From: Sasha Levin Date: Sun, 11 Jul 2021 14:44:17 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.4.132~30^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=862813fa2ce3f8beb6e9973719ffbf817313b0f1;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch b/queue-4.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch new file mode 100644 index 00000000000..08096646af0 --- /dev/null +++ b/queue-4.4/acpi-bus-call-kobject_put-in-acpi_init-error-path.patch @@ -0,0 +1,36 @@ +From 5d3a500ee8af991f5893ff823020734beee9a074 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 17:36:50 +0800 +Subject: ACPI: bus: Call kobject_put() in acpi_init() error path + +From: Hanjun Guo + +[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ] + +Although the system will not be in a good condition or it will not +boot if acpi_bus_init() fails, it is still necessary to put the +kobject in the error path before returning to avoid leaking memory. + +Signed-off-by: Hanjun Guo +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/bus.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c +index 521d1b28760c..d016eba51a95 100644 +--- a/drivers/acpi/bus.c ++++ b/drivers/acpi/bus.c +@@ -1087,6 +1087,7 @@ static int __init acpi_init(void) + init_acpi_device_notify(); + result = acpi_bus_init(); + if (result) { ++ kobject_put(acpi_kobj); + disable_acpi(); + return result; + } +-- +2.30.2 + diff --git a/queue-4.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch b/queue-4.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch new file mode 100644 index 00000000000..fdcce288a02 --- /dev/null +++ b/queue-4.4/acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch @@ -0,0 +1,113 @@ +From 9e2df9ae3f2c23ae1d8694f80d9444df2cbacc1c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 17:15:14 -0500 +Subject: ACPI: processor idle: Fix up C-state latency if not ordered + +From: Mario Limonciello + +[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ] + +Generally, the C-state latency is provided by the _CST method or +FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh, +and Cezanne set the C2 latency greater than C3's which causes the +C2 state to be skipped. + +That will block the core entering PC6, which prevents S0ix working +properly on Linux systems. + +In other operating systems, the latency values are not validated and +this does not cause problems by skipping states. + +To avoid this issue on Linux, detect when latencies are not an +arithmetic progression and sort them. + +Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725 +Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174 +Suggested-by: Prike Liang +Suggested-by: Alex Deucher +Signed-off-by: Mario Limonciello +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++ + 1 file changed, 40 insertions(+) + +diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c +index 175c86bee3a9..69fec2d3a1f5 100644 +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -28,6 +28,7 @@ + #include + #include + #include /* need_resched() */ ++#include + #include + #include + #include +@@ -572,10 +573,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr, + return; + } + ++static int acpi_cst_latency_cmp(const void *a, const void *b) ++{ ++ const struct acpi_processor_cx *x = a, *y = b; ++ ++ if (!(x->valid && y->valid)) ++ return 0; ++ if (x->latency > y->latency) ++ return 1; ++ if (x->latency < y->latency) ++ return -1; ++ return 0; ++} ++static void acpi_cst_latency_swap(void *a, void *b, int n) ++{ ++ struct acpi_processor_cx *x = a, *y = b; ++ u32 tmp; ++ ++ if (!(x->valid && y->valid)) ++ return; ++ tmp = x->latency; ++ x->latency = y->latency; ++ y->latency = tmp; ++} ++ + static int acpi_processor_power_verify(struct acpi_processor *pr) + { + unsigned int i; + unsigned int working = 0; ++ unsigned int last_latency = 0; ++ unsigned int last_type = 0; ++ bool buggy_latency = false; + + pr->power.timer_broadcast_on_state = INT_MAX; + +@@ -599,12 +627,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr) + } + if (!cx->valid) + continue; ++ if (cx->type >= last_type && cx->latency < last_latency) ++ buggy_latency = true; ++ last_latency = cx->latency; ++ last_type = cx->type; + + lapic_timer_check_state(i, pr, cx); + tsc_check_state(cx->type); + working++; + } + ++ if (buggy_latency) { ++ pr_notice("FW issue: working around C-state latencies out of order\n"); ++ sort(&pr->power.states[1], max_cstate, ++ sizeof(struct acpi_processor_cx), ++ acpi_cst_latency_cmp, ++ acpi_cst_latency_swap); ++ } ++ + lapic_timer_propagate_broadcast(pr); + + return (working); +-- +2.30.2 + diff --git a/queue-4.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch b/queue-4.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch new file mode 100644 index 00000000000..fe564aad5b6 --- /dev/null +++ b/queue-4.4/acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch @@ -0,0 +1,73 @@ +From 419f45010a1f9af6af1470926e9ad117b9f252b9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 17:12:01 +0000 +Subject: ACPI: sysfs: Fix a buffer overrun problem with description_show() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Krzysztof Wilczyński + +[ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ] + +Currently, a device description can be obtained using ACPI, if the _STR +method exists for a particular device, and then exposed to the userspace +via a sysfs object as a string value. + +If the _STR method is available for a given device then the data +(usually a Unicode string) is read and stored in a buffer (of the +ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the +struct acpi_device_pnp for later access. + +The description_show() function is responsible for exposing the device +description to the userspace via a corresponding sysfs object and +internally calls the utf16s_to_utf8s() function with a pointer to the +buffer that contains the Unicode string so that it can be converted from +UTF16 encoding to UTF8 and thus allowing for the value to be safely +stored and later displayed. + +When invoking the utf16s_to_utf8s() function, the description_show() +function also sets a limit of the data that can be saved into a provided +buffer as a result of the character conversion to be a total of +PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns +an integer value denoting the number of bytes that have been written +into the provided buffer. + +Following the execution of the utf16s_to_utf8s() a newline character +will be added at the end of the resulting buffer so that when the value +is read in the userspace through the sysfs object then it would include +newline making it more accessible when working with the sysfs file +system in the shell, etc. Normally, this wouldn't be a problem, but if +the function utf16s_to_utf8s() happens to return the number of bytes +written to be precisely PAGE_SIZE, then we would overrun the buffer and +write the newline character outside the allotted space which can have +undefined consequences or result in a failure. + +To fix this buffer overrun, ensure that there always is enough space +left for the newline character to be safely appended. + +Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description") +Signed-off-by: Krzysztof Wilczyński +Reviewed-by: Bjorn Helgaas +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/device_sysfs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index 139ee989b0d0..c201aaf287dc 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -450,7 +450,7 @@ static ssize_t description_show(struct device *dev, + (wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer, + acpi_dev->pnp.str_obj->buffer.length, + UTF16_LITTLE_ENDIAN, buf, +- PAGE_SIZE); ++ PAGE_SIZE - 1); + + buf[result++] = '\n'; + +-- +2.30.2 + diff --git a/queue-4.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch b/queue-4.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch new file mode 100644 index 00000000000..95bb77f4109 --- /dev/null +++ b/queue-4.4/ath10k-fix-an-error-code-in-ath10k_add_interface.patch @@ -0,0 +1,43 @@ +From 93af856bf9d2ebe243119858fdd89f072676c66b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 18:46:17 +0800 +Subject: ath10k: Fix an error code in ath10k_add_interface() + +From: Yang Li + +[ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ] + +When the code execute this if statement, the value of ret is 0. +However, we can see from the ath10k_warn() log that the value of +ret should be -EINVAL. + +Clean up smatch warning: + +drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn: +missing error code 'ret' + +Reported-by: Abaci Robot +Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine") +Signed-off-by: Yang Li +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/mac.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c +index 5fad38c3feb1..7993ca956ede 100644 +--- a/drivers/net/wireless/ath/ath10k/mac.c ++++ b/drivers/net/wireless/ath/ath10k/mac.c +@@ -4450,6 +4450,7 @@ static int ath10k_add_interface(struct ieee80211_hw *hw, + + if (arvif->nohwcrypt && + !test_bit(ATH10K_FLAG_RAW_MODE, &ar->dev_flags)) { ++ ret = -EINVAL; + ath10k_warn(ar, "cryptmode module param needed for sw crypto\n"); + goto err; + } +-- +2.30.2 + diff --git a/queue-4.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch b/queue-4.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch new file mode 100644 index 00000000000..e25537de90f --- /dev/null +++ b/queue-4.4/block_dump-remove-block_dump-feature-in-mark_inode_d.patch @@ -0,0 +1,84 @@ +From 2777de5ee13950da0ba0f4d3a31dec965d3ecef9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 13 Mar 2021 11:01:44 +0800 +Subject: block_dump: remove block_dump feature in mark_inode_dirty() + +From: zhangyi (F) + +[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ] + +block_dump is an old debugging interface, one of it's functions is used +to print the information about who write which file on disk. If we +enable block_dump through /proc/sys/vm/block_dump and turn on debug log +level, we can gather information about write process name, target file +name and disk from kernel message. This feature is realized in +block_dump___mark_inode_dirty(), it print above information into kernel +message directly when marking inode dirty, so it is noisy and can easily +trigger log storm. At the same time, get the dentry refcount is also not +safe, we found it will lead to deadlock on ext4 file system with +data=journal mode. + +After tracepoints has been introduced into the kernel, we got a +tracepoint in __mark_inode_dirty(), which is a better replacement of +block_dump___mark_inode_dirty(). The only downside is that it only trace +the inode number and not a file name, but it probably doesn't matter +because the original printed file name in block_dump is not accurate in +some cases, and we can still find it through the inode number and device +id. So this patch delete the dirting inode part of block_dump feature. + +Signed-off-by: zhangyi (F) +Reviewed-by: Jan Kara +Reviewed-by: Christoph Hellwig +Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 25 ------------------------- + 1 file changed, 25 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 7f068330edb6..958a1bd0b5fc 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -2040,28 +2040,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write, + return ret; + } + +-static noinline void block_dump___mark_inode_dirty(struct inode *inode) +-{ +- if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) { +- struct dentry *dentry; +- const char *name = "?"; +- +- dentry = d_find_alias(inode); +- if (dentry) { +- spin_lock(&dentry->d_lock); +- name = (const char *) dentry->d_name.name; +- } +- printk(KERN_DEBUG +- "%s(%d): dirtied inode %lu (%s) on %s\n", +- current->comm, task_pid_nr(current), inode->i_ino, +- name, inode->i_sb->s_id); +- if (dentry) { +- spin_unlock(&dentry->d_lock); +- dput(dentry); +- } +- } +-} +- + /** + * __mark_inode_dirty - internal function + * @inode: inode to mark +@@ -2120,9 +2098,6 @@ void __mark_inode_dirty(struct inode *inode, int flags) + (dirtytime && (inode->i_state & I_DIRTY_INODE))) + return; + +- if (unlikely(block_dump)) +- block_dump___mark_inode_dirty(inode); +- + spin_lock(&inode->i_lock); + if (dirtytime && (inode->i_state & I_DIRTY_INODE)) + goto out_unlock_inode; +-- +2.30.2 + diff --git a/queue-4.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch b/queue-4.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch new file mode 100644 index 00000000000..4b0d7521577 --- /dev/null +++ b/queue-4.4/brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch @@ -0,0 +1,55 @@ +From 36b80b5d244bb2a75f2e93bf4e1fe4b96d77c73c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 22:58:30 +0200 +Subject: brcmsmac: mac80211_if: Fix a resource leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ] + +If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()' +as already done in the remove function. + +Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers") +Signed-off-by: Christophe JAILLET +Acked-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c +index a4e1eec96c60..e3a500fb4e3c 100644 +--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c ++++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c +@@ -1221,6 +1221,7 @@ static int brcms_bcma_probe(struct bcma_device *pdev) + { + struct brcms_info *wl; + struct ieee80211_hw *hw; ++ int ret; + + dev_info(&pdev->dev, "mfg %x core %x rev %d class %d irq %d\n", + pdev->id.manuf, pdev->id.id, pdev->id.rev, pdev->id.class, +@@ -1245,11 +1246,16 @@ static int brcms_bcma_probe(struct bcma_device *pdev) + wl = brcms_attach(pdev); + if (!wl) { + pr_err("%s: brcms_attach failed!\n", __func__); +- return -ENODEV; ++ ret = -ENODEV; ++ goto err_free_ieee80211; + } + brcms_led_register(wl); + + return 0; ++ ++err_free_ieee80211: ++ ieee80211_free_hw(hw); ++ return ret; + } + + static int brcms_suspend(struct bcma_device *pdev) +-- +2.30.2 + diff --git a/queue-4.4/btrfs-disable-build-on-platforms-having-page-size-25.patch b/queue-4.4/btrfs-disable-build-on-platforms-having-page-size-25.patch new file mode 100644 index 00000000000..a151f9c8b1f --- /dev/null +++ b/queue-4.4/btrfs-disable-build-on-platforms-having-page-size-25.patch @@ -0,0 +1,54 @@ +From 01c87831a2f928686440210afdccaee7036ba1a9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 05:23:02 +0000 +Subject: btrfs: disable build on platforms having page size 256K + +From: Christophe Leroy + +[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ] + +With a config having PAGE_SIZE set to 256K, BTRFS build fails +with the following message + + include/linux/compiler_types.h:326:38: error: call to + '__compiletime_assert_791' declared with attribute error: + BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0 + +BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with +256K pages at the time being. + +There are two platforms that can select 256K pages: + - hexagon + - powerpc + +Disable BTRFS when 256K page size is selected. Supporting this would +require changes to the subpage mode that's currently being developed. +Given that 256K is many times larger than page sizes commonly used and +for what the algorithms and structures have been tuned, it's out of +scope and disabling build is a reasonable option. + +Reported-by: kernel test robot +Signed-off-by: Christophe Leroy +[ update changelog ] +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/Kconfig | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig +index 80e9c18ea64f..fd6b67c40d9d 100644 +--- a/fs/btrfs/Kconfig ++++ b/fs/btrfs/Kconfig +@@ -9,6 +9,8 @@ config BTRFS_FS + select RAID6_PQ + select XOR_BLOCKS + select SRCU ++ depends on !PPC_256K_PAGES # powerpc ++ depends on !PAGE_SIZE_256KB # hexagon + + help + Btrfs is a general purpose copy-on-write filesystem with extents, +-- +2.30.2 + diff --git a/queue-4.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch b/queue-4.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch new file mode 100644 index 00000000000..024853a7df8 --- /dev/null +++ b/queue-4.4/char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch @@ -0,0 +1,41 @@ +From d4668ff55117eab91d6b7a731cb7012fa21ddcae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 20:06:17 +0800 +Subject: char: pcmcia: error out if 'num_bytes_read' is greater than 4 in + set_protocol() + +From: Yu Kuai + +[ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ] + +Theoretically, it will cause index out of bounds error if +'num_bytes_read' is greater than 4. As we expect it(and was tested) +never to be greater than 4, error out if it happens. + +Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver") +Signed-off-by: Yu Kuai +Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/pcmcia/cm4000_cs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c +index c115217c79ae..f8d98f7e6fb7 100644 +--- a/drivers/char/pcmcia/cm4000_cs.c ++++ b/drivers/char/pcmcia/cm4000_cs.c +@@ -544,6 +544,10 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq) + io_read_num_rec_bytes(iobase, &num_bytes_read); + if (num_bytes_read >= 4) { + DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read); ++ if (num_bytes_read > 4) { ++ rc = -EIO; ++ goto exit_setprotocol; ++ } + break; + } + mdelay(10); +-- +2.30.2 + diff --git a/queue-4.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch b/queue-4.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch new file mode 100644 index 00000000000..136c96c99db --- /dev/null +++ b/queue-4.4/crypto-ixp4xx-dma_unmap-the-correct-address.patch @@ -0,0 +1,38 @@ +From 9a62eeda09da048048f5c68695d512f9b58d6832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 May 2021 20:26:08 +0000 +Subject: crypto: ixp4xx - dma_unmap the correct address + +From: Corentin Labbe + +[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ] + +Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error: +DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes] + +This is due to dma_unmap using the wrong address. + +Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers") +Signed-off-by: Corentin Labbe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ixp4xx_crypto.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c +index 13657105cfb9..8d0613170d57 100644 +--- a/drivers/crypto/ixp4xx_crypto.c ++++ b/drivers/crypto/ixp4xx_crypto.c +@@ -334,7 +334,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys) + + buf1 = buf->next; + phys1 = buf->phys_next; +- dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir); ++ dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir); + dma_pool_free(buffer_pool, buf, phys); + buf = buf1; + phys = phys1; +-- +2.30.2 + diff --git a/queue-4.4/crypto-nx-add-missing-module_device_table.patch b/queue-4.4/crypto-nx-add-missing-module_device_table.patch new file mode 100644 index 00000000000..1b2ed80cfdc --- /dev/null +++ b/queue-4.4/crypto-nx-add-missing-module_device_table.patch @@ -0,0 +1,36 @@ +From 238cddbba89294d51767b6125005569a24c02cd1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 11:14:55 +0800 +Subject: crypto: nx - add missing MODULE_DEVICE_TABLE + +From: Bixuan Cui + +[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ] + +This patch adds missing MODULE_DEVICE_TABLE definition which generates +correct modalias for automatic loading of this driver when it is built +as an external module. + +Reported-by: Hulk Robot +Signed-off-by: Bixuan Cui +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-842-pseries.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c +index cddc6d8b55d9..2e5b4004f0ee 100644 +--- a/drivers/crypto/nx/nx-842-pseries.c ++++ b/drivers/crypto/nx/nx-842-pseries.c +@@ -1086,6 +1086,7 @@ static struct vio_device_id nx842_vio_driver_ids[] = { + {"ibm,compression-v1", "ibm,compression"}, + {"", ""}, + }; ++MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids); + + static struct vio_driver nx842_vio_driver = { + .name = KBUILD_MODNAME, +-- +2.30.2 + diff --git a/queue-4.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch b/queue-4.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch new file mode 100644 index 00000000000..975d019f212 --- /dev/null +++ b/queue-4.4/crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch @@ -0,0 +1,61 @@ +From c76d4874934762f0d2803c8cb96c54611c626a75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Jun 2021 15:57:12 +0800 +Subject: crypto: nx - Fix RCU warning in nx842_OF_upd_status + +From: Herbert Xu + +[ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ] + +The function nx842_OF_upd_status triggers a sparse RCU warning when +it directly dereferences the RCU-protected devdata. This appears +to be an accident as there was another variable of the same name +that was passed in from the caller. + +After it was removed (because the main purpose of using it, to +update the status member was itself removed) the global variable +unintenionally stood in as its replacement. + +This patch restores the devdata parameter. + +Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/nx/nx-842-pseries.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c +index 2e5b4004f0ee..1b8c87770645 100644 +--- a/drivers/crypto/nx/nx-842-pseries.c ++++ b/drivers/crypto/nx/nx-842-pseries.c +@@ -553,13 +553,15 @@ static int nx842_OF_set_defaults(struct nx842_devdata *devdata) + * The status field indicates if the device is enabled when the status + * is 'okay'. Otherwise the device driver will be disabled. + * +- * @prop - struct property point containing the maxsyncop for the update ++ * @devdata: struct nx842_devdata to use for dev_info ++ * @prop: struct property point containing the maxsyncop for the update + * + * Returns: + * 0 - Device is available + * -ENODEV - Device is not available + */ +-static int nx842_OF_upd_status(struct property *prop) ++static int nx842_OF_upd_status(struct nx842_devdata *devdata, ++ struct property *prop) + { + const char *status = (const char *)prop->value; + +@@ -773,7 +775,7 @@ static int nx842_OF_upd(struct property *new_prop) + goto out; + + /* Perform property updates */ +- ret = nx842_OF_upd_status(status); ++ ret = nx842_OF_upd_status(new_devdata, status); + if (ret) + goto error_out; + +-- +2.30.2 + diff --git a/queue-4.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch b/queue-4.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch new file mode 100644 index 00000000000..9ae608c601f --- /dev/null +++ b/queue-4.4/crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch @@ -0,0 +1,47 @@ +From 33a99f32cf8654d85de8f6b8af6c3725f590c0c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 05:13:15 -0400 +Subject: crypto: qat - check return code of qat_hal_rd_rel_reg() + +From: Jack Xu + +[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ] + +Check the return code of the function qat_hal_rd_rel_reg() and return it +to the caller. + +This is to fix the following warning when compiling the driver with +clang scan-build: + + drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c +index 380e761801a7..5e5003379281 100644 +--- a/drivers/crypto/qat/qat_common/qat_hal.c ++++ b/drivers/crypto/qat/qat_common/qat_hal.c +@@ -1210,7 +1210,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle, + pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr); + return -EINVAL; + } +- qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval); ++ if (status) { ++ pr_err("QAT: failed to read register"); ++ return status; ++ } + gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum); + data16low = 0xffff & data; + data16hi = 0xffff & (data >> 0x10); +-- +2.30.2 + diff --git a/queue-4.4/crypto-qat-remove-unused-macro-in-fw-loader.patch b/queue-4.4/crypto-qat-remove-unused-macro-in-fw-loader.patch new file mode 100644 index 00000000000..2ed70b4c47d --- /dev/null +++ b/queue-4.4/crypto-qat-remove-unused-macro-in-fw-loader.patch @@ -0,0 +1,42 @@ +From 3aac480bce592667e5e470384cfac55c378587fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 May 2021 05:13:16 -0400 +Subject: crypto: qat - remove unused macro in FW loader + +From: Jack Xu + +[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ] + +Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware +loader. + +This is to fix the following warning when compiling the driver using the +clang compiler with CC=clang W=2: + + drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros] + +Signed-off-by: Jack Xu +Co-developed-by: Zhehui Xiang +Signed-off-by: Zhehui Xiang +Reviewed-by: Giovanni Cabiddu +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/qat_uclo.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c +index 923bb1988973..28e642959a9a 100644 +--- a/drivers/crypto/qat/qat_common/qat_uclo.c ++++ b/drivers/crypto/qat/qat_common/qat_uclo.c +@@ -360,7 +360,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle, + return 0; + } + +-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000 + static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle, + struct icp_qat_uof_initmem *init_mem) + { +-- +2.30.2 + diff --git a/queue-4.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch b/queue-4.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch new file mode 100644 index 00000000000..9e98220d1b8 --- /dev/null +++ b/queue-4.4/crypto-shash-avoid-comparing-pointers-to-exported-fu.patch @@ -0,0 +1,88 @@ +From 06d9bda3f2abc23ee2b7ea588a3a9e3931122d22 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 08:21:50 +0200 +Subject: crypto: shash - avoid comparing pointers to exported functions under + CFI + +From: Ard Biesheuvel + +[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ] + +crypto_shash_alg_has_setkey() is implemented by testing whether the +.setkey() member of a struct shash_alg points to the default version, +called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static +inline, this requires shash_no_setkey() to be exported to modules. + +Unfortunately, when building with CFI, function pointers are routed +via CFI stubs which are private to each module (or to the kernel proper) +and so this function pointer comparison may fail spuriously. + +Let's fix this by turning crypto_shash_alg_has_setkey() into an out of +line function. + +Cc: Sami Tolvanen +Cc: Eric Biggers +Signed-off-by: Ard Biesheuvel +Reviewed-by: Eric Biggers +Reviewed-by: Sami Tolvanen +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/shash.c | 18 +++++++++++++++--- + include/crypto/internal/hash.h | 8 +------- + 2 files changed, 16 insertions(+), 10 deletions(-) + +diff --git a/crypto/shash.c b/crypto/shash.c +index 4f89f78031e2..8f162476d214 100644 +--- a/crypto/shash.c ++++ b/crypto/shash.c +@@ -24,12 +24,24 @@ + + static const struct crypto_type crypto_shash_type; + +-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, +- unsigned int keylen) ++static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, ++ unsigned int keylen) + { + return -ENOSYS; + } +-EXPORT_SYMBOL_GPL(shash_no_setkey); ++ ++/* ++ * Check whether an shash algorithm has a setkey function. ++ * ++ * For CFI compatibility, this must not be an inline function. This is because ++ * when CFI is enabled, modules won't get the same address for shash_no_setkey ++ * (if it were exported, which inlining would require) as the core kernel will. ++ */ ++bool crypto_shash_alg_has_setkey(struct shash_alg *alg) ++{ ++ return alg->setkey != shash_no_setkey; ++} ++EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey); + + static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key, + unsigned int keylen) +diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h +index dab9569f22bf..e51741670a60 100644 +--- a/include/crypto/internal/hash.h ++++ b/include/crypto/internal/hash.h +@@ -83,13 +83,7 @@ int ahash_register_instance(struct crypto_template *tmpl, + struct ahash_instance *inst); + void ahash_free_instance(struct crypto_instance *inst); + +-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key, +- unsigned int keylen); +- +-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg) +-{ +- return alg->setkey != shash_no_setkey; +-} ++bool crypto_shash_alg_has_setkey(struct shash_alg *alg); + + bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg); + +-- +2.30.2 + diff --git a/queue-4.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch b/queue-4.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch new file mode 100644 index 00000000000..e7860cbe443 --- /dev/null +++ b/queue-4.4/crypto-ux500-fix-error-return-code-in-hash_hw_final.patch @@ -0,0 +1,37 @@ +From fc113f02119e68f060bc4665af18db53822a57d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 15:00:49 +0800 +Subject: crypto: ux500 - Fix error return code in hash_hw_final() + +From: Zhen Lei + +[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ] + +Fix to return a negative error code from the error handling +case instead of 0, as done elsewhere in this function. + +Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Linus Walleij +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/ux500/hash/hash_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c +index bca6b701c067..7021b5b49c03 100644 +--- a/drivers/crypto/ux500/hash/hash_core.c ++++ b/drivers/crypto/ux500/hash/hash_core.c +@@ -1022,6 +1022,7 @@ static int hash_hw_final(struct ahash_request *req) + goto out; + } + } else if (req->nbytes == 0 && ctx->keylen > 0) { ++ ret = -EPERM; + dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n", + __func__); + goto out; +-- +2.30.2 + diff --git a/queue-4.4/drm-qxl-ensure-surf.data-is-ininitialized.patch b/queue-4.4/drm-qxl-ensure-surf.data-is-ininitialized.patch new file mode 100644 index 00000000000..7353232a553 --- /dev/null +++ b/queue-4.4/drm-qxl-ensure-surf.data-is-ininitialized.patch @@ -0,0 +1,40 @@ +From cc5c7e9607b585ede27b0f5af114136606939e57 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Jun 2021 17:13:13 +0100 +Subject: drm: qxl: ensure surf.data is ininitialized + +From: Colin Ian King + +[ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ] + +The object surf is not fully initialized and the uninitialized +field surf.data is being copied by the call to qxl_bo_create +via the call to qxl_gem_object_create. Set surf.data to zero +to ensure garbage data from the stack is not being copied. + +Addresses-Coverity: ("Uninitialized scalar variable") +Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)") +Signed-off-by: Colin Ian King +Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com +Signed-off-by: Gerd Hoffmann +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/qxl/qxl_dumb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c +index d34bb4130ff0..5f757328fced 100644 +--- a/drivers/gpu/drm/qxl/qxl_dumb.c ++++ b/drivers/gpu/drm/qxl/qxl_dumb.c +@@ -57,6 +57,8 @@ int qxl_mode_dumb_create(struct drm_file *file_priv, + surf.height = args->height; + surf.stride = pitch; + surf.format = format; ++ surf.data = 0; ++ + r = qxl_gem_object_create_with_handle(qdev, file_priv, + QXL_GEM_DOMAIN_VRAM, + args->size, &surf, &qobj, +-- +2.30.2 + diff --git a/queue-4.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch b/queue-4.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch new file mode 100644 index 00000000000..287896bdbba --- /dev/null +++ b/queue-4.4/ehea-fix-error-return-code-in-ehea_restart_qps.patch @@ -0,0 +1,69 @@ +From 2afa48e5e2cf9864b6931b21418a97172b17477a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 28 May 2021 16:55:55 +0800 +Subject: ehea: fix error return code in ehea_restart_qps() + +From: Zhen Lei + +[ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ] + +Fix to return -EFAULT from the error handling case instead of 0, as done +elsewhere in this function. + +By the way, when get_zeroed_page() fails, directly return -ENOMEM to +simplify code. + +Fixes: 2c69448bbced ("ehea: DLPAR memory add fix") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c +index efe84ca20da7..43fc6d370457 100644 +--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c ++++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c +@@ -2654,10 +2654,8 @@ static int ehea_restart_qps(struct net_device *dev) + u16 dummy16 = 0; + + cb0 = (void *)get_zeroed_page(GFP_KERNEL); +- if (!cb0) { +- ret = -ENOMEM; +- goto out; +- } ++ if (!cb0) ++ return -ENOMEM; + + for (i = 0; i < (port->num_def_qps); i++) { + struct ehea_port_res *pr = &port->port_res[i]; +@@ -2677,6 +2675,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2689,6 +2688,7 @@ static int ehea_restart_qps(struct net_device *dev) + &dummy64, &dummy16, &dummy16); + if (hret != H_SUCCESS) { + netdev_err(dev, "modify_ehea_qp failed (1)\n"); ++ ret = -EFAULT; + goto out; + } + +@@ -2697,6 +2697,7 @@ static int ehea_restart_qps(struct net_device *dev) + cb0); + if (hret != H_SUCCESS) { + netdev_err(dev, "query_ehea_qp failed (2)\n"); ++ ret = -EFAULT; + goto out; + } + +-- +2.30.2 + diff --git a/queue-4.4/extcon-max8997-add-missing-modalias-string.patch b/queue-4.4/extcon-max8997-add-missing-modalias-string.patch new file mode 100644 index 00000000000..8ae1b74d100 --- /dev/null +++ b/queue-4.4/extcon-max8997-add-missing-modalias-string.patch @@ -0,0 +1,33 @@ +From 79816c3092192a3a1a79ac415d5194ecab6367af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 23 Apr 2021 22:46:24 +0200 +Subject: extcon: max8997: Add missing modalias string + +From: Marek Szyprowski + +[ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ] + +The platform device driver name is "max8997-muic", so advertise it +properly in the modalias string. This fixes automated module loading when +this driver is compiled as a module. + +Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver") +Signed-off-by: Marek Szyprowski +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-max8997.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c +index 3d6b42f61f56..a37c7257ccc7 100644 +--- a/drivers/extcon/extcon-max8997.c ++++ b/drivers/extcon/extcon-max8997.c +@@ -780,3 +780,4 @@ module_platform_driver(max8997_muic_driver); + MODULE_DESCRIPTION("Maxim MAX8997 Extcon driver"); + MODULE_AUTHOR("Donggeun Kim "); + MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:max8997-muic"); +-- +2.30.2 + diff --git a/queue-4.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch b/queue-4.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch new file mode 100644 index 00000000000..380d025e953 --- /dev/null +++ b/queue-4.4/extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch @@ -0,0 +1,40 @@ +From f299ec77074c5302fa3e4f6da995d41a48b85ca8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 15:34:35 +0200 +Subject: extcon: sm5502: Drop invalid register write in sm5502_reg_data + +From: Stephan Gerhold + +[ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ] + +When sm5502_init_dev_type() iterates over sm5502_reg_data to +initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data). +There is no need to add another empty element to sm5502_reg_data. + +Having the additional empty element in sm5502_reg_data will just +result in writing 0xff to register 0x00, which does not really +make sense. + +Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver") +Signed-off-by: Stephan Gerhold +Signed-off-by: Chanwoo Choi +Signed-off-by: Sasha Levin +--- + drivers/extcon/extcon-sm5502.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c +index f63f9961ac12..9b8c79bc3acd 100644 +--- a/drivers/extcon/extcon-sm5502.c ++++ b/drivers/extcon/extcon-sm5502.c +@@ -92,7 +92,6 @@ static struct reg_data sm5502_reg_data[] = { + | SM5502_REG_INTM2_MHL_MASK, + .invert = true, + }, +- { } + }; + + /* List of detectable cables */ +-- +2.30.2 + diff --git a/queue-4.4/fs-dlm-cancel-work-sync-othercon.patch b/queue-4.4/fs-dlm-cancel-work-sync-othercon.patch new file mode 100644 index 00000000000..1a60d8e38a9 --- /dev/null +++ b/queue-4.4/fs-dlm-cancel-work-sync-othercon.patch @@ -0,0 +1,38 @@ +From d2bf711ec55ffb7308687aff5f4cde100d5fba54 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 May 2021 15:08:38 -0400 +Subject: fs: dlm: cancel work sync othercon + +From: Alexander Aring + +[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ] + +These rx tx flags arguments are for signaling close_connection() from +which worker they are called. Obviously the receive worker cannot cancel +itself and vice versa for swork. For the othercon the receive worker +should only be used, however to avoid deadlocks we should pass the same +flags as the original close_connection() was called. + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lowcomms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c +index 9d7a4a714907..99f4cd91910f 100644 +--- a/fs/dlm/lowcomms.c ++++ b/fs/dlm/lowcomms.c +@@ -554,7 +554,7 @@ static void close_connection(struct connection *con, bool and_other, + } + if (con->othercon && and_other) { + /* Will only re-enter once. */ +- close_connection(con->othercon, false, true, true); ++ close_connection(con->othercon, false, tx, rx); + } + if (con->rx_page) { + __free_page(con->rx_page); +-- +2.30.2 + diff --git a/queue-4.4/i40e-fix-error-handling-in-i40e_vsi_open.patch b/queue-4.4/i40e-fix-error-handling-in-i40e_vsi_open.patch new file mode 100644 index 00000000000..f1543a327d6 --- /dev/null +++ b/queue-4.4/i40e-fix-error-handling-in-i40e_vsi_open.patch @@ -0,0 +1,38 @@ +From eab2d8f89a65763001ed7bc07d46fdef4a7746a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 28 Feb 2021 19:50:58 +0800 +Subject: i40e: Fix error handling in i40e_vsi_open + +From: Dinghao Liu + +[ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ] + +When vsi->type == I40E_VSI_FDIR, we have caught the return value of +i40e_vsi_request_irq() but without further handling. Check and execute +memory clean on failure just like the other i40e_vsi_request_irq(). + +Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown") +Signed-off-by: Dinghao Liu +Tested-by: Tony Brelinski +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 8bdc17658f3f..d6d4faa5c542 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -5409,6 +5409,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi) + dev_driver_string(&pf->pdev->dev), + dev_name(&pf->pdev->dev)); + err = i40e_vsi_request_irq(vsi, int_name); ++ if (err) ++ goto err_setup_rx; + + } else { + err = -EINVAL; +-- +2.30.2 + diff --git a/queue-4.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch b/queue-4.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch new file mode 100644 index 00000000000..a8a4a120c63 --- /dev/null +++ b/queue-4.4/ia64-mca_drv-fix-incorrect-array-size-calculation.patch @@ -0,0 +1,48 @@ +From 380fa6f009d984c471bb65dd73322b0ab45135f2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Jun 2021 19:33:41 -0700 +Subject: ia64: mca_drv: fix incorrect array size calculation + +From: Arnd Bergmann + +[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ] + +gcc points out a mistake in the mca driver that goes back to before the +git history: + +arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools': +arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element typ +e is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div] + 346 | for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++) + | ^ + +This is the same as sizeof(size_t), which is two shorter than the actual +array. Use the ARRAY_SIZE() macro to get the correct calculation instead. + +Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org +Signed-off-by: Arnd Bergmann +Cc: Masahiro Yamada +Cc: Randy Dunlap +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/ia64/kernel/mca_drv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c +index 94f8bf777afa..3503d488e9b3 100644 +--- a/arch/ia64/kernel/mca_drv.c ++++ b/arch/ia64/kernel/mca_drv.c +@@ -343,7 +343,7 @@ init_record_index_pools(void) + + /* - 2 - */ + sect_min_size = sal_log_sect_min_sizes[0]; +- for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++) ++ for (i = 1; i < ARRAY_SIZE(sal_log_sect_min_sizes); i++) + if (sect_min_size > sal_log_sect_min_sizes[i]) + sect_min_size = sal_log_sect_min_sizes[i]; + +-- +2.30.2 + diff --git a/queue-4.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch b/queue-4.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch new file mode 100644 index 00000000000..98a81042f9e --- /dev/null +++ b/queue-4.4/iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch @@ -0,0 +1,60 @@ +From 01eaad706bc6a40eb42fd7daee9f8c1e0756c88a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:03 +0100 +Subject: iio: accel: bma180: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()") +Signed-off-by: Jonathan Cameron +Cc: Peter Meerwald +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/bma180.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c +index f04b88406995..68c9e5478fec 100644 +--- a/drivers/iio/accel/bma180.c ++++ b/drivers/iio/accel/bma180.c +@@ -120,7 +120,11 @@ struct bma180_data { + int scale; + int bw; + bool pmode; +- u8 buff[16]; /* 3x 16-bit + 8-bit + padding + timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chan[4]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + enum bma180_chan { +@@ -666,12 +670,12 @@ static irqreturn_t bma180_trigger_handler(int irq, void *p) + mutex_unlock(&data->mutex); + goto err; + } +- ((s16 *)data->buff)[i++] = ret; ++ data->scan.chan[i++] = ret; + } + + mutex_unlock(&data->mutex); + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buff, time_ns); ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, time_ns); + err: + iio_trigger_notify_done(indio_dev->trig); + +-- +2.30.2 + diff --git a/queue-4.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch b/queue-4.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch new file mode 100644 index 00000000000..e6e2754d068 --- /dev/null +++ b/queue-4.4/iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch @@ -0,0 +1,68 @@ +From 239ef9aa730004cc75d337e79d8a4a464cdaead8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:08 +0100 +Subject: iio: accel: stk8312: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/stk8312.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/iio/accel/stk8312.c b/drivers/iio/accel/stk8312.c +index 85fe7f7247c1..945c80183f35 100644 +--- a/drivers/iio/accel/stk8312.c ++++ b/drivers/iio/accel/stk8312.c +@@ -107,7 +107,11 @@ struct stk8312_data { + u8 mode; + struct iio_trigger *dready_trig; + bool dready_trigger_on; +- s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 64-bit timestamp */ ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s8 chans[3]; ++ s64 timestamp __aligned(8); ++ } scan; + }; + + static IIO_CONST_ATTR(in_accel_scale_available, STK8312_SCALE_AVAIL); +@@ -444,7 +448,7 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p) + ret = i2c_smbus_read_i2c_block_data(data->client, + STK8312_REG_XOUT, + STK8312_ALL_CHANNEL_SIZE, +- data->buffer); ++ data->scan.chans); + if (ret < STK8312_ALL_CHANNEL_SIZE) { + dev_err(&data->client->dev, "register read failed\n"); + mutex_unlock(&data->lock); +@@ -458,12 +462,12 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p) + mutex_unlock(&data->lock); + goto err; + } +- data->buffer[i++] = ret; ++ data->scan.chans[i++] = ret; + } + } + mutex_unlock(&data->lock); + +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + iio_trigger_notify_done(indio_dev->trig); +-- +2.30.2 + diff --git a/queue-4.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch b/queue-4.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch new file mode 100644 index 00000000000..848df1c4611 --- /dev/null +++ b/queue-4.4/iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch @@ -0,0 +1,71 @@ +From 3e1314255acc9183ec6395dd1bb378a9b511b21b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 1 May 2021 18:01:09 +0100 +Subject: iio: accel: stk8ba50: Fix buffer alignment in + iio_push_to_buffers_with_timestamp() + +From: Jonathan Cameron + +[ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ] + +To make code more readable, use a structure to express the channel +layout and ensure the timestamp is 8 byte aligned. + +Found during an audit of all calls of this function. + +Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50") +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/iio/accel/stk8ba50.c | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/drivers/iio/accel/stk8ba50.c b/drivers/iio/accel/stk8ba50.c +index 5709d9eb8f34..b6e2d15024c8 100644 +--- a/drivers/iio/accel/stk8ba50.c ++++ b/drivers/iio/accel/stk8ba50.c +@@ -95,12 +95,11 @@ struct stk8ba50_data { + u8 sample_rate_idx; + struct iio_trigger *dready_trig; + bool dready_trigger_on; +- /* +- * 3 x 16-bit channels (10-bit data, 6-bit padding) + +- * 1 x 16 padding + +- * 4 x 16 64-bit timestamp +- */ +- s16 buffer[8]; ++ /* Ensure timestamp is naturally aligned */ ++ struct { ++ s16 chans[3]; ++ s64 timetamp __aligned(8); ++ } scan; + }; + + #define STK8BA50_ACCEL_CHANNEL(index, reg, axis) { \ +@@ -330,7 +329,7 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p) + ret = i2c_smbus_read_i2c_block_data(data->client, + STK8BA50_REG_XOUT, + STK8BA50_ALL_CHANNEL_SIZE, +- (u8 *)data->buffer); ++ (u8 *)data->scan.chans); + if (ret < STK8BA50_ALL_CHANNEL_SIZE) { + dev_err(&data->client->dev, "register read failed\n"); + goto err; +@@ -343,10 +342,10 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p) + if (ret < 0) + goto err; + +- data->buffer[i++] = ret; ++ data->scan.chans[i++] = ret; + } + } +- iio_push_to_buffers_with_timestamp(indio_dev, data->buffer, ++ iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, + pf->timestamp); + err: + mutex_unlock(&data->lock); +-- +2.30.2 + diff --git a/queue-4.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch b/queue-4.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch new file mode 100644 index 00000000000..ee506c818fd --- /dev/null +++ b/queue-4.4/iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch @@ -0,0 +1,42 @@ +From 34423f18d2f720993b58963b2f084471ca4d81c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 22 Apr 2021 12:19:03 +0200 +Subject: iio: adis_buffer: do not return ints in irq handlers + +From: Nuno Sa + +[ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ] + +On an IRQ handler we should not return normal error codes as 'irqreturn_t' +is expected. + +Not necessarily stable material as the old check cannot fail, so it's a bug +we can not hit. + +Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library") +Reviewed-by: Alexandru Ardelean +Signed-off-by: Nuno Sa +Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/imu/adis_buffer.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c +index 9de553e8c214..625f54d9e382 100644 +--- a/drivers/iio/imu/adis_buffer.c ++++ b/drivers/iio/imu/adis_buffer.c +@@ -83,9 +83,6 @@ static irqreturn_t adis_trigger_handler(int irq, void *p) + struct adis *adis = iio_device_get_drvdata(indio_dev); + int ret; + +- if (!adis->buffer) +- return -ENOMEM; +- + if (adis->data->has_paging) { + mutex_lock(&adis->txrx_lock); + if (adis->current_page != 0) { +-- +2.30.2 + diff --git a/queue-4.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch b/queue-4.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch new file mode 100644 index 00000000000..ca9a3dbbfd6 --- /dev/null +++ b/queue-4.4/input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch @@ -0,0 +1,37 @@ +From b4ea3e9f57a56c47f4affea30ee2ccd683c712b0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 May 2021 11:52:42 -0700 +Subject: Input: hil_kbd - fix error return code in hil_dev_connect() + +From: Zhen Lei + +[ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ] + +Return error code -EINVAL rather than '0' when the combo devices are not +supported. + +Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/keyboard/hil_kbd.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/keyboard/hil_kbd.c b/drivers/input/keyboard/hil_kbd.c +index 5b152f25a8e1..da07742fd9a4 100644 +--- a/drivers/input/keyboard/hil_kbd.c ++++ b/drivers/input/keyboard/hil_kbd.c +@@ -512,6 +512,7 @@ static int hil_dev_connect(struct serio *serio, struct serio_driver *drv) + HIL_IDD_NUM_AXES_PER_SET(*idd)) { + printk(KERN_INFO PREFIX + "combo devices are not supported.\n"); ++ error = -EINVAL; + goto bail1; + } + +-- +2.30.2 + diff --git a/queue-4.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch b/queue-4.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch new file mode 100644 index 00000000000..6aa71ab8f02 --- /dev/null +++ b/queue-4.4/media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch @@ -0,0 +1,122 @@ +From c9aaced1da2788b80203064ad80163bd166b641c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 12 May 2021 17:18:36 +0200 +Subject: media: bt8xx: Fix a missing check bug in bt878_probe + +From: Zheyu Ma + +[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ] + +In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is +set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'. +However, this two drivers are separate. The user may not load the +'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet +has not been initialized when 'tasklet_schedule' is called, so it is +necessary to check whether the tasklet is initialized in 'bt878_probe'. + +Fix this by adding a check at the end of bt878_probe. + +The KASAN's report reveals it: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000000 +PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0 +Oops: 0010 [#1] PREEMPT SMP KASAN PTI +CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177- +gdba4159c14ef-dirty #40 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59- +gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +RIP: 0010: (null) +Code: Bad RIP value. +RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246 +RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522 + tasklet_action+0x50/0x70 kernel/softirq.c:540 + __do_softirq+0x224/0x92c kernel/softirq.c:292 + invoke_softirq kernel/softirq.c:372 [inline] + irq_exit+0x15a/0x180 kernel/softirq.c:412 + exiting_irq arch/x86/include/asm/apic.h:535 [inline] + do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 + +RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline] +RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline] +RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584 +Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8 +14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad +24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec +RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde +RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000 +RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0 +RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58 +R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000 + do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x4692a9 +Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 +48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff +ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 +RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f +RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9 +RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140 +RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60 +R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0 +Modules linked in: +Dumping ftrace buffer: + (ftrace buffer empty) +CR2: 0000000000000000 +---[ end trace 68e5849c3f77cbb6 ]--- +RIP: 0010: (null) +Code: Bad RIP value. +RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246 +RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000 +RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774 +R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000 +R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90 +FS: 00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS: +0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Reported-by: Zheyu Ma +Signed-off-by: Zheyu Ma +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/bt8xx/bt878.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c +index 90fcccc05b56..c678d7120727 100644 +--- a/drivers/media/pci/bt8xx/bt878.c ++++ b/drivers/media/pci/bt8xx/bt878.c +@@ -494,6 +494,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id) + btwrite(0, BT878_AINT_MASK); + bt878_num++; + ++ if (!bt->tasklet.func) ++ tasklet_disable(&bt->tasklet); ++ + return 0; + + fail2: +-- +2.30.2 + diff --git a/queue-4.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch b/queue-4.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch new file mode 100644 index 00000000000..d4d969f9fc2 --- /dev/null +++ b/queue-4.4/media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch @@ -0,0 +1,104 @@ +From ccc7d7ec5a4d126a0ee782211b154d9107091315 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Apr 2021 21:43:45 +0200 +Subject: media: cpia2: fix memory leak in cpia2_usb_probe + +From: Pavel Skripkin + +[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ] + +syzbot reported leak in cpia2 usb driver. The problem was +in invalid error handling. + +v4l2_device_register() is called in cpia2_init_camera_struct(), but +all error cases after cpia2_init_camera_struct() did not call the +v4l2_device_unregister() + +Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/cpia2/cpia2.h | 1 + + drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++ + drivers/media/usb/cpia2/cpia2_usb.c | 13 +++++++------ + 3 files changed, 20 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h +index cdef677d57ec..80a7af6482ae 100644 +--- a/drivers/media/usb/cpia2/cpia2.h ++++ b/drivers/media/usb/cpia2/cpia2.h +@@ -442,6 +442,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd); + int cpia2_do_command(struct camera_data *cam, + unsigned int command, + unsigned char direction, unsigned char param); ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf); + struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf); + int cpia2_init_camera(struct camera_data *cam); + int cpia2_allocate_buffers(struct camera_data *cam); +diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c +index 187012ce444b..35c9e00267d5 100644 +--- a/drivers/media/usb/cpia2/cpia2_core.c ++++ b/drivers/media/usb/cpia2/cpia2_core.c +@@ -2158,6 +2158,18 @@ static void reset_camera_struct(struct camera_data *cam) + cam->height = cam->params.roi.height; + } + ++/****************************************************************************** ++ * ++ * cpia2_init_camera_struct ++ * ++ * Deinitialize camera struct ++ *****************************************************************************/ ++void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf) ++{ ++ v4l2_device_unregister(&cam->v4l2_dev); ++ kfree(cam); ++} ++ + /****************************************************************************** + * + * cpia2_init_camera_struct +diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c +index 76b9cb940b87..7bd50feadfe4 100644 +--- a/drivers/media/usb/cpia2/cpia2_usb.c ++++ b/drivers/media/usb/cpia2/cpia2_usb.c +@@ -835,15 +835,13 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = set_alternate(cam, USBIF_CMDONLY); + if (ret < 0) { + ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + + if((ret = cpia2_init_camera(cam)) < 0) { + ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + LOG(" CPiA Version: %d.%02d (%d.%d)\n", + cam->params.version.firmware_revision_hi, +@@ -863,11 +861,14 @@ static int cpia2_usb_probe(struct usb_interface *intf, + ret = cpia2_register_camera(cam); + if (ret < 0) { + ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret); +- kfree(cam); +- return ret; ++ goto alt_err; + } + + return 0; ++ ++alt_err: ++ cpia2_deinit_camera_struct(cam, intf); ++ return ret; + } + + /****************************************************************************** +-- +2.30.2 + diff --git a/queue-4.4/media-dvb_net-avoid-speculation-from-net-slot.patch b/queue-4.4/media-dvb_net-avoid-speculation-from-net-slot.patch new file mode 100644 index 00000000000..a8370692100 --- /dev/null +++ b/queue-4.4/media-dvb_net-avoid-speculation-from-net-slot.patch @@ -0,0 +1,89 @@ +From 39548b688a3c88e067eaa1f6d5a18d2ec7f2114e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Jun 2021 13:13:54 +0200 +Subject: media: dvb_net: avoid speculation from net slot + +From: Mauro Carvalho Chehab + +[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ] + +The risk of especulation is actually almost-non-existing here, +as there are very few users of TCP/IP using the DVB stack, +as, this is mainly used with DVB-S/S2 cards, and only by people +that receives TCP/IP from satellite connections, which limits +a lot the number of users of such feature(*). + +(*) In thesis, DVB-C cards could also benefit from it, but I'm +yet to see a hardware that supports it. + +Yet, fixing it is trivial. + +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c +index ce4332e80a91..735baa74043c 100644 +--- a/drivers/media/dvb-core/dvb_net.c ++++ b/drivers/media/dvb-core/dvb_net.c +@@ -57,6 +57,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1350,14 +1351,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct dvb_net_if *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (if_num >= DVB_NET_DEVICES_MAX) { + ret = -EINVAL; + goto ioctl_error; + } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ if (!dvbnet->state[if_num]) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +@@ -1410,14 +1417,20 @@ static int dvb_net_do_ioctl(struct file *file, + struct net_device *netdev; + struct dvb_net_priv *priv_data; + struct __dvb_net_if_old *dvbnetif = parg; ++ int if_num = dvbnetif->if_num; ++ ++ if (if_num >= DVB_NET_DEVICES_MAX) { ++ ret = -EINVAL; ++ goto ioctl_error; ++ } ++ if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX); + +- if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX || +- !dvbnet->state[dvbnetif->if_num]) { ++ if (!dvbnet->state[if_num]) { + ret = -EINVAL; + goto ioctl_error; + } + +- netdev = dvbnet->device[dvbnetif->if_num]; ++ netdev = dvbnet->device[if_num]; + + priv_data = netdev_priv(netdev); + dvbnetif->pid=priv_data->pid; +-- +2.30.2 + diff --git a/queue-4.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch b/queue-4.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch new file mode 100644 index 00000000000..f30115c8548 --- /dev/null +++ b/queue-4.4/media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch @@ -0,0 +1,244 @@ +From 0e8f7d976728ea1f5d1a36bfbe8ad56688158e76 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Apr 2021 22:19:55 +0200 +Subject: media: I2C: change 'RST' to "RSET" to fix multiple build errors + +From: Randy Dunlap + +[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ] + +The use of an enum named 'RST' conflicts with a #define macro +named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h. + +The MIPS use of RST was there first (AFAICT), so change the +media/i2c/ uses of RST to be named 'RSET'. +'git grep -w RSET' does not report any naming conflicts with the +new name. + +This fixes multiple build errors: + +arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST' + 356 | RST, + | ^~~ + +../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST' + 180 | RST, + | ^~~ + +../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token + 15 | #define RST (1 << 15) + | ^ +../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST' + 238 | RST, + | ^~~ + +and some others that I have trimmed. + +Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver") +Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor") +Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor") +Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Shawn Guo +Cc: Sascha Hauer +Cc: Pengutronix Kernel Team +Cc: Fabio Estevam +Cc: NXP Linux Team +Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers) +Cc: Andrzej Hajda +Cc: Sylwester Nawrocki +Cc: Sangwook Lee +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/s5c73m3/s5c73m3-core.c | 6 +++--- + drivers/media/i2c/s5c73m3/s5c73m3.h | 2 +- + drivers/media/i2c/s5k4ecgx.c | 10 +++++----- + drivers/media/i2c/s5k5baf.c | 6 +++--- + drivers/media/i2c/s5k6aa.c | 10 +++++----- + 5 files changed, 17 insertions(+), 17 deletions(-) + +diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c +index 51b26010403c..376ffa19555d 100644 +--- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c ++++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c +@@ -1393,7 +1393,7 @@ static int __s5c73m3_power_on(struct s5c73m3 *state) + s5c73m3_gpio_deassert(state, STBY); + usleep_range(100, 200); + +- s5c73m3_gpio_deassert(state, RST); ++ s5c73m3_gpio_deassert(state, RSET); + usleep_range(50, 100); + + return 0; +@@ -1408,7 +1408,7 @@ static int __s5c73m3_power_off(struct s5c73m3 *state) + { + int i, ret; + +- if (s5c73m3_gpio_assert(state, RST)) ++ if (s5c73m3_gpio_assert(state, RSET)) + usleep_range(10, 50); + + if (s5c73m3_gpio_assert(state, STBY)) +@@ -1613,7 +1613,7 @@ static int s5c73m3_get_platform_data(struct s5c73m3 *state) + + state->mclk_frequency = pdata->mclk_frequency; + state->gpio[STBY] = pdata->gpio_stby; +- state->gpio[RST] = pdata->gpio_reset; ++ state->gpio[RSET] = pdata->gpio_reset; + return 0; + } + +diff --git a/drivers/media/i2c/s5c73m3/s5c73m3.h b/drivers/media/i2c/s5c73m3/s5c73m3.h +index 13aed59f0f5d..01f57055e20f 100644 +--- a/drivers/media/i2c/s5c73m3/s5c73m3.h ++++ b/drivers/media/i2c/s5c73m3/s5c73m3.h +@@ -361,7 +361,7 @@ struct s5c73m3_ctrls { + + enum s5c73m3_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +diff --git a/drivers/media/i2c/s5k4ecgx.c b/drivers/media/i2c/s5k4ecgx.c +index 97084237275d..4959edcb76cd 100644 +--- a/drivers/media/i2c/s5k4ecgx.c ++++ b/drivers/media/i2c/s5k4ecgx.c +@@ -177,7 +177,7 @@ static const char * const s5k4ecgx_supply_names[] = { + + enum s5k4ecgx_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +@@ -482,7 +482,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv) + if (s5k4ecgx_gpio_set_value(priv, STBY, priv->gpio[STBY].level)) + usleep_range(30, 50); + +- if (s5k4ecgx_gpio_set_value(priv, RST, priv->gpio[RST].level)) ++ if (s5k4ecgx_gpio_set_value(priv, RSET, priv->gpio[RSET].level)) + usleep_range(30, 50); + + return 0; +@@ -490,7 +490,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv) + + static int __s5k4ecgx_power_off(struct s5k4ecgx *priv) + { +- if (s5k4ecgx_gpio_set_value(priv, RST, !priv->gpio[RST].level)) ++ if (s5k4ecgx_gpio_set_value(priv, RSET, !priv->gpio[RSET].level)) + usleep_range(30, 50); + + if (s5k4ecgx_gpio_set_value(priv, STBY, !priv->gpio[STBY].level)) +@@ -878,7 +878,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv, + int ret; + + priv->gpio[STBY].gpio = -EINVAL; +- priv->gpio[RST].gpio = -EINVAL; ++ priv->gpio[RSET].gpio = -EINVAL; + + ret = s5k4ecgx_config_gpio(gpio->gpio, gpio->level, "S5K4ECGX_STBY"); + +@@ -897,7 +897,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv, + s5k4ecgx_free_gpios(priv); + return ret; + } +- priv->gpio[RST] = *gpio; ++ priv->gpio[RSET] = *gpio; + if (gpio_is_valid(gpio->gpio)) + gpio_set_value(gpio->gpio, 0); + +diff --git a/drivers/media/i2c/s5k5baf.c b/drivers/media/i2c/s5k5baf.c +index 774e0d0c94cb..a9052219a278 100644 +--- a/drivers/media/i2c/s5k5baf.c ++++ b/drivers/media/i2c/s5k5baf.c +@@ -238,7 +238,7 @@ struct s5k5baf_gpio { + + enum s5k5baf_gpio_id { + STBY, +- RST, ++ RSET, + NUM_GPIOS, + }; + +@@ -973,7 +973,7 @@ static int s5k5baf_power_on(struct s5k5baf *state) + + s5k5baf_gpio_deassert(state, STBY); + usleep_range(50, 100); +- s5k5baf_gpio_deassert(state, RST); ++ s5k5baf_gpio_deassert(state, RSET); + return 0; + + err_reg_dis: +@@ -991,7 +991,7 @@ static int s5k5baf_power_off(struct s5k5baf *state) + state->apply_cfg = 0; + state->apply_crop = 0; + +- s5k5baf_gpio_assert(state, RST); ++ s5k5baf_gpio_assert(state, RSET); + s5k5baf_gpio_assert(state, STBY); + + if (!IS_ERR(state->clock)) +diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c +index 5ac2babe123b..ca1c0568a561 100644 +--- a/drivers/media/i2c/s5k6aa.c ++++ b/drivers/media/i2c/s5k6aa.c +@@ -181,7 +181,7 @@ static const char * const s5k6aa_supply_names[] = { + + enum s5k6aa_gpio_id { + STBY, +- RST, ++ RSET, + GPIO_NUM, + }; + +@@ -845,7 +845,7 @@ static int __s5k6aa_power_on(struct s5k6aa *s5k6aa) + ret = s5k6aa->s_power(1); + usleep_range(4000, 4000); + +- if (s5k6aa_gpio_deassert(s5k6aa, RST)) ++ if (s5k6aa_gpio_deassert(s5k6aa, RSET)) + msleep(20); + + return ret; +@@ -855,7 +855,7 @@ static int __s5k6aa_power_off(struct s5k6aa *s5k6aa) + { + int ret; + +- if (s5k6aa_gpio_assert(s5k6aa, RST)) ++ if (s5k6aa_gpio_assert(s5k6aa, RSET)) + usleep_range(100, 150); + + if (s5k6aa->s_power) { +@@ -1514,7 +1514,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa, + int ret; + + s5k6aa->gpio[STBY].gpio = -EINVAL; +- s5k6aa->gpio[RST].gpio = -EINVAL; ++ s5k6aa->gpio[RSET].gpio = -EINVAL; + + gpio = &pdata->gpio_stby; + if (gpio_is_valid(gpio->gpio)) { +@@ -1537,7 +1537,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa, + if (ret < 0) + return ret; + +- s5k6aa->gpio[RST] = *gpio; ++ s5k6aa->gpio[RSET] = *gpio; + } + + return 0; +-- +2.30.2 + diff --git a/queue-4.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch b/queue-4.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch new file mode 100644 index 00000000000..8287bf2cc4e --- /dev/null +++ b/queue-4.4/media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch @@ -0,0 +1,60 @@ +From 9af0a25955c1bf93461595f41d67ff6ccef6155f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 May 2021 19:08:58 +0200 +Subject: media: pvrusb2: fix warning in pvr2_i2c_core_done + +From: Anirudh Rayabharam + +[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ] + +syzbot has reported the following warning in pvr2_i2c_done: + + sysfs group 'power' not found for kobject '1-0043' + +When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is +not unregistered along with the USB and v4l2 teardown. As part of the USB +device disconnect, the sysfs files of the subdevices are also deleted. +So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the +sysfs files have been deleted. + +To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make +the device deregistration code shared by calling pvr_hdw_disconnect from +pvr2_hdw_destroy. + +Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Anirudh Rayabharam +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +index 232b0fd3e478..ba3b0141538d 100644 +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -2731,9 +2731,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw) + pvr2_stream_destroy(hdw->vid_stream); + hdw->vid_stream = NULL; + } +- pvr2_i2c_core_done(hdw); + v4l2_device_unregister(&hdw->v4l2_dev); +- pvr2_hdw_remove_usb_stuff(hdw); ++ pvr2_hdw_disconnect(hdw); + mutex_lock(&pvr2_unit_mtx); + do { + if ((hdw->unit_number >= 0) && +@@ -2760,6 +2759,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw) + { + pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw); + LOCK_TAKE(hdw->big_lock); ++ pvr2_i2c_core_done(hdw); + LOCK_TAKE(hdw->ctl_lock); + pvr2_hdw_remove_usb_stuff(hdw); + LOCK_GIVE(hdw->ctl_lock); +-- +2.30.2 + diff --git a/queue-4.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch b/queue-4.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch new file mode 100644 index 00000000000..5061be81a9a --- /dev/null +++ b/queue-4.4/media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch @@ -0,0 +1,40 @@ +From a4730b76aeb94a93f4809f9889fb015be3d200ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 26 May 2021 17:18:32 +0200 +Subject: media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx + +From: Dillon Min + +[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ] + +The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open() +should be freed from g2d_release() when it's not used. + +Fix it + +Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family") +Signed-off-by: Dillon Min +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-g2d/g2d.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c +index 2b939555cccb..21968ef9dc45 100644 +--- a/drivers/media/platform/s5p-g2d/g2d.c ++++ b/drivers/media/platform/s5p-g2d/g2d.c +@@ -282,6 +282,9 @@ static int g2d_release(struct file *file) + struct g2d_dev *dev = video_drvdata(file); + struct g2d_ctx *ctx = fh2ctx(file->private_data); + ++ mutex_lock(&dev->mutex); ++ v4l2_m2m_ctx_release(ctx->fh.m2m_ctx); ++ mutex_unlock(&dev->mutex); + v4l2_ctrl_handler_free(&ctx->ctrl_handler); + v4l2_fh_del(&ctx->fh); + v4l2_fh_exit(&ctx->fh); +-- +2.30.2 + diff --git a/queue-4.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch b/queue-4.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch new file mode 100644 index 00000000000..8bb370eeedd --- /dev/null +++ b/queue-4.4/media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch @@ -0,0 +1,167 @@ +From 3f30411f77eb44668ca89820b2b498320c4bb03c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 10 Mar 2021 19:40:43 -0600 +Subject: media: siano: Fix out-of-bounds warnings in + smscore_load_firmware_family2() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Gustavo A. R. Silva + +[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ] + +Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of +its msg_data array from 4 to 5 elements. Notice that at some point +the 5th element of msg_data is being accessed in function +smscore_load_firmware_family2(): + +1006 trigger_msg->msg_data[4] = 4; /* Task ID */ + +Also, there is no need for the object _trigger_msg_ of type struct +sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data +in struct sms_msg_data is a one-element array, which causes multiple +out-of-bounds warnings when accessing beyond its first element +in function smscore_load_firmware_family2(): + + 992 struct sms_msg_data *trigger_msg = + 993 (struct sms_msg_data *) msg; + 994 + 995 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); + 996 SMS_INIT_MSG(&msg->x_msg_header, + 997 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, + 998 sizeof(struct sms_msg_hdr) + + 999 sizeof(u32) * 5); +1000 +1001 trigger_msg->msg_data[0] = firmware->start_address; +1002 /* Entry point */ +1003 trigger_msg->msg_data[1] = 6; /* Priority */ +1004 trigger_msg->msg_data[2] = 0x200; /* Stack size */ +1005 trigger_msg->msg_data[3] = 0; /* Parameter */ +1006 trigger_msg->msg_data[4] = 4; /* Task ID */ + +even when enough dynamic memory is allocated for _msg_: + + 929 /* PAGE_SIZE buffer shall be enough and dma aligned */ + 930 msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags); + +but as _msg_ is casted to (struct sms_msg_data *): + + 992 struct sms_msg_data *trigger_msg = + 993 (struct sms_msg_data *) msg; + +the out-of-bounds warnings are actually valid and should be addressed. + +Fix this by declaring object _msg_ of type struct sms_msg_data5 *, +which contains a 5-elements array, instead of just 4. And use +_msg_ directly, instead of creating object trigger_msg. + +This helps with the ongoing efforts to enable -Warray-bounds by fixing +the following warnings: + + CC [M] drivers/media/common/siano/smscoreapi.o +drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’: +drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1003 | trigger_msg->msg_data[1] = 6; /* Priority */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1004 | trigger_msg->msg_data[2] = 0x200; /* Stack size */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1005 | trigger_msg->msg_data[3] = 0; /* Parameter */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ +drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds] + 1006 | trigger_msg->msg_data[4] = 4; /* Task ID */ + | ~~~~~~~~~~~~~~~~~~~~~^~~ +In file included from drivers/media/common/siano/smscoreapi.c:12: +drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’ + 619 | u32 msg_data[1]; + | ^~~~~~~~ + +Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares") +Co-developed-by: Kees Cook +Signed-off-by: Kees Cook +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Sasha Levin +--- + drivers/media/common/siano/smscoreapi.c | 22 +++++++++------------- + drivers/media/common/siano/smscoreapi.h | 4 ++-- + 2 files changed, 11 insertions(+), 15 deletions(-) + +diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c +index 2a8d9a36d6f0..5cc68144771c 100644 +--- a/drivers/media/common/siano/smscoreapi.c ++++ b/drivers/media/common/siano/smscoreapi.c +@@ -914,7 +914,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, + void *buffer, size_t size) + { + struct sms_firmware *firmware = (struct sms_firmware *) buffer; +- struct sms_msg_data4 *msg; ++ struct sms_msg_data5 *msg; + u32 mem_address, calc_checksum = 0; + u32 i, *ptr; + u8 *payload = firmware->payload; +@@ -995,24 +995,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev, + goto exit_fw_download; + + if (coredev->mode == DEVICE_MODE_NONE) { +- struct sms_msg_data *trigger_msg = +- (struct sms_msg_data *) msg; +- + pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n"); + SMS_INIT_MSG(&msg->x_msg_header, + MSG_SMS_SWDOWNLOAD_TRIGGER_REQ, +- sizeof(struct sms_msg_hdr) + +- sizeof(u32) * 5); ++ sizeof(*msg)); + +- trigger_msg->msg_data[0] = firmware->start_address; ++ msg->msg_data[0] = firmware->start_address; + /* Entry point */ +- trigger_msg->msg_data[1] = 6; /* Priority */ +- trigger_msg->msg_data[2] = 0x200; /* Stack size */ +- trigger_msg->msg_data[3] = 0; /* Parameter */ +- trigger_msg->msg_data[4] = 4; /* Task ID */ ++ msg->msg_data[1] = 6; /* Priority */ ++ msg->msg_data[2] = 0x200; /* Stack size */ ++ msg->msg_data[3] = 0; /* Parameter */ ++ msg->msg_data[4] = 4; /* Task ID */ + +- rc = smscore_sendrequest_and_wait(coredev, trigger_msg, +- trigger_msg->x_msg_header.msg_length, ++ rc = smscore_sendrequest_and_wait(coredev, msg, ++ msg->x_msg_header.msg_length, + &coredev->trigger_done); + } else { + SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ, +diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h +index 4cc39e4a8318..55d02c27f124 100644 +--- a/drivers/media/common/siano/smscoreapi.h ++++ b/drivers/media/common/siano/smscoreapi.h +@@ -636,9 +636,9 @@ struct sms_msg_data2 { + u32 msg_data[2]; + }; + +-struct sms_msg_data4 { ++struct sms_msg_data5 { + struct sms_msg_hdr x_msg_header; +- u32 msg_data[4]; ++ u32 msg_data[5]; + }; + + struct sms_data_download { +-- +2.30.2 + diff --git a/queue-4.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch b/queue-4.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch new file mode 100644 index 00000000000..81fbc2ed068 --- /dev/null +++ b/queue-4.4/media-tc358743-fix-error-return-code-in-tc358743_pro.patch @@ -0,0 +1,38 @@ +From 0bad7c38a36d36135a11237de60497551eb9243c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 08:58:30 +0200 +Subject: media: tc358743: Fix error return code in tc358743_probe_of() + +From: Zhen Lei + +[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ] + +When the CSI bps per lane is not in the valid range, an appropriate error +code -EINVAL should be returned. However, we currently do not explicitly +assign this error code to 'ret'. As a result, 0 was incorrectly returned. + +Fixes: 256148246852 ("[media] tc358743: support probe from device tree") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/tc358743.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c +index 1e95fdb61041..c3befb3f5dcd 100644 +--- a/drivers/media/i2c/tc358743.c ++++ b/drivers/media/i2c/tc358743.c +@@ -1761,6 +1761,7 @@ static int tc358743_probe_of(struct tc358743_state *state) + bps_pr_lane = 2 * endpoint->link_frequencies[0]; + if (bps_pr_lane < 62500000U || bps_pr_lane > 1000000000U) { + dev_err(dev, "unsupported bps per lane: %u bps\n", bps_pr_lane); ++ ret = -EINVAL; + goto disable_clk; + } + +-- +2.30.2 + diff --git a/queue-4.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch b/queue-4.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch new file mode 100644 index 00000000000..2641ad7c5dc --- /dev/null +++ b/queue-4.4/media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch @@ -0,0 +1,39 @@ +From 8f44fc7a4dd90f4a3f30a0c308bd759f58784d98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 May 2021 10:24:02 +0200 +Subject: media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release + +From: Lv Yunlong + +[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ] + +A use after free bug caused by the dangling pointer +filp->privitate_data in v4l2_fh_release. +See https://lore.kernel.org/patchwork/patch/1419058/. + +My patch sets the dangling pointer to NULL to provide +robust. + +Signed-off-by: Lv Yunlong +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/v4l2-core/v4l2-fh.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c +index 1d076deb05a9..ce844ecc3340 100644 +--- a/drivers/media/v4l2-core/v4l2-fh.c ++++ b/drivers/media/v4l2-core/v4l2-fh.c +@@ -107,6 +107,7 @@ int v4l2_fh_release(struct file *filp) + v4l2_fh_del(fh); + v4l2_fh_exit(fh); + kfree(fh); ++ filp->private_data = NULL; + } + return 0; + } +-- +2.30.2 + diff --git a/queue-4.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch b/queue-4.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch new file mode 100644 index 00000000000..f811008dcf2 --- /dev/null +++ b/queue-4.4/mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch @@ -0,0 +1,37 @@ +From cd8dc20de8791a2ff6dcafb4dafde1e94816b77b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 10:03:21 +0800 +Subject: mmc: usdhi6rol0: fix error return code in usdhi6_probe() + +From: Zhen Lei + +[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ] + +Fix to return a negative error code from the error handling case instead +of 0, as done elsewhere in this function. + +Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/usdhi6rol0.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c +index 2b6a9c6a6e96..49798a68299e 100644 +--- a/drivers/mmc/host/usdhi6rol0.c ++++ b/drivers/mmc/host/usdhi6rol0.c +@@ -1751,6 +1751,7 @@ static int usdhi6_probe(struct platform_device *pdev) + + version = usdhi6_read(host, USDHI6_VERSION); + if ((version & 0xfff) != 0xa0d) { ++ ret = -EPERM; + dev_err(dev, "Version not recognized %x\n", version); + goto e_clk_off; + } +-- +2.30.2 + diff --git a/queue-4.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch b/queue-4.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch new file mode 100644 index 00000000000..8d02cb20282 --- /dev/null +++ b/queue-4.4/mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch @@ -0,0 +1,140 @@ +From 6e984c52ab8aa0419b71ad0264b8ed1c43131a64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Jun 2021 13:33:20 +0000 +Subject: mmc: via-sdmmc: add a check against NULL pointer dereference + +From: Zheyu Ma + +[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ] + +Before referencing 'host->data', the driver needs to check whether it is +null pointer, otherwise it will cause a null pointer reference. + +This log reveals it: + +[ 29.355199] BUG: kernel NULL pointer dereference, address: +0000000000000014 +[ 29.357323] #PF: supervisor write access in kernel mode +[ 29.357706] #PF: error_code(0x0002) - not-present page +[ 29.358088] PGD 0 P4D 0 +[ 29.358280] Oops: 0002 [#1] PREEMPT SMP PTI +[ 29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4- +g70e7f0549188-dirty #102 +[ 29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), +BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.362042] RAX: 0000000000000000 RBX: ffff888107d77880 +RCX: 0000000000000000 +[ 29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb +RDI: 00000000ffffffff +[ 29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.363604] R10: 0000000000000000 R11: 0000000000000001 +R12: 0000000000008600 +[ 29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200 +R15: 0000000000008000 +[ 29.364651] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.365235] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000 +CR4: 00000000000006e0 +[ 29.366170] DR0: 0000000000000000 DR1: 0000000000000000 +DR2: 0000000000000000 +[ 29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +DR7: 0000000000000400 +[ 29.367197] Call Trace: +[ 29.367381] +[ 29.367537] __handle_irq_event_percpu+0x53/0x3e0 +[ 29.367916] handle_irq_event_percpu+0x35/0x90 +[ 29.368247] handle_irq_event+0x39/0x60 +[ 29.368632] handle_fasteoi_irq+0xc2/0x1d0 +[ 29.368950] __common_interrupt+0x7f/0x150 +[ 29.369254] common_interrupt+0xb4/0xd0 +[ 29.369547] +[ 29.369708] asm_common_interrupt+0x1e/0x40 +[ 29.370016] RIP: 0010:native_safe_halt+0x17/0x20 +[ 29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00 +00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb +f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91 +[ 29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 29.372079] RAX: 0000000000000000 RBX: 0000000000000002 +RCX: 0000000000000000 +[ 29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4 +RDI: ffffffff85403406 +[ 29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.373646] R10: 0000000000000000 R11: 0000000000000001 +R12: ffffffff86009188 +[ 29.374160] R13: 0000000000000000 R14: 0000000000000000 +R15: ffff888100258000 +[ 29.374690] default_idle+0x9/0x10 +[ 29.374944] arch_cpu_idle+0xa/0x10 +[ 29.375198] default_idle_call+0x6e/0x250 +[ 29.375491] do_idle+0x1f0/0x2d0 +[ 29.375740] cpu_startup_entry+0x18/0x20 +[ 29.376034] start_secondary+0x11f/0x160 +[ 29.376328] secondary_startup_64_no_verify+0xb0/0xbb +[ 29.376705] Modules linked in: +[ 29.376939] Dumping ftrace buffer: +[ 29.377187] (ftrace buffer empty) +[ 29.377460] CR2: 0000000000000014 +[ 29.377712] ---[ end trace 51a473dffb618c47 ]--- +[ 29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410 +[ 29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00 +10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43 +18 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77 +[ 29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046 +[ 29.380098] RAX: 0000000000000000 RBX: ffff888107d77880 +RCX: 0000000000000000 +[ 29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb +RDI: 00000000ffffffff +[ 29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001 +R09: 0000000000000001 +[ 29.381653] R10: 0000000000000000 R11: 0000000000000001 +R12: 0000000000008600 +[ 29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200 +R15: 0000000000008000 +[ 29.382697] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) +knlGS:0000000000000000 +[ 29.383277] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000 +CR4: 00000000000006e0 +[ 29.384223] DR0: 0000000000000000 DR1: 0000000000000000 +DR2: 0000000000000000 +[ 29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 +DR7: 0000000000000400 +[ 29.385260] Kernel panic - not syncing: Fatal exception in interrupt +[ 29.385882] Dumping ftrace buffer: +[ 29.386135] (ftrace buffer empty) +[ 29.386401] Kernel Offset: disabled +[ 29.386656] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index b455e9cf95af..a3472127bea3 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -859,6 +859,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask) + { + BUG_ON(intmask == 0); + ++ if (!host->data) ++ return; ++ + if (intmask & VIA_CRDR_SDSTS_DT) + host->data->error = -ETIMEDOUT; + else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC)) +-- +2.30.2 + diff --git a/queue-4.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch b/queue-4.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch new file mode 100644 index 00000000000..649a45754c8 --- /dev/null +++ b/queue-4.4/net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch @@ -0,0 +1,54 @@ +From 93c3d7c915259cfeaf145d7054fc4f07c940f921 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 17:57:31 +0300 +Subject: net: ethernet: aeroflex: fix UAF in greth_of_remove + +From: Pavel Skripkin + +[ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ] + +static int greth_of_remove(struct platform_device *of_dev) +{ +... + struct greth_private *greth = netdev_priv(ndev); +... + unregister_netdev(ndev); + free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); +... +} + +greth is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing greth +pointer. So, fix it by moving free_netdev() after of_iounmap() +call. + +Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/aeroflex/greth.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c +index 20bf55dbd76f..e3ca8abb14f4 100644 +--- a/drivers/net/ethernet/aeroflex/greth.c ++++ b/drivers/net/ethernet/aeroflex/greth.c +@@ -1579,10 +1579,11 @@ static int greth_of_remove(struct platform_device *of_dev) + mdiobus_unregister(greth->mdio); + + unregister_netdev(ndev); +- free_netdev(ndev); + + of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0])); + ++ free_netdev(ndev); ++ + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.4/net-ethernet-ezchip-fix-error-handling.patch b/queue-4.4/net-ethernet-ezchip-fix-error-handling.patch new file mode 100644 index 00000000000..84ec83acbf6 --- /dev/null +++ b/queue-4.4/net-ethernet-ezchip-fix-error-handling.patch @@ -0,0 +1,44 @@ +From b5e59f834913b892c2d27794149aca3282a78855 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 19:14:47 +0300 +Subject: net: ethernet: ezchip: fix error handling + +From: Pavel Skripkin + +[ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ] + +As documented at drivers/base/platform.c for platform_get_irq: + + * Gets an IRQ for a platform device and prints an error message if finding the + * IRQ fails. Device drivers should check the return value for errors so as to + * not pass a negative integer value to the request_irq() APIs. + +So, the driver should check that platform_get_irq() return value +is _negative_, not that it's equal to zero, because -ENXIO (return +value from request_irq() if irq was not found) will +pass this check and it leads to passing negative irq to request_irq() + +Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index 73d2bc349b2f..2cb20d8e6bdf 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -586,7 +586,7 @@ static s32 nps_enet_probe(struct platform_device *pdev) + + /* Get IRQ number */ + priv->irq = platform_get_irq(pdev, 0); +- if (!priv->irq) { ++ if (priv->irq < 0) { + dev_err(dev, "failed to retrieve value from device tree\n"); + err = -ENODEV; + goto out_netdev; +-- +2.30.2 + diff --git a/queue-4.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch b/queue-4.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch new file mode 100644 index 00000000000..e35bbad443d --- /dev/null +++ b/queue-4.4/net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch @@ -0,0 +1,39 @@ +From 7bc4747d89bbc92d5ecd5f7cc22dffe8afe46bd7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 19:14:31 +0300 +Subject: net: ethernet: ezchip: fix UAF in nps_enet_remove + +From: Pavel Skripkin + +[ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ] + +priv is netdev private data, but it is used +after free_netdev(). It can cause use-after-free when accessing priv +pointer. So, fix it by moving free_netdev() after netif_napi_del() +call. + +Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ezchip/nps_enet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c +index b1026689b78f..73d2bc349b2f 100644 +--- a/drivers/net/ethernet/ezchip/nps_enet.c ++++ b/drivers/net/ethernet/ezchip/nps_enet.c +@@ -621,8 +621,8 @@ static s32 nps_enet_remove(struct platform_device *pdev) + struct nps_enet_priv *priv = netdev_priv(ndev); + + unregister_netdev(ndev); +- free_netdev(ndev); + netif_napi_del(&priv->napi); ++ free_netdev(ndev); + + return 0; + } +-- +2.30.2 + diff --git a/queue-4.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch b/queue-4.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch new file mode 100644 index 00000000000..da1b7666dc1 --- /dev/null +++ b/queue-4.4/net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch @@ -0,0 +1,56 @@ +From 9cdbd380252dd828a56ed7e3ddf2edc14b1c47bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 May 2021 19:39:27 +0300 +Subject: net: pch_gbe: Propagate error from devm_gpio_request_one() + +From: Andy Shevchenko + +[ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ] + +If GPIO controller is not available yet we need to defer +the probe of GBE until provider will become available. + +While here, drop GPIOF_EXPORT because it's deprecated and +may not be available. + +Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support") +Signed-off-by: Andy Shevchenko +Tested-by: Flavio Suligoi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +index 3b98b263bad0..a7ec9492d126 100644 +--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c ++++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c +@@ -2625,9 +2625,13 @@ static int pch_gbe_probe(struct pci_dev *pdev, + adapter->pdev = pdev; + adapter->hw.back = adapter; + adapter->hw.reg = pcim_iomap_table(pdev)[PCH_GBE_PCI_BAR]; ++ + adapter->pdata = (struct pch_gbe_privdata *)pci_id->driver_data; +- if (adapter->pdata && adapter->pdata->platform_init) +- adapter->pdata->platform_init(pdev); ++ if (adapter->pdata && adapter->pdata->platform_init) { ++ ret = adapter->pdata->platform_init(pdev); ++ if (ret) ++ goto err_free_netdev; ++ } + + adapter->ptp_pdev = pci_get_bus_and_slot(adapter->pdev->bus->number, + PCI_DEVFN(12, 4)); +@@ -2717,7 +2721,7 @@ err_free_netdev: + */ + static int pch_gbe_minnow_platform_init(struct pci_dev *pdev) + { +- unsigned long flags = GPIOF_DIR_OUT | GPIOF_INIT_HIGH | GPIOF_EXPORT; ++ unsigned long flags = GPIOF_OUT_INIT_HIGH; + unsigned gpio = MINNOW_PHY_RESET_GPIO; + int ret; + +-- +2.30.2 + diff --git a/queue-4.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch b/queue-4.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch new file mode 100644 index 00000000000..34d54b8dfa2 --- /dev/null +++ b/queue-4.4/netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch @@ -0,0 +1,38 @@ +From e6b1846744ba68e47afa6a396580200aa31b0669 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Jun 2021 20:20:30 +0200 +Subject: netfilter: nft_exthdr: check for IPv6 packet before further + processing + +From: Pablo Neira Ayuso + +[ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ] + +ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a +sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet +is passed for parsing. + +Fixes: 96518518cc41 ("netfilter: add nftables") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nft_exthdr.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c +index ba7aed13e174..a81f6bf42d1f 100644 +--- a/net/netfilter/nft_exthdr.c ++++ b/net/netfilter/nft_exthdr.c +@@ -34,6 +34,9 @@ static void nft_exthdr_eval(const struct nft_expr *expr, + unsigned int offset = 0; + int err; + ++ if (pkt->skb->protocol != htons(ETH_P_IPV6)) ++ goto err; ++ + err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); + if (err < 0) + goto err; +-- +2.30.2 + diff --git a/queue-4.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch b/queue-4.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch new file mode 100644 index 00000000000..9f4be03b087 --- /dev/null +++ b/queue-4.4/netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch @@ -0,0 +1,114 @@ +From 10c2d1cb71755a0afb78fed1ead4b616dabc2844 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Jun 2021 10:14:44 +0800 +Subject: netlabel: Fix memory leak in netlbl_mgmt_add_common + +From: Liu Shixin + +[ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ] + +Hulk Robot reported memory leak in netlbl_mgmt_add_common. +The problem is non-freed map in case of netlbl_domhsh_add() failed. + +BUG: memory leak +unreferenced object 0xffff888100ab7080 (size 96): + comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s) + hex dump (first 32 bytes): + 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ................ + backtrace: + [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40 + [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0 + [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 + [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0 + [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0 + [<0000000020e96fdd>] genl_rcv+0x24/0x40 + [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0 + [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70 + [<000000006e43415f>] sock_sendmsg+0x139/0x170 + [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0 + [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170 + [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190 + [<00000000643ac172>] do_syscall_64+0x37/0x90 + [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping") +Reported-by: Hulk Robot +Signed-off-by: Liu Shixin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_mgmt.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c +index 13f777f20995..5f1218dc9162 100644 +--- a/net/netlabel/netlabel_mgmt.c ++++ b/net/netlabel/netlabel_mgmt.c +@@ -92,6 +92,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = { + static int netlbl_mgmt_add_common(struct genl_info *info, + struct netlbl_audit *audit_info) + { ++ void *pmap = NULL; + int ret_val = -EINVAL; + struct netlbl_domaddr_map *addrmap = NULL; + struct cipso_v4_doi *cipsov4 = NULL; +@@ -165,6 +166,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + ret_val = -ENOMEM; + goto add_free_addrmap; + } ++ pmap = map; + map->list.addr = addr->s_addr & mask->s_addr; + map->list.mask = mask->s_addr; + map->list.valid = 1; +@@ -173,10 +175,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + map->def.cipso = cipsov4; + + ret_val = netlbl_af4list_add(&map->list, &addrmap->list4); +- if (ret_val != 0) { +- kfree(map); +- goto add_free_addrmap; +- } ++ if (ret_val != 0) ++ goto add_free_map; + + entry->def.type = NETLBL_NLTYPE_ADDRSELECT; + entry->def.addrsel = addrmap; +@@ -212,6 +212,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + ret_val = -ENOMEM; + goto add_free_addrmap; + } ++ pmap = map; + map->list.addr = *addr; + map->list.addr.s6_addr32[0] &= mask->s6_addr32[0]; + map->list.addr.s6_addr32[1] &= mask->s6_addr32[1]; +@@ -222,10 +223,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + map->def.type = entry->def.type; + + ret_val = netlbl_af6list_add(&map->list, &addrmap->list6); +- if (ret_val != 0) { +- kfree(map); +- goto add_free_addrmap; +- } ++ if (ret_val != 0) ++ goto add_free_map; + + entry->def.type = NETLBL_NLTYPE_ADDRSELECT; + entry->def.addrsel = addrmap; +@@ -234,10 +233,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info, + + ret_val = netlbl_domhsh_add(entry, audit_info); + if (ret_val != 0) +- goto add_free_addrmap; ++ goto add_free_map; + + return 0; + ++add_free_map: ++ kfree(pmap); + add_free_addrmap: + kfree(addrmap); + add_doi_put_def: +-- +2.30.2 + diff --git a/queue-4.4/pata_ep93xx-fix-deferred-probing.patch b/queue-4.4/pata_ep93xx-fix-deferred-probing.patch new file mode 100644 index 00000000000..2a099200648 --- /dev/null +++ b/queue-4.4/pata_ep93xx-fix-deferred-probing.patch @@ -0,0 +1,39 @@ +From 4ffc295586d9a078781ed18947552bbea562769e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 20 Mar 2021 23:32:38 +0300 +Subject: pata_ep93xx: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Propagate the error code +upstream, as it should have been done from the start... + +Fixes: 2fff27512600 ("PATA host controller driver for ep93xx") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_ep93xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/pata_ep93xx.c b/drivers/ata/pata_ep93xx.c +index 634c814cbeda..ebdd2dfabbeb 100644 +--- a/drivers/ata/pata_ep93xx.c ++++ b/drivers/ata/pata_ep93xx.c +@@ -927,7 +927,7 @@ static int ep93xx_pata_probe(struct platform_device *pdev) + /* INT[3] (IRQ_EP93XX_EXT3) line connected as pull down */ + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- err = -ENXIO; ++ err = irq; + goto err_rel_gpio; + } + +-- +2.30.2 + diff --git a/queue-4.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch b/queue-4.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch new file mode 100644 index 00000000000..34a01c743fd --- /dev/null +++ b/queue-4.4/pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch @@ -0,0 +1,45 @@ +From 97019be9423584cc82936593bed2824d970fd281 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 May 2021 23:38:54 +0300 +Subject: pata_octeon_cf: avoid WARN_ON() in ata_host_activate() + +From: Sergey Shtylyov + +[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ] + +Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode +has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler' +parameter being non-NULL if the polling mode is selected. Let's only set +the pointer to the driver's IRQ handler if platform_get_irq() returns a +valid IRQ # -- this should avoid the unnecessary WARN_ON()... + +Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_octeon_cf.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c +index 27245957eee3..909de33f9158 100644 +--- a/drivers/ata/pata_octeon_cf.c ++++ b/drivers/ata/pata_octeon_cf.c +@@ -909,10 +909,11 @@ static int octeon_cf_probe(struct platform_device *pdev) + return -EINVAL; + } + +- irq_handler = octeon_cf_interrupt; + i = platform_get_irq(dma_dev, 0); +- if (i > 0) ++ if (i > 0) { + irq = i; ++ irq_handler = octeon_cf_interrupt; ++ } + } + of_node_put(dma_node); + } +-- +2.30.2 + diff --git a/queue-4.4/pata_rb532_cf-fix-deferred-probing.patch b/queue-4.4/pata_rb532_cf-fix-deferred-probing.patch new file mode 100644 index 00000000000..86e86f26480 --- /dev/null +++ b/queue-4.4/pata_rb532_cf-fix-deferred-probing.patch @@ -0,0 +1,46 @@ +From 1277f29f07654736cfeed443f4ffa15e77447549 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 15 Mar 2021 14:46:53 +0300 +Subject: pata_rb532_cf: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ] + +The driver overrides the error codes returned by platform_get_irq() to +-ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/pata_rb532_cf.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c +index c8b6a780a290..76c550e160f6 100644 +--- a/drivers/ata/pata_rb532_cf.c ++++ b/drivers/ata/pata_rb532_cf.c +@@ -120,10 +120,12 @@ static int rb532_pata_driver_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ if (irq < 0) { + dev_err(&pdev->dev, "no IRQ resource found\n"); +- return -ENOENT; ++ return irq; + } ++ if (!irq) ++ return -EINVAL; + + pdata = dev_get_platdata(&pdev->dev); + if (!pdata) { +-- +2.30.2 + diff --git a/queue-4.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch b/queue-4.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch new file mode 100644 index 00000000000..7e9f6a2b81c --- /dev/null +++ b/queue-4.4/phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch @@ -0,0 +1,62 @@ +From 36b5df4c9fd953759372bc24aa70865cd688a455 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Jun 2021 15:17:43 +0200 +Subject: phy: ti: dm816x: Fix the error handling path in + 'dm816x_usb_phy_probe() + +From: Christophe JAILLET + +[ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ] + +Add an error handling path in the probe to release some resources, as +already done in the remove function. + +Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/phy/phy-dm816x-usb.c | 17 +++++++++++++---- + 1 file changed, 13 insertions(+), 4 deletions(-) + +diff --git a/drivers/phy/phy-dm816x-usb.c b/drivers/phy/phy-dm816x-usb.c +index b4bbef664d20..908b5ff0e888 100644 +--- a/drivers/phy/phy-dm816x-usb.c ++++ b/drivers/phy/phy-dm816x-usb.c +@@ -246,19 +246,28 @@ static int dm816x_usb_phy_probe(struct platform_device *pdev) + + pm_runtime_enable(phy->dev); + generic_phy = devm_phy_create(phy->dev, NULL, &ops); +- if (IS_ERR(generic_phy)) +- return PTR_ERR(generic_phy); ++ if (IS_ERR(generic_phy)) { ++ error = PTR_ERR(generic_phy); ++ goto clk_unprepare; ++ } + + phy_set_drvdata(generic_phy, phy); + + phy_provider = devm_of_phy_provider_register(phy->dev, + of_phy_simple_xlate); +- if (IS_ERR(phy_provider)) +- return PTR_ERR(phy_provider); ++ if (IS_ERR(phy_provider)) { ++ error = PTR_ERR(phy_provider); ++ goto clk_unprepare; ++ } + + usb_add_phy_dev(&phy->phy); + + return 0; ++ ++clk_unprepare: ++ pm_runtime_disable(phy->dev); ++ clk_unprepare(phy->refclk); ++ return error; + } + + static int dm816x_usb_phy_remove(struct platform_device *pdev) +-- +2.30.2 + diff --git a/queue-4.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch b/queue-4.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch new file mode 100644 index 00000000000..a33fdb3a6f6 --- /dev/null +++ b/queue-4.4/platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch @@ -0,0 +1,42 @@ +From e0255e01037848bd48ee9b53d9c67339299330f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Jun 2021 18:05:48 +0800 +Subject: platform/x86: toshiba_acpi: Fix missing error code in + toshiba_acpi_setup_keyboard() + +From: Jiapeng Chong + +[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ] + +The error code is missing in this code scenario, add the error code +'-EINVAL' to the return value 'error'. + +Eliminate the follow smatch warning: + +drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard() +warn: missing error code 'error'. + +Reported-by: Abaci Robot +Signed-off-by: Jiapeng Chong +Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/toshiba_acpi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c +index 1ff95b5a429d..974d4ac78d10 100644 +--- a/drivers/platform/x86/toshiba_acpi.c ++++ b/drivers/platform/x86/toshiba_acpi.c +@@ -2448,6 +2448,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev) + + if (!dev->info_supported && !dev->system_event_supported) { + pr_warn("No hotkey query interface found\n"); ++ error = -EINVAL; + goto err_remove_filter; + } + +-- +2.30.2 + diff --git a/queue-4.4/random32-fix-implicit-truncation-warning-in-prandom_.patch b/queue-4.4/random32-fix-implicit-truncation-warning-in-prandom_.patch new file mode 100644 index 00000000000..1d23d256735 --- /dev/null +++ b/queue-4.4/random32-fix-implicit-truncation-warning-in-prandom_.patch @@ -0,0 +1,48 @@ +From 0d96543e92015bd5d478e98815bc05ec4488c0ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 13:20:12 +0100 +Subject: random32: Fix implicit truncation warning in prandom_seed_state() + +From: Richard Fitzgerald + +[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ] + +sparse generates the following warning: + + include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from + constant value + +This is because the 64-bit seed value is manipulated and then placed in a +u32, causing an implicit cast and truncation. A forced cast to u32 doesn't +prevent this warning, which is reasonable because a typecast doesn't prove +that truncation was expected. + +Logical-AND the value with 0xffffffff to make explicit that truncation to +32-bit is intended. + +Reported-by: kernel test robot +Signed-off-by: Richard Fitzgerald +Reviewed-by: Petr Mladek +Signed-off-by: Petr Mladek +Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com +Signed-off-by: Sasha Levin +--- + include/linux/prandom.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/prandom.h b/include/linux/prandom.h +index cc1e71334e53..e20339c78a84 100644 +--- a/include/linux/prandom.h ++++ b/include/linux/prandom.h +@@ -93,7 +93,7 @@ static inline u32 __seed(u32 x, u32 m) + */ + static inline void prandom_seed_state(struct rnd_state *state, u64 seed) + { +- u32 i = (seed >> 32) ^ (seed << 10) ^ seed; ++ u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL; + + state->s1 = __seed(i, 2U); + state->s2 = __seed(i, 8U); +-- +2.30.2 + diff --git a/queue-4.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch b/queue-4.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch new file mode 100644 index 00000000000..27b91cef5ff --- /dev/null +++ b/queue-4.4/regulator-da9052-ensure-enough-delay-time-for-.set_v.patch @@ -0,0 +1,39 @@ +From 9b4ae743fae8c0764830ec084d0b2a8a1af3a7d7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 22:14:11 +0800 +Subject: regulator: da9052: Ensure enough delay time for .set_voltage_time_sel + +From: Axel Lin + +[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ] + +Use DIV_ROUND_UP to prevent truncation by integer division issue. +This ensures we return enough delay time. + +Also fix returning negative value when new_sel < old_sel. + +Signed-off-by: Axel Lin +Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/da9052-regulator.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c +index 12a25b40e473..fa9cb7df79de 100644 +--- a/drivers/regulator/da9052-regulator.c ++++ b/drivers/regulator/da9052-regulator.c +@@ -258,7 +258,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev, + case DA9052_ID_BUCK3: + case DA9052_ID_LDO2: + case DA9052_ID_LDO3: +- ret = (new_sel - old_sel) * info->step_uV / 6250; ++ ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV, ++ 6250); + break; + } + +-- +2.30.2 + diff --git a/queue-4.4/s390-appldata-depends-on-proc_sysctl.patch b/queue-4.4/s390-appldata-depends-on-proc_sysctl.patch new file mode 100644 index 00000000000..fddc0caabe8 --- /dev/null +++ b/queue-4.4/s390-appldata-depends-on-proc_sysctl.patch @@ -0,0 +1,46 @@ +From 2174708c73b3175a5ce5ba903dac2386542b55e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 May 2021 17:24:20 -0700 +Subject: s390: appldata depends on PROC_SYSCTL + +From: Randy Dunlap + +[ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ] + +APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS. +Building with PROC_FS but not PROC_SYSCTL causes a build error, +since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c. + +arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler': +appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals' + +Fixes: c185b783b099 ("[S390] Remove config options.") +Signed-off-by: Randy Dunlap +Cc: Heiko Carstens +Cc: Vasily Gorbik +Cc: Christian Borntraeger +Cc: linux-s390@vger.kernel.org +Signed-off-by: Vasily Gorbik +Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org +Signed-off-by: Vasily Gorbik +Signed-off-by: Sasha Levin +--- + arch/s390/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig +index 9bdaeb38a768..7466e034e1fc 100644 +--- a/arch/s390/Kconfig ++++ b/arch/s390/Kconfig +@@ -834,7 +834,7 @@ config CMM_IUCV + config APPLDATA_BASE + def_bool n + prompt "Linux - VM Monitor Stream, base infrastructure" +- depends on PROC_FS ++ depends on PROC_SYSCTL + help + This provides a kernel interface for creating and updating z/VM APPLDATA + monitor records. The monitor records are updated at certain time +-- +2.30.2 + diff --git a/queue-4.4/sata_highbank-fix-deferred-probing.patch b/queue-4.4/sata_highbank-fix-deferred-probing.patch new file mode 100644 index 00000000000..0a7029a82ad --- /dev/null +++ b/queue-4.4/sata_highbank-fix-deferred-probing.patch @@ -0,0 +1,46 @@ +From 31383d8ff2f9c551613424b331698fe5a614575e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 14 Mar 2021 23:34:27 +0300 +Subject: sata_highbank: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ] + +The driver overrides the error codes returned by platform_get_irq() to +-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe +permanently instead of the deferred probing. Switch to propagating the +error code upstream, still checking/overriding IRQ0 as libata regards it +as "no IRQ" (thus polling) anyway... + +Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq") +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/sata_highbank.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/ata/sata_highbank.c b/drivers/ata/sata_highbank.c +index 8638d575b2b9..77691154d2f1 100644 +--- a/drivers/ata/sata_highbank.c ++++ b/drivers/ata/sata_highbank.c +@@ -483,10 +483,12 @@ static int ahci_highbank_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) { ++ if (irq < 0) { + dev_err(dev, "no irq\n"); +- return -EINVAL; ++ return irq; + } ++ if (!irq) ++ return -EINVAL; + + hpriv = devm_kzalloc(dev, sizeof(*hpriv), GFP_KERNEL); + if (!hpriv) { +-- +2.30.2 + diff --git a/queue-4.4/scsi-flashpoint-rename-si_flags-field.patch b/queue-4.4/scsi-flashpoint-rename-si_flags-field.patch new file mode 100644 index 00000000000..a59f60270dc --- /dev/null +++ b/queue-4.4/scsi-flashpoint-rename-si_flags-field.patch @@ -0,0 +1,163 @@ +From 66a6b11e40d79894df688ec6faa0d5f90c69e775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 May 2021 16:48:57 -0700 +Subject: scsi: FlashPoint: Rename si_flags field + +From: Randy Dunlap + +[ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ] + +The BusLogic driver has build errors on ia64 due to a name collision (in +the #included FlashPoint.c file). Rename the struct field in struct +sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build. + +This is the first problem. There are 50+ others after this one: + +In file included from ../include/uapi/linux/signal.h:6, + from ../include/linux/signal_types.h:10, + from ../include/linux/sched.h:29, + from ../include/linux/hardirq.h:9, + from ../include/linux/interrupt.h:11, + from ../drivers/scsi/BusLogic.c:27: +../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token + 15 | #define si_flags _sifields._sigfault._flags + | ^ +../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags' + 43 | u16 si_flags; + | ^~~~~~~~ +In file included from ../drivers/scsi/BusLogic.c:51: +../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter': +../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields' + 1076 | pCardInfo->si_flags = 0x0000; + | ^~ +../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields' + +Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org +Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.") +Cc: "James E.J. Bottomley" +Cc: "Martin K. Petersen" +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Hannes Reinecke +Cc: Khalid Aziz +Cc: Khalid Aziz +Reported-by: kernel test robot +Reviewed-by: Hannes Reinecke +Signed-off-by: Randy Dunlap +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/FlashPoint.c | 32 ++++++++++++++++---------------- + 1 file changed, 16 insertions(+), 16 deletions(-) + +diff --git a/drivers/scsi/FlashPoint.c b/drivers/scsi/FlashPoint.c +index 867b864f5047..4bca37d52bad 100644 +--- a/drivers/scsi/FlashPoint.c ++++ b/drivers/scsi/FlashPoint.c +@@ -40,7 +40,7 @@ struct sccb_mgr_info { + u16 si_per_targ_ultra_nego; + u16 si_per_targ_no_disc; + u16 si_per_targ_wide_nego; +- u16 si_flags; ++ u16 si_mflags; + unsigned char si_card_family; + unsigned char si_bustype; + unsigned char si_card_model[3]; +@@ -1070,22 +1070,22 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + ScamFlg = + (unsigned char)FPT_utilEERead(ioport, SCAM_CONFIG / 2); + +- pCardInfo->si_flags = 0x0000; ++ pCardInfo->si_mflags = 0x0000; + + if (i & 0x01) +- pCardInfo->si_flags |= SCSI_PARITY_ENA; ++ pCardInfo->si_mflags |= SCSI_PARITY_ENA; + + if (!(i & 0x02)) +- pCardInfo->si_flags |= SOFT_RESET; ++ pCardInfo->si_mflags |= SOFT_RESET; + + if (i & 0x10) +- pCardInfo->si_flags |= EXTENDED_TRANSLATION; ++ pCardInfo->si_mflags |= EXTENDED_TRANSLATION; + + if (ScamFlg & SCAM_ENABLED) +- pCardInfo->si_flags |= FLAG_SCAM_ENABLED; ++ pCardInfo->si_mflags |= FLAG_SCAM_ENABLED; + + if (ScamFlg & SCAM_LEVEL2) +- pCardInfo->si_flags |= FLAG_SCAM_LEVEL2; ++ pCardInfo->si_mflags |= FLAG_SCAM_LEVEL2; + + j = (RD_HARPOON(ioport + hp_bm_ctrl) & ~SCSI_TERM_ENA_L); + if (i & 0x04) { +@@ -1101,7 +1101,7 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + + if (!(RD_HARPOON(ioport + hp_page_ctrl) & NARROW_SCSI_CARD)) + +- pCardInfo->si_flags |= SUPPORT_16TAR_32LUN; ++ pCardInfo->si_mflags |= SUPPORT_16TAR_32LUN; + + pCardInfo->si_card_family = HARPOON_FAMILY; + pCardInfo->si_bustype = BUSTYPE_PCI; +@@ -1137,15 +1137,15 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + + if (pCardInfo->si_card_model[1] == '3') { + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + } else if (pCardInfo->si_card_model[2] == '0') { + temp = RD_HARPOON(ioport + hp_xfer_pad); + WR_HARPOON(ioport + hp_xfer_pad, (temp & ~BIT(4))); + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + WR_HARPOON(ioport + hp_xfer_pad, (temp | BIT(4))); + if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7)) +- pCardInfo->si_flags |= HIGH_BYTE_TERM; ++ pCardInfo->si_mflags |= HIGH_BYTE_TERM; + WR_HARPOON(ioport + hp_xfer_pad, temp); + } else { + temp = RD_HARPOON(ioport + hp_ee_ctrl); +@@ -1163,9 +1163,9 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo) + WR_HARPOON(ioport + hp_ee_ctrl, temp); + WR_HARPOON(ioport + hp_xfer_pad, temp2); + if (!(temp3 & BIT(7))) +- pCardInfo->si_flags |= LOW_BYTE_TERM; ++ pCardInfo->si_mflags |= LOW_BYTE_TERM; + if (!(temp3 & BIT(6))) +- pCardInfo->si_flags |= HIGH_BYTE_TERM; ++ pCardInfo->si_mflags |= HIGH_BYTE_TERM; + } + + ARAM_ACCESS(ioport); +@@ -1272,7 +1272,7 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info + WR_HARPOON(ioport + hp_arb_id, pCardInfo->si_id); + CurrCard->ourId = pCardInfo->si_id; + +- i = (unsigned char)pCardInfo->si_flags; ++ i = (unsigned char)pCardInfo->si_mflags; + if (i & SCSI_PARITY_ENA) + WR_HARPOON(ioport + hp_portctrl_1, (HOST_MODE8 | CHK_SCSI_P)); + +@@ -1286,14 +1286,14 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info + j |= SCSI_TERM_ENA_H; + WR_HARPOON(ioport + hp_ee_ctrl, j); + +- if (!(pCardInfo->si_flags & SOFT_RESET)) { ++ if (!(pCardInfo->si_mflags & SOFT_RESET)) { + + FPT_sresb(ioport, thisCard); + + FPT_scini(thisCard, pCardInfo->si_id, 0); + } + +- if (pCardInfo->si_flags & POST_ALL_UNDERRRUNS) ++ if (pCardInfo->si_mflags & POST_ALL_UNDERRRUNS) + CurrCard->globalFlags |= F_NO_FILTER; + + if (pCurrNvRam) { +-- +2.30.2 + diff --git a/queue-4.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch b/queue-4.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch new file mode 100644 index 00000000000..cddf0bca71b --- /dev/null +++ b/queue-4.4/scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch @@ -0,0 +1,43 @@ +From ceed4349f712f2cb94f03f230591cfd8123800ad Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 14 May 2021 16:13:00 +0800 +Subject: scsi: mpt3sas: Fix error return value in _scsih_expander_add() + +From: Zhen Lei + +[ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ] + +When an expander does not contain any 'phys', an appropriate error code -1 +should be returned, as done elsewhere in this function. However, we +currently do not explicitly assign this error code to 'rc'. As a result, 0 +was incorrectly returned. + +Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com +Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +index 8735e4257028..49b751a8f5f3 100644 +--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c ++++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c +@@ -5014,8 +5014,10 @@ _scsih_expander_add(struct MPT3SAS_ADAPTER *ioc, u16 handle) + handle, parent_handle, (unsigned long long) + sas_expander->sas_address, sas_expander->num_phys); + +- if (!sas_expander->num_phys) ++ if (!sas_expander->num_phys) { ++ rc = -1; + goto out_fail; ++ } + sas_expander->phy = kcalloc(sas_expander->num_phys, + sizeof(struct _sas_phy), GFP_KERNEL); + if (!sas_expander->phy) { +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index d747071b72e..0ab4ff241f5 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -24,3 +24,68 @@ ath9k-fix-kernel-null-pointer-dereference-during-ath_reset_internal.patch ssb-sdio-don-t-overwrite-const-buffer-if-block_write-fails.patch seq_buf-make-trace_seq_putmem_hex-support-data-longer-than-8.patch fuse-check-connected-before-queueing-on-fpq-io.patch +spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch +spi-omap-100k-fix-the-length-judgment-problem.patch +crypto-nx-add-missing-module_device_table.patch +media-cpia2-fix-memory-leak-in-cpia2_usb_probe.patch +media-pvrusb2-fix-warning-in-pvr2_i2c_core_done.patch +crypto-qat-check-return-code-of-qat_hal_rd_rel_reg.patch +crypto-qat-remove-unused-macro-in-fw-loader.patch +media-v4l2-core-avoid-the-dangling-pointer-in-v4l2_f.patch +media-bt8xx-fix-a-missing-check-bug-in-bt878_probe.patch +mmc-via-sdmmc-add-a-check-against-null-pointer-deref.patch +crypto-shash-avoid-comparing-pointers-to-exported-fu.patch +media-dvb_net-avoid-speculation-from-net-slot.patch +btrfs-disable-build-on-platforms-having-page-size-25.patch +regulator-da9052-ensure-enough-delay-time-for-.set_v.patch +acpi-processor-idle-fix-up-c-state-latency-if-not-or.patch +block_dump-remove-block_dump-feature-in-mark_inode_d.patch +fs-dlm-cancel-work-sync-othercon.patch +random32-fix-implicit-truncation-warning-in-prandom_.patch +acpi-bus-call-kobject_put-in-acpi_init-error-path.patch +platform-x86-toshiba_acpi-fix-missing-error-code-in-.patch +ia64-mca_drv-fix-incorrect-array-size-calculation.patch +crypto-ixp4xx-dma_unmap-the-correct-address.patch +crypto-ux500-fix-error-return-code-in-hash_hw_final.patch +sata_highbank-fix-deferred-probing.patch +pata_rb532_cf-fix-deferred-probing.patch +media-i2c-change-rst-to-rset-to-fix-multiple-build-e.patch +pata_octeon_cf-avoid-warn_on-in-ata_host_activate.patch +pata_ep93xx-fix-deferred-probing.patch +media-tc358743-fix-error-return-code-in-tc358743_pro.patch +media-siano-fix-out-of-bounds-warnings-in-smscore_lo.patch +mmc-usdhi6rol0-fix-error-return-code-in-usdhi6_probe.patch +media-s5p-g2d-fix-a-memory-leak-on-ctx-fh.m2m_ctx.patch +spi-spi-sun6i-fix-chipselect-clock-bug.patch +crypto-nx-fix-rcu-warning-in-nx842_of_upd_status.patch +acpi-sysfs-fix-a-buffer-overrun-problem-with-descrip.patch +net-pch_gbe-propagate-error-from-devm_gpio_request_o.patch +ehea-fix-error-return-code-in-ehea_restart_qps.patch +drm-qxl-ensure-surf.data-is-ininitialized.patch +wireless-carl9170-fix-leds-build-errors-warnings.patch +brcmsmac-mac80211_if-fix-a-resource-leak-in-an-error.patch +ath10k-fix-an-error-code-in-ath10k_add_interface.patch +netlabel-fix-memory-leak-in-netlbl_mgmt_add_common.patch +netfilter-nft_exthdr-check-for-ipv6-packet-before-fu.patch +net-ethernet-aeroflex-fix-uaf-in-greth_of_remove.patch +net-ethernet-ezchip-fix-uaf-in-nps_enet_remove.patch +net-ethernet-ezchip-fix-error-handling.patch +vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch +i40e-fix-error-handling-in-i40e_vsi_open.patch +writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch +tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch +iio-adis_buffer-do-not-return-ints-in-irq-handlers.patch +iio-accel-bma180-fix-buffer-alignment-in-iio_push_to.patch +iio-accel-stk8312-fix-buffer-alignment-in-iio_push_t.patch +iio-accel-stk8ba50-fix-buffer-alignment-in-iio_push_.patch +input-hil_kbd-fix-error-return-code-in-hil_dev_conne.patch +char-pcmcia-error-out-if-num_bytes_read-is-greater-t.patch +tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch +scsi-flashpoint-rename-si_flags-field.patch +s390-appldata-depends-on-proc_sysctl.patch +staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch +staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch +scsi-mpt3sas-fix-error-return-value-in-_scsih_expand.patch +phy-ti-dm816x-fix-the-error-handling-path-in-dm816x_.patch +extcon-sm5502-drop-invalid-register-write-in-sm5502_.patch +extcon-max8997-add-missing-modalias-string.patch diff --git a/queue-4.4/spi-omap-100k-fix-the-length-judgment-problem.patch b/queue-4.4/spi-omap-100k-fix-the-length-judgment-problem.patch new file mode 100644 index 00000000000..576d97161c4 --- /dev/null +++ b/queue-4.4/spi-omap-100k-fix-the-length-judgment-problem.patch @@ -0,0 +1,36 @@ +From 7ef705f571c7e90ee92fb8215226dad41482a1c7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Apr 2021 19:20:48 +0800 +Subject: spi: omap-100k: Fix the length judgment problem + +From: Tian Tao + +[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ] + +word_len should be checked in the omap1_spi100k_setup_transfer +function to see if it exceeds 32. + +Signed-off-by: Tian Tao +Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-omap-100k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c +index 1eccdc4a4581..2eeb0fe2eed2 100644 +--- a/drivers/spi/spi-omap-100k.c ++++ b/drivers/spi/spi-omap-100k.c +@@ -251,7 +251,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi, + else + word_len = spi->bits_per_word; + +- if (spi->bits_per_word > 32) ++ if (word_len > 32) + return -EINVAL; + cs->word_len = word_len; + +-- +2.30.2 + diff --git a/queue-4.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch b/queue-4.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch new file mode 100644 index 00000000000..a0681f67f51 --- /dev/null +++ b/queue-4.4/spi-spi-sun6i-fix-chipselect-clock-bug.patch @@ -0,0 +1,56 @@ +From 2c5c5e03df9124653f228e22f23d98e1cd04751d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 16:45:07 +0200 +Subject: spi: spi-sun6i: Fix chipselect/clock bug + +From: Mirko Vogt + +[ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ] + +The current sun6i SPI implementation initializes the transfer too early, +resulting in SCK going high before the transfer. When using an additional +(gpio) chipselect with sun6i, the chipselect is asserted at a time when +clock is high, making the SPI transfer fail. + +This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into +SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer +function, hence, right before the transfer starts, mitigates that +problem. + +Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver) +Signed-off-by: Mirko Vogt +Signed-off-by: Ralf Schlatterbeck +Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-sun6i.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c +index 48888ab630c2..079bdc4e65ff 100644 +--- a/drivers/spi/spi-sun6i.c ++++ b/drivers/spi/spi-sun6i.c +@@ -249,6 +249,10 @@ static int sun6i_spi_transfer_one(struct spi_master *master, + } + + sun6i_spi_write(sspi, SUN6I_CLK_CTL_REG, reg); ++ /* Finally enable the bus - doing so before might raise SCK to HIGH */ ++ reg = sun6i_spi_read(sspi, SUN6I_GBL_CTL_REG); ++ reg |= SUN6I_GBL_CTL_BUS_ENABLE; ++ sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, reg); + + /* Setup the transfer now... */ + if (sspi->tx_buf) +@@ -332,7 +336,7 @@ static int sun6i_spi_runtime_resume(struct device *dev) + } + + sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, +- SUN6I_GBL_CTL_BUS_ENABLE | SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP); ++ SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP); + + return 0; + +-- +2.30.2 + diff --git a/queue-4.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch b/queue-4.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch new file mode 100644 index 00000000000..dfcdee869f0 --- /dev/null +++ b/queue-4.4/spi-spi-topcliff-pch-fix-potential-double-free-in-pc.patch @@ -0,0 +1,42 @@ +From 9f6309ae1eb2d8665ddbfb44f2a11151f96e5060 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 6 May 2021 15:08:08 +0800 +Subject: spi: spi-topcliff-pch: Fix potential double free in + pch_spi_process_messages() + +From: Jay Fang + +[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ] + +pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for +data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will +free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after +kfree() to avoid double free. + +Signed-off-by: Jay Fang +Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-topcliff-pch.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c +index 9f30a4ab2004..66c170e799fc 100644 +--- a/drivers/spi/spi-topcliff-pch.c ++++ b/drivers/spi/spi-topcliff-pch.c +@@ -589,8 +589,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw) + data->pkt_tx_buff = kzalloc(size, GFP_KERNEL); + if (data->pkt_tx_buff != NULL) { + data->pkt_rx_buff = kzalloc(size, GFP_KERNEL); +- if (!data->pkt_rx_buff) ++ if (!data->pkt_rx_buff) { + kfree(data->pkt_tx_buff); ++ data->pkt_tx_buff = NULL; ++ } + } + + if (!data->pkt_rx_buff) { +-- +2.30.2 + diff --git a/queue-4.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch b/queue-4.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch new file mode 100644 index 00000000000..952cbdb607a --- /dev/null +++ b/queue-4.4/staging-gdm724x-check-for-buffer-overflow-in-gdm_lte.patch @@ -0,0 +1,61 @@ +From 3218720482e2e92ec8bda7861788720ed6f47795 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 12:55:35 +0300 +Subject: staging: gdm724x: check for buffer overflow in + gdm_lte_multi_sdu_pkt() + +From: Dan Carpenter + +[ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ] + +There needs to be a check to verify that we don't read beyond the end +of "buf". This function is called from do_rx(). The "buf" is the USB +transfer_buffer and "len" is "urb->actual_length". + +Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gdm724x/gdm_lte.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c +index 79de678807cc..1eacf82d1bd0 100644 +--- a/drivers/staging/gdm724x/gdm_lte.c ++++ b/drivers/staging/gdm724x/gdm_lte.c +@@ -689,6 +689,7 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + struct multi_sdu *multi_sdu = (struct multi_sdu *)buf; + struct sdu *sdu = NULL; + u8 *data = (u8 *)multi_sdu->data; ++ int copied; + u16 i = 0; + u16 num_packet; + u16 hci_len; +@@ -702,6 +703,12 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + multi_sdu->num_packet); + + for (i = 0; i < num_packet; i++) { ++ copied = data - multi_sdu->data; ++ if (len < copied + sizeof(*sdu)) { ++ pr_err("rx prevent buffer overflow"); ++ return; ++ } ++ + sdu = (struct sdu *)data; + + cmd_evt = gdm_dev16_to_cpu(phy_dev-> +@@ -715,7 +722,8 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len) + pr_err("rx sdu wrong hci %04x\n", cmd_evt); + return; + } +- if (hci_len < 12) { ++ if (hci_len < 12 || ++ len < copied + sizeof(*sdu) + (hci_len - 12)) { + pr_err("rx sdu invalid len %d\n", hci_len); + return; + } +-- +2.30.2 + diff --git a/queue-4.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch b/queue-4.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch new file mode 100644 index 00000000000..3e51285bd5e --- /dev/null +++ b/queue-4.4/staging-gdm724x-check-for-overflow-in-gdm_lte_netif_.patch @@ -0,0 +1,45 @@ +From 75e1d3533ea2453c768c13c8ac48d05715799898 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Jun 2021 12:58:36 +0300 +Subject: staging: gdm724x: check for overflow in gdm_lte_netif_rx() + +From: Dan Carpenter + +[ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ] + +This code assumes that "len" is at least 62 bytes, but we need a check +to prevent a read overflow. + +Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/gdm724x/gdm_lte.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c +index 1eacf82d1bd0..8561f7fb53e9 100644 +--- a/drivers/staging/gdm724x/gdm_lte.c ++++ b/drivers/staging/gdm724x/gdm_lte.c +@@ -624,10 +624,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf, + * bytes (99,130,83,99 dec) + */ + } __packed; +- void *addr = buf + sizeof(struct iphdr) + +- sizeof(struct udphdr) + +- offsetof(struct dhcp_packet, chaddr); +- ether_addr_copy(nic->dest_mac_addr, addr); ++ int offset = sizeof(struct iphdr) + ++ sizeof(struct udphdr) + ++ offsetof(struct dhcp_packet, chaddr); ++ if (offset + ETH_ALEN > len) ++ return; ++ ether_addr_copy(nic->dest_mac_addr, buf + offset); + } + } + +-- +2.30.2 + diff --git a/queue-4.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch b/queue-4.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch new file mode 100644 index 00000000000..c9b8269f480 --- /dev/null +++ b/queue-4.4/tty-nozomi-fix-a-resource-leak-in-an-error-handling-.patch @@ -0,0 +1,39 @@ +From 2979fece7a33fde8581d012582071bc24fa9aadd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 May 2021 19:22:33 +0200 +Subject: tty: nozomi: Fix a resource leak in an error handling function + +From: Christophe JAILLET + +[ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ] + +A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in +the error handling path, as already done in the remove function. + +Add it. + +Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") +Reviewed-by: Jiri Slaby +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/nozomi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c +index 5cc80b80c82b..880cfc780e67 100644 +--- a/drivers/tty/nozomi.c ++++ b/drivers/tty/nozomi.c +@@ -1479,6 +1479,7 @@ err_free_tty: + tty_unregister_device(ntty_driver, dc->index_start + i); + tty_port_destroy(&dc->port[i].port); + } ++ free_irq(pdev->irq, dc); + err_free_kfifo: + for (i = 0; i < MAX_PORT; i++) + kfifo_free(&dc->port[i].fifo_ul); +-- +2.30.2 + diff --git a/queue-4.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch b/queue-4.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch new file mode 100644 index 00000000000..12254d74673 --- /dev/null +++ b/queue-4.4/tty-nozomi-fix-the-error-handling-path-of-nozomi_car.patch @@ -0,0 +1,58 @@ +From c73f06cbf64840680096cd7062edfe6b24e6a3ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 May 2021 20:51:57 +0200 +Subject: tty: nozomi: Fix the error handling path of 'nozomi_card_init()' + +From: Christophe JAILLET + +[ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ] + +The error handling path is broken and we may un-register things that have +never been registered. + +Update the loops index accordingly. + +Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result") +Suggested-by: Dan Carpenter +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/nozomi.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c +index 880cfc780e67..1a3cc6ef4331 100644 +--- a/drivers/tty/nozomi.c ++++ b/drivers/tty/nozomi.c +@@ -1437,7 +1437,7 @@ static int nozomi_card_init(struct pci_dev *pdev, + NOZOMI_NAME, dc); + if (unlikely(ret)) { + dev_err(&pdev->dev, "can't request irq %d\n", pdev->irq); +- goto err_free_kfifo; ++ goto err_free_all_kfifo; + } + + DBG1("base_addr: %p", dc->base_addr); +@@ -1475,13 +1475,15 @@ static int nozomi_card_init(struct pci_dev *pdev, + return 0; + + err_free_tty: +- for (i = 0; i < MAX_PORT; ++i) { ++ for (i--; i >= 0; i--) { + tty_unregister_device(ntty_driver, dc->index_start + i); + tty_port_destroy(&dc->port[i].port); + } + free_irq(pdev->irq, dc); ++err_free_all_kfifo: ++ i = MAX_PORT; + err_free_kfifo: +- for (i = 0; i < MAX_PORT; i++) ++ for (i--; i >= PORT_MDM; i--) + kfifo_free(&dc->port[i].fifo_ul); + err_free_sbuf: + kfree(dc->send_buf); +-- +2.30.2 + diff --git a/queue-4.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch b/queue-4.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch new file mode 100644 index 00000000000..95d8c401395 --- /dev/null +++ b/queue-4.4/vxlan-add-missing-rcu_read_lock-in-neigh_reduce.patch @@ -0,0 +1,84 @@ +From 996a3ae7ea7dc4b723cba7b92f0a64198777265a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Jun 2021 07:44:17 -0700 +Subject: vxlan: add missing rcu_read_lock() in neigh_reduce() + +From: Eric Dumazet + +[ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ] + +syzbot complained in neigh_reduce(), because rcu_read_lock_bh() +is treated differently than rcu_read_lock() + +WARNING: suspicious RCU usage +5.13.0-rc6-syzkaller #0 Not tainted +----------------------------- +include/net/addrconf.h:313 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: + +rcu_scheduler_active = 2, debug_locks = 1 +3 locks held by kworker/0:0/5: + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline] + #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247 + #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251 + #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180 + +stack backtrace: +CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Workqueue: events ipvlan_process_multicast +Call Trace: + __dump_stack lib/dump_stack.c:79 [inline] + dump_stack+0x141/0x1d7 lib/dump_stack.c:120 + __in6_dev_get include/net/addrconf.h:313 [inline] + __in6_dev_get include/net/addrconf.h:311 [inline] + neigh_reduce drivers/net/vxlan.c:2167 [inline] + vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919 + __netdev_start_xmit include/linux/netdevice.h:4944 [inline] + netdev_start_xmit include/linux/netdevice.h:4958 [inline] + xmit_one net/core/dev.c:3654 [inline] + dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670 + __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246 + ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287 + process_one_work+0x98d/0x1600 kernel/workqueue.c:2276 + worker_thread+0x64c/0x1120 kernel/workqueue.c:2422 + kthread+0x3b1/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294 + +Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/vxlan.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c +index 50ede6b8b874..4d44ec5b7cd7 100644 +--- a/drivers/net/vxlan.c ++++ b/drivers/net/vxlan.c +@@ -1549,6 +1549,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb) + struct neighbour *n; + struct inet6_dev *in6_dev; + ++ rcu_read_lock(); + in6_dev = __in6_dev_get(dev); + if (!in6_dev) + goto out; +@@ -1605,6 +1606,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb) + } + + out: ++ rcu_read_unlock(); + consume_skb(skb); + return NETDEV_TX_OK; + } +-- +2.30.2 + diff --git a/queue-4.4/wireless-carl9170-fix-leds-build-errors-warnings.patch b/queue-4.4/wireless-carl9170-fix-leds-build-errors-warnings.patch new file mode 100644 index 00000000000..b1608112e93 --- /dev/null +++ b/queue-4.4/wireless-carl9170-fix-leds-build-errors-warnings.patch @@ -0,0 +1,66 @@ +From f467db8764611012f332504e91241c972e19cc13 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 May 2021 17:41:28 +0300 +Subject: wireless: carl9170: fix LEDS build errors & warnings + +From: Randy Dunlap + +[ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ] + +kernel test robot reports over 200 build errors and warnings +that are due to this Kconfig problem when CARL9170=m, +MAC80211=y, and LEDS_CLASS=m. + +WARNING: unmet direct dependencies detected for MAC80211_LEDS + Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y]) + Selected by [m]: + - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m] + +CARL9170_LEDS selects MAC80211_LEDS even though its kconfig +dependencies are not met. This happens because 'select' does not follow +any Kconfig dependency chains. + +Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where +the latter supplies any needed dependencies on LEDS_CLASS. + +Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Cc: Kalle Valo +Cc: Christian Lamparter +Cc: linux-wireless@vger.kernel.org +Cc: Arnd Bergmann +Suggested-by: Christian Lamparter +Acked-by: Arnd Bergmann +Acked-by: Christian Lamparter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/carl9170/Kconfig | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/ath/carl9170/Kconfig b/drivers/net/wireless/ath/carl9170/Kconfig +index 1a796e5f69ec..3fc87997fcb3 100644 +--- a/drivers/net/wireless/ath/carl9170/Kconfig ++++ b/drivers/net/wireless/ath/carl9170/Kconfig +@@ -17,13 +17,11 @@ config CARL9170 + + config CARL9170_LEDS + bool "SoftLED Support" +- depends on CARL9170 +- select MAC80211_LEDS +- select LEDS_CLASS +- select NEW_LEDS + default y ++ depends on CARL9170 ++ depends on MAC80211_LEDS + help +- This option is necessary, if you want your device' LEDs to blink ++ This option is necessary, if you want your device's LEDs to blink. + + Say Y, unless you need the LEDs for firmware debugging. + +-- +2.30.2 + diff --git a/queue-4.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch b/queue-4.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch new file mode 100644 index 00000000000..9bead9fdad7 --- /dev/null +++ b/queue-4.4/writeback-fix-obtain-a-reference-to-a-freeing-memcg-.patch @@ -0,0 +1,61 @@ +From 00091ce27f5bfd1012bce06d71ddb131e38ded35 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Apr 2021 17:11:45 +0800 +Subject: writeback: fix obtain a reference to a freeing memcg css + +From: Muchun Song + +[ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ] + +The caller of wb_get_create() should pin the memcg, because +wb_get_create() relies on this guarantee. The rcu read lock +only can guarantee that the memcg css returned by css_from_id() +cannot be released, but the reference of the memcg can be zero. + + rcu_read_lock() + memcg_css = css_from_id() + wb_get_create(memcg_css) + cgwb_create(memcg_css) + // css_get can change the ref counter from 0 back to 1 + css_get(memcg_css) + rcu_read_unlock() + +Fix it by holding a reference to the css before calling +wb_get_create(). This is not a problem I encountered in the +real world. Just the result of a code review. + +Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates") +Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com +Signed-off-by: Muchun Song +Acked-by: Michal Hocko +Acked-by: Tejun Heo +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/fs-writeback.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c +index 958a1bd0b5fc..0ce7ff7a2ce8 100644 +--- a/fs/fs-writeback.c ++++ b/fs/fs-writeback.c +@@ -512,9 +512,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id) + /* find and pin the new wb */ + rcu_read_lock(); + memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys); +- if (memcg_css) +- isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC); ++ if (memcg_css && !css_tryget(memcg_css)) ++ memcg_css = NULL; + rcu_read_unlock(); ++ if (!memcg_css) ++ goto out_free; ++ ++ isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC); ++ css_put(memcg_css); + if (!isw->new_wb) + goto out_free; + +-- +2.30.2 +