From 263b47f5131dfa0b9fe21efe7b76fd982baa9f0b Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 30 May 2021 16:46:34 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
perf-jevents-fix-getting-maximum-number-of-fds.patch
---
...t-generate-an-interrupt-on-bus-reset.patch | 56 ++++++++++++++++
...er-deref-on-read-message-after-write.patch | 67 +++++++++++++++++++
...ts-fix-getting-maximum-number-of-fds.patch | 41 ++++++++++++
queue-4.14/series | 3 +
4 files changed, 167 insertions(+)
create mode 100644 queue-4.14/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
create mode 100644 queue-4.14/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
create mode 100644 queue-4.14/perf-jevents-fix-getting-maximum-number-of-fds.patch
diff --git a/queue-4.14/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch b/queue-4.14/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
new file mode 100644
index 00000000000..91ebec93a9b
--- /dev/null
+++ b/queue-4.14/i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
@@ -0,0 +1,56 @@
+From e4d8716c3dcec47f1557024add24e1f3c09eb24b Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Tue, 25 May 2021 17:03:36 +0200
+Subject: i2c: i801: Don't generate an interrupt on bus reset
+
+From: Jean Delvare
+
+commit e4d8716c3dcec47f1557024add24e1f3c09eb24b upstream.
+
+Now that the i2c-i801 driver supports interrupts, setting the KILL bit
+in a attempt to recover from a timed out transaction triggers an
+interrupt. Unfortunately, the interrupt handler (i801_isr) is not
+prepared for this situation and will try to process the interrupt as
+if it was signaling the end of a successful transaction. In the case
+of a block transaction, this can result in an out-of-range memory
+access.
+
+This condition was reproduced several times by syzbot:
+https://syzkaller.appspot.com/bug?extid=ed71512d469895b5b34e
+https://syzkaller.appspot.com/bug?extid=8c8dedc0ba9e03f6c79e
+https://syzkaller.appspot.com/bug?extid=c8ff0b6d6c73d81b610e
+https://syzkaller.appspot.com/bug?extid=33f6c360821c399d69eb
+https://syzkaller.appspot.com/bug?extid=be15dc0b1933f04b043a
+https://syzkaller.appspot.com/bug?extid=b4d3fd1dfd53e90afd79
+
+So disable interrupts while trying to reset the bus. Interrupts will
+be enabled again for the following transaction.
+
+Fixes: 636752bcb517 ("i2c-i801: Enable IRQ for SMBus transactions")
+Reported-by: syzbot+b4d3fd1dfd53e90afd79@syzkaller.appspotmail.com
+Signed-off-by: Jean Delvare
+Acked-by: Andy Shevchenko
+Cc: Jarkko Nikula
+Tested-by: Jarkko Nikula
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-i801.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -379,11 +379,9 @@ static int i801_check_post(struct i801_p
+ dev_err(&priv->pci_dev->dev, "Transaction timeout\n");
+ /* try to stop the current command */
+ dev_dbg(&priv->pci_dev->dev, "Terminating the current operation\n");
+- outb_p(inb_p(SMBHSTCNT(priv)) | SMBHSTCNT_KILL,
+- SMBHSTCNT(priv));
++ outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv));
+ usleep_range(1000, 2000);
+- outb_p(inb_p(SMBHSTCNT(priv)) & (~SMBHSTCNT_KILL),
+- SMBHSTCNT(priv));
++ outb_p(0, SMBHSTCNT(priv));
+
+ /* Check if it worked */
+ status = inb_p(SMBHSTSTS(priv));
diff --git a/queue-4.14/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch b/queue-4.14/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
new file mode 100644
index 00000000000..7b63f15837d
--- /dev/null
+++ b/queue-4.14/i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
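Review bot: The two new stores in i801_check_post write raw values into SMBHSTCNT (`outb_p(SMBHSTCNT_KILL, SMBHSTCNT(priv))` and `outb_p(0, SMBHSTCNT(priv))`), which discards every other control bit the register held, and nothing in the code says that dropping INTREN is the point. The commit message carries that reasoning, so the next reader sees two bare constants and may be tempted to restore the read-modify-write that reintroduces the interrupt. I would put above the first write: `/* Raw write, INTREN cleared: a KILL with interrupts enabled fires i801_isr, which would treat it as a completed transaction. The next transaction re-enables INTREN. */`. This also relies on no interrupt being already pending when the KILL is written; whether that can happen is not visible in the hunk and is worth confirming. i801_check_post starts and ends outside the hunk.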
@@ -0,0 +1,67 @@
+From 24990423267ec283b9d86f07f362b753eb9b0ed5 Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Wed, 26 May 2021 08:39:37 -0400
+Subject: i2c: s3c2410: fix possible NULL pointer deref on read message after write
+
+From: Krzysztof Kozlowski
+
+commit 24990423267ec283b9d86f07f362b753eb9b0ed5 upstream.
+
+Interrupt handler processes multiple message write requests one after
+another, till the driver message queue is drained. However if driver
+encounters a read message without preceding START, it stops the I2C
+transfer as it is an invalid condition for the controller. At least the
+comment describes a requirement "the controller forces us to send a new
+START when we change direction". This stop results in clearing the
+message queue (i2c->msg = NULL).
+
+The code however immediately jumped back to label "retry_write" which
+dereferenced the "i2c->msg" making it a possible NULL pointer
+dereference.
+
+The Coverity analysis:
+1. Condition !is_msgend(i2c), taking false branch.
+ if (!is_msgend(i2c)) {
+
+2. Condition !is_lastmsg(i2c), taking true branch.
+ } else if (!is_lastmsg(i2c)) {
+
+3. Condition i2c->msg->flags & 1, taking true branch.
+ if (i2c->msg->flags & I2C_M_RD) {
+
+4. write_zero_model: Passing i2c to s3c24xx_i2c_stop, which sets i2c->msg to NULL.
+ s3c24xx_i2c_stop(i2c, -EINVAL);
+
+5. Jumping to label retry_write.
+ goto retry_write;
+
+6. var_deref_model: Passing i2c to is_msgend, which dereferences null i2c->msg.
+ if (!is_msgend(i2c)) {"
+
+All previous calls to s3c24xx_i2c_stop() in this interrupt service
+routine are followed by jumping to end of function (acknowledging
+the interrupt and returning). This seems a reasonable choice also here
+since message buffer was entirely emptied.
+
+Addresses-Coverity: Explicit null dereferenced
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/i2c/busses/i2c-s3c2410.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/busses/i2c-s3c2410.c
++++ b/drivers/i2c/busses/i2c-s3c2410.c
+@@ -495,7 +495,10 @@ static int i2c_s3c_irq_nextbyte(struct s
+ * forces us to send a new START
+ * when we change direction
+ */
++ dev_dbg(i2c->dev,
++ "missing START before write->read\n");
+ s3c24xx_i2c_stop(i2c, -EINVAL);
++ break;
+ }
+
+ goto retry_write;
diff --git a/queue-4.14/perf-jevents-fix-getting-maximum-number-of-fds.patch b/queue-4.14/perf-jevents-fix-getting-maximum-number-of-fds.patch
new file mode 100644
index 00000000000..fe14c36c956
--- /dev/null
+++ b/queue-4.14/perf-jevents-fix-getting-maximum-number-of-fds.patch
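Review bot: The added `break;` after `s3c24xx_i2c_stop(i2c, -EINVAL);` is the only thing keeping the NULL i2c->msg away from `goto retry_write`, but the construct it leaves (the switch or loop enclosing this write/read check) is outside the hunk, so a reader cannot see from here that it lands on the interrupt-ack path the commit message describes. The message says the other s3c24xx_i2c_stop() callers in this handler jump to the end of the function; if they do so through a label, a `goto` to that same label here would state the intent and survive a later refactor that wraps this block in a loop, where a bare `break` would silently change meaning. Failing that, a one-line comment before the break, `/* msg is NULL now: leave the state machine and ack the IRQ */`, would do. i2c_s3c_irq_nextbyte starts and ends outside the hunk.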
@@ -0,0 +1,41 @@
+From 75ea44e356b5de8c817f821c9dd68ae329e82add Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Tue, 25 May 2021 18:07:58 +0200
+Subject: perf jevents: Fix getting maximum number of fds
+
+From: Felix Fietkau
+
+commit 75ea44e356b5de8c817f821c9dd68ae329e82add upstream.
+
+On some hosts, rlim.rlim_max can be returned as RLIM_INFINITY.
+By casting it to int, it is interpreted as -1, which will cause get_maxfds
+to return 0, causing "Invalid argument" errors in nftw() calls.
+Fix this by casting the second argument of min() to rlim_t instead.
+
+Fixes: 80eeb67fe577 ("perf jevents: Program to convert JSON file")
+Signed-off-by: Felix Fietkau
+Cc: Alexander Shishkin
+Cc: Andi Kleen
+Cc: Jiri Olsa
+Cc: Mark Rutland
+Cc: Namhyung Kim
+Cc: Peter Zijlstra
+Cc: Sukadev Bhattiprolu
+Link: http://lore.kernel.org/lkml/20210525160758.97829-1-nbd@nbd.name
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/perf/pmu-events/jevents.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/perf/pmu-events/jevents.c
++++ b/tools/perf/pmu-events/jevents.c
+@@ -695,7 +695,7 @@ static int get_maxfds(void)
+ struct rlimit rlim;
+
+ if (getrlimit(RLIMIT_NOFILE, &rlim) == 0)
+- return min((int)rlim.rlim_max / 2, 512);
++ return min(rlim.rlim_max / 2, (rlim_t)512);
+
+ return 512;
+ }
diff --git a/queue-4.14/series b/queue-4.14/series
index f3e2b831fd4..f7f21e9dd6e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -39,3 +39,6 @@ drm-meson-fix-shutdown-crash-when-component-not-probed.patch
 net-mlx4-fix-eeprom-dump-support.patch
 revert-net-tipc-fix-a-double-free-in-tipc_sk_mcast_rcv.patch
 tipc-skb_linearize-the-head-skb-when-reassembling-msgs.patch
+i2c-s3c2410-fix-possible-null-pointer-deref-on-read-message-after-write.patch
+i2c-i801-don-t-generate-an-interrupt-on-bus-reset.patch
+perf-jevents-fix-getting-maximum-number-of-fds.patch
-- 2.47.3
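Review bot: The new `return min(rlim.rlim_max / 2, (rlim_t)512);` produces an rlim_t that is implicitly narrowed to get_maxfds's int return type; that is safe only because the 512 cap bounds the value, and a comment such as `/* capped at 512, so the rlim_t -> int narrowing cannot overflow */` would keep a later change to the cap from reintroducing the sign bug this fixes. A hard limit of 0 or 1 still makes this return 0, the value the commit message says drives nftw() to EINVAL; if that case is worth handling, clamp the result to at least 1 before returning. get_maxfds's signature is visible only in the hunk header, while its body appears complete within the hunk.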