From: Sasha Levin
Date: Thu, 9 Jun 2022 13:40:34 +0000 (-0400)
Subject: Fixes for 4.19
X-Git-Tag: v4.9.318~115
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cc2e31c794347f24d45657a1a386e54509d5ada0;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.19
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.19/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch b/queue-4.19/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch
new file mode 100644
index 00000000000..e9ce3a832bc
--- /dev/null
+++ b/queue-4.19/afs-fix-infinite-loop-found-by-xfstest-generic-676.patch
@@ -0,0 +1,65 @@
+From ad33fbc45384b1d9ffcc2957417ce1ecc76ed4e2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 31 May 2022 09:30:40 +0100
+Subject: afs: Fix infinite loop found by xfstest generic/676
+
+From: David Howells
+
+[ Upstream commit 17eabd42560f4636648ad65ba5b20228071e2363 ]
+
+In AFS, a directory is handled as a file that the client downloads and
+parses locally for the purposes of performing lookup and getdents
+operations. The in-kernel afs filesystem has a number of functions that
+do this.
+
+A directory file is arranged as a series of 2K blocks divided into
+32-byte slots, where a directory entry occupies one or more slots, plus
+each block starts with one or more metadata blocks.
+
+When parsing a block, if the last slots are occupied by a dirent that
+occupies more than a single slot and the file position points at a slot
+that's not the initial one, the logic in afs_dir_iterate_block() that
+skips over it won't advance the file pointer to the end of it. This
+will cause an infinite loop in getdents() as it will keep retrying that
+block and failing to advance beyond the final entry.
+
+Fix this by advancing the file pointer if the next entry will be beyond
+it when we skip a block.
+
+This was found by the generic/676 xfstest but can also be triggered with
+something like:
+
+ ~/xfstests-dev/src/t_readdir_3 /xfstest.test/z 4000 1
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: David Howells
+Reviewed-by: Marc Dionne
+Tested-by: Marc Dionne
+cc: linux-afs@lists.infradead.org
+Link: http://lore.kernel.org/r/165391973497.110268.2939296942213894166.stgit@warthog.procyon.org.uk/
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ fs/afs/dir.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/fs/afs/dir.c b/fs/afs/dir.c
+index 54e7f6f1405e..59eb92484051 100644
+--- a/fs/afs/dir.c
++++ b/fs/afs/dir.c
+@@ -383,8 +383,11 @@ static int afs_dir_iterate_block(struct dir_context *ctx,
+ }
+
+ /* skip if starts before the current position */
+- if (offset < curr)
++ if (offset < curr) {
++ if (next > curr)
++ ctx->pos = blkoff + next * sizeof(union afs_xdr_dirent);
+ continue;
++ }
+
+ /* found the next entry */
+ if (!dir_emit(ctx, dire->u.name, nlen,
+--
+2.35.1
+
diff --git a/queue-4.19/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch b/queue-4.19/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch
new file mode 100644
index 00000000000..cd52cf0fbfc
--- /dev/null
+++ b/queue-4.19/bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch
@@ -0,0 +1,45 @@
+From 3a67f4ff8bdebb5993373f18e97a0a9beccf740e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 12 May 2022 08:30:21 +0300
+Subject: bus: ti-sysc: Fix warnings for unbind for serial
+
+From: Tony Lindgren
+
+[ Upstream commit c337125b8834f9719dfda0e40b25eaa266f1b8cf ]
+
+We can get "failed to disable" clock_unprepare warnings on unbind at least
+for the serial console device if the unbind is done before the device has
+been idled.
+
+As some devices are using deferred idle, we must check the status for
+pending idle work to idle the device.
+
+Fixes: 76f0f772e469 ("bus: ti-sysc: Improve handling for no-reset-on-init and no-idle-on-init")
+Cc: Romain Naour
+Reviewed-by: Romain Naour
+Signed-off-by: Tony Lindgren
+Link: https://lore.kernel.org/r/20220512053021.61650-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/bus/ti-sysc.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/bus/ti-sysc.c b/drivers/bus/ti-sysc.c
+index b6a278183d82..bc274ddb9767 100644
+--- a/drivers/bus/ti-sysc.c
++++ b/drivers/bus/ti-sysc.c
+@@ -1801,7 +1801,9 @@ static int sysc_remove(struct platform_device *pdev)
+ struct sysc *ddata = platform_get_drvdata(pdev);
+ int error;
+
+- cancel_delayed_work_sync(&ddata->idle_work);
++ /* Device can still be enabled, see deferred idle quirk in probe */
++ if (cancel_delayed_work_sync(&ddata->idle_work))
++ ti_sysc_idle(&ddata->idle_work.work);
+
+ error = pm_runtime_get_sync(ddata->dev);
+ if (error < 0) {
+--
+2.35.1
+
diff --git a/queue-4.19/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch b/queue-4.19/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
new file mode 100644
index 00000000000..71dc0850d62
--- /dev/null
+++ b/queue-4.19/clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
@@ -0,0 +1,38 @@
+From c345ad0b90bbf9f805c93a89af6998d1b46a8e3c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 12:41:01 +0200
+Subject: clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return
+ value
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 9c04a8ff03def4df3f81219ffbe1ec9b44ff5348 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 89355274e1f7 ("clocksource/drivers/oxnas-rps: Add Oxford Semiconductor RPS Dual Timer")
+Signed-off-by: Krzysztof Kozlowski
+Reviewed-by: Neil Armstrong
+Link: https://lore.kernel.org/r/20220422104101.55754-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/timer-oxnas-rps.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/timer-oxnas-rps.c b/drivers/clocksource/timer-oxnas-rps.c
+index 30c6f4ce672b..cfcd54e66c57 100644
+--- a/drivers/clocksource/timer-oxnas-rps.c
++++ b/drivers/clocksource/timer-oxnas-rps.c
+@@ -247,7 +247,7 @@ static int __init oxnas_rps_timer_init(struct device_node *np)
+ }
+
+ rps->irq = irq_of_parse_and_map(np, 0);
+- if (rps->irq < 0) {
++ if (!rps->irq) {
+ ret = -EINVAL;
+ goto err_iomap;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/clocksource-drivers-riscv-events-are-stopped-during-.patch b/queue-4.19/clocksource-drivers-riscv-events-are-stopped-during-.patch
new file mode 100644
index 00000000000..042da5ad062
--- /dev/null
+++ b/queue-4.19/clocksource-drivers-riscv-events-are-stopped-during-.patch
@@ -0,0 +1,40 @@
+From f0af6b7a5707485d1668a9967e28e45da5874232 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 8 May 2022 20:21:21 -0500
+Subject: clocksource/drivers/riscv: Events are stopped during CPU suspend
+
+From: Samuel Holland
+
+[ Upstream commit 232ccac1bd9b5bfe73895f527c08623e7fa0752d ]
+
+Some implementations of the SBI time extension depend on hart-local
+state (for example, CSRs) that are lost or hardware that is powered
+down when a CPU is suspended. To be safe, the clockevents driver
+cannot assume that timer IRQs will be received during CPU suspend.
+
+Fixes: 62b019436814 ("clocksource: new RISC-V SBI timer driver")
+Signed-off-by: Samuel Holland
+Reviewed-by: Anup Patel
+Link: https://lore.kernel.org/r/20220509012121.40031-1-samuel@sholland.org
+Signed-off-by: Daniel Lezcano
+Signed-off-by: Sasha Levin
+---
+ drivers/clocksource/riscv_timer.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/clocksource/riscv_timer.c b/drivers/clocksource/riscv_timer.c
+index 4e8b347e43e2..0d5b99ca3bbd 100644
+--- a/drivers/clocksource/riscv_timer.c
++++ b/drivers/clocksource/riscv_timer.c
+@@ -33,7 +33,7 @@ static int riscv_clock_next_event(unsigned long delta,
+
+ static DEFINE_PER_CPU(struct clock_event_device, riscv_clock_event) = {
+ .name = "riscv_timer_clockevent",
+- .features = CLOCK_EVT_FEAT_ONESHOT,
++ .features = CLOCK_EVT_FEAT_ONESHOT | CLOCK_EVT_FEAT_C3STOP,
+ .rating = 100,
+ .set_next_event = riscv_clock_next_event,
+ };
+--
+2.35.1
+
diff --git a/queue-4.19/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch b/queue-4.19/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
new file mode 100644
index 00000000000..125ac28131d
--- /dev/null
+++ b/queue-4.19/coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
@@ -0,0 +1,64 @@
+From 52008959f7550d84c02647fc079dea76f088edfc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 Apr 2022 19:49:03 -0300
+Subject: coresight: cpu-debug: Replace mutex with mutex_trylock on panic
+ notifier
+
+From: Guilherme G. Piccoli
+
+[ Upstream commit 1adff542d67a2ed1120955cb219bfff8a9c53f59 ]
+
+The panic notifier infrastructure executes registered callbacks when
+a panic event happens - such callbacks are executed in atomic context,
+with interrupts and preemption disabled in the running CPU and all other
+CPUs disabled. That said, mutexes in such context are not a good idea.
+
+This patch replaces a regular mutex with a mutex_trylock safer approach;
+given the nature of the mutex used in the driver, it should be pretty
+uncommon being unable to acquire such mutex in the panic path, hence
+no functional change should be observed (and if it is, that would be
+likely a deadlock with the regular mutex).
+
+Fixes: 2227b7c74634 ("coresight: add support for CPU debug module")
+Cc: Leo Yan
+Cc: Mathieu Poirier
+Cc: Mike Leach
+Cc: Suzuki K Poulose
+Signed-off-by: Guilherme G.
Piccoli
+Reviewed-by: Suzuki K Poulose
+Signed-off-by: Suzuki K Poulose
+Link: https://lore.kernel.org/r/20220427224924.592546-10-gpiccoli@igalia.com
+Signed-off-by: Sasha Levin
+---
+ drivers/hwtracing/coresight/coresight-cpu-debug.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/hwtracing/coresight/coresight-cpu-debug.c b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+index e8819d750938..a4eba09691b4 100644
+--- a/drivers/hwtracing/coresight/coresight-cpu-debug.c
++++ b/drivers/hwtracing/coresight/coresight-cpu-debug.c
+@@ -379,9 +379,10 @@ static int debug_notifier_call(struct notifier_block *self,
+ int cpu;
+ struct debug_drvdata *drvdata;
+
+- mutex_lock(&debug_lock);
++ /* Bail out if we can't acquire the mutex or the functionality is off */
++ if (!mutex_trylock(&debug_lock))
++ return NOTIFY_DONE;
+
+- /* Bail out if the functionality is disabled */
+ if (!debug_enable)
+ goto skip_dump;
+
+@@ -400,7 +401,7 @@ static int debug_notifier_call(struct notifier_block *self,
+
+ skip_dump:
+ mutex_unlock(&debug_lock);
+- return 0;
++ return NOTIFY_DONE;
+ }
+
+ static struct notifier_block debug_notifier = {
+--
+2.35.1
+
diff --git a/queue-4.19/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch b/queue-4.19/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
new file mode 100644
index 00000000000..af527ab475c
--- /dev/null
+++ b/queue-4.19/firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
@@ -0,0 +1,42 @@
+From c56ae9e96439abb1ab83f8710409ee293f114c88 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 11 May 2022 11:14:19 +0400
+Subject: firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
+
+From: Miaoqian Lin
+
+[ Upstream commit 660ba678f9998aca6db74f2dd912fa5124f0fa31 ]
+
+kobject_init_and_add() takes reference even when it fails.
+According to the doc of kobject_init_and_add()
+
+ If this function returns an error, kobject_put() must be called to
+ properly clean up the memory associated with the object.
+
+Fix this issue by calling kobject_put().
+
+Fixes: 948af1f0bbc8 ("firmware: Basic dmi-sysfs support")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220511071421.9769-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/firmware/dmi-sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/firmware/dmi-sysfs.c b/drivers/firmware/dmi-sysfs.c
+index ecf2eeb5f6f9..5d6b497d54d0 100644
+--- a/drivers/firmware/dmi-sysfs.c
++++ b/drivers/firmware/dmi-sysfs.c
+@@ -602,7 +602,7 @@ static void __init dmi_sysfs_register_handle(const struct dmi_header *dh,
+ "%d-%d", dh->type, entry->instance);
+
+ if (*ret) {
+- kfree(entry);
++ kobject_put(&entry->kobj);
+ return;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch b/queue-4.19/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch
new file mode 100644
index 00000000000..be24812caf8
--- /dev/null
+++ b/queue-4.19/iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch
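Review bot: Switching the `if (*ret)` branch from `kfree(entry)` to `kobject_put(&entry->kobj)` means the ktype's release callback now runs on an entry that has only been allocated and handed to kobject_init_and_add(). That callback is not visible in this hunk; if it does more than free the object (for instance unlinking the entry from a list it is only added to further down in this function), it would touch fields that were never initialised on this error path. Please confirm against the release function, and if that is the case, either set up the entry fully before kobject_init_and_add() or document the constraint at the call, e.g. `/* kobject_put() runs the ktype release; it must cope with an entry that was never linked */`. dmi_sysfs_register_handle() starts and ends outside the hunk.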
@@ -0,0 +1,40 @@
+From 200bc0ce8eb72c49fa5e01578dd540a5178ec7e1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Apr 2022 22:24:53 +0800
+Subject: iio: adc: sc27xx: fix read big scale voltage not right
+
+From: Cixi Geng
+
+[ Upstream commit ad930a75613282400179361e220e58b87386b8c7 ]
+
+Fix wrong configuration value of SC27XX_ADC_SCALE_MASK and
+SC27XX_ADC_SCALE_SHIFT by spec documetation.
+
+Fixes: 5df362a6cf49c (iio: adc: Add Spreadtrum SC27XX PMICs ADC support)
+Signed-off-by: Cixi Geng
+Reviewed-by: Baolin Wang
+Link: https://lore.kernel.org/r/20220419142458.884933-3-gengcixi@gmail.com
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Sasha Levin
+---
+ drivers/iio/adc/sc27xx_adc.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/iio/adc/sc27xx_adc.c b/drivers/iio/adc/sc27xx_adc.c
+index 2b60efea0c39..4095e1f7d756 100644
+--- a/drivers/iio/adc/sc27xx_adc.c
++++ b/drivers/iio/adc/sc27xx_adc.c
+@@ -35,8 +35,8 @@
+
+ /* Bits and mask definition for SC27XX_ADC_CH_CFG register */
+ #define SC27XX_ADC_CHN_ID_MASK GENMASK(4, 0)
+-#define SC27XX_ADC_SCALE_MASK GENMASK(10, 8)
+-#define SC27XX_ADC_SCALE_SHIFT 8
++#define SC27XX_ADC_SCALE_MASK GENMASK(10, 9)
++#define SC27XX_ADC_SCALE_SHIFT 9
+
+ /* Bits definitions for SC27XX_ADC_INT_EN registers */
+ #define SC27XX_ADC_IRQ_EN BIT(0)
+--
+2.35.1
+
diff --git a/queue-4.19/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch b/queue-4.19/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
new file mode 100644
index 00000000000..f01d6a28cf9
--- /dev/null
+++ b/queue-4.19/jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
@@ -0,0 +1,68 @@
+From cc48df5a5811c65f9e73c234f3c7c357871ad721 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 17:38:16 +0800
+Subject: jffs2: fix memory leak in jffs2_do_fill_super
+
+From: Baokun Li
+
+[ Upstream commit c14adb1cf70a984ed081c67e9d27bc3caad9537c ]
+
+If jffs2_iget() or d_make_root() in jffs2_do_fill_super() returns
+an error, we can observe the following kmemleak report:
+
+--------------------------------------------
+unreferenced object 0xffff888105a65340 (size 64):
+ comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [] kmem_cache_alloc_trace+0x475/0x8a0
+ [] jffs2_sum_init+0x96/0x1a0
+ [] jffs2_do_mount_fs+0x745/0x2120
+ [] jffs2_do_fill_super+0x35c/0x810
+ [] jffs2_fill_super+0x2b9/0x3b0
+ [...]
+unreferenced object 0xffff8881bd7f0000 (size 65536):
+ comm "mount", pid 710, jiffies 4302851558 (age 58.239s)
+ hex dump (first 32 bytes):
+ bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb bb ................
+ backtrace:
+ [] kmalloc_order+0xda/0x110
+ [] kmalloc_order_trace+0x21/0x130
+ [] __kmalloc+0x711/0x8a0
+ [] jffs2_sum_init+0xd9/0x1a0
+ [] jffs2_do_mount_fs+0x745/0x2120
+ [] jffs2_do_fill_super+0x35c/0x810
+ [] jffs2_fill_super+0x2b9/0x3b0
+ [...]
+--------------------------------------------
+
+This is because the resources allocated in jffs2_sum_init() are not
+released. Call jffs2_sum_exit() to release these resources to solve
+the problem.
+
+Fixes: e631ddba5887 ("[JFFS2] Add erase block summary support (mount time improvement)")
+Signed-off-by: Baokun Li
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ fs/jffs2/fs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/fs/jffs2/fs.c b/fs/jffs2/fs.c
+index 81f7a6efe168..6afaace72f2b 100644
+--- a/fs/jffs2/fs.c
++++ b/fs/jffs2/fs.c
+@@ -598,6 +598,7 @@ int jffs2_do_fill_super(struct super_block *sb, void *data, int silent)
+ jffs2_free_raw_node_refs(c);
+ kvfree(c->blocks);
+ jffs2_clear_xattr_subsystem(c);
++ jffs2_sum_exit(c);
+ out_inohash:
+ kfree(c->inocache_list);
+ out_wbuf:
+--
+2.35.1
+
diff --git a/queue-4.19/modpost-fix-removing-numeric-suffixes.patch b/queue-4.19/modpost-fix-removing-numeric-suffixes.patch
new file mode 100644
index 00000000000..c525ec4f914
--- /dev/null
+++ b/queue-4.19/modpost-fix-removing-numeric-suffixes.patch
@@ -0,0 +1,58 @@
+From 846fb739bff3d3a291f96965bd07eda9982f90a2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 24 May 2022 17:27:18 +0200
+Subject: modpost: fix removing numeric suffixes
+
+From: Alexander Lobakin
+
+[ Upstream commit b5beffa20d83c4e15306c991ffd00de0d8628338 ]
+
+With the `-z unique-symbol` linker flag or any similar mechanism,
+it is possible to trigger the following:
+
+ERROR: modpost: "param_set_uint.0" [vmlinux] is a static EXPORT_SYMBOL
+
+The reason is that for now the condition from remove_dot():
+
+if (m && (s[n + m] == '.' || s[n + m] == 0))
+
+which was designed to test if it's a dot or a '\0' after the suffix
+is never satisfied.
+This is due to that `s[n + m]` always points to the last digit of a
+numeric suffix, not on the symbol next to it (from a custom debug
+print added to modpost):
+
+param_set_uint.0, s[n + m] is '0', s[n + m + 1] is '\0'
+
+So it's off-by-one and was like that since 2014.
+
+Fix this for the sake of any potential upcoming features, but don't
+bother stable-backporting, as it's well hidden -- apart from that
+LD flag, it can be triggered only with GCC LTO which never landed
+upstream.
+
+Fixes: fcd38ed0ff26 ("scripts: modpost: fix compilation warning")
+Signed-off-by: Alexander Lobakin
+Reviewed-by: Petr Mladek
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ scripts/mod/modpost.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c
+index 7c693bd775c1..c42da4a35142 100644
+--- a/scripts/mod/modpost.c
++++ b/scripts/mod/modpost.c
+@@ -1937,7 +1937,7 @@ static char *remove_dot(char *s)
+
+ if (n && s[n]) {
+ size_t m = strspn(s + n + 1, "0123456789");
+- if (m && (s[n + m] == '.' || s[n + m] == 0))
++ if (m && (s[n + m + 1] == '.' || s[n + m + 1] == 0))
+ s[n] = 0;
+ }
+ return s;
+--
+2.35.1
+
diff --git a/queue-4.19/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch b/queue-4.19/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
new file mode 100644
index 00000000000..5cdd69c9637
--- /dev/null
+++ b/queue-4.19/net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
@@ -0,0 +1,44 @@
+From 8523b54fe9f0f499682002b11f7eb1d0190b506b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 26 May 2022 18:52:08 +0400
+Subject: net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Miaoqian Lin
+
+[ Upstream commit 02ded5a173619b11728b8bf75a3fd995a2c1ff28 ]
+
+of_get_child_by_name() returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+
+mv88e6xxx_mdio_register() pass the device node to of_mdiobus_register().
+We don't need the device node after it.
+
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: a3c53be55c95 ("net: dsa: mv88e6xxx: Support multiple MDIO busses")
+Signed-off-by: Miaoqian Lin
+Reviewed-by: Marek Behún
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/dsa/mv88e6xxx/chip.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/dsa/mv88e6xxx/chip.c b/drivers/net/dsa/mv88e6xxx/chip.c
+index 1df7aed5ae15..be064bcfd70a 100644
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -2778,6 +2778,7 @@ static int mv88e6xxx_mdios_register(struct mv88e6xxx_chip *chip,
+ */
+ child = of_get_child_by_name(np, "mdio");
+ err = mv88e6xxx_mdio_register(chip, child, false);
++ of_node_put(child);
+ if (err)
+ return err;
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch b/queue-4.19/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
new file mode 100644
index 00000000000..35b2ee6472b
--- /dev/null
+++ b/queue-4.19/net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
@@ -0,0 +1,38 @@
+From 8e221cc36c79c075ee8d24860f6675e04fa10072 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 26 May 2022 11:02:42 +0300
+Subject: net: ethernet: mtk_eth_soc: out of bounds read in
+ mtk_hwlro_get_fdir_entry()
+
+From: Dan Carpenter
+
+[ Upstream commit e7e7104e2d5ddf3806a28695670f21bef471f1e1 ]
+
+The "fsp->location" variable comes from user via ethtool_get_rxnfc().
+Check that it is valid to prevent an out of bounds read.
+
+Fixes: 7aab747e5563 ("net: ethernet: mediatek: add ethtool functions to configure RX flows of HW LRO")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mediatek/mtk_eth_soc.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/net/ethernet/mediatek/mtk_eth_soc.c b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+index 59f3dce3ab1d..f2eaf8c13cc2 100644
+--- a/drivers/net/ethernet/mediatek/mtk_eth_soc.c
++++ b/drivers/net/ethernet/mediatek/mtk_eth_soc.c
+@@ -1575,6 +1575,9 @@ static int mtk_hwlro_get_fdir_entry(struct net_device *dev,
+ struct ethtool_rx_flow_spec *fsp =
+ (struct ethtool_rx_flow_spec *)&cmd->fs;
+
++ if (fsp->location >= ARRAY_SIZE(mac->hwlro_ip))
++ return -EINVAL;
++
+ /* only tcp dst ipv4 is meaningful, others are meaningless */
+ fsp->flow_type = TCP_V4_FLOW;
+ fsp->h_u.tcp_ip4_spec.ip4dst = ntohl(mac->hwlro_ip[fsp->location]);
+--
+2.35.1
+
diff --git a/queue-4.19/net-mlx5e-update-netdev-features-after-changing-xdp-.patch b/queue-4.19/net-mlx5e-update-netdev-features-after-changing-xdp-.patch
new file mode 100644
index 00000000000..b3c2d40c0bd
--- /dev/null
+++ b/queue-4.19/net-mlx5e-update-netdev-features-after-changing-xdp-.patch
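Review bot: The added `fsp->location >= ARRAY_SIZE(mac->hwlro_ip)` test rejects an out-of-range index architecturally, but the value is user-supplied (per the commit message) and is used as an array index two lines later in `mac->hwlro_ip[fsp->location]`, which is the pattern where kernel code usually also clamps the index against speculative execution. Consider following the check with `fsp->location = array_index_nospec(fsp->location, ARRAY_SIZE(mac->hwlro_ip));` from `<linux/nospec.h>`. Other handlers that index `hwlro_ip` with the same field are not visible in this hunk, so it is worth confirming they carry an equivalent bound. mtk_hwlro_get_fdir_entry() starts and ends outside the hunk.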
@@ -0,0 +1,44 @@
+From 312a3cb3134da9e09b90b6a9df003b2ca2afcf7d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 15:39:13 +0300
+Subject: net/mlx5e: Update netdev features after changing XDP state
+
+From: Maxim Mikityanskiy
+
+[ Upstream commit f6279f113ad593971999c877eb69dc3d36a75894 ]
+
+Some features (LRO, HW GRO) conflict with XDP. If there is an attempt to
+enable such features while XDP is active, they will be set to `off
+[requested on]`. In order to activate these features after XDP is turned
+off, the driver needs to call netdev_update_features(). This commit adds
+this missing call after XDP state changes.
+
+Fixes: cf6e34c8c22f ("net/mlx5e: Properly block LRO when XDP is enabled")
+Fixes: b0617e7b3500 ("net/mlx5e: Properly block HW GRO when XDP is enabled")
+Signed-off-by: Maxim Mikityanskiy
+Reviewed-by: Tariq Toukan
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/mellanox/mlx5/core/en_main.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+index 75872aef44d0..6ecb92f55e97 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_main.c
+@@ -4327,6 +4327,11 @@ static int mlx5e_xdp_set(struct net_device *netdev, struct bpf_prog *prog)
+
+ unlock:
+ mutex_unlock(&priv->state_lock);
++
++ /* Need to fix some features. */
++ if (!err)
++ netdev_update_features(netdev);
++
+ return err;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/nfp-only-report-pause-frame-configuration-for-physic.patch b/queue-4.19/nfp-only-report-pause-frame-configuration-for-physic.patch
new file mode 100644
index 00000000000..f1efdce3204
--- /dev/null
+++ b/queue-4.19/nfp-only-report-pause-frame-configuration-for-physic.patch
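Review bot: The comment `/* Need to fix some features. */` above the new `netdev_update_features(netdev)` call names neither the features nor the reason, so the rationale lives only in the commit message. A comment such as `/* Features blocked while XDP is attached (e.g. LRO) must be re-evaluated after an XDP state change */` would keep it next to the code. The call is placed after `mutex_unlock(&priv->state_lock)`, which looks deliberate; if the feature callbacks take that lock themselves (not visible here), saying so in the comment would stop a later cleanup from moving the call back under the lock. mlx5e_xdp_set() begins outside the hunk.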
@@ -0,0 +1,46 @@
+From 3fab7410565a592f53cc707f67b37ed935b417cf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 May 2022 20:24:24 +0200
+Subject: nfp: only report pause frame configuration for physical device
+
+From: Yu Xiao
+
+[ Upstream commit 0649e4d63420ebc8cbebef3e9d39e12ffc5eb9fa ]
+
+Only report pause frame configuration for physical device. Logical
+port of both PCI PF and PCI VF do not support it.
+
+Fixes: 9fdc5d85a8fe ("nfp: update ethtool reporting of pauseframe control")
+Signed-off-by: Yu Xiao
+Signed-off-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index 2e75d0af4a58..a51661cfd27f 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -292,8 +292,6 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
+
+ /* Init to unknowns */
+ ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE);
+- ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
+- ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
+ cmd->base.port = PORT_OTHER;
+ cmd->base.speed = SPEED_UNKNOWN;
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+@@ -301,6 +299,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
+ port = nfp_port_from_netdev(netdev);
+ eth_port = nfp_port_get_eth_port(port);
+ if (eth_port) {
++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
+ cmd->base.autoneg = eth_port->aneg != NFP_ANEG_DISABLED ?
+ AUTONEG_ENABLE : AUTONEG_DISABLE;
+ nfp_net_set_fec_link_mode(eth_port, cmd);
+--
+2.35.1
+
diff --git a/queue-4.19/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch b/queue-4.19/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
new file mode 100644
index 00000000000..8f235a90ff3
--- /dev/null
+++ b/queue-4.19/pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
@@ -0,0 +1,48 @@
+From 4afc134936ec62bd2ce07a87ff3909097c33aecc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 23 Jan 2022 09:40:31 -0800
+Subject: pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
+
+From: Randy Dunlap
+
+[ Upstream commit 3928cf08334ed895a31458cbebd8d4ec6d84c080 ]
+
+When the MIPS_ALCHEMY board selection is MIPS_XXS1500 instead of
+MIPS_DB1XXX, the PCMCIA driver 'db1xxx_ss' has build errors due
+to missing DB1XXX symbols. The PCMCIA driver should be restricted
+to MIPS_DB1XXX instead of MIPS_ALCHEMY to fix this build error.
+
+ERROR: modpost: "bcsr_read" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+ERROR: modpost: "bcsr_mod" [drivers/pcmcia/db1xxx_ss.ko] undefined!
+
+Fixes: 42a4f17dc356 ("MIPS: Alchemy: remove SOC_AU1X00 in favor of MIPS_ALCHEMY")
+Signed-off-by: Randy Dunlap
+Reported-by: kernel test robot
+Cc: Arnd Bergmann
+Cc: Daniel Vetter
+Cc: Kees Cook
+Cc: Thomas Bogendoerfer
+Cc: linux-mips@vger.kernel.org
+Acked-by: Manuel Lauss
+Signed-off-by: Dominik Brodowski
+Signed-off-by: Sasha Levin
+---
+ drivers/pcmcia/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/pcmcia/Kconfig b/drivers/pcmcia/Kconfig
+index cbbe4a285b48..a8fdd6df6a12 100644
+--- a/drivers/pcmcia/Kconfig
++++ b/drivers/pcmcia/Kconfig
+@@ -146,7 +146,7 @@ config TCIC
+
+ config PCMCIA_ALCHEMY_DEVBOARD
+ tristate "Alchemy Db/Pb1xxx PCMCIA socket services"
+- depends on MIPS_ALCHEMY && PCMCIA
++ depends on MIPS_DB1XXX && PCMCIA
+ help
+ Enable this driver of you want PCMCIA support on your Alchemy
+ Db1000, Db/Pb1100, Db/Pb1500, Db/Pb1550, Db/Pb1200, DB1300
+--
+2.35.1
+
diff --git a/queue-4.19/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch b/queue-4.19/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch
new file mode 100644
index 00000000000..713f4d2240c
--- /dev/null
+++ b/queue-4.19/perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch
@@ -0,0 +1,49 @@
+From b7e0c53af287580f6873d036472dc4e62b4e39d3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 May 2022 16:42:53 +0800
+Subject: perf c2c: Fix sorting in percent_rmt_hitm_cmp()
+
+From: Leo Yan
+
+[ Upstream commit b24192a17337abbf3f44aaa75e15df14a2d0016e ]
+
+The function percent_rmt_hitm_cmp() wrongly uses local HITMs for
+sorting remote HITMs.
+
+Since this function is to sort cache lines for remote HITMs, this patch
+changes to use 'rmt_hitm' field for correct sorting.
+
+Fixes: 9cb3500afc0980c5 ("perf c2c report: Add hitm/store percent related sort keys")
+Signed-off-by: Leo Yan
+Acked-by: Namhyung Kim
+Cc: Alexander Shishkin
+Cc: Ingo Molnar
+Cc: Jiri Olsa
+Cc: Joe Mario
+Cc: Mark Rutland
+Cc: Peter Zijlstra
+Link: https://lore.kernel.org/r/20220530084253.750190-1-leo.yan@linaro.org
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Sasha Levin
+---
+ tools/perf/builtin-c2c.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tools/perf/builtin-c2c.c b/tools/perf/builtin-c2c.c
+index fb875e365db1..f3c142bd1a11 100644
+--- a/tools/perf/builtin-c2c.c
++++ b/tools/perf/builtin-c2c.c
+@@ -944,8 +944,8 @@ percent_rmt_hitm_cmp(struct perf_hpp_fmt *fmt __maybe_unused,
+ double per_left;
+ double per_right;
+
+- per_left = PERCENT(left, lcl_hitm);
+- per_right = PERCENT(right, lcl_hitm);
++ per_left = PERCENT(left, rmt_hitm);
++ per_right = PERCENT(right, rmt_hitm);
+
+ return per_left - per_right;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch b/queue-4.19/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
new file mode 100644
index 00000000000..9d366fd36f2
--- /dev/null
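Review bot: `return per_left - per_right;` returns the difference of two doubles from a comparator; if the return type is an integer (the signature is cut off above the hunk), any difference smaller than 1.0 truncates to 0 and the two cache lines compare as equal. Because the operands are percentages, closely ranked entries would then come out in arbitrary order even with the corrected `rmt_hitm` field. A sign-preserving form such as `return (per_left > per_right) - (per_left < per_right);` avoids the truncation.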
+++ b/queue-4.19/pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
@@ -0,0 +1,40 @@
+From 7c7ecbfe76e62702bc03bdd46601a4c5b908f766 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Apr 2022 17:22:38 +0200
+Subject: pwm: lp3943: Fix duty calculation in case period was clamped
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Uwe Kleine-König
+
+[ Upstream commit 5e3b07ca5cc78cd4a987e78446849e41288d87cb ]
+
+The hardware only supports periods <= 1.6 ms and if a bigger period is
+requested it is clamped to 1.6 ms. In this case duty_cycle might be bigger
+than 1.6 ms and then the duty cycle register is written with a value
+bigger than LP3943_MAX_DUTY. So clamp duty_cycle accordingly.
+
+Fixes: af66b3c0934e ("pwm: Add LP3943 PWM driver")
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Thierry Reding
+Signed-off-by: Sasha Levin
+---
+ drivers/pwm/pwm-lp3943.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/pwm/pwm-lp3943.c b/drivers/pwm/pwm-lp3943.c
+index 5055ba2c6c94..a5f4c39eeb21 100644
+--- a/drivers/pwm/pwm-lp3943.c
++++ b/drivers/pwm/pwm-lp3943.c
+@@ -128,6 +128,7 @@ static int lp3943_pwm_config(struct pwm_chip *chip, struct pwm_device *pwm,
+ if (err)
+ return err;
+
++ duty_ns = min(duty_ns, period_ns);
+ val = (u8)(duty_ns * LP3943_MAX_DUTY / period_ns);
+
+ return lp3943_write_byte(lp3943, reg_duty, val);
+--
+2.35.1
+
diff --git a/queue-4.19/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch b/queue-4.19/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
new file mode 100644
index 00000000000..34176a8a219
--- /dev/null
+++ b/queue-4.19/rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
@@ -0,0 +1,36 @@
+From 4a7f7181cf27e232cf03dcac32345967e72c1bf1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 12:53:26 +0200
+Subject: rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 1a358d35066487d228a68303d808bc4721c6b1b9 ]
+
+The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
+
+Fixes: 53e2822e56c7 ("rpmsg: Introduce Qualcomm SMD backend")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220422105326.78713-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index aa008fa11002..6e09fccd2e87 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1388,7 +1388,7 @@ static int qcom_smd_parse_edge(struct device *dev,
+ edge->name = node->name;
+
+ irq = irq_of_parse_and_map(node, 0);
+- if (irq < 0) {
++ if (!irq) {
+ dev_err(dev, "required smd interrupt missing\n");
+ ret = irq;
+ goto put_node;
+--
+2.35.1
+
diff --git a/queue-4.19/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch b/queue-4.19/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch
new file mode 100644
index 00000000000..c08b635e679
--- /dev/null
+++ b/queue-4.19/rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch
@@ -0,0 +1,37 @@
+From b8d5edcefc908fa3356933cdd1817c5c05d3f1ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 23 Apr 2022 11:39:32 +0200
+Subject: rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
+
+From: Krzysztof Kozlowski
+
+[ Upstream commit 59d6f72f6f9c92fec8757d9e29527da828e9281f ]
+
+irq_of_parse_and_map() returns 0 on failure, so this should not be
+passed further as error return code.
+
+Fixes: 1a358d350664 ("rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Bjorn Andersson
+Link: https://lore.kernel.org/r/20220423093932.32136-1-krzysztof.kozlowski@linaro.org
+Signed-off-by: Sasha Levin
+---
+ drivers/rpmsg/qcom_smd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/rpmsg/qcom_smd.c b/drivers/rpmsg/qcom_smd.c
+index 6e09fccd2e87..f23f10887d93 100644
+--- a/drivers/rpmsg/qcom_smd.c
++++ b/drivers/rpmsg/qcom_smd.c
+@@ -1390,7 +1390,7 @@ static int qcom_smd_parse_edge(struct device *dev,
+ irq = irq_of_parse_and_map(node, 0);
+ if (!irq) {
+ dev_err(dev, "required smd interrupt missing\n");
+- ret = irq;
++ ret = -EINVAL;
+ goto put_node;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/rtc-mt6397-check-return-value-after-calling-platform.patch b/queue-4.19/rtc-mt6397-check-return-value-after-calling-platform.patch
new file mode 100644
index 00000000000..0c1c66c0cb7
--- /dev/null
+++ b/queue-4.19/rtc-mt6397-check-return-value-after-calling-platform.patch
@@ -0,0 +1,38 @@
+From 90a43a871af682a746163676866149cb819853d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 May 2022 20:50:43 +0800
+Subject: rtc: mt6397: check return value after calling platform_get_resource()
+
+From: Yang Yingliang
+
+[ Upstream commit d3b43eb505bffb8e4cdf6800c15660c001553fe6 ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Fixes: fc2979118f3f ("rtc: mediatek: Add MT6397 RTC driver")
+Signed-off-by: Yang Yingliang
+Reviewed-by: AngeloGioacchino Del Regno
+Signed-off-by: Alexandre Belloni
+Link: https://lore.kernel.org/r/20220505125043.1594771-1-yangyingliang@huawei.com
+Signed-off-by: Sasha Levin
+---
+ drivers/rtc/rtc-mt6397.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/rtc/rtc-mt6397.c b/drivers/rtc/rtc-mt6397.c
+index 964ed91416e1..671b6d275da3 100644
+--- a/drivers/rtc/rtc-mt6397.c
++++ b/drivers/rtc/rtc-mt6397.c
+@@ -339,6 +339,8 @@ static int mtk_rtc_probe(struct platform_device *pdev)
+ return -ENOMEM;
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
++ if (!res)
++ return -EINVAL;
+ rtc->addr_base = res->start;
+
+ rtc->irq = platform_get_irq(pdev, 0);
+--
+2.35.1
+
diff --git a/queue-4.19/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch b/queue-4.19/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch
new file mode 100644
index 00000000000..d17659fdb4c
--- /dev/null
+++ b/queue-4.19/s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch
@@ -0,0 +1,52 @@
+From 91b31262cc53b1733b4a5d61354fdf7981c48168 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 17 May 2022 16:30:47 +0200
+Subject: s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
+
+From: Jann Horn
+
+[ Upstream commit bd52cd5e23f134019b23f0c389db0f9a436e4576 ]
+
+The argument of scatterwalk_unmap() is supposed to be the void* that was
+returned by the previous scatterwalk_map() call.
+The s390 AES-GCM implementation was instead passing the pointer to the
+struct scatter_walk.
+
+This doesn't actually break anything because scatterwalk_unmap() only uses
+its argument under CONFIG_HIGHMEM and ARCH_HAS_FLUSH_ON_KUNMAP.
+
+Fixes: bf7fa038707c ("s390/crypto: add s390 platform specific aes gcm support.")
+Signed-off-by: Jann Horn
+Acked-by: Harald Freudenberger
+Link: https://lore.kernel.org/r/20220517143047.3054498-1-jannh@google.com
+Signed-off-by: Heiko Carstens
+Signed-off-by: Sasha Levin
+---
+ arch/s390/crypto/aes_s390.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
+index 2bc189187ed4..c663caf37ba4 100644
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -861,7 +861,7 @@ static inline void _gcm_sg_unmap_and_advance(struct gcm_sg_walk *gw,
+ unsigned int nbytes)
+ {
+ gw->walk_bytes_remain -= nbytes;
+- scatterwalk_unmap(&gw->walk);
++ scatterwalk_unmap(gw->walk_ptr);
+ scatterwalk_advance(&gw->walk, nbytes);
+ scatterwalk_done(&gw->walk, 0, gw->walk_bytes_remain);
+ gw->walk_ptr = NULL;
+@@ -936,7 +936,7 @@ static int gcm_out_walk_go(struct gcm_sg_walk *gw, unsigned int minbytesneeded)
+ goto out;
+ }
+
+- scatterwalk_unmap(&gw->walk);
++ scatterwalk_unmap(gw->walk_ptr);
+ gw->walk_ptr = NULL;
+
+ gw->ptr = gw->buf;
+--
+2.35.1
+
diff --git a/queue-4.19/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch b/queue-4.19/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch
new file mode 100644
index 00000000000..184c625447c
--- /dev/null
+++ b/queue-4.19/serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch
@@ -0,0 +1,61 @@
+From 271b8ed98a2150b1587675f5e6eee513fbba9d06 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 13 May 2022 16:46:43 +0300
+Subject: serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit af0179270977508df6986b51242825d7edd59caf ]
+
+SER_RS485_RTS_ON_SEND and SER_RS485_RTS_AFTER_SEND relate to behavior
+within RS485 operation. The driver checks if they have the same value
+which is not possible to realize with the hardware. The check is taken
+regardless of SER_RS485_ENABLED flag and -EINVAL is returned when the
+check fails, which creates problems.
+
+This check makes it unnecessarily complicated to turn RS485 mode off as
+simple zeroed serial_rs485 struct will trigger that equal values check.
+In addition, the driver itself memsets its rs485 structure to zero when
+RS485 is disabled but if userspace would try to make an TIOCSRS485
+ioctl() call with the very same struct, it would end up failing with
+-EINVAL which doesn't make much sense.
+
+Resolve the problem by moving the check inside SER_RS485_ENABLED block.
+
+Fixes: 7ecc77011c6f ("serial: 8250_fintek: Return -EINVAL on invalid configuration")
+Cc: Ricardo Ribalda Delgado
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/035c738-8ea5-8b17-b1d7-84a7b3aeaa51@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_fintek.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_fintek.c b/drivers/tty/serial/8250/8250_fintek.c
+index 79a4958b3f5c..440023069f4f 100644
+--- a/drivers/tty/serial/8250/8250_fintek.c
++++ b/drivers/tty/serial/8250/8250_fintek.c
+@@ -197,12 +197,12 @@ static int fintek_8250_rs485_config(struct uart_port *port,
+ if (!pdata)
+ return -EINVAL;
+
+- /* Hardware do not support same RTS level on send and receive */
+- if (!(rs485->flags & SER_RS485_RTS_ON_SEND) ==
+- !(rs485->flags & SER_RS485_RTS_AFTER_SEND))
+- return -EINVAL;
+
+ if (rs485->flags & SER_RS485_ENABLED) {
++ /* Hardware do not support same RTS level on send and receive */
++ if (!(rs485->flags & SER_RS485_RTS_ON_SEND) ==
++ !(rs485->flags & SER_RS485_RTS_AFTER_SEND))
++ return -EINVAL;
+ memset(rs485->padding, 0, sizeof(rs485->padding));
+ config |= RS485_URA;
+ } else {
+--
+2.35.1
+
diff --git a/queue-4.19/serial-digicolor-usart-don-t-allow-cs5-6.patch b/queue-4.19/serial-digicolor-usart-don-t-allow-cs5-6.patch
new file mode 100644
index 00000000000..77a307f3867
--- /dev/null
+++ b/queue-4.19/serial-digicolor-usart-don-t-allow-cs5-6.patch
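Review bot: Removing the old check in fintek_8250_rs485_config() leaves two consecutive blank lines between `return -EINVAL;` and `if (rs485->flags & SER_RS485_ENABLED) {`, which checkpatch flags; one of them should go with the removed block. Since the comment is being moved anyway, its grammar could be fixed at the same time: `/* Hardware does not support the same RTS level on send and receive */`. The function continues past the `} else {` that ends the hunk.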
@@ -0,0 +1,46 @@
+From 22fa65c38c979d8eeb96869f5305e7dfd27b5534 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 May 2022 11:18:01 +0300
+Subject: serial: digicolor-usart: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit fd63031b8c0763addcecdefe0e0c59d49646204e ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized to CS8 in
+the default: block.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 5930cb3511df (serial: driver for Conexant Digicolor USART)
+Acked-by: Baruch Siach
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20220519081808.3776-3-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/digicolor-usart.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/digicolor-usart.c b/drivers/tty/serial/digicolor-usart.c
+index 4446c13629b1..e06967ca62fa 100644
+--- a/drivers/tty/serial/digicolor-usart.c
++++ b/drivers/tty/serial/digicolor-usart.c
+@@ -309,6 +309,8 @@ static void digicolor_uart_set_termios(struct uart_port *port,
+ case CS8:
+ default:
+ config |= UA_CONFIG_CHAR_LEN;
++ termios->c_cflag &= ~CSIZE;
++ termios->c_cflag |= CS8;
+ break;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/serial-meson-acquire-port-lock-in-startup.patch b/queue-4.19/serial-meson-acquire-port-lock-in-startup.patch
new file mode 100644
index 00000000000..4a85f5a1de1
--- /dev/null
+++ b/queue-4.19/serial-meson-acquire-port-lock-in-startup.patch
@@ -0,0 +1,98 @@ +From 59fbf494f041751829f160934c95e2f6f09c654f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 8 May 2022 12:41:47 +0206 +Subject: serial: meson: acquire port->lock in startup() + +From: John Ogness + +[ Upstream commit 589f892ac8ef244e47c5a00ffd8605daa1eaef8e ] + +The uart_ops startup() callback is called without interrupts +disabled and without port->lock locked, relatively late during the +boot process (from the call path of console_on_rootfs()). If the +device is a console, it was already previously registered and could +be actively printing messages. + +Since the startup() callback is reading/writing registers used by +the console write() callback (AML_UART_CONTROL), its access must +be synchronized using the port->lock. Currently it is not. + +The startup() callback is the only function that explicitly enables +interrupts. Without the synchronization, it is possible that +interrupts become accidentally permanently disabled. + +CPU0 CPU1 +meson_serial_console_write meson_uart_startup +-------------------------- ------------------ +spin_lock(port->lock) +val = readl(AML_UART_CONTROL) +uart_console_write() + writel(INT_EN, AML_UART_CONTROL) +writel(val, AML_UART_CONTROL) +spin_unlock(port->lock) + +Add port->lock synchronization to meson_uart_startup() to avoid +racing with meson_serial_console_write(). + +Also add detailed comments to meson_uart_reset() explaining why it +is *not* using port->lock synchronization. 
+ +Link: https://lore.kernel.org/lkml/2a82eae7-a256-f70c-fd82-4e510750906e@samsung.com +Fixes: ff7693d079e5 ("ARM: meson: serial: add MesonX SoC on-chip uart driver") +Reported-by: Marek Szyprowski +Tested-by: Marek Szyprowski +Reviewed-by: Petr Mladek +Reviewed-by: Jiri Slaby +Acked-by: Neil Armstrong +Signed-off-by: John Ogness +Link: https://lore.kernel.org/r/20220508103547.626355-1-john.ogness@linutronix.de +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/meson_uart.c | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +diff --git a/drivers/tty/serial/meson_uart.c b/drivers/tty/serial/meson_uart.c +index 8a842591b37c..1838d0be3704 100644 +--- a/drivers/tty/serial/meson_uart.c ++++ b/drivers/tty/serial/meson_uart.c +@@ -255,6 +255,14 @@ static const char *meson_uart_type(struct uart_port *port) + return (port->type == PORT_MESON) ? "meson_uart" : NULL; + } + ++/* ++ * This function is called only from probe() using a temporary io mapping ++ * in order to perform a reset before setting up the device. Since the ++ * temporarily mapped region was successfully requested, there can be no ++ * console on this port at this time. Hence it is not necessary for this ++ * function to acquire the port->lock. (Since there is no console on this ++ * port at this time, the port->lock is not initialized yet.) 
++ */ + static void meson_uart_reset(struct uart_port *port) + { + u32 val; +@@ -269,9 +277,12 @@ static void meson_uart_reset(struct uart_port *port) + + static int meson_uart_startup(struct uart_port *port) + { ++ unsigned long flags; + u32 val; + int ret = 0; + ++ spin_lock_irqsave(&port->lock, flags); ++ + val = readl(port->membase + AML_UART_CONTROL); + val |= AML_UART_CLEAR_ERR; + writel(val, port->membase + AML_UART_CONTROL); +@@ -287,6 +298,8 @@ static int meson_uart_startup(struct uart_port *port) + val = (AML_UART_RECV_IRQ(1) | AML_UART_XMIT_IRQ(port->fifosize / 2)); + writel(val, port->membase + AML_UART_MISC); + ++ spin_unlock_irqrestore(&port->lock, flags); ++ + ret = request_irq(port->irq, meson_uart_interrupt, 0, + port->name, port); + +-- +2.35.1 + diff --git a/queue-4.19/serial-sh-sci-don-t-allow-cs5-6.patch b/queue-4.19/serial-sh-sci-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..240f89c886f --- /dev/null +++ b/queue-4.19/serial-sh-sci-don-t-allow-cs5-6.patch 
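Review bot: The `spin_unlock_irqrestore()` added in meson_uart_startup() sits just before `request_irq()` with nothing explaining why the lock ends there, so a later cleanup could move the call into the locked region. request_irq() can sleep and must stay outside `spin_lock_irqsave()`; I would add `/* request_irq() may sleep: drop port->lock first */` above the unlock line. The part of the function where the interrupt enable bits are written is between the two inner hunks and is not shown, so the ordering of device-side interrupt enable versus handler registration should be checked against the full function.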
@@ -0,0 +1,50 @@
+From 52a4092e54893dbab678c3056288c430d222b12d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 May 2022 11:18:04 +0300
+Subject: serial: sh-sci: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 9b87162de8be26bf3156460b37deee6399fd0fcb ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20220519081808.3776-6-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/sh-sci.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/sh-sci.c b/drivers/tty/serial/sh-sci.c
+index 6f44c5f0ef3a..ba7f0b44b710 100644
+--- a/drivers/tty/serial/sh-sci.c
++++ b/drivers/tty/serial/sh-sci.c
+@@ -2382,8 +2382,12 @@ static void sci_set_termios(struct uart_port *port, struct ktermios *termios,
+ int best_clk = -1;
+ unsigned long flags;
+
+- if ((termios->c_cflag & CSIZE) == CS7)
++ if ((termios->c_cflag & CSIZE) == CS7) {
+ smr_val |= SCSMR_CHR;
++ } else {
++ termios->c_cflag &= ~CSIZE;
++ termios->c_cflag |= CS8;
++ }
+ if (termios->c_cflag & PARENB)
+ smr_val |= SCSMR_PE;
+ if (termios->c_cflag & PARODD)
+--
+2.35.1
+
diff --git a/queue-4.19/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch b/queue-4.19/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
new file mode 100644
index 00000000000..7762db37364
--- /dev/null
+++ b/queue-4.19/serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
@@ -0,0 +1,52 @@
+From af47c8aeb410be7bf8a543433083140c857becc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 May 2022 11:18:06 +0300
+Subject: serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 52bb1cb7118564166b04d52387bd8403632f5190 ]
+
+Only CS7 and CS8 seem supported but CSIZE is not sanitized from CS5 or
+CS6 to CS8. In addition, ASC_CTL_MODE_7BIT_PAR suggests that CS7 has
+to have parity, thus add PARENB.
+
+Incorrect CSIZE results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: c4b058560762 (serial:st-asc: Add ST ASC driver.)
+Cc: Srinivas Kandagatla
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20220519081808.3776-8-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/st-asc.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/tty/serial/st-asc.c b/drivers/tty/serial/st-asc.c
+index 7971997cdead..ce35e3a131b1 100644
+--- a/drivers/tty/serial/st-asc.c
++++ b/drivers/tty/serial/st-asc.c
+@@ -540,10 +540,14 @@ static void asc_set_termios(struct uart_port *port, struct ktermios *termios,
+ /* set character length */
+ if ((cflag & CSIZE) == CS7) {
+ ctrl_val |= ASC_CTL_MODE_7BIT_PAR;
++ cflag |= PARENB;
+ } else {
+ ctrl_val |= (cflag & PARENB) ? ASC_CTL_MODE_8BIT_PAR :
+ ASC_CTL_MODE_8BIT;
++ cflag &= ~CSIZE;
++ cflag |= CS8;
+ }
++ termios->c_cflag = cflag;
+
+ /* set stop bit */
+ ctrl_val |= (cflag & CSTOPB) ? ASC_CTL_STOP_2BIT : ASC_CTL_STOP_1BIT;
+--
+2.35.1
+
diff --git a/queue-4.19/serial-stm32-usart-correct-csize-bits-and-parity.patch b/queue-4.19/serial-stm32-usart-correct-csize-bits-and-parity.patch
new file mode 100644
index 00000000000..1e9af6261ca
--- /dev/null
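Review bot: The CS7 branch of asc_set_termios() now forces `PARENB` into the termios value reported back to userspace, but the code gives no reason and the description only says ASC_CTL_MODE_7BIT_PAR "suggests" that parity is mandatory. A comment on the `cflag |= PARENB;` line such as `/* no 7-bit mode without parity on this hardware: report PARENB back */` would record the assumption so it can be checked against the datasheet. Separately, `termios->c_cflag = cflag;` writes back the whole local copy, so any local-only adjustment made to `cflag` above the hunk would also become visible to userspace; that part of the function is not shown here.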
+++ b/queue-4.19/serial-stm32-usart-correct-csize-bits-and-parity.patch 
@@ -0,0 +1,64 @@ +From c1aac1f4a84b69c42a07329a2833e458dde7700c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 May 2022 11:18:07 +0300 +Subject: serial: stm32-usart: Correct CSIZE, bits, and parity +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +[ Upstream commit 1deeda8d2877c18bc2b9eeee10dd6d2628852848 ] + +Add CSIZE sanitization for unsupported CSIZE configurations. In +addition, if parity is asked for but CSx was unsupported, the sensible +result is CS8+parity which requires setting USART_CR1_M0 like with 9 +bits. + +Incorrect CSIZE results in miscalculation of the frame bits in +tty_get_char_size() or in its predecessor where the roughly the same +code is directly within uart_update_timeout(). + +Fixes: c8a9d043947b (serial: stm32: fix word length configuration) +Cc: Erwan Le Ray +Signed-off-by: Ilpo Järvinen +Link: https://lore.kernel.org/r/20220519081808.3776-9-ilpo.jarvinen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/stm32-usart.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +diff --git a/drivers/tty/serial/stm32-usart.c b/drivers/tty/serial/stm32-usart.c +index ccaaf804df06..bb2f6f02ce23 100644 +--- a/drivers/tty/serial/stm32-usart.c ++++ b/drivers/tty/serial/stm32-usart.c +@@ -688,13 +688,22 @@ static void stm32_set_termios(struct uart_port *port, struct ktermios *termios, + * CS8 or (CS7 + parity), 8 bits word aka [M1:M0] = 0b00 + * M0 and M1 already cleared by cr1 initialization. 
+ */ +- if (bits == 9) ++ if (bits == 9) { + cr1 |= USART_CR1_M0; +- else if ((bits == 7) && cfg->has_7bits_data) ++ } else if ((bits == 7) && cfg->has_7bits_data) { + cr1 |= USART_CR1_M1; +- else if (bits != 8) ++ } else if (bits != 8) { + dev_dbg(port->dev, "Unsupported data bits config: %u bits\n" + , bits); ++ cflag &= ~CSIZE; ++ cflag |= CS8; ++ termios->c_cflag = cflag; ++ bits = 8; ++ if (cflag & PARENB) { ++ bits++; ++ cr1 |= USART_CR1_M0; ++ } ++ } + + if (cflag & PARODD) + cr1 |= USART_CR1_PS; +-- +2.35.1 + diff --git a/queue-4.19/serial-txx9-don-t-allow-cs5-6.patch b/queue-4.19/serial-txx9-don-t-allow-cs5-6.patch new file mode 100644 index 00000000000..1f029d34939 --- /dev/null +++ b/queue-4.19/serial-txx9-don-t-allow-cs5-6.patch 
@@ -0,0 +1,45 @@
+From a7eef3c722401898e8698db0f1d5179b996cba05 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 19 May 2022 11:18:03 +0300
+Subject: serial: txx9: Don't allow CS5-6
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Ilpo Järvinen
+
+[ Upstream commit 79ac88655dc0551e3571ad16bdabdbe65d61553e ]
+
+Only CS7 and CS8 are supported but CSIZE is not sanitized with
+CS5 or CS6 to CS8.
+
+Set CSIZE correctly so that userspace knows the effective value.
+Incorrect CSIZE also results in miscalculation of the frame bits in
+tty_get_char_size() or in its predecessor where the roughly the same
+code is directly within uart_update_timeout().
+
+Fixes: 1da177e4c3f4 (Linux-2.6.12-rc2)
+Signed-off-by: Ilpo Järvinen
+Link: https://lore.kernel.org/r/20220519081808.3776-5-ilpo.jarvinen@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/serial_txx9.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/serial/serial_txx9.c b/drivers/tty/serial/serial_txx9.c
+index 2f7ef64536a0..8724db39e947 100644
+--- a/drivers/tty/serial/serial_txx9.c
++++ b/drivers/tty/serial/serial_txx9.c
+@@ -649,6 +649,8 @@ serial_txx9_set_termios(struct uart_port *port, struct ktermios *termios,
+ case CS6: /* not supported */
+ case CS8:
+ cval |= TXX9_SILCR_UMODE_8BIT;
++ termios->c_cflag &= ~CSIZE;
++ termios->c_cflag |= CS8;
+ break;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 1f6c820326b..08043c2644e 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -187,3 +187,41 @@ phy-qcom-qmp-fix-reset-controller-leak-on-probe-errors.patch
 rdma-rxe-generate-a-completion-for-unsupported-invalid-opcode.patch
 mips-ip27-remove-incorrect-cpu_has_fpu-override.patch
 md-bcache-check-the-return-value-of-kzalloc-in-detached_dev_do_request.patch
+pcmcia-db1xxx_ss-restrict-to-mips_db1xxx-boards.patch
+staging-greybus-codecs-fix-type-confusion-of-list-it.patch
+tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
+usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
+usb-usbip-add-missing-device-lock-on-tweak-configura.patch
+usb-storage-karma-fix-rio_karma_init-return.patch
+usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch
+pwm-lp3943-fix-duty-calculation-in-case-period-was-c.patch
+rpmsg-qcom_smd-fix-irq_of_parse_and_map-return-value.patch
+usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch
+iio-adc-sc27xx-fix-read-big-scale-voltage-not-right.patch
+rpmsg-qcom_smd-fix-returning-0-if-irq_of_parse_and_m.patch
+coresight-cpu-debug-replace-mutex-with-mutex_trylock.patch
+soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
+clocksource-drivers-riscv-events-are-stopped-during-.patch
+rtc-mt6397-check-return-value-after-calling-platform.patch
+serial-meson-acquire-port-lock-in-startup.patch
+serial-8250_fintek-check-ser_rs485_rts_-only-with-rs.patch
+serial-digicolor-usart-don-t-allow-cs5-6.patch
+serial-txx9-don-t-allow-cs5-6.patch
+serial-sh-sci-don-t-allow-cs5-6.patch
+serial-st-asc-sanitize-csize-and-correct-parenb-for-.patch
+serial-stm32-usart-correct-csize-bits-and-parity.patch
+firmware-dmi-sysfs-fix-memory-leak-in-dmi_sysfs_regi.patch
+bus-ti-sysc-fix-warnings-for-unbind-for-serial.patch
+clocksource-drivers-oxnas-rps-fix-irq_of_parse_and_m.patch
+s390-crypto-fix-scatterwalk_unmap-callers-in-aes-gcm.patch
+net-ethernet-mtk_eth_soc-out-of-bounds-read-in-mtk_h.patch
+net-dsa-mv88e6xxx-fix-refcount-leak-in-mv88e6xxx_mdi.patch
+modpost-fix-removing-numeric-suffixes.patch
+jffs2-fix-memory-leak-in-jffs2_do_fill_super.patch
+ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
+nfp-only-report-pause-frame-configuration-for-physic.patch
+net-mlx5e-update-netdev-features-after-changing-xdp-.patch
+tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
+afs-fix-infinite-loop-found-by-xfstest-generic-676.patch
+tipc-check-attribute-length-for-bearer-name.patch
+perf-c2c-fix-sorting-in-percent_rmt_hitm_cmp.patch
diff --git a/queue-4.19/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch b/queue-4.19/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
new file mode 100644
index 00000000000..8b26c354d39
--- /dev/null
+++ b/queue-4.19/soc-rockchip-fix-refcount-leak-in-rockchip_grf_init.patch
@@ -0,0 +1,44 @@
+From 4632e119993bf03f8e4ddde26bcd3f64497c10a6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 May 2022 11:20:10 +0400
+Subject: soc: rockchip: Fix refcount leak in rockchip_grf_init
+
+From: Miaoqian Lin
+
+[ Upstream commit 9b59588d8be91c96bfb0371e912ceb4f16315dbf ]
+
+of_find_matching_node_and_match returns a node pointer with refcount
+incremented, we should use of_node_put() on it when done.
+Add missing of_node_put() to avoid refcount leak.
+
+Fixes: 4c58063d4258 ("soc: rockchip: add driver handling grf setup")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220516072013.19731-1-linmq006@gmail.com
+Signed-off-by: Heiko Stuebner
+Signed-off-by: Sasha Levin
+---
+ drivers/soc/rockchip/grf.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/soc/rockchip/grf.c b/drivers/soc/rockchip/grf.c
+index 3b81e1d75a97..3e7e999ee324 100644
+--- a/drivers/soc/rockchip/grf.c
++++ b/drivers/soc/rockchip/grf.c
+@@ -151,12 +151,14 @@ static int __init rockchip_grf_init(void)
+ return -ENODEV;
+ if (!match || !match->data) {
+ pr_err("%s: missing grf data\n", __func__);
++ of_node_put(np);
+ return -EINVAL;
+ }
+
+ grf_info = match->data;
+
+ grf = syscon_node_to_regmap(np);
++ of_node_put(np);
+ if (IS_ERR(grf)) {
+ pr_err("%s: could not get grf syscon\n", __func__);
+ return PTR_ERR(grf);
+--
+2.35.1
+
diff --git a/queue-4.19/staging-greybus-codecs-fix-type-confusion-of-list-it.patch b/queue-4.19/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
new file mode 100644
index 00000000000..cc17eccec56
--- /dev/null
+++ b/queue-4.19/staging-greybus-codecs-fix-type-confusion-of-list-it.patch
@@ -0,0 +1,44 @@
+From 750fddfa4b7ad21abe300a817fd687b37bb91b53 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 21 Mar 2022 13:36:26 +0100
+Subject: staging: greybus: codecs: fix type confusion of list iterator
+ variable
+
+From: Jakob Koschel
+
+[ Upstream commit 84ef256550196bc06e6849a34224c998b45bd557 ]
+
+If the list does not exit early then data == NULL and 'module' does not
+point to a valid list element.
+Using 'module' in such a case is not valid and was therefore removed.
+
+Fixes: 6dd67645f22c ("greybus: audio: Use single codec driver registration")
+Reviewed-by: Dan Carpenter
+Reviewed-by: Vaibhav Agarwal
+Reviewed-by: Mark Greer
+Signed-off-by: Jakob Koschel
+Link: https://lore.kernel.org/r/20220321123626.3068639-1-jakobkoschel@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/greybus/audio_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/staging/greybus/audio_codec.c b/drivers/staging/greybus/audio_codec.c
+index 6cbf69a57dfd..806be9d86338 100644
+--- a/drivers/staging/greybus/audio_codec.c
++++ b/drivers/staging/greybus/audio_codec.c
+@@ -620,8 +620,8 @@ static int gbcodec_mute_stream(struct snd_soc_dai *dai, int mute, int stream)
+ break;
+ }
+ if (!data) {
+- dev_err(dai->dev, "%s:%s DATA connection missing\n",
+- dai->name, module->name);
++ dev_err(dai->dev, "%s DATA connection missing\n",
++ dai->name);
+ mutex_unlock(&codec->lock);
+ return -ENODEV;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch b/queue-4.19/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
new file mode 100644
index 00000000000..e5c02f0151c
--- /dev/null
+++ b/queue-4.19/tcp-tcp_rtx_synack-can-be-called-from-process-contex.patch
@@ -0,0 +1,92 @@ +From 92a0d41c73f4bfaeed27aa30d6fd0d5c4693a073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 May 2022 14:37:13 -0700 +Subject: tcp: tcp_rtx_synack() can be called from process context + +From: Eric Dumazet + +[ Upstream commit 0a375c822497ed6ad6b5da0792a12a6f1af10c0b ] + +Laurent reported the enclosed report [1] + +This bug triggers with following coditions: + +0) Kernel built with CONFIG_DEBUG_PREEMPT=y + +1) A new passive FastOpen TCP socket is created. + This FO socket waits for an ACK coming from client to be a complete + ESTABLISHED one. +2) A socket operation on this socket goes through lock_sock() + release_sock() dance. +3) While the socket is owned by the user in step 2), + a retransmit of the SYN is received and stored in socket backlog. +4) At release_sock() time, the socket backlog is processed while + in process context. +5) A SYNACK packet is cooked in response of the SYN retransmit. +6) -> tcp_rtx_synack() is called in process context. + +Before blamed commit, tcp_rtx_synack() was always called from BH handler, +from a timer handler. + +Fix this by using TCP_INC_STATS() & NET_INC_STATS() +which do not assume caller is in non preemptible context. + +[1] +BUG: using __this_cpu_add() in preemptible [00000000] code: epollpep/2180 +caller is tcp_rtx_synack.part.0+0x36/0xc0 +CPU: 10 PID: 2180 Comm: epollpep Tainted: G OE 5.16.0-0.bpo.4-amd64 #1 Debian 5.16.12-1~bpo11+1 +Hardware name: Supermicro SYS-5039MC-H8TRF/X11SCD-F, BIOS 1.7 11/23/2021 +Call Trace: + + dump_stack_lvl+0x48/0x5e + check_preemption_disabled+0xde/0xe0 + tcp_rtx_synack.part.0+0x36/0xc0 + tcp_rtx_synack+0x8d/0xa0 + ? kmem_cache_alloc+0x2e0/0x3e0 + ? apparmor_file_alloc_security+0x3b/0x1f0 + inet_rtx_syn_ack+0x16/0x30 + tcp_check_req+0x367/0x610 + tcp_rcv_state_process+0x91/0xf60 + ? get_nohz_timer_target+0x18/0x1a0 + ? lock_timer_base+0x61/0x80 + ? 
preempt_count_add+0x68/0xa0 + tcp_v4_do_rcv+0xbd/0x270 + __release_sock+0x6d/0xb0 + release_sock+0x2b/0x90 + sock_setsockopt+0x138/0x1140 + ? __sys_getsockname+0x7e/0xc0 + ? aa_sk_perm+0x3e/0x1a0 + __sys_setsockopt+0x198/0x1e0 + __x64_sys_setsockopt+0x21/0x30 + do_syscall_64+0x38/0xc0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 168a8f58059a ("tcp: TCP Fast Open Server - main code path") +Signed-off-by: Eric Dumazet +Reported-by: Laurent Fasnacht +Acked-by: Neal Cardwell +Link: https://lore.kernel.org/r/20220530213713.601888-1-eric.dumazet@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_output.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 8543cd724d54..25dbdb27a571 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -3805,8 +3805,8 @@ int tcp_rtx_synack(const struct sock *sk, struct request_sock *req) + tcp_rsk(req)->txhash = net_tx_rndhash(); + res = af_ops->send_synack(sk, NULL, &fl, req, NULL, TCP_SYNACK_NORMAL); + if (!res) { +- __TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS); +- __NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS); ++ TCP_INC_STATS(sock_net(sk), TCP_MIB_RETRANSSEGS); ++ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPSYNRETRANS); + if (unlikely(tcp_passive_fastopen(sk))) + tcp_sk(sk)->total_retrans++; + trace_tcp_retransmit_synack(sk, req); +-- +2.35.1 + diff --git a/queue-4.19/tipc-check-attribute-length-for-bearer-name.patch b/queue-4.19/tipc-check-attribute-length-for-bearer-name.patch new file mode 100644 index 00000000000..bb35a8b7467 --- /dev/null +++ b/queue-4.19/tipc-check-attribute-length-for-bearer-name.patch 
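Review bot: Nothing at the two changed lines in tcp_rtx_synack() records why the preemption-safe stat helpers are needed, so the `__` variants could be reintroduced later as a micro-optimisation. I would add a comment above them: `/* May run in process context (backlog processing in release_sock()), so the __ variants are not safe here. */`. The `tcp_sk(sk)->total_retrans++` on the following context line is a plain increment; the description implies the socket is owned by the caller on this path, which is worth confirming because the function body extends beyond the hunk.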
@@ -0,0 +1,58 @@
+From 750503c7097e296882ed42d24d704c032e2b9d9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 13:30:53 +0700
+Subject: tipc: check attribute length for bearer name
+
+From: Hoang Le
+
+[ Upstream commit 7f36f798f89bf32c0164049cb0e3fd1af613d0bb ]
+
+syzbot reported uninit-value:
+=====================================================
+BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:644 [inline]
+BUG: KMSAN: uninit-value in string+0x4f9/0x6f0 lib/vsprintf.c:725
+ string_nocheck lib/vsprintf.c:644 [inline]
+ string+0x4f9/0x6f0 lib/vsprintf.c:725
+ vsnprintf+0x2222/0x3650 lib/vsprintf.c:2806
+ vprintk_store+0x537/0x2150 kernel/printk/printk.c:2158
+ vprintk_emit+0x28b/0xab0 kernel/printk/printk.c:2256
+ vprintk_default+0x86/0xa0 kernel/printk/printk.c:2283
+ vprintk+0x15f/0x180 kernel/printk/printk_safe.c:50
+ _printk+0x18d/0x1cf kernel/printk/printk.c:2293
+ tipc_enable_bearer net/tipc/bearer.c:371 [inline]
+ __tipc_nl_bearer_enable+0x2022/0x22a0 net/tipc/bearer.c:1033
+ tipc_nl_bearer_enable+0x6c/0xb0 net/tipc/bearer.c:1042
+ genl_family_rcv_msg_doit net/netlink/genetlink.c:731 [inline]
+
+- Do sanity check the attribute length for TIPC_NLA_BEARER_NAME.
+- Do not use 'illegal name' in printing message.
+
+Reported-by: syzbot+e820fdc8ce362f2dea51@syzkaller.appspotmail.com
+Fixes: cb30a63384bc ("tipc: refactor function tipc_enable_bearer()")
+Acked-by: Jon Maloy
+Signed-off-by: Hoang Le
+Link: https://lore.kernel.org/r/20220602063053.5892-1-hoang.h.le@dektech.com.au
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/tipc/bearer.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
+index e1006ed4d90a..0f970259d0d5 100644
+--- a/net/tipc/bearer.c
++++ b/net/tipc/bearer.c
+@@ -246,9 +246,8 @@ static int tipc_enable_bearer(struct net *net, const char *name,
+ u32 i;
+
+ if (!bearer_name_validate(name, &b_names)) {
+- errstr = "illegal name";
+ NL_SET_ERR_MSG(extack, "Illegal name");
+- goto rejected;
++ return res;
+ }
+
+ if (prio > TIPC_MAX_LINK_PRI && prio != TIPC_MEDIA_LINK_PRI) {
+--
+2.35.1
+
diff --git a/queue-4.19/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch b/queue-4.19/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
new file mode 100644
index 00000000000..9f131ddd2a4
--- /dev/null
+++ b/queue-4.19/tty-goldfish-use-tty_port_destroy-to-destroy-port.patch
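Review bot: Nothing in this backport checks the length of TIPC_NLA_BEARER_NAME, although that is the first item in the description; the only change is in the `bearer_name_validate()` failure branch of `tipc_enable_bearer()`, which no longer passes `name` to the rejection printout. Unless the netlink policy or the caller in the 4.19 tree already bounds and NUL-terminates the attribute (not visible here), `bearer_name_validate(name, &b_names)` still parses a buffer whose length was never validated, so the uninitialised read may only have moved. Separately, `return res;` depends on `res` holding an error code at this point; its declaration is outside the hunk, so confirm it is not initialised to 0.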
@@ -0,0 +1,48 @@
+From 367f9c33d2577728980354c257c09e1d71de3980 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 28 Mar 2022 19:58:44 +0800
+Subject: tty: goldfish: Use tty_port_destroy() to destroy port
+
+From: Wang Weiyang
+
+[ Upstream commit 507b05063d1b7a1fcb9f7d7c47586fc4f3508f98 ]
+
+In goldfish_tty_probe(), the port initialized through tty_port_init()
+should be destroyed in error paths.In goldfish_tty_remove(), qtty->port
+also should be destroyed or else might leak resources.
+
+Fix the above by calling tty_port_destroy().
+
+Fixes: 666b7793d4bf ("goldfish: tty driver")
+Reviewed-by: Jiri Slaby
+Signed-off-by: Wang Weiyang
+Link: https://lore.kernel.org/r/20220328115844.86032-1-wangweiyang2@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/goldfish.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/goldfish.c b/drivers/tty/goldfish.c
+index c8c5cdfc5e19..abc84d84f638 100644
+--- a/drivers/tty/goldfish.c
++++ b/drivers/tty/goldfish.c
+@@ -407,6 +407,7 @@ static int goldfish_tty_probe(struct platform_device *pdev)
+ err_tty_register_device_failed:
+ free_irq(irq, qtty);
+ err_dec_line_count:
++ tty_port_destroy(&qtty->port);
+ goldfish_tty_current_line_count--;
+ if (goldfish_tty_current_line_count == 0)
+ goldfish_tty_delete_driver();
+@@ -428,6 +429,7 @@ static int goldfish_tty_remove(struct platform_device *pdev)
+ iounmap(qtty->base);
+ qtty->base = NULL;
+ free_irq(qtty->irq, pdev);
++ tty_port_destroy(&qtty->port);
+ goldfish_tty_current_line_count--;
+ if (goldfish_tty_current_line_count == 0)
+ goldfish_tty_delete_driver();
+--
+2.35.1
+
diff --git a/queue-4.19/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch b/queue-4.19/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
new file mode 100644
index 00000000000..dd0dced34fd
--- /dev/null
+++ b/queue-4.19/ubi-ubi_create_volume-fix-use-after-free-when-volume.patch
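Review bot: In `goldfish_tty_remove()` the new `tty_port_destroy(&qtty->port)` follows `free_irq(qtty->irq, pdev)`, while the probe error path in the same patch releases the interrupt with `free_irq(irq, qtty)`, so the two paths pass different dev_id cookies. The `request_irq()` call is outside the hunk, but if it registers `qtty` as the error path suggests, the remove-side call does not match and the handler may stay installed while the port it uses is being destroyed. Suggested change: `free_irq(qtty->irq, qtty);`. Both function bodies start outside the hunk, so it is also worth confirming that every `goto err_dec_line_count` comes after `tty_port_init()`.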
@@ -0,0 +1,49 @@
+From 84aed4107c845c26d3361d002206318d634cdf21 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 10 May 2022 20:31:26 +0800
+Subject: ubi: ubi_create_volume: Fix use-after-free when volume creation
+ failed
+
+From: Zhihao Cheng
+
+[ Upstream commit 8c03a1c21d72210f81cb369cc528e3fde4b45411 ]
+
+There is an use-after-free problem for 'eba_tbl' in ubi_create_volume()'s
+error handling path:
+
+ ubi_eba_replace_table(vol, eba_tbl)
+ vol->eba_tbl = tbl
+out_mapping:
+ ubi_eba_destroy_table(eba_tbl) // Free 'eba_tbl'
+out_unlock:
+ put_device(&vol->dev)
+ vol_release
+ kfree(tbl->entries) // UAF
+
+Fix it by removing redundant 'eba_tbl' releasing.
+Fetch a reproducer in [Link].
+
+Fixes: 493cfaeaa0c9b ("mtd: utilize new cdev_device_add helper function")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=215965
+Signed-off-by: Zhihao Cheng
+Signed-off-by: Richard Weinberger
+Signed-off-by: Sasha Levin
+---
+ drivers/mtd/ubi/vmt.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/mtd/ubi/vmt.c b/drivers/mtd/ubi/vmt.c
+index d0c6b66b7450..9f6ffd340a3e 100644
+--- a/drivers/mtd/ubi/vmt.c
++++ b/drivers/mtd/ubi/vmt.c
+@@ -322,7 +322,6 @@ int ubi_create_volume(struct ubi_device *ubi, struct ubi_mkvol_req *req)
+ ubi->volumes[vol_id] = NULL;
+ ubi->vol_count -= 1;
+ spin_unlock(&ubi->volumes_lock);
+- ubi_eba_destroy_table(eba_tbl);
+ out_acc:
+ spin_lock(&ubi->volumes_lock);
+ ubi->rsvd_pebs -= vol->reserved_pebs;
+--
+2.35.1
+
diff --git a/queue-4.19/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch b/queue-4.19/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch
new file mode 100644
index 00000000000..e622ad4bac9
--- /dev/null
+++ b/queue-4.19/usb-dwc3-pci-fix-pm_runtime_get_sync-error-checking.patch
@@ -0,0 +1,38 @@
+From 512d88f64982ecfb97e33d49afb73e311cd3260f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 22 Apr 2022 06:26:52 +0000
+Subject: usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
+
+From: Zheng Yongjun
+
+[ Upstream commit a03e2ddab8e735e2cc315609b297b300e9cc60d2 ]
+
+If the device is already in a runtime PM enabled state
+pm_runtime_get_sync() will return 1, so a test for negative
+value should be used to check for errors.
+
+Fixes: 8eed00b237a28 ("usb: dwc3: pci: Runtime resume child device from wq")
+Signed-off-by: Zheng Yongjun
+Link: https://lore.kernel.org/r/20220422062652.10575-1-zhengyongjun3@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc3/dwc3-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/dwc3/dwc3-pci.c b/drivers/usb/dwc3/dwc3-pci.c
+index ad2cb08b440f..527938eee846 100644
+--- a/drivers/usb/dwc3/dwc3-pci.c
++++ b/drivers/usb/dwc3/dwc3-pci.c
+@@ -205,7 +205,7 @@ static void dwc3_pci_resume_work(struct work_struct *work)
+ int ret;
+
+ ret = pm_runtime_get_sync(&dwc3->dev);
+- if (ret) {
++ if (ret < 0) {
+ pm_runtime_put_sync_autosuspend(&dwc3->dev);
+ return;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch b/queue-4.19/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch
new file mode 100644
index 00000000000..6cfd4a02461
--- /dev/null
+++ b/queue-4.19/usb-musb-fix-missing-of_node_put-in-omap2430_probe.patch
@@ -0,0 +1,36 @@
+From de3ec9c56aeddb61376feb7ee813dc4c1845ce8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Mar 2022 11:10:33 +0000
+Subject: usb: musb: Fix missing of_node_put() in omap2430_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit 424bef51fa530389b0b9008c9e144e40c10e8458 ]
+
+The device_node pointer is returned by of_parse_phandle() with refcount
+incremented. We should use of_node_put() on it when done.
+
+Fixes: 8934d3e4d0e7 ("usb: musb: omap2430: Don't use omap_get_control_dev()")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220309111033.24487-1-linmq006@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/musb/omap2430.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/usb/musb/omap2430.c b/drivers/usb/musb/omap2430.c
+index 24e622c05638..5f1c41e95f56 100644
+--- a/drivers/usb/musb/omap2430.c
++++ b/drivers/usb/musb/omap2430.c
+@@ -433,6 +433,7 @@ static int omap2430_probe(struct platform_device *pdev)
+ control_node = of_parse_phandle(np, "ctrl-module", 0);
+ if (control_node) {
+ control_pdev = of_find_device_by_node(control_node);
++ of_node_put(control_node);
+ if (!control_pdev) {
+ dev_err(&pdev->dev, "Failed to get control device\n");
+ ret = -EINVAL;
+--
+2.35.1
+
diff --git a/queue-4.19/usb-storage-karma-fix-rio_karma_init-return.patch b/queue-4.19/usb-storage-karma-fix-rio_karma_init-return.patch
new file mode 100644
index 00000000000..f272c1db27a
--- /dev/null
+++ b/queue-4.19/usb-storage-karma-fix-rio_karma_init-return.patch
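Review bot: `of_find_device_by_node(control_node)` hands back `control_pdev` with a reference held on the underlying device, and this hunk balances only the node reference; no `put_device(&control_pdev->dev)` is visible. The rest of `omap2430_probe()` and the remove path are outside the hunk, so the device reference may already be dropped there; if it is not, it leaks on each probe in the same way the node reference did. A short comment next to the new `of_node_put(control_node);` stating where the `control_pdev` reference is released would make the ownership explicit.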
@@ -0,0 +1,63 @@
+From 6f783cd6754f6d3608963e4330fbc1895b336577 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 22:43:59 +0800
+Subject: USB: storage: karma: fix rio_karma_init return
+
+From: Lin Ma
+
+[ Upstream commit b92ffb1eddd9a66a90defc556dcbf65a43c196c7 ]
+
+The function rio_karam_init() should return -ENOMEM instead of
+value 0 (USB_STOR_TRANSPORT_GOOD) when allocation fails.
+
+Similarly, it should return -EIO when rio_karma_send_command() fails.
+
+Fixes: dfe0d3ba20e8 ("USB Storage: add rio karma eject support")
+Acked-by: Alan Stern
+Signed-off-by: Lin Ma
+Link: https://lore.kernel.org/r/20220412144359.28447-1-linma@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/storage/karma.c | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/usb/storage/karma.c b/drivers/usb/storage/karma.c
+index edcf2be0e0eb..09c8add5108a 100644
+--- a/drivers/usb/storage/karma.c
++++ b/drivers/usb/storage/karma.c
+@@ -172,23 +172,24 @@ static void rio_karma_destructor(void *extra)
+
+ static int rio_karma_init(struct us_data *us)
+ {
+- int ret = 0;
+ struct karma_data *data = kzalloc(sizeof(struct karma_data), GFP_NOIO);
+ if (!data)
+- goto out;
++ return -ENOMEM;
+
+ data->recv = kmalloc(RIO_RECV_LEN, GFP_NOIO);
+ if (!data->recv) {
+ kfree(data);
+- goto out;
++ return -ENOMEM;
+ }
+
+ us->extra = data;
+ us->extra_destructor = rio_karma_destructor;
+- ret = rio_karma_send_command(RIO_ENTER_STORAGE, us);
+- data->in_storage = (ret == 0);
+-out:
+- return ret;
++ if (rio_karma_send_command(RIO_ENTER_STORAGE, us))
++ return -EIO;
++
++ data->in_storage = 1;
++
++ return 0;
+ }
+
+ static struct scsi_host_template karma_host_template;
+--
+2.35.1
+
diff --git a/queue-4.19/usb-usbip-add-missing-device-lock-on-tweak-configura.patch b/queue-4.19/usb-usbip-add-missing-device-lock-on-tweak-configura.patch
new file mode 100644
index 00000000000..27623abf12d
--- /dev/null
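Review bot: The new `return -EIO;` in `rio_karma_init()` leaves `data` and `data->recv` allocated, which is only correct because `us->extra` and `us->extra_destructor` are assigned just before the command is sent; that ownership hand-off is not documented. I would add before the send: `/* data is owned by us->extra from here; rio_karma_destructor() frees it if init fails */`, on the assumption that the usb-storage core runs the destructor after a failed init, which this hunk does not show. As a style point, `kzalloc(sizeof(*data), GFP_NOIO)` ties the allocation size to the variable rather than to a repeated type name.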
+++ b/queue-4.19/usb-usbip-add-missing-device-lock-on-tweak-configura.patch 
@@ -0,0 +1,49 @@
+From 39723fd842229a9b4e47a95295391113e5ea7208 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 18:50:55 +0200
+Subject: usb: usbip: add missing device lock on tweak configuration cmd
+
+From: Niels Dossche
+
+[ Upstream commit d088fabace2ca337b275d1d4b36db4fe7771e44f ]
+
+The function documentation of usb_set_configuration says that its
+callers should hold the device lock. This lock is held for all
+callsites except tweak_set_configuration_cmd. The code path can be
+executed for example when attaching a remote USB device.
+The solution is to surround the call by the device lock.
+
+This bug was found using my experimental own-developed static analysis
+tool, which reported the missing lock on v5.17.2. I manually verified
+this bug report by doing code review as well. I runtime checked that
+the required lock is not held. I compiled and runtime tested this on
+x86_64 with a USB mouse. After applying this patch, my analyser no
+longer reports this potential bug.
+
+Fixes: 2c8c98158946 ("staging: usbip: let client choose device configuration")
+Reviewed-by: Shuah Khan
+Signed-off-by: Niels Dossche
+Link: https://lore.kernel.org/r/20220412165055.257113-1-dossche.niels@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/usbip/stub_rx.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/usb/usbip/stub_rx.c b/drivers/usb/usbip/stub_rx.c
+index 8c55cd833098..b88eeaee637a 100644
+--- a/drivers/usb/usbip/stub_rx.c
++++ b/drivers/usb/usbip/stub_rx.c
+@@ -138,7 +138,9 @@ static int tweak_set_configuration_cmd(struct urb *urb)
+ req = (struct usb_ctrlrequest *) urb->setup_packet;
+ config = le16_to_cpu(req->wValue);
+
++ usb_lock_device(sdev->udev);
+ err = usb_set_configuration(sdev->udev, config);
++ usb_unlock_device(sdev->udev);
+ if (err && err != -ENODEV)
+ dev_err(&sdev->udev->dev, "can't set config #%d, error %d\n",
+ config, err);
+--
+2.35.1
+
diff --git a/queue-4.19/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch b/queue-4.19/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
new file mode 100644
index 00000000000..56efc425c37
--- /dev/null
+++ b/queue-4.19/usb-usbip-fix-a-refcount-leak-in-stub_probe.patch
@@ -0,0 +1,49 @@
+From 40fa18379148749943479216c9320180b03673b1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Apr 2022 10:02:57 +0800
+Subject: usb: usbip: fix a refcount leak in stub_probe()
+
+From: Hangyu Hua
+
+[ Upstream commit 9ec4cbf1cc55d126759051acfe328d489c5d6e60 ]
+
+usb_get_dev() is called in stub_device_alloc(). When stub_probe() fails
+after that, usb_put_dev() needs to be called to release the reference.
+
+Fix this by moving usb_put_dev() to sdev_free error path handling.
+
+Find this by code review.
+
+Fixes: 3ff67445750a ("usbip: fix error handling in stub_probe()")
+Reviewed-by: Shuah Khan
+Signed-off-by: Hangyu Hua
+Link: https://lore.kernel.org/r/20220412020257.9767-1-hbh25y@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/usbip/stub_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c
+index 0081c1073b08..c64964c32cc9 100644
+--- a/drivers/usb/usbip/stub_dev.c
++++ b/drivers/usb/usbip/stub_dev.c
+@@ -427,7 +427,6 @@ static int stub_probe(struct usb_device *udev)
+ (struct usb_dev_state *) udev);
+ err_port:
+ dev_set_drvdata(&udev->dev, NULL);
+- usb_put_dev(udev);
+
+ /* we already have busid_priv, just lock busid_lock */
+ spin_lock(&busid_priv->busid_lock);
+@@ -442,6 +441,7 @@ static int stub_probe(struct usb_device *udev)
+ put_busid_priv(busid_priv);
+
+ sdev_free:
++ usb_put_dev(udev);
+ stub_device_free(sdev);
+
+ return rc;
+--
+2.35.1
+
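Review bot: With `usb_put_dev(udev)` moved under `sdev_free:`, every jump to that label now drops a reference, so each one has to come after `stub_device_alloc()` has succeeded and taken it. The gotos sit outside the two inner hunks shown; confirm that the allocation-failure path returns directly rather than going through `sdev_free`, and that `stub_device_free()` does not itself put `sdev->udev`, otherwise the count would underflow. A one-line comment above the new call, `/* drop the ref taken in stub_device_alloc() */`, would record the pairing for the next reader.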