From: Sasha Levin Date: Fri, 10 Nov 2023 17:35:14 +0000 (-0500) Subject: Fixes for 4.14 X-Git-Tag: v4.14.330~64 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=14c6e1e0b5461b3ee2233ffee67d5b0b4b1414e2;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch b/queue-4.14/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch new file mode 100644 index 00000000000..61b80b2ed10 --- /dev/null +++ b/queue-4.14/acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch @@ -0,0 +1,62 @@ +From 78381ab2d6aca52d500950b38e02c831f9481199 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 23 Oct 2023 20:32:54 +0200 +Subject: ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() + +From: Christophe JAILLET + +[ Upstream commit 48cf49d31994ff97b33c4044e618560ec84d35fb ] + +snprintf() does not return negative values on error. + +To know if the buffer was too small, the returned value needs to be +compared with the length of the passed buffer. If it is greater or +equal, the output has been truncated, so add checks for the truncation +to create_pnp_modalias() and create_of_modalias(). Also make them +return -ENOMEM in that case, as they already do that elsewhere. + +Moreover, the remaining size of the buffer used by snprintf() needs to +be updated after the first write to avoid out-of-bounds access as +already done correctly in create_pnp_modalias(), but not in +create_of_modalias(), so change the latter accordingly. + +Fixes: 8765c5ba1949 ("ACPI / scan: Rework modalias creation when "compatible" is present") +Signed-off-by: Christophe JAILLET +[ rjw: Merge two patches into one, combine changelogs, add subject ] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/acpi/device_sysfs.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c +index 9f4743d9804b5..93e947d5cc435 100644 +--- a/drivers/acpi/device_sysfs.c ++++ b/drivers/acpi/device_sysfs.c +@@ -164,8 +164,8 @@ static int create_pnp_modalias(struct acpi_device *acpi_dev, char *modalias, + return 0; + + len = snprintf(modalias, size, "acpi:"); +- if (len <= 0) +- return len; ++ if (len >= size) ++ return -ENOMEM; + + size -= len; + +@@ -218,8 +218,10 @@ static int create_of_modalias(struct acpi_device *acpi_dev, char *modalias, + len = snprintf(modalias, size, "of:N%sT", (char *)buf.pointer); + ACPI_FREE(buf.pointer); + +- if (len <= 0) +- return len; ++ if (len >= size) ++ return -ENOMEM; ++ ++ size -= len; + + of_compatible = acpi_dev->data.of_compatible; + if (of_compatible->type == ACPI_TYPE_PACKAGE) { +-- +2.42.0 + diff --git a/queue-4.14/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch b/queue-4.14/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch new file mode 100644 index 00000000000..99fe0ae2c59 --- /dev/null +++ b/queue-4.14/arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch @@ -0,0 +1,63 @@ +From 9f7b24c3f2e26825dee9ce59119fe03ff1e048e3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 22 Aug 2023 15:06:06 +0100 +Subject: ARM: 9321/1: memset: cast the constant byte to unsigned char + +From: Kursad Oney + +[ Upstream commit c0e824661f443b8cab3897006c1bbc69fd0e7bc4 ] + +memset() description in ISO/IEC 9899:1999 (and elsewhere) says: + + The memset function copies the value of c (converted to an + unsigned char) into each of the first n characters of the + object pointed to by s. + +The kernel's arm32 memset does not cast c to unsigned char. This results +in the following code to produce erroneous output: + + char a[128]; + memset(a, -128, sizeof(a)); + +This is because gcc will generally emit the following code before +it calls memset() : + + mov r0, r7 + mvn r1, #127 ; 0x7f + bl 00000000 + +r1 ends up with 0xffffff80 before being used by memset() and the +'a' array will have -128 once in every four bytes while the other +bytes will be set incorrectly to -1 like this (printing the first +8 bytes) : + + test_module: -128 -1 -1 -1 + test_module: -1 -1 -1 -128 + +The change here is to 'and' r1 with 255 before it is used. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reviewed-by: Ard Biesheuvel +Reviewed-by: Linus Walleij +Signed-off-by: Kursad Oney +Signed-off-by: Russell King (Oracle) +Signed-off-by: Sasha Levin +--- + arch/arm/lib/memset.S | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/lib/memset.S b/arch/arm/lib/memset.S +index ed6d35d9cdb5a..a68688f3f3b3d 100644 +--- a/arch/arm/lib/memset.S ++++ b/arch/arm/lib/memset.S +@@ -19,6 +19,7 @@ + ENTRY(mmioset) + ENTRY(memset) + UNWIND( .fnstart ) ++ and r1, r1, #255 @ cast to unsigned char + ands r3, r0, #3 @ 1 unaligned? + mov ip, r0 @ preserve r0 as return value + bne 6f @ 1 +-- +2.42.0 + diff --git a/queue-4.14/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch b/queue-4.14/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch new file mode 100644 index 00000000000..46024fda3f7 --- /dev/null +++ b/queue-4.14/arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch @@ -0,0 +1,51 @@ +From 471724751cd347d7e39adc5406a99b054b9b290b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 24 Sep 2023 20:39:13 +0200 +Subject: ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator + +From: Krzysztof Kozlowski + +[ Upstream commit 09f8ee81b6da5f76de8b83c8bfc4475b54e101e0 ] + +Fixed regulator put under "regulators" node will not be populated, +unless simple-bus or something similar is used. Drop the "regulators" +wrapper node to fix this. + +Fixes: 2c5e596524e7 ("ARM: dts: Add MDM9615 dtsi") +Signed-off-by: Krzysztof Kozlowski +Reviewed-by: Dmitry Baryshkov +Link: https://lore.kernel.org/r/20230924183914.51414-3-krzysztof.kozlowski@linaro.org +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + arch/arm/boot/dts/qcom-mdm9615.dtsi | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/arch/arm/boot/dts/qcom-mdm9615.dtsi b/arch/arm/boot/dts/qcom-mdm9615.dtsi +index c852b69229c97..26d49f35331b8 100644 +--- a/arch/arm/boot/dts/qcom-mdm9615.dtsi ++++ b/arch/arm/boot/dts/qcom-mdm9615.dtsi +@@ -82,14 +82,12 @@ cxo_board { + }; + }; + +- regulators { +- vsdcc_fixed: vsdcc-regulator { +- compatible = "regulator-fixed"; +- regulator-name = "SDCC Power"; +- regulator-min-microvolt = <2700000>; +- regulator-max-microvolt = <2700000>; +- regulator-always-on; +- }; ++ vsdcc_fixed: vsdcc-regulator { ++ compatible = "regulator-fixed"; ++ regulator-name = "SDCC Power"; ++ regulator-min-microvolt = <2700000>; ++ regulator-max-microvolt = <2700000>; ++ regulator-always-on; + }; + + soc: soc { +-- +2.42.0 + diff --git a/queue-4.14/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch b/queue-4.14/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch new file mode 100644 index 00000000000..55ba644d777 --- /dev/null +++ b/queue-4.14/asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch @@ -0,0 +1,40 @@ +From 0f0125a84d67691f230e9eb0f4d257951a95a7ff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 26 Oct 2023 10:25:58 +0200 +Subject: ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Cezary Rojewski + +[ Upstream commit 168d97844a61db302dec76d44406e9d4d7106b8e ] + +Error path in snd_skl_parse_uuids() shall free last allocated module if +its instance_id allocation fails. + +Fixes: f8e066521192 ("ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case") +Signed-off-by: Cezary Rojewski +Signed-off-by: Amadeusz Sławiński +Link: https://lore.kernel.org/r/20231026082558.1864910-1-amadeuszx.slawinski@linux.intel.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/intel/skylake/skl-sst-utils.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/intel/skylake/skl-sst-utils.c b/sound/soc/intel/skylake/skl-sst-utils.c +index 8ff89280d9fd4..fdfaf1bbdb8a6 100644 +--- a/sound/soc/intel/skylake/skl-sst-utils.c ++++ b/sound/soc/intel/skylake/skl-sst-utils.c +@@ -315,6 +315,7 @@ int snd_skl_parse_uuids(struct sst_dsp *ctx, const struct firmware *fw, + module->instance_id = devm_kzalloc(ctx->dev, size, GFP_KERNEL); + if (!module->instance_id) { + ret = -ENOMEM; ++ kfree(module); + goto free_uuid_list; + } + +-- +2.42.0 + diff --git a/queue-4.14/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch b/queue-4.14/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch new file mode 100644 index 00000000000..8b6b771998e --- /dev/null +++ b/queue-4.14/clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch @@ -0,0 +1,60 @@ +From 98cb3c7e297a8fe33dd5d4f21f3da122e8beb528 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 5 Oct 2023 17:01:57 +0300 +Subject: clk: keystone: pll: fix a couple NULL vs IS_ERR() checks + +From: Dan Carpenter + +[ Upstream commit a5d14f8b551eb1551c10053653ee8e27f19672fa ] + +The clk_register_divider() and clk_register_mux() functions returns +error pointers on error but this code checks for NULL. Fix that. + +Fixes: b9e0d40c0d83 ("clk: keystone: add Keystone PLL clock driver") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/d9da4c97-0da9-499f-9a21-1f8e3f148dc1@moroto.mountain +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/keystone/pll.c | 15 +++++++++------ + 1 file changed, 9 insertions(+), 6 deletions(-) + +diff --git a/drivers/clk/keystone/pll.c b/drivers/clk/keystone/pll.c +index 526694c2a6c97..a75ece5992394 100644 +--- a/drivers/clk/keystone/pll.c ++++ b/drivers/clk/keystone/pll.c +@@ -285,12 +285,13 @@ static void __init of_pll_div_clk_init(struct device_node *node) + + clk = clk_register_divider(NULL, clk_name, parent_name, 0, reg, shift, + mask, 0, NULL); +- if (clk) { +- of_clk_add_provider(node, of_clk_src_simple_get, clk); +- } else { ++ if (IS_ERR(clk)) { + pr_err("%s: error registering divider %s\n", __func__, clk_name); + iounmap(reg); ++ return; + } ++ ++ of_clk_add_provider(node, of_clk_src_simple_get, clk); + } + CLK_OF_DECLARE(pll_divider_clock, "ti,keystone,pll-divider-clock", of_pll_div_clk_init); + +@@ -332,9 +333,11 @@ static void __init of_pll_mux_clk_init(struct device_node *node) + clk = clk_register_mux(NULL, clk_name, (const char **)&parents, + ARRAY_SIZE(parents) , 0, reg, shift, mask, + 0, NULL); +- if (clk) +- of_clk_add_provider(node, of_clk_src_simple_get, clk); +- else ++ if (IS_ERR(clk)) { + pr_err("%s: error registering mux %s\n", __func__, clk_name); ++ return; ++ } ++ ++ of_clk_add_provider(node, of_clk_src_simple_get, clk); + } + CLK_OF_DECLARE(pll_mux_clock, "ti,keystone,pll-mux-clock", of_pll_mux_clk_init); +-- +2.42.0 + diff --git a/queue-4.14/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch b/queue-4.14/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch new file mode 100644 index 00000000000..36c48e0fb69 --- /dev/null +++ b/queue-4.14/clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch @@ -0,0 +1,66 @@ +From b2d5e073af1b4c755cfd3a8f4f1303c67e807d17 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 10:46:58 +0800 +Subject: clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data + +From: Jiasheng Jiang + +[ Upstream commit 0d6e24b422a2166a9297a8286ff2e6ab9a5e8cd3 ] + +Add the check for the return value of mtk_alloc_clk_data() in order to +avoid NULL pointer dereference. + +Fixes: e9862118272a ("clk: mediatek: Add MT2701 clock support") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230901024658.23405-1-jiasheng@iscas.ac.cn +Reviewed-by: Markus Schneider-Pargmann +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt2701.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt2701.c b/drivers/clk/mediatek/clk-mt2701.c +index ccfe5d30fe10f..5890b4a5fcbb7 100644 +--- a/drivers/clk/mediatek/clk-mt2701.c ++++ b/drivers/clk/mediatek/clk-mt2701.c +@@ -690,6 +690,8 @@ static int mtk_topckgen_init(struct platform_device *pdev) + return PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_TOP_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_fixed_clks(top_fixed_clks, ARRAY_SIZE(top_fixed_clks), + clk_data); +@@ -757,6 +759,8 @@ static void mtk_infrasys_init_early(struct device_node *node) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return; + + for (i = 0; i < CLK_INFRA_NR; i++) + infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER); +@@ -783,6 +787,8 @@ static int mtk_infrasys_init(struct platform_device *pdev) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return -ENOMEM; + } else { + for (i = 0; i < CLK_INFRA_NR; i++) { + if (infra_clk_data->clks[i] == ERR_PTR(-EPROBE_DEFER)) +@@ -911,6 +917,8 @@ static int mtk_pericfg_init(struct platform_device *pdev) + return PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_PERI_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_gates(node, peri_clks, ARRAY_SIZE(peri_clks), + clk_data); +-- +2.42.0 + diff --git a/queue-4.14/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch b/queue-4.14/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch new file mode 100644 index 00000000000..7f02684afc3 --- /dev/null +++ b/queue-4.14/clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch @@ -0,0 +1,56 @@ +From b2d11671de3ed51afda41406f96b308a4cfc3c49 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 12 Sep 2023 17:34:05 +0800 +Subject: clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data + +From: Jiasheng Jiang + +[ Upstream commit 606f6366a35a3329545e38129804d65ef26ed7d2 ] + +Add the check for the return value of mtk_alloc_clk_data() in order to +avoid NULL pointer dereference. + +Fixes: 96596aa06628 ("clk: mediatek: add clk support for MT6797") +Signed-off-by: Jiasheng Jiang +Link: https://lore.kernel.org/r/20230912093407.21505-3-jiasheng@iscas.ac.cn +Reviewed-by: AngeloGioacchino Del Regno +Signed-off-by: Stephen Boyd +Signed-off-by: Sasha Levin +--- + drivers/clk/mediatek/clk-mt6797.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/clk/mediatek/clk-mt6797.c b/drivers/clk/mediatek/clk-mt6797.c +index 5702bc974ed99..1ee45f32c1d4e 100644 +--- a/drivers/clk/mediatek/clk-mt6797.c ++++ b/drivers/clk/mediatek/clk-mt6797.c +@@ -396,6 +396,8 @@ static int mtk_topckgen_init(struct platform_device *pdev) + return PTR_ERR(base); + + clk_data = mtk_alloc_clk_data(CLK_TOP_NR); ++ if (!clk_data) ++ return -ENOMEM; + + mtk_clk_register_factors(top_fixed_divs, ARRAY_SIZE(top_fixed_divs), + clk_data); +@@ -554,6 +556,8 @@ static void mtk_infrasys_init_early(struct device_node *node) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return; + + for (i = 0; i < CLK_INFRA_NR; i++) + infra_clk_data->clks[i] = ERR_PTR(-EPROBE_DEFER); +@@ -578,6 +582,8 @@ static int mtk_infrasys_init(struct platform_device *pdev) + + if (!infra_clk_data) { + infra_clk_data = mtk_alloc_clk_data(CLK_INFRA_NR); ++ if (!infra_clk_data) ++ return -ENOMEM; + } else { + for (i = 0; i < CLK_INFRA_NR; i++) { + if (infra_clk_data->clks[i] == ERR_PTR(-EPROBE_DEFER)) +-- +2.42.0 + diff --git a/queue-4.14/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch b/queue-4.14/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch new file mode 100644 index 00000000000..a45ce7c61e0 --- /dev/null +++ b/queue-4.14/clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch @@ -0,0 +1,57 @@ +From bb5723303090b1f105d0536bf1c469d93e5134e4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 1 Sep 2023 13:06:40 +0530 +Subject: clk: qcom: clk-rcg2: Fix clock rate overflow for high parent + frequencies + +From: Devi Priya + +[ Upstream commit f7b7d30158cff246667273bd2a62fc93ee0725d2 ] + +If the parent clock rate is greater than unsigned long max/2 then +integer overflow happens when calculating the clock rate on 32-bit systems. +As RCG2 uses half integer dividers, the clock rate is first being +multiplied by 2 which will overflow the unsigned long max value. +Hence, replace the common pattern of doing 64-bit multiplication +and then a do_div() call with simpler mult_frac call. + +Fixes: bcd61c0f535a ("clk: qcom: Add support for root clock generators (RCGs)") +Signed-off-by: Devi Priya +Reviewed-by: Marijn Suijten +Link: https://lore.kernel.org/r/20230901073640.4973-1-quic_devipriy@quicinc.com +[bjorn: Also drop unnecessary {} around single statements] +Signed-off-by: Bjorn Andersson +Signed-off-by: Sasha Levin +--- + drivers/clk/qcom/clk-rcg2.c | 14 ++++---------- + 1 file changed, 4 insertions(+), 10 deletions(-) + +diff --git a/drivers/clk/qcom/clk-rcg2.c b/drivers/clk/qcom/clk-rcg2.c +index 9743af6ae84f9..7c7c140bba4c3 100644 +--- a/drivers/clk/qcom/clk-rcg2.c ++++ b/drivers/clk/qcom/clk-rcg2.c +@@ -139,17 +139,11 @@ static int clk_rcg2_set_parent(struct clk_hw *hw, u8 index) + static unsigned long + calc_rate(unsigned long rate, u32 m, u32 n, u32 mode, u32 hid_div) + { +- if (hid_div) { +- rate *= 2; +- rate /= hid_div + 1; +- } ++ if (hid_div) ++ rate = mult_frac(rate, 2, hid_div + 1); + +- if (mode) { +- u64 tmp = rate; +- tmp *= m; +- do_div(tmp, n); +- rate = tmp; +- } ++ if (mode) ++ rate = mult_frac(rate, m, n); + + return rate; + } +-- +2.42.0 + diff --git a/queue-4.14/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch b/queue-4.14/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch new file mode 100644 index 00000000000..5c052af5558 --- /dev/null +++ b/queue-4.14/dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch @@ -0,0 +1,43 @@ +From 970e5fdd019eaa328285e1ac0a1bcb0d9badce3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 13:13:09 +0200 +Subject: dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() + +From: Christophe JAILLET + +[ Upstream commit 83c761f568733277ce1f7eb9dc9e890649c29a8c ] + +If pxad_alloc_desc() fails on the first dma_pool_alloc() call, then +sw_desc->nb_desc is zero. +In such a case pxad_free_desc() is called and it will BUG_ON(). + +Remove this erroneous BUG_ON(). + +It is also useless, because if "sw_desc->nb_desc == 0", then, on the first +iteration of the for loop, i is -1 and the loop will not be executed. +(both i and sw_desc->nb_desc are 'int') + +Fixes: a57e16cf0333 ("dmaengine: pxa: add pxa dmaengine driver") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/c8fc5563c9593c914fde41f0f7d1489a21b45a9a.1696676782.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/pxa_dma.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/dma/pxa_dma.c b/drivers/dma/pxa_dma.c +index 99a8ff130ad51..4ca19cd626180 100644 +--- a/drivers/dma/pxa_dma.c ++++ b/drivers/dma/pxa_dma.c +@@ -768,7 +768,6 @@ static void pxad_free_desc(struct virt_dma_desc *vd) + dma_addr_t dma; + struct pxad_desc_sw *sw_desc = to_pxad_sw_desc(vd); + +- BUG_ON(sw_desc->nb_desc == 0); + for (i = sw_desc->nb_desc - 1; i >= 0; i--) { + if (i > 0) + dma = sw_desc->hw_desc[i - 1]->ddadr; +-- +2.42.0 + diff --git a/queue-4.14/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch b/queue-4.14/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch new file mode 100644 index 00000000000..443801d316a --- /dev/null +++ b/queue-4.14/dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch @@ -0,0 +1,48 @@ +From c8f5282db6dc1af4f26750adea8e4973ccbd0db2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 15 Sep 2023 15:59:59 +0300 +Subject: dmaengine: ti: edma: handle irq_of_parse_and_map() errors + +From: Dan Carpenter + +[ Upstream commit 14f6d317913f634920a640e9047aa2e66f5bdcb7 ] + +Zero is not a valid IRQ for in-kernel code and the irq_of_parse_and_map() +function returns zero on error. So this check for valid IRQs should only +accept values > 0. + +Fixes: 2b6b3b742019 ("ARM/dmaengine: edma: Merge the two drivers under drivers/dma/") +Signed-off-by: Dan Carpenter +Acked-by: Peter Ujfalusi +Link: https://lore.kernel.org/r/f15cb6a7-8449-4f79-98b6-34072f04edbc@moroto.mountain +Signed-off-by: Vinod Koul +Signed-off-by: Sasha Levin +--- + drivers/dma/edma.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/dma/edma.c b/drivers/dma/edma.c +index 57a49fe713fdc..84a61f0e98828 100644 +--- a/drivers/dma/edma.c ++++ b/drivers/dma/edma.c +@@ -2298,7 +2298,7 @@ static int edma_probe(struct platform_device *pdev) + if (irq < 0 && node) + irq = irq_of_parse_and_map(node, 0); + +- if (irq >= 0) { ++ if (irq > 0) { + irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccint", + dev_name(dev)); + ret = devm_request_irq(dev, irq, dma_irq_handler, 0, irq_name, +@@ -2314,7 +2314,7 @@ static int edma_probe(struct platform_device *pdev) + if (irq < 0 && node) + irq = irq_of_parse_and_map(node, 2); + +- if (irq >= 0) { ++ if (irq > 0) { + irq_name = devm_kasprintf(dev, GFP_KERNEL, "%s_ccerrint", + dev_name(dev)); + ret = devm_request_irq(dev, irq, dma_ccerr_handler, 0, irq_name, +-- +2.42.0 + diff --git a/queue-4.14/drm-radeon-possible-buffer-overflow.patch b/queue-4.14/drm-radeon-possible-buffer-overflow.patch new file mode 100644 index 00000000000..756d6e63886 --- /dev/null +++ b/queue-4.14/drm-radeon-possible-buffer-overflow.patch @@ -0,0 +1,47 @@ +From e4f142e1ba8d062c90bac72b5bd53a63a6486d3c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 17 Aug 2023 19:33:49 +0800 +Subject: drm/radeon: possible buffer overflow + +From: Konstantin Meskhidze + +[ Upstream commit dd05484f99d16715a88eedfca363828ef9a4c2d4 ] + +Buffer 'afmt_status' of size 6 could overflow, since index 'afmt_idx' is +checked after access. + +Fixes: 5cc4e5fc293b ("drm/radeon: Cleanup HDMI audio interrupt handling for evergreen") +Co-developed-by: Ivanov Mikhail +Signed-off-by: Konstantin Meskhidze +Signed-off-by: Alex Deucher +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/radeon/evergreen.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 24fe66c89dfb0..1f8d5658a5b85 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4814,14 +4814,15 @@ int evergreen_irq_process(struct radeon_device *rdev) + break; + case 44: /* hdmi */ + afmt_idx = src_data; +- if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG)) +- DRM_DEBUG("IH: IH event w/o asserted irq bit?\n"); +- + if (afmt_idx > 5) { + DRM_ERROR("Unhandled interrupt: %d %d\n", + src_id, src_data); + break; + } ++ ++ if (!(afmt_status[afmt_idx] & AFMT_AZ_FORMAT_WTRIG)) ++ DRM_DEBUG("IH: IH event w/o asserted irq bit?\n"); ++ + afmt_status[afmt_idx] &= ~AFMT_AZ_FORMAT_WTRIG; + queue_hdmi = true; + DRM_DEBUG("IH: HDMI%d\n", afmt_idx + 1); +-- +2.42.0 + diff --git a/queue-4.14/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch b/queue-4.14/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch new file mode 100644 index 00000000000..4ddf928b3f8 --- /dev/null +++ b/queue-4.14/drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch @@ -0,0 +1,60 @@ +From 42700b76acf3350f33bb3789c6b0f25190c36c1e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 2 Sep 2023 19:34:31 +0200 +Subject: drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() + +From: Christophe JAILLET + +[ Upstream commit 44b968d0d0868b7a9b7a5c64464ada464ff4d532 ] + +cdn_dp_audio_codec_init() can fail. So add some error handling. + +If component_add() fails, the previous cdn_dp_audio_codec_init() call +should be undone, as already done in the remove function. + +Fixes: 88582f564692 ("drm/rockchip: cdn-dp: Don't unregister audio dev when unbinding") +Signed-off-by: Christophe JAILLET +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/8494a41602fadb7439630921a9779640698f2f9f.1693676045.git.christophe.jaillet@wanadoo.fr +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/cdn-dp-core.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/rockchip/cdn-dp-core.c b/drivers/gpu/drm/rockchip/cdn-dp-core.c +index 97ce3c5c3fce0..074614d390b31 100644 +--- a/drivers/gpu/drm/rockchip/cdn-dp-core.c ++++ b/drivers/gpu/drm/rockchip/cdn-dp-core.c +@@ -1173,6 +1173,7 @@ static int cdn_dp_probe(struct platform_device *pdev) + struct cdn_dp_device *dp; + struct extcon_dev *extcon; + struct phy *phy; ++ int ret; + int i; + + dp = devm_kzalloc(dev, sizeof(*dp), GFP_KERNEL); +@@ -1213,9 +1214,19 @@ static int cdn_dp_probe(struct platform_device *pdev) + mutex_init(&dp->lock); + dev_set_drvdata(dev, dp); + +- cdn_dp_audio_codec_init(dp, dev); ++ ret = cdn_dp_audio_codec_init(dp, dev); ++ if (ret) ++ return ret; ++ ++ ret = component_add(dev, &cdn_dp_component_ops); ++ if (ret) ++ goto err_audio_deinit; + +- return component_add(dev, &cdn_dp_component_ops); ++ return 0; ++ ++err_audio_deinit: ++ platform_device_unregister(dp->audio_pdev); ++ return ret; + } + + static int cdn_dp_remove(struct platform_device *pdev) +-- +2.42.0 + diff --git a/queue-4.14/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch b/queue-4.14/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch new file mode 100644 index 00000000000..363a531c515 --- /dev/null +++ b/queue-4.14/drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch @@ -0,0 +1,42 @@ +From a96a99ede535b26bbc21f25a6571e86080649ab4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 21 Jun 2023 22:33:17 +0000 +Subject: drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs + +From: Jonas Karlman + +[ Upstream commit 13fc28804bf10ca0b7bce3efbba95c534836d7ca ] + +struct rockchip_crtc_state members such as output_type, output_bpc and +enable_afbc is always reset to zero in the atomic_duplicate_state crtc +funcs. + +Fix this by using kmemdup on the subclass rockchip_crtc_state struct. + +Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config") +Signed-off-by: Jonas Karlman +Reviewed-by: Sascha Hauer +Signed-off-by: Heiko Stuebner +Link: https://patchwork.freedesktop.org/patch/msgid/20230621223311.2239547-2-jonas@kwiboo.se +Signed-off-by: Sasha Levin +--- + drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +index feb6a458f82d1..3f32be1a682e5 100644 +--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c ++++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c +@@ -1071,7 +1071,8 @@ static struct drm_crtc_state *vop_crtc_duplicate_state(struct drm_crtc *crtc) + if (WARN_ON(!crtc->state)) + return NULL; + +- rockchip_state = kzalloc(sizeof(*rockchip_state), GFP_KERNEL); ++ rockchip_state = kmemdup(to_rockchip_crtc_state(crtc->state), ++ sizeof(*rockchip_state), GFP_KERNEL); + if (!rockchip_state) + return NULL; + +-- +2.42.0 + diff --git a/queue-4.14/ext4-move-ix-sanity-check-to-corrent-position.patch b/queue-4.14/ext4-move-ix-sanity-check-to-corrent-position.patch new file mode 100644 index 00000000000..58d29d9c446 --- /dev/null +++ b/queue-4.14/ext4-move-ix-sanity-check-to-corrent-position.patch @@ -0,0 +1,51 @@ +From 576e88151f318efc2693e62a5d1db1fa0a653a6d Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 6 Sep 2023 09:33:41 +0800 +Subject: ext4: move 'ix' sanity check to corrent position + +From: Gou Hao + +[ Upstream commit af90a8f4a09ec4a3de20142e37f37205d4687f28 ] + +Check 'ix' before it is used. + +Fixes: 80e675f906db ("ext4: optimize memmmove lengths in extent/index insertions") +Signed-off-by: Gou Hao +Link: https://lore.kernel.org/r/20230906013341.7199-1-gouhao@uniontech.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Sasha Levin +--- + fs/ext4/extents.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 652d16f90beb7..c8cce6bb02765 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -1002,6 +1002,11 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, + ix = curp->p_idx; + } + ++ if (unlikely(ix > EXT_MAX_INDEX(curp->p_hdr))) { ++ EXT4_ERROR_INODE(inode, "ix > EXT_MAX_INDEX!"); ++ return -EFSCORRUPTED; ++ } ++ + len = EXT_LAST_INDEX(curp->p_hdr) - ix + 1; + BUG_ON(len < 0); + if (len > 0) { +@@ -1011,11 +1016,6 @@ static int ext4_ext_insert_index(handle_t *handle, struct inode *inode, + memmove(ix + 1, ix, len * sizeof(struct ext4_extent_idx)); + } + +- if (unlikely(ix > EXT_MAX_INDEX(curp->p_hdr))) { +- EXT4_ERROR_INODE(inode, "ix > EXT_MAX_INDEX!"); +- return -EFSCORRUPTED; +- } +- + ix->ei_block = cpu_to_le32(logical); + ext4_idx_store_pblock(ix, ptr); + le16_add_cpu(&curp->p_hdr->eh_entries, 1); +-- +2.42.0 + diff --git a/queue-4.14/firmware-ti_sci-mark-driver-as-non-removable.patch b/queue-4.14/firmware-ti_sci-mark-driver-as-non-removable.patch new file mode 100644 index 00000000000..4519945ff7b --- /dev/null +++ b/queue-4.14/firmware-ti_sci-mark-driver-as-non-removable.patch @@ -0,0 +1,113 @@ +From e8b8703b497626827e0bb516f549087fc7881260 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 21 Sep 2023 14:40:26 +0530 +Subject: firmware: ti_sci: Mark driver as non removable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Dhruva Gole + +[ Upstream commit 7b7a224b1ba1703583b25a3641ad9798f34d832a ] + +The TI-SCI message protocol provides a way to communicate between +various compute processors with a central system controller entity. It +provides the fundamental device management capability and clock control +in the SOCs that it's used in. + +The remove function failed to do all the necessary cleanup if +there are registered users. Some things are freed however which +likely results in an oops later on. + +Ensure that the driver isn't unbound by suppressing its bind and unbind +sysfs attributes. As the driver is built-in there is no way to remove +device once bound. + +We can also remove the ti_sci_remove call along with the +ti_sci_debugfs_destroy as there are no callers for it any longer. + +Fixes: aa276781a64a ("firmware: Add basic support for TI System Control Interface (TI-SCI) protocol") +Reported-by: Uwe Kleine-König +Closes: https://lore.kernel.org/linux-arm-kernel/20230216083908.mvmydic5lpi3ogo7@pengutronix.de/ +Suggested-by: Uwe Kleine-König +Acked-by: Uwe Kleine-König +Signed-off-by: Dhruva Gole +Link: https://lore.kernel.org/r/20230921091025.133130-1-d-gole@ti.com +Signed-off-by: Nishanth Menon +Signed-off-by: Sasha Levin +--- + drivers/firmware/ti_sci.c | 46 +-------------------------------------- + 1 file changed, 1 insertion(+), 45 deletions(-) + +diff --git a/drivers/firmware/ti_sci.c b/drivers/firmware/ti_sci.c +index 1620722115cda..dd677fc4578ae 100644 +--- a/drivers/firmware/ti_sci.c ++++ b/drivers/firmware/ti_sci.c +@@ -213,19 +213,6 @@ static int ti_sci_debugfs_create(struct platform_device *pdev, + return 0; + } + +-/** +- * ti_sci_debugfs_destroy() - clean up log debug file +- * @pdev: platform device pointer +- * @info: Pointer to SCI entity information +- */ +-static void ti_sci_debugfs_destroy(struct platform_device *pdev, +- struct ti_sci_info *info) +-{ +- if (IS_ERR(info->debug_region)) +- return; +- +- debugfs_remove(info->d); +-} + #else /* CONFIG_DEBUG_FS */ + static inline int ti_sci_debugfs_create(struct platform_device *dev, + struct ti_sci_info *info) +@@ -1945,43 +1932,12 @@ static int ti_sci_probe(struct platform_device *pdev) + return ret; + } + +-static int ti_sci_remove(struct platform_device *pdev) +-{ +- struct ti_sci_info *info; +- struct device *dev = &pdev->dev; +- int ret = 0; +- +- of_platform_depopulate(dev); +- +- info = platform_get_drvdata(pdev); +- +- if (info->nb.notifier_call) +- unregister_restart_handler(&info->nb); +- +- mutex_lock(&ti_sci_list_mutex); +- if (info->users) +- ret = -EBUSY; +- else +- list_del(&info->node); +- mutex_unlock(&ti_sci_list_mutex); +- +- if (!ret) { +- ti_sci_debugfs_destroy(pdev, info); +- +- /* Safe to free channels since no more users */ +- mbox_free_channel(info->chan_tx); +- mbox_free_channel(info->chan_rx); +- } +- +- return ret; +-} +- + static struct platform_driver ti_sci_driver = { + .probe = ti_sci_probe, +- .remove = ti_sci_remove, + .driver = { + .name = "ti-sci", + .of_match_table = of_match_ptr(ti_sci_of_match), ++ .suppress_bind_attrs = true, + }, + }; + module_platform_driver(ti_sci_driver); +-- +2.42.0 + diff --git a/queue-4.14/hwrng-geode-fix-accessing-registers.patch b/queue-4.14/hwrng-geode-fix-accessing-registers.patch new file mode 100644 index 00000000000..d452c00d8fa --- /dev/null +++ b/queue-4.14/hwrng-geode-fix-accessing-registers.patch @@ -0,0 +1,58 @@ +From d3f74e21eaefff0e58705f46710e5dcc59ba6dff Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 10 Sep 2023 10:34:17 +0200 +Subject: hwrng: geode - fix accessing registers + +From: Jonas Gorski + +[ Upstream commit 464bd8ec2f06707f3773676a1bd2c64832a3c805 ] + +When the membase and pci_dev pointer were moved to a new struct in priv, +the actual membase users were left untouched, and they started reading +out arbitrary memory behind the struct instead of registers. This +unfortunately turned the RNG into a constant number generator, depending +on the content of what was at that offset. + +To fix this, update geode_rng_data_{read,present}() to also get the +membase via amd_geode_priv, and properly read from the right addresses +again. + +Fixes: 9f6ec8dc574e ("hwrng: geode - Fix PCI device refcount leak") +Reported-by: Timur I. Davletshin +Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217882 +Tested-by: Timur I. Davletshin +Suggested-by: Jo-Philipp Wich +Signed-off-by: Jonas Gorski +Signed-off-by: Herbert Xu +Signed-off-by: Sasha Levin +--- + drivers/char/hw_random/geode-rng.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/char/hw_random/geode-rng.c b/drivers/char/hw_random/geode-rng.c +index 207272979f233..2f8289865ec81 100644 +--- a/drivers/char/hw_random/geode-rng.c ++++ b/drivers/char/hw_random/geode-rng.c +@@ -58,7 +58,8 @@ struct amd_geode_priv { + + static int geode_rng_data_read(struct hwrng *rng, u32 *data) + { +- void __iomem *mem = (void __iomem *)rng->priv; ++ struct amd_geode_priv *priv = (struct amd_geode_priv *)rng->priv; ++ void __iomem *mem = priv->membase; + + *data = readl(mem + GEODE_RNG_DATA_REG); + +@@ -67,7 +68,8 @@ static int geode_rng_data_read(struct hwrng *rng, u32 *data) + + static int geode_rng_data_present(struct hwrng *rng, int wait) + { +- void __iomem *mem = (void __iomem *)rng->priv; ++ struct amd_geode_priv *priv = (struct amd_geode_priv *)rng->priv; ++ void __iomem *mem = priv->membase; + int data, i; + + for (i = 0; i < 20; i++) { +-- +2.42.0 + diff --git a/queue-4.14/i40e-fix-potential-memory-leaks-in-i40e_remove.patch b/queue-4.14/i40e-fix-potential-memory-leaks-in-i40e_remove.patch new file mode 100644 index 00000000000..90282f7a8d7 --- /dev/null +++ b/queue-4.14/i40e-fix-potential-memory-leaks-in-i40e_remove.patch @@ -0,0 +1,50 @@ +From 699650fe5efb3b5078c4f0028110b98bcf825041 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 8 Sep 2023 14:42:01 +0200 +Subject: i40e: fix potential memory leaks in i40e_remove() + +From: Andrii Staikov + +[ Upstream commit 5ca636d927a106780451d957734f02589b972e2b ] + +Instead of freeing memory of a single VSI, make sure +the memory for all VSIs is cleared before releasing VSIs. +Add releasing of their resources in a loop with the iteration +number equal to the number of allocated VSIs. + +Fixes: 41c445ff0f48 ("i40e: main driver core") +Signed-off-by: Andrii Staikov +Signed-off-by: Aleksandr Loktionov +Reviewed-by: Simon Horman +Signed-off-by: Tony Nguyen +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/intel/i40e/i40e_main.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c +index 50aa53988b483..a7bcdf7c6686c 100644 +--- a/drivers/net/ethernet/intel/i40e/i40e_main.c ++++ b/drivers/net/ethernet/intel/i40e/i40e_main.c +@@ -11882,11 +11882,15 @@ static void i40e_remove(struct pci_dev *pdev) + i40e_switch_branch_release(pf->veb[i]); + } + +- /* Now we can shutdown the PF's VSI, just before we kill ++ /* Now we can shutdown the PF's VSIs, just before we kill + * adminq and hmc. + */ +- if (pf->vsi[pf->lan_vsi]) +- i40e_vsi_release(pf->vsi[pf->lan_vsi]); ++ for (i = pf->num_alloc_vsi; i--;) ++ if (pf->vsi[i]) { ++ i40e_vsi_close(pf->vsi[i]); ++ i40e_vsi_release(pf->vsi[i]); ++ pf->vsi[i] = NULL; ++ } + + /* remove attached clients */ + if (pf->flags & I40E_FLAG_IWARP_ENABLED) { +-- +2.42.0 + diff --git a/queue-4.14/ipv6-avoid-atomic-fragment-on-gso-packets.patch b/queue-4.14/ipv6-avoid-atomic-fragment-on-gso-packets.patch new file mode 100644 index 00000000000..fc31955e75e --- /dev/null +++ b/queue-4.14/ipv6-avoid-atomic-fragment-on-gso-packets.patch @@ -0,0 +1,54 @@ +From aa8df1963309d9829f3eecc8382382b527df30f5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 07:26:40 -0700 +Subject: ipv6: avoid atomic fragment on GSO packets + +From: Yan Zhai + +[ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ] + +When the ipv6 stack output a GSO packet, if its gso_size is larger than +dst MTU, then all segments would be fragmented. However, it is possible +for a GSO packet to have a trailing segment with smaller actual size +than both gso_size as well as the MTU, which leads to an "atomic +fragment". Atomic fragments are considered harmful in RFC-8021. An +Existing report from APNIC also shows that atomic fragments are more +likely to be dropped even it is equivalent to a no-op [1]. + +Add an extra check in the GSO slow output path. For each segment from +the original over-sized packet, if it fits with the path MTU, then avoid +generating an atomic fragment. + +Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1] +Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing") +Reported-by: David Wragg +Signed-off-by: Yan Zhai +Link: https://lore.kernel.org/r/90912e3503a242dca0bc36958b11ed03a2696e5e.1698156966.git.yan@cloudflare.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Sasha Levin +--- + net/ipv6/ip6_output.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index c9322e6a1c0cb..a7814e69ecd89 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -153,7 +153,13 @@ ip6_finish_output_gso_slowpath_drop(struct net *net, struct sock *sk, + int err; + + skb_mark_not_on_list(segs); +- err = ip6_fragment(net, sk, segs, ip6_finish_output2); ++ /* Last GSO segment can be smaller than gso_size (and MTU). ++ * Adding a fragment header would produce an "atomic fragment", ++ * which is considered harmful (RFC-8021). Avoid that. ++ */ ++ err = segs->len > mtu ? ++ ip6_fragment(net, sk, segs, ip6_finish_output2) : ++ ip6_finish_output2(net, sk, segs); + if (err && ret == 0) + ret = err; + } +-- +2.42.0 + diff --git a/queue-4.14/media-dvb-usb-v2-af9035-fix-missing-unlock.patch b/queue-4.14/media-dvb-usb-v2-af9035-fix-missing-unlock.patch new file mode 100644 index 00000000000..266b21eed71 --- /dev/null +++ b/queue-4.14/media-dvb-usb-v2-af9035-fix-missing-unlock.patch @@ -0,0 +1,67 @@ +From cc193d18b07a1f4273a18ada03097f169ad54b5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 Oct 2023 12:08:45 +0200 +Subject: media: dvb-usb-v2: af9035: fix missing unlock + +From: Hans Verkuil + +[ Upstream commit f31b2cb85f0ee165d78e1c43f6d69f82cc3b2145 ] + +Instead of returning an error, goto the mutex unlock at +the end of the function. + +Fixes smatch warning: + +drivers/media/usb/dvb-usb-v2/af9035.c:467 af9035_i2c_master_xfer() warn: inconsistent returns '&d->i2c_mutex'. + Locked on : 326,387 + Unlocked on: 465,467 + +Signed-off-by: Hans Verkuil +Fixes: 7bf744f2de0a ("media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer") +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/usb/dvb-usb-v2/af9035.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/usb/dvb-usb-v2/af9035.c b/drivers/media/usb/dvb-usb-v2/af9035.c +index 8a83f27875ec9..2ed29a99fee1e 100644 +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -337,8 +337,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { +- if (msg[0].len < 3 || msg[1].len < 1) +- return -EOPNOTSUPP; ++ if (msg[0].len < 3 || msg[1].len < 1) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* demod access via firmware interface */ + reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -398,8 +400,10 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } else if ((msg[0].addr == state->af9033_i2c_addr[0]) || + (msg[0].addr == state->af9033_i2c_addr[1])) { +- if (msg[0].len < 3) +- return -EOPNOTSUPP; ++ if (msg[0].len < 3) { ++ ret = -EOPNOTSUPP; ++ goto unlock; ++ } + /* demod access via firmware interface */ + reg = msg[0].buf[0] << 16 | msg[0].buf[1] << 8 | + msg[0].buf[2]; +@@ -474,6 +478,7 @@ static int af9035_i2c_master_xfer(struct i2c_adapter *adap, + ret = -EOPNOTSUPP; + } + ++unlock: + mutex_unlock(&d->i2c_mutex); + + if (ret < 0) +-- +2.42.0 + diff --git a/queue-4.14/media-s3c-camif-avoid-inappropriate-kfree.patch b/queue-4.14/media-s3c-camif-avoid-inappropriate-kfree.patch new file mode 100644 index 00000000000..c963d41ced7 --- /dev/null +++ b/queue-4.14/media-s3c-camif-avoid-inappropriate-kfree.patch @@ -0,0 +1,54 @@ +From 0c3f217456950760a49229b4cb6fb8ceabfc0c52 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 14:55:06 +0300 +Subject: media: s3c-camif: Avoid inappropriate kfree() + +From: Katya Orlova + +[ Upstream commit 61334819aca018c3416ee6c330a08a49c1524fc3 ] + +s3c_camif_register_video_node() works with video_device structure stored +as a field of camif_vp, so it should not be kfreed. +But there is video_device_release() on error path that do it. + +Found by Linux Verification Center (linuxtesting.org) with SVACE. + +Fixes: babde1c243b2 ("[media] V4L: Add driver for S3C24XX/S3C64XX SoC series camera interface") +Signed-off-by: Katya Orlova +Signed-off-by: Hans Verkuil +Signed-off-by: Sasha Levin +--- + drivers/media/platform/s3c-camif/camif-capture.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +diff --git a/drivers/media/platform/s3c-camif/camif-capture.c b/drivers/media/platform/s3c-camif/camif-capture.c +index 85d26713cedb9..63710f73fc3c4 100644 +--- a/drivers/media/platform/s3c-camif/camif-capture.c ++++ b/drivers/media/platform/s3c-camif/camif-capture.c +@@ -1142,12 +1142,12 @@ int s3c_camif_register_video_node(struct camif_dev *camif, int idx) + + ret = vb2_queue_init(q); + if (ret) +- goto err_vd_rel; ++ return ret; + + vp->pad.flags = MEDIA_PAD_FL_SINK; + ret = media_entity_pads_init(&vfd->entity, 1, &vp->pad); + if (ret) +- goto err_vd_rel; ++ return ret; + + video_set_drvdata(vfd, vp); + +@@ -1179,8 +1179,6 @@ int s3c_camif_register_video_node(struct camif_dev *camif, int idx) + v4l2_ctrl_handler_free(&vp->ctrl_handler); + err_me_cleanup: + media_entity_cleanup(&vfd->entity); +-err_vd_rel: +- video_device_release(vfd); + return ret; + } + +-- +2.42.0 + diff --git a/queue-4.14/mfd-dln2-fix-double-put-in-dln2_probe.patch b/queue-4.14/mfd-dln2-fix-double-put-in-dln2_probe.patch new file mode 100644 index 00000000000..1f10a258489 --- /dev/null +++ b/queue-4.14/mfd-dln2-fix-double-put-in-dln2_probe.patch @@ -0,0 +1,37 @@ +From 1234d125e239f3cb97d366a009ef80e786d769a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 25 Sep 2023 10:41:33 +0800 +Subject: mfd: dln2: Fix double put in dln2_probe + +From: Dinghao Liu + +[ Upstream commit 759c409bc5fc496cbc22cd0b392d3cbb0c0e23eb ] + +The dln2_free() already contains usb_put_dev(). Therefore, +the redundant usb_put_dev() before dln2_free() may lead to +a double free. + +Fixes: 96da8f148396 ("mfd: dln2: Fix memory leak in dln2_probe()") +Signed-off-by: Dinghao Liu +Link: https://lore.kernel.org/r/20230925024134.9683-1-dinghao.liu@zju.edu.cn +Signed-off-by: Lee Jones +Signed-off-by: Sasha Levin +--- + drivers/mfd/dln2.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c +index a0ad99ca495fd..97a69cd6f1278 100644 +--- a/drivers/mfd/dln2.c ++++ b/drivers/mfd/dln2.c +@@ -804,7 +804,6 @@ static int dln2_probe(struct usb_interface *interface, + dln2_stop_rx_urbs(dln2); + + out_free: +- usb_put_dev(dln2->usb_dev); + dln2_free(dln2); + + return ret; +-- +2.42.0 + diff --git a/queue-4.14/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch b/queue-4.14/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch new file mode 100644 index 00000000000..1dbe9922899 --- /dev/null +++ b/queue-4.14/misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch @@ -0,0 +1,65 @@ +From 5f8ad8ce147b60f5ebe1ab63461cbb7c5a7dfdba Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 23 Aug 2023 11:50:20 +0800 +Subject: misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() + +From: Jinjie Ruan + +[ Upstream commit 4d08c3d12b61022501989f9f071514d2d6f77c47 ] + +It is not allowed to call kfree_skb() from hardware interrupt +context or with hardware interrupts being disabled. +So replace kfree_skb() with dev_kfree_skb_irq() under +spin_lock_irqsave(). Compile tested only. + +Fixes: 53618cc1e51e ("Staging: sources for ST core") +Signed-off-by: Jinjie Ruan +Link: https://lore.kernel.org/r/20230823035020.1281892-1-ruanjinjie@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/misc/ti-st/st_core.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/ti-st/st_core.c b/drivers/misc/ti-st/st_core.c +index eda8d407be287..e5fbd61f69c8e 100644 +--- a/drivers/misc/ti-st/st_core.c ++++ b/drivers/misc/ti-st/st_core.c +@@ -28,6 +28,7 @@ + #include + + #include ++#include + + extern void st_kim_recv(void *, const unsigned char *, long); + void st_int_recv(void *, const unsigned char *, long); +@@ -436,7 +437,7 @@ static void st_int_enqueue(struct st_data_s *st_gdata, struct sk_buff *skb) + case ST_LL_AWAKE_TO_ASLEEP: + pr_err("ST LL is illegal state(%ld)," + "purging received skb.", st_ll_getstate(st_gdata)); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + case ST_LL_ASLEEP: + skb_queue_tail(&st_gdata->tx_waitq, skb); +@@ -445,7 +446,7 @@ static void st_int_enqueue(struct st_data_s *st_gdata, struct sk_buff *skb) + default: + pr_err("ST LL is illegal state(%ld)," + "purging received skb.", st_ll_getstate(st_gdata)); +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + break; + } + +@@ -499,7 +500,7 @@ void st_tx_wakeup(struct st_data_s *st_data) + spin_unlock_irqrestore(&st_data->lock, flags); + break; + } +- kfree_skb(skb); ++ dev_kfree_skb_irq(skb); + spin_unlock_irqrestore(&st_data->lock, flags); + } + /* if wake-up is set in another context- restart sending */ +-- +2.42.0 + diff --git a/queue-4.14/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch b/queue-4.14/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch new file mode 100644 index 00000000000..744c514151f --- /dev/null +++ b/queue-4.14/pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch @@ -0,0 +1,43 @@ +From e0557ff98ff5bc0c3fee7076cae3a382fb02238a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:25:41 +0800 +Subject: pcmcia: cs: fix possible hung task and memory leak pccardd() + +From: Yang Yingliang + +[ Upstream commit e3ea1b4847e49234e691c0d66bf030bd65bb7f2b ] + +If device_register() returns error in pccardd(), it leads two issues: + +1. The socket_released has never been completed, it will block + pcmcia_unregister_socket(), because of waiting for completion + of socket_released. +2. The device name allocated by dev_set_name() is leaked. + +Fix this two issues by calling put_device() when device_register() fails. +socket_released can be completed in pcmcia_release_socket(), the name can +be freed in kobject_cleanup(). + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Yang Yingliang +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/cs.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/pcmcia/cs.c b/drivers/pcmcia/cs.c +index 182e5ef4ab83d..e99ef7b745aeb 100644 +--- a/drivers/pcmcia/cs.c ++++ b/drivers/pcmcia/cs.c +@@ -608,6 +608,7 @@ static int pccardd(void *__skt) + dev_warn(&skt->dev, "PCMCIA: unable to register socket\n"); + skt->thread = NULL; + complete(&skt->thread_done); ++ put_device(&skt->dev); + return 0; + } + ret = pccard_sysfs_add_socket(&skt->dev); +-- +2.42.0 + diff --git a/queue-4.14/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch b/queue-4.14/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch new file mode 100644 index 00000000000..0557aa3e788 --- /dev/null +++ b/queue-4.14/pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch @@ -0,0 +1,53 @@ +From 5315d4c12c65d26cb2511f8a0bf238647422c1c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:29:24 +0800 +Subject: pcmcia: ds: fix possible name leak in error path in + pcmcia_device_add() + +From: Yang Yingliang + +[ Upstream commit 99e1241049a92dd3e9a90a0f91e32ce390133278 ] + +Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's +bus_id string array"), the name of device is allocated dynamically. +Therefore, it needs to be freed, which is done by the driver core for +us once all references to the device are gone. Therefore, move the +dev_set_name() call immediately before the call device_register(), which +either succeeds (then the freeing will be done upon subsequent remvoal), +or puts the reference in the error call. Also, it is not unusual that the +return value of dev_set_name is not checked. + +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Yang Yingliang +[linux@dominikbrodowski.net: simplification, commit message modified] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/ds.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c +index e07bd5249f271..3701887be32e8 100644 +--- a/drivers/pcmcia/ds.c ++++ b/drivers/pcmcia/ds.c +@@ -521,9 +521,6 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + /* by default don't allow DMA */ + p_dev->dma_mask = DMA_MASK_NONE; + p_dev->dev.dma_mask = &p_dev->dma_mask; +- dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no); +- if (!dev_name(&p_dev->dev)) +- goto err_free; + p_dev->devname = kasprintf(GFP_KERNEL, "pcmcia%s", dev_name(&p_dev->dev)); + if (!p_dev->devname) + goto err_free; +@@ -581,6 +578,7 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + + pcmcia_device_query(p_dev); + ++ dev_set_name(&p_dev->dev, "%d.%d", p_dev->socket->sock, p_dev->device_no); + if (device_register(&p_dev->dev)) { + mutex_lock(&s->ops_mutex); + list_del(&p_dev->socket_device_list); +-- +2.42.0 + diff --git a/queue-4.14/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch b/queue-4.14/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch new file mode 100644 index 00000000000..b997a84ced6 --- /dev/null +++ b/queue-4.14/pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch @@ -0,0 +1,49 @@ +From cfc852ab2305efacbb2845e1c51287622f1798f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 12 Nov 2022 17:29:23 +0800 +Subject: pcmcia: ds: fix refcount leak in pcmcia_device_add() + +From: Yang Yingliang + +[ Upstream commit 402ab979b29126068e0b596b641422ff7490214c ] + +As the comment of device_register() says, it should use put_device() +to give up the reference in the error path. Then, insofar resources +will be freed in pcmcia_release_dev(), the error path is no longer +needed. In particular, this means that the (previously missing) dropping +of the reference to &p_dev->function_config->ref is now handled by +pcmcia_release_dev(). + +Fixes: 360b65b95bae ("[PATCH] pcmcia: make config_t independent, add reference counting") +Signed-off-by: Yang Yingliang +[linux@dominikbrodowski.net: simplification, commit message rewrite] +Signed-off-by: Dominik Brodowski +Signed-off-by: Sasha Levin +--- + drivers/pcmcia/ds.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/pcmcia/ds.c b/drivers/pcmcia/ds.c +index a9258f641ceed..e07bd5249f271 100644 +--- a/drivers/pcmcia/ds.c ++++ b/drivers/pcmcia/ds.c +@@ -581,8 +581,14 @@ static struct pcmcia_device *pcmcia_device_add(struct pcmcia_socket *s, + + pcmcia_device_query(p_dev); + +- if (device_register(&p_dev->dev)) +- goto err_unreg; ++ if (device_register(&p_dev->dev)) { ++ mutex_lock(&s->ops_mutex); ++ list_del(&p_dev->socket_device_list); ++ s->device_count--; ++ mutex_unlock(&s->ops_mutex); ++ put_device(&p_dev->dev); ++ return NULL; ++ } + + return p_dev; + +-- +2.42.0 + diff --git a/queue-4.14/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch b/queue-4.14/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch new file mode 100644 index 00000000000..a8a553a7e06 --- /dev/null +++ b/queue-4.14/platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch @@ -0,0 +1,84 @@ +From 04f765a624a98ffdba77c6cd28db499e5fd5884a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 20 Oct 2023 23:10:03 +0200 +Subject: platform/x86: wmi: Fix probe failure when failing to register WMI + devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Armin Wolf + +[ Upstream commit ed85891a276edaf7a867de0e9acd0837bc3008f2 ] + +When a WMI device besides the first one somehow fails to register, +retval is returned while still containing a negative error code. This +causes the ACPI device fail to probe, leaving behind zombie WMI devices +leading to various errors later. + +Handle the single error path separately and return 0 unconditionally +after trying to register all WMI devices to solve the issue. Also +continue to register WMI devices even if some fail to allocate memory. + +Fixes: 6ee50aaa9a20 ("platform/x86: wmi: Instantiate all devices before adding them") +Signed-off-by: Armin Wolf +Link: https://lore.kernel.org/r/20231020211005.38216-4-W_Armin@gmx.de +Reviewed-by: Ilpo Järvinen +Signed-off-by: Ilpo Järvinen +Signed-off-by: Sasha Levin +--- + drivers/platform/x86/wmi.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/platform/x86/wmi.c b/drivers/platform/x86/wmi.c +index 07c1e0829b19a..f7ff07514eb65 100644 +--- a/drivers/platform/x86/wmi.c ++++ b/drivers/platform/x86/wmi.c +@@ -953,8 +953,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + struct wmi_block *wblock, *next; + union acpi_object *obj; + acpi_status status; +- int retval = 0; + u32 i, total; ++ int retval; + + status = acpi_evaluate_object(device->handle, "_WDG", NULL, &out); + if (ACPI_FAILURE(status)) +@@ -965,8 +965,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + return -ENXIO; + + if (obj->type != ACPI_TYPE_BUFFER) { +- retval = -ENXIO; +- goto out_free_pointer; ++ kfree(obj); ++ return -ENXIO; + } + + gblock = (const struct guid_block *)obj->buffer.pointer; +@@ -987,8 +987,8 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + + wblock = kzalloc(sizeof(struct wmi_block), GFP_KERNEL); + if (!wblock) { +- retval = -ENOMEM; +- break; ++ dev_err(wmi_bus_dev, "Failed to allocate %pUL\n", &gblock[i].guid); ++ continue; + } + + wblock->acpi_device = device; +@@ -1027,9 +1027,9 @@ static int parse_wdg(struct device *wmi_bus_dev, struct acpi_device *device) + } + } + +-out_free_pointer: +- kfree(out.pointer); +- return retval; ++ kfree(obj); ++ ++ return 0; + } + + /* +-- +2.42.0 + diff --git a/queue-4.14/rdma-hfi1-workaround-truncation-compilation-error.patch b/queue-4.14/rdma-hfi1-workaround-truncation-compilation-error.patch new file mode 100644 index 00000000000..1dcdcf2b9c8 --- /dev/null +++ b/queue-4.14/rdma-hfi1-workaround-truncation-compilation-error.patch @@ -0,0 +1,57 @@ +From 8bf5278d910fe6bf905b7ced87afbc6829717e3b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 24 Oct 2023 18:07:31 +0300 +Subject: RDMA/hfi1: Workaround truncation compilation error +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Leon Romanovsky + +[ Upstream commit d4b2d165714c0ce8777d5131f6e0aad617b7adc4 ] + +Increase name array to be large enough to overcome the following +compilation error. + +drivers/infiniband/hw/hfi1/efivar.c: In function ‘read_hfi1_efi_var’: +drivers/infiniband/hw/hfi1/efivar.c:124:44: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 124 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^ +drivers/infiniband/hw/hfi1/efivar.c:124:9: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64 + 124 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +drivers/infiniband/hw/hfi1/efivar.c:133:52: error: ‘snprintf’ output may be truncated before the last format character [-Werror=format-truncation=] + 133 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^ +drivers/infiniband/hw/hfi1/efivar.c:133:17: note: ‘snprintf’ output 2 or more bytes (assuming 65) into a destination of size 64 + 133 | snprintf(name, sizeof(name), "%s-%s", prefix_name, kind); + | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ +cc1: all warnings being treated as errors +make[6]: *** [scripts/Makefile.build:243: drivers/infiniband/hw/hfi1/efivar.o] Error 1 + +Fixes: c03c08d50b3d ("IB/hfi1: Check upper-case EFI variables") +Signed-off-by: Leon Romanovsky +Link: https://lore.kernel.org/r/238fa39a8fd60e87a5ad7e1ca6584fcdf32e9519.1698159993.git.leonro@nvidia.com +Acked-by: Dennis Dalessandro +Signed-off-by: Leon Romanovsky +Signed-off-by: Sasha Levin +--- + drivers/infiniband/hw/hfi1/efivar.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/infiniband/hw/hfi1/efivar.c b/drivers/infiniband/hw/hfi1/efivar.c +index d106d23016ba0..75e39e403a581 100644 +--- a/drivers/infiniband/hw/hfi1/efivar.c ++++ b/drivers/infiniband/hw/hfi1/efivar.c +@@ -152,7 +152,7 @@ int read_hfi1_efi_var(struct hfi1_devdata *dd, const char *kind, + unsigned long *size, void **return_data) + { + char prefix_name[64]; +- char name[64]; ++ char name[128]; + int result; + int i; + +-- +2.42.0 + diff --git a/queue-4.14/series b/queue-4.14/series index e69de29bb2d..c34682d0253 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -0,0 +1,35 @@ +i40e-fix-potential-memory-leaks-in-i40e_remove.patch +tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch +tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch +wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch +thermal-core-prevent-potential-string-overflow.patch +acpi-sysfs-fix-create_pnp_modalias-and-create_of_mod.patch +ipv6-avoid-atomic-fragment-on-gso-packets.patch +clk-qcom-clk-rcg2-fix-clock-rate-overflow-for-high-p.patch +clk-keystone-pll-fix-a-couple-null-vs-is_err-checks.patch +clk-mediatek-clk-mt6797-add-check-for-mtk_alloc_clk_.patch +clk-mediatek-clk-mt2701-add-check-for-mtk_alloc_clk_.patch +platform-x86-wmi-fix-probe-failure-when-failing-to-r.patch +drm-rockchip-vop-fix-reset-of-state-in-duplicate-sta.patch +drm-radeon-possible-buffer-overflow.patch +drm-rockchip-cdn-dp-fix-some-error-handling-paths-in.patch +arm-dts-qcom-mdm9615-populate-vsdcc-fixed-regulator.patch +firmware-ti_sci-mark-driver-as-non-removable.patch +hwrng-geode-fix-accessing-registers.patch +arm-9321-1-memset-cast-the-constant-byte-to-unsigned.patch +ext4-move-ix-sanity-check-to-corrent-position.patch +rdma-hfi1-workaround-truncation-compilation-error.patch +sh-bios-revive-earlyprintk-support.patch +asoc-intel-skylake-fix-mem-leak-when-parsing-uuids-f.patch +mfd-dln2-fix-double-put-in-dln2_probe.patch +tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch +usb-dwc2-fix-possible-null-pointer-dereference-cause.patch +dmaengine-ti-edma-handle-irq_of_parse_and_map-errors.patch +misc-st_core-do-not-call-kfree_skb-under-spin_lock_i.patch +usb-usbip-fix-stub_dev-hub-disconnect.patch +dmaengine-pxa_dma-remove-an-erroneous-bug_on-in-pxad.patch +pcmcia-cs-fix-possible-hung-task-and-memory-leak-pcc.patch +pcmcia-ds-fix-refcount-leak-in-pcmcia_device_add.patch +pcmcia-ds-fix-possible-name-leak-in-error-path-in-pc.patch +media-s3c-camif-avoid-inappropriate-kfree.patch +media-dvb-usb-v2-af9035-fix-missing-unlock.patch diff --git a/queue-4.14/sh-bios-revive-earlyprintk-support.patch b/queue-4.14/sh-bios-revive-earlyprintk-support.patch new file mode 100644 index 00000000000..a331f9938e3 --- /dev/null +++ b/queue-4.14/sh-bios-revive-earlyprintk-support.patch @@ -0,0 +1,52 @@ +From c38d549e116a8a72940f8d480520b5adceb1eda5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 19 Oct 2023 11:46:43 +0200 +Subject: sh: bios: Revive earlyprintk support + +From: Geert Uytterhoeven + +[ Upstream commit 553f7ac78fbb41b2c93ab9b9d78e42274d27daa9 ] + +The SuperH BIOS earlyprintk code is protected by CONFIG_EARLY_PRINTK. +However, when this protection was added, it was missed that SuperH no +longer defines an EARLY_PRINTK config symbol since commit +e76fe57447e88916 ("sh: Remove old early serial console code V2"), so +BIOS earlyprintk can no longer be used. + +Fix this by reviving the EARLY_PRINTK config symbol. + +Fixes: d0380e6c3c0f6edb ("early_printk: consolidate random copies of identical code") +Signed-off-by: Geert Uytterhoeven +Reviewed-by: John Paul Adrian Glaubitz +Link: https://lore.kernel.org/r/c40972dfec3dcc6719808d5df388857360262878.1697708489.git.geert+renesas@glider.be +Signed-off-by: John Paul Adrian Glaubitz +Signed-off-by: Sasha Levin +--- + arch/sh/Kconfig.debug | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/arch/sh/Kconfig.debug b/arch/sh/Kconfig.debug +index 4209405179262..4737cbd95cd53 100644 +--- a/arch/sh/Kconfig.debug ++++ b/arch/sh/Kconfig.debug +@@ -29,6 +29,17 @@ config STACK_DEBUG + every function call and will therefore incur a major + performance hit. Most users should say N. + ++config EARLY_PRINTK ++ bool "Early printk" ++ depends on SH_STANDARD_BIOS ++ help ++ Say Y here to redirect kernel printk messages to the serial port ++ used by the SH-IPL bootloader, starting very early in the boot ++ process and ending when the kernel's serial console is initialised. ++ This option is only useful while porting the kernel to a new machine, ++ when the kernel may crash or hang before the serial console is ++ initialised. If unsure, say N. ++ + config 4KSTACKS + bool "Use 4Kb for kernel stacks instead of 8Kb" + depends on DEBUG_KERNEL && (MMU || BROKEN) && !PAGE_SIZE_64KB +-- +2.42.0 + diff --git a/queue-4.14/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch b/queue-4.14/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch new file mode 100644 index 00000000000..3eb2744758d --- /dev/null +++ b/queue-4.14/tcp_metrics-do-not-create-an-entry-from-tcp_init_met.patch @@ -0,0 +1,39 @@ +From 2a32da847a8592372a018b6d628ccb2ca51603fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 22:03:55 +0000 +Subject: tcp_metrics: do not create an entry from tcp_init_metrics() + +From: Eric Dumazet + +[ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ] + +tcp_init_metrics() only wants to get metrics if they were +previously stored in the cache. Creating an entry is adding +useless costs, especially when tcp_no_metrics_save is set. + +Fixes: 51c5d0c4b169 ("tcp: Maintain dynamic metrics in local cache.") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Acked-by: Neal Cardwell +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 164e917d71b21..820a97f92235a 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -475,7 +475,7 @@ void tcp_init_metrics(struct sock *sk) + goto reset; + + rcu_read_lock(); +- tm = tcp_get_metrics(sk, dst, true); ++ tm = tcp_get_metrics(sk, dst, false); + if (!tm) { + rcu_read_unlock(); + goto reset; +-- +2.42.0 + diff --git a/queue-4.14/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch b/queue-4.14/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch new file mode 100644 index 00000000000..bf195abff8d --- /dev/null +++ b/queue-4.14/tcp_metrics-properly-set-tp-snd_ssthresh-in-tcp_init.patch @@ -0,0 +1,52 @@ +From 8ee512af6a457d9c6e2a08a989dbbbbd6429d3cc Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 22 Sep 2023 22:03:54 +0000 +Subject: tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() + +From: Eric Dumazet + +[ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ] + +We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH +in the case tcp_get_metrics() fails for some reason. + +Fixes: 9ad7c049f0f7 ("tcp: RFC2988bis + taking RTT sample from 3WHS for the passive open side") +Signed-off-by: Eric Dumazet +Reviewed-by: David Ahern +Acked-by: Neal Cardwell +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + net/ipv4/tcp_metrics.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c +index 11bb9751a799f..164e917d71b21 100644 +--- a/net/ipv4/tcp_metrics.c ++++ b/net/ipv4/tcp_metrics.c +@@ -467,6 +467,10 @@ void tcp_init_metrics(struct sock *sk) + u32 val, crtt = 0; /* cached RTT scaled by 8 */ + + sk_dst_confirm(sk); ++ /* ssthresh may have been reduced unnecessarily during. ++ * 3WHS. Restore it back to its initial default. ++ */ ++ tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + if (!dst) + goto reset; + +@@ -485,11 +489,6 @@ void tcp_init_metrics(struct sock *sk) + tp->snd_ssthresh = val; + if (tp->snd_ssthresh > tp->snd_cwnd_clamp) + tp->snd_ssthresh = tp->snd_cwnd_clamp; +- } else { +- /* ssthresh may have been reduced unnecessarily during. +- * 3WHS. Restore it back to its initial default. +- */ +- tp->snd_ssthresh = TCP_INFINITE_SSTHRESH; + } + val = tcp_metric_get(tm, TCP_METRIC_REORDERING); + if (val && tp->reordering != val) { +-- +2.42.0 + diff --git a/queue-4.14/thermal-core-prevent-potential-string-overflow.patch b/queue-4.14/thermal-core-prevent-potential-string-overflow.patch new file mode 100644 index 00000000000..9b81310989c --- /dev/null +++ b/queue-4.14/thermal-core-prevent-potential-string-overflow.patch @@ -0,0 +1,47 @@ +From 8f9c43a51d87f0627868e60d25193050f7b28ad6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 7 Oct 2023 11:59:39 +0300 +Subject: thermal: core: prevent potential string overflow + +From: Dan Carpenter + +[ Upstream commit c99626092efca3061b387043d4a7399bf75fbdd5 ] + +The dev->id value comes from ida_alloc() so it's a number between zero +and INT_MAX. If it's too high then these sprintf()s will overflow. + +Fixes: 203d3d4aa482 ("the generic thermal sysfs driver") +Signed-off-by: Dan Carpenter +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Sasha Levin +--- + drivers/thermal/thermal_core.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/thermal/thermal_core.c b/drivers/thermal/thermal_core.c +index 8374b8078b7df..e24d46f715715 100644 +--- a/drivers/thermal/thermal_core.c ++++ b/drivers/thermal/thermal_core.c +@@ -737,7 +737,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz, + if (result) + goto release_ida; + +- sprintf(dev->attr_name, "cdev%d_trip_point", dev->id); ++ snprintf(dev->attr_name, sizeof(dev->attr_name), "cdev%d_trip_point", ++ dev->id); + sysfs_attr_init(&dev->attr.attr); + dev->attr.attr.name = dev->attr_name; + dev->attr.attr.mode = 0444; +@@ -746,7 +747,8 @@ int thermal_zone_bind_cooling_device(struct thermal_zone_device *tz, + if (result) + goto remove_symbol_link; + +- sprintf(dev->weight_attr_name, "cdev%d_weight", dev->id); ++ snprintf(dev->weight_attr_name, sizeof(dev->weight_attr_name), ++ "cdev%d_weight", dev->id); + sysfs_attr_init(&dev->weight_attr.attr); + dev->weight_attr.attr.name = dev->weight_attr_name; + dev->weight_attr.attr.mode = S_IWUSR | S_IRUGO; +-- +2.42.0 + diff --git a/queue-4.14/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch b/queue-4.14/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch new file mode 100644 index 00000000000..f897d99b6b6 --- /dev/null +++ b/queue-4.14/tty-tty_jobctrl-fix-pid-memleak-in-disassociate_ctty.patch @@ -0,0 +1,117 @@ +From f797ac736c19409ea2fadd30c04343bfbfbaef29 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 31 Aug 2023 10:33:29 +0800 +Subject: tty: tty_jobctrl: fix pid memleak in disassociate_ctty() + +From: Yi Yang + +[ Upstream commit 11e7f27b79757b6586645d87b95d5b78375ecdfc ] + +There is a pid leakage: +------------------------------ +unreferenced object 0xffff88810c181940 (size 224): + comm "sshd", pid 8191, jiffies 4294946950 (age 524.570s) + hex dump (first 32 bytes): + 01 00 00 00 00 00 00 00 00 00 00 00 ad 4e ad de .............N.. + ff ff ff ff 6b 6b 6b 6b ff ff ff ff ff ff ff ff ....kkkk........ + backtrace: + [] kmem_cache_alloc+0x5c6/0x9b0 + [] alloc_pid+0x72/0x570 + [] copy_process+0x1374/0x2470 + [] kernel_clone+0xb7/0x900 + [] __se_sys_clone+0x85/0xb0 + [] __x64_sys_clone+0x2b/0x30 + [] do_syscall_64+0x32/0x80 + [] entry_SYSCALL_64_after_hwframe+0x61/0xc6 + +It turns out that there is a race condition between disassociate_ctty() and +tty_signal_session_leader(), which caused this leakage. + +The pid memleak is triggered by the following race: +task[sshd] task[bash] +----------------------- ----------------------- + disassociate_ctty(); + spin_lock_irq(¤t->sighand->siglock); + put_pid(current->signal->tty_old_pgrp); + current->signal->tty_old_pgrp = NULL; + tty = tty_kref_get(current->signal->tty); + spin_unlock_irq(¤t->sighand->siglock); +tty_vhangup(); +tty_lock(tty); +... +tty_signal_session_leader(); +spin_lock_irq(&p->sighand->siglock); +... +if (tty->ctrl.pgrp) //tty->ctrl.pgrp is not NULL +p->signal->tty_old_pgrp = get_pid(tty->ctrl.pgrp); //An extra get +spin_unlock_irq(&p->sighand->siglock); +... +tty_unlock(tty); + if (tty) { + tty_lock(tty); + ... + put_pid(tty->ctrl.pgrp); + tty->ctrl.pgrp = NULL; //It's too late + ... + tty_unlock(tty); + } + +The issue is believed to be introduced by commit c8bcd9c5be24 ("tty: +Fix ->session locking") who moves the unlock of siglock in +disassociate_ctty() above "if (tty)", making a small window allowing +tty_signal_session_leader() to kick in. It can be easily reproduced by +adding a delay before "if (tty)" and at the entrance of +tty_signal_session_leader(). + +To fix this issue, we move "put_pid(current->signal->tty_old_pgrp)" after +"tty->ctrl.pgrp = NULL". + +Fixes: c8bcd9c5be24 ("tty: Fix ->session locking") +Signed-off-by: Yi Yang +Co-developed-by: GUO Zihua +Signed-off-by: GUO Zihua +Link: https://lore.kernel.org/r/20230831023329.165737-1-yiyang13@huawei.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/tty_jobctrl.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/tty_jobctrl.c b/drivers/tty/tty_jobctrl.c +index b71e61e79c5a3..29b3957f329c6 100644 +--- a/drivers/tty/tty_jobctrl.c ++++ b/drivers/tty/tty_jobctrl.c +@@ -289,12 +289,7 @@ void disassociate_ctty(int on_exit) + return; + } + +- spin_lock_irq(¤t->sighand->siglock); +- put_pid(current->signal->tty_old_pgrp); +- current->signal->tty_old_pgrp = NULL; +- tty = tty_kref_get(current->signal->tty); +- spin_unlock_irq(¤t->sighand->siglock); +- ++ tty = get_current_tty(); + if (tty) { + unsigned long flags; + +@@ -309,6 +304,16 @@ void disassociate_ctty(int on_exit) + tty_kref_put(tty); + } + ++ /* If tty->ctrl.pgrp is not NULL, it may be assigned to ++ * current->signal->tty_old_pgrp in a race condition, and ++ * cause pid memleak. Release current->signal->tty_old_pgrp ++ * after tty->ctrl.pgrp set to NULL. ++ */ ++ spin_lock_irq(¤t->sighand->siglock); ++ put_pid(current->signal->tty_old_pgrp); ++ current->signal->tty_old_pgrp = NULL; ++ spin_unlock_irq(¤t->sighand->siglock); ++ + /* Now clear signal->tty under the lock */ + read_lock(&tasklist_lock); + session_clear_tty(task_session(current)); +-- +2.42.0 + diff --git a/queue-4.14/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch b/queue-4.14/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch new file mode 100644 index 00000000000..9c8fc60b9ba --- /dev/null +++ b/queue-4.14/usb-dwc2-fix-possible-null-pointer-dereference-cause.patch @@ -0,0 +1,69 @@ +From 3d10c57b622be7559f787c5b5f157807ed54ba81 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 26 Sep 2023 10:44:04 +0800 +Subject: usb: dwc2: fix possible NULL pointer dereference caused by driver + concurrency + +From: Jia-Ju Bai + +[ Upstream commit ef307bc6ef04e8c1ea843231db58e3afaafa9fa6 ] + +In _dwc2_hcd_urb_enqueue(), "urb->hcpriv = NULL" is executed without +holding the lock "hsotg->lock". In _dwc2_hcd_urb_dequeue(): + + spin_lock_irqsave(&hsotg->lock, flags); + ... + if (!urb->hcpriv) { + dev_dbg(hsotg->dev, "## urb->hcpriv is NULL ##\n"); + goto out; + } + rc = dwc2_hcd_urb_dequeue(hsotg, urb->hcpriv); // Use urb->hcpriv + ... +out: + spin_unlock_irqrestore(&hsotg->lock, flags); + +When _dwc2_hcd_urb_enqueue() and _dwc2_hcd_urb_dequeue() are +concurrently executed, the NULL check of "urb->hcpriv" can be executed +before "urb->hcpriv = NULL". After urb->hcpriv is NULL, it can be used +in the function call to dwc2_hcd_urb_dequeue(), which can cause a NULL +pointer dereference. + +This possible bug is found by an experimental static analysis tool +developed by myself. This tool analyzes the locking APIs to extract +function pairs that can be concurrently executed, and then analyzes the +instructions in the paired functions to identify possible concurrency +bugs including data races and atomicity violations. The above possible +bug is reported, when my tool analyzes the source code of Linux 6.5. + +To fix this possible bug, "urb->hcpriv = NULL" should be executed with +holding the lock "hsotg->lock". After using this patch, my tool never +reports the possible bug, with the kernelconfiguration allyesconfig for +x86_64. Because I have no associated hardware, I cannot test the patch +in runtime testing, and just verify it according to the code logic. + +Fixes: 33ad261aa62b ("usb: dwc2: host: spinlock urb_enqueue") +Signed-off-by: Jia-Ju Bai +Link: https://lore.kernel.org/r/20230926024404.832096-1-baijiaju@buaa.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/dwc2/hcd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/usb/dwc2/hcd.c b/drivers/usb/dwc2/hcd.c +index 50ec2cd36db0a..6d2060377dc4a 100644 +--- a/drivers/usb/dwc2/hcd.c ++++ b/drivers/usb/dwc2/hcd.c +@@ -4842,8 +4842,8 @@ static int _dwc2_hcd_urb_enqueue(struct usb_hcd *hcd, struct urb *urb, + if (qh_allocated && qh->channel && qh->channel->qh == qh) + qh->channel->qh = NULL; + fail2: +- spin_unlock_irqrestore(&hsotg->lock, flags); + urb->hcpriv = NULL; ++ spin_unlock_irqrestore(&hsotg->lock, flags); + kfree(qtd); + qtd = NULL; + fail1: +-- +2.42.0 + diff --git a/queue-4.14/usb-usbip-fix-stub_dev-hub-disconnect.patch b/queue-4.14/usb-usbip-fix-stub_dev-hub-disconnect.patch new file mode 100644 index 00000000000..ef787aa3b7d --- /dev/null +++ b/queue-4.14/usb-usbip-fix-stub_dev-hub-disconnect.patch @@ -0,0 +1,46 @@ +From 223781a8676881eb13e9ec1ee8750bd98d7b2564 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Jun 2023 11:28:10 +0200 +Subject: USB: usbip: fix stub_dev hub disconnect + +From: Jonas Blixt + +[ Upstream commit 97475763484245916735a1aa9a3310a01d46b008 ] + +If a hub is disconnected that has device(s) that's attached to the usbip layer +the disconnect function might fail because it tries to release the port +on an already disconnected hub. + +Fixes: 6080cd0e9239 ("staging: usbip: claim ports used by shared devices") +Signed-off-by: Jonas Blixt +Acked-by: Shuah Khan +Link: https://lore.kernel.org/r/20230615092810.1215490-1-jonas.blixt@actia.se +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/usb/usbip/stub_dev.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/usb/usbip/stub_dev.c b/drivers/usb/usbip/stub_dev.c +index 16bb3197d6580..d179b281b9521 100644 +--- a/drivers/usb/usbip/stub_dev.c ++++ b/drivers/usb/usbip/stub_dev.c +@@ -511,8 +511,13 @@ static void stub_disconnect(struct usb_device *udev) + /* release port */ + rc = usb_hub_release_port(udev->parent, udev->portnum, + (struct usb_dev_state *) udev); +- if (rc) { +- dev_dbg(&udev->dev, "unable to release port\n"); ++ /* ++ * NOTE: If a HUB disconnect triggered disconnect of the down stream ++ * device usb_hub_release_port will return -ENODEV so we can safely ignore ++ * that error here. ++ */ ++ if (rc && (rc != -ENODEV)) { ++ dev_dbg(&udev->dev, "unable to release port (%i)\n", rc); + return; + } + +-- +2.42.0 + diff --git a/queue-4.14/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch b/queue-4.14/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch new file mode 100644 index 00000000000..a0672d2d035 --- /dev/null +++ b/queue-4.14/wifi-rtlwifi-fix-edca-limit-set-by-bt-coexistence.patch @@ -0,0 +1,70 @@ +From 4c5aa4f6ed4b23410d7f25cb6c6b2edc45cdb3b2 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 28 Sep 2023 08:23:19 +0300 +Subject: wifi: rtlwifi: fix EDCA limit set by BT coexistence + +From: Dmitry Antipov + +[ Upstream commit 3391ee7f9ea508c375d443cd712c2e699be235b4 ] + +In 'rtl92c_dm_check_edca_turbo()', 'rtl88e_dm_check_edca_turbo()', +and 'rtl8723e_dm_check_edca_turbo()', the DL limit should be set +from the corresponding field of 'rtlpriv->btcoexist' rather than +UL. Compile tested only. + +Fixes: 0529c6b81761 ("rtlwifi: rtl8723ae: Update driver to match 06/28/14 Realtek version") +Fixes: c151aed6aa14 ("rtlwifi: rtl8188ee: Update driver to match Realtek release of 06282014") +Fixes: beb5bc402043 ("rtlwifi: rtl8192c-common: Convert common dynamic management routines for addition of rtl8192se and rtl8192de") +Signed-off-by: Dmitry Antipov +Acked-by: Ping-Ke Shih +Signed-off-by: Kalle Valo +Link: https://lore.kernel.org/r/20230928052327.120178-1-dmantipov@yandex.ru +Signed-off-by: Sasha Levin +--- + drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c | 2 +- + drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +index f936a491371b7..92791217b378d 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8188ee/dm.c +@@ -827,7 +827,7 @@ static void rtl88e_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c +index 0b5a06ffa4826..ed3ef78e5394e 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8192c/dm_common.c +@@ -663,7 +663,7 @@ static void rtl92c_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +diff --git a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c +index 42a6fba90ba91..fedde63d9bc5b 100644 +--- a/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c ++++ b/drivers/net/wireless/realtek/rtlwifi/rtl8723ae/dm.c +@@ -592,7 +592,7 @@ static void rtl8723e_dm_check_edca_turbo(struct ieee80211_hw *hw) + } + + if (rtlpriv->btcoexist.bt_edca_dl != 0) { +- edca_be_ul = rtlpriv->btcoexist.bt_edca_dl; ++ edca_be_dl = rtlpriv->btcoexist.bt_edca_dl; + bt_change_edca = true; + } + +-- +2.42.0 +