From: Greg Kroah-Hartman Date: Sun, 28 May 2023 16:45:32 +0000 (+0100) Subject: 4.19-stable patches X-Git-Tag: review~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c07d0d0691a73a35bd12f089e0512a773712e330;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch net-fix-skb-leak-in-__skb_tstamp_tx.patch power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch power-supply-leds-fix-blink-to-led-on-transition.patch power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch --- diff --git a/queue-4.19/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch b/queue-4.19/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch new file mode 100644 index 00000000000..b092d49858f --- /dev/null +++ b/queue-4.19/bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch @@ -0,0 +1,58 @@ +From 0613d8ca9ab382caabe9ed2dceb429e9781e443f Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Thu, 18 May 2023 11:25:28 +0100 +Subject: bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields + +From: Will Deacon + +commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream. + +A narrow load from a 64-bit context field results in a 64-bit load +followed potentially by a 64-bit right-shift and then a bitwise AND +operation to extract the relevant data. + +In the case of a 32-bit access, an immediate mask of 0xffffffff is used +to construct a 64-bit BPP_AND operation which then sign-extends the mask +value and effectively acts as a glorified no-op. For example: + +0: 61 10 00 00 00 00 00 00 r0 = *(u32 *)(r1 + 0) + +results in the following code generation for a 64-bit field: + + ldr x7, [x7] // 64-bit load + mov x10, #0xffffffffffffffff + and x7, x7, x10 + +Fix the mask generation so that narrow loads always perform a 32-bit AND +operation: + + ldr x7, [x7] // 64-bit load + mov w10, #0xffffffff + and w7, w7, w10 + +Cc: Alexei Starovoitov +Cc: Daniel Borkmann +Cc: John Fastabend +Cc: Krzesimir Nowak +Cc: Andrey Ignatov +Acked-by: Yonghong Song +Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields") +Signed-off-by: Will Deacon +Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5936,7 +5936,7 @@ static int convert_ctx_accesses(struct b + insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH, + insn->dst_reg, + shift); +- insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, ++ insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, + (1ULL << size * 8) - 1); + } + } diff --git a/queue-4.19/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch b/queue-4.19/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch new file mode 100644 index 00000000000..53d099f532e --- /dev/null +++ b/queue-4.19/coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch @@ -0,0 +1,40 @@ +From f67bc15e526bb9920683ad6c1891ff9e08981335 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 21 Apr 2023 13:42:41 +0300 +Subject: coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() + +From: Dan Carpenter + +commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream. + +This code generates a Smatch warning: + + drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet() + error: uninitialized symbol 'bufp'. + +The problem is that if tmc_sg_table_get_data() returns -EINVAL, then +when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len" +value is type promoted to a high unsigned long value which is greater +than CORESIGHT_BARRIER_PKT_SIZE. Fix this bug by adding an explicit +check for error codes. + +Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management") +Signed-off-by: Dan Carpenter +Signed-off-by: Suzuki K Poulose +Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-tmc-etr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c ++++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c +@@ -866,7 +866,7 @@ tmc_etr_buf_insert_barrier_packet(struct + + len = tmc_etr_buf_get_data(etr_buf, offset, + CORESIGHT_BARRIER_PKT_SIZE, &bufp); +- if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE)) ++ if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE)) + return -EINVAL; + coresight_insert_barrier_packet(bufp); + return offset + CORESIGHT_BARRIER_PKT_SIZE; diff --git a/queue-4.19/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch b/queue-4.19/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch new file mode 100644 index 00000000000..69d741b77f6 --- /dev/null +++ b/queue-4.19/ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch @@ -0,0 +1,36 @@ +From 878ecb0897f4737a4c9401f3523fd49589025671 Mon Sep 17 00:00:00 2001 +From: Gavrilov Ilia +Date: Tue, 23 May 2023 08:29:44 +0000 +Subject: ipv6: Fix out-of-bounds access in ipv6_find_tlv() + +From: Gavrilov Ilia + +commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream. + +optlen is fetched without checking whether there is more than one byte to parse. +It can lead to out-of-bounds access. + +Found by InfoTeCS on behalf of Linux Verification Center +(linuxtesting.org) with SVACE. + +Fixes: c61a40432509 ("[IPV6]: Find option offset by type.") +Signed-off-by: Gavrilov Ilia +Reviewed-by: Jiri Pirko +Reviewed-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/exthdrs_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/ipv6/exthdrs_core.c ++++ b/net/ipv6/exthdrs_core.c +@@ -142,6 +142,8 @@ int ipv6_find_tlv(const struct sk_buff * + optlen = 1; + break; + default: ++ if (len < 2) ++ goto bad; + optlen = nh[offset + 1] + 2; + if (optlen > len) + goto bad; diff --git a/queue-4.19/net-fix-skb-leak-in-__skb_tstamp_tx.patch b/queue-4.19/net-fix-skb-leak-in-__skb_tstamp_tx.patch new file mode 100644 index 00000000000..91a645d02d4 --- /dev/null +++ b/queue-4.19/net-fix-skb-leak-in-__skb_tstamp_tx.patch @@ -0,0 +1,43 @@ +From 8a02fb71d7192ff1a9a47c9d937624966c6e09af Mon Sep 17 00:00:00 2001 +From: Pratyush Yadav +Date: Mon, 22 May 2023 17:30:20 +0200 +Subject: net: fix skb leak in __skb_tstamp_tx() + +From: Pratyush Yadav + +commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream. + +Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with +TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with +zerocopy skbs. But it ended up adding a leak of its own. When +skb_orphan_frags_rx() fails, the function just returns, leaking the skb +it just cloned. Free it before returning. + +This bug was discovered and resolved using Coverity Static Analysis +Security Testing (SAST) by Synopsys, Inc. + +Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") +Signed-off-by: Pratyush Yadav +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/core/skbuff.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -4446,8 +4446,10 @@ void __skb_tstamp_tx(struct sk_buff *ori + } else { + skb = skb_clone(orig_skb, GFP_ATOMIC); + +- if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) ++ if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { ++ kfree_skb(skb); + return; ++ } + } + if (!skb) + return; diff --git a/queue-4.19/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch b/queue-4.19/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch new file mode 100644 index 00000000000..b720b93f385 --- /dev/null +++ b/queue-4.19/power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch @@ -0,0 +1,92 @@ +From 5c34c0aef185dcd10881847b9ebf20046aa77cb4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:32 +0200 +Subject: power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition + +From: Hans de Goede + +commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream. + +bq27xxx_battery_update() assumes / requires that it is only run once, +not multiple times at the same time. But there are 3 possible callers: + +1. bq27xxx_battery_poll() delayed_work item handler +2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler +3. bq27xxx_battery_setup() + +And there is no protection against these racing with each other, +fix this race condition by making all callers take di->lock: + +- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked() + +- Add new bq27xxx_battery_update() which takes di->lock and then calls + bq27xxx_battery_update_unlocked() + +- Make stale cache check code in bq27xxx_battery_get_property(), which + already takes di->lock directly to check the jiffies, call + bq27xxx_battery_update_unlocked() instead of messing with + the delayed_work item + +- Make bq27xxx_battery_update_unlocked() mod the delayed-work item + so that the next poll is delayed to poll_interval milliseconds after + the last update independent of the source of the update + +Fixes: 740b755a3b34 ("bq27x00: Poll battery state") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 21 +++++++++++++-------- + 1 file changed, 13 insertions(+), 8 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1551,7 +1551,7 @@ static int bq27xxx_battery_read_health(s + return POWER_SUPPLY_HEALTH_GOOD; + } + +-void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di) + { + struct bq27xxx_reg_cache cache = {0, }; + bool has_ci_flag = di->opts & BQ27XXX_O_ZERO; +@@ -1599,6 +1599,16 @@ void bq27xxx_battery_update(struct bq27x + di->cache = cache; + + di->last_update = jiffies; ++ ++ if (poll_interval > 0) ++ mod_delayed_work(system_wq, &di->work, poll_interval * HZ); ++} ++ ++void bq27xxx_battery_update(struct bq27xxx_device_info *di) ++{ ++ mutex_lock(&di->lock); ++ bq27xxx_battery_update_unlocked(di); ++ mutex_unlock(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_update); + +@@ -1609,9 +1619,6 @@ static void bq27xxx_battery_poll(struct + work.work); + + bq27xxx_battery_update(di); +- +- if (poll_interval > 0) +- schedule_delayed_work(&di->work, poll_interval * HZ); + } + + /* +@@ -1772,10 +1779,8 @@ static int bq27xxx_battery_get_property( + struct bq27xxx_device_info *di = power_supply_get_drvdata(psy); + + mutex_lock(&di->lock); +- if (time_is_before_jiffies(di->last_update + 5 * HZ)) { +- cancel_delayed_work_sync(&di->work); +- bq27xxx_battery_poll(&di->work.work); +- } ++ if (time_is_before_jiffies(di->last_update + 5 * HZ)) ++ bq27xxx_battery_update_unlocked(di); + mutex_unlock(&di->lock); + + if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0) diff --git a/queue-4.19/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch b/queue-4.19/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch new file mode 100644 index 00000000000..2c58b4e491f --- /dev/null +++ b/queue-4.19/power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch @@ -0,0 +1,44 @@ +From 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:33 +0200 +Subject: power: supply: bq27xxx: Fix I2C IRQ race on remove + +From: Hans de Goede + +commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream. + +devm_request_threaded_irq() requested IRQs are only free-ed after +the driver's remove function has ran. So the IRQ could trigger and +call bq27xxx_battery_update() after bq27xxx_battery_teardown() has +already run. + +Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove() +to fix this. + +Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery_i2c.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/power/supply/bq27xxx_battery_i2c.c ++++ b/drivers/power/supply/bq27xxx_battery_i2c.c +@@ -187,7 +187,7 @@ static int bq27xxx_battery_i2c_probe(str + i2c_set_clientdata(client, di); + + if (client->irq) { +- ret = devm_request_threaded_irq(&client->dev, client->irq, ++ ret = request_threaded_irq(client->irq, + NULL, bq27xxx_battery_irq_handler_thread, + IRQF_ONESHOT, + di->name, di); +@@ -217,6 +217,7 @@ static int bq27xxx_battery_i2c_remove(st + { + struct bq27xxx_device_info *di = i2c_get_clientdata(client); + ++ free_irq(client->irq, di); + bq27xxx_battery_teardown(di); + + mutex_lock(&battery_mutex); diff --git a/queue-4.19/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch b/queue-4.19/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch new file mode 100644 index 00000000000..591c31cf8a8 --- /dev/null +++ b/queue-4.19/power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch @@ -0,0 +1,94 @@ +From c00bc80462afc7963f449d7f21d896d2f629cacc Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 15 Apr 2023 20:23:34 +0200 +Subject: power: supply: bq27xxx: Fix poll_interval handling and races on remove + +From: Hans de Goede + +commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream. + +Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0 +to avoid bq27xxx_battery_update() requeuing the delayed_work item. + +There are 2 problems with this: + +1. If the driver is unbound through sysfs, rather then the module being + rmmod-ed, this changes poll_interval unexpectedly + +2. This is racy, after it being set poll_interval could be changed + before bq27xxx_battery_update() checks it through + /sys/module/bq27xxx_battery/parameters/poll_interval + +Fix this by added a removed attribute to struct bq27xxx_device_info and +using that instead of setting poll_interval to 0. + +There also is another poll_interval related race on remove(), writing +/sys/module/bq27xxx_battery/parameters/poll_interval will requeue +the delayed_work item for all devices on the bq27xxx_battery_devices +list and the device being removed was only removed from that list +after cancelling the delayed_work item. + +Fix this by moving the removal from the bq27xxx_battery_devices list +to before cancelling the delayed_work item. + +Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver") +Signed-off-by: Hans de Goede +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/bq27xxx_battery.c | 22 +++++++++------------- + include/linux/power/bq27xxx_battery.h | 1 + + 2 files changed, 10 insertions(+), 13 deletions(-) + +--- a/drivers/power/supply/bq27xxx_battery.c ++++ b/drivers/power/supply/bq27xxx_battery.c +@@ -1600,7 +1600,7 @@ static void bq27xxx_battery_update_unloc + + di->last_update = jiffies; + +- if (poll_interval > 0) ++ if (!di->removed && poll_interval > 0) + mod_delayed_work(system_wq, &di->work, poll_interval * HZ); + } + +@@ -1917,22 +1917,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup) + + void bq27xxx_battery_teardown(struct bq27xxx_device_info *di) + { +- /* +- * power_supply_unregister call bq27xxx_battery_get_property which +- * call bq27xxx_battery_poll. +- * Make sure that bq27xxx_battery_poll will not call +- * schedule_delayed_work again after unregister (which cause OOPS). +- */ +- poll_interval = 0; +- +- cancel_delayed_work_sync(&di->work); +- +- power_supply_unregister(di->bat); +- + mutex_lock(&bq27xxx_list_lock); + list_del(&di->list); + mutex_unlock(&bq27xxx_list_lock); + ++ /* Set removed to avoid bq27xxx_battery_update() re-queuing the work */ ++ mutex_lock(&di->lock); ++ di->removed = true; ++ mutex_unlock(&di->lock); ++ ++ cancel_delayed_work_sync(&di->work); ++ ++ power_supply_unregister(di->bat); + mutex_destroy(&di->lock); + } + EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown); +--- a/include/linux/power/bq27xxx_battery.h ++++ b/include/linux/power/bq27xxx_battery.h +@@ -63,6 +63,7 @@ struct bq27xxx_device_info { + struct bq27xxx_access_methods bus; + struct bq27xxx_reg_cache cache; + int charge_design_full; ++ bool removed; + unsigned long last_update; + struct delayed_work work; + struct power_supply *bat; diff --git a/queue-4.19/power-supply-leds-fix-blink-to-led-on-transition.patch b/queue-4.19/power-supply-leds-fix-blink-to-led-on-transition.patch new file mode 100644 index 00000000000..648d3b45de6 --- /dev/null +++ b/queue-4.19/power-supply-leds-fix-blink-to-led-on-transition.patch @@ -0,0 +1,51 @@ +From e4484643991e0f6b89060092563f0dbab9450cbb Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Thu, 13 Apr 2023 12:09:41 +0200 +Subject: power: supply: leds: Fix blink to LED on transition + +From: Hans de Goede + +commit e4484643991e0f6b89060092563f0dbab9450cbb upstream. + +When a battery's status changes from charging to full then +the charging-blink-full-solid trigger tries to change +the LED from blinking to solid/on. + +As is documented in include/linux/leds.h to deactivate blinking / +to make the LED solid a LED_OFF must be send: + +""" + * Deactivate blinking again when the brightness is set to LED_OFF + * via the brightness_set() callback. +""" + +led_set_brighness() calls with a brightness value other then 0 / LED_OFF +merely change the brightness of the LED in its on state while it is +blinking. + +So power_supply_update_bat_leds() must first send a LED_OFF event +before the LED_FULL to disable blinking. + +Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full") +Signed-off-by: Hans de Goede +Reviewed-by: Vasily Khoruzhick +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/power_supply_leds.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/power/supply/power_supply_leds.c ++++ b/drivers/power/supply/power_supply_leds.c +@@ -35,8 +35,9 @@ static void power_supply_update_bat_leds + led_trigger_event(psy->charging_full_trig, LED_FULL); + led_trigger_event(psy->charging_trig, LED_OFF); + led_trigger_event(psy->full_trig, LED_FULL); +- led_trigger_event(psy->charging_blink_full_solid_trig, +- LED_FULL); ++ /* Going from blink to LED on requires a LED_OFF event to stop blink */ ++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF); ++ led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL); + break; + case POWER_SUPPLY_STATUS_CHARGING: + led_trigger_event(psy->charging_full_trig, LED_FULL); diff --git a/queue-4.19/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch b/queue-4.19/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch new file mode 100644 index 00000000000..d1e464a9fc6 --- /dev/null +++ b/queue-4.19/power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch @@ -0,0 +1,31 @@ +From b2f2a3c9800208b0db2c2e34b05323757117faa2 Mon Sep 17 00:00:00 2001 +From: Daisuke Nojiri +Date: Mon, 24 Apr 2023 11:25:58 -0700 +Subject: power: supply: sbs-charger: Fix INHIBITED bit for Status reg + +From: Daisuke Nojiri + +commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream. + +CHARGE_INHIBITED bit position of the ChargerStatus register is actually +0 not 1. This patch corrects it. + +Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver") +Signed-off-by: Daisuke Nojiri +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/sbs-charger.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/power/supply/sbs-charger.c ++++ b/drivers/power/supply/sbs-charger.c +@@ -29,7 +29,7 @@ + #define SBS_CHARGER_REG_STATUS 0x13 + #define SBS_CHARGER_REG_ALARM_WARNING 0x16 + +-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(1) ++#define SBS_CHARGER_STATUS_CHARGE_INHIBITED BIT(0) + #define SBS_CHARGER_STATUS_RES_COLD BIT(9) + #define SBS_CHARGER_STATUS_RES_HOT BIT(10) + #define SBS_CHARGER_STATUS_BATTERY_PRESENT BIT(14) diff --git a/queue-4.19/series b/queue-4.19/series index f174bedd89a..ab31b924e32 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -116,3 +116,13 @@ udplite-fix-null-pointer-dereference-in-__sk_mem_raise_allocated.patch usb-core-add-routines-for-endpoint-checks-in-old-drivers.patch usb-sisusbvga-add-endpoint-checks.patch media-radio-shark-add-endpoint-checks.patch +net-fix-skb-leak-in-__skb_tstamp_tx.patch +bpf-fix-mask-generation-for-32-bit-narrow-loads-of-64-bit-fields.patch +ipv6-fix-out-of-bounds-access-in-ipv6_find_tlv.patch +power-supply-leds-fix-blink-to-led-on-transition.patch +power-supply-bq27xxx-fix-bq27xxx_battery_update-race-condition.patch +power-supply-bq27xxx-fix-i2c-irq-race-on-remove.patch +power-supply-bq27xxx-fix-poll_interval-handling-and-races-on-remove.patch +power-supply-sbs-charger-fix-inhibited-bit-for-status-reg.patch +coresight-fix-signedness-bug-in-tmc_etr_buf_insert_barrier_packet.patch +xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch diff --git a/queue-4.19/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch b/queue-4.19/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch new file mode 100644 index 00000000000..f2d01a9ace6 --- /dev/null +++ b/queue-4.19/xen-pvcalls-back-fix-double-frees-with-pvcalls_new_active_socket.patch @@ -0,0 +1,60 @@ +From 8fafac202d18230bb9926bda48e563fd2cce2a4f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 3 May 2023 18:11:35 +0300 +Subject: xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() + +From: Dan Carpenter + +commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream. + +In the pvcalls_new_active_socket() function, most error paths call +pvcalls_back_release_active(fedata->dev, fedata, map) which calls +sock_release() on "sock". The bug is that the caller also frees sock. + +Fix this by making every error path in pvcalls_new_active_socket() +release the sock, and don't free it in the caller. + +Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command") +Signed-off-by: Dan Carpenter +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain +Signed-off-by: Juergen Gross +Signed-off-by: Greg Kroah-Hartman +--- + drivers/xen/pvcalls-back.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/xen/pvcalls-back.c ++++ b/drivers/xen/pvcalls-back.c +@@ -330,8 +330,10 @@ static struct sock_mapping *pvcalls_new_ + void *page; + + map = kzalloc(sizeof(*map), GFP_KERNEL); +- if (map == NULL) ++ if (map == NULL) { ++ sock_release(sock); + return NULL; ++ } + + map->fedata = fedata; + map->sock = sock; +@@ -423,10 +425,8 @@ static int pvcalls_back_connect(struct x + req->u.connect.ref, + req->u.connect.evtchn, + sock); +- if (!map) { ++ if (!map) + ret = -EFAULT; +- sock_release(sock); +- } + + out: + rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++); +@@ -567,7 +567,6 @@ static void __pvcalls_back_accept(struct + sock); + if (!map) { + ret = -EFAULT; +- sock_release(sock); + goto out_error; + } +