4.4-stable patches

added patches:
	nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
	regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch

diff --git a/queue-4.4/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch b/queue-4.4/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
new file mode 100644 (file)
index 0000000..6474a53
--- /dev/null
+++ b/queue-4.4/nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch
@@ -0,0 +1,39 @@
+From 4a089e95b4d6bb625044d47aed0c442a8f7bd093 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Wed, 20 Oct 2021 12:11:16 -0700
+Subject: nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 4a089e95b4d6bb625044d47aed0c442a8f7bd093 upstream.
+
+nios2:allmodconfig builds fail with
+
+make[1]: *** No rule to make target 'arch/nios2/boot/dts/""',
+       needed by 'arch/nios2/boot/dts/built-in.a'.  Stop.
+make: [Makefile:1868: arch/nios2/boot/dts] Error 2 (ignored)
+
+This is seen with compile tests since those enable NIOS2_DTB_SOURCE_BOOL,
+which in turn enables NIOS2_DTB_SOURCE. This causes the build error
+because the default value for NIOS2_DTB_SOURCE is an empty string.
+Disable NIOS2_DTB_SOURCE_BOOL for compile tests to avoid the error.
+
+Fixes: 2fc8483fdcde ("nios2: Build infrastructure")
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Randy Dunlap <rdunlap@infradead.org>
+Signed-off-by: Dinh Nguyen <dinguyen@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/nios2/platform/Kconfig.platform |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/nios2/platform/Kconfig.platform
++++ b/arch/nios2/platform/Kconfig.platform
+@@ -37,6 +37,7 @@ config NIOS2_DTB_PHYS_ADDR
+ 
+ config NIOS2_DTB_SOURCE_BOOL
+       bool "Compile and link device tree into kernel image"
++      depends on !COMPILE_TEST
+       default n
+       help
+         This allows you to specify a dts (device tree source) file

diff --git a/queue-4.4/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch b/queue-4.4/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
new file mode 100644 (file)
index 0000000..fbf1cd4
--- /dev/null
+++ b/queue-4.4/regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
@@ -0,0 +1,70 @@
+From 55e6d8037805b3400096d621091dfbf713f97e83 Mon Sep 17 00:00:00 2001
+From: Yang Yingliang <yangyingliang@huawei.com>
+Date: Tue, 12 Oct 2021 10:37:35 +0800
+Subject: regmap: Fix possible double-free in regcache_rbtree_exit()
+
+From: Yang Yingliang <yangyingliang@huawei.com>
+
+commit 55e6d8037805b3400096d621091dfbf713f97e83 upstream.
+
+In regcache_rbtree_insert_to_block(), when 'present' realloc failed,
+the 'blk' which is supposed to assign to 'rbnode->block' will be freed,
+so 'rbnode->block' points a freed memory, in the error handling path of
+regcache_rbtree_init(), 'rbnode->block' will be freed again in
+regcache_rbtree_exit(), KASAN will report double-free as follows:
+
+BUG: KASAN: double-free or invalid-free in kfree+0xce/0x390
+Call Trace:
+ slab_free_freelist_hook+0x10d/0x240
+ kfree+0xce/0x390
+ regcache_rbtree_exit+0x15d/0x1a0
+ regcache_rbtree_init+0x224/0x2c0
+ regcache_init+0x88d/0x1310
+ __regmap_init+0x3151/0x4a80
+ __devm_regmap_init+0x7d/0x100
+ madera_spi_probe+0x10f/0x333 [madera_spi]
+ spi_probe+0x183/0x210
+ really_probe+0x285/0xc30
+
+To fix this, moving up the assignment of rbnode->block to immediately after
+the reallocation has succeeded so that the data structure stays valid even
+if the second reallocation fails.
+
+Reported-by: Hulk Robot <hulkci@huawei.com>
+Fixes: 3f4ff561bc88b ("regmap: rbtree: Make cache_present bitmap per node")
+Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
+Link: https://lore.kernel.org/r/20211012023735.1632786-1-yangyingliang@huawei.com
+Signed-off-by: Mark Brown <broonie@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/base/regmap/regcache-rbtree.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/base/regmap/regcache-rbtree.c
++++ b/drivers/base/regmap/regcache-rbtree.c
+@@ -296,14 +296,14 @@ static int regcache_rbtree_insert_to_blo
+       if (!blk)
+               return -ENOMEM;
+ 
++      rbnode->block = blk;
++
+       if (BITS_TO_LONGS(blklen) > BITS_TO_LONGS(rbnode->blklen)) {
+               present = krealloc(rbnode->cache_present,
+                                  BITS_TO_LONGS(blklen) * sizeof(*present),
+                                  GFP_KERNEL);
+-              if (!present) {
+-                      kfree(blk);
++              if (!present)
+                       return -ENOMEM;
+-              }
+ 
+               memset(present + BITS_TO_LONGS(rbnode->blklen), 0,
+                      (BITS_TO_LONGS(blklen) - BITS_TO_LONGS(rbnode->blklen))
+@@ -320,7 +320,6 @@ static int regcache_rbtree_insert_to_blo
+       }
+ 
+       /* update the rbnode block, its size and the base register */
+-      rbnode->block = blk;
+       rbnode->blklen = blklen;
+       rbnode->base_reg = base_reg;
+       rbnode->cache_present = present;

diff --git a/queue-4.4/series b/queue-4.4/series
index 4a7b39ba55d88b3276ce91b363bff914ab49dce9..7165e17f9ef28f490ec67f0559a022eb9ff0209e 100644 (file)
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -11,3 +11,5 @@ mmc-vub300-fix-control-message-timeouts.patch
 mmc-dw_mmc-exynos-fix-the-finding-clock-sample-value.patch
 mmc-sdhci-map-more-voltage-level-to-sdhci_power_330.patch
 net-lan78xx-fix-division-by-zero-in-send-path.patch
+regmap-fix-possible-double-free-in-regcache_rbtree_exit.patch
+nios2-make-nios2_dtb_source_bool-depend-on-compile_test.patch