From 5f59eeb92456034f119a3941f0fb5b6fa927756d Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Sat, 3 Dec 2022 04:21:46 -0500 Subject: [PATCH] Fixes for 4.9 Signed-off-by: Sasha Levin --- ...-sleep-from-invalid-context-bug-in-b.patch | 65 +++++++++++ ..._isa_probe-add-missing-free_cc770dev.patch | 59 ++++++++++ ...sja1000_isa_probe-add-missing-free_s.patch | 59 ++++++++++ ...heck-for-null-before-removing-sysfs-.patch | 64 +++++++++++ ...ix-pci-device-refcount-leak-in-nv1a_.patch | 45 ++++++++ ..._temp-fix-missing-pci_disable_device.patch | 37 +++++++ ...-possible-uaf-when-ibmpex_register_b.patch | 44 ++++++++ ...403-fix-oob-read-in-afe4403_read_raw.patch | 72 +++++++++++++ ...04-fix-oob-read-in-afe4404_-read-wri.patch | 102 ++++++++++++++++++ ...ential-socket-leak-in-p9_socket_open.patch | 45 ++++++++ ...esas-ravb-fix-promiscuous-mode-after.patch | 41 +++++++ ...net-hsr-fix-potential-use-after-free.patch | 49 +++++++++ ...nitialized-variable-bug-in-outlen_wr.patch | 39 +++++++ ...ix-error-handling-in-ntb_netdev_init.patch | 48 +++++++++ ...ix-null-ptr-deref-while-probe-failed.patch | 73 +++++++++++++ ...t-tp_status_csum_valid-on-checksum_c.patch | 49 +++++++++ ...-in-atomic-context-bugs-caused-by-ms.patch | 70 ++++++++++++ queue-4.9/series | 17 +++ 18 files changed, 978 insertions(+) create mode 100644 queue-4.9/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch create mode 100644 queue-4.9/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch create mode 100644 queue-4.9/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch create mode 100644 queue-4.9/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch create mode 100644 queue-4.9/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch create mode 100644 queue-4.9/hwmon-i5500_temp-fix-missing-pci_disable_device.patch create mode 100644 queue-4.9/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch create mode 100644 queue-4.9/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch create mode 100644 queue-4.9/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch create mode 100644 queue-4.9/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch create mode 100644 queue-4.9/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch create mode 100644 queue-4.9/net-hsr-fix-potential-use-after-free.patch create mode 100644 queue-4.9/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch create mode 100644 queue-4.9/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch create mode 100644 queue-4.9/net-phy-fix-null-ptr-deref-while-probe-failed.patch create mode 100644 queue-4.9/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch create mode 100644 queue-4.9/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch diff --git a/queue-4.9/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch b/queue-4.9/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch new file mode 100644 index 00000000000..47a804bec6b --- /dev/null +++ b/queue-4.9/btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch @@ -0,0 +1,65 @@ +From 7cb48ab75aa20ac44b79cf12a0ea5e075c115e08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 22:23:54 +0800 +Subject: btrfs: qgroup: fix sleep from invalid context bug in + btrfs_qgroup_inherit() + +From: ChenXiaoSong + +[ Upstream commit f7e942b5bb35d8e3af54053d19a6bf04143a3955 ] + +Syzkaller reported BUG as follows: + + BUG: sleeping function called from invalid context at + include/linux/sched/mm.h:274 + Call Trace: + + dump_stack_lvl+0xcd/0x134 + __might_resched.cold+0x222/0x26b + kmem_cache_alloc+0x2e7/0x3c0 + update_qgroup_limit_item+0xe1/0x390 + btrfs_qgroup_inherit+0x147b/0x1ee0 + create_subvol+0x4eb/0x1710 + btrfs_mksubvol+0xfe5/0x13f0 + __btrfs_ioctl_snap_create+0x2b0/0x430 + btrfs_ioctl_snap_create_v2+0x25a/0x520 + btrfs_ioctl+0x2a1c/0x5ce0 + __x64_sys_ioctl+0x193/0x200 + do_syscall_64+0x35/0x80 + +Fix this by calling qgroup_dirty() on @dstqgroup, and update limit item in +btrfs_run_qgroups() later outside of the spinlock context. + +CC: stable@vger.kernel.org # 4.9+ +Reviewed-by: Qu Wenruo +Signed-off-by: ChenXiaoSong +Reviewed-by: David Sterba +Signed-off-by: David Sterba +Signed-off-by: Sasha Levin +--- + fs/btrfs/qgroup.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/fs/btrfs/qgroup.c b/fs/btrfs/qgroup.c +index d6795c6fdd66..a13a83ec6202 100644 +--- a/fs/btrfs/qgroup.c ++++ b/fs/btrfs/qgroup.c +@@ -1990,14 +1990,7 @@ int btrfs_qgroup_inherit(struct btrfs_trans_handle *trans, + dstgroup->rsv_rfer = inherit->lim.rsv_rfer; + dstgroup->rsv_excl = inherit->lim.rsv_excl; + +- ret = update_qgroup_limit_item(trans, quota_root, dstgroup); +- if (ret) { +- fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT; +- btrfs_info(fs_info, +- "unable to update quota limit for %llu", +- dstgroup->qgroupid); +- goto unlock; +- } ++ qgroup_dirty(fs_info, dstgroup); + } + + if (srcid) { +-- +2.35.1 + diff --git a/queue-4.9/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch b/queue-4.9/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch new file mode 100644 index 00000000000..c630d4229a6 --- /dev/null +++ b/queue-4.9/can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch @@ -0,0 +1,59 @@ +From a7b5ade53a4a21487f15c7134c9cce658bc032d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:09:16 +0800 +Subject: can: cc770: cc770_isa_probe(): add missing free_cc770dev() + +From: Zhang Changzhong + +[ Upstream commit 62ec89e74099a3d6995988ed9f2f996b368417ec ] + +Add the missing free_cc770dev() before return from cc770_isa_probe() +in the register_cc770dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 7e02e5433e00 ("can: cc770: legacy CC770 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168557-6024-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/cc770/cc770_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/cc770/cc770_isa.c b/drivers/net/can/cc770/cc770_isa.c +index e0d15711e9ac..8df613bc3be3 100644 +--- a/drivers/net/can/cc770/cc770_isa.c ++++ b/drivers/net/can/cc770/cc770_isa.c +@@ -272,22 +272,24 @@ static int cc770_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, + "couldn't register device (err=%d)\n", err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "device registered (reg_base=0x%p, irq=%d)\n", + priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_cc770dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-4.9/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch b/queue-4.9/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch new file mode 100644 index 00000000000..6a7fadca6c5 --- /dev/null +++ b/queue-4.9/can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch @@ -0,0 +1,59 @@ +From 7ab243ee001404aaf57bc8631f84224f9c3eb632 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 20:08:41 +0800 +Subject: can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev() + +From: Zhang Changzhong + +[ Upstream commit 92dfd9310a71d28cefe6a2d5174d43fab240e631 ] + +Add the missing free_sja1000dev() before return from +sja1000_isa_probe() in the register_sja1000dev() error handling case. + +In addition, remove blanks before goto labels. + +Fixes: 2a6ba39ad6a2 ("can: sja1000: legacy SJA1000 ISA bus driver") +Signed-off-by: Zhang Changzhong +Link: https://lore.kernel.org/all/1668168521-5540-1-git-send-email-zhangchangzhong@huawei.com +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Sasha Levin +--- + drivers/net/can/sja1000/sja1000_isa.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/can/sja1000/sja1000_isa.c b/drivers/net/can/sja1000/sja1000_isa.c +index e97e6d35b300..5187fdabdca9 100644 +--- a/drivers/net/can/sja1000/sja1000_isa.c ++++ b/drivers/net/can/sja1000/sja1000_isa.c +@@ -213,22 +213,24 @@ static int sja1000_isa_probe(struct platform_device *pdev) + if (err) { + dev_err(&pdev->dev, "registering %s failed (err=%d)\n", + DRV_NAME, err); +- goto exit_unmap; ++ goto exit_free; + } + + dev_info(&pdev->dev, "%s device registered (reg_base=0x%p, irq=%d)\n", + DRV_NAME, priv->reg_base, dev->irq); + return 0; + +- exit_unmap: ++exit_free: ++ free_sja1000dev(dev); ++exit_unmap: + if (mem[idx]) + iounmap(base); +- exit_release: ++exit_release: + if (mem[idx]) + release_mem_region(mem[idx], iosize); + else + release_region(port[idx], iosize); +- exit: ++exit: + return err; + } + +-- +2.35.1 + diff --git a/queue-4.9/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch b/queue-4.9/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch new file mode 100644 index 00000000000..a76cfb3d088 --- /dev/null +++ b/queue-4.9/hwmon-coretemp-check-for-null-before-removing-sysfs-.patch @@ -0,0 +1,64 @@ +From 1c8978d516fa95b496b7a8b86e2f6c6a6a7548aa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:23:13 -0500 +Subject: hwmon: (coretemp) Check for null before removing sysfs attrs + +From: Phil Auld + +[ Upstream commit a89ff5f5cc64b9fe7a992cf56988fd36f56ca82a ] + +If coretemp_add_core() gets an error then pdata->core_data[indx] +is already NULL and has been kfreed. Don't pass that to +sysfs_remove_group() as that will crash in sysfs_remove_group(). + +[Shortened for readability] +[91854.020159] sysfs: cannot create duplicate filename '/devices/platform/coretemp.0/hwmon/hwmon2/temp20_label' + +[91855.126115] BUG: kernel NULL pointer dereference, address: 0000000000000188 +[91855.165103] #PF: supervisor read access in kernel mode +[91855.194506] #PF: error_code(0x0000) - not-present page +[91855.224445] PGD 0 P4D 0 +[91855.238508] Oops: 0000 [#1] PREEMPT SMP PTI +... +[91855.342716] RIP: 0010:sysfs_remove_group+0xc/0x80 +... +[91855.796571] Call Trace: +[91855.810524] coretemp_cpu_offline+0x12b/0x1dd [coretemp] +[91855.841738] ? coretemp_cpu_online+0x180/0x180 [coretemp] +[91855.871107] cpuhp_invoke_callback+0x105/0x4b0 +[91855.893432] cpuhp_thread_fun+0x8e/0x150 +... + +Fix this by checking for NULL first. + +Signed-off-by: Phil Auld +Cc: linux-hwmon@vger.kernel.org +Cc: Fenghua Yu +Cc: Jean Delvare +Cc: Guenter Roeck +Link: https://lore.kernel.org/r/20221117162313.3164803-1-pauld@redhat.com +Fixes: 199e0de7f5df3 ("hwmon: (coretemp) Merge pkgtemp with coretemp") +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index be1e380fa1c3..9e81842cff7d 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -557,6 +557,10 @@ static void coretemp_remove_core(struct platform_data *pdata, + { + struct temp_data *tdata = pdata->core_data[indx]; + ++ /* if we errored on add then this is already gone */ ++ if (!tdata) ++ return; ++ + /* Remove the sysfs attributes */ + sysfs_remove_group(&pdata->hwmon_dev->kobj, &tdata->attr_group); + +-- +2.35.1 + diff --git a/queue-4.9/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch b/queue-4.9/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch new file mode 100644 index 00000000000..5a00139c308 --- /dev/null +++ b/queue-4.9/hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch @@ -0,0 +1,45 @@ +From 5834052e21e7c9c68c961795f50b9d27117b8e46 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 18 Nov 2022 17:33:03 +0800 +Subject: hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new() + +From: Yang Yingliang + +[ Upstream commit 7dec14537c5906b8bf40fd6fd6d9c3850f8df11d ] + +As comment of pci_get_domain_bus_and_slot() says, it returns +a pci device with refcount increment, when finish using it, +the caller must decrement the reference count by calling +pci_dev_put(). So call it after using to avoid refcount leak. + +Fixes: 14513ee696a0 ("hwmon: (coretemp) Use PCI host bridge ID to identify CPU if necessary") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221118093303.214163-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/coretemp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/hwmon/coretemp.c b/drivers/hwmon/coretemp.c +index 9e81842cff7d..7e796d68e23a 100644 +--- a/drivers/hwmon/coretemp.c ++++ b/drivers/hwmon/coretemp.c +@@ -256,10 +256,13 @@ static int adjust_tjmax(struct cpuinfo_x86 *c, u32 id, struct device *dev) + */ + if (host_bridge && host_bridge->vendor == PCI_VENDOR_ID_INTEL) { + for (i = 0; i < ARRAY_SIZE(tjmax_pci_table); i++) { +- if (host_bridge->device == tjmax_pci_table[i].device) ++ if (host_bridge->device == tjmax_pci_table[i].device) { ++ pci_dev_put(host_bridge); + return tjmax_pci_table[i].tjmax; ++ } + } + } ++ pci_dev_put(host_bridge); + + for (i = 0; i < ARRAY_SIZE(tjmax_table); i++) { + if (strstr(c->x86_model_id, tjmax_table[i].id)) +-- +2.35.1 + diff --git a/queue-4.9/hwmon-i5500_temp-fix-missing-pci_disable_device.patch b/queue-4.9/hwmon-i5500_temp-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..3dc5e39fa54 --- /dev/null +++ b/queue-4.9/hwmon-i5500_temp-fix-missing-pci_disable_device.patch @@ -0,0 +1,37 @@ +From 8ffe5de157600ae0870a3083cffbf7ec1d1d7384 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 20:56:06 +0800 +Subject: hwmon: (i5500_temp) fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit 3b7f98f237528c496ea0b689bace0e35eec3e060 ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: ada072816be1 ("hwmon: (i5500_temp) New driver for the Intel 5500/5520/X58 chipsets") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112125606.3751430-1-yangyingliang@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/i5500_temp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hwmon/i5500_temp.c b/drivers/hwmon/i5500_temp.c +index 3e3ccbf18b4e..0064249fcc37 100644 +--- a/drivers/hwmon/i5500_temp.c ++++ b/drivers/hwmon/i5500_temp.c +@@ -117,7 +117,7 @@ static int i5500_temp_probe(struct pci_dev *pdev, + u32 tstimer; + s8 tsfsc; + +- err = pci_enable_device(pdev); ++ err = pcim_enable_device(pdev); + if (err) { + dev_err(&pdev->dev, "Failed to enable device\n"); + return err; +-- +2.35.1 + diff --git a/queue-4.9/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch b/queue-4.9/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch new file mode 100644 index 00000000000..968ab99cc3f --- /dev/null +++ b/queue-4.9/hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch @@ -0,0 +1,44 @@ +From 197cddd3498ddc3d50e1002aa1e829e7d251c54c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:44:23 +0800 +Subject: hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails + +From: Gaosheng Cui + +[ Upstream commit e2a87785aab0dac190ac89be6a9ba955e2c634f2 ] + +Smatch report warning as follows: + +drivers/hwmon/ibmpex.c:509 ibmpex_register_bmc() warn: + '&data->list' not removed from list + +If ibmpex_find_sensors() fails in ibmpex_register_bmc(), data will +be freed, but data->list will not be removed from driver_data.bmc_data, +then list traversal may cause UAF. + +Fix by removeing it from driver_data.bmc_data before free(). + +Fixes: 57c7c3a0fdea ("hwmon: IBM power meter driver") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117034423.2935739-1-cuigaosheng1@huawei.com +Signed-off-by: Guenter Roeck +Signed-off-by: Sasha Levin +--- + drivers/hwmon/ibmpex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/hwmon/ibmpex.c b/drivers/hwmon/ibmpex.c +index 21b9c72f16bd..26a898781371 100644 +--- a/drivers/hwmon/ibmpex.c ++++ b/drivers/hwmon/ibmpex.c +@@ -517,6 +517,7 @@ static void ibmpex_register_bmc(int iface, struct device *dev) + return; + + out_register: ++ list_del(&data->list); + hwmon_device_unregister(data->hwmon_dev); + out_user: + ipmi_destroy_user(data->user); +-- +2.35.1 + diff --git a/queue-4.9/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch b/queue-4.9/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch new file mode 100644 index 00000000000..14f74bc4083 --- /dev/null +++ b/queue-4.9/iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch @@ -0,0 +1,72 @@ +From c69740cf4b9e6b5fdb778c174044855a95698c40 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:19:46 +0000 +Subject: iio: health: afe4403: Fix oob read in afe4403_read_raw + +From: Wei Yongjun + +[ Upstream commit 58143c1ed5882c138a3cd2251a336fc8755f23d9 ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4403_read_raw+0x42e/0x4c0 +Read of size 4 at addr ffffffffc02ac638 by task cat/279 + +Call Trace: + afe4403_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4403_channel_leds+0x18/0xffffffffffffe9e0 + +This issue can be reproduced by singe command: + + $ cat /sys/bus/spi/devices/spi0.0/iio\:device0/in_intensity6_raw + +The array size of afe4403_channel_leds is less than channels, so access +with chan->address cause OOB read in afe4403_read_raw. Fix it by moving +access before use it. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107151946.89260-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4403.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/health/afe4403.c b/drivers/iio/health/afe4403.c +index 2f07c4d1398c..4756e9645f7d 100644 +--- a/drivers/iio/health/afe4403.c ++++ b/drivers/iio/health/afe4403.c +@@ -253,14 +253,14 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4403_data *afe = iio_priv(indio_dev); +- unsigned int reg = afe4403_channel_values[chan->address]; +- unsigned int field = afe4403_channel_leds[chan->address]; ++ unsigned int reg, field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ reg = afe4403_channel_values[chan->address]; + ret = afe4403_read(afe, reg, val); + if (ret) + return ret; +@@ -270,6 +270,7 @@ static int afe4403_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ field = afe4403_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[field], val); + if (ret) + return ret; +-- +2.35.1 + diff --git a/queue-4.9/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch b/queue-4.9/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch new file mode 100644 index 00000000000..9ca931a987b --- /dev/null +++ b/queue-4.9/iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch @@ -0,0 +1,102 @@ +From 33a439ab27abdc5810bb40981d2874fd8daaaf33 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 15:20:10 +0000 +Subject: iio: health: afe4404: Fix oob read in afe4404_[read|write]_raw + +From: Wei Yongjun + +[ Upstream commit fc92d9e3de0b2d30a3ccc08048a5fad533e4672b ] + +KASAN report out-of-bounds read as follows: + +BUG: KASAN: global-out-of-bounds in afe4404_read_raw+0x2ce/0x380 +Read of size 4 at addr ffffffffc00e4658 by task cat/278 + +Call Trace: + afe4404_read_raw + iio_read_channel_info + dev_attr_show + +The buggy address belongs to the variable: + afe4404_channel_leds+0x18/0xffffffffffffe9c0 + +This issue can be reproduce by singe command: + + $ cat /sys/bus/i2c/devices/0-0058/iio\:device0/in_intensity6_raw + +The array size of afe4404_channel_leds and afe4404_channel_offdacs +are less than channels, so access with chan->address cause OOB read +in afe4404_[read|write]_raw. Fix it by moving access before use them. + +Fixes: b36e8257641a ("iio: health/afe440x: Use regmap fields") +Signed-off-by: Wei Yongjun +Acked-by: Andrew Davis +Link: https://lore.kernel.org/r/20221107152010.95937-1-weiyongjun@huaweicloud.com +Signed-off-by: Jonathan Cameron +Signed-off-by: Sasha Levin +--- + drivers/iio/health/afe4404.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/drivers/iio/health/afe4404.c b/drivers/iio/health/afe4404.c +index 5e256b11ac87..29a906411bd8 100644 +--- a/drivers/iio/health/afe4404.c ++++ b/drivers/iio/health/afe4404.c +@@ -258,20 +258,20 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + int *val, int *val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int value_reg = afe4404_channel_values[chan->address]; +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int value_reg, led_field, offdac_field; + int ret; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ value_reg = afe4404_channel_values[chan->address]; + ret = regmap_read(afe->regmap, value_reg, val); + if (ret) + return ret; + return IIO_VAL_INT; + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + ret = regmap_field_read(afe->fields[offdac_field], val); + if (ret) + return ret; +@@ -281,6 +281,7 @@ static int afe4404_read_raw(struct iio_dev *indio_dev, + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + ret = regmap_field_read(afe->fields[led_field], val); + if (ret) + return ret; +@@ -303,19 +304,20 @@ static int afe4404_write_raw(struct iio_dev *indio_dev, + int val, int val2, long mask) + { + struct afe4404_data *afe = iio_priv(indio_dev); +- unsigned int led_field = afe4404_channel_leds[chan->address]; +- unsigned int offdac_field = afe4404_channel_offdacs[chan->address]; ++ unsigned int led_field, offdac_field; + + switch (chan->type) { + case IIO_INTENSITY: + switch (mask) { + case IIO_CHAN_INFO_OFFSET: ++ offdac_field = afe4404_channel_offdacs[chan->address]; + return regmap_field_write(afe->fields[offdac_field], val); + } + break; + case IIO_CURRENT: + switch (mask) { + case IIO_CHAN_INFO_RAW: ++ led_field = afe4404_channel_leds[chan->address]; + return regmap_field_write(afe->fields[led_field], val); + } + break; +-- +2.35.1 + diff --git a/queue-4.9/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch b/queue-4.9/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch new file mode 100644 index 00000000000..564bf1df325 --- /dev/null +++ b/queue-4.9/net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch @@ -0,0 +1,45 @@ +From b4b1b7444d493c7ed3babdba7c6e0e6ba253506a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 16:10:05 +0800 +Subject: net/9p: Fix a potential socket leak in p9_socket_open + +From: Wang Hai + +[ Upstream commit dcc14cfd7debe11b825cb077e75d91d2575b4cb8 ] + +Both p9_fd_create_tcp() and p9_fd_create_unix() will call +p9_socket_open(). If the creation of p9_trans_fd fails, +p9_fd_create_tcp() and p9_fd_create_unix() will return an +error directly instead of releasing the cscoket, which will +result in a socket leak. + +This patch adds sock_release() to fix the leak issue. + +Fixes: 6b18662e239a ("9p connect fixes") +Signed-off-by: Wang Hai +ACKed-by: Al Viro +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/9p/trans_fd.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index e70e843ee48f..7e484f5b140c 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -851,8 +851,10 @@ static int p9_socket_open(struct p9_client *client, struct socket *csocket) + struct file *file; + + p = kzalloc(sizeof(struct p9_trans_fd), GFP_KERNEL); +- if (!p) ++ if (!p) { ++ sock_release(csocket); + return -ENOMEM; ++ } + + csocket->sk->sk_allocation = GFP_NOIO; + file = sock_alloc_file(csocket, 0, NULL); +-- +2.35.1 + diff --git a/queue-4.9/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch b/queue-4.9/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch new file mode 100644 index 00000000000..5179282811a --- /dev/null +++ b/queue-4.9/net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch @@ -0,0 +1,41 @@ +From d1356b8e193ccb2a13a7f87ccbb99a9a115c8042 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 15:56:04 +0900 +Subject: net: ethernet: renesas: ravb: Fix promiscuous mode after system + resumed + +From: Yoshihiro Shimoda + +[ Upstream commit d66233a312ec9013af3e37e4030b479a20811ec3 ] + +After system resumed on some environment board, the promiscuous mode +is disabled because the SoC turned off. So, call ravb_set_rx_mode() in +the ravb_resume() to fix the issue. + +Reported-by: Tho Vu +Fixes: 0184165b2f42 ("ravb: add sleep PM suspend/resume support") +Signed-off-by: Yoshihiro Shimoda +Reviewed-by: Pavan Chebbi +Reviewed-by: Sergey Shtylyov +Link: https://lore.kernel.org/r/20221128065604.1864391-1-yoshihiro.shimoda.uh@renesas.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/renesas/ravb_main.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/renesas/ravb_main.c b/drivers/net/ethernet/renesas/ravb_main.c +index 5452fe4bf12a..2bebf39fe047 100644 +--- a/drivers/net/ethernet/renesas/ravb_main.c ++++ b/drivers/net/ethernet/renesas/ravb_main.c +@@ -2183,6 +2183,7 @@ static int __maybe_unused ravb_resume(struct device *dev) + ret = ravb_open(ndev); + if (ret < 0) + return ret; ++ ravb_set_rx_mode(ndev); + netif_device_attach(ndev); + } + +-- +2.35.1 + diff --git a/queue-4.9/net-hsr-fix-potential-use-after-free.patch b/queue-4.9/net-hsr-fix-potential-use-after-free.patch new file mode 100644 index 00000000000..1d1a72b65ac --- /dev/null +++ b/queue-4.9/net-hsr-fix-potential-use-after-free.patch @@ -0,0 +1,49 @@ +From fa76d5085acf6ecf17d72c2c0835ae8f1946ab72 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 15:57:24 +0800 +Subject: net: hsr: Fix potential use-after-free + +From: YueHaibing + +[ Upstream commit 7e177d32442b7ed08a9fa61b61724abc548cb248 ] + +The skb is delivered to netif_rx() which may free it, after calling this, +dereferencing skb may trigger use-after-free. + +Fixes: f421436a591d ("net/hsr: Add support for the High-availability Seamless Redundancy protocol (HSRv0)") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221125075724.27912-1-yuehaibing@huawei.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/hsr/hsr_forward.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/hsr/hsr_forward.c b/net/hsr/hsr_forward.c +index 04b5450c5a55..adfb49760678 100644 +--- a/net/hsr/hsr_forward.c ++++ b/net/hsr/hsr_forward.c +@@ -207,17 +207,18 @@ static void hsr_deliver_master(struct sk_buff *skb, struct net_device *dev, + struct hsr_node *node_src) + { + bool was_multicast_frame; +- int res; ++ int res, recv_len; + + was_multicast_frame = (skb->pkt_type == PACKET_MULTICAST); + hsr_addr_subst_source(node_src, skb); + skb_pull(skb, ETH_HLEN); ++ recv_len = skb->len; + res = netif_rx(skb); + if (res == NET_RX_DROP) { + dev->stats.rx_dropped++; + } else { + dev->stats.rx_packets++; +- dev->stats.rx_bytes += skb->len; ++ dev->stats.rx_bytes += recv_len; + if (was_multicast_frame) + dev->stats.multicast++; + } +-- +2.35.1 + diff --git a/queue-4.9/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch b/queue-4.9/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch new file mode 100644 index 00000000000..8070f6db9ee --- /dev/null +++ b/queue-4.9/net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch @@ -0,0 +1,39 @@ +From 8df2cfbc5b98fe1c94384e6d7b3a6ba830e08469 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:22:04 +0800 +Subject: net/mlx5: Fix uninitialized variable bug in outlen_write() + +From: YueHaibing + +[ Upstream commit 3f5769a074c13d8f08455e40586600419e02a880 ] + +If sscanf() return 0, outlen is uninitialized and used in kzalloc(), +this is unexpected. We should return -EINVAL if the string is invalid. + +Fixes: e126ba97dba9 ("mlx5: Add driver for Mellanox Connect-IB adapters") +Signed-off-by: YueHaibing +Reviewed-by: Leon Romanovsky +Signed-off-by: Saeed Mahameed +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/mellanox/mlx5/core/cmd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +index b6113620cb1a..043eec677b2c 100644 +--- a/drivers/net/ethernet/mellanox/mlx5/core/cmd.c ++++ b/drivers/net/ethernet/mellanox/mlx5/core/cmd.c +@@ -1293,8 +1293,8 @@ static ssize_t outlen_write(struct file *filp, const char __user *buf, + return -EFAULT; + + err = sscanf(outlen_str, "%d", &outlen); +- if (err < 0) +- return err; ++ if (err != 1) ++ return -EINVAL; + + ptr = kzalloc(outlen, GFP_KERNEL); + if (!ptr) +-- +2.35.1 + diff --git a/queue-4.9/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch b/queue-4.9/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch new file mode 100644 index 00000000000..400de1a6aa3 --- /dev/null +++ b/queue-4.9/net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch @@ -0,0 +1,48 @@ +From bec4a2971ae3fca54181dd76d96f4bee4ed37fa5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 07:09:17 +0000 +Subject: net: net_netdev: Fix error handling in ntb_netdev_init_module() + +From: Yuan Can + +[ Upstream commit b8f79dccd38edf7db4911c353d9cd792ab13a327 ] + +The ntb_netdev_init_module() returns the ntb_transport_register_client() +directly without checking its return value, if +ntb_transport_register_client() failed, the NTB client device is not +unregistered. + +Fix by unregister NTB client device when ntb_transport_register_client() +failed. + +Fixes: 548c237c0a99 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Yuan Can +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index 03009f1becdd..bd6c19ceab30 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -500,7 +500,14 @@ static int __init ntb_netdev_init_module(void) + rc = ntb_transport_register_client_dev(KBUILD_MODNAME); + if (rc) + return rc; +- return ntb_transport_register_client(&ntb_netdev_client); ++ ++ rc = ntb_transport_register_client(&ntb_netdev_client); ++ if (rc) { ++ ntb_transport_unregister_client_dev(KBUILD_MODNAME); ++ return rc; ++ } ++ ++ return 0; + } + module_init(ntb_netdev_init_module); + +-- +2.35.1 + diff --git a/queue-4.9/net-phy-fix-null-ptr-deref-while-probe-failed.patch b/queue-4.9/net-phy-fix-null-ptr-deref-while-probe-failed.patch new file mode 100644 index 00000000000..b8558ca243c --- /dev/null +++ b/queue-4.9/net-phy-fix-null-ptr-deref-while-probe-failed.patch @@ -0,0 +1,73 @@ +From ec3830664d262e531ca5825a4ae08acc11e29b38 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 21:28:08 +0800 +Subject: net: phy: fix null-ptr-deref while probe() failed + +From: Yang Yingliang + +[ Upstream commit 369eb2c9f1f72adbe91e0ea8efb130f0a2ba11a6 ] + +I got a null-ptr-deref report as following when doing fault injection test: + +BUG: kernel NULL pointer dereference, address: 0000000000000058 +Oops: 0000 [#1] PREEMPT SMP KASAN PTI +CPU: 1 PID: 253 Comm: 507-spi-dm9051 Tainted: G B N 6.1.0-rc3+ +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:klist_put+0x2d/0xd0 +Call Trace: + + klist_remove+0xf1/0x1c0 + device_release_driver_internal+0x23e/0x2d0 + bus_remove_device+0x1bd/0x240 + device_del+0x357/0x770 + phy_device_remove+0x11/0x30 + mdiobus_unregister+0xa5/0x140 + release_nodes+0x6a/0xa0 + devres_release_all+0xf8/0x150 + device_unbind_cleanup+0x19/0xd0 + +//probe path: +phy_device_register() + device_add() + +phy_connect + phy_attach_direct() //set device driver + probe() //it's failed, driver is not bound + device_bind_driver() // probe failed, it's not called + +//remove path: +phy_device_remove() + device_del() + device_release_driver_internal() + __device_release_driver() //dev->drv is not NULL + klist_remove() <- knode_driver is not added yet, cause null-ptr-deref + +In phy_attach_direct(), after setting the 'dev->driver', probe() fails, +device_bind_driver() is not called, so the knode_driver->n_klist is not +set, then it causes null-ptr-deref in __device_release_driver() while +deleting device. Fix this by setting dev->driver to NULL in the error +path in phy_attach_direct(). + +Fixes: e13934563db0 ("[PATCH] PHY Layer fixup") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/phy_device.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/phy/phy_device.c b/drivers/net/phy/phy_device.c +index a3ba95e96695..90dbf1b2a33a 100644 +--- a/drivers/net/phy/phy_device.c ++++ b/drivers/net/phy/phy_device.c +@@ -948,6 +948,7 @@ int phy_attach_direct(struct net_device *dev, struct phy_device *phydev, + + error_module_put: + module_put(d->driver->owner); ++ d->driver = NULL; + error_put_device: + put_device(d); + if (ndev_owner != bus->owner) +-- +2.35.1 + diff --git a/queue-4.9/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch b/queue-4.9/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch new file mode 100644 index 00000000000..b1832565c84 --- /dev/null +++ b/queue-4.9/packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch @@ -0,0 +1,49 @@ +From fa3410760fa547ce59e203b40ad6a64d5cb065d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 11:18:12 -0500 +Subject: packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE + +From: Willem de Bruijn + +[ Upstream commit b85f628aa158a653c006e9c1405a117baef8c868 ] + +CHECKSUM_COMPLETE signals that skb->csum stores the sum over the +entire packet. It does not imply that an embedded l4 checksum +field has been validated. + +Fixes: 682f048bd494 ("af_packet: pass checksum validation status to the user") +Signed-off-by: Willem de Bruijn +Link: https://lore.kernel.org/r/20221128161812.640098-1-willemdebruijn.kernel@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/packet/af_packet.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 2ae2801dd7be..c43a4f9404fe 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2207,8 +2207,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev, + if (skb->ip_summed == CHECKSUM_PARTIAL) + status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + status |= TP_STATUS_CSUM_VALID; + + if (snaplen > res) +@@ -3468,8 +3467,7 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, + if (skb->ip_summed == CHECKSUM_PARTIAL) + aux.tp_status |= TP_STATUS_CSUMNOTREADY; + else if (skb->pkt_type != PACKET_OUTGOING && +- (skb->ip_summed == CHECKSUM_COMPLETE || +- skb_csum_unnecessary(skb))) ++ skb_csum_unnecessary(skb)) + aux.tp_status |= TP_STATUS_CSUM_VALID; + + aux.tp_len = origlen; +-- +2.35.1 + diff --git a/queue-4.9/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch b/queue-4.9/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch new file mode 100644 index 00000000000..129093799dc --- /dev/null +++ b/queue-4.9/qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch @@ -0,0 +1,70 @@ +From 3af4eb263ae862382b7e2e5224d9d49d0bb07174 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 18:06:42 +0800 +Subject: qlcnic: fix sleep-in-atomic-context bugs caused by msleep + +From: Duoming Zhou + +[ Upstream commit 8dbd6e4ce1b9c527921643d9e34f188a10d4e893 ] + +The watchdog timer is used to monitor whether the process +of transmitting data is timeout. If we use qlcnic driver, +the dev_watchdog() that is the timer handler of watchdog +timer will call qlcnic_tx_timeout() to process the timeout. +But the qlcnic_tx_timeout() calls msleep(), as a result, +the sleep-in-atomic-context bugs will happen. The processes +are shown below: + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + msleep + +--------------------------- + + (atomic context) +dev_watchdog + qlcnic_tx_timeout + qlcnic_83xx_idc_request_reset + qlcnic_83xx_lock_driver + qlcnic_83xx_recover_driver_lock + msleep + +Fix by changing msleep() to mdelay(), the mdelay() is +busy-waiting and the bugs could be mitigated. + +Fixes: 629263acaea3 ("qlcnic: 83xx CNA inter driver communication mechanism") +Signed-off-by: Duoming Zhou +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +index 59b77bb89147..1134060b6962 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -2992,7 +2992,7 @@ static void qlcnic_83xx_recover_driver_lock(struct qlcnic_adapter *adapter) + QLCWRX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK, val); + dev_info(&adapter->pdev->dev, + "%s: lock recovery initiated\n", __func__); +- msleep(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_RECOVERY_DELAY); + val = QLCRDX(adapter->ahw, QLC_83XX_RECOVER_DRV_LOCK); + id = ((val >> 2) & 0xF); + if (id == adapter->portnum) { +@@ -3028,7 +3028,7 @@ int qlcnic_83xx_lock_driver(struct qlcnic_adapter *adapter) + if (status) + break; + +- msleep(QLC_83XX_DRV_LOCK_WAIT_DELAY); ++ mdelay(QLC_83XX_DRV_LOCK_WAIT_DELAY); + i++; + + if (i == 1) +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 5b15e1d2dc4..46ca1944669 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -28,3 +28,20 @@ platform-x86-asus-wmi-add-missing-pci_dev_put-in-asu.patch tcp-configurable-source-port-perturb-table-size.patch net-usb-qmi_wwan-add-telit-0x103a-composition.patch drm-amdgpu-always-register-an-mmu-notifier-for-userptr.patch +iio-health-afe4403-fix-oob-read-in-afe4403_read_raw.patch +iio-health-afe4404-fix-oob-read-in-afe4404_-read-wri.patch +hwmon-i5500_temp-fix-missing-pci_disable_device.patch +hwmon-ibmpex-fix-possible-uaf-when-ibmpex_register_b.patch +net-mlx5-fix-uninitialized-variable-bug-in-outlen_wr.patch +can-sja1000_isa-sja1000_isa_probe-add-missing-free_s.patch +can-cc770-cc770_isa_probe-add-missing-free_cc770dev.patch +qlcnic-fix-sleep-in-atomic-context-bugs-caused-by-ms.patch +net-phy-fix-null-ptr-deref-while-probe-failed.patch +net-net_netdev-fix-error-handling-in-ntb_netdev_init.patch +net-9p-fix-a-potential-socket-leak-in-p9_socket_open.patch +net-hsr-fix-potential-use-after-free.patch +packet-do-not-set-tp_status_csum_valid-on-checksum_c.patch +net-ethernet-renesas-ravb-fix-promiscuous-mode-after.patch +hwmon-coretemp-check-for-null-before-removing-sysfs-.patch +hwmon-coretemp-fix-pci-device-refcount-leak-in-nv1a_.patch +btrfs-qgroup-fix-sleep-from-invalid-context-bug-in-b.patch -- 2.47.3