From: Sasha Levin Date: Mon, 17 Oct 2022 02:10:19 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v5.4.219~47 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5cf7eb9e64eec19a2eb51d4a43d0458fbb2fcb16;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch b/queue-4.9/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
new file mode 100644
index 00000000000..7d4bf0360c5
--- /dev/null
+++ b/queue-4.9/acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
@@ -0,0 +1,59 @@
+From acb12812efed8fb93076b3c5c8a37fd09cb286af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 24 Aug 2022 20:49:50 +0200
+Subject: ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
+
+From: Arvid Norlander
+
+[ Upstream commit 574160b8548deff8b80b174f03201e94ab8431e2 ]
+
+Toshiba Satellite Z830 needs the quirk video_disable_backlight_sysfs_if
+for proper backlight control after suspend/resume cycles.
+
+Toshiba Portege Z830 is simply the same laptop rebranded for certain
+markets (I looked through the manual to other language sections to confirm
+this) and thus also needs this quirk.
+
+Thanks to Hans de Goede for suggesting this fix.
+
+Link: https://www.spinics.net/lists/platform-driver-x86/msg34394.html
+Suggested-by: Hans de Goede
+Signed-off-by: Arvid Norlander
+Reviewed-by: Hans de Goede
+Tested-by: Arvid Norlander
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpi_video.c | 16 ++++++++++++++++
+ 1 file changed, 16 insertions(+)
+
+diff --git a/drivers/acpi/acpi_video.c b/drivers/acpi/acpi_video.c
+index ea0573176894..209903c2ee85 100644
+--- a/drivers/acpi/acpi_video.c
++++ b/drivers/acpi/acpi_video.c
+@@ -485,6 +485,22 @@ static struct dmi_system_id video_dmi_table[] = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE R830"),
+ },
+ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Satellite Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "SATELLITE Z830"),
++ },
++ },
++ {
++ .callback = video_disable_backlight_sysfs_if,
++ .ident = "Toshiba Portege Z830",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE Z830"),
++ },
++ },
+ /*
+ * Some machine's _DOD IDs don't have bit 31(Device ID Scheme) set
+ * but the IDs actually follow the Device ID Scheme.
+--
+2.35.1
+
diff --git a/queue-4.9/alsa-dmaengine-increment-buffer-pointer-atomically.patch b/queue-4.9/alsa-dmaengine-increment-buffer-pointer-atomically.patch
new file mode 100644
index 00000000000..4765a1493e9
--- /dev/null
+++ b/queue-4.9/alsa-dmaengine-increment-buffer-pointer-atomically.patch
@@ -0,0 +1,49 @@
+From 893690e1aa2829b3418d630e107a82960e25a790 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Sep 2022 18:58:13 +0200
+Subject: ALSA: dmaengine: increment buffer pointer atomically
+
+From: Andreas Pape
+
+[ Upstream commit d1c442019594692c64a70a86ad88eb5b6db92216 ]
+
+Setting pointer and afterwards checking for wraparound leads
+to the possibility of returning the inconsistent pointer position.
+
+This patch increments buffer pointer atomically to avoid this issue.
+
+Fixes: e7f73a1613567a ("ASoC: Add dmaengine PCM helper functions")
+Signed-off-by: Andreas Pape
+Signed-off-by: Eugeniu Rosca
+Link: https://lore.kernel.org/r/1664211493-11789-1-git-send-email-erosca@de.adit-jv.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/core/pcm_dmaengine.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c
+index 8eb58c709b14..6f6da1128edc 100644
+--- a/sound/core/pcm_dmaengine.c
++++ b/sound/core/pcm_dmaengine.c
+@@ -139,12 +139,14 @@ EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_set_config_from_dai_data);
+
+ static void dmaengine_pcm_dma_complete(void *arg)
+ {
++ unsigned int new_pos;
+ struct snd_pcm_substream *substream = arg;
+ struct dmaengine_pcm_runtime_data *prtd = substream_to_prtd(substream);
+
+- prtd->pos += snd_pcm_lib_period_bytes(substream);
+- if (prtd->pos >= snd_pcm_lib_buffer_bytes(substream))
+- prtd->pos = 0;
++ new_pos = prtd->pos + snd_pcm_lib_period_bytes(substream);
++ if (new_pos >= snd_pcm_lib_buffer_bytes(substream))
++ new_pos = 0;
++ prtd->pos = new_pos;
+
+ snd_pcm_period_elapsed(substream);
+ }
+--
+2.35.1
+
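Review bot: The final store `prtd->pos = new_pos;` in dmaengine_pcm_dma_complete() is still a plain assignment, so the "atomic" update named in the subject depends on the compiler emitting a single store and on every reader loading the field exactly once. Marking the access makes that explicit: `WRITE_ONCE(prtd->pos, new_pos);` here, paired with `READ_ONCE(prtd->pos)` wherever the position is read back; the reader is not part of this hunk, so that half has to be checked against the 4.9 tree. A short comment such as `/* publish pos in one store so a reader never sees the pre-wrap value */` would also stop a later cleanup from folding the wrap check back onto prtd->pos.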
diff --git a/queue-4.9/arm-drop-cmdline_-dependency-on-atags.patch b/queue-4.9/arm-drop-cmdline_-dependency-on-atags.patch
new file mode 100644
index 00000000000..66dcac39555
--- /dev/null
+++ b/queue-4.9/arm-drop-cmdline_-dependency-on-atags.patch
@@ -0,0 +1,45 @@
+From 8c2f770d7d6afe6ebf2d75342c6cd95de9f94fc9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 15:28:26 +0200
+Subject: ARM: Drop CMDLINE_* dependency on ATAGS
+
+From: Geert Uytterhoeven
+
+[ Upstream commit 136f4b1ec7c962ee37a787e095fd37b058d72bd3 ]
+
+On arm32, the configuration options to specify the kernel command line
+type depend on ATAGS. However, the actual CMDLINE cofiguration option
+does not depend on ATAGS, and the code that handles this is not specific
+to ATAGS (see drivers/of/fdt.c:early_init_dt_scan_chosen()).
+
+Hence users who desire to override the kernel command line on arm32 must
+enable support for ATAGS, even on a pure-DT system. Other architectures
+(arm64, loongarch, microblaze, nios2, powerpc, and riscv) do not impose
+such a restriction.
+
+Hence drop the dependency on ATAGS.
+
+Fixes: bd51e2f595580fb6 ("ARM: 7506/1: allow for ATAGS to be configured out when DT support is selected")
+Signed-off-by: Geert Uytterhoeven
+Acked-by: Ard Biesheuvel
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/arch/arm/Kconfig b/arch/arm/Kconfig
+index 0429d1d20393..25eaf3775904 100644
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1961,7 +1961,6 @@ config CMDLINE
+ choice
+ prompt "Kernel command line type" if CMDLINE != ""
+ default CMDLINE_FROM_BOOTLOADER
+- depends on ATAGS
+
+ config CMDLINE_FROM_BOOTLOADER
+ bool "Use bootloader kernel arguments if available"
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch b/queue-4.9/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
new file mode 100644
index 00000000000..8cd4ddfeea9
--- /dev/null
+++ b/queue-4.9/arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
@@ -0,0 +1,39 @@
+From 1998dd4e778b2637189c3450384c406b457ad48e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 27 Sep 2022 15:05:03 -0700
+Subject: ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
+
+From: Dmitry Torokhov
+
+[ Upstream commit a08137bd1e0a7ce951dce9ce4a83e39d379b6e1b ]
+
+EHCI Oxynos (drivers/usb/host/ehci-exynos.c) drives VBUS GPIO high when
+trying to power up the bus, therefore the GPIO in DTS must be marked as
+"active high". This will be important when EHCI driver is converted to
+gpiod API that respects declared polarities.
+
+Fixes: 4e8991def565 ("ARM: dts: exynos: Enable AX88760 USB hub on Origen board")
+Signed-off-by: Dmitry Torokhov
+Link: https://lore.kernel.org/r/20220927220504.3744878-1-dmitry.torokhov@gmail.com
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/boot/dts/exynos4412-origen.dts b/arch/arm/boot/dts/exynos4412-origen.dts
+index a1ab6f94bb64..62f9623d1fb1 100644
+--- a/arch/arm/boot/dts/exynos4412-origen.dts
++++ b/arch/arm/boot/dts/exynos4412-origen.dts
+@@ -90,7 +90,7 @@
+ };
+
+ &ehci {
+- samsung,vbus-gpio = <&gpx3 5 1>;
++ samsung,vbus-gpio = <&gpx3 5 GPIO_ACTIVE_HIGH>;
+ status = "okay";
+
+ port@1{
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-imx6dl-add-missing-properties-for-sram.patch b/queue-4.9/arm-dts-imx6dl-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..25283e651d7
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6dl-add-missing-properties-for-sram.patch
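Review bot: `GPIO_ACTIVE_HIGH` in the new `samsung,vbus-gpio` line is a preprocessor macro from `<dt-bindings/gpio/gpio.h>`, and nothing in this hunk shows that header being included by exynos4412-origen.dts or the files it pulls in on the 4.9 branch. If it is not, the symbol stays unexpanded and the board's DTB no longer builds, so the backport should either carry `#include <dt-bindings/gpio/gpio.h>` or spell the flag as the literal `0`. The description ties the benefit to a later gpiod conversion of ehci-exynos, so it is also worth confirming that the 4.9 driver reads the flags cell at all before this is queued.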
@@ -0,0 +1,38 @@
+From 73cbd4886657888905aa609131b43a4ac59c6f56 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:32 +0200
+Subject: ARM: dts: imx6dl: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit f5848b95633d598bacf0500e0108dc5961af88c0 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6dl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6dl.dtsi b/arch/arm/boot/dts/imx6dl.dtsi
+index 7aa120fbdc71..82a7d5b68da7 100644
+--- a/arch/arm/boot/dts/imx6dl.dtsi
++++ b/arch/arm/boot/dts/imx6dl.dtsi
+@@ -63,6 +63,9 @@
+ ocram: sram@00900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-imx6q-add-missing-properties-for-sram.patch b/queue-4.9/arm-dts-imx6q-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..f4536e13409
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6q-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From 462a5474f6bbaf88efcd0006fe3b362fe7af22f5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:31 +0200
+Subject: ARM: dts: imx6q: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit b11d083c5dcec7c42fe982c854706d404ddd3a5f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6q.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6q.dtsi b/arch/arm/boot/dts/imx6q.dtsi
+index 908b269a016b..692afd2f5dd4 100644
+--- a/arch/arm/boot/dts/imx6q.dtsi
++++ b/arch/arm/boot/dts/imx6q.dtsi
+@@ -82,6 +82,9 @@
+ ocram: sram@00900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x40000>;
++ ranges = <0 0x00900000 0x40000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-imx6qp-add-missing-properties-for-sram.patch b/queue-4.9/arm-dts-imx6qp-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..a39b32a6a90
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6qp-add-missing-properties-for-sram.patch
@@ -0,0 +1,47 @@
+From 0a35c218eeb04aa3e91eb701ce5666c585887b72 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:33 +0200
+Subject: ARM: dts: imx6qp: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 088fe5237435ee2f7ed4450519b2ef58b94c832f ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@940000: '#address-cells' is a required property
+sram@940000: '#size-cells' is a required property
+sram@940000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6qp.dtsi | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6qp.dtsi b/arch/arm/boot/dts/imx6qp.dtsi
+index 886dbf2eca49..711ab061c81d 100644
+--- a/arch/arm/boot/dts/imx6qp.dtsi
++++ b/arch/arm/boot/dts/imx6qp.dtsi
+@@ -47,12 +47,18 @@
+ ocram2: sram@00940000 {
+ compatible = "mmio-sram";
+ reg = <0x00940000 0x20000>;
++ ranges = <0 0x00940000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+ ocram3: sram@00960000 {
+ compatible = "mmio-sram";
+ reg = <0x00960000 0x20000>;
++ ranges = <0 0x00960000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6QDL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-imx6sl-add-missing-properties-for-sram.patch b/queue-4.9/arm-dts-imx6sl-add-missing-properties-for-sram.patch
new file mode 100644
index 00000000000..b30da09d761
--- /dev/null
+++ b/queue-4.9/arm-dts-imx6sl-add-missing-properties-for-sram.patch
@@ -0,0 +1,38 @@
+From 342e2fc6d13b56c8ed98fc83b3f34466ba73a3c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 07:53:34 +0200
+Subject: ARM: dts: imx6sl: add missing properties for sram
+
+From: Alexander Stein
+
+[ Upstream commit 60c9213a1d9941a8b33db570796c3f9be8984974 ]
+
+All 3 properties are required by sram.yaml. Fixes the dtbs_check warning:
+sram@900000: '#address-cells' is a required property
+sram@900000: '#size-cells' is a required property
+sram@900000: 'ranges' is a required property
+
+Signed-off-by: Alexander Stein
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6sl.dtsi | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/arch/arm/boot/dts/imx6sl.dtsi b/arch/arm/boot/dts/imx6sl.dtsi
+index a2c76797e871..a9a53a78de03 100644
+--- a/arch/arm/boot/dts/imx6sl.dtsi
++++ b/arch/arm/boot/dts/imx6sl.dtsi
+@@ -102,6 +102,9 @@
+ ocram: sram@00900000 {
+ compatible = "mmio-sram";
+ reg = <0x00900000 0x20000>;
++ ranges = <0 0x00900000 0x20000>;
++ #address-cells = <1>;
++ #size-cells = <1>;
+ clocks = <&clks IMX6SL_CLK_OCRAM>;
+ };
+
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch b/queue-4.9/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
new file mode 100644
index 00000000000..569f91eef32
--- /dev/null
+++ b/queue-4.9/arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
@@ -0,0 +1,60 @@
+From 3f08e48e18f8e8b72b227d2f0bbf0f5b40941c26 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 25 Jul 2022 18:16:22 +0800
+Subject: ARM: dts: imx7d-sdb: config the max pressure for tsc2046
+
+From: Haibo Chen
+
+[ Upstream commit e7c4ebe2f9cd68588eb24ba4ed122e696e2d5272 ]
+
+Use the general touchscreen method to config the max pressure for
+touch tsc2046(data sheet suggest 8 bit pressure), otherwise, for
+ABS_PRESSURE, when config the same max and min value, weston will
+meet the following issue,
+
+[17:19:39.183] event1 - ADS7846 Touchscreen: is tagged by udev as: Touchscreen
+[17:19:39.183] event1 - ADS7846 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE
+[17:19:39.183] event1 - ADS7846 Touchscreen: was rejected
+[17:19:39.183] event1 - not using input device '/dev/input/event1'
+
+This will then cause the APP weston-touch-calibrator can't list touch devices.
+
+root@imx6ul7d:~# weston-touch-calibrator
+could not load cursor 'dnd-move'
+could not load cursor 'dnd-copy'
+could not load cursor 'dnd-none'
+No devices listed.
+
+And accroding to binding Doc, "ti,x-max", "ti,y-max", "ti,pressure-max"
+belong to the deprecated properties, so remove them. Also for "ti,x-min",
+"ti,y-min", "ti,x-plate-ohms", the value set in dts equal to the default
+value in driver, so are redundant, also remove here.
+
+Signed-off-by: Haibo Chen
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx7d-sdb.dts | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+diff --git a/arch/arm/boot/dts/imx7d-sdb.dts b/arch/arm/boot/dts/imx7d-sdb.dts
+index 2f33c463cbce..83867357f135 100644
+--- a/arch/arm/boot/dts/imx7d-sdb.dts
++++ b/arch/arm/boot/dts/imx7d-sdb.dts
+@@ -126,12 +126,7 @@
+ interrupt-parent = <&gpio2>;
+ interrupts = <29 0>;
+ pendown-gpio = <&gpio2 29 GPIO_ACTIVE_HIGH>;
+- ti,x-min = /bits/ 16 <0>;
+- ti,x-max = /bits/ 16 <0>;
+- ti,y-min = /bits/ 16 <0>;
+- ti,y-max = /bits/ 16 <0>;
+- ti,pressure-max = /bits/ 16 <0>;
+- ti,x-plate-ohms = /bits/ 16 <400>;
++ touchscreen-max-pressure = <255>;
+ wakeup-source;
+ };
+ };
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-kirkwood-lsxl-fix-serial-line.patch b/queue-4.9/arm-dts-kirkwood-lsxl-fix-serial-line.patch
new file mode 100644
index 00000000000..114d7cce490
--- /dev/null
+++ b/queue-4.9/arm-dts-kirkwood-lsxl-fix-serial-line.patch
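Review bot: The replacement property `touchscreen-max-pressure = <255>;` only takes effect if the ads7846/tsc2046 driver in the target tree parses the generic touchscreen bindings; nothing in this hunk shows that, and on a branch as old as 4.9 the driver may still read only the `ti,*` properties that this change deletes. In that case the node is left with no pressure limit from the device tree at all, and the min == max rejection quoted in the description may persist in another form. Confirm the driver side first, or keep a `ti,pressure-max = /bits/ 16 <255>;` line next to the new property for this branch.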
@@ -0,0 +1,50 @@
+From bac3a6c190ab8a224d30227a2e57e629e3d787de Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 02:10:24 +0200
+Subject: ARM: dts: kirkwood: lsxl: fix serial line
+
+From: Michael Walle
+
+[ Upstream commit 04eabc6ac10fda9424606d9a7ab6ab9a5d95350a ]
+
+Commit 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl
+settings") unknowingly broke the serial output on this board. Before
+this commit, the pinmux was still configured by the bootloader and the
+kernel didn't reconfigured it again. This was an oversight by the
+initial board support where the pinmux for the serial line was never
+configured by the kernel. But with this commit, the serial line will be
+reconfigured to the wrong pins. This is especially confusing, because
+the output still works, but the input doesn't. Presumingly, the input is
+reconfigured to MPP10, but the output is connected to both MPP11 and
+MPP5.
+
+Override the pinmux in the board device tree.
+
+Fixes: 327e15428977 ("ARM: dts: kirkwood: consolidate common pinctrl settings")
+Signed-off-by: Michael Walle
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index 8b7c6ce79a41..c330d96cc023 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -9,6 +9,11 @@
+
+ ocp@f1000000 {
+ pinctrl: pin-controller@10000 {
++ /* Non-default UART pins */
++ pmx_uart0: pmx-uart0 {
++ marvell,pins = "mpp4", "mpp5";
++ };
++
+ pmx_power_hdd: pmx-power-hdd {
+ marvell,pins = "mpp10";
+ marvell,function = "gpo";
+--
+2.35.1
+
diff --git a/queue-4.9/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch b/queue-4.9/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
new file mode 100644
index 00000000000..7560d9ef6e7
--- /dev/null
+++ b/queue-4.9/arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
@@ -0,0 +1,53 @@
+From 9e6822e0efd8142cb7f4f1acc940b6c427ef7184 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 16 Aug 2022 02:10:25 +0200
+Subject: ARM: dts: kirkwood: lsxl: remove first ethernet port
+
+From: Michael Walle
+
+[ Upstream commit 2d528eda7c96ce5c70f895854ecd5684bd5d80b9 ]
+
+Both the Linkstation LS-CHLv2 and the LS-XHL have only one ethernet
+port. This has always been wrong, i.e. the board code used to set up
+both ports, but the driver will play nice and return -ENODEV if the
+assiciated PHY is not found. Nevertheless, it is wrong. Remove it.
+
+Fixes: 876e23333511 ("ARM: kirkwood: add gigabit ethernet and mvmdio device tree nodes")
+Signed-off-by: Michael Walle
+Reviewed-by: Andrew Lunn
+Signed-off-by: Gregory CLEMENT
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/kirkwood-lsxl.dtsi | 11 -----------
+ 1 file changed, 11 deletions(-)
+
+diff --git a/arch/arm/boot/dts/kirkwood-lsxl.dtsi b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+index c330d96cc023..450b4de544e1 100644
+--- a/arch/arm/boot/dts/kirkwood-lsxl.dtsi
++++ b/arch/arm/boot/dts/kirkwood-lsxl.dtsi
+@@ -217,22 +217,11 @@
+ &mdio {
+ status = "okay";
+
+- ethphy0: ethernet-phy@0 {
+- reg = <0>;
+- };
+-
+ ethphy1: ethernet-phy@8 {
+ reg = <8>;
+ };
+ };
+
+-ð0 {
+- status = "okay";
+- ethernet0-port@0 {
+- phy-handle = <ðphy0>;
+- };
+-};
+-
+ ð1 {
+ status = "okay";
+ ethernet1-port@0 {
+--
+2.35.1
+
diff --git a/queue-4.9/arm-orion-fix-include-path.patch b/queue-4.9/arm-orion-fix-include-path.patch
new file mode 100644
index 00000000000..0f08e5f37a4
--- /dev/null
+++ b/queue-4.9/arm-orion-fix-include-path.patch
@@ -0,0 +1,39 @@
+From 4d516ecb23b8fac03311b18320f507a30db718e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Sep 2022 21:55:50 +0200
+Subject: ARM: orion: fix include path
+
+From: Arnd Bergmann
+
+[ Upstream commit 63872304bdb3decd5454f4dd210c25395278ed13 ]
+
+Now that CONFIG_ARCH_MULTIPLATFORM can be disabled anywhere,
+there is a build failure for plat-orion:
+
+arch/arm/plat-orion/irq.c:19:10: fatal error: plat/irq.h: No such file or directory
+
+Make the include path unconditional.
+
+Reported-by: kernel test robot
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/plat-orion/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/plat-orion/Makefile b/arch/arm/plat-orion/Makefile
+index 9433605cd290..06c3530d8ad5 100644
+--- a/arch/arm/plat-orion/Makefile
++++ b/arch/arm/plat-orion/Makefile
+@@ -1,7 +1,7 @@
+ #
+ # Makefile for the linux kernel.
+ #
+-ccflags-$(CONFIG_ARCH_MULTIPLATFORM) := -I$(srctree)/$(src)/include
++ccflags-y := -I$(srctree)/$(src)/include
+
+ orion-gpio-$(CONFIG_GPIOLIB) += gpio.o
+ obj-$(CONFIG_PLAT_ORION_LEGACY) += irq.o pcie.o time.o common.o mpp.o
+--
+2.35.1
+
diff --git a/queue-4.9/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch b/queue-4.9/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
new file mode 100644
index 00000000000..8b4bad6ddf6
--- /dev/null
+++ b/queue-4.9/asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
@@ -0,0 +1,69 @@ +From 57db505b7a6093bcfa105fd46af88874fe2f3c11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Sep 2022 21:43:54 +0800 +Subject: ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API + +From: Liang He + +[ Upstream commit bfb735a3ceff0bab6473bac275da96f9b2a06dec ] + +In eukrea_tlv320_probe(), we need to hold the reference returned +from of_find_compatible_node() which has increased the refcount +and then call of_node_put() with it when done. + +Fixes: 66f232908de2 ("ASoC: eukrea-tlv320: Add DT support.") +Co-authored-by: Kelin Wang +Signed-off-by: Liang He +Link: https://lore.kernel.org/r/20220914134354.3995587-1-windhl@126.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/fsl/eukrea-tlv320.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/sound/soc/fsl/eukrea-tlv320.c b/sound/soc/fsl/eukrea-tlv320.c +index 38132143b7d5..10da7fd2d054 100644 +--- a/sound/soc/fsl/eukrea-tlv320.c ++++ b/sound/soc/fsl/eukrea-tlv320.c +@@ -88,7 +88,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + int ret; + int int_port = 0, ext_port; + struct device_node *np = pdev->dev.of_node; +- struct device_node *ssi_np = NULL, *codec_np = NULL; ++ struct device_node *ssi_np = NULL, *codec_np = NULL, *tmp_np = NULL; + + eukrea_tlv320.dev = &pdev->dev; + if (np) { +@@ -145,7 +145,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + } + + if (machine_is_eukrea_cpuimx27() || +- of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux")) { ++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx21-audmux"))) { + imx_audmux_v1_configure_port(MX27_AUDMUX_HPCR1_SSI0, + IMX_AUDMUX_V1_PCR_SYN | + IMX_AUDMUX_V1_PCR_TFSDIR | +@@ -160,10 +160,11 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + IMX_AUDMUX_V1_PCR_SYN | + IMX_AUDMUX_V1_PCR_RXDSEL(MX27_AUDMUX_HPCR1_SSI0) + ); ++ of_node_put(tmp_np); + } else if (machine_is_eukrea_cpuimx25sd() || + 
machine_is_eukrea_cpuimx35sd() || + machine_is_eukrea_cpuimx51sd() || +- of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux")) { ++ (tmp_np = of_find_compatible_node(NULL, NULL, "fsl,imx31-audmux"))) { + if (!np) + ext_port = machine_is_eukrea_cpuimx25sd() ? + 4 : 3; +@@ -180,6 +181,7 @@ static int eukrea_tlv320_probe(struct platform_device *pdev) + IMX_AUDMUX_V2_PTCR_SYN, + IMX_AUDMUX_V2_PDCR_RXDSEL(int_port) + ); ++ of_node_put(tmp_np); + } else { + if (np) { + /* The eukrea,asoc-tlv320 driver was explicitly +-- +2.35.1 + diff --git a/queue-4.9/ata-fix-ata_id_has_devslp.patch b/queue-4.9/ata-fix-ata_id_has_devslp.patch new file mode 100644 index 00000000000..2ea0e439f70 --- /dev/null +++ b/queue-4.9/ata-fix-ata_id_has_devslp.patch 
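Review bot: The reference taken by `(tmp_np = of_find_compatible_node(...))` is only assigned when the preceding machine_is_*() tests are false, so both `of_node_put(tmp_np);` calls depend on tmp_np still being NULL after a short-circuit and on of_node_put(NULL) being a no-op. That holds with the `*tmp_np = NULL` initialiser added to the declaration, but a later edit can break it silently; a comment at the first put, `/* tmp_np stays NULL when machine_is_*() short-circuits the lookup */`, would record the assumption. eukrea_tlv320_probe() starts and ends outside these hunks, so an early return between lookup and put could not be ruled out from here.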
@@ -0,0 +1,57 @@ +From 66bbb53d56c68cdf7d5ed82892005fd2429156d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:33 +0200 +Subject: ata: fix ata_id_has_devslp() + +From: Niklas Cassel + +[ Upstream commit 9c6e09a434e1317e09b78b3b69cd384022ec9a03 ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 65fe1f0f66a5 ("ahci: implement aggressive SATA device sleep support") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 8e5e7bf4a37f..315a7eaba655 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -572,6 +572,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 2))) ++#define ata_id_has_devslp(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -584,7 +588,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_devslp(id) ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8)) + 
#define ata_id_has_ncq_autosense(id) \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)) + +-- +2.35.1 + diff --git a/queue-4.9/ata-fix-ata_id_has_dipm.patch b/queue-4.9/ata-fix-ata_id_has_dipm.patch new file mode 100644 index 00000000000..7ce2e55f3f5 --- /dev/null +++ b/queue-4.9/ata-fix-ata_id_has_dipm.patch 
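Review bot: The word-76 validity test is pasted verbatim into the new `ata_id_has_devslp()` macro, and the ncq_autosense and dipm patches later in this queue add two more copies, each a function-like macro that expands `id` three times. IDENTIFY data is supplied by the device, so this check is better kept in one typed place that the three predicates call, as sketched below (the helper name is only a suggestion). The dipm patch in particular replaces an existing `static inline bool ata_id_has_dipm(const u16 *id)` with a macro, so its callers lose the pointer type check and now receive the raw masked value rather than a bool.

```c
/* Word 78 is only meaningful when word 76 is neither 0000h nor FFFFh. */
static inline bool ata_id_sata_feature_supp(const u16 *id, unsigned int bit)
{
	u16 cap = id[ATA_ID_SATA_CAPABILITY];

	if (cap == 0x0000 || cap == 0xffff)
		return false;
	return id[ATA_ID_FEATURE_SUPP] & (1 << bit);
}

#define ata_id_has_devslp(id)	ata_id_sata_feature_supp((id), 8)
/* … unchanged: remaining ATA_ID_FEATURE_SUPP predicates … */
```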
@@ -0,0 +1,76 @@
+From a96ab9666ce854dab58d06cb53047a1bbca4a0ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 16 Sep 2022 14:28:35 +0200
+Subject: ata: fix ata_id_has_dipm()
+
+From: Niklas Cassel
+
+[ Upstream commit 630624cb1b5826d753ac8e01a0e42de43d66dedf ]
+
+ACS-5 section
+7.13.6.36 Word 78: Serial ATA features supported
+states that:
+
+If word 76 is not 0000h or FFFFh, word 78 reports the features supported
+by the device. If this word is not supported, the word shall be cleared
+to zero.
+
+(This text also exists in really old ACS standards, e.g. ACS-3.)
+
+The problem with ata_id_has_dipm() is that the while it performs a
+check against 0 and 0xffff, it performs the check against
+ATA_ID_FEATURE_SUPP (word 78), the same word where the feature bit
+is stored.
+
+Fix this by performing the check against ATA_ID_SATA_CAPABILITY
+(word 76), like required by the spec. The feature bit check itself
+is of course still performed against ATA_ID_FEATURE_SUPP (word 78).
+
+Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros
+(which already have this check), thus making it more likely that the
+next ATA_ID_FEATURE_SUPP macro that is added will include this check.
+
+Fixes: ca77329fb713 ("[libata] Link power management infrastructure")
+Signed-off-by: Niklas Cassel
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ include/linux/ata.h | 15 ++++-----------
+ 1 file changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/include/linux/ata.h b/include/linux/ata.h
+index 33e0786c3c51..33bee000ddab 100644
+--- a/include/linux/ata.h
++++ b/include/linux/ata.h
+@@ -580,6 +580,10 @@ struct ata_bmdma_prd {
+ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
+ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
+ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7)))
++#define ata_id_has_dipm(id) \
++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \
++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \
++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 3)))
+ #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10))
+ #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11))
+ #define ata_id_u32(id,n) \
+@@ -603,17 +607,6 @@ static inline bool ata_id_has_hipm(const u16 *id)
+ return val & (1 << 9);
+ }
+
+-static inline bool ata_id_has_dipm(const u16 *id)
+-{
+- u16 val = id[ATA_ID_FEATURE_SUPP];
+-
+- if (val == 0 || val == 0xffff)
+- return false;
+-
+- return val & (1 << 3);
+-}
+-
+-
+ static inline bool ata_id_has_fua(const u16 *id)
+ {
+ if ((id[ATA_ID_CFSSE] & 0xC000) != 0x4000)
+--
+2.35.1
+
diff --git a/queue-4.9/ata-fix-ata_id_has_ncq_autosense.patch b/queue-4.9/ata-fix-ata_id_has_ncq_autosense.patch
new file mode 100644
index 00000000000..d2246de2279
--- /dev/null
+++ b/queue-4.9/ata-fix-ata_id_has_ncq_autosense.patch
@@ -0,0 +1,58 @@ +From bddd1866058e2f3bdd1d2ff9c52a43784014dd6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:34 +0200 +Subject: ata: fix ata_id_has_ncq_autosense() + +From: Niklas Cassel + +[ Upstream commit a5fb6bf853148974dbde092ec1bde553bea5e49f ] + +ACS-5 section +7.13.6.36 Word 78: Serial ATA features supported +states that: + +If word 76 is not 0000h or FFFFh, word 78 reports the features supported +by the device. If this word is not supported, the word shall be cleared +to zero. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Additionally, move the macro to the other ATA_ID_FEATURE_SUPP macros +(which already have this check), thus making it more likely that the +next ATA_ID_FEATURE_SUPP macro that is added will include this check. + +Fixes: 5b01e4b9efa0 ("libata: Implement NCQ autosense") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index 315a7eaba655..33e0786c3c51 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -576,6 +576,10 @@ struct ata_bmdma_prd { + ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ + ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ + ((id)[ATA_ID_FEATURE_SUPP] & (1 << 8))) ++#define ata_id_has_ncq_autosense(id) \ ++ ((((id)[ATA_ID_SATA_CAPABILITY] != 0x0000) && \ ++ ((id)[ATA_ID_SATA_CAPABILITY] != 0xffff)) && \ ++ ((id)[ATA_ID_FEATURE_SUPP] & (1 << 7))) + #define ata_id_iordy_disable(id) ((id)[ATA_ID_CAPABILITY] & (1 << 10)) + #define ata_id_has_iordy(id) ((id)[ATA_ID_CAPABILITY] & (1 << 11)) + #define ata_id_u32(id,n) \ +@@ -588,8 +592,6 @@ struct ata_bmdma_prd { + + #define ata_id_cdb_intr(id) (((id)[ATA_ID_CONFIG] & 0x60) == 0x20) + #define ata_id_has_da(id) ((id)[ATA_ID_SATA_CAPABILITY_2] & (1 << 4)) +-#define ata_id_has_ncq_autosense(id) \ +- ((id)[ATA_ID_FEATURE_SUPP] & (1 << 
7)) + + static inline bool ata_id_has_hipm(const u16 *id) + { +-- +2.35.1 + diff --git a/queue-4.9/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch b/queue-4.9/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch new file mode 100644 index 00000000000..c5539e1dddc --- /dev/null +++ b/queue-4.9/ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch 
@@ -0,0 +1,72 @@ +From d64567358a7526853c0bd4ff535ff3e4a780a5cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Sep 2022 14:28:32 +0200 +Subject: ata: fix ata_id_sense_reporting_enabled() and + ata_id_has_sense_reporting() + +From: Niklas Cassel + +[ Upstream commit 690aa8c3ae308bc696ec8b1b357b995193927083 ] + +ACS-5 section +7.13.6.41 Words 85..87, 120: Commands and feature sets supported or enabled +states that: + +If bit 15 of word 86 is set to one, bit 14 of word 119 is set to one, +and bit 15 of word 119 is cleared to zero, then word 119 is valid. + +If bit 15 of word 86 is set to one, bit 14 of word 120 is set to one, +and bit 15 of word 120 is cleared to zero, then word 120 is valid. + +(This text also exists in really old ACS standards, e.g. ACS-3.) + +Currently, ata_id_sense_reporting_enabled() and +ata_id_has_sense_reporting() both check bit 15 of word 86, +but neither of them check that bit 14 of word 119 is set to one, +or that bit 15 of word 119 is cleared to zero. + +Additionally, make ata_id_sense_reporting_enabled() return false +if !ata_id_has_sense_reporting(), similar to how e.g. +ata_id_flush_ext_enabled() returns false if !ata_id_has_flush_ext(). 
+ +Fixes: e87fd28cf9a2 ("libata: Implement support for sense data reporting") +Signed-off-by: Niklas Cassel +Signed-off-by: Damien Le Moal +Signed-off-by: Sasha Levin +--- + include/linux/ata.h | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/linux/ata.h b/include/linux/ata.h +index fdb180367ba1..8e5e7bf4a37f 100644 +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -777,16 +777,21 @@ static inline bool ata_id_has_read_log_dma_ext(const u16 *id) + + static inline bool ata_id_has_sense_reporting(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!(id[ATA_ID_CFS_ENABLE_2] & BIT(15))) ++ return false; ++ if ((id[ATA_ID_COMMAND_SET_3] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_3] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_3] & BIT(6); + } + + static inline bool ata_id_sense_reporting_enabled(const u16 *id) + { +- if (!(id[ATA_ID_CFS_ENABLE_2] & (1 << 15))) ++ if (!ata_id_has_sense_reporting(id)) ++ return false; ++ /* ata_id_has_sense_reporting() == true, word 86 must have bit 15 set */ ++ if ((id[ATA_ID_COMMAND_SET_4] & (BIT(15) | BIT(14))) != BIT(14)) + return false; +- return id[ATA_ID_COMMAND_SET_4] & (1 << 6); ++ return id[ATA_ID_COMMAND_SET_4] & BIT(6); + } + + /** +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch b/queue-4.9/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch new file mode 100644 index 00000000000..f806dcd389a --- /dev/null +++ b/queue-4.9/bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch 
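Review bot: The new validity tests in `ata_id_has_sense_reporting()` and `ata_id_sense_reporting_enabled()` are written against `ATA_ID_COMMAND_SET_3` and `ATA_ID_COMMAND_SET_4`, while the commit text argues in terms of words 119 and 120, so the code cannot be checked against the standard without looking the indices up. A one-line comment above each mask test would close that gap, e.g. `/* word 119 is valid only if bit 14 is set and bit 15 is clear */`, with the matching text for word 120. The hunk also moves both helpers to `BIT()` while the macros in the previous patch of this queue use `(1 << n)`; presumably `BIT()` is already reachable from this header in the 4.9 tree, which is worth confirming for the backport.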
@@ -0,0 +1,67 @@ +From e1777a577b87056923f6673c0a98a784cd10c357 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 10:56:59 -0700 +Subject: Bluetooth: hci_sysfs: Fix attempting to call device_add multiple + times + +From: Luiz Augusto von Dentz + +[ Upstream commit 448a496f760664d3e2e79466aa1787e6abc922b5 ] + +device_add shall not be called multiple times as stated in its +documentation: + + 'Do not call this routine or device_register() more than once for + any device structure' + +Syzkaller reports a bug as follows [1]: +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:33! +invalid opcode: 0000 [#1] PREEMPT SMP KASAN +[...] +Call Trace: + + __list_add include/linux/list.h:69 [inline] + list_add_tail include/linux/list.h:102 [inline] + kobj_kset_join lib/kobject.c:164 [inline] + kobject_add_internal+0x18f/0x8f0 lib/kobject.c:214 + kobject_add_varg lib/kobject.c:358 [inline] + kobject_add+0x150/0x1c0 lib/kobject.c:410 + device_add+0x368/0x1e90 drivers/base/core.c:3452 + hci_conn_add_sysfs+0x9b/0x1b0 net/bluetooth/hci_sysfs.c:53 + hci_le_cis_estabilished_evt+0x57c/0xae0 net/bluetooth/hci_event.c:6799 + hci_le_meta_evt+0x2b8/0x510 net/bluetooth/hci_event.c:7110 + hci_event_func net/bluetooth/hci_event.c:7440 [inline] + hci_event_packet+0x63d/0xfd0 net/bluetooth/hci_event.c:7495 + hci_rx_work+0xae7/0x1230 net/bluetooth/hci_core.c:4007 + process_one_work+0x991/0x1610 kernel/workqueue.c:2289 + worker_thread+0x665/0x1080 kernel/workqueue.c:2436 + kthread+0x2e4/0x3a0 kernel/kthread.c:376 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306 + + +Link: https://syzkaller.appspot.com/bug?id=da3246e2d33afdb92d66bc166a0934c5b146404a +Signed-off-by: Luiz Augusto von Dentz +Tested-by: Hawkins Jiawei +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_sysfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c +index cb7d06bb0243..37ec675b7bee 100644 +--- 
a/net/bluetooth/hci_sysfs.c ++++ b/net/bluetooth/hci_sysfs.c +@@ -47,6 +47,9 @@ void hci_conn_add_sysfs(struct hci_conn *conn) + + BT_DBG("conn %p", conn); + ++ if (device_is_registered(&conn->dev)) ++ return; ++ + dev_set_name(&conn->dev, "%s:%d", hdev->name, conn->handle); + + if (device_add(&conn->dev) < 0) { +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-l2cap-fix-user-after-free.patch b/queue-4.9/bluetooth-l2cap-fix-user-after-free.patch new file mode 100644 index 00000000000..cf559cbcd3f --- /dev/null +++ b/queue-4.9/bluetooth-l2cap-fix-user-after-free.patch 
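Review bot: The added `device_is_registered(&conn->dev)` test in `hci_conn_add_sysfs()` is a check-then-act sequence, so it prevents a second `device_add()` only if all callers are serialized for a given connection; the hunk shows no lock being taken. If callers do hold the device lock, record that next to the check, e.g. `/* callers hold hdev->lock, so this cannot race with another add */` (to be confirmed against the callers, which are outside the hunk). The early return is also silent; a `BT_DBG("conn %p already registered", conn);` before it would keep a repeated add visible when debugging. The function body continues outside the hunk.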
@@ -0,0 +1,61 @@
+From 94d94c91626a190837fbede74952fbdfc8eef75f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 13:27:13 -0700
+Subject: Bluetooth: L2CAP: Fix user-after-free
+
+From: Luiz Augusto von Dentz
+
+[ Upstream commit 35fcbc4243aad7e7d020b7c1dfb14bb888b20a4f ]
+
+This uses l2cap_chan_hold_unless_zero() after calling
+__l2cap_get_chan_blah() to prevent the following trace:
+
+Bluetooth: l2cap_core.c:static void l2cap_chan_destroy(struct kref
+*kref)
+Bluetooth: chan 0000000023c4974d
+Bluetooth: parent 00000000ae861c08
+==================================================================
+BUG: KASAN: use-after-free in __mutex_waiter_is_first
+kernel/locking/mutex.c:191 [inline]
+BUG: KASAN: use-after-free in __mutex_lock_common
+kernel/locking/mutex.c:671 [inline]
+BUG: KASAN: use-after-free in __mutex_lock+0x278/0x400
+kernel/locking/mutex.c:729
+Read of size 8 at addr ffff888006a49b08 by task kworker/u3:2/389
+
+Link: https://lore.kernel.org/lkml/20220622082716.478486-1-lee.jones@linaro.org
+Signed-off-by: Luiz Augusto von Dentz
+Signed-off-by: Sungwoo Kim
+Signed-off-by: Sasha Levin
+---
+ net/bluetooth/l2cap_core.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
+index 42df17fa7f16..ec04a7ea5537 100644
+--- a/net/bluetooth/l2cap_core.c
++++ b/net/bluetooth/l2cap_core.c
+@@ -4039,6 +4039,12 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+ }
+
++ chan = l2cap_chan_hold_unless_zero(chan);
++ if (!chan) {
++ err = -EBADSLT;
++ goto unlock;
++ }
++
+ err = 0;
+
+ l2cap_chan_lock(chan);
+@@ -4068,6 +4074,7 @@ static int l2cap_connect_create_rsp(struct l2cap_conn *conn,
+ }
+
+ l2cap_chan_unlock(chan);
++ l2cap_chan_put(chan);
+
+ unlock:
+ mutex_unlock(&conn->chan_lock);
+--
+2.35.1
+
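Review bot: In `l2cap_connect_create_rsp()` the reference is taken only after the channel pointer has already been obtained, so the lookup-then-hold sequence is safe only while `conn->chan_lock` is held across both steps; the hunk shows that lock being released at the `unlock:` label but not where it is taken. A comment above the new call would record the reasoning, e.g. `/* chan was looked up under conn->chan_lock but may already be on its way to destruction */`. `l2cap_chan_hold_unless_zero()` is not defined in this patch, so the 4.9 queue presumably carries the patch that introduces it; that is worth confirming, since the file would not build without it. Both hunks cut into the function, whose start and end are outside the diff.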
diff --git a/queue-4.9/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch b/queue-4.9/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
new file mode 100644
index 00000000000..ef5ecbb1b3a
--- /dev/null
+++ b/queue-4.9/bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
@@ -0,0 +1,82 @@ +From 2b13ab72e0722b48cb67e9fd224282e3be8469b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 00:32:56 +0900 +Subject: Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() + +From: Tetsuo Handa + +[ Upstream commit 2d2cb3066f2c90cd8ca540b36ba7a55e7f2406e0 ] + +syzbot is reporting cancel_delayed_work() without INIT_DELAYED_WORK() at +l2cap_chan_del() [1], for CONF_NOT_COMPLETE flag (which meant to prevent +l2cap_chan_del() from calling cancel_delayed_work()) is cleared by timer +which fires before l2cap_chan_del() is called by closing file descriptor +created by socket(AF_BLUETOOTH, SOCK_STREAM, BTPROTO_L2CAP). + +l2cap_bredr_sig_cmd(L2CAP_CONF_REQ) and l2cap_bredr_sig_cmd(L2CAP_CONF_RSP) +are calling l2cap_ertm_init(chan), and they call l2cap_chan_ready() (which +clears CONF_NOT_COMPLETE flag) only when l2cap_ertm_init(chan) succeeded. + +l2cap_sock_init() does not call l2cap_ertm_init(chan), and it instead sets +CONF_NOT_COMPLETE flag by calling l2cap_chan_set_defaults(). However, when +connect() is requested, "command 0x0409 tx timeout" happens after 2 seconds + from connect() request, and CONF_NOT_COMPLETE flag is cleared after 4 +seconds from connect() request, for l2cap_conn_start() from +l2cap_info_timeout() callback scheduled by + + schedule_delayed_work(&conn->info_timer, L2CAP_INFO_TIMEOUT); + +in l2cap_connect() is calling l2cap_chan_ready(). + +Fix this problem by initializing delayed works used by L2CAP_MODE_ERTM +mode as soon as l2cap_chan_create() allocates a channel, like I did in +commit be8597239379f0f5 ("Bluetooth: initialize skb_queue_head at +l2cap_chan_create()"). 
+ +Link: https://syzkaller.appspot.com/bug?extid=83672956c7aa6af698b3 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index 474c12d4f8ba..42df17fa7f16 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -63,6 +63,9 @@ static void l2cap_send_disconn_req(struct l2cap_chan *chan, int err); + + static void l2cap_tx(struct l2cap_chan *chan, struct l2cap_ctrl *control, + struct sk_buff_head *skbs, u8 event); ++static void l2cap_retrans_timeout(struct work_struct *work); ++static void l2cap_monitor_timeout(struct work_struct *work); ++static void l2cap_ack_timeout(struct work_struct *work); + + static inline u8 bdaddr_type(u8 link_type, u8 bdaddr_type) + { +@@ -470,6 +473,9 @@ struct l2cap_chan *l2cap_chan_create(void) + write_unlock(&chan_list_lock); + + INIT_DELAYED_WORK(&chan->chan_timer, l2cap_chan_timeout); ++ INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); ++ INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); ++ INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); + + chan->state = BT_OPEN; + +@@ -3144,10 +3150,6 @@ int l2cap_ertm_init(struct l2cap_chan *chan) + chan->rx_state = L2CAP_RX_STATE_RECV; + chan->tx_state = L2CAP_TX_STATE_XMIT; + +- INIT_DELAYED_WORK(&chan->retrans_timer, l2cap_retrans_timeout); +- INIT_DELAYED_WORK(&chan->monitor_timer, l2cap_monitor_timeout); +- INIT_DELAYED_WORK(&chan->ack_timer, l2cap_ack_timeout); +- + skb_queue_head_init(&chan->srej_q); + + err = l2cap_seq_list_init(&chan->srej_list, chan->tx_win); +-- +2.35.1 + diff --git a/queue-4.9/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch b/queue-4.9/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch new file mode 100644 index 00000000000..08acf536c1c --- /dev/null 
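Review bot: `l2cap_chan_create()` now initialises `retrans_timer`, `monitor_timer` and `ack_timer` for every channel, including ones that never enter ERTM mode, and nothing at the call site says why. A comment above the three new lines would stop a later cleanup from moving them back into `l2cap_ertm_init()`, e.g. `/* ERTM timers are set up here so that cancel_delayed_work() is always safe on them */`. Both functions continue outside their hunks.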
+++ b/queue-4.9/bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch
@@ -0,0 +1,40 @@
+From 34ee3e2c9e97ea4941254b38f9ff269745470371 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 30 Sep 2022 14:28:43 +0800
+Subject: bnx2x: fix potential memory leak in bnx2x_tpa_stop()
+
+From: Jianglei Nie
+
+[ Upstream commit b43f9acbb8942b05252be83ac25a81cec70cc192 ]
+
+bnx2x_tpa_stop() allocates a memory chunk from new_data with
+bnx2x_frag_alloc(). The new_data should be freed when gets some error.
+But when "pad + len > fp->rx_buf_size" is true, bnx2x_tpa_stop() returns
+without releasing the new_data, which will lead to a memory leak.
+
+We should free the new_data with bnx2x_frag_free() when "pad + len >
+fp->rx_buf_size" is true.
+
+Fixes: 07b0f00964def8af9321cfd6c4a7e84f6362f728 ("bnx2x: fix possible panic under memory stress")
+Signed-off-by: Jianglei Nie
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index 9d7f491931ce..36108b26d804 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -792,6 +792,7 @@ static void bnx2x_tpa_stop(struct bnx2x *bp, struct bnx2x_fastpath *fp,
+ BNX2X_ERR("skb_put is about to fail... pad %d len %d rx_buf_size %d\n",
+ pad, len, fp->rx_buf_size);
+ bnx2x_panic();
++ bnx2x_frag_free(fp, new_data);
+ return;
+ }
+ #endif
+--
+2.35.1
+
diff --git a/queue-4.9/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch b/queue-4.9/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
new file mode 100644
index 00000000000..5f7028d6f73
--- /dev/null
+++ b/queue-4.9/can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
@@ -0,0 +1,53 @@
+From 02566247de2b953ef5679bb8290de6a18f13e5fe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 15 Sep 2022 09:55:56 +0800
+Subject: can: bcm: check the result of can_send() in bcm_can_tx()
+
+From: Ziyang Xuan
+
+[ Upstream commit 3fd7bfd28cfd68ae80a2fe92ea1615722cc2ee6e ]
+
+If can_send() fail, it should not update frames_abs counter
+in bcm_can_tx(). Add the result check for can_send() in bcm_can_tx().
+
+Suggested-by: Marc Kleine-Budde
+Suggested-by: Oliver Hartkopp
+Signed-off-by: Ziyang Xuan
+Link: https://lore.kernel.org/all/9851878e74d6d37aee2f1ee76d68361a46f89458.1663206163.git.william.xuanziyang@huawei.com
+Acked-by: Oliver Hartkopp
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Sasha Levin
+---
+ net/can/bcm.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/net/can/bcm.c b/net/can/bcm.c
+index bfb507223468..ece04ad50348 100644
+--- a/net/can/bcm.c
++++ b/net/can/bcm.c
+@@ -285,6 +285,7 @@ static void bcm_can_tx(struct bcm_op *op)
+ struct sk_buff *skb;
+ struct net_device *dev;
+ struct canfd_frame *cf = op->frames + op->cfsiz * op->currframe;
++ int err;
+
+ /* no target device? => exit */
+ if (!op->ifindex)
+@@ -309,11 +310,11 @@ static void bcm_can_tx(struct bcm_op *op)
+ /* send with loopback */
+ skb->dev = dev;
+ can_skb_set_owner(skb, op->sk);
+- can_send(skb, 1);
++ err = can_send(skb, 1);
++ if (!err)
++ op->frames_abs++;
+
+- /* update statistics */
+ op->currframe++;
+- op->frames_abs++;
+
+ /* reached last frame? */
+ if (op->currframe >= op->nframes)
+--
+2.35.1
+
diff --git a/queue-4.9/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch b/queue-4.9/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
new file mode 100644
index 00000000000..53d93644451
--- /dev/null
+++ b/queue-4.9/clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
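Review bot: In `bcm_can_tx()` the result of `can_send()` is now stored in `err` but used only to skip the `frames_abs` increment; `op->currframe` still advances, so a frame that failed to send is passed over without any trace. If that is the intended policy, state it at the assignment, e.g. `/* a failed send is not retried; only successful frames are counted */`. The function returns `void` (per the hunk header), so the error cannot reach the caller. The function body starts and ends outside the two hunks.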
@@ -0,0 +1,43 @@
+From fd79022c7a434e3a76ebef4b0463949635b742b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Sep 2022 16:10:37 +0200
+Subject: clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
+
+From: Stefan Wahren
+
+[ Upstream commit 0b919a3728691c172312dee99ba654055ccd8c84 ]
+
+The return value of bcm2835_clock_rate_from_divisor is always unsigned
+and also all caller expect this. So fix the declaration accordingly.
+
+Fixes: 41691b8862e2 ("clk: bcm2835: Add support for programming the audio domain clocks")
+Signed-off-by: Stefan Wahren
+Link: https://lore.kernel.org/r/20220904141037.38816-1-stefan.wahren@i2se.com
+Reviewed-by: Ivan T. Ivanov
+Reviewed-by: Florian Fainelli
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/bcm/clk-bcm2835.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/bcm/clk-bcm2835.c b/drivers/clk/bcm/clk-bcm2835.c
+index 3f16b553982d..87cd8fde3a02 100644
+--- a/drivers/clk/bcm/clk-bcm2835.c
++++ b/drivers/clk/bcm/clk-bcm2835.c
+@@ -902,9 +902,9 @@ static u32 bcm2835_clock_choose_div(struct clk_hw *hw,
+ return div;
+ }
+
+-static long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
+- unsigned long parent_rate,
+- u32 div)
++static unsigned long bcm2835_clock_rate_from_divisor(struct bcm2835_clock *clock,
++ unsigned long parent_rate,
++ u32 div)
+ {
+ const struct bcm2835_clock_data *data = clock->data;
+ u64 temp;
+--
+2.35.1
+
diff --git a/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch b/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
new file mode 100644
index 00000000000..41ac24ad755
--- /dev/null
+++ b/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
@@ -0,0 +1,37 @@
+From f83b268209373f5a703d93a40c7c3d1883d2756c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 18:38:34 +0400
+Subject: clk: tegra: Fix refcount leak in tegra114_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit db16a80c76ea395766913082b1e3f939dde29b2c ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 2cb5efefd6f7 ("clk: tegra: Implement clocks for Tegra114")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523143834.7587-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra114.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra114.c b/drivers/clk/tegra/clk-tegra114.c
+index 933b5dd698b8..c92d8f36a00a 100644
+--- a/drivers/clk/tegra/clk-tegra114.c
++++ b/drivers/clk/tegra/clk-tegra114.c
+@@ -1342,6 +1342,7 @@ static void __init tegra114_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
diff --git a/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch b/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
new file mode 100644
index 00000000000..c9ed7601d10
--- /dev/null
+++ b/queue-4.9/clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
@@ -0,0 +1,37 @@
+From 555114945836f75348f4ed574e980647dfaecdee Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 18:26:08 +0400
+Subject: clk: tegra: Fix refcount leak in tegra210_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit 56c78cb1f00a9dde8cd762131ce8f4c5eb046fbb ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 6b301a059eb2 ("clk: tegra: Add support for Tegra210 clocks")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523142608.65074-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra210.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra210.c b/drivers/clk/tegra/clk-tegra210.c
+index 2896d2e783ce..21b426d508aa 100644
+--- a/drivers/clk/tegra/clk-tegra210.c
++++ b/drivers/clk/tegra/clk-tegra210.c
+@@ -2706,6 +2706,7 @@ static void __init tegra210_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ WARN_ON(1);
+--
+2.35.1
+
diff --git a/queue-4.9/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch b/queue-4.9/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
new file mode 100644
index 00000000000..92936f5e76f
--- /dev/null
+++ b/queue-4.9/clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
@@ -0,0 +1,37 @@
+From 01e60f20c4b608ba7b90935c59de85a2b77de776 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 19:28:11 +0400
+Subject: clk: tegra20: Fix refcount leak in tegra20_clock_init
+
+From: Miaoqian Lin
+
+[ Upstream commit 4e343bafe03ff68a62f48f8235cf98f2c685468b ]
+
+of_find_matching_node() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when not need anymore.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 37c26a906527 ("clk: tegra: add clock support for Tegra20")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220523152811.19692-1-linmq006@gmail.com
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/tegra/clk-tegra20.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
+index 837e5cbd60e9..4c9038e73888 100644
+--- a/drivers/clk/tegra/clk-tegra20.c
++++ b/drivers/clk/tegra/clk-tegra20.c
+@@ -1101,6 +1101,7 @@ static void __init tegra20_clock_init(struct device_node *np)
+ }
+
+ pmc_base = of_iomap(node, 0);
++ of_node_put(node);
+ if (!pmc_base) {
+ pr_err("Can't map pmc registers\n");
+ BUG();
+--
+2.35.1
+
diff --git a/queue-4.9/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch b/queue-4.9/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
new file mode 100644
index 00000000000..ca3c4d57a55
--- /dev/null
+++ b/queue-4.9/clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
@@ -0,0 +1,60 @@
+From a1bd61db9d35bb1a0d05d3fb3fe7ea4aefaf3d6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 07:08:36 +0400
+Subject: clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 9c59a01caba26ec06fefd6ca1f22d5fd1de57d63 ]
+
+pm_runtime_get_sync() will increment pm usage counter.
+Forgetting to putting operation will result in reference leak.
+Add missing pm_runtime_put_sync in some error paths.
+
+Fixes: 9ac33b0ce81f ("CLK: TI: Driver for DRA7 ATL (Audio Tracking Logic)")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220602030838.52057-1-linmq006@gmail.com
+Reviewed-by: Tony Lindgren
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/ti/clk-dra7-atl.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/clk/ti/clk-dra7-atl.c b/drivers/clk/ti/clk-dra7-atl.c
+index 7d060ffe8975..9b1f9af35a23 100644
+--- a/drivers/clk/ti/clk-dra7-atl.c
++++ b/drivers/clk/ti/clk-dra7-atl.c
+@@ -249,14 +249,16 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (rc) {
+ pr_err("%s: failed to lookup atl clock %d\n", __func__,
+ i);
+- return -EINVAL;
++ ret = -EINVAL;
++ goto pm_put;
+ }
+
+ clk = of_clk_get_from_provider(&clkspec);
+ if (IS_ERR(clk)) {
+ pr_err("%s: failed to get atl clock %d from provider\n",
+ __func__, i);
+- return PTR_ERR(clk);
++ ret = PTR_ERR(clk);
++ goto pm_put;
+ }
+
+ cdesc = to_atl_desc(__clk_get_hw(clk));
+@@ -289,8 +291,9 @@ static int of_dra7_atl_clk_probe(struct platform_device *pdev)
+ if (cdesc->enabled)
+ atl_clk_enable(__clk_get_hw(clk));
+ }
+- pm_runtime_put_sync(cinfo->dev);
+
++pm_put:
++ pm_runtime_put_sync(cinfo->dev);
+ return ret;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch b/queue-4.9/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
new file mode 100644
index 00000000000..3fc35d64bdd
--- /dev/null
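Review bot: Both new `goto pm_put` exits in `of_dra7_atl_clk_probe()` appear to be taken from inside the per-clock loop (the messages print the index `i`), and the shared exit only drops the runtime-PM reference, so clocks handled in earlier iterations, including any enabled through `atl_clk_enable()`, seem to be left as they are when probe fails. Whether that needs unwinding depends on code outside the hunks. If it is deliberate, a comment at the label would say so, e.g. `/* earlier clocks stay configured; only the PM reference is dropped */`. The function starts before the first hunk.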
+++ b/queue-4.9/dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch 
@@ -0,0 +1,61 @@ +From 7fdf005077d9a0a2a28f72089b09c9ff47d9ba11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 19 Sep 2022 09:58:42 -0700 +Subject: dmaengine: ioat: stop mod_timer from resurrecting deleted timer in + __cleanup() + +From: Dave Jiang + +[ Upstream commit 898ec89dbb55b8294695ad71694a0684e62b2a73 ] + +User reports observing timer event report channel halted but no error +observed in CHANERR register. The driver finished self-test and released +channel resources. Debug shows that __cleanup() can call +mod_timer() after the timer has been deleted and thus resurrect the +timer. While harmless, it causes suprious error message to be emitted. +Use mod_timer_pending() call to prevent deleted timer from being +resurrected. + +Fixes: 3372de5813e4 ("dmaengine: ioatdma: removal of dma_v3.c and relevant ioat3 references") +Signed-off-by: Dave Jiang +Link: https://lore.kernel.org/r/166360672197.3851724.17040290563764838369.stgit@djiang5-desk3.ch.intel.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/ioat/dma.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/dma/ioat/dma.c b/drivers/dma/ioat/dma.c +index c5a45c57b8b8..36189a3337b1 100644 +--- a/drivers/dma/ioat/dma.c ++++ b/drivers/dma/ioat/dma.c +@@ -663,7 +663,7 @@ static void __cleanup(struct ioatdma_chan *ioat_chan, dma_addr_t phys_complete) + if (active - i == 0) { + dev_dbg(to_dev(ioat_chan), "%s: cancel completion timeout\n", + __func__); +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + } + + /* 5 microsecond delay per pending descriptor */ +@@ -685,7 +685,7 @@ static void ioat_cleanup(struct ioatdma_chan *ioat_chan) + + if (chanerr & + (IOAT_CHANERR_HANDLE_MASK | IOAT_CHANERR_RECOVER_MASK)) { +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + ioat_eh(ioat_chan); + } + } +@@ -877,7 +877,7 
@@ static void check_active(struct ioatdma_chan *ioat_chan) + } + + if (test_and_clear_bit(IOAT_CHAN_ACTIVE, &ioat_chan->state)) +- mod_timer(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); ++ mod_timer_pending(&ioat_chan->timer, jiffies + IDLE_TIMEOUT); + } + + void ioat_timer_event(unsigned long data) +-- +2.35.1 + diff --git a/queue-4.9/drivers-serial-jsm-fix-some-leaks-in-probe.patch b/queue-4.9/drivers-serial-jsm-fix-some-leaks-in-probe.patch new file mode 100644 index 00000000000..68d8dd462b6 --- /dev/null +++ b/queue-4.9/drivers-serial-jsm-fix-some-leaks-in-probe.patch @@ -0,0 +1,37 @@ +From 916eeb1cc9629f62c5b5a6ec1fac904f6f7d03b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Sep 2022 14:22:47 +0300 +Subject: drivers: serial: jsm: fix some leaks in probe + +From: Dan Carpenter + +[ Upstream commit 1d5859ef229e381f4db38dce8ed58e4bf862006b ] + +This error path needs to unwind instead of just returning directly. + +Fixes: 03a8482c17dd ("drivers: serial: jsm: Enable support for Digi Classic adapters") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YyxFh1+lOeZ9WfKO@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/jsm/jsm_driver.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/jsm/jsm_driver.c b/drivers/tty/serial/jsm/jsm_driver.c +index a119f11bf2f4..3971abb0963c 100644 +--- a/drivers/tty/serial/jsm/jsm_driver.c ++++ b/drivers/tty/serial/jsm/jsm_driver.c +@@ -221,7 +221,8 @@ static int jsm_probe_one(struct pci_dev *pdev, const struct pci_device_id *ent) + + break; + default: +- return -ENXIO; ++ rc = -ENXIO; ++ goto out_kfree_brd; + } + + rc = request_irq(brd->irq, brd->bd_ops->intr, IRQF_SHARED, "JSM", brd); +-- +2.35.1 + diff --git a/queue-4.9/drm-amdgpu-fix-initial-connector-audio-value.patch b/queue-4.9/drm-amdgpu-fix-initial-connector-audio-value.patch new file mode 100644 index 00000000000..b1f471d60c8 --- /dev/null 
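Review bot: All three call sites (`__cleanup()`, `ioat_cleanup()` and `check_active()`) now use `mod_timer_pending()`, which only re-arms a timer that is still pending, so each of them silently does nothing when the timer is inactive. That is the intent for a deleted timer, but in `check_active()` the call follows `test_and_clear_bit(IOAT_CHAN_ACTIVE, ...)`, and if the timer can be inactive there for any other reason the idle timeout would never be scheduled; this depends on code outside the hunks and should be confirmed. A comment at one of the sites would record the assumption, e.g. `/* timer is expected to be pending here; never re-arm it after deletion */`.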
+++ b/queue-4.9/drm-amdgpu-fix-initial-connector-audio-value.patch 
@@ -0,0 +1,64 @@ +From effcd838ac713ac8714b5d25d556080ae7214508 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 17:24:53 +0800 +Subject: drm/amdgpu: fix initial connector audio value + +From: hongao + +[ Upstream commit 4bb71fce58f30df3f251118291d6b0187ce531e6 ] + +This got lost somewhere along the way, This fixes +audio not working until set_property was called. + +Signed-off-by: hongao +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index 7264169d5f2a..7c266dbb88a1 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -1760,10 +1760,12 @@ amdgpu_connector_add(struct amdgpu_device *adev, + adev->mode_info.dither_property, + AMDGPU_FMT_DITHER_DISABLE); + +- if (amdgpu_audio != 0) ++ if (amdgpu_audio != 0) { + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; ++ } + + subpixel_order = SubPixelHorizontalRGB; + connector->interlace_allowed = true; +@@ -1868,6 +1870,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1916,6 +1919,7 @@ amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +@@ -1961,6 +1965,7 @@ 
amdgpu_connector_add(struct amdgpu_device *adev, + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.audio_property, + AMDGPU_AUDIO_AUTO); ++ amdgpu_connector->audio = AMDGPU_AUDIO_AUTO; + } + drm_object_attach_property(&amdgpu_connector->base.base, + adev->mode_info.dither_property, +-- +2.35.1 + diff --git a/queue-4.9/drm-mipi-dsi-detach-devices-when-removing-the-host.patch b/queue-4.9/drm-mipi-dsi-detach-devices-when-removing-the-host.patch new file mode 100644 index 00000000000..69241d08c0a --- /dev/null +++ b/queue-4.9/drm-mipi-dsi-detach-devices-when-removing-the-host.patch @@ -0,0 +1,41 @@ +From c3b00cb2de4a033b346d48e11c22dffa79515830 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Jul 2022 19:38:31 +0200 +Subject: drm/mipi-dsi: Detach devices when removing the host + +From: Maxime Ripard + +[ Upstream commit 668a8f17b5290d04ef7343636a5588a0692731a1 ] + +Whenever the MIPI-DSI host is unregistered, the code of +mipi_dsi_host_unregister() loops over every device currently found on that +bus and will unregister it. + +However, it doesn't detach it from the bus first, which leads to all kind +of resource leaks if the host wants to perform some clean up whenever a +device is detached. + +Fixes: 068a00233969 ("drm: Add MIPI DSI bus support") +Acked-by: Thomas Zimmermann +Signed-off-by: Maxime Ripard +Link: https://lore.kernel.org/r/20220711173939.1132294-2-maxime@cerno.tech +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index 99415808e9f9..af80cf8030b8 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -305,6 +305,7 @@ static int mipi_dsi_remove_device_fn(struct device *dev, void *priv) + { + struct mipi_dsi_device *dsi = to_mipi_dsi_device(dev); + ++ mipi_dsi_detach(dsi); + mipi_dsi_device_unregister(dsi); + + return 0; +-- +2.35.1 + 
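Review bot: The same pair of statements, attaching `audio_property` with `AMDGPU_AUDIO_AUTO` and then setting `amdgpu_connector->audio = AMDGPU_AUDIO_AUTO`, is now repeated at four places in `amdgpu_connector_add()`, and the commit text says the assignment was already lost once. Keeping the property default and the cached field in one place would stop them drifting apart again, for example a small static helper taking `adev` and `amdgpu_connector` that does both; no such helper is visible in the hunks. Short of that, a comment at the first site, `/* keep connector->audio in sync with the property default */`, would at least explain the pairing. The function extends well beyond the four hunks.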
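Review bot: `mipi_dsi_remove_device_fn()` now calls `mipi_dsi_detach(dsi)` unconditionally and discards its result, so the host's detach path runs for every device on the bus whether or not it was ever attached, and possibly a second time if the device's driver detaches itself while being unregistered on the next line. Whether host drivers tolerate that cannot be seen from this hunk; if `mipi_dsi_detach()` is not idempotent, the call needs a guard that tracks attachment. At minimum the ignored return value deserves a comment, e.g. `/* best effort: the device may not be attached */`.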
diff --git a/queue-4.9/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch b/queue-4.9/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
new file mode 100644
index 00000000000..2f444339652
--- /dev/null
+++ b/queue-4.9/drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
@@ -0,0 +1,87 @@ +From 245333c3c8b948c52eea9a89fb5b9a921c51cc00 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 12:02:14 +0200 +Subject: drm: Prevent drm_copy_field() to attempt copying a NULL pointer + +From: Javier Martinez Canillas + +[ Upstream commit f6ee30407e883042482ad4ad30da5eaba47872ee ] + +There are some struct drm_driver fields that are required by drivers since +drm_copy_field() attempts to copy them to user-space via DRM_IOCTL_VERSION. + +But it can be possible that a driver has a bug and did not set some of the +fields, which leads to drm_copy_field() attempting to copy a NULL pointer: + +[ +10.395966] Unable to handle kernel access to user memory outside uaccess routines at virtual address 0000000000000000 +[ +0.010955] Mem abort info: +[ +0.002835] ESR = 0x0000000096000004 +[ +0.003872] EC = 0x25: DABT (current EL), IL = 32 bits +[ +0.005395] SET = 0, FnV = 0 +[ +0.003113] EA = 0, S1PTW = 0 +[ +0.003182] FSC = 0x04: level 0 translation fault +[ +0.004964] Data abort info: +[ +0.002919] ISV = 0, ISS = 0x00000004 +[ +0.003886] CM = 0, WnR = 0 +[ +0.003040] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000115dad000 +[ +0.006536] [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 +[ +0.006925] Internal error: Oops: 96000004 [#1] SMP +... 
+[ +0.011113] pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) +[ +0.007061] pc : __pi_strlen+0x14/0x150 +[ +0.003895] lr : drm_copy_field+0x30/0x1a4 +[ +0.004156] sp : ffff8000094b3a50 +[ +0.003355] x29: ffff8000094b3a50 x28: ffff8000094b3b70 x27: 0000000000000040 +[ +0.007242] x26: ffff443743c2ba00 x25: 0000000000000000 x24: 0000000000000040 +[ +0.007243] x23: ffff443743c2ba00 x22: ffff8000094b3b70 x21: 0000000000000000 +[ +0.007241] x20: 0000000000000000 x19: ffff8000094b3b90 x18: 0000000000000000 +[ +0.007241] x17: 0000000000000000 x16: 0000000000000000 x15: 0000aaab14b9af40 +[ +0.007241] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 +[ +0.007239] x11: 0000000000000000 x10: 0000000000000000 x9 : ffffa524ad67d4d8 +[ +0.007242] x8 : 0101010101010101 x7 : 7f7f7f7f7f7f7f7f x6 : 6c6e6263606e7141 +[ +0.007239] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 +[ +0.007241] x2 : 0000000000000000 x1 : ffff8000094b3b90 x0 : 0000000000000000 +[ +0.007240] Call trace: +[ +0.002475] __pi_strlen+0x14/0x150 +[ +0.003537] drm_version+0x84/0xac +[ +0.003448] drm_ioctl_kernel+0xa8/0x16c +[ +0.003975] drm_ioctl+0x270/0x580 +[ +0.003448] __arm64_sys_ioctl+0xb8/0xfc +[ +0.003978] invoke_syscall+0x78/0x100 +[ +0.003799] el0_svc_common.constprop.0+0x4c/0xf4 +[ +0.004767] do_el0_svc+0x38/0x4c +[ +0.003357] el0_svc+0x34/0x100 +[ +0.003185] el0t_64_sync_handler+0x11c/0x150 +[ +0.004418] el0t_64_sync+0x190/0x194 +[ +0.003716] Code: 92402c04 b200c3e8 f13fc09f 5400088c (a9400c02) +[ +0.006180] ---[ end trace 0000000000000000 ]--- + +Reported-by: Peter Robinson +Signed-off-by: Javier Martinez Canillas +Acked-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-3-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index faa084ff4f17..ec505929cae7 
100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -421,6 +421,12 @@ static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { + size_t len; + ++ /* don't attempt to copy a NULL pointer */ ++ if (WARN_ONCE(!value, "BUG: the value to copy was not set!")) { ++ *buf_len = 0; ++ return 0; ++ } ++ + /* don't overflow userbuf */ + len = strlen(value); + if (len > *buf_len) +-- +2.35.1 + diff --git a/queue-4.9/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch b/queue-4.9/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch new file mode 100644 index 00000000000..daa4c0656c0 --- /dev/null +++ b/queue-4.9/drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch 
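Review bot: The warning in the new NULL guard of drm_copy_field() does not say which field was unset, and because WARN_ONCE fires only once per call site, only the first missing field is ever reported. Later ones are silently returned to user-space as zero-length strings. The `return 0` also makes the ioctl succeed, so callers cannot tell an unset field from an empty one. I would extend the comment to record that choice, e.g. `/* driver bug: field not set; report an empty string instead of faulting in strlen() */`. The function body continues past the hunk.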
@@ -0,0 +1,48 @@ +From a2915427f37c113bfa0885965a8b2aed36970631 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Jul 2022 12:02:13 +0200 +Subject: drm: Use size_t type for len variable in drm_copy_field() + +From: Javier Martinez Canillas + +[ Upstream commit 94dc3471d1b2b58b3728558d0e3f264e9ce6ff59 ] + +The strlen() function returns a size_t which is an unsigned int on 32-bit +arches and an unsigned long on 64-bit arches. But in the drm_copy_field() +function, the strlen() return value is assigned to an 'int len' variable. + +Later, the len variable is passed as copy_from_user() third argument that +is an unsigned long parameter as well. + +In theory, this can lead to an integer overflow via type conversion. Since +the assignment happens to a signed int lvalue instead of a size_t lvalue. + +In practice though, that's unlikely since the values copied are set by DRM +drivers and not controlled by userspace. But using a size_t for len is the +correct thing to do anyways. + +Signed-off-by: Javier Martinez Canillas +Tested-by: Peter Robinson +Reviewed-by: Thomas Zimmermann +Link: https://patchwork.freedesktop.org/patch/msgid/20220705100215.572498-2-javierm@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/drm_ioctl.c b/drivers/gpu/drm/drm_ioctl.c +index 04b26ca06180..faa084ff4f17 100644 +--- a/drivers/gpu/drm/drm_ioctl.c ++++ b/drivers/gpu/drm/drm_ioctl.c +@@ -419,7 +419,7 @@ EXPORT_SYMBOL(drm_invalid_op); + */ + static int drm_copy_field(char __user *buf, size_t *buf_len, const char *value) + { +- int len; ++ size_t len; + + /* don't overflow userbuf */ + len = strlen(value); +-- +2.35.1 + diff --git a/queue-4.9/dyndbg-fix-module.dyndbg-handling.patch b/queue-4.9/dyndbg-fix-module.dyndbg-handling.patch new file mode 100644 index 00000000000..a3c32c69903 --- /dev/null +++ b/queue-4.9/dyndbg-fix-module.dyndbg-handling.patch 
@@ -0,0 +1,52 @@
+From 23a3d7b547eb214681fe5f05c457324ce38e37d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 4 Sep 2022 15:40:39 -0600
+Subject: dyndbg: fix module.dyndbg handling
+
+From: Jim Cromie
+
+[ Upstream commit 85d6b66d31c35158364058ee98fb69ab5bb6a6b1 ]
+
+For CONFIG_DYNAMIC_DEBUG=N, the ddebug_dyndbg_module_param_cb()
+stub-fn is too permissive:
+
+bash-5.1# modprobe drm JUNKdyndbg
+bash-5.1# modprobe drm dyndbgJUNK
+[ 42.933220] dyndbg param is supported only in CONFIG_DYNAMIC_DEBUG builds
+[ 42.937484] ACPI: bus type drm_connector registered
+
+This caused no ill effects, because unknown parameters are either
+ignored by default with an "unknown parameter" warning, or ignored
+because dyndbg allows its no-effect use on non-dyndbg builds.
+
+But since the code has an explicit feedback message, it should be
+issued accurately. Fix with strcmp for exact param-name match.
+
+Fixes: b48420c1d301 dynamic_debug: make dynamic-debug work for module initialization
+Reported-by: Rasmus Villemoes
+Acked-by: Jason Baron
+Acked-by: Daniel Vetter
+Signed-off-by: Jim Cromie
+Link: https://lore.kernel.org/r/20220904214134.408619-3-jim.cromie@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ include/linux/dynamic_debug.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/linux/dynamic_debug.h b/include/linux/dynamic_debug.h
+index 546d68057e3b..d8981b34d142 100644
+--- a/include/linux/dynamic_debug.h
++++ b/include/linux/dynamic_debug.h
+@@ -167,7 +167,7 @@ static inline int ddebug_remove_module(const char *mod)
+ static inline int ddebug_dyndbg_module_param_cb(char *param, char *val,
+ const char *modname)
+ {
+- if (strstr(param, "dyndbg")) {
++ if (!strcmp(param, "dyndbg")) {
+ /* avoid pr_warn(), which wants pr_fmt() fully defined */
+ printk(KERN_WARNING "dyndbg param is supported only in "
+ "CONFIG_DYNAMIC_DEBUG builds\n");
+--
+2.35.1
+
diff --git a/queue-4.9/dyndbg-let-query-modname-override-actual-module-name.patch b/queue-4.9/dyndbg-let-query-modname-override-actual-module-name.patch
new file mode 100644
index 00000000000..0ce4ca37477
--- /dev/null
+++ b/queue-4.9/dyndbg-let-query-modname-override-actual-module-name.patch
@@ -0,0 +1,80 @@ +From 54da6d194c4a295da954ea3227f0743daefb4291 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 15:40:44 -0600 +Subject: dyndbg: let query-modname override actual module name + +From: Jim Cromie + +[ Upstream commit e75ef56f74965f426dd819a41336b640ffdd8fbc ] + +dyndbg's control-parser: ddebug_parse_query(), requires that search +terms: module, func, file, lineno, are used only once in a query; a +thing cannot be named both foo and bar. + +The cited commit added an overriding module modname, taken from the +module loader, which is authoritative. So it set query.module 1st, +which disallowed its use in the query-string. + +But now, its useful to allow a module-load to enable classes across a +whole (or part of) a subsystem at once. + + # enable (dynamic-debug in) drm only + modprobe drm dyndbg="class DRM_UT_CORE +p" + + # get drm_helper too + modprobe drm dyndbg="class DRM_UT_CORE module drm* +p" + + # get everything that knows DRM_UT_CORE + modprobe drm dyndbg="class DRM_UT_CORE module * +p" + + # also for boot-args: + drm.dyndbg="class DRM_UT_CORE module * +p" + +So convert the override into a default, by filling it only when/after +the query-string omitted the module. + +NB: the query class FOO handling is forthcoming. 
+ +Fixes: 8e59b5cfb9a6 dynamic_debug: add modname arg to exec_query callchain +Acked-by: Jason Baron +Acked-by: Daniel Vetter +Signed-off-by: Jim Cromie +Link: https://lore.kernel.org/r/20220904214134.408619-8-jim.cromie@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + lib/dynamic_debug.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/lib/dynamic_debug.c b/lib/dynamic_debug.c +index 91c451e0f474..01591a7b151f 100644 +--- a/lib/dynamic_debug.c ++++ b/lib/dynamic_debug.c +@@ -327,10 +327,6 @@ static int ddebug_parse_query(char *words[], int nwords, + } + memset(query, 0, sizeof(*query)); + +- if (modname) +- /* support $modname.dyndbg= */ +- query->module = modname; +- + for (i = 0; i < nwords; i += 2) { + if (!strcmp(words[i], "func")) { + rc = check_set(&query->function, words[i+1], "func"); +@@ -379,6 +375,13 @@ static int ddebug_parse_query(char *words[], int nwords, + if (rc) + return rc; + } ++ if (!query->module && modname) ++ /* ++ * support $modname.dyndbg=, when ++ * not given in the query itself ++ */ ++ query->module = modname; ++ + vpr_info_dq(query, "parsed"); + return 0; + } +-- +2.35.1 + diff --git a/queue-4.9/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch b/queue-4.9/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch new file mode 100644 index 00000000000..586c94e7011 --- /dev/null +++ b/queue-4.9/f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch 
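Review bot: The relocated default in ddebug_parse_query() puts a four-line comment plus the assignment under an unbraced `if`, which is easy to misread and easy to break when a second statement is added. Kernel style normally braces a body that spans several lines: `if (!query->module && modname) { /* default to the loading module when the query names none */ query->module = modname; }`. The comment should also state that a `module` term in a `$modname.dyndbg=` string can now select callsites outside the module being loaded, since that is the behaviour change. Both hunks cut through the function, so the rest of the parser is not visible here.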
@@ -0,0 +1,55 @@
+From 36449fb3e74236087fd025f45fc4955d03a6698b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 5 Sep 2022 12:59:17 +0800
+Subject: f2fs: fix race condition on setting FI_NO_EXTENT flag
+
+From: Zhang Qilong
+
+[ Upstream commit 07725adc55c0a414c10acb5c8c86cea34b95ddef ]
+
+The following scenarios exist.
+process A: process B:
+->f2fs_drop_extent_tree ->f2fs_update_extent_cache_range
+ ->f2fs_update_extent_tree_range
+ ->write_lock
+ ->set_inode_flag
+ ->is_inode_flag_set
+ ->__free_extent_tree // Shouldn't
+ // have been
+ // cleaned up
+ // here
+ ->write_lock
+
+In this case, the "FI_NO_EXTENT" flag is set between
+f2fs_update_extent_tree_range and is_inode_flag_set
+by other process. it leads to clearing the whole exten
+tree which should not have happened. And we fix it by
+move the setting it to the range of write_lock.
+
+Fixes:5f281fab9b9a3 ("f2fs: disable extent_cache for fcollapse/finsert inodes")
+Signed-off-by: Zhang Qilong
+Reviewed-by: Chao Yu
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Sasha Levin
+---
+ fs/f2fs/extent_cache.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/fs/f2fs/extent_cache.c b/fs/f2fs/extent_cache.c
+index d7b8c8b5fc39..3f872145a988 100644
+--- a/fs/f2fs/extent_cache.c
++++ b/fs/f2fs/extent_cache.c
+@@ -650,9 +650,8 @@ void f2fs_drop_extent_tree(struct inode *inode)
+ if (!f2fs_may_extent_tree(inode))
+ return;
+
+- set_inode_flag(inode, FI_NO_EXTENT);
+-
+ write_lock(&et->lock);
++ set_inode_flag(inode, FI_NO_EXTENT);
+ __free_extent_tree(sbi, et);
+ __drop_largest_extent(inode, 0, UINT_MAX);
+ write_unlock(&et->lock);
+--
+2.35.1
+
diff --git a/queue-4.9/firmware-google-test-spinlock-on-panic-path-to-avoid.patch b/queue-4.9/firmware-google-test-spinlock-on-panic-path-to-avoid.patch
new file mode 100644
index 00000000000..49b26b3115a
--- /dev/null
+++ b/queue-4.9/firmware-google-test-spinlock-on-panic-path-to-avoid.patch
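Review bot: Nothing at the moved `set_inode_flag(inode, FI_NO_EXTENT);` in f2fs_drop_extent_tree() says that the flag has to be set under `et->lock`, so a later cleanup could hoist it back out and reintroduce the race described in the commit message. I would add `/* must be set under et->lock: the update path tests FI_NO_EXTENT while holding it */` above the call. That the update path checks the flag under the same lock is taken from the commit description, not from code in this hunk.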
@@ -0,0 +1,59 @@
+From 76b34484b82c663944a5d53b0b448899d08498b4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 9 Sep 2022 17:07:55 -0300
+Subject: firmware: google: Test spinlock on panic path to avoid lockups
+
+From: Guilherme G. Piccoli
+
+[ Upstream commit 3e081438b8e639cc76ef1a5ce0c1bd8a154082c7 ]
+
+Currently the gsmi driver registers a panic notifier as well as
+reboot and die notifiers. The callbacks registered are called in
+atomic and very limited context - for instance, panic disables
+preemption and local IRQs, also all secondary CPUs (not executing
+the panic path) are shutdown.
+
+With that said, taking a spinlock in this scenario is a dangerous
+invitation for lockup scenarios. So, fix that by checking if the
+spinlock is free to acquire in the panic notifier callback - if not,
+bail-out and avoid a potential hang.
+
+Fixes: 74c5b31c6618 ("driver: Google EFI SMI")
+Cc: Andrew Morton
+Cc: Ard Biesheuvel
+Cc: David Gow
+Cc: Greg Kroah-Hartman
+Cc: Julius Werner
+Cc: Petr Mladek
+Reviewed-by: Evan Green
+Signed-off-by: Guilherme G. Piccoli
+Link: https://lore.kernel.org/r/20220909200755.189679-1-gpiccoli@igalia.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/google/gsmi.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/drivers/firmware/google/gsmi.c b/drivers/firmware/google/gsmi.c
+index 98cdfc2ee0df..6fd5f6776735 100644
+--- a/drivers/firmware/google/gsmi.c
++++ b/drivers/firmware/google/gsmi.c
+@@ -661,6 +661,15 @@ static struct notifier_block gsmi_die_notifier = {
+ static int gsmi_panic_callback(struct notifier_block *nb,
+ unsigned long reason, void *arg)
+ {
++
++ /*
++ * Panic callbacks are executed with all other CPUs stopped,
++ * so we must not attempt to spin waiting for gsmi_dev.lock
++ * to be released.
++ */
++ if (spin_is_locked(&gsmi_dev.lock))
++ return NOTIFY_DONE;
++
+ gsmi_shutdown_reason(GSMI_SHUTDOWN_PANIC);
+ return NOTIFY_DONE;
+ }
+--
+2.35.1
+
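Review bot: When gsmi_panic_callback() finds `gsmi_dev.lock` held it returns without recording the shutdown reason and without leaving any trace, so a later post-mortem cannot tell a skipped record from a panic that never reached the notifier. A single line before the early return, for example `pr_emerg("gsmi: lock held during panic, shutdown reason not recorded\n");`, would make the gap visible in the console log. The empty added line directly after the opening brace is also stray and can be dropped.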
diff --git a/queue-4.9/hid-roccat-fix-use-after-free-in-roccat_read.patch b/queue-4.9/hid-roccat-fix-use-after-free-in-roccat_read.patch
new file mode 100644
index 00000000000..b2bc7e2d5fb
--- /dev/null
+++ b/queue-4.9/hid-roccat-fix-use-after-free-in-roccat_read.patch
@@ -0,0 +1,108 @@ +From 88a9dffa6b0cea279e1488f88fa99fb22eaaa4f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 12:31:15 -0700 +Subject: HID: roccat: Fix use-after-free in roccat_read() + +From: Hyunwoo Kim + +[ Upstream commit cacdb14b1c8d3804a3a7d31773bc7569837b71a4 ] + +roccat_report_event() is responsible for registering +roccat-related reports in struct roccat_device. + +int roccat_report_event(int minor, u8 const *data) +{ + struct roccat_device *device; + struct roccat_reader *reader; + struct roccat_report *report; + uint8_t *new_value; + + device = devices[minor]; + + new_value = kmemdup(data, device->report_size, GFP_ATOMIC); + if (!new_value) + return -ENOMEM; + + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ + kfree(report->value); + ... + +The registered report is stored in the struct roccat_device member +"struct roccat_report cbuf[ROCCAT_CBUF_SIZE];". +If more reports are received than the "ROCCAT_CBUF_SIZE" value, +kfree() the saved report from cbuf[0] and allocates a new reprot. +Since there is no lock when this kfree() is performed, +kfree() can be performed even while reading the saved report. + +static ssize_t roccat_read(struct file *file, char __user *buffer, + size_t count, loff_t *ppos) +{ + struct roccat_reader *reader = file->private_data; + struct roccat_device *device = reader->device; + struct roccat_report *report; + ssize_t retval = 0, len; + DECLARE_WAITQUEUE(wait, current); + + mutex_lock(&device->cbuf_lock); + + ... + + report = &device->cbuf[reader->cbuf_start]; + /* + * If report is larger than requested amount of data, rest of report + * is lost! + */ + len = device->report_size > count ? count : device->report_size; + + if (copy_to_user(buffer, report->value, len)) { + retval = -EFAULT; + goto exit_unlock; + } + ... + +The roccat_read() function receives the device->cbuf report and +delivers it to the user through copy_to_user(). 
+If the N+ROCCAT_CBUF_SIZE th report is received while copying of +the Nth report->value is in progress, the pointer that copy_to_user() +is working on is kfree()ed and UAF read may occur. (race condition) + +Since the device node of this driver does not set separate permissions, +this is not a security vulnerability, but because it is used for +requesting screen display of profile or dpi settings, +a user using the roccat device can apply udev to this device node or +There is a possibility to use it by giving. + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-roccat.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-roccat.c b/drivers/hid/hid-roccat.c +index 76d06cf87b2a..36eee9663962 100644 +--- a/drivers/hid/hid-roccat.c ++++ b/drivers/hid/hid-roccat.c +@@ -260,6 +260,8 @@ int roccat_report_event(int minor, u8 const *data) + if (!new_value) + return -ENOMEM; + ++ mutex_lock(&device->cbuf_lock); ++ + report = &device->cbuf[device->cbuf_end]; + + /* passing NULL is safe */ +@@ -279,6 +281,8 @@ int roccat_report_event(int minor, u8 const *data) + reader->cbuf_start = (reader->cbuf_start + 1) % ROCCAT_CBUF_SIZE; + } + ++ mutex_unlock(&device->cbuf_lock); ++ + wake_up_interruptible(&device->wait); + return 0; + } +-- +2.35.1 + diff --git a/queue-4.9/hid-topre-add-driver-fixing-report-descriptor.patch b/queue-4.9/hid-topre-add-driver-fixing-report-descriptor.patch new file mode 100644 index 00000000000..47c6cffcafe --- /dev/null +++ b/queue-4.9/hid-topre-add-driver-fixing-report-descriptor.patch 
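Review bot: The new `mutex_lock(&device->cbuf_lock);` in roccat_report_event() can sleep, while the allocation just above it uses `GFP_ATOMIC`, which suggests the function is expected to be callable from atomic context. If any caller reaches it from an interrupt-driven HID report path this would be a sleep-in-atomic bug; the callers are outside the hunk, so this needs confirming against them. If atomic callers exist, the ring buffer would need a spinlock instead, with the user copy in roccat_read() restructured so it does not run under that lock. At minimum the function should document the context it now requires, e.g. `/* may sleep: takes cbuf_lock; must not be called from atomic context */`.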
@@ -0,0 +1,139 @@ +From 490623c4ec034a3be3ff836c425322ecf4f4c5ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Sep 2022 20:36:13 -0400 +Subject: hid: topre: Add driver fixing report descriptor + +From: Harry Stern + +[ Upstream commit a109d5c45b3d6728b9430716b915afbe16eef27c ] + +The Topre REALFORCE R2 firmware incorrectly reports that interface +descriptor number 1, input report descriptor 2's events are array events +rather than variable events. That particular report descriptor is used +to report keypresses when there are more than 6 keys held at a time. +This bug prevents events from this interface from being registered +properly, so only 6 keypresses (from a different interface) can be +registered at once, rather than full n-key rollover. + +This commit fixes the bug by setting the correct value in a report_fixup +function. + +The original bug report can be found here: +Link: https://gitlab.freedesktop.org/libinput/libinput/-/issues/804 + +Thanks to Benjamin Tissoires for diagnosing the issue with the report +descriptor. + +Signed-off-by: Harry Stern +Signed-off-by: Benjamin Tissoires +Link: https://lore.kernel.org/r/20220911003614.297613-1-harry@harrystern.net +Signed-off-by: Sasha Levin +--- + drivers/hid/Kconfig | 6 +++++ + drivers/hid/Makefile | 1 + + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/hid-topre.c | 49 +++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 59 insertions(+) + create mode 100644 drivers/hid/hid-topre.c + +diff --git a/drivers/hid/Kconfig b/drivers/hid/Kconfig +index 2b5ae00f8df2..80c54cd437db 100644 +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -837,6 +837,12 @@ config HID_TOPSEED + Say Y if you have a TopSeed Cyberlink or BTC Emprex or Conceptronic + CLLRCMCE remote control. + ++config HID_TOPRE ++ tristate "Topre REALFORCE keyboards" ++ depends on HID ++ help ++ Say Y for N-key rollover support on Topre REALFORCE R2 108 key keyboards. 
++ + config HID_THINGM + tristate "ThingM blink(1) USB RGB LED" + depends on HID +diff --git a/drivers/hid/Makefile b/drivers/hid/Makefile +index 86b2b5785fd2..245878158850 100644 +--- a/drivers/hid/Makefile ++++ b/drivers/hid/Makefile +@@ -94,6 +94,7 @@ obj-$(CONFIG_HID_GREENASIA) += hid-gaff.o + obj-$(CONFIG_HID_THRUSTMASTER) += hid-tmff.o + obj-$(CONFIG_HID_TIVO) += hid-tivo.o + obj-$(CONFIG_HID_TOPSEED) += hid-topseed.o ++obj-$(CONFIG_HID_TOPRE) += hid-topre.o + obj-$(CONFIG_HID_TWINHAN) += hid-twinhan.o + obj-$(CONFIG_HID_UCLOGIC) += hid-uclogic.o + obj-$(CONFIG_HID_LED) += hid-led.o +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 1f641870d860..3ae9f6489f8f 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -1001,6 +1001,9 @@ + #define USB_DEVICE_ID_TIVO_SLIDE 0x1201 + #define USB_DEVICE_ID_TIVO_SLIDE_PRO 0x1203 + ++#define USB_VENDOR_ID_TOPRE 0x0853 ++#define USB_DEVICE_ID_TOPRE_REALFORCE_R2_108 0x0148 ++ + #define USB_VENDOR_ID_TOPSEED 0x0766 + #define USB_DEVICE_ID_TOPSEED_CYBERLINK 0x0204 + +diff --git a/drivers/hid/hid-topre.c b/drivers/hid/hid-topre.c +new file mode 100644 +index 000000000000..88a91cdad5f8 +--- /dev/null ++++ b/drivers/hid/hid-topre.c +@@ -0,0 +1,49 @@ ++// SPDX-License-Identifier: GPL-2.0+ ++/* ++ * HID driver for Topre REALFORCE Keyboards ++ * ++ * Copyright (c) 2022 Harry Stern ++ * ++ * Based on the hid-macally driver ++ */ ++ ++#include ++#include ++ ++#include "hid-ids.h" ++ ++MODULE_AUTHOR("Harry Stern "); ++MODULE_DESCRIPTION("REALFORCE R2 Keyboard driver"); ++MODULE_LICENSE("GPL"); ++ ++/* ++ * Fix the REALFORCE R2's non-boot interface's report descriptor to match the ++ * events it's actually sending. It claims to send array events but is instead ++ * sending variable events. 
++ */ ++static __u8 *topre_report_fixup(struct hid_device *hdev, __u8 *rdesc, ++ unsigned int *rsize) ++{ ++ if (*rsize >= 119 && rdesc[69] == 0x29 && rdesc[70] == 0xe7 && ++ rdesc[71] == 0x81 && rdesc[72] == 0x00) { ++ hid_info(hdev, ++ "fixing up Topre REALFORCE keyboard report descriptor\n"); ++ rdesc[72] = 0x02; ++ } ++ return rdesc; ++} ++ ++static const struct hid_device_id topre_id_table[] = { ++ { HID_USB_DEVICE(USB_VENDOR_ID_TOPRE, ++ USB_DEVICE_ID_TOPRE_REALFORCE_R2_108) }, ++ { } ++}; ++MODULE_DEVICE_TABLE(hid, topre_id_table); ++ ++static struct hid_driver topre_driver = { ++ .name = "topre", ++ .id_table = topre_id_table, ++ .report_fixup = topre_report_fixup, ++}; ++ ++module_hid_driver(topre_driver); +-- +2.35.1 + diff --git a/queue-4.9/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch b/queue-4.9/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch new file mode 100644 index 00000000000..d99643cc0a2 --- /dev/null +++ b/queue-4.9/hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch 
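Review bot: topre_report_fixup() in the new hid-topre.c matches on bare numbers (`119`, offsets `69` to `72`, and the `0x00` to `0x02` rewrite) without saying what they encode, so the next reader cannot check the fixup against the HID specification. The size test does run before the indexed reads, which keeps them in bounds, and that ordering should be preserved. I would add a comment above the condition along the lines of `/* bytes 69..72: Usage Maximum (0xe7), Input (Data,Array,Abs); rewrite to Input (Data,Var,Abs) */` and name the expected descriptor length. The item decoding given here follows the standard HID short-item encoding and should be checked against the device's actual descriptor.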
@@ -0,0 +1,36 @@
+From 2c0d3f14099141f8f4c9c229898cdcc0e8d6f13f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 4 Apr 2022 08:52:32 +0000
+Subject: HSI: omap_ssi: Fix refcount leak in ssi_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 9a2ea132df860177b33c9fd421b26c4e9a0a9396 ]
+
+When returning or breaking early from a
+for_each_available_child_of_node() loop, we need to explicitly call
+of_node_put() on the child node to possibly release the node.
+
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/hsi/controllers/omap_ssi_core.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c
+index 22cd7169011d..56de30c25063 100644
+--- a/drivers/hsi/controllers/omap_ssi_core.c
++++ b/drivers/hsi/controllers/omap_ssi_core.c
+@@ -562,6 +562,7 @@ static int ssi_probe(struct platform_device *pd)
+ if (!childpdev) {
+ err = -ENODEV;
+ dev_err(&pd->dev, "failed to create ssi controller port\n");
++ of_node_put(child);
+ goto out3;
+ }
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch b/queue-4.9/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
new file mode 100644
index 00000000000..93d5cd39fce
--- /dev/null
+++ b/queue-4.9/hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
@@ -0,0 +1,55 @@
+From d471f84fef067e1d69d7359ab0de93c293e1b595 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Aug 2022 12:12:27 +0200
+Subject: HSI: omap_ssi_port: Fix dma_map_sg error check
+
+From: Jack Wang
+
+[ Upstream commit 551e325bbd3fb8b5a686ac1e6cf76e5641461cf2 ]
+
+dma_map_sg return 0 on error, in case of error return -EIO
+to caller.
+
+Cc: Sebastian Reichel
+Cc: linux-kernel@vger.kernel.org (open list)
+Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver")
+Signed-off-by: Jack Wang
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/hsi/controllers/omap_ssi_port.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/hsi/controllers/omap_ssi_port.c b/drivers/hsi/controllers/omap_ssi_port.c
+index 7765de2f1ef1..68619dd6dfc1 100644
+--- a/drivers/hsi/controllers/omap_ssi_port.c
++++ b/drivers/hsi/controllers/omap_ssi_port.c
+@@ -252,10 +252,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ if (msg->ttype == HSI_MSG_READ) {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_FROM_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_DST_BURST_4x32_BIT | SSI_DST_MEMORY_PORT |
+ SSI_SRC_SINGLE_ACCESS0 | SSI_SRC_PERIPHERAL_PORT |
+@@ -269,10 +269,10 @@ static int ssi_start_dma(struct hsi_msg *msg, int lch)
+ } else {
+ err = dma_map_sg(&ssi->device, msg->sgt.sgl, msg->sgt.nents,
+ DMA_TO_DEVICE);
+- if (err < 0) {
++ if (!err) {
+ dev_dbg(&ssi->device, "DMA map SG failed !\n");
+ pm_runtime_put_autosuspend(omap_port->pdev);
+- return err;
++ return -EIO;
+ }
+ csdp = SSI_SRC_BURST_4x32_BIT | SSI_SRC_MEMORY_PORT |
+ SSI_DST_SINGLE_ACCESS0 | SSI_DST_PERIPHERAL_PORT |
+--
+2.35.1
+
diff --git a/queue-4.9/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch b/queue-4.9/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch new file mode 100644 index 00000000000..171908cf06f --- /dev/null +++ b/queue-4.9/hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch @@ -0,0 +1,37 @@ +From 0c7af5deb592a7a835a974a83cb3928a6f7b547a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 15:48:01 +0800 +Subject: HSI: ssi_protocol: fix potential resource leak in ssip_pn_open() + +From: Jianglei Nie + +[ Upstream commit b28dbcb379e6a7f80262c2732a57681b1ee548ca ] + +ssip_pn_open() claims the HSI client's port with hsi_claim_port(). When +hsi_register_port_event() gets some error and returns a negetive value, +the HSI client's port should be released with hsi_release_port(). + +Fix it by calling hsi_release_port() when hsi_register_port_event() fails. + +Signed-off-by: Jianglei Nie +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/clients/ssi_protocol.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hsi/clients/ssi_protocol.c b/drivers/hsi/clients/ssi_protocol.c +index 802afc98e8bd..09e6be746d1e 100644 +--- a/drivers/hsi/clients/ssi_protocol.c ++++ b/drivers/hsi/clients/ssi_protocol.c +@@ -932,6 +932,7 @@ static int ssip_pn_open(struct net_device *dev) + if (err < 0) { + dev_err(&cl->device, "Register HSI port event failed (%d)\n", + err); ++ hsi_release_port(cl); + return err; + } + dev_dbg(&cl->device, "Configuring SSI port\n"); +-- +2.35.1 + diff --git a/queue-4.9/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch b/queue-4.9/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch new file mode 100644 index 00000000000..4ae2324537d --- /dev/null +++ b/queue-4.9/ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch 
@@ -0,0 +1,45 @@
+From f96d9633e0a4e6708bbd9d168edc2f008190a16c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Sep 2022 17:14:57 +0800
+Subject: IB/rdmavt: Add __init/__exit annotations to module init/exit funcs
+
+From: Xiu Jianfeng
+
+[ Upstream commit 78657a445ca7603024348781c921f8ecaee10a49 ]
+
+Add missing __init/__exit annotations to module init/exit funcs.
+
+Fixes: 0194621b2253 ("IB/rdmavt: Create module framework and handle driver registration")
+Link: https://lore.kernel.org/r/20220924091457.52446-1-xiujianfeng@huawei.com
+Signed-off-by: Xiu Jianfeng
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rdmavt/vt.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rdmavt/vt.c b/drivers/infiniband/sw/rdmavt/vt.c
+index 1a1d7329fbb2..747de2e4f0eb 100644
+--- a/drivers/infiniband/sw/rdmavt/vt.c
++++ b/drivers/infiniband/sw/rdmavt/vt.c
+@@ -55,7 +55,7 @@
+ MODULE_LICENSE("Dual BSD/GPL");
+ MODULE_DESCRIPTION("RDMA Verbs Transport Library");
+
+-static int rvt_init(void)
++static int __init rvt_init(void)
+ {
+ /*
+ * rdmavt does not need to do anything special when it starts up. All it
+@@ -65,7 +65,7 @@ static int rvt_init(void)
+ }
+ module_init(rvt_init);
+
+-static void rvt_cleanup(void)
++static void __exit rvt_cleanup(void)
+ {
+ /*
+ * Nothing to do at exit time either. The module won't be able to be
+--
+2.35.1
+
diff --git a/queue-4.9/iio-abi-fix-wrong-format-of-differential-capacitance.patch b/queue-4.9/iio-abi-fix-wrong-format-of-differential-capacitance.patch
new file mode 100644
index 00000000000..dac8e634443
--- /dev/null
+++ b/queue-4.9/iio-abi-fix-wrong-format-of-differential-capacitance.patch
@@ -0,0 +1,36 @@
+From 923bd3a99cb8acdee3aeb75b877459149fc670c0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Jun 2022 13:29:23 +0100
+Subject: iio: ABI: Fix wrong format of differential capacitance channel ABI.
+
+From: Jonathan Cameron
+
+[ Upstream commit 1efc41035f1841acf0af2bab153158e27ce94f10 ]
+
+in_ only occurs once in these attributes.
+
+Fixes: 0baf29d658c7 ("staging:iio:documentation Add abi docs for capacitance adcs.")
+Signed-off-by: Jonathan Cameron
+Reviewed-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20220626122938.582107-3-jic23@kernel.org
+Signed-off-by: Sasha Levin
+---
+ Documentation/ABI/testing/sysfs-bus-iio | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Documentation/ABI/testing/sysfs-bus-iio b/Documentation/ABI/testing/sysfs-bus-iio
+index 743ffbcc6b5f..2d1f8f803fb2 100644
+--- a/Documentation/ABI/testing/sysfs-bus-iio
++++ b/Documentation/ABI/testing/sysfs-bus-iio
+@@ -125,7 +125,7 @@ Description:
+ Raw capacitance measurement from channel Y. Units after
+ application of scale and offset are nanofarads.
+
+-What: /sys/.../iio:deviceX/in_capacitanceY-in_capacitanceZ_raw
++What: /sys/.../iio:deviceX/in_capacitanceY-capacitanceZ_raw
+ KernelVersion: 3.2
+ Contact: linux-iio@vger.kernel.org
+ Description:
+--
+2.35.1
+
diff --git a/queue-4.9/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch b/queue-4.9/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
new file mode 100644
index 00000000000..494e803aaeb
--- /dev/null
+++ b/queue-4.9/iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
@@ -0,0 +1,38 @@
+From 15f50bcb061da3e07cdd2e03e42c62698be5b754 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Aug 2022 13:28:37 +0300
+Subject: iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
+
+From: Claudiu Beznea
+
+[ Upstream commit bb73d5d9164c57c4bb916739a98e5cd8e0a5ed8c ]
+
+All ADC HW versions handled by this driver (SAMA5D2, SAM9X60, SAMA7G5)
+have MR.TRACKTIM on 4 bits. Fix AT91_SAMA5D2_MR_TRACKTIM_MAX to reflect
+this.
+
+Fixes: 27e177190891 ("iio:adc:at91_adc8xx: introduce new atmel adc driver")
+Signed-off-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20220803102855.2191070-2-claudiu.beznea@microchip.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/iio/adc/at91-sama5d2_adc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/iio/adc/at91-sama5d2_adc.c b/drivers/iio/adc/at91-sama5d2_adc.c
+index e10dca3ed74b..5a7f9120e13d 100644
+--- a/drivers/iio/adc/at91-sama5d2_adc.c
++++ b/drivers/iio/adc/at91-sama5d2_adc.c
+@@ -74,7 +74,7 @@
+ #define AT91_SAMA5D2_MR_ANACH BIT(23)
+ /* Tracking Time */
+ #define AT91_SAMA5D2_MR_TRACKTIM(v) ((v) << 24)
+-#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xff
++#define AT91_SAMA5D2_MR_TRACKTIM_MAX 0xf
+ /* Transfer Time */
+ #define AT91_SAMA5D2_MR_TRANSFER(v) ((v) << 28)
+ #define AT91_SAMA5D2_MR_TRANSFER_MAX 0x3
+--
+2.35.1
+
diff --git a/queue-4.9/iio-inkern-only-release-the-device-node-when-done-wi.patch b/queue-4.9/iio-inkern-only-release-the-device-node-when-done-wi.patch
new file mode 100644
index 00000000000..87fcea3c3b4
--- /dev/null
+++ b/queue-4.9/iio-inkern-only-release-the-device-node-when-done-wi.patch
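Review bot: With `AT91_SAMA5D2_MR_TRACKTIM_MAX` corrected to `0xf`, the neighbouring `AT91_SAMA5D2_MR_TRACKTIM(v)` still shifts an unmasked value, so anything wider than 4 bits would spill into the Transfer Time field that starts at bit 28. Whether any caller clamps against the MAX constant is not visible in this hunk. A note on the macro, `/* v must be <= AT91_SAMA5D2_MR_TRACKTIM_MAX; not masked here */`, would record the requirement.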
@@ -0,0 +1,60 @@ +From 01e4e9d2018dce3076f4f35df01b2798a2be7401 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Jul 2022 14:28:49 +0200 +Subject: iio: inkern: only release the device node when done with it +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +[ Upstream commit 79c3e84874c7d14f04ad58313b64955a0d2e9437 ] + +'of_node_put()' can potentially release the memory pointed to by +'iiospec.np' which would leave us with an invalid pointer (and we would +still pass it in 'of_xlate()'). Note that it is not guaranteed for the +of_node lifespan to be attached to the device (to which is attached) +lifespan so that there is (even though very unlikely) the possibility +for the node to be freed while the device is still around. Thus, as there +are indeed some of_xlate users which do access the node, a race is indeed +possible. + +As such, we can only release the node after we are done with it. + +Fixes: 17d82b47a215d ("iio: Add OF support") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20220715122903.332535-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/inkern.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/inkern.c b/drivers/iio/inkern.c +index 218cf4567ab5..13be4c8d7fd3 100644 +--- a/drivers/iio/inkern.c ++++ b/drivers/iio/inkern.c +@@ -139,9 +139,10 @@ static int __of_iio_channel_get(struct iio_channel *channel, + + idev = bus_find_device(&iio_bus_type, NULL, iiospec.np, + iio_dev_node_match); +- of_node_put(iiospec.np); +- if (idev == NULL) ++ if (idev == NULL) { ++ of_node_put(iiospec.np); + return -EPROBE_DEFER; ++ } + + indio_dev = dev_to_iio_dev(idev); + channel->indio_dev = indio_dev; +@@ -149,6 +150,7 @@ static int __of_iio_channel_get(struct iio_channel *channel, + index = indio_dev->info->of_xlate(indio_dev, &iiospec); + else + index = __of_iio_simple_xlate(indio_dev, &iiospec); ++ 
of_node_put(iiospec.np); + if (index < 0) + goto err_put; + channel->channel = &indio_dev->channels[index]; +-- +2.35.1 + diff --git a/queue-4.9/iommu-omap-fix-buffer-overflow-in-debugfs.patch b/queue-4.9/iommu-omap-fix-buffer-overflow-in-debugfs.patch new file mode 100644 index 00000000000..7e0adcc75e3 --- /dev/null +++ b/queue-4.9/iommu-omap-fix-buffer-overflow-in-debugfs.patch 
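Review bot: The value returned by the driver-supplied `of_xlate()` is checked only with `if (index < 0)` before it is used in `&indio_dev->channels[index]`, so a callback that returns a value past the end of the channel array would produce an out-of-range pointer. An upper bound next to the existing test, `index >= indio_dev->num_channels`, would close that, with a negative error code set before the jump to `err_put`. The body of `__of_iio_channel_get()` continues outside the hunk, so what `err_put` returns is not visible here. A one-line comment at the moved call, `/* of_xlate() may dereference iiospec.np, so drop the reference only now */`, would also keep a later cleanup from moving the put back up.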
@@ -0,0 +1,53 @@ +From 363a7af313d7dde7d578eaf239b08e9fcab40d76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Aug 2022 17:32:39 +0300 +Subject: iommu/omap: Fix buffer overflow in debugfs + +From: Dan Carpenter + +[ Upstream commit 184233a5202786b20220acd2d04ddf909ef18f29 ] + +There are two issues here: + +1) The "len" variable needs to be checked before the very first write. + Otherwise if omap2_iommu_dump_ctx() with "bytes" less than 32 it is a + buffer overflow. +2) The snprintf() function returns the number of bytes that *would* have + been copied if there were enough space. But we want to know the + number of bytes which were *actually* copied so use scnprintf() + instead. + +Fixes: bd4396f09a4a ("iommu/omap: Consolidate OMAP IOMMU modules") +Signed-off-by: Dan Carpenter +Reviewed-by: Robin Murphy +Reviewed-by: Laurent Pinchart +Link: https://lore.kernel.org/r/YuvYh1JbE3v+abd5@kili +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/omap-iommu-debug.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c +index cec33e90e399..a15c4d99b888 100644 +--- a/drivers/iommu/omap-iommu-debug.c ++++ b/drivers/iommu/omap-iommu-debug.c +@@ -35,12 +35,12 @@ static inline bool is_omap_iommu_detached(struct omap_iommu *obj) + ssize_t bytes; \ + const char *str = "%20s: %08x\n"; \ + const int maxcol = 32; \ +- bytes = snprintf(p, maxcol, str, __stringify(name), \ ++ if (len < maxcol) \ ++ goto out; \ ++ bytes = scnprintf(p, maxcol, str, __stringify(name), \ + iommu_read_reg(obj, MMU_##name)); \ + p += bytes; \ + len -= bytes; \ +- if (len < maxcol) \ +- goto out; \ + } while (0) + + static ssize_t +-- +2.35.1 + diff --git a/queue-4.9/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch b/queue-4.9/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch new file mode 100644 index 00000000000..da87042066b --- /dev/null 
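Review bot: The macro body now jumps to `out` before it writes anything and depends on `p`, `len` and `obj` existing in the expanding function, but nothing in the hunk states that contract. A comment above the macro would make it explicit, for example `/* Needs p, len, obj and an out: label in the caller; writes at most maxcol - 1 bytes at p, or jumps to out when fewer than maxcol bytes remain. */`. The macro's `#define` line is outside the hunk, so its name and parameters are not visible here.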
+++ b/queue-4.9/media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch 
@@ -0,0 +1,140 @@ +From 5a8234ddefb927390d46e0d6dfc69cea1c200a5f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 04:23:38 +0200 +Subject: media: cx88: Fix a null-ptr-deref bug in buffer_prepare() + +From: Zheyu Ma + +[ Upstream commit 2b064d91440b33fba5b452f2d1b31f13ae911d71 ] + +When the driver calls cx88_risc_buffer() to prepare the buffer, the +function call may fail, resulting in a empty buffer and null-ptr-deref +later in buffer_queue(). + +The following log can reveal it: + +[ 41.822762] general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN PTI +[ 41.824488] KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] +[ 41.828027] RIP: 0010:buffer_queue+0xc2/0x500 +[ 41.836311] Call Trace: +[ 41.836945] __enqueue_in_driver+0x141/0x360 +[ 41.837262] vb2_start_streaming+0x62/0x4a0 +[ 41.838216] vb2_core_streamon+0x1da/0x2c0 +[ 41.838516] __vb2_init_fileio+0x981/0xbc0 +[ 41.839141] __vb2_perform_fileio+0xbf9/0x1120 +[ 41.840072] vb2_fop_read+0x20e/0x400 +[ 41.840346] v4l2_read+0x215/0x290 +[ 41.840603] vfs_read+0x162/0x4c0 + +Fix this by checking the return value of cx88_risc_buffer() + +[hverkuil: fix coding style issues] + +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/cx88/cx88-vbi.c | 9 +++--- + drivers/media/pci/cx88/cx88-video.c | 43 +++++++++++++++-------------- + 2 files changed, 26 insertions(+), 26 deletions(-) + +diff --git a/drivers/media/pci/cx88/cx88-vbi.c b/drivers/media/pci/cx88/cx88-vbi.c +index d3237cf8ffa3..78d78b7c974c 100644 +--- a/drivers/media/pci/cx88/cx88-vbi.c ++++ b/drivers/media/pci/cx88/cx88-vbi.c +@@ -140,11 +140,10 @@ static int buffer_prepare(struct vb2_buffer *vb) + return -EINVAL; + vb2_set_plane_payload(vb, 0, size); + +- cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, +- 0, VBI_LINE_LENGTH * lines, +- VBI_LINE_LENGTH, 0, +- lines); +- return 0; 
++ return cx88_risc_buffer(dev->pci, &buf->risc, sgt->sgl, ++ 0, VBI_LINE_LENGTH * lines, ++ VBI_LINE_LENGTH, 0, ++ lines); + } + + static void buffer_finish(struct vb2_buffer *vb) +diff --git a/drivers/media/pci/cx88/cx88-video.c b/drivers/media/pci/cx88/cx88-video.c +index 3b140ad598de..0ad0f4ab6c4b 100644 +--- a/drivers/media/pci/cx88/cx88-video.c ++++ b/drivers/media/pci/cx88/cx88-video.c +@@ -443,6 +443,7 @@ static int queue_setup(struct vb2_queue *q, + + static int buffer_prepare(struct vb2_buffer *vb) + { ++ int ret; + struct vb2_v4l2_buffer *vbuf = to_vb2_v4l2_buffer(vb); + struct cx8800_dev *dev = vb->vb2_queue->drv_priv; + struct cx88_core *core = dev->core; +@@ -457,42 +458,42 @@ static int buffer_prepare(struct vb2_buffer *vb) + + switch (core->field) { + case V4L2_FIELD_TOP: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, UNSET, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, UNSET, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_BOTTOM: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, UNSET, 0, +- buf->bpl, 0, core->height); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, UNSET, 0, ++ buf->bpl, 0, core->height); + break; + case V4L2_FIELD_SEQ_TB: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- 0, buf->bpl * (core->height >> 1), +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ 0, buf->bpl * (core->height >> 1), ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_SEQ_BT: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, +- buf->bpl * (core->height >> 1), 0, +- buf->bpl, 0, +- core->height >> 1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, ++ buf->bpl * (core->height >> 1), 0, ++ buf->bpl, 0, ++ core->height >> 1); + break; + case V4L2_FIELD_INTERLACED: + default: +- cx88_risc_buffer(dev->pci, &buf->risc, +- sgt->sgl, 0, buf->bpl, +- buf->bpl, buf->bpl, +- core->height >> 
1); ++ ret = cx88_risc_buffer(dev->pci, &buf->risc, ++ sgt->sgl, 0, buf->bpl, ++ buf->bpl, buf->bpl, ++ core->height >> 1); + break; + } + dprintk(2,"[%p/%d] buffer_prepare - %dx%d %dbpp \"%s\" - dma=0x%08lx\n", + buf, buf->vb.vb2_buf.index, + core->width, core->height, dev->fmt->depth, dev->fmt->name, + (unsigned long)buf->risc.dma); +- return 0; ++ return ret; + } + + static void buffer_finish(struct vb2_buffer *vb) +-- +2.35.1 + diff --git a/queue-4.9/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch b/queue-4.9/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch new file mode 100644 index 00000000000..83ce5030255 --- /dev/null +++ b/queue-4.9/media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch @@ -0,0 +1,38 @@ +From a8577d9cc69d46c1035a7c784274b5fe7b76b9f8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 16:30:03 +0200 +Subject: media: exynos4-is: fimc-is: Add of_node_put() when breaking out of + loop + +From: Liang He + +[ Upstream commit 211f8304fa21aaedc2c247f0c9d6c7f1aaa61ad7 ] + +In fimc_is_register_subdevs(), we need to call of_node_put() for +the reference 'i2c_bus' when breaking out of the +for_each_compatible_node() which has increased the refcount. + +Fixes: 9a761e436843 ("[media] exynos4-is: Add Exynos4x12 FIMC-IS driver") +Signed-off-by: Liang He +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-is.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/exynos4-is/fimc-is.c b/drivers/media/platform/exynos4-is/fimc-is.c +index 590ec04de827..3a1311d572c2 100644 +--- a/drivers/media/platform/exynos4-is/fimc-is.c ++++ b/drivers/media/platform/exynos4-is/fimc-is.c +@@ -217,6 +217,7 @@ static int fimc_is_register_subdevs(struct fimc_is *is) + + if (ret < 0 || index >= FIMC_IS_SENSORS_NUM) { + of_node_put(child); ++ of_node_put(i2c_bus); + return ret; + } + index++; +-- +2.35.1 + 
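Review bot: In `buffer_prepare()` of cx88-video.c the `dprintk()` after the switch still runs when `cx88_risc_buffer()` has failed, and it prints `buf->risc.dma`, which may not hold a valid address in that case. Returning early keeps the debug log from describing a buffer that was never set up: `if (ret) return ret;` placed right after the closing brace of the switch. The five call sites differ only in their offset and line-count arguments, so computing those in the switch and calling `cx88_risc_buffer()` once afterwards would leave a single return value to check.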
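Review bot: The early exit in `fimc_is_register_subdevs()` returns `ret` for both halves of the condition, so when the loop stops because `index >= FIMC_IS_SENSORS_NUM` after a successful parse the caller presumably receives a non-negative value and treats the overflow as success. The bound is also tested only after the per-sensor call that sits above the hunk, so that call may already have run with an out-of-range `index`. Testing `index` at the top of the loop body and returning a negative errno such as `-EINVAL` there would address both; the loop header and the call are outside the hunk, so this is inferred from the visible condition.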
diff --git a/queue-4.9/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch b/queue-4.9/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch new file mode 100644 index 00000000000..01485d697a9 --- /dev/null +++ b/queue-4.9/media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch @@ -0,0 +1,46 @@ +From b289272a455418128d1674cda530d69002a0036d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Jul 2022 18:12:36 +0800 +Subject: media: tm6000: Fix unused value in vidioc_try_fmt_vid_cap() + +From: Zeng Jingxiang + +[ Upstream commit d682869daa23938b5e8919db45c4b5b227749712 ] + +Coverity warns of an unused value: + +assigned_value: Assign the value of the variable f->fmt.pix.field +to field here, but that stored value is overwritten. +before it can be used. +919 field = f->fmt.pix.field; +920 + +value_overwrite: Overwriting previous write to field with +the value of V4L2_FIELD_INTERLACED. +921 field = V4L2_FIELD_INTERLACED; + +Fixes: ed57256f6fe8 ("[media] tm6000: fix G/TRY_FMT") +Signed-off-by: Zeng Jingxiang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/tm6000/tm6000-video.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/media/usb/tm6000/tm6000-video.c b/drivers/media/usb/tm6000/tm6000-video.c +index dee7e7d3d47d..d6e909aa4bbe 100644 +--- a/drivers/media/usb/tm6000/tm6000-video.c ++++ b/drivers/media/usb/tm6000/tm6000-video.c +@@ -944,8 +944,6 @@ static int vidioc_try_fmt_vid_cap(struct file *file, void *priv, + return -EINVAL; + } + +- field = f->fmt.pix.field; +- + field = V4L2_FIELD_INTERLACED; + + tm6000_get_std_res(dev); +-- +2.35.1 + diff --git a/queue-4.9/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch b/queue-4.9/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch new file mode 100644 index 00000000000..951a549ac5f --- /dev/null +++ b/queue-4.9/media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch 
@@ -0,0 +1,56 @@ +From d1d75efe25101b52cee3c8eb96bdabe29cebdade Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Jun 2022 06:25:14 +0200 +Subject: media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init + +From: Miaoqian Lin + +[ Upstream commit 1c78f19c3a0ea312a8178a6bfd8934eb93e9b10a ] + +of_get_child_by_name() returns a node pointer with refcount +incremented, we should use of_node_put() on it when not need anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: df3305156f98 ("[media] v4l: xilinx: Add Xilinx Video IP core") +Signed-off-by: Miaoqian Lin +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/xilinx/xilinx-vipp.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/xilinx/xilinx-vipp.c b/drivers/media/platform/xilinx/xilinx-vipp.c +index feb3b2f1d874..df21646ef9fa 100644 +--- a/drivers/media/platform/xilinx/xilinx-vipp.c ++++ b/drivers/media/platform/xilinx/xilinx-vipp.c +@@ -462,7 +462,7 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + { + struct device_node *ports; + struct device_node *port; +- int ret; ++ int ret = 0; + + ports = of_get_child_by_name(xdev->dev->of_node, "ports"); + if (ports == NULL) { +@@ -472,13 +472,14 @@ static int xvip_graph_dma_init(struct xvip_composite_device *xdev) + + for_each_child_of_node(ports, port) { + ret = xvip_graph_dma_init_one(xdev, port); +- if (ret < 0) { ++ if (ret) { + of_node_put(port); +- return ret; ++ break; + } + } + +- return 0; ++ of_node_put(ports); ++ return ret; + } + + static void xvip_graph_cleanup(struct xvip_composite_device *xdev) +-- +2.35.1 + diff --git a/queue-4.9/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch b/queue-4.9/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch new file mode 100644 index 00000000000..f0e51284fbe --- /dev/null 
+++ b/queue-4.9/memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch @@ -0,0 +1,37 @@ +From cac880f87a2251f773e7a1fe49361b3d92d8ac7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 16:56:39 +0800 +Subject: memory: of: Fix refcount leak bug in of_get_ddr_timings() + +From: Liang He + +[ Upstream commit 05215fb32010d4afb68fbdbb4d237df6e2d4567b ] + +We should add the of_node_put() when breaking out of +for_each_child_of_node() as it will automatically increase +and decrease the refcount. + +Fixes: e6b42eb6a66c ("memory: emif: add device tree support to emif driver") +Signed-off-by: Liang He +Signed-off-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20220719085640.1210583-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/memory/of_memory.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/memory/of_memory.c b/drivers/memory/of_memory.c +index 568f05ed961a..36517b7d093e 100644 +--- a/drivers/memory/of_memory.c ++++ b/drivers/memory/of_memory.c +@@ -135,6 +135,7 @@ const struct lpddr2_timings *of_get_ddr_timings(struct device_node *np_ddr, + for_each_child_of_node(np_ddr, np_tim) { + if (of_device_is_compatible(np_tim, tim_compat)) { + if (of_do_get_timings(np_tim, &timings[i])) { ++ of_node_put(np_tim); + devm_kfree(dev, timings); + goto default_timings; + } +-- +2.35.1 + diff --git a/queue-4.9/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch b/queue-4.9/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch new file mode 100644 index 00000000000..16d9f04d3c1 --- /dev/null +++ b/queue-4.9/mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch 
@@ -0,0 +1,42 @@ +From 9d8ffbb8bcc12d297c56647ca2d8b3fe5e2c7c6a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 14:42:02 +0300 +Subject: mfd: intel_soc_pmic: Fix an error handling path in + intel_soc_pmic_i2c_probe() + +From: Christophe JAILLET + +[ Upstream commit 48749cabba109397b4e7dd556e85718ec0ec114d ] + +The commit in Fixes: has added a pwm_add_table() call in the probe() and +a pwm_remove_table() call in the remove(), but forget to update the error +handling path of the probe. + +Add the missing pwm_remove_table() call. + +Fixes: a3aa9a93df9f ("mfd: intel_soc_pmic_core: ADD PWM lookup table for CRC PMIC based PWM") +Signed-off-by: Christophe JAILLET +Signed-off-by: Andy Shevchenko +Reviewed-by: Hans de Goede +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20220801114211.36267-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/intel_soc_pmic_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/intel_soc_pmic_core.c b/drivers/mfd/intel_soc_pmic_core.c +index 12d6ebb4ae5d..e233585645b9 100644 +--- a/drivers/mfd/intel_soc_pmic_core.c ++++ b/drivers/mfd/intel_soc_pmic_core.c +@@ -118,6 +118,7 @@ static int intel_soc_pmic_i2c_probe(struct i2c_client *i2c, + return 0; + + err_del_irq_chip: ++ pwm_remove_table(crc_pwm_lookup, ARRAY_SIZE(crc_pwm_lookup)); + regmap_del_irq_chip(pmic->irq, pmic->irq_chip_data); + return ret; + } +-- +2.35.1 + diff --git a/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch b/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch new file mode 100644 index 00000000000..bc1e9c158e7 --- /dev/null +++ b/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch 
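Review bot: The `err_del_irq_chip` label now also removes the PWM lookup table, so its name no longer says what it undoes, and any `goto err_del_irq_chip` taken before `pwm_add_table()` would remove a table that was never added. The probe body above the label is outside the hunk, so the position of each jump relative to `pwm_add_table()` cannot be confirmed here. A separate label, `err_remove_pwm_table:` placed ahead of `err_del_irq_chip:`, would keep the unwinding in reverse order of setup and make each jump target explicit.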
@@ -0,0 +1,48 @@ +From 032195dd97a12af519d1ade1ba5de7d74b8953ec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:38 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_irq_init() and + lp8788_irq_init() + +From: Christophe JAILLET + +[ Upstream commit 557244f6284f30613f2d61f14b579303165876c3 ] + +In lp8788_irq_init(), if an error occurs after a successful +irq_domain_add_linear() call, it must be undone by a corresponding +irq_domain_remove() call. + +irq_domain_remove() should also be called in lp8788_irq_exit() for the same +reason. + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/bcd5a72c9c1c383dd6324680116426e32737655a.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788-irq.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mfd/lp8788-irq.c b/drivers/mfd/lp8788-irq.c +index 792d51bae20f..ae65928f35f0 100644 +--- a/drivers/mfd/lp8788-irq.c ++++ b/drivers/mfd/lp8788-irq.c +@@ -179,6 +179,7 @@ int lp8788_irq_init(struct lp8788 *lp, int irq) + IRQF_TRIGGER_FALLING | IRQF_ONESHOT, + "lp8788-irq", irqd); + if (ret) { ++ irq_domain_remove(lp->irqdm); + dev_err(lp->dev, "failed to create a thread for IRQ_N\n"); + return ret; + } +@@ -192,4 +193,6 @@ void lp8788_irq_exit(struct lp8788 *lp) + { + if (lp->irq) + free_irq(lp->irq, lp->irqdm); ++ if (lp->irqdm) ++ irq_domain_remove(lp->irqdm); + } +-- +2.35.1 + diff --git a/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch b/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch new file mode 100644 index 00000000000..6a73b2c7e7a --- /dev/null +++ b/queue-4.9/mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch 
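Review bot: `lp8788_irq_exit()` calls `free_irq(lp->irq, lp->irqdm)`, while the request visible in the first hunk passes `irqd` as its last argument; `free_irq()` matches on the dev_id cookie, so unless those two pointers are identical the handler is not released before the domain is removed. The start of the request call is outside the hunk, so this reading assumes `irqd` is the dev_id. Separately, the new error path in `lp8788_irq_init()` leaves `lp->irqdm` pointing at the removed domain; adding `lp->irqdm = NULL;` after `irq_domain_remove(lp->irqdm);` would keep the new `if (lp->irqdm)` test in `lp8788_irq_exit()` meaningful.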
@@ -0,0 +1,50 @@ +From 05718201d12b27c99739d9daba432b531df5abb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Jul 2022 11:55:27 +0200 +Subject: mfd: lp8788: Fix an error handling path in lp8788_probe() + +From: Christophe JAILLET + +[ Upstream commit becfdcd75126b20b8ec10066c5e85b34f8994ad5 ] + +Should an error occurs in mfd_add_devices(), some resources need to be +released, as already done in the .remove() function. + +Add an error handling path and a lp8788_irq_exit() call to undo a previous +lp8788_irq_init(). + +Fixes: eea6b7cc53aa ("mfd: Add lp8788 mfd driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/18398722da9df9490722d853e4797350189ae79b.1659261275.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/mfd/lp8788.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/mfd/lp8788.c b/drivers/mfd/lp8788.c +index acf616559512..e47150cdf747 100644 +--- a/drivers/mfd/lp8788.c ++++ b/drivers/mfd/lp8788.c +@@ -199,8 +199,16 @@ static int lp8788_probe(struct i2c_client *cl, const struct i2c_device_id *id) + if (ret) + return ret; + +- return mfd_add_devices(lp->dev, -1, lp8788_devs, +- ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ ret = mfd_add_devices(lp->dev, -1, lp8788_devs, ++ ARRAY_SIZE(lp8788_devs), NULL, 0, NULL); ++ if (ret) ++ goto err_exit_irq; ++ ++ return 0; ++ ++err_exit_irq: ++ lp8788_irq_exit(lp); ++ return ret; + } + + static int lp8788_remove(struct i2c_client *cl) +-- +2.35.1 + diff --git a/queue-4.9/mfd-sm501-add-check-for-platform_driver_register.patch b/queue-4.9/mfd-sm501-add-check-for-platform_driver_register.patch new file mode 100644 index 00000000000..db83553ab20 --- /dev/null +++ b/queue-4.9/mfd-sm501-add-check-for-platform_driver_register.patch 
@@ -0,0 +1,43 @@
+From 7375dd0f2e081cbdb4d2cb31b2d648bc729a779f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Sep 2022 17:11:12 +0800
+Subject: mfd: sm501: Add check for platform_driver_register()
+
+From: Jiasheng Jiang
+
+[ Upstream commit 8325a6c24ad78b8c1acc3c42b098ee24105d68e5 ]
+
+As platform_driver_register() can return error numbers,
+it should be better to check platform_driver_register()
+and deal with the exception.
+
+Fixes: b6d6454fdb66 ("[PATCH] mfd: SM501 core driver")
+Signed-off-by: Jiasheng Jiang
+Signed-off-by: Lee Jones
+Link: https://lore.kernel.org/r/20220913091112.1739138-1-jiasheng@iscas.ac.cn
+Signed-off-by: Sasha Levin
+---
+ drivers/mfd/sm501.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/mfd/sm501.c b/drivers/mfd/sm501.c
+index 4ca245518a19..d64bd28cc6b8 100644
+--- a/drivers/mfd/sm501.c
++++ b/drivers/mfd/sm501.c
+@@ -1736,7 +1736,12 @@ static struct platform_driver sm501_plat_driver = {
+
+ static int __init sm501_base_init(void)
+ {
+- platform_driver_register(&sm501_plat_driver);
++ int ret;
++
++ ret = platform_driver_register(&sm501_plat_driver);
++ if (ret < 0)
++ return ret;
++
+ return pci_register_driver(&sm501_pci_driver);
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/mips-bcm47xx-cast-memcmp-of-function-to-void.patch b/queue-4.9/mips-bcm47xx-cast-memcmp-of-function-to-void.patch
new file mode 100644
index 00000000000..af8c942e9b4
--- /dev/null
+++ b/queue-4.9/mips-bcm47xx-cast-memcmp-of-function-to-void.patch
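Review bot: If `pci_register_driver()` fails in `sm501_base_init()`, the platform driver registered just above stays registered even though module init returns an error. The second registration needs the same treatment as the first: `ret = pci_register_driver(&sm501_pci_driver);`, then `if (ret < 0) platform_driver_unregister(&sm501_plat_driver);`, then `return ret;`.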
@@ -0,0 +1,62 @@ +From 4b319a8ef2a29ea1281dfe6199aa1f0b7cff3904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Sep 2022 16:05:56 -0700 +Subject: MIPS: BCM47XX: Cast memcmp() of function to (void *) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 0dedcf6e3301836eb70cfa649052e7ce4fcd13ba ] + +Clang is especially sensitive about argument type matching when using +__overloaded functions (like memcmp(), etc). Help it see that function +pointers are just "void *". Avoids this error: + +arch/mips/bcm47xx/prom.c:89:8: error: no matching function for call to 'memcmp' + if (!memcmp(prom_init, prom_init + mem, 32)) + ^~~~~~ +include/linux/string.h:156:12: note: candidate function not viable: no known conversion from 'void (void)' to 'const void *' for 1st argument extern int memcmp(const void *,const void *,__kernel_size_t); + +Cc: Hauke Mehrtens +Cc: "Rafał Miłecki" +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Nathan Chancellor +Cc: Nick Desaulniers +Cc: llvm@lists.linux.dev +Reported-by: kernel test robot +Link: https://lore.kernel.org/lkml/202209080652.sz2d68e5-lkp@intel.com +Signed-off-by: Kees Cook +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm47xx/prom.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/bcm47xx/prom.c b/arch/mips/bcm47xx/prom.c +index 135a5407f015..d26d9a6f6ee7 100644 +--- a/arch/mips/bcm47xx/prom.c ++++ b/arch/mips/bcm47xx/prom.c +@@ -85,7 +85,7 @@ static __init void prom_init_mem(void) + pr_debug("Assume 128MB RAM\n"); + break; + } +- if (!memcmp(prom_init, prom_init + mem, 32)) ++ if (!memcmp((void *)prom_init, (void *)prom_init + mem, 32)) + break; + } + lowmem = mem; +@@ -162,7 +162,7 @@ void __init bcm47xx_prom_highmem_init(void) + + off = EXTVBASE + __pa(off); + for (extmem = 128 << 20; extmem < 512 << 20; extmem <<= 1) { +- if (!memcmp(prom_init, (void *)(off + 
extmem), 16)) ++ if (!memcmp((void *)prom_init, (void *)(off + extmem), 16)) + break; + } + extmem -= lowmem; +-- +2.35.1 + diff --git a/queue-4.9/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch b/queue-4.9/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch new file mode 100644 index 00000000000..f83ed1c2b46 --- /dev/null +++ b/queue-4.9/misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch 
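Review bot: Both new casts use `(void *)` although `memcmp()` takes `const void *`, so they drop a qualifier the callee never needed removed; `(const void *)prom_init` states the intent more exactly in `prom_init_mem()` and `bcm47xx_prom_highmem_init()`. The two probes compare 32 and 16 bytes respectively with bare literals; a shared named constant, or a comment saying why the lengths differ, would help the next reader. Both functions start and end outside the hunks.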
@@ -0,0 +1,97 @@ +From 2bfe58c93d9249b7765a23fb944aa2ee7144ea10 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 21:39:38 +0800 +Subject: mISDN: fix use-after-free bugs in l1oip timer handlers + +From: Duoming Zhou + +[ Upstream commit 2568a7e0832ee30b0a351016d03062ab4e0e0a3f ] + +The l1oip_cleanup() traverses the l1oip_ilist and calls +release_card() to cleanup module and stack. However, +release_card() calls del_timer() to delete the timers +such as keep_tl and timeout_tl. If the timer handler is +running, the del_timer() will not stop it and result in +UAF bugs. One of the processes is shown below: + + (cleanup routine) | (timer handler) +release_card() | l1oip_timeout() + ... | + del_timer() | ... + ... | + kfree(hc) //FREE | + | hc->timeout_on = 0 //USE + +Fix by calling del_timer_sync() in release_card(), which +makes sure the timer handlers have finished before the +resources, such as l1oip and so on, have been deallocated. + +What's more, the hc->workq and hc->socket_thread can kick +those timers right back in. We add a bool flag to show +if card is released. Then, check this flag in hc->workq +and hc->socket_thread. + +Fixes: 3712b42d4b1b ("Add layer1 over IP support") +Signed-off-by: Duoming Zhou +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/isdn/mISDN/l1oip.h | 1 + + drivers/isdn/mISDN/l1oip_core.c | 13 +++++++------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +diff --git a/drivers/isdn/mISDN/l1oip.h b/drivers/isdn/mISDN/l1oip.h +index 661c060ada49..67d1a4762d56 100644 +--- a/drivers/isdn/mISDN/l1oip.h ++++ b/drivers/isdn/mISDN/l1oip.h +@@ -58,6 +58,7 @@ struct l1oip { + int bundle; /* bundle channels in one frm */ + int codec; /* codec to use for transmis. 
*/ + int limit; /* limit number of bchannels */ ++ bool shutdown; /* if card is released */ + + /* timer */ + struct timer_list keep_tl; +diff --git a/drivers/isdn/mISDN/l1oip_core.c b/drivers/isdn/mISDN/l1oip_core.c +index 67c21876c35f..b77ae00a95a3 100644 +--- a/drivers/isdn/mISDN/l1oip_core.c ++++ b/drivers/isdn/mISDN/l1oip_core.c +@@ -287,7 +287,7 @@ l1oip_socket_send(struct l1oip *hc, u8 localcodec, u8 channel, u32 chanmask, + p = frame; + + /* restart timer */ +- if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ)) ++ if (time_before(hc->keep_tl.expires, jiffies + 5 * HZ) && !hc->shutdown) + mod_timer(&hc->keep_tl, jiffies + L1OIP_KEEPALIVE * HZ); + else + hc->keep_tl.expires = jiffies + L1OIP_KEEPALIVE * HZ; +@@ -619,7 +619,9 @@ l1oip_socket_parse(struct l1oip *hc, struct sockaddr_in *sin, u8 *buf, int len) + goto multiframe; + + /* restart timer */ +- if (time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || !hc->timeout_on) { ++ if ((time_before(hc->timeout_tl.expires, jiffies + 5 * HZ) || ++ !hc->timeout_on) && ++ !hc->shutdown) { + hc->timeout_on = 1; + mod_timer(&hc->timeout_tl, jiffies + L1OIP_TIMEOUT * HZ); + } else /* only adjust timer */ +@@ -1246,11 +1248,10 @@ release_card(struct l1oip *hc) + { + int ch; + +- if (timer_pending(&hc->keep_tl)) +- del_timer(&hc->keep_tl); ++ hc->shutdown = true; + +- if (timer_pending(&hc->timeout_tl)) +- del_timer(&hc->timeout_tl); ++ del_timer_sync(&hc->keep_tl); ++ del_timer_sync(&hc->timeout_tl); + + cancel_work_sync(&hc->workq); + +-- +2.35.1 + diff --git a/queue-4.9/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch b/queue-4.9/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch new file mode 100644 index 00000000000..9767446756a --- /dev/null +++ b/queue-4.9/mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch 
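Review bot: `hc->shutdown` is written in `release_card()` and read in `l1oip_socket_send()` and `l1oip_socket_parse()` as a plain `bool` with no lock or barrier, and the flag test and the following `mod_timer()` are not atomic. A path that read the flag as false just before `release_card()` set it can still re-arm `keep_tl` or `timeout_tl` after `del_timer_sync()` has returned, since `cancel_work_sync()` and, presumably, the socket-thread teardown come later in the function. Using `WRITE_ONCE(hc->shutdown, true)` with `READ_ONCE(hc->shutdown)` at the two readers, and repeating the two `del_timer_sync()` calls once the work item and the thread are stopped, would close that window. The rest of `release_card()` is outside the hunk, so the teardown order is inferred.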
@@ -0,0 +1,41 @@ +From 31cb5c77d7d6217709de5de7d6150625d7aca942 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 09:33:57 +0200 +Subject: mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() + +From: Christophe JAILLET + +[ Upstream commit 5cbedf52608cc3cbc1c2a9a861fb671620427a20 ] + +If clk_prepare_enable() fails, there is no point in calling +clk_disable_unprepare() in the error handling path. + +Move the out_clk label at the right place. + +Fixes: b6507596dfd6 ("MIPS: Alchemy: au1xmmc: use clk framework") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/21d99886d07fa7fcbec74992657dabad98c935c4.1661412818.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/au1xmmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/au1xmmc.c b/drivers/mmc/host/au1xmmc.c +index ed77fbfa4774..a1667339e21d 100644 +--- a/drivers/mmc/host/au1xmmc.c ++++ b/drivers/mmc/host/au1xmmc.c +@@ -1114,8 +1114,9 @@ static int au1xmmc_probe(struct platform_device *pdev) + if (host->platdata && host->platdata->cd_setup && + !(mmc->caps & MMC_CAP_NEEDS_POLL)) + host->platdata->cd_setup(mmc, 0); +-out_clk: ++ + clk_disable_unprepare(host->clk); ++out_clk: + clk_put(host->clk); + out_irq: + free_irq(host->irq, host); +-- +2.35.1 + diff --git a/queue-4.9/net-davicom-fix-return-type-of-dm9000_start_xmit.patch b/queue-4.9/net-davicom-fix-return-type-of-dm9000_start_xmit.patch new file mode 100644 index 00000000000..42e4883c7c7 --- /dev/null +++ b/queue-4.9/net-davicom-fix-return-type-of-dm9000_start_xmit.patch 
@@ -0,0 +1,46 @@ +From 45f754f7dd409c836b002bbd00a492af83419027 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Sep 2022 12:47:19 -0700 +Subject: net: davicom: Fix return type of dm9000_start_xmit + +From: Nathan Huckleberry + +[ Upstream commit 0191580b000d50089a0b351f7cdbec4866e3d0d2 ] + +The ndo_start_xmit field in net_device_ops is expected to be of type +netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev). + +The mismatched return type breaks forward edge kCFI since the underlying +function definition does not match the function hook definition. + +The return type of dm9000_start_xmit should be changed from int to +netdev_tx_t. + +Reported-by: Dan Carpenter +Link: https://github.com/ClangBuiltLinux/linux/issues/1703 +Cc: llvm@lists.linux.dev +Signed-off-by: Nathan Huckleberry +Reviewed-by: Nathan Chancellor +Link: https://lore.kernel.org/r/20220912194722.809525-1-nhuck@google.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/davicom/dm9000.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/davicom/dm9000.c b/drivers/net/ethernet/davicom/dm9000.c +index 0fe4d8999823..59e09f7174c1 100644 +--- a/drivers/net/ethernet/davicom/dm9000.c ++++ b/drivers/net/ethernet/davicom/dm9000.c +@@ -1023,7 +1023,7 @@ static void dm9000_send_packet(struct net_device *dev, + * Hardware start transmission. + * Send a packet to media from the upper layer. + */ +-static int ++static netdev_tx_t + dm9000_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + unsigned long flags; +-- +2.35.1 + diff --git a/queue-4.9/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch b/queue-4.9/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch new file mode 100644 index 00000000000..7d7bc79e2a0 --- /dev/null +++ b/queue-4.9/net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch 
@@ -0,0 +1,46 @@
+From 5c2820e58b4e279579bc4b599b4c6cea0fe0016f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Sep 2022 12:50:19 -0700
+Subject: net: ethernet: ti: davinci_emac: Fix return type of emac_dev_xmit
+
+From: Nathan Huckleberry
+
+[ Upstream commit 5972ca946098487c5155fe13654743f9010f5ed5 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of emac_dev_xmit should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry
+Reviewed-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20220912195023.810319-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/ti/davinci_emac.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c
+index 37162492e263..ebf22429c349 100644
+--- a/drivers/net/ethernet/ti/davinci_emac.c
++++ b/drivers/net/ethernet/ti/davinci_emac.c
+@@ -955,7 +955,7 @@ static void emac_tx_handler(void *token, int len, int status)
+ *
+ * Returns success(NETDEV_TX_OK) or error code (typically out of desc's)
+ */
+-static int emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
++static netdev_tx_t emac_dev_xmit(struct sk_buff *skb, struct net_device *ndev)
+ {
+ struct device *emac_dev = &ndev->dev;
+ int ret_code;
+--
+2.35.1
+
diff --git a/queue-4.9/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch b/queue-4.9/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch
new file mode 100644
index 00000000000..16c3e397a65
--- /dev/null
+++ b/queue-4.9/net-fs_enet-fix-wrong-check-in-do_pd_setup.patch
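Review bot: The comment kept as context above `emac_dev_xmit`, `Returns success(NETDEV_TX_OK) or error code (typically out of desc's)`, no longer matches the new `netdev_tx_t` return type, which carries transmit status values rather than error codes. It should read along the lines of `Returns NETDEV_TX_OK, or NETDEV_TX_BUSY when no descriptor is available`. The `int ret_code` local visible at the end of the hunk should also be checked so that it is never returned directly; the function body continues outside the hunk, so that cannot be confirmed here. The same check applies to the other return-type patches in this queue (dm9000_start_xmit, korina_send_packet, ltq_etop_tx, eth_xmit).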
@@ -0,0 +1,36 @@
+From d28cc8c4e93c9bd2cc33d9a90d4a8bddf1a56997 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Sep 2022 13:55:13 +0000
+Subject: net: fs_enet: Fix wrong check in do_pd_setup
+
+From: Zheng Yongjun
+
+[ Upstream commit ec3f06b542a960806a81345042e4eee3f8c5dec4 ]
+
+Should check of_iomap return value 'fep->fec.fecp' instead of 'fep->fcc.fccp'
+
+Fixes: 976de6a8c304 ("fs_enet: Be an of_platform device when CONFIG_PPC_CPM_NEW_BINDING is set.")
+Signed-off-by: Zheng Yongjun
+Reviewed-by: Christophe Leroy
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+index 777beffa1e1e..7861a5025dfb 100644
+--- a/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
++++ b/drivers/net/ethernet/freescale/fs_enet/mac-fec.c
+@@ -103,7 +103,7 @@ static int do_pd_setup(struct fs_enet_private *fep)
+ return -EINVAL;
+
+ fep->fec.fecp = of_iomap(ofdev->dev.of_node, 0);
+- if (!fep->fcc.fccp)
++ if (!fep->fec.fecp)
+ return -EINVAL;
+
+ return 0;
+--
+2.35.1
+
diff --git a/queue-4.9/net-ftmac100-fix-endianness-related-issues-from-spar.patch b/queue-4.9/net-ftmac100-fix-endianness-related-issues-from-spar.patch
new file mode 100644
index 00000000000..a0421b4de7f
--- /dev/null
+++ b/queue-4.9/net-ftmac100-fix-endianness-related-issues-from-spar.patch
@@ -0,0 +1,67 @@
+From 85991c4341a5eaa57bb41683856535fba4db6ccc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 14:37:49 +0300
+Subject: net: ftmac100: fix endianness-related issues from 'sparse'
+
+From: Sergei Antonov
+
+[ Upstream commit 9df696b3b3a4c96c3219eb87c7bf03fb50e490b8 ]
+
+Sparse found a number of endianness-related issues of these kinds:
+
+.../ftmac100.c:192:32: warning: restricted __le32 degrades to integer
+
+.../ftmac100.c:208:23: warning: incorrect type in assignment (different base types)
+.../ftmac100.c:208:23: expected unsigned int rxdes0
+.../ftmac100.c:208:23: got restricted __le32 [usertype]
+
+.../ftmac100.c:249:23: warning: invalid assignment: &=
+.../ftmac100.c:249:23: left side has type unsigned int
+.../ftmac100.c:249:23: right side has type restricted __le32
+
+.../ftmac100.c:527:16: warning: cast to restricted __le32
+
+Change type of some fields from 'unsigned int' to '__le32' to fix it.
+
+Signed-off-by: Sergei Antonov
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20220902113749.1408562-1-saproj@gmail.com
+Signed-off-by: Paolo Abeni
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/faraday/ftmac100.h | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/faraday/ftmac100.h b/drivers/net/ethernet/faraday/ftmac100.h
+index 46a0c47b1ee1..0731d65e856c 100644
+--- a/drivers/net/ethernet/faraday/ftmac100.h
++++ b/drivers/net/ethernet/faraday/ftmac100.h
+@@ -135,9 +135,9 @@
+ * Transmit descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_txdes {
+- unsigned int txdes0;
+- unsigned int txdes1;
+- unsigned int txdes2; /* TXBUF_BADR */
++ __le32 txdes0;
++ __le32 txdes1;
++ __le32 txdes2; /* TXBUF_BADR */
+ unsigned int txdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+@@ -156,9 +156,9 @@ struct ftmac100_txdes {
+ * Receive descriptor, aligned to 16 bytes
+ */
+ struct ftmac100_rxdes {
+- unsigned int rxdes0;
+- unsigned int rxdes1;
+- unsigned int rxdes2; /* RXBUF_BADR */
++ __le32 rxdes0;
++ __le32 rxdes1;
++ __le32 rxdes2; /* RXBUF_BADR */
+ unsigned int rxdes3; /* not used by HW */
+ } __attribute__ ((aligned(16)));
+
+--
+2.35.1
+
diff --git a/queue-4.9/net-korina-fix-return-type-of-korina_send_packet.patch b/queue-4.9/net-korina-fix-return-type-of-korina_send_packet.patch
new file mode 100644
index 00000000000..98e86f3222f
--- /dev/null
+++ b/queue-4.9/net-korina-fix-return-type-of-korina_send_packet.patch
@@ -0,0 +1,47 @@
+From d5d3fd87ed3a9ac722cc78c56d6fb2f2a61899a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 12 Sep 2022 14:43:40 -0700
+Subject: net: korina: Fix return type of korina_send_packet
+
+From: Nathan Huckleberry
+
+[ Upstream commit 106c67ce46f3c82dd276e983668a91d6ed631173 ]
+
+The ndo_start_xmit field in net_device_ops is expected to be of type
+netdev_tx_t (*ndo_start_xmit)(struct sk_buff *skb, struct net_device *dev).
+
+The mismatched return type breaks forward edge kCFI since the underlying
+function definition does not match the function hook definition.
+
+The return type of korina_send_packet should be changed from int to
+netdev_tx_t.
+
+Reported-by: Dan Carpenter
+Link: https://github.com/ClangBuiltLinux/linux/issues/1703
+Cc: llvm@lists.linux.dev
+Signed-off-by: Nathan Huckleberry
+Reviewed-by: Nathan Chancellor
+Link: https://lore.kernel.org/r/20220912214344.928925-1-nhuck@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/korina.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/korina.c b/drivers/net/ethernet/korina.c
+index 4cf1fc89df3c..b9c02cd3a78e 100644
+--- a/drivers/net/ethernet/korina.c
++++ b/drivers/net/ethernet/korina.c
+@@ -193,7 +193,8 @@ static void korina_chain_rx(struct korina_private *lp,
+ }
+
+ /* transmit packet */
+-static int korina_send_packet(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t korina_send_packet(struct sk_buff *skb,
++ struct net_device *dev)
+ {
+ struct korina_private *lp = netdev_priv(dev);
+ unsigned long flags;
+--
+2.35.1
+
diff --git a/queue-4.9/net-lantiq_etop-fix-return-type-for-implementation-o.patch b/queue-4.9/net-lantiq_etop-fix-return-type-for-implementation-o.patch
new file mode 100644
index 00000000000..66087c09ee7
--- /dev/null
+++ b/queue-4.9/net-lantiq_etop-fix-return-type-for-implementation-o.patch
@@ -0,0 +1,41 @@
+From 04bfe9580925fdfe2dfa856e4335af65fc788996 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 16:15:21 +0800
+Subject: net: lantiq_etop: Fix return type for implementation of
+ ndo_start_xmit
+
+From: GUO Zihua
+
+[ Upstream commit c8ef3c94bda0e21123202d057d4a299698fa0ed9 ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+ltq_etop_tx() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua
+Link: https://lore.kernel.org/r/20220902081521.59867-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/lantiq_etop.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
+index a167fd7ee13e..f9bff9c5d93e 100644
+--- a/drivers/net/ethernet/lantiq_etop.c
++++ b/drivers/net/ethernet/lantiq_etop.c
+@@ -473,7 +473,7 @@ ltq_etop_stop(struct net_device *dev)
+ return 0;
+ }
+
+-static int
++static netdev_tx_t
+ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
+ {
+ int queue = skb_get_queue_mapping(skb);
+--
+2.35.1
+
diff --git a/queue-4.9/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch b/queue-4.9/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch
new file mode 100644
index 00000000000..f4c0356b587
--- /dev/null
+++ b/queue-4.9/net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch
@@ -0,0 +1,54 @@
+From 46e2c290aaa1b5617c89d4b5c32259ddd72188f3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 29 Sep 2022 00:25:37 +0900
+Subject: net: rds: don't hold sock lock when cancelling work from
+ rds_tcp_reset_callbacks()
+
+From: Tetsuo Handa
+
+[ Upstream commit a91b750fd6629354460282bbf5146c01b05c4859 ]
+
+syzbot is reporting lockdep warning at rds_tcp_reset_callbacks() [1], for
+commit ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in
+rds_tcp_reset_callbacks()") added cancel_delayed_work_sync() into a section
+protected by lock_sock() without realizing that rds_send_xmit() might call
+lock_sock().
+
+We don't need to protect cancel_delayed_work_sync() using lock_sock(), for
+even if rds_{send,recv}_worker() re-queued this work while __flush_work()
+ from cancel_delayed_work_sync() was waiting for this work to complete,
+retried rds_{send,recv}_worker() is no-op due to the absence of RDS_CONN_UP
+bit.
+
+Link: https://syzkaller.appspot.com/bug?extid=78c55c7bc6f66e53dce2 [1]
+Reported-by: syzbot
+Co-developed-by: Hillf Danton
+Signed-off-by: Hillf Danton
+Signed-off-by: Tetsuo Handa
+Tested-by: syzbot
+Fixes: ac3615e7f3cffe2a ("RDS: TCP: Reduce code duplication in rds_tcp_reset_callbacks()")
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/rds/tcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/rds/tcp.c b/net/rds/tcp.c
+index 192f932bce0d..d7c9576a1148 100644
+--- a/net/rds/tcp.c
++++ b/net/rds/tcp.c
+@@ -165,10 +165,10 @@ void rds_tcp_reset_callbacks(struct socket *sock,
+ */
+ atomic_set(&cp->cp_state, RDS_CONN_RESETTING);
+ wait_event(cp->cp_waitq, !test_bit(RDS_IN_XMIT, &cp->cp_flags));
+- lock_sock(osock->sk);
+ /* reset receive side state for rds_tcp_data_recv() for osock */
+ cancel_delayed_work_sync(&cp->cp_send_w);
+ cancel_delayed_work_sync(&cp->cp_recv_w);
++ lock_sock(osock->sk);
+ if (tc->t_tinc) {
+ rds_inc_put(&tc->t_tinc->ti_inc);
+ tc->t_tinc = NULL;
+--
+2.35.1
+
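Review bot: The context comment `/* reset receive side state for rds_tcp_data_recv() for osock */` now sits above the two `cancel_delayed_work_sync()` calls instead of the `lock_sock(osock->sk)` section it describes, so the new ordering reads as accidental. The comment belongs below `lock_sock()`, and the cancel calls deserve their own, e.g. `/* must run without the sock lock: rds_send_xmit() may take lock_sock() */`, which is the lock inversion the commit message reports. Without that, a later cleanup could move the lock back up and reintroduce the hang. rds_tcp_reset_callbacks() continues outside the hunk, so the matching unlock is not visible here.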
diff --git a/queue-4.9/net-xscale-fix-return-type-for-implementation-of-ndo.patch b/queue-4.9/net-xscale-fix-return-type-for-implementation-of-ndo.patch
new file mode 100644
index 00000000000..7de00ffe354
--- /dev/null
+++ b/queue-4.9/net-xscale-fix-return-type-for-implementation-of-ndo.patch
@@ -0,0 +1,40 @@
+From 25451062268e79de70e91a32dbf49b935c7e07a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 16:16:12 +0800
+Subject: net: xscale: Fix return type for implementation of ndo_start_xmit
+
+From: GUO Zihua
+
+[ Upstream commit 0dbaf0fa62329d9fe452d9041a707a33f6274f1f ]
+
+Since Linux now supports CFI, it will be a good idea to fix mismatched
+return type for implementation of hooks. Otherwise this might get
+cought out by CFI and cause a panic.
+
+eth_xmit() would return either NETDEV_TX_BUSY or NETDEV_TX_OK, so
+change the return type to netdev_tx_t directly.
+
+Signed-off-by: GUO Zihua
+Link: https://lore.kernel.org/r/20220902081612.60405-1-guozihua@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/xscale/ixp4xx_eth.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/xscale/ixp4xx_eth.c b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+index fa32391720fe..62fcdf75a011 100644
+--- a/drivers/net/ethernet/xscale/ixp4xx_eth.c
++++ b/drivers/net/ethernet/xscale/ixp4xx_eth.c
+@@ -835,7 +835,7 @@ static void eth_txdone_irq(void *unused)
+ }
+ }
+
+-static int eth_xmit(struct sk_buff *skb, struct net_device *dev)
++static netdev_tx_t eth_xmit(struct sk_buff *skb, struct net_device *dev)
+ {
+ struct port *port = netdev_priv(dev);
+ unsigned int txreadyq = port->plat->txreadyq;
+--
+2.35.1
+
diff --git a/queue-4.9/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch b/queue-4.9/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch
new file mode 100644
index 00000000000..3d8d9e15499
--- /dev/null
+++ b/queue-4.9/openvswitch-fix-double-reporting-of-drops-in-dropwat.patch
@@ -0,0 +1,52 @@
+From 05ee737acbf4a059ac6f840f854025579408473a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Aug 2022 11:06:34 -0400
+Subject: openvswitch: Fix double reporting of drops in dropwatch
+
+From: Mike Pattrick
+
+[ Upstream commit 1100248a5c5ccd57059eb8d02ec077e839a23826 ]
+
+Frames sent to userspace can be reported as dropped in
+ovs_dp_process_packet, however, if they are dropped in the netlink code
+then netlink_attachskb will report the same frame as dropped.
+
+This patch checks for error codes which indicate that the frame has
+already been freed.
+
+Signed-off-by: Mike Pattrick
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109946
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/openvswitch/datapath.c | 13 ++++++++++---
+ 1 file changed, 10 insertions(+), 3 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index c28f0e2a7c3c..ab318844a19b 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -278,10 +278,17 @@ void ovs_dp_process_packet(struct sk_buff *skb, struct sw_flow_key *key)
+ upcall.portid = ovs_vport_find_upcall_portid(p, skb);
+ upcall.mru = OVS_CB(skb)->mru;
+ error = ovs_dp_upcall(dp, skb, key, &upcall, 0);
+- if (unlikely(error))
+- kfree_skb(skb);
+- else
++ switch (error) {
++ case 0:
++ case -EAGAIN:
++ case -ERESTARTSYS:
++ case -EINTR:
+ consume_skb(skb);
++ break;
++ default:
++ kfree_skb(skb);
++ break;
++ }
+ stats_counter = &stats->n_missed;
+ goto out;
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch b/queue-4.9/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch
new file mode 100644
index 00000000000..bebb18b0700
--- /dev/null
+++ b/queue-4.9/openvswitch-fix-overreporting-of-drops-in-dropwatch.patch
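Review bot: The new `switch (error)` gives no reason why `-EAGAIN`, `-ERESTARTSYS` and `-EINTR` share the `consume_skb()` arm with success, and the list stays correct only while it matches the errors for which the netlink path has already accounted the drop. Going by the commit message, a comment on the case labels such as `/* netlink_attachskb() already reported these as drops; do not count them twice */` would record that dependency for whoever next touches the upcall error paths. The rewrite also drops the `unlikely()` hint that the old `if (unlikely(error))` carried. ovs_dp_process_packet() starts and ends outside the hunk.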
@@ -0,0 +1,42 @@
+From 32a56cbe239504406bd6c1fea4ce96352771ad49 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 17 Aug 2022 11:06:35 -0400
+Subject: openvswitch: Fix overreporting of drops in dropwatch
+
+From: Mike Pattrick
+
+[ Upstream commit c21ab2afa2c64896a7f0e3cbc6845ec63dcfad2e ]
+
+Currently queue_userspace_packet will call kfree_skb for all frames,
+whether or not an error occurred. This can result in a single dropped
+frame being reported as multiple drops in dropwatch. This functions
+caller may also call kfree_skb in case of an error. This patch will
+consume the skbs instead and allow caller's to use kfree_skb.
+
+Signed-off-by: Mike Pattrick
+Link: https://bugzilla.redhat.com/show_bug.cgi?id=2109957
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/openvswitch/datapath.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c
+index ab318844a19b..10423757e781 100644
+--- a/net/openvswitch/datapath.c
++++ b/net/openvswitch/datapath.c
+@@ -555,8 +555,9 @@ static int queue_userspace_packet(struct datapath *dp, struct sk_buff *skb,
+ out:
+ if (err)
+ skb_tx_error(skb);
+- kfree_skb(user_skb);
+- kfree_skb(nskb);
++ consume_skb(user_skb);
++ consume_skb(nskb);
++
+ return err;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch b/queue-4.9/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch
new file mode 100644
index 00000000000..57efc3a7b39
--- /dev/null
+++ b/queue-4.9/platform-x86-msi-laptop-change-dmi-match-alias-strin.patch
@@ -0,0 +1,58 @@
+From 51cbf5a365455eb817c306d779f422375ee1f2d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Sep 2022 23:04:07 +0200
+Subject: platform/x86: msi-laptop: Change DMI match / alias strings to fix
+ module autoloading
+
+From: Hans de Goede
+
+[ Upstream commit 2a2565272a3628e45d61625e36ef17af7af4e3de ]
+
+On a MSI S270 with Fedora 37 x86_64 / systemd-251.4 the module does not
+properly autoload.
+
+This is likely caused by issues with how systemd-udevd handles the single
+quote char (') which is part of the sys_vendor / chassis_vendor strings
+on this laptop. As a workaround remove the single quote char + everything
+behind it from the sys_vendor + chassis_vendor matches. This fixes
+the module not autoloading.
+
+Link: https://github.com/systemd/systemd/issues/24715
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20220917210407.647432-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/msi-laptop.c | 8 +++-----
+ 1 file changed, 3 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index c2a1bc8e9fef..4ae2287ce262 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -609,11 +609,10 @@ static struct dmi_system_id __initdata msi_dmi_table[] = {
+ {
+ .ident = "MSI S270",
+ .matches = {
+- DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT'L CO.,LTD"),
++ DMI_MATCH(DMI_SYS_VENDOR, "MICRO-STAR INT"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "MS-1013"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+@@ -646,8 +645,7 @@ static struct dmi_system_id __initdata msi_dmi_table[] = {
+ DMI_MATCH(DMI_SYS_VENDOR, "NOTEBOOK"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "SAM2000"),
+ DMI_MATCH(DMI_PRODUCT_VERSION, "0131"),
+- DMI_MATCH(DMI_CHASSIS_VENDOR,
+- "MICRO-STAR INT'L CO.,LTD")
++ DMI_MATCH(DMI_CHASSIS_VENDOR, "MICRO-STAR INT")
+ },
+ .driver_data = &quirk_old_ec_model,
+ .callback = dmi_check_cb
+--
+2.35.1
+
diff --git a/queue-4.9/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch b/queue-4.9/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch
new file mode 100644
index 00000000000..f034866b392
--- /dev/null
+++ b/queue-4.9/platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch
@@ -0,0 +1,58 @@
+From eb4d37d3bb695d4817d0cd3b1686b0f8e1b7cc97 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 16:13:34 +0200
+Subject: platform/x86: msi-laptop: Fix old-ec check for backlight registering
+
+From: Hans de Goede
+
+[ Upstream commit 83ac7a1c2ed5f17caa07cbbc84bad3c05dc3bf22 ]
+
+Commit 2cc6c717799f ("msi-laptop: Port to new backlight interface
+selection API") replaced this check:
+
+ if (!quirks->old_ec_model || acpi_video_backlight_support())
+ pr_info("Brightness ignored, ...");
+ else
+ do_register();
+
+With:
+
+ if (quirks->old_ec_model ||
+ acpi_video_get_backlight_type() == acpi_backlight_vendor)
+ do_register();
+
+But since the do_register() part was part of the else branch, the entire
+condition should be inverted. So not only the 2 statements on either
+side of the || should be inverted, but the || itself should be replaced
+with a &&.
+
+In practice this has likely not been an issue because the new-ec models
+(old_ec_model==false) likely all support ACPI video backlight control,
+making acpi_video_get_backlight_type() return acpi_backlight_video
+turning the second part of the || also false when old_ec_model == false.
+
+Fixes: 2cc6c717799f ("msi-laptop: Port to new backlight interface selection API")
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20220825141336.208597-1-hdegoede@redhat.com
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/msi-laptop.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/platform/x86/msi-laptop.c b/drivers/platform/x86/msi-laptop.c
+index 42317704629d..c2a1bc8e9fef 100644
+--- a/drivers/platform/x86/msi-laptop.c
++++ b/drivers/platform/x86/msi-laptop.c
+@@ -1069,8 +1069,7 @@ static int __init msi_init(void)
+ return -EINVAL;
+
+ /* Register backlight stuff */
+-
+- if (quirks->old_ec_model ||
++ if (quirks->old_ec_model &&
+ acpi_video_get_backlight_type() == acpi_backlight_vendor) {
+ struct backlight_properties props;
+ memset(&props, 0, sizeof(struct backlight_properties));
+--
+2.35.1
+
diff --git a/queue-4.9/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch b/queue-4.9/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch
new file mode 100644
index 00000000000..aca77eed501
--- /dev/null
+++ b/queue-4.9/powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch
@@ -0,0 +1,45 @@
+From 70c41d37d770e892b889949dbe7361b5fc359a1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Sep 2022 14:08:26 +0800
+Subject: powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
+
+From: Chao Qin
+
+[ Upstream commit 2d93540014387d1c73b9ccc4d7895320df66d01b ]
+
+When value < time_unit, the parameter of ilog2() will be zero and
+the return value is -1. u64(-1) is too large for shift exponent
+and then will trigger shift-out-of-bounds:
+
+shift exponent 18446744073709551615 is too large for 32-bit type 'int'
+Call Trace:
+ rapl_compute_time_window_core
+ rapl_write_data_raw
+ set_time_window
+ store_constraint_time_window_us
+
+Signed-off-by: Chao Qin
+Acked-by: Zhang Rui
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/powercap/intel_rapl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/powercap/intel_rapl.c b/drivers/powercap/intel_rapl.c
+index 8809c1a20bed..5f31606e1982 100644
+--- a/drivers/powercap/intel_rapl.c
++++ b/drivers/powercap/intel_rapl.c
+@@ -1080,6 +1080,9 @@ static u64 rapl_compute_time_window_core(struct rapl_package *rp, u64 value,
+ y = value & 0x1f;
+ value = (1 << y) * (4 + f) * rp->time_unit / 4;
+ } else {
++ if (value < rp->time_unit)
++ return 0;
++
+ do_div(value, rp->time_unit);
+ y = ilog2(value);
+ f = div64_u64(4 * (value - (1 << y)), 1 << y);
+--
+2.35.1
+
diff --git a/queue-4.9/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch b/queue-4.9/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch
new file mode 100644
index 00000000000..d0f0fa2df54
--- /dev/null
+++ b/queue-4.9/powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch
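Review bot: The added `value < rp->time_unit` guard covers only the `ilog2(0)` case; `1 << y` in the context line after it is still an `int` shift, and `y = ilog2(value)` on a `u64` can exceed 31 for a large enough input, so a big time window still shifts out of bounds. The call trace in the commit message shows the value arriving through `store_constraint_time_window_us`, i.e. from a sysfs write. A 64-bit constant removes the undefined shift: `f = div64_u64(4 * (value - (1ULL << y)), 1ULL << y);`. Since the decode branch reads the exponent back with `value & 0x1f`, rejecting or clamping `y > 0x1f` before encoding would also keep the raw field consistent. The declaration of `y` and the rest of the function are outside the hunk.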
@@ -0,0 +1,150 @@
+From 6b999f32d9063f3ee9ac7c5c28d8c359f24b6589 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 23:21:02 +0200
+Subject: powerpc: Fix SPE Power ISA properties for e500v1 platforms
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár
+
+[ Upstream commit 37b9345ce7f4ab17538ea62def6f6d430f091355 ]
+
+Commit 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply
+with ePAPR 1.1") introduced new include file e500v2_power_isa.dtsi and
+should have used it for all e500v2 platforms. But apparently it was used
+also for e500v1 platforms mpc8540, mpc8541, mpc8555 and mpc8560.
+
+e500v1 cores compared to e500v2 do not support double precision floating
+point SPE instructions. Hence power-isa-sp.fd should not be set on e500v1
+platforms, which is in e500v2_power_isa.dtsi include file.
+
+Fix this issue by introducing a new e500v1_power_isa.dtsi include file and
+use it in all e500v1 device tree files.
+
+Fixes: 2eb28006431c ("powerpc/e500v2: Add Power ISA properties to comply with ePAPR 1.1")
+Signed-off-by: Pali Rohár
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/20220902212103.22534-1-pali@kernel.org
+Signed-off-by: Sasha Levin
+---
+ .../boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++++++++++++++++++
+ arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +-
+ arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +-
+ 5 files changed, 55 insertions(+), 4 deletions(-)
+ create mode 100644 arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+
+diff --git a/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+new file mode 100644
+index 000000000000..7e2a90cde72e
+--- /dev/null
++++ b/arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi
+@@ -0,0 +1,51 @@
++/*
++ * e500v1 Power ISA Device Tree Source (include)
++ *
++ * Copyright 2012 Freescale Semiconductor Inc.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions are met:
++ * * Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ * * Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in the
++ * documentation and/or other materials provided with the distribution.
++ * * Neither the name of Freescale Semiconductor nor the
++ * names of its contributors may be used to endorse or promote products
++ * derived from this software without specific prior written permission.
++ *
++ *
++ * ALTERNATIVELY, this software may be distributed under the terms of the
++ * GNU General Public License ("GPL") as published by the Free Software
++ * Foundation, either version 2 of that License or (at your option) any
++ * later version.
++ *
++ * THIS SOFTWARE IS PROVIDED BY Freescale Semiconductor "AS IS" AND ANY
++ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
++ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
++ * DISCLAIMED. IN NO EVENT SHALL Freescale Semiconductor BE LIABLE FOR ANY
++ * DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
++ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
++ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
++ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
++ * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++/ {
++ cpus {
++ power-isa-version = "2.03";
++ power-isa-b; // Base
++ power-isa-e; // Embedded
++ power-isa-atb; // Alternate Time Base
++ power-isa-cs; // Cache Specification
++ power-isa-e.le; // Embedded.Little-Endian
++ power-isa-e.pm; // Embedded.Performance Monitor
++ power-isa-ecl; // Embedded Cache Locking
++ power-isa-mmc; // Memory Coherence
++ power-isa-sp; // Signal Processing Engine
++ power-isa-sp.fs; // SPE.Embedded Float Scalar Single
++ power-isa-sp.fv; // SPE.Embedded Float Vector
++ mmu-type = "power-embedded";
++ };
++};
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+index e6d0b166d68d..b4314aa6769c 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8540ads.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8540ADS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+index 9fa2c734a988..48492c621edf 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8541cds.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8541CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+index 272f08caea92..325c817dedeb 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8555cds.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8555CDS";
+diff --git a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+index 7a822b08aa35..b5fb5ae3ed68 100644
+--- a/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
++++ b/arch/powerpc/boot/dts/fsl/mpc8560ads.dts
+@@ -11,7 +11,7 @@
+
+ /dts-v1/;
+
+-/include/ "e500v2_power_isa.dtsi"
++/include/ "e500v1_power_isa.dtsi"
+
+ / {
+ model = "MPC8560ADS";
+--
+2.35.1
+
diff --git a/queue-4.9/powerpc-math_emu-efp-include-module.h.patch b/queue-4.9/powerpc-math_emu-efp-include-module.h.patch
new file mode 100644
index 00000000000..62dcd7eece9
--- /dev/null
+++ b/queue-4.9/powerpc-math_emu-efp-include-module.h.patch
@@ -0,0 +1,53 @@
+From b74ea3a0f345d0fee7843ef504021823381451e6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 18:00:08 +0200
+Subject: powerpc/math_emu/efp: Include module.h
+
+From: Nathan Chancellor
+
+[ Upstream commit cfe0d370e0788625ce0df3239aad07a2506c1796 ]
+
+When building with a recent version of clang, there are a couple of
+errors around the call to module_init():
+
+ arch/powerpc/math-emu/math_efp.c:927:1: error: type specifier missing, defaults to 'int'; ISO C99 and later do not support implicit int [-Wimplicit-int]
+ module_init(spe_mathemu_init);
+ ^
+ int
+ arch/powerpc/math-emu/math_efp.c:927:13: error: a parameter list without types is only allowed in a function definition
+ module_init(spe_mathemu_init);
+ ^
+ 2 errors generated.
+
+module_init() is a macro, which is not getting expanded because module.h
+is not included in this file. Add the include so that the macro can
+expand properly, clearing up the build failure.
+
+Fixes: ac6f120369ff ("powerpc/85xx: Workaroudn e500 CPU erratum A005")
+[chleroy: added fixes tag]
+Reported-by: kernel test robot
+Signed-off-by: Nathan Chancellor
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Reviewed-by: Christophe Leroy
+Link: https://lore.kernel.org/r/8403854a4c187459b2f4da3537f51227b70b9223.1662134272.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/math-emu/math_efp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/math-emu/math_efp.c b/arch/powerpc/math-emu/math_efp.c
+index 28337c9709ae..cc4bbc4f8169 100644
+--- a/arch/powerpc/math-emu/math_efp.c
++++ b/arch/powerpc/math-emu/math_efp.c
+@@ -21,6 +21,7 @@
+
+ #include
+ #include
++#include
+
+ #include
+ #include
+--
+2.35.1
+
diff --git a/queue-4.9/powerpc-pci_dn-add-missing-of_node_put.patch b/queue-4.9/powerpc-pci_dn-add-missing-of_node_put.patch
new file mode 100644
index 00000000000..f2976a17ace
--- /dev/null
+++ b/queue-4.9/powerpc-pci_dn-add-missing-of_node_put.patch
@@ -0,0 +1,38 @@
+From 5b6526b03c338e323b6df8001933941651b4fe96 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 1 Jul 2022 21:17:50 +0800
+Subject: powerpc/pci_dn: Add missing of_node_put()
+
+From: Liang He
+
+[ Upstream commit 110a1fcb6c4d55144d8179983a475f17a1d6f832 ]
+
+In pci_add_device_node_info(), use of_node_put() to drop the reference
+to 'parent' returned by of_get_parent() to keep refcount balance.
+
+Fixes: cca87d303c85 ("powerpc/pci: Refactor pci_dn")
+Co-authored-by: Miaoqian Lin
+Signed-off-by: Liang He
+Signed-off-by: Michael Ellerman
+Reviewed-by: Tyrel Datwyler
+Link: https://lore.kernel.org/r/20220701131750.240170-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ arch/powerpc/kernel/pci_dn.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/powerpc/kernel/pci_dn.c b/arch/powerpc/kernel/pci_dn.c
+index c8f1b78fbd0e..3954e3bb944b 100644
+--- a/arch/powerpc/kernel/pci_dn.c
++++ b/arch/powerpc/kernel/pci_dn.c
+@@ -355,6 +355,7 @@ struct pci_dn *pci_add_device_node_info(struct pci_controller *hose,
+ INIT_LIST_HEAD(&pdn->list);
+ parent = of_get_parent(dn);
+ pdn->parent = parent ? PCI_DN(parent) : NULL;
++ of_node_put(parent);
+ if (pdn->parent)
+ list_add_tail(&pdn->list, &pdn->parent->child_list);
+
+--
+2.35.1
+
diff --git a/queue-4.9/r8152-rate-limit-overflow-messages.patch b/queue-4.9/r8152-rate-limit-overflow-messages.patch
new file mode 100644
index 00000000000..aac649f3c64
--- /dev/null
+++ b/queue-4.9/r8152-rate-limit-overflow-messages.patch
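Review bot: `of_node_put(parent)` is called right after `pdn->parent` is derived from `parent`, so `pdn->parent` and the `child_list` linkage in the next two context lines keep pointing at data reached through a node whose reference has just been dropped. That is safe only if the parent's `pci_dn` is kept alive independently of this reference, which the hunk does not show. A comment above the put, such as `/* only the parent's pci_dn is kept; its lifetime does not depend on this node reference */`, would state the assumption a reader has to make. pci_add_device_node_info() starts and ends outside the hunk.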
@@ -0,0 +1,38 @@
+From 86a61df57c5ac731bb84f1df5a16d3f8ea9bf10b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Oct 2022 12:41:28 +0900
+Subject: r8152: Rate limit overflow messages
+
+From: Andrew Gaul
+
+[ Upstream commit 93e2be344a7db169b7119de21ac1bf253b8c6907 ]
+
+My system shows almost 10 million of these messages over a 24-hour
+period which pollutes my logs.
+
+Signed-off-by: Andrew Gaul
+Link: https://lore.kernel.org/r/20221002034128.2026653-1-gaul@google.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/r8152.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/usb/r8152.c b/drivers/net/usb/r8152.c
+index 96f6edcb0062..a354695a22a9 100644
+--- a/drivers/net/usb/r8152.c
++++ b/drivers/net/usb/r8152.c
+@@ -1282,7 +1282,9 @@ static void intr_callback(struct urb *urb)
+ "Stop submitting intr, status %d\n", status);
+ return;
+ case -EOVERFLOW:
+- netif_info(tp, intr, tp->netdev, "intr status -EOVERFLOW\n");
++ if (net_ratelimit())
++ netif_info(tp, intr, tp->netdev,
++ "intr status -EOVERFLOW\n");
+ goto resubmit;
+ /* -EPIPE: should clear the halt */
+ default:
+--
+2.35.1
+
diff --git a/queue-4.9/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch b/queue-4.9/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch
new file mode 100644
index 00000000000..2f07a57bfcb
--- /dev/null
+++ b/queue-4.9/rdma-rxe-fix-kernel-null-pointer-dereference-error.patch
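Review bot: In intr_callback() (drivers/net/usb/r8152.c) the new `if (net_ratelimit())` runs before netif_info() checks the driver's message level, so every -EOVERFLOW interrupt spends a token from the rate limiter shared by the whole networking stack, even when intr messages are disabled. A device producing these at the rate quoted in the description could then suppress unrelated rate-limited network warnings that an operator relies on. Testing the message level first avoids that: `if (netif_msg_intr(tp) && net_ratelimit())`. The multi-line body would also read better with braces.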
@@ -0,0 +1,48 @@
+From 81ae0a273119225b33a747f107c3125c4b31db6b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Aug 2022 21:16:13 -0400
+Subject: RDMA/rxe: Fix "kernel NULL pointer dereference" error
+
+From: Zhu Yanjun
+
+[ Upstream commit a625ca30eff806395175ebad3ac1399014bdb280 ]
+
+When rxe_queue_init in the function rxe_qp_init_req fails,
+both qp->req.task.func and qp->req.task.arg are not initialized.
+
+Because of creation of qp fails, the function rxe_create_qp will
+call rxe_qp_do_cleanup to handle allocated resource.
+
+Before calling __rxe_do_task, both qp->req.task.func and
+qp->req.task.arg should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-2-yanjun.zhu@linux.dev
+Reported-by: syzbot+ab99dc4c6e961eed8b8e@syzkaller.appspotmail.com
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Bob Pearson
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index 5fa1442fd4f1..d41728397bd2 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -825,7 +825,9 @@ void rxe_qp_destroy(struct rxe_qp *qp)
+ rxe_cleanup_task(&qp->comp.task);
+
+ /* flush out any receive wr's or pending requests */
+- __rxe_do_task(&qp->req.task);
++ if (qp->req.task.func)
++ __rxe_do_task(&qp->req.task);
++
+ if (qp->sq.queue) {
+ __rxe_do_task(&qp->comp.task);
+ __rxe_do_task(&qp->req.task);
+--
+2.35.1
+
diff --git a/queue-4.9/rdma-rxe-fix-the-error-caused-by-qp-sk.patch b/queue-4.9/rdma-rxe-fix-the-error-caused-by-qp-sk.patch
new file mode 100644
index 00000000000..8644f2bca9b
--- /dev/null
+++ b/queue-4.9/rdma-rxe-fix-the-error-caused-by-qp-sk.patch
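Review bot: In rxe_qp_destroy() (drivers/infiniband/sw/rxe/rxe_qp.c) only the first `__rxe_do_task(&qp->req.task)` is guarded by `qp->req.task.func`; the two calls inside `if (qp->sq.queue)` and the `rxe_cleanup_task(&qp->comp.task)` context line above still run on tasks whose initialisation this hunk does not show. They are presumably safe because a non-NULL `qp->sq.queue` implies the tasks were set up, but that invariant lives in rxe_qp_init_req(), outside the hunk, and deserves a comment on the new check such as `/* task.func is NULL if rxe_qp_init_req() failed before the task was initialised */`. The description names rxe_qp_do_cleanup() while this backport patches rxe_qp_destroy(), so the 4.9 call path is worth confirming.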
@@ -0,0 +1,46 @@
+From 7db0853e09be336a45de8b6778bf633b08183686 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 21 Aug 2022 21:16:14 -0400
+Subject: RDMA/rxe: Fix the error caused by qp->sk
+
+From: Zhu Yanjun
+
+[ Upstream commit 548ce2e66725dcba4e27d1e8ac468d5dd17fd509 ]
+
+When sock_create_kern in the function rxe_qp_init_req fails,
+qp->sk is set to NULL.
+
+Then the function rxe_create_qp will call rxe_qp_do_cleanup
+to handle allocated resource.
+
+Before handling qp->sk, this variable should be checked.
+
+Fixes: 8700e3e7c485 ("Soft RoCE driver")
+Link: https://lore.kernel.org/r/20220822011615.805603-3-yanjun.zhu@linux.dev
+Signed-off-by: Zhu Yanjun
+Reviewed-by: Li Zhijian
+Reviewed-by: Bob Pearson
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/sw/rxe/rxe_qp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c
+index d41728397bd2..4c91062ff247 100644
+--- a/drivers/infiniband/sw/rxe/rxe_qp.c
++++ b/drivers/infiniband/sw/rxe/rxe_qp.c
+@@ -864,6 +864,8 @@ void rxe_qp_cleanup(void *arg)
+
+ free_rd_atomic_resources(qp);
+
+- kernel_sock_shutdown(qp->sk, SHUT_RDWR);
+- sock_release(qp->sk);
++ if (qp->sk) {
++ kernel_sock_shutdown(qp->sk, SHUT_RDWR);
++ sock_release(qp->sk);
++ }
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch b/queue-4.9/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch
new file mode 100644
index 00000000000..deaddf85b28
--- /dev/null
+++ b/queue-4.9/revert-usb-storage-add-quirk-for-samsung-fit-flash.patch
@@ -0,0 +1,59 @@
+From 54cc68d4c499786a52a82fa577d0f5a9445998b7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Sep 2022 20:49:13 +0900
+Subject: Revert "usb: storage: Add quirk for Samsung Fit flash"
+
+From: sunghwan jung
+
+[ Upstream commit ad5dbfc123e6ffbbde194e2a4603323e09f741ee ]
+
+This reverts commit 86d92f5465958752481269348d474414dccb1552,
+which fix the timeout issue for "Samsung Fit Flash".
+
+But the commit affects not only "Samsung Fit Flash" but also other usb
+storages that use the same controller and causes severe performance
+regression.
+
+ # hdparm -t /dev/sda (without the quirk)
+ Timing buffered disk reads: 622 MB in 3.01 seconds = 206.66 MB/sec
+
+ # hdparm -t /dev/sda (with the quirk)
+ Timing buffered disk reads: 220 MB in 3.00 seconds = 73.32 MB/sec
+
+The commit author mentioned that "Issue was reproduced after device has
+bad block", so this quirk should be applied when we have the timeout
+issue with a device that has bad blocks.
+
+We revert the commit so that we apply this quirk by adding kernel
+paramters using a bootloader or other ways when we really need it,
+without the performance regression with devices that don't have the
+issue.
+
+Signed-off-by: sunghwan jung
+Link: https://lore.kernel.org/r/20220913114913.3073-1-onenowy@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/storage/unusual_devs.h | 6 ------
+ 1 file changed, 6 deletions(-)
+
+diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h
+index 5a6ca1460711..8c51bb66f16f 100644
+--- a/drivers/usb/storage/unusual_devs.h
++++ b/drivers/usb/storage/unusual_devs.h
+@@ -1294,12 +1294,6 @@ UNUSUAL_DEV( 0x090a, 0x1200, 0x0000, 0x9999,
+ USB_SC_RBC, USB_PR_BULK, NULL,
+ 0 ),
+
+-UNUSUAL_DEV(0x090c, 0x1000, 0x1100, 0x1100,
+- "Samsung",
+- "Flash Drive FIT",
+- USB_SC_DEVICE, USB_PR_DEVICE, NULL,
+- US_FL_MAX_SECTORS_64),
+-
+ /* aeb */
+ UNUSUAL_DEV( 0x090c, 0x1132, 0x0000, 0xffff,
+ "Feiya",
+--
+2.35.1
+
diff --git a/queue-4.9/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch b/queue-4.9/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch
new file mode 100644
index 00000000000..cf3df03278d
--- /dev/null
+++ b/queue-4.9/scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch
@@ -0,0 +1,42 @@
+From 8d208e118c189635beddabfc96c561836b751713 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 29 Aug 2022 19:01:15 +0800
+Subject: scsi: 3w-9xxx: Avoid disabling device if failing to enable it
+
+From: Letu Ren
+
+[ Upstream commit 7eff437b5ee1309b34667844361c6bbb5c97df05 ]
+
+The original code will "goto out_disable_device" and call
+pci_disable_device() if pci_enable_device() fails. The kernel will generate
+a warning message like "3w-9xxx 0000:00:05.0: disabling already-disabled
+device".
+
+We shouldn't disable a device that failed to be enabled. A simple return is
+fine.
+
+Link: https://lore.kernel.org/r/20220829110115.38789-1-fantasquex@gmail.com
+Reported-by: Zheyu Ma
+Signed-off-by: Letu Ren
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/3w-9xxx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c
+index b78a2f3745f2..9c2edd9b66d1 100644
+--- a/drivers/scsi/3w-9xxx.c
++++ b/drivers/scsi/3w-9xxx.c
+@@ -2016,7 +2016,7 @@ static int twa_probe(struct pci_dev *pdev, const struct pci_device_id *dev_id)
+ retval = pci_enable_device(pdev);
+ if (retval) {
+ TW_PRINTK(host, TW_DRIVER, 0x34, "Failed to enable pci device");
+- goto out_disable_device;
++ return -ENODEV;
+ }
+
+ pci_set_master(pdev);
+--
+2.35.1
+
diff --git a/queue-4.9/serial-8250-fix-restoring-termios-speed-after-suspen.patch b/queue-4.9/serial-8250-fix-restoring-termios-speed-after-suspen.patch
new file mode 100644
index 00000000000..9d9754a3715
--- /dev/null
+++ b/queue-4.9/serial-8250-fix-restoring-termios-speed-after-suspen.patch
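Review bot: In twa_probe() (drivers/scsi/3w-9xxx.c) the new `return -ENODEV;` discards the error code that `pci_enable_device()` just stored in `retval`, so the caller and any log built from the probe result see -ENODEV whatever the real failure was. `return retval;` keeps the early return the commit wants and preserves the cause. The rest of the function, including the out_disable_device label, is outside the hunk.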
@@ -0,0 +1,54 @@
+From 947f0ba63c742f0dcb17c3efe37cf953a12c18d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Sep 2022 12:43:24 +0200
+Subject: serial: 8250: Fix restoring termios speed after suspend
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Pali Rohár
+
+[ Upstream commit 379a33786d489ab81885ff0b3935cfeb36137fea ]
+
+Since commit edc6afc54968 ("tty: switch to ktermios and new framework")
+termios speed is no longer stored only in c_cflag member but also in new
+additional c_ispeed and c_ospeed members. If BOTHER flag is set in c_cflag
+then termios speed is stored only in these new members.
+
+Since commit 027b57170bf8 ("serial: core: Fix initializing and restoring
+termios speed") termios speed is available also in struct console.
+
+So properly restore also c_ispeed and c_ospeed members after suspend to fix
+restoring termios speed which is not represented by Bnnn constant.
+
+Fixes: 4516d50aabed ("serial: 8250: Use canary to restart console after suspend")
+Signed-off-by: Pali Rohár
+Link: https://lore.kernel.org/r/20220924104324.4035-1-pali@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_port.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index d337a6d02282..b461cf2cc2ca 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -3146,8 +3146,13 @@ static void serial8250_console_restore(struct uart_8250_port *up)
+ unsigned int baud, quot, frac = 0;
+
+ termios.c_cflag = port->cons->cflag;
+- if (port->state->port.tty && termios.c_cflag == 0)
++ termios.c_ispeed = port->cons->ispeed;
++ termios.c_ospeed = port->cons->ospeed;
++ if (port->state->port.tty && termios.c_cflag == 0) {
+ termios.c_cflag = port->state->port.tty->termios.c_cflag;
++ termios.c_ispeed = port->state->port.tty->termios.c_ispeed;
++ termios.c_ospeed = port->state->port.tty->termios.c_ospeed;
++ }
+
+ baud = serial8250_get_baud_rate(port, &termios, NULL);
+ quot = serial8250_get_divisor(up, baud, &frac);
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index 8db33da0384..542adcdd15d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
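Review bot: In serial8250_console_restore() (drivers/tty/serial/8250/8250_port.c) the added lines read `port->cons->ispeed` and `port->cons->ospeed`, fields the description attributes to commit 027b57170bf8; nothing on this page shows that commit in the 4.9 tree, so the backport needs it queued first or a build test on 4.9. Separately, `port->state->port.tty` is now read four times in the fallback block; loading it once into a local, `struct tty_struct *tty = port->state->port.tty;`, would make the check and the three copies use the same pointer. The declarations of `termios` and `port` are outside the hunk.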
@@ -61,3 +61,104 @@ ring-buffer-check-pending-waiters-when-doing-wake-ups-as-well.patch
 ring-buffer-fix-race-between-reset-page-and-reading-page.patch
 kvm-x86-emulator-fix-handing-of-pop-ss-to-correctly-set-interruptibility.patch
 selinux-use-grep-e-instead-of-egrep.patch
+sh-machvec-use-char-for-section-boundaries.patch
+wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
+wifi-mac80211-allow-bw-change-during-channel-switch-.patch
+wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
+spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-15914
+wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch
+net-fs_enet-fix-wrong-check-in-do_pd_setup.patch
+spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch
+misdn-fix-use-after-free-bugs-in-l1oip-timer-handler.patch
+tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch
+net-rds-don-t-hold-sock-lock-when-cancelling-work-fr.patch
+bnx2x-fix-potential-memory-leak-in-bnx2x_tpa_stop.patch
+drm-mipi-dsi-detach-devices-when-removing-the-host.patch
+platform-x86-msi-laptop-fix-old-ec-check-for-backlig.patch
+mmc-au1xmmc-fix-an-error-handling-path-in-au1xmmc_pr.patch
+asoc-eureka-tlv320-hold-reference-returned-from-of_f.patch
+alsa-dmaengine-increment-buffer-pointer-atomically.patch
+memory-of-fix-refcount-leak-bug-in-of_get_ddr_timing.patch
+soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
+soc-qcom-smem_state-add-refcounting-for-the-state-of.patch
+arm-dts-kirkwood-lsxl-fix-serial-line.patch
+arm-dts-kirkwood-lsxl-remove-first-ethernet-port.patch
+arm-drop-cmdline_-dependency-on-atags.patch
+arm-dts-exynos-fix-polarity-of-vbus-gpio-of-origen.patch
+iio-adc-at91-sama5d2_adc-fix-at91_sama5d2_mr_trackti.patch
+iio-inkern-only-release-the-device-node-when-done-wi.patch
+iio-abi-fix-wrong-format-of-differential-capacitance.patch
+clk-tegra-fix-refcount-leak-in-tegra210_clock_init.patch
+clk-tegra-fix-refcount-leak-in-tegra114_clock_init.patch
+clk-tegra20-fix-refcount-leak-in-tegra20_clock_init.patch
+hsi-omap_ssi-fix-refcount-leak-in-ssi_probe.patch
+hsi-omap_ssi_port-fix-dma_map_sg-error-check.patch
+media-exynos4-is-fimc-is-add-of_node_put-when-breaki.patch
+media-tm6000-fix-unused-value-in-vidioc_try_fmt_vid_.patch
+tty-xilinx_uartps-fix-the-ignore_status.patch
+media-xilinx-vipp-fix-refcount-leak-in-xvip_graph_dm.patch
+rdma-rxe-fix-kernel-null-pointer-dereference-error.patch
+rdma-rxe-fix-the-error-caused-by-qp-sk.patch
+dyndbg-fix-module.dyndbg-handling.patch
+dyndbg-let-query-modname-override-actual-module-name.patch
+usb-serial-console-move-mutex_unlock-before-usb_seri.patch
+ata-fix-ata_id_sense_reporting_enabled-and-ata_id_ha.patch
+ata-fix-ata_id_has_devslp.patch
+ata-fix-ata_id_has_ncq_autosense.patch
+ata-fix-ata_id_has_dipm.patch
+drivers-serial-jsm-fix-some-leaks-in-probe.patch
+firmware-google-test-spinlock-on-panic-path-to-avoid.patch
+serial-8250-fix-restoring-termios-speed-after-suspen.patch
+ib-rdmavt-add-__init-__exit-annotations-to-module-in.patch
+mfd-intel_soc_pmic-fix-an-error-handling-path-in-int.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_prob.patch
+mfd-lp8788-fix-an-error-handling-path-in-lp8788_irq_.patch
+mfd-sm501-add-check-for-platform_driver_register.patch
+dmaengine-ioat-stop-mod_timer-from-resurrecting-dele.patch
+clk-bcm2835-fix-bcm2835_clock_rate_from_divisor-decl.patch
+clk-ti-dra7-atl-fix-reference-leak-in-of_dra7_atl_cl.patch
+powerpc-math_emu-efp-include-module.h.patch
+powerpc-pci_dn-add-missing-of_node_put.patch
+powerpc-fix-spe-power-isa-properties-for-e500v1-plat.patch
+iommu-omap-fix-buffer-overflow-in-debugfs.patch
+f2fs-fix-race-condition-on-setting-fi_no_extent-flag.patch
+acpi-video-add-toshiba-satellite-portege-z830-quirk.patch
+mips-bcm47xx-cast-memcmp-of-function-to-void.patch
+powercap-intel_rapl-fix-ubsan-shift-out-of-bounds-is.patch
+thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch
+openvswitch-fix-double-reporting-of-drops-in-dropwat.patch
+openvswitch-fix-overreporting-of-drops-in-dropwatch.patch
+tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch
+xfrm-update-ipcomp_scratches-with-null-when-freed.patch
+net-xscale-fix-return-type-for-implementation-of-ndo.patch
+net-lantiq_etop-fix-return-type-for-implementation-o.patch
+net-ftmac100-fix-endianness-related-issues-from-spar.patch
+bluetooth-l2cap-initialize-delayed-works-at-l2cap_ch.patch
+net-davicom-fix-return-type-of-dm9000_start_xmit.patch
+net-ethernet-ti-davinci_emac-fix-return-type-of-emac.patch
+net-korina-fix-return-type-of-korina_send_packet.patch
+bluetooth-hci_sysfs-fix-attempting-to-call-device_ad.patch
+can-bcm-check-the-result-of-can_send-in-bcm_can_tx.patch
+wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch
+bluetooth-l2cap-fix-user-after-free.patch
+r8152-rate-limit-overflow-messages.patch
+drm-use-size_t-type-for-len-variable-in-drm_copy_fie.patch
+drm-prevent-drm_copy_field-to-attempt-copying-a-null.patch
+platform-x86-msi-laptop-change-dmi-match-alias-strin.patch
+drm-amdgpu-fix-initial-connector-audio-value.patch
+arm-dts-imx7d-sdb-config-the-max-pressure-for-tsc204.patch
+arm-dts-imx6q-add-missing-properties-for-sram.patch
+arm-dts-imx6dl-add-missing-properties-for-sram.patch
+arm-dts-imx6qp-add-missing-properties-for-sram.patch
+arm-dts-imx6sl-add-missing-properties-for-sram.patch
+arm-orion-fix-include-path.patch
+media-cx88-fix-a-null-ptr-deref-bug-in-buffer_prepar.patch
+scsi-3w-9xxx-avoid-disabling-device-if-failing-to-en.patch
+hid-topre-add-driver-fixing-report-descriptor.patch
+hid-roccat-fix-use-after-free-in-roccat_read.patch
+hsi-ssi_protocol-fix-potential-resource-leak-in-ssip.patch
+usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch
+usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch
+revert-usb-storage-add-quirk-for-samsung-fit-flash.patch
+usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
diff --git a/queue-4.9/sh-machvec-use-char-for-section-boundaries.patch b/queue-4.9/sh-machvec-use-char-for-section-boundaries.patch
new file mode 100644
index 00000000000..6c6ef8cc6f1
--- /dev/null
+++ b/queue-4.9/sh-machvec-use-char-for-section-boundaries.patch
@@ -0,0 +1,82 @@
+From 6c3a5451b28e873dbd1546a2c4bcc3a0c9b77164 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 7 Sep 2022 16:40:44 -0700
+Subject: sh: machvec: Use char[] for section boundaries
+
+From: Kees Cook
+
+[ Upstream commit c5783af354688b24abd359f7086c282ec74de993 ]
+
+As done for other sections, define the extern as a character array,
+which relaxes many of the compiler-time object size checks, which would
+otherwise assume it's a single long. Solves the following build error:
+
+arch/sh/kernel/machvec.c: error: array subscript 'struct sh_machine_vector[0]' is partly outside array bounds of 'long int[1]' [-Werror=array-bounds]: => 105:33
+
+Cc: Yoshinori Sato
+Cc: Rich Felker
+Cc: linux-sh@vger.kernel.org
+Reported-by: Geert Uytterhoeven
+Link: https://lore.kernel.org/lkml/alpine.DEB.2.22.394.2209050944290.964530@ramsan.of.borg/
+Fixes: 9655ad03af2d ("sh: Fixup machvec support.")
+Reviewed-by: Geert Uytterhoeven
+Reviewed-by: Gustavo A. R. Silva
+Acked-by: Rich Felker
+Signed-off-by: Kees Cook
+Signed-off-by: Sasha Levin
+---
+ arch/sh/include/asm/sections.h | 2 +-
+ arch/sh/kernel/machvec.c | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/arch/sh/include/asm/sections.h b/arch/sh/include/asm/sections.h
+index 7a99e6af6372..9ec764c4ffe9 100644
+--- a/arch/sh/include/asm/sections.h
++++ b/arch/sh/include/asm/sections.h
+@@ -3,7 +3,7 @@
+
+ #include
+
+-extern long __machvec_start, __machvec_end;
++extern char __machvec_start[], __machvec_end[];
+ extern char __uncached_start, __uncached_end;
+ extern char __start_eh_frame[], __stop_eh_frame[];
+
+diff --git a/arch/sh/kernel/machvec.c b/arch/sh/kernel/machvec.c
+index ec05f491c347..a9f797a76e7c 100644
+--- a/arch/sh/kernel/machvec.c
++++ b/arch/sh/kernel/machvec.c
+@@ -22,8 +22,8 @@
+ #define MV_NAME_SIZE 32
+
+ #define for_each_mv(mv) \
+- for ((mv) = (struct sh_machine_vector *)&__machvec_start; \
+- (mv) && (unsigned long)(mv) < (unsigned long)&__machvec_end; \
++ for ((mv) = (struct sh_machine_vector *)__machvec_start; \
++ (mv) && (unsigned long)(mv) < (unsigned long)__machvec_end; \
+ (mv)++)
+
+ static struct sh_machine_vector * __init get_mv_byname(const char *name)
+@@ -89,8 +89,8 @@ void __init sh_mv_setup(void)
+ if (!machvec_selected) {
+ unsigned long machvec_size;
+
+- machvec_size = ((unsigned long)&__machvec_end -
+- (unsigned long)&__machvec_start);
++ machvec_size = ((unsigned long)__machvec_end -
++ (unsigned long)__machvec_start);
+
+ /*
+ * Sanity check for machvec section alignment. Ensure
+@@ -104,7 +104,7 @@ void __init sh_mv_setup(void)
+ * vector (usually the only one) from .machvec.init.
+ */
+ if (machvec_size >= sizeof(struct sh_machine_vector))
+- sh_mv = *(struct sh_machine_vector *)&__machvec_start;
++ sh_mv = *(struct sh_machine_vector *)__machvec_start;
+ }
+
+ printk(KERN_NOTICE "Booting machvec: %s\n", get_system_type());
+--
+2.35.1
+
diff --git a/queue-4.9/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch b/queue-4.9/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch
new file mode 100644
index 00000000000..c6e035153cd
--- /dev/null
+++ b/queue-4.9/soc-qcom-smem_state-add-refcounting-for-the-state-of.patch
@@ -0,0 +1,46 @@
+From f3c898b4cf9700d70b8830f7f925d9f39b6a16e4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jul 2022 21:52:17 +0800
+Subject: soc: qcom: smem_state: Add refcounting for the 'state->of_node'
+
+From: Liang He
+
+[ Upstream commit 90681f53b9381c23ff7762a3b13826d620c272de ]
+
+In qcom_smem_state_register() and qcom_smem_state_release(), we
+should better use of_node_get() and of_node_put() for the reference
+creation and destruction of 'device_node'.
+
+Fixes: 9460ae2ff308 ("soc: qcom: Introduce common SMEM state machine code")
+Signed-off-by: Liang He
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220721135217.1301039-2-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/smem_state.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/soc/qcom/smem_state.c b/drivers/soc/qcom/smem_state.c
+index d5437ca76ed9..1502cf037a6b 100644
+--- a/drivers/soc/qcom/smem_state.c
++++ b/drivers/soc/qcom/smem_state.c
+@@ -144,6 +144,7 @@ static void qcom_smem_state_release(struct kref *ref)
+ struct qcom_smem_state *state = container_of(ref, struct qcom_smem_state, refcount);
+
+ list_del(&state->list);
++ of_node_put(state->of_node);
+ kfree(state);
+ }
+
+@@ -177,7 +178,7 @@ struct qcom_smem_state *qcom_smem_state_register(struct device_node *of_node,
+
+ kref_init(&state->refcount);
+
+- state->of_node = of_node;
++ state->of_node = of_node_get(of_node);
+ state->ops = *ops;
+ state->priv = priv;
+
+--
+2.35.1
+
diff --git a/queue-4.9/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch b/queue-4.9/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
new file mode 100644
index 00000000000..3c9303cac59
--- /dev/null
+++ b/queue-4.9/soc-qcom-smsm-fix-refcount-leak-bugs-in-qcom_smsm_pr.patch
@@ -0,0 +1,107 @@
+From b564f61d6747a889351ce533e9fc01129f60d5d0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Jul 2022 21:52:16 +0800
+Subject: soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
+
+From: Liang He
+
+[ Upstream commit af8f6f39b8afd772fda4f8e61823ef8c021bf382 ]
+
+There are two refcount leak bugs in qcom_smsm_probe():
+
+(1) The 'local_node' is escaped out from for_each_child_of_node() as
+the break of iteration, we should call of_node_put() for it in error
+path or when it is not used anymore.
+(2) The 'node' is escaped out from for_each_available_child_of_node()
+as the 'goto', we should call of_node_put() for it in goto target.
+
+Fixes: c97c4090ff72 ("soc: qcom: smsm: Add driver for Qualcomm SMSM")
+Signed-off-by: Liang He
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220721135217.1301039-1-windhl@126.com
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/qcom/smsm.c | 20 +++++++++++++-------
+ 1 file changed, 13 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/soc/qcom/smsm.c b/drivers/soc/qcom/smsm.c
+index 01bc8528f24d..87ab37807e3f 100644
+--- a/drivers/soc/qcom/smsm.c
++++ b/drivers/soc/qcom/smsm.c
+@@ -515,7 +515,7 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ for (id = 0; id < smsm->num_hosts; id++) {
+ ret = smsm_parse_ipc(smsm, id);
+ if (ret < 0)
+- return ret;
++ goto out_put;
+ }
+
+ /* Acquire the main SMSM state vector */
+@@ -523,13 +523,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->num_entries * sizeof(u32));
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate shared state entry\n");
+- return ret;
++ goto out_put;
+ }
+
+ states = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_SHARED_STATE, NULL);
+ if (IS_ERR(states)) {
+ dev_err(&pdev->dev, "Unable to acquire shared state entry\n");
+- return PTR_ERR(states);
++ ret = PTR_ERR(states);
++ goto out_put;
+ }
+
+ /* Acquire the list of interrupt mask vectors */
+@@ -537,13 +538,14 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ ret = qcom_smem_alloc(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, size);
+ if (ret < 0 && ret != -EEXIST) {
+ dev_err(&pdev->dev, "unable to allocate smsm interrupt mask\n");
+- return ret;
++ goto out_put;
+ }
+
+ intr_mask = qcom_smem_get(QCOM_SMEM_HOST_ANY, SMEM_SMSM_CPU_INTR_MASK, NULL);
+ if (IS_ERR(intr_mask)) {
+ dev_err(&pdev->dev, "unable to acquire shared memory interrupt mask\n");
+- return PTR_ERR(intr_mask);
++ ret = PTR_ERR(intr_mask);
++ goto out_put;
+ }
+
+ /* Setup the reference to the local state bits */
+@@ -554,7 +556,8 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ smsm->state = qcom_smem_state_register(local_node, &smsm_state_ops, smsm);
+ if (IS_ERR(smsm->state)) {
+ dev_err(smsm->dev, "failed to register qcom_smem_state\n");
+- return PTR_ERR(smsm->state);
++ ret = PTR_ERR(smsm->state);
++ goto out_put;
+ }
+
+ /* Register handlers for remote processor entries of interest. */
+@@ -584,16 +587,19 @@ static int qcom_smsm_probe(struct platform_device *pdev)
+ }
+
+ platform_set_drvdata(pdev, smsm);
++ of_node_put(local_node);
+
+ return 0;
+
+ unwind_interfaces:
++ of_node_put(node);
+ for (id = 0; id < smsm->num_entries; id++)
+ if (smsm->entries[id].domain)
+ irq_domain_remove(smsm->entries[id].domain);
+
+ qcom_smem_state_unregister(smsm->state);
+-
++out_put:
++ of_node_put(local_node);
+ return ret;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch b/queue-4.9/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch
new file mode 100644
index 00000000000..027d5db469a
--- /dev/null
+++ b/queue-4.9/spi-omap100k-fix-pm-disable-depth-imbalance-in-omap1.patch
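Review bot: In qcom_smsm_probe() (drivers/soc/qcom/smsm.c) the success path now calls `of_node_put(local_node)` after `local_node` was handed to qcom_smem_state_register(), which is only safe if the registered state takes its own reference. That reference comes from the separate smem_state patch, which the series file lists after this one, so with this patch alone `state->of_node` would point at a node the probe no longer holds. A comment at the put, e.g. `/* smsm->state holds its own reference, taken in qcom_smem_state_register() */`, would record the dependency. The new `of_node_put(node)` under unwind_interfaces likewise assumes every jump to that label comes from inside the child-node loop, which lies outside the hunks shown.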
@@ -0,0 +1,38 @@
+From c4260859268f4a421b984ccdf75c291e2772b3af Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Sep 2022 20:13:09 +0800
+Subject: spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
+
+From: Zhang Qilong
+
+[ Upstream commit 29f65f2171c85a9633daa380df14009a365f42f2 ]
+
+The pm_runtime_enable will increase power disable depth. Thus
+a pairing decrement is needed on the error handling path to
+keep it balanced according to context.
+
+Fixes:db91841b58f9a ("spi/omap100k: Convert to runtime PM")
+
+Signed-off-by: Zhang Qilong
+Link: https://lore.kernel.org/r/20220924121310.78331-4-zhangqilong3@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-omap-100k.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
+index 2eeb0fe2eed2..022f5bccef81 100644
+--- a/drivers/spi/spi-omap-100k.c
++++ b/drivers/spi/spi-omap-100k.c
+@@ -425,6 +425,7 @@ static int omap1_spi100k_probe(struct platform_device *pdev)
+ return status;
+
+ err_fck:
++ pm_runtime_disable(&pdev->dev);
+ clk_disable_unprepare(spi100k->fck);
+ err_ick:
+ clk_disable_unprepare(spi100k->ick);
+--
+2.35.1
+
diff --git a/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch b/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
new file mode 100644
index 00000000000..aaaf858bd4b
--- /dev/null
+++ b/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch
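Review bot: In omap1_spi100k_probe() (drivers/spi/spi-omap-100k.c) `pm_runtime_disable(&pdev->dev)` is added at the top of err_fck, so it runs for every jump to that label, but both the jumps and the pm_runtime_enable() call are outside the hunk. If any `goto err_fck` happens before pm_runtime_enable(), the disable depth becomes unbalanced in the other direction. A separate label above err_fck for the post-enable failures, for example `err_pm:`, would make the pairing explicit.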
@@ -0,0 +1,61 @@
+From 4f386d011c8a29f416d42913721c17ae092c7a64 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 06:53:23 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_resume()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang
+
+[ Upstream commit 70034320fdc597b8f58b4a43bb547f17c4c5557a ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_resume() in the error handling case.
+
+Fixes: 64ff247a978f (“spi: Add Qualcomm QUP SPI controller support”)
+Signed-off-by: Xu Qiang
+Link: https://lore.kernel.org/r/20220825065324.68446-1-xuqiang36@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-qup.c | 17 ++++++++++++++---
+ 1 file changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index 88b108e1c85f..431cb184595f 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -1003,14 +1003,25 @@ static int spi_qup_resume(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ ret = spi_qup_set_state(controller, QUP_STATE_RESET);
+ if (ret)
+- return ret;
++ goto disable_clk;
++
++ ret = spi_master_resume(master);
++ if (ret)
++ goto disable_clk;
+
+- return spi_master_resume(master);
++ return 0;
++
++disable_clk:
++ clk_disable_unprepare(controller->cclk);
++ clk_disable_unprepare(controller->iclk);
++ return ret;
+ }
+ #endif /* CONFIG_PM_SLEEP */
+
+--
+2.35.1
+
diff --git a/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-15914 b/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-15914
new file mode 100644
index 00000000000..9786a700540
--- /dev/null
+++ b/queue-4.9/spi-qup-add-missing-clk_disable_unprepare-on-error-i.patch-15914
@@ -0,0 +1,44 @@
+From 7e87682bcea18adf39b83f123a98b0f060e30db7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Aug 2022 06:53:24 +0000
+Subject: spi: qup: add missing clk_disable_unprepare on error in
+ spi_qup_pm_resume_runtime()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Xu Qiang
+
+[ Upstream commit 494a22765ce479c9f8ad181c5d24cffda9f534bb ]
+
+Add the missing clk_disable_unprepare() before return
+from spi_qup_pm_resume_runtime() in the error handling case.
+
+Fixes: dae1a7700b34 (“spi: qup: Handle clocks in pm_runtime suspend and resume”)
+Signed-off-by: Xu Qiang
+Link: https://lore.kernel.org/r/20220825065324.68446-2-xuqiang36@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-qup.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/spi/spi-qup.c b/drivers/spi/spi-qup.c
+index 431cb184595f..bfca5f38d7b7 100644
+--- a/drivers/spi/spi-qup.c
++++ b/drivers/spi/spi-qup.c
+@@ -956,8 +956,10 @@ static int spi_qup_pm_resume_runtime(struct device *device)
+ return ret;
+
+ ret = clk_prepare_enable(controller->cclk);
+- if (ret)
++ if (ret) {
++ clk_disable_unprepare(controller->iclk);
+ return ret;
++ }
+
+ /* Disable clocks auto gaiting */
+ config = readl_relaxed(controller->base + QUP_CONFIG);
+--
+2.35.1
+
diff --git a/queue-4.9/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch b/queue-4.9/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch
new file mode 100644
index 00000000000..01337e2f1f0
--- /dev/null
+++ b/queue-4.9/tcp-annotate-data-race-around-tcp_md5sig_pool_popula.patch
@@ -0,0 +1,72 @@
+From ed8faf6787143337628f5f8367a058e2098584d9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 22 Aug 2022 21:15:28 +0000
+Subject: tcp: annotate data-race around tcp_md5sig_pool_populated
+
+From: Eric Dumazet
+
+[ Upstream commit aacd467c0a576e5e44d2de4205855dc0fe43f6fb ]
+
+tcp_md5sig_pool_populated can be read while another thread
+changes its value.
+
+The race has no consequence because allocations
+are protected with tcp_md5sig_mutex.
+
+This patch adds READ_ONCE() and WRITE_ONCE() to document
+the race and silence KCSAN.
+
+Reported-by: Abhishek Shah
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/ipv4/tcp.c | 14 ++++++++++----
+ 1 file changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
+index 7a75eb177878..4252aa0b5143 100644
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -3131,12 +3131,16 @@ static void __tcp_alloc_md5sig_pool(void)
+ * to memory. See smp_rmb() in tcp_get_md5sig_pool()
+ */
+ smp_wmb();
+- tcp_md5sig_pool_populated = true;
++ /* Paired with READ_ONCE() from tcp_alloc_md5sig_pool()
++ * and tcp_get_md5sig_pool().
++ */
++ WRITE_ONCE(tcp_md5sig_pool_populated, true);
+ }
+
+ bool tcp_alloc_md5sig_pool(void)
+ {
+- if (unlikely(!tcp_md5sig_pool_populated)) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (unlikely(!READ_ONCE(tcp_md5sig_pool_populated))) {
+ mutex_lock(&tcp_md5sig_mutex);
+
+ if (!tcp_md5sig_pool_populated)
+@@ -3144,7 +3148,8 @@ bool tcp_alloc_md5sig_pool(void)
+
+ mutex_unlock(&tcp_md5sig_mutex);
+ }
+- return tcp_md5sig_pool_populated;
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ return READ_ONCE(tcp_md5sig_pool_populated);
+ }
+ EXPORT_SYMBOL(tcp_alloc_md5sig_pool);
+
+@@ -3160,7 +3165,8 @@ struct tcp_md5sig_pool *tcp_get_md5sig_pool(void)
+ {
+ local_bh_disable();
+
+- if (tcp_md5sig_pool_populated) {
++ /* Paired with WRITE_ONCE() from __tcp_alloc_md5sig_pool() */
++ if (READ_ONCE(tcp_md5sig_pool_populated)) {
+ /* coupled with smp_wmb() in __tcp_alloc_md5sig_pool() */
+ smp_rmb();
+ return this_cpu_ptr(&tcp_md5sig_pool);
+--
+2.35.1
+
diff --git a/queue-4.9/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch b/queue-4.9/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch
new file mode 100644
index 00000000000..8f873b2f165
--- /dev/null
+++ b/queue-4.9/tcp-fix-tcp_cwnd_validate-to-not-forget-is_cwnd_limi.patch
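Review bot: The re-check inside the mutex in tcp_alloc_md5sig_pool(), `if (!tcp_md5sig_pool_populated)`, stays a plain read with no comment, while every other access in this patch gets READ_ONCE()/WRITE_ONCE() and a pairing note. The commit message says allocations are protected by tcp_md5sig_mutex, so the plain read is presumably deliberate, but a reader (or a later KCSAN report) cannot tell that from the code. I would add `/* plain read is fine here: the only writer runs under tcp_md5sig_mutex */` above that line. The call that follows the re-check sits between the hunks, so this should be confirmed against the full function.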
@@ -0,0 +1,150 @@ +From d274c814adf7a630d29bff4432078a8f4d10e1c9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 28 Sep 2022 16:03:31 -0400 +Subject: tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited + +From: Neal Cardwell + +[ Upstream commit f4ce91ce12a7c6ead19b128ffa8cff6e3ded2a14 ] + +This commit fixes a bug in the tracking of max_packets_out and +is_cwnd_limited. This bug can cause the connection to fail to remember +that is_cwnd_limited is true, causing the connection to fail to grow +cwnd when it should, causing throughput to be lower than it should be. + +The following event sequence is an example that triggers the bug: + + (a) The connection is cwnd_limited, but packets_out is not at its + peak due to TSO deferral deciding not to send another skb yet. + In such cases the connection can advance max_packets_seq and set + tp->is_cwnd_limited to true and max_packets_out to a small + number. + +(b) Then later in the round trip the connection is pacing-limited (not + cwnd-limited), and packets_out is larger. In such cases the + connection would raise max_packets_out to a bigger number but + (unexpectedly) flip tp->is_cwnd_limited from true to false. + +This commit fixes that bug. + +One straightforward fix would be to separately track (a) the next +window after max_packets_out reaches a maximum, and (b) the next +window after tp->is_cwnd_limited is set to true. But this would +require consuming an extra u32 sequence number. + +Instead, to save space we track only the most important +information. Specifically, we track the strongest available signal of +the degree to which the cwnd is fully utilized: + +(1) If the connection is cwnd-limited then we remember that fact for +the current window. + +(2) If the connection not cwnd-limited then we track the maximum +number of outstanding packets in the current window. 
+ +In particular, note that the new logic cannot trigger the buggy +(a)/(b) sequence above because with the new logic a condition where +tp->packets_out > tp->max_packets_out can only trigger an update of +tp->is_cwnd_limited if tp->is_cwnd_limited is false. + +This first showed up in a testing of a BBRv2 dev branch, but this +buggy behavior highlighted a general issue with the +tcp_cwnd_validate() logic that can cause cwnd to fail to increase at +the proper rate for any TCP congestion control, including Reno or +CUBIC. + +Fixes: ca8a22634381 ("tcp: make cwnd-limited checks measurement-based, and gentler") +Signed-off-by: Neal Cardwell +Signed-off-by: Kevin(Yudong) Yang +Signed-off-by: Yuchung Cheng +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/linux/tcp.h | 2 +- + include/net/tcp.h | 5 ++++- + net/ipv4/tcp.c | 2 ++ + net/ipv4/tcp_output.c | 19 ++++++++++++------- + 4 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/include/linux/tcp.h b/include/linux/tcp.h +index 53eb9fecd263..e3e59a0ee16f 100644 +--- a/include/linux/tcp.h ++++ b/include/linux/tcp.h +@@ -249,7 +249,7 @@ struct tcp_sock { + u32 packets_out; /* Packets which are "in flight" */ + u32 retrans_out; /* Retransmitted packets out */ + u32 max_packets_out; /* max packets_out in last window */ +- u32 max_packets_seq; /* right edge of max_packets_out flight */ ++ u32 cwnd_usage_seq; /* right edge of cwnd usage tracking flight */ + + u16 urg_data; /* Saved octet of OOB data and control flags */ + u8 ecn_flags; /* ECN status bits. */ +diff --git a/include/net/tcp.h b/include/net/tcp.h +index 164dc4f04d0f..80ef46dd4930 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -1155,11 +1155,14 @@ static inline bool tcp_is_cwnd_limited(const struct sock *sk) + { + const struct tcp_sock *tp = tcp_sk(sk); + ++ if (tp->is_cwnd_limited) ++ return true; ++ + /* If in slow start, ensure cwnd grows to twice what was ACKed. 
*/ + if (tcp_in_slow_start(tp)) + return tp->snd_cwnd < 2 * tp->max_packets_out; + +- return tp->is_cwnd_limited; ++ return false; + } + + /* Something is really bad, we could not queue an additional packet, +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 6dfb964e1ad8..7a75eb177878 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -2299,6 +2299,8 @@ int tcp_disconnect(struct sock *sk, int flags) + tp->packets_out = 0; + tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + tp->snd_cwnd_cnt = 0; ++ tp->is_cwnd_limited = 0; ++ tp->max_packets_out = 0; + tp->window_clamp = 0; + tp->delivered = 0; + if (icsk->icsk_ca_ops->release) +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 49061c3fc218..1acf67f0d3cf 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1530,15 +1530,20 @@ static void tcp_cwnd_validate(struct sock *sk, bool is_cwnd_limited) + { + struct tcp_sock *tp = tcp_sk(sk); + +- /* Track the maximum number of outstanding packets in each +- * window, and remember whether we were cwnd-limited then. ++ /* Track the strongest available signal of the degree to which the cwnd ++ * is fully utilized. If cwnd-limited then remember that fact for the ++ * current window. If not cwnd-limited then track the maximum number of ++ * outstanding packets in the current window. (If cwnd-limited then we ++ * chose to not update tp->max_packets_out to avoid an extra else ++ * clause with no functional impact.) + */ +- if (!before(tp->snd_una, tp->max_packets_seq) || +- tp->packets_out > tp->max_packets_out || +- is_cwnd_limited) { +- tp->max_packets_out = tp->packets_out; +- tp->max_packets_seq = tp->snd_nxt; ++ if (!before(tp->snd_una, tp->cwnd_usage_seq) || ++ is_cwnd_limited || ++ (!tp->is_cwnd_limited && ++ tp->packets_out > tp->max_packets_out)) { + tp->is_cwnd_limited = is_cwnd_limited; ++ tp->max_packets_out = tp->packets_out; ++ tp->cwnd_usage_seq = tp->snd_nxt; + } + + if (tcp_is_cwnd_limited(sk)) { +-- +2.35.1 + 
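Review bot: The two resets added to tcp_disconnect(), `tp->is_cwnd_limited = 0;` and `tp->max_packets_out = 0;`, carry no comment, and tp->cwnd_usage_seq is not reset next to them. From the new condition in tcp_cwnd_validate() this looks safe: with both fields cleared, the first call with packets_out above zero takes the `!tp->is_cwnd_limited && tp->packets_out > tp->max_packets_out` branch and rewrites cwnd_usage_seq, so a stale sequence value is not consulted for long. That dependency is easy to break in a later change, so I would add `/* cleared so the first tcp_cwnd_validate() restarts cwnd usage tracking */` above the two assignments. tcp_disconnect() continues outside the hunk, so a reset elsewhere cannot be ruled out from here.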
diff --git a/queue-4.9/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch b/queue-4.9/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch
new file mode 100644
index 00000000000..06d3217382d
--- /dev/null
+++ b/queue-4.9/thermal-intel_powerclamp-use-get_cpu-instead-of-smp_.patch
@@ -0,0 +1,61 @@
+From 72a06021338344e3ae2753aadc145d7917321834 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 20 Sep 2022 04:06:57 -0700
+Subject: thermal: intel_powerclamp: Use get_cpu() instead of
+ smp_processor_id() to avoid crash
+
+From: Srinivas Pandruvada
+
+[ Upstream commit 68b99e94a4a2db6ba9b31fe0485e057b9354a640 ]
+
+When CPU 0 is offline and intel_powerclamp is used to inject
+idle, it generates kernel BUG:
+
+BUG: using smp_processor_id() in preemptible [00000000] code: bash/15687
+caller is debug_smp_processor_id+0x17/0x20
+CPU: 4 PID: 15687 Comm: bash Not tainted 5.19.0-rc7+ #57
+Call Trace:
+
+dump_stack_lvl+0x49/0x63
+dump_stack+0x10/0x16
+check_preemption_disabled+0xdd/0xe0
+debug_smp_processor_id+0x17/0x20
+powerclamp_set_cur_state+0x7f/0xf9 [intel_powerclamp]
+...
+...
+
+Here CPU 0 is the control CPU by default and changed to the current CPU,
+if CPU 0 offlined. This check has to be performed under cpus_read_lock(),
+hence the above warning.
+
+Use get_cpu() instead of smp_processor_id() to avoid this BUG.
+
+Suggested-by: Chen Yu
+Signed-off-by: Srinivas Pandruvada
+[ rjw: Subject edits ]
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/thermal/intel_powerclamp.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/thermal/intel_powerclamp.c b/drivers/thermal/intel_powerclamp.c
+index afada655f861..492bb3ec6546 100644
+--- a/drivers/thermal/intel_powerclamp.c
++++ b/drivers/thermal/intel_powerclamp.c
+@@ -519,8 +519,10 @@ static int start_power_clamp(void)
+
+ /* prefer BSP */
+ control_cpu = 0;
+- if (!cpu_online(control_cpu))
+- control_cpu = smp_processor_id();
++ if (!cpu_online(control_cpu)) {
++ control_cpu = get_cpu();
++ put_cpu();
++ }
+
+ clamping = true;
+ schedule_delayed_work(&poll_pkg_cstate_work, 0);
+--
+2.35.1
+
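Review bot: In start_power_clamp(), `control_cpu = get_cpu(); put_cpu();` re-enables preemption on the very next statement, so the id stored in control_cpu is only a snapshot: the task may migrate, and nothing in the lines shown keeps that CPU online afterwards. The commit message says the check has to run under cpus_read_lock(), yet no hotplug lock is taken in the hunk; whether a caller holds one cannot be told from here because the function starts and ends outside it. If a snapshot is all that is intended, say so next to the code, for example `/* any online CPU will do; the id may be stale once put_cpu() returns */`, so the pairing is not mistaken for pinning.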
diff --git a/queue-4.9/tty-xilinx_uartps-fix-the-ignore_status.patch b/queue-4.9/tty-xilinx_uartps-fix-the-ignore_status.patch
new file mode 100644
index 00000000000..ea381c3d054
--- /dev/null
+++ b/queue-4.9/tty-xilinx_uartps-fix-the-ignore_status.patch
@@ -0,0 +1,37 @@
+From 5c25ff372f06d14db5d3956bbc8b99e0703bf59a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 29 Jul 2022 17:17:45 +0530
+Subject: tty: xilinx_uartps: Fix the ignore_status
+
+From: Shubhrajyoti Datta
+
+[ Upstream commit b8a6c3b3d4654fba19881cc77da61eac29f57cae ]
+
+Currently the ignore_status is not considered in the isr.
+Add a check to add the ignore_status.
+
+Fixes: 61ec9016988f ("tty/serial: add support for Xilinx PS UART")
+Signed-off-by: Shubhrajyoti Datta
+Link: https://lore.kernel.org/r/20220729114748.18332-5-shubhrajyoti.datta@xilinx.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/xilinx_uartps.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/xilinx_uartps.c b/drivers/tty/serial/xilinx_uartps.c
+index b92700fdfd51..4fb040569194 100644
+--- a/drivers/tty/serial/xilinx_uartps.c
++++ b/drivers/tty/serial/xilinx_uartps.c
+@@ -363,6 +363,8 @@ static irqreturn_t cdns_uart_isr(int irq, void *dev_id)
+ isrstatus &= ~CDNS_UART_IXR_TXEMPTY;
+ }
+
++ isrstatus &= port->read_status_mask;
++ isrstatus &= ~port->ignore_status_mask;
+ /*
+ * Skip RX processing if RX is disabled as RXEMPTY will never be set
+ * as read bytes will not be removed from the FIFO.
+--
+2.35.1
+
diff --git a/queue-4.9/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch b/queue-4.9/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch
new file mode 100644
index 00000000000..62d49932bbd
--- /dev/null
+++ b/queue-4.9/usb-host-xhci-fix-potential-memory-leak-in-xhci_allo.patch
@@ -0,0 +1,56 @@
+From fc622bddae4d8362a5e408588e8387a72686a681 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 21 Sep 2022 15:34:45 +0300
+Subject: usb: host: xhci: Fix potential memory leak in
+ xhci_alloc_stream_info()
+
+From: Jianglei Nie
+
+[ Upstream commit 7e271f42a5cc3768cd2622b929ba66859ae21f97 ]
+
+xhci_alloc_stream_info() allocates stream context array for stream_info
+->stream_ctx_array with xhci_alloc_stream_ctx(). When some error occurs,
+stream_info->stream_ctx_array is not released, which will lead to a
+memory leak.
+
+We can fix it by releasing the stream_info->stream_ctx_array with
+xhci_free_stream_ctx() on the error path to avoid the potential memory
+leak.
+
+Signed-off-by: Jianglei Nie
+Signed-off-by: Mathias Nyman
+Link: https://lore.kernel.org/r/20220921123450.671459-2-mathias.nyman@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/xhci-mem.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c
+index 9b30936904da..0850d587683a 100644
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -703,7 +703,7 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ num_stream_ctxs, &stream_info->ctx_array_dma,
+ mem_flags);
+ if (!stream_info->stream_ctx_array)
+- goto cleanup_ctx;
++ goto cleanup_ring_array;
+ memset(stream_info->stream_ctx_array, 0,
+ sizeof(struct xhci_stream_ctx)*num_stream_ctxs);
+
+@@ -764,6 +764,11 @@ struct xhci_stream_info *xhci_alloc_stream_info(struct xhci_hcd *xhci,
+ }
+ xhci_free_command(xhci, stream_info->free_streams_command);
+ cleanup_ctx:
++ xhci_free_stream_ctx(xhci,
++ stream_info->num_stream_ctxs,
++ stream_info->stream_ctx_array,
++ stream_info->ctx_array_dma);
++cleanup_ring_array:
+ kfree(stream_info->stream_rings);
+ cleanup_info:
+ kfree(stream_info);
+--
+2.35.1
+
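Review bot: The new `cleanup_ctx:` path frees with `stream_info->num_stream_ctxs`, while the allocation in the first inner hunk is sized by the local `num_stream_ctxs`. The assignment of the struct field is not visible in either hunk, so if it does not happen before the first `goto cleanup_ctx`, xhci_free_stream_ctx() would be handed a count different from the one used to allocate. Passing the local keeps the pair symmetric and removes the question: `xhci_free_stream_ctx(xhci, num_stream_ctxs, stream_info->stream_ctx_array, stream_info->ctx_array_dma);`. The function body extends beyond both hunks, so the ordering should be confirmed against the full source.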
diff --git a/queue-4.9/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch b/queue-4.9/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
new file mode 100644
index 00000000000..4d56c579a5a
--- /dev/null
+++ b/queue-4.9/usb-idmouse-fix-an-uninit-value-in-idmouse_open.patch
@@ -0,0 +1,59 @@
+From 03d3f1dfb5e8e7b829b6fe7d9aa1b2b06dbe7a33 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 22 Sep 2022 21:48:44 +0800
+Subject: usb: idmouse: fix an uninit-value in idmouse_open
+
+From: Dongliang Mu
+
+[ Upstream commit bce2b0539933e485d22d6f6f076c0fcd6f185c4c ]
+
+In idmouse_create_image, if any ftip_command fails, it will
+go to the reset label. However, this leads to the data in
+bulk_in_buffer[HEADER..IMGSIZE] uninitialized. And the check
+for valid image incurs an uninitialized dereference.
+
+Fix this by moving the check before reset label since this
+check only be valid if the data after bulk_in_buffer[HEADER]
+has concrete data.
+
+Note that this is found by KMSAN, so only kernel compilation
+is tested.
+
+Reported-by: syzbot+79832d33eb89fb3cd092@syzkaller.appspotmail.com
+Signed-off-by: Dongliang Mu
+Link: https://lore.kernel.org/r/20220922134847.1101921-1-dzm91@hust.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/misc/idmouse.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/usb/misc/idmouse.c b/drivers/usb/misc/idmouse.c
+index 9cf8a9b16336..51f5cee880b2 100644
+--- a/drivers/usb/misc/idmouse.c
++++ b/drivers/usb/misc/idmouse.c
+@@ -183,10 +183,6 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ bytes_read += bulk_read;
+ }
+
+- /* reset the device */
+-reset:
+- ftip_command(dev, FTIP_RELEASE, 0, 0);
+-
+ /* check for valid image */
+ /* right border should be black (0x00) */
+ for (bytes_read = sizeof(HEADER)-1 + WIDTH-1; bytes_read < IMGSIZE; bytes_read += WIDTH)
+@@ -198,6 +194,10 @@ static int idmouse_create_image(struct usb_idmouse *dev)
+ if (dev->bulk_in_buffer[bytes_read] != 0xFF)
+ return -EAGAIN;
+
++ /* reset the device */
++reset:
++ ftip_command(dev, FTIP_RELEASE, 0, 0);
++
+ /* should be IMGSIZE == 65040 */
+ dev_dbg(&dev->interface->dev, "read %d bytes fingerprint data\n",
+ bytes_read);
+--
+2.35.1
+
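Review bot: With `reset:` moved below the image check, the `return -EAGAIN;` at the top of the second inner hunk now leaves idmouse_create_image() without sending `ftip_command(dev, FTIP_RELEASE, 0, 0)`; before the move the release ran ahead of the check, so a rejected image still reset the device. The right-border loop presumably has a matching early return in the unchanged lines between the hunks. I would route those exits through the label instead, recording -EAGAIN in the function's status variable (declared outside the hunk) and using `goto reset;`, assuming the tail of the function returns that status. The return value of the release command is also ignored at the label.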
diff --git a/queue-4.9/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch b/queue-4.9/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch
new file mode 100644
index 00000000000..650df103e1c
--- /dev/null
+++ b/queue-4.9/usb-musb-fix-musb_gadget.c-rxstate-overflow-bug.patch
@@ -0,0 +1,42 @@
+From 89ce6f83350f1e25e68e44734ffeacd6056a38ab Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 6 Sep 2022 10:21:19 +0800
+Subject: usb: musb: Fix musb_gadget.c rxstate overflow bug
+
+From: Robin Guo
+
+[ Upstream commit eea4c860c3b366369eff0489d94ee4f0571d467d ]
+
+The usb function device call musb_gadget_queue() adds the passed
+request to musb_ep::req_list,If the (request->length > musb_ep->packet_sz)
+and (is_buffer_mapped(req) return false),the rxstate() will copy all data
+in fifo to request->buf which may cause request->buf out of bounds.
+
+Fix it by add the length check :
+fifocnt = min_t(unsigned, request->length - request->actual, fifocnt);
+
+Signed-off-by: Robin Guo
+Link: https://lore.kernel.org/r/20220906102119.1b071d07a8391ff115e6d1ef@inspur.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/musb/musb_gadget.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/usb/musb/musb_gadget.c b/drivers/usb/musb/musb_gadget.c
+index 8eb3a291ca9d..02ec84ce5ab9 100644
+--- a/drivers/usb/musb/musb_gadget.c
++++ b/drivers/usb/musb/musb_gadget.c
+@@ -785,6 +785,9 @@ static void rxstate(struct musb *musb, struct musb_request *req)
+ musb_writew(epio, MUSB_RXCSR, csr);
+
+ buffer_aint_mapped:
++ fifo_count = min_t(unsigned int,
++ request->length - request->actual,
++ (unsigned int)fifo_count);
+ musb_read_fifo(musb_ep->hw_ep, fifo_count, (u8 *)
+ (request->buf + request->actual));
+ request->actual += fifo_count;
+--
+2.35.1
+
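Review bot: At `buffer_aint_mapped:` the clamp subtracts `request->length - request->actual` without first checking that actual does not exceed length; if both fields are unsigned, as the `min_t(unsigned int, ...)` suggests, a larger actual wraps to a huge value and min_t() leaves fifo_count untouched, which is the out-of-bounds copy this patch is meant to stop. Nothing in the hunk shows an earlier check in rxstate() that rules this out, and the function starts and ends outside it. Guarding the subtraction closes the gap, e.g. `unsigned int room = request->actual < request->length ? request->length - request->actual : 0;` and clamping fifo_count against `room`. When the clamp does shorten the read, the hunk also does not show what happens to the bytes left in the FIFO, which deserves a comment.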
diff --git a/queue-4.9/usb-serial-console-move-mutex_unlock-before-usb_seri.patch b/queue-4.9/usb-serial-console-move-mutex_unlock-before-usb_seri.patch
new file mode 100644
index 00000000000..4f2ea413a3b
--- /dev/null
+++ b/queue-4.9/usb-serial-console-move-mutex_unlock-before-usb_seri.patch
@@ -0,0 +1,39 @@
+From 3dd36f21191220cf593913bc40e64d94cac6f87f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 19 Sep 2022 18:48:24 +0800
+Subject: USB: serial: console: move mutex_unlock() before usb_serial_put()
+
+From: Liang He
+
+[ Upstream commit 61dfa797c731754642d1ac500a6ac42f9b47f920 ]
+
+While in current version there is no use-after-free as USB serial
+core holds another reference when the console is registered, we
+should better unlock before dropping the reference in
+usb_console_setup().
+
+Fixes: 7bd032dc2793 ("USB serial: update the console driver")
+Signed-off-by: Liang He
+Signed-off-by: Johan Hovold
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/serial/console.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/serial/console.c b/drivers/usb/serial/console.c
+index 76062ce2d459..8b2ce8a9d97a 100644
+--- a/drivers/usb/serial/console.c
++++ b/drivers/usb/serial/console.c
+@@ -189,8 +189,8 @@ static int usb_console_setup(struct console *co, char *options)
+ info->port = NULL;
+ usb_autopm_put_interface(serial->interface);
+ error_get_interface:
+- usb_serial_put(serial);
+ mutex_unlock(&serial->disc_mutex);
++ usb_serial_put(serial);
+ return retval;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.9/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch b/queue-4.9/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
new file mode 100644
index 00000000000..55453738500
--- /dev/null
+++ b/queue-4.9/wifi-ath10k-add-peer-map-clean-up-for-peer-delete-in.patch
@@ -0,0 +1,206 @@ +From 4757690a4e2e5f86ec2ccfe0b06d6f46065f35ce Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Aug 2022 10:19:30 -0400 +Subject: wifi: ath10k: add peer map clean up for peer delete in + ath10k_sta_state() + +From: Wen Gong + +[ Upstream commit f020d9570a04df0762a2ac5c50cf1d8c511c9164 ] + +When peer delete failed in a disconnect operation, use-after-free +detected by KFENCE in below log. It is because for each vdev_id and +address, it has only one struct ath10k_peer, it is allocated in +ath10k_peer_map_event(). When connected to an AP, it has more than +one HTT_T2H_MSG_TYPE_PEER_MAP reported from firmware, then the +array peer_map of struct ath10k will be set muti-elements to the +same ath10k_peer in ath10k_peer_map_event(). When peer delete failed +in ath10k_sta_state(), the ath10k_peer will be free for the 1st peer +id in array peer_map of struct ath10k, and then use-after-free happened +for the 2nd peer id because they map to the same ath10k_peer. + +And clean up all peers in array peer_map for the ath10k_peer, then +user-after-free disappeared + +peer map event log: +[ 306.911021] wlan0: authenticate with b0:2a:43:e6:75:0e +[ 306.957187] ath10k_pci 0000:01:00.0: mac vdev 0 peer create b0:2a:43:e6:75:0e (new sta) sta 1 / 32 peer 1 / 33 +[ 306.957395] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 306.957404] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 306.986924] ath10k_pci 0000:01:00.0: htt peer map vdev 0 peer b0:2a:43:e6:75:0e id 166 + +peer unmap event log: +[ 435.715691] wlan0: deauthenticating from b0:2a:43:e6:75:0e by local choice (Reason: 3=DEAUTH_LEAVING) +[ 435.716802] ath10k_pci 0000:01:00.0: mac vdev 0 peer delete b0:2a:43:e6:75:0e sta ffff990e0e9c2b50 (sta gone) +[ 435.717177] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 246 +[ 435.717186] ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 198 +[ 435.717193] 
ath10k_pci 0000:01:00.0: htt peer unmap vdev 0 peer b0:2a:43:e6:75:0e id 166 + +use-after-free log: +[21705.888627] wlan0: deauthenticating from d0:76:8f:82:be:75 by local choice (Reason: 3=DEAUTH_LEAVING) +[21713.799910] ath10k_pci 0000:01:00.0: failed to delete peer d0:76:8f:82:be:75 for vdev 0: -110 +[21713.799925] ath10k_pci 0000:01:00.0: found sta peer d0:76:8f:82:be:75 (ptr 0000000000000000 id 102) entry on vdev 0 after it was supposedly removed +[21713.799968] ================================================================== +[21713.799991] BUG: KFENCE: use-after-free read in ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.799991] +[21713.799997] Use-after-free read at 0x00000000abe1c75e (in kfence-#69): +[21713.800010] ath10k_sta_state+0x265/0xb8a [ath10k_core] +[21713.800041] drv_sta_state+0x115/0x677 [mac80211] +[21713.800059] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800076] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800093] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800110] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800137] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800153] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800161] genl_rcv_msg+0x38e/0x3be +[21713.800166] netlink_rcv_skb+0x89/0xf7 +[21713.800171] genl_rcv+0x28/0x36 +[21713.800176] netlink_unicast+0x179/0x24b +[21713.800181] netlink_sendmsg+0x3a0/0x40e +[21713.800187] sock_sendmsg+0x72/0x76 +[21713.800192] ____sys_sendmsg+0x16d/0x1e3 +[21713.800196] ___sys_sendmsg+0x95/0xd1 +[21713.800200] __sys_sendmsg+0x85/0xbf +[21713.800205] do_syscall_64+0x43/0x55 +[21713.800210] entry_SYSCALL_64_after_hwframe+0x44/0xa9 +[21713.800213] +[21713.800219] kfence-#69: 0x000000009149b0d5-0x000000004c0697fb, size=1064, cache=kmalloc-2k +[21713.800219] +[21713.800224] allocated by task 13 on cpu 0 at 21705.501373s: +[21713.800241] ath10k_peer_map_event+0x7e/0x154 [ath10k_core] +[21713.800254] ath10k_htt_t2h_msg_handler+0x586/0x1039 [ath10k_core] 
+[21713.800265] ath10k_htt_htc_t2h_msg_handler+0x12/0x28 [ath10k_core] +[21713.800277] ath10k_htc_rx_completion_handler+0x14c/0x1b5 [ath10k_core] +[21713.800283] ath10k_pci_process_rx_cb+0x195/0x1df [ath10k_pci] +[21713.800294] ath10k_ce_per_engine_service+0x55/0x74 [ath10k_core] +[21713.800305] ath10k_ce_per_engine_service_any+0x76/0x84 [ath10k_core] +[21713.800310] ath10k_pci_napi_poll+0x49/0x144 [ath10k_pci] +[21713.800316] net_rx_action+0xdc/0x361 +[21713.800320] __do_softirq+0x163/0x29a +[21713.800325] asm_call_irq_on_stack+0x12/0x20 +[21713.800331] do_softirq_own_stack+0x3c/0x48 +[21713.800337] __irq_exit_rcu+0x9b/0x9d +[21713.800342] common_interrupt+0xc9/0x14d +[21713.800346] asm_common_interrupt+0x1e/0x40 +[21713.800351] ksoftirqd_should_run+0x5/0x16 +[21713.800357] smpboot_thread_fn+0x148/0x211 +[21713.800362] kthread+0x150/0x15f +[21713.800367] ret_from_fork+0x22/0x30 +[21713.800370] +[21713.800374] freed by task 708 on cpu 1 at 21713.799953s: +[21713.800498] ath10k_sta_state+0x2c6/0xb8a [ath10k_core] +[21713.800515] drv_sta_state+0x115/0x677 [mac80211] +[21713.800532] __sta_info_destroy_part2+0xb1/0x133 [mac80211] +[21713.800548] __sta_info_flush+0x11d/0x162 [mac80211] +[21713.800565] ieee80211_set_disassoc+0x12d/0x2f4 [mac80211] +[21713.800581] ieee80211_mgd_deauth+0x26c/0x29b [mac80211] +[21713.800598] cfg80211_mlme_deauth+0x13f/0x1bb [cfg80211] +[21713.800614] nl80211_deauthenticate+0xf8/0x121 [cfg80211] +[21713.800619] genl_rcv_msg+0x38e/0x3be +[21713.800623] netlink_rcv_skb+0x89/0xf7 +[21713.800628] genl_rcv+0x28/0x36 +[21713.800632] netlink_unicast+0x179/0x24b +[21713.800637] netlink_sendmsg+0x3a0/0x40e +[21713.800642] sock_sendmsg+0x72/0x76 +[21713.800646] ____sys_sendmsg+0x16d/0x1e3 +[21713.800651] ___sys_sendmsg+0x95/0xd1 +[21713.800655] __sys_sendmsg+0x85/0xbf +[21713.800659] do_syscall_64+0x43/0x55 +[21713.800663] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +Tested-on: QCA6174 hw3.2 PCI WLAN.RM.4.4.1-00288-QCARMSWPZ-1 + +Fixes: d0eeafad1189 
("ath10k: Clean up peer when sta goes away.") +Signed-off-by: Wen Gong +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220801141930.16794-1-quic_wgong@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 54 ++++++++++++++------------- + 1 file changed, 29 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 41fb17cece62..1ac24507b4e5 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -798,11 +798,36 @@ static int ath10k_peer_delete(struct ath10k *ar, u32 vdev_id, const u8 *addr) + return 0; + } + ++static void ath10k_peer_map_cleanup(struct ath10k *ar, struct ath10k_peer *peer) ++{ ++ int peer_id, i; ++ ++ lockdep_assert_held(&ar->conf_mutex); ++ ++ for_each_set_bit(peer_id, peer->peer_ids, ++ ATH10K_MAX_NUM_PEER_IDS) { ++ ar->peer_map[peer_id] = NULL; ++ } ++ ++ /* Double check that peer is properly un-referenced from ++ * the peer_map ++ */ ++ for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { ++ if (ar->peer_map[i] == peer) { ++ ath10k_warn(ar, "removing stale peer_map entry for %pM (ptr %pK idx %d)\n", ++ peer->addr, peer, i); ++ ar->peer_map[i] = NULL; ++ } ++ } ++ ++ list_del(&peer->list); ++ kfree(peer); ++ ar->num_peers--; ++} ++ + static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + { + struct ath10k_peer *peer, *tmp; +- int peer_id; +- int i; + + lockdep_assert_held(&ar->conf_mutex); + +@@ -814,25 +839,7 @@ static void ath10k_peer_cleanup(struct ath10k *ar, u32 vdev_id) + ath10k_warn(ar, "removing stale peer %pM from vdev_id %d\n", + peer->addr, vdev_id); + +- for_each_set_bit(peer_id, peer->peer_ids, +- ATH10K_MAX_NUM_PEER_IDS) { +- ar->peer_map[peer_id] = NULL; +- } +- +- /* Double check that peer is properly un-referenced from +- * the peer_map +- */ +- for (i = 0; i < ARRAY_SIZE(ar->peer_map); i++) { +- if (ar->peer_map[i] == peer) { +- ath10k_warn(ar, "removing 
stale peer_map entry for %pM (ptr %pK idx %d)\n", +- peer->addr, peer, i); +- ar->peer_map[i] = NULL; +- } +- } +- +- list_del(&peer->list); +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + spin_unlock_bh(&ar->data_lock); + } +@@ -6095,10 +6102,7 @@ static int ath10k_sta_state(struct ieee80211_hw *hw, + /* Clean up the peer object as well since we + * must have failed to do this above. + */ +- list_del(&peer->list); +- ar->peer_map[i] = NULL; +- kfree(peer); +- ar->num_peers--; ++ ath10k_peer_map_cleanup(ar, peer); + } + } + spin_unlock_bh(&ar->data_lock); +-- +2.35.1 + diff --git a/queue-4.9/wifi-mac80211-allow-bw-change-during-channel-switch-.patch b/queue-4.9/wifi-mac80211-allow-bw-change-during-channel-switch-.patch new file mode 100644 index 00000000000..2c4f33b048c --- /dev/null +++ b/queue-4.9/wifi-mac80211-allow-bw-change-during-channel-switch-.patch 
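Review bot: ath10k_peer_map_cleanup() asserts only `ar->conf_mutex`, yet it rewrites `ar->peer_map`, unlinks the peer from its list and frees it, and both call sites shown (ath10k_peer_cleanup() and ath10k_sta_state()) appear to reach it with `ar->data_lock` held, judging by the `spin_unlock_bh(&ar->data_lock)` that follows each call. Adding `lockdep_assert_held(&ar->data_lock);` next to the existing assertion would make that requirement checkable, so a later caller cannot free a peer that another context can still reach through peer_map. In ath10k_sta_state() the call sits inside a loop that starts outside the hunk; since the helper now clears every slot for the peer and frees it, confirm that the remaining iterations do not touch the freed `peer` pointer.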
@@ -0,0 +1,47 @@
+From de527e3ef640cc9cc38631e47d4775ef93963604 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Jul 2022 12:02:29 +0530
+Subject: wifi: mac80211: allow bw change during channel switch in mesh
+
+From: Hari Chandrakanthan
+
+[ Upstream commit 6b75f133fe05c36c52d691ff21545d5757fff721 ]
+
+From 'IEEE Std 802.11-2020 section 11.8.8.4.1':
+ The mesh channel switch may be triggered by the need to avoid
+ interference to a detected radar signal, or to reassign mesh STA
+ channels to ensure the MBSS connectivity.
+
+ A 20/40 MHz MBSS may be changed to a 20 MHz MBSS and a 20 MHz
+ MBSS may be changed to a 20/40 MHz MBSS.
+
+Since the standard allows the change of bandwidth during
+the channel switch in mesh, remove the bandwidth check present in
+ieee80211_set_csa_beacon.
+
+Fixes: c6da674aff94 ("{nl,cfg,mac}80211: enable the triggering of CSA frame in mesh")
+Signed-off-by: Hari Chandrakanthan
+Link: https://lore.kernel.org/r/1658903549-21218-1-git-send-email-quic_haric@quicinc.com
+Signed-off-by: Johannes Berg
+Signed-off-by: Sasha Levin
+---
+ net/mac80211/cfg.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
+index 091ac3a7b186..85beeb32f59f 100644
+--- a/net/mac80211/cfg.c
++++ b/net/mac80211/cfg.c
+@@ -3016,9 +3016,6 @@ static int ieee80211_set_csa_beacon(struct ieee80211_sub_if_data *sdata,
+ case NL80211_IFTYPE_MESH_POINT: {
+ struct ieee80211_if_mesh *ifmsh = &sdata->u.mesh;
+
+- if (params->chandef.width != sdata->vif.bss_conf.chandef.width)
+- return -EINVAL;
+-
+ /* changes into another band are not supported */
+ if (sdata->vif.bss_conf.chandef.chan->band !=
+ params->chandef.chan->band)
+--
+2.35.1
+
diff --git a/queue-4.9/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch b/queue-4.9/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch
new file mode 100644
index 00000000000..ad723175990
--- /dev/null
+++ b/queue-4.9/wifi-rt2x00-don-t-run-rt5592-iq-calibration-on-mt762.patch
@@ -0,0 +1,38 @@
+From 90d4245372a356d6417c0022f2dcf46338017a54 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 17 Sep 2022 21:28:29 +0100
+Subject: wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
+
+From: Daniel Golle
+
+[ Upstream commit d3aad83d05aec0cfd7670cf0028f2ad4b81de92e ]
+
+The function rt2800_iq_calibrate is intended for Rt5592 only.
+Don't call it for MT7620 which has it's own calibration functions.
+
+Reported-by: Serge Vasilugin
+Signed-off-by: Daniel Golle
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/31a1c34ddbd296b82f38c18c9ae7339059215fdc.1663445157.git.daniel@makrotopia.org
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+index 9fc6f1615343..079611ff8def 100644
+--- a/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/ralink/rt2x00/rt2800lib.c
+@@ -3386,7 +3386,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev,
+ reg = (rf->channel <= 14 ? 0x1c : 0x24) + 2 * rt2x00dev->lna_gain;
+ rt2800_bbp_write_with_rx_chain(rt2x00dev, 66, reg);
+
+- rt2800_iq_calibrate(rt2x00dev, rf->channel);
++ if (rt2x00_rt(rt2x00dev, RT5592))
++ rt2800_iq_calibrate(rt2x00dev, rf->channel);
+ }
+
+ rt2800_bbp_read(rt2x00dev, 4, &bbp);
+--
+2.35.1
+
diff --git a/queue-4.9/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch b/queue-4.9/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch
new file mode 100644
index 00000000000..d94e7d42f7b
--- /dev/null
+++ b/queue-4.9/wifi-rtl8xxxu-gen2-fix-mistake-in-path-b-iq-calibrat.patch
@@ -0,0 +1,46 @@
+From 2f4762a2f8bee2b78a063dface9ecec0b7605993 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 2 Sep 2022 14:48:32 +0300
+Subject: wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
+
+From: Bitterblue Smith
+
+[ Upstream commit e963a19c64ac0d2f8785d36a27391abd91ac77aa ]
+
+Found by comparing with the vendor driver. Currently this affects
+only the RTL8192EU, which is the only gen2 chip with 2 TX paths
+supported by this driver. It's unclear what kind of effect the
+mistake had in practice, since I don't have any RTL8192EU devices
+to test it.
+
+Fixes: e1547c535ede ("rtl8xxxu: First stab at adding IQK calibration for 8723bu parts")
+Signed-off-by: Bitterblue Smith
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/30a59f3a-cfa9-8379-7af0-78a8f4c77cfd@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index 31e9495bb479..6875ec7290bf 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -2930,12 +2930,12 @@ bool rtl8xxxu_gen2_simularity_compare(struct rtl8xxxu_priv *priv,
+ }
+
+ if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
+- /* path B RX OK */
++ /* path B TX OK */
+ for (i = 4; i < 6; i++)
+ result[3][i] = result[c1][i];
+ }
+
+- if (!(simubitmap & 0x30) && priv->tx_paths > 1) {
++ if (!(simubitmap & 0xc0) && priv->tx_paths > 1) {
+ /* path B RX OK */
+ for (i = 6; i < 8; i++)
+ result[3][i] = result[c1][i];
+--
+2.35.1
+
diff --git a/queue-4.9/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch b/queue-4.9/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch
new file mode 100644
index 00000000000..3c4552b000a
--- /dev/null
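Review bot: The masks `0x30` and `0xc0` in the two path B checks are bare literals that must be kept in step by hand with the loop ranges under them (`i = 4..5` and `i = 6..7`), which is the kind of duplication that let the second check test the wrong bits. Assuming bit i of `simubitmap` marks a mismatch in `result[][i]`, as the pairing of masks and ranges suggests, named constants or a comment such as `/* bits 6-7: path B RX, result indexes 6 and 7 */` beside each mask would make a copy-paste slip visible. The description says the change was not tested on RTL8192EU hardware, so the new mask should be confirmed on a device. The function starts and ends outside the hunk.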
+++ b/queue-4.9/wifi-rtl8xxxu-tighten-bounds-checking-in-rtl8xxxu_re.patch 
@@ -0,0 +1,59 @@
+From 817d23ed939cc907ab072207702d4f926ee9f643 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 19 Aug 2022 08:22:32 +0300
+Subject: wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
+
+From: Dan Carpenter
+
+[ Upstream commit 620d5eaeb9059636864bda83ca1c68c20ede34a5 ]
+
+There some bounds checking to ensure that "map_addr" is not out of
+bounds before the start of the loop. But the checking needs to be
+done as we iterate through the loop because "map_addr" gets larger as
+we iterate.
+
+Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)")
+Signed-off-by: Dan Carpenter
+Acked-by: Jes Sorensen
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/Yv8eGLdBslLAk3Ct@kili
+Signed-off-by: Sasha Levin
+---
+ .../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+index e73613b9f2f5..31e9495bb479 100644
+--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c
+@@ -1879,13 +1879,6 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+
+ /* We have 8 bits to indicate validity */
+ map_addr = offset * 8;
+- if (map_addr >= EFUSE_MAP_LEN) {
+- dev_warn(dev, "%s: Illegal map_addr (%04x), "
+- "efuse corrupt!\n",
+- __func__, map_addr);
+- ret = -EINVAL;
+- goto exit;
+- }
+ for (i = 0; i < EFUSE_MAX_WORD_UNIT; i++) {
+ /* Check word enable condition in the section */
+ if (word_mask & BIT(i)) {
+@@ -1896,6 +1889,13 @@ static int rtl8xxxu_read_efuse(struct rtl8xxxu_priv *priv)
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+ if (ret)
+ goto exit;
++ if (map_addr >= EFUSE_MAP_LEN - 1) {
++ dev_warn(dev, "%s: Illegal map_addr (%04x), "
++ "efuse corrupt!\n",
++ __func__, map_addr);
++ ret = -EINVAL;
++ goto exit;
++ }
+ priv->efuse_wifi.raw[map_addr++] = val8;
+
+ ret = rtl8xxxu_read_efuse8(priv, efuse_addr++, &val8);
+--
+2.35.1
+
diff --git a/queue-4.9/xfrm-update-ipcomp_scratches-with-null-when-freed.patch b/queue-4.9/xfrm-update-ipcomp_scratches-with-null-when-freed.patch
new file mode 100644
index 00000000000..309ee38846c
--- /dev/null
+++ b/queue-4.9/xfrm-update-ipcomp_scratches-with-null-when-freed.patch
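Review bot: The `- 1` in the new `map_addr >= EFUSE_MAP_LEN - 1` check is unexplained; it looks correct only because each enabled word stores two bytes, and the second store is not visible (the inner hunk ends at the second `rtl8xxxu_read_efuse8()` call). A comment above the check would make the bound auditable, for example `/* two bytes are stored per word, so map_addr + 1 must also lie inside raw[] */`. The efuse contents are read from the device, so this bound is what keeps a corrupt map from writing past `priv->efuse_wifi.raw`. The declaration of `map_addr` and the branch taken when `word_mask & BIT(i)` is set are outside the hunk; it should be confirmed there that `map_addr` cannot wrap or go negative between two checks.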
@@ -0,0 +1,72 @@
+From a03ac7fc16d2f17781caa3aad1a95d2834c19711 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Sep 2022 13:12:10 +0600
+Subject: xfrm: Update ipcomp_scratches with NULL when freed
+
+From: Khalid Masum
+
+[ Upstream commit 8a04d2fc700f717104bfb95b0f6694e448a4537f ]
+
+Currently if ipcomp_alloc_scratches() fails to allocate memory
+ipcomp_scratches holds obsolete address. So when we try to free the
+percpu scratches using ipcomp_free_scratches() it tries to vfree non
+existent vm area. Described below:
+
+static void * __percpu *ipcomp_alloc_scratches(void)
+{
+ ...
+ scratches = alloc_percpu(void *);
+ if (!scratches)
+ return NULL;
+ipcomp_scratches does not know about this allocation failure.
+Therefore holding the old obsolete address.
+ ...
+}
+
+So when we free,
+
+static void ipcomp_free_scratches(void)
+{
+ ...
+ scratches = ipcomp_scratches;
+Assigning obsolete address from ipcomp_scratches
+
+ if (!scratches)
+ return;
+
+ for_each_possible_cpu(i)
+ vfree(*per_cpu_ptr(scratches, i));
+Trying to free non existent page, causing warning: trying to vfree
+existent vm area.
+ ...
+}
+
+Fix this breakage by updating ipcomp_scrtches with NULL when scratches
+is freed
+
+Suggested-by: Herbert Xu
+Reported-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Tested-by: syzbot+5ec9bb042ddfe9644773@syzkaller.appspotmail.com
+Signed-off-by: Khalid Masum
+Acked-by: Herbert Xu
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/xfrm/xfrm_ipcomp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/net/xfrm/xfrm_ipcomp.c b/net/xfrm/xfrm_ipcomp.c
+index a00ec715aa46..32aed1d0f6ee 100644
+--- a/net/xfrm/xfrm_ipcomp.c
++++ b/net/xfrm/xfrm_ipcomp.c
+@@ -216,6 +216,7 @@ static void ipcomp_free_scratches(void)
+ vfree(*per_cpu_ptr(scratches, i));
+
+ free_percpu(scratches);
++ ipcomp_scratches = NULL;
+ }
+
+ static void * __percpu *ipcomp_alloc_scratches(void)
+--
+2.35.1
+
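Review bot: The added `ipcomp_scratches = NULL;` at the end of `ipcomp_free_scratches()` has no comment, and without one it reads as a redundant store that a later cleanup could drop. Per the description, it keeps a failed `ipcomp_alloc_scratches()` from leaving the already freed pointer in the global, which the next free would hand to `vfree()` and `free_percpu()` a second time. A comment such as `/* drop the stale pointer so a failed re-allocation cannot lead to a second free */` would record that. Whatever serialises the alloc and free paths is not visible in this hunk, so it should be confirmed in the callers that the global is not read concurrently with this store.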