From: Greg Kroah-Hartman Date: Fri, 24 Sep 2021 09:32:44 +0000 (+0200) Subject: 5.10-stable patches X-Git-Tag: v4.4.285~28 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f3fa9993199e43d1b18dca2580c8e6f3d2045402;p=thirdparty%2Fkernel%2Fstable-queue.git 5.10-stable patches added patches: 9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch nilfs2-use-refcount_dec_and_lock-to-fix-potential-uaf.patch perf-test-fix-bpf-test-sample-mismatch-reporting.patch perf-tools-allow-build-id-with-trailing-zeros.patch pm-sleep-core-avoid-setting-power.must_resume-to-false.patch prctl-allow-to-setup-brk-for-et_dyn-executables.patch profiling-fix-shift-out-of-bounds-bugs.patch pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch --- diff --git a/queue-5.10/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch b/queue-5.10/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch new file mode 100644 index 00000000000..803098265e9 --- /dev/null +++ b/queue-5.10/9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch @@ -0,0 +1,41 @@ +From f997ea3b7afc108eb9761f321b57de2d089c7c48 Mon Sep 17 00:00:00 2001 +From: Xie Yongji +Date: Mon, 17 May 2021 16:35:57 +0800 +Subject: 9p/trans_virtio: Remove sysfs file on probe failure + +From: Xie Yongji + +commit f997ea3b7afc108eb9761f321b57de2d089c7c48 upstream. + +This ensures we don't leak the sysfs file if we failed to +allocate chan->vc_wq during probe. + +Link: http://lkml.kernel.org/r/20210517083557.172-1-xieyongji@bytedance.com +Fixes: 86c8437383ac ("net/9p: Add sysfs mount_tag file for virtio 9P device") +Signed-off-by: Xie Yongji +Signed-off-by: Dominique Martinet +Signed-off-by: Greg Kroah-Hartman +--- + net/9p/trans_virtio.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/9p/trans_virtio.c ++++ b/net/9p/trans_virtio.c +@@ -605,7 +605,7 @@ static int p9_virtio_probe(struct virtio + chan->vc_wq = kmalloc(sizeof(wait_queue_head_t), GFP_KERNEL); + if (!chan->vc_wq) { + err = -ENOMEM; +- goto out_free_tag; ++ goto out_remove_file; + } + init_waitqueue_head(chan->vc_wq); + chan->ring_bufs_avail = 1; +@@ -623,6 +623,8 @@ static int p9_virtio_probe(struct virtio + + return 0; + ++out_remove_file: ++ sysfs_remove_file(&vdev->dev.kobj, &dev_attr_mount_tag.attr); + out_free_tag: + kfree(tag); + out_free_vq: diff --git a/queue-5.10/nilfs2-use-refcount_dec_and_lock-to-fix-potential-uaf.patch b/queue-5.10/nilfs2-use-refcount_dec_and_lock-to-fix-potential-uaf.patch new file mode 100644 index 00000000000..39f7480a6b9 --- /dev/null +++ b/queue-5.10/nilfs2-use-refcount_dec_and_lock-to-fix-potential-uaf.patch @@ -0,0 +1,98 @@ +From 98e2e409e76ef7781d8511f997359e9c504a95c1 Mon Sep 17 00:00:00 2001 +From: Zhen Lei +Date: Tue, 7 Sep 2021 20:00:26 -0700 +Subject: nilfs2: use refcount_dec_and_lock() to fix potential UAF + +From: Zhen Lei + +commit 98e2e409e76ef7781d8511f997359e9c504a95c1 upstream. + +When the refcount is decreased to 0, the resource reclamation branch is +entered. Before CPU0 reaches the race point (1), CPU1 may obtain the +spinlock and traverse the rbtree to find 'root', see +nilfs_lookup_root(). + +Although CPU1 will call refcount_inc() to increase the refcount, it is +obviously too late. CPU0 will release 'root' directly, CPU1 then +accesses 'root' and triggers UAF. + +Use refcount_dec_and_lock() to ensure that both the operations of +decrease refcount to 0 and link deletion are lock protected eliminates +this risk. + + CPU0 CPU1 + nilfs_put_root(): + <-------- (1) + spin_lock(&nilfs->ns_cptree_lock); + rb_erase(&root->rb_node, &nilfs->ns_cptree); + spin_unlock(&nilfs->ns_cptree_lock); + + kfree(root); + <-------- use-after-free + + refcount_t: underflow; use-after-free. + WARNING: CPU: 2 PID: 9476 at lib/refcount.c:28 \ + refcount_warn_saturate+0x1cf/0x210 lib/refcount.c:28 + Modules linked in: + CPU: 2 PID: 9476 Comm: syz-executor.0 Not tainted 5.10.45-rc1+ #3 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), ... + RIP: 0010:refcount_warn_saturate+0x1cf/0x210 lib/refcount.c:28 + ... ... + Call Trace: + __refcount_sub_and_test include/linux/refcount.h:283 [inline] + __refcount_dec_and_test include/linux/refcount.h:315 [inline] + refcount_dec_and_test include/linux/refcount.h:333 [inline] + nilfs_put_root+0xc1/0xd0 fs/nilfs2/the_nilfs.c:795 + nilfs_segctor_destroy fs/nilfs2/segment.c:2749 [inline] + nilfs_detach_log_writer+0x3fa/0x570 fs/nilfs2/segment.c:2812 + nilfs_put_super+0x2f/0xf0 fs/nilfs2/super.c:467 + generic_shutdown_super+0xcd/0x1f0 fs/super.c:464 + kill_block_super+0x4a/0x90 fs/super.c:1446 + deactivate_locked_super+0x6a/0xb0 fs/super.c:335 + deactivate_super+0x85/0x90 fs/super.c:366 + cleanup_mnt+0x277/0x2e0 fs/namespace.c:1118 + __cleanup_mnt+0x15/0x20 fs/namespace.c:1125 + task_work_run+0x8e/0x110 kernel/task_work.c:151 + tracehook_notify_resume include/linux/tracehook.h:188 [inline] + exit_to_user_mode_loop kernel/entry/common.c:164 [inline] + exit_to_user_mode_prepare+0x13c/0x170 kernel/entry/common.c:191 + syscall_exit_to_user_mode+0x16/0x30 kernel/entry/common.c:266 + do_syscall_64+0x45/0x80 arch/x86/entry/common.c:56 + entry_SYSCALL_64_after_hwframe+0x44/0xa9 + +There is no reproduction program, and the above is only theoretical +analysis. + +Link: https://lkml.kernel.org/r/1629859428-5906-1-git-send-email-konishi.ryusuke@gmail.com +Fixes: ba65ae4729bf ("nilfs2: add checkpoint tree to nilfs object") +Link: https://lkml.kernel.org/r/20210723012317.4146-1-thunder.leizhen@huawei.com +Signed-off-by: Zhen Lei +Signed-off-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/nilfs2/the_nilfs.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -792,14 +792,13 @@ nilfs_find_or_create_root(struct the_nil + + void nilfs_put_root(struct nilfs_root *root) + { +- if (refcount_dec_and_test(&root->count)) { +- struct the_nilfs *nilfs = root->nilfs; ++ struct the_nilfs *nilfs = root->nilfs; + +- nilfs_sysfs_delete_snapshot_group(root); +- +- spin_lock(&nilfs->ns_cptree_lock); ++ if (refcount_dec_and_lock(&root->count, &nilfs->ns_cptree_lock)) { + rb_erase(&root->rb_node, &nilfs->ns_cptree); + spin_unlock(&nilfs->ns_cptree_lock); ++ ++ nilfs_sysfs_delete_snapshot_group(root); + iput(root->ifile); + + kfree(root); diff --git a/queue-5.10/perf-test-fix-bpf-test-sample-mismatch-reporting.patch b/queue-5.10/perf-test-fix-bpf-test-sample-mismatch-reporting.patch new file mode 100644 index 00000000000..3fba3408add --- /dev/null +++ b/queue-5.10/perf-test-fix-bpf-test-sample-mismatch-reporting.patch @@ -0,0 +1,37 @@ +From 3e11300cdfd5f1bc13a05dfc6dccf69aca5dd1dc Mon Sep 17 00:00:00 2001 +From: Michael Petlan +Date: Thu, 5 Aug 2021 18:06:11 +0200 +Subject: perf test: Fix bpf test sample mismatch reporting + +From: Michael Petlan + +commit 3e11300cdfd5f1bc13a05dfc6dccf69aca5dd1dc upstream. + +When the expected sample count in the condition changed, the message +needs to be changed too, otherwise we'll get: + + 0x1001f2091d8: mmap mask[0]: + BPF filter result incorrect, expected 56, got 56 samples + +Fixes: 4b04e0decd2518e5 ("perf test: Fix basic bpf filtering test") +Signed-off-by: Michael Petlan +Cc: Jiri Olsa +Cc: Sumanth Korikkar +Link: https //lore.kernel.org/r/20210805160611.5542-1-mpetlan@redhat.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/tests/bpf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/tests/bpf.c ++++ b/tools/perf/tests/bpf.c +@@ -199,7 +199,7 @@ static int do_test(struct bpf_object *ob + } + + if (count != expect * evlist->core.nr_entries) { +- pr_debug("BPF filter result incorrect, expected %d, got %d samples\n", expect, count); ++ pr_debug("BPF filter result incorrect, expected %d, got %d samples\n", expect * evlist->core.nr_entries, count); + goto out_delete_evlist; + } + diff --git a/queue-5.10/perf-tools-allow-build-id-with-trailing-zeros.patch b/queue-5.10/perf-tools-allow-build-id-with-trailing-zeros.patch new file mode 100644 index 00000000000..8f530f2d688 --- /dev/null +++ b/queue-5.10/perf-tools-allow-build-id-with-trailing-zeros.patch @@ -0,0 +1,65 @@ +From 4a86d41404005a3c7e7b6065e8169ac6202887a9 Mon Sep 17 00:00:00 2001 +From: Namhyung Kim +Date: Fri, 10 Sep 2021 15:46:30 -0700 +Subject: perf tools: Allow build-id with trailing zeros + +From: Namhyung Kim + +commit 4a86d41404005a3c7e7b6065e8169ac6202887a9 upstream. + +Currently perf saves a build-id with size but old versions assumes the +size of 20. In case the build-id is less than 20 (like for MD5), it'd +fill the rest with 0s. + +I saw a problem when old version of perf record saved a binary in the +build-id cache and new version of perf reads the data. The symbols +should be read from the build-id cache (as the path no longer has the +same binary) but it failed due to mismatch in the build-id. + + symsrc__init: build id mismatch for /home/namhyung/.debug/.build-id/53/e4c2f42a4c61a2d632d92a72afa08f00000000/elf. + +The build-id event in the data has 20 byte build-ids, but it saw a +different size (16) when it reads the build-id of the elf file in the +build-id cache. + + $ readelf -n ~/.debug/.build-id/53/e4c2f42a4c61a2d632d92a72afa08f00000000/elf + + Displaying notes found in: .note.gnu.build-id + Owner Data size Description + GNU 0x00000010 NT_GNU_BUILD_ID (unique build ID bitstring) + Build ID: 53e4c2f42a4c61a2d632d92a72afa08f + +Let's fix this by allowing trailing zeros if the size is different. + +Fixes: 39be8d0115b321ed ("perf tools: Pass build_id object to dso__build_id_equal()") +Signed-off-by: Namhyung Kim +Acked-by: Jiri Olsa +Cc: Andi Kleen +Cc: Ian Rogers +Cc: Peter Zijlstra +Link: http://lore.kernel.org/lkml/20210910224630.1084877-1-namhyung@kernel.org +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman +--- + tools/perf/util/dso.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/tools/perf/util/dso.c ++++ b/tools/perf/util/dso.c +@@ -1336,6 +1336,16 @@ void dso__set_build_id(struct dso *dso, + + bool dso__build_id_equal(const struct dso *dso, struct build_id *bid) + { ++ if (dso->bid.size > bid->size && dso->bid.size == BUILD_ID_SIZE) { ++ /* ++ * For the backward compatibility, it allows a build-id has ++ * trailing zeros. ++ */ ++ return !memcmp(dso->bid.data, bid->data, bid->size) && ++ !memchr_inv(&dso->bid.data[bid->size], 0, ++ dso->bid.size - bid->size); ++ } ++ + return dso->bid.size == bid->size && + memcmp(dso->bid.data, bid->data, dso->bid.size) == 0; + } diff --git a/queue-5.10/pm-sleep-core-avoid-setting-power.must_resume-to-false.patch b/queue-5.10/pm-sleep-core-avoid-setting-power.must_resume-to-false.patch new file mode 100644 index 00000000000..1ac86d31045 --- /dev/null +++ b/queue-5.10/pm-sleep-core-avoid-setting-power.must_resume-to-false.patch @@ -0,0 +1,51 @@ +From 4a9344cd0aa4499beb3772bbecb40bb78888c0e1 Mon Sep 17 00:00:00 2001 +From: Prasad Sodagudi +Date: Tue, 7 Sep 2021 04:24:23 -0700 +Subject: PM: sleep: core: Avoid setting power.must_resume to false + +From: Prasad Sodagudi + +commit 4a9344cd0aa4499beb3772bbecb40bb78888c0e1 upstream. + +There are variables(power.may_skip_resume and dev->power.must_resume) +and DPM_FLAG_MAY_SKIP_RESUME flags to control the resume of devices after +a system wide suspend transition. + +Setting the DPM_FLAG_MAY_SKIP_RESUME flag means that the driver allows +its "noirq" and "early" resume callbacks to be skipped if the device +can be left in suspend after a system-wide transition into the working +state. PM core determines that the driver's "noirq" and "early" resume +callbacks should be skipped or not with dev_pm_skip_resume() function by +checking power.may_skip_resume variable. + +power.must_resume variable is getting set to false in __device_suspend() +function without checking device's DPM_FLAG_MAY_SKIP_RESUME settings. +In problematic scenario, where all the devices in the suspend_late +stage are successful and some device can fail to suspend in +suspend_noirq phase. So some devices successfully suspended in suspend_late +stage are not getting chance to execute __device_suspend_noirq() +to set dev->power.must_resume variable to true and not getting +resumed in early_resume phase. + +Add a check for device's DPM_FLAG_MAY_SKIP_RESUME flag before +setting power.must_resume variable in __device_suspend function. + +Fixes: 6e176bf8d461 ("PM: sleep: core: Do not skip callbacks in the resume phase") +Signed-off-by: Prasad Sodagudi +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/power/main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1644,7 +1644,7 @@ static int __device_suspend(struct devic + } + + dev->power.may_skip_resume = true; +- dev->power.must_resume = false; ++ dev->power.must_resume = !dev_pm_test_driver_flags(dev, DPM_FLAG_MAY_SKIP_RESUME); + + dpm_watchdog_set(&wd, dev); + device_lock(dev); diff --git a/queue-5.10/prctl-allow-to-setup-brk-for-et_dyn-executables.patch b/queue-5.10/prctl-allow-to-setup-brk-for-et_dyn-executables.patch new file mode 100644 index 00000000000..167d6b746d5 --- /dev/null +++ b/queue-5.10/prctl-allow-to-setup-brk-for-et_dyn-executables.patch @@ -0,0 +1,80 @@ +From e1fbbd073137a9d63279f6bf363151a938347640 Mon Sep 17 00:00:00 2001 +From: Cyrill Gorcunov +Date: Tue, 7 Sep 2021 20:00:41 -0700 +Subject: prctl: allow to setup brk for et_dyn executables + +From: Cyrill Gorcunov + +commit e1fbbd073137a9d63279f6bf363151a938347640 upstream. + +Keno Fischer reported that when a binray loaded via ld-linux-x the +prctl(PR_SET_MM_MAP) doesn't allow to setup brk value because it lays +before mm:end_data. + +For example a test program shows + + | # ~/t + | + | start_code 401000 + | end_code 401a15 + | start_stack 7ffce4577dd0 + | start_data 403e10 + | end_data 40408c + | start_brk b5b000 + | sbrk(0) b5b000 + +and when executed via ld-linux + + | # /lib64/ld-linux-x86-64.so.2 ~/t + | + | start_code 7fc25b0a4000 + | end_code 7fc25b0c4524 + | start_stack 7fffcc6b2400 + | start_data 7fc25b0ce4c0 + | end_data 7fc25b0cff98 + | start_brk 55555710c000 + | sbrk(0) 55555710c000 + +This of course prevent criu from restoring such programs. Looking into +how kernel operates with brk/start_brk inside brk() syscall I don't see +any problem if we allow to setup brk/start_brk without checking for +end_data. Even if someone pass some weird address here on a purpose then +the worst possible result will be an unexpected unmapping of existing vma +(own vma, since prctl works with the callers memory) but test for +RLIMIT_DATA is still valid and a user won't be able to gain more memory in +case of expanding VMAs via new values shipped with prctl call. + +Link: https://lkml.kernel.org/r/20210121221207.GB2174@grain +Fixes: bbdc6076d2e5 ("binfmt_elf: move brk out of mmap when doing direct loader exec") +Signed-off-by: Cyrill Gorcunov +Reported-by: Keno Fischer +Acked-by: Andrey Vagin +Tested-by: Andrey Vagin +Cc: Dmitry Safonov <0x7f454c46@gmail.com> +Cc: Kirill Tkhai +Cc: Eric W. Biederman +Cc: Pavel Tikhomirov +Cc: Alexander Mikhalitsyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/sys.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1942,13 +1942,6 @@ static int validate_prctl_map_addr(struc + error = -EINVAL; + + /* +- * @brk should be after @end_data in traditional maps. +- */ +- if (prctl_map->start_brk <= prctl_map->end_data || +- prctl_map->brk <= prctl_map->end_data) +- goto out; +- +- /* + * Neither we should allow to override limits if they set. + */ + if (check_data_rlimit(rlimit(RLIMIT_DATA), prctl_map->brk, diff --git a/queue-5.10/profiling-fix-shift-out-of-bounds-bugs.patch b/queue-5.10/profiling-fix-shift-out-of-bounds-bugs.patch new file mode 100644 index 00000000000..c4d275d0446 --- /dev/null +++ b/queue-5.10/profiling-fix-shift-out-of-bounds-bugs.patch @@ -0,0 +1,98 @@ +From 2d186afd04d669fe9c48b994c41a7405a3c9f16d Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 7 Sep 2021 19:58:21 -0700 +Subject: profiling: fix shift-out-of-bounds bugs + +From: Pavel Skripkin + +commit 2d186afd04d669fe9c48b994c41a7405a3c9f16d upstream. + +Syzbot reported shift-out-of-bounds bug in profile_init(). +The problem was in incorrect prof_shift. Since prof_shift value comes from +userspace we need to clamp this value into [0, BITS_PER_LONG -1] +boundaries. + +Second possible shiht-out-of-bounds was found by Tetsuo: +sample_step local variable in read_profile() had "unsigned int" type, +but prof_shift allows to make a BITS_PER_LONG shift. So, to prevent +possible shiht-out-of-bounds sample_step type was changed to +"unsigned long". + +Also, "unsigned short int" will be sufficient for storing +[0, BITS_PER_LONG] value, that's why there is no need for +"unsigned long" prof_shift. + +Link: https://lkml.kernel.org/r/20210813140022.5011-1-paskripkin@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+e68c89a9510c159d9684@syzkaller.appspotmail.com +Suggested-by: Tetsuo Handa +Signed-off-by: Pavel Skripkin +Cc: Thomas Gleixner +Cc: Steven Rostedt +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + kernel/profile.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/kernel/profile.c ++++ b/kernel/profile.c +@@ -41,7 +41,8 @@ struct profile_hit { + #define NR_PROFILE_GRP (NR_PROFILE_HIT/PROFILE_GRPSZ) + + static atomic_t *prof_buffer; +-static unsigned long prof_len, prof_shift; ++static unsigned long prof_len; ++static unsigned short int prof_shift; + + int prof_on __read_mostly; + EXPORT_SYMBOL_GPL(prof_on); +@@ -67,8 +68,8 @@ int profile_setup(char *str) + if (str[strlen(sleepstr)] == ',') + str += strlen(sleepstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel sleep profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel sleep profiling enabled (shift: %u)\n", + prof_shift); + #else + pr_warn("kernel sleep profiling requires CONFIG_SCHEDSTATS\n"); +@@ -78,21 +79,21 @@ int profile_setup(char *str) + if (str[strlen(schedstr)] == ',') + str += strlen(schedstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel schedule profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel schedule profiling enabled (shift: %u)\n", + prof_shift); + } else if (!strncmp(str, kvmstr, strlen(kvmstr))) { + prof_on = KVM_PROFILING; + if (str[strlen(kvmstr)] == ',') + str += strlen(kvmstr) + 1; + if (get_option(&str, &par)) +- prof_shift = par; +- pr_info("kernel KVM profiling enabled (shift: %ld)\n", ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); ++ pr_info("kernel KVM profiling enabled (shift: %u)\n", + prof_shift); + } else if (get_option(&str, &par)) { +- prof_shift = par; ++ prof_shift = clamp(par, 0, BITS_PER_LONG - 1); + prof_on = CPU_PROFILING; +- pr_info("kernel profiling enabled (shift: %ld)\n", ++ pr_info("kernel profiling enabled (shift: %u)\n", + prof_shift); + } + return 1; +@@ -468,7 +469,7 @@ read_profile(struct file *file, char __u + unsigned long p = *ppos; + ssize_t read; + char *pnt; +- unsigned int sample_step = 1 << prof_shift; ++ unsigned long sample_step = 1UL << prof_shift; + + profile_flip_buffers(); + if (p >= (prof_len+1)*sizeof(unsigned int)) diff --git a/queue-5.10/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch b/queue-5.10/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch new file mode 100644 index 00000000000..1d8fa44286d --- /dev/null +++ b/queue-5.10/pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch @@ -0,0 +1,55 @@ +From 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Wed, 7 Jul 2021 18:27:49 +0200 +Subject: pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 3d2813fb17e5fd0d73c1d1442ca0192bde4af10e upstream. + +This fixes a race condition: After pwmchip_add() is called there might +already be a consumer and then modifying the hardware behind the +consumer's back is bad. So set the default before. + +(Side-note: I don't know what this register setting actually does, if +this modifies the polarity there is an inconsistency because the +inversed polarity isn't considered if the PWM is already running during +.probe().) + +Fixes: acfd92fdfb93 ("pwm: lpc32xx: Set PWM_PIN_LEVEL bit to default value") +Cc: Sylvain Lemieux +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-lpc32xx.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/pwm/pwm-lpc32xx.c ++++ b/drivers/pwm/pwm-lpc32xx.c +@@ -120,17 +120,17 @@ static int lpc32xx_pwm_probe(struct plat + lpc32xx->chip.npwm = 1; + lpc32xx->chip.base = -1; + ++ /* If PWM is disabled, configure the output to the default value */ ++ val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ val &= ~PWM_PIN_LEVEL; ++ writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); ++ + ret = pwmchip_add(&lpc32xx->chip); + if (ret < 0) { + dev_err(&pdev->dev, "failed to add PWM chip, error %d\n", ret); + return ret; + } + +- /* When PWM is disable, configure the output to the default value */ +- val = readl(lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); +- val &= ~PWM_PIN_LEVEL; +- writel(val, lpc32xx->base + (lpc32xx->chip.pwms[0].hwpwm << 2)); +- + platform_set_drvdata(pdev, lpc32xx); + + return 0; diff --git a/queue-5.10/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch b/queue-5.10/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch new file mode 100644 index 00000000000..ef7d86a358f --- /dev/null +++ b/queue-5.10/pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch @@ -0,0 +1,60 @@ +From 020162d6f49f2963062229814a56a89c86cbeaa8 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Uwe=20Kleine-K=C3=B6nig?= +Date: Wed, 7 Jul 2021 18:27:50 +0200 +Subject: pwm: mxs: Don't modify HW state in .probe() after the PWM chip was registered +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Uwe Kleine-König + +commit 020162d6f49f2963062229814a56a89c86cbeaa8 upstream. + +This fixes a race condition: After pwmchip_add() is called there might +already be a consumer and then modifying the hardware behind the +consumer's back is bad. So reset before calling pwmchip_add(). + +Note that reseting the hardware isn't the right thing to do if the PWM +is already running as it might e.g. disable (or even enable) a backlight +that is supposed to be on (or off). + +Fixes: 4dce82c1e840 ("pwm: add pwm-mxs support") +Cc: Sascha Hauer +Cc: Shawn Guo +Signed-off-by: Uwe Kleine-König +Signed-off-by: Thierry Reding +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pwm/pwm-mxs.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/pwm/pwm-mxs.c ++++ b/drivers/pwm/pwm-mxs.c +@@ -148,6 +148,11 @@ static int mxs_pwm_probe(struct platform + return ret; + } + ++ /* FIXME: Only do this if the PWM isn't already running */ ++ ret = stmp_reset_block(mxs->base); ++ if (ret) ++ return dev_err_probe(&pdev->dev, ret, "failed to reset PWM\n"); ++ + ret = pwmchip_add(&mxs->chip); + if (ret < 0) { + dev_err(&pdev->dev, "failed to add pwm chip %d\n", ret); +@@ -156,15 +161,7 @@ static int mxs_pwm_probe(struct platform + + platform_set_drvdata(pdev, mxs); + +- ret = stmp_reset_block(mxs->base); +- if (ret) +- goto pwm_remove; +- + return 0; +- +-pwm_remove: +- pwmchip_remove(&mxs->chip); +- return ret; + } + + static int mxs_pwm_remove(struct platform_device *pdev) diff --git a/queue-5.10/series b/queue-5.10/series index 67f0f87123f..ab9d349c990 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -14,3 +14,13 @@ staging-rtl8192u-fix-bitwise-vs-logical-operator-in-translaterxsignalstuff819xus coredump-fix-memleak-in-dump_vma_snapshot.patch um-virtio_uml-fix-memory-leak-on-init-failures.patch dmaengine-acpi-avoid-comparison-gsi-with-linux-virq.patch +perf-test-fix-bpf-test-sample-mismatch-reporting.patch +perf-tools-allow-build-id-with-trailing-zeros.patch +thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch +9p-trans_virtio-remove-sysfs-file-on-probe-failure.patch +prctl-allow-to-setup-brk-for-et_dyn-executables.patch +nilfs2-use-refcount_dec_and_lock-to-fix-potential-uaf.patch +profiling-fix-shift-out-of-bounds-bugs.patch +pm-sleep-core-avoid-setting-power.must_resume-to-false.patch +pwm-lpc32xx-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch +pwm-mxs-don-t-modify-hw-state-in-.probe-after-the-pwm-chip-was-registered.patch diff --git a/queue-5.10/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch b/queue-5.10/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch new file mode 100644 index 00000000000..52b4a869ce4 --- /dev/null +++ b/queue-5.10/thermal-drivers-exynos-fix-an-error-code-in-exynos_tmu_probe.patch @@ -0,0 +1,32 @@ +From 02d438f62c05f0d055ceeedf12a2f8796b258c08 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 10 Aug 2021 11:44:13 +0300 +Subject: thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() + +From: Dan Carpenter + +commit 02d438f62c05f0d055ceeedf12a2f8796b258c08 upstream. + +This error path return success but it should propagate the negative +error code from devm_clk_get(). + +Fixes: 6c247393cfdd ("thermal: exynos: Add TMU support for Exynos7 SoC") +Signed-off-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Daniel Lezcano +Link: https://lore.kernel.org/r/20210810084413.GA23810@kili +Signed-off-by: Greg Kroah-Hartman +--- + drivers/thermal/samsung/exynos_tmu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/thermal/samsung/exynos_tmu.c ++++ b/drivers/thermal/samsung/exynos_tmu.c +@@ -1073,6 +1073,7 @@ static int exynos_tmu_probe(struct platf + data->sclk = devm_clk_get(&pdev->dev, "tmu_sclk"); + if (IS_ERR(data->sclk)) { + dev_err(&pdev->dev, "Failed to get sclk\n"); ++ ret = PTR_ERR(data->sclk); + goto err_clk; + } else { + ret = clk_prepare_enable(data->sclk);