From 69e357893e75ac141720157e91de240c1b440c41 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 14 Nov 2021 15:35:56 +0100 Subject: [PATCH] 4.14-stable patches added patches: iio-dac-ad5446-fix-ad5622_write-return-value.patch pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch usb-iowarrior-fix-control-message-timeouts.patch usb-serial-keyspan-fix-memleak-on-probe-errors.patch --- ...ad5446-fix-ad5622_write-return-value.patch | 47 +++++++++ ...ssible-memory-leak-in-pinctrl_enable.patch | 49 ++++++++++ queue-4.14/series | 4 + ...warrior-fix-control-message-timeouts.patch | 55 +++++++++++ ...-keyspan-fix-memleak-on-probe-errors.patch | 98 +++++++++++++++++++ 5 files changed, 253 insertions(+) create mode 100644 queue-4.14/iio-dac-ad5446-fix-ad5622_write-return-value.patch create mode 100644 queue-4.14/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch create mode 100644 queue-4.14/usb-iowarrior-fix-control-message-timeouts.patch create mode 100644 queue-4.14/usb-serial-keyspan-fix-memleak-on-probe-errors.patch diff --git a/queue-4.14/iio-dac-ad5446-fix-ad5622_write-return-value.patch b/queue-4.14/iio-dac-ad5446-fix-ad5622_write-return-value.patch new file mode 100644 index 00000000000..bb545322e47 --- /dev/null +++ b/queue-4.14/iio-dac-ad5446-fix-ad5622_write-return-value.patch @@ -0,0 +1,47 @@ +From 558df982d4ead9cac628153d0d7b60feae05ddc8 Mon Sep 17 00:00:00 2001 +From: Pekka Korpinen +Date: Wed, 29 Sep 2021 21:57:55 +0300 +Subject: iio: dac: ad5446: Fix ad5622_write() return value + +From: Pekka Korpinen + +commit 558df982d4ead9cac628153d0d7b60feae05ddc8 upstream. + +On success i2c_master_send() returns the number of bytes written. The +call from iio_write_channel_info(), however, expects the return value to +be zero on success. + +This bug causes incorrect consumption of the sysfs buffer in +iio_write_channel_info(). When writing more than two characters to +out_voltage0_raw, the ad5446 write handler is called multiple times +causing unexpected behavior. + +Fixes: 3ec36a2cf0d5 ("iio:ad5446: Add support for I2C based DACs") +Signed-off-by: Pekka Korpinen +Link: https://lore.kernel.org/r/20210929185755.2384-1-pekka.korpinen@iki.fi +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/dac/ad5446.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/dac/ad5446.c ++++ b/drivers/iio/dac/ad5446.c +@@ -510,8 +510,15 @@ static int ad5622_write(struct ad5446_st + { + struct i2c_client *client = to_i2c_client(st->dev); + __be16 data = cpu_to_be16(val); ++ int ret; + +- return i2c_master_send(client, (char *)&data, sizeof(data)); ++ ret = i2c_master_send(client, (char *)&data, sizeof(data)); ++ if (ret < 0) ++ return ret; ++ if (ret != sizeof(data)) ++ return -EIO; ++ ++ return 0; + } + + /** diff --git a/queue-4.14/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch b/queue-4.14/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch new file mode 100644 index 00000000000..4ef8eaa1ed8 --- /dev/null +++ b/queue-4.14/pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch @@ -0,0 +1,49 @@ +From c7892ae13e461ed20154321eb792e07ebe38f5b3 Mon Sep 17 00:00:00 2001 +From: Yang Yingliang +Date: Fri, 22 Oct 2021 09:43:23 +0800 +Subject: pinctrl: core: fix possible memory leak in pinctrl_enable() + +From: Yang Yingliang + +commit c7892ae13e461ed20154321eb792e07ebe38f5b3 upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888020a7a680 (size 64): + comm "i2c-mcp23018-41", pid 23090, jiffies 4295160544 (age 8.680s) + hex dump (first 32 bytes): + 00 48 d3 1e 80 88 ff ff 00 1a 56 c1 ff ff ff ff .H........V..... + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<0000000083c79b35>] kmem_cache_alloc_trace+0x16d/0x360 + [<0000000051803c95>] pinctrl_init_controller+0x6ed/0xb70 + [<0000000064346707>] pinctrl_register+0x27/0x80 + [<0000000029b0e186>] devm_pinctrl_register+0x5b/0xe0 + [<00000000391f5a3e>] mcp23s08_probe_one+0x968/0x118a [pinctrl_mcp23s08] + [<000000006112c039>] mcp230xx_probe+0x266/0x560 [pinctrl_mcp23s08_i2c] + +If pinctrl_claim_hogs() fails, the 'pindesc' allocated in pinctrl_register_one_pin() +need be freed. + +Cc: stable@vger.kernel.org +Reported-by: Hulk Robot +Fixes: 950b0d91dc10 ("pinctrl: core: Fix regression caused by delayed work for hogs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20211022014323.1156924-1-yangyingliang@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pinctrl/core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/pinctrl/core.c ++++ b/drivers/pinctrl/core.c +@@ -2061,6 +2061,8 @@ int pinctrl_enable(struct pinctrl_dev *p + if (error) { + dev_err(pctldev->dev, "could not claim hogs: %i\n", + error); ++ pinctrl_free_pindescs(pctldev, pctldev->desc->pins, ++ pctldev->desc->npins); + mutex_destroy(&pctldev->mutex); + kfree(pctldev); + diff --git a/queue-4.14/series b/queue-4.14/series index 222d6ff7fbf..398a5b059cc 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -63,3 +63,7 @@ pci-aardvark-fix-return-value-of-msi-domain-.alloc-method.patch pci-aardvark-read-all-16-bits-from-pcie_msi_payload_reg.patch quota-check-block-number-when-reading-the-block-in-quota-file.patch quota-correct-error-number-in-free_dqentry.patch +pinctrl-core-fix-possible-memory-leak-in-pinctrl_enable.patch +iio-dac-ad5446-fix-ad5622_write-return-value.patch +usb-serial-keyspan-fix-memleak-on-probe-errors.patch +usb-iowarrior-fix-control-message-timeouts.patch diff --git a/queue-4.14/usb-iowarrior-fix-control-message-timeouts.patch b/queue-4.14/usb-iowarrior-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..15a5289a4c9 --- /dev/null +++ b/queue-4.14/usb-iowarrior-fix-control-message-timeouts.patch @@ -0,0 +1,55 @@ +From 79a4479a17b83310deb0b1a2a274fe5be12d2318 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:51:59 +0200 +Subject: USB: iowarrior: fix control-message timeouts + +From: Johan Hovold + +commit 79a4479a17b83310deb0b1a2a274fe5be12d2318 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Use the common control-message timeout define for the five-second +timeout and drop the driver-specific one. + +Fixes: 946b960d13c1 ("USB: add driver for iowarrior devices.") +Cc: stable@vger.kernel.org # 2.6.21 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20211025115159.4954-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/misc/iowarrior.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/drivers/usb/misc/iowarrior.c ++++ b/drivers/usb/misc/iowarrior.c +@@ -103,10 +103,6 @@ struct iowarrior { + /* globals */ + /*--------------*/ + +-/* +- * USB spec identifies 5 second timeouts. +- */ +-#define GET_TIMEOUT 5 + #define USB_REQ_GET_REPORT 0x01 + //#if 0 + static int usb_get_report(struct usb_device *dev, +@@ -118,7 +114,7 @@ static int usb_get_report(struct usb_dev + USB_DIR_IN | USB_TYPE_CLASS | + USB_RECIP_INTERFACE, (type << 8) + id, + inter->desc.bInterfaceNumber, buf, size, +- GET_TIMEOUT*HZ); ++ USB_CTRL_GET_TIMEOUT); + } + //#endif + +@@ -133,7 +129,7 @@ static int usb_set_report(struct usb_int + USB_TYPE_CLASS | USB_RECIP_INTERFACE, + (type << 8) + id, + intf->cur_altsetting->desc.bInterfaceNumber, buf, +- size, HZ); ++ size, 1000); + } + + /*---------------------*/ diff --git a/queue-4.14/usb-serial-keyspan-fix-memleak-on-probe-errors.patch b/queue-4.14/usb-serial-keyspan-fix-memleak-on-probe-errors.patch new file mode 100644 index 00000000000..0103cc78bf1 --- /dev/null +++ b/queue-4.14/usb-serial-keyspan-fix-memleak-on-probe-errors.patch @@ -0,0 +1,98 @@ +From 910c996335c37552ee30fcb837375b808bb4f33b Mon Sep 17 00:00:00 2001 +From: Wang Hai +Date: Fri, 15 Oct 2021 16:55:43 +0800 +Subject: USB: serial: keyspan: fix memleak on probe errors + +From: Wang Hai + +commit 910c996335c37552ee30fcb837375b808bb4f33b upstream. + +I got memory leak as follows when doing fault injection test: + +unreferenced object 0xffff888258228440 (size 64): + comm "kworker/7:2", pid 2005, jiffies 4294989509 (age 824.540s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] slab_post_alloc_hook+0x9c/0x490 + [] kmem_cache_alloc_trace+0x1f7/0x470 + [] keyspan_port_probe+0xa4/0x5d0 [keyspan] + [] usb_serial_device_probe+0x97/0x1d0 [usbserial] + [] really_probe+0x167/0x460 + [] __driver_probe_device+0xf9/0x180 + [] driver_probe_device+0x53/0x130 + [] __device_attach_driver+0x105/0x130 + [] bus_for_each_drv+0x129/0x190 + [] __device_attach+0x1c9/0x270 + [] device_initial_probe+0x20/0x30 + [] bus_probe_device+0x142/0x160 + [] device_add+0x829/0x1300 + [] usb_serial_probe.cold+0xc9b/0x14ac [usbserial] + [] usb_probe_interface+0x1aa/0x3c0 [usbcore] + [] really_probe+0x167/0x460 + +If keyspan_port_probe() fails to allocate memory for an out_buffer[i] or +in_buffer[i], the previously allocated memory for out_buffer or +in_buffer needs to be freed on the error handling path, otherwise a +memory leak will result. + +Fixes: bad41a5bf177 ("USB: keyspan: fix port DMA-buffer allocations") +Reported-by: Hulk Robot +Signed-off-by: Wang Hai +Link: https://lore.kernel.org/r/20211015085543.1203011-1-wanghai38@huawei.com +Cc: stable@vger.kernel.org # 3.12 +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/keyspan.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/keyspan.c ++++ b/drivers/usb/serial/keyspan.c +@@ -2914,22 +2914,22 @@ static int keyspan_port_probe(struct usb + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) { + p_priv->in_buffer[i] = kzalloc(IN_BUFLEN, GFP_KERNEL); + if (!p_priv->in_buffer[i]) +- goto err_in_buffer; ++ goto err_free_in_buffer; + } + + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) { + p_priv->out_buffer[i] = kzalloc(OUT_BUFLEN, GFP_KERNEL); + if (!p_priv->out_buffer[i]) +- goto err_out_buffer; ++ goto err_free_out_buffer; + } + + p_priv->inack_buffer = kzalloc(INACK_BUFLEN, GFP_KERNEL); + if (!p_priv->inack_buffer) +- goto err_inack_buffer; ++ goto err_free_out_buffer; + + p_priv->outcont_buffer = kzalloc(OUTCONT_BUFLEN, GFP_KERNEL); + if (!p_priv->outcont_buffer) +- goto err_outcont_buffer; ++ goto err_free_inack_buffer; + + p_priv->device_details = d_details; + +@@ -2975,15 +2975,14 @@ static int keyspan_port_probe(struct usb + + return 0; + +-err_outcont_buffer: ++err_free_inack_buffer: + kfree(p_priv->inack_buffer); +-err_inack_buffer: ++err_free_out_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->out_buffer); ++i) + kfree(p_priv->out_buffer[i]); +-err_out_buffer: ++err_free_in_buffer: + for (i = 0; i < ARRAY_SIZE(p_priv->in_buffer); ++i) + kfree(p_priv->in_buffer[i]); +-err_in_buffer: + kfree(p_priv); + + return -ENOMEM; -- 2.47.2