From: Sasha Levin Date: Sun, 25 Dec 2022 03:33:11 +0000 (-0500) Subject: Fixes for 4.9 X-Git-Tag: v5.15.86~75 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=060df872c963118f54886192a35aadddaa146a18;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/acct-fix-potential-integer-overflow-in-encode_comp_t.patch b/queue-4.9/acct-fix-potential-integer-overflow-in-encode_comp_t.patch new file mode 100644 index 00000000000..403d9cb2b7f --- /dev/null +++ b/queue-4.9/acct-fix-potential-integer-overflow-in-encode_comp_t.patch @@ -0,0 +1,51 @@ +From 5668009ffdf80bcc62b13a7c91b47c369cc31a9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 22:06:31 +0800 +Subject: acct: fix potential integer overflow in encode_comp_t() + +From: Zheng Yejian + +[ Upstream commit c5f31c655bcc01b6da53b836ac951c1556245305 ] + +The integer overflow is descripted with following codes: + > 317 static comp_t encode_comp_t(u64 value) + > 318 { + > 319 int exp, rnd; + ...... + > 341 exp <<= MANTSIZE; + > 342 exp += value; + > 343 return exp; + > 344 } + +Currently comp_t is defined as type of '__u16', but the variable 'exp' is +type of 'int', so overflow would happen when variable 'exp' in line 343 is +greater than 65535. + +Link: https://lkml.kernel.org/r/20210515140631.369106-3-zhengyejian1@huawei.com +Signed-off-by: Zheng Yejian +Cc: Hanjun Guo +Cc: Randy Dunlap +Cc: Vlastimil Babka +Cc: Zhang Jinhao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + kernel/acct.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/kernel/acct.c b/kernel/acct.c +index 37f1dc696fbd..928ed84f50df 100644 +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -328,6 +328,8 @@ static comp_t encode_comp_t(unsigned long value) + exp++; + } + ++ if (exp > (((comp_t) ~0U) >> MANTSIZE)) ++ return (comp_t) ~0U; + /* + * Clean it up and polish it off. + */ +-- +2.35.1 + 
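Review bot: the saturation guard `if (exp > (((comp_t) ~0U) >> MANTSIZE)) return (comp_t) ~0U;` in the kernel/acct.c hunk silently clamps an oversized exponent to an all-ones comp_t with no comment saying that comp_t is 16 bits (as the message states) and that the clamp is intentional; add a one-line comment above the check so a later reader does not take it for a stray bounds check. The commit message also quotes `encode_comp_t(u64 value)` at lines 317-344, while the 4.9 hunk header reads `encode_comp_t(unsigned long value)` at line 328, so the quoted listing comes from a newer tree and the backport message should say so to avoid confusion.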
diff --git a/queue-4.9/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch b/queue-4.9/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch new file mode 100644 index 00000000000..6c8636abcea --- /dev/null +++ b/queue-4.9/acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch 
@@ -0,0 +1,68 @@ +From 7f7b29a901b1f5c3b9ede04799d3fc26db5403cb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 18:42:36 +0100 +Subject: ACPICA: Fix error code path in acpi_ds_call_control_method() + +From: Rafael J. Wysocki + +[ Upstream commit 404ec60438add1afadaffaed34bb5fe4ddcadd40 ] + +A use-after-free in acpi_ps_parse_aml() after a failing invocaion of +acpi_ds_call_control_method() is reported by KASAN [1] and code +inspection reveals that next_walk_state pushed to the thread by +acpi_ds_create_walk_state() is freed on errors, but it is not popped +from the thread beforehand. Thus acpi_ds_get_current_walk_state() +called by acpi_ps_parse_aml() subsequently returns it as the new +walk state which is incorrect. + +To address this, make acpi_ds_call_control_method() call +acpi_ds_pop_walk_state() to pop next_walk_state from the thread before +returning an error. + +Link: https://lore.kernel.org/linux-acpi/20221019073443.248215-1-chenzhongjin@huawei.com/ # [1] +Reported-by: Chen Zhongjin +Signed-off-by: Rafael J. 
Wysocki +Reviewed-by: Chen Zhongjin +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/dsmethod.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/acpi/acpica/dsmethod.c b/drivers/acpi/acpica/dsmethod.c +index 2b3210f42a46..b77d6b86e3f9 100644 +--- a/drivers/acpi/acpica/dsmethod.c ++++ b/drivers/acpi/acpica/dsmethod.c +@@ -547,7 +547,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + info = ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_evaluate_info)); + if (!info) { + status = AE_NO_MEMORY; +- goto cleanup; ++ goto pop_walk_state; + } + + info->parameters = &this_walk_state->operands[0]; +@@ -559,7 +559,7 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + + ACPI_FREE(info); + if (ACPI_FAILURE(status)) { +- goto cleanup; ++ goto pop_walk_state; + } + + /* +@@ -591,6 +591,12 @@ acpi_ds_call_control_method(struct acpi_thread_state *thread, + + return_ACPI_STATUS(status); + ++pop_walk_state: ++ ++ /* On error, pop the walk state to be deleted from thread */ ++ ++ acpi_ds_pop_walk_state(thread); ++ + cleanup: + + /* On error, we must terminate the method properly */ +-- +2.35.1 + diff --git a/queue-4.9/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch b/queue-4.9/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch new file mode 100644 index 00000000000..a83bf16ced6 --- /dev/null +++ b/queue-4.9/acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch 
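Review bot: the new `pop_walk_state:` label in the third drivers/acpi/acpica/dsmethod.c hunk deliberately falls through into `cleanup:` after `acpi_ds_pop_walk_state(thread);`, but nothing says so; extend the comment `/* On error, pop the walk state to be deleted from thread */` to mention the fall-through, because the two labels are only correct in this order. The two redirected `goto cleanup` sites (after `ACPI_ALLOCATE_ZEROED` and after `ACPI_FREE(info)`) are consistent with the message, but the hunks do not show the remaining `goto cleanup` users, so the backport should confirm that none of them can also be reached with next_walk_state still pushed.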
@@ -0,0 +1,70 @@ +From 11beb1c668e419866ba3653785681a2013c9f0fd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 16:05:14 +0800 +Subject: ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() + +From: Li Zetao + +[ Upstream commit 470188b09e92d83c5a997f25f0e8fb8cd2bc3469 ] + +There is an use-after-free reported by KASAN: + + BUG: KASAN: use-after-free in acpi_ut_remove_reference+0x3b/0x82 + Read of size 1 at addr ffff888112afc460 by task modprobe/2111 + CPU: 0 PID: 2111 Comm: modprobe Not tainted 6.1.0-rc7-dirty + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), + Call Trace: + + kasan_report+0xae/0xe0 + acpi_ut_remove_reference+0x3b/0x82 + acpi_ut_copy_iobject_to_iobject+0x3be/0x3d5 + acpi_ds_store_object_to_local+0x15d/0x3a0 + acpi_ex_store+0x78d/0x7fd + acpi_ex_opcode_1A_1T_1R+0xbe4/0xf9b + acpi_ps_parse_aml+0x217/0x8d5 + ... + + +The root cause of the problem is that the acpi_operand_object +is freed when acpi_ut_walk_package_tree() fails in +acpi_ut_copy_ipackage_to_ipackage(), lead to repeated release in +acpi_ut_copy_iobject_to_iobject(). The problem was introduced +by "8aa5e56eeb61" commit, this commit is to fix memory leak in +acpi_ut_copy_iobject_to_iobject(), repeatedly adding remove +operation, lead to "acpi_operand_object" used after free. + +Fix it by removing acpi_ut_remove_reference() in +acpi_ut_copy_ipackage_to_ipackage(). acpi_ut_copy_ipackage_to_ipackage() +is called to copy an internal package object into another internal +package object, when it fails, the memory of acpi_operand_object +should be freed by the caller. + +Fixes: 8aa5e56eeb61 ("ACPICA: Utilities: Fix memory leak in acpi_ut_copy_iobject_to_iobject") +Signed-off-by: Li Zetao +Signed-off-by: Rafael J. 
Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/acpica/utcopy.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/drivers/acpi/acpica/utcopy.c b/drivers/acpi/acpica/utcopy.c +index 82f971402d85..646e296e4c13 100644 +--- a/drivers/acpi/acpica/utcopy.c ++++ b/drivers/acpi/acpica/utcopy.c +@@ -950,13 +950,6 @@ acpi_ut_copy_ipackage_to_ipackage(union acpi_operand_object *source_obj, + status = acpi_ut_walk_package_tree(source_obj, dest_obj, + acpi_ut_copy_ielement_to_ielement, + walk_state); +- if (ACPI_FAILURE(status)) { +- +- /* On failure, delete the destination package object */ +- +- acpi_ut_remove_reference(dest_obj); +- } +- + return_ACPI_STATUS(status); + } + +-- +2.35.1 + diff --git a/queue-4.9/alpha-fix-syscall-entry-in-audut_syscall-case.patch b/queue-4.9/alpha-fix-syscall-entry-in-audut_syscall-case.patch new file mode 100644 index 00000000000..45811821636 --- /dev/null +++ b/queue-4.9/alpha-fix-syscall-entry-in-audut_syscall-case.patch 
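Review bot: removing the `acpi_ut_remove_reference(dest_obj)` block from acpi_ut_copy_ipackage_to_ipackage() also removes the only comment that described ownership on failure; add a short comment before `return_ACPI_STATUS(status);` stating that the caller releases dest_obj when acpi_ut_walk_package_tree() fails, as the commit message says, since the double release being fixed came from exactly that contract being implicit. The Fixes: line cites 8aa5e56eeb61, so the backport should verify that commit is present in the 4.9 tree before this one is queued.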
@@ -0,0 +1,40 @@ +From a293d76462d76a13771a25867b5d34ad8eef20d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 18 Sep 2021 18:18:48 -0400 +Subject: alpha: fix syscall entry in !AUDUT_SYSCALL case + +From: Al Viro + +[ Upstream commit f7b2431a6d22f7a91c567708e071dfcd6d66db14 ] + +We only want to take the slow path if SYSCALL_TRACE or SYSCALL_AUDIT is +set; on !AUDIT_SYSCALL configs the current tree hits it whenever _any_ +thread flag (including NEED_RESCHED, NOTIFY_SIGNAL, etc.) happens to +be set. + +Fixes: a9302e843944 "alpha: Enable system-call auditing support" +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + arch/alpha/kernel/entry.S | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/alpha/kernel/entry.S b/arch/alpha/kernel/entry.S +index 98703d99b565..d752ccc53b24 100644 +--- a/arch/alpha/kernel/entry.S ++++ b/arch/alpha/kernel/entry.S +@@ -468,8 +468,10 @@ entSys: + #ifdef CONFIG_AUDITSYSCALL + lda $6, _TIF_SYSCALL_TRACE | _TIF_SYSCALL_AUDIT + and $3, $6, $3 +-#endif + bne $3, strace ++#else ++ blbs $3, strace /* check for SYSCALL_TRACE in disguise */ ++#endif + beq $4, 1f + ldq $27, 0($5) + 1: jsr $26, ($27), alpha_ni_syscall +-- +2.35.1 + diff --git a/queue-4.9/alsa-asihpi-fix-missing-pci_disable_device.patch b/queue-4.9/alsa-asihpi-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..331ae7e41a5 --- /dev/null +++ b/queue-4.9/alsa-asihpi-fix-missing-pci_disable_device.patch 
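Review bot: the `#else` branch `blbs $3, strace` tests only the low bit of $3, so it silently depends on _TIF_SYSCALL_TRACE being thread-flag bit 0; the inline comment `check for SYSCALL_TRACE in disguise` hints at this but does not state the assumption, and a comment naming the bit (or a build-time assertion where the flag is defined) would keep a future flag renumbering from quietly reintroducing the wrong-path behaviour described in the message. The subject typo `!AUDUT_SYSCALL` (for !AUDIT_SYSCALL) also propagates into the queue filename.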
@@ -0,0 +1,37 @@ +From c5d2d33ae218abf86624b7e65e417a59b2331ed2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 10:14:29 +0800 +Subject: ALSA: asihpi: fix missing pci_disable_device() + +From: Liu Shixin + +[ Upstream commit 9d86515c3d4c0564a0c31a2df87d735353a1971e ] + +pci_disable_device() need be called while module exiting, switch to use +pcim_enable(), pci_disable_device() will be called in pcim_release(). + +Fixes: 3285ea10e9b0 ("ALSA: asihpi - Interrelated HPI tidy up.") +Signed-off-by: Liu Shixin +Link: https://lore.kernel.org/r/20221126021429.3029562-1-liushixin2@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/asihpi/hpioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/pci/asihpi/hpioctl.c b/sound/pci/asihpi/hpioctl.c +index 0d5ff00cdabc..90245f9d6c36 100644 +--- a/sound/pci/asihpi/hpioctl.c ++++ b/sound/pci/asihpi/hpioctl.c +@@ -355,7 +355,7 @@ int asihpi_adapter_probe(struct pci_dev *pci_dev, + pci_dev->device, pci_dev->subsystem_vendor, + pci_dev->subsystem_device, pci_dev->devfn); + +- if (pci_enable_device(pci_dev) < 0) { ++ if (pcim_enable_device(pci_dev) < 0) { + dev_err(&pci_dev->dev, + "pci_enable_device failed, disabling device\n"); + return -EIO; +-- +2.35.1 + diff --git a/queue-4.9/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch b/queue-4.9/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch new file mode 100644 index 00000000000..ebd65ccd66a --- /dev/null +++ b/queue-4.9/alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch 
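Review bot: the call is switched to `pcim_enable_device(pci_dev)` but the unchanged context line still logs `"pci_enable_device failed, disabling device\n"`; update the string to name pcim_enable_device so the error message matches the call it reports on. The commit message likewise says `switch to use pcim_enable()`, which is not the function used in the hunk; it should read pcim_enable_device().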
@@ -0,0 +1,103 @@ +From 8e319d98e803c3f774321114044d52e881b880ee Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 14:10:04 +0800 +Subject: ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt + +From: Gaosheng Cui + +[ Upstream commit cf2ea3c86ad90d63d1c572b43e1ca9276b0357ad ] + +I got a null-ptr-defer error report when I do the following tests +on the qemu platform: + +make defconfig and CONFIG_PARPORT=m, CONFIG_PARPORT_PC=m, +CONFIG_SND_MTS64=m + +Then making test scripts: +cat>test_mod1.sh< + snd_mts64_interrupt+0x24/0xa0 [snd_mts64] + parport_irq_handler+0x37/0x50 [parport] + __handle_irq_event_percpu+0x39/0x190 + handle_irq_event_percpu+0xa/0x30 + handle_irq_event+0x2f/0x50 + handle_edge_irq+0x99/0x1b0 + __common_interrupt+0x5d/0x100 + common_interrupt+0xa0/0xc0 + + + asm_common_interrupt+0x22/0x40 + RIP: 0010:_raw_write_unlock_irqrestore+0x11/0x30 + parport_claim+0xbd/0x230 [parport] + snd_mts64_probe+0x14a/0x465 [snd_mts64] + platform_probe+0x3f/0xa0 + really_probe+0x129/0x2c0 + __driver_probe_device+0x6d/0xc0 + driver_probe_device+0x1a/0xa0 + __device_attach_driver+0x7a/0xb0 + bus_for_each_drv+0x62/0xb0 + __device_attach+0xe4/0x180 + bus_probe_device+0x82/0xa0 + device_add+0x550/0x920 + platform_device_add+0x106/0x220 + snd_mts64_attach+0x2e/0x80 [snd_mts64] + port_check+0x14/0x20 [parport] + bus_for_each_dev+0x6e/0xc0 + __parport_register_driver+0x7c/0xb0 [parport] + snd_mts64_module_init+0x31/0x1000 [snd_mts64] + do_one_initcall+0x3c/0x1f0 + do_init_module+0x46/0x1c6 + load_module+0x1d8d/0x1e10 + __do_sys_finit_module+0xa2/0xf0 + do_syscall_64+0x37/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + + Kernel panic - not syncing: Fatal exception in interrupt + Rebooting in 1 seconds.. + +The mts wa not initialized during interrupt, we add check for +mts to fix this bug. 
+ +Fixes: 68ab801e32bb ("[ALSA] Add snd-mts64 driver for ESI Miditerminal 4140") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221206061004.1222966-1-cuigaosheng1@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/drivers/mts64.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/sound/drivers/mts64.c b/sound/drivers/mts64.c +index fd4d18df84d3..03b1b49c1afe 100644 +--- a/sound/drivers/mts64.c ++++ b/sound/drivers/mts64.c +@@ -830,6 +830,9 @@ static void snd_mts64_interrupt(void *private) + u8 status, data; + struct snd_rawmidi_substream *substream; + ++ if (!mts) ++ return; ++ + spin_lock(&mts->lock); + ret = mts64_read(mts->pardev->port); + data = ret & 0x00ff; +-- +2.35.1 + diff --git a/queue-4.9/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch b/queue-4.9/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch new file mode 100644 index 00000000000..cadd370795e --- /dev/null +++ b/queue-4.9/alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch 
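Review bot: the `if (!mts) return;` guard in snd_mts64_interrupt() stops the NULL dereference, but it is a plain load with no ordering against the probe path that publishes the private pointer, and the hunk alone does not show whether a non-NULL but partially initialised mts is possible while `parport_claim` runs from snd_mts64_probe (the path in the quoted trace); a comment explaining why NULL is the only state to guard against, or pointing at where the private data is published, would make the fix reviewable. Commit message nits: `null-ptr-defer` should be `null-ptr-deref`, `The mts wa not initialized` should read `was`, and the test script quoted after `cat>test_mod1.sh<` appears truncated in the message as shown.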
@@ -0,0 +1,66 @@ +From 698f6efd771401f533f0681ed8ba111e385b9ca7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 19:16:30 +0800 +Subject: ALSA: seq: fix undefined behavior in bit shift for + SNDRV_SEQ_FILTER_USE_EVENT + +From: Baisong Zhong + +[ Upstream commit cf59e1e4c79bf741905484cdb13c130b53576a16 ] + +Shifting signed 32-bit value by 31 bits is undefined, so changing +significant bit to unsigned. The UBSAN warning calltrace like below: + +UBSAN: shift-out-of-bounds in sound/core/seq/seq_clientmgr.c:509:22 +left shift of 1 by 31 places cannot be represented in type 'int' +... +Call Trace: + + dump_stack_lvl+0x8d/0xcf + ubsan_epilogue+0xa/0x44 + __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 + snd_seq_deliver_single_event.constprop.21+0x191/0x2f0 + snd_seq_deliver_event+0x1a2/0x350 + snd_seq_kernel_client_dispatch+0x8b/0xb0 + snd_seq_client_notify_subscription+0x72/0xa0 + snd_seq_ioctl_subscribe_port+0x128/0x160 + snd_seq_kernel_client_ctl+0xce/0xf0 + snd_seq_oss_create_client+0x109/0x15b + alsa_seq_oss_init+0x11c/0x1aa + do_one_initcall+0x80/0x440 + kernel_init_freeable+0x370/0x3c3 + kernel_init+0x1b/0x190 + ret_from_fork+0x1f/0x30 + + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Baisong Zhong +Link: https://lore.kernel.org/r/20221121111630.3119259-1-zhongbaisong@huawei.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + include/uapi/sound/asequencer.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/uapi/sound/asequencer.h b/include/uapi/sound/asequencer.h +index 7b7659a79ac4..98c8f6b56dff 100644 +--- a/include/uapi/sound/asequencer.h ++++ b/include/uapi/sound/asequencer.h +@@ -343,10 +343,10 @@ typedef int __bitwise snd_seq_client_type_t; + #define KERNEL_CLIENT ((__force snd_seq_client_type_t) 2) + + /* event filter flags */ +-#define SNDRV_SEQ_FILTER_BROADCAST (1<<0) /* accept broadcast messages */ +-#define SNDRV_SEQ_FILTER_MULTICAST (1<<1) /* accept multicast messages */ 
+-#define SNDRV_SEQ_FILTER_BOUNCE (1<<2) /* accept bounce event in error */ +-#define SNDRV_SEQ_FILTER_USE_EVENT (1<<31) /* use event filter */ ++#define SNDRV_SEQ_FILTER_BROADCAST (1U<<0) /* accept broadcast messages */ ++#define SNDRV_SEQ_FILTER_MULTICAST (1U<<1) /* accept multicast messages */ ++#define SNDRV_SEQ_FILTER_BOUNCE (1U<<2) /* accept bounce event in error */ ++#define SNDRV_SEQ_FILTER_USE_EVENT (1U<<31) /* use event filter */ + + struct snd_seq_client_info { + int client; /* client number to inquire */ +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch b/queue-4.9/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..82165760949 --- /dev/null +++ b/queue-4.9/arm-dts-armada-370-fix-assigned-addresses-for-every-.patch 
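Review bot: changing the four SNDRV_SEQ_FILTER_* macros from `(1<<n)` to `(1U<<n)` removes the undefined shift for bit 31, but this is a UAPI header, so the type of every expression built from these macros changes from int to unsigned int for user space as well; existing code that mixes them with a signed filter field may start warning about signed/unsigned comparison even though the values are unchanged. The commit message should state that the bit values are identical and name the type of the struct field these flags are stored in, which the hunk does not show (only `int client;` of `struct snd_seq_client_info` is visible).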
@@ -0,0 +1,40 @@ +From 3c1772adba466b73b6b306c8907d256ecd5da6a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:49 +0200 +Subject: ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d9208b0fa2e803d16b28d91bf1d46b7ee9ea13c6 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: a09a0b7c6ff1 ("arm: mvebu: add PCIe Device Tree informations for Armada 370") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-370.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/armada-370.dtsi b/arch/arm/boot/dts/armada-370.dtsi +index b4258105e91f..b00e328b54a1 100644 +--- a/arch/arm/boot/dts/armada-370.dtsi ++++ b/arch/arm/boot/dts/armada-370.dtsi +@@ -108,7 +108,7 @@ pcie@1,0 { + + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch b/queue-4.9/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..518353c8435 --- /dev/null +++ b/queue-4.9/arm-dts-armada-375-fix-assigned-addresses-for-every-.patch 
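Review bot: the corrected first cell `0x82001000` in pcie@2,0 carries the same bus/device/function bits as the node's own `reg = <0x1000 0 0 0 0>` (device 2, function 0), whereas the old `0x82002800` encoded device 5, so the change follows the rule stated in the message; one sentence in the commit message spelling that rule out as "phys.hi of assigned-addresses must equal the first reg cell" would let reviewers check the remaining Armada patches in this series by inspection.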
@@ -0,0 +1,40 @@ +From 0f21842489ea2911299cb77ec07c1bdde5228d82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:51 +0200 +Subject: ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 823956d2436f70ced74c0fe8ab99facd8abfc060 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 4de59085091f ("ARM: mvebu: add Device Tree description of the Armada 375 SoC") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-375.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/armada-375.dtsi b/arch/arm/boot/dts/armada-375.dtsi +index 024f1b75b0a3..681c8458c8f2 100644 +--- a/arch/arm/boot/dts/armada-375.dtsi ++++ b/arch/arm/boot/dts/armada-375.dtsi +@@ -618,7 +618,7 @@ pcie@1,0 { + + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch b/queue-4.9/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..4eacd330fec --- /dev/null +++ b/queue-4.9/arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch 
@@ -0,0 +1,81 @@ +From 9eff9f830bf5f2654584a0dea93cfce8146a2b87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:52 +0200 +Subject: ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 44f47b7a8fa4678ce4c38ea74837e4996b9df6d6 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 0d3d96ab0059 ("ARM: mvebu: add Device Tree description of the Armada 380/385 SoCs") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-380.dtsi | 4 ++-- + arch/arm/boot/dts/armada-385.dtsi | 6 +++--- + 2 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-380.dtsi b/arch/arm/boot/dts/armada-380.dtsi +index 5102d19cc8f4..43477ca6eaa3 100644 +--- a/arch/arm/boot/dts/armada-380.dtsi ++++ b/arch/arm/boot/dts/armada-380.dtsi +@@ -115,7 +115,7 @@ pcie@1,0 { + /* x1 port */ + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -133,7 +133,7 @@ pcie@2,0 { + /* x1 port */ + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +diff --git a/arch/arm/boot/dts/armada-385.dtsi b/arch/arm/boot/dts/armada-385.dtsi +index 8e67d2c083dd..0451bc14386c 100644 +--- a/arch/arm/boot/dts/armada-385.dtsi ++++ b/arch/arm/boot/dts/armada-385.dtsi +@@ -126,7 +126,7 @@ pcie@1,0 { + /* x1 port */ + pcie@2,0 { + device_type = "pci"; +- 
assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -144,7 +144,7 @@ pcie@2,0 { + /* x1 port */ + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -165,7 +165,7 @@ pcie@3,0 { + */ + pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch b/queue-4.9/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch new file mode 100644 index 00000000000..72529fc1ad4 --- /dev/null +++ b/queue-4.9/arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch 
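Review bot: all three changed ports in armada-380.dtsi and armada-385.dtsi previously carried `0x82000800`, the device 1 value belonging to pcie@1,0, which points to a copy-paste origin; the new cells `0x82001000`, `0x82001800` and `0x82002000` encode devices 2, 3 and 4 and match each node's first `reg` cell (`0x1000`, `0x1800`, `0x2000`). The pcie@2,0 and pcie@3,0 hunks are identical in content across the two files, so a note in the message that the two dtsi files are intentionally kept in sync would help anyone who later touches only one of them.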
@@ -0,0 +1,58 @@ +From e3f65c62a57b5085b5f94030c30f8fe64e93f519 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:53 +0200 +Subject: ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit 69236d2391b4d7324b11c3252921571577892e7b ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 538da83ddbea ("ARM: mvebu: add Device Tree files for Armada 39x SoC and board") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-39x.dtsi | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi +index aeecfa7e5ea3..3ca83e37112b 100644 +--- a/arch/arm/boot/dts/armada-39x.dtsi ++++ b/arch/arm/boot/dts/armada-39x.dtsi +@@ -492,7 +492,7 @@ pcie@1,0 { + /* x1 port */ + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x40000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x40000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -510,7 +510,7 @@ pcie@2,0 { + /* x1 port */ + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x44000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -531,7 +531,7 @@ pcie@3,0 { + */ + pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x48000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + 
diff --git a/queue-4.9/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch b/queue-4.9/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch new file mode 100644 index 00000000000..7055d41cc1d --- /dev/null +++ b/queue-4.9/arm-dts-armada-39x-fix-compatible-string-for-gpios.patch @@ -0,0 +1,52 @@ +From 10f754198eeb53259a63cc30bbf37828a470f0e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 14 Jul 2022 20:33:28 +0200 +Subject: ARM: dts: armada-39x: Fix compatible string for gpios +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit d10886a4e6f85ee18d47a1066a52168461370ded ] + +Armada 39x supports per CPU interrupts for gpios, like Armada XP. + +So add compatible string "marvell,armadaxp-gpio" for Armada 39x GPIO nodes. + +Driver gpio-mvebu.c which handles both pre-XP and XP variants already +provides support for per CPU interrupts on XP and newer variants. + +Signed-off-by: Pali Rohár +Fixes: d81a914fc630 ("ARM: dts: mvebu: armada-39x: add missing nodes describing GPIO's") +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-39x.dtsi | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-39x.dtsi b/arch/arm/boot/dts/armada-39x.dtsi +index 3ca83e37112b..9155075eaa8a 100644 +--- a/arch/arm/boot/dts/armada-39x.dtsi ++++ b/arch/arm/boot/dts/armada-39x.dtsi +@@ -253,7 +253,7 @@ nand_pins: nand-pins { + }; + + gpio0: gpio@18100 { +- compatible = "marvell,orion-gpio"; ++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio"; + reg = <0x18100 0x40>; + ngpios = <32>; + gpio-controller; +@@ -267,7 +267,7 @@ gpio0: gpio@18100 { + }; + + gpio1: gpio@18140 { +- compatible = "marvell,orion-gpio"; ++ compatible = "marvell,armadaxp-gpio", "marvell,orion-gpio"; + reg = <0x18140 0x40>; + ngpios = <28>; + gpio-controller; +-- +2.35.1 + 
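Review bot: the file header `index 3ca83e37112b..9155075eaa8a` takes as its pre-image the blob `3ca83e37112b` that is the post-image of the preceding queue entry (arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch ends with `index aeecfa7e5ea3..3ca83e37112b`), so this patch applies cleanly only after that one; the series order in queue-4.9 should preserve that dependency. Trailer nit: the `Fixes:` line sits between the author's Signed-off-by and the maintainer's, where it is normally placed before the first Signed-off-by.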
diff --git a/queue-4.9/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch b/queue-4.9/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch new file mode 100644 index 00000000000..8e3e92bb60c --- /dev/null +++ b/queue-4.9/arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch 
@@ -0,0 +1,146 @@ +From 74b7a6ec86c6635d64fb8f1a4cac9bd8e2852bfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:50 +0200 +Subject: ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit eab276787f456cbea89fabea110fe0728673d308 ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 9d8f44f02d4a ("arm: mvebu: add PCIe Device Tree informations for Armada XP") +Fixes: 12b69a599745 ("ARM: mvebu: second PCIe unit of Armada XP mv78230 is only x1 capable") +Fixes: 2163e61c92d9 ("ARM: mvebu: fix second and third PCIe unit of Armada XP mv78260") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/armada-xp-mv78230.dtsi | 8 ++++---- + arch/arm/boot/dts/armada-xp-mv78260.dtsi | 16 ++++++++-------- + 2 files changed, 12 insertions(+), 12 deletions(-) + +diff --git a/arch/arm/boot/dts/armada-xp-mv78230.dtsi b/arch/arm/boot/dts/armada-xp-mv78230.dtsi +index 6e6d0f04bf2b..b6e787b994ad 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78230.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78230.dtsi +@@ -133,7 +133,7 @@ pcie@1,0 { + + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -150,7 +150,7 @@ pcie@2,0 { + + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -167,7 +167,7 @@ pcie@3,0 { + + pcie@4,0 { + device_type = "pci"; +- assigned-addresses = 
<0x82000800 0 0x4c000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -184,7 +184,7 @@ pcie@4,0 { + + pcie@5,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; + reg = <0x2800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +diff --git a/arch/arm/boot/dts/armada-xp-mv78260.dtsi b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +index c5fdc99f0dbe..a4856b05440a 100644 +--- a/arch/arm/boot/dts/armada-xp-mv78260.dtsi ++++ b/arch/arm/boot/dts/armada-xp-mv78260.dtsi +@@ -148,7 +148,7 @@ pcie@1,0 { + + pcie@2,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x44000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x44000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -165,7 +165,7 @@ pcie@2,0 { + + pcie@3,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x48000 0 0x2000>; ++ assigned-addresses = <0x82001800 0 0x48000 0 0x2000>; + reg = <0x1800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -182,7 +182,7 @@ pcie@3,0 { + + pcie@4,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x4c000 0 0x2000>; ++ assigned-addresses = <0x82002000 0 0x4c000 0 0x2000>; + reg = <0x2000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -199,7 +199,7 @@ pcie@4,0 { + + pcie@5,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; + reg = <0x2800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -216,7 +216,7 @@ pcie@5,0 { + + pcie@6,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x84000 0 0x2000>; ++ assigned-addresses = <0x82003000 0 0x84000 0 0x2000>; + reg = <0x3000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -233,7 +233,7 @@ pcie@6,0 { + + pcie@7,0 { + device_type = "pci"; +- 
assigned-addresses = <0x82000800 0 0x88000 0 0x2000>; ++ assigned-addresses = <0x82003800 0 0x88000 0 0x2000>; + reg = <0x3800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -250,7 +250,7 @@ pcie@7,0 { + + pcie@8,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x8c000 0 0x2000>; ++ assigned-addresses = <0x82004000 0 0x8c000 0 0x2000>; + reg = <0x4000 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +@@ -267,7 +267,7 @@ pcie@8,0 { + + pcie@9,0 { + device_type = "pci"; +- assigned-addresses = <0x82000800 0 0x42000 0 0x2000>; ++ assigned-addresses = <0x82004800 0 0x42000 0 0x2000>; + reg = <0x4800 0 0 0 0>; + #address-cells = <3>; + #size-cells = <2>; +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch b/queue-4.9/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch new file mode 100644 index 00000000000..a2a5b89a230 --- /dev/null +++ b/queue-4.9/arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch 
@@ -0,0 +1,40 @@ +From 3e164f720df5cc18f9299c8a132d1da139bd39c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 18 Aug 2022 00:30:48 +0200 +Subject: ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Pali Rohár + +[ Upstream commit dcc7d8c72b64a479b8017e4332d99179deb8802d ] + +BDF of resource in DT assigned-addresses property of Marvell PCIe Root Port +(PCI-to-PCI bridge) should match BDF in address part in that DT node name +as specified resource belongs to Marvell PCIe Root Port itself. + +Fixes: 74ecaa403a74 ("ARM: dove: add PCIe controllers to SoC DT") +Signed-off-by: Pali Rohár +Signed-off-by: Gregory CLEMENT +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/dove.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/dove.dtsi b/arch/arm/boot/dts/dove.dtsi +index 11342aeccb73..278c7321b1b9 100644 +--- a/arch/arm/boot/dts/dove.dtsi ++++ b/arch/arm/boot/dts/dove.dtsi +@@ -127,7 +127,7 @@ pcie0: pcie-port@0 { + pcie1: pcie-port@1 { + device_type = "pci"; + status = "disabled"; +- assigned-addresses = <0x82002800 0 0x80000 0 0x2000>; ++ assigned-addresses = <0x82001000 0 0x80000 0 0x2000>; + reg = <0x1000 0 0 0 0>; + clocks = <&gate_clk 5>; + marvell,pcie-port = <1>; +-- +2.35.1 + diff --git a/queue-4.9/arm-dts-spear600-fix-clcd-interrupt.patch b/queue-4.9/arm-dts-spear600-fix-clcd-interrupt.patch new file mode 100644 index 00000000000..366510e4ae3 --- /dev/null +++ b/queue-4.9/arm-dts-spear600-fix-clcd-interrupt.patch 
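Review bot: the new value `0x82001000` agrees with the node's `reg = <0x1000 0 0 0 0>` (device 2, function 0), replacing `0x82002800` (device 5), but the message's rationale that the BDF should match the address part of the node name does not hold literally for this file, because the dove node is named `pcie1: pcie-port@1` after the port index rather than after the BDF; the message for the dove change should say the BDF must match `reg`, which is the property the edit actually aligns with.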
@@ -0,0 +1,37 @@ +From 5d2ccbeb81cd62745e2edafc5b6eeae93e01d481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 18:10:06 +0100 +Subject: arm: dts: spear600: Fix clcd interrupt + +From: Kory Maincent + +[ Upstream commit 0336e2ce34e7a89832b6c214f924eb7bc58940be ] + +Interrupt 12 of the Interrupt controller belongs to the SMI controller, +the right one for the display controller is the interrupt 13. + +Fixes: 8113ba917dfa ("ARM: SPEAr: DT: Update device nodes") +Signed-off-by: Kory Maincent +Acked-by: Viresh Kumar +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/spear600.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/spear600.dtsi b/arch/arm/boot/dts/spear600.dtsi +index bd379034993c..89318273d787 100644 +--- a/arch/arm/boot/dts/spear600.dtsi ++++ b/arch/arm/boot/dts/spear600.dtsi +@@ -53,7 +53,7 @@ clcd@fc200000 { + compatible = "arm,pl110", "arm,primecell"; + reg = <0xfc200000 0x1000>; + interrupt-parent = <&vic1>; +- interrupts = <12>; ++ interrupts = <13>; + status = "disabled"; + }; + +-- +2.35.1 + diff --git a/queue-4.9/arm-mmp-fix-timer_read-delay.patch b/queue-4.9/arm-mmp-fix-timer_read-delay.patch new file mode 100644 index 00000000000..3f3fcd1f0cf --- /dev/null +++ b/queue-4.9/arm-mmp-fix-timer_read-delay.patch 
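Review bot: the interrupts = <12> to <13> change is trivially correct as far as the hunk shows, but the only justification is one sentence in the commit message. Point at the SPEAr600 interrupt map in the reference manual, or at the SMI node in the same dtsi that already claims vic1 interrupt 12, so that a reader can verify why 13 is the right line without the hardware in front of them.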
@@ -0,0 +1,59 @@ +From 776cea7d6d73c6e76777727cb4ddd93e00caad61 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 16:51:17 -0800 +Subject: ARM: mmp: fix timer_read delay + +From: Doug Brown + +[ Upstream commit e348b4014c31041e13ff370669ba3348c4d385e3 ] + +timer_read() was using an empty 100-iteration loop to wait for the +TMR_CVWR register to capture the latest timer counter value. The delay +wasn't long enough. This resulted in CPU idle time being extremely +underreported on PXA168 with CONFIG_NO_HZ_IDLE=y. + +Switch to the approach used in the vendor kernel, which implements the +capture delay by reading TMR_CVWR a few times instead. + +Fixes: 49cbe78637eb ("[ARM] pxa: add base support for Marvell's PXA168 processor line") +Signed-off-by: Doug Brown +Link: https://lore.kernel.org/r/20221204005117.53452-3-doug@schmorgal.com +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + arch/arm/mach-mmp/time.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-mmp/time.c b/arch/arm/mach-mmp/time.c +index 3c2c92aaa0ae..f06220a4b2e2 100644 +--- a/arch/arm/mach-mmp/time.c ++++ b/arch/arm/mach-mmp/time.c +@@ -52,18 +52,21 @@ + static void __iomem *mmp_timer_base = TIMERS_VIRT_BASE; + + /* +- * FIXME: the timer needs some delay to stablize the counter capture ++ * Read the timer through the CVWR register. Delay is required after requesting ++ * a read. The CR register cannot be directly read due to metastability issues ++ * documented in the PXA168 software manual. + */ + static inline uint32_t timer_read(void) + { +- int delay = 100; ++ uint32_t val; ++ int delay = 3; + + __raw_writel(1, mmp_timer_base + TMR_CVWR(1)); + + while (delay--) +- cpu_relax(); ++ val = __raw_readl(mmp_timer_base + TMR_CVWR(1)); + +- return __raw_readl(mmp_timer_base + TMR_CVWR(1)); ++ return val; + } + + static u64 notrace mmp_read_sched_clock(void) +-- +2.35.1 + 
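Review bot: in the new timer_read(), val is assigned only inside the while (delay--) loop. With delay = 3 the loop always runs, but the compiler cannot see that through the post-decrement and may warn that val is maybe-uninitialized, and a future edit that sets delay to 0 would silently return stack garbage. Initialise it (uint32_t val = 0;) or restructure as a fixed-count for loop that ends with one explicit final read, and add a one-line comment saying where the count of 3 reads comes from (the vendor kernel the commit message cites), since the old FIXME that documented the intent is being removed.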
diff --git a/queue-4.9/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch b/queue-4.9/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch new file mode 100644 index 00000000000..6e37ff03c1c --- /dev/null +++ b/queue-4.9/asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch 
@@ -0,0 +1,64 @@ +From b483df56f59f4c82f60c1cc74264fd4b94d607ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 29 Sep 2022 00:04:02 +0800 +Subject: ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe + +From: Zhang Qilong + +[ Upstream commit 97b801be6f8e53676b9f2b105f54e35c745c1b22 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. We fix it by going to +err_pm instead of err_clk. + +Fixes:f086ba9d5389c ("ASoC: pcm512x: Support mastering BCLK/LRCLK using the PLL") + +Signed-off-by: Zhang Qilong +Link: https://lore.kernel.org/r/20220928160402.126140-1-zhangqilong3@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/pcm512x.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/sound/soc/codecs/pcm512x.c b/sound/soc/codecs/pcm512x.c +index c0807b82399a..614d39258e40 100644 +--- a/sound/soc/codecs/pcm512x.c ++++ b/sound/soc/codecs/pcm512x.c +@@ -1475,7 +1475,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + if (val > 6) { + dev_err(dev, "Invalid pll-in\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + pcm512x->pll_in = val; + } +@@ -1484,7 +1484,7 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + if (val > 6) { + dev_err(dev, "Invalid pll-out\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + pcm512x->pll_out = val; + } +@@ -1493,12 +1493,12 @@ int pcm512x_probe(struct device *dev, struct regmap *regmap) + dev_err(dev, + "Error: both pll-in and pll-out, or none\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + if (pcm512x->pll_in && pcm512x->pll_in == pcm512x->pll_out) { + dev_err(dev, "Error: pll-in == pll-out\n"); + ret = -EINVAL; +- goto err_clk; ++ goto err_pm; + } + } + #endif +-- +2.35.1 + 
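Review bot: the four hunks only retarget gotos; the err_pm label itself is outside the diff. Confirm that err_pm calls pm_runtime_disable() and then falls through into err_clk, and that pm_runtime_enable() runs before the first of these four error sites, otherwise the redirect either fails to undo the enable or undoes one that has not happened yet. Also, the Fixes: tag is missing the space after the colon that checkpatch expects.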
diff --git a/queue-4.9/asoc-pxa-fix-null-pointer-dereference-in-filter.patch b/queue-4.9/asoc-pxa-fix-null-pointer-dereference-in-filter.patch new file mode 100644 index 00000000000..f8a617f1468 --- /dev/null +++ b/queue-4.9/asoc-pxa-fix-null-pointer-dereference-in-filter.patch @@ -0,0 +1,37 @@ +From 8d019ec11a9a963cb78aaef73cb38b8e54c185a2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 16:56:29 +0800 +Subject: ASoC: pxa: fix null-pointer dereference in filter() + +From: Zeng Heng + +[ Upstream commit ec7bf231aaa1bdbcb69d23bc50c753c80fb22429 ] + +kasprintf() would return NULL pointer when kmalloc() fail to allocate. +Need to check the return pointer before calling strcmp(). + +Fixes: 7a824e214e25 ("ASoC: mmp: add audio dma support") +Signed-off-by: Zeng Heng +Link: https://lore.kernel.org/r/20221114085629.1910435-1-zengheng4@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/pxa/mmp-pcm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/soc/pxa/mmp-pcm.c b/sound/soc/pxa/mmp-pcm.c +index 96df9b2d8fc4..d32a276e9205 100644 +--- a/sound/soc/pxa/mmp-pcm.c ++++ b/sound/soc/pxa/mmp-pcm.c +@@ -88,7 +88,7 @@ static bool filter(struct dma_chan *chan, void *param) + + devname = kasprintf(GFP_KERNEL, "%s.%d", dma_data->dma_res->name, + dma_data->ssp_id); +- if ((strcmp(dev_name(chan->device->dev), devname) == 0) && ++ if (devname && (strcmp(dev_name(chan->device->dev), devname) == 0) && + (chan->chan_id == dma_data->dma_res->start)) { + found = true; + } +-- +2.35.1 + diff --git a/queue-4.9/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch b/queue-4.9/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch new file mode 100644 index 00000000000..642e7b3393c --- /dev/null +++ b/queue-4.9/binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch 
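Review bot: the added devname && guard stops the NULL dereference inside strcmp(), but the hunk does not show where devname is released; check that the kfree(devname) after this block still runs on the allocation-failure path (kfree(NULL) is a safe no-op) and that having the filter return false on ENOMEM is the intended outcome, since a transient allocation failure now looks to the DMA engine core like "no matching channel" rather than an error.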
@@ -0,0 +1,61 @@ +From 1ae779b296b553927bb5cf7961e5a97c4e142462 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 10:51:23 +0800 +Subject: binfmt_misc: fix shift-out-of-bounds in check_special_flags + +From: Liu Shixin + +[ Upstream commit 6a46bf558803dd2b959ca7435a5c143efe837217 ] + +UBSAN reported a shift-out-of-bounds warning: + + left shift of 1 by 31 places cannot be represented in type 'int' + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x8d/0xcf lib/dump_stack.c:106 + ubsan_epilogue+0xa/0x44 lib/ubsan.c:151 + __ubsan_handle_shift_out_of_bounds+0x1e7/0x208 lib/ubsan.c:322 + check_special_flags fs/binfmt_misc.c:241 [inline] + create_entry fs/binfmt_misc.c:456 [inline] + bm_register_write+0x9d3/0xa20 fs/binfmt_misc.c:654 + vfs_write+0x11e/0x580 fs/read_write.c:582 + ksys_write+0xcf/0x120 fs/read_write.c:637 + do_syscall_x64 arch/x86/entry/common.c:50 [inline] + do_syscall_64+0x34/0x80 arch/x86/entry/common.c:80 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + RIP: 0033:0x4194e1 + +Since the type of Node's flags is unsigned long, we should define these +macros with same type too. 
+ +Signed-off-by: Liu Shixin +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102025123.1117184-1-liushixin2@huawei.com +Signed-off-by: Sasha Levin +--- + fs/binfmt_misc.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/binfmt_misc.c b/fs/binfmt_misc.c +index 2bda9245cabe..558e4007131e 100644 +--- a/fs/binfmt_misc.c ++++ b/fs/binfmt_misc.c +@@ -42,10 +42,10 @@ static LIST_HEAD(entries); + static int enabled = 1; + + enum {Enabled, Magic}; +-#define MISC_FMT_PRESERVE_ARGV0 (1 << 31) +-#define MISC_FMT_OPEN_BINARY (1 << 30) +-#define MISC_FMT_CREDENTIALS (1 << 29) +-#define MISC_FMT_OPEN_FILE (1 << 28) ++#define MISC_FMT_PRESERVE_ARGV0 (1UL << 31) ++#define MISC_FMT_OPEN_BINARY (1UL << 30) ++#define MISC_FMT_CREDENTIALS (1UL << 29) ++#define MISC_FMT_OPEN_FILE (1UL << 28) + + typedef struct { + struct list_head list; +-- +2.35.1 + diff --git a/queue-4.9/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch b/queue-4.9/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch new file mode 100644 index 00000000000..d28777e0d05 --- /dev/null +++ b/queue-4.9/blk-mq-fix-possible-memleak-when-register-hctx-faile.patch 
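Review bot: switching the four MISC_FMT_* macros to 1UL makes the shifts well-defined and matches the unsigned long flags field the commit message describes; the UBSAN report was specifically about 1 << 31 in int. One thing to double-check outside the hunk: any place that stores or compares these flags through an int (for example a local in check_special_flags(), which the UBSAN trace names), since narrowing 1UL << 31 back to int reintroduces the sign problem the patch is removing.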
@@ -0,0 +1,86 @@ +From 2376c7bcba8d99f72f134c536458d23c47a62790 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 10:29:40 +0800 +Subject: blk-mq: fix possible memleak when register 'hctx' failed + +From: Ye Bin + +[ Upstream commit 4b7a21c57b14fbcd0e1729150189e5933f5088e9 ] + +There's issue as follows when do fault injection test: +unreferenced object 0xffff888132a9f400 (size 512): + comm "insmod", pid 308021, jiffies 4324277909 (age 509.733s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 08 f4 a9 32 81 88 ff ff ...........2.... + 08 f4 a9 32 81 88 ff ff 00 00 00 00 00 00 00 00 ...2............ + backtrace: + [<00000000e8952bb4>] kmalloc_node_trace+0x22/0xa0 + [<00000000f9980e0f>] blk_mq_alloc_and_init_hctx+0x3f1/0x7e0 + [<000000002e719efa>] blk_mq_realloc_hw_ctxs+0x1e6/0x230 + [<000000004f1fda40>] blk_mq_init_allocated_queue+0x27e/0x910 + [<00000000287123ec>] __blk_mq_alloc_disk+0x67/0xf0 + [<00000000a2a34657>] 0xffffffffa2ad310f + [<00000000b173f718>] 0xffffffffa2af824a + [<0000000095a1dabb>] do_one_initcall+0x87/0x2a0 + [<00000000f32fdf93>] do_init_module+0xdf/0x320 + [<00000000cbe8541e>] load_module+0x3006/0x3390 + [<0000000069ed1bdb>] __do_sys_finit_module+0x113/0x1b0 + [<00000000a1a29ae8>] do_syscall_64+0x35/0x80 + [<000000009cd878b0>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +Fault injection context as follows: + kobject_add + blk_mq_register_hctx + blk_mq_sysfs_register + blk_register_queue + device_add_disk + null_add_dev.part.0 [null_blk] + +As 'blk_mq_register_hctx' may already add some objects when failed halfway, +but there isn't do fallback, caller don't know which objects add failed. +To solve above issue just do fallback when add objects failed halfway in +'blk_mq_register_hctx'. 
+ +Signed-off-by: Ye Bin +Reviewed-by: Ming Lei +Link: https://lore.kernel.org/r/20221117022940.873959-1-yebin@huaweicloud.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + block/blk-mq-sysfs.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/block/blk-mq-sysfs.c b/block/blk-mq-sysfs.c +index 5b64d9d7d147..fc9362e0a118 100644 +--- a/block/blk-mq-sysfs.c ++++ b/block/blk-mq-sysfs.c +@@ -380,7 +380,7 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) + { + struct request_queue *q = hctx->queue; + struct blk_mq_ctx *ctx; +- int i, ret; ++ int i, j, ret; + + if (!hctx->nr_ctx) + return 0; +@@ -392,9 +392,16 @@ static int blk_mq_register_hctx(struct blk_mq_hw_ctx *hctx) + hctx_for_each_ctx(hctx, ctx, i) { + ret = kobject_add(&ctx->kobj, &hctx->kobj, "cpu%u", ctx->cpu); + if (ret) +- break; ++ goto out; + } + ++ return 0; ++out: ++ hctx_for_each_ctx(hctx, ctx, j) { ++ if (j < i) ++ kobject_del(&ctx->kobj); ++ } ++ kobject_del(&hctx->kobj); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.9/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch b/queue-4.9/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch new file mode 100644 index 00000000000..15034496a50 --- /dev/null +++ b/queue-4.9/blktrace-fix-output-non-blktrace-event-when-blk_clas.patch 
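Review bot: the unwind loop under the new out: label walks every ctx and tests j < i on each one, so it could simply break once j reaches i (kobjects at j >= i were never added). More importantly, kobject_del(&hctx->kobj) in the same path assumes hctx->kobj was successfully added earlier in this function; that kobject_add() is not in the hunk, so confirm the only jumps to out: occur after it, and that the caller of blk_mq_register_hctx() does not also del the hctx kobject on error, which would now be a double del.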
@@ -0,0 +1,47 @@ +From c033b2edcc10731161935411efe71f351a4feae1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 12:04:10 +0800 +Subject: blktrace: Fix output non-blktrace event when blk_classic option + enabled + +From: Yang Jihong + +[ Upstream commit f596da3efaf4130ff61cd029558845808df9bf99 ] + +When the blk_classic option is enabled, non-blktrace events must be +filtered out. Otherwise, events of other types are output in the blktrace +classic format, which is unexpected. + +The problem can be triggered in the following ways: + + # echo 1 > /sys/kernel/debug/tracing/options/blk_classic + # echo 1 > /sys/kernel/debug/tracing/events/enable + # echo blk > /sys/kernel/debug/tracing/current_tracer + # cat /sys/kernel/debug/tracing/trace_pipe + +Fixes: c71a89615411 ("blktrace: add ftrace plugin") +Signed-off-by: Yang Jihong +Link: https://lore.kernel.org/r/20221122040410.85113-1-yangjihong1@huawei.com +Signed-off-by: Jens Axboe +Signed-off-by: Sasha Levin +--- + kernel/trace/blktrace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c +index 056107787f4a..c6b58ff8ea72 100644 +--- a/kernel/trace/blktrace.c ++++ b/kernel/trace/blktrace.c +@@ -1517,7 +1517,8 @@ blk_trace_event_print_binary(struct trace_iterator *iter, int flags, + + static enum print_line_t blk_tracer_print_line(struct trace_iterator *iter) + { +- if (!(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC)) ++ if ((iter->ent->type != TRACE_BLK) || ++ !(blk_tracer_flags.val & TRACE_BLK_OPT_CLASSIC)) + return TRACE_TYPE_UNHANDLED; + + return print_one_line(iter, true); +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch b/queue-4.9/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch new file mode 100644 index 00000000000..dc0f93aff86 --- /dev/null +++ b/queue-4.9/bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch 
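Review bot: the extra iter->ent->type != TRACE_BLK test makes blk_tracer_print_line() hand non-blktrace events back to the generic printer instead of pushing them through print_one_line(). The hunk header shows a sibling blk_trace_event_print_binary() directly above; check whether that callback, and any other blk tracer print entry points, need the same guard, because the reproducer in the commit message enables every event and the same mixed stream reaches them.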
@@ -0,0 +1,45 @@ +From 09b423c6c3d0f4756e7c79cf96cd7df684d30017 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 20:59:10 +0800 +Subject: Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit b15a6bd3c80c77faec8317319b97f976b1a08332 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 803b58367ffb ("Bluetooth: btusb: Implement driver internal packet reassembly") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/btusb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c +index 2069080191ee..532e492f92e0 100644 +--- a/drivers/bluetooth/btusb.c ++++ b/drivers/bluetooth/btusb.c +@@ -440,13 +440,13 @@ static inline void btusb_free_frags(struct btusb_data *data) + + spin_lock_irqsave(&data->rxlock, flags); + +- kfree_skb(data->evt_skb); ++ dev_kfree_skb_irq(data->evt_skb); + data->evt_skb = NULL; + +- kfree_skb(data->acl_skb); ++ dev_kfree_skb_irq(data->acl_skb); + data->acl_skb = NULL; + +- kfree_skb(data->sco_skb); ++ dev_kfree_skb_irq(data->sco_skb); + data->sco_skb = NULL; + + spin_unlock_irqrestore(&data->rxlock, flags); +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch b/queue-4.9/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..9e20319ac9a --- /dev/null +++ b/queue-4.9/bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch 
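Review bot: the three replaced calls run between spin_lock_irqsave() and spin_unlock_irqrestore() on data->rxlock, and each pointer is set to NULL immediately afterwards, so any of evt_skb, acl_skb or sco_skb can already be NULL when btusb_free_frags() is entered. kfree_skb() tolerates NULL; confirm that dev_kfree_skb_irq() in this 4.9 tree does as well (upstream its __dev_kfree_skb_irq() helper returns early on a NULL skb), otherwise the patch trades a context complaint for a NULL dereference. Note also that dev_kfree_skb_irq() only queues the skb on the per-CPU completion queue and raises the TX softirq, so the actual free is deferred.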
@@ -0,0 +1,37 @@ +From 0645d46ac7142190c1d2ac13c3b49396f2e654d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:33 +0800 +Subject: Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 7b503e339c1a80bf0051ec2d19c3bc777014ac61 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_bcsp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_bcsp.c b/drivers/bluetooth/hci_bcsp.c +index 26f9982bab26..2056d5c01afa 100644 +--- a/drivers/bluetooth/hci_bcsp.c ++++ b/drivers/bluetooth/hci_bcsp.c +@@ -392,7 +392,7 @@ static void bcsp_pkt_cull(struct bcsp_struct *bcsp) + i++; + + __skb_unlink(skb, &bcsp->unack); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + + if (skb_queue_empty(&bcsp->unack)) +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch b/queue-4.9/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..5c317528bcb --- /dev/null +++ b/queue-4.9/bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch 
@@ -0,0 +1,37 @@ +From 0afb7511b5e55cbf614626b02e7a264f195b5bd6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:34 +0800 +Subject: Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 9238f36a5a50 ("Bluetooth: Add request cmd_complete and cmd_status functions") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + net/bluetooth/hci_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c +index 6f99da11d207..61ffa0f12925 100644 +--- a/net/bluetooth/hci_core.c ++++ b/net/bluetooth/hci_core.c +@@ -4181,7 +4181,7 @@ void hci_req_cmd_complete(struct hci_dev *hdev, u16 opcode, u8 status, + *req_complete_skb = bt_cb(skb)->hci.req_complete_skb; + else + *req_complete = bt_cb(skb)->hci.req_complete; +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + spin_unlock_irqrestore(&hdev->cmd_q.lock, flags); + } +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch b/queue-4.9/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..3a2d27ab15e --- /dev/null +++ b/queue-4.9/bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch 
@@ -0,0 +1,37 @@ +From a8e899aad9eab04a4f34bcf3ec8db58eac268a0e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:32 +0800 +Subject: Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 383630cc6758d619874c2e8bb2f68a61f3f9ef6e ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 43eb12d78960 ("Bluetooth: Fix/implement Three-wire reliable packet sending") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_h5.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_h5.c b/drivers/bluetooth/hci_h5.c +index 0879d64b1caf..a947e3c0af18 100644 +--- a/drivers/bluetooth/hci_h5.c ++++ b/drivers/bluetooth/hci_h5.c +@@ -266,7 +266,7 @@ static void h5_pkt_cull(struct h5 *h5) + break; + + __skb_unlink(skb, &h5->unack); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + } + + if (skb_queue_empty(&h5->unack)) +-- +2.35.1 + diff --git a/queue-4.9/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch b/queue-4.9/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..633846abdcc --- /dev/null +++ b/queue-4.9/bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch 
@@ -0,0 +1,37 @@ +From 9e657618fc6ce503111d63e61224331f394f806f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 10:18:30 +0800 +Subject: Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit df4cfc91208e0a98f078223793f5871b1a82cc54 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with interrupts being disabled. So replace kfree_skb() +with dev_kfree_skb_irq() under spin_lock_irqsave(). + +Fixes: 0ff252c1976d ("Bluetooth: hciuart: Add support QCA chipset for UART") +Signed-off-by: Yang Yingliang +Signed-off-by: Luiz Augusto von Dentz +Signed-off-by: Sasha Levin +--- + drivers/bluetooth/hci_qca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/bluetooth/hci_qca.c b/drivers/bluetooth/hci_qca.c +index 0986c324459f..af407cd8425f 100644 +--- a/drivers/bluetooth/hci_qca.c ++++ b/drivers/bluetooth/hci_qca.c +@@ -718,7 +718,7 @@ static int qca_enqueue(struct hci_uart *hu, struct sk_buff *skb) + default: + BT_ERR("Illegal tx state: %d (losing packet)", + qca->tx_ibs_state); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + } + +-- +2.35.1 + diff --git a/queue-4.9/bonding-uninitialized-variable-in-bond_miimon_inspec.patch b/queue-4.9/bonding-uninitialized-variable-in-bond_miimon_inspec.patch new file mode 100644 index 00000000000..4a8512711be --- /dev/null +++ b/queue-4.9/bonding-uninitialized-variable-in-bond_miimon_inspec.patch 
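Review bot: the hunk context shows the default: arm of a switch in qca_enqueue() but not the lock the subject refers to, so the claim that this kfree_skb() runs under spin_lock_irqsave() cannot be verified from the diff alone. Say in the commit message which lock covers this switch. If the lock is not actually held on this path, dev_kfree_skb_irq() still works but defers the free for no reason.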
@@ -0,0 +1,41 @@ +From 697127cdcacbc489755fd4d8ccfcb32bbac4f804 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 28 Nov 2022 14:06:14 +0300 +Subject: bonding: uninitialized variable in bond_miimon_inspect() + +From: Dan Carpenter + +[ Upstream commit e5214f363dabca240446272dac54d404501ad5e5 ] + +The "ignore_updelay" variable needs to be initialized to false. + +Fixes: f8a65ab2f3ff ("bonding: fix link recovery in mode 2 when updelay is nonzero") +Signed-off-by: Dan Carpenter +Reviewed-by: Pavan Chebbi +Acked-by: Jay Vosburgh +Link: https://lore.kernel.org/r/Y4SWJlh3ohJ6EPTL@kili +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/bonding/bond_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 33843b89ab04..d606e0a6b335 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -2052,10 +2052,10 @@ static int bond_slave_info_query(struct net_device *bond_dev, struct ifslave *in + /* called with rcu_read_lock() */ + static int bond_miimon_inspect(struct bonding *bond) + { ++ bool ignore_updelay = false; + int link_state, commit = 0; + struct list_head *iter; + struct slave *slave; +- bool ignore_updelay; + + ignore_updelay = !rcu_dereference(bond->curr_active_slave); + +-- +2.35.1 + diff --git a/queue-4.9/chardev-fix-error-handling-in-cdev_device_add.patch b/queue-4.9/chardev-fix-error-handling-in-cdev_device_add.patch new file mode 100644 index 00000000000..c4614e622fc --- /dev/null +++ b/queue-4.9/chardev-fix-error-handling-in-cdev_device_add.patch 
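Review bot: in the visible context the line right after the declarations assigns ignore_updelay = !rcu_dereference(bond->curr_active_slave) unconditionally, so the = false initialiser added here has no observable effect in this tree as shown. The uninitialised use only exists if that assignment is conditional, which is what the commit named in the Fixes: tag is about; confirm that commit is queued for 4.9 ahead of this one, otherwise the patch is harmless but unnecessary, and the backport should say so.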
@@ -0,0 +1,54 @@ +From 3667fb08c3b9a32ca41c2d216024432cafe0d477 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 11:02:37 +0800 +Subject: chardev: fix error handling in cdev_device_add() + +From: Yang Yingliang + +[ Upstream commit 11fa7fefe3d8fac7da56bc9aa3dd5fb3081ca797 ] + +While doing fault injection test, I got the following report: + +------------[ cut here ]------------ +kobject: '(null)' (0000000039956980): is not initialized, yet kobject_put() is being called. +WARNING: CPU: 3 PID: 6306 at kobject_put+0x23d/0x4e0 +CPU: 3 PID: 6306 Comm: 283 Tainted: G W 6.1.0-rc2-00005-g307c1086d7c9 #1253 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 +RIP: 0010:kobject_put+0x23d/0x4e0 +Call Trace: + + cdev_device_add+0x15e/0x1b0 + __iio_device_register+0x13b4/0x1af0 [industrialio] + __devm_iio_device_register+0x22/0x90 [industrialio] + max517_probe+0x3d8/0x6b4 [max517] + i2c_device_probe+0xa81/0xc00 + +When device_add() is injected fault and returns error, if dev->devt is not set, +cdev_add() is not called, cdev_del() is not needed. Fix this by checking dev->devt +in error path. + +Fixes: 233ed09d7fda ("chardev: add helper function to register char devs with a struct device") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221202030237.520280-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + fs/char_dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/char_dev.c b/fs/char_dev.c +index 1bbb966c0783..9f79fd345e79 100644 +--- a/fs/char_dev.c ++++ b/fs/char_dev.c +@@ -528,7 +528,7 @@ int cdev_device_add(struct cdev *cdev, struct device *dev) + } + + rc = device_add(dev); +- if (rc) ++ if (rc && dev->devt) + cdev_del(cdev); + + return rc; +-- +2.35.1 + 
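Review bot: the new rc && dev->devt condition has to mirror the condition under which cdev_add() was called earlier in cdev_device_add(), which is not in the hunk. The commit message says cdev_add() is skipped when dev->devt is unset, so confirm the earlier test is literally dev->devt (and not, say, MAJOR(dev->devt)); if the two tests ever disagree the error path either leaks the cdev or deletes one that was never added.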
diff --git a/queue-4.9/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch b/queue-4.9/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch new file mode 100644 index 00000000000..caf44dcdc83 --- /dev/null +++ b/queue-4.9/clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch @@ -0,0 +1,37 @@ +From aa91cb53a715741a40f48ab364083045d5c5c823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:12:01 +0800 +Subject: clk: rockchip: Fix memory leak in rockchip_clk_register_pll() + +From: Xiu Jianfeng + +[ Upstream commit 739a6a6bbdb793bd57938cb24aa5a6df89983546 ] + +If clk_register() fails, @pll->rate_table may have allocated memory by +kmemdup(), so it needs to be freed, otherwise will cause memory leak +issue, this patch fixes it. + +Fixes: 90c590254051 ("clk: rockchip: add clock type for pll clocks and pll used on rk3066") +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221123091201.199819-1-xiujianfeng@huawei.com +Signed-off-by: Heiko Stuebner +Signed-off-by: Sasha Levin +--- + drivers/clk/rockchip/clk-pll.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/clk/rockchip/clk-pll.c b/drivers/clk/rockchip/clk-pll.c +index 9c1373e81683..347d659c8f34 100644 +--- a/drivers/clk/rockchip/clk-pll.c ++++ b/drivers/clk/rockchip/clk-pll.c +@@ -957,6 +957,7 @@ struct clk *rockchip_clk_register_pll(struct rockchip_clk_provider *ctx, + return mux_clk; + + err_pll: ++ kfree(pll->rate_table); + clk_unregister(mux_clk); + mux_clk = pll_clk; + err_mux: +-- +2.35.1 + diff --git a/queue-4.9/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch b/queue-4.9/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch new file mode 100644 index 00000000000..e211f103144 --- /dev/null +++ b/queue-4.9/clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch 
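Review bot: kfree(pll->rate_table) at err_pll is safe even when no table was duplicated, because kfree(NULL) is a no-op, but the commit message says the table "may have" been allocated, so a short comment at the label would help. Also check what happens after the fall-through: the context shows mux_clk = pll_clk being handed to err_mux, so make sure the pll structure released there does not have a release hook that frees rate_table a second time.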
@@ -0,0 +1,41 @@ +From 2137676501f5db78ac3258fd846bca234af6fbe5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 21:36:14 +0800 +Subject: clk: st: Fix memory leak in st_of_quadfs_setup() + +From: Xiu Jianfeng + +[ Upstream commit cfd3ffb36f0d566846163118651d868e607300ba ] + +If st_clk_register_quadfs_pll() fails, @lock should be freed before goto +@err_exit, otherwise it will cause a memory leak issue; fix it. + +Signed-off-by: Xiu Jianfeng +Link: https://lore.kernel.org/r/20221122133614.184910-1-xiujianfeng@huawei.com +Reviewed-by: Patrice Chotard +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/st/clkgen-fsyn.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/clk/st/clkgen-fsyn.c b/drivers/clk/st/clkgen-fsyn.c +index 14819d919df1..715c5d3a5cde 100644 +--- a/drivers/clk/st/clkgen-fsyn.c ++++ b/drivers/clk/st/clkgen-fsyn.c +@@ -948,9 +948,10 @@ static void __init st_of_quadfs_setup(struct device_node *np, + + clk = st_clk_register_quadfs_pll(pll_name, clk_parent_name, data, + reg, lock); +- if (IS_ERR(clk)) ++ if (IS_ERR(clk)) { ++ kfree(lock); + goto err_exit; +- else ++ } else + pr_debug("%s: parent %s rate %u\n", + __clk_get_name(clk), + __clk_get_name(clk_get_parent(clk)), +-- +2.35.1 + diff --git a/queue-4.9/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch b/queue-4.9/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch new file mode 100644 index 00000000000..30660a927c5 --- /dev/null +++ b/queue-4.9/cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch
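Review bot: kernel style wants braces on both arms once one arm needs them, so the else that now follows the closing brace should become } else { ... } around the multi-line pr_debug() call. Also verify that err_exit does not itself free lock, and that lock has not already been passed to a clock registered earlier in st_of_quadfs_setup() that survives this error, since in either case the new kfree() would be a double free or leave a dangling pointer in a live clock.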
@@ -0,0 +1,44 @@ +From ecd29bda70f541fe34773742d6d87b38eced2738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 21 Oct 2022 17:10:12 +0200 +Subject: cpuidle: dt: Return the correct numbers of parsed idle states + +From: Ulf Hansson + +[ Upstream commit ee3c2c8ad6ba6785f14a60e4081d7c82e88162a2 ] + +While we correctly skip initializing an idle state from a disabled idle +state node in DT, the value returned from dt_init_idle_driver() doesn't get +adjusted accordingly. Instead the number of idle state nodes found is +returned, while the callers are expecting the number of successfully +initialized idle states from DT. + +This leads to cpuidle drivers unnecessarily continuing to initialize their +idle state specific data. Moreover, in the case when all idle states have +been disabled in DT, we would end up registering a cpuidle driver, rather +than relying on the default arch specific idle call. + +Fixes: 9f14da345599 ("drivers: cpuidle: implement DT based idle states infrastructure") +Signed-off-by: Ulf Hansson +Reviewed-by: Sudeep Holla +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/cpuidle/dt_idle_states.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/cpuidle/dt_idle_states.c b/drivers/cpuidle/dt_idle_states.c +index ea11a33e7fff..1a79ac569770 100644 +--- a/drivers/cpuidle/dt_idle_states.c ++++ b/drivers/cpuidle/dt_idle_states.c +@@ -218,6 +218,6 @@ int dt_init_idle_driver(struct cpuidle_driver *drv, + * also be 0 on platforms with missing DT idle states or legacy DT + * configuration predating the DT idle states bindings. + */ +- return i; ++ return state_idx - start_idx; + } + EXPORT_SYMBOL_GPL(dt_init_idle_driver); +-- +2.35.1 + diff --git a/queue-4.9/crypto-img-hash-fix-variable-dereferenced-before-che.patch b/queue-4.9/crypto-img-hash-fix-variable-dereferenced-before-che.patch new file mode 100644 index 00000000000..b5db87f2710 --- /dev/null
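Review bot: return state_idx - start_idx only reports the right count if state_idx is advanced solely when an idle state is actually initialised and left untouched for disabled nodes; that bookkeeping sits above the hunk, so confirm it. The comment immediately above the return (visible in the context) still describes the old value, which was 0 on platforms with missing DT idle states; it should be updated to describe the new meaning, including the all-states-disabled case the commit message calls out.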
+++ b/queue-4.9/crypto-img-hash-fix-variable-dereferenced-before-che.patch @@ -0,0 +1,52 @@ +From d09efedddda746127ad671c8a2e6750317c51b51 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 14:25:26 +0800 +Subject: crypto: img-hash - Fix variable dereferenced before check 'hdev->req' + +From: Gaosheng Cui + +[ Upstream commit 04ba54e5af8f8f0137b08cb51a0b3a2e1ea46c94 ] + +Smatch reports a warning as follows: + +drivers/crypto/img-hash.c:366 img_hash_dma_task() warn: variable +dereferenced before check 'hdev->req' + +The variable dereference should be done after the check of 'hdev->req'; +fix it. + +Fixes: d358f1abbf71 ("crypto: img-hash - Add Imagination Technologies hw hash accelerator") +Fixes: 10badea259fa ("crypto: img-hash - Fix null pointer exception") +Signed-off-by: Gaosheng Cui +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/crypto/img-hash.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/crypto/img-hash.c b/drivers/crypto/img-hash.c +index a2e77b87485b..157c8f5c879c 100644 +--- a/drivers/crypto/img-hash.c ++++ b/drivers/crypto/img-hash.c +@@ -359,12 +359,16 @@ static int img_hash_dma_init(struct img_hash_dev *hdev) + static void img_hash_dma_task(unsigned long d) + { + struct img_hash_dev *hdev = (struct img_hash_dev *)d; +- struct img_hash_request_ctx *ctx = ahash_request_ctx(hdev->req); ++ struct img_hash_request_ctx *ctx; + u8 *addr; + size_t nbytes, bleft, wsend, len, tbc; + struct scatterlist tsg; + +- if (!hdev->req || !ctx->sg) ++ if (!hdev->req) ++ return; ++ ++ ctx = ahash_request_ctx(hdev->req); ++ if (!ctx->sg) + return; + + addr = sg_virt(ctx->sg); +-- +2.35.1 + diff --git a/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch b/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch new file mode 100644 index 00000000000..dc8ddc7625d --- /dev/null +++ b/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch
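Review bot: the tasklet now reads hdev->req twice, once in the NULL test and again in ahash_request_ctx(hdev->req). If the request can be cleared concurrently (for instance by a completion path resetting hdev->req while the tasklet runs), the second read can still observe NULL and the dereference the Smatch warning was about merely moves. Either snapshot the pointer into a local first (struct ahash_request *req = hdev->req; if (!req) return;) or state in the commit message which lock or serialisation guarantees the two reads see the same value.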
@@ -0,0 +1,99 @@ +From cbe9904142eb135e1a47912e450b552881ae7227 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 22:54:39 +0800 +Subject: cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() + +From: Yang Yingliang + +[ Upstream commit 61c80d1c3833e196256fb060382db94f24d3d9a7 ] + +If device_register() fails in cxl_register_afu|adapter(), the device +is not added, device_unregister() can not be called in the error path, +otherwise it will cause a null-ptr-deref because of removing not added +device. + +As comment of device_register() says, it should use put_device() to give +up the reference in the error path. So split device_unregister() into +device_del() and put_device(), then goes to put dev when register fails. + +Fixes: 14baf4d9c739 ("cxl: Add guest-specific code") +Signed-off-by: Yang Yingliang +Acked-by: Andrew Donnellan +Acked-by: Frederic Barrat +Link: https://lore.kernel.org/r/20221111145440.2426970-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/guest.c | 24 ++++++++++++++---------- + 1 file changed, 14 insertions(+), 10 deletions(-) + +diff --git a/drivers/misc/cxl/guest.c b/drivers/misc/cxl/guest.c +index d08509cd978a..2cefe1f3ce7e 100644 +--- a/drivers/misc/cxl/guest.c ++++ b/drivers/misc/cxl/guest.c +@@ -969,10 +969,10 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + * if it returns an error! 
+ */ + if ((rc = cxl_register_afu(afu))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_afu_add(afu))) +- goto err_put1; ++ goto err_del_dev; + + /* + * pHyp doesn't expose the programming models supported by the +@@ -988,7 +988,7 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + afu->modes_supported = CXL_MODE_DIRECTED; + + if ((rc = cxl_afu_select_best_mode(afu))) +- goto err_put2; ++ goto err_remove_sysfs; + + adapter->afu[afu->slice] = afu; + +@@ -1008,10 +1008,12 @@ int cxl_guest_init_afu(struct cxl *adapter, int slice, struct device_node *afu_n + + return 0; + +-err_put2: ++err_remove_sysfs: + cxl_sysfs_afu_remove(afu); +-err_put1: +- device_unregister(&afu->dev); ++err_del_dev: ++ device_del(&afu->dev); ++err_put_dev: ++ put_device(&afu->dev); + free = false; + guest_release_serr_irq(afu); + err2: +@@ -1145,18 +1147,20 @@ struct cxl *cxl_guest_init_adapter(struct device_node *np, struct platform_devic + * even if it returns an error! + */ + if ((rc = cxl_register_adapter(adapter))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_adapter_add(adapter))) +- goto err_put1; ++ goto err_del_dev; + + /* release the context lock as the adapter is configured */ + cxl_adapter_context_unlock(adapter); + + return adapter; + +-err_put1: +- device_unregister(&adapter->dev); ++err_del_dev: ++ device_del(&adapter->dev); ++err_put_dev: ++ put_device(&adapter->dev); + free = false; + cxl_guest_remove_chardev(adapter); + err1: +-- +2.35.1 + diff --git a/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch b/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch new file mode 100644 index 00000000000..9174b241cca --- /dev/null +++ b/queue-4.9/cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch 
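Review bot: in the cxl_guest_init_afu() error-label hunk, `put_device(&afu->dev)` may drop the last reference to afu, yet the lines that follow (`free = false; guest_release_serr_irq(afu);` and the err2 path) still dereference afu. The old `device_unregister()` had the same ordering, so this is not a regression, but if the device release callback frees the afu structure this is a use-after-free; either move the put_device() below the remaining teardown, as the pci.c patch in this series does, or document why the release callback cannot free afu here.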
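Review bot: the same ordering concern applies to the cxl_guest_init_adapter() error-label hunk: `put_device(&adapter->dev)` now precedes `cxl_guest_remove_chardev(adapter)` and the err1 path, which still use adapter after its reference is dropped; confirm the release callback does not free adapter at that point, or put the device last.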
@@ -0,0 +1,94 @@ +From 60c4e091898a4af6a3e0a4fcbf6f2e2af99b1d82 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 22:54:40 +0800 +Subject: cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() + +From: Yang Yingliang + +[ Upstream commit 02cd3032b154fa02fdf90e7467abaeed889330b2 ] + +If device_register() fails in cxl_pci_afu|adapter(), the device +is not added, device_unregister() can not be called in the error +path, otherwise it will cause a null-ptr-deref because of removing +not added device. + +As comment of device_register() says, it should use put_device() to give +up the reference in the error path. So split device_unregister() into +device_del() and put_device(), then goes to put dev when register fails. + +Fixes: f204e0b8cedd ("cxl: Driver code for powernv PCIe based cards for userspace access") +Signed-off-by: Yang Yingliang +Acked-by: Frederic Barrat +Acked-by: Andrew Donnellan +Link: https://lore.kernel.org/r/20221111145440.2426970-2-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/cxl/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/misc/cxl/pci.c b/drivers/misc/cxl/pci.c +index a5422f483ad5..f7417033a7a8 100644 +--- a/drivers/misc/cxl/pci.c ++++ b/drivers/misc/cxl/pci.c +@@ -1187,10 +1187,10 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev) + * if it returns an error! 
+ */ + if ((rc = cxl_register_afu(afu))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_afu_add(afu))) +- goto err_put1; ++ goto err_del_dev; + + adapter->afu[afu->slice] = afu; + +@@ -1199,10 +1199,12 @@ static int pci_init_afu(struct cxl *adapter, int slice, struct pci_dev *dev) + + return 0; + +-err_put1: ++err_del_dev: ++ device_del(&afu->dev); ++err_put_dev: + pci_deconfigure_afu(afu); + cxl_debugfs_afu_remove(afu); +- device_unregister(&afu->dev); ++ put_device(&afu->dev); + return rc; + + err_free_native: +@@ -1589,23 +1591,25 @@ static struct cxl *cxl_pci_init_adapter(struct pci_dev *dev) + * even if it returns an error! + */ + if ((rc = cxl_register_adapter(adapter))) +- goto err_put1; ++ goto err_put_dev; + + if ((rc = cxl_sysfs_adapter_add(adapter))) +- goto err_put1; ++ goto err_del_dev; + + /* Release the context lock as adapter is configured */ + cxl_adapter_context_unlock(adapter); + + return adapter; + +-err_put1: ++err_del_dev: ++ device_del(&adapter->dev); ++err_put_dev: + /* This should mirror cxl_remove_adapter, except without the + * sysfs parts + */ + cxl_debugfs_adapter_remove(adapter); + cxl_deconfigure_adapter(adapter); +- device_unregister(&adapter->dev); ++ put_device(&adapter->dev); + return ERR_PTR(rc); + + err_release: +-- +2.35.1 + diff --git a/queue-4.9/drivers-dio-fix-possible-memory-leak-in-dio_init.patch b/queue-4.9/drivers-dio-fix-possible-memory-leak-in-dio_init.patch new file mode 100644 index 00000000000..e503ec2cb85 --- /dev/null +++ b/queue-4.9/drivers-dio-fix-possible-memory-leak-in-dio_init.patch 
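Review bot: the pci_init_afu() error-label hunk places `put_device(&afu->dev)` after `pci_deconfigure_afu()` and `cxl_debugfs_afu_remove()`, so afu is never touched once its reference may have been released; this is the safer ordering and differs from the guest.c patch in this series, where put_device() runs before the remaining teardown. Worth aligning guest.c with this layout.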
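Review bot: in the cxl_pci_init_adapter() error-label hunk the existing comment ("This should mirror cxl_remove_adapter, except without the sysfs parts") now sits under err_put_dev after `device_del()` has been split out to err_del_dev; update the comment to say the device_del() half lives under the preceding label so the stated mirror relationship with cxl_remove_adapter stays accurate.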
@@ -0,0 +1,60 @@ +From 69fe90c848371da92c6a282b14c7bfd05c5308d1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 14:40:36 +0800 +Subject: drivers: dio: fix possible memory leak in dio_init() + +From: Yang Yingliang + +[ Upstream commit e63e99397b2613d50a5f4f02ed07307e67a190f1 ] + +If device_register() returns error, the 'dev' and name needs be +freed. Add a release function, and then call put_device() in the +error path, so the name is freed in kobject_cleanup() and to the +'dev' is freed in release function. + +Fixes: 2e4c77bea3d8 ("m68k: dio - Kill warn_unused_result warnings") +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109064036.1835346-1-yangyingliang@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/dio/dio.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/dio/dio.c b/drivers/dio/dio.c +index 55dd88d82d6d..e85895fc258d 100644 +--- a/drivers/dio/dio.c ++++ b/drivers/dio/dio.c +@@ -109,6 +109,12 @@ static char dio_no_name[] = { 0 }; + + #endif /* CONFIG_DIO_CONSTANTS */ + ++static void dio_dev_release(struct device *dev) ++{ ++ struct dio_dev *ddev = container_of(dev, typeof(struct dio_dev), dev); ++ kfree(ddev); ++} ++ + int __init dio_find(int deviceid) + { + /* Called to find a DIO device before the full bus scan has run. +@@ -234,6 +240,7 @@ static int __init dio_init(void) + dev->bus = &dio_bus; + dev->dev.parent = &dio_bus.dev; + dev->dev.bus = &dio_bus_type; ++ dev->dev.release = dio_dev_release; + dev->scode = scode; + dev->resource.start = pa; + dev->resource.end = pa + DIO_SIZE(scode, va); +@@ -261,6 +268,7 @@ static int __init dio_init(void) + if (error) { + pr_err("DIO: Error registering device %s\n", + dev->name); ++ put_device(&dev->dev); + continue; + } + error = dio_create_sysfs_dev_files(dev); +-- +2.35.1 + 
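Review bot: `container_of(dev, typeof(struct dio_dev), dev)` in the dio_dev_release() hunk spells the type through a redundant typeof; `container_of(dev, struct dio_dev, dev)` is the usual form. More importantly, with a release callback now attached to every struct dio_dev, any direct kfree() of a dio_dev on other exit paths of dio_init() or in the bus teardown (not shown in this context) becomes a double free; confirm put_device() is now the only way these structures are freed.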
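Review bot: in the second dio_init() hunk the `put_device(&dev->dev)` before `continue` correctly hands the allocation to the release callback after device_register() fails, but the error is logged and swallowed, so dio_init() still reports success after a device failed to register; if that is intentional, a short comment saying the bus scan is best-effort would make it clear, and `dev` must not be referenced after the put (the `pr_err("... %s", dev->name)` is correctly placed before it).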
diff --git a/queue-4.9/drivers-mcb-fix-resource-leak-in-mcb_probe.patch b/queue-4.9/drivers-mcb-fix-resource-leak-in-mcb_probe.patch new file mode 100644 index 00000000000..e35296b4b91 --- /dev/null +++ b/queue-4.9/drivers-mcb-fix-resource-leak-in-mcb_probe.patch @@ -0,0 +1,41 @@ +From 617d53ab4d718bb7b9bfaea26a3072c0b66b4a8c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 01:38:49 -0800 +Subject: drivers: mcb: fix resource leak in mcb_probe() + +From: Zhengchao Shao + +[ Upstream commit d7237462561fcd224fa687c56ccb68629f50fc0d ] + +When probe hook function failed in mcb_probe(), it doesn't put the device. +Compiled test only. + +Fixes: 7bc364097a89 ("mcb: Acquire reference to device in probe") +Signed-off-by: Zhengchao Shao +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/9f87de36bfb85158b506cb78c6fc9db3f6a3bad1.1669624063.git.johannes.thumshirn@wdc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mcb/mcb-core.c b/drivers/mcb/mcb-core.c +index 96801137a144..80e70d9fd402 100644 +--- a/drivers/mcb/mcb-core.c ++++ b/drivers/mcb/mcb-core.c +@@ -74,8 +74,10 @@ static int mcb_probe(struct device *dev) + + get_device(dev); + ret = mdrv->probe(mdev, found_id); +- if (ret) ++ if (ret) { + module_put(carrier_mod); ++ put_device(dev); ++ } + + return ret; + } +-- +2.35.1 + diff --git a/queue-4.9/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch b/queue-4.9/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch new file mode 100644 index 00000000000..e9b89859bc3 --- /dev/null +++ b/queue-4.9/drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch 
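Review bot: the `put_device(dev)` added in the mcb_probe() hunk balances the `get_device(dev)` taken just above it on the failure path; confirm that the success path's counterpart (the remove callback) performs the matching put_device() so the reference taken here never outlives the bound driver. The commit message says this was compile-tested only, so a probe-failure run (a driver whose probe hook returns an error) is worth doing before backport.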
@@ -0,0 +1,38 @@ +From 9f6d3ad4a32f6f73942d6ce6da84d232c7528651 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 08:54:10 +0000 +Subject: drivers: net: qlcnic: Fix potential memory leak in + qlcnic_sriov_init() + +From: Yuan Can + +[ Upstream commit 01de1123322e4fe1bbd0fcdf0982511b55519c03 ] + +If vp alloc failed in qlcnic_sriov_init(), all previously allocated vp +needs to be freed. + +Fixes: f197a7aa6288 ("qlcnic: VF-PF communication channel implementation") +Signed-off-by: Yuan Can +Reviewed-by: Leon Romanovsky +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +index 44caa7c2077e..d89d9247b7b9 100644 +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_common.c +@@ -222,6 +222,8 @@ int qlcnic_sriov_init(struct qlcnic_adapter *adapter, int num_vfs) + return 0; + + qlcnic_destroy_async_wq: ++ while (i--) ++ kfree(sriov->vf_info[i].vp); + destroy_workqueue(bc->bc_async_wq); + + qlcnic_destroy_trans_wq: +-- +2.35.1 + diff --git a/queue-4.9/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch b/queue-4.9/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch new file mode 100644 index 00000000000..c07f8d30723 --- /dev/null +++ b/queue-4.9/drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch 
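Review bot: `while (i--) kfree(sriov->vf_info[i].vp);` under qlcnic_destroy_async_wq assumes `i` is the index of the vp allocation loop whenever control reaches this label; if any goto to qlcnic_destroy_async_wq happens before that loop runs, `i` must already be 0 there, otherwise the loop frees uninitialized or stale vp pointers. Either verify every jump into this label, or move the frees under a new label that is only reachable from inside the allocation loop.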
@@ -0,0 +1,42 @@ +From d2bd14b11debd052bbe3cf9f51252c1648ed8738 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 23:32:12 +0800 +Subject: drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static + +From: Chen Jiahao + +[ Upstream commit adf85adc2a7199b41e7a4da083bd17274a3d6969 ] + +There is a sparse warning shown below: + +drivers/soc/ti/knav_qmss_queue.c:70:12: warning: symbol +'knav_acc_firmwares' was not declared. Should it be static? + +Since 'knav_acc_firmwares' is only called within knav_qmss_queue.c, +mark it as static to fix the warning. + +Fixes: 96ee19becc3b ("soc: ti: add firmware file name as part of the driver") +Signed-off-by: Chen Jiahao +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20221019153212.72350-1-chenjiahao16@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/soc/ti/knav_qmss_queue.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/soc/ti/knav_qmss_queue.c b/drivers/soc/ti/knav_qmss_queue.c +index 5248649b0b41..5faafe677341 100644 +--- a/drivers/soc/ti/knav_qmss_queue.c ++++ b/drivers/soc/ti/knav_qmss_queue.c +@@ -72,7 +72,7 @@ static DEFINE_MUTEX(knav_dev_lock); + * Newest followed by older ones. Search is done from start of the array + * until a firmware file is found. + */ +-const char *knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"}; ++static const char * const knav_acc_firmwares[] = {"ks2_qmss_pdsp_acc48.bin"}; + + /** + * knav_queue_notify: qmss queue notfier call +-- +2.35.1 + diff --git a/queue-4.9/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch b/queue-4.9/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch new file mode 100644 index 00000000000..eecce5d5f87 --- /dev/null +++ b/queue-4.9/drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch 
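Review bot: the hunk changes more than the commit message describes: besides adding `static`, the array becomes `const char * const`, so the element pointers are now immutable too. That is the right declaration for a firmware-name table, but mention the extra const in the commit message and confirm nothing assigns to knav_acc_firmwares[] elsewhere in the file, or the build will fail.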
@@ -0,0 +1,40 @@ +From ae882538349bcb56e41e50b7778fce3408aacac7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:30:43 +0800 +Subject: drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() + +From: Xiongfeng Wang + +[ Upstream commit ca54639c7752edf1304d92ff4d0c049d4efc9ba0 ] + +As comment of pci_get_class() says, it returns a pci_device with its +refcount increased and decreased the refcount for the input parameter +@from if it is not NULL. + +If we break the loop in amdgpu_atrm_get_bios() with 'pdev' not NULL, we +need to call pci_dev_put() to decrease the refcount. Add the missing +pci_dev_put() to avoid refcount leak. + +Fixes: d38ceaf99ed0 ("drm/amdgpu: add core driver (v4)") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +index 2b6afe123f3d..d6ecce5fe1a6 100644 +--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c ++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_bios.c +@@ -253,6 +253,7 @@ static bool amdgpu_atrm_get_bios(struct amdgpu_device *adev) + + if (!found) + return false; ++ pci_dev_put(pdev); + + adev->bios = kmalloc(size, GFP_KERNEL); + if (!adev->bios) { +-- +2.35.1 + diff --git a/queue-4.9/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch b/queue-4.9/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch new file mode 100644 index 00000000000..fcf27c58919 --- /dev/null +++ b/queue-4.9/drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch 
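Review bot: `pci_dev_put(pdev)` immediately after `if (!found) return false;` is correct, since a NULL return from pci_get_class() on loop exit means no reference is held, but from this line on `pdev` is a reference the function no longer owns; confirm that the remainder of amdgpu_atrm_get_bios() (the kmalloc and the BIOS read that follow) never touches pdev, and if it does, move the put after the last use.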
@@ -0,0 +1,57 @@ +From e1b745091bd2d1d82ffdc057fe82ac58c10603f3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:42:15 -0700 +Subject: drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() + +From: Nathan Chancellor + +[ Upstream commit 96d845a67b7e406cfed7880a724c8ca6121e022e ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c:74:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = fsl_dcu_drm_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->mode_valid() in 'struct drm_connector_helper_funcs' expects a return +type of 'enum drm_mode_status', not 'int'. Adjust the return type of +fsl_dcu_drm_connector_mode_valid() to match the prototype's to resolve +the warning and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reported-by: Sami Tolvanen +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102154215.78059-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c +index e1dd75b18118..5993d6ac85e6 100644 +--- a/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c ++++ b/drivers/gpu/drm/fsl-dcu/fsl_dcu_drm_rgb.c +@@ -90,8 +90,9 @@ static int fsl_dcu_drm_connector_get_modes(struct drm_connector *connector) + return num_modes; + } + +-static int fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++fsl_dcu_drm_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + if (mode->hdisplay & 0xf) + return MODE_ERROR; +-- +2.35.1 + diff --git a/queue-4.9/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch b/queue-4.9/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch new file mode 100644 index 00000000000..0d5692efe2d --- /dev/null +++ b/queue-4.9/drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch 
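Review bot: changing the return type to `enum drm_mode_status` in this hunk fixes the prototype mismatch, but only the `return MODE_ERROR;` branch is visible; make sure every other return statement in fsl_dcu_drm_connector_mode_valid() returns an enum value (MODE_OK rather than a bare 0), since the compiler still accepts an int literal here and the kCFI check validates the signature, not the values.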
@@ -0,0 +1,41 @@ +From 8b49305f726f0aac368e3c6e3e83e01d3af01c23 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:30:42 +0800 +Subject: drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() + +From: Xiongfeng Wang + +[ Upstream commit 725a521a18734f65de05b8d353b5bd0d3ca4c37a ] + +As comment of pci_get_class() says, it returns a pci_device with its +refcount increased and decreased the refcount for the input parameter +@from if it is not NULL. + +If we break the loop in radeon_atrm_get_bios() with 'pdev' not NULL, we +need to call pci_dev_put() to decrease the refcount. Add the missing +pci_dev_put() to avoid refcount leak. + +Fixes: d8ade3526b2a ("drm/radeon: handle non-VGA class pci devices with ATRM") +Fixes: c61e2775873f ("drm/radeon: split ATRM support out from the ATPX handler (v3)") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/radeon_bios.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/radeon_bios.c b/drivers/gpu/drm/radeon/radeon_bios.c +index 21b6732425c5..82ea78fce748 100644 +--- a/drivers/gpu/drm/radeon/radeon_bios.c ++++ b/drivers/gpu/drm/radeon/radeon_bios.c +@@ -215,6 +215,7 @@ static bool radeon_atrm_get_bios(struct radeon_device *rdev) + + if (!found) + return false; ++ pci_dev_put(pdev); + + rdev->bios = kmalloc(size, GFP_KERNEL); + if (!rdev->bios) { +-- +2.35.1 + diff --git a/queue-4.9/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch b/queue-4.9/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch new file mode 100644 index 00000000000..62836800dc4 --- /dev/null +++ b/queue-4.9/drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch 
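Review bot: as with the amdgpu counterpart in this series, the `pci_dev_put(pdev)` sits right after the `!found` return and before `rdev->bios = kmalloc(...)`; if anything later in radeon_atrm_get_bios() still uses pdev (for example for logging), that use now runs after the reference is dropped and the put should move to the end of the function instead.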
@@ -0,0 +1,95 @@ +From 14289355d86284cb079ecf87d086b1e8d3e75c7a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 08:56:23 -0700 +Subject: drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() + +From: Nathan Chancellor + +[ Upstream commit 0ad811cc08a937d875cbad0149c1bab17f84ba05 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/gpu/drm/sti/sti_hda.c:637:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_hda_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/sti/sti_dvo.c:376:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_dvo_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~ + drivers/gpu/drm/sti/sti_hdmi.c:1035:16: error: incompatible function pointer types initializing 'enum drm_mode_status (*)(struct drm_connector *, struct drm_display_mode *)' with an expression of type 'int (struct drm_connector *, struct drm_display_mode *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .mode_valid = sti_hdmi_connector_mode_valid, + ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + +->mode_valid() in 'struct drm_connector_helper_funcs' expects a 
return +type of 'enum drm_mode_status', not 'int'. Adjust the return type of +sti_{dvo,hda,hdmi}_connector_mode_valid() to match the prototype's to +resolve the warning and CFI failure. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221102155623.3042869-1-nathan@kernel.org +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_dvo.c | 5 +++-- + drivers/gpu/drm/sti/sti_hda.c | 5 +++-- + drivers/gpu/drm/sti/sti_hdmi.c | 5 +++-- + 3 files changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c +index 4be5b5670599..10e33a89b74c 100644 +--- a/drivers/gpu/drm/sti/sti_dvo.c ++++ b/drivers/gpu/drm/sti/sti_dvo.c +@@ -354,8 +354,9 @@ static int sti_dvo_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_dvo_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_dvo_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c +index cbceea7d4f87..1c36758660f5 100644 +--- a/drivers/gpu/drm/sti/sti_hda.c ++++ b/drivers/gpu/drm/sti/sti_hda.c +@@ -606,8 +606,9 @@ static int sti_hda_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_hda_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_hda_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index 
c450668883b5..28186bcc8139 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -906,8 +906,9 @@ static int sti_hdmi_connector_get_modes(struct drm_connector *connector) + + #define CLK_TOLERANCE_HZ 50 + +-static int sti_hdmi_connector_mode_valid(struct drm_connector *connector, +- struct drm_display_mode *mode) ++static enum drm_mode_status ++sti_hdmi_connector_mode_valid(struct drm_connector *connector, ++ struct drm_display_mode *mode) + { + int target = mode->clock * 1000; + int target_min = target - CLK_TOLERANCE_HZ; +-- +2.35.1 + diff --git a/queue-4.9/drm-sti-use-drm_mode_copy.patch b/queue-4.9/drm-sti-use-drm_mode_copy.patch new file mode 100644 index 00000000000..d4d1b6a22b1 --- /dev/null +++ b/queue-4.9/drm-sti-use-drm_mode_copy.patch 
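Review bot: for all three hunks (sti_dvo, sti_hda, sti_hdmi) the visible bodies compute `target`, `target_min` and so on but none of the return statements are shown; each function should now return MODE_OK / MODE_BAD-style enum values rather than 0 or -1, since an int literal still compiles after the signature change and would silently produce a bogus drm_mode_status.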
@@ -0,0 +1,121 @@ +From 33ada30af3d0b8dcc9de30b42ad3473117364255 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 21:25:45 +0200 +Subject: drm/sti: Use drm_mode_copy() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +[ Upstream commit 442cf8e22ba25a77cb9092d78733fdbac9844e50 ] + +struct drm_display_mode embeds a list head, so overwriting +the full struct with another one will corrupt the list +(if the destination mode is on a list). Use drm_mode_copy() +instead which explicitly preserves the list head of +the destination mode. + +Even if we know the destination mode is not on any list +using drm_mode_copy() seems decent as it sets a good +example. Bad examples of not using it might eventually +get copied into code where preserving the list head +actually matters. + +Obviously one case not covered here is when the mode +itself is embedded in a larger structure and the whole +structure is copied. But if we are careful when copying +into modes embedded in structures I think we can be a +little more reassured that bogus list heads haven't been +propagated in. + +@is_mode_copy@ +@@ +drm_mode_copy(...) +{ +... 
+} + +@depends on !is_mode_copy@ +struct drm_display_mode *mode; +expression E, S; +@@ +( +- *mode = E ++ drm_mode_copy(mode, &E) +| +- memcpy(mode, E, S) ++ drm_mode_copy(mode, E) +) + +@depends on !is_mode_copy@ +struct drm_display_mode mode; +expression E; +@@ +( +- mode = E ++ drm_mode_copy(&mode, &E) +| +- memcpy(&mode, E, S) ++ drm_mode_copy(&mode, E) +) + +@@ +struct drm_display_mode *mode; +@@ +- &*mode ++ mode + +Cc: Alain Volmat +Signed-off-by: Ville Syrjälä +Link: https://patchwork.freedesktop.org/patch/msgid/20221107192545.9896-8-ville.syrjala@linux.intel.com +Reviewed-by: Daniel Vetter +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/sti/sti_dvo.c | 2 +- + drivers/gpu/drm/sti/sti_hda.c | 2 +- + drivers/gpu/drm/sti/sti_hdmi.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/sti/sti_dvo.c b/drivers/gpu/drm/sti/sti_dvo.c +index e8c1ed08a9f7..4be5b5670599 100644 +--- a/drivers/gpu/drm/sti/sti_dvo.c ++++ b/drivers/gpu/drm/sti/sti_dvo.c +@@ -296,7 +296,7 @@ static void sti_dvo_set_mode(struct drm_bridge *bridge, + + DRM_DEBUG_DRIVER("\n"); + +- memcpy(&dvo->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&dvo->mode, mode); + + /* According to the path used (main or aux), the dvo clocks should + * have a different parent clock. 
*/ +diff --git a/drivers/gpu/drm/sti/sti_hda.c b/drivers/gpu/drm/sti/sti_hda.c +index 08808e3701de..cbceea7d4f87 100644 +--- a/drivers/gpu/drm/sti/sti_hda.c ++++ b/drivers/gpu/drm/sti/sti_hda.c +@@ -528,7 +528,7 @@ static void sti_hda_set_mode(struct drm_bridge *bridge, + + DRM_DEBUG_DRIVER("\n"); + +- memcpy(&hda->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&hda->mode, mode); + + if (!hda_get_mode_idx(hda->mode, &mode_idx)) { + DRM_ERROR("Undefined mode\n"); +diff --git a/drivers/gpu/drm/sti/sti_hdmi.c b/drivers/gpu/drm/sti/sti_hdmi.c +index a5412a6fbeca..c450668883b5 100644 +--- a/drivers/gpu/drm/sti/sti_hdmi.c ++++ b/drivers/gpu/drm/sti/sti_hdmi.c +@@ -848,7 +848,7 @@ static void sti_hdmi_set_mode(struct drm_bridge *bridge, + DRM_DEBUG_DRIVER("\n"); + + /* Copy the drm display mode in the connector local structure */ +- memcpy(&hdmi->mode, mode, sizeof(struct drm_display_mode)); ++ drm_mode_copy(&hdmi->mode, mode); + + /* Update clock framerate according to the selected mode */ + ret = clk_set_rate(hdmi->clk_pix, mode->clock * 1000); +-- +2.35.1 + diff --git a/queue-4.9/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-4.9/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..80acdcf2e13 --- /dev/null +++ b/queue-4.9/ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch 
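Review bot: in the sti_hda_set_mode() hunk, drm_mode_copy() replaces a memcpy of sizeof(struct drm_display_mode), so the embedded list head of hda->mode is now preserved instead of being overwritten with the source mode's list pointers; the dvo and hdmi hunks are the same mechanical Coccinelle rewrite. The only thing to verify is that `hda->mode`, `dvo->mode` and `hdmi->mode` are embedded structs, as the `&x->mode` argument implies, and that the by-value `hda_get_mode_idx(hda->mode, ...)` call right after is unaffected.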
@@ -0,0 +1,45 @@ +From 2d1206ea94d07d8b819a9abaa127c7f96ca4b1d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:01:21 +0800 +Subject: ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 6cee96e09df54ae17784c0f38a49e0ed8229b825 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in free_tx_buffers() to drop +the SKBs in tx buffers, when the card is down, so replace it with +dev_kfree_skb_irq() here. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/neterion/s2io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/neterion/s2io.c b/drivers/net/ethernet/neterion/s2io.c +index a66f4b867e3a..a66b797cdbbe 100644 +--- a/drivers/net/ethernet/neterion/s2io.c ++++ b/drivers/net/ethernet/neterion/s2io.c +@@ -2384,7 +2384,7 @@ static void free_tx_buffers(struct s2io_nic *nic) + skb = s2io_txdl_getskb(&mac_control->fifos[i], txdp, j); + if (skb) { + swstats->mem_freed += skb->truesize; +- dev_kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + cnt++; + } + } +-- +2.35.1 + diff --git a/queue-4.9/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch b/queue-4.9/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch new file mode 100644 index 00000000000..58009452408 --- /dev/null +++ b/queue-4.9/eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch 
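Review bot: dev_kfree_skb_irq() is the right variant in the free_tx_buffers() hunk given the commit message's point that these SKBs are dropped when the card goes down rather than consumed normally; a short comment at the call site noting that this function runs with interrupts disabled under spin_lock_irqsave() would explain why the _irq variant is required and discourage a future revert to dev_kfree_skb().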
@@ -0,0 +1,41 @@ +From 1c9b80162f4c5d1b09ea10fcf80d9a2cf2772a9a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 22:01:54 +0800 +Subject: eventfd: change int to __u64 in eventfd_signal() ifndef + CONFIG_EVENTFD + +From: Zhang Qilong + +[ Upstream commit fd4e60bf0ef8eb9edcfa12dda39e8b6ee9060492 ] + +Commit ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") +forgot to change int to __u64 in the CONFIG_EVENTFD=n stub function. + +Link: https://lkml.kernel.org/r/20221124140154.104680-1-zhangqilong3@huawei.com +Fixes: ee62c6b2dc93 ("eventfd: change int to __u64 in eventfd_signal()") +Signed-off-by: Zhang Qilong +Cc: Dylan Yudaken +Cc: Jens Axboe +Cc: Sha Zhengju +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + include/linux/eventfd.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/eventfd.h b/include/linux/eventfd.h +index ff0b981f078e..c5a383162c0b 100644 +--- a/include/linux/eventfd.h ++++ b/include/linux/eventfd.h +@@ -56,7 +56,7 @@ static inline struct eventfd_ctx *eventfd_ctx_fdget(int fd) + return ERR_PTR(-ENOSYS); + } + +-static inline int eventfd_signal(struct eventfd_ctx *ctx, int n) ++static inline int eventfd_signal(struct eventfd_ctx *ctx, __u64 n) + { + return -ENOSYS; + } +-- +2.35.1 + diff --git a/queue-4.9/fbdev-pm2fb-fix-missing-pci_disable_device.patch b/queue-4.9/fbdev-pm2fb-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..ecb40f3f8bf --- /dev/null +++ b/queue-4.9/fbdev-pm2fb-fix-missing-pci_disable_device.patch 
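Review bot: the stub's parameter now matches the real eventfd_signal() (`__u64 n`), but its return type stays `int`; verify that the CONFIG_EVENTFD=y declaration also returns int, since a mismatched return type between the two configurations would reintroduce the same prototype divergence this patch fixes.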
@@ -0,0 +1,56 @@ +From acc0911a235cbcf894d10da6b828a0c891ab5a90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:55:10 +0800 +Subject: fbdev: pm2fb: fix missing pci_disable_device() + +From: Yang Yingliang + +[ Upstream commit ed359a464846b48f76ea6cc5cd8257e545ac97f4 ] + +Add missing pci_disable_device() in error path of probe() and remove() path. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pm2fb.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/video/fbdev/pm2fb.c b/drivers/video/fbdev/pm2fb.c +index 9b32b9fc44a5..6e8bd281ee0f 100644 +--- a/drivers/video/fbdev/pm2fb.c ++++ b/drivers/video/fbdev/pm2fb.c +@@ -1527,8 +1527,10 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id) + } + + info = framebuffer_alloc(sizeof(struct pm2fb_par), &pdev->dev); +- if (!info) +- return -ENOMEM; ++ if (!info) { ++ err = -ENOMEM; ++ goto err_exit_disable; ++ } + default_par = info->par; + + switch (pdev->device) { +@@ -1709,6 +1711,8 @@ static int pm2fb_probe(struct pci_dev *pdev, const struct pci_device_id *id) + release_mem_region(pm2fb_fix.mmio_start, pm2fb_fix.mmio_len); + err_exit_neither: + framebuffer_release(info); ++ err_exit_disable: ++ pci_disable_device(pdev); + return retval; + } + +@@ -1735,6 +1739,7 @@ static void pm2fb_remove(struct pci_dev *pdev) + fb_dealloc_cmap(&info->cmap); + kfree(info->pixmap.addr); + framebuffer_release(info); ++ pci_disable_device(pdev); + } + + static struct pci_device_id pm2fb_id_table[] = { +-- +2.35.1 + diff --git a/queue-4.9/fbdev-ssd1307fb-drop-optional-dependency.patch b/queue-4.9/fbdev-ssd1307fb-drop-optional-dependency.patch new file mode 100644 index 00000000000..1f63938dd8c --- /dev/null +++ b/queue-4.9/fbdev-ssd1307fb-drop-optional-dependency.patch 
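Review bot: in the first pm2fb_probe() hunk the new failure path sets `err = -ENOMEM` and jumps to err_exit_disable, but the label block in the second hunk ends with `return retval;`. Unless err and retval are the same variable, the -ENOMEM is lost and probe returns whatever retval held at that point; set `retval = -ENOMEM` (or return err) so the error is propagated to the PCI core.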
@@ -0,0 +1,38 @@ +From c4735a8b4e147d0cc66dee65602dd18244c67bec Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 17:09:46 +0200 +Subject: fbdev: ssd1307fb: Drop optional dependency + +From: Andy Shevchenko + +[ Upstream commit 025e3b507a3a8e1ee96a3112bb67495c77d6cdb6 ] + +Only a single out of three devices need a PWM, so from driver it's +optional. Moreover it's a single driver in the entire kernel that +currently selects PWM. Unfortunately this selection is a root cause +of the circular dependencies when we want to enable optional PWM +for some other drivers that select GPIOLIB. + +Fixes: a2ed00da5047 ("drivers/video: add support for the Solomon SSD1307 OLED Controller") +Signed-off-by: Andy Shevchenko +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/Kconfig | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/video/fbdev/Kconfig b/drivers/video/fbdev/Kconfig +index c0d4e645f3b5..e2c51e2ffc80 100644 +--- a/drivers/video/fbdev/Kconfig ++++ b/drivers/video/fbdev/Kconfig +@@ -2471,7 +2471,6 @@ config FB_SSD1307 + select FB_SYS_COPYAREA + select FB_SYS_IMAGEBLIT + select FB_DEFERRED_IO +- select PWM + select FB_BACKLIGHT + help + This driver implements support for the Solomon SSD1307 +-- +2.35.1 + diff --git a/queue-4.9/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch b/queue-4.9/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch new file mode 100644 index 00000000000..d9483ac7918 --- /dev/null +++ b/queue-4.9/fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch 
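Review bot: dropping `select PWM` changes the build matrix: FB_SSD1307 can now be enabled with CONFIG_PWM=n, so every PWM call in the driver must compile and behave sensibly against the stubbed PWM API in that configuration. The message says only one of the three supported devices uses PWM, but the Kconfig hunk adds no `depends on PWM || !PWM` guard, so a build with PWM disabled should be test-compiled before this is merged, and the help text just below the hunk could state that PWM is optional.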
@@ -0,0 +1,39 @@ +From 7e032e068be45e70a5aa6e58cfe130762235757c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Dec 2022 12:35:22 +0100 +Subject: fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() + +From: Christophe JAILLET + +[ Upstream commit a94371040712031ba129c7e9d8ff04a06a2f8207 ] + +If an error occurs after a successful uvesafb_init_mtrr() call, it must be +undone by a corresponding arch_phys_wc_del() call, as already done in the +remove function. + +This has been added in the remove function in commit 63e28a7a5ffc +("uvesafb: Clean up MTRR code") + +Fixes: 8bdb3a2d7df4 ("uvesafb: the driver core") +Signed-off-by: Christophe JAILLET +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/uvesafb.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/video/fbdev/uvesafb.c b/drivers/video/fbdev/uvesafb.c +index 9fe0d0bcdf62..01a3d9931348 100644 +--- a/drivers/video/fbdev/uvesafb.c ++++ b/drivers/video/fbdev/uvesafb.c +@@ -1776,6 +1776,7 @@ static int uvesafb_probe(struct platform_device *dev) + out_unmap: + iounmap(info->screen_base); + out_mem: ++ arch_phys_wc_del(par->mtrr_handle); + release_mem_region(info->fix.smem_start, info->fix.smem_len); + out_reg: + release_region(0x3c0, 32); +-- +2.35.1 + diff --git a/queue-4.9/fbdev-vermilion-decrease-reference-count-in-error-pa.patch b/queue-4.9/fbdev-vermilion-decrease-reference-count-in-error-pa.patch new file mode 100644 index 00000000000..46b1eea1b5d --- /dev/null +++ b/queue-4.9/fbdev-vermilion-decrease-reference-count-in-error-pa.patch 
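Review bot: the added `arch_phys_wc_del(par->mtrr_handle)` sits under the `out_mem:` label, which is reached from every failure after the memory region was claimed, not only from failures after uvesafb_init_mtrr(); that is only safe if no `goto out_mem` can precede the MTRR setup, or if `par->mtrr_handle` is initialised to a value arch_phys_wc_del() treats as nothing to undo. Please confirm one of those holds in uvesafb_probe(), and consider a one-line comment at the label saying it undoes uvesafb_init_mtrr(), mirroring the remove path the message cites.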
@@ -0,0 +1,40 @@ +From a664d33608b627425457b93c6c12e61a621da823 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 16:56:54 +0800 +Subject: fbdev: vermilion: decrease reference count in error path + +From: Xiongfeng Wang + +[ Upstream commit 001f2cdb952a9566c77fb4b5470cc361db5601bb ] + +pci_get_device() will increase the reference count for the returned +pci_dev. For the error path, we need to use pci_dev_put() to decrease +the reference count. + +Fixes: dbe7e429fedb ("vmlfb: framebuffer driver for Intel Vermilion Range") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/vermilion/vermilion.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/vermilion/vermilion.c b/drivers/video/fbdev/vermilion/vermilion.c +index 1c1e95a0b8fa..9774e9513ad0 100644 +--- a/drivers/video/fbdev/vermilion/vermilion.c ++++ b/drivers/video/fbdev/vermilion/vermilion.c +@@ -291,8 +291,10 @@ static int vmlfb_get_gpu(struct vml_par *par) + + mutex_unlock(&vml_mutex); + +- if (pci_enable_device(par->gpu) < 0) ++ if (pci_enable_device(par->gpu) < 0) { ++ pci_dev_put(par->gpu); + return -ENODEV; ++ } + + return 0; + } +-- +2.35.1 + diff --git a/queue-4.9/fbdev-via-fix-error-in-via_core_init.patch b/queue-4.9/fbdev-via-fix-error-in-via_core_init.patch new file mode 100644 index 00000000000..87bd6762ec8 --- /dev/null +++ b/queue-4.9/fbdev-via-fix-error-in-via_core_init.patch 
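Review bot: the hunk drops the reference taken by pci_get_device() when pci_enable_device() fails, but leaves `par->gpu` pointing at the device that was just put; if any later path (error reporting, or the unwind in the caller of vmlfb_get_gpu()) dereferences `par->gpu` after the -ENODEV return, that is a use-after-free. Set `par->gpu = NULL` right after the pci_dev_put(), or document that callers never touch it on failure.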
@@ -0,0 +1,47 @@ +From 948ef75bc1c018fbc87ceea161c30a930a43d2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 09:08:52 +0800 +Subject: fbdev: via: Fix error in via_core_init() + +From: Shang XiaoJing + +[ Upstream commit 5886b130de953cfb8826f7771ec8640a79934a7f ] + +via_core_init() won't exit the driver when pci_register_driver() failed. +Exit the viafb-i2c and the viafb-gpio in failed path to prevent error. + +VIA Graphics Integration Chipset framebuffer 2.4 initializing +Error: Driver 'viafb-i2c' is already registered, aborting... +Error: Driver 'viafb-gpio' is already registered, aborting... + +Fixes: 7582eb9be85f ("viafb: Turn GPIO and i2c into proper platform devices") +Signed-off-by: Shang XiaoJing +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/via/via-core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/via/via-core.c b/drivers/video/fbdev/via/via-core.c +index 1d28e16888e9..84f7835956a9 100644 +--- a/drivers/video/fbdev/via/via-core.c ++++ b/drivers/video/fbdev/via/via-core.c +@@ -775,7 +775,14 @@ static int __init via_core_init(void) + return ret; + viafb_i2c_init(); + viafb_gpio_init(); +- return pci_register_driver(&via_driver); ++ ret = pci_register_driver(&via_driver); ++ if (ret) { ++ viafb_gpio_exit(); ++ viafb_i2c_exit(); ++ return ret; ++ } ++ ++ return 0; + } + + static void __exit via_core_exit(void) +-- +2.35.1 + diff --git a/queue-4.9/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch b/queue-4.9/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch new file mode 100644 index 00000000000..d409b841dca --- /dev/null +++ b/queue-4.9/fs-don-t-audit-the-capability-check-in-simple_xattr_.patch 
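Review bot: the unwind in the new failure branch calls viafb_gpio_exit() and viafb_i2c_exit() in reverse order of the preceding viafb_i2c_init()/viafb_gpio_init(), which is right; however the visible lines show both init calls' return values being ignored, so confirm each exit routine is safe to call when its init did not fully succeed, otherwise the unwind can trip over the same "already registered" state the message describes. The `ret = ...; if (ret) { ... return ret; } return 0;` shape could simply end with `return ret;`, but that is style only.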
@@ -0,0 +1,54 @@ +From 6b5f420152a9c37d22df765d66122cbc3c89d073 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 16:12:05 +0100 +Subject: fs: don't audit the capability check in simple_xattr_list() + +From: Ondrej Mosnacek + +[ Upstream commit e7eda157c4071cd1e69f4b1687b0fbe1ae5e6f46 ] + +The check being unconditional may lead to unwanted denials reported by +LSMs when a process has the capability granted by DAC, but denied by an +LSM. In the case of SELinux such denials are a problem, since they can't +be effectively filtered out via the policy and when not silenced, they +produce noise that may hide a true problem or an attack. + +Checking for the capability only if any trusted xattr is actually +present wouldn't really address the issue, since calling listxattr(2) on +such node on its own doesn't indicate an explicit attempt to see the +trusted xattrs. Additionally, it could potentially leak the presence of +trusted xattrs to an unprivileged user if they can check for the denials +(e.g. through dmesg). + +Therefore, it's best (and simplest) to keep the check unconditional and +instead use ns_capable_noaudit() that will silence any associated LSM +denials. 
+ +Fixes: 38f38657444d ("xattr: extract simple_xattr code from tmpfs") +Reported-by: Martin Pitt +Suggested-by: Christian Brauner (Microsoft) +Signed-off-by: Ondrej Mosnacek +Reviewed-by: Christian Brauner (Microsoft) +Reviewed-by: Paul Moore +Signed-off-by: Christian Brauner (Microsoft) +Signed-off-by: Sasha Levin +--- + fs/xattr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/xattr.c b/fs/xattr.c +index c0fd99c95aa1..d66983d1e57c 100644 +--- a/fs/xattr.c ++++ b/fs/xattr.c +@@ -1017,7 +1017,7 @@ static int xattr_list_one(char **buffer, ssize_t *remaining_size, + ssize_t simple_xattr_list(struct inode *inode, struct simple_xattrs *xattrs, + char *buffer, size_t size) + { +- bool trusted = capable(CAP_SYS_ADMIN); ++ bool trusted = ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN); + struct simple_xattr *xattr; + ssize_t remaining_size = size; + int err = 0; +-- +2.35.1 + diff --git a/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch b/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch new file mode 100644 index 00000000000..d1cd0269499 --- /dev/null +++ b/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch 
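Review bot: switching to `ns_capable_noaudit(&init_user_ns, CAP_SYS_ADMIN)` preserves the semantics of `capable(CAP_SYS_ADMIN)` (same namespace, same capability) and only suppresses the LSM audit record, so the change is minimal and matches the message's reasoning. The one thing I would add is a short comment above that line explaining why the non-audited variant is used: the commit message argues that the obvious alternatives (a conditional check, or plain capable()) are worse, and without an in-code note a future cleanup is likely to "fix" it back to capable().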
@@ -0,0 +1,90 @@ +From 3155d422ab0e18c154fe8c6f09202638d7585c27 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 08:48:07 -0500 +Subject: fs: jfs: fix shift-out-of-bounds in dbAllocAG + +From: Dongliang Mu + +[ Upstream commit 898f706695682b9954f280d95e49fa86ffa55d08 ] + +Syzbot found a crash : UBSAN: shift-out-of-bounds in dbAllocAG. The +underlying bug is the missing check of bmp->db_agl2size. The field can +be greater than 64 and trigger the shift-out-of-bounds. + +Fix this bug by adding a check of bmp->db_agl2size in dbMount since this +field is used in many following functions. The upper bound for this +field is L2MAXL2SIZE - L2MAXAG, thanks for the help of Dave Kleikamp. +Note that, for maintenance, I reorganized error handling code of dbMount. + +Reported-by: syzbot+15342c1aa6a00fb7a438@syzkaller.appspotmail.com +Signed-off-by: Dongliang Mu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index a07fbb60ac3c..a46fa0f3db57 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -168,7 +168,7 @@ int dbMount(struct inode *ipbmap) + struct bmap *bmp; + struct dbmap_disk *dbmp_le; + struct metapage *mp; +- int i; ++ int i, err; + + /* + * allocate/initialize the in-memory bmap descriptor +@@ -183,8 +183,8 @@ int dbMount(struct inode *ipbmap) + BMAPBLKNO << JFS_SBI(ipbmap->i_sb)->l2nbperpage, + PSIZE, 0); + if (mp == NULL) { +- kfree(bmp); +- return -EIO; ++ err = -EIO; ++ goto err_kfree_bmp; + } + + /* copy the on-disk bmap descriptor to its in-memory version. 
*/ +@@ -194,9 +194,8 @@ int dbMount(struct inode *ipbmap) + bmp->db_l2nbperpage = le32_to_cpu(dbmp_le->dn_l2nbperpage); + bmp->db_numag = le32_to_cpu(dbmp_le->dn_numag); + if (!bmp->db_numag) { +- release_metapage(mp); +- kfree(bmp); +- return -EINVAL; ++ err = -EINVAL; ++ goto err_release_metapage; + } + + bmp->db_maxlevel = le32_to_cpu(dbmp_le->dn_maxlevel); +@@ -207,6 +206,11 @@ int dbMount(struct inode *ipbmap) + bmp->db_agwidth = le32_to_cpu(dbmp_le->dn_agwidth); + bmp->db_agstart = le32_to_cpu(dbmp_le->dn_agstart); + bmp->db_agl2size = le32_to_cpu(dbmp_le->dn_agl2size); ++ if (bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + for (i = 0; i < MAXAG; i++) + bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); + bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize); +@@ -227,6 +231,12 @@ int dbMount(struct inode *ipbmap) + BMAP_LOCK_INIT(bmp); + + return (0); ++ ++err_release_metapage: ++ release_metapage(mp); ++err_kfree_bmp: ++ kfree(bmp); ++ return err; + } + + +-- +2.35.1 + diff --git a/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch b/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch new file mode 100644 index 00000000000..0c4ca1cb769 --- /dev/null +++ b/queue-4.9/fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch 
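Review bot: the new bound check in the third hunk, `bmp->db_agl2size > L2MAXL2SIZE - L2MAXAG`, rejects oversized values but not negative ones: `db_agl2size` is assigned from le32_to_cpu() and, if the field is a signed int, a negative on-disk value passes this test and still produces an undefined shift in dbAllocAG() and the other functions the message mentions. Compare as unsigned, or add `bmp->db_agl2size < 0` to the condition. The error-label restructuring is otherwise clean: `err_release_metapage` falls through into `err_kfree_bmp`, which matches the original explicit release-then-kfree order.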
@@ -0,0 +1,39 @@ +From 470fb25ead93508932036550ee51dba944b80453 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 25 Oct 2022 23:20:45 +0800 +Subject: fs: jfs: fix shift-out-of-bounds in dbDiscardAG + +From: Hoi Pok Wu + +[ Upstream commit 25e70c6162f207828dd405b432d8f2a98dbf7082 ] + +This should be applied to most URSAN bugs found recently by syzbot, +by guarding the dbMount. As syzbot feeding rubbish into the bmap +descriptor. + +Signed-off-by: Hoi Pok Wu +Signed-off-by: Dave Kleikamp +Signed-off-by: Sasha Levin +--- + fs/jfs/jfs_dmap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c +index a46fa0f3db57..0ca1ad2610df 100644 +--- a/fs/jfs/jfs_dmap.c ++++ b/fs/jfs/jfs_dmap.c +@@ -211,6 +211,11 @@ int dbMount(struct inode *ipbmap) + goto err_release_metapage; + } + ++ if (((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG) { ++ err = -EINVAL; ++ goto err_release_metapage; ++ } ++ + for (i = 0; i < MAXAG; i++) + bmp->db_agfree[i] = le64_to_cpu(dbmp_le->dn_agfree[i]); + bmp->db_agsize = le64_to_cpu(dbmp_le->dn_agsize); +-- +2.35.1 + diff --git a/queue-4.9/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch b/queue-4.9/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch new file mode 100644 index 00000000000..d88f4f62477 --- /dev/null +++ b/queue-4.9/fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch 
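Review bot: the condition `((bmp->db_mapsize - 1) >> bmp->db_agl2size) > MAXAG` still accepts a value equal to MAXAG; if that expression is the allocation-group number used to index `db_agfree[]`, whose loop bound in the next visible lines is `i < MAXAG`, then an index of MAXAG is out of range and the test should be `>= MAXAG`. Please confirm which is intended. This check also relies on `db_agl2size` having already been validated by the preceding patch (the hunk is placed directly after that range check), so the two patches must stay in this order in the queue.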
@@ -0,0 +1,42 @@ +From 52e4bcfd6d22300ec601c09f51f1f41f9687fa31 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 18:04:48 +0800 +Subject: fs: sysv: Fix sysv_nblocks() returns wrong value + +From: Chen Zhongjin + +[ Upstream commit e0c49bd2b4d3cd1751491eb2d940bce968ac65e9 ] + +sysv_nblocks() returns 'blocks' rather than 'res', which only counting +the number of triple-indirect blocks and causing sysv_getattr() gets a +wrong result. + +[AV: this is actually a sysv counterpart of minixfs fix - +0fcd426de9d0 "[PATCH] minix block usage counting fix" in +historical tree; mea culpa, should've thought to check +fs/sysv back then...] + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Chen Zhongjin +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + fs/sysv/itree.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c +index 08d3e630b49c..f5b0837511cf 100644 +--- a/fs/sysv/itree.c ++++ b/fs/sysv/itree.c +@@ -437,7 +437,7 @@ static unsigned sysv_nblocks(struct super_block *s, loff_t size) + res += blocks; + direct = 1; + } +- return blocks; ++ return res; + } + + int sysv_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) +-- +2.35.1 + diff --git a/queue-4.9/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch b/queue-4.9/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch new file mode 100644 index 00000000000..935aac77f3e --- /dev/null +++ b/queue-4.9/hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch 
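Review bot: returning `res` instead of `blocks` is the correct fix given the visible `res += blocks;` accumulation, but only the tail of sysv_nblocks() is in the hunk; confirm `res` is initialised before the loop and that the direct-block count is folded into it, so that the `st_blocks` reported through sysv_getattr() is complete. A stat() on a file larger than the indirect-block threshold, compared before and after the patch, would make a simple regression check.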
@@ -0,0 +1,52 @@ +From 0def69e70d3fbaed7d8c0c96135430305a4e55bc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 09:06:10 -0700 +Subject: hamradio: baycom_epp: Fix return type of baycom_send_packet() + +From: Nathan Chancellor + +[ Upstream commit c5733e5b15d91ab679646ec3149e192996a27d5d ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/net/hamradio/baycom_epp.c:1119:25: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = baycom_send_packet, + ^~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of baycom_send_packet() +to match the prototype's to resolve the warning and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20221102160610.1186145-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/baycom_epp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/hamradio/baycom_epp.c b/drivers/net/hamradio/baycom_epp.c +index 78dbc44540f6..b7831d0fd084 100644 +--- a/drivers/net/hamradio/baycom_epp.c ++++ b/drivers/net/hamradio/baycom_epp.c +@@ -768,7 +768,7 @@ static void epp_bh(struct work_struct *work) + * ===================== network driver interface ========================= + */ + +-static int baycom_send_packet(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t baycom_send_packet(struct sk_buff *skb, struct net_device *dev) + { + struct baycom_state *bc = netdev_priv(dev); + +-- +2.35.1 + diff --git a/queue-4.9/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch b/queue-4.9/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch new file mode 100644 index 00000000000..791bc10f82b --- /dev/null +++ b/queue-4.9/hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch 
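Review bot: changing the return type to `netdev_tx_t` is the right CFI fix, but the hunk shows only the signature; every `return` in baycom_send_packet() must now yield a `netdev_tx_t` value (NETDEV_TX_OK or NETDEV_TX_BUSY) rather than a bare 0 or -errno, because C converts an int to the enum silently and a leftover negative return would become a bogus xmit status. Please confirm the body's return statements already use the NETDEV_TX_* constants.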
@@ -0,0 +1,62 @@ +From 3932f2c8fcecd60914b46c06ab33a1cd258c3904 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:46 +0800 +Subject: hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3727f742915f04f6fc550b80cf406999bd4e90d0 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In scc_discard_buffers(), dev_kfree_skb() is called to discard the SKBs, +so replace it with dev_kfree_skb_irq(). + +In scc_net_tx(), dev_kfree_skb() is called to drop the SKB that exceed +queue length, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/hamradio/scc.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/hamradio/scc.c b/drivers/net/hamradio/scc.c +index b8083161ef46..9b9daf45adad 100644 +--- a/drivers/net/hamradio/scc.c ++++ b/drivers/net/hamradio/scc.c +@@ -299,12 +299,12 @@ static inline void scc_discard_buffers(struct scc_channel *scc) + spin_lock_irqsave(&scc->lock, flags); + if (scc->tx_buff != NULL) + { +- dev_kfree_skb(scc->tx_buff); ++ dev_kfree_skb_irq(scc->tx_buff); + scc->tx_buff = NULL; + } + + while (!skb_queue_empty(&scc->tx_queue)) +- dev_kfree_skb(skb_dequeue(&scc->tx_queue)); ++ dev_kfree_skb_irq(skb_dequeue(&scc->tx_queue)); + + spin_unlock_irqrestore(&scc->lock, flags); + } +@@ -1666,7 +1666,7 @@ static netdev_tx_t scc_net_tx(struct sk_buff *skb, struct net_device *dev) + if (skb_queue_len(&scc->tx_queue) > scc->dev->tx_queue_len) { + struct sk_buff *skb_del; + skb_del = skb_dequeue(&scc->tx_queue); +- dev_kfree_skb(skb_del); ++ dev_kfree_skb_irq(skb_del); + } + skb_queue_tail(&scc->tx_queue, skb); + netif_trans_update(dev); +-- +2.35.1 + diff --git a/queue-4.9/hfs-fix-oob-read-in-__hfs_brec_find.patch b/queue-4.9/hfs-fix-oob-read-in-__hfs_brec_find.patch new file mode 100644 index 00000000000..f62f844b253 --- /dev/null +++ b/queue-4.9/hfs-fix-oob-read-in-__hfs_brec_find.patch 
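Review bot: both hunks run with `scc->lock` held via spin_lock_irqsave(), so dev_kfree_skb_irq(), which defers the free to the softirq completion queue, is the correct replacement; for the second hunk in scc_net_tx(), an alternative that avoids the deferred path entirely is to keep `skb_del` and free it with dev_kfree_skb() after spin_unlock_irqrestore(), which leaves the drop accounting unchanged. Either way, choosing the _irq (drop) variant over the _consume one is right for the queue-overflow case the message describes.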
@@ -0,0 +1,81 @@ +From fb79913d5d17185053cfa86712422c3f993c7196 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 06:59:59 +0000 +Subject: hfs: fix OOB Read in __hfs_brec_find + +From: ZhangPeng + +[ Upstream commit 8d824e69d9f3fa3121b2dda25053bae71e2460d2 ] + +Syzbot reported a OOB read bug: + +================================================================== +BUG: KASAN: slab-out-of-bounds in hfs_strcmp+0x117/0x190 +fs/hfs/string.c:84 +Read of size 1 at addr ffff88807eb62c4e by task kworker/u4:1/11 +CPU: 1 PID: 11 Comm: kworker/u4:1 Not tainted +6.1.0-rc6-syzkaller-00308-g644e9524388a #0 +Workqueue: writeback wb_workfn (flush-7:0) +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + hfs_strcmp+0x117/0x190 fs/hfs/string.c:84 + __hfs_brec_find+0x213/0x5c0 fs/hfs/bfind.c:75 + hfs_brec_find+0x276/0x520 fs/hfs/bfind.c:138 + hfs_write_inode+0x34c/0xb40 fs/hfs/inode.c:462 + write_inode fs/fs-writeback.c:1440 [inline] + +If the input inode of hfs_write_inode() is incorrect: +struct inode + struct hfs_inode_info + struct hfs_cat_key + struct hfs_name + u8 len # len is greater than HFS_NAMELEN(31) which is the +maximum length of an HFS filename + +OOB read occurred: +hfs_write_inode() + hfs_brec_find() + __hfs_brec_find() + hfs_cat_keycmp() + hfs_strcmp() # OOB read occurred due to len is too large + +Fix this by adding a Check on len in hfs_write_inode() before calling +hfs_brec_find(). 
+ +Link: https://lkml.kernel.org/r/20221130065959.2168236-1-zhangpeng362@huawei.com +Signed-off-by: ZhangPeng +Reported-by: +Cc: Damien Le Moal +Cc: Ira Weiny +Cc: Jeff Layton +Cc: Kefeng Wang +Cc: Matthew Wilcox +Cc: Nanyong Sun +Cc: Viacheslav Dubeyko +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/hfs/inode.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/fs/hfs/inode.c b/fs/hfs/inode.c +index de0d6d4c46b6..cd4eee5b8358 100644 +--- a/fs/hfs/inode.c ++++ b/fs/hfs/inode.c +@@ -452,6 +452,8 @@ int hfs_write_inode(struct inode *inode, struct writeback_control *wbc) + /* panic? */ + return -EIO; + ++ if (HFS_I(main_inode)->cat_key.CName.len > HFS_NAMELEN) ++ return -EIO; + fd.search_key->cat = HFS_I(main_inode)->cat_key; + if (hfs_brec_find(&fd)) + /* panic? */ +-- +2.35.1 + diff --git a/queue-4.9/hfs-fix-oob-write-in-hfs_asc2mac.patch b/queue-4.9/hfs-fix-oob-write-in-hfs_asc2mac.patch new file mode 100644 index 00000000000..1aaf9772d94 --- /dev/null +++ b/queue-4.9/hfs-fix-oob-write-in-hfs_asc2mac.patch 
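Review bot: the new `cat_key.CName.len > HFS_NAMELEN` check in hfs_write_inode() stops this particular OOB read, but it validates the key at one consumer rather than where `cat_key` is populated from disk; other callers of hfs_brec_find() that search with the same key remain exposed. Consider validating `len` at the point the catalog key is read into `HFS_I(inode)->cat_key` so every path benefits. Also note that returning -EIO here silently drops the inode write; a pr_err() next to it would make the on-disk corruption visible in the logs instead of leaving only a failed writeback.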
@@ -0,0 +1,66 @@ +From 2f397e0a9fef444d9b6bdd7f95072d2669f0e63d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 03:00:38 +0000 +Subject: hfs: Fix OOB Write in hfs_asc2mac + +From: ZhangPeng + +[ Upstream commit c53ed55cb275344086e32a7080a6b19cb183650b ] + +Syzbot reported a OOB Write bug: + +loop0: detected capacity change from 0 to 64 +================================================================== +BUG: KASAN: slab-out-of-bounds in hfs_asc2mac+0x467/0x9a0 +fs/hfs/trans.c:133 +Write of size 1 at addr ffff88801848314e by task syz-executor391/3632 + +Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + print_address_description+0x74/0x340 mm/kasan/report.c:284 + print_report+0x107/0x1f0 mm/kasan/report.c:395 + kasan_report+0xcd/0x100 mm/kasan/report.c:495 + hfs_asc2mac+0x467/0x9a0 fs/hfs/trans.c:133 + hfs_cat_build_key+0x92/0x170 fs/hfs/catalog.c:28 + hfs_lookup+0x1ab/0x2c0 fs/hfs/dir.c:31 + lookup_open fs/namei.c:3391 [inline] + open_last_lookups fs/namei.c:3481 [inline] + path_openat+0x10e6/0x2df0 fs/namei.c:3710 + do_filp_open+0x264/0x4f0 fs/namei.c:3740 + +If in->len is much larger than HFS_NAMELEN(31) which is the maximum +length of an HFS filename, a OOB write could occur in hfs_asc2mac(). In +that case, when the dst reaches the boundary, the srclen is still +greater than 0, which causes a OOB write. +Fix this by adding a check on dstlen in while() before writing to dst +address. 
+ +Link: https://lkml.kernel.org/r/20221202030038.1391945-1-zhangpeng362@huawei.com +Fixes: 328b92278650 ("[PATCH] hfs: NLS support") +Signed-off-by: ZhangPeng +Reviewed-by: Viacheslav Dubeyko +Reported-by: +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/hfs/trans.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/hfs/trans.c b/fs/hfs/trans.c +index 39f5e343bf4d..fdb0edb8a607 100644 +--- a/fs/hfs/trans.c ++++ b/fs/hfs/trans.c +@@ -109,7 +109,7 @@ void hfs_asc2mac(struct super_block *sb, struct hfs_name *out, const struct qstr + if (nls_io) { + wchar_t ch; + +- while (srclen > 0) { ++ while (srclen > 0 && dstlen > 0) { + size = nls_io->char2uni(src, srclen, &ch); + if (size < 0) { + ch = '?'; +-- +2.35.1 + diff --git a/queue-4.9/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch b/queue-4.9/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch new file mode 100644 index 00000000000..b14c15555a0 --- /dev/null +++ b/queue-4.9/hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch 
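Review bot: the `&& dstlen > 0` guard in the loop head bounds every write inside the loop (the `'?'` stores and the single-character copy each write one byte, and the nls_disk->uni2char() path is already passed `dstlen`), so this closes the overflow for the NLS branch. The hunk does not touch the non-NLS `else` branch of hfs_asc2mac(), so please confirm that fallback loop also bounds its copy by HFS_NAMELEN, otherwise the same OOB write remains reachable when no I/O charset is configured.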
@@ -0,0 +1,48 @@ +From c5fb6ae1da4aa7e5deeb4d27eafc0d462cb7189d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 13:13:26 +0100 +Subject: HID: hid-sensor-custom: set fixed size for custom attributes + +From: Marcus Folkesson + +[ Upstream commit 9d013910df22de91333a0acc81d1dbb115bd76f6 ] + +This is no bugfix (so no Fixes: tag is necessary) as it is +taken care of in hid_sensor_custom_add_attributes(). + +The motivation for this patch is that: +hid_sensor_custom_field.attr_name and +hid_sensor_custom_field.attrs +has the size of HID_CUSTOM_TOTAL_ATTRS and used in same context. + +We compare against HID_CUSTOM_TOTAL_ATTRS when +looping through hid_custom_attrs. + +We will silent the smatch error: +hid_sensor_custom_add_attributes() error: buffer overflow +'hid_custom_attrs' 8 <= 10 + +Signed-off-by: Marcus Folkesson +Acked-by: Jonathan Cameron +Signed-off-by: Jiri Kosina +Signed-off-by: Sasha Levin +--- + drivers/hid/hid-sensor-custom.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-sensor-custom.c b/drivers/hid/hid-sensor-custom.c +index 3a84aaf1418b..683bfcb41926 100644 +--- a/drivers/hid/hid-sensor-custom.c ++++ b/drivers/hid/hid-sensor-custom.c +@@ -67,7 +67,7 @@ struct hid_sensor_sample { + u32 raw_len; + } __packed; + +-static struct attribute hid_custom_attrs[] = { ++static struct attribute hid_custom_attrs[HID_CUSTOM_TOTAL_ATTRS] = { + {.name = "name", .mode = S_IRUGO}, + {.name = "units", .mode = S_IRUGO}, + {.name = "unit-expo", .mode = S_IRUGO}, +-- +2.35.1 + diff --git a/queue-4.9/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch b/queue-4.9/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch new file mode 100644 index 00000000000..4ab22697ff0 --- /dev/null +++ b/queue-4.9/hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch 
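Review bot: giving `hid_custom_attrs` an explicit size of HID_CUSTOM_TOTAL_ATTRS zero-fills every element beyond the initialised ones, so the tail entries now carry `.name == NULL` and `.mode == 0`; the message says hid_sensor_custom_add_attributes() already guards against running past the initialised entries, but it is worth confirming that its loop stops on a NULL name (or on the real count) rather than registering zeroed attributes. A comment tying the initialiser count to HID_CUSTOM_TOTAL_ATTRS would keep the two from drifting apart again.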
@@ -0,0 +1,45 @@ +From e2ce35c3ce3ceb17ee870957b847af96c02bc71b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 11:33:32 +0000 +Subject: HSI: omap_ssi_core: Fix error handling in ssi_init() + +From: Yuan Can + +[ Upstream commit 3ffa9f713c39a213a08d9ff13ab983a8aa5d8b5d ] + +The ssi_init() returns the platform_driver_register() directly without +checking its return value, if platform_driver_register() failed, the +ssi_pdriver is not unregistered. +Fix by unregister ssi_pdriver when the last platform_driver_register() +failed. + +Fixes: 0fae198988b8 ("HSI: omap_ssi: built omap_ssi and omap_ssi_port into one module") +Signed-off-by: Yuan Can +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 9e82f9f8f0a3..c885c3bc2e85 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -669,7 +669,13 @@ static int __init ssi_init(void) { + if (ret) + return ret; + +- return platform_driver_register(&ssi_port_pdriver); ++ ret = platform_driver_register(&ssi_port_pdriver); ++ if (ret) { ++ platform_driver_unregister(&ssi_pdriver); ++ return ret; ++ } ++ ++ return 0; + } + module_init(ssi_init); + +-- +2.35.1 + diff --git a/queue-4.9/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch b/queue-4.9/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch new file mode 100644 index 00000000000..34f03ffeeb3 --- /dev/null +++ b/queue-4.9/hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch 
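Review bot: the unwind is correct and in the right order (ssi_pdriver was registered first, so it is unregistered when the second registration fails); confirm that ssi_exit() mirrors this by unregistering ssi_port_pdriver before ssi_pdriver. Minor style point: the pre-existing opening brace on the `static int __init ssi_init(void) {` line is against kernel coding style and could be moved to its own line while the function is being touched.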
@@ -0,0 +1,41 @@ +From 92e541c6369064ba64c8b2c35648ee0c270b1e3e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 31 Oct 2022 15:43:37 +0800 +Subject: HSI: omap_ssi_core: fix possible memory leak in ssi_probe() + +From: Yang Yingliang + +[ Upstream commit 1aff514e1d2bd47854dbbdf867970b9d463d4c57 ] + +If ssi_add_controller() returns error, it should call hsi_put_controller() +to give up the reference that was set in hsi_alloc_controller(), so that +it can call hsi_controller_release() to free controller and ports that +allocated in hsi_alloc_controller(). + +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index db9328c05492..9e82f9f8f0a3 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -540,8 +540,10 @@ static int ssi_probe(struct platform_device *pd) + platform_set_drvdata(pd, ssi); + + err = ssi_add_controller(ssi, pd); +- if (err < 0) ++ if (err < 0) { ++ hsi_put_controller(ssi); + goto out1; ++ } + + pm_runtime_enable(&pd->dev); + +-- +2.35.1 + diff --git a/queue-4.9/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch b/queue-4.9/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch new file mode 100644 index 00000000000..ce66ea55377 --- /dev/null +++ b/queue-4.9/hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch 
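Review bot: calling hsi_put_controller(ssi) before `goto out1` releases the controller and its ports, per the message, so from that point `ssi` is dangling; `out1` only clears the platform drvdata, but anything between the jump and the return that still touches `ssi` would be a use-after-free, so confirm `out1` is the last label and that nothing after it dereferences the pointer. The `out2` path for failures after a successful ssi_add_controller() keeps using ssi_remove_controller() as before, which this hunk preserves.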
@@ -0,0 +1,38 @@ +From 7d81cf757c9cb995358ccfd62ebe9ff9ca8731af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 11:41:18 +0800 +Subject: HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() + +From: Yang Yingliang + +[ Upstream commit f5181c35ed7ba0ceb6e42872aad1334d994b0175 ] + +In error label 'out1' path in ssi_probe(), the pm_runtime_enable() +has not been called yet, so pm_runtime_disable() is not needed. + +Fixes: b209e047bc74 ("HSI: Introduce OMAP SSI driver") +Signed-off-by: Yang Yingliang +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/hsi/controllers/omap_ssi_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hsi/controllers/omap_ssi_core.c b/drivers/hsi/controllers/omap_ssi_core.c +index 56de30c25063..db9328c05492 100644 +--- a/drivers/hsi/controllers/omap_ssi_core.c ++++ b/drivers/hsi/controllers/omap_ssi_core.c +@@ -574,9 +574,9 @@ static int ssi_probe(struct platform_device *pd) + device_for_each_child(&pd->dev, NULL, ssi_remove_ports); + out2: + ssi_remove_controller(ssi); ++ pm_runtime_disable(&pd->dev); + out1: + platform_set_drvdata(pd, NULL); +- pm_runtime_disable(&pd->dev); + + return err; + } +-- +2.35.1 + diff --git a/queue-4.9/hwrng-amd-fix-pci-device-refcount-leak.patch b/queue-4.9/hwrng-amd-fix-pci-device-refcount-leak.patch new file mode 100644 index 00000000000..0a5aab74ab9 --- /dev/null +++ b/queue-4.9/hwrng-amd-fix-pci-device-refcount-leak.patch 
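Review bot: moving pm_runtime_disable() under `out2:` balances it with the pm_runtime_enable() that follows a successful ssi_add_controller(), but the fix only holds if every `goto out2` occurs after pm_runtime_enable(&pd->dev); a failure between ssi_add_controller() and pm_runtime_enable() that jumps to out2 would now produce the opposite imbalance, so please confirm no such path exists. A brief comment at each label listing what it undoes would make the ordering obvious to the next reader.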
@@ -0,0 +1,76 @@ +From 7413e656361c7065c464ee02f02f0510d4d5cafd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 21:22:33 +0800 +Subject: hwrng: amd - Fix PCI device refcount leak + +From: Xiongfeng Wang + +[ Upstream commit ecadb5b0111ea19fc7c240bb25d424a94471eb7d ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. Add the missing +pci_dev_put() for the normal and error path. + +Fixes: 96d63c0297cc ("[PATCH] Add AMD HW RNG driver") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/amd-rng.c | 18 +++++++++++++----- + 1 file changed, 13 insertions(+), 5 deletions(-) + +diff --git a/drivers/char/hw_random/amd-rng.c b/drivers/char/hw_random/amd-rng.c +index 9959c762da2f..db3dd467194c 100644 +--- a/drivers/char/hw_random/amd-rng.c ++++ b/drivers/char/hw_random/amd-rng.c +@@ -143,15 +143,19 @@ static int __init mod_init(void) + found: + err = pci_read_config_dword(pdev, 0x58, &pmbase); + if (err) +- return err; ++ goto put_dev; + + pmbase &= 0x0000FF00; +- if (pmbase == 0) +- return -EIO; ++ if (pmbase == 0) { ++ err = -EIO; ++ goto put_dev; ++ } + + priv = kzalloc(sizeof(*priv), GFP_KERNEL); +- if (!priv) +- return -ENOMEM; ++ if (!priv) { ++ err = -ENOMEM; ++ goto put_dev; ++ } + + if (!request_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE, DRV_NAME)) { + dev_err(&pdev->dev, DRV_NAME " region 0x%x already in use!\n", +@@ -185,6 +189,8 @@ static int __init mod_init(void) + release_region(pmbase + PMBASE_OFFSET, PMBASE_SIZE); + out: + kfree(priv); ++put_dev: ++ pci_dev_put(pdev); + return err; + } + +@@ -200,6 +206,8 @@ static void __exit mod_exit(void) + + 
release_region(priv->pmbase + PMBASE_OFFSET, PMBASE_SIZE); + ++ pci_dev_put(priv->pcidev); ++ + kfree(priv); + } + +-- +2.35.1 + diff --git a/queue-4.9/hwrng-geode-fix-pci-device-refcount-leak.patch b/queue-4.9/hwrng-geode-fix-pci-device-refcount-leak.patch new file mode 100644 index 00000000000..cab573ec529 --- /dev/null +++ b/queue-4.9/hwrng-geode-fix-pci-device-refcount-leak.patch 
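Review bot: the mod_exit() hunk calls pci_dev_put(priv->pcidev), but nothing in this diff stores pdev into priv->pcidev; confirm that the existing mod_init() code between the `found:` block and hwrng_register() already does `priv->pcidev = pdev`, otherwise pci_dev_put(NULL) is a silent no-op and the reference taken by for_each_pci_dev() still leaks on the normal unload path. In the mod_init() hunk the three early returns are correctly converted to `goto put_dev`, and placing the put_dev label after `out: kfree(priv)` keeps the unwind order right for the request_region() failure path as well.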
@@ -0,0 +1,115 @@ +From 33eccbb33f10574033f8309ae3ab2974afa07826 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 21:22:34 +0800 +Subject: hwrng: geode - Fix PCI device refcount leak + +From: Xiongfeng Wang + +[ Upstream commit 9f6ec8dc574efb7f4f3d7ee9cd59ae307e78f445 ] + +for_each_pci_dev() is implemented by pci_get_device(). The comment of +pci_get_device() says that it will increase the reference count for the +returned pci_dev and also decrease the reference count for the input +pci_dev @from if it is not NULL. + +If we break for_each_pci_dev() loop with pdev not NULL, we need to call +pci_dev_put() to decrease the reference count. We add a new struct +'amd_geode_priv' to record pointer of the pci_dev and membase, and then +add missing pci_dev_put() for the normal and error path. + +Fixes: ef5d862734b8 ("[PATCH] Add Geode HW RNG driver") +Signed-off-by: Xiongfeng Wang +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/geode-rng.c | 36 +++++++++++++++++++++++------- + 1 file changed, 28 insertions(+), 8 deletions(-) + +diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c +index e1d421a36a13..207272979f23 100644 +--- a/drivers/char/hw_random/geode-rng.c ++++ b/drivers/char/hw_random/geode-rng.c +@@ -51,6 +51,10 @@ static const struct pci_device_id pci_tbl[] = { + }; + MODULE_DEVICE_TABLE(pci, pci_tbl); + ++struct amd_geode_priv { ++ struct pci_dev *pcidev; ++ void __iomem *membase; ++}; + + static int geode_rng_data_read(struct hwrng *rng, u32 *data) + { +@@ -90,6 +94,7 @@ static int __init mod_init(void) + const struct pci_device_id *ent; + void __iomem *mem; + unsigned long rng_base; ++ struct amd_geode_priv *priv; + + for_each_pci_dev(pdev) { + ent = pci_match_id(pci_tbl, pdev); +@@ -97,17 +102,26 @@ static int __init mod_init(void) + goto found; + } + /* Device not found. 
*/ +- goto out; ++ return err; + + found: ++ priv = kzalloc(sizeof(*priv), GFP_KERNEL); ++ if (!priv) { ++ err = -ENOMEM; ++ goto put_dev; ++ } ++ + rng_base = pci_resource_start(pdev, 0); + if (rng_base == 0) +- goto out; ++ goto free_priv; + err = -ENOMEM; + mem = ioremap(rng_base, 0x58); + if (!mem) +- goto out; +- geode_rng.priv = (unsigned long)mem; ++ goto free_priv; ++ ++ geode_rng.priv = (unsigned long)priv; ++ priv->membase = mem; ++ priv->pcidev = pdev; + + pr_info("AMD Geode RNG detected\n"); + err = hwrng_register(&geode_rng); +@@ -116,20 +130,26 @@ static int __init mod_init(void) + err); + goto err_unmap; + } +-out: + return err; + + err_unmap: + iounmap(mem); +- goto out; ++free_priv: ++ kfree(priv); ++put_dev: ++ pci_dev_put(pdev); ++ return err; + } + + static void __exit mod_exit(void) + { +- void __iomem *mem = (void __iomem *)geode_rng.priv; ++ struct amd_geode_priv *priv; + ++ priv = (struct amd_geode_priv *)geode_rng.priv; + hwrng_unregister(&geode_rng); +- iounmap(mem); ++ iounmap(priv->membase); ++ pci_dev_put(priv->pcidev); ++ kfree(priv); + } + + module_init(mod_init); +-- +2.35.1 + diff --git a/queue-4.9/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch b/queue-4.9/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch new file mode 100644 index 00000000000..8466b2708bf --- /dev/null +++ b/queue-4.9/i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch 
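Review bot: the mod_init() hunk changes geode_rng.priv from the ioremap()ed register base to a pointer to the new struct amd_geode_priv, but geode_rng_data_read() (visible as context right after the struct definition) and its data_present counterpart are not touched by this diff, and they treat rng->priv as the void __iomem base. Unless those readers are updated to go through priv->membase, they will read the struct's memory instead of the RNG registers after this change; the diffstat (one file, 28 insertions, 8 deletions) suggests they were not, so this needs a follow-up or an amended hunk before it is merged. Separately, the `Device not found` path now does `return err;` instead of `goto out;`, which relies on err being initialised to an error value before the loop; that initialisation is outside the hunk, so please confirm.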
@@ -0,0 +1,54 @@ +From a733d73484f4ed3bd63e05f3c1f528f6b3246bcf Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Jul 2022 19:02:16 +0800 +Subject: i2c: ismt: Fix an out-of-bounds bug in ismt_access() + +From: Zheyu Ma + +[ Upstream commit 39244cc754829bf707dccd12e2ce37510f5b1f8d ] + +When the driver does not check the data from the user, the variable +'data->block[0]' may be very large to cause an out-of-bounds bug. + +The following log can reveal it: + +[ 33.995542] i2c i2c-1: ioctl, cmd=0x720, arg=0x7ffcb3dc3a20 +[ 33.995978] ismt_smbus 0000:00:05.0: I2C_SMBUS_BLOCK_DATA: WRITE +[ 33.996475] ================================================================== +[ 33.996995] BUG: KASAN: out-of-bounds in ismt_access.cold+0x374/0x214b +[ 33.997473] Read of size 18446744073709551615 at addr ffff88810efcfdb1 by task ismt_poc/485 +[ 33.999450] Call Trace: +[ 34.001849] memcpy+0x20/0x60 +[ 34.002077] ismt_access.cold+0x374/0x214b +[ 34.003382] __i2c_smbus_xfer+0x44f/0xfb0 +[ 34.004007] i2c_smbus_xfer+0x10a/0x390 +[ 34.004291] i2cdev_ioctl_smbus+0x2c8/0x710 +[ 34.005196] i2cdev_ioctl+0x5ec/0x74c + +Fix this bug by checking the size of 'data->block[0]' first. 
+ +Fixes: 13f35ac14cd0 ("i2c: Adding support for Intel iSMT SMBus 2.0 host controller") +Signed-off-by: Zheyu Ma +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-ismt.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/i2c/busses/i2c-ismt.c b/drivers/i2c/busses/i2c-ismt.c +index b51adffa4841..e689c7acea62 100644 +--- a/drivers/i2c/busses/i2c-ismt.c ++++ b/drivers/i2c/busses/i2c-ismt.c +@@ -495,6 +495,9 @@ static int ismt_access(struct i2c_adapter *adap, u16 addr, + if (read_write == I2C_SMBUS_WRITE) { + /* Block Write */ + dev_dbg(dev, "I2C_SMBUS_BLOCK_DATA: WRITE\n"); ++ if (data->block[0] < 1 || data->block[0] > I2C_SMBUS_BLOCK_MAX) ++ return -EINVAL; ++ + dma_size = data->block[0] + 1; + dma_direction = DMA_TO_DEVICE; + desc->wr_len_cmd = dma_size; +-- +2.35.1 + diff --git a/queue-4.9/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch b/queue-4.9/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch new file mode 100644 index 00000000000..bd047ac6ecc --- /dev/null +++ b/queue-4.9/i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch 
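Review bot: the check in the I2C_SMBUS_BLOCK_DATA write branch sits in the right place (before dma_size and desc->wr_len_cmd are derived from data->block[0]), but the commit message only explains the upper bound; the KASAN report's `Read of size 18446744073709551615` is (size_t)-1, a wrapped length, which is what the `< 1` half of the check guards against. Spell that out in the message so nobody later "simplifies" the check to the upper bound only.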
@@ -0,0 +1,58 @@ +From 0e34d948fa68a922548f398df26c60f0679c0ea7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:25:40 +0800 +Subject: i2c: pxa-pci: fix missing pci_disable_device() on error in + ce4100_i2c_probe + +From: Hui Tang + +[ Upstream commit d78a167332e1ca8113268ed922c1212fd71b73ad ] + +Using pcim_enable_device() to avoid missing pci_disable_device(). + +Fixes: 7e94dd154e93 ("i2c-pxa2xx: Add PCI support for PXA I2C controller") +Signed-off-by: Hui Tang +Signed-off-by: Wolfram Sang +Signed-off-by: Sasha Levin +--- + drivers/i2c/busses/i2c-pxa-pci.c | 10 +++------- + 1 file changed, 3 insertions(+), 7 deletions(-) + +diff --git a/drivers/i2c/busses/i2c-pxa-pci.c b/drivers/i2c/busses/i2c-pxa-pci.c +index 417464e9ea2a..3113b06b4fc1 100644 +--- a/drivers/i2c/busses/i2c-pxa-pci.c ++++ b/drivers/i2c/busses/i2c-pxa-pci.c +@@ -101,7 +101,7 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + int i; + struct ce4100_devices *sds; + +- ret = pci_enable_device_mem(dev); ++ ret = pcim_enable_device(dev); + if (ret) + return ret; + +@@ -110,10 +110,8 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + return -EINVAL; + } + sds = kzalloc(sizeof(*sds), GFP_KERNEL); +- if (!sds) { +- ret = -ENOMEM; +- goto err_mem; +- } ++ if (!sds) ++ return -ENOMEM; + + for (i = 0; i < ARRAY_SIZE(sds->pdev); i++) { + sds->pdev[i] = add_i2c_device(dev, i); +@@ -129,8 +127,6 @@ static int ce4100_i2c_probe(struct pci_dev *dev, + + err_dev_add: + kfree(sds); +-err_mem: +- pci_disable_device(dev); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.9/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch b/queue-4.9/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch new file mode 100644 index 00000000000..5945db6f83c --- /dev/null +++ b/queue-4.9/ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch 
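Review bot: switching to pcim_enable_device() removes the probe-side pci_disable_device(), but the driver's remove path is outside this diff; if ce4100_i2c_remove() still calls pci_disable_device() explicitly, the device will now be disabled twice (once by remove, once by the devres release), so that call should be dropped in the same patch. Otherwise the error-path simplification (`return -ENOMEM` in place of the err_mem label) is correct.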
@@ -0,0 +1,61 @@ +From 059e0733a413f182587331217867a67f5906b946 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 09:52:54 +0200 +Subject: IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces + +From: Dragos Tatulea + +[ Upstream commit dbc94a0fb81771a38733c0e8f2ea8c4fa6934dc1 ] + +There are 2 ways to create IPoIB PKEY child interfaces: +1) Writing a PKEY to /sys/class/net//create_child. +2) Using netlink with iproute. + +While with sysfs the child interface has the same number of tx and +rx queues as the parent, with netlink there will always be 1 tx +and 1 rx queue for the child interface. That's because the +get_num_tx/rx_queues() netlink ops are missing and the default value +of 1 is taken for the number of queues (in rtnl_create_link()). + +This change adds the get_num_tx/rx_queues() ops which allows for +interfaces with multiple queues to be created over netlink. This +constant only represents the max number of tx and rx queues on that +net device. + +Fixes: 9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support") +Signed-off-by: Dragos Tatulea +Link: https://lore.kernel.org/r/f4a42c8aa43c02d5ae5559a60c3e5e0f18c82531.1670485816.git.leonro@nvidia.com +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/ulp/ipoib/ipoib_netlink.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +index cdc7df4fdb8a..20a6d1071014 100644 +--- a/drivers/infiniband/ulp/ipoib/ipoib_netlink.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_netlink.c +@@ -42,6 +42,11 @@ static const struct nla_policy ipoib_policy[IFLA_IPOIB_MAX + 1] = { + [IFLA_IPOIB_UMCAST] = { .type = NLA_U16 }, + }; + ++static unsigned int ipoib_get_max_num_queues(void) ++{ ++ return min_t(unsigned int, num_possible_cpus(), 128); ++} ++ + static int ipoib_fill_info(struct sk_buff *skb, const struct net_device *dev) + { + struct ipoib_dev_priv *priv = 
netdev_priv(dev); +@@ -167,6 +172,8 @@ static struct rtnl_link_ops ipoib_link_ops __read_mostly = { + .dellink = ipoib_unregister_child_dev, + .get_size = ipoib_get_size, + .fill_info = ipoib_fill_info, ++ .get_num_rx_queues = ipoib_get_max_num_queues, ++ .get_num_tx_queues = ipoib_get_max_num_queues, + }; + + int __init ipoib_netlink_init(void) +-- +2.35.1 + diff --git a/queue-4.9/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch b/queue-4.9/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch new file mode 100644 index 00000000000..b6c90641c16 --- /dev/null +++ b/queue-4.9/igb-do-not-free-q_vector-unless-new-one-was-allocate.patch 
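Review bot: in the ipoib_get_max_num_queues() hunk, the 128 cap is a bare magic number; give it a named constant with a comment on where the limit comes from, since the commit message only says it "represents the max number of tx and rx queues". The second hunk wiring .get_num_rx_queues/.get_num_tx_queues into ipoib_link_ops is the right hook for rtnl_create_link() and matches the description.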
@@ -0,0 +1,53 @@ +From 323531be642b023859b7a5b7f4e290eaabdd096a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 02:25:24 -0700 +Subject: igb: Do not free q_vector unless new one was allocated + +From: Kees Cook + +[ Upstream commit 0668716506ca66f90d395f36ccdaebc3e0e84801 ] + +Avoid potential use-after-free condition under memory pressure. If the +kzalloc() fails, q_vector will be freed but left in the original +adapter->q_vector[v_idx] array position. + +Cc: Jesse Brandeburg +Cc: Tony Nguyen +Cc: "David S. Miller" +Cc: Eric Dumazet +Cc: Jakub Kicinski +Cc: Paolo Abeni +Cc: intel-wired-lan@lists.osuosl.org +Cc: netdev@vger.kernel.org +Signed-off-by: Kees Cook +Reviewed-by: Michael J. Ruhl +Reviewed-by: Jacob Keller +Tested-by: Gurucharan (A Contingent worker at Intel) +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/igb/igb_main.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c +index 2e713e5f75cd..bbca786f0427 100644 +--- a/drivers/net/ethernet/intel/igb/igb_main.c ++++ b/drivers/net/ethernet/intel/igb/igb_main.c +@@ -1219,8 +1219,12 @@ static int igb_alloc_q_vector(struct igb_adapter *adapter, + if (!q_vector) { + q_vector = kzalloc(size, GFP_KERNEL); + } else if (size > ksize(q_vector)) { +- kfree_rcu(q_vector, rcu); +- q_vector = kzalloc(size, GFP_KERNEL); ++ struct igb_q_vector *new_q_vector; ++ ++ new_q_vector = kzalloc(size, GFP_KERNEL); ++ if (new_q_vector) ++ kfree_rcu(q_vector, rcu); ++ q_vector = new_q_vector; + } else { + memset(q_vector, 0, size); + } +-- +2.35.1 + diff --git a/queue-4.9/ima-fix-misuse-of-dereference-of-pointer-in-template.patch b/queue-4.9/ima-fix-misuse-of-dereference-of-pointer-in-template.patch new file mode 100644 index 00000000000..101a90cc6a1 --- /dev/null +++ b/queue-4.9/ima-fix-misuse-of-dereference-of-pointer-in-template.patch 
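Review bot: the igb_alloc_q_vector() hunk fixes the ordering correctly: the old q_vector is only kfree_rcu()'d once the replacement allocation succeeded, and on failure q_vector becomes NULL while the old (smaller) allocation stays in adapter->q_vector[v_idx]. It would help a future reader if the commit message stated that the stale entry is intentionally left in place to be released by the normal teardown path; as written it only describes the use-after-free being avoided.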
@@ -0,0 +1,47 @@ +From 27a9b785122aa9fa4017601689b3b35957c02a91 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:27:19 +0800 +Subject: ima: Fix misuse of dereference of pointer in + template_desc_init_fields() + +From: Xiu Jianfeng + +[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ] + +The input parameter @fields is type of struct ima_template_field ***, so +when allocates array memory for @fields, the size of element should be +sizeof(**field) instead of sizeof(*field). + +Actually the original code would not cause any runtime error, but it's +better to make it logically right. + +Fixes: adf53a778a0a ("ima: new templates management mechanism") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Sasha Levin +--- + security/integrity/ima/ima_template.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/security/integrity/ima/ima_template.c b/security/integrity/ima/ima_template.c +index febd12ed9b55..fdba86fa90ee 100644 +--- a/security/integrity/ima/ima_template.c ++++ b/security/integrity/ima/ima_template.c +@@ -171,11 +171,11 @@ static int template_desc_init_fields(const char *template_fmt, + } + + if (fields && num_fields) { +- *fields = kmalloc_array(i, sizeof(*fields), GFP_KERNEL); ++ *fields = kmalloc_array(i, sizeof(**fields), GFP_KERNEL); + if (*fields == NULL) + return -ENOMEM; + +- memcpy(*fields, found_fields, i * sizeof(*fields)); ++ memcpy(*fields, found_fields, i * sizeof(**fields)); + *num_fields = i; + } + +-- +2.35.1 + diff --git a/queue-4.9/include-uapi-linux-swab-fix-potentially-missing-__al.patch b/queue-4.9/include-uapi-linux-swab-fix-potentially-missing-__al.patch new file mode 100644 index 00000000000..e3d3b098c3e --- /dev/null +++ b/queue-4.9/include-uapi-linux-swab-fix-potentially-missing-__al.patch 
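Review bot: the template_desc_init_fields() hunk is correct and, as the message says, has no runtime effect because sizeof(**fields) and sizeof(*fields) are both pointer sizes; a slightly more robust form for the memcpy() length would be sizeof(*found_fields), tying the element size to the source array that is actually copied.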
@@ -0,0 +1,64 @@ +From 00e9b860ff3dfe7ba6f8ee953426af3c8cf3cbb6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 27 Sep 2022 14:52:56 -0700 +Subject: include/uapi/linux/swab: Fix potentially missing __always_inline +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Matt Redfearn + +[ Upstream commit defbab270d45e32b068e7e73c3567232d745c60f ] + +Commit bc27fb68aaad ("include/uapi/linux/byteorder, swab: force inlining +of some byteswap operations") added __always_inline to swab functions +and commit 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to +userspace headers") added a definition of __always_inline for use in +exported headers when the kernel's compiler.h is not available. + +However, since swab.h does not include stddef.h, if the header soup does +not indirectly include it, the definition of __always_inline is missing, +resulting in a compilation failure, which was observed compiling the +perf tool using exported headers containing this commit: + +In file included from /usr/include/linux/byteorder/little_endian.h:12:0, + from /usr/include/asm/byteorder.h:14, + from tools/include/uapi/linux/perf_event.h:20, + from perf.h:8, + from builtin-bench.c:18: +/usr/include/linux/swab.h:160:8: error: unknown type name `__always_inline' + static __always_inline __u16 __swab16p(const __u16 *p) + +Fix this by replacing the inclusion of linux/compiler.h with +linux/stddef.h to ensure that we pick up that definition if required, +without relying on it's indirect inclusion. compiler.h is then included +indirectly, via stddef.h. 
+ +Fixes: 283d75737837 ("uapi/linux/stddef.h: Provide __always_inline to userspace headers") +Signed-off-by: Matt Redfearn +Signed-off-by: Florian Fainelli +Signed-off-by: Arnd Bergmann +Tested-by: Nathan Chancellor +Reviewed-by: Petr Vaněk +Signed-off-by: Arnd Bergmann +Signed-off-by: Sasha Levin +--- + include/uapi/linux/swab.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h +index 51502eabdb05..0915a8781eae 100644 +--- a/include/uapi/linux/swab.h ++++ b/include/uapi/linux/swab.h +@@ -2,7 +2,7 @@ + #define _UAPI_LINUX_SWAB_H + + #include +-#include ++#include + #include + #include + +-- +2.35.1 + diff --git a/queue-4.9/input-elants_i2c-properly-handle-the-reset-gpio-when.patch b/queue-4.9/input-elants_i2c-properly-handle-the-reset-gpio-when.patch new file mode 100644 index 00000000000..6023e6d2590 --- /dev/null +++ b/queue-4.9/input-elants_i2c-properly-handle-the-reset-gpio-when.patch 
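Review bot: the include/uapi/linux/swab.h hunk as rendered here has lost the header names (the angle-bracketed part of each `#include` was stripped on extraction), so the hunk cannot be reviewed from this page alone and must be checked against the source tree; per the commit message it replaces the linux/compiler.h include with linux/stddef.h. The Fixes: tag points at the stddef.h commit, while the __always_inline users in swab.h come from the earlier byteorder/swab commit named in the message; consider listing both so stable picks up the dependency correctly.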
@@ -0,0 +1,90 @@ +From 4e7ed46451e8ac87e31e8bb0a6e78c5d93eb2776 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 21:49:19 -0800 +Subject: Input: elants_i2c - properly handle the reset GPIO when power is off + +From: Douglas Anderson + +[ Upstream commit a85fbd6498441694475716a4d5c65f9d3e073faf ] + +As can be seen in elants_i2c_power_off(), we want the reset GPIO +asserted when power is off. The reset GPIO is active low so we need +the reset line logic low when power is off to avoid leakage. + +We have a problem, though, at probe time. At probe time we haven't +powered the regulators on yet but we have: + + devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW); + +While that _looks_ right, it turns out that it's not. The +GPIOD_OUT_LOW doesn't mean to init the GPIO to low. It means init the +GPIO to "not asserted". Since this is an active low GPIO that inits it +to be high. + +Let's fix this to properly init the GPIO. Now after both probe and +power off the state of the GPIO is consistent (it's "asserted" or +level low). + +Once we fix this, we can see that at power on time we no longer to +assert the reset GPIO as the first thing. The reset GPIO is _always_ +asserted before powering on. Let's fix powering on to account for +this. 
+ +Fixes: afe10358e47a ("Input: elants_i2c - wire up regulator support") +Signed-off-by: Douglas Anderson +Link: https://lore.kernel.org/r/20221117123805.1.I9959ac561dd6e1e8e1ce7085e4de6167b27c574f@changeid +Signed-off-by: Dmitry Torokhov +Signed-off-by: Sasha Levin +--- + drivers/input/touchscreen/elants_i2c.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +diff --git a/drivers/input/touchscreen/elants_i2c.c b/drivers/input/touchscreen/elants_i2c.c +index 3e6003d32e56..184310a2ba69 100644 +--- a/drivers/input/touchscreen/elants_i2c.c ++++ b/drivers/input/touchscreen/elants_i2c.c +@@ -1088,14 +1088,12 @@ static int elants_i2c_power_on(struct elants_data *ts) + if (IS_ERR_OR_NULL(ts->reset_gpio)) + return 0; + +- gpiod_set_value_cansleep(ts->reset_gpio, 1); +- + error = regulator_enable(ts->vcc33); + if (error) { + dev_err(&ts->client->dev, + "failed to enable vcc33 regulator: %d\n", + error); +- goto release_reset_gpio; ++ return error; + } + + error = regulator_enable(ts->vccio); +@@ -1104,7 +1102,7 @@ static int elants_i2c_power_on(struct elants_data *ts) + "failed to enable vccio regulator: %d\n", + error); + regulator_disable(ts->vcc33); +- goto release_reset_gpio; ++ return error; + } + + /* +@@ -1113,7 +1111,6 @@ static int elants_i2c_power_on(struct elants_data *ts) + */ + udelay(ELAN_POWERON_DELAY_USEC); + +-release_reset_gpio: + gpiod_set_value_cansleep(ts->reset_gpio, 0); + if (error) + return error; +@@ -1182,7 +1179,7 @@ static int elants_i2c_probe(struct i2c_client *client, + return error; + } + +- ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_LOW); ++ ts->reset_gpio = devm_gpiod_get(&client->dev, "reset", GPIOD_OUT_HIGH); + if (IS_ERR(ts->reset_gpio)) { + error = PTR_ERR(ts->reset_gpio); + +-- +2.35.1 + diff --git a/queue-4.9/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch b/queue-4.9/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch new file mode 100644 index 00000000000..147f1765a9f --- /dev/null 
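Review bot: in the elants_i2c_power_on() hunk at -1113, the `if (error) return error;` that follows gpiod_set_value_cansleep(ts->reset_gpio, 0) is now dead: both regulator failures return directly, so error is always 0 when execution reaches that line; drop the check. The probe change from GPIOD_OUT_LOW to GPIOD_OUT_HIGH matches the explanation (the flag names the logical, active-low-aware state, so OUT_HIGH means "asserted"), and removing the initial gpiod_set_value_cansleep(..., 1) in power_on is consistent with the GPIO already being asserted whenever power is off.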
+++ b/queue-4.9/iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch @@ -0,0 +1,38 @@ +From 72a224ac99564aa5f6c6b72de30c434d41a4e7a3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 08:20:22 +0000 +Subject: iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() + +From: Yuan Can + +[ Upstream commit 73f5fc5f884ad0c5f7d57f66303af64f9f002526 ] + +The fsl_pamu_probe() returns directly when create_csd() failed, leaving +irq and memories unreleased. +Fix by jumping to error if create_csd() returns error. + +Fixes: 695093e38c3e ("iommu/fsl: Freescale PAMU driver and iommu implementation.") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221121082022.19091-1-yuancan@huawei.com +Signed-off-by: Joerg Roedel +Signed-off-by: Sasha Levin +--- + drivers/iommu/fsl_pamu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/iommu/fsl_pamu.c b/drivers/iommu/fsl_pamu.c +index a34355fca37a..4d6bdc465dde 100644 +--- a/drivers/iommu/fsl_pamu.c ++++ b/drivers/iommu/fsl_pamu.c +@@ -1131,7 +1131,7 @@ static int fsl_pamu_probe(struct platform_device *pdev) + ret = create_csd(ppaact_phys, mem_size, csd_port_id); + if (ret) { + dev_err(dev, "could not create coherence subdomain\n"); +- return ret; ++ goto error; + } + } + +-- +2.35.1 + diff --git a/queue-4.9/ipmi-fix-memleak-when-unload-ipmi-driver.patch b/queue-4.9/ipmi-fix-memleak-when-unload-ipmi-driver.patch new file mode 100644 index 00000000000..6fc26fdf658 --- /dev/null +++ b/queue-4.9/ipmi-fix-memleak-when-unload-ipmi-driver.patch 
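Review bot: the `goto error` in the fsl_pamu_probe() hunk is only complete if the `error:` label's unwind covers the irq and the memory allocations that precede create_csd(), and if it returns ret rather than a fixed code; neither the label nor the preceding allocations are in the hunk, so confirm against the rest of the function and say in the message which resources the label releases.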
@@ -0,0 +1,64 @@ +From 491d36ab00967a275f0a537d3c171ce31cb0e866 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 7 Oct 2022 17:26:17 +0800 +Subject: ipmi: fix memleak when unload ipmi driver + +From: Zhang Yuchen + +[ Upstream commit 36992eb6b9b83f7f9cdc8e74fb5799d7b52e83e9 ] + +After the IPMI disconnect problem, the memory kept rising and we tried +to unload the driver to free the memory. However, only part of the +free memory is recovered after the driver is uninstalled. Using +ebpf to hook free functions, we find that neither ipmi_user nor +ipmi_smi_msg is free, only ipmi_recv_msg is free. + +We find that the deliver_smi_err_response call in clean_smi_msgs does +the destroy processing on each message from the xmit_msg queue without +checking the return value and free ipmi_smi_msg. + +deliver_smi_err_response is called only at this location. Adding the +free handling has no effect. + +To verify, try using ebpf to trace the free function. + + $ bpftrace -e 'kretprobe:ipmi_alloc_recv_msg {printf("alloc rcv + %p\n",retval);} kprobe:free_recv_msg {printf("free recv %p\n", + arg0)} kretprobe:ipmi_alloc_smi_msg {printf("alloc smi %p\n", + retval);} kprobe:free_smi_msg {printf("free smi %p\n",arg0)}' + +Signed-off-by: Zhang Yuchen +Message-Id: <20221007092617.87597-4-zhangyuchen.lcr@bytedance.com> +[Fixed the comment above handle_one_recv_msg().] 
+Signed-off-by: Corey Minyard +Signed-off-by: Sasha Levin +--- + drivers/char/ipmi/ipmi_msghandler.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/ipmi/ipmi_msghandler.c b/drivers/char/ipmi/ipmi_msghandler.c +index 74044b52d2c6..97d3c9d4ebc7 100644 +--- a/drivers/char/ipmi/ipmi_msghandler.c ++++ b/drivers/char/ipmi/ipmi_msghandler.c +@@ -2930,12 +2930,16 @@ static void deliver_smi_err_response(ipmi_smi_t intf, + struct ipmi_smi_msg *msg, + unsigned char err) + { ++ int rv; + msg->rsp[0] = msg->data[0] | 4; + msg->rsp[1] = msg->data[1]; + msg->rsp[2] = err; + msg->rsp_size = 3; +- /* It's an error, so it will never requeue, no need to check return. */ +- handle_one_recv_msg(intf, msg); ++ ++ /* This will never requeue, but it may ask us to free the message. */ ++ rv = handle_one_recv_msg(intf, msg); ++ if (rv == 0) ++ ipmi_free_smi_msg(msg); + } + + static void cleanup_smi_msgs(ipmi_smi_t intf) +-- +2.35.1 + diff --git a/queue-4.9/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch b/queue-4.9/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch new file mode 100644 index 00000000000..a3ae20e0989 --- /dev/null +++ b/queue-4.9/irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch 
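Review bot: in the deliver_smi_err_response() hunk, add a blank line after the `int rv;` declaration (kernel style separates declarations from statements). On the logic, freeing when handle_one_recv_msg() returns 0 is correct only if 0 means "consumed, caller owns the free" and non-zero means the callee kept or requeued the message; the new comment asserts this, so cite the return-value contract of handle_one_recv_msg() in the message, especially since the bracketed note says that function's comment was adjusted in the same commit.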
@@ -0,0 +1,39 @@ +From 87bd286f9b7a567cbe27c7b62f3f02ca81efd104 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 14:51:50 +0800 +Subject: irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() + +From: Shang XiaoJing + +[ Upstream commit f9ee20c85b3a3ba0afd3672630ec4f93d339f015 ] + +gic_probe() calls pm_runtime_get_sync() and added fail path as +rpm_put to put usage_counter. However, pm_runtime_get_sync() +will increment usage_counter even it failed. Fix it by replacing it with +pm_runtime_resume_and_get() to keep usage counter balanced. + +Fixes: 9c8edddfc992 ("irqchip/gic: Add platform driver for non-root GICs that require RPM") +Signed-off-by: Shang XiaoJing +Signed-off-by: Marc Zyngier +Link: https://lore.kernel.org/r/20221124065150.22809-1-shangxiaojing@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/irqchip/irq-gic-pm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/irqchip/irq-gic-pm.c b/drivers/irqchip/irq-gic-pm.c +index ecafd295c31c..21c5decfc55b 100644 +--- a/drivers/irqchip/irq-gic-pm.c ++++ b/drivers/irqchip/irq-gic-pm.c +@@ -112,7 +112,7 @@ static int gic_probe(struct platform_device *pdev) + + pm_runtime_enable(dev); + +- ret = pm_runtime_get_sync(dev); ++ ret = pm_runtime_resume_and_get(dev); + if (ret < 0) + goto rpm_disable; + +-- +2.35.1 + diff --git a/queue-4.9/lib-notifier-error-inject-fix-error-when-writing-err.patch b/queue-4.9/lib-notifier-error-inject-fix-error-when-writing-err.patch new file mode 100644 index 00000000000..904b15ae8bd --- /dev/null +++ b/queue-4.9/lib-notifier-error-inject-fix-error-when-writing-err.patch 
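Review bot: the gic_probe() hunk is correct provided the rpm_disable label does not call pm_runtime_put(): pm_runtime_resume_and_get() drops the usage count itself on failure, so an extra put on that path would now underflow the counter. The hunk shows the failure path going to rpm_disable rather than rpm_put, which is consistent with that; state it in the message, since the imbalance on this exact path is what the patch fixes.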
@@ -0,0 +1,52 @@ +From e7f8050701a7c9d82b318dd592d2576201ebb418 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 02:24:17 +0900 +Subject: lib/notifier-error-inject: fix error when writing -errno to debugfs + file + +From: Akinobu Mita + +[ Upstream commit f883c3edd2c432a2931ec8773c70a570115a50fe ] + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"). + +This restores the previous behaviour by using newly introduced +DEFINE_SIMPLE_ATTRIBUTE_SIGNED instead of DEFINE_SIMPLE_ATTRIBUTE. + +Link: https://lkml.kernel.org/r/20220919172418.45257-3-akinobu.mita@gmail.com +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Akinobu Mita +Reported-by: Zhao Gongyi +Reviewed-by: David Hildenbrand +Reviewed-by: Greg Kroah-Hartman +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Oscar Salvador +Cc: Rafael J. Wysocki +Cc: Shuah Khan +Cc: Wei Yongjun +Cc: Yicong Yang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + lib/notifier-error-inject.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/lib/notifier-error-inject.c b/lib/notifier-error-inject.c +index eb4a04afea80..125ea8ce23a4 100644 +--- a/lib/notifier-error-inject.c ++++ b/lib/notifier-error-inject.c +@@ -14,7 +14,7 @@ static int debugfs_errno_get(void *data, u64 *val) + return 0; + } + +-DEFINE_SIMPLE_ATTRIBUTE(fops_errno, debugfs_errno_get, debugfs_errno_set, ++DEFINE_SIMPLE_ATTRIBUTE_SIGNED(fops_errno, debugfs_errno_get, debugfs_errno_set, + "%lld\n"); + + static struct dentry *debugfs_create_errno(const char *name, umode_t mode, +-- +2.35.1 + diff --git a/queue-4.9/libfs-add-define_simple_attribute_signed-for-signed-.patch b/queue-4.9/libfs-add-define_simple_attribute_signed-for-signed-.patch new file mode 100644 index 00000000000..cb1181ccc72 --- /dev/null 
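Review bot: this hunk switches lib/notifier-error-inject.c to DEFINE_SIMPLE_ATTRIBUTE_SIGNED, which does not exist in 4.9 until the companion libfs patch (queue-4.9/libfs-add-define_simple_attribute_signed-for-signed-.patch, queued immediately after this file) is applied; make sure the series order applies the libfs patch first, or bisection through this point will fail to build. The continuation line in the hunk (`"%lld\n");`) keeps its original indentation against the now-longer macro name, which is harmless but could be re-aligned.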
+++ b/queue-4.9/libfs-add-define_simple_attribute_signed-for-signed-.patch 
@@ -0,0 +1,139 @@ +From e8e550cd8a52c91375e06392e134722dc0e3fb1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 20 Sep 2022 02:24:16 +0900 +Subject: libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value + +From: Akinobu Mita + +[ Upstream commit 2e41f274f9aa71cdcc69dc1f26a3f9304a651804 ] + +Patch series "fix error when writing negative value to simple attribute +files". + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), but some attribute files want to accept a negative +value. + +This patch (of 3): + +The simple attribute files do not accept a negative value since the commit +488dac0c9237 ("libfs: fix error cast of negative value in +simple_attr_write()"), so we have to use a 64-bit value to write a +negative value. + +This adds DEFINE_SIMPLE_ATTRIBUTE_SIGNED for a signed value. + +Link: https://lkml.kernel.org/r/20220919172418.45257-1-akinobu.mita@gmail.com +Link: https://lkml.kernel.org/r/20220919172418.45257-2-akinobu.mita@gmail.com +Fixes: 488dac0c9237 ("libfs: fix error cast of negative value in simple_attr_write()") +Signed-off-by: Akinobu Mita +Reported-by: Zhao Gongyi +Reviewed-by: David Hildenbrand +Reviewed-by: Greg Kroah-Hartman +Cc: Alexander Viro +Cc: Jonathan Corbet +Cc: Oscar Salvador +Cc: Rafael J. 
Wysocki +Cc: Shuah Khan +Cc: Wei Yongjun +Cc: Yicong Yang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/libfs.c | 22 +++++++++++++++++++--- + include/linux/fs.h | 12 ++++++++++-- + 2 files changed, 29 insertions(+), 5 deletions(-) + +diff --git a/fs/libfs.c b/fs/libfs.c +index 835d25e33509..75eeddc35b57 100644 +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -861,8 +861,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, + EXPORT_SYMBOL_GPL(simple_attr_read); + + /* interpret the buffer as a number to call the set function with */ +-ssize_t simple_attr_write(struct file *file, const char __user *buf, +- size_t len, loff_t *ppos) ++static ssize_t simple_attr_write_xsigned(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos, bool is_signed) + { + struct simple_attr *attr; + unsigned long long val; +@@ -883,7 +883,10 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, + goto out; + + attr->set_buf[size] = '\0'; +- ret = kstrtoull(attr->set_buf, 0, &val); ++ if (is_signed) ++ ret = kstrtoll(attr->set_buf, 0, &val); ++ else ++ ret = kstrtoull(attr->set_buf, 0, &val); + if (ret) + goto out; + ret = attr->set(attr->data, val); +@@ -893,8 +896,21 @@ ssize_t simple_attr_write(struct file *file, const char __user *buf, + mutex_unlock(&attr->mutex); + return ret; + } ++ ++ssize_t simple_attr_write(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return simple_attr_write_xsigned(file, buf, len, ppos, false); ++} + EXPORT_SYMBOL_GPL(simple_attr_write); + ++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos) ++{ ++ return simple_attr_write_xsigned(file, buf, len, ppos, true); ++} ++EXPORT_SYMBOL_GPL(simple_attr_write_signed); ++ + /** + * generic_fh_to_dentry - generic helper for the fh_to_dentry export operation + * @sb: filesystem to do the file handle conversion on +diff --git a/include/linux/fs.h b/include/linux/fs.h +index 
9e4a75005280..a794954e2c8e 100644 +--- a/include/linux/fs.h ++++ b/include/linux/fs.h +@@ -3132,7 +3132,7 @@ void simple_transaction_set(struct file *file, size_t n); + * All attributes contain a text representation of a numeric value + * that are accessed with the get() and set() functions. + */ +-#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++#define DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, __is_signed) \ + static int __fops ## _open(struct inode *inode, struct file *file) \ + { \ + __simple_attr_check_format(__fmt, 0ull); \ +@@ -3143,10 +3143,16 @@ static const struct file_operations __fops = { \ + .open = __fops ## _open, \ + .release = simple_attr_release, \ + .read = simple_attr_read, \ +- .write = simple_attr_write, \ ++ .write = (__is_signed) ? simple_attr_write_signed : simple_attr_write, \ + .llseek = generic_file_llseek, \ + } + ++#define DEFINE_SIMPLE_ATTRIBUTE(__fops, __get, __set, __fmt) \ ++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, false) ++ ++#define DEFINE_SIMPLE_ATTRIBUTE_SIGNED(__fops, __get, __set, __fmt) \ ++ DEFINE_SIMPLE_ATTRIBUTE_XSIGNED(__fops, __get, __set, __fmt, true) ++ + static inline __printf(1, 2) + void __simple_attr_check_format(const char *fmt, ...) + { +@@ -3161,6 +3167,8 @@ ssize_t simple_attr_read(struct file *file, char __user *buf, + size_t len, loff_t *ppos); + ssize_t simple_attr_write(struct file *file, const char __user *buf, + size_t len, loff_t *ppos); ++ssize_t simple_attr_write_signed(struct file *file, const char __user *buf, ++ size_t len, loff_t *ppos); + + struct ctl_table; + int proc_nr_files(struct ctl_table *table, int write, +-- +2.35.1 + diff --git a/queue-4.9/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch b/queue-4.9/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch new file mode 100644 index 00000000000..802e8e46819 --- /dev/null +++ b/queue-4.9/macintosh-fix-possible-memory-leak-in-macio_add_one_.patch 
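Review bot: in the fs/libfs.c hunk, simple_attr_write_xsigned() keeps `unsigned long long val;` and passes &val to kstrtoll(), whose result parameter is `long long *`; this compiles only because the kernel builds with -Wno-pointer-sign. Parse into a `long long` local (or cast explicitly) so the signed path does not depend on that warning being off, and so it is obvious that the value is then handed to attr->set() unchanged. The include/linux/fs.h hunk is straightforward; the ternary in `.write` inside the XSIGNED macro folds at compile time because __is_signed is always a literal.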
@@ -0,0 +1,43 @@ +From cf16086556ef10c79a52a2a369f8d71d41450cd9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:25:51 +0800 +Subject: macintosh: fix possible memory leak in macio_add_one_device() + +From: Yang Yingliang + +[ Upstream commit 5ca86eae55a2f006e6c1edd2029b2cacb6979515 ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically. It +needs to be freed when of_device_register() fails. Call put_device() to +give up the reference that's taken in device_initialize(), so that it +can be freed in kobject_cleanup() when the refcount hits 0. + +macio device is freed in macio_release_dev(), so the kfree() can be +removed. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221104032551.1075335-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/macintosh/macio_asic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/macintosh/macio_asic.c b/drivers/macintosh/macio_asic.c +index 3f041b187033..04da09af5531 100644 +--- a/drivers/macintosh/macio_asic.c ++++ b/drivers/macintosh/macio_asic.c +@@ -425,7 +425,7 @@ static struct macio_dev * macio_add_one_device(struct macio_chip *chip, + if (of_device_register(&dev->ofdev) != 0) { + printk(KERN_DEBUG"macio: device registration error for %s!\n", + dev_name(&dev->ofdev.dev)); +- kfree(dev); ++ put_device(&dev->ofdev.dev); + return NULL; + } + +-- +2.35.1 + diff --git a/queue-4.9/macintosh-macio-adb-check-the-return-value-of-iorema.patch b/queue-4.9/macintosh-macio-adb-check-the-return-value-of-iorema.patch new file mode 100644 index 00000000000..78c02b08c78 --- /dev/null +++ b/queue-4.9/macintosh-macio-adb-check-the-return-value-of-iorema.patch 
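Review bot: Replacing "kfree(dev);" with "put_device(&dev->ofdev.dev);" is correct only if the release callback named in the commit message, macio_release_dev(), is installed on the device before of_device_register() is reached; put_device() on a device with no release callback warns from the driver core and frees nothing, so the leak would persist. That setup is not in this hunk and should be confirmed. Minor: the context line "printk(KERN_DEBUG"macio: ..." has no separator after the log-level macro and could be tidied while this block is being touched.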
@@ -0,0 +1,40 @@ +From 46ed77e5230e6fe0102083b9921fabf0cc2dc264 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 2 Aug 2022 15:41:48 +0800 +Subject: macintosh/macio-adb: check the return value of ioremap() + +From: Xie Shaowen + +[ Upstream commit dbaa3105736d4d73063ea0a3b01cd7fafce924e6 ] + +The function ioremap() in macio_init() can fail, so its return value +should be checked. + +Fixes: 36874579dbf4c ("[PATCH] powerpc: macio-adb build fix") +Reported-by: Hacash Robot +Signed-off-by: Xie Shaowen +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20220802074148.3213659-1-studentxswpy@163.com +Signed-off-by: Sasha Levin +--- + drivers/macintosh/macio-adb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/macintosh/macio-adb.c b/drivers/macintosh/macio-adb.c +index 87de8d9bcfad..e620c50768cd 100644 +--- a/drivers/macintosh/macio-adb.c ++++ b/drivers/macintosh/macio-adb.c +@@ -106,6 +106,10 @@ int macio_init(void) + return -ENXIO; + } + adb = ioremap(r.start, sizeof(struct adb_regs)); ++ if (!adb) { ++ of_node_put(adbs); ++ return -ENOMEM; ++ } + + out_8(&adb->ctrl.r, 0); + out_8(&adb->intr.r, 0); +-- +2.35.1 + diff --git a/queue-4.9/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch b/queue-4.9/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch new file mode 100644 index 00000000000..d10145f1070 --- /dev/null +++ b/queue-4.9/mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch 
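Review bot: The new "if (!adb)" branch drops the adbs node reference and returns -ENOMEM, which is consistent with the preceding "return -ENXIO; }" path shown at the top of the hunk, so the hunk itself is fine. The open question is the remainder of macio_init() (not shown): any failure after this point must still call of_node_put(adbs) and, now that the mapping is checked, should also iounmap(adb); otherwise this fix moves the leak rather than removing it. A short comment that ioremap() returns NULL when the mapping cannot be created would help readers of this older driver.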
@@ -0,0 +1,40 @@ +From 312b7ed2b8ac7c5b7392aab5869b36f1c25ff667 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 01:38:50 -0800 +Subject: mcb: mcb-parse: fix error handing in chameleon_parse_gdd() + +From: Yang Yingliang + +[ Upstream commit 728ac3389296caf68638628c987aeae6c8851e2d ] + +If mcb_device_register() returns error in chameleon_parse_gdd(), the refcount +of bus and device name are leaked. Fix this by calling put_device() to give up +the reference, so they can be released in mcb_release_dev() and kobject_cleanup(). + +Fixes: 3764e82e5150 ("drivers: Introduce MEN Chameleon Bus") +Reviewed-by: Johannes Thumshirn +Signed-off-by: Yang Yingliang +Signed-off-by: Johannes Thumshirn +Link: https://lore.kernel.org/r/ebfb06e39b19272f0197fa9136b5e4b6f34ad732.1669624063.git.johannes.thumshirn@wdc.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/mcb/mcb-parse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/mcb/mcb-parse.c b/drivers/mcb/mcb-parse.c +index 4ca2739b4fad..fdc35341ff6c 100644 +--- a/drivers/mcb/mcb-parse.c ++++ b/drivers/mcb/mcb-parse.c +@@ -107,7 +107,7 @@ static int chameleon_parse_gdd(struct mcb_bus *bus, + return 0; + + err: +- mcb_free_dev(mdev); ++ put_device(&mdev->dev); + + return ret; + } +-- +2.35.1 + diff --git a/queue-4.9/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch b/queue-4.9/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch new file mode 100644 index 00000000000..7f0baeeb622 --- /dev/null +++ b/queue-4.9/md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch 
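Review bot: The shared "err:" label now calls put_device(&mdev->dev), which is valid only once device_initialize() has run on mdev->dev (the commit message says mcb_release_dev() then does the freeing); if any "goto err" earlier in chameleon_parse_gdd() happens before that initialization, put_device() would operate on an uninitialized kobject. The hunk shows only the label, so confirm that every jump to err occurs after the device is initialized, or split the label into pre- and post-initialization cleanup.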
@@ -0,0 +1,71 @@ +From 04cd7683b57de0ea2ab9e587be64ba470e56e578 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 7 Nov 2022 22:16:59 +0800 +Subject: md/raid1: stop mdx_raid1 thread when raid1 array run failed + +From: Jiang Li + +[ Upstream commit b611ad14006e5be2170d9e8e611bf49dff288911 ] + +fail run raid1 array when we assemble array with the inactive disk only, +but the mdx_raid1 thread were not stop, Even if the associated resources +have been released. it will caused a NULL dereference when we do poweroff. + +This causes the following Oops: + [ 287.587787] BUG: kernel NULL pointer dereference, address: 0000000000000070 + [ 287.594762] #PF: supervisor read access in kernel mode + [ 287.599912] #PF: error_code(0x0000) - not-present page + [ 287.605061] PGD 0 P4D 0 + [ 287.607612] Oops: 0000 [#1] SMP NOPTI + [ 287.611287] CPU: 3 PID: 5265 Comm: md0_raid1 Tainted: G U 5.10.146 #0 + [ 287.619029] Hardware name: xxxxxxx/To be filled by O.E.M, BIOS 5.19 06/16/2022 + [ 287.626775] RIP: 0010:md_check_recovery+0x57/0x500 [md_mod] + [ 287.632357] Code: fe 01 00 00 48 83 bb 10 03 00 00 00 74 08 48 89 ...... + [ 287.651118] RSP: 0018:ffffc90000433d78 EFLAGS: 00010202 + [ 287.656347] RAX: 0000000000000000 RBX: ffff888105986800 RCX: 0000000000000000 + [ 287.663491] RDX: ffffc90000433bb0 RSI: 00000000ffffefff RDI: ffff888105986800 + [ 287.670634] RBP: ffffc90000433da0 R08: 0000000000000000 R09: c0000000ffffefff + [ 287.677771] R10: 0000000000000001 R11: ffffc90000433ba8 R12: ffff888105986800 + [ 287.684907] R13: 0000000000000000 R14: fffffffffffffe00 R15: ffff888100b6b500 + [ 287.692052] FS: 0000000000000000(0000) GS:ffff888277f80000(0000) knlGS:0000000000000000 + [ 287.700149] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + [ 287.705897] CR2: 0000000000000070 CR3: 000000000320a000 CR4: 0000000000350ee0 + [ 287.713033] Call Trace: + [ 287.715498] raid1d+0x6c/0xbbb [raid1] + [ 287.719256] ? __schedule+0x1ff/0x760 + [ 287.722930] ? schedule+0x3b/0xb0 + [ 287.726260] ? 
schedule_timeout+0x1ed/0x290 + [ 287.730456] ? __switch_to+0x11f/0x400 + [ 287.734219] md_thread+0xe9/0x140 [md_mod] + [ 287.738328] ? md_thread+0xe9/0x140 [md_mod] + [ 287.742601] ? wait_woken+0x80/0x80 + [ 287.746097] ? md_register_thread+0xe0/0xe0 [md_mod] + [ 287.751064] kthread+0x11a/0x140 + [ 287.754300] ? kthread_park+0x90/0x90 + [ 287.757974] ret_from_fork+0x1f/0x30 + +In fact, when raid1 array run fail, we need to do +md_unregister_thread() before raid1_free(). + +Signed-off-by: Jiang Li +Signed-off-by: Song Liu +Signed-off-by: Sasha Levin +--- + drivers/md/raid1.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/md/raid1.c b/drivers/md/raid1.c +index 8a50da4f148f..26ae749184da 100644 +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -2964,6 +2964,7 @@ static int raid1_run(struct mddev *mddev) + * RAID1 needs at least one disk in active + */ + if (conf->raid_disks - mddev->degraded < 1) { ++ md_unregister_thread(&conf->thread); + ret = -EINVAL; + goto abort; + } +-- +2.35.1 + diff --git a/queue-4.9/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch b/queue-4.9/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch new file mode 100644 index 00000000000..9431f76263a --- /dev/null +++ b/queue-4.9/media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch 
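Review bot: Adding md_unregister_thread(&conf->thread) inside only this one failure branch fixes the reported path but leaves any other "goto abort" taken after the thread was registered with the same dangling thread; because md_unregister_thread() clears the pointer and is a no-op when it is already NULL, the call could instead live under the abort label (not shown) ahead of raid1_free() and cover every path at once. The commit message would also benefit from one sentence stating which resources raid1_free() releases that the still-running md thread dereferences, since that is the ordering the fix depends on.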
@@ -0,0 +1,36 @@ +From 73a39143aadd0fe54bb06db7b9344869392c6195 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 19 Jul 2022 22:10:23 +0800 +Subject: media: c8sectpfe: Add of_node_put() when breaking out of loop + +From: Liang He + +[ Upstream commit 63ff05a1ad242a5a0f897921c87b70d601bda59c ] + +In configure_channels(), we should call of_node_put() when breaking +out of for_each_child_of_node() which will automatically increase +and decrease the refcount. + +Fixes: c5f5d0f99794 ("[media] c8sectpfe: STiH407/10 Linux DVB demux support") +Signed-off-by: Liang He +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +index 06e2cfd09855..c79dcc497e13 100644 +--- a/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c ++++ b/drivers/media/platform/sti/c8sectpfe/c8sectpfe-core.c +@@ -953,6 +953,7 @@ static int configure_channels(struct c8sectpfei *fei) + if (ret) { + dev_err(fei->dev, + "configure_memdma_and_inputblock failed\n"); ++ of_node_put(child); + goto err_unmap; + } + index++; +-- +2.35.1 + diff --git a/queue-4.9/media-coda-add-check-for-dcoda_iram_alloc.patch b/queue-4.9/media-coda-add-check-for-dcoda_iram_alloc.patch new file mode 100644 index 00000000000..ff20366a24f --- /dev/null +++ b/queue-4.9/media-coda-add-check-for-dcoda_iram_alloc.patch 
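Review bot: "of_node_put(child);" before "goto err_unmap;" is the right fix for leaving for_each_child_of_node() early, but it is added to one exit only; any other break or goto inside the same loop body (not visible in this hunk) needs the identical call. A local label that performs the put and then jumps to err_unmap would keep this from being forgotten the next time an error path is added to the loop.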
@@ -0,0 +1,47 @@ +From 89625c0501e581cb6d1b8acaa422e5422b1178df Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:56:52 +0800 +Subject: media: coda: Add check for dcoda_iram_alloc + +From: Jiasheng Jiang + +[ Upstream commit 6b8082238fb8bb20f67e46388123e67a5bbc558d ] + +As the coda_iram_alloc may return NULL pointer, +it should be better to check the return value +in order to avoid NULL poineter dereference, +same as the others. + +Fixes: b313bcc9a467 ("[media] coda: simplify IRAM setup") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index 7b4c93619c3d..b62c7098fc8c 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -595,7 +595,7 @@ static void coda_setup_iram(struct coda_ctx *ctx) + /* Only H.264BP and H.263P3 are considered */ + iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w64); + iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w64); +- if (!iram_info->buf_dbk_c_use) ++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use) + goto out; + iram_info->axi_sram_use |= dbk_bits; + +@@ -619,7 +619,7 @@ static void coda_setup_iram(struct coda_ctx *ctx) + + iram_info->buf_dbk_y_use = coda_iram_alloc(iram_info, w128); + iram_info->buf_dbk_c_use = coda_iram_alloc(iram_info, w128); +- if (!iram_info->buf_dbk_c_use) ++ if (!iram_info->buf_dbk_y_use || !iram_info->buf_dbk_c_use) + goto out; + iram_info->axi_sram_use |= dbk_bits; + +-- +2.35.1 + diff --git a/queue-4.9/media-coda-add-check-for-kmalloc.patch b/queue-4.9/media-coda-add-check-for-kmalloc.patch new file mode 100644 index 00000000000..fb54703aa6a --- /dev/null +++ b/queue-4.9/media-coda-add-check-for-kmalloc.patch 
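Review bot: Both hunks now bail to "out" when either buf_dbk_y_use or buf_dbk_c_use is NULL, but when the Y allocation succeeded and only the C allocation failed, iram_info->buf_dbk_y_use still points at IRAM for which dbk_bits was never set in axi_sram_use; the out path is not shown, so confirm that it either returns that region to the pool or that later code never consults buf_dbk_y_use without the matching bit. The subject line also misspells the function as dcoda_iram_alloc.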
@@ -0,0 +1,48 @@ +From 8e46fd2e38edfc91e54af5473f866fb5f2f968e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 15:02:36 +0800 +Subject: media: coda: Add check for kmalloc + +From: Jiasheng Jiang + +[ Upstream commit 6e5e5defdb8b0186312c2f855ace175aee6daf9b ] + +As the kmalloc may return NULL pointer, +it should be better to check the return value +in order to avoid NULL poineter dereference, +same as the others. + +Fixes: cb1d3a336371 ("[media] coda: add CODA7541 JPEG support") +Signed-off-by: Jiasheng Jiang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/coda/coda-bit.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/coda/coda-bit.c b/drivers/media/platform/coda/coda-bit.c +index b62c7098fc8c..a933c0cb24de 100644 +--- a/drivers/media/platform/coda/coda-bit.c ++++ b/drivers/media/platform/coda/coda-bit.c +@@ -821,10 +821,16 @@ static int coda_start_encoding(struct coda_ctx *ctx) + } + + if (dst_fourcc == V4L2_PIX_FMT_JPEG) { +- if (!ctx->params.jpeg_qmat_tab[0]) ++ if (!ctx->params.jpeg_qmat_tab[0]) { + ctx->params.jpeg_qmat_tab[0] = kmalloc(64, GFP_KERNEL); +- if (!ctx->params.jpeg_qmat_tab[1]) ++ if (!ctx->params.jpeg_qmat_tab[0]) ++ return -ENOMEM; ++ } ++ if (!ctx->params.jpeg_qmat_tab[1]) { + ctx->params.jpeg_qmat_tab[1] = kmalloc(64, GFP_KERNEL); ++ if (!ctx->params.jpeg_qmat_tab[1]) ++ return -ENOMEM; ++ } + coda_set_jpeg_compression_quality(ctx, ctx->params.jpeg_quality); + } + +-- +2.35.1 + diff --git a/queue-4.9/media-dvb-frontends-fix-leak-of-memory-fw.patch b/queue-4.9/media-dvb-frontends-fix-leak-of-memory-fw.patch new file mode 100644 index 00000000000..8d1cc45751f --- /dev/null +++ b/queue-4.9/media-dvb-frontends-fix-leak-of-memory-fw.patch 
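Review bot: Returning -ENOMEM when the second kmalloc(64, GFP_KERNEL) fails leaves jpeg_qmat_tab[0] allocated; that is acceptable only because the pointers persist in ctx->params and are guarded by "if (!ctx->params.jpeg_qmat_tab[N])", so a retry reuses them and context teardown (not shown) frees them, which the commit message should say explicitly. Also check whether anything set up earlier in coda_start_encoding() needs unwinding before these new early returns, since the hunk returns directly rather than jumping to a cleanup label.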
@@ -0,0 +1,32 @@ +From 2b5b88525127cd7e3da295642c4815657296dff6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Apr 2022 07:19:25 +0100 +Subject: media: dvb-frontends: fix leak of memory fw + +From: Yan Lei + +[ Upstream commit a15fe8d9f1bf460a804bcf18a890bfd2cf0d5caa ] + +Link: https://lore.kernel.org/linux-media/20220410061925.4107-1-chinayanlei2002@163.com +Signed-off-by: Yan Lei +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/dvb-frontends/bcm3510.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/dvb-frontends/bcm3510.c b/drivers/media/dvb-frontends/bcm3510.c +index bb698839e477..fc1dbdfb0cba 100644 +--- a/drivers/media/dvb-frontends/bcm3510.c ++++ b/drivers/media/dvb-frontends/bcm3510.c +@@ -648,6 +648,7 @@ static int bcm3510_download_firmware(struct dvb_frontend* fe) + deb_info("firmware chunk, addr: 0x%04x, len: 0x%04x, total length: 0x%04zx\n",addr,len,fw->size); + if ((ret = bcm3510_write_ram(st,addr,&b[i+4],len)) < 0) { + err("firmware download failed: %d\n",ret); ++ release_firmware(fw); + return ret; + } + i += 4 + len; +-- +2.35.1 + diff --git a/queue-4.9/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch b/queue-4.9/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch new file mode 100644 index 00000000000..b0e54f75998 --- /dev/null +++ b/queue-4.9/media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch 
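Review bot: "release_firmware(fw);" before "return ret;" closes the leak on this error path, but the commit message consists of a Link only and does not say that fw is the buffer obtained from request_firmware() earlier in bcm3510_download_firmware() and was previously released only on the success path; a sentence to that effect belongs in the description. If the chunk loop has any other early return (not shown in this hunk), it needs the same call.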
@@ -0,0 +1,64 @@ +From 2a4e0248b43194ae507beb2dcda8ecdffd6970e8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 20 Nov 2022 06:59:18 +0000 +Subject: media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() + +From: Baisong Zhong + +[ Upstream commit 0ed554fd769a19ea8464bb83e9ac201002ef74ad ] + +Wei Chen reports a kernel bug as blew: + +general protection fault, probably for non-canonical address +KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017] +... +Call Trace: + +__i2c_transfer+0x77e/0x1930 drivers/i2c/i2c-core-base.c:2109 +i2c_transfer+0x1d5/0x3d0 drivers/i2c/i2c-core-base.c:2170 +i2cdev_ioctl_rdwr+0x393/0x660 drivers/i2c/i2c-dev.c:297 +i2cdev_ioctl+0x75d/0x9f0 drivers/i2c/i2c-dev.c:458 +vfs_ioctl fs/ioctl.c:51 [inline] +__do_sys_ioctl fs/ioctl.c:870 [inline] +__se_sys_ioctl+0xfb/0x170 fs/ioctl.c:856 +do_syscall_x64 arch/x86/entry/common.c:50 [inline] +do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80 +entry_SYSCALL_64_after_hwframe+0x63/0xcd +RIP: 0033:0x7fd834a8bded + +In az6027_i2c_xfer(), if msg[i].addr is 0x99, +a null-ptr-deref will caused when accessing msg[i].buf. +For msg[i].len is 0 and msg[i].buf is null. + +Fix this by checking msg[i].len in az6027_i2c_xfer(). 
+ +Link: https://lore.kernel.org/lkml/CAO4mrfcPHB5aQJO=mpqV+p8mPLNg-Fok0gw8gZ=zemAfMGTzMg@mail.gmail.com/ + +Link: https://lore.kernel.org/linux-media/20221120065918.2160782-1-zhongbaisong@huawei.com +Fixes: 76f9a820c867 ("V4L/DVB: AZ6027: Initial import of the driver") +Reported-by: Wei Chen +Signed-off-by: Baisong Zhong +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/az6027.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/usb/dvb-usb/az6027.c b/drivers/media/usb/dvb-usb/az6027.c +index 382c8075ef52..f2b5ba1d2809 100644 +--- a/drivers/media/usb/dvb-usb/az6027.c ++++ b/drivers/media/usb/dvb-usb/az6027.c +@@ -978,6 +978,10 @@ static int az6027_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msg[], int n + if (msg[i].addr == 0x99) { + req = 0xBE; + index = 0; ++ if (msg[i].len < 1) { ++ i = -EOPNOTSUPP; ++ break; ++ } + value = msg[i].buf[0] & 0x00ff; + length = 1; + az6027_usb_out_op(d, req, value, index, data, length); +-- +2.35.1 + diff --git a/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch b/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch new file mode 100644 index 00000000000..dee363791d0 --- /dev/null +++ b/queue-4.9/media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch 
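Review bot: "i = -EOPNOTSUPP; break;" overloads the loop counter as the function's return value, which only works because the surrounding code returns i after the for loop (not visible here); a dedicated ret variable would make the error path obvious and avoid silently returning a transfer count if the loop is later restructured. The guard is also placed only in the "msg[i].addr == 0x99" branch that reads msg[i].buf[0]; whether other branches of az6027_i2c_xfer() dereference buf on a zero-length message cannot be judged from this hunk and should be checked.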
@@ -0,0 +1,97 @@ +From 160c121ca3dce37c9c384e7e8e786e88e231e90b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 24 Aug 2022 02:21:52 +0100 +Subject: media: dvb-usb: fix memory leak in dvb_usb_adapter_init() + +From: Mazin Al Haddad + +[ Upstream commit 94d90fb06b94a90c176270d38861bcba34ce377d ] + +Syzbot reports a memory leak in "dvb_usb_adapter_init()". +The leak is due to not accounting for and freeing current iteration's +adapter->priv in case of an error. Currently if an error occurs, +it will exit before incrementing "num_adapters_initalized", +which is used as a reference counter to free all adap->priv +in "dvb_usb_adapter_exit()". There are multiple error paths that +can exit from before incrementing the counter. Including the +error handling paths for "dvb_usb_adapter_stream_init()", +"dvb_usb_adapter_dvb_init()" and "dvb_usb_adapter_frontend_init()" +within "dvb_usb_adapter_init()". + +This means that in case of an error in any of these functions the +current iteration is not accounted for and the current iteration's +adap->priv is not freed. + +Fix this by freeing the current iteration's adap->priv in the +"stream_init_err:" label in the error path. The rest of the +(accounted for) adap->priv objects are freed in dvb_usb_adapter_exit() +as expected using the num_adapters_initalized variable. + +Syzbot report: + +BUG: memory leak +unreferenced object 0xffff8881172f1a00 (size 512): + comm "kworker/0:2", pid 139, jiffies 4294994873 (age 10.960s) + hex dump (first 32 bytes): + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 
+backtrace: + [] dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:75 [inline] + [] dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline] + [] dvb_usb_device_init.cold+0x4e5/0x79e drivers/media/usb/dvb-usb/dvb-usb-init.c:308 + [] dib0700_probe+0x8d/0x1b0 drivers/media/usb/dvb-usb/dib0700_core.c:883 + [] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396 + [] call_driver_probe drivers/base/dd.c:542 [inline] + [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 + [] really_probe drivers/base/dd.c:583 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 + [] driver_probe_device+0x2a/0x120 drivers/base/dd.c:782 + [] __device_attach_driver+0xf6/0x140 drivers/base/dd.c:899 + [] bus_for_each_drv+0xb7/0x100 drivers/base/bus.c:427 + [] __device_attach+0x122/0x260 drivers/base/dd.c:970 + [] bus_probe_device+0xc6/0xe0 drivers/base/bus.c:487 + [] device_add+0x5fb/0xdf0 drivers/base/core.c:3405 + [] usb_set_configuration+0x8f2/0xb80 drivers/usb/core/message.c:2170 + [] usb_generic_driver_probe+0x8c/0xc0 drivers/usb/core/generic.c:238 + [] usb_probe_device+0x5c/0x140 drivers/usb/core/driver.c:293 + [] call_driver_probe drivers/base/dd.c:542 [inline] + [] really_probe.part.0+0xe7/0x310 drivers/base/dd.c:621 + [] really_probe drivers/base/dd.c:583 [inline] + [] __driver_probe_device+0x10c/0x1e0 drivers/base/dd.c:752 + +Link: https://syzkaller.appspot.com/bug?extid=f66dd31987e6740657be +Reported-and-tested-by: syzbot+f66dd31987e6740657be@syzkaller.appspotmail.com + +Link: https://lore.kernel.org/linux-media/20220824012152.539788-1-mazinalhaddad05@gmail.com +Signed-off-by: Mazin Al Haddad +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb/dvb-usb-init.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/usb/dvb-usb/dvb-usb-init.c b/drivers/media/usb/dvb-usb/dvb-usb-init.c +index 690c1e06fbfa..28077f3c9edf 100644 +--- 
a/drivers/media/usb/dvb-usb/dvb-usb-init.c ++++ b/drivers/media/usb/dvb-usb/dvb-usb-init.c +@@ -84,7 +84,7 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + + ret = dvb_usb_adapter_stream_init(adap); + if (ret) +- return ret; ++ goto stream_init_err; + + ret = dvb_usb_adapter_dvb_init(adap, adapter_nrs); + if (ret) +@@ -117,6 +117,8 @@ static int dvb_usb_adapter_init(struct dvb_usb_device *d, short *adapter_nrs) + dvb_usb_adapter_dvb_exit(adap); + dvb_init_err: + dvb_usb_adapter_stream_exit(adap); ++stream_init_err: ++ kfree(adap->priv); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.9/media-i2c-ad5820-fix-error-path.patch b/queue-4.9/media-i2c-ad5820-fix-error-path.patch new file mode 100644 index 00000000000..bbcc408c6c9 --- /dev/null +++ b/queue-4.9/media-i2c-ad5820-fix-error-path.patch 
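Review bot: The new "stream_init_err:" label frees adap->priv but leaves the pointer dangling; setting adap->priv = NULL after the kfree() would keep the path safe if dvb_usb_adapter_exit() ever changes to walk every adapter rather than stopping at num_adapters_initalized, which is the invariant the commit message relies on. Since frontend_init_err and dvb_init_err now fall through into the new label, all three error paths release the current adapter's priv, matching the description.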
@@ -0,0 +1,51 @@ +From c6b961252c15a1572e34e92662012a8fdee3c0ed Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Sep 2022 13:38:00 +0200 +Subject: media: i2c: ad5820: Fix error path + +From: Ricardo Ribalda + +[ Upstream commit 9fce241660f37d9e95e93c0ae6fba8cfefa5797b ] + +Error path seems to be swaped. Fix the order and provide some meaningful +names. + +Fixes: bee3d5115611 ("[media] ad5820: Add driver for auto-focus coil") +Signed-off-by: Ricardo Ribalda +Signed-off-by: Sakari Ailus +Signed-off-by: Sasha Levin +--- + drivers/media/i2c/ad5820.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/media/i2c/ad5820.c b/drivers/media/i2c/ad5820.c +index beab2f381b81..84e378cbc726 100644 +--- a/drivers/media/i2c/ad5820.c ++++ b/drivers/media/i2c/ad5820.c +@@ -320,18 +320,18 @@ static int ad5820_probe(struct i2c_client *client, + + ret = media_entity_pads_init(&coil->subdev.entity, 0, NULL); + if (ret < 0) +- goto cleanup2; ++ goto clean_mutex; + + ret = v4l2_async_register_subdev(&coil->subdev); + if (ret < 0) +- goto cleanup; ++ goto clean_entity; + + return ret; + +-cleanup2: +- mutex_destroy(&coil->power_lock); +-cleanup: ++clean_entity: + media_entity_cleanup(&coil->subdev.entity); ++clean_mutex: ++ mutex_destroy(&coil->power_lock); + return ret; + } + +-- +2.35.1 + diff --git a/queue-4.9/media-imon-fix-a-race-condition-in-send_packet.patch b/queue-4.9/media-imon-fix-a-race-condition-in-send_packet.patch new file mode 100644 index 00000000000..045ee317c75 --- /dev/null +++ b/queue-4.9/media-imon-fix-a-race-condition-in-send_packet.patch 
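Review bot: The relabelled cleanup now undoes media_entity_pads_init() before destroying the mutex, i.e. in reverse order of setup, which is the correct LIFO unwind; the old labels destroyed the mutex on the entity failure and skipped entity cleanup on the async-register failure, so the swap described in the commit message is real. A minor readability point: the success path still says "return ret;" where ret is zero at that point, so "return 0;" would make the intent clearer.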
@@ -0,0 +1,79 @@ +From 48e9683aba36765757176b245fc6f51e89515b90 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 Oct 2022 06:02:14 +0100 +Subject: media: imon: fix a race condition in send_packet() + +From: Gautam Menghani + +[ Upstream commit 813ceef062b53d68f296aa3cb944b21a091fabdb ] + +The function send_packet() has a race condition as follows: + +func send_packet() +{ + // do work + call usb_submit_urb() + mutex_unlock() + wait_for_event_interruptible() <-- lock gone + mutex_lock() +} + +func vfd_write() +{ + mutex_lock() + call send_packet() <- prev call is not completed + mutex_unlock() +} + +When the mutex is unlocked and the function send_packet() waits for the +call to complete, vfd_write() can start another call, which leads to the +"URB submitted while active" warning in usb_submit_urb(). +Fix this by removing the mutex_unlock() call in send_packet() and using +mutex_lock_interruptible(). + +Link: https://syzkaller.appspot.com/bug?id=e378e6a51fbe6c5cc43e34f131cc9a315ef0337e + +Fixes: 21677cfc562a ("V4L/DVB: ir-core: add imon driver") +Reported-by: syzbot+0c3cb6dc05fbbdc3ad66@syzkaller.appspotmail.com +Signed-off-by: Gautam Menghani +Signed-off-by: Sean Young +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/rc/imon.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/media/rc/imon.c b/drivers/media/rc/imon.c +index 0b386fd518cc..9c644b4fb22d 100644 +--- a/drivers/media/rc/imon.c ++++ b/drivers/media/rc/imon.c +@@ -622,15 +622,14 @@ static int send_packet(struct imon_context *ictx) + pr_err_ratelimited("error submitting urb(%d)\n", retval); + } else { + /* Wait for transmission to complete (or abort) */ +- mutex_unlock(&ictx->lock); + retval = wait_for_completion_interruptible( + &ictx->tx.finished); + if (retval) { + usb_kill_urb(ictx->tx_urb); + pr_err_ratelimited("task interrupted\n"); + } +- mutex_lock(&ictx->lock); + ++ ictx->tx.busy = false; + retval = ictx->tx.status; 
+ if (retval) + pr_err_ratelimited("packet tx failed (%d)\n", retval); +@@ -939,7 +938,8 @@ static ssize_t vfd_write(struct file *file, const char __user *buf, + return -ENODEV; + } + +- mutex_lock(&ictx->lock); ++ if (mutex_lock_interruptible(&ictx->lock)) ++ return -ERESTARTSYS; + + if (!ictx->dev_present_intf0) { + pr_err_ratelimited("no iMON device present\n"); +-- +2.35.1 + diff --git a/queue-4.9/media-platform-exynos4-is-fix-error-handling-in-fimc.patch b/queue-4.9/media-platform-exynos4-is-fix-error-handling-in-fimc.patch new file mode 100644 index 00000000000..98c4b4507cb --- /dev/null +++ b/queue-4.9/media-platform-exynos4-is-fix-error-handling-in-fimc.patch 
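Review bot: Dropping the mutex_unlock()/mutex_lock() pair around wait_for_completion_interruptible() means ictx->lock is now held for the whole transfer; this is deadlock-free only if the URB completion handler that signals ictx->tx.finished (not in this hunk) never takes ictx->lock, which the commit message should state. The added "ictx->tx.busy = false;" has no visible matching removal, so confirm the flag is not now cleared twice or left set on the submit-failure branch above. In vfd_write(), switching to mutex_lock_interruptible() is appropriate now that the lock is held across a sleep; other callers of send_packet() should get the same treatment for consistency.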
@@ -0,0 +1,75 @@ +From d46a307086ac8b3207b777b255a03abc1681d47d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 06:08:53 +0000 +Subject: media: platform: exynos4-is: Fix error handling in fimc_md_init() + +From: Yuan Can + +[ Upstream commit b434422c45282a0573d8123239abc41fa72665d4 ] + +A problem about modprobe s5p_fimc failed is triggered with the +following log given: + + [ 272.075275] Error: Driver 'exynos4-fimc' is already registered, aborting... + modprobe: ERROR: could not insert 's5p_fimc': Device or resource busy + +The reason is that fimc_md_init() returns platform_driver_register() +directly without checking its return value, if platform_driver_register() +failed, it returns without unregister fimc_driver, resulting the +s5p_fimc can never be installed later. +A simple call graph is shown as below: + + fimc_md_init() + fimc_register_driver() # register fimc_driver + platform_driver_register() + platform_driver_register() + driver_register() + bus_add_driver() + dev = kzalloc(...) # OOM happened + # return without unregister fimc_driver + +Fix by unregister fimc_driver when platform_driver_register() returns +error. 
+ +Fixes: d3953223b090 ("[media] s5p-fimc: Add the media device driver") +Signed-off-by: Yuan Can +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/exynos4-is/fimc-core.c | 2 +- + drivers/media/platform/exynos4-is/media-dev.c | 6 +++++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/platform/exynos4-is/fimc-core.c b/drivers/media/platform/exynos4-is/fimc-core.c +index 8f89ca21b631..b86d6f724618 100644 +--- a/drivers/media/platform/exynos4-is/fimc-core.c ++++ b/drivers/media/platform/exynos4-is/fimc-core.c +@@ -1245,7 +1245,7 @@ int __init fimc_register_driver(void) + return platform_driver_register(&fimc_driver); + } + +-void __exit fimc_unregister_driver(void) ++void fimc_unregister_driver(void) + { + platform_driver_unregister(&fimc_driver); + } +diff --git a/drivers/media/platform/exynos4-is/media-dev.c b/drivers/media/platform/exynos4-is/media-dev.c +index a1599659b88b..75f6f7acc46b 100644 +--- a/drivers/media/platform/exynos4-is/media-dev.c ++++ b/drivers/media/platform/exynos4-is/media-dev.c +@@ -1559,7 +1559,11 @@ static int __init fimc_md_init(void) + if (ret) + return ret; + +- return platform_driver_register(&fimc_md_driver); ++ ret = platform_driver_register(&fimc_md_driver); ++ if (ret) ++ fimc_unregister_driver(); ++ ++ return ret; + } + + static void __exit fimc_md_exit(void) +-- +2.35.1 + diff --git a/queue-4.9/media-saa7164-fix-missing-pci_disable_device.patch b/queue-4.9/media-saa7164-fix-missing-pci_disable_device.patch new file mode 100644 index 00000000000..f80ccadd593 --- /dev/null +++ b/queue-4.9/media-saa7164-fix-missing-pci_disable_device.patch 
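Review bot: Removing __exit from fimc_unregister_driver() is required rather than incidental: the function is now called from the __init fimc_md_init(), and a reference from init code into the discarded exit section would be a section mismatch on non-modular builds; the commit message should say so. Confirm that the prototype in the header (not part of this diff) agrees with the new definition, and note that the existing fimc_md_exit() caller is unchanged.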
@@ -0,0 +1,45 @@ +From 3b9174395cdbaf6929fa95694aca8ab02e48f0af Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 26 Nov 2022 11:31:26 +0000 +Subject: media: saa7164: fix missing pci_disable_device() + +From: Liu Shixin + +[ Upstream commit 57fb35d7542384cac8f198cd1c927540ad38b61a ] + +Add missing pci_disable_device() in the error path in saa7164_initdev(). + +Fixes: 443c1228d505 ("V4L/DVB (12923): SAA7164: Add support for the NXP SAA7164 silicon") +Signed-off-by: Liu Shixin +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Sasha Levin +--- + drivers/media/pci/saa7164/saa7164-core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/pci/saa7164/saa7164-core.c b/drivers/media/pci/saa7164/saa7164-core.c +index 8bbd092fbe1d..d0ad0f5ba035 100644 +--- a/drivers/media/pci/saa7164/saa7164-core.c ++++ b/drivers/media/pci/saa7164/saa7164-core.c +@@ -1250,7 +1250,7 @@ static int saa7164_initdev(struct pci_dev *pci_dev, + + if (saa7164_dev_setup(dev) < 0) { + err = -EINVAL; +- goto fail_free; ++ goto fail_dev; + } + + /* print pci info */ +@@ -1422,6 +1422,8 @@ static int saa7164_initdev(struct pci_dev *pci_dev, + + fail_irq: + saa7164_dev_unregister(dev); ++fail_dev: ++ pci_disable_device(pci_dev); + fail_free: + v4l2_device_unregister(&dev->v4l2_dev); + kfree(dev); +-- +2.35.1 + diff --git a/queue-4.9/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch b/queue-4.9/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch new file mode 100644 index 00000000000..78184d6bce9 --- /dev/null +++ b/queue-4.9/media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch 
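Review bot: Placing "fail_dev:" directly above "fail_free:" means fail_irq now also falls through to pci_disable_device(), which is correct since device setup and the IRQ request both happen after the device is enabled; what needs confirming is that every failure before pci_enable_device() in saa7164_initdev() (not visible) still jumps to fail_free rather than the new label, otherwise a never-enabled device would be disabled. The commit message could name the pci_enable_device() call this balances.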
@@ -0,0 +1,64 @@ +From 0ae9a97046ba80c01b1a471214e4d11ccba36275 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 03:51:59 +0900 +Subject: media: si470x: Fix use-after-free in si470x_int_in_callback() + +From: Shigeru Yoshida + +[ Upstream commit 7d21e0b1b41b21d628bf2afce777727bd4479aa5 ] + +syzbot reported use-after-free in si470x_int_in_callback() [1]. This +indicates that urb->context, which contains struct si470x_device +object, is freed when si470x_int_in_callback() is called. + +The cause of this issue is that si470x_int_in_callback() is called for +freed urb. + +si470x_usb_driver_probe() calls si470x_start_usb(), which then calls +usb_submit_urb() and si470x_start(). If si470x_start_usb() fails, +si470x_usb_driver_probe() doesn't kill urb, but it just frees struct +si470x_device object, as depicted below: + +si470x_usb_driver_probe() + ... + si470x_start_usb() + ... + usb_submit_urb() + retval = si470x_start() + return retval + if (retval < 0) + free struct si470x_device object, but don't kill urb + +This patch fixes this issue by killing urb when si470x_start_usb() +fails and urb is submitted. If si470x_start_usb() fails and urb is +not submitted, i.e. submitting usb fails, it just frees struct +si470x_device object. 
+ +Reported-by: syzbot+9ca7a12fd736d93e0232@syzkaller.appspotmail.com +Link: https://syzkaller.appspot.com/bug?id=94ed6dddd5a55e90fd4bab942aa4bb297741d977 [1] +Signed-off-by: Shigeru Yoshida +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/radio/si470x/radio-si470x-usb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/media/radio/si470x/radio-si470x-usb.c b/drivers/media/radio/si470x/radio-si470x-usb.c +index a8a0ff9a1f83..6724c5287cc3 100644 +--- a/drivers/media/radio/si470x/radio-si470x-usb.c ++++ b/drivers/media/radio/si470x/radio-si470x-usb.c +@@ -741,8 +741,10 @@ static int si470x_usb_driver_probe(struct usb_interface *intf, + + /* start radio */ + retval = si470x_start_usb(radio); +- if (retval < 0) ++ if (retval < 0 && !radio->int_in_running) + goto err_buf; ++ else if (retval < 0) /* in case of radio->int_in_running == 1 */ ++ goto err_all; + + /* set initial frequency */ + si470x_set_freq(radio, 87.5 * FREQ_MUL); /* available in all regions */ +-- +2.35.1 + diff --git a/queue-4.9/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch b/queue-4.9/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch new file mode 100644 index 00000000000..ab84290b6c1 --- /dev/null +++ b/queue-4.9/media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch 
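Review bot: the retargeted error handling in the si470x_usb_driver_probe hunk would read more clearly as a single `if (retval < 0)` with an inner test on radio->int_in_running rather than `if (retval < 0 && !radio->int_in_running) goto err_buf; else if (retval < 0) goto err_all;`, which repeats the retval test and hides that int_in_running is the only thing being decided. The fix depends on err_all killing the submitted URB before the si470x_device object is freed, as the message describes, but the err_all label is outside the hunk, so that ordering should be confirmed.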
@@ -0,0 +1,38 @@ +From 5a2991d4c8f4be815d20ab419a639b5201b5c0d0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 16:24:23 +0800 +Subject: media: solo6x10: fix possible memory leak in solo_sysfs_init() + +From: Yang Yingliang + +[ Upstream commit 7f5866dd96d95b74e439f6ee17b8abd8195179fb ] + +If device_register() returns error in solo_sysfs_init(), the +name allocated by dev_set_name() need be freed. As comment of +device_register() says, it should use put_device() to give up +the reference in the error path. So fix this by calling +put_device(), then the name can be freed in kobject_cleanup(). + +Fixes: dcae5dacbce5 ("[media] solo6x10: sync to latest code from Bluecherry's git repo") +Signed-off-by: Yang Yingliang +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/pci/solo6x10/solo6x10-core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/pci/solo6x10/solo6x10-core.c b/drivers/media/pci/solo6x10/solo6x10-core.c +index f50d07229236..fc45d4aeb77e 100644 +--- a/drivers/media/pci/solo6x10/solo6x10-core.c ++++ b/drivers/media/pci/solo6x10/solo6x10-core.c +@@ -428,6 +428,7 @@ static int solo_sysfs_init(struct solo_dev *solo_dev) + solo_dev->nr_chans); + + if (device_register(dev)) { ++ put_device(dev); + dev->parent = NULL; + return -ENOMEM; + } +-- +2.35.1 + diff --git a/queue-4.9/media-vivid-fix-compose-size-exceed-boundary.patch b/queue-4.9/media-vivid-fix-compose-size-exceed-boundary.patch new file mode 100644 index 00000000000..94d0f4ad15a --- /dev/null +++ b/queue-4.9/media-vivid-fix-compose-size-exceed-boundary.patch 
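Review bot: in the solo_sysfs_init hunk, `dev->parent = NULL;` is executed after the new `put_device(dev);`; that is only safe if dev is embedded in solo_dev and its release callback does not free it, otherwise the added put_device() turns the name leak into a use-after-free, so the release path should be checked. Separately, the hardcoded `return -ENOMEM;` discards the error code device_register() actually returned; capture it in a local and return that instead.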
@@ -0,0 +1,57 @@ +From e0a5f9b0766e41c7315feb1c5333ec88b1cbf95a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 20:38:55 +0800 +Subject: media: vivid: fix compose size exceed boundary + +From: Liu Shixin + +[ Upstream commit 94a7ad9283464b75b12516c5512541d467cefcf8 ] + +syzkaller found a bug: + + BUG: unable to handle page fault for address: ffffc9000a3b1000 + #PF: supervisor write access in kernel mode + #PF: error_code(0x0002) - not-present page + PGD 100000067 P4D 100000067 PUD 10015f067 PMD 1121ca067 PTE 0 + Oops: 0002 [#1] PREEMPT SMP + CPU: 0 PID: 23489 Comm: vivid-000-vid-c Not tainted 6.1.0-rc1+ #512 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 + RIP: 0010:memcpy_erms+0x6/0x10 +[...] + Call Trace: + + ? tpg_fill_plane_buffer+0x856/0x15b0 + vivid_fillbuff+0x8ac/0x1110 + vivid_thread_vid_cap_tick+0x361/0xc90 + vivid_thread_vid_cap+0x21a/0x3a0 + kthread+0x143/0x180 + ret_from_fork+0x1f/0x30 + + +This is because we forget to check boundary after adjust compose->height +int V4L2_SEL_TGT_CROP case. Add v4l2_rect_map_inside() to fix this problem +for this case. 
+ +Fixes: ef834f7836ec ("[media] vivid: add the video capture and output parts") +Signed-off-by: Liu Shixin +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/vivid/vivid-vid-cap.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/media/platform/vivid/vivid-vid-cap.c b/drivers/media/platform/vivid/vivid-vid-cap.c +index 198b26687b57..b7bda691fa57 100644 +--- a/drivers/media/platform/vivid/vivid-vid-cap.c ++++ b/drivers/media/platform/vivid/vivid-vid-cap.c +@@ -915,6 +915,7 @@ int vivid_vid_cap_s_selection(struct file *file, void *fh, struct v4l2_selection + if (dev->has_compose_cap) { + v4l2_rect_set_min_size(compose, &min_rect); + v4l2_rect_set_max_size(compose, &max_rect); ++ v4l2_rect_map_inside(compose, &fmt); + } + dev->fmt_cap_rect = fmt; + tpg_s_buf_height(&dev->tpg, fmt.height); +-- +2.35.1 + diff --git a/queue-4.9/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch b/queue-4.9/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch new file mode 100644 index 00000000000..0234f124053 --- /dev/null +++ b/queue-4.9/mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch 
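Review bot: the added `v4l2_rect_map_inside(compose, &fmt);` runs only inside `if (dev->has_compose_cap)`, which matches where the context adjusts the compose rectangle, but the hunk carries no comment explaining why v4l2_rect_set_max_size() alone is not enough (the message says the height adjustment can still push the rectangle past the boundary); a one-line comment at the call would prevent it being removed as redundant later. The commit message typo `int V4L2_SEL_TGT_CROP case` should read `in`.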
@@ -0,0 +1,44 @@ +From 0653781c3d830b3aea3c3560c16ba8d46c3e1069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 9 Dec 2022 13:05:50 +0300 +Subject: MIPS: BCM63xx: Add check for NULL for clk in clk_enable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Anastasia Belova + +[ Upstream commit ee9ef11bd2a59c2fefaa0959e5efcdf040d7c654 ] + +Check clk for NULL before calling clk_enable_unlocked where clk +is dereferenced. There is such check in other implementations +of clk_enable. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: e7300d04bd08 ("MIPS: BCM63xx: Add support for the Broadcom BCM63xx family of SOCs.") +Signed-off-by: Anastasia Belova +Reviewed-by: Philippe Mathieu-Daudé +Acked-by: Florian Fainelli +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/bcm63xx/clk.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/bcm63xx/clk.c b/arch/mips/bcm63xx/clk.c +index 3be875a45c83..0b718a94656a 100644 +--- a/arch/mips/bcm63xx/clk.c ++++ b/arch/mips/bcm63xx/clk.c +@@ -316,6 +316,8 @@ static struct clk clk_periph = { + */ + int clk_enable(struct clk *clk) + { ++ if (!clk) ++ return 0; + mutex_lock(&clocks_mutex); + clk_enable_unlocked(clk); + mutex_unlock(&clocks_mutex); +-- +2.35.1 + diff --git a/queue-4.9/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch b/queue-4.9/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch new file mode 100644 index 00000000000..57a368de34e --- /dev/null +++ b/queue-4.9/mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch 
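Review bot: the `if (!clk) return 0;` at the top of clk_enable() follows the convention that a NULL clk is a valid no-op handle, and placing it before `mutex_lock(&clocks_mutex);` avoids taking the lock for nothing; the message notes other clk_enable implementations do the same. The hunk does not touch clk_disable(), so a symmetric NULL check there should be confirmed, otherwise a caller that got 0 back from clk_enable(NULL) can still dereference NULL on the matching disable.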
@@ -0,0 +1,55 @@ +From e8b3aff2af810de823330d9bb127a8adee9166bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:39:45 +0800 +Subject: MIPS: vpe-cmp: fix possible memory leak while module exiting + +From: Yang Yingliang + +[ Upstream commit c5ed1fe0801f0c66b0fbce2785239a5664629057 ] + +dev_set_name() allocates memory for name, it need be freed +when module exiting, call put_device() to give up reference, +so that it can be freed in kobject_cleanup() when the refcount +hit to 0. The vpe_device is static, so remove kfree() from +vpe_device_release(). + +Fixes: 17a1d523aa58 ("MIPS: APRP: Add VPE loader support for CMP platforms.") +Signed-off-by: Yang Yingliang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/vpe-cmp.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/kernel/vpe-cmp.c b/arch/mips/kernel/vpe-cmp.c +index 9268ebc0f61e..903c07bdc92d 100644 +--- a/arch/mips/kernel/vpe-cmp.c ++++ b/arch/mips/kernel/vpe-cmp.c +@@ -75,7 +75,6 @@ ATTRIBUTE_GROUPS(vpe); + + static void vpe_device_release(struct device *cd) + { +- kfree(cd); + } + + static struct class vpe_class = { +@@ -157,6 +156,7 @@ int __init vpe_module_init(void) + device_del(&vpe_device); + + out_class: ++ put_device(&vpe_device); + class_unregister(&vpe_class); + + out_chrdev: +@@ -169,7 +169,7 @@ void __exit vpe_module_exit(void) + { + struct vpe *v, *n; + +- device_del(&vpe_device); ++ device_unregister(&vpe_device); + class_unregister(&vpe_class); + unregister_chrdev(major, VPE_MODULE_NAME); + +-- +2.35.1 + diff --git a/queue-4.9/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch b/queue-4.9/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch new file mode 100644 index 00000000000..8618b2209df --- /dev/null +++ b/queue-4.9/mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch 
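Review bot: the now-empty vpe_device_release() deserves a comment stating that vpe_device is static and the release exists only to satisfy the driver core, otherwise the next reader will see a no-op release and reinstate the kfree() this hunk removes. The out_class ordering is right: the existing `device_del(&vpe_device);` followed by the new `put_device(&vpe_device);` is the same pair that `device_unregister(&vpe_device);` performs in the vpe_module_exit hunk.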
@@ -0,0 +1,56 @@ +From 3ee60d767ac44c5354444d6c9e63ffb3d6f1ac45 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 11:39:44 +0800 +Subject: MIPS: vpe-mt: fix possible memory leak while module exiting + +From: Yang Yingliang + +[ Upstream commit 5822e8cc84ee37338ab0bdc3124f6eec04dc232d ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +it need be freed when module exiting, call put_device() to give up +reference, so that it can be freed in kobject_cleanup() when the +refcount hit to 0. The vpe_device is static, so remove kfree() from +vpe_device_release(). + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/kernel/vpe-mt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/mips/kernel/vpe-mt.c b/arch/mips/kernel/vpe-mt.c +index 2e003b11a098..9fd7cd48ea1d 100644 +--- a/arch/mips/kernel/vpe-mt.c ++++ b/arch/mips/kernel/vpe-mt.c +@@ -313,7 +313,6 @@ ATTRIBUTE_GROUPS(vpe); + + static void vpe_device_release(struct device *cd) + { +- kfree(cd); + } + + static struct class vpe_class = { +@@ -497,6 +496,7 @@ int __init vpe_module_init(void) + device_del(&vpe_device); + + out_class: ++ put_device(&vpe_device); + class_unregister(&vpe_class); + + out_chrdev: +@@ -509,7 +509,7 @@ void __exit vpe_module_exit(void) + { + struct vpe *v, *n; + +- device_del(&vpe_device); ++ device_unregister(&vpe_device); + class_unregister(&vpe_class); + unregister_chrdev(major, VPE_MODULE_NAME); + +-- +2.35.1 + diff --git a/queue-4.9/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch b/queue-4.9/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch new file mode 100644 index 00000000000..a5d4909839c --- /dev/null +++ b/queue-4.9/misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch 
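Review bot: this is the same change as the vpe-cmp patch, but the Fixes tag points at the driver-core commit 1fa5ae857bb1 that introduced dynamically allocated device names rather than at the vpe-mt code that failed to drop its reference, while the vpe-cmp counterpart cites the driver commit; the two should be consistent so stable backports land in the same trees. As in vpe-cmp, the empty vpe_device_release() merits a comment explaining that vpe_device is static and must not be freed.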
@@ -0,0 +1,140 @@ +From 6db67bdf0a2619562620b65bac814378ee58722f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 11:50:33 +0800 +Subject: misc: sgi-gru: fix use-after-free error in gru_set_context_option, + gru_fault and gru_handle_user_call_os + +From: Zheng Wang + +[ Upstream commit 643a16a0eb1d6ac23744bb6e90a00fc21148a9dc ] + +In some bad situation, the gts may be freed gru_check_chiplet_assignment. +The call chain can be gru_unload_context->gru_free_gru_context->gts_drop +and kfree finally. However, the caller didn't know if the gts is freed +or not and use it afterwards. This will trigger a Use after Free bug. + +Fix it by introducing a return value to see if it's in error path or not. +Free the gts in caller if gru_check_chiplet_assignment check failed. + +Fixes: 55484c45dbec ("gru: allow users to specify gru chiplet 2") +Signed-off-by: Zheng Wang +Acked-by: Dimitri Sivanich +Link: https://lore.kernel.org/r/20221110035033.19498-1-zyytlz.wz@163.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/sgi-gru/grufault.c | 13 +++++++++++-- + drivers/misc/sgi-gru/grumain.c | 22 ++++++++++++++++++---- + drivers/misc/sgi-gru/grutables.h | 2 +- + 3 files changed, 30 insertions(+), 7 deletions(-) + +diff --git a/drivers/misc/sgi-gru/grufault.c b/drivers/misc/sgi-gru/grufault.c +index 6fb773dbcd0c..a43a496ca9b9 100644 +--- a/drivers/misc/sgi-gru/grufault.c ++++ b/drivers/misc/sgi-gru/grufault.c +@@ -656,6 +656,7 @@ int gru_handle_user_call_os(unsigned long cb) + if ((cb & (GRU_HANDLE_STRIDE - 1)) || ucbnum >= GRU_NUM_CB) + return -EINVAL; + ++again: + gts = gru_find_lock_gts(cb); + if (!gts) + return -EINVAL; +@@ -664,7 +665,11 @@ int gru_handle_user_call_os(unsigned long cb) + if (ucbnum >= gts->ts_cbr_au_count * GRU_CBR_AU_SIZE) + goto exit; + +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ goto again; ++ } + + /* + * CCH may 
contain stale data if ts_force_cch_reload is set. +@@ -882,7 +887,11 @@ int gru_set_context_option(unsigned long arg) + } else { + gts->ts_user_blade_id = req.val1; + gts->ts_user_chiplet_id = req.val0; +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ gru_unlock_gts(gts); ++ gru_unload_context(gts, 1); ++ return ret; ++ } + } + break; + case sco_gseg_owner: +diff --git a/drivers/misc/sgi-gru/grumain.c b/drivers/misc/sgi-gru/grumain.c +index 33741ad4a74a..bc2d5233660c 100644 +--- a/drivers/misc/sgi-gru/grumain.c ++++ b/drivers/misc/sgi-gru/grumain.c +@@ -729,9 +729,10 @@ static int gru_check_chiplet_assignment(struct gru_state *gru, + * chiplet. Misassignment can occur if the process migrates to a different + * blade or if the user changes the selected blade/chiplet. + */ +-void gru_check_context_placement(struct gru_thread_state *gts) ++int gru_check_context_placement(struct gru_thread_state *gts) + { + struct gru_state *gru; ++ int ret = 0; + + /* + * If the current task is the context owner, verify that the +@@ -739,15 +740,23 @@ void gru_check_context_placement(struct gru_thread_state *gts) + * references. Pthread apps use non-owner references to the CBRs. + */ + gru = gts->ts_gru; ++ /* ++ * If gru or gts->ts_tgid_owner isn't initialized properly, return ++ * success to indicate that the caller does not need to unload the ++ * gru context.The caller is responsible for their inspection and ++ * reinitialization if needed. 
++ */ + if (!gru || gts->ts_tgid_owner != current->tgid) +- return; ++ return ret; + + if (!gru_check_chiplet_assignment(gru, gts)) { + STAT(check_context_unload); +- gru_unload_context(gts, 1); ++ ret = -EINVAL; + } else if (gru_retarget_intr(gts)) { + STAT(check_context_retarget_intr); + } ++ ++ return ret; + } + + +@@ -946,7 +955,12 @@ int gru_fault(struct vm_area_struct *vma, struct vm_fault *vmf) + mutex_lock(>s->ts_ctxlock); + preempt_disable(); + +- gru_check_context_placement(gts); ++ if (gru_check_context_placement(gts)) { ++ preempt_enable(); ++ mutex_unlock(>s->ts_ctxlock); ++ gru_unload_context(gts, 1); ++ return VM_FAULT_NOPAGE; ++ } + + if (!gts->ts_gru) { + STAT(load_user_context); +diff --git a/drivers/misc/sgi-gru/grutables.h b/drivers/misc/sgi-gru/grutables.h +index 5c3ce2459675..a1dfca557fc3 100644 +--- a/drivers/misc/sgi-gru/grutables.h ++++ b/drivers/misc/sgi-gru/grutables.h +@@ -651,7 +651,7 @@ extern int gru_user_flush_tlb(unsigned long arg); + extern int gru_user_unload_context(unsigned long arg); + extern int gru_get_exception_detail(unsigned long arg); + extern int gru_set_context_option(unsigned long address); +-extern void gru_check_context_placement(struct gru_thread_state *gts); ++extern int gru_check_context_placement(struct gru_thread_state *gts); + extern int gru_cpu_fault_map_id(void); + extern struct vm_area_struct *gru_find_vma(unsigned long vaddr); + extern void gru_flush_all_tlb(struct gru_state *gru); +-- +2.35.1 + diff --git a/queue-4.9/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch b/queue-4.9/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch new file mode 100644 index 00000000000..7dfb2602370 --- /dev/null +++ b/queue-4.9/misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch 
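Review bot: in the gru_handle_user_call_os hunk, the new `again:` label and `goto again;` after gru_unload_context(gts, 1) form an unbounded retry loop; if gru_check_context_placement() keeps returning non-zero for the re-found gts, the thread spins. Either bound the retries or add a comment stating why the second pass is guaranteed to succeed, for instance that the unload clears the state that made the chiplet check fail.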
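Review bot: in the gru_set_context_option hunk, `return ret;` after gru_unload_context(gts, 1) returns whatever ret held before the switch rather than an error, so userspace cannot tell that its context was just unloaded; either return an explicit code or document that returning the prior value is intended. In the grumain.c hunk the comment text `gru context.The caller` is missing a space, and the gru_fault hunk returns VM_FAULT_NOPAGE after unloading without a comment explaining that the access is expected to fault again and reload the context.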
@@ -0,0 +1,42 @@ +From e1af1e12a4dc065f0505a5ff88e610c91f9c683b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 14:47:25 +0800 +Subject: misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() + +From: ruanjinjie + +[ Upstream commit fd2c930cf6a5b9176382c15f9acb1996e76e25ad ] + +If device_register() returns error in tifm_7xx1_switch_media(), +name of kobject which is allocated in dev_set_name() called in device_add() +is leaked. + +Never directly free @dev after calling device_register(), even +if it returned an error! Always use put_device() to give up the +reference initialized. + +Fixes: 2428a8fe2261 ("tifm: move common device management tasks from tifm_7xx1 to tifm_core") +Signed-off-by: ruanjinjie +Link: https://lore.kernel.org/r/20221117064725.3478402-1-ruanjinjie@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/tifm_7xx1.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/misc/tifm_7xx1.c b/drivers/misc/tifm_7xx1.c +index a37a42f67088..8498282d1212 100644 +--- a/drivers/misc/tifm_7xx1.c ++++ b/drivers/misc/tifm_7xx1.c +@@ -194,7 +194,7 @@ static void tifm_7xx1_switch_media(struct work_struct *work) + spin_unlock_irqrestore(&fm->lock, flags); + } + if (sock) +- tifm_free_device(&sock->dev); ++ put_device(&sock->dev); + } + spin_lock_irqsave(&fm->lock, flags); + } +-- +2.35.1 + diff --git a/queue-4.9/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch b/queue-4.9/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch new file mode 100644 index 00000000000..b90b5ad2d20 --- /dev/null +++ b/queue-4.9/misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch 
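Review bot: replacing `tifm_free_device(&sock->dev);` with `put_device(&sock->dev);` only frees the socket if sock->dev.release frees the containing tifm_dev; that release is set outside this hunk, so confirm it, otherwise the patch trades a leaked kobject name for a leaked socket structure. The message's rule that @dev must never be freed directly after device_register() is the device_register() kerneldoc and is the right rationale to keep in the log.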
@@ -0,0 +1,112 @@ +From ed2d126d4c7425c50c99446ed6fec7b8dffdf0d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:39 +0800 +Subject: mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 1232946cf522b8de9e398828bde325d7c41f29dd ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +skb_queue_purge() is called under spin_lock_irqsave() in handle_dmsg() +and hfcm_l1callback(), kfree_skb() is called in them, to fix this, use +skb_queue_splice_init() to move the dch->squeue to a free queue, also +enqueue the tx_skb and rx_skb, at last calling __skb_queue_purge() to +free the SKBs afer unlock. + +Fixes: af69fb3a8ffa ("Add mISDN HFC multiport driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcmulti.c | 19 +++++++++++++------ + 1 file changed, 13 insertions(+), 6 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcmulti.c b/drivers/isdn/hardware/mISDN/hfcmulti.c +index 8feb8e9e29a6..decec530bdf4 100644 +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -3234,6 +3234,7 @@ static int + hfcm_l1callback(struct dchannel *dch, u_int cmd) + { + struct hfc_multi *hc = dch->hw; ++ struct sk_buff_head free_queue; + u_long flags; + + switch (cmd) { +@@ -3262,6 +3263,7 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd) + l1_event(dch->l1, HW_POWERUP_IND); + break; + case HW_DEACT_REQ: ++ __skb_queue_head_init(&free_queue); + /* start deactivation */ + spin_lock_irqsave(&hc->lock, flags); + if (hc->ctype == HFC_TYPE_E1) { +@@ -3281,20 +3283,21 @@ hfcm_l1callback(struct dchannel *dch, u_int cmd) + plxsd_checksync(hc, 0); + } + } +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- 
dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); + if (test_and_clear_bit(FLG_BUSY_TIMER, &dch->Flags)) + del_timer(&dch->timer); + spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + break; + case HW_POWERUP_REQ: + spin_lock_irqsave(&hc->lock, flags); +@@ -3401,6 +3404,9 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + case PH_DEACTIVATE_REQ: + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + if (dch->dev.D.protocol != ISDN_P_TE_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + spin_lock_irqsave(&hc->lock, flags); + if (debug & DEBUG_HFCMULTI_MSG) + printk(KERN_DEBUG +@@ -3422,14 +3428,14 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + /* deactivate */ + dch->state = 1; + } +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); +@@ -3441,6 +3447,7 @@ handle_dmsg(struct mISDNchannel *ch, struct sk_buff *skb) + #endif + ret = 0; + spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + } else + ret = l1_event(dch->l1, hh->prim); + break; +-- +2.35.1 + diff --git a/queue-4.9/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch b/queue-4.9/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch new file mode 100644 index 00000000000..f7f4b72240d --- /dev/null +++ b/queue-4.9/misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch 
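Review bot: in hfcm_l1callback(), free_queue is declared at function scope in the first hunk but initialised with `__skb_queue_head_init(&free_queue);` only inside `case HW_DEACT_REQ:`, whereas the handle_dmsg hunk declares and initialises it in the block that uses it; scoping it the same way in hfcm_l1callback avoids a future case reaching `__skb_queue_purge(&free_queue);` with an uninitialised list head. The ordering in both functions is right: the splice and the `__skb_queue_tail()` calls stay under the lock and the purge happens only after spin_unlock_irqrestore().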
@@ -0,0 +1,71 @@ +From b95466b6159504889be7ca0f98f51c971e87515a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:38 +0800 +Subject: mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f0f596bd75a9d573ca9b587abb39cee0b916bb82 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +skb_queue_purge() is called under spin_lock_irqsave() in hfcpci_l2l1D(), +kfree_skb() is called in it, to fix this, use skb_queue_splice_init() +to move the dch->squeue to a free queue, also enqueue the tx_skb and +rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. + +Fixes: 1700fe1a10dc ("Add mISDN HFC PCI driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcpci.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c +index 89cf1d695a01..e33b58f560bf 100644 +--- a/drivers/isdn/hardware/mISDN/hfcpci.c ++++ b/drivers/isdn/hardware/mISDN/hfcpci.c +@@ -1631,16 +1631,19 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + spin_lock_irqsave(&hc->lock, flags); + if (hc->hw.protocol == ISDN_P_NT_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + /* prepare deactivation */ + Write_hfc(hc, HFCPCI_STATES, 0x40); +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + 
test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); +@@ -1653,10 +1656,12 @@ hfcpci_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + hc->hw.mst_m &= ~HFCPCI_MASTER; + Write_hfc(hc, HFCPCI_MST_MODE, hc->hw.mst_m); + ret = 0; ++ spin_unlock_irqrestore(&hc->lock, flags); ++ __skb_queue_purge(&free_queue); + } else { + ret = l1_event(dch->l1, hh->prim); ++ spin_unlock_irqrestore(&hc->lock, flags); + } +- spin_unlock_irqrestore(&hc->lock, flags); + break; + } + if (!ret) +-- +2.35.1 + diff --git a/queue-4.9/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch b/queue-4.9/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch new file mode 100644 index 00000000000..dff8af826a0 --- /dev/null +++ b/queue-4.9/misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch 
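Review bot: in the second hfcpci_l2l1D hunk the single `spin_unlock_irqrestore(&hc->lock, flags);` after the if/else is replaced by one unlock per branch so that `__skb_queue_purge(&free_queue);` runs unlocked; that is correct, but it means any code later inserted between the else block and `break;` will run without the lock, which a short comment on the NT_S0 branch would make explicit. free_queue is declared inside `if (hc->hw.protocol == ISDN_P_NT_S0)` while the spin_lock_irqsave() above it is taken unconditionally, so the else branch correctly never touches the queue.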
@@ -0,0 +1,79 @@ +From a5caefacdef31330a79e2f5c4f0296a25788625f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 16:41:37 +0800 +Subject: mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit ddc9648db162eee556edd5222d2808fe33730203 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +skb_queue_purge() is called under spin_lock_irqsave() in hfcusb_l2l1D(), +kfree_skb() is called in it, to fix this, use skb_queue_splice_init() +to move the dch->squeue to a free queue, also enqueue the tx_skb and +rx_skb, at last calling __skb_queue_purge() to free the SKBs afer unlock. + +In tx_iso_complete(), dev_kfree_skb() is called to consume the transmitted +SKB, so replace it with dev_consume_skb_irq(). 
+ +Fixes: 69f52adb2d53 ("mISDN: Add HFC USB driver") +Signed-off-by: Yang Yingliang +Reviewed-by: Alexander Duyck +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/isdn/hardware/mISDN/hfcsusb.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/isdn/hardware/mISDN/hfcsusb.c b/drivers/isdn/hardware/mISDN/hfcsusb.c +index 726fba452f5f..4c49ef9fc391 100644 +--- a/drivers/isdn/hardware/mISDN/hfcsusb.c ++++ b/drivers/isdn/hardware/mISDN/hfcsusb.c +@@ -337,20 +337,24 @@ hfcusb_l2l1D(struct mISDNchannel *ch, struct sk_buff *skb) + test_and_clear_bit(FLG_L2_ACTIVATED, &dch->Flags); + + if (hw->protocol == ISDN_P_NT_S0) { ++ struct sk_buff_head free_queue; ++ ++ __skb_queue_head_init(&free_queue); + hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT); + spin_lock_irqsave(&hw->lock, flags); +- skb_queue_purge(&dch->squeue); ++ skb_queue_splice_init(&dch->squeue, &free_queue); + if (dch->tx_skb) { +- dev_kfree_skb(dch->tx_skb); ++ __skb_queue_tail(&free_queue, dch->tx_skb); + dch->tx_skb = NULL; + } + dch->tx_idx = 0; + if (dch->rx_skb) { +- dev_kfree_skb(dch->rx_skb); ++ __skb_queue_tail(&free_queue, dch->rx_skb); + dch->rx_skb = NULL; + } + test_and_clear_bit(FLG_TX_BUSY, &dch->Flags); + spin_unlock_irqrestore(&hw->lock, flags); ++ __skb_queue_purge(&free_queue); + #ifdef FIXME + if (test_and_clear_bit(FLG_L1_BUSY, &dch->Flags)) + dchannel_sched_event(&hc->dch, D_CLEARBUSY); +@@ -1340,7 +1344,7 @@ tx_iso_complete(struct urb *urb) + printk("\n"); + } + +- dev_kfree_skb(tx_skb); ++ dev_consume_skb_irq(tx_skb); + tx_skb = NULL; + if (fifo->dch && get_next_dframe(fifo->dch)) + tx_skb = fifo->dch->tx_skb; +-- +2.35.1 + diff --git a/queue-4.9/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch b/queue-4.9/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch new file mode 100644 index 00000000000..7a3a0a7ab62 --- /dev/null +++ b/queue-4.9/mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch 
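Review bot: the commit message presents dev_kfree_skb_irq()/dev_consume_skb_irq() as the remedy, but the hfcusb_l2l1D hunk uses the deferred free_queue with `__skb_queue_purge(&free_queue);` after spin_unlock_irqrestore(), and only the tx_iso_complete hunk switches to `dev_consume_skb_irq(tx_skb);`; the message should state which approach applies to which site. In hfcusb_l2l1D the `hfcsusb_ph_command(hw, HFC_L1_DEACTIVATE_NT);` call stays before spin_lock_irqsave(), so placing the new queue initialisation ahead of it is harmless but would read better next to the lock it pairs with.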
@@ -0,0 +1,38 @@ +From 387b8d56e6607f7af4fcca363d238357f6011703 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 17:10:33 +0900 +Subject: mmc: f-sdh30: Add quirks for broken timeout clock capability + +From: Kunihiko Hayashi + +[ Upstream commit aae9d3a440736691b3c1cb09ae2c32c4f1ee2e67 ] + +There is a case where the timeout clock is not supplied to the capability. +Add a quirk for that. + +Signed-off-by: Kunihiko Hayashi +Acked-by: Jassi Brar +Link: https://lore.kernel.org/r/20221111081033.3813-7-hayashi.kunihiko@socionext.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/sdhci_f_sdh30.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/mmc/host/sdhci_f_sdh30.c b/drivers/mmc/host/sdhci_f_sdh30.c +index 111b66f5439b..43e787954293 100644 +--- a/drivers/mmc/host/sdhci_f_sdh30.c ++++ b/drivers/mmc/host/sdhci_f_sdh30.c +@@ -180,6 +180,9 @@ static int sdhci_f_sdh30_probe(struct platform_device *pdev) + if (reg & SDHCI_CAN_DO_8BIT) + priv->vendor_hs200 = F_SDH30_EMMC_HS200; + ++ if (!(reg & SDHCI_TIMEOUT_CLK_MASK)) ++ host->quirks |= SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK; ++ + ret = sdhci_add_host(host); + if (ret) + goto err_add_host; +-- +2.35.1 + diff --git a/queue-4.9/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..b36fa104765 --- /dev/null +++ b/queue-4.9/mmc-mmci-fix-return-value-check-of-mmc_add_host.patch 
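Review bot: the new `if (!(reg & SDHCI_TIMEOUT_CLK_MASK))` test reuses the capabilities value already tested by `if (reg & SDHCI_CAN_DO_8BIT)` two lines above, which is appropriate because the timeout clock frequency field lives in the same register; a one-line comment that a zero field means the controller advertises no timeout clock, so data timeouts must be derived from SDCLK, would document why SDHCI_QUIRK_DATA_TIMEOUT_USES_SDCLK is the right quirk. The patch carries no Fixes tag, which makes it harder to judge which stable trees need it.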
@@ -0,0 +1,46 @@ +From b17257df97cee091ac8fcb9af5e0e86e42930ce5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 21:35:39 +0800 +Subject: mmc: mmci: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit b38a20f29a49ae04d23750d104b25400b792b98c ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +So fix this by checking the return value and goto error path which +will call mmc_free_host(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109133539.3275664-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mmci.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mmci.c b/drivers/mmc/host/mmci.c +index df990bb8c873..347dffaea105 100644 +--- a/drivers/mmc/host/mmci.c ++++ b/drivers/mmc/host/mmci.c +@@ -1718,7 +1718,9 @@ static int mmci_probe(struct amba_device *dev, + pm_runtime_set_autosuspend_delay(&dev->dev, 50); + pm_runtime_use_autosuspend(&dev->dev); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto clk_disable; + + pm_runtime_put(&dev->dev); + return 0; +-- +2.35.1 + diff --git a/queue-4.9/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..93c66482ec0 --- /dev/null +++ b/queue-4.9/mmc-moxart-fix-return-value-check-of-mmc_add_host.patch 
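Review bot: the new `goto clk_disable;` on mmc_add_host() failure skips the `pm_runtime_put(&dev->dev);` that follows in the context, right after pm_runtime_set_autosuspend_delay() and pm_runtime_use_autosuspend() were called; the clk_disable label is outside the hunk, so confirm that it balances the runtime PM reference and that mmc_free_host() is reached from there as the message claims, otherwise the fix replaces a leaked mmc_host with an unbalanced PM usage count.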
@@ -0,0 +1,43 @@ +From 64324b58a1169cd63ebdf6337ee8bc341a56717f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:16 +0800 +Subject: mmc: moxart: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 0ca18d09c744fb030ae9bc5836c3e357e0237dea ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(). + +Fixes: 1b66e94e6b99 ("mmc: moxart: Add MOXA ART SD/MMC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-3-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/moxart-mmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/moxart-mmc.c b/drivers/mmc/host/moxart-mmc.c +index 4f8588c3bf53..48645b736ba5 100644 +--- a/drivers/mmc/host/moxart-mmc.c ++++ b/drivers/mmc/host/moxart-mmc.c +@@ -662,7 +662,9 @@ static int moxart_probe(struct platform_device *pdev) + goto out; + + dev_set_drvdata(dev, mmc); +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto out; + + dev_dbg(dev, "IRQ=%d, FIFO is %d bytes\n", irq, host->fifo_width); + +-- +2.35.1 + diff --git a/queue-4.9/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..ca7d9a08f9f --- /dev/null +++ b/queue-4.9/mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch 
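Review bot: the new `goto out;` on mmc_add_host() failure is taken after `dev_set_drvdata(dev, mmc);` has already run, so if the out label frees the host with mmc_free_host() as the message claims, the driver data is left pointing at freed memory until the device is torn down; clearing drvdata on the error path, or moving dev_set_drvdata() after a successful mmc_add_host(), would be cleaner. The out label itself is outside the hunk, so its mmc_free_host() call should be confirmed.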
@@ -0,0 +1,43 @@ +From 5ae092c61dd8cfa1a666db2a91dd72e118bd9155 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:17 +0800 +Subject: mmc: mxcmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit cde600af7b413c9fe03e85c58c4279df90e91d13 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(). + +Fixes: d96be879ff46 ("mmc: Add a MX2/MX3 specific SDHC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-4-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/mxcmmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/mxcmmc.c b/drivers/mmc/host/mxcmmc.c +index fb3ca8296273..2c57cccb0fa1 100644 +--- a/drivers/mmc/host/mxcmmc.c ++++ b/drivers/mmc/host/mxcmmc.c +@@ -1159,7 +1159,9 @@ static int mxcmci_probe(struct platform_device *pdev) + host->watchdog.function = &mxcmci_watchdog; + host->watchdog.data = (unsigned long)mmc; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto out_free_dma; + + return 0; + +-- +2.35.1 + diff --git a/queue-4.9/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..3c47ffb8653 --- /dev/null +++ b/queue-4.9/mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch 
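Review bot: the target label `out_free_dma` and its fall-through chain are not visible in the hunk, so confirm it unwinds in reverse order down to `mmc_free_host()` as the commit message claims; in particular the watchdog timer configured in the two context lines above must not be armed anywhere before `mmc_add_host()`, otherwise that label would also need a `del_timer_sync()`.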
@@ -0,0 +1,46 @@ +From 3a6d14c9e92183ea83eb3413b6f34c819072e8d4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:18 +0800 +Subject: mmc: pxamci: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 80e1ef3afb8bfbe768380b70ffe1b6cab87d1a3b ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, ->exit() need be called to uninit the pdata. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-5-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/pxamci.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/pxamci.c b/drivers/mmc/host/pxamci.c +index 3e139692fe8f..f6a2f10d7d12 100644 +--- a/drivers/mmc/host/pxamci.c ++++ b/drivers/mmc/host/pxamci.c +@@ -816,7 +816,12 @@ static int pxamci_probe(struct platform_device *pdev) + if (gpio_is_valid(gpio_ro) && host->pdata->get_ro) + dev_warn(&pdev->dev, "gpio_ro and get_ro() both defined\n"); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++ if (host->pdata && host->pdata->exit) ++ host->pdata->exit(dev, mmc); ++ goto out; ++ } + + return 0; + +-- +2.35.1 + diff --git a/queue-4.9/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch b/queue-4.9/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch new file mode 100644 index 00000000000..923d790b55d --- /dev/null +++ b/queue-4.9/mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch 
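Review bot: `host->pdata->exit(dev, mmc)` uses a `dev` variable that is neither declared in the hunk nor used anywhere in the visible context, whereas the context line above reaches the device as `&pdev->dev`; confirm that `dev` is `&pdev->dev` (the same device the remove path hands to `->exit()`), since passing a different device to a platform callback would fail silently rather than at compile time.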
@@ -0,0 +1,58 @@ +From 3293538c3e3a70d6fb41e942f8270c6fe45e0b04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:20 +0800 +Subject: mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit fc38a5a10e9e5a75eb9189854abeb8405b214cc9 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and calling mmc_free_host() in the +error path, besides, led_classdev_unregister() and pm_runtime_disable() also +need be called. + +Fixes: c7f6558d84af ("mmc: Add realtek USB sdmmc host driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-7-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/rtsx_usb_sdmmc.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/rtsx_usb_sdmmc.c b/drivers/mmc/host/rtsx_usb_sdmmc.c +index 6e9c0f8fddb1..817fbf510d1e 100644 +--- a/drivers/mmc/host/rtsx_usb_sdmmc.c ++++ b/drivers/mmc/host/rtsx_usb_sdmmc.c +@@ -1355,6 +1355,7 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev) + #ifdef RTSX_USB_USE_LEDS_CLASS + int err; + #endif ++ int ret; + + ucr = usb_get_intfdata(to_usb_interface(pdev->dev.parent)); + if (!ucr) +@@ -1391,7 +1392,15 @@ static int rtsx_usb_sdmmc_drv_probe(struct platform_device *pdev) + INIT_WORK(&host->led_work, rtsx_usb_update_led); + + #endif +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++#ifdef RTSX_USB_USE_LEDS_CLASS ++ led_classdev_unregister(&host->led); ++#endif ++ mmc_free_host(mmc); ++ pm_runtime_disable(&pdev->dev); ++ return ret; ++ } + + return 0; + } +-- +2.35.1 + 
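Review bot: the new `int ret;` sits next to an `int err;` that exists only under `#ifdef RTSX_USB_USE_LEDS_CLASS`, so the function now carries two status variables for the same purpose; consider declaring `ret` unconditionally and reusing it for the LED-class registration as well, which removes the `#ifdef`'d `err`.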
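Review bot: the new error block frees the host (`mmc_free_host(mmc)`) before `pm_runtime_disable(&pdev->dev)`; that is safe only because `pm_runtime_disable()` takes the platform device rather than `host`, and the conventional order is to disable runtime PM first and free the host last so the block reads as the exact reverse of setup. Unregistering `host->led` before `mmc_free_host()` is correct since the LED lives inside the host allocation; a one-line comment saying so would help the next reader.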
diff --git a/queue-4.9/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..da6ff7045bf --- /dev/null +++ b/queue-4.9/mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch @@ -0,0 +1,52 @@ +From 9b96ab023616c0e7bdf14be36ceeed8c3c406c28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:21 +0800 +Subject: mmc: toshsd: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit f670744a316ea983113a65313dcd387b5a992444 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, free_irq() also needs be called. + +Fixes: a5eb8bbd66cc ("mmc: add Toshiba PCI SD controller driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-8-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/toshsd.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/toshsd.c b/drivers/mmc/host/toshsd.c +index 553ef41bb806..c0d3b289d8d4 100644 +--- a/drivers/mmc/host/toshsd.c ++++ b/drivers/mmc/host/toshsd.c +@@ -655,7 +655,9 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + if (ret) + goto unmap; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto free_irq; + + base = pci_resource_start(pdev, 0); + dev_dbg(&pdev->dev, "MMIO %pa, IRQ %d\n", &base, pdev->irq); +@@ -664,6 +666,8 @@ static int toshsd_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + return 0; + ++free_irq: ++ free_irq(pdev->irq, host); + unmap: + pci_iounmap(pdev, host->ioaddr); + release: +-- +2.35.1 + 
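Review bot: the new label `free_irq:` has the same name as the function it calls, `free_irq(pdev->irq, host)`; labels live in their own C namespace so this compiles, but it is easy to misread and to grep for, and the neighbouring labels (`unmap`, `release`) do not collide with function names, so `err_free_irq:` would be the clearer choice. The placement is otherwise right: it sits above `unmap:` so the unwind runs in reverse order of the `if (ret) goto unmap;` check that precedes `mmc_add_host()`.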
diff --git a/queue-4.9/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..db7f14bbfc5 --- /dev/null +++ b/queue-4.9/mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch @@ -0,0 +1,46 @@ +From 59236ab3b97797d248df9345a5099db93cfa8e04 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 21:09:49 +0800 +Subject: mmc: via-sdmmc: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit e4e46fb61e3bb4628170810d3f2b996b709b90d9 ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +Fix this by checking the return value and goto error path which +will call mmc_free_host(). + +Fixes: f0bf7f61b840 ("mmc: Add new via-sdmmc host controller driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221108130949.1067699-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/via-sdmmc.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c +index a3472127bea3..74ac1ac55f42 100644 +--- a/drivers/mmc/host/via-sdmmc.c ++++ b/drivers/mmc/host/via-sdmmc.c +@@ -1162,7 +1162,9 @@ static int via_sd_probe(struct pci_dev *pcidev, + pcidev->subsystem_device == 0x3891) + sdhost->quirks = VIA_CRDR_QUIRK_300MS_PWRDELAY; + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) ++ goto unmap; + + return 0; + +-- +2.35.1 + 
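Review bot: the new `goto unmap` targets a label the hunk does not show, and the commit message only says that path reaches `mmc_free_host()`; confirm that anything set up after the MMIO mapping and before `mmc_add_host()` (an interrupt handler in particular, if `request_irq()` precedes this point) is released on that path too, otherwise the fix trades a leaked host for a leaked IRQ.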
diff --git a/queue-4.9/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..b7e093499e9 --- /dev/null +++ b/queue-4.9/mmc-vub300-fix-return-value-check-of-mmc_add_host.patch 
@@ -0,0 +1,67 @@ +From df08d26802bb856ab24f566c6f8023d4771f8829 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 14:30:22 +0800 +Subject: mmc: vub300: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit 0613ad2401f88bdeae5594c30afe318e93b14676 ] + +mmc_add_host() may return error, if we ignore its return value, the memory +that allocated in mmc_alloc_host() will be leaked and it will lead a kernel +crash because of deleting not added device in the remove path. + +So fix this by checking the return value and goto error path which will call +mmc_free_host(), besides, the timer added before mmc_add_host() needs be del. + +And this patch fixes another missing call mmc_free_host() if usb_control_msg() +fails. + +Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221101063023.1664968-9-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/vub300.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/mmc/host/vub300.c b/drivers/mmc/host/vub300.c +index 875e438ab973..d962e88572a1 100644 +--- a/drivers/mmc/host/vub300.c ++++ b/drivers/mmc/host/vub300.c +@@ -2312,14 +2312,14 @@ static int vub300_probe(struct usb_interface *interface, + 0x0000, 0x0000, &vub300->system_port_status, + sizeof(vub300->system_port_status), 1000); + if (retval < 0) { +- goto error4; ++ goto error5; + } else if (sizeof(vub300->system_port_status) == retval) { + vub300->card_present = + (0x0001 & vub300->system_port_status.port_flags) ? 1 : 0; + vub300->read_only = + (0x0010 & vub300->system_port_status.port_flags) ? 
1 : 0; + } else { +- goto error4; ++ goto error5; + } + usb_set_intfdata(interface, vub300); + INIT_DELAYED_WORK(&vub300->pollwork, vub300_pollwork_thread); +@@ -2345,8 +2345,13 @@ static int vub300_probe(struct usb_interface *interface, + "USB vub300 remote SDIO host controller[%d]" + "connected with no SD/SDIO card inserted\n", + interface_to_InterfaceNumber(interface)); +- mmc_add_host(mmc); ++ retval = mmc_add_host(mmc); ++ if (retval) ++ goto error6; ++ + return 0; ++error6: ++ del_timer_sync(&vub300->inactivity_timer); + error5: + mmc_free_host(mmc); + /* +-- +2.35.1 + diff --git a/queue-4.9/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch b/queue-4.9/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch new file mode 100644 index 00000000000..ec20a6ec068 --- /dev/null +++ b/queue-4.9/mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch 
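Review bot: retargeting the two `usb_control_msg()` failure jumps from `error4` to `error5` assumes that `error5:` falls through into `error4:` after `mmc_free_host(mmc)`; the second hunk shows `error5: mmc_free_host(mmc);` but not what follows it, so confirm the fall-through still releases everything `error4` released before this change.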
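Review bot: `error6:` only runs `del_timer_sync(&vub300->inactivity_timer)`, yet the hunk does not show where that timer is armed; if it is started before the `usb_control_msg()` call in the first hunk, the `error5` jumps there leave it running against a freed host and would need to go to `error6` as well. A short comment at `error6:` naming the point in probe where the timer is added would make that ordering checkable.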
@@ -0,0 +1,55 @@ +From 3aa786e2cc5edaa0340513f8b22bd78a9aad88e7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 9 Nov 2022 21:32:37 +0800 +Subject: mmc: wbsd: fix return value check of mmc_add_host() + +From: Yang Yingliang + +[ Upstream commit dc5b9b50fc9d1334407e316e6e29a5097ef833bd ] + +mmc_add_host() may return error, if we ignore its return value, +it will lead two issues: +1. The memory that allocated in mmc_alloc_host() is leaked. +2. In the remove() path, mmc_remove_host() will be called to + delete device, but it's not added yet, it will lead a kernel + crash because of null-ptr-deref in device_del(). + +So fix this by checking the return value and goto error path which +will call mmc_free_host(), besides, other resources also need be +released. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221109133237.3273558-1-yangyingliang@huawei.com +Signed-off-by: Ulf Hansson +Signed-off-by: Sasha Levin +--- + drivers/mmc/host/wbsd.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/wbsd.c b/drivers/mmc/host/wbsd.c +index c3fd16d997ca..402b044c9a0b 100644 +--- a/drivers/mmc/host/wbsd.c ++++ b/drivers/mmc/host/wbsd.c +@@ -1712,7 +1712,17 @@ static int wbsd_init(struct device *dev, int base, int irq, int dma, + */ + wbsd_init_device(host); + +- mmc_add_host(mmc); ++ ret = mmc_add_host(mmc); ++ if (ret) { ++ if (!pnp) ++ wbsd_chip_poweroff(host); ++ ++ wbsd_release_resources(host); ++ wbsd_free_mmc(dev); ++ ++ mmc_free_host(mmc); ++ return ret; ++ } + + pr_info("%s: W83L51xD", mmc_hostname(mmc)); + if (host->chip_id != 0) +-- +2.35.1 + diff --git a/queue-4.9/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch b/queue-4.9/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch new file mode 100644 index 00000000000..e53a5e06b22 --- /dev/null +++ b/queue-4.9/mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch 
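Review bot: `wbsd_free_mmc(dev)` is immediately followed by `mmc_free_host(mmc)` in the new error block, and a helper with that name that takes `dev` rather than `mmc` very likely looks the host up through drvdata and calls `mmc_free_host()` itself; if it does, this block frees `mmc` twice, turning a leak fix into a use-after-free on the error path. Check the body of `wbsd_free_mmc()` and keep only one of the two calls.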
@@ -0,0 +1,126 @@ +From 17dadf31fa896a62e098fa22079696913673ad0b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 16 Nov 2022 19:45:11 +0800 +Subject: mrp: introduce active flags to prevent UAF when applicant uninit + +From: Schspa Shi + +[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ] + +The caller of del_timer_sync must prevent restarting of the timer, If +we have no this synchronization, there is a small probability that the +cancellation will not be successful. + +And syzbot report the fellowing crash: +================================================================== +BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] +BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 +Write at addr f9ff000024df6058 by task syz-fuzzer/2256 +Pointer tag: [f9], memory tag: [fe] + +CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- +ge01d50cbd6ee #0 +Hardware name: linux,dummy-virt (DT) +Call trace: + dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 + dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] + show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 + print_address_description mm/kasan/report.c:284 [inline] + print_report+0x1a8/0x4a0 mm/kasan/report.c:395 + kasan_report+0x94/0xb4 mm/kasan/report.c:495 + __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 + do_bad_area arch/arm64/mm/fault.c:473 [inline] + do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 + do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 + el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 + el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 + el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 + hlist_add_head include/linux/list.h:929 [inline] + enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 + mod_timer+0x14/0x20 kernel/time/timer.c:1161 + 
mrp_periodic_timer_arm net/802/mrp.c:614 [inline] + mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 + call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 + expire_timers+0x98/0xc4 kernel/time/timer.c:1519 + +To fix it, we can introduce a new active flags to make sure the timer will +not restart. + +Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com + +Signed-off-by: Schspa Shi +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + include/net/mrp.h | 1 + + net/802/mrp.c | 18 +++++++++++++----- + 2 files changed, 14 insertions(+), 5 deletions(-) + +diff --git a/include/net/mrp.h b/include/net/mrp.h +index 31912c3be772..9338d6305159 100644 +--- a/include/net/mrp.h ++++ b/include/net/mrp.h +@@ -119,6 +119,7 @@ struct mrp_applicant { + struct sk_buff *pdu; + struct rb_root mad; + struct rcu_head rcu; ++ bool active; + }; + + struct mrp_port { +diff --git a/net/802/mrp.c b/net/802/mrp.c +index 4ee3af3d400b..ac6b6374a1fc 100644 +--- a/net/802/mrp.c ++++ b/net/802/mrp.c +@@ -610,7 +610,10 @@ static void mrp_join_timer(unsigned long data) + spin_unlock(&app->lock); + + mrp_queue_xmit(app); +- mrp_join_timer_arm(app); ++ spin_lock(&app->lock); ++ if (likely(app->active)) ++ mrp_join_timer_arm(app); ++ spin_unlock(&app->lock); + } + + static void mrp_periodic_timer_arm(struct mrp_applicant *app) +@@ -624,11 +627,12 @@ static void mrp_periodic_timer(unsigned long data) + struct mrp_applicant *app = (struct mrp_applicant *)data; + + spin_lock(&app->lock); +- mrp_mad_event(app, MRP_EVENT_PERIODIC); +- mrp_pdu_queue(app); ++ if (likely(app->active)) { ++ mrp_mad_event(app, MRP_EVENT_PERIODIC); ++ mrp_pdu_queue(app); ++ mrp_periodic_timer_arm(app); ++ } + spin_unlock(&app->lock); +- +- mrp_periodic_timer_arm(app); + } + + static int mrp_pdu_parse_end_mark(struct sk_buff *skb, int *offset) +@@ -876,6 +880,7 @@ int mrp_init_applicant(struct net_device *dev, struct mrp_application *appl) + app->dev = dev; + app->app = appl; + app->mad = RB_ROOT; 
++ app->active = true; + spin_lock_init(&app->lock); + skb_queue_head_init(&app->queue); + rcu_assign_pointer(dev->mrp_port->applicants[appl->type], app); +@@ -905,6 +910,9 @@ void mrp_uninit_applicant(struct net_device *dev, struct mrp_application *appl) + + RCU_INIT_POINTER(port->applicants[appl->type], NULL); + ++ spin_lock_bh(&app->lock); ++ app->active = false; ++ spin_unlock_bh(&app->lock); + /* Delete timer and generate a final TX event to flush out + * all pending messages before the applicant is gone. + */ +-- +2.35.1 + diff --git a/queue-4.9/mtd-fix-device-name-leak-when-register-device-failed.patch b/queue-4.9/mtd-fix-device-name-leak-when-register-device-failed.patch new file mode 100644 index 00000000000..1e2c0464296 --- /dev/null +++ b/queue-4.9/mtd-fix-device-name-leak-when-register-device-failed.patch 
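Review bot: no comment explains why `mrp_join_timer()` now drops `app->lock` around `mrp_queue_xmit(app)` and re-takes it solely to test `app->active` before re-arming; the reason (a `del_timer_sync()` only waits for the running handler, so a handler that re-arms after the flag is cleared would resurrect the timer) is non-obvious and belongs next to the `if (likely(app->active))` check, and likewise in `mrp_periodic_timer()`.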
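Review bot: in `mrp_init_applicant()` the `app->active = true` store precedes `spin_lock_init(&app->lock)`; nothing can observe `app` before the later `rcu_assign_pointer()`, so this is safe, but placing it after the lock init keeps the "every write to `active` happens under the lock" invariant visibly intact.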
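Review bot: `spin_lock_bh()` is the right flavour in `mrp_uninit_applicant()` because both timer callbacks take plain `spin_lock()` from softirq context; note that clearing `active` does not cancel a timer that is already queued, it only stops the callback from re-arming, so the timer deletion the comment below refers to must stay after this block rather than being moved ahead of it.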
@@ -0,0 +1,62 @@ +From f64d61f1de45c28e72cc92876256dce619a6072d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 22 Oct 2022 20:13:52 +0800 +Subject: mtd: Fix device name leak when register device failed in + add_mtd_device() + +From: Zhang Xiaoxu + +[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ] + +There is a kmemleak when register device failed: + unreferenced object 0xffff888101aab550 (size 8): + comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s) + hex dump (first 8 bytes): + 6d 74 64 30 00 88 ff ff mtd0.... + backtrace: + [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150 + [<000000003c32b416>] kvasprintf+0xb0/0x130 + [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0 + [<000000006e781163>] dev_set_name+0xab/0xe0 + [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700 + [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0 + [<00000000c0d88488>] 0xffffffffa0238457 + [<00000000b40d0922>] 0xffffffffa02a008f + [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0 + [<00000000770f6ca6>] do_init_module+0xdf/0x320 + [<000000007b6768fe>] load_module+0x2f98/0x3330 + [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0 + [<00000000674c2290>] do_syscall_64+0x35/0x80 + [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +If register device failed, should call put_device() to give up the +reference. 
+ +Fixes: 1f24b5a8ecbb ("[MTD] driver model updates") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/mtdcore.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/mtd/mtdcore.c b/drivers/mtd/mtdcore.c +index d46e4adf6d2b..4cf97cdbdefe 100644 +--- a/drivers/mtd/mtdcore.c ++++ b/drivers/mtd/mtdcore.c +@@ -552,8 +552,10 @@ int add_mtd_device(struct mtd_info *mtd) + dev_set_drvdata(&mtd->dev, mtd); + of_node_get(mtd_get_of_node(mtd)); + error = device_register(&mtd->dev); +- if (error) ++ if (error) { ++ put_device(&mtd->dev); + goto fail_added; ++ } + + device_create(&mtd_class, mtd->dev.parent, MTD_DEVT(i) + 1, NULL, + "mtd%dro", i); +-- +2.35.1 + diff --git a/queue-4.9/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch b/queue-4.9/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch new file mode 100644 index 00000000000..5db171fd3c2 --- /dev/null +++ b/queue-4.9/mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch 
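Review bot: `put_device(&mtd->dev)` after a failed `device_register()` drops the reference that initialisation took, so the device release callback (not shown) runs immediately and execution then continues at `fail_added`; confirm that `fail_added`, which must drop the `of_node_get()` reference taken in the context line above, does not touch anything the release callback already tore down, and that the release callback does not also drop the of_node reference, or the node refcount will be decremented twice.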
@@ -0,0 +1,41 @@ +From 4c63a6d43b0368d98117201c5e54ec2a56b464c3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 17:02:40 +0800 +Subject: mtd: lpddr2_nvm: Fix possible null-ptr-deref +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Hui Tang + +[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ] + +It will cause null-ptr-deref when resource_size(add_range) invoked, +if platform_get_resource() returns NULL. + +Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories") +Signed-off-by: Hui Tang +Acked-by: Uwe Kleine-König +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/lpddr/lpddr2_nvm.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/lpddr/lpddr2_nvm.c b/drivers/mtd/lpddr/lpddr2_nvm.c +index 5e36366d9b36..19b00225c7ef 100644 +--- a/drivers/mtd/lpddr/lpddr2_nvm.c ++++ b/drivers/mtd/lpddr/lpddr2_nvm.c +@@ -448,6 +448,8 @@ static int lpddr2_nvm_probe(struct platform_device *pdev) + + /* lpddr2_nvm address range */ + add_range = platform_get_resource(pdev, IORESOURCE_MEM, 0); ++ if (!add_range) ++ return -ENODEV; + + /* Populate map_info data structure */ + *map = (struct map_info) { +-- +2.35.1 + diff --git a/queue-4.9/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch b/queue-4.9/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch new file mode 100644 index 00000000000..7eb885ab2aa --- /dev/null +++ b/queue-4.9/mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch 
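Review bot: the new check returns `-ENODEV` directly instead of going through whatever error unwinding the rest of `lpddr2_nvm_probe()` uses; the context shows `map` being populated just below, so confirm that everything allocated before this point (`map` and the structure it belongs to) is devm-managed, otherwise this early return introduces a leak while fixing the NULL dereference.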
@@ -0,0 +1,44 @@ +From e210e1af4d8e3677c3182d8d5ba9ae15aad087ef Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 19 Nov 2022 07:33:07 +0000 +Subject: mtd: maps: pxa2xx-flash: fix memory leak in probe + +From: Zheng Yongjun + +[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ] + +Free 'info' upon remapping error to avoid a memory leak. + +Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver") +Signed-off-by: Zheng Yongjun +[: Reword the commit log] +Signed-off-by: Miquel Raynal +Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/mtd/maps/pxa2xx-flash.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/mtd/maps/pxa2xx-flash.c b/drivers/mtd/maps/pxa2xx-flash.c +index 2cde28ed95c9..59d2fe1f46e1 100644 +--- a/drivers/mtd/maps/pxa2xx-flash.c ++++ b/drivers/mtd/maps/pxa2xx-flash.c +@@ -69,6 +69,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev) + if (!info->map.virt) { + printk(KERN_WARNING "Failed to ioremap %s\n", + info->map.name); ++ kfree(info); + return -ENOMEM; + } + info->map.cached = +@@ -91,6 +92,7 @@ static int pxa2xx_flash_probe(struct platform_device *pdev) + iounmap((void *)info->map.virt); + if (info->map.cached) + iounmap(info->map.cached); ++ kfree(info); + return -EIO; + } + info->mtd->dev.parent = &pdev->dev; +-- +2.35.1 + diff --git a/queue-4.9/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch b/queue-4.9/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch new file mode 100644 index 00000000000..9a2101555ad --- /dev/null +++ b/queue-4.9/myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch 
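Review bot: `kfree(info)` after the `printk()` that still reads `info->map.name` is in the right order, but it assumes `info` came from a plain `kmalloc()` rather than `devm_kzalloc()`; the allocation is not in the hunk, so confirm it, since freeing a devm allocation by hand would be a double free.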
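Review bot: after the second hunk both failure branches (the `ioremap` failure above and this one) carry their own copy of the `kfree(info)` cleanup, and this one already duplicates two `iounmap()` calls; a single `err_unmap:`/`err_free:` label pair at the bottom of `pxa2xx_flash_probe()` would make it harder for the next error path added here to forget the free.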
@@ -0,0 +1,37 @@ +From 3acecdfb0e835a7c4eb7927856b28a360644250f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 18 Dec 2022 19:08:40 +0100 +Subject: myri10ge: Fix an error handling path in myri10ge_probe() + +From: Christophe JAILLET + +[ Upstream commit d83b950d44d2982c0e62e3d81b0f35ab09431008 ] + +Some memory allocated in myri10ge_probe_slices() is not released in the +error handling path of myri10ge_probe(). + +Add the corresponding kfree(), as already done in the remove function. + +Fixes: 0dcffac1a329 ("myri10ge: add multislices support") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/myricom/myri10ge/myri10ge.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +index 5eeba263b5f8..d50cee7aae4d 100644 +--- a/drivers/net/ethernet/myricom/myri10ge/myri10ge.c ++++ b/drivers/net/ethernet/myricom/myri10ge/myri10ge.c +@@ -4152,6 +4152,7 @@ static int myri10ge_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + myri10ge_free_slices(mgp); + + abort_with_firmware: ++ kfree(mgp->msix_vectors); + myri10ge_dummy_rdma(mgp, 0); + + abort_with_ioremap: +-- +2.35.1 + diff --git a/queue-4.9/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch b/queue-4.9/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch new file mode 100644 index 00000000000..d8291025c27 --- /dev/null +++ b/queue-4.9/net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch 
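Review bot: `kfree(mgp->msix_vectors)` at `abort_with_firmware` runs for every failure that reaches this label, including ones that jump here before `myri10ge_probe_slices()` allocated the vectors; that is only safe if the pointer is NULL for those earlier failures (true for zeroed netdev private data) and if no other step on this path, `myri10ge_free_slices(mgp)` above included, frees the same buffer. Setting `mgp->msix_vectors = NULL` after the free would make the label robust against both.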
@@ -0,0 +1,58 @@ +From 940739e15a3c7d6d4113e86975b604679b9896bb Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:47 +0800 +Subject: net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 6151d105dfce8c23edf30eed35e97f3d9b96a35c ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In these two cases, dev_kfree_skb() is called consume the xmited SKB, +so replace it with dev_consume_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/amd/atarilance.c | 2 +- + drivers/net/ethernet/amd/lance.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/amd/atarilance.c b/drivers/net/ethernet/amd/atarilance.c +index 35a9f252ceb6..421e47f8b54a 100644 +--- a/drivers/net/ethernet/amd/atarilance.c ++++ b/drivers/net/ethernet/amd/atarilance.c +@@ -826,7 +826,7 @@ lance_start_xmit(struct sk_buff *skb, struct net_device *dev) + lp->memcpy_f( PKTBUF_ADDR(head), (void *)skb->data, skb->len ); + head->flag = TMD1_OWN_CHIP | TMD1_ENP | TMD1_STP; + dev->stats.tx_bytes += skb->len; +- dev_kfree_skb( skb ); ++ dev_consume_skb_irq(skb); + lp->cur_tx++; + while( lp->cur_tx >= TX_RING_SIZE && lp->dirty_tx >= TX_RING_SIZE ) { + lp->cur_tx -= TX_RING_SIZE; +diff --git a/drivers/net/ethernet/amd/lance.c b/drivers/net/ethernet/amd/lance.c +index abb1ba228b26..3495e0b4d3ef 100644 +--- a/drivers/net/ethernet/amd/lance.c ++++ b/drivers/net/ethernet/amd/lance.c +@@ -998,7 +998,7 @@ static netdev_tx_t lance_start_xmit(struct sk_buff *skb, + 
skb_copy_from_linear_data(skb, &lp->tx_bounce_buffs[entry], skb->len); + lp->tx_ring[entry].base = + ((u32)isa_virt_to_bus((lp->tx_bounce_buffs + entry)) & 0xffffff) | 0x83000000; +- dev_kfree_skb(skb); ++ dev_consume_skb_irq(skb); + } else { + lp->tx_skbuff[entry] = skb; + lp->tx_ring[entry].base = ((u32)isa_virt_to_bus(skb->data) & 0xffffff) | 0x83000000; +-- +2.35.1 + diff --git a/queue-4.9/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch b/queue-4.9/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..b9d4e4ed1c9 --- /dev/null +++ b/queue-4.9/net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch 
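Review bot: the commit message justifies `dev_consume_skb_irq()` in atarilance's `lance_start_xmit()` by the free happening under `spin_lock_irqsave()`, but none of the hunk's context lines show the lock, so the reader cannot verify that interrupts really are disabled here; naming the lock in the commit message (or a brief comment at the call) would make the `_irq` choice reviewable. The ordering is otherwise right: the `lp->memcpy_f(PKTBUF_ADDR(head), ...)` copy completes before the skb is handed to the deferred free.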
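Review bot: in lance.c the `dev_consume_skb_irq()` change is applied only in the bounce-buffer branch, which is correct because the `else` branch keeps `skb` in `lp->tx_skbuff[entry]` for release after transmission; that asymmetry deserves a one-line comment so the next person does not "fix" the other branch as well.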
@@ -0,0 +1,45 @@ +From 14a36004d5d4f533708cf807c0766d62d361e507 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 21:37:35 +0800 +Subject: net: apple: bmac: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 5fe02e046e6422c4adfdbc50206ec7186077da24 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in bmac_tx_timeout() to drop +the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apple/bmac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apple/bmac.c b/drivers/net/ethernet/apple/bmac.c +index ffa7e7e6d18d..01874e1dbb8b 100644 +--- a/drivers/net/ethernet/apple/bmac.c ++++ b/drivers/net/ethernet/apple/bmac.c +@@ -1518,7 +1518,7 @@ static void bmac_tx_timeout(unsigned long data) + i = bp->tx_empty; + ++dev->stats.tx_errors; + if (i != bp->tx_fill) { +- dev_kfree_skb(bp->tx_bufs[i]); ++ dev_kfree_skb_irq(bp->tx_bufs[i]); + bp->tx_bufs[i] = NULL; + if (++i >= N_TX_RING) i = 0; + bp->tx_empty = i; +-- +2.35.1 + diff --git a/queue-4.9/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch b/queue-4.9/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch new file mode 100644 index 00000000000..d5c2c025387 --- /dev/null +++ b/queue-4.9/net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch 
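Review bot: `dev_kfree_skb_irq()` is the correct variant if the handler runs with interrupts disabled, as the commit message says, and the `unsigned long data` signature confirms `bmac_tx_timeout()` is a timer callback; if the locking context could ever vary, `dev_kfree_skb_any()` would be the safer choice, since it selects the right path at runtime. Clearing `bp->tx_bufs[i]` right after the free, as the context does, is good.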
@@ -0,0 +1,45 @@ +From 6d50b47b1b29e357994eedcb5df2008c6811b719 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 21:37:34 +0800 +Subject: net: apple: mace: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit 3dfe3486c1cd4f82b466b7d307f23777137b8acc ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in mace_tx_timeout() to drop +the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/apple/mace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/apple/mace.c b/drivers/net/ethernet/apple/mace.c +index e58a7c73766e..ea6199425b67 100644 +--- a/drivers/net/ethernet/apple/mace.c ++++ b/drivers/net/ethernet/apple/mace.c +@@ -843,7 +843,7 @@ static void mace_tx_timeout(unsigned long data) + if (mp->tx_bad_runt) { + mp->tx_bad_runt = 0; + } else if (i != mp->tx_fill) { +- dev_kfree_skb(mp->tx_bufs[i]); ++ dev_kfree_skb_irq(mp->tx_bufs[i]); + if (++i >= N_TX_RING) + i = 0; + mp->tx_empty = i; +-- +2.35.1 + diff --git a/queue-4.9/net-defxx-fix-missing-err-handling-in-dfx_init.patch b/queue-4.9/net-defxx-fix-missing-err-handling-in-dfx_init.patch new file mode 100644 index 00000000000..7db7cc42d37 --- /dev/null +++ b/queue-4.9/net-defxx-fix-missing-err-handling-in-dfx_init.patch 
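Review bot: pre-existing rather than introduced here, but visible in the lines touched: after `dev_kfree_skb_irq(mp->tx_bufs[i])` the slot `mp->tx_bufs[i]` is left pointing at the freed skb, whereas the equivalent bmac change clears `bp->tx_bufs[i] = NULL` right after its free; clearing the slot here too would turn a later double free or use-after-free through the ring into a NULL dereference, which is far easier to diagnose.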
@@ -0,0 +1,61 @@ +From 78d1db9fbaf7e62f5cb7af4626a33c3733216e39 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 7 Dec 2022 07:20:45 +0000 +Subject: net: defxx: Fix missing err handling in dfx_init() + +From: Yongqiang Liu + +[ Upstream commit ae18dcdff0f8d7e84cd3fd9f496518b5e72d185d ] + +When eisa_driver_register() or tc_register_driver() failed, +the modprobe defxx would fail with some err log as follows: + + Error: Driver 'defxx' is already registered, aborting... + +Fix this issue by adding err hanling in dfx_init(). + +Fixes: e89a2cfb7d7b5 ("[TC] defxx: TURBOchannel support") +Signed-off-by: Yongqiang Liu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/fddi/defxx.c | 22 ++++++++++++++++++---- + 1 file changed, 18 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/fddi/defxx.c b/drivers/net/fddi/defxx.c +index bdcf4aa34566..bb3c7781cdfa 100644 +--- a/drivers/net/fddi/defxx.c ++++ b/drivers/net/fddi/defxx.c +@@ -3844,10 +3844,24 @@ static int dfx_init(void) + int status; + + status = pci_register_driver(&dfx_pci_driver); +- if (!status) +- status = eisa_driver_register(&dfx_eisa_driver); +- if (!status) +- status = tc_register_driver(&dfx_tc_driver); ++ if (status) ++ goto err_pci_register; ++ ++ status = eisa_driver_register(&dfx_eisa_driver); ++ if (status) ++ goto err_eisa_register; ++ ++ status = tc_register_driver(&dfx_tc_driver); ++ if (status) ++ goto err_tc_register; ++ ++ return 0; ++ ++err_tc_register: ++ eisa_driver_unregister(&dfx_eisa_driver); ++err_eisa_register: ++ pci_unregister_driver(&dfx_pci_driver); ++err_pci_register: + return status; + } + +-- +2.35.1 + diff --git a/queue-4.9/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch b/queue-4.9/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch new file mode 100644 index 00000000000..ba3cb87c7a6 --- /dev/null +++ b/queue-4.9/net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch 
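Review bot: the commit message does not say why a failed registration surfaces as "Driver 'defxx' is already registered" on the next modprobe, and the hunk makes the reason plain: the old `if (!status)` chain returned the error while leaving the PCI (and possibly EISA) driver registered, so the module failed to load but its earlier registrations were never undone. Stating that in the message would help anyone backporting further. The unwind order in the new code (tc, then eisa, then pci) is the reverse of registration, which is correct; the module exit function should unregister in the same reverse order, but it is not part of the hunk.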
@@ -0,0 +1,44 @@ +From 20d5a20cb0ad0f9d419acf251eea0974d85927b7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:44 +0800 +Subject: net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit d1678bf45f21fa5ae4a456f821858679556ea5f8 ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +It should use dev_kfree_skb_irq() or dev_consume_skb_irq() instead. +The difference between them is free reason, dev_kfree_skb_irq() means +the SKB is dropped in error and dev_consume_skb_irq() means the SKB +is consumed in normal. + +In this case, dev_kfree_skb() is called in xemaclite_tx_timeout() to +drop the SKB, when tx timeout, so replace it with dev_kfree_skb_irq(). + +Fixes: bb81b2ddfa19 ("net: add Xilinx emac lite device driver") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/xilinx/xilinx_emaclite.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/xilinx/xilinx_emaclite.c b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +index cdcc86060749..99c7872504fe 100644 +--- a/drivers/net/ethernet/xilinx/xilinx_emaclite.c ++++ b/drivers/net/ethernet/xilinx/xilinx_emaclite.c +@@ -537,7 +537,7 @@ static void xemaclite_tx_timeout(struct net_device *dev) + xemaclite_enable_interrupts(lp); + + if (lp->deferred_skb) { +- dev_kfree_skb(lp->deferred_skb); ++ dev_kfree_skb_irq(lp->deferred_skb); + lp->deferred_skb = NULL; + dev->stats.tx_errors++; + } +-- +2.35.1 + diff --git a/queue-4.9/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch b/queue-4.9/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch new file mode 100644 index 00000000000..660cf95cec0 --- /dev/null +++ b/queue-4.9/net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch 
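Review bot: in the xemaclite_tx_timeout() hunk the free of `lp->deferred_skb` happens after `xemaclite_enable_interrupts(lp);`, so a TX-done interrupt can fire between re-enabling interrupts and the `lp->deferred_skb = NULL;` store. That is only safe if the interrupt handler takes the same lock this timeout handler holds (the spin_lock_irqsave() from the subject is outside the visible lines); with irqs disabled by the lock the window is closed on this CPU but not on others, so it is worth confirming. The change from dev_kfree_skb() to dev_kfree_skb_irq() is itself the right fix for freeing with hardware interrupts disabled.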
@@ -0,0 +1,45 @@ +From 014ac02f9b4baca869fe648c6a8f4c0157631109 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 22:21:45 +0800 +Subject: net: ethernet: dnet: don't call dev_kfree_skb() under + spin_lock_irqsave() + +From: Yang Yingliang + +[ Upstream commit f07fadcbee2a5e84caa67c7c445424200bffb60b ] + +It is not allowed to call kfree_skb() or consume_skb() from hardware +interrupt context or with hardware interrupts being disabled. + +In this case, the lock is used to protected 'bp', so we can move +dev_kfree_skb() after the spin_unlock_irqrestore(). + +Fixes: 4796417417a6 ("dnet: Dave DNET ethernet controller driver (updated)") +Signed-off-by: Yang Yingliang +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/dnet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/dnet.c b/drivers/net/ethernet/dnet.c +index c3b64cdd0dec..62fcedd6f732 100644 +--- a/drivers/net/ethernet/dnet.c ++++ b/drivers/net/ethernet/dnet.c +@@ -558,11 +558,11 @@ static netdev_tx_t dnet_start_xmit(struct sk_buff *skb, struct net_device *dev) + + skb_tx_timestamp(skb); + ++ spin_unlock_irqrestore(&bp->lock, flags); ++ + /* free the buffer */ + dev_kfree_skb(skb); + +- spin_unlock_irqrestore(&bp->lock, flags); +- + return NETDEV_TX_OK; + } + +-- +2.35.1 + diff --git a/queue-4.9/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch b/queue-4.9/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch new file mode 100644 index 00000000000..54e76e96eb9 --- /dev/null +++ b/queue-4.9/net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch 
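Review bot: in the dnet_start_xmit() hunk this is the successful-transmit path (the function returns NETDEV_TX_OK right after), so by the drop/consume distinction the sibling patches in this series spell out, `dev_consume_skb_any(skb)` or consume_skb() would record the free as a normal consume rather than an error drop in the skb tracepoints; dev_kfree_skb() is functionally fine now that it runs after `spin_unlock_irqrestore(&bp->lock, flags);`. Nothing after the unlock touches `bp` in the visible lines, so moving the unlock up is safe, and `skb_tx_timestamp(skb);` stays under the lock, which preserves the previous ordering.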
@@ -0,0 +1,53 @@ +From abc7429706d14ed6e742eb1e2dda29b4c6fc47c8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 2 Nov 2022 09:09:33 -0700 +Subject: net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit 63fe6ff674a96cfcfc0fa8df1051a27aa31c70b4 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/net/ethernet/ti/netcp_core.c:1944:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = netcp_ndo_start_xmit, + ^~~~~~~~~~~~~~~~~~~~ + 1 error generated. + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of +netcp_ndo_start_xmit() to match the prototype's to resolve the warning +and CFI failure. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Signed-off-by: Nathan Chancellor +Reviewed-by: Kees Cook +Link: https://lore.kernel.org/r/20221102160933.1601260-1-nathan@kernel.org +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/netcp_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index c17967b23d3c..957701d48712 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -1237,7 +1237,7 @@ static int netcp_tx_submit_skb(struct netcp_intf *netcp, + } + + /* Submit the packet */ +-static int netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev) ++static netdev_tx_t netcp_ndo_start_xmit(struct sk_buff *skb, struct net_device *ndev) + { + struct netcp_intf *netcp = netdev_priv(ndev); + int subqueue = skb_get_queue_mapping(skb); +-- +2.35.1 + diff --git a/queue-4.9/net-farsync-fix-kmemleak-when-rmmods-farsync.patch b/queue-4.9/net-farsync-fix-kmemleak-when-rmmods-farsync.patch new file mode 100644 index 00000000000..2d604ac53e7 --- /dev/null +++ b/queue-4.9/net-farsync-fix-kmemleak-when-rmmods-farsync.patch 
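Review bot: in the netcp_ndo_start_xmit() hunk only the declaration changes to `netdev_tx_t`; the function body and its return statements are not in the hunk. The change is complete only if every return already yields NETDEV_TX_OK or NETDEV_TX_BUSY rather than a raw errno, because the new type makes a bare negative return silently become an invalid netdev_tx_t value. Worth a look at the body in the 4.9 tree, since the clang check quoted in the commit message validates the prototype, not the values returned.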
@@ -0,0 +1,75 @@ +From 8264bc7a9de597f26355b6972f93e923a31b61b5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:05:40 +0800 +Subject: net: farsync: Fix kmemleak when rmmods farsync + +From: Li Zetao + +[ Upstream commit 2f623aaf9f31de968dea6169849706a2f9be444c ] + +There are two memory leaks reported by kmemleak: + + unreferenced object 0xffff888114b20200 (size 128): + comm "modprobe", pid 4846, jiffies 4295146524 (age 401.345s) + hex dump (first 32 bytes): + e0 62 57 09 81 88 ff ff e0 62 57 09 81 88 ff ff .bW......bW..... + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] __hw_addr_add_ex+0x198/0x6c0 + [] dev_addr_init+0x13d/0x230 + [] alloc_netdev_mqs+0x10d/0xe50 + [] alloc_hdlcdev+0x2e/0x80 + [] fst_add_one+0x601/0x10e0 [farsync] + ... + + unreferenced object 0xffff88810b85b000 (size 1024): + comm "modprobe", pid 4846, jiffies 4295146523 (age 401.346s) + hex dump (first 32 bytes): + 00 00 b0 02 00 c9 ff ff 00 70 0a 00 00 c9 ff ff .........p...... + 00 00 00 f2 00 00 00 f3 0a 00 00 00 02 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] fst_add_one+0x154/0x10e0 [farsync] + [] local_pci_probe+0xd3/0x170 + ... + +The root cause is traced to the netdev and fst_card_info are not freed +when removes one fst in fst_remove_one(), which may trigger oom if +repeated insmod and rmmod module. + +Fix it by adding free_netdev() and kfree() in fst_remove_one(), just as +the operations on the error handling path in fst_add_one(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Li Zetao +Reviewed-by: Jiri Pirko +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/wan/farsync.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index 3c9cbf908ec7..e8522014a67a 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -2620,6 +2620,7 @@ fst_remove_one(struct pci_dev *pdev) + for (i = 0; i < card->nports; i++) { + struct net_device *dev = port_to_dev(&card->ports[i]); + unregister_hdlc_device(dev); ++ free_netdev(dev); + } + + fst_disable_intr(card); +@@ -2640,6 +2641,7 @@ fst_remove_one(struct pci_dev *pdev) + card->tx_dma_handle_card); + } + fst_card_array[card->card_no] = NULL; ++ kfree(card); + } + + static struct pci_driver fst_driver = { +-- +2.35.1 + diff --git a/queue-4.9/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch b/queue-4.9/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch new file mode 100644 index 00000000000..25682c5c0da --- /dev/null +++ b/queue-4.9/net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch 
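Review bot: in the fst_remove_one() hunk the new `free_netdev(dev);` runs inside the per-port loop, before `fst_disable_intr(card);` and the rest of the teardown. If the card's interrupt handler can still run at that point and reaches a port's net_device through `card->ports[i]`, the netdev is freed while still reachable from the ISR; the safer ordering keeps unregister_hdlc_device() in the loop but moves the free_netdev() calls to after the interrupt is disabled and the IRQ released, with `kfree(card);` last as the hunk already has it. If unregister_hdlc_device() already guarantees the device is quiesced this is a non-issue, but that is not visible here. The `kfree(card);` placement after `fst_card_array[card->card_no] = NULL;` is correct, since card_no is read before the free.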
@@ -0,0 +1,69 @@ +From 806da2e8df810943dde4e0d091c39f43814a5c7f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 16 Dec 2022 16:29:17 +0000 +Subject: net: stream: purge sk_error_queue in sk_stream_kill_queues() + +From: Eric Dumazet + +[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ] + +Changheon Lee reported TCP socket leaks, with a nice repro. + +It seems we leak TCP sockets with the following sequence: + +1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. + + Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). + __skb_tstamp_tx() is using skb_clone(), unless + SOF_TIMESTAMPING_OPT_TSONLY was also requested. + +2) If the application is also using MSG_ZEROCOPY, then we put in the + error queue cloned skbs that had a struct ubuf_info attached to them. + + Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() + does a sock_hold(). + + As long as the cloned skbs are still in sk_error_queue, + socket refcount is kept elevated. + +3) Application closes the socket, while error queue is not empty. + +Since tcp_close() no longer purges the socket error queue, +we might end up with a TCP socket with at least one skb in +error queue keeping the socket alive forever. + +This bug can be (ab)used to consume all kernel memory +and freeze the host. + +We need to purge the error queue, with proper synchronization +against concurrent writers. + +Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()") +Reported-by: Changheon Lee +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/core/stream.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/net/core/stream.c b/net/core/stream.c +index 05b63feac7e5..6f5979c6f2b0 100644 +--- a/net/core/stream.c ++++ b/net/core/stream.c +@@ -193,6 +193,12 @@ void sk_stream_kill_queues(struct sock *sk) + /* First the read buffer. */ + __skb_queue_purge(&sk->sk_receive_queue); + ++ /* Next, the error queue. 
++ * We need to use queue lock, because other threads might ++ * add packets to the queue without socket lock being held. ++ */ ++ skb_queue_purge(&sk->sk_error_queue); ++ + /* Next, the write queue. */ + WARN_ON(!skb_queue_empty(&sk->sk_write_queue)); + +-- +2.35.1 + diff --git a/queue-4.9/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch b/queue-4.9/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch new file mode 100644 index 00000000000..1f4c452ccd9 --- /dev/null +++ b/queue-4.9/net-tunnel-wait-until-all-sk_user_data-reader-finish.patch 
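Review bot: in the sk_stream_kill_queues() hunk the `skb_queue_purge(&sk->sk_error_queue);` sits after the receive-queue purge and before the write-queue WARN_ON, and the comment correctly explains why the locked variant rather than `__skb_queue_purge()` is needed. One thing to confirm for the 4.9 backport: the commit message says each ACK can still cook a timestamp skb into the error queue, so if an ACK is processed after this purge but before the socket is fully torn down, the same skb with its ubuf_info reference can be re-added; the fix is complete only if callers reach sk_stream_kill_queues() once the socket can no longer process ACKs. The 4.9 tree also needs to contain the commit in the Fixes: tag (24bcbe1cc69f) for this to be a fix rather than a behavioural change, which should be checked given the age of the base tree.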
@@ -0,0 +1,75 @@ +From 88d0a89c1d0a0ca450df25e56946b6550b454ae7 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 20:04:52 +0800 +Subject: net/tunnel: wait until all sk_user_data reader finish before + releasing the sock + +From: Hangbin Liu + +[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ] + +There is a race condition in vxlan that when deleting a vxlan device +during receiving packets, there is a possibility that the sock is +released after getting vxlan_sock vs from sk_user_data. Then in +later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got +NULL pointer dereference. e.g. + + #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757 + #1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d + #2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48 + #3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b + #4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb + #5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542 + #6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62 + [exception RIP: vxlan_ecn_decapsulate+0x3b] + RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246 + RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000 + RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700 + RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae + R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700 + R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan] + #8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507 + #9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45 + #10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807 + #11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951 + #12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde + #13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b + #14 
[ffffa25ec6978ec8] process_backlog at ffffffff8cece139 + #15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a + #16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3 + #17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca + #18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3 + +Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh + +Fix this by waiting for all sk_user_data reader to finish before +releasing the sock. + +Reported-by: Jianlin Shi +Suggested-by: Jakub Sitnicki +Fixes: 6a93cc905274 ("udp-tunnel: Add a few more UDP tunnel APIs") +Signed-off-by: Hangbin Liu +Reviewed-by: Jiri Pirko +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv4/udp_tunnel.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/ipv4/udp_tunnel.c b/net/ipv4/udp_tunnel.c +index 58bd39fb14b4..1f530a9b0357 100644 +--- a/net/ipv4/udp_tunnel.c ++++ b/net/ipv4/udp_tunnel.c +@@ -163,6 +163,7 @@ EXPORT_SYMBOL_GPL(udp_tunnel_xmit_skb); + void udp_tunnel_sock_release(struct socket *sock) + { + rcu_assign_sk_user_data(sock->sk, NULL); ++ synchronize_rcu(); + kernel_sock_shutdown(sock, SHUT_RDWR); + sock_release(sock); + } +-- +2.35.1 + diff --git a/queue-4.9/net-vmw_vsock-vmci-check-memcpy_from_msg.patch b/queue-4.9/net-vmw_vsock-vmci-check-memcpy_from_msg.patch new file mode 100644 index 00000000000..c9cf49b2799 --- /dev/null +++ b/queue-4.9/net-vmw_vsock-vmci-check-memcpy_from_msg.patch 
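Review bot: in the udp_tunnel_sock_release() hunk `synchronize_rcu();` is a blocking call that waits a full grace period, so every caller must be in sleepable process context; the callers are not visible here and should be confirmed for the 4.9 tree, and the added grace period per tunnel socket teardown is worth a sentence in the message. The ordering is right: clearing sk_user_data first and then waiting guarantees that readers which already loaded the old pointer inside an RCU read-side section (the softirq receive path in the backtrace, vxlan_rcv via __udp4_lib_rcv) have finished before sock_release() frees the socket. Readers that access sk_user_data outside rcu_read_lock() or BH context get no protection from this, so the receive-side accessors need to stay within one.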
@@ -0,0 +1,47 @@ +From 746c38556de3f52524ce7159892b6992025bb376 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Dec 2022 09:58:34 +0300 +Subject: net: vmw_vsock: vmci: Check memcpy_from_msg() + +From: Artem Chernyshev + +[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ] + +vmci_transport_dgram_enqueue() does not check the return value +of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that +uninitialized memory contents are sent unintentionally instead of user's +message in the datagram to the destination. Return with an error if +memcpy_from_msg() fails. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: 0f7db23a07af ("vmci_transport: switch ->enqeue_dgram, ->enqueue_stream and ->dequeue_stream to msghdr") +Signed-off-by: Artem Chernyshev +Reviewed-by: Stefano Garzarella +Reviewed-by: Vishnu Dasa +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/vmw_vsock/vmci_transport.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index c09efcdf72d2..d096ef9d1c89 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -1738,7 +1738,11 @@ static int vmci_transport_dgram_enqueue( + if (!dg) + return -ENOMEM; + +- memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len); ++ err = memcpy_from_msg(VMCI_DG_PAYLOAD(dg), msg, len); ++ if (err) { ++ kfree(dg); ++ return err; ++ } + + dg->dst = vmci_make_handle(remote_addr->svm_cid, + remote_addr->svm_port); +-- +2.35.1 + diff --git a/queue-4.9/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch b/queue-4.9/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch new file mode 100644 index 00000000000..9d6a5df9f27 --- /dev/null +++ b/queue-4.9/net_sched-reject-tcf_em_simple-case-for-complex-emat.patch 
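Review bot: in the vmci_transport_dgram_enqueue() hunk the error path frees `dg` and returns the memcpy_from_msg() error before any destination fields are set, so there is no leak and no partially built datagram is sent; `err` must already be declared in this function, which the hunk does not show. As defence in depth, allocating `dg` with kzalloc() instead of kmalloc() (the allocation sits above the visible context) would mean a short or failed copy can never expose uninitialised heap contents to the peer even if a future path forgets the check, which is exactly the bug class the commit message describes.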
@@ -0,0 +1,52 @@ +From d1700e6a5ab0f7f8635d0d573280c19af7d8df4d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 17 Dec 2022 14:17:07 -0800 +Subject: net_sched: reject TCF_EM_SIMPLE case for complex ematch module + +From: Cong Wang + +[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ] + +When TCF_EM_SIMPLE was introduced, it is supposed to be convenient +for ematch implementation: + +https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/ + +"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE +set will simply result in allocating & copy. It's an optimization, +nothing more." + +So if an ematch module provides ops->datalen that means it wants a +complex data structure (saved in its em->data) instead of a simple u32 +value. We should simply reject such a combination, otherwise this u32 +could be misinterpreted as a pointer. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-and-tested-by: syzbot+4caeae4c7103813598ae@syzkaller.appspotmail.com +Reported-by: Jun Nie +Cc: Jamal Hadi Salim +Cc: Paolo Abeni +Signed-off-by: Cong Wang +Acked-by: Paolo Abeni +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/ematch.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/sched/ematch.c b/net/sched/ematch.c +index d4d6f9c91e8c..59340d633253 100644 +--- a/net/sched/ematch.c ++++ b/net/sched/ematch.c +@@ -259,6 +259,8 @@ static int tcf_em_validate(struct tcf_proto *tp, + * the value carried. + */ + if (em_hdr->flags & TCF_EM_SIMPLE) { ++ if (em->ops->datalen > 0) ++ goto errout; + if (data_len < sizeof(u32)) + goto errout; + em->data = *(u32 *) data; +-- +2.35.1 + diff --git a/queue-4.9/nfc-pn533-clear-nfc_target-before-being-used.patch b/queue-4.9/nfc-pn533-clear-nfc_target-before-being-used.patch new file mode 100644 index 00000000000..2183394d171 --- /dev/null +++ b/queue-4.9/nfc-pn533-clear-nfc_target-before-being-used.patch 
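Review bot: in the tcf_em_validate() hunk the new `goto errout` relies on `err` still holding the function's initial error value at this point, since the added lines do not set it; `err` and its initialisation are outside the visible context, so confirm no earlier branch reassigned it to 0, otherwise a rejected TCF_EM_SIMPLE match would be reported as success. A one-line comment above the check saying that `ops->datalen > 0` means the module expects em->data to hold a pointer to a structure, not an inline u32, would also spare the next reader the trip to the 2005 mailing-list link in the message.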
@@ -0,0 +1,73 @@ +From 18ed45a4ee687b4c74a0a8253bafaf8b208fd336 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 10:51:39 +0900 +Subject: nfc: pn533: Clear nfc_target before being used + +From: Minsuk Kang + +[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ] + +Fix a slab-out-of-bounds read that occurs in nla_put() called from +nfc_genl_send_target() when target->sensb_res_len, which is duplicated +from an nfc_target in pn533, is too large as the nfc_target is not +properly initialized and retains garbage values. Clear nfc_targets with +memset() before they are used. + +Found by a modified version of syzkaller. + +BUG: KASAN: slab-out-of-bounds in nla_put +Call Trace: + memcpy + nla_put + nfc_genl_dump_targets + genl_lock_dumpit + netlink_dump + __netlink_dump_start + genl_family_rcv_msg_dumpit + genl_rcv_msg + netlink_rcv_skb + genl_rcv + netlink_unicast + netlink_sendmsg + sock_sendmsg + ____sys_sendmsg + ___sys_sendmsg + __sys_sendmsg + do_syscall_64 + +Fixes: 673088fb42d0 ("NFC: pn533: Send ATR_REQ directly for active device detection") +Fixes: 361f3cb7f9cf ("NFC: DEP link hook implementation for pn533") +Signed-off-by: Minsuk Kang +Reviewed-by: Krzysztof Kozlowski +Link: https://lore.kernel.org/r/20221214015139.119673-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/nfc/pn533/pn533.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c +index 806309ee4165..fe81946a9ab4 100644 +--- a/drivers/nfc/pn533/pn533.c ++++ b/drivers/nfc/pn533/pn533.c +@@ -1294,6 +1294,8 @@ static int pn533_poll_dep_complete(struct pn533 *dev, void *arg, + if (IS_ERR(resp)) + return PTR_ERR(resp); + ++ memset(&nfc_target, 0, sizeof(struct nfc_target)); ++ + rsp = (struct pn533_cmd_jump_dep_response *)resp->data; + + rc = rsp->status & PN533_CMD_RET_MASK; +@@ -1776,6 +1778,8 @@ static int pn533_in_dep_link_up_complete(struct pn533 *dev, void *arg, 
+ + dev_dbg(dev->dev, "Creating new target\n"); + ++ memset(&nfc_target, 0, sizeof(struct nfc_target)); ++ + nfc_target.supported_protocols = NFC_PROTO_NFC_DEP_MASK; + nfc_target.nfcid1_len = 10; + memcpy(nfc_target.nfcid1, rsp->nfcid3t, nfc_target.nfcid1_len); +-- +2.35.1 + diff --git a/queue-4.9/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch b/queue-4.9/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch new file mode 100644 index 00000000000..2018a53f23f --- /dev/null +++ b/queue-4.9/nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch 
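Review bot: both hunks use `memset(&nfc_target, 0, sizeof(struct nfc_target));`; `sizeof(nfc_target)` is the more robust spelling since it follows the variable if its type changes, and a zero initialiser on the declaration would avoid the memset altogether, though the declaration is not in the hunk. Beyond the driver, the trace in the commit message shows the overread happens in nfc_genl_send_target() from a trusted `sensb_res_len`; the fix zeroes the producer, but clamping sensb_res_len against the size of the sensb_res buffer in the core before nla_put() would stop the next driver with the same omission from reproducing the out-of-bounds read.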
@@ -0,0 +1,87 @@ +From 789f7eb9a7fb81e619f191ce0e21c19c713a31e9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 12 Dec 2022 13:11:06 +0200 +Subject: nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure + +From: Dan Aloni + +[ Upstream commit 3bc8edc98bd43540dbe648e4ef91f443d6d20a24 ] + +On error situation `clp->cl_cb_conn.cb_xprt` should not be given +a reference to the xprt otherwise both client cleanup and the +error handling path of the caller call to put it. Better to +delay handing over the reference to a later branch. + +[ 72.530665] refcount_t: underflow; use-after-free. +[ 72.531933] WARNING: CPU: 0 PID: 173 at lib/refcount.c:28 refcount_warn_saturate+0xcf/0x120 +[ 72.533075] Modules linked in: nfsd(OE) nfsv4(OE) nfsv3(OE) nfs(OE) lockd(OE) compat_nfs_ssc(OE) nfs_acl(OE) rpcsec_gss_krb5(OE) auth_rpcgss(OE) rpcrdma(OE) dns_resolver fscache netfs grace rdma_cm iw_cm ib_cm sunrpc(OE) mlx5_ib mlx5_core mlxfw pci_hyperv_intf ib_uverbs ib_core xt_MASQUERADE nf_conntrack_netlink nft_counter xt_addrtype nft_compat br_netfilter bridge stp llc nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 ip_set overlay nf_tables nfnetlink crct10dif_pclmul crc32_pclmul ghash_clmulni_intel xfs serio_raw virtio_net virtio_blk net_failover failover fuse [last unloaded: sunrpc] +[ 72.540389] CPU: 0 PID: 173 Comm: kworker/u16:5 Tainted: G OE 5.15.82-dan #1 +[ 72.541511] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-3.module+el8.7.0+1084+97b81f61 04/01/2014 +[ 72.542717] Workqueue: nfsd4_callbacks nfsd4_run_cb_work [nfsd] +[ 72.543575] RIP: 0010:refcount_warn_saturate+0xcf/0x120 +[ 72.544299] Code: 55 00 0f 0b 5d e9 01 50 98 00 80 3d 75 9e 39 08 00 0f 85 74 ff ff ff 48 c7 c7 e8 d1 60 8e c6 05 61 9e 39 08 01 e8 f6 51 55 00 <0f> 0b 5d e9 d9 4f 98 00 80 3d 4b 9e 39 08 00 0f 85 4c ff ff ff 48 +[ 72.546666] RSP: 0018:ffffb3f841157cf0 EFLAGS: 00010286 +[ 72.547393] RAX: 0000000000000026 RBX: 
ffff89ac6231d478 RCX: 0000000000000000 +[ 72.548324] RDX: ffff89adb7c2c2c0 RSI: ffff89adb7c205c0 RDI: ffff89adb7c205c0 +[ 72.549271] RBP: ffffb3f841157cf0 R08: 0000000000000000 R09: c0000000ffefffff +[ 72.550209] R10: 0000000000000001 R11: ffffb3f841157ad0 R12: ffff89ac6231d180 +[ 72.551142] R13: ffff89ac6231d478 R14: ffff89ac40c06180 R15: ffff89ac6231d4b0 +[ 72.552089] FS: 0000000000000000(0000) GS:ffff89adb7c00000(0000) knlGS:0000000000000000 +[ 72.553175] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 72.553934] CR2: 0000563a310506a8 CR3: 0000000109a66000 CR4: 0000000000350ef0 +[ 72.554874] Call Trace: +[ 72.555278] +[ 72.555614] svc_xprt_put+0xaf/0xe0 [sunrpc] +[ 72.556276] nfsd4_process_cb_update.isra.11+0xb7/0x410 [nfsd] +[ 72.557087] ? update_load_avg+0x82/0x610 +[ 72.557652] ? cpuacct_charge+0x60/0x70 +[ 72.558212] ? dequeue_entity+0xdb/0x3e0 +[ 72.558765] ? queued_spin_unlock+0x9/0x20 +[ 72.559358] nfsd4_run_cb_work+0xfc/0x270 [nfsd] +[ 72.560031] process_one_work+0x1df/0x390 +[ 72.560600] worker_thread+0x37/0x3b0 +[ 72.561644] ? process_one_work+0x390/0x390 +[ 72.562247] kthread+0x12f/0x150 +[ 72.562710] ? set_kthread_struct+0x50/0x50 +[ 72.563309] ret_from_fork+0x22/0x30 +[ 72.563818] +[ 72.564189] ---[ end trace 031117b1c72ec616 ]--- +[ 72.566019] list_add corruption. next->prev should be prev (ffff89ac4977e538), but was ffff89ac4763e018. (next=ffff89ac4763e018). +[ 72.567647] ------------[ cut here ]------------ + +Fixes: a4abc6b12eb1 ("nfsd: Fix svc_xprt refcnt leak when setup callback client failed") +Cc: Xiyu Yang +Cc: J. 
Bruce Fields +Signed-off-by: Dan Aloni +Reviewed-by: Jeff Layton +Signed-off-by: Chuck Lever +Signed-off-by: Sasha Levin +--- + fs/nfsd/nfs4callback.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c +index 172f697864ab..39d6b5c53131 100644 +--- a/fs/nfsd/nfs4callback.c ++++ b/fs/nfsd/nfs4callback.c +@@ -808,7 +808,6 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c + } else { + if (!conn->cb_xprt) + return -EINVAL; +- clp->cl_cb_conn.cb_xprt = conn->cb_xprt; + clp->cl_cb_session = ses; + args.bc_xprt = conn->cb_xprt; + args.prognumber = clp->cl_cb_session->se_cb_prog; +@@ -828,6 +827,9 @@ static int setup_callback_client(struct nfs4_client *clp, struct nfs4_cb_conn *c + rpc_shutdown_client(client); + return PTR_ERR(cred); + } ++ ++ if (clp->cl_minorversion != 0) ++ clp->cl_cb_conn.cb_xprt = conn->cb_xprt; + clp->cl_cb_client = client; + clp->cl_cb_cred = cred; + return 0; +-- +2.35.1 + diff --git a/queue-4.9/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch b/queue-4.9/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch new file mode 100644 index 00000000000..8037e60b95f --- /dev/null +++ b/queue-4.9/nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch 
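Review bot: in the second setup_callback_client() hunk the new `if (clp->cl_minorversion != 0)` re-derives which branch of the earlier if/else was taken; the selector of that if/else is above the visible context, and if it is anything other than cl_minorversion the two conditions can drift apart. A local pointer set in the else branch and published to `clp->cl_cb_conn.cb_xprt` only after rpc_create() and the cred lookup succeed would tie the two together. The ownership fix itself is right: with the assignment delayed, a failure after the removed `clp->cl_cb_conn.cb_xprt = conn->cb_xprt;` leaves the caller as the sole holder, so the caller's svc_xprt_put() on its error path is the only put, which matches the refcount underflow trace in the message.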
@@ -0,0 +1,73 @@ +From 451eae83ea587138812ad5f6a920318b0c73238b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 4 Nov 2022 13:20:01 -0400 +Subject: NFSv4: Fix a deadlock between nfs4_open_recover_helper() and + delegreturn + +From: Trond Myklebust + +[ Upstream commit 51069e4aef6257b0454057359faed0ab0c9af083 ] + +If we're asked to recover open state while a delegation return is +outstanding, then the state manager thread cannot use a cached open, so +if the server returns a delegation, we can end up deadlocked behind the +pending delegreturn. +To avoid this problem, let's just ask the server not to give us a +delegation unless we're explicitly reclaiming one. + +Fixes: be36e185bd26 ("NFSv4: nfs4_open_recover_helper() must set share access") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4proc.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index 5baf6ed7732d..4771fc16d7d1 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -1822,18 +1822,18 @@ static struct nfs4_opendata *nfs4_open_recoverdata_alloc(struct nfs_open_context + } + + static int nfs4_open_recover_helper(struct nfs4_opendata *opendata, +- fmode_t fmode) ++ fmode_t fmode) + { + struct nfs4_state *newstate; ++ struct nfs_server *server = NFS_SB(opendata->dentry->d_sb); ++ int openflags = opendata->o_arg.open_flags; + int ret; + + if (!nfs4_mode_match_open_stateid(opendata->state, fmode)) + return 0; +- opendata->o_arg.open_flags = 0; + opendata->o_arg.fmode = fmode; +- opendata->o_arg.share_access = nfs4_map_atomic_open_share( +- NFS_SB(opendata->dentry->d_sb), +- fmode, 0); ++ opendata->o_arg.share_access = ++ nfs4_map_atomic_open_share(server, fmode, openflags); + memset(&opendata->o_res, 0, sizeof(opendata->o_res)); + memset(&opendata->c_res, 0, sizeof(opendata->c_res)); + nfs4_init_opendata_res(opendata); +@@ -2411,10 +2411,15 @@ static int _nfs4_open_expired(struct 
nfs_open_context *ctx, struct nfs4_state *s + struct nfs4_opendata *opendata; + int ret; + +- opendata = nfs4_open_recoverdata_alloc(ctx, state, +- NFS4_OPEN_CLAIM_FH); ++ opendata = nfs4_open_recoverdata_alloc(ctx, state, NFS4_OPEN_CLAIM_FH); + if (IS_ERR(opendata)) + return PTR_ERR(opendata); ++ /* ++ * We're not recovering a delegation, so ask for no delegation. ++ * Otherwise the recovery thread could deadlock with an outstanding ++ * delegation return. ++ */ ++ opendata->o_arg.open_flags = O_DIRECT; + ret = nfs4_open_recover(opendata, state); + if (ret == -ESTALE) + d_drop(ctx->dentry); +-- +2.35.1 + diff --git a/queue-4.9/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch b/queue-4.9/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch new file mode 100644 index 00000000000..95c1242689d --- /dev/null +++ b/queue-4.9/nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch 
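Review bot: in the _nfs4_open_expired() hunk the "ask for no delegation" intent is encoded as `opendata->o_arg.open_flags = O_DIRECT;`, which works only because nfs4_map_atomic_open_share() (now called with `openflags` in the first hunk) maps O_DIRECT to the no-delegation share flag; that mapping is outside the hunk, so a reader of this function sees a raw O_DIRECT with no obvious link to delegations. Extending the added comment to say that O_DIRECT is what nfs4_map_atomic_open_share() translates into the want-no-delegation share bit would make the trick self-explanatory. The first hunk also drops `opendata->o_arg.open_flags = 0;`, so nfs4_open_recover_helper() now honours whatever open_flags the caller set; any other caller of the helper that relied on that reset is affected, which the hunk does not show. The re-indentation of `fmode_t fmode)` and the re-joined nfs4_open_recoverdata_alloc() call are whitespace-only and add noise to a stable backport.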
@@ -0,0 +1,43 @@ +From d8884f7a0be532fd0721eab3efc62d947b4e9ff5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 18:21:14 -0400 +Subject: NFSv4.2: Fix a memory stomp in decode_attr_security_label + +From: Trond Myklebust + +[ Upstream commit 43c1031f7110967c240cb6e922adcfc4b8899183 ] + +We must not change the value of label->len if it is zero, since that +indicates we stored a label. + +Fixes: b4487b935452 ("nfs: Fix getxattr kernel panic and memory overflow") +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + fs/nfs/nfs4xdr.c | 10 ++++------ + 1 file changed, 4 insertions(+), 6 deletions(-) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index b50c97c6aecb..fc5583531fc0 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -4160,12 +4160,10 @@ static int decode_attr_security_label(struct xdr_stream *xdr, uint32_t *bitmap, + if (unlikely(!p)) + goto out_overflow; + if (len < NFS4_MAXLABELLEN) { +- if (label) { +- if (label->len) { +- if (label->len < len) +- return -ERANGE; +- memcpy(label->label, p, len); +- } ++ if (label && label->len) { ++ if (label->len < len) ++ return -ERANGE; ++ memcpy(label->label, p, len); + label->len = len; + label->pi = pi; + label->lfs = lfs; +-- +2.35.1 + diff --git a/queue-4.9/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch b/queue-4.9/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch new file mode 100644 index 00000000000..823ff6aa485 --- /dev/null +++ b/queue-4.9/nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch 
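Review bot: in the decode_attr_security_label() hunk, folding `if (label) { if (label->len) {` into `if (label && label->len)` means a caller that passes a label with `len == 0` now gets none of `len`, `pi` and `lfs` recorded, not just the memcpy skipped; that is the intended stomp fix, but if any caller passes a zero-length label expecting pi/lfs back (callers are not visible here) it is a behavioural change that deserves a sentence in the message. The `return -ERANGE;` still exits with the xdr stream positioned mid-attribute, which is pre-existing but means the caller cannot continue decoding after a too-small buffer.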
@@ -0,0 +1,114 @@ +From cc16fb055fc39502371ea5353a337d31ef337af1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 27 Oct 2022 13:43:05 +0900 +Subject: nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() + +From: Ryusuke Konishi + +[ Upstream commit 610a2a3d7d8be3537458a378ec69396a76c385b6 ] + +Patch series "nilfs2: fix UBSAN shift-out-of-bounds warnings on mount +time". + +The first patch fixes a bug reported by syzbot, and the second one fixes +the remaining bug of the same kind. Although they are triggered by the +same super block data anomaly, I divided it into the above two because the +details of the issues and how to fix it are different. + +Both are required to eliminate the shift-out-of-bounds issues at mount +time. + +This patch (of 2): + +If the block size exponent information written in an on-disk superblock is +corrupted, nilfs_sb2_bad_offset helper function can trigger +shift-out-of-bounds warning followed by a kernel panic (if panic_on_warn +is set): + + shift exponent 38983 is too large for 64-bit type 'unsigned long long' + Call Trace: + + __dump_stack lib/dump_stack.c:88 [inline] + dump_stack_lvl+0x1b1/0x28e lib/dump_stack.c:106 + ubsan_epilogue lib/ubsan.c:151 [inline] + __ubsan_handle_shift_out_of_bounds+0x33d/0x3b0 lib/ubsan.c:322 + nilfs_sb2_bad_offset fs/nilfs2/the_nilfs.c:449 [inline] + nilfs_load_super_block+0xdf5/0xe00 fs/nilfs2/the_nilfs.c:523 + init_nilfs+0xb7/0x7d0 fs/nilfs2/the_nilfs.c:577 + nilfs_fill_super+0xb1/0x5d0 fs/nilfs2/super.c:1047 + nilfs_mount+0x613/0x9b0 fs/nilfs2/super.c:1317 + ... + +In addition, since nilfs_sb2_bad_offset() performs multiplication without +considering the upper bound, the computation may overflow if the disk +layout parameters are not normal. + +This fixes these issues by inserting preliminary sanity checks for those +parameters and by converting the comparison from one involving +multiplication and left bit-shifting to one using division and right +bit-shifting. 
+ +Link: https://lkml.kernel.org/r/20221027044306.42774-1-konishi.ryusuke@gmail.com +Link: https://lkml.kernel.org/r/20221027044306.42774-2-konishi.ryusuke@gmail.com +Signed-off-by: Ryusuke Konishi +Reported-by: syzbot+e91619dd4c11c4960706@syzkaller.appspotmail.com +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/nilfs2/the_nilfs.c | 31 +++++++++++++++++++++++++++---- + 1 file changed, 27 insertions(+), 4 deletions(-) + +diff --git a/fs/nilfs2/the_nilfs.c b/fs/nilfs2/the_nilfs.c +index 9bbdd152c296..3e143c2da06d 100644 +--- a/fs/nilfs2/the_nilfs.c ++++ b/fs/nilfs2/the_nilfs.c +@@ -22,6 +22,7 @@ + #include + #include + #include ++#include + #include + #include "nilfs.h" + #include "segment.h" +@@ -457,11 +458,33 @@ static int nilfs_valid_sb(struct nilfs_super_block *sbp) + return crc == le32_to_cpu(sbp->s_sum); + } + +-static int nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset) ++/** ++ * nilfs_sb2_bad_offset - check the location of the second superblock ++ * @sbp: superblock raw data buffer ++ * @offset: byte offset of second superblock calculated from device size ++ * ++ * nilfs_sb2_bad_offset() checks if the position on the second ++ * superblock is valid or not based on the filesystem parameters ++ * stored in @sbp. If @offset points to a location within the segment ++ * area, or if the parameters themselves are not normal, it is ++ * determined to be invalid. ++ * ++ * Return Value: true if invalid, false if valid. 
++ */ ++static bool nilfs_sb2_bad_offset(struct nilfs_super_block *sbp, u64 offset) + { +- return offset < ((le64_to_cpu(sbp->s_nsegments) * +- le32_to_cpu(sbp->s_blocks_per_segment)) << +- (le32_to_cpu(sbp->s_log_block_size) + 10)); ++ unsigned int shift_bits = le32_to_cpu(sbp->s_log_block_size); ++ u32 blocks_per_segment = le32_to_cpu(sbp->s_blocks_per_segment); ++ u64 nsegments = le64_to_cpu(sbp->s_nsegments); ++ u64 index; ++ ++ if (blocks_per_segment < NILFS_SEG_MIN_BLOCKS || ++ shift_bits > ilog2(NILFS_MAX_BLOCK_SIZE) - BLOCK_SIZE_BITS) ++ return true; ++ ++ index = offset >> (shift_bits + BLOCK_SIZE_BITS); ++ do_div(index, blocks_per_segment); ++ return index < nsegments; + } + + static void nilfs_release_super_block(struct the_nilfs *nilfs) +-- +2.35.1 + diff --git a/queue-4.9/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch b/queue-4.9/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch new file mode 100644 index 00000000000..dfa5a7a3887 --- /dev/null +++ b/queue-4.9/ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch 
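Review bot: nilfs_sb2_bad_offset() now divides by `blocks_per_segment` via do_div(), so the `blocks_per_segment < NILFS_SEG_MIN_BLOCKS` guard is the only thing keeping a zero divisor from a corrupted superblock out of the division; add a one-line comment saying so, since it silently depends on NILFS_SEG_MIN_BLOCKS being non-zero. The added `#include` line has lost its header name in this rendering; it should be the header that provides ilog2(). The commit message also says both patches of the series are needed to eliminate the mount-time shift-out-of-bounds, and the second one is not on this page, so confirm it is queued for 4.9 as well.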
@@ -0,0 +1,73 @@ +From 2ab445c74bdcf4f7271994bd218ce8f64ff5fdfa Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 16:06:59 -0800 +Subject: ntb_netdev: Use dev_kfree_skb_any() in interrupt context + +From: Eric Pilmore + +[ Upstream commit 5f7d78b2b12a9d561f48fa00bab29b40f4616dad ] + +TX/RX callback handlers (ntb_netdev_tx_handler(), +ntb_netdev_rx_handler()) can be called in interrupt +context via the DMA framework when the respective +DMA operations have completed. As such, any calls +by these routines to free skb's, should use the +interrupt context safe dev_kfree_skb_any() function. + +Previously, these callback handlers would call the +interrupt unsafe version of dev_kfree_skb(). This has +not presented an issue on Intel IOAT DMA engines as +that driver utilizes tasklets rather than a hard +interrupt handler, like the AMD PTDMA DMA driver. +On AMD systems, a kernel WARNING message is +encountered, which is being issued from +skb_release_head_state() due to in_hardirq() +being true. + +Besides the user visible WARNING from the kernel, +the other symptom of this bug was that TCP/IP performance +across the ntb_netdev interface was very poor, i.e. +approximately an order of magnitude below what was +expected. With the repair to use dev_kfree_skb_any(), +kernel WARNINGs from skb_release_head_state() ceased +and TCP/IP performance, as measured by iperf, was on +par with expected results, approximately 20 Gb/s on +AMD Milan based server. Note that this performance +is comparable with Intel based servers. 
+ +Fixes: 765ccc7bc3d91 ("ntb_netdev: correct skb leak") +Fixes: 548c237c0a997 ("net: Add support for NTB virtual ethernet device") +Signed-off-by: Eric Pilmore +Reviewed-by: Dave Jiang +Link: https://lore.kernel.org/r/20221209000659.8318-1-epilmore@gigaio.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ntb_netdev.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ntb_netdev.c b/drivers/net/ntb_netdev.c +index bd6c19ceab30..c4a3143cef25 100644 +--- a/drivers/net/ntb_netdev.c ++++ b/drivers/net/ntb_netdev.c +@@ -140,7 +140,7 @@ static void ntb_netdev_rx_handler(struct ntb_transport_qp *qp, void *qp_data, + enqueue_again: + rc = ntb_transport_rx_enqueue(qp, skb, skb->data, ndev->mtu + ETH_HLEN); + if (rc) { +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + ndev->stats.rx_errors++; + ndev->stats.rx_fifo_errors++; + } +@@ -195,7 +195,7 @@ static void ntb_netdev_tx_handler(struct ntb_transport_qp *qp, void *qp_data, + ndev->stats.tx_aborted_errors++; + } + +- dev_kfree_skb(skb); ++ dev_kfree_skb_any(skb); + + if (ntb_transport_tx_free_entry(dev->qp) >= tx_start) { + /* Make sure anybody stopping the queue after this sees the new +-- +2.35.1 + diff --git a/queue-4.9/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch b/queue-4.9/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch new file mode 100644 index 00000000000..eab921398b8 --- /dev/null +++ b/queue-4.9/ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch 
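Review bot: the switch to dev_kfree_skb_any() in both handlers is correct for the hard-IRQ context the commit message describes, but that context applies to everything else these callbacks do: the `enqueue_again:` path in ntb_netdev_rx_handler() calls ntb_transport_rx_enqueue() immediately before the free, so state in the message (or verify) that the enqueue itself is safe to call from a DMA completion interrupt, otherwise the WARNING is silenced while a non-IRQ-safe call remains.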
@@ -0,0 +1,73 @@ +From 16fb0ed890422ad03c6c13cb080e2ed2d3fecb1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 19:15:33 +0800 +Subject: ocfs2: fix memory leak in ocfs2_stack_glue_init() + +From: Shang XiaoJing + +[ Upstream commit 13b6269dd022aaa69ca8d1df374ab327504121cf ] + +ocfs2_table_header should be free in ocfs2_stack_glue_init() if +ocfs2_sysfs_init() failed, otherwise kmemleak will report memleak. + +BUG: memory leak +unreferenced object 0xffff88810eeb5800 (size 128): + comm "modprobe", pid 4507, jiffies 4296182506 (age 55.888s) + hex dump (first 32 bytes): + c0 40 14 a0 ff ff ff ff 00 00 00 00 01 00 00 00 .@.............. + 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ + backtrace: + [<000000001e59e1cd>] __register_sysctl_table+0xca/0xef0 + [<00000000c04f70f7>] 0xffffffffa0050037 + [<000000001bd12912>] do_one_initcall+0xdb/0x480 + [<0000000064f766c9>] do_init_module+0x1cf/0x680 + [<000000002ba52db0>] load_module+0x6441/0x6f20 + [<000000009772580d>] __do_sys_finit_module+0x12f/0x1c0 + [<00000000380c1f22>] do_syscall_64+0x3f/0x90 + [<000000004cf473bc>] entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Link: https://lkml.kernel.org/r/41651ca1-432a-db34-eb97-d35744559de1@linux.alibaba.com +Fixes: 3878f110f71a ("ocfs2: Move the hb_ctl_path sysctl into the stack glue.") +Signed-off-by: Shang XiaoJing +Reviewed-by: Joseph Qi +Cc: Mark Fasheh +Cc: Joel Becker +Cc: Junxiao Bi +Cc: Changwei Ge +Cc: Gang He +Cc: Jun Piao +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + fs/ocfs2/stackglue.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/fs/ocfs2/stackglue.c b/fs/ocfs2/stackglue.c +index 03e1c6cd6f3c..52ee7c90dc5c 100644 +--- a/fs/ocfs2/stackglue.c ++++ b/fs/ocfs2/stackglue.c +@@ -715,6 +715,8 @@ static struct ctl_table_header *ocfs2_table_header; + + static int __init ocfs2_stack_glue_init(void) + { ++ int ret; ++ + strcpy(cluster_stack_name, OCFS2_STACK_PLUGIN_O2CB); + + 
ocfs2_table_header = register_sysctl_table(ocfs2_root_table); +@@ -724,7 +726,11 @@ static int __init ocfs2_stack_glue_init(void) + return -ENOMEM; /* or something. */ + } + +- return ocfs2_sysfs_init(); ++ ret = ocfs2_sysfs_init(); ++ if (ret) ++ unregister_sysctl_table(ocfs2_table_header); ++ ++ return ret; + } + + static void __exit ocfs2_stack_glue_exit(void) +-- +2.35.1 + diff --git a/queue-4.9/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch b/queue-4.9/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch new file mode 100644 index 00000000000..648fc71e621 --- /dev/null +++ b/queue-4.9/openvswitch-fix-flow-lookup-to-use-unmasked-key.patch 
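Review bot: after `unregister_sysctl_table(ocfs2_table_header)` in the new error path, `ocfs2_table_header` is left pointing at freed memory; because ocfs2_stack_glue_init() then fails and the module never loads, nothing reads it, but set it to NULL after the unregister so ocfs2_stack_glue_exit() cannot trip over a stale pointer if the init/exit pairing ever changes. The `return -ENOMEM; /* or something. */` just above is pre-existing, but the comment is worth cleaning up while this function is being touched.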
@@ -0,0 +1,121 @@ +From 18d2ab7d607dceaf7fd976b78198e0162dd12f03 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Dec 2022 15:46:33 +0100 +Subject: openvswitch: Fix flow lookup to use unmasked key + +From: Eelco Chaudron + +[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ] + +The commit mentioned below causes the ovs_flow_tbl_lookup() function +to be called with the masked key. However, it's supposed to be called +with the unmasked key. This due to the fact that the datapath supports +installing wider flows, and OVS relies on this behavior. For example +if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider +flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/ +128.0.0.0) is allowed to be added. + +However, if we try to add a wildcard rule, the installation fails: + +$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ + ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2 +$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \ + ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2 +ovs-vswitchd: updating flow table (File exists) + +The reason is that the key used to determine if the flow is already +present in the system uses the original key ANDed with the mask. +This results in the IP address not being part of the (miniflow) key, +i.e., being substituted with an all-zero value. When doing the actual +lookup, this results in the key wrongfully matching the first flow, +and therefore the flow does not get installed. + +This change reverses the commit below, but rather than having the key +on the stack, it's allocated. + +Fixes: 190aa3e77880 ("openvswitch: Fix Frame-size larger than 1024 bytes warning.") + +Signed-off-by: Eelco Chaudron +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + net/openvswitch/datapath.c | 25 ++++++++++++++++--------- + 1 file changed, 16 insertions(+), 9 deletions(-) + +diff --git a/net/openvswitch/datapath.c b/net/openvswitch/datapath.c +index 56999d8528a4..e4404f5053ae 100644 +--- a/net/openvswitch/datapath.c ++++ b/net/openvswitch/datapath.c +@@ -944,6 +944,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + struct sw_flow_mask mask; + struct sk_buff *reply; + struct datapath *dp; ++ struct sw_flow_key *key; + struct sw_flow_actions *acts; + struct sw_flow_match match; + u32 ufid_flags = ovs_nla_get_ufid_flags(a[OVS_FLOW_ATTR_UFID_FLAGS]); +@@ -971,24 +972,26 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + } + + /* Extract key. */ +- ovs_match_init(&match, &new_flow->key, false, &mask); ++ key = kzalloc(sizeof(*key), GFP_KERNEL); ++ if (!key) { ++ error = -ENOMEM; ++ goto err_kfree_key; ++ } ++ ++ ovs_match_init(&match, key, false, &mask); + error = ovs_nla_get_match(net, &match, a[OVS_FLOW_ATTR_KEY], + a[OVS_FLOW_ATTR_MASK], log); + if (error) + goto err_kfree_flow; + ++ ovs_flow_mask_key(&new_flow->key, key, true, &mask); ++ + /* Extract flow identifier. */ + error = ovs_nla_get_identifier(&new_flow->id, a[OVS_FLOW_ATTR_UFID], +- &new_flow->key, log); ++ key, log); + if (error) + goto err_kfree_flow; + +- /* unmasked key is needed to match when ufid is not used. */ +- if (ovs_identifier_is_key(&new_flow->id)) +- match.key = new_flow->id.unmasked_key; +- +- ovs_flow_mask_key(&new_flow->key, &new_flow->key, true, &mask); +- + /* Validate actions. 
*/ + error = ovs_nla_copy_actions(net, a[OVS_FLOW_ATTR_ACTIONS], + &new_flow->key, &acts, log); +@@ -1015,7 +1018,7 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + if (ovs_identifier_is_ufid(&new_flow->id)) + flow = ovs_flow_tbl_lookup_ufid(&dp->table, &new_flow->id); + if (!flow) +- flow = ovs_flow_tbl_lookup(&dp->table, &new_flow->key); ++ flow = ovs_flow_tbl_lookup(&dp->table, key); + if (likely(!flow)) { + rcu_assign_pointer(new_flow->sf_acts, acts); + +@@ -1085,6 +1088,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + + if (reply) + ovs_notify(&dp_flow_genl_family, reply, info); ++ ++ kfree(key); + return 0; + + err_unlock_ovs: +@@ -1094,6 +1099,8 @@ static int ovs_flow_cmd_new(struct sk_buff *skb, struct genl_info *info) + ovs_nla_free_flow_actions(acts); + err_kfree_flow: + ovs_flow_free(new_flow, false); ++err_kfree_key: ++ kfree(key); + error: + return error; + } +-- +2.35.1 + diff --git a/queue-4.9/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch b/queue-4.9/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch new file mode 100644 index 00000000000..c1d125e6fa8 --- /dev/null +++ b/queue-4.9/orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch 
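Review bot: the kzalloc() failure path leaks `new_flow`: on `!key` the code does `goto err_kfree_key`, which lands after the `err_kfree_flow:` label and so skips `ovs_flow_free(new_flow, false)`, even though `new_flow` is already allocated at that point (the removed line passed `&new_flow->key` to ovs_match_init() right here). It should be `goto err_kfree_flow`; since `kfree(NULL)` is a no-op at `err_kfree_key`, that frees both in order. The success path frees `key` only after ovs_notify(), and `err_unlock_ovs` reaches `err_kfree_key` by fall-through, so the remaining paths are fine.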
@@ -0,0 +1,62 @@ +From c085d77d80e2f32baf387d9da4a16c8842425809 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:40:05 +0800 +Subject: orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() + +From: Zhang Xiaoxu + +[ Upstream commit d23417a5bf3a3afc55de5442eb46e1e60458b0a1 ] + +When insert and remove the orangefs module, then debug_help_string will +be leaked: + + unreferenced object 0xffff8881652ba000 (size 4096): + comm "insmod", pid 1701, jiffies 4294893639 (age 13218.530s) + hex dump (first 32 bytes): + 43 6c 69 65 6e 74 20 44 65 62 75 67 20 4b 65 79 Client Debug Key + 77 6f 72 64 73 20 61 72 65 20 75 6e 6b 6e 6f 77 words are unknow + backtrace: + [<0000000004e6f8e3>] kmalloc_trace+0x27/0xa0 + [<0000000006f75d85>] orangefs_prepare_debugfs_help_string+0x5e/0x480 [orangefs] + [<0000000091270a2a>] _sub_I_65535_1+0x57/0xf70 [crc_itu_t] + [<000000004b1ee1a3>] do_one_initcall+0x87/0x2a0 + [<000000001d0614ae>] do_init_module+0xdf/0x320 + [<00000000efef068c>] load_module+0x2f98/0x3330 + [<000000006533b44d>] __do_sys_finit_module+0x113/0x1b0 + [<00000000a0da6f99>] do_syscall_64+0x35/0x80 + [<000000007790b19b>] entry_SYSCALL_64_after_hwframe+0x46/0xb0 + +When remove the module, should always free debug_help_string. Should +always free the allocated buffer when change the free_debug_help_string. 
+ +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-debugfs.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/fs/orangefs/orangefs-debugfs.c b/fs/orangefs/orangefs-debugfs.c +index 7d7df003f9d8..401d70944e49 100644 +--- a/fs/orangefs/orangefs-debugfs.c ++++ b/fs/orangefs/orangefs-debugfs.c +@@ -253,6 +253,8 @@ static int orangefs_kernel_debug_init(void) + void orangefs_debugfs_cleanup(void) + { + debugfs_remove_recursive(debug_dir); ++ kfree(debug_help_string); ++ debug_help_string = NULL; + } + + /* open ORANGEFS_KMOD_DEBUG_HELP_FILE */ +@@ -706,6 +708,7 @@ int orangefs_prepare_debugfs_help_string(int at_boot) + memset(debug_help_string, 0, DEBUG_HELP_STRING_SIZE); + strlcat(debug_help_string, new, string_size); + mutex_unlock(&orangefs_help_file_lock); ++ kfree(new); + } + + rc = 0; +-- +2.35.1 + diff --git a/queue-4.9/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch b/queue-4.9/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch new file mode 100644 index 00000000000..2599a03080e --- /dev/null +++ b/queue-4.9/orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch 
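Review bot: `kfree(new)` is added only inside the branch that copies `new` into `debug_help_string` (after the mutex_unlock()), so a reviewer needs to know that `new` is also freed on the other exits of orangefs_prepare_debugfs_help_string(); the hunk does not show them and the commit message's last sentence does not say. In orangefs_debugfs_cleanup() the order is right: the debugfs tree is removed before the buffer its help file serves is freed, and resetting `debug_help_string` to NULL guards against a second cleanup.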
@@ -0,0 +1,74 @@ +From 442bd30c3f45f3e485c78bec5d942876ae59361e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:40:04 +0800 +Subject: orangefs: Fix sysfs not cleanup when dev init failed + +From: Zhang Xiaoxu + +[ Upstream commit ea60a4ad0cf88b411cde6888b8c890935686ecd7 ] + +When the dev init failed, should cleanup the sysfs, otherwise, the +module will never be loaded since can not create duplicate sysfs +directory: + + sysfs: cannot create duplicate filename '/fs/orangefs' + + CPU: 1 PID: 6549 Comm: insmod Tainted: G W 6.0.0+ #44 + Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-1.fc33 04/01/2014 + Call Trace: + + dump_stack_lvl+0x34/0x44 + sysfs_warn_dup.cold+0x17/0x24 + sysfs_create_dir_ns+0x16d/0x180 + kobject_add_internal+0x156/0x3a0 + kobject_init_and_add+0xcf/0x120 + orangefs_sysfs_init+0x7e/0x3a0 [orangefs] + orangefs_init+0xfe/0x1000 [orangefs] + do_one_initcall+0x87/0x2a0 + do_init_module+0xdf/0x320 + load_module+0x2f98/0x3330 + __do_sys_finit_module+0x113/0x1b0 + do_syscall_64+0x35/0x80 + entry_SYSCALL_64_after_hwframe+0x46/0xb0 + + kobject_add_internal failed for orangefs with -EEXIST, don't try to register things with the same name in the same directory. 
+ +Fixes: 2f83ace37181 ("orangefs: put register_chrdev immediately before register_filesystem") +Signed-off-by: Zhang Xiaoxu +Signed-off-by: Mike Marshall +Signed-off-by: Sasha Levin +--- + fs/orangefs/orangefs-mod.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/orangefs/orangefs-mod.c b/fs/orangefs/orangefs-mod.c +index 4113eb0495bf..74b8ee19e167 100644 +--- a/fs/orangefs/orangefs-mod.c ++++ b/fs/orangefs/orangefs-mod.c +@@ -147,7 +147,7 @@ static int __init orangefs_init(void) + gossip_err("%s: could not initialize device subsystem %d!\n", + __func__, + ret); +- goto cleanup_device; ++ goto cleanup_sysfs; + } + + ret = register_filesystem(&orangefs_fs_type); +@@ -159,11 +159,11 @@ static int __init orangefs_init(void) + goto out; + } + +- orangefs_sysfs_exit(); +- +-cleanup_device: + orangefs_dev_cleanup(); + ++cleanup_sysfs: ++ orangefs_sysfs_exit(); ++ + sysfs_init_failed: + + debugfs_init_failed: +-- +2.35.1 + diff --git a/queue-4.9/perf-fix-possible-memleak-in-pmu_dev_alloc.patch b/queue-4.9/perf-fix-possible-memleak-in-pmu_dev_alloc.patch new file mode 100644 index 00000000000..9ce500d31a9 --- /dev/null +++ b/queue-4.9/perf-fix-possible-memleak-in-pmu_dev_alloc.patch 
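Review bot: the relabelling now tears down in reverse order of initialisation (orangefs_dev_cleanup() then orangefs_sysfs_exit(), both on the register_filesystem() failure path), and `goto cleanup_sysfs` on device-init failure correctly skips orangefs_dev_cleanup(). Since the `cleanup_device` label is removed, any other `goto cleanup_device` left in orangefs_init() would now be a build error, so a successful build confirms there are none; worth a sentence in the backport note.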
@@ -0,0 +1,71 @@ +From 39558b0e80ddf263baa530f2d3cfe28af1b0f2e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 18:36:53 +0800 +Subject: perf: Fix possible memleak in pmu_dev_alloc() + +From: Chen Zhongjin + +[ Upstream commit e8d7a90c08ce963c592fb49845f2ccc606a2ac21 ] + +In pmu_dev_alloc(), when dev_set_name() failed, it will goto free_dev +and call put_device(pmu->dev) to release it. +However pmu->dev->release is assigned after this, which makes warning +and memleak. +Call dev_set_name() after pmu->dev->release = pmu_dev_release to fix it. + + Device '(null)' does not have a release() function... + WARNING: CPU: 2 PID: 441 at drivers/base/core.c:2332 device_release+0x1b9/0x240 + ... + Call Trace: + + kobject_put+0x17f/0x460 + put_device+0x20/0x30 + pmu_dev_alloc+0x152/0x400 + perf_pmu_register+0x96b/0xee0 + ... + kmemleak: 1 new suspected memory leaks (see /sys/kernel/debug/kmemleak) + unreferenced object 0xffff888014759000 (size 2048): + comm "modprobe", pid 441, jiffies 4294931444 (age 38.332s) + backtrace: + [<0000000005aed3b4>] kmalloc_trace+0x27/0x110 + [<000000006b38f9b8>] pmu_dev_alloc+0x50/0x400 + [<00000000735f17be>] perf_pmu_register+0x96b/0xee0 + [<00000000e38477f1>] 0xffffffffc0ad8603 + [<000000004e162216>] do_one_initcall+0xd0/0x4e0 + ... 
+ +Fixes: abe43400579d ("perf: Sysfs enumeration") +Signed-off-by: Chen Zhongjin +Signed-off-by: Peter Zijlstra (Intel) +Link: https://lkml.kernel.org/r/20221111103653.91058-1-chenzhongjin@huawei.com +Signed-off-by: Sasha Levin +--- + kernel/events/core.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index 58ef731d52c7..a25b5a8182ec 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -8864,13 +8864,15 @@ static int pmu_dev_alloc(struct pmu *pmu) + + pmu->dev->groups = pmu->attr_groups; + device_initialize(pmu->dev); +- ret = dev_set_name(pmu->dev, "%s", pmu->name); +- if (ret) +- goto free_dev; + + dev_set_drvdata(pmu->dev, pmu); + pmu->dev->bus = &pmu_bus; + pmu->dev->release = pmu_dev_release; ++ ++ ret = dev_set_name(pmu->dev, "%s", pmu->name); ++ if (ret) ++ goto free_dev; ++ + ret = device_add(pmu->dev); + if (ret) + goto free_dev; +-- +2.35.1 + diff --git a/queue-4.9/pinctrl-pinconf-generic-add-missing-of_node_put.patch b/queue-4.9/pinctrl-pinconf-generic-add-missing-of_node_put.patch new file mode 100644 index 00000000000..bd8eb154ceb --- /dev/null +++ b/queue-4.9/pinctrl-pinconf-generic-add-missing-of_node_put.patch 
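Review bot: moving dev_set_name() after `pmu->dev->release = pmu_dev_release` makes the `free_dev` exit safe only if `free_dev` does put_device() (as the commit message says) rather than kfree(); that label is outside the hunk, so quote it in the message. dev_set_drvdata() and the `bus` assignment now run before the name is set; harmless, since device_add() is still the last step.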
@@ -0,0 +1,40 @@ +From 1890a01838b11246ad4a4ecb0acea22b37f9b0e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 25 Nov 2022 07:01:56 +0000 +Subject: pinctrl: pinconf-generic: add missing of_node_put() + +From: ZhangPeng + +[ Upstream commit 5ead93289815a075d43c415e35c8beafafb801c9 ] + +of_node_put() needs to be called when jumping out of the loop, since +for_each_available_child_of_node() will increase the refcount of node. + +Fixes: c7289500e29d ("pinctrl: pinconf-generic: scan also referenced phandle node") +Signed-off-by: ZhangPeng +Link: https://lore.kernel.org/r/20221125070156.3535855-1-zhangpeng362@huawei.com +Signed-off-by: Linus Walleij +Signed-off-by: Sasha Levin +--- + drivers/pinctrl/pinconf-generic.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinconf-generic.c b/drivers/pinctrl/pinconf-generic.c +index 074a7e044e25..b0e41fb3623d 100644 +--- a/drivers/pinctrl/pinconf-generic.c ++++ b/drivers/pinctrl/pinconf-generic.c +@@ -384,8 +384,10 @@ int pinconf_generic_dt_node_to_map(struct pinctrl_dev *pctldev, + for_each_child_of_node(np_config, np) { + ret = pinconf_generic_dt_subnode_to_map(pctldev, np, map, + &reserved_maps, num_maps, type); +- if (ret < 0) ++ if (ret < 0) { ++ of_node_put(np); + goto exit; ++ } + } + return 0; + +-- +2.35.1 + diff --git a/queue-4.9/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch b/queue-4.9/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch new file mode 100644 index 00000000000..8c6ebd07b5e --- /dev/null +++ b/queue-4.9/pm-hibernate-fix-mistake-in-kerneldoc-comment.patch 
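Review bot: the commit message says the reference is taken by for_each_available_child_of_node(), but the 4.9 hunk's loop is `for_each_child_of_node(np_config, np)`; both iterators hold a reference on `np` that is only dropped on the next iteration, so the `of_node_put(np)` before `goto exit` is right either way, but the message should name the iterator actually present in the backported code.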
@@ -0,0 +1,45 @@ +From 41033716b746ba86bed2cb034c94175ebb9d2497 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 1 Nov 2022 10:28:39 +0800 +Subject: PM: hibernate: Fix mistake in kerneldoc comment + +From: xiongxin + +[ Upstream commit 6e5d7300cbe7c3541bc31f16db3e9266e6027b4b ] + +The actual maximum image size formula in hibernate_preallocate_memory() +is as follows: + +max_size = (count - (size + PAGES_FOR_IO)) / 2 + - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE); + +but the one in the kerneldoc comment of the function is different and +incorrect. + +Fixes: ddeb64870810 ("PM / Hibernate: Add sysfs knob to control size of memory for drivers") +Signed-off-by: xiongxin +[ rjw: Subject and changelog rewrite ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + kernel/power/snapshot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/snapshot.c b/kernel/power/snapshot.c +index 5dfac92521fa..b02850cfc8ee 100644 +--- a/kernel/power/snapshot.c ++++ b/kernel/power/snapshot.c +@@ -1677,8 +1677,8 @@ static unsigned long minimum_image_size(unsigned long saveable) + * /sys/power/reserved_size, respectively). To make this happen, we compute the + * total number of available page frames and allocate at least + * +- * ([page frames total] + PAGES_FOR_IO + [metadata pages]) / 2 +- * + 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE) ++ * ([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2 ++ * - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE) + * + * of them, which corresponds to the maximum size of a hibernation image. + * +-- +2.35.1 + diff --git a/queue-4.9/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch b/queue-4.9/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch new file mode 100644 index 00000000000..aea64750469 --- /dev/null +++ b/queue-4.9/pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch 
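Review bot: documentation-only change; the new comment `([page frames total] - PAGES_FOR_IO - [metadata pages]) / 2 - 2 * DIV_ROUND_UP(reserved_size, PAGE_SIZE)` is algebraically the `(count - (size + PAGES_FOR_IO)) / 2 - 2 * DIV_ROUND_UP(...)` quoted from hibernate_preallocate_memory() in the message, so the fix is consistent.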
@@ -0,0 +1,46 @@ +From 555a8cd715a91bf29a87b80beaed36625edebc1a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 09:23:58 +0800 +Subject: PNP: fix name memory leak in pnp_alloc_dev() + +From: Yang Yingliang + +[ Upstream commit 110d7b0325c55ff3620073ba4201845f59e22ebf ] + +After commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically, +move dev_set_name() after pnp_add_id() to avoid memory leak. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Reviewed-by: Hanjun Guo +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/pnp/core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/pnp/core.c b/drivers/pnp/core.c +index b54620e53830..3d5865c7694b 100644 +--- a/drivers/pnp/core.c ++++ b/drivers/pnp/core.c +@@ -159,14 +159,14 @@ struct pnp_dev *pnp_alloc_dev(struct pnp_protocol *protocol, int id, + dev->dev.coherent_dma_mask = dev->dma_mask; + dev->dev.release = &pnp_release_device; + +- dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number); +- + dev_id = pnp_add_id(dev, pnpid); + if (!dev_id) { + kfree(dev); + return NULL; + } + ++ dev_set_name(&dev->dev, "%02x:%02x", dev->protocol->number, dev->number); ++ + return dev; + } + +-- +2.35.1 + diff --git a/queue-4.9/power-supply-fix-residue-sysfs-file-in-error-handle-.patch b/queue-4.9/power-supply-fix-residue-sysfs-file-in-error-handle-.patch new file mode 100644 index 00000000000..0b009f968d5 --- /dev/null +++ b/queue-4.9/power-supply-fix-residue-sysfs-file-in-error-handle-.patch 
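Review bot: dev_set_name()'s return value is still ignored after the move; it allocates the kobject name and can fail with -ENOMEM, leaving a nameless device to be registered later, and now that it is the last step before `return dev` a check (unwinding pnp_add_id() and kfree(dev) on failure) costs two lines. The `kfree(dev)` on pnp_add_id() failure is correct only because `dev->dev` has not been device_initialize()d here even though `release` is already set; a comment saying so would stop the next reader reaching for put_device().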
@@ -0,0 +1,50 @@ +From 36a3a54e5f58d991b28b4f663a3fa7d4c4b66475 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 16:32:19 +0800 +Subject: power: supply: fix residue sysfs file in error handle route of + __power_supply_register() + +From: Zeng Heng + +[ Upstream commit 5b79480ce1978864ac3f06f2134dfa3b6691fe74 ] + +If device_add() succeeds, we should call device_del() when want to +get rid of it, so move it into proper jump symbol. + +Otherwise, when __power_supply_register() returns fail and goto +wakeup_init_failed to exit, there is still residue device file in sysfs. +When attempt to probe device again, sysfs would complain as below: + +sysfs: cannot create duplicate filename '/devices/platform/i2c/i2c-0/0-001c/power_supply/adp5061' +Call Trace: + dump_stack_lvl+0x68/0x85 + sysfs_warn_dup.cold+0x1c/0x29 + sysfs_create_dir_ns+0x1b1/0x1d0 + kobject_add_internal+0x143/0x390 + kobject_add+0x108/0x170 + +Fixes: 80c6463e2fa3 ("power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate") +Signed-off-by: Zeng Heng +Signed-off-by: Sebastian Reichel +Signed-off-by: Sasha Levin +--- + drivers/power/supply/power_supply_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/power/supply/power_supply_core.c b/drivers/power/supply/power_supply_core.c +index cb0b3d3d132f..af156b7f346f 100644 +--- a/drivers/power/supply/power_supply_core.c ++++ b/drivers/power/supply/power_supply_core.c +@@ -807,8 +807,8 @@ __power_supply_register(struct device *parent, + register_cooler_failed: + psy_unregister_thermal(psy); + register_thermal_failed: +- device_del(dev); + wakeup_init_failed: ++ device_del(dev); + device_add_failed: + check_supplies_failed: + dev_set_name_failed: +-- +2.35.1 + diff --git a/queue-4.9/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch b/queue-4.9/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch new file mode 100644 index 00000000000..1934020d7b5 --- /dev/null 
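Review bot: moving `device_del(dev)` under `wakeup_init_failed:` is correct given the label order (`register_thermal_failed` still falls through to it), provided the `goto wakeup_init_failed` sits after a successful device_add() and before anything else that needs its own undo; that jump is outside the hunk, so quote it in the message.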
+++ b/queue-4.9/powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch @@ -0,0 +1,38 @@ +From b001a31c36d217cc615e1465814902147cda701a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Jan 2022 08:16:04 +0100 +Subject: powerpc/52xx: Fix a resource leak in an error handling path + +From: Christophe JAILLET + +[ Upstream commit 5836947613ef33d311b4eff6a32d019580a214f5 ] + +The error handling path of mpc52xx_lpbfifo_probe() has a request_irq() +that is not balanced by a corresponding free_irq(). + +Add the missing call, as already done in the remove function. + +Fixes: 3c9059d79f5e ("powerpc/5200: add LocalPlus bus FIFO device driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/dec1496d46ccd5311d0f6e9f9ca4238be11bf6a6.1643440531.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c +index 7bb42a0100de..caaaaf2bea52 100644 +--- a/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c ++++ b/arch/powerpc/platforms/52xx/mpc52xx_lpbfifo.c +@@ -531,6 +531,7 @@ static int mpc52xx_lpbfifo_probe(struct platform_device *op) + err_bcom_rx_irq: + bcom_gen_bd_rx_release(lpbfifo.bcom_rx_task); + err_bcom_rx: ++ free_irq(lpbfifo.irq, &lpbfifo); + err_irq: + iounmap(lpbfifo.regs); + lpbfifo.regs = NULL; +-- +2.35.1 + diff --git a/queue-4.9/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch b/queue-4.9/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch new file mode 100644 index 00000000000..1d43d79c143 --- /dev/null +++ b/queue-4.9/powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch 
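Review bot: `free_irq(lpbfifo.irq, &lpbfifo)` at `err_bcom_rx:` is only right if every goto to that label (and to the labels above it) occurs after a successful request_irq(), while the request_irq() failure itself jumps to `err_irq:`; those gotos are outside the hunk, so the message should state this ordering. Also confirm the cookie `&lpbfifo` matches the dev_id passed to request_irq(), since free_irq() silently fails to find the handler otherwise.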
@@ -0,0 +1,39 @@ +From 3e50aa39615483eb86088908b287ee772361c27f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 29 Oct 2022 19:16:26 +0800 +Subject: powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in + of_fsl_spi_probe() + +From: Yang Yingliang + +[ Upstream commit 4d0eea415216fe3791da2f65eb41399e70c7bedf ] + +If platform_device_add() is not called or failed, it can not call +platform_device_del() to clean up memory, it should call +platform_device_put() in error case. + +Fixes: 26f6cb999366 ("[POWERPC] fsl_soc: add support for fsl_spi") +Signed-off-by: Yang Yingliang +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221029111626.429971-1-yangyingliang@huawei.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/platforms/83xx/mpc832x_rdb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/83xx/mpc832x_rdb.c b/arch/powerpc/platforms/83xx/mpc832x_rdb.c +index d7c9b186954d..3e5e51de9a0d 100644 +--- a/arch/powerpc/platforms/83xx/mpc832x_rdb.c ++++ b/arch/powerpc/platforms/83xx/mpc832x_rdb.c +@@ -111,7 +111,7 @@ static int __init of_fsl_spi_probe(char *type, char *compatible, u32 sysclk, + + goto next; + unreg: +- platform_device_del(pdev); ++ platform_device_put(pdev); + err: + pr_err("%s: registration failed\n", np->full_name); + next: +-- +2.35.1 + diff --git a/queue-4.9/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch b/queue-4.9/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch new file mode 100644 index 00000000000..174455395d8 --- /dev/null +++ b/queue-4.9/powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch 
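Review bot: replacing platform_device_del() with platform_device_put() at `unreg:` is correct only while every `goto unreg` comes from before, or from a failed, platform_device_add(); if a later step after a successful add jumped here, the device would stay registered with its refcount dropped. The message asserts this is the case; quoting the two gotos would make it verifiable from the patch itself.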
@@ -0,0 +1,142 @@ +From d91de12937cdb1742a6e098e871af05ed7637a79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 17 Oct 2022 16:22:39 -0400 +Subject: powerpc: dts: t208x: Mark MAC1 and MAC2 as 10G + +From: Sean Anderson + +[ Upstream commit 36926a7d70c2d462fca1ed85bfee000d17fd8662 ] + +On the T208X SoCs, MAC1 and MAC2 support XGMII. Add some new MAC dtsi +fragments, and mark the QMAN ports as 10G. + +Fixes: da414bb923d9 ("powerpc/mpc85xx: Add FSL QorIQ DPAA FMan support to the SoC device tree(s)") +Signed-off-by: Sean Anderson +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + .../boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi | 44 +++++++++++++++++++ + .../boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi | 44 +++++++++++++++++++ + arch/powerpc/boot/dts/fsl/t2081si-post.dtsi | 4 +- + 3 files changed, 90 insertions(+), 2 deletions(-) + create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi + create mode 100644 arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi + +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi +new file mode 100644 +index 000000000000..437dab3fc017 +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-2.dtsi +@@ -0,0 +1,44 @@ ++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later ++/* ++ * QorIQ FMan v3 10g port #2 device tree stub [ controller @ offset 0x400000 ] ++ * ++ * Copyright 2022 Sean Anderson ++ * Copyright 2012 - 2015 Freescale Semiconductor Inc. 
++ */ ++ ++fman@400000 { ++ fman0_rx_0x08: port@88000 { ++ cell-index = <0x8>; ++ compatible = "fsl,fman-v3-port-rx"; ++ reg = <0x88000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ fman0_tx_0x28: port@a8000 { ++ cell-index = <0x28>; ++ compatible = "fsl,fman-v3-port-tx"; ++ reg = <0xa8000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ ethernet@e0000 { ++ cell-index = <0>; ++ compatible = "fsl,fman-memac"; ++ reg = <0xe0000 0x1000>; ++ fsl,fman-ports = <&fman0_rx_0x08 &fman0_tx_0x28>; ++ ptp-timer = <&ptp_timer0>; ++ pcsphy-handle = <&pcsphy0>; ++ }; ++ ++ mdio@e1000 { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; ++ reg = <0xe1000 0x1000>; ++ fsl,erratum-a011043; /* must ignore read errors */ ++ ++ pcsphy0: ethernet-phy@0 { ++ reg = <0x0>; ++ }; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi +new file mode 100644 +index 000000000000..ad116b17850a +--- /dev/null ++++ b/arch/powerpc/boot/dts/fsl/qoriq-fman3-0-10g-3.dtsi +@@ -0,0 +1,44 @@ ++// SPDX-License-Identifier: BSD-3-Clause OR GPL-2.0-or-later ++/* ++ * QorIQ FMan v3 10g port #3 device tree stub [ controller @ offset 0x400000 ] ++ * ++ * Copyright 2022 Sean Anderson ++ * Copyright 2012 - 2015 Freescale Semiconductor Inc. 
++ */ ++ ++fman@400000 { ++ fman0_rx_0x09: port@89000 { ++ cell-index = <0x9>; ++ compatible = "fsl,fman-v3-port-rx"; ++ reg = <0x89000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ fman0_tx_0x29: port@a9000 { ++ cell-index = <0x29>; ++ compatible = "fsl,fman-v3-port-tx"; ++ reg = <0xa9000 0x1000>; ++ fsl,fman-10g-port; ++ }; ++ ++ ethernet@e2000 { ++ cell-index = <1>; ++ compatible = "fsl,fman-memac"; ++ reg = <0xe2000 0x1000>; ++ fsl,fman-ports = <&fman0_rx_0x09 &fman0_tx_0x29>; ++ ptp-timer = <&ptp_timer0>; ++ pcsphy-handle = <&pcsphy1>; ++ }; ++ ++ mdio@e3000 { ++ #address-cells = <1>; ++ #size-cells = <0>; ++ compatible = "fsl,fman-memac-mdio", "fsl,fman-xmdio"; ++ reg = <0xe3000 0x1000>; ++ fsl,erratum-a011043; /* must ignore read errors */ ++ ++ pcsphy1: ethernet-phy@0 { ++ reg = <0x0>; ++ }; ++ }; ++}; +diff --git a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi +index c744569a20e1..5fa9068a2929 100644 +--- a/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi ++++ b/arch/powerpc/boot/dts/fsl/t2081si-post.dtsi +@@ -631,8 +631,8 @@ usb1: usb@211000 { + /include/ "qoriq-bman1.dtsi" + + /include/ "qoriq-fman3-0.dtsi" +-/include/ "qoriq-fman3-0-1g-0.dtsi" +-/include/ "qoriq-fman3-0-1g-1.dtsi" ++/include/ "qoriq-fman3-0-10g-2.dtsi" ++/include/ "qoriq-fman3-0-10g-3.dtsi" + /include/ "qoriq-fman3-0-1g-2.dtsi" + /include/ "qoriq-fman3-0-1g-3.dtsi" + /include/ "qoriq-fman3-0-1g-4.dtsi" +-- +2.35.1 + diff --git a/queue-4.9/powerpc-hv-gpci-fix-hv_gpci-event-list.patch b/queue-4.9/powerpc-hv-gpci-fix-hv_gpci-event-list.patch new file mode 100644 index 00000000000..2a468617200 --- /dev/null +++ b/queue-4.9/powerpc-hv-gpci-fix-hv_gpci-event-list.patch 
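Review bot: the ethernet@e0000 node in qoriq-fman3-0-10g-2.dtsi marks both ports with fsl,fman-10g-port but carries no phy-connection-type, so the board .dts must still supply the XGMII connection type; the labels fman0_rx_0x08, fman0_tx_0x28 and pcsphy0 presumably mirror those of the 1g-0 stub being dropped, which keeps existing board references resolving, but that should be stated. qoriq-fman3-0-10g-3.dtsi is the same file with every index shifted by one, so the same applies there.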
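Review bot: replacing the qoriq-fman3-0-1g-0/1g-1 includes in t2081si-post.dtsi rather than adding 10g-2/10g-3 beside them changes every T2080/T2081 board that includes this file, not only boards wired for XGMII; the message says MAC1 and MAC2 "support" XGMII, so it should also say whether any in-tree board used them at 1G and what those boards see after this change.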
@@ -0,0 +1,174 @@ +From 43cd429965b7243d817d21e2a990883ca60bc498 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 30 Nov 2022 23:15:13 +0530 +Subject: powerpc/hv-gpci: Fix hv_gpci event list + +From: Kajol Jain + +[ Upstream commit 03f7c1d2a49acd30e38789cd809d3300721e9b0e ] + +Based on getPerfCountInfo v1.018 documentation, some of the +hv_gpci events were deprecated for platform firmware that +supports counter_info_version 0x8 or above. + +Fix the hv_gpci event list by adding a new attribute group +called "hv_gpci_event_attrs_v6" and a "ENABLE_EVENTS_COUNTERINFO_V6" +macro to enable these events for platform firmware +that supports counter_info_version 0x6 or below. And assigning +the hv_gpci event list based on output counter info version +of underlying plaform. + +Fixes: 97bf2640184f ("powerpc/perf/hv-gpci: add the remaining gpci requests") +Signed-off-by: Kajol Jain +Reviewed-by: Madhavan Srinivasan +Reviewed-by: Athira Rajeev +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221130174513.87501-1-kjain@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/hv-gpci-requests.h | 4 ++++ + arch/powerpc/perf/hv-gpci.c | 33 +++++++++++++++++++++++++++- + arch/powerpc/perf/hv-gpci.h | 1 + + arch/powerpc/perf/req-gen/perf.h | 20 +++++++++++++++++ + 4 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/perf/hv-gpci-requests.h b/arch/powerpc/perf/hv-gpci-requests.h +index 5ea24d16a74a..2530dd0c3788 100644 +--- a/arch/powerpc/perf/hv-gpci-requests.h ++++ b/arch/powerpc/perf/hv-gpci-requests.h +@@ -78,6 +78,7 @@ REQUEST(__field(0, 8, partition_id) + ) + #include I(REQUEST_END) + ++#ifdef ENABLE_EVENTS_COUNTERINFO_V6 + /* + * Not available for counter_info_version >= 0x8, use + * run_instruction_cycles_by_partition(0x100) instead. 
+@@ -91,6 +92,7 @@ REQUEST(__field(0, 8, partition_id) + __count(0x10, 8, cycles) + ) + #include I(REQUEST_END) ++#endif + + #define REQUEST_NAME system_performance_capabilities + #define REQUEST_NUM 0x40 +@@ -102,6 +104,7 @@ REQUEST(__field(0, 1, perf_collect_privileged) + ) + #include I(REQUEST_END) + ++#ifdef ENABLE_EVENTS_COUNTERINFO_V6 + #define REQUEST_NAME processor_bus_utilization_abc_links + #define REQUEST_NUM 0x50 + #define REQUEST_IDX_KIND "hw_chip_id=?" +@@ -193,6 +196,7 @@ REQUEST(__field(0, 4, phys_processor_idx) + __count(0x28, 8, instructions_completed) + ) + #include I(REQUEST_END) ++#endif + + /* Processor_core_power_mode (0x95) skipped, no counters */ + /* Affinity_domain_information_by_virtual_processor (0xA0) skipped, +diff --git a/arch/powerpc/perf/hv-gpci.c b/arch/powerpc/perf/hv-gpci.c +index 160b86d9d819..126409bb5626 100644 +--- a/arch/powerpc/perf/hv-gpci.c ++++ b/arch/powerpc/perf/hv-gpci.c +@@ -74,7 +74,7 @@ static struct attribute_group format_group = { + + static struct attribute_group event_group = { + .name = "events", +- .attrs = hv_gpci_event_attrs, ++ /* .attrs is set in init */ + }; + + #define HV_CAPS_ATTR(_name, _format) \ +@@ -292,6 +292,7 @@ static int hv_gpci_init(void) + int r; + unsigned long hret; + struct hv_perf_caps caps; ++ struct hv_gpci_request_buffer *arg; + + hv_gpci_assert_offsets_correct(); + +@@ -310,6 +311,36 @@ static int hv_gpci_init(void) + /* sampling not supported */ + h_gpci_pmu.capabilities |= PERF_PMU_CAP_NO_INTERRUPT; + ++ arg = (void *)get_cpu_var(hv_gpci_reqb); ++ memset(arg, 0, HGPCI_REQ_BUFFER_SIZE); ++ ++ /* ++ * hcall H_GET_PERF_COUNTER_INFO populates the output ++ * counter_info_version value based on the system hypervisor. ++ * Pass the counter request 0x10 corresponds to request type ++ * 'Dispatch_timebase_by_processor', to get the supported ++ * counter_info_version. 
++ */ ++ arg->params.counter_request = cpu_to_be32(0x10); ++ ++ r = plpar_hcall_norets(H_GET_PERF_COUNTER_INFO, ++ virt_to_phys(arg), HGPCI_REQ_BUFFER_SIZE); ++ if (r) { ++ pr_devel("hcall failed, can't get supported counter_info_version: 0x%x\n", r); ++ arg->params.counter_info_version_out = 0x8; ++ } ++ ++ /* ++ * Use counter_info_version_out value to assign ++ * required hv-gpci event list. ++ */ ++ if (arg->params.counter_info_version_out >= 0x8) ++ event_group.attrs = hv_gpci_event_attrs; ++ else ++ event_group.attrs = hv_gpci_event_attrs_v6; ++ ++ put_cpu_var(hv_gpci_reqb); ++ + r = perf_pmu_register(&h_gpci_pmu, h_gpci_pmu.name, -1); + if (r) + return r; +diff --git a/arch/powerpc/perf/hv-gpci.h b/arch/powerpc/perf/hv-gpci.h +index 86ede8275961..83300e73c398 100644 +--- a/arch/powerpc/perf/hv-gpci.h ++++ b/arch/powerpc/perf/hv-gpci.h +@@ -52,6 +52,7 @@ enum { + #define REQUEST_FILE "../hv-gpci-requests.h" + #define NAME_LOWER hv_gpci + #define NAME_UPPER HV_GPCI ++#define ENABLE_EVENTS_COUNTERINFO_V6 + #include "req-gen/perf.h" + #undef REQUEST_FILE + #undef NAME_LOWER +diff --git a/arch/powerpc/perf/req-gen/perf.h b/arch/powerpc/perf/req-gen/perf.h +index 1b122469323d..9628b57a8635 100644 +--- a/arch/powerpc/perf/req-gen/perf.h ++++ b/arch/powerpc/perf/req-gen/perf.h +@@ -137,6 +137,26 @@ PMU_EVENT_ATTR_STRING( \ + #define REQUEST_(r_name, r_value, r_idx_1, r_fields) \ + r_fields + ++/* Generate event list for platforms with counter_info_version 0x6 or below */ ++static __maybe_unused struct attribute *hv_gpci_event_attrs_v6[] = { ++#include REQUEST_FILE ++ NULL ++}; ++ ++/* ++ * Based on getPerfCountInfo v1.018 documentation, some of the hv-gpci ++ * events were deprecated for platform firmware that supports ++ * counter_info_version 0x8 or above. ++ * Those deprecated events are still part of platform firmware that ++ * support counter_info_version 0x6 and below. As per the getPerfCountInfo ++ * v1.018 documentation there is no counter_info_version 0x7. 
++ * Undefining macro ENABLE_EVENTS_COUNTERINFO_V6, to disable the addition of ++ * deprecated events in "hv_gpci_event_attrs" attribute group, for platforms ++ * that supports counter_info_version 0x8 or above. ++ */ ++#undef ENABLE_EVENTS_COUNTERINFO_V6 ++ ++/* Generate event list for platforms with counter_info_version 0x8 or above*/ + static __maybe_unused struct attribute *hv_gpci_event_attrs[] = { + #include REQUEST_FILE + NULL +-- +2.35.1 + diff --git a/queue-4.9/powerpc-perf-callchain-validate-kernel-stack-pointer.patch b/queue-4.9/powerpc-perf-callchain-validate-kernel-stack-pointer.patch new file mode 100644 index 00000000000..0f61ae8bf27 --- /dev/null +++ b/queue-4.9/powerpc-perf-callchain-validate-kernel-stack-pointer.patch 
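Review bot: in the hv-gpci.c hunk, counter_request is written with cpu_to_be32() but counter_info_version_out is compared against 0x8 with no byte-order conversion; that is correct only if the field is a single byte in struct hv_get_perf_counter_info_params, which the hunk does not show and the commit message should confirm. When the hcall fails the code falls back to 0x8, i.e. the shorter event list, which is the safe direction; a word to that effect in the comment would help.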
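Review bot: the `#undef ENABLE_EVENTS_COUNTERINFO_V6` inside req-gen/perf.h silently undefines a macro that hv-gpci.h defined two lines before its #include; a comment next to that #define pointing at this #undef would save the next reader from wondering why the macro is never undefined in hv-gpci.h. Nit: the closing comment `0x8 or above*/` is missing a space before `*/`.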
@@ -0,0 +1,46 @@ +From 734c5e2dc5344a20b0f885bef9b6da8566444d4a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 27 Nov 2022 22:49:28 +1000 +Subject: powerpc/perf: callchain validate kernel stack pointer bounds + +From: Nicholas Piggin + +[ Upstream commit 32c5209214bd8d4f8c4e9d9b630ef4c671f58e79 ] + +The interrupt frame detection and loads from the hypothetical pt_regs +are not bounds-checked. The next-frame validation only bounds-checks +STACK_FRAME_OVERHEAD, which does not include the pt_regs. Add another +test for this. + +The user could set r1 to be equal to the address matching the first +interrupt frame - STACK_INT_FRAME_SIZE, which is in the previous page +due to the kernel redzone, and induce the kernel to load the marker from +there. Possibly this could cause a crash at least. If the user could +induce the previous page to contain a valid marker, then it might be +able to direct perf to read specific memory addresses in a way that +could be transmitted back to the user in the perf data. + +Fixes: 20002ded4d93 ("perf_counter: powerpc: Add callchain support") +Signed-off-by: Nicholas Piggin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221127124942.1665522-4-npiggin@gmail.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/perf/callchain.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/powerpc/perf/callchain.c b/arch/powerpc/perf/callchain.c +index 0fc26714780a..a4c4685096f8 100644 +--- a/arch/powerpc/perf/callchain.c ++++ b/arch/powerpc/perf/callchain.c +@@ -67,6 +67,7 @@ perf_callchain_kernel(struct perf_callchain_entry_ctx *entry, struct pt_regs *re + next_sp = fp[0]; + + if (next_sp == sp + STACK_INT_FRAME_SIZE && ++ validate_sp(sp, current, STACK_INT_FRAME_SIZE) && + fp[STACK_FRAME_MARKER] == STACK_FRAME_REGS_MARKER) { + /* + * This looks like an interrupt frame for an +-- +2.35.1 + 
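Review bot: the new validate_sp(sp, current, STACK_INT_FRAME_SIZE) guards the fp[STACK_FRAME_MARKER] load that follows it, but the address checked is sp while the address dereferenced is fp; this is sound only if fp is (unsigned long *)sp at this point, which the surrounding lines suggest and the commit message should state. The `next_sp = fp[0]` load above the if still happens before this check and relies on the STACK_FRAME_OVERHEAD validation the message describes; a comment saying fp[0] is covered by that earlier check would make the bounds reasoning explicit.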
diff --git a/queue-4.9/ppp-associate-skb-with-a-device-at-tx.patch b/queue-4.9/ppp-associate-skb-with-a-device-at-tx.patch new file mode 100644 index 00000000000..fab735a1492 --- /dev/null +++ b/queue-4.9/ppp-associate-skb-with-a-device-at-tx.patch 
@@ -0,0 +1,62 @@ +From 9c6add5f238324350c36792983895b75f7b27233 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 21 Nov 2022 10:29:13 -0800 +Subject: ppp: associate skb with a device at tx + +From: Stanislav Fomichev + +[ Upstream commit 9f225444467b98579cf28d94f4ad053460dfdb84 ] + +Syzkaller triggered flow dissector warning with the following: + +r0 = openat$ppp(0xffffffffffffff9c, &(0x7f0000000000), 0xc0802, 0x0) +ioctl$PPPIOCNEWUNIT(r0, 0xc004743e, &(0x7f00000000c0)) +ioctl$PPPIOCSACTIVE(r0, 0x40107446, &(0x7f0000000240)={0x2, &(0x7f0000000180)=[{0x20, 0x0, 0x0, 0xfffff034}, {0x6}]}) +pwritev(r0, &(0x7f0000000040)=[{&(0x7f0000000140)='\x00!', 0x2}], 0x1, 0x0, 0x0) + +[ 9.485814] WARNING: CPU: 3 PID: 329 at net/core/flow_dissector.c:1016 __skb_flow_dissect+0x1ee0/0x1fa0 +[ 9.485929] skb_get_poff+0x53/0xa0 +[ 9.485937] bpf_skb_get_pay_offset+0xe/0x20 +[ 9.485944] ? ppp_send_frame+0xc2/0x5b0 +[ 9.485949] ? _raw_spin_unlock_irqrestore+0x40/0x60 +[ 9.485958] ? __ppp_xmit_process+0x7a/0xe0 +[ 9.485968] ? ppp_xmit_process+0x5b/0xb0 +[ 9.485974] ? ppp_write+0x12a/0x190 +[ 9.485981] ? do_iter_write+0x18e/0x2d0 +[ 9.485987] ? __import_iovec+0x30/0x130 +[ 9.485997] ? do_pwritev+0x1b6/0x240 +[ 9.486016] ? trace_hardirqs_on+0x47/0x50 +[ 9.486023] ? __x64_sys_pwritev+0x24/0x30 +[ 9.486026] ? do_syscall_64+0x3d/0x80 +[ 9.486031] ? entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Flow dissector tries to find skb net namespace either via device +or via socket. Neigher is set in ppp_send_frame, so let's manually +use ppp->dev. + +Cc: Paul Mackerras +Cc: linux-ppp@vger.kernel.org +Reported-by: syzbot+41cab52ab62ee99ed24a@syzkaller.appspotmail.com +Signed-off-by: Stanislav Fomichev +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ppp/ppp_generic.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c +index 6287d2ad77c6..f6cf25cba16e 100644 +--- a/drivers/net/ppp/ppp_generic.c ++++ b/drivers/net/ppp/ppp_generic.c +@@ -1541,6 +1541,8 @@ ppp_send_frame(struct ppp *ppp, struct sk_buff *skb) + int len; + unsigned char *cp; + ++ skb->dev = ppp->dev; ++ + if (proto < 0x8000) { + #ifdef CONFIG_PPP_FILTER + /* check if we should pass this packet */ +-- +2.35.1 + diff --git a/queue-4.9/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch b/queue-4.9/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch new file mode 100644 index 00000000000..d2f0b62f370 --- /dev/null +++ b/queue-4.9/pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch 
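Review bot: `skb->dev = ppp->dev` is set unconditionally at the top of ppp_send_frame(), not only on the CONFIG_PPP_FILTER path that produced the warning, so the commit message should confirm that ppp->dev cannot be NULL here (a NULL dev would turn the flow dissector warning into a NULL dereference) and that channels further down overwrite or ignore skb->dev when the skb is handed on.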
@@ -0,0 +1,103 @@ +From 63dc30d925fbabd7c532bba84a5375a271b662e1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 15:31:36 -0800 +Subject: pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP + +From: Stephen Boyd + +[ Upstream commit e6b842741b4f39007215fd7e545cb55aa3d358a2 ] + +An oops can be induced by running 'cat /proc/kcore > /dev/null' on +devices using pstore with the ram backend because kmap_atomic() assumes +lowmem pages are accessible with __va(). + + Unable to handle kernel paging request at virtual address ffffff807ff2b000 + Mem abort info: + ESR = 0x96000006 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x06: level 2 translation fault + Data abort info: + ISV = 0, ISS = 0x00000006 + CM = 0, WnR = 0 + swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000081d87000 + [ffffff807ff2b000] pgd=180000017fe18003, p4d=180000017fe18003, pud=180000017fe18003, pmd=0000000000000000 + Internal error: Oops: 96000006 [#1] PREEMPT SMP + Modules linked in: dm_integrity + CPU: 7 PID: 21179 Comm: perf Not tainted 5.15.67-10882-ge4eb2eb988cd #1 baa443fb8e8477896a370b31a821eb2009f9bfba + Hardware name: Google Lazor (rev3 - 8) (DT) + pstate: a0400009 (NzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) + pc : __memcpy+0x110/0x260 + lr : vread+0x194/0x294 + sp : ffffffc013ee39d0 + x29: ffffffc013ee39f0 x28: 0000000000001000 x27: ffffff807ff2b000 + x26: 0000000000001000 x25: ffffffc0085a2000 x24: ffffff802d4b3000 + x23: ffffff80f8a60000 x22: ffffff802d4b3000 x21: ffffffc0085a2000 + x20: ffffff8080b7bc68 x19: 0000000000001000 x18: 0000000000000000 + x17: 0000000000000000 x16: 0000000000000000 x15: ffffffd3073f2e60 + x14: ffffffffad588000 x13: 0000000000000000 x12: 0000000000000001 + x11: 00000000000001a2 x10: 00680000fff2bf0b x9 : 03fffffff807ff2b + x8 : 0000000000000001 x7 : 0000000000000000 x6 : 0000000000000000 + x5 : ffffff802d4b4000 x4 : ffffff807ff2c000 x3 : ffffffc013ee3a78 + x2 : 0000000000001000 x1 : 
ffffff807ff2b000 x0 : ffffff802d4b3000 + Call trace: + __memcpy+0x110/0x260 + read_kcore+0x584/0x778 + proc_reg_read+0xb4/0xe4 + +During early boot, memblock reserves the pages for the ramoops reserved +memory node in DT that would otherwise be part of the direct lowmem +mapping. Pstore's ram backend reuses those reserved pages to change the +memory type (writeback or non-cached) by passing the pages to vmap() +(see pfn_to_page() usage in persistent_ram_vmap() for more details) with +specific flags. When read_kcore() starts iterating over the vmalloc +region, it runs over the virtual address that vmap() returned for +ramoops. In aligned_vread() the virtual address is passed to +vmalloc_to_page() which returns the page struct for the reserved lowmem +area. That lowmem page is passed to kmap_atomic(), which effectively +calls page_to_virt() that assumes a lowmem page struct must be directly +accessible with __va() and friends. These pages are mapped via vmap() +though, and the lowmem mapping was never made, so accessing them via the +lowmem virtual address oopses like above. + +Let's side-step this problem by passing VM_IOREMAP to vmap(). This will +tell vread() to not include the ramoops region in the kcore. Instead the +area will look like a bunch of zeros. The alternative is to teach kmap() +about vmalloc areas that intersect with lowmem. Presumably such a change +isn't a one-liner, and there isn't much interest in inspecting the +ramoops region in kcore files anyway, so the most expedient route is +taken for now. 
+ +Cc: Brian Geffon +Cc: Mike Rapoport +Cc: Andrew Morton +Fixes: 404a6043385d ("staging: android: persistent_ram: handle reserving and mapping memory") +Signed-off-by: Stephen Boyd +Signed-off-by: Kees Cook +Link: https://lore.kernel.org/r/20221205233136.3420802-1-swboyd@chromium.org +Signed-off-by: Sasha Levin +--- + fs/pstore/ram_core.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/fs/pstore/ram_core.c b/fs/pstore/ram_core.c +index 11e558efd61e..b56cf56ae926 100644 +--- a/fs/pstore/ram_core.c ++++ b/fs/pstore/ram_core.c +@@ -418,7 +418,11 @@ static void *persistent_ram_vmap(phys_addr_t start, size_t size, + phys_addr_t addr = page_start + i * PAGE_SIZE; + pages[i] = pfn_to_page(addr >> PAGE_SHIFT); + } +- vaddr = vmap(pages, page_count, VM_MAP, prot); ++ /* ++ * VM_IOREMAP used here to bypass this region during vread() ++ * and kmap_atomic() (i.e. kcore) to avoid __va() failures. ++ */ ++ vaddr = vmap(pages, page_count, VM_MAP | VM_IOREMAP, prot); + kfree(pages); + + /* +-- +2.35.1 + diff --git a/queue-4.9/r6040-fix-kmemleak-in-probe-and-remove.patch b/queue-4.9/r6040-fix-kmemleak-in-probe-and-remove.patch new file mode 100644 index 00000000000..b95eb24cd96 --- /dev/null +++ b/queue-4.9/r6040-fix-kmemleak-in-probe-and-remove.patch 
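Review bot: the new comment explains only the vread() effect of VM_IOREMAP; the flag also changes how the area is reported elsewhere (for example /proc/vmallocinfo lists it as ioremap), and since this is a 4.9 backport the reviewer should confirm that 4.9's vread() already treats VM_IOREMAP areas as holes (the "look like a bunch of zeros" behaviour the message relies on), otherwise the backport changes nothing for kcore.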
@@ -0,0 +1,96 @@ +From 00b2badcd4d407eb2dc5603958d79396ba216614 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 13 Dec 2022 20:56:14 +0800 +Subject: r6040: Fix kmemleak in probe and remove + +From: Li Zetao + +[ Upstream commit 7e43039a49c2da45edc1d9d7c9ede4003ab45a5f ] + +There is a memory leaks reported by kmemleak: + + unreferenced object 0xffff888116111000 (size 2048): + comm "modprobe", pid 817, jiffies 4294759745 (age 76.502s) + hex dump (first 32 bytes): + 00 c4 0a 04 81 88 ff ff 08 10 11 16 81 88 ff ff ................ + 08 10 11 16 81 88 ff ff 00 00 00 00 00 00 00 00 ................ + backtrace: + [] kmalloc_trace+0x22/0x60 + [] phy_device_create+0x4e/0x90 + [] get_phy_device+0xd2/0x220 + [] mdiobus_scan+0xa4/0x2e0 + [] __mdiobus_register+0x482/0x8b0 + [] r6040_init_one+0x714/0xd2c [r6040] + ... + +The problem occurs in probe process as follows: + r6040_init_one: + mdiobus_register + mdiobus_scan <- alloc and register phy_device, + the reference count of phy_device is 3 + r6040_mii_probe + phy_connect <- connect to the first phy_device, + so the reference count of the first + phy_device is 4, others are 3 + register_netdev <- fault inject succeeded, goto error handling path + + // error handling path + err_out_mdio_unregister: + mdiobus_unregister(lp->mii_bus); + err_out_mdio: + mdiobus_free(lp->mii_bus); <- the reference count of the first + phy_device is 1, it is not released + and other phy_devices are released + // similarly, the remove process also has the same problem + +The root cause is traced to the phy_device is not disconnected when +removes one r6040 device in r6040_remove_one() or on error handling path +after r6040_mii probed successfully. In r6040_mii_probe(), a net ethernet +device is connected to the first PHY device of mii_bus, in order to +notify the connected driver when the link status changes, which is the +default behavior of the PHY infrastructure to handle everything. 
+Therefore the phy_device should be disconnected when removes one r6040 +device or on error handling path. + +Fix it by adding phy_disconnect() when removes one r6040 device or on +error handling path after r6040_mii probed successfully. + +Fixes: 3831861b4ad8 ("r6040: implement phylib") +Signed-off-by: Li Zetao +Reviewed-by: Leon Romanovsky +Link: https://lore.kernel.org/r/20221213125614.927754-1-lizetao1@huawei.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/rdc/r6040.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/rdc/r6040.c b/drivers/net/ethernet/rdc/r6040.c +index 065a63123863..4a963b4ec0eb 100644 +--- a/drivers/net/ethernet/rdc/r6040.c ++++ b/drivers/net/ethernet/rdc/r6040.c +@@ -1185,10 +1185,12 @@ static int r6040_init_one(struct pci_dev *pdev, const struct pci_device_id *ent) + err = register_netdev(dev); + if (err) { + dev_err(&pdev->dev, "Failed to register net device\n"); +- goto err_out_mdio_unregister; ++ goto err_out_phy_disconnect; + } + return 0; + ++err_out_phy_disconnect: ++ phy_disconnect(dev->phydev); + err_out_mdio_unregister: + mdiobus_unregister(lp->mii_bus); + err_out_mdio: +@@ -1212,6 +1214,7 @@ static void r6040_remove_one(struct pci_dev *pdev) + struct r6040_private *lp = netdev_priv(dev); + + unregister_netdev(dev); ++ phy_disconnect(dev->phydev); + mdiobus_unregister(lp->mii_bus); + mdiobus_free(lp->mii_bus); + netif_napi_del(&lp->napi); +-- +2.35.1 + diff --git a/queue-4.9/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch b/queue-4.9/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch new file mode 100644 index 00000000000..4c5425a31cb --- /dev/null +++ b/queue-4.9/rapidio-devices-fix-missing-put_device-in-mport_cdev.patch 
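Review bot: the new err_out_phy_disconnect label sits above err_out_mdio_unregister, so earlier failures (before r6040_mii_probe()) that still jump to err_out_mdio_unregister correctly skip phy_disconnect(); phy_disconnect(dev->phydev) requires dev->phydev to be non-NULL, which holds because only the register_netdev() failure after a successful r6040_mii_probe() reaches it, and a comment on the label would make that precondition explicit.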
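Review bot: in r6040_remove_one() phy_disconnect(dev->phydev) runs after unregister_netdev(), so dev->phydev must survive the close path; if ndo_stop already disconnects or clears phydev this would be a NULL dereference or a double disconnect, and the message should state that r6040's close only stops the PHY.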
@@ -0,0 +1,44 @@ +From 1a017be9e663c893f5c278a779e5715d79fbde11 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 3 Dec 2022 08:57:21 +0000 +Subject: rapidio: devices: fix missing put_device in mport_cdev_open + +From: Cai Xinchen + +[ Upstream commit d5b6e6eba3af11cb2a2791fa36a2524990fcde1a ] + +When kfifo_alloc fails, the refcount of chdev->dev is left incremental. +We should use put_device(&chdev->dev) to decrease the ref count of +chdev->dev to avoid refcount leak. + +Link: https://lkml.kernel.org/r/20221203085721.13146-1-caixinchen1@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Cai Xinchen +Cc: Alexandre Bounine +Cc: Dan Carpenter +Cc: Jakob Koschel +Cc: John Hubbard +Cc: Matt Porter +Cc: Wang Weiyang +Cc: Yang Yingliang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index 381354ef0959..2c232217fd35 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1972,6 +1972,7 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + sizeof(struct rio_event) * MPORT_EVENT_DEPTH, + GFP_KERNEL); + if (ret < 0) { ++ put_device(&chdev->dev); + dev_err(&chdev->dev, DRV_NAME ": kfifo_alloc failed\n"); + ret = -ENOMEM; + goto err_fifo; +-- +2.35.1 + diff --git a/queue-4.9/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch b/queue-4.9/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch new file mode 100644 index 00000000000..dab3a8c3a7f --- /dev/null +++ b/queue-4.9/rapidio-fix-possible-name-leaks-when-rio_add_device-.patch 
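Review bot: put_device(&chdev->dev) is placed before dev_err(&chdev->dev, ...) in the same block; if that put drops the last reference, dev_err then touches a freed device, so move the put_device() after the dev_err() (or into the err_fifo cleanup) so the device is not used after its reference is released.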
@@ -0,0 +1,76 @@ +From 762a5c48f85b7365d85071881429cff7c48340ca Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:26:35 +0800 +Subject: rapidio: fix possible name leaks when rio_add_device() fails + +From: Yang Yingliang + +[ Upstream commit f9574cd48679926e2a569e1957a5a1bcc8a719ac ] + +Patch series "rapidio: fix three possible memory leaks". + +This patchset fixes three name leaks in error handling. + - patch #1 fixes two name leaks while rio_add_device() fails. + - patch #2 fixes a name leak while rio_register_mport() fails. + +This patch (of 2): + +If rio_add_device() returns error, the name allocated by dev_set_name() +need be freed. It should use put_device() to give up the reference in the +error path, so that the name can be freed in kobject_cleanup(), and the +'rdev' can be freed in rio_release_dev(). + +Link: https://lkml.kernel.org/r/20221114152636.2939035-1-yangyingliang@huawei.com +Link: https://lkml.kernel.org/r/20221114152636.2939035-2-yangyingliang@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +Cc: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 7 +++++-- + drivers/rapidio/rio-scan.c | 8 ++++++-- + 2 files changed, 11 insertions(+), 4 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index c246d3a2fc5f..c0597b6d75ef 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1864,8 +1864,11 @@ static int rio_mport_add_riodev(struct mport_cdev_priv *priv, + rio_init_dbell_res(&rdev->riores[RIO_DOORBELL_RESOURCE], + 0, 0xffff); + err = rio_add_device(rdev); +- if (err) +- goto cleanup; ++ if (err) { ++ put_device(&rdev->dev); ++ return err; ++ } ++ + rio_dev_get(rdev); + + return 0; 
+diff --git a/drivers/rapidio/rio-scan.c b/drivers/rapidio/rio-scan.c +index 23429bdaca84..26ab8c463dae 100644 +--- a/drivers/rapidio/rio-scan.c ++++ b/drivers/rapidio/rio-scan.c +@@ -460,8 +460,12 @@ static struct rio_dev *rio_setup_device(struct rio_net *net, + 0, 0xffff); + + ret = rio_add_device(rdev); +- if (ret) +- goto cleanup; ++ if (ret) { ++ if (rswitch) ++ kfree(rswitch->route_table); ++ put_device(&rdev->dev); ++ return NULL; ++ } + + rio_dev_get(rdev); + +-- +2.35.1 + diff --git a/queue-4.9/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch b/queue-4.9/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch new file mode 100644 index 00000000000..4b54294561c --- /dev/null +++ b/queue-4.9/rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch 
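Review bot: in the rio_mport_cdev.c hunk, replacing `goto cleanup` with put_device() and a direct return relies on rio_release_dev() freeing everything the old cleanup label freed; the hunk does not show that label, so the message should confirm nothing else (for example resources set up by rio_init_dbell_res() just above) was released only at cleanup, otherwise this swaps a name leak for a different leak.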
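Review bot: the rio-scan.c hunk frees rswitch->route_table explicitly and then calls put_device(&rdev->dev); this is only correct if rio_release_dev() does not also free route_table, or it becomes a double free. The commit message should say so, and any other error return in rio_setup_device() after the route_table allocation should free it the same way if it does not already.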
@@ -0,0 +1,58 @@ +From 5a9cc1aad7471856a16e9f32c3eff79462154339 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 17:51:47 +0800 +Subject: rapidio: fix possible UAF when kfifo_alloc() fails + +From: Wang Weiyang + +[ Upstream commit 02d7d89f816951e0862147d751b1150d67aaebdd ] + +If kfifo_alloc() fails in mport_cdev_open(), goto err_fifo and just free +priv. But priv is still in the chdev->file_list, then list traversal +may cause UAF. This fixes the following smatch warning: + +drivers/rapidio/devices/rio_mport_cdev.c:1930 mport_cdev_open() warn: '&priv->list' not removed from list + +Link: https://lkml.kernel.org/r/20221123095147.52408-1-wangweiyang2@huawei.com +Fixes: e8de370188d0 ("rapidio: add mport char device driver") +Signed-off-by: Wang Weiyang +Cc: Alexandre Bounine +Cc: Dan Carpenter +Cc: Jakob Koschel +Cc: John Hubbard +Cc: Matt Porter +Cc: Yang Yingliang +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/devices/rio_mport_cdev.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/drivers/rapidio/devices/rio_mport_cdev.c b/drivers/rapidio/devices/rio_mport_cdev.c +index c0597b6d75ef..381354ef0959 100644 +--- a/drivers/rapidio/devices/rio_mport_cdev.c ++++ b/drivers/rapidio/devices/rio_mport_cdev.c +@@ -1964,10 +1964,6 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + + priv->md = chdev; + +- mutex_lock(&chdev->file_mutex); +- list_add_tail(&priv->list, &chdev->file_list); +- mutex_unlock(&chdev->file_mutex); +- + INIT_LIST_HEAD(&priv->db_filters); + INIT_LIST_HEAD(&priv->pw_filters); + spin_lock_init(&priv->fifo_lock); +@@ -1987,6 +1983,9 @@ static int mport_cdev_open(struct inode *inode, struct file *filp) + spin_lock_init(&priv->req_lock); + mutex_init(&priv->dma_lock); + #endif ++ mutex_lock(&chdev->file_mutex); ++ list_add_tail(&priv->list, &chdev->file_list); ++ mutex_unlock(&chdev->file_mutex); + + filp->private_data = priv; + goto out; +-- +2.35.1 + 
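Review bot: moving list_add_tail() to just before `filp->private_data = priv; goto out;` places it after the last failure path in the visible context, which removes the stale list entry; note that the index lines (c0597b6d75ef..381354ef0959 here, 381354ef0959..2c232217fd35 in rapidio-devices-fix-missing-put_device) mean this patch must be applied after rapidio-fix-possible-name-leaks and before the put_device fix, so the queue order has to preserve that chain even though the file names sort differently.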
diff --git a/queue-4.9/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch b/queue-4.9/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch new file mode 100644 index 00000000000..b71e33ec47d --- /dev/null +++ b/queue-4.9/rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch @@ -0,0 +1,51 @@ +From f17ae7799d965428eeed3bb643d2321c64224024 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 23:26:36 +0800 +Subject: rapidio: rio: fix possible name leak in rio_register_mport() + +From: Yang Yingliang + +[ Upstream commit e92a216d16bde65d21a3227e0fb2aa0794576525 ] + +If device_register() returns error, the name allocated by dev_set_name() +need be freed. It should use put_device() to give up the reference in the +error path, so that the name can be freed in kobject_cleanup(), and +list_del() is called to delete the port from rio_mports. + +Link: https://lkml.kernel.org/r/20221114152636.2939035-3-yangyingliang@huawei.com +Fixes: 2aaf308b95b2 ("rapidio: rework device hierarchy and introduce mport class of devices") +Signed-off-by: Yang Yingliang +Cc: Alexandre Bounine +Cc: Matt Porter +Signed-off-by: Andrew Morton +Signed-off-by: Sasha Levin +--- + drivers/rapidio/rio.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/rapidio/rio.c b/drivers/rapidio/rio.c +index 37042858c2db..4710286096dc 100644 +--- a/drivers/rapidio/rio.c ++++ b/drivers/rapidio/rio.c +@@ -2275,11 +2275,16 @@ int rio_register_mport(struct rio_mport *port) + atomic_set(&port->state, RIO_DEVICE_RUNNING); + + res = device_register(&port->dev); +- if (res) ++ if (res) { + dev_err(&port->dev, "RIO: mport%d registration failed ERR=%d\n", + port->id, res); +- else ++ mutex_lock(&rio_mport_list_lock); ++ list_del(&port->node); ++ mutex_unlock(&rio_mport_list_lock); ++ put_device(&port->dev); ++ } else { + dev_dbg(&port->dev, "RIO: registered mport%d\n", port->id); ++ } + + return res; + } +-- +2.35.1 + 
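Review bot: the error branch now list_del()s the port and drops the device reference, but the first context line of the hunk, atomic_set(&port->state, RIO_DEVICE_RUNNING), runs before device_register(); on failure the state is left as RUNNING for a port that was never registered, so consider resetting it (or moving the atomic_set after a successful register) alongside this fix. The added braces on both branches are consistent with kernel style.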
diff --git a/queue-4.9/regulator-core-fix-module-refcount-leak-in-set_suppl.patch b/queue-4.9/regulator-core-fix-module-refcount-leak-in-set_suppl.patch new file mode 100644 index 00000000000..80bbe5f8b5f --- /dev/null +++ b/queue-4.9/regulator-core-fix-module-refcount-leak-in-set_suppl.patch @@ -0,0 +1,36 @@ +From 6a2559fabeb97d9b0bf458eebf2cfce829a9af87 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 20:27:05 +0800 +Subject: regulator: core: fix module refcount leak in set_supply() + +From: Yang Yingliang + +[ Upstream commit da46ee19cbd8344d6860816b4827a7ce95764867 ] + +If create_regulator() fails in set_supply(), the module refcount +needs be put to keep refcount balanced. + +Fixes: e2c09ae7a74d ("regulator: core: Increase refcount for regulator supply's module") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221201122706.4055992-2-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index e1f934fec562..cbc3397258f6 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1157,6 +1157,7 @@ static int set_supply(struct regulator_dev *rdev, + + rdev->supply = create_regulator(supply_rdev, &rdev->dev, "SUPPLY"); + if (rdev->supply == NULL) { ++ module_put(supply_rdev->owner); + err = -ENOMEM; + return err; + } +-- +2.35.1 + diff --git a/queue-4.9/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch b/queue-4.9/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch new file mode 100644 index 00000000000..ed60555d627 --- /dev/null +++ b/queue-4.9/regulator-core-fix-unbalanced-of-node-refcount-in-re.patch 
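Review bot: the `module_put(supply_rdev->owner)` in the create_regulator() failure branch undoes the module reference that the Fixes: commit (e2c09ae7a74d) takes on the supply's module, but the hunk context does not include the matching try_module_get(); the put is balanced only if the get happens unconditionally before this point in set_supply() and no other part of the error path already drops it, so quoting that get in the changelog would let reviewers confirm the pairing. Minor style point on the same lines: `err = -ENOMEM; return err;` can simply be `return -ENOMEM;` since err is not used afterwards in the visible context.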
@@ -0,0 +1,43 @@ +From d5bca91dc9fa3d18410d143917098acdc2e20708 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 17:15:08 +0800 +Subject: regulator: core: fix unbalanced of node refcount in + regulator_dev_lookup() + +From: Yang Yingliang + +[ Upstream commit f2b41b748c19962b82709d9f23c6b2b0ce9d2f91 ] + +I got the the following report: + + OF: ERROR: memory leak, expected refcount 1 instead of 2, + of_node_get()/of_node_put() unbalanced - destroy cset entry: + attach overlay node /i2c/pmic@62/regulators/exten + +In of_get_regulator(), the node is returned from of_parse_phandle() +with refcount incremented, after using it, of_node_put() need be called. + +Fixes: 69511a452e6d ("regulator: map consumer regulator based on device tree") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221115091508.900752-1-yangyingliang@huawei.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/core.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c +index 23323add5b0b..e1f934fec562 100644 +--- a/drivers/regulator/core.c ++++ b/drivers/regulator/core.c +@@ -1471,6 +1471,7 @@ static struct regulator_dev *regulator_dev_lookup(struct device *dev, + node = of_get_regulator(dev, supply); + if (node) { + r = of_find_regulator_by_node(node); ++ of_node_put(node); + if (r) + return r; + *ret = -EPROBE_DEFER; +-- +2.35.1 + diff --git a/queue-4.9/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch b/queue-4.9/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch new file mode 100644 index 00000000000..ad12b8d99e3 --- /dev/null +++ b/queue-4.9/rtc-snvs-allow-a-time-difference-on-clock-register-r.patch 
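Review bot: placing `of_node_put(node)` directly after `r = of_find_regulator_by_node(node);` and before the `if (r)` test is the right spot, because it releases the of_parse_phandle() reference on both the found path and the -EPROBE_DEFER path, and node is not used again in the visible context. It does depend on of_find_regulator_by_node() not keeping the caller's node pointer; if it matches by comparing against each regulator's own of_node without taking a reference, as the changelog implies, nothing is lost, and stating that in the commit message would make the one-line fix self-explanatory. The quoted "expected refcount 1 instead of 2" overlay report is exactly one leaked reference per lookup, which matches this single missing put.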
@@ -0,0 +1,92 @@ +From c0cf51137035b81964cb94a1b87ccdd5e9ca42d9 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 6 Nov 2022 12:59:15 +0100 +Subject: rtc: snvs: Allow a time difference on clock register read + +From: Stefan Eichenberger + +[ Upstream commit 0462681e207ccc44778a77b3297af728b1cf5b9f ] + +On an iMX6ULL the following message appears when a wakealarm is set: + +echo 0 > /sys/class/rtc/rtc1/wakealarm +rtc rtc1: Timeout trying to get valid LPSRT Counter read + +This does not always happen but is reproducible quite often (7 out of 10 +times). The problem appears because the iMX6ULL is not able to read the +registers within one 32kHz clock cycle which is the base clock of the +RTC. Therefore, this patch allows a difference of up to 320 cycles +(10ms). 10ms was chosen to be big enough even on systems with less cpu +power (e.g. iMX6ULL). According to the reference manual a difference is +fine: +- If the two consecutive reads are similar, the value is correct. +The values have to be similar, not equal. + +Fixes: cd7f3a249dbe ("rtc: snvs: Add timeouts to avoid kernel lockups") +Reviewed-by: Francesco Dolcini +Signed-off-by: Stefan Eichenberger +Signed-off-by: Francesco Dolcini +Link: https://lore.kernel.org/r/20221106115915.7930-1-francesco@dolcini.it +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-snvs.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/drivers/rtc/rtc-snvs.c b/drivers/rtc/rtc-snvs.c +index 71eee39520f0..792089ffc274 100644 +--- a/drivers/rtc/rtc-snvs.c ++++ b/drivers/rtc/rtc-snvs.c +@@ -39,6 +39,14 @@ + #define SNVS_LPPGDR_INIT 0x41736166 + #define CNTR_TO_SECS_SH 15 + ++/* The maximum RTC clock cycles that are allowed to pass between two ++ * consecutive clock counter register reads. If the values are corrupted a ++ * bigger difference is expected. The RTC frequency is 32kHz. With 320 cycles ++ * we end at 10ms which should be enough for most cases. 
If it once takes ++ * longer than expected we do a retry. ++ */ ++#define MAX_RTC_READ_DIFF_CYCLES 320 ++ + struct snvs_rtc_data { + struct rtc_device *rtc; + struct regmap *regmap; +@@ -63,6 +71,7 @@ static u64 rtc_read_lpsrt(struct snvs_rtc_data *data) + static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + { + u64 read1, read2; ++ s64 diff; + unsigned int timeout = 100; + + /* As expected, the registers might update between the read of the LSB +@@ -73,7 +82,8 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + do { + read2 = read1; + read1 = rtc_read_lpsrt(data); +- } while (read1 != read2 && --timeout); ++ diff = read1 - read2; ++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout); + if (!timeout) + dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); + +@@ -85,13 +95,15 @@ static u32 rtc_read_lp_counter(struct snvs_rtc_data *data) + static int rtc_read_lp_counter_lsb(struct snvs_rtc_data *data, u32 *lsb) + { + u32 count1, count2; ++ s32 diff; + unsigned int timeout = 100; + + regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); + do { + count2 = count1; + regmap_read(data->regmap, data->offset + SNVS_LPSRTCLR, &count1); +- } while (count1 != count2 && --timeout); ++ diff = count1 - count2; ++ } while (((diff < 0) || (diff > MAX_RTC_READ_DIFF_CYCLES)) && --timeout); + if (!timeout) { + dev_err(&data->rtc->dev, "Timeout trying to get valid LPSRT Counter read\n"); + return -ETIMEDOUT; +-- +2.35.1 + diff --git a/queue-4.9/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch b/queue-4.9/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch new file mode 100644 index 00000000000..789800eef42 --- /dev/null +++ b/queue-4.9/rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch 
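Review bot: in both hunks `diff = read1 - read2` is evaluated in unsigned arithmetic (u64 in rtc_read_lp_counter(), u32 in rtc_read_lp_counter_lsb()) and then stored in a signed variable, so the `diff < 0` test relies on the conversion of a wrapped unsigned value to a negative signed one, which is implementation-defined in C and only works because GCC/Clang define it as modulo reduction; writing `diff = (s64)read1 - (s64)read2` (and `(s32)` in the LSB loop) would make the intent explicit and survive a compiler with a different choice. The accepted window is 0..MAX_RTC_READ_DIFF_CYCLES inclusive, and a counter that appears to go backwards is still rejected and retried, which is the right call since the LPSRT counter is monotonic. Style: the kernel's preferred multi-line comment opens with a bare `/*` on its own line; the new block above MAX_RTC_READ_DIFF_CYCLES puts text on the opening line, a form only conventional under net/.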
@@ -0,0 +1,36 @@ +From 2492dfbe90cb75037622ac30b9a7d1f6b1683d28 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:48:05 +0800 +Subject: rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() + +From: Gaosheng Cui + +[ Upstream commit 5fb733d7bd6949e90028efdce8bd528c6ab7cf1e ] + +The clk_disable_unprepare() should be called in the error handling +of clk_get_rate(), fix it. + +Fixes: b5b2bdfc2893 ("rtc: st: Add new driver for ST's LPC RTC") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221123014805.1993052-1-cuigaosheng1@huawei.com +Signed-off-by: Alexandre Belloni +Signed-off-by: Sasha Levin +--- + drivers/rtc/rtc-st-lpc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/rtc/rtc-st-lpc.c b/drivers/rtc/rtc-st-lpc.c +index 74c0a336ceea..85756ef63c22 100644 +--- a/drivers/rtc/rtc-st-lpc.c ++++ b/drivers/rtc/rtc-st-lpc.c +@@ -249,6 +249,7 @@ static int st_rtc_probe(struct platform_device *pdev) + + rtc->clkrate = clk_get_rate(rtc->clk); + if (!rtc->clkrate) { ++ clk_disable_unprepare(rtc->clk); + dev_err(&pdev->dev, "Unable to fetch clock rate\n"); + return -EINVAL; + } +-- +2.35.1 + diff --git a/queue-4.9/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch b/queue-4.9/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch new file mode 100644 index 00000000000..a685eb234ee --- /dev/null +++ b/queue-4.9/s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch 
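Review bot: the `clk_disable_unprepare(rtc->clk)` before `dev_err(&pdev->dev, "Unable to fetch clock rate\n")` in the clk_get_rate() failure branch is correct only if the clock was enabled with clk_prepare_enable() immediately before this point in st_rtc_probe(); the Fixes: tag and the changelog say so but the hunk context does not show it, so quoting the preceding clk_prepare_enable() in the message or widening the context would let reviewers confirm the pairing. It is also worth checking that the later error exits of st_rtc_probe() and st_rtc_remove() already unprepare the clock, otherwise this fixes one of several unbalanced paths.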
@@ -0,0 +1,76 @@ +From 13421d9772b48edc8435dc818f9dae924d903881 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:28 -0700 +Subject: s390/ctcm: Fix return type of ctc{mp,}m_tx() + +From: Nathan Chancellor + +[ Upstream commit aa5bf80c3c067b82b4362cd6e8e2194623bcaca6 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/ctcm_main.c:1064:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = ctcm_tx, + ^~~~~~~ + drivers/s390/net/ctcm_main.c:1072:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = ctcmpc_tx, + ^~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of ctc{mp,}m_tx() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Additionally, while in the area, remove a comment block that is no +longer relevant. 
+ +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/ctcm_main.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +diff --git a/drivers/s390/net/ctcm_main.c b/drivers/s390/net/ctcm_main.c +index e22b9ac3e564..ab48eef72d4f 100644 +--- a/drivers/s390/net/ctcm_main.c ++++ b/drivers/s390/net/ctcm_main.c +@@ -866,16 +866,9 @@ static int ctcmpc_transmit_skb(struct channel *ch, struct sk_buff *skb) + /** + * Start transmission of a packet. + * Called from generic network device layer. +- * +- * skb Pointer to buffer containing the packet. +- * dev Pointer to interface struct. +- * +- * returns 0 if packet consumed, !0 if packet rejected. +- * Note: If we return !0, then the packet is free'd by +- * the generic network layer. + */ + /* first merge version - leaving both functions separated */ +-static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t ctcm_tx(struct sk_buff *skb, struct net_device *dev) + { + struct ctcm_priv *priv = dev->ml_priv; + +@@ -918,7 +911,7 @@ static int ctcm_tx(struct sk_buff *skb, struct net_device *dev) + } + + /* unmerged MPC variant of ctcm_tx */ +-static int ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t ctcmpc_tx(struct sk_buff *skb, struct net_device *dev) + { + int len = 0; + struct ctcm_priv *priv = dev->ml_priv; +-- +2.35.1 + diff --git a/queue-4.9/s390-lcs-fix-return-type-of-lcs_start_xmit.patch b/queue-4.9/s390-lcs-fix-return-type-of-lcs_start_xmit.patch new file mode 100644 index 00000000000..c18bf782112 --- /dev/null +++ b/queue-4.9/s390-lcs-fix-return-type-of-lcs_start_xmit.patch 
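Review bot: both hunks change only the signatures of ctcm_tx() and ctcmpc_tx(); for this to be a pure type fix the function bodies, which are outside the shown context, must already return NETDEV_TX_OK/NETDEV_TX_BUSY values, because a plain `return 0;` or `return -EBUSY;` would now be silently converted to a wrong netdev_tx_t instead of being caught. Please confirm that in the changelog. The removed doc comment described the old int contract ("returns 0 if packet consumed, !0 if packet rejected"), which is exactly the contract that no longer matches, so dropping it is right; rewriting it to state the NETDEV_TX_* contract would be slightly better than deleting it. The security point from the changelog is worth keeping in mind for similar drivers: under kCFI a mismatched ->ndo_start_xmit prototype is an indirect-call failure at run time, so the type must match the struct net_device_ops member exactly.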
@@ -0,0 +1,68 @@ +From 5064fe4dfb5a1c47944038253d6405545368ade2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:30 -0700 +Subject: s390/lcs: Fix return type of lcs_start_xmit() + +From: Nathan Chancellor + +[ Upstream commit bb16db8393658e0978c3f0d30ae069e878264fa3 ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/lcs.c:2090:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = lcs_start_xmit, + ^~~~~~~~~~~~~~ + drivers/s390/net/lcs.c:2097:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = lcs_start_xmit, + ^~~~~~~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of lcs_start_xmit() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/lcs.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/s390/net/lcs.c b/drivers/s390/net/lcs.c +index 4d3caad7e981..3bd2241c13e8 100644 +--- a/drivers/s390/net/lcs.c ++++ b/drivers/s390/net/lcs.c +@@ -1544,9 +1544,8 @@ lcs_txbuffer_cb(struct lcs_channel *channel, struct lcs_buffer *buffer) + /** + * Packet transmit function called by network stack + */ +-static int +-__lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, +- struct net_device *dev) ++static netdev_tx_t __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, ++ struct net_device *dev) + { + struct lcs_header *header; + int rc = NETDEV_TX_OK; +@@ -1607,8 +1606,7 @@ __lcs_start_xmit(struct lcs_card *card, struct sk_buff *skb, + return rc; + } + +-static int +-lcs_start_xmit(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t lcs_start_xmit(struct sk_buff *skb, struct net_device *dev) + { + struct lcs_card *card; + int rc; +-- +2.35.1 + diff --git a/queue-4.9/s390-netiucv-fix-return-type-of-netiucv_tx.patch b/queue-4.9/s390-netiucv-fix-return-type-of-netiucv_tx.patch new file mode 100644 index 00000000000..6215b72b103 --- /dev/null +++ b/queue-4.9/s390-netiucv-fix-return-type-of-netiucv_tx.patch 
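Review bot: the signature of __lcs_start_xmit() now returns netdev_tx_t, but the visible `int rc = NETDEV_TX_OK;` in its body, and the `int rc;` in lcs_start_xmit() in the second hunk, still hold the result as int; declaring both as `netdev_tx_t rc` would make the type fix consistent end to end and let the compiler flag any remaining `rc = -E...` assignment, which is the kind of value that an int return would otherwise have smuggled through ->ndo_start_xmit. The reflowed parameter list in the first hunk is fine; just confirm the continuation line aligns with the opening parenthesis after the prototype got longer.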
@@ -0,0 +1,63 @@ +From ab92e9ca4abe5bf9da8fdd056cc6b8625e5a10c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 3 Nov 2022 10:01:29 -0700 +Subject: s390/netiucv: Fix return type of netiucv_tx() + +From: Nathan Chancellor + +[ Upstream commit 88d86d18d7cf7e9137c95f9d212bb9fff8a1b4be ] + +With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG), +indirect call targets are validated against the expected function +pointer prototype to make sure the call target is valid to help mitigate +ROP attacks. If they are not identical, there is a failure at run time, +which manifests as either a kernel panic or thread getting killed. A +proposed warning in clang aims to catch these at compile time, which +reveals: + + drivers/s390/net/netiucv.c:1854:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict] + .ndo_start_xmit = netiucv_tx, + ^~~~~~~~~~ + +->ndo_start_xmit() in 'struct net_device_ops' expects a return type of +'netdev_tx_t', not 'int'. Adjust the return type of netiucv_tx() to +match the prototype's to resolve the warning and potential CFI failure, +should s390 select ARCH_SUPPORTS_CFI_CLANG in the future. + +Additionally, while in the area, remove a comment block that is no +longer relevant. + +Link: https://github.com/ClangBuiltLinux/linux/issues/1750 +Reviewed-by: Alexandra Winter +Reviewed-by: Kees Cook +Signed-off-by: Nathan Chancellor +Signed-off-by: David S. 
Miller +Signed-off-by: Sasha Levin +--- + drivers/s390/net/netiucv.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/s390/net/netiucv.c b/drivers/s390/net/netiucv.c +index b0e8ffdf864b..3465ea3d667b 100644 +--- a/drivers/s390/net/netiucv.c ++++ b/drivers/s390/net/netiucv.c +@@ -1361,15 +1361,8 @@ static int netiucv_pm_restore_thaw(struct device *dev) + /** + * Start transmission of a packet. + * Called from generic network device layer. +- * +- * @param skb Pointer to buffer containing the packet. +- * @param dev Pointer to interface struct. +- * +- * @return 0 if packet consumed, !0 if packet rejected. +- * Note: If we return !0, then the packet is free'd by +- * the generic network layer. + */ +-static int netiucv_tx(struct sk_buff *skb, struct net_device *dev) ++static netdev_tx_t netiucv_tx(struct sk_buff *skb, struct net_device *dev) + { + struct netiucv_priv *privptr = netdev_priv(dev); + int rc; +-- +2.35.1 + diff --git a/queue-4.9/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch b/queue-4.9/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch new file mode 100644 index 00000000000..fe07f2351fd --- /dev/null +++ b/queue-4.9/scsi-fcoe-fix-possible-name-leak-when-device_registe.patch 
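Review bot: netiucv_tx() now returns netdev_tx_t but the `int rc;` local shown in the hunk still carries the value that is presumably returned; declaring it as `netdev_tx_t rc` would catch any leftover integer error code in the body, which is outside the shown context, and make the fix consistent with the kCFI intent stated in the changelog. The removed kernel-doc block documented the old "@return 0 if packet consumed, !0 if packet rejected" contract, so removing it is correct; replacing it with the NETDEV_TX_OK/NETDEV_TX_BUSY contract would keep the function documented.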
@@ -0,0 +1,78 @@ +From 9adc26f875dab449dc794b18c37958f7aca9068f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:43:10 +0800 +Subject: scsi: fcoe: Fix possible name leak when device_register() fails + +From: Yang Yingliang + +[ Upstream commit 47b6a122c7b69a876c7ee2fc064a26b09627de9d ] + +If device_register() returns an error, the name allocated by dev_set_name() +needs to be freed. As the comment of device_register() says, one should use +put_device() to give up the reference in the error path. Fix this by +calling put_device(), then the name can be freed in kobject_cleanup(). + +The 'fcf' is freed in fcoe_fcf_device_release(), so the kfree() in the +error path can be removed. + +The 'ctlr' is freed in fcoe_ctlr_device_release(), so don't use the error +label, just return NULL after calling put_device(). + +Fixes: 9a74e884ee71 ("[SCSI] libfcoe: Add fcoe_sysfs") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221112094310.3633291-1-yangyingliang@huawei.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe_sysfs.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +diff --git a/drivers/scsi/fcoe/fcoe_sysfs.c b/drivers/scsi/fcoe/fcoe_sysfs.c +index 0675fd128734..17a45131a379 100644 +--- a/drivers/scsi/fcoe/fcoe_sysfs.c ++++ b/drivers/scsi/fcoe/fcoe_sysfs.c +@@ -752,14 +752,15 @@ struct fcoe_ctlr_device *fcoe_ctlr_device_add(struct device *parent, + + dev_set_name(&ctlr->dev, "ctlr_%d", ctlr->id); + error = device_register(&ctlr->dev); +- if (error) +- goto out_del_q2; ++ if (error) { ++ destroy_workqueue(ctlr->devloss_work_q); ++ destroy_workqueue(ctlr->work_q); ++ put_device(&ctlr->dev); ++ return NULL; ++ } + + return ctlr; + +-out_del_q2: +- destroy_workqueue(ctlr->devloss_work_q); +- ctlr->devloss_work_q = NULL; + out_del_q: + destroy_workqueue(ctlr->work_q); + ctlr->work_q = NULL; +@@ -958,16 +959,16 @@ struct fcoe_fcf_device *fcoe_fcf_device_add(struct fcoe_ctlr_device *ctlr, + fcf->selected = new_fcf->selected; + + error = device_register(&fcf->dev); +- if (error) +- goto out_del; ++ if (error) { ++ put_device(&fcf->dev); ++ goto out; ++ } + + fcf->state = FCOE_FCF_STATE_CONNECTED; + list_add_tail(&fcf->peers, &ctlr->fcfs); + + return fcf; + +-out_del: +- kfree(fcf); + out: + return NULL; + } +-- +2.35.1 + diff --git a/queue-4.9/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch b/queue-4.9/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch new file mode 100644 index 00000000000..b3f0a24f417 --- /dev/null +++ b/queue-4.9/scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch 
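Review bot: in the first hunk the removed `ctlr->devloss_work_q = NULL;` and the still-present `ctlr->work_q = NULL;` under out_del_q suggest that something later, most likely fcoe_ctlr_device_release(), checks those pointers before tearing them down; the new branch calls destroy_workqueue() on both queues and then `put_device(&ctlr->dev)` without clearing either pointer, so if the release callback destroys non-NULL workqueues they are destroyed twice. Either add `ctlr->devloss_work_q = NULL; ctlr->work_q = NULL;` after the two destroy_workqueue() calls or state in the changelog that the release function does not touch them. The ordering destroy-then-put is otherwise right, since ctlr must not be used after put_device(). In the second hunk `put_device(&fcf->dev); goto out;` could be `return NULL;` directly now that the out label only returns NULL, but keeping the label is harmless; dropping the `kfree(fcf)` is correct because fcoe_fcf_device_release() now owns the free.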
@@ -0,0 +1,46 @@ +From a098d823a4aeab47f6ea9dc0527169f5d451211d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 15 Nov 2022 17:24:42 +0800 +Subject: scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails + +From: Chen Zhongjin + +[ Upstream commit 4155658cee394b22b24c6d64e49247bf26d95b92 ] + +fcoe_init() calls fcoe_transport_attach(&fcoe_sw_transport), but when +fcoe_if_init() fails, &fcoe_sw_transport is not detached and leaves freed +&fcoe_sw_transport on fcoe_transports list. This causes panic when +reinserting module. + + BUG: unable to handle page fault for address: fffffbfff82e2213 + RIP: 0010:fcoe_transport_attach+0xe1/0x230 [libfcoe] + Call Trace: + + do_one_initcall+0xd0/0x4e0 + load_module+0x5eee/0x7210 + ... + +Fixes: 78a582463c1e ("[SCSI] fcoe: convert fcoe.ko to become an fcoe transport provider driver") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221115092442.133088-1-chenzhongjin@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/fcoe/fcoe.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/scsi/fcoe/fcoe.c b/drivers/scsi/fcoe/fcoe.c +index 9bd41a35a78a..42b00b9f4be8 100644 +--- a/drivers/scsi/fcoe/fcoe.c ++++ b/drivers/scsi/fcoe/fcoe.c +@@ -2518,6 +2518,7 @@ static int __init fcoe_init(void) + + out_free: + mutex_unlock(&fcoe_config_mutex); ++ fcoe_transport_detach(&fcoe_sw_transport); + out_destroy: + destroy_workqueue(fcoe_wq); + return rc; +-- +2.35.1 + diff --git a/queue-4.9/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch b/queue-4.9/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch new file mode 100644 index 00000000000..10247cf30d0 --- /dev/null +++ b/queue-4.9/scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch 
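Review bot: the `fcoe_transport_detach(&fcoe_sw_transport)` under the out_free label is placed after `mutex_unlock(&fcoe_config_mutex)`, which is the right order if fcoe_transport_detach() takes fcoe_config_mutex itself; please confirm that, since calling it with the mutex held would deadlock. The label unwinding also assumes that every jump to out_free happens after fcoe_transport_attach() succeeded and that no path jumps to out_free before the attach, which the shown context cannot prove; if such an earlier path exists a separate label between the attach and the fcoe_if_init() call would be needed. The return value of fcoe_transport_detach() is ignored here, which is fine on an error path as long as the detach cannot fail for a transport that was just attached.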
@@ -0,0 +1,54 @@ +From fe942e5d43262fdba9ec32f708636307362f8ac3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 23:11:29 +0800 +Subject: scsi: hpsa: Fix error handling in hpsa_add_sas_host() + +From: Yang Yingliang + +[ Upstream commit 4ef174a3ad9b5d73c1b6573e244ebba2b0d86eac ] + +hpsa_sas_port_add_phy() does: + ... + sas_phy_add() -> may return error here + sas_port_add_phy() + ... + +Whereas hpsa_free_sas_phy() does: + ... + sas_port_delete_phy() + sas_phy_delete() + ... + +If hpsa_sas_port_add_phy() returns an error, hpsa_free_sas_phy() can not be +called to free the memory because the port and the phy have not been added +yet. + +Replace hpsa_free_sas_phy() with sas_phy_free() and kfree() to avoid kernel +crash in this case. + +Fixes: d04e62b9d63a ("hpsa: add in sas transport class") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221110151129.394389-1-yangyingliang@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 7f1d6d52d48b..5e11500eae19 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -9837,7 +9837,8 @@ static int hpsa_add_sas_host(struct ctlr_info *h) + return 0; + + free_sas_phy: +- hpsa_free_sas_phy(hpsa_sas_phy); ++ sas_phy_free(hpsa_sas_phy->phy); ++ kfree(hpsa_sas_phy); + free_sas_port: + hpsa_free_sas_port(hpsa_sas_port); + free_sas_node: +-- +2.35.1 + diff --git a/queue-4.9/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch b/queue-4.9/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch new file mode 100644 index 00000000000..fdde74a14fe --- /dev/null +++ b/queue-4.9/scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch 
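Review bot: replacing `hpsa_free_sas_phy(hpsa_sas_phy)` with `sas_phy_free(hpsa_sas_phy->phy)` plus `kfree(hpsa_sas_phy)` is correct only for a phy that was allocated but never added, so every `goto free_sas_phy` must occur before sas_phy_add() has succeeded; the changelog's call sequence shows sas_phy_add() as the failing step and sas_port_add_phy() after it, so that holds, but a comment at the label saying "phy allocated, not yet added" would make the precondition explicit for future callers. It also assumes hpsa_sas_phy->phy is non-NULL at that point, which should be true if the allocation happened before the add. Worth stating in the changelog that the old hpsa_free_sas_phy() path crashed because sas_port_delete_phy() and sas_phy_delete() were run on objects that were never registered.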
@@ -0,0 +1,43 @@ +From 388b1475be14c2b779ddc6a8a5d443a9962b73f6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 12:30:12 +0800 +Subject: scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() + +From: Yang Yingliang + +[ Upstream commit fda34a5d304d0b98cc967e8763b52221b66dc202 ] + +If hpsa_sas_port_add_rphy() returns an error, the 'rphy' allocated in +sas_end_device_alloc() needs to be freed. Address this by calling +sas_rphy_free() in the error path. + +Fixes: d04e62b9d63a ("hpsa: add in sas transport class") +Signed-off-by: Yang Yingliang +Link: https://lore.kernel.org/r/20221111043012.1074466-1-yangyingliang@huawei.com +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/hpsa.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/hpsa.c b/drivers/scsi/hpsa.c +index 5e11500eae19..aa1e388e86f2 100644 +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -9874,10 +9874,12 @@ static int hpsa_add_sas_device(struct hpsa_sas_node *hpsa_sas_node, + + rc = hpsa_sas_port_add_rphy(hpsa_sas_port, rphy); + if (rc) +- goto free_sas_port; ++ goto free_sas_rphy; + + return 0; + ++free_sas_rphy: ++ sas_rphy_free(rphy); + free_sas_port: + hpsa_free_sas_port(hpsa_sas_port); + device->sas_port = NULL; +-- +2.35.1 + diff --git a/queue-4.9/scsi-ipr-fix-warning-in-ipr_init.patch b/queue-4.9/scsi-ipr-fix-warning-in-ipr_init.patch new file mode 100644 index 00000000000..3d01351b472 --- /dev/null +++ b/queue-4.9/scsi-ipr-fix-warning-in-ipr_init.patch 
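Review bot: the new free_sas_rphy label falls through into free_sas_port, so the old cleanup (hpsa_free_sas_port() and `device->sas_port = NULL`) is preserved and only `sas_rphy_free(rphy)` is added in front of it, which is the right shape; the fix is correct provided hpsa_sas_port_add_rphy() can only fail before sas_rphy_add() has succeeded, because an rphy that was already added must be torn down with sas_rphy_delete() rather than sas_rphy_free(). Please confirm that ordering in the changelog. Also check that the success path's later removal code does not additionally free the rphy, so that this change does not introduce a double free on the remove side.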
@@ -0,0 +1,73 @@ +From 344ff888c7ee220c9ffd87d6c5a67b125f6f6366 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 13 Nov 2022 14:45:13 +0800 +Subject: scsi: ipr: Fix WARNING in ipr_init() + +From: Shang XiaoJing + +[ Upstream commit e6f108bffc3708ddcff72324f7d40dfcd0204894 ] + +ipr_init() will not call unregister_reboot_notifier() when +pci_register_driver() fails, which causes a WARNING. Call +unregister_reboot_notifier() when pci_register_driver() fails. + +notifier callback ipr_halt [ipr] already registered +WARNING: CPU: 3 PID: 299 at kernel/notifier.c:29 +notifier_chain_register+0x16d/0x230 +Modules linked in: ipr(+) xhci_pci_renesas xhci_hcd ehci_hcd usbcore +led_class gpu_sched drm_buddy video wmi drm_ttm_helper ttm +drm_display_helper drm_kms_helper drm drm_panel_orientation_quirks +agpgart cfbft +CPU: 3 PID: 299 Comm: modprobe Tainted: G W +6.1.0-rc1-00190-g39508d23b672-dirty #332 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS +rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 +RIP: 0010:notifier_chain_register+0x16d/0x230 +Call Trace: + + __blocking_notifier_chain_register+0x73/0xb0 + ipr_init+0x30/0x1000 [ipr] + do_one_initcall+0xdb/0x480 + do_init_module+0x1cf/0x680 + load_module+0x6a50/0x70a0 + __do_sys_finit_module+0x12f/0x1c0 + do_syscall_64+0x3f/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Fixes: f72919ec2bbb ("[SCSI] ipr: implement shutdown changes and remove obsolete write cache parameter") +Signed-off-by: Shang XiaoJing +Link: https://lore.kernel.org/r/20221113064513.14028-1-shangxiaojing@huawei.com +Signed-off-by: Martin K. 
Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/ipr.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 7760b9a1e0ae..96c45cc091a6 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -10772,11 +10772,19 @@ static struct notifier_block ipr_notifier = { + **/ + static int __init ipr_init(void) + { ++ int rc; ++ + ipr_info("IBM Power RAID SCSI Device Driver version: %s %s\n", + IPR_DRIVER_VERSION, IPR_DRIVER_DATE); + + register_reboot_notifier(&ipr_notifier); +- return pci_register_driver(&ipr_driver); ++ rc = pci_register_driver(&ipr_driver); ++ if (rc) { ++ unregister_reboot_notifier(&ipr_notifier); ++ return rc; ++ } ++ ++ return 0; + } + + /** +-- +2.35.1 + diff --git a/queue-4.9/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch b/queue-4.9/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch new file mode 100644 index 00000000000..52ab3dab45e --- /dev/null +++ b/queue-4.9/scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch 
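Review bot: the `unregister_reboot_notifier(&ipr_notifier)` when pci_register_driver() fails closes the leak that the quoted "notifier callback ipr_halt [ipr] already registered" WARNING shows on module reload, and it is placed correctly before the early return. Style: the tail `if (rc) { unregister_reboot_notifier(&ipr_notifier); return rc; } return 0;` can be shortened to an unconditional `return rc;` after the conditional unregister, which avoids the duplicated return. Also note for the changelog that a stale ipr_halt callback left behind by a failed load is not just a warning: the notifier points into unloaded module text, so a reboot in that state would call into freed memory, which is the real reason this needs to be unwound.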
@@ -0,0 +1,47 @@ +From 600bb1f102dad4f82fb3740cbbcc35f8637e43c2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:51:00 +0800 +Subject: scsi: snic: Fix possible UAF in snic_tgt_create() + +From: Gaosheng Cui + +[ Upstream commit e118df492320176af94deec000ae034cc92be754 ] + +Smatch reports a warning as follows: + +drivers/scsi/snic/snic_disc.c:307 snic_tgt_create() warn: + '&tgt->list' not removed from list + +If device_add() fails in snic_tgt_create(), tgt will be freed, but +tgt->list will not be removed from snic->disc.tgt_list, then list traversal +may cause UAF. + +Remove from snic->disc.tgt_list before free(). + +Fixes: c8806b6c9e82 ("snic: driver for Cisco SCSI HBA") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117035100.2944812-1-cuigaosheng1@huawei.com +Acked-by: Narsimhulu Musini +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/snic/snic_disc.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/snic/snic_disc.c b/drivers/scsi/snic/snic_disc.c +index b106596cc0cf..69c5e26a9d5b 100644 +--- a/drivers/scsi/snic/snic_disc.c ++++ b/drivers/scsi/snic/snic_disc.c +@@ -317,6 +317,9 @@ snic_tgt_create(struct snic *snic, struct snic_tgt_id *tgtid) + ret); + + put_device(&snic->shost->shost_gendev); ++ spin_lock_irqsave(snic->shost->host_lock, flags); ++ list_del(&tgt->list); ++ spin_unlock_irqrestore(snic->shost->host_lock, flags); + kfree(tgt); + tgt = NULL; + +-- +2.35.1 + diff --git a/queue-4.9/selftests-powerpc-fix-resource-leaks.patch b/queue-4.9/selftests-powerpc-fix-resource-leaks.patch new file mode 100644 index 00000000000..643da6c4b43 --- /dev/null +++ b/queue-4.9/selftests-powerpc-fix-resource-leaks.patch 
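Review bot: the added `spin_lock_irqsave(snic->shost->host_lock, flags); list_del(&tgt->list); spin_unlock_irqrestore(...)` before `kfree(tgt)` uses a `flags` variable that the hunk does not declare, so it must already exist in snic_tgt_create(), presumably from the earlier list_add under the same host_lock; please confirm in the changelog that the add always precedes the device_add() failure point, since list_del() on an entry that was never added would corrupt the list. Taking host_lock for the removal matches the lock the list is otherwise traversed under, which is what makes the fix complete against the UAF the smatch warning describes. The order relative to `put_device(&snic->shost->shost_gendev)` is fine because the host reference is independent of tgt.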
@@ -0,0 +1,51 @@ +From b0ed8e5e347c338f8708339598711a0a6f9fce79 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 12:44:27 +0400 +Subject: selftests/powerpc: Fix resource leaks + +From: Miaoqian Lin + +[ Upstream commit 8f4ab7da904ab7027ccd43ddb4f0094e932a5877 ] + +In check_all_cpu_dscr_defaults, opendir() opens the directory stream. +Add missing closedir() in the error path to release it. + +In check_cpu_dscr_default, open() creates an open file descriptor. +Add missing close() in the error path to release it. + +Fixes: ebd5858c904b ("selftests/powerpc: Add test for all DSCR sysfs interfaces") +Signed-off-by: Miaoqian Lin +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20221205084429.570654-1-linmq006@gmail.com +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c +index 17fb1b43c320..d6fb6f1125f9 100644 +--- a/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c ++++ b/tools/testing/selftests/powerpc/dscr/dscr_sysfs_test.c +@@ -27,6 +27,7 @@ static int check_cpu_dscr_default(char *file, unsigned long val) + rc = read(fd, buf, sizeof(buf)); + if (rc == -1) { + perror("read() failed"); ++ close(fd); + return 1; + } + close(fd); +@@ -64,8 +65,10 @@ static int check_all_cpu_dscr_defaults(unsigned long val) + if (access(file, F_OK)) + continue; + +- if (check_cpu_dscr_default(file, val)) ++ if (check_cpu_dscr_default(file, val)) { ++ closedir(sysfs); + return 1; ++ } + } + closedir(sysfs); + return 0; +-- +2.35.1 + diff --git a/queue-4.9/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch b/queue-4.9/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch new file mode 100644 index 00000000000..baa41a96ba7 --- /dev/null +++ b/queue-4.9/serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch 
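Review bot: in the first hunk the new `close(fd)` is correctly placed after `perror("read() failed")`, so the read() errno is reported before close() has any chance to disturb it; the function still has a second close(fd) on the success path right after the if block, and the two could be merged into one close followed by the rc check, but that is a readability preference rather than a defect. The second hunk's `closedir(sysfs)` before `return 1` mirrors the existing closedir on the success path, which is the right fix for the leaked directory stream. It would be worth a quick scan of check_cpu_dscr_default() for any other early return between open() and the final close(), since the hunk only covers the read() failure.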
@@ -0,0 +1,93 @@ +From 47b0a570bd09c2a7213b439250984542c41e998a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 18:32:37 +0800 +Subject: serial: amba-pl011: avoid SBSA UART accessing DMACR register + +From: Jiamei Xie + +[ Upstream commit 94cdb9f33698478b0e7062586633c42c6158a786 ] + +Chapter "B Generic UART" in "ARM Server Base System Architecture" [1] +documentation describes a generic UART interface. Such generic UART +does not support DMA. In current code, sbsa_uart_pops and +amba_pl011_pops share the same stop_rx operation, which will invoke +pl011_dma_rx_stop, leading to an access of the DMACR register. This +commit adds a using_rx_dma check in pl011_dma_rx_stop to avoid the +access to DMACR register for SBSA UARTs which does not support DMA. + +When the kernel enables DMA engine with "CONFIG_DMA_ENGINE=y", Linux +SBSA PL011 driver will access PL011 DMACR register in some functions. +For most real SBSA Pl011 hardware implementations, the DMACR write +behaviour will be ignored. So these DMACR operations will not cause +obvious problems. But for some virtual SBSA PL011 hardware, like Xen +virtual SBSA PL011 (vpl011) device, the behaviour might be different. +Xen vpl011 emulation will inject a data abort to guest, when guest is +accessing an unimplemented UART register. As Xen VPL011 is SBSA +compatible, it will not implement DMACR register. 
So when Linux SBSA +PL011 driver access DMACR register, it will get an unhandled data abort +fault and the application will get a segmentation fault: +Unhandled fault at 0xffffffc00944d048 +Mem abort info: + ESR = 0x96000000 + EC = 0x25: DABT (current EL), IL = 32 bits + SET = 0, FnV = 0 + EA = 0, S1PTW = 0 + FSC = 0x00: ttbr address size fault +Data abort info: + ISV = 0, ISS = 0x00000000 + CM = 0, WnR = 0 +swapper pgtable: 4k pages, 39-bit VAs, pgdp=0000000020e2e000 +[ffffffc00944d048] pgd=100000003ffff803, p4d=100000003ffff803, pud=100000003ffff803, pmd=100000003fffa803, pte=006800009c090f13 +Internal error: ttbr address size fault: 96000000 [#1] PREEMPT SMP +... +Call trace: + pl011_stop_rx+0x70/0x80 + tty_port_shutdown+0x7c/0xb4 + tty_port_close+0x60/0xcc + uart_close+0x34/0x8c + tty_release+0x144/0x4c0 + __fput+0x78/0x220 + ____fput+0x1c/0x30 + task_work_run+0x88/0xc0 + do_notify_resume+0x8d0/0x123c + el0_svc+0xa8/0xc0 + el0t_64_sync_handler+0xa4/0x130 + el0t_64_sync+0x1a0/0x1a4 +Code: b9000083 b901f001 794038a0 8b000042 (b9000041) +---[ end trace 83dd93df15c3216f ]--- +note: bootlogd[132] exited with preempt_count 1 +/etc/rcS.d/S07bootlogd: line 47: 132 Segmentation fault start-stop-daemon + +This has been discussed in the Xen community, and we think it should fix +this in Linux. See [2] for more information. 
+ +[1] https://developer.arm.com/documentation/den0094/c/?lang=en +[2] https://lists.xenproject.org/archives/html/xen-devel/2022-11/msg00543.html + +Fixes: 0dd1e247fd39 (drivers: PL011: add support for the ARM SBSA generic UART) +Signed-off-by: Jiamei Xie +Reviewed-by: Andre Przywara +Link: https://lore.kernel.org/r/20221117103237.86856-1-jiamei.xie@arm.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/amba-pl011.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/tty/serial/amba-pl011.c b/drivers/tty/serial/amba-pl011.c +index ad1d665e9962..59092f1d2856 100644 +--- a/drivers/tty/serial/amba-pl011.c ++++ b/drivers/tty/serial/amba-pl011.c +@@ -1048,6 +1048,9 @@ static void pl011_dma_rx_callback(void *data) + */ + static inline void pl011_dma_rx_stop(struct uart_amba_port *uap) + { ++ if (!uap->using_rx_dma) ++ return; ++ + /* FIXME. Just disable the DMA enable */ + uap->dmacr &= ~UART011_RXDMAE; + pl011_write(uap->dmacr, uap, REG_DMACR); +-- +2.35.1 + diff --git a/queue-4.9/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch b/queue-4.9/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch new file mode 100644 index 00000000000..c41dc8b99ef --- /dev/null +++ b/queue-4.9/serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch 
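Review bot: in the pl011_dma_rx_stop() hunk, the early return keys off uap->using_rx_dma, and nothing in the hunk shows how that flag is left for SBSA ports; confirm the SBSA probe path never runs the DMA setup that sets it, otherwise the DMACR write is still reachable. Since the commit message says sbsa_uart_pops and amba_pl011_pops share stop_rx, it is worth checking the other shared DMA helpers reachable from the SBSA ops for the same unguarded DMACR access rather than guarding only the function in the reported trace. Style: the Fixes: tag lacks the quotes around the subject that the kernel convention expects.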
@@ -0,0 +1,58 @@ +From cb4337d7c66a47209de9c842af44996c889bd0ab Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Nov 2022 19:45:59 +0800 +Subject: serial: pch: Fix PCI device refcount leak in pch_request_dma() + +From: Xiongfeng Wang + +[ Upstream commit 8be3a7bf773700534a6e8f87f6ed2ed111254be5 ] + +As comment of pci_get_slot() says, it returns a pci_device with its +refcount increased. The caller must decrement the reference count by +calling pci_dev_put(). + +Since 'dma_dev' is only used to filter the channel in filter(), we can +call pci_dev_put() before exiting from pch_request_dma(). Add the +missing pci_dev_put() for the normal and error path. + +Fixes: 3c6a483275f4 ("Serial: EG20T: add PCH_UART driver") +Signed-off-by: Xiongfeng Wang +Link: https://lore.kernel.org/r/20221122114559.27692-1-wangxiongfeng2@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/pch_uart.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/tty/serial/pch_uart.c b/drivers/tty/serial/pch_uart.c +index 30b577384a1d..e8d450fdbb04 100644 +--- a/drivers/tty/serial/pch_uart.c ++++ b/drivers/tty/serial/pch_uart.c +@@ -753,6 +753,7 @@ static void pch_request_dma(struct uart_port *port) + if (!chan) { + dev_err(priv->port.dev, "%s:dma_request_channel FAILS(Tx)\n", + __func__); ++ pci_dev_put(dma_dev); + return; + } + priv->chan_tx = chan; +@@ -769,6 +770,7 @@ static void pch_request_dma(struct uart_port *port) + __func__); + dma_release_channel(priv->chan_tx); + priv->chan_tx = NULL; ++ pci_dev_put(dma_dev); + return; + } + +@@ -776,6 +778,8 @@ static void pch_request_dma(struct uart_port *port) + priv->rx_buf_virt = dma_alloc_coherent(port->dev, port->fifosize, + &priv->rx_buf_dma, GFP_KERNEL); + priv->chan_rx = chan; ++ ++ pci_dev_put(dma_dev); + } + + static void pch_dma_rx_complete(void *arg) +-- +2.35.1 + 
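Review bot: in the pch_request_dma() hunks, pci_dev_put(dma_dev) is now duplicated on three exits (Tx channel failure, Rx channel failure and the success path); a single `out:` label after the success path carrying one put would make it harder for a future early return to miss it. The placement is otherwise correct: the final put comes after the second dma_request_channel() call, so dma_dev is still valid while filter() runs, and the commit message states nothing retains dma_dev beyond this function.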
diff --git a/queue-4.9/serial-sunsab-fix-error-handling-in-sunsab_init.patch b/queue-4.9/serial-sunsab-fix-error-handling-in-sunsab_init.patch new file mode 100644 index 00000000000..6f5a720036e --- /dev/null +++ b/queue-4.9/serial-sunsab-fix-error-handling-in-sunsab_init.patch @@ -0,0 +1,46 @@ +From bd5bfa1341f72443f49c1bc9d9d4d71b93d42dae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 06:12:12 +0000 +Subject: serial: sunsab: Fix error handling in sunsab_init() + +From: Yuan Can + +[ Upstream commit 1a6ec673fb627c26e2267ca0a03849f91dbd9b40 ] + +The sunsab_init() returns the platform_driver_register() directly without +checking its return value, if platform_driver_register() failed, the +allocated sunsab_ports is leaked. +Fix by free sunsab_ports and set it to NULL when platform_driver_register() +failed. + +Fixes: c4d37215a824 ("[SERIAL] sunsab: Convert to of_driver framework.") +Signed-off-by: Yuan Can +Link: https://lore.kernel.org/r/20221123061212.52593-1-yuancan@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/sunsab.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/drivers/tty/serial/sunsab.c b/drivers/tty/serial/sunsab.c +index b5e3195b3697..60fc4ed3f042 100644 +--- a/drivers/tty/serial/sunsab.c ++++ b/drivers/tty/serial/sunsab.c +@@ -1138,7 +1138,13 @@ static int __init sunsab_init(void) + } + } + +- return platform_driver_register(&sab_driver); ++ err = platform_driver_register(&sab_driver); ++ if (err) { ++ kfree(sunsab_ports); ++ sunsab_ports = NULL; ++ } ++ ++ return err; + } + + static void __exit sunsab_exit(void) +-- +2.35.1 + diff --git a/queue-4.9/series b/queue-4.9/series index 9a0b2ee6d81..b6a30962b4a 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
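Review bot: in the sunsab_init() hunk, `err` is assigned without a visible declaration in the context lines and the patch adds none; confirm the 4.9 function already declares it so the backport compiles. Also confirm that the per-port setup done in the loop above the hunk needs no unwinding beyond kfree(sunsab_ports); the hunk frees only the array, which matches the commit message, and resetting sunsab_ports to NULL is the right defensive step if sunsab_exit() or any later path tests the pointer.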
@@ -13,3 +13,200 @@ usb-gadget-uvc-prevent-buffer-overflow-in-setup-handler.patch usb-serial-cp210x-add-kamstrup-rf-sniffer-pids.patch bluetooth-l2cap-fix-u8-overflow.patch net-loopback-use-net_name_predictable-for-name_assig.patch +drivers-soc-ti-knav_qmss_queue-mark-knav_acc_firmwar.patch +arm-dts-spear600-fix-clcd-interrupt.patch +soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch +arm-dts-dove-fix-assigned-addresses-for-every-pcie-r.patch +arm-dts-armada-370-fix-assigned-addresses-for-every-.patch +arm-dts-armada-xp-fix-assigned-addresses-for-every-p.patch +arm-dts-armada-375-fix-assigned-addresses-for-every-.patch +arm-dts-armada-38x-fix-assigned-addresses-for-every-.patch +arm-dts-armada-39x-fix-assigned-addresses-for-every-.patch +arm-dts-armada-39x-fix-compatible-string-for-gpios.patch +arm-mmp-fix-timer_read-delay.patch +pstore-avoid-kcore-oops-by-vmap-ing-with-vm_ioremap.patch +cpuidle-dt-return-the-correct-numbers-of-parsed-idle.patch +alpha-fix-syscall-entry-in-audut_syscall-case.patch +pm-hibernate-fix-mistake-in-kerneldoc-comment.patch +fs-don-t-audit-the-capability-check-in-simple_xattr_.patch +perf-fix-possible-memleak-in-pmu_dev_alloc.patch +timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch +ocfs2-fix-memory-leak-in-ocfs2_stack_glue_init.patch +mips-vpe-mt-fix-possible-memory-leak-while-module-ex.patch +mips-vpe-cmp-fix-possible-memory-leak-while-module-e.patch +pnp-fix-name-memory-leak-in-pnp_alloc_dev.patch +irqchip-gic-pm-use-pm_runtime_resume_and_get-in-gic_.patch +libfs-add-define_simple_attribute_signed-for-signed-.patch +lib-notifier-error-inject-fix-error-when-writing-err.patch +rapidio-fix-possible-name-leaks-when-rio_add_device-.patch +rapidio-rio-fix-possible-name-leak-in-rio_register_m.patch +acpica-fix-use-after-free-in-acpi_ut_copy_ipackage_t.patch +uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch +x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch +mips-bcm63xx-add-check-for-null-for-clk-in-clk_enabl.patch 
+fs-sysv-fix-sysv_nblocks-returns-wrong-value.patch +rapidio-fix-possible-uaf-when-kfifo_alloc-fails.patch +eventfd-change-int-to-__u64-in-eventfd_signal-ifndef.patch +hfs-fix-oob-write-in-hfs_asc2mac.patch +rapidio-devices-fix-missing-put_device-in-mport_cdev.patch +wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch +wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch +powerpc-dts-t208x-mark-mac1-and-mac2-as-10g.patch +media-i2c-ad5820-fix-error-path.patch +media-vivid-fix-compose-size-exceed-boundary.patch +mtd-fix-device-name-leak-when-register-device-failed.patch +asoc-pxa-fix-null-pointer-dereference-in-filter.patch +regulator-core-fix-unbalanced-of-node-refcount-in-re.patch +ima-fix-misuse-of-dereference-of-pointer-in-template.patch +wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch +mtd-lpddr2_nvm-fix-possible-null-ptr-deref.patch +input-elants_i2c-properly-handle-the-reset-gpio-when.patch +media-solo6x10-fix-possible-memory-leak-in-solo_sysf.patch +media-platform-exynos4-is-fix-error-handling-in-fimc.patch +hid-hid-sensor-custom-set-fixed-size-for-custom-attr.patch +alsa-seq-fix-undefined-behavior-in-bit-shift-for-snd.patch +clk-rockchip-fix-memory-leak-in-rockchip_clk_registe.patch +mtd-maps-pxa2xx-flash-fix-memory-leak-in-probe.patch +media-imon-fix-a-race-condition-in-send_packet.patch +pinctrl-pinconf-generic-add-missing-of_node_put.patch +media-dvb-usb-az6027-fix-null-ptr-deref-in-az6027_i2.patch +nfsv4.2-fix-a-memory-stomp-in-decode_attr_security_l.patch +nfsv4-fix-a-deadlock-between-nfs4_open_recover_helpe.patch +alsa-asihpi-fix-missing-pci_disable_device.patch +drm-radeon-fix-pci-device-refcount-leak-in-radeon_at.patch +drm-amdgpu-fix-pci-device-refcount-leak-in-amdgpu_at.patch +asoc-pcm512x-fix-pm-disable-depth-imbalance-in-pcm51.patch +bonding-uninitialized-variable-in-bond_miimon_inspec.patch +regulator-core-fix-module-refcount-leak-in-set_suppl.patch +media-saa7164-fix-missing-pci_disable_device.patch 
+alsa-mts64-fix-possible-null-ptr-defer-in-snd_mts64_.patch +sunrpc-fix-missing-release-socket-in-rpc_sockname.patch +mmc-moxart-fix-return-value-check-of-mmc_add_host.patch +mmc-mxcmmc-fix-return-value-check-of-mmc_add_host.patch +mmc-pxamci-fix-return-value-check-of-mmc_add_host.patch +mmc-rtsx_usb_sdmmc-fix-return-value-check-of-mmc_add.patch +mmc-toshsd-fix-return-value-check-of-mmc_add_host.patch +mmc-vub300-fix-return-value-check-of-mmc_add_host.patch +mmc-via-sdmmc-fix-return-value-check-of-mmc_add_host.patch +mmc-wbsd-fix-return-value-check-of-mmc_add_host.patch +mmc-mmci-fix-return-value-check-of-mmc_add_host.patch +media-c8sectpfe-add-of_node_put-when-breaking-out-of.patch +media-coda-add-check-for-dcoda_iram_alloc.patch +media-coda-add-check-for-kmalloc.patch +wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch +wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch +blktrace-fix-output-non-blktrace-event-when-blk_clas.patch +net-vmw_vsock-vmci-check-memcpy_from_msg.patch +net-defxx-fix-missing-err-handling-in-dfx_init.patch +drivers-net-qlcnic-fix-potential-memory-leak-in-qlcn.patch +ethernet-s2io-don-t-call-dev_kfree_skb-under-spin_lo.patch +net-farsync-fix-kmemleak-when-rmmods-farsync.patch +net-tunnel-wait-until-all-sk_user_data-reader-finish.patch +net-apple-mace-don-t-call-dev_kfree_skb-under-spin_l.patch +net-apple-bmac-don-t-call-dev_kfree_skb-under-spin_l.patch +net-emaclite-don-t-call-dev_kfree_skb-under-spin_loc.patch +net-ethernet-dnet-don-t-call-dev_kfree_skb-under-spi.patch +hamradio-don-t-call-dev_kfree_skb-under-spin_lock_ir.patch +net-amd-lance-don-t-call-dev_kfree_skb-under-spin_lo.patch +ntb_netdev-use-dev_kfree_skb_any-in-interrupt-contex.patch +bluetooth-btusb-don-t-call-kfree_skb-under-spin_lock.patch +bluetooth-hci_qca-don-t-call-kfree_skb-under-spin_lo.patch +bluetooth-hci_h5-don-t-call-kfree_skb-under-spin_loc.patch +bluetooth-hci_bcsp-don-t-call-kfree_skb-under-spin_l.patch 
+bluetooth-hci_core-don-t-call-kfree_skb-under-spin_l.patch +stmmac-fix-potential-division-by-0.patch +scsi-hpsa-fix-error-handling-in-hpsa_add_sas_host.patch +scsi-hpsa-fix-possible-memory-leak-in-hpsa_add_sas_d.patch +scsi-fcoe-fix-possible-name-leak-when-device_registe.patch +scsi-ipr-fix-warning-in-ipr_init.patch +scsi-fcoe-fix-transport-not-deattached-when-fcoe_if_.patch +scsi-snic-fix-possible-uaf-in-snic_tgt_create.patch +orangefs-fix-sysfs-not-cleanup-when-dev-init-failed.patch +crypto-img-hash-fix-variable-dereferenced-before-che.patch +hwrng-amd-fix-pci-device-refcount-leak.patch +hwrng-geode-fix-pci-device-refcount-leak.patch +ib-ipoib-fix-queue-count-inconsistency-for-pkey-chil.patch +drivers-dio-fix-possible-memory-leak-in-dio_init.patch +vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch +uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch +uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch +usb-fotg210-udc-fix-ages-old-endianness-issues.patch +staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch +serial-amba-pl011-avoid-sbsa-uart-accessing-dmacr-re.patch +serial-pch-fix-pci-device-refcount-leak-in-pch_reque.patch +serial-sunsab-fix-error-handling-in-sunsab_init.patch +misc-tifm-fix-possible-memory-leak-in-tifm_7xx1_swit.patch +misc-sgi-gru-fix-use-after-free-error-in-gru_set_con.patch +cxl-fix-possible-null-ptr-deref-in-cxl_guest_init_af.patch +cxl-fix-possible-null-ptr-deref-in-cxl_pci_init_afu-.patch +drivers-mcb-fix-resource-leak-in-mcb_probe.patch +mcb-mcb-parse-fix-error-handing-in-chameleon_parse_g.patch +chardev-fix-error-handling-in-cdev_device_add.patch +i2c-pxa-pci-fix-missing-pci_disable_device-on-error-.patch +staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch +staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch +vme-fix-error-not-catched-in-fake_init.patch +i2c-ismt-fix-an-out-of-bounds-bug-in-ismt_access.patch +usb-storage-add-check-for-kcalloc.patch 
+fbdev-ssd1307fb-drop-optional-dependency.patch +fbdev-pm2fb-fix-missing-pci_disable_device.patch +fbdev-via-fix-error-in-via_core_init.patch +fbdev-vermilion-decrease-reference-count-in-error-pa.patch +fbdev-uvesafb-fixes-an-error-handling-path-in-uvesaf.patch +hsi-omap_ssi_core-fix-unbalanced-pm_runtime_disable.patch +hsi-omap_ssi_core-fix-possible-memory-leak-in-ssi_pr.patch +power-supply-fix-residue-sysfs-file-in-error-handle-.patch +hsi-omap_ssi_core-fix-error-handling-in-ssi_init.patch +include-uapi-linux-swab-fix-potentially-missing-__al.patch +rtc-snvs-allow-a-time-difference-on-clock-register-r.patch +iommu-fsl_pamu-fix-resource-leak-in-fsl_pamu_probe.patch +macintosh-fix-possible-memory-leak-in-macio_add_one_.patch +macintosh-macio-adb-check-the-return-value-of-iorema.patch +powerpc-52xx-fix-a-resource-leak-in-an-error-handlin.patch +powerpc-perf-callchain-validate-kernel-stack-pointer.patch +powerpc-83xx-mpc832x_rdb-call-platform_device_put-in.patch +powerpc-hv-gpci-fix-hv_gpci-event-list.patch +selftests-powerpc-fix-resource-leaks.patch +rtc-st-lpc-add-missing-clk_disable_unprepare-in-st_r.patch +nfsd-under-nfsv4.1-fix-double-svc_xprt_put-on-rpc_cr.patch +misdn-hfcsusb-don-t-call-dev_kfree_skb-kfree_skb-und.patch +misdn-hfcpci-don-t-call-dev_kfree_skb-kfree_skb-unde.patch +misdn-hfcmulti-don-t-call-dev_kfree_skb-kfree_skb-un.patch +nfc-pn533-clear-nfc_target-before-being-used.patch +r6040-fix-kmemleak-in-probe-and-remove.patch +openvswitch-fix-flow-lookup-to-use-unmasked-key.patch +skbuff-account-for-tail-adjustment-during-pull-opera.patch +net_sched-reject-tcf_em_simple-case-for-complex-emat.patch +myri10ge-fix-an-error-handling-path-in-myri10ge_prob.patch +net-stream-purge-sk_error_queue-in-sk_stream_kill_qu.patch +binfmt_misc-fix-shift-out-of-bounds-in-check_special.patch +fs-jfs-fix-shift-out-of-bounds-in-dballocag.patch +udf-avoid-double-brelse-in-udf_rename.patch +fs-jfs-fix-shift-out-of-bounds-in-dbdiscardag.patch 
+acpica-fix-error-code-path-in-acpi_ds_call_control_m.patch +nilfs2-fix-shift-out-of-bounds-overflow-in-nilfs_sb2.patch +acct-fix-potential-integer-overflow-in-encode_comp_t.patch +hfs-fix-oob-read-in-__hfs_brec_find.patch +wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch +wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch +ipmi-fix-memleak-when-unload-ipmi-driver.patch +net-ethernet-ti-fix-return-type-of-netcp_ndo_start_x.patch +hamradio-baycom_epp-fix-return-type-of-baycom_send_p.patch +wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch +igb-do-not-free-q_vector-unless-new-one-was-allocate.patch +s390-ctcm-fix-return-type-of-ctc-mp-m_tx.patch +s390-netiucv-fix-return-type-of-netiucv_tx.patch +s390-lcs-fix-return-type-of-lcs_start_xmit.patch +drm-sti-use-drm_mode_copy.patch +md-raid1-stop-mdx_raid1-thread-when-raid1-array-run-.patch +mrp-introduce-active-flags-to-prevent-uaf-when-appli.patch +ppp-associate-skb-with-a-device-at-tx.patch +media-dvb-frontends-fix-leak-of-memory-fw.patch +media-dvb-usb-fix-memory-leak-in-dvb_usb_adapter_ini.patch +blk-mq-fix-possible-memleak-when-register-hctx-faile.patch +mmc-f-sdh30-add-quirks-for-broken-timeout-clock-capa.patch +media-si470x-fix-use-after-free-in-si470x_int_in_cal.patch +clk-st-fix-memory-leak-in-st_of_quadfs_setup.patch +drm-fsl-dcu-fix-return-type-of-fsl_dcu_drm_connector.patch +drm-sti-fix-return-type-of-sti_-dvo-hda-hdmi-_connec.patch +orangefs-fix-kmemleak-in-orangefs_prepare_debugfs_he.patch diff --git a/queue-4.9/skbuff-account-for-tail-adjustment-during-pull-opera.patch b/queue-4.9/skbuff-account-for-tail-adjustment-during-pull-opera.patch new file mode 100644 index 00000000000..97513503c8b --- /dev/null +++ b/queue-4.9/skbuff-account-for-tail-adjustment-during-pull-opera.patch 
@@ -0,0 +1,66 @@ +From c44899ba9c8fa06158d9bca54e31f4d29c17dacd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 14 Dec 2022 23:11:58 -0700 +Subject: skbuff: Account for tail adjustment during pull operations + +From: Subash Abhinov Kasiviswanathan + +[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ] + +Extending the tail can have some unexpected side effects if a program uses +a helper like BPF_FUNC_skb_pull_data to read partial content beyond the +head skb headlen when all the skbs in the gso frag_list are linear with no +head_frag - + + kernel BUG at net/core/skbuff.c:4219! + pc : skb_segment+0xcf4/0xd2c + lr : skb_segment+0x63c/0xd2c + Call trace: + skb_segment+0xcf4/0xd2c + __udp_gso_segment+0xa4/0x544 + udp4_ufo_fragment+0x184/0x1c0 + inet_gso_segment+0x16c/0x3a4 + skb_mac_gso_segment+0xd4/0x1b0 + __skb_gso_segment+0xcc/0x12c + udp_rcv_segment+0x54/0x16c + udp_queue_rcv_skb+0x78/0x144 + udp_unicast_rcv_skb+0x8c/0xa4 + __udp4_lib_rcv+0x490/0x68c + udp_rcv+0x20/0x30 + ip_protocol_deliver_rcu+0x1b0/0x33c + ip_local_deliver+0xd8/0x1f0 + ip_rcv+0x98/0x1a4 + deliver_ptype_list_skb+0x98/0x1ec + __netif_receive_skb_core+0x978/0xc60 + +Fix this by marking these skbs as GSO_DODGY so segmentation can handle +the tail updates accordingly. 
+ +Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list") +Signed-off-by: Sean Tranchetti +Signed-off-by: Subash Abhinov Kasiviswanathan +Reviewed-by: Alexander Duyck +Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/core/skbuff.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 5dcdbffdee49..0186fbe06281 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -1693,6 +1693,9 @@ unsigned char *__pskb_pull_tail(struct sk_buff *skb, int delta) + insp = list; + } else { + /* Eaten partially. */ ++ if (skb_is_gso(skb) && !list->head_frag && ++ skb_headlen(list)) ++ skb_shinfo(skb)->gso_type |= SKB_GSO_DODGY; + + if (skb_shared(list)) { + /* Sucks! We need to fork list. :-( */ +-- +2.35.1 + diff --git a/queue-4.9/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch b/queue-4.9/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch new file mode 100644 index 00000000000..83e37540039 --- /dev/null +++ b/queue-4.9/soc-ti-smartreflex-fix-pm-disable-depth-imbalance-in.patch 
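Review bot: in the __pskb_pull_tail() hunk, setting SKB_GSO_DODGY on the head skb whenever a linear frag_list member is partially consumed is correct but deliberately pessimistic: every such GSO skb is pushed through the validating segmentation path, which is the cost accepted here. The flag is set before the skb_shared(list) clone, which is fine because gso_type lives in the head skb's shinfo, not in the list member. For the 4.9 backport, confirm the queue already contains the Fixes: commit 3dcbdb134f32 that this change depends on.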
@@ -0,0 +1,37 @@ +From 2737fb29add21557f533606239a73fe86eac0e36 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 8 Nov 2022 16:03:22 +0800 +Subject: soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe + +From: Zhang Qilong + +[ Upstream commit 69460e68eb662064ab4188d4e129ff31c1f23ed9 ] + +The pm_runtime_enable will increase power disable depth. Thus +a pairing decrement is needed on the error handling path to +keep it balanced according to context. + +Fixes: 984aa6dbf4ca ("OMAP3: PM: Adding smartreflex driver support.") +Signed-off-by: Zhang Qilong +Signed-off-by: Nishanth Menon +Link: https://lore.kernel.org/r/20221108080322.52268-3-zhangqilong3@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/power/avs/smartreflex.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/power/avs/smartreflex.c b/drivers/power/avs/smartreflex.c +index bb7b817cca59..a695c87ae459 100644 +--- a/drivers/power/avs/smartreflex.c ++++ b/drivers/power/avs/smartreflex.c +@@ -971,6 +971,7 @@ static int __init omap_sr_probe(struct platform_device *pdev) + err_debugfs: + debugfs_remove_recursive(sr_info->dbg_dir); + err_list_del: ++ pm_runtime_disable(&pdev->dev); + list_del(&sr_info->node); + return ret; + } +-- +2.35.1 + diff --git a/queue-4.9/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch b/queue-4.9/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch new file mode 100644 index 00000000000..2558911032b --- /dev/null +++ b/queue-4.9/staging-rtl8192e-fix-potential-use-after-free-in-rtl.patch 
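Review bot: in the omap_sr_probe() hunk, pm_runtime_disable() is placed at err_list_del, which is also reached by fall-through from err_debugfs; every `goto err_list_del` site must therefore occur after pm_runtime_enable() in the probe, or this patch creates the opposite depth imbalance. The context lines do not show the enable, so verify the goto sites in the 4.9 version of the function before queueing.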
@@ -0,0 +1,41 @@ +From fcec8618abb68808be00e9f5bb4b9d6cff25bd77 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 16:12:53 +0800 +Subject: staging: rtl8192e: Fix potential use-after-free in + rtllib_rx_Monitor() + +From: YueHaibing + +[ Upstream commit d30f4436f364b4ad915ca2c09be07cd0f93ceb44 ] + +The skb is delivered to netif_rx() in rtllib_monitor_rx(), which may free it, +after calling this, dereferencing skb may trigger use-after-free. +Found by Smatch. + +Fixes: 94a799425eee ("From: wlanfae [PATCH 1/8] rtl8192e: Import new version of driver from realtek") +Signed-off-by: YueHaibing +Link: https://lore.kernel.org/r/20221123081253.22296-1-yuehaibing@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192e/rtllib_rx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192e/rtllib_rx.c b/drivers/staging/rtl8192e/rtllib_rx.c +index 247475aa522e..23c917342943 100644 +--- a/drivers/staging/rtl8192e/rtllib_rx.c ++++ b/drivers/staging/rtl8192e/rtllib_rx.c +@@ -1508,9 +1508,9 @@ static int rtllib_rx_Monitor(struct rtllib_device *ieee, struct sk_buff *skb, + hdrlen += 4; + } + +- rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen); + ieee->stats.rx_packets++; + ieee->stats.rx_bytes += skb->len; ++ rtllib_monitor_rx(ieee, skb, rx_stats, hdrlen); + + return 1; + } +-- +2.35.1 + diff --git a/queue-4.9/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch b/queue-4.9/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch new file mode 100644 index 00000000000..dc557842579 --- /dev/null +++ b/queue-4.9/staging-rtl8192u-fix-use-after-free-in-ieee80211_rx.patch 
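Review bot: in the rtllib_rx_Monitor() hunk, moving rtllib_monitor_rx() after the stats update removes the skb dereference after the handoff and is equivalent to the companion rtl8192u patch's approach of saving skb->len first. The only behavioural change is that rx_packets and rx_bytes are counted before netif_rx() sees the skb, which does not affect accounting since the counters were incremented unconditionally before as well.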
@@ -0,0 +1,41 @@ +From cf0cdd99b10635450ad88cc116d76ab1cccb32d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 09:43:14 +0300 +Subject: staging: rtl8192u: Fix use after free in ieee80211_rx() + +From: Dan Carpenter + +[ Upstream commit bcc5e2dcf09089b337b76fc1a589f6ff95ca19ac ] + +We cannot dereference the "skb" pointer after calling +ieee80211_monitor_rx(), because it is a use after free. + +Fixes: 8fc8598e61f6 ("Staging: Added Realtek rtl8192u driver to staging") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/Y33BArx3k/aw6yv/@kili +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +index 89cbc077a48d..085cc86e7c32 100644 +--- a/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c ++++ b/drivers/staging/rtl8192u/ieee80211/ieee80211_rx.c +@@ -965,9 +965,11 @@ int ieee80211_rx(struct ieee80211_device *ieee, struct sk_buff *skb, + #endif + + if (ieee->iw_mode == IW_MODE_MONITOR) { ++ unsigned int len = skb->len; ++ + ieee80211_monitor_rx(ieee, skb, rx_stats); + stats->rx_packets++; +- stats->rx_bytes += skb->len; ++ stats->rx_bytes += len; + return 1; + } + +-- +2.35.1 + diff --git a/queue-4.9/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch b/queue-4.9/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch new file mode 100644 index 00000000000..b4b4fbc0900 --- /dev/null +++ b/queue-4.9/staging-vme_user-fix-possible-uaf-in-tsi148_dma_list.patch 
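Review bot: in the ieee80211_rx() hunk, saving skb->len into a local before ieee80211_monitor_rx() is the standard fix for this pattern, and `unsigned int` matches the type of skb->len. The remaining stats->rx_packets++ after the call does not touch skb, so no further change is needed.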
@@ -0,0 +1,44 @@ +From 1629f7728b713ec9d4a85fa8fd2664b84c5d85d8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Nov 2022 11:59:14 +0800 +Subject: staging: vme_user: Fix possible UAF in tsi148_dma_list_add + +From: Gaosheng Cui + +[ Upstream commit 357057ee55d3c99a5de5abe8150f7bca04f8e53b ] + +Smatch report warning as follows: + +drivers/staging/vme_user/vme_tsi148.c:1757 tsi148_dma_list_add() warn: + '&entry->list' not removed from list + +In tsi148_dma_list_add(), the error path "goto err_dma" will not +remove entry->list from list->entries, but entry will be freed, +then list traversal may cause UAF. + +Fix by removeing it from list->entries before free(). + +Fixes: b2383c90a9d6 ("vme: tsi148: fix first DMA item mapping") +Signed-off-by: Gaosheng Cui +Link: https://lore.kernel.org/r/20221117035914.2954454-1-cuigaosheng1@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_tsi148.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/vme/bridges/vme_tsi148.c b/drivers/vme/bridges/vme_tsi148.c +index fc1b634b969a..2058403f8806 100644 +--- a/drivers/vme/bridges/vme_tsi148.c ++++ b/drivers/vme/bridges/vme_tsi148.c +@@ -1778,6 +1778,7 @@ static int tsi148_dma_list_add(struct vme_dma_list *list, + return 0; + + err_dma: ++ list_del(&entry->list); + err_dest: + err_source: + err_align: +-- +2.35.1 + diff --git a/queue-4.9/stmmac-fix-potential-division-by-0.patch b/queue-4.9/stmmac-fix-potential-division-by-0.patch new file mode 100644 index 00000000000..f315f040beb --- /dev/null +++ b/queue-4.9/stmmac-fix-potential-division-by-0.patch 
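Review bot: in the tsi148_dma_list_add() hunk, list_del(&entry->list) is placed under err_dma only, ahead of err_dest, err_source and err_align; that is correct only if the entry is linked into list->entries after the point where those three labels are reached and before every `goto err_dma`. The hunk does not show the list_add, so confirm the order in the 4.9 function; if the link happens earlier, the other labels also leave a dangling list entry behind.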
@@ -0,0 +1,89 @@ +From e123880a46f984e1bd29e1e6c2b68b6634ffbb32 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 10 Dec 2022 23:37:22 +0100 +Subject: stmmac: fix potential division by 0 + +From: Piergiorgio Beruto + +[ Upstream commit ede5a389852d3640a28e7187fb32b7f204380901 ] + +When the MAC is connected to a 10 Mb/s PHY and the PTP clock is derived +from the MAC reference clock (default), the clk_ptp_rate becomes too +small and the calculated sub second increment becomes 0 when computed by +the stmmac_config_sub_second_increment() function within +stmmac_init_tstamp_counter(). + +Therefore, the subsequent div_u64 in stmmac_init_tstamp_counter() +operation triggers a divide by 0 exception as shown below. + +[ 95.062067] socfpga-dwmac ff700000.ethernet eth0: Register MEM_TYPE_PAGE_POOL RxQ-0 +[ 95.076440] socfpga-dwmac ff700000.ethernet eth0: PHY [stmmac-0:08] driver [NCN26000] (irq=49) +[ 95.095964] dwmac1000: Master AXI performs any burst length +[ 95.101588] socfpga-dwmac ff700000.ethernet eth0: No Safety Features support found +[ 95.109428] Division by zero in kernel. 
+[ 95.113447] CPU: 0 PID: 239 Comm: ifconfig Not tainted 6.1.0-rc7-centurion3-1.0.3.0-01574-gb624218205b7-dirty #77 +[ 95.123686] Hardware name: Altera SOCFPGA +[ 95.127695] unwind_backtrace from show_stack+0x10/0x14 +[ 95.132938] show_stack from dump_stack_lvl+0x40/0x4c +[ 95.137992] dump_stack_lvl from Ldiv0+0x8/0x10 +[ 95.142527] Ldiv0 from __aeabi_uidivmod+0x8/0x18 +[ 95.147232] __aeabi_uidivmod from div_u64_rem+0x1c/0x40 +[ 95.152552] div_u64_rem from stmmac_init_tstamp_counter+0xd0/0x164 +[ 95.158826] stmmac_init_tstamp_counter from stmmac_hw_setup+0x430/0xf00 +[ 95.165533] stmmac_hw_setup from __stmmac_open+0x214/0x2d4 +[ 95.171117] __stmmac_open from stmmac_open+0x30/0x44 +[ 95.176182] stmmac_open from __dev_open+0x11c/0x134 +[ 95.181172] __dev_open from __dev_change_flags+0x168/0x17c +[ 95.186750] __dev_change_flags from dev_change_flags+0x14/0x50 +[ 95.192662] dev_change_flags from devinet_ioctl+0x2b4/0x604 +[ 95.198321] devinet_ioctl from inet_ioctl+0x1ec/0x214 +[ 95.203462] inet_ioctl from sock_ioctl+0x14c/0x3c4 +[ 95.208354] sock_ioctl from vfs_ioctl+0x20/0x38 +[ 95.212984] vfs_ioctl from sys_ioctl+0x250/0x844 +[ 95.217691] sys_ioctl from ret_fast_syscall+0x0/0x4c +[ 95.222743] Exception stack(0xd0ee1fa8 to 0xd0ee1ff0) +[ 95.227790] 1fa0: 00574c4f be9aeca4 00000003 00008914 be9aeca4 be9aec50 +[ 95.235945] 1fc0: 00574c4f be9aeca4 0059f078 00000036 be9aee8c be9aef7a 00000015 00000000 +[ 95.244096] 1fe0: 005a01f0 be9aec38 004d7484 b6e67d74 + +Signed-off-by: Piergiorgio Beruto +Fixes: 91a2559c1dc5 ("net: stmmac: Fix sub-second increment") +Reviewed-by: Andrew Lunn +Link: https://lore.kernel.org/r/de4c64ccac9084952c56a06a8171d738604c4770.1670678513.git.piergiorgio.beruto@gmail.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c | 3 ++- + drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git 
a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +index 5b91a95476de..c925a8fb1993 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c +@@ -57,7 +57,8 @@ static u32 stmmac_config_sub_second_increment(void __iomem *ioaddr, + if (!(value & PTP_TCR_TSCTRLSSR)) + data = (data * 1000) / 465; + +- data &= PTP_SSIR_SSINC_MASK; ++ if (data > PTP_SSIR_SSINC_MAX) ++ data = PTP_SSIR_SSINC_MAX; + + reg_value = data; + if (gmac4) +diff --git a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h +index 174777cd888e..06fd27fc9a08 100644 +--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h ++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.h +@@ -69,7 +69,7 @@ + #define PTP_TCR_TSENMACADDR BIT(18) + + /* SSIR defines */ +-#define PTP_SSIR_SSINC_MASK 0xff ++#define PTP_SSIR_SSINC_MAX 0xff + #define GMAC4_PTP_SSIR_SSINC_SHIFT 16 + + #endif /* __STMMAC_PTP_H__ */ +-- +2.35.1 + diff --git a/queue-4.9/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch b/queue-4.9/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch new file mode 100644 index 00000000000..db31259afee --- /dev/null +++ b/queue-4.9/sunrpc-fix-missing-release-socket-in-rpc_sockname.patch 
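Review bot: in the stmmac_config_sub_second_increment() hunk, replacing the `&= PTP_SSIR_SSINC_MASK` with a clamp is what stops a value of 0x100 or more from being masked to 0 and then used as a divisor; a clamp silently degrades timestamp resolution at 10 Mb/s, so a one-line comment or a dev_warn_once() at the clamp would help whoever later debugs PTP accuracy on such a link. The clamp does not cover `data` already being 0 before it, so confirm that cannot happen with the clock rates the driver accepts.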
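Review bot: in the stmmac_ptp.h hunk, renaming PTP_SSIR_SSINC_MASK to PTP_SSIR_SSINC_MAX is consistent with the two files in the diffstat, but the rename breaks the build if any other 4.9 file still references PTP_SSIR_SSINC_MASK; grep the stmmac directory before queueing.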
@@ -0,0 +1,37 @@ +From 53871bc770120f3186cddd73dbe63b66ee3fa93e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 24 Nov 2022 17:23:42 +0800 +Subject: SUNRPC: Fix missing release socket in rpc_sockname() + +From: Wang ShaoBo + +[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ] + +socket dynamically created is not released when getting an unintended +address family type in rpc_sockname(), direct to out_release for calling +sock_release(). + +Fixes: 2e738fdce22f ("SUNRPC: Add API to acquire source address") +Signed-off-by: Wang ShaoBo +Signed-off-by: Trond Myklebust +Signed-off-by: Sasha Levin +--- + net/sunrpc/clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index eef2f732fbe3..9447670b5a63 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1275,7 +1275,7 @@ static int rpc_sockname(struct net *net, struct sockaddr *sap, size_t salen, + break; + default: + err = -EAFNOSUPPORT; +- goto out; ++ goto out_release; + } + if (err < 0) { + dprintk("RPC: can't bind UDP socket (%d)\n", err); +-- +2.35.1 + diff --git a/queue-4.9/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch b/queue-4.9/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch new file mode 100644 index 00000000000..03abf9736f4 --- /dev/null +++ b/queue-4.9/timerqueue-use-rb_entry_safe-in-timerqueue_getnext.patch 
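Review bot: the rpc_sockname() hunk changes the default (unsupported address family) branch from `goto out` to `goto out_release`; the out_release label and its sock_release() call are outside the visible context, so confirm that label releases the socket created earlier in the function and then falls through to out, and that err is still returned as -EAFNOSUPPORT after the release rather than being overwritten.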
@@ -0,0 +1,44 @@ +From 18359754f68d6480244d4390d767f9618aa21ca6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 14 Nov 2022 19:54:23 +0000 +Subject: timerqueue: Use rb_entry_safe() in timerqueue_getnext() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Barnabás Pőcze + +[ Upstream commit 2f117484329b233455ee278f2d9b0a4356835060 ] + +When `timerqueue_getnext()` is called on an empty timer queue, it will +use `rb_entry()` on a NULL pointer, which is invalid. Fix that by using +`rb_entry_safe()` which handles NULL pointers. + +This has not caused any issues so far because the offset of the `rb_node` +member in `timerqueue_node` is 0, so `rb_entry()` is essentially a no-op. + +Fixes: 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer") +Signed-off-by: Barnabás Pőcze +Signed-off-by: Thomas Gleixner +Link: https://lore.kernel.org/r/20221114195421.342929-1-pobrn@protonmail.com +Signed-off-by: Sasha Levin +--- + include/linux/timerqueue.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/linux/timerqueue.h b/include/linux/timerqueue.h +index 42868a9b4365..df7841c6fdf4 100644 +--- a/include/linux/timerqueue.h ++++ b/include/linux/timerqueue.h +@@ -34,7 +34,7 @@ struct timerqueue_node *timerqueue_getnext(struct timerqueue_head *head) + { + struct rb_node *leftmost = rb_first_cached(&head->rb_root); + +- return rb_entry(leftmost, struct timerqueue_node, node); ++ return rb_entry_safe(leftmost, struct timerqueue_node, node); + } + + static inline void timerqueue_init(struct timerqueue_node *node) +-- +2.35.1 + diff --git a/queue-4.9/udf-avoid-double-brelse-in-udf_rename.patch b/queue-4.9/udf-avoid-double-brelse-in-udf_rename.patch new file mode 100644 index 00000000000..9e3f1acb970 --- /dev/null +++ b/queue-4.9/udf-avoid-double-brelse-in-udf_rename.patch 
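Review bot: the hunk context reads `struct rb_node *leftmost = rb_first_cached(&head->rb_root);` and the Fixes tag points at 511885d7061e ("lib/timerqueue: Rely on rbtree semantics for next timer"), i.e. the cached-rbtree timerqueue layout; for a queue-4.9 backport, confirm the 4.9 tree actually carries that layout, otherwise this hunk does not apply and the bug it fixes is not present there. The rb_entry_safe() change itself is correct: it returns NULL for an empty queue instead of computing an offset from a NULL pointer, and as the message says, only the zero offset of `node` made the old code appear to work.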
@@ -0,0 +1,93 @@ +From 140fac13169ecf2160b0fdfc57304862e05259db Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 Oct 2022 18:57:41 +0900 +Subject: udf: Avoid double brelse() in udf_rename() + +From: Shigeru Yoshida + +[ Upstream commit c791730f2554a9ebb8f18df9368dc27d4ebc38c2 ] + +syzbot reported a warning like below [1]: + +VFS: brelse: Trying to free free buffer +WARNING: CPU: 2 PID: 7301 at fs/buffer.c:1145 __brelse+0x67/0xa0 +... +Call Trace: + + invalidate_bh_lru+0x99/0x150 + smp_call_function_many_cond+0xe2a/0x10c0 + ? generic_remap_file_range_prep+0x50/0x50 + ? __brelse+0xa0/0xa0 + ? __mutex_lock+0x21c/0x12d0 + ? smp_call_on_cpu+0x250/0x250 + ? rcu_read_lock_sched_held+0xb/0x60 + ? lock_release+0x587/0x810 + ? __brelse+0xa0/0xa0 + ? generic_remap_file_range_prep+0x50/0x50 + on_each_cpu_cond_mask+0x3c/0x80 + blkdev_flush_mapping+0x13a/0x2f0 + blkdev_put_whole+0xd3/0xf0 + blkdev_put+0x222/0x760 + deactivate_locked_super+0x96/0x160 + deactivate_super+0xda/0x100 + cleanup_mnt+0x222/0x3d0 + task_work_run+0x149/0x240 + ? task_work_cancel+0x30/0x30 + do_exit+0xb29/0x2a40 + ? reacquire_held_locks+0x4a0/0x4a0 + ? do_raw_spin_lock+0x12a/0x2b0 + ? mm_update_next_owner+0x7c0/0x7c0 + ? rwlock_bug.part.0+0x90/0x90 + ? zap_other_threads+0x234/0x2d0 + do_group_exit+0xd0/0x2a0 + __x64_sys_exit_group+0x3a/0x50 + do_syscall_64+0x34/0xb0 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +The cause of the issue is that brelse() is called on both ofibh.sbh +and ofibh.ebh by udf_find_entry() when it returns NULL. However, +brelse() is called by udf_rename(), too. So, b_count on buffer_head +becomes unbalanced. + +This patch fixes the issue by not calling brelse() by udf_rename() +when udf_find_entry() returns NULL. 
+ +Link: https://syzkaller.appspot.com/bug?id=8297f45698159c6bca8a1f87dc983667c1a1c851 [1] +Reported-by: syzbot+7902cd7684bc35306224@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Jan Kara +Link: https://lore.kernel.org/r/20221023095741.271430-1-syoshida@redhat.com +Signed-off-by: Sasha Levin +--- + fs/udf/namei.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/fs/udf/namei.c b/fs/udf/namei.c +index aefa939176e1..0ab842460ed3 100644 +--- a/fs/udf/namei.c ++++ b/fs/udf/namei.c +@@ -1112,8 +1112,9 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry, + return -EINVAL; + + ofi = udf_find_entry(old_dir, &old_dentry->d_name, &ofibh, &ocfi); +- if (IS_ERR(ofi)) { +- retval = PTR_ERR(ofi); ++ if (!ofi || IS_ERR(ofi)) { ++ if (IS_ERR(ofi)) ++ retval = PTR_ERR(ofi); + goto end_rename; + } + +@@ -1122,8 +1123,7 @@ static int udf_rename(struct inode *old_dir, struct dentry *old_dentry, + + brelse(ofibh.sbh); + tloc = lelb_to_cpu(ocfi.icb.extLocation); +- if (!ofi || udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) +- != old_inode->i_ino) ++ if (udf_get_lb_pblock(old_dir->i_sb, &tloc, 0) != old_inode->i_ino) + goto end_rename; + + nfi = udf_find_entry(new_dir, &new_dentry->d_name, &nfibh, &ncfi); +-- +2.35.1 + diff --git a/queue-4.9/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch b/queue-4.9/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch new file mode 100644 index 00000000000..3815bf33a80 --- /dev/null +++ b/queue-4.9/uio-uio_dmem_genirq-fix-deadlock-between-irq-config-.patch 
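Review bot: in the first udf_rename() hunk the `!ofi` path now jumps to end_rename without assigning retval, so the error returned for a missing source entry is whatever retval was initialised to, which is outside the visible context; confirm it is a negative errno rather than 0, or rename will report success. Style: `if (!ofi || IS_ERR(ofi))` can be written `if (IS_ERR_OR_NULL(ofi))`. The second hunk dropping `!ofi ||` is consistent, since that case is now handled before brelse(ofibh.sbh) is reached, which is what removes the double brelse().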
@@ -0,0 +1,64 @@ +From 398e0731f7253936bf40d24e347c9918c1ca265a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 19:40:58 -0300 +Subject: uio: uio_dmem_genirq: Fix deadlock between irq config and handling + +From: Rafael Mendonca + +[ Upstream commit 118b918018175d9fcd8db667f905012e986cc2c9 ] + +This fixes a concurrency issue addressed in commit 34cb27528398 ("UIO: Fix +concurrency issue"): + + "In a SMP case there was a race condition issue between + Uio_pdrv_genirq_irqcontrol() running on one CPU and irq handler on + another CPU. Fix it by spin_locking shared resources access inside irq + handler." + +The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and +it is used in a similar manner to the "uio_pdrv_genirq" driver with respect +to interrupt configuration and handling. At the time "uio_dmem_genirq" was +merged, both had the same implementation of the 'uio_info' handlers +irqcontrol() and handler(), thus, both had the same concurrency issue +mentioned by the above commit. However, the above patch was only applied to +the "uio_pdrv_genirq" driver. + +Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). + +Fixes: 0a0c3b5a24bd ("Add new uio device for dynamic memory allocation") +Signed-off-by: Rafael Mendonca +Link: https://lore.kernel.org/r/20220930224100.816175-3-rafaelmendsr@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index c25a6bcb2d21..b4b7fa05b29b 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -113,8 +113,10 @@ static irqreturn_t uio_dmem_genirq_handler(int irq, struct uio_info *dev_info) + * remember the state so we can allow user space to enable it later. 
+ */ + ++ spin_lock(&priv->lock); + if (!test_and_set_bit(0, &priv->flags)) + disable_irq_nosync(irq); ++ spin_unlock(&priv->lock); + + return IRQ_HANDLED; + } +@@ -128,7 +130,8 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + * in the interrupt controller, but keep track of the + * state to prevent per-irq depth damage. + * +- * Serialize this operation to support multiple tasks. ++ * Serialize this operation to support multiple tasks and concurrency ++ * with irq handler on SMP systems. + */ + + spin_lock_irqsave(&priv->lock, flags); +-- +2.35.1 + diff --git a/queue-4.9/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch b/queue-4.9/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch new file mode 100644 index 00000000000..6ac9e25526d --- /dev/null +++ b/queue-4.9/uio-uio_dmem_genirq-fix-missing-unlock-in-irq-config.patch 
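Review bot: the uio_dmem_genirq_handler() hunk takes priv->lock around the test_and_set_bit()/disable_irq_nosync() pair, so it is only safe if uio_dmem_genirq_irqcontrol() never calls disable_irq() while holding the same lock: disable_irq() waits for a running handler, which would now spin on the lock irqcontrol() holds. That is provided by the companion "Fix missing unlock" patch in this queue, which switches irqcontrol() to disable_irq_nosync(), so the two must be applied together and in that order; worth stating the dependency in the message. Plain spin_lock() without irqsave matches uio_pdrv_genirq and is adequate since the handler itself runs with interrupts disabled.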
@@ -0,0 +1,127 @@ +From f8c85ec17cddd0ccdbcf328f04d84996df137be3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 30 Sep 2022 19:40:57 -0300 +Subject: uio: uio_dmem_genirq: Fix missing unlock in irq configuration + +From: Rafael Mendonca + +[ Upstream commit 9de255c461d1b3f0242b3ad1450c3323a3e00b34 ] + +Commit b74351287d4b ("uio: fix a sleep-in-atomic-context bug in +uio_dmem_genirq_irqcontrol()") started calling disable_irq() without +holding the spinlock because it can sleep. However, that fix introduced +another bug: if interrupt is already disabled and a new disable request +comes in, then the spinlock is not unlocked: + +root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 +root@localhost:~# printf '\x00\x00\x00\x00' > /dev/uio0 +root@localhost:~# [ 14.851538] BUG: scheduling while atomic: bash/223/0x00000002 +[ 14.851991] Modules linked in: uio_dmem_genirq uio myfpga(OE) bochs drm_vram_helper drm_ttm_helper ttm drm_kms_helper drm snd_pcm ppdev joydev psmouse snd_timer snd e1000fb_sys_fops syscopyarea parport sysfillrect soundcore sysimgblt input_leds pcspkr i2c_piix4 serio_raw floppy evbug qemu_fw_cfg mac_hid pata_acpi ip_tables x_tables autofs4 [last unloaded: parport_pc] +[ 14.854206] CPU: 0 PID: 223 Comm: bash Tainted: G OE 6.0.0-rc7 #21 +[ 14.854786] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 +[ 14.855664] Call Trace: +[ 14.855861] +[ 14.856025] dump_stack_lvl+0x4d/0x67 +[ 14.856325] dump_stack+0x14/0x1a +[ 14.856583] __schedule_bug.cold+0x4b/0x5c +[ 14.856915] __schedule+0xe81/0x13d0 +[ 14.857199] ? idr_find+0x13/0x20 +[ 14.857456] ? get_work_pool+0x2d/0x50 +[ 14.857756] ? __flush_work+0x233/0x280 +[ 14.858068] ? __schedule+0xa95/0x13d0 +[ 14.858307] ? idr_find+0x13/0x20 +[ 14.858519] ? get_work_pool+0x2d/0x50 +[ 14.858798] schedule+0x6c/0x100 +[ 14.859009] schedule_hrtimeout_range_clock+0xff/0x110 +[ 14.859335] ? tty_write_room+0x1f/0x30 +[ 14.859598] ? 
n_tty_poll+0x1ec/0x220 +[ 14.859830] ? tty_ldisc_deref+0x1a/0x20 +[ 14.860090] schedule_hrtimeout_range+0x17/0x20 +[ 14.860373] do_select+0x596/0x840 +[ 14.860627] ? __kernel_text_address+0x16/0x50 +[ 14.860954] ? poll_freewait+0xb0/0xb0 +[ 14.861235] ? poll_freewait+0xb0/0xb0 +[ 14.861517] ? rpm_resume+0x49d/0x780 +[ 14.861798] ? common_interrupt+0x59/0xa0 +[ 14.862127] ? asm_common_interrupt+0x2b/0x40 +[ 14.862511] ? __uart_start.isra.0+0x61/0x70 +[ 14.862902] ? __check_object_size+0x61/0x280 +[ 14.863255] core_sys_select+0x1c6/0x400 +[ 14.863575] ? vfs_write+0x1c9/0x3d0 +[ 14.863853] ? vfs_write+0x1c9/0x3d0 +[ 14.864121] ? _copy_from_user+0x45/0x70 +[ 14.864526] do_pselect.constprop.0+0xb3/0xf0 +[ 14.864893] ? do_syscall_64+0x6d/0x90 +[ 14.865228] ? do_syscall_64+0x6d/0x90 +[ 14.865556] __x64_sys_pselect6+0x76/0xa0 +[ 14.865906] do_syscall_64+0x60/0x90 +[ 14.866214] ? syscall_exit_to_user_mode+0x2a/0x50 +[ 14.866640] ? do_syscall_64+0x6d/0x90 +[ 14.866972] ? do_syscall_64+0x6d/0x90 +[ 14.867286] ? do_syscall_64+0x6d/0x90 +[ 14.867626] entry_SYSCALL_64_after_hwframe+0x63/0xcd +[...] stripped +[ 14.872959] + +('myfpga' is a simple 'uio_dmem_genirq' driver I wrote to test this) + +The implementation of "uio_dmem_genirq" was based on "uio_pdrv_genirq" and +it is used in a similar manner to the "uio_pdrv_genirq" driver with respect +to interrupt configuration and handling. At the time "uio_dmem_genirq" was +introduced, both had the same implementation of the 'uio_info' handlers +irqcontrol() and handler(). Then commit 34cb27528398 ("UIO: Fix concurrency +issue"), which was only applied to "uio_pdrv_genirq", ended up making them +a little different. That commit, among other things, changed disable_irq() +to disable_irq_nosync() in the implementation of irqcontrol(). The +motivation there was to avoid a deadlock between irqcontrol() and +handler(), since it added a spinlock in the irq handler, and disable_irq() +waits for the completion of the irq handler. 
+ +By changing disable_irq() to disable_irq_nosync() in irqcontrol(), we also +avoid the sleeping-while-atomic bug that commit b74351287d4b ("uio: fix a +sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") was trying to +fix. Thus, this fixes the missing unlock in irqcontrol() by importing the +implementation of irqcontrol() handler from the "uio_pdrv_genirq" driver. +In the end, it reverts commit b74351287d4b ("uio: fix a +sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") and change +disable_irq() to disable_irq_nosync(). + +It is worth noting that this still does not address the concurrency issue +fixed by commit 34cb27528398 ("UIO: Fix concurrency issue"). It will be +addressed separately in the next commits. + +Split out from commit 34cb27528398 ("UIO: Fix concurrency issue"). + +Fixes: b74351287d4b ("uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()") +Signed-off-by: Rafael Mendonca +Link: https://lore.kernel.org/r/20220930224100.816175-2-rafaelmendsr@gmail.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/uio/uio_dmem_genirq.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/uio/uio_dmem_genirq.c b/drivers/uio/uio_dmem_genirq.c +index a00b4aee6c79..c25a6bcb2d21 100644 +--- a/drivers/uio/uio_dmem_genirq.c ++++ b/drivers/uio/uio_dmem_genirq.c +@@ -135,13 +135,11 @@ static int uio_dmem_genirq_irqcontrol(struct uio_info *dev_info, s32 irq_on) + if (irq_on) { + if (test_and_clear_bit(0, &priv->flags)) + enable_irq(dev_info->irq); +- spin_unlock_irqrestore(&priv->lock, flags); + } else { +- if (!test_and_set_bit(0, &priv->flags)) { +- spin_unlock_irqrestore(&priv->lock, flags); +- disable_irq(dev_info->irq); +- } ++ if (!test_and_set_bit(0, &priv->flags)) ++ disable_irq_nosync(dev_info->irq); + } ++ spin_unlock_irqrestore(&priv->lock, flags); + + return 0; + } +-- +2.35.1 + 
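Review bot: the irqcontrol() hunk is correct as a fix for the leaked lock: both branches now reach the single spin_unlock_irqrestore() after the if/else, and the `else` no longer has a path that returns with the lock held when the bit was already set. The semantic change to watch is disable_irq_nosync(): it returns without waiting for an in-flight handler, so one more interrupt may be delivered after the disable write returns; that is acceptable here and, as the message explains, required once the handler takes the same lock, but it is worth spelling out for anyone comparing against the pre-b74351287d4b behaviour.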
diff --git a/queue-4.9/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch b/queue-4.9/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch new file mode 100644 index 00000000000..646f808f2f2 --- /dev/null +++ b/queue-4.9/uprobes-x86-allow-to-probe-a-nop-instruction-with-0x.patch 
@@ -0,0 +1,53 @@ +From c7d67024b68d7c91381799778f5894dd54e82f64 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Dec 2022 18:39:33 +0100 +Subject: uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix + +From: Oleg Nesterov + +[ Upstream commit cefa72129e45313655d53a065b8055aaeb01a0c9 ] + +Intel ICC -hotpatch inserts 2-byte "0x66 0x90" NOP at the start of each +function to reserve extra space for hot-patching, and currently it is not +possible to probe these functions because branch_setup_xol_ops() wrongly +rejects NOP with REP prefix as it treats them like word-sized branch +instructions. + +Fixes: 250bbd12c2fe ("uprobes/x86: Refuse to attach uprobe to "word-sized" branch insns") +Reported-by: Seiji Nishikawa +Suggested-by: Denys Vlasenko +Signed-off-by: Oleg Nesterov +Signed-off-by: Thomas Gleixner +Acked-by: Masami Hiramatsu (Google) +Link: https://lore.kernel.org/r/20221204173933.GA31544@redhat.com +Signed-off-by: Sasha Levin +--- + arch/x86/kernel/uprobes.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kernel/uprobes.c b/arch/x86/kernel/uprobes.c +index 52bb7413f352..953ed5b5a218 100644 +--- a/arch/x86/kernel/uprobes.c ++++ b/arch/x86/kernel/uprobes.c +@@ -718,8 +718,9 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) + switch (opc1) { + case 0xeb: /* jmp 8 */ + case 0xe9: /* jmp 32 */ +- case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */ + break; ++ case 0x90: /* prefix* + nop; same as jmp with .offs = 0 */ ++ goto setup; + + case 0xe8: /* call relative */ + branch_clear_offset(auprobe, insn); +@@ -748,6 +749,7 @@ static int branch_setup_xol_ops(struct arch_uprobe *auprobe, struct insn *insn) + return -ENOTSUPP; + } + ++setup: + auprobe->branch.opc1 = opc1; + auprobe->branch.ilen = insn->length; + auprobe->branch.offs = insn->immediate.value; +-- +2.35.1 + 
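Review bot: moving `case 0x90` to `goto setup` skips the check between the switch and the label that returns -ENOTSUPP for prefixed word-sized branches, which is the intended effect for the 0x66 0x90 NOP; the label then sets auprobe->branch.offs from insn->immediate.value, so this relies on the decoder leaving the immediate zero for a NOP, which is what the "same as jmp with .offs = 0" comment promises. A short comment at the `setup:` label noting that NOP bypasses the prefix check deliberately would keep a later reader from "fixing" it back to the break path.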
diff --git a/queue-4.9/usb-fotg210-udc-fix-ages-old-endianness-issues.patch b/queue-4.9/usb-fotg210-udc-fix-ages-old-endianness-issues.patch new file mode 100644 index 00000000000..9b722102ca5 --- /dev/null +++ b/queue-4.9/usb-fotg210-udc-fix-ages-old-endianness-issues.patch 
@@ -0,0 +1,71 @@ +From 394a7a584d968ba04c231c04c9ce16fc3f4c8177 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 11 Nov 2022 10:03:17 +0100 +Subject: usb: fotg210-udc: Fix ages old endianness issues + +From: Linus Walleij + +[ Upstream commit 46ed6026ca2181c917c8334a82e3eaf40a6234dd ] + +The code in the FOTG210 driver isn't entirely endianness-agnostic +as reported by the kernel robot sparse testing. This came to +the surface while moving the files around. + +The driver is only used on little-endian systems, so this causes +no real-world regression, but it is nice to be strict and have +some compile coverage also on big endian machines, so fix it +up with the right LE accessors. + +Fixes: b84a8dee23fd ("usb: gadget: add Faraday fotg210_udc driver") +Reported-by: kernel test robot +Link: https://lore.kernel.org/linux-usb/202211110910.0dJ7nZCn-lkp@intel.com/ +Signed-off-by: Linus Walleij +Link: https://lore.kernel.org/r/20221111090317.94228-1-linus.walleij@linaro.org +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/gadget/udc/fotg210-udc.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/drivers/usb/gadget/udc/fotg210-udc.c b/drivers/usb/gadget/udc/fotg210-udc.c +index 9e102ba9cf66..88415a3a9b43 100644 +--- a/drivers/usb/gadget/udc/fotg210-udc.c ++++ b/drivers/usb/gadget/udc/fotg210-udc.c +@@ -636,10 +636,10 @@ static void fotg210_request_error(struct fotg210_udc *fotg210) + static void fotg210_set_address(struct fotg210_udc *fotg210, + struct usb_ctrlrequest *ctrl) + { +- if (ctrl->wValue >= 0x0100) { ++ if (le16_to_cpu(ctrl->wValue) >= 0x0100) { + fotg210_request_error(fotg210); + } else { +- fotg210_set_dev_addr(fotg210, ctrl->wValue); ++ fotg210_set_dev_addr(fotg210, le16_to_cpu(ctrl->wValue)); + fotg210_set_cxdone(fotg210); + } + } +@@ -720,17 +720,17 @@ static void fotg210_get_status(struct fotg210_udc *fotg210, + + switch (ctrl->bRequestType & USB_RECIP_MASK) { + case USB_RECIP_DEVICE: 
+- fotg210->ep0_data = 1 << USB_DEVICE_SELF_POWERED; ++ fotg210->ep0_data = cpu_to_le16(1 << USB_DEVICE_SELF_POWERED); + break; + case USB_RECIP_INTERFACE: +- fotg210->ep0_data = 0; ++ fotg210->ep0_data = cpu_to_le16(0); + break; + case USB_RECIP_ENDPOINT: + epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK; + if (epnum) + fotg210->ep0_data = +- fotg210_is_epnstall(fotg210->ep[epnum]) +- << USB_ENDPOINT_HALT; ++ cpu_to_le16(fotg210_is_epnstall(fotg210->ep[epnum]) ++ << USB_ENDPOINT_HALT); + else + fotg210_request_error(fotg210); + break; +-- +2.35.1 + diff --git a/queue-4.9/usb-storage-add-check-for-kcalloc.patch b/queue-4.9/usb-storage-add-check-for-kcalloc.patch new file mode 100644 index 00000000000..f3ebbd9afae --- /dev/null +++ b/queue-4.9/usb-storage-add-check-for-kcalloc.patch 
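Review bot: the fotg210_get_status() hunk leaves `epnum = ctrl->wIndex & USB_ENDPOINT_NUMBER_MASK;` in the context untouched; wIndex is a __le16 like wValue, so the same sparse warning and the same big-endian mis-read apply there. Suggest `epnum = le16_to_cpu(ctrl->wIndex) & USB_ENDPOINT_NUMBER_MASK;` in the same patch. The cpu_to_le16(0) in the USB_RECIP_INTERFACE case is fine and keeps sparse quiet about assigning a plain int to a __le16 field.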
@@ -0,0 +1,39 @@ +From 030978127f9cdd47ec001620cb1f277924f0dfae Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 8 Dec 2022 19:00:58 +0800 +Subject: usb: storage: Add check for kcalloc + +From: Jiasheng Jiang + +[ Upstream commit c35ca10f53c51eeb610d3f8fbc6dd6d511b58a58 ] + +As kcalloc may return NULL pointer, the return value should +be checked and return error if fails as same as the ones in +alauda_read_map. + +Fixes: e80b0fade09e ("[PATCH] USB Storage: add alauda support") +Acked-by: Alan Stern +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20221208110058.12983-1-jiasheng@iscas.ac.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/storage/alauda.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/usb/storage/alauda.c b/drivers/usb/storage/alauda.c +index 878b4b8761f5..3dbd60540372 100644 +--- a/drivers/usb/storage/alauda.c ++++ b/drivers/usb/storage/alauda.c +@@ -450,6 +450,8 @@ static int alauda_init_media(struct us_data *us) + + MEDIA_INFO(us).blockshift + MEDIA_INFO(us).pageshift); + MEDIA_INFO(us).pba_to_lba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO); + MEDIA_INFO(us).lba_to_pba = kcalloc(num_zones, sizeof(u16*), GFP_NOIO); ++ if (MEDIA_INFO(us).pba_to_lba == NULL || MEDIA_INFO(us).lba_to_pba == NULL) ++ return USB_STOR_TRANSPORT_ERROR; + + if (alauda_reset_media(us) != USB_STOR_XFER_GOOD) + return USB_STOR_TRANSPORT_ERROR; +-- +2.35.1 + diff --git a/queue-4.9/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch b/queue-4.9/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch new file mode 100644 index 00000000000..692683b3c68 --- /dev/null +++ b/queue-4.9/vfio-platform-do-not-pass-return-buffer-to-acpi-_rst.patch 
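Review bot: the alauda_init_media() hunk checks both kcalloc() results only after both calls, so when exactly one fails the other allocation stays assigned in MEDIA_INFO(us) on the error return; that is leak-free only if the driver's teardown frees both pba_to_lba and lba_to_pba unconditionally, which is not visible here. If it does not, free the surviving buffer and NULL the field before returning USB_STOR_TRANSPORT_ERROR.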
@@ -0,0 +1,43 @@ +From 7f3f99340f814d43a4d800830168b462fb5420d6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 18 Oct 2022 12:28:25 -0300 +Subject: vfio: platform: Do not pass return buffer to ACPI _RST method + +From: Rafael Mendonca + +[ Upstream commit e67e070632a665c932d534b8b800477bb3111449 ] + +The ACPI _RST method has no return value, there's no need to pass a return +buffer to acpi_evaluate_object(). + +Fixes: d30daa33ec1d ("vfio: platform: call _RST method when using ACPI") +Signed-off-by: Rafael Mendonca +Reviewed-by: Eric Auger +Link: https://lore.kernel.org/r/20221018152825.891032-1-rafaelmendsr@gmail.com +Signed-off-by: Alex Williamson +Signed-off-by: Sasha Levin +--- + drivers/vfio/platform/vfio_platform_common.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c +index 9b1b6c1e218d..d5b15630050b 100644 +--- a/drivers/vfio/platform/vfio_platform_common.c ++++ b/drivers/vfio/platform/vfio_platform_common.c +@@ -77,12 +77,11 @@ static int vfio_platform_acpi_call_reset(struct vfio_platform_device *vdev, + const char **extra_dbg) + { + #ifdef CONFIG_ACPI +- struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL }; + struct device *dev = vdev->device; + acpi_handle handle = ACPI_HANDLE(dev); + acpi_status acpi_ret; + +- acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, &buffer); ++ acpi_ret = acpi_evaluate_object(handle, "_RST", NULL, NULL); + if (ACPI_FAILURE(acpi_ret)) { + if (extra_dbg) + *extra_dbg = acpi_format_exception(acpi_ret); +-- +2.35.1 + diff --git a/queue-4.9/vme-fix-error-not-catched-in-fake_init.patch b/queue-4.9/vme-fix-error-not-catched-in-fake_init.patch new file mode 100644 index 00000000000..ca865cf99f7 --- /dev/null +++ b/queue-4.9/vme-fix-error-not-catched-in-fake_init.patch 
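Review bot: passing NULL as the return buffer to acpi_evaluate_object() for _RST is correct since the method has no return value; the removed `struct acpi_buffer buffer = { ACPI_ALLOCATE_BUFFER, NULL };` also had no matching kfree(buffer.pointer) in the visible context, so the change incidentally removes a small allocation leak on firmware whose _RST does return an object. Nothing else in the hunk changes behaviour.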
@@ -0,0 +1,49 @@ +From 362f8a5bef9fd7c3539b65dd43ac7115b928994f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Dec 2022 16:48:05 +0800 +Subject: vme: Fix error not catched in fake_init() + +From: Chen Zhongjin + +[ Upstream commit 7bef797d707f1744f71156b21d41e3b8c946631f ] + +In fake_init(), __root_device_register() is possible to fail but it's +ignored, which can cause unregistering vme_root fail when exit. + + general protection fault, + probably for non-canonical address 0xdffffc000000008c + KASAN: null-ptr-deref in range [0x0000000000000460-0x0000000000000467] + RIP: 0010:root_device_unregister+0x26/0x60 + Call Trace: + + __x64_sys_delete_module+0x34f/0x540 + do_syscall_64+0x38/0x90 + entry_SYSCALL_64_after_hwframe+0x63/0xcd + +Return error when __root_device_register() fails. + +Fixes: 658bcdae9c67 ("vme: Adding Fake VME driver") +Signed-off-by: Chen Zhongjin +Link: https://lore.kernel.org/r/20221205084805.147436-1-chenzhongjin@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/vme/bridges/vme_fake.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/vme/bridges/vme_fake.c b/drivers/vme/bridges/vme_fake.c +index e81ec763b555..150ee8b3507f 100644 +--- a/drivers/vme/bridges/vme_fake.c ++++ b/drivers/vme/bridges/vme_fake.c +@@ -1077,6 +1077,8 @@ static int __init fake_init(void) + + /* We need a fake parent device */ + vme_root = __root_device_register("vme", THIS_MODULE); ++ if (IS_ERR(vme_root)) ++ return PTR_ERR(vme_root); + + /* If we want to support more than one bridge at some point, we need to + * dynamically allocate this so we get one per device. +-- +2.35.1 + diff --git a/queue-4.9/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch b/queue-4.9/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch new file mode 100644 index 00000000000..44d72008728 --- /dev/null +++ b/queue-4.9/wifi-ar5523-fix-use-after-free-on-ar5523_cmd-timed-o.patch 
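Review bot: the fake_init() hunk returns PTR_ERR(vme_root) immediately; __root_device_register() is the first step visible after the comment and no earlier allocation appears in the hunk, so no cleanup is needed at this point, but confirm nothing above the hunk in fake_init() needs undoing on this new early return.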
@@ -0,0 +1,110 @@ +From 30f70857954305d481d9b46293ed9097b703fc07 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Oct 2022 03:32:23 +0900 +Subject: wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out + +From: Shigeru Yoshida + +[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ] + +syzkaller reported use-after-free with the stack trace like below [1]: + +[ 38.960489][ C3] ================================================================== +[ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 +[ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 +[ 38.966363][ C3] +[ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty #18 +[ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 +[ 38.969959][ C3] Call Trace: +[ 38.970841][ C3] +[ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 +[ 38.972620][ C3] print_report.cold+0x2c3/0x752 +[ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 +[ 38.974644][ C3] kasan_report+0xb1/0x1d0 +[ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 +[ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 +[ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 +[ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 +[ 38.981266][ C3] dummy_timer+0x140c/0x34e0 +[ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 +[ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 +[ 38.986242][ C3] ? lock_release+0x51c/0x790 +[ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 +[ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 +[ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 +[ 38.990777][ C3] ? lock_acquire+0x472/0x550 +[ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 +[ 38.993138][ C3] ? lock_acquire+0x472/0x550 +[ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 +[ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 +[ 38.997670][ C3] ? 
dummy_urb_enqueue+0x860/0x860 +[ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 +[ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 +[ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 +[ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 +[ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 +[ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 +[ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 +[ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 +[ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 +[ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 +[ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 +[ 39.016196][ C3] __do_softirq+0x1d2/0x9be +[ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 +[ 39.019004][ C3] irq_exit_rcu+0x5/0x20 +[ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 +[ 39.021965][ C3] +[ 39.023237][ C3] + +In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below +(there are other functions which finally call ar5523_cmd()): + +ar5523_probe() +-> ar5523_host_available() + -> ar5523_cmd_read() + -> ar5523_cmd() + +If ar5523_cmd() timed out, then ar5523_host_available() failed and +ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() +might touch the freed structure. + +This patch fixes this issue by canceling in-flight tx cmd if submitted +urb timed out. 
+ +Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1] +Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com +Signed-off-by: Shigeru Yoshida +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ar5523/ar5523.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c +index 0c6b33c464cd..187061a43f7f 100644 +--- a/drivers/net/wireless/ath/ar5523/ar5523.c ++++ b/drivers/net/wireless/ath/ar5523/ar5523.c +@@ -241,6 +241,11 @@ static void ar5523_cmd_tx_cb(struct urb *urb) + } + } + ++static void ar5523_cancel_tx_cmd(struct ar5523 *ar) ++{ ++ usb_kill_urb(ar->tx_cmd.urb_tx); ++} ++ + static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata, + int ilen, void *odata, int olen, int flags) + { +@@ -280,6 +285,7 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata, + } + + if (!wait_for_completion_timeout(&cmd->done, 2 * HZ)) { ++ ar5523_cancel_tx_cmd(ar); + cmd->odata = NULL; + ar5523_err(ar, "timeout waiting for command %02x reply\n", + code); +-- +2.35.1 + diff --git a/queue-4.9/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch b/queue-4.9/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch new file mode 100644 index 00000000000..a5ef22dfc11 --- /dev/null +++ b/queue-4.9/wifi-ath10k-fix-return-value-in-ath10k_pci_init.patch 
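Review bot: in the ar5523_cmd() hunk the ordering is what makes the fix work: usb_kill_urb() is synchronous and runs ar5523_cmd_tx_cb() with the URB's error status before returning, so the callback still sees a live cmd; keep ar5523_cancel_tx_cmd() ahead of `cmd->odata = NULL;` if this is ever reshuffled. The new helper is a single usb_kill_urb() call; a comment saying it is meant to be the one place the tx command URB gets cancelled would justify having a separate function.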
@@ -0,0 +1,63 @@ +From b331aef34203b0748ef94150058179cc240716bd Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 10 Nov 2022 14:19:26 +0800 +Subject: wifi: ath10k: Fix return value in ath10k_pci_init() + +From: Xiu Jianfeng + +[ Upstream commit 2af7749047d8d6ad43feff69f555a13a6a6c2831 ] + +This driver is attempting to register to support two different buses. +if either of these is successful then ath10k_pci_init() should return 0 +so that hardware attached to the successful bus can be probed and +supported. only if both of these are unsuccessful should ath10k_pci_init() +return an errno. + +Fixes: 0b523ced9a3c ("ath10k: add basic skeleton to support ahb") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Jeff Johnson +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221110061926.18163-1-xiujianfeng@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath10k/pci.c | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath10k/pci.c b/drivers/net/wireless/ath/ath10k/pci.c +index d96e062647fd..450eb7b31256 100644 +--- a/drivers/net/wireless/ath/ath10k/pci.c ++++ b/drivers/net/wireless/ath/ath10k/pci.c +@@ -3381,18 +3381,22 @@ static struct pci_driver ath10k_pci_driver = { + + static int __init ath10k_pci_init(void) + { +- int ret; ++ int ret1, ret2; + +- ret = pci_register_driver(&ath10k_pci_driver); +- if (ret) ++ ret1 = pci_register_driver(&ath10k_pci_driver); ++ if (ret1) + printk(KERN_ERR "failed to register ath10k pci driver: %d\n", +- ret); ++ ret1); + +- ret = ath10k_ahb_init(); +- if (ret) +- printk(KERN_ERR "ahb init failed: %d\n", ret); ++ ret2 = ath10k_ahb_init(); ++ if (ret2) ++ printk(KERN_ERR "ahb init failed: %d\n", ret2); + +- return ret; ++ if (ret1 && ret2) ++ return ret1; ++ ++ /* registered to at least one bus */ ++ return 0; + } + module_init(ath10k_pci_init); + +-- +2.35.1 + 
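Review bot: `if (ret1 && ret2) return ret1;` drops the AHB error code (both are still logged), which is fine, but note the interaction with builds where ath10k_ahb_init() is a stub: if that stub returns 0 when AHB support is compiled out (not visible in this hunk), a PCI registration failure now makes module init succeed with no bus registered. Also confirm the matching exit path tolerates one of the two registrations having failed, since module exit will now run in that case.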
diff --git a/queue-4.9/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch b/queue-4.9/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch new file mode 100644 index 00000000000..d926109e4a6 --- /dev/null +++ b/queue-4.9/wifi-ath9k-hif_usb-fix-memory-leak-of-urbs-in-ath9k_.patch 
@@ -0,0 +1,61 @@ +From d3419ca7f5a43c7950be3eef302e8c7761680a71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Jul 2022 18:13:59 +0300 +Subject: wifi: ath9k: hif_usb: fix memory leak of urbs in + ath9k_hif_usb_dealloc_tx_urbs() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit c2a94de38c74e86f49124ac14f093d6a5c377a90 ] + +Syzkaller reports a long-known leak of urbs in +ath9k_hif_usb_dealloc_tx_urbs(). + +The cause of the leak is that usb_get_urb() is called but usb_free_urb() +(or usb_put_urb()) is not called inside usb_kill_urb() as urb->dev or +urb->ep fields have not been initialized and usb_kill_urb() returns +immediately. + +The patch removes trying to kill urbs located in hif_dev->tx.tx_buf +because hif_dev->tx.tx_buf is not supposed to contain urbs which are in +pending state (the pending urbs are stored in hif_dev->tx.tx_pending). +The tx.tx_lock is acquired so there should not be any changes in the list. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Fixes: 03fb92a432ea ("ath9k: hif_usb: fix race condition between usb_get_urb() and usb_kill_anchored_urbs()") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20220725151359.283704-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 4 ---- + 1 file changed, 4 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 33a6be0f21ca..519cc8fd3299 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -779,14 +779,10 @@ static void ath9k_hif_usb_dealloc_tx_urbs(struct hif_device_usb *hif_dev) + spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + list_for_each_entry_safe(tx_buf, tx_buf_tmp, + &hif_dev->tx.tx_buf, list) { +- usb_get_urb(tx_buf->urb); +- spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); +- usb_kill_urb(tx_buf->urb); + list_del(&tx_buf->list); + usb_free_urb(tx_buf->urb); + kfree(tx_buf->buf); + kfree(tx_buf); +- spin_lock_irqsave(&hif_dev->tx.tx_lock, flags); + } + spin_unlock_irqrestore(&hif_dev->tx.tx_lock, flags); + +-- +2.35.1 + diff --git a/queue-4.9/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch b/queue-4.9/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch new file mode 100644 index 00000000000..8f543aacc85 --- /dev/null +++ b/queue-4.9/wifi-ath9k-hif_usb-fix-use-after-free-in-ath9k_hif_u.patch 
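Review bot: the hunk in ath9k_hif_usb_dealloc_tx_urbs() now frees each URB on hif_dev->tx.tx_buf under tx_lock without killing it, relying on the invariant, stated only in the commit message, that tx_buf never holds a submitted URB because in-flight ones live on tx_pending; that invariant belongs in a comment above the loop, since a later change that submits from tx_buf would silently reintroduce the original race. Dropping the unlock/relock pair around the loop body is fine because usb_free_urb() and kfree() do not sleep. The Fixes: tag points at 03fb92a432ea, the commit that introduced the get/kill/put sequence this hunk removes, so that is the right target for backports.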
@@ -0,0 +1,118 @@ +From c6b35c6e01dff660364943f4fed4e0bd6101e967 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 Oct 2022 14:49:17 +0300 +Subject: wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit dd95f2239fc846795fc926787c3ae0ca701c9840 ] + +It is possible that skb is freed in ath9k_htc_rx_msg(), then +usb_submit_urb() fails and we try to free skb again. It causes +use-after-free bug. Moreover, if alloc_skb() fails, urb->context becomes +NULL but rx_buf is not freed and there can be a memory leak. + +The patch removes unnecessary nskb and makes skb processing more clear: it +is supposed that ath9k_htc_rx_msg() either frees old skb or passes its +managing to another callback function. + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. + +Fixes: 3deff76095c4 ("ath9k_htc: Increase URB count for REG_IN pipe") +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221008114917.21404-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 28 +++++++++++++----------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 519cc8fd3299..719cb53d8b4d 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -707,14 +707,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + struct rx_buf *rx_buf = (struct rx_buf *)urb->context; + struct hif_device_usb *hif_dev = rx_buf->hif_dev; + struct sk_buff *skb = rx_buf->skb; +- struct sk_buff *nskb; + int ret; + + if (!skb) + return; + + if (!hif_dev) +- goto free; ++ goto free_skb; + + switch (urb->status) { + case 0: +@@ -723,7 +722,7 @@ 
static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + case -ECONNRESET: + case -ENODEV: + case -ESHUTDOWN: +- goto free; ++ goto free_skb; + default: + skb_reset_tail_pointer(skb); + skb_trim(skb, 0); +@@ -734,25 +733,27 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + if (likely(urb->actual_length != 0)) { + skb_put(skb, urb->actual_length); + +- /* Process the command first */ ++ /* ++ * Process the command first. ++ * skb is either freed here or passed to be ++ * managed to another callback function. ++ */ + ath9k_htc_rx_msg(hif_dev->htc_handle, skb, + skb->len, USB_REG_IN_PIPE); + +- +- nskb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC); +- if (!nskb) { ++ skb = alloc_skb(MAX_REG_IN_BUF_SIZE, GFP_ATOMIC); ++ if (!skb) { + dev_err(&hif_dev->udev->dev, + "ath9k_htc: REG_IN memory allocation failure\n"); +- urb->context = NULL; +- return; ++ goto free_rx_buf; + } + +- rx_buf->skb = nskb; ++ rx_buf->skb = skb; + + usb_fill_int_urb(urb, hif_dev->udev, + usb_rcvintpipe(hif_dev->udev, + USB_REG_IN_PIPE), +- nskb->data, MAX_REG_IN_BUF_SIZE, ++ skb->data, MAX_REG_IN_BUF_SIZE, + ath9k_hif_usb_reg_in_cb, rx_buf, 1); + } + +@@ -761,12 +762,13 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb) + ret = usb_submit_urb(urb, GFP_ATOMIC); + if (ret) { + usb_unanchor_urb(urb); +- goto free; ++ goto free_skb; + } + + return; +-free: ++free_skb: + kfree_skb(skb); ++free_rx_buf: + kfree(rx_buf); + urb->context = NULL; + } +-- +2.35.1 + diff --git a/queue-4.9/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch b/queue-4.9/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch new file mode 100644 index 00000000000..7ddfdca2d7d --- /dev/null +++ b/queue-4.9/wifi-ath9k-verify-the-expected-usb_endpoints-are-pre.patch 
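Review bot: in ath9k_hif_usb_reg_in_cb(), rx_buf->hif_dev and rx_buf->skb are still read from urb->context before the `if (!skb)` check, while the new free_rx_buf path sets `urb->context = NULL;`; that is only safe because every path that clears the context also stops resubmitting the URB, so the callback cannot run again with a NULL context, and a one-line comment next to the assignment should say so. Reusing `skb` for the freshly allocated buffer is the right fix for the double free: once ath9k_htc_rx_msg() has consumed the old skb the only skb this function still owns is the new one, so `goto free_skb` on usb_submit_urb() failure now frees exactly that. One thing to confirm for the alloc_skb() failure path: rx_buf is freed and the URB is neither resubmitted nor re-anchored, so the URB's last reference must be dropped by the USB core after this callback returns; please check that the allocation path put its own reference after submitting, otherwise the URB itself leaks on that path.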
@@ -0,0 +1,80 @@ +From 55b45d015979b357a00fa0bc91b41ff9961cc2e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 9 Oct 2022 00:15:32 +0300 +Subject: wifi: ath9k: verify the expected usb_endpoints are present +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Fedor Pchelkin + +[ Upstream commit 16ef02bad239f11f322df8425d302be62f0443ce ] + +The bug arises when a USB device claims to be an ATH9K but doesn't +have the expected endpoints. (In this case there was an interrupt +endpoint where the driver expected a bulk endpoint.) The kernel +needs to be able to handle such devices without getting an internal error. + +usb 1-1: BOGUS urb xfer, pipe 3 != type 1 +WARNING: CPU: 3 PID: 500 at drivers/usb/core/urb.c:493 usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 +Modules linked in: +CPU: 3 PID: 500 Comm: kworker/3:2 Not tainted 5.10.135-syzkaller #0 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 +Workqueue: events request_firmware_work_func +RIP: 0010:usb_submit_urb+0xce2/0x1430 drivers/usb/core/urb.c:493 +Call Trace: + ath9k_hif_usb_alloc_rx_urbs drivers/net/wireless/ath/ath9k/hif_usb.c:908 [inline] + ath9k_hif_usb_alloc_urbs+0x75e/0x1010 drivers/net/wireless/ath/ath9k/hif_usb.c:1019 + ath9k_hif_usb_dev_init drivers/net/wireless/ath/ath9k/hif_usb.c:1109 [inline] + ath9k_hif_usb_firmware_cb+0x142/0x530 drivers/net/wireless/ath/ath9k/hif_usb.c:1242 + request_firmware_work_func+0x12e/0x240 drivers/base/firmware_loader/main.c:1097 + process_one_work+0x9af/0x1600 kernel/workqueue.c:2279 + worker_thread+0x61d/0x12f0 kernel/workqueue.c:2425 + kthread+0x3b4/0x4a0 kernel/kthread.c:313 + ret_from_fork+0x22/0x30 arch/x86/entry/entry_64.S:299 + +Found by Linux Verification Center (linuxtesting.org) with Syzkaller. 
+ +Suggested-by: Alan Stern +Signed-off-by: Fedor Pchelkin +Signed-off-by: Alexey Khoroshilov +Acked-by: Toke Høiland-Jørgensen +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221008211532.74583-1-pchelkin@ispras.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 14 ++++++++++++++ + 1 file changed, 14 insertions(+) + +diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c +index 719cb53d8b4d..438323182d07 100644 +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1325,10 +1325,24 @@ static int send_eject_command(struct usb_interface *interface) + static int ath9k_hif_usb_probe(struct usb_interface *interface, + const struct usb_device_id *id) + { ++ struct usb_endpoint_descriptor *bulk_in, *bulk_out, *int_in, *int_out; + struct usb_device *udev = interface_to_usbdev(interface); ++ struct usb_host_interface *alt; + struct hif_device_usb *hif_dev; + int ret = 0; + ++ /* Verify the expected endpoints are present */ ++ alt = interface->cur_altsetting; ++ if (usb_find_common_endpoints(alt, &bulk_in, &bulk_out, &int_in, &int_out) < 0 || ++ usb_endpoint_num(bulk_in) != USB_WLAN_RX_PIPE || ++ usb_endpoint_num(bulk_out) != USB_WLAN_TX_PIPE || ++ usb_endpoint_num(int_in) != USB_REG_IN_PIPE || ++ usb_endpoint_num(int_out) != USB_REG_OUT_PIPE) { ++ dev_err(&udev->dev, ++ "ath9k_htc: Device endpoint numbers are not the expected ones\n"); ++ return -ENODEV; ++ } ++ + if (id->driver_info == STORAGE_DEVICE) + return send_eject_command(interface); + +-- +2.35.1 + diff --git a/queue-4.9/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch b/queue-4.9/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch new file mode 100644 index 00000000000..ad2dfe98f61 --- /dev/null +++ b/queue-4.9/wifi-brcmfmac-fix-error-return-code-in-brcmf_sdio_do.patch 
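Review bot: the endpoint check in ath9k_hif_usb_probe() runs before the `if (id->driver_info == STORAGE_DEVICE) return send_eject_command(interface);` early return, so a device that enumerates in mass-storage mode, which is exactly the case that needs the eject command, is rejected with -ENODEV as soon as its interface lacks the two interrupt endpoints, and the eject never happens. Unless storage-mode devices are known to expose all four expected endpoints, the check should move below the STORAGE_DEVICE return. Separately, usb_find_common_endpoints() only guarantees the endpoint types and the comparisons against USB_WLAN_RX_PIPE, USB_WLAN_TX_PIPE, USB_REG_IN_PIPE and USB_REG_OUT_PIPE then pin the endpoint numbers, which is stricter than the WARN being fixed requires; that is acceptable, but the dev_err() could print the endpoint numbers actually found so that field reports are actionable.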
@@ -0,0 +1,53 @@ +From 517fc0c5f6ec59ddcb2e17fbbe03d6b828ba72e5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 2 Dec 2022 13:35:42 +0800 +Subject: wifi: brcmfmac: Fix error return code in + brcmf_sdio_download_firmware() + +From: Wang Yufen + +[ Upstream commit c2f2924bc7f9ea75ef8d95863e710168f8196256 ] + +Fix to return a negative error code instead of 0 when +brcmf_chip_set_active() fails. In addition, change the return +value for brcmf_pcie_exit_download_state() to keep consistent. + +Fixes: d380ebc9b6fb ("brcmfmac: rename chip download functions") +Signed-off-by: Wang Yufen +Reviewed-by: Arend van Spriel +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1669959342-27144-1-git-send-email-wangyufen@huawei.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c | 2 +- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c | 1 + + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +index 9e90737f4d49..45464bcd0960 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/pcie.c +@@ -578,7 +578,7 @@ static int brcmf_pcie_exit_download_state(struct brcmf_pciedev_info *devinfo, + } + + if (!brcmf_chip_set_active(devinfo->ci, resetintr)) +- return -EINVAL; ++ return -EIO; + return 0; + } + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +index d8f34883c096..d80aee2f5802 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/sdio.c +@@ -3310,6 +3310,7 @@ static int brcmf_sdio_download_firmware(struct brcmf_sdio *bus, + /* Take arm out of reset */ + if (!brcmf_chip_set_active(bus->ci, rstvec)) { + brcmf_err("error getting out of ARM core reset\n"); ++ bcmerror = -EIO; + 
goto err; + } + +-- +2.35.1 + diff --git a/queue-4.9/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch b/queue-4.9/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch new file mode 100644 index 00000000000..ef394f3073b --- /dev/null +++ b/queue-4.9/wifi-brcmfmac-fix-potential-shift-out-of-bounds-in-b.patch 
@@ -0,0 +1,149 @@ +From 2abce68ab8032637501fbe7d647c21b772e8ae09 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 24 Oct 2022 16:13:29 +0900 +Subject: wifi: brcmfmac: Fix potential shift-out-of-bounds in + brcmf_fw_alloc_request() + +From: Minsuk Kang + +[ Upstream commit 81d17f6f3331f03c8eafdacea68ab773426c1e3c ] + +This patch fixes a shift-out-of-bounds in brcmfmac that occurs in +BIT(chiprev) when a 'chiprev' provided by the device is too large. +It should also not be equal to or greater than BITS_PER_TYPE(u32) +as we do bitwise AND with a u32 variable and BIT(chiprev). The patch +adds a check that makes the function return NULL if that is the case. +Note that the NULL case is later handled by the bus-specific caller, +brcmf_usb_probe_cb() or brcmf_usb_reset_resume(), for example. + +Found by a modified version of syzkaller. + +UBSAN: shift-out-of-bounds in drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +shift exponent 151055786 is too large for 64-bit type 'long unsigned int' +CPU: 0 PID: 1885 Comm: kworker/0:2 Tainted: G O 5.14.0+ #132 +Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014 +Workqueue: usb_hub_wq hub_event +Call Trace: + dump_stack_lvl+0x57/0x7d + ubsan_epilogue+0x5/0x40 + __ubsan_handle_shift_out_of_bounds.cold+0x53/0xdb + ? lock_chain_count+0x20/0x20 + brcmf_fw_alloc_request.cold+0x19/0x3ea + ? brcmf_fw_get_firmwares+0x250/0x250 + ? brcmf_usb_ioctl_resp_wait+0x1a7/0x1f0 + brcmf_usb_get_fwname+0x114/0x1a0 + ? brcmf_usb_reset_resume+0x120/0x120 + ? number+0x6c4/0x9a0 + brcmf_c_process_clm_blob+0x168/0x590 + ? put_dec+0x90/0x90 + ? enable_ptr_key_workfn+0x20/0x20 + ? brcmf_common_pd_remove+0x50/0x50 + ? rcu_read_lock_sched_held+0xa1/0xd0 + brcmf_c_preinit_dcmds+0x673/0xc40 + ? brcmf_c_set_joinpref_default+0x100/0x100 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? rcu_read_lock_bh_held+0xb0/0xb0 + ? lock_acquire+0x19d/0x4e0 + ? find_held_lock+0x2d/0x110 + ? 
brcmf_usb_deq+0x1cc/0x260 + ? mark_held_locks+0x9f/0xe0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? _raw_spin_unlock_irqrestore+0x47/0x50 + ? trace_hardirqs_on+0x1c/0x120 + ? brcmf_usb_deq+0x1a7/0x260 + ? brcmf_usb_rx_fill_all+0x5a/0xf0 + brcmf_attach+0x246/0xd40 + ? wiphy_new_nm+0x1476/0x1d50 + ? kmemdup+0x30/0x40 + brcmf_usb_probe+0x12de/0x1690 + ? brcmf_usbdev_qinit.constprop.0+0x470/0x470 + usb_probe_interface+0x25f/0x710 + really_probe+0x1be/0xa90 + __driver_probe_device+0x2ab/0x460 + ? usb_match_id.part.0+0x88/0xc0 + driver_probe_device+0x49/0x120 + __device_attach_driver+0x18a/0x250 + ? driver_allows_async_probing+0x120/0x120 + bus_for_each_drv+0x123/0x1a0 + ? bus_rescan_devices+0x20/0x20 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? trace_hardirqs_on+0x1c/0x120 + __device_attach+0x207/0x330 + ? device_bind_driver+0xb0/0xb0 + ? kobject_uevent_env+0x230/0x12c0 + bus_probe_device+0x1a2/0x260 + device_add+0xa61/0x1ce0 + ? __mutex_unlock_slowpath+0xe7/0x660 + ? __fw_devlink_link_to_suppliers+0x550/0x550 + usb_set_configuration+0x984/0x1770 + ? kernfs_create_link+0x175/0x230 + usb_generic_driver_probe+0x69/0x90 + usb_probe_device+0x9c/0x220 + really_probe+0x1be/0xa90 + __driver_probe_device+0x2ab/0x460 + driver_probe_device+0x49/0x120 + __device_attach_driver+0x18a/0x250 + ? driver_allows_async_probing+0x120/0x120 + bus_for_each_drv+0x123/0x1a0 + ? bus_rescan_devices+0x20/0x20 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + ? trace_hardirqs_on+0x1c/0x120 + __device_attach+0x207/0x330 + ? device_bind_driver+0xb0/0xb0 + ? kobject_uevent_env+0x230/0x12c0 + bus_probe_device+0x1a2/0x260 + device_add+0xa61/0x1ce0 + ? __fw_devlink_link_to_suppliers+0x550/0x550 + usb_new_device.cold+0x463/0xf66 + ? hub_disconnect+0x400/0x400 + ? _raw_spin_unlock_irq+0x24/0x30 + hub_event+0x10d5/0x3330 + ? hub_port_debounce+0x280/0x280 + ? __lock_acquire+0x1671/0x5790 + ? wq_calc_node_cpumask+0x170/0x2a0 + ? lock_release+0x640/0x640 + ? rcu_read_lock_sched_held+0xa1/0xd0 + ? 
rcu_read_lock_bh_held+0xb0/0xb0 + ? lockdep_hardirqs_on_prepare+0x273/0x3e0 + process_one_work+0x873/0x13e0 + ? lock_release+0x640/0x640 + ? pwq_dec_nr_in_flight+0x320/0x320 + ? rwlock_bug.part.0+0x90/0x90 + worker_thread+0x8b/0xd10 + ? __kthread_parkme+0xd9/0x1d0 + ? process_one_work+0x13e0/0x13e0 + kthread+0x379/0x450 + ? _raw_spin_unlock_irq+0x24/0x30 + ? set_kthread_struct+0x100/0x100 + ret_from_fork+0x1f/0x30 + +Reported-by: Dokyung Song +Reported-by: Jisoo Jang +Reported-by: Minsuk Kang +Signed-off-by: Minsuk Kang +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20221024071329.504277-1-linuxlovemin@yonsei.ac.kr +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +index 33a7378164b8..6675de16e3b9 100644 +--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c ++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/firmware.c +@@ -572,6 +572,11 @@ int brcmf_fw_map_chip_to_name(u32 chip, u32 chiprev, + u32 i; + char end; + ++ if (chiprev >= BITS_PER_TYPE(u32)) { ++ brcmf_err("Invalid chip revision %u\n", chiprev); ++ return NULL; ++ } ++ + for (i = 0; i < table_size; i++) { + if (mapping_table[i].chipid == chip && + mapping_table[i].revmask & BIT(chiprev)) +-- +2.35.1 + diff --git a/queue-4.9/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch b/queue-4.9/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch new file mode 100644 index 00000000000..5f674c19809 --- /dev/null +++ b/queue-4.9/wifi-rtl8xxxu-add-__packed-to-struct-rtl8723bu_c2h.patch 
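Review bot: the hunk lands in brcmf_fw_map_chip_to_name() rather than in brcmf_fw_alloc_request() as named by the commit message, so the message's statement that the NULL return is handled by brcmf_usb_probe_cb() and brcmf_usb_reset_resume() describes the upstream callers, not necessarily the 4.9 ones; please verify that every caller of brcmf_fw_map_chip_to_name() in this tree handles a NULL return, otherwise the change trades a UBSAN report for a NULL dereference. The bound itself is right: the loop compares `mapping_table[i].revmask & BIT(chiprev)`, BIT() expands to an unsigned long shift, and the commit message says revmask is a u32, so chiprev has to be below BITS_PER_TYPE(u32) for the mask to be meaningful, not merely below BITS_PER_LONG.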
@@ -0,0 +1,41 @@ +From bde240b4e131784f5c3f222ebd3173e924fa2d08 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Dec 2022 16:13:57 +0200 +Subject: wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h + +From: Bitterblue Smith + +[ Upstream commit dd469a754afdb782ba3033cee102147493dc39f4 ] + +This struct is used to access a sequence of bytes received from the +wifi chip. It must not have any padding bytes between the members. + +This doesn't change anything on my system, possibly because currently +none of the members need more than byte alignment. + +Fixes: b2b43b7837ba ("rtl8xxxu: Initial functionality to handle C2H events for 8723bu") +Signed-off-by: Bitterblue Smith +Reviewed-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/1a270918-da22-ff5f-29fc-7855f740c5ba@gmail.com +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +index 9143b173935d..c2c0e5635795 100644 +--- a/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h ++++ b/drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h +@@ -1191,7 +1191,7 @@ struct rtl8723bu_c2h { + u8 dummy3_0; + } __packed ra_report; + }; +-}; ++} __packed; + + struct rtl8xxxu_fileops; + +-- +2.35.1 + diff --git a/queue-4.9/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch b/queue-4.9/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch new file mode 100644 index 00000000000..773f3de6a00 --- /dev/null +++ b/queue-4.9/x86-xen-fix-memory-leak-in-xen_init_lock_cpu.patch 
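Review bot: adding __packed to the outer struct rtl8723bu_c2h is consistent with the inner `} __packed ra_report;` member visible in the hunk, and the commit message says it changes nothing today because every member is byte-aligned; to lock that in, add a BUILD_BUG_ON() on sizeof(struct rtl8723bu_c2h) against the C2H message length the driver parses, so that a later change adding a wider member cannot silently shift the offsets at which device-supplied bytes are read.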
@@ -0,0 +1,64 @@ +From eb54cf032257848353d9ca703aafd0d2df573e24 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Nov 2022 23:58:58 +0800 +Subject: x86/xen: Fix memory leak in xen_init_lock_cpu() + +From: Xiu Jianfeng + +[ Upstream commit ca84ce153d887b1dc8b118029976cc9faf2a9b40 ] + +In xen_init_lock_cpu(), the @name has allocated new string by kasprintf(), +if bind_ipi_to_irqhandler() fails, it should be freed, otherwise may lead +to a memory leak issue, fix it. + +Fixes: 2d9e1e2f58b5 ("xen: implement Xen-specific spinlocks") +Signed-off-by: Xiu Jianfeng +Reviewed-by: Juergen Gross +Link: https://lore.kernel.org/r/20221123155858.11382-3-xiujianfeng@huawei.com +Signed-off-by: Juergen Gross +Signed-off-by: Sasha Levin +--- + arch/x86/xen/spinlock.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/arch/x86/xen/spinlock.c b/arch/x86/xen/spinlock.c +index 44bf8a22c97b..4e540958ea36 100644 +--- a/arch/x86/xen/spinlock.c ++++ b/arch/x86/xen/spinlock.c +@@ -80,6 +80,7 @@ void xen_init_lock_cpu(int cpu) + cpu, per_cpu(lock_kicker_irq, cpu)); + + name = kasprintf(GFP_KERNEL, "spinlock%d", cpu); ++ per_cpu(irq_name, cpu) = name; + irq = bind_ipi_to_irqhandler(XEN_SPIN_UNLOCK_VECTOR, + cpu, + dummy_handler, +@@ -90,7 +91,6 @@ void xen_init_lock_cpu(int cpu) + if (irq >= 0) { + disable_irq(irq); /* make sure it's never delivered */ + per_cpu(lock_kicker_irq, cpu) = irq; +- per_cpu(irq_name, cpu) = name; + } + + printk("cpu %d spinlock event irq %d\n", cpu, irq); +@@ -103,6 +103,8 @@ void xen_uninit_lock_cpu(int cpu) + if (!xen_pvspin) + return; + ++ kfree(per_cpu(irq_name, cpu)); ++ per_cpu(irq_name, cpu) = NULL; + /* + * When booting the kernel with 'mitigations=auto,nosmt', the secondary + * CPUs are not activated, and lock_kicker_irq is not initialized. 
+@@ -113,8 +115,6 @@ void xen_uninit_lock_cpu(int cpu) + + unbind_from_irqhandler(irq, NULL); + per_cpu(lock_kicker_irq, cpu) = -1; +- kfree(per_cpu(irq_name, cpu)); +- per_cpu(irq_name, cpu) = NULL; + } + + +-- +2.35.1 +
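Review bot: moving `per_cpu(irq_name, cpu) = name;` ahead of bind_ipi_to_irqhandler() in xen_init_lock_cpu() stores the name even when the bind fails, so xen_uninit_lock_cpu() can free it and the leak is closed; but kasprintf() can return NULL, and the bind is still called with a NULL name as before, so a NULL check with an early return before the bind would be cleaner than passing it through and storing it.

Review bot: in xen_uninit_lock_cpu() the `kfree(per_cpu(irq_name, cpu));` and the NULL reset now run before the check for an uninitialized lock_kicker_irq, which is correct for CPUs that never went through init because the per-cpu irq_name is zero-initialized and kfree(NULL) is a no-op; a one-line comment saying so would stop a reader from assuming the early-return path was overlooked, and the later hunk that removes the kfree from after unbind_from_irqhandler() is then the right counterpart so the name is freed exactly once.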