From: Greg Kroah-Hartman Date: Tue, 8 Jun 2021 12:31:30 +0000 (+0200) Subject: 5.4-stable patches X-Git-Tag: v4.4.272~55 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1ce475cc208f575dcf1b89f8b0cf604b0ae3bdde;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch alsa-timer-fix-master-timer-notification.patch arm-dts-imx6dl-yapp4-fix-rgmii-connection-to-qca8334-switch.patch arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch hid-i2c-hid-skip-elan-power-on-command-after-reset.patch hid-magicmouse-fix-null-deref-on-disconnect.patch hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch net-caif-add-proper-error-handling.patch net-caif-added-cfserl_release-function.patch net-caif-fix-memory-leak-in-caif_device_notify.patch net-caif-fix-memory-leak-in-cfusbl_device_notify.patch net-kcm-fix-memory-leak-in-kcm_sendmsg.patch --- diff --git a/queue-5.4/alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch b/queue-5.4/alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch new file mode 100644 index 00000000000..9a319734c04 --- /dev/null +++ b/queue-5.4/alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch @@ -0,0 +1,32 @@ +From 901be145a46eb79879367d853194346a549e623d Mon Sep 17 00:00:00 2001 +From: Carlos M +Date: Mon, 31 May 2021 22:20:26 +0200 +Subject: ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx + +From: Carlos M + +commit 901be145a46eb79879367d853194346a549e623d upstream. + +For the HP Pavilion 15-CK0xx, with audio subsystem ID 0x103c:0x841c, +adding a line in patch_realtek.c to apply the ALC269_FIXUP_HP_MUTE_LED_MIC3 +fix activates the mute key LED. + +Signed-off-by: Carlos M +Cc: +Link: https://lore.kernel.org/r/20210531202026.35427-1-carlos.marr.pz@gmail.com +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -8062,6 +8062,7 @@ static const struct snd_pci_quirk alc269 + SND_PCI_QUIRK(0x103c, 0x82bf, "HP G3 mini", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x82c0, "HP G3 mini premium", ALC221_FIXUP_HP_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x103c, 0x83b9, "HP Spectre x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), ++ SND_PCI_QUIRK(0x103c, 0x841c, "HP Pavilion 15-CK0xx", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x8497, "HP Envy x360", ALC269_FIXUP_HP_MUTE_LED_MIC3), + SND_PCI_QUIRK(0x103c, 0x84da, "HP OMEN dc0019-ur", ALC295_FIXUP_HP_OMEN), + SND_PCI_QUIRK(0x103c, 0x84e7, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3), diff --git a/queue-5.4/alsa-timer-fix-master-timer-notification.patch b/queue-5.4/alsa-timer-fix-master-timer-notification.patch new file mode 100644 index 00000000000..d7c59b11e34 --- /dev/null +++ b/queue-5.4/alsa-timer-fix-master-timer-notification.patch @@ -0,0 +1,39 @@ +From 9c1fe96bded935369f8340c2ac2e9e189f697d5d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 2 Jun 2021 13:38:23 +0200 +Subject: ALSA: timer: Fix master timer notification + +From: Takashi Iwai + +commit 9c1fe96bded935369f8340c2ac2e9e189f697d5d upstream. + +snd_timer_notify1() calls the notification to each slave for a master +event, but it passes a wrong event number. It should be +10 offset, +corresponding to SNDRV_TIMER_EVENT_MXXX, but it's incorrectly with ++100 offset. Casually this was spotted by UBSAN check via syzkaller. + +Reported-by: syzbot+d102fa5b35335a7e544e@syzkaller.appspotmail.com +Reviewed-by: Jaroslav Kysela +Cc: +Link: https://lore.kernel.org/r/000000000000e5560e05c3bd1d63@google.com +Link: https://lore.kernel.org/r/20210602113823.23777-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman +--- + sound/core/timer.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/sound/core/timer.c ++++ b/sound/core/timer.c +@@ -491,9 +491,10 @@ static void snd_timer_notify1(struct snd + return; + if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) + return; ++ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ + list_for_each_entry(ts, &ti->slave_active_head, active_list) + if (ts->ccallback) +- ts->ccallback(ts, event + 100, &tstamp, resolution); ++ ts->ccallback(ts, event, &tstamp, resolution); + } + + /* start/continue a master timer */ diff --git a/queue-5.4/arm-dts-imx6dl-yapp4-fix-rgmii-connection-to-qca8334-switch.patch b/queue-5.4/arm-dts-imx6dl-yapp4-fix-rgmii-connection-to-qca8334-switch.patch new file mode 100644 index 00000000000..7a50e7960e3 --- /dev/null +++ b/queue-5.4/arm-dts-imx6dl-yapp4-fix-rgmii-connection-to-qca8334-switch.patch @@ -0,0 +1,47 @@ +From 0e4a4a08cd78efcaddbc2e4c5ed86b5a5cb8a15e Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Vok=C3=A1=C4=8D?= +Date: Tue, 13 Apr 2021 16:45:57 +0200 +Subject: ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Michal Vokáč + +commit 0e4a4a08cd78efcaddbc2e4c5ed86b5a5cb8a15e upstream. + +The FEC does not have a PHY so it should not have a phy-handle. It is +connected to the switch at RGMII level so we need a fixed-link sub-node +on both ends. + +This was not a problem until the qca8k.c driver was converted to PHYLINK +by commit b3591c2a3661 ("net: dsa: qca8k: Switch to PHYLINK instead of +PHYLIB"). That commit revealed the FEC configuration was not correct. + +Fixes: 87489ec3a77f ("ARM: dts: imx: Add Y Soft IOTA Draco, Hydra and Ursa boards") +Cc: stable@vger.kernel.org +Signed-off-by: Michal Vokáč +Reviewed-by: Andrew Lunn +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6dl-yapp4-common.dtsi | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi ++++ b/arch/arm/boot/dts/imx6dl-yapp4-common.dtsi +@@ -99,9 +99,13 @@ + phy-reset-gpios = <&gpio1 25 GPIO_ACTIVE_LOW>; + phy-reset-duration = <20>; + phy-supply = <&sw2_reg>; +- phy-handle = <ðphy0>; + status = "okay"; + ++ fixed-link { ++ speed = <1000>; ++ full-duplex; ++ }; ++ + mdio { + #address-cells = <1>; + #size-cells = <0>; diff --git a/queue-5.4/arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch b/queue-5.4/arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch new file mode 100644 index 00000000000..d94e8259568 --- /dev/null +++ b/queue-5.4/arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch @@ -0,0 +1,54 @@ +From 8967b27a6c1c19251989c7ab33c058d16e4a5f53 Mon Sep 17 00:00:00 2001 +From: Marek Vasut +Date: Mon, 26 Apr 2021 12:23:21 +0200 +Subject: ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators + +From: Marek Vasut + +commit 8967b27a6c1c19251989c7ab33c058d16e4a5f53 upstream. + +Per schematic, both PU and SOC regulator are supplied from LTC3676 SW1 +via VDDSOC_IN rail, add the PU input. Both VDD1P1, VDD2P5 are supplied +from LTC3676 SW2 via VDDHIGH_IN rail, add both inputs. + +While no instability or problems are currently observed, the regulators +should be fully described in DT and that description should fully match +the hardware, else this might lead to unforseen issues later. Fix this. + +Fixes: 52c7a088badd ("ARM: dts: imx6q: Add support for the DHCOM iMX6 SoM and PDK2") +Reviewed-by: Fabio Estevam +Signed-off-by: Marek Vasut +Cc: Christoph Niedermaier +Cc: Fabio Estevam +Cc: Ludwig Zenz +Cc: NXP Linux Team +Cc: Shawn Guo +Cc: stable@vger.kernel.org +Reviewed-by: Christoph Niedermaier +Signed-off-by: Shawn Guo +Signed-off-by: Greg Kroah-Hartman +--- + arch/arm/boot/dts/imx6q-dhcom-som.dtsi | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/arch/arm/boot/dts/imx6q-dhcom-som.dtsi ++++ b/arch/arm/boot/dts/imx6q-dhcom-som.dtsi +@@ -408,6 +408,18 @@ + vin-supply = <&sw1_reg>; + }; + ++®_pu { ++ vin-supply = <&sw1_reg>; ++}; ++ ++®_vdd1p1 { ++ vin-supply = <&sw2_reg>; ++}; ++ ++®_vdd2p5 { ++ vin-supply = <&sw2_reg>; ++}; ++ + &uart1 { + pinctrl-names = "default"; + pinctrl-0 = <&pinctrl_uart1>; diff --git a/queue-5.4/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch b/queue-5.4/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch new file mode 100644 index 00000000000..0712fdbbfba --- /dev/null +++ b/queue-5.4/ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch @@ -0,0 +1,112 @@ +From 082cd4ec240b8734a82a89ffb890216ac98fec68 Mon Sep 17 00:00:00 2001 +From: Ye Bin +Date: Thu, 6 May 2021 22:10:42 +0800 +Subject: ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed + +From: Ye Bin + +commit 082cd4ec240b8734a82a89ffb890216ac98fec68 upstream. + +We got follow bug_on when run fsstress with injecting IO fault: +[130747.323114] kernel BUG at fs/ext4/extents_status.c:762! +[130747.323117] Internal error: Oops - BUG: 0 [#1] SMP +...... +[130747.334329] Call trace: +[130747.334553] ext4_es_cache_extent+0x150/0x168 [ext4] +[130747.334975] ext4_cache_extents+0x64/0xe8 [ext4] +[130747.335368] ext4_find_extent+0x300/0x330 [ext4] +[130747.335759] ext4_ext_map_blocks+0x74/0x1178 [ext4] +[130747.336179] ext4_map_blocks+0x2f4/0x5f0 [ext4] +[130747.336567] ext4_mpage_readpages+0x4a8/0x7a8 [ext4] +[130747.336995] ext4_readpage+0x54/0x100 [ext4] +[130747.337359] generic_file_buffered_read+0x410/0xae8 +[130747.337767] generic_file_read_iter+0x114/0x190 +[130747.338152] ext4_file_read_iter+0x5c/0x140 [ext4] +[130747.338556] __vfs_read+0x11c/0x188 +[130747.338851] vfs_read+0x94/0x150 +[130747.339110] ksys_read+0x74/0xf0 + +This patch's modification is according to Jan Kara's suggestion in: +https://patchwork.ozlabs.org/project/linux-ext4/patch/20210428085158.3728201-1-yebin10@huawei.com/ +"I see. Now I understand your patch. Honestly, seeing how fragile is trying +to fix extent tree after split has failed in the middle, I would probably +go even further and make sure we fix the tree properly in case of ENOSPC +and EDQUOT (those are easily user triggerable). Anything else indicates a +HW problem or fs corruption so I'd rather leave the extent tree as is and +don't try to fix it (which also means we will not create overlapping +extents)." + +Cc: stable@kernel.org +Signed-off-by: Ye Bin +Reviewed-by: Jan Kara +Link: https://lore.kernel.org/r/20210506141042.3298679-1-yebin10@huawei.com +Signed-off-by: Theodore Ts'o +Signed-off-by: Greg Kroah-Hartman +--- + fs/ext4/extents.c | 43 +++++++++++++++++++++++-------------------- + 1 file changed, 23 insertions(+), 20 deletions(-) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -3378,7 +3378,10 @@ static int ext4_split_extent_at(handle_t + ext4_ext_mark_unwritten(ex2); + + err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags); +- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) { ++ if (err != -ENOSPC && err != -EDQUOT) ++ goto out; ++ ++ if (EXT4_EXT_MAY_ZEROOUT & split_flag) { + if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { + if (split_flag & EXT4_EXT_DATA_VALID1) { + err = ext4_ext_zeroout(inode, ex2); +@@ -3404,30 +3407,30 @@ static int ext4_split_extent_at(handle_t + ext4_ext_pblock(&orig_ex)); + } + +- if (err) +- goto fix_extent_len; +- /* update the extent length and mark as initialized */ +- ex->ee_len = cpu_to_le16(ee_len); +- ext4_ext_try_to_merge(handle, inode, path, ex); +- err = ext4_ext_dirty(handle, inode, path + path->p_depth); +- if (err) +- goto fix_extent_len; +- +- /* update extent status tree */ +- err = ext4_zeroout_es(inode, &zero_ex); +- +- goto out; +- } else if (err) +- goto fix_extent_len; +- +-out: +- ext4_ext_show_leaf(inode, path); +- return err; ++ if (!err) { ++ /* update the extent length and mark as initialized */ ++ ex->ee_len = cpu_to_le16(ee_len); ++ ext4_ext_try_to_merge(handle, inode, path, ex); ++ err = ext4_ext_dirty(handle, inode, path + path->p_depth); ++ if (!err) ++ /* update extent status tree */ ++ err = ext4_zeroout_es(inode, &zero_ex); ++ /* If we failed at this point, we don't know in which ++ * state the extent tree exactly is so don't try to fix ++ * length of the original extent as it may do even more ++ * damage. ++ */ ++ goto out; ++ } ++ } + + fix_extent_len: + ex->ee_len = orig_ex.ee_len; + ext4_ext_dirty(handle, inode, path + path->p_depth); + return err; ++out: ++ ext4_ext_show_leaf(inode, path); ++ return err; + } + + /* diff --git a/queue-5.4/hid-i2c-hid-skip-elan-power-on-command-after-reset.patch b/queue-5.4/hid-i2c-hid-skip-elan-power-on-command-after-reset.patch new file mode 100644 index 00000000000..b4ebb7c5a3c --- /dev/null +++ b/queue-5.4/hid-i2c-hid-skip-elan-power-on-command-after-reset.patch @@ -0,0 +1,63 @@ +From ca66a6770bd9d6d99e469debd1c7363ac455daf9 Mon Sep 17 00:00:00 2001 +From: Johnny Chuang +Date: Tue, 13 Apr 2021 09:20:50 +0800 +Subject: HID: i2c-hid: Skip ELAN power-on command after reset + +From: Johnny Chuang + +commit ca66a6770bd9d6d99e469debd1c7363ac455daf9 upstream. + +For ELAN touchscreen, we found our boot code of IC was not flexible enough +to receive and handle this command. +Once the FW main code of our controller is crashed for some reason, +the controller could not be enumerated successfully to be recognized +by the system host. therefore, it lost touch functionality. + +Add quirk for skip send power-on command after reset. +It will impact to ELAN touchscreen and touchpad on HID over I2C projects. + +Fixes: 43b7029f475e ("HID: i2c-hid: Send power-on command after reset"). + +Cc: stable@vger.kernel.org +Signed-off-by: Johnny Chuang +Reviewed-by: Harry Cutts +Reviewed-by: Douglas Anderson +Tested-by: Douglas Anderson +Signed-off-by: Benjamin Tissoires +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/i2c-hid/i2c-hid-core.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/hid/i2c-hid/i2c-hid-core.c ++++ b/drivers/hid/i2c-hid/i2c-hid-core.c +@@ -50,6 +50,7 @@ + #define I2C_HID_QUIRK_BOGUS_IRQ BIT(4) + #define I2C_HID_QUIRK_RESET_ON_RESUME BIT(5) + #define I2C_HID_QUIRK_BAD_INPUT_SIZE BIT(6) ++#define I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET BIT(7) + + + /* flags */ +@@ -185,6 +186,11 @@ static const struct i2c_hid_quirks { + I2C_HID_QUIRK_RESET_ON_RESUME }, + { USB_VENDOR_ID_ITE, I2C_DEVICE_ID_ITE_LENOVO_LEGION_Y720, + I2C_HID_QUIRK_BAD_INPUT_SIZE }, ++ /* ++ * Sending the wakeup after reset actually break ELAN touchscreen controller ++ */ ++ { USB_VENDOR_ID_ELAN, HID_ANY_ID, ++ I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET }, + { 0, 0 } + }; + +@@ -468,7 +474,8 @@ static int i2c_hid_hwreset(struct i2c_cl + } + + /* At least some SIS devices need this after reset */ +- ret = i2c_hid_set_power(client, I2C_HID_PWR_ON); ++ if (!(ihid->quirks & I2C_HID_QUIRK_NO_WAKEUP_AFTER_RESET)) ++ ret = i2c_hid_set_power(client, I2C_HID_PWR_ON); + + out_unlock: + mutex_unlock(&ihid->reset_lock); diff --git a/queue-5.4/hid-magicmouse-fix-null-deref-on-disconnect.patch b/queue-5.4/hid-magicmouse-fix-null-deref-on-disconnect.patch new file mode 100644 index 00000000000..eb09119545e --- /dev/null +++ b/queue-5.4/hid-magicmouse-fix-null-deref-on-disconnect.patch @@ -0,0 +1,39 @@ +From 4b4f6cecca446abcb686c6e6c451d4f1ec1a7497 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 17 May 2021 12:04:30 +0200 +Subject: HID: magicmouse: fix NULL-deref on disconnect + +From: Johan Hovold + +commit 4b4f6cecca446abcb686c6e6c451d4f1ec1a7497 upstream. + +Commit 9d7b18668956 ("HID: magicmouse: add support for Apple Magic +Trackpad 2") added a sanity check for an Apple trackpad but returned +success instead of -ENODEV when the check failed. This means that the +remove callback will dereference the never-initialised driver data +pointer when the driver is later unbound (e.g. on USB disconnect). + +Reported-by: syzbot+ee6f6e2e68886ca256a8@syzkaller.appspotmail.com +Fixes: 9d7b18668956 ("HID: magicmouse: add support for Apple Magic Trackpad 2") +Cc: stable@vger.kernel.org # 4.20 +Cc: Claudio Mettler +Cc: Marek Wyborski +Cc: Sean O'Brien +Signed-off-by: Johan Hovold +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-magicmouse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-magicmouse.c ++++ b/drivers/hid/hid-magicmouse.c +@@ -597,7 +597,7 @@ static int magicmouse_probe(struct hid_d + if (id->vendor == USB_VENDOR_ID_APPLE && + id->product == USB_DEVICE_ID_APPLE_MAGICTRACKPAD2 && + hdev->type != HID_TYPE_USBMOUSE) +- return 0; ++ return -ENODEV; + + msc = devm_kzalloc(&hdev->dev, sizeof(*msc), GFP_KERNEL); + if (msc == NULL) { diff --git a/queue-5.4/hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch b/queue-5.4/hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch new file mode 100644 index 00000000000..853d3ed8afd --- /dev/null +++ b/queue-5.4/hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch @@ -0,0 +1,50 @@ +From a2353e3b26012ff43bcdf81d37a3eaddd7ecdbf3 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ahelenia=20Ziemia=C5=84ska?= + +Date: Mon, 8 Mar 2021 18:42:03 +0100 +Subject: HID: multitouch: require Finger field to mark Win8 reports as MT +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ahelenia Ziemiańska + +commit a2353e3b26012ff43bcdf81d37a3eaddd7ecdbf3 upstream. + +This effectively changes collection_is_mt from + contact ID in report->field +to + (device is Win8 => collection is finger) && contact ID in report->field + +Some devices erroneously report Pen for fingers, and Win8 stylus-on-touchscreen +devices report contact ID, but mark the accompanying touchscreen device's +collection correctly + +Cc: stable@vger.kernel.org +Signed-off-by: Ahelenia Ziemiańska +Acked-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hid/hid-multitouch.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -611,9 +611,13 @@ static struct mt_report_data *mt_allocat + if (!(HID_MAIN_ITEM_VARIABLE & field->flags)) + continue; + +- for (n = 0; n < field->report_count; n++) { +- if (field->usage[n].hid == HID_DG_CONTACTID) +- rdata->is_mt_collection = true; ++ if (field->logical == HID_DG_FINGER || td->hdev->group != HID_GROUP_MULTITOUCH_WIN_8) { ++ for (n = 0; n < field->report_count; n++) { ++ if (field->usage[n].hid == HID_DG_CONTACTID) { ++ rdata->is_mt_collection = true; ++ break; ++ } ++ } + } + } + diff --git a/queue-5.4/net-caif-add-proper-error-handling.patch b/queue-5.4/net-caif-add-proper-error-handling.patch new file mode 100644 index 00000000000..c741958cd91 --- /dev/null +++ b/queue-5.4/net-caif-add-proper-error-handling.patch @@ -0,0 +1,152 @@ +From a2805dca5107d5603f4bbc027e81e20d93476e96 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:38:51 +0300 +Subject: net: caif: add proper error handling + +From: Pavel Skripkin + +commit a2805dca5107d5603f4bbc027e81e20d93476e96 upstream. + +caif_enroll_dev() can fail in some cases. Ingnoring +these cases can lead to memory leak due to not assigning +link_support pointer to anywhere. + +Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/caif/caif_dev.h | 2 +- + include/net/caif/cfcnfg.h | 2 +- + net/caif/caif_dev.c | 8 +++++--- + net/caif/cfcnfg.c | 16 +++++++++++----- + 4 files changed, 18 insertions(+), 10 deletions(-) + +--- a/include/net/caif/caif_dev.h ++++ b/include/net/caif/caif_dev.h +@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *ad + * The link_support layer is used to add any Link Layer specific + * framing. + */ +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, + struct cflayer *link_support, int head_room, + struct cflayer **layer, int (**rcv_func)( + struct sk_buff *, struct net_device *, +--- a/include/net/caif/cfcnfg.h ++++ b/include/net/caif/cfcnfg.h +@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg); + * @fcs: Specify if checksum is used in CAIF Framing Layer. + * @head_room: Head space needed by link specific protocol. + */ +-void ++int + cfcnfg_add_phy_layer(struct cfcnfg *cnfg, + struct net_device *dev, struct cflayer *phy_layer, + enum cfcnfg_phy_preference pref, +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -307,7 +307,7 @@ static void dev_flowctrl(struct net_devi + caifd_put(caifd); + } + +-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, ++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, + struct cflayer *link_support, int head_room, + struct cflayer **layer, + int (**rcv_func)(struct sk_buff *, struct net_device *, +@@ -318,11 +318,12 @@ void caif_enroll_dev(struct net_device * + enum cfcnfg_phy_preference pref; + struct cfcnfg *cfg = get_cfcnfg(dev_net(dev)); + struct caif_device_entry_list *caifdevs; ++ int res; + + caifdevs = caif_device_list(dev_net(dev)); + caifd = caif_device_alloc(dev); + if (!caifd) +- return; ++ return -ENOMEM; + *layer = &caifd->layer; + spin_lock_init(&caifd->flow_lock); + +@@ -343,7 +344,7 @@ void caif_enroll_dev(struct net_device * + strlcpy(caifd->layer.name, dev->name, + sizeof(caifd->layer.name)); + caifd->layer.transmit = transmit; +- cfcnfg_add_phy_layer(cfg, ++ res = cfcnfg_add_phy_layer(cfg, + dev, + &caifd->layer, + pref, +@@ -353,6 +354,7 @@ void caif_enroll_dev(struct net_device * + mutex_unlock(&caifdevs->lock); + if (rcv_func) + *rcv_func = receive; ++ return res; + } + EXPORT_SYMBOL(caif_enroll_dev); + +--- a/net/caif/cfcnfg.c ++++ b/net/caif/cfcnfg.c +@@ -450,7 +450,7 @@ unlock: + rcu_read_unlock(); + } + +-void ++int + cfcnfg_add_phy_layer(struct cfcnfg *cnfg, + struct net_device *dev, struct cflayer *phy_layer, + enum cfcnfg_phy_preference pref, +@@ -459,7 +459,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg + { + struct cflayer *frml; + struct cfcnfg_phyinfo *phyinfo = NULL; +- int i; ++ int i, res = 0; + u8 phyid; + + mutex_lock(&cnfg->lock); +@@ -473,12 +473,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg + goto got_phyid; + } + pr_warn("Too many CAIF Link Layers (max 6)\n"); ++ res = -EEXIST; + goto out; + + got_phyid: + phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC); +- if (!phyinfo) ++ if (!phyinfo) { ++ res = -ENOMEM; + goto out_err; ++ } + + phy_layer->id = phyid; + phyinfo->pref = pref; +@@ -492,8 +495,10 @@ got_phyid: + + frml = cffrml_create(phyid, fcs); + +- if (!frml) ++ if (!frml) { ++ res = -ENOMEM; + goto out_err; ++ } + phyinfo->frm_layer = frml; + layer_set_up(frml, cnfg->mux); + +@@ -511,11 +516,12 @@ got_phyid: + list_add_rcu(&phyinfo->node, &cnfg->phys); + out: + mutex_unlock(&cnfg->lock); +- return; ++ return res; + + out_err: + kfree(phyinfo); + mutex_unlock(&cnfg->lock); ++ return res; + } + EXPORT_SYMBOL(cfcnfg_add_phy_layer); + diff --git a/queue-5.4/net-caif-added-cfserl_release-function.patch b/queue-5.4/net-caif-added-cfserl_release-function.patch new file mode 100644 index 00000000000..113cf4ec852 --- /dev/null +++ b/queue-5.4/net-caif-added-cfserl_release-function.patch @@ -0,0 +1,42 @@ +From bce130e7f392ddde8cfcb09927808ebd5f9c8669 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:38:12 +0300 +Subject: net: caif: added cfserl_release function + +From: Pavel Skripkin + +commit bce130e7f392ddde8cfcb09927808ebd5f9c8669 upstream. + +Added cfserl_release() function. + +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/caif/cfserl.h | 1 + + net/caif/cfserl.c | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/include/net/caif/cfserl.h ++++ b/include/net/caif/cfserl.h +@@ -9,4 +9,5 @@ + #include + + struct cflayer *cfserl_create(int instance, bool use_stx); ++void cfserl_release(struct cflayer *layer); + #endif +--- a/net/caif/cfserl.c ++++ b/net/caif/cfserl.c +@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflaye + static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl, + int phyid); + ++void cfserl_release(struct cflayer *layer) ++{ ++ kfree(layer); ++} ++ + struct cflayer *cfserl_create(int instance, bool use_stx) + { + struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC); diff --git a/queue-5.4/net-caif-fix-memory-leak-in-caif_device_notify.patch b/queue-5.4/net-caif-fix-memory-leak-in-caif_device_notify.patch new file mode 100644 index 00000000000..bf713a17e47 --- /dev/null +++ b/queue-5.4/net-caif-fix-memory-leak-in-caif_device_notify.patch @@ -0,0 +1,46 @@ +From b53558a950a89824938e9811eddfc8efcd94e1bb Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:39:11 +0300 +Subject: net: caif: fix memory leak in caif_device_notify + +From: Pavel Skripkin + +commit b53558a950a89824938e9811eddfc8efcd94e1bb upstream. + +In case of caif_enroll_dev() fail, allocated +link_support won't be assigned to the corresponding +structure. So simply free allocated pointer in case +of error + +Fixes: 7c18d2205ea7 ("caif: Restructure how link caif link layer enroll") +Cc: stable@vger.kernel.org +Reported-and-tested-by: syzbot+7ec324747ce876a29db6@syzkaller.appspotmail.com +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_dev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/caif/caif_dev.c ++++ b/net/caif/caif_dev.c +@@ -369,6 +369,7 @@ static int caif_device_notify(struct not + struct cflayer *layer, *link_support; + int head_room = 0; + struct caif_device_entry_list *caifdevs; ++ int res; + + cfg = get_cfcnfg(dev_net(dev)); + caifdevs = caif_device_list(dev_net(dev)); +@@ -394,8 +395,10 @@ static int caif_device_notify(struct not + break; + } + } +- caif_enroll_dev(dev, caifdev, link_support, head_room, ++ res = caif_enroll_dev(dev, caifdev, link_support, head_room, + &layer, NULL); ++ if (res) ++ cfserl_release(link_support); + caifdev->flowctrl = dev_flowctrl; + break; + diff --git a/queue-5.4/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch b/queue-5.4/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch new file mode 100644 index 00000000000..f0caac0693c --- /dev/null +++ b/queue-5.4/net-caif-fix-memory-leak-in-cfusbl_device_notify.patch @@ -0,0 +1,68 @@ +From 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Thu, 3 Jun 2021 19:39:35 +0300 +Subject: net: caif: fix memory leak in cfusbl_device_notify + +From: Pavel Skripkin + +commit 7f5d86669fa4d485523ddb1d212e0a2d90bd62bb upstream. + +In case of caif_enroll_dev() fail, allocated +link_support won't be assigned to the corresponding +structure. So simply free allocated pointer in case +of error. + +Fixes: 7ad65bf68d70 ("caif: Add support for CAIF over CDC NCM USB interface") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/caif/caif_usb.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/net/caif/caif_usb.c ++++ b/net/caif/caif_usb.c +@@ -115,6 +115,11 @@ static struct cflayer *cfusbl_create(int + return (struct cflayer *) this; + } + ++static void cfusbl_release(struct cflayer *layer) ++{ ++ kfree(layer); ++} ++ + static struct packet_type caif_usb_type __read_mostly = { + .type = cpu_to_be16(ETH_P_802_EX1), + }; +@@ -127,6 +132,7 @@ static int cfusbl_device_notify(struct n + struct cflayer *layer, *link_support; + struct usbnet *usbnet; + struct usb_device *usbdev; ++ int res; + + /* Check whether we have a NCM device, and find its VID/PID. */ + if (!(dev->dev.parent && dev->dev.parent->driver && +@@ -169,8 +175,11 @@ static int cfusbl_device_notify(struct n + if (dev->num_tx_queues > 1) + pr_warn("USB device uses more than one tx queue\n"); + +- caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, ++ res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, + &layer, &caif_usb_type.func); ++ if (res) ++ goto err; ++ + if (!pack_added) + dev_add_pack(&caif_usb_type); + pack_added = true; +@@ -178,6 +187,9 @@ static int cfusbl_device_notify(struct n + strlcpy(layer->name, dev->name, sizeof(layer->name)); + + return 0; ++err: ++ cfusbl_release(link_support); ++ return res; + } + + static struct notifier_block caif_device_notifier = { diff --git a/queue-5.4/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch b/queue-5.4/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch new file mode 100644 index 00000000000..da2decb70df --- /dev/null +++ b/queue-5.4/net-kcm-fix-memory-leak-in-kcm_sendmsg.patch @@ -0,0 +1,52 @@ +From c47cc304990a2813995b1a92bbc11d0bb9a19ea9 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Wed, 2 Jun 2021 22:26:40 +0300 +Subject: net: kcm: fix memory leak in kcm_sendmsg + +From: Pavel Skripkin + +commit c47cc304990a2813995b1a92bbc11d0bb9a19ea9 upstream. + +Syzbot reported memory leak in kcm_sendmsg()[1]. +The problem was in non-freed frag_list in case of error. + +In the while loop: + + if (head == skb) + skb_shinfo(head)->frag_list = tskb; + else + skb->next = tskb; + +frag_list filled with skbs, but nothing was freeing them. + +backtrace: + [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198 + [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline] + [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1] + [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline] + [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672 + +Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com +Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") +Cc: stable@vger.kernel.org +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/kcm/kcmsock.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/kcm/kcmsock.c ++++ b/net/kcm/kcmsock.c +@@ -1068,6 +1068,11 @@ out_error: + goto partial_message; + } + ++ if (skb_has_frag_list(head)) { ++ kfree_skb_list(skb_shinfo(head)->frag_list); ++ skb_shinfo(head)->frag_list = NULL; ++ } ++ + if (head != kcm->seq_skb) + kfree_skb(head); + diff --git a/queue-5.4/series b/queue-5.4/series index 9fd4e29abbd..fcf0db72665 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -37,3 +37,16 @@ tipc-add-extack-messages-for-bearer-media-failure.patch tipc-fix-unique-bearer-names-sanity-check.patch bluetooth-fix-the-erroneous-flush_work-order.patch bluetooth-use-correct-lock-to-prevent-uaf-of-hdev-object.patch +net-kcm-fix-memory-leak-in-kcm_sendmsg.patch +net-caif-added-cfserl_release-function.patch +net-caif-add-proper-error-handling.patch +net-caif-fix-memory-leak-in-caif_device_notify.patch +net-caif-fix-memory-leak-in-cfusbl_device_notify.patch +hid-i2c-hid-skip-elan-power-on-command-after-reset.patch +hid-magicmouse-fix-null-deref-on-disconnect.patch +hid-multitouch-require-finger-field-to-mark-win8-reports-as-mt.patch +alsa-timer-fix-master-timer-notification.patch +alsa-hda-fix-for-mute-key-led-for-hp-pavilion-15-ck0xx.patch +arm-dts-imx6dl-yapp4-fix-rgmii-connection-to-qca8334-switch.patch +arm-dts-imx6q-dhcom-add-pu-vdd1p1-vdd2p5-regulators.patch +ext4-fix-bug-on-in-ext4_es_cache_extent-as-ext4_split_extent_at-failed.patch