From: Greg Kroah-Hartman Date: Sat, 13 Nov 2021 11:45:54 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: v5.4.160~155 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b02c0abd4803724ebe8f67357c68542e00eeaace;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch firmware-psci-fix-application-of-sizeof-to-pointer.patch media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch parisc-fix-ptrace-check-on-syscall-return.patch tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch --- diff --git a/queue-4.19/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch b/queue-4.19/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch new file mode 100644 index 00000000000..c97c1acaef2 --- /dev/null +++ b/queue-4.19/crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch @@ -0,0 +1,33 @@ +From a472cc0dde3eb057db71c80f102556eeced03805 Mon Sep 17 00:00:00 2001 +From: Tang Bin +Date: Thu, 21 Oct 2021 09:34:22 +0800 +Subject: crypto: s5p-sss - Add error handling in s5p_aes_probe() + +From: Tang Bin + +commit a472cc0dde3eb057db71c80f102556eeced03805 upstream. + +The function s5p_aes_probe() does not perform sufficient error +checking after executing platform_get_resource(), thus fix it. + +Fixes: c2afad6c6105 ("crypto: s5p-sss - Add HASH support for Exynos") +Cc: +Signed-off-by: Tang Bin +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman +--- + drivers/crypto/s5p-sss.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/crypto/s5p-sss.c ++++ b/drivers/crypto/s5p-sss.c +@@ -2166,6 +2166,8 @@ static int s5p_aes_probe(struct platform + + variant = find_s5p_sss_version(pdev); + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!res) ++ return -EINVAL; + + /* + * Note: HASH and PRNG uses the same registers in secss, avoid diff --git a/queue-4.19/firmware-psci-fix-application-of-sizeof-to-pointer.patch b/queue-4.19/firmware-psci-fix-application-of-sizeof-to-pointer.patch new file mode 100644 index 00000000000..857826d7876 --- /dev/null +++ b/queue-4.19/firmware-psci-fix-application-of-sizeof-to-pointer.patch @@ -0,0 +1,39 @@ +From 2ac5fb35cd520ab1851c9a4816c523b65276052f Mon Sep 17 00:00:00 2001 +From: jing yangyang +Date: Thu, 19 Aug 2021 19:30:16 -0700 +Subject: firmware/psci: fix application of sizeof to pointer + +From: jing yangyang + +commit 2ac5fb35cd520ab1851c9a4816c523b65276052f upstream. + +sizeof when applied to a pointer typed expression gives the size of +the pointer. + +./drivers/firmware/psci/psci_checker.c:158:41-47: ERROR application of sizeof to pointer + +This issue was detected with the help of Coccinelle. + +Fixes: 7401056de5f8 ("drivers/firmware: psci_checker: stash and use topology_core_cpumask for hotplug tests") +Cc: stable@vger.kernel.org +Reported-by: Zeal Robot +Acked-by: Mark Rutland +Reviewed-by: Gustavo A. R. Silva +Signed-off-by: jing yangyang +Signed-off-by: Gustavo A. R. Silva +Signed-off-by: Greg Kroah-Hartman +--- + drivers/firmware/psci_checker.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firmware/psci_checker.c ++++ b/drivers/firmware/psci_checker.c +@@ -162,7 +162,7 @@ static int alloc_init_cpu_groups(cpumask + if (!alloc_cpumask_var(&tmp, GFP_KERNEL)) + return -ENOMEM; + +- cpu_groups = kcalloc(nb_available_cpus, sizeof(cpu_groups), ++ cpu_groups = kcalloc(nb_available_cpus, sizeof(*cpu_groups), + GFP_KERNEL); + if (!cpu_groups) { + free_cpumask_var(tmp); diff --git a/queue-4.19/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch b/queue-4.19/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch new file mode 100644 index 00000000000..06c9b214726 --- /dev/null +++ b/queue-4.19/media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch @@ -0,0 +1,40 @@ +From c73ba202a851c0b611ef2c25e568fadeff5e667f Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Wed, 15 Sep 2021 18:14:07 +0200 +Subject: media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Sean Young + +commit c73ba202a851c0b611ef2c25e568fadeff5e667f upstream. + +The IR receiver has two issues: + + - Sometimes there is no response to a button press + - Sometimes a button press is repeated when it should not have been + +Hanging the polling interval fixes this behaviour. + +Link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=994050 + +Cc: stable@vger.kernel.org +Suggested-by: Joaquín Alberto Calderón Pozo +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/i2c/ir-kbd-i2c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/i2c/ir-kbd-i2c.c ++++ b/drivers/media/i2c/ir-kbd-i2c.c +@@ -801,6 +801,7 @@ static int ir_probe(struct i2c_client *c + rc_proto = RC_PROTO_BIT_RC5 | RC_PROTO_BIT_RC6_MCE | + RC_PROTO_BIT_RC6_6A_32; + ir_codes = RC_MAP_HAUPPAUGE; ++ ir->polling_interval = 125; + probe_tx = true; + break; + } diff --git a/queue-4.19/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch b/queue-4.19/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch new file mode 100644 index 00000000000..1a57be740d3 --- /dev/null +++ b/queue-4.19/media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch @@ -0,0 +1,36 @@ +From fdc881783099c6343921ff017450831c8766d12a Mon Sep 17 00:00:00 2001 +From: Sean Young +Date: Sun, 17 Oct 2021 13:01:15 +0100 +Subject: media: ite-cir: IR receiver stop working after receive overflow + +From: Sean Young + +commit fdc881783099c6343921ff017450831c8766d12a upstream. + +On an Intel NUC6iSYK, no IR is reported after a receive overflow. + +When a receiver overflow occurs, this condition is only cleared by +reading the fifo. Make sure we read anything in the fifo. + +Fixes: 28c7afb07ccf ("media: ite-cir: check for receive overflow") +Suggested-by: Bryan Pass +Tested-by: Bryan Pass +Cc: stable@vger.kernel.org> +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/ite-cir.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/rc/ite-cir.c ++++ b/drivers/media/rc/ite-cir.c +@@ -292,7 +292,7 @@ static irqreturn_t ite_cir_isr(int irq, + } + + /* check for the receive interrupt */ +- if (iflags & ITE_IRQ_RX_FIFO) { ++ if (iflags & (ITE_IRQ_RX_FIFO | ITE_IRQ_RX_FIFO_OVERRUN)) { + /* read the FIFO bytes */ + rx_bytes = + dev->params.get_rx_bytes(dev, rx_buf, diff --git a/queue-4.19/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch b/queue-4.19/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch new file mode 100644 index 00000000000..230f9f5cbab --- /dev/null +++ b/queue-4.19/mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch @@ -0,0 +1,45 @@ +From 43592c8736e84025d7a45e61a46c3fa40536a364 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Christian=20L=C3=B6hle?= +Date: Thu, 16 Sep 2021 05:59:19 +0000 +Subject: mmc: dw_mmc: Dont wait for DRTO on Write RSP error + +From: Christian Löhle + +commit 43592c8736e84025d7a45e61a46c3fa40536a364 upstream. + +Only wait for DRTO on reads, otherwise the driver hangs. + +The driver prevents sending CMD12 on response errors like CRCs. According +to the comment this is because some cards have problems with this during +the UHS tuning sequence. Unfortunately this workaround currently also +applies for any command with data. On reads this will set the drto timer, +which then triggers after a while. On writes this will not set any timer +and the tasklet will not be scheduled again. + +I cannot test for the UHS workarounds need, but even if so, it should at +most apply to reads. I have observed many hangs when CMD25 response +contained a CRC error. This patch fixes this without touching the actual +UHS tuning workaround. + +Signed-off-by: Christian Loehle +Reviewed-by: Jaehoon Chung +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/af8f8b8674ba4fcc9a781019e4aeb72c@hyperstone.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/dw_mmc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -2039,7 +2039,8 @@ static void dw_mci_tasklet_func(unsigned + * delayed. Allowing the transfer to take place + * avoids races and keeps things simple. + */ +- if (err != -ETIMEDOUT) { ++ if (err != -ETIMEDOUT && ++ host->dir_status == DW_MCI_RECV_STATUS) { + state = STATE_SENDING_DATA; + continue; + } diff --git a/queue-4.19/parisc-fix-ptrace-check-on-syscall-return.patch b/queue-4.19/parisc-fix-ptrace-check-on-syscall-return.patch new file mode 100644 index 00000000000..7b105b5c4b3 --- /dev/null +++ b/queue-4.19/parisc-fix-ptrace-check-on-syscall-return.patch @@ -0,0 +1,36 @@ +From 8779e05ba8aaffec1829872ef9774a71f44f6580 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Tue, 5 Oct 2021 00:27:49 +0200 +Subject: parisc: Fix ptrace check on syscall return + +From: Helge Deller + +commit 8779e05ba8aaffec1829872ef9774a71f44f6580 upstream. + +The TIF_XXX flags are stored in the flags field in the thread_info +struct (TI_FLAGS), not in the flags field of the task_struct structure +(TASK_FLAGS). + +It seems this bug didn't generate any important side-effects, otherwise it +wouldn't have went unnoticed for 12 years (since v2.6.32). + +Signed-off-by: Helge Deller +Fixes: ecd3d4bc06e48 ("parisc: stop using task->ptrace for {single,block}step flags") +Cc: Kyle McMartin +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + arch/parisc/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/parisc/kernel/entry.S ++++ b/arch/parisc/kernel/entry.S +@@ -1851,7 +1851,7 @@ syscall_restore: + LDREG TI_TASK-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r1 + + /* Are we being ptraced? */ +- ldw TASK_FLAGS(%r1),%r19 ++ LDREG TI_FLAGS-THREAD_SZ_ALGN-FRAME_SIZE(%r30),%r19 + ldi _TIF_SYSCALL_TRACE_MASK,%r2 + and,COND(=) %r19,%r2,%r0 + b,n syscall_restore_rfi diff --git a/queue-4.19/series b/queue-4.19/series index bb5f9366dec..91c98671076 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -5,3 +5,10 @@ input-elantench-fix-misreporting-trackpoint-coordinates.patch input-i8042-add-quirk-for-fujitsu-lifebook-t725.patch libata-fix-read-log-timeout-value.patch ocfs2-fix-data-corruption-on-truncate.patch +mmc-dw_mmc-dont-wait-for-drto-on-write-rsp-error.patch +parisc-fix-ptrace-check-on-syscall-return.patch +tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch +firmware-psci-fix-application-of-sizeof-to-pointer.patch +crypto-s5p-sss-add-error-handling-in-s5p_aes_probe.patch +media-ite-cir-ir-receiver-stop-working-after-receive-overflow.patch +media-ir-kbd-i2c-improve-responsiveness-of-hauppauge-zilog-receivers.patch diff --git a/queue-4.19/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch b/queue-4.19/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch new file mode 100644 index 00000000000..94c687ff05a --- /dev/null +++ b/queue-4.19/tpm-check-for-integer-overflow-in-tpm2_map_response_body.patch @@ -0,0 +1,34 @@ +From a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 8 Sep 2021 08:33:57 +0300 +Subject: tpm: Check for integer overflow in tpm2_map_response_body() + +From: Dan Carpenter + +commit a0bcce2b2a169e10eb265c8f0ebdd5ae4c875670 upstream. + +The "4 * be32_to_cpu(data->count)" multiplication can potentially +overflow which would lead to memory corruption. Add a check for that. + +Cc: stable@vger.kernel.org +Fixes: 745b361e989a ("tpm: infrastructure for TPM spaces") +Signed-off-by: Dan Carpenter +Reviewed-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tpm/tpm2-space.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/char/tpm/tpm2-space.c ++++ b/drivers/char/tpm/tpm2-space.c +@@ -419,6 +419,9 @@ static int tpm2_map_response_body(struct + if (be32_to_cpu(data->capability) != TPM2_CAP_HANDLES) + return 0; + ++ if (be32_to_cpu(data->count) > (UINT_MAX - TPM_HEADER_SIZE - 9) / 4) ++ return -EFAULT; ++ + if (len != TPM_HEADER_SIZE + 9 + 4 * be32_to_cpu(data->count)) + return -EFAULT; +