From: Greg Kroah-Hartman Date: Mon, 28 Dec 2020 11:37:47 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.4.249~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a53d6d85a0a97484fe1f94dfa81817a18e8cb3b5;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch iio-buffer-fix-demux-update.patch iio-pressure-mpl3115-force-alignment-of-buffer.patch jfs-fix-array-index-bounds-check-in-dbadjtree.patch mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch spi-davinci-fix-use-after-free-on-unbind.patch spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch spi-spi-sh-fix-use-after-free-on-unbind.patch spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch --- diff --git a/queue-4.9/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch b/queue-4.9/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch new file mode 100644 index 00000000000..2721519c5e7 --- /dev/null +++ b/queue-4.9/clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch 
@@ -0,0 +1,43 @@ +From 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 Mon Sep 17 00:00:00 2001 +From: Terry Zhou +Date: Fri, 6 Nov 2020 11:00:39 +0100 +Subject: clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Terry Zhou + +commit 6f37689cf6b38fff96de52e7f0d3e78f22803ba0 upstream. + +There is an error in the current code that the XTAL MODE +pin was set to NB MPP1_31 which should be NB MPP1_9. +The latch register of NB MPP1_9 has different offset of 0x8. + +Signed-off-by: Terry Zhou +[pali: Fix pin name in commit message] +Signed-off-by: Pali Rohár +Fixes: 7ea8250406a6 ("clk: mvebu: Add the xtal clock for Armada 3700 SoC") +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20201106100039.11385-1-pali@kernel.org +Reviewed-by: Marek Behún +Signed-off-by: Stephen Boyd +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/mvebu/armada-37xx-xtal.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/clk/mvebu/armada-37xx-xtal.c ++++ b/drivers/clk/mvebu/armada-37xx-xtal.c +@@ -15,8 +15,8 @@ + #include + #include + +-#define NB_GPIO1_LATCH 0xC +-#define XTAL_MODE BIT(31) ++#define NB_GPIO1_LATCH 0x8 ++#define XTAL_MODE BIT(9) + + static int armada_3700_xtal_clock_probe(struct platform_device *pdev) + { diff --git a/queue-4.9/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch b/queue-4.9/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch new file mode 100644 index 00000000000..9d81a480f01 --- /dev/null +++ b/queue-4.9/drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch 
@@ -0,0 +1,151 @@ +From 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 Mon Sep 17 00:00:00 2001 +From: Zwane Mwaikambo +Date: Mon, 12 Oct 2020 22:59:14 -0700 +Subject: drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() + +From: Zwane Mwaikambo + +commit 73b62cdb93b68d7e2c1d373c6a411bc00c53e702 upstream. + +I observed this when unplugging a DP monitor whilst a computer is asleep +and then waking it up. This left DP chardev nodes still being present on +the filesystem and accessing these device nodes caused an oops because +drm_dp_aux_dev_get_by_minor() assumes a device exists if it is opened. +This can also be reproduced by creating a device node with mknod(1) and +issuing an open(2) + +[166164.933198] BUG: kernel NULL pointer dereference, address: 0000000000000018 +[166164.933202] #PF: supervisor read access in kernel mode +[166164.933204] #PF: error_code(0x0000) - not-present page +[166164.933205] PGD 0 P4D 0 +[166164.933208] Oops: 0000 [#1] PREEMPT SMP NOPTI +[166164.933211] CPU: 4 PID: 99071 Comm: fwupd Tainted: G W +5.8.0-rc6+ #1 +[166164.933213] Hardware name: LENOVO 20RD002VUS/20RD002VUS, BIOS R16ET25W +(1.11 ) 04/21/2020 +[166164.933232] RIP: 0010:drm_dp_aux_dev_get_by_minor+0x29/0x70 +[drm_kms_helper] +[166164.933234] Code: 00 0f 1f 44 00 00 55 48 89 e5 41 54 41 89 fc 48 c7 +c7 60 01 a4 c0 e8 26 ab 30 d7 44 89 e6 48 c7 c7 80 01 a4 c0 e8 47 94 d6 d6 +<8b> 50 18 49 89 c4 48 8d 78 18 85 d2 74 33 8d 4a 01 89 d0 f0 0f b1 +[166164.933236] RSP: 0018:ffffb7d7c41cbbf0 EFLAGS: 00010246 +[166164.933237] RAX: 0000000000000000 RBX: ffff8a90001fe900 RCX: 0000000000000000 +[166164.933238] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffffffc0a40180 +[166164.933239] RBP: ffffb7d7c41cbbf8 R08: 0000000000000000 R09: ffff8a93e157d6d0 +[166164.933240] R10: 0000000000000000 R11: ffffffffc0a40188 R12: 0000000000000003 +[166164.933241] R13: ffff8a9402200e80 R14: ffff8a90001fe900 R15: 0000000000000000 +[166164.933244] FS: 00007f7fb041eb00(0000) 
GS:ffff8a9411500000(0000) +knlGS:0000000000000000 +[166164.933245] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[166164.933246] CR2: 0000000000000018 CR3: 00000000352c2003 CR4: 00000000003606e0 +[166164.933247] Call Trace: +[166164.933264] auxdev_open+0x1b/0x40 [drm_kms_helper] +[166164.933278] chrdev_open+0xa7/0x1c0 +[166164.933282] ? cdev_put.part.0+0x20/0x20 +[166164.933287] do_dentry_open+0x161/0x3c0 +[166164.933291] vfs_open+0x2d/0x30 +[166164.933297] path_openat+0xb27/0x10e0 +[166164.933306] ? atime_needs_update+0x73/0xd0 +[166164.933309] do_filp_open+0x91/0x100 +[166164.933313] ? __alloc_fd+0xb2/0x150 +[166164.933316] do_sys_openat2+0x210/0x2d0 +[166164.933318] do_sys_open+0x46/0x80 +[166164.933320] __x64_sys_openat+0x20/0x30 +[166164.933328] do_syscall_64+0x52/0xc0 +[166164.933336] entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +(gdb) disassemble drm_dp_aux_dev_get_by_minor+0x29 +Dump of assembler code for function drm_dp_aux_dev_get_by_minor: + 0x0000000000017b10 <+0>: callq 0x17b15 + 0x0000000000017b15 <+5>: push %rbp + 0x0000000000017b16 <+6>: mov %rsp,%rbp + 0x0000000000017b19 <+9>: push %r12 + 0x0000000000017b1b <+11>: mov %edi,%r12d + 0x0000000000017b1e <+14>: mov $0x0,%rdi + 0x0000000000017b25 <+21>: callq 0x17b2a + 0x0000000000017b2a <+26>: mov %r12d,%esi + 0x0000000000017b2d <+29>: mov $0x0,%rdi + 0x0000000000017b34 <+36>: callq 0x17b39 + 0x0000000000017b39 <+41>: mov 0x18(%rax),%edx <========= + 0x0000000000017b3c <+44>: mov %rax,%r12 + 0x0000000000017b3f <+47>: lea 0x18(%rax),%rdi + 0x0000000000017b43 <+51>: test %edx,%edx + 0x0000000000017b45 <+53>: je 0x17b7a + 0x0000000000017b47 <+55>: lea 0x1(%rdx),%ecx + 0x0000000000017b4a <+58>: mov %edx,%eax + 0x0000000000017b4c <+60>: lock cmpxchg %ecx,(%rdi) + 0x0000000000017b50 <+64>: jne 0x17b76 + 0x0000000000017b52 <+66>: test %edx,%edx + 0x0000000000017b54 <+68>: js 0x17b6d + 0x0000000000017b56 <+70>: test %ecx,%ecx + 0x0000000000017b58 <+72>: js 0x17b6d + 0x0000000000017b5a <+74>: mov $0x0,%rdi + 
0x0000000000017b61 <+81>: callq 0x17b66 + 0x0000000000017b66 <+86>: mov %r12,%rax + 0x0000000000017b69 <+89>: pop %r12 + 0x0000000000017b6b <+91>: pop %rbp + 0x0000000000017b6c <+92>: retq + 0x0000000000017b6d <+93>: xor %esi,%esi + 0x0000000000017b6f <+95>: callq 0x17b74 + 0x0000000000017b74 <+100>: jmp 0x17b5a + 0x0000000000017b76 <+102>: mov %eax,%edx + 0x0000000000017b78 <+104>: jmp 0x17b43 + 0x0000000000017b7a <+106>: xor %r12d,%r12d + 0x0000000000017b7d <+109>: jmp 0x17b5a +End of assembler dump. + +(gdb) list *drm_dp_aux_dev_get_by_minor+0x29 +0x17b39 is in drm_dp_aux_dev_get_by_minor (drivers/gpu/drm/drm_dp_aux_dev.c:65). +60 static struct drm_dp_aux_dev *drm_dp_aux_dev_get_by_minor(unsigned index) +61 { +62 struct drm_dp_aux_dev *aux_dev = NULL; +63 +64 mutex_lock(&aux_idr_mutex); +65 aux_dev = idr_find(&aux_idr, index); +66 if (!kref_get_unless_zero(&aux_dev->refcount)) +67 aux_dev = NULL; +68 mutex_unlock(&aux_idr_mutex); +69 +(gdb) p/x &((struct drm_dp_aux_dev *)(0x0))->refcount +$8 = 0x18 + +Looking at the caller, checks on the minor are pushed down to +drm_dp_aux_dev_get_by_minor() + +static int auxdev_open(struct inode *inode, struct file *file) +{ + unsigned int minor = iminor(inode); + struct drm_dp_aux_dev *aux_dev; + + aux_dev = drm_dp_aux_dev_get_by_minor(minor); <==== + if (!aux_dev) + return -ENODEV; + + file->private_data = aux_dev; + return 0; +} + +Fixes: e94cb37b34eb ("drm/dp: Add a drm_aux-dev module for reading/writing dpcd registers.") +Cc: # v4.6+ +Signed-off-by: Zwane Mwaikambo +Reviewed-by: Lyude Paul +[added Cc to stable] +Signed-off-by: Lyude Paul +Link: https://patchwork.freedesktop.org/patch/msgid/alpine.DEB.2.21.2010122231070.38717@montezuma.home +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_aux_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_aux_dev.c ++++ b/drivers/gpu/drm/drm_dp_aux_dev.c +@@ -59,7 +59,7 @@ static struct drm_dp_aux_dev *drm_dp_aux + + 
mutex_lock(&aux_idr_mutex); + aux_dev = idr_find(&aux_idr, index); +- if (!kref_get_unless_zero(&aux_dev->refcount)) ++ if (aux_dev && !kref_get_unless_zero(&aux_dev->refcount)) + aux_dev = NULL; + mutex_unlock(&aux_idr_mutex); + diff --git a/queue-4.9/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch b/queue-4.9/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch new file mode 100644 index 00000000000..f5c934dccd8 --- /dev/null +++ b/queue-4.9/iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch @@ -0,0 +1,36 @@ +From 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b Mon Sep 17 00:00:00 2001 +From: Qinglang Miao +Date: Tue, 3 Nov 2020 20:07:43 +0800 +Subject: iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume + +From: Qinglang Miao + +commit 560c6b914c6ec7d9d9a69fddbb5bf3bf71433e8b upstream. + +Fix the missing clk_disable_unprepare() of info->pclk +before return from rockchip_saradc_resume in the error +handling case when fails to prepare and enable info->clk. + +Suggested-by: Robin Murphy +Fixes: 44d6f2ef94f9 ("iio: adc: add driver for Rockchip saradc") +Signed-off-by: Qinglang Miao +Cc: +Link: https://lore.kernel.org/r/20201103120743.110662-1-miaoqinglang@huawei.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/adc/rockchip_saradc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/adc/rockchip_saradc.c ++++ b/drivers/iio/adc/rockchip_saradc.c +@@ -378,7 +378,7 @@ static int rockchip_saradc_resume(struct + + ret = clk_prepare_enable(info->clk); + if (ret) +- return ret; ++ clk_disable_unprepare(info->pclk); + + return ret; + } diff --git a/queue-4.9/iio-buffer-fix-demux-update.patch b/queue-4.9/iio-buffer-fix-demux-update.patch new file mode 100644 index 00000000000..58e7015bae6 --- /dev/null 
+++ b/queue-4.9/iio-buffer-fix-demux-update.patch 
@@ -0,0 +1,53 @@ +From 19ef7b70ca9487773c29b449adf0c70f540a0aab Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Thu, 12 Nov 2020 15:43:22 +0100 +Subject: iio: buffer: Fix demux update +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 19ef7b70ca9487773c29b449adf0c70f540a0aab upstream. + +When updating the buffer demux, we will skip a scan element from the +device in the case `in_ind != out_ind` and we enter the while loop. +in_ind should only be refreshed with `find_next_bit()` in the end of the +loop. + +Note, to cause problems we need a situation where we are skippig over +an element (channel not enabled) that happens to not have the same size +as the next element. Whilst this is a possible situation we haven't +actually identified any cases in mainline where it happens as most drivers +have consistent channel storage sizes with the exception of the timestamp +which is the last element and hence never skipped over. 
+ +Fixes: 5ada4ea9be16 ("staging:iio: add demux optionally to path from device to buffer") +Signed-off-by: Nuno Sá +Link: https://lore.kernel.org/r/20201112144323.28887-1-nuno.sa@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/industrialio-buffer.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1335,12 +1335,12 @@ static int iio_buffer_update_demux(struc + indio_dev->masklength, + in_ind + 1); + while (in_ind != out_ind) { +- in_ind = find_next_bit(indio_dev->active_scan_mask, +- indio_dev->masklength, +- in_ind + 1); + length = iio_storage_bytes_for_si(indio_dev, in_ind); + /* Make sure we are aligned */ + in_loc = roundup(in_loc, length) + length; ++ in_ind = find_next_bit(indio_dev->active_scan_mask, ++ indio_dev->masklength, ++ in_ind + 1); + } + length = iio_storage_bytes_for_si(indio_dev, in_ind); + out_loc = roundup(out_loc, length); diff --git a/queue-4.9/iio-pressure-mpl3115-force-alignment-of-buffer.patch b/queue-4.9/iio-pressure-mpl3115-force-alignment-of-buffer.patch new file mode 100644 index 00000000000..777c39ad7af --- /dev/null +++ b/queue-4.9/iio-pressure-mpl3115-force-alignment-of-buffer.patch 
@@ -0,0 +1,55 @@ +From 198cf32f0503d2ad60d320b95ef6fb8243db857f Mon Sep 17 00:00:00 2001 +From: Jonathan Cameron +Date: Sun, 20 Sep 2020 12:27:40 +0100 +Subject: iio:pressure:mpl3115: Force alignment of buffer + +From: Jonathan Cameron + +commit 198cf32f0503d2ad60d320b95ef6fb8243db857f upstream. + +Whilst this is another case of the issue Lars reported with +an array of elements of smaller than 8 bytes being passed +to iio_push_to_buffers_with_timestamp(), the solution here is +a bit different from the other cases and relies on __aligned +working on the stack (true since 4.6?) + +This one is unusual. We have to do an explicit memset() each time +as we are reading 3 bytes into a potential 4 byte channel which +may sometimes be a 2 byte channel depending on what is enabled. +As such, moving the buffer to the heap in the iio_priv structure +doesn't save us much. We can't use a nice explicit structure +on the stack either as the data channels have different storage +sizes and are all separately controlled. + +Fixes: cc26ad455f57 ("iio: Add Freescale MPL3115A2 pressure / temperature sensor driver") +Reported-by: Lars-Peter Clausen +Signed-off-by: Jonathan Cameron +Reviewed-by: Andy Shevchenko +Reviewed-by: Alexandru Ardelean +Cc: Peter Meerwald +Cc: +Link: https://lore.kernel.org/r/20200920112742.170751-7-jic23@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iio/pressure/mpl3115.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/pressure/mpl3115.c ++++ b/drivers/iio/pressure/mpl3115.c +@@ -139,7 +139,14 @@ static irqreturn_t mpl3115_trigger_handl + struct iio_poll_func *pf = p; + struct iio_dev *indio_dev = pf->indio_dev; + struct mpl3115_data *data = iio_priv(indio_dev); +- u8 buffer[16]; /* 32-bit channel + 16-bit channel + padding + ts */ ++ /* ++ * 32-bit channel + 16-bit channel + padding + ts ++ * Note that it is possible for only one of the first 2 ++ * channels to be enabled. 
If that happens, the first element ++ * of the buffer may be either 16 or 32-bits. As such we cannot ++ * use a simple structure definition to express this data layout. ++ */ ++ u8 buffer[16] __aligned(8); + int ret, pos = 0; + + mutex_lock(&data->lock); diff --git a/queue-4.9/jfs-fix-array-index-bounds-check-in-dbadjtree.patch b/queue-4.9/jfs-fix-array-index-bounds-check-in-dbadjtree.patch new file mode 100644 index 00000000000..497cfac0400 --- /dev/null +++ b/queue-4.9/jfs-fix-array-index-bounds-check-in-dbadjtree.patch @@ -0,0 +1,33 @@ +From c61b3e4839007668360ed8b87d7da96d2e59fc6c Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Fri, 13 Nov 2020 14:58:46 -0600 +Subject: jfs: Fix array index bounds check in dbAdjTree + +From: Dave Kleikamp + +commit c61b3e4839007668360ed8b87d7da96d2e59fc6c upstream. + +Bounds checking tools can flag a bug in dbAdjTree() for an array index +out of bounds in dmt_stree. Since dmt_stree can refer to the stree in +both structures dmaptree and dmapctl, use the larger array to eliminate +the false positive. + +Signed-off-by: Dave Kleikamp +Reported-by: butt3rflyh4ck +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jfs/jfs_dmap.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/jfs/jfs_dmap.h ++++ b/fs/jfs/jfs_dmap.h +@@ -196,7 +196,7 @@ typedef union dmtree { + #define dmt_leafidx t1.leafidx + #define dmt_height t1.height + #define dmt_budmin t1.budmin +-#define dmt_stree t1.stree ++#define dmt_stree t2.stree + + /* + * on-disk aggregate disk allocation map descriptor. diff --git a/queue-4.9/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch b/queue-4.9/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch new file mode 100644 index 00000000000..48ddd1dfba1 --- /dev/null +++ b/queue-4.9/mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch 
@@ -0,0 +1,75 @@ +From 639a82434f16a6df0ce0e7c8595976f1293940fd Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Tue, 24 Nov 2020 07:25:06 +0100 +Subject: mtd: parser: cmdline: Fix parsing of part-names with colons + +From: Sven Eckelmann + +commit 639a82434f16a6df0ce0e7c8595976f1293940fd upstream. + +Some devices (especially QCA ones) are already using hardcoded partition +names with colons in it. The OpenMesh A62 for example provides following +mtd relevant information via cmdline: + + root=31:11 mtdparts=spi0.0:256k(0:SBL1),128k(0:MIBIB),384k(0:QSEE),64k(0:CDT),64k(0:DDRPARAMS),64k(0:APPSBLENV),512k(0:APPSBL),64k(0:ART),64k(custom),64k(0:KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) rootfsname=rootfs rootwait + +The change to split only on the last colon between mtd-id and partitions +will cause newpart to see following string for the first partition: + + KEYS),0x002b0000(kernel),0x00c80000(rootfs),15552k(inactive) + +Such a partition list cannot be parsed and thus the device fails to boot. + +Avoid this behavior by making sure that the start of the first part-name +("(") will also be the last byte the mtd-id split algorithm is using for +its colon search. 
+ +Fixes: eb13fa022741 ("mtd: parser: cmdline: Support MTD names containing one or more colons") +Cc: stable@vger.kernel.org +Cc: Ron Minnich +Signed-off-by: Sven Eckelmann +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20201124062506.185392-1-sven@narfation.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/cmdlinepart.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/mtd/cmdlinepart.c ++++ b/drivers/mtd/cmdlinepart.c +@@ -228,7 +228,7 @@ static int mtdpart_setup_real(char *s) + struct cmdline_mtd_partition *this_mtd; + struct mtd_partition *parts; + int mtd_id_len, num_parts; +- char *p, *mtd_id, *semicol; ++ char *p, *mtd_id, *semicol, *open_parenth; + + /* + * Replace the first ';' by a NULL char so strrchr can work +@@ -238,6 +238,14 @@ static int mtdpart_setup_real(char *s) + if (semicol) + *semicol = '\0'; + ++ /* ++ * make sure that part-names with ":" will not be handled as ++ * part of the mtd-id with an ":" ++ */ ++ open_parenth = strchr(s, '('); ++ if (open_parenth) ++ *open_parenth = '\0'; ++ + mtd_id = s; + + /* +@@ -247,6 +255,10 @@ static int mtdpart_setup_real(char *s) + */ + p = strrchr(s, ':'); + ++ /* Restore the '(' now. */ ++ if (open_parenth) ++ *open_parenth = '('; ++ + /* Restore the ';' now. */ + if (semicol) + *semicol = ';'; diff --git a/queue-4.9/series b/queue-4.9/series index f5043824825..ec06a4c75e5 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -158,3 +158,18 @@ kvm-arm64-introduce-handling-of-aarch32-ttbcr2-traps.patch powerpc-xmon-change-printk-to-pr_cont.patch ceph-fix-race-in-concurrent-__ceph_remove_cap-invocations.patch jffs2-fix-gc-exit-abnormally.patch +jfs-fix-array-index-bounds-check-in-dbadjtree.patch +drm-dp_aux_dev-check-aux_dev-before-use-in-drm_dp_aux_dev_get_by_minor.patch +spi-spi-sh-fix-use-after-free-on-unbind.patch +spi-davinci-fix-use-after-free-on-unbind.patch +spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch +spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch +spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch +spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch +soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch +mtd-parser-cmdline-fix-parsing-of-part-names-with-colons.patch +iio-buffer-fix-demux-update.patch +iio-adc-rockchip_saradc-fix-missing-clk_disable_unprepare-on-error-in-rockchip_saradc_resume.patch +iio-pressure-mpl3115-force-alignment-of-buffer.patch +clk-mvebu-a3700-fix-the-xtal-mode-pin-to-mpp1_9.patch +xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch diff --git a/queue-4.9/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch b/queue-4.9/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch new file mode 100644 index 00000000000..4eb62643fb4 --- /dev/null +++ b/queue-4.9/soc-qcom-smp2p-safely-acquire-spinlock-without-irqs.patch 
@@ -0,0 +1,55 @@ +From fc3e62e25c3896855b7c3d72df19ca6be3459c9f Mon Sep 17 00:00:00 2001 +From: Evan Green +Date: Tue, 29 Sep 2020 13:30:57 -0700 +Subject: soc: qcom: smp2p: Safely acquire spinlock without IRQs + +From: Evan Green + +commit fc3e62e25c3896855b7c3d72df19ca6be3459c9f upstream. + +smp2p_update_bits() should disable interrupts when it acquires its +spinlock. This is important because without the _irqsave, a priority +inversion can occur. + +This function is called both with interrupts enabled in +qcom_q6v5_request_stop(), and with interrupts disabled in +ipa_smp2p_panic_notifier(). IRQ handling of spinlocks should be +consistent to avoid the panic notifier deadlocking because it's +sitting on the thread that's already got the lock via _request_stop(). + +Found via lockdep. + +Cc: stable@vger.kernel.org +Fixes: 50e99641413e7 ("soc: qcom: smp2p: Qualcomm Shared Memory Point to Point") +Reviewed-by: Bjorn Andersson +Reviewed-by: Stephen Boyd +Signed-off-by: Evan Green +Link: https://lore.kernel.org/r/20200929133040.RESEND.1.Ideabf6dcdfc577cf39ce3d95b0e4aa1ac8b38f0c@changeid +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/soc/qcom/smp2p.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/soc/qcom/smp2p.c ++++ b/drivers/soc/qcom/smp2p.c +@@ -314,15 +314,16 @@ static int qcom_smp2p_inbound_entry(stru + static int smp2p_update_bits(void *data, u32 mask, u32 value) + { + struct smp2p_entry *entry = data; ++ unsigned long flags; + u32 orig; + u32 val; + +- spin_lock(&entry->lock); ++ spin_lock_irqsave(&entry->lock, flags); + val = orig = readl(entry->value); + val &= ~mask; + val |= value; + writel(val, entry->value); +- spin_unlock(&entry->lock); ++ spin_unlock_irqrestore(&entry->lock, flags); + + if (val != orig) + qcom_smp2p_kick(entry->smp2p); 
diff --git a/queue-4.9/spi-davinci-fix-use-after-free-on-unbind.patch b/queue-4.9/spi-davinci-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..d21902ba565 --- /dev/null +++ b/queue-4.9/spi-davinci-fix-use-after-free-on-unbind.patch @@ -0,0 +1,43 @@ +From 373afef350a93519b4b8d636b0895da8650b714b Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:01 +0100 +Subject: spi: davinci: Fix use-after-free on unbind + +From: Lukas Wunner + +commit 373afef350a93519b4b8d636b0895da8650b714b upstream. + +davinci_spi_remove() accesses the driver's private data after it's been +freed with spi_master_put(). + +Fix by moving the spi_master_put() to the end of the function. + +Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel") +Signed-off-by: Lukas Wunner +Acked-by: Peter Ujfalusi +Cc: # v4.7+ +Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-davinci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-davinci.c ++++ b/drivers/spi/spi-davinci.c +@@ -1099,13 +1099,13 @@ static int davinci_spi_remove(struct pla + spi_bitbang_stop(&dspi->bitbang); + + clk_disable_unprepare(dspi->clk); +- spi_master_put(master); + + if (dspi->dma_rx) { + dma_release_channel(dspi->dma_rx); + dma_release_channel(dspi->dma_tx); + } + ++ spi_master_put(master); + return 0; + } + diff --git a/queue-4.9/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch b/queue-4.9/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch new file mode 100644 index 00000000000..b8e927d6e27 --- /dev/null +++ b/queue-4.9/spi-pic32-don-t-leak-dma-channels-in-probe-error-path.patch 
@@ -0,0 +1,35 @@ +From c575e9113bff5e024d75481613faed5ef9d465b2 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 8 Nov 2020 23:41:00 +0100 +Subject: spi: pic32: Don't leak DMA channels in probe error path + +From: Lukas Wunner + +commit c575e9113bff5e024d75481613faed5ef9d465b2 upstream. + +If the calls to devm_request_irq() or devm_spi_register_master() fail +on probe of the PIC32 SPI driver, the DMA channels requested by +pic32_spi_dma_prep() are erroneously not released. Plug the leak. + +Fixes: 1bcb9f8ceb67 ("spi: spi-pic32: Add PIC32 SPI master driver") +Signed-off-by: Lukas Wunner +Cc: # v4.7+ +Cc: Purna Chandra Mandal +Link: https://lore.kernel.org/r/9624250e3a7aa61274b38219a62375bac1def637.1604874488.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-pic32.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/spi/spi-pic32.c ++++ b/drivers/spi/spi-pic32.c +@@ -839,6 +839,7 @@ static int pic32_spi_probe(struct platfo + return 0; + + err_bailout: ++ pic32_spi_dma_unprep(pic32s); + clk_disable_unprepare(pic32s->clk); + err_master: + spi_master_put(master); diff --git a/queue-4.9/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch b/queue-4.9/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..d6d3610d63a --- /dev/null +++ b/queue-4.9/spi-rb4xx-don-t-leak-spi-master-in-probe-error-path.patch 
@@ -0,0 +1,39 @@ +From a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:10 +0100 +Subject: spi: rb4xx: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit a4729c3506c3eb1a6ca5c0289f4e7cafa4115065 upstream. + +If the calls to devm_clk_get(), devm_spi_register_master() or +clk_prepare_enable() fail on probe of the Mikrotik RB4xx SPI driver, +the spi_master struct is erroneously not freed. + +Fix by switching over to the new devm_spi_alloc_master() helper. + +Fixes: 05aec357871f ("spi: Add SPI driver for Mikrotik RB4xx series boards") +Signed-off-by: Lukas Wunner +Cc: # v4.2+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v4.2+ +Cc: Bert Vermeulen +Link: https://lore.kernel.org/r/369bf26d71927f60943b1d9d8f51810f00b0237d.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-rb4xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/spi/spi-rb4xx.c ++++ b/drivers/spi/spi-rb4xx.c +@@ -148,7 +148,7 @@ static int rb4xx_spi_probe(struct platfo + if (IS_ERR(spi_base)) + return PTR_ERR(spi_base); + +- master = spi_alloc_master(&pdev->dev, sizeof(*rbspi)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(*rbspi)); + if (!master) + return -ENOMEM; + diff --git a/queue-4.9/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch b/queue-4.9/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch new file mode 100644 index 00000000000..155ee6b13af --- /dev/null +++ b/queue-4.9/spi-sc18is602-don-t-leak-spi-master-in-probe-error-path.patch 
@@ -0,0 +1,61 @@ +From 5b8c88462d83331dacb48aeaec8388117fef82e0 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:11 +0100 +Subject: spi: sc18is602: Don't leak SPI master in probe error path + +From: Lukas Wunner + +commit 5b8c88462d83331dacb48aeaec8388117fef82e0 upstream. + +If the call to devm_gpiod_get_optional() fails on probe of the NXP +SC18IS602/603 SPI driver, the spi_master struct is erroneously not freed. + +Fix by switching over to the new devm_spi_alloc_master() helper. + +Fixes: f99008013e19 ("spi: sc18is602: Add reset control via gpio pin.") +Signed-off-by: Lukas Wunner +Cc: # v4.9+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v4.9+ +Cc: Phil Reid +Link: https://lore.kernel.org/r/d5f715527b894b91d530fe11a86f51b3184a4e1a.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sc18is602.c | 13 ++----------- + 1 file changed, 2 insertions(+), 11 deletions(-) + +--- a/drivers/spi/spi-sc18is602.c ++++ b/drivers/spi/spi-sc18is602.c +@@ -247,13 +247,12 @@ static int sc18is602_probe(struct i2c_cl + struct sc18is602_platform_data *pdata = dev_get_platdata(dev); + struct sc18is602 *hw; + struct spi_master *master; +- int error; + + if (!i2c_check_functionality(client->adapter, I2C_FUNC_I2C | + I2C_FUNC_SMBUS_WRITE_BYTE_DATA)) + return -EINVAL; + +- master = spi_alloc_master(dev, sizeof(struct sc18is602)); ++ master = devm_spi_alloc_master(dev, sizeof(struct sc18is602)); + if (!master) + return -ENOMEM; + +@@ -304,15 +303,7 @@ static int sc18is602_probe(struct i2c_cl + master->min_speed_hz = hw->freq / 128; + master->max_speed_hz = hw->freq / 4; + +- error = devm_spi_register_master(dev, master); +- if (error) +- goto error_reg; +- +- return 0; +- +-error_reg: +- spi_master_put(master); +- return error; ++ return devm_spi_register_master(dev, master); + } + + static const struct i2c_device_id sc18is602_id[] = { 
diff --git a/queue-4.9/spi-spi-sh-fix-use-after-free-on-unbind.patch b/queue-4.9/spi-spi-sh-fix-use-after-free-on-unbind.patch new file mode 100644 index 00000000000..5033691cc9f --- /dev/null +++ b/queue-4.9/spi-spi-sh-fix-use-after-free-on-unbind.patch 
@@ -0,0 +1,78 @@ +From e77df3eca12be4b17f13cf9f215cff248c57d98f Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Mon, 7 Dec 2020 09:17:04 +0100 +Subject: spi: spi-sh: Fix use-after-free on unbind + +From: Lukas Wunner + +commit e77df3eca12be4b17f13cf9f215cff248c57d98f upstream. + +spi_sh_remove() accesses the driver's private data after calling +spi_unregister_master() even though that function releases the last +reference on the spi_master and thereby frees the private data. + +Fix by switching over to the new devm_spi_alloc_master() helper which +keeps the private data accessible until the driver has unbound. + +Fixes: 680c1305e259 ("spi/spi_sh: use spi_unregister_master instead of spi_master_put in remove path") +Signed-off-by: Lukas Wunner +Cc: # v3.0+: 5e844cc37a5c: spi: Introduce device-managed SPI controller allocation +Cc: # v3.0+ +Cc: Axel Lin +Link: https://lore.kernel.org/r/6d97628b536baf01d5e3e39db61108f84d44c8b2.1607286887.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-sh.c | 13 ++++--------- + 1 file changed, 4 insertions(+), 9 deletions(-) + +--- a/drivers/spi/spi-sh.c ++++ b/drivers/spi/spi-sh.c +@@ -450,7 +450,7 @@ static int spi_sh_probe(struct platform_ + return -ENODEV; + } + +- master = spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data)); ++ master = devm_spi_alloc_master(&pdev->dev, sizeof(struct spi_sh_data)); + if (master == NULL) { + dev_err(&pdev->dev, "spi_alloc_master error.\n"); + return -ENOMEM; +@@ -468,16 +468,14 @@ static int spi_sh_probe(struct platform_ + break; + default: + dev_err(&pdev->dev, "No support width\n"); +- ret = -ENODEV; +- goto error1; ++ return -ENODEV; + } + ss->irq = irq; + ss->master = master; + ss->addr = devm_ioremap(&pdev->dev, res->start, resource_size(res)); + if (ss->addr == NULL) { + dev_err(&pdev->dev, "ioremap error.\n"); +- ret = -ENOMEM; +- goto error1; ++ return -ENOMEM; + } + INIT_LIST_HEAD(&ss->queue); + spin_lock_init(&ss->lock); 
+@@ -487,7 +485,7 @@ static int spi_sh_probe(struct platform_ + ret = request_irq(irq, spi_sh_irq, 0, "spi_sh", ss); + if (ret < 0) { + dev_err(&pdev->dev, "request_irq error\n"); +- goto error1; ++ return ret; + } + + master->num_chipselect = 2; +@@ -506,9 +504,6 @@ static int spi_sh_probe(struct platform_ + + error3: + free_irq(irq, ss); +- error1: +- spi_master_put(master); +- + return ret; + } + diff --git a/queue-4.9/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch b/queue-4.9/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch new file mode 100644 index 00000000000..5b46085f3d8 --- /dev/null +++ b/queue-4.9/spi-st-ssc4-fix-unbalanced-pm_runtime_disable-in-probe-error-path.patch 
@@ -0,0 +1,45 @@ +From 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Sun, 8 Nov 2020 23:41:00 +0100 +Subject: spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path + +From: Lukas Wunner + +commit 5ef76dac0f2c26aeae4ee79eb830280f16d5aceb upstream. + +If the calls to devm_platform_ioremap_resource(), irq_of_parse_and_map() +or devm_request_irq() fail on probe of the ST SSC4 SPI driver, the +runtime PM disable depth is incremented even though it was not +decremented before. Fix it. + +Fixes: cd050abeba2a ("spi: st-ssc4: add missed pm_runtime_disable") +Signed-off-by: Lukas Wunner +Cc: # v5.5+ +Cc: Chuhong Yuan +Link: https://lore.kernel.org/r/fbe8768c30dc829e2d77eabe7be062ca22f84024.1604874488.git.lukas@wunner.de +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/spi/spi-st-ssc4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/spi/spi-st-ssc4.c ++++ b/drivers/spi/spi-st-ssc4.c +@@ -379,13 +379,14 @@ static int spi_st_probe(struct platform_ + ret = devm_spi_register_master(&pdev->dev, master); + if (ret) { + dev_err(&pdev->dev, "Failed to register master\n"); +- goto clk_disable; ++ goto rpm_disable; + } + + return 0; + +-clk_disable: ++rpm_disable: + pm_runtime_disable(&pdev->dev); ++clk_disable: + clk_disable_unprepare(spi_st->clk); + put_master: + spi_master_put(master); diff --git a/queue-4.9/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch b/queue-4.9/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch new file mode 100644 index 00000000000..fc345933771 --- /dev/null +++ b/queue-4.9/xen-blkback-set-ring-xenblkd-to-null-after-kthread_stop.patch 
@@ -0,0 +1,52 @@ +From 1c728719a4da6e654afb9cc047164755072ed7c9 Mon Sep 17 00:00:00 2001 +From: Pawel Wieczorkiewicz +Date: Mon, 14 Dec 2020 10:25:57 +0100 +Subject: xen-blkback: set ring->xenblkd to NULL after kthread_stop() + +From: Pawel Wieczorkiewicz + +commit 1c728719a4da6e654afb9cc047164755072ed7c9 upstream. + +When xen_blkif_disconnect() is called, the kernel thread behind the +block interface is stopped by calling kthread_stop(ring->xenblkd). +The ring->xenblkd thread pointer being non-NULL determines if the +thread has been already stopped. +Normally, the thread's function xen_blkif_schedule() sets the +ring->xenblkd to NULL, when the thread's main loop ends. + +However, when the thread has not been started yet (i.e. +wake_up_process() has not been called on it), the xen_blkif_schedule() +function would not be called yet. + +In such case the kthread_stop() call returns -EINTR and the +ring->xenblkd remains dangling. +When this happens, any consecutive call to xen_blkif_disconnect (for +example in frontend_changed() callback) leads to a kernel crash in +kthread_stop() (e.g. NULL pointer dereference in exit_creds()). + +This is XSA-350. + +Cc: # 4.12 +Fixes: a24fa22ce22a ("xen/blkback: don't use xen_blkif_get() in xen-blkback kthread") +Reported-by: Olivier Benjamin +Reported-by: Pawel Wieczorkiewicz +Signed-off-by: Pawel Wieczorkiewicz +Reviewed-by: Julien Grall +Reviewed-by: Juergen Gross +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/xenbus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/block/xen-blkback/xenbus.c ++++ b/drivers/block/xen-blkback/xenbus.c +@@ -262,6 +262,7 @@ static int xen_blkif_disconnect(struct x + + if (ring->xenblkd) { + kthread_stop(ring->xenblkd); ++ ring->xenblkd = NULL; + wake_up(&ring->shutdown_wq); + } +
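Review bot: In the drivers/spi/spi-sh.c hunk at @@ -450, the dev_err() string on the failure branch still reads "spi_alloc_master error." although the call is now devm_spi_alloc_master(); update the message so the log names the function that actually failed. This backport also depends on the helper from 5e844cc37a5c, which the Cc tag lists as a prerequisite, so that commit has to sit ahead of this one in queue-4.9 or the build breaks.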
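Review bot: In the drivers/spi/spi-st-ssc4.c hunk at @@ -379, only the devm_spi_register_master() failure is retargeted to the new rpm_disable label, so the fix is correct only if every remaining goto clk_disable in spi_st_probe() sits before the point where runtime PM is enabled; those call sites are outside the hunk context and should be checked against the 4.9 source rather than upstream. The stable tag in the message reads v5.5+ while this is queued for 4.9, and the message names devm_platform_ioremap_resource(), so confirm the 4.9 probe function has the same call order before applying.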
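Review bot: In the drivers/block/xen-blkback/xenbus.c hunk at @@ -262, the new ring->xenblkd = NULL store carries no comment, and from the code alone it looks redundant with the clearing that the message says xen_blkif_schedule() does when its loop ends; add a short comment that the thread may never have been woken, in which case kthread_stop() returns -EINTR and nothing else clears the pointer. The if (ring->xenblkd) test, the kthread_stop() call and the store are not visibly under a lock in this context, so confirm that callers of xen_blkif_disconnect() (the message mentions frontend_changed()) are serialized, otherwise two callers can both pass the test before either clears the pointer.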