From: Sasha Levin Date: Sun, 14 Aug 2022 03:03:41 +0000 (-0400) Subject: Revert "Fixes for 4.9" X-Git-Tag: v5.15.61~129 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3b9e1eb1936ab3de741f1b8deafa70b085976f8b;p=thirdparty%2Fkernel%2Fstable-queue.git Revert "Fixes for 4.9" This reverts commit 02fa3aafd90901abac967755d2235a419eb3ef45. --- diff --git a/queue-4.9/acpi-lpss-fix-missing-check-in-register_device_clock.patch b/queue-4.9/acpi-lpss-fix-missing-check-in-register_device_clock.patch deleted file mode 100644 index ca729fc39b6..00000000000 --- a/queue-4.9/acpi-lpss-fix-missing-check-in-register_device_clock.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 6ab2d9e571efc3a43e640919b8dde25b8cc671e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 23 Jun 2022 21:21:27 +0800 -Subject: ACPI: LPSS: Fix missing check in register_device_clock() - -From: huhai - -[ Upstream commit b4f1f61ed5928b1128e60e38d0dffa16966f06dc ] - -register_device_clock() misses a check for platform_device_register_simple(). -Add a check to fix it. - -Signed-off-by: huhai -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - drivers/acpi/acpi_lpss.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/acpi_lpss.c b/drivers/acpi/acpi_lpss.c -index a9158858f54c..6ca4b3dc11ca 100644 ---- a/drivers/acpi/acpi_lpss.c -+++ b/drivers/acpi/acpi_lpss.c -@@ -330,6 +330,9 @@ static int register_device_clock(struct acpi_device *adev, - if (!lpss_clk_dev) - lpt_register_clock_device(); - -+ if (IS_ERR(lpss_clk_dev)) -+ return PTR_ERR(lpss_clk_dev); -+ - clk_data = platform_get_drvdata(lpss_clk_dev); - if (!clk_data) - return -ENODEV; --- -2.35.1 - diff --git a/queue-4.9/acpi-video-force-backlight-native-for-some-tongfang-.patch b/queue-4.9/acpi-video-force-backlight-native-for-some-tongfang-.patch deleted file mode 100644 index c2ca7b78a20..00000000000 --- a/queue-4.9/acpi-video-force-backlight-native-for-some-tongfang-.patch +++ /dev/null @@ -1,95 +0,0 @@ -From 93766b6291e89cd3c9cc9616a400cd5d81624df7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 20:09:52 +0200 -Subject: ACPI: video: Force backlight native for some TongFang devices - -From: Werner Sembach - -commit c752089f7cf5b5800c6ace4cdd1a8351ee78a598 upstream. - -The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, -Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo -NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2: -They have a working native and video interface. However the default -detection mechanism first registers the video interface before -unregistering it again and switching to the native interface during boot. -This results in a dangling SBIOS request for backlight change for some -reason, causing the backlight to switch to ~2% once per boot on the first -power cord connect or disconnect event. Setting the native interface -explicitly circumvents this buggy behaviour by avoiding the unregistering -process. - -Signed-off-by: Werner Sembach -Cc: All applicable -Reviewed-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/video_detect.c | 51 ++++++++++++++++++++++++++++++++++++- - 1 file changed, 50 insertions(+), 1 deletion(-) - -diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c -index 2837b2f98213..22760cc959c4 100644 ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -210,7 +210,56 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, -- -+ /* -+ * The TongFang PF5PU1G, PF4NU1F, PF5NU1G, and PF5LUXG/TUXEDO BA15 Gen10, -+ * Pulse 14/15 Gen1, and Pulse 15 Gen2 have the same problem as the Clevo -+ * NL5xRU and NL5xNU/TUXEDO Aura 15 Gen1 and Gen2. See the description -+ * above. -+ */ -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF5PU1G", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_NAME, "PF5PU1G"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF4NU1F", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_NAME, "PF4NU1F"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF4NU1F", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), -+ DMI_MATCH(DMI_BOARD_NAME, "PULSE1401"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF5NU1G", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_NAME, "PF5NU1G"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF5NU1G", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), -+ DMI_MATCH(DMI_BOARD_NAME, "PULSE1501"), -+ }, -+ }, -+ { -+ .callback = video_detect_force_native, -+ .ident = "TongFang PF5LUXG", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_NAME, "PF5LUXG"), -+ }, -+ }, - /* - * These models have a working acpi_video backlight control, and using - * native backlight causes a regression where backlight does not work --- -2.35.1 - diff --git a/queue-4.9/acpi-video-shortening-quirk-list-by-identifying-clev.patch b/queue-4.9/acpi-video-shortening-quirk-list-by-identifying-clev.patch deleted file mode 100644 index bad13c8c9c9..00000000000 --- a/queue-4.9/acpi-video-shortening-quirk-list-by-identifying-clev.patch +++ /dev/null @@ -1,81 +0,0 @@ -From 0856d2c00d39ed0687caefbbc123e421a3f688f4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 20:09:53 +0200 -Subject: ACPI: video: Shortening quirk list by identifying Clevo by board_name - only - -From: Werner Sembach - -commit f0341e67b3782603737f7788e71bd3530012a4f4 upstream. - -Taking a recent change in the i8042 quirklist to this one: Clevo -board_names are somewhat unique, and if not: The generic Board_-/Sys_Vendor -string "Notebook" doesn't help much anyway. So identifying the devices just -by the board_name helps keeping the list significantly shorter and might -even hit more devices requiring the fix. - -Signed-off-by: Werner Sembach -Fixes: c844d22fe0c0 ("ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU") -Cc: All applicable -Reviewed-by: Hans de Goede -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Greg Kroah-Hartman ---- - drivers/acpi/video_detect.c | 34 ---------------------------------- - 1 file changed, 34 deletions(-) - -diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c -index 22760cc959c4..10ce6533874f 100644 ---- a/drivers/acpi/video_detect.c -+++ b/drivers/acpi/video_detect.c -@@ -150,23 +150,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - .callback = video_detect_force_native, - .ident = "Clevo NL5xRU", - .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), -- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), -- }, -- }, -- { -- .callback = video_detect_force_native, -- .ident = "Clevo NL5xRU", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), -- DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), -- }, -- }, -- { -- .callback = video_detect_force_native, -- .ident = "Clevo NL5xRU", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xRU"), - }, - }, -@@ -190,23 +173,6 @@ static const struct dmi_system_id video_detect_dmi_table[] = { - .callback = video_detect_force_native, - .ident = "Clevo NL5xNU", - .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "TUXEDO"), -- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), -- }, -- }, -- { -- .callback = video_detect_force_native, -- .ident = "Clevo NL5xNU", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "SchenkerTechnologiesGmbH"), -- DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), -- }, -- }, -- { -- .callback = video_detect_force_native, -- .ident = "Clevo NL5xNU", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Notebook"), - DMI_MATCH(DMI_BOARD_NAME, "NL5xNU"), - }, - }, --- -2.35.1 - diff --git a/queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptod.patch b/queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptod.patch deleted file mode 100644 index 8b186baedf9..00000000000 --- a/queue-4.9/add-barriers-to-buffer_uptodate-and-set_buffer_uptod.patch +++ /dev/null @@ -1,82 +0,0 @@ -From dc753a8618aa3b404acf324831809617c452dbdd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 9 Aug 2022 14:32:13 -0400 -Subject: add barriers to buffer_uptodate and set_buffer_uptodate - -From: Mikulas Patocka - -commit d4252071b97d2027d246f6a82cbee4d52f618b47 upstream. - -Let's have a look at this piece of code in __bread_slow: - - get_bh(bh); - bh->b_end_io = end_buffer_read_sync; - submit_bh(REQ_OP_READ, 0, bh); - wait_on_buffer(bh); - if (buffer_uptodate(bh)) - return bh; - -Neither wait_on_buffer nor buffer_uptodate contain any memory barrier. -Consequently, if someone calls sb_bread and then reads the buffer data, -the read of buffer data may be executed before wait_on_buffer(bh) on -architectures with weak memory ordering and it may return invalid data. - -Fix this bug by adding a memory barrier to set_buffer_uptodate and an -acquire barrier to buffer_uptodate (in a similar way as -folio_test_uptodate and folio_mark_uptodate). - -Signed-off-by: Mikulas Patocka -Reviewed-by: Matthew Wilcox (Oracle) -Cc: stable@vger.kernel.org -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - include/linux/buffer_head.h | 25 ++++++++++++++++++++++++- - 1 file changed, 24 insertions(+), 1 deletion(-) - -diff --git a/include/linux/buffer_head.h b/include/linux/buffer_head.h -index 4431ea2c8802..13a63ab47ef5 100644 ---- a/include/linux/buffer_head.h -+++ b/include/linux/buffer_head.h -@@ -113,7 +113,6 @@ static __always_inline int test_clear_buffer_##name(struct buffer_head *bh) \ - * of the form "mark_buffer_foo()". These are higher-level functions which - * do something in addition to setting a b_state bit. - */ --BUFFER_FNS(Uptodate, uptodate) - BUFFER_FNS(Dirty, dirty) - TAS_BUFFER_FNS(Dirty, dirty) - BUFFER_FNS(Lock, locked) -@@ -131,6 +130,30 @@ BUFFER_FNS(Meta, meta) - BUFFER_FNS(Prio, prio) - BUFFER_FNS(Defer_Completion, defer_completion) - -+static __always_inline void set_buffer_uptodate(struct buffer_head *bh) -+{ -+ /* -+ * make it consistent with folio_mark_uptodate -+ * pairs with smp_load_acquire in buffer_uptodate -+ */ -+ smp_mb__before_atomic(); -+ set_bit(BH_Uptodate, &bh->b_state); -+} -+ -+static __always_inline void clear_buffer_uptodate(struct buffer_head *bh) -+{ -+ clear_bit(BH_Uptodate, &bh->b_state); -+} -+ -+static __always_inline int buffer_uptodate(const struct buffer_head *bh) -+{ -+ /* -+ * make it consistent with folio_test_uptodate -+ * pairs with smp_mb__before_atomic in set_buffer_uptodate -+ */ -+ return (smp_load_acquire(&bh->b_state) & (1UL << BH_Uptodate)) != 0; -+} -+ - #define bh_offset(bh) ((unsigned long)(bh)->b_data & ~PAGE_MASK) - - /* If we *know* page->private refers to buffer_heads */ --- -2.35.1 - diff --git a/queue-4.9/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch b/queue-4.9/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch deleted file mode 100644 index efe5ab86165..00000000000 --- a/queue-4.9/alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 417b02292c38ad7837cc70a12c419eed2230ca3c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 09:05:15 +0800 -Subject: ALSA: bcd2000: Fix a UAF bug on the error path of probing - -From: Zheyu Ma - -commit ffb2759df7efbc00187bfd9d1072434a13a54139 upstream. - -When the driver fails in snd_card_register() at probe time, it will free -the 'bcd2k->midi_out_urb' before killing it, which may cause a UAF bug. - -The following log can reveal it: - -[ 50.727020] BUG: KASAN: use-after-free in bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] -[ 50.727623] Read of size 8 at addr ffff88810fab0e88 by task swapper/4/0 -[ 50.729530] Call Trace: -[ 50.732899] bcd2000_input_complete+0x1f1/0x2e0 [snd_bcd2000] - -Fix this by adding usb_kill_urb() before usb_free_urb(). - -Fixes: b47a22290d58 ("ALSA: MIDI driver for Behringer BCD2000 USB device") -Signed-off-by: Zheyu Ma -Cc: -Link: https://lore.kernel.org/r/20220715010515.2087925-1-zheyuma97@gmail.com -Signed-off-by: Takashi Iwai -Signed-off-by: Greg Kroah-Hartman ---- - sound/usb/bcd2000/bcd2000.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/sound/usb/bcd2000/bcd2000.c b/sound/usb/bcd2000/bcd2000.c -index d060dddcc52d..379bdf26e985 100644 ---- a/sound/usb/bcd2000/bcd2000.c -+++ b/sound/usb/bcd2000/bcd2000.c -@@ -350,7 +350,8 @@ static int bcd2000_init_midi(struct bcd2000 *bcd2k) - static void bcd2000_free_usb_related_resources(struct bcd2000 *bcd2k, - struct usb_interface *interface) - { -- /* usb_kill_urb not necessary, urb is aborted automatically */ -+ usb_kill_urb(bcd2k->midi_out_urb); -+ usb_kill_urb(bcd2k->midi_in_urb); - - usb_free_urb(bcd2k->midi_out_urb); - usb_free_urb(bcd2k->midi_in_urb); --- -2.35.1 - diff --git a/queue-4.9/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch b/queue-4.9/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch deleted file mode 100644 index 9bc171cd2fd..00000000000 --- a/queue-4.9/arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch +++ /dev/null @@ -1,36 +0,0 @@ -From edd4d7fe57fcc51180fa691b75d12dd161cebeaa Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 26 May 2022 12:13:25 +0400 -Subject: ARM: bcm: Fix refcount leak in bcm_kona_smc_init - -From: Miaoqian Lin - -[ Upstream commit cb23389a2458c2e4bfd6c86a513cbbe1c4d35e76 ] - -of_find_matching_node() returns a node pointer with refcount -incremented, we should use of_node_put() on it when not need anymore. -Add missing of_node_put() to avoid refcount leak. - -Fixes: b8eb35fd594a ("ARM: bcm281xx: Add L2 cache enable code") -Signed-off-by: Miaoqian Lin -Signed-off-by: Florian Fainelli -Signed-off-by: Sasha Levin ---- - arch/arm/mach-bcm/bcm_kona_smc.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm/mach-bcm/bcm_kona_smc.c b/arch/arm/mach-bcm/bcm_kona_smc.c -index a55a7ecf146a..dd0b4195e629 100644 ---- a/arch/arm/mach-bcm/bcm_kona_smc.c -+++ b/arch/arm/mach-bcm/bcm_kona_smc.c -@@ -54,6 +54,7 @@ int __init bcm_kona_smc_init(void) - return -ENODEV; - - prop_val = of_get_address(node, 0, &prop_size, NULL); -+ of_node_put(node); - if (!prop_val) - return -EINVAL; - --- -2.35.1 - diff --git a/queue-4.9/arm-crypto-comment-out-gcc-warning-that-breaks-clang.patch b/queue-4.9/arm-crypto-comment-out-gcc-warning-that-breaks-clang.patch deleted file mode 100644 index 5e10c3c8632..00000000000 --- a/queue-4.9/arm-crypto-comment-out-gcc-warning-that-breaks-clang.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 8c4def254cbe07030f328911c9242fd4971a5955 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 31 Jul 2022 12:05:51 +0200 -Subject: ARM: crypto: comment out gcc warning that breaks clang builds - -From: Greg Kroah-Hartman - -The gcc build warning prevents all clang-built kernels from working -properly, so comment it out to fix the build. - -This is a -stable kernel only patch for now, it will be resolved -differently in mainline releases in the future. - -Cc: "Jason A. Donenfeld" -Cc: "Justin M. Forbes" -Cc: Ard Biesheuvel -Acked-by: Arnd Bergmann -Cc: Nicolas Pitre -Cc: Nathan Chancellor -Cc: Nick Desaulniers -Signed-off-by: Greg Kroah-Hartman ---- - arch/arm/lib/xor-neon.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/arch/arm/lib/xor-neon.c b/arch/arm/lib/xor-neon.c -index c691b901092f..b4feebc385bc 100644 ---- a/arch/arm/lib/xor-neon.c -+++ b/arch/arm/lib/xor-neon.c -@@ -29,8 +29,9 @@ MODULE_LICENSE("GPL"); - * While older versions of GCC do not generate incorrect code, they fail to - * recognize the parallel nature of these functions, and emit plain ARM code, - * which is known to be slower than the optimized ARM code in asm-arm/xor.h. -+ * -+ * #warning This code requires at least version 4.6 of GCC - */ --#warning This code requires at least version 4.6 of GCC - #endif - - #pragma GCC diagnostic ignored "-Wunused-variable" --- -2.35.1 - diff --git a/queue-4.9/arm-dts-ast2500-evb-fix-board-compatible.patch b/queue-4.9/arm-dts-ast2500-evb-fix-board-compatible.patch deleted file mode 100644 index 512071d505a..00000000000 --- a/queue-4.9/arm-dts-ast2500-evb-fix-board-compatible.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 7c4917c490e35214c63e3501993b4be29632882f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 29 May 2022 12:49:25 +0200 -Subject: ARM: dts: ast2500-evb: fix board compatible - -From: Krzysztof Kozlowski - -[ Upstream commit 30b276fca5c0644f3cb17bceb1bd6a626c670184 ] - -The AST2500 EVB board should have dedicated compatible. - -Fixes: 02440622656d ("arm/dst: Add Aspeed ast2500 device tree") -Signed-off-by: Krzysztof Kozlowski -Link: https://lore.kernel.org/r/20220529104928.79636-4-krzysztof.kozlowski@linaro.org -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/aspeed-ast2500-evb.dts | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm/boot/dts/aspeed-ast2500-evb.dts b/arch/arm/boot/dts/aspeed-ast2500-evb.dts -index d7774d35e466..a85966bad725 100644 ---- a/arch/arm/boot/dts/aspeed-ast2500-evb.dts -+++ b/arch/arm/boot/dts/aspeed-ast2500-evb.dts -@@ -4,7 +4,7 @@ - - / { - model = "AST2500 EVB"; -- compatible = "aspeed,ast2500"; -+ compatible = "aspeed,ast2500-evb", "aspeed,ast2500"; - - aliases { - serial4 = &uart5; --- -2.35.1 - diff --git a/queue-4.9/arm-dts-imx6ul-add-missing-properties-for-sram.patch b/queue-4.9/arm-dts-imx6ul-add-missing-properties-for-sram.patch deleted file mode 100644 index 624c304ff47..00000000000 --- a/queue-4.9/arm-dts-imx6ul-add-missing-properties-for-sram.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 588d37a1d2074c3b79179873c6449b36dcc9672b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 14:33:51 +0200 -Subject: ARM: dts: imx6ul: add missing properties for sram - -From: Alexander Stein - -[ Upstream commit 5655699cf5cff9f4c4ee703792156bdd05d1addf ] - -All 3 properties are required by sram.yaml. Fixes the dtbs_check -warning: -sram@900000: '#address-cells' is a required property -sram@900000: '#size-cells' is a required property -sram@900000: 'ranges' is a required property - -Signed-off-by: Alexander Stein -Signed-off-by: Shawn Guo -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/imx6ul.dtsi | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi -index 200d9082caa4..41ae79dc4c21 100644 ---- a/arch/arm/boot/dts/imx6ul.dtsi -+++ b/arch/arm/boot/dts/imx6ul.dtsi -@@ -142,6 +142,9 @@ pmu { - ocram: sram@00900000 { - compatible = "mmio-sram"; - reg = <0x00900000 0x20000>; -+ ranges = <0 0x00900000 0x20000>; -+ #address-cells = <1>; -+ #size-cells = <1>; - }; - - dma_apbh: dma-apbh@01804000 { --- -2.35.1 - diff --git a/queue-4.9/arm-dts-imx6ul-fix-qspi-node-compatible.patch b/queue-4.9/arm-dts-imx6ul-fix-qspi-node-compatible.patch deleted file mode 100644 index 60295eed9af..00000000000 --- a/queue-4.9/arm-dts-imx6ul-fix-qspi-node-compatible.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 219743c30f968916ca94cc4f4a0a7f0b4d0fb5d3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 14:33:57 +0200 -Subject: ARM: dts: imx6ul: fix qspi node compatible - -From: Alexander Stein - -[ Upstream commit 0c6cf86e1ab433b2d421880fdd9c6e954f404948 ] - -imx6ul is not compatible to imx6sx, both have different erratas. -Fixes the dt_binding_check warning: -spi@21e0000: compatible: 'oneOf' conditional failed, one must be fixed: -['fsl,imx6ul-qspi', 'fsl,imx6sx-qspi'] is too long -Additional items are not allowed ('fsl,imx6sx-qspi' was unexpected) -'fsl,imx6ul-qspi' is not one of ['fsl,ls1043a-qspi'] -'fsl,imx6ul-qspi' is not one of ['fsl,imx8mq-qspi'] -'fsl,ls1021a-qspi' was expected -'fsl,imx7d-qspi' was expected - -Signed-off-by: Alexander Stein -Signed-off-by: Shawn Guo -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/imx6ul.dtsi | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm/boot/dts/imx6ul.dtsi b/arch/arm/boot/dts/imx6ul.dtsi -index 41ae79dc4c21..5ec16b26f7c7 100644 ---- a/arch/arm/boot/dts/imx6ul.dtsi -+++ b/arch/arm/boot/dts/imx6ul.dtsi -@@ -866,7 +866,7 @@ lcdif: lcdif@021c8000 { - qspi: qspi@021e0000 { - #address-cells = <1>; - #size-cells = <0>; -- compatible = "fsl,imx6ul-qspi", "fsl,imx6sx-qspi"; -+ compatible = "fsl,imx6ul-qspi"; - reg = <0x021e0000 0x4000>, <0x60000000 0x10000000>; - reg-names = "QuadSPI", "QuadSPI-memory"; - interrupts = ; --- -2.35.1 - diff --git a/queue-4.9/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch b/queue-4.9/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch deleted file mode 100644 index 00febab6993..00000000000 --- a/queue-4.9/arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 3d861c9d1bd6be2a6e8f21d2d55ff2361822e715 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 Jun 2022 13:27:02 +0200 -Subject: ARM: dts: qcom: pm8841: add required thermal-sensor-cells - -From: Krzysztof Kozlowski - -[ Upstream commit e2759fa0676c9a32bbddb9aff955b54bb35066ad ] - -The PM8841 temperature sensor has to define thermal-sensor-cells. - -Fixes: dab8134ca072 ("ARM: dts: qcom: Add PM8841 functions device nodes") -Signed-off-by: Krzysztof Kozlowski -Signed-off-by: Bjorn Andersson -Link: https://lore.kernel.org/r/20220608112702.80873-2-krzysztof.kozlowski@linaro.org -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/qcom-pm8841.dtsi | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm/boot/dts/qcom-pm8841.dtsi b/arch/arm/boot/dts/qcom-pm8841.dtsi -index 0512f645922e..2702792f2a69 100644 ---- a/arch/arm/boot/dts/qcom-pm8841.dtsi -+++ b/arch/arm/boot/dts/qcom-pm8841.dtsi -@@ -24,6 +24,7 @@ temp-alarm@2400 { - compatible = "qcom,spmi-temp-alarm"; - reg = <0x2400>; - interrupts = <4 0x24 0 IRQ_TYPE_EDGE_RISING>; -+ #thermal-sensor-cells = <0>; - }; - }; - --- -2.35.1 - diff --git a/queue-4.9/arm-findbit-fix-overflowing-offset.patch b/queue-4.9/arm-findbit-fix-overflowing-offset.patch deleted file mode 100644 index 5a16a3f86d8..00000000000 --- a/queue-4.9/arm-findbit-fix-overflowing-offset.patch +++ /dev/null @@ -1,76 +0,0 @@ -From f2bead70c0b2e71b5e949f00852e8bdf41073313 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 23:51:48 +0100 -Subject: ARM: findbit: fix overflowing offset - -From: Russell King (Oracle) - -[ Upstream commit ec85bd369fd2bfaed6f45dd678706429d4f75b48 ] - -When offset is larger than the size of the bit array, we should not -attempt to access the array as we can perform an access beyond the -end of the array. Fix this by changing the pre-condition. - -Using "cmp r2, r1; bhs ..." covers us for the size == 0 case, since -this will always take the branch when r1 is zero, irrespective of -the value of r2. This means we can fix this bug without adding any -additional code! - -Tested-by: Guenter Roeck -Signed-off-by: Russell King (Oracle) -Signed-off-by: Sasha Levin ---- - arch/arm/lib/findbit.S | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/arch/arm/lib/findbit.S b/arch/arm/lib/findbit.S -index 7848780e8834..20fef6c41f6f 100644 ---- a/arch/arm/lib/findbit.S -+++ b/arch/arm/lib/findbit.S -@@ -43,8 +43,8 @@ ENDPROC(_find_first_zero_bit_le) - * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) - */ - ENTRY(_find_next_zero_bit_le) -- teq r1, #0 -- beq 3b -+ cmp r2, r1 -+ bhs 3b - ands ip, r2, #7 - beq 1b @ If new byte, goto old routine - ARM( ldrb r3, [r0, r2, lsr #3] ) -@@ -84,8 +84,8 @@ ENDPROC(_find_first_bit_le) - * Prototype: int find_next_zero_bit(void *addr, unsigned int maxbit, int offset) - */ - ENTRY(_find_next_bit_le) -- teq r1, #0 -- beq 3b -+ cmp r2, r1 -+ bhs 3b - ands ip, r2, #7 - beq 1b @ If new byte, goto old routine - ARM( ldrb r3, [r0, r2, lsr #3] ) -@@ -118,8 +118,8 @@ ENTRY(_find_first_zero_bit_be) - ENDPROC(_find_first_zero_bit_be) - - ENTRY(_find_next_zero_bit_be) -- teq r1, #0 -- beq 3b -+ cmp r2, r1 -+ bhs 3b - ands ip, r2, #7 - beq 1b @ If new byte, goto old routine - eor r3, r2, #0x18 @ big endian byte ordering -@@ -152,8 +152,8 @@ ENTRY(_find_first_bit_be) - ENDPROC(_find_first_bit_be) - - ENTRY(_find_next_bit_be) -- teq r1, #0 -- beq 3b -+ cmp r2, r1 -+ bhs 3b - ands ip, r2, #7 - beq 1b @ If new byte, goto old routine - eor r3, r2, #0x18 @ big endian byte ordering --- -2.35.1 - diff --git a/queue-4.9/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch b/queue-4.9/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch deleted file mode 100644 index 8be5bfab661..00000000000 --- a/queue-4.9/arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch +++ /dev/null @@ -1,93 +0,0 @@ -From d11fd57d7876964c06e2423f753f77ff513d7604 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 2 Jul 2022 05:43:19 +0000 -Subject: arm64: fix oops in concurrently setting insn_emulation sysctls -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: haibinzhang (张海斌) - -[ Upstream commit af483947d472eccb79e42059276c4deed76f99a6 ] - -emulation_proc_handler() changes table->data for proc_dointvec_minmax -and can generate the following Oops if called concurrently with itself: - - | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000010 - | Internal error: Oops: 96000006 [#1] SMP - | Call trace: - | update_insn_emulation_mode+0xc0/0x148 - | emulation_proc_handler+0x64/0xb8 - | proc_sys_call_handler+0x9c/0xf8 - | proc_sys_write+0x18/0x20 - | __vfs_write+0x20/0x48 - | vfs_write+0xe4/0x1d0 - | ksys_write+0x70/0xf8 - | __arm64_sys_write+0x20/0x28 - | el0_svc_common.constprop.0+0x7c/0x1c0 - | el0_svc_handler+0x2c/0xa0 - | el0_svc+0x8/0x200 - -To fix this issue, keep the table->data as &insn->current_mode and -use container_of() to retrieve the insn pointer. Another mutex is -used to protect against the current_mode update but not for retrieving -insn_emulation as table->data is no longer changing. - -Co-developed-by: hewenliang -Signed-off-by: hewenliang -Signed-off-by: Haibin Zhang -Reviewed-by: Catalin Marinas -Link: https://lore.kernel.org/r/20220128090324.2727688-1-hewenliang4@huawei.com -Link: https://lore.kernel.org/r/9A004C03-250B-46C5-BF39-782D7551B00E@tencent.com -Signed-off-by: Will Deacon -Signed-off-by: Sasha Levin ---- - arch/arm64/kernel/armv8_deprecated.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/arch/arm64/kernel/armv8_deprecated.c b/arch/arm64/kernel/armv8_deprecated.c -index 49989207989a..89946ed1adb9 100644 ---- a/arch/arm64/kernel/armv8_deprecated.c -+++ b/arch/arm64/kernel/armv8_deprecated.c -@@ -64,6 +64,7 @@ struct insn_emulation { - static LIST_HEAD(insn_emulation); - static int nr_insn_emulated __initdata; - static DEFINE_RAW_SPINLOCK(insn_emulation_lock); -+static DEFINE_MUTEX(insn_emulation_mutex); - - static void register_emulation_hooks(struct insn_emulation_ops *ops) - { -@@ -209,10 +210,10 @@ static int emulation_proc_handler(struct ctl_table *table, int write, - loff_t *ppos) - { - int ret = 0; -- struct insn_emulation *insn = (struct insn_emulation *) table->data; -+ struct insn_emulation *insn = container_of(table->data, struct insn_emulation, current_mode); - enum insn_emulation_mode prev_mode = insn->current_mode; - -- table->data = &insn->current_mode; -+ mutex_lock(&insn_emulation_mutex); - ret = proc_dointvec_minmax(table, write, buffer, lenp, ppos); - - if (ret || !write || prev_mode == insn->current_mode) -@@ -225,7 +226,7 @@ static int emulation_proc_handler(struct ctl_table *table, int write, - update_insn_emulation_mode(insn, INSN_UNDEF); - } - ret: -- table->data = insn; -+ mutex_unlock(&insn_emulation_mutex); - return ret; - } - -@@ -255,7 +256,7 @@ static void __init register_insn_emulation_sysctl(struct ctl_table *table) - sysctl->maxlen = sizeof(int); - - sysctl->procname = insn->ops->name; -- sysctl->data = insn; -+ sysctl->data = &insn->current_mode; - sysctl->extra1 = &insn->min; - sysctl->extra2 = &insn->max; - sysctl->proc_handler = emulation_proc_handler; --- -2.35.1 - diff --git a/queue-4.9/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch b/queue-4.9/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch deleted file mode 100644 index bfabc0c02cc..00000000000 --- a/queue-4.9/asoc-codecs-da7210-add-check-for-i2c_add_driver.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 6cb5c0f38bfe44dbde5102e176354b7884ec218a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 31 May 2022 17:47:12 +0800 -Subject: ASoC: codecs: da7210: add check for i2c_add_driver - -From: Jiasheng Jiang - -[ Upstream commit 82fa8f581a954ddeec1602bed9f8b4a09d100e6e ] - -As i2c_add_driver could return error if fails, it should be -better to check the return value. -However, if the CONFIG_I2C and CONFIG_SPI_MASTER are both true, -the return value of i2c_add_driver will be covered by -spi_register_driver. -Therefore, it is necessary to add check and return error if fails. - -Fixes: aa0e25caafb7 ("ASoC: da7210: Add support for spi regmap") -Signed-off-by: Jiasheng Jiang -Link: https://lore.kernel.org/r/20220531094712.2376759-1-jiasheng@iscas.ac.cn -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/codecs/da7210.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/sound/soc/codecs/da7210.c b/sound/soc/codecs/da7210.c -index 17053dfc94cf..c7b030dae8fc 100644 ---- a/sound/soc/codecs/da7210.c -+++ b/sound/soc/codecs/da7210.c -@@ -1351,6 +1351,8 @@ static int __init da7210_modinit(void) - int ret = 0; - #if IS_ENABLED(CONFIG_I2C) - ret = i2c_add_driver(&da7210_i2c_driver); -+ if (ret) -+ return ret; - #endif - #if defined(CONFIG_SPI_MASTER) - ret = spi_register_driver(&da7210_spi_driver); --- -2.35.1 - diff --git a/queue-4.9/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch b/queue-4.9/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch deleted file mode 100644 index 0271f49fb34..00000000000 --- a/queue-4.9/asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 290dd90f1d8c6fbf1909a8df2a8bfc94320b1c4c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Jun 2022 07:41:42 +0400 -Subject: ASoC: mediatek: mt8173: Fix refcount leak in - mt8173_rt5650_rt5676_dev_probe - -From: Miaoqian Lin - -[ Upstream commit ae4f11c1ed2d67192fdf3d89db719ee439827c11 ] - -of_parse_phandle() returns a node pointer with refcount -incremented, we should use of_node_put() on it when not need anymore. -Fix missing of_node_put() in error paths. - -Fixes: 94319ba10eca ("ASoC: mediatek: Use platform_of_node for machine drivers") -Signed-off-by: Miaoqian Lin -Link: https://lore.kernel.org/r/20220602034144.60159-1-linmq006@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c -index 5d75b04f074f..aee860f4d20b 100644 ---- a/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c -+++ b/sound/soc/mediatek/mt8173/mt8173-rt5650-rt5676.c -@@ -255,14 +255,16 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) - if (!mt8173_rt5650_rt5676_codecs[0].of_node) { - dev_err(&pdev->dev, - "Property 'audio-codec' missing or invalid\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto put_node; - } - mt8173_rt5650_rt5676_codecs[1].of_node = - of_parse_phandle(pdev->dev.of_node, "mediatek,audio-codec", 1); - if (!mt8173_rt5650_rt5676_codecs[1].of_node) { - dev_err(&pdev->dev, - "Property 'audio-codec' missing or invalid\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto put_node; - } - mt8173_rt5650_rt5676_codec_conf[0].of_node = - mt8173_rt5650_rt5676_codecs[1].of_node; -@@ -275,7 +277,8 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) - if (!mt8173_rt5650_rt5676_dais[DAI_LINK_HDMI_I2S].codec_of_node) { - dev_err(&pdev->dev, - "Property 'audio-codec' missing or invalid\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto put_node; - } - - card->dev = &pdev->dev; -@@ -286,6 +289,7 @@ static int mt8173_rt5650_rt5676_dev_probe(struct platform_device *pdev) - dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", - __func__, ret); - -+put_node: - of_node_put(platform_node); - return ret; - } --- -2.35.1 - diff --git a/queue-4.9/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch b/queue-4.9/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch deleted file mode 100644 index fa45cee13e1..00000000000 --- a/queue-4.9/asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 822f83094e55cd167f79d917c436c4e992b42208 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 Jun 2022 16:42:41 +0400 -Subject: ASoC: mediatek: mt8173-rt5650: Fix refcount leak in - mt8173_rt5650_dev_probe - -From: Miaoqian Lin - -[ Upstream commit efe2178d1a32492f99e7f1f2568eea5c88a85729 ] - -of_parse_phandle() returns a node pointer with refcount -incremented, we should use of_node_put() on it when not need anymore. -Fix refcount leak in some error paths. - -Fixes: 0f83f9296d5c ("ASoC: mediatek: Add machine driver for ALC5650 codec") -Signed-off-by: Miaoqian Lin -Link: https://lore.kernel.org/r/20220603124243.31358-1-linmq006@gmail.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - sound/soc/mediatek/mt8173/mt8173-rt5650.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/sound/soc/mediatek/mt8173/mt8173-rt5650.c b/sound/soc/mediatek/mt8173/mt8173-rt5650.c -index d02a90201b13..b249080cfca4 100644 ---- a/sound/soc/mediatek/mt8173/mt8173-rt5650.c -+++ b/sound/soc/mediatek/mt8173/mt8173-rt5650.c -@@ -270,7 +270,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) - if (!mt8173_rt5650_codecs[0].of_node) { - dev_err(&pdev->dev, - "Property 'audio-codec' missing or invalid\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto put_platform_node; - } - mt8173_rt5650_codecs[1].of_node = mt8173_rt5650_codecs[0].of_node; - -@@ -287,7 +288,7 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) - dev_err(&pdev->dev, - "%s codec_capture_dai name fail %d\n", - __func__, ret); -- return ret; -+ goto put_platform_node; - } - mt8173_rt5650_codecs[1].dai_name = codec_capture_dai; - } -@@ -308,7 +309,8 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) - if (!mt8173_rt5650_dais[DAI_LINK_HDMI_I2S].codec_of_node) { - dev_err(&pdev->dev, - "Property 'audio-codec' missing or invalid\n"); -- return -EINVAL; -+ ret = -EINVAL; -+ goto put_platform_node; - } - card->dev = &pdev->dev; - platform_set_drvdata(pdev, card); -@@ -318,6 +320,7 @@ static int mt8173_rt5650_dev_probe(struct platform_device *pdev) - dev_err(&pdev->dev, "%s snd_soc_register_card fail %d\n", - __func__, ret); - -+put_platform_node: - of_node_put(platform_node); - return ret; - } --- -2.35.1 - diff --git a/queue-4.9/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch b/queue-4.9/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch deleted file mode 100644 index 82e8683d7a0..00000000000 --- a/queue-4.9/ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch +++ /dev/null @@ -1,94 +0,0 @@ -From 4b74b3d4c23a3087b8250cc41b89c5fddb719bb1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 13 Jun 2022 21:43:59 +0300 -Subject: ath9k: fix use-after-free in ath9k_hif_usb_rx_cb -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Pavel Skripkin - -[ Upstream commit 0ac4827f78c7ffe8eef074bc010e7e34bc22f533 ] - -Syzbot reported use-after-free Read in ath9k_hif_usb_rx_cb() [0]. The -problem was in incorrect htc_handle->drv_priv initialization. - -Probable call trace which can trigger use-after-free: - -ath9k_htc_probe_device() - /* htc_handle->drv_priv = priv; */ - ath9k_htc_wait_for_target() <--- Failed - ieee80211_free_hw() <--- priv pointer is freed - - -... -ath9k_hif_usb_rx_cb() - ath9k_hif_usb_rx_stream() - RX_STAT_INC() <--- htc_handle->drv_priv access - -In order to not add fancy protection for drv_priv we can move -htc_handle->drv_priv initialization at the end of the -ath9k_htc_probe_device() and add helper macro to make -all *_STAT_* macros NULL safe, since syzbot has reported related NULL -deref in that macros [1] - -Link: https://syzkaller.appspot.com/bug?id=6ead44e37afb6866ac0c7dd121b4ce07cb665f60 [0] -Link: https://syzkaller.appspot.com/bug?id=b8101ffcec107c0567a0cd8acbbacec91e9ee8de [1] -Fixes: fb9987d0f748 ("ath9k_htc: Support for AR9271 chipset.") -Reported-and-tested-by: syzbot+03110230a11411024147@syzkaller.appspotmail.com -Reported-and-tested-by: syzbot+c6dde1f690b60e0b9fbe@syzkaller.appspotmail.com -Signed-off-by: Pavel Skripkin -Acked-by: Toke Høiland-Jørgensen -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/d57bbedc857950659bfacac0ab48790c1eda00c8.1655145743.git.paskripkin@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/ath9k/htc.h | 10 +++++----- - drivers/net/wireless/ath/ath9k/htc_drv_init.c | 3 ++- - 2 files changed, 7 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath9k/htc.h b/drivers/net/wireless/ath/ath9k/htc.h -index 16dff4b89a86..d66d3c9299fb 100644 ---- a/drivers/net/wireless/ath/ath9k/htc.h -+++ b/drivers/net/wireless/ath/ath9k/htc.h -@@ -325,11 +325,11 @@ static inline struct ath9k_htc_tx_ctl *HTC_SKB_CB(struct sk_buff *skb) - } - - #ifdef CONFIG_ATH9K_HTC_DEBUGFS -- --#define TX_STAT_INC(c) (hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) --#define TX_STAT_ADD(c, a) (hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) --#define RX_STAT_INC(c) (hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) --#define RX_STAT_ADD(c, a) (hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) -+#define __STAT_SAFE(expr) (hif_dev->htc_handle->drv_priv ? (expr) : 0) -+#define TX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c++) -+#define TX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.tx_stats.c += a) -+#define RX_STAT_INC(c) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c++) -+#define RX_STAT_ADD(c, a) __STAT_SAFE(hif_dev->htc_handle->drv_priv->debug.skbrx_stats.c += a) - #define CAB_STAT_INC priv->debug.tx_stats.cab_queued++ - - #define TX_QSTAT_INC(q) (priv->debug.tx_stats.queue_stats[q]++) -diff --git a/drivers/net/wireless/ath/ath9k/htc_drv_init.c b/drivers/net/wireless/ath/ath9k/htc_drv_init.c -index 09d737f3461b..992cc2cc01a0 100644 ---- a/drivers/net/wireless/ath/ath9k/htc_drv_init.c -+++ b/drivers/net/wireless/ath/ath9k/htc_drv_init.c -@@ -944,7 +944,6 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, - priv->hw = hw; - priv->htc = htc_handle; - priv->dev = dev; -- htc_handle->drv_priv = priv; - SET_IEEE80211_DEV(hw, priv->dev); - - ret = ath9k_htc_wait_for_target(priv); -@@ -965,6 +964,8 @@ int ath9k_htc_probe_device(struct htc_target *htc_handle, struct device *dev, - if (ret) - goto err_init; - -+ htc_handle->drv_priv = priv; -+ - return 0; - - err_init: --- -2.35.1 - diff --git a/queue-4.9/bluetooth-hci_intel-add-check-for-platform_driver_re.patch b/queue-4.9/bluetooth-hci_intel-add-check-for-platform_driver_re.patch deleted file mode 100644 index 7f57577741d..00000000000 --- a/queue-4.9/bluetooth-hci_intel-add-check-for-platform_driver_re.patch +++ /dev/null @@ -1,41 +0,0 @@ -From c10bc79ebb6805c4d9a0ff885edf3f5b05f6fffc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 Jun 2022 09:24:36 +0800 -Subject: Bluetooth: hci_intel: Add check for platform_driver_register - -From: Jiasheng Jiang - -[ Upstream commit ab2d2a982ff721f4b029282d9a40602ea46a745e ] - -As platform_driver_register() could fail, it should be better -to deal with the return value in order to maintain the code -consisitency. - -Fixes: 1ab1f239bf17 ("Bluetooth: hci_intel: Add support for platform driver") -Signed-off-by: Jiasheng Jiang -Signed-off-by: Marcel Holtmann -Signed-off-by: Sasha Levin ---- - drivers/bluetooth/hci_intel.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/bluetooth/hci_intel.c b/drivers/bluetooth/hci_intel.c -index f822e862b689..70fba2d3c49f 100644 ---- a/drivers/bluetooth/hci_intel.c -+++ b/drivers/bluetooth/hci_intel.c -@@ -1280,7 +1280,11 @@ static struct platform_driver intel_driver = { - - int __init intel_init(void) - { -- platform_driver_register(&intel_driver); -+ int err; -+ -+ err = platform_driver_register(&intel_driver); -+ if (err) -+ return err; - - return hci_uart_register_proto(&intel_proto); - } --- -2.35.1 - diff --git a/queue-4.9/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_c.patch b/queue-4.9/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_c.patch deleted file mode 100644 index 3f85277b967..00000000000 --- a/queue-4.9/bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_c.patch +++ /dev/null @@ -1,271 +0,0 @@ -From c06472afae2a7ff9db51b447d2b2fca7f1f9a49a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 21 Jul 2022 09:10:50 -0700 -Subject: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put - -From: Luiz Augusto von Dentz - -commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream. - -This fixes the following trace which is caused by hci_rx_work starting up -*after* the final channel reference has been put() during sock_close() but -*before* the references to the channel have been destroyed, so instead -the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to -prevent referencing a channel that is about to be destroyed. - - refcount_t: increment on 0; use-after-free. - BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 - Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 - - CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W - 4.14.234-00003-g1fb6d0bd49a4-dirty #28 - Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 - Google Inc. MSM sm8150 Flame DVT (DT) - Workqueue: hci0 hci_rx_work - Call trace: - dump_backtrace+0x0/0x378 - show_stack+0x20/0x2c - dump_stack+0x124/0x148 - print_address_description+0x80/0x2e8 - __kasan_report+0x168/0x188 - kasan_report+0x10/0x18 - __asan_load4+0x84/0x8c - refcount_dec_and_test+0x20/0xd0 - l2cap_chan_put+0x48/0x12c - l2cap_recv_frame+0x4770/0x6550 - l2cap_recv_acldata+0x44c/0x7a4 - hci_acldata_packet+0x100/0x188 - hci_rx_work+0x178/0x23c - process_one_work+0x35c/0x95c - worker_thread+0x4cc/0x960 - kthread+0x1a8/0x1c4 - ret_from_fork+0x10/0x18 - -Cc: stable@kernel.org -Reported-by: Lee Jones -Signed-off-by: Luiz Augusto von Dentz -Tested-by: Lee Jones -Signed-off-by: Luiz Augusto von Dentz -Signed-off-by: Greg Kroah-Hartman ---- - include/net/bluetooth/l2cap.h | 1 + - net/bluetooth/l2cap_core.c | 61 +++++++++++++++++++++++++++-------- - 2 files changed, 49 insertions(+), 13 deletions(-) - -diff --git a/include/net/bluetooth/l2cap.h b/include/net/bluetooth/l2cap.h -index 9c50d458ee83..d9e9f86e6107 100644 ---- a/include/net/bluetooth/l2cap.h -+++ b/include/net/bluetooth/l2cap.h -@@ -798,6 +798,7 @@ enum { - }; - - void l2cap_chan_hold(struct l2cap_chan *c); -+struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c); - void l2cap_chan_put(struct l2cap_chan *c); - - static inline void l2cap_chan_lock(struct l2cap_chan *chan) -diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c -index 204b6ebd2a24..40256e44651e 100644 ---- a/net/bluetooth/l2cap_core.c -+++ b/net/bluetooth/l2cap_core.c -@@ -113,7 +113,8 @@ static struct l2cap_chan *__l2cap_get_chan_by_scid(struct l2cap_conn *conn, - } - - /* Find channel with given SCID. -- * Returns locked channel. */ -+ * Returns a reference locked channel. -+ */ - static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, - u16 cid) - { -@@ -121,15 +122,19 @@ static struct l2cap_chan *l2cap_get_chan_by_scid(struct l2cap_conn *conn, - - mutex_lock(&conn->chan_lock); - c = __l2cap_get_chan_by_scid(conn, cid); -- if (c) -- l2cap_chan_lock(c); -+ if (c) { -+ /* Only lock if chan reference is not 0 */ -+ c = l2cap_chan_hold_unless_zero(c); -+ if (c) -+ l2cap_chan_lock(c); -+ } - mutex_unlock(&conn->chan_lock); - - return c; - } - - /* Find channel with given DCID. -- * Returns locked channel. -+ * Returns a reference locked channel. - */ - static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, - u16 cid) -@@ -138,8 +143,12 @@ static struct l2cap_chan *l2cap_get_chan_by_dcid(struct l2cap_conn *conn, - - mutex_lock(&conn->chan_lock); - c = __l2cap_get_chan_by_dcid(conn, cid); -- if (c) -- l2cap_chan_lock(c); -+ if (c) { -+ /* Only lock if chan reference is not 0 */ -+ c = l2cap_chan_hold_unless_zero(c); -+ if (c) -+ l2cap_chan_lock(c); -+ } - mutex_unlock(&conn->chan_lock); - - return c; -@@ -164,8 +173,12 @@ static struct l2cap_chan *l2cap_get_chan_by_ident(struct l2cap_conn *conn, - - mutex_lock(&conn->chan_lock); - c = __l2cap_get_chan_by_ident(conn, ident); -- if (c) -- l2cap_chan_lock(c); -+ if (c) { -+ /* Only lock if chan reference is not 0 */ -+ c = l2cap_chan_hold_unless_zero(c); -+ if (c) -+ l2cap_chan_lock(c); -+ } - mutex_unlock(&conn->chan_lock); - - return c; -@@ -491,6 +504,16 @@ void l2cap_chan_hold(struct l2cap_chan *c) - kref_get(&c->kref); - } - -+struct l2cap_chan *l2cap_chan_hold_unless_zero(struct l2cap_chan *c) -+{ -+ BT_DBG("chan %p orig refcnt %u", c, kref_read(&c->kref)); -+ -+ if (!kref_get_unless_zero(&c->kref)) -+ return NULL; -+ -+ return c; -+} -+ - void l2cap_chan_put(struct l2cap_chan *c) - { - BT_DBG("chan %p orig refcnt %d", c, atomic_read(&c->kref.refcount)); -@@ -1803,7 +1826,10 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, - src_match = !bacmp(&c->src, src); - dst_match = !bacmp(&c->dst, dst); - if (src_match && dst_match) { -- l2cap_chan_hold(c); -+ c = l2cap_chan_hold_unless_zero(c); -+ if (!c) -+ continue; -+ - read_unlock(&chan_list_lock); - return c; - } -@@ -1818,7 +1844,7 @@ static struct l2cap_chan *l2cap_global_chan_by_psm(int state, __le16 psm, - } - - if (c1) -- l2cap_chan_hold(c1); -+ c1 = l2cap_chan_hold_unless_zero(c1); - - read_unlock(&chan_list_lock); - -@@ -4194,6 +4220,7 @@ static inline int l2cap_config_req(struct l2cap_conn *conn, - - unlock: - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - return err; - } - -@@ -4306,6 +4333,7 @@ static inline int l2cap_config_rsp(struct l2cap_conn *conn, - - done: - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - return err; - } - -@@ -5034,6 +5062,7 @@ static inline int l2cap_move_channel_req(struct l2cap_conn *conn, - l2cap_send_move_chan_rsp(chan, result); - - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - - return 0; - } -@@ -5126,6 +5155,7 @@ static void l2cap_move_continue(struct l2cap_conn *conn, u16 icid, u16 result) - } - - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - } - - static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, -@@ -5155,6 +5185,7 @@ static void l2cap_move_fail(struct l2cap_conn *conn, u8 ident, u16 icid, - l2cap_send_move_chan_cfm(chan, L2CAP_MC_UNCONFIRMED); - - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - } - - static int l2cap_move_channel_rsp(struct l2cap_conn *conn, -@@ -5218,6 +5249,7 @@ static int l2cap_move_channel_confirm(struct l2cap_conn *conn, - l2cap_send_move_chan_cfm_rsp(conn, cmd->ident, icid); - - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - - return 0; - } -@@ -5253,6 +5285,7 @@ static inline int l2cap_move_channel_confirm_rsp(struct l2cap_conn *conn, - } - - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - - return 0; - } -@@ -5625,12 +5658,11 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn, - if (credits > max_credits) { - BT_ERR("LE credits overflow"); - l2cap_send_disconn_req(chan, ECONNRESET); -- l2cap_chan_unlock(chan); - - /* Return 0 so that we don't trigger an unnecessary - * command reject packet. - */ -- return 0; -+ goto unlock; - } - - chan->tx_credits += credits; -@@ -5643,7 +5675,9 @@ static inline int l2cap_le_credits(struct l2cap_conn *conn, - if (chan->tx_credits) - chan->ops->resume(chan); - -+unlock: - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - - return 0; - } -@@ -6941,6 +6975,7 @@ static void l2cap_data_channel(struct l2cap_conn *conn, u16 cid, - - done: - l2cap_chan_unlock(chan); -+ l2cap_chan_put(chan); - } - - static void l2cap_conless_channel(struct l2cap_conn *conn, __le16 psm, -@@ -7345,7 +7380,7 @@ static struct l2cap_chan *l2cap_global_fixed_chan(struct l2cap_chan *c, - if (src_type != c->src_type) - continue; - -- l2cap_chan_hold(c); -+ c = l2cap_chan_hold_unless_zero(c); - read_unlock(&chan_list_lock); - return c; - } --- -2.35.1 - diff --git a/queue-4.9/can-error-specify-the-values-of-data-5.7-of-can-erro.patch b/queue-4.9/can-error-specify-the-values-of-data-5.7-of-can-erro.patch deleted file mode 100644 index 6aafc58eaf5..00000000000 --- a/queue-4.9/can-error-specify-the-values-of-data-5.7-of-can-erro.patch +++ /dev/null @@ -1,49 +0,0 @@ -From a19f9ba54e8dda85337758c3ac4369ce7ae6cf0e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:48 +0900 -Subject: can: error: specify the values of data[5..7] of CAN error frames - -From: Vincent Mailhol - -[ Upstream commit e70a3263a7eed768d5f947b8f2aff8d2a79c9d97 ] - -Currently, data[5..7] of struct can_frame, when used as a CAN error -frame, are defined as being "controller specific". Device specific -behaviours are problematic because it prevents someone from writing -code which is portable between devices. - -As a matter of fact, data[5] is never used, data[6] is always used to -report TX error counter and data[7] is always used to report RX error -counter. can-utils also relies on this. - -This patch updates the comment in the uapi header to specify that -data[5] is reserved (and thus should not be used) and that data[6..7] -are used for error counters. - -Fixes: 0d66548a10cb ("[CAN]: Add PF_CAN core module") -Link: https://lore.kernel.org/all/20220719143550.3681-11-mailhol.vincent@wanadoo.fr -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - include/uapi/linux/can/error.h | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/include/uapi/linux/can/error.h b/include/uapi/linux/can/error.h -index 1c508be9687f..31a804222d74 100644 ---- a/include/uapi/linux/can/error.h -+++ b/include/uapi/linux/can/error.h -@@ -119,6 +119,9 @@ - #define CAN_ERR_TRX_CANL_SHORT_TO_GND 0x70 /* 0111 0000 */ - #define CAN_ERR_TRX_CANL_SHORT_TO_CANH 0x80 /* 1000 0000 */ - --/* controller specific additional information / data[5..7] */ -+/* data[5] is reserved (do not use) */ -+ -+/* TX error counter / data[6] */ -+/* RX error counter / data[7] */ - - #endif /* _UAPI_CAN_ERROR_H */ --- -2.35.1 - diff --git a/queue-4.9/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch b/queue-4.9/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch deleted file mode 100644 index f0ccdfc69a7..00000000000 --- a/queue-4.9/can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch +++ /dev/null @@ -1,48 +0,0 @@ -From f7b0ec74d517541abe1734ff3d188fcf690a91a0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:39 +0900 -Subject: can: pch_can: do not report txerr and rxerr during bus-off - -From: Vincent Mailhol - -[ Upstream commit 3a5c7e4611ddcf0ef37a3a17296b964d986161a6 ] - -During bus off, the error count is greater than 255 and can not fit in -a u8. - -Fixes: 0c78ab76a05c ("pch_can: Add setting TEC/REC statistics processing") -Link: https://lore.kernel.org/all/20220719143550.3681-2-mailhol.vincent@wanadoo.fr -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/pch_can.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c -index ced11ea89269..3e1d71c70b0d 100644 ---- a/drivers/net/can/pch_can.c -+++ b/drivers/net/can/pch_can.c -@@ -507,6 +507,9 @@ static void pch_can_error(struct net_device *ndev, u32 status) - cf->can_id |= CAN_ERR_BUSOFF; - priv->can.can_stats.bus_off++; - can_bus_off(ndev); -+ } else { -+ cf->data[6] = errc & PCH_TEC; -+ cf->data[7] = (errc & PCH_REC) >> 8; - } - - errc = ioread32(&priv->regs->errc); -@@ -567,9 +570,6 @@ static void pch_can_error(struct net_device *ndev, u32 status) - break; - } - -- cf->data[6] = errc & PCH_TEC; -- cf->data[7] = (errc & PCH_REC) >> 8; -- - priv->can.state = state; - netif_receive_skb(skb); - --- -2.35.1 - diff --git a/queue-4.9/can-pch_can-pch_can_error-initialize-errc-before-usi.patch b/queue-4.9/can-pch_can-pch_can_error-initialize-errc-before-usi.patch deleted file mode 100644 index a9e1f0ecafd..00000000000 --- a/queue-4.9/can-pch_can-pch_can_error-initialize-errc-before-usi.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 3dbd692082798055b3bb1023efb0cc22e05085cc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 01:00:32 +0900 -Subject: can: pch_can: pch_can_error(): initialize errc before using it - -From: Vincent Mailhol - -[ Upstream commit 9950f11211331180269867aef848c7cf56861742 ] - -After commit 3a5c7e4611dd, the variable errc is accessed before being -initialized, c.f. below W=2 warning: - -| In function 'pch_can_error', -| inlined from 'pch_can_poll' at drivers/net/can/pch_can.c:739:4: -| drivers/net/can/pch_can.c:501:29: warning: 'errc' may be used uninitialized [-Wmaybe-uninitialized] -| 501 | cf->data[6] = errc & PCH_TEC; -| | ^ -| drivers/net/can/pch_can.c: In function 'pch_can_poll': -| drivers/net/can/pch_can.c:484:13: note: 'errc' was declared here -| 484 | u32 errc, lec; -| | ^~~~ - -Moving errc initialization up solves this issue. - -Fixes: 3a5c7e4611dd ("can: pch_can: do not report txerr and rxerr during bus-off") -Reported-by: Nathan Chancellor -Signed-off-by: Vincent Mailhol -Reviewed-by: Nathan Chancellor -Link: https://lore.kernel.org/all/20220721160032.9348-1-mailhol.vincent@wanadoo.fr -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/pch_can.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/can/pch_can.c b/drivers/net/can/pch_can.c -index 3e1d71c70b0d..25def028a1dc 100644 ---- a/drivers/net/can/pch_can.c -+++ b/drivers/net/can/pch_can.c -@@ -500,6 +500,7 @@ static void pch_can_error(struct net_device *ndev, u32 status) - if (!skb) - return; - -+ errc = ioread32(&priv->regs->errc); - if (status & PCH_BUS_OFF) { - pch_can_set_tx_all(priv, 0); - pch_can_set_rx_all(priv, 0); -@@ -512,7 +513,6 @@ static void pch_can_error(struct net_device *ndev, u32 status) - cf->data[7] = (errc & PCH_REC) >> 8; - } - -- errc = ioread32(&priv->regs->errc); - /* Warning interrupt. */ - if (status & PCH_EWARN) { - state = CAN_STATE_ERROR_WARNING; --- -2.35.1 - diff --git a/queue-4.9/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch b/queue-4.9/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch deleted file mode 100644 index e219818dfac..00000000000 --- a/queue-4.9/can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 3d65281bd57cbf60320d5aa4b5ad57452373802a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:40 +0900 -Subject: can: rcar_can: do not report txerr and rxerr during bus-off - -From: Vincent Mailhol - -[ Upstream commit a37b7245e831a641df360ca41db6a71c023d3746 ] - -During bus off, the error count is greater than 255 and can not fit in -a u8. - -Fixes: fd1159318e55 ("can: add Renesas R-Car CAN driver") -Link: https://lore.kernel.org/all/20220719143550.3681-3-mailhol.vincent@wanadoo.fr -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/rcar/rcar_can.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/can/rcar/rcar_can.c b/drivers/net/can/rcar/rcar_can.c -index 2ac33ee1067e..001170349234 100644 ---- a/drivers/net/can/rcar/rcar_can.c -+++ b/drivers/net/can/rcar/rcar_can.c -@@ -233,11 +233,8 @@ static void rcar_can_error(struct net_device *ndev) - if (eifr & (RCAR_CAN_EIFR_EWIF | RCAR_CAN_EIFR_EPIF)) { - txerr = readb(&priv->regs->tecr); - rxerr = readb(&priv->regs->recr); -- if (skb) { -+ if (skb) - cf->can_id |= CAN_ERR_CRTL; -- cf->data[6] = txerr; -- cf->data[7] = rxerr; -- } - } - if (eifr & RCAR_CAN_EIFR_BEIF) { - int rx_errors = 0, tx_errors = 0; -@@ -337,6 +334,9 @@ static void rcar_can_error(struct net_device *ndev) - can_bus_off(ndev); - if (skb) - cf->can_id |= CAN_ERR_BUSOFF; -+ } else if (skb) { -+ cf->data[6] = txerr; -+ cf->data[7] = rxerr; - } - if (eifr & RCAR_CAN_EIFR_ORIF) { - netdev_dbg(priv->ndev, "Receive overrun error interrupt\n"); --- -2.35.1 - diff --git a/queue-4.9/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch b/queue-4.9/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch deleted file mode 100644 index 5aa54528417..00000000000 --- a/queue-4.9/can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch +++ /dev/null @@ -1,49 +0,0 @@ -From f16180400439a1e57b23f04b58b9369f560053db Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:41 +0900 -Subject: can: sja1000: do not report txerr and rxerr during bus-off - -From: Vincent Mailhol - -[ Upstream commit 164d7cb2d5a30f1b3a5ab4fab1a27731fb1494a8 ] - -During bus off, the error count is greater than 255 and can not fit in -a u8. - -Fixes: 215db1856e83 ("can: sja1000: Consolidate and unify state change handling") -Link: https://lore.kernel.org/all/20220719143550.3681-4-mailhol.vincent@wanadoo.fr -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/sja1000/sja1000.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/can/sja1000/sja1000.c b/drivers/net/can/sja1000/sja1000.c -index 9f107798f904..e7327ceabb76 100644 ---- a/drivers/net/can/sja1000/sja1000.c -+++ b/drivers/net/can/sja1000/sja1000.c -@@ -405,9 +405,6 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status) - txerr = priv->read_reg(priv, SJA1000_TXERR); - rxerr = priv->read_reg(priv, SJA1000_RXERR); - -- cf->data[6] = txerr; -- cf->data[7] = rxerr; -- - if (isrc & IRQ_DOI) { - /* data overrun interrupt */ - netdev_dbg(dev, "data overrun interrupt\n"); -@@ -429,6 +426,10 @@ static int sja1000_err(struct net_device *dev, uint8_t isrc, uint8_t status) - else - state = CAN_STATE_ERROR_ACTIVE; - } -+ if (state != CAN_STATE_BUS_OFF) { -+ cf->data[6] = txerr; -+ cf->data[7] = rxerr; -+ } - if (isrc & IRQ_BEI) { - /* bus error interrupt */ - priv->can.can_stats.bus_error++; --- -2.35.1 - diff --git a/queue-4.9/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch b/queue-4.9/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch deleted file mode 100644 index fb8f9a22bfe..00000000000 --- a/queue-4.9/can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 2392d539e2ad075ef21ea766f1fc40f30e2a9780 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:44 +0900 -Subject: can: sun4i_can: do not report txerr and rxerr during bus-off - -From: Vincent Mailhol - -[ Upstream commit 0ac15a8f661b941519379831d09bfb12271b23ee ] - -During bus off, the error count is greater than 255 and can not fit in -a u8. - -Fixes: 0738eff14d81 ("can: Allwinner A10/A20 CAN Controller support - Kernel module") -Link: https://lore.kernel.org/all/20220719143550.3681-7-mailhol.vincent@wanadoo.fr -CC: Chen-Yu Tsai -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/sun4i_can.c | 9 ++++----- - 1 file changed, 4 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/can/sun4i_can.c b/drivers/net/can/sun4i_can.c -index 1ac2090a1721..fea82be623b3 100644 ---- a/drivers/net/can/sun4i_can.c -+++ b/drivers/net/can/sun4i_can.c -@@ -525,11 +525,6 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) - rxerr = (errc >> 16) & 0xFF; - txerr = errc & 0xFF; - -- if (skb) { -- cf->data[6] = txerr; -- cf->data[7] = rxerr; -- } -- - if (isrc & SUN4I_INT_DATA_OR) { - /* data overrun interrupt */ - netdev_dbg(dev, "data overrun interrupt\n"); -@@ -560,6 +555,10 @@ static int sun4i_can_err(struct net_device *dev, u8 isrc, u8 status) - else - state = CAN_STATE_ERROR_ACTIVE; - } -+ if (skb && state != CAN_STATE_BUS_OFF) { -+ cf->data[6] = txerr; -+ cf->data[7] = rxerr; -+ } - if (isrc & SUN4I_INT_BUS_ERR) { - /* bus error interrupt */ - netdev_dbg(dev, "bus error interrupt\n"); --- -2.35.1 - diff --git a/queue-4.9/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch b/queue-4.9/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch deleted file mode 100644 index bc00d3b60cd..00000000000 --- a/queue-4.9/can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 83a21f6d288c1ecb55cb628e067784abe1afc9d6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 23:35:47 +0900 -Subject: can: usb_8dev: do not report txerr and rxerr during bus-off - -From: Vincent Mailhol - -[ Upstream commit aebe8a2433cd090ccdc222861f44bddb75eb01de ] - -During bus off, the error count is greater than 255 and can not fit in -a u8. - -Fixes: 0024d8ad1639 ("can: usb_8dev: Add support for USB2CAN interface from 8 devices") -Link: https://lore.kernel.org/all/20220719143550.3681-10-mailhol.vincent@wanadoo.fr -Signed-off-by: Vincent Mailhol -Signed-off-by: Marc Kleine-Budde -Signed-off-by: Sasha Levin ---- - drivers/net/can/usb/usb_8dev.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/can/usb/usb_8dev.c b/drivers/net/can/usb/usb_8dev.c -index df99354ec12a..9a1123f04a5d 100644 ---- a/drivers/net/can/usb/usb_8dev.c -+++ b/drivers/net/can/usb/usb_8dev.c -@@ -453,9 +453,10 @@ static void usb_8dev_rx_err_msg(struct usb_8dev_priv *priv, - - if (rx_errors) - stats->rx_errors++; -- -- cf->data[6] = txerr; -- cf->data[7] = rxerr; -+ if (priv->can.state != CAN_STATE_BUS_OFF) { -+ cf->data[6] = txerr; -+ cf->data[7] = rxerr; -+ } - - priv->bec.txerr = txerr; - priv->bec.rxerr = rxerr; --- -2.35.1 - diff --git a/queue-4.9/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch b/queue-4.9/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch deleted file mode 100644 index e7de7101f27..00000000000 --- a/queue-4.9/cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 9f4b34a1fe29ee6587ee45508fd9fc11dfd42ec2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 5 Jun 2022 12:28:07 +0400 -Subject: cpufreq: zynq: Fix refcount leak in zynq_get_revision - -From: Miaoqian Lin - -[ Upstream commit d1ff2559cef0f6f8d97fba6337b28adb10689e16 ] - -of_find_compatible_node() returns a node pointer with refcount -incremented, we should use of_node_put() on it when done. -Add missing of_node_put() to avoid refcount leak. - -Fixes: 00f7dc636366 ("ARM: zynq: Add support for SOC_BUS") -Signed-off-by: Miaoqian Lin -Link: https://lore.kernel.org/r/20220605082807.21526-1-linmq006@gmail.com -Signed-off-by: Michal Simek -Signed-off-by: Sasha Levin ---- - arch/arm/mach-zynq/common.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/arm/mach-zynq/common.c b/arch/arm/mach-zynq/common.c -index ed118648313f..a9773e26a404 100644 ---- a/arch/arm/mach-zynq/common.c -+++ b/arch/arm/mach-zynq/common.c -@@ -84,6 +84,7 @@ static int __init zynq_get_revision(void) - } - - zynq_devcfg_base = of_iomap(np, 0); -+ of_node_put(np); - if (!zynq_devcfg_base) { - pr_err("%s: Unable to map I/O memory\n", __func__); - return -1; --- -2.35.1 - diff --git a/queue-4.9/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch b/queue-4.9/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch deleted file mode 100644 index c3e391022c8..00000000000 --- a/queue-4.9/dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 5d2aa401eb382a9a6c4c55a67066c8ef4299ab4a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Jul 2022 19:00:27 +0800 -Subject: dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same - lock - -From: Hangyu Hua - -[ Upstream commit a41b17ff9dacd22f5f118ee53d82da0f3e52d5e3 ] - -In the case of sk->dccps_qpolicy == DCCPQ_POLICY_PRIO, dccp_qpolicy_full -will drop a skb when qpolicy is full. And the lock in dccp_sendmsg is -released before sock_alloc_send_skb and then relocked after -sock_alloc_send_skb. The following conditions may lead dccp_qpolicy_push -to add skb to an already full sk_write_queue: - -thread1--->lock -thread1--->dccp_qpolicy_full: queue is full. drop a skb -thread1--->unlock -thread2--->lock -thread2--->dccp_qpolicy_full: queue is not full. no need to drop. -thread2--->unlock -thread1--->lock -thread1--->dccp_qpolicy_push: add a skb. queue is full. -thread1--->unlock -thread2--->lock -thread2--->dccp_qpolicy_push: add a skb! -thread2--->unlock - -Fix this by moving dccp_qpolicy_full. - -Fixes: b1308dc015eb ("[DCCP]: Set TX Queue Length Bounds via Sysctl") -Signed-off-by: Hangyu Hua -Link: https://lore.kernel.org/r/20220729110027.40569-1-hbh25y@gmail.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/dccp/proto.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/net/dccp/proto.c b/net/dccp/proto.c -index 936dab12f99f..e552009b6cc5 100644 ---- a/net/dccp/proto.c -+++ b/net/dccp/proto.c -@@ -764,11 +764,6 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - - lock_sock(sk); - -- if (dccp_qpolicy_full(sk)) { -- rc = -EAGAIN; -- goto out_release; -- } -- - timeo = sock_sndtimeo(sk, noblock); - - /* -@@ -787,6 +782,11 @@ int dccp_sendmsg(struct sock *sk, struct msghdr *msg, size_t len) - if (skb == NULL) - goto out_release; - -+ if (dccp_qpolicy_full(sk)) { -+ rc = -EAGAIN; -+ goto out_discard; -+ } -+ - if (sk->sk_state == DCCP_CLOSED) { - rc = -ENOTCONN; - goto out_discard; --- -2.35.1 - diff --git a/queue-4.9/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch b/queue-4.9/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch deleted file mode 100644 index 96151f554e2..00000000000 --- a/queue-4.9/dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 88435808439ff037792443b72083f54883a726c8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 22 Jul 2022 15:31:23 -0400 -Subject: dm: return early from dm_pr_call() if DM device is suspended - -From: Mike Snitzer - -[ Upstream commit e120a5f1e78fab6223544e425015f393d90d6f0d ] - -Otherwise PR ops may be issued while the broader DM device is being -reconfigured, etc. - -Fixes: 9c72bad1f31a ("dm: call PR reserve/unreserve on each underlying device") -Signed-off-by: Mike Snitzer -Signed-off-by: Sasha Levin ---- - drivers/md/dm.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/md/dm.c b/drivers/md/dm.c -index ec6c2b566621..8b340f89c692 100644 ---- a/drivers/md/dm.c -+++ b/drivers/md/dm.c -@@ -2657,6 +2657,11 @@ static int dm_call_pr(struct block_device *bdev, iterate_devices_callout_fn fn, - goto out; - ti = dm_table_get_target(table, 0); - -+ if (dm_suspended_md(md)) { -+ ret = -EAGAIN; -+ goto out; -+ } -+ - ret = -EINVAL; - if (!ti->type->iterate_devices) - goto out; --- -2.35.1 - diff --git a/queue-4.9/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch b/queue-4.9/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch deleted file mode 100644 index 8ae83b4e47c..00000000000 --- a/queue-4.9/drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 90714b10dead66893368a0785c70df273b2248fc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Jun 2022 18:34:01 +0800 -Subject: drm: bridge: adv7511: Add check for mipi_dsi_driver_register - -From: Jiasheng Jiang - -[ Upstream commit 831463667b5f4f1e5bce9c3b94e9e794d2bc8923 ] - -As mipi_dsi_driver_register could return error if fails, -it should be better to check the return value and return error -if fails. -Moreover, if i2c_add_driver fails, mipi_dsi_driver_register -should be reverted. - -Fixes: 1e4d58cd7f88 ("drm/bridge: adv7533: Create a MIPI DSI device") -Signed-off-by: Jiasheng Jiang -Reviewed-by: Laurent Pinchart -Signed-off-by: Sam Ravnborg -Link: https://patchwork.freedesktop.org/patch/msgid/20220602103401.2980938-1-jiasheng@iscas.ac.cn -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c -index 1b2fae915ecc..a40db5ede9bf 100644 ---- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c -+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c -@@ -1142,10 +1142,21 @@ static struct i2c_driver adv7511_driver = { - - static int __init adv7511_init(void) - { -- if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) -- mipi_dsi_driver_register(&adv7533_dsi_driver); -+ int ret; -+ -+ if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) { -+ ret = mipi_dsi_driver_register(&adv7533_dsi_driver); -+ if (ret) -+ return ret; -+ } - -- return i2c_add_driver(&adv7511_driver); -+ ret = i2c_add_driver(&adv7511_driver); -+ if (ret) { -+ if (IS_ENABLED(CONFIG_DRM_MIPI_DSI)) -+ mipi_dsi_driver_unregister(&adv7533_dsi_driver); -+ } -+ -+ return ret; - } - module_init(adv7511_init); - --- -2.35.1 - diff --git a/queue-4.9/drm-mediatek-dpi-remove-output-format-of-yuv.patch b/queue-4.9/drm-mediatek-dpi-remove-output-format-of-yuv.patch deleted file mode 100644 index 1973bdc8213..00000000000 --- a/queue-4.9/drm-mediatek-dpi-remove-output-format-of-yuv.patch +++ /dev/null @@ -1,73 +0,0 @@ -From a4e95476f12d836e92b4fd8b5f64de0242b514a3 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 11:58:33 +0800 -Subject: drm/mediatek: dpi: Remove output format of YUV - -From: Bo-Chen Chen - -[ Upstream commit c9ed0713b3c35fc45677707ba47f432cad95da56 ] - -DPI is not support output format as YUV, but there is the setting of -configuring output YUV. Therefore, remove them in this patch. - -Fixes: 9e629c17aa8d ("drm/mediatek: Add DPI sub driver") -Signed-off-by: Bo-Chen Chen -Link: https://patchwork.kernel.org/project/linux-mediatek/patch/20220701035845.16458-5-rex-bc.chen@mediatek.com/ -Signed-off-by: Chun-Kuang Hu -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/mediatek/mtk_dpi.c | 31 ++++++------------------------ - 1 file changed, 6 insertions(+), 25 deletions(-) - -diff --git a/drivers/gpu/drm/mediatek/mtk_dpi.c b/drivers/gpu/drm/mediatek/mtk_dpi.c -index 90fb831ef031..782f0ef9e6e0 100644 ---- a/drivers/gpu/drm/mediatek/mtk_dpi.c -+++ b/drivers/gpu/drm/mediatek/mtk_dpi.c -@@ -51,13 +51,7 @@ enum mtk_dpi_out_channel_swap { - }; - - enum mtk_dpi_out_color_format { -- MTK_DPI_COLOR_FORMAT_RGB, -- MTK_DPI_COLOR_FORMAT_RGB_FULL, -- MTK_DPI_COLOR_FORMAT_YCBCR_444, -- MTK_DPI_COLOR_FORMAT_YCBCR_422, -- MTK_DPI_COLOR_FORMAT_XV_YCC, -- MTK_DPI_COLOR_FORMAT_YCBCR_444_FULL, -- MTK_DPI_COLOR_FORMAT_YCBCR_422_FULL -+ MTK_DPI_COLOR_FORMAT_RGB - }; - - struct mtk_dpi { -@@ -345,24 +339,11 @@ static void mtk_dpi_config_2n_h_fre(struct mtk_dpi *dpi) - static void mtk_dpi_config_color_format(struct mtk_dpi *dpi, - enum mtk_dpi_out_color_format format) - { -- if ((format == MTK_DPI_COLOR_FORMAT_YCBCR_444) || -- (format == MTK_DPI_COLOR_FORMAT_YCBCR_444_FULL)) { -- mtk_dpi_config_yuv422_enable(dpi, false); -- mtk_dpi_config_csc_enable(dpi, true); -- mtk_dpi_config_swap_input(dpi, false); -- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_BGR); -- } else if ((format == MTK_DPI_COLOR_FORMAT_YCBCR_422) || -- (format == MTK_DPI_COLOR_FORMAT_YCBCR_422_FULL)) { -- mtk_dpi_config_yuv422_enable(dpi, true); -- mtk_dpi_config_csc_enable(dpi, true); -- mtk_dpi_config_swap_input(dpi, true); -- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); -- } else { -- mtk_dpi_config_yuv422_enable(dpi, false); -- mtk_dpi_config_csc_enable(dpi, false); -- mtk_dpi_config_swap_input(dpi, false); -- mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); -- } -+ /* only support RGB888 */ -+ mtk_dpi_config_yuv422_enable(dpi, false); -+ mtk_dpi_config_csc_enable(dpi, false); -+ mtk_dpi_config_swap_input(dpi, false); -+ mtk_dpi_config_channel_swap(dpi, MTK_DPI_OUT_CHANNEL_SWAP_RGB); - } - - static void mtk_dpi_power_off(struct mtk_dpi *dpi, enum mtk_dpi_power_ctl pctl) --- -2.35.1 - diff --git a/queue-4.9/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch b/queue-4.9/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch deleted file mode 100644 index 5bc461691a1..00000000000 --- a/queue-4.9/drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch +++ /dev/null @@ -1,40 +0,0 @@ -From ffc83f483ce4f1a0dc1aa593d8ba47174c613e51 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 9 Jun 2022 15:23:43 +0300 -Subject: drm/msm/hdmi: enable core-vcc/core-vdda-supply for 8996 platform - -From: Dmitry Baryshkov - -[ Upstream commit 1f88301794595ff4c28a1f1befe690e8dbac72a2 ] - -DB820c makes use of core-vcc-supply and core-vdda-supply, however the -driver code doesn't support these regulators. Enable them for HDMI on -8996 platform. - -Fixes: 0afbe59edd3f ("drm/msm/hdmi: Add basic HDMI support for msm8996") -Signed-off-by: Dmitry Baryshkov -Reviewed-by: Stephen Boyd -Patchwork: https://patchwork.freedesktop.org/patch/488857/ -Link: https://lore.kernel.org/r/20220609122350.3157529-8-dmitry.baryshkov@linaro.org -Signed-off-by: Dmitry Baryshkov -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/msm/hdmi/hdmi.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/msm/hdmi/hdmi.c b/drivers/gpu/drm/msm/hdmi/hdmi.c -index 48ab46726707..4946d3ec6776 100644 ---- a/drivers/gpu/drm/msm/hdmi/hdmi.c -+++ b/drivers/gpu/drm/msm/hdmi/hdmi.c -@@ -403,7 +403,7 @@ static struct hdmi_platform_config hdmi_tx_8994_config = { - }; - - static struct hdmi_platform_config hdmi_tx_8996_config = { -- HDMI_CFG(pwr_reg, none), -+ HDMI_CFG(pwr_reg, 8x74), - HDMI_CFG(hpd_reg, none), - HDMI_CFG(pwr_clk, 8x74), - HDMI_CFG(hpd_clk, 8x74), --- -2.35.1 - diff --git a/queue-4.9/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch b/queue-4.9/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch deleted file mode 100644 index 5ef0050b0ce..00000000000 --- a/queue-4.9/drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 756769ef5d66dffba7148aac7d2401d4f8e2ed03 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 6 Jun 2022 16:50:54 +0300 -Subject: drm/radeon: fix potential buffer overflow in - ni_set_mc_special_registers() - -From: Alexey Kodanev - -[ Upstream commit 136f614931a2bb73616b292cf542da3a18daefd5 ] - -The last case label can write two buffers 'mc_reg_address[j]' and -'mc_data[j]' with 'j' offset equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE -since there are no checks for this value in both case labels after the -last 'j++'. - -Instead of changing '>' to '>=' there, add the bounds check at the start -of the second 'case' (the first one already has it). - -Also, remove redundant last checks for 'j' index bigger than array size. -The expression is always false. Moreover, before or after the patch -'table->last' can be equal to SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE and it -seems it can be a valid value. - -Detected using the static analysis tool - Svace. -Fixes: 69e0b57a91ad ("drm/radeon/kms: add dpm support for cayman (v5)") -Signed-off-by: Alexey Kodanev -Signed-off-by: Alex Deucher -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/radeon/ni_dpm.c | 6 ++---- - 1 file changed, 2 insertions(+), 4 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/ni_dpm.c b/drivers/gpu/drm/radeon/ni_dpm.c -index a32cf6dbd3ee..cae3738885c8 100644 ---- a/drivers/gpu/drm/radeon/ni_dpm.c -+++ b/drivers/gpu/drm/radeon/ni_dpm.c -@@ -2738,10 +2738,10 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev, - table->mc_reg_table_entry[k].mc_data[j] |= 0x100; - } - j++; -- if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) -- return -EINVAL; - break; - case MC_SEQ_RESERVE_M >> 2: -+ if (j >= SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) -+ return -EINVAL; - temp_reg = RREG32(MC_PMG_CMD_MRS1); - table->mc_reg_address[j].s1 = MC_PMG_CMD_MRS1 >> 2; - table->mc_reg_address[j].s0 = MC_SEQ_PMG_CMD_MRS1_LP >> 2; -@@ -2750,8 +2750,6 @@ static int ni_set_mc_special_registers(struct radeon_device *rdev, - (temp_reg & 0xffff0000) | - (table->mc_reg_table_entry[k].mc_data[i] & 0x0000ffff); - j++; -- if (j > SMC_NISLANDS_MC_REGISTER_ARRAY_SIZE) -- return -EINVAL; - break; - default: - break; --- -2.35.1 - diff --git a/queue-4.9/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch b/queue-4.9/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch deleted file mode 100644 index 825f63c6d20..00000000000 --- a/queue-4.9/drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 81244abaa071400ace2eeed1855b0f0aa061964a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 17 Jun 2022 17:26:52 -0700 -Subject: drm/rockchip: vop: Don't crash for invalid duplicate_state() - -From: Brian Norris - -[ Upstream commit 1449110b0dade8b638d2c17ab7c5b0ff696bfccb ] - -It's possible for users to try to duplicate the CRTC state even when the -state doesn't exist. drm_atomic_helper_crtc_duplicate_state() (and other -users of __drm_atomic_helper_crtc_duplicate_state()) already guard this -with a WARN_ON() instead of crashing, so let's do that here too. - -Fixes: 4e257d9eee23 ("drm/rockchip: get rid of rockchip_drm_crtc_mode_config") -Signed-off-by: Brian Norris -Reviewed-by: Sean Paul -Reviewed-by: Douglas Anderson -Signed-off-by: Heiko Stuebner -Link: https://patchwork.freedesktop.org/patch/msgid/20220617172623.1.I62db228170b1559ada60b8d3e1637e1688424926@changeid -Signed-off-by: Sasha Levin ---- - drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c -index 050f9a59ed54..5b8f005a91ef 100644 ---- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c -+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c -@@ -1089,6 +1089,9 @@ static struct drm_crtc_state *vop_crtc_duplicate_state(struct drm_crtc *crtc) - { - struct rockchip_crtc_state *rockchip_state; - -+ if (WARN_ON(!crtc->state)) -+ return NULL; -+ - rockchip_state = kzalloc(sizeof(*rockchip_state), GFP_KERNEL); - if (!rockchip_state) - return NULL; --- -2.35.1 - diff --git a/queue-4.9/ext2-add-more-validity-checks-for-inode-counts.patch b/queue-4.9/ext2-add-more-validity-checks-for-inode-counts.patch deleted file mode 100644 index aa4d75bda45..00000000000 --- a/queue-4.9/ext2-add-more-validity-checks-for-inode-counts.patch +++ /dev/null @@ -1,55 +0,0 @@ -From bb689673700242d803d565deabd1b0b9b35fe157 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 13:13:50 +0200 -Subject: ext2: Add more validity checks for inode counts - -From: Jan Kara - -[ Upstream commit fa78f336937240d1bc598db817d638086060e7e9 ] - -Add checks verifying number of inodes stored in the superblock matches -the number computed from number of inodes per group. Also verify we have -at least one block worth of inodes per group. This prevents crashes on -corrupted filesystems. - -Reported-by: syzbot+d273f7d7f58afd93be48@syzkaller.appspotmail.com -Signed-off-by: Jan Kara -Signed-off-by: Sasha Levin ---- - fs/ext2/super.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/fs/ext2/super.c b/fs/ext2/super.c -index 5ca1f73958b0..7cc83403ebe7 100644 ---- a/fs/ext2/super.c -+++ b/fs/ext2/super.c -@@ -1042,9 +1042,10 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) - sbi->s_frags_per_group); - goto failed_mount; - } -- if (sbi->s_inodes_per_group > sb->s_blocksize * 8) { -+ if (sbi->s_inodes_per_group < sbi->s_inodes_per_block || -+ sbi->s_inodes_per_group > sb->s_blocksize * 8) { - ext2_msg(sb, KERN_ERR, -- "error: #inodes per group too big: %lu", -+ "error: invalid #inodes per group: %lu", - sbi->s_inodes_per_group); - goto failed_mount; - } -@@ -1054,6 +1055,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent) - sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) - - le32_to_cpu(es->s_first_data_block) - 1) - / EXT2_BLOCKS_PER_GROUP(sb)) + 1; -+ if ((u64)sbi->s_groups_count * sbi->s_inodes_per_group != -+ le32_to_cpu(es->s_inodes_count)) { -+ ext2_msg(sb, KERN_ERR, "error: invalid #inodes: %u vs computed %llu", -+ le32_to_cpu(es->s_inodes_count), -+ (u64)sbi->s_groups_count * sbi->s_inodes_per_group); -+ goto failed_mount; -+ } - db_count = (sbi->s_groups_count + EXT2_DESC_PER_BLOCK(sb) - 1) / - EXT2_DESC_PER_BLOCK(sb); - sbi->s_group_desc = kmalloc (db_count * sizeof (struct buffer_head *), GFP_KERNEL); --- -2.35.1 - diff --git a/queue-4.9/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch b/queue-4.9/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch deleted file mode 100644 index eb1828ccf6d..00000000000 --- a/queue-4.9/ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 156f9a905c8b0102df7c2f93f63b1068b6d9cf4b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 17 Jun 2022 14:25:15 +0800 -Subject: ext4: recover csum seed of tmp_inode after migrating to extents - -From: Li Lingfeng - -[ Upstream commit 07ea7a617d6b278fb7acedb5cbe1a81ce2de7d0c ] - -When migrating to extents, the checksum seed of temporary inode -need to be replaced by inode's, otherwise the inode checksums -will be incorrect when swapping the inodes data. - -However, the temporary inode can not match it's checksum to -itself since it has lost it's own checksum seed. - -mkfs.ext4 -F /dev/sdc -mount /dev/sdc /mnt/sdc -xfs_io -fc "pwrite 4k 4k" -c "fsync" /mnt/sdc/testfile -chattr -e /mnt/sdc/testfile -chattr +e /mnt/sdc/testfile -umount /dev/sdc -fsck -fn /dev/sdc - -======== -... -Pass 1: Checking inodes, blocks, and sizes -Inode 13 passes checks, but checksum does not match inode. Fix? no -... -======== - -The fix is simple, save the checksum seed of temporary inode, and -recover it after migrating to extents. - -Fixes: e81c9302a6c3 ("ext4: set csum seed in tmp inode while migrating to extents") -Signed-off-by: Li Lingfeng -Reviewed-by: Jan Kara -Link: https://lore.kernel.org/r/20220617062515.2113438-1-lilingfeng3@huawei.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Sasha Levin ---- - fs/ext4/migrate.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c -index 6967ab3306e7..0f8213404400 100644 ---- a/fs/ext4/migrate.c -+++ b/fs/ext4/migrate.c -@@ -442,7 +442,7 @@ int ext4_ext_migrate(struct inode *inode) - struct inode *tmp_inode = NULL; - struct migrate_struct lb; - unsigned long max_entries; -- __u32 goal; -+ __u32 goal, tmp_csum_seed; - uid_t owner[2]; - - /* -@@ -490,6 +490,7 @@ int ext4_ext_migrate(struct inode *inode) - * the migration. - */ - ei = EXT4_I(inode); -+ tmp_csum_seed = EXT4_I(tmp_inode)->i_csum_seed; - EXT4_I(tmp_inode)->i_csum_seed = ei->i_csum_seed; - i_size_write(tmp_inode, i_size_read(inode)); - /* -@@ -600,6 +601,7 @@ int ext4_ext_migrate(struct inode *inode) - * the inode is not visible to user space. - */ - tmp_inode->i_blocks = 0; -+ EXT4_I(tmp_inode)->i_csum_seed = tmp_csum_seed; - - /* Reset the extent details */ - ext4_ext_tree_init(handle, tmp_inode); --- -2.35.1 - diff --git a/queue-4.9/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch b/queue-4.9/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch deleted file mode 100644 index 7129758c4e6..00000000000 --- a/queue-4.9/fs-check-fmode_lseek-to-control-internal-pipe-splici.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 684c280cc762971e581611fab4ac9386315351e7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 29 Jun 2022 15:06:58 +0200 -Subject: fs: check FMODE_LSEEK to control internal pipe splicing - -From: Jason A. Donenfeld - -[ Upstream commit 97ef77c52b789ec1411d360ed99dca1efe4b2c81 ] - -The original direct splicing mechanism from Jens required the input to -be a regular file because it was avoiding the special socket case. It -also recognized blkdevs as being close enough to a regular file. But it -forgot about chardevs, which behave the same way and work fine here. - -This is an okayish heuristic, but it doesn't totally work. For example, -a few chardevs should be spliceable here. And a few regular files -shouldn't. This patch fixes this by instead checking whether FMODE_LSEEK -is set, which represents decently enough what we need rewinding for when -splicing to internal pipes. - -Fixes: b92ce5589374 ("[PATCH] splice: add direct fd <-> fd splicing support") -Cc: Jens Axboe -Signed-off-by: Jason A. Donenfeld -Signed-off-by: Al Viro -Signed-off-by: Sasha Levin ---- - fs/splice.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/fs/splice.c b/fs/splice.c -index 8bfbc8a50164..53fe0177724a 100644 ---- a/fs/splice.c -+++ b/fs/splice.c -@@ -917,17 +917,15 @@ ssize_t splice_direct_to_actor(struct file *in, struct splice_desc *sd, - { - struct pipe_inode_info *pipe; - long ret, bytes; -- umode_t i_mode; - size_t len; - int i, flags, more; - - /* -- * We require the input being a regular file, as we don't want to -- * randomly drop data for eg socket -> socket splicing. Use the -- * piped splicing for that! -+ * We require the input to be seekable, as we don't want to randomly -+ * drop data for eg socket -> socket splicing. Use the piped splicing -+ * for that! - */ -- i_mode = file_inode(in)->i_mode; -- if (unlikely(!S_ISREG(i_mode) && !S_ISBLK(i_mode))) -+ if (unlikely(!(in->f_mode & FMODE_LSEEK))) - return -EINVAL; - - /* --- -2.35.1 - diff --git a/queue-4.9/genelf-use-have_libcrypto_support-not-the-never-defi.patch b/queue-4.9/genelf-use-have_libcrypto_support-not-the-never-defi.patch deleted file mode 100644 index 82c52e97421..00000000000 --- a/queue-4.9/genelf-use-have_libcrypto_support-not-the-never-defi.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 2c9813f247365b41d7608700c191a04649de9d8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 15:13:22 -0300 -Subject: genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined - HAVE_LIBCRYPTO -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Arnaldo Carvalho de Melo - -[ Upstream commit 91cea6be90e436c55cde8770a15e4dac9d3032d0 ] - -When genelf was introduced it tested for HAVE_LIBCRYPTO not -HAVE_LIBCRYPTO_SUPPORT, which is the define the feature test for openssl -defines, fix it. - -This also adds disables the deprecation warning, someone has to fix this -to build with openssl 3.0 before the warning becomes a hard error. - -Fixes: 9b07e27f88b9cd78 ("perf inject: Add jitdump mmap injection support") -Reported-by: 谭梓煊 -Cc: Alexei Starovoitov -Cc: Andrii Nakryiko -Cc: Daniel Borkmann -Cc: Jiri Olsa -Cc: John Fastabend -Cc: KP Singh -Cc: Martin KaFai Lau -Cc: Nick Terrell -Cc: Song Liu -Cc: Stephane Eranian -Link: http://lore.kernel.org/lkml/YulpPqXSOG0Q4J1o@kernel.org -Signed-off-by: Arnaldo Carvalho de Melo -Signed-off-by: Sasha Levin ---- - tools/perf/util/genelf.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/tools/perf/util/genelf.c b/tools/perf/util/genelf.c -index 14a73acc549c..895083f1dd34 100644 ---- a/tools/perf/util/genelf.c -+++ b/tools/perf/util/genelf.c -@@ -31,7 +31,11 @@ - - #define BUILD_ID_URANDOM /* different uuid for each run */ - --#ifdef HAVE_LIBCRYPTO -+// FIXME, remove this and fix the deprecation warnings before its removed and -+// We'll break for good here... -+#pragma GCC diagnostic ignored "-Wdeprecated-declarations" -+ -+#ifdef HAVE_LIBCRYPTO_SUPPORT - - #define BUILD_ID_MD5 - #undef BUILD_ID_SHA /* does not seem to work well when linked with Java */ --- -2.35.1 - diff --git a/queue-4.9/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch b/queue-4.9/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch deleted file mode 100644 index 54da27ca413..00000000000 --- a/queue-4.9/gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch +++ /dev/null @@ -1,53 +0,0 @@ -From aa127826ca5b5b46a13d44e22e6c0e5b7e2841bd Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 20:52:38 +0800 -Subject: gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() - -From: Liang He - -[ Upstream commit 5d07a692f9562f9c06e62cce369e9dd108173a0f ] - -We should use of_node_get() when a new reference of device_node -is created. It is noted that the old reference stored in -'mm_gc->gc.of_node' should also be decreased. - -This patch is based on the fact that there is a call site in function -'qe_add_gpiochips()' of src file 'drivers\soc\fsl\qe\gpio.c'. In this -function, of_mm_gpiochip_add_data() is contained in an iteration of -for_each_compatible_node() which will automatically increase and -decrease the refcount. So we need additional of_node_get() for the -reference escape in of_mm_gpiochip_add_data(). - -Fixes: a19e3da5bc5f ("of/gpio: Kill of_gpio_chip and add members directly to gpio_chip") -Signed-off-by: Liang He -Signed-off-by: Bartosz Golaszewski -Signed-off-by: Sasha Levin ---- - drivers/gpio/gpiolib-of.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpio/gpiolib-of.c b/drivers/gpio/gpiolib-of.c -index 9e40914c0984..6e6065977cc5 100644 ---- a/drivers/gpio/gpiolib-of.c -+++ b/drivers/gpio/gpiolib-of.c -@@ -382,7 +382,8 @@ int of_mm_gpiochip_add_data(struct device_node *np, - if (mm_gc->save_regs) - mm_gc->save_regs(mm_gc); - -- mm_gc->gc.of_node = np; -+ of_node_put(mm_gc->gc.of_node); -+ mm_gc->gc.of_node = of_node_get(np); - - ret = gpiochip_add_data(gc, data); - if (ret) -@@ -390,6 +391,7 @@ int of_mm_gpiochip_add_data(struct device_node *np, - - return 0; - err2: -+ of_node_put(np); - iounmap(mm_gc->regs); - err1: - kfree(gc->label); --- -2.35.1 - diff --git a/queue-4.9/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch b/queue-4.9/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch deleted file mode 100644 index f05e713a170..00000000000 --- a/queue-4.9/hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch +++ /dev/null @@ -1,78 +0,0 @@ -From 17ccd0df830f664d47fff4d2cb6ba5f0c2f06adb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Jul 2022 21:43:44 +0200 -Subject: hwmon: (sht15) Fix wrong assumptions in device remove callback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Uwe Kleine-König - -[ Upstream commit 7d4edccc9bbfe1dcdff641343f7b0c6763fbe774 ] - -Taking a lock at the beginning of .remove() doesn't prevent new readers. -With the existing approach it can happen, that a read occurs just when -the lock was taken blocking the reader until the lock is released at the -end of the remove callback which then accessed *data that is already -freed then. - -To actually fix this problem the hwmon core needs some adaption. Until -this is implemented take the optimistic approach of assuming that all -readers are gone after hwmon_device_unregister() and -sysfs_remove_group() as most other drivers do. (And once the core -implements that, taking the lock would deadlock.) - -So drop the lock, move the reset to after device unregistration to keep -the device in a workable state until it's deregistered. Also add a error -message in case the reset fails and return 0 anyhow. (Returning an error -code, doesn't stop the platform device unregistration and only results -in a little helpful error message before the devm cleanup handlers are -called.) - -Signed-off-by: Uwe Kleine-König -Link: https://lore.kernel.org/r/20220725194344.150098-1-u.kleine-koenig@pengutronix.de -Signed-off-by: Guenter Roeck -Signed-off-by: Sasha Levin ---- - drivers/hwmon/sht15.c | 17 ++++++----------- - 1 file changed, 6 insertions(+), 11 deletions(-) - -diff --git a/drivers/hwmon/sht15.c b/drivers/hwmon/sht15.c -index a2fdbb7d20ed..3bff2dce3123 100644 ---- a/drivers/hwmon/sht15.c -+++ b/drivers/hwmon/sht15.c -@@ -1040,25 +1040,20 @@ static int sht15_probe(struct platform_device *pdev) - static int sht15_remove(struct platform_device *pdev) - { - struct sht15_data *data = platform_get_drvdata(pdev); -+ int ret; - -- /* -- * Make sure any reads from the device are done and -- * prevent new ones beginning -- */ -- mutex_lock(&data->read_lock); -- if (sht15_soft_reset(data)) { -- mutex_unlock(&data->read_lock); -- return -EFAULT; -- } - hwmon_device_unregister(data->hwmon_dev); - sysfs_remove_group(&pdev->dev.kobj, &sht15_attr_group); -+ -+ ret = sht15_soft_reset(data); -+ if (ret) -+ dev_err(&pdev->dev, "Failed to reset device (%pe)\n", ERR_PTR(ret)); -+ - if (!IS_ERR(data->reg)) { - regulator_unregister_notifier(data->reg, &data->nb); - regulator_disable(data->reg); - } - -- mutex_unlock(&data->read_lock); -- - return 0; - } - --- -2.35.1 - diff --git a/queue-4.9/i2c-cadence-support-pec-for-smbus-block-read.patch b/queue-4.9/i2c-cadence-support-pec-for-smbus-block-read.patch deleted file mode 100644 index 0606f58befe..00000000000 --- a/queue-4.9/i2c-cadence-support-pec-for-smbus-block-read.patch +++ /dev/null @@ -1,77 +0,0 @@ -From f88852eeab32566e0744ac9d708217097a1027e9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 17 Jul 2022 16:52:44 +0200 -Subject: i2c: cadence: Support PEC for SMBus block read - -From: Lars-Peter Clausen - -[ Upstream commit 9fdf6d97f03035ad5298e2d1635036c74c2090ed ] - -SMBus packet error checking (PEC) is implemented by appending one -additional byte of checksum data at the end of the message. This provides -additional protection and allows to detect data corruption on the I2C bus. - -SMBus block reads support variable length reads. The first byte in the read -message is the number of available data bytes. - -The combination of PEC and block read is currently not supported by the -Cadence I2C driver. - * When PEC is enabled the maximum transfer length for block reads - increases from 33 to 34 bytes. - * The I2C core smbus emulation layer relies on the driver updating the - `i2c_msg` `len` field with the number of received bytes. The updated - length is used when checking the PEC. - -Add support to the Cadence I2C driver for handling SMBus block reads with -PEC. To determine the maximum transfer length uses the initial `len` value -of the `i2c_msg`. When PEC is enabled this will be 2, when it is disabled -it will be 1. - -Once a read transfer is done also increment the `len` field by the amount -of received data bytes. - -This change has been tested with a UCM90320 PMBus power monitor, which -requires block reads to access certain data fields, but also has PEC -enabled by default. - -Fixes: df8eb5691c48 ("i2c: Add driver for Cadence I2C controller") -Signed-off-by: Lars-Peter Clausen -Tested-by: Shubhrajyoti Datta -Signed-off-by: Wolfram Sang -Signed-off-by: Sasha Levin ---- - drivers/i2c/busses/i2c-cadence.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/i2c/busses/i2c-cadence.c b/drivers/i2c/busses/i2c-cadence.c -index fce1906e7df1..d67dc1b943cb 100644 ---- a/drivers/i2c/busses/i2c-cadence.c -+++ b/drivers/i2c/busses/i2c-cadence.c -@@ -353,8 +353,13 @@ static void cdns_i2c_mrecv(struct cdns_i2c *id) - ctrl_reg = cdns_i2c_readreg(CDNS_I2C_CR_OFFSET); - ctrl_reg |= CDNS_I2C_CR_RW | CDNS_I2C_CR_CLR_FIFO; - -+ /* -+ * Receive up to I2C_SMBUS_BLOCK_MAX data bytes, plus one message length -+ * byte, plus one checksum byte if PEC is enabled. p_msg->len will be 2 if -+ * PEC is enabled, otherwise 1. -+ */ - if (id->p_msg->flags & I2C_M_RECV_LEN) -- id->recv_count = I2C_SMBUS_BLOCK_MAX + 1; -+ id->recv_count = I2C_SMBUS_BLOCK_MAX + id->p_msg->len; - - id->curr_recv_count = id->recv_count; - -@@ -540,6 +545,9 @@ static int cdns_i2c_process_msg(struct cdns_i2c *id, struct i2c_msg *msg, - if (id->err_status & CDNS_I2C_IXR_ARB_LOST) - return -EAGAIN; - -+ if (msg->flags & I2C_M_RECV_LEN) -+ msg->len += min_t(unsigned int, msg->buf[0], I2C_SMBUS_BLOCK_MAX); -+ - return 0; - } - --- -2.35.1 - diff --git a/queue-4.9/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch b/queue-4.9/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch deleted file mode 100644 index 6920ab2bc50..00000000000 --- a/queue-4.9/include-uapi-linux-swab.h-fix-userspace-breakage-use.patch +++ /dev/null @@ -1,77 +0,0 @@ -From a77748523ed3bcdbbd3870139571e1ac03eb45c2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 20 Feb 2020 20:04:03 -0800 -Subject: include/uapi/linux/swab.h: fix userspace breakage, use - __BITS_PER_LONG for swap - -From: Christian Borntraeger - -commit 467d12f5c7842896d2de3ced74e4147ee29e97c8 upstream. - -QEMU has a funny new build error message when I use the upstream kernel -headers: - - CC block/file-posix.o - In file included from /home/cborntra/REPOS/qemu/include/qemu/timer.h:4, - from /home/cborntra/REPOS/qemu/include/qemu/timed-average.h:29, - from /home/cborntra/REPOS/qemu/include/block/accounting.h:28, - from /home/cborntra/REPOS/qemu/include/block/block_int.h:27, - from /home/cborntra/REPOS/qemu/block/file-posix.c:30: - /usr/include/linux/swab.h: In function `__swab': - /home/cborntra/REPOS/qemu/include/qemu/bitops.h:20:34: error: "sizeof" is not defined, evaluates to 0 [-Werror=undef] - 20 | #define BITS_PER_LONG (sizeof (unsigned long) * BITS_PER_BYTE) - | ^~~~~~ - /home/cborntra/REPOS/qemu/include/qemu/bitops.h:20:41: error: missing binary operator before token "(" - 20 | #define BITS_PER_LONG (sizeof (unsigned long) * BITS_PER_BYTE) - | ^ - cc1: all warnings being treated as errors - make: *** [/home/cborntra/REPOS/qemu/rules.mak:69: block/file-posix.o] Error 1 - rm tests/qemu-iotests/socket_scm_helper.o - -This was triggered by commit d5767057c9a ("uapi: rename ext2_swab() to -swab() and share globally in swab.h"). That patch is doing - - #include - -but it uses BITS_PER_LONG. - -The kernel file asm/bitsperlong.h provide only __BITS_PER_LONG. - -Let us use the __ variant in swap.h - -Link: http://lkml.kernel.org/r/20200213142147.17604-1-borntraeger@de.ibm.com -Fixes: d5767057c9a ("uapi: rename ext2_swab() to swab() and share globally in swab.h") -Signed-off-by: Christian Borntraeger -Cc: Yury Norov -Cc: Allison Randal -Cc: Joe Perches -Cc: Thomas Gleixner -Cc: William Breathitt Gray -Cc: Torsten Hilbrich -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - include/uapi/linux/swab.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/include/uapi/linux/swab.h b/include/uapi/linux/swab.h -index 1f42d110987a..51502eabdb05 100644 ---- a/include/uapi/linux/swab.h -+++ b/include/uapi/linux/swab.h -@@ -134,9 +134,9 @@ static inline __attribute_const__ __u32 __fswahb32(__u32 val) - - static __always_inline unsigned long __swab(const unsigned long y) - { --#if BITS_PER_LONG == 64 -+#if __BITS_PER_LONG == 64 - return __swab64(y); --#else /* BITS_PER_LONG == 32 */ -+#else /* __BITS_PER_LONG == 32 */ - return __swab32(y); - #endif - } --- -2.35.1 - diff --git a/queue-4.9/init-main-fix-double-the-in-comment.patch-30143 b/queue-4.9/init-main-fix-double-the-in-comment.patch-30143 deleted file mode 100644 index e40c3cbc7b5..00000000000 --- a/queue-4.9/init-main-fix-double-the-in-comment.patch-30143 +++ /dev/null @@ -1,35 +0,0 @@ -From f1837c7d859ea9d3ec1f2346f8138f3877f173f4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 23 Mar 2017 17:00:04 +0530 -Subject: init/main: Fix double "the" in comment - -From: Viresh Kumar - -commit 6623f1c6150c09ce946c8e27a4c814d64919495b upstream. - -s/the\ the/the - -Signed-off-by: Viresh Kumar -Signed-off-by: Jiri Kosina -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - init/main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/init/main.c b/init/main.c -index 30226a836c8b..a6ecdd492ed2 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -488,7 +488,7 @@ asmlinkage __visible void __init start_kernel(void) - debug_objects_early_init(); - - /* -- * Set up the the initial canary ASAP: -+ * Set up the initial canary ASAP: - */ - add_latent_entropy(); - boot_init_stack_canary(); --- -2.35.1 - diff --git a/queue-4.9/init-main-properly-align-the-multi-line-comment.patch-21796 b/queue-4.9/init-main-properly-align-the-multi-line-comment.patch-21796 deleted file mode 100644 index f900e6f8df7..00000000000 --- a/queue-4.9/init-main-properly-align-the-multi-line-comment.patch-21796 +++ /dev/null @@ -1,42 +0,0 @@ -From ff8e3af969da8b78da113a93aa03f79704bf6842 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 23 Mar 2017 17:00:05 +0530 -Subject: init/main: properly align the multi-line comment - -From: Viresh Kumar - -commit 1b3b3b49b9961401331a1b496db5bec5c7b41ae6 upstream. - -Add a tab before it to follow standard practices. Also add the missing -full stop '.'. - -Signed-off-by: Viresh Kumar -Signed-off-by: Jiri Kosina -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - init/main.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/init/main.c b/init/main.c -index a6ecdd492ed2..8b803078d7b3 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -498,10 +498,10 @@ asmlinkage __visible void __init start_kernel(void) - local_irq_disable(); - early_boot_irqs_disabled = true; - --/* -- * Interrupts are still disabled. Do necessary setups, then -- * enable them -- */ -+ /* -+ * Interrupts are still disabled. Do necessary setups, then -+ * enable them. -+ */ - boot_cpu_init(); - page_address_init(); - pr_notice("%s", linux_banner); --- -2.35.1 - diff --git a/queue-4.9/init-main.c-extract-early-boot-entropy-from-the-pass.patch b/queue-4.9/init-main.c-extract-early-boot-entropy-from-the-pass.patch deleted file mode 100644 index 3eb8204a38c..00000000000 --- a/queue-4.9/init-main.c-extract-early-boot-entropy-from-the-pass.patch +++ /dev/null @@ -1,81 +0,0 @@ -From f9e9de266f9df738524e936b2963716b906addff Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 8 Sep 2017 16:16:20 -0700 -Subject: init/main.c: extract early boot entropy from the passed cmdline - -From: Daniel Micay - -commit 33d72f3822d7ff8a9e45bd7413c811085cb87aa5 upstream. - -Feed the boot command-line as to the /dev/random entropy pool - -Existing Android bootloaders usually pass data which may not be known by -an external attacker on the kernel command-line. It may also be the -case on other embedded systems. Sample command-line from a Google Pixel -running CopperheadOS.... - - console=ttyHSL0,115200,n8 androidboot.console=ttyHSL0 - androidboot.hardware=sailfish user_debug=31 ehci-hcd.park=3 - lpm_levels.sleep_disabled=1 cma=32M@0-0xffffffff buildvariant=user - veritykeyid=id:dfcb9db0089e5b3b4090a592415c28e1cb4545ab - androidboot.bootdevice=624000.ufshc androidboot.verifiedbootstate=yellow - androidboot.veritymode=enforcing androidboot.keymaster=1 - androidboot.serialno=FA6CE0305299 androidboot.baseband=msm - mdss_mdp.panel=1:dsi:0:qcom,mdss_dsi_samsung_ea8064tg_1080p_cmd:1:none:cfg:single_dsi - androidboot.slot_suffix=_b fpsimd.fpsimd_settings=0 - app_setting.use_app_setting=0 kernelflag=0x00000000 debugflag=0x00000000 - androidboot.hardware.revision=PVT radioflag=0x00000000 - radioflagex1=0x00000000 radioflagex2=0x00000000 cpumask=0x00000000 - androidboot.hardware.ddr=4096MB,Hynix,LPDDR4 androidboot.ddrinfo=00000006 - androidboot.ddrsize=4GB androidboot.hardware.color=GRA00 - androidboot.hardware.ufs=32GB,Samsung androidboot.msm.hw_ver_id=268824801 - androidboot.qf.st=2 androidboot.cid=11111111 androidboot.mid=G-2PW4100 - androidboot.bootloader=8996-012001-1704121145 - androidboot.oem_unlock_support=1 androidboot.fp_src=1 - androidboot.htc.hrdump=detected androidboot.ramdump.opt=mem@2g:2g,mem@4g:2g - androidboot.bootreason=reboot androidboot.ramdump_enable=0 ro - root=/dev/dm-0 dm="system none ro,0 1 android-verity /dev/sda34" - rootwait skip_initramfs init=/init androidboot.wificountrycode=US - androidboot.boottime=1BLL:85,1BLE:669,2BLL:0,2BLE:1777,SW:6,KL:8136 - -Among other things, it contains a value unique to the device -(androidboot.serialno=FA6CE0305299), unique to the OS builds for the -device variant (veritykeyid=id:dfcb9db0089e5b3b4090a592415c28e1cb4545ab) -and timings from the bootloader stages in milliseconds -(androidboot.boottime=1BLL:85,1BLE:669,2BLL:0,2BLE:1777,SW:6,KL:8136). - -[tytso@mit.edu: changelog tweak] -[labbott@redhat.com: line-wrapped command line] -Link: http://lkml.kernel.org/r/20170816231458.2299-3-labbott@redhat.com -Signed-off-by: Daniel Micay -Signed-off-by: Laura Abbott -Acked-by: Kees Cook -Cc: "Theodore Ts'o" -Cc: Laura Abbott -Cc: Nick Kralevich -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - init/main.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/init/main.c b/init/main.c -index 67fa94c59674..6bc1a3fa1526 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -502,8 +502,10 @@ asmlinkage __visible void __init start_kernel(void) - setup_arch(&command_line); - /* - * Set up the the initial canary and entropy after arch -+ * and after adding latent and command line entropy. - */ - add_latent_entropy(); -+ add_device_randomness(command_line, strlen(command_line)); - boot_init_stack_canary(); - mm_init_cpumask(&init_mm); - setup_command_line(command_line); --- -2.35.1 - diff --git a/queue-4.9/init-move-stack-canary-initialization-after-setup_ar.patch b/queue-4.9/init-move-stack-canary-initialization-after-setup_ar.patch deleted file mode 100644 index aaf94ee6a1c..00000000000 --- a/queue-4.9/init-move-stack-canary-initialization-after-setup_ar.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 65a923b113288f27b1f6d2acb6517c85f979b0a0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 8 Sep 2017 16:16:17 -0700 -Subject: init: move stack canary initialization after setup_arch - -From: Laura Abbott - -commit 121388a31362b0d3176dc1190ac8064b98a61b20 upstream. - -Patch series "Command line randomness", v3. - -A series to add the kernel command line as a source of randomness. - -This patch (of 2): - -Stack canary intialization involves getting a random number. Getting this -random number may involve accessing caches or other architectural specific -features which are not available until after the architecture is setup. -Move the stack canary initialization later to accommodate this. - -Link: http://lkml.kernel.org/r/20170816231458.2299-2-labbott@redhat.com -Signed-off-by: Laura Abbott -Signed-off-by: Laura Abbott -Acked-by: Kees Cook -Cc: "Theodore Ts'o" -Cc: Daniel Micay -Cc: Nick Kralevich -Signed-off-by: Andrew Morton -Signed-off-by: Linus Torvalds -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - init/main.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/init/main.c b/init/main.c -index 8b803078d7b3..67fa94c59674 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -487,12 +487,6 @@ asmlinkage __visible void __init start_kernel(void) - smp_setup_processor_id(); - debug_objects_early_init(); - -- /* -- * Set up the initial canary ASAP: -- */ -- add_latent_entropy(); -- boot_init_stack_canary(); -- - cgroup_init_early(); - - local_irq_disable(); -@@ -506,6 +500,11 @@ asmlinkage __visible void __init start_kernel(void) - page_address_init(); - pr_notice("%s", linux_banner); - setup_arch(&command_line); -+ /* -+ * Set up the the initial canary and entropy after arch -+ */ -+ add_latent_entropy(); -+ boot_init_stack_canary(); - mm_init_cpumask(&init_mm); - setup_command_line(command_line); - setup_nr_cpu_ids(); --- -2.35.1 - diff --git a/queue-4.9/ion-make-user_ion_handle_put_nolock-a-void-function.patch-382 b/queue-4.9/ion-make-user_ion_handle_put_nolock-a-void-function.patch-382 deleted file mode 100644 index 70fbd209993..00000000000 --- a/queue-4.9/ion-make-user_ion_handle_put_nolock-a-void-function.patch-382 +++ /dev/null @@ -1,60 +0,0 @@ -From 6747c5b8d01e233fdb983db335c9eb36c9b04b8b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 27 Jul 2022 09:46:17 -0700 -Subject: ion: Make user_ion_handle_put_nolock() a void function - -From: Nathan Chancellor - -Clang warns: - - drivers/staging/android/ion/ion-ioctl.c:71:6: warning: variable 'ret' is used uninitialized whenever 'if' condition is false [-Wsometimes-uninitialized] - if (--handle->user_ref_count == 0) - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - drivers/staging/android/ion/ion-ioctl.c:74:9: note: uninitialized use occurs here - return ret; - ^~~ - drivers/staging/android/ion/ion-ioctl.c:71:2: note: remove the 'if' if its condition is always true - if (--handle->user_ref_count == 0) - ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - drivers/staging/android/ion/ion-ioctl.c:69:9: note: initialize the variable 'ret' to silence this warning - int ret; - ^ - = 0 - 1 warning generated. - -The return value of user_ion_handle_put_nolock() is not checked in its -one call site in user_ion_free_nolock() so just make -user_ion_handle_put_nolock() return void to remove the warning. - -Fixes: a8200613c8c9 ("ion: Protect kref from userspace manipulation") -Reported-by: kernel test robot -Signed-off-by: Nathan Chancellor -Signed-off-by: Greg Kroah-Hartman ---- - drivers/staging/android/ion/ion-ioctl.c | 8 ++------ - 1 file changed, 2 insertions(+), 6 deletions(-) - -diff --git a/drivers/staging/android/ion/ion-ioctl.c b/drivers/staging/android/ion/ion-ioctl.c -index a27865b94416..e020a23d05f2 100644 ---- a/drivers/staging/android/ion/ion-ioctl.c -+++ b/drivers/staging/android/ion/ion-ioctl.c -@@ -64,14 +64,10 @@ static struct ion_handle *pass_to_user(struct ion_handle *handle) - } - - /* Must hold the client lock */ --static int user_ion_handle_put_nolock(struct ion_handle *handle) -+static void user_ion_handle_put_nolock(struct ion_handle *handle) - { -- int ret; -- - if (--handle->user_ref_count == 0) -- ret = ion_handle_put_nolock(handle); -- -- return ret; -+ ion_handle_put_nolock(handle); - } - - static void user_ion_free_nolock(struct ion_client *client, --- -2.35.1 - diff --git a/queue-4.9/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch b/queue-4.9/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch deleted file mode 100644 index 20098aae57b..00000000000 --- a/queue-4.9/jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 60a91094a1dd63ef378c76ac910aa8792847073a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 20:51:52 +0800 -Subject: jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal - aborted - -From: Zhihao Cheng - -[ Upstream commit 4a734f0869f970b8a9b65062ea40b09a5da9dba8 ] - -Following process will fail assertion 'jh->b_frozen_data == NULL' in -jbd2_journal_dirty_metadata(): - - jbd2_journal_commit_transaction -unlink(dir/a) - jh->b_transaction = trans1 - jh->b_jlist = BJ_Metadata - journal->j_running_transaction = NULL - trans1->t_state = T_COMMIT -unlink(dir/b) - handle->h_trans = trans2 - do_get_write_access - jh->b_modified = 0 - jh->b_frozen_data = frozen_buffer - jh->b_next_transaction = trans2 - jbd2_journal_dirty_metadata - is_handle_aborted - is_journal_aborted // return false - - --> jbd2 abort <-- - - while (commit_transaction->t_buffers) - if (is_journal_aborted) - jbd2_journal_refile_buffer - __jbd2_journal_refile_buffer - WRITE_ONCE(jh->b_transaction, - jh->b_next_transaction) - WRITE_ONCE(jh->b_next_transaction, NULL) - __jbd2_journal_file_buffer(jh, BJ_Reserved) - J_ASSERT_JH(jh, jh->b_frozen_data == NULL) // assertion failure ! - -The reproducer (See detail in [Link]) reports: - ------------[ cut here ]------------ - kernel BUG at fs/jbd2/transaction.c:1629! - invalid opcode: 0000 [#1] PREEMPT SMP - CPU: 2 PID: 584 Comm: unlink Tainted: G W - 5.19.0-rc6-00115-g4a57a8400075-dirty #697 - RIP: 0010:jbd2_journal_dirty_metadata+0x3c5/0x470 - RSP: 0018:ffffc90000be7ce0 EFLAGS: 00010202 - Call Trace: - - __ext4_handle_dirty_metadata+0xa0/0x290 - ext4_handle_dirty_dirblock+0x10c/0x1d0 - ext4_delete_entry+0x104/0x200 - __ext4_unlink+0x22b/0x360 - ext4_unlink+0x275/0x390 - vfs_unlink+0x20b/0x4c0 - do_unlinkat+0x42f/0x4c0 - __x64_sys_unlink+0x37/0x50 - do_syscall_64+0x35/0x80 - -After journal aborting, __jbd2_journal_refile_buffer() is executed with -holding @jh->b_state_lock, we can fix it by moving 'is_handle_aborted()' -into the area protected by @jh->b_state_lock. - -Link: https://bugzilla.kernel.org/show_bug.cgi?id=216251 -Fixes: 470decc613ab20 ("[PATCH] jbd2: initial copy of files from jbd") -Signed-off-by: Zhihao Cheng -Link: https://lore.kernel.org/r/20220715125152.4022726-1-chengzhihao1@huawei.com -Signed-off-by: Theodore Ts'o -Signed-off-by: Sasha Levin ---- - fs/jbd2/transaction.c | 14 ++++++++++++-- - 1 file changed, 12 insertions(+), 2 deletions(-) - -diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c -index cfbf5474bcca..1e0d77e826fc 100644 ---- a/fs/jbd2/transaction.c -+++ b/fs/jbd2/transaction.c -@@ -1325,8 +1325,6 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) - struct journal_head *jh; - int ret = 0; - -- if (is_handle_aborted(handle)) -- return -EROFS; - if (!buffer_jbd(bh)) - return -EUCLEAN; - -@@ -1373,6 +1371,18 @@ int jbd2_journal_dirty_metadata(handle_t *handle, struct buffer_head *bh) - journal = transaction->t_journal; - jbd_lock_bh_state(bh); - -+ if (is_handle_aborted(handle)) { -+ /* -+ * Check journal aborting with @jh->b_state_lock locked, -+ * since 'jh->b_transaction' could be replaced with -+ * 'jh->b_next_transaction' during old transaction -+ * committing if journal aborted, which may fail -+ * assertion on 'jh->b_frozen_data == NULL'. -+ */ -+ ret = -EROFS; -+ goto out_unlock_bh; -+ } -+ - if (jh->b_modified == 0) { - /* - * This buffer's got modified and becoming part --- -2.35.1 - diff --git a/queue-4.9/kfifo-fix-kfifo_to_user-return-type.patch b/queue-4.9/kfifo-fix-kfifo_to_user-return-type.patch deleted file mode 100644 index 61d03137aad..00000000000 --- a/queue-4.9/kfifo-fix-kfifo_to_user-return-type.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 7bedd98f87c5aa8d77d26ef0f53ea3368c0b681b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 24 Jun 2022 08:30:04 +0300 -Subject: kfifo: fix kfifo_to_user() return type - -From: Dan Carpenter - -[ Upstream commit 045ed31e23aea840648c290dbde04797064960db ] - -The kfifo_to_user() macro is supposed to return zero for success or -negative error codes. Unfortunately, there is a signedness bug so it -returns unsigned int. This only affects callers which try to save the -result in ssize_t and as far as I can see the only place which does that -is line6_hwdep_read(). - -TL;DR: s/_uint/_int/. - -Link: https://lkml.kernel.org/r/YrVL3OJVLlNhIMFs@kili -Fixes: 144ecf310eb5 ("kfifo: fix kfifo_alloc() to return a signed int value") -Signed-off-by: Dan Carpenter -Cc: Stefani Seibold -Cc: Randy Dunlap -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - include/linux/kfifo.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/linux/kfifo.h b/include/linux/kfifo.h -index 41eb6fdf87a8..c17b63b0d269 100644 ---- a/include/linux/kfifo.h -+++ b/include/linux/kfifo.h -@@ -628,7 +628,7 @@ __kfifo_uint_must_check_helper( \ - * writer, you don't need extra locking to use these macro. - */ - #define kfifo_to_user(fifo, to, len, copied) \ --__kfifo_uint_must_check_helper( \ -+__kfifo_int_must_check_helper( \ - ({ \ - typeof((fifo) + 1) __tmp = (fifo); \ - void __user *__to = (to); \ --- -2.35.1 - diff --git a/queue-4.9/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch b/queue-4.9/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch deleted file mode 100644 index 339f94014c8..00000000000 --- a/queue-4.9/kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch +++ /dev/null @@ -1,67 +0,0 @@ -From ab6b61575745d81f0c439dfa40f7e5ce9a15d17c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 2 May 2022 00:07:26 +0200 -Subject: KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 - -From: Maciej S. Szmigiero - -commit f17c31c48e5cde9895a491d91c424eeeada3e134 upstream. - -Don't BUG/WARN on interrupt injection due to GIF being cleared, -since it's trivial for userspace to force the situation via -KVM_SET_VCPU_EVENTS (even if having at least a WARN there would be correct -for KVM internally generated injections). - - kernel BUG at arch/x86/kvm/svm/svm.c:3386! - invalid opcode: 0000 [#1] SMP - CPU: 15 PID: 926 Comm: smm_test Not tainted 5.17.0-rc3+ #264 - Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 0.0.0 02/06/2015 - RIP: 0010:svm_inject_irq+0xab/0xb0 [kvm_amd] - Code: <0f> 0b 0f 1f 00 0f 1f 44 00 00 80 3d ac b3 01 00 00 55 48 89 f5 53 - RSP: 0018:ffffc90000b37d88 EFLAGS: 00010246 - RAX: 0000000000000000 RBX: ffff88810a234ac0 RCX: 0000000000000006 - RDX: 0000000000000000 RSI: ffffc90000b37df7 RDI: ffff88810a234ac0 - RBP: ffffc90000b37df7 R08: ffff88810a1fa410 R09: 0000000000000000 - R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 - R13: ffff888109571000 R14: ffff88810a234ac0 R15: 0000000000000000 - FS: 0000000001821380(0000) GS:ffff88846fdc0000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 00007f74fc550008 CR3: 000000010a6fe000 CR4: 0000000000350ea0 - Call Trace: - - inject_pending_event+0x2f7/0x4c0 [kvm] - kvm_arch_vcpu_ioctl_run+0x791/0x17a0 [kvm] - kvm_vcpu_ioctl+0x26d/0x650 [kvm] - __x64_sys_ioctl+0x82/0xb0 - do_syscall_64+0x3b/0xc0 - entry_SYSCALL_64_after_hwframe+0x44/0xae - - -Fixes: 219b65dcf6c0 ("KVM: SVM: Improve nested interrupt injection") -Cc: stable@vger.kernel.org -Co-developed-by: Sean Christopherson -Signed-off-by: Sean Christopherson -Signed-off-by: Maciej S. Szmigiero -Message-Id: <35426af6e123cbe91ec7ce5132ce72521f02b1b5.1651440202.git.maciej.szmigiero@oracle.com> -Signed-off-by: Paolo Bonzini -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/svm.c | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c -index 03fdeab057d2..c8e18144ecf2 100644 ---- a/arch/x86/kvm/svm.c -+++ b/arch/x86/kvm/svm.c -@@ -4492,8 +4492,6 @@ static void svm_set_irq(struct kvm_vcpu *vcpu) - { - struct vcpu_svm *svm = to_svm(vcpu); - -- BUG_ON(!(gif_set(svm))); -- - trace_kvm_inj_virq(vcpu->arch.interrupt.nr); - ++vcpu->stat.irq_injections; - --- -2.35.1 - diff --git a/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch b/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch deleted file mode 100644 index c59b7b24bd6..00000000000 --- a/queue-4.9/kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 106b4e61bb8b71d943fd06a2d872af39b5f46544 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 23:27:48 +0000 -Subject: KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks - -From: Sean Christopherson - -commit ec6e4d863258d4bfb36d48d5e3ef68140234d688 upstream. - -Wait to mark the TSS as busy during LTR emulation until after all fault -checks for the LTR have passed. Specifically, don't mark the TSS busy if -the new TSS base is non-canonical. - -Opportunistically drop the one-off !seg_desc.PRESENT check for TR as the -only reason for the early check was to avoid marking a !PRESENT TSS as -busy, i.e. the common !PRESENT is now done before setting the busy bit. - -Fixes: e37a75a13cda ("KVM: x86: Emulator ignores LDTR/TR extended base on LLDT/LTR") -Reported-by: syzbot+760a73552f47a8cd0fd9@syzkaller.appspotmail.com -Cc: stable@vger.kernel.org -Cc: Tetsuo Handa -Cc: Hou Wenlong -Signed-off-by: Sean Christopherson -Reviewed-by: Maxim Levitsky -Link: https://lore.kernel.org/r/20220711232750.1092012-2-seanjc@google.com -Signed-off-by: Sean Christopherson -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/kvm/emulate.c | 19 +++++++++---------- - 1 file changed, 9 insertions(+), 10 deletions(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 3edafdffa687..2a5a18ca8837 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -1713,16 +1713,6 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - case VCPU_SREG_TR: - if (seg_desc.s || (seg_desc.type != 1 && seg_desc.type != 9)) - goto exception; -- if (!seg_desc.p) { -- err_vec = NP_VECTOR; -- goto exception; -- } -- old_desc = seg_desc; -- seg_desc.type |= 2; /* busy */ -- ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, -- sizeof(seg_desc), &ctxt->exception); -- if (ret != X86EMUL_CONTINUE) -- return ret; - break; - case VCPU_SREG_LDTR: - if (seg_desc.s || seg_desc.type != 2) -@@ -1763,6 +1753,15 @@ static int __load_segment_descriptor(struct x86_emulate_ctxt *ctxt, - ((u64)base3 << 32))) - return emulate_gp(ctxt, 0); - } -+ -+ if (seg == VCPU_SREG_TR) { -+ old_desc = seg_desc; -+ seg_desc.type |= 2; /* busy */ -+ ret = ctxt->ops->cmpxchg_emulated(ctxt, desc_addr, &old_desc, &seg_desc, -+ sizeof(seg_desc), &ctxt->exception); -+ if (ret != X86EMUL_CONTINUE) -+ return ret; -+ } - load: - ctxt->ops->set_segment(ctxt, selector, &seg_desc, base3, seg); - if (desc) --- -2.35.1 - diff --git a/queue-4.9/macintosh-adb-fix-oob-read-in-do_adb_query-function.patch-16127 b/queue-4.9/macintosh-adb-fix-oob-read-in-do_adb_query-function.patch-16127 deleted file mode 100644 index 5dca1059cd5..00000000000 --- a/queue-4.9/macintosh-adb-fix-oob-read-in-do_adb_query-function.patch-16127 +++ /dev/null @@ -1,42 +0,0 @@ -From 91f5770eac36c7a3cd49c6b5c81e702ac538f28b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Jul 2022 23:37:34 +0800 -Subject: macintosh/adb: fix oob read in do_adb_query() function - -From: Ning Qiang - -commit fd97e4ad6d3b0c9fce3bca8ea8e6969d9ce7423b upstream. - -In do_adb_query() function of drivers/macintosh/adb.c, req->data is copied -form userland. The parameter "req->data[2]" is missing check, the array -size of adb_handler[] is 16, so adb_handler[req->data[2]].original_address and -adb_handler[req->data[2]].handler_id will lead to oob read. - -Cc: stable -Signed-off-by: Ning Qiang -Reviewed-by: Kees Cook -Reviewed-by: Greg Kroah-Hartman -Acked-by: Benjamin Herrenschmidt -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220713153734.2248-1-sohu0106@126.com -Signed-off-by: Greg Kroah-Hartman ---- - drivers/macintosh/adb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/macintosh/adb.c b/drivers/macintosh/adb.c -index 226179b975a0..1f5db323e5a5 100644 ---- a/drivers/macintosh/adb.c -+++ b/drivers/macintosh/adb.c -@@ -650,7 +650,7 @@ do_adb_query(struct adb_request *req) - - switch(req->data[1]) { - case ADB_QUERY_GETDEVINFO: -- if (req->nbytes < 3) -+ if (req->nbytes < 3 || req->data[2] >= 16) - break; - mutex_lock(&adb_handler_mutex); - req->reply[0] = adb_handler[req->data[2]].original_address; --- -2.35.1 - diff --git a/queue-4.9/makefile-link-with-z-noexecstack-no-warn-rwx-segment.patch b/queue-4.9/makefile-link-with-z-noexecstack-no-warn-rwx-segment.patch deleted file mode 100644 index 64546e12199..00000000000 --- a/queue-4.9/makefile-link-with-z-noexecstack-no-warn-rwx-segment.patch +++ /dev/null @@ -1,64 +0,0 @@ -From bf6cd74379cdbf17683dabf2071c21dcb922f7c0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Aug 2022 15:24:40 -0700 -Subject: Makefile: link with -z noexecstack --no-warn-rwx-segments - -From: Nick Desaulniers - -commit 0d362be5b14200b77ecc2127936a5ff82fbffe41 upstream. - -Users of GNU ld (BFD) from binutils 2.39+ will observe multiple -instances of a new warning when linking kernels in the form: - - ld: warning: vmlinux: missing .note.GNU-stack section implies executable stack - ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker - ld: warning: vmlinux has a LOAD segment with RWX permissions - -Generally, we would like to avoid the stack being executable. Because -there could be a need for the stack to be executable, assembler sources -have to opt-in to this security feature via explicit creation of the -.note.GNU-stack feature (which compilers create by default) or command -line flag --noexecstack. Or we can simply tell the linker the -production of such sections is irrelevant and to link the stack as ---noexecstack. - -LLVM's LLD linker defaults to -z noexecstack, so this flag isn't -strictly necessary when linking with LLD, only BFD, but it doesn't hurt -to be explicit here for all linkers IMO. --no-warn-rwx-segments is -currently BFD specific and only available in the current latest release, -so it's wrapped in an ld-option check. - -While the kernel makes extensive usage of ELF sections, it doesn't use -permissions from ELF segments. - -Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/ -Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 -Link: https://github.com/llvm/llvm-project/issues/57009 -Reported-and-tested-by: Jens Axboe -Suggested-by: Fangrui Song -Signed-off-by: Nick Desaulniers -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - Makefile | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/Makefile b/Makefile -index 6042ded26347..0b1bf3a98b56 100644 ---- a/Makefile -+++ b/Makefile -@@ -870,6 +870,11 @@ ifdef CONFIG_LD_DEAD_CODE_DATA_ELIMINATION - LDFLAGS_vmlinux += $(call ld-option, --gc-sections,) - endif - -+LDFLAGS += -z noexecstack -+ifeq ($(CONFIG_LD_IS_BFD),y) -+LDFLAGS += $(call ld-option,--no-warn-rwx-segments) -+endif -+ - ifeq ($(CONFIG_STRIP_ASM_SYMS),y) - LDFLAGS_vmlinux += $(call ld-option, -X,) - endif --- -2.35.1 - diff --git a/queue-4.9/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch b/queue-4.9/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch deleted file mode 100644 index dc9be7e5dda..00000000000 --- a/queue-4.9/media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 0b28ab1d83a208297488483f4d59792ab53cfce0 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 18:50:02 +0100 -Subject: media: hdpvr: fix error value returns in hdpvr_read - -From: Niels Dossche - -[ Upstream commit 359c27c6ddbde404f44a9c0d3ec88ccd1e2042f2 ] - -Error return values are supposed to be negative in hdpvr_read. Most -error returns are currently handled via an unsigned integer "ret". When -setting a negative error value to "ret", the value actually becomes a -large positive value, because "ret" is unsigned. Later on, the "ret" -value is returned. But as ssize_t is a 64-bit signed number, the error -return value stays a large positive integer instead of a negative -integer. This can cause an error value to be interpreted as the read -size, which can cause a buffer overread for applications relying on the -returned size. - -Fixes: 9aba42efe85b ("V4L/DVB (11096): V4L2 Driver for the Hauppauge HD PVR usb capture device") -Signed-off-by: Niels Dossche -Signed-off-by: Hans Verkuil -Signed-off-by: Mauro Carvalho Chehab -Signed-off-by: Sasha Levin ---- - drivers/media/usb/hdpvr/hdpvr-video.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/media/usb/hdpvr/hdpvr-video.c b/drivers/media/usb/hdpvr/hdpvr-video.c -index cfd8c09f9ded..92c20a44749a 100644 ---- a/drivers/media/usb/hdpvr/hdpvr-video.c -+++ b/drivers/media/usb/hdpvr/hdpvr-video.c -@@ -415,7 +415,7 @@ static ssize_t hdpvr_read(struct file *file, char __user *buffer, size_t count, - struct hdpvr_device *dev = video_drvdata(file); - struct hdpvr_buffer *buf = NULL; - struct urb *urb; -- unsigned int ret = 0; -+ int ret = 0; - int rem, cnt; - - if (*pos) --- -2.35.1 - diff --git a/queue-4.9/memstick-ms_block-fix-a-memory-leak.patch b/queue-4.9/memstick-ms_block-fix-a-memory-leak.patch deleted file mode 100644 index 48da2bcf923..00000000000 --- a/queue-4.9/memstick-ms_block-fix-a-memory-leak.patch +++ /dev/null @@ -1,39 +0,0 @@ -From e76f872a77e8a66349697d4e11595e76edd7ccbf Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 25 Jun 2022 14:55:56 +0200 -Subject: memstick/ms_block: Fix a memory leak - -From: Christophe JAILLET - -[ Upstream commit 54eb7a55be6779c4d0c25eaf5056498a28595049 ] - -'erased_blocks_bitmap' is never freed. As it is allocated at the same time -as 'used_blocks_bitmap', it is likely that it should be freed also at the -same time. - -Add the corresponding bitmap_free() in msb_data_clear(). - -Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") -Signed-off-by: Christophe JAILLET -Link: https://lore.kernel.org/r/b3b78926569445962ea5c3b6e9102418a9effb88.1656155715.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Ulf Hansson -Signed-off-by: Sasha Levin ---- - drivers/memstick/core/ms_block.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c -index 4d98a6f7507d..25a24d9a17f1 100644 ---- a/drivers/memstick/core/ms_block.c -+++ b/drivers/memstick/core/ms_block.c -@@ -1960,6 +1960,7 @@ static void msb_data_clear(struct msb_data *msb) - { - kfree(msb->boot_page); - bitmap_free(msb->used_blocks_bitmap); -+ bitmap_free(msb->erased_blocks_bitmap); - kfree(msb->lba_to_pba_table); - kfree(msb->cache); - msb->card = NULL; --- -2.35.1 - diff --git a/queue-4.9/memstick-ms_block-fix-some-incorrect-memory-allocati.patch b/queue-4.9/memstick-ms_block-fix-some-incorrect-memory-allocati.patch deleted file mode 100644 index 96873b5e35c..00000000000 --- a/queue-4.9/memstick-ms_block-fix-some-incorrect-memory-allocati.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 7e88060bed46de500352f53c4e9ff6a703869d28 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 25 Jun 2022 14:55:25 +0200 -Subject: memstick/ms_block: Fix some incorrect memory allocation - -From: Christophe JAILLET - -[ Upstream commit 2e531bc3e0d86362fcd8a577b3278d9ef3cc2ba0 ] - -Some functions of the bitmap API take advantage of the fact that a bitmap -is an array of long. - -So, to make sure this assertion is correct, allocate bitmaps with -bitmap_zalloc() instead of kzalloc()+hand-computed number of bytes. - -While at it, also use bitmap_free() instead of kfree() to keep the -semantic. - -Fixes: 0ab30494bc4f ("memstick: add support for legacy memorysticks") -Signed-off-by: Christophe JAILLET -Link: https://lore.kernel.org/r/dbf633c48c24ae6d95f852557e8d8b3bbdef65fe.1656155715.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Ulf Hansson -Signed-off-by: Sasha Levin ---- - drivers/memstick/core/ms_block.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/memstick/core/ms_block.c b/drivers/memstick/core/ms_block.c -index 45136b700d2c..4d98a6f7507d 100644 ---- a/drivers/memstick/core/ms_block.c -+++ b/drivers/memstick/core/ms_block.c -@@ -1338,16 +1338,16 @@ static int msb_ftl_initialize(struct msb_data *msb) - msb->zone_count = msb->block_count / MS_BLOCKS_IN_ZONE; - msb->logical_block_count = msb->zone_count * 496 - 2; - -- msb->used_blocks_bitmap = kzalloc(msb->block_count / 8, GFP_KERNEL); -- msb->erased_blocks_bitmap = kzalloc(msb->block_count / 8, GFP_KERNEL); -+ msb->used_blocks_bitmap = bitmap_zalloc(msb->block_count, GFP_KERNEL); -+ msb->erased_blocks_bitmap = bitmap_zalloc(msb->block_count, GFP_KERNEL); - msb->lba_to_pba_table = - kmalloc(msb->logical_block_count * sizeof(u16), GFP_KERNEL); - - if (!msb->used_blocks_bitmap || !msb->lba_to_pba_table || - !msb->erased_blocks_bitmap) { -- kfree(msb->used_blocks_bitmap); -+ bitmap_free(msb->used_blocks_bitmap); -+ bitmap_free(msb->erased_blocks_bitmap); - kfree(msb->lba_to_pba_table); -- kfree(msb->erased_blocks_bitmap); - return -ENOMEM; - } - -@@ -1959,7 +1959,7 @@ static int msb_bd_open(struct block_device *bdev, fmode_t mode) - static void msb_data_clear(struct msb_data *msb) - { - kfree(msb->boot_page); -- kfree(msb->used_blocks_bitmap); -+ bitmap_free(msb->used_blocks_bitmap); - kfree(msb->lba_to_pba_table); - kfree(msb->cache); - msb->card = NULL; --- -2.35.1 - diff --git a/queue-4.9/mfd-t7l66xb-drop-platform-disable-callback.patch b/queue-4.9/mfd-t7l66xb-drop-platform-disable-callback.patch deleted file mode 100644 index 7940f87dc43..00000000000 --- a/queue-4.9/mfd-t7l66xb-drop-platform-disable-callback.patch +++ /dev/null @@ -1,70 +0,0 @@ -From bce2590818843ad9117d09497488e5d90875531a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 30 May 2022 21:24:28 +0200 -Subject: mfd: t7l66xb: Drop platform disable callback -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Uwe Kleine-König - -[ Upstream commit 128ac294e1b437cb8a7f2ff8ede1cde9082bddbe ] - -None of the in-tree instantiations of struct t7l66xb_platform_data -provides a disable callback. So better don't dereference this function -pointer unconditionally. As there is no user, drop it completely instead -of calling it conditional. - -This is a preparation for making platform remove callbacks return void. - -Fixes: 1f192015ca5b ("mfd: driver for the T7L66XB TMIO SoC") -Signed-off-by: Uwe Kleine-König -Signed-off-by: Lee Jones -Link: https://lore.kernel.org/r/20220530192430.2108217-3-u.kleine-koenig@pengutronix.de -Signed-off-by: Sasha Levin ---- - drivers/mfd/t7l66xb.c | 6 +----- - include/linux/mfd/t7l66xb.h | 1 - - 2 files changed, 1 insertion(+), 6 deletions(-) - -diff --git a/drivers/mfd/t7l66xb.c b/drivers/mfd/t7l66xb.c -index 94bd89cb1f06..92ace843f0c9 100644 ---- a/drivers/mfd/t7l66xb.c -+++ b/drivers/mfd/t7l66xb.c -@@ -401,11 +401,8 @@ static int t7l66xb_probe(struct platform_device *dev) - - static int t7l66xb_remove(struct platform_device *dev) - { -- struct t7l66xb_platform_data *pdata = dev_get_platdata(&dev->dev); - struct t7l66xb *t7l66xb = platform_get_drvdata(dev); -- int ret; - -- ret = pdata->disable(dev); - clk_disable_unprepare(t7l66xb->clk48m); - clk_put(t7l66xb->clk48m); - clk_disable_unprepare(t7l66xb->clk32k); -@@ -416,8 +413,7 @@ static int t7l66xb_remove(struct platform_device *dev) - mfd_remove_devices(&dev->dev); - kfree(t7l66xb); - -- return ret; -- -+ return 0; - } - - static struct platform_driver t7l66xb_platform_driver = { -diff --git a/include/linux/mfd/t7l66xb.h b/include/linux/mfd/t7l66xb.h -index b4629818aea5..d4e7f0453c91 100644 ---- a/include/linux/mfd/t7l66xb.h -+++ b/include/linux/mfd/t7l66xb.h -@@ -16,7 +16,6 @@ - - struct t7l66xb_platform_data { - int (*enable)(struct platform_device *dev); -- int (*disable)(struct platform_device *dev); - int (*suspend)(struct platform_device *dev); - int (*resume)(struct platform_device *dev); - --- -2.35.1 - diff --git a/queue-4.9/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch b/queue-4.9/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch deleted file mode 100644 index f3121c2e31c..00000000000 --- a/queue-4.9/misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 42162cca7f530dc7e2433fe7e957b80be898d62d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 15 Jun 2022 07:33:44 +0200 -Subject: misc: rtsx: Fix an error handling path in rtsx_pci_probe() - -From: Christophe JAILLET - -[ Upstream commit 44fd1917314e9d4f53dd95dd65df1c152f503d3a ] - -If an error occurs after a successful idr_alloc() call, the corresponding -resource must be released with idr_remove() as already done in the .remove -function. - -Update the error handling path to add the missing idr_remove() call. - -Fixes: ada8a8a13b13 ("mfd: Add realtek pcie card reader driver") -Signed-off-by: Christophe JAILLET -Link: https://lore.kernel.org/r/e8dc41716cbf52fb37a12e70d8972848e69df6d6.1655271216.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/mfd/rtsx_pcr.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/mfd/rtsx_pcr.c b/drivers/mfd/rtsx_pcr.c -index be61f8606a04..4304bb0845e1 100644 ---- a/drivers/mfd/rtsx_pcr.c -+++ b/drivers/mfd/rtsx_pcr.c -@@ -1210,7 +1210,7 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, - pcr->remap_addr = ioremap_nocache(base, len); - if (!pcr->remap_addr) { - ret = -ENOMEM; -- goto free_handle; -+ goto free_idr; - } - - pcr->rtsx_resv_buf = dma_alloc_coherent(&(pcidev->dev), -@@ -1272,6 +1272,10 @@ static int rtsx_pci_probe(struct pci_dev *pcidev, - pcr->rtsx_resv_buf, pcr->rtsx_resv_buf_addr); - unmap: - iounmap(pcr->remap_addr); -+free_idr: -+ spin_lock(&rtsx_pci_lock); -+ idr_remove(&rtsx_pci_idr, pcr->id); -+ spin_unlock(&rtsx_pci_lock); - free_handle: - kfree(handle); - free_pcr: --- -2.35.1 - diff --git a/queue-4.9/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch b/queue-4.9/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch deleted file mode 100644 index ba195948f1a..00000000000 --- a/queue-4.9/mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch +++ /dev/null @@ -1,40 +0,0 @@ -From e135f509d6f8f7974bba50747083e09bf7d96ce5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 18 Jun 2022 16:20:27 +0800 -Subject: mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region - -From: Miaohe Lin - -[ Upstream commit 7f82f922319ede486540e8746769865b9508d2c2 ] - -Since the beginning, charged is set to 0 to avoid calling vm_unacct_memory -twice because vm_unacct_memory will be called by above unmap_region. But -since commit 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from -the unmap_vmas() interfaces"), unmap_region doesn't call vm_unacct_memory -anymore. So charged shouldn't be set to 0 now otherwise the calling to -paired vm_unacct_memory will be missed and leads to imbalanced account. - -Link: https://lkml.kernel.org/r/20220618082027.43391-1-linmiaohe@huawei.com -Fixes: 4f74d2c8e827 ("vm: remove 'nr_accounted' calculations from the unmap_vmas() interfaces") -Signed-off-by: Miaohe Lin -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - mm/mmap.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/mm/mmap.c b/mm/mmap.c -index 18bd38ac1531..0877a2e5b660 100644 ---- a/mm/mmap.c -+++ b/mm/mmap.c -@@ -1772,7 +1772,6 @@ unsigned long mmap_region(struct file *file, unsigned long addr, - - /* Undo any partial mapping done by a device driver. */ - unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end); -- charged = 0; - if (vm_flags & VM_SHARED) - mapping_unmap_writable(file->f_mapping); - allow_write_and_free_vma: --- -2.35.1 - diff --git a/queue-4.9/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch b/queue-4.9/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch deleted file mode 100644 index 4f136b2eaca..00000000000 --- a/queue-4.9/mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 95c43650963eb78e2eb05622fcdceedebac279cb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 30 Jun 2022 12:09:26 +0300 -Subject: mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R - -From: Eugen Hristev - -[ Upstream commit 5987e6ded29d52e42fc7b06aa575c60a25eee38e ] - -In set_uhs_signaling, the DDR bit is being set by fully writing the MC1R -register. -This can lead to accidental erase of certain bits in this register. -Avoid this by doing a read-modify-write operation. - -Fixes: d0918764c17b ("mmc: sdhci-of-at91: fix MMC_DDR_52 timing selection") -Signed-off-by: Eugen Hristev -Tested-by: Karl Olsen -Acked-by: Adrian Hunter -Link: https://lore.kernel.org/r/20220630090926.15061-1-eugen.hristev@microchip.com -Signed-off-by: Ulf Hansson -Signed-off-by: Sasha Levin ---- - drivers/mmc/host/sdhci-of-at91.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/drivers/mmc/host/sdhci-of-at91.c b/drivers/mmc/host/sdhci-of-at91.c -index c354711f8f56..55f06c86bc1b 100644 ---- a/drivers/mmc/host/sdhci-of-at91.c -+++ b/drivers/mmc/host/sdhci-of-at91.c -@@ -117,8 +117,13 @@ static void sdhci_at91_set_power(struct sdhci_host *host, unsigned char mode, - - void sdhci_at91_set_uhs_signaling(struct sdhci_host *host, unsigned int timing) - { -- if (timing == MMC_TIMING_MMC_DDR52) -- sdhci_writeb(host, SDMMC_MC1R_DDR, SDMMC_MC1R); -+ u8 mc1r; -+ -+ if (timing == MMC_TIMING_MMC_DDR52) { -+ mc1r = sdhci_readb(host, SDMMC_MC1R); -+ mc1r |= SDMMC_MC1R_DDR; -+ sdhci_writeb(host, mc1r, SDMMC_MC1R); -+ } - sdhci_set_uhs_signaling(host, timing); - } - --- -2.35.1 - diff --git a/queue-4.9/mt7601u-add-usb-device-id-for-some-versions-of-xiaod.patch b/queue-4.9/mt7601u-add-usb-device-id-for-some-versions-of-xiaod.patch deleted file mode 100644 index 7c3533983f7..00000000000 --- a/queue-4.9/mt7601u-add-usb-device-id-for-some-versions-of-xiaod.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 7368ea16226106b9a4d9e5bc0645f567b691428a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sat, 19 Jun 2021 00:08:40 +0800 -Subject: mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle. - -From: Wei Mingzhi - -commit 829eea7c94e0bac804e65975639a2f2e5f147033 upstream. - -USB device ID of some versions of XiaoDu WiFi Dongle is 2955:1003 -instead of 2955:1001. Both are the same mt7601u hardware. - -Signed-off-by: Wei Mingzhi -Acked-by: Jakub Kicinski -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20210618160840.305024-1-whistler@member.fsf.org -Cc: Yan Xinyu -Signed-off-by: Greg Kroah-Hartman ---- - drivers/net/wireless/mediatek/mt7601u/usb.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wireless/mediatek/mt7601u/usb.c b/drivers/net/wireless/mediatek/mt7601u/usb.c -index 416c6045ff31..ae83a5c36127 100644 ---- a/drivers/net/wireless/mediatek/mt7601u/usb.c -+++ b/drivers/net/wireless/mediatek/mt7601u/usb.c -@@ -34,6 +34,7 @@ static struct usb_device_id mt7601u_device_table[] = { - { USB_DEVICE(0x2717, 0x4106) }, - { USB_DEVICE(0x2955, 0x0001) }, - { USB_DEVICE(0x2955, 0x1001) }, -+ { USB_DEVICE(0x2955, 0x1003) }, - { USB_DEVICE(0x2a5f, 0x1000) }, - { USB_DEVICE(0x7392, 0x7710) }, - { 0, } --- -2.35.1 - diff --git a/queue-4.9/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch b/queue-4.9/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch deleted file mode 100644 index 051eb98457f..00000000000 --- a/queue-4.9/mtd-maps-fix-refcount-leak-in-ap_flash_init.patch +++ /dev/null @@ -1,38 +0,0 @@ -From e518b5920d81263ff8863d0ef93ce4b524c829e2 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 23 May 2022 18:32:55 +0400 -Subject: mtd: maps: Fix refcount leak in ap_flash_init - -From: Miaoqian Lin - -[ Upstream commit 77087a04c8fd554134bddcb8a9ff87b21f357926 ] - -of_find_matching_node() returns a node pointer with refcount -incremented, we should use of_node_put() on it when not need anymore. -Add missing of_node_put() to avoid refcount leak. - -Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") -Signed-off-by: Miaoqian Lin -Reviewed-by: Linus Walleij -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20220523143255.4376-1-linmq006@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/mtd/maps/physmap_of_versatile.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/mtd/maps/physmap_of_versatile.c b/drivers/mtd/maps/physmap_of_versatile.c -index 189c8bffa60c..ff38d440b7ed 100644 ---- a/drivers/mtd/maps/physmap_of_versatile.c -+++ b/drivers/mtd/maps/physmap_of_versatile.c -@@ -107,6 +107,7 @@ static int ap_flash_init(struct platform_device *pdev) - return -ENODEV; - } - ebi_base = of_iomap(ebi, 0); -+ of_node_put(ebi); - if (!ebi_base) - return -ENODEV; - --- -2.35.1 - diff --git a/queue-4.9/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch b/queue-4.9/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch deleted file mode 100644 index a91c9cc3bdb..00000000000 --- a/queue-4.9/mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 74ab5b7bff790f0cc558a4524469449f4e819f46 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 23 May 2022 18:02:05 +0400 -Subject: mtd: maps: Fix refcount leak in of_flash_probe_versatile - -From: Miaoqian Lin - -[ Upstream commit 33ec82a6d2b119938f26e5c8040ed5d92378eb54 ] - -of_find_matching_node_and_match() returns a node pointer with refcount -incremented, we should use of_node_put() on it when not need anymore. -Add missing of_node_put() to avoid refcount leak. - -Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection") -Signed-off-by: Miaoqian Lin -Reviewed-by: Linus Walleij -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20220523140205.48625-1-linmq006@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/mtd/maps/physmap_of_versatile.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/mtd/maps/physmap_of_versatile.c b/drivers/mtd/maps/physmap_of_versatile.c -index 0f39b2a015f4..189c8bffa60c 100644 ---- a/drivers/mtd/maps/physmap_of_versatile.c -+++ b/drivers/mtd/maps/physmap_of_versatile.c -@@ -221,6 +221,7 @@ int of_flash_probe_versatile(struct platform_device *pdev, - - versatile_flashprot = (enum versatile_flashprot)devid->data; - rmap = syscon_node_to_regmap(sysnp); -+ of_node_put(sysnp); - if (IS_ERR(rmap)) - return PTR_ERR(rmap); - --- -2.35.1 - diff --git a/queue-4.9/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch b/queue-4.9/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch deleted file mode 100644 index 54cb0a09f34..00000000000 --- a/queue-4.9/mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch +++ /dev/null @@ -1,53 +0,0 @@ -From f13f1ec282921db71fa4bd08f936c605e9bf52b5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 24 May 2022 12:48:41 +0800 -Subject: mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release - -From: Duoming Zhou - -[ Upstream commit a61528d997619a518ee8c51cf0ef0513021afaff ] - -There is a deadlock between sm_release and sm_cache_flush_work -which is a work item. The cancel_work_sync in sm_release will -not return until sm_cache_flush_work is finished. If we hold -mutex_lock and use cancel_work_sync to wait the work item to -finish, the work item also requires mutex_lock. As a result, -the sm_release will be blocked forever. The race condition is -shown below: - - (Thread 1) | (Thread 2) -sm_release | - mutex_lock(&ftl->mutex) | sm_cache_flush_work - | mutex_lock(&ftl->mutex) - cancel_work_sync | ... - -This patch moves del_timer_sync and cancel_work_sync out of -mutex_lock in order to mitigate deadlock. - -Fixes: 7d17c02a01a1 ("mtd: Add new SmartMedia/xD FTL") -Signed-off-by: Duoming Zhou -Signed-off-by: Miquel Raynal -Link: https://lore.kernel.org/linux-mtd/20220524044841.10517-1-duoming@zju.edu.cn -Signed-off-by: Sasha Levin ---- - drivers/mtd/sm_ftl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/mtd/sm_ftl.c b/drivers/mtd/sm_ftl.c -index 3692dd547879..e48718393ddf 100644 ---- a/drivers/mtd/sm_ftl.c -+++ b/drivers/mtd/sm_ftl.c -@@ -1109,9 +1109,9 @@ static void sm_release(struct mtd_blktrans_dev *dev) - { - struct sm_ftl *ftl = dev->priv; - -- mutex_lock(&ftl->mutex); - del_timer_sync(&ftl->timer); - cancel_work_sync(&ftl->flush_work); -+ mutex_lock(&ftl->mutex); - sm_cache_flush(ftl); - mutex_unlock(&ftl->mutex); - } --- -2.35.1 - diff --git a/queue-4.9/net-ping6-fix-memleak-in-ipv6_renew_options.patch-3986 b/queue-4.9/net-ping6-fix-memleak-in-ipv6_renew_options.patch-3986 deleted file mode 100644 index fc9e4da55cc..00000000000 --- a/queue-4.9/net-ping6-fix-memleak-in-ipv6_renew_options.patch-3986 +++ /dev/null @@ -1,110 +0,0 @@ -From e13eb7567633ccdb5d5f3b92705b4ec7fed87e45 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 27 Jul 2022 18:22:20 -0700 -Subject: net: ping6: Fix memleak in ipv6_renew_options(). - -From: Kuniyuki Iwashima - -commit e27326009a3d247b831eda38878c777f6f4eb3d1 upstream. - -When we close ping6 sockets, some resources are left unfreed because -pingv6_prot is missing sk->sk_prot->destroy(). As reported by -syzbot [0], just three syscalls leak 96 bytes and easily cause OOM. - - struct ipv6_sr_hdr *hdr; - char data[24] = {0}; - int fd; - - hdr = (struct ipv6_sr_hdr *)data; - hdr->hdrlen = 2; - hdr->type = IPV6_SRCRT_TYPE_4; - - fd = socket(AF_INET6, SOCK_DGRAM, NEXTHDR_ICMP); - setsockopt(fd, IPPROTO_IPV6, IPV6_RTHDR, data, 24); - close(fd); - -To fix memory leaks, let's add a destroy function. - -Note the socket() syscall checks if the GID is within the range of -net.ipv4.ping_group_range. The default value is [1, 0] so that no -GID meets the condition (1 <= GID <= 0). Thus, the local DoS does -not succeed until we change the default value. However, at least -Ubuntu/Fedora/RHEL loosen it. - - $ cat /usr/lib/sysctl.d/50-default.conf - ... - -net.ipv4.ping_group_range = 0 2147483647 - -Also, there could be another path reported with these options, and -some of them require CAP_NET_RAW. - - setsockopt - IPV6_ADDRFORM (inet6_sk(sk)->pktoptions) - IPV6_RECVPATHMTU (inet6_sk(sk)->rxpmtu) - IPV6_HOPOPTS (inet6_sk(sk)->opt) - IPV6_RTHDRDSTOPTS (inet6_sk(sk)->opt) - IPV6_RTHDR (inet6_sk(sk)->opt) - IPV6_DSTOPTS (inet6_sk(sk)->opt) - IPV6_2292PKTOPTIONS (inet6_sk(sk)->opt) - - getsockopt - IPV6_FLOWLABEL_MGR (inet6_sk(sk)->ipv6_fl_list) - -For the record, I left a different splat with syzbot's one. - - unreferenced object 0xffff888006270c60 (size 96): - comm "repro2", pid 231, jiffies 4294696626 (age 13.118s) - hex dump (first 32 bytes): - 01 00 00 00 44 00 00 00 00 00 00 00 00 00 00 00 ....D........... - 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ - backtrace: - [<00000000f6bc7ea9>] sock_kmalloc (net/core/sock.c:2564 net/core/sock.c:2554) - [<000000006d699550>] do_ipv6_setsockopt.constprop.0 (net/ipv6/ipv6_sockglue.c:715) - [<00000000c3c3b1f5>] ipv6_setsockopt (net/ipv6/ipv6_sockglue.c:1024) - [<000000007096a025>] __sys_setsockopt (net/socket.c:2254) - [<000000003a8ff47b>] __x64_sys_setsockopt (net/socket.c:2265 net/socket.c:2262 net/socket.c:2262) - [<000000007c409dcb>] do_syscall_64 (arch/x86/entry/common.c:50 arch/x86/entry/common.c:80) - [<00000000e939c4a9>] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:120) - -[0]: https://syzkaller.appspot.com/bug?extid=a8430774139ec3ab7176 - -Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.") -Reported-by: syzbot+a8430774139ec3ab7176@syzkaller.appspotmail.com -Reported-by: Ayushman Dutta -Signed-off-by: Kuniyuki Iwashima -Reviewed-by: David Ahern -Reviewed-by: Eric Dumazet -Link: https://lore.kernel.org/r/20220728012220.46918-1-kuniyu@amazon.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Greg Kroah-Hartman ---- - net/ipv6/ping.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index e209ae19fe78..298ac357a132 100644 ---- a/net/ipv6/ping.c -+++ b/net/ipv6/ping.c -@@ -26,6 +26,11 @@ - #include - #include - -+static void ping_v6_destroy(struct sock *sk) -+{ -+ inet6_destroy_sock(sk); -+} -+ - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ - static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, - int *addr_len) -@@ -179,6 +184,7 @@ struct proto pingv6_prot = { - .owner = THIS_MODULE, - .init = ping_init_sock, - .close = ping_close, -+ .destroy = ping_v6_destroy, - .connect = ip6_datagram_connect_v6_only, - .disconnect = __udp_disconnect, - .setsockopt = ipv6_setsockopt, --- -2.35.1 - diff --git a/queue-4.9/net-rose-fix-netdev-reference-changes.patch b/queue-4.9/net-rose-fix-netdev-reference-changes.patch deleted file mode 100644 index 35e5f25e502..00000000000 --- a/queue-4.9/net-rose-fix-netdev-reference-changes.patch +++ /dev/null @@ -1,110 +0,0 @@ -From bac683f0d2c08c224d9d42d617eda3f9c8f1661b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 29 Jul 2022 09:12:32 +0000 -Subject: net: rose: fix netdev reference changes - -From: Eric Dumazet - -[ Upstream commit 931027820e4dafabc78aff82af59f8c1c4bd3128 ] - -Bernard reported that trying to unload rose module would lead -to infamous messages: - -unregistered_netdevice: waiting for rose0 to become free. Usage count = xx - -This patch solves the issue, by making sure each socket referring to -a netdevice holds a reference count on it, and properly releases it -in rose_release(). - -rose_dev_first() is also fixed to take a device reference -before leaving the rcu_read_locked section. - -Following patch will add ref_tracker annotations to ease -future bug hunting. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Reported-by: Bernard Pidoux -Signed-off-by: Eric Dumazet -Tested-by: Bernard Pidoux -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/rose/af_rose.c | 11 +++++++++-- - net/rose/rose_route.c | 2 ++ - 2 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c -index 129d357d2722..5ae7f54f2ffc 100644 ---- a/net/rose/af_rose.c -+++ b/net/rose/af_rose.c -@@ -194,6 +194,7 @@ static void rose_kill_by_device(struct net_device *dev) - rose_disconnect(s, ENETUNREACH, ROSE_OUT_OF_ORDER, 0); - if (rose->neighbour) - rose->neighbour->use--; -+ dev_put(rose->device); - rose->device = NULL; - } - } -@@ -593,6 +594,8 @@ static struct sock *rose_make_new(struct sock *osk) - rose->idle = orose->idle; - rose->defer = orose->defer; - rose->device = orose->device; -+ if (rose->device) -+ dev_hold(rose->device); - rose->qbitincl = orose->qbitincl; - - return sk; -@@ -646,6 +649,7 @@ static int rose_release(struct socket *sock) - break; - } - -+ dev_put(rose->device); - sock->sk = NULL; - release_sock(sk); - sock_put(sk); -@@ -720,7 +724,6 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le - struct rose_sock *rose = rose_sk(sk); - struct sockaddr_rose *addr = (struct sockaddr_rose *)uaddr; - unsigned char cause, diagnostic; -- struct net_device *dev; - ax25_uid_assoc *user; - int n, err = 0; - -@@ -777,9 +780,12 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le - } - - if (sock_flag(sk, SOCK_ZAPPED)) { /* Must bind first - autobinding in this may or may not work */ -+ struct net_device *dev; -+ - sock_reset_flag(sk, SOCK_ZAPPED); - -- if ((dev = rose_dev_first()) == NULL) { -+ dev = rose_dev_first(); -+ if (!dev) { - err = -ENETUNREACH; - goto out_release; - } -@@ -787,6 +793,7 @@ static int rose_connect(struct socket *sock, struct sockaddr *uaddr, int addr_le - user = ax25_findbyuid(current_euid()); - if (!user) { - err = -EINVAL; -+ dev_put(dev); - goto out_release; - } - -diff --git a/net/rose/rose_route.c b/net/rose/rose_route.c -index 34e7e2ab78fe..a798f9c00607 100644 ---- a/net/rose/rose_route.c -+++ b/net/rose/rose_route.c -@@ -614,6 +614,8 @@ struct net_device *rose_dev_first(void) - if (first == NULL || strncmp(dev->name, first->name, 3) < 0) - first = dev; - } -+ if (first) -+ dev_hold(first); - rcu_read_unlock(); - - return first; --- -2.35.1 - diff --git a/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch-29127 b/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch-29127 deleted file mode 100644 index 912e2c520e7..00000000000 --- a/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch-29127 +++ /dev/null @@ -1,37 +0,0 @@ -From 2b7642e293d0d27c2bb3095311475c0707aafec4 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 21:10:03 +0800 -Subject: net: sungem_phy: Add of_node_put() for reference returned by - of_get_parent() - -From: Liang He - -[ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ] - -In bcm5421_init(), we should call of_node_put() for the reference -returned by of_get_parent() which has increased the refcount. - -Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem") -Signed-off-by: Liang He -Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - drivers/net/sungem_phy.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/sungem_phy.c b/drivers/net/sungem_phy.c -index 92578d72e4ee..c5efdde21c2e 100644 ---- a/drivers/net/sungem_phy.c -+++ b/drivers/net/sungem_phy.c -@@ -453,6 +453,7 @@ static int bcm5421_init(struct mii_phy* phy) - int can_low_power = 1; - if (np == NULL || of_get_property(np, "no-autolowpower", NULL)) - can_low_power = 0; -+ of_node_put(np); - if (can_low_power) { - /* Enable automatic low-power */ - sungem_phy_write(phy, 0x1c, 0x9002); --- -2.35.1 - diff --git a/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch-29959 b/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch-29959 deleted file mode 100644 index b18528ca402..00000000000 --- a/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch-29959 +++ /dev/null @@ -1,53 +0,0 @@ -From e582631e49c35fb646b8817e16dd28c110e8956e Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 26 Jul 2022 12:42:06 +0200 -Subject: netfilter: nf_queue: do not allow packet truncation below transport - header offset - -From: Florian Westphal - -[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ] - -Domingo Dirutigliano and Nicola Guerrera report kernel panic when -sending nf_queue verdict with 1-byte nfta_payload attribute. - -The IP/IPv6 stack pulls the IP(v6) header from the packet after the -input hook. - -If user truncates the packet below the header size, this skb_pull() will -result in a malformed skb (skb->len < 0). - -Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink") -Reported-by: Domingo Dirutigliano -Signed-off-by: Florian Westphal -Reviewed-by: Pablo Neira Ayuso -Signed-off-by: Sasha Levin ---- - net/netfilter/nfnetlink_queue.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c -index 66814a9d030c..80715b495d7c 100644 ---- a/net/netfilter/nfnetlink_queue.c -+++ b/net/netfilter/nfnetlink_queue.c -@@ -807,11 +807,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) - } - - static int --nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff) -+nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff) - { - struct sk_buff *nskb; - - if (diff < 0) { -+ unsigned int min_len = skb_transport_offset(e->skb); -+ -+ if (data_len < min_len) -+ return -EINVAL; -+ - if (pskb_trim(e->skb, data_len)) - return -ENOMEM; - } else if (diff > 0) { --- -2.35.1 - diff --git a/queue-4.9/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch-16365 b/queue-4.9/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch-16365 deleted file mode 100644 index 5e75d5a6f4a..00000000000 --- a/queue-4.9/ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch-16365 +++ /dev/null @@ -1,112 +0,0 @@ -From eaab4ae0a7e1b4f19dfd654defeda1f694431c8d Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 18:53:29 +0800 -Subject: ntfs: fix use-after-free in ntfs_ucsncmp() - -From: ChenXiaoSong - -commit 38c9c22a85aeed28d0831f230136e9cf6fa2ed44 upstream. - -Syzkaller reported use-after-free bug as follows: - -================================================================== -BUG: KASAN: use-after-free in ntfs_ucsncmp+0x123/0x130 -Read of size 2 at addr ffff8880751acee8 by task a.out/879 - -CPU: 7 PID: 879 Comm: a.out Not tainted 5.19.0-rc4-next-20220630-00001-gcc5218c8bd2c-dirty #7 -Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 -Call Trace: - - dump_stack_lvl+0x1c0/0x2b0 - print_address_description.constprop.0.cold+0xd4/0x484 - print_report.cold+0x55/0x232 - kasan_report+0xbf/0xf0 - ntfs_ucsncmp+0x123/0x130 - ntfs_are_names_equal.cold+0x2b/0x41 - ntfs_attr_find+0x43b/0xb90 - ntfs_attr_lookup+0x16d/0x1e0 - ntfs_read_locked_attr_inode+0x4aa/0x2360 - ntfs_attr_iget+0x1af/0x220 - ntfs_read_locked_inode+0x246c/0x5120 - ntfs_iget+0x132/0x180 - load_system_files+0x1cc6/0x3480 - ntfs_fill_super+0xa66/0x1cf0 - mount_bdev+0x38d/0x460 - legacy_get_tree+0x10d/0x220 - vfs_get_tree+0x93/0x300 - do_new_mount+0x2da/0x6d0 - path_mount+0x496/0x19d0 - __x64_sys_mount+0x284/0x300 - do_syscall_64+0x3b/0xc0 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 -RIP: 0033:0x7f3f2118d9ea -Code: 48 8b 0d a9 f4 0b 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 76 f4 0b 00 f7 d8 64 89 01 48 -RSP: 002b:00007ffc269deac8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5 -RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3f2118d9ea -RDX: 0000000020000000 RSI: 0000000020000100 RDI: 00007ffc269dec00 -RBP: 00007ffc269dec80 R08: 00007ffc269deb00 R09: 00007ffc269dec44 -R10: 0000000000000000 R11: 0000000000000202 R12: 000055f81ab1d220 -R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 - - -The buggy address belongs to the physical page: -page:0000000085430378 refcount:1 mapcount:1 mapping:0000000000000000 index:0x555c6a81d pfn:0x751ac -memcg:ffff888101f7e180 -anon flags: 0xfffffc00a0014(uptodate|lru|mappedtodisk|swapbacked|node=0|zone=1|lastcpupid=0x1fffff) -raw: 000fffffc00a0014 ffffea0001bf2988 ffffea0001de2448 ffff88801712e201 -raw: 0000000555c6a81d 0000000000000000 0000000100000000 ffff888101f7e180 -page dumped because: kasan: bad access detected - -Memory state around the buggy address: - ffff8880751acd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff8880751ace00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ->ffff8880751ace80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ^ - ffff8880751acf00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - ffff8880751acf80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 -================================================================== - -The reason is that struct ATTR_RECORD->name_offset is 6485, end address of -name string is out of bounds. - -Fix this by adding sanity check on end address of attribute name string. - -[akpm@linux-foundation.org: coding-style cleanups] -[chenxiaosong2@huawei.com: cleanup suggested by Hawkins Jiawei] - Link: https://lkml.kernel.org/r/20220709064511.3304299-1-chenxiaosong2@huawei.com -Link: https://lkml.kernel.org/r/20220707105329.4020708-1-chenxiaosong2@huawei.com -Signed-off-by: ChenXiaoSong -Signed-off-by: Hawkins Jiawei -Cc: Anton Altaparmakov -Cc: ChenXiaoSong -Cc: Yongqiang Liu -Cc: Zhang Yi -Cc: Zhang Xiaoxu -Signed-off-by: Andrew Morton -Signed-off-by: Greg Kroah-Hartman ---- - fs/ntfs/attrib.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/fs/ntfs/attrib.c b/fs/ntfs/attrib.c -index 44a39a099b54..62b49197e5f6 100644 ---- a/fs/ntfs/attrib.c -+++ b/fs/ntfs/attrib.c -@@ -606,8 +606,12 @@ static int ntfs_attr_find(const ATTR_TYPE type, const ntfschar *name, - a = (ATTR_RECORD*)((u8*)ctx->attr + - le32_to_cpu(ctx->attr->length)); - for (;; a = (ATTR_RECORD*)((u8*)a + le32_to_cpu(a->length))) { -- if ((u8*)a < (u8*)ctx->mrec || (u8*)a > (u8*)ctx->mrec + -- le32_to_cpu(ctx->mrec->bytes_allocated)) -+ u8 *mrec_end = (u8 *)ctx->mrec + -+ le32_to_cpu(ctx->mrec->bytes_allocated); -+ u8 *name_end = (u8 *)a + le16_to_cpu(a->name_offset) + -+ a->name_length * sizeof(ntfschar); -+ if ((u8*)a < (u8*)ctx->mrec || (u8*)a > mrec_end || -+ name_end > mrec_end) - break; - ctx->attr = a; - if (unlikely(le32_to_cpu(a->type) > le32_to_cpu(type) || --- -2.35.1 - diff --git a/queue-4.9/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch b/queue-4.9/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch deleted file mode 100644 index acb9436779c..00000000000 --- a/queue-4.9/platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 659583f83d6568ca56597572f37af25e6de68850 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 20 Jul 2022 21:23:38 +0300 -Subject: platform/olpc: Fix uninitialized data in debugfs write - -From: Dan Carpenter - -[ Upstream commit 40ec787e1adf302c11668d4cc69838f4d584187d ] - -The call to: - - size = simple_write_to_buffer(cmdbuf, sizeof(cmdbuf), ppos, buf, size); - -will succeed if at least one byte is written to the "cmdbuf" buffer. -The "*ppos" value controls which byte is written. Another problem is -that this code does not check for errors so it's possible for the entire -buffer to be uninitialized. - -Inintialize the struct to zero to prevent reading uninitialized stack -data. - -Debugfs is normally only writable by root so the impact of this bug is -very minimal. - -Fixes: 6cca83d498bd ("Platform: OLPC: move debugfs support from x86 EC driver") -Signed-off-by: Dan Carpenter -Link: https://lore.kernel.org/r/YthIKn+TfZSZMEcM@kili -Reviewed-by: Hans de Goede -Signed-off-by: Hans de Goede -Signed-off-by: Sasha Levin ---- - drivers/platform/olpc/olpc-ec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/platform/olpc/olpc-ec.c b/drivers/platform/olpc/olpc-ec.c -index 374a8028fec7..b36a000ed969 100644 ---- a/drivers/platform/olpc/olpc-ec.c -+++ b/drivers/platform/olpc/olpc-ec.c -@@ -170,7 +170,7 @@ static ssize_t ec_dbgfs_cmd_write(struct file *file, const char __user *buf, - int i, m; - unsigned char ec_cmd[EC_MAX_CMD_ARGS]; - unsigned int ec_cmd_int[EC_MAX_CMD_ARGS]; -- char cmdbuf[64]; -+ char cmdbuf[64] = ""; - int ec_cmd_bytes; - - mutex_lock(&ec_dbgfs_lock); --- -2.35.1 - diff --git a/queue-4.9/pm-hibernate-defer-device-probing-when-resuming-from.patch b/queue-4.9/pm-hibernate-defer-device-probing-when-resuming-from.patch deleted file mode 100644 index 2ff6a9fef31..00000000000 --- a/queue-4.9/pm-hibernate-defer-device-probing-when-resuming-from.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 1d0eca850d28014f2888055c5c23dd6a6e6c3e96 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 14:49:58 +0900 -Subject: PM: hibernate: defer device probing when resuming from hibernation - -From: Tetsuo Handa - -[ Upstream commit 8386c414e27caba8501119948e9551e52b527f59 ] - -syzbot is reporting hung task at misc_open() [1], for there is a race -window of AB-BA deadlock which involves probe_count variable. Currently -wait_for_device_probe() from snapshot_open() from misc_open() can sleep -forever with misc_mtx held if probe_count cannot become 0. - -When a device is probed by hub_event() work function, probe_count is -incremented before the probe function starts, and probe_count is -decremented after the probe function completed. - -There are three cases that can prevent probe_count from dropping to 0. - - (a) A device being probed stopped responding (i.e. broken/malicious - hardware). - - (b) A process emulating a USB device using /dev/raw-gadget interface - stopped responding for some reason. - - (c) New device probe requests keeps coming in before existing device - probe requests complete. - -The phenomenon syzbot is reporting is (b). A process which is holding -system_transition_mutex and misc_mtx is waiting for probe_count to become -0 inside wait_for_device_probe(), but the probe function which is called - from hub_event() work function is waiting for the processes which are -blocked at mutex_lock(&misc_mtx) to respond via /dev/raw-gadget interface. - -This patch mitigates (b) by deferring wait_for_device_probe() from -snapshot_open() to snapshot_write() and snapshot_ioctl(). Please note that -the possibility of (b) remains as long as any thread which is emulating a -USB device via /dev/raw-gadget interface can be blocked by uninterruptible -blocking operations (e.g. mutex_lock()). - -Please also note that (a) and (c) are not addressed. Regarding (c), we -should change the code to wait for only one device which contains the -image for resuming from hibernation. I don't know how to address (a), for -use of timeout for wait_for_device_probe() might result in loss of user -data in the image. Maybe we should require the userland to wait for the -image device before opening /dev/snapshot interface. - -Link: https://syzkaller.appspot.com/bug?extid=358c9ab4c93da7b7238c [1] -Reported-by: syzbot -Signed-off-by: Tetsuo Handa -Tested-by: syzbot -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - kernel/power/user.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/kernel/power/user.c b/kernel/power/user.c -index bc6dde1f1567..a84f9e549ad5 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -29,6 +29,7 @@ - - #include "power.h" - -+static bool need_wait; - - #define SNAPSHOT_MINOR 231 - -@@ -82,7 +83,7 @@ static int snapshot_open(struct inode *inode, struct file *filp) - * Resuming. We may need to wait for the image device to - * appear. - */ -- wait_for_device_probe(); -+ need_wait = true; - - data->swap = -1; - data->mode = O_WRONLY; -@@ -174,6 +175,11 @@ static ssize_t snapshot_write(struct file *filp, const char __user *buf, - ssize_t res; - loff_t pg_offp = *offp & ~PAGE_MASK; - -+ if (need_wait) { -+ wait_for_device_probe(); -+ need_wait = false; -+ } -+ - lock_system_sleep(); - - data = filp->private_data; -@@ -209,6 +215,11 @@ static long snapshot_ioctl(struct file *filp, unsigned int cmd, - loff_t size; - sector_t offset; - -+ if (need_wait) { -+ wait_for_device_probe(); -+ need_wait = false; -+ } -+ - if (_IOC_TYPE(cmd) != SNAPSHOT_IOC_MAGIC) - return -ENOTTY; - if (_IOC_NR(cmd) > SNAPSHOT_IOC_MAXNR) --- -2.35.1 - diff --git a/queue-4.9/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch b/queue-4.9/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch deleted file mode 100644 index ee644a76770..00000000000 --- a/queue-4.9/powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch +++ /dev/null @@ -1,37 +0,0 @@ -From d23a1b0268d32f41244d5e6cc24e08502132f2ac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 5 Jun 2022 10:51:29 +0400 -Subject: powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address - -From: Miaoqian Lin - -[ Upstream commit df5d4b616ee76abc97e5bd348e22659c2b095b1c ] - -of_get_next_parent() returns a node pointer with refcount incremented, -we should use of_node_put() on it when not need anymore. -Add missing of_node_put() in the error path to avoid refcount leak. - -Fixes: ce21b3c9648a ("[CELL] add support for MSI on Axon-based Cell systems") -Signed-off-by: Miaoqian Lin -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220605065129.63906-1-linmq006@gmail.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/platforms/cell/axon_msi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/powerpc/platforms/cell/axon_msi.c b/arch/powerpc/platforms/cell/axon_msi.c -index 8b55c5f19d4c..e1e6ca243628 100644 ---- a/arch/powerpc/platforms/cell/axon_msi.c -+++ b/arch/powerpc/platforms/cell/axon_msi.c -@@ -230,6 +230,7 @@ static int setup_msi_msg_address(struct pci_dev *dev, struct msi_msg *msg) - if (!prop) { - dev_dbg(&dev->dev, - "axon_msi: no msi-address-(32|64) properties found\n"); -+ of_node_put(dn); - return -ENOENT; - } - --- -2.35.1 - diff --git a/queue-4.9/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch b/queue-4.9/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch deleted file mode 100644 index bed4c5065c3..00000000000 --- a/queue-4.9/powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 08d64186d49e7e5d390535e38e10201447c0ba56 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 2 Aug 2022 20:38:32 +1000 -Subject: powerpc/pci: Fix PHB numbering when using opal-phbid -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Michael Ellerman - -[ Upstream commit f4b39e88b42d13366b831270306326b5c20971ca ] - -The recent change to the PHB numbering logic has a logic error in the -handling of "ibm,opal-phbid". - -When an "ibm,opal-phbid" property is present, &prop is written to and -ret is set to zero. - -The following call to of_alias_get_id() is skipped because ret == 0. - -But then the if (ret >= 0) is true, and the body of that if statement -sets prop = ret which throws away the value that was just read from -"ibm,opal-phbid". - -Fix the logic by only doing the ret >= 0 check in the of_alias_get_id() -case. - -Fixes: 0fe1e96fef0a ("powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias") -Reviewed-by: Pali Rohár -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220802105723.1055178-1-mpe@ellerman.id.au -Signed-off-by: Sasha Levin ---- - arch/powerpc/kernel/pci-common.c | 10 ++++++---- - 1 file changed, 6 insertions(+), 4 deletions(-) - -diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c -index decf78f34419..c7b699312d19 100644 ---- a/arch/powerpc/kernel/pci-common.c -+++ b/arch/powerpc/kernel/pci-common.c -@@ -95,11 +95,13 @@ static int get_phb_number(struct device_node *dn) - } - if (ret) - ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); -- if (ret) -+ -+ if (ret) { - ret = of_alias_get_id(dn, "pci"); -- if (ret >= 0) { -- prop = ret; -- ret = 0; -+ if (ret >= 0) { -+ prop = ret; -+ ret = 0; -+ } - } - if (ret) { - u32 prop_32; --- -2.35.1 - diff --git a/queue-4.9/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch b/queue-4.9/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch deleted file mode 100644 index b810d712d15..00000000000 --- a/queue-4.9/powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch +++ /dev/null @@ -1,88 +0,0 @@ -From b63cf8536099ac80b21508367bed19d742fcf266 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 6 Jul 2022 12:21:48 +0200 -Subject: powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' - and alias -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Pali Rohár - -[ Upstream commit 0fe1e96fef0a5c53b4c0d1500d356f3906000f81 ] - -Other Linux architectures use DT property 'linux,pci-domain' for -specifying fixed PCI domain of PCI controller specified in Device-Tree. - -And lot of Freescale powerpc boards have defined numbered pci alias in -Device-Tree for every PCIe controller which number specify preferred PCI -domain. - -So prefer usage of DT property 'linux,pci-domain' (via function -of_get_pci_domain_nr()) and DT pci alias (via function -of_alias_get_id()) on powerpc architecture for assigning PCI domain to -PCI controller. - -Fixes: 63a72284b159 ("powerpc/pci: Assign fixed PHB number based on device-tree properties") -Signed-off-by: Pali Rohár -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220706102148.5060-2-pali@kernel.org -Signed-off-by: Sasha Levin ---- - arch/powerpc/kernel/pci-common.c | 27 +++++++++++++++++++-------- - 1 file changed, 19 insertions(+), 8 deletions(-) - -diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c -index 74bec5498972..decf78f34419 100644 ---- a/arch/powerpc/kernel/pci-common.c -+++ b/arch/powerpc/kernel/pci-common.c -@@ -79,16 +79,30 @@ EXPORT_SYMBOL(get_pci_dma_ops); - static int get_phb_number(struct device_node *dn) - { - int ret, phb_id = -1; -- u32 prop_32; - u64 prop; - - /* - * Try fixed PHB numbering first, by checking archs and reading -- * the respective device-tree properties. Firstly, try powernv by -- * reading "ibm,opal-phbid", only present in OPAL environment. -+ * the respective device-tree properties. Firstly, try reading -+ * standard "linux,pci-domain", then try reading "ibm,opal-phbid" -+ * (only present in powernv OPAL environment), then try device-tree -+ * alias and as the last try to use lower bits of "reg" property. - */ -- ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); -+ ret = of_get_pci_domain_nr(dn); -+ if (ret >= 0) { -+ prop = ret; -+ ret = 0; -+ } -+ if (ret) -+ ret = of_property_read_u64(dn, "ibm,opal-phbid", &prop); -+ if (ret) -+ ret = of_alias_get_id(dn, "pci"); -+ if (ret >= 0) { -+ prop = ret; -+ ret = 0; -+ } - if (ret) { -+ u32 prop_32; - ret = of_property_read_u32_index(dn, "reg", 1, &prop_32); - prop = prop_32; - } -@@ -100,10 +114,7 @@ static int get_phb_number(struct device_node *dn) - if ((phb_id >= 0) && !test_and_set_bit(phb_id, phb_bitmap)) - return phb_id; - -- /* -- * If not pseries nor powernv, or if fixed PHB numbering tried to add -- * the same PHB number twice, then fallback to dynamic PHB numbering. -- */ -+ /* If everything fails then fallback to dynamic PHB numbering. */ - phb_id = find_first_zero_bit(phb_bitmap, MAX_PHBS); - BUG_ON(phb_id >= MAX_PHBS); - set_bit(phb_id, phb_bitmap); --- -2.35.1 - diff --git a/queue-4.9/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch b/queue-4.9/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch deleted file mode 100644 index 014dddaf5dd..00000000000 --- a/queue-4.9/powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 8ff7a3852fca507c5de8c5da7ec233c661efd988 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 3 Jun 2022 16:15:42 +0400 -Subject: powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader - -From: Miaoqian Lin - -[ Upstream commit 6ac059dacffa8ab2f7798f20e4bd3333890c541c ] - -of_find_node_by_path() returns remote device nodepointer with -refcount incremented, we should use of_node_put() on it when done. -Add missing of_node_put() to avoid refcount leak. - -Fixes: 0afacde3df4c ("[POWERPC] spufs: allow isolated mode apps by starting the SPE loader") -Signed-off-by: Miaoqian Lin -Acked-by: Arnd Bergmann -Signed-off-by: Michael Ellerman -Link: https://lore.kernel.org/r/20220603121543.22884-1-linmq006@gmail.com -Signed-off-by: Sasha Levin ---- - arch/powerpc/platforms/cell/spufs/inode.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/arch/powerpc/platforms/cell/spufs/inode.c b/arch/powerpc/platforms/cell/spufs/inode.c -index 5364d4a54249..c0b47856cc5c 100644 ---- a/arch/powerpc/platforms/cell/spufs/inode.c -+++ b/arch/powerpc/platforms/cell/spufs/inode.c -@@ -666,6 +666,7 @@ spufs_init_isolated_loader(void) - return; - - loader = of_get_property(dn, "loader", &size); -+ of_node_put(dn); - if (!loader) - return; - --- -2.35.1 - diff --git a/queue-4.9/proc-pass-file-mode-to-proc_pid_make_inode.patch-13217 b/queue-4.9/proc-pass-file-mode-to-proc_pid_make_inode.patch-13217 deleted file mode 100644 index 90b9896cdad..00000000000 --- a/queue-4.9/proc-pass-file-mode-to-proc_pid_make_inode.patch-13217 +++ /dev/null @@ -1,195 +0,0 @@ -From b196c754708de40ddb3455cac32f398ba3b74dc5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 10 Nov 2016 22:18:28 +0100 -Subject: proc: Pass file mode to proc_pid_make_inode - -From: Andreas Gruenbacher - -commit db978da8fa1d0819b210c137d31a339149b88875 upstream. - -Pass the file mode of the proc inode to be created to -proc_pid_make_inode. In proc_pid_make_inode, initialize inode->i_mode -before calling security_task_to_inode. This allows selinux to set -isec->sclass right away without introducing "half-initialized" inode -security structs. - -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - fs/proc/base.c | 23 +++++++++-------------- - fs/proc/fd.c | 6 ++---- - fs/proc/internal.h | 2 +- - fs/proc/namespaces.c | 3 +-- - security/selinux/hooks.c | 1 + - 5 files changed, 14 insertions(+), 21 deletions(-) - -diff --git a/fs/proc/base.c b/fs/proc/base.c -index 886e408f4769..2dd4a2b7222c 100644 ---- a/fs/proc/base.c -+++ b/fs/proc/base.c -@@ -1676,7 +1676,8 @@ const struct inode_operations proc_pid_link_inode_operations = { - - /* building an inode */ - --struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *task) -+struct inode *proc_pid_make_inode(struct super_block * sb, -+ struct task_struct *task, umode_t mode) - { - struct inode * inode; - struct proc_inode *ei; -@@ -1690,6 +1691,7 @@ struct inode *proc_pid_make_inode(struct super_block * sb, struct task_struct *t - - /* Common stuff */ - ei = PROC_I(inode); -+ inode->i_mode = mode; - inode->i_ino = get_next_ino(); - inode->i_mtime = inode->i_atime = inode->i_ctime = current_time(inode); - inode->i_op = &proc_def_inode_operations; -@@ -2041,7 +2043,9 @@ proc_map_files_instantiate(struct inode *dir, struct dentry *dentry, - struct proc_inode *ei; - struct inode *inode; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK | -+ ((mode & FMODE_READ ) ? S_IRUSR : 0) | -+ ((mode & FMODE_WRITE) ? S_IWUSR : 0)); - if (!inode) - return -ENOENT; - -@@ -2050,12 +2054,6 @@ proc_map_files_instantiate(struct inode *dir, struct dentry *dentry, - - inode->i_op = &proc_map_files_link_inode_operations; - inode->i_size = 64; -- inode->i_mode = S_IFLNK; -- -- if (mode & FMODE_READ) -- inode->i_mode |= S_IRUSR; -- if (mode & FMODE_WRITE) -- inode->i_mode |= S_IWUSR; - - d_set_d_op(dentry, &tid_map_files_dentry_operations); - d_add(dentry, inode); -@@ -2409,12 +2407,11 @@ static int proc_pident_instantiate(struct inode *dir, - struct inode *inode; - struct proc_inode *ei; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, p->mode); - if (!inode) - goto out; - - ei = PROC_I(inode); -- inode->i_mode = p->mode; - if (S_ISDIR(inode->i_mode)) - set_nlink(inode, 2); /* Use getattr to fix if necessary */ - if (p->iop) -@@ -3109,11 +3106,10 @@ static int proc_pid_instantiate(struct inode *dir, - { - struct inode *inode; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUGO); - if (!inode) - goto out; - -- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; - inode->i_op = &proc_tgid_base_inode_operations; - inode->i_fop = &proc_tgid_base_operations; - inode->i_flags|=S_IMMUTABLE; -@@ -3404,11 +3400,10 @@ static int proc_task_instantiate(struct inode *dir, - struct dentry *dentry, struct task_struct *task, const void *ptr) - { - struct inode *inode; -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFDIR | S_IRUGO | S_IXUGO); - - if (!inode) - goto out; -- inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO; - inode->i_op = &proc_tid_base_inode_operations; - inode->i_fop = &proc_tid_base_operations; - inode->i_flags|=S_IMMUTABLE; -diff --git a/fs/proc/fd.c b/fs/proc/fd.c -index d21dafef3102..4274f83bf100 100644 ---- a/fs/proc/fd.c -+++ b/fs/proc/fd.c -@@ -183,14 +183,13 @@ proc_fd_instantiate(struct inode *dir, struct dentry *dentry, - struct proc_inode *ei; - struct inode *inode; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK); - if (!inode) - goto out; - - ei = PROC_I(inode); - ei->fd = fd; - -- inode->i_mode = S_IFLNK; - inode->i_op = &proc_pid_link_inode_operations; - inode->i_size = 64; - -@@ -322,14 +321,13 @@ proc_fdinfo_instantiate(struct inode *dir, struct dentry *dentry, - struct proc_inode *ei; - struct inode *inode; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFREG | S_IRUSR); - if (!inode) - goto out; - - ei = PROC_I(inode); - ei->fd = fd; - -- inode->i_mode = S_IFREG | S_IRUSR; - inode->i_fop = &proc_fdinfo_file_operations; - - d_set_d_op(dentry, &tid_fd_dentry_operations); -diff --git a/fs/proc/internal.h b/fs/proc/internal.h -index c0bdeceaaeb6..5bc057be6fa3 100644 ---- a/fs/proc/internal.h -+++ b/fs/proc/internal.h -@@ -163,7 +163,7 @@ extern int proc_pid_statm(struct seq_file *, struct pid_namespace *, - extern const struct dentry_operations pid_dentry_operations; - extern int pid_getattr(struct vfsmount *, struct dentry *, struct kstat *); - extern int proc_setattr(struct dentry *, struct iattr *); --extern struct inode *proc_pid_make_inode(struct super_block *, struct task_struct *); -+extern struct inode *proc_pid_make_inode(struct super_block *, struct task_struct *, umode_t); - extern int pid_revalidate(struct dentry *, unsigned int); - extern int pid_delete_dentry(const struct dentry *); - extern int proc_pid_readdir(struct file *, struct dir_context *); -diff --git a/fs/proc/namespaces.c b/fs/proc/namespaces.c -index 51b8b0a8ad91..766f0c637ad1 100644 ---- a/fs/proc/namespaces.c -+++ b/fs/proc/namespaces.c -@@ -92,12 +92,11 @@ static int proc_ns_instantiate(struct inode *dir, - struct inode *inode; - struct proc_inode *ei; - -- inode = proc_pid_make_inode(dir->i_sb, task); -+ inode = proc_pid_make_inode(dir->i_sb, task, S_IFLNK | S_IRWXUGO); - if (!inode) - goto out; - - ei = PROC_I(inode); -- inode->i_mode = S_IFLNK|S_IRWXUGO; - inode->i_op = &proc_ns_link_inode_operations; - ei->ns_ops = ns_ops; - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 43f81db42169..1997d87b35d5 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -3958,6 +3958,7 @@ static void selinux_task_to_inode(struct task_struct *p, - struct inode_security_struct *isec = inode->i_security; - u32 sid = task_sid(p); - -+ isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = sid; - isec->initialized = LABEL_INITIALIZED; - } --- -2.35.1 - diff --git a/queue-4.9/profiling-fix-shift-too-large-makes-kernel-panic.patch b/queue-4.9/profiling-fix-shift-too-large-makes-kernel-panic.patch deleted file mode 100644 index f109ab03dbc..00000000000 --- a/queue-4.9/profiling-fix-shift-too-large-makes-kernel-panic.patch +++ /dev/null @@ -1,91 +0,0 @@ -From e00892c2451eaba48b4eaec80658f712fecf5886 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 31 May 2022 09:28:54 +0800 -Subject: profiling: fix shift too large makes kernel panic - -From: Chen Zhongjin - -[ Upstream commit 0fe6ee8f123a4dfb529a5aff07536bb481f34043 ] - -2d186afd04d6 ("profiling: fix shift-out-of-bounds bugs") limits shift -value by [0, BITS_PER_LONG -1], which means [0, 63]. - -However, syzbot found that the max shift value should be the bit number of -(_etext - _stext). If shift is outside of this, the "buffer_bytes" will -be zero and will cause kzalloc(0). Then the kernel panics due to -dereferencing the returned pointer 16. - -This can be easily reproduced by passing a large number like 60 to enable -profiling and then run readprofile. - -LOGS: - BUG: kernel NULL pointer dereference, address: 0000000000000010 - #PF: supervisor write access in kernel mode - #PF: error_code(0x0002) - not-present page - PGD 6148067 P4D 6148067 PUD 6142067 PMD 0 - PREEMPT SMP - CPU: 4 PID: 184 Comm: readprofile Not tainted 5.18.0+ #162 - Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 - RIP: 0010:read_profile+0x104/0x220 - RSP: 0018:ffffc900006fbe80 EFLAGS: 00000202 - RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 - RDX: ffff888006150000 RSI: 0000000000000001 RDI: ffffffff82aba4a0 - RBP: 000000000188bb60 R08: 0000000000000010 R09: ffff888006151000 - R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff82aba4a0 - R13: 0000000000000000 R14: ffffc900006fbf08 R15: 0000000000020c30 - FS: 000000000188a8c0(0000) GS:ffff88803ed00000(0000) knlGS:0000000000000000 - CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 - CR2: 0000000000000010 CR3: 0000000006144000 CR4: 00000000000006e0 - Call Trace: - - proc_reg_read+0x56/0x70 - vfs_read+0x9a/0x1b0 - ksys_read+0xa1/0xe0 - ? fpregs_assert_state_consistent+0x1e/0x40 - do_syscall_64+0x3a/0x80 - entry_SYSCALL_64_after_hwframe+0x46/0xb0 - RIP: 0033:0x4d4b4e - RSP: 002b:00007ffebb668d58 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 - RAX: ffffffffffffffda RBX: 000000000188a8a0 RCX: 00000000004d4b4e - RDX: 0000000000000400 RSI: 000000000188bb60 RDI: 0000000000000003 - RBP: 0000000000000003 R08: 000000000000006e R09: 0000000000000000 - R10: 0000000000000041 R11: 0000000000000246 R12: 000000000188bb60 - R13: 0000000000000400 R14: 0000000000000000 R15: 000000000188bb60 - - Modules linked in: - CR2: 0000000000000010 -Killed - ---[ end trace 0000000000000000 ]--- - -Check prof_len in profile_init() to prevent it be zero. - -Link: https://lkml.kernel.org/r/20220531012854.229439-1-chenzhongjin@huawei.com -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Chen Zhongjin -Signed-off-by: Andrew Morton -Signed-off-by: Sasha Levin ---- - kernel/profile.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/kernel/profile.c b/kernel/profile.c -index 9c78e3ab4b42..cb6dcf908639 100644 ---- a/kernel/profile.c -+++ b/kernel/profile.c -@@ -106,6 +106,13 @@ int __ref profile_init(void) - - /* only text is profiled */ - prof_len = (_etext - _stext) >> prof_shift; -+ -+ if (!prof_len) { -+ pr_warn("profiling shift: %u too large\n", prof_shift); -+ prof_on = 0; -+ return -EINVAL; -+ } -+ - buffer_bytes = prof_len*sizeof(atomic_t); - - if (!alloc_cpumask_var(&prof_cpu_mask, GFP_KERNEL)) --- -2.35.1 - diff --git a/queue-4.9/random-only-call-boot_init_stack_canary-once.patch-957 b/queue-4.9/random-only-call-boot_init_stack_canary-once.patch-957 deleted file mode 100644 index c6591dc5bd5..00000000000 --- a/queue-4.9/random-only-call-boot_init_stack_canary-once.patch-957 +++ /dev/null @@ -1,46 +0,0 @@ -From fd8fe0fac12f2a9431ce7fc78d3c1c1a87fa2530 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Aug 2022 16:01:51 +0200 -Subject: random: only call boot_init_stack_canary() once - -From: Hans-Christian Noren Egtvedt - -In commit 166a592cad36 ("random: move rand_initialize() earlier") the -boot_init_stack_canary() call was added after the new random_init() -call. - -However, the upstream commit d55535232c3d ("random: move -rand_initialize() earlier") also included removing the earlier call to -boot_init_stack_canary(), making sure this call is done after -random_init(). - -Hence fix what I assume is a wrong merge conflict resolution on the -linux-4.9.y stable branch. - -Signed-off-by: Hans-Christian Noren Egtvedt -Signed-off-by: Greg Kroah-Hartman ---- - init/main.c | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/init/main.c b/init/main.c -index 6bc1a3fa1526..6537f51a0bac 100644 ---- a/init/main.c -+++ b/init/main.c -@@ -500,13 +500,6 @@ asmlinkage __visible void __init start_kernel(void) - page_address_init(); - pr_notice("%s", linux_banner); - setup_arch(&command_line); -- /* -- * Set up the the initial canary and entropy after arch -- * and after adding latent and command line entropy. -- */ -- add_latent_entropy(); -- add_device_randomness(command_line, strlen(command_line)); -- boot_init_stack_canary(); - mm_init_cpumask(&init_mm); - setup_command_line(command_line); - setup_nr_cpu_ids(); --- -2.35.1 - diff --git a/queue-4.9/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch b/queue-4.9/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch deleted file mode 100644 index 57c6d6302bd..00000000000 --- a/queue-4.9/rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch +++ /dev/null @@ -1,69 +0,0 @@ -From 174678a0382a04fcee57951e8c604e3c441f3b34 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 31 Jul 2022 02:36:21 -0400 -Subject: RDMA/rxe: Fix error unwind in rxe_create_qp() - -From: Zhu Yanjun - -[ Upstream commit fd5382c5805c4bcb50fd25b7246247d3f7114733 ] - -In the function rxe_create_qp(), rxe_qp_from_init() is called to -initialize qp, internally things like the spin locks are not setup until -rxe_qp_init_req(). - -If an error occures before this point then the unwind will call -rxe_cleanup() and eventually to rxe_qp_do_cleanup()/rxe_cleanup_task() -which will oops when trying to access the uninitialized spinlock. - -Move the spinlock initializations earlier before any failures. - -Fixes: 8700e3e7c485 ("Soft RoCE driver") -Link: https://lore.kernel.org/r/20220731063621.298405-1-yanjun.zhu@linux.dev -Reported-by: syzbot+833061116fa28df97f3b@syzkaller.appspotmail.com -Signed-off-by: Zhu Yanjun -Signed-off-by: Jason Gunthorpe -Signed-off-by: Sasha Levin ---- - drivers/infiniband/sw/rxe/rxe_qp.c | 12 ++++++++---- - 1 file changed, 8 insertions(+), 4 deletions(-) - -diff --git a/drivers/infiniband/sw/rxe/rxe_qp.c b/drivers/infiniband/sw/rxe/rxe_qp.c -index 5fa1442fd4f1..959c8a3b2e24 100644 ---- a/drivers/infiniband/sw/rxe/rxe_qp.c -+++ b/drivers/infiniband/sw/rxe/rxe_qp.c -@@ -220,6 +220,14 @@ static void rxe_qp_init_misc(struct rxe_dev *rxe, struct rxe_qp *qp, - spin_lock_init(&qp->grp_lock); - spin_lock_init(&qp->state_lock); - -+ spin_lock_init(&qp->req.task.state_lock); -+ spin_lock_init(&qp->resp.task.state_lock); -+ spin_lock_init(&qp->comp.task.state_lock); -+ -+ spin_lock_init(&qp->sq.sq_lock); -+ spin_lock_init(&qp->rq.producer_lock); -+ spin_lock_init(&qp->rq.consumer_lock); -+ - atomic_set(&qp->ssn, 0); - atomic_set(&qp->skb_out, 0); - } -@@ -267,7 +275,6 @@ static int rxe_qp_init_req(struct rxe_dev *rxe, struct rxe_qp *qp, - qp->req.opcode = -1; - qp->comp.opcode = -1; - -- spin_lock_init(&qp->sq.sq_lock); - skb_queue_head_init(&qp->req_pkts); - - rxe_init_task(rxe, &qp->req.task, qp, -@@ -321,9 +328,6 @@ static int rxe_qp_init_resp(struct rxe_dev *rxe, struct rxe_qp *qp, - } - } - -- spin_lock_init(&qp->rq.producer_lock); -- spin_lock_init(&qp->rq.consumer_lock); -- - skb_queue_head_init(&qp->resp_pkts); - - rxe_init_task(rxe, &qp->resp.task, qp, --- -2.35.1 - diff --git a/queue-4.9/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch b/queue-4.9/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch deleted file mode 100644 index e6435d02738..00000000000 --- a/queue-4.9/regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7d958fda14fa159fbd370db4363e6964a4d3e6c9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 19:10:27 +0800 -Subject: regulator: of: Fix refcount leak bug in - of_get_regulation_constraints() - -From: Liang He - -[ Upstream commit 66efb665cd5ad69b27dca8571bf89fc6b9c628a4 ] - -We should call the of_node_put() for the reference returned by -of_get_child_by_name() which has increased the refcount. - -Fixes: 40e20d68bb3f ("regulator: of: Add support for parsing regulator_state for suspend state") -Signed-off-by: Liang He -Link: https://lore.kernel.org/r/20220715111027.391032-1-windhl@126.com -Signed-off-by: Mark Brown -Signed-off-by: Sasha Levin ---- - drivers/regulator/of_regulator.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/regulator/of_regulator.c b/drivers/regulator/of_regulator.c -index 037675bb36b6..0c8ec4064e07 100644 ---- a/drivers/regulator/of_regulator.c -+++ b/drivers/regulator/of_regulator.c -@@ -134,8 +134,12 @@ static void of_get_regulation_constraints(struct device_node *np, - } - - suspend_np = of_get_child_by_name(np, regulator_states[i]); -- if (!suspend_np || !suspend_state) -+ if (!suspend_np) - continue; -+ if (!suspend_state) { -+ of_node_put(suspend_np); -+ continue; -+ } - - if (!of_property_read_u32(suspend_np, "regulator-mode", - &pval)) { --- -2.35.1 - diff --git a/queue-4.9/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch b/queue-4.9/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch deleted file mode 100644 index f5329659724..00000000000 --- a/queue-4.9/remoteproc-qcom-wcnss-fix-handling-of-irqs.patch +++ /dev/null @@ -1,60 +0,0 @@ -From bddc0904ff068d4688234531a071364321735a35 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 26 May 2022 19:47:39 +0530 -Subject: remoteproc: qcom: wcnss: Fix handling of IRQs - -From: Sireesh Kodali - -[ Upstream commit bed0adac1ded4cb486ba19a3a7e730fbd9a1c9c6 ] - -The wcnss_get_irq function is expected to return a value > 0 in the -event that an IRQ is succssfully obtained, but it instead returns 0. -This causes the stop and ready IRQs to never actually be used despite -being defined in the device-tree. This patch fixes that. - -Fixes: aed361adca9f ("remoteproc: qcom: Introduce WCNSS peripheral image loader") -Signed-off-by: Sireesh Kodali -Signed-off-by: Bjorn Andersson -Link: https://lore.kernel.org/r/20220526141740.15834-2-sireeshkodali1@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/remoteproc/qcom_wcnss.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/remoteproc/qcom_wcnss.c b/drivers/remoteproc/qcom_wcnss.c -index 9f76ad9e959d..f672bb963b9d 100644 ---- a/drivers/remoteproc/qcom_wcnss.c -+++ b/drivers/remoteproc/qcom_wcnss.c -@@ -439,6 +439,7 @@ static int wcnss_request_irq(struct qcom_wcnss *wcnss, - irq_handler_t thread_fn) - { - int ret; -+ int irq_number; - - ret = platform_get_irq_byname(pdev, name); - if (ret < 0 && optional) { -@@ -449,14 +450,19 @@ static int wcnss_request_irq(struct qcom_wcnss *wcnss, - return ret; - } - -+ irq_number = ret; -+ - ret = devm_request_threaded_irq(&pdev->dev, ret, - NULL, thread_fn, - IRQF_TRIGGER_RISING | IRQF_ONESHOT, - "wcnss", wcnss); -- if (ret) -+ if (ret) { - dev_err(&pdev->dev, "request %s IRQ failed\n", name); -+ return ret; -+ } - -- return ret; -+ /* Return the IRQ number if the IRQ was successfully acquired */ -+ return irq_number; - } - - static int wcnss_alloc_memory_region(struct qcom_wcnss *wcnss) --- -2.35.1 - diff --git a/queue-4.9/s390-zcore-fix-race-when-reading-from-hardware-syste.patch b/queue-4.9/s390-zcore-fix-race-when-reading-from-hardware-syste.patch deleted file mode 100644 index 422e3cee2ef..00000000000 --- a/queue-4.9/s390-zcore-fix-race-when-reading-from-hardware-syste.patch +++ /dev/null @@ -1,84 +0,0 @@ -From c1001193bd630819a9a0797fee069cda344971eb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 07:16:33 +0200 -Subject: s390/zcore: fix race when reading from hardware system area - -From: Alexander Gordeev - -[ Upstream commit 9ffed254d938c9e99eb7761c7f739294c84e0367 ] - -Memory buffer used for reading out data from hardware system -area is not protected against concurrent access. - -Reported-by: Matthew Wilcox -Fixes: 411ed3225733 ("[S390] zfcpdump support.") -Acked-by: Heiko Carstens -Tested-by: Alexander Egorenkov -Link: https://lore.kernel.org/r/e68137f0f9a0d2558f37becc20af18e2939934f6.1658206891.git.agordeev@linux.ibm.com -Signed-off-by: Alexander Gordeev -Signed-off-by: Sasha Levin ---- - drivers/s390/char/zcore.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/drivers/s390/char/zcore.c b/drivers/s390/char/zcore.c -index 16992e2a40ad..3757be56c75a 100644 ---- a/drivers/s390/char/zcore.c -+++ b/drivers/s390/char/zcore.c -@@ -54,6 +54,7 @@ static struct dentry *zcore_reipl_file; - static struct dentry *zcore_hsa_file; - static struct ipl_parameter_block *ipl_block; - -+static DEFINE_MUTEX(hsa_buf_mutex); - static char hsa_buf[PAGE_SIZE] __aligned(PAGE_SIZE); - - /* -@@ -70,19 +71,24 @@ int memcpy_hsa_user(void __user *dest, unsigned long src, size_t count) - if (!hsa_available) - return -ENODATA; - -+ mutex_lock(&hsa_buf_mutex); - while (count) { - if (sclp_sdias_copy(hsa_buf, src / PAGE_SIZE + 2, 1)) { - TRACE("sclp_sdias_copy() failed\n"); -+ mutex_unlock(&hsa_buf_mutex); - return -EIO; - } - offset = src % PAGE_SIZE; - bytes = min(PAGE_SIZE - offset, count); -- if (copy_to_user(dest, hsa_buf + offset, bytes)) -+ if (copy_to_user(dest, hsa_buf + offset, bytes)) { -+ mutex_unlock(&hsa_buf_mutex); - return -EFAULT; -+ } - src += bytes; - dest += bytes; - count -= bytes; - } -+ mutex_unlock(&hsa_buf_mutex); - return 0; - } - -@@ -100,9 +106,11 @@ int memcpy_hsa_kernel(void *dest, unsigned long src, size_t count) - if (!hsa_available) - return -ENODATA; - -+ mutex_lock(&hsa_buf_mutex); - while (count) { - if (sclp_sdias_copy(hsa_buf, src / PAGE_SIZE + 2, 1)) { - TRACE("sclp_sdias_copy() failed\n"); -+ mutex_unlock(&hsa_buf_mutex); - return -EIO; - } - offset = src % PAGE_SIZE; -@@ -112,6 +120,7 @@ int memcpy_hsa_kernel(void *dest, unsigned long src, size_t count) - dest += bytes; - count -= bytes; - } -+ mutex_unlock(&hsa_buf_mutex); - return 0; - } - --- -2.35.1 - diff --git a/queue-4.9/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch b/queue-4.9/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch deleted file mode 100644 index da028d306d8..00000000000 --- a/queue-4.9/scsi-smartpqi-fix-dma-direction-for-raid-requests.patch +++ /dev/null @@ -1,68 +0,0 @@ -From 9fc76fc75d9e94f5344ead0edd0a9d36f5004623 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 8 Jul 2022 13:47:36 -0500 -Subject: scsi: smartpqi: Fix DMA direction for RAID requests - -From: Mahesh Rajashekhara - -[ Upstream commit 69695aeaa6621bc49cdd7a8e5a8d1042461e496e ] - -Correct a SOP READ and WRITE DMA flags for some requests. - -This update corrects DMA direction issues with SCSI commands removed from -the controller's internal lookup table. - -Currently, SCSI READ BLOCK LIMITS (0x5) was removed from the controller -lookup table and exposed a DMA direction flag issue. - -SCSI READ BLOCK LIMITS was recently removed from our controller lookup -table so the controller uses the respective IU flag field to set the DMA -data direction. Since the DMA direction is incorrect the FW never completes -the request causing a hang. - -Some SCSI commands which use SCSI READ BLOCK LIMITS - - * sg_map - * mt -f /dev/stX status - -After updating controller firmware, users may notice their tape units -failing. This patch resolves the issue. - -Also, the AIO path DMA direction is correct. - -The DMA direction flag is a day-one bug with no reported BZ. - -Fixes: 6c223761eb54 ("smartpqi: initial commit of Microsemi smartpqi driver") -Link: https://lore.kernel.org/r/165730605618.177165.9054223644512926624.stgit@brunhilda -Reviewed-by: Scott Benesh -Reviewed-by: Scott Teel -Reviewed-by: Mike McGowen -Reviewed-by: Kevin Barnett -Signed-off-by: Mahesh Rajashekhara -Signed-off-by: Don Brace -Signed-off-by: Martin K. Petersen -Signed-off-by: Sasha Levin ---- - drivers/scsi/smartpqi/smartpqi_init.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c -index b12f7f952b70..b482de43dbad 100644 ---- a/drivers/scsi/smartpqi/smartpqi_init.c -+++ b/drivers/scsi/smartpqi/smartpqi_init.c -@@ -4396,10 +4396,10 @@ static int pqi_raid_submit_scsi_cmd(struct pqi_ctrl_info *ctrl_info, - } - - switch (scmd->sc_data_direction) { -- case DMA_TO_DEVICE: -+ case DMA_FROM_DEVICE: - request->data_direction = SOP_READ_FLAG; - break; -- case DMA_FROM_DEVICE: -+ case DMA_TO_DEVICE: - request->data_direction = SOP_WRITE_FLAG; - break; - case DMA_NONE: --- -2.35.1 - diff --git a/queue-4.9/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch b/queue-4.9/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch deleted file mode 100644 index e5f92c98e71..00000000000 --- a/queue-4.9/scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 0704d779141d89b6ea479c8c0cdacf258b3c057c Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 19 Jul 2022 15:15:29 +0800 -Subject: scsi: ufs: host: Hold reference returned by of_parse_phandle() - -From: Liang He - -commit a3435afba87dc6cd83f5595e7607f3c40f93ef01 upstream. - -In ufshcd_populate_vreg(), we should hold the reference returned by -of_parse_phandle() and then use it to call of_node_put() for refcount -balance. - -Link: https://lore.kernel.org/r/20220719071529.1081166-1-windhl@126.com -Fixes: aa4976130934 ("ufs: Add regulator enable support") -Reviewed-by: Bart Van Assche -Signed-off-by: Liang He -Signed-off-by: Martin K. Petersen -Signed-off-by: Greg Kroah-Hartman ---- - drivers/scsi/ufs/ufshcd-pltfrm.c | 15 +++++++++++++-- - 1 file changed, 13 insertions(+), 2 deletions(-) - -diff --git a/drivers/scsi/ufs/ufshcd-pltfrm.c b/drivers/scsi/ufs/ufshcd-pltfrm.c -index e9b0cc4cbb4d..d4ab22b42d69 100644 ---- a/drivers/scsi/ufs/ufshcd-pltfrm.c -+++ b/drivers/scsi/ufs/ufshcd-pltfrm.c -@@ -126,9 +126,20 @@ static int ufshcd_parse_clock_info(struct ufs_hba *hba) - return ret; - } - -+static bool phandle_exists(const struct device_node *np, -+ const char *phandle_name, int index) -+{ -+ struct device_node *parse_np = of_parse_phandle(np, phandle_name, index); -+ -+ if (parse_np) -+ of_node_put(parse_np); -+ -+ return parse_np != NULL; -+} -+ - #define MAX_PROP_SIZE 32 - static int ufshcd_populate_vreg(struct device *dev, const char *name, -- struct ufs_vreg **out_vreg) -+ struct ufs_vreg **out_vreg) - { - int ret = 0; - char prop_name[MAX_PROP_SIZE]; -@@ -141,7 +152,7 @@ static int ufshcd_populate_vreg(struct device *dev, const char *name, - } - - snprintf(prop_name, MAX_PROP_SIZE, "%s-supply", name); -- if (!of_parse_phandle(np, prop_name, 0)) { -+ if (!phandle_exists(np, prop_name, 0)) { - dev_info(dev, "%s: Unable to find %s regulator, assuming enabled\n", - __func__, prop_name); - goto out; --- -2.35.1 - diff --git a/queue-4.9/selftests-timers-clocksource-switch-fix-passing-erro.patch b/queue-4.9/selftests-timers-clocksource-switch-fix-passing-erro.patch deleted file mode 100644 index ee747e427fc..00000000000 --- a/queue-4.9/selftests-timers-clocksource-switch-fix-passing-erro.patch +++ /dev/null @@ -1,43 +0,0 @@ -From de55e21649e92a9b4b4635bd8bdfd0260fe52c20 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Jul 2022 22:46:17 +0200 -Subject: selftests: timers: clocksource-switch: fix passing errors from child - -From: Wolfram Sang - -[ Upstream commit 4d8f52ac5fa9eede7b7aa2f2d67c841d9eeb655f ] - -The return value from system() is a waitpid-style integer. Do not return -it directly because with the implicit masking in exit() it will always -return 0. Access it with appropriate macros to really pass on errors. - -Fixes: 7290ce1423c3 ("selftests/timers: Add clocksource-switch test from timetest suite") -Signed-off-by: Wolfram Sang -Acked-by: John Stultz -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/timers/clocksource-switch.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/tools/testing/selftests/timers/clocksource-switch.c b/tools/testing/selftests/timers/clocksource-switch.c -index fd88e3025bed..9c00db829b9c 100644 ---- a/tools/testing/selftests/timers/clocksource-switch.c -+++ b/tools/testing/selftests/timers/clocksource-switch.c -@@ -121,10 +121,10 @@ int run_tests(int secs) - - sprintf(buf, "./inconsistency-check -t %i", secs); - ret = system(buf); -- if (ret) -- return ret; -+ if (WIFEXITED(ret) && WEXITSTATUS(ret)) -+ return WEXITSTATUS(ret); - ret = system("./nanosleep"); -- return ret; -+ return WIFEXITED(ret) ? WEXITSTATUS(ret) : 0; - } - - --- -2.35.1 - diff --git a/queue-4.9/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch b/queue-4.9/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch deleted file mode 100644 index 9029de0ede1..00000000000 --- a/queue-4.9/selftests-timers-valid-adjtimex-build-fix-for-newer-.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 8fa73b514a7e3e9d27b4e6f0386be3fc176ced2a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 13 Jul 2022 22:46:13 +0200 -Subject: selftests: timers: valid-adjtimex: build fix for newer toolchains -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Wolfram Sang - -[ Upstream commit 9a162977d20436be5678a8e21a8e58eb4616d86a ] - -Toolchains with an include file 'sys/timex.h' based on 3.18 will have a -'clock_adjtime' definition added, so it can't be static in the code: - -valid-adjtimex.c:43:12: error: static declaration of ‘clock_adjtime’ follows non-static declaration - -Fixes: e03a58c320e1 ("kselftests: timers: Add adjtimex SETOFFSET validity tests") -Signed-off-by: Wolfram Sang -Acked-by: John Stultz -Signed-off-by: Shuah Khan -Signed-off-by: Sasha Levin ---- - tools/testing/selftests/timers/valid-adjtimex.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/tools/testing/selftests/timers/valid-adjtimex.c b/tools/testing/selftests/timers/valid-adjtimex.c -index a747645d79f4..a3f6ef834c6f 100644 ---- a/tools/testing/selftests/timers/valid-adjtimex.c -+++ b/tools/testing/selftests/timers/valid-adjtimex.c -@@ -51,7 +51,7 @@ static inline int ksft_exit_fail(void) - #define ADJ_SETOFFSET 0x0100 - - #include --static int clock_adjtime(clockid_t id, struct timex *tx) -+int clock_adjtime(clockid_t id, struct timex *tx) - { - return syscall(__NR_clock_adjtime, id, tx); - } --- -2.35.1 - diff --git a/queue-4.9/selinux-add-boundary-check-in-put_entry.patch b/queue-4.9/selinux-add-boundary-check-in-put_entry.patch deleted file mode 100644 index 454313326b0..00000000000 --- a/queue-4.9/selinux-add-boundary-check-in-put_entry.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 6a83bd538d3ce471ebf759ce9c487b216486feea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 14 Jun 2022 10:14:49 +0800 -Subject: selinux: Add boundary check in put_entry() - -From: Xiu Jianfeng - -[ Upstream commit 15ec76fb29be31df2bccb30fc09875274cba2776 ] - -Just like next_entry(), boundary check is necessary to prevent memory -out-of-bound access. - -Signed-off-by: Xiu Jianfeng -Signed-off-by: Paul Moore -Signed-off-by: Sasha Levin ---- - security/selinux/ss/policydb.h | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/security/selinux/ss/policydb.h b/security/selinux/ss/policydb.h -index 725d5945a97e..178d8804ecb1 100644 ---- a/security/selinux/ss/policydb.h -+++ b/security/selinux/ss/policydb.h -@@ -349,6 +349,8 @@ static inline int put_entry(const void *buf, size_t bytes, int num, struct polic - { - size_t len = bytes * num; - -+ if (len > fp->len) -+ return -EINVAL; - memcpy(fp->data, buf, len); - fp->data += len; - fp->len -= len; --- -2.35.1 - diff --git a/queue-4.9/selinux-clean-up-initialization-of-isec-sclass.patch-26295 b/queue-4.9/selinux-clean-up-initialization-of-isec-sclass.patch-26295 deleted file mode 100644 index a4aa9b282f2..00000000000 --- a/queue-4.9/selinux-clean-up-initialization-of-isec-sclass.patch-26295 +++ /dev/null @@ -1,74 +0,0 @@ -From 240b4571b84b1a241e38d37784b77202f9babe66 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 10 Nov 2016 22:18:29 +0100 -Subject: selinux: Clean up initialization of isec->sclass - -From: Andreas Gruenbacher - -commit 13457d073c29da92001f6ee809075eaa8757fb96 upstream. - -Now that isec->initialized == LABEL_INITIALIZED implies that -isec->sclass is valid, skip such inodes immediately in -inode_doinit_with_dentry. - -For the remaining inodes, initialize isec->sclass at the beginning of -inode_doinit_with_dentry to simplify the code. - -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - security/selinux/hooks.c | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 1997d87b35d5..d21b95a848b8 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1395,12 +1395,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - int rc = 0; - - if (isec->initialized == LABEL_INITIALIZED) -- goto out; -+ return 0; - - mutex_lock(&isec->lock); - if (isec->initialized == LABEL_INITIALIZED) - goto out_unlock; - -+ if (isec->sclass == SECCLASS_FILE) -+ isec->sclass = inode_mode_to_security_class(inode->i_mode); -+ - sbsec = inode->i_sb->s_security; - if (!(sbsec->flags & SE_SBINITIALIZED)) { - /* Defer initialization until selinux_complete_init, -@@ -1518,7 +1521,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - isec->sid = sbsec->sid; - - /* Try to obtain a transition SID. */ -- isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = security_transition_sid(isec->task_sid, sbsec->sid, - isec->sclass, NULL, &sid); - if (rc) -@@ -1554,7 +1556,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - */ - if (!dentry) - goto out_unlock; -- isec->sclass = inode_mode_to_security_class(inode->i_mode); - rc = selinux_genfs_get_sid(dentry, isec->sclass, - sbsec->flags, &sid); - dput(dentry); -@@ -1569,9 +1570,6 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - - out_unlock: - mutex_unlock(&isec->lock); --out: -- if (isec->sclass == SECCLASS_FILE) -- isec->sclass = inode_mode_to_security_class(inode->i_mode); - return rc; - } - --- -2.35.1 - diff --git a/queue-4.9/selinux-convert-isec-lock-into-a-spinlock.patch-30199 b/queue-4.9/selinux-convert-isec-lock-into-a-spinlock.patch-30199 deleted file mode 100644 index f9bddac7d09..00000000000 --- a/queue-4.9/selinux-convert-isec-lock-into-a-spinlock.patch-30199 +++ /dev/null @@ -1,338 +0,0 @@ -From d6f7e857ee16728dc15278a9b8cd27804f42c9bc Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 15 Nov 2016 11:06:40 +0100 -Subject: selinux: Convert isec->lock into a spinlock - -From: Andreas Gruenbacher - -commit 9287aed2ad1ff1bde5eb190bcd6dccd5f1cf47d3 upstream. - -Convert isec->lock from a mutex into a spinlock. Instead of holding -the lock while sleeping in inode_doinit_with_dentry, set -isec->initialized to LABEL_PENDING and release the lock. Then, when -the sid has been determined, re-acquire the lock. If isec->initialized -is still set to LABEL_PENDING, set isec->sid; otherwise, the sid has -been set by another task (LABEL_INITIALIZED) or invalidated -(LABEL_INVALID) in the meantime. - -This fixes a deadlock on gfs2 where - - * one task is in inode_doinit_with_dentry -> gfs2_getxattr, holds - isec->lock, and tries to acquire the inode's glock, and - - * another task is in do_xmote -> inode_go_inval -> - selinux_inode_invalidate_secctx, holds the inode's glock, and - tries to acquire isec->lock. - -Signed-off-by: Andreas Gruenbacher -[PM: minor tweaks to keep checkpatch.pl happy] -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - security/selinux/hooks.c | 101 +++++++++++++++++++----------- - security/selinux/include/objsec.h | 5 +- - 2 files changed, 66 insertions(+), 40 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d21b95a848b8..d252890debf7 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -231,7 +231,7 @@ static int inode_alloc_security(struct inode *inode) - if (!isec) - return -ENOMEM; - -- mutex_init(&isec->lock); -+ spin_lock_init(&isec->lock); - INIT_LIST_HEAD(&isec->list); - isec->inode = inode; - isec->sid = SECINITSID_UNLABELED; -@@ -1387,7 +1387,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - { - struct superblock_security_struct *sbsec = NULL; - struct inode_security_struct *isec = inode->i_security; -- u32 sid; -+ u32 task_sid, sid = 0; -+ u16 sclass; - struct dentry *dentry; - #define INITCONTEXTLEN 255 - char *context = NULL; -@@ -1397,7 +1398,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - if (isec->initialized == LABEL_INITIALIZED) - return 0; - -- mutex_lock(&isec->lock); -+ spin_lock(&isec->lock); - if (isec->initialized == LABEL_INITIALIZED) - goto out_unlock; - -@@ -1416,12 +1417,18 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - goto out_unlock; - } - -+ sclass = isec->sclass; -+ task_sid = isec->task_sid; -+ sid = isec->sid; -+ isec->initialized = LABEL_PENDING; -+ spin_unlock(&isec->lock); -+ - switch (sbsec->behavior) { - case SECURITY_FS_USE_NATIVE: - break; - case SECURITY_FS_USE_XATTR: - if (!(inode->i_opflags & IOP_XATTR)) { -- isec->sid = sbsec->def_sid; -+ sid = sbsec->def_sid; - break; - } - /* Need a dentry, since the xattr API requires one. -@@ -1443,7 +1450,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * inode_doinit with a dentry, before these inodes could - * be used again by userspace. - */ -- goto out_unlock; -+ goto out; - } - - len = INITCONTEXTLEN; -@@ -1451,7 +1458,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - if (!context) { - rc = -ENOMEM; - dput(dentry); -- goto out_unlock; -+ goto out; - } - context[len] = '\0'; - rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); -@@ -1462,14 +1469,14 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, NULL, 0); - if (rc < 0) { - dput(dentry); -- goto out_unlock; -+ goto out; - } - len = rc; - context = kmalloc(len+1, GFP_NOFS); - if (!context) { - rc = -ENOMEM; - dput(dentry); -- goto out_unlock; -+ goto out; - } - context[len] = '\0'; - rc = __vfs_getxattr(dentry, inode, XATTR_NAME_SELINUX, context, len); -@@ -1481,7 +1488,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - "%d for dev=%s ino=%ld\n", __func__, - -rc, inode->i_sb->s_id, inode->i_ino); - kfree(context); -- goto out_unlock; -+ goto out; - } - /* Map ENODATA to the default file SID */ - sid = sbsec->def_sid; -@@ -1511,28 +1518,25 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - } - } - kfree(context); -- isec->sid = sid; - break; - case SECURITY_FS_USE_TASK: -- isec->sid = isec->task_sid; -+ sid = task_sid; - break; - case SECURITY_FS_USE_TRANS: - /* Default to the fs SID. */ -- isec->sid = sbsec->sid; -+ sid = sbsec->sid; - - /* Try to obtain a transition SID. */ -- rc = security_transition_sid(isec->task_sid, sbsec->sid, -- isec->sclass, NULL, &sid); -+ rc = security_transition_sid(task_sid, sid, sclass, NULL, &sid); - if (rc) -- goto out_unlock; -- isec->sid = sid; -+ goto out; - break; - case SECURITY_FS_USE_MNTPOINT: -- isec->sid = sbsec->mntpoint_sid; -+ sid = sbsec->mntpoint_sid; - break; - default: - /* Default to the fs superblock SID. */ -- isec->sid = sbsec->sid; -+ sid = sbsec->sid; - - if ((sbsec->flags & SE_SBGENFS) && !S_ISLNK(inode->i_mode)) { - /* We must have a dentry to determine the label on -@@ -1555,21 +1559,30 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * could be used again by userspace. - */ - if (!dentry) -- goto out_unlock; -- rc = selinux_genfs_get_sid(dentry, isec->sclass, -+ goto out; -+ rc = selinux_genfs_get_sid(dentry, sclass, - sbsec->flags, &sid); - dput(dentry); - if (rc) -- goto out_unlock; -- isec->sid = sid; -+ goto out; - } - break; - } - -- isec->initialized = LABEL_INITIALIZED; -+out: -+ spin_lock(&isec->lock); -+ if (isec->initialized == LABEL_PENDING) { -+ if (!sid || rc) { -+ isec->initialized = LABEL_INVALID; -+ goto out_unlock; -+ } -+ -+ isec->initialized = LABEL_INITIALIZED; -+ isec->sid = sid; -+ } - - out_unlock: -- mutex_unlock(&isec->lock); -+ spin_unlock(&isec->lock); - return rc; - } - -@@ -3199,9 +3212,11 @@ static void selinux_inode_post_setxattr(struct dentry *dentry, const char *name, - } - - isec = backing_inode_security(dentry); -+ spin_lock(&isec->lock); - isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = newsid; - isec->initialized = LABEL_INITIALIZED; -+ spin_unlock(&isec->lock); - - return; - } -@@ -3298,9 +3313,11 @@ static int selinux_inode_setsecurity(struct inode *inode, const char *name, - if (rc) - return rc; - -+ spin_lock(&isec->lock); - isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = newsid; - isec->initialized = LABEL_INITIALIZED; -+ spin_unlock(&isec->lock); - return 0; - } - -@@ -3956,9 +3973,11 @@ static void selinux_task_to_inode(struct task_struct *p, - struct inode_security_struct *isec = inode->i_security; - u32 sid = task_sid(p); - -+ spin_lock(&isec->lock); - isec->sclass = inode_mode_to_security_class(inode->i_mode); - isec->sid = sid; - isec->initialized = LABEL_INITIALIZED; -+ spin_unlock(&isec->lock); - } - - /* Returns error only if unable to parse addresses */ -@@ -4277,24 +4296,24 @@ static int selinux_socket_post_create(struct socket *sock, int family, - const struct task_security_struct *tsec = current_security(); - struct inode_security_struct *isec = inode_security_novalidate(SOCK_INODE(sock)); - struct sk_security_struct *sksec; -+ u16 sclass = socket_type_to_security_class(family, type, protocol); -+ u32 sid = SECINITSID_KERNEL; - int err = 0; - -- isec->sclass = socket_type_to_security_class(family, type, protocol); -- -- if (kern) -- isec->sid = SECINITSID_KERNEL; -- else { -- err = socket_sockcreate_sid(tsec, isec->sclass, &(isec->sid)); -+ if (!kern) { -+ err = socket_sockcreate_sid(tsec, sclass, &sid); - if (err) - return err; - } - -+ isec->sclass = sclass; -+ isec->sid = sid; - isec->initialized = LABEL_INITIALIZED; - - if (sock->sk) { - sksec = sock->sk->sk_security; -- sksec->sid = isec->sid; -- sksec->sclass = isec->sclass; -+ sksec->sclass = sclass; -+ sksec->sid = sid; - err = selinux_netlbl_socket_post_create(sock->sk, family); - } - -@@ -4478,16 +4497,22 @@ static int selinux_socket_accept(struct socket *sock, struct socket *newsock) - int err; - struct inode_security_struct *isec; - struct inode_security_struct *newisec; -+ u16 sclass; -+ u32 sid; - - err = sock_has_perm(current, sock->sk, SOCKET__ACCEPT); - if (err) - return err; - -- newisec = inode_security_novalidate(SOCK_INODE(newsock)); -- - isec = inode_security_novalidate(SOCK_INODE(sock)); -- newisec->sclass = isec->sclass; -- newisec->sid = isec->sid; -+ spin_lock(&isec->lock); -+ sclass = isec->sclass; -+ sid = isec->sid; -+ spin_unlock(&isec->lock); -+ -+ newisec = inode_security_novalidate(SOCK_INODE(newsock)); -+ newisec->sclass = sclass; -+ newisec->sid = sid; - newisec->initialized = LABEL_INITIALIZED; - - return 0; -@@ -6010,9 +6035,9 @@ static void selinux_inode_invalidate_secctx(struct inode *inode) - { - struct inode_security_struct *isec = inode->i_security; - -- mutex_lock(&isec->lock); -+ spin_lock(&isec->lock); - isec->initialized = LABEL_INVALID; -- mutex_unlock(&isec->lock); -+ spin_unlock(&isec->lock); - } - - /* -diff --git a/security/selinux/include/objsec.h b/security/selinux/include/objsec.h -index c21e135460a5..e8dab0f02c72 100644 ---- a/security/selinux/include/objsec.h -+++ b/security/selinux/include/objsec.h -@@ -39,7 +39,8 @@ struct task_security_struct { - - enum label_initialized { - LABEL_INVALID, /* invalid or not initialized */ -- LABEL_INITIALIZED /* initialized */ -+ LABEL_INITIALIZED, /* initialized */ -+ LABEL_PENDING - }; - - struct inode_security_struct { -@@ -52,7 +53,7 @@ struct inode_security_struct { - u32 sid; /* SID of this object */ - u16 sclass; /* security class of this object */ - unsigned char initialized; /* initialization flag */ -- struct mutex lock; -+ spinlock_t lock; - }; - - struct file_security_struct { --- -2.35.1 - diff --git a/queue-4.9/selinux-fix-error-initialization-in-inode_doinit_wit.patch b/queue-4.9/selinux-fix-error-initialization-in-inode_doinit_wit.patch deleted file mode 100644 index 5302874154f..00000000000 --- a/queue-4.9/selinux-fix-error-initialization-in-inode_doinit_wit.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 88d598f3135ab41031904ddaad5cc20292925b84 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 9 Oct 2020 09:36:30 +0800 -Subject: selinux: fix error initialization in inode_doinit_with_dentry() - -From: Tianyue Ren - -commit 83370b31a915493231e5b9addc72e4bef69f8d31 upstream. - -Mark the inode security label as invalid if we cannot find -a dentry so that we will retry later rather than marking it -initialized with the unlabeled SID. - -Fixes: 9287aed2ad1f ("selinux: Convert isec->lock into a spinlock") -Signed-off-by: Tianyue Ren -[PM: minor comment tweaks] -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - security/selinux/hooks.c | 19 ++++++++++++++++--- - 1 file changed, 16 insertions(+), 3 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index d252890debf7..b9c7e089906c 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1450,7 +1450,13 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * inode_doinit with a dentry, before these inodes could - * be used again by userspace. - */ -- goto out; -+ isec->initialized = LABEL_INVALID; -+ /* -+ * There is nothing useful to jump to the "out" -+ * label, except a needless spin lock/unlock -+ * cycle. -+ */ -+ return 0; - } - - len = INITCONTEXTLEN; -@@ -1558,8 +1564,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * inode_doinit() with a dentry, before these inodes - * could be used again by userspace. - */ -- if (!dentry) -- goto out; -+ if (!dentry) { -+ isec->initialized = LABEL_INVALID; -+ /* -+ * There is nothing useful to jump to the "out" -+ * label, except a needless spin lock/unlock -+ * cycle. -+ */ -+ return 0; -+ } - rc = selinux_genfs_get_sid(dentry, sclass, - sbsec->flags, &sid); - dput(dentry); --- -2.35.1 - diff --git a/queue-4.9/selinux-fix-inode_doinit_with_dentry-label_invalid-e.patch b/queue-4.9/selinux-fix-inode_doinit_with_dentry-label_invalid-e.patch deleted file mode 100644 index fe22fd0b2d8..00000000000 --- a/queue-4.9/selinux-fix-inode_doinit_with_dentry-label_invalid-e.patch +++ /dev/null @@ -1,102 +0,0 @@ -From 90e3a1cb90dc445726d2422ea450d216f9fbc87f Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 3 Nov 2020 11:49:38 -0500 -Subject: selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling - -From: Paul Moore - -commit 200ea5a2292dc444a818b096ae6a32ba3caa51b9 upstream. - -A previous fix, commit 83370b31a915 ("selinux: fix error initialization -in inode_doinit_with_dentry()"), changed how failures were handled -before a SELinux policy was loaded. Unfortunately that patch was -potentially problematic for two reasons: it set the isec->initialized -state without holding a lock, and it didn't set the inode's SELinux -label to the "default" for the particular filesystem. The later can -be a problem if/when a later attempt to revalidate the inode fails -and SELinux reverts to the existing inode label. - -This patch should restore the default inode labeling that existed -before the original fix, without affecting the LABEL_INVALID marking -such that revalidation will still be attempted in the future. - -Fixes: 83370b31a915 ("selinux: fix error initialization in inode_doinit_with_dentry()") -Reported-by: Sven Schnelle -Tested-by: Sven Schnelle -Reviewed-by: Ondrej Mosnacek -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - security/selinux/hooks.c | 31 +++++++++++++------------------ - 1 file changed, 13 insertions(+), 18 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index b9c7e089906c..ac2381eec27f 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1450,13 +1450,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * inode_doinit with a dentry, before these inodes could - * be used again by userspace. - */ -- isec->initialized = LABEL_INVALID; -- /* -- * There is nothing useful to jump to the "out" -- * label, except a needless spin lock/unlock -- * cycle. -- */ -- return 0; -+ goto out_invalid; - } - - len = INITCONTEXTLEN; -@@ -1564,15 +1558,8 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - * inode_doinit() with a dentry, before these inodes - * could be used again by userspace. - */ -- if (!dentry) { -- isec->initialized = LABEL_INVALID; -- /* -- * There is nothing useful to jump to the "out" -- * label, except a needless spin lock/unlock -- * cycle. -- */ -- return 0; -- } -+ if (!dentry) -+ goto out_invalid; - rc = selinux_genfs_get_sid(dentry, sclass, - sbsec->flags, &sid); - dput(dentry); -@@ -1585,11 +1572,10 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - out: - spin_lock(&isec->lock); - if (isec->initialized == LABEL_PENDING) { -- if (!sid || rc) { -+ if (rc) { - isec->initialized = LABEL_INVALID; - goto out_unlock; - } -- - isec->initialized = LABEL_INITIALIZED; - isec->sid = sid; - } -@@ -1597,6 +1583,15 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - out_unlock: - spin_unlock(&isec->lock); - return rc; -+ -+out_invalid: -+ spin_lock(&isec->lock); -+ if (isec->initialized == LABEL_PENDING) { -+ isec->initialized = LABEL_INVALID; -+ isec->sid = sid; -+ } -+ spin_unlock(&isec->lock); -+ return 0; - } - - /* Convert a Linux signal to an access vector. */ --- -2.35.1 - diff --git a/queue-4.9/selinux-minor-cleanups.patch-30930 b/queue-4.9/selinux-minor-cleanups.patch-30930 deleted file mode 100644 index 68aefc645f4..00000000000 --- a/queue-4.9/selinux-minor-cleanups.patch-30930 +++ /dev/null @@ -1,69 +0,0 @@ -From 57875eda8b84fcc466fad418ae0e42ad38ecdfd7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 10 Nov 2016 22:18:27 +0100 -Subject: selinux: Minor cleanups - -From: Andreas Gruenbacher - -commit 420591128cb206201dc444c2d42fb6f299b2ecd0 upstream. - -Fix the comment for function __inode_security_revalidate, which returns -an integer. - -Use the LABEL_* constants consistently for isec->initialized. - -Signed-off-by: Andreas Gruenbacher -Signed-off-by: Paul Moore -Signed-off-by: Alexander Grund -Signed-off-by: Greg Kroah-Hartman ---- - security/selinux/hooks.c | 3 ++- - security/selinux/selinuxfs.c | 4 ++-- - 2 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index eb503eccbacc..43f81db42169 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -237,6 +237,7 @@ static int inode_alloc_security(struct inode *inode) - isec->sid = SECINITSID_UNLABELED; - isec->sclass = SECCLASS_FILE; - isec->task_sid = sid; -+ isec->initialized = LABEL_INVALID; - inode->i_security = isec; - - return 0; -@@ -247,7 +248,7 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent - /* - * Try reloading inode security labels that have been marked as invalid. The - * @may_sleep parameter indicates when sleeping and thus reloading labels is -- * allowed; when set to false, returns ERR_PTR(-ECHILD) when the label is -+ * allowed; when set to false, returns -ECHILD when the label is - * invalid. The @opt_dentry parameter should be set to a dentry of the inode; - * when no dentry is available, set it to NULL instead. - */ -diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c -index ef1226c1c3ad..a033306d14ee 100644 ---- a/security/selinux/selinuxfs.c -+++ b/security/selinux/selinuxfs.c -@@ -1301,7 +1301,7 @@ static int sel_make_bools(void) - goto out; - - isec->sid = sid; -- isec->initialized = 1; -+ isec->initialized = LABEL_INITIALIZED; - inode->i_fop = &sel_bool_ops; - inode->i_ino = i|SEL_BOOL_INO_OFFSET; - d_add(dentry, inode); -@@ -1835,7 +1835,7 @@ static int sel_fill_super(struct super_block *sb, void *data, int silent) - isec = (struct inode_security_struct *)inode->i_security; - isec->sid = SECINITSID_DEVNULL; - isec->sclass = SECCLASS_CHR_FILE; -- isec->initialized = 1; -+ isec->initialized = LABEL_INITIALIZED; - - init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); - d_add(dentry, inode); --- -2.35.1 - diff --git a/queue-4.9/series b/queue-4.9/series index a71a287514a..acd6212d29d 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -45,119 +45,3 @@ mips-cpuinfo-fix-a-warning-for-config_cpumask_offstack.patch usb-hcd-fix-urb-giveback-issue-in-tasklet-function.patch usb-gadget-fix-use-after-free-read-in-usb_udc_uevent.patch netfilter-nf_tables-fix-null-deref-due-to-zeroed-list-head.patch -bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_c.patch -ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch-16365 -scsi-ufs-host-hold-reference-returned-by-of_parse_ph.patch -net-ping6-fix-memleak-in-ipv6_renew_options.patch-3986 -net-sungem_phy-add-of_node_put-for-reference-returne.patch-29127 -netfilter-nf_queue-do-not-allow-packet-truncation-be.patch-29959 -arm-crypto-comment-out-gcc-warning-that-breaks-clang.patch -mt7601u-add-usb-device-id-for-some-versions-of-xiaod.patch -ion-make-user_ion_handle_put_nolock-a-void-function.patch-382 -selinux-minor-cleanups.patch-30930 -proc-pass-file-mode-to-proc_pid_make_inode.patch-13217 -selinux-clean-up-initialization-of-isec-sclass.patch-26295 -selinux-convert-isec-lock-into-a-spinlock.patch-30199 -selinux-fix-error-initialization-in-inode_doinit_wit.patch -selinux-fix-inode_doinit_with_dentry-label_invalid-e.patch -include-uapi-linux-swab.h-fix-userspace-breakage-use.patch -init-main-fix-double-the-in-comment.patch-30143 -init-main-properly-align-the-multi-line-comment.patch-21796 -init-move-stack-canary-initialization-after-setup_ar.patch -init-main.c-extract-early-boot-entropy-from-the-pass.patch -acpi-video-force-backlight-native-for-some-tongfang-.patch -acpi-video-shortening-quirk-list-by-identifying-clev.patch -random-only-call-boot_init_stack_canary-once.patch-957 -macintosh-adb-fix-oob-read-in-do_adb_query-function.patch-16127 -makefile-link-with-z-noexecstack-no-warn-rwx-segment.patch -x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rw.patch -alsa-bcd2000-fix-a-uaf-bug-on-the-error-path-of-prob.patch -add-barriers-to-buffer_uptodate-and-set_buffer_uptod.patch -kvm-svm-don-t-bug-if-userspace-injects-an-interrupt-.patch -kvm-x86-mark-tss-busy-during-ltr-emulation-_after_-a.patch -arm64-fix-oops-in-concurrently-setting-insn_emulatio.patch -ext2-add-more-validity-checks-for-inode-counts.patch -arm-dts-imx6ul-add-missing-properties-for-sram.patch -arm-dts-imx6ul-fix-qspi-node-compatible.patch -acpi-lpss-fix-missing-check-in-register_device_clock.patch -hwmon-sht15-fix-wrong-assumptions-in-device-remove-c.patch -pm-hibernate-defer-device-probing-when-resuming-from.patch -selinux-add-boundary-check-in-put_entry.patch -arm-findbit-fix-overflowing-offset.patch -arm-bcm-fix-refcount-leak-in-bcm_kona_smc_init.patch -x86-pmem-fix-platform-device-leak-in-error-path.patch -arm-dts-ast2500-evb-fix-board-compatible.patch -cpufreq-zynq-fix-refcount-leak-in-zynq_get_revision.patch -arm-dts-qcom-pm8841-add-required-thermal-sensor-cell.patch -regulator-of-fix-refcount-leak-bug-in-of_get_regulat.patch -thermal-tools-tmon-include-pthread-and-time-headers-.patch -dm-return-early-from-dm_pr_call-if-dm-device-is-susp.patch -drm-radeon-fix-potential-buffer-overflow-in-ni_set_m.patch -ath9k-fix-use-after-free-in-ath9k_hif_usb_rx_cb.patch -wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch -drm-bridge-adv7511-add-check-for-mipi_dsi_driver_reg.patch -media-hdpvr-fix-error-value-returns-in-hdpvr_read.patch -drm-rockchip-vop-don-t-crash-for-invalid-duplicate_s.patch -drm-mediatek-dpi-remove-output-format-of-yuv.patch -drm-msm-hdmi-enable-core-vcc-core-vdda-supply-for-89.patch -tcp-make-retransmitted-skb-fit-into-the-send-window.patch -selftests-timers-valid-adjtimex-build-fix-for-newer-.patch -selftests-timers-clocksource-switch-fix-passing-erro.patch -fs-check-fmode_lseek-to-control-internal-pipe-splici.patch -wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch -wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch -wifi-p54-add-missing-parentheses-in-p54_flush.patch -can-pch_can-do-not-report-txerr-and-rxerr-during-bus.patch -can-rcar_can-do-not-report-txerr-and-rxerr-during-bu.patch -can-sja1000-do-not-report-txerr-and-rxerr-during-bus.patch -can-sun4i_can-do-not-report-txerr-and-rxerr-during-b.patch -can-usb_8dev-do-not-report-txerr-and-rxerr-during-bu.patch -can-error-specify-the-values-of-data-5.7-of-can-erro.patch -can-pch_can-pch_can_error-initialize-errc-before-usi.patch -bluetooth-hci_intel-add-check-for-platform_driver_re.patch -i2c-cadence-support-pec-for-smbus-block-read.patch -wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch -wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch -net-rose-fix-netdev-reference-changes.patch -dccp-put-dccp_qpolicy_full-and-dccp_qpolicy_push-in-.patch -mtd-maps-fix-refcount-leak-in-of_flash_probe_versati.patch -mtd-maps-fix-refcount-leak-in-ap_flash_init.patch -mtd-sm_ftl-fix-deadlock-caused-by-cancel_work_sync-i.patch -usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch -misc-rtsx-fix-an-error-handling-path-in-rtsx_pci_pro.patch -memstick-ms_block-fix-some-incorrect-memory-allocati.patch -memstick-ms_block-fix-a-memory-leak.patch -mmc-sdhci-of-at91-fix-set_uhs_signaling-rewriting-of.patch -scsi-smartpqi-fix-dma-direction-for-raid-requests.patch -gpio-gpiolib-of-fix-refcount-bugs-in-of_mm_gpiochip_.patch -usb-serial-fix-tty-port-initialized-comments.patch -platform-olpc-fix-uninitialized-data-in-debugfs-writ.patch -mm-mmap.c-fix-missing-call-to-vm_unacct_memory-in-mm.patch -rdma-rxe-fix-error-unwind-in-rxe_create_qp.patch -ext4-recover-csum-seed-of-tmp_inode-after-migrating-.patch -jbd2-fix-assertion-jh-b_frozen_data-null-failure-whe.patch -asoc-mediatek-mt8173-fix-refcount-leak-in-mt8173_rt5.patch -asoc-codecs-da7210-add-check-for-i2c_add_driver.patch -asoc-mediatek-mt8173-rt5650-fix-refcount-leak-in-mt8.patch -profiling-fix-shift-too-large-makes-kernel-panic.patch -tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch -tty-n_gsm-fix-packet-re-transmission-without-open-co.patch -tty-n_gsm-fix-race-condition-in-gsmld_write.patch -remoteproc-qcom-wcnss-fix-handling-of-irqs.patch -tty-n_gsm-fix-wrong-t1-retry-count-handling.patch -tty-n_gsm-fix-dm-command.patch -kfifo-fix-kfifo_to_user-return-type.patch -mfd-t7l66xb-drop-platform-disable-callback.patch -s390-zcore-fix-race-when-reading-from-hardware-syste.patch -video-fbdev-sis-fix-typos-in-sis_getmodeid.patch -powerpc-pci-prefer-pci-domain-assignment-via-dt-linu.patch -powerpc-spufs-fix-refcount-leak-in-spufs_init_isolat.patch -powerpc-cell-axon_msi-fix-refcount-leak-in-setup_msi.patch -powerpc-pci-fix-phb-numbering-when-using-opal-phbid.patch -genelf-use-have_libcrypto_support-not-the-never-defi.patch -x86-numa-use-cpumask_available-instead-of-hardcoded-.patch -video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch -tools-thermal-fix-possible-path-truncations.patch -video-fbdev-vt8623fb-check-the-size-of-screen-before.patch -video-fbdev-arkfb-check-the-size-of-screen-before-me.patch -video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch diff --git a/queue-4.9/tcp-make-retransmitted-skb-fit-into-the-send-window.patch b/queue-4.9/tcp-make-retransmitted-skb-fit-into-the-send-window.patch deleted file mode 100644 index e14d62262f9..00000000000 --- a/queue-4.9/tcp-make-retransmitted-skb-fit-into-the-send-window.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 291a2f27ac6fa9472cb5d28b7e93055d1abe1efe Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 11 Jul 2022 17:47:18 +0800 -Subject: tcp: make retransmitted SKB fit into the send window - -From: Yonglong Li - -[ Upstream commit 536a6c8e05f95e3d1118c40ae8b3022ee2d05d52 ] - -current code of __tcp_retransmit_skb only check TCP_SKB_CB(skb)->seq -in send window, and TCP_SKB_CB(skb)->seq_end maybe out of send window. -If receiver has shrunk his window, and skb is out of new window, it -should retransmit a smaller portion of the payload. - -test packetdrill script: - 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 - +0 fcntl(3, F_GETFL) = 0x2 (flags O_RDWR) - +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 - - +0 connect(3, ..., ...) = -1 EINPROGRESS (Operation now in progress) - +0 > S 0:0(0) win 65535 - +.05 < S. 0:0(0) ack 1 win 6000 - +0 > . 1:1(0) ack 1 - - +0 write(3, ..., 10000) = 10000 - - +0 > . 1:2001(2000) ack 1 win 65535 - +0 > . 2001:4001(2000) ack 1 win 65535 - +0 > . 4001:6001(2000) ack 1 win 65535 - - +.05 < . 1:1(0) ack 4001 win 1001 - -and tcpdump show: -192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 1:2001, ack 1, win 65535, length 2000 -192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 2001:4001, ack 1, win 65535, length 2000 -192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 -192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 -192.0.2.1.8080 > 192.168.226.67.55: Flags [.], ack 4001, win 1001, length 0 -192.168.226.67.55 > 192.0.2.1.8080: Flags [.], seq 5001:6001, ack 1, win 65535, length 1000 -192.168.226.67.55 > 192.0.2.1.8080: Flags [P.], seq 4001:5001, ack 1, win 65535, length 1000 - -when cient retract window to 1001, send window is [4001,5002], -but TLP send 5001-6001 packet which is out of send window. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Yonglong Li -Signed-off-by: Eric Dumazet -Link: https://lore.kernel.org/r/1657532838-20200-1-git-send-email-liyonglong@chinatelecom.cn -Signed-off-by: Jakub Kicinski -Signed-off-by: Sasha Levin ---- - net/ipv4/tcp_output.c | 23 ++++++++++++++++------- - 1 file changed, 16 insertions(+), 7 deletions(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 5b6d935a028c..a8aa549e5b25 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -2722,7 +2722,7 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) - struct tcp_sock *tp = tcp_sk(sk); - unsigned int cur_mss; - int diff, len, err; -- -+ int avail_wnd; - - /* Inconclusive MTU probe */ - if (icsk->icsk_mtup.probe_size) -@@ -2752,17 +2752,25 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) - return -EHOSTUNREACH; /* Routing failure or similar. */ - - cur_mss = tcp_current_mss(sk); -+ avail_wnd = tcp_wnd_end(tp) - TCP_SKB_CB(skb)->seq; - - /* If receiver has shrunk his window, and skb is out of - * new window, do not retransmit it. The exception is the - * case, when window is shrunk to zero. In this case -- * our retransmit serves as a zero window probe. -+ * our retransmit of one segment serves as a zero window probe. - */ -- if (!before(TCP_SKB_CB(skb)->seq, tcp_wnd_end(tp)) && -- TCP_SKB_CB(skb)->seq != tp->snd_una) -- return -EAGAIN; -+ if (avail_wnd <= 0) { -+ if (TCP_SKB_CB(skb)->seq != tp->snd_una) -+ return -EAGAIN; -+ avail_wnd = cur_mss; -+ } - - len = cur_mss * segs; -+ if (len > avail_wnd) { -+ len = rounddown(avail_wnd, cur_mss); -+ if (!len) -+ len = avail_wnd; -+ } - if (skb->len > len) { - if (tcp_fragment(sk, skb, len, cur_mss, GFP_ATOMIC)) - return -ENOMEM; /* We'll try again later. */ -@@ -2775,8 +2783,9 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb, int segs) - diff -= tcp_skb_pcount(skb); - if (diff) - tcp_adjust_pcount(sk, skb, diff); -- if (skb->len < cur_mss) -- tcp_retrans_try_collapse(sk, skb, cur_mss); -+ avail_wnd = min_t(int, avail_wnd, cur_mss); -+ if (skb->len < avail_wnd) -+ tcp_retrans_try_collapse(sk, skb, avail_wnd); - } - - /* RFC3168, section 6.1.1.1. ECN fallback */ --- -2.35.1 - diff --git a/queue-4.9/thermal-tools-tmon-include-pthread-and-time-headers-.patch b/queue-4.9/thermal-tools-tmon-include-pthread-and-time-headers-.patch deleted file mode 100644 index 31058bbac67..00000000000 --- a/queue-4.9/thermal-tools-tmon-include-pthread-and-time-headers-.patch +++ /dev/null @@ -1,62 +0,0 @@ -From d2eaf6b3c1593abb62eb1b91556add090d6b9ea8 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 17 Jul 2022 20:10:39 -0700 -Subject: thermal/tools/tmon: Include pthread and time headers in tmon.h -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Markus Mayer - -[ Upstream commit 0cf51bfe999524377fbb71becb583b4ca6d07cfc ] - -Include sys/time.h and pthread.h in tmon.h, so that types -"pthread_mutex_t" and "struct timeval tv" are known when tmon.h -references them. - -Without these headers, compiling tmon against musl-libc will fail with -these errors: - -In file included from sysfs.c:31:0: -tmon.h:47:8: error: unknown type name 'pthread_mutex_t' - extern pthread_mutex_t input_lock; - ^~~~~~~~~~~~~~~ -make[3]: *** [: sysfs.o] Error 1 -make[3]: *** Waiting for unfinished jobs.... -In file included from tui.c:31:0: -tmon.h:54:17: error: field 'tv' has incomplete type - struct timeval tv; - ^~ -make[3]: *** [: tui.o] Error 1 -make[2]: *** [Makefile:83: tmon] Error 2 - -Signed-off-by: Markus Mayer -Acked-by: Florian Fainelli -Reviewed-by: Sumeet Pawnikar -Acked-by: Alejandro González -Tested-by: Alejandro González -Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") -Link: https://lore.kernel.org/r/20220718031040.44714-1-f.fainelli@gmail.com -Signed-off-by: Daniel Lezcano -Signed-off-by: Sasha Levin ---- - tools/thermal/tmon/tmon.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/tools/thermal/tmon/tmon.h b/tools/thermal/tmon/tmon.h -index 9e3c49c547ac..7b090a6c95b6 100644 ---- a/tools/thermal/tmon/tmon.h -+++ b/tools/thermal/tmon/tmon.h -@@ -36,6 +36,9 @@ - #define NR_LINES_TZDATA 1 - #define TMON_LOG_FILE "/var/tmp/tmon.log" - -+#include -+#include -+ - extern unsigned long ticktime; - extern double time_elapsed; - extern unsigned long target_temp_user; --- -2.35.1 - diff --git a/queue-4.9/tools-thermal-fix-possible-path-truncations.patch b/queue-4.9/tools-thermal-fix-possible-path-truncations.patch deleted file mode 100644 index a2afb93c5be..00000000000 --- a/queue-4.9/tools-thermal-fix-possible-path-truncations.patch +++ /dev/null @@ -1,109 +0,0 @@ -From dd5fa1841bc40bc376e999f80259345bf4fa80ea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Jul 2022 10:37:54 -0700 -Subject: tools/thermal: Fix possible path truncations - -From: Florian Fainelli - -[ Upstream commit 6c58cf40e3a1d2f47c09d3489857e9476316788a ] - -A build with -D_FORTIFY_SOURCE=2 enabled will produce the following warnings: - -sysfs.c:63:30: warning: '%s' directive output may be truncated writing up to 255 bytes into a region of size between 0 and 255 [-Wformat-truncation=] - snprintf(filepath, 256, "%s/%s", path, filename); - ^~ -Bump up the buffer to PATH_MAX which is the limit and account for all of -the possible NUL and separators that could lead to exceeding the -allocated buffer sizes. - -Fixes: 94f69966faf8 ("tools/thermal: Introduce tmon, a tool for thermal subsystem") -Signed-off-by: Florian Fainelli -Signed-off-by: Rafael J. Wysocki -Signed-off-by: Sasha Levin ---- - tools/thermal/tmon/sysfs.c | 24 +++++++++++++----------- - 1 file changed, 13 insertions(+), 11 deletions(-) - -diff --git a/tools/thermal/tmon/sysfs.c b/tools/thermal/tmon/sysfs.c -index 18f523557983..1b17cbc54c9d 100644 ---- a/tools/thermal/tmon/sysfs.c -+++ b/tools/thermal/tmon/sysfs.c -@@ -22,6 +22,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -42,9 +43,9 @@ int sysfs_set_ulong(char *path, char *filename, unsigned long val) - { - FILE *fd; - int ret = -1; -- char filepath[256]; -+ char filepath[PATH_MAX + 2]; /* NUL and '/' */ - -- snprintf(filepath, 256, "%s/%s", path, filename); -+ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); - - fd = fopen(filepath, "w"); - if (!fd) { -@@ -66,9 +67,9 @@ static int sysfs_get_ulong(char *path, char *filename, unsigned long *p_ulong) - { - FILE *fd; - int ret = -1; -- char filepath[256]; -+ char filepath[PATH_MAX + 2]; /* NUL and '/' */ - -- snprintf(filepath, 256, "%s/%s", path, filename); -+ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); - - fd = fopen(filepath, "r"); - if (!fd) { -@@ -85,9 +86,9 @@ static int sysfs_get_string(char *path, char *filename, char *str) - { - FILE *fd; - int ret = -1; -- char filepath[256]; -+ char filepath[PATH_MAX + 2]; /* NUL and '/' */ - -- snprintf(filepath, 256, "%s/%s", path, filename); -+ snprintf(filepath, sizeof(filepath), "%s/%s", path, filename); - - fd = fopen(filepath, "r"); - if (!fd) { -@@ -208,8 +209,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, - { - unsigned long trip_instance = 0; - char cdev_name_linked[256]; -- char cdev_name[256]; -- char cdev_trip_name[256]; -+ char cdev_name[PATH_MAX]; -+ char cdev_trip_name[PATH_MAX]; - int cdev_id; - - if (nl->d_type == DT_LNK) { -@@ -222,7 +223,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, - return -EINVAL; - } - /* find the link to real cooling device record binding */ -- snprintf(cdev_name, 256, "%s/%s", tz_name, nl->d_name); -+ snprintf(cdev_name, sizeof(cdev_name) - 2, "%s/%s", -+ tz_name, nl->d_name); - memset(cdev_name_linked, 0, sizeof(cdev_name_linked)); - if (readlink(cdev_name, cdev_name_linked, - sizeof(cdev_name_linked) - 1) != -1) { -@@ -235,8 +237,8 @@ static int find_tzone_cdev(struct dirent *nl, char *tz_name, - /* find the trip point in which the cdev is binded to - * in this tzone - */ -- snprintf(cdev_trip_name, 256, "%s%s", nl->d_name, -- "_trip_point"); -+ snprintf(cdev_trip_name, sizeof(cdev_trip_name) - 1, -+ "%s%s", nl->d_name, "_trip_point"); - sysfs_get_ulong(tz_name, cdev_trip_name, - &trip_instance); - /* validate trip point range, e.g. trip could return -1 --- -2.35.1 - diff --git a/queue-4.9/tty-n_gsm-fix-dm-command.patch b/queue-4.9/tty-n_gsm-fix-dm-command.patch deleted file mode 100644 index bb342e60a3b..00000000000 --- a/queue-4.9/tty-n_gsm-fix-dm-command.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 01738a739525aa96bd4833b0e71ac01509ad4c95 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 13:32:21 +0200 -Subject: tty: n_gsm: fix DM command - -From: Daniel Starke - -[ Upstream commit 18a948c7d90995d127785e308fa7b701df4c499f ] - -n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. -See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 -The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to -the newer 27.010 here. Chapter 5.3.3 defines the DM response. There exists -no DM command. However, the current implementation incorrectly sends DM as -command in case of unexpected UIH frames in gsm_queue(). -Correct this behavior by always sending DM as response. - -Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") -Signed-off-by: Daniel Starke -Link: https://lore.kernel.org/r/20220707113223.3685-2-daniel.starke@siemens.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/n_gsm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 7f50f7f15b86..08db25ca4e97 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -1910,7 +1910,7 @@ static void gsm_queue(struct gsm_mux *gsm) - goto invalid; - #endif - if (dlci == NULL || dlci->state != DLCI_OPEN) { -- gsm_command(gsm, address, DM|PF); -+ gsm_response(gsm, address, DM|PF); - return; - } - dlci->data(dlci, gsm->buf, gsm->len); --- -2.35.1 - diff --git a/queue-4.9/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch b/queue-4.9/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch deleted file mode 100644 index 07d40d71328..00000000000 --- a/queue-4.9/tty-n_gsm-fix-non-flow-control-frames-during-mux-flo.patch +++ /dev/null @@ -1,116 +0,0 @@ -From b740372021969cbcac22f3eed95c131d34384f8a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 08:16:48 +0200 -Subject: tty: n_gsm: fix non flow control frames during mux flow off - -From: Daniel Starke - -[ Upstream commit bec0224816d19abe4fe503586d16d51890540615 ] - -n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. -See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 -The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to -the newer 27.010 here. Chapter 5.4.6.3.6 states that FCoff stops the -transmission on all channels except the control channel. This is already -implemented in gsm_data_kick(). However, chapter 5.4.8.1 explains that this -shall result in the same behavior as software flow control on the ldisc in -advanced option mode. That means only flow control frames shall be sent -during flow off. The current implementation does not consider this case. - -Change gsm_data_kick() to send only flow control frames if constipated to -abide the standard. gsm_read_ea_val() and gsm_is_flow_ctrl_msg() are -introduced as helper functions for this. -It is planned to use gsm_read_ea_val() in later code cleanups for other -functions, too. - -Fixes: c01af4fec2c8 ("n_gsm : Flow control handling in Mux driver") -Signed-off-by: Daniel Starke -Link: https://lore.kernel.org/r/20220701061652.39604-5-daniel.starke@siemens.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/n_gsm.c | 54 ++++++++++++++++++++++++++++++++++++++++++++- - 1 file changed, 53 insertions(+), 1 deletion(-) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 3badb10229ef..e7fd4ed08bd5 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -426,6 +426,27 @@ static int gsm_read_ea(unsigned int *val, u8 c) - return c & EA; - } - -+/** -+ * gsm_read_ea_val - read a value until EA -+ * @val: variable holding value -+ * @data: buffer of data -+ * @dlen: length of data -+ * -+ * Processes an EA value. Updates the passed variable and -+ * returns the processed data length. -+ */ -+static unsigned int gsm_read_ea_val(unsigned int *val, const u8 *data, int dlen) -+{ -+ unsigned int len = 0; -+ -+ for (; dlen > 0; dlen--) { -+ len++; -+ if (gsm_read_ea(val, *data++)) -+ break; -+ } -+ return len; -+} -+ - /** - * gsm_encode_modem - encode modem data bits - * @dlci: DLCI to encode from -@@ -673,6 +694,37 @@ static struct gsm_msg *gsm_data_alloc(struct gsm_mux *gsm, u8 addr, int len, - return m; - } - -+/** -+ * gsm_is_flow_ctrl_msg - checks if flow control message -+ * @msg: message to check -+ * -+ * Returns true if the given message is a flow control command of the -+ * control channel. False is returned in any other case. -+ */ -+static bool gsm_is_flow_ctrl_msg(struct gsm_msg *msg) -+{ -+ unsigned int cmd; -+ -+ if (msg->addr > 0) -+ return false; -+ -+ switch (msg->ctrl & ~PF) { -+ case UI: -+ case UIH: -+ cmd = 0; -+ if (gsm_read_ea_val(&cmd, msg->data + 2, msg->len - 2) < 1) -+ break; -+ switch (cmd & ~PF) { -+ case CMD_FCOFF: -+ case CMD_FCON: -+ return true; -+ } -+ break; -+ } -+ -+ return false; -+} -+ - /** - * gsm_data_kick - poke the queue - * @gsm: GSM Mux -@@ -691,7 +743,7 @@ static void gsm_data_kick(struct gsm_mux *gsm, struct gsm_dlci *dlci) - int len; - - list_for_each_entry_safe(msg, nmsg, &gsm->tx_list, list) { -- if (gsm->constipated && msg->addr) -+ if (gsm->constipated && !gsm_is_flow_ctrl_msg(msg)) - continue; - if (gsm->encoding != 0) { - gsm->txframe[0] = GSM1_SOF; --- -2.35.1 - diff --git a/queue-4.9/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch b/queue-4.9/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch deleted file mode 100644 index 44b544cedfe..00000000000 --- a/queue-4.9/tty-n_gsm-fix-packet-re-transmission-without-open-co.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 1503c79d18b419c40fedd0123f45200b2a5c1bd1 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 08:16:50 +0200 -Subject: tty: n_gsm: fix packet re-transmission without open control channel - -From: Daniel Starke - -[ Upstream commit 4fae831b3a71fc5a44cc5c7d0b8c1267ee7659f5 ] - -In the current implementation control packets are re-transmitted even if -the control channel closed down during T2. This is wrong. -Check whether the control channel is open before re-transmitting any -packets. Note that control channel open/close is handled by T1 and not T2 -and remains unaffected by this. - -Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") -Signed-off-by: Daniel Starke -Link: https://lore.kernel.org/r/20220701061652.39604-7-daniel.starke@siemens.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/n_gsm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index e7fd4ed08bd5..01ff3f1b2350 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -1398,7 +1398,7 @@ static void gsm_control_retransmit(unsigned long data) - spin_lock_irqsave(&gsm->control_lock, flags); - ctrl = gsm->pending_cmd; - if (ctrl) { -- if (gsm->cretries == 0) { -+ if (gsm->cretries == 0 || !gsm->dlci[0] || gsm->dlci[0]->dead) { - gsm->pending_cmd = NULL; - ctrl->error = -ETIMEDOUT; - ctrl->done = 1; --- -2.35.1 - diff --git a/queue-4.9/tty-n_gsm-fix-race-condition-in-gsmld_write.patch b/queue-4.9/tty-n_gsm-fix-race-condition-in-gsmld_write.patch deleted file mode 100644 index da5b9c4aca6..00000000000 --- a/queue-4.9/tty-n_gsm-fix-race-condition-in-gsmld_write.patch +++ /dev/null @@ -1,62 +0,0 @@ -From 6574e22c5225ebeb8b1b3ad9cd3febc9ed10df96 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 1 Jul 2022 08:16:52 +0200 -Subject: tty: n_gsm: fix race condition in gsmld_write() - -From: Daniel Starke - -[ Upstream commit 32dd59f96924f45e33bc79854f7a00679c0fa28e ] - -The function may be used by the user directly and also by the n_gsm -internal functions. They can lead into a race condition which results in -interleaved frames if both are writing at the same time. The receiving side -is not able to decode those interleaved frames correctly. - -Add a lock around the low side tty write to avoid race conditions and frame -interleaving between user originated writes and n_gsm writes. - -Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") -Signed-off-by: Daniel Starke -Link: https://lore.kernel.org/r/20220701061652.39604-9-daniel.starke@siemens.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/n_gsm.c | 21 +++++++++++++++++---- - 1 file changed, 17 insertions(+), 4 deletions(-) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 01ff3f1b2350..8ab288a4950f 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -2521,11 +2521,24 @@ static ssize_t gsmld_read(struct tty_struct *tty, struct file *file, - static ssize_t gsmld_write(struct tty_struct *tty, struct file *file, - const unsigned char *buf, size_t nr) - { -- int space = tty_write_room(tty); -+ struct gsm_mux *gsm = tty->disc_data; -+ unsigned long flags; -+ int space; -+ int ret; -+ -+ if (!gsm) -+ return -ENODEV; -+ -+ ret = -ENOBUFS; -+ spin_lock_irqsave(&gsm->tx_lock, flags); -+ space = tty_write_room(tty); - if (space >= nr) -- return tty->ops->write(tty, buf, nr); -- set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); -- return -ENOBUFS; -+ ret = tty->ops->write(tty, buf, nr); -+ else -+ set_bit(TTY_DO_WRITE_WAKEUP, &tty->flags); -+ spin_unlock_irqrestore(&gsm->tx_lock, flags); -+ -+ return ret; - } - - /** --- -2.35.1 - diff --git a/queue-4.9/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch b/queue-4.9/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch deleted file mode 100644 index 094029896df..00000000000 --- a/queue-4.9/tty-n_gsm-fix-wrong-t1-retry-count-handling.patch +++ /dev/null @@ -1,55 +0,0 @@ -From f9b82239f7893193a51df0349b71494af2045ad9 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 7 Jul 2022 13:32:20 +0200 -Subject: tty: n_gsm: fix wrong T1 retry count handling - -From: Daniel Starke - -[ Upstream commit f30e10caa80aa1f35508bc17fc302dbbde9a833c ] - -n_gsm is based on the 3GPP 07.010 and its newer version is the 3GPP 27.010. -See https://portal.3gpp.org/desktopmodules/Specifications/SpecificationDetails.aspx?specificationId=1516 -The changes from 07.010 to 27.010 are non-functional. Therefore, I refer to -the newer 27.010 here. Chapter 5.7.3 states that the valid range for the -maximum number of retransmissions (N2) is from 0 to 255 (both including). -gsm_dlci_t1() handles this number incorrectly by performing N2 - 1 -retransmission attempts. Setting N2 to zero results in more than 255 -retransmission attempts. -Fix gsm_dlci_t1() to comply with 3GPP 27.010. - -Fixes: e1eaea46bb40 ("tty: n_gsm line discipline") -Signed-off-by: Daniel Starke -Link: https://lore.kernel.org/r/20220707113223.3685-1-daniel.starke@siemens.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/tty/n_gsm.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c -index 8ab288a4950f..7f50f7f15b86 100644 ---- a/drivers/tty/n_gsm.c -+++ b/drivers/tty/n_gsm.c -@@ -1550,8 +1550,8 @@ static void gsm_dlci_t1(unsigned long data) - - switch (dlci->state) { - case DLCI_OPENING: -- dlci->retries--; - if (dlci->retries) { -+ dlci->retries--; - gsm_command(dlci->gsm, dlci->addr, SABM|PF); - mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); - } else if (!dlci->addr && gsm->control == (DM | PF)) { -@@ -1566,8 +1566,8 @@ static void gsm_dlci_t1(unsigned long data) - - break; - case DLCI_CLOSING: -- dlci->retries--; - if (dlci->retries) { -+ dlci->retries--; - gsm_command(dlci->gsm, dlci->addr, DISC|PF); - mod_timer(&dlci->t1, jiffies + gsm->t1 * HZ / 100); - } else --- -2.35.1 - diff --git a/queue-4.9/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch b/queue-4.9/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch deleted file mode 100644 index 1d830b573c0..00000000000 --- a/queue-4.9/usb-host-fix-refcount-leak-in-ehci_hcd_ppc_of_probe.patch +++ /dev/null @@ -1,38 +0,0 @@ -From aa0d2afaaed87efe107ab293f1f3646f70101de5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 2 Jun 2022 15:08:49 +0400 -Subject: usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe - -From: Miaoqian Lin - -[ Upstream commit b5c5b13cb45e2c88181308186b0001992cb41954 ] - -of_find_compatible_node() returns a node pointer with refcount -incremented, we should use of_node_put() on it when done. -Add missing of_node_put() to avoid refcount leak. - -Fixes: 796bcae7361c ("USB: powerpc: Workaround for the PPC440EPX USBH_23 errata [take 3]") -Acked-by: Alan Stern -Signed-off-by: Miaoqian Lin -Link: https://lore.kernel.org/r/20220602110849.58549-1-linmq006@gmail.com -Signed-off-by: Greg Kroah-Hartman -Signed-off-by: Sasha Levin ---- - drivers/usb/host/ehci-ppc-of.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/usb/host/ehci-ppc-of.c b/drivers/usb/host/ehci-ppc-of.c -index 1a10c8d542ca..d36aa2c29d39 100644 ---- a/drivers/usb/host/ehci-ppc-of.c -+++ b/drivers/usb/host/ehci-ppc-of.c -@@ -147,6 +147,7 @@ static int ehci_hcd_ppc_of_probe(struct platform_device *op) - } else { - ehci->has_amcc_usb23 = 1; - } -+ of_node_put(np); - } - - if (of_get_property(dn, "big-endian", NULL)) { --- -2.35.1 - diff --git a/queue-4.9/usb-serial-fix-tty-port-initialized-comments.patch b/queue-4.9/usb-serial-fix-tty-port-initialized-comments.patch deleted file mode 100644 index 85e62fd2465..00000000000 --- a/queue-4.9/usb-serial-fix-tty-port-initialized-comments.patch +++ /dev/null @@ -1,66 +0,0 @@ -From d989a24661b8719d839f6d0186e1bbf2d2ae85a6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Jul 2022 10:44:57 +0200 -Subject: USB: serial: fix tty-port initialized comments - -From: Johan Hovold - -[ Upstream commit 688ee1d1785c1359f9040f615dd8e6054962bce2 ] - -Fix up the tty-port initialized comments which got truncated and -obfuscated when replacing the old ASYNCB_INITIALIZED flag. - -Fixes: d41861ca19c9 ("tty: Replace ASYNC_INITIALIZED bit and update atomically") -Reviewed-by: Greg Kroah-Hartman -Signed-off-by: Johan Hovold -Signed-off-by: Sasha Levin ---- - drivers/usb/serial/sierra.c | 3 ++- - drivers/usb/serial/usb-serial.c | 2 +- - drivers/usb/serial/usb_wwan.c | 3 ++- - 3 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/drivers/usb/serial/sierra.c b/drivers/usb/serial/sierra.c -index fbc7b29e855e..0474295cab32 100644 ---- a/drivers/usb/serial/sierra.c -+++ b/drivers/usb/serial/sierra.c -@@ -776,7 +776,8 @@ static void sierra_close(struct usb_serial_port *port) - - /* - * Need to take susp_lock to make sure port is not already being -- * resumed, but no need to hold it due to initialized -+ * resumed, but no need to hold it due to the tty-port initialized -+ * flag. - */ - spin_lock_irq(&intfdata->susp_lock); - if (--intfdata->open_ports == 0) -diff --git a/drivers/usb/serial/usb-serial.c b/drivers/usb/serial/usb-serial.c -index 8a24a11b7ffc..0031afd97783 100644 ---- a/drivers/usb/serial/usb-serial.c -+++ b/drivers/usb/serial/usb-serial.c -@@ -255,7 +255,7 @@ static int serial_open(struct tty_struct *tty, struct file *filp) - * - * Shut down a USB serial port. Serialized against activate by the - * tport mutex and kept to matching open/close pairs -- * of calls by the initialized flag. -+ * of calls by the tty-port initialized flag. - * - * Not called if tty is console. - */ -diff --git a/drivers/usb/serial/usb_wwan.c b/drivers/usb/serial/usb_wwan.c -index 0fbb34fcbddf..1434b6e14a2a 100644 ---- a/drivers/usb/serial/usb_wwan.c -+++ b/drivers/usb/serial/usb_wwan.c -@@ -468,7 +468,8 @@ void usb_wwan_close(struct usb_serial_port *port) - - /* - * Need to take susp_lock to make sure port is not already being -- * resumed, but no need to hold it due to initialized -+ * resumed, but no need to hold it due to the tty-port initialized -+ * flag. - */ - spin_lock_irq(&intfdata->susp_lock); - if (--intfdata->open_ports == 0) --- -2.35.1 - diff --git a/queue-4.9/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch b/queue-4.9/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch deleted file mode 100644 index fb74dc46cb5..00000000000 --- a/queue-4.9/video-fbdev-arkfb-check-the-size-of-screen-before-me.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 2b725e70331008d975d93fecab1a78473d67c5b6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 20:41:24 +0800 -Subject: video: fbdev: arkfb: Check the size of screen before memset_io() - -From: Zheyu Ma - -[ Upstream commit 96b550971c65d54d64728d8ba973487878a06454 ] - -In the function arkfb_set_par(), the value of 'screen_size' is -calculated by the user input. If the user provides the improper value, -the value of 'screen_size' may larger than 'info->screen_size', which -may cause the following bug: - -[ 659.399066] BUG: unable to handle page fault for address: ffffc90003000000 -[ 659.399077] #PF: supervisor write access in kernel mode -[ 659.399079] #PF: error_code(0x0002) - not-present page -[ 659.399094] RIP: 0010:memset_orig+0x33/0xb0 -[ 659.399116] Call Trace: -[ 659.399122] arkfb_set_par+0x143f/0x24c0 -[ 659.399130] fb_set_var+0x604/0xeb0 -[ 659.399161] do_fb_ioctl+0x234/0x670 -[ 659.399189] fb_ioctl+0xdd/0x130 - -Fix the this by checking the value of 'screen_size' before memset_io(). - -Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") -Signed-off-by: Zheyu Ma -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/arkfb.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c -index 6af8043541c7..3acf245c1453 100644 ---- a/drivers/video/fbdev/arkfb.c -+++ b/drivers/video/fbdev/arkfb.c -@@ -794,6 +794,8 @@ static int arkfb_set_par(struct fb_info *info) - value = ((value * hmul / hdiv) / 8) - 5; - vga_wcrt(par->state.vgabase, 0x42, (value + 1) / 2); - -+ if (screen_size > info->screen_size) -+ screen_size = info->screen_size; - memset_io(info->screen_base, 0x00, screen_size); - /* Device and screen back on */ - svga_wcrt_mask(par->state.vgabase, 0x17, 0x80, 0x80); --- -2.35.1 - diff --git a/queue-4.9/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch b/queue-4.9/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch deleted file mode 100644 index f11de642981..00000000000 --- a/queue-4.9/video-fbdev-arkfb-fix-a-divide-by-zero-bug-in-ark_se.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 6da48afa34f1cc1b61ff83e60246a3cf36f37551 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 3 Aug 2022 17:23:12 +0800 -Subject: video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() - -From: Zheyu Ma - -[ Upstream commit 2f1c4523f7a3aaabe7e53d3ebd378292947e95c8 ] - -Since the user can control the arguments of the ioctl() from the user -space, under special arguments that may result in a divide-by-zero bug -in: - drivers/video/fbdev/arkfb.c:784: ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); -with hdiv=1, pixclock=1 and hmul=2 you end up with (1*1)/2 = (int) 0. -and then in: - drivers/video/fbdev/arkfb.c:504: rv = dac_set_freq(par->dac, 0, 1000000000 / pixclock); -we'll get a division-by-zero. - -The following log can reveal it: - -divide error: 0000 [#1] PREEMPT SMP KASAN PTI -RIP: 0010:ark_set_pixclock drivers/video/fbdev/arkfb.c:504 [inline] -RIP: 0010:arkfb_set_par+0x10fc/0x24c0 drivers/video/fbdev/arkfb.c:784 -Call Trace: - fb_set_var+0x604/0xeb0 drivers/video/fbdev/core/fbmem.c:1034 - do_fb_ioctl+0x234/0x670 drivers/video/fbdev/core/fbmem.c:1110 - fb_ioctl+0xdd/0x130 drivers/video/fbdev/core/fbmem.c:1189 - -Fix this by checking the argument of ark_set_pixclock() first. - -Fixes: 681e14730c73 ("arkfb: new framebuffer driver for ARK Logic cards") -Signed-off-by: Zheyu Ma -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/arkfb.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/video/fbdev/arkfb.c b/drivers/video/fbdev/arkfb.c -index 6a317de7082c..6af8043541c7 100644 ---- a/drivers/video/fbdev/arkfb.c -+++ b/drivers/video/fbdev/arkfb.c -@@ -778,7 +778,12 @@ static int arkfb_set_par(struct fb_info *info) - return -EINVAL; - } - -- ark_set_pixclock(info, (hdiv * info->var.pixclock) / hmul); -+ value = (hdiv * info->var.pixclock) / hmul; -+ if (!value) { -+ fb_dbg(info, "invalid pixclock\n"); -+ value = 1; -+ } -+ ark_set_pixclock(info, value); - svga_set_timings(par->state.vgabase, &ark_timing_regs, &(info->var), hmul, hdiv, - (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, - (info->var.vmode & FB_VMODE_INTERLACED) ? 2 : 1, --- -2.35.1 - diff --git a/queue-4.9/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch b/queue-4.9/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch deleted file mode 100644 index 6625f6c39a6..00000000000 --- a/queue-4.9/video-fbdev-s3fb-check-the-size-of-screen-before-mem.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 96d8be0e846ebedde2b2c745144b2762b0bee95a Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 20:41:25 +0800 -Subject: video: fbdev: s3fb: Check the size of screen before memset_io() - -From: Zheyu Ma - -[ Upstream commit 6ba592fa014f21f35a8ee8da4ca7b95a018f13e8 ] - -In the function s3fb_set_par(), the value of 'screen_size' is -calculated by the user input. If the user provides the improper value, -the value of 'screen_size' may larger than 'info->screen_size', which -may cause the following bug: - -[ 54.083733] BUG: unable to handle page fault for address: ffffc90003000000 -[ 54.083742] #PF: supervisor write access in kernel mode -[ 54.083744] #PF: error_code(0x0002) - not-present page -[ 54.083760] RIP: 0010:memset_orig+0x33/0xb0 -[ 54.083782] Call Trace: -[ 54.083788] s3fb_set_par+0x1ec6/0x4040 -[ 54.083806] fb_set_var+0x604/0xeb0 -[ 54.083836] do_fb_ioctl+0x234/0x670 - -Fix the this by checking the value of 'screen_size' before memset_io(). - -Fixes: a268422de8bf ("fbdev driver for S3 Trio/Virge") -Signed-off-by: Zheyu Ma -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/s3fb.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/video/fbdev/s3fb.c b/drivers/video/fbdev/s3fb.c -index 13b109073c63..b9db8df7ff9e 100644 ---- a/drivers/video/fbdev/s3fb.c -+++ b/drivers/video/fbdev/s3fb.c -@@ -902,6 +902,8 @@ static int s3fb_set_par(struct fb_info *info) - value = clamp((htotal + hsstart + 1) / 2 + 2, hsstart + 4, htotal + 1); - svga_wcrt_multi(par->state.vgabase, s3_dtpc_regs, value); - -+ if (screen_size > info->screen_size) -+ screen_size = info->screen_size; - memset_io(info->screen_base, 0x00, screen_size); - /* Device and screen back on */ - svga_wcrt_mask(par->state.vgabase, 0x17, 0x80, 0x80); --- -2.35.1 - diff --git a/queue-4.9/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch b/queue-4.9/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch deleted file mode 100644 index 7eb207c9174..00000000000 --- a/queue-4.9/video-fbdev-sis-fix-typos-in-sis_getmodeid.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 9ec0a2cc48ff6b11c53d9525ed95f158fc5ebaac Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 18 Jul 2022 15:43:43 +0300 -Subject: video: fbdev: sis: fix typos in SiS_GetModeID() - -From: Rustam Subkhankulov - -[ Upstream commit 3eb8fccc244bfb41a7961969e4db280d44911226 ] - -The second operand of a '&&' operator has no impact on expression -result for cases 400 and 512 in SiS_GetModeID(). - -Judging by the logic and the names of the variables, in both cases a -typo was made. - -Found by Linux Verification Center (linuxtesting.org) with SVACE. - -Signed-off-by: Rustam Subkhankulov -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/sis/init.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/video/fbdev/sis/init.c b/drivers/video/fbdev/sis/init.c -index fde27feae5d0..d6b2ce95a859 100644 ---- a/drivers/video/fbdev/sis/init.c -+++ b/drivers/video/fbdev/sis/init.c -@@ -355,12 +355,12 @@ SiS_GetModeID(int VGAEngine, unsigned int VBFlags, int HDisplay, int VDisplay, - } - break; - case 400: -- if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 800) && (LCDwidth >= 600))) { -+ if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 800) && (LCDheight >= 600))) { - if(VDisplay == 300) ModeIndex = ModeIndex_400x300[Depth]; - } - break; - case 512: -- if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 1024) && (LCDwidth >= 768))) { -+ if((!(VBFlags & CRT1_LCDA)) || ((LCDwidth >= 1024) && (LCDheight >= 768))) { - if(VDisplay == 384) ModeIndex = ModeIndex_512x384[Depth]; - } - break; --- -2.35.1 - diff --git a/queue-4.9/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch b/queue-4.9/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch deleted file mode 100644 index 7e55535c003..00000000000 --- a/queue-4.9/video-fbdev-vt8623fb-check-the-size-of-screen-before.patch +++ /dev/null @@ -1,50 +0,0 @@ -From d669c5dd48c2acd4ffbc006eb6a3097df37964ea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 4 Aug 2022 20:41:23 +0800 -Subject: video: fbdev: vt8623fb: Check the size of screen before memset_io() - -From: Zheyu Ma - -[ Upstream commit ec0754c60217248fa77cc9005d66b2b55200ac06 ] - -In the function vt8623fb_set_par(), the value of 'screen_size' is -calculated by the user input. If the user provides the improper value, -the value of 'screen_size' may larger than 'info->screen_size', which -may cause the following bug: - -[ 583.339036] BUG: unable to handle page fault for address: ffffc90005000000 -[ 583.339049] #PF: supervisor write access in kernel mode -[ 583.339052] #PF: error_code(0x0002) - not-present page -[ 583.339074] RIP: 0010:memset_orig+0x33/0xb0 -[ 583.339110] Call Trace: -[ 583.339118] vt8623fb_set_par+0x11cd/0x21e0 -[ 583.339146] fb_set_var+0x604/0xeb0 -[ 583.339181] do_fb_ioctl+0x234/0x670 -[ 583.339209] fb_ioctl+0xdd/0x130 - -Fix the this by checking the value of 'screen_size' before memset_io(). - -Fixes: 558b7bd86c32 ("vt8623fb: new framebuffer driver for VIA VT8623") -Signed-off-by: Zheyu Ma -Signed-off-by: Helge Deller -Signed-off-by: Sasha Levin ---- - drivers/video/fbdev/vt8623fb.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/video/fbdev/vt8623fb.c b/drivers/video/fbdev/vt8623fb.c -index dd0f18e42d3e..f0549d5e1364 100644 ---- a/drivers/video/fbdev/vt8623fb.c -+++ b/drivers/video/fbdev/vt8623fb.c -@@ -504,6 +504,8 @@ static int vt8623fb_set_par(struct fb_info *info) - (info->var.vmode & FB_VMODE_DOUBLE) ? 2 : 1, 1, - 1, info->node); - -+ if (screen_size > info->screen_size) -+ screen_size = info->screen_size; - memset_io(info->screen_base, 0x00, screen_size); - - /* Device and screen back on */ --- -2.35.1 - diff --git a/queue-4.9/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch b/queue-4.9/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch deleted file mode 100644 index aa1d95646c3..00000000000 --- a/queue-4.9/wifi-iwlegacy-4965-fix-potential-off-by-one-overflow.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 4eca910aa44c5f0d03395e708613144181e8e626 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 8 Jun 2022 20:16:14 +0300 -Subject: wifi: iwlegacy: 4965: fix potential off-by-one overflow in - il4965_rs_fill_link_cmd() - -From: Alexey Kodanev - -[ Upstream commit a8eb8e6f7159c7c20c0ddac428bde3d110890aa7 ] - -As a result of the execution of the inner while loop, the value -of 'idx' can be equal to LINK_QUAL_MAX_RETRY_NUM. However, this -is not checked after the loop and 'idx' is used to write the -LINK_QUAL_MAX_RETRY_NUM size array 'lq_cmd->rs_table[idx]' below -in the outer loop. - -The fix is to check the new value of 'idx' inside the nested loop, -and break both loops if index equals the size. Checking it at the -start is now pointless, so let's remove it. - -Detected using the static analysis tool - Svace. - -Fixes: be663ab67077 ("iwlwifi: split the drivers for agn and legacy devices 3945/4965") -Signed-off-by: Alexey Kodanev -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220608171614.28891-1-aleksei.kodanev@bell-sw.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intel/iwlegacy/4965-rs.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intel/iwlegacy/4965-rs.c b/drivers/net/wireless/intel/iwlegacy/4965-rs.c -index a867ae7f4095..cd63b253cf75 100644 ---- a/drivers/net/wireless/intel/iwlegacy/4965-rs.c -+++ b/drivers/net/wireless/intel/iwlegacy/4965-rs.c -@@ -2424,7 +2424,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, - /* Repeat initial/next rate. - * For legacy IL_NUMBER_TRY == 1, this loop will not execute. - * For HT IL_HT_NUMBER_TRY == 3, this executes twice. */ -- while (repeat_rate > 0 && idx < LINK_QUAL_MAX_RETRY_NUM) { -+ while (repeat_rate > 0) { - if (is_legacy(tbl_type.lq_type)) { - if (ant_toggle_cnt < NUM_TRY_BEFORE_ANT_TOGGLE) - ant_toggle_cnt++; -@@ -2443,6 +2443,8 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, - cpu_to_le32(new_rate); - repeat_rate--; - idx++; -+ if (idx >= LINK_QUAL_MAX_RETRY_NUM) -+ goto out; - } - - il4965_rs_get_tbl_info_from_mcs(new_rate, lq_sta->band, -@@ -2487,6 +2489,7 @@ il4965_rs_fill_link_cmd(struct il_priv *il, struct il_lq_sta *lq_sta, - repeat_rate--; - } - -+out: - lq_cmd->agg_params.agg_frame_cnt_limit = LINK_QUAL_AGG_FRAME_LIMIT_DEF; - lq_cmd->agg_params.agg_dis_start_th = LINK_QUAL_AGG_DISABLE_START_DEF; - --- -2.35.1 - diff --git a/queue-4.9/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch b/queue-4.9/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch deleted file mode 100644 index 4e7a9d1fc7e..00000000000 --- a/queue-4.9/wifi-libertas-fix-possible-refcount-leak-in-if_usb_p.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 3705d375d511167862542ef4e88baaac4820f0e5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 20 Jun 2022 17:23:50 +0800 -Subject: wifi: libertas: Fix possible refcount leak in if_usb_probe() - -From: Hangyu Hua - -[ Upstream commit 6fd57e1d120bf13d4dc6c200a7cf914e6347a316 ] - -usb_get_dev will be called before lbs_get_firmware_async which means that -usb_put_dev need to be called when lbs_get_firmware_async fails. - -Fixes: ce84bb69f50e ("libertas USB: convert to asynchronous firmware loading") -Signed-off-by: Hangyu Hua -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220620092350.39960-1-hbh25y@gmail.com -Link: https://lore.kernel.org/r/20220622113402.16969-1-colin.i.king@gmail.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/marvell/libertas/if_usb.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wireless/marvell/libertas/if_usb.c b/drivers/net/wireless/marvell/libertas/if_usb.c -index 9f19fd5c18d0..e9229f4d4e71 100644 ---- a/drivers/net/wireless/marvell/libertas/if_usb.c -+++ b/drivers/net/wireless/marvell/libertas/if_usb.c -@@ -287,6 +287,7 @@ static int if_usb_probe(struct usb_interface *intf, - return 0; - - err_get_fw: -+ usb_put_dev(udev); - lbs_remove_card(priv); - err_add_card: - if_usb_reset_device(cardp); --- -2.35.1 - diff --git a/queue-4.9/wifi-p54-add-missing-parentheses-in-p54_flush.patch b/queue-4.9/wifi-p54-add-missing-parentheses-in-p54_flush.patch deleted file mode 100644 index 4f817a81bb7..00000000000 --- a/queue-4.9/wifi-p54-add-missing-parentheses-in-p54_flush.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 00abc0abf3d5d9b4e65309b98610660a89fc2aa5 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 14 Jul 2022 16:48:31 +0300 -Subject: wifi: p54: add missing parentheses in p54_flush() - -From: Rustam Subkhankulov - -[ Upstream commit bcfd9d7f6840b06d5988c7141127795cf405805e ] - -The assignment of the value to the variable total in the loop -condition must be enclosed in additional parentheses, since otherwise, -in accordance with the precedence of the operators, the conjunction -will be performed first, and only then the assignment. - -Due to this error, a warning later in the function after the loop may -not occur in the situation when it should. - -Found by Linux Verification Center (linuxtesting.org) with SVACE. - -Signed-off-by: Rustam Subkhankulov -Fixes: 0d4171e2153b ("p54: implement flush callback") -Acked-by: Christian Lamparter -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220714134831.106004-1-subkhankulov@ispras.ru -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intersil/p54/main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intersil/p54/main.c b/drivers/net/wireless/intersil/p54/main.c -index ab6d39e12069..120c3f21f382 100644 ---- a/drivers/net/wireless/intersil/p54/main.c -+++ b/drivers/net/wireless/intersil/p54/main.c -@@ -688,7 +688,7 @@ static void p54_flush(struct ieee80211_hw *dev, struct ieee80211_vif *vif, - * queues have already been stopped and no new frames can sneak - * up from behind. - */ -- while ((total = p54_flush_count(priv) && i--)) { -+ while ((total = p54_flush_count(priv)) && i--) { - /* waste time */ - msleep(20); - } --- -2.35.1 - diff --git a/queue-4.9/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch b/queue-4.9/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch deleted file mode 100644 index 97369ad43b4..00000000000 --- a/queue-4.9/wifi-p54-fix-an-error-handling-path-in-p54spi_probe.patch +++ /dev/null @@ -1,52 +0,0 @@ -From fb3b760eef9818e6a308fb14abb777db070ecd52 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 12 Jun 2022 23:12:20 +0200 -Subject: wifi: p54: Fix an error handling path in p54spi_probe() - -From: Christophe JAILLET - -[ Upstream commit 83781f0162d080fec7dcb911afd1bc2f5ad04471 ] - -If an error occurs after a successful call to p54spi_request_firmware(), it -must be undone by a corresponding release_firmware() as already done in -the error handling path of p54spi_request_firmware() and in the .remove() -function. - -Add the missing call in the error handling path and remove it from -p54spi_request_firmware() now that it is the responsibility of the caller -to release the firmware - -Fixes: cd8d3d321285 ("p54spi: p54spi driver") -Signed-off-by: Christophe JAILLET -Acked-by: Christian Lamparter -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/297d2547ff2ee627731662abceeab9dbdaf23231.1655068321.git.christophe.jaillet@wanadoo.fr -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/intersil/p54/p54spi.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/intersil/p54/p54spi.c b/drivers/net/wireless/intersil/p54/p54spi.c -index 7ab2f43ab425..3aa80d257162 100644 ---- a/drivers/net/wireless/intersil/p54/p54spi.c -+++ b/drivers/net/wireless/intersil/p54/p54spi.c -@@ -177,7 +177,7 @@ static int p54spi_request_firmware(struct ieee80211_hw *dev) - - ret = p54_parse_firmware(dev, priv->firmware); - if (ret) { -- release_firmware(priv->firmware); -+ /* the firmware is released by the caller */ - return ret; - } - -@@ -672,6 +672,7 @@ static int p54spi_probe(struct spi_device *spi) - return 0; - - err_free_common: -+ release_firmware(priv->firmware); - free_irq(gpio_to_irq(p54spi_gpio_irq), spi); - err_free_gpio_irq: - gpio_free(p54spi_gpio_irq); --- -2.35.1 - diff --git a/queue-4.9/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch b/queue-4.9/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch deleted file mode 100644 index 104ed617a93..00000000000 --- a/queue-4.9/wifi-wil6210-debugfs-fix-info-leak-in-wil_write_file.patch +++ /dev/null @@ -1,52 +0,0 @@ -From a91478bf291ffe8fd78460d5c39d9e211afd6905 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Fri, 15 Jul 2022 13:35:18 +0300 -Subject: wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() - -From: Dan Carpenter - -[ Upstream commit 7a4836560a6198d245d5732e26f94898b12eb760 ] - -The simple_write_to_buffer() function will succeed if even a single -byte is initialized. However, we need to initialize the whole buffer -to prevent information leaks. Just use memdup_user(). - -Fixes: ff974e408334 ("wil6210: debugfs interface to send raw WMI command") -Signed-off-by: Dan Carpenter -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/Ysg14NdKAZF/hcNG@kili -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/wil6210/debugfs.c | 14 ++++---------- - 1 file changed, 4 insertions(+), 10 deletions(-) - -diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c -index cbf3958d788a..9ceded62ccf4 100644 ---- a/drivers/net/wireless/ath/wil6210/debugfs.c -+++ b/drivers/net/wireless/ath/wil6210/debugfs.c -@@ -836,18 +836,12 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, - u16 cmdid; - int rc, rc1; - -- if (cmdlen < 0) -+ if (cmdlen < 0 || *ppos != 0) - return -EINVAL; - -- wmi = kmalloc(len, GFP_KERNEL); -- if (!wmi) -- return -ENOMEM; -- -- rc = simple_write_to_buffer(wmi, len, ppos, buf, len); -- if (rc < 0) { -- kfree(wmi); -- return rc; -- } -+ wmi = memdup_user(buf, len); -+ if (IS_ERR(wmi)) -+ return PTR_ERR(wmi); - - cmd = (cmdlen > 0) ? &wmi[1] : NULL; - cmdid = le16_to_cpu(wmi->command_id); --- -2.35.1 - diff --git a/queue-4.9/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch b/queue-4.9/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch deleted file mode 100644 index af30a3d7f56..00000000000 --- a/queue-4.9/wifi-wil6210-debugfs-fix-uninitialized-variable-use-.patch +++ /dev/null @@ -1,59 +0,0 @@ -From 9c518f3065c4cefd5b2d533f0806721f6d2a0714 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 25 Jul 2022 20:49:11 +0300 -Subject: wifi: wil6210: debugfs: fix uninitialized variable use in - `wil_write_file_wmi()` - -From: Ammar Faizi - -[ Upstream commit d578e0af3a003736f6c440188b156483d451b329 ] - -Commit 7a4836560a61 changes simple_write_to_buffer() with memdup_user() -but it forgets to change the value to be returned that came from -simple_write_to_buffer() call. It results in the following warning: - - warning: variable 'rc' is uninitialized when used here [-Wuninitialized] - return rc; - ^~ - -Remove rc variable and just return the passed in length if the -memdup_user() succeeds. - -Cc: Dan Carpenter -Reported-by: kernel test robot -Fixes: 7a4836560a6198d245d5732e26f94898b12eb760 ("wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()") -Fixes: ff974e4083341383d3dd4079e52ed30f57f376f0 ("wil6210: debugfs interface to send raw WMI command") -Signed-off-by: Ammar Faizi -Reviewed-by: Dan Carpenter -Signed-off-by: Kalle Valo -Link: https://lore.kernel.org/r/20220724202452.61846-1-ammar.faizi@intel.com -Signed-off-by: Sasha Levin ---- - drivers/net/wireless/ath/wil6210/debugfs.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c -index 9ceded62ccf4..f29934eb9994 100644 ---- a/drivers/net/wireless/ath/wil6210/debugfs.c -+++ b/drivers/net/wireless/ath/wil6210/debugfs.c -@@ -834,7 +834,7 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, - void *cmd; - int cmdlen = len - sizeof(struct wmi_cmd_hdr); - u16 cmdid; -- int rc, rc1; -+ int rc1; - - if (cmdlen < 0 || *ppos != 0) - return -EINVAL; -@@ -851,7 +851,7 @@ static ssize_t wil_write_file_wmi(struct file *file, const char __user *buf, - - wil_info(wil, "%s(0x%04x[%d]) -> %d\n", __func__, cmdid, cmdlen, rc1); - -- return rc; -+ return len; - } - - static const struct file_operations fops_wmi = { --- -2.35.1 - diff --git a/queue-4.9/x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rw.patch b/queue-4.9/x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rw.patch deleted file mode 100644 index c331b6c8c87..00000000000 --- a/queue-4.9/x86-link-vdso-and-boot-with-z-noexecstack-no-warn-rw.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 48743dd7af756c78525a20ebeb0fa2aaa3ad56af Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Wed, 10 Aug 2022 15:24:41 -0700 -Subject: x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments - -From: Nick Desaulniers - -commit ffcf9c5700e49c0aee42dcba9a12ba21338e8136 upstream. - -Users of GNU ld (BFD) from binutils 2.39+ will observe multiple -instances of a new warning when linking kernels in the form: - - ld: warning: arch/x86/boot/pmjump.o: missing .note.GNU-stack section implies executable stack - ld: NOTE: This behaviour is deprecated and will be removed in a future version of the linker - ld: warning: arch/x86/boot/compressed/vmlinux has a LOAD segment with RWX permissions - -Generally, we would like to avoid the stack being executable. Because -there could be a need for the stack to be executable, assembler sources -have to opt-in to this security feature via explicit creation of the -.note.GNU-stack feature (which compilers create by default) or command -line flag --noexecstack. Or we can simply tell the linker the -production of such sections is irrelevant and to link the stack as ---noexecstack. - -LLVM's LLD linker defaults to -z noexecstack, so this flag isn't -strictly necessary when linking with LLD, only BFD, but it doesn't hurt -to be explicit here for all linkers IMO. --no-warn-rwx-segments is -currently BFD specific and only available in the current latest release, -so it's wrapped in an ld-option check. - -While the kernel makes extensive usage of ELF sections, it doesn't use -permissions from ELF segments. - -Link: https://lore.kernel.org/linux-block/3af4127a-f453-4cf7-f133-a181cce06f73@kernel.dk/ -Link: https://sourceware.org/git/?p=binutils-gdb.git;a=commit;h=ba951afb99912da01a6e8434126b8fac7aa75107 -Link: https://github.com/llvm/llvm-project/issues/57009 -Reported-and-tested-by: Jens Axboe -Suggested-by: Fangrui Song -Signed-off-by: Nick Desaulniers -Signed-off-by: Linus Torvalds -Signed-off-by: Greg Kroah-Hartman ---- - arch/x86/boot/Makefile | 2 +- - arch/x86/boot/compressed/Makefile | 6 ++++++ - arch/x86/entry/vdso/Makefile | 2 +- - 3 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/boot/Makefile b/arch/x86/boot/Makefile -index d1df7d2e31b1..ffa96111eacc 100644 ---- a/arch/x86/boot/Makefile -+++ b/arch/x86/boot/Makefile -@@ -100,7 +100,7 @@ $(obj)/zoffset.h: $(obj)/compressed/vmlinux FORCE - AFLAGS_header.o += -I$(objtree)/$(obj) - $(obj)/header.o: $(obj)/zoffset.h - --LDFLAGS_setup.elf := -m elf_i386 -T -+LDFLAGS_setup.elf := -m elf_i386 -z noexecstack -T - $(obj)/setup.elf: $(src)/setup.ld $(SETUP_OBJS) FORCE - $(call if_changed,ld) - -diff --git a/arch/x86/boot/compressed/Makefile b/arch/x86/boot/compressed/Makefile -index 7be7acd6a540..3985eb76d12a 100644 ---- a/arch/x86/boot/compressed/Makefile -+++ b/arch/x86/boot/compressed/Makefile -@@ -54,6 +54,12 @@ else - LDFLAGS += $(shell $(LD) --help 2>&1 | grep -q "\-z noreloc-overflow" \ - && echo "-z noreloc-overflow -pie --no-dynamic-linker") - endif -+ -+LDFLAGS += -z noexecstack -+ifeq ($(CONFIG_LD_IS_BFD),y) -+LDFLAGS += $(call ld-option,--no-warn-rwx-segments) -+endif -+ - LDFLAGS_vmlinux := -T - - hostprogs-y := mkpiggy -diff --git a/arch/x86/entry/vdso/Makefile b/arch/x86/entry/vdso/Makefile -index 0d3ebdfa0739..99597d3648f3 100644 ---- a/arch/x86/entry/vdso/Makefile -+++ b/arch/x86/entry/vdso/Makefile -@@ -168,7 +168,7 @@ quiet_cmd_vdso = VDSO $@ - - VDSO_LDFLAGS = -shared $(call ld-option, --hash-style=both) \ - $(call ld-option, --build-id) $(call ld-option, --eh-frame-hdr) \ -- -Bsymbolic -+ -Bsymbolic -z noexecstack - GCOV_PROFILE := n - - # --- -2.35.1 - diff --git a/queue-4.9/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch b/queue-4.9/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch deleted file mode 100644 index a96d6445d57..00000000000 --- a/queue-4.9/x86-numa-use-cpumask_available-instead-of-hardcoded-.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ee4776aaa37caf0fc48694aaf957d1ae35a27542 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Sun, 31 Jul 2022 21:39:13 +0530 -Subject: x86/numa: Use cpumask_available instead of hardcoded NULL check -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -From: Siddh Raman Pant - -[ Upstream commit 625395c4a0f4775e0fe00f616888d2e6c1ba49db ] - -GCC-12 started triggering a new warning: - - arch/x86/mm/numa.c: In function ‘cpumask_of_node’: - arch/x86/mm/numa.c:916:39: warning: the comparison will always evaluate as ‘false’ for the address of ‘node_to_cpumask_map’ will never be NULL [-Waddress] - 916 | if (node_to_cpumask_map[node] == NULL) { - | ^~ - -node_to_cpumask_map is of type cpumask_var_t[]. - -When CONFIG_CPUMASK_OFFSTACK is set, cpumask_var_t is typedef'd to a -pointer for dynamic allocation, else to an array of one element. The -"wicked game" can be checked on line 700 of include/linux/cpumask.h. - -The original code in debug_cpumask_set_cpu() and cpumask_of_node() were -probably written by the original authors with CONFIG_CPUMASK_OFFSTACK=y -(i.e. dynamic allocation) in mind, checking if the cpumask was available -via a direct NULL check. - -When CONFIG_CPUMASK_OFFSTACK is not set, GCC gives the above warning -while compiling the kernel. - -Fix that by using cpumask_available(), which does the NULL check when -CONFIG_CPUMASK_OFFSTACK is set, otherwise returns true. Use it wherever -such checks are made. - -Conditional definitions of cpumask_available() can be found along with -the definition of cpumask_var_t. Check the cpumask.h reference mentioned -above. - -Fixes: c032ef60d1aa ("cpumask: convert node_to_cpumask_map[] to cpumask_var_t") -Fixes: de2d9445f162 ("x86: Unify node_to_cpumask_map handling between 32 and 64bit") -Signed-off-by: Siddh Raman Pant -Signed-off-by: Ingo Molnar -Link: https://lore.kernel.org/r/20220731160913.632092-1-code@siddh.me -Signed-off-by: Sasha Levin ---- - arch/x86/mm/numa.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/mm/numa.c b/arch/x86/mm/numa.c -index 3f35b48d1d9d..4249bae6e404 100644 ---- a/arch/x86/mm/numa.c -+++ b/arch/x86/mm/numa.c -@@ -826,7 +826,7 @@ void debug_cpumask_set_cpu(int cpu, int node, bool enable) - return; - } - mask = node_to_cpumask_map[node]; -- if (!mask) { -+ if (!cpumask_available(mask)) { - pr_err("node_to_cpumask_map[%i] NULL\n", node); - dump_stack(); - return; -@@ -872,7 +872,7 @@ const struct cpumask *cpumask_of_node(int node) - dump_stack(); - return cpu_none_mask; - } -- if (node_to_cpumask_map[node] == NULL) { -+ if (!cpumask_available(node_to_cpumask_map[node])) { - printk(KERN_WARNING - "cpumask_of_node(%d): no node_to_cpumask_map!\n", - node); --- -2.35.1 - diff --git a/queue-4.9/x86-pmem-fix-platform-device-leak-in-error-path.patch b/queue-4.9/x86-pmem-fix-platform-device-leak-in-error-path.patch deleted file mode 100644 index ce6679e84e5..00000000000 --- a/queue-4.9/x86-pmem-fix-platform-device-leak-in-error-path.patch +++ /dev/null @@ -1,41 +0,0 @@ -From deb46fe8806fab0ef7bd669ed5ec978cef94f0a7 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 20 Jun 2022 16:07:23 +0200 -Subject: x86/pmem: Fix platform-device leak in error path - -From: Johan Hovold - -[ Upstream commit 229e73d46994f15314f58b2d39bf952111d89193 ] - -Make sure to free the platform device in the unlikely event that -registration fails. - -Fixes: 7a67832c7e44 ("libnvdimm, e820: make CONFIG_X86_PMEM_LEGACY a tristate option") -Signed-off-by: Johan Hovold -Signed-off-by: Borislav Petkov -Link: https://lore.kernel.org/r/20220620140723.9810-1-johan@kernel.org -Signed-off-by: Sasha Levin ---- - arch/x86/kernel/pmem.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kernel/pmem.c b/arch/x86/kernel/pmem.c -index 0c5315d322c8..9fa65b6a1458 100644 ---- a/arch/x86/kernel/pmem.c -+++ b/arch/x86/kernel/pmem.c -@@ -26,6 +26,11 @@ static __init int register_e820_pmem(void) - * simply here to trigger the module to load on demand. - */ - pdev = platform_device_alloc("e820_pmem", -1); -- return platform_device_add(pdev); -+ -+ rc = platform_device_add(pdev); -+ if (rc) -+ platform_device_put(pdev); -+ -+ return rc; - } - device_initcall(register_e820_pmem); --- -2.35.1 -