ack is true (HW doesn’t support +auto clear for ICR), interrupt clear register reset is not handled +properly. Due to this only the first interrupts get processed properly +and further interrupts are blocked due to not resetting interrupt +clear register. + +Example for issue case where Invert_ack is false and clear_ack is true: + + Say Default ISR=0x00 & ICR=0x00 and ISR is triggered with 2 + interrupts making ISR = 0x11. + + Step 1: Say ISR is set 0x11 (store status_buff = ISR). ISR needs to + be cleared with the help of ICR once the Interrupt is processed. + + Step 2: Write ICR = 0x11 (status_buff), this will clear the ISR to 0x00. + + Step 3: Issue - In the existing code, ICR is written with ICR = + ~(status_buff) i.e ICR = 0xEE -> This will block all the interrupts + from raising except for interrupts 0 and 4. So expectation here is to + reset ICR, which will unblock all the interrupts. + + if (chip->clear_ack) { + if (chip->ack_invert && !ret) + ........ + else if (!ret) + ret = regmap_write(map, reg, + ~data->status_buf[i]); + +So writing 0 and 0xff (when ack_invert is true) should have no effect, other +than clearing the ACKs just set. + +Fixes: 3a6f0fb7b8eb ("regmap: irq: Add support to clear ack registers") +Signed-off-by: Prasad Kumpatla +Reviewed-by: Charles Keepax +Tested-by: Marek Szyprowski +Link: https://lore.kernel.org/r/20220217085007.30218-1-quic_pkumpatl@quicinc.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/base/regmap/regmap-irq.c | 20 ++++++-------------- + 1 file changed, 6 insertions(+), 14 deletions(-) + +diff --git a/drivers/base/regmap/regmap-irq.c b/drivers/base/regmap/regmap-irq.c +index ad5c2de395d1f..87c5c421e0f46 100644 +--- a/drivers/base/regmap/regmap-irq.c ++++ b/drivers/base/regmap/regmap-irq.c +@@ -170,11 +170,9 @@ static void regmap_irq_sync_unlock(struct irq_data *data) + ret = regmap_write(map, reg, d->mask_buf[i]); + if (d->chip->clear_ack) { + if (d->chip->ack_invert && !ret) +- ret = regmap_write(map, reg, +- d->mask_buf[i]); ++ ret = regmap_write(map, reg, UINT_MAX); + else if (!ret) +- ret = regmap_write(map, reg, +- ~d->mask_buf[i]); ++ ret = regmap_write(map, reg, 0); + } + if (ret != 0) + dev_err(d->map->dev, "Failed to ack 0x%x: %d\n", +@@ -509,11 +507,9 @@ static irqreturn_t regmap_irq_thread(int irq, void *d) + data->status_buf[i]); + if (chip->clear_ack) { + if (chip->ack_invert && !ret) +- ret = regmap_write(map, reg, +- data->status_buf[i]); ++ ret = regmap_write(map, reg, UINT_MAX); + else if (!ret) +- ret = regmap_write(map, reg, +- ~data->status_buf[i]); ++ ret = regmap_write(map, reg, 0); + } + if (ret != 0) + dev_err(map->dev, "Failed to ack 0x%x: %d\n", +@@ -745,13 +741,9 @@ int regmap_add_irq_chip_fwnode(struct fwnode_handle *fwnode, + d->status_buf[i] & d->mask_buf[i]); + if (chip->clear_ack) { + if (chip->ack_invert && !ret) +- ret = regmap_write(map, reg, +- (d->status_buf[i] & +- d->mask_buf[i])); ++ ret = regmap_write(map, reg, UINT_MAX); + else if (!ret) +- ret = regmap_write(map, reg, +- ~(d->status_buf[i] & +- d->mask_buf[i])); ++ ret = regmap_write(map, reg, 0); + } + if (ret != 0) { + dev_err(map->dev, "Failed to ack 0x%x: %d\n", +-- +2.34.1 + diff --git a/queue-5.10/series b/queue-5.10/series index 069e64311c9..e75a9b23206 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -42,3 +42,10 @@ udp_tunnel-fix-end-of-loop-test-in-udp_tunnel_nic_unregister.patch net-mlx5-fix-possible-deadlock-on-rule-deletion.patch net-mlx5-fix-wrong-limitation-of-metadata-match-on-ecpf.patch net-mlx5e-ktls-use-checksum_unnecessary-for-device-offloaded-packets.patch +spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch +regmap-irq-update-interrupt-clear-register-for-prope.patch +rdma-rtrs-clt-fix-possible-double-free-in-error-case.patch +rdma-rtrs-clt-kill-wait_for_inflight_permits.patch +rdma-rtrs-clt-move-free_permit-from-free_clt-to-rtrs.patch +configfs-fix-a-race-in-configfs_-un-register_subsyst.patch +rdma-ib_srp-fix-a-deadlock.patch diff --git a/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch b/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..2fd6c9bc0a8 --- /dev/null +++ b/queue-5.10/spi-spi-zynq-qspi-fix-a-null-pointer-dereference-in-.patch @@ -0,0 +1,55 @@ +From 9124f2fcff30df4086e6dab80a7ac30731c4ed73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 01:22:53 +0800 +Subject: spi: spi-zynq-qspi: Fix a NULL pointer dereference in + zynq_qspi_exec_mem_op() + +From: Zhou Qingyang + +[ Upstream commit ab3824427b848da10e9fe2727f035bbeecae6ff4 ] + +In zynq_qspi_exec_mem_op(), kzalloc() is directly used in memset(), +which could lead to a NULL pointer dereference on failure of +kzalloc(). + +Fix this bug by adding a check of tmpbuf. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_SPI_ZYNQ_QSPI=m show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 67dca5e580f1 ("spi: spi-mem: Add support for Zynq QSPI controller") +Signed-off-by: Zhou Qingyang +Link: https://lore.kernel.org/r/20211130172253.203700-1-zhou1615@umn.edu +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-zynq-qspi.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/spi/spi-zynq-qspi.c b/drivers/spi/spi-zynq-qspi.c +index b635835729d66..13c0b15fe1764 100644 +--- a/drivers/spi/spi-zynq-qspi.c ++++ b/drivers/spi/spi-zynq-qspi.c +@@ -570,6 +570,9 @@ static int zynq_qspi_exec_mem_op(struct spi_mem *mem, + + if (op->dummy.nbytes) { + tmpbuf = kzalloc(op->dummy.nbytes, GFP_KERNEL); ++ if (!tmpbuf) ++ return -ENOMEM; ++ + memset(tmpbuf, 0xff, op->dummy.nbytes); + reinit_completion(&xqspi->data_completion); + xqspi->txbuf = tmpbuf; +-- +2.34.1 +