From: Sasha Levin Date: Sat, 18 Jun 2022 17:07:52 +0000 (-0400) Subject: Fixes for 4.14 X-Git-Tag: v5.4.200~65 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=776bf01f5455099c2c7d1e55c75a824301068c0d;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/asoc-cs42l52-correct-tlv-for-bypass-volume.patch b/queue-4.14/asoc-cs42l52-correct-tlv-for-bypass-volume.patch
new file mode 100644
index 00000000000..007d90ade53
--- /dev/null
+++ b/queue-4.14/asoc-cs42l52-correct-tlv-for-bypass-volume.patch
@@ -0,0 +1,45 @@
+From 856cba04e8210834732cbd37f17906e73f13cbbb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 17:21:17 +0100
+Subject: ASoC: cs42l52: Correct TLV for Bypass Volume
+
+From: Charles Keepax
+
+[ Upstream commit 91e90c712fade0b69cdff7cc6512f6099bd18ae5 ]
+
+The Bypass Volume is accidentally using a -6dB minimum TLV rather than
+the correct -60dB minimum. Add a new TLV to correct this.
+
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20220602162119.3393857-5-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l52.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
+index f733f6b42b53..47f2439fd7b0 100644
+--- a/sound/soc/codecs/cs42l52.c
++++ b/sound/soc/codecs/cs42l52.c
+@@ -141,6 +141,8 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0);
+
+ static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0);
+
++static DECLARE_TLV_DB_SCALE(pass_tlv, -6000, 50, 0);
++
+ static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0);
+
+ static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0);
+@@ -355,7 +357,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
+ CS42L52_SPKB_VOL, 0, 0x40, 0xC0, hl_tlv),
+
+ SOC_DOUBLE_R_SX_TLV("Bypass Volume", CS42L52_PASSTHRUA_VOL,
+- CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pga_tlv),
++ CS42L52_PASSTHRUB_VOL, 0, 0x88, 0x90, pass_tlv),
+
+ SOC_DOUBLE("Bypass Mute", CS42L52_MISC_CTL, 4, 5, 1, 0),
+
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch b/queue-4.14/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch
new file mode 100644
index 00000000000..c78711f2848
--- /dev/null
+++ b/queue-4.14/asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch
@@ -0,0 +1,45 @@
+From 6d468b203726e6a325b5491e3c7821802f81a722 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 17:21:14 +0100
+Subject: ASoC: cs42l52: Fix TLV scales for mixer controls
+
+From: Charles Keepax
+
+[ Upstream commit 8bf5aabf524eec61013e506f764a0b2652dc5665 ]
+
+The datasheet specifies the range of the mixer volumes as between
+-51.5dB and 12dB with a 0.5dB step. Update the TLVs for this.
+
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20220602162119.3393857-2-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l52.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l52.c b/sound/soc/codecs/cs42l52.c
+index 0d9c4a57301b..f733f6b42b53 100644
+--- a/sound/soc/codecs/cs42l52.c
++++ b/sound/soc/codecs/cs42l52.c
+@@ -141,7 +141,7 @@ static DECLARE_TLV_DB_SCALE(mic_tlv, 1600, 100, 0);
+
+ static DECLARE_TLV_DB_SCALE(pga_tlv, -600, 50, 0);
+
+-static DECLARE_TLV_DB_SCALE(mix_tlv, -50, 50, 0);
++static DECLARE_TLV_DB_SCALE(mix_tlv, -5150, 50, 0);
+
+ static DECLARE_TLV_DB_SCALE(beep_tlv, -56, 200, 0);
+
+@@ -368,7 +368,7 @@ static const struct snd_kcontrol_new cs42l52_snd_controls[] = {
+ CS42L52_ADCB_VOL, 0, 0xA0, 0x78, ipd_tlv),
+ SOC_DOUBLE_R_SX_TLV("ADC Mixer Volume",
+ CS42L52_ADCA_MIXER_VOL, CS42L52_ADCB_MIXER_VOL,
+- 0, 0x19, 0x7F, ipd_tlv),
++ 0, 0x19, 0x7F, mix_tlv),
+
+ SOC_DOUBLE("ADC Switch", CS42L52_ADC_MISC_CTL, 0, 1, 1, 0),
+
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch b/queue-4.14/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch
new file mode 100644
index 00000000000..7ee4ec99f78
--- /dev/null
+++ b/queue-4.14/asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch
@@ -0,0 +1,41 @@
+From 458adaa781d4dddff208a40401eca14026bc257c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 17:21:18 +0100
+Subject: ASoC: cs42l56: Correct typo in minimum level for SX volume controls
+
+From: Charles Keepax
+
+[ Upstream commit a8928ada9b96944cadd8b65d191e33199fd38782 ]
+
+A couple of the SX volume controls specify 0x84 as the lowest volume
+value, however the correct value from the datasheet is 0x44. The
+datasheet don't include spaces in the value it displays as binary so
+this was almost certainly just a typo reading 1000100.
+
+Signed-off-by: Charles Keepax
+Link: https://lore.kernel.org/r/20220602162119.3393857-6-ckeepax@opensource.cirrus.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/cs42l56.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/codecs/cs42l56.c b/sound/soc/codecs/cs42l56.c
+index 52858b6c95a6..9274b52edc44 100644
+--- a/sound/soc/codecs/cs42l56.c
++++ b/sound/soc/codecs/cs42l56.c
+@@ -403,9 +403,9 @@ static const struct snd_kcontrol_new cs42l56_snd_controls[] = {
+ SOC_DOUBLE("ADC Boost Switch", CS42L56_GAIN_BIAS_CTL, 3, 2, 1, 1),
+
+ SOC_DOUBLE_R_SX_TLV("Headphone Volume", CS42L56_HPA_VOLUME,
+- CS42L56_HPB_VOLUME, 0, 0x84, 0x48, hl_tlv),
++ CS42L56_HPB_VOLUME, 0, 0x44, 0x48, hl_tlv),
+ SOC_DOUBLE_R_SX_TLV("LineOut Volume", CS42L56_LOA_VOLUME,
+- CS42L56_LOB_VOLUME, 0, 0x84, 0x48, hl_tlv),
++ CS42L56_LOB_VOLUME, 0, 0x44, 0x48, hl_tlv),
+
+ SOC_SINGLE_TLV("Bass Shelving Volume", CS42L56_TONE_CTL,
+ 0, 0x00, 1, tone_tlv),
+--
+2.35.1
+
diff --git a/queue-4.14/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch b/queue-4.14/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch
new file mode 100644
index 00000000000..6c9841a1efa
--- /dev/null
+++ b/queue-4.14/asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch
@@ -0,0 +1,59 @@ +From 895739fa03eeeb77fd3279a55b3ffcf8fe3cec3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Jun 2022 17:21:16 +0100 +Subject: ASoC: cs53l30: Correct number of volume levels on SX controls + +From: Charles Keepax + +[ Upstream commit 7fbd6dd68127927e844912a16741016d432a0737 ] + +This driver specified the maximum value rather than the number of volume +levels on the SX controls, this is incorrect, so correct them. + +Reported-by: David Rhodes +Signed-off-by: Charles Keepax +Link: https://lore.kernel.org/r/20220602162119.3393857-4-ckeepax@opensource.cirrus.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs53l30.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/sound/soc/codecs/cs53l30.c b/sound/soc/codecs/cs53l30.c +index c7edf2df5e36..f30807b3705d 100644 +--- a/sound/soc/codecs/cs53l30.c ++++ b/sound/soc/codecs/cs53l30.c +@@ -351,22 +351,22 @@ static const struct snd_kcontrol_new cs53l30_snd_controls[] = { + SOC_ENUM("ADC2 NG Delay", adc2_ng_delay_enum), + + SOC_SINGLE_SX_TLV("ADC1A PGA Volume", +- CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC1A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC1B PGA Volume", +- CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC1B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC2A PGA Volume", +- CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC2A_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + SOC_SINGLE_SX_TLV("ADC2B PGA Volume", +- CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x18, pga_tlv), ++ CS53L30_ADC2B_AFE_CTL, 0, 0x34, 0x24, pga_tlv), + + SOC_SINGLE_SX_TLV("ADC1A Digital Volume", +- CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC1A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC1B Digital Volume", +- CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC1B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC2A Digital Volume", +- 
CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC2A_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + SOC_SINGLE_SX_TLV("ADC2B Digital Volume", +- CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x0C, dig_tlv), ++ CS53L30_ADC2B_DIG_VOL, 0, 0xA0, 0x6C, dig_tlv), + }; + + static const struct snd_soc_dapm_widget cs53l30_dapm_widgets[] = { +-- +2.35.1 + diff --git a/queue-4.14/asoc-wm8962-fix-suspend-while-playing-music.patch b/queue-4.14/asoc-wm8962-fix-suspend-while-playing-music.patch new file mode 100644 index 00000000000..4251264d200 --- /dev/null +++ b/queue-4.14/asoc-wm8962-fix-suspend-while-playing-music.patch @@ -0,0 +1,42 @@ +From c89804dd4182e23b247f4860e23ef7d382b74de4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 May 2022 13:21:28 -0500 +Subject: ASoC: wm8962: Fix suspend while playing music + +From: Adam Ford + +[ Upstream commit d1f5272c0f7d2e53c6f2480f46725442776f5f78 ] + +If the audio CODEC is playing sound when the system is suspended, +it can be left in a state which throws the following error: + +wm8962 3-001a: ASoC: error at soc_component_read_no_lock on wm8962.3-001a: -16 + +Once this error has occurred, the audio will not work again until rebooted. + +Fix this by configuring SET_SYSTEM_SLEEP_PM_OPS. + +Signed-off-by: Adam Ford +Acked-by: Charles Keepax +Link: https://lore.kernel.org/r/20220526182129.538472-1-aford173@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/wm8962.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/wm8962.c b/sound/soc/codecs/wm8962.c +index 0e8008d38161..d46881f96c16 100644 +--- a/sound/soc/codecs/wm8962.c ++++ b/sound/soc/codecs/wm8962.c +@@ -3861,6 +3861,7 @@ static int wm8962_runtime_suspend(struct device *dev) + #endif + + static const struct dev_pm_ops wm8962_pm = { ++ SET_SYSTEM_SLEEP_PM_OPS(pm_runtime_force_suspend, pm_runtime_force_resume) + SET_RUNTIME_PM_OPS(wm8962_runtime_suspend, wm8962_runtime_resume, NULL) + }; + +-- +2.35.1 + 
diff --git a/queue-4.14/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch b/queue-4.14/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch
new file mode 100644
index 00000000000..948ca245773
--- /dev/null
+++ b/queue-4.14/ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch
@@ -0,0 +1,50 @@
+From 1f2ebd247a73131dc96adf4b2df3a24a6712f954 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 21 May 2022 23:34:10 +0300
+Subject: ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
+
+From: Sergey Shtylyov
+
+[ Upstream commit bf476fe22aa1851bab4728e0c49025a6a0bea307 ]
+
+In an unlikely (and probably wrong?) case that the 'ppi' parameter of
+ata_host_alloc_pinfo() points to an array starting with a NULL pointer,
+there's going to be a kernel oops as the 'pi' local variable won't get
+reassigned from the initial value of NULL. Initialize 'pi' instead to
+'&ata_dummy_port_info' to fix the possible kernel oops for good...
+
+Found by Linux Verification Center (linuxtesting.org) with the SVACE static
+analysis tool.
+
+Signed-off-by: Sergey Shtylyov
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-core.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
+index d3a7b3bb5043..08dc37a62f5a 100644
+--- a/drivers/ata/libata-core.c
++++ b/drivers/ata/libata-core.c
+@@ -6180,7 +6180,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev,
+ const struct ata_port_info * const * ppi,
+ int n_ports)
+ {
+- const struct ata_port_info *pi;
++ const struct ata_port_info *pi = &ata_dummy_port_info;
+ struct ata_host *host;
+ int i, j;
+
+@@ -6188,7 +6188,7 @@ struct ata_host *ata_host_alloc_pinfo(struct device *dev,
+ if (!host)
+ return NULL;
+
+- for (i = 0, j = 0, pi = NULL; i < host->n_ports; i++) {
++ for (i = 0, j = 0; i < host->n_ports; i++) {
+ struct ata_port *ap = host->ports[i];
+
+ if (ppi[j])
+--
+2.35.1
+
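Review bot: The fallback to `&ata_dummy_port_info` in ata_host_alloc_pinfo() is silent, so a caller that passes a `ppi` array whose first entry is NULL no longer oopses but also produces no diagnostic. The commit description itself calls that input "probably wrong", so a check ahead of the loop such as `WARN_ON_ONCE(!ppi[0]);` would keep the caller bug visible without bringing back the NULL dereference. A short comment on the initializer, for example `/* used until the first non-NULL ppi[] entry is seen */`, would also record why `pi` no longer starts as NULL. The loop body continues outside the second hunk, so how `pi` is consumed there is inferred from the description rather than visible.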
diff --git a/queue-4.14/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch b/queue-4.14/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch
new file mode 100644
index 00000000000..57e78b6e57b
--- /dev/null
+++ b/queue-4.14/ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch
@@ -0,0 +1,46 @@
+From ba556ae29dbc79e6524b9b7f803c4732aeb85db1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Jun 2022 20:00:28 +0800
+Subject: ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
+
+From: Wang Yufen
+
+[ Upstream commit f638a84afef3dfe10554c51820c16e39a278c915 ]
+
+When len >= INT_MAX - transhdrlen, ulen = len + transhdrlen will be
+overflow. To fix, we can follow what udpv6 does and subtract the
+transhdrlen from the max.
+
+Signed-off-by: Wang Yufen
+Link: https://lore.kernel.org/r/20220607120028.845916-2-wangyufen@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/l2tp/l2tp_ip6.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c
+index 9c4670fb29d7..7b0963712c22 100644
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -526,14 +526,15 @@ static int l2tp_ip6_sendmsg(struct sock *sk, struct msghdr *msg, size_t len)
+ struct ipcm6_cookie ipc6;
+ int addr_len = msg->msg_namelen;
+ int transhdrlen = 4; /* zero session-id */
+- int ulen = len + transhdrlen;
++ int ulen;
+ int err;
+
+ /* Rough check on arithmetic overflow,
+ better check is made in ip6_append_data().
+ */
+- if (len > INT_MAX)
++ if (len > INT_MAX - transhdrlen)
+ return -EMSGSIZE;
++ ulen = len + transhdrlen;
+
+ /* Mirror BSD error message compatibility */
+ if (msg->msg_flags & MSG_OOB)
+--
+2.35.1
+
diff --git a/queue-4.14/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch b/queue-4.14/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch
new file mode 100644
index 00000000000..6d4efc4daaf
--- /dev/null
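Review bot: The new guard `len > INT_MAX - transhdrlen` in l2tp_ip6_sendmsg() compares the `size_t` parameter `len` with an `int` expression, so it is only sound while `transhdrlen` stays a small non-negative value; a negative right-hand side would convert to a very large unsigned number and let every length through. That holds here because `transhdrlen` is initialised to 4 a few lines above, but the retained comment still describes a rough check on `len` alone. I would reword it to state what is bounded, e.g. `/* Reject lengths for which len + transhdrlen would not fit in the int ulen. */`. The rest of the function lies outside the hunk.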
+++ b/queue-4.14/net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch 
@@ -0,0 +1,74 @@ +From cd11d7c4096e9eb1f7a39bfc6f7efd783dfcf3cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Jun 2022 20:46:53 +0800 +Subject: net: ethernet: mtk_eth_soc: fix misuse of mem alloc interface + netdev[napi]_alloc_frag + +From: Chen Lin + +[ Upstream commit 2f2c0d2919a14002760f89f4e02960c735a316d2 ] + +When rx_flag == MTK_RX_FLAGS_HWLRO, +rx_data_len = MTK_MAX_LRO_RX_LENGTH(4096 * 3) > PAGE_SIZE. +netdev_alloc_frag is for alloction of page fragment only. +Reference to other drivers and Documentation/vm/page_frags.rst + +Branch to use __get_free_pages when ring->frag_size > PAGE_SIZE. + +Signed-off-by: Chen Lin +Link: https://lore.kernel.org/r/1654692413-2598-1-git-send-email-chen45464546@163.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mediatek/mtk_eth_soc.c | 21 +++++++++++++++++++-- + 1 file changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +index ade72b46e93c..fb48efa70797 100644 +--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c ++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c +@@ -596,6 +596,17 @@ static inline void mtk_rx_get_desc(struct mtk_rx_dma *rxd, + rxd->rxd4 = READ_ONCE(dma_rxd->rxd4); + } + ++static void *mtk_max_lro_buf_alloc(gfp_t gfp_mask) ++{ ++ unsigned int size = mtk_max_frag_size(MTK_MAX_LRO_RX_LENGTH); ++ unsigned long data; ++ ++ data = __get_free_pages(gfp_mask | __GFP_COMP | __GFP_NOWARN, ++ get_order(size)); ++ ++ return (void *)data; ++} ++ + /* the qdma core needs scratch memory to be setup */ + static int mtk_init_fq_dma(struct mtk_eth *eth) + { +@@ -1005,7 +1016,10 @@ static int mtk_poll_rx(struct napi_struct *napi, int budget, + goto release_desc; + + /* alloc new buffer */ +- new_data = napi_alloc_frag(ring->frag_size); ++ if (ring->frag_size <= PAGE_SIZE) ++ new_data = napi_alloc_frag(ring->frag_size); ++ else ++ new_data = mtk_max_lro_buf_alloc(GFP_ATOMIC); + if 
(unlikely(!new_data)) { + netdev->stats.rx_dropped++; + goto release_desc; +@@ -1315,7 +1329,10 @@ static int mtk_rx_alloc(struct mtk_eth *eth, int ring_no, int rx_flag) + return -ENOMEM; + + for (i = 0; i < rx_dma_size; i++) { +- ring->data[i] = netdev_alloc_frag(ring->frag_size); ++ if (ring->frag_size <= PAGE_SIZE) ++ ring->data[i] = netdev_alloc_frag(ring->frag_size); ++ else ++ ring->data[i] = mtk_max_lro_buf_alloc(GFP_KERNEL); + if (!ring->data[i]) + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.14/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch b/queue-4.14/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch new file mode 100644 index 00000000000..ce29ea9f334 --- /dev/null +++ b/queue-4.14/nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch 
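Review bot: mtk_max_lro_buf_alloc() sizes its allocation from `MTK_MAX_LRO_RX_LENGTH`, while both call sites choose it with `ring->frag_size > PAGE_SIZE`, so the buffer size and the condition that selects the allocator are tied together only by convention. If a ring ever had a `frag_size` above PAGE_SIZE that differs from `mtk_max_frag_size(MTK_MAX_LRO_RX_LENGTH)`, the buffer handed to the ring might not match what the RX path assumes, which is a memory-safety concern in a receive path. A comment on the helper such as `/* Only HW LRO rings have frag_size > PAGE_SIZE; they all use MTK_MAX_LRO_RX_LENGTH. */` would document the coupling, or the size could be passed in as a parameter. The hunks do not show the release path, so it should also be confirmed that buffers from `__get_free_pages()` are freed by a routine that copes with compound pages and that the early `return -ENOMEM` in mtk_rx_alloc() leaves already-filled `ring->data[]` slots to be cleaned up by the caller.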
@@ -0,0 +1,66 @@
+From 4380a479e4d600c898d809c0c0bb3faadbf08b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 7 Jun 2022 16:32:30 +0800
+Subject: nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
+
+From: Xiaohui Zhang
+
+[ Upstream commit 8a4d480702b71184fabcf379b80bf7539716752e ]
+
+Similar to the handling of play_deferred in commit 19cfe912c37b
+("Bluetooth: btusb: Fix memory leak in play_deferred"), we thought
+a patch might be needed here as well.
+
+Currently usb_submit_urb is called directly to submit deferred tx
+urbs after unanchor them.
+
+So the usb_giveback_urb_bh would failed to unref it in usb_unanchor_urb
+and cause memory leak.
+
+Put those urbs in tx_anchor to avoid the leak, and also fix the error
+handling.
+
+Signed-off-by: Xiaohui Zhang
+Acked-by: Krzysztof Kozlowski
+Link: https://lore.kernel.org/r/20220607083230.6182-1-xiaohuizhang@ruc.edu.cn
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/nfcmrvl/usb.c | 16 ++++++++++++++--
+ 1 file changed, 14 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/nfc/nfcmrvl/usb.c b/drivers/nfc/nfcmrvl/usb.c
+index deb953290f8f..e88147c47c17 100644
+--- a/drivers/nfc/nfcmrvl/usb.c
++++ b/drivers/nfc/nfcmrvl/usb.c
+@@ -400,13 +400,25 @@ static void nfcmrvl_play_deferred(struct nfcmrvl_usb_drv_data *drv_data)
+ int err;
+
+ while ((urb = usb_get_from_anchor(&drv_data->deferred))) {
++ usb_anchor_urb(urb, &drv_data->tx_anchor);
++
+ err = usb_submit_urb(urb, GFP_ATOMIC);
+- if (err)
++ if (err) {
++ kfree(urb->setup_packet);
++ usb_unanchor_urb(urb);
++ usb_free_urb(urb);
+ break;
++ }
+
+ drv_data->tx_in_flight++;
++ usb_free_urb(urb);
++ }
++
++ /* Cleanup the rest deferred urbs. */
++ while ((urb = usb_get_from_anchor(&drv_data->deferred))) {
++ kfree(urb->setup_packet);
++ usb_free_urb(urb);
+ }
+- usb_scuttle_anchored_urbs(&drv_data->deferred);
+ }
+
+ static int nfcmrvl_resume(struct usb_interface *intf)
+--
+2.35.1
+
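Review bot: A failing `usb_submit_urb()` in the first loop of nfcmrvl_play_deferred() is now cleaned up, but the value in `err` is still dropped without any record and the second loop then discards every remaining deferred URB. Logging `err` once before the `break` would make transmissions lost after resume diagnosable. The error path frees `urb->setup_packet` and the URB itself; the hunk does not show who owns the URB's transfer buffer, so it should be confirmed that nothing else attached to the URB stays allocated when it is discarded here and in the cleanup loop. The comment `/* Cleanup the rest deferred urbs. */` would read more clearly as `/* Free any URBs still deferred after a submit failure. */`.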
diff --git a/queue-4.14/random-credit-cpu-and-bootloader-seeds-by-default.patch b/queue-4.14/random-credit-cpu-and-bootloader-seeds-by-default.patch
new file mode 100644
index 00000000000..6b68472f6df
--- /dev/null
+++ b/queue-4.14/random-credit-cpu-and-bootloader-seeds-by-default.patch
@@ -0,0 +1,203 @@ +From ef243baf3645c6e97cc5ccc10f2ce3a548d0f558 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Jun 2022 22:07:01 -0400 +Subject: random: credit cpu and bootloader seeds by default + +From: Jason A. Donenfeld + +[ Upstream commit 846bb97e131d7938847963cca00657c995b1fce1 ] + +This commit changes the default Kconfig values of RANDOM_TRUST_CPU and +RANDOM_TRUST_BOOTLOADER to be Y by default. It does not change any +existing configs or change any kernel behavior. The reason for this is +several fold. + +As background, I recently had an email thread with the kernel +maintainers of Fedora/RHEL, Debian, Ubuntu, Gentoo, Arch, NixOS, Alpine, +SUSE, and Void as recipients. I noted that some distros trust RDRAND, +some trust EFI, and some trust both, and I asked why or why not. There +wasn't really much of a "debate" but rather an interesting discussion of +what the historical reasons have been for this, and it came up that some +distros just missed the introduction of the bootloader Kconfig knob, +while another didn't want to enable it until there was a boot time +switch to turn it off for more concerned users (which has since been +added). The result of the rather uneventful discussion is that every +major Linux distro enables these two options by default. + +While I didn't have really too strong of an opinion going into this +thread -- and I mostly wanted to learn what the distros' thinking was +one way or another -- ultimately I think their choice was a decent +enough one for a default option (which can be disabled at boot time). +I'll try to summarize the pros and cons: + +Pros: + +- The RNG machinery gets initialized super quickly, and there's no + messing around with subsequent blocking behavior. + +- The bootloader mechanism is used by kexec in order for the prior + kernel to initialize the RNG of the next kernel, which increases + the entropy available to early boot daemons of the next kernel. 
+ +- Previous objections related to backdoors centered around + Dual_EC_DRBG-like kleptographic systems, in which observing some + amount of the output stream enables an adversary holding the right key + to determine the entire output stream. + + This used to be a partially justified concern, because RDRAND output + was mixed into the output stream in varying ways, some of which may + have lacked pre-image resistance (e.g. XOR or an LFSR). + + But this is no longer the case. Now, all usage of RDRAND and + bootloader seeds go through a cryptographic hash function. This means + that the CPU would have to compute a hash pre-image, which is not + considered to be feasible (otherwise the hash function would be + terribly broken). + +- More generally, if the CPU is backdoored, the RNG is probably not the + realistic vector of choice for an attacker. + +- These CPU or bootloader seeds are far from being the only source of + entropy. Rather, there is generally a pretty huge amount of entropy, + not all of which is credited, especially on CPUs that support + instructions like RDRAND. In other words, assuming RDRAND outputs all + zeros, an attacker would *still* have to accurately model every single + other entropy source also in use. + +- The RNG now reseeds itself quite rapidly during boot, starting at 2 + seconds, then 4, then 8, then 16, and so forth, so that other sources + of entropy get used without much delay. + +- Paranoid users can set random.trust_{cpu,bootloader}=no in the kernel + command line, and paranoid system builders can set the Kconfig options + to N, so there's no reduction or restriction of optionality. + +- It's a practical default. + +- All the distros have it set this way. Microsoft and Apple trust it + too. Bandwagon. + +Cons: + +- RDRAND *could* still be backdoored with something like a fixed key or + limited space serial number seed or another indexable scheme like + that. 
(However, it's hard to imagine threat models where the CPU is + backdoored like this, yet people are still okay making *any* + computations with it or connecting it to networks, etc.) + +- RDRAND *could* be defective, rather than backdoored, and produce + garbage that is in one way or another insufficient for crypto. + +- Suggesting a *reduction* in paranoia, as this commit effectively does, + may cause some to question my personal integrity as a "security + person". + +- Bootloader seeds and RDRAND are generally very difficult if not all + together impossible to audit. + +Keep in mind that this doesn't actually change any behavior. This +is just a change in the default Kconfig value. The distros already are +shipping kernels that set things this way. + +Ard made an additional argument in [1]: + + We're at the mercy of firmware and micro-architecture anyway, given + that we are also relying on it to ensure that every instruction in + the kernel's executable image has been faithfully copied to memory, + and that the CPU implements those instructions as documented. So I + don't think firmware or ISA bugs related to RNGs deserve special + treatment - if they are broken, we should quirk around them like we + usually do. So enabling these by default is a step in the right + direction IMHO. + +In [2], Phil pointed out that having this disabled masked a bug that CI +otherwise would have caught: + + A clean 5.15.45 boots cleanly, whereas a downstream kernel shows the + static key warning (but it does go on to boot). The significant + difference is that our defconfigs set CONFIG_RANDOM_TRUST_BOOTLOADER=y + defining that on top of multi_v7_defconfig demonstrates the issue on + a clean 5.15.45. 
Conversely, not setting that option in a + downstream kernel build avoids the warning + +[1] https://lore.kernel.org/lkml/CAMj1kXGi+ieviFjXv9zQBSaGyyzeGW_VpMpTLJK8PJb2QHEQ-w@mail.gmail.com/ +[2] https://lore.kernel.org/lkml/c47c42e3-1d56-5859-a6ad-976a1a3381c6@raspberrypi.com/ + +Cc: Theodore Ts'o +Reviewed-by: Ard Biesheuvel +Signed-off-by: Jason A. Donenfeld +Signed-off-by: Sasha Levin +--- + drivers/char/Kconfig | 54 +++++++++++++++++++++++++++----------------- + 1 file changed, 33 insertions(+), 21 deletions(-) + +diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig +index 3efb8a74dc01..e329d1cc019a 100644 +--- a/drivers/char/Kconfig ++++ b/drivers/char/Kconfig +@@ -588,29 +588,41 @@ config TILE_SROM + + source "drivers/char/xillybus/Kconfig" + +-endmenu +- + config RANDOM_TRUST_CPU +- bool "Trust the CPU manufacturer to initialize Linux's CRNG" +- depends on X86 || S390 || PPC +- default n ++ bool "Initialize RNG using CPU RNG instructions" ++ default y ++ depends on ARCH_RANDOM + help +- Assume that CPU manufacturer (e.g., Intel or AMD for RDSEED or +- RDRAND, IBM for the S390 and Power PC architectures) is trustworthy +- for the purposes of initializing Linux's CRNG. Since this is not +- something that can be independently audited, this amounts to trusting +- that CPU manufacturer (perhaps with the insistence or mandate +- of a Nation State's intelligence or law enforcement agencies) +- has not installed a hidden back door to compromise the CPU's +- random number generation facilities. This can also be configured +- at boot with "random.trust_cpu=on/off". ++ Initialize the RNG using random numbers supplied by the CPU's ++ RNG instructions (e.g. RDRAND), if supported and available. These ++ random numbers are never used directly, but are rather hashed into ++ the main input pool, and this happens regardless of whether or not ++ this option is enabled. Instead, this option controls whether the ++ they are credited and hence can initialize the RNG. 
Additionally, ++ other sources of randomness are always used, regardless of this ++ setting. Enabling this implies trusting that the CPU can supply high ++ quality and non-backdoored random numbers. ++ ++ Say Y here unless you have reason to mistrust your CPU or believe ++ its RNG facilities may be faulty. This may also be configured at ++ boot time with "random.trust_cpu=on/off". + + config RANDOM_TRUST_BOOTLOADER +- bool "Trust the bootloader to initialize Linux's CRNG" ++ bool "Initialize RNG using bootloader-supplied seed" ++ default y + help +- Some bootloaders can provide entropy to increase the kernel's initial +- device randomness. Say Y here to assume the entropy provided by the +- booloader is trustworthy so it will be added to the kernel's entropy +- pool. Otherwise, say N here so it will be regarded as device input that +- only mixes the entropy pool. This can also be configured at boot with +- "random.trust_bootloader=on/off". ++ Initialize the RNG using a seed supplied by the bootloader or boot ++ environment (e.g. EFI or a bootloader-generated device tree). This ++ seed is not used directly, but is rather hashed into the main input ++ pool, and this happens regardless of whether or not this option is ++ enabled. Instead, this option controls whether the seed is credited ++ and hence can initialize the RNG. Additionally, other sources of ++ randomness are always used, regardless of this setting. Enabling ++ this implies trusting that the bootloader can supply high quality and ++ non-backdoored seeds. ++ ++ Say Y here unless you have reason to mistrust your bootloader or ++ believe its RNG facilities may be faulty. This may also be configured ++ at boot time with "random.trust_bootloader=on/off". ++ ++endmenu +-- +2.35.1 + diff --git a/queue-4.14/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch b/queue-4.14/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch new file mode 100644 index 00000000000..a7af31061ee --- /dev/null 
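Review bot: The new RANDOM_TRUST_CPU help text contains a typo, "controls whether the they are credited", which should read `controls whether they are credited`. More substantively, this queued patch flips both RANDOM_TRUST_CPU and RANDOM_TRUST_BOOTLOADER to `default y` in a stable series, so a build whose configuration never set these symbols explicitly may start crediting CPU and bootloader seeds after the update even though the description says no behaviour changes. The help text names the overrides `random.trust_cpu=on/off` and `random.trust_bootloader=on/off`; anyone who relied on the previous default should pin the symbols to N or set those parameters, after checking that the target tree honours them. The hunk also replaces `depends on X86 || S390 || PPC` with `depends on ARCH_RANDOM` and moves `endmenu` below both entries, neither of which the description mentions, so both are worth verifying against the 4.14 tree.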
+++ b/queue-4.14/scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch
@@ -0,0 +1,49 @@
+From dad981f97bae859f26c65cd9582b2ec142ee3d3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 29 May 2022 23:34:53 +0800
+Subject: scsi: ipr: Fix missing/incorrect resource cleanup in error case
+
+From: Chengguang Xu
+
+[ Upstream commit d64c491911322af1dcada98e5b9ee0d87e8c8fee ]
+
+Fix missing resource cleanup (when '(--i) == 0') for error case in
+ipr_alloc_mem() and skip incorrect resource cleanup (when '(--i) == 0') for
+error case in ipr_request_other_msi_irqs() because variable i started from
+1.
+
+Link: https://lore.kernel.org/r/20220529153456.4183738-4-cgxu519@mykernel.net
+Reviewed-by: Dan Carpenter
+Acked-by: Brian King
+Signed-off-by: Chengguang Xu
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/ipr.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c
+index b172f0a02083..99b37e19feca 100644
+--- a/drivers/scsi/ipr.c
++++ b/drivers/scsi/ipr.c
+@@ -9788,7 +9788,7 @@ static int ipr_alloc_mem(struct ipr_ioa_cfg *ioa_cfg)
+ GFP_KERNEL);
+
+ if (!ioa_cfg->hrrq[i].host_rrq) {
+- while (--i > 0)
++ while (--i >= 0)
+ dma_free_coherent(&pdev->dev,
+ sizeof(u32) * ioa_cfg->hrrq[i].size,
+ ioa_cfg->hrrq[i].host_rrq,
+@@ -10060,7 +10060,7 @@ static int ipr_request_other_msi_irqs(struct ipr_ioa_cfg *ioa_cfg,
+ ioa_cfg->vectors_info[i].desc,
+ &ioa_cfg->hrrq[i]);
+ if (rc) {
+- while (--i >= 0)
++ while (--i > 0)
+ free_irq(pci_irq_vector(pdev, i),
+ &ioa_cfg->hrrq[i]);
+ return rc;
+--
+2.35.1
+
diff --git a/queue-4.14/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch b/queue-4.14/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch
new file mode 100644
index 00000000000..5406c98f839
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch
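Review bot: The two unwind loops touched here now deliberately use different bounds, `while (--i >= 0)` in ipr_alloc_mem() and `while (--i > 0)` in ipr_request_other_msi_irqs(), and nothing in the code says why. The description explains that `i` starts from 1 in the second function, so index 0 must not be released there, but a later reader comparing the two loops could easily align them and bring back either the leak or the stray `free_irq()`. A comment at each loop would prevent that, e.g. `/* i started at 0: free entries i-1..0 */` and `/* i started at 1: vector 0 is not released here */`. Both function bodies extend beyond the hunks shown.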
@@ -0,0 +1,50 @@
+From c4c9cf01432dad753b9c765c3a888a7a5ff78f1b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Jun 2022 10:43:26 -0700
+Subject: scsi: lpfc: Fix port stuck in bypassed state after LIP in PT2PT
+ topology
+
+From: James Smart
+
+[ Upstream commit 336d63615466b4c06b9401c987813fd19bdde39b ]
+
+After issuing a LIP, a specific target vendor does not ACC the FLOGI that
+lpfc sends. However, it does send its own FLOGI that lpfc ACCs. The
+target then establishes the port IDs by sending a PLOGI. lpfc PLOGI_ACCs
+and starts the RPI registration for DID 0x000001. The target then sends a
+LOGO to the fabric DID. lpfc is currently treating the LOGO from the
+fabric DID as a link down and cleans up all the ndlps. The ndlp for DID
+0x000001 is put back into NPR and discovery stops, leaving the port in
+stuck in bypassed mode.
+
+Change lpfc behavior such that if a LOGO is received for the fabric DID in
+PT2PT topology skip the lpfc_linkdown_port() routine and just move the
+fabric DID back to NPR.
+
+Link: https://lore.kernel.org/r/20220603174329.63777-7-jsmart2021@gmail.com
+Co-developed-by: Justin Tee
+Signed-off-by: Justin Tee
+Signed-off-by: James Smart
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_nportdisc.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
+index da6685700b04..70733d751bb8 100644
+--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
++++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
+@@ -662,7 +662,8 @@ lpfc_rcv_logo(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
+ else
+ lpfc_els_rsp_acc(vport, ELS_CMD_ACC, cmdiocb, ndlp, NULL);
+ if (ndlp->nlp_DID == Fabric_DID) {
+- if (vport->port_state <= LPFC_FDISC)
++ if (vport->port_state <= LPFC_FDISC ||
++ vport->fc_flag & FC_PT2PT)
+ goto out;
+ lpfc_linkdown_port(vport);
+ spin_lock_irq(shost->host_lock);
+--
+2.35.1
+
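Review bot: The new early exit in lpfc_rcv_logo() carries no comment saying why a LOGO from the fabric DID is not treated as a link down in PT2PT, although the branch is driven by a frame from the remote port and now skips `lpfc_linkdown_port()`. A line such as `/* PT2PT: LOGO from the fabric DID is not a link down; just move the node back to NPR */` above the `if` would record the intent from the commit message. The bit test would also read more safely as `(vport->fc_flag & FC_PT2PT)`; precedence is correct as written, but the bare `&` next to `||` invites a second look. `fc_flag` is read here before `spin_lock_irq(shost->host_lock)` is taken a few lines down; whether that read needs the lock cannot be told from the hunk, and the function body continues outside it.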
diff --git a/queue-4.14/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch b/queue-4.14/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch
new file mode 100644
index 00000000000..a6436c32807
--- /dev/null
+++ b/queue-4.14/scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch
@@ -0,0 +1,37 @@
+From 2728f74aed42f94c1dbbf129e21a570671a4324e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 29 May 2022 23:34:55 +0800
+Subject: scsi: pmcraid: Fix missing resource cleanup in error case
+
+From: Chengguang Xu
+
+[ Upstream commit ec1e8adcbdf661c57c395bca342945f4f815add7 ]
+
+Fix missing resource cleanup (when '(--i) == 0') for error case in
+pmcraid_register_interrupt_handler().
+
+Link: https://lore.kernel.org/r/20220529153456.4183738-6-cgxu519@mykernel.net
+Reviewed-by: Dan Carpenter
+Signed-off-by: Chengguang Xu
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/pmcraid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c
+index b4d6cd8cd1ad..d27ae937ff68 100644
+--- a/drivers/scsi/pmcraid.c
++++ b/drivers/scsi/pmcraid.c
+@@ -4601,7 +4601,7 @@ pmcraid_register_interrupt_handler(struct pmcraid_instance *pinstance)
+ return 0;
+
+ out_unwind:
+- while (--i > 0)
++ while (--i >= 0)
+ free_irq(pci_irq_vector(pdev, i), &pinstance->hrrq_vector[i]);
+ pci_free_irq_vectors(pdev);
+ return rc;
+--
+2.35.1
+
diff --git a/queue-4.14/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch b/queue-4.14/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch
new file mode 100644
index 00000000000..5d343bba1fa
--- /dev/null
+++ b/queue-4.14/scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch
@@ -0,0 +1,40 @@
+From f185e43d3a66a27b84689422c4fa5f5d8c7ea6ce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 08:57:00 +0000
+Subject: scsi: vmw_pvscsi: Expand vcpuHint to 16 bits
+
+From: Wentao Wang
+
+[ Upstream commit cf71d59c2eceadfcde0fb52e237990a0909880d7 ]
+
+vcpuHint has been expanded to 16 bit on host to enable routing to more
+CPUs. Guest side should align with the change. This change has been tested
+with hosts with 8-bit and 16-bit vcpuHint, on both platforms host side can
+get correct value.
+
+Link: https://lore.kernel.org/r/EF35F4D5-5DCC-42C5-BCC4-29DF1729B24C@vmware.com
+Signed-off-by: Wentao Wang
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/vmw_pvscsi.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/vmw_pvscsi.h b/drivers/scsi/vmw_pvscsi.h
+index 75966d3f326e..d87c12324c03 100644
+--- a/drivers/scsi/vmw_pvscsi.h
++++ b/drivers/scsi/vmw_pvscsi.h
+@@ -333,8 +333,8 @@ struct PVSCSIRingReqDesc {
+ u8 tag;
+ u8 bus;
+ u8 target;
+- u8 vcpuHint;
+- u8 unused[59];
++ u16 vcpuHint;
++ u8 unused[58];
+ } __packed;
+
+ /*
+--
+2.35.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 7ba68ecf9cf..77ec066cae6 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
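Review bot: Nothing near struct PVSCSIRingReqDesc checks that `u16 vcpuHint` plus `u8 unused[58]` still adds up to the descriptor size the host expects, and this `__packed` layout is shared with the device, so a slip in the padding arithmetic would silently shift every request descriptor. A compile-time check in the driver's init path, `BUILD_BUG_ON(sizeof(struct PVSCSIRingReqDesc) != <descriptor size>);` with the size taken from the device specification, would pin it. The field would also benefit from a comment recording the compatibility assumption, e.g. `u16 vcpuHint; /* widened from u8; hosts with the 8-bit field presumably see only the low byte */`, to be confirmed against the host interface since the hunk does not show it. The struct definition begins outside the hunk.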
@@ -191,3 +191,18 @@ crypto-drbg-make-reseeding-from-get_random_bytes-synchronous.patch
 random-avoid-checking-crng_ready-twice-in-random_init.patch
 random-mark-bootloader-randomness-code-as-__init.patch
 random-account-for-arch-randomness-in-bits.patch
+asoc-cs42l52-fix-tlv-scales-for-mixer-controls.patch
+asoc-cs53l30-correct-number-of-volume-levels-on-sx-c.patch
+asoc-cs42l52-correct-tlv-for-bypass-volume.patch
+asoc-cs42l56-correct-typo-in-minimum-level-for-sx-vo.patch
+ata-libata-core-fix-null-pointer-deref-in-ata_host_a.patch
+asoc-wm8962-fix-suspend-while-playing-music.patch
+scsi-vmw_pvscsi-expand-vcpuhint-to-16-bits.patch
+scsi-lpfc-fix-port-stuck-in-bypassed-state-after-lip.patch
+scsi-ipr-fix-missing-incorrect-resource-cleanup-in-e.patch
+scsi-pmcraid-fix-missing-resource-cleanup-in-error-c.patch
+virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch
+nfc-nfcmrvl-fix-memory-leak-in-nfcmrvl_play_deferred.patch
+ipv6-fix-signed-integer-overflow-in-l2tp_ip6_sendmsg.patch
+net-ethernet-mtk_eth_soc-fix-misuse-of-mem-alloc-int.patch
+random-credit-cpu-and-bootloader-seeds-by-default.patch
diff --git a/queue-4.14/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch b/queue-4.14/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch
new file mode 100644
index 00000000000..e0e80de1963
--- /dev/null
+++ b/queue-4.14/virtio-mmio-fix-missing-put_device-when-vm_cmdline_p.patch
@@ -0,0 +1,37 @@
+From 10a38df47e46cae1887c42124f9cd6fde5a1a537 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 08:55:42 +0800
+Subject: virtio-mmio: fix missing put_device() when vm_cmdline_parent
+ registration failed
+
+From: chengkaitao
+
+[ Upstream commit a58a7f97ba11391d2d0d408e0b24f38d86ae748e ]
+
+The reference must be released when device_register(&vm_cmdline_parent)
+failed. Add the corresponding 'put_device()' in the error handling path.
+
+Signed-off-by: chengkaitao
+Message-Id: <20220602005542.16489-1-chengkaitao@didiglobal.com>
+Signed-off-by: Michael S. Tsirkin
+Acked-by: Jason Wang
+Signed-off-by: Sasha Levin
+---
+ drivers/virtio/virtio_mmio.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/virtio/virtio_mmio.c b/drivers/virtio/virtio_mmio.c
+index 74dc7170fd35..181386e06cb7 100644
+--- a/drivers/virtio/virtio_mmio.c
++++ b/drivers/virtio/virtio_mmio.c
+@@ -635,6 +635,7 @@ static int vm_cmdline_set(const char *device,
+ if (!vm_cmdline_parent_registered) {
+ err = device_register(&vm_cmdline_parent);
+ if (err) {
++ put_device(&vm_cmdline_parent);
+ pr_err("Failed to register parent device!\n");
+ return err;
+ }
+--
+2.35.1
+
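Review bot: The added `put_device(&vm_cmdline_parent)` releases an object that is passed by address and so is presumably a statically allocated `struct device`; the driver core warns when a device without a `release()` callback is released, and the definition is outside the hunk, so it should be checked for one. `vm_cmdline_parent_registered` also stays false on this path, so a later call to vm_cmdline_set() would hand the same, already released object to `device_register()` again; if a second call is reachable after a failure, that case needs handling or at least a comment. A short comment above the new line, e.g. `/* device_register() holds a reference even on failure; drop it */`, would explain why the put precedes the error return. The body of vm_cmdline_set() continues outside the hunk.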