From: Sasha Levin Date: Sun, 23 Jan 2022 14:49:19 +0000 (-0500) Subject: Fixes for 4.4 X-Git-Tag: v4.4.300~132^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba8d895a86907c50837508c586d09519dadec5c0;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch b/queue-4.4/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch new file mode 100644 index 00000000000..07cb5acaed9 --- /dev/null +++ b/queue-4.4/acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch 
@@ -0,0 +1,57 @@ +From 3d89b72e65d99a728bfa92780cd4ff7a6e7346b6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:31:05 +0100 +Subject: ACPICA: Executer: Fix the REFCLASS_REFOF case in + acpi_ex_opcode_1A_0T_1R() + +From: Rafael J. Wysocki + +[ Upstream commit 24ea5f90ec9548044a6209685c5010edd66ffe8f ] + +ACPICA commit d984f12041392fa4156b52e2f7e5c5e7bc38ad9e + +If Operand[0] is a reference of the ACPI_REFCLASS_REFOF class, +acpi_ex_opcode_1A_0T_1R () calls acpi_ns_get_attached_object () to +obtain return_desc which may require additional resolution with +the help of acpi_ex_read_data_from_field (). If the latter fails, +the reference counter of the original return_desc is decremented +which is incorrect, because acpi_ns_get_attached_object () does not +increment the reference counter of the object returned by it. + +This issue may lead to premature deletion of the attached object +while it is still attached and a use-after-free and crash in the +host OS. For example, this may happen when on evaluation of ref_of() +a local region field where there is no registered handler for the +given Operation Region. + +Fix it by making acpi_ex_opcode_1A_0T_1R () return Status right away +after a acpi_ex_read_data_from_field () failure. + +Link: https://github.com/acpica/acpica/commit/d984f120 +Link: https://github.com/acpica/acpica/pull/685 +Reported-by: Lenny Szubowicz +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/exoparg1.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/exoparg1.c b/drivers/acpi/acpica/exoparg1.c +index 77930683ab7dd..c20b7dfec7b20 100644 +--- a/drivers/acpi/acpica/exoparg1.c ++++ b/drivers/acpi/acpica/exoparg1.c +@@ -1016,7 +1016,8 @@ acpi_status acpi_ex_opcode_1A_0T_1R(struct acpi_walk_state *walk_state) + (walk_state, return_desc, + &temp_desc); + if (ACPI_FAILURE(status)) { +- goto cleanup; ++ return_ACPI_STATUS ++ (status); + } + + return_desc = temp_desc; +-- +2.34.1 + diff --git a/queue-4.4/acpica-utilities-avoid-deleting-the-same-object-twic.patch b/queue-4.4/acpica-utilities-avoid-deleting-the-same-object-twic.patch new file mode 100644 index 00000000000..7401937d514 --- /dev/null +++ b/queue-4.4/acpica-utilities-avoid-deleting-the-same-object-twic.patch 
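Review bot: The new early `return_ACPI_STATUS(status)` after a failed `acpi_ex_read_data_from_field()` is correct only because `return_desc` at that point is the pointer borrowed from `acpi_ns_get_attached_object()`, and nothing in the code records that, so the next maintainer is likely to "fix" it back into `goto cleanup`. A one-line comment above the return would pin it: `/* return_desc is borrowed from the node (no ref taken): do not go to cleanup, which would drop a reference we never acquired */`. `temp_desc` is not assigned on this path, so as far as the hunk shows nothing else needs releasing. The enclosing acpi_ex_opcode_1A_0T_1R() and its cleanup label lie outside the hunk.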
@@ -0,0 +1,48 @@ +From 8f51ae2d504d13e802f8d349dce66c8dba172c8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 17:29:45 +0100 +Subject: ACPICA: Utilities: Avoid deleting the same object twice in a row + +From: Rafael J. Wysocki + +[ Upstream commit 1cdfe9e346b4c5509ffe19ccde880fd259d9f7a3 ] + +ACPICA commit c11af67d8f7e3d381068ce7771322f2b5324d687 + +If original_count is 0 in acpi_ut_update_ref_count (), +acpi_ut_delete_internal_obj () is invoked for the target object, which is +incorrect, because that object has been deleted once already and the +memory allocated to store it may have been reclaimed and allocated +for a different purpose by the host OS. Moreover, a confusing debug +message following the "Reference Count is already zero, cannot +decrement" warning is printed in that case. + +To fix this issue, make acpi_ut_update_ref_count () return after finding +that original_count is 0 and printing the above warning. + +Link: https://github.com/acpica/acpica/commit/c11af67d +Link: https://github.com/acpica/acpica/pull/652 +Reported-by: Mark Asselstine +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Bob Moore +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utdelete.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/acpi/acpica/utdelete.c b/drivers/acpi/acpica/utdelete.c +index 9f8b088e21d7e..d90b2cf310fb1 100644 +--- a/drivers/acpi/acpica/utdelete.c ++++ b/drivers/acpi/acpica/utdelete.c +@@ -439,6 +439,7 @@ acpi_ut_update_ref_count(union acpi_operand_object *object, u32 action) + ACPI_WARNING((AE_INFO, + "Obj %p, Reference Count is already zero, cannot decrement\n", + object)); ++ return; + } + + ACPI_DEBUG_PRINT((ACPI_DB_ALLOCATIONS, +-- +2.34.1 + diff --git a/queue-4.4/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-4.4/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 00000000000..7536653ab7f --- /dev/null 
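Review bot: The added `return;` after the "Reference Count is already zero" warning deliberately leaks an object whose count is already zero instead of deleting it a second time, and that trade-off deserves a comment, because a bare `return` following an `ACPI_WARNING` reads like an oversight. Suggested: `/* Count already zero: the object was freed once; return and leak rather than free it twice */`. A count that is already zero on decrement means an earlier imbalance, so the warning is the only visible symptom of the real bug; presumably acceptable under ACPICA's warn-and-continue policy, but worth stating. The enclosing acpi_ut_update_ref_count() switch starts and ends outside the hunk.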
+++ b/queue-4.4/alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch @@ -0,0 +1,40 @@ +From 0db5ba6469f9cd32e8768f8d1c7b9eae4610310c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:14 +0100 +Subject: ALSA: hda: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 80bd64af75b4bb11c0329bc66c35da2ddfb66d88 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: d13bd412dce2 ("ALSA: hda - Manage kcontrol lists") +Link: https://lore.kernel.org/r/20211116071314.15065-3-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/pci/hda/hda_codec.c b/sound/pci/hda/hda_codec.c +index 4962a9d8a572b..7533f8860c57e 100644 +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1608,8 +1608,11 @@ void snd_hda_ctls_clear(struct hda_codec *codec) + { + int i; + struct hda_nid_item *items = codec->mixers.list; ++ ++ down_write(&codec->card->controls_rwsem); + for (i = 0; i < codec->mixers.used; i++) + snd_ctl_remove(codec->card, items[i].kctl); ++ up_write(&codec->card->controls_rwsem); + snd_array_free(&codec->mixers); + snd_array_free(&codec->nids); + } +-- +2.34.1 + diff --git a/queue-4.4/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch b/queue-4.4/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch new file mode 100644 index 00000000000..d6cf05dc546 --- /dev/null +++ b/queue-4.4/alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch 
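Review bot: `snd_hda_ctls_clear()` now takes `codec->card->controls_rwsem` unconditionally, while the commit message scopes the requirement to calls made after card instantiation; that assumption is what keeps the lock safe on every caller of this function, and it is not stated in the code. A comment on the `down_write()` line would make it explicit: `/* snd_ctl_remove() requires controls_rwsem once the card is instantiated */`. The return value of `snd_ctl_remove()` in the loop is still discarded (pre-existing); if it reports an error as in mainline, a `(void)` cast or comment would mark that as intentional for a teardown path.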
@@ -0,0 +1,42 @@ +From bb57e4429e9e44463876fb72270d370e03c130d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:12 +0100 +Subject: ALSA: jack: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 06764dc931848c3a9bc01a63bbf76a605408bb54 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: 9058cbe1eed2 ("ALSA: jack: implement kctl creating for jack devices") +Link: https://lore.kernel.org/r/20211116071314.15065-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/jack.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/core/jack.c b/sound/core/jack.c +index fcc972fbe8ffd..ecbdac88f95ad 100644 +--- a/sound/core/jack.c ++++ b/sound/core/jack.c +@@ -64,10 +64,13 @@ static int snd_jack_dev_free(struct snd_device *device) + struct snd_card *card = device->card; + struct snd_jack_kctl *jack_kctl, *tmp_jack_kctl; + ++ down_write(&card->controls_rwsem); + list_for_each_entry_safe(jack_kctl, tmp_jack_kctl, &jack->kctl_list, list) { + list_del_init(&jack_kctl->list); + snd_ctl_remove(card, jack_kctl->kctl); + } ++ up_write(&card->controls_rwsem); ++ + if (jack->private_free) + jack->private_free(jack); + +-- +2.34.1 + diff --git a/queue-4.4/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch b/queue-4.4/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch new file mode 100644 index 00000000000..fbba6f7a186 --- /dev/null +++ b/queue-4.4/alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch 
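Review bot: The write lock is held across the whole `list_for_each_entry_safe()` walk rather than around each `snd_ctl_remove()` call, which is the right choice here since `list_del_init()` and the removal of the same kctl should appear atomic to readers, but a short comment would record that intent: `/* unlink and remove all jack kctls under controls_rwsem so readers never see a half-torn list */`. `jack->private_free()` runs after `up_write()`, so a callback that itself removes controls can take the lock without deadlocking. The `jack_kctl` entries are unlinked but not freed in this hunk; presumably the kctl's own private_free reclaims them, which is worth confirming rather than assuming. The rest of snd_jack_dev_free() is outside the hunk.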
@@ -0,0 +1,41 @@ +From a1680d4f6b075263ac435517912e1d78707740ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 16:58:54 +0800 +Subject: ALSA: oss: fix compile error when OSS_DEBUG is enabled + +From: Bixuan Cui + +[ Upstream commit 8e7daf318d97f25e18b2fc7eb5909e34cd903575 ] + +Fix compile error when OSS_DEBUG is enabled: + sound/core/oss/pcm_oss.c: In function 'snd_pcm_oss_set_trigger': + sound/core/oss/pcm_oss.c:2055:10: error: 'substream' undeclared (first + use in this function); did you mean 'csubstream'? + pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); + ^ + +Fixes: 61efcee8608c ("ALSA: oss: Use standard printk helpers") +Signed-off-by: Bixuan Cui +Link: https://lore.kernel.org/r/1638349134-110369-1-git-send-email-cuibixuan@linux.alibaba.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/oss/pcm_oss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/core/oss/pcm_oss.c b/sound/core/oss/pcm_oss.c +index 593791d9a334f..6af4afe23e373 100644 +--- a/sound/core/oss/pcm_oss.c ++++ b/sound/core/oss/pcm_oss.c +@@ -2121,7 +2121,7 @@ static int snd_pcm_oss_set_trigger(struct snd_pcm_oss_file *pcm_oss_file, int tr + int err, cmd; + + #ifdef OSS_DEBUG +- pcm_dbg(substream->pcm, "pcm_oss: trigger = 0x%x\n", trigger); ++ pr_debug("pcm_oss: trigger = 0x%x\n", trigger); + #endif + + psubstream = pcm_oss_file->streams[SNDRV_PCM_STREAM_PLAYBACK]; +-- +2.34.1 + diff --git a/queue-4.4/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch b/queue-4.4/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch new file mode 100644 index 00000000000..07b64886727 --- /dev/null +++ b/queue-4.4/alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch 
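Review bot: Switching the `OSS_DEBUG` print to `pr_debug()` fixes the build but drops the per-device prefix that `pcm_dbg()` provided, so with several cards open the trace can no longer be attributed to one of them. Since `psubstream` and `csubstream` are assigned two lines below, the print could move after those assignments and use `pcm_dbg((psubstream ?: csubstream)->pcm, "pcm_oss: trigger = 0x%x\n", trigger);` — but only if at least one of the two streams is guaranteed non-NULL there, which the hunk does not show, so confirm before doing that. As written the change is safe and purely diagnostic.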
@@ -0,0 +1,41 @@ +From b3bd087693095b619fba1715b1eb05d927ab3c29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 08:13:13 +0100 +Subject: ALSA: PCM: Add missing rwsem around snd_ctl_remove() calls + +From: Takashi Iwai + +[ Upstream commit 5471e9762e1af4b7df057a96bfd46cc250979b88 ] + +snd_ctl_remove() has to be called with card->controls_rwsem held (when +called after the card instantiation). This patch add the missing +rwsem calls around it. + +Fixes: a8ff48cb7083 ("ALSA: pcm: Free chmap at PCM free callback, too") +Link: https://lore.kernel.org/r/20211116071314.15065-2-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/pcm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sound/core/pcm.c b/sound/core/pcm.c +index cdff5f9764808..6ae28dcd79945 100644 +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -857,7 +857,11 @@ EXPORT_SYMBOL(snd_pcm_new_internal); + static void free_chmap(struct snd_pcm_str *pstr) + { + if (pstr->chmap_kctl) { +- snd_ctl_remove(pstr->pcm->card, pstr->chmap_kctl); ++ struct snd_card *card = pstr->pcm->card; ++ ++ down_write(&card->controls_rwsem); ++ snd_ctl_remove(card, pstr->chmap_kctl); ++ up_write(&card->controls_rwsem); + pstr->chmap_kctl = NULL; + } + } +-- +2.34.1 + diff --git a/queue-4.4/alsa-seq-set-upper-limit-of-processed-events.patch b/queue-4.4/alsa-seq-set-upper-limit-of-processed-events.patch new file mode 100644 index 00000000000..d734c97640f --- /dev/null +++ b/queue-4.4/alsa-seq-set-upper-limit-of-processed-events.patch 
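Review bot: `pstr->chmap_kctl = NULL` is written after `up_write()`, so for a moment the control has been removed from the card while the PCM still advertises it; if anything reads `chmap_kctl` under `controls_rwsem`, that window is observable. Moving the assignment inside the locked region is a one-line reorder: `snd_ctl_remove(card, pstr->chmap_kctl); pstr->chmap_kctl = NULL; up_write(&card->controls_rwsem);`. This is only a tightening; the present ordering is harmless if free_chmap() runs only from single-threaded teardown, which the hunk cannot confirm.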
@@ -0,0 +1,87 @@ +From c3fab2f09b506796d3d19c499dcde3b9db85168e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 7 Dec 2021 17:51:46 +0100 +Subject: ALSA: seq: Set upper limit of processed events + +From: Takashi Iwai + +[ Upstream commit 6fadb494a638d8b8a55864ecc6ac58194f03f327 ] + +Currently ALSA sequencer core tries to process the queued events as +much as possible when they become dispatchable. If applications try +to queue too massive events to be processed at the very same timing, +the sequencer core would still try to process such all events, either +in the interrupt context or via some notifier; in either away, it +might be a cause of RCU stall or such problems. + +As a potential workaround for those problems, this patch adds the +upper limit of the amount of events to be processed. The remaining +events are processed in the next batch, so they won't be lost. + +For the time being, it's limited up to 1000 events per queue, which +should be high enough for any normal usages. 
+ +Reported-by: Zqiang +Reported-by: syzbot+bb950e68b400ab4f65f8@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20211102033222.3849-1-qiang.zhang1211@gmail.com +Link: https://lore.kernel.org/r/20211207165146.2888-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/core/seq/seq_queue.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +diff --git a/sound/core/seq/seq_queue.c b/sound/core/seq/seq_queue.c +index ea1aa07962761..b923059a22276 100644 +--- a/sound/core/seq/seq_queue.c ++++ b/sound/core/seq/seq_queue.c +@@ -257,12 +257,15 @@ struct snd_seq_queue *snd_seq_queue_find_name(char *name) + + /* -------------------------------------------------------- */ + ++#define MAX_CELL_PROCESSES_IN_QUEUE 1000 ++ + void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + { + unsigned long flags; + struct snd_seq_event_cell *cell; + snd_seq_tick_time_t cur_tick; + snd_seq_real_time_t cur_time; ++ int processed = 0; + + if (q == NULL) + return; +@@ -285,6 +288,8 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + + /* Process time queue... 
*/ +@@ -294,14 +299,19 @@ void snd_seq_check_queue(struct snd_seq_queue *q, int atomic, int hop) + if (!cell) + break; + snd_seq_dispatch_event(cell, atomic, hop); ++ if (++processed >= MAX_CELL_PROCESSES_IN_QUEUE) ++ goto out; /* the rest processed at the next batch */ + } + ++ out: + /* free lock */ + spin_lock_irqsave(&q->check_lock, flags); + if (q->check_again) { + q->check_again = 0; +- spin_unlock_irqrestore(&q->check_lock, flags); +- goto __again; ++ if (processed < MAX_CELL_PROCESSES_IN_QUEUE) { ++ spin_unlock_irqrestore(&q->check_lock, flags); ++ goto __again; ++ } + } + q->check_blocked = 0; + spin_unlock_irqrestore(&q->check_lock, flags); +-- +2.34.1 + diff --git a/queue-4.4/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch b/queue-4.4/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch new file mode 100644 index 00000000000..296797fc4e0 --- /dev/null +++ b/queue-4.4/ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch 
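Review bot: When the cap is hit, the code after `out:` clears `q->check_again` and `q->check_blocked` but does not schedule another pass, so the leftover cells are dispatched only when the next timer tick or enqueue calls `snd_seq_check_queue()` again; that is what "next batch" means, but nothing in the code says so, and it implies added latency for a flooded queue rather than an immediate resume. A comment at the `out:` label would make the contract explicit: `/* Stop after MAX_CELL_PROCESSES_IN_QUEUE cells; the rest are picked up by the next tick/enqueue, not re-armed here */`. Note also that `processed` is shared between the tick loop and the real-time loop, so a burst on the tick queue can defer the time queue until the next call — presumably acceptable for a stall guard, but worth stating. The `__again` label and both queue-walking loops start outside the hunk.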
@@ -0,0 +1,63 @@ +From d2460b702b5d28a27f77214615a31f0f34db7113 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 18:37:49 -0400 +Subject: ar5523: Fix null-ptr-deref with unexpected WDCMSG_TARGET_START reply + +From: Zekun Shen + +[ Upstream commit ae80b6033834342601e99f74f6a62ff5092b1cee ] + +Unexpected WDCMSG_TARGET_START replay can lead to null-ptr-deref +when ar->tx_cmd->odata is NULL. The patch adds a null check to +prevent such case. + +KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] + ar5523_cmd+0x46a/0x581 [ar5523] + ar5523_probe.cold+0x1b7/0x18da [ar5523] + ? ar5523_cmd_rx_cb+0x7a0/0x7a0 [ar5523] + ? __pm_runtime_set_status+0x54a/0x8f0 + ? _raw_spin_trylock_bh+0x120/0x120 + ? pm_runtime_barrier+0x220/0x220 + ? __pm_runtime_resume+0xb1/0xf0 + usb_probe_interface+0x25b/0x710 + really_probe+0x209/0x5d0 + driver_probe_device+0xc6/0x1b0 + device_driver_attach+0xe2/0x120 + +I found the bug using a custome USBFuzz port. It's a research work +to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, +providing hand-crafted usb descriptors to QEMU. + +After fixing the code (fourth byte in usb packet) to WDCMSG_TARGET_START, +I got the null-ptr-deref bug. I believe the bug is triggerable whenever +cmd->odata is NULL. After patching, I tested with the same input and no +longer see the KASAN report. + +This was NOT tested on a real device. 
+ +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXsmPQ3awHFLuAj2@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index bc6330b437958..67c20cb92f138 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -153,6 +153,10 @@ static void ar5523_cmd_rx_cb(struct urb *urb) + ar5523_err(ar, "Invalid reply to WDCMSG_TARGET_START"); + return; + } ++ if (!cmd->odata) { ++ ar5523_err(ar, "Unexpected WDCMSG_TARGET_START reply"); ++ return; ++ } + memcpy(cmd->odata, hdr + 1, sizeof(u32)); + cmd->olen = sizeof(u32); + cmd->res = 0; +-- +2.34.1 + diff --git a/queue-4.4/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch b/queue-4.4/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch new file mode 100644 index 00000000000..86e0943804d --- /dev/null +++ b/queue-4.4/arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch 
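Review bot: The new `!cmd->odata` branch returns without setting `cmd->res` or signalling the command's completion, so whatever waits on this command in the issuing ar5523_cmd() presumably has to time out instead of failing immediately. That mirrors the existing "Invalid reply" path just above it, so it is at least consistent; if completion is signalled further down (outside the hunk), both error paths might better set `cmd->res = -EINVAL` and complete, but confirm against the waiter before changing it. Logging the condition as the hunk does is useful, since a TARGET_START reply with no output buffer means the device answered a command that did not ask for data. The handler body continues outside the hunk.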
@@ -0,0 +1,40 @@ +From 687c660181116d8d13257e21a6defa13a531b1fc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 05:05:59 +0300 +Subject: arm64: dts: qcom: msm8916: fix MMC controller aliases + +From: Dmitry Baryshkov + +[ Upstream commit b0293c19d42f6d6951c2fab9a47fed50baf2c14d ] + +Change sdhcN aliases to mmcN to make them actually work. Currently the +board uses non-standard aliases sdhcN, which do not work, resulting in +mmc0 and mmc1 hosts randomly changing indices between boots. + +Fixes: c4da5a561627 ("arm64: dts: qcom: Add msm8916 sdhci configuration nodes") +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20211201020559.1611890-1-dmitry.baryshkov@linaro.org +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/qcom/msm8916.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm64/boot/dts/qcom/msm8916.dtsi b/arch/arm64/boot/dts/qcom/msm8916.dtsi +index 8d184ff196429..5cac11e6ba4b4 100644 +--- a/arch/arm64/boot/dts/qcom/msm8916.dtsi ++++ b/arch/arm64/boot/dts/qcom/msm8916.dtsi +@@ -25,8 +25,8 @@ + #size-cells = <2>; + + aliases { +- sdhc1 = &sdhc_1; /* SDC1 eMMC slot */ +- sdhc2 = &sdhc_2; /* SDC2 SD card slot */ ++ mmc0 = &sdhc_1; /* SDC1 eMMC slot */ ++ mmc1 = &sdhc_2; /* SDC2 SD card slot */ + }; + + chosen { }; +-- +2.34.1 + diff --git a/queue-4.4/asoc-samsung-idma-check-of-ioremap-return-value.patch b/queue-4.4/asoc-samsung-idma-check-of-ioremap-return-value.patch new file mode 100644 index 00000000000..831a428270b --- /dev/null +++ b/queue-4.4/asoc-samsung-idma-check-of-ioremap-return-value.patch 
@@ -0,0 +1,40 @@ +From 34d0b627e63b0d0933fc7cec6ac4b395ec703e97 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 11:40:26 +0800 +Subject: ASoC: samsung: idma: Check of ioremap return value + +From: Jiasheng Jiang + +[ Upstream commit 3ecb46755eb85456b459a1a9f952c52986bce8ec ] + +Because of the potential failure of the ioremap(), the buf->area could +be NULL. +Therefore, we need to check it and return -ENOMEM in order to transfer +the error. + +Fixes: f09aecd50f39 ("ASoC: SAMSUNG: Add I2S0 internal dma driver") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20211228034026.1659385-1-jiasheng@iscas.ac.cn +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/samsung/idma.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sound/soc/samsung/idma.c b/sound/soc/samsung/idma.c +index 4ed29ffc1c54e..d9cd9350ffbe2 100644 +--- a/sound/soc/samsung/idma.c ++++ b/sound/soc/samsung/idma.c +@@ -370,6 +370,8 @@ static int preallocate_idma_buffer(struct snd_pcm *pcm, int stream) + buf->addr = idma.lp_tx_addr; + buf->bytes = idma_hardware.buffer_bytes_max; + buf->area = (unsigned char * __force)ioremap(buf->addr, buf->bytes); ++ if (!buf->area) ++ return -ENOMEM; + + return 0; + } +-- +2.34.1 + diff --git a/queue-4.4/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch b/queue-4.4/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch new file mode 100644 index 00000000000..d30aa8b7543 --- /dev/null +++ b/queue-4.4/ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch 
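Review bot: On the new `-ENOMEM` path `buf->addr` and `buf->bytes` stay populated while `buf->area` is NULL, so a later cleanup that tests `bytes` rather than `area` before `iounmap()` would act on a half-initialized buffer; clearing it first, `buf->bytes = 0;`, costs nothing. Whether such a cleanup exists depends on the release path, which is outside the hunk, so treat this as defensive. `-ENOMEM` for an `ioremap()` failure matches the convention used elsewhere in the kernel, so the code choice itself is fine.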
@@ -0,0 +1,90 @@ +From 4ccbc17c8c3f3e8196f767451a68d7f4e6f386fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Oct 2021 18:21:42 -0400 +Subject: ath9k: Fix out-of-bound memcpy in ath9k_hif_usb_rx_stream + +From: Zekun Shen + +[ Upstream commit 6ce708f54cc8d73beca213cec66ede5ce100a781 ] + +Large pkt_len can lead to out-out-bound memcpy. Current +ath9k_hif_usb_rx_stream allows combining the content of two urb +inputs to one pkt. The first input can indicate the size of the +pkt. Any remaining size is saved in hif_dev->rx_remain_len. +While processing the next input, memcpy is used with rx_remain_len. + +4-byte pkt_len can go up to 0xffff, while a single input is 0x4000 +maximum in size (MAX_RX_BUF_SIZE). Thus, the patch adds a check for +pkt_len which must not exceed 2 * MAX_RX_BUG_SIZE. + +BUG: KASAN: slab-out-of-bounds in ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] +Read of size 46393 at addr ffff888018798000 by task kworker/0:1/23 + +CPU: 0 PID: 23 Comm: kworker/0:1 Not tainted 5.6.0 #63 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), +BIOS rel-1.10.2-0-g5f4c7b1-prebuilt.qemu-project.org 04/01/2014 +Workqueue: events request_firmware_work_func +Call Trace: + + dump_stack+0x76/0xa0 + print_address_description.constprop.0+0x16/0x200 + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + __kasan_report.cold+0x37/0x7c + ? ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + kasan_report+0xe/0x20 + check_memory_region+0x15a/0x1d0 + memcpy+0x20/0x50 + ath9k_hif_usb_rx_cb+0x490/0xed7 [ath9k_htc] + ? hif_usb_mgmt_cb+0x2d9/0x2d9 [ath9k_htc] + ? _raw_spin_lock_irqsave+0x7b/0xd0 + ? _raw_spin_trylock_bh+0x120/0x120 + ? __usb_unanchor_urb+0x12f/0x210 + __usb_hcd_giveback_urb+0x1e4/0x380 + usb_giveback_urb_bh+0x241/0x4f0 + ? __hrtimer_run_queues+0x316/0x740 + ? 
__usb_hcd_giveback_urb+0x380/0x380 + tasklet_action_common.isra.0+0x135/0x330 + __do_softirq+0x18c/0x634 + irq_exit+0x114/0x140 + smp_apic_timer_interrupt+0xde/0x380 + apic_timer_interrupt+0xf/0x20 + +I found the bug using a custome USBFuzz port. It's a research work +to fuzz USB stack/drivers. I modified it to fuzz ath9k driver only, +providing hand-crafted usb descriptors to QEMU. + +After fixing the value of pkt_tag to ATH_USB_RX_STREAM_MODE_TAG in QEMU +emulation, I found the KASAN report. The bug is triggerable whenever +pkt_len is above two MAX_RX_BUG_SIZE. I used the same input that crashes +to test the driver works when applying the patch. + +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YXsidrRuK6zBJicZ@10-18-43-117.dynapool.wireless.nyu.edu +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 75072a8f8cf42..15fb14f818f8b 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -586,6 +586,13 @@ static void ath9k_hif_usb_rx_stream(struct hif_device_usb *hif_dev, + return; + } + ++ if (pkt_len > 2 * MAX_RX_BUF_SIZE) { ++ dev_err(&hif_dev->udev->dev, ++ "ath9k_htc: invalid pkt_len (%x)\n", pkt_len); ++ RX_STAT_INC(skb_dropped); ++ return; ++ } ++ + pad_len = 4 - (pkt_len & 0x3); + if (pad_len == 4) + pad_len = 0; +-- +2.34.1 + diff --git a/queue-4.4/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch b/queue-4.4/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch new file mode 100644 index 00000000000..888f2855595 --- /dev/null +++ b/queue-4.4/bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch 
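Review bot: The new guard bounds `pkt_len` against `2 * MAX_RX_BUF_SIZE` on its own, but the amount carried over to the next URB is derived from the current offset in this buffer plus header, padding and `pkt_len` (the `index` arithmetic below the hunk), so a packet that starts late in one buffer can still leave a remainder larger than the next buffer even with `pkt_len` under the cap. A tighter check would use the bytes actually left in this buffer — something like `if (pkt_len > (len - index - 4) + MAX_RX_BUF_SIZE)` — or, more directly, validate `rx_remain_len` against the incoming URB's length where the remainder is consumed; confirm against the partial-packet branch before changing it. Dropping the whole input and counting it, as the `pkt_tag` check above already does, is the right failure mode. ath9k_hif_usb_rx_stream() begins and ends outside the hunk.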
@@ -0,0 +1,54 @@ +From 815cb2496dc2a1a668a30bd08f549e647877085c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Oct 2021 21:10:12 +0800 +Subject: Bluetooth: cmtp: fix possible panic when cmtp_init_sockets() fails + +From: Wang Hai + +[ Upstream commit 2a7ca7459d905febf519163bd9e3eed894de6bb7 ] + +I got a kernel BUG report when doing fault injection test: + +------------[ cut here ]------------ +kernel BUG at lib/list_debug.c:45! +... +RIP: 0010:__list_del_entry_valid.cold+0x12/0x4d +... +Call Trace: + proto_unregister+0x83/0x220 + cmtp_cleanup_sockets+0x37/0x40 [cmtp] + cmtp_exit+0xe/0x1f [cmtp] + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +If cmtp_init_sockets() in cmtp_init() fails, cmtp_init() still returns +success. This will cause a kernel bug when accessing uncreated ctmp +related data when the module exits. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/cmtp/core.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/net/bluetooth/cmtp/core.c b/net/bluetooth/cmtp/core.c +index b1757895c4ad2..23bad44bb0850 100644 +--- a/net/bluetooth/cmtp/core.c ++++ b/net/bluetooth/cmtp/core.c +@@ -500,9 +500,7 @@ static int __init cmtp_init(void) + { + BT_INFO("CMTP (CAPI Emulation) ver %s", VERSION); + +- cmtp_init_sockets(); +- +- return 0; ++ return cmtp_init_sockets(); + } + + static void __exit cmtp_exit(void) +-- +2.34.1 + diff --git a/queue-4.4/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch b/queue-4.4/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch new file mode 100644 index 00000000000..cd3f25fe320 --- /dev/null +++ b/queue-4.4/bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch 
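Review bot: `cmtp_init()` now propagates the error from `cmtp_init_sockets()`, but the `BT_INFO("CMTP (CAPI Emulation) ver ...")` banner is still printed first, so a failed module load leaves a "loaded"-looking line in the log with no matching failure message. Printing the banner only after the sockets are registered, or logging the failure before returning, makes a fault-injection failure diagnosable: `err = cmtp_init_sockets(); if (err) { BT_ERR("CMTP socket init failed: %d", err); return err; }`. The change itself is the correct fix for the exit-time `proto_unregister()` on a proto that was never registered.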
@@ -0,0 +1,40 @@ +From 8c0de151e68ff872cae7c5052650b51dd6182da9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 16:55:46 +0800 +Subject: Bluetooth: Fix debugfs entry leak in hci_register_dev() + +From: Wei Yongjun + +[ Upstream commit 5a4bb6a8e981d3d0d492aa38412ee80b21033177 ] + +Fault injection test report debugfs entry leak as follows: + +debugfs: Directory 'hci0' with parent 'bluetooth' already present! + +When register_pm_notifier() failed in hci_register_dev(), the debugfs +create by debugfs_create_dir() do not removed in the error handing path. + +Add the remove debugfs code to fix it. + +Signed-off-by: Wei Yongjun +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index eefaa10c74dbb..1cc78b88a0d9f 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -3459,6 +3459,7 @@ int hci_register_dev(struct hci_dev *hdev) + return id; + + err_wqueue: ++ debugfs_remove_recursive(hdev->debugfs); + destroy_workqueue(hdev->workqueue); + destroy_workqueue(hdev->req_workqueue); + err: +-- +2.34.1 + diff --git a/queue-4.4/bluetooth-stop-proccessing-malicious-adv-data.patch b/queue-4.4/bluetooth-stop-proccessing-malicious-adv-data.patch new file mode 100644 index 00000000000..1e872557ed0 --- /dev/null +++ b/queue-4.4/bluetooth-stop-proccessing-malicious-adv-data.patch 
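Review bot: The commit message's trigger is a failed `register_pm_notifier()`, which I believe this 4.4 `hci_register_dev()` does not have — confirm; if so, the only jumps to `err_wqueue` here happen before `debugfs_create_dir()`, and the added `debugfs_remove_recursive(hdev->debugfs)` runs on a NULL pointer. That is harmless because `debugfs_remove_recursive(NULL)` is a no-op, provided `hdev->debugfs` is zero-initialized by the allocation in hci_alloc_dev(), which is worth checking. Placing the removal before `destroy_workqueue()` is right either way, since debugfs files can reach into hdev. If no path in this tree can leak, a note in the backport saying it is taken for alignment rather than an observed bug would help later bisecting.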
@@ -0,0 +1,54 @@ +From ea643f6ecc25564642fc981ac37c8737351491e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 10:12:12 +0300 +Subject: Bluetooth: stop proccessing malicious adv data + +From: Pavel Skripkin + +[ Upstream commit 3a56ef719f0b9682afb8a86d64b2399e36faa4e6 ] + +Syzbot reported slab-out-of-bounds read in hci_le_adv_report_evt(). The +problem was in missing validaion check. + +We should check if data is not malicious and we can read next data block. +If we won't check ptr validness, code can read a way beyond skb->end and +it can cause problems, of course. + +Fixes: e95beb414168 ("Bluetooth: hci_le_adv_report_evt code refactoring") +Reported-and-tested-by: syzbot+e3fcb9c4f3c2a931dc40@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_event.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c +index 6528ecc3a3bc5..05ccd2bcd9e46 100644 +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -4940,7 +4940,8 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + struct hci_ev_le_advertising_info *ev = ptr; + s8 rssi; + +- if (ev->length <= HCI_MAX_AD_LENGTH) { ++ if (ev->length <= HCI_MAX_AD_LENGTH && ++ ev->data + ev->length <= skb_tail_pointer(skb)) { + rssi = ev->data[ev->length]; + process_adv_report(hdev, ev->evt_type, &ev->bdaddr, + ev->bdaddr_type, NULL, 0, rssi, +@@ -4950,6 +4951,11 @@ static void hci_le_adv_report_evt(struct hci_dev *hdev, struct sk_buff *skb) + } + + ptr += sizeof(*ev) + ev->length + 1; ++ ++ if (ptr > (void *) skb_tail_pointer(skb) - sizeof(*ev)) { ++ bt_dev_err(hdev, "Malicious advertising data. Stopping processing"); ++ break; ++ } + } + + hci_dev_unlock(hdev); +-- +2.34.1 + 
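Review bot: The new bound `ev->data + ev->length <= skb_tail_pointer(skb)` admits equality, but the very next line reads `ev->data[ev->length]`, the byte at `ev->data + ev->length`; when the two are equal that byte sits at the tail pointer, one past the last byte of payload. The RSSI read needs strict inequality: `ev->data + ev->length < skb_tail_pointer(skb)`. Separately, the end-of-loop check only guards the next report's header; the first `ev` is dereferenced at the top of the loop (outside the hunk) with no comparable bound, so a skb shorter than `sizeof(*ev)` after the report count would still be over-read unless the caller checks it.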
diff --git a/queue-4.4/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch b/queue-4.4/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch new file mode 100644 index 00000000000..3c1141da0ef --- /dev/null +++ b/queue-4.4/btrfs-remove-bug_on-eie-in-find_parent_nodes.patch @@ -0,0 +1,54 @@ +From 0a50611b839570a1971b63782f65eeae687d2507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 16:45:35 -0400 +Subject: btrfs: remove BUG_ON(!eie) in find_parent_nodes + +From: Josef Bacik + +[ Upstream commit 9f05c09d6baef789726346397438cca4ec43c3ee ] + +If we're looking for leafs that point to a data extent we want to record +the extent items that point at our bytenr. At this point we have the +reference and we know for a fact that this leaf should have a reference +to our bytenr. However if there's some sort of corruption we may not +find any references to our leaf, and thus could end up with eie == NULL. +Replace this BUG_ON() with an ASSERT() and then return -EUCLEAN for the +mortals. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index c59a13a53b1cc..00c9a9e719ece 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -1109,10 +1109,18 @@ again: + goto out; + if (!ret && extent_item_pos) { + /* +- * we've recorded that parent, so we must extend +- * its inode list here ++ * We've recorded that parent, so we must extend ++ * its inode list here. ++ * ++ * However if there was corruption we may not ++ * have found an eie, return an error in this ++ * case. + */ +- BUG_ON(!eie); ++ ASSERT(eie); ++ if (!eie) { ++ ret = -EUCLEAN; ++ goto out; ++ } + while (eie->next) + eie = eie->next; + eie->next = ref->inode_list; +-- +2.34.1 + 
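Review bot: The new `-EUCLEAN` path returns silently, so an administrator hitting this corruption gets EUCLEAN from the backref walk with no hint of which extent; the comment in the hunk explains it to developers but the log does not. Adding `btrfs_err(fs_info, "missing inode list for extent %llu", bytenr);` beside `ret = -EUCLEAN` (assuming `fs_info` and `bytenr` are in scope as elsewhere in find_parent_nodes) would make it actionable. The `goto out` relies on the `out:` label freeing the still-linked `ref` and on `eie` being NULL there, both outside the hunk, which matches the existing `ulist_add_merge_ptr()` error path a few lines up.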
diff --git a/queue-4.4/btrfs-remove-bug_on-in-find_parent_nodes.patch b/queue-4.4/btrfs-remove-bug_on-in-find_parent_nodes.patch new file mode 100644 index 00000000000..ce05390a8ed --- /dev/null +++ b/queue-4.4/btrfs-remove-bug_on-in-find_parent_nodes.patch @@ -0,0 +1,42 @@ +From d744d9c7cf2f5c120776b1ab88d2b308f95ecf68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 16:45:34 -0400 +Subject: btrfs: remove BUG_ON() in find_parent_nodes() + +From: Josef Bacik + +[ Upstream commit fcba0120edf88328524a4878d1d6f4ad39f2ec81 ] + +We search for an extent entry with .offset = -1, which shouldn't be a +thing, but corruption happens. Add an ASSERT() for the developers, +return -EUCLEAN for mortals. + +Signed-off-by: Josef Bacik +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/backref.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c +index 228bfa19b745d..c59a13a53b1cc 100644 +--- a/fs/btrfs/backref.c ++++ b/fs/btrfs/backref.c +@@ -975,7 +975,12 @@ again: + ret = btrfs_search_slot(trans, fs_info->extent_root, &key, path, 0, 0); + if (ret < 0) + goto out; +- BUG_ON(ret == 0); ++ if (ret == 0) { ++ /* This shouldn't happen, indicates a bug or fs corruption. */ ++ ASSERT(ret != 0); ++ ret = -EUCLEAN; ++ goto out; ++ } + + #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS + if (trans && likely(trans->type != __TRANS_DUMMY) && +-- +2.34.1 + diff --git a/queue-4.4/can-softing-softing_startstop-fix-set-but-not-used-v.patch b/queue-4.4/can-softing-softing_startstop-fix-set-but-not-used-v.patch new file mode 100644 index 00000000000..ff8cf590e71 --- /dev/null +++ b/queue-4.4/can-softing-softing_startstop-fix-set-but-not-used-v.patch 
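Review bot: `ASSERT(ret != 0)` inside `if (ret == 0)` is always false when reached, so on CONFIG_BTRFS_ASSERT builds this is still a crash and only non-assert builds get the `-EUCLEAN`; that is deliberate, but the construct reads like a typo. Spelling the intent out — `ASSERT(0); /* assert builds crash loudly; production returns -EUCLEAN */` — or keeping the form and adding that comment would stop the next reader from "correcting" it. A `btrfs_err()` naming the extent bytenr on the EUCLEAN path would also help users who see the error without a debugging kernel.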
@@ -0,0 +1,63 @@ +From 32e45e22dd5979bc95c31952af021ca20aa34bb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Jan 2022 21:57:51 +0100 +Subject: can: softing: softing_startstop(): fix set but not used variable + warning + +From: Marc Kleine-Budde + +[ Upstream commit 370d988cc529598ebaec6487d4f84c2115dc696b ] + +In the function softing_startstop() the variable error_reporting is +assigned but not used. The code that uses this variable is commented +out. Its stated that the functionality is not finally verified. + +To fix the warning: + +| drivers/net/can/softing/softing_fw.c:424:9: error: variable 'error_reporting' set but not used [-Werror,-Wunused-but-set-variable] + +remove the comment, activate the code, but add a "0 &&" to the if +expression and rely on the optimizer rather than the preprocessor to +remove the code. + +Link: https://lore.kernel.org/all/20220109103126.1872833-1-mkl@pengutronix.de +Fixes: 03fd3cf5a179 ("can: add driver for Softing card") +Cc: Kurt Van Dijck +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/softing/softing_fw.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/softing/softing_fw.c b/drivers/net/can/softing/softing_fw.c +index 52fe50725d749..a74c779feb90e 100644 +--- a/drivers/net/can/softing/softing_fw.c ++++ b/drivers/net/can/softing/softing_fw.c +@@ -576,18 +576,19 @@ int softing_startstop(struct net_device *dev, int up) + if (ret < 0) + goto failed; + } +- /* enable_error_frame */ +- /* ++ ++ /* enable_error_frame ++ * + * Error reporting is switched off at the moment since + * the receiving of them is not yet 100% verified + * This should be enabled sooner or later +- * +- if (error_reporting) { ++ */ ++ if (0 && error_reporting) { + ret = softing_fct_cmd(card, 51, "enable_error_frame"); + if (ret < 0) + goto failed; + } +- */ ++ + /* initialize interface */ + iowrite16(1, &card->dpram[DPRAM_FCT_PARAM + 2]); + iowrite16(1, 
&card->dpram[DPRAM_FCT_PARAM + 4]); +-- +2.34.1 + diff --git a/queue-4.4/can-xilinx_can-xcan_probe-check-for-error-irq.patch b/queue-4.4/can-xilinx_can-xcan_probe-check-for-error-irq.patch new file mode 100644 index 00000000000..4e587fffee5 --- /dev/null +++ b/queue-4.4/can-xilinx_can-xcan_probe-check-for-error-irq.patch @@ -0,0 +1,48 @@ +From e77bf6b7004d179696e7f1b25f4c00d395e49893 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 24 Dec 2021 10:13:24 +0800 +Subject: can: xilinx_can: xcan_probe(): check for error irq + +From: Jiasheng Jiang + +[ Upstream commit c6564c13dae25cd7f8e1de5127b4da4500ee5844 ] + +For the possible failure of the platform_get_irq(), the returned irq +could be error number and will finally cause the failure of the +request_irq(). + +Consider that platform_get_irq() can now in certain cases return +-EPROBE_DEFER, and the consequences of letting request_irq() +effectively convert that into -EINVAL, even at probe time rather than +later on. So it might be better to check just now. + +Fixes: b1201e44f50b ("can: xilinx CAN controller support") +Link: https://lore.kernel.org/all/20211224021324.1447494-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/xilinx_can.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/xilinx_can.c b/drivers/net/can/xilinx_can.c +index 700b98d9c2500..19745e88774e2 100644 +--- a/drivers/net/can/xilinx_can.c ++++ b/drivers/net/can/xilinx_can.c +@@ -1284,7 +1284,12 @@ static int xcan_probe(struct platform_device *pdev) + spin_lock_init(&priv->tx_lock); + + /* Get IRQ for the device */ +- ndev->irq = platform_get_irq(pdev, 0); ++ ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ goto err_free; ++ ++ ndev->irq = ret; ++ + ndev->flags |= IFF_ECHO; /* We support local echo */ + + platform_set_drvdata(pdev, ndev); +-- +2.34.1 + 
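Review bot: `if (0 && error_reporting)` keeps the enable_error_frame call compiled, but the comment above it only says error reporting is switched off, not that the `0 &&` is the switch, so the next person chasing a set-but-unused warning may delete the block outright. Suggest a one-line comment directly above the condition: `/* "0 &&" is intentional: keeps the call compiled and type-checked until error-frame reception is verified */`. softing_startstop() continues outside the hunk.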
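Review bot: The new check only rejects negative values, but in a 4.4-era tree platform_get_irq() may still return 0 from a resource-backed IRQ, and request_irq() later fails on irq 0 much as it did on a negative one; if that path is reachable for this device, treating 0 as an error as well, `if (ret <= 0) { ret = ret ? ret : -ENXIO; goto err_free; }`, closes it. The `err_free` label and the declaration of `ret` are outside the hunk, so confirm `ret` is the int used for the probe return value.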
diff --git a/queue-4.4/char-mwave-adjust-io-port-register-size.patch b/queue-4.4/char-mwave-adjust-io-port-register-size.patch
new file mode 100644
index 00000000000..a6155d4b114
--- /dev/null
+++ b/queue-4.4/char-mwave-adjust-io-port-register-size.patch
@@ -0,0 +1,51 @@ +From b6425b3e868475c9bbba8e3eb6b7c5fbbb86960b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 00:42:06 -0800 +Subject: char/mwave: Adjust io port register size + +From: Kees Cook + +[ Upstream commit f5912cc19acd7c24b2dbf65a6340bf194244f085 ] + +Using MKWORD() on a byte-sized variable results in OOB read. Expand the +size of the reserved area so both MKWORD and MKBYTE continue to work +without overflow. Silences this warning on a -Warray-bounds build: + +drivers/char/mwave/3780i.h:346:22: error: array subscript 'short unsigned int[0]' is partly outside array bounds of 'DSP_ISA_SLAVE_CONTROL[1]' [-Werror=array-bounds] + 346 | #define MKWORD(var) (*((unsigned short *)(&var))) + | ~^~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/char/mwave/3780i.h:356:40: note: in definition of macro 'OutWordDsp' + 356 | #define OutWordDsp(index,value) outw(value,usDspBaseIO+index) + | ^~~~~ +drivers/char/mwave/3780i.c:373:41: note: in expansion of macro 'MKWORD' + 373 | OutWordDsp(DSP_IsaSlaveControl, MKWORD(rSlaveControl)); + | ^~~~~~ +drivers/char/mwave/3780i.c:358:31: note: while referencing 'rSlaveControl' + 358 | DSP_ISA_SLAVE_CONTROL rSlaveControl; + | ^~~~~~~~~~~~~ + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20211203084206.3104326-1-keescook@chromium.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/char/mwave/3780i.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/char/mwave/3780i.h b/drivers/char/mwave/3780i.h +index fba6ab1160ce8..b167163b18277 100644 +--- a/drivers/char/mwave/3780i.h ++++ b/drivers/char/mwave/3780i.h +@@ -68,7 +68,7 @@ typedef struct { + unsigned char ClockControl:1; /* RW: Clock control: 0=normal, 1=stop 3780i clocks */ + unsigned char SoftReset:1; /* RW: Soft reset 0=normal, 1=soft reset active */ + unsigned char ConfigMode:1; /* RW: Configuration mode, 0=normal, 1=config mode */ +- unsigned char Reserved:5; 
/* 0: Reserved */ ++ unsigned short Reserved:13; /* 0: Reserved */ + } DSP_ISA_SLAVE_CONTROL; + + +-- +2.34.1 + diff --git a/queue-4.4/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch b/queue-4.4/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch new file mode 100644 index 00000000000..b4922c15970 --- /dev/null +++ b/queue-4.4/crypto-qce-fix-uaf-on-qce_ahash_register_one.patch @@ -0,0 +1,39 @@ +From 0bc35da932cb2f4ec9314154456ffac19de49c34 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 4 Nov 2021 06:38:31 -0700 +Subject: crypto: qce - fix uaf on qce_ahash_register_one + +From: Chengfeng Ye + +[ Upstream commit b4cb4d31631912842eb7dce02b4350cbb7562d5e ] + +Pointer base points to sub field of tmpl, it +is dereferenced after tmpl is freed. Fix +this by accessing base before free tmpl. + +Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver") +Signed-off-by: Chengfeng Ye +Acked-by: Thara Gopinath +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qce/sha.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/qce/sha.c b/drivers/crypto/qce/sha.c +index 0c9973ec80ebd..da2e4c193953a 100644 +--- a/drivers/crypto/qce/sha.c ++++ b/drivers/crypto/qce/sha.c +@@ -539,8 +539,8 @@ static int qce_ahash_register_one(const struct qce_ahash_def *def, + + ret = crypto_register_ahash(alg); + if (ret) { +- kfree(tmpl); + dev_err(qce->dev, "%s registration failed\n", base->cra_name); ++ kfree(tmpl); + return ret; + } + +-- +2.34.1 + diff --git a/queue-4.4/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch b/queue-4.4/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch new file mode 100644 index 00000000000..2667b830666 --- /dev/null +++ b/queue-4.4/dm-btree-add-a-defensive-bounds-check-to-insert_at.patch 
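Review bot: After this change the typedef mixes `unsigned char` bit-fields with an `unsigned short` one, and whether that packs into exactly two bytes is ABI-specific; MKWORD() still reinterprets the object through an `unsigned short *`, so the fix only holds where sizeof(DSP_ISA_SLAVE_CONTROL) == 2. A `BUILD_BUG_ON(sizeof(DSP_ISA_SLAVE_CONTROL) != sizeof(unsigned short));` at the MKWORD use site in 3780i.c (outside this patch) would pin that assumption. The preceding bit-fields of the typedef are outside the hunk.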
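Review bot: The reorder is correct because `base` points into `tmpl`, but nothing in the code records that, so a later tidy-up could swap the two lines back and reintroduce the use-after-free. A comment on the dev_err() line, `/* base points into tmpl: log before freeing it */`, makes the constraint visible. qce_ahash_register_one() and the assignment of `base` are outside the hunk.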
@@ -0,0 +1,45 @@
+From 7272347c3654861790c730ad174afb3c64758c01 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Dec 2021 13:44:13 +0000
+Subject: dm btree: add a defensive bounds check to insert_at()
+
+From: Joe Thornber
+
+[ Upstream commit 85bca3c05b6cca31625437eedf2060e846c4bbad ]
+
+Corrupt metadata could trigger an out of bounds write.
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/persistent-data/dm-btree.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/md/persistent-data/dm-btree.c b/drivers/md/persistent-data/dm-btree.c
+index fa9039a53ae5c..23b1d22f693c1 100644
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -83,14 +83,16 @@ void inc_children(struct dm_transaction_manager *tm, struct btree_node *n,
+ }
+
+ static int insert_at(size_t value_size, struct btree_node *node, unsigned index,
+- uint64_t key, void *value)
+- __dm_written_to_disk(value)
++ uint64_t key, void *value)
++ __dm_written_to_disk(value)
+ {
+ uint32_t nr_entries = le32_to_cpu(node->header.nr_entries);
++ uint32_t max_entries = le32_to_cpu(node->header.max_entries);
+ __le64 key_le = cpu_to_le64(key);
+
+ if (index > nr_entries ||
+- index >= le32_to_cpu(node->header.max_entries)) {
++ index >= max_entries ||
++ nr_entries >= max_entries) {
+ DMERR("too many entries in btree node for insert");
+ __dm_unbless_for_disk(value);
+ return -ENOMEM;
+--
+2.34.1
+
diff --git a/queue-4.4/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch b/queue-4.4/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch
new file mode 100644
index 00000000000..81f580003b9
--- /dev/null
+++ b/queue-4.4/dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch
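Review bot: With `index > nr_entries` and `nr_entries >= max_entries` both rejected, the middle condition `index >= max_entries` can no longer be true (index <= nr_entries < max_entries), so it is redundant; harmless, but a comment saying what each condition guards would help, e.g. `/* nr_entries >= max_entries: node already full or header corrupt */`. Returning -ENOMEM for what is now explicitly a corrupt-metadata case is pre-existing behaviour, yet a caller reading that code will not suspect corruption, so the DMERR text or a comment should say so. The rest of insert_at() is outside the hunk.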
@@ -0,0 +1,37 @@
+From 163211e460901c820ba9c4a78c1b38457b6e92c6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Dec 2021 13:49:53 +0000
+Subject: dm space map common: add bounds check to sm_ll_lookup_bitmap()
+
+From: Joe Thornber
+
+[ Upstream commit cba23ac158db7f3cd48a923d6861bee2eb7a2978 ]
+
+Corrupted metadata could warrant returning error from sm_ll_lookup_bitmap().
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Sasha Levin
+---
+ drivers/md/persistent-data/dm-space-map-common.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/md/persistent-data/dm-space-map-common.c b/drivers/md/persistent-data/dm-space-map-common.c
+index ca09ad2a639c4..6fa4a68e78b0d 100644
+--- a/drivers/md/persistent-data/dm-space-map-common.c
++++ b/drivers/md/persistent-data/dm-space-map-common.c
+@@ -279,6 +279,11 @@ int sm_ll_lookup_bitmap(struct ll_disk *ll, dm_block_t b, uint32_t *result)
+ struct disk_index_entry ie_disk;
+ struct dm_block *blk;
+
++ if (b >= ll->nr_blocks) {
++ DMERR_LIMIT("metadata block out of bounds");
++ return -EINVAL;
++ }
++
+ b = do_div(index, ll->entries_per_block);
+ r = ll->load_ie(ll, index, &ie_disk);
+ if (r < 0)
+--
+2.34.1
+
diff --git a/queue-4.4/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch b/queue-4.4/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch
new file mode 100644
index 00000000000..09ac34b5de2
--- /dev/null
+++ b/queue-4.4/dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch
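Review bot: The guard sits before `do_div()` so a corrupt block number never reaches `ll->load_ie()`, which is the right spot, but sm_ll_lookup_bitmap() is not the only path that derives an index from a caller-supplied block: if sm_ll_mutate() (outside this patch) does the same `do_div(index, ll->entries_per_block)` without a bounds check it needs the same `if (b >= ll->nr_blocks)` guard, and it matters more there because it writes. `index` is initialised from `b` above the hunk, so the check must stay above any use of `index`.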
@@ -0,0 +1,63 @@ +From 4d797bb89ac69f72cbf84b3311850ca4387fdc2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 22 Nov 2021 23:21:58 +0100 +Subject: dmaengine: pxa/mmp: stop referencing config->slave_id + +From: Arnd Bergmann + +[ Upstream commit 134c37fa250a87a7e77c80a7c59ae16c462e46e0 ] + +The last driver referencing the slave_id on Marvell PXA and MMP platforms +was the SPI driver, but this stopped doing so a long time ago, so the +TODO from the earlier patch can no be removed. + +Fixes: b729bf34535e ("spi/pxa2xx: Don't use slave_id of dma_slave_config") +Fixes: 13b3006b8ebd ("dma: mmp_pdma: add filter function") +Signed-off-by: Arnd Bergmann +Acked-by: Mark Brown +Link: https://lore.kernel.org/r/20211122222203.4103644-7-arnd@kernel.org +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/mmp_pdma.c | 6 ------ + drivers/dma/pxa_dma.c | 7 ------- + 2 files changed, 13 deletions(-) + +diff --git a/drivers/dma/mmp_pdma.c b/drivers/dma/mmp_pdma.c +index e39457f13d4dd..548600ce6cc87 100644 +--- a/drivers/dma/mmp_pdma.c ++++ b/drivers/dma/mmp_pdma.c +@@ -723,12 +723,6 @@ static int mmp_pdma_config(struct dma_chan *dchan, + + chan->dir = cfg->direction; + chan->dev_addr = addr; +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. +- */ +- if (cfg->slave_id) +- chan->drcmr = cfg->slave_id; + + return 0; + } +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 4251e9ac0373c..ff2e28137a7b1 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -959,13 +959,6 @@ static void pxad_get_config(struct pxad_chan *chan, + *dcmd |= PXA_DCMD_BURST16; + else if (maxburst == 32) + *dcmd |= PXA_DCMD_BURST32; +- +- /* FIXME: drivers should be ported over to use the filter +- * function. Once that's done, the following two lines can +- * be removed. 
+- */ +- if (chan->cfg.slave_id) +- chan->drcmr = chan->cfg.slave_id; + } + + static struct dma_async_tx_descriptor * +-- +2.34.1 + diff --git a/queue-4.4/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch b/queue-4.4/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch new file mode 100644 index 00000000000..a3e930d9ff9 --- /dev/null +++ b/queue-4.4/drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch 
@@ -0,0 +1,65 @@ +From 7b723fb8c76f9611047107d640990ffa31d98104 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 00:17:36 +0800 +Subject: drm/amdgpu: Fix a NULL pointer dereference in + amdgpu_connector_lcd_native_mode() + +From: Zhou Qingyang + +[ Upstream commit b220110e4cd442156f36e1d9b4914bb9e87b0d00 ] + +In amdgpu_connector_lcd_native_mode(), the return value of +drm_mode_duplicate() is assigned to mode, and there is a dereference +of it in amdgpu_connector_lcd_native_mode(), which will lead to a NULL +pointer dereference on failure of drm_mode_duplicate(). + +Fix this bug add a check of mode. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DRM_AMDGPU=m show no new warnings, and +our static analyzer no longer warns about this code. 
+ +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Zhou Qingyang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +index e1d4115bd6732..80e3b41294e5f 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c +@@ -404,6 +404,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -418,6 +421,9 @@ amdgpu_connector_lcd_native_mode(struct drm_encoder *encoder) + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; ++ + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +-- +2.34.1 + diff --git a/queue-4.4/ext4-avoid-trim-error-on-fs-with-small-groups.patch b/queue-4.4/ext4-avoid-trim-error-on-fs-with-small-groups.patch new file mode 100644 index 00000000000..6782b9e0cde --- /dev/null +++ b/queue-4.4/ext4-avoid-trim-error-on-fs-with-small-groups.patch 
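Review bot: Both new early returns exit with NULL, which, if the surrounding code is as it looks (mode initialised to NULL and returned as-is when the native mode is unset), is a value existing callers already handle; a comment on the first return, `/* allocation failure: callers already treat NULL as "no native mode" */`, ties the two cases together. The declaration of `mode` and the function's final return are outside the hunk.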
@@ -0,0 +1,72 @@ +From 13aa02b7a839f9a25bfee48995378404519988c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 12 Nov 2021 16:22:02 +0100 +Subject: ext4: avoid trim error on fs with small groups + +From: Jan Kara + +[ Upstream commit 173b6e383d2a204c9921ffc1eca3b87aa2106c33 ] + +A user reported FITRIM ioctl failing for him on ext4 on some devices +without apparent reason. After some debugging we've found out that +these devices (being LVM volumes) report rather large discard +granularity of 42MB and the filesystem had 1k blocksize and thus group +size of 8MB. Because ext4 FITRIM implementation puts discard +granularity into minlen, ext4_trim_fs() declared the trim request as +invalid. However just silently doing nothing seems to be a more +appropriate reaction to such combination of parameters since user did +not specify anything wrong. + +CC: Lukas Czerner +Fixes: 5c2ed62fd447 ("ext4: Adjust minlen with discard_granularity in the FITRIM ioctl") +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20211112152202.26614-1-jack@suse.cz +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/ioctl.c | 2 -- + fs/ext4/mballoc.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c +index 84f8d07302efa..a224d6efb5a6d 100644 +--- a/fs/ext4/ioctl.c ++++ b/fs/ext4/ioctl.c +@@ -610,8 +610,6 @@ resizefs_out: + sizeof(range))) + return -EFAULT; + +- range.minlen = max((unsigned int)range.minlen, +- q->limits.discard_granularity); + ret = ext4_trim_fs(sb, &range); + if (ret < 0) + return ret; +diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c +index ac87f7e5d6a4f..c7be47ed71144 100644 +--- a/fs/ext4/mballoc.c ++++ b/fs/ext4/mballoc.c +@@ -5223,6 +5223,7 @@ out: + */ + int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + { ++ struct request_queue *q = bdev_get_queue(sb->s_bdev); + struct ext4_group_info *grp; + ext4_group_t group, first_group, last_group; + ext4_grpblk_t 
cnt = 0, first_cluster, last_cluster; +@@ -5241,6 +5242,13 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range) + start >= max_blks || + range->len < sb->s_blocksize) + return -EINVAL; ++ /* No point to try to trim less than discard granularity */ ++ if (range->minlen < q->limits.discard_granularity) { ++ minlen = EXT4_NUM_B2C(EXT4_SB(sb), ++ q->limits.discard_granularity >> sb->s_blocksize_bits); ++ if (minlen > EXT4_CLUSTERS_PER_GROUP(sb)) ++ goto out; ++ } + if (end >= max_blks) + end = max_blks - 1; + if (end <= first_data_blk) +-- +2.34.1 + diff --git a/queue-4.4/floppy-add-max-size-check-for-user-space-request.patch b/queue-4.4/floppy-add-max-size-check-for-user-space-request.patch new file mode 100644 index 00000000000..beb3100f258 --- /dev/null +++ b/queue-4.4/floppy-add-max-size-check-for-user-space-request.patch 
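Review bot: The new `goto out` succeeds with zero bytes trimmed when a group is smaller than the discard granularity, which is deliberate per the description, but the code does not say why this case is not -EINVAL like the checks immediately above it. Suggest extending the comment: `/* Group smaller than discard granularity: nothing can be trimmed, so report 0 trimmed bytes rather than failing the request */`. `q` is now dereferenced unconditionally at the top of ext4_trim_fs(); that is safe only because the ioctl path (outside this hunk) presumably already rejected queues without discard support. `minlen` and the `out:` label are outside the hunk.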
@@ -0,0 +1,82 @@ +From b622d4504442fff73ba6d5b9362d13f6d1a0a01f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 16 Nov 2021 21:10:33 +0800 +Subject: floppy: Add max size check for user space request + +From: Xiongwei Song + +[ Upstream commit 545a32498c536ee152331cd2e7d2416aa0f20e01 ] + +We need to check the max request size that is from user space before +allocating pages. If the request size exceeds the limit, return -EINVAL. +This check can avoid the warning below from page allocator. + +WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 current_gfp_context include/linux/sched/mm.h:195 [inline] +WARNING: CPU: 3 PID: 16525 at mm/page_alloc.c:5344 __alloc_pages+0x45d/0x500 mm/page_alloc.c:5356 +Modules linked in: +CPU: 3 PID: 16525 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 +Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014 +RIP: 0010:__alloc_pages+0x45d/0x500 mm/page_alloc.c:5344 +Code: be c9 00 00 00 48 c7 c7 20 4a 97 89 c6 05 62 32 a7 0b 01 e8 74 9a 42 07 e9 6a ff ff ff 0f 0b e9 a0 fd ff ff 40 80 e5 3f eb 88 <0f> 0b e9 18 ff ff ff 4c 89 ef 44 89 e6 45 31 ed e8 1e 76 ff ff e9 +RSP: 0018:ffffc90023b87850 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 1ffff92004770f0b RCX: dffffc0000000000 +RDX: 0000000000000000 RSI: 0000000000000033 RDI: 0000000000010cc1 +RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000001 +R10: ffffffff81bb4686 R11: 0000000000000001 R12: ffffffff902c1960 +R13: 0000000000000033 R14: 0000000000000000 R15: ffff88804cf64a30 +FS: 0000000000000000(0000) GS:ffff88802cd00000(0063) knlGS:00000000f44b4b40 +CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033 +CR2: 000000002c921000 CR3: 000000004f507000 CR4: 0000000000150ee0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + + alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191 + __get_free_pages+0x8/0x40 mm/page_alloc.c:5418 + raw_cmd_copyin 
drivers/block/floppy.c:3113 [inline] + raw_cmd_ioctl drivers/block/floppy.c:3160 [inline] + fd_locked_ioctl+0x12e5/0x2820 drivers/block/floppy.c:3528 + fd_ioctl drivers/block/floppy.c:3555 [inline] + fd_compat_ioctl+0x891/0x1b60 drivers/block/floppy.c:3869 + compat_blkdev_ioctl+0x3b8/0x810 block/ioctl.c:662 + __do_compat_sys_ioctl+0x1c7/0x290 fs/ioctl.c:972 + do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline] + __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178 + do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203 + entry_SYSENTER_compat_after_hwframe+0x4d/0x5c + +Reported-by: syzbot+23a02c7df2cf2bc93fa2@syzkaller.appspotmail.com +Link: https://lore.kernel.org/r/20211116131033.27685-1-sxwjean@me.com +Signed-off-by: Xiongwei Song +Signed-off-by: Denis Efremov +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/block/floppy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c +index 826ab5f2f6b9f..373dab29addf2 100644 +--- a/drivers/block/floppy.c ++++ b/drivers/block/floppy.c +@@ -3116,6 +3116,8 @@ static void raw_cmd_free(struct floppy_raw_cmd **ptr) + } + } + ++#define MAX_LEN (1UL << MAX_ORDER << PAGE_SHIFT) ++ + static int raw_cmd_copyin(int cmd, void __user *param, + struct floppy_raw_cmd **rcmd) + { +@@ -3153,7 +3155,7 @@ loop: + ptr->resultcode = 0; + + if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) { +- if (ptr->length <= 0) ++ if (ptr->length <= 0 || ptr->length >= MAX_LEN) + return -EINVAL; + ptr->kernel_data = (char *)fd_dma_mem_alloc(ptr->length); + fallback_on_nodma_alloc(&ptr->kernel_data, ptr->length); +-- +2.34.1 + diff --git a/queue-4.4/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch b/queue-4.4/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch new file mode 100644 index 00000000000..deee90d8a96 --- /dev/null +++ b/queue-4.4/floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch 
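Review bot: The upper bound looks one order too large: MAX_LEN is `1UL << MAX_ORDER << PAGE_SHIFT`, and if MAX_ORDER in this tree is exclusive (largest allocatable order is MAX_ORDER - 1), a length above `PAGE_SIZE << (MAX_ORDER - 1)` but below MAX_LEN still passes `ptr->length >= MAX_LEN`, and fd_dma_mem_alloc() then asks __get_free_pages() for order MAX_ORDER, which is exactly the request the page allocator warns about. If so, `#define MAX_LEN (1UL << (MAX_ORDER - 1) << PAGE_SHIFT)` together with `ptr->length > MAX_LEN` closes the gap. MAX_LEN is also a very generic name for a file-scope macro in floppy.c; a prefixed name such as FD_RAW_CMD_MAX_LEN is less likely to collide. fd_dma_mem_alloc() and the rest of raw_cmd_copyin() are outside the hunk.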
@@ -0,0 +1,52 @@
+From 5fdb69be5650674b1e42370b9dd7376cecfa3ed8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Sep 2021 09:47:58 +0300
+Subject: floppy: Fix hang in watchdog when disk is ejected
+
+From: Tasos Sahanidis
+
+[ Upstream commit fb48febce7e30baed94dd791e19521abd2c3fd83 ]
+
+When the watchdog detects a disk change, it calls cancel_activity(),
+which in turn tries to cancel the fd_timer delayed work.
+
+In the above scenario, fd_timer_fn is set to fd_watchdog(), meaning
+it is trying to cancel its own work.
+This results in a hang as cancel_delayed_work_sync() is waiting for the
+watchdog (itself) to return, which never happens.
+
+This can be reproduced relatively consistently by attempting to read a
+broken floppy, and ejecting it while IO is being attempted and retried.
+
+To resolve this, this patch calls cancel_delayed_work() instead, which
+cancels the work without waiting for the watchdog to return and finish.
+
+Before this regression was introduced, the code in this section used
+del_timer(), and not del_timer_sync() to delete the watchdog timer.
+
+Link: https://lore.kernel.org/r/399e486c-6540-db27-76aa-7a271b061f76@tasossah.com
+Fixes: 070ad7e793dc ("floppy: convert to delayed work and single-thread wq")
+Signed-off-by: Tasos Sahanidis
+Signed-off-by: Denis Efremov
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/floppy.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/block/floppy.c b/drivers/block/floppy.c
+index 40c251ef175db..826ab5f2f6b9f 100644
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -994,7 +994,7 @@ static DECLARE_DELAYED_WORK(fd_timer, fd_timer_workfn);
+ static void cancel_activity(void)
+ {
+ do_floppy = NULL;
+- cancel_delayed_work_sync(&fd_timer);
++ cancel_delayed_work(&fd_timer);
+ cancel_work_sync(&floppy_work);
+ }
+
+--
+2.34.1
+
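Review bot: Dropping the `_sync` removes the self-cancel deadlock but also means cancel_activity() can now return while fd_timer's handler is still executing, and nothing in the code records why the non-waiting form is required, so a future cleanup could reinstate `_sync`. Suggest `/* not _sync: fd_watchdog() runs as fd_timer and calls cancel_activity() itself */` above the call. Whether any caller other than the watchdog relied on the handler having finished before cancel_activity() returns is outside the hunk and worth confirming.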
diff --git a/queue-4.4/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch b/queue-4.4/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch
new file mode 100644
index 00000000000..696f155096a
--- /dev/null
+++ b/queue-4.4/fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch
@@ -0,0 +1,118 @@ +From 14fa80fd80529387e1d3fbd8694e0472398c42ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 15:17:24 -0400 +Subject: fs: dlm: filter user dlm messages for kernel locks + +From: Alexander Aring + +[ Upstream commit 6c2e3bf68f3e5e5a647aa52be246d5f552d7496d ] + +This patch fixes the following crash by receiving a invalid message: + +[ 160.672220] ================================================================== +[ 160.676206] BUG: KASAN: user-memory-access in dlm_user_add_ast+0xc3/0x370 +[ 160.679659] Read of size 8 at addr 00000000deadbeef by task kworker/u32:13/319 +[ 160.681447] +[ 160.681824] CPU: 10 PID: 319 Comm: kworker/u32:13 Not tainted 5.14.0-rc2+ #399 +[ 160.683472] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.14.0-1.module+el8.6.0+12648+6ede71a5 04/01/2014 +[ 160.685574] Workqueue: dlm_recv process_recv_sockets +[ 160.686721] Call Trace: +[ 160.687310] dump_stack_lvl+0x56/0x6f +[ 160.688169] ? dlm_user_add_ast+0xc3/0x370 +[ 160.689116] kasan_report.cold.14+0x116/0x11b +[ 160.690138] ? dlm_user_add_ast+0xc3/0x370 +[ 160.690832] dlm_user_add_ast+0xc3/0x370 +[ 160.691502] _receive_unlock_reply+0x103/0x170 +[ 160.692241] _receive_message+0x11df/0x1ec0 +[ 160.692926] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 160.693700] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 160.694427] ? lock_acquire+0x175/0x400 +[ 160.695058] ? do_purge.isra.51+0x200/0x200 +[ 160.695744] ? lock_acquired+0x360/0x5d0 +[ 160.696400] ? lock_contended+0x6a0/0x6a0 +[ 160.697055] ? lock_release+0x21d/0x5e0 +[ 160.697686] ? lock_is_held_type+0xe0/0x110 +[ 160.698352] ? lock_is_held_type+0xe0/0x110 +[ 160.699026] ? ___might_sleep+0x1cc/0x1e0 +[ 160.699698] ? dlm_wait_requestqueue+0x94/0x140 +[ 160.700451] ? dlm_process_requestqueue+0x240/0x240 +[ 160.701249] ? down_write_killable+0x2b0/0x2b0 +[ 160.701988] ? 
do_raw_spin_unlock+0xa2/0x130 +[ 160.702690] dlm_receive_buffer+0x1a5/0x210 +[ 160.703385] dlm_process_incoming_buffer+0x726/0x9f0 +[ 160.704210] receive_from_sock+0x1c0/0x3b0 +[ 160.704886] ? dlm_tcp_shutdown+0x30/0x30 +[ 160.705561] ? lock_acquire+0x175/0x400 +[ 160.706197] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 160.706941] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 160.707681] process_recv_sockets+0x32/0x40 +[ 160.708366] process_one_work+0x55e/0xad0 +[ 160.709045] ? pwq_dec_nr_in_flight+0x110/0x110 +[ 160.709820] worker_thread+0x65/0x5e0 +[ 160.710423] ? process_one_work+0xad0/0xad0 +[ 160.711087] kthread+0x1ed/0x220 +[ 160.711628] ? set_kthread_struct+0x80/0x80 +[ 160.712314] ret_from_fork+0x22/0x30 + +The issue is that we received a DLM message for a user lock but the +destination lock is a kernel lock. Note that the address which is trying +to derefence is 00000000deadbeef, which is in a kernel lock +lkb->lkb_astparam, this field should never be derefenced by the DLM +kernel stack. In case of a user lock lkb->lkb_astparam is lkb->lkb_ua +(memory is shared by a union field). The struct lkb_ua will be handled +by the DLM kernel stack but on a kernel lock it will contain invalid +data and ends in most likely crashing the kernel. + +It can be reproduced with two cluster nodes. 
+ +node 2: +dlm_tool join test +echo "862 fooobaar 1 2 1" > /sys/kernel/debug/dlm/test_locks +echo "862 3 1" > /sys/kernel/debug/dlm/test_waiters + +node 1: +dlm_tool join test + +python: +foo = DLM(h_cmd=3, o_nextcmd=1, h_nodeid=1, h_lockspace=0x77222027, \ + m_type=7, m_flags=0x1, m_remid=0x862, m_result=0xFFFEFFFE) +newFile = open("/sys/kernel/debug/dlm/comms/2/rawmsg", "wb") +newFile.write(bytes(foo)) + +Signed-off-by: Alexander Aring +Signed-off-by: David Teigland +Signed-off-by: Sasha Levin +--- + fs/dlm/lock.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/fs/dlm/lock.c b/fs/dlm/lock.c +index 3a7f401e943c1..ffab7dc881574 100644 +--- a/fs/dlm/lock.c ++++ b/fs/dlm/lock.c +@@ -3975,6 +3975,14 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + int from = ms->m_header.h_nodeid; + int error = 0; + ++ /* currently mixing of user/kernel locks are not supported */ ++ if (ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER) { ++ log_error(lkb->lkb_resource->res_ls, ++ "got user dlm message for a kernel lock"); ++ error = -EINVAL; ++ goto out; ++ } ++ + switch (ms->m_type) { + case DLM_MSG_CONVERT: + case DLM_MSG_UNLOCK: +@@ -4003,6 +4011,7 @@ static int validate_message(struct dlm_lkb *lkb, struct dlm_message *ms) + error = -EINVAL; + } + ++out: + if (error) + log_error(lkb->lkb_resource->res_ls, + "ignore invalid message %d from %d %x %x %x %d", +-- +2.34.1 + diff --git a/queue-4.4/hsi-core-fix-return-freed-object-in-hsi_new_client.patch b/queue-4.4/hsi-core-fix-return-freed-object-in-hsi_new_client.patch new file mode 100644 index 00000000000..6b909ce0289 --- /dev/null +++ b/queue-4.4/hsi-core-fix-return-freed-object-in-hsi_new_client.patch 
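Review bot: The new condition mixes `&` and `&&` without parentheses, `ms->m_flags & DLM_IFL_USER && ~lkb->lkb_flags & DLM_IFL_USER`; it parses as intended because `&` binds tighter, but `if ((ms->m_flags & DLM_IFL_USER) && !(lkb->lkb_flags & DLM_IFL_USER))` says the same thing without a precedence lookup. It also rejects only the user-message-for-kernel-lock direction; if a kernel message addressed to a user lock is equally unsupported, `(ms->m_flags ^ lkb->lkb_flags) & DLM_IFL_USER` would cover both. In the second hunk, `out:` is reached with `error` set, so the existing "ignore invalid message" log_error() fires in addition to the new one, two messages per rejected packet that a remote node can provoke at will; a single rate-limited message may be preferable. validate_message()'s remaining body sits between the two hunks.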
@@ -0,0 +1,35 @@
+From 13ff86820abc146c76c1a1fdb0e50b6987f2ca93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 5 Nov 2021 06:45:07 -0700
+Subject: HSI: core: Fix return freed object in hsi_new_client
+
+From: Chengfeng Ye
+
+[ Upstream commit a1ee1c08fcd5af03187dcd41dcab12fd5b379555 ]
+
+cl is freed on error of calling device_register, but this
+object is return later, which will cause uaf issue. Fix it
+by return NULL on error.
+
+Signed-off-by: Chengfeng Ye
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/hsi/hsi.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/hsi/hsi.c b/drivers/hsi/hsi.c
+index 55e36fcd7ff35..e1080f005a19e 100644
+--- a/drivers/hsi/hsi.c
++++ b/drivers/hsi/hsi.c
+@@ -115,6 +115,7 @@ struct hsi_client *hsi_new_client(struct hsi_port *port,
+ if (device_register(&cl->device) < 0) {
+ pr_err("hsi: failed to register client: %s\n", info->name);
+ put_device(&cl->device);
++ goto err;
+ }
+
+ return cl;
+--
+2.34.1
+
diff --git a/queue-4.4/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch b/queue-4.4/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch
new file mode 100644
index 00000000000..7b6cffd4f8b
--- /dev/null
+++ b/queue-4.4/i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch
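Review bot: `goto err` is only correct if the `err` label returns NULL without touching `cl`, since put_device() has already dropped the last reference and the device release callback presumably frees it; the label is outside the hunk, so confirm it is the bare `return NULL` and not one of the kfree() unwind labels, which would double-free. A comment on the new line, `goto err; /* cl already freed by put_device() via the release callback */`, makes the ownership hand-off explicit.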
@@ -0,0 +1,45 @@
+From 3f62388c76b093bef225101652ac7ab85655792f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Dec 2021 17:12:01 +0200
+Subject: i2c: designware-pci: Fix to change data types of hcnt and lcnt
+ parameters
+
+From: Lakshmi Sowjanya D
+
+[ Upstream commit d52097010078c1844348dc0e467305e5f90fd317 ]
+
+The data type of hcnt and lcnt in the struct dw_i2c_dev is of type u16.
+It's better to have same data type in struct dw_scl_sda_cfg as well.
+
+Reported-by: Wolfram Sang
+Signed-off-by: Lakshmi Sowjanya D
+Signed-off-by: Andy Shevchenko
+Signed-off-by: Jarkko Nikula
+Signed-off-by: Wolfram Sang
+Signed-off-by: Sasha Levin
+---
+ drivers/i2c/busses/i2c-designware-pcidrv.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/i2c/busses/i2c-designware-pcidrv.c b/drivers/i2c/busses/i2c-designware-pcidrv.c
+index 1543d35d228df..6831883741215 100644
+--- a/drivers/i2c/busses/i2c-designware-pcidrv.c
++++ b/drivers/i2c/busses/i2c-designware-pcidrv.c
+@@ -53,10 +53,10 @@ enum dw_pci_ctl_id_t {
+ };
+
+ struct dw_scl_sda_cfg {
+- u32 ss_hcnt;
+- u32 fs_hcnt;
+- u32 ss_lcnt;
+- u32 fs_lcnt;
++ u16 ss_hcnt;
++ u16 fs_hcnt;
++ u16 ss_lcnt;
++ u16 fs_lcnt;
+ u32 sda_hold;
+ };
+
+--
+2.34.1
+
diff --git a/queue-4.4/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch b/queue-4.4/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch
new file mode 100644
index 00000000000..719cff57043
--- /dev/null
+++ b/queue-4.4/i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch
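Review bot: Narrowing the four counters to u16 is safe only if every `struct dw_scl_sda_cfg` initializer in the file fits in 16 bits; those tables are outside the hunk, and an out-of-range constant would surface only as a -Woverflow warning, not an error, so they deserve a quick check. A comment on the struct tying the width to its consumer, `/* u16 to match hcnt/lcnt in struct dw_i2c_dev */`, would explain the choice to the next reader.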
@@ -0,0 +1,63 @@ +From 7f157377adba61d5a5e73dd2d7fac0c0162f1689 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 7 Nov 2021 22:57:00 +0100 +Subject: i2c: i801: Don't silently correct invalid transfer size + +From: Heiner Kallweit + +[ Upstream commit effa453168a7eeb8a562ff4edc1dbf9067360a61 ] + +If an invalid block size is provided, reject it instead of silently +changing it to a supported value. Especially critical I see the case of +a write transfer with block length 0. In this case we have no guarantee +that the byte we would write is valid. When silently reducing a read to +32 bytes then we don't return an error and the caller may falsely +assume that we returned the full requested data. + +If this change should break any (broken) caller, then I think we should +fix the caller. + +Signed-off-by: Heiner Kallweit +Reviewed-by: Jean Delvare +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-i801.c | 15 +++++---------- + 1 file changed, 5 insertions(+), 10 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-i801.c b/drivers/i2c/busses/i2c-i801.c +index 4399016a6caba..73026c00220c2 100644 +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -669,6 +669,11 @@ static int i801_block_transaction(struct i801_priv *priv, + int result = 0; + unsigned char hostc; + ++ if (read_write == I2C_SMBUS_READ && command == I2C_SMBUS_BLOCK_DATA) ++ data->block[0] = I2C_SMBUS_BLOCK_MAX; ++ else if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EPROTO; ++ + if (command == I2C_SMBUS_I2C_BLOCK_DATA) { + if (read_write == I2C_SMBUS_WRITE) { + /* set I2C_EN bit in configuration register */ +@@ -682,16 +687,6 @@ static int i801_block_transaction(struct i801_priv *priv, + } + } + +- if (read_write == I2C_SMBUS_WRITE +- || command == I2C_SMBUS_I2C_BLOCK_DATA) { +- if (data->block[0] < 1) +- data->block[0] = 1; +- if (data->block[0] > I2C_SMBUS_BLOCK_MAX) +- data->block[0] = I2C_SMBUS_BLOCK_MAX; +- } 
else { +- data->block[0] = 32; /* max for SMBus block reads */ +- } +- + /* Experience has shown that the block buffer can only be used for + SMBus (not I2C) block transactions, even though the datasheet + doesn't mention this limitation. */ +-- +2.34.1 + diff --git a/queue-4.4/i2c-mpc-correct-i2c-reset-procedure.patch b/queue-4.4/i2c-mpc-correct-i2c-reset-procedure.patch new file mode 100644 index 00000000000..a0b543b6e1c --- /dev/null +++ b/queue-4.4/i2c-mpc-correct-i2c-reset-procedure.patch 
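Review bot: The new length check carries no comment explaining the asymmetry between the two branches, which the removed `/* max for SMBus block reads */` at least hinted at: for an SMBus block read the caller's `block[0]` is not validated but overwritten with `I2C_SMBUS_BLOCK_MAX`, presumably because the slave supplies the actual count, while every other case is rejected with `-EPROTO` instead of being clamped. Suggest `/* SMBus block reads: the slave reports the length, so request the maximum */` above the first branch and `/* reject instead of silently clamping; a 0-byte write has no defined payload */` on the `else if`. The check also now runs before the `I2C_EN` configuration write further down, so a rejected request leaves the controller untouched — worth stating, since that ordering is the reason the check sits at the top. i801_block_transaction() continues past the hunk.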
@@ -0,0 +1,70 @@ +From ea915f7c20b543c2a71a62a20a61e08afc376f99 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 May 2017 14:20:33 +0200 +Subject: i2c: mpc: Correct I2C reset procedure + +From: Joakim Tjernlund + +[ Upstream commit ebe82cf92cd4825c3029434cabfcd2f1780e64be ] + +Current I2C reset procedure is broken in two ways: +1) It only generate 1 START instead of 9 STARTs and STOP. +2) It leaves the bus Busy so every I2C xfer after the first + fixup calls the reset routine again, for every xfer there after. + +This fixes both errors. + +Signed-off-by: Joakim Tjernlund +Acked-by: Scott Wood +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mpc.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-mpc.c b/drivers/i2c/busses/i2c-mpc.c +index 2e083a71c2215..988ea9df6654c 100644 +--- a/drivers/i2c/busses/i2c-mpc.c ++++ b/drivers/i2c/busses/i2c-mpc.c +@@ -107,23 +107,30 @@ static irqreturn_t mpc_i2c_isr(int irq, void *dev_id) + /* Sometimes 9th clock pulse isn't generated, and slave doesn't release + * the bus, because it wants to send ACK. + * Following sequence of enabling/disabling and sending start/stop generates +- * the 9 pulses, so it's all OK. ++ * the 9 pulses, each with a START then ending with STOP, so it's all OK. 
+ */ + static void mpc_i2c_fixup(struct mpc_i2c *i2c) + { + int k; +- u32 delay_val = 1000000 / i2c->real_clk + 1; +- +- if (delay_val < 2) +- delay_val = 2; ++ unsigned long flags; + + for (k = 9; k; k--) { + writeccr(i2c, 0); +- writeccr(i2c, CCR_MSTA | CCR_MTX | CCR_MEN); ++ writeb(0, i2c->base + MPC_I2C_SR); /* clear any status bits */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA); /* START */ ++ readb(i2c->base + MPC_I2C_DR); /* init xfer */ ++ udelay(15); /* let it hit the bus */ ++ local_irq_save(flags); /* should not be delayed further */ ++ writeccr(i2c, CCR_MEN | CCR_MSTA | CCR_RSTA); /* delay SDA */ + readb(i2c->base + MPC_I2C_DR); +- writeccr(i2c, CCR_MEN); +- udelay(delay_val << 1); ++ if (k != 1) ++ udelay(5); ++ local_irq_restore(flags); + } ++ writeccr(i2c, CCR_MEN); /* Initiate STOP */ ++ readb(i2c->base + MPC_I2C_DR); ++ udelay(15); /* Let STOP propagate */ ++ writeccr(i2c, 0); + } + + static int i2c_wait(struct mpc_i2c *i2c, unsigned timeout, int writing) +-- +2.34.1 + diff --git a/queue-4.4/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch b/queue-4.4/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch new file mode 100644 index 00000000000..85620f937d5 --- /dev/null +++ b/queue-4.4/iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch 
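Review bot: The rewritten loop replaces the clock-derived `delay_val` with fixed `udelay(15)` and `udelay(5)` and runs the RSTA write and the 5 us wait with interrupts disabled, but nothing in the hunk says where those two constants come from or whether they still hold at the lowest supported `real_clk`; a comment above the loop along the lines of `/* 15us/5us: long enough for the START/RSTA to reach the bus at any supported SCL rate -- confirm against the controller timing */` would let a reader check the assumption instead of trusting it. The existing inline comments describe what each write does but not why the RSTA write must not be delayed relative to the preceding read, which is the reason for the `local_irq_save()` and deserves a sentence. The final `writeccr(i2c, 0)` leaves the module disabled on exit; the callers that re-enable it are outside the hunk.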
@@ -0,0 +1,72 @@ +From ca4de2d94d88824c724b83a8abc1404b5d4add8e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Dec 2021 08:35:45 +0200 +Subject: iwlwifi: mvm: synchronize with FW after multicast commands + +From: Johannes Berg + +[ Upstream commit db66abeea3aefed481391ecc564fb7b7fb31d742 ] + +If userspace installs a lot of multicast groups very quickly, then +we may run out of command queue space as we send the updates in an +asynchronous fashion (due to locking concerns), and the CPU can +create them faster than the firmware can process them. This is true +even when mac80211 has a work struct that gets scheduled. + +Fix this by synchronizing with the firmware after sending all those +commands - outside of the iteration we can send a synchronous echo +command that just has the effect of the CPU waiting for the prior +asynchronous commands to finish. This also will cause fewer of the +commands to be sent to the firmware overall, because the work will +only run once when rescheduled multiple times while it's running. 
+ +Link: https://bugzilla.kernel.org/show_bug.cgi?id=213649 +Suggested-by: Emmanuel Grumbach +Reported-by: Maximilian Ernestus +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211204083238.51aea5b79ea4.I88a44798efda16e9fe480fb3e94224931d311b29@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/iwlwifi/mvm/mac80211.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git a/drivers/net/wireless/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/iwlwifi/mvm/mac80211.c +index ca498b1f1f568..6417fda88733c 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/mvm/mac80211.c +@@ -1957,6 +1957,7 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + struct iwl_mvm_mc_iter_data iter_data = { + .mvm = mvm, + }; ++ int ret; + + lockdep_assert_held(&mvm->mutex); + +@@ -1966,6 +1967,22 @@ static void iwl_mvm_recalc_multicast(struct iwl_mvm *mvm) + ieee80211_iterate_active_interfaces_atomic( + mvm->hw, IEEE80211_IFACE_ITER_NORMAL, + iwl_mvm_mc_iface_iterator, &iter_data); ++ ++ /* ++ * Send a (synchronous) ech command so that we wait for the ++ * multiple asynchronous MCAST_FILTER_CMD commands sent by ++ * the interface iterator. Otherwise, we might get here over ++ * and over again (by userspace just sending a lot of these) ++ * and the CPU can send them faster than the firmware can ++ * process them. ++ * Note that the CPU is still faster - but with this we'll ++ * actually send fewer commands overall because the CPU will ++ * not schedule the work in mac80211 as frequently if it's ++ * still running when rescheduled (possibly multiple times). ++ */ ++ ret = iwl_mvm_send_cmd_pdu(mvm, ECHO_CMD, 0, 0, NULL); ++ if (ret) ++ IWL_ERR(mvm, "Failed to synchronize multicast groups update\n"); + } + + static u64 iwl_mvm_prepare_multicast(struct ieee80211_hw *hw, +-- +2.34.1 + 
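Review bot: Typo in the added comment: `ech command` should read `echo command`. The failure of the synchronous ECHO_CMD is only logged, which is fine for a void function, but the message would be more useful if it carried the code: `IWL_ERR(mvm, "Failed to synchronize multicast groups update: %d\n", ret);`, so that a full command queue is distinguishable from other failures in the log. iwl_mvm_recalc_multicast() starts before the first hunk.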
diff --git a/queue-4.4/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch b/queue-4.4/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch new file mode 100644 index 00000000000..3eaaa3842c3 --- /dev/null +++ b/queue-4.4/media-b2c2-add-missing-check-in-flexcop_pci_isr.patch 
@@ -0,0 +1,163 @@ +From 3d414eba949caf1903f329a98f5253cd614a47ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 May 2021 10:00:03 +0100 +Subject: media: b2c2: Add missing check in flexcop_pci_isr: + +From: Zheyu Ma + +[ Upstream commit b13203032e679674c7c518f52a7ec0801ca3a829 ] + +A out-of-bounds bug can be triggered by an interrupt, the reason for +this bug is the lack of checking of register values. + +In flexcop_pci_isr, the driver reads value from a register and uses it as +a dma address. Finally, this address will be passed to the count parameter +of find_next_packet. If this value is larger than the size of dma, the +index of buffer will be out-of-bounds. + +Fix this by adding a check after reading the value of the register. + +The following KASAN report reveals it: + +BUG: KASAN: slab-out-of-bounds in find_next_packet +drivers/media/dvb-core/dvb_demux.c:528 [inline] +BUG: KASAN: slab-out-of-bounds in _dvb_dmx_swfilter +drivers/media/dvb-core/dvb_demux.c:572 [inline] +BUG: KASAN: slab-out-of-bounds in dvb_dmx_swfilter+0x3fa/0x420 +drivers/media/dvb-core/dvb_demux.c:603 +Read of size 1 at addr ffff8880608c00a0 by task swapper/2/0 + +CPU: 2 PID: 0 Comm: swapper/2 Not tainted 4.19.177-gdba4159c14ef #25 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +Call Trace: + + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xec/0x156 lib/dump_stack.c:118 + print_address_description+0x78/0x290 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report+0x25b/0x380 mm/kasan/report.c:412 + __asan_report_load1_noabort+0x19/0x20 mm/kasan/report.c:430 + find_next_packet drivers/media/dvb-core/dvb_demux.c:528 [inline] + _dvb_dmx_swfilter drivers/media/dvb-core/dvb_demux.c:572 [inline] + dvb_dmx_swfilter+0x3fa/0x420 drivers/media/dvb-core/dvb_demux.c:603 + flexcop_pass_dmx_data+0x2e/0x40 drivers/media/common/b2c2/flexcop.c:167 + flexcop_pci_isr+0x3d1/0x5d0 
drivers/media/pci/b2c2/flexcop-pci.c:212 + __handle_irq_event_percpu+0xfb/0x770 kernel/irq/handle.c:149 + handle_irq_event_percpu+0x79/0x150 kernel/irq/handle.c:189 + handle_irq_event+0xac/0x140 kernel/irq/handle.c:206 + handle_fasteoi_irq+0x232/0x5c0 kernel/irq/chip.c:725 + generic_handle_irq_desc include/linux/irqdesc.h:155 [inline] + handle_irq+0x230/0x3a0 arch/x86/kernel/irq_64.c:87 + do_IRQ+0xa7/0x1e0 arch/x86/kernel/irq.c:247 + common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670 + +RIP: 0010:native_safe_halt+0x28/0x30 arch/x86/include/asm/irqflags.h:61 +Code: 00 00 55 be 04 00 00 00 48 c7 c7 00 62 2f 8c 48 89 e5 e8 fb 31 +e8 f8 8b 05 75 4f 8e 03 85 c0 7e 07 0f 00 2d 8a 61 66 00 fb f4 <5d> c3 +90 90 90 90 90 90 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 +RSP: 0018:ffff88806b71fcc8 EFLAGS: 00000246 ORIG_RAX: ffffffffffffffde +RAX: 0000000000000000 RBX: ffffffff8bde44c8 RCX: ffffffff88a11285 +RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffff8c2f6200 +RBP: ffff88806b71fcc8 R08: fffffbfff185ec40 R09: fffffbfff185ec40 +R10: 0000000000000001 R11: fffffbfff185ec40 R12: 0000000000000002 +R13: ffffffff8be9d6e0 R14: 0000000000000000 R15: 0000000000000000 + arch_safe_halt arch/x86/include/asm/paravirt.h:94 [inline] + default_idle+0x6f/0x360 arch/x86/kernel/process.c:557 + arch_cpu_idle+0xf/0x20 arch/x86/kernel/process.c:548 + default_idle_call+0x3b/0x60 kernel/sched/idle.c:93 + cpuidle_idle_call kernel/sched/idle.c:153 [inline] + do_idle+0x2ab/0x3c0 kernel/sched/idle.c:263 + cpu_startup_entry+0xcb/0xe0 kernel/sched/idle.c:369 + start_secondary+0x3b8/0x4e0 arch/x86/kernel/smpboot.c:271 + secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:243 + +Allocated by task 1: + save_stack+0x43/0xd0 mm/kasan/kasan.c:448 + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:553 + kasan_slab_alloc+0x11/0x20 mm/kasan/kasan.c:490 + slab_post_alloc_hook mm/slab.h:445 [inline] + slab_alloc_node mm/slub.c:2741 [inline] + slab_alloc 
mm/slub.c:2749 [inline] + kmem_cache_alloc+0xeb/0x280 mm/slub.c:2754 + kmem_cache_zalloc include/linux/slab.h:699 [inline] + __kernfs_new_node+0xe2/0x6f0 fs/kernfs/dir.c:633 + kernfs_new_node+0x9a/0x120 fs/kernfs/dir.c:693 + __kernfs_create_file+0x5f/0x340 fs/kernfs/file.c:992 + sysfs_add_file_mode_ns+0x22a/0x4e0 fs/sysfs/file.c:306 + create_files fs/sysfs/group.c:63 [inline] + internal_create_group+0x34e/0xc30 fs/sysfs/group.c:147 + sysfs_create_group fs/sysfs/group.c:173 [inline] + sysfs_create_groups+0x9c/0x140 fs/sysfs/group.c:200 + driver_add_groups+0x3e/0x50 drivers/base/driver.c:129 + bus_add_driver+0x3a5/0x790 drivers/base/bus.c:684 + driver_register+0x1cd/0x410 drivers/base/driver.c:170 + __pci_register_driver+0x197/0x200 drivers/pci/pci-driver.c:1411 + cx88_audio_pci_driver_init+0x23/0x25 drivers/media/pci/cx88/cx88-alsa.c: + 1017 + do_one_initcall+0xe0/0x610 init/main.c:884 + do_initcall_level init/main.c:952 [inline] + do_initcalls init/main.c:960 [inline] + do_basic_setup init/main.c:978 [inline] + kernel_init_freeable+0x4d0/0x592 init/main.c:1145 + kernel_init+0x18/0x190 init/main.c:1062 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 + +Freed by task 0: +(stack is not available) + +The buggy address belongs to the object at ffff8880608c0000 + which belongs to the cache kernfs_node_cache of size 160 +The buggy address is located 0 bytes to the right of + 160-byte region [ffff8880608c0000, ffff8880608c00a0) +The buggy address belongs to the page: +page:ffffea0001823000 count:1 mapcount:0 mapping:ffff88806bed1e00 +index:0x0 compound_mapcount: 0 +flags: 0x100000000008100(slab|head) +raw: 0100000000008100 dead000000000100 dead000000000200 ffff88806bed1e00 +raw: 0000000000000000 0000000000240024 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8880608bff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880608c0000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 +>ffff8880608c0080: 00 00 00 00 fc fc fc fc fc fc fc fc 00 00 00 00 + ^ + ffff8880608c0100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff8880608c0180: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 +================================================================== + +Link: https://lore.kernel.org/linux-media/1620723603-30912-1-git-send-email-zheyuma97@gmail.com +Reported-by: Zheyu Ma +Signed-off-by: Zheyu Ma +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/b2c2/flexcop-pci.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/media/pci/b2c2/flexcop-pci.c b/drivers/media/pci/b2c2/flexcop-pci.c +index 8b5e0b3a92a0c..2f496c05a3316 100644 +--- a/drivers/media/pci/b2c2/flexcop-pci.c ++++ b/drivers/media/pci/b2c2/flexcop-pci.c +@@ -184,6 +184,8 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + dma_addr_t cur_addr = + fc->read_ibi_reg(fc,dma1_008).dma_0x8.dma_cur_addr << 2; + u32 cur_pos = cur_addr - fc_pci->dma[0].dma_addr0; ++ if (cur_pos > fc_pci->dma[0].size * 2) ++ goto error; + + deb_irq("%u irq: %08x cur_addr: %llx: cur_pos: %08x, " + "last_cur_pos: %08x ", +@@ -225,6 +227,7 @@ static irqreturn_t flexcop_pci_isr(int irq, void *dev_id) + ret = IRQ_NONE; + } + ++error: + spin_unlock_irqrestore(&fc_pci->irq_lock, flags); + return ret; + } +-- +2.34.1 + diff --git a/queue-4.4/media-dib8000-fix-a-memleak-in-dib8000_init.patch b/queue-4.4/media-dib8000-fix-a-memleak-in-dib8000_init.patch new file mode 100644 index 00000000000..819e25e1b32 --- /dev/null +++ b/queue-4.4/media-dib8000-fix-a-memleak-in-dib8000_init.patch 
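Review bot: The new `goto error` on an out-of-range `cur_pos` returns whatever `ret` held at that point (it is initialised before the hunk), so a device reporting a DMA address outside its buffers is handled silently; a rate-limited message on that path, e.g. `dev_warn_ratelimited(&fc_pci->pdev->dev, ...)` or at least `deb_irq("cur_pos %08x out of range\n", cur_pos);` (confirm the pdev field name), would make a misbehaving or malicious card visible instead of just dropping the interrupt. The comparison `cur_pos > fc_pci->dma[0].size * 2` still admits `cur_pos == size * 2`, which is one past the end if `size` is the per-half length the DMA code uses — worth checking whether `>=` is intended. A comment such as `/* cur_addr is read back from the device; reject anything outside the two DMA halves */` would document why an ISR distrusts its own register. flexcop_pci_isr() continues between the two hunks.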
@@ -0,0 +1,55 @@ +From e36a8262262461e2b24b4b1e1851d53510b3ca92 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 16:38:05 +0100 +Subject: media: dib8000: Fix a memleak in dib8000_init() + +From: Zhou Qingyang + +[ Upstream commit 8dbdcc7269a83305ee9d677b75064d3530a48ee2 ] + +In dib8000_init(), the variable fe is not freed or passed out on the +failure of dib8000_identify(&state->i2c), which could lead to a memleak. + +Fix this bug by adding a kfree of fe in the error path. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_DVB_DIB8000=m show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Fixes: 77e2c0f5d471 ("V4L/DVB (12900): DiB8000: added support for DiBcom ISDB-T/ISDB-Tsb demodulator DiB8000") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/dib8000.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/dvb-frontends/dib8000.c b/drivers/media/dvb-frontends/dib8000.c +index 94c26270fff0e..b8af5a3c707f8 100644 +--- a/drivers/media/dvb-frontends/dib8000.c ++++ b/drivers/media/dvb-frontends/dib8000.c +@@ -4461,8 +4461,10 @@ static struct dvb_frontend *dib8000_init(struct i2c_adapter *i2c_adap, u8 i2c_ad + + state->timf_default = cfg->pll->timf; + +- if (dib8000_identify(&state->i2c) == 0) ++ if (dib8000_identify(&state->i2c) == 0) { ++ kfree(fe); + goto error; ++ } + + dibx000_init_i2c_master(&state->i2c_master, DIB8000, state->i2c.adap, state->i2c.addr); + +-- +2.34.1 + diff --git a/queue-4.4/media-igorplugusb-receiver-overflow-should-be-report.patch b/queue-4.4/media-igorplugusb-receiver-overflow-should-be-report.patch new file mode 100644 index 00000000000..b5473ee5bcc --- /dev/null +++ b/queue-4.4/media-igorplugusb-receiver-overflow-should-be-report.patch 
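Review bot: The added `kfree(fe)` is correct only if the `error:` label, which is outside the hunk, does not free `fe` a second time — for example via a `state->fe[0]` pointer stored earlier in dib8000_init(); if the label only frees `state`, as the commit message implies, the fix is complete, otherwise it is a double free. A comment on the new line, `kfree(fe); /* not yet owned by state, so error: will not free it */`, would pin the ownership assumption the fix relies on.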
@@ -0,0 +1,39 @@ +From 77586f21ac878cd743079e5aee30692146f21ca9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 23:58:19 +0100 +Subject: media: igorplugusb: receiver overflow should be reported + +From: Sean Young + +[ Upstream commit 8fede658e7ddb605bbd68ed38067ddb0af033db4 ] + +Without this, some IR will be missing mid-stream and we might decode +something which never really occurred. + +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/igorplugusb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/igorplugusb.c b/drivers/media/rc/igorplugusb.c +index b36e51576f8e4..645ea00c472ab 100644 +--- a/drivers/media/rc/igorplugusb.c ++++ b/drivers/media/rc/igorplugusb.c +@@ -73,9 +73,11 @@ static void igorplugusb_irdata(struct igorplugusb *ir, unsigned len) + if (start >= len) { + dev_err(ir->dev, "receive overflow invalid: %u", overflow); + } else { +- if (overflow > 0) ++ if (overflow > 0) { + dev_warn(ir->dev, "receive overflow, at least %u lost", + overflow); ++ ir_raw_event_reset(ir->rc); ++ } + + do { + rawir.duration = ir->buf_in[i] * 85333; +-- +2.34.1 + diff --git a/queue-4.4/media-m920x-don-t-use-stack-on-usb-reads.patch b/queue-4.4/media-m920x-don-t-use-stack-on-usb-reads.patch new file mode 100644 index 00000000000..6cc7dd1fd97 --- /dev/null +++ b/queue-4.4/media-m920x-don-t-use-stack-on-usb-reads.patch 
@@ -0,0 +1,59 @@ +From 8284c92c12a5a2e9082fe588bd7260c9dfc00775 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Dec 2021 15:34:19 +0100 +Subject: media: m920x: don't use stack on USB reads + +From: Mauro Carvalho Chehab + +[ Upstream commit a2ab06d7c4d6bfd0b545a768247a70463e977e27 ] + +Using stack-allocated pointers for USB message data don't work. +This driver is almost OK with that, except for the I2C read +logic. + +Fix it by using a temporary read buffer, just like on all other +calls to m920x_read(). + +Link: https://lore.kernel.org/all/ccc99e48-de4f-045e-0fe4-61e3118e3f74@mida.se/ +Reported-by: rkardell@mida.se +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/m920x.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/m920x.c b/drivers/media/usb/dvb-usb/m920x.c +index eafc5c82467f4..5b806779e2106 100644 +--- a/drivers/media/usb/dvb-usb/m920x.c ++++ b/drivers/media/usb/dvb-usb/m920x.c +@@ -284,6 +284,13 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + /* Should check for ack here, if we knew how. */ + } + if (msg[i].flags & I2C_M_RD) { ++ char *read = kmalloc(1, GFP_KERNEL); ++ if (!read) { ++ ret = -ENOMEM; ++ kfree(read); ++ goto unlock; ++ } ++ + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? + * Send STOP, otherwise send ACK. */ +@@ -291,9 +298,12 @@ static int m920x_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int nu + + if ((ret = m920x_read(d->udev, M9206_I2C, 0x0, + 0x20 | stop, +- &msg[i].buf[j], 1)) != 0) ++ read, 1)) != 0) + goto unlock; ++ msg[i].buf[j] = read[0]; + } ++ ++ kfree(read); + } else { + for (j = 0; j < msg[i].len; j++) { + /* Last byte of transaction? Then send STOP. */ +-- +2.34.1 + 
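Review bot: The `goto unlock` inside the `for (j ...)` loop on an m920x_read() failure bypasses the `kfree(read)` placed after the loop, so every failed I2C read now leaks the buffer; change the failure branch to `if ((ret = m920x_read(...)) != 0) { kfree(read); goto unlock; }`. The `kfree(read)` inside `if (!read)` frees a NULL pointer and can be dropped. Allocating the byte once before the message loop and freeing it at `unlock:` would avoid a kmalloc per read message, but both ends of m920x_i2c_xfer() are outside the hunk. A comment on the allocation, `/* USB transfers need a heap buffer; stack memory is not usable here (see commit message) */`, would stop the next reader from "simplifying" it back to a stack variable.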
diff --git a/queue-4.4/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch b/queue-4.4/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch new file mode 100644 index 00000000000..7fd7b0cee11 --- /dev/null +++ b/queue-4.4/media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch 
@@ -0,0 +1,58 @@
+From ed533e6a6e3bca344c091d20e97fa5336bfb6651 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Oct 2021 13:23:48 +0200
+Subject: media: msi001: fix possible null-ptr-deref in msi001_probe()
+
+From: Wang Hai
+
+[ Upstream commit 3d5831a40d3464eea158180eb12cbd81c5edfb6a ]
+
+I got a null-ptr-deref report:
+
+BUG: kernel NULL pointer dereference, address: 0000000000000060
+...
+RIP: 0010:v4l2_ctrl_auto_cluster+0x57/0x270
+...
+Call Trace:
+ msi001_probe+0x13b/0x24b [msi001]
+ spi_probe+0xeb/0x130
+...
+ do_syscall_64+0x35/0xb0
+
+In msi001_probe(), if the creation of control for bandwidth_auto
+fails, there will be a null-ptr-deref issue when it is used in
+v4l2_ctrl_auto_cluster().
+
+Check dev->hdl.error before v4l2_ctrl_auto_cluster() to fix this bug.
+
+Link: https://lore.kernel.org/linux-media/20211026112348.2878040-1-wanghai38@huawei.com
+Fixes: 93203dd6c7c4 ("[media] msi001: Mirics MSi001 silicon tuner driver")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/tuners/msi001.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/drivers/media/tuners/msi001.c b/drivers/media/tuners/msi001.c
+index 3a12ef35682b5..64d98517f470f 100644
+--- a/drivers/media/tuners/msi001.c
++++ b/drivers/media/tuners/msi001.c
+@@ -464,6 +464,13 @@ static int msi001_probe(struct spi_device *spi)
+ V4L2_CID_RF_TUNER_BANDWIDTH_AUTO, 0, 1, 1, 1);
+ dev->bandwidth = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
+ V4L2_CID_RF_TUNER_BANDWIDTH, 200000, 8000000, 1, 200000);
++ if (dev->hdl.error) {
++ ret = dev->hdl.error;
++ dev_err(&spi->dev, "Could not initialize controls\n");
++ /* control init failed, free handler */
++ goto err_ctrl_handler_free;
++ }
++
+ v4l2_ctrl_auto_cluster(2, &dev->bandwidth_auto, 0, false);
+ dev->lna_gain = v4l2_ctrl_new_std(&dev->hdl, &msi001_ctrl_ops,
+ V4L2_CID_RF_TUNER_LNA_GAIN, 0, 1, 1, 1);
+--
+2.34.1
+
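Review bot: The comment `/* control init failed, free handler */` only restates the label it jumps to; what a reader needs is why the check has to sit exactly here: `v4l2_ctrl_auto_cluster()` on the next line dereferences `dev->bandwidth_auto`, which is NULL when its `v4l2_ctrl_new_std()` failed — the crash in the commit message. Suggest `/* bail out before v4l2_ctrl_auto_cluster() dereferences a NULL control */`. `ret` and the `err_ctrl_handler_free` label are outside the hunk, as is the later check that presumably covers the remaining controls.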
diff --git a/queue-4.4/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch b/queue-4.4/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch new file mode 100644 index 00000000000..19bc00adbb0 --- /dev/null +++ b/queue-4.4/media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch 
@@ -0,0 +1,74 @@ +From c765c4526b2556f77eade40304ea6509cf46f248 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Dec 2021 16:40:30 +0100 +Subject: media: saa7146: hexium_gemini: Fix a NULL pointer dereference in + hexium_attach() + +From: Zhou Qingyang + +[ Upstream commit 3af86b046933ba513d08399dba0d4d8b50d607d0 ] + +In hexium_attach(dev, info), saa7146_vv_init() is called to allocate +a new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of saa7146_register_device(). There is a dereference of +dev->vv_data in saa7146_vv_release(), which could lead to a NULL +pointer dereference on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_HEXIUM_GEMINI=m show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Link: https://lore.kernel.org/linux-media/20211203154030.111210-1-zhou1615@umn.edu +Signed-off-by: Zhou Qingyang +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/common/saa7146/saa7146_fops.c | 2 +- + drivers/media/pci/saa7146/hexium_gemini.c | 7 ++++++- + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/common/saa7146/saa7146_fops.c b/drivers/media/common/saa7146/saa7146_fops.c +index df1e8c975cd82..6d0a0b08853b4 100644 +--- a/drivers/media/common/saa7146/saa7146_fops.c ++++ b/drivers/media/common/saa7146/saa7146_fops.c +@@ -524,7 +524,7 @@ int saa7146_vv_init(struct saa7146_dev* dev, struct saa7146_ext_vv *ext_vv) + ERR("out of memory. aborting.\n"); + kfree(vv); + v4l2_ctrl_handler_free(hdl); +- return -1; ++ return -ENOMEM; + } + + saa7146_video_uops.init(dev,vv); +diff --git a/drivers/media/pci/saa7146/hexium_gemini.c b/drivers/media/pci/saa7146/hexium_gemini.c +index 343cd75fcd8d1..f09f311a316f5 100644 +--- a/drivers/media/pci/saa7146/hexium_gemini.c ++++ b/drivers/media/pci/saa7146/hexium_gemini.c +@@ -296,7 +296,12 @@ static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_d + hexium_set_input(hexium, 0); + hexium->cur_input = 0; + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ i2c_del_adapter(&hexium->i2c_adapter); ++ kfree(hexium); ++ return ret; ++ } + + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; +-- +2.34.1 + diff --git a/queue-4.4/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch b/queue-4.4/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch new file mode 100644 index 00000000000..caab1720290 --- /dev/null +++ b/queue-4.4/media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch 
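Review bot: In the new hexium_attach() error path, `kfree(hexium)` frees an object that, if it was allocated in this function and stored in `dev->ext_priv` before the hunk (the `kfree` suggests it was), leaves `dev->ext_priv` dangling for any saa7146 core code that reads it after a failed attach; either add `dev->ext_priv = NULL;` before `return ret;` or confirm the core never touches it on that path. The saa7146_fops hunk's switch from `-1` to `-ENOMEM` is the right companion change now that the value is propagated. hexium_attach() starts before the hunk.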
@@ -0,0 +1,74 @@ +From 06f1255be2047b6e1784f560d739a0d5ff4ab6bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 17:25:49 +0100 +Subject: media: saa7146: hexium_orion: Fix a NULL pointer dereference in + hexium_attach() + +From: Zhou Qingyang + +[ Upstream commit 348df8035301dd212e3cc2860efe4c86cb0d3303 ] + +In hexium_attach(dev, info), saa7146_vv_init() is called to allocate +a new memory for dev->vv_data. In hexium_detach(), saa7146_vv_release() +will be called and there is a dereference of dev->vv_data in +saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init() according to the following logic. + +Both hexium_attach() and hexium_detach() are callback functions of +the variable 'extension', so there exists a possible call chain directly +from hexium_attach() to hexium_detach(): + +hexium_attach(dev, info) -- fail to alloc memory to dev->vv_data + | in saa7146_vv_init(). + | + | +hexium_detach() -- a dereference of dev->vv_data in saa7146_vv_release() + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_HEXIUM_ORION=m show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7146/hexium_orion.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/hexium_orion.c b/drivers/media/pci/saa7146/hexium_orion.c +index 214396b1ca73c..2f3b4e01ff289 100644 +--- a/drivers/media/pci/saa7146/hexium_orion.c ++++ b/drivers/media/pci/saa7146/hexium_orion.c +@@ -366,10 +366,16 @@ static struct saa7146_ext_vv vv_data; + static int hexium_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct hexium *hexium = (struct hexium *) dev->ext_priv; ++ int ret; + + DEB_EE("\n"); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ pr_err("Error in saa7146_vv_init()\n"); ++ return ret; ++ } ++ + vv_data.vid_ops.vidioc_enum_input = vidioc_enum_input; + vv_data.vid_ops.vidioc_g_input = vidioc_g_input; + vv_data.vid_ops.vidioc_s_input = vidioc_s_input; +-- +2.34.1 + diff --git a/queue-4.4/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch b/queue-4.4/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch new file mode 100644 index 00000000000..174405d59a0 --- /dev/null +++ b/queue-4.4/media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch 
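Review bot: Unlike the hexium_gemini fix in this batch, this error path returns without undoing anything; that is correct only if `hexium` and its i2c adapter are set up in probe rather than here, which the `(struct hexium *) dev->ext_priv` cast at the top of the function suggests but does not prove. Once confirmed, a comment on the return, `return ret; /* hexium and its i2c adapter belong to hexium_probe(); nothing to undo here */`, would stop a reader from "harmonising" it with gemini. Including the code in the message, `pr_err("Error in saa7146_vv_init(): %d\n", ret);`, makes the failure diagnosable.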
@@ -0,0 +1,64 @@ +From 792fbe39459dac2cd5af65e7968fa0c263a51fe1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 30 Nov 2021 17:34:44 +0100 +Subject: media: saa7146: mxb: Fix a NULL pointer dereference in mxb_attach() + +From: Zhou Qingyang + +[ Upstream commit 0407c49ebe330333478440157c640fffd986f41b ] + +In mxb_attach(dev, info), saa7146_vv_init() is called to allocate a +new memory for dev->vv_data. saa7146_vv_release() will be called on +failure of mxb_probe(dev). There is a dereference of dev->vv_data +in saa7146_vv_release(), which could lead to a NULL pointer dereference +on failure of saa7146_vv_init(). + +Fix this bug by adding a check of saa7146_vv_init(). + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_VIDEO_MXB=m show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Fixes: 03b1930efd3c ("V4L/DVB: saa7146: fix regression of the av7110/budget-av driver") +Signed-off-by: Zhou Qingyang +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7146/mxb.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7146/mxb.c b/drivers/media/pci/saa7146/mxb.c +index 868af73c5536a..56691a79ef08f 100644 +--- a/drivers/media/pci/saa7146/mxb.c ++++ b/drivers/media/pci/saa7146/mxb.c +@@ -694,10 +694,16 @@ static struct saa7146_ext_vv vv_data; + static int mxb_attach(struct saa7146_dev *dev, struct saa7146_pci_extension_data *info) + { + struct mxb *mxb; ++ int ret; + + DEB_EE("dev:%p\n", dev); + +- saa7146_vv_init(dev, &vv_data); ++ ret = saa7146_vv_init(dev, &vv_data); ++ if (ret) { ++ ERR("Error in saa7146_vv_init()"); ++ return ret; ++ } ++ + if (mxb_probe(dev)) { + saa7146_vv_release(dev); + return -1; +-- +2.34.1 + diff --git a/queue-4.4/mips-bcm63xx-add-support-for-clk_set_parent.patch b/queue-4.4/mips-bcm63xx-add-support-for-clk_set_parent.patch new file mode 100644 index 00000000000..528bdb4d42c --- /dev/null +++ b/queue-4.4/mips-bcm63xx-add-support-for-clk_set_parent.patch 
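Review bot: The new `ERR("Error in saa7146_vv_init()")` has no trailing newline, whereas the other ERR() call visible in this batch ends with one (`ERR("out of memory. aborting.\n")` in the saa7146_fops hunk of the hexium_gemini patch), so the next printk may be appended to the same log line. Change it to `ERR("Error in saa7146_vv_init(): %d\n", ret);`, which also surfaces the error code being returned. mxb_attach() continues past the hunk.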
@@ -0,0 +1,48 @@
+From c7a1d4555206d007c47db9124938eb24975df6a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Dec 2021 16:05:53 -0800
+Subject: mips: bcm63xx: add support for clk_set_parent()
+
+From: Randy Dunlap
+
+[ Upstream commit 6f03055d508ff4feb8db02ba3df9303a1db8d381 ]
+
+The MIPS BMC63XX subarch does not provide/support clk_set_parent().
+This causes build errors in a few drivers, so add a simple implementation
+of that function so that callers of it will build without errors.
+
+Fixes these build errors:
+
+ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined!
+ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined!
+
+Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs." )
+Signed-off-by: Randy Dunlap
+Reviewed-by: Jonathan Cameron
+Acked-by: Florian Fainelli
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/bcm63xx/clk.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c
+index ef268c9aac80d..fe90c1c86a600 100644
+--- a/arch/mips/bcm63xx/clk.c
++++ b/arch/mips/bcm63xx/clk.c
+@@ -339,6 +339,12 @@ struct clk *clk_get_parent(struct clk *clk)
+ }
+ EXPORT_SYMBOL(clk_get_parent);
+
++int clk_set_parent(struct clk *clk, struct clk *parent)
++{
++ return 0;
++}
++EXPORT_SYMBOL(clk_set_parent);
++
+ unsigned long clk_get_rate(struct clk *clk)
+ {
+ return clk->rate;
+--
+2.34.1
+
diff --git a/queue-4.4/mips-lantiq-add-support-for-clk_set_parent.patch b/queue-4.4/mips-lantiq-add-support-for-clk_set_parent.patch
new file mode 100644
index 00000000000..528bdb4d42c
--- /dev/null
+++ b/queue-4.4/mips-lantiq-add-support-for-clk_set_parent.patch
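Review bot: clk_set_parent() returns 0 without looking at `clk` or `parent`, so every caller is told the reparenting succeeded when nothing was done; the identical stub is added to arch/mips/lantiq/clk.c in the next hunk and the same remark applies there. Returning an error would defeat the stated purpose of letting those drivers link, so the contract should at least be written down above the definition, e.g. `/* No clock parent muxing on this SoC: accept the request as a no-op. */`, so a later reader does not mistake the silent success for a working implementation.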
@@ -0,0 +1,48 @@ +From 7faf9668dfb3856f752928515203fb66e53329e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 16:03:45 -0800 +Subject: mips: lantiq: add support for clk_set_parent() + +From: Randy Dunlap + +[ Upstream commit 76f66dfd60dc5d2f9dec22d99091fea1035c5d03 ] + +Provide a simple implementation of clk_set_parent() in the lantiq +subarch so that callers of it will build without errors. + +Fixes these build errors: + +ERROR: modpost: "clk_set_parent" [sound/soc/jz4740/snd-soc-jz4740-i2s.ko] undefined! +ERROR: modpost: "clk_set_parent" [sound/soc/atmel/snd-soc-atmel-i2s.ko] undefined! + +Fixes: 171bb2f19ed6 ("MIPS: Lantiq: Add initial support for Lantiq SoCs") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +--to=linux-mips@vger.kernel.org --cc="John Crispin " --cc="Jonathan Cameron " --cc="Russell King " --cc="Andy Shevchenko " --cc=alsa-devel@alsa-project.org --to="Thomas Bogendoerfer " +Reviewed-by: Jonathan Cameron +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/clk.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/arch/mips/lantiq/clk.c b/arch/mips/lantiq/clk.c +index a0706fd4ce0a0..80bdcb26ef8a3 100644 +--- a/arch/mips/lantiq/clk.c ++++ b/arch/mips/lantiq/clk.c +@@ -165,6 +165,12 @@ struct clk *of_clk_get_from_provider(struct of_phandle_args *clkspec) + return NULL; + } + ++int clk_set_parent(struct clk *clk, struct clk *parent) ++{ ++ return 0; ++} ++EXPORT_SYMBOL(clk_set_parent); ++ + static inline u32 get_counter_resolution(void) + { + u32 res; +-- +2.34.1 + diff --git a/queue-4.4/mips-octeon-fix-build-errors-using-clang.patch b/queue-4.4/mips-octeon-fix-build-errors-using-clang.patch new file mode 100644 index 00000000000..c41032074f3 --- /dev/null +++ b/queue-4.4/mips-octeon-fix-build-errors-using-clang.patch 
@@ -0,0 +1,62 @@ +From 3c8d3608baffdc4931c7cdd78587a6f5b086d01f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Dec 2021 17:50:14 +0800 +Subject: MIPS: Octeon: Fix build errors using clang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Tianjia Zhang + +[ Upstream commit 95339b70677dc6f9a2d669c4716058e71b8dc1c7 ] + +A large number of the following errors is reported when compiling +with clang: + + cvmx-bootinfo.h:326:3: error: adding 'int' to a string does not append to the string [-Werror,-Wstring-plus-int] + ENUM_BRD_TYPE_CASE(CVMX_BOARD_TYPE_NULL) + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' + case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ + ~~~^~~~ + cvmx-bootinfo.h:326:3: note: use array indexing to silence this warning + cvmx-bootinfo.h:321:20: note: expanded from macro 'ENUM_BRD_TYPE_CASE' + case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ + ^ + +Follow the prompts to use the address operator '&' to fix this error. 
+ +Signed-off-by: Tianjia Zhang +Reviewed-by: Nathan Chancellor +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/octeon/cvmx-bootinfo.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/include/asm/octeon/cvmx-bootinfo.h b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +index d92cf59bdae63..bc414657601c4 100644 +--- a/arch/mips/include/asm/octeon/cvmx-bootinfo.h ++++ b/arch/mips/include/asm/octeon/cvmx-bootinfo.h +@@ -303,7 +303,7 @@ enum cvmx_chip_types_enum { + + /* Functions to return string based on type */ + #define ENUM_BRD_TYPE_CASE(x) \ +- case x: return(#x + 16); /* Skip CVMX_BOARD_TYPE_ */ ++ case x: return (&#x[16]); /* Skip CVMX_BOARD_TYPE_ */ + static inline const char *cvmx_board_type_to_string(enum + cvmx_board_types_enum type) + { +@@ -392,7 +392,7 @@ static inline const char *cvmx_board_type_to_string(enum + } + + #define ENUM_CHIP_TYPE_CASE(x) \ +- case x: return(#x + 15); /* Skip CVMX_CHIP_TYPE */ ++ case x: return (&#x[15]); /* Skip CVMX_CHIP_TYPE */ + static inline const char *cvmx_chip_type_to_string(enum + cvmx_chip_types_enum type) + { +-- +2.34.1 + diff --git a/queue-4.4/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch b/queue-4.4/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch new file mode 100644 index 00000000000..c27e39b5e57 --- /dev/null +++ b/queue-4.4/misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch 
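Review bot: The indices in `return (&#x[16]);` and `return (&#x[15]);` are the lengths of the `CVMX_BOARD_TYPE_` and `CVMX_CHIP_TYPE_` prefixes written as magic numbers, and the second comment, `/* Skip CVMX_CHIP_TYPE */`, omits the trailing underscore that index 15 actually skips. Deriving the index from the prefix keeps the two in step if an enumerator family is ever renamed: `case x: return (&#x[sizeof("CVMX_BOARD_TYPE_") - 1]);` and `case x: return (&#x[sizeof("CVMX_CHIP_TYPE_") - 1]);`. Both cvmx_board_type_to_string() and cvmx_chip_type_to_string() continue outside their hunks.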
@@ -0,0 +1,95 @@ +From 015d90ff6108eba15181aa2c9617525be26ce354 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Dec 2021 12:55:22 +0000 +Subject: misc: lattice-ecp3-config: Fix task hung when firmware load failed + +From: Wei Yongjun + +[ Upstream commit fcee5ce50bdb21116711e38635e3865594af907e ] + +When firmware load failed, kernel report task hung as follows: + +INFO: task xrun:5191 blocked for more than 147 seconds. + Tainted: G W 5.16.0-rc5-next-20211220+ #11 +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +task:xrun state:D stack: 0 pid: 5191 ppid: 270 flags:0x00000004 +Call Trace: + __schedule+0xc12/0x4b50 kernel/sched/core.c:4986 + schedule+0xd7/0x260 kernel/sched/core.c:6369 (discriminator 1) + schedule_timeout+0x7aa/0xa80 kernel/time/timer.c:1857 + wait_for_completion+0x181/0x290 kernel/sched/completion.c:85 + lattice_ecp3_remove+0x32/0x40 drivers/misc/lattice-ecp3-config.c:221 + spi_remove+0x72/0xb0 drivers/spi/spi.c:409 + +lattice_ecp3_remove() wait for signals from firmware loading, but when +load failed, firmware_load() does not send this signal. This cause +device remove hung. Fix it by sending signal even if load failed. 
+ +Fixes: 781551df57c7 ("misc: Add Lattice ECP3 FPGA configuration via SPI") +Reported-by: Hulk Robot +Signed-off-by: Wei Yongjun +Link: https://lore.kernel.org/r/20211228125522.3122284-1-weiyongjun1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/lattice-ecp3-config.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/misc/lattice-ecp3-config.c b/drivers/misc/lattice-ecp3-config.c +index 626fdcaf25101..645d26536114f 100644 +--- a/drivers/misc/lattice-ecp3-config.c ++++ b/drivers/misc/lattice-ecp3-config.c +@@ -81,12 +81,12 @@ static void firmware_load(const struct firmware *fw, void *context) + + if (fw == NULL) { + dev_err(&spi->dev, "Cannot load firmware, aborting\n"); +- return; ++ goto out; + } + + if (fw->size == 0) { + dev_err(&spi->dev, "Error: Firmware size is 0!\n"); +- return; ++ goto out; + } + + /* Fill dummy data (24 stuffing bits for commands) */ +@@ -108,7 +108,7 @@ static void firmware_load(const struct firmware *fw, void *context) + dev_err(&spi->dev, + "Error: No supported FPGA detected (JEDEC_ID=%08x)!\n", + jedec_id); +- return; ++ goto out; + } + + dev_info(&spi->dev, "FPGA %s detected\n", ecp3_dev[i].name); +@@ -121,7 +121,7 @@ static void firmware_load(const struct firmware *fw, void *context) + buffer = kzalloc(fw->size + 8, GFP_KERNEL); + if (!buffer) { + dev_err(&spi->dev, "Error: Can't allocate memory!\n"); +- return; ++ goto out; + } + + /* +@@ -160,7 +160,7 @@ static void firmware_load(const struct firmware *fw, void *context) + "Error: Timeout waiting for FPGA to clear (status=%08x)!\n", + status); + kfree(buffer); +- return; ++ goto out; + } + + dev_info(&spi->dev, "Configuring the FPGA...\n"); +@@ -186,7 +186,7 @@ static void firmware_load(const struct firmware *fw, void *context) + release_firmware(fw); + + kfree(buffer); +- ++out: + complete(&data->fw_loaded); + } + +-- +2.34.1 + 
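Review bot: Every error path that now jumps to `out:` bypasses the `release_firmware(fw);` call that sits just above the label, so a non-NULL `fw` with zero size, an unrecognised JEDEC id, a failed allocation or a status timeout still leaks the firmware blob; the commit fixes the missing completion but leaves this in place. release_firmware() accepts a NULL pointer, so moving the call below the label also covers the `fw == NULL` path: `out:`, `release_firmware(fw);`, `complete(&data->fw_loaded);`, with the call before `kfree(buffer)` removed. firmware_load() starts before the first hunk.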
diff --git a/queue-4.4/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch b/queue-4.4/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch new file mode 100644 index 00000000000..11e1310afe2 --- /dev/null +++ b/queue-4.4/mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch 
@@ -0,0 +1,68 @@ +From e3f719c2a662b177cc2b23b613f42306dc00b5d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 30 Oct 2021 22:42:50 -0400 +Subject: mwifiex: Fix skb_over_panic in mwifiex_usb_recv() + +From: Zekun Shen + +[ Upstream commit 04d80663f67ccef893061b49ec8a42ff7045ae84 ] + +Currently, with an unknown recv_type, mwifiex_usb_recv +just return -1 without restoring the skb. Next time +mwifiex_usb_rx_complete is invoked with the same skb, +calling skb_put causes skb_over_panic. + +The bug is triggerable with a compromised/malfunctioning +usb device. After applying the patch, skb_over_panic +no longer shows up with the same input. + +Attached is the panic report from fuzzing. +skbuff: skb_over_panic: text:000000003bf1b5fa + len:2048 put:4 head:00000000dd6a115b data:000000000a9445d8 + tail:0x844 end:0x840 dev: +kernel BUG at net/core/skbuff.c:109! +invalid opcode: 0000 [#1] SMP KASAN NOPTI +CPU: 0 PID: 198 Comm: in:imklog Not tainted 5.6.0 #60 +RIP: 0010:skb_panic+0x15f/0x161 +Call Trace: + + ? mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] + skb_put.cold+0x24/0x24 + mwifiex_usb_rx_complete+0x26b/0xfcd [mwifiex_usb] + __usb_hcd_giveback_urb+0x1e4/0x380 + usb_giveback_urb_bh+0x241/0x4f0 + ? __hrtimer_run_queues+0x316/0x740 + ? 
__usb_hcd_giveback_urb+0x380/0x380 + tasklet_action_common.isra.0+0x135/0x330 + __do_softirq+0x18c/0x634 + irq_exit+0x114/0x140 + smp_apic_timer_interrupt+0xde/0x380 + apic_timer_interrupt+0xf/0x20 + + +Reported-by: Brendan Dolan-Gavitt +Signed-off-by: Zekun Shen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/YX4CqjfRcTa6bVL+@Zekuns-MBP-16.fios-router.home +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mwifiex/usb.c b/drivers/net/wireless/mwifiex/usb.c +index 1be7b219cb202..4cdf6450aeedd 100644 +--- a/drivers/net/wireless/mwifiex/usb.c ++++ b/drivers/net/wireless/mwifiex/usb.c +@@ -132,7 +132,8 @@ static int mwifiex_usb_recv(struct mwifiex_adapter *adapter, + default: + mwifiex_dbg(adapter, ERROR, + "unknown recv_type %#x\n", recv_type); +- return -1; ++ ret = -1; ++ goto exit_restore_skb; + } + break; + case MWIFIEX_USB_EP_DATA: +-- +2.34.1 + diff --git a/queue-4.4/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch b/queue-4.4/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch new file mode 100644 index 00000000000..5cf4ae6232a --- /dev/null +++ b/queue-4.4/net-bonding-debug-avoid-printing-debug-logs-when-bon.patch 
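Review bot: The new failure path sets `ret = -1;` before jumping to `exit_restore_skb`, a bare sentinel rather than an errno value, which is what a reader of the caller will expect from a kernel function returning int; if callers only test for non-zero this is a style point, but `ret = -EINVAL;` would match the convention and cost nothing. The `exit_restore_skb` label and the rest of mwifiex_usb_recv() are outside the hunk, so whether other paths already use errno values cannot be confirmed from here.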
@@ -0,0 +1,69 @@ +From 861f6b91f6084ef0ce5410a94e566685e6523e3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 13 Dec 2021 11:17:09 +0530 +Subject: net: bonding: debug: avoid printing debug logs when bond is not + notifying peers + +From: Suresh Kumar + +[ Upstream commit fee32de284ac277ba434a2d59f8ce46528ff3946 ] + +Currently "bond_should_notify_peers: slave ..." messages are printed whenever +"bond_should_notify_peers" function is called. + ++++ +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Received LACPDU on port 1 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): Rx Machine: Port=1, Last State=6, Curr State=6 +Dec 12 12:33:26 node1 kernel: bond0: (slave enp0s25): partner sync=1 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:26 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +... +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Received LACPDU on port 2 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): Rx Machine: Port=2, Last State=6, Curr State=6 +Dec 12 12:33:30 node1 kernel: bond0: (slave enp4s3): partner sync=1 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 +Dec 12 12:33:30 node1 kernel: bond0: bond_should_notify_peers: slave enp0s25 ++++ + +This is confusing and can also clutter up debug logs. +Print logs only when the peer notification happens. + +Signed-off-by: Suresh Kumar +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index d6363ae220526..bbf18d6e4f677 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -785,14 +785,14 @@ static bool bond_should_notify_peers(struct bonding *bond) + slave = rcu_dereference(bond->curr_active_slave); + rcu_read_unlock(); + +- netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", +- slave ? slave->dev->name : "NULL"); +- + if (!slave || !bond->send_peer_notif || + !netif_carrier_ok(bond->dev) || + test_bit(__LINK_STATE_LINKWATCH_PENDING, &slave->dev->state)) + return false; + ++ netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", ++ slave ? slave->dev->name : "NULL"); ++ + return true; + } + +-- +2.34.1 + diff --git a/queue-4.4/net-mcs7830-handle-usb-read-errors-properly.patch b/queue-4.4/net-mcs7830-handle-usb-read-errors-properly.patch new file mode 100644 index 00000000000..64a82a0f41d --- /dev/null +++ b/queue-4.4/net-mcs7830-handle-usb-read-errors-properly.patch 
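Review bot: After the move, the `slave ? slave->dev->name : "NULL"` ternary in the netdev_dbg() call is dead: the `if (!slave || ...) return false;` directly above guarantees `slave` is non-NULL, so the fallback string can never be printed. `netdev_dbg(bond->dev, "bond_should_notify_peers: slave %s\n", slave->dev->name);` says the same thing in one line. The dereference of `slave` after rcu_read_unlock() is unchanged by the move and already present in the condition above; it is worth confirming separately that the caller holds RTNL or an equivalent guarantee.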
@@ -0,0 +1,56 @@
+From 19ed3b7b2af96b8f8d8e33d1172369a5411e085f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 7 Jan 2022 01:57:16 +0300
+Subject: net: mcs7830: handle usb read errors properly
+
+From: Pavel Skripkin
+
+[ Upstream commit d668769eb9c52b150753f1653f7f5a0aeb8239d2 ]
+
+Syzbot reported uninit value in mcs7830_bind(). The problem was in
+missing validation check for bytes read via usbnet_read_cmd().
+
+usbnet_read_cmd() internally calls usb_control_msg(), that returns
+number of bytes read. Code should validate that requested number of bytes
+was actually read.
+
+So, this patch adds missing size validation check inside
+mcs7830_get_reg() to prevent uninit value bugs
+
+Reported-and-tested-by: syzbot+003c0a286b9af5412510@syzkaller.appspotmail.com
+Fixes: 2a36d7083438 ("USB: driver for mcs7830 (aka DeLOCK) USB ethernet adapter")
+Signed-off-by: Pavel Skripkin
+Reviewed-by: Arnd Bergmann
+Link: https://lore.kernel.org/r/20220106225716.7425-1-paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/mcs7830.c | 12 ++++++++++--
+ 1 file changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/mcs7830.c b/drivers/net/usb/mcs7830.c
+index 4f345bd4e6e29..95151b46f2001 100644
+--- a/drivers/net/usb/mcs7830.c
++++ b/drivers/net/usb/mcs7830.c
+@@ -121,8 +121,16 @@ static const char driver_name[] = "MOSCHIP usb-ethernet driver";
+
+ static int mcs7830_get_reg(struct usbnet *dev, u16 index, u16 size, void *data)
+ {
+- return usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
+- 0x0000, index, data, size);
++ int ret;
++
++ ret = usbnet_read_cmd(dev, MCS7830_RD_BREQ, MCS7830_RD_BMREQ,
++ 0x0000, index, data, size);
++ if (ret < 0)
++ return ret;
++ else if (ret < size)
++ return -ENODATA;
++
++ return ret;
+ }
+
+ static int mcs7830_set_reg(struct usbnet *dev, u16 index, u16 size, const void *data)
+--
+2.34.1
+
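Review bot: The `else` in `else if (ret < size)` is redundant because the branch before it returns; two independent guards, `if (ret < 0) return ret;` and `if (ret < size) return -ENODATA;`, read more plainly. The reason a short transfer is rejected is only in the commit message, so a comment on the second guard would help the next reader, e.g. `/* a short transfer leaves part of *data uninitialised; treat it as an error */`. The int-vs-u16 comparison is fine after promotion since `ret` is already known to be non-negative at that point.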
diff --git a/queue-4.4/net-mdio-demote-probed-message-to-debug-print.patch b/queue-4.4/net-mdio-demote-probed-message-to-debug-print.patch
new file mode 100644
index 00000000000..06e10a01ef7
--- /dev/null
+++ b/queue-4.4/net-mdio-demote-probed-message-to-debug-print.patch
@@ -0,0 +1,40 @@
+From 3602d712f4bf667c1de9ab49b3168187f006c09d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 3 Jan 2022 11:40:24 -0800
+Subject: net: mdio: Demote probed message to debug print
+
+From: Florian Fainelli
+
+[ Upstream commit 7590fc6f80ac2cbf23e6b42b668bbeded070850b ]
+
+On systems with large numbers of MDIO bus/muxes the message indicating
+that a given MDIO bus has been successfully probed is repeated for as
+many buses we have, which can eat up substantial boot time for no
+reason, demote to a debug print.
+
+Reported-by: Maxime Bizon
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Link: https://lore.kernel.org/r/20220103194024.2620-1-f.fainelli@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/mdio_bus.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/phy/mdio_bus.c b/drivers/net/phy/mdio_bus.c
+index 4066fb5a935a7..2fb95cca33183 100644
+--- a/drivers/net/phy/mdio_bus.c
++++ b/drivers/net/phy/mdio_bus.c
+@@ -295,7 +295,7 @@ int __mdiobus_register(struct mii_bus *bus, struct module *owner)
+ }
+
+ bus->state = MDIOBUS_REGISTERED;
+- pr_info("%s: probed\n", bus->name);
++ dev_dbg(&bus->dev, "probed\n");
+ return 0;
+
+ error:
+--
+2.34.1
+
diff --git a/queue-4.4/netfilter-bridge-add-support-for-pppoe-filtering.patch b/queue-4.4/netfilter-bridge-add-support-for-pppoe-filtering.patch
new file mode 100644
index 00000000000..c8c8110e0dd
--- /dev/null
+++ b/queue-4.4/netfilter-bridge-add-support-for-pppoe-filtering.patch
@@ -0,0 +1,77 @@ +From a5900ac5793640df9a3054b8ae90510542dc81ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Nov 2021 12:50:31 +0100 +Subject: netfilter: bridge: add support for pppoe filtering + +From: Florian Westphal + +[ Upstream commit 28b78ecffea8078d81466b2e01bb5a154509f1ba ] + +This makes 'bridge-nf-filter-pppoe-tagged' sysctl work for +bridged traffic. + +Looking at the original commit it doesn't appear this ever worked: + + static unsigned int br_nf_post_routing(unsigned int hook, struct sk_buff **pskb, +[..] + if (skb->protocol == htons(ETH_P_8021Q)) { + skb_pull(skb, VLAN_HLEN); + skb->network_header += VLAN_HLEN; ++ } else if (skb->protocol == htons(ETH_P_PPP_SES)) { ++ skb_pull(skb, PPPOE_SES_HLEN); ++ skb->network_header += PPPOE_SES_HLEN; + } + [..] + NF_HOOK(... POST_ROUTING, ...) + +... but the adjusted offsets are never restored. + +The alternative would be to rip this code out for good, +but otoh we'd have to keep this anyway for the vlan handling +(which works because vlan tag info is in the skb, not the packet + payload). 
+ +Reported-and-tested-by: Amish Chana +Fixes: 516299d2f5b6f97 ("[NETFILTER]: bridge-nf: filter bridged IPv4/IPv6 encapsulated in pppoe traffic") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/bridge/br_netfilter_hooks.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c +index 24eea13035557..f580dbaac5a94 100644 +--- a/net/bridge/br_netfilter_hooks.c ++++ b/net/bridge/br_netfilter_hooks.c +@@ -719,6 +719,9 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + if (nf_bridge->frag_max_size && nf_bridge->frag_max_size < mtu) + mtu = nf_bridge->frag_max_size; + ++ nf_bridge_update_protocol(skb); ++ nf_bridge_push_encap_header(skb); ++ + if (skb_is_gso(skb) || skb->len + mtu_reserved <= mtu) { + nf_bridge_info_free(skb); + return br_dev_queue_push_xmit(net, sk, skb); +@@ -736,8 +739,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IPCB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + + data->vlan_tci = skb->vlan_tci; +@@ -760,8 +761,6 @@ static int br_nf_dev_queue_xmit(struct net *net, struct sock *sk, struct sk_buff + + IP6CB(skb)->frag_max_size = nf_bridge->frag_max_size; + +- nf_bridge_update_protocol(skb); +- + data = this_cpu_ptr(&brnf_frag_data_storage); + data->encap_size = nf_bridge_encap_header_len(skb); + data->size = ETH_HLEN + data->encap_size; +-- +2.34.1 + diff --git a/queue-4.4/parisc-avoid-calling-faulthandler_disabled-twice.patch b/queue-4.4/parisc-avoid-calling-faulthandler_disabled-twice.patch new file mode 100644 index 00000000000..509fe788c19 --- /dev/null +++ b/queue-4.4/parisc-avoid-calling-faulthandler_disabled-twice.patch 
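Review bot: nf_bridge_push_encap_header() now runs before the `skb->len + mtu_reserved <= mtu` test, so skb->len already includes the VLAN or PPPoE header when the comparison is made; if `mtu_reserved`, computed at the top of br_nf_dev_queue_xmit() outside the hunk, also accounts for that encapsulation, the header is counted twice and packets within that many bytes of the MTU could be sent to the fragmentation path unnecessarily. Worth confirming against how mtu_reserved is derived, and recording the intended accounting above the test with a comment such as `/* skb->len includes the encap header pushed above */`. The function starts before the first hunk.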
@@ -0,0 +1,53 @@ +From eb6c94f5d297d48bf08668372ff5637f3ff6b08e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 16:52:26 +0000 +Subject: parisc: Avoid calling faulthandler_disabled() twice + +From: John David Anglin + +[ Upstream commit 9e9d4b460f23bab61672eae397417d03917d116c ] + +In handle_interruption(), we call faulthandler_disabled() to check whether the +fault handler is not disabled. If the fault handler is disabled, we immediately +call do_page_fault(). It then calls faulthandler_disabled(). If disabled, +do_page_fault() attempts to fixup the exception by jumping to no_context: + +no_context: + + if (!user_mode(regs) && fixup_exception(regs)) { + return; + } + + parisc_terminate("Bad Address (null pointer deref?)", regs, code, address); + +Apart from the error messages, the two blocks of code perform the same +function. + +We can avoid two calls to faulthandler_disabled() by a simple revision +to the code in handle_interruption(). + +Note: I didn't try to fix the formatting of this code block. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/traps.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/parisc/kernel/traps.c b/arch/parisc/kernel/traps.c +index 6f61a17e2485a..55e7ba06511df 100644 +--- a/arch/parisc/kernel/traps.c ++++ b/arch/parisc/kernel/traps.c +@@ -796,7 +796,7 @@ void notrace handle_interruption(int code, struct pt_regs *regs) + * unless pagefault_disable() was called before. + */ + +- if (fault_space == 0 && !faulthandler_disabled()) ++ if (faulthandler_disabled() || fault_space == 0) + { + /* Clean up and return if in exception table. */ + if (fixup_exception(regs)) +-- +2.34.1 + diff --git a/queue-4.4/pcmcia-fix-setting-of-kthread-task-states.patch b/queue-4.4/pcmcia-fix-setting-of-kthread-task-states.patch new file mode 100644 index 00000000000..c14b21506d6 --- /dev/null 
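Review bot: The rewritten condition `if (faulthandler_disabled() || fault_space == 0)` changes which faults take the exception-table fixup branch (a disabled fault handler now does so regardless of fault_space), but the comment block ending two lines above with `* unless pagefault_disable() was called before.` appears to describe the old `fault_space == 0 && !faulthandler_disabled()` rule. That comment, which starts outside the hunk, should be updated to say the fixup path is taken when the fault handler is disabled or the fault space is zero, matching the commit message's reasoning. handle_interruption() continues outside the hunk on both sides.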
+++ b/queue-4.4/pcmcia-fix-setting-of-kthread-task-states.patch @@ -0,0 +1,55 @@ +From d30446bfe12ff1d491480787ce99ae7f7c7e2d49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Jan 2022 10:02:51 +0100 +Subject: pcmcia: fix setting of kthread task states + +From: Dominik Brodowski + +[ Upstream commit fbb3485f1f931102d8ba606f1c28123f5b48afa3 ] + +We need to set TASK_INTERRUPTIBLE before calling kthread_should_stop(). +Otherwise, kthread_stop() might see that the pccardd thread is still +in TASK_RUNNING state and fail to wake it up. + +Additionally, we only need to set the state back to TASK_RUNNING if +kthread_should_stop() breaks the loop. + +Cc: Greg Kroah-Hartman +Reported-by: Al Viro +Reviewed-by: Matthew Wilcox (Oracle) +Fixes: d3046ba809ce ("pcmcia: fix a boot time warning in pcmcia cs code") +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/cs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index c3b615c94b4bf..a92cbc952b70b 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -665,18 +665,16 @@ static int pccardd(void *__skt) + if (events || sysfs_events) + continue; + ++ set_current_state(TASK_INTERRUPTIBLE); + if (kthread_should_stop()) + break; + +- set_current_state(TASK_INTERRUPTIBLE); +- + schedule(); + +- /* make sure we are running */ +- __set_current_state(TASK_RUNNING); +- + try_to_freeze(); + } ++ /* make sure we are running before we exit */ ++ __set_current_state(TASK_RUNNING); + + /* shut down socket, if a device is still present */ + if (skt->state & SOCKET_PRESENT) { +-- +2.34.1 + diff --git a/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch b/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch new file mode 100644 index 00000000000..b07e13611a6 --- /dev/null +++ b/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch 
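Review bot: set_current_state(TASK_INTERRUPTIBLE) is now correctly ahead of kthread_should_stop(), but it still follows the `if (events || sysfs_events) continue;` test, so a wake_up_process() from an event producer that lands between that test and the state change is overwritten by the TASK_INTERRUPTIBLE store and schedule() sleeps until the next wakeup. If the loop top, which is outside the hunk, samples the event counters without the state already set, the usual remedy is to set TASK_INTERRUPTIBLE before sampling them and add `__set_current_state(TASK_RUNNING);` on the `continue` path; worth confirming against the start of pccardd(). The trailing `__set_current_state(TASK_RUNNING);` after the loop is right for the break path.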
@@ -0,0 +1,56 @@ +From 6ff0a0707f26186f96ab5cc739875862f45b2c5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 00:59:23 +0800 +Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + __nonstatic_find_io_region() + +From: Zhou Qingyang + +[ Upstream commit ca0fe0d7c35c97528bdf621fdca75f13157c27af ] + +In __nonstatic_find_io_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There is a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. 
+ +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +[linux@dominikbrodowski.net: Fix typo in commit message] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 5ef7b46a25786..4d244014f423f 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -693,6 +693,9 @@ static struct resource *__nonstatic_find_io_region(struct pcmcia_socket *s, + unsigned long min = base; + int ret; + ++ if (!res) ++ return NULL; ++ + data.mask = align - 1; + data.offset = base & data.mask; + data.map = &s_data->io_db; +-- +2.34.1 + diff --git a/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-25366 b/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-25366 new file mode 100644 index 00000000000..b81847cc990 --- /dev/null +++ b/queue-4.4/pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-25366 
@@ -0,0 +1,55 @@ +From 8b9a6621e120e3898bd94db260b79dc58687a8f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Dec 2021 02:11:40 +0800 +Subject: pcmcia: rsrc_nonstatic: Fix a NULL pointer dereference in + nonstatic_find_mem_region() + +From: Zhou Qingyang + +[ Upstream commit 977d2e7c63c3d04d07ba340b39987742e3241554 ] + +In nonstatic_find_mem_region(), pcmcia_make_resource() is assigned to +res and used in pci_bus_alloc_resource(). There a dereference of res +in pci_bus_alloc_resource(), which could lead to a NULL pointer +dereference on failure of pcmcia_make_resource(). + +Fix this bug by adding a check of res. + +This bug was found by a static analyzer. The analysis employs +differential checking to identify inconsistent security operations +(e.g., checks or kfrees) between two code paths and confirms that the +inconsistent operations are not recovered in the current function or +the callers, so they constitute bugs. + +Note that, as a bug found by static analysis, it can be a false +positive or hard to trigger. Multiple researchers have cross-reviewed +the bug. + +Builds with CONFIG_PCCARD_NONSTATIC=y show no new warnings, +and our static analyzer no longer warns about this code. + +Fixes: 49b1153adfe1 ("pcmcia: move all pcmcia_resource_ops providers into one module") +Signed-off-by: Zhou Qingyang +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/rsrc_nonstatic.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/pcmcia/rsrc_nonstatic.c b/drivers/pcmcia/rsrc_nonstatic.c +index 4d244014f423f..2e96d9273b780 100644 +--- a/drivers/pcmcia/rsrc_nonstatic.c ++++ b/drivers/pcmcia/rsrc_nonstatic.c +@@ -815,6 +815,9 @@ static struct resource *nonstatic_find_mem_region(u_long base, u_long num, + unsigned long min, max; + int ret, i, j; + ++ if (!res) ++ return NULL; ++ + low = low || !(s->features & SS_CAP_PAGE_REGS); + + data.mask = align - 1; +-- +2.34.1 + 
diff --git a/queue-4.4/power-bq25890-enable-continuous-conversion-for-adc-a.patch b/queue-4.4/power-bq25890-enable-continuous-conversion-for-adc-a.patch
new file mode 100644
index 00000000000..3b40463dee2
--- /dev/null
+++ b/queue-4.4/power-bq25890-enable-continuous-conversion-for-adc-a.patch
@@ -0,0 +1,43 @@
+From 51c5062a1b6dd5d86028be8a80b88aff0f811a21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 7 Nov 2021 23:20:01 +0300
+Subject: power: bq25890: Enable continuous conversion for ADC at charging
+
+From: Yauhen Kharuzhy
+
+[ Upstream commit 80211be1b9dec04cc2805d3d81e2091ecac289a1 ]
+
+Instead of one shot run of ADC at beginning of charging, run continuous
+conversion to ensure that all charging-related values are monitored
+properly (input voltage, input current, themperature etc.).
+
+Signed-off-by: Yauhen Kharuzhy
+Reviewed-by: Hans de Goede
+Signed-off-by: Sebastian Reichel
+Signed-off-by: Sasha Levin
+---
+ drivers/power/bq25890_charger.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/power/bq25890_charger.c b/drivers/power/bq25890_charger.c
+index f993a55cde20f..faf2a62435674 100644
+--- a/drivers/power/bq25890_charger.c
++++ b/drivers/power/bq25890_charger.c
+@@ -521,12 +521,12 @@ static void bq25890_handle_state_change(struct bq25890_device *bq,
+
+ if (!new_state->online) { /* power removed */
+ /* disable ADC */
+- ret = bq25890_field_write(bq, F_CONV_START, 0);
++ ret = bq25890_field_write(bq, F_CONV_RATE, 0);
+ if (ret < 0)
+ goto error;
+ } else if (!old_state.online) { /* power inserted */
+ /* enable ADC, to have control of charge current/voltage */
+- ret = bq25890_field_write(bq, F_CONV_START, 1);
++ ret = bq25890_field_write(bq, F_CONV_RATE, 1);
+ if (ret < 0)
+ goto error;
+ }
+--
+2.34.1
+
diff --git a/queue-4.4/powerpc-6xx-add-missing-of_node_put.patch b/queue-4.4/powerpc-6xx-add-missing-of_node_put.patch
new file mode 100644
index 00000000000..b0ebffb5229
--- /dev/null
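Review bot: The comments `/* disable ADC */` and `/* enable ADC, to have control of charge current/voltage */` still describe the old one-shot F_CONV_START write, while the new code toggles F_CONV_RATE, which per the commit message selects continuous conversion. Updating them, e.g. `/* stop continuous ADC conversion */` and `/* enable continuous ADC conversion, to have control of charge current/voltage */`, spares the next reader a search for a conversion start that no longer happens. bq25890_handle_state_change() continues outside the hunk.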
+++ b/queue-4.4/powerpc-6xx-add-missing-of_node_put.patch @@ -0,0 +1,64 @@ +From 2d2ceaa49cf7c6177570bc589f4654a262bbada1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:19 +0000 +Subject: powerpc/6xx: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit f6e82647ff71d427d4148964b71f239fba9d7937 ] + +for_each_compatible_node performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +expression e; +local idexpression n; +@@ + +@@ +local idexpression n; +expression e; +@@ + + for_each_compatible_node(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-2-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/embedded6xx/hlwd-pic.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +index 9485f1024d46c..b3bcdce89c3bb 100644 +--- a/arch/powerpc/platforms/embedded6xx/hlwd-pic.c ++++ b/arch/powerpc/platforms/embedded6xx/hlwd-pic.c +@@ -220,6 +220,7 @@ void hlwd_pic_probe(void) + irq_set_chained_handler(cascade_virq, + hlwd_pic_irq_cascade); + hlwd_irq_host = host; ++ of_node_put(np); + break; + } + } +-- +2.34.1 + diff --git a/queue-4.4/powerpc-btext-add-missing-of_node_put.patch b/queue-4.4/powerpc-btext-add-missing-of_node_put.patch new file mode 100644 index 00000000000..e9b28e4d991 --- /dev/null +++ b/queue-4.4/powerpc-btext-add-missing-of_node_put.patch 
@@ -0,0 +1,63 @@ +From 6b5a144ab8b0c509cf8385e5089bedf09e831b63 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:23 +0000 +Subject: powerpc/btext: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit a1d2b210ffa52d60acabbf7b6af3ef7e1e69cda0 ] + +for_each_node_by_type performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +local idexpression n; +expression e; +@@ + + for_each_node_by_type(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-6-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/btext.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/btext.c b/arch/powerpc/kernel/btext.c +index 41c011cb60706..8d05ef26dea9d 100644 +--- a/arch/powerpc/kernel/btext.c ++++ b/arch/powerpc/kernel/btext.c +@@ -257,8 +257,10 @@ int __init btext_find_display(int allow_nonstdout) + rc = btext_initialize(np); + printk("result: %d\n", rc); + } +- if (rc == 0) ++ if (rc == 0) { ++ of_node_put(np); + break; ++ } + } + return rc; + } +-- +2.34.1 + diff --git a/queue-4.4/powerpc-cell-add-missing-of_node_put.patch b/queue-4.4/powerpc-cell-add-missing-of_node_put.patch new file mode 100644 index 00000000000..53893c36df8 --- /dev/null +++ b/queue-4.4/powerpc-cell-add-missing-of_node_put.patch 
@@ -0,0 +1,57 @@ +From 2ed16c1e8ef7c611354142c57ee17b2d0975fdbb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 21:33:24 +0100 +Subject: powerpc/cell: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit a841fd009e51c8c0a8f07c942e9ab6bb48da8858 ] + +for_each_node_by_name performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +expression e,e1; +local idexpression n; +@@ + + for_each_node_by_name(n, e1) { + ... when != of_node_put(n) + when != e = n +( + return n; +| ++ of_node_put(n); +? return ...; +) + ... + } +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-7-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/cell/iommu.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/cell/iommu.c b/arch/powerpc/platforms/cell/iommu.c +index 14a582b212745..4edceff5791ad 100644 +--- a/arch/powerpc/platforms/cell/iommu.c ++++ b/arch/powerpc/platforms/cell/iommu.c +@@ -1107,6 +1107,7 @@ static int __init cell_iommu_fixed_mapping_init(void) + if (hbase < dbase || (hend > (dbase + dsize))) { + pr_debug("iommu: hash window doesn't fit in" + "real DMA window\n"); ++ of_node_put(np); + return -1; + } + } +-- +2.34.1 + diff --git a/queue-4.4/powerpc-powernv-add-missing-of_node_put.patch b/queue-4.4/powerpc-powernv-add-missing-of_node_put.patch new file mode 100644 index 00000000000..d398d71a6d4 --- /dev/null +++ b/queue-4.4/powerpc-powernv-add-missing-of_node_put.patch 
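Review bot: The `pr_debug("iommu: hash window doesn't fit in" "real DMA window\n");` two lines above the added `of_node_put(np);` concatenates to "fit inreal DMA window" because the first literal has no trailing space. It is pre-existing context, but since this error path is being touched anyway it is a one-character fix: `pr_debug("iommu: hash window doesn't fit in "` on the first line. cell_iommu_fixed_mapping_init() begins and ends outside the hunk.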
@@ -0,0 +1,59 @@ +From 38e7d7cbf3720310d67d826332f29608f91eb007 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Nov 2015 20:33:21 +0000 +Subject: powerpc/powernv: add missing of_node_put + +From: Julia Lawall + +[ Upstream commit 7d405a939ca960162eb30c1475759cb2fdf38f8c ] + +for_each_compatible_node performs an of_node_get on each iteration, so +a break out of the loop requires an of_node_put. + +A simplified version of the semantic patch that fixes this problem is as +follows (http://coccinelle.lip6.fr): + +// +@@ +local idexpression n; +expression e; +@@ + + for_each_compatible_node(n,...) { + ... +( + of_node_put(n); +| + e = n +| ++ of_node_put(n); +? break; +) + ... + } +... when != n +// + +Signed-off-by: Julia Lawall +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/1448051604-25256-4-git-send-email-Julia.Lawall@lip6.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/opal-lpc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/powernv/opal-lpc.c b/arch/powerpc/platforms/powernv/opal-lpc.c +index e4169d68cb328..d28c4a9269c38 100644 +--- a/arch/powerpc/platforms/powernv/opal-lpc.c ++++ b/arch/powerpc/platforms/powernv/opal-lpc.c +@@ -401,6 +401,7 @@ void opal_lpc_init(void) + if (!of_get_property(np, "primary", NULL)) + continue; + opal_lpc_chip_id = of_get_ibm_chip_id(np); ++ of_node_put(np); + break; + } + if (opal_lpc_chip_id < 0) +-- +2.34.1 + diff --git a/queue-4.4/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch b/queue-4.4/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch new file mode 100644 index 00000000000..858003e3171 --- /dev/null +++ b/queue-4.4/powerpc-prom_init-fix-improper-check-of-prom_getprop.patch 
@@ -0,0 +1,37 @@ +From 3d43193fb207a2ce42f3dfb348e7c5705fef2a94 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 19 Nov 2021 17:12:18 +0800 +Subject: powerpc/prom_init: Fix improper check of prom_getprop() + +From: Peiwei Hu + +[ Upstream commit 869fb7e5aecbc163003f93f36dcc26d0554319f6 ] + +prom_getprop() can return PROM_ERROR. Binary operator can not identify +it. + +Fixes: 94d2dde738a5 ("[POWERPC] Efika: prune fixups and make them more carefull") +Signed-off-by: Peiwei Hu +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/tencent_BA28CC6897B7C95A92EB8C580B5D18589105@qq.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/prom_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/prom_init.c b/arch/powerpc/kernel/prom_init.c +index 3139533640fc8..204e44cc896ec 100644 +--- a/arch/powerpc/kernel/prom_init.c ++++ b/arch/powerpc/kernel/prom_init.c +@@ -2526,7 +2526,7 @@ static void __init fixup_device_tree_efika_add_phy(void) + + /* Check if the phy-handle property exists - bail if it does */ + rv = prom_getprop(node, "phy-handle", prop, sizeof(prop)); +- if (!rv) ++ if (rv <= 0) + return; + + /* +-- +2.34.1 + diff --git a/queue-4.4/powerpc-smp-move-setup_profiling_timer-under-config_.patch b/queue-4.4/powerpc-smp-move-setup_profiling_timer-under-config_.patch new file mode 100644 index 00000000000..a946905d508 --- /dev/null +++ b/queue-4.4/powerpc-smp-move-setup_profiling_timer-under-config_.patch 
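Review bot: The new condition and the comment above it disagree: the comment says to bail when phy-handle exists, but `if (rv <= 0) return;` bails when prom_getprop() reports PROM_ERROR (a failure, which for a getprop presumably includes a missing property) or a zero length, and falls through to add a PHY when the property is present with a positive length — the opposite of the stated intent, assuming `rv` is a signed int and prom_getprop() returns the property length on success. Either the condition should be inverted, e.g. `if (rv != PROM_ERROR) return;`, or the comment should say the property must not exist; please settle which against the rest of fixup_device_tree_efika_add_phy(), whose body lies outside the hunk, before taking this into 4.4. The old `if (!rv)` test had the same mismatch with the comment, so this is not a regression introduced here, but the backport is the moment to make the check and its comment agree.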
@@ -0,0 +1,44 @@ +From e8cd39a017f641d3df05dba4a3fda3f6b42a4dc2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Nov 2021 20:32:53 +1100 +Subject: powerpc/smp: Move setup_profiling_timer() under CONFIG_PROFILING +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michael Ellerman + +[ Upstream commit a4ac0d249a5db80e79d573db9e4ad29354b643a8 ] + +setup_profiling_timer() is only needed when CONFIG_PROFILING is enabled. + +Fixes the following W=1 warning when CONFIG_PROFILING=n: + linux/arch/powerpc/kernel/smp.c:1638:5: error: no previous prototype for ‘setup_profiling_timer’ + +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20211124093254.1054750-5-mpe@ellerman.id.au +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/smp.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/powerpc/kernel/smp.c b/arch/powerpc/kernel/smp.c +index ec9ec2058d2d3..19ba60ab18073 100644 +--- a/arch/powerpc/kernel/smp.c ++++ b/arch/powerpc/kernel/smp.c +@@ -732,10 +732,12 @@ void start_secondary(void *unused) + BUG(); + } + ++#ifdef CONFIG_PROFILING + int setup_profiling_timer(unsigned int multiplier) + { + return 0; + } ++#endif + + #ifdef CONFIG_SCHED_SMT + /* cpumask of CPUs with asymetric SMT dependancy */ +-- +2.34.1 + diff --git a/queue-4.4/ppp-ensure-minimum-packet-size-in-ppp_write.patch b/queue-4.4/ppp-ensure-minimum-packet-size-in-ppp_write.patch new file mode 100644 index 00000000000..0cf0cf1d02a --- /dev/null +++ b/queue-4.4/ppp-ensure-minimum-packet-size-in-ppp_write.patch 
@@ -0,0 +1,104 @@ +From d72fed607113261ab65b030750354c80ea04091a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 5 Jan 2022 03:48:42 -0800 +Subject: ppp: ensure minimum packet size in ppp_write() + +From: Eric Dumazet + +[ Upstream commit 44073187990d5629804ce0627525f6ea5cfef171 ] + +It seems pretty clear ppp layer assumed user space +would always be kind to provide enough data +in their write() to a ppp device. + +This patch makes sure user provides at least +2 bytes. + +It adds PPP_PROTO_LEN macro that could replace +in net-next many occurrences of hard-coded 2 value. + +I replaced only one occurrence to ease backports +to stable kernels. + +The bug manifests in the following report: + +BUG: KMSAN: uninit-value in ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 + ppp_send_frame+0x28d/0x27c0 drivers/net/ppp/ppp_generic.c:1740 + __ppp_xmit_process+0x23e/0x4b0 drivers/net/ppp/ppp_generic.c:1640 + ppp_xmit_process+0x1fe/0x480 drivers/net/ppp/ppp_generic.c:1661 + ppp_write+0x5cb/0x5e0 drivers/net/ppp/ppp_generic.c:513 + do_iter_write+0xb0c/0x1500 fs/read_write.c:853 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + __do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:524 [inline] + slab_alloc_node mm/slub.c:3251 [inline] + __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1126 [inline] + ppp_write+0x11d/0x5e0 drivers/net/ppp/ppp_generic.c:501 + do_iter_write+0xb0c/0x1500 fs/read_write.c:853 + vfs_writev fs/read_write.c:924 [inline] + do_writev+0x645/0xe00 fs/read_write.c:967 + 
__do_sys_writev fs/read_write.c:1040 [inline] + __se_sys_writev fs/read_write.c:1037 [inline] + __x64_sys_writev+0xe5/0x120 fs/read_write.c:1037 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: Paul Mackerras +Cc: linux-ppp@vger.kernel.org +Reported-by: syzbot +Acked-by: Guillaume Nault +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 46448d7e32902..679b14759379f 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -70,6 +70,8 @@ + #define MPHDRLEN 6 /* multilink protocol header length */ + #define MPHDRLEN_SSN 4 /* ditto with short sequence numbers */ + ++#define PPP_PROTO_LEN 2 ++ + /* + * An instance of /dev/ppp can be associated with either a ppp + * interface unit or a ppp channel. In both cases, file->private_data +@@ -487,6 +489,9 @@ static ssize_t ppp_write(struct file *file, const char __user *buf, + + if (!pf) + return -ENXIO; ++ /* All PPP packets should start with the 2-byte protocol */ ++ if (count < PPP_PROTO_LEN) ++ return -EINVAL; + ret = -ENOMEM; + skb = alloc_skb(count + pf->hdrlen, GFP_KERNEL); + if (!skb) +@@ -1293,7 +1298,7 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + } + + ++ppp->stats64.tx_packets; +- ppp->stats64.tx_bytes += skb->len - 2; ++ ppp->stats64.tx_bytes += skb->len - PPP_PROTO_LEN; + + switch (proto) { + case PPP_IP: +-- +2.34.1 + diff --git a/queue-4.4/rdma-core-let-ib_find_gid-continue-search-even-after.patch b/queue-4.4/rdma-core-let-ib_find_gid-continue-search-even-after.patch new file mode 100644 index 00000000000..7ea044cf55b --- /dev/null +++ b/queue-4.4/rdma-core-let-ib_find_gid-continue-search-even-after.patch 
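Review bot: The new `#define PPP_PROTO_LEN 2` sits directly under `MPHDRLEN` and `MPHDRLEN_SSN`, both of which carry a trailing explanatory comment, but has none; for consistency, and so the `- 2` it replaces in ppp_send_frame() stays self-explanatory, suggest `#define PPP_PROTO_LEN 2 /* length of the PPP protocol field */`. The length check in ppp_write() is placed before alloc_skb(), so a short write is rejected without allocating, and the comment above it states the invariant being enforced. ppp_write() and ppp_send_frame() both extend beyond their hunks.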
@@ -0,0 +1,47 @@ +From 6bc796bbb57fe171f214a5a114261773a64e27f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Dec 2021 15:16:06 +0200 +Subject: RDMA/core: Let ib_find_gid() continue search even after empty entry + +From: Avihai Horon + +[ Upstream commit 483d805191a23191f8294bbf9b4e94836f5d92e4 ] + +Currently, ib_find_gid() will stop searching after encountering the first +empty GID table entry. This behavior is wrong since neither IB nor RoCE +spec enforce tightly packed GID tables. + +For example, when a valid GID entry exists at index N, and if a GID entry +is empty at index N-1, ib_find_gid() will fail to find the valid entry. + +Fix it by making ib_find_gid() continue searching even after encountering +missing entries. + +Fixes: 5eb620c81ce3 ("IB/core: Add helpers for uncached GID and P_Key searches") +Link: https://lore.kernel.org/r/e55d331b96cecfc2cf19803d16e7109ea966882d.1639055490.git.leonro@nvidia.com +Signed-off-by: Avihai Horon +Reviewed-by: Mark Zhang +Signed-off-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/core/device.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/infiniband/core/device.c b/drivers/infiniband/core/device.c +index 179e8134d57fc..a14a3ec99ffe1 100644 +--- a/drivers/infiniband/core/device.c ++++ b/drivers/infiniband/core/device.c +@@ -848,7 +848,8 @@ int ib_find_gid(struct ib_device *device, union ib_gid *gid, + for (i = 0; i < device->port_immutable[port].gid_tbl_len; ++i) { + ret = ib_query_gid(device, port, i, &tmp_gid, NULL); + if (ret) +- return ret; ++ continue; ++ + if (!memcmp(&tmp_gid, gid, sizeof *gid)) { + *port_num = port; + if (index) +-- +2.34.1 + diff --git a/queue-4.4/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch b/queue-4.4/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch new file mode 100644 index 00000000000..77b18aedebc --- /dev/null 
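Review bot: `if (ret) continue;` now discards every error from ib_query_gid(), not only the one raised for an empty table entry; a transient device or firmware failure on one index is silently treated as "no GID here", the search ends with whatever ib_find_gid() returns after the loop (outside the hunk), and a caller can no longer tell "not present" from "could not query". If ib_query_gid() distinguishes the empty-entry case by a specific error value in 4.4, it would be safer to continue only on that value and keep returning the others, `if (ret) { if (ret == <empty-entry errno>) continue; return ret; }` (placeholder for whatever code the GID table returns for an empty slot). The blank line added after `continue;` is also a stray whitespace change.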
+++ b/queue-4.4/rdma-cxgb4-set-queue-pair-state-when-being-queried.patch @@ -0,0 +1,37 @@ +From 2d82837ee2f63eee8d24c3829248fc63277df1b3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Dec 2021 17:25:30 +0200 +Subject: RDMA/cxgb4: Set queue pair state when being queried + +From: Kamal Heib + +[ Upstream commit e375b9c92985e409c4bb95dd43d34915ea7f5e28 ] + +The API for ib_query_qp requires the driver to set cur_qp_state on return, +add the missing set. + +Fixes: 67bbc05512d8 ("RDMA/cxgb4: Add query_qp support") +Link: https://lore.kernel.org/r/20211220152530.60399-1-kamalheib1@gmail.com +Signed-off-by: Kamal Heib +Reviewed-by: Leon Romanovsky +Signed-off-by: Jason Gunthorpe +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/cxgb4/qp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c +index 67e4002bd776e..31a8119685114 100644 +--- a/drivers/infiniband/hw/cxgb4/qp.c ++++ b/drivers/infiniband/hw/cxgb4/qp.c +@@ -1896,6 +1896,7 @@ int c4iw_ib_query_qp(struct ib_qp *ibqp, struct ib_qp_attr *attr, + memset(attr, 0, sizeof *attr); + memset(init_attr, 0, sizeof *init_attr); + attr->qp_state = to_ib_qp_state(qhp->attr.state); ++ attr->cur_qp_state = to_ib_qp_state(qhp->attr.state); + init_attr->cap.max_send_wr = qhp->attr.sq_num_entries; + init_attr->cap.max_recv_wr = qhp->attr.rq_num_entries; + init_attr->cap.max_send_sge = qhp->attr.sq_max_sges; +-- +2.34.1 + diff --git a/queue-4.4/scsi-sr-don-t-use-gfp_dma.patch b/queue-4.4/scsi-sr-don-t-use-gfp_dma.patch new file mode 100644 index 00000000000..b8ad31c7396 --- /dev/null +++ b/queue-4.4/scsi-sr-don-t-use-gfp_dma.patch 
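Review bot: `attr->qp_state` and the new `attr->cur_qp_state` are produced by two separate reads of `qhp->attr.state`, so if the state can change concurrently (no lock is visible in the hunk, and c4iw_ib_query_qp() begins above it) the two fields can disagree; reading once into a local of the type to_ib_qp_state() returns and assigning it to both keeps the pair consistent and drops the duplicate conversion.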
@@ -0,0 +1,61 @@ +From 7c51ea584c9dcfcb0741887c426b8c713c308483 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 22 Dec 2021 10:08:42 +0100 +Subject: scsi: sr: Don't use GFP_DMA + +From: Christoph Hellwig + +[ Upstream commit d94d94969a4ba07a43d62429c60372320519c391 ] + +The allocated buffers are used as a command payload, for which the block +layer and/or DMA API do the proper bounce buffering if needed. + +Link: https://lore.kernel.org/r/20211222090842.920724-1-hch@lst.de +Reported-by: Baoquan He +Reviewed-by: Baoquan He +Signed-off-by: Christoph Hellwig +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/sr.c | 2 +- + drivers/scsi/sr_vendor.c | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c +index df019b78d9f79..e26d6cc3c8716 100644 +--- a/drivers/scsi/sr.c ++++ b/drivers/scsi/sr.c +@@ -883,7 +883,7 @@ static void get_capabilities(struct scsi_cd *cd) + + + /* allocate transfer buffer */ +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) { + sr_printk(KERN_ERR, cd, "out of memory.\n"); + return; +diff --git a/drivers/scsi/sr_vendor.c b/drivers/scsi/sr_vendor.c +index 11a238cb22223..629bfe1b20263 100644 +--- a/drivers/scsi/sr_vendor.c ++++ b/drivers/scsi/sr_vendor.c +@@ -118,7 +118,7 @@ int sr_set_blocklength(Scsi_CD *cd, int blocklength) + density = (blocklength > 2048) ? 0x81 : 0x83; + #endif + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +@@ -166,7 +166,7 @@ int sr_cd_check(struct cdrom_device_info *cdi) + if (cd->cdi.mask & CDC_MULTI_SESSION) + return 0; + +- buffer = kmalloc(512, GFP_KERNEL | GFP_DMA); ++ buffer = kmalloc(512, GFP_KERNEL); + if (!buffer) + return -ENOMEM; + +-- +2.34.1 + 
diff --git a/queue-4.4/serial-amba-pl011-do-not-request-memory-region-twice.patch b/queue-4.4/serial-amba-pl011-do-not-request-memory-region-twice.patch
new file mode 100644
index 00000000000..d2a9aa7463e
--- /dev/null
+++ b/queue-4.4/serial-amba-pl011-do-not-request-memory-region-twice.patch
@@ -0,0 +1,106 @@ +From bc2ee4c5b1f910fb7c1aa89850f708f7a7c6a8c1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 29 Nov 2021 18:42:38 +0100 +Subject: serial: amba-pl011: do not request memory region twice +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lino Sanfilippo + +[ Upstream commit d1180405c7b5c7a1c6bde79d5fc24fe931430737 ] + +With commit 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()") the +function devm_ioremap() called from pl011_setup_port() was replaced with +devm_ioremap_resource(). Since this function not only remaps but also +requests the ports io memory region it now collides with the .config_port() +callback which requests the same region at uart port registration. + +Since devm_ioremap_resource() already claims the memory successfully, the +request in .config_port() fails. + +Later at uart port deregistration the attempt to release the unclaimed +memory also fails. The failure results in a “Trying to free nonexistent +resource" warning. + +Fix these issues by removing the callbacks that implement the redundant +memory allocation/release. Also make sure that changing the drivers io +memory base address via TIOCSSERIAL is not allowed any more. + +Fixes: 3873e2d7f63a ("drivers: PL011: refactor pl011_probe()") +Signed-off-by: Lino Sanfilippo +Link: https://lore.kernel.org/r/20211129174238.8333-1-LinoSanfilippo@gmx.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 27 +++------------------------ + 1 file changed, 3 insertions(+), 24 deletions(-) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index ecace294dc7e6..75932d68a722f 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1944,32 +1944,13 @@ static const char *pl011_type(struct uart_port *port) + return uap->port.type == PORT_AMBA ? 
uap->type : NULL; + } + +-/* +- * Release the memory region(s) being used by 'port' +- */ +-static void pl011_release_port(struct uart_port *port) +-{ +- release_mem_region(port->mapbase, SZ_4K); +-} +- +-/* +- * Request the memory region(s) being used by 'port' +- */ +-static int pl011_request_port(struct uart_port *port) +-{ +- return request_mem_region(port->mapbase, SZ_4K, "uart-pl011") +- != NULL ? 0 : -EBUSY; +-} +- + /* + * Configure/autoconfigure the port. + */ + static void pl011_config_port(struct uart_port *port, int flags) + { +- if (flags & UART_CONFIG_TYPE) { ++ if (flags & UART_CONFIG_TYPE) + port->type = PORT_AMBA; +- pl011_request_port(port); +- } + } + + /* +@@ -1984,6 +1965,8 @@ static int pl011_verify_port(struct uart_port *port, struct serial_struct *ser) + ret = -EINVAL; + if (ser->baud_base < 9600) + ret = -EINVAL; ++ if (port->mapbase != (unsigned long) ser->iomem_base) ++ ret = -EINVAL; + return ret; + } + +@@ -2001,8 +1984,6 @@ static struct uart_ops amba_pl011_pops = { + .flush_buffer = pl011_dma_flush_buffer, + .set_termios = pl011_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +@@ -2032,8 +2013,6 @@ static const struct uart_ops sbsa_uart_pops = { + .shutdown = sbsa_uart_shutdown, + .set_termios = sbsa_uart_set_termios, + .type = pl011_type, +- .release_port = pl011_release_port, +- .request_port = pl011_request_port, + .config_port = pl011_config_port, + .verify_port = pl011_verify_port, + #ifdef CONFIG_CONSOLE_POLL +-- +2.34.1 + diff --git a/queue-4.4/serial-core-keep-mctrl-register-state-and-cached-cop.patch b/queue-4.4/serial-core-keep-mctrl-register-state-and-cached-cop.patch new file mode 100644 index 00000000000..b2b193540a8 --- /dev/null +++ b/queue-4.4/serial-core-keep-mctrl-register-state-and-cached-cop.patch 
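Review bot: Dropping .request_port/.release_port and the request in pl011_config_port() is only correct if the 4.4 pl011_setup_port() already claims the region through devm_ioremap_resource(), as the Fixes tag (3873e2d7f63a) assumes; the hunks do not show that function, so confirm it in the 4.4 tree before queueing — if it still uses plain devm_ioremap(), this backport turns a double request into no request at all. The new pl011_verify_port() check `if (port->mapbase != (unsigned long) ser->iomem_base)` is explained only in the commit message; a one-line comment such as `/* the io memory base cannot be changed via TIOCSSERIAL */` above it would keep that rationale with the code. pl011_verify_port() begins above the hunk.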
@@ -0,0 +1,53 @@ +From 2104c4600da2a0a3f6b5ab30bccde97462ca3f08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jan 2022 18:52:44 +0100 +Subject: serial: core: Keep mctrl register state and cached copy in sync + +From: Lukas Wunner + +[ Upstream commit 93a770b7e16772530196674ffc79bb13fa927dc6 ] + +struct uart_port contains a cached copy of the Modem Control signals. +It is used to skip register writes in uart_update_mctrl() if the new +signal state equals the old signal state. It also avoids a register +read to obtain the current state of output signals. + +When a uart_port is registered, uart_configure_port() changes signal +state but neglects to keep the cached copy in sync. That may cause +a subsequent register write to be incorrectly skipped. Fix it before +it trips somebody up. + +This behavior has been present ever since the serial core was introduced +in 2002: +https://git.kernel.org/history/history/c/33c0d1b0c3eb + +So far it was never an issue because the cached copy is initialized to 0 +by kzalloc() and when uart_configure_port() is executed, at most DTR has +been set by uart_set_options() or sunsu_console_setup(). Therefore, +a stable designation seems unnecessary. 
+ +Signed-off-by: Lukas Wunner +Link: https://lore.kernel.org/r/bceeaba030b028ed810272d55d5fc6f3656ddddb.1641129752.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/serial_core.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/serial_core.c b/drivers/tty/serial/serial_core.c +index 013fb874c64e2..8142135a2eec4 100644 +--- a/drivers/tty/serial/serial_core.c ++++ b/drivers/tty/serial/serial_core.c +@@ -2247,7 +2247,8 @@ uart_configure_port(struct uart_driver *drv, struct uart_state *state, + * We probably don't need a spinlock around this, but + */ + spin_lock_irqsave(&port->lock, flags); +- port->ops->set_mctrl(port, port->mctrl & TIOCM_DTR); ++ port->mctrl &= TIOCM_DTR; ++ port->ops->set_mctrl(port, port->mctrl); + spin_unlock_irqrestore(&port->lock, flags); + + /* +-- +2.34.1 + diff --git a/queue-4.4/serial-pl010-drop-cr-register-reset-on-set_termios.patch b/queue-4.4/serial-pl010-drop-cr-register-reset-on-set_termios.patch new file mode 100644 index 00000000000..1393b93fd9f --- /dev/null +++ b/queue-4.4/serial-pl010-drop-cr-register-reset-on-set_termios.patch 
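Review bot: The commit message itself states that "a stable designation seems unnecessary", explaining that the cached mctrl can only hold DTR at this point, yet the patch is being queued for 4.4; if it is taken as a prerequisite for another queued change, the series ordering or queue entry should say so, otherwise it is a candidate to drop. On the code, `port->mctrl &= TIOCM_DTR;` followed by `port->ops->set_mctrl(port, port->mctrl);` keeps the cached copy and the register in step, which is the stated goal. The comment just above the hunk, "We probably don't need a spinlock around this, but", was already truncated before this change and could be completed while these lines are touched. uart_configure_port() extends beyond the hunk.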
@@ -0,0 +1,58 @@ +From ce4d2437cffd1eae510143cc964d327b8d0e015b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 2 Jan 2022 18:42:44 +0100 +Subject: serial: pl010: Drop CR register reset on set_termios + +From: Lukas Wunner + +[ Upstream commit 08a0c6dff91c965e39905cf200d22db989203ccb ] + +pl010_set_termios() briefly resets the CR register to zero. + +Where does this register write come from? + +The PL010 driver's IRQ handler ambauart_int() originally modified the CR +register without holding the port spinlock. ambauart_set_termios() also +modified that register. To prevent concurrent read-modify-writes by the +IRQ handler and to prevent transmission while changing baudrate, +ambauart_set_termios() had to disable interrupts. That is achieved by +writing zero to the CR register. + +However in 2004 the PL010 driver was amended to acquire the port +spinlock in the IRQ handler, obviating the need to disable interrupts in +->set_termios(): +https://git.kernel.org/history/history/c/157c0342e591 + +That rendered the CR register write obsolete. Drop it. 
+ +Cc: Russell King +Signed-off-by: Lukas Wunner +Link: https://lore.kernel.org/r/fcaff16e5b1abb4cc3da5a2879ac13f278b99ed0.1641128728.git.lukas@wunner.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl010.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/tty/serial/amba-pl010.c b/drivers/tty/serial/amba-pl010.c +index 5d41d5b92619a..7f4ba92739663 100644 +--- a/drivers/tty/serial/amba-pl010.c ++++ b/drivers/tty/serial/amba-pl010.c +@@ -465,14 +465,11 @@ pl010_set_termios(struct uart_port *port, struct ktermios *termios, + if ((termios->c_cflag & CREAD) == 0) + uap->port.ignore_status_mask |= UART_DUMMY_RSR_RX; + +- /* first, disable everything */ + old_cr = readb(uap->port.membase + UART010_CR) & ~UART010_CR_MSIE; + + if (UART_ENABLE_MS(port, termios->c_cflag)) + old_cr |= UART010_CR_MSIE; + +- writel(0, uap->port.membase + UART010_CR); +- + /* Set baud rate */ + quot -= 1; + writel((quot & 0xf00) >> 8, uap->port.membase + UART010_LCRM); +-- +2.34.1 + diff --git a/queue-4.4/series b/queue-4.4/series index 7a0795dfa01..1b422b3b63f 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
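Review bot: With the `writel(0, uap->port.membase + UART010_CR);` gone, the baud-rate divisor writes to UART010_LCRM/LCRL that follow in pl010_set_termios() now happen while the UART stays enabled; the commit message justifies the removal on locking grounds (the IRQ handler now takes the port spinlock), which is a separate question from whether the PL010 tolerates a divisor change mid-character, so a sentence in the changelog or a comment stating that this is acceptable for the hardware would help. The name `old_cr` also no longer fits as far as the hunk shows — there is no "disable, then restore the old value" sequence any more, the variable is simply the CR value being assembled — so `cr` would read better. pl010_set_termios() begins and ends outside the hunk.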
@@ -17,3 +17,80 @@ media-pvrusb2-fix-control-message-timeouts.patch
 media-stk1160-fix-control-message-timeouts.patch
 can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch
 pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch
+bluetooth-cmtp-fix-possible-panic-when-cmtp_init_soc.patch
+bluetooth-stop-proccessing-malicious-adv-data.patch
+crypto-qce-fix-uaf-on-qce_ahash_register_one.patch
+tty-serial-atmel-check-return-code-of-dmaengine_subm.patch
+tty-serial-atmel-call-dma_async_issue_pending.patch
+netfilter-bridge-add-support-for-pppoe-filtering.patch
+arm64-dts-qcom-msm8916-fix-mmc-controller-aliases.patch
+drm-amdgpu-fix-a-null-pointer-dereference-in-amdgpu_.patch
+serial-amba-pl011-do-not-request-memory-region-twice.patch
+floppy-fix-hang-in-watchdog-when-disk-is-ejected.patch
+media-dib8000-fix-a-memleak-in-dib8000_init.patch
+media-saa7146-mxb-fix-a-null-pointer-dereference-in-.patch
+media-msi001-fix-possible-null-ptr-deref-in-msi001_p.patch
+usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
+pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch
+pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-25366
+ppp-ensure-minimum-packet-size-in-ppp_write.patch
+spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch
+can-softing-softing_startstop-fix-set-but-not-used-v.patch
+can-xilinx_can-xcan_probe-check-for-error-irq.patch
+pcmcia-fix-setting-of-kthread-task-states.patch
+net-mcs7830-handle-usb-read-errors-properly.patch
+ext4-avoid-trim-error-on-fs-with-small-groups.patch
+alsa-jack-add-missing-rwsem-around-snd_ctl_remove-ca.patch
+alsa-pcm-add-missing-rwsem-around-snd_ctl_remove-cal.patch
+alsa-hda-add-missing-rwsem-around-snd_ctl_remove-cal.patch
+powerpc-prom_init-fix-improper-check-of-prom_getprop.patch
+alsa-oss-fix-compile-error-when-oss_debug-is-enabled.patch
+char-mwave-adjust-io-port-register-size.patch
+uio-uio_dmem_genirq-catch-the-exception.patch
+rdma-core-let-ib_find_gid-continue-search-even-after.patch
+dmaengine-pxa-mmp-stop-referencing-config-slave_id.patch
+asoc-samsung-idma-check-of-ioremap-return-value.patch
+misc-lattice-ecp3-config-fix-task-hung-when-firmware.patch
+mips-lantiq-add-support-for-clk_set_parent.patch
+mips-bcm63xx-add-support-for-clk_set_parent.patch
+rdma-cxgb4-set-queue-pair-state-when-being-queried.patch
+bluetooth-fix-debugfs-entry-leak-in-hci_register_dev.patch
+fs-dlm-filter-user-dlm-messages-for-kernel-locks.patch
+ar5523-fix-null-ptr-deref-with-unexpected-wdcmsg_tar.patch
+usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch
+media-b2c2-add-missing-check-in-flexcop_pci_isr.patch
+hsi-core-fix-return-freed-object-in-hsi_new_client.patch
+mwifiex-fix-skb_over_panic-in-mwifiex_usb_recv.patch
+floppy-add-max-size-check-for-user-space-request.patch
+media-saa7146-hexium_orion-fix-a-null-pointer-derefe.patch
+media-m920x-don-t-use-stack-on-usb-reads.patch
+iwlwifi-mvm-synchronize-with-fw-after-multicast-comm.patch
+net-bonding-debug-avoid-printing-debug-logs-when-bon.patch
+media-igorplugusb-receiver-overflow-should-be-report.patch
+media-saa7146-hexium_gemini-fix-a-null-pointer-deref.patch
+usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch
+ath9k-fix-out-of-bound-memcpy-in-ath9k_hif_usb_rx_st.patch
+um-registers-rename-function-names-to-avoid-conflict.patch
+acpica-utilities-avoid-deleting-the-same-object-twic.patch
+acpica-executer-fix-the-refclass_refof-case-in-acpi_.patch
+btrfs-remove-bug_on-in-find_parent_nodes.patch
+btrfs-remove-bug_on-eie-in-find_parent_nodes.patch
+net-mdio-demote-probed-message-to-debug-print.patch
+dm-btree-add-a-defensive-bounds-check-to-insert_at.patch
+dm-space-map-common-add-bounds-check-to-sm_ll_lookup.patch
+serial-pl010-drop-cr-register-reset-on-set_termios.patch
+serial-core-keep-mctrl-register-state-and-cached-cop.patch
+parisc-avoid-calling-faulthandler_disabled-twice.patch
+powerpc-6xx-add-missing-of_node_put.patch
+powerpc-powernv-add-missing-of_node_put.patch
+powerpc-cell-add-missing-of_node_put.patch
+powerpc-btext-add-missing-of_node_put.patch
+i2c-i801-don-t-silently-correct-invalid-transfer-siz.patch
+powerpc-smp-move-setup_profiling_timer-under-config_.patch
+i2c-mpc-correct-i2c-reset-procedure.patch
+w1-misuse-of-get_user-put_user-reported-by-sparse.patch
+alsa-seq-set-upper-limit-of-processed-events.patch
+i2c-designware-pci-fix-to-change-data-types-of-hcnt-.patch
+mips-octeon-fix-build-errors-using-clang.patch
+scsi-sr-don-t-use-gfp_dma.patch
+power-bq25890-enable-continuous-conversion-for-adc-a.patch
diff --git a/queue-4.4/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch b/queue-4.4/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch
new file mode 100644
index 00000000000..cb63542d6a0
--- /dev/null
+++ b/queue-4.4/spi-spi-meson-spifc-add-missing-pm_runtime_disable-i.patch
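Review bot: The series gains `pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch` and, on the very next line, `pcmcia-rsrc_nonstatic-fix-a-null-pointer-dereference.patch-25366`, which differs only by the numeric suffix. If that suffix is the queue's way of naming a second patch whose generated filename collided, the matching file must be added by this commit (it would lie in the part of the diff not visible here); if no such file exists in queue-4.4, the entry is stray and applying the series will stop at it. Either way the two adjacent, near-identical names deserve a second look before this lands.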
@@ -0,0 +1,38 @@ +From 59a7404812fe8fab63a6057f26205028ac2aa46f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Jan 2022 07:54:24 +0000 +Subject: spi: spi-meson-spifc: Add missing pm_runtime_disable() in + meson_spifc_probe + +From: Miaoqian Lin + +[ Upstream commit 69c1b87516e327a60b39f96b778fe683259408bf ] + +If the probe fails, we should use pm_runtime_disable() to balance +pm_runtime_enable(). +Add missing pm_runtime_disable() for meson_spifc_probe. + +Fixes: c3e4bc5434d2 ("spi: meson: Add support for Amlogic Meson SPIFC") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20220107075424.7774-1-linmq006@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-meson-spifc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/spi/spi-meson-spifc.c b/drivers/spi/spi-meson-spifc.c +index 2465259f62411..8e662e7a35181 100644 +--- a/drivers/spi/spi-meson-spifc.c ++++ b/drivers/spi/spi-meson-spifc.c +@@ -357,6 +357,7 @@ static int meson_spifc_probe(struct platform_device *pdev) + return 0; + out_clk: + clk_disable_unprepare(spifc->clk); ++ pm_runtime_disable(spifc->dev); + out_err: + spi_master_put(master); + return ret; +-- +2.34.1 + diff --git a/queue-4.4/tty-serial-atmel-call-dma_async_issue_pending.patch b/queue-4.4/tty-serial-atmel-call-dma_async_issue_pending.patch new file mode 100644 index 00000000000..97356ac321e --- /dev/null +++ b/queue-4.4/tty-serial-atmel-call-dma_async_issue_pending.patch 
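Review bot: The new `pm_runtime_disable(spifc->dev);` is placed under the `out_clk:` label after `clk_disable_unprepare(spifc->clk);`, but unwinding should mirror the order of the enables, and whether pm_runtime_enable() comes before or after clk_prepare_enable() in meson_spifc_probe() is not visible in the hunk. Also check which failure points jump to `out_clk`: if any of them lies before pm_runtime_enable(), this path now calls pm_runtime_disable() without a matching enable. If pm_runtime_enable() is the later of the two calls, the disable belongs on the line above `clk_disable_unprepare(spifc->clk);`. meson_spifc_probe() begins above the hunk.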
@@ -0,0 +1,50 @@
+From c6451eb7a6a378e218b80995ab0f20dd9a3fe1b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Nov 2021 11:00:18 +0200
+Subject: tty: serial: atmel: Call dma_async_issue_pending()
+
+From: Tudor Ambarus
+
+[ Upstream commit 4f4b9b5895614eb2e2b5f4cab7858f44bd113e1b ]
+
+The driver wrongly assummed that tx_submit() will start the transfer,
+which is not the case, now that the at_xdmac driver is fixed. tx_submit
+is supposed to push the current transaction descriptor to a pending queue,
+waiting for issue_pending to be called. issue_pending must start the
+transfer, not tx_submit.
+
+Fixes: 34df42f59a60 ("serial: at91: add rx dma support")
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Tudor Ambarus
+Link: https://lore.kernel.org/r/20211125090028.786832-4-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/atmel_serial.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index be15061a14479..e49493703179d 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -933,6 +933,8 @@ static void atmel_tx_dma(struct uart_port *port)
+ atmel_port->cookie_tx);
+ return;
+ }
++
++ dma_async_issue_pending(chan);
+ }
+
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+@@ -1197,6 +1199,8 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
+ goto chan_err;
+ }
+
++ dma_async_issue_pending(atmel_port->chan_rx);
++
+ return 0;
+
+ chan_err:
+--
+2.34.1
+
diff --git a/queue-4.4/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch b/queue-4.4/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch
new file mode 100644
index 00000000000..7a4e0d3b068
--- /dev/null
+++ b/queue-4.4/tty-serial-atmel-check-return-code-of-dmaengine_subm.patch
@@ -0,0 +1,59 @@
+From ababb9f407cace9820a6298e97594456bf6cf064 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 25 Nov 2021 11:00:17 +0200
+Subject: tty: serial: atmel: Check return code of dmaengine_submit()
+
+From: Tudor Ambarus
+
+[ Upstream commit 1e67bd2b8cb90b66e89562598e9c2046246832d3 ]
+
+The tx_submit() method of struct dma_async_tx_descriptor is entitled
+to do sanity checks and return errors if encountered. It's not the
+case for the DMA controller drivers that this client is using
+(at_h/xdmac), because they currently don't do sanity checks and always
+return a positive cookie at tx_submit() method. In case the controller
+drivers will implement sanity checks and return errors, print a message
+so that the client will be informed that something went wrong at
+tx_submit() level.
+
+Fixes: 08f738be88bb ("serial: at91: add tx dma support")
+Signed-off-by: Tudor Ambarus
+Acked-by: Richard Genoud
+Link: https://lore.kernel.org/r/20211125090028.786832-3-tudor.ambarus@microchip.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/atmel_serial.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/drivers/tty/serial/atmel_serial.c b/drivers/tty/serial/atmel_serial.c
+index 3bd19de7df71b..be15061a14479 100644
+--- a/drivers/tty/serial/atmel_serial.c
++++ b/drivers/tty/serial/atmel_serial.c
+@@ -928,6 +928,11 @@ static void atmel_tx_dma(struct uart_port *port)
+ desc->callback = atmel_complete_tx_dma;
+ desc->callback_param = atmel_port;
+ atmel_port->cookie_tx = dmaengine_submit(desc);
++ if (dma_submit_error(atmel_port->cookie_tx)) {
++ dev_err(port->dev, "dma_submit_error %d\n",
++ atmel_port->cookie_tx);
++ return;
++ }
+ }
+
+ if (uart_circ_chars_pending(xmit) < WAKEUP_CHARS)
+@@ -1186,6 +1191,11 @@ static int atmel_prepare_rx_dma(struct uart_port *port)
+ desc->callback_param = port;
+ atmel_port->desc_rx = desc;
+ atmel_port->cookie_rx = dmaengine_submit(desc);
++ if
(dma_submit_error(atmel_port->cookie_rx)) {
++ dev_err(port->dev, "dma_submit_error %d\n",
++ atmel_port->cookie_rx);
++ goto chan_err;
++ }
+
+ return 0;
+
+--
+2.34.1
+
diff --git a/queue-4.4/uio-uio_dmem_genirq-catch-the-exception.patch b/queue-4.4/uio-uio_dmem_genirq-catch-the-exception.patch
new file mode 100644
index 00000000000..036a3446169
--- /dev/null
+++ b/queue-4.4/uio-uio_dmem_genirq-catch-the-exception.patch
@@ -0,0 +1,41 @@
+From 15eb4378d3afe81b093f4ed5d3b7dda65934c2e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 4 Dec 2021 08:03:26 +0800
+Subject: uio: uio_dmem_genirq: Catch the Exception
+
+From: Jiasheng Jiang
+
+[ Upstream commit eec91694f927d1026974444eb6a3adccd4f1cbc2 ]
+
+The return value of dma_set_coherent_mask() is not always 0.
+To catch the exception in case that dma is not support the mask.
+
+Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation")
+Signed-off-by: Jiasheng Jiang
+Link: https://lore.kernel.org/r/20211204000326.1592687-1-jiasheng@iscas.ac.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/uio/uio_dmem_genirq.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c
+index a00b4aee6c799..a31b9d5260ca0 100644
+--- a/drivers/uio/uio_dmem_genirq.c
++++ b/drivers/uio/uio_dmem_genirq.c
+@@ -194,7 +194,11 @@ static int uio_dmem_genirq_probe(struct platform_device *pdev)
+ goto bad0;
+ }
+
+- dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++ ret = dma_set_coherent_mask(&pdev->dev, DMA_BIT_MASK(32));
++ if (ret) {
++ dev_err(&pdev->dev, "DMA enable failed\n");
++ return ret;
++ }
+
+ priv->uioinfo = uioinfo;
+ spin_lock_init(&priv->lock);
+--
+2.34.1
+
diff --git a/queue-4.4/um-registers-rename-function-names-to-avoid-conflict.patch b/queue-4.4/um-registers-rename-function-names-to-avoid-conflict.patch
new file mode 100644
index 00000000000..e9561992196
--- /dev/null
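Review bot: In the `atmel_tx_dma` hunk the new error path does a bare `return;` after `dev_err()`, whereas the matching rx path jumps to `chan_err`; nothing in the tx path undoes the state set just before `dmaengine_submit()` (the callback pointers visible in the hunk and, presumably, a stored tx descriptor analogous to the `atmel_port->desc_rx = desc;` seen in the rx hunk), so a failed submit may leave the port pointing at a descriptor that was never queued. If the function's entry cleanup, which is outside the hunk, does not reset that, consider clearing the stored descriptor before the `return;`. Both `atmel_tx_dma` and `atmel_prepare_rx_dma` start outside the hunk.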
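Review bot: The new `return ret;` after `dev_err(&pdev->dev, "DMA enable failed\n");` skips the `bad0` cleanup that the context line just above (`goto bad0;`) uses for earlier failures, and the line below (`priv->uioinfo = uioinfo;`) shows `priv` is already allocated at this point, so the early return leaks `priv` and whatever `bad0` releases. Replace `return ret;` with `kfree(priv);` followed by `goto bad0;` so the error path matches its neighbours. `uio_dmem_genirq_probe` and the `bad0` label are outside the hunk, so the exact label semantics should be checked there.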
+++ b/queue-4.4/um-registers-rename-function-names-to-avoid-conflict.patch 
@@ -0,0 +1,104 @@
+From 4fa1d36307ba9f97ca8e1eb9d70e0e1c0fdd278f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 12 Sep 2021 23:12:52 -0700
+Subject: um: registers: Rename function names to avoid conflicts and build
+ problems
+
+From: Randy Dunlap
+
+[ Upstream commit 077b7320942b64b0da182aefd83c374462a65535 ]
+
+The function names init_registers() and restore_registers() are used
+in several net/ethernet/ and gpu/drm/ drivers for other purposes (not
+calls to UML functions), so rename them.
+
+This fixes multiple build errors.
+
+Signed-off-by: Randy Dunlap
+Cc: Jeff Dike
+Cc: Richard Weinberger
+Cc: Anton Ivanov
+Cc: linux-um@lists.infradead.org
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ arch/um/include/shared/registers.h | 4 ++--
+ arch/um/os-Linux/registers.c | 4 ++--
+ arch/um/os-Linux/start_up.c | 2 +-
+ arch/x86/um/syscalls_64.c | 3 ++-
+ 4 files changed, 7 insertions(+), 6 deletions(-)
+
+diff --git a/arch/um/include/shared/registers.h b/arch/um/include/shared/registers.h
+index f5b76355ad71a..089f979e112e3 100644
+--- a/arch/um/include/shared/registers.h
++++ b/arch/um/include/shared/registers.h
+@@ -14,8 +14,8 @@ extern int restore_fp_registers(int pid, unsigned long *fp_regs);
+ extern int save_fpx_registers(int pid, unsigned long *fp_regs);
+ extern int restore_fpx_registers(int pid, unsigned long *fp_regs);
+ extern int save_registers(int pid, struct uml_pt_regs *regs);
+-extern int restore_registers(int pid, struct uml_pt_regs *regs);
+-extern int init_registers(int pid);
++extern int restore_pid_registers(int pid, struct uml_pt_regs *regs);
++extern int init_pid_registers(int pid);
+ extern void get_safe_registers(unsigned long *regs, unsigned long *fp_regs);
+ extern unsigned long get_thread_reg(int reg, jmp_buf *buf);
+ extern int get_fp_registers(int pid, unsigned long *regs);
+diff --git a/arch/um/os-Linux/registers.c b/arch/um/os-Linux/registers.c
+index 2ff8d4fe83c4f..34a5963bd7efd 100644
+---
a/arch/um/os-Linux/registers.c
++++ b/arch/um/os-Linux/registers.c
+@@ -21,7 +21,7 @@ int save_registers(int pid, struct uml_pt_regs *regs)
+ return 0;
+ }
+
+-int restore_registers(int pid, struct uml_pt_regs *regs)
++int restore_pid_registers(int pid, struct uml_pt_regs *regs)
+ {
+ int err;
+
+@@ -36,7 +36,7 @@ int restore_registers(int pid, struct uml_pt_regs *regs)
+ static unsigned long exec_regs[MAX_REG_NR];
+ static unsigned long exec_fp_regs[FP_SIZE];
+
+-int init_registers(int pid)
++int init_pid_registers(int pid)
+ {
+ int err;
+
+diff --git a/arch/um/os-Linux/start_up.c b/arch/um/os-Linux/start_up.c
+index 22a358ef1b0cd..dc06933ba63d9 100644
+--- a/arch/um/os-Linux/start_up.c
++++ b/arch/um/os-Linux/start_up.c
+@@ -334,7 +334,7 @@ void __init os_early_checks(void)
+ check_tmpexec();
+
+ pid = start_ptraced_child();
+- if (init_registers(pid))
++ if (init_pid_registers(pid))
+ fatal("Failed to initialize default registers");
+ stop_ptraced_child(pid, 1, 1);
+ }
+diff --git a/arch/x86/um/syscalls_64.c b/arch/x86/um/syscalls_64.c
+index e6552275320bc..40ecacb2c54b3 100644
+--- a/arch/x86/um/syscalls_64.c
++++ b/arch/x86/um/syscalls_64.c
+@@ -9,6 +9,7 @@
+ #include
+ #include /* XXX This should get the constants from libc */
+ #include
++#include
+
+ long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
+ {
+@@ -32,7 +33,7 @@ long arch_prctl(struct task_struct *task, int code, unsigned long __user *addr)
+ switch (code) {
+ case ARCH_SET_FS:
+ case ARCH_SET_GS:
+- ret = restore_registers(pid, ¤t->thread.regs.regs);
++ ret = restore_pid_registers(pid, ¤t->thread.regs.regs);
+ if (ret)
+ return ret;
+ break;
+--
+2.34.1
+
diff --git a/queue-4.4/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch b/queue-4.4/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
new file mode 100644
index 00000000000..d246458b94b
--- /dev/null
+++ b/queue-4.4/usb-ftdi-elan-fix-memory-leak-on-device-disconnect.patch
@@ -0,0 +1,52 @@
+From e923968d890d246dde64693a5cbd632d79762d89 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Dec 2021 16:34:28 +0800
+Subject: usb: ftdi-elan: fix memory leak on device disconnect
+
+From: Wei Yongjun
+
+[ Upstream commit 1646566b5e0c556f779180a8514e521ac735de1e ]
+
+'ftdi' is alloced when probe device, but not free on device disconnect,
+this cause a memory leak as follows:
+
+unreferenced object 0xffff88800d584000 (size 8400):
+ comm "kworker/0:2", pid 3809, jiffies 4295453055 (age 13.784s)
+ hex dump (first 32 bytes):
+ 00 40 58 0d 80 88 ff ff 00 40 58 0d 80 88 ff ff .@X......@X.....
+ 00 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N..
+ backtrace:
+ [<000000000d47f947>] kmalloc_order_trace+0x19/0x110 mm/slab_common.c:960
+ [<000000008548ac68>] ftdi_elan_probe+0x8c/0x880 drivers/usb/misc/ftdi-elan.c:2647
+ [<000000007f73e422>] usb_probe_interface+0x31b/0x800 drivers/usb/core/driver.c:396
+ [<00000000fe8d07fc>] really_probe+0x299/0xc30 drivers/base/dd.c:517
+ [<0000000005da7d32>] __driver_probe_device+0x357/0x500 drivers/base/dd.c:751
+ [<000000003c2c9579>] driver_probe_device+0x4e/0x140 drivers/base/dd.c:781
+
+Fix it by freeing 'ftdi' after nobody use it.
+
+Fixes: a5c66e4b2418 ("USB: ftdi-elan: client driver for ELAN Uxxx adapters")
+Reported-by: Hulk Robot
+Signed-off-by: Wei Yongjun
+Link: https://lore.kernel.org/r/20211217083428.2441-1-weiyongjun1@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/misc/ftdi-elan.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/misc/ftdi-elan.c b/drivers/usb/misc/ftdi-elan.c
+index 52c27cab78c3e..6f6315082bc44 100644
+--- a/drivers/usb/misc/ftdi-elan.c
++++ b/drivers/usb/misc/ftdi-elan.c
+@@ -209,6 +209,7 @@ static void ftdi_elan_delete(struct kref *kref)
+ mutex_unlock(&ftdi_module_lock);
+ kfree(ftdi->bulk_in_buffer);
+ ftdi->bulk_in_buffer = NULL;
++ kfree(ftdi);
+ }
+
+ static void ftdi_elan_put_kref(struct usb_ftdi *ftdi)
+--
+2.34.1
+
diff --git a/queue-4.4/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch b/queue-4.4/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch
new file mode 100644
index 00000000000..c01c9f4e6bf
--- /dev/null
+++ b/queue-4.4/usb-gadget-f_fs-use-stream_open-for-endpoint-files.patch
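Review bot: With `kfree(ftdi);` added as the last statement of `ftdi_elan_delete`, the preceding `ftdi->bulk_in_buffer = NULL;` becomes a dead store into memory that is freed on the very next line; drop it, or keep it only with a comment saying the store is deliberate. Since this is the kref release callback, nothing may reach `ftdi` after the `kfree`, so it is worth confirming that the `mutex_unlock(&ftdi_module_lock)` context line already follows the removal of `ftdi` from any module-wide list. The function starts outside the hunk.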
@@ -0,0 +1,65 @@
+From c1b8b08f438b63d2277a2ec5e1d4e494d04303c5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 12 Nov 2021 15:54:40 +0530
+Subject: usb: gadget: f_fs: Use stream_open() for endpoint files
+
+From: Pavankumar Kondeti
+
+[ Upstream commit c76ef96fc00eb398c8fc836b0eb2f82bcc619dc7 ]
+
+Function fs endpoint file operations are synchronized via an interruptible
+mutex wait. However we see threads that do ep file operations concurrently
+are getting blocked for the mutex lock in __fdget_pos(). This is an
+uninterruptible wait and we see hung task warnings and kernel panic
+if hung_task_panic systcl is enabled if host does not send/receive
+the data for long time.
+
+The reason for threads getting blocked in __fdget_pos() is due to
+the file position protection introduced by the commit 9c225f2655e3
+("vfs: atomic f_pos accesses as per POSIX"). Since function fs
+endpoint files does not have the notion of the file position, switch
+to the stream mode. This will bypass the file position mutex and
+threads will be blocked in interruptible state for the function fs
+mutex.
+
+It should not affects user space as we are only changing the task state
+changes the task state from UNINTERRUPTIBLE to INTERRUPTIBLE while waiting
+for the USB transfers to be finished. However there is a slight change to
+the O_NONBLOCK behavior. Earlier threads that are using O_NONBLOCK are also
+getting blocked inside fdget_pos(). Now they reach to function fs and error
+code is returned. The non blocking behavior is actually honoured now.
+
+Reviewed-by: John Keeping
+Signed-off-by: Pavankumar Kondeti
+Link: https://lore.kernel.org/r/1636712682-1226-1-git-send-email-quic_pkondeti@quicinc.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/function/f_fs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/function/f_fs.c b/drivers/usb/gadget/function/f_fs.c
+index 390e592358e63..7af4d05dabeaa 100644
+--- a/drivers/usb/gadget/function/f_fs.c
++++ b/drivers/usb/gadget/function/f_fs.c
+@@ -541,7 +541,7 @@ static int ffs_ep0_open(struct inode *inode, struct file *file)
+ file->private_data = ffs;
+ ffs_data_opened(ffs);
+
+- return 0;
++ return stream_open(inode, file);
+ }
+
+ static int ffs_ep0_release(struct inode *inode, struct file *file)
+@@ -882,7 +882,7 @@ ffs_epfile_open(struct inode *inode, struct file *file)
+ file->private_data = epfile;
+ ffs_data_opened(epfile->ffs);
+
+- return 0;
++ return stream_open(inode, file);
+ }
+
+ static int ffs_aio_cancel(struct kiocb *kiocb)
+--
+2.34.1
+
diff --git a/queue-4.4/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch b/queue-4.4/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch
new file mode 100644
index 00000000000..07e29c36549
--- /dev/null
+++ b/queue-4.4/usb-hub-add-delay-for-superspeed-hub-resume-to-let-l.patch
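Review bot: In both hunks `return stream_open(inode, file);` runs after `ffs_data_opened()` has already taken its open reference, so if `stream_open()` ever returned non-zero that reference would not be dropped. To my knowledge `stream_open()` only sets file-mode flags and returns 0, so this is safe today, but either calling it before `ffs_data_opened()` or adding `/* stream_open() cannot fail; open ref already taken above */` would make that dependency explicit. For a 4.4 backport also confirm `stream_open()` is present in this tree, since it post-dates the base release. Both `ffs_ep0_open` and `ffs_epfile_open` start outside the hunk.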
@@ -0,0 +1,97 @@
+From ef5d99786d7e13cb262fa9af3423181ba367b0db Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Dec 2021 20:01:06 +0800
+Subject: usb: hub: Add delay for SuperSpeed hub resume to let links transit to
+ U0
+
+From: Kai-Heng Feng
+
+[ Upstream commit 00558586382891540c59c9febc671062425a6e47 ]
+
+When a new USB device gets plugged to nested hubs, the affected hub,
+which connects to usb 2-1.4-port2, doesn't report there's any change,
+hence the nested hubs go back to runtime suspend like nothing happened:
+[ 281.032951] usb usb2: usb wakeup-resume
+[ 281.032959] usb usb2: usb auto-resume
+[ 281.032974] hub 2-0:1.0: hub_resume
+[ 281.033011] usb usb2-port1: status 0263 change 0000
+[ 281.033077] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000
+[ 281.049797] usb 2-1: usb wakeup-resume
+[ 281.069800] usb 2-1: Waited 0ms for CONNECT
+[ 281.069810] usb 2-1: finish resume
+[ 281.070026] hub 2-1:1.0: hub_resume
+[ 281.070250] usb 2-1-port4: status 0203 change 0000
+[ 281.070272] usb usb2-port1: resume, status 0
+[ 281.070282] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000
+[ 281.089813] usb 2-1.4: usb wakeup-resume
+[ 281.109792] usb 2-1.4: Waited 0ms for CONNECT
+[ 281.109801] usb 2-1.4: finish resume
+[ 281.109991] hub 2-1.4:1.0: hub_resume
+[ 281.110147] usb 2-1.4-port2: status 0263 change 0000
+[ 281.110234] usb 2-1-port4: resume, status 0
+[ 281.110239] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s
+[ 281.110266] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000
+[ 281.110426] hub 2-1.4:1.0: hub_suspend
+[ 281.110565] usb 2-1.4: usb auto-suspend, wakeup 1
+[ 281.130998] hub 2-1:1.0: hub_suspend
+[ 281.137788] usb 2-1: usb auto-suspend, wakeup 1
+[ 281.142935] hub 2-0:1.0: state 7 ports 4 chg 0000 evt 0000
+[ 281.177828] usb 2-1: usb wakeup-resume
+[ 281.197839] usb 2-1: Waited 0ms for CONNECT
+[ 281.197850] usb 2-1: finish resume
+[ 281.197984] hub 2-1:1.0: hub_resume
+[ 281.198203] usb 2-1-port4: status 0203 change 0000
+[ 281.198228] usb
usb2-port1: resume, status 0
+[ 281.198237] hub 2-1:1.0: state 7 ports 4 chg 0010 evt 0000
+[ 281.217835] usb 2-1.4: usb wakeup-resume
+[ 281.237834] usb 2-1.4: Waited 0ms for CONNECT
+[ 281.237845] usb 2-1.4: finish resume
+[ 281.237990] hub 2-1.4:1.0: hub_resume
+[ 281.238067] usb 2-1.4-port2: status 0263 change 0000
+[ 281.238148] usb 2-1-port4: resume, status 0
+[ 281.238152] usb 2-1-port4: status 0203, change 0000, 10.0 Gb/s
+[ 281.238166] hub 2-1.4:1.0: state 7 ports 4 chg 0000 evt 0000
+[ 281.238385] hub 2-1.4:1.0: hub_suspend
+[ 281.238523] usb 2-1.4: usb auto-suspend, wakeup 1
+[ 281.258076] hub 2-1:1.0: hub_suspend
+[ 281.265744] usb 2-1: usb auto-suspend, wakeup 1
+[ 281.285976] hub 2-0:1.0: hub_suspend
+[ 281.285988] usb usb2: bus auto-suspend, wakeup 1
+
+USB 3.2 spec, 9.2.5.4 "Changing Function Suspend State" says that "If
+the link is in a non-U0 state, then the device must transition the link
+to U0 prior to sending the remote wake message", but the hub only
+transits the link to U0 after signaling remote wakeup.
+
+So be more forgiving and use a 20ms delay to let the link transit to U0
+for remote wakeup.
+
+Suggested-by: Alan Stern
+Acked-by: Alan Stern
+Signed-off-by: Kai-Heng Feng
+Link: https://lore.kernel.org/r/20211215120108.336597-1-kai.heng.feng@canonical.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/core/hub.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/core/hub.c b/drivers/usb/core/hub.c
+index 97edc38eb8d2d..9b6d41740aaa6 100644
+--- a/drivers/usb/core/hub.c
++++ b/drivers/usb/core/hub.c
+@@ -1054,7 +1054,10 @@ static void hub_activate(struct usb_hub *hub, enum hub_activation_type type)
+ } else {
+ hub_power_on(hub, true);
+ }
+- }
++ /* Give some time on remote wakeup to let links to transit to U0 */
++ } else if (hub_is_superspeed(hub->hdev))
++ msleep(20);
++
+ init2:
+
+ /*
+--
+2.34.1
+
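Review bot: The new `else if (hub_is_superspeed(hub->hdev))` branch is unbraced while the `if` branch it follows is braced, and its comment is placed before the closing `}` of that branch rather than on the statement it explains; kernel style braces every branch when one of them needs braces. Suggest `} else if (hub_is_superspeed(hub->hdev)) {` then the comment, then `msleep(20);` and a closing `}`. The 20 ms is a bare constant; a short comment tying it to the remote-wakeup/U0 transition the changelog describes, or a named macro, would keep the rationale next to the code. `hub_activate` starts outside the hunk.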
diff --git a/queue-4.4/w1-misuse-of-get_user-put_user-reported-by-sparse.patch b/queue-4.4/w1-misuse-of-get_user-put_user-reported-by-sparse.patch
new file mode 100644
index 00000000000..11ea85ff397
--- /dev/null
+++ b/queue-4.4/w1-misuse-of-get_user-put_user-reported-by-sparse.patch
@@ -0,0 +1,86 @@
+From dca83d79456dfc2e1a58ab8a8d561050461c253e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Nov 2021 18:06:46 +0100
+Subject: w1: Misuse of get_user()/put_user() reported by sparse
+
+From: Christophe Leroy
+
+[ Upstream commit 33dc3e3e99e626ce51f462d883b05856c6c30b1d ]
+
+sparse warnings: (new ones prefixed by >>)
+>> drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char [noderef] __user *_pu_addr @@ got char *buf @@
+ drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: expected char [noderef] __user *_pu_addr
+ drivers/w1/slaves/w1_ds28e04.c:342:13: sparse: got char *buf
+>> drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: sparse: incorrect type in initializer (different address spaces) @@ expected char const [noderef] __user *_gu_addr @@ got char const *buf @@
+ drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: expected char const [noderef] __user *_gu_addr
+ drivers/w1/slaves/w1_ds28e04.c:356:13: sparse: got char const *buf
+
+The buffer buf is a failsafe buffer in kernel space, it's not user
+memory hence doesn't deserve the use of get_user() or put_user().
+
+Access 'buf' content directly.
+
+Link: https://lore.kernel.org/lkml/202111190526.K5vb7NWC-lkp@intel.com/T/
+Reported-by: kernel test robot
+Signed-off-by: Christophe Leroy
+Link: https://lore.kernel.org/r/d14ed8d71ad4372e6839ae427f91441d3ba0e94d.1637946316.git.christophe.leroy@csgroup.eu
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/w1/slaves/w1_ds28e04.c | 26 ++++++--------------------
+ 1 file changed, 6 insertions(+), 20 deletions(-)
+
+diff --git a/drivers/w1/slaves/w1_ds28e04.c b/drivers/w1/slaves/w1_ds28e04.c
+index 365d6dff21de2..83c5864891424 100644
+--- a/drivers/w1/slaves/w1_ds28e04.c
++++ b/drivers/w1/slaves/w1_ds28e04.c
+@@ -39,7 +39,7 @@ static int w1_strong_pullup = 1;
+ module_param_named(strong_pullup, w1_strong_pullup, int, 0);
+
+ /* enable/disable CRC checking on DS28E04-100 memory accesses */
+-static char w1_enable_crccheck = 1;
++static bool w1_enable_crccheck = true;
+
+ #define W1_EEPROM_SIZE 512
+ #define W1_PAGE_COUNT 16
+@@ -346,32 +346,18 @@ static BIN_ATTR_RW(pio, 1);
+ static ssize_t crccheck_show(struct device *dev, struct device_attribute *attr,
+ char *buf)
+ {
+- if (put_user(w1_enable_crccheck + 0x30, buf))
+- return -EFAULT;
+-
+- return sizeof(w1_enable_crccheck);
++ return sysfs_emit(buf, "%d\n", w1_enable_crccheck);
+ }
+
+ static ssize_t crccheck_store(struct device *dev, struct device_attribute *attr,
+ const char *buf, size_t count)
+ {
+- char val;
+-
+- if (count != 1 || !buf)
+- return -EINVAL;
++ int err = kstrtobool(buf, &w1_enable_crccheck);
+
+- if (get_user(val, buf))
+- return -EFAULT;
++ if (err)
++ return err;
+
+- /* convert to decimal */
+- val = val - 0x30;
+- if (val != 0 && val != 1)
+- return -EINVAL;
+-
+- /* set the new value */
+- w1_enable_crccheck = val;
+-
+- return sizeof(w1_enable_crccheck);
++ return count;
+ }
+
+ static DEVICE_ATTR_RW(crccheck);
+--
+2.34.1
+
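Review bot: `crccheck_store` now hands the sysfs buffer to `kstrtobool(buf, &w1_enable_crccheck)` and writes straight into the module-wide flag, which is sound only because `kstrtobool()` stores nothing on a parse error; a one-line comment such as `/* kstrtobool() leaves the flag untouched on error */` above the `if (err)` would record that. For a 4.4 tree, both `kstrtobool()` and `sysfs_emit()` post-date the base release (the pre-4.6 spelling is `strtobool()`), so confirm this stable branch already carries them before queueing, otherwise the file will not build. The replacement of `put_user()`/`get_user()` on a kernel buffer with direct access is the right fix and removes a kernel pointer being passed through user-access helpers.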