From: Sasha Levin
Date: Mon, 13 Jun 2022 00:59:23 +0000 (-0400)
Subject: Fixes for 4.9
X-Git-Tag: v4.9.318~86
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d37c55ea9bd63c0802f83ea07515e41882ef75d2;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.9
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.9/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-20726 b/queue-4.9/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-20726
new file mode 100644
index 00000000000..8968af421ac
--- /dev/null
+++ b/queue-4.9/clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-20726
@@ -0,0 +1,65 @@ +From 0981eb4e8bdb0f053c5813b3f4d5e494c9d81094 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 17:25:22 +0100 +Subject: clocksource/drivers/sp804: Avoid error on multiple instances + +From: Andre Przywara + +[ Upstream commit a98399cbc1e05f7b977419f03905501d566cf54e ] + +When a machine sports more than one SP804 timer instance, we only bring +up the first one, since multiple timers of the same kind are not useful +to Linux. As this is intentional behaviour, we should not return an +error message, as we do today: +=============== +[ 0.000800] Failed to initialize '/bus@8000000/motherboard-bus@8000000/iofpga-bus@300000000/timer@120000': -22 +=============== + +Replace the -EINVAL return with a debug message and return 0 instead. + +Also we do not reach the init function anymore if the DT node is +disabled (as this is now handled by OF_DECLARE), so remove the explicit +check for that case. + +This fixes a long standing bogus error when booting ARM's fastmodels. 
+ +Signed-off-by: Andre Przywara +Reviewed-by: Robin Murphy +Link: https://lore.kernel.org/r/20220506162522.3675399-1-andre.przywara@arm.com +Signed-off-by: Daniel Lezcano +Signed-off-by: Sasha Levin +--- + drivers/clocksource/timer-sp804.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/clocksource/timer-sp804.c b/drivers/clocksource/timer-sp804.c +index d07863388e05..780699e4d120 100644 +--- a/drivers/clocksource/timer-sp804.c ++++ b/drivers/clocksource/timer-sp804.c +@@ -227,6 +227,11 @@ static int __init sp804_of_init(struct device_node *np) + struct clk *clk1, *clk2; + const char *name = of_get_property(np, "compatible", NULL); + ++ if (initialized) { ++ pr_debug("%pOF: skipping further SP804 timer device\n", np); ++ return 0; ++ } ++ + base = of_iomap(np, 0); + if (!base) + return -ENXIO; +@@ -235,11 +240,6 @@ static int __init sp804_of_init(struct device_node *np) + writel(0, base + TIMER_CTRL); + writel(0, base + TIMER_2_BASE + TIMER_CTRL); + +- if (initialized || !of_device_is_available(np)) { +- ret = -EINVAL; +- goto err; +- } +- + clk1 = of_clk_get(np, 0); + if (IS_ERR(clk1)) + clk1 = NULL; +-- +2.35.1 + diff --git a/queue-4.9/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-5623 b/queue-4.9/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-5623 new file mode 100644 index 00000000000..430d1952eee --- /dev/null +++ b/queue-4.9/drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-5623 
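Review bot: The new pr_debug() in sp804_of_init() uses `%pOF`, which as far as I recall lib/vsprintf.c only learned after 4.9; on a tree without it the pointer falls through to the default formatter, so the line prints the raw device_node address followed by a literal "OF:" — wrong output, and a kernel pointer in the log whenever that debug site is enabled. If this tree indeed lacks `%pOF`, `pr_debug("%s: skipping further SP804 timer device\n", np->full_name);` keeps the intent without printing the pointer; worth checking the backport against this tree's vsprintf before queueing. Dropping `of_device_is_available(np)` relies on 4.9's clocksource probing loop skipping disabled nodes, which is not visible here and should be confirmed for the same reason. sp804_of_init() continues outside the hunk.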
@@ -0,0 +1,55 @@ +From d8d5f0f9995d54b8e6fe337b46d8daba238971b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 22:16:41 +0800 +Subject: drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop() + +From: Duoming Zhou + +[ Upstream commit 9b6bdbd9337de3917945847bde262a34a87a6303 ] + +There is a deadlock in rtllib_beacons_stop(), which is shown +below: + + (Thread 1) | (Thread 2) + | rtllib_send_beacon() +rtllib_beacons_stop() | mod_timer() + spin_lock_irqsave() //(1) | (wait a time) + ... | rtllib_send_beacon_cb() + del_timer_sync() | spin_lock_irqsave() //(2) + (wait timer to stop) | ... + +We hold ieee->beacon_lock in position (1) of thread 1 and +use del_timer_sync() to wait timer to stop, but timer handler +also need ieee->beacon_lock in position (2) of thread 2. +As a result, rtllib_beacons_stop() will block forever. + +This patch extracts del_timer_sync() from the protection of +spin_lock_irqsave(), which could let timer handler to obtain +the needed lock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417141641.124388-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib_softmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_softmac.c b/drivers/staging/rtl8192e/rtllib_softmac.c +index da74dc49b95e..f46def63967b 100644 +--- a/drivers/staging/rtl8192e/rtllib_softmac.c ++++ b/drivers/staging/rtl8192e/rtllib_softmac.c +@@ -655,9 +655,9 @@ static void rtllib_beacons_stop(struct rtllib_device *ieee) + spin_lock_irqsave(&ieee->beacon_lock, flags); + + ieee->beacon_txing = 0; +- del_timer_sync(&ieee->beacon_timer); + + spin_unlock_irqrestore(&ieee->beacon_lock, flags); ++ del_timer_sync(&ieee->beacon_timer); + + } + +-- +2.35.1 + 
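Review bot: The ordering that makes the moved `del_timer_sync(&ieee->beacon_timer);` safe is not recorded at the call: `ieee->beacon_txing = 0;` is stored under beacon_lock before the lock is released, and presumably the timer callback only re-arms the timer while that flag is set (the callback is outside the hunk), so a comment such as `/* beacon_txing was cleared under beacon_lock, so the callback cannot re-arm the timer; stop it with the lock dropped, since the callback takes the same lock */` above the call would keep a later cleanup from pulling it back inside the critical section. The sa1100 hunk in the next patch (drivers/tty/serial/sa1100.c) has the same shape and would benefit from the same comment above its moved `del_timer_sync(&sport->timer);`. rtllib_beacons_stop() begins outside the hunk.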
diff --git a/queue-4.9/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-29741 b/queue-4.9/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-29741
new file mode 100644
index 00000000000..74434e51cdb
--- /dev/null
+++ b/queue-4.9/drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-29741
@@ -0,0 +1,61 @@ +From db47410ed6c0dd13b17bb2415a921ac432c3c1f9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 19:16:26 +0800 +Subject: drivers: tty: serial: Fix deadlock in sa1100_set_termios() + +From: Duoming Zhou + +[ Upstream commit 62b2caef400c1738b6d22f636c628d9f85cd4c4c ] + +There is a deadlock in sa1100_set_termios(), which is shown +below: + + (Thread 1) | (Thread 2) + | sa1100_enable_ms() +sa1100_set_termios() | mod_timer() + spin_lock_irqsave() //(1) | (wait a time) + ... | sa1100_timeout() + del_timer_sync() | spin_lock_irqsave() //(2) + (wait timer to stop) | ... + +We hold sport->port.lock in position (1) of thread 1 and +use del_timer_sync() to wait timer to stop, but timer handler +also need sport->port.lock in position (2) of thread 2. As a result, +sa1100_set_termios() will block forever. + +This patch moves del_timer_sync() before spin_lock_irqsave() +in order to prevent the deadlock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417111626.7802-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sa1100.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/tty/serial/sa1100.c b/drivers/tty/serial/sa1100.c +index fd3d1329d48c..68eb1c9faa29 100644 +--- a/drivers/tty/serial/sa1100.c ++++ b/drivers/tty/serial/sa1100.c +@@ -452,6 +452,8 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios, + baud = uart_get_baud_rate(port, termios, old, 0, port->uartclk/16); + quot = uart_get_divisor(port, baud); + ++ del_timer_sync(&sport->timer); ++ + spin_lock_irqsave(&sport->port.lock, flags); + + sport->port.read_status_mask &= UTSR0_TO_SM(UTSR0_TFS); +@@ -482,8 +484,6 @@ sa1100_set_termios(struct uart_port *port, struct ktermios *termios, + UTSR1_TO_SM(UTSR1_ROR); + } + +- del_timer_sync(&sport->timer); +- + /* + * Update the per-port timeout. + */ +-- +2.35.1 + 
diff --git a/queue-4.9/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-7308 b/queue-4.9/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-7308 new file mode 100644 index 00000000000..88291395142 --- /dev/null +++ b/queue-4.9/drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-7308 @@ -0,0 +1,54 @@ +From cc91bd07de1133da46dcc8f50625890b6bf1db78 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Apr 2022 20:03:05 +0800 +Subject: drivers: usb: host: Fix deadlock in oxu_bus_suspend() + +From: Duoming Zhou + +[ Upstream commit 4d378f2ae58138d4c55684e1d274e7dd94aa6524 ] + +There is a deadlock in oxu_bus_suspend(), which is shown below: + + (Thread 1) | (Thread 2) + | timer_action() +oxu_bus_suspend() | mod_timer() + spin_lock_irq() //(1) | (wait a time) + ... | oxu_watchdog() + del_timer_sync() | spin_lock_irq() //(2) + (wait timer to stop) | ... + +We hold oxu->lock in position (1) of thread 1, and use +del_timer_sync() to wait timer to stop, but timer handler +also need oxu->lock in position (2) of thread 2. As a result, +oxu_bus_suspend() will block forever. + +This patch extracts del_timer_sync() from the protection of +spin_lock_irq(), which could let timer handler to obtain +the needed lock. + +Signed-off-by: Duoming Zhou +Link: https://lore.kernel.org/r/20220417120305.64577-1-duoming@zju.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/oxu210hp-hcd.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/host/oxu210hp-hcd.c b/drivers/usb/host/oxu210hp-hcd.c +index 2f48da0c0bb3..af5248f62c59 100644 +--- a/drivers/usb/host/oxu210hp-hcd.c ++++ b/drivers/usb/host/oxu210hp-hcd.c +@@ -3491,8 +3491,10 @@ static int oxu_bus_suspend(struct usb_hcd *hcd) + } + } + ++ spin_unlock_irq(&oxu->lock); + /* turn off now-idle HC */ + del_timer_sync(&oxu->watchdog); ++ spin_lock_irq(&oxu->lock); + ehci_halt(oxu); + hcd->state = HC_STATE_SUSPENDED; + +-- +2.35.1 + 
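Review bot: Dropping `oxu->lock` around `del_timer_sync(&oxu->watchdog);` in oxu_bus_suspend() opens a window in which whatever the earlier part of the function checked under the lock (the closing braces at the top of the hunk suggest a port-status loop, but that code is outside the hunk) can change before `ehci_halt(oxu);` runs, and nothing is re-validated after `spin_lock_irq(&oxu->lock);` is retaken. A watchdog re-armed through another path while the lock is dropped would also outlive the stop; the commit message does not say whether that is acceptable, so it is worth confirming against the callers. At minimum a comment like `/* The watchdog handler takes oxu->lock, so it must be stopped with the lock dropped; state checked above is not re-validated after re-locking */` documents the trade-off at the site. oxu_bus_suspend() begins and ends outside the hunk.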
diff --git a/queue-4.9/drm-radeon-fix-a-possible-null-pointer-dereference.patch-13071 b/queue-4.9/drm-radeon-fix-a-possible-null-pointer-dereference.patch-13071
new file mode 100644
index 00000000000..711cb450e4c
--- /dev/null
+++ b/queue-4.9/drm-radeon-fix-a-possible-null-pointer-dereference.patch-13071
@@ -0,0 +1,47 @@ +From d107ce35f5df68fd284e16aed6cf9380dbb98fd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 May 2022 17:57:00 +0800 +Subject: drm/radeon: fix a possible null pointer dereference + +From: Gong Yuanjun + +[ Upstream commit a2b28708b645c5632dc93669ab06e97874c8244f ] + +In radeon_fp_native_mode(), the return value of drm_mode_duplicate() +is assigned to mode, which will lead to a NULL pointer dereference +on failure of drm_mode_duplicate(). Add a check to avoid npd. + +The failure status of drm_cvt_mode() on the other path is checked too. + +Signed-off-by: Gong Yuanjun +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_connectors.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_connectors.c b/drivers/gpu/drm/radeon/radeon_connectors.c +index 9e6c2be0cc7d..a759955e3797 100644 +--- a/drivers/gpu/drm/radeon/radeon_connectors.c ++++ b/drivers/gpu/drm/radeon/radeon_connectors.c +@@ -489,6 +489,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode + native_mode->vdisplay != 0 && + native_mode->clock != 0) { + mode = drm_mode_duplicate(dev, native_mode); ++ if (!mode) ++ return NULL; + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + drm_mode_set_name(mode); + +@@ -503,6 +505,8 @@ static struct drm_display_mode *radeon_fp_native_mode(struct drm_encoder *encode + * simpler. + */ + mode = drm_cvt_mode(dev, native_mode->hdisplay, native_mode->vdisplay, 60, true, false, false); ++ if (!mode) ++ return NULL; + mode->type = DRM_MODE_TYPE_PREFERRED | DRM_MODE_TYPE_DRIVER; + DRM_DEBUG_KMS("Adding cvt approximation of native panel mode %s\n", mode->name); + } +-- +2.35.1 + diff --git a/queue-4.9/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-3507 b/queue-4.9/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-3507 new file mode 100644 index 00000000000..0bfbdbd4057 --- /dev/null 
+++ b/queue-4.9/iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-3507 
@@ -0,0 +1,88 @@ +From d7d3007f8c5eb24d655a2039afa27c1800ad93a6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 5 Mar 2022 11:14:05 +0800 +Subject: iio: dummy: iio_simple_dummy: check the return value of kstrdup() + +From: Xiaoke Wang + +[ Upstream commit ba93642188a6fed754bf7447f638bc410e05a929 ] + +kstrdup() is also a memory allocation-related function, it returns NULL +when some memory errors happen. So it is better to check the return +value of it so to catch the memory error in time. Besides, there should +have a kfree() to clear up the allocation if we get a failure later in +this function to prevent memory leak. + +Signed-off-by: Xiaoke Wang +Link: https://lore.kernel.org/r/tencent_C920CFCC33B9CC1C63141FE1334A39FF8508@qq.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/dummy/iio_simple_dummy.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/iio/dummy/iio_simple_dummy.c b/drivers/iio/dummy/iio_simple_dummy.c +index ad3410e528b6..7fef76f0b5c7 100644 +--- a/drivers/iio/dummy/iio_simple_dummy.c ++++ b/drivers/iio/dummy/iio_simple_dummy.c +@@ -572,10 +572,9 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + struct iio_sw_device *swd; + + swd = kzalloc(sizeof(*swd), GFP_KERNEL); +- if (!swd) { +- ret = -ENOMEM; +- goto error_kzalloc; +- } ++ if (!swd) ++ return ERR_PTR(-ENOMEM); ++ + /* + * Allocate an IIO device. 
+ * +@@ -587,7 +586,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + indio_dev = iio_device_alloc(sizeof(*st)); + if (!indio_dev) { + ret = -ENOMEM; +- goto error_ret; ++ goto error_free_swd; + } + + st = iio_priv(indio_dev); +@@ -618,6 +617,10 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + * indio_dev->name = spi_get_device_id(spi)->name; + */ + indio_dev->name = kstrdup(name, GFP_KERNEL); ++ if (!indio_dev->name) { ++ ret = -ENOMEM; ++ goto error_free_device; ++ } + + /* Provide description of available channels */ + indio_dev->channels = iio_dummy_channels; +@@ -634,7 +637,7 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + + ret = iio_simple_dummy_events_register(indio_dev); + if (ret < 0) +- goto error_free_device; ++ goto error_free_name; + + ret = iio_simple_dummy_configure_buffer(indio_dev); + if (ret < 0) +@@ -651,11 +654,12 @@ static struct iio_sw_device *iio_dummy_probe(const char *name) + iio_simple_dummy_unconfigure_buffer(indio_dev); + error_unregister_events: + iio_simple_dummy_events_unregister(indio_dev); ++error_free_name: ++ kfree(indio_dev->name); + error_free_device: + iio_device_free(indio_dev); +-error_ret: ++error_free_swd: + kfree(swd); +-error_kzalloc: + return ERR_PTR(ret); + } + +-- +2.35.1 + diff --git a/queue-4.9/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-21612 b/queue-4.9/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-21612 new file mode 100644 index 00000000000..b1ba6e8cf9d --- /dev/null +++ b/queue-4.9/lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-21612 
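Review bot: The new `error_free_name:` label frees `indio_dev->name`, which is correct for the kstrdup() result above it but silently depends on the driver's teardown path (not in the hunk) also owning and freeing that string exactly once; a short comment at the label, `/* name was kstrdup()'d above; the remove path frees it on the success side */`, ties the two sites together for the next reader. The early `return ERR_PTR(-ENOMEM);` on kzalloc() failure is fine because nothing has been allocated yet, though it now mixes an early return with the goto-based unwinding used for every later failure in the same function. iio_dummy_probe() begins outside the hunk.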
@@ -0,0 +1,75 @@ +From 5754a57b4a9e125864d1fab869fd1da936ac4970 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Feb 2022 12:15:03 -0800 +Subject: lkdtm/usercopy: Expand size of "out of frame" object + +From: Kees Cook + +[ Upstream commit f387e86d3a74407bdd9c5815820ac9d060962840 ] + +To be sufficiently out of range for the usercopy test to see the lifetime +mismatch, expand the size of the "bad" buffer, which will let it be +beyond current_stack_pointer regardless of stack growth direction. +Paired with the recent addition of stack depth checking under +CONFIG_HARDENED_USERCOPY=y, this will correctly start tripping again. + +Reported-by: Muhammad Usama Anjum +Cc: Arnd Bergmann +Cc: Greg Kroah-Hartman +Reviewed-by: Muhammad Usama Anjum +Link: https://lore.kernel.org/lkml/762faf1b-0443-5ddf-4430-44a20cf2ec4d@collabora.com/ +Signed-off-by: Kees Cook +Signed-off-by: Sasha Levin +--- + drivers/misc/lkdtm_usercopy.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/lkdtm_usercopy.c b/drivers/misc/lkdtm_usercopy.c +index 1dd611423d8b..36438947244d 100644 +--- a/drivers/misc/lkdtm_usercopy.c ++++ b/drivers/misc/lkdtm_usercopy.c +@@ -28,12 +28,12 @@ static const unsigned char test_text[] = "This is a test.\n"; + */ + static noinline unsigned char *trick_compiler(unsigned char *stack) + { +- return stack + 0; ++ return stack + unconst; + } + + static noinline unsigned char *do_usercopy_stack_callee(int value) + { +- unsigned char buf[32]; ++ unsigned char buf[128]; + int i; + + /* Exercise stack to avoid everything living in registers. */ +@@ -41,7 +41,12 @@ static noinline unsigned char *do_usercopy_stack_callee(int value) + buf[i] = value & 0xff; + } + +- return trick_compiler(buf); ++ /* ++ * Put the target buffer in the middle of stack allocation ++ * so that we don't step on future stack users regardless ++ * of stack growth direction. 
++ */ ++ return trick_compiler(&buf[(128/2)-32]); + } + + static noinline void do_usercopy_stack(bool to_user, bool bad_frame) +@@ -64,6 +69,12 @@ static noinline void do_usercopy_stack(bool to_user, bool bad_frame) + bad_stack -= sizeof(unsigned long); + } + ++#ifdef ARCH_HAS_CURRENT_STACK_POINTER ++ pr_info("stack : %px\n", (void *)current_stack_pointer); ++#endif ++ pr_info("good_stack: %px-%px\n", good_stack, good_stack + sizeof(good_stack)); ++ pr_info("bad_stack : %px-%px\n", bad_stack, bad_stack + sizeof(good_stack)); ++ + user_addr = vm_mmap(NULL, 0, PAGE_SIZE, + PROT_READ | PROT_WRITE | PROT_EXEC, + MAP_ANONYMOUS | MAP_PRIVATE, 0); +-- +2.35.1 + diff --git a/queue-4.9/md-protect-md_unregister_thread-from-reentrancy.patch-2164 b/queue-4.9/md-protect-md_unregister_thread-from-reentrancy.patch-2164 new file mode 100644 index 00000000000..dae121b1a9e --- /dev/null +++ b/queue-4.9/md-protect-md_unregister_thread-from-reentrancy.patch-2164 
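Review bot: `unsigned char buf[128];` and `&buf[(128/2)-32]` repeat the buffer size as a literal in two places, so the "middle of the allocation" comment stops being true if one is edited without the other; `return trick_compiler(&buf[sizeof(buf) / 2 - 32]);` keeps the offset tied to the declaration. The added pr_info() lines use `%px`, which I believe vsprintf only gained after 4.9; on a tree without it the pointer is printed by the default formatter and the `x` is emitted as literal text, so the output is still usable but carries stray characters — worth checking against this tree's lib/vsprintf.c. Printing stack addresses at info level is expected here, since lkdtm exists to trip the hardened-usercopy checks on demand. do_usercopy_stack() continues outside the hunk.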
@@ -0,0 +1,63 @@ +From 0e45c9ffc82ef1fd41dc2e5b2857109607e6b228 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 16:49:09 +0800 +Subject: md: protect md_unregister_thread from reentrancy + +From: Guoqing Jiang + +[ Upstream commit 1e267742283a4b5a8ca65755c44166be27e9aa0f ] + +Generally, the md_unregister_thread is called with reconfig_mutex, but +raid_message in dm-raid doesn't hold reconfig_mutex to unregister thread, +so md_unregister_thread can be called simulitaneously from two call sites +in theory. + +Then after previous commit which remove the protection of reconfig_mutex +for md_unregister_thread completely, the potential issue could be worse +than before. + +Let's take pers_lock at the beginning of function to ensure reentrancy. + +Reported-by: Donald Buczek +Signed-off-by: Guoqing Jiang +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/md.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index 0197d18b5407..9e8373e7e287 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7254,17 +7254,22 @@ EXPORT_SYMBOL(md_register_thread); + + void md_unregister_thread(struct md_thread **threadp) + { +- struct md_thread *thread = *threadp; +- if (!thread) +- return; +- pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk)); +- /* Locking ensures that mddev_unlock does not wake_up a ++ struct md_thread *thread; ++ ++ /* ++ * Locking ensures that mddev_unlock does not wake_up a + * non-existent thread + */ + spin_lock(&pers_lock); ++ thread = *threadp; ++ if (!thread) { ++ spin_unlock(&pers_lock); ++ return; ++ } + *threadp = NULL; + spin_unlock(&pers_lock); + ++ pr_debug("interrupting MD-thread pid %d\n", task_pid_nr(thread->tsk)); + kthread_stop(thread->tsk); + kfree(thread); + } +-- +2.35.1 + 
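Review bot: The comment kept above `spin_lock(&pers_lock);` still only explains the mddev_unlock()/wake_up race, while the reason for the new placement — two concurrent md_unregister_thread() callers must not both claim and free the same `*threadp` — lives only in the commit message. Extending it to `* non-existent thread, and that concurrent callers cannot both claim and free the same thread: only the caller that observes a non-NULL *threadp proceeds.` records the invariant the code now relies on. Reading `thread->tsk` for the pr_debug() after the unlock is fine, since the caller that NULLed `*threadp` under the lock is the sole owner from then on.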
diff --git a/queue-4.9/misc-rtsx-set-null-intfdata-when-probe-fails.patch-2601 b/queue-4.9/misc-rtsx-set-null-intfdata-when-probe-fails.patch-2601 new file mode 100644 index 00000000000..e8f50b9ed72 --- /dev/null +++ b/queue-4.9/misc-rtsx-set-null-intfdata-when-probe-fails.patch-2601 @@ -0,0 +1,39 @@ +From 8fc659a8fbfc68ca1a3f6e48ca3ab7a92ccd4dbc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Apr 2022 15:09:13 -0600 +Subject: misc: rtsx: set NULL intfdata when probe fails + +From: Shuah Khan + +[ Upstream commit f861d36e021e1ac4a0a2a1f6411d623809975d63 ] + +rtsx_usb_probe() doesn't call usb_set_intfdata() to null out the +interface pointer when probe fails. This leaves a stale pointer. +Noticed the missing usb_set_intfdata() while debugging an unrelated +invalid DMA mapping problem. + +Fix it with a call to usb_set_intfdata(..., NULL). + +Signed-off-by: Shuah Khan +Link: https://lore.kernel.org/r/20220429210913.46804-1-skhan@linuxfoundation.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mfd/rtsx_usb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mfd/rtsx_usb.c b/drivers/mfd/rtsx_usb.c +index 691dab791f7a..e94f855eac15 100644 +--- a/drivers/mfd/rtsx_usb.c ++++ b/drivers/mfd/rtsx_usb.c +@@ -678,6 +678,7 @@ static int rtsx_usb_probe(struct usb_interface *intf, + return 0; + + out_init_fail: ++ usb_set_intfdata(ucr->pusb_intf, NULL); + usb_free_coherent(ucr->pusb_dev, IOBUF_SIZE, ucr->iobuf, + ucr->iobuf_dma); + return ret; +-- +2.35.1 + diff --git a/queue-4.9/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-21303 b/queue-4.9/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-21303 new file mode 100644 index 00000000000..ce6e70a2e4d --- /dev/null +++ b/queue-4.9/modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-21303 
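Review bot: The added `usb_set_intfdata(ucr->pusb_intf, NULL);` only covers failures that reach `out_init_fail:`; any error return between the original usb_set_intfdata() call and that label (the earlier part of rtsx_usb_probe() is outside the hunk) would still leave the stale interface pointer, which is worth checking in this tree. Passing the probe's own parameter, `usb_set_intfdata(intf, NULL);`, would also make the cleanup independent of `ucr->pusb_intf` having been assigned, assuming the two are the same pointer. rtsx_usb_probe() begins outside the hunk.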
@@ -0,0 +1,63 @@ +From acbb53b02c4c3d15b925fd6ce446ba7e72422175 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 May 2022 01:46:22 +0900 +Subject: modpost: fix undefined behavior of is_arm_mapping_symbol() + +From: Masahiro Yamada + +[ Upstream commit d6b732666a1bae0df3c3ae06925043bba34502b1 ] + +The return value of is_arm_mapping_symbol() is unpredictable when "$" +is passed in. + +strchr(3) says: + The strchr() and strrchr() functions return a pointer to the matched + character or NULL if the character is not found. The terminating null + byte is considered part of the string, so that if c is specified as + '\0', these functions return a pointer to the terminator. + +When str[1] is '\0', strchr("axtd", str[1]) is not NULL, and str[2] is +referenced (i.e. buffer overrun). + +Test code +--------- + + char str1[] = "abc"; + char str2[] = "ab"; + + strcpy(str1, "$"); + strcpy(str2, "$"); + + printf("test1: %d\n", is_arm_mapping_symbol(str1)); + printf("test2: %d\n", is_arm_mapping_symbol(str2)); + +Result +------ + + test1: 0 + test2: 1 + +Signed-off-by: Masahiro Yamada +Reviewed-by: Nick Desaulniers +Signed-off-by: Sasha Levin +--- + scripts/mod/modpost.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/scripts/mod/modpost.c b/scripts/mod/modpost.c +index 29c3e4d6fc06..c5f3267aa08a 100644 +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -1212,7 +1212,8 @@ static int secref_whitelist(const struct sectioncheck *mismatch, + + static inline int is_arm_mapping_symbol(const char *str) + { +- return str[0] == '$' && strchr("axtd", str[1]) ++ return str[0] == '$' && ++ (str[1] == 'a' || str[1] == 'd' || str[1] == 't' || str[1] == 'x') + && (str[2] == '\0' || str[2] == '.'); + } + +-- +2.35.1 + diff --git a/queue-4.9/nodemask-fix-return-values-to-be-unsigned.patch-31283 b/queue-4.9/nodemask-fix-return-values-to-be-unsigned.patch-31283 new file mode 100644 index 00000000000..bc362f02ae6 --- /dev/null 
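Review bot: The reason strchr() was replaced in is_arm_mapping_symbol() is easy to lose again, because `strchr("axtd", str[1])` reads as the natural form; a comment above the return, `/* Not strchr(): it also matches the terminating NUL, so a bare "$" would read str[2] past the end of the string. */`, keeps the rationale with the code rather than only in the commit message. The explicit comparisons short-circuit correctly: `str[0] == '$'` guards the read of `str[1]`, and `str[2]` is only read once `str[1]` matched a mapping letter, so no byte past the terminator is touched.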
+++ b/queue-4.9/nodemask-fix-return-values-to-be-unsigned.patch-31283 
@@ -0,0 +1,189 @@ +From 95b333efef95cf584c26ae6666192b1b1f9d407c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 May 2022 13:52:23 -0700 +Subject: nodemask: Fix return values to be unsigned +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kees Cook + +[ Upstream commit 0dfe54071d7c828a02917b595456bfde1afdddc9 ] + +The nodemask routines had mixed return values that provided potentially +signed return values that could never happen. This was leading to the +compiler getting confusing about the range of possible return values +(it was thinking things could be negative where they could not be). Fix +all the nodemask routines that should be returning unsigned +(or bool) values. Silences: + + mm/swapfile.c: In function ‘setup_swap_info’: + mm/swapfile.c:2291:47: error: array subscript -1 is below array bounds of ‘struct plist_node[]’ [-Werror=array-bounds] + 2291 | p->avail_lists[i].prio = 1; + | ~~~~~~~~~~~~~~^~~ + In file included from mm/swapfile.c:16: + ./include/linux/swap.h:292:27: note: while referencing ‘avail_lists’ + 292 | struct plist_node avail_lists[]; /* + | ^~~~~~~~~~~ + +Reported-by: Christophe de Dinechin +Link: https://lore.kernel.org/lkml/20220414150855.2407137-3-dinechin@redhat.com/ +Cc: Alexey Dobriyan +Cc: Yury Norov +Cc: Andy Shevchenko +Cc: Rasmus Villemoes +Cc: Andrew Morton +Cc: Zhen Lei +Signed-off-by: Kees Cook +Signed-off-by: Yury Norov +Signed-off-by: Sasha Levin +--- + include/linux/nodemask.h | 38 +++++++++++++++++++------------------- + lib/nodemask.c | 4 ++-- + 2 files changed, 21 insertions(+), 21 deletions(-) + +diff --git a/include/linux/nodemask.h b/include/linux/nodemask.h +index 7b7155a6c984..3cc98ded3373 100644 +--- a/include/linux/nodemask.h ++++ b/include/linux/nodemask.h +@@ -41,11 +41,11 @@ + * void nodes_shift_right(dst, src, n) Shift right + * void nodes_shift_left(dst, src, n) Shift left + * +- * int first_node(mask) Number lowest set bit, or MAX_NUMNODES +- * 
int next_node(node, mask) Next node past 'node', or MAX_NUMNODES +- * int next_node_in(node, mask) Next node past 'node', or wrap to first, ++ * unsigned int first_node(mask) Number lowest set bit, or MAX_NUMNODES ++ * unsigend int next_node(node, mask) Next node past 'node', or MAX_NUMNODES ++ * unsigned int next_node_in(node, mask) Next node past 'node', or wrap to first, + * or MAX_NUMNODES +- * int first_unset_node(mask) First node not set in mask, or ++ * unsigned int first_unset_node(mask) First node not set in mask, or + * MAX_NUMNODES + * + * nodemask_t nodemask_of_node(node) Return nodemask with bit 'node' set +@@ -143,7 +143,7 @@ static inline void __nodes_clear(nodemask_t *dstp, unsigned int nbits) + + #define node_test_and_set(node, nodemask) \ + __node_test_and_set((node), &(nodemask)) +-static inline int __node_test_and_set(int node, nodemask_t *addr) ++static inline bool __node_test_and_set(int node, nodemask_t *addr) + { + return test_and_set_bit(node, addr->bits); + } +@@ -190,7 +190,7 @@ static inline void __nodes_complement(nodemask_t *dstp, + + #define nodes_equal(src1, src2) \ + __nodes_equal(&(src1), &(src2), MAX_NUMNODES) +-static inline int __nodes_equal(const nodemask_t *src1p, ++static inline bool __nodes_equal(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_equal(src1p->bits, src2p->bits, nbits); +@@ -198,7 +198,7 @@ static inline int __nodes_equal(const nodemask_t *src1p, + + #define nodes_intersects(src1, src2) \ + __nodes_intersects(&(src1), &(src2), MAX_NUMNODES) +-static inline int __nodes_intersects(const nodemask_t *src1p, ++static inline bool __nodes_intersects(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_intersects(src1p->bits, src2p->bits, nbits); +@@ -206,20 +206,20 @@ static inline int __nodes_intersects(const nodemask_t *src1p, + + #define nodes_subset(src1, src2) \ + __nodes_subset(&(src1), &(src2), MAX_NUMNODES) +-static inline int 
__nodes_subset(const nodemask_t *src1p, ++static inline bool __nodes_subset(const nodemask_t *src1p, + const nodemask_t *src2p, unsigned int nbits) + { + return bitmap_subset(src1p->bits, src2p->bits, nbits); + } + + #define nodes_empty(src) __nodes_empty(&(src), MAX_NUMNODES) +-static inline int __nodes_empty(const nodemask_t *srcp, unsigned int nbits) ++static inline bool __nodes_empty(const nodemask_t *srcp, unsigned int nbits) + { + return bitmap_empty(srcp->bits, nbits); + } + + #define nodes_full(nodemask) __nodes_full(&(nodemask), MAX_NUMNODES) +-static inline int __nodes_full(const nodemask_t *srcp, unsigned int nbits) ++static inline bool __nodes_full(const nodemask_t *srcp, unsigned int nbits) + { + return bitmap_full(srcp->bits, nbits); + } +@@ -250,15 +250,15 @@ static inline void __nodes_shift_left(nodemask_t *dstp, + > MAX_NUMNODES, then the silly min_ts could be dropped. */ + + #define first_node(src) __first_node(&(src)) +-static inline int __first_node(const nodemask_t *srcp) ++static inline unsigned int __first_node(const nodemask_t *srcp) + { +- return min_t(int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES)); ++ return min_t(unsigned int, MAX_NUMNODES, find_first_bit(srcp->bits, MAX_NUMNODES)); + } + + #define next_node(n, src) __next_node((n), &(src)) +-static inline int __next_node(int n, const nodemask_t *srcp) ++static inline unsigned int __next_node(int n, const nodemask_t *srcp) + { +- return min_t(int,MAX_NUMNODES,find_next_bit(srcp->bits, MAX_NUMNODES, n+1)); ++ return min_t(unsigned int, MAX_NUMNODES, find_next_bit(srcp->bits, MAX_NUMNODES, n+1)); + } + + /* +@@ -266,7 +266,7 @@ static inline int __next_node(int n, const nodemask_t *srcp) + * the first node in src if needed. Returns MAX_NUMNODES if src is empty. 
+ */ + #define next_node_in(n, src) __next_node_in((n), &(src)) +-int __next_node_in(int node, const nodemask_t *srcp); ++unsigned int __next_node_in(int node, const nodemask_t *srcp); + + static inline void init_nodemask_of_node(nodemask_t *mask, int node) + { +@@ -286,9 +286,9 @@ static inline void init_nodemask_of_node(nodemask_t *mask, int node) + }) + + #define first_unset_node(mask) __first_unset_node(&(mask)) +-static inline int __first_unset_node(const nodemask_t *maskp) ++static inline unsigned int __first_unset_node(const nodemask_t *maskp) + { +- return min_t(int,MAX_NUMNODES, ++ return min_t(unsigned int, MAX_NUMNODES, + find_first_zero_bit(maskp->bits, MAX_NUMNODES)); + } + +@@ -428,11 +428,11 @@ static inline int num_node_state(enum node_states state) + + #define first_online_node first_node(node_states[N_ONLINE]) + #define first_memory_node first_node(node_states[N_MEMORY]) +-static inline int next_online_node(int nid) ++static inline unsigned int next_online_node(int nid) + { + return next_node(nid, node_states[N_ONLINE]); + } +-static inline int next_memory_node(int nid) ++static inline unsigned int next_memory_node(int nid) + { + return next_node(nid, node_states[N_MEMORY]); + } +diff --git a/lib/nodemask.c b/lib/nodemask.c +index e42a5bf44d33..f6ad9c2775a8 100644 +--- a/lib/nodemask.c ++++ b/lib/nodemask.c +@@ -2,9 +2,9 @@ + #include + #include + +-int __next_node_in(int node, const nodemask_t *srcp) ++unsigned int __next_node_in(int node, const nodemask_t *srcp) + { +- int ret = __next_node(node, srcp); ++ unsigned int ret = __next_node(node, srcp); + + if (ret == MAX_NUMNODES) + ret = __first_node(srcp); +-- +2.35.1 + diff --git a/queue-4.9/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-18188 b/queue-4.9/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-18188 new file mode 100644 index 00000000000..68462a79fb9 --- /dev/null +++ b/queue-4.9/revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-18188 
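Review bot: The rewritten API summary in include/linux/nodemask.h introduces a typo on the new line for next_node(): `unsigend int next_node(node, mask)` should read `unsigned int next_node(node, mask)`. Callers that store these results in an `int` and compare against MAX_NUMNODES keep working, but any caller that tests the result with `< 0` (which the commit argues could never be true anyway) may now trip -Wtype-limits, so a build with that warning enabled on this tree is worthwhile. The unsigned `min_t()` in __next_node() still receives `n+1` from a signed `n`, so the implicit conversion into find_next_bit() is unchanged by the patch.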
@@ -0,0 +1,60 @@
+From ba7df6b9f13f43a1f7f3d50681dd7fefa08e113c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 23 May 2022 22:05:24 +0200
+Subject: Revert "net: af_key: add check for pfkey_broadcast in function
+ pfkey_process"
+
+From: Michal Kubecek
+
+[ Upstream commit 9c90c9b3e50e16d03c7f87d63e9db373974781e0 ]
+
+This reverts commit 4dc2a5a8f6754492180741facf2a8787f2c415d7.
+
+A non-zero return value from pfkey_broadcast() does not necessarily mean
+an error occurred as this function returns -ESRCH when no registered
+listener received the message. In particular, a call with
+BROADCAST_PROMISC_ONLY flag and null one_sk argument can never return
+zero so that this commit in fact prevents processing any PF_KEY message.
+One visible effect is that racoon daemon fails to find encryption
+algorithms like aes and refuses to start.
+
+Excluding -ESRCH return value would fix this but it's not obvious that
+we really want to bail out here and most other callers of
+pfkey_broadcast() also ignore the return value. Also, as pointed out by
+Steffen Klassert, PF_KEY is kind of deprecated and newer userspace code
+should use netlink instead so that we should only disturb the code for
+really important fixes.
+
+v2: add a comment explaining why is the return value ignored
+
+Signed-off-by: Michal Kubecek
+Signed-off-by: Steffen Klassert
+Signed-off-by: Sasha Levin
+---
+ net/key/af_key.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/net/key/af_key.c b/net/key/af_key.c
+index d5dc614af2f9..0737fc7b7ebd 100644
+--- a/net/key/af_key.c
++++ b/net/key/af_key.c
+@@ -2861,10 +2861,12 @@ static int pfkey_process(struct sock *sk, struct sk_buff *skb, const struct sadb
+ void *ext_hdrs[SADB_EXT_MAX];
+ int err;
+
+- err = pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
+- BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
+- if (err)
+- return err;
++ /* Non-zero return value of pfkey_broadcast() does not always signal
++ * an error and even on an actual error we may still want to process
++ * the message so rather ignore the return value.
++ */
++ pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL,
++ BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));
+
+ memset(ext_hdrs, 0, sizeof(ext_hdrs));
+ err = parse_exthdrs(skb, hdr, ext_hdrs);
+--
+2.35.1
+
diff --git a/queue-4.9/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-9319 b/queue-4.9/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-9319
new file mode 100644
index 00000000000..30776fc6e84
--- /dev/null
+++ b/queue-4.9/serial-msm_serial-disable-interrupts-in-__msm_consol.patch-9319
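Review bot: The restored call `pfkey_broadcast(skb_clone(skb, GFP_KERNEL), GFP_KERNEL, BROADCAST_PROMISC_ONLY, NULL, sock_net(sk));` now discards the result, so a NULL from a failed skb_clone() goes straight into pfkey_broadcast() with no local check; presumably pfkey_broadcast() rejects a NULL skb itself, but the new comment should state that this path relies on it. The comment also drops the concrete reason given in the commit message, so I would extend its first line to name the case: `* an error: it returns -ESRCH when no registered listener received the`. pfkey_process() continues outside the hunk.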
@@ -0,0 +1,59 @@
+From abd65e0782e247b072d9efae00862de06be8c579 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 6 May 2022 23:39:24 +0206
+Subject: serial: msm_serial: disable interrupts in __msm_console_write()
+
+From: John Ogness
+
+[ Upstream commit aabdbb1b7a5819e18c403334a31fb0cc2c06ad41 ]
+
+__msm_console_write() assumes that interrupts are disabled, but
+with threaded console printers it is possible that the write()
+callback of the console is called with interrupts enabled.
+
+Explicitly disable interrupts using local_irq_save() to preserve
+the assumed context.
+
+Reported-by: Marek Szyprowski
+Reviewed-by: Petr Mladek
+Signed-off-by: John Ogness
+Link: https://lore.kernel.org/r/20220506213324.470461-1-john.ogness@linutronix.de
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/msm_serial.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/drivers/tty/serial/msm_serial.c b/drivers/tty/serial/msm_serial.c
+index c284e61ed4fc..33d035f9fded 100644
+--- a/drivers/tty/serial/msm_serial.c
++++ b/drivers/tty/serial/msm_serial.c
+@@ -1578,6 +1578,7 @@ static inline struct uart_port *msm_get_port_from_line(unsigned int line)
+ static void __msm_console_write(struct uart_port *port, const char *s,
+ unsigned int count, bool is_uartdm)
+ {
++ unsigned long flags;
+ int i;
+ int num_newlines = 0;
+ bool replaced = false;
+@@ -1595,6 +1596,8 @@ static void __msm_console_write(struct uart_port *port, const char *s,
+ num_newlines++;
+ count += num_newlines;
+
++ local_irq_save(flags);
++
+ if (port->sysrq)
+ locked = 0;
+ else if (oops_in_progress)
+@@ -1640,6 +1643,8 @@ static void __msm_console_write(struct uart_port *port, const char *s,
+
+ if (locked)
+ spin_unlock(&port->lock);
++
++ local_irq_restore(flags);
+ }
+
+ static void msm_console_write(struct console *co, const char *s,
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index cdc1b954dff..250cc44a4a3 100644
--- a/queue-4.9/series
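Review bot: The added `local_irq_save(flags);` carries no comment, so a later reader of __msm_console_write() cannot tell why interrupts are masked here when the port lock below is taken with a plain spin_lock()/spin_trylock() rather than an irqsave variant. I would put the rationale from the commit message on the call: `/* Threaded console printers may call us with IRQs enabled; the port access below assumes they are off. */`. The stretch between local_irq_save() and local_irq_restore() lies outside the hunk, so it is worth confirming that no path in it returns early without restoring flags.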
+++ b/queue-4.9/series 
@@ -136,3 +136,60 @@ net-mlx4_en-fix-wrong-return-value-on-ioctl-eeprom-q.patch
 sunrpc-fix-the-calculation-of-xdr-end-in-xdr_get_nex.patch
 net-xfrm-unexport-__init-annotated-xfrm4_protocol_in.patch
 net-altera-fix-refcount-leak-in-altera_tse_mdio_crea.patch
+iio-dummy-iio_simple_dummy-check-the-return-value-of.patch
+lkdtm-usercopy-expand-size-of-out-of-frame-object.patch
+tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch
+tty-fix-a-possible-resource-leak-in-icom_probe.patch
+drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch
+usb-host-isp116x-check-return-value-after-calling-pl.patch
+drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch
+drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch
+usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch
+usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch
+misc-rtsx-set-null-intfdata-when-probe-fails.patch
+clocksource-drivers-sp804-avoid-error-on-multiple-in.patch
+staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch
+serial-msm_serial-disable-interrupts-in-__msm_consol.patch
+md-protect-md_unregister_thread-from-reentrancy.patch
+revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch
+drm-radeon-fix-a-possible-null-pointer-dereference.patch
+modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch
+nodemask-fix-return-values-to-be-unsigned.patch
+iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-23524
+lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-13206
+tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-15162
+tty-fix-a-possible-resource-leak-in-icom_probe.patch-19297
+drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-31603
+usb-host-isp116x-check-return-value-after-calling-pl.patch-19356
+drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-18887
+drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-27031
+usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-8845
+usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-31688
+misc-rtsx-set-null-intfdata-when-probe-fails.patch-6529
+clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-30578
+staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-20657
+serial-msm_serial-disable-interrupts-in-__msm_consol.patch-13437
+md-protect-md_unregister_thread-from-reentrancy.patch-19029
+revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-7473
+drm-radeon-fix-a-possible-null-pointer-dereference.patch-1583
+modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-9755
+nodemask-fix-return-values-to-be-unsigned.patch-13329
+iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-3507
+lkdtm-usercopy-expand-size-of-out-of-frame-object.patch-21612
+tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-3819
+tty-fix-a-possible-resource-leak-in-icom_probe.patch-21551
+drivers-staging-rtl8192e-fix-deadlock-in-rtllib_beac.patch-5623
+usb-host-isp116x-check-return-value-after-calling-pl.patch-5502
+drivers-tty-serial-fix-deadlock-in-sa1100_set_termio.patch-29741
+drivers-usb-host-fix-deadlock-in-oxu_bus_suspend.patch-7308
+usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-10130
+usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-31123
+misc-rtsx-set-null-intfdata-when-probe-fails.patch-2601
+clocksource-drivers-sp804-avoid-error-on-multiple-in.patch-20726
+staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-16645
+serial-msm_serial-disable-interrupts-in-__msm_consol.patch-9319
+md-protect-md_unregister_thread-from-reentrancy.patch-2164
+revert-net-af_key-add-check-for-pfkey_broadcast-in-f.patch-18188
+drm-radeon-fix-a-possible-null-pointer-dereference.patch-13071
+modpost-fix-undefined-behavior-of-is_arm_mapping_sym.patch-21303
+nodemask-fix-return-values-to-be-unsigned.patch-31283
diff --git a/queue-4.9/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-16645 b/queue-4.9/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-16645
new file mode 100644
index 00000000000..366a2aa1dce
--- /dev/null
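Review bot: Every patch is listed three times in the new `series` entries: once without a suffix, once with one `-NNNNN` suffix (for example `iio-dummy-iio_simple_dummy-check-the-return-value-of.patch-23524`) and once with another (`...patch-3507`), while only the last group matches the files this commit adds (`...patch-20726`, `...patch-18188`, `...patch-9319`, `...patch-16645`, `...patch-21551`, `...patch-3819`, `...patch-31123`, `...patch-10130`, `...patch-5502`). Applied in order, the queue would stop at the first name that has no file, or, if those files exist outside this commit, try to apply the same change three times. The list should carry one entry per patch, named exactly as the file that was added.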
+++ b/queue-4.9/staging-rtl8712-fix-uninit-value-in-r871xu_drv_init.patch-16645 
@@ -0,0 +1,88 @@
+From 064b71054b67abbe1dce95a888e416ba23a3a43f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 16 May 2022 17:22:41 +0800
+Subject: staging: rtl8712: fix uninit-value in r871xu_drv_init()
+
+From: Wang Cheng
+
+[ Upstream commit 0458e5428e5e959d201a40ffe71d762a79ecedc4 ]
+
+When 'tmpU1b' returns from r8712_read8(padapter, EE_9346CR) is 0,
+'mac[6]' will not be initialized.
+
+BUG: KMSAN: uninit-value in r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
+ r871xu_drv_init+0x2d54/0x3070 drivers/staging/rtl8712/usb_intf.c:541
+ usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
+ really_probe+0x653/0x14b0 drivers/base/dd.c:596
+ __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
+ driver_probe_device drivers/base/dd.c:782 [inline]
+ __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
+ bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
+ __device_attach+0x593/0x8e0 drivers/base/dd.c:970
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
+ bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
+ device_add+0x1fff/0x26e0 drivers/base/core.c:3405
+ usb_set_configuration+0x37e9/0x3ed0 drivers/usb/core/message.c:2170
+ usb_generic_driver_probe+0x13c/0x300 drivers/usb/core/generic.c:238
+ usb_probe_device+0x309/0x570 drivers/usb/core/driver.c:293
+ really_probe+0x653/0x14b0 drivers/base/dd.c:596
+ __driver_probe_device+0x3e9/0x530 drivers/base/dd.c:752
+ driver_probe_device drivers/base/dd.c:782 [inline]
+ __device_attach_driver+0x79f/0x1120 drivers/base/dd.c:899
+ bus_for_each_drv+0x2d6/0x3f0 drivers/base/bus.c:427
+ __device_attach+0x593/0x8e0 drivers/base/dd.c:970
+ device_initial_probe+0x4a/0x60 drivers/base/dd.c:1017
+ bus_probe_device+0x17b/0x3e0 drivers/base/bus.c:487
+ device_add+0x1fff/0x26e0 drivers/base/core.c:3405
+ usb_new_device+0x1b8e/0x2950 drivers/usb/core/hub.c:2566
+ hub_port_connect drivers/usb/core/hub.c:5358 [inline]
+ hub_port_connect_change drivers/usb/core/hub.c:5502 [inline]
+ port_event drivers/usb/core/hub.c:5660 [inline]
+ hub_event+0x58e3/0x89e0 drivers/usb/core/hub.c:5742
+ process_one_work+0xdb6/0x1820 kernel/workqueue.c:2307
+ worker_thread+0x10b3/0x21e0 kernel/workqueue.c:2454
+ kthread+0x3c7/0x500 kernel/kthread.c:377
+ ret_from_fork+0x1f/0x30
+
+Local variable mac created at:
+ r871xu_drv_init+0x1771/0x3070 drivers/staging/rtl8712/usb_intf.c:394
+ usb_probe_interface+0xf19/0x1600 drivers/usb/core/driver.c:396
+
+KMSAN: uninit-value in r871xu_drv_init
+https://syzkaller.appspot.com/bug?id=3cd92b1d85428b128503bfa7a250294c9ae00bd8
+
+Reported-by:
+Tested-by:
+Reviewed-by: Dan Carpenter
+Signed-off-by: Wang Cheng
+Link: https://lore.kernel.org/r/14c3886173dfa4597f0704547c414cfdbcd11d16.1652618244.git.wanngchenng@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/staging/rtl8712/usb_intf.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/staging/rtl8712/usb_intf.c b/drivers/staging/rtl8712/usb_intf.c
+index d0ba42dfafeb..7b7cb2a7db60 100644
+--- a/drivers/staging/rtl8712/usb_intf.c
++++ b/drivers/staging/rtl8712/usb_intf.c
+@@ -569,13 +569,13 @@ static int r871xu_drv_init(struct usb_interface *pusb_intf,
+ } else {
+ AutoloadFail = false;
+ }
+- if (((mac[0] == 0xff) && (mac[1] == 0xff) &&
++ if ((!AutoloadFail) ||
++ ((mac[0] == 0xff) && (mac[1] == 0xff) &&
+ (mac[2] == 0xff) && (mac[3] == 0xff) &&
+ (mac[4] == 0xff) && (mac[5] == 0xff)) ||
+ ((mac[0] == 0x00) && (mac[1] == 0x00) &&
+ (mac[2] == 0x00) && (mac[3] == 0x00) &&
+- (mac[4] == 0x00) && (mac[5] == 0x00)) ||
+- (!AutoloadFail)) {
++ (mac[4] == 0x00) && (mac[5] == 0x00))) {
+ mac[0] = 0x00;
+ mac[1] = 0xe0;
+ mac[2] = 0x4c;
+--
+2.35.1
+
diff --git a/queue-4.9/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21551 b/queue-4.9/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21551
new file mode 100644
index 00000000000..3a4a3984061
--- /dev/null
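Review bot: The reordered condition `if ((!AutoloadFail) || ((mac[0] == 0xff) && ...` is correct only because `!AutoloadFail` is evaluated first and short-circuits the reads of `mac[]`, which are uninitialised when autoload failed; that is the whole fix, so it deserves a one-line comment such as `/* test AutoloadFail first: mac[] is not filled in when it is set */` so a later tidy-up does not reorder the operands back. The twelve byte comparisons could also be replaced, if the file includes linux/etherdevice.h, by `if (!AutoloadFail || is_broadcast_ether_addr(mac) || is_zero_ether_addr(mac)) {`, which is equivalent and harder to get wrong. r871xu_drv_init() starts and ends outside the hunk.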
+++ b/queue-4.9/tty-fix-a-possible-resource-leak-in-icom_probe.patch-21551
@@ -0,0 +1,37 @@
+From 23d7af1b7abcdd650b2fb4b7f49c9c9e8c82e56a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 31 Mar 2022 17:10:05 +0800
+Subject: tty: Fix a possible resource leak in icom_probe
+
+From: Huang Guobin
+
+[ Upstream commit ee157a79e7c82b01ae4c25de0ac75899801f322c ]
+
+When pci_read_config_dword failed, call pci_release_regions() and
+pci_disable_device() to recycle the resource previously allocated.
+
+Reviewed-by: Jiri Slaby
+Signed-off-by: Huang Guobin
+Link: https://lore.kernel.org/r/20220331091005.3290753-1-huangguobin4@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/icom.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/icom.c b/drivers/tty/serial/icom.c
+index c60a8d5e4020..a3e420669674 100644
+--- a/drivers/tty/serial/icom.c
++++ b/drivers/tty/serial/icom.c
+@@ -1515,7 +1515,7 @@ static int icom_probe(struct pci_dev *dev,
+ retval = pci_read_config_dword(dev, PCI_COMMAND, &command_reg);
+ if (retval) {
+ dev_err(&dev->dev, "PCI Config read FAILED\n");
+- return retval;
++ goto probe_exit0;
+ }
+
+ pci_write_config_dword(dev, PCI_COMMAND,
+--
+2.35.1
+
diff --git a/queue-4.9/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-3819 b/queue-4.9/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-3819
new file mode 100644
index 00000000000..d51bb5430a1
--- /dev/null
+++ b/queue-4.9/tty-synclink_gt-fix-null-pointer-dereference-in-slgt.patch-3819
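Review bot: The new `goto probe_exit0;` relies on a label outside the hunk to release the PCI regions, disable the device and still return `retval`; none of that can be confirmed from here, so the label's cleanup order and its return value should be checked against the commit message before this is merged. If the label path returns a fixed value instead of retval, the error code from pci_read_config_dword() reported by the preceding dev_err() would be lost to the caller. icom_probe() starts and ends outside the hunk.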
@@ -0,0 +1,47 @@
+From 47326fe2bad4f3113add6e00cc99630afeaa976e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 10 Apr 2022 19:48:14 +0800
+Subject: tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
+
+From: Zheyu Ma
+
+[ Upstream commit 689ca31c542687709ba21ec2195c1fbce34fd029 ]
+
+When the driver fails at alloc_hdlcdev(), and then we remove the driver
+module, we will get the following splat:
+
+[ 25.065966] general protection fault, probably for non-canonical address 0xdffffc0000000182: 0000 [#1] PREEMPT SMP KASAN PTI
+[ 25.066914] KASAN: null-ptr-deref in range [0x0000000000000c10-0x0000000000000c17]
+[ 25.069262] RIP: 0010:detach_hdlc_protocol+0x2a/0x3e0
+[ 25.077709] Call Trace:
+[ 25.077924]
+[ 25.078108] unregister_hdlc_device+0x16/0x30
+[ 25.078481] slgt_cleanup+0x157/0x9f0 [synclink_gt]
+
+Fix this by checking whether the 'info->netdev' is a null pointer first.
+
+Reviewed-by: Jiri Slaby
+Signed-off-by: Zheyu Ma
+Link: https://lore.kernel.org/r/20220410114814.3920474-1-zheyuma97@gmail.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/synclink_gt.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/tty/synclink_gt.c b/drivers/tty/synclink_gt.c
+index 7446ce29f677..b5d053763263 100644
+--- a/drivers/tty/synclink_gt.c
++++ b/drivers/tty/synclink_gt.c
+@@ -1823,6 +1823,8 @@ static int hdlcdev_init(struct slgt_info *info)
+ */
+ static void hdlcdev_exit(struct slgt_info *info)
+ {
++ if (!info->netdev)
++ return;
+ unregister_hdlc_device(info->netdev);
+ free_netdev(info->netdev);
+ info->netdev = NULL;
+--
+2.35.1
+
diff --git a/queue-4.9/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-31123 b/queue-4.9/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-31123
new file mode 100644
index 00000000000..9eeb78f0ed4
--- /dev/null
+++ b/queue-4.9/usb-dwc2-gadget-don-t-reset-gadget-s-driver-bus.patch-31123
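Review bot: The early return `if (!info->netdev) return;` in hdlcdev_exit() has no comment, and the reason lives only in the commit message; a later cleanup could drop it as redundant. I would write `/* alloc_hdlcdev() failed in hdlcdev_init(): nothing was registered */` above the check so the teardown path documents the state it tolerates. The closing brace of hdlcdev_exit() is outside the hunk.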
@@ -0,0 +1,66 @@
+From 92f28b067a760dc213c00a470c42edfc790d8dd6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 May 2022 12:46:18 +0200
+Subject: usb: dwc2: gadget: don't reset gadget's driver->bus
+
+From: Marek Szyprowski
+
+[ Upstream commit 3120aac6d0ecd9accf56894aeac0e265f74d3d5a ]
+
+UDC driver should not touch gadget's driver internals, especially it
+should not reset driver->bus. This wasn't harmful so far, but since
+commit fc274c1e9973 ("USB: gadget: Add a new bus for gadgets") gadget
+subsystem got it's own bus and messing with ->bus triggers the
+following NULL pointer dereference:
+
+dwc2 12480000.hsotg: bound driver g_ether
+8<--- cut here ---
+Unable to handle kernel NULL pointer dereference at virtual address 00000000
+[00000000] *pgd=00000000
+Internal error: Oops: 5 [#1] SMP ARM
+Modules linked in: ...
+CPU: 0 PID: 620 Comm: modprobe Not tainted 5.18.0-rc5-next-20220504 #11862
+Hardware name: Samsung Exynos (Flattened Device Tree)
+PC is at module_add_driver+0x44/0xe8
+LR is at sysfs_do_create_link_sd+0x84/0xe0
+...
+Process modprobe (pid: 620, stack limit = 0x(ptrval))
+...
+ module_add_driver from bus_add_driver+0xf4/0x1e4
+ bus_add_driver from driver_register+0x78/0x10c
+ driver_register from usb_gadget_register_driver_owner+0x40/0xb4
+ usb_gadget_register_driver_owner from do_one_initcall+0x44/0x1e0
+ do_one_initcall from do_init_module+0x44/0x1c8
+ do_init_module from load_module+0x19b8/0x1b9c
+ load_module from sys_finit_module+0xdc/0xfc
+ sys_finit_module from ret_fast_syscall+0x0/0x54
+Exception stack(0xf1771fa8 to 0xf1771ff0)
+...
+dwc2 12480000.hsotg: new device is high-speed
+---[ end trace 0000000000000000 ]---
+
+Fix this by removing driver->bus entry reset.
+
+Signed-off-by: Marek Szyprowski
+Link: https://lore.kernel.org/r/20220505104618.22729-1-m.szyprowski@samsung.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/dwc2/gadget.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/usb/dwc2/gadget.c b/drivers/usb/dwc2/gadget.c
+index 65bcbbad6d54..44bab6727b43 100644
+--- a/drivers/usb/dwc2/gadget.c
++++ b/drivers/usb/dwc2/gadget.c
+@@ -3445,7 +3445,6 @@ static int dwc2_hsotg_udc_start(struct usb_gadget *gadget,
+
+ WARN_ON(hsotg->driver);
+
+- driver->driver.bus = NULL;
+ hsotg->driver = driver;
+ hsotg->gadget.dev.of_node = hsotg->dev->of_node;
+ hsotg->gadget.speed = USB_SPEED_UNKNOWN;
+--
+2.35.1
+
diff --git a/queue-4.9/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-10130 b/queue-4.9/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-10130
new file mode 100644
index 00000000000..3ba755f4b33
--- /dev/null
+++ b/queue-4.9/usb-hcd-pci-fully-suspend-across-freeze-thaw-cycle.patch-10130
@@ -0,0 +1,50 @@
+From efe56fa1ee86383cc45a1290de0c3773d6023caf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Apr 2022 10:39:27 -0700
+Subject: USB: hcd-pci: Fully suspend across freeze/thaw cycle
+
+From: Evan Green
+
+[ Upstream commit 63acaa8e9c65dc34dc249440216f8e977f5d2748 ]
+
+The documentation for the freeze() method says that it "should quiesce
+the device so that it doesn't generate IRQs or DMA". The unspoken
+consequence of not doing this is that MSIs aimed at non-boot CPUs may
+get fully lost if they're sent during the period where the target CPU is
+offline.
+
+The current callbacks for USB HCD do not fully quiesce interrupts,
+specifically on XHCI. Change to use the full suspend/resume flow for
+freeze/thaw to ensure interrupts are fully quiesced. This fixes issues
+where USB devices fail to thaw during hibernation because XHCI misses
+its interrupt and cannot recover.
+
+Acked-by: Alan Stern
+Signed-off-by: Evan Green
+Link: https://lore.kernel.org/r/20220421103751.v3.2.I8226c7fdae88329ef70957b96a39b346c69a914e@changeid
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/core/hcd-pci.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/core/hcd-pci.c b/drivers/usb/core/hcd-pci.c
+index 7af23b215254..a416eea9a366 100644
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -637,10 +637,10 @@ const struct dev_pm_ops usb_hcd_pci_pm_ops = {
+ .suspend_noirq = hcd_pci_suspend_noirq,
+ .resume_noirq = hcd_pci_resume_noirq,
+ .resume = hcd_pci_resume,
+- .freeze = check_root_hub_suspended,
++ .freeze = hcd_pci_suspend,
+ .freeze_noirq = check_root_hub_suspended,
+ .thaw_noirq = NULL,
+- .thaw = NULL,
++ .thaw = hcd_pci_resume,
+ .poweroff = hcd_pci_suspend,
+ .poweroff_noirq = hcd_pci_suspend_noirq,
+ .restore_noirq = hcd_pci_resume_noirq,
+--
+2.35.1
+
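Review bot: After `.freeze = hcd_pci_suspend,` and `.thaw = hcd_pci_resume,` the freeze/thaw pair is no longer symmetric with suspend/resume: `.freeze_noirq` stays `check_root_hub_suspended` and `.thaw_noirq` stays NULL, whereas suspend pairs hcd_pci_suspend with `.suspend_noirq = hcd_pci_suspend_noirq`. If leaving the _noirq steps untouched is intended, the table should say so, e.g. `/* freeze/thaw take the full suspend path so the controller stops raising IRQs/DMA before CPUs go offline; the _noirq steps deliberately stay as for a root-hub check only */`. Whether hcd_pci_suspend() is safe without a matching hcd_pci_suspend_noirq() afterwards cannot be verified from this hunk.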
diff --git a/queue-4.9/usb-host-isp116x-check-return-value-after-calling-pl.patch-5502 b/queue-4.9/usb-host-isp116x-check-return-value-after-calling-pl.patch-5502
new file mode 100644
index 00000000000..bc8d45cecfe
--- /dev/null
+++ b/queue-4.9/usb-host-isp116x-check-return-value-after-calling-pl.patch-5502
@@ -0,0 +1,43 @@
+From 3b40746f665aeabf7dc878d67a70ec55cda39f19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 2 Mar 2022 11:37:16 +0800
+Subject: USB: host: isp116x: check return value after calling
+ platform_get_resource()
+
+From: Zhen Ni
+
+[ Upstream commit 134a3408c2d3f7e23eb0e4556e0a2d9f36c2614e ]
+
+It will cause null-ptr-deref if platform_get_resource() returns NULL,
+we need check the return value.
+
+Signed-off-by: Zhen Ni
+Link: https://lore.kernel.org/r/20220302033716.31272-1-nizhen@uniontech.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/host/isp116x-hcd.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/host/isp116x-hcd.c b/drivers/usb/host/isp116x-hcd.c
+index d089b3fb7a13..c32145e63aea 100644
+--- a/drivers/usb/host/isp116x-hcd.c
++++ b/drivers/usb/host/isp116x-hcd.c
+@@ -1551,10 +1551,12 @@ static int isp116x_remove(struct platform_device *pdev)
+
+ iounmap(isp116x->data_reg);
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 1);
+- release_mem_region(res->start, 2);
++ if (res)
++ release_mem_region(res->start, 2);
+ iounmap(isp116x->addr_reg);
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+- release_mem_region(res->start, 2);
++ if (res)
++ release_mem_region(res->start, 2);
+
+ usb_put_hcd(hcd);
+ return 0;
+--
+2.35.1
+
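Review bot: The two `if (res)` guards turn a NULL from platform_get_resource() into a silent skip of release_mem_region(), so a region that probe presumably did request would stay claimed with no diagnostic; on the remove path a missing resource signals an inconsistent platform device rather than a normal case. I would at least report it, e.g. `if (res) release_mem_region(res->start, 2); else dev_warn(&pdev->dev, "MEM resource missing, region not released\n");`, or document the expectation with a comment above the first lookup. The two identical lookup/release pairs could also share a small static helper taking the resource index. isp116x_remove() starts outside the hunk.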