From: Sasha Levin Date: Thu, 20 Aug 2020 04:04:01 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v4.14.194~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b0676c87f024287d357bf1f904602c82b698edf;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch b/queue-4.4/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch new file mode 100644 index 00000000000..8090f4d5f62 --- /dev/null +++ b/queue-4.4/alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch @@ -0,0 +1,45 @@ +From 8051f90c1debb29feaa41d06efd4ab3dc5447b7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 Aug 2020 15:46:30 +0800 +Subject: ALSA: echoaudio: Fix potential Oops in snd_echo_resume() + +From: Dinghao Liu + +[ Upstream commit 5a25de6df789cc805a9b8ba7ab5deef5067af47e ] + +Freeing chip on error may lead to an Oops at the next time +the system goes to resume. Fix this by removing all +snd_echo_free() calls on error. + +Fixes: 47b5d028fdce8 ("ALSA: Echoaudio - Add suspend support #2") +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20200813074632.17022-1-dinghao.liu@zju.edu.cn +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/echoaudio/echoaudio.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/sound/pci/echoaudio/echoaudio.c b/sound/pci/echoaudio/echoaudio.c +index d73ee11a32bd0..db14ee43e461a 100644 +--- a/sound/pci/echoaudio/echoaudio.c ++++ b/sound/pci/echoaudio/echoaudio.c +@@ -2215,7 +2215,6 @@ static int snd_echo_resume(struct device *dev) + if (err < 0) { + kfree(commpage_bak); + dev_err(dev, "resume init_hw err=%d\n", err); +- snd_echo_free(chip); + return err; + } + +@@ -2242,7 +2241,6 @@ static int snd_echo_resume(struct device *dev) + if (request_irq(pci->irq, snd_echo_interrupt, IRQF_SHARED, + KBUILD_MODNAME, chip)) { + dev_err(chip->card->dev, "cannot grab irq\n"); +- snd_echo_free(chip); + return -EBUSY; + } + chip->irq = pci->irq; +-- +2.25.1 + diff --git a/queue-4.4/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch b/queue-4.4/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch new file mode 100644 index 00000000000..b1fdfa41ed4 --- /dev/null +++ b/queue-4.4/clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch @@ -0,0 +1,39 @@ +From 44b575a38fd5e6cf44f3f0938c8bbfce4003cb34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jul 2020 03:21:43 +0000 +Subject: clk: clk-atlas6: fix return value check in atlas6_clk_init() + +From: Xu Wang + +[ Upstream commit 12b90b40854a8461a02ef19f6f4474cc88d64b66 ] + +In case of error, the function clk_register() returns ERR_PTR() +and never returns NULL. The NULL test in the return value check +should be replaced with IS_ERR(). + +Signed-off-by: Xu Wang +Link: https://lore.kernel.org/r/20200713032143.21362-1-vulab@iscas.ac.cn +Acked-by: Barry Song +Fixes: 7bf21bc81f28 ("clk: sirf: re-arch to make the codes support both prima2 and atlas6") +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/sirf/clk-atlas6.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/clk/sirf/clk-atlas6.c b/drivers/clk/sirf/clk-atlas6.c +index c5eaa9d162476..9af2d0dcd6a0f 100644 +--- a/drivers/clk/sirf/clk-atlas6.c ++++ b/drivers/clk/sirf/clk-atlas6.c +@@ -137,7 +137,7 @@ static void __init atlas6_clk_init(struct device_node *np) + + for (i = pll1; i < maxclk; i++) { + atlas6_clks[i] = clk_register(NULL, atlas6_clk_hw_array[i]); +- BUG_ON(!atlas6_clks[i]); ++ BUG_ON(IS_ERR(atlas6_clks[i])); + } + clk_register_clkdev(atlas6_clks[cpu], NULL, "cpu"); + clk_register_clkdev(atlas6_clks[io], NULL, "io"); +-- +2.25.1 + diff --git a/queue-4.4/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch b/queue-4.4/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch new file mode 100644 index 00000000000..a2dea2c2993 --- /dev/null +++ b/queue-4.4/drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch @@ -0,0 +1,62 @@ +From 6dcde46075c2037ddc0b97ecc162580e29cc430d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 26 Jun 2020 13:39:59 +0300 +Subject: drm/vmwgfx: Fix two list_for_each loop exit tests + +From: Dan Carpenter + +[ Upstream commit 4437c1152ce0e57ab8f401aa696ea6291cc07ab1 ] + +These if statements are supposed to be true if we ended the +list_for_each_entry() loops without hitting a break statement but they +don't work. + +In the first loop, we increment "i" after the "if (i == unit)" condition +so we don't necessarily know that "i" is not equal to unit at the end of +the loop. + +In the second loop we exit when mode is not pointing to a valid +drm_display_mode struct so it doesn't make sense to check "mode->type". + +Fixes: a278724aa23c ("drm/vmwgfx: Implement fbdev on kms v2") +Signed-off-by: Dan Carpenter +Reviewed-by: Roland Scheidegger +Signed-off-by: Roland Scheidegger +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/vmwgfx/vmwgfx_kms.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +index 9b97f70fbb3df..0b7427d474feb 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_kms.c +@@ -2086,7 +2086,7 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, + ++i; + } + +- if (i != unit) { ++ if (&con->head == &dev_priv->dev->mode_config.connector_list) { + DRM_ERROR("Could not find initial display unit.\n"); + return -EINVAL; + } +@@ -2108,13 +2108,13 @@ int vmw_kms_fbdev_init_data(struct vmw_private *dev_priv, + break; + } + +- if (mode->type & DRM_MODE_TYPE_PREFERRED) +- *p_mode = mode; +- else { ++ if (&mode->head == &con->modes) { + WARN_ONCE(true, "Could not find initial preferred mode.\n"); + *p_mode = list_first_entry(&con->modes, + struct drm_display_mode, + head); ++ } else { ++ *p_mode = mode; + } + + return 0; +-- +2.25.1 + diff --git a/queue-4.4/fs-ufs-avoid-potential-u32-multiplication-overflow.patch b/queue-4.4/fs-ufs-avoid-potential-u32-multiplication-overflow.patch new file mode 100644 index 00000000000..566ecae1d3c --- /dev/null +++ b/queue-4.4/fs-ufs-avoid-potential-u32-multiplication-overflow.patch @@ -0,0 +1,44 @@ +From 2663441081806f11595dc7edad06b1ea50885601 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Aug 2020 18:35:53 -0700 +Subject: fs/ufs: avoid potential u32 multiplication overflow + +From: Colin Ian King + +[ Upstream commit 88b2e9b06381551b707d980627ad0591191f7a2d ] + +The 64 bit ino is being compared to the product of two u32 values, +however, the multiplication is being performed using a 32 bit multiply so +there is a potential of an overflow. To be fully safe, cast uspi->s_ncg +to a u64 to ensure a 64 bit multiplication occurs to avoid any chance of +overflow. + +Fixes: f3e2a520f5fb ("ufs: NFS support") +Signed-off-by: Colin Ian King +Signed-off-by: Andrew Morton +Cc: Evgeniy Dushistov +Cc: Alexey Dobriyan +Link: http://lkml.kernel.org/r/20200715170355.1081713-1-colin.king@canonical.com +Addresses-Coverity: ("Unintentional integer overflow") +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/ufs/super.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ufs/super.c b/fs/ufs/super.c +index 10f364490833e..be68b48de1cc6 100644 +--- a/fs/ufs/super.c ++++ b/fs/ufs/super.c +@@ -99,7 +99,7 @@ static struct inode *ufs_nfs_get_inode(struct super_block *sb, u64 ino, u32 gene + struct ufs_sb_private_info *uspi = UFS_SB(sb)->s_uspi; + struct inode *inode; + +- if (ino < UFS_ROOTINO || ino > uspi->s_ncg * uspi->s_ipg) ++ if (ino < UFS_ROOTINO || ino > (u64)uspi->s_ncg * uspi->s_ipg) + return ERR_PTR(-ESTALE); + + inode = ufs_iget(sb, ino); +-- +2.25.1 + diff --git a/queue-4.4/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch b/queue-4.4/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch new file mode 100644 index 00000000000..b3413f25e59 --- /dev/null +++ b/queue-4.4/i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch @@ -0,0 +1,55 @@ +From 4651725af4db3a35bc36d23ff6aa3be61f6a789c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Jun 2020 17:38:07 +0200 +Subject: i2c: rcar: slave: only send STOP event when we have been addressed + +From: Wolfram Sang + +[ Upstream commit 314139f9f0abdba61ed9a8463bbcb0bf900ac5a2 ] + +When the SSR interrupt is activated, it will detect every STOP condition +on the bus, not only the ones after we have been addressed. So, enable +this interrupt only after we have been addressed, and disable it +otherwise. + +Fixes: de20d1857dd6 ("i2c: rcar: add slave support") +Signed-off-by: Wolfram Sang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-rcar.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-rcar.c b/drivers/i2c/busses/i2c-rcar.c +index dfe1a53ce4ad3..ddfb08a3e6c20 100644 +--- a/drivers/i2c/busses/i2c-rcar.c ++++ b/drivers/i2c/busses/i2c-rcar.c +@@ -386,13 +386,14 @@ static bool rcar_i2c_slave_irq(struct rcar_i2c_priv *priv) + rcar_i2c_write(priv, ICSIER, SDR | SSR | SAR); + } + +- rcar_i2c_write(priv, ICSSR, ~SAR & 0xff); ++ /* Clear SSR, too, because of old STOPs to other clients than us */ ++ rcar_i2c_write(priv, ICSSR, ~(SAR | SSR) & 0xff); + } + + /* master sent stop */ + if (ssr_filtered & SSR) { + i2c_slave_event(priv->slave, I2C_SLAVE_STOP, &value); +- rcar_i2c_write(priv, ICSIER, SAR | SSR); ++ rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSSR, ~SSR & 0xff); + } + +@@ -541,7 +542,7 @@ static int rcar_reg_slave(struct i2c_client *slave) + priv->slave = slave; + rcar_i2c_write(priv, ICSAR, slave->addr); + rcar_i2c_write(priv, ICSSR, 0); +- rcar_i2c_write(priv, ICSIER, SAR | SSR); ++ rcar_i2c_write(priv, ICSIER, SAR); + rcar_i2c_write(priv, ICSCR, SIE | SDBS); + + return 0; +-- +2.25.1 + diff --git a/queue-4.4/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch b/queue-4.4/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch new file mode 100644 index 00000000000..b3c2a0d5e05 --- /dev/null +++ b/queue-4.4/input-sentelic-fix-error-return-when-fsp_reg_write-f.patch @@ -0,0 +1,39 @@ +From 39cc399a243c5d3da0b83929630c653f550ba712 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 Aug 2020 15:35:34 -0700 +Subject: Input: sentelic - fix error return when fsp_reg_write fails + +From: Colin Ian King + +[ Upstream commit ea38f06e0291986eb93beb6d61fd413607a30ca4 ] + +Currently when the call to fsp_reg_write fails -EIO is not being returned +because the count is being returned instead of the return value in retval. +Fix this by returning the value in retval instead of count. + +Addresses-Coverity: ("Unused value") +Fixes: fc69f4a6af49 ("Input: add new driver for Sentelic Finger Sensing Pad") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200603141218.131663-1-colin.king@canonical.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/mouse/sentelic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/input/mouse/sentelic.c b/drivers/input/mouse/sentelic.c +index 11c32ac8234b2..779d0b9341c0d 100644 +--- a/drivers/input/mouse/sentelic.c ++++ b/drivers/input/mouse/sentelic.c +@@ -454,7 +454,7 @@ static ssize_t fsp_attr_set_setreg(struct psmouse *psmouse, void *data, + + fsp_reg_write_enable(psmouse, false); + +- return count; ++ return retval; + } + + PSMOUSE_DEFINE_WO_ATTR(setreg, S_IWUSR, NULL, fsp_attr_set_setreg); +-- +2.25.1 + diff --git a/queue-4.4/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch b/queue-4.4/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch new file mode 100644 index 00000000000..759ae93c0b5 --- /dev/null +++ b/queue-4.4/iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch @@ -0,0 +1,43 @@ +From f69fdc720455fed3408c77227d7f156c52ce19d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Jul 2020 20:22:11 +0100 +Subject: iommu/omap: Check for failure of a call to omap_iommu_dump_ctx + +From: Colin Ian King + +[ Upstream commit dee9d154f40c58d02f69acdaa5cfd1eae6ebc28b ] + +It is possible for the call to omap_iommu_dump_ctx to return +a negative error number, so check for the failure and return +the error number rather than pass the negative value to +simple_read_from_buffer. + +Fixes: 14e0e6796a0d ("OMAP: iommu: add initial debugfs support") +Signed-off-by: Colin Ian King +Link: https://lore.kernel.org/r/20200714192211.744776-1-colin.king@canonical.com +Addresses-Coverity: ("Improper use of negative value") +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/omap-iommu-debug.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/iommu/omap-iommu-debug.c b/drivers/iommu/omap-iommu-debug.c +index 9bc20e2119a35..82bf208295f4b 100644 +--- a/drivers/iommu/omap-iommu-debug.c ++++ b/drivers/iommu/omap-iommu-debug.c +@@ -101,8 +101,11 @@ static ssize_t debug_read_regs(struct file *file, char __user *userbuf, + mutex_lock(&iommu_debug_lock); + + bytes = omap_iommu_dump_ctx(obj, p, count); ++ if (bytes < 0) ++ goto err; + bytes = simple_read_from_buffer(userbuf, count, ppos, buf, bytes); + ++err: + mutex_unlock(&iommu_debug_lock); + kfree(buf); + +-- +2.25.1 + diff --git a/queue-4.4/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch b/queue-4.4/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch new file mode 100644 index 00000000000..23d7152b893 --- /dev/null +++ b/queue-4.4/iommu-vt-d-enforce-pasid-devtlb-field-mask.patch @@ -0,0 +1,40 @@ +From 90e8b5f9a3da387e917147bdf0c7edef7acc209b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Jul 2020 09:49:14 +0800 +Subject: iommu/vt-d: Enforce PASID devTLB field mask + +From: Liu Yi L + +[ Upstream commit 5f77d6ca5ca74e4b4a5e2e010f7ff50c45dea326 ] + +Set proper masks to avoid invalid input spillover to reserved bits. + +Signed-off-by: Liu Yi L +Signed-off-by: Jacob Pan +Signed-off-by: Lu Baolu +Reviewed-by: Eric Auger +Link: https://lore.kernel.org/r/20200724014925.15523-2-baolu.lu@linux.intel.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + include/linux/intel-iommu.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/linux/intel-iommu.h b/include/linux/intel-iommu.h +index 27dbab59f034c..d86ac620f0aac 100644 +--- a/include/linux/intel-iommu.h ++++ b/include/linux/intel-iommu.h +@@ -317,8 +317,8 @@ enum { + + #define QI_DEV_EIOTLB_ADDR(a) ((u64)(a) & VTD_PAGE_MASK) + #define QI_DEV_EIOTLB_SIZE (((u64)1) << 11) +-#define QI_DEV_EIOTLB_GLOB(g) ((u64)g) +-#define QI_DEV_EIOTLB_PASID(p) (((u64)p) << 32) ++#define QI_DEV_EIOTLB_GLOB(g) ((u64)(g) & 0x1) ++#define QI_DEV_EIOTLB_PASID(p) ((u64)((p) & 0xfffff) << 32) + #define QI_DEV_EIOTLB_SID(sid) ((u64)((sid) & 0xffff) << 16) + #define QI_DEV_EIOTLB_QDEP(qd) ((u64)((qd) & 0x1f) << 4) + #define QI_DEV_EIOTLB_PFSID(pfsid) (((u64)(pfsid & 0xf) << 12) | \ +-- +2.25.1 + diff --git a/queue-4.4/mfd-dln2-run-event-handler-loop-under-spinlock.patch b/queue-4.4/mfd-dln2-run-event-handler-loop-under-spinlock.patch new file mode 100644 index 00000000000..4a26855c4cc --- /dev/null +++ b/queue-4.4/mfd-dln2-run-event-handler-loop-under-spinlock.patch @@ -0,0 +1,68 @@ +From 59204d3a9f02b5dbfe7a9c88f5fe0edaf543aedb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 23 Jul 2020 16:02:46 +0300 +Subject: mfd: dln2: Run event handler loop under spinlock + +From: Andy Shevchenko + +[ Upstream commit 3d858942250820b9adc35f963a257481d6d4c81d ] + +The event handler loop must be run with interrupts disabled. +Otherwise we will have a warning: + +[ 1970.785649] irq 31 handler lineevent_irq_handler+0x0/0x20 enabled interrupts +[ 1970.792739] WARNING: CPU: 0 PID: 0 at kernel/irq/handle.c:159 __handle_irq_event_percpu+0x162/0x170 +[ 1970.860732] RIP: 0010:__handle_irq_event_percpu+0x162/0x170 +... +[ 1970.946994] Call Trace: +[ 1970.949446] +[ 1970.951471] handle_irq_event_percpu+0x2c/0x80 +[ 1970.955921] handle_irq_event+0x23/0x43 +[ 1970.959766] handle_simple_irq+0x57/0x70 +[ 1970.963695] generic_handle_irq+0x42/0x50 +[ 1970.967717] dln2_rx+0xc1/0x210 [dln2] +[ 1970.971479] ? usb_hcd_unmap_urb_for_dma+0xa6/0x1c0 +[ 1970.976362] __usb_hcd_giveback_urb+0x77/0xe0 +[ 1970.980727] usb_giveback_urb_bh+0x8e/0xe0 +[ 1970.984837] tasklet_action_common.isra.0+0x4a/0xe0 +... + +Recently xHCI driver switched to tasklets in the commit 36dc01657b49 +("usb: host: xhci: Support running urb giveback in tasklet context"). + +The handle_irq_event_* functions are expected to be called with interrupts +disabled and they rightfully complain here because we run in tasklet context +with interrupts enabled. + +Use a event spinlock to protect event handler from being interrupted. + +Note, that there are only two users of this GPIO and ADC drivers and both of +them are using generic_handle_irq() which makes above happen. + +Fixes: 338a12814297 ("mfd: Add support for Diolan DLN-2 devices") +Signed-off-by: Andy Shevchenko +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index 672831d5ee32e..97a69cd6f1278 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -294,7 +294,11 @@ static void dln2_rx(struct urb *urb) + len = urb->actual_length - sizeof(struct dln2_header); + + if (handle == DLN2_HANDLE_EVENT) { ++ unsigned long flags; ++ ++ spin_lock_irqsave(&dln2->event_cb_lock, flags); + dln2_run_event_callbacks(dln2, id, echo, data, len); ++ spin_unlock_irqrestore(&dln2->event_cb_lock, flags); + } else { + /* URB will be re-submitted in _dln2_transfer (free_rx_slot) */ + if (dln2_transfer_complete(dln2, urb, handle, echo)) +-- +2.25.1 + diff --git a/queue-4.4/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch b/queue-4.4/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch new file mode 100644 index 00000000000..6eaf6eb3a74 --- /dev/null +++ b/queue-4.4/nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch @@ -0,0 +1,55 @@ +From 339d37e3e6c371d897ced18b35285835e677da65 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Aug 2020 12:23:19 -0500 +Subject: nfs: Fix getxattr kernel panic and memory overflow + +From: Jeffrey Mitchell + +[ Upstream commit b4487b93545214a9db8cbf32e86411677b0cca21 ] + +Move the buffer size check to decode_attr_security_label() before memcpy() +Only call memcpy() if the buffer is large enough + +Fixes: aa9c2669626c ("NFS: Client implementation of Labeled-NFS") +Signed-off-by: Jeffrey Mitchell +[Trond: clean up duplicate test of label->len != 0] +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 2 -- + fs/nfs/nfs4xdr.c | 6 +++++- + 2 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 566afcc36adb5..ca1702cefb852 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -4916,8 +4916,6 @@ static int _nfs4_get_security_label(struct inode *inode, void *buf, + return ret; + if (!(fattr.valid & NFS_ATTR_FATTR_V4_SECURITY_LABEL)) + return -ENOENT; +- if (buflen < label.len) +- return -ERANGE; + return 0; + } + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index 15cd9db6d616d..28c1b765e4444 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4158,7 +4158,11 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + goto out_overflow; + if (len < NFS4_MAXLABELLEN) { + if (label) { +- memcpy(label->label, p, len); ++ if (label->len) { ++ if (label->len < len) ++ return -ERANGE; ++ memcpy(label->label, p, len); ++ } + label->len = len; + label->pi = pi; + label->lfs = lfs; +-- +2.25.1 + diff --git a/queue-4.4/series b/queue-4.4/series index a01b884c2a2..49dd4d0f056 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -131,3 +131,17 @@ ext2-fix-missing-percpu_counter_inc.patch ocfs2-change-slot-number-type-s16-to-u16.patch kprobes-fix-null-pointer-dereference-at-kprobe_ftrace_handler.patch pseries-fix-64-bit-logical-memory-block-panic.patch +usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch +usb-serial-ftdi_sio-clean-up-receive-processing.patch +usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch +iommu-omap-check-for-failure-of-a-call-to-omap_iommu.patch +iommu-vt-d-enforce-pasid-devtlb-field-mask.patch +i2c-rcar-slave-only-send-stop-event-when-we-have-bee.patch +clk-clk-atlas6-fix-return-value-check-in-atlas6_clk_.patch +input-sentelic-fix-error-return-when-fsp_reg_write-f.patch +drm-vmwgfx-fix-two-list_for_each-loop-exit-tests.patch +nfs-fix-getxattr-kernel-panic-and-memory-overflow.patch +fs-ufs-avoid-potential-u32-multiplication-overflow.patch +mfd-dln2-run-event-handler-loop-under-spinlock.patch +alsa-echoaudio-fix-potential-oops-in-snd_echo_resume.patch +sh-landisk-add-missing-initialization-of-sh_io_port_.patch diff --git a/queue-4.4/sh-landisk-add-missing-initialization-of-sh_io_port_.patch b/queue-4.4/sh-landisk-add-missing-initialization-of-sh_io_port_.patch new file mode 100644 index 00000000000..cee244df468 --- /dev/null +++ b/queue-4.4/sh-landisk-add-missing-initialization-of-sh_io_port_.patch @@ -0,0 +1,45 @@ +From 5ac205afecfb8864b6c6bd6e2e687fc444d90654 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 Aug 2020 14:42:45 +0200 +Subject: sh: landisk: Add missing initialization of sh_io_port_base + +From: Geert Uytterhoeven + +[ Upstream commit 0c64a0dce51faa9c706fdf1f957d6f19878f4b81 ] + +The Landisk setup code maps the CF IDE area using ioremap_prot(), and +passes the resulting virtual addresses to the pata_platform driver, +disguising them as I/O port addresses. Hence the pata_platform driver +translates them again using ioport_map(). +As CONFIG_GENERIC_IOMAP=n, and CONFIG_HAS_IOPORT_MAP=y, the +SuperH-specific mapping code in arch/sh/kernel/ioport.c translates +I/O port addresses to virtual addresses by adding sh_io_port_base, which +defaults to -1, thus breaking the assumption of an identity mapping. + +Fix this by setting sh_io_port_base to zero. + +Fixes: 37b7a97884ba64bf ("sh: machvec IO death.") +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Rich Felker +Signed-off-by: Sasha Levin +--- + arch/sh/boards/mach-landisk/setup.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/sh/boards/mach-landisk/setup.c b/arch/sh/boards/mach-landisk/setup.c +index f1147caebacf0..af69fb7fef7c7 100644 +--- a/arch/sh/boards/mach-landisk/setup.c ++++ b/arch/sh/boards/mach-landisk/setup.c +@@ -85,6 +85,9 @@ device_initcall(landisk_devices_setup); + + static void __init landisk_setup(char **cmdline_p) + { ++ /* I/O port identity mapping */ ++ __set_io_port_base(0); ++ + /* LED ON */ + __raw_writeb(__raw_readb(PA_LED) | 0x03, PA_LED); + +-- +2.25.1 + diff --git a/queue-4.4/usb-serial-ftdi_sio-clean-up-receive-processing.patch b/queue-4.4/usb-serial-ftdi_sio-clean-up-receive-processing.patch new file mode 100644 index 00000000000..8a10e5db5ff --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-clean-up-receive-processing.patch @@ -0,0 +1,75 @@ +From 7522c33a9c81a0a29feb4c67d84d589342007637 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:49:52 +0200 +Subject: USB: serial: ftdi_sio: clean up receive processing + +From: Johan Hovold + +[ Upstream commit ce054039ba5e47b75a3be02a00274e52b06a6456 ] + +Clean up receive processing by dropping the character pointer and +keeping the length argument unchanged throughout the function. + +Also make it more apparent that sysrq processing can consume a +characters by adding an explicit continue. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/ftdi_sio.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 4b9404f99c010..0afea511eb376 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2054,7 +2054,6 @@ static int ftdi_process_packet(struct usb_serial_port *port, + struct ftdi_private *priv, unsigned char *buf, int len) + { + unsigned char status; +- unsigned char *ch; + int i; + char flag; + +@@ -2097,8 +2096,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + else + priv->transmit_empty = 0; + +- len -= 2; +- if (!len) ++ if (len == 2) + return 0; /* status only */ + + /* +@@ -2127,19 +2125,20 @@ static int ftdi_process_packet(struct usb_serial_port *port, + } + } + +- port->icount.rx += len; +- ch = buf + 2; ++ port->icount.rx += len - 2; + + if (port->port.console && port->sysrq) { +- for (i = 0; i < len; i++, ch++) { +- if (!usb_serial_handle_sysrq_char(port, *ch)) +- tty_insert_flip_char(&port->port, *ch, flag); ++ for (i = 2; i < len; i++) { ++ if (usb_serial_handle_sysrq_char(port, buf[i])) ++ continue; ++ tty_insert_flip_char(&port->port, buf[i], flag); + } + } else { +- tty_insert_flip_string_fixed_flag(&port->port, ch, flag, len); ++ tty_insert_flip_string_fixed_flag(&port->port, buf + 2, flag, ++ len - 2); + } + +- return len; ++ return len - 2; + } + + static void ftdi_process_read_urb(struct urb *urb) +-- +2.25.1 + diff --git a/queue-4.4/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch b/queue-4.4/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch new file mode 100644 index 00000000000..f0cb12fb47a --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-fix-break-and-sysrq-handling.patch @@ -0,0 +1,87 @@ +From fa9cb56cffc3e2c6d0a157b8d0109079ab0ba43d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:49:53 +0200 +Subject: USB: serial: ftdi_sio: fix break and sysrq handling + +From: Johan Hovold + +[ Upstream commit 733fff67941dad64b8a630450b8372b1873edc41 ] + +Only the last NUL in a packet should be flagged as a break character, +for example, to avoid dropping unrelated characters when IGNBRK is set. + +Also make sysrq work by consuming the break character instead of having +it immediately cancel the sysrq request, and by not processing it +prematurely to avoid triggering a sysrq based on an unrelated character +received in the same packet (which was received *before* the break). + +Note that the break flag can be left set also for a packet received +immediately following a break and that and an ending NUL in such a +packet will continue to be reported as a break as there's no good way to +tell it apart from an actual break. + +Tested on FT232R and FT232H. + +Fixes: 72fda3ca6fc1 ("USB: serial: ftd_sio: implement sysrq handling on break") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/ftdi_sio.c | 24 +++++++++++++++++------- + 1 file changed, 17 insertions(+), 7 deletions(-) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 0afea511eb376..2dfec4c1ef4de 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2054,6 +2054,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + struct ftdi_private *priv, unsigned char *buf, int len) + { + unsigned char status; ++ bool brkint = false; + int i; + char flag; + +@@ -2105,13 +2106,17 @@ static int ftdi_process_packet(struct usb_serial_port *port, + */ + flag = TTY_NORMAL; + if (buf[1] & FTDI_RS_ERR_MASK) { +- /* Break takes precedence over parity, which takes precedence +- * over framing errors */ +- if (buf[1] & FTDI_RS_BI) { +- flag = TTY_BREAK; ++ /* ++ * Break takes precedence over parity, which takes precedence ++ * over framing errors. Note that break is only associated ++ * with the last character in the buffer and only when it's a ++ * NUL. ++ */ ++ if (buf[1] & FTDI_RS_BI && buf[len - 1] == '\0') { + port->icount.brk++; +- usb_serial_handle_break(port); +- } else if (buf[1] & FTDI_RS_PE) { ++ brkint = true; ++ } ++ if (buf[1] & FTDI_RS_PE) { + flag = TTY_PARITY; + port->icount.parity++; + } else if (buf[1] & FTDI_RS_FE) { +@@ -2127,8 +2132,13 @@ static int ftdi_process_packet(struct usb_serial_port *port, + + port->icount.rx += len - 2; + +- if (port->port.console && port->sysrq) { ++ if (brkint || (port->port.console && port->sysrq)) { + for (i = 2; i < len; i++) { ++ if (brkint && i == len - 1) { ++ if (usb_serial_handle_break(port)) ++ return len - 3; ++ flag = TTY_BREAK; ++ } + if (usb_serial_handle_sysrq_char(port, buf[i])) + continue; + tty_insert_flip_char(&port->port, buf[i], flag); +-- +2.25.1 + diff --git a/queue-4.4/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch b/queue-4.4/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch new file mode 100644 index 00000000000..c92e66714ab --- /dev/null +++ b/queue-4.4/usb-serial-ftdi_sio-make-process-packet-buffer-unsig.patch @@ -0,0 +1,96 @@ +From d61346287dddcda8ec23950569ff4cc312ceefbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jul 2020 14:49:51 +0200 +Subject: USB: serial: ftdi_sio: make process-packet buffer unsigned + +From: Johan Hovold + +[ Upstream commit ab4cc4ef6724ea588e835fc1e764c4b4407a70b7 ] + +Use an unsigned type for the process-packet buffer argument and give it +a more apt name. + +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Johan Hovold +Signed-off-by: Sasha Levin +--- + drivers/usb/serial/ftdi_sio.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 8388f88ce6356..4b9404f99c010 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -2051,12 +2051,12 @@ static int ftdi_prepare_write_buffer(struct usb_serial_port *port, + #define FTDI_RS_ERR_MASK (FTDI_RS_BI | FTDI_RS_PE | FTDI_RS_FE | FTDI_RS_OE) + + static int ftdi_process_packet(struct usb_serial_port *port, +- struct ftdi_private *priv, char *packet, int len) ++ struct ftdi_private *priv, unsigned char *buf, int len) + { ++ unsigned char status; ++ unsigned char *ch; + int i; +- char status; + char flag; +- char *ch; + + if (len < 2) { + dev_dbg(&port->dev, "malformed packet\n"); +@@ -2066,7 +2066,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + /* Compare new line status to the old one, signal if different/ + N.B. packet may be processed more than once, but differences + are only processed once. */ +- status = packet[0] & FTDI_STATUS_B0_MASK; ++ status = buf[0] & FTDI_STATUS_B0_MASK; + if (status != priv->prev_status) { + char diff_status = status ^ priv->prev_status; + +@@ -2092,7 +2092,7 @@ static int ftdi_process_packet(struct usb_serial_port *port, + } + + /* save if the transmitter is empty or not */ +- if (packet[1] & FTDI_RS_TEMT) ++ if (buf[1] & FTDI_RS_TEMT) + priv->transmit_empty = 1; + else + priv->transmit_empty = 0; +@@ -2106,29 +2106,29 @@ static int ftdi_process_packet(struct usb_serial_port *port, + * data payload to avoid over-reporting. + */ + flag = TTY_NORMAL; +- if (packet[1] & FTDI_RS_ERR_MASK) { ++ if (buf[1] & FTDI_RS_ERR_MASK) { + /* Break takes precedence over parity, which takes precedence + * over framing errors */ +- if (packet[1] & FTDI_RS_BI) { ++ if (buf[1] & FTDI_RS_BI) { + flag = TTY_BREAK; + port->icount.brk++; + usb_serial_handle_break(port); +- } else if (packet[1] & FTDI_RS_PE) { ++ } else if (buf[1] & FTDI_RS_PE) { + flag = TTY_PARITY; + port->icount.parity++; +- } else if (packet[1] & FTDI_RS_FE) { ++ } else if (buf[1] & FTDI_RS_FE) { + flag = TTY_FRAME; + port->icount.frame++; + } + /* Overrun is special, not associated with a char */ +- if (packet[1] & FTDI_RS_OE) { ++ if (buf[1] & FTDI_RS_OE) { + port->icount.overrun++; + tty_insert_flip_char(&port->port, 0, TTY_OVERRUN); + } + } + + port->icount.rx += len; +- ch = packet + 2; ++ ch = buf + 2; + + if (port->port.console && port->sysrq) { + for (i = 0; i < len; i++, ch++) { +-- +2.25.1 +