From eeebef1c67a69ff3bbe34a4154298f6caae9a569 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sun, 23 Jan 2022 15:32:49 +0100 Subject: [PATCH] 4.4-stable patches added patches: can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch media-em28xx-fix-control-message-timeouts.patch media-mceusb-fix-control-message-timeouts.patch media-pvrusb2-fix-control-message-timeouts.patch media-stk1160-fix-control-message-timeouts.patch nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch --- ...-fix-memleak-on-registration-failure.patch | 36 +++++++ ...undefined-behavior-in-tuner-shutdown.patch | 51 +++++++++ ...-em28xx-fix-control-message-timeouts.patch | 42 ++++++++ ...-mceusb-fix-control-message-timeouts.patch | 57 ++++++++++ ...pvrusb2-fix-control-message-timeouts.patch | 60 +++++++++++ ...stk1160-fix-control-message-timeouts.patch | 42 ++++++++ ...ference-on-sendmsg-after-failed-bind.patch | 102 ++++++++++++++++++ ...for-marvell-88se9125-sata-controller.patch | 57 ++++++++++ ...ake-rtc_lock-while-reading-from-cmos.patch | 49 +++++++++ queue-4.4/series | 9 ++ 10 files changed, 505 insertions(+) create mode 100644 queue-4.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch create mode 100644 queue-4.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch create mode 100644 queue-4.4/media-em28xx-fix-control-message-timeouts.patch create mode 100644 queue-4.4/media-mceusb-fix-control-message-timeouts.patch create mode 100644 queue-4.4/media-pvrusb2-fix-control-message-timeouts.patch create mode 100644 queue-4.4/media-stk1160-fix-control-message-timeouts.patch create mode 100644 queue-4.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch create mode 100644 queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch create mode 100644 queue-4.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch diff --git a/queue-4.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch b/queue-4.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch new file mode 100644 index 00000000000..e9b0009f758 --- /dev/null +++ b/queue-4.4/can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch @@ -0,0 +1,36 @@ +From ced4913efb0acc844ed65cc01d091a85d83a2082 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 22 Dec 2021 11:48:43 +0100 +Subject: can: softing_cs: softingcs_probe(): fix memleak on registration failure + +From: Johan Hovold + +commit ced4913efb0acc844ed65cc01d091a85d83a2082 upstream. + +In case device registration fails during probe, the driver state and +the embedded platform device structure needs to be freed using +platform_device_put() to properly free all resources (e.g. the device +name). + +Fixes: 0a0b7a5f7a04 ("can: add driver for Softing card") +Link: https://lore.kernel.org/all/20211222104843.6105-1-johan@kernel.org +Cc: stable@vger.kernel.org # 2.6.38 +Signed-off-by: Johan Hovold +Reviewed-by: Greg Kroah-Hartman +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/softing/softing_cs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/can/softing/softing_cs.c ++++ b/drivers/net/can/softing/softing_cs.c +@@ -304,7 +304,7 @@ static int softingcs_probe(struct pcmcia + return 0; + + platform_failed: +- kfree(dev); ++ platform_device_put(pdev); + mem_failed: + pcmcia_bad: + pcmcia_failed: diff --git a/queue-4.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch b/queue-4.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch new file mode 100644 index 00000000000..081f08d679c --- /dev/null +++ b/queue-4.4/media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch @@ -0,0 +1,51 @@ +From f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 Mon Sep 17 00:00:00 2001 +From: Michael Kuron +Date: Sun, 26 Sep 2021 21:51:26 +0100 +Subject: media: dib0700: fix undefined behavior in tuner shutdown + +From: Michael Kuron + +commit f7b77ebe6d2f49c7747b2d619586d1aa33f9ea91 upstream. + +This fixes a problem where closing the tuner would leave it in a state +where it would not tune to any channel when reopened. This problem was +discovered as part of https://github.com/hselasky/webcamd/issues/16. + +Since adap->id is 0 or 1, this bit-shift overflows, which is undefined +behavior. The driver still worked in practice as the overflow would in +most environments result in 0, which rendered the line a no-op. When +running the driver as part of webcamd however, the overflow could lead +to 0xff due to optimizations by the compiler, which would, in the end, +improperly shut down the tuner. + +The bug is a regression introduced in the commit referenced below. The +present patch causes identical behavior to before that commit for +adap->id equal to 0 or 1. The driver does not contain support for +dib0700 devices with more adapters, assuming such even exist. + +Tests have been performed with the Xbox One Digital TV Tuner on amd64. +Not all dib0700 devices are expected to be affected by the regression; +this code path is only taken by those with incorrect endpoint numbers. + +Link: https://lore.kernel.org/linux-media/1d2fc36d94ced6f67c7cc21dcc469d5e5bdd8201.1632689033.git.mchehab+huawei@kernel.org + +Cc: stable@vger.kernel.org +Fixes: 7757ddda6f4f ("[media] DiB0700: add function to change I2C-speed") +Signed-off-by: Michael Kuron +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/dvb-usb/dib0700_core.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/media/usb/dvb-usb/dib0700_core.c ++++ b/drivers/media/usb/dvb-usb/dib0700_core.c +@@ -583,8 +583,6 @@ int dib0700_streaming_ctrl(struct dvb_us + deb_info("the endpoint number (%i) is not correct, use the adapter id instead", adap->fe_adap[0].stream.props.endpoint); + if (onoff) + st->channel_state |= 1 << (adap->id); +- else +- st->channel_state |= 1 << ~(adap->id); + } else { + if (onoff) + st->channel_state |= 1 << (adap->fe_adap[0].stream.props.endpoint-2); diff --git a/queue-4.4/media-em28xx-fix-control-message-timeouts.patch b/queue-4.4/media-em28xx-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..b7afe61c7a2 --- /dev/null +++ b/queue-4.4/media-em28xx-fix-control-message-timeouts.patch @@ -0,0 +1,42 @@ +From d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:38 +0100 +Subject: media: em28xx: fix control-message timeouts + +From: Johan Hovold + +commit d9b7e8df3aa9b8c10708aab60e72e79ac08237e4 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: a6c2ba283565 ("[PATCH] v4l: 716: support for em28xx board family") +Cc: stable@vger.kernel.org # 2.6.16 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/em28xx/em28xx-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/em28xx/em28xx-core.c ++++ b/drivers/media/usb/em28xx/em28xx-core.c +@@ -99,7 +99,7 @@ int em28xx_read_reg_req_len(struct em28x + mutex_lock(&dev->ctrl_urb_lock); + ret = usb_control_msg(dev->udev, pipe, req, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + if (ret < 0) { + if (reg_debug) + printk(" failed!\n"); +@@ -182,7 +182,7 @@ int em28xx_write_regs_req(struct em28xx + memcpy(dev->urb_buf, buf, len); + ret = usb_control_msg(dev->udev, pipe, req, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x0000, reg, dev->urb_buf, len, HZ); ++ 0x0000, reg, dev->urb_buf, len, 1000); + mutex_unlock(&dev->ctrl_urb_lock); + + if (ret < 0) diff --git a/queue-4.4/media-mceusb-fix-control-message-timeouts.patch b/queue-4.4/media-mceusb-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..2e21193349e --- /dev/null +++ b/queue-4.4/media-mceusb-fix-control-message-timeouts.patch @@ -0,0 +1,57 @@ +From 16394e998cbb050730536bdf7e89f5a70efbd974 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:34 +0100 +Subject: media: mceusb: fix control-message timeouts + +From: Johan Hovold + +commit 16394e998cbb050730536bdf7e89f5a70efbd974 upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 66e89522aff7 ("V4L/DVB: IR: add mceusb IR receiver driver") +Cc: stable@vger.kernel.org # 2.6.36 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/rc/mceusb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/rc/mceusb.c ++++ b/drivers/media/rc/mceusb.c +@@ -1118,7 +1118,7 @@ static void mceusb_gen1_init(struct mceu + */ + ret = usb_control_msg(ir->usbdev, usb_rcvctrlpipe(ir->usbdev, 0), + USB_REQ_SET_ADDRESS, USB_TYPE_VENDOR, 0, 0, +- data, USB_CTRL_MSG_SZ, HZ * 3); ++ data, USB_CTRL_MSG_SZ, 3000); + dev_dbg(dev, "set address - ret = %d", ret); + dev_dbg(dev, "set address - data[0] = %d, data[1] = %d", + data[0], data[1]); +@@ -1126,20 +1126,20 @@ static void mceusb_gen1_init(struct mceu + /* set feature: bit rate 38400 bps */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + USB_REQ_SET_FEATURE, USB_TYPE_VENDOR, +- 0xc04e, 0x0000, NULL, 0, HZ * 3); ++ 0xc04e, 0x0000, NULL, 0, 3000); + + dev_dbg(dev, "set feature - ret = %d", ret); + + /* bRequest 4: set char length to 8 bits */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 4, USB_TYPE_VENDOR, +- 0x0808, 0x0000, NULL, 0, HZ * 3); ++ 0x0808, 0x0000, NULL, 0, 3000); + dev_dbg(dev, "set char length - retB = %d", ret); + + /* bRequest 2: set handshaking to use DTR/DSR */ + ret = usb_control_msg(ir->usbdev, usb_sndctrlpipe(ir->usbdev, 0), + 2, USB_TYPE_VENDOR, +- 0x0000, 0x0100, NULL, 0, HZ * 3); ++ 0x0000, 0x0100, NULL, 0, 3000); + dev_dbg(dev, "set handshake - retC = %d", ret); + + /* device resume */ diff --git a/queue-4.4/media-pvrusb2-fix-control-message-timeouts.patch b/queue-4.4/media-pvrusb2-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..ca0540165aa --- /dev/null +++ b/queue-4.4/media-pvrusb2-fix-control-message-timeouts.patch @@ -0,0 +1,60 @@ +From b82bf9b9dc305d7d3d93eab106d70dbf2171b43e Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:39 +0100 +Subject: media: pvrusb2: fix control-message timeouts + +From: Johan Hovold + +commit b82bf9b9dc305d7d3d93eab106d70dbf2171b43e upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: d855497edbfb ("V4L/DVB (4228a): pvrusb2 to kernel 2.6.18") +Cc: stable@vger.kernel.org # 2.6.18 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c +@@ -1488,7 +1488,7 @@ static int pvr2_upload_firmware1(struct + for (address = 0; address < fwsize; address += 0x800) { + memcpy(fw_ptr, fw_entry->data + address, 0x800); + ret += usb_control_msg(hdw->usb_dev, pipe, 0xa0, 0x40, address, +- 0, fw_ptr, 0x800, HZ); ++ 0, fw_ptr, 0x800, 1000); + } + + trace_firmware("Upload done, releasing device's CPU"); +@@ -1627,7 +1627,7 @@ int pvr2_upload_firmware2(struct pvr2_hd + ((u32 *)fw_ptr)[icnt] = swab32(((u32 *)fw_ptr)[icnt]); + + ret |= usb_bulk_msg(hdw->usb_dev, pipe, fw_ptr,bcnt, +- &actual_length, HZ); ++ &actual_length, 1000); + ret |= (actual_length != bcnt); + if (ret) break; + fw_done += bcnt; +@@ -3491,7 +3491,7 @@ void pvr2_hdw_cpufw_set_enabled(struct p + 0xa0,0xc0, + address,0, + hdw->fw_buffer+address, +- 0x800,HZ); ++ 0x800,1000); + if (ret < 0) break; + } + +@@ -4017,7 +4017,7 @@ void pvr2_hdw_cpureset_assert(struct pvr + /* Write the CPUCS register on the 8051. The lsb of the register + is the reset bit; a 1 asserts reset while a 0 clears it. */ + pipe = usb_sndctrlpipe(hdw->usb_dev, 0); +- ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,HZ); ++ ret = usb_control_msg(hdw->usb_dev,pipe,0xa0,0x40,0xe600,0,da,1,1000); + if (ret < 0) { + pvr2_trace(PVR2_TRACE_ERROR_LEGS, + "cpureset_assert(%d) error=%d",val,ret); diff --git a/queue-4.4/media-stk1160-fix-control-message-timeouts.patch b/queue-4.4/media-stk1160-fix-control-message-timeouts.patch new file mode 100644 index 00000000000..dd24a5599c6 --- /dev/null +++ b/queue-4.4/media-stk1160-fix-control-message-timeouts.patch @@ -0,0 +1,42 @@ +From 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 25 Oct 2021 13:16:41 +0100 +Subject: media: stk1160: fix control-message timeouts + +From: Johan Hovold + +commit 6aa6e70cdb5b863a57bad61310bf89b6617a5d2d upstream. + +USB control-message timeouts are specified in milliseconds and should +specifically not vary with CONFIG_HZ. + +Fixes: 9cb2173e6ea8 ("[media] media: Add stk1160 new driver (easycap replacement)") +Cc: stable@vger.kernel.org # 3.7 +Signed-off-by: Johan Hovold +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman +--- + drivers/media/usb/stk1160/stk1160-core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/usb/stk1160/stk1160-core.c ++++ b/drivers/media/usb/stk1160/stk1160-core.c +@@ -76,7 +76,7 @@ int stk1160_read_reg(struct stk1160 *dev + return -ENOMEM; + ret = usb_control_msg(dev->udev, pipe, 0x00, + USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- 0x00, reg, buf, sizeof(u8), HZ); ++ 0x00, reg, buf, sizeof(u8), 1000); + if (ret < 0) { + stk1160_err("read failed on reg 0x%x (%d)\n", + reg, ret); +@@ -96,7 +96,7 @@ int stk1160_write_reg(struct stk1160 *de + + ret = usb_control_msg(dev->udev, pipe, 0x01, + USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE, +- value, reg, NULL, 0, HZ); ++ value, reg, NULL, 0, 1000); + if (ret < 0) { + stk1160_err("write failed on reg 0x%x (%d)\n", + reg, ret); diff --git a/queue-4.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch b/queue-4.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch new file mode 100644 index 00000000000..e7912b5385e --- /dev/null +++ b/queue-4.4/nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch @@ -0,0 +1,102 @@ +From dded08927ca3c31a5c37f8e7f95fe98770475dd4 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Wed, 19 Jan 2022 08:48:16 +0100 +Subject: nfc: llcp: fix NULL error pointer dereference on sendmsg() after failed bind() + +From: Krzysztof Kozlowski + +commit dded08927ca3c31a5c37f8e7f95fe98770475dd4 upstream. + +Syzbot detected a NULL pointer dereference of nfc_llcp_sock->dev pointer +(which is a 'struct nfc_dev *') with calls to llcp_sock_sendmsg() after +a failed llcp_sock_bind(). The message being sent is a SOCK_DGRAM. + +KASAN report: + + BUG: KASAN: null-ptr-deref in nfc_alloc_send_skb+0x2d/0xc0 + Read of size 4 at addr 00000000000005c8 by task llcp_sock_nfc_a/899 + + CPU: 5 PID: 899 Comm: llcp_sock_nfc_a Not tainted 5.16.0-rc6-next-20211224-00001-gc6437fbf18b0 #125 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014 + Call Trace: + + dump_stack_lvl+0x45/0x59 + ? nfc_alloc_send_skb+0x2d/0xc0 + __kasan_report.cold+0x117/0x11c + ? mark_lock+0x480/0x4f0 + ? nfc_alloc_send_skb+0x2d/0xc0 + kasan_report+0x38/0x50 + nfc_alloc_send_skb+0x2d/0xc0 + nfc_llcp_send_ui_frame+0x18c/0x2a0 + ? nfc_llcp_send_i_frame+0x230/0x230 + ? __local_bh_enable_ip+0x86/0xe0 + ? llcp_sock_connect+0x470/0x470 + ? llcp_sock_connect+0x470/0x470 + sock_sendmsg+0x8e/0xa0 + ____sys_sendmsg+0x253/0x3f0 + ... + +The issue was visible only with multiple simultaneous calls to bind() and +sendmsg(), which resulted in most of the bind() calls to fail. The +bind() was failing on checking if there is available WKS/SDP/SAP +(respective bit in 'struct nfc_llcp_local' fields). When there was no +available WKS/SDP/SAP, the bind returned error but the sendmsg() to such +socket was able to trigger mentioned NULL pointer dereference of +nfc_llcp_sock->dev. + +The code looks simply racy and currently it protects several paths +against race with checks for (!nfc_llcp_sock->local) which is NULL-ified +in error paths of bind(). The llcp_sock_sendmsg() did not have such +check but called function nfc_llcp_send_ui_frame() had, although not +protected with lock_sock(). + +Therefore the race could look like (same socket is used all the time): + CPU0 CPU1 + ==== ==== + llcp_sock_bind() + - lock_sock() + - success + - release_sock() + - return 0 + llcp_sock_sendmsg() + - lock_sock() + - release_sock() + llcp_sock_bind(), same socket + - lock_sock() + - error + - nfc_llcp_send_ui_frame() + - if (!llcp_sock->local) + - llcp_sock->local = NULL + - nfc_put_device(dev) + - dereference llcp_sock->dev + - release_sock() + - return -ERRNO + +The nfc_llcp_send_ui_frame() checked llcp_sock->local outside of the +lock, which is racy and ineffective check. Instead, its caller +llcp_sock_sendmsg(), should perform the check inside lock_sock(). + +Reported-and-tested-by: syzbot+7f23bcddf626e0593a39@syzkaller.appspotmail.com +Fixes: b874dec21d1c ("NFC: Implement LLCP connection less Tx path") +Cc: +Signed-off-by: Krzysztof Kozlowski +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -790,6 +790,11 @@ static int llcp_sock_sendmsg(struct sock + + lock_sock(sk); + ++ if (!llcp_sock->local) { ++ release_sock(sk); ++ return -ENODEV; ++ } ++ + if (sk->sk_type == SOCK_DGRAM) { + DECLARE_SOCKADDR(struct sockaddr_nfc_llcp *, addr, + msg->msg_name); diff --git a/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch b/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch new file mode 100644 index 00000000000..0c16c32a00c --- /dev/null +++ b/queue-4.4/pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch @@ -0,0 +1,57 @@ +From e445375882883f69018aa669b67cbb37ec873406 Mon Sep 17 00:00:00 2001 +From: Yifeng Li +Date: Thu, 2 Dec 2021 06:35:21 +0000 +Subject: PCI: Add function 1 DMA alias quirk for Marvell 88SE9125 SATA controller +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Yifeng Li + +commit e445375882883f69018aa669b67cbb37ec873406 upstream. + +Like other SATA controller chips in the Marvell 88SE91xx series, the +Marvell 88SE9125 has the same DMA requester ID hardware bug that prevents +it from working under IOMMU. Add it to the list of devices that need the +quirk. + +Without this patch, device initialization fails with DMA errors: + + ata8: softreset failed (1st FIS failed) + DMAR: DRHD: handling fault status reg 2 + DMAR: [DMA Write NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear + DMAR: DRHD: handling fault status reg 2 + DMAR: [DMA Read NO_PASID] Request device [03:00.1] fault addr 0xfffc0000 [fault reason 0x02] Present bit in context entry is clear + +After applying the patch, the controller can be successfully initialized: + + ata8: SATA link up 1.5 Gbps (SStatus 113 SControl 330) + ata8.00: ATAPI: PIONEER BD-RW BDR-207M, 1.21, max UDMA/100 + ata8.00: configured for UDMA/100 + scsi 7:0:0:0: CD-ROM PIONEER BD-RW BDR-207M 1.21 PQ: 0 ANSI: 5 + +Link: https://lore.kernel.org/r/YahpKVR+McJVDdkD@work +Reported-by: Sam Bingner +Tested-by: Sam Bingner +Tested-by: Yifeng Li +Signed-off-by: Yifeng Li +Signed-off-by: Bjorn Helgaas +Reviewed-by: Krzysztof Wilczyński +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/pci/quirks.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -3657,6 +3657,9 @@ DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_M + quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9123, + quirk_dma_func1_alias); ++/* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c136 */ ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9125, ++ quirk_dma_func1_alias); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MARVELL_EXT, 0x9128, + quirk_dma_func1_alias); + /* https://bugzilla.kernel.org/show_bug.cgi?id=42679#c14 */ diff --git a/queue-4.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch b/queue-4.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch new file mode 100644 index 00000000000..0f0d4ee6cce --- /dev/null +++ b/queue-4.4/rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch @@ -0,0 +1,49 @@ +From 454f47ff464325223129b9b5b8d0b61946ec704d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Mateusz=20Jo=C5=84czyk?= +Date: Fri, 10 Dec 2021 21:01:23 +0100 +Subject: rtc: cmos: take rtc_lock while reading from CMOS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mateusz Jończyk + +commit 454f47ff464325223129b9b5b8d0b61946ec704d upstream. + +Reading from the CMOS involves writing to the index register and then +reading from the data register. Therefore access to the CMOS has to be +serialized with rtc_lock. This invocation of CMOS_READ was not +serialized, which could cause trouble when other code is accessing CMOS +at the same time. + +Use spin_lock_irq() like the rest of the function. + +Nothing in kernel modifies the RTC_DM_BINARY bit, so there could be a +separate pair of spin_lock_irq() / spin_unlock_irq() before doing the +math. + +Signed-off-by: Mateusz Jończyk +Reviewed-by: Nobuhiro Iwamatsu +Cc: Alessandro Zummo +Cc: Alexandre Belloni +Cc: stable@vger.kernel.org +Signed-off-by: Alexandre Belloni +Link: https://lore.kernel.org/r/20211210200131.153887-2-mat.jonczyk@o2.pl +Signed-off-by: Greg Kroah-Hartman +--- + drivers/rtc/rtc-cmos.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/rtc/rtc-cmos.c ++++ b/drivers/rtc/rtc-cmos.c +@@ -343,7 +343,10 @@ static int cmos_set_alarm(struct device + min = t->time.tm_min; + sec = t->time.tm_sec; + ++ spin_lock_irq(&rtc_lock); + rtc_control = CMOS_READ(RTC_CONTROL); ++ spin_unlock_irq(&rtc_lock); ++ + if (!(rtc_control & RTC_DM_BINARY) || RTC_ALWAYS_BCD) { + /* Writing 0xff means "don't care" or "match all". */ + mon = (mon <= 12) ? bin2bcd(mon) : 0xff; diff --git a/queue-4.4/series b/queue-4.4/series index 863d8293524..7a0795dfa01 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -8,3 +8,12 @@ drm-i915-avoid-bitwise-vs-logical-or-warning-in-snb_wm_latency_quirk.patch media-uvcvideo-fix-division-by-zero-at-stream-start.patch rtlwifi-rtl8192cu-fix-warning-when-calling-local_irq_restore-with-interrupts-enabled.patch hid-uhid-fix-worker-destroying-device-without-any-protection.patch +nfc-llcp-fix-null-error-pointer-dereference-on-sendmsg-after-failed-bind.patch +rtc-cmos-take-rtc_lock-while-reading-from-cmos.patch +media-mceusb-fix-control-message-timeouts.patch +media-em28xx-fix-control-message-timeouts.patch +media-dib0700-fix-undefined-behavior-in-tuner-shutdown.patch +media-pvrusb2-fix-control-message-timeouts.patch +media-stk1160-fix-control-message-timeouts.patch +can-softing_cs-softingcs_probe-fix-memleak-on-registration-failure.patch +pci-add-function-1-dma-alias-quirk-for-marvell-88se9125-sata-controller.patch -- 2.47.2