From: Greg Kroah-Hartman Date: Sun, 14 Nov 2021 14:28:49 +0000 (+0100) Subject: 5.15-stable patches X-Git-Tag: v5.4.160~89 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d9d9a7b829e42a338ba00add5ed8439887e29b70;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: component-do-not-leave-master-devres-group-open-after-bind.patch coresight-cti-correct-the-parameter-for-pm_runtime_put.patch coresight-trbe-defer-the-probe-on-offline-cpus.patch coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch documentation-devicetree-bindings-iio-dac-fix-val.patch drivers-iio-dac-ad5766-fix-dt-property-name.patch iio-ad5770r-make-devicetree-property-reading-consistent.patch iio-buffer-check-return-value-of-kstrdup_const.patch iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch iio-dac-ad5446-fix-ad5622_write-return-value.patch io-wq-serialize-hash-clear-with-wakeup.patch ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch most-fix-control-message-timeouts.patch pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch serial-8250-fix-racy-uartclk-update.patch serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch usb-chipidea-fix-interrupt-deadlock.patch usb-iowarrior-fix-control-message-timeouts.patch usb-serial-keyspan-fix-memleak-on-probe-errors.patch --- diff --git a/queue-5.15/component-do-not-leave-master-devres-group-open-after-bind.patch b/queue-5.15/component-do-not-leave-master-devres-group-open-after-bind.patch new file mode 100644 index 00000000000..0651920f127 --- /dev/null +++ b/queue-5.15/component-do-not-leave-master-devres-group-open-after-bind.patch @@ -0,0 +1,95 @@ +From c87761db2100677a69be551365105125d872af5b Mon Sep 17 00:00:00 2001 +From: Kai Vehmanen +Date: Wed, 13 Oct 2021 19:13:45 +0300 +Subject: component: do not leave master devres group open after bind + +From: Kai Vehmanen + +commit c87761db2100677a69be551365105125d872af5b upstream. + +In current code, the devres group for aggregate master is left open +after call to component_master_add_*(). This leads to problems when the +master does further managed allocations on its own. When any +participating driver calls component_del(), this leads to immediate +release of resources. + +This came up when investigating a page fault occurring with i915 DRM +driver unbind with 5.15-rc1 kernel. The following sequence occurs: + + i915_pci_remove() + -> intel_display_driver_unregister() + -> i915_audio_component_cleanup() + -> component_del() + -> component.c:take_down_master() + -> hdac_component_master_unbind() [via master->ops->unbind()] + -> devres_release_group(master->parent, NULL) + +With older kernels this has not caused issues, but with audio driver +moving to use managed interfaces for more of its allocations, this no +longer works. Devres log shows following to occur: + +component_master_add_with_match() +[ 126.886032] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000323ccdc5 devm_component_match_release (24 bytes) +[ 126.886045] snd_hda_intel 0000:00:1f.3: DEVRES ADD 00000000865cdb29 grp< (0 bytes) +[ 126.886049] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 grp< (0 bytes) + +audio driver completes its PCI probe() +[ 126.892238] snd_hda_intel 0000:00:1f.3: DEVRES ADD 000000001b480725 pcim_iomap_release (48 bytes) + +component_del() called() at DRM/i915 unbind() +[ 137.579422] i915 0000:00:02.0: DEVRES REL 00000000ef44c293 grp< (0 bytes) +[ 137.579445] snd_hda_intel 0000:00:1f.3: DEVRES REL 00000000865cdb29 grp< (0 bytes) +[ 137.579458] snd_hda_intel 0000:00:1f.3: DEVRES REL 000000001b480725 pcim_iomap_release (48 bytes) + +So the "devres_release_group(master->parent, NULL)" ends up freeing the +pcim_iomap allocation. Upon next runtime resume, the audio driver will +cause a page fault as the iomap alloc was released without the driver +knowing about it. + +Fix this issue by using the "struct master" pointer as identifier for +the devres group, and by closing the devres group after +the master->ops->bind() call is done. This allows devres allocations +done by the driver acting as master to be isolated from the binding state +of the aggregate driver. This modifies the logic originally introduced in +commit 9e1ccb4a7700 ("drivers/base: fix devres handling for master device") + +Fixes: 9e1ccb4a7700 ("drivers/base: fix devres handling for master device") +Cc: stable@vger.kernel.org +Acked-by: Imre Deak +Acked-by: Russell King (Oracle) +Signed-off-by: Kai Vehmanen +BugLink: https://gitlab.freedesktop.org/drm/intel/-/issues/4136 +Link: https://lore.kernel.org/r/20211013161345.3755341-1-kai.vehmanen@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/component.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/base/component.c ++++ b/drivers/base/component.c +@@ -246,7 +246,7 @@ static int try_to_bring_up_master(struct + return 0; + } + +- if (!devres_open_group(master->parent, NULL, GFP_KERNEL)) ++ if (!devres_open_group(master->parent, master, GFP_KERNEL)) + return -ENOMEM; + + /* Found all components */ +@@ -258,6 +258,7 @@ static int try_to_bring_up_master(struct + return ret; + } + ++ devres_close_group(master->parent, NULL); + master->bound = true; + return 1; + } +@@ -282,7 +283,7 @@ static void take_down_master(struct mast + { + if (master->bound) { + master->ops->unbind(master->parent); +- devres_release_group(master->parent, NULL); ++ devres_release_group(master->parent, master); + master->bound = false; + } + } diff --git a/queue-5.15/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch b/queue-5.15/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch new file mode 100644 index 00000000000..08b4c930415 --- /dev/null +++ b/queue-5.15/coresight-cti-correct-the-parameter-for-pm_runtime_put.patch @@ -0,0 +1,35 @@ +From 692c9a499b286ea478f41b23a91fe3873b9e1326 Mon Sep 17 00:00:00 2001 +From: Tao Zhang +Date: Thu, 19 Aug 2021 17:29:37 +0800 +Subject: coresight: cti: Correct the parameter for pm_runtime_put + +From: Tao Zhang + +commit 692c9a499b286ea478f41b23a91fe3873b9e1326 upstream. + +The input parameter of the function pm_runtime_put should be the +same in the function cti_enable_hw and cti_disable_hw. The correct +parameter to use here should be dev->parent. + +Signed-off-by: Tao Zhang +Reviewed-by: Leo Yan +Fixes: 835d722ba10a ("coresight: cti: Initial CoreSight CTI Driver") +Cc: stable +Link: https://lore.kernel.org/r/1629365377-5937-1-git-send-email-quic_taozha@quicinc.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-cti-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-cti-core.c ++++ b/drivers/hwtracing/coresight/coresight-cti-core.c +@@ -175,7 +175,7 @@ static int cti_disable_hw(struct cti_drv + coresight_disclaim_device_unlocked(csdev); + CS_LOCK(drvdata->base); + spin_unlock(&drvdata->spinlock); +- pm_runtime_put(dev); ++ pm_runtime_put(dev->parent); + return 0; + + /* not disabled this call */ diff --git a/queue-5.15/coresight-trbe-defer-the-probe-on-offline-cpus.patch b/queue-5.15/coresight-trbe-defer-the-probe-on-offline-cpus.patch new file mode 100644 index 00000000000..31521a670fa --- /dev/null +++ b/queue-5.15/coresight-trbe-defer-the-probe-on-offline-cpus.patch @@ -0,0 +1,106 @@ +From a08025b3fe56185290a1ea476581f03ca733f967 Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Thu, 14 Oct 2021 15:22:38 +0100 +Subject: coresight: trbe: Defer the probe on offline CPUs + +From: Suzuki K Poulose + +commit a08025b3fe56185290a1ea476581f03ca733f967 upstream. + +If a CPU is offline during the driver init, we could end up causing +a kernel crash trying to register the coresight device for the TRBE +instance. The trbe_cpudata for the TRBE instance is initialized only +when it is probed. Otherwise, we could end up dereferencing a NULL +cpudata->drvdata. + +e.g: + +[ 0.149999] coresight ete0: CPU0: ete v1.1 initialized +[ 0.149999] coresight-etm4x ete_1: ETM arch init failed +[ 0.149999] coresight-etm4x: probe of ete_1 failed with error -22 +[ 0.150085] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000050 +[ 0.150085] Mem abort info: +[ 0.150085] ESR = 0x96000005 +[ 0.150085] EC = 0x25: DABT (current EL), IL = 32 bits +[ 0.150085] SET = 0, FnV = 0 +[ 0.150085] EA = 0, S1PTW = 0 +[ 0.150085] Data abort info: +[ 0.150085] ISV = 0, ISS = 0x00000005 +[ 0.150085] CM = 0, WnR = 0 +[ 0.150085] [0000000000000050] user address but active_mm is swapper +[ 0.150085] Internal error: Oops: 96000005 [#1] PREEMPT SMP +[ 0.150085] Modules linked in: +[ 0.150085] Hardware name: FVP Base RevC (DT) +[ 0.150085] pstate: 00800009 (nzcv daif -PAN +UAO -TCO BTYPE=--) +[ 0.150155] pc : arm_trbe_register_coresight_cpu+0x74/0x144 +[ 0.150155] lr : arm_trbe_register_coresight_cpu+0x48/0x144 + ... + +[ 0.150237] Call trace: +[ 0.150237] arm_trbe_register_coresight_cpu+0x74/0x144 +[ 0.150237] arm_trbe_device_probe+0x1c0/0x2d8 +[ 0.150259] platform_drv_probe+0x94/0xbc +[ 0.150259] really_probe+0x1bc/0x4a8 +[ 0.150266] driver_probe_device+0x7c/0xb8 +[ 0.150266] device_driver_attach+0x6c/0xac +[ 0.150266] __driver_attach+0xc4/0x148 +[ 0.150266] bus_for_each_dev+0x7c/0xc8 +[ 0.150266] driver_attach+0x24/0x30 +[ 0.150266] bus_add_driver+0x100/0x1e0 +[ 0.150266] driver_register+0x78/0x110 +[ 0.150266] __platform_driver_register+0x44/0x50 +[ 0.150266] arm_trbe_init+0x28/0x84 +[ 0.150266] do_one_initcall+0x94/0x2bc +[ 0.150266] do_initcall_level+0xa4/0x158 +[ 0.150266] do_initcalls+0x54/0x94 +[ 0.150319] do_basic_setup+0x24/0x30 +[ 0.150319] kernel_init_freeable+0xe8/0x14c +[ 0.150319] kernel_init+0x14/0x18c +[ 0.150319] ret_from_fork+0x10/0x30 +[ 0.150319] Code: f94012c8 b0004ce2 9134a442 52819801 (f9402917) +[ 0.150319] ---[ end trace d23e0cfe5098535e ]--- +[ 0.150346] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000000b + +Fix this by skipping the step, if we are unable to probe the CPU. + +Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver") +Reported-by: Bransilav Rankov +Cc: Anshuman Khandual +Cc: Mathieu Poirier +Cc: Mike Leach +Cc: Leo Yan +Cc: stable +Tested-by: Branislav Rankov +Signed-off-by: Suzuki K Poulose +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20211014142238.2221248-1-suzuki.poulose@arm.com +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-trbe.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-trbe.c ++++ b/drivers/hwtracing/coresight/coresight-trbe.c +@@ -869,6 +869,10 @@ static void arm_trbe_register_coresight_ + if (WARN_ON(trbe_csdev)) + return; + ++ /* If the TRBE was not probed on the CPU, we shouldn't be here */ ++ if (WARN_ON(!cpudata->drvdata)) ++ return; ++ + dev = &cpudata->drvdata->pdev->dev; + desc.name = devm_kasprintf(dev, GFP_KERNEL, "trbe%d", cpu); + if (!desc.name) +@@ -950,7 +954,9 @@ static int arm_trbe_probe_coresight(stru + return -ENOMEM; + + for_each_cpu(cpu, &drvdata->supported_cpus) { +- smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1); ++ /* If we fail to probe the CPU, let us defer it to hotplug callbacks */ ++ if (smp_call_function_single(cpu, arm_trbe_probe_cpu, drvdata, 1)) ++ continue; + if (cpumask_test_cpu(cpu, &drvdata->supported_cpus)) + arm_trbe_register_coresight_cpu(drvdata, cpu); + if (cpumask_test_cpu(cpu, &drvdata->supported_cpus)) diff --git a/queue-5.15/coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch b/queue-5.15/coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch new file mode 100644 index 00000000000..5fb5ed23ab5 --- /dev/null +++ b/queue-5.15/coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch @@ -0,0 +1,37 @@ +From bb5293e334af51b19b62d8bef1852ea13e935e9b Mon Sep 17 00:00:00 2001 +From: Suzuki K Poulose +Date: Tue, 21 Sep 2021 14:41:05 +0100 +Subject: coresight: trbe: Fix incorrect access of the sink specific data + +From: Suzuki K Poulose + +commit bb5293e334af51b19b62d8bef1852ea13e935e9b upstream. + +The TRBE driver wrongly treats the aux private data as the TRBE driver +specific buffer for a given perf handle, while it is the ETM PMU's +event specific data. Fix this by correcting the instance to use +appropriate helper. + +Cc: stable +Fixes: 3fbf7f011f24 ("coresight: sink: Add TRBE driver") +Signed-off-by: Suzuki K Poulose +Reviewed-by: Anshuman Khandual +Link: https://lore.kernel.org/r/20210921134121.2423546-2-suzuki.poulose@arm.com +[Fixed 13 character SHA down to 12] +Signed-off-by: Mathieu Poirier +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-trbe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-trbe.c ++++ b/drivers/hwtracing/coresight/coresight-trbe.c +@@ -366,7 +366,7 @@ static unsigned long __trbe_normal_offse + + static unsigned long trbe_normal_offset(struct perf_output_handle *handle) + { +- struct trbe_buf *buf = perf_get_aux(handle); ++ struct trbe_buf *buf = etm_perf_sink_config(handle); + u64 limit = __trbe_normal_offset(handle); + u64 head = PERF_IDX2OFF(handle->head, buf); + diff --git a/queue-5.15/documentation-devicetree-bindings-iio-dac-fix-val.patch b/queue-5.15/documentation-devicetree-bindings-iio-dac-fix-val.patch new file mode 100644 index 00000000000..58a2f89fdd9 --- /dev/null +++ b/queue-5.15/documentation-devicetree-bindings-iio-dac-fix-val.patch @@ -0,0 +1,34 @@ +From 8fc4f038fa832ec3543907fdcbe1334e1b0a8950 Mon Sep 17 00:00:00 2001 +From: Mihail Chindris +Date: Thu, 7 Oct 2021 08:00:36 +0000 +Subject: Documentation:devicetree:bindings:iio:dac: Fix val + +From: Mihail Chindris + +commit 8fc4f038fa832ec3543907fdcbe1334e1b0a8950 upstream. + +A correct value for output-range-microvolts is -5 to 5 Volts +not -5 to 5 milivolts + +Fixes: e904cc899293f ("dt-bindings: iio: dac: AD5766 yaml documentation") +Signed-off-by: Mihail Chindris +Reviewed-by: Alexandru Ardelean +Link: https://lore.kernel.org/r/20211007080035.2531-6-mihail.chindris@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml ++++ b/Documentation/devicetree/bindings/iio/dac/adi,ad5766.yaml +@@ -54,7 +54,7 @@ examples: + + ad5766@0 { + compatible = "adi,ad5766"; +- output-range-microvolts = <(-5000) 5000>; ++ output-range-microvolts = <(-5000000) 5000000>; + reg = <0>; + spi-cpol; + spi-max-frequency = <1000000>; diff --git a/queue-5.15/drivers-iio-dac-ad5766-fix-dt-property-name.patch b/queue-5.15/drivers-iio-dac-ad5766-fix-dt-property-name.patch new file mode 100644 index 00000000000..a51de31b810 --- /dev/null +++ b/queue-5.15/drivers-iio-dac-ad5766-fix-dt-property-name.patch @@ -0,0 +1,43 @@ +From d9de0fbdeb0103a204055efb69cb5cc8f5f12a6a Mon Sep 17 00:00:00 2001 +From: Mihail Chindris +Date: Thu, 7 Oct 2021 08:00:34 +0000 +Subject: drivers: iio: dac: ad5766: Fix dt property name + +From: Mihail Chindris + +commit d9de0fbdeb0103a204055efb69cb5cc8f5f12a6a upstream. + +In the documentation the name for the property is +output-range-microvolts which is a standard name, therefore this name +must be used. + +Fixes: fd9373e41b9ba ("iio: dac: ad5766: add driver support for AD5766") +Signed-off-by: Mihail Chindris +Reviewed-by: Alexandru Ardelean +Link: https://lore.kernel.org/r/20211007080035.2531-5-mihail.chindris@analog.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5766.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/iio/dac/ad5766.c ++++ b/drivers/iio/dac/ad5766.c +@@ -503,13 +503,13 @@ static int ad5766_get_output_range(struc + int i, ret, min, max, tmp[2]; + + ret = device_property_read_u32_array(&st->spi->dev, +- "output-range-voltage", ++ "output-range-microvolts", + tmp, 2); + if (ret) + return ret; + +- min = tmp[0] / 1000; +- max = tmp[1] / 1000; ++ min = tmp[0] / 1000000; ++ max = tmp[1] / 1000000; + for (i = 0; i < ARRAY_SIZE(ad5766_span_tbl); i++) { + if (ad5766_span_tbl[i].min != min || + ad5766_span_tbl[i].max != max) diff --git a/queue-5.15/iio-ad5770r-make-devicetree-property-reading-consistent.patch b/queue-5.15/iio-ad5770r-make-devicetree-property-reading-consistent.patch new file mode 100644 index 00000000000..6a284e864d5 --- /dev/null +++ b/queue-5.15/iio-ad5770r-make-devicetree-property-reading-consistent.patch @@ -0,0 +1,47 @@ +From 26df977a909f818b7d346b3990735513e7e0bf93 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Nuno=20S=C3=A1?= +Date: Wed, 18 Aug 2021 10:05:25 +0200 +Subject: iio: ad5770r: make devicetree property reading consistent +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Nuno Sá + +commit 26df977a909f818b7d346b3990735513e7e0bf93 upstream. + +The bindings file for this driver is defining the property as 'reg' but +the driver was reading it with the 'num' name. The bindings actually had +the 'num' property when added in +commit ea52c21268e6 ("dt-bindings: iio: dac: Add docs for AD5770R DAC") +and then changed it to 'reg' in +commit 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors"). +However, both these commits landed in v5.7 so the assumption is +that either 'num' is not being used or if it is, the validations were not +done. + +Anyways, if someone comes back yelling about this, we might just support +both of the properties in the future. Not ideal, but that's life... + +Fixes: 2cf3818f18b2 ("dt-bindings: iio: dac: AD5570R fix bindings errors") +Signed-off-by: Nuno Sá +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20210818080525.62790-1-nuno.sa@analog.com +Cc: Stable@vger.kernel.org +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5770r.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5770r.c ++++ b/drivers/iio/dac/ad5770r.c +@@ -522,7 +522,7 @@ static int ad5770r_channel_config(struct + return -EINVAL; + + device_for_each_child_node(&st->spi->dev, child) { +- ret = fwnode_property_read_u32(child, "num", &num); ++ ret = fwnode_property_read_u32(child, "reg", &num); + if (ret) + goto err_child_out; + if (num >= AD5770R_MAX_CHANNELS) { diff --git a/queue-5.15/iio-buffer-check-return-value-of-kstrdup_const.patch b/queue-5.15/iio-buffer-check-return-value-of-kstrdup_const.patch new file mode 100644 index 00000000000..e1550d4a020 --- /dev/null +++ b/queue-5.15/iio-buffer-check-return-value-of-kstrdup_const.patch @@ -0,0 +1,54 @@ +From 2c0ad3f0cc04dec489552a21b80cd6d708bea96d Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 13 Oct 2021 12:04:38 +0800 +Subject: iio: buffer: check return value of kstrdup_const() + +From: Yang Yingliang + +commit 2c0ad3f0cc04dec489552a21b80cd6d708bea96d upstream. + +Check return value of kstrdup_const() in iio_buffer_wrap_attr(), +or it will cause null-ptr-deref in kernfs_name_hash() when calling +device_add() as follows: + +BUG: kernel NULL pointer dereference, address: 0000000000000000 +RIP: 0010:strlen+0x0/0x20 +Call Trace: + kernfs_name_hash+0x22/0x110 + kernfs_find_ns+0x11d/0x390 + kernfs_remove_by_name_ns+0x3b/0xb0 + remove_files.isra.1+0x7b/0x190 + internal_create_group+0x7f1/0xbb0 + internal_create_groups+0xa3/0x150 + device_add+0x8f0/0x2020 + cdev_device_add+0xc3/0x160 + __iio_device_register+0x1427/0x1b40 [industrialio] + __devm_iio_device_register+0x22/0x80 [industrialio] + adjd_s311_probe+0x195/0x200 [adjd_s311] + i2c_device_probe+0xa07/0xbb0 + +Reported-by: Hulk Robot +Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211013040438.1689277-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-buffer.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1312,6 +1312,11 @@ static struct attribute *iio_buffer_wrap + iio_attr->buffer = buffer; + memcpy(&iio_attr->dev_attr, dattr, sizeof(iio_attr->dev_attr)); + iio_attr->dev_attr.attr.name = kstrdup_const(attr->name, GFP_KERNEL); ++ if (!iio_attr->dev_attr.attr.name) { ++ kfree(iio_attr); ++ return NULL; ++ } ++ + sysfs_attr_init(&iio_attr->dev_attr.attr); + + list_add(&iio_attr->l, &buffer->buffer_attr_list); diff --git a/queue-5.15/iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch b/queue-5.15/iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch new file mode 100644 index 00000000000..0f5fd88428d --- /dev/null +++ b/queue-5.15/iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch @@ -0,0 +1,78 @@ +From 9a2ff8009e53296e47de72d5af0bc31cd53274ff Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 13 Oct 2021 17:43:43 +0800 +Subject: iio: buffer: Fix memory leak in __iio_buffer_alloc_sysfs_and_mask() + +From: Yang Yingliang + +commit 9a2ff8009e53296e47de72d5af0bc31cd53274ff upstream. + +When iio_buffer_wrap_attr() returns NULL or buffer->buffer_group.name alloc +fails, the 'attr' which is allocated in __iio_buffer_alloc_sysfs_and_mask() +is not freed, and cause memory leak. + +unreferenced object 0xffff888014882a00 (size 64): + comm "i2c-adjd_s311-8", pid 424, jiffies 4294907737 (age 44.396s) + hex dump (first 32 bytes): + 00 0f 8a 15 80 88 ff ff 00 0e 8a 15 80 88 ff ff ................ + 80 04 8a 15 80 88 ff ff 80 05 8a 15 80 88 ff ff ................ + backtrace: + [<0000000021752e67>] __kmalloc+0x1af/0x3c0 + [<0000000043e8305c>] iio_buffers_alloc_sysfs_and_mask+0xe73/0x1570 [industrialio] + [<00000000b7aa5a17>] __iio_device_register+0x483/0x1a30 [industrialio] + [<000000003fa0fb2f>] __devm_iio_device_register+0x23/0x90 [industrialio] + [<000000003ab040cf>] adjd_s311_probe+0x19c/0x200 [adjd_s311] + [<0000000080458969>] i2c_device_probe+0xa31/0xbe0 + [<00000000e20678ad>] really_probe+0x299/0xc30 + [<000000006bea9b27>] __driver_probe_device+0x357/0x500 + [<00000000e1df10d4>] driver_probe_device+0x4e/0x140 + [<0000000003661beb>] __device_attach_driver+0x257/0x340 + [<000000005bb4aa26>] bus_for_each_drv+0x166/0x1e0 + [<00000000272c5236>] __device_attach+0x272/0x420 + [<00000000d52a96ae>] bus_probe_device+0x1eb/0x2a0 + [<00000000129f7737>] device_add+0xbf0/0x1f90 + [<000000005eed4e52>] i2c_new_client_device+0x622/0xb20 + [<00000000b85a9c43>] new_device_store+0x1fa/0x420 + +This patch fix to free it before the error return. + +Reported-by: Hulk Robot +Fixes: 15097c7a1adc ("iio: buffer: wrap all buffer attributes into iio_dev_attr") +Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211013094343.315275-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-buffer.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1536,6 +1536,7 @@ static int __iio_buffer_alloc_sysfs_and_ + sizeof(struct attribute *) * buffer_attrcount); + + buffer_attrcount += ARRAY_SIZE(iio_buffer_attrs); ++ buffer->buffer_group.attrs = attr; + + for (i = 0; i < buffer_attrcount; i++) { + struct attribute *wrapped; +@@ -1543,7 +1544,7 @@ static int __iio_buffer_alloc_sysfs_and_ + wrapped = iio_buffer_wrap_attr(buffer, attr[i]); + if (!wrapped) { + ret = -ENOMEM; +- goto error_free_scan_mask; ++ goto error_free_buffer_attrs; + } + attr[i] = wrapped; + } +@@ -1558,8 +1559,6 @@ static int __iio_buffer_alloc_sysfs_and_ + goto error_free_buffer_attrs; + } + +- buffer->buffer_group.attrs = attr; +- + ret = iio_device_register_sysfs_group(indio_dev, &buffer->buffer_group); + if (ret) + goto error_free_buffer_attr_group_name; diff --git a/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch b/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch new file mode 100644 index 00000000000..d11c3018e89 --- /dev/null +++ b/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch @@ -0,0 +1,48 @@ +From 604faf9a2ecd1addcc0c10a47e5aaef3c4d4fd6b Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Wed, 13 Oct 2021 22:42:42 +0800 +Subject: iio: buffer: Fix memory leak in iio_buffer_register_legacy_sysfs_groups() + +From: Yang Yingliang + +commit 604faf9a2ecd1addcc0c10a47e5aaef3c4d4fd6b upstream. + +If the second iio_device_register_sysfs_group() fails, +'legacy_buffer_group.attrs' need be freed too or it will +cause memory leak: + +unreferenced object 0xffff888003618280 (size 64): + comm "xrun", pid 357, jiffies 4294907259 (age 22.296s) + hex dump (first 32 bytes): + 80 f6 8c 03 80 88 ff ff 80 fb 8c 03 80 88 ff ff ................ + 00 f9 8c 03 80 88 ff ff 80 fc 8c 03 80 88 ff ff ................ + backtrace: + [<00000000076bfd43>] __kmalloc+0x1a3/0x2f0 + [<00000000c32e4886>] iio_buffers_alloc_sysfs_and_mask+0xc31/0x1290 [industrialio] + +Reported-by: Hulk Robot +Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211013144242.1685060-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-buffer.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1367,10 +1367,10 @@ static int iio_buffer_register_legacy_sy + + return 0; + +-error_free_buffer_attrs: +- kfree(iio_dev_opaque->legacy_buffer_group.attrs); + error_free_scan_el_attrs: + kfree(iio_dev_opaque->legacy_scan_el_group.attrs); ++error_free_buffer_attrs: ++ kfree(iio_dev_opaque->legacy_buffer_group.attrs); + + return ret; + } diff --git a/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch b/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch new file mode 100644 index 00000000000..4fc76c21bc8 --- /dev/null +++ b/queue-5.15/iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch @@ -0,0 +1,81 @@ +From 486a25084155bf633768c26f022201c051d6fd95 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Mon, 18 Oct 2021 14:37:18 +0800 +Subject: iio: buffer: Fix memory leak in iio_buffers_alloc_sysfs_and_mask() + +From: Yang Yingliang + +commit 486a25084155bf633768c26f022201c051d6fd95 upstream. + +When 'iio_dev_opaque->buffer_ioctl_handler' alloc fails in +iio_buffers_alloc_sysfs_and_mask(), the 'attrs' allocated in +iio_buffer_register_legacy_sysfs_groups() will be leaked: + +unreferenced object 0xffff888108568d00 (size 128): + comm "88", pid 2014, jiffies 4294963294 (age 26.920s) + hex dump (first 32 bytes): + 80 3e da 02 80 88 ff ff 00 3a da 02 80 88 ff ff .>.......:...... + 00 35 da 02 80 88 ff ff 00 38 da 02 80 88 ff ff .5.......8...... + backtrace: + [<0000000095a9e51e>] __kmalloc+0x1a3/0x2f0 + [<00000000faa3735e>] iio_buffers_alloc_sysfs_and_mask+0xfa3/0x1480 [industrialio] + [<00000000a46384dc>] __iio_device_register+0x52e/0x1b40 [industrialio] + [<00000000210af05e>] __devm_iio_device_register+0x22/0x80 [industrialio] + [<00000000730d7b41>] adjd_s311_probe+0x195/0x200 [adjd_s311] + [<00000000c0f70eb9>] i2c_device_probe+0xa07/0xbb0 + +The iio_buffer_register_legacy_sysfs_groups() is +called in __iio_buffer_alloc_sysfs_and_mask(), +so move the iio_buffer_unregister_legacy_sysfs_groups() +into __iio_buffer_free_sysfs_and_mask(), then the memory +will be freed. + +Reported-by: Hulk Robot +Fixes: d9a625744ed0 ("iio: core: merge buffer/ & scan_elements/ attributes") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211018063718.1971240-1-yangyingliang@huawei.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/industrialio-buffer.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/iio/industrialio-buffer.c ++++ b/drivers/iio/industrialio-buffer.c +@@ -1588,8 +1588,12 @@ error_cleanup_dynamic: + return ret; + } + +-static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer) ++static void __iio_buffer_free_sysfs_and_mask(struct iio_buffer *buffer, ++ struct iio_dev *indio_dev, ++ int index) + { ++ if (index == 0) ++ iio_buffer_unregister_legacy_sysfs_groups(indio_dev); + bitmap_free(buffer->scan_mask); + kfree(buffer->buffer_group.name); + kfree(buffer->buffer_group.attrs); +@@ -1643,7 +1647,7 @@ int iio_buffers_alloc_sysfs_and_mask(str + error_unwind_sysfs_and_mask: + for (; unwind_idx >= 0; unwind_idx--) { + buffer = iio_dev_opaque->attached_buffers[unwind_idx]; +- __iio_buffer_free_sysfs_and_mask(buffer); ++ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, unwind_idx); + } + return ret; + } +@@ -1660,11 +1664,9 @@ void iio_buffers_free_sysfs_and_mask(str + iio_device_ioctl_handler_unregister(iio_dev_opaque->buffer_ioctl_handler); + kfree(iio_dev_opaque->buffer_ioctl_handler); + +- iio_buffer_unregister_legacy_sysfs_groups(indio_dev); +- + for (i = iio_dev_opaque->attached_buffers_cnt - 1; i >= 0; i--) { + buffer = iio_dev_opaque->attached_buffers[i]; +- __iio_buffer_free_sysfs_and_mask(buffer); ++ __iio_buffer_free_sysfs_and_mask(buffer, indio_dev, i); + } + } + diff --git a/queue-5.15/iio-dac-ad5446-fix-ad5622_write-return-value.patch b/queue-5.15/iio-dac-ad5446-fix-ad5622_write-return-value.patch new file mode 100644 index 00000000000..dc1b4d8c355 --- /dev/null +++ b/queue-5.15/iio-dac-ad5446-fix-ad5622_write-return-value.patch @@ -0,0 +1,47 @@ +From 558df982d4ead9cac628153d0d7b60feae05ddc8 Mon Sep 17 00:00:00 2001 +From: Pekka Korpinen +Date: Wed, 29 Sep 2021 21:57:55 +0300 +Subject: iio: dac: ad5446: Fix ad5622_write() return value + +From: Pekka Korpinen + +commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream. + +On success i2c_master_send() returns the number of bytes written. The +call from iio_write_channel_info(), however, expects the return value to +be zero on success. + +This bug causes incorrect consumption of the sysfs buffer in +iio_write_channel_info(). When writing more than two characters to +out_voltage0_raw, the ad5446 write handler is called multiple times +causing unexpected behavior. + +Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs") +Signed-off-by: Pekka Korpinen +Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5446.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5446.c ++++ b/drivers/iio/dac/ad5446.c +@@ -531,8 +531,15 @@ static int ad5622_write(struct ad5446_st + { + struct i2c_client *client = to_i2c_client(st->dev); + __be16 data = cpu_to_be16(val); ++ int ret; + +- return i2c_master_send(client, (char *)&data, sizeof(data)); ++ ret = i2c_master_send(client, (char *)&data, sizeof(data)); ++ if (ret < 0) ++ return ret; ++ if (ret != sizeof(data)) ++ return -EIO; ++ ++ return 0; + } + + /* diff --git a/queue-5.15/io-wq-serialize-hash-clear-with-wakeup.patch b/queue-5.15/io-wq-serialize-hash-clear-with-wakeup.patch new file mode 100644 index 00000000000..3bf40d7191c --- /dev/null +++ b/queue-5.15/io-wq-serialize-hash-clear-with-wakeup.patch @@ -0,0 +1,86 @@ +From d3e3c102d107bb84251455a298cf475f24bab995 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Thu, 11 Nov 2021 17:32:53 -0700 +Subject: io-wq: serialize hash clear with wakeup + +From: Jens Axboe + +commit d3e3c102d107bb84251455a298cf475f24bab995 upstream. + +We need to ensure that we serialize the stalled and hash bits with the +wait_queue wait handler, or we could be racing with someone modifying +the hashed state after we find it busy, but before we then give up and +wait for it to be cleared. This can cause random delays or stalls when +handling buffered writes for many files, where some of these files cause +hash collisions between the worker threads. + +Cc: stable@vger.kernel.org +Reported-by: Daniel Black +Fixes: e941894eae31 ("io-wq: make buffered file write hashed work map per-ctx") +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io-wq.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/fs/io-wq.c ++++ b/fs/io-wq.c +@@ -421,9 +421,10 @@ static inline unsigned int io_get_work_h + return work->flags >> IO_WQ_HASH_SHIFT; + } + +-static void io_wait_on_hash(struct io_wqe *wqe, unsigned int hash) ++static bool io_wait_on_hash(struct io_wqe *wqe, unsigned int hash) + { + struct io_wq *wq = wqe->wq; ++ bool ret = false; + + spin_lock_irq(&wq->hash->wait.lock); + if (list_empty(&wqe->wait.entry)) { +@@ -431,9 +432,11 @@ static void io_wait_on_hash(struct io_wq + if (!test_bit(hash, &wq->hash->map)) { + __set_current_state(TASK_RUNNING); + list_del_init(&wqe->wait.entry); ++ ret = true; + } + } + spin_unlock_irq(&wq->hash->wait.lock); ++ return ret; + } + + static struct io_wq_work *io_get_next_work(struct io_wqe_acct *acct, +@@ -473,14 +476,21 @@ static struct io_wq_work *io_get_next_wo + } + + if (stall_hash != -1U) { ++ bool unstalled; ++ + /* + * Set this before dropping the lock to avoid racing with new + * work being added and clearing the stalled bit. + */ + set_bit(IO_ACCT_STALLED_BIT, &acct->flags); + raw_spin_unlock(&wqe->lock); +- io_wait_on_hash(wqe, stall_hash); ++ unstalled = io_wait_on_hash(wqe, stall_hash); + raw_spin_lock(&wqe->lock); ++ if (unstalled) { ++ clear_bit(IO_ACCT_STALLED_BIT, &acct->flags); ++ if (wq_has_sleeper(&wqe->wq->hash->wait)) ++ wake_up(&wqe->wq->hash->wait); ++ } + } + + return NULL; +@@ -562,8 +572,11 @@ get_next: + io_wqe_enqueue(wqe, linked); + + if (hash != -1U && !next_hashed) { ++ /* serialize hash clear with wake_up() */ ++ spin_lock_irq(&wq->hash->wait.lock); + clear_bit(hash, &wq->hash->map); + clear_bit(IO_ACCT_STALLED_BIT, &acct->flags); ++ spin_unlock_irq(&wq->hash->wait.lock); + if (wq_has_sleeper(&wq->hash->wait)) + wake_up(&wq->hash->wait); + raw_spin_lock(&wqe->lock); diff --git a/queue-5.15/ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch b/queue-5.15/ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch new file mode 100644 index 00000000000..b3484662ee3 --- /dev/null +++ b/queue-5.15/ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch @@ -0,0 +1,67 @@ +From 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2 Mon Sep 17 00:00:00 2001 +From: Namjae Jeon +Date: Sun, 31 Oct 2021 09:53:50 +0900 +Subject: ksmbd: set unique value to volume serial field in FS_VOLUME_INFORMATION + +From: Namjae Jeon + +commit 5d2f0b1083eb158bdff01dd557e2c25046c0a7d2 upstream. + +Steve French reported ksmbd set fixed value to volume serial field in +FS_VOLUME_INFORMATION. Volume serial value needs to be set to a unique +value for client fscache. This patch set crc value that is generated +with share name, path name and netbios name to volume serial. + +Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3") +Cc: stable@vger.kernel.org # v5.15 +Reported-by: Steve French +Signed-off-by: Namjae Jeon +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman +--- + fs/ksmbd/Kconfig | 1 + + fs/ksmbd/server.c | 1 + + fs/ksmbd/smb2pdu.c | 9 ++++++++- + 3 files changed, 10 insertions(+), 1 deletion(-) + +--- a/fs/ksmbd/Kconfig ++++ b/fs/ksmbd/Kconfig +@@ -19,6 +19,7 @@ config SMB_SERVER + select CRYPTO_GCM + select ASN1 + select OID_REGISTRY ++ select CRC32 + default n + help + Choose Y here if you want to allow SMB3 compliant clients +--- a/fs/ksmbd/server.c ++++ b/fs/ksmbd/server.c +@@ -632,5 +632,6 @@ MODULE_SOFTDEP("pre: sha512"); + MODULE_SOFTDEP("pre: aead2"); + MODULE_SOFTDEP("pre: ccm"); + MODULE_SOFTDEP("pre: gcm"); ++MODULE_SOFTDEP("pre: crc32"); + module_init(ksmbd_server_init) + module_exit(ksmbd_server_exit) +--- a/fs/ksmbd/smb2pdu.c ++++ b/fs/ksmbd/smb2pdu.c +@@ -4891,11 +4891,18 @@ static int smb2_get_info_filesystem(stru + { + struct filesystem_vol_info *info; + size_t sz; ++ unsigned int serial_crc = 0; + + info = (struct filesystem_vol_info *)(rsp->Buffer); + info->VolumeCreationTime = 0; ++ serial_crc = crc32_le(serial_crc, share->name, ++ strlen(share->name)); ++ serial_crc = crc32_le(serial_crc, share->path, ++ strlen(share->path)); ++ serial_crc = crc32_le(serial_crc, ksmbd_netbios_name(), ++ strlen(ksmbd_netbios_name())); + /* Taking dummy value of serial number*/ +- info->SerialNumber = cpu_to_le32(0xbc3ac512); ++ info->SerialNumber = cpu_to_le32(serial_crc); + len = smbConvertToUTF16((__le16 *)info->VolumeLabel, + share->name, PATH_MAX, + conn->local_nls, 0); diff --git a/queue-5.15/mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch b/queue-5.15/mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch new file mode 100644 index 00000000000..ebdf9d9a3ea --- /dev/null +++ b/queue-5.15/mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch @@ -0,0 +1,34 @@ +From 5dc6dafe62099ade0e7232ce9db4013b7673d860 Mon Sep 17 00:00:00 2001 +From: Robert Marko +Date: Tue, 2 Nov 2021 11:04:20 +0100 +Subject: mfd: simple-mfd-i2c: Select MFD_CORE to fix build error + +From: Robert Marko + +commit 5dc6dafe62099ade0e7232ce9db4013b7673d860 upstream. + +MFD_SIMPLE_MFD_I2C should select the MFD_CORE to a prevent build error: + +aarch64-linux-ld: drivers/mfd/simple-mfd-i2c.o: in function `simple_mfd_i2c_probe': +drivers/mfd/simple-mfd-i2c.c:55: undefined reference to `devm_mfd_add_devices' + +Cc: +Fixes: c753ea31781aa ("mfd: simple-mfd-i2c: Add support for registering devices via MFD cells") +Signed-off-by: Robert Marko +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20211102100420.112215-1-robert.marko@sartura.hr +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mfd/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/mfd/Kconfig ++++ b/drivers/mfd/Kconfig +@@ -1194,6 +1194,7 @@ config MFD_SI476X_CORE + config MFD_SIMPLE_MFD_I2C + tristate + depends on I2C ++ select MFD_CORE + select REGMAP_I2C + help + This driver creates a single register map with the intention for it diff --git a/queue-5.15/most-fix-control-message-timeouts.patch b/queue-5.15/most-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..9902c4fd111 --- /dev/null +++ b/queue-5.15/most-fix-control-message-timeouts.patch @@ -0,0 +1,45 @@ +From 63b3e810eff65fb8587fcb26fa0b56802be12dcf Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:58:11 +0200 +Subject: most: fix control-message timeouts + +From: Johan Hovold + +commit 63b3e810eff65fb8587fcb26fa0b56802be12dcf upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout defines for the five-second +timeouts. + +Fixes: 97a6f772f36b ("drivers: most: add USB adapter driver") +Cc: stable@vger.kernel.org # 5.9 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025115811.5410-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/most/most_usb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/most/most_usb.c ++++ b/drivers/most/most_usb.c +@@ -149,7 +149,8 @@ static inline int drci_rd_reg(struct usb + retval = usb_control_msg(dev, usb_rcvctrlpipe(dev, 0), + DRCI_READ_REQ, req_type, + 0x0000, +- reg, dma_buf, sizeof(*dma_buf), 5 * HZ); ++ reg, dma_buf, sizeof(*dma_buf), ++ USB_CTRL_GET_TIMEOUT); + *buf = le16_to_cpu(*dma_buf); + kfree(dma_buf); + +@@ -176,7 +177,7 @@ static inline int drci_wr_reg(struct usb + reg, + NULL, + 0, +- 5 * HZ); ++ USB_CTRL_SET_TIMEOUT); + } + + static inline int start_sync_ep(struct usb_device *usb_dev, u16 ep) diff --git a/queue-5.15/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch b/queue-5.15/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch new file mode 100644 index 00000000000..bc3a81184f4 --- /dev/null +++ b/queue-5.15/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch @@ -0,0 +1,49 @@ +From c7892ae13e461ed20154321eb792e07ebe38f5b3 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Fri, 22 Oct 2021 09:43:23 +0800 +Subject: pinctrl: core: fix possible memory leak in pinctrl_enable() + +From: Yang Yingliang + +commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888020a7a680 (size 64): + comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s) + hex dump (first 32 bytes): + 00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360 + [<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70 + [<0000000064346707>] pinctrl_register+0x27/0x80 + [<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0 + [<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08] + [<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c] + +If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin() +need be freed. + +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot +Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -2100,6 +2100,8 @@ int pinctrl_enable(struct pinctrl_dev *p + if (error) { + dev_err(pctldev->dev, "could not claim hogs: %i\n", + error); ++ pinctrl_free_pindescs(pctldev, pctldev->desc->pins, ++ pctldev->desc->npins); + mutex_destroy(&pctldev->mutex); + kfree(pctldev); + diff --git a/queue-5.15/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch b/queue-5.15/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch new file mode 100644 index 00000000000..2771c37173f --- /dev/null +++ b/queue-5.15/power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch @@ -0,0 +1,38 @@ +From 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a Mon Sep 17 00:00:00 2001 +From: Sebastian Krzyszkowiak +Date: Tue, 14 Sep 2021 14:18:05 +0200 +Subject: power: supply: max17042_battery: Clear status bits in interrupt handler + +From: Sebastian Krzyszkowiak + +commit 0cf48167b87e388fa1268c9fe6d2443ae7f43d8a upstream. + +The gauge requires us to clear the status bits manually for some alerts +to be properly dismissed. Previously the IRQ was configured to react only +on falling edge, which wasn't technically correct (the ALRT line is active +low), but it had a happy side-effect of preventing interrupt storms +on uncleared alerts from happening. + +Fixes: 7fbf6b731bca ("power: supply: max17042: Do not enforce (incorrect) interrupt trigger type") +Cc: +Signed-off-by: Sebastian Krzyszkowiak +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + drivers/power/supply/max17042_battery.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/power/supply/max17042_battery.c ++++ b/drivers/power/supply/max17042_battery.c +@@ -880,6 +880,10 @@ static irqreturn_t max17042_thread_handl + max17042_set_soc_threshold(chip, 1); + } + ++ /* we implicitly handle all alerts via power_supply_changed */ ++ regmap_clear_bits(chip->regmap, MAX17042_STATUS, ++ 0xFFFF & ~(STATUS_POR_BIT | STATUS_BST_BIT)); ++ + power_supply_changed(chip->battery); + return IRQ_HANDLED; + } diff --git a/queue-5.15/revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch b/queue-5.15/revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch new file mode 100644 index 00000000000..8266e1dd19b --- /dev/null +++ b/queue-5.15/revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch @@ -0,0 +1,88 @@ +From d02b006b29de14968ba4afa998bede0d55469e29 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 7 Oct 2021 15:31:46 +0200 +Subject: Revert "serial: 8250: Fix reporting real baudrate value in c_ospeed field" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Johan Hovold + +commit d02b006b29de14968ba4afa998bede0d55469e29 upstream. + +This reverts commit 32262e2e429cdb31f9e957e997d53458762931b7. + +The commit in question claims to determine the inverse of +serial8250_get_divisor() but failed to notice that some drivers override +the default implementation using a get_divisor() callback. + +This means that the computed line-speed values can be completely wrong +and results in regular TCSETS requests failing (the incorrect values +would also be passed to any overridden set_divisor() callback). + +Similarly, it also failed to honour the old (deprecated) ASYNC_SPD_FLAGS +and would break applications relying on those when re-encoding the +actual line speed. + +There are also at least two quirks, UART_BUG_QUOT and an OMAP1510 +workaround, which were happily ignored and that are now broken. + +Finally, even if the offending commit were to be implemented correctly, +this is a new feature and not something which should be backported to +stable. + +Cc: Pali Rohár +Fixes: 32262e2e429c ("serial: 8250: Fix reporting real baudrate value in c_ospeed field") +Cc: stable +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211007133146.28949-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 17 ----------------- + 1 file changed, 17 deletions(-) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2584,19 +2584,6 @@ static unsigned int serial8250_get_divis + return serial8250_do_get_divisor(port, baud, frac); + } + +-static unsigned int serial8250_compute_baud_rate(struct uart_port *port, +- unsigned int quot) +-{ +- if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001) +- return port->uartclk / 4; +- else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002) +- return port->uartclk / 8; +- else if (port->type == PORT_NPCM) +- return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2)); +- else +- return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot); +-} +- + static unsigned char serial8250_compute_lcr(struct uart_8250_port *up, + tcflag_t c_cflag) + { +@@ -2738,14 +2725,11 @@ void serial8250_update_uartclk(struct ua + + baud = serial8250_get_baud_rate(port, termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); +- baud = serial8250_compute_baud_rate(port, quot); + + serial8250_rpm_get(up); + spin_lock_irqsave(&port->lock, flags); + + uart_update_timeout(port, termios->c_cflag, baud); +- if (tty_termios_baud_rate(termios)) +- tty_termios_encode_baud_rate(termios, baud, baud); + + serial8250_set_divisor(port, baud, quot, frac); + serial_port_out(port, UART_LCR, up->lcr); +@@ -2779,7 +2763,6 @@ serial8250_do_set_termios(struct uart_po + + baud = serial8250_get_baud_rate(port, termios, old); + quot = serial8250_get_divisor(port, baud, &frac); +- baud = serial8250_compute_baud_rate(port, quot); + + /* + * Ok, we're now changing the port state. Do it with diff --git a/queue-5.15/serial-8250-fix-racy-uartclk-update.patch b/queue-5.15/serial-8250-fix-racy-uartclk-update.patch new file mode 100644 index 00000000000..edd676d7509 --- /dev/null +++ b/queue-5.15/serial-8250-fix-racy-uartclk-update.patch @@ -0,0 +1,88 @@ +From 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 15 Oct 2021 13:14:20 +0200 +Subject: serial: 8250: fix racy uartclk update + +From: Johan Hovold + +commit 211cde4f5817dc88ef7f8f2fa286e57fbf14c8ee upstream. + +Commit 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +added a hack to support SoCs where the UART reference clock can +change behind the back of the driver but failed to add the proper +locking. + +First, make sure to take a reference to the tty struct to avoid +dereferencing a NULL pointer if the clock change races with a hangup. + +Second, the termios semaphore must be held during the update to prevent +a racing termios change. + +Fixes: 868f3ee6e452 ("serial: 8250: Add 8250 port clock update method") +Fixes: c8dff3aa8241 ("serial: 8250: Skip uninitialized TTY port baud rate update") +Cc: stable@vger.kernel.org # 5.9 +Cc: Serge Semin +Tested-by: Serge Semin +Reviewed-by: Serge Semin +Acked-by: Andy Shevchenko +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211015111422.1027-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index 66374704747e..e4dd82fd7c2a 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2696,21 +2696,32 @@ static unsigned int serial8250_get_baud_rate(struct uart_port *port, + void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + { + struct uart_8250_port *up = up_to_u8250p(port); ++ struct tty_port *tport = &port->state->port; + unsigned int baud, quot, frac = 0; + struct ktermios *termios; ++ struct tty_struct *tty; + unsigned long flags; + +- mutex_lock(&port->state->port.mutex); ++ tty = tty_port_tty_get(tport); ++ if (!tty) { ++ mutex_lock(&tport->mutex); ++ port->uartclk = uartclk; ++ mutex_unlock(&tport->mutex); ++ return; ++ } ++ ++ down_write(&tty->termios_rwsem); ++ mutex_lock(&tport->mutex); + + if (port->uartclk == uartclk) + goto out_lock; + + port->uartclk = uartclk; + +- if (!tty_port_initialized(&port->state->port)) ++ if (!tty_port_initialized(tport)) + goto out_lock; + +- termios = &port->state->port.tty->termios; ++ termios = &tty->termios; + + baud = serial8250_get_baud_rate(port, termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); +@@ -2727,7 +2738,9 @@ void serial8250_update_uartclk(struct uart_port *port, unsigned int uartclk) + serial8250_rpm_put(up); + + out_lock: +- mutex_unlock(&port->state->port.mutex); ++ mutex_unlock(&tport->mutex); ++ up_write(&tty->termios_rwsem); ++ tty_kref_put(tty); + } + EXPORT_SYMBOL_GPL(serial8250_update_uartclk); + +-- +2.33.1 + diff --git a/queue-5.15/serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch b/queue-5.15/serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch new file mode 100644 index 00000000000..693d0513c7f --- /dev/null +++ b/queue-5.15/serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch @@ -0,0 +1,78 @@ +From 32262e2e429cdb31f9e957e997d53458762931b7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Pali=20Roh=C3=A1r?= +Date: Mon, 27 Sep 2021 11:37:04 +0200 +Subject: serial: 8250: Fix reporting real baudrate value in c_ospeed field +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +commit 32262e2e429cdb31f9e957e997d53458762931b7 upstream. + +In most cases it is not possible to set exact baudrate value to hardware. + +So fix reporting real baudrate value which was set to hardware via c_ospeed +termios field. It can be retrieved by ioctl(TCGETS2) from userspace. + +Real baudrate value is calculated from chosen hardware divisor and base +clock. It is implemented in a new function serial8250_compute_baud_rate() +which is inverse of serial8250_get_divisor() function. + +With this change is fixed also UART timeout value (it is updated via +uart_update_timeout() function), which is calculated from the now fixed +baudrate value too. + +Cc: stable@vger.kernel.org +Signed-off-by: Pali Rohár +Link: https://lore.kernel.org/r/20210927093704.19768-1-pali@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/8250/8250_port.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2584,6 +2584,19 @@ static unsigned int serial8250_get_divis + return serial8250_do_get_divisor(port, baud, frac); + } + ++static unsigned int serial8250_compute_baud_rate(struct uart_port *port, ++ unsigned int quot) ++{ ++ if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8001) ++ return port->uartclk / 4; ++ else if ((port->flags & UPF_MAGIC_MULTIPLIER) && quot == 0x8002) ++ return port->uartclk / 8; ++ else if (port->type == PORT_NPCM) ++ return DIV_ROUND_CLOSEST(port->uartclk - 2 * (quot + 2), 16 * (quot + 2)); ++ else ++ return DIV_ROUND_CLOSEST(port->uartclk, 16 * quot); ++} ++ + static unsigned char serial8250_compute_lcr(struct uart_8250_port *up, + tcflag_t c_cflag) + { +@@ -2725,11 +2738,14 @@ void serial8250_update_uartclk(struct ua + + baud = serial8250_get_baud_rate(port, termios, NULL); + quot = serial8250_get_divisor(port, baud, &frac); ++ baud = serial8250_compute_baud_rate(port, quot); + + serial8250_rpm_get(up); + spin_lock_irqsave(&port->lock, flags); + + uart_update_timeout(port, termios->c_cflag, baud); ++ if (tty_termios_baud_rate(termios)) ++ tty_termios_encode_baud_rate(termios, baud, baud); + + serial8250_set_divisor(port, baud, quot, frac); + serial_port_out(port, UART_LCR, up->lcr); +@@ -2763,6 +2779,7 @@ serial8250_do_set_termios(struct uart_po + + baud = serial8250_get_baud_rate(port, termios, old); + quot = serial8250_get_divisor(port, baud, &frac); ++ baud = serial8250_compute_baud_rate(port, quot); + + /* + * Ok, we're now changing the port state. Do it with diff --git a/queue-5.15/series b/queue-5.15/series index 80c277ac502..df80d2295fe 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -155,3 +155,27 @@ quota-check-block-number-when-reading-the-block-in-quota-file.patch quota-correct-error-number-in-free_dqentry.patch cifs-to-match-file-servers-make-sure-the-server-hostname-matches.patch cifs-set-a-minimum-of-120s-for-next-dns-resolution.patch +mfd-simple-mfd-i2c-select-mfd_core-to-fix-build-error.patch +pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch +coresight-cti-correct-the-parameter-for-pm_runtime_put.patch +coresight-trbe-fix-incorrect-access-of-the-sink-specific-data.patch +coresight-trbe-defer-the-probe-on-offline-cpus.patch +iio-buffer-check-return-value-of-kstrdup_const.patch +iio-buffer-fix-memory-leak-in-iio_buffers_alloc_sysfs_and_mask.patch +iio-buffer-fix-memory-leak-in-__iio_buffer_alloc_sysfs_and_mask.patch +iio-buffer-fix-memory-leak-in-iio_buffer_register_legacy_sysfs_groups.patch +drivers-iio-dac-ad5766-fix-dt-property-name.patch +iio-dac-ad5446-fix-ad5622_write-return-value.patch +iio-ad5770r-make-devicetree-property-reading-consistent.patch +documentation-devicetree-bindings-iio-dac-fix-val.patch +usb-serial-keyspan-fix-memleak-on-probe-errors.patch +serial-8250-fix-racy-uartclk-update.patch +ksmbd-set-unique-value-to-volume-serial-field-in-fs_volume_information.patch +io-wq-serialize-hash-clear-with-wakeup.patch +serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch +revert-serial-8250-fix-reporting-real-baudrate-value-in-c_ospeed-field.patch +most-fix-control-message-timeouts.patch +usb-iowarrior-fix-control-message-timeouts.patch +usb-chipidea-fix-interrupt-deadlock.patch +power-supply-max17042_battery-clear-status-bits-in-interrupt-handler.patch +component-do-not-leave-master-devres-group-open-after-bind.patch diff --git a/queue-5.15/usb-chipidea-fix-interrupt-deadlock.patch b/queue-5.15/usb-chipidea-fix-interrupt-deadlock.patch new file mode 100644 index 00000000000..adbe8e89063 --- /dev/null +++ b/queue-5.15/usb-chipidea-fix-interrupt-deadlock.patch @@ -0,0 +1,105 @@ +From 9aaa81c3366e8393a62374e3a1c67c69edc07b8a Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 21 Oct 2021 10:34:47 +0200 +Subject: USB: chipidea: fix interrupt deadlock + +From: Johan Hovold + +commit 9aaa81c3366e8393a62374e3a1c67c69edc07b8a upstream. + +Chipidea core was calling the interrupt handler from non-IRQ context +with interrupts enabled, something which can lead to a deadlock if +there's an actual interrupt trying to take a lock that's already held +(e.g. the controller lock in udc_irq()). + +Add a wrapper that can be used to fake interrupts instead of calling the +handler directly. + +Fixes: 3ecb3e09b042 ("usb: chipidea: Use extcon framework for VBUS and ID detect") +Fixes: 876d4e1e8298 ("usb: chipidea: core: add wakeup support for extcon") +Cc: Peter Chen +Cc: stable@vger.kernel.org # 4.4 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211021083447.20078-1-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/chipidea/core.c | 23 ++++++++++++++++------- + 1 file changed, 16 insertions(+), 7 deletions(-) + +--- a/drivers/usb/chipidea/core.c ++++ b/drivers/usb/chipidea/core.c +@@ -514,7 +514,7 @@ int hw_device_reset(struct ci_hdrc *ci) + return 0; + } + +-static irqreturn_t ci_irq(int irq, void *data) ++static irqreturn_t ci_irq_handler(int irq, void *data) + { + struct ci_hdrc *ci = data; + irqreturn_t ret = IRQ_NONE; +@@ -567,6 +567,15 @@ static irqreturn_t ci_irq(int irq, void + return ret; + } + ++static void ci_irq(struct ci_hdrc *ci) ++{ ++ unsigned long flags; ++ ++ local_irq_save(flags); ++ ci_irq_handler(ci->irq, ci); ++ local_irq_restore(flags); ++} ++ + static int ci_cable_notifier(struct notifier_block *nb, unsigned long event, + void *ptr) + { +@@ -576,7 +585,7 @@ static int ci_cable_notifier(struct noti + cbl->connected = event; + cbl->changed = true; + +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + return NOTIFY_DONE; + } + +@@ -617,7 +626,7 @@ static int ci_usb_role_switch_set(struct + if (cable) { + cable->changed = true; + cable->connected = false; +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + spin_unlock_irqrestore(&ci->lock, flags); + if (ci->wq && role != USB_ROLE_NONE) + flush_workqueue(ci->wq); +@@ -635,7 +644,7 @@ static int ci_usb_role_switch_set(struct + if (cable) { + cable->changed = true; + cable->connected = true; +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + } + spin_unlock_irqrestore(&ci->lock, flags); + pm_runtime_put_sync(ci->dev); +@@ -1174,7 +1183,7 @@ static int ci_hdrc_probe(struct platform + } + } + +- ret = devm_request_irq(dev, ci->irq, ci_irq, IRQF_SHARED, ++ ret = devm_request_irq(dev, ci->irq, ci_irq_handler, IRQF_SHARED, + ci->platdata->name, ci); + if (ret) + goto stop; +@@ -1295,11 +1304,11 @@ static void ci_extcon_wakeup_int(struct + + if (!IS_ERR(cable_id->edev) && ci->is_otg && + (otgsc & OTGSC_IDIE) && (otgsc & OTGSC_IDIS)) +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + + if (!IS_ERR(cable_vbus->edev) && ci->is_otg && + (otgsc & OTGSC_BSVIE) && (otgsc & OTGSC_BSVIS)) +- ci_irq(ci->irq, ci); ++ ci_irq(ci); + } + + static int ci_controller_resume(struct device *dev) diff --git a/queue-5.15/usb-iowarrior-fix-control-message-timeouts.patch b/queue-5.15/usb-iowarrior-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..d987df6dcd0 --- /dev/null +++ b/queue-5.15/usb-iowarrior-fix-control-message-timeouts.patch @@ -0,0 +1,55 @@ +From 79a4479a17b83310deb0b1a2a274fe5be12d2318 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:51:59 +0200 +Subject: USB: iowarrior: fix control-message timeouts + +From: Johan Hovold + +commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout define for the five-second +timeout and drop the driver-specific one. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Cc: stable@vger.kernel.org # 2.6.21 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/iowarrior.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -99,10 +99,6 @@ struct iowarrior { + /* globals */ + /*--------------*/ + +-/* +- * USB spec identifies 5 second timeouts. +- */ +-#define GET_TIMEOUT 5 + #define USB_REQ_GET_REPORT 0x01 + //#if 0 + static int usb_get_report(struct usb_device *dev, +@@ -114,7 +110,7 @@ static int usb_get_report(struct usb_dev + USB_DIR_IN | USB_TYPE_CLASS | + USB_RECIP_INTERFACE, (type << 8) + id, + inter->desc.bInterfaceNumber, buf, size, +- GET_TIMEOUT*HZ); ++ USB_CTRL_GET_TIMEOUT); + } + //#endif + +@@ -129,7 +125,7 @@ static int usb_set_report(struct usb_int + USB_TYPE_CLASS | USB_RECIP_INTERFACE, + (type << 8) + id, + intf->cur_altsetting->desc.bInterfaceNumber, buf, +- size, HZ); ++ size, 1000); + } + + /*---------------------*/ diff --git a/queue-5.15/usb-serial-keyspan-fix-memleak-on-probe-errors.patch b/queue-5.15/usb-serial-keyspan-fix-memleak-on-probe-errors.patch new file mode 100644 index 00000000000..41d1b910fd8 --- /dev/null +++ b/queue-5.15/usb-serial-keyspan-fix-memleak-on-probe-errors.patch @@ -0,0 +1,98 @@ +From 910c996335c37552ee30fcb837375b808bb4f33b Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Fri, 15 Oct 2021 16:55:43 +0800 +Subject: USB: serial: keyspan: fix memleak on probe errors + +From: Wang Hai + +commit 910c996335c37552ee30fcb837375b808bb4f33b upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888258228440 (size 64): + comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] keyspan_port_probe+0xa4/0x5d0 [keyspan] + [] usb_serial_device_probe+0x97/0x1d0 [usbserial] + [] really_probe+0x167/0x460 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_serial_probe.cold+0xc9b/0x14ac [usbserial] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x167/0x460 + +If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or +in_buffer[i], the previously allocated memory for out_buffer or +in_buffer needs to be freed on the error handling path, otherwise a +memory leak will result. + +Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com +Cc: stable@vger.kernel.org # 3.12 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/keyspan.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -2890,22 +2890,22 @@ static int keyspan_port_probe(struct usb + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) { + p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL); + if (!p_priv->in_buffer[i]) +- goto err_in_buffer; ++ goto err_free_in_buffer; + } + + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) { + p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL); + if (!p_priv->out_buffer[i]) +- goto err_out_buffer; ++ goto err_free_out_buffer; + } + + p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL); + if (!p_priv->inack_buffer) +- goto err_inack_buffer; ++ goto err_free_out_buffer; + + p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL); + if (!p_priv->outcont_buffer) +- goto err_outcont_buffer; ++ goto err_free_inack_buffer; + + p_priv->device_details = d_details; + +@@ -2951,15 +2951,14 @@ static int keyspan_port_probe(struct usb + + return 0; + +-err_outcont_buffer: ++err_free_inack_buffer: + kfree(p_priv->inack_buffer); +-err_inack_buffer: ++err_free_out_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) + kfree(p_priv->out_buffer[i]); +-err_out_buffer: ++err_free_in_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) + kfree(p_priv->in_buffer[i]); +-err_in_buffer: + kfree(p_priv); + + return -ENOMEM;