From 46910a82c7e6e5ffceb7e404eaf1f9b0ca25ed40 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sun, 8 Aug 2021 17:30:46 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...o-fix-incorrect-clock-source-setting.patch | 62 +++++ ...ri-imx6ull-limit-sdio-clock-to-25mhz.patch | 39 +++ queue-4.19/arm-imx-add-missing-iounmap.patch | 53 ++++ ...ror-out-if-blk_get_queue-failed-in-i.patch | 47 ++++ ...cleanup-of-resources-in-hci_unregist.patch | 244 ++++++++++++++++++ ...-fix-an-error-code-in-bnx2x_nic_load.patch | 37 +++ ...-post-divisor-setup-for-i2s-sai-plls.patch | 88 +++++++ ...core-dequeue-if-start_streaming-fail.patch | 71 +++++ queue-4.19/mips-fix-non-posix-regexp.patch | 57 ++++ ...fix-use-after-free-in-fec_drv_remove.patch | 50 ++++ ...urned-variable-type-in-ip6_skb_dst_m.patch | 40 +++ ...missing-pci_disable_device-in-probe-.patch | 65 +++++ ...uninit-value-in-get_interrupt_interv.patch | 96 +++++++ ...-after-free-in-vxge_device_unregiste.patch | 53 ++++ ...tool-reporting-of-pauseframe-control.patch | 39 +++ ...on-remove-not-physically-existing-vd.patch | 80 ++++++ ...orrect-event-when-media-event-code-i.patch | 46 ++++ ...tive_key-update-after-sh_keys-is-add.patch | 68 +++++ queue-4.19/series | 18 ++ 19 files changed, 1253 insertions(+) create mode 100644 queue-4.19/alsa-usb-audio-fix-incorrect-clock-source-setting.patch create mode 100644 queue-4.19/arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch create mode 100644 queue-4.19/arm-imx-add-missing-iounmap.patch create mode 100644 queue-4.19/blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch create mode 100644 queue-4.19/bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch create mode 100644 queue-4.19/bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch create mode 100644 queue-4.19/clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch create mode 100644 queue-4.19/media-videobuf2-core-dequeue-if-start_streaming-fail.patch create mode 100644 queue-4.19/mips-fix-non-posix-regexp.patch create mode 100644 queue-4.19/net-fec-fix-use-after-free-in-fec_drv_remove.patch create mode 100644 
queue-4.19/net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch create mode 100644 queue-4.19/net-natsemi-fix-missing-pci_disable_device-in-probe-.patch create mode 100644 queue-4.19/net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch create mode 100644 queue-4.19/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch create mode 100644 queue-4.19/nfp-update-ethtool-reporting-of-pauseframe-control.patch create mode 100644 queue-4.19/omap5-board-common-remove-not-physically-existing-vd.patch create mode 100644 queue-4.19/scsi-sr-return-correct-event-when-media-event-code-i.patch create mode 100644 queue-4.19/sctp-move-the-active_key-update-after-sh_keys-is-add.patch create mode 100644 queue-4.19/series
diff --git a/queue-4.19/alsa-usb-audio-fix-incorrect-clock-source-setting.patch b/queue-4.19/alsa-usb-audio-fix-incorrect-clock-source-setting.patch
new file mode 100644
index 00000000000..627b44b7e41
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-fix-incorrect-clock-source-setting.patch
@@ -0,0 +1,62 @@
+From 5c6d00b706d258d9b8cd0484fc6d30fb4b3fedb6 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 24 Jul 2021 12:23:41 +0800
+Subject: ALSA: usb-audio: fix incorrect clock source setting
+
+From: chihhao.chen
+
+[ Upstream commit 4511781f95da0a3b2bad34f3f5e3967e80cd2d18 ]
+
+The following scenario describes an echo test for
+Samsung USBC Headset (AKG) with VID/PID (0x04e8/0xa051).
+
+We first start a capture stream(USB IN transfer) in 96Khz/24bit/1ch mode.
+In clock find source function, we get value 0x2 for clock selector
+and 0x1 for clock source.
+
+Kernel-4.14 behavior
+Since clock source is valid so clock selector was not set again.
+We pass through this function and start a playback stream(USB OUT transfer)
+in 48Khz/32bit/2ch mode. This time we get value 0x1 for clock selector
+and 0x1 for clock source. Finally clock id with this setting is 0x9.
+
+Kernel-5.10 behavior
+Clock selector was always set one more time even it is valid.
+When we start a playback stream, we will get 0x2 for clock selector
+and 0x1 for clock source. In this case clock id becomes 0xA.
+This is an incorrect clock source setting and results in severe noises.
+We see wrong data rate in USB IN transfer.
+(From 288 bytes/ms becomes 144 bytes/ms) It should keep in 288 bytes/ms.
+
+This earphone works fine on older kernel version load because
+this is a newly-added behavior.
+
+Fixes: d2e8f641257d ("ALSA: usb-audio: Explicitly set up the clock selector")
+Signed-off-by: chihhao.chen
+Link: https://lore.kernel.org/r/1627100621-19225-1-git-send-email-chihhao.chen@mediatek.com
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/clock.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/sound/usb/clock.c b/sound/usb/clock.c
+index 863ac42076e5..d1455fb2c6fc 100644
+--- a/sound/usb/clock.c
++++ b/sound/usb/clock.c
+@@ -296,6 +296,12 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
+ selector->baCSourceID[ret - 1],
+ visited, validate);
+ if (ret > 0) {
++ /*
++ * For Samsung USBC Headset (AKG), setting clock selector again
++ * will result in incorrect default clock setting problems
++ */
++ if (chip->usb_id == USB_ID(0x04e8, 0xa051))
++ return ret;
+ err = uac_clock_selector_set_val(chip, entity_id, cur);
+ if (err < 0)
+ return err;
+--
+2.30.2
+
diff --git a/queue-4.19/arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch b/queue-4.19/arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch
new file mode 100644
index 00000000000..491718899e0
--- /dev/null
+++ b/queue-4.19/arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch
@@ -0,0 +1,39 @@
+From 6f40d83f045e1af50ea90438aa41b62fda69793c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 13 Jul 2021 23:21:07 +0300
+Subject: ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz
+
+From: Oleksandr Suvorov
+
+[ Upstream commit 828db68f4ff1ab6982a36a56522b585160dc8c8e ]
+
+NXP and AzureWave don't recommend using SDIO bus mode 3.3V@50MHz due
+to noise affecting the wireless throughput. Colibri iMX6ULL uses only
+3.3V signaling for Wi-Fi module AW-CM276NF.
+
+Limit the SDIO Clock on Colibri iMX6ULL to 25MHz.
+
+Fixes: c2e4987e0e02 ("ARM: dts: imx6ull: add Toradex Colibri iMX6ULL support")
+Signed-off-by: Oleksandr Suvorov
+Reviewed-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
+index 038d8c90f6df..621396884c31 100644
+--- a/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
++++ b/arch/arm/boot/dts/imx6ull-colibri-wifi.dtsi
+@@ -43,6 +43,7 @@
+ assigned-clock-rates = <0>, <198000000>;
+ cap-power-off-card;
+ keep-power-in-suspend;
++ max-frequency = <25000000>;
+ mmc-pwrseq = <&wifi_pwrseq>;
+ no-1-8-v;
+ non-removable;
+--
+2.30.2
+
diff --git a/queue-4.19/arm-imx-add-missing-iounmap.patch b/queue-4.19/arm-imx-add-missing-iounmap.patch
new file mode 100644
index 00000000000..98761cf6117
--- /dev/null
+++ b/queue-4.19/arm-imx-add-missing-iounmap.patch
@@ -0,0 +1,53 @@
+From be424f62f7207c910cb49369f1b5302af43b71a1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Jun 2021 20:52:38 +0800
+Subject: ARM: imx: add missing iounmap()
+
+From: Yang Yingliang
+
+[ Upstream commit f9613aa07f16d6042e74208d1b40a6104d72964a ]
+
+Commit e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
+introduced imx_mmdc_remove(), the mmdc_base need be unmapped in it if
+config PERF_EVENTS is enabled.
+
+If imx_mmdc_perf_init() fails, the mmdc_base also need be unmapped.
+
+Fixes: e76bdfd7403a ("ARM: imx: Added perf functionality to mmdc driver")
+Reported-by: Hulk Robot
+Signed-off-by: Yang Yingliang
+Reviewed-by: Dong Aisheng
+Signed-off-by: Shawn Guo
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-imx/mmdc.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-imx/mmdc.c b/arch/arm/mach-imx/mmdc.c
+index 04b3bf71de94..1d340fda5e4f 100644
+--- a/arch/arm/mach-imx/mmdc.c
++++ b/arch/arm/mach-imx/mmdc.c
+@@ -472,6 +472,7 @@ static int imx_mmdc_remove(struct platform_device *pdev)
+
+ cpuhp_state_remove_instance_nocalls(cpuhp_mmdc_state, &pmu_mmdc->node);
+ perf_pmu_unregister(&pmu_mmdc->pmu);
++ iounmap(pmu_mmdc->mmdc_base);
+ kfree(pmu_mmdc);
+ return 0;
+ }
+@@ -564,7 +565,11 @@ static int imx_mmdc_probe(struct platform_device *pdev)
+ val &= ~(1 << BP_MMDC_MAPSR_PSD);
+ writel_relaxed(val, reg);
+
+- return imx_mmdc_perf_init(pdev, mmdc_base);
++ err = imx_mmdc_perf_init(pdev, mmdc_base);
++ if (err)
++ iounmap(mmdc_base);
++
++ return err;
+ }
+
+ int imx_mmdc_get_ddr_type(void)
+--
+2.30.2
+
diff --git a/queue-4.19/blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch b/queue-4.19/blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch
new file mode 100644
index 00000000000..b1c2a815034
--- /dev/null
+++ b/queue-4.19/blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch
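Review bot: In the imx_mmdc_probe() hunk of arch/arm/mach-imx/mmdc.c the new lines assign to `err`, but none of the added lines declares it, and the function's locals lie outside the hunk. The diffstat's six insertions are all accounted for by the visible `+` lines, so this backport relies on the 4.19 function already having such a variable. Please confirm that before queueing; if it is missing, the patch needs `int err;` added to the locals of imx_mmdc_probe() or the tree will not build.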
@@ -0,0 +1,47 @@
+From a552e49ba777dd123731f207143a35070914bbdf Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 20:46:45 +0800
+Subject: blk-iolatency: error out if blk_get_queue() failed in
+ iolatency_set_limit()
+
+From: Yu Kuai
+
+[ Upstream commit 8d75d0eff6887bcac7225e12b9c75595e523d92d ]
+
+If queue is dying while iolatency_set_limit() is in progress,
+blk_get_queue() won't increment the refcount of the queue. However,
+blk_put_queue() will still decrement the refcount later, which will
+cause the refcout to be unbalanced.
+
+Thus error out in such case to fix the problem.
+
+Fixes: 8c772a9bfc7c ("blk-iolatency: fix IO hang due to negative inflight counter")
+Signed-off-by: Yu Kuai
+Acked-by: Tejun Heo
+Link: https://lore.kernel.org/r/20210805124645.543797-1-yukuai3@huawei.com
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/blk-iolatency.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/block/blk-iolatency.c b/block/blk-iolatency.c
+index 0529e94a20f7..019cf002ecee 100644
+--- a/block/blk-iolatency.c
++++ b/block/blk-iolatency.c
+@@ -800,7 +800,11 @@ static ssize_t iolatency_set_limit(struct kernfs_open_file *of, char *buf,
+
+ enable = iolatency_set_min_lat_nsec(blkg, lat_val);
+ if (enable) {
+- WARN_ON_ONCE(!blk_get_queue(blkg->q));
++ if (!blk_get_queue(blkg->q)) {
++ ret = -ENODEV;
++ goto out;
++ }
++
+ blkg_get(blkg);
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.19/bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch b/queue-4.19/bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
new file mode 100644
index 00000000000..9645bb5dbfc
--- /dev/null
+++ b/queue-4.19/bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
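Review bot: The new `-ENODEV` exit in iolatency_set_limit() (block/blk-iolatency.c) is taken after `iolatency_set_min_lat_nsec(blkg, lat_val)` has already run, so the group's latency value may have been changed even though the write reports failure. The `out` label and whatever it undoes are outside the hunk, so please confirm that leaving the new value in place while skipping `blkg_get()` cannot leave the group's state inconsistent on a dying queue. If that outcome is intended, a comment above the `goto out;` would record it, for example `/* queue is dying: no queue ref taken, the stored limit is left as is */`.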
@@ -0,0 +1,244 @@
+From eaaec873d8d6bc53873c391db59b0a3c40fad3ad Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 19:26:56 +0900
+Subject: Bluetooth: defer cleanup of resources in hci_unregister_dev()
+
+From: Tetsuo Handa
+
+[ Upstream commit e04480920d1eec9c061841399aa6f35b6f987d8b ]
+
+syzbot is hitting might_sleep() warning at hci_sock_dev_event() due to
+calling lock_sock() with rw spinlock held [1].
+
+It seems that history of this locking problem is a trial and error.
+
+Commit b40df5743ee8 ("[PATCH] bluetooth: fix socket locking in
+hci_sock_dev_event()") in 2.6.21-rc4 changed bh_lock_sock() to
+lock_sock() as an attempt to fix lockdep warning.
+
+Then, commit 4ce61d1c7a8e ("[BLUETOOTH]: Fix locking in
+hci_sock_dev_event().") in 2.6.22-rc2 changed lock_sock() to
+local_bh_disable() + bh_lock_sock_nested() as an attempt to fix the
+sleep in atomic context warning.
+
+Then, commit 4b5dd696f81b ("Bluetooth: Remove local_bh_disable() from
+hci_sock.c") in 3.3-rc1 removed local_bh_disable().
+
+Then, commit e305509e678b ("Bluetooth: use correct lock to prevent UAF
+of hdev object") in 5.13-rc5 again changed bh_lock_sock_nested() to
+lock_sock() as an attempt to fix CVE-2021-3573.
+
+This difficulty comes from current implementation that
+hci_sock_dev_event(HCI_DEV_UNREG) is responsible for dropping all
+references from sockets because hci_unregister_dev() immediately
+reclaims resources as soon as returning from
+hci_sock_dev_event(HCI_DEV_UNREG).
+
+But the history suggests that hci_sock_dev_event(HCI_DEV_UNREG) was not
+doing what it should do.
+
+Therefore, instead of trying to detach sockets from device, let's accept
+not detaching sockets from device at hci_sock_dev_event(HCI_DEV_UNREG),
+by moving actual cleanup of resources from hci_unregister_dev() to
+hci_cleanup_dev() which is called by bt_host_release() when all
+references to this unregistered device (which is a kobject) are gone.
+
+Since hci_sock_dev_event(HCI_DEV_UNREG) no longer resets
+hci_pi(sk)->hdev, we need to check whether this device was unregistered
+and return an error based on HCI_UNREGISTER flag. There might be subtle
+behavioral difference in "monitor the hdev" functionality; please report
+if you found something went wrong due to this patch.
+
+Link: https://syzkaller.appspot.com/bug?extid=a5df189917e79d5e59c9 [1]
+Reported-by: syzbot
+Suggested-by: Linus Torvalds
+Signed-off-by: Tetsuo Handa
+Fixes: e305509e678b ("Bluetooth: use correct lock to prevent UAF of hdev object")
+Acked-by: Luiz Augusto von Dentz
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ include/net/bluetooth/hci_core.h | 1 +
+ net/bluetooth/hci_core.c | 16 +++++------
+ net/bluetooth/hci_sock.c | 49 +++++++++++++++++++++-----------
+ net/bluetooth/hci_sysfs.c | 3 ++
+ 4 files changed, 45 insertions(+), 24 deletions(-)
+
+diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
+index 6a61faf0cc79..75d892dc7796 100644
+--- a/include/net/bluetooth/hci_core.h
++++ b/include/net/bluetooth/hci_core.h
+@@ -1042,6 +1042,7 @@ struct hci_dev *hci_alloc_dev(void);
+ void hci_free_dev(struct hci_dev *hdev);
+ int hci_register_dev(struct hci_dev *hdev);
+ void hci_unregister_dev(struct hci_dev *hdev);
++void hci_cleanup_dev(struct hci_dev *hdev);
+ int hci_suspend_dev(struct hci_dev *hdev);
+ int hci_resume_dev(struct hci_dev *hdev);
+ int hci_reset_dev(struct hci_dev *hdev);
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
+index 219cdbb476fb..7a85f215da45 100644
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -3261,14 +3261,10 @@ EXPORT_SYMBOL(hci_register_dev);
+ /* Unregister HCI device */
+ void hci_unregister_dev(struct hci_dev *hdev)
+ {
+- int id;
+-
+ BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
+
+ hci_dev_set_flag(hdev, HCI_UNREGISTER);
+
+- id = hdev->id;
+-
+ write_lock(&hci_dev_list_lock);
+ list_del(&hdev->list);
+ write_unlock(&hci_dev_list_lock);
+@@ -3297,7 +3293,14 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ }
+
+ device_del(&hdev->dev);
++ /* Actual cleanup is deferred until hci_cleanup_dev(). */
++ hci_dev_put(hdev);
++}
++EXPORT_SYMBOL(hci_unregister_dev);
+
++/* Cleanup HCI device */
++void hci_cleanup_dev(struct hci_dev *hdev)
++{
+ debugfs_remove_recursive(hdev->debugfs);
+ kfree_const(hdev->hw_info);
+ kfree_const(hdev->fw_info);
+@@ -3320,11 +3323,8 @@ void hci_unregister_dev(struct hci_dev *hdev)
+ hci_discovery_filter_clear(hdev);
+ hci_dev_unlock(hdev);
+
+- hci_dev_put(hdev);
+-
+- ida_simple_remove(&hci_index_ida, id);
++ ida_simple_remove(&hci_index_ida, hdev->id);
+ }
+-EXPORT_SYMBOL(hci_unregister_dev);
+
+ /* Suspend HCI device */
+ int hci_suspend_dev(struct hci_dev *hdev)
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
+index 06156de24c50..3ba0c6df73ce 100644
+--- a/net/bluetooth/hci_sock.c
++++ b/net/bluetooth/hci_sock.c
+@@ -59,6 +59,17 @@ struct hci_pinfo {
+ char comm[TASK_COMM_LEN];
+ };
+
++static struct hci_dev *hci_hdev_from_sock(struct sock *sk)
++{
++ struct hci_dev *hdev = hci_pi(sk)->hdev;
++
++ if (!hdev)
++ return ERR_PTR(-EBADFD);
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ return ERR_PTR(-EPIPE);
++ return hdev;
++}
++
+ void hci_sock_set_flag(struct sock *sk, int nr)
+ {
+ set_bit(nr, &hci_pi(sk)->flags);
+@@ -752,19 +763,13 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event)
+ if (event == HCI_DEV_UNREG) {
+ struct sock *sk;
+
+- /* Detach sockets from device */
++ /* Wake up sockets using this dead device */
+ read_lock(&hci_sk_list.lock);
+ sk_for_each(sk, &hci_sk_list.head) {
+- lock_sock(sk);
+ if (hci_pi(sk)->hdev == hdev) {
+- hci_pi(sk)->hdev = NULL;
+ sk->sk_err = EPIPE;
+- sk->sk_state = BT_OPEN;
+ sk->sk_state_change(sk);
+-
+- hci_dev_put(hdev);
+ }
+- release_sock(sk);
+ }
+ read_unlock(&hci_sk_list.lock);
+ }
+@@ -923,10 +928,10 @@ static int hci_sock_blacklist_del(struct hci_dev
*hdev, void __user *arg)
+ static int hci_sock_bound_ioctl(struct sock *sk, unsigned int cmd,
+ unsigned long arg)
+ {
+- struct hci_dev *hdev = hci_pi(sk)->hdev;
++ struct hci_dev *hdev = hci_hdev_from_sock(sk);
+
+- if (!hdev)
+- return -EBADFD;
++ if (IS_ERR(hdev))
++ return PTR_ERR(hdev);
+
+ if (hci_dev_test_flag(hdev, HCI_USER_CHANNEL))
+ return -EBUSY;
+@@ -1080,6 +1085,18 @@ static int hci_sock_bind(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
++ /* Allow detaching from dead device and attaching to alive device, if
++ * the caller wants to re-bind (instead of close) this socket in
++ * response to hci_sock_dev_event(HCI_DEV_UNREG) notification.
++ */
++ hdev = hci_pi(sk)->hdev;
++ if (hdev && hci_dev_test_flag(hdev, HCI_UNREGISTER)) {
++ hci_pi(sk)->hdev = NULL;
++ sk->sk_state = BT_OPEN;
++ hci_dev_put(hdev);
++ }
++ hdev = NULL;
++
+ if (sk->sk_state == BT_BOUND) {
+ err = -EALREADY;
+ goto done;
+@@ -1356,9 +1373,9 @@ static int hci_sock_getname(struct socket *sock, struct sockaddr *addr,
+
+ lock_sock(sk);
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+@@ -1718,9 +1735,9 @@ static int hci_sock_sendmsg(struct socket *sock, struct msghdr *msg,
+ goto done;
+ }
+
+- hdev = hci_pi(sk)->hdev;
+- if (!hdev) {
+- err = -EBADFD;
++ hdev = hci_hdev_from_sock(sk);
++ if (IS_ERR(hdev)) {
++ err = PTR_ERR(hdev);
+ goto done;
+ }
+
+diff --git a/net/bluetooth/hci_sysfs.c b/net/bluetooth/hci_sysfs.c
+index 9874844a95a9..b69d88b88d2e 100644
+--- a/net/bluetooth/hci_sysfs.c
++++ b/net/bluetooth/hci_sysfs.c
+@@ -83,6 +83,9 @@ void hci_conn_del_sysfs(struct hci_conn *conn)
+ static void bt_host_release(struct device *dev)
+ {
+ struct hci_dev *hdev = to_hci_dev(dev);
++
++ if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
++ hci_cleanup_dev(hdev);
+ kfree(hdev);
+ module_put(THIS_MODULE);
+ }
+--
+2.30.2
+
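Review bot: hci_hdev_from_sock() in net/bluetooth/hci_sock.c carries no comment saying what its result guarantees: the HCI_UNREGISTER test is a point-in-time check, and nothing visible in these hunks stops hci_unregister_dev() from setting the flag right after the helper returns. As far as the hunks show, hdev stays valid because the socket keeps its reference until bt_host_release() runs hci_cleanup_dev(), not because of this check. I would document that on the helper, e.g. `/* Returns the bound hdev, or ERR_PTR if unbound or unregistering; the flag test is advisory, the socket's reference is what keeps hdev valid */`. Only hci_sock_bound_ioctl(), hci_sock_bind(), hci_sock_getname() and hci_sock_sendmsg() are converted here, so any other reader of `hci_pi(sk)->hdev` outside these hunks can now see a device with HCI_UNREGISTER set and should be audited in the 4.19 tree.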
diff --git a/queue-4.19/bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch b/queue-4.19/bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch
new file mode 100644
index 00000000000..9ac846bea02
--- /dev/null
+++ b/queue-4.19/bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch
@@ -0,0 +1,37 @@
+From d41ba8acce2580e4bcb426e6cc7dfe25ea1b6345 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 5 Aug 2021 13:38:26 +0300
+Subject: bnx2x: fix an error code in bnx2x_nic_load()
+
+From: Dan Carpenter
+
+[ Upstream commit fb653827c758725b149b5c924a5eb50ab4812750 ]
+
+Set the error code if bnx2x_alloc_fw_stats_mem() fails. The current
+code returns success.
+
+Fixes: ad5afc89365e ("bnx2x: Separate VF and PF logic")
+Signed-off-by: Dan Carpenter
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+index cf01e73d1bcc..2610acf9ac36 100644
+--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c
+@@ -2668,7 +2668,8 @@ int bnx2x_nic_load(struct bnx2x *bp, int load_mode)
+ }
+
+ /* Allocated memory for FW statistics */
+- if (bnx2x_alloc_fw_stats_mem(bp))
++ rc = bnx2x_alloc_fw_stats_mem(bp);
++ if (rc)
+ LOAD_ERROR_EXIT(bp, load_error0);
+
+ /* request pf to initialize status blocks */
+--
+2.30.2
+
diff --git a/queue-4.19/clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch b/queue-4.19/clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch
new file mode 100644
index 00000000000..e5ea61e73ee
--- /dev/null
+++ b/queue-4.19/clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch
@@ -0,0 +1,88 @@
+From 8273e5b308889361d94a93cf0c9fd4d0b29e1930 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 25 Jul 2021 18:07:25 +0200
+Subject: clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
+
+From: Dario Binacchi
+
+[ Upstream commit 24b5b1978cd5a80db58e2a19db2f9c36fe8d4f7a ]
+
+Enabling the framebuffer leads to a system hang. Running, as a debug
+hack, the store_pan() function in drivers/video/fbdev/core/fbsysfs.c
+without taking the console_lock, allows to see the crash backtrace on
+the serial line.
+
+~ # echo 0 0 > /sys/class/graphics/fb0/pan
+
+[ 9.719414] Unhandled exception: IPSR = 00000005 LR = fffffff1
+[ 9.726937] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.733008] Hardware name: STM32 (Device Tree Support)
+[ 9.738296] PC is at clk_gate_is_enabled+0x0/0x28
+[ 9.743426] LR is at stm32f4_pll_div_set_rate+0xf/0x38
+[ 9.748857] pc : [<0011e4be>] lr : [<0011f9e3>] psr: 0100000b
+[ 9.755373] sp : 00bc7be0 ip : 00000000 fp : 001f3ac4
+[ 9.760812] r10: 002610d0 r9 : 01efe920 r8 : 00540560
+[ 9.766269] r7 : 02e7ddb0 r6 : 0173eed8 r5 : 00000000 r4 : 004027c0
+[ 9.773081] r3 : 0011e4bf r2 : 02e7ddb0 r1 : 0173eed8 r0 : 1d3267b8
+[ 9.779911] xPSR: 0100000b
+[ 9.782719] CPU: 0 PID: 49 Comm: sh Not tainted 5.13.0-rc5 #9
+[ 9.788791] Hardware name: STM32 (Device Tree Support)
+[ 9.794120] [<0000afa1>] (unwind_backtrace) from [<0000a33f>] (show_stack+0xb/0xc)
+[ 9.802421] [<0000a33f>] (show_stack) from [<0000a8df>] (__invalid_entry+0x4b/0x4c)
+
+The `pll_num' field in the post_div_data configuration contained a wrong
+value which also referenced an uninitialized hardware clock when
+clk_register_pll_div() was called.
+
+Fixes: 517633ef630e ("clk: stm32f4: Add post divisor for I2S & SAI PLLs")
+Signed-off-by: Dario Binacchi
+Reviewed-by: Gabriel Fernandez
+Link: https://lore.kernel.org/r/20210725160725.10788-1-dariobin@libero.it
+Signed-off-by: Stephen Boyd
+Signed-off-by: Sasha Levin
+---
+ drivers/clk/clk-stm32f4.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/clk/clk-stm32f4.c b/drivers/clk/clk-stm32f4.c
+index 294850bdc195..61de486dec41 100644
+--- a/drivers/clk/clk-stm32f4.c
++++ b/drivers/clk/clk-stm32f4.c
+@@ -454,7 +454,7 @@ struct stm32f4_pll {
+
+ struct stm32f4_pll_post_div_data {
+ int idx;
+- u8 pll_num;
++ int pll_idx;
+ const char *name;
+ const char *parent;
+ u8 flag;
+@@ -485,13 +485,13 @@ static const struct clk_div_table post_divr_table[] = {
+
+ #define MAX_POST_DIV 3
+ static const struct stm32f4_pll_post_div_data post_div_data[MAX_POST_DIV] = {
+- { CLK_I2SQ_PDIV, PLL_I2S, "plli2s-q-div", "plli2s-q",
++ { CLK_I2SQ_PDIV, PLL_VCO_I2S, "plli2s-q-div", "plli2s-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 0, 5, 0, NULL},
+
+- { CLK_SAIQ_PDIV, PLL_SAI, "pllsai-q-div", "pllsai-q",
++ { CLK_SAIQ_PDIV, PLL_VCO_SAI, "pllsai-q-div", "pllsai-q",
+ CLK_SET_RATE_PARENT, STM32F4_RCC_DCKCFGR, 8, 5, 0, NULL },
+
+- { NO_IDX, PLL_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
++ { NO_IDX, PLL_VCO_SAI, "pllsai-r-div", "pllsai-r", CLK_SET_RATE_PARENT,
+ STM32F4_RCC_DCKCFGR, 16, 2, 0, post_divr_table },
+ };
+
+@@ -1499,7 +1499,7 @@ static void __init stm32f4_rcc_init(struct device_node *np)
+ post_div->width,
+ post_div->flag_div,
+ post_div->div_table,
+- clks[post_div->pll_num],
++ clks[post_div->pll_idx],
+ &stm32f4_clk_lock);
+
+ if (post_div->idx != NO_IDX)
+--
+2.30.2
+
diff --git a/queue-4.19/media-videobuf2-core-dequeue-if-start_streaming-fail.patch b/queue-4.19/media-videobuf2-core-dequeue-if-start_streaming-fail.patch
new file mode 100644
index 00000000000..c33d95df5a8
--- /dev/null
+++ b/queue-4.19/media-videobuf2-core-dequeue-if-start_streaming-fail.patch 
@@ -0,0 +1,71 @@
+From ed185dea8d48f642bb4c675d5e04de0861319cd0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 30 Jun 2021 09:58:23 +0200
+Subject: media: videobuf2-core: dequeue if start_streaming fails
+
+From: Hans Verkuil
+
+[ Upstream commit c592b46907adbeb81243f7eb7a468c36692658b8 ]
+
+If a vb2_queue sets q->min_buffers_needed then when the number of
+queued buffers reaches q->min_buffers_needed, vb2_core_qbuf() will call
+the start_streaming() callback. If start_streaming() returns an error,
+then that error was just returned by vb2_core_qbuf(), but the buffer
+was still queued. However, userspace expects that if VIDIOC_QBUF fails,
+the buffer is returned dequeued.
+
+So if start_streaming() fails, then remove the buffer from the queue,
+thus avoiding this unwanted side-effect.
+
+Signed-off-by: Hans Verkuil
+Reviewed-by: Laurent Pinchart
+Tested-by: Kieran Bingham
+Fixes: b3379c6201bb ("[media] vb2: only call start_streaming if sufficient buffers are queued")
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Sasha Levin
+---
+ drivers/media/common/videobuf2/videobuf2-core.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/media/common/videobuf2/videobuf2-core.c b/drivers/media/common/videobuf2/videobuf2-core.c
+index 93d250db0b6f..50015a2ea5ce 100644
+--- a/drivers/media/common/videobuf2/videobuf2-core.c
++++ b/drivers/media/common/videobuf2/videobuf2-core.c
+@@ -1391,6 +1391,7 @@ static int vb2_start_streaming(struct vb2_queue *q)
+ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ {
+ struct vb2_buffer *vb;
++ enum vb2_buffer_state orig_state;
+ int ret;
+
+ if (q->error) {
+@@ -1420,6 +1421,7 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ * Add to the queued buffers list, a buffer will stay on it until
+ * dequeued in dqbuf.
+ */
++ orig_state = vb->state;
+ list_add_tail(&vb->queued_entry, &q->queued_list);
+ q->queued_count++;
+ q->waiting_for_buffers = false;
+@@ -1450,8 +1452,17 @@ int vb2_core_qbuf(struct vb2_queue *q, unsigned int index, void *pb)
+ if (q->streaming && !q->start_streaming_called &&
+ q->queued_count >= q->min_buffers_needed) {
+ ret = vb2_start_streaming(q);
+- if (ret)
++ if (ret) {
++ /*
++ * Since vb2_core_qbuf will return with an error,
++ * we should return it to state DEQUEUED since
++ * the error indicates that the buffer wasn't queued.
++ */
++ list_del(&vb->queued_entry);
++ q->queued_count--;
++ vb->state = orig_state;
+ return ret;
++ }
+ }
+
+ dprintk(2, "qbuf of buffer %d succeeded\n", vb->index);
+--
+2.30.2
+
diff --git a/queue-4.19/mips-fix-non-posix-regexp.patch b/queue-4.19/mips-fix-non-posix-regexp.patch
new file mode 100644
index 00000000000..b6099a5fecc
--- /dev/null
+++ b/queue-4.19/mips-fix-non-posix-regexp.patch
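Review bot: The rollback added to vb2_core_qbuf() in videobuf2-core.c restores `vb->state = orig_state`, while its comment says the buffer goes back to state DEQUEUED; `orig_state` is sampled just before `list_add_tail()`, after whatever the earlier, unseen part of the function did to the buffer, so the two may not agree in the 4.19 tree. The rollback also leaves `q->waiting_for_buffers = false` from the queueing step untouched. I would reword the comment to match the code, e.g. `/* Undo the queueing above so the caller sees the buffer as not queued. */`, and confirm whether `waiting_for_buffers` needs restoring as well. The code between the second and third inner hunks is not shown, so other side effects of the queueing step cannot be checked from here.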
@@ -0,0 +1,57 @@
+From 287f1bd5608fe28aa753147d319f84944e8dcd6f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 8 Jul 2021 10:57:10 +0200
+Subject: mips: Fix non-POSIX regexp
+
+From: H. Nikolaus Schaller
+
+[ Upstream commit 28bbbb9875a35975904e46f9b06fa689d051b290 ]
+
+When cross compiling a MIPS kernel on a BSD based HOSTCC leads
+to errors like
+
+ SYNC include/config/auto.conf.cmd - due to: .config
+egrep: empty (sub)expression
+ UPD include/config/kernel.release
+ HOSTCC scripts/dtc/dtc.o - due to target missing
+
+It turns out that egrep uses this egrep pattern:
+
+ (|MINOR_|PATCHLEVEL_)
+
+This is not valid syntax or gives undefined results according
+to POSIX 9.5.3 ERE Grammar
+
+ https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/V1_chap09.html
+
+It seems to be silently accepted by the Linux egrep implementation
+while a BSD host complains.
+
+Such patterns can be replaced by a transformation like
+
+ "(|p1|p2)" -> "(p1|p2)?"
+
+Fixes: 48c35b2d245f ("[MIPS] There is no __GNUC_MAJOR__")
+Signed-off-by: H. Nikolaus Schaller
+Signed-off-by: Masahiro Yamada
+Signed-off-by: Sasha Levin
+---
+ arch/mips/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/mips/Makefile b/arch/mips/Makefile
+index 63e2ad43bd6a..8f4e169cde11 100644
+--- a/arch/mips/Makefile
++++ b/arch/mips/Makefile
+@@ -325,7 +325,7 @@ KBUILD_LDFLAGS += -m $(ld-emul)
+
+ ifdef CONFIG_MIPS
+ CHECKFLAGS += $(shell $(CC) $(KBUILD_CFLAGS) -dM -E -x c /dev/null | \
+- egrep -vw '__GNUC_(|MINOR_|PATCHLEVEL_)_' | \
++ egrep -vw '__GNUC_(MINOR_|PATCHLEVEL_)?_' | \
+ sed -e "s/^\#define /-D'/" -e "s/ /'='/" -e "s/$$/'/" -e 's/\$$/&&/g')
+ endif
+
+--
+2.30.2
+
diff --git a/queue-4.19/net-fec-fix-use-after-free-in-fec_drv_remove.patch b/queue-4.19/net-fec-fix-use-after-free-in-fec_drv_remove.patch
new file mode 100644
index 00000000000..1dfca41fc23
--- /dev/null
+++ b/queue-4.19/net-fec-fix-use-after-free-in-fec_drv_remove.patch
@@ -0,0 +1,50 @@
+From 23871cdd950b634c5fa87417d5026ab666fad362 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 18:51:51 +0300
+Subject: net: fec: fix use-after-free in fec_drv_remove
+
+From: Pavel Skripkin
+
+[ Upstream commit 44712965bf12ae1758cec4de53816ed4b914ca1a ]
+
+Smatch says:
+ drivers/net/ethernet/freescale/fec_main.c:3994 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+ drivers/net/ethernet/freescale/fec_main.c:3995 fec_drv_remove() error: Using fep after free_{netdev,candev}(ndev);
+
+Since fep pointer is netdev private data, accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Reported-by: Dan Carpenter
+Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
+Signed-off-by: Pavel Skripkin
+Reviewed-by: Joakim Zhang
+Reviewed-by: Jesse Brandeburg
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fec_main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
+index 6b9eada1feb2..3fc823e9cdc9 100644
+--- a/drivers/net/ethernet/freescale/fec_main.c
++++ b/drivers/net/ethernet/freescale/fec_main.c
+@@ -3733,13 +3733,13 @@ fec_drv_remove(struct platform_device *pdev)
+ if (of_phy_is_fixed_link(np))
+ of_phy_deregister_fixed_link(np);
+ of_node_put(fep->phy_node);
+- free_netdev(ndev);
+
+ clk_disable_unprepare(fep->clk_ahb);
+ clk_disable_unprepare(fep->clk_ipg);
+ pm_runtime_put_noidle(&pdev->dev);
+ pm_runtime_disable(&pdev->dev);
+
++ free_netdev(ndev);
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.19/net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch b/queue-4.19/net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch
new file mode 100644
index 00000000000..afe7164f695
--- /dev/null
+++ b/queue-4.19/net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch
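Review bot: fec_drv_remove() in fec_main.c now depends on `free_netdev(ndev)` staying the last call before `return 0;`, because `fep` is the netdev's private data and is still dereferenced by the two `clk_disable_unprepare()` calls, yet nothing in the code records that ordering constraint. A one-line comment above the call would keep a later cleanup from reintroducing the use-after-free: `/* fep is netdev private data: free_netdev() must come after its last use */`. The start of the function is outside the hunk, so earlier uses of `fep` cannot be checked from here.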
@@ -0,0 +1,40 @@
+From 2056759d4bddf0a3e3ca05cf82f92a3717ed2aaa Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Aug 2021 12:00:16 +0200
+Subject: net: ipv6: fix returned variable type in ip6_skb_dst_mtu
+
+From: Antoine Tenart
+
+[ Upstream commit 4039146777a91e1576da2bf38e0d8a1061a1ae47 ]
+
+The patch fixing the returned value of ip6_skb_dst_mtu (int -> unsigned
+int) was rebased between its initial review and the version applied. In
+the meantime fade56410c22 was applied, which added a new variable (int)
+used as the returned value. This lead to a mismatch between the function
+prototype and the variable used as the return value.
+
+Fixes: 40fc3054b458 ("net: ipv6: fix return value of ip6_skb_dst_mtu")
+Cc: Vadim Fedorenko
+Signed-off-by: Antoine Tenart
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ include/net/ip6_route.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h
+index a8f5410ae0d4..f237573a2651 100644
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -243,7 +243,7 @@ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+
+ static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+- int mtu;
++ unsigned int mtu;
+
+ struct ipv6_pinfo *np = skb->sk && !dev_recursion_level() ?
+ inet6_sk(skb->sk) : NULL;
+--
+2.30.2
+
diff --git a/queue-4.19/net-natsemi-fix-missing-pci_disable_device-in-probe-.patch b/queue-4.19/net-natsemi-fix-missing-pci_disable_device-in-probe-.patch
new file mode 100644
index 00000000000..8af1d5e77c2
--- /dev/null
+++ b/queue-4.19/net-natsemi-fix-missing-pci_disable_device-in-probe-.patch
@@ -0,0 +1,65 @@
+From 35cf53b325b9f232f9dbfeee618191bd09227a15 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sat, 31 Jul 2021 14:38:01 +0800
+Subject: net: natsemi: Fix missing pci_disable_device() in probe and remove
+
+From: Wang Hai
+
+[ Upstream commit 7fe74dfd41c428afb24e2e615470832fa997ff14 ]
+
+Replace pci_enable_device() with pcim_enable_device(),
+pci_disable_device() and pci_release_regions() will be
+called in release automatically.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/natsemi/natsemi.c | 8 ++------
+ 1 file changed, 2 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/net/ethernet/natsemi/natsemi.c b/drivers/net/ethernet/natsemi/natsemi.c
+index b9a1a9f999ea..039d5dd98dfe 100644
+--- a/drivers/net/ethernet/natsemi/natsemi.c
++++ b/drivers/net/ethernet/natsemi/natsemi.c
+@@ -819,7 +819,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ printk(version);
+ #endif
+
+- i = pci_enable_device(pdev);
++ i = pcim_enable_device(pdev);
+ if (i) return i;
+
+ /* natsemi has a non-standard PM control register
+@@ -852,7 +852,7 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ ioaddr = ioremap(iostart, iosize);
+ if (!ioaddr) {
+ i = -ENOMEM;
+- goto err_ioremap;
++ goto err_pci_request_regions;
+ }
+
+ /* Work around the dropped serial bit. */
+@@ -974,9 +974,6 @@ static int natsemi_probe1(struct pci_dev *pdev, const struct pci_device_id *ent)
+ err_register_netdev:
+ iounmap(ioaddr);
+
+- err_ioremap:
+- pci_release_regions(pdev);
+-
+ err_pci_request_regions:
+ free_netdev(dev);
+ return i;
+@@ -3242,7 +3239,6 @@ static void natsemi_remove1(struct pci_dev *pdev)
+
+ NATSEMI_REMOVE_FILE(pdev, dspcfg_workaround);
+ unregister_netdev (dev);
+- pci_release_regions (pdev);
+ iounmap(ioaddr);
+ free_netdev (dev);
+ }
+--
+2.30.2
+
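Review bot: After this change the `ioremap()` failure path in natsemi_probe1() jumps to `err_pci_request_regions`, and nothing in the file says that the PCI regions and the device are now released by devres instead of by hand. The label name no longer describes every path that reaches it, and someone reading the error ladder or natsemi_remove1() sees `iounmap()` and `free_netdev()` with no region release and may put one back. I would rename the label to `err_free_netdev` and add `/* device and regions are released by devres, see pcim_enable_device() */` above it. The mapping stays manual (`ioremap()`/`iounmap()`), so managed and unmanaged cleanup are mixed here, which the comment should mention. Only parts of both functions are visible in these hunks.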
diff --git a/queue-4.19/net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch b/queue-4.19/net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch
new file mode 100644
index 00000000000..21df261e7f7
--- /dev/null
+++ b/queue-4.19/net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch
@@ -0,0 +1,96 @@
+From f68c15373f2e4707044b1f4f54c90007cfea4240 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 17:30:05 +0300
+Subject: net: pegasus: fix uninit-value in get_interrupt_interval
+
+From: Pavel Skripkin
+
+[ Upstream commit af35fc37354cda3c9c8cc4961b1d24bdc9d27903 ]
+
+Syzbot reported uninit value pegasus_probe(). The problem was in missing
+error handling.
+
+get_interrupt_interval() internally calls read_eprom_word() which can
+fail in some cases. For example: failed to receive usb control message.
+These cases should be handled to prevent uninit value bug, since
+read_eprom_word() will not initialize passed stack variable in case of
+internal failure.
+
+Fail log:
+
+BUG: KMSAN: uninit-value in get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+BUG: KMSAN: uninit-value in pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+CPU: 1 PID: 825 Comm: kworker/1:1 Not tainted 5.12.0-rc6-syzkaller #0
+...
+Workqueue: usb_hub_wq hub_event
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x24c/0x2e0 lib/dump_stack.c:120
+ kmsan_report+0xfb/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x5c/0xa0 mm/kmsan/kmsan_instr.c:197
+ get_interrupt_interval drivers/net/usb/pegasus.c:746 [inline]
+ pegasus_probe+0x10e7/0x4080 drivers/net/usb/pegasus.c:1152
+....
+
+Local variable ----data.i@pegasus_probe created at:
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+ get_interrupt_interval drivers/net/usb/pegasus.c:1151 [inline]
+ pegasus_probe+0xe57/0x4080 drivers/net/usb/pegasus.c:1152
+
+Reported-and-tested-by: syzbot+02c9f70f3afae308464a@syzkaller.appspotmail.com
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Pavel Skripkin
+Link: https://lore.kernel.org/r/20210804143005.439-1-paskripkin@gmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/pegasus.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index b7a0df95d4b0..9f1777e56d7d 100644
+--- a/drivers/net/usb/pegasus.c
++++ b/drivers/net/usb/pegasus.c
+@@ -750,12 +750,16 @@ static inline void disable_net_traffic(pegasus_t *pegasus)
+ set_registers(pegasus, EthCtrl0, sizeof(tmp), &tmp);
+ }
+
+-static inline void get_interrupt_interval(pegasus_t *pegasus)
++static inline int get_interrupt_interval(pegasus_t *pegasus)
+ {
+ u16 data;
+ u8 interval;
++ int ret;
++
++ ret = read_eprom_word(pegasus, 4, &data);
++ if (ret < 0)
++ return ret;
+
+- read_eprom_word(pegasus, 4, &data);
+ interval = data >> 8;
+ if (pegasus->usb->speed != USB_SPEED_HIGH) {
+ if (interval < 0x80) {
+@@ -770,6 +774,8 @@ static inline void get_interrupt_interval(pegasus_t *pegasus)
+ }
+ }
+ pegasus->intr_interval = interval;
++
++ return 0;
+ }
+
+ static void set_carrier(struct net_device *net)
+@@ -1188,7 +1194,9 @@ static int pegasus_probe(struct usb_interface *intf,
+ | NETIF_MSG_PROBE | NETIF_MSG_LINK);
+
+ pegasus->features = usb_dev_id[dev_index].private;
+- get_interrupt_interval(pegasus);
++ res = get_interrupt_interval(pegasus);
++ if (res)
++ goto out2;
+ if (reset_mac(pegasus)) {
+ dev_err(&intf->dev, "can't reset MAC\n");
+ res = -EIO;
+--
+2.30.2
+
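Review bot: The new failure exit in pegasus_probe() (`if (res) goto out2;`) is silent, unlike the reset_mac() branch directly below it, which logs `can't reset MAC` before bailing out. Unless read_eprom_word() already reports the error (its body is not shown), a probe that fails here leaves no trace of which step failed; I would add `dev_err(&intf->dev, "can't read interrupt interval\n");` before the goto. The helper tests `ret < 0` while the caller treats any non-zero `res` as failure, which holds only as long as get_interrupt_interval() returns 0 or a negative errno, so a one-line comment on the helper stating that contract would help. pegasus_probe() and the middle of get_interrupt_interval() lie outside the hunks shown.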
diff --git a/queue-4.19/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch b/queue-4.19/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch
new file mode 100644
index 00000000000..403ee509806
--- /dev/null
+++ b/queue-4.19/net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch
@@ -0,0 +1,53 @@
+From e5625cde413fb8f9bdec9267020ced66080b9909 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Aug 2021 18:52:20 +0300
+Subject: net: vxge: fix use-after-free in vxge_device_unregister
+
+From: Pavel Skripkin
+
+[ Upstream commit 942e560a3d3862dd5dee1411dbdd7097d29b8416 ]
+
+Smatch says:
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3518 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+drivers/net/ethernet/neterion/vxge/vxge-main.c:3520 vxge_device_unregister() error: Using vdev after free_{netdev,candev}(dev);
+
+Since vdev pointer is netdev private data accessing it after free_netdev()
+call can cause use-after-free bug. Fix it by moving free_netdev() call at
+the end of the function
+
+Fixes: 6cca200362b4 ("vxge: cleanup probe error paths")
+Reported-by: Dan Carpenter
+Signed-off-by: Pavel Skripkin
+Reviewed-by: Jesse Brandeburg
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/neterion/vxge/vxge-main.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+index 5ae3fa82909f..0766288e2f38 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+@@ -3529,13 +3529,13 @@ static void vxge_device_unregister(struct __vxge_hw_device *hldev)
+
+ kfree(vdev->vpaths);
+
+- /* we are safe to free it now */
+- free_netdev(dev);
+-
+ vxge_debug_init(vdev->level_trace, "%s: ethernet device unregistered",
+ buf);
+ vxge_debug_entryexit(vdev->level_trace, "%s: %s:%d Exiting...", buf,
+ __func__, __LINE__);
++
++ /* we are safe to free it now */
++ free_netdev(dev);
+ }
+
+ /*
+--
+2.30.2
+
diff --git a/queue-4.19/nfp-update-ethtool-reporting-of-pauseframe-control.patch b/queue-4.19/nfp-update-ethtool-reporting-of-pauseframe-control.patch
new file mode 100644
index 00000000000..32c64f4d56a
--- /dev/null
+++ b/queue-4.19/nfp-update-ethtool-reporting-of-pauseframe-control.patch
@@ -0,0 +1,39 @@
+From ab82ff8ca9cc4a3283652c737b117d38b191eb4f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 3 Aug 2021 12:39:11 +0200
+Subject: nfp: update ethtool reporting of pauseframe control
+
+From: Fei Qin
+
+[ Upstream commit 9fdc5d85a8fe684cdf24dc31c6bc4a727decfe87 ]
+
+Pauseframe control is set to symmetric mode by default on the NFP.
+Pause frames can not be configured through ethtool now, but ethtool can
+report the supported mode.
+
+Fixes: 265aeb511bd5 ("nfp: add support for .get_link_ksettings()")
+Signed-off-by: Fei Qin
+Signed-off-by: Louis Peens
+Signed-off-by: Simon Horman
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+index 9043d2cadd5d..2e75d0af4a58 100644
+--- a/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
++++ b/drivers/net/ethernet/netronome/nfp/nfp_net_ethtool.c
+@@ -292,6 +292,8 @@ nfp_net_get_link_ksettings(struct net_device *netdev,
+
+ /* Init to unknowns */
+ ethtool_link_ksettings_add_link_mode(cmd, supported, FIBRE);
++ ethtool_link_ksettings_add_link_mode(cmd, supported, Pause);
++ ethtool_link_ksettings_add_link_mode(cmd, advertising, Pause);
+ cmd->base.port = PORT_OTHER;
+ cmd->base.speed = SPEED_UNKNOWN;
+ cmd->base.duplex = DUPLEX_UNKNOWN;
+--
+2.30.2
+
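Review bot: The two added `Pause` link-mode calls in nfp_net_get_link_ksettings() sit under the existing `/* Init to unknowns */` comment, although they report a fixed, known capability rather than an unknown. The commit message explains that pause frames are symmetric by default and cannot be changed through ethtool; that belongs next to the code, for example `/* Pause is symmetric by default and not configurable via ethtool; report it as supported and advertised */` on its own line before the two calls. The function body continues outside the hunk.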
diff --git a/queue-4.19/omap5-board-common-remove-not-physically-existing-vd.patch b/queue-4.19/omap5-board-common-remove-not-physically-existing-vd.patch
new file mode 100644
index 00000000000..0e3263e56b2
--- /dev/null
+++ b/queue-4.19/omap5-board-common-remove-not-physically-existing-vd.patch
@@ -0,0 +1,80 @@
+From b46a4e1f987950c42b69552d9036f50884d2dd17 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 1 Jul 2021 16:00:22 +0200
+Subject: omap5-board-common: remove not physically existing vdds_1v8_main
+ fixed-regulator
+
+From: H. Nikolaus Schaller
+
+[ Upstream commit c68ef4ad180e09805fa46965d15e1dfadf09ffa5 ]
+
+This device tree include file describes a fixed-regulator
+connecting smps7_reg output (1.8V) to some 1.8V rail and
+consumers (vdds_1v8_main).
+
+This regulator does not physically exist.
+
+I assume it was introduced as a wrapper around smps7_reg
+to provide a speaking signal name "vdds_1v8_main" as label.
+
+This fixed-regulator without real function was not an issue
+in driver code until
+
+ Commit 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+
+introduced a new check for regulator initialization which
+makes Palmas regulator registration fail:
+
+[ 5.407712] ldo1: supplied by vsys_cobra
+[ 5.412748] ldo2: supplied by vsys_cobra
+[ 5.417603] palmas-pmic 48070000.i2c:palmas@48:palmas_pmic: failed to register 48070000.i2c:palmas@48:palmas_pmic regulator
+
+The reason is that the supply-chain of regulators is too
+long and goes from ldo3 through the virtual vdds_1v8_main
+regulator and then back to smps7. This adds a cross-dependency
+of probing Palmas regulators and the fixed-regulator which
+leads to probe deferral by the new check and is no longer
+resolved.
+
+Since we do not control what device tree files including this
+one reference (either &vdds_1v8_main or &smps7_reg or both)
+we keep both labels for smps7 for compatibility.
+
+Fixes: 98e48cd9283d ("regulator: core: resolve supply for boot-on/always-on regulators")
+Signed-off-by: H. Nikolaus Schaller
+Signed-off-by: Tony Lindgren
+Signed-off-by: Sasha Levin
+---
+ arch/arm/boot/dts/omap5-board-common.dtsi | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+diff --git a/arch/arm/boot/dts/omap5-board-common.dtsi b/arch/arm/boot/dts/omap5-board-common.dtsi
+index 61a06f6add3c..d1cb9ba080b2 100644
+--- a/arch/arm/boot/dts/omap5-board-common.dtsi
++++ b/arch/arm/boot/dts/omap5-board-common.dtsi
+@@ -33,14 +33,6 @@
+ regulator-max-microvolt = <5000000>;
+ };
+
+- vdds_1v8_main: fixedregulator-vdds_1v8_main {
+- compatible = "regulator-fixed";
+- regulator-name = "vdds_1v8_main";
+- vin-supply = <&smps7_reg>;
+- regulator-min-microvolt = <1800000>;
+- regulator-max-microvolt = <1800000>;
+- };
+-
+ vmmcsd_fixed: fixedregulator-mmcsd {
+ compatible = "regulator-fixed";
+ regulator-name = "vmmcsd_fixed";
+@@ -490,6 +482,7 @@
+ regulator-boot-on;
+ };
+
++ vdds_1v8_main:
+ smps7_reg: smps7 {
+ /* VDDS_1v8_OMAP over VDDS_1v8_MAIN */
+ regulator-name = "smps7";
+--
+2.30.2
+
diff --git a/queue-4.19/scsi-sr-return-correct-event-when-media-event-code-i.patch b/queue-4.19/scsi-sr-return-correct-event-when-media-event-code-i.patch
new file mode 100644
index 00000000000..bd24c2d4286
--- /dev/null
+++ b/queue-4.19/scsi-sr-return-correct-event-when-media-event-code-i.patch
@@ -0,0 +1,46 @@
+From 0a8267a656a38632488a56118cf22b774548e650 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 26 Jul 2021 19:49:13 +0800
+Subject: scsi: sr: Return correct event when media event code is 3
+
+From: Li Manyi
+
+[ Upstream commit 5c04243a56a7977185b00400e59ca7e108004faf ]
+
+Media event code 3 is defined in the MMC-6 spec as follows:
+
+ "MediaRemoval: The media has been removed from the specified slot, and
+ the Drive is unable to access the media without user intervention. This
+ applies to media changers only."
+
+This indicated that treating the condition as an EJECT_REQUEST was
+appropriate. However, doing so had the unfortunate side-effect of causing
+the drive tray to be physically ejected on resume. Instead treat the event
+as a MEDIA_CHANGE request.
+
+Fixes: 7dd753ca59d6 ("scsi: sr: Return appropriate error code when disk is ejected")
+Link: https://bugzilla.kernel.org/show_bug.cgi?id=213759
+Link: https://lore.kernel.org/r/20210726114913.6760-1-limanyi@uniontech.com
+Signed-off-by: Li Manyi
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/sr.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/scsi/sr.c b/drivers/scsi/sr.c
+index acf0c244141f..84dd776d36c3 100644
+--- a/drivers/scsi/sr.c
++++ b/drivers/scsi/sr.c
+@@ -217,7 +217,7 @@ static unsigned int sr_get_events(struct scsi_device *sdev)
+ else if (med->media_event_code == 2)
+ return DISK_EVENT_MEDIA_CHANGE;
+ else if (med->media_event_code == 3)
+- return DISK_EVENT_EJECT_REQUEST;
++ return DISK_EVENT_MEDIA_CHANGE;
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.19/sctp-move-the-active_key-update-after-sh_keys-is-add.patch b/queue-4.19/sctp-move-the-active_key-update-after-sh_keys-is-add.patch
new file mode 100644
index 00000000000..d4eb66a85f7
--- /dev/null
+++ b/queue-4.19/sctp-move-the-active_key-update-after-sh_keys-is-add.patch
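Review bot: In sr_get_events() the branches for media event codes 2 and 3 now return the same value, and nothing in the code explains why MediaRemoval is not reported as an eject request. Without that, the code 3 branch reads like a copy-paste slip and invites a change back to `DISK_EVENT_EJECT_REQUEST`. I would add a comment above the branch such as `/* MediaRemoval: report as media change; EJECT_REQUEST made the tray eject on resume */`, or fold the two tests into `else if (med->media_event_code == 2 || med->media_event_code == 3)` with that comment. The start of the function is outside the hunk.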
@@ -0,0 +1,68 @@
+From 35ef2452ce7e47c4eea2208d2f301f50af81fc9e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 1 Aug 2021 02:25:31 -0400
+Subject: sctp: move the active_key update after sh_keys is added
+
+From: Xin Long
+
+[ Upstream commit ae954bbc451d267f7d60d7b49db811d5a68ebd7b ]
+
+In commit 58acd1009226 ("sctp: update active_key for asoc when old key is
+being replaced"), sctp_auth_asoc_init_active_key() is called to update
+the active_key right after the old key is deleted and before the new key
+is added, and it caused that the active_key could be found with the key_id.
+
+In Ying Xu's testing, the BUG_ON in sctp_auth_asoc_init_active_key() was
+triggered:
+
+ [ ] kernel BUG at net/sctp/auth.c:416!
+ [ ] RIP: 0010:sctp_auth_asoc_init_active_key.part.8+0xe7/0xf0 [sctp]
+ [ ] Call Trace:
+ [ ] sctp_auth_set_key+0x16d/0x1b0 [sctp]
+ [ ] sctp_setsockopt.part.33+0x1ba9/0x2bd0 [sctp]
+ [ ] __sys_setsockopt+0xd6/0x1d0
+ [ ] __x64_sys_setsockopt+0x20/0x30
+ [ ] do_syscall_64+0x5b/0x1a0
+
+So fix it by moving the active_key update after sh_keys is added.
+
+Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
+Reported-by: Ying Xu
+Signed-off-by: Xin Long
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/sctp/auth.c | 14 +++++++++-----
+ 1 file changed, 9 insertions(+), 5 deletions(-)
+
+diff --git a/net/sctp/auth.c b/net/sctp/auth.c
+index b2ca66c4a21d..9e0c98df20da 100644
+--- a/net/sctp/auth.c
++++ b/net/sctp/auth.c
+@@ -880,14 +880,18 @@ int sctp_auth_set_key(struct sctp_endpoint *ep,
+ memcpy(key->data, &auth_key->sca_key[0], auth_key->sca_keylength);
+ cur_key->key = key;
+
+- if (replace) {
+- list_del_init(&shkey->key_list);
+- sctp_auth_shkey_release(shkey);
+- if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
+- sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++ if (!replace) {
++ list_add(&cur_key->key_list, sh_keys);
++ return 0;
+ }
++
++ list_del_init(&shkey->key_list);
++ sctp_auth_shkey_release(shkey);
+ list_add(&cur_key->key_list, sh_keys);
+
++ if (asoc && asoc->active_key_id == auth_key->sca_keynumber)
++ sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);
++
+ return 0;
+ }
+
+--
+2.30.2
+
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..6883744181e
--- /dev/null
+++ b/queue-4.19/series
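Review bot: The result of `sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL)` is discarded at the end of sctp_auth_set_key(), so the function returns 0 even when the association's active key was not rebuilt. The GFP_KERNEL argument suggests the call allocates and can fail (its definition is not in the hunk, so confirm the return type); by that point the old shkey has already been unlinked and released, leaving nothing to fall back to. I would keep the old key until the re-initialisation has succeeded, restore it on failure and return the error, as sketched below. The sketch assumes that releasing `cur_key` also drops the key material attached to it a few lines earlier; the first part of the function, where `cur_key`, `shkey` and `key` are set up, is outside the hunk.

```c
	/* … unchanged: key allocation and memcpy into cur_key … */
	if (!replace) {
		list_add(&cur_key->key_list, sh_keys);
		return 0;
	}

	list_del_init(&shkey->key_list);
	list_add(&cur_key->key_list, sh_keys);

	if (asoc && asoc->active_key_id == auth_key->sca_keynumber) {
		int err = sctp_auth_asoc_init_active_key(asoc, GFP_KERNEL);

		if (err) {
			/* put the old key back so the association keeps a usable key */
			list_del_init(&cur_key->key_list);
			sctp_auth_shkey_release(cur_key);
			list_add(&shkey->key_list, sh_keys);
			return err;
		}
	}

	/* the old key is dropped only once the new one is in use */
	sctp_auth_shkey_release(shkey);
	return 0;
```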
@@ -0,0 +1,18 @@
+arm-imx-add-missing-iounmap.patch
+arm-dts-colibri-imx6ull-limit-sdio-clock-to-25mhz.patch
+alsa-usb-audio-fix-incorrect-clock-source-setting.patch
+clk-stm32f4-fix-post-divisor-setup-for-i2s-sai-plls.patch
+omap5-board-common-remove-not-physically-existing-vd.patch
+scsi-sr-return-correct-event-when-media-event-code-i.patch
+media-videobuf2-core-dequeue-if-start_streaming-fail.patch
+net-natsemi-fix-missing-pci_disable_device-in-probe-.patch
+sctp-move-the-active_key-update-after-sh_keys-is-add.patch
+nfp-update-ethtool-reporting-of-pauseframe-control.patch
+net-ipv6-fix-returned-variable-type-in-ip6_skb_dst_m.patch
+mips-fix-non-posix-regexp.patch
+bnx2x-fix-an-error-code-in-bnx2x_nic_load.patch
+net-pegasus-fix-uninit-value-in-get_interrupt_interv.patch
+net-fec-fix-use-after-free-in-fec_drv_remove.patch
+net-vxge-fix-use-after-free-in-vxge_device_unregiste.patch
+blk-iolatency-error-out-if-blk_get_queue-failed-in-i.patch
+bluetooth-defer-cleanup-of-resources-in-hci_unregist.patch
-- 2.47.3