From 3f75edade927c2aaf321a6b05e6a59f0b195fdcc Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 14 Nov 2021 21:43:16 -0500 Subject: [PATCH] Fixes for 4.4 
Signed-off-by: Sasha Levin --- ...ept-charges-over-the-design-capacity.patch | 44 ++++ ...luating-methods-too-early-during-sys.patch | 130 ++++++++++++ ...m-9136-1-armv7-m-uses-be-8-not-be-32.patch | 47 ++++ ...t-rely-on-lr-register-for-stacktrace.patch | 46 ++++ ...4xx-fix-return-value-check-for-s3c24.patch | 60 ++++++ ...detector-fix-possible-null-pointer-d.patch | 53 +++++ ...ntial-interrupt-storm-on-queue-reset.patch | 99 +++++++++ queue-4.4/b43-fix-a-lower-bounds-test.patch | 47 ++++ .../b43legacy-fix-a-lower-bounds-test.patch | 47 ++++ ...e-after-free-error-in-lock_sock_nest.patch | 139 ++++++++++++ ...x-lock_sock-blockage-by-memcpy_from_.patch | 96 +++++++++ ...e-after-free-problem-when-bond_sysfs.patch | 200 ++++++++++++++++++ ...-kobject-memory-leaks-in-error-paths.patch | 70 ++++++ ...to-pcrypt-delay-write-to-padata-info.patch | 85 ++++++++ ...-qat-detect-pfvf-collision-after-ack.patch | 46 ++++ ...at_xdmac-fix-at_xdmac_cc_perid-macro.patch | 41 ++++ ...itialized-variable-in-msm_gem_import.patch | 52 +++++ ...64_cmpxchg_debug-without-config_prin.patch | 53 +++++ ...vm-disable-rx-diversity-in-powersave.patch | 39 ++++ queue-4.4/jfs-fix-memleak-in-jfs_mount.patch | 158 ++++++++++++++ ...rlapping-memcpy-with-invalid-input-w.patch | 91 ++++++++ ...the-value-before-assigning-it-to-an-.patch | 51 +++++ ...sible-memory-leak-in-probe-and-disco.patch | 72 +++++++ ...possible-memory-leak-in-probe-and-di.patch | 72 +++++++ ...bound-array-index-in-llc_sk_dev_hash.patch | 68 ++++++ ...t-a-default-value-for-memory_reserve.patch | 50 +++++ ...-fix-ununit-value-in-az6027_rc_query.patch | 39 ++++ ...urn-without-resubmitting-urb-in-case.patch | 40 ++++ ...x-corrupted-frame-after-restarting-s.patch | 89 ++++++++ ...vb-handle-interrupt-properly-accordi.patch | 178 ++++++++++++++++ ...x-possible-null-pointer-dereference-.patch | 49 +++++ ...ia-si470x-avoid-card-name-truncation.patch | 54 +++++ ...b-fix-uninit-value-bug-in-dibusb_rea.patch | 41 ++++ 
...a-uvcvideo-set-capability-in-s_param.patch | 47 ++++ ...ix-leak-of-irq-and-nand_irq-in-fsl_i.patch | 73 +++++++ .../memstick-avoid-out-of-range-warning.patch | 44 ++++ ...ms-use-appropriate-free-function-in-.patch | 40 ++++ ...x-a-uaf-bug-when-removing-the-driver.patch | 80 +++++++ ...ntiq-dma-add-small-delay-after-reset.patch | 43 ++++ ...-dma-reset-correct-number-of-channel.patch | 79 +++++++ ...end-delba-requests-according-to-spec.patch | 56 +++++ ...after-free-in-mwl8k_fw_state_machine.patch | 61 ++++++ ...ci_emac-fix-interrupt-pacing-disable.patch | 59 ++++++ ...-purge-sk_error_queue-in-sk_stream_k.patch | 68 ++++++ ...ink_queue-fix-oob-when-mac-header-wa.patch | 55 +++++ ...uble-free-when-pn533_fill_fragment_s.patch | 59 ++++++ .../parisc-fix-warning-in-flush_tlb_all.patch | 68 ++++++ ...kgdb_roundup-to-make-kgdb-work-with-.patch | 78 +++++++ ...nkpad_acpi-fix-bitwise-vs.-logical-w.patch | 50 +++++ ...6-wmi-do-not-fail-if-disabling-fails.patch | 52 +++++ ...-block-device-exclusively-in-swsusp_.patch | 100 +++++++++ ...033_battery-change-voltage-values-to.patch | 42 ++++ ...-missed-an-error-if-device-doesn-t-s.patch | 42 ++++ ...initialized-data-in-csio_ln_vnp_read.patch | 40 ++++ .../scsi-dc395-fix-error-case-unwinding.patch | 43 ++++ ...rn-off-target-reset-during-issue_lip.patch | 131 ++++++++++++ ...l-8250_dw-drop-wrong-use-of-acpi_ptr.patch | 40 ++++ queue-4.4/series | 67 ++++++ ...use-after-free-in-netlbl_catmap_walk.patch | 55 +++++ ...s-use-__gfp_nofail-for-smk_cipso_doi.patch | 41 ++++ ...bl_cfg_cipsov4_del-for-deleting-cips.patch | 41 ++++ ...cefs-directories-not-set-oth-permiss.patch | 47 ++++ ...dget-hid-fix-error-code-in-do_config.patch | 40 ++++ ...psfb-use-memset_io-instead-of-memset.patch | 84 ++++++++ ...necessary-refcnt-inc-for-nonblocking.patch | 42 ++++ ..._wdt-fix-inaccurate-report-in-wdioc_.patch | 53 +++++ .../x86-increase-exception-stack-sizes.patch | 37 ++++ ...n-pciback-fix-return-in-pm_ctrl_init.patch | 40 ++++ 68 files changed, 
4443 insertions(+) create mode 100644 queue-4.4/acpi-battery-accept-charges-over-the-design-capacity.patch create mode 100644 queue-4.4/acpica-avoid-evaluating-methods-too-early-during-sys.patch create mode 100644 queue-4.4/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch create mode 100644 queue-4.4/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch create mode 100644 queue-4.4/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch create mode 100644 queue-4.4/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch create mode 100644 queue-4.4/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch create mode 100644 queue-4.4/b43-fix-a-lower-bounds-test.patch create mode 100644 queue-4.4/b43legacy-fix-a-lower-bounds-test.patch create mode 100644 queue-4.4/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch create mode 100644 queue-4.4/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch create mode 100644 queue-4.4/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch create mode 100644 queue-4.4/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch create mode 100644 queue-4.4/crypto-pcrypt-delay-write-to-padata-info.patch create mode 100644 queue-4.4/crypto-qat-detect-pfvf-collision-after-ack.patch create mode 100644 queue-4.4/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch create mode 100644 queue-4.4/drm-msm-uninitialized-variable-in-msm_gem_import.patch create mode 100644 queue-4.4/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch create mode 100644 queue-4.4/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch create mode 100644 queue-4.4/jfs-fix-memleak-in-jfs_mount.patch create mode 100644 queue-4.4/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch create mode 100644 queue-4.4/lib-xz-validate-the-value-before-assigning-it-to-an-.patch create mode 100644 queue-4.4/libertas-fix-possible-memory-leak-in-probe-and-disco.patch create mode 100644 
queue-4.4/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch create mode 100644 queue-4.4/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch create mode 100644 queue-4.4/m68k-set-a-default-value-for-memory_reserve.patch create mode 100644 queue-4.4/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch create mode 100644 queue-4.4/media-mceusb-return-without-resubmitting-urb-in-case.patch create mode 100644 queue-4.4/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch create mode 100644 queue-4.4/media-netup_unidvb-handle-interrupt-properly-accordi.patch create mode 100644 queue-4.4/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch create mode 100644 queue-4.4/media-si470x-avoid-card-name-truncation.patch create mode 100644 queue-4.4/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch create mode 100644 queue-4.4/media-uvcvideo-set-capability-in-s_param.patch create mode 100644 queue-4.4/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch create mode 100644 queue-4.4/memstick-avoid-out-of-range-warning.patch create mode 100644 queue-4.4/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch create mode 100644 queue-4.4/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch create mode 100644 queue-4.4/mips-lantiq-dma-add-small-delay-after-reset.patch create mode 100644 queue-4.4/mips-lantiq-dma-reset-correct-number-of-channel.patch create mode 100644 queue-4.4/mwifiex-send-delba-requests-according-to-spec.patch create mode 100644 queue-4.4/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch create mode 100644 queue-4.4/net-davinci_emac-fix-interrupt-pacing-disable.patch create mode 100644 queue-4.4/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch create mode 100644 queue-4.4/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch create mode 100644 queue-4.4/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch create mode 100644 queue-4.4/parisc-fix-warning-in-flush_tlb_all.patch create 
mode 100644 queue-4.4/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch create mode 100644 queue-4.4/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch create mode 100644 queue-4.4/platform-x86-wmi-do-not-fail-if-disabling-fails.patch create mode 100644 queue-4.4/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch create mode 100644 queue-4.4/power-supply-rt5033_battery-change-voltage-values-to.patch create mode 100644 queue-4.4/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch create mode 100644 queue-4.4/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch create mode 100644 queue-4.4/scsi-dc395-fix-error-case-unwinding.patch create mode 100644 queue-4.4/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch create mode 100644 queue-4.4/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch create mode 100644 queue-4.4/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch create mode 100644 queue-4.4/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch create mode 100644 queue-4.4/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch create mode 100644 queue-4.4/tracefs-have-tracefs-directories-not-set-oth-permiss.patch create mode 100644 queue-4.4/usb-gadget-hid-fix-error-code-in-do_config.patch create mode 100644 queue-4.4/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch create mode 100644 queue-4.4/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch create mode 100644 queue-4.4/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch create mode 100644 queue-4.4/x86-increase-exception-stack-sizes.patch create mode 100644 queue-4.4/xen-pciback-fix-return-in-pm_ctrl_init.patch diff --git a/queue-4.4/acpi-battery-accept-charges-over-the-design-capacity.patch b/queue-4.4/acpi-battery-accept-charges-over-the-design-capacity.patch new file mode 100644 index 00000000000..31b75dd4225 --- /dev/null +++ b/queue-4.4/acpi-battery-accept-charges-over-the-design-capacity.patch 
@@ -0,0 +1,44 @@
+From d92657b0567606955b04029221ab16f14c66fe1e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Oct 2021 00:05:29 -0300
+Subject: ACPI: battery: Accept charges over the design capacity as full
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: André Almeida
+
+[ Upstream commit 2835f327bd1240508db2c89fe94a056faa53c49a ]
+
+Some buggy firmware and/or brand new batteries can support a charge that's
+slightly over the reported design capacity. In such cases, the kernel will
+report to userspace that the charging state of the battery is "Unknown",
+when in reality the battery charge is "Full", at least from the design
+capacity point of view. Make the fallback condition accepts capacities
+over the designed capacity so userspace knows that is full.
+
+Signed-off-by: André Almeida
+Reviewed-by: Hans de Goede
+Reviewed-by: Sebastian Reichel
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/battery.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
+index b719ab3090bb2..e4f1cb67ba127 100644
+--- a/drivers/acpi/battery.c
++++ b/drivers/acpi/battery.c
+@@ -187,7 +187,7 @@ static int acpi_battery_is_charged(struct acpi_battery *battery)
+ return 1;
+ 
+ /* fallback to using design values for broken batteries */
+- if (battery->design_capacity == battery->capacity_now)
++ if (battery->design_capacity <= battery->capacity_now)
+ return 1;
+ 
+ /* we don't do any sort of metric based on percentages */
+-- 
+2.33.0
+
diff --git a/queue-4.4/acpica-avoid-evaluating-methods-too-early-during-sys.patch b/queue-4.4/acpica-avoid-evaluating-methods-too-early-during-sys.patch
new file mode 100644
index 00000000000..9b6cfbcaf1c
--- /dev/null
+++ b/queue-4.4/acpica-avoid-evaluating-methods-too-early-during-sys.patch
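Review bot: The relaxed test `if (battery->design_capacity <= battery->capacity_now)` now returns 1 for every capacity_now value above the design capacity, which includes a sentinel such as ACPI_BATTERY_VALUE_UNKNOWN unless that is already rejected earlier in acpi_battery_is_charged(); that earlier check lies outside the hunk, so it is worth confirming it exists in the 4.4 tree before this lands. The comment above the test still describes an equality fallback; I would change it to `/* fallback to using design values for broken batteries: a charge at or above design capacity counts as full */`. acpi_battery_is_charged() starts and ends outside the hunk.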
@@ -0,0 +1,130 @@
+From fbed5dbaad6b2d50ce1f191c497287dc12f66172 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 29 Sep 2021 18:31:25 +0200
+Subject: ACPICA: Avoid evaluating methods too early during system resume
+
+From: Rafael J. Wysocki
+
+[ Upstream commit d3c4b6f64ad356c0d9ddbcf73fa471e6a841cc5c ]
+
+ACPICA commit 0762982923f95eb652cf7ded27356b247c9774de
+
+During wakeup from system-wide sleep states, acpi_get_sleep_type_data()
+is called and it tries to get memory from the slab allocator in order
+to evaluate a control method, but if KFENCE is enabled in the kernel,
+the memory allocation attempt causes an IRQ work to be queued and a
+self-IPI to be sent to the CPU running the code which requires the
+memory controller to be ready, so if that happens too early in the
+wakeup path, it doesn't work.
+
+Prevent that from taking place by calling acpi_get_sleep_type_data()
+for S0 upfront, when preparing to enter a given sleep state, and
+saving the data obtained by it for later use during system wakeup.
+
+BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=214271
+Reported-by: Reik Keutterling
+Tested-by: Reik Keutterling
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Sasha Levin
+---
+ drivers/acpi/acpica/acglobal.h | 2 ++
+ drivers/acpi/acpica/hwesleep.c | 8 ++------
+ drivers/acpi/acpica/hwsleep.c | 11 ++++-------
+ drivers/acpi/acpica/hwxfsleep.c | 7 +++++++
+ 4 files changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/drivers/acpi/acpica/acglobal.h b/drivers/acpi/acpica/acglobal.h
+index faa97604d878e..f178d11597c09 100644
+--- a/drivers/acpi/acpica/acglobal.h
++++ b/drivers/acpi/acpica/acglobal.h
+@@ -256,6 +256,8 @@ extern struct acpi_bit_register_info
+ 
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a);
+ ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_a_s0);
++ACPI_GLOBAL(u8, acpi_gbl_sleep_type_b_s0);
+ 
+ /*****************************************************************************
+ *
+diff --git a/drivers/acpi/acpica/hwesleep.c b/drivers/acpi/acpica/hwesleep.c
+index e5599f6108083..e4998cc0ce283 100644
+--- a/drivers/acpi/acpica/hwesleep.c
++++ b/drivers/acpi/acpica/hwesleep.c
+@@ -184,17 +184,13 @@ acpi_status acpi_hw_extended_sleep(u8 sleep_state)
+ 
+ acpi_status acpi_hw_extended_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
+ u8 sleep_type_value;
+ 
+ ACPI_FUNCTION_TRACE(hw_extended_wake_prep);
+ 
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_value =
+- ((acpi_gbl_sleep_type_a << ACPI_X_SLEEP_TYPE_POSITION) &
++ ((acpi_gbl_sleep_type_a_s0 << ACPI_X_SLEEP_TYPE_POSITION) &
+ ACPI_X_SLEEP_TYPE_MASK);
+ 
+ (void)acpi_write((u64)(sleep_type_value | ACPI_X_SLEEP_ENABLE),
+diff --git a/drivers/acpi/acpica/hwsleep.c b/drivers/acpi/acpica/hwsleep.c
+index 7d21cae6d6028..7e44ba8c6a1ab 100644
+--- a/drivers/acpi/acpica/hwsleep.c
++++ b/drivers/acpi/acpica/hwsleep.c
+@@ -217,7 +217,7 @@ acpi_status acpi_hw_legacy_sleep(u8 sleep_state)
+ 
+ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ {
+- acpi_status status;
++ acpi_status status = AE_OK;
+ struct acpi_bit_register_info *sleep_type_reg_info;
+ struct acpi_bit_register_info *sleep_enable_reg_info;
+ u32 pm1a_control;
+@@ -230,10 +230,7 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ * This is unclear from the ACPI Spec, but it is required
+ * by some machines.
+ */
+- status = acpi_get_sleep_type_data(ACPI_STATE_S0,
+- &acpi_gbl_sleep_type_a,
+- &acpi_gbl_sleep_type_b);
+- if (ACPI_SUCCESS(status)) {
++ if (acpi_gbl_sleep_type_a_s0 != ACPI_SLEEP_TYPE_INVALID) {
+ sleep_type_reg_info =
+ acpi_hw_get_bit_register_info(ACPI_BITREG_SLEEP_TYPE);
+ sleep_enable_reg_info =
+@@ -254,9 +251,9 @@ acpi_status acpi_hw_legacy_wake_prep(u8 sleep_state)
+ 
+ /* Insert the SLP_TYP bits */
+ 
+- pm1a_control |= (acpi_gbl_sleep_type_a <<
++ pm1a_control |= (acpi_gbl_sleep_type_a_s0 <<
+ sleep_type_reg_info->bit_position);
+- pm1b_control |= (acpi_gbl_sleep_type_b <<
++ pm1b_control |= (acpi_gbl_sleep_type_b_s0 <<
+ sleep_type_reg_info->bit_position);
+ 
+ /* Write the control registers and ignore any errors */
+diff --git a/drivers/acpi/acpica/hwxfsleep.c b/drivers/acpi/acpica/hwxfsleep.c
+index d62a61612b3f1..b04e2b0f62246 100644
+--- a/drivers/acpi/acpica/hwxfsleep.c
++++ b/drivers/acpi/acpica/hwxfsleep.c
+@@ -372,6 +372,13 @@ acpi_status acpi_enter_sleep_state_prep(u8 sleep_state)
+ return_ACPI_STATUS(status);
+ }
+ 
++ status = acpi_get_sleep_type_data(ACPI_STATE_S0,
++ &acpi_gbl_sleep_type_a_s0,
++ &acpi_gbl_sleep_type_b_s0);
++ if (ACPI_FAILURE(status)) {
++ acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID;
++ }
++
+ /* Execute the _PTS method (Prepare To Sleep) */
+ 
+ arg_list.count = 1;
+-- 
+2.33.0
+
diff --git a/queue-4.4/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch b/queue-4.4/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch
new file mode 100644
index 00000000000..d758cfb08c9
--- /dev/null
+++ b/queue-4.4/arm-9136-1-armv7-m-uses-be-8-not-be-32.patch
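Review bot: Only `acpi_gbl_sleep_type_a_s0 = ACPI_SLEEP_TYPE_INVALID;` in acpi_enter_sleep_state_prep() ever assigns the sentinel, and none of the four touched files initialises the two new ACPI_GLOBAL values to it, so before the first acpi_enter_sleep_state_prep() they presumably hold zero, which passes the `!= ACPI_SLEEP_TYPE_INVALID` tests in hwesleep.c and hwsleep.c and would program SLP_TYP 0 if a wake_prep ran first. Whether a wake_prep can precede a prep is not visible here; if it can, the globals need an explicit initialisation to ACPI_SLEEP_TYPE_INVALID at startup. The failure path also resets only a_s0 while b_s0 keeps a stale value; that is safe because both readers use b_s0 only inside the a_s0 test, but a comment such as `/* a_s0 doubles as the validity flag for b_s0 */` would stop the next reader from "completing" it. The functions changed in hwesleep.c, hwsleep.c and hwxfsleep.c all start or end outside the hunks shown.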
@@ -0,0 +1,47 @@
+From 2b4a152a975c5bdbb70cd1a28a818957ec55cc93 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 18 Oct 2021 15:30:06 +0100
+Subject: ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
+
+From: Arnd Bergmann
+
+[ Upstream commit 345dac33f58894a56d17b92a41be10e16585ceff ]
+
+When configuring the kernel for big-endian, we set either BE-8 or BE-32
+based on the CPU architecture level. Until linux-4.4, we did not have
+any ARMv7-M platform allowing big-endian builds, but now i.MX/Vybrid
+is in that category, adn we get a build error because of this:
+
+arch/arm/kernel/module-plts.c: In function 'get_module_plt':
+arch/arm/kernel/module-plts.c:60:46: error: implicit declaration of function '__opcode_to_mem_thumb32' [-Werror=implicit-function-declaration]
+
+This comes down to picking the wrong default, ARMv7-M uses BE8
+like ARMv7-A does. Changing the default gets the kernel to compile
+and presumably works.
+
+https://lore.kernel.org/all/1455804123-2526139-2-git-send-email-arnd@arndb.de/
+
+Tested-by: Vladimir Murzin
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Russell King (Oracle)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mm/Kconfig | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mm/Kconfig b/arch/arm/mm/Kconfig
+index 71115afb71a05..f46089b24588f 100644
+--- a/arch/arm/mm/Kconfig
++++ b/arch/arm/mm/Kconfig
+@@ -724,7 +724,7 @@ config CPU_BIG_ENDIAN
+ config CPU_ENDIAN_BE8
+ bool
+ depends on CPU_BIG_ENDIAN
+- default CPU_V6 || CPU_V6K || CPU_V7
++ default CPU_V6 || CPU_V6K || CPU_V7 || CPU_V7M
+ help
+ Support for the BE-8 (big-endian) mode on ARMv6 and ARMv7 processors.
+
+-- 
+2.33.0
+
diff --git a/queue-4.4/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch b/queue-4.4/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch
new file mode 100644
index 00000000000..e095600d74e
--- /dev/null
+++ b/queue-4.4/arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch
@@ -0,0 +1,46 @@
+From 259aa74b6cccadb43f3e4afbb9c681f725533279 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 21 Oct 2021 09:55:17 +0900
+Subject: ARM: clang: Do not rely on lr register for stacktrace
+
+From: Masami Hiramatsu
+
+[ Upstream commit b3ea5d56f212ad81328c82454829a736197ebccc ]
+
+Currently the stacktrace on clang compiled arm kernel uses the 'lr'
+register to find the first frame address from pt_regs. However, that
+is wrong after calling another function, because the 'lr' register
+is used by 'bl' instruction and never be recovered.
+
+As same as gcc arm kernel, directly use the frame pointer (r11) of
+the pt_regs to find the first frame address.
+
+Note that this fixes kretprobe stacktrace issue only with
+CONFIG_UNWINDER_FRAME_POINTER=y. For the CONFIG_UNWINDER_ARM,
+we need another fix.
+
+Signed-off-by: Masami Hiramatsu
+Reviewed-by: Nick Desaulniers
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+---
+ arch/arm/kernel/stacktrace.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/arch/arm/kernel/stacktrace.c b/arch/arm/kernel/stacktrace.c
+index 6e8a50de40e2b..c10c1de244eba 100644
+--- a/arch/arm/kernel/stacktrace.c
++++ b/arch/arm/kernel/stacktrace.c
+@@ -51,8 +51,7 @@ int notrace unwind_frame(struct stackframe *frame)
+ 
+ frame->sp = frame->fp;
+ frame->fp = *(unsigned long *)(fp);
+- frame->pc = frame->lr;
+- frame->lr = *(unsigned long *)(fp + 4);
++ frame->pc = *(unsigned long *)(fp + 4);
+ #else
+ /* check current frame pointer is within bounds */
+ if (fp < low + 12 || fp > high - 4)
+-- 
+2.33.0
+
diff --git a/queue-4.4/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch b/queue-4.4/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch
new file mode 100644
index 00000000000..6d42a4f9a7b
--- /dev/null
+++ b/queue-4.4/arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch
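Review bot: `frame->pc = *(unsigned long *)(fp + 4);` reads through fp + 4 in the compiler-specific branch, while the only bounds check visible here, `if (fp < low + 12 || fp > high - 4)`, sits in the #else branch; please confirm that the branch above the hunk validates fp against low/high for at least the 8 bytes this read and the preceding `*(unsigned long *)(fp)` need, since unwind_frame() starts outside the hunk. With the `frame->lr` store gone, a one-line comment would record why pc now comes from the frame rather than lr, e.g. `/* lr is clobbered by bl after a call; the saved return address lives at fp + 4 */`.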
@@ -0,0 +1,60 @@
+From 76f27a4b8d09845dbba172b0eb7b6ccc39838e3e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 1 Sep 2021 20:35:57 +0800
+Subject: ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
+
+From: Jackie Liu
+
+[ Upstream commit 2aa717473ce96c93ae43a5dc8c23cedc8ce7dd9f ]
+
+The s3c24xx_init_intc() returns an error pointer upon failure, not NULL.
+let's add an error pointer check in s3c24xx_handle_irq.
+
+s3c_intc[0] is not NULL or ERR, we can simplify the code.
+
+Fixes: 1f629b7a3ced ("ARM: S3C24XX: transform irq handling into a declarative form")
+Signed-off-by: Jackie Liu
+Link: https://lore.kernel.org/r/20210901123557.1043953-1-liu.yun@linux.dev
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Sasha Levin
+---
+ drivers/irqchip/irq-s3c24xx.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/irqchip/irq-s3c24xx.c b/drivers/irqchip/irq-s3c24xx.c
+index c71914e8f596c..cd7fdce98359f 100644
+--- a/drivers/irqchip/irq-s3c24xx.c
++++ b/drivers/irqchip/irq-s3c24xx.c
+@@ -368,11 +368,25 @@ static inline int s3c24xx_handle_intc(struct s3c_irq_intc *intc,
+ asmlinkage void __exception_irq_entry s3c24xx_handle_irq(struct pt_regs *regs)
+ {
+ do {
+- if (likely(s3c_intc[0]))
+- if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
+- continue;
++ /*
++ * For platform based machines, neither ERR nor NULL can happen here.
++ * The s3c24xx_handle_irq() will be set as IRQ handler iff this succeeds:
++ *
++ * s3c_intc[0] = s3c24xx_init_intc()
++ *
++ * If this fails, the next calls to s3c24xx_init_intc() won't be executed.
++ *
++ * For DT machine, s3c_init_intc_of() could set the IRQ handler without
++ * setting s3c_intc[0] only if it was called with num_ctrl=0. There is no
++ * such code path, so again the s3c_intc[0] will have a valid pointer if
++ * set_handle_irq() is called.
++ *
++ * Therefore in s3c24xx_handle_irq(), the s3c_intc[0] is always something.
++ */
++ if (s3c24xx_handle_intc(s3c_intc[0], regs, 0))
++ continue;
+ 
+- if (s3c_intc[2])
++ if (!IS_ERR_OR_NULL(s3c_intc[2]))
+ if (s3c24xx_handle_intc(s3c_intc[2], regs, 64))
+ continue;
+ 
+-- 
+2.33.0
+
diff --git a/queue-4.4/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch b/queue-4.4/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
new file mode 100644
index 00000000000..d523743b760
--- /dev/null
+++ b/queue-4.4/ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
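Review bot: `if (!IS_ERR_OR_NULL(s3c_intc[2]))` is the only secondary-controller test this hunk updates; if the 4.4 s3c24xx_handle_irq() also tests `s3c_intc[1]` further down (the function continues past the hunk), that check has the same ERR_PTR exposure the commit message describes and should get the same `!IS_ERR_OR_NULL()` treatment in this backport. The fifteen-line comment also says more than the code needs; it could shrink to the one fact that matters, `/* s3c_intc[0] is always valid: this handler is only installed after s3c24xx_init_intc() succeeded */`, with the DT reasoning kept in the commit message.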
@@ -0,0 +1,53 @@
+From 1d0988fd3ef4c8e87641d3e7a98274f5d49faa6d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 08:38:53 -0700
+Subject: ath: dfs_pattern_detector: Fix possible null-pointer dereference in
+ channel_detector_create()
+
+From: Tuo Li
+
+[ Upstream commit 4b6012a7830b813799a7faf40daa02a837e0fd5b ]
+
+kzalloc() is used to allocate memory for cd->detectors, and if it fails,
+channel_detector_exit() behind the label fail will be called:
+ channel_detector_exit(dpd, cd);
+
+In channel_detector_exit(), cd->detectors is dereferenced through:
+ struct pri_detector *de = cd->detectors[i];
+
+To fix this possible null-pointer dereference, check cd->detectors before
+the for loop to dereference cd->detectors.
+
+Reported-by: TOTE Robot
+Signed-off-by: Tuo Li
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210805153854.154066-1-islituo@gmail.com
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/dfs_pattern_detector.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/net/wireless/ath/dfs_pattern_detector.c b/drivers/net/wireless/ath/dfs_pattern_detector.c
+index 0835828ffed77..2f4b79102a27a 100644
+--- a/drivers/net/wireless/ath/dfs_pattern_detector.c
++++ b/drivers/net/wireless/ath/dfs_pattern_detector.c
+@@ -182,10 +182,12 @@ static void channel_detector_exit(struct dfs_pattern_detector *dpd,
+ if (cd == NULL)
+ return;
+ list_del(&cd->head);
+- for (i = 0; i < dpd->num_radar_types; i++) {
+- struct pri_detector *de = cd->detectors[i];
+- if (de != NULL)
+- de->exit(de);
++ if (cd->detectors) {
++ for (i = 0; i < dpd->num_radar_types; i++) {
++ struct pri_detector *de = cd->detectors[i];
++ if (de != NULL)
++ de->exit(de);
++ }
+ }
+ kfree(cd->detectors);
+ kfree(cd);
+-- 
+2.33.0
+
diff --git a/queue-4.4/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch b/queue-4.4/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
new file mode 100644
index 00000000000..db9449b901e
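Review bot: The new `if (cd->detectors)` guard gives no hint of when cd->detectors can be NULL, and the reason lives only in the commit message; a comment above it, `/* NULL when the kzalloc() in channel_detector_create() failed and we are reached from its error path */`, would keep that knowledge next to the code. The trailing `kfree(cd->detectors);` is fine with a NULL pointer, so the guard correctly covers only the loop. channel_detector_exit() starts outside the hunk.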
--- /dev/null
+++ b/queue-4.4/ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
@@ -0,0 +1,99 @@
+From 1b39c2b36caf9ac0941cb8b0d9772f46348a8173 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 16:55:53 +0300
+Subject: ath9k: Fix potential interrupt storm on queue reset
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Linus Lüssing
+
+[ Upstream commit 4925642d541278575ad1948c5924d71ffd57ef14 ]
+
+In tests with two Lima boards from 8devices (QCA4531 based) on OpenWrt
+19.07 we could force a silent restart of a device with no serial
+output when we were sending a high amount of UDP traffic (iperf3 at 80
+MBit/s in both directions from external hosts, saturating the wifi and
+causing a load of about 4.5 to 6) and were then triggering an
+ath9k_queue_reset().
+
+Further debugging showed that the restart was caused by the ath79
+watchdog. With disabled watchdog we could observe that the device was
+constantly going into ath_isr() interrupt handler and was returning
+early after the ATH_OP_HW_RESET flag test, without clearing any
+interrupts. Even though ath9k_queue_reset() calls
+ath9k_hw_kill_interrupts().
+
+With JTAG we could observe the following race condition:
+
+1) ath9k_queue_reset()
+ ...
+ -> ath9k_hw_kill_interrupts()
+ -> set_bit(ATH_OP_HW_RESET, &common->op_flags);
+ ...
+ <- returns
+
+ 2) ath9k_tasklet()
+ ...
+ -> ath9k_hw_resume_interrupts()
+ ...
+ <- returns
+
+ 3) loops around:
+ ...
+ handle_int()
+ -> ath_isr()
+ ...
+ -> if (test_bit(ATH_OP_HW_RESET,
+ &common->op_flags))
+ return IRQ_HANDLED;
+
+ x) ath_reset_internal():
+ => never reached <=
+
+And in ath_isr() we would typically see the following interrupts /
+interrupt causes:
+
+* status: 0x00111030 or 0x00110030
+* async_cause: 2 (AR_INTR_MAC_IPQ)
+* sync_cause: 0
+
+So the ath9k_tasklet() reenables the ath9k interrupts
+through ath9k_hw_resume_interrupts() which ath9k_queue_reset() had just
+disabled. And ath_isr() then keeps firing because it returns IRQ_HANDLED
+without actually clearing the interrupt.
+
+To fix this IRQ storm also clear/disable the interrupts again when we
+are in reset state.
+
+Cc: Sven Eckelmann
+Cc: Simon Wunderlich
+Cc: Linus Lüssing
+Fixes: 872b5d814f99 ("ath9k: do not access hardware on IRQs during reset")
+Signed-off-by: Linus Lüssing
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20210914192515.9273-3-linus.luessing@c0d3.blue
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/ath/ath9k/main.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/ath/ath9k/main.c b/drivers/net/wireless/ath/ath9k/main.c
+index 298c7957dd160..52906c080e0aa 100644
+--- a/drivers/net/wireless/ath/ath9k/main.c
++++ b/drivers/net/wireless/ath/ath9k/main.c
+@@ -528,8 +528,10 @@ irqreturn_t ath_isr(int irq, void *dev)
+ ath9k_debug_sync_cause(sc, sync_cause);
+ status &= ah->imask; /* discard unasked-for bits */
+ 
+- if (test_bit(ATH_OP_HW_RESET, &common->op_flags))
++ if (test_bit(ATH_OP_HW_RESET, &common->op_flags)) {
++ ath9k_hw_kill_interrupts(sc->sc_ah);
+ return IRQ_HANDLED;
++ }
+ 
+ /*
+ * If there are no status bits set, then this interrupt was not
+-- 
+2.33.0
+
diff --git a/queue-4.4/b43-fix-a-lower-bounds-test.patch b/queue-4.4/b43-fix-a-lower-bounds-test.patch
new file mode 100644
index 00000000000..40482c4e237
--- /dev/null
+++ b/queue-4.4/b43-fix-a-lower-bounds-test.patch
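Review bot: The added `ath9k_hw_kill_interrupts(sc->sc_ah);` inside the ATH_OP_HW_RESET branch carries no comment, and the reason it is needed (ath9k_tasklet() can re-enable interrupts through ath9k_hw_resume_interrupts() after ath9k_queue_reset() disabled them, so returning IRQ_HANDLED without touching the hardware re-enters the handler indefinitely) is recorded only in the commit message. I would add above the call: `/* Re-disable: ath9k_tasklet() may have resumed interrupts after ath9k_queue_reset() killed them, and returning with them live would storm */`. ath_isr() starts and ends outside the hunk.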
@@ -0,0 +1,47 @@
+From 450308540ff4b60df9ec090cf9e08e5a68272d0f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Oct 2021 10:36:22 +0300
+Subject: b43: fix a lower bounds test
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit 9b793db5fca44d01f72d3564a168171acf7c4076 ]
+
+The problem is that "channel" is an unsigned int, when it's less 5 the
+value of "channel - 5" is not a negative number as one would expect but
+is very high positive value instead.
+
+This means that "start" becomes a very high positive value. The result
+of that is that we never enter the "for (i = start; i <= end; i++) {"
+loop. Instead of storing the result from b43legacy_radio_aci_detect()
+it just uses zero.
+
+Fixes: ef1a628d83fc ("b43: Implement dynamic PHY API")
+Signed-off-by: Dan Carpenter
+Acked-by: Michael Büsch
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20211006073621.GE8404@kili
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/b43/phy_g.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/b43/phy_g.c b/drivers/net/wireless/b43/phy_g.c
+index 462310e6e88fb..a706605cef9a8 100644
+--- a/drivers/net/wireless/b43/phy_g.c
++++ b/drivers/net/wireless/b43/phy_g.c
+@@ -2295,7 +2295,7 @@ static u8 b43_gphy_aci_scan(struct b43_wldev *dev)
+ b43_phy_mask(dev, B43_PHY_G_CRS, 0x7FFF);
+ b43_set_all_gains(dev, 3, 8, 1);
+ 
+- start = (channel - 5 > 0) ? channel - 5 : 1;
++ start = (channel > 5) ? channel - 5 : 1;
+ end = (channel + 5 < 14) ? channel + 5 : 13;
+ 
+ for (i = start; i <= end; i++) {
+-- 
+2.33.0
+
diff --git a/queue-4.4/b43legacy-fix-a-lower-bounds-test.patch b/queue-4.4/b43legacy-fix-a-lower-bounds-test.patch
new file mode 100644
index 00000000000..e9eb7232c9a
--- /dev/null
+++ b/queue-4.4/b43legacy-fix-a-lower-bounds-test.patch
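Review bot: `start = (channel > 5) ? channel - 5 : 1;` fixes the unsigned wraparound, but the new form does not say why the comparison is done before the subtraction, and a later reader may "simplify" it back to the broken `channel - 5 > 0`. A trailing comment, `/* channel is unsigned: compare before subtracting */`, would lock the intent in here and on the identical line in b43legacy/radio.c in the next patch. b43_gphy_aci_scan() and b43legacy_radio_aci_scan() both start and end outside their hunks.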
@@ -0,0 +1,47 @@ +From 7ba368286dcf089daafa29397fccd53533f0469e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Oct 2021 10:35:42 +0300 +Subject: b43legacy: fix a lower bounds test +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dan Carpenter + +[ Upstream commit c1c8380b0320ab757e60ed90efc8b1992a943256 ] + +The problem is that "channel" is an unsigned int, when it's less 5 the +value of "channel - 5" is not a negative number as one would expect but +is very high positive value instead. + +This means that "start" becomes a very high positive value. The result +of that is that we never enter the "for (i = start; i <= end; i++) {" +loop. Instead of storing the result from b43legacy_radio_aci_detect() +it just uses zero. + +Fixes: 75388acd0cd8 ("[B43LEGACY]: add mac80211-based driver for legacy BCM43xx devices") +Signed-off-by: Dan Carpenter +Acked-by: Michael Büsch +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211006073542.GD8404@kili +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/b43legacy/radio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/b43legacy/radio.c b/drivers/net/wireless/b43legacy/radio.c +index 9501420340a91..5b1e8890305c1 100644 +--- a/drivers/net/wireless/b43legacy/radio.c ++++ b/drivers/net/wireless/b43legacy/radio.c +@@ -299,7 +299,7 @@ u8 b43legacy_radio_aci_scan(struct b43legacy_wldev *dev) + & 0x7FFF); + b43legacy_set_all_gains(dev, 3, 8, 1); + +- start = (channel - 5 > 0) ? channel - 5 : 1; ++ start = (channel > 5) ? channel - 5 : 1; + end = (channel + 5 < 14) ? channel + 5 : 13; + + for (i = start; i <= end; i++) { +-- +2.33.0 + diff --git a/queue-4.4/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch b/queue-4.4/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch new file mode 100644 index 00000000000..f7765e8b268 --- /dev/null 
+++ b/queue-4.4/bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch 
@@ -0,0 +1,139 @@ +From c63ff9d82d00a09bdb30c56cf7d370c2efde3270 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 31 Aug 2021 17:35:37 -0700 +Subject: Bluetooth: fix use-after-free error in lock_sock_nested() + +From: Wang ShaoBo + +[ Upstream commit 1bff51ea59a9afb67d2dd78518ab0582a54a472c ] + +use-after-free error in lock_sock_nested is reported: + +[ 179.140137][ T3731] ===================================================== +[ 179.142675][ T3731] BUG: KMSAN: use-after-free in lock_sock_nested+0x280/0x2c0 +[ 179.145494][ T3731] CPU: 4 PID: 3731 Comm: kworker/4:2 Not tainted 5.12.0-rc6+ #54 +[ 179.148432][ T3731] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +[ 179.151806][ T3731] Workqueue: events l2cap_chan_timeout +[ 179.152730][ T3731] Call Trace: +[ 179.153301][ T3731] dump_stack+0x24c/0x2e0 +[ 179.154063][ T3731] kmsan_report+0xfb/0x1e0 +[ 179.154855][ T3731] __msan_warning+0x5c/0xa0 +[ 179.155579][ T3731] lock_sock_nested+0x280/0x2c0 +[ 179.156436][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.157257][ T3731] l2cap_sock_teardown_cb+0xb8/0x890 +[ 179.158154][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20 +[ 179.159141][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.159994][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 +[ 179.160959][ T3731] ? l2cap_sock_recv_cb+0x420/0x420 +[ 179.161834][ T3731] l2cap_chan_del+0x3e1/0x1d50 +[ 179.162608][ T3731] ? kmsan_get_metadata+0x116/0x180 +[ 179.163435][ T3731] ? kmsan_get_shadow_origin_ptr+0x84/0xb0 +[ 179.164406][ T3731] l2cap_chan_close+0xeea/0x1050 +[ 179.165189][ T3731] ? kmsan_internal_unpoison_shadow+0x42/0x70 +[ 179.166180][ T3731] l2cap_chan_timeout+0x1da/0x590 +[ 179.167066][ T3731] ? __msan_metadata_ptr_for_load_8+0x10/0x20 +[ 179.168023][ T3731] ? l2cap_chan_create+0x560/0x560 +[ 179.168818][ T3731] process_one_work+0x121d/0x1ff0 +[ 179.169598][ T3731] worker_thread+0x121b/0x2370 +[ 179.170346][ T3731] kthread+0x4ef/0x610 +[ 179.171010][ T3731] ? 
process_one_work+0x1ff0/0x1ff0 +[ 179.171828][ T3731] ? kthread_blkcg+0x110/0x110 +[ 179.172587][ T3731] ret_from_fork+0x1f/0x30 +[ 179.173348][ T3731] +[ 179.173752][ T3731] Uninit was created at: +[ 179.174409][ T3731] kmsan_internal_poison_shadow+0x5c/0xf0 +[ 179.175373][ T3731] kmsan_slab_free+0x76/0xc0 +[ 179.176060][ T3731] kfree+0x3a5/0x1180 +[ 179.176664][ T3731] __sk_destruct+0x8af/0xb80 +[ 179.177375][ T3731] __sk_free+0x812/0x8c0 +[ 179.178032][ T3731] sk_free+0x97/0x130 +[ 179.178686][ T3731] l2cap_sock_release+0x3d5/0x4d0 +[ 179.179457][ T3731] sock_close+0x150/0x450 +[ 179.180117][ T3731] __fput+0x6bd/0xf00 +[ 179.180787][ T3731] ____fput+0x37/0x40 +[ 179.181481][ T3731] task_work_run+0x140/0x280 +[ 179.182219][ T3731] do_exit+0xe51/0x3e60 +[ 179.182930][ T3731] do_group_exit+0x20e/0x450 +[ 179.183656][ T3731] get_signal+0x2dfb/0x38f0 +[ 179.184344][ T3731] arch_do_signal_or_restart+0xaa/0xe10 +[ 179.185266][ T3731] exit_to_user_mode_prepare+0x2d2/0x560 +[ 179.186136][ T3731] syscall_exit_to_user_mode+0x35/0x60 +[ 179.186984][ T3731] do_syscall_64+0xc5/0x140 +[ 179.187681][ T3731] entry_SYSCALL_64_after_hwframe+0x44/0xae +[ 179.188604][ T3731] ===================================================== + +In our case, there are two Thread A and B: + +Context: Thread A: Context: Thread B: + +l2cap_chan_timeout() __se_sys_shutdown() + l2cap_chan_close() l2cap_sock_shutdown() + l2cap_chan_del() l2cap_chan_close() + l2cap_sock_teardown_cb() l2cap_sock_teardown_cb() + +Once l2cap_sock_teardown_cb() excuted, this sock will be marked as SOCK_ZAPPED, +and can be treated as killable in l2cap_sock_kill() if sock_orphan() has +excuted, at this time we close sock through sock_close() which end to call +l2cap_sock_kill() like Thread C: + +Context: Thread C: + +sock_close() + l2cap_sock_release() + sock_orphan() + l2cap_sock_kill() #free sock if refcnt is 1 + +If C completed, Once A or B reaches l2cap_sock_teardown_cb() again, +use-after-free happened. 
+ +We should set chan->data to NULL if sock is destructed, for telling teardown +operation is not allowed in l2cap_sock_teardown_cb(), and also we should +avoid killing an already killed socket in l2cap_sock_close_cb(). + +Signed-off-by: Wang ShaoBo +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/l2cap_sock.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c +index 30731ce390ba0..eddf67a3dbdcb 100644 +--- a/net/bluetooth/l2cap_sock.c ++++ b/net/bluetooth/l2cap_sock.c +@@ -1309,6 +1309,9 @@ static void l2cap_sock_close_cb(struct l2cap_chan *chan) + { + struct sock *sk = chan->data; + ++ if (!sk) ++ return; ++ + l2cap_sock_kill(sk); + } + +@@ -1317,6 +1320,9 @@ static void l2cap_sock_teardown_cb(struct l2cap_chan *chan, int err) + struct sock *sk = chan->data; + struct sock *parent; + ++ if (!sk) ++ return; ++ + BT_DBG("chan %p state %s", chan, state_to_string(chan->state)); + + /* This callback can be called both for server (BT_LISTEN) +@@ -1486,8 +1492,10 @@ static void l2cap_sock_destruct(struct sock *sk) + { + BT_DBG("sk %p", sk); + +- if (l2cap_pi(sk)->chan) ++ if (l2cap_pi(sk)->chan) { ++ l2cap_pi(sk)->chan->data = NULL; + l2cap_chan_put(l2cap_pi(sk)->chan); ++ } + + if (l2cap_pi(sk)->rx_busy_skb) { + kfree_skb(l2cap_pi(sk)->rx_busy_skb); +-- +2.33.0 + diff --git a/queue-4.4/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch b/queue-4.4/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch new file mode 100644 index 00000000000..9da0558c025 --- /dev/null +++ b/queue-4.4/bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch 
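Review bot: The new `if (!sk) return;` guards in l2cap_sock_close_cb() and l2cap_sock_teardown_cb() read chan->data with no locking visible in the hunk, while l2cap_sock_destruct() now clears that field from a different context; whether an ordering guarantee (for example the channel lock held by the callers) makes that read safe is not established here and should be stated next to the first guard, e.g. `/* chan->data is cleared by l2cap_sock_destruct(); the socket is already gone */`. If no such guarantee exists, a destruct racing with a callback that already loaded `sk` keeps the original use-after-free window, so the note should say which lock closes it. l2cap_sock_teardown_cb() continues past the hunk.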
@@ -0,0 +1,96 @@ +From 2068e8316c605c249d541805b210f10f0f669c33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 28 Aug 2021 18:18:18 +0200 +Subject: Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() + +From: Takashi Iwai + +[ Upstream commit 99c23da0eed4fd20cae8243f2b51e10e66aa0951 ] + +The sco_send_frame() also takes lock_sock() during memcpy_from_msg() +call that may be endlessly blocked by a task with userfaultd +technique, and this will result in a hung task watchdog trigger. + +Just like the similar fix for hci_sock_sendmsg() in commit +92c685dc5de0 ("Bluetooth: reorganize functions..."), this patch moves +the memcpy_from_msg() out of lock_sock() for addressing the hang. + +This should be the last piece for fixing CVE-2021-3640 after a few +already queued fixes. + +Signed-off-by: Takashi Iwai +Signed-off-by: Marcel Holtmann +Signed-off-by: Sasha Levin +--- + net/bluetooth/sco.c | 24 ++++++++++++++++-------- + 1 file changed, 16 insertions(+), 8 deletions(-) + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index 701d230fb9cf6..b9d0d1d6a4be1 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -269,7 +269,8 @@ done: + return err; + } + +-static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) ++static int sco_send_frame(struct sock *sk, void *buf, int len, ++ unsigned int msg_flags) + { + struct sco_conn *conn = sco_pi(sk)->conn; + struct sk_buff *skb; +@@ -281,15 +282,11 @@ static int sco_send_frame(struct sock *sk, struct msghdr *msg, int len) + + BT_DBG("sk %p len %d", sk, len); + +- skb = bt_skb_send_alloc(sk, len, msg->msg_flags & MSG_DONTWAIT, &err); ++ skb = bt_skb_send_alloc(sk, len, msg_flags & MSG_DONTWAIT, &err); + if (!skb) + return err; + +- if (memcpy_from_msg(skb_put(skb, len), msg, len)) { +- kfree_skb(skb); +- return -EFAULT; +- } +- ++ memcpy(skb_put(skb, len), buf, len); + hci_send_sco(conn->hcon, skb); + + return len; +@@ -700,6 +697,7 @@ static int sco_sock_sendmsg(struct socket 
*sock, struct msghdr *msg, + size_t len) + { + struct sock *sk = sock->sk; ++ void *buf; + int err; + + BT_DBG("sock %p, sk %p", sock, sk); +@@ -711,14 +709,24 @@ static int sco_sock_sendmsg(struct socket *sock, struct msghdr *msg, + if (msg->msg_flags & MSG_OOB) + return -EOPNOTSUPP; + ++ buf = kmalloc(len, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; ++ ++ if (memcpy_from_msg(buf, msg, len)) { ++ kfree(buf); ++ return -EFAULT; ++ } ++ + lock_sock(sk); + + if (sk->sk_state == BT_CONNECTED) +- err = sco_send_frame(sk, msg, len); ++ err = sco_send_frame(sk, buf, len, msg->msg_flags); + else + err = -ENOTCONN; + + release_sock(sk); ++ kfree(buf); + return err; + } + +-- +2.33.0 + diff --git a/queue-4.4/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch b/queue-4.4/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch new file mode 100644 index 00000000000..e927e844536 --- /dev/null +++ b/queue-4.4/bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch 
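Review bot: `buf = kmalloc(len, GFP_KERNEL);` in sco_sock_sendmsg() now allocates a user-supplied `size_t` before any size validation; the outgoing MTU comparison in sco_send_frame() (not in the hunk, so this is inferred) only runs after the copy, and `len` is additionally narrowed from size_t to int at the `sco_send_frame(sk, buf, len, msg->msg_flags)` call. An oversized send request therefore reaches the allocator first, and a size above the slab maximum would also trigger the allocator's failure warning unless `__GFP_NOWARN` is passed. Bounding `len` against the connection MTU before the allocation (or at minimum using `GFP_KERNEL | __GFP_NOWARN`) would keep malformed requests from driving large allocation attempts. The sk_state checks between the two hunks of sco_sock_sendmsg() are outside the shown lines.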
@@ -0,0 +1,200 @@ +From dde8d806653b95c189186c554a56bfe4233b6387 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Nov 2021 17:37:33 +0800 +Subject: bonding: Fix a use-after-free problem when bond_sysfs_slave_add() + failed + +From: Huang Guobin + +[ Upstream commit b93c6a911a3fe926b00add28f3b932007827c4ca ] + +When I do fuzz test for bonding device interface, I got the following +use-after-free Calltrace: + +================================================================== +BUG: KASAN: use-after-free in bond_enslave+0x1521/0x24f0 +Read of size 8 at addr ffff88825bc11c00 by task ifenslave/7365 + +CPU: 5 PID: 7365 Comm: ifenslave Tainted: G E 5.15.0-rc1+ #13 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014 +Call Trace: + dump_stack_lvl+0x6c/0x8b + print_address_description.constprop.0+0x48/0x70 + kasan_report.cold+0x82/0xdb + __asan_load8+0x69/0x90 + bond_enslave+0x1521/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7f19159cf577 +Code: b3 66 90 48 8b 05 11 89 2c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 78 +RSP: 002b:00007ffeb3083c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007ffeb3084bca RCX: 00007f19159cf577 +RDX: 00007ffeb3083ce0 RSI: 0000000000008990 RDI: 0000000000000003 +RBP: 00007ffeb3084bc4 R08: 0000000000000040 R09: 0000000000000000 +R10: 00007ffeb3084bc0 R11: 0000000000000246 R12: 00007ffeb3083ce0 +R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffeb3083cb0 + +Allocated by task 7365: + kasan_save_stack+0x23/0x50 + __kasan_kmalloc+0x83/0xa0 + kmem_cache_alloc_trace+0x22e/0x470 + bond_enslave+0x2e1/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + 
sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Freed by task 7365: + kasan_save_stack+0x23/0x50 + kasan_set_track+0x20/0x30 + kasan_set_free_info+0x24/0x40 + __kasan_slab_free+0xf2/0x130 + kfree+0xd1/0x5c0 + slave_kobj_release+0x61/0x90 + kobject_put+0x102/0x180 + bond_sysfs_slave_add+0x7a/0xa0 + bond_enslave+0x11b6/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Last potentially related work creation: + kasan_save_stack+0x23/0x50 + kasan_record_aux_stack+0xb7/0xd0 + insert_work+0x43/0x190 + __queue_work+0x2e3/0x970 + delayed_work_timer_fn+0x3e/0x50 + call_timer_fn+0x148/0x470 + run_timer_softirq+0x8a8/0xc50 + __do_softirq+0x107/0x55f + +Second to last potentially related work creation: + kasan_save_stack+0x23/0x50 + kasan_record_aux_stack+0xb7/0xd0 + insert_work+0x43/0x190 + __queue_work+0x2e3/0x970 + __queue_delayed_work+0x130/0x180 + queue_delayed_work_on+0xa7/0xb0 + bond_enslave+0xe25/0x24f0 + bond_do_ioctl+0x3e0/0x450 + dev_ifsioc+0x2ba/0x970 + dev_ioctl+0x112/0x710 + sock_do_ioctl+0x118/0x1b0 + sock_ioctl+0x2e0/0x490 + __x64_sys_ioctl+0x118/0x150 + do_syscall_64+0x35/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +The buggy address belongs to the object at ffff88825bc11c00 + which belongs to the cache kmalloc-1k of size 1024 +The buggy address is located 0 bytes inside of + 1024-byte region [ffff88825bc11c00, ffff88825bc12000) +The buggy address belongs to the page: +page:ffffea00096f0400 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x25bc10 +head:ffffea00096f0400 order:3 compound_mapcount:0 compound_pincount:0 +flags: 0x57ff00000010200(slab|head|node=1|zone=2|lastcpupid=0x7ff) +raw: 057ff00000010200 ffffea0009a71c08 ffff888240001968 
ffff88810004dbc0 +raw: 0000000000000000 00000000000a000a 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88825bc11b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff88825bc11b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc +>ffff88825bc11c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff88825bc11c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ffff88825bc11d00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb +================================================================== + +Put new_slave in bond_sysfs_slave_add() will cause use-after-free problems +when new_slave is accessed in the subsequent error handling process. Since +new_slave will be put in the subsequent error handling process, remove the +unnecessary put to fix it. +In addition, when sysfs_create_file() fails, if some files have been crea- +ted successfully, we need to call sysfs_remove_file() to remove them. +Since there are sysfs_create_files() & sysfs_remove_files() can be used, +use these two functions instead. + +Fixes: 7afcaec49696 (bonding: use kobject_put instead of _del after kobject_add) +Signed-off-by: Huang Guobin +Reviewed-by: Jakub Kicinski +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_sysfs_slave.c | 36 ++++++++------------------ + 1 file changed, 11 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/bonding/bond_sysfs_slave.c b/drivers/net/bonding/bond_sysfs_slave.c +index 68bbac4715c35..1e1e77a40f182 100644 +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -112,15 +112,15 @@ static ssize_t ad_partner_oper_port_state_show(struct slave *slave, char *buf) + } + static SLAVE_ATTR_RO(ad_partner_oper_port_state); + +-static const struct slave_attribute *slave_attrs[] = { +- &slave_attr_state, +- &slave_attr_mii_status, +- &slave_attr_link_failure_count, +- &slave_attr_perm_hwaddr, +- &slave_attr_queue_id, +- &slave_attr_ad_aggregator_id, +- &slave_attr_ad_actor_oper_port_state, +- &slave_attr_ad_partner_oper_port_state, ++static const struct attribute *slave_attrs[] = { ++ &slave_attr_state.attr, ++ &slave_attr_mii_status.attr, ++ &slave_attr_link_failure_count.attr, ++ &slave_attr_perm_hwaddr.attr, ++ &slave_attr_queue_id.attr, ++ &slave_attr_ad_aggregator_id.attr, ++ &slave_attr_ad_actor_oper_port_state.attr, ++ &slave_attr_ad_partner_oper_port_state.attr, + NULL + }; + +@@ -141,24 +141,10 @@ const struct sysfs_ops slave_sysfs_ops = { + + int bond_sysfs_slave_add(struct slave *slave) + { +- const struct slave_attribute **a; +- int err; +- +- for (a = slave_attrs; *a; ++a) { +- err = sysfs_create_file(&slave->kobj, &((*a)->attr)); +- if (err) { +- kobject_put(&slave->kobj); +- return err; +- } +- } +- +- return 0; ++ return sysfs_create_files(&slave->kobj, slave_attrs); + } + + void bond_sysfs_slave_del(struct slave *slave) + { +- const struct slave_attribute **a; +- +- for (a = slave_attrs; *a; ++a) +- sysfs_remove_file(&slave->kobj, &((*a)->attr)); ++ sysfs_remove_files(&slave->kobj, slave_attrs); + } +-- +2.33.0 + 
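Review bot: bond_sysfs_slave_add() now returns `sysfs_create_files()` directly and no longer touches the kobject reference, but nothing in the function records that the caller owns and releases slave->kobj on failure; since the dropped `kobject_put()` here was the cause of the use-after-free, that contract belongs in the code, e.g. `/* On failure the caller owns and releases slave->kobj; never put it here. */` above the function. Without it the next maintainer has only the commit message to tell them the put was wrong, not merely redundant.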
diff --git a/queue-4.4/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch b/queue-4.4/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch new file mode 100644 index 00000000000..8859b7ca68f --- /dev/null +++ b/queue-4.4/cpuidle-fix-kobject-memory-leaks-in-error-paths.patch 
@@ -0,0 +1,70 @@ +From 816af6688a167f29e03e581284591ecf78085ab6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 18:34:40 +0000 +Subject: cpuidle: Fix kobject memory leaks in error paths + +From: Anel Orazgaliyeva + +[ Upstream commit e5f5a66c9aa9c331da5527c2e3fd9394e7091e01 ] + +Commit c343bf1ba5ef ("cpuidle: Fix three reference count leaks") +fixes the cleanup of kobjects; however, it removes kfree() calls +altogether, leading to memory leaks. + +Fix those and also defer the initialization of dev->kobj_dev until +after the error check, so that we do not end up with a dangling +pointer. + +Fixes: c343bf1ba5ef ("cpuidle: Fix three reference count leaks") +Signed-off-by: Anel Orazgaliyeva +Suggested-by: Aman Priyadarshi +[ rjw: Subject edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/sysfs.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/sysfs.c b/drivers/cpuidle/sysfs.c +index e7e92ed34f0c6..34c4a61a954fc 100644 +--- a/drivers/cpuidle/sysfs.c ++++ b/drivers/cpuidle/sysfs.c +@@ -413,6 +413,7 @@ static int cpuidle_add_state_sysfs(struct cpuidle_device *device) + &kdev->kobj, "state%d", i); + if (ret) { + kobject_put(&kobj->kobj); ++ kfree(kobj); + goto error_state; + } + kobject_uevent(&kobj->kobj, KOBJ_ADD); +@@ -543,6 +544,7 @@ static int cpuidle_add_driver_sysfs(struct cpuidle_device *dev) + &kdev->kobj, "driver"); + if (ret) { + kobject_put(&kdrv->kobj); ++ kfree(kdrv); + return ret; + } + +@@ -629,7 +631,6 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + if (!kdev) + return -ENOMEM; + kdev->dev = dev; +- dev->kobj_dev = kdev; + + init_completion(&kdev->kobj_unregister); + +@@ -637,9 +638,11 @@ int cpuidle_add_sysfs(struct cpuidle_device *dev) + "cpuidle"); + if (error) { + kobject_put(&kdev->kobj); ++ kfree(kdev); + return error; + } + ++ dev->kobj_dev = kdev; + kobject_uevent(&kdev->kobj, KOBJ_ADD); + + return 0; +-- +2.33.0 + 
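Review bot: The added `kfree(kobj)`, `kfree(kdrv)` and `kfree(kdev)` after each failed `kobject_init_and_add()` are only correct if the respective kobj_type release callbacks do not free the embedding structure themselves; those callbacks are outside the hunk, so the assumption should be written down at the first site, e.g. `/* release() only signals kobj_unregister; the embedding struct is freed here */`, and it must hold for all three types or the kfree becomes a double free. All three enclosing functions start and end outside the hunk.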
diff --git a/queue-4.4/crypto-pcrypt-delay-write-to-padata-info.patch b/queue-4.4/crypto-pcrypt-delay-write-to-padata-info.patch new file mode 100644 index 00000000000..7be0dc48b66 --- /dev/null +++ b/queue-4.4/crypto-pcrypt-delay-write-to-padata-info.patch 
@@ -0,0 +1,85 @@ +From a66a390f166de1eb6c577a000d345fd024c7fa2c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Oct 2021 14:30:28 -0400 +Subject: crypto: pcrypt - Delay write to padata->info + +From: Daniel Jordan + +[ Upstream commit 68b6dea802cea0dbdd8bd7ccc60716b5a32a5d8a ] + +These three events can race when pcrypt is used multiple times in a +template ("pcrypt(pcrypt(...))"): + + 1. [taskA] The caller makes the crypto request via crypto_aead_encrypt() + 2. [kworkerB] padata serializes the inner pcrypt request + 3. [kworkerC] padata serializes the outer pcrypt request + +3 might finish before the call to crypto_aead_encrypt() returns in 1, +resulting in two possible issues. + +First, a use-after-free of the crypto request's memory when, for +example, taskA writes to the outer pcrypt request's padata->info in +pcrypt_aead_enc() after kworkerC completes the request. + +Second, the outer pcrypt request overwrites the inner pcrypt request's +return code with -EINPROGRESS, making a successful request appear to +fail. For instance, kworkerB writes the outer pcrypt request's +padata->info in pcrypt_aead_done() and then taskA overwrites it +in pcrypt_aead_enc(). + +Avoid both situations by delaying the write of padata->info until after +the inner crypto request's return code is checked. This prevents the +use-after-free by not touching the crypto request's memory after the +next-inner crypto request is made, and stops padata->info from being +overwritten. 
+ +Fixes: 5068c7a883d16 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper") +Reported-by: syzbot+b187b77c8474f9648fae@syzkaller.appspotmail.com +Signed-off-by: Daniel Jordan +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + crypto/pcrypt.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/crypto/pcrypt.c b/crypto/pcrypt.c +index 85082574c5154..62e11835f220e 100644 +--- a/crypto/pcrypt.c ++++ b/crypto/pcrypt.c +@@ -138,12 +138,14 @@ static void pcrypt_aead_enc(struct padata_priv *padata) + { + struct pcrypt_request *preq = pcrypt_padata_request(padata); + struct aead_request *req = pcrypt_request_ctx(preq); ++ int ret; + +- padata->info = crypto_aead_encrypt(req); ++ ret = crypto_aead_encrypt(req); + +- if (padata->info == -EINPROGRESS) ++ if (ret == -EINPROGRESS) + return; + ++ padata->info = ret; + padata_do_serial(padata); + } + +@@ -180,12 +182,14 @@ static void pcrypt_aead_dec(struct padata_priv *padata) + { + struct pcrypt_request *preq = pcrypt_padata_request(padata); + struct aead_request *req = pcrypt_request_ctx(preq); ++ int ret; + +- padata->info = crypto_aead_decrypt(req); ++ ret = crypto_aead_decrypt(req); + +- if (padata->info == -EINPROGRESS) ++ if (ret == -EINPROGRESS) + return; + ++ padata->info = ret; + padata_do_serial(padata); + } + +-- +2.33.0 + diff --git a/queue-4.4/crypto-qat-detect-pfvf-collision-after-ack.patch b/queue-4.4/crypto-qat-detect-pfvf-collision-after-ack.patch new file mode 100644 index 00000000000..1f47986cce4 --- /dev/null +++ b/queue-4.4/crypto-qat-detect-pfvf-collision-after-ack.patch 
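Review bot: The deferred `padata->info = ret;` in pcrypt_aead_enc() and pcrypt_aead_dec() has no comment explaining why it must stay after the -EINPROGRESS test, and the reason (the nested request, and with it this padata, may already have been completed and freed by the inner pcrypt instance) lives only in the commit message. A comment above the assignment would keep a later refactor from reordering it, e.g. `/* Write padata only once the request is known to have completed synchronously; an asynchronous inner request may already have freed it. */`. The same applies to the second hunk in pcrypt_aead_dec().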
@@ -0,0 +1,46 @@ +From 3e2c71f864f1be9584ad13cc964d82414c665be6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 28 Sep 2021 12:44:29 +0100 +Subject: crypto: qat - detect PFVF collision after ACK + +From: Giovanni Cabiddu + +[ Upstream commit 9b768e8a3909ac1ab39ed44a3933716da7761a6f ] + +Detect a PFVF collision between the local and the remote function by +checking if the message on the PFVF CSR has been overwritten. +This is done after the remote function confirms that the message has +been received, by clearing the interrupt bit, or the maximum number of +attempts (ADF_IOV_MSG_ACK_MAX_RETRY) to check the CSR has been exceeded. + +Fixes: ed8ccaef52fa ("crypto: qat - Add support for SRIOV") +Signed-off-by: Giovanni Cabiddu +Co-developed-by: Marco Chiappero +Signed-off-by: Marco Chiappero +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/qat/qat_common/adf_pf2vf_msg.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +index 711706819b05d..7e45c21a61657 100644 +--- a/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c ++++ b/drivers/crypto/qat/qat_common/adf_pf2vf_msg.c +@@ -218,6 +218,13 @@ static int __adf_iov_putmsg(struct adf_accel_dev *accel_dev, u32 msg, u8 vf_nr) + val = ADF_CSR_RD(pmisc_bar_addr, pf2vf_offset); + } while ((val & int_bit) && (count++ < ADF_IOV_MSG_ACK_MAX_RETRY)); + ++ if (val != msg) { ++ dev_dbg(&GET_DEV(accel_dev), ++ "Collision - PFVF CSR overwritten by remote function\n"); ++ ret = -EIO; ++ goto out; ++ } ++ + if (val & int_bit) { + dev_dbg(&GET_DEV(accel_dev), "ACK not received from remote\n"); + val &= ~int_bit; +-- +2.33.0 + diff --git a/queue-4.4/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch b/queue-4.4/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch new file mode 100644 index 00000000000..c5f635cacb2 --- /dev/null +++ b/queue-4.4/dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch 
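Review bot: The new `if (val != msg)` collision check in __adf_iov_putmsg() is placed before the existing timeout branch, and the loop above it exits either when the remote clears `int_bit` or when ADF_IOV_MSG_ACK_MAX_RETRY is exhausted; if the CSR write outside the hunk sets `int_bit` on top of `msg` (inferred, not shown), a timed-out ACK leaves `val` differing from `msg` by exactly that bit, so the timeout is reported as a collision and the `"ACK not received from remote\n"` branch below becomes unreachable. Masking the bit in the comparison, `if ((val & ~int_bit) != (msg & ~int_bit))`, or testing the timeout first would keep the two failure modes distinguishable in the debug output. The enclosing function starts and ends outside the hunk.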
@@ -0,0 +1,41 @@ +From a9af426d3158f11bdd042d0460725ad57363f428 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 7 Oct 2021 14:12:28 +0300 +Subject: dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro + +From: Claudiu Beznea + +[ Upstream commit 320c88a3104dc955f928a1eecebd551ff89530c0 ] + +AT_XDMAC_CC_PERID() should be used to setup bits 24..30 of XDMAC_CC +register. Using it without parenthesis around 0x7f & (i) will lead to +setting all the time zero for bits 24..30 of XDMAC_CC as the << operator +has higher precedence over bitwise &. Thus, add paranthesis around +0x7f & (i). + +Fixes: 15a03850ab8f ("dmaengine: at_xdmac: fix macro typo") +Signed-off-by: Claudiu Beznea +Reviewed-by: Tudor Ambarus +Link: https://lore.kernel.org/r/20211007111230.2331837-3-claudiu.beznea@microchip.com +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/at_xdmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/dma/at_xdmac.c b/drivers/dma/at_xdmac.c +index 8aa3ccf42e55a..2d87018069ca0 100644 +--- a/drivers/dma/at_xdmac.c ++++ b/drivers/dma/at_xdmac.c +@@ -156,7 +156,7 @@ + #define AT_XDMAC_CC_WRIP (0x1 << 23) /* Write in Progress (read only) */ + #define AT_XDMAC_CC_WRIP_DONE (0x0 << 23) + #define AT_XDMAC_CC_WRIP_IN_PROGRESS (0x1 << 23) +-#define AT_XDMAC_CC_PERID(i) (0x7f & (i) << 24) /* Channel Peripheral Identifier */ ++#define AT_XDMAC_CC_PERID(i) ((0x7f & (i)) << 24) /* Channel Peripheral Identifier */ + #define AT_XDMAC_CDS_MSP 0x2C /* Channel Data Stride Memory Set Pattern */ + #define AT_XDMAC_CSUS 0x30 /* Channel Source Microblock Stride */ + #define AT_XDMAC_CDUS 0x34 /* Channel Destination Microblock Stride */ +-- +2.33.0 + diff --git a/queue-4.4/drm-msm-uninitialized-variable-in-msm_gem_import.patch b/queue-4.4/drm-msm-uninitialized-variable-in-msm_gem_import.patch new file mode 100644 index 00000000000..e8e352b5877 --- /dev/null +++ b/queue-4.4/drm-msm-uninitialized-variable-in-msm_gem_import.patch 
@@ -0,0 +1,52 @@ +From d6cf2861d2d7364f0a4872e08364d91864fb1a19 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 11:13:15 +0300 +Subject: drm/msm: uninitialized variable in msm_gem_import() + +From: Dan Carpenter + +[ Upstream commit 2203bd0e5c12ffc53ffdd4fbd7b12d6ba27e0424 ] + +The msm_gem_new_impl() function cleans up after itself so there is no +need to call drm_gem_object_put(). Conceptually, it does not make sense +to call a kref_put() function until after the reference counting has +been initialized which happens immediately after this call in the +drm_gem_(private_)object_init() functions. + +In the msm_gem_import() function the "obj" pointer is uninitialized, so +it will lead to a crash. + +Fixes: 05b849111c07 ("drm/msm: prime support") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211013081315.GG6010@kili +Signed-off-by: Rob Clark +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/msm/msm_gem.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/msm/msm_gem.c b/drivers/gpu/drm/msm/msm_gem.c +index 245070950e875..3fe5a49a9feeb 100644 +--- a/drivers/gpu/drm/msm/msm_gem.c ++++ b/drivers/gpu/drm/msm/msm_gem.c +@@ -651,7 +651,7 @@ struct drm_gem_object *msm_gem_new(struct drm_device *dev, + + ret = msm_gem_new_impl(dev, size, flags, &obj); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + if (use_pages(obj)) { + ret = drm_gem_object_init(dev, obj, size); +@@ -687,7 +687,7 @@ struct drm_gem_object *msm_gem_import(struct drm_device *dev, + + ret = msm_gem_new_impl(dev, size, MSM_BO_WC, &obj); + if (ret) +- goto fail; ++ return ERR_PTR(ret); + + drm_gem_private_object_init(dev, obj, size); + +-- +2.33.0 + diff --git a/queue-4.4/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch b/queue-4.4/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch new file mode 100644 index 00000000000..dcb3de8f28f --- /dev/null 
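Review bot: The two `return ERR_PTR(ret);` replacements in msm_gem_new() and msm_gem_import() rely on msm_gem_new_impl() releasing everything it allocated on failure, which the hunk cannot show; a comment at the first call site, `/* msm_gem_new_impl() cleans up on failure; obj is not initialised here */`, would record that contract and explain why the `fail:` path (presumably still used by the later error cases outside the hunk) must not be taken at this point. Both enclosing functions start and end outside the hunk.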
+++ b/queue-4.4/ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch @@ -0,0 +1,53 @@ +From e0e3ca57bc6e5e345373c33fdb0778e28f118424 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 26 Sep 2021 10:12:24 -0700 +Subject: ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK + +From: Randy Dunlap + +[ Upstream commit c15b5fc054c3d6c97e953617605235c5cb8ce979 ] + +When CONFIG_PRINTK is not set, the CMPXCHG_BUGCHECK() macro calls +_printk(), but _printk() is a static inline function, not available +as an extern. +Since the purpose of the macro is to print the BUGCHECK info, +make this config option depend on PRINTK. + +Fixes multiple occurrences of this build error: + +../include/linux/printk.h:208:5: error: static declaration of '_printk' follows non-static declaration + 208 | int _printk(const char *s, ...) + | ^~~~~~~ +In file included from ../arch/ia64/include/asm/cmpxchg.h:5, +../arch/ia64/include/uapi/asm/cmpxchg.h:146:28: note: previous declaration of '_printk' with type 'int(const char *, ...)' + 146 | extern int _printk(const char *fmt, ...); + +Cc: linux-ia64@vger.kernel.org +Cc: Andrew Morton +Cc: Tony Luck +Cc: Chris Down +Cc: Paul Gortmaker +Cc: John Paul Adrian Glaubitz +Signed-off-by: Randy Dunlap +Signed-off-by: Petr Mladek +Signed-off-by: Sasha Levin +--- + arch/ia64/Kconfig.debug | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/ia64/Kconfig.debug b/arch/ia64/Kconfig.debug +index de9d507ba0fd4..ee6c7f75f479d 100644 +--- a/arch/ia64/Kconfig.debug ++++ b/arch/ia64/Kconfig.debug +@@ -41,7 +41,7 @@ config DISABLE_VHPT + + config IA64_DEBUG_CMPXCHG + bool "Turn on compare-and-exchange bug checking (slow!)" +- depends on DEBUG_KERNEL ++ depends on DEBUG_KERNEL && PRINTK + help + Selecting this option turns on bug checking for the IA-64 + compare-and-exchange instructions. This is slow! Itaniums +-- +2.33.0 + 
diff --git a/queue-4.4/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch b/queue-4.4/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch new file mode 100644 index 00000000000..2d57c3cb64b --- /dev/null +++ b/queue-4.4/iwlwifi-mvm-disable-rx-diversity-in-powersave.patch @@ -0,0 +1,39 @@ +From 94df9059785d1b9c8df561da5c2e89db7139f4ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 17 Oct 2021 11:43:40 +0300 +Subject: iwlwifi: mvm: disable RX-diversity in powersave + +From: Johannes Berg + +[ Upstream commit e5322b9ab5f63536c41301150b7ce64605ce52cc ] + +Just like we have default SMPS mode as dynamic in powersave, +we should not enable RX-diversity in powersave, to reduce +power consumption when connected to a non-MIMO AP. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Link: https://lore.kernel.org/r/iwlwifi.20211017113927.fc896bc5cdaa.I1d11da71b8a5cbe921a37058d5f578f1b14a2023@changeid +Signed-off-by: Luca Coelho +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/iwlwifi/mvm/utils.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/iwlwifi/mvm/utils.c b/drivers/net/wireless/iwlwifi/mvm/utils.c +index ad0f16909e2e2..3d089eb9dff51 100644 +--- a/drivers/net/wireless/iwlwifi/mvm/utils.c ++++ b/drivers/net/wireless/iwlwifi/mvm/utils.c +@@ -923,6 +923,9 @@ bool iwl_mvm_rx_diversity_allowed(struct iwl_mvm *mvm) + + lockdep_assert_held(&mvm->mutex); + ++ if (iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM) ++ return false; ++ + if (num_of_ant(iwl_mvm_get_valid_rx_ant(mvm)) == 1) + return false; + +-- +2.33.0 + diff --git a/queue-4.4/jfs-fix-memleak-in-jfs_mount.patch b/queue-4.4/jfs-fix-memleak-in-jfs_mount.patch new file mode 100644 index 00000000000..633a370d751 --- /dev/null +++ b/queue-4.4/jfs-fix-memleak-in-jfs_mount.patch 
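Review bot: The new early return on `iwlmvm_mod_params.power_scheme != IWL_POWER_SCHEME_CAM` in iwl_mvm_rx_diversity_allowed() has no comment, and the power-saving motivation exists only in the commit message; a one-liner above the check such as `/* As with the SMPS default, no RX diversity outside CAM: saves power on non-MIMO APs */` would make the ordering relative to the antenna-count test self-explanatory. The function body continues outside the hunk.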
@@ -0,0 +1,158 @@ +From f3e26bf60bf34096ff82f96814772b2034d5cd20 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 10:37:41 +0800 +Subject: JFS: fix memleak in jfs_mount + +From: Dongliang Mu + +[ Upstream commit c48a14dca2cb57527dde6b960adbe69953935f10 ] + +In jfs_mount, when diMount(ipaimap2) fails, it goes to errout35. However, +the following code does not free ipaimap2 allocated by diReadSpecial. + +Fix this by refactoring the error handling code of jfs_mount. To be +specific, modify the lable name and free ipaimap2 when the above error +ocurrs. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Dongliang Mu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_mount.c | 51 ++++++++++++++++++++-------------------------- + 1 file changed, 22 insertions(+), 29 deletions(-) + +diff --git a/fs/jfs/jfs_mount.c b/fs/jfs/jfs_mount.c +index 103788ecc28c1..0c2aabba1fdbb 100644 +--- a/fs/jfs/jfs_mount.c ++++ b/fs/jfs/jfs_mount.c +@@ -93,14 +93,14 @@ int jfs_mount(struct super_block *sb) + * (initialize mount inode from the superblock) + */ + if ((rc = chkSuper(sb))) { +- goto errout20; ++ goto out; + } + + ipaimap = diReadSpecial(sb, AGGREGATE_I, 0); + if (ipaimap == NULL) { + jfs_err("jfs_mount: Failed to read AGGREGATE_I"); + rc = -EIO; +- goto errout20; ++ goto out; + } + sbi->ipaimap = ipaimap; + +@@ -111,7 +111,7 @@ int jfs_mount(struct super_block *sb) + */ + if ((rc = diMount(ipaimap))) { + jfs_err("jfs_mount: diMount(ipaimap) failed w/rc = %d", rc); +- goto errout21; ++ goto err_ipaimap; + } + + /* +@@ -120,7 +120,7 @@ int jfs_mount(struct super_block *sb) + ipbmap = diReadSpecial(sb, BMAP_I, 0); + if (ipbmap == NULL) { + rc = -EIO; +- goto errout22; ++ goto err_umount_ipaimap; + } + + jfs_info("jfs_mount: ipbmap:0x%p", ipbmap); +@@ -132,7 +132,7 @@ int jfs_mount(struct super_block *sb) + */ + if ((rc = dbMount(ipbmap))) { + jfs_err("jfs_mount: dbMount failed w/rc = %d", rc); +- goto errout22; ++ goto err_ipbmap; + 
} + + /* +@@ -151,7 +151,7 @@ int jfs_mount(struct super_block *sb) + if (!ipaimap2) { + jfs_err("jfs_mount: Failed to read AGGREGATE_I"); + rc = -EIO; +- goto errout35; ++ goto err_umount_ipbmap; + } + sbi->ipaimap2 = ipaimap2; + +@@ -163,7 +163,7 @@ int jfs_mount(struct super_block *sb) + if ((rc = diMount(ipaimap2))) { + jfs_err("jfs_mount: diMount(ipaimap2) failed, rc = %d", + rc); +- goto errout35; ++ goto err_ipaimap2; + } + } else + /* Secondary aggregate inode table is not valid */ +@@ -180,7 +180,7 @@ int jfs_mount(struct super_block *sb) + jfs_err("jfs_mount: Failed to read FILESYSTEM_I"); + /* open fileset secondary inode allocation map */ + rc = -EIO; +- goto errout40; ++ goto err_umount_ipaimap2; + } + jfs_info("jfs_mount: ipimap:0x%p", ipimap); + +@@ -190,41 +190,34 @@ int jfs_mount(struct super_block *sb) + /* initialize fileset inode allocation map */ + if ((rc = diMount(ipimap))) { + jfs_err("jfs_mount: diMount failed w/rc = %d", rc); +- goto errout41; ++ goto err_ipimap; + } + +- goto out; ++ return rc; + + /* + * unwind on error + */ +- errout41: /* close fileset inode allocation map inode */ ++err_ipimap: ++ /* close fileset inode allocation map inode */ + diFreeSpecial(ipimap); +- +- errout40: /* fileset closed */ +- ++err_umount_ipaimap2: + /* close secondary aggregate inode allocation map */ +- if (ipaimap2) { ++ if (ipaimap2) + diUnmount(ipaimap2, 1); ++err_ipaimap2: ++ /* close aggregate inodes */ ++ if (ipaimap2) + diFreeSpecial(ipaimap2); +- } +- +- errout35: +- +- /* close aggregate block allocation map */ ++err_umount_ipbmap: /* close aggregate block allocation map */ + dbUnmount(ipbmap, 1); ++err_ipbmap: /* close aggregate inodes */ + diFreeSpecial(ipbmap); +- +- errout22: /* close aggregate inode allocation map */ +- ++err_umount_ipaimap: /* close aggregate inode allocation map */ + diUnmount(ipaimap, 1); +- +- errout21: /* close aggregate inodes */ ++err_ipaimap: /* close aggregate inodes */ + diFreeSpecial(ipaimap); +- errout20: /* 
aggregate closed */ +- +- out: +- ++out: + if (rc) + jfs_err("Mount JFS Failure: %d", rc); + +-- +2.33.0 + diff --git a/queue-4.4/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch b/queue-4.4/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch new file mode 100644 index 00000000000..b67950f8388 --- /dev/null +++ b/queue-4.4/lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch 
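Review bot: In the new unwind chain, `err_ipaimap2` frees `ipaimap2` with `diFreeSpecial()` while `sbi->ipaimap2` (assigned right after the successful `diReadSpecial()` in the visible context) still points at the freed inode, and the same holds for `sbi->ipaimap` at `err_ipaimap`. jfs_fill_super() does not appear to consult those fields after a failed mount, so this is not a use-after-free today, but clearing them as they are released (e.g. `sbi->ipaimap2 = NULL;` after `diFreeSpecial(ipaimap2);`, likewise for `sbi->ipaimap`) keeps the superblock info from carrying dangling pointers into whatever cleanup follows. jfs_mount() starts and ends outside this hunk (the inner hunks begin at line 93), so the assignment of `sbi->ipbmap` is not visible here and the same remark may apply to it.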
@@ -0,0 +1,91 @@ +From 705ea0a1192a13c03db807cb3ea776a0beaf6df7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 05:31:39 +0800 +Subject: lib/xz: Avoid overlapping memcpy() with invalid input with in-place + decompression + +From: Lasse Collin + +[ Upstream commit 83d3c4f22a36d005b55f44628f46cc0d319a75e8 ] + +With valid files, the safety margin described in lib/decompress_unxz.c +ensures that these buffers cannot overlap. But if the uncompressed size +of the input is larger than the caller thought, which is possible when +the input file is invalid/corrupt, the buffers can overlap. Obviously +the result will then be garbage (and usually the decoder will return +an error too) but no other harm will happen when such an over-run occurs. + +This change only affects uncompressed LZMA2 chunks and so this +should have no effect on performance. + +Link: https://lore.kernel.org/r/20211010213145.17462-2-xiang@kernel.org +Signed-off-by: Lasse Collin +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + lib/decompress_unxz.c | 2 +- + lib/xz/xz_dec_lzma2.c | 21 +++++++++++++++++++-- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/lib/decompress_unxz.c b/lib/decompress_unxz.c +index 25d59a95bd668..abea25310ac73 100644 +--- a/lib/decompress_unxz.c ++++ b/lib/decompress_unxz.c +@@ -167,7 +167,7 @@ + * memeq and memzero are not used much and any remotely sane implementation + * is fast enough. memcpy/memmove speed matters in multi-call mode, but + * the kernel image is decompressed in single-call mode, in which only +- * memcpy speed can matter and only if there is a lot of uncompressible data ++ * memmove speed can matter and only if there is a lot of uncompressible data + * (LZMA2 stores uncompressible chunks in uncompressed form). Thus, the + * functions below should just be kept small; it's probably not worth + * optimizing for speed. 
+diff --git a/lib/xz/xz_dec_lzma2.c b/lib/xz/xz_dec_lzma2.c +index 08c3c80499983..2c5197d6b944d 100644 +--- a/lib/xz/xz_dec_lzma2.c ++++ b/lib/xz/xz_dec_lzma2.c +@@ -387,7 +387,14 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b, + + *left -= copy_size; + +- memcpy(dict->buf + dict->pos, b->in + b->in_pos, copy_size); ++ /* ++ * If doing in-place decompression in single-call mode and the ++ * uncompressed size of the file is larger than the caller ++ * thought (i.e. it is invalid input!), the buffers below may ++ * overlap and cause undefined behavior with memcpy(). ++ * With valid inputs memcpy() would be fine here. ++ */ ++ memmove(dict->buf + dict->pos, b->in + b->in_pos, copy_size); + dict->pos += copy_size; + + if (dict->full < dict->pos) +@@ -397,7 +404,11 @@ static void dict_uncompressed(struct dictionary *dict, struct xz_buf *b, + if (dict->pos == dict->end) + dict->pos = 0; + +- memcpy(b->out + b->out_pos, b->in + b->in_pos, ++ /* ++ * Like above but for multi-call mode: use memmove() ++ * to avoid undefined behavior with invalid input. ++ */ ++ memmove(b->out + b->out_pos, b->in + b->in_pos, + copy_size); + } + +@@ -421,6 +432,12 @@ static uint32_t dict_flush(struct dictionary *dict, struct xz_buf *b) + if (dict->pos == dict->end) + dict->pos = 0; + ++ /* ++ * These buffers cannot overlap even if doing in-place ++ * decompression because in multi-call mode dict->buf ++ * has been allocated by us in this file; it's not ++ * provided by the caller like in single-call mode. ++ */ + memcpy(b->out + b->out_pos, dict->buf + dict->start, + copy_size); + } +-- +2.33.0 + diff --git a/queue-4.4/lib-xz-validate-the-value-before-assigning-it-to-an-.patch b/queue-4.4/lib-xz-validate-the-value-before-assigning-it-to-an-.patch new file mode 100644 index 00000000000..b58c1008eae --- /dev/null +++ b/queue-4.4/lib-xz-validate-the-value-before-assigning-it-to-an-.patch 
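Review bot: `dict_uncompressed()` is also compiled into the pre-boot decompressor via lib/decompress_unxz.c, which supplies its own `memmove()` when no C library is present, so switching these two copies from `memcpy()` to `memmove()` relies on that definition existing in the 4.4 copy of decompress_unxz.c; the comment edit in the first inner hunk refers to it, but the function itself is outside the visible lines and should be confirmed. Otherwise the change is sound hardening: with a corrupt input whose uncompressed size exceeds what the caller reserved, the worst case becomes a garbage result instead of undefined behaviour, and `dict_flush()` is correctly left on `memcpy()` since its explanation for non-overlap holds. dict_uncompressed() starts before the hunk.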
@@ -0,0 +1,51 @@ +From 3ac8758d42a09e900b494b8032cb857c996bc8ac Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 05:31:40 +0800 +Subject: lib/xz: Validate the value before assigning it to an enum variable + +From: Lasse Collin + +[ Upstream commit 4f8d7abaa413c34da9d751289849dbfb7c977d05 ] + +This might matter, for example, if the underlying type of enum xz_check +was a signed char. In such a case the validation wouldn't have caught an +unsupported header. I don't know if this problem can occur in the kernel +on any arch but it's still good to fix it because some people might copy +the XZ code to their own projects from Linux instead of the upstream +XZ Embedded repository. + +This change may increase the code size by a few bytes. An alternative +would have been to use an unsigned int instead of enum xz_check but +using an enumeration looks cleaner. + +Link: https://lore.kernel.org/r/20211010213145.17462-3-xiang@kernel.org +Signed-off-by: Lasse Collin +Signed-off-by: Gao Xiang +Signed-off-by: Sasha Levin +--- + lib/xz/xz_dec_stream.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/lib/xz/xz_dec_stream.c b/lib/xz/xz_dec_stream.c +index ac809b1e64f78..9e5b9ab537fea 100644 +--- a/lib/xz/xz_dec_stream.c ++++ b/lib/xz/xz_dec_stream.c +@@ -402,12 +402,12 @@ static enum xz_ret dec_stream_header(struct xz_dec *s) + * we will accept other check types too, but then the check won't + * be verified and a warning (XZ_UNSUPPORTED_CHECK) will be given. + */ ++ if (s->temp.buf[HEADER_MAGIC_SIZE + 1] > XZ_CHECK_MAX) ++ return XZ_OPTIONS_ERROR; ++ + s->check_type = s->temp.buf[HEADER_MAGIC_SIZE + 1]; + + #ifdef XZ_DEC_ANY_CHECK +- if (s->check_type > XZ_CHECK_MAX) +- return XZ_OPTIONS_ERROR; +- + if (s->check_type > XZ_CHECK_CRC32) + return XZ_UNSUPPORTED_CHECK; + #else +-- +2.33.0 + 
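Review bot: The new range check compares the raw header byte `s->temp.buf[HEADER_MAGIC_SIZE + 1]` against `XZ_CHECK_MAX` before it is stored into the `enum xz_check` field, which is the whole point of the change, but nothing at the site says why the check must be on the byte rather than on `s->check_type`; a later cleanup could easily move it back under the `#ifdef`. A one-line comment above the `if`, e.g. `/* Validate the raw byte: a narrow or signed enum could not represent an out-of-range value */`, would pin that down. The `#else` branch of the `#ifdef XZ_DEC_ANY_CHECK` block is cut off in this hunk, so I could not confirm whether its own check-type test is now partly redundant.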
diff --git a/queue-4.4/libertas-fix-possible-memory-leak-in-probe-and-disco.patch b/queue-4.4/libertas-fix-possible-memory-leak-in-probe-and-disco.patch new file mode 100644 index 00000000000..492e786e6cc --- /dev/null +++ b/queue-4.4/libertas-fix-possible-memory-leak-in-probe-and-disco.patch 
@@ -0,0 +1,72 @@ +From 13d40c854d9c092e2da045255a883c85660424cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 20:03:45 +0800 +Subject: libertas: Fix possible memory leak in probe and disconnect + +From: Wang Hai + +[ Upstream commit 9692151e2fe7a326bafe99836fd1f20a2cc3a049 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88812c7d7400 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295003332 (age 822.830s) + hex dump (first 32 bytes): + 00 68 1e 04 81 88 ff ff 01 00 00 00 00 00 00 00 .h.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x63/0x446 [usb8xxx] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). 
+ +Fixes: 876c9d3aeb98 ("[PATCH] Marvell Libertas 8388 802.11b/g USB driver") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-3-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/libertas/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/libertas/if_usb.c b/drivers/net/wireless/libertas/if_usb.c +index d271eaf1f9499..1793611a380c8 100644 +--- a/drivers/net/wireless/libertas/if_usb.c ++++ b/drivers/net/wireless/libertas/if_usb.c +@@ -291,6 +291,7 @@ err_add_card: + if_usb_reset_device(cardp); + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + + error: + return r; +@@ -317,6 +318,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.33.0 + diff --git a/queue-4.4/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch b/queue-4.4/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch new file mode 100644 index 00000000000..8842e423ab1 --- /dev/null +++ b/queue-4.4/libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch 
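Review bot: In `if_usb_disconnect()` the new `kfree(cardp)` runs before `usb_set_intfdata(intf, NULL)`, so for the two lines in between the interface's driver data still points at freed memory; clearing the pointer first, or moving the `kfree()` after it, removes that window at no cost. The same ordering appears in the libertas_tf patch queued alongside this one, so the remark applies there too. On the probe side `dealloc` is reached by fall-through from `err_add_card`, which covers the paths visible here, but it is worth confirming in the 4.4 tree that no error path between the `cardp` allocation and `dealloc` jumps straight to `error`, since such a path would still leak. Both if_usb_probe() and if_usb_disconnect() start outside the hunk.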
@@ -0,0 +1,72 @@ +From b0512a5db24da667ddcd12db96101e203b2f89e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 20:03:44 +0800 +Subject: libertas_tf: Fix possible memory leak in probe and disconnect + +From: Wang Hai + +[ Upstream commit d549107305b4634c81223a853701c06bcf657bc3 ] + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff88810a2ddc00 (size 512): + comm "kworker/6:1", pid 176, jiffies 4295009893 (age 757.220s) + hex dump (first 32 bytes): + 00 50 05 18 81 88 ff ff 00 00 00 00 00 00 00 00 .P.............. + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] if_usb_probe+0x60/0x37c [libertas_tf_usb] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x190/0x480 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_set_configuration+0xb01/0xcc0 [usbcore] + [] usb_generic_driver_probe+0x6e/0x90 [usbcore] + [] usb_probe_device+0x6f/0x130 [usbcore] + +cardp is missing being freed in the error handling path of the probe +and the path of the disconnect, which will cause memory leak. + +This patch adds the missing kfree(). 
+ +Fixes: c305a19a0d0a ("libertas_tf: usb specific functions") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211020120345.2016045-2-wanghai38@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/libertas_tf/if_usb.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wireless/libertas_tf/if_usb.c b/drivers/net/wireless/libertas_tf/if_usb.c +index 799a2efe57937..193f8f70c4edb 100644 +--- a/drivers/net/wireless/libertas_tf/if_usb.c ++++ b/drivers/net/wireless/libertas_tf/if_usb.c +@@ -240,6 +240,7 @@ static int if_usb_probe(struct usb_interface *intf, + + dealloc: + if_usb_free(cardp); ++ kfree(cardp); + error: + lbtf_deb_leave(LBTF_DEB_MAIN); + return -ENOMEM; +@@ -264,6 +265,7 @@ static void if_usb_disconnect(struct usb_interface *intf) + + /* Unlink and free urb */ + if_usb_free(cardp); ++ kfree(cardp); + + usb_set_intfdata(intf, NULL); + usb_put_dev(interface_to_usbdev(intf)); +-- +2.33.0 + diff --git a/queue-4.4/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch b/queue-4.4/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch new file mode 100644 index 00000000000..3efe29443d8 --- /dev/null +++ b/queue-4.4/llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch 
@@ -0,0 +1,68 @@ +From 3529b0e1e46eed8ebf0da93c9ce66213e0b096d5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 14:42:14 -0700 +Subject: llc: fix out-of-bound array index in llc_sk_dev_hash() + +From: Eric Dumazet + +[ Upstream commit 8ac9dfd58b138f7e82098a4e0a0d46858b12215b ] + +Both ifindex and LLC_SK_DEV_HASH_ENTRIES are signed. + +This means that (ifindex % LLC_SK_DEV_HASH_ENTRIES) is negative +if @ifindex is negative. + +We could simply make LLC_SK_DEV_HASH_ENTRIES unsigned. + +In this patch I chose to use hash_32() to get more entropy +from @ifindex, like llc_sk_laddr_hashfn(). + +UBSAN: array-index-out-of-bounds in ./include/net/llc.h:75:26 +index -43 is out of range for type 'hlist_head [64]' +CPU: 1 PID: 20999 Comm: syz-executor.3 Not tainted 5.15.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 + ubsan_epilogue+0xb/0x5a lib/ubsan.c:151 + __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:291 + llc_sk_dev_hash include/net/llc.h:75 [inline] + llc_sap_add_socket+0x49c/0x520 net/llc/llc_conn.c:697 + llc_ui_bind+0x680/0xd70 net/llc/af_llc.c:404 + __sys_bind+0x1e9/0x250 net/socket.c:1693 + __do_sys_bind net/socket.c:1704 [inline] + __se_sys_bind net/socket.c:1702 [inline] + __x64_sys_bind+0x6f/0xb0 net/socket.c:1702 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x44/0xae +RIP: 0033:0x7fa503407ae9 + +Fixes: 6d2e3ea28446 ("llc: use a device based hash table to speed up multicast delivery") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + include/net/llc.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/include/net/llc.h b/include/net/llc.h +index 95e5ced4c1339..18dfd3e49a69f 100644 +--- a/include/net/llc.h ++++ b/include/net/llc.h +@@ -72,7 +72,9 @@ struct llc_sap { + static inline + struct hlist_head *llc_sk_dev_hash(struct llc_sap *sap, int ifindex) + { +- return &sap->sk_dev_hash[ifindex % LLC_SK_DEV_HASH_ENTRIES]; ++ u32 bucket = hash_32(ifindex, LLC_SK_DEV_HASH_BITS); ++ ++ return &sap->sk_dev_hash[bucket]; + } + + static inline +-- +2.33.0 + diff --git a/queue-4.4/m68k-set-a-default-value-for-memory_reserve.patch b/queue-4.4/m68k-set-a-default-value-for-memory_reserve.patch new file mode 100644 index 00000000000..391cbecbb59 --- /dev/null +++ b/queue-4.4/m68k-set-a-default-value-for-memory_reserve.patch 
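Review bot: `llc_sk_dev_hash()` now places sockets by `hash_32(ifindex, LLC_SK_DEV_HASH_BITS)` instead of `ifindex % LLC_SK_DEV_HASH_ENTRIES`, so every reader of `sk_dev_hash` must go through this helper rather than recompute the modulo, otherwise lookups (presumably the multicast delivery path in net/llc/llc_sap.c) silently miss sockets; a quick grep of the 4.4 tree before queuing would settle that. The change also relies on `LLC_SK_DEV_HASH_BITS` and `hash_32()` being available to include/net/llc.h in 4.4 — the commit message says llc_sk_laddr_hashfn() already uses hash_32(), which suggests they are. Note that this makes the array index safe for any `ifindex` but does not reject a negative `ifindex` at bind time; whether that should be rejected earlier is a separate question for the caller.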
@@ -0,0 +1,50 @@ +From 3c6a88fdc686de8fef543a7a8efc1b8873d2aa6f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Oct 2021 17:02:23 -0700 +Subject: m68k: set a default value for MEMORY_RESERVE + +From: Randy Dunlap + +[ Upstream commit 1aaa557b2db95c9506ed0981bc34505c32d6b62b ] + +'make randconfig' can produce a .config file with +"CONFIG_MEMORY_RESERVE=" (no value) since it has no default. +When a subsequent 'make all' is done, kconfig restarts the config +and prompts for a value for MEMORY_RESERVE. This breaks +scripting/automation where there is no interactive user input. + +Add a default value for MEMORY_RESERVE. (Any integer value will +work here for kconfig.) + +Fixes a kconfig warning: + +.config:214:warning: symbol value '' invalid for MEMORY_RESERVE +* Restart config... +Memory reservation (MiB) (MEMORY_RESERVE) [] (NEW) + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") # from beginning of git history +Signed-off-by: Randy Dunlap +Reviewed-by: Geert Uytterhoeven +Cc: Greg Ungerer +Cc: linux-m68k@lists.linux-m68k.org +Signed-off-by: Greg Ungerer +Signed-off-by: Sasha Levin +--- + arch/m68k/Kconfig.machine | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/m68k/Kconfig.machine b/arch/m68k/Kconfig.machine +index 61dc643c0b05c..16a737b9bd660 100644 +--- a/arch/m68k/Kconfig.machine ++++ b/arch/m68k/Kconfig.machine +@@ -184,6 +184,7 @@ config INIT_LCD + config MEMORY_RESERVE + int "Memory reservation (MiB)" + depends on (UCSIMM || UCDIMM) ++ default 0 + help + Reserve certain memory regions on 68x328 based boards. + +-- +2.33.0 + diff --git a/queue-4.4/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch b/queue-4.4/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch new file mode 100644 index 00000000000..46f670bcd95 --- /dev/null +++ b/queue-4.4/media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch 
@@ -0,0 +1,39 @@ +From 839e3e63dcf58e42a6f787e80796e6788b6f0440 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 13 Aug 2021 16:34:20 +0200 +Subject: media: dvb-usb: fix ununit-value in az6027_rc_query + +From: Pavel Skripkin + +[ Upstream commit afae4ef7d5ad913cab1316137854a36bea6268a5 ] + +Syzbot reported ununit-value bug in az6027_rc_query(). The problem was +in missing state pointer initialization. Since this function does nothing +we can simply initialize state to REMOTE_NO_KEY_PRESSED. + +Reported-and-tested-by: syzbot+2cd8c5db4a85f0a04142@syzkaller.appspotmail.com + +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 92e47d6c3ee3e..c58fb74c3cd73 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -394,6 +394,7 @@ static struct rc_map_table rc_map_az6027_table[] = { + /* remote control stuff (does not work with my box) */ + static int az6027_rc_query(struct dvb_usb_device *d, u32 *event, int *state) + { ++ *state = REMOTE_NO_KEY_PRESSED; + return 0; + } + +-- +2.33.0 + diff --git a/queue-4.4/media-mceusb-return-without-resubmitting-urb-in-case.patch b/queue-4.4/media-mceusb-return-without-resubmitting-urb-in-case.patch new file mode 100644 index 00000000000..15caadbb75a --- /dev/null +++ b/queue-4.4/media-mceusb-return-without-resubmitting-urb-in-case.patch 
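Review bot: `az6027_rc_query()` now initialises `*state` but still leaves `*event` untouched; if the dvb-usb remote-polling code only reads `*event` when `*state != REMOTE_NO_KEY_PRESSED` (which I believe is the case) that is sufficient, otherwise an accompanying `*event = 0;` would complete the fix. A short comment on the stub, e.g. `/* stub: no remote support; report "no key" so callers never read an uninitialised state */`, would also explain why a function that does nothing must still write its out-parameter.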
@@ -0,0 +1,40 @@ +From 4113da77ce75dd4c5fbc2313369df5a18f477325 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 18 Aug 2021 22:31:10 +0200 +Subject: media: mceusb: return without resubmitting URB in case of -EPROTO + error. + +From: Rajat Asthana + +[ Upstream commit 476db72e521983ecb847e4013b263072bb1110fc ] + +Syzkaller reported a warning called "rcu detected stall in dummy_timer". + +The error seems to be an error in mceusb_dev_recv(). In the case of +-EPROTO error, the routine immediately resubmits the URB. Instead it +should return without resubmitting URB. + +Reported-by: syzbot+4d3749e9612c2cfab956@syzkaller.appspotmail.com +Signed-off-by: Rajat Asthana +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/mceusb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/rc/mceusb.c b/drivers/media/rc/mceusb.c +index 0fba4a2c16028..7b9800d3446cf 100644 +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1079,6 +1079,7 @@ static void mceusb_dev_recv(struct urb *urb) + case -ECONNRESET: + case -ENOENT: + case -EILSEQ: ++ case -EPROTO: + case -ESHUTDOWN: + usb_unlink_urb(urb); + return; +-- +2.33.0 + diff --git a/queue-4.4/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch b/queue-4.4/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch new file mode 100644 index 00000000000..2067c842f71 --- /dev/null +++ b/queue-4.4/media-mt9p031-fix-corrupted-frame-after-restarting-s.patch 
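Review bot: Adding `-EPROTO` to the unlink-and-return list means a single protocol error now permanently stops receive on that URB (it is never resubmitted), which is the intended fix for the stall but also changes the failure mode from "retry" to "dead until re-plug"; a one-line comment on the case list, e.g. `/* fatal: do not resubmit, the device is gone or misbehaving */`, would record that this is deliberate rather than an oversight. mceusb_dev_recv() starts and ends outside the hunk.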
@@ -0,0 +1,89 @@ +From c7388fde2200fa05e4de3b1c78dfd07b2f9ce3f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 26 Jul 2021 09:35:15 +0200 +Subject: media: mt9p031: Fix corrupted frame after restarting stream + +From: Dirk Bender + +[ Upstream commit 0961ba6dd211a4a52d1dd4c2d59be60ac2dc08c7 ] + +To prevent corrupted frames after starting and stopping the sensor its +datasheet specifies a specific pause sequence to follow: + +Stopping: + Set Pause_Restart Bit -> Set Restart Bit -> Set Chip_Enable Off + +Restarting: + Set Chip_Enable On -> Clear Pause_Restart Bit + +The Restart Bit is cleared automatically and must not be cleared +manually as this would cause undefined behavior. + +Signed-off-by: Dirk Bender +Signed-off-by: Stefan Riedmueller +Signed-off-by: Sakari Ailus +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/mt9p031.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/i2c/mt9p031.c b/drivers/media/i2c/mt9p031.c +index 0db15f528ac1c..fb60c9f42cb60 100644 +--- a/drivers/media/i2c/mt9p031.c ++++ b/drivers/media/i2c/mt9p031.c +@@ -81,7 +81,9 @@ + #define MT9P031_PIXEL_CLOCK_INVERT (1 << 15) + #define MT9P031_PIXEL_CLOCK_SHIFT(n) ((n) << 8) + #define MT9P031_PIXEL_CLOCK_DIVIDE(n) ((n) << 0) +-#define MT9P031_FRAME_RESTART 0x0b ++#define MT9P031_RESTART 0x0b ++#define MT9P031_FRAME_PAUSE_RESTART (1 << 1) ++#define MT9P031_FRAME_RESTART (1 << 0) + #define MT9P031_SHUTTER_DELAY 0x0c + #define MT9P031_RST 0x0d + #define MT9P031_RST_ENABLE 1 +@@ -448,9 +450,23 @@ static int mt9p031_set_params(struct mt9p031 *mt9p031) + static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + { + struct mt9p031 *mt9p031 = to_mt9p031(subdev); ++ struct i2c_client *client = v4l2_get_subdevdata(subdev); ++ int val; + int ret; + + if (!enable) { ++ /* enable pause restart */ ++ val = MT9P031_FRAME_PAUSE_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, 
val); ++ if (ret < 0) ++ return ret; ++ ++ /* enable restart + keep pause restart set */ ++ val |= MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + /* Stop sensor readout */ + ret = mt9p031_set_output_control(mt9p031, + MT9P031_OUTPUT_CONTROL_CEN, 0); +@@ -470,6 +486,16 @@ static int mt9p031_s_stream(struct v4l2_subdev *subdev, int enable) + if (ret < 0) + return ret; + ++ /* ++ * - clear pause restart ++ * - don't clear restart as clearing restart manually can cause ++ * undefined behavior ++ */ ++ val = MT9P031_FRAME_RESTART; ++ ret = mt9p031_write(client, MT9P031_RESTART, val); ++ if (ret < 0) ++ return ret; ++ + return mt9p031_pll_enable(mt9p031); + } + +-- +2.33.0 + diff --git a/queue-4.4/media-netup_unidvb-handle-interrupt-properly-accordi.patch b/queue-4.4/media-netup_unidvb-handle-interrupt-properly-accordi.patch new file mode 100644 index 00000000000..f3b2d7ed181 --- /dev/null +++ b/queue-4.4/media-netup_unidvb-handle-interrupt-properly-accordi.patch 
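Review bot: `MT9P031_FRAME_RESTART` changes meaning in this patch, from the register address `0x0b` to the bit `(1 << 0)`, with the address moving to the new `MT9P031_RESTART`; any other use of `MT9P031_FRAME_RESTART` in the 4.4 driver would now silently write to register 0x01 instead of 0x0b. Upstream the old macro appears to have had no other users, but that should be confirmed in the 4.4 copy of drivers/media/i2c/mt9p031.c before queuing. In `mt9p031_s_stream()` the two restart-register writes also precede `mt9p031_set_output_control()`, so a failed I2C write returns early with readout still enabled; that is consistent with the function's other early returns, but it leaves the documented stop sequence incomplete. The function body continues outside the hunk.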
@@ -0,0 +1,178 @@ +From 038d3b02dd0e9c56f0d4161a692472fd011a7c4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Jun 2021 08:01:05 +0200 +Subject: media: netup_unidvb: handle interrupt properly according to the + firmware + +From: Zheyu Ma + +[ Upstream commit dbb4cfea6efe979ed153bd59a6a527a90d3d0ab3 ] + +The interrupt handling should be related to the firmware version. If +the driver matches an old firmware, then the driver should not handle +interrupt such as i2c or dma, otherwise it will cause some errors. + +This log reveals it: + +[ 27.708641] INFO: trying to register non-static key. +[ 27.710851] The code is fine but needs lockdep annotation, or maybe +[ 27.712010] you didn't initialize this object before use? +[ 27.712396] turning off the locking correctness validator. +[ 27.712787] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.713349] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 27.714149] Call Trace: +[ 27.714329] +[ 27.714480] dump_stack+0xba/0xf5 +[ 27.714737] register_lock_class+0x873/0x8f0 +[ 27.715052] ? __lock_acquire+0x323/0x1930 +[ 27.715353] __lock_acquire+0x75/0x1930 +[ 27.715636] lock_acquire+0x1dd/0x3e0 +[ 27.715905] ? netup_i2c_interrupt+0x19/0x310 +[ 27.716226] _raw_spin_lock_irqsave+0x4b/0x60 +[ 27.716544] ? 
netup_i2c_interrupt+0x19/0x310 +[ 27.716863] netup_i2c_interrupt+0x19/0x310 +[ 27.717178] netup_unidvb_isr+0xd3/0x160 +[ 27.717467] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.717808] handle_irq_event_percpu+0x35/0x90 +[ 27.718129] handle_irq_event+0x39/0x60 +[ 27.718409] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.718707] __common_interrupt+0x7f/0x150 +[ 27.719008] common_interrupt+0xb4/0xd0 +[ 27.719289] +[ 27.719446] asm_common_interrupt+0x1e/0x40 +[ 27.719747] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.720084] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.721386] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.721758] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.722262] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: ffffffff85ded4e6 +[ 27.722770] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.723277] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.723781] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.724289] default_idle+0x9/0x10 +[ 27.724537] arch_cpu_idle+0xa/0x10 +[ 27.724791] default_idle_call+0x6e/0x250 +[ 27.725082] do_idle+0x1f0/0x2d0 +[ 27.725326] cpu_startup_entry+0x18/0x20 +[ 27.725613] start_secondary+0x11f/0x160 +[ 27.725902] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.726272] BUG: kernel NULL pointer dereference, address: 0000000000000002 +[ 27.726768] #PF: supervisor read access in kernel mode +[ 27.727138] #PF: error_code(0x0000) - not-present page +[ 27.727507] PGD 8000000118688067 P4D 8000000118688067 PUD 10feab067 PMD 0 +[ 27.727999] Oops: 0000 [#1] PREEMPT SMP PTI +[ 27.728302] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-g70e7f0549188-dirty #169 +[ 27.728861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 +[ 
27.729660] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.730019] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.731339] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.731716] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.732223] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.732727] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.733239] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.733745] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.734251] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.734821] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.735228] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.735735] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.736241] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.736744] Call Trace: +[ 27.736924] +[ 27.737074] netup_unidvb_isr+0xd3/0x160 +[ 27.737363] __handle_irq_event_percpu+0x53/0x3e0 +[ 27.737706] handle_irq_event_percpu+0x35/0x90 +[ 27.738028] handle_irq_event+0x39/0x60 +[ 27.738306] handle_fasteoi_irq+0xc2/0x1d0 +[ 27.738602] __common_interrupt+0x7f/0x150 +[ 27.738899] common_interrupt+0xb4/0xd0 +[ 27.739176] +[ 27.739331] asm_common_interrupt+0x1e/0x40 +[ 27.739633] RIP: 0010:native_safe_halt+0x17/0x20 +[ 27.739967] Code: 07 0f 00 2d 8b ee 4c 00 f4 5d c3 0f 1f 84 00 00 00 00 00 8b 05 72 95 17 02 55 48 89 e5 85 c0 7e 07 0f 00 2d 6b ee 4c 00 fb f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d 29 f6 +[ 27.741275] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246 +[ 27.741647] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 0000000000000000 +[ 27.742148] RDX: 0000000000000000 RSI: ffffffff85f7c054 RDI: 
ffffffff85ded4e6 +[ 27.742652] RBP: ffffc9000008fe90 R08: 0000000000000001 R09: 0000000000000001 +[ 27.743154] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff86a75408 +[ 27.743652] R13: 0000000000000000 R14: 0000000000000000 R15: ffff888100260000 +[ 27.744157] default_idle+0x9/0x10 +[ 27.744405] arch_cpu_idle+0xa/0x10 +[ 27.744658] default_idle_call+0x6e/0x250 +[ 27.744948] do_idle+0x1f0/0x2d0 +[ 27.745190] cpu_startup_entry+0x18/0x20 +[ 27.745475] start_secondary+0x11f/0x160 +[ 27.745761] secondary_startup_64_no_verify+0xb0/0xbb +[ 27.746123] Modules linked in: +[ 27.746348] Dumping ftrace buffer: +[ 27.746596] (ftrace buffer empty) +[ 27.746852] CR2: 0000000000000002 +[ 27.747094] ---[ end trace ebafd46f83ab946d ]--- +[ 27.747424] RIP: 0010:netup_i2c_interrupt+0x23/0x310 +[ 27.747778] Code: 0f 1f 80 00 00 00 00 55 48 89 e5 41 55 41 54 53 48 89 fb e8 af 6e 95 fd 48 89 df e8 e7 9f 1c 01 49 89 c5 48 8b 83 48 08 00 00 <66> 44 8b 60 02 44 89 e0 48 8b 93 48 08 00 00 83 e0 f8 66 89 42 02 +[ 27.749082] RSP: 0018:ffffc90000118e90 EFLAGS: 00010046 +[ 27.749461] RAX: 0000000000000000 RBX: ffff88810803c4d8 RCX: 0000000000000000 +[ 27.749966] RDX: 0000000000000001 RSI: ffffffff85d37b94 RDI: ffff88810803c4d8 +[ 27.750471] RBP: ffffc90000118ea8 R08: 0000000000000000 R09: 0000000000000001 +[ 27.750976] R10: ffff88810803c4f0 R11: 61646e6f63657320 R12: 0000000000000000 +[ 27.751480] R13: 0000000000000046 R14: ffff888101041000 R15: ffff8881081b2400 +[ 27.751986] FS: 0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000 +[ 27.752560] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 27.752970] CR2: 0000000000000002 CR3: 0000000108194000 CR4: 00000000000006e0 +[ 27.753481] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 27.753984] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 27.754487] Kernel panic - not syncing: Fatal exception in interrupt +[ 27.755033] Dumping ftrace buffer: +[ 27.755279] (ftrace buffer 
empty) +[ 27.755534] Kernel Offset: disabled +[ 27.755785] Rebooting in 1 seconds.. + +Signed-off-by: Zheyu Ma +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + .../pci/netup_unidvb/netup_unidvb_core.c | 27 +++++++++++-------- + 1 file changed, 16 insertions(+), 11 deletions(-) + +diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +index 3fdbd81b55806..a83ba068b8376 100644 +--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c ++++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c +@@ -253,19 +253,24 @@ static irqreturn_t netup_unidvb_isr(int irq, void *dev_id) + if ((reg40 & AVL_IRQ_ASSERTED) != 0) { + /* IRQ is being signaled */ + reg_isr = readw(ndev->bmmio0 + REG_ISR); +- if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { +- iret = netup_i2c_interrupt(&ndev->i2c[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { +- iret = netup_i2c_interrupt(&ndev->i2c[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_SPI) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_SPI) + iret = netup_spi_interrupt(ndev->spi); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { +- iret = netup_dma_interrupt(&ndev->dma[0]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { +- iret = netup_dma_interrupt(&ndev->dma[1]); +- } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { +- iret = netup_ci_interrupt(ndev); ++ else if (!ndev->old_fw) { ++ if (reg_isr & NETUP_UNIDVB_IRQ_I2C0) { ++ iret = netup_i2c_interrupt(&ndev->i2c[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_I2C1) { ++ iret = netup_i2c_interrupt(&ndev->i2c[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA1) { ++ iret = netup_dma_interrupt(&ndev->dma[0]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_DMA2) { ++ iret = netup_dma_interrupt(&ndev->dma[1]); ++ } else if (reg_isr & NETUP_UNIDVB_IRQ_CI) { ++ iret = netup_ci_interrupt(ndev); ++ } else { ++ goto err; ++ } + } else { ++err: + dev_err(&pci_dev->dev, + "%s(): unknown interrupt 0x%x\n", + __func__, 
reg_isr); +-- +2.33.0 + diff --git a/queue-4.4/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch b/queue-4.4/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch new file mode 100644 index 00000000000..4fefa82db61 --- /dev/null +++ b/queue-4.4/media-s5p-mfc-fix-possible-null-pointer-dereference-.patch @@ -0,0 +1,49 @@ +From 7c8eebcca67cd3685bc2b141f1cdb67b02645562 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Aug 2021 09:55:35 +0200 +Subject: media: s5p-mfc: fix possible null-pointer dereference in + s5p_mfc_probe() + +From: Tuo Li + +[ Upstream commit 8515965e5e33f4feb56134348c95953f3eadfb26 ] + +The variable pdev is assigned to dev->plat_dev, and dev->plat_dev is +checked in: + if (!dev->plat_dev) + +This indicates both dev->plat_dev and pdev can be NULL. If so, the +function dev_err() is called to print error information. + dev_err(&pdev->dev, "No platform data specified\n"); + +However, &pdev->dev is an illegal address, and it is dereferenced in +dev_err(). + +To fix this possible null-pointer dereference, replace dev_err() with +mfc_err(). + +Reported-by: TOTE Robot +Signed-off-by: Tuo Li +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s5p-mfc/s5p_mfc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/platform/s5p-mfc/s5p_mfc.c b/drivers/media/platform/s5p-mfc/s5p_mfc.c +index 7727789dbda14..daa5b4dea092c 100644 +--- a/drivers/media/platform/s5p-mfc/s5p_mfc.c ++++ b/drivers/media/platform/s5p-mfc/s5p_mfc.c +@@ -1102,7 +1102,7 @@ static int s5p_mfc_probe(struct platform_device *pdev) + spin_lock_init(&dev->condlock); + dev->plat_dev = pdev; + if (!dev->plat_dev) { +- dev_err(&pdev->dev, "No platform data specified\n"); ++ mfc_err("No platform data specified\n"); + return -ENODEV; + } + +-- +2.33.0 + 
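Review bot: The new `err:` label sits inside the final `else` block and is reached by a `goto` from within the sibling `else if (!ndev->old_fw)` branch, which is legal C but hard to follow and easy to break on the next edit; a flat shape (an `unknown` flag set in the inner `else`, or a small `static` helper that prints the message, called from both places) would make the control flow visible. Also, with old firmware every non-SPI assertion now reaches that `dev_err()` from hard-IRQ context on each interrupt, so if such firmware can raise the I2C/DMA/CI bits at all this should be `dev_err_ratelimited(&pci_dev->dev, "%s(): unknown interrupt 0x%x\n", __func__, reg_isr);` to avoid flooding the log. Whether `ndev->old_fw` is populated before the IRQ is requested, and what `iret` is initialised to on the unknown path, cannot be read from this hunk; netup_unidvb_isr() starts and ends outside it.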
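Review bot: The check being patched is on `dev->plat_dev`, which the previous line has just assigned from the probe argument `pdev`; the platform bus does not invoke probe with a NULL device, so as far as this hunk shows the branch is unreachable and swapping `dev_err()` for `mfc_err()` only makes dead code look intentional. The cleaner fix is to drop the three-line `if (!dev->plat_dev)` block and keep just `dev->plat_dev = pdev;`, or, if the maintainers want to keep it, add `/* defensive: pdev is never NULL from the platform core */` so nobody tries to "fix" it again. `mfc_err()` also loses the device name `dev_err()` would have printed, though that hardly matters on a path that cannot run. s5p_mfc_probe() starts and ends outside this hunk.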
diff --git a/queue-4.4/media-si470x-avoid-card-name-truncation.patch b/queue-4.4/media-si470x-avoid-card-name-truncation.patch new file mode 100644 index 00000000000..12743c983bf --- /dev/null +++ b/queue-4.4/media-si470x-avoid-card-name-truncation.patch 
@@ -0,0 +1,54 @@ +From 375f44d956001699d312cb29df4a3cf403a9af12 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 3 Aug 2021 21:46:09 +0200 +Subject: media: si470x: Avoid card name truncation + +From: Kees Cook + +[ Upstream commit 2908249f3878a591f7918368fdf0b7b0a6c3158c ] + +The "card" string only holds 31 characters (and the terminating NUL). +In order to avoid truncation, use a shorter card description instead of +the current result, "Silicon Labs Si470x FM Radio Re". + +Suggested-by: Hans Verkuil +Fixes: 78656acdcf48 ("V4L/DVB (7038): USB radio driver for Silicon Labs Si470x FM Radio Receivers") +Fixes: cc35bbddfe10 ("V4L/DVB (12416): radio-si470x: add i2c driver for si470x") +Signed-off-by: Kees Cook +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-i2c.c | 2 +- + drivers/media/radio/si470x/radio-si470x-usb.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-i2c.c b/drivers/media/radio/si470x/radio-si470x-i2c.c +index 0836fa442d224..24804ce70f523 100644 +--- a/drivers/media/radio/si470x/radio-si470x-i2c.c ++++ b/drivers/media/radio/si470x/radio-si470x-i2c.c +@@ -24,7 +24,7 @@ + + /* driver definitions */ + #define DRIVER_AUTHOR "Joonyoung Shim "; +-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver" ++#define DRIVER_CARD "Silicon Labs Si470x FM Radio" + #define DRIVER_DESC "I2C radio driver for Si470x FM Radio Receivers" + #define DRIVER_VERSION "1.0.2" + +diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c +index c9347d5aac04f..6fd1e4f26f5f4 100644 +--- a/drivers/media/radio/si470x/radio-si470x-usb.c ++++ b/drivers/media/radio/si470x/radio-si470x-usb.c +@@ -29,7 +29,7 @@ + + /* driver definitions */ + #define DRIVER_AUTHOR "Tobias Lorenz " +-#define DRIVER_CARD "Silicon Labs Si470x FM Radio Receiver" ++#define DRIVER_CARD "Silicon Labs 
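Review bot: The shortened `DRIVER_CARD` fits the 32-byte `v4l2_capability::card` field only by hand-counting (28 characters plus the NUL), and nothing stops the next rename from growing it again; where the string is copied into the capability struct (outside this hunk) a `BUILD_BUG_ON(sizeof(DRIVER_CARD) > sizeof(((struct v4l2_capability *)0)->card));` would turn the next overflow into a build error instead of a silent truncation. A comment on the define, `/* must fit v4l2_capability.card (32 bytes incl. NUL) */`, would also explain why the name is shorter than the description. Unrelated but visible in the context line above: the `DRIVER_AUTHOR` define carries a stray `;` after the closing quote, which is presumably harmless where the macro is expanded but is worth dropping in a follow-up.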
Si470x FM Radio" + #define DRIVER_DESC "USB radio driver for Si470x FM Radio Receivers" + #define DRIVER_VERSION "1.0.10" + +-- +2.33.0 + diff --git a/queue-4.4/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch b/queue-4.4/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch new file mode 100644 index 00000000000..60b31851922 --- /dev/null +++ b/queue-4.4/media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch @@ -0,0 +1,41 @@ +From 9b677188ceaaf1f62ef11f0a6efaedb8fa823450 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Dec 2020 07:16:06 +0100 +Subject: media: usb: dvd-usb: fix uninit-value bug in + dibusb_read_eeprom_byte() + +From: Anant Thazhemadam + +[ Upstream commit 899a61a3305d49e8a712e9ab20d0db94bde5929f ] + +In dibusb_read_eeprom_byte(), if dibusb_i2c_msg() fails, val gets +assigned an value that's not properly initialized. +Using kzalloc() in place of kmalloc() for the buffer fixes this issue, +as the val can now be set to 0 in the event dibusb_i2c_msg() fails. + +Reported-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Tested-by: syzbot+e27b4fd589762b0b9329@syzkaller.appspotmail.com +Signed-off-by: Anant Thazhemadam +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dibusb-common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dibusb-common.c b/drivers/media/usb/dvb-usb/dibusb-common.c +index 7b15aea2723d6..5a1dc0d465d26 100644 +--- a/drivers/media/usb/dvb-usb/dibusb-common.c ++++ b/drivers/media/usb/dvb-usb/dibusb-common.c +@@ -182,7 +182,7 @@ int dibusb_read_eeprom_byte(struct dvb_usb_device *d, u8 offs, u8 *val) + u8 *buf; + int rc; + +- buf = kmalloc(2, GFP_KERNEL); ++ buf = kzalloc(2, GFP_KERNEL); + if (!buf) + return -ENOMEM; + +-- +2.33.0 + 
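Review bot: Zeroing the buffer hides the uninitialised read, but the caller still receives `*val = buf[1]` (assigned after this hunk) when `dibusb_i2c_msg()` fails, so a failed EEPROM read now silently reports 0 instead of an error; the store should be conditional on success, e.g. `if (rc == 0) *val = buf[1];` or an early `goto out` on error, with `kzalloc()` kept as belt-and-braces. The rest of dibusb_read_eeprom_byte(), including how `rc` is propagated, is outside this hunk, so the exact shape of the change depends on that code.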
diff --git a/queue-4.4/media-uvcvideo-set-capability-in-s_param.patch b/queue-4.4/media-uvcvideo-set-capability-in-s_param.patch new file mode 100644 index 00000000000..44eda945fe2 --- /dev/null +++ b/queue-4.4/media-uvcvideo-set-capability-in-s_param.patch @@ -0,0 +1,47 @@ +From 762229f3bf7fd4553c0745932b845052e96b2306 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Jun 2021 14:29:08 +0200 +Subject: media: uvcvideo: Set capability in s_param + +From: Ricardo Ribalda + +[ Upstream commit 97a2777a96070afb7da5d587834086c0b586c8cc ] + +Fixes v4l2-compliance: + +Format ioctls (Input 0): + warn: v4l2-test-formats.cpp(1339): S_PARM is supported but doesn't report V4L2_CAP_TIMEPERFRAME + fail: v4l2-test-formats.cpp(1241): node->has_frmintervals && !cap->capability + +Reviewed-by: Hans Verkuil +Signed-off-by: Ricardo Ribalda +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/uvc/uvc_v4l2.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/usb/uvc/uvc_v4l2.c b/drivers/media/usb/uvc/uvc_v4l2.c +index 049d664e94f07..8ac231f6b2d16 100644 +--- a/drivers/media/usb/uvc/uvc_v4l2.c ++++ b/drivers/media/usb/uvc/uvc_v4l2.c +@@ -436,10 +436,13 @@ static int uvc_v4l2_set_streamparm(struct uvc_streaming *stream, + uvc_simplify_fraction(&timeperframe.numerator, + &timeperframe.denominator, 8, 333); + +- if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) ++ if (parm->type == V4L2_BUF_TYPE_VIDEO_CAPTURE) { + parm->parm.capture.timeperframe = timeperframe; +- else ++ parm->parm.capture.capability = V4L2_CAP_TIMEPERFRAME; ++ } else { + parm->parm.output.timeperframe = timeperframe; ++ parm->parm.output.capability = V4L2_CAP_TIMEPERFRAME; ++ } + + return 0; + } +-- +2.33.0 + 
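Review bot: The capability flag is set only on the S_PARM path; if `uvc_v4l2_get_streamparm()` (not in this hunk) does not already fill `parm->parm.capture.capability` the same way, G_PARM will still advertise nothing and the compliance tool will just move its complaint to the other ioctl. The `else` branch also treats every non-capture buffer type as output, so a comment such as `/* type is CAPTURE or OUTPUT here, assuming the caller validated parm->type */` would document the assumption, or the function should reject other types if that validation does not happen upstream. uvc_v4l2_set_streamparm() starts outside this hunk.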
diff --git a/queue-4.4/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch b/queue-4.4/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch new file mode 100644 index 00000000000..7e2d2954410 --- /dev/null +++ b/queue-4.4/memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch 
@@ -0,0 +1,73 @@ +From 11d7a0c9b3177bfee3dab610378e39a0d49d0b7d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 25 Sep 2021 23:14:32 +0800 +Subject: memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe + +From: Dongliang Mu + +[ Upstream commit 4ed2f3545c2e5acfbccd7f85fea5b1a82e9862d7 ] + +The error handling code of fsl_ifc_ctrl_probe is problematic. When +fsl_ifc_ctrl_init fails or request_irq of fsl_ifc_ctrl_dev->irq fails, +it forgets to free the irq and nand_irq. Meanwhile, if request_irq of +fsl_ifc_ctrl_dev->nand_irq fails, it will still free nand_irq even if +the request_irq is not successful. + +Fix this by refactoring the error handling code. + +Fixes: d2ae2e20fbdd ("driver/memory:Move Freescale IFC driver to a common driver") +Signed-off-by: Dongliang Mu +Link: https://lore.kernel.org/r/20210925151434.8170-1-mudongliangabcd@gmail.com +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: Sasha Levin +--- + drivers/memory/fsl_ifc.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c +index 26b37ba4feda6..258d95b9c0adc 100644 +--- a/drivers/memory/fsl_ifc.c ++++ b/drivers/memory/fsl_ifc.c +@@ -275,7 +275,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + + ret = fsl_ifc_ctrl_init(fsl_ifc_ctrl_dev); + if (ret < 0) +- goto err; ++ goto err_unmap_nandirq; + + init_waitqueue_head(&fsl_ifc_ctrl_dev->nand_wait); + +@@ -284,7 +284,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + if (ret != 0) { + dev_err(&dev->dev, "failed to install irq (%d)\n", + fsl_ifc_ctrl_dev->irq); +- goto err_irq; ++ goto err_unmap_nandirq; + } + + if (fsl_ifc_ctrl_dev->nand_irq) { +@@ -293,17 +293,16 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev) + if (ret != 0) { + dev_err(&dev->dev, "failed to install irq (%d)\n", + fsl_ifc_ctrl_dev->nand_irq); +- goto err_nandirq; ++ goto err_free_irq; + } + } + + return 0; + +-err_nandirq: +- 
free_irq(fsl_ifc_ctrl_dev->nand_irq, fsl_ifc_ctrl_dev); +- irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq); +-err_irq: ++err_free_irq: + free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev); ++err_unmap_nandirq: ++ irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq); + irq_dispose_mapping(fsl_ifc_ctrl_dev->irq); + err: + return ret; +-- +2.33.0 + diff --git a/queue-4.4/memstick-avoid-out-of-range-warning.patch b/queue-4.4/memstick-avoid-out-of-range-warning.patch new file mode 100644 index 00000000000..cee0220913b --- /dev/null +++ b/queue-4.4/memstick-avoid-out-of-range-warning.patch 
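Review bot: The `err_unmap_nandirq` label now disposes both the `nand_irq` and the `irq` mappings, so its name describes only half of what it does; `err_dispose_mappings`, or two separate labels, would keep the unwind path readable. `irq_dispose_mapping(fsl_ifc_ctrl_dev->nand_irq)` is also reached when `nand_irq` is 0, since the request above is guarded by `if (fsl_ifc_ctrl_dev->nand_irq)`; as far as I know the IRQ core treats virq 0 as a no-op, but either the same guard or a comment, `/* nand_irq may be 0; irq_dispose_mapping() tolerates that */`, would make that explicit. The `err:` label is left holding only `return ret;` and is now reached solely from code above this hunk, if at all.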
@@ -0,0 +1,44 @@ +From 9ba66deb7652c8050b27e84920629db4570dd96b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 27 Sep 2021 11:44:47 +0200 +Subject: memstick: avoid out-of-range warning + +From: Arnd Bergmann + +[ Upstream commit 4853396f03c3019eccf5cd113e464231e9ddf0b3 ] + +clang-14 complains about a sanity check that always passes when the +page size is 64KB or larger: + +drivers/memstick/core/ms_block.c:1739:21: error: result of comparison of constant 65536 with expression of type 'unsigned short' is always false [-Werror,-Wtautological-constant-out-of-range-compare] + if (msb->page_size > PAGE_SIZE) { + ~~~~~~~~~~~~~~ ^ ~~~~~~~~~ + +This is fine, it will still work on all architectures, so just shut +up that warning with a cast. + +Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") +Signed-off-by: Arnd Bergmann +Link: https://lore.kernel.org/r/20210927094520.696665-1-arnd@kernel.org +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/core/ms_block.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c +index 24f2f8473deec..d0a4177f034a8 100644 +--- a/drivers/memstick/core/ms_block.c ++++ b/drivers/memstick/core/ms_block.c +@@ -1730,7 +1730,7 @@ static int msb_init_card(struct memstick_dev *card) + msb->pages_in_block = boot_block->attr.block_size * 2; + msb->block_size = msb->page_size * msb->pages_in_block; + +- if (msb->page_size > PAGE_SIZE) { ++ if ((size_t)msb->page_size > PAGE_SIZE) { + /* this isn't supported by linux at all, anyway*/ + dbg("device page %d size isn't supported", msb->page_size); + return -EINVAL; +-- +2.33.0 + diff --git a/queue-4.4/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch b/queue-4.4/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch new file mode 100644 index 00000000000..404dcbdcecb --- /dev/null +++ b/queue-4.4/memstick-jmb38x_ms-use-appropriate-free-function-in-.patch 
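Review bot: The `(size_t)` cast silences clang but leaves no trace of why it is there, so a later cleanup is likely to drop it and reintroduce the warning; add `/* cast: on 64K-page configs this is always false and clang warns otherwise */` above the `if`. The comparison is unchanged in meaning, since `page_size` is widened before the compare either way. msb_init_card() starts and ends outside this hunk.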
@@ -0,0 +1,40 @@ +From 9d7d9b69e65fa66ba995892039c22ca571b32538 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 11 Oct 2021 15:39:12 +0300 +Subject: memstick: jmb38x_ms: use appropriate free function in + jmb38x_ms_alloc_host() + +From: Dan Carpenter + +[ Upstream commit beae4a6258e64af609ad5995cc6b6056eb0d898e ] + +The "msh" pointer is device managed, meaning that memstick_alloc_host() +calls device_initialize() on it. That means that it can't be free +using kfree() but must instead be freed with memstick_free_host(). +Otherwise it leads to a tiny memory leak of device resources. + +Fixes: 60fdd931d577 ("memstick: add support for JMicron jmb38x MemoryStick host controller") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/20211011123912.GD15188@kili +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/jmb38x_ms.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/memstick/host/jmb38x_ms.c b/drivers/memstick/host/jmb38x_ms.c +index 08fa6400d2558..ba6cd576e9979 100644 +--- a/drivers/memstick/host/jmb38x_ms.c ++++ b/drivers/memstick/host/jmb38x_ms.c +@@ -905,7 +905,7 @@ static struct memstick_host *jmb38x_ms_alloc_host(struct jmb38x_ms *jm, int cnt) + + iounmap(host->addr); + err_out_free: +- kfree(msh); ++ memstick_free_host(msh); + return NULL; + } + +-- +2.33.0 + diff --git a/queue-4.4/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch b/queue-4.4/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch new file mode 100644 index 00000000000..d1f7d8105bd --- /dev/null +++ b/queue-4.4/memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch 
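Review bot: `memstick_free_host(msh)` drops the device reference and, via the release callback, frees the `msh` allocation, which presumably also holds the private `host` data that `iounmap(host->addr)` reads on the line above; the ordering is correct as written, but a comment, `/* frees msh (and host embedded in it); nothing may touch host after this */`, would stop the next person from reordering the unwind. The earlier labels of jmb38x_ms_alloc_host() are outside this hunk; if any of them fall through to `err_out_free` after partially initialising `host`, the same rule applies there.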
@@ -0,0 +1,80 @@ +From a1fe8f710e6246b90d5a2a3da03baa0bd46987ba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 11:26:21 +0000 +Subject: memstick: r592: Fix a UAF bug when removing the driver + +From: Zheyu Ma + +[ Upstream commit 738216c1953e802aa9f930c5d15b8f9092c847ff ] + +In r592_remove(), the driver will free dma after freeing the host, which +may cause a UAF bug. + +The following log reveals it: + +[ 45.361796 ] BUG: KASAN: use-after-free in r592_remove+0x269/0x350 [r592] +[ 45.364286 ] Call Trace: +[ 45.364472 ] dump_stack_lvl+0xa8/0xd1 +[ 45.364751 ] print_address_description+0x87/0x3b0 +[ 45.365137 ] kasan_report+0x172/0x1c0 +[ 45.365415 ] ? r592_remove+0x269/0x350 [r592] +[ 45.365834 ] ? r592_remove+0x269/0x350 [r592] +[ 45.366168 ] __asan_report_load8_noabort+0x14/0x20 +[ 45.366531 ] r592_remove+0x269/0x350 [r592] +[ 45.378785 ] +[ 45.378903 ] Allocated by task 4674: +[ 45.379162 ] ____kasan_kmalloc+0xb5/0xe0 +[ 45.379455 ] __kasan_kmalloc+0x9/0x10 +[ 45.379730 ] __kmalloc+0x150/0x280 +[ 45.379984 ] memstick_alloc_host+0x2a/0x190 +[ 45.380664 ] +[ 45.380781 ] Freed by task 5509: +[ 45.381014 ] kasan_set_track+0x3d/0x70 +[ 45.381293 ] kasan_set_free_info+0x23/0x40 +[ 45.381635 ] ____kasan_slab_free+0x10b/0x140 +[ 45.381950 ] __kasan_slab_free+0x11/0x20 +[ 45.382241 ] slab_free_freelist_hook+0x81/0x150 +[ 45.382575 ] kfree+0x13e/0x290 +[ 45.382805 ] memstick_free+0x1c/0x20 +[ 45.383070 ] device_release+0x9c/0x1d0 +[ 45.383349 ] kobject_put+0x2ef/0x4c0 +[ 45.383616 ] put_device+0x1f/0x30 +[ 45.383865 ] memstick_free_host+0x24/0x30 +[ 45.384162 ] r592_remove+0x242/0x350 [r592] +[ 45.384473 ] pci_device_remove+0xa9/0x250 + +Signed-off-by: Zheyu Ma +Link: https://lore.kernel.org/r/1634383581-11055-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/memstick/host/r592.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/memstick/host/r592.c 
b/drivers/memstick/host/r592.c +index b3857445d6736..7779aaa6b9b81 100644 +--- a/drivers/memstick/host/r592.c ++++ b/drivers/memstick/host/r592.c +@@ -842,15 +842,15 @@ static void r592_remove(struct pci_dev *pdev) + } + memstick_remove_host(dev->host); + ++ if (dev->dummy_dma_page) ++ dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page, ++ dev->dummy_dma_page_physical_address); ++ + free_irq(dev->irq, dev); + iounmap(dev->mmio); + pci_release_regions(pdev); + pci_disable_device(pdev); + memstick_free_host(dev->host); +- +- if (dev->dummy_dma_page) +- dma_free_coherent(&pdev->dev, PAGE_SIZE, dev->dummy_dma_page, +- dev->dummy_dma_page_physical_address); + } + + #ifdef CONFIG_PM_SLEEP +-- +2.33.0 + diff --git a/queue-4.4/mips-lantiq-dma-add-small-delay-after-reset.patch b/queue-4.4/mips-lantiq-dma-add-small-delay-after-reset.patch new file mode 100644 index 00000000000..eb56d627ea1 --- /dev/null +++ b/queue-4.4/mips-lantiq-dma-add-small-delay-after-reset.patch 
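Review bot: Moving `dma_free_coherent()` ahead of `free_irq()` releases the dummy DMA page while the interrupt handler is still registered; if the handler or an in-flight transfer can still reference `dev->dummy_dma_page` at that point, this trades the reported use-after-free for a narrower one. The minimal fix for the bug described in the commit message is to keep the free where it was relative to the other teardown steps and only move it above `memstick_free_host(dev->host)`, i.e. directly after `pci_disable_device(pdev);`, so the IRQ is gone and the device disabled before the page disappears. Whether r592_remove() has already quiesced the device earlier (outside this hunk) decides whether the order chosen here is actually safe.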
@@ -0,0 +1,43 @@ +From 04afbac18b4a2f1835793fdd7699fcbf010b2884 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:20:58 +0200 +Subject: MIPS: lantiq: dma: add small delay after reset + +From: Aleksander Jan Bajkowski + +[ Upstream commit c12aa581f6d5e80c3c3675ab26a52c2b3b62f76e ] + +Reading the DMA registers immediately after the reset causes +Data Bus Error. Adding a small delay fixes this issue. + +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/xway/dma.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c +index 34a116e840d8b..932161284213c 100644 +--- a/arch/mips/lantiq/xway/dma.c ++++ b/arch/mips/lantiq/xway/dma.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + + #include +@@ -232,6 +233,8 @@ ltq_dma_init(struct platform_device *pdev) + clk_enable(clk); + ltq_dma_w32_mask(0, DMA_RESET, LTQ_DMA_CTRL); + ++ usleep_range(1, 10); ++ + /* disable all interrupts */ + ltq_dma_w32(0, LTQ_DMA_IRNEN); + +-- +2.33.0 + diff --git a/queue-4.4/mips-lantiq-dma-reset-correct-number-of-channel.patch b/queue-4.4/mips-lantiq-dma-reset-correct-number-of-channel.patch new file mode 100644 index 00000000000..104274c2cd7 --- /dev/null +++ b/queue-4.4/mips-lantiq-dma-reset-correct-number-of-channel.patch 
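Review bot: `usleep_range(1, 10)` asks for a sleep below the range the kernel's timers-howto recommends for hrtimer-based sleeps (roughly 10 µs and up); with default slack it will sleep far longer than 1 µs, which is harmless in probe but is not what the line reads as. Either `udelay(1);` if the hardware really needs only ~1 µs, or an honest `usleep_range(10, 20);`, plus a comment, `/* DMA registers are not readable immediately after reset (Data Bus Error) */`, would make the intent explicit. The header names were stripped from the include hunk above, so double-check the added include is the one providing whichever delay primitive ends up being used; ltq_dma_init() starts and ends outside this hunk.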
@@ -0,0 +1,79 @@ +From b5633dde3d2375633c1c26886d1e5d7291571f9e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 14 Sep 2021 23:20:59 +0200 +Subject: MIPS: lantiq: dma: reset correct number of channel + +From: Aleksander Jan Bajkowski + +[ Upstream commit 5ca9ce2ba4d5884cd94d1a856c675ab1242cd242 ] + +Different SoCs have a different number of channels, e.g .: +* amazon-se has 10 channels, +* danube+ar9 have 20 channels, +* vr9 has 28 channels, +* ar10 has 24 channels. + +We can read the ID register and, depending on the reported +number of channels, reset the appropriate number of channels. + +Signed-off-by: Aleksander Jan Bajkowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + arch/mips/lantiq/xway/dma.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/arch/mips/lantiq/xway/dma.c b/arch/mips/lantiq/xway/dma.c +index 932161284213c..35b7d1a0cad35 100644 +--- a/arch/mips/lantiq/xway/dma.c ++++ b/arch/mips/lantiq/xway/dma.c +@@ -40,6 +40,7 @@ + #define LTQ_DMA_PCTRL 0x44 + #define LTQ_DMA_IRNEN 0xf4 + ++#define DMA_ID_CHNR GENMASK(26, 20) /* channel number */ + #define DMA_DESCPT BIT(3) /* descriptor complete irq */ + #define DMA_TX BIT(8) /* TX channel direction */ + #define DMA_CHAN_ON BIT(0) /* channel on / off bit */ +@@ -50,7 +51,6 @@ + #define DMA_POLL BIT(31) /* turn on channel polling */ + #define DMA_CLK_DIV4 BIT(6) /* polling clock divider */ + #define DMA_2W_BURST BIT(1) /* 2 word burst length */ +-#define DMA_MAX_CHANNEL 20 /* the soc has 20 channels */ + #define DMA_ETOP_ENDIANNESS (0xf << 8) /* endianness swap etop channels */ + #define DMA_WEIGHT (BIT(17) | BIT(16)) /* default channel wheight */ + +@@ -217,7 +217,7 @@ ltq_dma_init(struct platform_device *pdev) + { + struct clk *clk; + struct resource *res; +- unsigned id; ++ unsigned int id, nchannels; + int i; + + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); +@@ -239,17 +239,18 @@ ltq_dma_init(struct platform_device *pdev) + 
ltq_dma_w32(0, LTQ_DMA_IRNEN); + + /* reset/configure each channel */ +- for (i = 0; i < DMA_MAX_CHANNEL; i++) { ++ id = ltq_dma_r32(LTQ_DMA_ID); ++ nchannels = ((id & DMA_ID_CHNR) >> 20); ++ for (i = 0; i < nchannels; i++) { + ltq_dma_w32(i, LTQ_DMA_CS); + ltq_dma_w32(DMA_CHAN_RST, LTQ_DMA_CCTRL); + ltq_dma_w32(DMA_POLL | DMA_CLK_DIV4, LTQ_DMA_CPOLL); + ltq_dma_w32_mask(DMA_CHAN_ON, 0, LTQ_DMA_CCTRL); + } + +- id = ltq_dma_r32(LTQ_DMA_ID); + dev_info(&pdev->dev, + "Init done - hw rev: %X, ports: %d, channels: %d\n", +- id & 0x1f, (id >> 16) & 0xf, id >> 20); ++ id & 0x1f, (id >> 16) & 0xf, nchannels); + + return 0; + } +-- +2.33.0 + diff --git a/queue-4.4/mwifiex-send-delba-requests-according-to-spec.patch b/queue-4.4/mwifiex-send-delba-requests-according-to-spec.patch new file mode 100644 index 00000000000..d61c75aa16d --- /dev/null +++ b/queue-4.4/mwifiex-send-delba-requests-according-to-spec.patch 
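Review bot: `nchannels` is read straight from the hardware ID register and used as the loop bound, and the `>> 20` repeats the shift already implied by `DMA_ID_CHNR`; a named shift (`#define DMA_ID_CHNR_SHIFT 20`) or `FIELD_GET(DMA_ID_CHNR, id)` where the tree provides it avoids the magic number, and a sanity check such as `if (!nchannels) dev_warn(&pdev->dev, "ID register reports no DMA channels\n");` would surface an unexpected ID value instead of silently skipping channel reset. With `DMA_MAX_CHANNEL` removed there is no longer an upper bound, so if anything else in this file (outside this hunk) sizes a table by channel index it should be checked against the counts in the commit message (up to 28). ltq_dma_init() starts outside this hunk.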
@@ -0,0 +1,56 @@ +From dd261f601763cf749b6edb170dc69fc461e79f75 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 17:32:43 +0200 +Subject: mwifiex: Send DELBA requests according to spec +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jonas Dreßler + +[ Upstream commit cc8a8bc37466f79b24d972555237f3d591150602 ] + +While looking at on-air packets using Wireshark, I noticed we're never +setting the initiator bit when sending DELBA requests to the AP: While +we set the bit on our del_ba_param_set bitmask, we forget to actually +copy that bitmask over to the command struct, which means we never +actually set the initiator bit. + +Fix that and copy the bitmask over to the host_cmd_ds_11n_delba command +struct. + +Fixes: 5e6e3a92b9a4 ("wireless: mwifiex: initial commit for Marvell mwifiex driver") +Signed-off-by: Jonas Dreßler +Acked-by: Pali Rohár +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20211016153244.24353-5-verdre@v0yd.nl +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwifiex/11n.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/mwifiex/11n.c b/drivers/net/wireless/mwifiex/11n.c +index c174e79e6df2b..b70eac7d2dd79 100644 +--- a/drivers/net/wireless/mwifiex/11n.c ++++ b/drivers/net/wireless/mwifiex/11n.c +@@ -630,14 +630,15 @@ int mwifiex_send_delba(struct mwifiex_private *priv, int tid, u8 *peer_mac, + uint16_t del_ba_param_set; + + memset(&delba, 0, sizeof(delba)); +- delba.del_ba_param_set = cpu_to_le16(tid << DELBA_TID_POS); + +- del_ba_param_set = le16_to_cpu(delba.del_ba_param_set); ++ del_ba_param_set = tid << DELBA_TID_POS; ++ + if (initiator) + del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK; + else + del_ba_param_set &= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK; + ++ delba.del_ba_param_set = cpu_to_le16(del_ba_param_set); + memcpy(&delba.peer_mac_addr, peer_mac, ETH_ALEN); + + /* We don't wait for the 
response of this command */ +-- +2.33.0 + diff --git a/queue-4.4/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch b/queue-4.4/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch new file mode 100644 index 00000000000..18dd783b59e --- /dev/null +++ b/queue-4.4/mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch 
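Review bot: With `del_ba_param_set` now initialised from `tid << DELBA_TID_POS`, the `else` branch's `&= ~IEEE80211_DELBA_PARAM_INITIATOR_MASK` clears a bit that is never set and can simply be dropped, leaving `if (initiator) del_ba_param_set |= IEEE80211_DELBA_PARAM_INITIATOR_MASK;`. The local is declared `uint16_t` in the context line where kernel code would use `u16`; touching the assignment is a good moment to align that with the file's style. mwifiex_send_delba() starts and ends outside this hunk.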
@@ -0,0 +1,61 @@ +From 3b5b97826ab9b763426557c7a4db4852b5f49bd2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 16 Oct 2021 04:02:59 +0000 +Subject: mwl8k: Fix use-after-free in mwl8k_fw_state_machine() + +From: Zheyu Ma + +[ Upstream commit 257051a235c17e33782b6e24a4b17f2d7915aaec ] + +When the driver fails to request the firmware, it calls its error +handler. In the error handler, the driver detaches device from driver +first before releasing the firmware, which can cause a use-after-free bug. + +Fix this by releasing firmware first. + +The following log reveals it: + +[ 9.007301 ] BUG: KASAN: use-after-free in mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010143 ] Workqueue: events request_firmware_work_func +[ 9.010830 ] Call Trace: +[ 9.010830 ] dump_stack_lvl+0xa8/0xd1 +[ 9.010830 ] print_address_description+0x87/0x3b0 +[ 9.010830 ] kasan_report+0x172/0x1c0 +[ 9.010830 ] ? mutex_unlock+0xd/0x10 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] __asan_report_load8_noabort+0x14/0x20 +[ 9.010830 ] mwl8k_fw_state_machine+0x320/0xba0 +[ 9.010830 ] ? mwl8k_load_firmware+0x5f0/0x5f0 +[ 9.010830 ] request_firmware_work_func+0x172/0x250 +[ 9.010830 ] ? read_lock_is_recursive+0x20/0x20 +[ 9.010830 ] ? process_one_work+0x7a1/0x1100 +[ 9.010830 ] ? request_firmware_nowait+0x460/0x460 +[ 9.010830 ] ? 
__this_cpu_preempt_check+0x13/0x20 +[ 9.010830 ] process_one_work+0x9bb/0x1100 + +Signed-off-by: Zheyu Ma +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1634356979-6211-1-git-send-email-zheyuma97@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/mwl8k.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/mwl8k.c b/drivers/net/wireless/mwl8k.c +index d448480b84063..073968eccbc2b 100644 +--- a/drivers/net/wireless/mwl8k.c ++++ b/drivers/net/wireless/mwl8k.c +@@ -5783,8 +5783,8 @@ static void mwl8k_fw_state_machine(const struct firmware *fw, void *context) + fail: + priv->fw_state = FW_STATE_ERROR; + complete(&priv->firmware_loading_complete); +- device_release_driver(&priv->pdev->dev); + mwl8k_release_firmware(priv); ++ device_release_driver(&priv->pdev->dev); + } + + #define MAX_RESTART_ATTEMPTS 1 +-- +2.33.0 + diff --git a/queue-4.4/net-davinci_emac-fix-interrupt-pacing-disable.patch b/queue-4.4/net-davinci_emac-fix-interrupt-pacing-disable.patch new file mode 100644 index 00000000000..116f22eb3f9 --- /dev/null +++ b/queue-4.4/net-davinci_emac-fix-interrupt-pacing-disable.patch 
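Review bot: The new order is only correct because `device_release_driver()` is now the last statement: per the commit message it ends up in the driver's remove path, which frees `priv`, yet nothing in the code says so and the two lines could easily be swapped back. Add `/* Must be last: this runs remove() and frees priv. */` above the `device_release_driver(&priv->pdev->dev);` call. `priv->fw_state` and the completion are written before both calls, which is the right side of that boundary. mwl8k_fw_state_machine() starts outside this hunk.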
@@ -0,0 +1,59 @@ +From 4a2ffc5c20cadee7ed1334977f46588c68009a30 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 1 Nov 2021 18:23:41 +0300 +Subject: net: davinci_emac: Fix interrupt pacing disable + +From: Maxim Kiselev + +[ Upstream commit d52bcb47bdf971a59a2467975d2405fcfcb2fa19 ] + +This patch allows to use 0 for `coal->rx_coalesce_usecs` param to +disable rx irq coalescing. + +Previously we could enable rx irq coalescing via ethtool +(For ex: `ethtool -C eth0 rx-usecs 2000`) but we couldn't disable +it because this part rejects 0 value: + + if (!coal->rx_coalesce_usecs) + return -EINVAL; + +Fixes: 84da2658a619 ("TI DaVinci EMAC : Implement interrupt pacing functionality.") +Signed-off-by: Maxim Kiselev +Reviewed-by: Grygorii Strashko +Link: https://lore.kernel.org/r/20211101152343.4193233-1-bigunclemax@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/davinci_emac.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index e11f436b0726e..ac61d017a4b51 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -555,8 +555,20 @@ static int emac_set_coalesce(struct net_device *ndev, + u32 int_ctrl, num_interrupts = 0; + u32 prescale = 0, addnl_dvdr = 1, coal_intvl = 0; + +- if (!coal->rx_coalesce_usecs) +- return -EINVAL; ++ if (!coal->rx_coalesce_usecs) { ++ priv->coal_intvl = 0; ++ ++ switch (priv->version) { ++ case EMAC_VERSION_2: ++ emac_ctrl_write(EMAC_DM646X_CMINTCTRL, 0); ++ break; ++ default: ++ emac_ctrl_write(EMAC_CTRL_EWINTTCNT, 0); ++ break; ++ } ++ ++ return 0; ++ } + + coal_intvl = coal->rx_coalesce_usecs; + +-- +2.33.0 + diff --git a/queue-4.4/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch b/queue-4.4/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch new file mode 100644 index 00000000000..f207f917dc9 
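Review bot: The disable path writes a bare 0 to `EMAC_CTRL_EWINTTCNT` (and to `EMAC_DM646X_CMINTCTRL`), whereas if the enable path below this hunk programs those registers with a read-modify-write under a mask, bits outside the pacing field are preserved there but wiped here; if such bits exist the disable should use the same read-modify-write and only clear the pacing field. The `switch (priv->version)` is presumably mirrored by the enable path, so a small `static` helper taking an enable flag would keep both register sequences in one place and stop them drifting apart. emac_set_coalesce() continues outside this hunk, so the enable-side register handling cannot be confirmed from here.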
--- /dev/null +++ b/queue-4.4/net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch 
@@ -0,0 +1,68 @@ +From 980efe8215ba69c8cda8bb5129501e9794d9290b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 06:37:39 -0700 +Subject: net: stream: don't purge sk_error_queue in sk_stream_kill_queues() + +From: Jakub Kicinski + +[ Upstream commit 24bcbe1cc69fa52dc4f7b5b2456678ed464724d8 ] + +sk_stream_kill_queues() can be called on close when there are +still outstanding skbs to transmit. Those skbs may try to queue +notifications to the error queue (e.g. timestamps). +If sk_stream_kill_queues() purges the queue without taking +its lock the queue may get corrupted, and skbs leaked. + +This shows up as a warning about an rmem leak: + +WARNING: CPU: 24 PID: 0 at net/ipv4/af_inet.c:154 inet_sock_destruct+0x... + +The leak is always a multiple of 0x300 bytes (the value is in +%rax on my builds, so RAX: 0000000000000300). 0x300 is truesize of +an empty sk_buff. Indeed if we dump the socket state at the time +of the warning the sk_error_queue is often (but not always) +corrupted. The ->next pointer points back at the list head, +but not the ->prev pointer. Indeed we can find the leaked skb +by scanning the kernel memory for something that looks like +an skb with ->sk = socket in question, and ->truesize = 0x300. +The contents of ->cb[] of the skb confirms the suspicion that +it is indeed a timestamp notification (as generated in +__skb_complete_tx_timestamp()). + +Removing purging of sk_error_queue should be okay, since +inet_sock_destruct() does it again once all socket refs +are gone. Eric suggests this may cause sockets that go +thru disconnect() to maintain notifications from the +previous incarnations of the socket, but that should be +okay since the race was there anyway, and disconnect() +is not exactly dependable. + +Thanks to Jonathan Lemon and Omar Sandoval for help at various +stages of tracing the issue. 
+ +Fixes: cb9eff097831 ("net: new user space API for time stamping of incoming and outgoing packets") +Signed-off-by: Jakub Kicinski +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 3089b014bb538..2c50c71cb806f 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -194,9 +194,6 @@ void sk_stream_kill_queues(struct sock *sk) + /* First the read buffer. */ + __skb_queue_purge(&sk->sk_receive_queue); + +- /* Next, the error queue. */ +- __skb_queue_purge(&sk->sk_error_queue); +- + /* Next, the write queue. */ + WARN_ON(!skb_queue_empty(&sk->sk_write_queue)); + +-- +2.33.0 + diff --git a/queue-4.4/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch b/queue-4.4/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch new file mode 100644 index 00000000000..552f7bfe4f8 --- /dev/null +++ b/queue-4.4/netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch 
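Review bot: With the purge removed, sk_stream_kill_queues() now goes from "First the read buffer" straight to "Next, the write queue" and silently skips sk_error_queue, which reads as an omission to anyone who does not know this commit. Put the reason where the code used to be: `/* sk_error_queue is deliberately not purged here: in-flight skbs may still queue timestamp notifications to it, and inet_sock_destruct() purges it under lock once the last reference is gone. */`. Whether every non-inet caller of this helper in the 4.4 tree has an equivalent purge in its destructor is not visible here and is worth confirming before queuing.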
@@ -0,0 +1,55 @@ +From 390d036c03e13fe5def702b95998b76c5728a0e2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 20 Oct 2021 18:08:10 +0200 +Subject: netfilter: nfnetlink_queue: fix OOB when mac header was cleared + +From: Florian Westphal + +[ Upstream commit 5648b5e1169ff1d6d6a46c35c0b5fbebd2a5cbb2 ] + +On 64bit platforms the MAC header is set to 0xffff on allocation and +also when a helper like skb_unset_mac_header() is called. + +dev_parse_header may call skb_mac_header() which assumes valid mac offset: + + BUG: KASAN: use-after-free in eth_header_parse+0x75/0x90 + Read of size 6 at addr ffff8881075a5c05 by task nf-queue/1364 + Call Trace: + memcpy+0x20/0x60 + eth_header_parse+0x75/0x90 + __nfqnl_enqueue_packet+0x1a61/0x3380 + __nf_queue+0x597/0x1300 + nf_queue+0xf/0x40 + nf_hook_slow+0xed/0x190 + nf_hook+0x184/0x440 + ip_output+0x1c0/0x2a0 + nf_reinject+0x26f/0x700 + nfqnl_recv_verdict+0xa16/0x18b0 + nfnetlink_rcv_msg+0x506/0xe70 + +The existing code only works if the skb has a mac header. + +Fixes: 2c38de4c1f8da7 ("netfilter: fix looped (broad|multi)cast's MAC handling") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Sasha Levin +--- + net/netfilter/nfnetlink_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c +index 54cde78c27183..ebce25080f7ff 100644 +--- a/net/netfilter/nfnetlink_queue.c ++++ b/net/netfilter/nfnetlink_queue.c +@@ -486,7 +486,7 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, + goto nla_put_failure; + + if (indev && entskb->dev && +- entskb->mac_header != entskb->network_header) { ++ skb_mac_header_was_set(entskb)) { + struct nfqnl_msg_packet_hw phw; + int len; + +-- +2.33.0 + diff --git a/queue-4.4/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch b/queue-4.4/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch new file mode 100644 index 00000000000..61a31288ac2 
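Review bot: The replacement guard drops the old `entskb->mac_header != entskb->network_header` test, so an skb whose MAC header is set but empty (mac_header == network_header) now reaches dev_parse_header() where it previously did not; whether any device on this path produces such skbs is not visible here, but keeping both conditions costs nothing and preserves the old behaviour for that case: `if (indev && entskb->dev && skb_mac_header_was_set(entskb) && entskb->mac_header != entskb->network_header) {`. The unset case (0xffff on 64-bit, per the commit message) is what the new check catches, so the combined test still fixes the reported OOB read. nfqnl_build_packet_message() continues outside the hunk.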
--- /dev/null +++ b/queue-4.4/nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch 
@@ -0,0 +1,59 @@ +From f2037bedea0ecf45be9bb9aa9adb2d421b728430 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 5 Nov 2021 06:36:36 -0700 +Subject: nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails + +From: Chengfeng Ye + +[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ] + +skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, +but follow error handler branch when pn533_fill_fragment_skbs() +fails, skb is freed again, results in double free issue. Fix this +by not free skb in error path of pn533_fill_fragment_skbs. + +Fixes: 963a82e07d4e ("NFC: pn533: Split large Tx frames in chunks") +Fixes: 93ad42020c2d ("NFC: pn533: Target mode Tx fragmentation support") +Signed-off-by: Chengfeng Ye +Reviewed-by: Dan Carpenter +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/nfc/pn533.c b/drivers/nfc/pn533.c +index 001c12867e430..9e0d74a08d584 100644 +--- a/drivers/nfc/pn533.c ++++ b/drivers/nfc/pn533.c +@@ -2592,7 +2592,7 @@ static int pn533_fill_fragment_skbs(struct pn533 *dev, struct sk_buff *skb) + frag = pn533_alloc_skb(dev, frag_size); + if (!frag) { + skb_queue_purge(&dev->fragment_skb); +- break; ++ return -ENOMEM; + } + + if (!dev->tgt_mode) { +@@ -2662,7 +2662,7 @@ static int pn533_transceive(struct nfc_dev *nfc_dev, + /* jumbo frame ? */ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + skb = skb_dequeue(&dev->fragment_skb); +@@ -2734,7 +2734,7 @@ static int pn533_tm_send(struct nfc_dev *nfc_dev, struct sk_buff *skb) + /* let's split in multiple chunks if size's too big */ + if (skb->len > PN533_CMD_DATAEXCH_DATA_MAXLEN) { + rc = pn533_fill_fragment_skbs(dev, skb); +- if (rc <= 0) ++ if (rc < 0) + goto error; + + /* get the first skb */ +-- +2.33.0 + 
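Review bot: After this change pn533_fill_fragment_skbs() has asymmetric ownership of `skb`: on -ENOMEM the callers' `goto error` path (outside the hunk) frees it, while on success the function itself consumes it (per the commit message), and nothing at the function says so. Document it above the function, whose start is outside the hunk: `/* On success @skb is consumed and its fragments are queued on dev->fragment_skb; on error @skb is left untouched and the caller must free it. */`. Both callers reassign `skb` from skb_dequeue() right after a successful return, which is consistent with that contract; keep that ordering if the code is touched again.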
diff --git a/queue-4.4/parisc-fix-warning-in-flush_tlb_all.patch b/queue-4.4/parisc-fix-warning-in-flush_tlb_all.patch new file mode 100644 index 00000000000..d1aea9d918a --- /dev/null +++ b/queue-4.4/parisc-fix-warning-in-flush_tlb_all.patch 
@@ -0,0 +1,68 @@ +From 76e8472b745580121f8a3d4ef411243111623445 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 9 Oct 2021 20:24:39 +0200 +Subject: parisc: fix warning in flush_tlb_all + +From: Sven Schnelle + +[ Upstream commit 1030d681319b43869e0d5b568b9d0226652d1a6f ] + +I've got the following splat after enabling preemption: + +[ 3.724721] BUG: using __this_cpu_add() in preemptible [00000000] code: swapper/0/1 +[ 3.734630] caller is __this_cpu_preempt_check+0x38/0x50 +[ 3.740635] CPU: 1 PID: 1 Comm: swapper/0 Not tainted 5.15.0-rc4-64bit+ #324 +[ 3.744605] Hardware name: 9000/785/C8000 +[ 3.744605] Backtrace: +[ 3.744605] [<00000000401d9d58>] show_stack+0x74/0xb0 +[ 3.744605] [<0000000040c27bd4>] dump_stack_lvl+0x10c/0x188 +[ 3.744605] [<0000000040c27c84>] dump_stack+0x34/0x48 +[ 3.744605] [<0000000040c33438>] check_preemption_disabled+0x178/0x1b0 +[ 3.744605] [<0000000040c334f8>] __this_cpu_preempt_check+0x38/0x50 +[ 3.744605] [<00000000401d632c>] flush_tlb_all+0x58/0x2e0 +[ 3.744605] [<00000000401075c0>] 0x401075c0 +[ 3.744605] [<000000004010b8fc>] 0x4010b8fc +[ 3.744605] [<00000000401080fc>] 0x401080fc +[ 3.744605] [<00000000401d5224>] do_one_initcall+0x128/0x378 +[ 3.744605] [<0000000040102de8>] 0x40102de8 +[ 3.744605] [<0000000040c33864>] kernel_init+0x60/0x3a8 +[ 3.744605] [<00000000401d1020>] ret_from_kernel_thread+0x20/0x28 +[ 3.744605] + +Fix this by moving the __inc_irq_stat() into the locked section. 
+ +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/mm/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/mm/init.c b/arch/parisc/mm/init.c +index d72f003106835..ad6545dafe039 100644 +--- a/arch/parisc/mm/init.c ++++ b/arch/parisc/mm/init.c +@@ -940,9 +940,9 @@ void flush_tlb_all(void) + { + int do_recycle; + +- __inc_irq_stat(irq_tlb_count); + do_recycle = 0; + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + if (dirty_space_ids > RECYCLE_THRESHOLD) { + BUG_ON(recycle_inuse); /* FIXME: Use a semaphore/wait queue here */ + get_dirty_sids(&recycle_ndirty,recycle_dirty_array); +@@ -961,8 +961,8 @@ void flush_tlb_all(void) + #else + void flush_tlb_all(void) + { +- __inc_irq_stat(irq_tlb_count); + spin_lock(&sid_lock); ++ __inc_irq_stat(irq_tlb_count); + flush_tlb_all_local(NULL); + recycle_sids(); + spin_unlock(&sid_lock); +-- +2.33.0 + diff --git a/queue-4.4/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch b/queue-4.4/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch new file mode 100644 index 00000000000..a3df907fa0c --- /dev/null +++ b/queue-4.4/parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch 
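Review bot: Moving `__inc_irq_stat(irq_tlb_count)` below `spin_lock(&sid_lock)` relies on spin_lock() disabling preemption, which is exactly the property the splat complains about, but the code gives no hint of that and a later cleanup could hoist the counter back out. Add `/* must run with preemption off; sid_lock provides that */` on the moved line in both flush_tlb_all() variants. Both function bodies continue outside the hunk.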
@@ -0,0 +1,78 @@ +From 469fa33bab4bf1f4682ae5661f4fd42eafbe9992 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Oct 2021 21:49:23 +0200 +Subject: parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling + +From: Sven Schnelle + +[ Upstream commit 66e29fcda1824f0427966fbee2bd2c85bf362c82 ] + +With idle polling, IPIs are not sent when a CPU idle, but queued +and run later from do_idle(). The default kgdb_call_nmi_hook() +implementation gets the pointer to struct pt_regs from get_irq_reqs(), +which doesn't work in that case because it was not called from the +IPI interrupt handler. Fix it by defining our own kgdb_roundup() +function which sents an IPI_ENTER_KGDB. When that IPI is received +on the target CPU kgdb_nmicallback() is called. + +Signed-off-by: Sven Schnelle +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + arch/parisc/kernel/smp.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/arch/parisc/kernel/smp.c b/arch/parisc/kernel/smp.c +index 52e85973a283c..5a2c4771e9d1f 100644 +--- a/arch/parisc/kernel/smp.c ++++ b/arch/parisc/kernel/smp.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -74,7 +75,10 @@ enum ipi_message_type { + IPI_CALL_FUNC, + IPI_CPU_START, + IPI_CPU_STOP, +- IPI_CPU_TEST ++ IPI_CPU_TEST, ++#ifdef CONFIG_KGDB ++ IPI_ENTER_KGDB, ++#endif + }; + + +@@ -170,7 +174,12 @@ ipi_interrupt(int irq, void *dev_id) + case IPI_CPU_TEST: + smp_debug(100, KERN_DEBUG "CPU%d is alive!\n", this_cpu); + break; +- ++#ifdef CONFIG_KGDB ++ case IPI_ENTER_KGDB: ++ smp_debug(100, KERN_DEBUG "CPU%d ENTER_KGDB\n", this_cpu); ++ kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs()); ++ break; ++#endif + default: + printk(KERN_CRIT "Unknown IPI num on CPU%d: %lu\n", + this_cpu, which); +@@ -226,6 +235,12 @@ send_IPI_allbutself(enum ipi_message_type op) + } + } + ++#ifdef CONFIG_KGDB ++void kgdb_roundup_cpus(void) ++{ ++ 
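Review bot: The new IPI_ENTER_KGDB case calls `kgdb_nmicallback(raw_smp_processor_id(), get_irq_regs())` although ipi_interrupt() already has `this_cpu` in scope (it is used by the smp_debug() call on the preceding line); use `kgdb_nmicallback(this_cpu, get_irq_regs());` for consistency with the sibling cases. The added include (its header name is lost in this rendering) is unconditional while every user sits under CONFIG_KGDB, which is harmless but could be placed under the same #ifdef.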
send_IPI_allbutself(IPI_ENTER_KGDB); ++} ++#endif + + inline void + smp_send_stop(void) { send_IPI_allbutself(IPI_CPU_STOP); } +-- +2.33.0 + diff --git a/queue-4.4/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch b/queue-4.4/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch new file mode 100644 index 00000000000..f8dc87bf9a9 --- /dev/null +++ b/queue-4.4/platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch 
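Review bot: This defines `void kgdb_roundup_cpus(void)`, but as far as I recall the 4.4 tree still declares `void kgdb_roundup_cpus(unsigned long flags)` in include/linux/kgdb.h (the parameterless form came with the 5.0 kgdb rework), so with CONFIG_KGDB enabled this would be a conflicting declaration at build time. If parisc in 4.4 does not select HAVE_ARCH_KGDB at all — upstream parisc kgdb support postdates 4.4 — the whole #ifdef CONFIG_KGDB block is dead code and the patch is a no-op for this tree. Either way it does not look like a 4.4 candidate; please verify against the tree before queuing.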
@@ -0,0 +1,50 @@ +From f1860ae86e56d84a2aad1851dd6aaa0bd138e429 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 18 Oct 2021 11:25:37 -0700 +Subject: platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning + +From: Nathan Chancellor + +[ Upstream commit fd96e35ea7b95f1e216277805be89d66e4ae962d ] + +A new warning in clang points out a use of bitwise OR with boolean +expressions in this driver: + +drivers/platform/x86/thinkpad_acpi.c:9061:11: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical] + else if ((strlencmp(cmd, "level disengaged") == 0) | + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + || +drivers/platform/x86/thinkpad_acpi.c:9061:11: note: cast one or both operands to int to silence this warning +1 error generated. + +This should clearly be a logical OR so change it to fix the warning. + +Fixes: fe98a52ce754 ("ACPI: thinkpad-acpi: add sysfs support to fan subdriver") +Link: https://github.com/ClangBuiltLinux/linux/issues/1476 +Reported-by: Tor Vic +Signed-off-by: Nathan Chancellor +Reviewed-by: Nick Desaulniers +Link: https://lore.kernel.org/r/20211018182537.2316800-1-nathan@kernel.org +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/thinkpad_acpi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 20c588af33d88..f3954af14f52f 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -8606,7 +8606,7 @@ static int fan_write_cmd_level(const char *cmd, int *rc) + + if (strlencmp(cmd, "level auto") == 0) + level = TP_EC_FAN_AUTO; +- else if ((strlencmp(cmd, "level disengaged") == 0) | ++ else if ((strlencmp(cmd, "level disengaged") == 0) || + (strlencmp(cmd, "level full-speed") == 0)) + level = TP_EC_FAN_FULLSPEED; + else if (sscanf(cmd, "level %d", &level) != 1) +-- +2.33.0 + 
diff --git a/queue-4.4/platform-x86-wmi-do-not-fail-if-disabling-fails.patch b/queue-4.4/platform-x86-wmi-do-not-fail-if-disabling-fails.patch new file mode 100644 index 00000000000..28fe7160934 --- /dev/null +++ b/queue-4.4/platform-x86-wmi-do-not-fail-if-disabling-fails.patch 
@@ -0,0 +1,52 @@ +From 569563281966873cafa60ceb7aa829c0b039a98b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 4 Sep 2021 17:56:26 +0000 +Subject: platform/x86: wmi: do not fail if disabling fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 1975718c488a39128f1f515b23ae61a5a214cc3d ] + +Previously, `__query_block()` would fail if the +second WCxx method call failed. However, the +WQxx method might have succeeded, and potentially +allocated memory for the result. Instead of +throwing away the result and potentially +leaking memory, ignore the result of +the second WCxx call. + +Signed-off-by: Barnabás Pőcze +Link: https://lore.kernel.org/r/20210904175450.156801-25-pobrn@protonmail.com +Reviewed-by: Hans de Goede +Signed-off-by: Hans de Goede +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index eb391a2818330..fb16c83900a02 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -367,7 +367,14 @@ struct acpi_buffer *out) + * the WQxx method failed - we should disable collection anyway. + */ + if ((block->flags & ACPI_WMI_EXPENSIVE) && ACPI_SUCCESS(wc_status)) { +- status = acpi_execute_simple_method(handle, wc_method, 0); ++ /* ++ * Ignore whether this WCxx call succeeds or not since ++ * the previously executed WQxx method call might have ++ * succeeded, and returning the failing status code ++ * of this call would throw away the result of the WQxx ++ * call, potentially leaking memory. ++ */ ++ acpi_execute_simple_method(handle, wc_method, 0); + } + + return status; +-- +2.33.0 + diff --git a/queue-4.4/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch b/queue-4.4/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch new file mode 100644 index 00000000000..302ee0150a8 --- /dev/null 
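Review bot: The WCxx failure is now dropped on the floor: the `acpi_execute_simple_method()` result is discarded and nothing records that the firmware refused to turn collection off again, which makes a stuck "expensive" block hard to diagnose. Keep the fix (return the WQxx status) but leave a trace: `wc_status = acpi_execute_simple_method(handle, wc_method, 0); if (ACPI_FAILURE(wc_status)) pr_debug("wmi: WCxx disable failed: %s\n", acpi_format_exception(wc_status));` — `wc_status` is already a local, as the surrounding condition shows. __query_block() continues outside the hunk.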
+++ b/queue-4.4/pm-hibernate-get-block-device-exclusively-in-swsusp_.patch 
@@ -0,0 +1,100 @@ +From 9d5477d2b523bc9ab9d7f980fd6a13e9e2af5d62 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Oct 2021 20:19:14 +0800 +Subject: PM: hibernate: Get block device exclusively in swsusp_check() + +From: Ye Bin + +[ Upstream commit 39fbef4b0f77f9c89c8f014749ca533643a37c9f ] + +The following kernel crash can be triggered: + +[ 89.266592] ------------[ cut here ]------------ +[ 89.267427] kernel BUG at fs/buffer.c:3020! +[ 89.268264] invalid opcode: 0000 [#1] SMP KASAN PTI +[ 89.269116] CPU: 7 PID: 1750 Comm: kmmpd-loop0 Not tainted 5.10.0-862.14.0.6.x86_64-08610-gc932cda3cef4-dirty #20 +[ 89.273169] RIP: 0010:submit_bh_wbc.isra.0+0x538/0x6d0 +[ 89.277157] RSP: 0018:ffff888105ddfd08 EFLAGS: 00010246 +[ 89.278093] RAX: 0000000000000005 RBX: ffff888124231498 RCX: ffffffffb2772612 +[ 89.279332] RDX: 1ffff11024846293 RSI: 0000000000000008 RDI: ffff888124231498 +[ 89.280591] RBP: ffff8881248cc000 R08: 0000000000000001 R09: ffffed1024846294 +[ 89.281851] R10: ffff88812423149f R11: ffffed1024846293 R12: 0000000000003800 +[ 89.283095] R13: 0000000000000001 R14: 0000000000000000 R15: ffff8881161f7000 +[ 89.284342] FS: 0000000000000000(0000) GS:ffff88839b5c0000(0000) knlGS:0000000000000000 +[ 89.285711] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 89.286701] CR2: 00007f166ebc01a0 CR3: 0000000435c0e000 CR4: 00000000000006e0 +[ 89.287919] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 89.289138] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +[ 89.290368] Call Trace: +[ 89.290842] write_mmp_block+0x2ca/0x510 +[ 89.292218] kmmpd+0x433/0x9a0 +[ 89.294902] kthread+0x2dd/0x3e0 +[ 89.296268] ret_from_fork+0x22/0x30 +[ 89.296906] Modules linked in: + +by running the following commands: + + 1. mkfs.ext4 -O mmp /dev/sda -b 1024 + 2. mount /dev/sda /home/test + 3. 
echo "/dev/sda" > /sys/power/resume + +That happens because swsusp_check() calls set_blocksize() on the +target partition which confuses the file system: + + Thread1 Thread2 +mount /dev/sda /home/test +get s_mmp_bh --> has mapped flag +start kmmpd thread + echo "/dev/sda" > /sys/power/resume + resume_store + software_resume + swsusp_check + set_blocksize + truncate_inode_pages_range + truncate_cleanup_page + block_invalidatepage + discard_buffer --> clean mapped flag +write_mmp_block + submit_bh + submit_bh_wbc + BUG_ON(!buffer_mapped(bh)) + +To address this issue, modify swsusp_check() to open the target block +device with exclusive access. + +Signed-off-by: Ye Bin +[ rjw: Subject and changelog edits ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/swap.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/swap.c b/kernel/power/swap.c +index 160e1006640d5..a7630e7b22a5d 100644 +--- a/kernel/power/swap.c ++++ b/kernel/power/swap.c +@@ -1519,9 +1519,10 @@ end: + int swsusp_check(void) + { + int error; ++ void *holder; + + hib_resume_bdev = blkdev_get_by_dev(swsusp_resume_device, +- FMODE_READ, NULL); ++ FMODE_READ | FMODE_EXCL, &holder); + if (!IS_ERR(hib_resume_bdev)) { + set_blocksize(hib_resume_bdev, PAGE_SIZE); + clear_page(swsusp_header); +@@ -1541,7 +1542,7 @@ int swsusp_check(void) + + put: + if (error) +- blkdev_put(hib_resume_bdev, FMODE_READ); ++ blkdev_put(hib_resume_bdev, FMODE_READ | FMODE_EXCL); + else + pr_debug("PM: Image signature found, resuming\n"); + } else { +-- +2.33.0 + diff --git a/queue-4.4/power-supply-rt5033_battery-change-voltage-values-to.patch b/queue-4.4/power-supply-rt5033_battery-change-voltage-values-to.patch new file mode 100644 index 00000000000..4e8b646bd5a --- /dev/null +++ b/queue-4.4/power-supply-rt5033_battery-change-voltage-values-to.patch 
@@ -0,0 +1,42 @@ +From f9415a8e86f97fd5a0392eb52c05197ba7143dcb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Oct 2021 10:32:45 +0200 +Subject: =?UTF-8?q?power:=20supply:=20rt5033=5Fbattery:=20Change=20voltage?= + =?UTF-8?q?=20values=20to=20=C2=B5V?= +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jakob Hauser + +[ Upstream commit bf895295e9a73411889816f1a0c1f4f1a2d9c678 ] + +Currently the rt5033_battery driver provides voltage values in mV. It +should be µV as stated in Documentation/power/power_supply_class.rst. + +Fixes: b847dd96e659 ("power: rt5033_battery: Add RT5033 Fuel gauge device driver") +Cc: Beomho Seo +Cc: Chanwoo Choi +Signed-off-by: Jakob Hauser +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/rt5033_battery.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/rt5033_battery.c b/drivers/power/rt5033_battery.c +index bcdd830484929..c9a58ed4dc9f1 100644 +--- a/drivers/power/rt5033_battery.c ++++ b/drivers/power/rt5033_battery.c +@@ -63,7 +63,7 @@ static int rt5033_battery_get_watt_prop(struct i2c_client *client, + regmap_read(battery->regmap, regh, &msb); + regmap_read(battery->regmap, regl, &lsb); + +- ret = ((msb << 4) + (lsb >> 4)) * 1250 / 1000; ++ ret = ((msb << 4) + (lsb >> 4)) * 1250; + + return ret; + } +-- +2.33.0 + diff --git a/queue-4.4/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch b/queue-4.4/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch new file mode 100644 index 00000000000..3c35becfb95 --- /dev/null +++ b/queue-4.4/rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch 
@@ -0,0 +1,42 @@
+From ef692679e9b4223645976bd65aee081a77948b43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 12 Oct 2021 10:28:43 +0300
+Subject: RDMA/mlx4: Return missed an error if device doesn't support steering
+
+From: Leon Romanovsky
+
+[ Upstream commit f4e56ec4452f48b8292dcf0e1c4bdac83506fb8b ]
+
+The error flow fixed in this patch is not possible because all kernel
+users of create QP interface check that device supports steering before
+set IB_QP_CREATE_NETIF_QP flag.
+
+Fixes: c1c98501121e ("IB/mlx4: Add support for steerable IB UD QPs")
+Link: https://lore.kernel.org/r/91c61f6e60eb0240f8bbc321fda7a1d2986dd03c.1634023677.git.leonro@nvidia.com
+Reported-by: Dan Carpenter
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Jason Gunthorpe
+Signed-off-by: Sasha Levin
+---
+ drivers/infiniband/hw/mlx4/qp.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/infiniband/hw/mlx4/qp.c b/drivers/infiniband/hw/mlx4/qp.c
+index ecd461ee6dbe2..a15beb161b64c 100644
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -766,8 +766,10 @@ static int create_qp_common(struct mlx4_ib_dev *dev, struct ib_pd *pd,
+ if (dev->steering_support ==
+ MLX4_STEERING_MODE_DEVICE_MANAGED)
+ qp->flags |= MLX4_IB_QP_NETIF;
+- else
++ else {
++ err = -EINVAL;
+ goto err;
++ }
+ }
+
+ err = set_kernel_sq_size(dev, &init_attr->cap, qp_type, qp);
+--
+2.33.0
+
diff --git a/queue-4.4/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch b/queue-4.4/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch
new file mode 100644
index 00000000000..bceeef90e7d
--- /dev/null
+++ b/queue-4.4/scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch
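Review bot: The new `else` arm is braced while the matching `if` arm (`qp->flags |= MLX4_IB_QP_NETIF;`) is not, which the kernel coding style asks to avoid once either arm needs braces; brace both: `if (dev->steering_support == MLX4_STEERING_MODE_DEVICE_MANAGED) { qp->flags |= MLX4_IB_QP_NETIF; } else { err = -EINVAL; goto err; }`. Since the commit message says this path is unreachable for in-kernel callers, a one-line comment at `err = -EINVAL;` (`/* steering requested but not supported by this device */`) would also save the next reader a trip to the log. create_qp_common() continues outside the hunk.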
@@ -0,0 +1,40 @@
+From 8a4730fdbdb59b44ba7b7601cc643ccfffe02393 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Oct 2021 10:32:43 +0300
+Subject: scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
+
+From: Dan Carpenter
+
+[ Upstream commit f4875d509a0a78ad294a1a538d534b5ba94e685a ]
+
+This variable is just a temporary variable, used to do an endian
+conversion. The problem is that the last byte is not initialized. After
+the conversion is completely done, the last byte is discarded so it doesn't
+cause a problem. But static checkers and the KMSan runtime checker can
+detect the uninitialized read and will complain about it.
+
+Link: https://lore.kernel.org/r/20211006073242.GA8404@kili
+Fixes: 5036f0a0ecd3 ("[SCSI] csiostor: Fix sparse warnings.")
+Signed-off-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/csiostor/csio_lnode.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/csiostor/csio_lnode.c b/drivers/scsi/csiostor/csio_lnode.c
+index 957767d383610..d1df694d9ed00 100644
+--- a/drivers/scsi/csiostor/csio_lnode.c
++++ b/drivers/scsi/csiostor/csio_lnode.c
+@@ -611,7 +611,7 @@ csio_ln_vnp_read_cbfn(struct csio_hw *hw, struct csio_mb *mbp)
+ struct fc_els_csp *csp;
+ struct fc_els_cssp *clsp;
+ enum fw_retval retval;
+- __be32 nport_id;
++ __be32 nport_id = 0;
+
+ retval = FW_CMD_RETVAL_G(ntohl(rsp->alloc_to_len16));
+ if (retval != FW_SUCCESS) {
+--
+2.33.0
+
diff --git a/queue-4.4/scsi-dc395-fix-error-case-unwinding.patch b/queue-4.4/scsi-dc395-fix-error-case-unwinding.patch
new file mode 100644
index 00000000000..b103daf2c3d
--- /dev/null
+++ b/queue-4.4/scsi-dc395-fix-error-case-unwinding.patch
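Review bot: The `= 0` initializer silences the uninitialized read but leaves the reason invisible at the declaration; since, per the commit message, only three bytes of `nport_id` are ever filled before the endian conversion, say so where the variable is declared: `__be32 nport_id = 0; /* only 3 bytes are filled in below; zero the rest */`. csio_ln_vnp_read_cbfn() continues outside the hunk, so the copy this refers to is not visible here and the wording should be checked against it.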
@@ -0,0 +1,43 @@ +From 613bdb71cead0ba9835700507e9d03e085f28c68 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 6 Sep 2021 21:07:02 -0700 +Subject: scsi: dc395: Fix error case unwinding + +From: Tong Zhang + +[ Upstream commit cbd9a3347c757383f3d2b50cf7cfd03eb479c481 ] + +dc395x_init_one()->adapter_init() might fail. In this case, the acb is +already cleaned up by adapter_init(), no need to do that in +adapter_uninit(acb) again. + +[ 1.252251] dc395x: adapter init failed +[ 1.254900] RIP: 0010:adapter_uninit+0x94/0x170 [dc395x] +[ 1.260307] Call Trace: +[ 1.260442] dc395x_init_one.cold+0x72a/0x9bb [dc395x] + +Link: https://lore.kernel.org/r/20210907040702.1846409-1-ztong0001@gmail.com +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Finn Thain +Signed-off-by: Tong Zhang +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/dc395x.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/dc395x.c b/drivers/scsi/dc395x.c +index 830b2d2dcf206..8490d0ff04ca7 100644 +--- a/drivers/scsi/dc395x.c ++++ b/drivers/scsi/dc395x.c +@@ -4809,6 +4809,7 @@ static int dc395x_init_one(struct pci_dev *dev, const struct pci_device_id *id) + /* initialise the adapter and everything we need */ + if (adapter_init(acb, io_port_base, io_port_len, irq)) { + dprintkl(KERN_INFO, "adapter init failed\n"); ++ acb = NULL; + goto fail; + } + +-- +2.33.0 + diff --git a/queue-4.4/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch b/queue-4.4/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch new file mode 100644 index 00000000000..909f3351b07 --- /dev/null +++ b/queue-4.4/scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch 
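Review bot: `acb = NULL;` before `goto fail` encodes an ownership rule — adapter_init() tears down acb itself on failure — that is invisible both at this site and at the fail label, which lies outside the hunk; add `/* adapter_init() already freed acb on failure; don't uninit it again */` above the assignment. It is worth confirming that nothing else reached via the fail label (the scsi host or the I/O region, for instance) still needs `acb`, since the label's body is not visible here.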
@@ -0,0 +1,131 @@ +From f0451b50943fa9edb76b976da156034dd81769f4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Oct 2021 04:54:02 -0700 +Subject: scsi: qla2xxx: Turn off target reset during issue_lip + +From: Quinn Tran + +[ Upstream commit 0b7a9fd934a68ebfc1019811b7bdc1742072ad7b ] + +When user uses issue_lip to do link bounce, driver sends additional target +reset to remote device before resetting the link. The target reset would +affect other paths with active I/Os. This patch will remove the unnecessary +target reset. + +Link: https://lore.kernel.org/r/20211026115412.27691-4-njavali@marvell.com +Fixes: 5854771e314e ("[SCSI] qla2xxx: Add ISPFX00 specific bus reset routine") +Reviewed-by: Himanshu Madhani +Signed-off-by: Quinn Tran +Signed-off-by: Nilesh Javali +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/qla2xxx/qla_gbl.h | 2 -- + drivers/scsi/qla2xxx/qla_mr.c | 23 ----------------------- + drivers/scsi/qla2xxx/qla_os.c | 27 ++------------------------- + 3 files changed, 2 insertions(+), 50 deletions(-) + +diff --git a/drivers/scsi/qla2xxx/qla_gbl.h b/drivers/scsi/qla2xxx/qla_gbl.h +index 7686bfe9a4a9e..fb30329e60f0b 100644 +--- a/drivers/scsi/qla2xxx/qla_gbl.h ++++ b/drivers/scsi/qla2xxx/qla_gbl.h +@@ -112,7 +112,6 @@ extern int ql2xasynctmfenable; + extern int ql2xgffidenable; + extern int ql2xenabledif; + extern int ql2xenablehba_err_chk; +-extern int ql2xtargetreset; + extern int ql2xdontresethba; + extern uint64_t ql2xmaxlun; + extern int ql2xmdcapmask; +@@ -643,7 +642,6 @@ extern void qlafx00_abort_iocb(srb_t *, struct abort_iocb_entry_fx00 *); + extern void qlafx00_fxdisc_iocb(srb_t *, struct fxdisc_entry_fx00 *); + extern void qlafx00_timer_routine(scsi_qla_host_t *); + extern int qlafx00_rescan_isp(scsi_qla_host_t *); +-extern int qlafx00_loop_reset(scsi_qla_host_t *vha); + + /* qla82xx related functions */ + +diff --git a/drivers/scsi/qla2xxx/qla_mr.c b/drivers/scsi/qla2xxx/qla_mr.c +index 
b5029e543b918..4e75179e43687 100644 +--- a/drivers/scsi/qla2xxx/qla_mr.c ++++ b/drivers/scsi/qla2xxx/qla_mr.c +@@ -737,29 +737,6 @@ qlafx00_lun_reset(fc_port_t *fcport, uint64_t l, int tag) + return qla2x00_async_tm_cmd(fcport, TCF_LUN_RESET, l, tag); + } + +-int +-qlafx00_loop_reset(scsi_qla_host_t *vha) +-{ +- int ret; +- struct fc_port *fcport; +- struct qla_hw_data *ha = vha->hw; +- +- if (ql2xtargetreset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x803d, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- return QLA_SUCCESS; +-} +- + int + qlafx00_iospace_config(struct qla_hw_data *ha) + { +diff --git a/drivers/scsi/qla2xxx/qla_os.c b/drivers/scsi/qla2xxx/qla_os.c +index daafb60fa13e6..4fa0cd3c36634 100644 +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -177,12 +177,6 @@ MODULE_PARM_DESC(ql2xdbwr, + " 0 -- Regular doorbell.\n" + " 1 -- CAMRAM doorbell (faster).\n"); + +-int ql2xtargetreset = 1; +-module_param(ql2xtargetreset, int, S_IRUGO); +-MODULE_PARM_DESC(ql2xtargetreset, +- "Enable target reset." 
+- "Default is 1 - use hw defaults."); +- + int ql2xgffidenable; + module_param(ql2xgffidenable, int, S_IRUGO); + MODULE_PARM_DESC(ql2xgffidenable, +@@ -1315,27 +1309,10 @@ int + qla2x00_loop_reset(scsi_qla_host_t *vha) + { + int ret; +- struct fc_port *fcport; + struct qla_hw_data *ha = vha->hw; + +- if (IS_QLAFX00(ha)) { +- return qlafx00_loop_reset(vha); +- } +- +- if (ql2xtargetreset == 1 && ha->flags.enable_target_reset) { +- list_for_each_entry(fcport, &vha->vp_fcports, list) { +- if (fcport->port_type != FCT_TARGET) +- continue; +- +- ret = ha->isp_ops->target_reset(fcport, 0, 0); +- if (ret != QLA_SUCCESS) { +- ql_dbg(ql_dbg_taskm, vha, 0x802c, +- "Bus Reset failed: Reset=%d " +- "d_id=%x.\n", ret, fcport->d_id.b24); +- } +- } +- } +- ++ if (IS_QLAFX00(ha)) ++ return QLA_SUCCESS; + + if (ha->flags.enable_lip_full_login && !IS_CNA_CAPABLE(ha)) { + atomic_set(&vha->loop_state, LOOP_DOWN); +-- +2.33.0 + diff --git a/queue-4.4/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch b/queue-4.4/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch new file mode 100644 index 00000000000..a916a203985 --- /dev/null +++ b/queue-4.4/serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch 
@@ -0,0 +1,40 @@
+From 8385e1940858138a0efa9e6797d58f660eb126bd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Oct 2021 16:45:16 +0300
+Subject: serial: 8250_dw: Drop wrong use of ACPI_PTR()
+
+From: Andy Shevchenko
+
+[ Upstream commit ebabb77a2a115b6c5e68f7364b598310b5f61fb2 ]
+
+ACPI_PTR() is more harmful than helpful. For example, in this case
+if CONFIG_ACPI=n, the ID table left unused which is not what we want.
+
+Instead of adding ifdeffery here and there, drop ACPI_PTR().
+
+Fixes: 6a7320c4669f ("serial: 8250_dw: Add ACPI 5.0 support")
+Reported-by: Daniel Palmer
+Signed-off-by: Andy Shevchenko
+Link: https://lore.kernel.org/r/20211005134516.23218-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_dw.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/serial/8250/8250_dw.c b/drivers/tty/serial/8250/8250_dw.c
+index 039837db65fcc..f3ed1eeaed4e1 100644
+--- a/drivers/tty/serial/8250/8250_dw.c
++++ b/drivers/tty/serial/8250/8250_dw.c
+@@ -607,7 +607,7 @@ static struct platform_driver dw8250_platform_driver = {
+ .name = "dw-apb-uart",
+ .pm = &dw8250_pm_ops,
+ .of_match_table = dw8250_of_match,
+- .acpi_match_table = ACPI_PTR(dw8250_acpi_match),
++ .acpi_match_table = dw8250_acpi_match,
+ },
+ .probe = dw8250_probe,
+ .remove = dw8250_remove,
+--
+2.33.0
+
diff --git a/queue-4.4/series b/queue-4.4/series
index 262f61c374b..1ba27d67b78 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
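Review bot: With ACPI_PTR() gone, `dw8250_acpi_match` is referenced unconditionally, so its definition (outside the hunk) must not sit under `#ifdef CONFIG_ACPI`, or the driver fails to build with CONFIG_ACPI=n — exactly the configuration the commit message is concerned with. Please confirm the 4.4 definition is unconditional; if it is wrapped, drop that #ifdef in the same patch rather than reintroducing ACPI_PTR(). The table itself is not visible here.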
@@ -39,3 +39,70 @@ quota-correct-error-number-in-free_dqentry.patch
 iio-dac-ad5446-fix-ad5622_write-return-value.patch
 usb-serial-keyspan-fix-memleak-on-probe-errors.patch
 usb-iowarrior-fix-control-message-timeouts.patch
+bluetooth-sco-fix-lock_sock-blockage-by-memcpy_from_.patch
+bluetooth-fix-use-after-free-error-in-lock_sock_nest.patch
+platform-x86-wmi-do-not-fail-if-disabling-fails.patch
+mips-lantiq-dma-add-small-delay-after-reset.patch
+mips-lantiq-dma-reset-correct-number-of-channel.patch
+smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch
+x86-increase-exception-stack-sizes.patch
+media-mt9p031-fix-corrupted-frame-after-restarting-s.patch
+media-netup_unidvb-handle-interrupt-properly-accordi.patch
+media-uvcvideo-set-capability-in-s_param.patch
+media-s5p-mfc-fix-possible-null-pointer-dereference-.patch
+media-mceusb-return-without-resubmitting-urb-in-case.patch
+ia64-don-t-do-ia64_cmpxchg_debug-without-config_prin.patch
+acpica-avoid-evaluating-methods-too-early-during-sys.patch
+media-usb-dvd-usb-fix-uninit-value-bug-in-dibusb_rea.patch
+tracefs-have-tracefs-directories-not-set-oth-permiss.patch
+ath-dfs_pattern_detector-fix-possible-null-pointer-d.patch
+acpi-battery-accept-charges-over-the-design-capacity.patch
+memstick-r592-fix-a-uaf-bug-when-removing-the-driver.patch
+lib-xz-avoid-overlapping-memcpy-with-invalid-input-w.patch
+lib-xz-validate-the-value-before-assigning-it-to-an-.patch
+mwl8k-fix-use-after-free-in-mwl8k_fw_state_machine.patch
+pm-hibernate-get-block-device-exclusively-in-swsusp_.patch
+iwlwifi-mvm-disable-rx-diversity-in-powersave.patch
+smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch
+arm-clang-do-not-rely-on-lr-register-for-stacktrace.patch
+arm-9136-1-armv7-m-uses-be-8-not-be-32.patch
+parisc-fix-warning-in-flush_tlb_all.patch
+parisc-kgdb-add-kgdb_roundup-to-make-kgdb-work-with-.patch
+media-dvb-usb-fix-ununit-value-in-az6027_rc_query.patch
+media-si470x-avoid-card-name-truncation.patch
+cpuidle-fix-kobject-memory-leaks-in-error-paths.patch
+ath9k-fix-potential-interrupt-storm-on-queue-reset.patch
+crypto-qat-detect-pfvf-collision-after-ack.patch
+b43legacy-fix-a-lower-bounds-test.patch
+b43-fix-a-lower-bounds-test.patch
+memstick-avoid-out-of-range-warning.patch
+memstick-jmb38x_ms-use-appropriate-free-function-in-.patch
+drm-msm-uninitialized-variable-in-msm_gem_import.patch
+net-stream-don-t-purge-sk_error_queue-in-sk_stream_k.patch
+platform-x86-thinkpad_acpi-fix-bitwise-vs.-logical-w.patch
+mwifiex-send-delba-requests-according-to-spec.patch
+smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
+libertas_tf-fix-possible-memory-leak-in-probe-and-di.patch
+libertas-fix-possible-memory-leak-in-probe-and-disco.patch
+crypto-pcrypt-delay-write-to-padata-info.patch
+arm-s3c-irq-s3c24xx-fix-return-value-check-for-s3c24.patch
+scsi-dc395-fix-error-case-unwinding.patch
+jfs-fix-memleak-in-jfs_mount.patch
+memory-fsl_ifc-fix-leak-of-irq-and-nand_irq-in-fsl_i.patch
+video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
+serial-8250_dw-drop-wrong-use-of-acpi_ptr.patch
+usb-gadget-hid-fix-error-code-in-do_config.patch
+power-supply-rt5033_battery-change-voltage-values-to.patch
+scsi-csiostor-uninitialized-data-in-csio_ln_vnp_read.patch
+rdma-mlx4-return-missed-an-error-if-device-doesn-t-s.patch
+dmaengine-at_xdmac-fix-at_xdmac_cc_perid-macro.patch
+netfilter-nfnetlink_queue-fix-oob-when-mac-header-wa.patch
+m68k-set-a-default-value-for-memory_reserve.patch
+watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
+scsi-qla2xxx-turn-off-target-reset-during-issue_lip.patch
+xen-pciback-fix-return-in-pm_ctrl_init.patch
+net-davinci_emac-fix-interrupt-pacing-disable.patch
+bonding-fix-a-use-after-free-problem-when-bond_sysfs.patch
+llc-fix-out-of-bound-array-index-in-llc_sk_dev_hash.patch
+nfc-pn533-fix-double-free-when-pn533_fill_fragment_s.patch
+vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch
diff --git a/queue-4.4/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch b/queue-4.4/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch
new file mode 100644
index 00000000000..641bf58597b
--- /dev/null
+++ b/queue-4.4/smackfs-fix-use-after-free-in-netlbl_catmap_walk.patch
@@ -0,0 +1,55 @@
+From 47b29781f0e0a7de888a544b1516e1a32f8fdc60 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 28 Aug 2021 23:41:40 -0700
+Subject: smackfs: Fix use-after-free in netlbl_catmap_walk()
+
+From: Pawan Gupta
+
+[ Upstream commit 0817534ff9ea809fac1322c5c8c574be8483ea57 ]
+
+Syzkaller reported use-after-free bug as described in [1]. The bug is
+triggered when smk_set_cipso() tries to free stale category bitmaps
+while there are concurrent reader(s) using the same bitmaps.
+
+Wait for RCU grace period to finish before freeing the category bitmaps
+in smk_set_cipso(). This makes sure that there are no more readers using
+the stale bitmaps and freeing them should be safe.
+
+[1] https://lore.kernel.org/netdev/000000000000a814c505ca657a4e@google.com/
+
+Reported-by: syzbot+3f91de0b813cc3d19a80@syzkaller.appspotmail.com
+Signed-off-by: Pawan Gupta
+Signed-off-by: Casey Schaufler
+Signed-off-by: Sasha Levin
+---
+ security/smack/smackfs.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index df082648eb0aa..845ed464fb8cd 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -859,6 +859,7 @@ static int smk_open_cipso(struct inode *inode, struct file *file)
+ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+ size_t count, loff_t *ppos, int format)
+ {
++ struct netlbl_lsm_catmap *old_cat;
+ struct smack_known *skp;
+ struct netlbl_lsm_secattr ncats;
+ char mapcatset[SMK_CIPSOLEN];
+@@ -952,9 +953,11 @@ static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
+
+ rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
+ if (rc >= 0) {
+- netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
++ old_cat = skp->smk_netlabel.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
+ skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
++ synchronize_rcu();
++ netlbl_catmap_free(old_cat);
+ rc = count;
+
} + +-- +2.33.0 + diff --git a/queue-4.4/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch b/queue-4.4/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch new file mode 100644 index 00000000000..2855ba16cc1 --- /dev/null +++ b/queue-4.4/smackfs-use-__gfp_nofail-for-smk_cipso_doi.patch @@ -0,0 +1,41 @@ +From cc3cc4b0ed8c7439914ae0ce2b16c26f39f4e35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Oct 2021 20:54:31 +0900 +Subject: smackfs: use __GFP_NOFAIL for smk_cipso_doi() + +From: Tetsuo Handa + +[ Upstream commit f91488ee15bd3cac467e2d6a361fc2d34d1052ae ] + +syzbot is reporting kernel panic at smk_cipso_doi() due to memory +allocation fault injection [1]. The reason for need to use panic() was +not explained. But since no fix was proposed for 18 months, for now +let's use __GFP_NOFAIL for utilizing syzbot resource on other bugs. + +Link: https://syzkaller.appspot.com/bug?extid=89731ccb6fec15ce1c22 [1] +Reported-by: syzbot +Signed-off-by: Tetsuo Handa +Signed-off-by: Casey Schaufler +Signed-off-by: Sasha Levin +--- + security/smack/smackfs.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c +index 845ed464fb8cd..40c8b2b8a4722 100644 +--- a/security/smack/smackfs.c ++++ b/security/smack/smackfs.c +@@ -721,9 +721,7 @@ static void smk_cipso_doi(void) + printk(KERN_WARNING "%s:%d remove rc = %d\n", + __func__, __LINE__, rc); + +- doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); +- if (doip == NULL) +- panic("smack: Failed to initialize cipso DOI.\n"); ++ doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL); + doip->map.std = NULL; + doip->doi = smk_cipso_doi_value; + doip->type = CIPSO_V4_MAP_PASS; +-- +2.33.0 + diff --git a/queue-4.4/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch b/queue-4.4/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch new file mode 100644 index 00000000000..d22c2156806 --- /dev/null 
+++ b/queue-4.4/smackfs-use-netlbl_cfg_cipsov4_del-for-deleting-cips.patch
@@ -0,0 +1,41 @@
+From d2c3ffe0397aff14d3fa0c65f6594578f3c114d8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 19 Oct 2021 20:27:26 +0900
+Subject: smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
+
+From: Tetsuo Handa
+
+[ Upstream commit 0934ad42bb2c5df90a1b9de690f93de735b622fe ]
+
+syzbot is reporting UAF at cipso_v4_doi_search() [1], for smk_cipso_doi()
+is calling kfree() without removing from the cipso_v4_doi_list list after
+netlbl_cfg_cipsov4_map_add() returned an error. We need to use
+netlbl_cfg_cipsov4_del() in order to remove from the list and wait for
+RCU grace period before kfree().
+
+Link: https://syzkaller.appspot.com/bug?extid=93dba5b91f0fed312cbd [1]
+Reported-by: syzbot
+Signed-off-by: Tetsuo Handa
+Fixes: 6c2e8ac0953fccdd ("netlabel: Update kernel configuration API")
+Signed-off-by: Casey Schaufler
+Signed-off-by: Sasha Levin
+---
+ security/smack/smackfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index 40c8b2b8a4722..ce30b61c56171 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -740,7 +740,7 @@ static void smk_cipso_doi(void)
+ if (rc != 0) {
+ printk(KERN_WARNING "%s:%d map add rc = %d\n",
+ __func__, __LINE__, rc);
+- kfree(doip);
++ netlbl_cfg_cipsov4_del(doip->doi, &nai);
+ return;
+ }
+ }
+--
+2.33.0
+
diff --git a/queue-4.4/tracefs-have-tracefs-directories-not-set-oth-permiss.patch b/queue-4.4/tracefs-have-tracefs-directories-not-set-oth-permiss.patch
new file mode 100644
index 00000000000..99433e65693
--- /dev/null
+++ b/queue-4.4/tracefs-have-tracefs-directories-not-set-oth-permiss.patch
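Review bot: After `netlbl_cfg_cipsov4_del(doip->doi, &nai);` the DOI object is owned by NetLabel, which unlinks it and frees it after an RCU grace period (that is the whole point of the change), so nothing in this function may touch `doip` afterwards; the immediate `return` keeps that true today, but a comment will stop someone adding a `doip->doi` to the warning below the call: `/* netlabel unlinks and RCU-frees doip; do not touch it after this. */`. Reading `doip->doi` as the argument is fine since it happens before the call. Also note this path now silently leaves Smack with no registered DOI while only logging a warning; the caller is outside this hunk, so check whether anything later assumes the DOI exists. smk_cipso_doi() begins and ends outside the hunk.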
@@ -0,0 +1,47 @@
+From 984565fcf3aa032c2236ec085aeefefab585d973 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 18 Aug 2021 11:24:50 -0400
+Subject: tracefs: Have tracefs directories not set OTH permission bits by
+ default
+
+From: Steven Rostedt (VMware)
+
+[ Upstream commit 49d67e445742bbcb03106b735b2ab39f6e5c56bc ]
+
+The tracefs file system is by default mounted such that only root user can
+access it. But there are legitimate reasons to create a group and allow
+those added to the group to have access to tracing. By changing the
+permissions of the tracefs mount point to allow access, it will allow
+group access to the tracefs directory.
+
+There should not be any real reason to allow all access to the tracefs
+directory as it contains sensitive information. Have the default
+permission of directories being created not have any OTH (other) bits set,
+such that an admin that wants to give permission to a group has to first
+disable all OTH bits in the file system.
+
+Link: https://lkml.kernel.org/r/20210818153038.664127804@goodmis.org
+
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Sasha Levin
+---
+ fs/tracefs/inode.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
+index c66f2423e1f5c..6ccfd47157d37 100644
+--- a/fs/tracefs/inode.c
++++ b/fs/tracefs/inode.c
+@@ -429,7 +429,8 @@ static struct dentry *__create_dir(const char *name, struct dentry *parent,
+ if (unlikely(!inode))
+ return failed_creating(dentry);
+
+- inode->i_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO;
++ /* Do not set bits for OTH */
++ inode->i_mode = S_IFDIR | S_IRWXU | S_IRUSR| S_IRGRP | S_IXUSR | S_IXGRP;
+ inode->i_op = ops;
+ inode->i_fop = &simple_dir_operations;
+
+--
+2.33.0
+
diff --git a/queue-4.4/usb-gadget-hid-fix-error-code-in-do_config.patch b/queue-4.4/usb-gadget-hid-fix-error-code-in-do_config.patch
new file mode 100644
index 00000000000..3c352daca8c
--- /dev/null
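Review bot: The new mode expression repeats bits that `S_IRWXU` already contains (`S_IRUSR` and `S_IXUSR`) and has a missing space in `S_IRUSR|`; the same 0750 mode reads more plainly as `inode->i_mode = S_IFDIR | S_IRWXU | S_IRGRP | S_IXGRP; /* 0750: no OTH bits */`. It is also worth stating in the comment that this only governs directories minted by __create_dir(): the mode of tracefs files comes from their creators and the mount point's mode from the admin, so the group-only access the message describes still depends on those. __create_dir() begins and ends outside the hunk.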
+++ b/queue-4.4/usb-gadget-hid-fix-error-code-in-do_config.patch
@@ -0,0 +1,40 @@
+From 761de57fedcc185398860526abf19e4b892e2529 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 11 Oct 2021 15:37:39 +0300
+Subject: usb: gadget: hid: fix error code in do_config()
+
+From: Dan Carpenter
+
+[ Upstream commit 68e7c510fdf4f6167404609da52e1979165649f6 ]
+
+Return an error code if usb_get_function() fails. Don't return success.
+
+Fixes: 4bc8a33f2407 ("usb: gadget: hid: convert to new interface of f_hid")
+Acked-by: Felipe Balbi
+Signed-off-by: Dan Carpenter
+Link: https://lore.kernel.org/r/20211011123739.GC15188@kili
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/legacy/hid.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c
+index 97329ba5d3820..5cb3359cf126e 100644
+--- a/drivers/usb/gadget/legacy/hid.c
++++ b/drivers/usb/gadget/legacy/hid.c
+@@ -103,8 +103,10 @@ static int do_config(struct usb_configuration *c)
+
+ list_for_each_entry(e, &hidg_func_list, node) {
+ e->f = usb_get_function(e->fi);
+- if (IS_ERR(e->f))
++ if (IS_ERR(e->f)) {
++ status = PTR_ERR(e->f);
+ goto put;
++ }
+ status = usb_add_function(c, e->f);
+ if (status < 0) {
+ usb_put_function(e->f);
+--
+2.33.0
+
diff --git a/queue-4.4/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch b/queue-4.4/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
new file mode 100644
index 00000000000..41e5a407bf2
--- /dev/null
+++ b/queue-4.4/video-fbdev-chipsfb-use-memset_io-instead-of-memset.patch
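Review bot: When `usb_get_function()` fails the list entry keeps the ERR_PTR in `e->f` while control jumps to `put`; that label and any later teardown (unbind) are outside this hunk, so please confirm they stop before the failing entry or test `IS_ERR_OR_NULL(e->f)` before calling `usb_put_function()`, otherwise the error path would put a non-pointer. Clearing it costs one line and makes the state self-describing: `e->f = NULL;` right after `status = PTR_ERR(e->f);`. The fix itself is right — the old code returned whatever `status` happened to hold on that path. do_config() begins and ends outside the hunk.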
@@ -0,0 +1,84 @@
+From 60525d22d8f88f3e4e2a30f41412dbc9650fa403 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Sep 2021 15:34:35 +0200
+Subject: video: fbdev: chipsfb: use memset_io() instead of memset()
+
+From: Christophe Leroy
+
+[ Upstream commit f2719b26ae27282c145202ffd656d5ff1fe737cc ]
+
+While investigating a lockup at startup on Powerbook 3400C, it was
+identified that the fbdev driver generates alignment exception at
+startup:
+
+ --- interrupt: 600 at memset+0x60/0xc0
+ NIP: c0021414 LR: c03fc49c CTR: 00007fff
+ REGS: ca021c10 TRAP: 0600 Tainted: G W (5.14.2-pmac-00727-g12a41fa69492)
+ MSR: 00009032 CR: 44008442 XER: 20000100
+ DAR: cab80020 DSISR: 00017c07
+ GPR00: 00000007 ca021cd0 c14412e0 cab80000 00000000 00100000 cab8001c 00000004
+ GPR08: 00100000 00007fff 00000000 00000000 84008442 00000000 c0006fb4 00000000
+ GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00100000
+ GPR24: 00000000 81800000 00000320 c15fa400 c14d1878 00000000 c14d1800 c094e19c
+ NIP [c0021414] memset+0x60/0xc0
+ LR [c03fc49c] chipsfb_pci_init+0x160/0x580
+ --- interrupt: 600
+ [ca021cd0] [c03fc46c] chipsfb_pci_init+0x130/0x580 (unreliable)
+ [ca021d20] [c03a3a70] pci_device_probe+0xf8/0x1b8
+ [ca021d50] [c043d584] really_probe.part.0+0xac/0x388
+ [ca021d70] [c043d914] __driver_probe_device+0xb4/0x170
+ [ca021d90] [c043da18] driver_probe_device+0x48/0x144
+ [ca021dc0] [c043e318] __driver_attach+0x11c/0x1c4
+ [ca021de0] [c043ad30] bus_for_each_dev+0x88/0xf0
+ [ca021e10] [c043c724] bus_add_driver+0x190/0x22c
+ [ca021e40] [c043ee94] driver_register+0x9c/0x170
+ [ca021e60] [c0006c28] do_one_initcall+0x54/0x1ec
+ [ca021ed0] [c08246e4] kernel_init_freeable+0x1c0/0x270
+ [ca021f10] [c0006fdc] kernel_init+0x28/0x11c
+ [ca021f30] [c0017148] ret_from_kernel_thread+0x14/0x1c
+ Instruction dump:
+ 7d4601a4 39490777 7d4701a4 39490888 7d4801a4 39490999 7d4901a4 39290aaa
+ 7d2a01a4 4c00012c 4bfffe88 0fe00000 <4bfffe80> 9421fff0 38210010 48001970
+
+This is due
to 'dcbz' instruction being used on non-cached memory.
+'dcbz' instruction is used by memset() to zeroize a complete
+cacheline at once, and memset() is not expected to be used on non
+cached memory.
+
+When performing a 'sparse' check on fbdev driver, it also appears
+that the use of memset() is unexpected:
+
+ drivers/video/fbdev/chipsfb.c:334:17: warning: incorrect type in argument 1 (different address spaces)
+ drivers/video/fbdev/chipsfb.c:334:17: expected void *
+ drivers/video/fbdev/chipsfb.c:334:17: got char [noderef] __iomem *screen_base
+ drivers/video/fbdev/chipsfb.c:334:15: warning: memset with byte count of 1048576
+
+Use fb_memset() instead of memset(). fb_memset() is defined as
+memset_io() for powerpc.
+
+Fixes: 8c8709334cec ("[PATCH] ppc32: Remove CONFIG_PMAC_PBOOK")
+Reported-by: Stan Johnson
+Signed-off-by: Christophe Leroy
+Signed-off-by: Michael Ellerman
+Link: https://lore.kernel.org/r/884a54f1e5cb774c1d9b4db780209bee5d4f6718.1631712563.git.christophe.leroy@csgroup.eu
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/chipsfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/chipsfb.c b/drivers/video/fbdev/chipsfb.c
+index 314b7eceb81c5..84a3778552eba 100644
+--- a/drivers/video/fbdev/chipsfb.c
++++ b/drivers/video/fbdev/chipsfb.c
+@@ -332,7 +332,7 @@ static struct fb_var_screeninfo chipsfb_var = {
+
+ static void init_chips(struct fb_info *p, unsigned long addr)
+ {
+- memset(p->screen_base, 0, 0x100000);
++ fb_memset(p->screen_base, 0, 0x100000);
+
+ p->fix = chipsfb_fix;
+ p->fix.smem_start = addr;
+--
+2.33.0
+
diff --git a/queue-4.4/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch b/queue-4.4/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch
new file mode 100644
index 00000000000..1f560805ec2
--- /dev/null
+++ b/queue-4.4/vsock-prevent-unnecessary-refcnt-inc-for-nonblocking.patch
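Review bot: `0x100000` is a bare byte count that has to equal the size mapped into `p->screen_base` (done outside this hunk), and nothing ties the two together; `p->fix` is only assigned on the line after the clear, so `p->fix.smem_len` is not usable here yet and the honest fix is one named constant used at both the mapping and this call, e.g. `#define CHIPSFB_FB_SIZE 0x100000` with `fb_memset(p->screen_base, 0, CHIPSFB_FB_SIZE);`. The switch to fb_memset() itself is right for an `__iomem` mapping and matches the sparse warning quoted in the message; a short comment, `/* screen_base is __iomem: must not use plain memset() (dcbz faults on non-cacheable memory) */`, would keep the next cleanup from reverting it. init_chips() continues past the hunk.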
@@ -0,0 +1,42 @@
+From 2917f4fd06e117d9811717e9192aecb1a1874cac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 9 Nov 2021 00:15:02 +0000
+Subject: vsock: prevent unnecessary refcnt inc for nonblocking connect
+
+From: Eiichi Tsukata
+
+[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ]
+
+Currently vosck_connect() increments sock refcount for nonblocking
+socket each time it's called, which can lead to memory leak if
+it's called multiple times because connect timeout function decrements
+sock refcount only once.
+
+Fixes it by making vsock_connect() return -EALREADY immediately when
+sock state is already SS_CONNECTING.
+
+Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
+Reviewed-by: Stefano Garzarella
+Signed-off-by: Eiichi Tsukata
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/vmw_vsock/af_vsock.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
+index 8f5fec0956bd9..537d57558c216 100644
+--- a/net/vmw_vsock/af_vsock.c
++++ b/net/vmw_vsock/af_vsock.c
+@@ -1152,6 +1152,8 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
+ * non-blocking call.
+ */
+ err = -EALREADY;
++ if (flags & O_NONBLOCK)
++ goto out;
+ break;
+ default:
+ if ((sk->sk_state == VSOCK_SS_LISTEN) ||
+--
+2.33.0
+
diff --git a/queue-4.4/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch b/queue-4.4/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
new file mode 100644
index 00000000000..eb724c0bf1a
--- /dev/null
+++ b/queue-4.4/watchdog-f71808e_wdt-fix-inaccurate-report-in-wdioc_.patch
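Review bot: The two added lines encode a refcount invariant that is not visible in the code itself — a repeated non-blocking connect() must bail out before the `sock_hold()` further down, because the connect timeout work drops exactly one reference — yet they carry no comment; put it on the condition: `/* A non-blocking connect is already in flight; a second call must not take another reference. */`. The bail-out is limited to `O_NONBLOCK`, while a blocking caller in SS_CONNECTING still hits `break` and continues into the wait below; the commit text says "return -EALREADY immediately when sock state is already SS_CONNECTING", so either the message or the condition should be narrowed to match. The switch, the `out:` label and the reference-taking code are all outside this hunk, as is the start and end of vsock_stream_connect().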
@@ -0,0 +1,53 @@
+From 14e023d2984b32c06039a2dd33eed5604d430f7f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 9 Aug 2021 18:20:31 +0200
+Subject: watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
+
+From: Ahmad Fatoum
+
+[ Upstream commit 164483c735190775f29d0dcbac0363adc51a068d ]
+
+The fintek watchdog timer can configure timeouts of second granularity
+only up to 255 seconds. Beyond that, the timeout needs to be configured
+with minute granularity. WDIOC_GETTIMEOUT should report the actual
+timeout configured, not just echo back the timeout configured by the
+user. Do so.
+
+Fixes: 96cb4eb019ce ("watchdog: f71808e_wdt: new watchdog driver for Fintek F71808E and F71882FG")
+Suggested-by: Guenter Roeck
+Reviewed-by: Guenter Roeck
+Signed-off-by: Ahmad Fatoum
+Link: https://lore.kernel.org/r/5e17960fe8cc0e3cb2ba53de4730b75d9a0f33d5.1628525954.git-series.a.fatoum@pengutronix.de
+Signed-off-by: Guenter Roeck
+Signed-off-by: Wim Van Sebroeck
+Signed-off-by: Sasha Levin
+---
+ drivers/watchdog/f71808e_wdt.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/watchdog/f71808e_wdt.c b/drivers/watchdog/f71808e_wdt.c
+index 2b12ef019ae02..96bf71802eff5 100644
+--- a/drivers/watchdog/f71808e_wdt.c
++++ b/drivers/watchdog/f71808e_wdt.c
+@@ -225,15 +225,17 @@ static int watchdog_set_timeout(int timeout)
+
+ mutex_lock(&watchdog.lock);
+
+- watchdog.timeout = timeout;
+ if (timeout > 0xff) {
+ watchdog.timer_val = DIV_ROUND_UP(timeout, 60);
+ watchdog.minutes_mode = true;
++ timeout = watchdog.timer_val * 60;
+ } else {
+ watchdog.timer_val = timeout;
+ watchdog.minutes_mode = false;
+ }
+
++ watchdog.timeout = timeout;
++
+ mutex_unlock(&watchdog.lock);
+
+ return 0;
+--
+2.33.0
+
diff --git a/queue-4.4/x86-increase-exception-stack-sizes.patch b/queue-4.4/x86-increase-exception-stack-sizes.patch
new file mode 100644
index 00000000000..5a7b71fb571
--- /dev/null
+++ b/queue-4.4/x86-increase-exception-stack-sizes.patch
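Review bot: The minute-mode branch now overwrites the caller's `timeout` with the rounded-up value, which is the right thing for WDIOC_GETTIMEOUT but reads like an accident without a line of explanation: `/* Above 255 s the chip counts minutes: report the rounded-up value it will actually use. */`. The same branch computes `watchdog.timer_val = DIV_ROUND_UP(timeout, 60)`, which exceeds the 8-bit register for timeout > 15300 s and would then make the new `timeout = watchdog.timer_val * 60` misreport as well; if the upper bound is enforced by the caller (outside this hunk) the comment should say where, otherwise the check belongs here before `mutex_lock()`. watchdog_set_timeout() begins and ends outside the hunk.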
@@ -0,0 +1,37 @@
+From 52e63e71aaca259fa4b0aa5d605978dd3a305114 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Sep 2021 16:19:46 +0200
+Subject: x86: Increase exception stack sizes
+
+From: Peter Zijlstra
+
+[ Upstream commit 7fae4c24a2b84a66c7be399727aca11e7a888462 ]
+
+It turns out that a single page of stack is trivial to overflow with
+all the tracing gunk enabled. Raise the exception stacks to 2 pages,
+which is still half the interrupt stacks, which are at 4 pages.
+
+Reported-by: Michael Wang
+Signed-off-by: Peter Zijlstra (Intel)
+Link: https://lkml.kernel.org/r/YUIO9Ye98S5Eb68w@hirez.programming.kicks-ass.net
+Signed-off-by: Sasha Levin
+---
+ arch/x86/include/asm/page_64_types.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/include/asm/page_64_types.h b/arch/x86/include/asm/page_64_types.h
+index fb1251946b45e..67a140d77f336 100644
+--- a/arch/x86/include/asm/page_64_types.h
++++ b/arch/x86/include/asm/page_64_types.h
+@@ -15,7 +15,7 @@
+ #define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
+ #define CURRENT_MASK (~(THREAD_SIZE - 1))
+
+-#define EXCEPTION_STACK_ORDER (0 + KASAN_STACK_ORDER)
++#define EXCEPTION_STACK_ORDER (1 + KASAN_STACK_ORDER)
+ #define EXCEPTION_STKSZ (PAGE_SIZE << EXCEPTION_STACK_ORDER)
+
+ #define DEBUG_STACK_ORDER (EXCEPTION_STACK_ORDER + 1)
+--
+2.33.0
+
diff --git a/queue-4.4/xen-pciback-fix-return-in-pm_ctrl_init.patch b/queue-4.4/xen-pciback-fix-return-in-pm_ctrl_init.patch
new file mode 100644
index 00000000000..f4b1514ba21
--- /dev/null
+++ b/queue-4.4/xen-pciback-fix-return-in-pm_ctrl_init.patch
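Review bot: On this branch the bump has a second effect the upstream message does not mention: the context line right below, `#define DEBUG_STACK_ORDER (EXCEPTION_STACK_ORDER + 1)`, means the debug stack doubles as well (to 4 pages, or more with KASAN), and every per-CPU exception-stack area sized from these orders grows with it; the backport note should state that this is intended, or the debug order should be pinned independently if it is not. The reason for the value also belongs next to it so it is not "optimised" back: `/* 1 page overflows with tracing enabled; keep this at half the IRQ stack size */`.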
@@ -0,0 +1,40 @@
+From bafbe2230b30bcf43eeb536cc2ed5c0aac5bd348 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Oct 2021 15:44:17 +0800
+Subject: xen-pciback: Fix return in pm_ctrl_init()
+
+From: YueHaibing
+
+[ Upstream commit 4745ea2628bb43a7ec34b71763b5a56407b33990 ]
+
+Return NULL instead of passing to ERR_PTR while err is zero,
+this fix smatch warnings:
+drivers/xen/xen-pciback/conf_space_capability.c:163
+ pm_ctrl_init() warn: passing zero to 'ERR_PTR'
+
+Fixes: a92336a1176b ("xen/pciback: Drop two backends, squash and cleanup some code.")
+Signed-off-by: YueHaibing
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20211008074417.8260-1-yuehaibing@huawei.com
+Signed-off-by: Boris Ostrovsky
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/xen-pciback/conf_space_capability.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/xen-pciback/conf_space_capability.c b/drivers/xen/xen-pciback/conf_space_capability.c
+index b1a1d7de0894e..daa2e89a50fa3 100644
+--- a/drivers/xen/xen-pciback/conf_space_capability.c
++++ b/drivers/xen/xen-pciback/conf_space_capability.c
+@@ -159,7 +159,7 @@ static void *pm_ctrl_init(struct pci_dev *dev, int offset)
+ }
+
+ out:
+- return ERR_PTR(err);
++ return err ? ERR_PTR(err) : NULL;
+ }
+
+ static const struct config_field caplist_pm[] = {
+--
+2.33.0
+
--
2.47.2