From: Sasha Levin Date: Sun, 5 Mar 2023 01:57:04 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v6.2.3~122 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e70ae8b643743010400f4d0b7126d89a7f3da4f2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch b/queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch new file mode 100644 index 00000000000..833004fcec6 --- /dev/null +++ b/queue-4.14/acpi-battery-fix-missing-nul-termination-with-large-.patch @@ -0,0 +1,44 @@ +From d9149cf7a64451c3e4deb63497b6c46aa6b2f02b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 09:50:50 +0100 +Subject: ACPI: battery: Fix missing NUL-termination with large strings + +From: Armin Wolf + +[ Upstream commit f2ac14b5f197e4a2dec51e5ceaa56682ff1592bc ] + +When encountering a string bigger than the destination buffer (32 bytes), +the string is not properly NUL-terminated, causing buffer overreads later. + +This for example happens on the Inspiron 3505, where the battery +model name is larger than 32 bytes, which leads to sysfs showing +the model name together with the serial number string (which is +NUL-terminated and thus prevents worse). + +Fix this by using strscpy() which ensures that the result is +always NUL-terminated. + +Fixes: 106449e870b3 ("ACPI: Battery: Allow extract string from integer") +Signed-off-by: Armin Wolf +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c +index 42fba8493854f..96aeb0c8cc0e9 100644 +--- a/drivers/acpi/battery.c ++++ b/drivers/acpi/battery.c +@@ -415,7 +415,7 @@ static int extract_package(struct acpi_battery *battery, + u8 *ptr = (u8 *)battery + offsets[i].offset; + if (element->type == ACPI_TYPE_STRING || + element->type == ACPI_TYPE_BUFFER) +- strncpy(ptr, element->string.pointer, 32); ++ strscpy(ptr, element->string.pointer, 32); + else if (element->type == ACPI_TYPE_INTEGER) { + strncpy(ptr, (u8 *)&element->integer.value, + sizeof(u64)); +-- +2.39.2 + diff --git a/queue-4.14/acpi-don-t-build-acpica-with-os.patch b/queue-4.14/acpi-don-t-build-acpica-with-os.patch new file mode 100644 index 00000000000..5ccf633de9b --- /dev/null +++ b/queue-4.14/acpi-don-t-build-acpica-with-os.patch @@ -0,0 +1,111 @@ +From abde976836aed9e765b67d7a11033393f4e09efc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 13:45:58 +0000 +Subject: ACPI: Don't build ACPICA with '-Os' + +From: Mark Rutland + +[ Upstream commit 8f9e0a52810dd83406c768972d022c37e7a18f1f ] + +The ACPICA code has been built with '-Os' since the beginning of git +history, though there's no explanatory comment as to why. + +This is unfortunate as GCC drops the alignment specificed by +'-falign-functions=N' when '-Os' is used, as reported in GCC bug 88345: + + https://gcc.gnu.org/bugzilla/show_bug.cgi?id=88345 + +This prevents CONFIG_FUNCTION_ALIGNMENT and +CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B from having their expected effect +on the ACPICA code. This is doubly unfortunate as in subsequent patches +arm64 will depend upon CONFIG_FUNCTION_ALIGNMENT for its ftrace +implementation. + +Drop the '-Os' flag when building the ACPICA code. With this removed, +the code builds cleanly and works correctly in testing so far. + +I've tested this by selecting CONFIG_DEBUG_FORCE_FUNCTION_ALIGN_64B=y, +building and booting a kernel using ACPI, and looking for misaligned +text symbols: + +* arm64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 5009 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 919 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 aarch64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 323 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +* x86_64: + + Before, v6.2-rc3: + # uname -rm + 6.2.0-rc3 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 11537 + + Before, v6.2-rc3 + fixed __cold: + # uname -rm + 6.2.0-rc3-00001-g2a2bedf8bfa9 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 2805 + + After: + # uname -rm + 6.2.0-rc3-00002-g267bddc38572 x86_64 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | wc -l + 1357 + # grep ' [Tt] ' /proc/kallsyms | grep -iv '[048c]0 [Tt] ' | grep acpi | wc -l + 0 + +With the patch applied, the remaining unaligned text labels are a +combination of static call trampolines and labels in assembly, which can +be dealt with in subsequent patches. + +Signed-off-by: Mark Rutland +Acked-by: Rafael J. Wysocki +Cc: Florent Revest +Cc: Len Brown +Cc: Masami Hiramatsu +Cc: Peter Zijlstra +Cc: Robert Moore +Cc: Steven Rostedt +Cc: Will Deacon +Cc: linux-acpi@vger.kernel.org +Link: https://lore.kernel.org/r/20230123134603.1064407-4-mark.rutland@arm.com +Signed-off-by: Catalin Marinas +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/acpica/Makefile b/drivers/acpi/acpica/Makefile +index e05232da05888..1e8e4e7a29cb3 100644 +--- a/drivers/acpi/acpica/Makefile ++++ b/drivers/acpi/acpica/Makefile +@@ -3,7 +3,7 @@ + # Makefile for ACPICA Core interpreter + # + +-ccflags-y := -Os -D_LINUX -DBUILDING_ACPICA ++ccflags-y := -D_LINUX -DBUILDING_ACPICA + ccflags-$(CONFIG_ACPI_DEBUG) += -DACPI_DEBUG_OUTPUT + + # use acpi.o to put all files here into acpi.o modparam namespace +-- +2.39.2 + diff --git a/queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch b/queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch new file mode 100644 index 00000000000..7427a6b442e --- /dev/null +++ b/queue-4.14/acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch @@ -0,0 +1,42 @@ +From 5da4f8042b69566bef084a2c783a91fef5cc8f73 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 2 Feb 2023 13:44:49 +0100 +Subject: ACPI: video: Fix Lenovo Ideapad Z570 DMI match + +From: Hans de Goede + +[ Upstream commit 2d11eae42d52a131f06061015e49dc0f085c5bfc ] + +Multiple Ideapad Z570 variants need acpi_backlight=native to force native +use on these pre Windows 8 machines since acpi_video backlight control +does not work here. + +The original DMI quirk matches on a product_name of "102434U" but other +variants may have different product_name-s such as e.g. "1024D9U". + +Move to checking product_version instead as is more or less standard for +Lenovo DMI quirks for similar reasons. + +Signed-off-by: Hans de Goede +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/video_detect.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c +index 0ec74ab2a3995..b4f16073ef432 100644 +--- a/drivers/acpi/video_detect.c ++++ b/drivers/acpi/video_detect.c +@@ -300,7 +300,7 @@ static const struct dmi_system_id video_detect_dmi_table[] = { + .ident = "Lenovo Ideapad Z570", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"), +- DMI_MATCH(DMI_PRODUCT_NAME, "102434U"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Ideapad Z570"), + }, + }, + { +-- +2.39.2 + diff --git a/queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch b/queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch new file mode 100644 index 00000000000..9c273dd1e37 --- /dev/null +++ b/queue-4.14/acpica-nsrepair-handle-cases-without-a-return-value-.patch @@ -0,0 +1,65 @@ +From 6dca4b2326799d22b158f948ab38a39c07a37ca5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Jan 2023 02:53:08 +0300 +Subject: ACPICA: nsrepair: handle cases without a return value correctly + +From: Daniil Tatianin + +[ Upstream commit ca843a4c79486e99a19b859ef0b9887854afe146 ] + +Previously acpi_ns_simple_repair() would crash if expected_btypes +contained any combination of ACPI_RTYPE_NONE with a different type, +e.g | ACPI_RTYPE_INTEGER because of slightly incorrect logic in the +!return_object branch, which wouldn't return AE_AML_NO_RETURN_VALUE +for such cases. + +Found by Linux Verification Center (linuxtesting.org) with the SVACE +static analysis tool. + +Link: https://github.com/acpica/acpica/pull/811 +Fixes: 61db45ca2163 ("ACPICA: Restore code that repairs NULL package elements in return values.") +Signed-off-by: Daniil Tatianin +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/nsrepair.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/acpi/acpica/nsrepair.c b/drivers/acpi/acpica/nsrepair.c +index 418ef2ac82abe..9f95369772ddc 100644 +--- a/drivers/acpi/acpica/nsrepair.c ++++ b/drivers/acpi/acpica/nsrepair.c +@@ -215,8 +215,9 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + * Try to fix if there was no return object. Warning if failed to fix. + */ + if (!return_object) { +- if (expected_btypes && (!(expected_btypes & ACPI_RTYPE_NONE))) { +- if (package_index != ACPI_NOT_PACKAGE_ELEMENT) { ++ if (expected_btypes) { ++ if (!(expected_btypes & ACPI_RTYPE_NONE) && ++ package_index != ACPI_NOT_PACKAGE_ELEMENT) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, +@@ -230,14 +231,15 @@ acpi_ns_simple_repair(struct acpi_evaluate_info *info, + if (ACPI_SUCCESS(status)) { + return (AE_OK); /* Repair was successful */ + } +- } else { ++ } ++ ++ if (expected_btypes != ACPI_RTYPE_NONE) { + ACPI_WARN_PREDEFINED((AE_INFO, + info->full_pathname, + ACPI_WARN_ALWAYS, + "Missing expected return value")); ++ return (AE_AML_NO_RETURN_VALUE); + } +- +- return (AE_AML_NO_RETURN_VALUE); + } + } + +-- +2.39.2 + diff --git a/queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch b/queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch new file mode 100644 index 00000000000..316c34e30d1 --- /dev/null +++ b/queue-4.14/alsa-hda-ca0132-minor-fix-for-allocation-size.patch @@ -0,0 +1,40 @@ +From a276cd37dd079c4dcc53db0242ddbf091972ff20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jan 2023 14:15:23 +0300 +Subject: ALSA: hda/ca0132: minor fix for allocation size + +From: Alexey V. Vissarionov + +[ Upstream commit 3ee0fe7fa39b14d1cea455b7041f2df933bd97d2 ] + +Although the "dma_chan" pointer occupies more or equal space compared +to "*dma_chan", the allocation size should use the size of variable +itself. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 01ef7dbffb41 ("ALSA: hda - Update CA0132 codec to load DSP firmware binary") +Signed-off-by: Alexey V. Vissarionov +Link: https://lore.kernel.org/r/20230117111522.GA15213@altlinux.org +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_ca0132.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/hda/patch_ca0132.c b/sound/pci/hda/patch_ca0132.c +index 369f812d70722..280643f72c6e2 100644 +--- a/sound/pci/hda/patch_ca0132.c ++++ b/sound/pci/hda/patch_ca0132.c +@@ -1523,7 +1523,7 @@ static int dspio_set_uint_param(struct hda_codec *codec, int mod_id, + static int dspio_alloc_dma_chan(struct hda_codec *codec, unsigned int *dma_chan) + { + int status = 0; +- unsigned int size = sizeof(dma_chan); ++ unsigned int size = sizeof(*dma_chan); + + codec_dbg(codec, " dspio_alloc_dma_chan() -- begin\n"); + status = dspio_scp(codec, MASTERCONTROL, MASTERCONTROL_ALLOC_DMA_CHAN, +-- +2.39.2 + diff --git a/queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch b/queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch new file mode 100644 index 00000000000..7f34e9dffc7 --- /dev/null +++ b/queue-4.14/arm-dts-exynos-correct-wr-active-property-in-exynos3.patch @@ -0,0 +1,37 @@ +From 58b8bb1c64ff7ae1acd2262e24be7f3e8d642a8d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 16:53:54 +0100 +Subject: ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato + +From: Krzysztof Kozlowski + +[ Upstream commit d15d2a617499882971ddb773a583015bf36fa492 ] + +The property is wr-active: + + exynos3250-rinato.dtb: fimd@11c00000: i80-if-timings: 'wr-act' does not match any of the regexes: 'pinctrl-[0-9]+' + +Fixes: b59b3afb94d4 ("ARM: dts: add fimd device support for exynos3250-rinato") +Link: https://lore.kernel.org/r/20230120155404.323386-2-krzysztof.kozlowski@linaro.org +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos3250-rinato.dts | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos3250-rinato.dts b/arch/arm/boot/dts/exynos3250-rinato.dts +index c0c3b185b731f..2a945d04592b1 100644 +--- a/arch/arm/boot/dts/exynos3250-rinato.dts ++++ b/arch/arm/boot/dts/exynos3250-rinato.dts +@@ -258,7 +258,7 @@ &fimd { + i80-if-timings { + cs-setup = <0>; + wr-setup = <0>; +- wr-act = <1>; ++ wr-active = <1>; + wr-hold = <0>; + }; + }; +-- +2.39.2 + diff --git a/queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch b/queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch new file mode 100644 index 00000000000..93c222b2d61 --- /dev/null +++ b/queue-4.14/arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch @@ -0,0 +1,37 @@ +From e80bf18b58a03a7f800614159a826322e515bf3a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 21 Jan 2023 22:18:42 +0200 +Subject: ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy + +From: Markuss Broks + +[ Upstream commit 5d5aa219a790d61cad2c38e1aa32058f16ad2f0b ] + +For some reason, the driver adding support for Exynos5420 MIPI phy +back in 2016 wasn't used on Exynos5420, which caused a kernel panic. +Add the proper compatible for it. + +Signed-off-by: Markuss Broks +Link: https://lore.kernel.org/r/20230121201844.46872-2-markuss.broks@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/exynos5420.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/exynos5420.dtsi b/arch/arm/boot/dts/exynos5420.dtsi +index 02d2f898efa6c..d07e2a94a9dd6 100644 +--- a/arch/arm/boot/dts/exynos5420.dtsi ++++ b/arch/arm/boot/dts/exynos5420.dtsi +@@ -536,7 +536,7 @@ dp_phy: dp-video-phy { + }; + + mipi_phy: mipi-video-phy { +- compatible = "samsung,s5pv210-mipi-video-phy"; ++ compatible = "samsung,exynos5420-mipi-video-phy"; + syscon = <&pmu_system_controller>; + #phy-cells = <1>; + }; +-- +2.39.2 + diff --git a/queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch b/queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch new file mode 100644 index 00000000000..479e72ad59e --- /dev/null +++ b/queue-4.14/arm-omap1-call-platform_device_put-in-error-case-in-.patch @@ -0,0 +1,39 @@ +From 494132eda885c07ecc8dfa7c4169d6811554de42 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 11:57:54 +0200 +Subject: ARM: OMAP1: call platform_device_put() in error case in + omap1_dm_timer_init() + +From: Yang Yingliang + +[ Upstream commit 0414a100d6ab32721efa70ab55524540fdfe0ede ] + +If platform_device_add() is not called or failed, it should call +platform_device_put() in error case. + +Fixes: 97933d6ced60 ("ARM: OMAP1: dmtimer: conversion to platform devices") +Reported-by: Hulk Robot +Signed-off-by: Yang Yingliang +Message-Id: <20220701094602.2365099-1-yangyingliang@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap1/timer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/mach-omap1/timer.c b/arch/arm/mach-omap1/timer.c +index 8fb1ec6fa9992..7654253bc63c3 100644 +--- a/arch/arm/mach-omap1/timer.c ++++ b/arch/arm/mach-omap1/timer.c +@@ -165,7 +165,7 @@ static int __init omap1_dm_timer_init(void) + kfree(pdata); + + err_free_pdev: +- platform_device_unregister(pdev); ++ platform_device_put(pdev); + + return ret; + } +-- +2.39.2 + diff --git a/queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch b/queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch new file mode 100644 index 00000000000..74a194dc265 --- /dev/null +++ b/queue-4.14/arm-omap2-fix-memory-leak-in-realtime_counter_init.patch @@ -0,0 +1,36 @@ +From d076c26e1886980963736733b702ef6aaba9f1d3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 22:19:17 +0800 +Subject: ARM: OMAP2+: Fix memory leak in realtime_counter_init() + +From: Chen Hui + +[ Upstream commit ed8167cbf65c2b6ff6faeb0f96ded4d6d581e1ac ] + +The "sys_clk" resource is malloced by clk_get(), +it is not released when the function return. + +Fixes: fa6d79d27614 ("ARM: OMAP: Add initialisation for the real-time counter.") +Signed-off-by: Chen Hui +Message-Id: <20221108141917.46796-1-judy.chenhui@huawei.com> +Signed-off-by: Tony Lindgren +Signed-off-by: Sasha Levin +--- + arch/arm/mach-omap2/timer.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-omap2/timer.c b/arch/arm/mach-omap2/timer.c +index d61fbd7a2840a..c421d12b32038 100644 +--- a/arch/arm/mach-omap2/timer.c ++++ b/arch/arm/mach-omap2/timer.c +@@ -562,6 +562,7 @@ static void __init realtime_counter_init(void) + } + + rate = clk_get_rate(sys_clk); ++ clk_put(sys_clk); + + if (soc_is_dra7xx()) { + /* +-- +2.39.2 + diff --git a/queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch b/queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch new file mode 100644 index 00000000000..5c6b4c10576 --- /dev/null +++ b/queue-4.14/arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch @@ -0,0 +1,37 @@ +From 60f5bd573bad07061c3741b91308318a44a85fdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Nov 2022 22:05:44 +0800 +Subject: ARM: zynq: Fix refcount leak in zynq_early_slcr_init + +From: Qiheng Lin + +[ Upstream commit 9eedb910a3be0005b88c696a8552c0d4c9937cd4 ] + +of_find_compatible_node() returns a node pointer with refcount incremented, +we should use of_node_put() on error path. +Add missing of_node_put() to avoid refcount leak. + +Fixes: 3329659df030 ("ARM: zynq: Simplify SLCR initialization") +Signed-off-by: Qiheng Lin +Link: https://lore.kernel.org/r/20221129140544.41293-1-linqiheng@huawei.com +Signed-off-by: Michal Simek +Signed-off-by: Sasha Levin +--- + arch/arm/mach-zynq/slcr.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/mach-zynq/slcr.c b/arch/arm/mach-zynq/slcr.c +index f0292a30e6f69..6b75ef7be3fda 100644 +--- a/arch/arm/mach-zynq/slcr.c ++++ b/arch/arm/mach-zynq/slcr.c +@@ -222,6 +222,7 @@ int __init zynq_early_slcr_init(void) + zynq_slcr_regmap = syscon_regmap_lookup_by_compatible("xlnx,zynq-slcr"); + if (IS_ERR(zynq_slcr_regmap)) { + pr_err("%s: failed to find zynq-slcr\n", __func__); ++ of_node_put(np); + return -ENODEV; + } + +-- +2.39.2 + diff --git a/queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch b/queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch new file mode 100644 index 00000000000..508f744fd4e --- /dev/null +++ b/queue-4.14/arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch @@ -0,0 +1,36 @@ +From fbc2292c21996e9732509e59b861fe395f306937 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:27 +0100 +Subject: arm64: dts: amlogic: meson-gx: add missing unit address to rng node + name + +From: Neil Armstrong + +[ Upstream commit 61ff70708b98a85516eccb3755084ac97b42cf48 ] + +Fixes: +bus@c8834000: rng: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-6-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index a677873a32abe..735dd7f07aaad 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -435,7 +435,7 @@ periphs: periphs@c8834000 { + #size-cells = <2>; + ranges = <0x0 0x0 0x0 0xc8834000 0x0 0x2000>; + +- hwrng: rng { ++ hwrng: rng@0 { + compatible = "amlogic,meson-rng"; + reg = <0x0 0x0 0x0 0x4>; + }; +-- +2.39.2 + diff --git a/queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch b/queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch new file mode 100644 index 00000000000..875684c7c59 --- /dev/null +++ b/queue-4.14/arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch @@ -0,0 +1,35 @@ +From abfc95fa98c3626c0d8d6954952e42076e51ed89 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:22 +0100 +Subject: arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name + +From: Neil Armstrong + +[ Upstream commit 127f79212b07c5d9a6657a87e3eafdd889335814 ] + +Fixes: +scpi: clocks: 'clock-controller' does not match any of the regexes: '^clocks-[0-9a-f]+$', 'pinctrl-[0-9]+' + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-1-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index f78be385d4dcd..a677873a32abe 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -191,7 +191,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: clock-controller { ++ scpi_dvfs: clocks-0 { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch b/queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch new file mode 100644 index 00000000000..e3185bc8a45 --- /dev/null +++ b/queue-4.14/arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch @@ -0,0 +1,36 @@ +From 3302af45ac545a7b9019574561baf044f6593e2f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 11:34:30 +0100 +Subject: arm64: dts: amlogic: meson-gxl: add missing unit address to + eth-phy-mux node name + +From: Neil Armstrong + +[ Upstream commit d19189f70ba596798ea49166d2d1ef36a8df5289 ] + +Fixes: +bus@c8834000: eth-phy-mux: {...} should not be valid under {'type': 'object'} + +Link: https://lore.kernel.org/r/20230124-b4-amlogic-bindings-fixups-v1-9-44351528957e@linaro.org +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gxl.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +index 3ee6c4bae08f6..853da285929c3 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gxl.dtsi +@@ -609,7 +609,7 @@ mux { + }; + }; + +- eth-phy-mux { ++ eth-phy-mux@55c { + compatible = "mdio-mux-mmioreg", "mdio-mux"; + #address-cells = <1>; + #size-cells = <0>; +-- +2.39.2 + diff --git a/queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch b/queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch new file mode 100644 index 00000000000..60ec7e9e10e --- /dev/null +++ b/queue-4.14/arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch @@ -0,0 +1,39 @@ +From c82f77018d678afca10a6ae918416fd17e9f1d29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:48 +0100 +Subject: arm64: dts: meson-gx: Fix Ethernet MAC address unit name + +From: Martin Blumenstingl + +[ Upstream commit 8ed5310356bfa47cc6bb4221ae6b21258c52e3d1 ] + +Unit names should use hyphens instead of underscores to not cause +warnings. + +Fixes: bfe59f92d306 ("ARM64: dts: amlogic: gxbb: Enable NVMEM") +Suggested-by: Vyacheslav Bocharov +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-5-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index f175db8462861..007aed410704f 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -174,7 +174,7 @@ sn: sn@14 { + reg = <0x14 0x10>; + }; + +- eth_mac: eth_mac@34 { ++ eth_mac: eth-mac@34 { + reg = <0x34 0x10>; + }; + +-- +2.39.2 + diff --git a/queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch b/queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch new file mode 100644 index 00000000000..010fdccc6b2 --- /dev/null +++ b/queue-4.14/arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch @@ -0,0 +1,40 @@ +From f14c5fac7005a55ac19aabcc6595f2d08f28da85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 11 Jan 2023 22:13:50 +0100 +Subject: arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address + +From: Martin Blumenstingl + +[ Upstream commit f189c869ad92787ddd753558bcbae89d75825bb6 ] + +Node names should be generic and use hyphens instead of underscores to +not cause warnings. Also nodes without a reg property should not have a +unit-address. Change the scpi_dvfs node to use clock-controller as node +name without a unit address (since it does not have a reg property). + +Fixes: 70db166a2baa ("ARM64: dts: meson-gxbb: Add SCPI with cpufreq & sensors Nodes") +Signed-off-by: Martin Blumenstingl +Reviewed-by: Neil Armstrong +Link: https://lore.kernel.org/r/20230111211350.1461860-7-martin.blumenstingl@googlemail.com +Signed-off-by: Neil Armstrong +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/amlogic/meson-gx.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +index 007aed410704f..f78be385d4dcd 100644 +--- a/arch/arm64/boot/dts/amlogic/meson-gx.dtsi ++++ b/arch/arm64/boot/dts/amlogic/meson-gx.dtsi +@@ -191,7 +191,7 @@ scpi { + scpi_clocks: clocks { + compatible = "arm,scpi-clocks"; + +- scpi_dvfs: scpi_clocks@0 { ++ scpi_dvfs: clock-controller { + compatible = "arm,scpi-dvfs-clocks"; + #clock-cells = <1>; + clock-indices = <0>; +-- +2.39.2 + diff --git a/queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch b/queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch new file mode 100644 index 00000000000..f69cb0986d0 --- /dev/null +++ b/queue-4.14/asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch @@ -0,0 +1,50 @@ +From 0acea9e066bdab3c75d060dfcdc883fda72acfdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:41:29 -0800 +Subject: ASoC: kirkwood: Iterate over array indexes instead of using pointer + math + +From: Kees Cook + +[ Upstream commit b3bcedc0402fcdc5c8624c433562d9d1882749d8 ] + +Walking the dram->cs array was seen as accesses beyond the first array +item by the compiler. Instead, use the array index directly. This allows +for run-time bounds checking under CONFIG_UBSAN_BOUNDS as well. Seen +with GCC 13 with -fstrict-flex-arrays: + +../sound/soc/kirkwood/kirkwood-dma.c: In function +'kirkwood_dma_conf_mbus_windows.constprop': +../sound/soc/kirkwood/kirkwood-dma.c:90:24: warning: array subscript 0 is outside array bounds of 'const struct mbus_dram_window[0]' [-Warray-bounds=] + 90 | if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + | ~~^~~~~~ + +Cc: Liam Girdwood +Cc: Mark Brown +Cc: Jaroslav Kysela +Cc: Takashi Iwai +Cc: alsa-devel@alsa-project.org +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20230127224128.never.410-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/kirkwood/kirkwood-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/kirkwood/kirkwood-dma.c b/sound/soc/kirkwood/kirkwood-dma.c +index 35ca8e8bb5e52..9736fb36082fb 100644 +--- a/sound/soc/kirkwood/kirkwood-dma.c ++++ b/sound/soc/kirkwood/kirkwood-dma.c +@@ -90,7 +90,7 @@ kirkwood_dma_conf_mbus_windows(void __iomem *base, int win, + + /* try to find matching cs for current dma address */ + for (i = 0; i < dram->num_cs; i++) { +- const struct mbus_dram_window *cs = dram->cs + i; ++ const struct mbus_dram_window *cs = &dram->cs[i]; + if ((cs->base & 0xffff0000) < (dma & 0xffff0000)) { + writel(cs->base & 0xffff0000, + base + KIRKWOOD_AUDIO_WIN_BASE_REG(win)); +-- +2.39.2 + diff --git a/queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch b/queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch new file mode 100644 index 00000000000..607635ca67d --- /dev/null +++ b/queue-4.14/asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch @@ -0,0 +1,41 @@ +From 98be4ccb7c9869d4c98a473c2452b4777b9f0d3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 23:17:20 +0000 +Subject: ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() + +From: Kuninori Morimoto + +[ Upstream commit ffe4c0f0bfaa571a676a0e946d4a6a0607f94294 ] + +commit d3268a40d4b19f ("ASoC: soc-compress.c: fix NULL dereference") +enables DPCM capture, but it should independent from playback. +This patch fixup it. + +Fixes: d3268a40d4b1 ("ASoC: soc-compress.c: fix NULL dereference") +Link: https://lore.kernel.org/r/87tu0i6j7j.wl-kuninori.morimoto.gx@renesas.com +Acked-by: Charles Keepax +Acked-by: Pierre-Louis Bossart +Signed-off-by: Kuninori Morimoto +Link: https://lore.kernel.org/r/871qnkvo1s.wl-kuninori.morimoto.gx@renesas.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/soc-compress.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/soc-compress.c b/sound/soc/soc-compress.c +index 2cb8d3b55fbc2..c00f21dbcf11d 100644 +--- a/sound/soc/soc-compress.c ++++ b/sound/soc/soc-compress.c +@@ -788,7 +788,7 @@ int snd_soc_new_compress(struct snd_soc_pcm_runtime *rtd, int num) + rtd->fe_compr = 1; + if (rtd->dai_link->dpcm_playback) + be_pcm->streams[SNDRV_PCM_STREAM_PLAYBACK].substream->private_data = rtd; +- else if (rtd->dai_link->dpcm_capture) ++ if (rtd->dai_link->dpcm_capture) + be_pcm->streams[SNDRV_PCM_STREAM_CAPTURE].substream->private_data = rtd; + memcpy(compr->ops, &soc_compr_dyn_ops, sizeof(soc_compr_dyn_ops)); + } else { +-- +2.39.2 + diff --git a/queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch b/queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch new file mode 100644 index 00000000000..2c09c2870e6 --- /dev/null +++ b/queue-4.14/block-bio-integrity-copy-flags-when-bio_integrity_pa.patch @@ -0,0 +1,44 @@ +From c91baa94f6e7ebdce395c1fa8fe40680f3727fd5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 15 Feb 2023 12:18:01 -0500 +Subject: block: bio-integrity: Copy flags when bio_integrity_payload is cloned + +From: Martin K. Petersen + +[ Upstream commit b6a4bdcda430e3ca43bbb9cb1d4d4d34ebe15c40 ] + +Make sure to copy the flags when a bio_integrity_payload is cloned. +Otherwise per-I/O properties such as IP checksum flag will not be +passed down to the HBA driver. Since the integrity buffer is owned by +the original bio, the BIP_BLOCK_INTEGRITY flag needs to be masked off +to avoid a double free in the completion path. + +Fixes: aae7df50190a ("block: Integrity checksum flag") +Fixes: b1f01388574c ("block: Relocate bio integrity flags") +Reported-by: Saurav Kashyap +Tested-by: Saurav Kashyap +Signed-off-by: Martin K. Petersen +Reviewed-by: Christoph Hellwig +Reviewed-by: Chaitanya Kulkarni +Link: https://lore.kernel.org/r/20230215171801.21062-1-martin.petersen@oracle.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/bio-integrity.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/block/bio-integrity.c b/block/bio-integrity.c +index 4cee9446ce588..d0cdfba3a4c4d 100644 +--- a/block/bio-integrity.c ++++ b/block/bio-integrity.c +@@ -462,6 +462,7 @@ int bio_integrity_clone(struct bio *bio, struct bio *bio_src, + + bip->bip_vcnt = bip_src->bip_vcnt; + bip->bip_iter = bip_src->bip_iter; ++ bip->bip_flags = bip_src->bip_flags & ~BIP_BLOCK_INTEGRITY; + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch b/queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch new file mode 100644 index 00000000000..1f2f0aa0905 --- /dev/null +++ b/queue-4.14/bluetooth-l2cap-fix-potential-user-after-free.patch @@ -0,0 +1,93 @@ +From e0e48012cd9b21e4f027f709b05d9796188dd153 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 1 Feb 2023 14:01:11 -0800 +Subject: Bluetooth: L2CAP: Fix potential user-after-free + +From: Luiz Augusto von Dentz + +[ Upstream commit df5703348813235874d851934e957c3723d71644 ] + +This fixes all instances of which requires to allocate a buffer calling +alloc_skb which may release the chan lock and reacquire later which +makes it possible that the chan is disconnected in the meantime. + +Fixes: a6a5568c03c4 ("Bluetooth: Lock the L2CAP channel when sending") +Reported-by: Alexander Coffin +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_core.c | 24 ------------------------ + net/bluetooth/l2cap_sock.c | 8 ++++++++ + 2 files changed, 8 insertions(+), 24 deletions(-) + +diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c +index a5a19be51aff0..9fdd2260961e6 100644 +--- a/net/bluetooth/l2cap_core.c ++++ b/net/bluetooth/l2cap_core.c +@@ -2517,14 +2517,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + return len; + } +@@ -2568,14 +2560,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + if (IS_ERR(skb)) + return PTR_ERR(skb); + +- /* Channel lock is released before requesting new skb and then +- * reacquired thus we need to recheck channel state. +- */ +- if (chan->state != BT_CONNECTED) { +- kfree_skb(skb); +- return -ENOTCONN; +- } +- + l2cap_do_send(chan, skb); + err = len; + break; +@@ -2596,14 +2580,6 @@ int l2cap_chan_send(struct l2cap_chan *chan, struct msghdr *msg, size_t len) + */ + err = l2cap_segment_sdu(chan, &seg_queue, msg, len); + +- /* The channel could have been closed while segmenting, +- * check that it is still connected. +- */ +- if (chan->state != BT_CONNECTED) { +- __skb_queue_purge(&seg_queue); +- err = -ENOTCONN; +- } +- + if (err) + break; + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 13d070e7738db..47a16f6e741b8 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1415,6 +1415,14 @@ static struct sk_buff *l2cap_sock_alloc_skb_cb(struct l2cap_chan *chan, + if (!skb) + return ERR_PTR(err); + ++ /* Channel lock is released before requesting new skb and then ++ * reacquired thus we need to recheck channel state. ++ */ ++ if (chan->state != BT_CONNECTED) { ++ kfree_skb(skb); ++ return ERR_PTR(-ENOTCONN); ++ } ++ + skb->priority = sk->sk_priority; + + bt_cb(skb)->l2cap.chan = chan; +-- +2.39.2 + diff --git a/queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch b/queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch new file mode 100644 index 00000000000..0af5b0d34c2 --- /dev/null +++ b/queue-4.14/can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch @@ -0,0 +1,49 @@ +From 4c2336f6cf6b9cbee5ad8fa0c5b3b4dad918abdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 20:04:48 +0100 +Subject: can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case + of a bus error + +From: Frank Jungclaus + +[ Upstream commit 118469f88180438ef43dee93d71f77c00e7b425d ] + +Move the supply for cf->data[3] (bit stream position of CAN error), in +case of a bus- or protocol-error, outside of the "switch (ecc & +SJA1000_ECC_MASK){}"-statement, because this bit stream position is +independent of the error type. + +Fixes: 96d8e90382dc ("can: Add driver for esd CAN-USB/2 device") +Signed-off-by: Frank Jungclaus +Link: https://lore.kernel.org/all/20230216190450.3901254-2-frank.jungclaus@esd.eu +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/usb/esd_usb2.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/can/usb/esd_usb2.c b/drivers/net/can/usb/esd_usb2.c +index fbe1173b2651f..b15154a6c53eb 100644 +--- a/drivers/net/can/usb/esd_usb2.c ++++ b/drivers/net/can/usb/esd_usb2.c +@@ -284,7 +284,6 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + cf->data[2] |= CAN_ERR_PROT_STUFF; + break; + default: +- cf->data[3] = ecc & SJA1000_ECC_SEG; + break; + } + +@@ -292,6 +291,9 @@ static void esd_usb2_rx_event(struct esd_usb2_net_priv *priv, + if (!(ecc & SJA1000_ECC_DIR)) + cf->data[2] |= CAN_ERR_PROT_TX; + ++ /* Bit stream position in CAN frame as the error was detected */ ++ cf->data[3] = ecc & SJA1000_ECC_SEG; ++ + if (priv->can.state == CAN_STATE_ERROR_WARNING || + priv->can.state == CAN_STATE_ERROR_PASSIVE) { + cf->data[1] = (txerr > rxerr) ? +-- +2.39.2 + diff --git a/queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch b/queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch new file mode 100644 index 00000000000..41452a265ae --- /dev/null +++ b/queue-4.14/cpufreq-davinci-fix-clk-use-after-free.patch @@ -0,0 +1,49 @@ +From 7c73bcbbcf5b318473d98e28b314863e94fda963 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 10:26:54 +0100 +Subject: cpufreq: davinci: Fix clk use after free +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +[ Upstream commit 5d8f384a9b4fc50f6a18405f1c08e5a87a77b5b3 ] + +The remove function first frees the clks and only then calls +cpufreq_unregister_driver(). If one of the cpufreq callbacks is called +just before cpufreq_unregister_driver() is run, the freed clks might be +used. + +Fixes: 6601b8030de3 ("davinci: add generic CPUFreq driver for DaVinci") +Signed-off-by: Uwe Kleine-König +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpufreq/davinci-cpufreq.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpufreq/davinci-cpufreq.c b/drivers/cpufreq/davinci-cpufreq.c +index d54a27c991218..3dacfc53a80da 100644 +--- a/drivers/cpufreq/davinci-cpufreq.c ++++ b/drivers/cpufreq/davinci-cpufreq.c +@@ -138,12 +138,14 @@ static int __init davinci_cpufreq_probe(struct platform_device *pdev) + + static int __exit davinci_cpufreq_remove(struct platform_device *pdev) + { ++ cpufreq_unregister_driver(&davinci_driver); ++ + clk_put(cpufreq.armclk); + + if (cpufreq.asyncclk) + clk_put(cpufreq.asyncclk); + +- return cpufreq_unregister_driver(&davinci_driver); ++ return 0; + } + + static struct platform_driver davinci_cpufreq_driver = { +-- +2.39.2 + diff --git a/queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch b/queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch new file mode 100644 index 00000000000..5ce63ee537d --- /dev/null +++ b/queue-4.14/crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch @@ -0,0 +1,91 @@ +From e5ee9dbca41f3d1164ac80b43af50799a17270e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Jan 2023 16:02:04 +0800 +Subject: crypto: rsa-pkcs1pad - Use akcipher_request_complete + +From: Herbert Xu + +[ Upstream commit 564cabc0ca0bdfa8f0fc1ae74b24d0a7554522c5 ] + +Use the akcipher_request_complete helper instead of calling the +completion function directly. In fact the previous code was buggy +in that EINPROGRESS was never passed back to the original caller. + +Fixes: 3d5b1ecdea6f ("crypto: rsa - RSA padding algorithm") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/rsa-pkcs1pad.c | 34 +++++++++++++++------------------- + 1 file changed, 15 insertions(+), 19 deletions(-) + +diff --git a/crypto/rsa-pkcs1pad.c b/crypto/rsa-pkcs1pad.c +index 3279b457c4ede..0c70fbcd293d9 100644 +--- a/crypto/rsa-pkcs1pad.c ++++ b/crypto/rsa-pkcs1pad.c +@@ -216,16 +216,14 @@ static void pkcs1pad_encrypt_sign_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_encrypt_sign_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, +- pkcs1pad_encrypt_sign_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_encrypt(struct akcipher_request *req) +@@ -336,15 +334,14 @@ static void pkcs1pad_decrypt_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; ++ ++ err = pkcs1pad_decrypt_complete(req, err); + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_decrypt_complete(req, err)); ++out: ++ akcipher_request_complete(req, err); + } + + static int pkcs1pad_decrypt(struct akcipher_request *req) +@@ -506,15 +503,14 @@ static void pkcs1pad_verify_complete_cb( + struct crypto_async_request *child_async_req, int err) + { + struct akcipher_request *req = child_async_req->data; +- struct crypto_async_request async_req; + + if (err == -EINPROGRESS) +- return; ++ goto out; + +- async_req.data = req->base.data; +- async_req.tfm = crypto_akcipher_tfm(crypto_akcipher_reqtfm(req)); +- async_req.flags = child_async_req->flags; +- req->base.complete(&async_req, pkcs1pad_verify_complete(req, err)); ++ err = pkcs1pad_verify_complete(req, err); ++ ++out: ++ akcipher_request_complete(req, err); + } + + /* +-- +2.39.2 + diff --git a/queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch b/queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch new file mode 100644 index 00000000000..769f2b32854 --- /dev/null +++ b/queue-4.14/crypto-seqiv-handle-ebusy-correctly.patch @@ -0,0 +1,40 @@ +From ebe646b91853044d3365eabf026958ccd1d39232 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Jan 2023 18:27:51 +0800 +Subject: crypto: seqiv - Handle EBUSY correctly + +From: Herbert Xu + +[ Upstream commit 32e62025e5e52fbe4812ef044759de7010b15dbc ] + +As it is seqiv only handles the special return value of EINPROGERSS, +which means that in all other cases it will free data related to the +request. + +However, as the caller of seqiv may specify MAY_BACKLOG, we also need +to expect EBUSY and treat it in the same way. Otherwise backlogged +requests will trigger a use-after-free. + +Fixes: 0a270321dbf9 ("[CRYPTO] seqiv: Add Sequence Number IV Generator") +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/seqiv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/crypto/seqiv.c b/crypto/seqiv.c +index 570b7d1aa0cac..ce9214097bc98 100644 +--- a/crypto/seqiv.c ++++ b/crypto/seqiv.c +@@ -30,7 +30,7 @@ static void seqiv_aead_encrypt_complete2(struct aead_request *req, int err) + struct aead_request *subreq = aead_request_ctx(req); + struct crypto_aead *geniv; + +- if (err == -EINPROGRESS) ++ if (err == -EINPROGRESS || err == -EBUSY) + return; + + if (err) +-- +2.39.2 + diff --git a/queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..696bb01969e --- /dev/null +++ b/queue-4.14/dm-cache-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,50 @@ +From a8b9efb0e05cff96bee46c9665f2b9e9a47e5722 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:31:08 -0500 +Subject: dm cache: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit 76227f6dc805e9e960128bcc6276647361e0827c ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-cache-target.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/md/dm-cache-target.c b/drivers/md/dm-cache-target.c +index 5458a06971670..590aff275acb8 100644 +--- a/drivers/md/dm-cache-target.c ++++ b/drivers/md/dm-cache-target.c +@@ -1952,6 +1952,7 @@ static void process_deferred_bios(struct work_struct *ws) + + else + commit_needed = process_bio(cache, bio) || commit_needed; ++ cond_resched(); + } + + if (commit_needed) +@@ -1974,6 +1975,7 @@ static void requeue_deferred_bios(struct cache *cache) + while ((bio = bio_list_pop(&bios))) { + bio->bi_status = BLK_STS_DM_REQUEUE; + bio_endio(bio); ++ cond_resched(); + } + } + +@@ -2014,6 +2016,8 @@ static void check_migrations(struct work_struct *ws) + r = mg_start(cache, op, NULL); + if (r) + break; ++ ++ cond_resched(); + } + } + +-- +2.39.2 + diff --git a/queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch b/queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch new file mode 100644 index 00000000000..3c15d381658 --- /dev/null +++ b/queue-4.14/dm-remove-flush_scheduled_work-during-local_exit.patch @@ -0,0 +1,43 @@ +From d9f3508d7786ed25d0ec93da42c4c5d73d420dd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 13:06:05 -0500 +Subject: dm: remove flush_scheduled_work() during local_exit() + +From: Mike Snitzer + +[ Upstream commit 0b22ff5360f5c4e11050b89206370fdf7dc0a226 ] + +Commit acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred +device removal") switched from using system workqueue to a single +workqueue local to DM. But it didn't eliminate the call to +flush_scheduled_work() that was introduced purely for the benefit of +deferred device removal with commit 2c140a246dc ("dm: allow remove to +be deferred"). + +Since DM core uses its own workqueue (and queue_work) there is no need +to call flush_scheduled_work() from local_exit(). local_exit()'s +destroy_workqueue(deferred_remove_workqueue) handles flushing work +started with queue_work(). + +Fixes: acfe0ad74d2e1 ("dm: allocate a special workqueue for deferred device removal") +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index 9e6689fd22730..e3facf14f6149 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -220,7 +220,6 @@ static int __init local_init(void) + + static void local_exit(void) + { +- flush_scheduled_work(); + destroy_workqueue(deferred_remove_workqueue); + + kmem_cache_destroy(_rq_cache); +-- +2.39.2 + diff --git a/queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch b/queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch new file mode 100644 index 00000000000..6dd62baef0d --- /dev/null +++ b/queue-4.14/dm-thin-add-cond_resched-to-various-workqueue-loops.patch @@ -0,0 +1,41 @@ +From b54e930245daf206460880fdb59a4f7f85810a9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 16 Feb 2023 15:29:44 -0500 +Subject: dm thin: add cond_resched() to various workqueue loops + +From: Mike Snitzer + +[ Upstream commit e4f80303c2353952e6e980b23914e4214487f2a6 ] + +Otherwise on resource constrained systems these workqueues may be too +greedy. + +Signed-off-by: Mike Snitzer +Signed-off-by: Sasha Levin +--- + drivers/md/dm-thin.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/md/dm-thin.c b/drivers/md/dm-thin.c +index 6c7fa790c8ae6..fcf1eaafec72d 100644 +--- a/drivers/md/dm-thin.c ++++ b/drivers/md/dm-thin.c +@@ -2233,6 +2233,7 @@ static void process_thin_deferred_bios(struct thin_c *tc) + throttle_work_update(&pool->throttle); + dm_pool_issue_prefetches(pool->pmd); + } ++ cond_resched(); + } + blk_finish_plug(&plug); + } +@@ -2316,6 +2317,7 @@ static void process_thin_deferred_cells(struct thin_c *tc) + else + pool->process_cell(tc, cell); + } ++ cond_resched(); + } while (!list_empty(&cells)); + } + +-- +2.39.2 + diff --git a/queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch b/queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch new file mode 100644 index 00000000000..2f81fc6e3ec --- /dev/null +++ b/queue-4.14/docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch @@ -0,0 +1,46 @@ +From 318fc5db6830700c8f2c2cc64f734e2e063ee839 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 00:23:20 +0100 +Subject: docs/scripts/gdb: add necessary make scripts_gdb step + +From: Jakob Koschel + +[ Upstream commit 6b219431037bf98c9efd49716aea9b68440477a3 ] + +In order to debug the kernel successfully with gdb you need to run +'make scripts_gdb' nowadays. + +This was changed with the following commit: + +Commit 67274c083438340ad16c ("scripts/gdb: delay generation of gdb +constants.py") + +In order to have a complete guide for beginners this remark +should be added to the offial documentation. + +Signed-off-by: Jakob Koschel +Link: https://lore.kernel.org/r/20230112-documentation-gdb-v2-1-292785c43dc9@gmail.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Sasha Levin +--- + Documentation/dev-tools/gdb-kernel-debugging.rst | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/Documentation/dev-tools/gdb-kernel-debugging.rst b/Documentation/dev-tools/gdb-kernel-debugging.rst +index 19df79286f000..afe4bc206486c 100644 +--- a/Documentation/dev-tools/gdb-kernel-debugging.rst ++++ b/Documentation/dev-tools/gdb-kernel-debugging.rst +@@ -39,6 +39,10 @@ Setup + this mode. In this case, you should build the kernel with + CONFIG_RANDOMIZE_BASE disabled if the architecture supports KASLR. + ++- Build the gdb scripts (required on kernels v5.1 and above):: ++ ++ make scripts_gdb ++ + - Enable the gdb stub of QEMU/KVM, either + + - at VM startup time by appending "-s" to the QEMU command line +-- +2.39.2 + diff --git a/queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch b/queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch new file mode 100644 index 00000000000..03452ff739f --- /dev/null +++ b/queue-4.14/drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch @@ -0,0 +1,65 @@ +From 2cd47624e72c2a1e9907655e006f4e971e5d914a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 09:12:26 +0000 +Subject: drm/bridge: megachips: Fix error handling in i2c_register_driver() + +From: Yuan Can + +[ Upstream commit 4ecff954c370b82bce45bdca2846c5c5563e8a8a ] + +A problem about insmod megachips-stdpxxxx-ge-b850v3-fw.ko failed is +triggered with the following log given: + +[ 4497.981497] Error: Driver 'stdp4028-ge-b850v3-fw' is already registered, aborting... +insmod: ERROR: could not insert module megachips-stdpxxxx-ge-b850v3-fw.ko: Device or resource busy + +The reason is that stdpxxxx_ge_b850v3_init() returns i2c_add_driver() +directly without checking its return value, if i2c_add_driver() failed, +it returns without calling i2c_del_driver() on the previous i2c driver, +resulting the megachips-stdpxxxx-ge-b850v3-fw can never be installed +later. +A simple call graph is shown as below: + + stdpxxxx_ge_b850v3_init() + i2c_add_driver(&stdp4028_ge_b850v3_fw_driver) + i2c_add_driver(&stdp2690_ge_b850v3_fw_driver) + i2c_register_driver() + driver_register() + bus_add_driver() + priv = kzalloc(...) # OOM happened + # return without delete stdp4028_ge_b850v3_fw_driver + +Fix by calling i2c_del_driver() on stdp4028_ge_b850v3_fw_driver when +i2c_add_driver() returns error. + +Fixes: fcfa0ddc18ed ("drm/bridge: Drivers for megachips-stdpxxxx-ge-b850v3-fw (LVDS-DP++)") +Signed-off-by: Yuan Can +Reviewed-by: Andrzej Hajda +Tested-by: Ian Ray +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20221108091226.114524-1-yuancan@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +index 313c80f299722..89454d1d2d998 100644 +--- a/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c ++++ b/drivers/gpu/drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c +@@ -437,7 +437,11 @@ static int __init stdpxxxx_ge_b850v3_init(void) + if (ret) + return ret; + +- return i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ ret = i2c_add_driver(&stdp2690_ge_b850v3_fw_driver); ++ if (ret) ++ i2c_del_driver(&stdp4028_ge_b850v3_fw_driver); ++ ++ return ret; + } + module_init(stdpxxxx_ge_b850v3_init); + +-- +2.39.2 + diff --git a/queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch b/queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch new file mode 100644 index 00000000000..59729ea6b8f --- /dev/null +++ b/queue-4.14/drm-mediatek-drop-unbalanced-obj-unref.patch @@ -0,0 +1,37 @@ +From 000c91e488766e1a803a7ecbc10d6e83edd3d1db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Jan 2023 15:12:55 -0800 +Subject: drm/mediatek: Drop unbalanced obj unref + +From: Rob Clark + +[ Upstream commit 4deef811828e87e26a978d5d6433b261d4713849 ] + +In the error path, mtk_drm_gem_object_mmap() is dropping an obj +reference that it doesn't own. + +Fixes: 119f5173628a ("drm/mediatek: Add DRM Driver for Mediatek SoC MT8173.") +Signed-off-by: Rob Clark +Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20230119231255.2883365-1-robdclark@gmail.com/ +Signed-off-by: Chun-Kuang Hu +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mediatek/mtk_drm_gem.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/gpu/drm/mediatek/mtk_drm_gem.c b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +index f595ac816b555..1818980dafced 100644 +--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c ++++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c +@@ -148,8 +148,6 @@ static int mtk_drm_gem_object_mmap(struct drm_gem_object *obj, + + ret = dma_mmap_attrs(priv->dma_dev, vma, mtk_gem->cookie, + mtk_gem->dma_addr, obj->size, mtk_gem->dma_attrs); +- if (ret) +- drm_gem_vm_close(vma); + + return ret; + } +-- +2.39.2 + diff --git a/queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch b/queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch new file mode 100644 index 00000000000..9a091b7c49f --- /dev/null +++ b/queue-4.14/drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch @@ -0,0 +1,117 @@ +From 9eae599673b998373b3f9813a5d881f1bde365d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Jan 2023 17:49:07 -0500 +Subject: drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness + +From: Daniel Mentz + +[ Upstream commit c9d27c6be518b4ef2966d9564654ef99292ea1b3 ] + +The MIPI DCS specification demands that brightness values are sent in +big endian byte order. It also states that one parameter (i.e. one byte) +shall be sent/received for 8 bit wide values, and two parameters shall +be used for values that are between 9 and 16 bits wide. + +Add new functions to properly handle 16-bit brightness in big endian, +since the two 8- and 16-bit cases are distinct from each other. + +[richard: use separate functions instead of switch/case] +[richard: split into 16-bit component] + +Fixes: 1a9d759331b8 ("drm/dsi: Implement DCS set/get display brightness") +Signed-off-by: Daniel Mentz +Link: https://android.googlesource.com/kernel/msm/+/754affd62d0ee268c686c53169b1dbb7deac8550 +[richard: fix 16-bit brightness_get] +Signed-off-by: Richard Acayan +Tested-by: Caleb Connolly +Reviewed-by: Neil Armstrong +Reviewed-by: Sam Ravnborg +Signed-off-by: Neil Armstrong +Link: https://patchwork.freedesktop.org/patch/msgid/20230116224909.23884-2-mailingradian@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/drm_mipi_dsi.c | 52 ++++++++++++++++++++++++++++++++++ + include/drm/drm_mipi_dsi.h | 4 +++ + 2 files changed, 56 insertions(+) + +diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c +index bd5e8661f826a..6995bee5ad0fb 100644 +--- a/drivers/gpu/drm/drm_mipi_dsi.c ++++ b/drivers/gpu/drm/drm_mipi_dsi.c +@@ -1091,6 +1091,58 @@ int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + } + EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness); + ++/** ++ * mipi_dsi_dcs_set_display_brightness_large() - sets the 16-bit brightness value ++ * of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness) ++{ ++ u8 payload[2] = { brightness >> 8, brightness & 0xff }; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_write(dsi, MIPI_DCS_SET_DISPLAY_BRIGHTNESS, ++ payload, sizeof(payload)); ++ if (err < 0) ++ return err; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_set_display_brightness_large); ++ ++/** ++ * mipi_dsi_dcs_get_display_brightness_large() - gets the current 16-bit ++ * brightness value of the display ++ * @dsi: DSI peripheral device ++ * @brightness: brightness value ++ * ++ * Return: 0 on success or a negative error code on failure. ++ */ ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness) ++{ ++ u8 brightness_be[2]; ++ ssize_t err; ++ ++ err = mipi_dsi_dcs_read(dsi, MIPI_DCS_GET_DISPLAY_BRIGHTNESS, ++ brightness_be, sizeof(brightness_be)); ++ if (err <= 0) { ++ if (err == 0) ++ err = -ENODATA; ++ ++ return err; ++ } ++ ++ *brightness = (brightness_be[0] << 8) | brightness_be[1]; ++ ++ return 0; ++} ++EXPORT_SYMBOL(mipi_dsi_dcs_get_display_brightness_large); ++ + static int mipi_dsi_drv_probe(struct device *dev) + { + struct mipi_dsi_driver *drv = to_mipi_dsi_driver(dev->driver); +diff --git a/include/drm/drm_mipi_dsi.h b/include/drm/drm_mipi_dsi.h +index 4fef19064b0f1..689f615471ab1 100644 +--- a/include/drm/drm_mipi_dsi.h ++++ b/include/drm/drm_mipi_dsi.h +@@ -274,6 +274,10 @@ int mipi_dsi_dcs_set_display_brightness(struct mipi_dsi_device *dsi, + u16 brightness); + int mipi_dsi_dcs_get_display_brightness(struct mipi_dsi_device *dsi, + u16 *brightness); ++int mipi_dsi_dcs_set_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 brightness); ++int mipi_dsi_dcs_get_display_brightness_large(struct mipi_dsi_device *dsi, ++ u16 *brightness); + + /** + * struct mipi_dsi_driver - DSI driver +-- +2.39.2 + diff --git a/queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch b/queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch new file mode 100644 index 00000000000..fadeb0d844f --- /dev/null +++ b/queue-4.14/drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch @@ -0,0 +1,39 @@ +From 006ddce03ca3da7b6b7ef4a9eeb5dbbc9552a3e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Jan 2023 10:16:51 +0800 +Subject: drm/msm/dsi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit 115906ca7b535afb1fe7b5406c566ccd3873f82b ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference. + +Signed-off-by: Jiasheng Jiang +Reviewed-by: Abhinav Kumar +Patchwork: https://patchwork.freedesktop.org/patch/517646/ +Link: https://lore.kernel.org/r/20230110021651.12770-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi_host.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi_host.c b/drivers/gpu/drm/msm/dsi/dsi_host.c +index c9c8d21905159..43a3a48a15df5 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi_host.c ++++ b/drivers/gpu/drm/msm/dsi/dsi_host.c +@@ -1769,6 +1769,9 @@ int msm_dsi_host_init(struct msm_dsi *msm_dsi) + + /* setup workqueue */ + msm_host->workqueue = alloc_ordered_workqueue("dsi_drm_work", 0); ++ if (!msm_host->workqueue) ++ return -ENOMEM; ++ + INIT_WORK(&msm_host->err_work, dsi_err_worker); + INIT_WORK(&msm_host->hpd_work, dsi_hpd_worker); + +-- +2.39.2 + diff --git a/queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch b/queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch new file mode 100644 index 00000000000..c79c6390035 --- /dev/null +++ b/queue-4.14/drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch @@ -0,0 +1,42 @@ +From 11bed4905f9eb33b75ae7ddc2e46cfb33aec595a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 10:30:11 +0800 +Subject: drm/msm/hdmi: Add missing check for alloc_ordered_workqueue + +From: Jiasheng Jiang + +[ Upstream commit afe4cb96153a0d8003e4e4ebd91b5c543e10df84 ] + +Add check for the return value of alloc_ordered_workqueue as it may return +NULL pointer and cause NULL pointer dereference in `hdmi_hdcp.c` and +`hdmi_hpd.c`. + +Fixes: c6a57a50ad56 ("drm/msm/hdmi: add hdmi hdcp support (V3)") +Signed-off-by: Jiasheng Jiang +Reviewed-by: Dmitry Baryshkov +Patchwork: https://patchwork.freedesktop.org/patch/517211/ +Link: https://lore.kernel.org/r/20230106023011.3985-1-jiasheng@iscas.ac.cn +Signed-off-by: Dmitry Baryshkov +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/hdmi/hdmi.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c +index c55e1920bfde7..4c02c057fc0d0 100644 +--- a/drivers/gpu/drm/msm/hdmi/hdmi.c ++++ b/drivers/gpu/drm/msm/hdmi/hdmi.c +@@ -246,6 +246,10 @@ static struct hdmi *msm_hdmi_init(struct platform_device *pdev) + pm_runtime_enable(&pdev->dev); + + hdmi->workq = alloc_ordered_workqueue("msm_hdmi", 0); ++ if (!hdmi->workq) { ++ ret = -ENOMEM; ++ goto fail; ++ } + + hdmi->i2c = msm_hdmi_i2c_init(hdmi); + if (IS_ERR(hdmi->i2c)) { +-- +2.39.2 + diff --git a/queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch b/queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch new file mode 100644 index 00000000000..d24ceb9c127 --- /dev/null +++ b/queue-4.14/drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch @@ -0,0 +1,39 @@ +From 4a3a70ca245b082844242f28441f6cb229f21c58 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 16:59:55 +0100 +Subject: drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC + +From: Geert Uytterhoeven + +[ Upstream commit 7783cc67862f9166c901bfa0f80b717aa8d354dd ] + +Freescale/NXP i.MX LCDIF and eLCDIF LCD controllers are only present on +Freescale/NXP i.MX SoCs. Hence add a dependency on ARCH_MXS || +ARCH_MXC, to prevent asking the user about this driver when configuring +a kernel without Freescale/NXP i.MX support. + +Fixes: 45d59d704080cc0c ("drm: Add new driver for MXSFB controller") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: Marek Vasut +Signed-off-by: Marek Vasut +Link: https://patchwork.freedesktop.org/patch/msgid/98e74779ca2bc575d91afff03369e86b080c01ac.1669046358.git.geert+renesas@glider.be +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/mxsfb/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/mxsfb/Kconfig b/drivers/gpu/drm/mxsfb/Kconfig +index 3ed6849d63cba..1a2805c7a0eb7 100644 +--- a/drivers/gpu/drm/mxsfb/Kconfig ++++ b/drivers/gpu/drm/mxsfb/Kconfig +@@ -7,6 +7,7 @@ config DRM_MXSFB + tristate "i.MX23/i.MX28/i.MX6SX MXSFB LCD controller" + depends on DRM && OF + depends on COMMON_CLK ++ depends on ARCH_MXS || ARCH_MXC || COMPILE_TEST + select DRM_MXS + select DRM_KMS_HELPER + select DRM_KMS_CMA_HELPER +-- +2.39.2 + diff --git a/queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch b/queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch new file mode 100644 index 00000000000..2bb8e27d026 --- /dev/null +++ b/queue-4.14/drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch @@ -0,0 +1,60 @@ +From f8385b2775765cc962671870e13b6c217a404d51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 17:47:29 +0800 +Subject: drm/radeon: free iio for atombios when driver shutdown + +From: Liwei Song + +[ Upstream commit 4773fadedca918faec443daaca5e4ea1c0ced144 ] + +Fix below kmemleak when unload radeon driver: + +unreferenced object 0xffff9f8608ede200 (size 512): + comm "systemd-udevd", pid 326, jiffies 4294682822 (age 716.338s) + hex dump (first 32 bytes): + 00 00 00 00 c4 aa ec aa 14 ab 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000062fadebe>] kmem_cache_alloc_trace+0x2f1/0x500 + [<00000000b6883cea>] atom_parse+0x117/0x230 [radeon] + [<00000000158c23fd>] radeon_atombios_init+0xab/0x170 [radeon] + [<00000000683f672e>] si_init+0x57/0x750 [radeon] + [<00000000566cc31f>] radeon_device_init+0x559/0x9c0 [radeon] + [<0000000046efabb3>] radeon_driver_load_kms+0xc1/0x1a0 [radeon] + [<00000000b5155064>] drm_dev_register+0xdd/0x1d0 + [<0000000045fec835>] radeon_pci_probe+0xbd/0x100 [radeon] + [<00000000e69ecca3>] pci_device_probe+0xe1/0x160 + [<0000000019484b76>] really_probe.part.0+0xc1/0x2c0 + [<000000003f2649da>] __driver_probe_device+0x96/0x130 + [<00000000231c5bb1>] driver_probe_device+0x24/0xf0 + [<0000000000a42377>] __driver_attach+0x77/0x190 + [<00000000d7574da6>] bus_for_each_dev+0x7f/0xd0 + [<00000000633166d2>] driver_attach+0x1e/0x30 + [<00000000313b05b8>] bus_add_driver+0x12c/0x1e0 + +iio was allocated in atom_index_iio() called by atom_parse(), +but it doesn't got released when the dirver is shutdown. +Fix this kmemleak by free it in radeon_atombios_fini(). + +Signed-off-by: Liwei Song +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 906547b229a9a..e0fe21e7378b6 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -1045,6 +1045,7 @@ void radeon_atombios_fini(struct radeon_device *rdev) + { + if (rdev->mode_info.atom_context) { + kfree(rdev->mode_info.atom_context->scratch); ++ kfree(rdev->mode_info.atom_context->iio); + } + kfree(rdev->mode_info.atom_context); + rdev->mode_info.atom_context = NULL; +-- +2.39.2 + diff --git a/queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch b/queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch new file mode 100644 index 00000000000..ec04b4ef128 --- /dev/null +++ b/queue-4.14/genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch @@ -0,0 +1,44 @@ +From d745c4631fcf1cbaf3953668fb930e6078c48c83 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 17:25:03 +0800 +Subject: genirq: Fix the return type of kstat_cpu_irqs_sum() + +From: Zhen Lei + +[ Upstream commit 47904aed898a08f028572b9b5a5cc101ddfb2d82 ] + +The type of member ->irqs_sum is unsigned long, but kstat_cpu_irqs_sum() +returns int, which can result in truncation. Therefore, change the +kstat_cpu_irqs_sum() function's return value to unsigned long to avoid +truncation. + +Fixes: f2c66cd8eedd ("/proc/stat: scalability of irq num per cpu") +Reported-by: Elliott, Robert (Servers) +Signed-off-by: Zhen Lei +Cc: Tejun Heo +Cc: "Peter Zijlstra (Intel)" +Cc: Josh Don +Cc: Andrew Morton +Reviewed-by: Frederic Weisbecker +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + include/linux/kernel_stat.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/kernel_stat.h b/include/linux/kernel_stat.h +index 7ee2bb43b251a..f7f20cf1bd3b1 100644 +--- a/include/linux/kernel_stat.h ++++ b/include/linux/kernel_stat.h +@@ -73,7 +73,7 @@ extern unsigned int kstat_irqs_usr(unsigned int irq); + /* + * Number of interrupts per cpu, since bootup + */ +-static inline unsigned int kstat_cpu_irqs_sum(unsigned int cpu) ++static inline unsigned long kstat_cpu_irqs_sum(unsigned int cpu) + { + return kstat_cpu(cpu).irqs_sum; + } +-- +2.39.2 + diff --git a/queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch b/queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch new file mode 100644 index 00000000000..27e44ff8193 --- /dev/null +++ b/queue-4.14/gpio-vf610-connect-gpio-label-to-dev-name.patch @@ -0,0 +1,38 @@ +From 5e1f30de0fe7a0b7a1889f25f225b3ea3548756f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Dec 2022 17:02:47 +0800 +Subject: gpio: vf610: connect GPIO label to dev name + +From: Haibo Chen + +[ Upstream commit 6f8ecb7f85f441eb7d78ba2a4df45ee8a821934e ] + +Current GPIO label is fixed, so can't distinguish different GPIO +controllers through labels. Use dev name instead. + +Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid") +Signed-off-by: Clark Wang +Signed-off-by: Haibo Chen +Reviewed-by: Linus Walleij +Signed-off-by: Bartosz Golaszewski +Signed-off-by: Sasha Levin +--- + drivers/gpio/gpio-vf610.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/gpio/gpio-vf610.c b/drivers/gpio/gpio-vf610.c +index 91d6966c3d29b..457ee42023f41 100644 +--- a/drivers/gpio/gpio-vf610.c ++++ b/drivers/gpio/gpio-vf610.c +@@ -281,7 +281,7 @@ static int vf610_gpio_probe(struct platform_device *pdev) + gc = &port->gc; + gc->of_node = np; + gc->parent = dev; +- gc->label = "vf610-gpio"; ++ gc->label = dev_name(dev); + gc->ngpio = VF610_GPIO_PER_PORT; + gc->base = of_alias_get_id(np, "gpio") * VF610_GPIO_PER_PORT; + +-- +2.39.2 + diff --git a/queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch b/queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch new file mode 100644 index 00000000000..749b0fac39b --- /dev/null +++ b/queue-4.14/gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch @@ -0,0 +1,39 @@ +From 1548d0ff918b6f79a0f5dbc27e2150c8111eb3c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Jul 2022 23:22:27 +0800 +Subject: gpu: ipu-v3: common: Add of_node_put() for reference returned by + of_graph_get_port_by_id() + +From: Liang He + +[ Upstream commit 9afdf98cfdfa2ba8ec068cf08c5fcdc1ed8daf3f ] + +In ipu_add_client_devices(), we need to call of_node_put() for +reference returned by of_graph_get_port_by_id() in fail path. + +Fixes: 17e052175039 ("gpu: ipu-v3: Do not bail out on missing optional port nodes") +Signed-off-by: Liang He +Reviewed-by: Philipp Zabel +Link: https://lore.kernel.org/r/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Philipp Zabel +Link: https://patchwork.freedesktop.org/patch/msgid/20220720152227.1288413-1-windhl@126.com +Signed-off-by: Sasha Levin +--- + drivers/gpu/ipu-v3/ipu-common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/ipu-v3/ipu-common.c b/drivers/gpu/ipu-v3/ipu-common.c +index f3a57c0500f30..1a7ca888546f7 100644 +--- a/drivers/gpu/ipu-v3/ipu-common.c ++++ b/drivers/gpu/ipu-v3/ipu-common.c +@@ -1234,6 +1234,7 @@ static int ipu_add_client_devices(struct ipu_soc *ipu, unsigned long ipu_base) + pdev = platform_device_alloc(reg->name, id++); + if (!pdev) { + ret = -ENOMEM; ++ of_node_put(of_node); + goto err_register; + } + +-- +2.39.2 + diff --git a/queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch b/queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch new file mode 100644 index 00000000000..ba6c9af23ba --- /dev/null +++ b/queue-4.14/hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch @@ -0,0 +1,38 @@ +From c95720d2a551238cd6cf0ea0d8cf792a503237c4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 17:32:25 -0500 +Subject: hwmon: (ltc2945) Handle error case in ltc2945_value_store + +From: Jonathan Cormier + +[ Upstream commit 178b01eccfb0b8149682f61388400bd3d903dddc ] + +ltc2945_val_to_reg errors were not being handled +which would have resulted in register being set to +0 (clamped) instead of being left alone. + +Fixes: 6700ce035f83 ("hwmon: Driver for Linear Technologies LTC2945") + +Signed-off-by: Jonathan Cormier +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ltc2945.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/hwmon/ltc2945.c b/drivers/hwmon/ltc2945.c +index 1b92e4f6e2349..efabe514ec560 100644 +--- a/drivers/hwmon/ltc2945.c ++++ b/drivers/hwmon/ltc2945.c +@@ -257,6 +257,8 @@ static ssize_t ltc2945_set_value(struct device *dev, + + /* convert to register value, then clamp and write result */ + regval = ltc2945_val_to_reg(dev, reg, val); ++ if (regval < 0) ++ return regval; + if (is_power_reg(reg)) { + regval = clamp_val(regval, 0, 0xffffff); + regbuf[0] = regval >> 16; +-- +2.39.2 + diff --git a/queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch b/queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch new file mode 100644 index 00000000000..c4f4f9ecef6 --- /dev/null +++ b/queue-4.14/inet-fix-fast-path-in-__inet_hash_connect.patch @@ -0,0 +1,56 @@ +From bcfdfc986a9ba69eb7a4e1508a28115d397eab9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 14 Jan 2023 13:11:41 +0000 +Subject: inet: fix fast path in __inet_hash_connect() + +From: Pietro Borrello + +[ Upstream commit 21cbd90a6fab7123905386985e3e4a80236b8714 ] + +__inet_hash_connect() has a fast path taken if sk_head(&tb->owners) is +equal to the sk parameter. +sk_head() returns the hlist_entry() with respect to the sk_node field. +However entries in the tb->owners list are inserted with respect to the +sk_bind_node field with sk_add_bind_node(). +Thus the check would never pass and the fast path never execute. + +This fast path has never been executed or tested as this bug seems +to be present since commit 1da177e4c3f4 ("Linux-2.6.12-rc2"), thus +remove it to reduce code complexity. + +Signed-off-by: Pietro Borrello +Reviewed-by: Kuniyuki Iwashima +Reviewed-by: Eric Dumazet +Link: https://lore.kernel.org/r/20230112-inet_hash_connect_bind_head-v3-1-b591fd212b93@diag.uniroma1.it +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/inet_hashtables.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 590801a7487f7..c5092e2b5933e 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -616,17 +616,7 @@ int __inet_hash_connect(struct inet_timewait_death_row *death_row, + u32 index; + + if (port) { +- head = &hinfo->bhash[inet_bhashfn(net, port, +- hinfo->bhash_size)]; +- tb = inet_csk(sk)->icsk_bind_hash; +- spin_lock_bh(&head->lock); +- if (sk_head(&tb->owners) == sk && !sk->sk_bind_node.next) { +- inet_ehash_nolisten(sk, NULL, NULL); +- spin_unlock_bh(&head->lock); +- return 0; +- } +- spin_unlock(&head->lock); +- /* No definite answer... Walk to established hash table */ ++ local_bh_disable(); + ret = check_established(death_row, sk, port, NULL); + local_bh_enable(); + return ret; +-- +2.39.2 + diff --git a/queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch b/queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch new file mode 100644 index 00000000000..572149c0bd5 --- /dev/null +++ b/queue-4.14/input-ads7846-don-t-check-penirq-immediately-for-784.patch @@ -0,0 +1,46 @@ +From 42436ec5ea470f9fd48cebab22e1ed349d7f2d37 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:27 +0100 +Subject: Input: ads7846 - don't check penirq immediately for 7845 + +From: Luca Ellero + +[ Upstream commit fa9f4275b20ec7b2a8fb05c66362d10b36f9efec ] + +To discard false readings, one should use "ti,penirq-recheck-delay-usecs". +Checking get_pendown_state() at the beginning, most of the time fails +causing malfunctioning. + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-4-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 8 +------- + 1 file changed, 1 insertion(+), 7 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index 491cc7efecf9e..fe6c9e1870414 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -790,14 +790,8 @@ static void ads7846_report_state(struct ads7846 *ts) + if (x == MAX_12BIT) + x = 0; + +- if (ts->model == 7843) { ++ if (ts->model == 7843 || ts->model == 7845) { + Rt = ts->pressure_max / 2; +- } else if (ts->model == 7845) { +- if (get_pendown_state(ts)) +- Rt = ts->pressure_max / 2; +- else +- Rt = 0; +- dev_vdbg(&ts->spi->dev, "x/y: %d/%d, PD %d\n", x, y, Rt); + } else if (likely(x && z1)) { + /* compute touch pressure resistance using equation #2 */ + Rt = z2; +-- +2.39.2 + diff --git a/queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch b/queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch new file mode 100644 index 00000000000..7b253cca897 --- /dev/null +++ b/queue-4.14/input-ads7846-don-t-report-pressure-for-ads7845.patch @@ -0,0 +1,42 @@ +From 0c9638468e305e3e198166c01230c01b8204580a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 11:52:25 +0100 +Subject: Input: ads7846 - don't report pressure for ads7845 + +From: Luca Ellero + +[ Upstream commit d50584d783313c8b05b84d0b07a2142f1bde46dd ] + +ADS7845 doesn't support pressure. +Avoid the following error reported by libinput-list-devices: +"ADS7845 Touchscreen: kernel bug: device has min == max on ABS_PRESSURE". + +Fixes: ffa458c1bd9b ("spi: ads7846 driver") +Signed-off-by: Luca Ellero +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20230126105227.47648-2-l.ellero@asem.it +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/ads7846.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/input/touchscreen/ads7846.c b/drivers/input/touchscreen/ads7846.c +index b536768234b7c..491cc7efecf9e 100644 +--- a/drivers/input/touchscreen/ads7846.c ++++ b/drivers/input/touchscreen/ads7846.c +@@ -1374,8 +1374,9 @@ static int ads7846_probe(struct spi_device *spi) + pdata->y_min ? : 0, + pdata->y_max ? : MAX_12BIT, + 0, 0); +- input_set_abs_params(input_dev, ABS_PRESSURE, +- pdata->pressure_min, pdata->pressure_max, 0, 0); ++ if (ts->model != 7845) ++ input_set_abs_params(input_dev, ABS_PRESSURE, ++ pdata->pressure_min, pdata->pressure_max, 0, 0); + + ads7846_setup_spi_msg(ts, pdata); + +-- +2.39.2 + diff --git a/queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch b/queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch new file mode 100644 index 00000000000..7d627df8346 --- /dev/null +++ b/queue-4.14/irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch @@ -0,0 +1,37 @@ +From b537fa9a85aa207855ff6e3897f759dfdd994c0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:28:10 +0400 +Subject: irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains + +From: Miaoqian Lin + +[ Upstream commit 071d068b89e95d1b078aa6bbcb9d0961b77d6aa1 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: e6b78f2c3e14 ("irqchip: Add the Alpine MSIX interrupt controller") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102082811.3947760-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-alpine-msi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-alpine-msi.c b/drivers/irqchip/irq-alpine-msi.c +index ac431697ebe1c..5e03574e1c5fb 100644 +--- a/drivers/irqchip/irq-alpine-msi.c ++++ b/drivers/irqchip/irq-alpine-msi.c +@@ -199,6 +199,7 @@ static int alpine_msix_init_domains(struct alpine_msix_data *priv, + } + + gic_domain = irq_find_host(gic_node); ++ of_node_put(gic_node); + if (!gic_domain) { + pr_err("Failed to find the GIC domain\n"); + return -ENXIO; +-- +2.39.2 + diff --git a/queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch b/queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch new file mode 100644 index 00000000000..ad0bc690b6f --- /dev/null +++ b/queue-4.14/irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch @@ -0,0 +1,44 @@ +From 6ecbafa1a9d3b7e411ba0306d5bd15af76860947 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:09:34 -0800 +Subject: irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Florian Fainelli + +[ Upstream commit 13a157b38ca5b4f9eed81442b8821db293755961 ] + +When support for the interrupt controller was added with a5042de2688d, +we forgot to update the flags to be set to contain IRQ_LEVEL. While the +flow handler is correct, the output from /proc/interrupts does not show +such interrupts as being level triggered when they are, correct that. + +Fixes: a5042de2688d ("irqchip: bcm7120-l2: Add Broadcom BCM7120-style Level 2 interrupt controller") +Signed-off-by: Florian Fainelli +Reviewed-by: Philippe Mathieu-Daudé +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221216230934.2478345-3-f.fainelli@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-bcm7120-l2.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-bcm7120-l2.c b/drivers/irqchip/irq-bcm7120-l2.c +index 983640eba418e..80c52854d41b5 100644 +--- a/drivers/irqchip/irq-bcm7120-l2.c ++++ b/drivers/irqchip/irq-bcm7120-l2.c +@@ -271,7 +271,8 @@ static int __init bcm7120_l2_intc_probe(struct device_node *dn, + flags |= IRQ_GC_BE_IO; + + ret = irq_alloc_domain_generic_chips(data->domain, IRQS_PER_WORD, 1, +- dn->full_name, handle_level_irq, clr, 0, flags); ++ dn->full_name, handle_level_irq, clr, ++ IRQ_LEVEL, flags); + if (ret) { + pr_err("failed to allocate generic irq chip\n"); + goto out_free_domain; +-- +2.39.2 + diff --git a/queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch b/queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch new file mode 100644 index 00000000000..584f6456435 --- /dev/null +++ b/queue-4.14/irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch @@ -0,0 +1,37 @@ +From c7dab20b29428d6d9710e00be3ca6e3ef7b03b69 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 12:42:08 +0400 +Subject: irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe + +From: Miaoqian Lin + +[ Upstream commit 9419e700021a393f67be36abd0c4f3acc6139041 ] + +of_irq_find_parent() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: a68a63cb4dfc ("irqchip/irq-mvebu-gicp: Add new driver for Marvell GICP") +Signed-off-by: Miaoqian Lin +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20230102084208.3951758-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-mvebu-gicp.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/irqchip/irq-mvebu-gicp.c b/drivers/irqchip/irq-mvebu-gicp.c +index 17a4a7b6cdbb9..6d9761423cbd6 100644 +--- a/drivers/irqchip/irq-mvebu-gicp.c ++++ b/drivers/irqchip/irq-mvebu-gicp.c +@@ -239,6 +239,7 @@ static int mvebu_gicp_probe(struct platform_device *pdev) + } + + parent_domain = irq_find_host(irq_parent_dn); ++ of_node_put(irq_parent_dn); + if (!parent_domain) { + dev_err(&pdev->dev, "failed to find parent IRQ domain\n"); + return -ENODEV; +-- +2.39.2 + diff --git a/queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch b/queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch new file mode 100644 index 00000000000..c41e0820cbf --- /dev/null +++ b/queue-4.14/lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch @@ -0,0 +1,41 @@ +From 8e0790f9a43b8cf094cb16af94807d9c2d6f9ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 15:27:39 +0100 +Subject: lib/mpi: Fix buffer overrun when SG is too long + +From: Herbert Xu + +[ Upstream commit 7361d1bc307b926cbca214ab67b641123c2d6357 ] + +The helper mpi_read_raw_from_sgl sets the number of entries in +the SG list according to nbytes. However, if the last entry +in the SG list contains more data than nbytes, then it may overrun +the buffer because it only allocates enough memory for nbytes. + +Fixes: 2d4d1eea540b ("lib/mpi: Add mpi sgl helpers") +Reported-by: Roberto Sassu +Signed-off-by: Herbert Xu +Reviewed-by: Eric Biggers +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + lib/mpi/mpicoder.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/lib/mpi/mpicoder.c b/lib/mpi/mpicoder.c +index eead4b3394668..4f73db248009e 100644 +--- a/lib/mpi/mpicoder.c ++++ b/lib/mpi/mpicoder.c +@@ -397,7 +397,8 @@ MPI mpi_read_raw_from_sgl(struct scatterlist *sgl, unsigned int nbytes) + + while (sg_miter_next(&miter)) { + buff = miter.addr; +- len = miter.length; ++ len = min_t(unsigned, miter.length, nbytes); ++ nbytes -= len; + + for (x = 0; x < len; x++) { + a <<= 8; +-- +2.39.2 + diff --git a/queue-4.14/m68k-check-syscall_trace_enter-return-code.patch b/queue-4.14/m68k-check-syscall_trace_enter-return-code.patch new file mode 100644 index 00000000000..34eb176f05a --- /dev/null +++ b/queue-4.14/m68k-check-syscall_trace_enter-return-code.patch @@ -0,0 +1,72 @@ +From 128bc596be58b766c63b7a75887d7e5c75b645c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Jan 2023 16:55:27 +1300 +Subject: m68k: Check syscall_trace_enter() return code + +From: Michael Schmitz + +[ Upstream commit 2ca8a1de4437f21562e57f9ac123914747a8e7a1 ] + +Check return code of syscall_trace_enter(), and skip syscall +if -1. Return code will be left at what had been set by +ptrace or seccomp (in regs->d0). + +No regression seen in testing with strace on ARAnyM. + +Signed-off-by: Michael Schmitz +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230112035529.13521-2-schmitzmic@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/68000/entry.S | 2 ++ + arch/m68k/coldfire/entry.S | 2 ++ + arch/m68k/kernel/entry.S | 3 +++ + 3 files changed, 7 insertions(+) + +diff --git a/arch/m68k/68000/entry.S b/arch/m68k/68000/entry.S +index 259b3661b6141..94abf3d8afc52 100644 +--- a/arch/m68k/68000/entry.S ++++ b/arch/m68k/68000/entry.S +@@ -47,6 +47,8 @@ do_trace: + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %sp@(PT_OFF_ORIG_D0),%d1 + movel #-ENOSYS,%d0 + cmpl #NR_syscalls,%d1 +diff --git a/arch/m68k/coldfire/entry.S b/arch/m68k/coldfire/entry.S +index 52d312d5b4d4f..fb3b065677459 100644 +--- a/arch/m68k/coldfire/entry.S ++++ b/arch/m68k/coldfire/entry.S +@@ -92,6 +92,8 @@ ENTRY(system_call) + jbsr syscall_trace_enter + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 ++ jeq ret_from_exception + movel %d3,%a0 + jbsr %a0@ + movel %d0,%sp@(PT_OFF_D0) /* save the return value */ +diff --git a/arch/m68k/kernel/entry.S b/arch/m68k/kernel/entry.S +index 97cd3ea5f10b8..9a66657773beb 100644 +--- a/arch/m68k/kernel/entry.S ++++ b/arch/m68k/kernel/entry.S +@@ -160,9 +160,12 @@ do_trace_entry: + jbsr syscall_trace + RESTORE_SWITCH_STACK + addql #4,%sp ++ addql #1,%d0 | optimization for cmpil #-1,%d0 ++ jeq ret_from_syscall + movel %sp@(PT_OFF_ORIG_D0),%d0 + cmpl #NR_syscalls,%d0 + jcs syscall ++ jra ret_from_syscall + badsys: + movel #-ENOSYS,%sp@(PT_OFF_D0) + jra ret_from_syscall +-- +2.39.2 + diff --git a/queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch b/queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch new file mode 100644 index 00000000000..b99c919d7cc --- /dev/null +++ b/queue-4.14/m68k-proc-hardware-should-depend-on-proc_fs.patch @@ -0,0 +1,42 @@ +From b2917788d2f9e617f1b28d0472509142ad7b77a0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 8 Feb 2023 17:08:25 -0800 +Subject: m68k: /proc/hardware should depend on PROC_FS + +From: Randy Dunlap + +[ Upstream commit 1e5b5df65af99013b4d31607ddb3ca5731dbe44d ] + +When CONFIG_PROC_FS is not set, there is a build error for an unused +function. Make PROC_HARDWARE depend on PROC_FS to prevent this error. + +In file included from ../arch/m68k/kernel/setup.c:3: +../arch/m68k/kernel/setup_mm.c:477:12: error: 'hardware_proc_show' defined but not used [-Werror=unused-function] + 477 | static int hardware_proc_show(struct seq_file *m, void *v) + | ^~~~~~~~~~~~~~~~~~ + +Fixes: 66d857b08b8c ("m68k: merge m68k and m68knommu arch directories") # v3.0 +Signed-off-by: Randy Dunlap +Reviewed-by: Geert Uytterhoeven +Link: https://lore.kernel.org/r/20230209010825.24136-1-rdunlap@infradead.org +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.devices | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/Kconfig.devices b/arch/m68k/Kconfig.devices +index 3e9b0b826f8a1..6fb693bb0771c 100644 +--- a/arch/m68k/Kconfig.devices ++++ b/arch/m68k/Kconfig.devices +@@ -19,6 +19,7 @@ config HEARTBEAT + # We have a dedicated heartbeat LED. :-) + config PROC_HARDWARE + bool "/proc/hardware support" ++ depends on PROC_FS + help + Say Y here to support the /proc/hardware file, which gives you + access to information about the machine you're running on, +-- +2.39.2 + diff --git a/queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch b/queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch new file mode 100644 index 00000000000..0a6730c4624 --- /dev/null +++ b/queue-4.14/media-platform-ti-add-missing-check-for-devm_regulat.patch @@ -0,0 +1,45 @@ +From 054eef7271fd289a35e615b432a092a9b41437ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 09:55:37 +0100 +Subject: media: platform: ti: Add missing check for devm_regulator_get + +From: Jiasheng Jiang + +[ Upstream commit da8e05f84a11c3cc3b0ba0a3c62d20e358002d99 ] + +Add check for the return value of devm_regulator_get since it may return +error pointer. + +Fixes: 448de7e7850b ("[media] omap3isp: OMAP3 ISP core") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/omap3isp/isp.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/media/platform/omap3isp/isp.c b/drivers/media/platform/omap3isp/isp.c +index c46402f3e88c1..0df930c80916a 100644 +--- a/drivers/media/platform/omap3isp/isp.c ++++ b/drivers/media/platform/omap3isp/isp.c +@@ -2286,7 +2286,16 @@ static int isp_probe(struct platform_device *pdev) + + /* Regulators */ + isp->isp_csiphy1.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy1"); ++ if (IS_ERR(isp->isp_csiphy1.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy1.vdd); ++ goto error; ++ } ++ + isp->isp_csiphy2.vdd = devm_regulator_get(&pdev->dev, "vdd-csiphy2"); ++ if (IS_ERR(isp->isp_csiphy2.vdd)) { ++ ret = PTR_ERR(isp->isp_csiphy2.vdd); ++ goto error; ++ } + + /* Clocks + * +-- +2.39.2 + diff --git a/queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch b/queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch new file mode 100644 index 00000000000..7324fa9877d --- /dev/null +++ b/queue-4.14/media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch @@ -0,0 +1,83 @@ +From 6e189a03fb645167aea2ca6e6c9a78908acae1a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Jan 2023 08:55:33 +0100 +Subject: media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() + +From: Duoming Zhou + +[ Upstream commit 29b0589a865b6f66d141d79b2dd1373e4e50fe17 ] + +When the ene device is detaching, function ene_remove() will +be called. But there is no function to cancel tx_sim_timer +in ene_remove(), the timer handler ene_tx_irqsim() could race +with ene_remove(). As a result, the UAF bugs could happen, +the process is shown below. + + (cleanup routine) | (timer routine) + | mod_timer(&dev->tx_sim_timer, ..) +ene_remove() | (wait a time) + | ene_tx_irqsim() + | dev->hw_lock //USE + | ene_tx_sample(dev) //USE + +Fix by adding del_timer_sync(&dev->tx_sim_timer) in ene_remove(), +The tx_sim_timer could stop before ene device is deallocated. + +What's more, The rc_unregister_device() and del_timer_sync() +should be called first in ene_remove() and the deallocated +functions such as free_irq(), release_region() and so on +should be called behind them. Because the rc_unregister_device() +is well synchronized. Otherwise, race conditions may happen. The +situations that may lead to race conditions are shown below. + +Firstly, the rx receiver is disabled with ene_rx_disable() +before rc_unregister_device() in ene_remove(), which means it +can be enabled again if a process opens /dev/lirc0 between +ene_rx_disable() and rc_unregister_device(). + +Secondly, the irqaction descriptor is freed by free_irq() +before the rc device is unregistered, which means irqaction +descriptor may be accessed again after it is deallocated. + +Thirdly, the timer can call ene_tx_sample() that can write +to the io ports, which means the io ports could be accessed +again after they are deallocated by release_region(). + +Therefore, the rc_unregister_device() and del_timer_sync() +should be called first in ene_remove(). + +Suggested by: Sean Young + +Fixes: 9ea53b74df9c ("V4L/DVB: STAGING: remove lirc_ene0100 driver") +Signed-off-by: Duoming Zhou +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/ene_ir.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/rc/ene_ir.c b/drivers/media/rc/ene_ir.c +index af7ba23e16e12..4761b2a72d8eb 100644 +--- a/drivers/media/rc/ene_ir.c ++++ b/drivers/media/rc/ene_ir.c +@@ -1117,6 +1117,8 @@ static void ene_remove(struct pnp_dev *pnp_dev) + struct ene_device *dev = pnp_get_drvdata(pnp_dev); + unsigned long flags; + ++ rc_unregister_device(dev->rdev); ++ del_timer_sync(&dev->tx_sim_timer); + spin_lock_irqsave(&dev->hw_lock, flags); + ene_rx_disable(dev); + ene_rx_restore_hw_buffer(dev); +@@ -1124,7 +1126,6 @@ static void ene_remove(struct pnp_dev *pnp_dev) + + free_irq(dev->irq, dev); + release_region(dev->hw_io, ENE_IO_SIZE); +- rc_unregister_device(dev->rdev); + kfree(dev); + } + +-- +2.39.2 + diff --git a/queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch b/queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch new file mode 100644 index 00000000000..05c460f1a06 --- /dev/null +++ b/queue-4.14/media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch @@ -0,0 +1,233 @@ +From 341bf58e41ea7081a6aa1eea75d4f68da904e5d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Jan 2023 03:04:38 +0100 +Subject: media: usb: siano: Fix use after free bugs caused by do_submit_urb + +From: Duoming Zhou + +[ Upstream commit ebad8e731c1c06adf04621d6fd327b860c0861b5 ] + +There are UAF bugs caused by do_submit_urb(). One of the KASan reports +is shown below: + +[ 36.403605] BUG: KASAN: use-after-free in worker_thread+0x4a2/0x890 +[ 36.406105] Read of size 8 at addr ffff8880059600e8 by task kworker/0:2/49 +[ 36.408316] +[ 36.408867] CPU: 0 PID: 49 Comm: kworker/0:2 Not tainted 6.2.0-rc3-15798-g5a41237ad1d4-dir8 +[ 36.411696] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.416157] Workqueue: 0x0 (events) +[ 36.417654] Call Trace: +[ 36.418546] +[ 36.419320] dump_stack_lvl+0x96/0xd0 +[ 36.420522] print_address_description+0x75/0x350 +[ 36.421992] print_report+0x11b/0x250 +[ 36.423174] ? _raw_spin_lock_irqsave+0x87/0xd0 +[ 36.424806] ? __virt_addr_valid+0xcf/0x170 +[ 36.426069] ? worker_thread+0x4a2/0x890 +[ 36.427355] kasan_report+0x131/0x160 +[ 36.428556] ? worker_thread+0x4a2/0x890 +[ 36.430053] worker_thread+0x4a2/0x890 +[ 36.431297] ? worker_clr_flags+0x90/0x90 +[ 36.432479] kthread+0x166/0x190 +[ 36.433493] ? kthread_blkcg+0x50/0x50 +[ 36.434669] ret_from_fork+0x22/0x30 +[ 36.435923] +[ 36.436684] +[ 36.437215] Allocated by task 24: +[ 36.438289] kasan_set_track+0x50/0x80 +[ 36.439436] __kasan_kmalloc+0x89/0xa0 +[ 36.440566] smsusb_probe+0x374/0xc90 +[ 36.441920] usb_probe_interface+0x2d1/0x4c0 +[ 36.443253] really_probe+0x1d5/0x580 +[ 36.444539] __driver_probe_device+0xe3/0x130 +[ 36.446085] driver_probe_device+0x49/0x220 +[ 36.447423] __device_attach_driver+0x19e/0x1b0 +[ 36.448931] bus_for_each_drv+0xcb/0x110 +[ 36.450217] __device_attach+0x132/0x1f0 +[ 36.451470] bus_probe_device+0x59/0xf0 +[ 36.452563] device_add+0x4ec/0x7b0 +[ 36.453830] usb_set_configuration+0xc63/0xe10 +[ 36.455230] usb_generic_driver_probe+0x3b/0x80 +[ 36.456166] printk: console [ttyGS0] disabled +[ 36.456569] usb_probe_device+0x90/0x110 +[ 36.459523] really_probe+0x1d5/0x580 +[ 36.461027] __driver_probe_device+0xe3/0x130 +[ 36.462465] driver_probe_device+0x49/0x220 +[ 36.463847] __device_attach_driver+0x19e/0x1b0 +[ 36.465229] bus_for_each_drv+0xcb/0x110 +[ 36.466466] __device_attach+0x132/0x1f0 +[ 36.467799] bus_probe_device+0x59/0xf0 +[ 36.469010] device_add+0x4ec/0x7b0 +[ 36.470125] usb_new_device+0x863/0xa00 +[ 36.471374] hub_event+0x18c7/0x2220 +[ 36.472746] process_one_work+0x34c/0x5b0 +[ 36.474041] worker_thread+0x4b7/0x890 +[ 36.475216] kthread+0x166/0x190 +[ 36.476267] ret_from_fork+0x22/0x30 +[ 36.477447] +[ 36.478160] Freed by task 24: +[ 36.479239] kasan_set_track+0x50/0x80 +[ 36.480512] kasan_save_free_info+0x2b/0x40 +[ 36.481808] ____kasan_slab_free+0x122/0x1a0 +[ 36.483173] __kmem_cache_free+0xc4/0x200 +[ 36.484563] smsusb_term_device+0xcd/0xf0 +[ 36.485896] smsusb_probe+0xc85/0xc90 +[ 36.486976] usb_probe_interface+0x2d1/0x4c0 +[ 36.488303] really_probe+0x1d5/0x580 +[ 36.489498] __driver_probe_device+0xe3/0x130 +[ 36.491140] driver_probe_device+0x49/0x220 +[ 36.492475] __device_attach_driver+0x19e/0x1b0 +[ 36.493988] bus_for_each_drv+0xcb/0x110 +[ 36.495171] __device_attach+0x132/0x1f0 +[ 36.496617] bus_probe_device+0x59/0xf0 +[ 36.497875] device_add+0x4ec/0x7b0 +[ 36.498972] usb_set_configuration+0xc63/0xe10 +[ 36.500264] usb_generic_driver_probe+0x3b/0x80 +[ 36.501740] usb_probe_device+0x90/0x110 +[ 36.503084] really_probe+0x1d5/0x580 +[ 36.504241] __driver_probe_device+0xe3/0x130 +[ 36.505548] driver_probe_device+0x49/0x220 +[ 36.506766] __device_attach_driver+0x19e/0x1b0 +[ 36.508368] bus_for_each_drv+0xcb/0x110 +[ 36.509646] __device_attach+0x132/0x1f0 +[ 36.510911] bus_probe_device+0x59/0xf0 +[ 36.512103] device_add+0x4ec/0x7b0 +[ 36.513215] usb_new_device+0x863/0xa00 +[ 36.514736] hub_event+0x18c7/0x2220 +[ 36.516130] process_one_work+0x34c/0x5b0 +[ 36.517396] worker_thread+0x4b7/0x890 +[ 36.518591] kthread+0x166/0x190 +[ 36.519599] ret_from_fork+0x22/0x30 +[ 36.520851] +[ 36.521405] Last potentially related work creation: +[ 36.523143] kasan_save_stack+0x3f/0x60 +[ 36.524275] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.525831] insert_work+0x25/0x130 +[ 36.527039] __queue_work+0x4d4/0x620 +[ 36.528236] queue_work_on+0x72/0xb0 +[ 36.529344] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.530819] dummy_timer+0x350/0x1a40 +[ 36.532149] call_timer_fn+0x2c/0x190 +[ 36.533567] expire_timers+0x69/0x1f0 +[ 36.534736] __run_timers+0x289/0x2d0 +[ 36.535841] run_timer_softirq+0x2d/0x60 +[ 36.537110] __do_softirq+0x116/0x380 +[ 36.538377] +[ 36.538950] Second to last potentially related work creation: +[ 36.540855] kasan_save_stack+0x3f/0x60 +[ 36.542084] kasan_record_aux_stack_noalloc+0x9d/0xb0 +[ 36.543592] insert_work+0x25/0x130 +[ 36.544891] __queue_work+0x4d4/0x620 +[ 36.546168] queue_work_on+0x72/0xb0 +[ 36.547328] __usb_hcd_giveback_urb+0x13f/0x1b0 +[ 36.548805] dummy_timer+0x350/0x1a40 +[ 36.550116] call_timer_fn+0x2c/0x190 +[ 36.551570] expire_timers+0x69/0x1f0 +[ 36.552762] __run_timers+0x289/0x2d0 +[ 36.553916] run_timer_softirq+0x2d/0x60 +[ 36.555118] __do_softirq+0x116/0x380 +[ 36.556239] +[ 36.556807] The buggy address belongs to the object at ffff888005960000 +[ 36.556807] which belongs to the cache kmalloc-4k of size 4096 +[ 36.560652] The buggy address is located 232 bytes inside of +[ 36.560652] 4096-byte region [ffff888005960000, ffff888005961000) +[ 36.564791] +[ 36.565355] The buggy address belongs to the physical page: +[ 36.567212] page:000000004f0a0731 refcount:1 mapcount:0 mapping:0000000000000000 index:0x00 +[ 36.570534] head:000000004f0a0731 order:3 compound_mapcount:0 subpages_mapcount:0 compound0 +[ 36.573717] flags: 0x100000000010200(slab|head|node=0|zone=1) +[ 36.575481] raw: 0100000000010200 ffff888001042140 dead000000000122 0000000000000000 +[ 36.577842] raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 +[ 36.580175] page dumped because: kasan: bad access detected +[ 36.581994] +[ 36.582548] Memory state around the buggy address: +[ 36.583983] ffff88800595ff80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +[ 36.586240] ffff888005960000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.588884] >ffff888005960080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.591071] ^ +[ 36.593295] ffff888005960100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.595705] ffff888005960180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +[ 36.598026] ================================================================== +[ 36.600224] Disabling lock debugging due to kernel taint +[ 36.602681] general protection fault, probably for non-canonical address 0x43600a000000060I +[ 36.607129] CPU: 0 PID: 49 Comm: kworker/0:2 Tainted: G B 6.2.0-rc3-15798-8 +[ 36.611115] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g15584 +[ 36.615026] Workqueue: events do_submit_urb +[ 36.616290] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.618107] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.623522] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.625072] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.627206] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.629813] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.631974] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.634285] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.636438] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.639092] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.640951] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.643411] Call Trace: +[ 36.644215] +[ 36.644902] smscore_getbuffer+0x3e/0x1e0 +[ 36.646147] do_submit_urb+0x4f/0x190 +[ 36.647449] process_one_work+0x34c/0x5b0 +[ 36.648777] worker_thread+0x4b7/0x890 +[ 36.649984] ? worker_clr_flags+0x90/0x90 +[ 36.651166] kthread+0x166/0x190 +[ 36.652151] ? kthread_blkcg+0x50/0x50 +[ 36.653547] ret_from_fork+0x22/0x30 +[ 36.655051] +[ 36.655733] Modules linked in: +[ 36.656787] ---[ end trace 0000000000000000 ]--- +[ 36.658328] RIP: 0010:_raw_spin_lock_irqsave+0x8a/0xd0 +[ 36.660045] Code: 24 00 00 00 00 48 89 df be 04 00 00 00 e8 9e b5 c6 fe 48 89 ef be 04 00 5 +[ 36.665730] RSP: 0018:ffff888004b6fcf0 EFLAGS: 00010046 +[ 36.667448] RAX: 0000000000000000 RBX: 043600a000000060 RCX: ffffffff9fc0e0d7 +[ 36.669675] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: ffff888004b6fcf0 +[ 36.672645] RBP: ffff888004b6fcf0 R08: dffffc0000000000 R09: ffffed100096df9f +[ 36.674921] R10: dfffe9100096dfa0 R11: 1ffff1100096df9e R12: ffff888005960020 +[ 36.677034] R13: ffff8880059600f0 R14: 0000000000000246 R15: 0000000000000001 +[ 36.679184] FS: 0000000000000000(0000) GS:ffff88806d600000(0000) knlGS:0000000000000000 +[ 36.681655] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 36.683383] CR2: 00007f07476819a3 CR3: 0000000004a34000 CR4: 00000000000006f0 +[ 36.685733] Kernel panic - not syncing: Fatal exception +[ 36.688585] Kernel Offset: 0x1d400000 from 0xffffffff81000000 (relocation range: 0xfffffff) +[ 36.692199] ---[ end Kernel panic - not syncing: Fatal exception ]--- + +When the siano device is plugged in, it may call the following functions +to initialize the device. + +smsusb_probe()-->smsusb_init_device()-->smscore_start_device(). + +When smscore_start_device() gets failed, the function smsusb_term_device() +will be called and smsusb_device_t will be deallocated. Although we use +usb_kill_urb() in smsusb_stop_streaming() to cancel transfer requests +and wait for them to finish, the worker threads that are scheduled by +smsusb_onresponse() may be still running. As a result, the UAF bugs +could happen. + +We add cancel_work_sync() in smsusb_stop_streaming() in order that the +worker threads could finish before the smsusb_device_t is deallocated. + +Fixes: dd47fbd40e6e ("[media] smsusb: don't sleep while atomic") +Signed-off-by: Duoming Zhou +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/siano/smsusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/siano/smsusb.c b/drivers/media/usb/siano/smsusb.c +index ec759f43c634d..cdbc636e8ff88 100644 +--- a/drivers/media/usb/siano/smsusb.c ++++ b/drivers/media/usb/siano/smsusb.c +@@ -191,6 +191,7 @@ static void smsusb_stop_streaming(struct smsusb_device_t *dev) + + for (i = 0; i < MAX_URBS; i++) { + usb_kill_urb(&dev->surbs[i].urb); ++ cancel_work_sync(&dev->surbs[i].wq); + + if (dev->surbs[i].cb) { + smscore_putbuffer(dev->coredev, dev->surbs[i].cb); +-- +2.39.2 + diff --git a/queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch b/queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch new file mode 100644 index 00000000000..f4113c1fab7 --- /dev/null +++ b/queue-4.14/mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch @@ -0,0 +1,50 @@ +From f4cebc70fc9e3ee19d4ed39a9cdf1ba5d27f878b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 14:15:55 +0800 +Subject: mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() + +From: Qiheng Lin + +[ Upstream commit 8b450dcff23aa254844492831a8e2b508a9d522d ] + +`req` is allocated in pcf50633_adc_async_read(), but +adc_enqueue_request() could fail to insert the `req` into queue. +We need to check the return value and free it in the case of failure. + +Fixes: 08c3e06a5eb2 ("mfd: PCF50633 adc driver") +Signed-off-by: Qiheng Lin +Signed-off-by: Lee Jones +Link: https://lore.kernel.org/r/20221208061555.8776-1-linqiheng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mfd/pcf50633-adc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mfd/pcf50633-adc.c b/drivers/mfd/pcf50633-adc.c +index c1984b0d1b652..a4a765055ee6b 100644 +--- a/drivers/mfd/pcf50633-adc.c ++++ b/drivers/mfd/pcf50633-adc.c +@@ -140,6 +140,7 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + void *callback_param) + { + struct pcf50633_adc_request *req; ++ int ret; + + /* req is freed when the result is ready, in interrupt handler */ + req = kmalloc(sizeof(*req), GFP_KERNEL); +@@ -151,7 +152,11 @@ int pcf50633_adc_async_read(struct pcf50633 *pcf, int mux, int avg, + req->callback = callback; + req->callback_param = callback_param; + +- return adc_enqueue_request(pcf, req); ++ ret = adc_enqueue_request(pcf, req); ++ if (ret) ++ kfree(req); ++ ++ return ret; + } + EXPORT_SYMBOL_GPL(pcf50633_adc_async_read); + +-- +2.39.2 + diff --git a/queue-4.14/mips-vpe-mt-drop-physical_memsize.patch b/queue-4.14/mips-vpe-mt-drop-physical_memsize.patch new file mode 100644 index 00000000000..4116e415427 --- /dev/null +++ b/queue-4.14/mips-vpe-mt-drop-physical_memsize.patch @@ -0,0 +1,99 @@ +From 85cb0e7be9a2118139f351478f51d90df3d22d27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 19 Feb 2023 15:15:25 -0800 +Subject: MIPS: vpe-mt: drop physical_memsize +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Randy Dunlap + +[ Upstream commit 91dc288f4edf0d768e46c2c6d33e0ab703403459 ] + +When neither LANTIQ nor MIPS_MALTA is set, 'physical_memsize' is not +declared. This causes the build to fail with: + +mips-linux-ld: arch/mips/kernel/vpe-mt.o: in function `vpe_run': +arch/mips/kernel/vpe-mt.c:(.text.vpe_run+0x280): undefined reference to `physical_memsize' + +LANTIQ is not using 'physical_memsize' and MIPS_MALTA's use of it is +self-contained in mti-malta/malta-dtshim.c. +Use of physical_memsize in vpe-mt.c appears to be unused, so eliminate +this loader mode completely and require VPE programs to be compiled with +DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + +Fixes: 9050d50e2244 ("MIPS: lantiq: Set physical_memsize") +Fixes: 1a2a6d7e8816 ("MIPS: APRP: Split VPE loader into separate files.") +Signed-off-by: Randy Dunlap +Reported-by: kernel test robot +Link: https://lore.kernel.org/all/202302030625.2g3E98sY-lkp@intel.com/ +Cc: Dengcheng Zhu +Cc: John Crispin +Cc: Thomas Bogendoerfer +Cc: Philippe Mathieu-Daudé +Cc: "Steven J. Hill" +Cc: Qais Yousef +Cc: Yang Yingliang +Cc: Hauke Mehrtens +Cc: James Hogan +Cc: linux-mips@vger.kernel.org +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/include/asm/vpe.h | 1 - + arch/mips/kernel/vpe-mt.c | 7 +++---- + arch/mips/lantiq/prom.c | 6 ------ + 3 files changed, 3 insertions(+), 11 deletions(-) + +diff --git a/arch/mips/include/asm/vpe.h b/arch/mips/include/asm/vpe.h +index 80e70dbd1f641..012731546cf60 100644 +--- a/arch/mips/include/asm/vpe.h ++++ b/arch/mips/include/asm/vpe.h +@@ -104,7 +104,6 @@ struct vpe_control { + struct list_head tc_list; /* Thread contexts */ + }; + +-extern unsigned long physical_memsize; + extern struct vpe_control vpecontrol; + extern const struct file_operations vpe_fops; + +diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c +index 9fd7cd48ea1d2..496ed8f362f62 100644 +--- a/arch/mips/kernel/vpe-mt.c ++++ b/arch/mips/kernel/vpe-mt.c +@@ -92,12 +92,11 @@ int vpe_run(struct vpe *v) + write_tc_c0_tchalt(read_tc_c0_tchalt() & ~TCHALT_H); + + /* +- * The sde-kit passes 'memsize' to __start in $a3, so set something +- * here... Or set $a3 to zero and define DFLT_STACK_SIZE and +- * DFLT_HEAP_SIZE when you compile your program ++ * We don't pass the memsize here, so VPE programs need to be ++ * compiled with DFLT_STACK_SIZE and DFLT_HEAP_SIZE defined. + */ ++ mttgpr(7, 0); + mttgpr(6, v->ntcs); +- mttgpr(7, physical_memsize); + + /* set up VPE1 */ + /* +diff --git a/arch/mips/lantiq/prom.c b/arch/mips/lantiq/prom.c +index a26322ff57e01..8cf1868540312 100644 +--- a/arch/mips/lantiq/prom.c ++++ b/arch/mips/lantiq/prom.c +@@ -25,12 +25,6 @@ + DEFINE_SPINLOCK(ebu_lock); + EXPORT_SYMBOL_GPL(ebu_lock); + +-/* +- * This is needed by the VPE loader code, just set it to 0 and assume +- * that the firmware hardcodes this value to something useful. +- */ +-unsigned long physical_memsize = 0L; +- + /* + * this struct is filled by the soc specific detection code and holds + * information about the specific soc type, revision and name +-- +2.39.2 + diff --git a/queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch b/queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch new file mode 100644 index 00000000000..610c139be7f --- /dev/null +++ b/queue-4.14/mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch @@ -0,0 +1,37 @@ +From 3eb451f9b7fc93670b4f68af686a598644bb21b1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Dec 2022 12:15:24 -0600 +Subject: mtd: rawnand: sunxi: Fix the size of the last OOB region + +From: Samuel Holland + +[ Upstream commit 34569d869532b54d6e360d224a0254dcdd6a1785 ] + +The previous code assigned to the wrong structure member. + +Fixes: c66811e6d350 ("mtd: nand: sunxi: switch to mtd_ooblayout_ops") +Signed-off-by: Samuel Holland +Acked-By: Dhruva Gole +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221229181526.53766-6-samuel@sholland.org +Signed-off-by: Sasha Levin +--- + drivers/mtd/nand/sunxi_nand.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mtd/nand/sunxi_nand.c b/drivers/mtd/nand/sunxi_nand.c +index 916e0ccd1e27e..f8e98b1eaede7 100644 +--- a/drivers/mtd/nand/sunxi_nand.c ++++ b/drivers/mtd/nand/sunxi_nand.c +@@ -1786,7 +1786,7 @@ static int sunxi_nand_ooblayout_free(struct mtd_info *mtd, int section, + if (section < ecc->steps) + oobregion->length = 4; + else +- oobregion->offset = mtd->oobsize - oobregion->offset; ++ oobregion->length = mtd->oobsize - oobregion->offset; + + return 0; + } +-- +2.39.2 + diff --git a/queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch b/queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch new file mode 100644 index 00000000000..97fc53a6434 --- /dev/null +++ b/queue-4.14/net-bcmgenet-add-a-check-for-oversized-packets.patch @@ -0,0 +1,43 @@ +From ea5bdae1295454b7095e803c18eff65406daf06c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Jan 2023 16:08:19 -0800 +Subject: net: bcmgenet: Add a check for oversized packets + +From: Florian Fainelli + +[ Upstream commit 5c0862c2c962052ed5055220a00ac1cefb92fbcd ] + +Occasionnaly we may get oversized packets from the hardware which +exceed the nomimal 2KiB buffer size we allocate SKBs with. Add an early +check which drops the packet to avoid invoking skb_over_panic() and move +on to processing the next packet. + +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +index 9bb398d058379..e5e52c0c39a55 100644 +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -1799,6 +1799,14 @@ static unsigned int bcmgenet_desc_rx(struct bcmgenet_rx_ring *ring, + __func__, p_index, ring->c_index, + ring->read_ptr, dma_length_status); + ++ if (unlikely(len > RX_BUF_LENGTH)) { ++ netif_err(priv, rx_status, dev, "oversized packet\n"); ++ dev->stats.rx_length_errors++; ++ dev->stats.rx_errors++; ++ dev_kfree_skb_any(skb); ++ goto next; ++ } ++ + if (unlikely(!(dma_flag & DMA_EOP) || !(dma_flag & DMA_SOP))) { + netif_err(priv, rx_status, dev, + "dropping fragmented packet!\n"); +-- +2.39.2 + diff --git a/queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch b/queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch new file mode 100644 index 00000000000..873f6360352 --- /dev/null +++ b/queue-4.14/net-mlx5-enhance-debug-print-in-page-allocation-fail.patch @@ -0,0 +1,38 @@ +From 6437023aa5f74ae017e600b43f7edbf083923caf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Jan 2023 19:57:04 +0200 +Subject: net/mlx5: Enhance debug print in page allocation failure + +From: Jack Morgenstein + +[ Upstream commit 7eef93003e5d20e1a6a6e59e12d914b5431cbda2 ] + +Provide more details to aid debugging. + +Fixes: bf0bf77f6519 ("mlx5: Support communicating arbitrary host page size to firmware") +Signed-off-by: Eran Ben Elisha +Signed-off-by: Majd Dibbiny +Signed-off-by: Jack Morgenstein +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +index 9c3653e06886a..fc880c02459db 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/pagealloc.c +@@ -164,7 +164,8 @@ static int alloc_4k(struct mlx5_core_dev *dev, u64 *addr) + fp = list_entry(dev->priv.free_list.next, struct fw_page, list); + n = find_first_bit(&fp->bitmask, 8 * sizeof(fp->bitmask)); + if (n >= MLX5_NUM_4K_IN_PAGE) { +- mlx5_core_warn(dev, "alloc 4k bug\n"); ++ mlx5_core_warn(dev, "alloc 4k bug: fw page = 0x%llx, n = %u, bitmask: %lu, max num of 4K pages: %d\n", ++ fp->addr, n, fp->bitmask, MLX5_NUM_4K_IN_PAGE); + return -ENOENT; + } + clear_bit(n, &fp->bitmask); +-- +2.39.2 + diff --git a/queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch b/queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch new file mode 100644 index 00000000000..27869c78242 --- /dev/null +++ b/queue-4.14/pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch @@ -0,0 +1,53 @@ +From 3003ab2b38a5ab618b5cc5e559da0c4fd93687e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 3 Feb 2023 15:27:14 +0200 +Subject: pinctrl: at91: use devm_kasprintf() to avoid potential leaks + +From: Claudiu Beznea + +[ Upstream commit 1c4e5c470a56f7f7c649c0c70e603abc1eab15c4 ] + +Use devm_kasprintf() instead of kasprintf() to avoid any potential +leaks. At the moment drivers have no remove functionality thus +there is no need for fixes tag. + +Signed-off-by: Claudiu Beznea +Link: https://lore.kernel.org/r/20230203132714.1931596-1-claudiu.beznea@microchip.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-at91-pio4.c | 4 ++-- + drivers/pinctrl/pinctrl-at91.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/pinctrl/pinctrl-at91-pio4.c b/drivers/pinctrl/pinctrl-at91-pio4.c +index e9d7977072553..78aeb882f1cad 100644 +--- a/drivers/pinctrl/pinctrl-at91-pio4.c ++++ b/drivers/pinctrl/pinctrl-at91-pio4.c +@@ -981,8 +981,8 @@ static int atmel_pinctrl_probe(struct platform_device *pdev) + + pin_desc[i].number = i; + /* Pin naming convention: P(bank_name)(bank_pin_number). */ +- pin_desc[i].name = kasprintf(GFP_KERNEL, "P%c%d", +- bank + 'A', line); ++ pin_desc[i].name = devm_kasprintf(&pdev->dev, GFP_KERNEL, "P%c%d", ++ bank + 'A', line); + + group->name = group_names[i] = pin_desc[i].name; + group->pin = pin_desc[i].number; +diff --git a/drivers/pinctrl/pinctrl-at91.c b/drivers/pinctrl/pinctrl-at91.c +index 404711f0985aa..3173e1f5bcb69 100644 +--- a/drivers/pinctrl/pinctrl-at91.c ++++ b/drivers/pinctrl/pinctrl-at91.c +@@ -1774,7 +1774,7 @@ static int at91_gpio_probe(struct platform_device *pdev) + } + + for (i = 0; i < chip->ngpio; i++) +- names[i] = kasprintf(GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); ++ names[i] = devm_kasprintf(&pdev->dev, GFP_KERNEL, "pio%c%d", alias_idx + 'A', i); + + chip->names = (const char *const *)names; + +-- +2.39.2 + diff --git a/queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch b/queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch new file mode 100644 index 00000000000..f3dc47f3dfb --- /dev/null +++ b/queue-4.14/pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch @@ -0,0 +1,37 @@ +From 7cb75889a790ca8faa315ce408f6442c677353f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 2 Jan 2023 15:28:45 +0400 +Subject: pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups + +From: Miaoqian Lin + +[ Upstream commit c818ae563bf99457f02e8170aabd6b174f629f65 ] + +of_find_node_by_phandle() returns a node pointer with refcount incremented, +We should use of_node_put() on it when not needed anymore. +Add missing of_node_put() to avoid refcount leak. + +Fixes: d3e5116119bd ("pinctrl: add pinctrl driver for Rockchip SoCs") +Signed-off-by: Miaoqian Lin +Link: https://lore.kernel.org/r/20230102112845.3982407-1-linmq006@gmail.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinctrl-rockchip.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pinctrl/pinctrl-rockchip.c b/drivers/pinctrl/pinctrl-rockchip.c +index 0c237dd13f2ff..1f4b9fc9e2781 100644 +--- a/drivers/pinctrl/pinctrl-rockchip.c ++++ b/drivers/pinctrl/pinctrl-rockchip.c +@@ -2320,6 +2320,7 @@ static int rockchip_pinctrl_parse_groups(struct device_node *np, + np_config = of_find_node_by_phandle(be32_to_cpup(phandle)); + ret = pinconf_generic_parse_dt_config(np_config, NULL, + &grp->data[j].configs, &grp->data[j].nconfigs); ++ of_node_put(np_config); + if (ret) + return ret; + } +-- +2.39.2 + diff --git a/queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch b/queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch new file mode 100644 index 00000000000..f4d149f487b --- /dev/null +++ b/queue-4.14/powerpc-powernv-ioda-skip-unallocated-resources-when.patch @@ -0,0 +1,93 @@ +From 6745c43938be4c090cb6e3ddf3807adc9f6a5c2a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Jan 2023 10:32:15 +0100 +Subject: powerpc/powernv/ioda: Skip unallocated resources when mapping to PE + +From: Frederic Barrat + +[ Upstream commit e64e71056f323a1e178dccf04d4c0f032d84436c ] + +pnv_ioda_setup_pe_res() calls opal to map a resource with a PE. However, +the code assumes the resource is allocated and it uses the resource +address to find out the segment(s) which need to be mapped to the +PE. In the unlikely case where the resource hasn't been allocated, the +computation for the segment number is garbage, which can lead to +invalid memory access and potentially a kernel crash, such as: + +[ ] pci_bus 0002:02: Configuring PE for bus +[ ] pci 0002:02 : [PE# fc] Secondary bus 0x0000000000000002..0x0000000000000002 associated with PE#fc +[ ] BUG: Kernel NULL pointer dereference on write at 0x00000000 +[ ] Faulting instruction address: 0xc00000000005eac4 +[ ] Oops: Kernel access of bad area, sig: 7 [#1] +[ ] LE PAGE_SIZE=64K MMU=Radix SMP NR_CPUS=2048 NUMA PowerNV +[ ] Modules linked in: +[ ] CPU: 12 PID: 1 Comm: swapper/20 Not tainted 5.10.50-openpower1 #2 +[ ] NIP: c00000000005eac4 LR: c00000000005ea44 CTR: 0000000030061b9c +[ ] REGS: c000200007383650 TRAP: 0300 Not tainted (5.10.50-openpower1) +[ ] MSR: 9000000000009033 CR: 44000224 XER: 20040000 +[ ] CFAR: c00000000005eaa0 DAR: 0000000000000000 DSISR: 02080000 IRQMASK: 0 +[ ] GPR00: c00000000005dd98 c0002000073838e0 c00000000185de00 c000200fff018960 +[ ] GPR04: 00000000000000fc 0000000000000003 0000000000000000 0000000000000000 +[ ] GPR08: 0000000000000000 0000000000000000 0000000000000000 9000000000001033 +[ ] GPR12: 0000000031cb0000 c000000ffffe6a80 c000000000010a58 0000000000000000 +[ ] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ ] GPR20: 0000000000000000 0000000000000000 0000000000000000 c00000000711e200 +[ ] GPR24: 0000000000000100 c000200009501120 c00020000cee2800 00000000000003ff +[ ] GPR28: c000200fff018960 0000000000000000 c000200ffcb7fd00 0000000000000000 +[ ] NIP [c00000000005eac4] pnv_ioda_setup_pe_res+0x94/0x1a0 +[ ] LR [c00000000005ea44] pnv_ioda_setup_pe_res+0x14/0x1a0 +[ ] Call Trace: +[ ] [c0002000073838e0] [c00000000005eb98] pnv_ioda_setup_pe_res+0x168/0x1a0 (unreliable) +[ ] [c000200007383970] [c00000000005dd98] pnv_pci_ioda_dma_dev_setup+0x43c/0x970 +[ ] [c000200007383a60] [c000000000032cdc] pcibios_bus_add_device+0x78/0x18c +[ ] [c000200007383aa0] [c00000000028f2bc] pci_bus_add_device+0x28/0xbc +[ ] [c000200007383b10] [c00000000028f3a0] pci_bus_add_devices+0x50/0x7c +[ ] [c000200007383b50] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383b90] [c00000000028f3c4] pci_bus_add_devices+0x74/0x7c +[ ] [c000200007383bd0] [c00000000069ad0c] pcibios_init+0xf0/0x104 +[ ] [c000200007383c50] [c0000000000106d8] do_one_initcall+0x84/0x1c4 +[ ] [c000200007383d20] [c0000000006910b8] kernel_init_freeable+0x264/0x268 +[ ] [c000200007383dc0] [c000000000010a68] kernel_init+0x18/0x138 +[ ] [c000200007383e20] [c00000000000cbfc] ret_from_kernel_thread+0x5c/0x80 +[ ] Instruction dump: +[ ] 7f89e840 409d000c 7fbbf840 409c000c 38210090 4848f448 809c002c e95e0120 +[ ] 7ba91764 38a00003 57a7043e 38c00000 <7c8a492e> 5484043e e87e0018 4bff23bd + +Hitting the problem is not that easy. It was seen with a (semi-bogus) +PCI device with a class code of 0. The generic PCI framework doesn't +allocate resources in such a case. + +The patch is simply skipping resources which are still flagged with +IORESOURCE_UNSET. + +We don't have the problem with 64-bit mem resources, as the address of +the resource is checked to be within the range of the 64-bit mmio +window. See pnv_ioda_reserve_dev_m64_pe() and pnv_pci_is_m64(). + +Reported-by: Andrew Jeffery +Fixes: 23e79425fe7c ("powerpc/powernv: Simplify pnv_ioda_setup_pe_seg()") +Signed-off-by: Frederic Barrat +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230120093215.19496-1-fbarrat@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/powernv/pci-ioda.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/powernv/pci-ioda.c b/arch/powerpc/platforms/powernv/pci-ioda.c +index 36ef504eeab32..58798ced4dbbf 100644 +--- a/arch/powerpc/platforms/powernv/pci-ioda.c ++++ b/arch/powerpc/platforms/powernv/pci-ioda.c +@@ -3155,7 +3155,8 @@ static void pnv_ioda_setup_pe_res(struct pnv_ioda_pe *pe, + int index; + int64_t rc; + +- if (!res || !res->flags || res->start > res->end) ++ if (!res || !res->flags || res->start > res->end || ++ res->flags & IORESOURCE_UNSET) + return; + + if (res->flags & IORESOURCE_IO) { +-- +2.39.2 + diff --git a/queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch b/queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch new file mode 100644 index 00000000000..94a27ebcc1c --- /dev/null +++ b/queue-4.14/powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch @@ -0,0 +1,67 @@ +From dae00a25ca6e7a1e85ce028579cd39fcaeeace7e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 10 Feb 2023 12:41:52 -0600 +Subject: powerpc/pseries/lparcfg: add missing RTAS retry status handling + +From: Nathan Lynch + +[ Upstream commit 5d08633e5f6564b60f1cbe09af3af40a74d66431 ] + +The ibm,get-system-parameter RTAS function may return -2 or 990x, +which indicate that the caller should try again. + +lparcfg's parse_system_parameter_string() ignores this, making it +possible to intermittently report incorrect SPLPAR characteristics. + +Move the RTAS call into a coventional rtas_busy_delay()-based loop. + +Signed-off-by: Nathan Lynch +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20230125-b4-powerpc-rtas-queue-v3-4-26929c8cce78@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/pseries/lparcfg.c | 20 ++++++++++---------- + 1 file changed, 10 insertions(+), 10 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/lparcfg.c b/arch/powerpc/platforms/pseries/lparcfg.c +index 779fc2a1c8f77..f40dabf7d163f 100644 +--- a/arch/powerpc/platforms/pseries/lparcfg.c ++++ b/arch/powerpc/platforms/pseries/lparcfg.c +@@ -289,6 +289,7 @@ static void parse_mpp_x_data(struct seq_file *m) + */ + static void parse_system_parameter_string(struct seq_file *m) + { ++ const s32 token = rtas_token("ibm,get-system-parameter"); + int call_status; + + unsigned char *local_buffer = kmalloc(SPLPAR_MAXLENGTH, GFP_KERNEL); +@@ -298,16 +299,15 @@ static void parse_system_parameter_string(struct seq_file *m) + return; + } + +- spin_lock(&rtas_data_buf_lock); +- memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); +- call_status = rtas_call(rtas_token("ibm,get-system-parameter"), 3, 1, +- NULL, +- SPLPAR_CHARACTERISTICS_TOKEN, +- __pa(rtas_data_buf), +- RTAS_DATA_BUF_SIZE); +- memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); +- local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; +- spin_unlock(&rtas_data_buf_lock); ++ do { ++ spin_lock(&rtas_data_buf_lock); ++ memset(rtas_data_buf, 0, SPLPAR_MAXLENGTH); ++ call_status = rtas_call(token, 3, 1, NULL, SPLPAR_CHARACTERISTICS_TOKEN, ++ __pa(rtas_data_buf), RTAS_DATA_BUF_SIZE); ++ memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH); ++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0'; ++ spin_unlock(&rtas_data_buf_lock); ++ } while (rtas_busy_delay(call_status)); + + if (call_status != 0) { + printk(KERN_INFO +-- +2.39.2 + diff --git a/queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch b/queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch new file mode 100644 index 00000000000..eca201f1fd2 --- /dev/null +++ b/queue-4.14/rcu-suppress-smp_processor_id-complaint-in-synchroni.patch @@ -0,0 +1,43 @@ +From e4d10627a8f674cab4e8084937374e5d41574464 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 15:55:48 -0800 +Subject: rcu: Suppress smp_processor_id() complaint in + synchronize_rcu_expedited_wait() + +From: Paul E. McKenney + +[ Upstream commit 2d7f00b2f01301d6e41fd4a28030dab0442265be ] + +The normal grace period's RCU CPU stall warnings are invoked from the +scheduling-clock interrupt handler, and can thus invoke smp_processor_id() +with impunity, which allows them to directly invoke dump_cpu_task(). +In contrast, the expedited grace period's RCU CPU stall warnings are +invoked from process context, which causes the dump_cpu_task() function's +calls to smp_processor_id() to complain bitterly in debug kernels. + +This commit therefore causes synchronize_rcu_expedited_wait() to disable +preemption around its call to dump_cpu_task(). + +Signed-off-by: Paul E. McKenney +Signed-off-by: Sasha Levin +--- + kernel/rcu/tree_exp.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h +index f90d10c1c3c8d..843399e98bb37 100644 +--- a/kernel/rcu/tree_exp.h ++++ b/kernel/rcu/tree_exp.h +@@ -498,7 +498,9 @@ static void synchronize_sched_expedited_wait(struct rcu_state *rsp) + mask = leaf_node_cpu_bit(rnp, cpu); + if (!(rnp->expmask & mask)) + continue; ++ preempt_disable(); // For smp_processor_id() in dump_cpu_task(). + dump_cpu_task(cpu); ++ preempt_enable(); + } + } + jiffies_stall = 3 * rcu_jiffies_till_stall_check() + 3; +-- +2.39.2 + diff --git a/queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch b/queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch new file mode 100644 index 00000000000..02fa43d818c --- /dev/null +++ b/queue-4.14/regulator-max77802-bounds-check-regulator-id-against.patch @@ -0,0 +1,137 @@ +From 12eec43ad3fa7a603084143348058086b608662e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 14:52:07 -0800 +Subject: regulator: max77802: Bounds check regulator id against opmode + +From: Kees Cook + +[ Upstream commit 4fd8bcec5fd7c0d586206fa2f42bd67b06cdaa7e ] + +Explicitly bounds-check the id before accessing the opmode array. Seen +with GCC 13: + +../drivers/regulator/max77802-regulator.c: In function 'max77802_enable': +../drivers/regulator/max77802-regulator.c:217:29: warning: array subscript [0, 41] is outside array bounds of 'unsigned int[42]' [-Warray-bounds=] + 217 | if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + | ~~~~~~~~~~~~~~~~^~~~ +../drivers/regulator/max77802-regulator.c:62:22: note: while referencing 'opmode' + 62 | unsigned int opmode[MAX77802_REG_MAX]; + | ^~~~~~ + +Cc: Javier Martinez Canillas +Cc: Liam Girdwood +Cc: Mark Brown +Signed-off-by: Kees Cook +Acked-by: Javier Martinez Canillas +Link: https://lore.kernel.org/r/20230127225203.never.864-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/max77802-regulator.c | 34 ++++++++++++++++++-------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git a/drivers/regulator/max77802-regulator.c b/drivers/regulator/max77802-regulator.c +index b6261903818c6..e12bab733e186 100644 +--- a/drivers/regulator/max77802-regulator.c ++++ b/drivers/regulator/max77802-regulator.c +@@ -107,9 +107,11 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + { + unsigned int val = MAX77802_OFF_PWRREQ; + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -123,7 +125,7 @@ static int max77802_set_suspend_disable(struct regulator_dev *rdev) + static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + +@@ -140,6 +142,9 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + return -EINVAL; + } + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + max77802->opmode[id] = val; + return regmap_update_bits(rdev->regmap, rdev->desc->enable_reg, + rdev->desc->enable_mask, val << shift); +@@ -148,8 +153,10 @@ static int max77802_set_mode(struct regulator_dev *rdev, unsigned int mode) + static unsigned max77802_get_mode(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + return max77802_map_mode(max77802->opmode[id]); + } + +@@ -173,10 +180,13 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + unsigned int mode) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + unsigned int val; + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; ++ + /* + * If the regulator has been disabled for suspend + * then is invalid to try setting a suspend mode. +@@ -222,9 +232,11 @@ static int max77802_set_suspend_mode(struct regulator_dev *rdev, + static int max77802_enable(struct regulator_dev *rdev) + { + struct max77802_regulator_prv *max77802 = rdev_get_drvdata(rdev); +- int id = rdev_get_id(rdev); ++ unsigned int id = rdev_get_id(rdev); + int shift = max77802_get_opmode_shift(id); + ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(max77802->opmode))) ++ return -EINVAL; + if (max77802->opmode[id] == MAX77802_OFF_PWRREQ) + max77802->opmode[id] = MAX77802_OPMODE_NORMAL; + +@@ -553,7 +565,7 @@ static int max77802_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < MAX77802_REG_MAX; i++) { + struct regulator_dev *rdev; +- int id = regulators[i].id; ++ unsigned int id = regulators[i].id; + int shift = max77802_get_opmode_shift(id); + int ret; + +@@ -571,10 +583,12 @@ static int max77802_pmic_probe(struct platform_device *pdev) + * the hardware reports OFF as the regulator operating mode. + * Default to operating mode NORMAL in that case. + */ +- if (val == MAX77802_STATUS_OFF) +- max77802->opmode[id] = MAX77802_OPMODE_NORMAL; +- else +- max77802->opmode[id] = val; ++ if (id < ARRAY_SIZE(max77802->opmode)) { ++ if (val == MAX77802_STATUS_OFF) ++ max77802->opmode[id] = MAX77802_OPMODE_NORMAL; ++ else ++ max77802->opmode[id] = val; ++ } + + rdev = devm_regulator_register(&pdev->dev, + ®ulators[i], &config); +-- +2.39.2 + diff --git a/queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch b/queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch new file mode 100644 index 00000000000..cef373f27cc --- /dev/null +++ b/queue-4.14/regulator-s5m8767-bounds-check-id-indexing-into-arra.patch @@ -0,0 +1,55 @@ +From cb160e72cd69b99b034378ac92249d7cd3035019 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Jan 2023 16:53:58 -0800 +Subject: regulator: s5m8767: Bounds check id indexing into arrays + +From: Kees Cook + +[ Upstream commit e314e15a0b58f9d051c00b25951073bcdae61953 ] + +The compiler has no way to know if "id" is within the array bounds of +the regulators array. Add a check for this and a build-time check that +the regulators and reg_voltage_map arrays are sized the same. Seen with +GCC 13: + +../drivers/regulator/s5m8767.c: In function 's5m8767_pmic_probe': +../drivers/regulator/s5m8767.c:936:35: warning: array subscript [0, 36] is outside array bounds of 'struct regulator_desc[37]' [-Warray-bounds=] + 936 | regulators[id].vsel_reg = + | ~~~~~~~~~~^~~~ + +Cc: Krzysztof Kozlowski +Cc: Liam Girdwood +Cc: Mark Brown +Cc: linux-samsung-soc@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20230128005358.never.313-kees@kernel.org +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/s5m8767.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/regulator/s5m8767.c b/drivers/regulator/s5m8767.c +index d558f806a4705..80e751759b706 100644 +--- a/drivers/regulator/s5m8767.c ++++ b/drivers/regulator/s5m8767.c +@@ -918,10 +918,14 @@ static int s5m8767_pmic_probe(struct platform_device *pdev) + + for (i = 0; i < pdata->num_regulators; i++) { + const struct sec_voltage_desc *desc; +- int id = pdata->regulators[i].id; ++ unsigned int id = pdata->regulators[i].id; + int enable_reg, enable_val; + struct regulator_dev *rdev; + ++ BUILD_BUG_ON(ARRAY_SIZE(regulators) != ARRAY_SIZE(reg_voltage_map)); ++ if (WARN_ON_ONCE(id >= ARRAY_SIZE(regulators))) ++ continue; ++ + desc = reg_voltage_map[id]; + if (desc) { + regulators[id].n_voltages = +-- +2.39.2 + diff --git a/queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch b/queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch new file mode 100644 index 00000000000..ec80ac7503d --- /dev/null +++ b/queue-4.14/rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch @@ -0,0 +1,38 @@ +From be83a532e2a4362fa923a877521d8e84031416af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Feb 2023 15:42:31 -0800 +Subject: rpmsg: glink: Avoid infinite loop on intent for missing channel + +From: Bjorn Andersson + +[ Upstream commit 3e74ec2f39362bffbd42854acbb67c7f4cb808f9 ] + +In the event that an intent advertisement arrives on an unknown channel +the fifo is not advanced, resulting in the same message being handled +over and over. + +Fixes: dacbb35e930f ("rpmsg: glink: Receive and store the remote intent buffers") +Signed-off-by: Bjorn Andersson +Reviewed-by: Chris Lew +Signed-off-by: Bjorn Andersson +Link: https://lore.kernel.org/r/20230214234231.2069751-1-quic_bjorande@quicinc.com +Signed-off-by: Sasha Levin +--- + drivers/rpmsg/qcom_glink_native.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rpmsg/qcom_glink_native.c b/drivers/rpmsg/qcom_glink_native.c +index 4c90364638f9c..0fb185e0620aa 100644 +--- a/drivers/rpmsg/qcom_glink_native.c ++++ b/drivers/rpmsg/qcom_glink_native.c +@@ -928,6 +928,7 @@ static void qcom_glink_handle_intent(struct qcom_glink *glink, + spin_unlock_irqrestore(&glink->idr_lock, flags); + if (!channel) { + dev_err(glink->dev, "intents for non-existing channel\n"); ++ qcom_glink_rx_advance(glink, ALIGN(msglen, 8)); + return; + } + +-- +2.39.2 + diff --git a/queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch b/queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch new file mode 100644 index 00000000000..ba78f22998b --- /dev/null +++ b/queue-4.14/s390-bpf-add-expoline-to-tail-calls.patch @@ -0,0 +1,47 @@ +From 914c53dcaea29d0ddb50b4ea448049e04982f337 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Jan 2023 20:04:55 +0100 +Subject: s390/bpf: Add expoline to tail calls + +From: Ilya Leoshkevich + +[ Upstream commit bb4ef8fc3d193ed8d5583fb47cbeff5d8fb8302f ] + +All the indirect jumps in the eBPF JIT already use expolines, except +for the tail call one. + +Fixes: de5cb6eb514e ("s390: use expoline thunks in the BPF JIT") +Signed-off-by: Ilya Leoshkevich +Link: https://lore.kernel.org/r/20230129190501.1624747-3-iii@linux.ibm.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + arch/s390/net/bpf_jit_comp.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/arch/s390/net/bpf_jit_comp.c b/arch/s390/net/bpf_jit_comp.c +index 60029baaa72ad..f2b516f8a3a64 100644 +--- a/arch/s390/net/bpf_jit_comp.c ++++ b/arch/s390/net/bpf_jit_comp.c +@@ -1119,8 +1119,16 @@ static noinline int bpf_jit_insn(struct bpf_jit *jit, struct bpf_prog *fp, int i + /* lg %r1,bpf_func(%r1) */ + EMIT6_DISP_LH(0xe3000000, 0x0004, REG_1, REG_1, REG_0, + offsetof(struct bpf_prog, bpf_func)); +- /* bc 0xf,tail_call_start(%r1) */ +- _EMIT4(0x47f01000 + jit->tail_call_start); ++ if (nospec_uses_trampoline()) { ++ jit->seen |= SEEN_FUNC; ++ /* aghi %r1,tail_call_start */ ++ EMIT4_IMM(0xa70b0000, REG_1, jit->tail_call_start); ++ /* brcl 0xf,__s390_indirect_jump_r1 */ ++ EMIT6_PCREL_RILC(0xc0040000, 0xf, jit->r1_thunk_ip); ++ } else { ++ /* bc 0xf,tail_call_start(%r1) */ ++ _EMIT4(0x47f01000 + jit->tail_call_start); ++ } + /* out: */ + jit->labels[0] = jit->prg; + break; +-- +2.39.2 + diff --git a/queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch b/queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch new file mode 100644 index 00000000000..d124b62c8f4 --- /dev/null +++ b/queue-4.14/sched-fair-sanitize-vruntime-of-entity-being-placed.patch @@ -0,0 +1,70 @@ +From 38247e1de3305a6ef644404ac818bc6129440eae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 30 Jan 2023 13:22:16 +0100 +Subject: sched/fair: sanitize vruntime of entity being placed + +From: Zhang Qiao + +[ Upstream commit 829c1651e9c4a6f78398d3e67651cef9bb6b42cc ] + +When a scheduling entity is placed onto cfs_rq, its vruntime is pulled +to the base level (around cfs_rq->min_vruntime), so that the entity +doesn't gain extra boost when placed backwards. + +However, if the entity being placed wasn't executed for a long time, its +vruntime may get too far behind (e.g. while cfs_rq was executing a +low-weight hog), which can inverse the vruntime comparison due to s64 +overflow. This results in the entity being placed with its original +vruntime way forwards, so that it will effectively never get to the cpu. + +To prevent that, ignore the vruntime of the entity being placed if it +didn't execute for much longer than the characteristic sheduler time +scale. + +[rkagan: formatted, adjusted commit log, comments, cutoff value] +Signed-off-by: Zhang Qiao +Co-developed-by: Roman Kagan +Signed-off-by: Roman Kagan +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20230130122216.3555094-1-rkagan@amazon.de +Signed-off-by: Sasha Levin +--- + kernel/sched/fair.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c +index 3ff60230710c9..afa21e43477fa 100644 +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -3615,6 +3615,7 @@ static void + place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + { + u64 vruntime = cfs_rq->min_vruntime; ++ u64 sleep_time; + + /* + * The 'current' period is already promised to the current tasks, +@@ -3639,8 +3640,18 @@ place_entity(struct cfs_rq *cfs_rq, struct sched_entity *se, int initial) + vruntime -= thresh; + } + +- /* ensure we never gain time by being placed backwards. */ +- se->vruntime = max_vruntime(se->vruntime, vruntime); ++ /* ++ * Pull vruntime of the entity being placed to the base level of ++ * cfs_rq, to prevent boosting it if placed backwards. If the entity ++ * slept for a long time, don't even try to compare its vruntime with ++ * the base as it may be too far off and the comparison may get ++ * inversed due to s64 overflow. ++ */ ++ sleep_time = rq_clock_task(rq_of(cfs_rq)) - se->exec_start; ++ if ((s64)sleep_time > 60LL * NSEC_PER_SEC) ++ se->vruntime = vruntime; ++ else ++ se->vruntime = max_vruntime(se->vruntime, vruntime); + } + + static void check_enqueue_throttle(struct cfs_rq *cfs_rq); +-- +2.39.2 + diff --git a/queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch b/queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch new file mode 100644 index 00000000000..3cfda8f7cea --- /dev/null +++ b/queue-4.14/scsi-aic94xx-add-missing-check-for-dma_map_single.patch @@ -0,0 +1,39 @@ +From ac3ceff954cc8972eecb0aa2037e69beba9c9002 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Jan 2023 19:08:32 +0800 +Subject: scsi: aic94xx: Add missing check for dma_map_single() + +From: Jiasheng Jiang + +[ Upstream commit 32fe45274edb5926abc0fac7263d9f889d02d9cf ] + +Add check for dma_map_single() and return error if it fails in order to +avoid invalid DMA address. + +Fixes: 2908d778ab3e ("[SCSI] aic94xx: new driver") +Link: https://lore.kernel.org/r/20230128110832.6792-1-jiasheng@iscas.ac.cn +Signed-off-by: Jiasheng Jiang +Reviewed-by: Jason Yan +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/aic94xx/aic94xx_task.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/aic94xx/aic94xx_task.c b/drivers/scsi/aic94xx/aic94xx_task.c +index cdd4ab683be98..4de4bbca1f925 100644 +--- a/drivers/scsi/aic94xx/aic94xx_task.c ++++ b/drivers/scsi/aic94xx/aic94xx_task.c +@@ -68,6 +68,9 @@ static int asd_map_scatterlist(struct sas_task *task, + dma_addr_t dma = pci_map_single(asd_ha->pcidev, p, + task->total_xfer_len, + task->data_dir); ++ if (dma_mapping_error(&asd_ha->pcidev->dev, dma)) ++ return -ENOMEM; ++ + sg_arr[0].bus_addr = cpu_to_le64((u64)dma); + sg_arr[0].size = cpu_to_le32(task->total_xfer_len); + sg_arr[0].flags |= ASD_SG_EL_LIST_EOL; +-- +2.39.2 + diff --git a/queue-4.14/series b/queue-4.14/series index 7ebfcfe67a5..7f0903f3292 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -12,3 +12,88 @@ usb-core-don-t-hold-device-lock-while-reading-the-descriptors-sysfs-file.patch hid-asus-remove-check-for-same-led-brightness-on-set.patch hid-asus-use-spinlock-to-protect-concurrent-accesses.patch hid-asus-use-spinlock-to-safely-schedule-workers.patch +arm-omap2-fix-memory-leak-in-realtime_counter_init.patch +arm-zynq-fix-refcount-leak-in-zynq_early_slcr_init.patch +arm64-dts-meson-gx-fix-ethernet-mac-address-unit-nam.patch +arm64-dts-meson-gx-fix-the-scpi-dvfs-node-name-and-u.patch +arm-omap1-call-platform_device_put-in-error-case-in-.patch +arm-dts-exynos-correct-wr-active-property-in-exynos3.patch +arm64-dts-amlogic-meson-gx-fix-scpi-clock-dvfs-node-.patch +arm64-dts-amlogic-meson-gx-add-missing-unit-address-.patch +arm64-dts-amlogic-meson-gxl-add-missing-unit-address.patch +block-bio-integrity-copy-flags-when-bio_integrity_pa.patch +wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch +wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch +wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch +wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch +wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch +wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch +wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch +wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch +genirq-fix-the-return-type-of-kstat_cpu_irqs_sum.patch +lib-mpi-fix-buffer-overrun-when-sg-is-too-long.patch +acpica-nsrepair-handle-cases-without-a-return-value-.patch +wifi-orinoco-check-return-value-of-hermes_write_word.patch +wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch +wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch +acpi-battery-fix-missing-nul-termination-with-large-.patch +crypto-seqiv-handle-ebusy-correctly.patch +s390-bpf-add-expoline-to-tail-calls.patch +net-mlx5-enhance-debug-print-in-page-allocation-fail.patch +irqchip-alpine-msi-fix-refcount-leak-in-alpine_msix_.patch +irqchip-irq-mvebu-gicp-fix-refcount-leak-in-mvebu_gi.patch +cpufreq-davinci-fix-clk-use-after-free.patch +bluetooth-l2cap-fix-potential-user-after-free.patch +crypto-rsa-pkcs1pad-use-akcipher_request_complete.patch +m68k-proc-hardware-should-depend-on-proc_fs.patch +wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch +can-esd_usb-move-mislocated-storage-of-sja1000_ecc_s.patch +irqchip-irq-bcm7120-l2-set-irq_level-for-level-trigg.patch +drm-mxsfb-drm_mxsfb-should-depend-on-arch_mxs-arch_m.patch +drm-bridge-megachips-fix-error-handling-in-i2c_regis.patch +gpu-ipu-v3-common-add-of_node_put-for-reference-retu.patch +drm-msm-hdmi-add-missing-check-for-alloc_ordered_wor.patch +pinctrl-rockchip-fix-refcount-leak-in-rockchip_pinct.patch +alsa-hda-ca0132-minor-fix-for-allocation-size.patch +drm-mipi-dsi-fix-byte-order-of-16-bit-dcs-set-get-br.patch +drm-mediatek-drop-unbalanced-obj-unref.patch +asoc-soc-compress.c-fixup-private_data-on-snd_soc_ne.patch +gpio-vf610-connect-gpio-label-to-dev-name.patch +hwmon-ltc2945-handle-error-case-in-ltc2945_value_sto.patch +scsi-aic94xx-add-missing-check-for-dma_map_single.patch +spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch +dm-remove-flush_scheduled_work-during-local_exit.patch +mfd-pcf50633-adc-fix-potential-memleak-in-pcf50633_a.patch +mtd-rawnand-sunxi-fix-the-size-of-the-last-oob-regio.patch +input-ads7846-don-t-report-pressure-for-ads7845.patch +input-ads7846-don-t-check-penirq-immediately-for-784.patch +powerpc-powernv-ioda-skip-unallocated-resources-when.patch +powerpc-pseries-lparcfg-add-missing-rtas-retry-statu.patch +mips-vpe-mt-drop-physical_memsize.patch +media-platform-ti-add-missing-check-for-devm_regulat.patch +media-rc-fix-use-after-free-bugs-caused-by-ene_tx_ir.patch +media-usb-siano-fix-use-after-free-bugs-caused-by-do.patch +rpmsg-glink-avoid-infinite-loop-on-intent-for-missin.patch +udf-define-efscorrupted-error-code.patch +arm-dts-exynos-use-exynos5420-compatible-for-the-mip.patch +sched-fair-sanitize-vruntime-of-entity-being-placed.patch +wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch +rcu-suppress-smp_processor_id-complaint-in-synchroni.patch +thermal-intel-fix-unsigned-comparison-with-less-than.patch +timers-prevent-union-confusion-from-unexpected-resta.patch +x86-bugs-reset-speculation-control-settings-on-init.patch +inet-fix-fast-path-in-__inet_hash_connect.patch +acpi-don-t-build-acpica-with-os.patch +net-bcmgenet-add-a-check-for-oversized-packets.patch +m68k-check-syscall_trace_enter-return-code.patch +acpi-video-fix-lenovo-ideapad-z570-dmi-match.patch +drm-radeon-free-iio-for-atombios-when-driver-shutdow.patch +drm-msm-dsi-add-missing-check-for-alloc_ordered_work.patch +docs-scripts-gdb-add-necessary-make-scripts_gdb-step.patch +asoc-kirkwood-iterate-over-array-indexes-instead-of-.patch +regulator-max77802-bounds-check-regulator-id-against.patch +regulator-s5m8767-bounds-check-id-indexing-into-arra.patch +pinctrl-at91-use-devm_kasprintf-to-avoid-potential-l.patch +dm-thin-add-cond_resched-to-various-workqueue-loops.patch +dm-cache-add-cond_resched-to-various-workqueue-loops.patch +spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch diff --git a/queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch b/queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch new file mode 100644 index 00000000000..b490640f293 --- /dev/null +++ b/queue-4.14/spi-bcm63xx-hsspi-endianness-fix-for-arm-based-soc.patch @@ -0,0 +1,41 @@ +From 7ae079fbda5ccd60b72d76e6f5d44e8355d3f4dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 22:58:17 -0800 +Subject: spi: bcm63xx-hsspi: Endianness fix for ARM based SoC + +From: William Zhang + +[ Upstream commit 85a84a61699990db6a025b5073f337f49933a875 ] + +HSSPI controller uses big endian for the opcode in the message to the +controller ping pong buffer. Use cpu_to_be16 to properly handle the +endianness for both big and little endian host. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: Kursad Oney +Signed-off-by: William Zhang +Acked-by: Florian Fainelli + +Link: https://lore.kernel.org/r/20230207065826.285013-7-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index cbcba614b2533..bc539010f2b98 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -191,7 +191,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + tx += curr_step; + } + +- __raw_writew(opcode | curr_step, bs->fifo); ++ __raw_writew((u16)cpu_to_be16(opcode | curr_step), bs->fifo); + + /* enable interrupt */ + __raw_writel(HSSPI_PINGx_CMD_DONE(0), +-- +2.39.2 + diff --git a/queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch b/queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch new file mode 100644 index 00000000000..dd1586ae89b --- /dev/null +++ b/queue-4.14/spi-bcm63xx-hsspi-fix-multi-bit-mode-setting.patch @@ -0,0 +1,61 @@ +From 50a8924674a937d8fc8f74bc7caf655c357d6913 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 9 Feb 2023 12:02:41 -0800 +Subject: spi: bcm63xx-hsspi: Fix multi-bit mode setting + +From: William Zhang + +[ Upstream commit 811ff802aaf878ebbbaeac0307a0164fa21e7d40 ] + +Currently the driver always sets the controller to dual data bit mode +for both tx and rx data in the profile mode control register even for +single data bit transfer. Luckily the opcode is set correctly according +to SPI transfer data bit width so it does not actually cause issues. + +This change fixes the problem by setting tx and rx data bit mode field +correctly according to the actual SPI transfer tx and rx data bit width. + +Fixes: 142168eba9dc ("spi: bcm63xx-hsspi: add bcm63xx HSSPI driver") +Signed-off-by: William Zhang +Link: https://lore.kernel.org/r/20230209200246.141520-11-william.zhang@broadcom.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/spi/spi-bcm63xx-hsspi.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/spi/spi-bcm63xx-hsspi.c b/drivers/spi/spi-bcm63xx-hsspi.c +index bc539010f2b98..6071756149ef4 100644 +--- a/drivers/spi/spi-bcm63xx-hsspi.c ++++ b/drivers/spi/spi-bcm63xx-hsspi.c +@@ -160,6 +160,7 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + int step_size = HSSPI_BUFFER_LEN; + const u8 *tx = t->tx_buf; + u8 *rx = t->rx_buf; ++ u32 val = 0; + + bcm63xx_hsspi_set_clk(bs, spi, t->speed_hz); + bcm63xx_hsspi_set_cs(bs, spi->chip_select, true); +@@ -175,11 +176,16 @@ static int bcm63xx_hsspi_do_txrx(struct spi_device *spi, struct spi_transfer *t) + step_size -= HSSPI_OPCODE_LEN; + + if ((opcode == HSSPI_OP_READ && t->rx_nbits == SPI_NBITS_DUAL) || +- (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) ++ (opcode == HSSPI_OP_WRITE && t->tx_nbits == SPI_NBITS_DUAL)) { + opcode |= HSSPI_OP_MULTIBIT; + +- __raw_writel(1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT | +- 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT | 0xff, ++ if (t->rx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_RD_SIZE_SHIFT; ++ if (t->tx_nbits == SPI_NBITS_DUAL) ++ val |= 1 << MODE_CTRL_MULTIDATA_WR_SIZE_SHIFT; ++ } ++ ++ __raw_writel(val | 0xff, + bs->regs + HSSPI_PROFILE_MODE_CTRL_REG(chip_select)); + + while (pending > 0) { +-- +2.39.2 + diff --git a/queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch b/queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch new file mode 100644 index 00000000000..9f74239f291 --- /dev/null +++ b/queue-4.14/thermal-intel-fix-unsigned-comparison-with-less-than.patch @@ -0,0 +1,42 @@ +From 1c833bd6bcab52ef2440777415fb260578f76658 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Jan 2023 08:59:51 +0800 +Subject: thermal: intel: Fix unsigned comparison with less than zero + +From: Yang Li + +[ Upstream commit e7fcfe67f9f410736b758969477b17ea285e8e6c ] + +The return value from the call to intel_tcc_get_tjmax() is int, which can +be a negative error code. However, the return value is being assigned to +an u32 variable 'tj_max', so making 'tj_max' an int. + +Eliminate the following warning: +./drivers/thermal/intel/intel_soc_dts_iosf.c:394:5-11: WARNING: Unsigned expression compared with zero: tj_max < 0 + +Link: https://bugzilla.openanolis.cn/show_bug.cgi?id=3637 +Reported-by: Abaci Robot +Signed-off-by: Yang Li +Acked-by: Zhang Rui +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/intel_soc_dts_iosf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/thermal/intel_soc_dts_iosf.c b/drivers/thermal/intel_soc_dts_iosf.c +index e0813dfaa2783..435a093998000 100644 +--- a/drivers/thermal/intel_soc_dts_iosf.c ++++ b/drivers/thermal/intel_soc_dts_iosf.c +@@ -405,7 +405,7 @@ struct intel_soc_dts_sensors *intel_soc_dts_iosf_init( + { + struct intel_soc_dts_sensors *sensors; + bool notification; +- u32 tj_max; ++ int tj_max; + int ret; + int i; + +-- +2.39.2 + diff --git a/queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch b/queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch new file mode 100644 index 00000000000..2ba6284330b --- /dev/null +++ b/queue-4.14/timers-prevent-union-confusion-from-unexpected-resta.patch @@ -0,0 +1,108 @@ +From 3c683c46758688b0b24f8123a07a7e22ca57692e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Jan 2023 14:44:03 +0100 +Subject: timers: Prevent union confusion from unexpected restart_syscall() + +From: Jann Horn + +[ Upstream commit 9f76d59173d9d146e96c66886b671c1915a5c5e5 ] + +The nanosleep syscalls use the restart_block mechanism, with a quirk: +The `type` and `rmtp`/`compat_rmtp` fields are set up unconditionally on +syscall entry, while the rest of the restart_block is only set up in the +unlikely case that the syscall is actually interrupted by a signal (or +pseudo-signal) that doesn't have a signal handler. + +If the restart_block was set up by a previous syscall (futex(..., +FUTEX_WAIT, ...) or poll()) and hasn't been invalidated somehow since then, +this will clobber some of the union fields used by futex_wait_restart() and +do_restart_poll(). + +If userspace afterwards wrongly calls the restart_syscall syscall, +futex_wait_restart()/do_restart_poll() will read struct fields that have +been clobbered. + +This doesn't actually lead to anything particularly interesting because +none of the union fields contain trusted kernel data, and +futex(..., FUTEX_WAIT, ...) and poll() aren't syscalls where it makes much +sense to apply seccomp filters to their arguments. + +So the current consequences are just of the "if userspace does bad stuff, +it can damage itself, and that's not a problem" flavor. + +But still, it seems like a hazard for future developers, so invalidate the +restart_block when partly setting it up in the nanosleep syscalls. + +Signed-off-by: Jann Horn +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20230105134403.754986-1-jannh@google.com +Signed-off-by: Sasha Levin +--- + kernel/time/hrtimer.c | 2 ++ + kernel/time/posix-stubs.c | 2 ++ + kernel/time/posix-timers.c | 2 ++ + 3 files changed, 6 insertions(+) + +diff --git a/kernel/time/hrtimer.c b/kernel/time/hrtimer.c +index 94dd37e8890d8..7a84c54219f35 100644 +--- a/kernel/time/hrtimer.c ++++ b/kernel/time/hrtimer.c +@@ -1564,6 +1564,7 @@ SYSCALL_DEFINE2(nanosleep, struct timespec __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +@@ -1582,6 +1583,7 @@ COMPAT_SYSCALL_DEFINE2(nanosleep, struct compat_timespec __user *, rqtp, + if (!timespec64_valid(&tu)) + return -EINVAL; + ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&tu, HRTIMER_MODE_REL, CLOCK_MONOTONIC); +diff --git a/kernel/time/posix-stubs.c b/kernel/time/posix-stubs.c +index 06f34feb635ed..20117340c2493 100644 +--- a/kernel/time/posix-stubs.c ++++ b/kernel/time/posix-stubs.c +@@ -136,6 +136,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + return hrtimer_nanosleep(&t64, flags & TIMER_ABSTIME ? +@@ -222,6 +223,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + return hrtimer_nanosleep(&t64, flags & TIMER_ABSTIME ? +diff --git a/kernel/time/posix-timers.c b/kernel/time/posix-timers.c +index f46694850b445..8b90abd690730 100644 +--- a/kernel/time/posix-timers.c ++++ b/kernel/time/posix-timers.c +@@ -1227,6 +1227,7 @@ SYSCALL_DEFINE4(clock_nanosleep, const clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_NATIVE : TT_NONE; + current->restart_block.nanosleep.rmtp = rmtp; + +@@ -1253,6 +1254,7 @@ COMPAT_SYSCALL_DEFINE4(clock_nanosleep, clockid_t, which_clock, int, flags, + return -EINVAL; + if (flags & TIMER_ABSTIME) + rmtp = NULL; ++ current->restart_block.fn = do_no_restart_syscall; + current->restart_block.nanosleep.type = rmtp ? TT_COMPAT : TT_NONE; + current->restart_block.nanosleep.compat_rmtp = rmtp; + +-- +2.39.2 + diff --git a/queue-4.14/udf-define-efscorrupted-error-code.patch b/queue-4.14/udf-define-efscorrupted-error-code.patch new file mode 100644 index 00000000000..c4957242e4a --- /dev/null +++ b/queue-4.14/udf-define-efscorrupted-error-code.patch @@ -0,0 +1,34 @@ +From ed3660d47bcb95f9e5fb8b7762ea5f1e583e9aff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 16:34:45 +0200 +Subject: udf: Define EFSCORRUPTED error code + +From: Jan Kara + +[ Upstream commit 3d2d7e61553dbcc8ba45201d8ae4f383742c8202 ] + +Similarly to other filesystems define EFSCORRUPTED error code for +reporting internal filesystem corruption. + +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/udf_sb.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/udf/udf_sb.h b/fs/udf/udf_sb.h +index 68c9f1d618f5b..796706d73feb8 100644 +--- a/fs/udf/udf_sb.h ++++ b/fs/udf/udf_sb.h +@@ -56,6 +56,8 @@ + #define MF_DUPLICATE_MD 0x01 + #define MF_MIRROR_FE_LOADED 0x02 + ++#define EFSCORRUPTED EUCLEAN ++ + struct udf_meta_data { + __u32 s_meta_file_loc; + __u32 s_mirror_file_loc; +-- +2.39.2 + diff --git a/queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch b/queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch new file mode 100644 index 00000000000..2f98a283810 --- /dev/null +++ b/queue-4.14/wifi-ath9k-fix-potential-stack-out-of-bounds-write-i.patch @@ -0,0 +1,62 @@ +From 695c0b02425ae99a090c64e33d682426a711c99e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 21:41:30 +0900 +Subject: wifi: ath9k: Fix potential stack-out-of-bounds write in + ath9k_wmi_rsp_callback() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Minsuk Kang + +[ Upstream commit 8a2f35b9830692f7a616f2f627f943bc748af13a ] + +Fix a stack-out-of-bounds write that occurs in a WMI response callback +function that is called after a timeout occurs in ath9k_wmi_cmd(). +The callback writes to wmi->cmd_rsp_buf, a stack-allocated buffer that +could no longer be valid when a timeout occurs. Set wmi->last_seq_id to +0 when a timeout occurred. + +Found by a modified version of syzkaller. + +BUG: KASAN: stack-out-of-bounds in ath9k_wmi_ctrl_rx +Write of size 4 +Call Trace: + memcpy + ath9k_wmi_ctrl_rx + ath9k_htc_rx_msg + ath9k_hif_usb_reg_in_cb + __usb_hcd_giveback_urb + usb_hcd_giveback_urb + dummy_timer + call_timer_fn + run_timer_softirq + __do_softirq + irq_exit_rcu + sysvec_apic_timer_interrupt + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Signed-off-by: Minsuk Kang +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104124130.10996-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/wmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/ath/ath9k/wmi.c b/drivers/net/wireless/ath/ath9k/wmi.c +index 4b68804f3742e..9a17f7a07b1e8 100644 +--- a/drivers/net/wireless/ath/ath9k/wmi.c ++++ b/drivers/net/wireless/ath/ath9k/wmi.c +@@ -337,6 +337,7 @@ int ath9k_wmi_cmd(struct wmi *wmi, enum wmi_cmd_id cmd_id, + if (!time_left) { + ath_dbg(common, WMI, "Timeout waiting for WMI command: %s\n", + wmi_cmd_to_name(cmd_id)); ++ wmi->last_seq_id = 0; + mutex_unlock(&wmi->op_mutex); + kfree_skb(skb); + return -ETIMEDOUT; +-- +2.39.2 + diff --git a/queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch b/queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch new file mode 100644 index 00000000000..b76b4f218fb --- /dev/null +++ b/queue-4.14/wifi-ath9k-htc_hst-free-skb-in-ath9k_htc_rx_msg-if-t.patch @@ -0,0 +1,58 @@ +From 00b553341a9692e1f89ea76c4d1cb3fb00a7501e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Jan 2023 15:35:46 +0300 +Subject: wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no + callback function +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 9b25e3985477ac3f02eca5fc1e0cc6850a3f7e69 ] + +It is stated that ath9k_htc_rx_msg() either frees the provided skb or +passes its management to another callback function. However, the skb is +not freed in case there is no another callback function, and Syzkaller was +able to cause a memory leak. Also minor comment fix. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") +Reported-by: syzbot+e008dccab31bd3647609@syzkaller.appspotmail.com +Reported-by: syzbot+6692c72009680f7c4eb2@syzkaller.appspotmail.com +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230104123546.51427-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/htc_hst.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath9k/htc_hst.c b/drivers/net/wireless/ath/ath9k/htc_hst.c +index 6d69cf69fd86e..6331c98088e03 100644 +--- a/drivers/net/wireless/ath/ath9k/htc_hst.c ++++ b/drivers/net/wireless/ath/ath9k/htc_hst.c +@@ -394,7 +394,7 @@ static void ath9k_htc_fw_panic_report(struct htc_target *htc_handle, + * HTC Messages are handled directly here and the obtained SKB + * is freed. + * +- * Service messages (Data, WMI) passed to the corresponding ++ * Service messages (Data, WMI) are passed to the corresponding + * endpoint RX handlers, which have to free the SKB. + */ + void ath9k_htc_rx_msg(struct htc_target *htc_handle, +@@ -481,6 +481,8 @@ void ath9k_htc_rx_msg(struct htc_target *htc_handle, + if (endpoint->ep_callbacks.rx) + endpoint->ep_callbacks.rx(endpoint->ep_callbacks.priv, + skb, epid); ++ else ++ goto invalid; + } + } + +-- +2.39.2 + diff --git a/queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch b/queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch new file mode 100644 index 00000000000..29a6e8911a4 --- /dev/null +++ b/queue-4.14/wifi-brcmfmac-fix-potential-memory-leak-in-brcmf_net.patch @@ -0,0 +1,39 @@ +From 7cbecdd172a2f771477fb290e9586adb6e3462ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 19:33:01 +0800 +Subject: wifi: brcmfmac: fix potential memory leak in + brcmf_netdev_start_xmit() + +From: Zhang Changzhong + +[ Upstream commit 212fde3fe76e962598ce1d47b97cc78afdfc71b3 ] + +The brcmf_netdev_start_xmit() returns NETDEV_TX_OK without freeing skb +in case of pskb_expand_head() fails, add dev_kfree_skb() to fix it. +Compile tested only. + +Fixes: 270a6c1f65fe ("brcmfmac: rework headroom check in .start_xmit()") +Signed-off-by: Zhang Changzhong +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1668684782-47422-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +index 9c8102be1d0b3..55027886f4041 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/core.c +@@ -226,6 +226,7 @@ static netdev_tx_t brcmf_netdev_start_xmit(struct sk_buff *skb, + brcmf_err("%s: failed to expand headroom\n", + brcmf_ifname(ifp)); + atomic_inc(&drvr->bus_if->stats.pktcow_failed); ++ dev_kfree_skb(skb); + goto done; + } + } +-- +2.39.2 + diff --git a/queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch b/queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch new file mode 100644 index 00000000000..8517cf88a79 --- /dev/null +++ b/queue-4.14/wifi-brcmfmac-fix-potential-stack-out-of-bounds-in-b.patch @@ -0,0 +1,160 @@ +From fa23bbb31955db1ba893b4b99d4a1a2b938c8358 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 13:34:58 +0900 +Subject: wifi: brcmfmac: Fix potential stack-out-of-bounds in + brcmf_c_preinit_dcmds() + +From: Jisoo Jang + +[ Upstream commit 0a06cadcc2a0044e4a117cc0e61436fc3a0dad69 ] + +This patch fixes a stack-out-of-bounds read in brcmfmac that occurs +when 'buf' that is not null-terminated is passed as an argument of +strsep() in brcmf_c_preinit_dcmds(). This buffer is filled with a firmware +version string by memcpy() in brcmf_fil_iovar_data_get(). +The patch ensures buf is null-terminated. + +Found by a modified version of syzkaller. + +[ 47.569679][ T1897] brcmfmac: brcmf_fw_alloc_request: using brcm/brcmfmac43236b for chip BCM43236/3 +[ 47.582839][ T1897] brcmfmac: brcmf_c_process_clm_blob: no clm_blob available (err=-2), device may have limited channels available +[ 47.601565][ T1897] ================================================================== +[ 47.602574][ T1897] BUG: KASAN: stack-out-of-bounds in strsep+0x1b2/0x1f0 +[ 47.603447][ T1897] Read of size 1 at addr ffffc90001f6f000 by task kworker/0:2/1897 +[ 47.604336][ T1897] +[ 47.604621][ T1897] CPU: 0 PID: 1897 Comm: kworker/0:2 Tainted: G O 5.14.0+ #131 +[ 47.605617][ T1897] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +[ 47.606907][ T1897] Workqueue: usb_hub_wq hub_event +[ 47.607453][ T1897] Call Trace: +[ 47.607801][ T1897] dump_stack_lvl+0x8e/0xd1 +[ 47.608295][ T1897] print_address_description.constprop.0.cold+0xf/0x334 +[ 47.609009][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609434][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.609863][ T1897] kasan_report.cold+0x83/0xdf +[ 47.610366][ T1897] ? strsep+0x1b2/0x1f0 +[ 47.610882][ T1897] strsep+0x1b2/0x1f0 +[ 47.611300][ T1897] ? brcmf_fil_iovar_data_get+0x3a/0xf0 +[ 47.611883][ T1897] brcmf_c_preinit_dcmds+0x995/0xc40 +[ 47.612434][ T1897] ? brcmf_c_set_joinpref_default+0x100/0x100 +[ 47.613078][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.613662][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.614208][ T1897] ? lock_acquire+0x19d/0x4e0 +[ 47.614704][ T1897] ? find_held_lock+0x2d/0x110 +[ 47.615236][ T1897] ? brcmf_usb_deq+0x1a7/0x260 +[ 47.615741][ T1897] ? brcmf_usb_rx_fill_all+0x5a/0xf0 +[ 47.616288][ T1897] brcmf_attach+0x246/0xd40 +[ 47.616758][ T1897] ? wiphy_new_nm+0x1703/0x1dd0 +[ 47.617280][ T1897] ? kmemdup+0x43/0x50 +[ 47.617720][ T1897] brcmf_usb_probe+0x12de/0x1690 +[ 47.618244][ T1897] ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 +[ 47.618901][ T1897] usb_probe_interface+0x2aa/0x760 +[ 47.619429][ T1897] ? usb_probe_device+0x250/0x250 +[ 47.619950][ T1897] really_probe+0x205/0xb70 +[ 47.620435][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.621048][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.621595][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.622209][ T1897] driver_probe_device+0x4e/0x150 +[ 47.622739][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.623287][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.623796][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.624309][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.624907][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.625437][ T1897] __device_attach+0x23f/0x3a0 +[ 47.625924][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.626433][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.627057][ T1897] bus_probe_device+0x1da/0x290 +[ 47.627557][ T1897] device_add+0xb7b/0x1eb0 +[ 47.628027][ T1897] ? wait_for_completion+0x290/0x290 +[ 47.628593][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.629249][ T1897] usb_set_configuration+0xf59/0x16f0 +[ 47.629829][ T1897] usb_generic_driver_probe+0x82/0xa0 +[ 47.630385][ T1897] usb_probe_device+0xbb/0x250 +[ 47.630927][ T1897] ? usb_suspend+0x590/0x590 +[ 47.631397][ T1897] really_probe+0x205/0xb70 +[ 47.631855][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.632469][ T1897] __driver_probe_device+0x311/0x4b0 +[ 47.633002][ T1897] ? usb_generic_driver_match+0x75/0x90 +[ 47.633573][ T1897] ? driver_allows_async_probing+0x130/0x130 +[ 47.634170][ T1897] driver_probe_device+0x4e/0x150 +[ 47.634703][ T1897] __device_attach_driver+0x1cc/0x2a0 +[ 47.635248][ T1897] bus_for_each_drv+0x156/0x1d0 +[ 47.635748][ T1897] ? bus_rescan_devices+0x30/0x30 +[ 47.636271][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.636881][ T1897] ? trace_hardirqs_on+0x46/0x160 +[ 47.637396][ T1897] __device_attach+0x23f/0x3a0 +[ 47.637904][ T1897] ? device_bind_driver+0xd0/0xd0 +[ 47.638426][ T1897] ? kobject_uevent_env+0x287/0x14b0 +[ 47.638985][ T1897] bus_probe_device+0x1da/0x290 +[ 47.639512][ T1897] device_add+0xb7b/0x1eb0 +[ 47.639977][ T1897] ? __fw_devlink_link_to_suppliers+0x5a0/0x5a0 +[ 47.640612][ T1897] ? kfree+0x14a/0x6b0 +[ 47.641055][ T1897] ? __usb_get_extra_descriptor+0x116/0x160 +[ 47.641679][ T1897] usb_new_device.cold+0x49c/0x1029 +[ 47.642245][ T1897] ? hub_disconnect+0x450/0x450 +[ 47.642756][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.643273][ T1897] ? _raw_spin_unlock_irq+0x24/0x30 +[ 47.643822][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.644445][ T1897] hub_event+0x1c98/0x3950 +[ 47.644939][ T1897] ? hub_port_debounce+0x2e0/0x2e0 +[ 47.645467][ T1897] ? check_irq_usage+0x861/0xf20 +[ 47.645975][ T1897] ? drain_workqueue+0x280/0x360 +[ 47.646506][ T1897] ? lock_release+0x640/0x640 +[ 47.646994][ T1897] ? rcu_read_lock_sched_held+0xa1/0xd0 +[ 47.647572][ T1897] ? rcu_read_lock_bh_held+0xb0/0xb0 +[ 47.648111][ T1897] ? lockdep_hardirqs_on_prepare+0x273/0x3e0 +[ 47.648735][ T1897] process_one_work+0x92b/0x1460 +[ 47.649262][ T1897] ? pwq_dec_nr_in_flight+0x330/0x330 +[ 47.649816][ T1897] ? rwlock_bug.part.0+0x90/0x90 +[ 47.650336][ T1897] worker_thread+0x95/0xe00 +[ 47.650830][ T1897] ? __kthread_parkme+0x115/0x1e0 +[ 47.651361][ T1897] ? process_one_work+0x1460/0x1460 +[ 47.651904][ T1897] kthread+0x3a1/0x480 +[ 47.652329][ T1897] ? set_kthread_struct+0x120/0x120 +[ 47.652878][ T1897] ret_from_fork+0x1f/0x30 +[ 47.653370][ T1897] +[ 47.653608][ T1897] +[ 47.653848][ T1897] addr ffffc90001f6f000 is located in stack of task kworker/0:2/1897 at offset 512 in frame: +[ 47.654891][ T1897] brcmf_c_preinit_dcmds+0x0/0xc40 +[ 47.655442][ T1897] +[ 47.655690][ T1897] this frame has 4 objects: +[ 47.656151][ T1897] [48, 56) 'ptr' +[ 47.656159][ T1897] [80, 148) 'revinfo' +[ 47.656534][ T1897] [192, 210) 'eventmask' +[ 47.656953][ T1897] [256, 512) 'buf' +[ 47.657410][ T1897] +[ 47.658035][ T1897] Memory state around the buggy address: +[ 47.658743][ T1897] ffffc90001f6ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.659577][ T1897] ffffc90001f6ef80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.660394][ T1897] >ffffc90001f6f000: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 +[ 47.661199][ T1897] ^ +[ 47.661625][ T1897] ffffc90001f6f080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 +[ 47.662455][ T1897] ffffc90001f6f100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 +[ 47.663318][ T1897] ================================================================== +[ 47.664147][ T1897] Disabling lock debugging due to kernel taint + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Signed-off-by: Jisoo Jang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221115043458.37562-1-jisoo.jang@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +index 7a2b49587b4d3..b2f46685391c2 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/common.c +@@ -157,6 +157,7 @@ int brcmf_c_preinit_dcmds(struct brcmf_if *ifp) + err); + goto done; + } ++ buf[sizeof(buf) - 1] = '\0'; + ptr = (char *)buf; + strsep(&ptr, "\n"); + +-- +2.39.2 + diff --git a/queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch b/queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch new file mode 100644 index 00000000000..5598901a36f --- /dev/null +++ b/queue-4.14/wifi-brcmfmac-unmap-dma-buffer-in-brcmf_msgbuf_alloc.patch @@ -0,0 +1,46 @@ +From cf7c9e0c7068bf224de24bd8ce25471d3ea47561 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 09:31:14 +0800 +Subject: wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() + +From: Zhengchao Shao + +[ Upstream commit b9f420032f2ba1e634b22ca7b433e5c40ea663af ] + +After the DMA buffer is mapped to a physical address, address is stored +in pktids in brcmf_msgbuf_alloc_pktid(). Then, pktids is parsed in +brcmf_msgbuf_get_pktid()/brcmf_msgbuf_release_array() to obtain physaddr +and later unmap the DMA buffer. But when count is always equal to +pktids->array_size, physaddr isn't stored in pktids and the DMA buffer +will not be unmapped anyway. + +Fixes: 9a1bb60250d2 ("brcmfmac: Adding msgbuf protocol.") +Signed-off-by: Zhengchao Shao +Reviewed-by: Sebastian Andrzej Siewior +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207013114.1748936-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +index 5f0af5fac343d..19dad0a72753d 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/msgbuf.c +@@ -337,8 +337,11 @@ brcmf_msgbuf_alloc_pktid(struct device *dev, + count++; + } while (count < pktids->array_size); + +- if (count == pktids->array_size) ++ if (count == pktids->array_size) { ++ dma_unmap_single(dev, *physaddr, skb->len - data_offset, ++ pktids->direction); + return -ENOMEM; ++ } + + array[*idx].data_offset = data_offset; + array[*idx].physaddr = *physaddr; +-- +2.39.2 + diff --git a/queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch b/queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch new file mode 100644 index 00000000000..c5e64c6c14e --- /dev/null +++ b/queue-4.14/wifi-ipw2200-fix-memory-leak-in-ipw_wdev_init.patch @@ -0,0 +1,47 @@ +From 4166914c7ee1fda60c5c19822e7c878e2a996c1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 09:24:22 +0800 +Subject: wifi: ipw2200: fix memory leak in ipw_wdev_init() + +From: Zhengchao Shao + +[ Upstream commit 9fe21dc626117fb44a8eb393713a86a620128ce3 ] + +In the error path of ipw_wdev_init(), exception value is returned, and +the memory applied for in the function is not released. Also the memory +is not released in ipw_pci_probe(). As a result, memory leakage occurs. +So memory release needs to be added to the error path of ipw_wdev_init(). + +Fixes: a3caa99e6c68 ("libipw: initiate cfg80211 API conversion (v2)") +Signed-off-by: Zhengchao Shao +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221209012422.182669-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intel/ipw2x00/ipw2200.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/intel/ipw2x00/ipw2200.c b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +index 2d0734ab3f747..3c447d6f84af5 100644 +--- a/drivers/net/wireless/intel/ipw2x00/ipw2200.c ++++ b/drivers/net/wireless/intel/ipw2x00/ipw2200.c +@@ -11437,9 +11437,14 @@ static int ipw_wdev_init(struct net_device *dev) + set_wiphy_dev(wdev->wiphy, &priv->pci_dev->dev); + + /* With that information in place, we can now register the wiphy... */ +- if (wiphy_register(wdev->wiphy)) +- rc = -EIO; ++ rc = wiphy_register(wdev->wiphy); ++ if (rc) ++ goto out; ++ ++ return 0; + out: ++ kfree(priv->ieee->a_band.channels); ++ kfree(priv->ieee->bg_band.channels); + return rc; + } + +-- +2.39.2 + diff --git a/queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch b/queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch new file mode 100644 index 00000000000..ca51be0e9a3 --- /dev/null +++ b/queue-4.14/wifi-libertas-cmdresp-don-t-call-kfree_skb-under-spi.patch @@ -0,0 +1,40 @@ +From e3182e11fc87a953efde0086b31bdb56824de9e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:08 +0800 +Subject: wifi: libertas: cmdresp: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 708a49a64237f19bd404852f297aaadbc9e7fee0 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: f52b041aed77 ("libertas: Add spinlock to avoid race condition") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-5-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/cmdresp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/cmdresp.c b/drivers/net/wireless/marvell/libertas/cmdresp.c +index b73d083813985..5908f07d62ed7 100644 +--- a/drivers/net/wireless/marvell/libertas/cmdresp.c ++++ b/drivers/net/wireless/marvell/libertas/cmdresp.c +@@ -48,7 +48,7 @@ void lbs_mac_event_disconnected(struct lbs_private *priv, + + /* Free Tx and Rx packets */ + spin_lock_irqsave(&priv->driver_lock, flags); +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch b/queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch new file mode 100644 index 00000000000..8e89d0caf1f --- /dev/null +++ b/queue-4.14/wifi-libertas-fix-memory-leak-in-lbs_init_adapter.patch @@ -0,0 +1,37 @@ +From 1967a9ad2e5e9b42031473deaf805cf1b0a42e0d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:14:48 +0800 +Subject: wifi: libertas: fix memory leak in lbs_init_adapter() + +From: Zhengchao Shao + +[ Upstream commit 16a03958618fb91bb1bc7077cf3211055162cc2f ] + +When kfifo_alloc() failed in lbs_init_adapter(), cmd buffer is not +released. Add free memory to processing error path. + +Fixes: 7919b89c8276 ("libertas: convert libertas driver to use an event/cmdresp queue") +Signed-off-by: Zhengchao Shao +Reviewed-by: Jiri Pirko +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208121448.2845986-1-shaozhengchao@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index aefa88f4f29ce..feb204cd74a9a 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -872,6 +872,7 @@ static int lbs_init_adapter(struct lbs_private *priv) + ret = kfifo_alloc(&priv->event_fifo, sizeof(u32) * 16, GFP_KERNEL); + if (ret) { + pr_err("Out of memory allocating event FIFO buffer\n"); ++ lbs_free_cmd_buffer(priv); + goto out; + } + +-- +2.39.2 + diff --git a/queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch b/queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..3ef5cdf17b0 --- /dev/null +++ b/queue-4.14/wifi-libertas-main-don-t-call-kfree_skb-under-spin_l.patch @@ -0,0 +1,40 @@ +From 3484a9186e959d4eae982e187161a7c2de35783a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:00:07 +0800 +Subject: wifi: libertas: main: don't call kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f393df151540bf858effbd29ff572ab94e76a4c4 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: d2e7b3425c47 ("libertas: disable functionality when interface is down") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150008.111743-4-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/libertas/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/marvell/libertas/main.c b/drivers/net/wireless/marvell/libertas/main.c +index feb204cd74a9a..21816f0e9e930 100644 +--- a/drivers/net/wireless/marvell/libertas/main.c ++++ b/drivers/net/wireless/marvell/libertas/main.c +@@ -216,7 +216,7 @@ int lbs_stop_iface(struct lbs_private *priv) + + spin_lock_irqsave(&priv->driver_lock, flags); + priv->iface_running = false; +- kfree_skb(priv->currenttxskb); ++ dev_kfree_skb_irq(priv->currenttxskb); + priv->currenttxskb = NULL; + priv->tx_pending_len = 0; + spin_unlock_irqrestore(&priv->driver_lock, flags); +-- +2.39.2 + diff --git a/queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch b/queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch new file mode 100644 index 00000000000..bf639462de4 --- /dev/null +++ b/queue-4.14/wifi-mwifiex-fix-loop-iterator-in-mwifiex_update_amp.patch @@ -0,0 +1,48 @@ +From 08b3c7bb593c900f003eb338823ac74f68d15f5d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Feb 2023 17:41:33 +0300 +Subject: wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() + +From: Dan Carpenter + +[ Upstream commit 3cfb7df24cee0f5fdc4cc5d3176cab9aadfcb430 ] + +This code re-uses "i" to be the iterator for both the inside and outside +loops. It means the outside loop will exit earlier than intended. + +Fixes: d219b7eb3792 ("mwifiex: handle BT coex event to adjust Rx BA window size") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/Y+ERnaDaZD7RtLvX@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/marvell/mwifiex/11n.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/marvell/mwifiex/11n.c b/drivers/net/wireless/marvell/mwifiex/11n.c +index 2844f937cc659..1e4921d9061dc 100644 +--- a/drivers/net/wireless/marvell/mwifiex/11n.c ++++ b/drivers/net/wireless/marvell/mwifiex/11n.c +@@ -878,7 +878,7 @@ mwifiex_send_delba_txbastream_tbl(struct mwifiex_private *priv, u8 tid) + */ + void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + { +- u8 i; ++ u8 i, j; + u32 tx_win_size; + struct mwifiex_private *priv; + +@@ -909,8 +909,8 @@ void mwifiex_update_ampdu_txwinsize(struct mwifiex_adapter *adapter) + if (tx_win_size != priv->add_ba_param.tx_win_size) { + if (!priv->media_connected) + continue; +- for (i = 0; i < MAX_NUM_TID; i++) +- mwifiex_send_delba_txbastream_tbl(priv, i); ++ for (j = 0; j < MAX_NUM_TID; j++) ++ mwifiex_send_delba_txbastream_tbl(priv, j); + } + } + } +-- +2.39.2 + diff --git a/queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch b/queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch new file mode 100644 index 00000000000..ee08cf0685b --- /dev/null +++ b/queue-4.14/wifi-orinoco-check-return-value-of-hermes_write_word.patch @@ -0,0 +1,43 @@ +From 6114ddbfc3721144f9369c76fd179bd86c066c6b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Dec 2022 16:33:06 +0300 +Subject: wifi: orinoco: check return value of hermes_write_wordrec() + +From: Alexey Kodanev + +[ Upstream commit 1e346cbb096a5351a637ec1992beffbf330547f0 ] + +There is currently no return check for writing an authentication +type (HERMES_AUTH_SHARED_KEY or HERMES_AUTH_OPEN). It looks like +it was accidentally skipped. + +This patch adds a return check similar to the other checks in +__orinoco_hw_setup_enc() for hermes_write_wordrec(). + +Detected using the static analysis tool - Svace. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Alexey Kodanev +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221227133306.201356-1-aleksei.kodanev@bell-sw.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/intersil/orinoco/hw.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/intersil/orinoco/hw.c b/drivers/net/wireless/intersil/orinoco/hw.c +index 61af5a28f269f..af49aa421e47f 100644 +--- a/drivers/net/wireless/intersil/orinoco/hw.c ++++ b/drivers/net/wireless/intersil/orinoco/hw.c +@@ -931,6 +931,8 @@ int __orinoco_hw_setup_enc(struct orinoco_private *priv) + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFAUTHENTICATION_AGERE, + auth_flag); ++ if (err) ++ return err; + } + err = hermes_write_wordrec(hw, USER_BAP, + HERMES_RID_CNFWEPENABLED_AGERE, +-- +2.39.2 + diff --git a/queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..97c65d2b39c --- /dev/null +++ b/queue-4.14/wifi-rtl8xxxu-don-t-call-dev_kfree_skb-under-spin_lo.patch @@ -0,0 +1,47 @@ +From 0574d12abeaf2c32a056b42aac4b8e2df0a30507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:35:17 +0800 +Subject: wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 4c2005ac87685907b3719b4f40215b578efd27c4 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called to free and drop the SKB when +it's shutdown, so replace it with dev_kfree_skb_irq(). Compile tested +only. + +Fixes: 26f1fad29ad9 ("New driver: rtl8xxxu (mac80211)") +Signed-off-by: Yang Yingliang +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221208143517.2383424-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +index f7c879a7a1be3..c9fe9383026e2 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c +@@ -5101,7 +5101,7 @@ static void rtl8xxxu_queue_rx_urb(struct rtl8xxxu_priv *priv, + pending = priv->rx_urb_pending_count; + } else { + skb = (struct sk_buff *)rx_urb->urb.context; +- dev_kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + usb_free_urb(&rx_urb->urb); + } + +-- +2.39.2 + diff --git a/queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch b/queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch new file mode 100644 index 00000000000..7f3251b312e --- /dev/null +++ b/queue-4.14/wifi-wl3501_cs-don-t-call-kfree_skb-under-spin_lock_.patch @@ -0,0 +1,39 @@ +From 62b8b69151113f114279be189f1b520bcedde7a1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 23:04:53 +0800 +Subject: wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 44bacbdf9066c590423259dbd6d520baac99c1a8 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). Compile +tested only. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221207150453.114742-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/wl3501_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/wl3501_cs.c b/drivers/net/wireless/wl3501_cs.c +index f33ece9370473..cfde9b94b4b60 100644 +--- a/drivers/net/wireless/wl3501_cs.c ++++ b/drivers/net/wireless/wl3501_cs.c +@@ -1329,7 +1329,7 @@ static netdev_tx_t wl3501_hard_start_xmit(struct sk_buff *skb, + } else { + ++dev->stats.tx_packets; + dev->stats.tx_bytes += skb->len; +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + + if (this->tx_buffer_cnt < 2) + netif_stop_queue(dev); +-- +2.39.2 + diff --git a/queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch b/queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch new file mode 100644 index 00000000000..499af052237 --- /dev/null +++ b/queue-4.14/x86-bugs-reset-speculation-control-settings-on-init.patch @@ -0,0 +1,75 @@ +From b88524bab80fcb164f449ae71d2b5104e1dc533f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 07:31:48 -0800 +Subject: x86/bugs: Reset speculation control settings on init + +From: Breno Leitao + +[ Upstream commit 0125acda7d76b943ca55811df40ed6ec0ecf670f ] + +Currently, x86_spec_ctrl_base is read at boot time and speculative bits +are set if Kconfig items are enabled. For example, IBRS is enabled if +CONFIG_CPU_IBRS_ENTRY is configured, etc. These MSR bits are not cleared +if the mitigations are disabled. + +This is a problem when kexec-ing a kernel that has the mitigation +disabled from a kernel that has the mitigation enabled. In this case, +the MSR bits are not cleared during the new kernel boot. As a result, +this might have some performance degradation that is hard to pinpoint. + +This problem does not happen if the machine is (hard) rebooted because +the bit will be cleared by default. + + [ bp: Massage. ] + +Suggested-by: Pawan Gupta +Signed-off-by: Breno Leitao +Signed-off-by: Borislav Petkov (AMD) +Link: https://lore.kernel.org/r/20221128153148.1129350-1-leitao@debian.org +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/msr-index.h | 4 ++++ + arch/x86/kernel/cpu/bugs.c | 10 +++++++++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h +index d7a344e0a8519..c71862d340485 100644 +--- a/arch/x86/include/asm/msr-index.h ++++ b/arch/x86/include/asm/msr-index.h +@@ -50,6 +50,10 @@ + #define SPEC_CTRL_RRSBA_DIS_S_SHIFT 6 /* Disable RRSBA behavior */ + #define SPEC_CTRL_RRSBA_DIS_S BIT(SPEC_CTRL_RRSBA_DIS_S_SHIFT) + ++/* A mask for bits which the kernel toggles when controlling mitigations */ ++#define SPEC_CTRL_MITIGATIONS_MASK (SPEC_CTRL_IBRS | SPEC_CTRL_STIBP | SPEC_CTRL_SSBD \ ++ | SPEC_CTRL_RRSBA_DIS_S) ++ + #define MSR_IA32_PRED_CMD 0x00000049 /* Prediction Command */ + #define PRED_CMD_IBPB BIT(0) /* Indirect Branch Prediction Barrier */ + +diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c +index 80dfd84c3ca82..166c9e28f7bfe 100644 +--- a/arch/x86/kernel/cpu/bugs.c ++++ b/arch/x86/kernel/cpu/bugs.c +@@ -135,9 +135,17 @@ void __init check_bugs(void) + * have unknown values. AMD64_LS_CFG MSR is cached in the early AMD + * init code as it is not enumerated and depends on the family. + */ +- if (boot_cpu_has(X86_FEATURE_MSR_SPEC_CTRL)) ++ if (cpu_feature_enabled(X86_FEATURE_MSR_SPEC_CTRL)) { + rdmsrl(MSR_IA32_SPEC_CTRL, x86_spec_ctrl_base); + ++ /* ++ * Previously running kernel (kexec), may have some controls ++ * turned ON. Clear them and let the mitigations setup below ++ * rediscover them based on configuration. ++ */ ++ x86_spec_ctrl_base &= ~SPEC_CTRL_MITIGATIONS_MASK; ++ } ++ + /* Select the proper CPU mitigations before patching alternatives: */ + spectre_v1_select_mitigation(); + spectre_v2_select_mitigation(); +-- +2.39.2 +