From c4f453f1c4e2265626bc805caaaee4cedb57c165 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 26 Jul 2020 21:19:23 -0400
Subject: [PATCH] Fixes for 4.4
Signed-off-by: Sasha Levin
---
...sk_thread_flag-for-checking-tif_sing.patch | 42 ++++++++++++
...x88172a-fix-ax88172a_unbind-failures.patch | 36 ++++++++++
...-used-in-a-pci_free_consistent-in-an.patch | 39 +++++++++++
...siocshwtstamp-to-update-the-struct-w.patch | 66 +++++++++++++++++++
...ossible-memory-leak-in-smc_drv_probe.patch | 47 +++++++++++++
...t_regmap_match-fix-string-comparison.patch | 43 ++++++++++++
...tacktrace-strip-basepath-from-all-pa.patch | 49 ++++++++++++++
queue-4.4/series | 9 +++
...r_udc-fix-memleak-on-error-handling-.patch | 45 +++++++++++++
...th-emu-fix-up-cmp-insn-for-clang-ias.patch | 43 ++++++++++++
10 files changed, 419 insertions(+)
create mode 100644 queue-4.4/arm64-use-test_tsk_thread_flag-for-checking-tif_sing.patch
create mode 100644 queue-4.4/ax88172a-fix-ax88172a_unbind-failures.patch
create mode 100644 queue-4.4/hippi-fix-a-size-used-in-a-pci_free_consistent-in-an.patch
create mode 100644 queue-4.4/net-dp83640-fix-siocshwtstamp-to-update-the-struct-w.patch
create mode 100644 queue-4.4/net-smc91x-fix-possible-memory-leak-in-smc_drv_probe.patch
create mode 100644 queue-4.4/regmap-dev_get_regmap_match-fix-string-comparison.patch
create mode 100644 queue-4.4/scripts-decode_stacktrace-strip-basepath-from-all-pa.patch
create mode 100644 queue-4.4/usb-gadget-udc-gr_udc-fix-memleak-on-error-handling-.patch
create mode 100644 queue-4.4/x86-math-emu-fix-up-cmp-insn-for-clang-ias.patch
diff --git a/queue-4.4/arm64-use-test_tsk_thread_flag-for-checking-tif_sing.patch b/queue-4.4/arm64-use-test_tsk_thread_flag-for-checking-tif_sing.patch
new file mode 100644
index 00000000000..8fc5052bc5a
--- /dev/null
+++ b/queue-4.4/arm64-use-test_tsk_thread_flag-for-checking-tif_sing.patch
@@ -0,0 +1,42 @@
+From b6f11af5a020259ae094001b831e04c1159ea2dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Feb 2020 12:12:26 +0000
+Subject: arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
+
+From: Will Deacon
+
+[ Upstream commit 5afc78551bf5d53279036e0bf63314e35631d79f ]
+
+Rather than open-code test_tsk_thread_flag() at each callsite, simply
+replace the couple of offenders with calls to test_tsk_thread_flag()
+directly.
+
+Signed-off-by: Will Deacon
+Signed-off-by: Sasha Levin
+---
+ arch/arm64/kernel/debug-monitors.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm64/kernel/debug-monitors.c b/arch/arm64/kernel/debug-monitors.c
+index 8e7675e5ce4a5..77fbcabcd9e34 100644
+--- a/arch/arm64/kernel/debug-monitors.c
++++ b/arch/arm64/kernel/debug-monitors.c
+@@ -387,13 +387,13 @@ void user_rewind_single_step(struct task_struct *task)
+ * If single step is active for this thread, then set SPSR.SS
+ * to 1 to avoid returning to the active-pending state.
+ */
+- if (test_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP))
++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP))
+ set_regs_spsr_ss(task_pt_regs(task));
+ }
+
+ void user_fastforward_single_step(struct task_struct *task)
+ {
+- if (test_ti_thread_flag(task_thread_info(task), TIF_SINGLESTEP))
++ if (test_tsk_thread_flag(task, TIF_SINGLESTEP))
+ clear_regs_spsr_ss(task_pt_regs(task));
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.4/ax88172a-fix-ax88172a_unbind-failures.patch b/queue-4.4/ax88172a-fix-ax88172a_unbind-failures.patch
new file mode 100644
index 00000000000..7defc626540
--- /dev/null
+++ b/queue-4.4/ax88172a-fix-ax88172a_unbind-failures.patch
@@ -0,0 +1,36 @@
+From 18fab65a8c4c4b4d288fa8fe88cd4d24d56e6ac5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Jul 2020 09:59:31 -0400
+Subject: ax88172a: fix ax88172a_unbind() failures
+
+From: George Kennedy
+
+[ Upstream commit c28d9a285668c799eeae2f7f93e929a6028a4d6d ]
+
+If ax88172a_unbind() fails, make sure that the return code is
+less than zero so that cleanup is done properly and avoid UAF.
+
+Fixes: a9a51bd727d1 ("ax88172a: fix information leak on short answers")
+Signed-off-by: George Kennedy
+Reported-by: syzbot+4cd84f527bf4a10fc9c1@syzkaller.appspotmail.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/ax88172a.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
+index 6b1d03b73eeb8..6b734c7ffec39 100644
+--- a/drivers/net/usb/ax88172a.c
++++ b/drivers/net/usb/ax88172a.c
+@@ -245,6 +245,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
+ ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf);
+ if (ret < ETH_ALEN) {
+ netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
++ ret = -EIO;
+ goto free;
+ }
+ memcpy(dev->net->dev_addr, buf, ETH_ALEN);
+--
+2.25.1
+
diff --git a/queue-4.4/hippi-fix-a-size-used-in-a-pci_free_consistent-in-an.patch b/queue-4.4/hippi-fix-a-size-used-in-a-pci_free_consistent-in-an.patch
new file mode 100644
index 00000000000..90ae85326db
--- /dev/null
+++ b/queue-4.4/hippi-fix-a-size-used-in-a-pci_free_consistent-in-an.patch
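Review bot: In the ax88172a patch, the added `ret = -EIO;` in ax88172a_bind() runs for every `ret < ETH_ALEN`, so it also replaces any negative error code asix_read_cmd() may have returned with a generic one. Only the short-read case (a non-negative `ret` below ETH_ALEN) needs a new value for the `free` path to report failure; `ret = ret < 0 ? ret : -EIO;` keeps the original errno while still guaranteeing a negative return. A short comment such as `/* short read: force an error so the caller sees bind as failed */` would record why the assignment is there. The function starts and ends outside the hunk, so what the `free` label releases is taken from the commit description rather than from visible code.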
@@ -0,0 +1,39 @@
+From 6dd91f6644a73284262e81690b9a25cd0a9b96c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Jul 2020 13:00:27 +0200
+Subject: hippi: Fix a size used in a 'pci_free_consistent()' in an error
+ handling path
+
+From: Christophe JAILLET
+
+[ Upstream commit 3195c4706b00106aa82c73acd28340fa8fc2bfc1 ]
+
+The size used when calling 'pci_alloc_consistent()' and
+'pci_free_consistent()' should match.
+
+Fix it and have it consistent with the corresponding call in 'rr_close()'.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Christophe JAILLET
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/hippi/rrunner.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/hippi/rrunner.c b/drivers/net/hippi/rrunner.c
+index 313e006f74feb..6f3519123eb66 100644
+--- a/drivers/net/hippi/rrunner.c
++++ b/drivers/net/hippi/rrunner.c
+@@ -1250,7 +1250,7 @@ static int rr_open(struct net_device *dev)
+ rrpriv->info = NULL;
+ }
+ if (rrpriv->rx_ctrl) {
+- pci_free_consistent(pdev, sizeof(struct ring_ctrl),
++ pci_free_consistent(pdev, 256 * sizeof(struct ring_ctrl),
+ rrpriv->rx_ctrl, rrpriv->rx_ctrl_dma);
+ rrpriv->rx_ctrl = NULL;
+ }
+--
+2.25.1
+
diff --git a/queue-4.4/net-dp83640-fix-siocshwtstamp-to-update-the-struct-w.patch b/queue-4.4/net-dp83640-fix-siocshwtstamp-to-update-the-struct-w.patch
new file mode 100644
index 00000000000..fc135f9d4de
--- /dev/null
+++ b/queue-4.4/net-dp83640-fix-siocshwtstamp-to-update-the-struct-w.patch
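Review bot: In the hippi patch, the corrected free in rr_open() repeats the literal `256` for the rx_ctrl ring size, and the commit description says the same size is used by the allocation and by rr_close(). Repeating the count at every call site leaves nothing to stop the sizes disagreeing again, and a size mismatch on a coherent-DMA free is a memory-safety problem rather than a cosmetic one. A single named constant, or one `size_t` computed once and reused for the allocation and both frees, would make the pairing checkable at a glance. The allocation and rr_close() are outside the hunk, so this rests on the description.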
@@ -0,0 +1,66 @@
+From bf277bea9d5fbcef5d26ff8a9ae7aebe1204387e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 15 Jul 2020 19:10:00 +0300
+Subject: net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
+ configuration
+
+From: Sergey Organov
+
+[ Upstream commit 473309fb8372365ad211f425bca760af800e10a7 ]
+
+From Documentation/networking/timestamping.txt:
+
+ A driver which supports hardware time stamping shall update the
+ struct with the actual, possibly more permissive configuration.
+
+Do update the struct passed when we upscale the requested time
+stamping mode.
+
+Fixes: cb646e2b02b2 ("ptp: Added a clock driver for the National Semiconductor PHYTER.")
+Signed-off-by: Sergey Organov
+Acked-by: Richard Cochran
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/phy/dp83640.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/drivers/net/phy/dp83640.c b/drivers/net/phy/dp83640.c
+index 847c9fc10f9a9..0da80adc545af 100644
+--- a/drivers/net/phy/dp83640.c
++++ b/drivers/net/phy/dp83640.c
+@@ -1335,6 +1335,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr)
+ dp83640->hwts_rx_en = 1;
+ dp83640->layer = PTP_CLASS_L4;
+ dp83640->version = PTP_CLASS_V1;
++ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V1_L4_EVENT;
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_L4_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L4_SYNC:
+@@ -1342,6 +1343,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr)
+ dp83640->hwts_rx_en = 1;
+ dp83640->layer = PTP_CLASS_L4;
+ dp83640->version = PTP_CLASS_V2;
++ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_L4_EVENT;
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_L2_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_L2_SYNC:
+@@ -1349,6 +1351,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr)
+ dp83640->hwts_rx_en = 1;
+ dp83640->layer = PTP_CLASS_L2;
+ dp83640->version = PTP_CLASS_V2;
++ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_L2_EVENT;
+ break;
+ case HWTSTAMP_FILTER_PTP_V2_EVENT:
+ case HWTSTAMP_FILTER_PTP_V2_SYNC:
+@@ -1356,6 +1359,7 @@ static int dp83640_hwtstamp(struct phy_device *phydev, struct ifreq *ifr)
+ dp83640->hwts_rx_en = 1;
+ dp83640->layer = PTP_CLASS_L4 | PTP_CLASS_L2;
+ dp83640->version = PTP_CLASS_V2;
++ cfg.rx_filter = HWTSTAMP_FILTER_PTP_V2_EVENT;
+ break;
+ default:
+ return -ERANGE;
+--
+2.25.1
+
diff --git a/queue-4.4/net-smc91x-fix-possible-memory-leak-in-smc_drv_probe.patch b/queue-4.4/net-smc91x-fix-possible-memory-leak-in-smc_drv_probe.patch
new file mode 100644
index 00000000000..28106325f6e
--- /dev/null
+++ b/queue-4.4/net-smc91x-fix-possible-memory-leak-in-smc_drv_probe.patch
@@ -0,0 +1,47 @@
+From d2296b3e94202de67babf6e2679e575775805dce Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Jul 2020 11:50:38 +0800
+Subject: net: smc91x: Fix possible memory leak in smc_drv_probe()
+
+From: Wang Hai
+
+[ Upstream commit bca9749b1aa23d964d3ab930938af66dbf887f15 ]
+
+If try_toggle_control_gpio() failed in smc_drv_probe(), free_netdev(ndev)
+should be called to free the ndev created earlier. Otherwise, a memleak
+will occur.
+
+Fixes: 7d2911c43815 ("net: smc91x: Fix gpios for device tree based booting")
+Reported-by: Hulk Robot
+Signed-off-by: Wang Hai
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/smsc/smc91x.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/smsc/smc91x.c b/drivers/net/ethernet/smsc/smc91x.c
+index 7405f537beca7..8531a72019680 100644
+--- a/drivers/net/ethernet/smsc/smc91x.c
++++ b/drivers/net/ethernet/smsc/smc91x.c
+@@ -2289,7 +2289,7 @@ static int smc_drv_probe(struct platform_device *pdev)
+ ret = try_toggle_control_gpio(&pdev->dev, &lp->power_gpio,
+ "power", 0, 0, 100);
+ if (ret)
+- return ret;
++ goto out_free_netdev;
+
+ /*
+ * Optional reset GPIO configured? Minimum 100 ns reset needed
+@@ -2298,7 +2298,7 @@ static int smc_drv_probe(struct platform_device *pdev)
+ ret = try_toggle_control_gpio(&pdev->dev, &lp->reset_gpio,
+ "reset", 0, 0, 100);
+ if (ret)
+- return ret;
++ goto out_free_netdev;
+
+ /*
+ * Need to wait for optional EEPROM to load, max 750 us according
+--
+2.25.1
+
diff --git a/queue-4.4/regmap-dev_get_regmap_match-fix-string-comparison.patch b/queue-4.4/regmap-dev_get_regmap_match-fix-string-comparison.patch
new file mode 100644
index 00000000000..fdbc7d51079
--- /dev/null
+++ b/queue-4.4/regmap-dev_get_regmap_match-fix-string-comparison.patch
@@ -0,0 +1,43 @@
+From ee5c06178fa883b8d2ec68b6ecba337d4f8c5fdc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 3 Jul 2020 12:33:15 +0200
+Subject: regmap: dev_get_regmap_match(): fix string comparison
+
+From: Marc Kleine-Budde
+
+[ Upstream commit e84861fec32dee8a2e62bbaa52cded6b05a2a456 ]
+
+This function is used by dev_get_regmap() to retrieve a regmap for the
+specified device. If the device has more than one regmap, the name parameter
+can be used to specify one.
+
+The code here uses a pointer comparison to check for equal strings. This
+however will probably always fail, as the regmap->name is allocated via
+kstrdup_const() from the regmap's config->name.
+
+Fix this by using strcmp() instead.
+
+Signed-off-by: Marc Kleine-Budde
+Link: https://lore.kernel.org/r/20200703103315.267996-1-mkl@pengutronix.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/base/regmap/regmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/base/regmap/regmap.c b/drivers/base/regmap/regmap.c
+index 77cabde977edd..4a4efc6f54b55 100644
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1106,7 +1106,7 @@ static int dev_get_regmap_match(struct device *dev, void *res, void *data)
+
+ /* If the user didn't specify a name match any */
+ if (data)
+- return (*r)->name == data;
++ return !strcmp((*r)->name, data);
+ else
+ return 1;
+ }
+--
+2.25.1
+
diff --git a/queue-4.4/scripts-decode_stacktrace-strip-basepath-from-all-pa.patch b/queue-4.4/scripts-decode_stacktrace-strip-basepath-from-all-pa.patch
new file mode 100644
index 00000000000..7f374f9c89a
--- /dev/null
+++ b/queue-4.4/scripts-decode_stacktrace-strip-basepath-from-all-pa.patch
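Review bot: In the regmap patch, the new `!strcmp((*r)->name, data)` in dev_get_regmap_match() dereferences `(*r)->name` without a NULL check. The commit description says the name is copied from the regmap's config->name, so a regmap registered without a name would presumably carry a NULL pointer here. A lookup that passes a name would then fault inside strcmp(), where the old pointer comparison simply returned false. Guarding the call keeps the old no-match result: `return (*r)->name && !strcmp((*r)->name, data);`. The start of the function is outside the hunk, so any earlier validation of `r` is not visible.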
@@ -0,0 +1,49 @@
+From d8be31b455454d1bf4fe899bdbd8fa535bc365f1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 23 Jul 2020 21:15:43 -0700
+Subject: scripts/decode_stacktrace: strip basepath from all paths
+
+From: Pi-Hsun Shih
+
+[ Upstream commit d178770d8d21489abf5bafefcbb6d5243b482e9a ]
+
+Currently the basepath is removed only from the beginning of the string.
+When the symbol is inlined and there's multiple line outputs of
+addr2line, only the first line would have basepath removed.
+
+Change to remove the basepath prefix from all lines.
+
+Fixes: 31013836a71e ("scripts/decode_stacktrace: match basepath using shell prefix operator, not regex")
+Co-developed-by: Shik Chen
+Signed-off-by: Pi-Hsun Shih
+Signed-off-by: Shik Chen
+Signed-off-by: Andrew Morton
+Reviewed-by: Stephen Boyd
+Cc: Sasha Levin
+Cc: Nicolas Boichat
+Cc: Jiri Slaby
+Link: http://lkml.kernel.org/r/20200720082709.252805-1-pihsun@chromium.org
+Signed-off-by: Linus Torvalds
+Signed-off-by: Sasha Levin
+---
+ scripts/decode_stacktrace.sh | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/scripts/decode_stacktrace.sh b/scripts/decode_stacktrace.sh
+index 4f5e76f76b9dc..003968cb04d4a 100755
+--- a/scripts/decode_stacktrace.sh
++++ b/scripts/decode_stacktrace.sh
+@@ -63,8 +63,8 @@ parse_symbol() {
+ return
+ fi
+
+- # Strip out the base of the path
+- code=${code#$basepath/}
++ # Strip out the base of the path on each line
++ code=$(while read -r line; do echo "${line#$basepath/}"; done <<< "$code")
+
+ # In the case of inlines, move everything to same line
+ code=${code//$'\n'/' '}
+--
+2.25.1
+
diff --git a/queue-4.4/series b/queue-4.4/series
index cfe32fd723a..a49273da3f4 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
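Review bot: In the decode_stacktrace.sh patch, the new loop in parse_symbol() expands `$basepath` unquoted inside `${line#$basepath/}`, so the shell treats its contents as a glob pattern. A base path containing `*`, `?` or `[` then strips more or less than the literal prefix. `read -r line` without `IFS=` also trims leading and trailing whitespace from each line, and `echo` can misprint a line that starts with `-n` or `-e`. `code=$(while IFS= read -r line; do printf '%s\n' "${line#"$basepath"/}"; done <<< "$code")` keeps the per-line stripping while treating both the path and the output as literal text.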
@@ -14,3 +14,12 @@ asoc-rt5670-correct-rt5670_ldo_sel_mask.patch
 btrfs-fix-double-free-on-ulist-after-backref-resolution-failure.patch
 x86-fpu-disable-bottom-halves-while-loading-fpu-regi.patch
 btrfs-fix-mount-failure-caused-by-race-with-umount.patch
+hippi-fix-a-size-used-in-a-pci_free_consistent-in-an.patch
+ax88172a-fix-ax88172a_unbind-failures.patch
+net-dp83640-fix-siocshwtstamp-to-update-the-struct-w.patch
+net-smc91x-fix-possible-memory-leak-in-smc_drv_probe.patch
+scripts-decode_stacktrace-strip-basepath-from-all-pa.patch
+regmap-dev_get_regmap_match-fix-string-comparison.patch
+usb-gadget-udc-gr_udc-fix-memleak-on-error-handling-.patch
+arm64-use-test_tsk_thread_flag-for-checking-tif_sing.patch
+x86-math-emu-fix-up-cmp-insn-for-clang-ias.patch
diff --git a/queue-4.4/usb-gadget-udc-gr_udc-fix-memleak-on-error-handling-.patch b/queue-4.4/usb-gadget-udc-gr_udc-fix-memleak-on-error-handling-.patch
new file mode 100644
index 00000000000..8191413db48
--- /dev/null
+++ b/queue-4.4/usb-gadget-udc-gr_udc-fix-memleak-on-error-handling-.patch
@@ -0,0 +1,45 @@
+From 141bf0c12ab2c39b2b9747f760b660c864cdb4b2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 26 Jun 2020 16:17:47 +0300
+Subject: usb: gadget: udc: gr_udc: fix memleak on error handling path in
+ gr_ep_init()
+
+From: Evgeny Novikov
+
+[ Upstream commit c8f8529e2c4141afa2ebb487ad48e8a6ec3e8c99 ]
+
+gr_ep_init() does not assign the allocated request anywhere if allocation
+of memory for the buffer fails. This is a memory leak fixed by the given
+patch.
+
+Found by Linux Driver Verification project (linuxtesting.org).
+
+Signed-off-by: Evgeny Novikov
+Signed-off-by: Felipe Balbi
+Signed-off-by: Sasha Levin
+---
+ drivers/usb/gadget/udc/gr_udc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/usb/gadget/udc/gr_udc.c b/drivers/usb/gadget/udc/gr_udc.c
+index 594639e5cbf82..78168e1827b5e 100644
+--- a/drivers/usb/gadget/udc/gr_udc.c
++++ b/drivers/usb/gadget/udc/gr_udc.c
+@@ -2001,9 +2001,12 @@ static int gr_ep_init(struct gr_udc *dev, int num, int is_in, u32 maxplimit)
+
+ if (num == 0) {
+ _req = gr_alloc_request(&ep->ep, GFP_ATOMIC);
++ if (!_req)
++ return -ENOMEM;
++
+ buf = devm_kzalloc(dev->dev, PAGE_SIZE, GFP_DMA | GFP_ATOMIC);
+- if (!_req || !buf) {
+- /* possible _req freed by gr_probe via gr_remove */
++ if (!buf) {
++ gr_free_request(&ep->ep, _req);
+ return -ENOMEM;
+ }
+
+--
+2.25.1
+
diff --git a/queue-4.4/x86-math-emu-fix-up-cmp-insn-for-clang-ias.patch b/queue-4.4/x86-math-emu-fix-up-cmp-insn-for-clang-ias.patch
new file mode 100644
index 00000000000..baac02600f8
--- /dev/null
+++ b/queue-4.4/x86-math-emu-fix-up-cmp-insn-for-clang-ias.patch
@@ -0,0 +1,43 @@
+From 940a7ed70011b8015fd059660955b19158a0ec52 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 27 May 2020 15:53:46 +0200
+Subject: x86: math-emu: Fix up 'cmp' insn for clang ias
+
+From: Arnd Bergmann
+
+[ Upstream commit 81e96851ea32deb2c921c870eecabf335f598aeb ]
+
+The clang integrated assembler requires the 'cmp' instruction to
+have a length prefix here:
+
+arch/x86/math-emu/wm_sqrt.S:212:2: error: ambiguous instructions require an explicit suffix (could be 'cmpb', 'cmpw', or 'cmpl')
+ cmp $0xffffffff,-24(%ebp)
+ ^
+
+Make this a 32-bit comparison, which it was clearly meant to be.
+
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Thomas Gleixner
+Reviewed-by: Nick Desaulniers
+Link: https://lkml.kernel.org/r/20200527135352.1198078-1-arnd@arndb.de
+Signed-off-by: Sasha Levin
+---
+ arch/x86/math-emu/wm_sqrt.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/math-emu/wm_sqrt.S b/arch/x86/math-emu/wm_sqrt.S
+index d258f59564e11..3b40c98bbbd40 100644
+--- a/arch/x86/math-emu/wm_sqrt.S
++++ b/arch/x86/math-emu/wm_sqrt.S
+@@ -208,7 +208,7 @@ sqrt_stage_2_finish:
+
+ #ifdef PARANOID
+ /* It should be possible to get here only if the arg is ffff....ffff */
+- cmp $0xffffffff,FPU_fsqrt_arg_1
++ cmpl $0xffffffff,FPU_fsqrt_arg_1
+ jnz sqrt_stage_2_error
+ #endif /* PARANOID */
+
+--
+2.25.1
+
--
2.47.3