From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 11:46:10 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v5.4.160~154 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=575930b734e6391d848bf408111ff06f61232523;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch firmware-psci-fix-application-of-sizeof-to-pointer.patch media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch media-v4l2-ioctl-fix-check_ext_ctrls.patch mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch parisc-fix-ptrace-check-on-syscall-return.patch tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch --- diff --git a/queue-5.4/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch b/queue-5.4/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch new file mode 100644 index 00000000000..3daf4bc9f78 --- /dev/null +++ b/queue-5.4/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch @@ -0,0 +1,33 @@ +From a472cc0dde3eb057db71c80f102556eeced03805 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Thu, 21 Oct 2021 09:34:22 +0800 +Subject: crypto: s5p-sss - Add error handling in s5p_aes_probe() + +From: Tang Bin + +commit a472cc0dde3eb057db71c80f102556eeced03805 upstream. + +The function s5p_aes_probe() does not perform sufficient error +checking after executing platform_get_resource(), thus fix it. + +Fixes: c2afad6c6105 ("crypto: s5p-sss - Add HASH support for Exynos") +Cc: +Signed-off-by: Tang Bin +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/s5p-sss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/crypto/s5p-sss.c ++++ b/drivers/crypto/s5p-sss.c +@@ -2208,6 +2208,8 @@ static int s5p_aes_probe(struct platform + + variant = find_s5p_sss_version(pdev); + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; + + /* + * Note: HASH and PRNG uses the same registers in secss, avoid diff --git a/queue-5.4/firmware-psci-fix-application-of-sizeof-to-pointer.patch b/queue-5.4/firmware-psci-fix-application-of-sizeof-to-pointer.patch new file mode 100644 index 00000000000..65b9d12836d --- /dev/null +++ b/queue-5.4/firmware-psci-fix-application-of-sizeof-to-pointer.patch @@ -0,0 +1,39 @@ +From 2ac5fb35cd520ab1851c9a4816c523b65276052f Mon Sep 17 00:00:00 2001 +From: jing yangyang +Date: Thu, 19 Aug 2021 19:30:16 -0700 +Subject: firmware/psci: fix application of sizeof to pointer + +From: jing yangyang + +commit 2ac5fb35cd520ab1851c9a4816c523b65276052f upstream. + +sizeof when applied to a pointer typed expression gives the size of +the pointer. + +./drivers/firmware/psci/psci_checker.c:158:41-47: ERROR application of sizeof to pointer + +This issue was detected with the help of Coccinelle. + +Fixes: 7401056de5f8 ("drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests") +Cc: stable@vger.kernel.org +Reported-by: Zeal Robot +Acked-by: Mark Rutland +Reviewed-by: Gustavo A. R. Silva +Signed-off-by: jing yangyang +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/psci/psci_checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/psci/psci_checker.c ++++ b/drivers/firmware/psci/psci_checker.c +@@ -155,7 +155,7 @@ static int alloc_init_cpu_groups(cpumask + if (!alloc_cpumask_var(&tmp, GFP_KERNEL)) + return -ENOMEM; + +- cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups), ++ cpu_groups = kcalloc(nb_available_cpus, sizeof(*cpu_groups), + GFP_KERNEL); + if (!cpu_groups) { + free_cpumask_var(tmp); diff --git a/queue-5.4/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch b/queue-5.4/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch new file mode 100644 index 00000000000..4fd79235fc8 --- /dev/null +++ b/queue-5.4/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch @@ -0,0 +1,40 @@ +From c73ba202a851c0b611ef2c25e568fadeff5e667f Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Wed, 15 Sep 2021 18:14:07 +0200 +Subject: media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Young + +commit c73ba202a851c0b611ef2c25e568fadeff5e667f upstream. + +The IR receiver has two issues: + + - Sometimes there is no response to a button press + - Sometimes a button press is repeated when it should not have been + +Hanging the polling interval fixes this behaviour. + +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994050 + +Cc: stable@vger.kernel.org +Suggested-by: Joaquín Alberto Calderón Pozo +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ir-kbd-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/ir-kbd-i2c.c ++++ b/drivers/media/i2c/ir-kbd-i2c.c +@@ -791,6 +791,7 @@ static int ir_probe(struct i2c_client *c + rc_proto = RC_PROTO_BIT_RC5 | RC_PROTO_BIT_RC6_MCE | + RC_PROTO_BIT_RC6_6A_32; + ir_codes = RC_MAP_HAUPPAUGE; ++ ir->polling_interval = 125; + probe_tx = true; + break; + } diff --git a/queue-5.4/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch b/queue-5.4/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch new file mode 100644 index 00000000000..fbc040691aa --- /dev/null +++ b/queue-5.4/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch @@ -0,0 +1,36 @@ +From fdc881783099c6343921ff017450831c8766d12a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 17 Oct 2021 13:01:15 +0100 +Subject: media: ite-cir: IR receiver stop working after receive overflow + +From: Sean Young + +commit fdc881783099c6343921ff017450831c8766d12a upstream. + +On an Intel NUC6iSYK, no IR is reported after a receive overflow. + +When a receiver overflow occurs, this condition is only cleared by +reading the fifo. Make sure we read anything in the fifo. + +Fixes: 28c7afb07ccf ("media: ite-cir: check for receive overflow") +Suggested-by: Bryan Pass +Tested-by: Bryan Pass +Cc: stable@vger.kernel.org> +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ite-cir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/ite-cir.c ++++ b/drivers/media/rc/ite-cir.c +@@ -283,7 +283,7 @@ static irqreturn_t ite_cir_isr(int irq, + } + + /* check for the receive interrupt */ +- if (iflags & ITE_IRQ_RX_FIFO) { ++ if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) { + /* read the FIFO bytes */ + rx_bytes = + dev->params.get_rx_bytes(dev, rx_buf, diff --git a/queue-5.4/media-v4l2-ioctl-fix-check_ext_ctrls.patch b/queue-5.4/media-v4l2-ioctl-fix-check_ext_ctrls.patch new file mode 100644 index 00000000000..0bc9177cf6c --- /dev/null +++ b/queue-5.4/media-v4l2-ioctl-fix-check_ext_ctrls.patch @@ -0,0 +1,162 @@ +From 861f92cb9160b14beef0ada047384c2340701ee2 Mon Sep 17 00:00:00 2001 +From: Ricardo Ribalda +Date: Fri, 18 Jun 2021 14:29:03 +0200 +Subject: media: v4l2-ioctl: Fix check_ext_ctrls + +From: Ricardo Ribalda + +commit 861f92cb9160b14beef0ada047384c2340701ee2 upstream. + +Drivers that do not use the ctrl-framework use this function instead. + +Fix the following issues: + +- Do not check for multiple classes when getting the DEF_VAL. +- Return -EINVAL for request_api calls +- Default value cannot be changed, return EINVAL as soon as possible. +- Return the right error_idx +[If an error is found when validating the list of controls passed with +VIDIOC_G_EXT_CTRLS, then error_idx shall be set to ctrls->count to +indicate to userspace that no actual hardware was touched. +It would have been much nicer of course if error_idx could point to the +control index that failed the validation, but sadly that's not how the +API was designed.] + +Fixes v4l2-compliance: +Control ioctls (Input 0): + warn: v4l2-test-controls.cpp(834): error_idx should be equal to count + warn: v4l2-test-controls.cpp(855): error_idx should be equal to count + fail: v4l2-test-controls.cpp(813): doioctl(node, VIDIOC_G_EXT_CTRLS, &ctrls) + test VIDIOC_G/S/TRY_EXT_CTRLS: FAIL +Buffer ioctls (Input 0): + fail: v4l2-test-buffers.cpp(1994): ret != EINVAL && ret != EBADR && ret != ENOTTY + test Requests: FAIL + +Cc: stable@vger.kernel.org +Fixes: 6fa6f831f095 ("media: v4l2-ctrls: add core request support") +Suggested-by: Hans Verkuil +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/v4l2-core/v4l2-ioctl.c | 60 ++++++++++++++++++++++------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/drivers/media/v4l2-core/v4l2-ioctl.c ++++ b/drivers/media/v4l2-core/v4l2-ioctl.c +@@ -902,7 +902,7 @@ static void v4l_print_default(const void + pr_cont("driver-specific ioctl\n"); + } + +-static int check_ext_ctrls(struct v4l2_ext_controls *c, int allow_priv) ++static bool check_ext_ctrls(struct v4l2_ext_controls *c, unsigned long ioctl) + { + __u32 i; + +@@ -911,23 +911,41 @@ static int check_ext_ctrls(struct v4l2_e + for (i = 0; i < c->count; i++) + c->controls[i].reserved2[0] = 0; + +- /* V4L2_CID_PRIVATE_BASE cannot be used as control class +- when using extended controls. +- Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL +- is it allowed for backwards compatibility. +- */ +- if (!allow_priv && c->which == V4L2_CID_PRIVATE_BASE) +- return 0; +- if (!c->which) +- return 1; ++ switch (c->which) { ++ case V4L2_CID_PRIVATE_BASE: ++ /* ++ * V4L2_CID_PRIVATE_BASE cannot be used as control class ++ * when using extended controls. ++ * Only when passed in through VIDIOC_G_CTRL and VIDIOC_S_CTRL ++ * is it allowed for backwards compatibility. ++ */ ++ if (ioctl == VIDIOC_G_CTRL || ioctl == VIDIOC_S_CTRL) ++ return false; ++ break; ++ case V4L2_CTRL_WHICH_DEF_VAL: ++ /* Default value cannot be changed */ ++ if (ioctl == VIDIOC_S_EXT_CTRLS || ++ ioctl == VIDIOC_TRY_EXT_CTRLS) { ++ c->error_idx = c->count; ++ return false; ++ } ++ return true; ++ case V4L2_CTRL_WHICH_CUR_VAL: ++ return true; ++ case V4L2_CTRL_WHICH_REQUEST_VAL: ++ c->error_idx = c->count; ++ return false; ++ } ++ + /* Check that all controls are from the same control class. */ + for (i = 0; i < c->count; i++) { + if (V4L2_CTRL_ID2WHICH(c->controls[i].id) != c->which) { +- c->error_idx = i; +- return 0; ++ c->error_idx = ioctl == VIDIOC_TRY_EXT_CTRLS ? i : ++ c->count; ++ return false; + } + } +- return 1; ++ return true; + } + + static int check_fmt(struct file *file, enum v4l2_buf_type type) +@@ -2145,7 +2163,7 @@ static int v4l_g_ctrl(const struct v4l2_ + ctrls.controls = &ctrl; + ctrl.id = p->id; + ctrl.value = p->value; +- if (check_ext_ctrls(&ctrls, 1)) { ++ if (check_ext_ctrls(&ctrls, VIDIOC_G_CTRL)) { + int ret = ops->vidioc_g_ext_ctrls(file, fh, &ctrls); + + if (ret == 0) +@@ -2179,7 +2197,7 @@ static int v4l_s_ctrl(const struct v4l2_ + ctrls.controls = &ctrl; + ctrl.id = p->id; + ctrl.value = p->value; +- if (check_ext_ctrls(&ctrls, 1)) ++ if (check_ext_ctrls(&ctrls, VIDIOC_S_CTRL)) + return ops->vidioc_s_ext_ctrls(file, fh, &ctrls); + return -EINVAL; + } +@@ -2201,8 +2219,8 @@ static int v4l_g_ext_ctrls(const struct + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_g_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_g_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_G_EXT_CTRLS) ? ++ ops->vidioc_g_ext_ctrls(file, fh, p) : -EINVAL; + } + + static int v4l_s_ext_ctrls(const struct v4l2_ioctl_ops *ops, +@@ -2222,8 +2240,8 @@ static int v4l_s_ext_ctrls(const struct + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_s_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_s_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_S_EXT_CTRLS) ? ++ ops->vidioc_s_ext_ctrls(file, fh, p) : -EINVAL; + } + + static int v4l_try_ext_ctrls(const struct v4l2_ioctl_ops *ops, +@@ -2243,8 +2261,8 @@ static int v4l_try_ext_ctrls(const struc + vfd, vfd->v4l2_dev->mdev, p); + if (ops->vidioc_try_ext_ctrls == NULL) + return -ENOTTY; +- return check_ext_ctrls(p, 0) ? ops->vidioc_try_ext_ctrls(file, fh, p) : +- -EINVAL; ++ return check_ext_ctrls(p, VIDIOC_TRY_EXT_CTRLS) ? ++ ops->vidioc_try_ext_ctrls(file, fh, p) : -EINVAL; + } + + /* diff --git a/queue-5.4/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch b/queue-5.4/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch new file mode 100644 index 00000000000..8fc7c5091a1 --- /dev/null +++ b/queue-5.4/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch @@ -0,0 +1,45 @@ +From 43592c8736e84025d7a45e61a46c3fa40536a364 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20L=C3=B6hle?= +Date: Thu, 16 Sep 2021 05:59:19 +0000 +Subject: mmc: dw_mmc: Dont wait for DRTO on Write RSP error + +From: Christian Löhle + +commit 43592c8736e84025d7a45e61a46c3fa40536a364 upstream. + +Only wait for DRTO on reads, otherwise the driver hangs. + +The driver prevents sending CMD12 on response errors like CRCs. According +to the comment this is because some cards have problems with this during +the UHS tuning sequence. Unfortunately this workaround currently also +applies for any command with data. On reads this will set the drto timer, +which then triggers after a while. On writes this will not set any timer +and the tasklet will not be scheduled again. + +I cannot test for the UHS workarounds need, but even if so, it should at +most apply to reads. I have observed many hangs when CMD25 response +contained a CRC error. This patch fixes this without touching the actual +UHS tuning workaround. + +Signed-off-by: Christian Loehle +Reviewed-by: Jaehoon Chung +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/af8f8b8674ba4fcc9a781019e4aeb72c@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/dw_mmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -2013,7 +2013,8 @@ static void dw_mci_tasklet_func(unsigned + * delayed. Allowing the transfer to take place + * avoids races and keeps things simple. + */ +- if (err != -ETIMEDOUT) { ++ if (err != -ETIMEDOUT && ++ host->dir_status == DW_MCI_RECV_STATUS) { + state = STATE_SENDING_DATA; + continue; + } diff --git a/queue-5.4/parisc-fix-ptrace-check-on-syscall-return.patch b/queue-5.4/parisc-fix-ptrace-check-on-syscall-return.patch new file mode 100644 index 00000000000..3ff825eb3ba --- /dev/null +++ b/queue-5.4/parisc-fix-ptrace-check-on-syscall-return.patch @@ -0,0 +1,36 @@ +From 8779e05ba8aaffec1829872ef9774a71f44f6580 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 5 Oct 2021 00:27:49 +0200 +Subject: parisc: Fix ptrace check on syscall return + +From: Helge Deller + +commit 8779e05ba8aaffec1829872ef9774a71f44f6580 upstream. + +The TIF_XXX flags are stored in the flags field in the thread_info +struct (TI_FLAGS), not in the flags field of the task_struct structure +(TASK_FLAGS). + +It seems this bug didn't generate any important side-effects, otherwise it +wouldn't have went unnoticed for 12 years (since v2.6.32). + +Signed-off-by: Helge Deller +Fixes: ecd3d4bc06e48 ("parisc: stop using task->ptrace for {single,block}step flags") +Cc: Kyle McMartin +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1841,7 +1841,7 @@ syscall_restore: + LDREG TI_TASK-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r1 + + /* Are we being ptraced? */ +- ldw TASK_FLAGS(%r1),%r19 ++ LDREG TI_FLAGS-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r19 + ldi _TIF_SYSCALL_TRACE_MASK,%r2 + and,COND(=) %r19,%r2,%r0 + b,n syscall_restore_rfi diff --git a/queue-5.4/series b/queue-5.4/series index 03a6fffe164..9ffec72749e 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -10,3 +10,11 @@ libata-fix-read-log-timeout-value.patch ocfs2-fix-data-corruption-on-truncate.patch scsi-qla2xxx-fix-kernel-crash-when-accessing-port_speed-sysfs-file.patch scsi-qla2xxx-fix-use-after-free-in-eh_abort-path.patch +mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch +parisc-fix-ptrace-check-on-syscall-return.patch +tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch +firmware-psci-fix-application-of-sizeof-to-pointer.patch +crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch +media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch +media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch +media-v4l2-ioctl-fix-check_ext_ctrls.patch diff --git a/queue-5.4/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch b/queue-5.4/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch new file mode 100644 index 00000000000..98f74ee6f83 --- /dev/null +++ b/queue-5.4/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch @@ -0,0 +1,34 @@ +From a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 8 Sep 2021 08:33:57 +0300 +Subject: tpm: Check for integer overflow in tpm2_map_response_body() + +From: Dan Carpenter + +commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream. + +The "4 * be32_to_cpu(data->count)" multiplication can potentially +overflow which would lead to memory corruption. Add a check for that. + +Cc: stable@vger.kernel.org +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Signed-off-by: Dan Carpenter +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-space.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -455,6 +455,9 @@ static int tpm2_map_response_body(struct + if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES) + return 0; + ++ if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4) ++ return -EFAULT; ++ + if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count)) + return -EFAULT; +