From: Sasha Levin Date: Mon, 13 Sep 2021 01:33:33 +0000 (-0400) Subject: Fixes for 4.4 X-Git-Tag: v5.4.146~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f156d73d7da44357ee275991bc0c346546a90d62;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.4 Signed-off-by: Sasha Levin --- diff --git a/queue-4.4/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch b/queue-4.4/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch new file mode 100644 index 00000000000..7402cbe1135 --- /dev/null +++ b/queue-4.4/arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch @@ -0,0 +1,41 @@ +From 1f36e97196bd20a954db8e561eaa031d9992b222 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 09:21:10 +0200 +Subject: arm64: dts: exynos: correct GIC CPU interfaces address range on + Exynos7 + +From: Krzysztof Kozlowski + +[ Upstream commit 01c72cad790cb6cd3ccbe4c1402b6cb6c6bbffd0 ] + +The GIC-400 CPU interfaces address range is defined as 0x2000-0x3FFF (by +ARM). + +Reported-by: Sam Protsenko +Reported-by: Marc Zyngier +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Sam Protsenko +Reviewed-by: Alim Akhtar +Fixes: b9024cbc937d ("arm64: dts: Add initial device tree support for exynos7") +Link: https://lore.kernel.org/r/20210805072110.4730-1-krzysztof.kozlowski@canonical.com +Signed-off-by: Sasha Levin +--- + arch/arm64/boot/dts/exynos/exynos7.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm64/boot/dts/exynos/exynos7.dtsi b/arch/arm64/boot/dts/exynos/exynos7.dtsi +index f9c5a549c2c0..cb863891f29e 100644 +--- a/arch/arm64/boot/dts/exynos/exynos7.dtsi ++++ b/arch/arm64/boot/dts/exynos/exynos7.dtsi +@@ -90,7 +90,7 @@ + #address-cells = <0>; + interrupt-controller; + reg = <0x11001000 0x1000>, +- <0x11002000 0x1000>, ++ <0x11002000 0x2000>, + <0x11004000 0x2000>, + <0x11006000 0x2000>; + }; +-- +2.30.2 + diff --git a/queue-4.4/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch b/queue-4.4/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch new file mode 100644 index 00000000000..2401ccf76c7 --- /dev/null +++ b/queue-4.4/ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch @@ -0,0 +1,42 @@ +From 8ac7efb4f53f3a71fd66f0ec7647f844350303ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 14:34:38 +0300 +Subject: ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() + +From: Dan Carpenter + +[ Upstream commit fd6729ec534cffbbeb3917761e6d1fe6a412d3fe ] + +This error path is unlikely because of it checked for NULL and +returned -ENOMEM earlier in the function. But it should return +an error code here as well if we ever do hit it because of a +race condition or something. + +Fixes: bdcd81707973 ("Add ath6kl cleaned up driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210813113438.GB30697@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath6kl/wmi.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/ath/ath6kl/wmi.c b/drivers/net/wireless/ath/ath6kl/wmi.c +index 7e1010475cfb..f94d2433a42f 100644 +--- a/drivers/net/wireless/ath/ath6kl/wmi.c ++++ b/drivers/net/wireless/ath/ath6kl/wmi.c +@@ -2508,8 +2508,10 @@ static int ath6kl_wmi_sync_point(struct wmi *wmi, u8 if_idx) + goto free_data_skb; + + for (index = 0; index < num_pri_streams; index++) { +- if (WARN_ON(!data_sync_bufs[index].skb)) ++ if (WARN_ON(!data_sync_bufs[index].skb)) { ++ ret = -ENOMEM; + goto free_data_skb; ++ } + + ep_id = ath6kl_ac2_endpoint_id(wmi->parent_dev, + data_sync_bufs[index]. +-- +2.30.2 + diff --git a/queue-4.4/bcma-fix-memory-leak-for-internally-handled-cores.patch b/queue-4.4/bcma-fix-memory-leak-for-internally-handled-cores.patch new file mode 100644 index 00000000000..56504502185 --- /dev/null +++ b/queue-4.4/bcma-fix-memory-leak-for-internally-handled-cores.patch @@ -0,0 +1,65 @@ +From 76309f7c31471f6bb03a5b74885bb57f1a607c14 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 10:52:31 +0800 +Subject: bcma: Fix memory leak for internally-handled cores + +From: Zenghui Yu + +[ Upstream commit b63aed3ff195130fef12e0af590f4838cf0201d8 ] + +kmemleak reported that dev_name() of internally-handled cores were leaked +on driver unbinding. Let's use device_initialize() to take refcounts for +them and put_device() to properly free the related stuff. + +While looking at it, there's another potential issue for those which should +be *registered* into driver core. If device_register() failed, we put +device once and freed bcma_device structures. In bcma_unregister_cores(), +they're treated as unregistered and we hit both UAF and double-free. That +smells not good and has also been fixed now. + +Fixes: ab54bc8460b5 ("bcma: fill core details for every device") +Signed-off-by: Zenghui Yu +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20210727025232.663-2-yuzenghui@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/bcma/main.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bcma/main.c b/drivers/bcma/main.c +index 327f9e374b44..30827ab3bb07 100644 +--- a/drivers/bcma/main.c ++++ b/drivers/bcma/main.c +@@ -246,6 +246,7 @@ EXPORT_SYMBOL(bcma_core_irq); + + void bcma_prepare_core(struct bcma_bus *bus, struct bcma_device *core) + { ++ device_initialize(&core->dev); + core->dev.release = bcma_release_core_dev; + core->dev.bus = &bcma_bus_type; + dev_set_name(&core->dev, "bcma%d:%d", bus->num, core->core_index); +@@ -309,11 +310,10 @@ static void bcma_register_core(struct bcma_bus *bus, struct bcma_device *core) + { + int err; + +- err = device_register(&core->dev); ++ err = device_add(&core->dev); + if (err) { + bcma_err(bus, "Could not register dev for core 0x%03X\n", + core->id.id); +- put_device(&core->dev); + return; + } + core->dev_registered = true; +@@ -404,7 +404,7 @@ void bcma_unregister_cores(struct bcma_bus *bus) + /* Now noone uses internally-handled cores, we can free them */ + list_for_each_entry_safe(core, tmp, &bus->cores, list) { + list_del(&core->list); +- kfree(core); ++ put_device(&core->dev); + } + } + +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch b/queue-4.4/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch new file mode 100644 index 00000000000..b6da0bfa523 --- /dev/null +++ b/queue-4.4/bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch @@ -0,0 +1,46 @@ +From f77acf6e01a5bf61beca940fc632f7927331fcb9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Aug 2021 18:15:21 +0300 +Subject: Bluetooth: add timeout sanity check to hci_inquiry + +From: Pavel Skripkin + +[ Upstream commit f41a4b2b5eb7872109723dab8ae1603bdd9d9ec1 ] + +Syzbot hit "task hung" bug in hci_req_sync(). The problem was in +unreasonable huge inquiry timeout passed from userspace. +Fix it by adding sanity check for timeout value to hci_inquiry(). + +Since hci_inquiry() is the only user of hci_req_sync() with user +controlled timeout value, it makes sense to check timeout value in +hci_inquiry() and don't touch hci_req_sync(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+be2baed593ea56c6a84c@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index bf69bfd0b475..eefaa10c74db 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1357,6 +1357,12 @@ int hci_inquiry(void __user *arg) + goto done; + } + ++ /* Restrict maximum inquiry length to 60 seconds */ ++ if (ir.length > 60) { ++ err = -EINVAL; ++ goto done; ++ } ++ + hci_dev_lock(hdev); + if (inquiry_cache_age(hdev) > INQUIRY_CACHE_AGE_MAX || + inquiry_cache_empty(hdev) || ir.flags & IREQ_CACHE_FLUSH) { +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch b/queue-4.4/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch new file mode 100644 index 00000000000..a9124b44256 --- /dev/null +++ b/queue-4.4/bluetooth-fix-repeated-calls-to-sco_sock_kill.patch @@ -0,0 +1,86 @@ +From 81934a294644c2a079a9c913f060c8b3e0b5f5d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 12:14:10 +0800 +Subject: Bluetooth: fix repeated calls to sco_sock_kill + +From: Desmond Cheong Zhi Xi + +[ Upstream commit e1dee2c1de2b4dd00eb44004a4bda6326ed07b59 ] + +In commit 4e1a720d0312 ("Bluetooth: avoid killing an already killed +socket"), a check was added to sco_sock_kill to skip killing a socket +if the SOCK_DEAD flag was set. + +This was done after a trace for a use-after-free bug showed that the +same sock pointer was being killed twice. + +Unfortunately, this check prevents sco_sock_kill from running on any +socket. sco_sock_kill kills a socket only if it's zapped and orphaned, +however sock_orphan announces that the socket is dead before detaching +it. i.e., orphaned sockets have the SOCK_DEAD flag set. + +To fix this, we remove the check for SOCK_DEAD, and avoid repeated +calls to sco_sock_kill by removing incorrect calls in: + +1. sco_sock_timeout. The socket should not be killed on timeout as +further processing is expected to be done. For example, +sco_sock_connect sets the timer then waits for the socket to be +connected or for an error to be returned. + +2. sco_conn_del. This function should clean up resources for the +connection, but the socket itself should be cleaned up in +sco_sock_release. + +3. sco_sock_close. Calls to sco_sock_close in sco_sock_cleanup_listen +and sco_sock_release are followed by sco_sock_kill. Hence the +duplicated call should be removed. + +Fixes: 4e1a720d0312 ("Bluetooth: avoid killing an already killed socket") +Signed-off-by: Desmond Cheong Zhi Xi +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index cad0d2750735..701d230fb9cf 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -83,7 +83,6 @@ static void sco_sock_timeout(unsigned long arg) + sk->sk_state_change(sk); + bh_unlock_sock(sk); + +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -175,7 +174,6 @@ static void sco_conn_del(struct hci_conn *hcon, int err) + sco_sock_clear_timer(sk); + sco_chan_del(sk, err); + bh_unlock_sock(sk); +- sco_sock_kill(sk); + sock_put(sk); + } + +@@ -392,8 +390,7 @@ static void sco_sock_cleanup_listen(struct sock *parent) + */ + static void sco_sock_kill(struct sock *sk) + { +- if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket || +- sock_flag(sk, SOCK_DEAD)) ++ if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) + return; + + BT_DBG("sk %p state %d", sk, sk->sk_state); +@@ -445,7 +442,6 @@ static void sco_sock_close(struct sock *sk) + lock_sock(sk); + __sco_sock_close(sk); + release_sock(sk); +- sco_sock_kill(sk); + } + + static void sco_sock_init(struct sock *sk, struct sock *parent) +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch b/queue-4.4/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch new file mode 100644 index 00000000000..047f7da3fda --- /dev/null +++ b/queue-4.4/bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch @@ -0,0 +1,41 @@ +From 17993d4ff0d31515f534fe5ec7327df34c8f1c5e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 4 Aug 2021 16:09:51 +0100 +Subject: Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer + overflow + +From: Colin Ian King + +[ Upstream commit 713baf3dae8f45dc8ada4ed2f5fdcbf94a5c274d ] + +An earlier commit replaced using batostr to using %pMR sprintf for the +construction of session->name. Static analysis detected that this new +method can use a total of 21 characters (including the trailing '\0') +so we need to increase the BTNAMSIZ from 18 to 21 to fix potential +buffer overflows. + +Addresses-Coverity: ("Out-of-bounds write") +Fixes: fcb73338ed53 ("Bluetooth: Use %pMR in sprintf/seq_printf instead of batostr") +Signed-off-by: Colin Ian King +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/cmtp/cmtp.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/cmtp/cmtp.h b/net/bluetooth/cmtp/cmtp.h +index c32638dddbf9..f6b9dc4e408f 100644 +--- a/net/bluetooth/cmtp/cmtp.h ++++ b/net/bluetooth/cmtp/cmtp.h +@@ -26,7 +26,7 @@ + #include + #include + +-#define BTNAMSIZ 18 ++#define BTNAMSIZ 21 + + /* CMTP ioctl defines */ + #define CMTPCONNADD _IOW('C', 200, int) +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-move-shutdown-callback-before-flushing-tx-.patch b/queue-4.4/bluetooth-move-shutdown-callback-before-flushing-tx-.patch new file mode 100644 index 00000000000..5969ba64365 --- /dev/null +++ b/queue-4.4/bluetooth-move-shutdown-callback-before-flushing-tx-.patch @@ -0,0 +1,64 @@ +From 553e00546deff6a19e803306d48c8d188410e5ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 12:53:15 +0800 +Subject: Bluetooth: Move shutdown callback before flushing tx and rx queue + +From: Kai-Heng Feng + +[ Upstream commit 0ea53674d07fb6db2dd7a7ec2fdc85a12eb246c2 ] + +Commit 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues +are flushed or cancelled") introduced a regression that makes mtkbtsdio +driver stops working: +[ 36.593956] Bluetooth: hci0: Firmware already downloaded +[ 46.814613] Bluetooth: hci0: Execution of wmt command timed out +[ 46.814619] Bluetooth: hci0: Failed to send wmt func ctrl (-110) + +The shutdown callback depends on the result of hdev->rx_work, so we +should call it before flushing rx_work: +-> btmtksdio_shutdown() + -> mtk_hci_wmt_sync() + -> __hci_cmd_send() + -> wait for BTMTKSDIO_TX_WAIT_VND_EVT gets cleared + +-> btmtksdio_recv_event() + -> hci_recv_frame() + -> queue_work(hdev->workqueue, &hdev->rx_work) + -> clears BTMTKSDIO_TX_WAIT_VND_EVT + +So move the shutdown callback before flushing TX/RX queue to resolve the +issue. + +Reported-and-tested-by: Mattijs Korpershoek +Tested-by: Hsin-Yi Wang +Cc: Guenter Roeck +Fixes: 0ea9fd001a14 ("Bluetooth: Shutdown controller after workqueues are flushed or cancelled") +Signed-off-by: Kai-Heng Feng +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 304abf2af9f3..bf69bfd0b475 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -1679,6 +1679,14 @@ int hci_dev_do_close(struct hci_dev *hdev) + hci_req_cancel(hdev, ENODEV); + hci_req_lock(hdev); + ++ if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) && ++ !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) && ++ test_bit(HCI_UP, &hdev->flags)) { ++ /* Execute vendor specific shutdown routine */ ++ if (hdev->shutdown) ++ hdev->shutdown(hdev); ++ } ++ + if (!test_and_clear_bit(HCI_UP, &hdev->flags)) { + cancel_delayed_work_sync(&hdev->cmd_timer); + hci_req_unlock(hdev); +-- +2.30.2 + diff --git a/queue-4.4/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch b/queue-4.4/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch new file mode 100644 index 00000000000..194371947e4 --- /dev/null +++ b/queue-4.4/bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch @@ -0,0 +1,45 @@ +From 2a3f1e46638e0bb866048a8eca1a94270e88156b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 18:00:09 +0300 +Subject: Bluetooth: sco: prevent information leak in sco_conn_defer_accept() + +From: Dan Carpenter + +[ Upstream commit 59da0b38bc2ea570ede23a3332ecb3e7574ce6b2 ] + +Smatch complains that some of these struct members are not initialized +leading to a stack information disclosure: + + net/bluetooth/sco.c:778 sco_conn_defer_accept() warn: + check that 'cp.retrans_effort' doesn't leak information + +This seems like a valid warning. I've added a default case to fix +this issue. + +Fixes: 2f69a82acf6f ("Bluetooth: Use voice setting in deferred SCO connection request") +Signed-off-by: Dan Carpenter +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 2209fd2ff2e3..cad0d2750735 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -763,6 +763,11 @@ static void sco_conn_defer_accept(struct hci_conn *conn, u16 setting) + cp.max_latency = cpu_to_le16(0xffff); + cp.retrans_effort = 0xff; + break; ++ default: ++ /* use CVSD settings as fallback */ ++ cp.max_latency = cpu_to_le16(0xffff); ++ cp.retrans_effort = 0xff; ++ break; + } + + hci_send_cmd(hdev, HCI_OP_ACCEPT_SYNC_CONN_REQ, +-- +2.30.2 + diff --git a/queue-4.4/certs-trigger-creation-of-rsa-module-signing-key-if-.patch b/queue-4.4/certs-trigger-creation-of-rsa-module-signing-key-if-.patch new file mode 100644 index 00000000000..4cc2448ea31 --- /dev/null +++ b/queue-4.4/certs-trigger-creation-of-rsa-module-signing-key-if-.patch @@ -0,0 +1,56 @@ +From 03c41afec21d9451af4fbe1c39ca84a35cec5bbe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 29 Jun 2021 17:34:20 -0400 +Subject: certs: Trigger creation of RSA module signing key if it's not an RSA + key + +From: Stefan Berger + +[ Upstream commit ea35e0d5df6c92fa2e124bb1b91d09b2240715ba ] + +Address a kbuild issue where a developer created an ECDSA key for signing +kernel modules and then builds an older version of the kernel, when bi- +secting the kernel for example, that does not support ECDSA keys. + +If openssl is installed, trigger the creation of an RSA module signing +key if it is not an RSA key. + +Fixes: cfc411e7fff3 ("Move certificate handling to its own directory") +Cc: David Howells +Cc: David Woodhouse +Signed-off-by: Stefan Berger +Reviewed-by: Jarkko Sakkinen +Tested-by: Jarkko Sakkinen +Signed-off-by: Jarkko Sakkinen +Signed-off-by: Sasha Levin +--- + certs/Makefile | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/certs/Makefile b/certs/Makefile +index 2773c4afa24c..4417cc5cf5e8 100644 +--- a/certs/Makefile ++++ b/certs/Makefile +@@ -39,11 +39,19 @@ endif + redirect_openssl = 2>&1 + quiet_redirect_openssl = 2>&1 + silent_redirect_openssl = 2>/dev/null ++openssl_available = $(shell openssl help 2>/dev/null && echo yes) + + # We do it this way rather than having a boolean option for enabling an + # external private key, because 'make randconfig' might enable such a + # boolean option and we unfortunately can't make it depend on !RANDCONFIG. + ifeq ($(CONFIG_MODULE_SIG_KEY),"certs/signing_key.pem") ++ ++ifeq ($(openssl_available),yes) ++X509TEXT=$(shell openssl x509 -in "certs/signing_key.pem" -text 2>/dev/null) ++ ++$(if $(findstring rsaEncryption,$(X509TEXT)),,$(shell rm -f "certs/signing_key.pem")) ++endif ++ + $(obj)/signing_key.pem: $(obj)/x509.genkey + @$(kecho) "###" + @$(kecho) "### Now generating an X.509 key pair to be used for signing modules." +-- +2.30.2 + diff --git a/queue-4.4/cifs-fix-a-potencially-linear-read-overflow.patch b/queue-4.4/cifs-fix-a-potencially-linear-read-overflow.patch new file mode 100644 index 00000000000..b29d9b718fb --- /dev/null +++ b/queue-4.4/cifs-fix-a-potencially-linear-read-overflow.patch @@ -0,0 +1,53 @@ +From ea8da6296aaed4027863cd433a513914b9dbe52c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Aug 2021 12:27:09 +0200 +Subject: CIFS: Fix a potencially linear read overflow + +From: Len Baker + +[ Upstream commit f980d055a0f858d73d9467bb0b570721bbfcdfb8 ] + +strlcpy() reads the entire source buffer first. This read may exceed the +destination size limit. This is both inefficient and can lead to linear +read overflows if a source string is not NUL-terminated. + +Also, the strnlen() call does not avoid the read overflow in the strlcpy +function when a not NUL-terminated string is passed. + +So, replace this block by a call to kstrndup() that avoids this type of +overflow and does the same. + +Fixes: 066ce6899484d ("cifs: rename cifs_strlcpy_to_host and make it use new functions") +Signed-off-by: Len Baker +Reviewed-by: Paulo Alcantara (SUSE) +Reviewed-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Sasha Levin +--- + fs/cifs/cifs_unicode.c | 9 ++------- + 1 file changed, 2 insertions(+), 7 deletions(-) + +diff --git a/fs/cifs/cifs_unicode.c b/fs/cifs/cifs_unicode.c +index 942874257a09..e5e780145728 100644 +--- a/fs/cifs/cifs_unicode.c ++++ b/fs/cifs/cifs_unicode.c +@@ -367,14 +367,9 @@ cifs_strndup_from_utf16(const char *src, const int maxlen, + if (!dst) + return NULL; + cifs_from_utf16(dst, (__le16 *) src, len, maxlen, codepage, +- NO_MAP_UNI_RSVD); ++ NO_MAP_UNI_RSVD); + } else { +- len = strnlen(src, maxlen); +- len++; +- dst = kmalloc(len, GFP_KERNEL); +- if (!dst) +- return NULL; +- strlcpy(dst, src, len); ++ dst = kstrndup(src, maxlen, GFP_KERNEL); + } + + return dst; +-- +2.30.2 + diff --git a/queue-4.4/crypto-mxs-dcp-check-for-dma-mapping-errors.patch b/queue-4.4/crypto-mxs-dcp-check-for-dma-mapping-errors.patch new file mode 100644 index 00000000000..347af31411f --- /dev/null +++ b/queue-4.4/crypto-mxs-dcp-check-for-dma-mapping-errors.patch @@ -0,0 +1,125 @@ +From 657826741b878a286814cf81f878b3eca967405b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 14:56:37 -0400 +Subject: crypto: mxs-dcp - Check for DMA mapping errors + +From: Sean Anderson + +[ Upstream commit df6313d707e575a679ada3313358289af24454c0 ] + +After calling dma_map_single(), we must also call dma_mapping_error(). +This fixes the following warning when compiling with CONFIG_DMA_API_DEBUG: + +[ 311.241478] WARNING: CPU: 0 PID: 428 at kernel/dma/debug.c:1027 check_unmap+0x79c/0x96c +[ 311.249547] DMA-API: mxs-dcp 2280000.crypto: device driver failed to check map error[device address=0x00000000860cb080] [size=32 bytes] [mapped as single] + +Signed-off-by: Sean Anderson +Reviewed-by: Richard Weinberger +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/mxs-dcp.c | 45 +++++++++++++++++++++++++++++++--------- + 1 file changed, 35 insertions(+), 10 deletions(-) + +diff --git a/drivers/crypto/mxs-dcp.c b/drivers/crypto/mxs-dcp.c +index 1a8dc76e117e..c94db361138d 100644 +--- a/drivers/crypto/mxs-dcp.c ++++ b/drivers/crypto/mxs-dcp.c +@@ -167,15 +167,19 @@ static struct dcp *global_sdcp; + + static int mxs_dcp_start_dma(struct dcp_async_ctx *actx) + { ++ int dma_err; + struct dcp *sdcp = global_sdcp; + const int chan = actx->chan; + uint32_t stat; + unsigned long ret; + struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan]; +- + dma_addr_t desc_phys = dma_map_single(sdcp->dev, desc, sizeof(*desc), + DMA_TO_DEVICE); + ++ dma_err = dma_mapping_error(sdcp->dev, desc_phys); ++ if (dma_err) ++ return dma_err; ++ + reinit_completion(&sdcp->completion[chan]); + + /* Clear status register. */ +@@ -213,18 +217,29 @@ static int mxs_dcp_start_dma(struct dcp_async_ctx *actx) + static int mxs_dcp_run_aes(struct dcp_async_ctx *actx, + struct ablkcipher_request *req, int init) + { ++ dma_addr_t key_phys, src_phys, dst_phys; + struct dcp *sdcp = global_sdcp; + struct dcp_dma_desc *desc = &sdcp->coh->desc[actx->chan]; + struct dcp_aes_req_ctx *rctx = ablkcipher_request_ctx(req); + int ret; + +- dma_addr_t key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key, +- 2 * AES_KEYSIZE_128, +- DMA_TO_DEVICE); +- dma_addr_t src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf, +- DCP_BUF_SZ, DMA_TO_DEVICE); +- dma_addr_t dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf, +- DCP_BUF_SZ, DMA_FROM_DEVICE); ++ key_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_key, ++ 2 * AES_KEYSIZE_128, DMA_TO_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, key_phys); ++ if (ret) ++ return ret; ++ ++ src_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_in_buf, ++ DCP_BUF_SZ, DMA_TO_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, src_phys); ++ if (ret) ++ goto err_src; ++ ++ dst_phys = dma_map_single(sdcp->dev, sdcp->coh->aes_out_buf, ++ DCP_BUF_SZ, DMA_FROM_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, dst_phys); ++ if (ret) ++ goto err_dst; + + if (actx->fill % AES_BLOCK_SIZE) { + dev_err(sdcp->dev, "Invalid block size!\n"); +@@ -262,10 +277,12 @@ static int mxs_dcp_run_aes(struct dcp_async_ctx *actx, + ret = mxs_dcp_start_dma(actx); + + aes_done_run: ++ dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE); ++err_dst: ++ dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE); ++err_src: + dma_unmap_single(sdcp->dev, key_phys, 2 * AES_KEYSIZE_128, + DMA_TO_DEVICE); +- dma_unmap_single(sdcp->dev, src_phys, DCP_BUF_SZ, DMA_TO_DEVICE); +- dma_unmap_single(sdcp->dev, dst_phys, DCP_BUF_SZ, DMA_FROM_DEVICE); + + return ret; + } +@@ -570,6 +587,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req) + dma_addr_t buf_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_in_buf, + DCP_BUF_SZ, DMA_TO_DEVICE); + ++ ret = dma_mapping_error(sdcp->dev, buf_phys); ++ if (ret) ++ return ret; ++ + /* Fill in the DMA descriptor. */ + desc->control0 = MXS_DCP_CONTROL0_DECR_SEMAPHORE | + MXS_DCP_CONTROL0_INTERRUPT | +@@ -602,6 +623,10 @@ static int mxs_dcp_run_sha(struct ahash_request *req) + if (rctx->fini) { + digest_phys = dma_map_single(sdcp->dev, sdcp->coh->sha_out_buf, + DCP_SHA_PAY_SZ, DMA_FROM_DEVICE); ++ ret = dma_mapping_error(sdcp->dev, digest_phys); ++ if (ret) ++ goto done_run; ++ + desc->control0 |= MXS_DCP_CONTROL0_HASH_TERM; + desc->payload = digest_phys; + } +-- +2.30.2 + diff --git a/queue-4.4/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch b/queue-4.4/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch new file mode 100644 index 00000000000..43d700fc659 --- /dev/null +++ b/queue-4.4/crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch @@ -0,0 +1,43 @@ +From 02d597b65695b91c8b472930c0a5c63b9d9dbb95 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 13:23:34 +0300 +Subject: crypto: omap-sham - clear dma flags only after + omap_sham_update_dma_stop() + +From: Tony Lindgren + +[ Upstream commit fe28140b3393b0ba1eb95cc109f974a7e58b26fd ] + +We should not clear FLAGS_DMA_ACTIVE before omap_sham_update_dma_stop() is +done calling dma_unmap_sg(). We already clear FLAGS_DMA_ACTIVE at the +end of omap_sham_update_dma_stop(). + +The early clearing of FLAGS_DMA_ACTIVE is not causing issues as we do not +need to defer anything based on FLAGS_DMA_ACTIVE currently. So this can be +applied as clean-up. + +Cc: Lokesh Vutla +Cc: Tero Kristo +Signed-off-by: Tony Lindgren +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/omap-sham.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/crypto/omap-sham.c b/drivers/crypto/omap-sham.c +index 7e9a44cee425..be82186a8afb 100644 +--- a/drivers/crypto/omap-sham.c ++++ b/drivers/crypto/omap-sham.c +@@ -1630,7 +1630,7 @@ static void omap_sham_done_task(unsigned long data) + goto finish; + } + } else if (test_bit(FLAGS_DMA_READY, &dd->flags)) { +- if (test_and_clear_bit(FLAGS_DMA_ACTIVE, &dd->flags)) { ++ if (test_bit(FLAGS_DMA_ACTIVE, &dd->flags)) { + omap_sham_update_dma_stop(dd); + if (dd->err) { + err = dd->err; +-- +2.30.2 + diff --git a/queue-4.4/crypto-qat-do-not-export-adf_iov_putmsg.patch b/queue-4.4/crypto-qat-do-not-export-adf_iov_putmsg.patch new file mode 100644 index 00000000000..4a1fba62f6d --- /dev/null +++ b/queue-4.4/crypto-qat-do-not-export-adf_iov_putmsg.patch @@ -0,0 +1,36 @@ +From 5f8033f94420950b5fc4b91dd2154c00fc88d44e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:28 +0100 +Subject: crypto: qat - do not export adf_iov_putmsg() + +From: Giovanni Cabiddu + +[ Upstream commit 645ae0af1840199086c33e4f841892ebee73f615 ] + +The function adf_iov_putmsg() is only used inside the intel_qat module +therefore should not be exported. +Remove EXPORT_SYMBOL for the function adf_iov_putmsg(). + +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 711706819b05..f071aba32a28 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -254,7 +254,6 @@ int adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + + return ret; + } +-EXPORT_SYMBOL_GPL(adf_iov_putmsg); + + void adf_vf2pf_req_hndl(struct adf_accel_vf_info *vf_info) + { +-- +2.30.2 + diff --git a/queue-4.4/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch b/queue-4.4/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch new file mode 100644 index 00000000000..3b2fbb5e24d --- /dev/null +++ b/queue-4.4/crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch @@ -0,0 +1,51 @@ +From b2410ba684d2269bb329a16699b2037495930372 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:13 +0100 +Subject: crypto: qat - do not ignore errors from enable_vf2pf_comms() + +From: Giovanni Cabiddu + +[ Upstream commit 5147f0906d50a9d26f2b8698cd06b5680e9867ff ] + +The function adf_dev_init() ignores the error code reported by +enable_vf2pf_comms(). If the latter fails, e.g. the VF is not compatible +with the pf, then the load of the VF driver progresses. +This patch changes adf_dev_init() so that the error code from +enable_vf2pf_comms() is returned to the caller. + +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Marco Chiappero +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_init.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/qat/qat_common/adf_init.c b/drivers/crypto/qat/qat_common/adf_init.c +index d873eeecc363..06b35edb0d43 100644 +--- a/drivers/crypto/qat/qat_common/adf_init.c ++++ b/drivers/crypto/qat/qat_common/adf_init.c +@@ -121,6 +121,7 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) + struct service_hndl *service; + struct list_head *list_itr; + struct adf_hw_device_data *hw_data = accel_dev->hw_device; ++ int ret; + + if (!hw_data) { + dev_err(&GET_DEV(accel_dev), +@@ -187,9 +188,9 @@ int adf_dev_init(struct adf_accel_dev *accel_dev) + } + + hw_data->enable_error_correction(accel_dev); +- hw_data->enable_vf2pf_comms(accel_dev); ++ ret = hw_data->enable_vf2pf_comms(accel_dev); + +- return 0; ++ return ret; + } + EXPORT_SYMBOL_GPL(adf_dev_init); + +-- +2.30.2 + diff --git a/queue-4.4/crypto-qat-fix-reuse-of-completion-variable.patch b/queue-4.4/crypto-qat-fix-reuse-of-completion-variable.patch new file mode 100644 index 00000000000..9e7049863c2 --- /dev/null +++ b/queue-4.4/crypto-qat-fix-reuse-of-completion-variable.patch @@ -0,0 +1,39 @@ +From 0d59f34d25f69bb3513e3493d233c7c03ebe731c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 21:21:19 +0100 +Subject: crypto: qat - fix reuse of completion variable + +From: Marco Chiappero + +[ Upstream commit 3d655732b0199562267a05c7ff69ecdd11632939 ] + +Use reinit_completion() to set to a clean state a completion variable, +used to coordinate the VF to PF request-response flow, before every +new VF request. + +Signed-off-by: Marco Chiappero +Co-developed-by: Giovanni Cabiddu +Signed-off-by: Giovanni Cabiddu +Reviewed-by: Fiona Trahe +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 5fdbad809343..711706819b05 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -384,6 +384,8 @@ static int adf_vf2pf_request_version(struct adf_accel_dev *accel_dev) + msg |= ADF_PFVF_COMPATIBILITY_VERSION << ADF_VF2PF_COMPAT_VER_REQ_SHIFT; + BUILD_BUG_ON(ADF_PFVF_COMPATIBILITY_VERSION > 255); + ++ reinit_completion(&accel_dev->vf.iov_msg_completion); ++ + /* Send request from VF to PF */ + ret = adf_iov_putmsg(accel_dev, msg, 0); + if (ret) { +-- +2.30.2 + diff --git a/queue-4.4/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch b/queue-4.4/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch new file mode 100644 index 00000000000..95234e5c6e8 --- /dev/null +++ b/queue-4.4/drm-msm-dsi-fix-some-reference-counted-resource-leak.patch @@ -0,0 +1,62 @@ +From 078597d90b4e5f30af9c41981970cb355d1e9e70 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Aug 2021 11:15:13 +0200 +Subject: drm/msm/dsi: Fix some reference counted resource leaks + +From: Christophe JAILLET + +[ Upstream commit 6977cc89c87506ff17e6c05f0e37f46752256e82 ] + +'of_find_device_by_node()' takes a reference that must be released when +not needed anymore. +This is expected to be done in 'dsi_destroy()'. + +However, there are 2 issues in 'dsi_get_phy()'. + +First, if 'of_find_device_by_node()' succeeds but 'platform_get_drvdata()' +returns NULL, 'msm_dsi->phy_dev' will still be NULL, and the reference +won't be released in 'dsi_destroy()'. + +Secondly, as 'of_find_device_by_node()' already takes a reference, there is +no need for an additional 'get_device()'. + +Move the assignment to 'msm_dsi->phy_dev' a few lines above and remove the +unneeded 'get_device()' to solve both issues. + +Fixes: ec31abf6684e ("drm/msm/dsi: Separate PHY to another platform device") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/f15bc57648a00e7c99f943903468a04639d50596.1628241097.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/dsi/dsi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/msm/dsi/dsi.c b/drivers/gpu/drm/msm/dsi/dsi.c +index 6edcd6f57e70..817661462676 100644 +--- a/drivers/gpu/drm/msm/dsi/dsi.c ++++ b/drivers/gpu/drm/msm/dsi/dsi.c +@@ -36,8 +36,10 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + } + + phy_pdev = of_find_device_by_node(phy_node); +- if (phy_pdev) ++ if (phy_pdev) { + msm_dsi->phy = platform_get_drvdata(phy_pdev); ++ msm_dsi->phy_dev = &phy_pdev->dev; ++ } + + of_node_put(phy_node); + +@@ -46,8 +48,6 @@ static int dsi_get_phy(struct msm_dsi *msm_dsi) + return -EPROBE_DEFER; + } + +- msm_dsi->phy_dev = get_device(&phy_pdev->dev); +- + return 0; + } + +-- +2.30.2 + diff --git a/queue-4.4/i2c-highlander-add-irq-check.patch b/queue-4.4/i2c-highlander-add-irq-check.patch new file mode 100644 index 00000000000..e392364b566 --- /dev/null +++ b/queue-4.4/i2c-highlander-add-irq-check.patch @@ -0,0 +1,39 @@ +From 83771d502beb59c79d861c8e0e92c7f8b68d8a98 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 30 May 2021 22:13:45 +0300 +Subject: i2c: highlander: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit f16a3bb69aa6baabf8f0aca982c8cf21e2a4f6bc ] + +The driver is written as if platform_get_irq() returns 0 on errors (while +actually it returns a negative error code), blithely passing these error +codes to request_irq() (which takes *unsigned* IRQ #) -- which fails with +-EINVAL. Add the necessary error check to the pre-existing *if* statement +forcing the driver into the polling mode... + +Fixes: 4ad48e6ab18c ("i2c: Renesas Highlander FPGA SMBus support") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-highlander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-highlander.c b/drivers/i2c/busses/i2c-highlander.c +index 56dc69e7349f..9ad031ea3300 100644 +--- a/drivers/i2c/busses/i2c-highlander.c ++++ b/drivers/i2c/busses/i2c-highlander.c +@@ -382,7 +382,7 @@ static int highlander_i2c_probe(struct platform_device *pdev) + platform_set_drvdata(pdev, dev); + + dev->irq = platform_get_irq(pdev, 0); +- if (iic_force_poll) ++ if (dev->irq < 0 || iic_force_poll) + dev->irq = 0; + + if (dev->irq) { +-- +2.30.2 + diff --git a/queue-4.4/i2c-iop3xx-fix-deferred-probing.patch b/queue-4.4/i2c-iop3xx-fix-deferred-probing.patch new file mode 100644 index 00000000000..7e3a542d332 --- /dev/null +++ b/queue-4.4/i2c-iop3xx-fix-deferred-probing.patch @@ -0,0 +1,53 @@ +From 4a64732f93827a1afde5ab19f03246afaca62564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Aug 2021 23:35:09 +0300 +Subject: i2c: iop3xx: fix deferred probing + +From: Sergey Shtylyov + +[ Upstream commit a1299505162ad00def3573260c2c68b9c8e8d697 ] + +When adding the code to handle platform_get_irq*() errors in the commit +489447380a29 ("handle errors returned by platform_get_irq*()"), the +actual error code was enforced to be -ENXIO in the driver for some +strange reason. This didn't matter much until the deferred probing was +introduced -- which requires an actual error code to be propagated +upstream from the failure site. + +While fixing this, also stop overriding the errors from request_irq() to +-EIO (done since the pre-git era). + +Fixes: 489447380a29 ("[PATCH] handle errors returned by platform_get_irq*()") +Signed-off-by: Sergey Shtylyov +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-iop3xx.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-iop3xx.c b/drivers/i2c/busses/i2c-iop3xx.c +index 72d6161cf77c..6b9031ccd767 100644 +--- a/drivers/i2c/busses/i2c-iop3xx.c ++++ b/drivers/i2c/busses/i2c-iop3xx.c +@@ -459,16 +459,14 @@ iop3xx_i2c_probe(struct platform_device *pdev) + + irq = platform_get_irq(pdev, 0); + if (irq < 0) { +- ret = -ENXIO; ++ ret = irq; + goto unmap; + } + ret = request_irq(irq, iop3xx_i2c_irq_handler, 0, + pdev->name, adapter_data); + +- if (ret) { +- ret = -EIO; ++ if (ret) + goto unmap; +- } + + memcpy(new_adapter->name, pdev->name, strlen(pdev->name)); + new_adapter->owner = THIS_MODULE; +-- +2.30.2 + diff --git a/queue-4.4/i2c-mt65xx-fix-irq-check.patch b/queue-4.4/i2c-mt65xx-fix-irq-check.patch new file mode 100644 index 00000000000..9b96ddae8c4 --- /dev/null +++ b/queue-4.4/i2c-mt65xx-fix-irq-check.patch @@ -0,0 +1,38 @@ +From 7b5f74598589f6e875400dcdccfef47a08ae4cdc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 17:38:45 +0300 +Subject: i2c: mt65xx: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 58fb7c643d346e2364404554f531cfa6a1a3917c ] + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: ce38815d39ea ("I2C: mediatek: Add driver for MediaTek I2C controller") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Qii Wang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-mt65xx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-mt65xx.c b/drivers/i2c/busses/i2c-mt65xx.c +index 9b867169142f..42a998fa5f79 100644 +--- a/drivers/i2c/busses/i2c-mt65xx.c ++++ b/drivers/i2c/busses/i2c-mt65xx.c +@@ -639,7 +639,7 @@ static int mtk_i2c_probe(struct platform_device *pdev) + return PTR_ERR(i2c->pdmabase); + + irq = platform_get_irq(pdev, 0); +- if (irq <= 0) ++ if (irq < 0) + return irq; + + init_completion(&i2c->msg_complete); +-- +2.30.2 + diff --git a/queue-4.4/i2c-s3c2410-fix-irq-check.patch b/queue-4.4/i2c-s3c2410-fix-irq-check.patch new file mode 100644 index 00000000000..654e17fe9a5 --- /dev/null +++ b/queue-4.4/i2c-s3c2410-fix-irq-check.patch @@ -0,0 +1,38 @@ +From d5bd7677a738398a263fb5910fb3fd8aa9360101 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Jul 2021 17:45:25 +0300 +Subject: i2c: s3c2410: fix IRQ check + +From: Sergey Shtylyov + +[ Upstream commit d6840a5e370b7ea4fde16ce2caf431bcc87f9a75 ] + +Iff platform_get_irq() returns 0, the driver's probe() method will return 0 +early (as if the method's call was successful). Let's consider IRQ0 valid +for simplicity -- devm_request_irq() can always override that decision... + +Fixes: e0d1ec97853f ("i2c-s3c2410: Change IRQ to be plain integer.") +Signed-off-by: Sergey Shtylyov +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-s3c2410.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/i2c/busses/i2c-s3c2410.c b/drivers/i2c/busses/i2c-s3c2410.c +index bea74aa3f56c..44af640496bb 100644 +--- a/drivers/i2c/busses/i2c-s3c2410.c ++++ b/drivers/i2c/busses/i2c-s3c2410.c +@@ -1213,7 +1213,7 @@ static int s3c24xx_i2c_probe(struct platform_device *pdev) + + if (!(i2c->quirks & QUIRK_POLL)) { + i2c->irq = ret = platform_get_irq(pdev, 0); +- if (ret <= 0) { ++ if (ret < 0) { + dev_err(&pdev->dev, "cannot find IRQ\n"); + clk_unprepare(i2c->clk); + return ret; +-- +2.30.2 + diff --git a/queue-4.4/ipv4-make-exception-cache-less-predictible.patch b/queue-4.4/ipv4-make-exception-cache-less-predictible.patch new file mode 100644 index 00000000000..5d0d78b258a --- /dev/null +++ b/queue-4.4/ipv4-make-exception-cache-less-predictible.patch @@ -0,0 +1,127 @@ +From 68ffcbc724e3b0d97fb32e732ba992e7ea0c4840 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 29 Aug 2021 15:16:15 -0700 +Subject: ipv4: make exception cache less predictible + +From: Eric Dumazet + +[ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ] + +Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in +fnhe_hashfun()"), an attacker can still use brute force to learn +some secrets from a victim linux host. + +One way to defeat these attacks is to make the max depth of the hash +table bucket a random value. + +Before this patch, each bucket of the hash table used to store exceptions +could contain 6 items under attack. + +After the patch, each bucket would contains a random number of items, +between 6 and 10. The attacker can no longer infer secrets. + +This is slightly increasing memory size used by the hash table, +by 50% in average, we do not expect this to be a problem. + +This patch is more complex than the prior one (IPv6 equivalent), +because IPv4 was reusing the oldest entry. +Since we need to be able to evict more than one entry per +update_or_create_fnhe() call, I had to replace +fnhe_oldest() with fnhe_remove_oldest(). + +Also note that we will queue extra kfree_rcu() calls under stress, +which hopefully wont be a too big issue. + +Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.") +Signed-off-by: Eric Dumazet +Reported-by: Keyu Man +Cc: Willy Tarreau +Signed-off-by: David S. Miller +Reviewed-by: David Ahern +Tested-by: David Ahern +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/route.c | 46 ++++++++++++++++++++++++++++++---------------- + 1 file changed, 30 insertions(+), 16 deletions(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index 2ab2289d97a0..ed6483181676 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -597,18 +597,25 @@ static void fnhe_flush_routes(struct fib_nh_exception *fnhe) + } + } + +-static struct fib_nh_exception *fnhe_oldest(struct fnhe_hash_bucket *hash) ++static void fnhe_remove_oldest(struct fnhe_hash_bucket *hash) + { +- struct fib_nh_exception *fnhe, *oldest; ++ struct fib_nh_exception __rcu **fnhe_p, **oldest_p; ++ struct fib_nh_exception *fnhe, *oldest = NULL; + +- oldest = rcu_dereference(hash->chain); +- for (fnhe = rcu_dereference(oldest->fnhe_next); fnhe; +- fnhe = rcu_dereference(fnhe->fnhe_next)) { +- if (time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) ++ for (fnhe_p = &hash->chain; ; fnhe_p = &fnhe->fnhe_next) { ++ fnhe = rcu_dereference_protected(*fnhe_p, ++ lockdep_is_held(&fnhe_lock)); ++ if (!fnhe) ++ break; ++ if (!oldest || ++ time_before(fnhe->fnhe_stamp, oldest->fnhe_stamp)) { + oldest = fnhe; ++ oldest_p = fnhe_p; ++ } + } + fnhe_flush_routes(oldest); +- return oldest; ++ *oldest_p = oldest->fnhe_next; ++ kfree_rcu(oldest, rcu); + } + + static inline u32 fnhe_hashfun(__be32 daddr) +@@ -685,16 +692,21 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, + if (rt) + fill_route_from_fnhe(rt, fnhe); + } else { +- if (depth > FNHE_RECLAIM_DEPTH) +- fnhe = fnhe_oldest(hash); +- else { +- fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); +- if (!fnhe) +- goto out_unlock; +- +- fnhe->fnhe_next = hash->chain; +- rcu_assign_pointer(hash->chain, fnhe); ++ /* Randomize max depth to avoid some side channels attacks. */ ++ int max_depth = FNHE_RECLAIM_DEPTH + ++ prandom_u32_max(FNHE_RECLAIM_DEPTH); ++ ++ while (depth > max_depth) { ++ fnhe_remove_oldest(hash); ++ depth--; + } ++ ++ fnhe = kzalloc(sizeof(*fnhe), GFP_ATOMIC); ++ if (!fnhe) ++ goto out_unlock; ++ ++ fnhe->fnhe_next = hash->chain; ++ + fnhe->fnhe_genid = genid; + fnhe->fnhe_daddr = daddr; + fnhe->fnhe_gw = gw; +@@ -702,6 +714,8 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw, + fnhe->fnhe_mtu_locked = lock; + fnhe->fnhe_expires = expires; + ++ rcu_assign_pointer(hash->chain, fnhe); ++ + /* Exception created; mark the cached routes for the nexthop + * stale, so anyone caching it rechecks if this exception + * applies to them. +-- +2.30.2 + diff --git a/queue-4.4/libata-fix-ata_host_start.patch b/queue-4.4/libata-fix-ata_host_start.patch new file mode 100644 index 00000000000..4681860c90c --- /dev/null +++ b/queue-4.4/libata-fix-ata_host_start.patch @@ -0,0 +1,39 @@ +From a80d08a27d159af8667eb0e26d9057b9cf71a45d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 10:44:47 +0900 +Subject: libata: fix ata_host_start() + +From: Damien Le Moal + +[ Upstream commit 355a8031dc174450ccad2a61c513ad7222d87a97 ] + +The loop on entry of ata_host_start() may not initialize host->ops to a +non NULL value. The test on the host_stop field of host->ops must then +be preceded by a check that host->ops is not NULL. + +Reported-by: kernel test robot +Signed-off-by: Damien Le Moal +Reviewed-by: Hannes Reinecke +Link: https://lore.kernel.org/r/20210816014456.2191776-3-damien.lemoal@wdc.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + drivers/ata/libata-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index 8ed3f6d75ff1..2ece0a65ccee 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -6026,7 +6026,7 @@ int ata_host_start(struct ata_host *host) + have_stop = 1; + } + +- if (host->ops->host_stop) ++ if (host->ops && host->ops->host_stop) + have_stop = 1; + + if (have_stop) { +-- +2.30.2 + diff --git a/queue-4.4/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch b/queue-4.4/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch new file mode 100644 index 00000000000..5ef05e6144a --- /dev/null +++ b/queue-4.4/m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch @@ -0,0 +1,40 @@ +From 35d65414a1a0a4735c61df01657b4ac6ae4ef8dd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Jul 2021 23:47:27 +0300 +Subject: m68k: emu: Fix invalid free in nfeth_cleanup() + +From: Pavel Skripkin + +[ Upstream commit 761608f5cf70e8876c2f0e39ca54b516bdcb7c12 ] + +In the for loop all nfeth_dev array members should be freed, not only +the first one. Freeing only the first array member can cause +double-free bugs and memory leaks. + +Fixes: 9cd7b148312f ("m68k/atari: ARAnyM - Add support for network access") +Signed-off-by: Pavel Skripkin +Link: https://lore.kernel.org/r/20210705204727.10743-1-paskripkin@gmail.com +Signed-off-by: Geert Uytterhoeven +Signed-off-by: Sasha Levin +--- + arch/m68k/emu/nfeth.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/m68k/emu/nfeth.c b/arch/m68k/emu/nfeth.c +index a0985fd088d1..7d695fc7a2d0 100644 +--- a/arch/m68k/emu/nfeth.c ++++ b/arch/m68k/emu/nfeth.c +@@ -260,8 +260,8 @@ static void __exit nfeth_cleanup(void) + + for (i = 0; i < MAX_UNIT; i++) { + if (nfeth_dev[i]) { +- unregister_netdev(nfeth_dev[0]); +- free_netdev(nfeth_dev[0]); ++ unregister_netdev(nfeth_dev[i]); ++ free_netdev(nfeth_dev[i]); + } + } + free_irq(nfEtherIRQ, nfeth_interrupt); +-- +2.30.2 + diff --git a/queue-4.4/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch b/queue-4.4/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch new file mode 100644 index 00000000000..238ef8c2721 --- /dev/null +++ b/queue-4.4/media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch @@ -0,0 +1,52 @@ +From b84a467a711d4bb32d7597b616d5e19f86f85fc0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 07:33:27 +0200 +Subject: media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init + +From: Dongliang Mu + +[ Upstream commit c5453769f77ce19a5b03f1f49946fd3f8a374009 ] + +If dibusb_read_eeprom_byte fails, the mac address is not initialized. +And nova_t_read_mac_address does not handle this failure, which leads to +the uninit-value in dvb_usb_adapter_dvb_init. + +Fix this by handling the failure of dibusb_read_eeprom_byte. + +Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/nova-t-usb2.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/nova-t-usb2.c b/drivers/media/usb/dvb-usb/nova-t-usb2.c +index 6c55384e2fca..c570c4af64f3 100644 +--- a/drivers/media/usb/dvb-usb/nova-t-usb2.c ++++ b/drivers/media/usb/dvb-usb/nova-t-usb2.c +@@ -122,7 +122,7 @@ static int nova_t_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + + static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + { +- int i; ++ int i, ret; + u8 b; + + mac[0] = 0x00; +@@ -131,7 +131,9 @@ static int nova_t_read_mac_address (struct dvb_usb_device *d, u8 mac[6]) + + /* this is a complete guess, but works for my box */ + for (i = 136; i < 139; i++) { +- dibusb_read_eeprom_byte(d,i, &b); ++ ret = dibusb_read_eeprom_byte(d, i, &b); ++ if (ret) ++ return ret; + + mac[5 - (i - 136)] = b; + } +-- +2.30.2 + diff --git a/queue-4.4/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch b/queue-4.4/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch new file mode 100644 index 00000000000..6aaf4f0b359 --- /dev/null +++ b/queue-4.4/media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch @@ -0,0 +1,57 @@ +From a8a6717506c68e99df1d0937be23e8d163fb4832 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Jun 2021 07:59:04 +0200 +Subject: media: dvb-usb: fix uninit-value in vp702x_read_mac_addr + +From: Dongliang Mu + +[ Upstream commit 797c061ad715a9a1480eb73f44b6939fbe3209ed ] + +If vp702x_usb_in_op fails, the mac address is not initialized. +And vp702x_read_mac_addr does not handle this failure, which leads to +the uninit-value in dvb_usb_adapter_dvb_init. + +Fix this by handling the failure of vp702x_usb_in_op. + +Fixes: 786baecfe78f ("[media] dvb-usb: move it to drivers/media/usb/dvb-usb") +Signed-off-by: Dongliang Mu +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/vp702x.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb/vp702x.c b/drivers/media/usb/dvb-usb/vp702x.c +index ee1e19e36445..55d515507f0e 100644 +--- a/drivers/media/usb/dvb-usb/vp702x.c ++++ b/drivers/media/usb/dvb-usb/vp702x.c +@@ -294,16 +294,22 @@ static int vp702x_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + static int vp702x_read_mac_addr(struct dvb_usb_device *d,u8 mac[6]) + { + u8 i, *buf; ++ int ret; + struct vp702x_device_state *st = d->priv; + + mutex_lock(&st->buf_mutex); + buf = st->buf; +- for (i = 6; i < 12; i++) +- vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, &buf[i - 6], 1); ++ for (i = 6; i < 12; i++) { ++ ret = vp702x_usb_in_op(d, READ_EEPROM_REQ, i, 1, ++ &buf[i - 6], 1); ++ if (ret < 0) ++ goto err; ++ } + + memcpy(mac, buf, 6); ++err: + mutex_unlock(&st->buf_mutex); +- return 0; ++ return ret; + } + + static int vp702x_frontend_attach(struct dvb_usb_adapter *adap) +-- +2.30.2 + diff --git a/queue-4.4/media-go7007-remove-redundant-initialization.patch b/queue-4.4/media-go7007-remove-redundant-initialization.patch new file mode 100644 index 00000000000..1a29745c6a9 --- /dev/null +++ b/queue-4.4/media-go7007-remove-redundant-initialization.patch @@ -0,0 +1,87 @@ +From e56f02c7ae5c3e322618be9664a0e9348b511a85 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Jun 2021 21:45:42 +0200 +Subject: media: go7007: remove redundant initialization + +From: Pavel Skripkin + +[ Upstream commit 6f5885a7750545973bf1a942d2f0f129aef0aa06 ] + +In go7007_alloc() kzalloc() is used for struct go7007 +allocation. It means that there is no need in zeroing +any members, because kzalloc will take care of it. + +Removing these reduntant initialization steps increases +execution speed a lot: + + Before: + + 86.802 us | go7007_alloc(); + After: + + 29.595 us | go7007_alloc(); + +Fixes: 866b8695d67e8 ("Staging: add the go7007 video driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/go7007/go7007-driver.c | 26 ------------------------ + 1 file changed, 26 deletions(-) + +diff --git a/drivers/media/usb/go7007/go7007-driver.c b/drivers/media/usb/go7007/go7007-driver.c +index ae1cfa792c58..11429bf28c8a 100644 +--- a/drivers/media/usb/go7007/go7007-driver.c ++++ b/drivers/media/usb/go7007/go7007-driver.c +@@ -698,49 +698,23 @@ struct go7007 *go7007_alloc(const struct go7007_board_info *board, + struct device *dev) + { + struct go7007 *go; +- int i; + + go = kzalloc(sizeof(struct go7007), GFP_KERNEL); + if (go == NULL) + return NULL; + go->dev = dev; + go->board_info = board; +- go->board_id = 0; + go->tuner_type = -1; +- go->channel_number = 0; +- go->name[0] = 0; + mutex_init(&go->hw_lock); + init_waitqueue_head(&go->frame_waitq); + spin_lock_init(&go->spinlock); + go->status = STATUS_INIT; +- memset(&go->i2c_adapter, 0, sizeof(go->i2c_adapter)); +- go->i2c_adapter_online = 0; +- go->interrupt_available = 0; + init_waitqueue_head(&go->interrupt_waitq); +- go->input = 0; + go7007_update_board(go); +- go->encoder_h_halve = 0; +- go->encoder_v_halve = 0; +- go->encoder_subsample = 0; + go->format = V4L2_PIX_FMT_MJPEG; + go->bitrate = 1500000; + go->fps_scale = 1; +- go->pali = 0; + go->aspect_ratio = GO7007_RATIO_1_1; +- go->gop_size = 0; +- go->ipb = 0; +- go->closed_gop = 0; +- go->repeat_seqhead = 0; +- go->seq_header_enable = 0; +- go->gop_header_enable = 0; +- go->dvd_mode = 0; +- go->interlace_coding = 0; +- for (i = 0; i < 4; ++i) +- go->modet[i].enable = 0; +- for (i = 0; i < 1624; ++i) +- go->modet_map[i] = 0; +- go->audio_deliver = NULL; +- go->audio_enabled = 0; + + return go; + } +-- +2.30.2 + diff --git a/queue-4.4/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch b/queue-4.4/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 00000000000..ff8ad404b0e --- /dev/null +++ b/queue-4.4/mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,47 @@ +From 378031f09ff51c6ce2aa36a4251f65f9fd1025a8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:16:43 +0300 +Subject: mmc: dw_mmc: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit c3ff0189d3bc9c03845fe37472c140f0fefd0c79 ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For dw_mmc, this is probably not currently an issue but is still good to +fix though. + +Fixes: 3fc7eaef44db ("mmc: dw_mmc: Add external dma interface support") +Cc: Shawn Lin +Cc: Jaehoon Chung +Cc: Peter Ujfalusi +Cc: Vinod Koul +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-2-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/dw_mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/dw_mmc.c b/drivers/mmc/host/dw_mmc.c +index 9eff3b41a086..03ac8d599763 100644 +--- a/drivers/mmc/host/dw_mmc.c ++++ b/drivers/mmc/host/dw_mmc.c +@@ -701,6 +701,7 @@ static int dw_mci_edmac_start_dma(struct dw_mci *host, + int ret = 0; + + /* Set external dma config: burst size, burst width */ ++ memset(&cfg, 0, sizeof(cfg)); + cfg.dst_addr = host->phy_regs + fifo_offset; + cfg.src_addr = cfg.dst_addr; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; +-- +2.30.2 + diff --git a/queue-4.4/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch b/queue-4.4/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch new file mode 100644 index 00000000000..36eb2780d03 --- /dev/null +++ b/queue-4.4/mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch @@ -0,0 +1,46 @@ +From 1797c7d2b848c0908697f7029441fe6788702831 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 10 Aug 2021 11:16:44 +0300 +Subject: mmc: moxart: Fix issue with uninitialized dma_slave_config + +From: Tony Lindgren + +[ Upstream commit ee5165354d498e5bceb0b386e480ac84c5f8c28c ] + +Depending on the DMA driver being used, the struct dma_slave_config may +need to be initialized to zero for the unused data. + +For example, we have three DMA drivers using src_port_window_size and +dst_port_window_size. If these are left uninitialized, it can cause DMA +failures. + +For moxart, this is probably not currently an issue but is still good to +fix though. + +Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") +Cc: Jonas Jensen +Cc: Vinod Koul +Cc: Peter Ujfalusi +Signed-off-by: Tony Lindgren +Link: https://lore.kernel.org/r/20210810081644.19353-3-tony@atomide.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/moxart-mmc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index bbad309679cf..41a5493cb68d 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -633,6 +633,7 @@ static int moxart_probe(struct platform_device *pdev) + host->dma_chan_tx, host->dma_chan_rx); + host->have_dma = true; + ++ memset(&cfg, 0, sizeof(cfg)); + cfg.src_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + cfg.dst_addr_width = DMA_SLAVE_BUSWIDTH_4_BYTES; + +-- +2.30.2 + diff --git a/queue-4.4/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch b/queue-4.4/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch new file mode 100644 index 00000000000..e88d386a44f --- /dev/null +++ b/queue-4.4/net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch @@ -0,0 +1,70 @@ +From a2d87079063803ea01d283d72b9e17324a066d1f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Jul 2021 19:35:30 +0300 +Subject: net: cipso: fix warnings in netlbl_cipsov4_add_std + +From: Pavel Skripkin + +[ Upstream commit 8ca34a13f7f9b3fa2c464160ffe8cc1a72088204 ] + +Syzbot reported warning in netlbl_cipsov4_add(). The +problem was in too big doi_def->map.std->lvl.local_size +passed to kcalloc(). Since this value comes from userpace there is +no need to warn if value is not correct. + +The same problem may occur with other kcalloc() calls in +this function, so, I've added __GFP_NOWARN flag to all +kcalloc() calls there. + +Reported-and-tested-by: syzbot+cdd51ee2e6b0b2e18c0d@syzkaller.appspotmail.com +Fixes: 96cb8e3313c7 ("[NetLabel]: CIPSOv4 and Unlabeled packet integration") +Acked-by: Paul Moore +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/netlabel/netlabel_cipso_v4.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/net/netlabel/netlabel_cipso_v4.c b/net/netlabel/netlabel_cipso_v4.c +index 7fd1104ba900..d31cd4d509ca 100644 +--- a/net/netlabel/netlabel_cipso_v4.c ++++ b/net/netlabel/netlabel_cipso_v4.c +@@ -205,14 +205,14 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + } + doi_def->map.std->lvl.local = kcalloc(doi_def->map.std->lvl.local_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->lvl.local == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; + } + doi_def->map.std->lvl.cipso = kcalloc(doi_def->map.std->lvl.cipso_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->lvl.cipso == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +@@ -279,7 +279,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + doi_def->map.std->cat.local = kcalloc( + doi_def->map.std->cat.local_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->cat.local == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +@@ -287,7 +287,7 @@ static int netlbl_cipsov4_add_std(struct genl_info *info, + doi_def->map.std->cat.cipso = kcalloc( + doi_def->map.std->cat.cipso_size, + sizeof(u32), +- GFP_KERNEL); ++ GFP_KERNEL | __GFP_NOWARN); + if (doi_def->map.std->cat.cipso == NULL) { + ret_val = -ENOMEM; + goto add_std_failure; +-- +2.30.2 + diff --git a/queue-4.4/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch b/queue-4.4/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch new file mode 100644 index 00000000000..ecca429dfc1 --- /dev/null +++ b/queue-4.4/pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch @@ -0,0 +1,56 @@ +From 129c05062fc9f0e714ef62b554c0173d283a8959 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Jul 2021 16:49:10 +0200 +Subject: PCI: PM: Enable PME if it can be signaled from D3cold + +From: Rafael J. Wysocki + +[ Upstream commit 0e00392a895c95c6d12d42158236c8862a2f43f2 ] + +PME signaling is only enabled by __pci_enable_wake() if the target +device can signal PME from the given target power state (to avoid +pointless reconfiguration of the device), but if the hierarchy above +the device goes into D3cold, the device itself will end up in D3cold +too, so if it can signal PME from D3cold, it should be enabled to +do so in __pci_enable_wake(). + +[Note that if the device does not end up in D3cold and it cannot + signal PME from the original target power state, it will not signal + PME, so in that case the behavior does not change.] + +Link: https://lore.kernel.org/linux-pm/3149540.aeNJFYEL58@kreacher/ +Fixes: 5bcc2fb4e815 ("PCI PM: Simplify PCI wake-up code") +Reported-by: Mika Westerberg +Reported-by: Utkarsh H Patel +Reported-by: Koba Ko +Signed-off-by: Rafael J. Wysocki +Reviewed-by: Mika Westerberg +Tested-by: Mika Westerberg +Signed-off-by: Sasha Levin +--- + drivers/pci/pci.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index b7f65fc54dc2..216a1c880924 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1876,7 +1876,14 @@ int __pci_enable_wake(struct pci_dev *dev, pci_power_t state, + if (enable) { + int error; + +- if (pci_pme_capable(dev, state)) ++ /* ++ * Enable PME signaling if the device can signal PME from ++ * D3cold regardless of whether or not it can signal PME from ++ * the current target state, because that will allow it to ++ * signal PME when the hierarchy above it goes into D3cold and ++ * the device itself ends up in D3cold as a result of that. ++ */ ++ if (pci_pme_capable(dev, state) || pci_pme_capable(dev, PCI_D3cold)) + pci_pme_active(dev, true); + else + ret = 1; +-- +2.30.2 + diff --git a/queue-4.4/power-supply-max17042_battery-fix-typo-in-max17042_t.patch b/queue-4.4/power-supply-max17042_battery-fix-typo-in-max17042_t.patch new file mode 100644 index 00000000000..ee2fc2c2550 --- /dev/null +++ b/queue-4.4/power-supply-max17042_battery-fix-typo-in-max17042_t.patch @@ -0,0 +1,46 @@ +From 61202d25c851c352e166cf171f2a0de60b312a16 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 16 Aug 2021 18:50:14 +0200 +Subject: power: supply: max17042_battery: fix typo in MAx17042_TOFF + +From: Sebastian Krzyszkowiak + +[ Upstream commit ed0d0a0506025f06061325cedae1bbebd081620a ] + +Signed-off-by: Sebastian Krzyszkowiak +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/max17042_battery.c | 2 +- + include/linux/power/max17042_battery.h | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/power/max17042_battery.c b/drivers/power/max17042_battery.c +index da7a75f82489..249b0758dae6 100644 +--- a/drivers/power/max17042_battery.c ++++ b/drivers/power/max17042_battery.c +@@ -644,7 +644,7 @@ static inline void max17042_override_por_values(struct max17042_chip *chip) + struct max17042_config_data *config = chip->pdata->config_data; + + max17042_override_por(map, MAX17042_TGAIN, config->tgain); +- max17042_override_por(map, MAx17042_TOFF, config->toff); ++ max17042_override_por(map, MAX17042_TOFF, config->toff); + max17042_override_por(map, MAX17042_CGAIN, config->cgain); + max17042_override_por(map, MAX17042_COFF, config->coff); + +diff --git a/include/linux/power/max17042_battery.h b/include/linux/power/max17042_battery.h +index 522757ac9cd4..890f53881fad 100644 +--- a/include/linux/power/max17042_battery.h ++++ b/include/linux/power/max17042_battery.h +@@ -75,7 +75,7 @@ enum max17042_register { + MAX17042_RelaxCFG = 0x2A, + MAX17042_MiscCFG = 0x2B, + MAX17042_TGAIN = 0x2C, +- MAx17042_TOFF = 0x2D, ++ MAX17042_TOFF = 0x2D, + MAX17042_CGAIN = 0x2E, + MAX17042_COFF = 0x2F, + +-- +2.30.2 + diff --git a/queue-4.4/series b/queue-4.4/series index 4c30e24c14a..9c1db02b1a8 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -26,3 +26,43 @@ mm-page_alloc-speed-up-the-iteration-of-max_order.patch revert-btrfs-compression-don-t-try-to-compress-if-we-don-t-have-enough-pages.patch x86-reboot-limit-dell-optiplex-990-quirk-to-early-bios-versions.patch pci-call-max-payload-size-related-fixup-quirks-early.patch +crypto-mxs-dcp-check-for-dma-mapping-errors.patch +crypto-omap-sham-clear-dma-flags-only-after-omap_sha.patch +power-supply-max17042_battery-fix-typo-in-max17042_t.patch +libata-fix-ata_host_start.patch +crypto-qat-do-not-ignore-errors-from-enable_vf2pf_co.patch +crypto-qat-fix-reuse-of-completion-variable.patch +crypto-qat-do-not-export-adf_iov_putmsg.patch +udf_get_extendedattr-had-no-boundary-checks.patch +m68k-emu-fix-invalid-free-in-nfeth_cleanup.patch +certs-trigger-creation-of-rsa-module-signing-key-if-.patch +media-dvb-usb-fix-uninit-value-in-dvb_usb_adapter_dv.patch +media-dvb-usb-fix-uninit-value-in-vp702x_read_mac_ad.patch +media-go7007-remove-redundant-initialization.patch +bluetooth-sco-prevent-information-leak-in-sco_conn_d.patch +tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch +net-cipso-fix-warnings-in-netlbl_cipsov4_add_std.patch +i2c-highlander-add-irq-check.patch +pci-pm-enable-pme-if-it-can-be-signaled-from-d3cold.patch +bluetooth-increase-btnamsiz-to-21-chars-to-fix-poten.patch +arm64-dts-exynos-correct-gic-cpu-interfaces-address-.patch +bluetooth-fix-repeated-calls-to-sco_sock_kill.patch +drm-msm-dsi-fix-some-reference-counted-resource-leak.patch +usb-gadget-udc-at91-add-irq-check.patch +usb-phy-fsl-usb-add-irq-check.patch +usb-phy-twl6030-add-irq-checks.patch +bluetooth-move-shutdown-callback-before-flushing-tx-.patch +usb-host-ohci-tmio-add-irq-check.patch +usb-phy-tahvo-add-irq-check.patch +usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch +bluetooth-add-timeout-sanity-check-to-hci_inquiry.patch +i2c-iop3xx-fix-deferred-probing.patch +i2c-s3c2410-fix-irq-check.patch +mmc-dw_mmc-fix-issue-with-uninitialized-dma_slave_co.patch +mmc-moxart-fix-issue-with-uninitialized-dma_slave_co.patch +cifs-fix-a-potencially-linear-read-overflow.patch +i2c-mt65xx-fix-irq-check.patch +usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch +ath6kl-wmi-fix-an-error-code-in-ath6kl_wmi_sync_poin.patch +bcma-fix-memory-leak-for-internally-handled-cores.patch +ipv4-make-exception-cache-less-predictible.patch diff --git a/queue-4.4/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch b/queue-4.4/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch new file mode 100644 index 00000000000..0e0600b7c21 --- /dev/null +++ b/queue-4.4/tcp-seq_file-avoid-skipping-sk-during-tcp_seek_last_.patch @@ -0,0 +1,75 @@ +From 48dbb410e6e20b3e197d756229309edf636cf94c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Jul 2021 13:05:41 -0700 +Subject: tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos + +From: Martin KaFai Lau + +[ Upstream commit 525e2f9fd0229eb10cb460a9e6d978257f24804e ] + +st->bucket stores the current bucket number. +st->offset stores the offset within this bucket that is the sk to be +seq_show(). Thus, st->offset only makes sense within the same +st->bucket. + +These two variables are an optimization for the common no-lseek case. +When resuming the seq_file iteration (i.e. seq_start()), +tcp_seek_last_pos() tries to continue from the st->offset +at bucket st->bucket. + +However, it is possible that the bucket pointed by st->bucket +has changed and st->offset may end up skipping the whole st->bucket +without finding a sk. In this case, tcp_seek_last_pos() currently +continues to satisfy the offset condition in the next (and incorrect) +bucket. Instead, regardless of the offset value, the first sk of the +next bucket should be returned. Thus, "bucket == st->bucket" check is +added to tcp_seek_last_pos(). + +The chance of hitting this is small and the issue is a decade old, +so targeting for the next tree. + +Fixes: a8b690f98baf ("tcp: Fix slowness in read /proc/net/tcp") +Signed-off-by: Martin KaFai Lau +Signed-off-by: Andrii Nakryiko +Reviewed-by: Eric Dumazet +Acked-by: Kuniyuki Iwashima +Acked-by: Yonghong Song +Link: https://lore.kernel.org/bpf/20210701200541.1033917-1-kafai@fb.com +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_ipv4.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c +index bb6d251ce103..f9d55dd2dec8 100644 +--- a/net/ipv4/tcp_ipv4.c ++++ b/net/ipv4/tcp_ipv4.c +@@ -2033,6 +2033,7 @@ static void *tcp_get_idx(struct seq_file *seq, loff_t pos) + static void *tcp_seek_last_pos(struct seq_file *seq) + { + struct tcp_iter_state *st = seq->private; ++ int bucket = st->bucket; + int offset = st->offset; + int orig_num = st->num; + void *rc = NULL; +@@ -2043,7 +2044,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq) + break; + st->state = TCP_SEQ_STATE_LISTENING; + rc = listening_get_next(seq, NULL); +- while (offset-- && rc) ++ while (offset-- && rc && bucket == st->bucket) + rc = listening_get_next(seq, rc); + if (rc) + break; +@@ -2054,7 +2055,7 @@ static void *tcp_seek_last_pos(struct seq_file *seq) + if (st->bucket > tcp_hashinfo.ehash_mask) + break; + rc = established_get_first(seq); +- while (offset-- && rc) ++ while (offset-- && rc && bucket == st->bucket) + rc = established_get_next(seq, rc); + } + +-- +2.30.2 + diff --git a/queue-4.4/udf_get_extendedattr-had-no-boundary-checks.patch b/queue-4.4/udf_get_extendedattr-had-no-boundary-checks.patch new file mode 100644 index 00000000000..64cb55d7637 --- /dev/null +++ b/queue-4.4/udf_get_extendedattr-had-no-boundary-checks.patch @@ -0,0 +1,52 @@ +From eaf643205e4cff81ec5bc4d5488af274290a146c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 22 Aug 2021 11:33:32 +0200 +Subject: udf_get_extendedattr() had no boundary checks. + +From: Stian Skjelstad + +[ Upstream commit 58bc6d1be2f3b0ceecb6027dfa17513ec6aa2abb ] + +When parsing the ExtendedAttr data, malicous or corrupt attribute length +could cause kernel hangs and buffer overruns in some special cases. + +Link: https://lore.kernel.org/r/20210822093332.25234-1-stian.skjelstad@gmail.com +Signed-off-by: Stian Skjelstad +Signed-off-by: Jan Kara +Signed-off-by: Sasha Levin +--- + fs/udf/misc.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/fs/udf/misc.c b/fs/udf/misc.c +index 71d1c25f360d..8c7f9ea251e5 100644 +--- a/fs/udf/misc.c ++++ b/fs/udf/misc.c +@@ -175,13 +175,22 @@ struct genericFormat *udf_get_extendedattr(struct inode *inode, uint32_t type, + else + offset = le32_to_cpu(eahd->appAttrLocation); + +- while (offset < iinfo->i_lenEAttr) { ++ while (offset + sizeof(*gaf) < iinfo->i_lenEAttr) { ++ uint32_t attrLength; ++ + gaf = (struct genericFormat *)&ea[offset]; ++ attrLength = le32_to_cpu(gaf->attrLength); ++ ++ /* Detect undersized elements and buffer overflows */ ++ if ((attrLength < sizeof(*gaf)) || ++ (attrLength > (iinfo->i_lenEAttr - offset))) ++ break; ++ + if (le32_to_cpu(gaf->attrType) == type && + gaf->attrSubtype == subtype) + return gaf; + else +- offset += le32_to_cpu(gaf->attrLength); ++ offset += attrLength; + } + } + +-- +2.30.2 + diff --git a/queue-4.4/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch b/queue-4.4/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch new file mode 100644 index 00000000000..1cbb9dea438 --- /dev/null +++ b/queue-4.4/usb-ehci-orion-handle-errors-of-clk_prepare_enable-i.patch @@ -0,0 +1,64 @@ +From a268f61eeac14400b4ae42fbf6bcfcf58d43253f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 25 Aug 2021 20:09:02 +0300 +Subject: usb: ehci-orion: Handle errors of clk_prepare_enable() in probe + +From: Evgeny Novikov + +[ Upstream commit 4720f1bf4ee4a784d9ece05420ba33c9222a3004 ] + +ehci_orion_drv_probe() did not account for possible errors of +clk_prepare_enable() that in particular could cause invocation of +clk_disable_unprepare() on clocks that were not prepared/enabled yet, +e.g. in remove or on handling errors of usb_add_hcd() in probe. Though, +there were several patches fixing different issues with clocks in this +driver, they did not solve this problem. + +Add handling of errors of clk_prepare_enable() in ehci_orion_drv_probe() +to avoid calls of clk_disable_unprepare() without previous successful +invocation of clk_prepare_enable(). + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 8c869edaee07 ("ARM: Orion: EHCI: Add support for enabling clocks") +Co-developed-by: Kirill Shilimanov +Reviewed-by: Andrew Lunn +Acked-by: Alan Stern +Signed-off-by: Evgeny Novikov +Signed-off-by: Kirill Shilimanov +Link: https://lore.kernel.org/r/20210825170902.11234-1-novikov@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ehci-orion.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/host/ehci-orion.c b/drivers/usb/host/ehci-orion.c +index ee8d5faa0194..3eecf47d4e89 100644 +--- a/drivers/usb/host/ehci-orion.c ++++ b/drivers/usb/host/ehci-orion.c +@@ -218,8 +218,11 @@ static int ehci_orion_drv_probe(struct platform_device *pdev) + * the clock does not exists. + */ + priv->clk = devm_clk_get(&pdev->dev, NULL); +- if (!IS_ERR(priv->clk)) +- clk_prepare_enable(priv->clk); ++ if (!IS_ERR(priv->clk)) { ++ err = clk_prepare_enable(priv->clk); ++ if (err) ++ goto err_put_hcd; ++ } + + priv->phy = devm_phy_optional_get(&pdev->dev, "usb"); + if (IS_ERR(priv->phy)) { +@@ -280,6 +283,7 @@ err_phy_init: + err_phy_get: + if (!IS_ERR(priv->clk)) + clk_disable_unprepare(priv->clk); ++err_put_hcd: + usb_put_hcd(hcd); + err: + dev_err(&pdev->dev, "init %s fail, %d\n", +-- +2.30.2 + diff --git a/queue-4.4/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch b/queue-4.4/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch new file mode 100644 index 00000000000..463b9465389 --- /dev/null +++ b/queue-4.4/usb-gadget-mv_u3d-request_irq-after-initializing-udc.patch @@ -0,0 +1,76 @@ +From 57cfa90de53bbbdbb616c15e9eb3c79c29cbc209 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 17:12:47 +0300 +Subject: usb: gadget: mv_u3d: request_irq() after initializing UDC + +From: Nadezda Lutovinova + +[ Upstream commit 2af0c5ffadaf9d13eca28409d4238b4e672942d3 ] + +If IRQ occurs between calling request_irq() and mv_u3d_eps_init(), +then null pointer dereference occurs since u3d->eps[] wasn't +initialized yet but used in mv_u3d_nuke(). + +The patch puts registration of the interrupt handler after +initializing of neccesery data. + +Found by Linux Driver Verification project (linuxtesting.org). + +Fixes: 90fccb529d24 ("usb: gadget: Gadget directory cleanup - group UDC drivers") +Acked-by: Felipe Balbi +Signed-off-by: Nadezda Lutovinova +Link: https://lore.kernel.org/r/20210818141247.4794-1-lutovinova@ispras.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/mv_u3d_core.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/usb/gadget/udc/mv_u3d_core.c b/drivers/usb/gadget/udc/mv_u3d_core.c +index dafe74eb9ade..9ee4a2605dea 100644 +--- a/drivers/usb/gadget/udc/mv_u3d_core.c ++++ b/drivers/usb/gadget/udc/mv_u3d_core.c +@@ -1929,14 +1929,6 @@ static int mv_u3d_probe(struct platform_device *dev) + goto err_get_irq; + } + u3d->irq = r->start; +- if (request_irq(u3d->irq, mv_u3d_irq, +- IRQF_SHARED, driver_name, u3d)) { +- u3d->irq = 0; +- dev_err(&dev->dev, "Request irq %d for u3d failed\n", +- u3d->irq); +- retval = -ENODEV; +- goto err_request_irq; +- } + + /* initialize gadget structure */ + u3d->gadget.ops = &mv_u3d_ops; /* usb_gadget_ops */ +@@ -1949,6 +1941,15 @@ static int mv_u3d_probe(struct platform_device *dev) + + mv_u3d_eps_init(u3d); + ++ if (request_irq(u3d->irq, mv_u3d_irq, ++ IRQF_SHARED, driver_name, u3d)) { ++ u3d->irq = 0; ++ dev_err(&dev->dev, "Request irq %d for u3d failed\n", ++ u3d->irq); ++ retval = -ENODEV; ++ goto err_request_irq; ++ } ++ + /* external vbus detection */ + if (u3d->vbus) { + u3d->clock_gating = 1; +@@ -1972,8 +1973,8 @@ static int mv_u3d_probe(struct platform_device *dev) + + err_unregister: + free_irq(u3d->irq, u3d); +-err_request_irq: + err_get_irq: ++err_request_irq: + kfree(u3d->status_req); + err_alloc_status_req: + kfree(u3d->eps); +-- +2.30.2 + diff --git a/queue-4.4/usb-gadget-udc-at91-add-irq-check.patch b/queue-4.4/usb-gadget-udc-at91-add-irq-check.patch new file mode 100644 index 00000000000..9a5f7b43220 --- /dev/null +++ b/queue-4.4/usb-gadget-udc-at91-add-irq-check.patch @@ -0,0 +1,42 @@ +From 825c68c2da280317260968741c9fc97057fb88aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:27:28 +0300 +Subject: usb: gadget: udc: at91: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 50855c31573b02963f0aa2aacfd4ea41c31ae0e0 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to devm_request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original +error code. Stop calling devm_request_irq() with the invalid IRQ #s. + +Fixes: 8b2e76687b39 ("USB: AT91 UDC updates, mostly power management") +Signed-off-by: Sergey Shtylyov +Acked-by: Felipe Balbi +Link: https://lore.kernel.org/r/6654a224-739a-1a80-12f0-76d920f87b6c@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/at91_udc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/gadget/udc/at91_udc.c b/drivers/usb/gadget/udc/at91_udc.c +index d0d18947f58b..2da281a743b8 100644 +--- a/drivers/usb/gadget/udc/at91_udc.c ++++ b/drivers/usb/gadget/udc/at91_udc.c +@@ -1898,7 +1898,9 @@ static int at91udc_probe(struct platform_device *pdev) + clk_disable(udc->iclk); + + /* request UDC and maybe VBUS irqs */ +- udc->udp_irq = platform_get_irq(pdev, 0); ++ udc->udp_irq = retval = platform_get_irq(pdev, 0); ++ if (retval < 0) ++ goto err_unprepare_iclk; + retval = devm_request_irq(dev, udc->udp_irq, at91_udc_irq, 0, + driver_name, udc); + if (retval) { +-- +2.30.2 + diff --git a/queue-4.4/usb-host-ohci-tmio-add-irq-check.patch b/queue-4.4/usb-host-ohci-tmio-add-irq-check.patch new file mode 100644 index 00000000000..879ed3628b5 --- /dev/null +++ b/queue-4.4/usb-host-ohci-tmio-add-irq-check.patch @@ -0,0 +1,42 @@ +From 1c70c60b22a90a68e2a6bcb4b366851485affab0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 23:30:18 +0300 +Subject: usb: host: ohci-tmio: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 4ac5132e8a4300637a2da8f5d6bc7650db735b8a ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to usb_add_hcd() (which takes +*unsigned* IRQ #), causing request_irq() that it calls to fail with +-EINVAL, overriding an original error code. Stop calling usb_add_hcd() +with the invalid IRQ #s. + +Fixes: 78c73414f4f6 ("USB: ohci: add support for tmio-ohci cell") +Acked-by: Alan Stern +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/402e1a45-a0a4-0e08-566a-7ca1331506b1@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/host/ohci-tmio.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/usb/host/ohci-tmio.c b/drivers/usb/host/ohci-tmio.c +index cfcfadfc94fc..9c9e97294c18 100644 +--- a/drivers/usb/host/ohci-tmio.c ++++ b/drivers/usb/host/ohci-tmio.c +@@ -202,6 +202,9 @@ static int ohci_hcd_tmio_drv_probe(struct platform_device *dev) + if (!cell) + return -EINVAL; + ++ if (irq < 0) ++ return irq; ++ + hcd = usb_create_hcd(&ohci_tmio_hc_driver, &dev->dev, dev_name(&dev->dev)); + if (!hcd) { + ret = -ENOMEM; +-- +2.30.2 + diff --git a/queue-4.4/usb-phy-fsl-usb-add-irq-check.patch b/queue-4.4/usb-phy-fsl-usb-add-irq-check.patch new file mode 100644 index 00000000000..7cb3f7eaf04 --- /dev/null +++ b/queue-4.4/usb-phy-fsl-usb-add-irq-check.patch @@ -0,0 +1,40 @@ +From 4ac4dc5de746978563ebbee1ba54c3359c2bba0f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:50:18 +0300 +Subject: usb: phy: fsl-usb: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit ecc2f30dbb25969908115c81ec23650ed982b004 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_irq() (which takes +*unsigned* IRQ #), causing it to fail with -EINVAL, overriding an original +error code. Stop calling request_irq() with the invalid IRQ #s. + +Fixes: 0807c500a1a6 ("USB: add Freescale USB OTG Transceiver driver") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/b0a86089-8b8b-122e-fd6d-73e8c2304964@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-fsl-usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/phy/phy-fsl-usb.c b/drivers/usb/phy/phy-fsl-usb.c +index 85d031ce85c1..63798de8b5ae 100644 +--- a/drivers/usb/phy/phy-fsl-usb.c ++++ b/drivers/usb/phy/phy-fsl-usb.c +@@ -891,6 +891,8 @@ int usb_otg_start(struct platform_device *pdev) + + /* request irq */ + p_otg->irq = platform_get_irq(pdev, 0); ++ if (p_otg->irq < 0) ++ return p_otg->irq; + status = request_irq(p_otg->irq, fsl_otg_isr, + IRQF_SHARED, driver_name, p_otg); + if (status) { +-- +2.30.2 + diff --git a/queue-4.4/usb-phy-tahvo-add-irq-check.patch b/queue-4.4/usb-phy-tahvo-add-irq-check.patch new file mode 100644 index 00000000000..91283cecae5 --- /dev/null +++ b/queue-4.4/usb-phy-tahvo-add-irq-check.patch @@ -0,0 +1,43 @@ +From 79258e3e7763903170f8b783ba66591fde16044e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 23:32:38 +0300 +Subject: usb: phy: tahvo: add IRQ check + +From: Sergey Shtylyov + +[ Upstream commit 0d45a1373e669880b8beaecc8765f44cb0241e47 ] + +The driver neglects to check the result of platform_get_irq()'s call and +blithely passes the negative error codes to request_threaded_irq() (which +takes *unsigned* IRQ #), causing it to fail with -EINVAL, overriding an +original error code. Stop calling request_threaded_irq() with the invalid +IRQ #s. + +Fixes: 9ba96ae5074c ("usb: omap1: Tahvo USB transceiver driver") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/8280d6a4-8e9a-7cfe-1aa9-db586dc9afdf@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-tahvo.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/phy/phy-tahvo.c b/drivers/usb/phy/phy-tahvo.c +index 335a1ef35224..ec86eedd789b 100644 +--- a/drivers/usb/phy/phy-tahvo.c ++++ b/drivers/usb/phy/phy-tahvo.c +@@ -404,7 +404,9 @@ static int tahvo_usb_probe(struct platform_device *pdev) + + dev_set_drvdata(&pdev->dev, tu); + +- tu->irq = platform_get_irq(pdev, 0); ++ tu->irq = ret = platform_get_irq(pdev, 0); ++ if (ret < 0) ++ return ret; + ret = request_threaded_irq(tu->irq, NULL, tahvo_usb_vbus_interrupt, + IRQF_ONESHOT, + "tahvo-vbus", tu); +-- +2.30.2 + diff --git a/queue-4.4/usb-phy-twl6030-add-irq-checks.patch b/queue-4.4/usb-phy-twl6030-add-irq-checks.patch new file mode 100644 index 00000000000..6416d5e936b --- /dev/null +++ b/queue-4.4/usb-phy-twl6030-add-irq-checks.patch @@ -0,0 +1,44 @@ +From 5247a6dd700c8602a663b9a27d259526a71c1a09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 9 Aug 2021 23:53:16 +0300 +Subject: usb: phy: twl6030: add IRQ checks + +From: Sergey Shtylyov + +[ Upstream commit 0881e22c06e66af0b64773c91c8868ead3d01aa1 ] + +The driver neglects to check the result of platform_get_irq()'s calls and +blithely passes the negative error codes to request_threaded_irq() (which +takes *unsigned* IRQ #), causing them both to fail with -EINVAL, overriding +an original error code. Stop calling request_threaded_irq() with the +invalid IRQ #s. + +Fixes: c33fad0c3748 ("usb: otg: Adding twl6030-usb transceiver driver for OMAP4430") +Acked-by: Felipe Balbi +Signed-off-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/9507f50b-50f1-6dc4-f57c-3ed4e53a1c25@omp.ru +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/phy/phy-twl6030-usb.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/usb/phy/phy-twl6030-usb.c b/drivers/usb/phy/phy-twl6030-usb.c +index 12741856a75c..220e1a59a871 100644 +--- a/drivers/usb/phy/phy-twl6030-usb.c ++++ b/drivers/usb/phy/phy-twl6030-usb.c +@@ -336,6 +336,11 @@ static int twl6030_usb_probe(struct platform_device *pdev) + twl->irq2 = platform_get_irq(pdev, 1); + twl->linkstat = OMAP_MUSB_UNKNOWN; + ++ if (twl->irq1 < 0) ++ return twl->irq1; ++ if (twl->irq2 < 0) ++ return twl->irq2; ++ + twl->comparator.set_vbus = twl6030_set_vbus; + twl->comparator.start_srp = twl6030_start_srp; + +-- +2.30.2 +