From f9e6227dbbd3c277829bdfe01e075ba25b8b42e7 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 23 Apr 2022 19:59:37 -0400 Subject: [PATCH] Fixes for 4.19 
Signed-off-by: Sasha Levin --- ...ix-undefined-behavior-due-to-shift-o.patch | 49 ++++++ ...-avoid-negative-array-index-when-smp.patch | 58 +++++++ ...e-system-clock-tree-configuration-fo.patch | 142 ++++++++++++++++++ ...-digital-check-failure-for-devm_snd_.patch | 47 ++++++ ...x-undefined-behavior-due-to-shift-ov.patch | 59 ++++++++ ...ck-the-iocb_direct-flag-not-o_direct.patch | 39 +++++ ...ma-fix-error-checking-in-sdma_event_.patch | 46 ++++++ ...sing-of_node_put-in-dpaa_get_ts_info.patch | 46 ++++++ ...msm-mdp5-check-the-return-of-kzalloc.patch | 45 ++++++ ...ed-behavior-due-to-shift-overflowing.patch | 56 +++++++ ...-tx-only-if-queue-pointer-is-lagging.patch | 64 ++++++++ ...acket_sock-xmit-return-value-checkin.patch | 59 ++++++++ ...2-fix-possible-leak-in-u32_init_knod.patch | 57 +++++++ ...twork-and-mac-headers-in-netlink_dum.patch | 136 +++++++++++++++++ ...sung-laptop-fix-an-unsigned-comparis.patch | 41 +++++ ...-restore-handle-errors-in-bpmp-respo.patch | 58 +++++++ ...rxrpc-restore-removed-timer-deletion.patch | 59 ++++++++ queue-4.19/series | 19 +++ ...stency-between-struct-stat-and-struc.patch | 138 +++++++++++++++++ ...rror-return-code-in-vxlan_fdb_append.patch | 40 +++++ 20 files changed, 1258 insertions(+) create mode 100644 queue-4.19/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch create mode 100644 queue-4.19/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch create mode 100644 queue-4.19/asoc-atmel-remove-system-clock-tree-configuration-fo.patch create mode 100644 queue-4.19/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch create mode 100644 queue-4.19/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch create mode 100644 queue-4.19/cifs-check-the-iocb_direct-flag-not-o_direct.patch create mode 100644 queue-4.19/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch create mode 100644 queue-4.19/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch create mode 100644 
queue-4.19/drm-msm-mdp5-check-the-return-of-kzalloc.patch create mode 100644 queue-4.19/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch create mode 100644 queue-4.19/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch create mode 100644 queue-4.19/net-packet-fix-packet_sock-xmit-return-value-checkin.patch create mode 100644 queue-4.19/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch create mode 100644 queue-4.19/netlink-reset-network-and-mac-headers-in-netlink_dum.patch create mode 100644 queue-4.19/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch create mode 100644 queue-4.19/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch create mode 100644 queue-4.19/rxrpc-restore-removed-timer-deletion.patch create mode 100644 queue-4.19/stat-fix-inconsistency-between-struct-stat-and-struc.patch create mode 100644 queue-4.19/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch
diff --git a/queue-4.19/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch b/queue-4.19/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
new file mode 100644
index 00000000000..f4d265e536e
--- /dev/null
+++ b/queue-4.19/alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch
@@ -0,0 +1,49 @@
+From 88b5951267ea668867f93c9050fe4bd9be939fae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Apr 2022 17:15:08 +0200
+Subject: ALSA: usb-audio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+[ Upstream commit 1ef8715975de8bd481abbd0839ed4f49d9e5b0ff ]
+
+Fix:
+
+ sound/usb/midi.c: In function ‘snd_usbmidi_out_endpoint_create’:
+ sound/usb/midi.c:1389:2: error: case label does not reduce to an integer constant
+ case USB_ID(0xfc08, 0x0101): /* Unknown vendor Cable */
+ ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+[ A slight correction with parentheses around the argument by tiwai ]
+
+Signed-off-by: Borislav Petkov
+Link: https://lore.kernel.org/r/20220405151517.29753-3-bp@alien8.de
+Signed-off-by: Takashi Iwai
+Signed-off-by: Sasha Levin
+---
+ sound/usb/usbaudio.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
+index 0c7ea78317fc..0206fecfd377 100644
+--- a/sound/usb/usbaudio.h
++++ b/sound/usb/usbaudio.h
+@@ -22,7 +22,7 @@
+ */
+
+ /* handling of USB vendor/product ID pairs as 32-bit numbers */
+-#define USB_ID(vendor, product) (((vendor) << 16) | (product))
++#define USB_ID(vendor, product) (((unsigned int)(vendor) << 16) | (product))
+ #define USB_ID_VENDOR(id) ((id) >> 16)
+ #define USB_ID_PRODUCT(id) ((u16)(id))
+
+--
+2.35.1
+
diff --git a/queue-4.19/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch b/queue-4.19/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
new file mode 100644
index 00000000000..317227990b7
--- /dev/null
+++ b/queue-4.19/arm-vexpress-spc-avoid-negative-array-index-when-smp.patch
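Review bot: The cast added to `USB_ID()` in sound/usb/usbaudio.h carries no comment saying why it is there, so a later cleanup could drop it as redundant. A one-line comment above the macro would pin the reason, for example `/* cast first: shifting a signed vendor ID >= 0x8000 left by 16 overflows int, which is undefined */`. The same applies to `SDIOD_DRVSTR_KEY()` in the brcmfmac sdio.c patch further down, which gets the identical cast. `(product)` is still OR-ed in unmasked, so the macro relies on callers passing a 16-bit value.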
@@ -0,0 +1,58 @@
+From f5f86772649771c681d3aaa75f5bece324735919 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 31 Mar 2022 12:04:43 -0700
+Subject: ARM: vexpress/spc: Avoid negative array index when !SMP
+
+From: Kees Cook
+
+[ Upstream commit b3f1dd52c991d79118f35e6d1bf4d7cb09882e38 ]
+
+When building multi_v7_defconfig+CONFIG_SMP=n, -Warray-bounds exposes
+a couple negative array index accesses:
+
+arch/arm/mach-vexpress/spc.c: In function 've_spc_clk_init':
+arch/arm/mach-vexpress/spc.c:583:21: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+ 583 | if (init_opp_table[cluster])
+ | ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+ 556 | bool init_opp_table[MAX_CLUSTERS] = { false };
+ | ^~~~~~~~~~~~~~
+arch/arm/mach-vexpress/spc.c:592:18: warning: array subscript -1 is below array bounds of 'bool[2]' {aka '_Bool[2]'} [-Warray-bounds]
+ 592 | init_opp_table[cluster] = true;
+ | ~~~~~~~~~~~~~~^~~~~~~~~
+arch/arm/mach-vexpress/spc.c:556:7: note: while referencing 'init_opp_table'
+ 556 | bool init_opp_table[MAX_CLUSTERS] = { false };
+ | ^~~~~~~~~~~~~~
+
+Skip this logic when built !SMP.
+
+Link: https://lore.kernel.org/r/20220331190443.851661-1-keescook@chromium.org
+Cc: Liviu Dudau
+Cc: Sudeep Holla
+Cc: Lorenzo Pieralisi
+Cc: Russell King
+Cc: linux-arm-kernel@lists.infradead.org
+Acked-by: Liviu Dudau
+Signed-off-by: Kees Cook
+Signed-off-by: Sudeep Holla
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-vexpress/spc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/arm/mach-vexpress/spc.c b/arch/arm/mach-vexpress/spc.c
+index 55bbbc3b328f..e65c04be86cc 100644
+--- a/arch/arm/mach-vexpress/spc.c
++++ b/arch/arm/mach-vexpress/spc.c
+@@ -580,7 +580,7 @@ static int __init ve_spc_clk_init(void)
+ }
+
+ cluster = topology_physical_package_id(cpu_dev->id);
+- if (init_opp_table[cluster])
++ if (cluster < 0 || init_opp_table[cluster])
+ continue;
+
+ if (ve_init_opp_table(cpu_dev))
+--
+2.35.1
+
diff --git a/queue-4.19/asoc-atmel-remove-system-clock-tree-configuration-fo.patch b/queue-4.19/asoc-atmel-remove-system-clock-tree-configuration-fo.patch
new file mode 100644
index 00000000000..42f42cec3b0
--- /dev/null
+++ b/queue-4.19/asoc-atmel-remove-system-clock-tree-configuration-fo.patch
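Review bot: The new guard in ve_spc_clk_init() rejects only a negative `cluster`; an index at or above the array size still reaches `init_opp_table[cluster]`. The warning text quoted in the commit message shows the array is declared as `bool init_opp_table[MAX_CLUSTERS]`, so the check could cover both ends: `if (cluster < 0 || cluster >= MAX_CLUSTERS || init_opp_table[cluster])`. Whether topology_physical_package_id() can return such a value on this platform is not visible here, and the function body continues outside the hunk, where `init_opp_table[cluster] = true` is the second access the warning names.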
@@ -0,0 +1,142 @@
+From cfe4aacb3a13c2a3adc3e88ad4f17154356d2594 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 25 Mar 2022 15:42:39 +0000
+Subject: ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek
+
+From: Mark Brown
+
+[ Upstream commit c775cbf62ed4911e4f0f23880f01815753123690 ]
+
+The MCLK of the WM8731 on the AT91SAM9G20-EK board is connected to the
+PCK0 output of the SoC, intended in the reference software to be supplied
+using PLLB and programmed to 12MHz. As originally written for use with a
+board file the audio driver was responsible for configuring the entire tree
+but in the conversion to the common clock framework the registration of
+the named pck0 and pllb clocks was removed so the driver has failed to
+instantiate ever since.
+
+Since the WM8731 driver has had support for managing a MCLK provided via
+the common clock framework for some time we can simply drop all the clock
+management code from the machine driver other than configuration of the
+sysclk rate, the CODEC driver still respects that configuration from the
+machine driver.
+
+Fixes: ff78a189b0ae55f ("ARM: at91: remove old at91-specific clock driver")
+Signed-off-by: Mark Brown
+Reviewed-by: Codrin Ciubotariu
+Link: https://lore.kernel.org/r/20220325154241.1600757-2-broonie@kernel.org
+Signed-off-by: Sasha Levin
+---
+ sound/soc/atmel/sam9g20_wm8731.c | 61 --------------------------------
+ 1 file changed, 61 deletions(-)
+
+diff --git a/sound/soc/atmel/sam9g20_wm8731.c b/sound/soc/atmel/sam9g20_wm8731.c
+index 5041f43ee5f7..06d32257ddb6 100644
+--- a/sound/soc/atmel/sam9g20_wm8731.c
++++ b/sound/soc/atmel/sam9g20_wm8731.c
+@@ -59,35 +59,6 @@
+ */
+ #undef ENABLE_MIC_INPUT
+
+-static struct clk *mclk;
+-
+-static int at91sam9g20ek_set_bias_level(struct snd_soc_card *card,
+- struct snd_soc_dapm_context *dapm,
+- enum snd_soc_bias_level level)
+-{
+- static int mclk_on;
+- int ret = 0;
+-
+- switch (level) {
+- case SND_SOC_BIAS_ON:
+- case SND_SOC_BIAS_PREPARE:
+- if (!mclk_on)
+- ret = clk_enable(mclk);
+- if (ret == 0)
+- mclk_on = 1;
+- break;
+-
+- case SND_SOC_BIAS_OFF:
+- case SND_SOC_BIAS_STANDBY:
+- if (mclk_on)
+- clk_disable(mclk);
+- mclk_on = 0;
+- break;
+- }
+-
+- return ret;
+-}
+-
+ static const struct snd_soc_dapm_widget at91sam9g20ek_dapm_widgets[] = {
+ SND_SOC_DAPM_MIC("Int Mic", NULL),
+ SND_SOC_DAPM_SPK("Ext Spk", NULL),
+@@ -146,7 +117,6 @@ static struct snd_soc_card snd_soc_at91sam9g20ek = {
+ .owner = THIS_MODULE,
+ .dai_link = &at91sam9g20ek_dai,
+ .num_links = 1,
+- .set_bias_level = at91sam9g20ek_set_bias_level,
+
+ .dapm_widgets = at91sam9g20ek_dapm_widgets,
+ .num_dapm_widgets = ARRAY_SIZE(at91sam9g20ek_dapm_widgets),
+@@ -159,7 +129,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+ {
+ struct device_node *np = pdev->dev.of_node;
+ struct device_node *codec_np, *cpu_np;
+- struct clk *pllb;
+ struct snd_soc_card *card = &snd_soc_at91sam9g20ek;
+ int ret;
+
+@@ -173,31 +142,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+ return -EINVAL;
+ }
+
+- /*
+- * Codec MCLK is supplied by PCK0 - set it up.
+- */
+- mclk = clk_get(NULL, "pck0");
+- if (IS_ERR(mclk)) {
+- dev_err(&pdev->dev, "Failed to get MCLK\n");
+- ret = PTR_ERR(mclk);
+- goto err;
+- }
+-
+- pllb = clk_get(NULL, "pllb");
+- if (IS_ERR(pllb)) {
+- dev_err(&pdev->dev, "Failed to get PLLB\n");
+- ret = PTR_ERR(pllb);
+- goto err_mclk;
+- }
+- ret = clk_set_parent(mclk, pllb);
+- clk_put(pllb);
+- if (ret != 0) {
+- dev_err(&pdev->dev, "Failed to set MCLK parent\n");
+- goto err_mclk;
+- }
+-
+- clk_set_rate(mclk, MCLK_RATE);
+-
+ card->dev = &pdev->dev;
+
+ /* Parse device node info */
+@@ -241,9 +185,6 @@ static int at91sam9g20ek_audio_probe(struct platform_device *pdev)
+
+ return ret;
+
+-err_mclk:
+- clk_put(mclk);
+- mclk = NULL;
+ err:
+ atmel_ssc_put_audio(0);
+ return ret;
+@@ -253,8 +194,6 @@ static int at91sam9g20ek_audio_remove(struct platform_device *pdev)
+ {
+ struct snd_soc_card *card = platform_get_drvdata(pdev);
+
+- clk_disable(mclk);
+- mclk = NULL;
+ snd_soc_unregister_card(card);
+ atmel_ssc_put_audio(0);
+
+--
+2.35.1
+
diff --git a/queue-4.19/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch b/queue-4.19/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch
new file mode 100644
index 00000000000..a5f20e6f1e1
--- /dev/null
+++ b/queue-4.19/asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch
@@ -0,0 +1,47 @@
+From b2a689b390cef37a1a72e4858276e06604fe6124 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 3 Apr 2022 11:52:39 +0000
+Subject: ASoC: msm8916-wcd-digital: Check failure for
+ devm_snd_soc_register_component
+
+From: Miaoqian Lin
+
+[ Upstream commit e927b05f3cc20de87f6b7d912a5bbe556931caca ]
+
+devm_snd_soc_register_component() may fails, we should check the error
+and do the corresponding error handling.
+
+Fixes: 150db8c5afa1 ("ASoC: codecs: Add msm8916-wcd digital codec")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220403115239.30140-1-linmq006@gmail.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/codecs/msm8916-wcd-digital.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/sound/soc/codecs/msm8916-wcd-digital.c b/sound/soc/codecs/msm8916-wcd-digital.c
+index e6750bda542a..fa813ec32119 100644
+--- a/sound/soc/codecs/msm8916-wcd-digital.c
++++ b/sound/soc/codecs/msm8916-wcd-digital.c
+@@ -923,9 +923,16 @@ static int msm8916_wcd_digital_probe(struct platform_device *pdev)
+
+ dev_set_drvdata(dev, priv);
+
+- return devm_snd_soc_register_component(dev, &msm8916_wcd_digital,
++ ret = devm_snd_soc_register_component(dev, &msm8916_wcd_digital,
+ msm8916_wcd_digital_dai,
+ ARRAY_SIZE(msm8916_wcd_digital_dai));
++ if (ret)
++ goto err_mclk;
++
++ return 0;
++
++err_mclk:
++ clk_disable_unprepare(priv->mclk);
+ err_clk:
+ clk_disable_unprepare(priv->ahbclk);
+ return ret;
+--
+2.35.1
+
diff --git a/queue-4.19/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch b/queue-4.19/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
new file mode 100644
index 00000000000..3ffc05ef772
--- /dev/null
+++ b/queue-4.19/brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch
@@ -0,0 +1,59 @@
+From 6abe44f8c5b988af22577033460ce4b2aabf5c43 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Apr 2022 18:55:37 +0200
+Subject: brcmfmac: sdio: Fix undefined behavior due to shift overflowing the
+ constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+[ Upstream commit 6fb3a5868b2117611f41e421e10e6a8c2a13039a ]
+
+Fix:
+
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c: In function ‘brcmf_sdio_drivestrengthinit’:
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3798:2: error: case label does not reduce to an integer constant
+ case SDIOD_DRVSTR_KEY(BRCM_CC_43143_CHIP_ID, 17):
+ ^~~~
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c:3809:2: error: case label does not reduce to an integer constant
+ case SDIOD_DRVSTR_KEY(BRCM_CC_43362_CHIP_ID, 13):
+ ^~~~
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+Signed-off-by: Borislav Petkov
+Cc: Arend van Spriel
+Cc: Franky Lin
+Cc: Hante Meuleman
+Cc: Kalle Valo
+Cc: "David S. Miller"
+Cc: Jakub Kicinski
+Cc: brcm80211-dev-list.pdl@broadcom.com
+Cc: netdev@vger.kernel.org
+Acked-by: Arend van Spriel
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/Ykx0iRlvtBnKqtbG@zn.tnic
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+index a5195bdb4d9b..0a96c1071e5b 100644
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c
+@@ -560,7 +560,7 @@ enum brcmf_sdio_frmtype {
+ BRCMF_SDIO_FT_SUB,
+ };
+
+-#define SDIOD_DRVSTR_KEY(chip, pmu) (((chip) << 16) | (pmu))
++#define SDIOD_DRVSTR_KEY(chip, pmu) (((unsigned int)(chip) << 16) | (pmu))
+
+ /* SDIO Pad drive strength to select value mappings */
+ struct sdiod_drive_str {
+--
+2.35.1
+
diff --git a/queue-4.19/cifs-check-the-iocb_direct-flag-not-o_direct.patch b/queue-4.19/cifs-check-the-iocb_direct-flag-not-o_direct.patch
new file mode 100644
index 00000000000..bbf6cb75c4e
--- /dev/null
+++ b/queue-4.19/cifs-check-the-iocb_direct-flag-not-o_direct.patch
@@ -0,0 +1,39 @@
+From 36d01e0313b1240b4e2d41268430f4733bbb369e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 00:03:14 +0100
+Subject: cifs: Check the IOCB_DIRECT flag, not O_DIRECT
+
+From: David Howells
+
+[ Upstream commit 994fd530a512597ffcd713b0f6d5bc916c5698f0 ]
+
+Use the IOCB_DIRECT indicator flag on the I/O context rather than checking to
+see if the file was opened O_DIRECT.
+
+Signed-off-by: David Howells
+cc: Steve French
+cc: Shyam Prasad N
+cc: Rohith Surabattula
+cc: linux-cifs@vger.kernel.org
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/cifsfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fs/cifs/cifsfs.c b/fs/cifs/cifsfs.c
+index baa1713d6695..52b1524b40cd 100644
+--- a/fs/cifs/cifsfs.c
++++ b/fs/cifs/cifsfs.c
+@@ -813,7 +813,7 @@ cifs_loose_read_iter(struct kiocb *iocb, struct iov_iter *iter)
+ ssize_t rc;
+ struct inode *inode = file_inode(iocb->ki_filp);
+
+- if (iocb->ki_filp->f_flags & O_DIRECT)
++ if (iocb->ki_flags & IOCB_DIRECT)
+ return cifs_user_readv(iocb, iter);
+
+ rc = cifs_revalidate_mapping(inode);
+--
+2.35.1
+
diff --git a/queue-4.19/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch b/queue-4.19/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
new file mode 100644
index 00000000000..92e6d609612
--- /dev/null
+++ b/queue-4.19/dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch
@@ -0,0 +1,46 @@
+From fd806592bdcd2fee055f5a4303847f5da5613d84 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Mar 2022 06:49:51 +0000
+Subject: dmaengine: imx-sdma: Fix error checking in sdma_event_remap
+
+From: Miaoqian Lin
+
+[ Upstream commit 7104b9cb35a33ad803a1adbbfa50569b008faf15 ]
+
+of_parse_phandle() returns NULL on errors, rather than error
+pointers. Using NULL check on grp_np to fix this.
+
+Fixes: d078cd1b4185 ("dmaengine: imx-sdma: Add imx6sx platform support")
+Signed-off-by: Miaoqian Lin
+Link: https://lore.kernel.org/r/20220308064952.15743-1-linmq006@gmail.com
+Signed-off-by: Vinod Koul
+Signed-off-by: Sasha Levin
+---
+ drivers/dma/imx-sdma.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/dma/imx-sdma.c b/drivers/dma/imx-sdma.c
+index eea89c3b54c1..709ead443fc5 100644
+--- a/drivers/dma/imx-sdma.c
++++ b/drivers/dma/imx-sdma.c
+@@ -1771,7 +1771,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+ u32 reg, val, shift, num_map, i;
+ int ret = 0;
+
+- if (IS_ERR(np) || IS_ERR(gpr_np))
++ if (IS_ERR(np) || !gpr_np)
+ goto out;
+
+ event_remap = of_find_property(np, propname, NULL);
+@@ -1819,7 +1819,7 @@ static int sdma_event_remap(struct sdma_engine *sdma)
+ }
+
+ out:
+- if (!IS_ERR(gpr_np))
++ if (gpr_np)
+ of_node_put(gpr_np);
+
+ return ret;
+--
+2.35.1
+
diff --git a/queue-4.19/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch b/queue-4.19/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch
new file mode 100644
index 00000000000..4043789e1a0
--- /dev/null
+++ b/queue-4.19/dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch
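Review bot: `IS_ERR(np)` is left in the condition in sdma_event_remap() although the commit replaces the same kind of test on `gpr_np`; if `np` is an ordinary device-node pointer (its initialiser is outside the hunk), a missing node would be NULL and this test can never fire. If that is the case the condition would read `if (!np || !gpr_np)`. At the `out:` label the `if (gpr_np)` guard is also unnecessary, since of_node_put() accepts a NULL pointer, so `of_node_put(gpr_np);` alone is enough.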
@@ -0,0 +1,46 @@
+From e5d14c25000e428e46083a265f3564ef6f06c138 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 8 Apr 2022 09:49:41 +0000
+Subject: dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info()
+
+From: Lv Ruyi
+
+[ Upstream commit 1a7eb80d170c28be2928433702256fe2a0bd1e0f ]
+
+Both of of_get_parent() and of_parse_phandle() return node pointer with
+refcount incremented, use of_node_put() on it to decrease refcount
+when done.
+
+Reported-by: Zeal Robot
+Signed-off-by: Lv Ruyi
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+index 3184c8f7cdd0..6e69bcdf9c40 100644
+--- a/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
++++ b/drivers/net/ethernet/freescale/dpaa/dpaa_ethtool.c
+@@ -530,11 +530,15 @@ static int dpaa_get_ts_info(struct net_device *net_dev,
+ info->phc_index = -1;
+
+ fman_node = of_get_parent(mac_node);
+- if (fman_node)
++ if (fman_node) {
+ ptp_node = of_parse_phandle(fman_node, "ptimer-handle", 0);
++ of_node_put(fman_node);
++ }
+
+- if (ptp_node)
++ if (ptp_node) {
+ ptp_dev = of_find_device_by_node(ptp_node);
++ of_node_put(ptp_node);
++ }
+
+ if (ptp_dev)
+ ptp = platform_get_drvdata(ptp_dev);
+--
+2.35.1
+
diff --git a/queue-4.19/drm-msm-mdp5-check-the-return-of-kzalloc.patch b/queue-4.19/drm-msm-mdp5-check-the-return-of-kzalloc.patch
new file mode 100644
index 00000000000..c26f9a8267b
--- /dev/null
+++ b/queue-4.19/drm-msm-mdp5-check-the-return-of-kzalloc.patch
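Review bot: The device reference taken by `of_find_device_by_node(ptp_node)` in dpaa_get_ts_info() is not released anywhere in this hunk, while the two node references next to it now are. That call returns the platform device with its reference count raised, so unless a `put_device(&ptp_dev->dev);` follows once `ptp` has been read, each call leaks one reference. The function continues past the hunk, so the release may already exist below; that is worth confirming.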
@@ -0,0 +1,45 @@
+From 8dce970c1b9852a0bf5bac3709344810c3e8166c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 10:31:51 +0800
+Subject: drm/msm/mdp5: check the return of kzalloc()
+
+From: Xiaoke Wang
+
+[ Upstream commit 047ae665577776b7feb11bd4f81f46627cff95e7 ]
+
+kzalloc() is a memory allocation function which can return NULL when
+some internal memory errors happen. So it is better to check it to
+prevent potential wrong memory access.
+
+Besides, since mdp5_plane_reset() is void type, so we should better
+set `plane-state` to NULL after releasing it.
+
+Signed-off-by: Xiaoke Wang
+Reviewed-by: Dmitry Baryshkov
+Patchwork: https://patchwork.freedesktop.org/patch/481055/
+Link: https://lore.kernel.org/r/tencent_8E2A1C78140EE1784AB2FF4B2088CC0AB908@qq.com
+Signed-off-by: Dmitry Baryshkov
+Signed-off-by: Rob Clark
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
+index 1ddf07514de6..3d8eaa25bea0 100644
+--- a/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
++++ b/drivers/gpu/drm/msm/disp/mdp5/mdp5_plane.c
+@@ -188,7 +188,10 @@ static void mdp5_plane_reset(struct drm_plane *plane)
+ drm_framebuffer_unreference(plane->state->fb);
+
+ kfree(to_mdp5_plane_state(plane->state));
++ plane->state = NULL;
+ mdp5_state = kzalloc(sizeof(*mdp5_state), GFP_KERNEL);
++ if (!mdp5_state)
++ return;
+
+ /* assign default blend parameters */
+ mdp5_state->alpha = 255;
+--
+2.35.1
+
diff --git a/queue-4.19/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch b/queue-4.19/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch
new file mode 100644
index 00000000000..0320f782387
--- /dev/null
+++ b/queue-4.19/mt76-fix-undefined-behavior-due-to-shift-overflowing.patch
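Review bot: The added early `return` in mdp5_plane_reset() leaves `plane->state` NULL without any message, so an allocation failure here is silent and the NULL is handed on to whatever reads `plane->state` next. Whether those readers tolerate NULL cannot be seen from the hunk. A comment at the return would at least record the contract, e.g. `/* out of memory: plane->state stays NULL, users must check it */`. The guard in front of `drm_framebuffer_unreference(plane->state->fb)` is above the hunk; the function both starts and ends outside it.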
@@ -0,0 +1,56 @@
+From 517689ea725abce265be76f1e03b9a69e6810449 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 5 Apr 2022 17:15:14 +0200
+Subject: mt76: Fix undefined behavior due to shift overflowing the constant
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Borislav Petkov
+
+[ Upstream commit dbc2b1764734857d68425468ffa8486e97ab89df ]
+
+Fix:
+
+ drivers/net/wireless/mediatek/mt76/mt76x2/pci.c: In function ‘mt76x2e_probe’:
+ ././include/linux/compiler_types.h:352:38: error: call to ‘__compiletime_assert_946’ \
+ declared with attribute error: FIELD_PREP: mask is not constant
+ _compiletime_assert(condition, msg, __compiletime_assert_, __COUNTER__)
+
+See https://lore.kernel.org/r/YkwQ6%2BtIH8GQpuct@zn.tnic for the gory
+details as to why it triggers with older gccs only.
+
+Signed-off-by: Borislav Petkov
+Cc: Felix Fietkau
+Cc: Lorenzo Bianconi
+Cc: Ryder Lee
+Cc: Shayne Chen
+Cc: Sean Wang
+Cc: Kalle Valo
+Cc: "David S. Miller"
+Cc: Jakub Kicinski
+Cc: linux-wireless@vger.kernel.org
+Cc: netdev@vger.kernel.org
+Signed-off-by: Kalle Valo
+Link: https://lore.kernel.org/r/20220405151517.29753-9-bp@alien8.de
+Signed-off-by: Sasha Levin
+---
+ drivers/net/wireless/mediatek/mt76/mt76x2_pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/wireless/mediatek/mt76/mt76x2_pci.c b/drivers/net/wireless/mediatek/mt76/mt76x2_pci.c
+index 26cfda24ce08..e26947f89299 100644
+--- a/drivers/net/wireless/mediatek/mt76/mt76x2_pci.c
++++ b/drivers/net/wireless/mediatek/mt76/mt76x2_pci.c
+@@ -73,7 +73,7 @@ mt76pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
+ mt76_rmw_field(dev, 0x15a10, 0x1f << 16, 0x9);
+
+ /* RG_SSUSB_G1_CDR_BIC_LTR = 0xf */
+- mt76_rmw_field(dev, 0x15a0c, 0xf << 28, 0xf);
++ mt76_rmw_field(dev, 0x15a0c, 0xfU << 28, 0xf);
+
+ /* RG_SSUSB_CDR_BR_PE1D = 0x3 */
+ mt76_rmw_field(dev, 0x15c58, 0x3 << 6, 0x3);
+--
+2.35.1
+
diff --git a/queue-4.19/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch b/queue-4.19/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
new file mode 100644
index 00000000000..9b105f89f53
--- /dev/null
+++ b/queue-4.19/net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch
@@ -0,0 +1,64 @@
+From afa2a41ba81d3d506a83d20ba2a1c1aedb192afe Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 7 Apr 2022 19:16:59 +0300
+Subject: net: macb: Restart tx only if queue pointer is lagging
+
+From: Tomas Melin
+
+[ Upstream commit 5ad7f18cd82cee8e773d40cc7a1465a526f2615c ]
+
+commit 4298388574da ("net: macb: restart tx after tx used bit read")
+added support for restarting transmission. Restarting tx does not work
+in case controller asserts TXUBR interrupt and TQBP is already at the end
+of the tx queue. In that situation, restarting tx will immediately cause
+assertion of another TXUBR interrupt. The driver will end up in an infinite
+interrupt loop which it cannot break out of.
+
+For cases where TQBP is at the end of the tx queue, instead
+only clear TX_USED interrupt. As more data gets pushed to the queue,
+transmission will resume.
+
+This issue was observed on a Xilinx Zynq-7000 based board.
+During stress test of the network interface,
+driver would get stuck on interrupt loop within seconds or minutes
+causing CPU to stall.
+
+Signed-off-by: Tomas Melin
+Tested-by: Claudiu Beznea
+Reviewed-by: Claudiu Beznea
+Link: https://lore.kernel.org/r/20220407161659.14532-1-tomas.melin@vaisala.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/cadence/macb_main.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/drivers/net/ethernet/cadence/macb_main.c b/drivers/net/ethernet/cadence/macb_main.c
+index 460bb81acf2b..d8e4842af055 100644
+--- a/drivers/net/ethernet/cadence/macb_main.c
++++ b/drivers/net/ethernet/cadence/macb_main.c
+@@ -1364,6 +1364,7 @@ static void macb_tx_restart(struct macb_queue *queue)
+ unsigned int head = queue->tx_head;
+ unsigned int tail = queue->tx_tail;
+ struct macb *bp = queue->bp;
++ unsigned int head_idx, tbqp;
+
+ if (bp->caps & MACB_CAPS_ISR_CLEAR_ON_WRITE)
+ queue_writel(queue, ISR, MACB_BIT(TXUBR));
+@@ -1371,6 +1372,13 @@ static void macb_tx_restart(struct macb_queue *queue)
+ if (head == tail)
+ return;
+
++ tbqp = queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp);
++ tbqp = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, tbqp));
++ head_idx = macb_adj_dma_desc_idx(bp, macb_tx_ring_wrap(bp, head));
++
++ if (tbqp == head_idx)
++ return;
++
+ macb_writel(bp, NCR, macb_readl(bp, NCR) | MACB_BIT(TSTART));
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-packet-fix-packet_sock-xmit-return-value-checkin.patch b/queue-4.19/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
new file mode 100644
index 00000000000..4f9b98a6aa0
--- /dev/null
+++ b/queue-4.19/net-packet-fix-packet_sock-xmit-return-value-checkin.patch
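Review bot: The index computed from TBQP in macb_tx_restart() is only comparable with `head_idx` if the ring's DMA base address is a multiple of the ring size in bytes, because `queue_readl(queue, TBQP) / macb_dma_desc_get_size(bp)` divides the raw register value rather than an offset from the ring base. Nothing in the hunk establishes that alignment, so this is inferred from the arithmetic; if it does not hold, `tbqp == head_idx` compares unrelated indices and a needed restart could be skipped. Either subtract the ring base before dividing or state the assumption next to the read, e.g. `/* relies on the TX ring base being aligned to the ring size in bytes */`.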
@@ -0,0 +1,59 @@
+From c1bd88eaafe7466e552ffd209fa4066789e243dd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 14 Apr 2022 16:49:25 +0800
+Subject: net/packet: fix packet_sock xmit return value checking
+
+From: Hangbin Liu
+
+[ Upstream commit 29e8e659f984be00d75ec5fef4e37c88def72712 ]
+
+packet_sock xmit could be dev_queue_xmit, which also returns negative
+errors. So only checking positive errors is not enough, or userspace
+sendmsg may return success while packet is not send out.
+
+Move the net_xmit_errno() assignment in the braces as checkpatch.pl said
+do not use assignment in if condition.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Reported-by: Flavio Leitner
+Signed-off-by: Hangbin Liu
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/packet/af_packet.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
+index b951f411dded..f654f79e3310 100644
+--- a/net/packet/af_packet.c
++++ b/net/packet/af_packet.c
+@@ -2791,8 +2791,9 @@ static int tpacket_snd(struct packet_sock *po, struct msghdr *msg)
+
+ status = TP_STATUS_SEND_REQUEST;
+ err = po->xmit(skb);
+- if (unlikely(err > 0)) {
+- err = net_xmit_errno(err);
++ if (unlikely(err != 0)) {
++ if (err > 0)
++ err = net_xmit_errno(err);
+ if (err && __packet_get_status(po, ph) ==
+ TP_STATUS_AVAILABLE) {
+ /* skb was destructed already */
+@@ -2993,8 +2994,12 @@ static int packet_snd(struct socket *sock, struct msghdr *msg, size_t len)
+ skb->no_fcs = 1;
+
+ err = po->xmit(skb);
+- if (err > 0 && (err = net_xmit_errno(err)) != 0)
+- goto out_unlock;
++ if (unlikely(err != 0)) {
++ if (err > 0)
++ err = net_xmit_errno(err);
++ if (err)
++ goto out_unlock;
++ }
+
+ dev_put(dev);
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch b/queue-4.19/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch
new file mode 100644
index 00000000000..05bcffeea93
--- /dev/null
+++ b/queue-4.19/net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch
@@ -0,0 +1,57 @@
+From 11132b4e43a9170714018c5b4d7f165d43123b19 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 13 Apr 2022 10:35:42 -0700
+Subject: net/sched: cls_u32: fix possible leak in u32_init_knode()
+
+From: Eric Dumazet
+
+[ Upstream commit ec5b0f605b105457f257f2870acad4a5d463984b ]
+
+While investigating a related syzbot report,
+I found that whenever call to tcf_exts_init()
+from u32_init_knode() is failing, we end up
+with an elevated refcount on ht->refcnt
+
+To avoid that, only increase the refcount after
+all possible errors have been evaluated.
+
+Fixes: b9a24bb76bf6 ("net_sched: properly handle failure case of tcf_exts_init()")
+Signed-off-by: Eric Dumazet
+Cc: Cong Wang
+Cc: Jiri Pirko
+Acked-by: Jamal Hadi Salim
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/sched/cls_u32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/net/sched/cls_u32.c b/net/sched/cls_u32.c
+index fe246e03fcd9..5eee26cf9011 100644
+--- a/net/sched/cls_u32.c
++++ b/net/sched/cls_u32.c
+@@ -873,10 +873,6 @@ static struct tc_u_knode *u32_init_knode(struct tcf_proto *tp,
+ new->flags = n->flags;
+ RCU_INIT_POINTER(new->ht_down, ht);
+
+- /* bump reference count as long as we hold pointer to structure */
+- if (ht)
+- ht->refcnt++;
+-
+ #ifdef CONFIG_CLS_U32_PERF
+ /* Statistics may be incremented by readers during update
+ * so we must keep them in tact. When the node is later destroyed
+@@ -899,6 +895,10 @@ static struct tc_u_knode *u32_init_knode(struct tcf_proto *tp,
+ return NULL;
+ }
+
++ /* bump reference count as long as we hold pointer to structure */
++ if (ht)
++ ht->refcnt++;
++
+ return new;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/netlink-reset-network-and-mac-headers-in-netlink_dum.patch b/queue-4.19/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
new file mode 100644
index 00000000000..582e6d8c293
--- /dev/null
+++ b/queue-4.19/netlink-reset-network-and-mac-headers-in-netlink_dum.patch
@@ -0,0 +1,136 @@ +From b13650c03d4afaf903b9ee9a9ac1838731e30a17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Apr 2022 11:14:42 -0700 +Subject: netlink: reset network and mac headers in netlink_dump() + +From: Eric Dumazet + +[ Upstream commit 99c07327ae11e24886d552dddbe4537bfca2765d ] + +netlink_dump() is allocating an skb, reserves space in it +but forgets to reset network header. + +This allows a BPF program, invoked later from sk_filter() +to access uninitialized kernel memory from the reserved +space. + +Theorically mac header reset could be omitted, because +it is set to a special initial value. +bpf_internal_load_pointer_neg_helper calls skb_mac_header() +without checking skb_mac_header_was_set(). +Relying on skb->len not being too big seems fragile. +We also could add a sanity check in bpf_internal_load_pointer_neg_helper() +to avoid surprises in the future. + +syzbot report was: + +BUG: KMSAN: uninit-value in ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + ___bpf_prog_run+0xa22b/0xb420 kernel/bpf/core.c:1637 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv 
fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was stored to memory at: + ___bpf_prog_run+0x96c/0xb420 kernel/bpf/core.c:1558 + __bpf_prog_run32+0x121/0x180 kernel/bpf/core.c:1796 + bpf_dispatcher_nop_func include/linux/bpf.h:784 [inline] + __bpf_prog_run include/linux/filter.h:626 [inline] + bpf_prog_run include/linux/filter.h:633 [inline] + __bpf_prog_run_save_cb+0x168/0x580 include/linux/filter.h:756 + bpf_prog_run_save_cb include/linux/filter.h:770 [inline] + sk_filter_trim_cap+0x3bc/0x8c0 net/core/filter.c:150 + sk_filter include/linux/filter.h:905 [inline] + netlink_dump+0xe0c/0x16c0 net/netlink/af_netlink.c:2276 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 [inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Uninit was created at: + slab_post_alloc_hook mm/slab.h:737 [inline] + slab_alloc_node mm/slub.c:3244 [inline] + __kmalloc_node_track_caller+0xde3/0x14f0 mm/slub.c:4972 + kmalloc_reserve net/core/skbuff.c:354 [inline] + __alloc_skb+0x545/0xf90 net/core/skbuff.c:426 + alloc_skb include/linux/skbuff.h:1158 [inline] + netlink_dump+0x30f/0x16c0 net/netlink/af_netlink.c:2242 + netlink_recvmsg+0x1129/0x1c80 net/netlink/af_netlink.c:2002 + sock_recvmsg_nosec net/socket.c:948 [inline] + sock_recvmsg net/socket.c:966 
[inline] + sock_read_iter+0x5a9/0x630 net/socket.c:1039 + do_iter_readv_writev+0xa7f/0xc70 + do_iter_read+0x52c/0x14c0 fs/read_write.c:786 + vfs_readv fs/read_write.c:906 [inline] + do_readv+0x432/0x800 fs/read_write.c:943 + __do_sys_readv fs/read_write.c:1034 [inline] + __se_sys_readv fs/read_write.c:1031 [inline] + __x64_sys_readv+0xe5/0x120 fs/read_write.c:1031 + do_syscall_x64 arch/x86/entry/common.c:51 [inline] + do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:81 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +CPU: 0 PID: 3470 Comm: syz-executor751 Not tainted 5.17.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 + +Fixes: db65a3aaf29e ("netlink: Trim skb to alloc size to avoid MSG_TRUNC") +Fixes: 9063e21fb026 ("netlink: autosize skb lengthes") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Link: https://lore.kernel.org/r/20220415181442.551228-1-eric.dumazet@gmail.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/netlink/af_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 5c6241964637..e2120221b957 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2243,6 +2243,13 @@ static int netlink_dump(struct sock *sk) + * single netdev. The outcome is MSG_TRUNC error. + */ + skb_reserve(skb, skb_tailroom(skb) - alloc_size); ++ ++ /* Make sure malicious BPF programs can not read unitialized memory ++ * from skb->head -> skb->data ++ */ ++ skb_reset_network_header(skb); ++ skb_reset_mac_header(skb); ++ + netlink_skb_set_owner_r(skb, sk); + + if (nlk->dump_done_errno > 0) +-- +2.35.1 + diff --git a/queue-4.19/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch b/queue-4.19/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch new file mode 100644 index 00000000000..5236e69f95d --- /dev/null +++ b/queue-4.19/platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch 
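Review bot: The comment added before `skb_reset_network_header(skb)` in netlink_dump() names the threat but not the mechanism, and it misspells "uninitialized". It should state that both header offsets are set to skb->data so that header-relative loads made by a socket filter run from sk_filter() cannot land in the reserved, never-written area between skb->head and skb->data, for example `/* Point network and mac headers at skb->data: BPF loads relative to them must not reach the uninitialized headroom reserved above */`. The commit message also notes that bpf_internal_load_pointer_neg_helper() calls skb_mac_header() without checking skb_mac_header_was_set(); a check there would be a separate change, but it is worth tracking for this branch because, as far as the hunk shows, this fix only covers skbs built in netlink_dump(). The function continues outside the hunk.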
@@ -0,0 +1,41 @@
+From b78bd0642b622afb82f0b259469deadd2555311c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 22 Mar 2022 14:18:30 +0800
+Subject: platform/x86: samsung-laptop: Fix an unsigned comparison which can
+ never be negative
+
+From: Jiapeng Chong
+
+[ Upstream commit 0284d4d1be753f648f28b77bdfbe6a959212af5c ]
+
+Eliminate the follow smatch warnings:
+
+drivers/platform/x86/samsung-laptop.c:1124 kbd_led_set() warn: unsigned
+'value' is never less than zero.
+
+Reported-by: Abaci Robot
+Signed-off-by: Jiapeng Chong
+Link: https://lore.kernel.org/r/20220322061830.105579-1-jiapeng.chong@linux.alibaba.com
+Reviewed-by: Hans de Goede
+Signed-off-by: Hans de Goede
+Signed-off-by: Sasha Levin
+---
+ drivers/platform/x86/samsung-laptop.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/drivers/platform/x86/samsung-laptop.c b/drivers/platform/x86/samsung-laptop.c
+index 7b160ee98115..3e66be504a0d 100644
+--- a/drivers/platform/x86/samsung-laptop.c
++++ b/drivers/platform/x86/samsung-laptop.c
+@@ -1125,8 +1125,6 @@ static void kbd_led_set(struct led_classdev *led_cdev,
+
+ if (value > samsung->kbd_led.max_brightness)
+ value = samsung->kbd_led.max_brightness;
+- else if (value < 0)
+- value = 0;
+
+ samsung->kbd_led_wk = value;
+ queue_work(samsung->led_workqueue, &samsung->kbd_led_work);
+--
+2.35.1
+
diff --git a/queue-4.19/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch b/queue-4.19/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch
new file mode 100644
index 00000000000..c45fcc85a5b
--- /dev/null
+++ b/queue-4.19/reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch
@@ -0,0 +1,58 @@
+From 0cea98e55a55c0169ebbd40e2a8bca2f200947ca Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Jan 2022 19:26:46 +0530
+Subject: reset: tegra-bpmp: Restore Handle errors in BPMP response
+
+From: Sameer Pujar
+
+[ Upstream commit d1da1052ffad63aa5181b69f20a6952e31f339c2 ]
+
+This reverts following commit 69125b4b9440 ("reset: tegra-bpmp: Revert
+Handle errors in BPMP response").
+
+The Tegra194 HDA reset failure is fixed by commit d278dc9151a0 ("ALSA:
+hda/tegra: Fix Tegra194 HDA reset failure"). The temporary revert of
+original commit c045ceb5a145 ("reset: tegra-bpmp: Handle errors in BPMP
+response") can be removed now.
+
+Signed-off-by: Sameer Pujar
+Tested-by: Jon Hunter
+Reviewed-by: Jon Hunter
+Acked-by: Thierry Reding
+Signed-off-by: Philipp Zabel
+Link: https://lore.kernel.org/r/1641995806-15245-1-git-send-email-spujar@nvidia.com
+Signed-off-by: Sasha Levin
+---
+ drivers/reset/tegra/reset-bpmp.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/reset/tegra/reset-bpmp.c b/drivers/reset/tegra/reset-bpmp.c
+index 5daf2ee1a396..f9790b60f996 100644
+--- a/drivers/reset/tegra/reset-bpmp.c
++++ b/drivers/reset/tegra/reset-bpmp.c
+@@ -23,6 +23,7 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
+ struct tegra_bpmp *bpmp = to_tegra_bpmp(rstc);
+ struct mrq_reset_request request;
+ struct tegra_bpmp_message msg;
++ int err;
+
+ memset(&request, 0, sizeof(request));
+ request.cmd = command;
+@@ -33,7 +34,13 @@ static int tegra_bpmp_reset_common(struct reset_controller_dev *rstc,
+ msg.tx.data = &request;
+ msg.tx.size = sizeof(request);
+
+- return tegra_bpmp_transfer(bpmp, &msg);
++ err = tegra_bpmp_transfer(bpmp, &msg);
++ if (err)
++ return err;
++ if (msg.rx.ret)
++ return -EINVAL;
++
++ return 0;
+ }
+
+ static int tegra_bpmp_reset_module(struct reset_controller_dev *rstc,
+--
+2.35.1
+
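Review bot: In tegra_bpmp_reset_common() the new `if (msg.rx.ret) return -EINVAL;` maps every firmware-side failure to one errno and nothing records the original value, which makes a failed reset hard to diagnose from the caller's side. At minimum the two checks need a comment that separates them, e.g. `/* transport succeeded; a non-zero rx.ret means the BPMP firmware rejected the request */`. The check also reads `msg.rx.ret` from a stack `struct tegra_bpmp_message` whose initialisation falls between the two inner hunks and is not visible, so confirm the field is zeroed beforehand or always written by tegra_bpmp_transfer() when it returns 0.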
diff --git a/queue-4.19/rxrpc-restore-removed-timer-deletion.patch b/queue-4.19/rxrpc-restore-removed-timer-deletion.patch
new file mode 100644
index 00000000000..f42312daa38
--- /dev/null
+++ b/queue-4.19/rxrpc-restore-removed-timer-deletion.patch
@@ -0,0 +1,59 @@ +From 1939258f45e63ed8cbadcc3ca6371135e9a520ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 13 Apr 2022 11:16:25 +0100 +Subject: rxrpc: Restore removed timer deletion + +From: David Howells + +[ Upstream commit ee3b0826b4764f6c13ad6db67495c5a1c38e9025 ] + +A recent patch[1] from Eric Dumazet flipped the order in which the +keepalive timer and the keepalive worker were cancelled in order to fix a +syzbot reported issue[2]. Unfortunately, this enables the mirror image bug +whereby the timer races with rxrpc_exit_net(), restarting the worker after +it has been cancelled: + + CPU 1 CPU 2 + =============== ===================== + if (rxnet->live) + + rxnet->live = false; + cancel_work_sync(&rxnet->peer_keepalive_work); + rxrpc_queue_work(&rxnet->peer_keepalive_work); + del_timer_sync(&rxnet->peer_keepalive_timer); + +Fix this by restoring the removed del_timer_sync() so that we try to remove +the timer twice. If the timer runs again, it should see ->live == false +and not restart the worker. + +Fixes: 1946014ca3b1 ("rxrpc: fix a race in rxrpc_exit_net()") +Signed-off-by: David Howells +cc: Eric Dumazet +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/20220404183439.3537837-1-eric.dumazet@gmail.com/ [1] +Link: https://syzkaller.appspot.com/bug?extid=724378c4bb58f703b09a [2] +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/rxrpc/net_ns.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/rxrpc/net_ns.c b/net/rxrpc/net_ns.c +index 1b403c2573da..39579cfcf9b8 100644 +--- a/net/rxrpc/net_ns.c ++++ b/net/rxrpc/net_ns.c +@@ -117,7 +117,9 @@ static __net_exit void rxrpc_exit_net(struct net *net) + struct rxrpc_net *rxnet = rxrpc_net(net); + + rxnet->live = false; ++ del_timer_sync(&rxnet->peer_keepalive_timer); + cancel_work_sync(&rxnet->peer_keepalive_work); ++ /* Remove the timer again as the worker may have restarted it. 
*/ + del_timer_sync(&rxnet->peer_keepalive_timer); + rxrpc_destroy_all_calls(rxnet); + rxrpc_destroy_all_connections(rxnet); +-- +2.35.1 + diff --git a/queue-4.19/series b/queue-4.19/series index 1bf682aee6d..56ef477284d 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -7,3 +7,22 @@ gfs2-assign-rgrp-glock-before-compute_bitstructs.patch alsa-usb-audio-clear-midi-port-active-flag-after-draining.patch tcp-fix-race-condition-when-creating-child-sockets-f.patch tcp-fix-potential-use-after-free-due-to-double-kfree.patch +asoc-atmel-remove-system-clock-tree-configuration-fo.patch +asoc-msm8916-wcd-digital-check-failure-for-devm_snd_.patch +dmaengine-imx-sdma-fix-error-checking-in-sdma_event_.patch +rxrpc-restore-removed-timer-deletion.patch +net-packet-fix-packet_sock-xmit-return-value-checkin.patch +net-sched-cls_u32-fix-possible-leak-in-u32_init_knod.patch +netlink-reset-network-and-mac-headers-in-netlink_dum.patch +arm-vexpress-spc-avoid-negative-array-index-when-smp.patch +reset-tegra-bpmp-restore-handle-errors-in-bpmp-respo.patch +platform-x86-samsung-laptop-fix-an-unsigned-comparis.patch +alsa-usb-audio-fix-undefined-behavior-due-to-shift-o.patch +vxlan-fix-error-return-code-in-vxlan_fdb_append.patch +cifs-check-the-iocb_direct-flag-not-o_direct.patch +mt76-fix-undefined-behavior-due-to-shift-overflowing.patch +brcmfmac-sdio-fix-undefined-behavior-due-to-shift-ov.patch +dpaa_eth-fix-missing-of_node_put-in-dpaa_get_ts_info.patch +drm-msm-mdp5-check-the-return-of-kzalloc.patch +net-macb-restart-tx-only-if-queue-pointer-is-lagging.patch +stat-fix-inconsistency-between-struct-stat-and-struc.patch diff --git a/queue-4.19/stat-fix-inconsistency-between-struct-stat-and-struc.patch b/queue-4.19/stat-fix-inconsistency-between-struct-stat-and-struc.patch new file mode 100644 index 00000000000..9c15a3400c0 --- /dev/null +++ b/queue-4.19/stat-fix-inconsistency-between-struct-stat-and-struc.patch 
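Review bot: The first `del_timer_sync(&rxnet->peer_keepalive_timer)` added in rxrpc_exit_net() carries no comment while only the second call is explained, so the double deletion reads like an accident and invites a cleanup that removes one of them. I would add `/* Stop the timer before cancelling the worker so it cannot requeue it. */` above the first call. The sequence also depends on the timer handler observing `rxnet->live == false`, which is written with a plain store just above; the handler is outside this hunk, so how it reads the flag should be confirmed. The function continues past the hunk.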
@@ -0,0 +1,138 @@ +From 97853cd77330d1eb13c34fccf8930b297453b62c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Apr 2022 05:41:00 -0400 +Subject: stat: fix inconsistency between struct stat and struct compat_stat + +From: Mikulas Patocka + +[ Upstream commit 932aba1e169090357a77af18850a10c256b50819 ] + +struct stat (defined in arch/x86/include/uapi/asm/stat.h) has 32-bit +st_dev and st_rdev; struct compat_stat (defined in +arch/x86/include/asm/compat.h) has 16-bit st_dev and st_rdev followed by +a 16-bit padding. + +This patch fixes struct compat_stat to match struct stat. + +[ Historical note: the old x86 'struct stat' did have that 16-bit field + that the compat layer had kept around, but it was changes back in 2003 + by "struct stat - support larger dev_t": + + https://git.kernel.org/pub/scm/linux/kernel/git/tglx/history.git/commit/?id=e95b2065677fe32512a597a79db94b77b90c968d + + and back in those days, the x86_64 port was still new, and separate + from the i386 code, and had already picked up the old version with a + 16-bit st_dev field ] + +Note that we can't change compat_dev_t because it is used by +compat_loop_info. + +Also, if the st_dev and st_rdev values are 32-bit, we don't have to use +old_valid_dev to test if the value fits into them. This fixes +-EOVERFLOW on filesystems that are on NVMe because NVMe uses the major +number 259. 
+ +Signed-off-by: Mikulas Patocka +Cc: Andreas Schwab +Cc: Matthew Wilcox +Cc: Christoph Hellwig +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + arch/x86/include/asm/compat.h | 6 ++---- + fs/stat.c | 19 ++++++++++--------- + 2 files changed, 12 insertions(+), 13 deletions(-) + +diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h +index fb97cf7c4137..1def972b6ca3 100644 +--- a/arch/x86/include/asm/compat.h ++++ b/arch/x86/include/asm/compat.h +@@ -46,15 +46,13 @@ typedef u64 __attribute__((aligned(4))) compat_u64; + typedef u32 compat_uptr_t; + + struct compat_stat { +- compat_dev_t st_dev; +- u16 __pad1; ++ u32 st_dev; + compat_ino_t st_ino; + compat_mode_t st_mode; + compat_nlink_t st_nlink; + __compat_uid_t st_uid; + __compat_gid_t st_gid; +- compat_dev_t st_rdev; +- u16 __pad2; ++ u32 st_rdev; + u32 st_size; + u32 st_blksize; + u32 st_blocks; +diff --git a/fs/stat.c b/fs/stat.c +index f8e6fb2c3657..376543199b5a 100644 +--- a/fs/stat.c ++++ b/fs/stat.c +@@ -286,9 +286,6 @@ SYSCALL_DEFINE2(fstat, unsigned int, fd, struct __old_kernel_stat __user *, stat + # define choose_32_64(a,b) b + #endif + +-#define valid_dev(x) choose_32_64(old_valid_dev(x),true) +-#define encode_dev(x) choose_32_64(old_encode_dev,new_encode_dev)(x) +- + #ifndef INIT_STRUCT_STAT_PADDING + # define INIT_STRUCT_STAT_PADDING(st) memset(&st, 0, sizeof(st)) + #endif +@@ -297,7 +294,9 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + { + struct stat tmp; + +- if (!valid_dev(stat->dev) || !valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + #if BITS_PER_LONG == 32 + if (stat->size > MAX_NON_LFS) +@@ -305,7 +304,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + #endif + + INIT_STRUCT_STAT_PADDING(tmp); +- tmp.st_dev = encode_dev(stat->dev); ++ tmp.st_dev = 
new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -315,7 +314,7 @@ static int cp_new_stat(struct kstat *stat, struct stat __user *statbuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + tmp.st_size = stat->size; + tmp.st_atime = stat->atime.tv_sec; + tmp.st_mtime = stat->mtime.tv_sec; +@@ -588,11 +587,13 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + { + struct compat_stat tmp; + +- if (!old_valid_dev(stat->dev) || !old_valid_dev(stat->rdev)) ++ if (sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)) ++ return -EOVERFLOW; ++ if (sizeof(tmp.st_rdev) < 4 && !old_valid_dev(stat->rdev)) + return -EOVERFLOW; + + memset(&tmp, 0, sizeof(tmp)); +- tmp.st_dev = old_encode_dev(stat->dev); ++ tmp.st_dev = new_encode_dev(stat->dev); + tmp.st_ino = stat->ino; + if (sizeof(tmp.st_ino) < sizeof(stat->ino) && tmp.st_ino != stat->ino) + return -EOVERFLOW; +@@ -602,7 +603,7 @@ static int cp_compat_stat(struct kstat *stat, struct compat_stat __user *ubuf) + return -EOVERFLOW; + SET_UID(tmp.st_uid, from_kuid_munged(current_user_ns(), stat->uid)); + SET_GID(tmp.st_gid, from_kgid_munged(current_user_ns(), stat->gid)); +- tmp.st_rdev = old_encode_dev(stat->rdev); ++ tmp.st_rdev = new_encode_dev(stat->rdev); + if ((u64) stat->size > MAX_NON_LFS) + return -EOVERFLOW; + tmp.st_size = stat->size; +-- +2.35.1 + diff --git a/queue-4.19/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch b/queue-4.19/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch new file mode 100644 index 00000000000..9d21d3ceb8e --- /dev/null +++ b/queue-4.19/vxlan-fix-error-return-code-in-vxlan_fdb_append.patch 
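Review bot: In cp_new_stat() and cp_compat_stat() the new guards `sizeof(tmp.st_dev) < 4 && !old_valid_dev(stat->dev)` use a bare `4` and are followed by an unconditional new_encode_dev(), including on layouts where the field is narrower than 32 bits. That appears safe only if every value accepted by old_valid_dev() encodes identically under both schemes, which neither the new code nor the removed `encode_dev` macro documents; the helpers are not visible here, so confirm it for this branch and record it in a comment such as `/* fields narrower than 32 bits only hold old-style dev numbers; those encode the same with new_encode_dev() */`. The same applies to the st_rdev checks. Both functions start and end outside the inner hunks.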
@@ -0,0 +1,40 @@
+From c6d3df73d8a2a41a89d792cfa7bfc962335b53d5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 6 Apr 2022 22:46:22 -0400
+Subject: vxlan: fix error return code in vxlan_fdb_append
+
+From: Hongbin Wang
+
+[ Upstream commit 7cea5560bf656b84f9ed01c0cc829d4eecd0640b ]
+
+When kmalloc and dst_cache_init failed,
+should return ENOMEM rather than ENOBUFS.
+
+Signed-off-by: Hongbin Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/vxlan.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index eacc1e32d547..1b98a888a168 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -524,11 +524,11 @@ static int vxlan_fdb_append(struct vxlan_fdb *f,
+
+ rd = kmalloc(sizeof(*rd), GFP_ATOMIC);
+ if (rd == NULL)
+- return -ENOBUFS;
++ return -ENOMEM;
+
+ if (dst_cache_init(&rd->dst_cache, GFP_ATOMIC)) {
+ kfree(rd);
+- return -ENOBUFS;
++ return -ENOMEM;
+ }
+
+ rd->remote_ip = *ip;
+--
+2.35.1
+
--
2.47.3