From: Greg Kroah-Hartman Date: Sun, 14 Nov 2021 14:33:09 +0000 (+0100) Subject: 5.10-stable patches X-Git-Tag: v5.4.160~87 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=88b37a3562ab864489d567f58d73f8db871eb18a;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: coresight-cti-correct-the-parameter-for-pm_runtime_put.patch iio-ad5770r-make-devicetree-property-reading-consistent.patch iio-dac-ad5446-fix-ad5622_write-return-value.patch most-fix-control-message-timeouts.patch pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch serial-8250-fix-racy-uartclk-update.patch usb-chipidea-fix-interrupt-deadlock.patch usb-iowarrior-fix-control-message-timeouts.patch usb-serial-keyspan-fix-memleak-on-probe-errors.patch --- diff --git a/queue-5.10/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch b/queue-5.10/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch new file mode 100644 index 00000000000..82207397e91 --- /dev/null +++ b/queue-5.10/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch @@ -0,0 +1,35 @@ +From 692c9a499b286ea478f41b23a91fe3873b9e1326 Mon Sep 17 00:00:00 2001 +From: Tao Zhang +Date: Thu, 19 Aug 2021 17:29:37 +0800 +Subject: coresight: cti: Correct the parameter for pm_runtime_put + +From: Tao Zhang + +commit 692c9a499b286ea478f41b23a91fe3873b9e1326 upstream. + +The input parameter of the function pm_runtime_put should be the +same in the function cti_enable_hw and cti_disable_hw. The correct +parameter to use here should be dev->parent. + +Signed-off-by: Tao Zhang +Reviewed-by: Leo Yan +Fixes: 835d722ba10a ("coresight: cti: Initial CoreSight CTI Driver") +Cc: stable +Link: https://lore.kernel.org/r/1629365377-5937-1-git-send-email-quic_taozha@quicinc.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-cti-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-cti-core.c ++++ b/drivers/hwtracing/coresight/coresight-cti-core.c +@@ -174,7 +174,7 @@ static int cti_disable_hw(struct cti_drv + coresight_disclaim_device_unlocked(drvdata->base); + CS_LOCK(drvdata->base); + spin_unlock(&drvdata->spinlock); +- pm_runtime_put(dev); ++ pm_runtime_put(dev->parent); + return 0; + + /* not disabled this call */ diff --git a/queue-5.10/iio-ad5770r-make-devicetree-property-reading-consistent.patch b/queue-5.10/iio-ad5770r-make-devicetree-property-reading-consistent.patch new file mode 100644 index 00000000000..6a284e864d5 --- /dev/null +++ b/queue-5.10/iio-ad5770r-make-devicetree-property-reading-consistent.patch @@ -0,0 +1,47 @@ +From 26df977a909f818b7d346b3990735513e7e0bf93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Wed, 18 Aug 2021 10:05:25 +0200 +Subject: iio: ad5770r: make devicetree property reading consistent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 26df977a909f818b7d346b3990735513e7e0bf93 upstream. + +The bindings file for this driver is defining the property as 'reg' but +the driver was reading it with the 'num' name. The bindings actually had +the 'num' property when added in +commit ea52c21268e6 ("dt-bindings: iio: dac: Add docs for AD5770R DAC") +and then changed it to 'reg' in +commit 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors"). +However, both these commits landed in v5.7 so the assumption is +that either 'num' is not being used or if it is, the validations were not +done. + +Anyways, if someone comes back yelling about this, we might just support +both of the properties in the future. Not ideal, but that's life... + +Fixes: 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors") +Signed-off-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210818080525.62790-1-nuno.sa@analog.com +Cc: Stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5770r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5770r.c ++++ b/drivers/iio/dac/ad5770r.c +@@ -522,7 +522,7 @@ static int ad5770r_channel_config(struct + return -EINVAL; + + device_for_each_child_node(&st->spi->dev, child) { +- ret = fwnode_property_read_u32(child, "num", &num); ++ ret = fwnode_property_read_u32(child, "reg", &num); + if (ret) + goto err_child_out; + if (num >= AD5770R_MAX_CHANNELS) { diff --git a/queue-5.10/iio-dac-ad5446-fix-ad5622_write-return-value.patch b/queue-5.10/iio-dac-ad5446-fix-ad5622_write-return-value.patch new file mode 100644 index 00000000000..dc1b4d8c355 --- /dev/null +++ b/queue-5.10/iio-dac-ad5446-fix-ad5622_write-return-value.patch @@ -0,0 +1,47 @@ +From 558df982d4ead9cac628153d0d7b60feae05ddc8 Mon Sep 17 00:00:00 2001 +From: Pekka Korpinen +Date: Wed, 29 Sep 2021 21:57:55 +0300 +Subject: iio: dac: ad5446: Fix ad5622_write() return value + +From: Pekka Korpinen + +commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream. + +On success i2c_master_send() returns the number of bytes written. The +call from iio_write_channel_info(), however, expects the return value to +be zero on success. + +This bug causes incorrect consumption of the sysfs buffer in +iio_write_channel_info(). When writing more than two characters to +out_voltage0_raw, the ad5446 write handler is called multiple times +causing unexpected behavior. + +Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs") +Signed-off-by: Pekka Korpinen +Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5446.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5446.c ++++ b/drivers/iio/dac/ad5446.c +@@ -531,8 +531,15 @@ static int ad5622_write(struct ad5446_st + { + struct i2c_client *client = to_i2c_client(st->dev); + __be16 data = cpu_to_be16(val); ++ int ret; + +- return i2c_master_send(client, (char *)&data, sizeof(data)); ++ ret = i2c_master_send(client, (char *)&data, sizeof(data)); ++ if (ret < 0) ++ return ret; ++ if (ret != sizeof(data)) ++ return -EIO; ++ ++ return 0; + } + + /* diff --git a/queue-5.10/most-fix-control-message-timeouts.patch b/queue-5.10/most-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..9902c4fd111 --- /dev/null +++ b/queue-5.10/most-fix-control-message-timeouts.patch @@ -0,0 +1,45 @@ +From 63b3e810eff65fb8587fcb26fa0b56802be12dcf Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:58:11 +0200 +Subject: most: fix control-message timeouts + +From: Johan Hovold + +commit 63b3e810eff65fb8587fcb26fa0b56802be12dcf upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout defines for the five-second +timeouts. + +Fixes: 97a6f772f36b ("drivers: most: add USB adapter driver") +Cc: stable@vger.kernel.org # 5.9 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025115811.5410-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/most/most_usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/most/most_usb.c ++++ b/drivers/most/most_usb.c +@@ -149,7 +149,8 @@ static inline int drci_rd_reg(struct usb + retval = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + DRCI_READ_REQ, req_type, + 0x0000, +- reg, dma_buf, sizeof(*dma_buf), 5 * HZ); ++ reg, dma_buf, sizeof(*dma_buf), ++ USB_CTRL_GET_TIMEOUT); + *buf = le16_to_cpu(*dma_buf); + kfree(dma_buf); + +@@ -176,7 +177,7 @@ static inline int drci_wr_reg(struct usb + reg, + NULL, + 0, +- 5 * HZ); ++ USB_CTRL_SET_TIMEOUT); + } + + static inline int start_sync_ep(struct usb_device *usb_dev, u16 ep) diff --git a/queue-5.10/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch b/queue-5.10/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch new file mode 100644 index 00000000000..48333366f53 --- /dev/null +++ b/queue-5.10/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch @@ -0,0 +1,49 @@ +From c7892ae13e461ed20154321eb792e07ebe38f5b3 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Fri, 22 Oct 2021 09:43:23 +0800 +Subject: pinctrl: core: fix possible memory leak in pinctrl_enable() + +From: Yang Yingliang + +commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888020a7a680 (size 64): + comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s) + hex dump (first 32 bytes): + 00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360 + [<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70 + [<0000000064346707>] pinctrl_register+0x27/0x80 + [<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0 + [<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08] + [<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c] + +If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin() +need be freed. + +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot +Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -2077,6 +2077,8 @@ int pinctrl_enable(struct pinctrl_dev *p + if (error) { + dev_err(pctldev->dev, "could not claim hogs: %i\n", + error); ++ pinctrl_free_pindescs(pctldev, pctldev->desc->pins, ++ pctldev->desc->npins); + mutex_destroy(&pctldev->mutex); + kfree(pctldev); + diff --git a/queue-5.10/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch b/queue-5.10/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch new file mode 100644 index 00000000000..674ccd55878 --- /dev/null +++ b/queue-5.10/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch @@ -0,0 +1,38 @@ +From 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a Mon Sep 17 00:00:00 2001 +From: Sebastian Krzyszkowiak +Date: Tue, 14 Sep 2021 14:18:05 +0200 +Subject: power: supply: max17042_battery: Clear status bits in interrupt handler + +From: Sebastian Krzyszkowiak + +commit 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a upstream. + +The gauge requires us to clear the status bits manually for some alerts +to be properly dismissed. Previously the IRQ was configured to react only +on falling edge, which wasn't technically correct (the ALRT line is active +low), but it had a happy side-effect of preventing interrupt storms +on uncleared alerts from happening. + +Fixes: 7fbf6b731bca ("power: supply: max17042: Do not enforce (incorrect) interrupt trigger type") +Cc: +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -875,6 +875,10 @@ static irqreturn_t max17042_thread_handl + max17042_set_soc_threshold(chip, 1); + } + ++ /* we implicitly handle all alerts via power_supply_changed */ ++ regmap_clear_bits(chip->regmap, MAX17042_STATUS, ++ 0xFFFF & ~(STATUS_POR_BIT | STATUS_BST_BIT)); ++ + power_supply_changed(chip->battery); + return IRQ_HANDLED; + } diff --git a/queue-5.10/serial-8250-fix-racy-uartclk-update.patch b/queue-5.10/serial-8250-fix-racy-uartclk-update.patch new file mode 100644 index 00000000000..32883e51eb9 --- /dev/null +++ b/queue-5.10/serial-8250-fix-racy-uartclk-update.patch @@ -0,0 +1,83 @@ +From 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 15 Oct 2021 13:14:20 +0200 +Subject: serial: 8250: fix racy uartclk update + +From: Johan Hovold + +commit 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee upstream. + +Commit 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +added a hack to support SoCs where the UART reference clock can +change behind the back of the driver but failed to add the proper +locking. + +First, make sure to take a reference to the tty struct to avoid +dereferencing a NULL pointer if the clock change races with a hangup. + +Second, the termios semaphore must be held during the update to prevent +a racing termios change. + +Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +Fixes: c8dff3aa8241 ("serial: 8250: Skip uninitialized TTY port baud rate update") +Cc: stable@vger.kernel.org # 5.9 +Cc: Serge Semin +Tested-by: Serge Semin +Reviewed-by: Serge Semin +Acked-by: Andy Shevchenko +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211015111422.1027-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2675,21 +2675,32 @@ static unsigned int serial8250_get_baud_ + void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + { + struct uart_8250_port *up = up_to_u8250p(port); ++ struct tty_port *tport = &port->state->port; + unsigned int baud, quot, frac = 0; + struct ktermios *termios; ++ struct tty_struct *tty; + unsigned long flags; + +- mutex_lock(&port->state->port.mutex); ++ tty = tty_port_tty_get(tport); ++ if (!tty) { ++ mutex_lock(&tport->mutex); ++ port->uartclk = uartclk; ++ mutex_unlock(&tport->mutex); ++ return; ++ } ++ ++ down_write(&tty->termios_rwsem); ++ mutex_lock(&tport->mutex); + + if (port->uartclk == uartclk) + goto out_lock; + + port->uartclk = uartclk; + +- if (!tty_port_initialized(&port->state->port)) ++ if (!tty_port_initialized(tport)) + goto out_lock; + +- termios = &port->state->port.tty->termios; ++ termios = &tty->termios; + + baud = serial8250_get_baud_rate(port, termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); +@@ -2706,7 +2717,9 @@ void serial8250_update_uartclk(struct ua + serial8250_rpm_put(up); + + out_lock: +- mutex_unlock(&port->state->port.mutex); ++ mutex_unlock(&tport->mutex); ++ up_write(&tty->termios_rwsem); ++ tty_kref_put(tty); + } + EXPORT_SYMBOL_GPL(serial8250_update_uartclk); + diff --git a/queue-5.10/series b/queue-5.10/series index 7cc9f20c2de..2903067e2a1 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -150,3 +150,13 @@ pci-aardvark-set-pci-bridge-class-code-to-pci-bridge.patch pci-aardvark-fix-support-for-pci_rom_address1-on-emulated-bridge.patch quota-check-block-number-when-reading-the-block-in-quota-file.patch quota-correct-error-number-in-free_dqentry.patch +pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch +coresight-cti-correct-the-parameter-for-pm_runtime_put.patch +iio-dac-ad5446-fix-ad5622_write-return-value.patch +iio-ad5770r-make-devicetree-property-reading-consistent.patch +usb-serial-keyspan-fix-memleak-on-probe-errors.patch +serial-8250-fix-racy-uartclk-update.patch +most-fix-control-message-timeouts.patch +usb-iowarrior-fix-control-message-timeouts.patch +usb-chipidea-fix-interrupt-deadlock.patch +power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch diff --git a/queue-5.10/usb-chipidea-fix-interrupt-deadlock.patch b/queue-5.10/usb-chipidea-fix-interrupt-deadlock.patch new file mode 100644 index 00000000000..2a45681a425 --- /dev/null +++ b/queue-5.10/usb-chipidea-fix-interrupt-deadlock.patch @@ -0,0 +1,105 @@ +From 9aaa81c3366e8393a62374e3a1c67c69edc07b8a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 21 Oct 2021 10:34:47 +0200 +Subject: USB: chipidea: fix interrupt deadlock + +From: Johan Hovold + +commit 9aaa81c3366e8393a62374e3a1c67c69edc07b8a upstream. + +Chipidea core was calling the interrupt handler from non-IRQ context +with interrupts enabled, something which can lead to a deadlock if +there's an actual interrupt trying to take a lock that's already held +(e.g. the controller lock in udc_irq()). + +Add a wrapper that can be used to fake interrupts instead of calling the +handler directly. + +Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") +Fixes: 876d4e1e8298 ("usb: chipidea: core: add wakeup support for extcon") +Cc: Peter Chen +Cc: stable@vger.kernel.org # 4.4 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211021083447.20078-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -509,7 +509,7 @@ int hw_device_reset(struct ci_hdrc *ci) + return 0; + } + +-static irqreturn_t ci_irq(int irq, void *data) ++static irqreturn_t ci_irq_handler(int irq, void *data) + { + struct ci_hdrc *ci = data; + irqreturn_t ret = IRQ_NONE; +@@ -562,6 +562,15 @@ static irqreturn_t ci_irq(int irq, void + return ret; + } + ++static void ci_irq(struct ci_hdrc *ci) ++{ ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ ci_irq_handler(ci->irq, ci); ++ local_irq_restore(flags); ++} ++ + static int ci_cable_notifier(struct notifier_block *nb, unsigned long event, + void *ptr) + { +@@ -571,7 +580,7 @@ static int ci_cable_notifier(struct noti + cbl->connected = event; + cbl->changed = true; + +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + return NOTIFY_DONE; + } + +@@ -612,7 +621,7 @@ static int ci_usb_role_switch_set(struct + if (cable) { + cable->changed = true; + cable->connected = false; +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + spin_unlock_irqrestore(&ci->lock, flags); + if (ci->wq && role != USB_ROLE_NONE) + flush_workqueue(ci->wq); +@@ -630,7 +639,7 @@ static int ci_usb_role_switch_set(struct + if (cable) { + cable->changed = true; + cable->connected = true; +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + } + spin_unlock_irqrestore(&ci->lock, flags); + pm_runtime_put_sync(ci->dev); +@@ -1166,7 +1175,7 @@ static int ci_hdrc_probe(struct platform + } + } + +- ret = devm_request_irq(dev, ci->irq, ci_irq, IRQF_SHARED, ++ ret = devm_request_irq(dev, ci->irq, ci_irq_handler, IRQF_SHARED, + ci->platdata->name, ci); + if (ret) + goto stop; +@@ -1287,11 +1296,11 @@ static void ci_extcon_wakeup_int(struct + + if (!IS_ERR(cable_id->edev) && ci->is_otg && + (otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS)) +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + + if (!IS_ERR(cable_vbus->edev) && ci->is_otg && + (otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS)) +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + } + + static int ci_controller_resume(struct device *dev) diff --git a/queue-5.10/usb-iowarrior-fix-control-message-timeouts.patch b/queue-5.10/usb-iowarrior-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..d987df6dcd0 --- /dev/null +++ b/queue-5.10/usb-iowarrior-fix-control-message-timeouts.patch @@ -0,0 +1,55 @@ +From 79a4479a17b83310deb0b1a2a274fe5be12d2318 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:51:59 +0200 +Subject: USB: iowarrior: fix control-message timeouts + +From: Johan Hovold + +commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout define for the five-second +timeout and drop the driver-specific one. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Cc: stable@vger.kernel.org # 2.6.21 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/iowarrior.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -99,10 +99,6 @@ struct iowarrior { + /* globals */ + /*--------------*/ + +-/* +- * USB spec identifies 5 second timeouts. +- */ +-#define GET_TIMEOUT 5 + #define USB_REQ_GET_REPORT 0x01 + //#if 0 + static int usb_get_report(struct usb_device *dev, +@@ -114,7 +110,7 @@ static int usb_get_report(struct usb_dev + USB_DIR_IN | USB_TYPE_CLASS | + USB_RECIP_INTERFACE, (type << 8) + id, + inter->desc.bInterfaceNumber, buf, size, +- GET_TIMEOUT*HZ); ++ USB_CTRL_GET_TIMEOUT); + } + //#endif + +@@ -129,7 +125,7 @@ static int usb_set_report(struct usb_int + USB_TYPE_CLASS | USB_RECIP_INTERFACE, + (type << 8) + id, + intf->cur_altsetting->desc.bInterfaceNumber, buf, +- size, HZ); ++ size, 1000); + } + + /*---------------------*/ diff --git a/queue-5.10/usb-serial-keyspan-fix-memleak-on-probe-errors.patch b/queue-5.10/usb-serial-keyspan-fix-memleak-on-probe-errors.patch new file mode 100644 index 00000000000..e06508e2e6d --- /dev/null +++ b/queue-5.10/usb-serial-keyspan-fix-memleak-on-probe-errors.patch @@ -0,0 +1,98 @@ +From 910c996335c37552ee30fcb837375b808bb4f33b Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Fri, 15 Oct 2021 16:55:43 +0800 +Subject: USB: serial: keyspan: fix memleak on probe errors + +From: Wang Hai + +commit 910c996335c37552ee30fcb837375b808bb4f33b upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888258228440 (size 64): + comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] keyspan_port_probe+0xa4/0x5d0 [keyspan] + [] usb_serial_device_probe+0x97/0x1d0 [usbserial] + [] really_probe+0x167/0x460 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_serial_probe.cold+0xc9b/0x14ac [usbserial] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x167/0x460 + +If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or +in_buffer[i], the previously allocated memory for out_buffer or +in_buffer needs to be freed on the error handling path, otherwise a +memory leak will result. + +Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com +Cc: stable@vger.kernel.org # 3.12 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/keyspan.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -2910,22 +2910,22 @@ static int keyspan_port_probe(struct usb + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) { + p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL); + if (!p_priv->in_buffer[i]) +- goto err_in_buffer; ++ goto err_free_in_buffer; + } + + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) { + p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL); + if (!p_priv->out_buffer[i]) +- goto err_out_buffer; ++ goto err_free_out_buffer; + } + + p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL); + if (!p_priv->inack_buffer) +- goto err_inack_buffer; ++ goto err_free_out_buffer; + + p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL); + if (!p_priv->outcont_buffer) +- goto err_outcont_buffer; ++ goto err_free_inack_buffer; + + p_priv->device_details = d_details; + +@@ -2971,15 +2971,14 @@ static int keyspan_port_probe(struct usb + + return 0; + +-err_outcont_buffer: ++err_free_inack_buffer: + kfree(p_priv->inack_buffer); +-err_inack_buffer: ++err_free_out_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) + kfree(p_priv->out_buffer[i]); +-err_out_buffer: ++err_free_in_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) + kfree(p_priv->in_buffer[i]); +-err_in_buffer: + kfree(p_priv); + + return -ENOMEM;