From: Sasha Levin Date: Mon, 31 May 2021 02:37:07 +0000 (-0400) Subject: Fixes for 4.9 X-Git-Tag: v4.4.271~43 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=54220c90490b4c12bfcdc60386ab542e9281bab8;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for 4.9 Signed-off-by: Sasha Levin --- diff --git a/queue-4.9/asoc-cs35l33-fix-an-error-code-in-probe.patch b/queue-4.9/asoc-cs35l33-fix-an-error-code-in-probe.patch new file mode 100644 index 00000000000..2f57104497b --- /dev/null +++ b/queue-4.9/asoc-cs35l33-fix-an-error-code-in-probe.patch @@ -0,0 +1,36 @@ +From c8a96acbd47da6e860dabeee21ea7824302ad35e Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 May 2021 08:08:24 +0300 +Subject: ASoC: cs35l33: fix an error code in probe() + +From: Dan Carpenter + +[ Upstream commit 833bc4cf9754643acc69b3c6b65988ca78df4460 ] + +This error path returns zero (success) but it should return -EINVAL. + +Fixes: 3333cb7187b9 ("ASoC: cs35l33: Initial commit of the cs35l33 CODEC driver.") +Signed-off-by: Dan Carpenter +Reviewed-by: Charles Keepax +Link: https://lore.kernel.org/r/YKXuyGEzhPT35R3G@mwanda +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/cs35l33.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/sound/soc/codecs/cs35l33.c b/sound/soc/codecs/cs35l33.c +index 6df29fa30fb9..9e449dd8da92 100644 +--- a/sound/soc/codecs/cs35l33.c ++++ b/sound/soc/codecs/cs35l33.c +@@ -1209,6 +1209,7 @@ static int cs35l33_i2c_probe(struct i2c_client *i2c_client, + dev_err(&i2c_client->dev, + "CS35L33 Device ID (%X). Expected ID %X\n", + devid, CS35L33_CHIP_ID); ++ ret = -EINVAL; + goto err_enable; + } + +-- +2.30.2 + diff --git a/queue-4.9/mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch b/queue-4.9/mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch new file mode 100644 index 00000000000..629b285ae76 --- /dev/null +++ b/queue-4.9/mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch @@ -0,0 +1,46 @@ +From 9d79ca7dc0d985868a8822d1587f6f5f46a27721 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 17:01:08 -0700 +Subject: MIPS: alchemy: xxs1500: add gpio-au1000.h header file + +From: Randy Dunlap + +[ Upstream commit ff4cff962a7eedc73e54b5096693da7f86c61346 ] + +board-xxs1500.c references 2 functions without declaring them, so add +the header file to placate the build. + +../arch/mips/alchemy/board-xxs1500.c: In function 'board_setup': +../arch/mips/alchemy/board-xxs1500.c:56:2: error: implicit declaration of function 'alchemy_gpio1_input_enable' [-Werror=implicit-function-declaration] + 56 | alchemy_gpio1_input_enable(); +../arch/mips/alchemy/board-xxs1500.c:57:2: error: implicit declaration of function 'alchemy_gpio2_enable'; did you mean 'alchemy_uart_enable'? [-Werror=implicit-function-declaration] + 57 | alchemy_gpio2_enable(); + +Fixes: 8e026910fcd4 ("MIPS: Alchemy: merge GPR/MTX-1/XXS1500 board code into single files") +Signed-off-by: Randy Dunlap +Cc: Thomas Bogendoerfer +Cc: linux-mips@vger.kernel.org +Cc: Manuel Lauss +Cc: Ralf Baechle +Acked-by: Manuel Lauss +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/alchemy/board-xxs1500.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/mips/alchemy/board-xxs1500.c b/arch/mips/alchemy/board-xxs1500.c +index 0fc53e08a894..c05f7376148a 100644 +--- a/arch/mips/alchemy/board-xxs1500.c ++++ b/arch/mips/alchemy/board-xxs1500.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + #include + + const char *get_system_type(void) +-- +2.30.2 + diff --git a/queue-4.9/mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch b/queue-4.9/mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch new file mode 100644 index 00000000000..941e2dcb75b --- /dev/null +++ b/queue-4.9/mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch @@ -0,0 +1,53 @@ +From af4b0aeb552cff6c79e1b6c0a13acc42a078930a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 17:54:17 -0700 +Subject: MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c + +From: Randy Dunlap + +[ Upstream commit fef532ea0cd871afab7d9a7b6e9da99ac2c24371 ] + +rt2880_wdt.c uses (well, attempts to use) rt_sysc_membase. However, +when this watchdog driver is built as a loadable module, there is a +build error since the rt_sysc_membase symbol is not exported. +Export it to quell the build error. + +ERROR: modpost: "rt_sysc_membase" [drivers/watchdog/rt2880_wdt.ko] undefined! + +Fixes: 473cf939ff34 ("watchdog: add ralink watchdog driver") +Signed-off-by: Randy Dunlap +Cc: Guenter Roeck +Cc: Wim Van Sebroeck +Cc: John Crispin +Cc: linux-mips@vger.kernel.org +Cc: linux-watchdog@vger.kernel.org +Acked-by: Guenter Roeck +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/ralink/of.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/mips/ralink/of.c b/arch/mips/ralink/of.c +index 0aa67a2d0ae6..6b7226830354 100644 +--- a/arch/mips/ralink/of.c ++++ b/arch/mips/ralink/of.c +@@ -10,6 +10,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -27,6 +28,7 @@ + + __iomem void *rt_sysc_membase; + __iomem void *rt_memc_membase; ++EXPORT_SYMBOL_GPL(rt_sysc_membase); + + __iomem void *plat_of_remap_node(const char *node) + { +-- +2.30.2 + diff --git a/queue-4.9/mld-fix-panic-in-mld_newpack.patch b/queue-4.9/mld-fix-panic-in-mld_newpack.patch new file mode 100644 index 00000000000..76b045e063d --- /dev/null +++ b/queue-4.9/mld-fix-panic-in-mld_newpack.patch @@ -0,0 +1,112 @@ +From 3a1cccf56f48bf5642ddfbf86bb069d9836fb7f0 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 16 May 2021 14:44:42 +0000 +Subject: mld: fix panic in mld_newpack() + +From: Taehee Yoo + +[ Upstream commit 020ef930b826d21c5446fdc9db80fd72a791bc21 ] + +mld_newpack() doesn't allow to allocate high order page, +only order-0 allocation is allowed. +If headroom size is too large, a kernel panic could occur in skb_put(). + +Test commands: + ip netns del A + ip netns del B + ip netns add A + ip netns add B + ip link add veth0 type veth peer name veth1 + ip link set veth0 netns A + ip link set veth1 netns B + + ip netns exec A ip link set lo up + ip netns exec A ip link set veth0 up + ip netns exec A ip -6 a a 2001:db8:0::1/64 dev veth0 + ip netns exec B ip link set lo up + ip netns exec B ip link set veth1 up + ip netns exec B ip -6 a a 2001:db8:0::2/64 dev veth1 + for i in {1..99} + do + let A=$i-1 + ip netns exec A ip link add ip6gre$i type ip6gre \ + local 2001:db8:$A::1 remote 2001:db8:$A::2 encaplimit 100 + ip netns exec A ip -6 a a 2001:db8:$i::1/64 dev ip6gre$i + ip netns exec A ip link set ip6gre$i up + + ip netns exec B ip link add ip6gre$i type ip6gre \ + local 2001:db8:$A::2 remote 2001:db8:$A::1 encaplimit 100 + ip netns exec B ip -6 a a 2001:db8:$i::2/64 dev ip6gre$i + ip netns exec B ip link set ip6gre$i up + done + +Splat looks like: +kernel BUG at net/core/skbuff.c:110! +invalid opcode: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN PTI +CPU: 0 PID: 7 Comm: kworker/0:1 Not tainted 5.12.0+ #891 +Workqueue: ipv6_addrconf addrconf_dad_work +RIP: 0010:skb_panic+0x15d/0x15f +Code: 92 fe 4c 8b 4c 24 10 53 8b 4d 70 45 89 e0 48 c7 c7 00 ae 79 83 +41 57 41 56 41 55 48 8b 54 24 a6 26 f9 ff <0f> 0b 48 8b 6c 24 20 89 +34 24 e8 4a 4e 92 fe 8b 34 24 48 c7 c1 20 +RSP: 0018:ffff88810091f820 EFLAGS: 00010282 +RAX: 0000000000000089 RBX: ffff8881086e9000 RCX: 0000000000000000 +RDX: 0000000000000089 RSI: 0000000000000008 RDI: ffffed1020123efb +RBP: ffff888005f6eac0 R08: ffffed1022fc0031 R09: ffffed1022fc0031 +R10: ffff888117e00187 R11: ffffed1022fc0030 R12: 0000000000000028 +R13: ffff888008284eb0 R14: 0000000000000ed8 R15: 0000000000000ec0 +FS: 0000000000000000(0000) GS:ffff888117c00000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007f8b801c5640 CR3: 0000000033c2c006 CR4: 00000000003706f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + ? ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + skb_put.cold.104+0x22/0x22 + ip6_mc_hdr.isra.26.constprop.46+0x12a/0x600 + ? rcu_read_lock_sched_held+0x91/0xc0 + mld_newpack+0x398/0x8f0 + ? ip6_mc_hdr.isra.26.constprop.46+0x600/0x600 + ? lock_contended+0xc40/0xc40 + add_grhead.isra.33+0x280/0x380 + add_grec+0x5ca/0xff0 + ? mld_sendpack+0xf40/0xf40 + ? lock_downgrade+0x690/0x690 + mld_send_initial_cr.part.34+0xb9/0x180 + ipv6_mc_dad_complete+0x15d/0x1b0 + addrconf_dad_completed+0x8d2/0xbb0 + ? lock_downgrade+0x690/0x690 + ? addrconf_rs_timer+0x660/0x660 + ? addrconf_dad_work+0x73c/0x10e0 + addrconf_dad_work+0x73c/0x10e0 + +Allowing high order page allocation could fix this problem. + +Fixes: 72e09ad107e7 ("ipv6: avoid high order allocations") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/ipv6/mcast.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index f904b9b24027..9a78b89690bd 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1580,10 +1580,7 @@ static struct sk_buff *mld_newpack(struct inet6_dev *idev, unsigned int mtu) + IPV6_TLV_PADN, 0 }; + + /* we assume size > sizeof(ra) here */ +- /* limit our allocations to order-0 page */ +- size = min_t(int, size, SKB_MAX_ORDER(0, 0)); + skb = sock_alloc_send_skb(sk, size, 1, &err); +- + if (!skb) + return NULL; + +-- +2.30.2 + diff --git a/queue-4.9/net-bnx2-fix-error-return-code-in-bnx2_init_board.patch b/queue-4.9/net-bnx2-fix-error-return-code-in-bnx2_init_board.patch new file mode 100644 index 00000000000..42e9f4ac786 --- /dev/null +++ b/queue-4.9/net-bnx2-fix-error-return-code-in-bnx2_init_board.patch @@ -0,0 +1,40 @@ +From 23380d285ce3062f7b979ecc90f7e7682880c72b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 15 May 2021 15:16:05 +0800 +Subject: net: bnx2: Fix error return code in bnx2_init_board() + +From: Zhen Lei + +[ Upstream commit 28c66b6da4087b8cfe81c2ec0a46eb6116dafda9 ] + +Fix to return -EPERM from the error handling case instead of 0, as done +elsewhere in this function. + +Fixes: b6016b767397 ("[BNX2]: New Broadcom gigabit network driver.") +Reported-by: Hulk Robot +Signed-off-by: Zhen Lei +Reviewed-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/broadcom/bnx2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/broadcom/bnx2.c b/drivers/net/ethernet/broadcom/bnx2.c +index 1f7034d739b0..e15e487c14dd 100644 +--- a/drivers/net/ethernet/broadcom/bnx2.c ++++ b/drivers/net/ethernet/broadcom/bnx2.c +@@ -8256,9 +8256,9 @@ bnx2_init_board(struct pci_dev *pdev, struct net_device *dev) + BNX2_WR(bp, PCI_COMMAND, reg); + } else if ((BNX2_CHIP_ID(bp) == BNX2_CHIP_ID_5706_A1) && + !(bp->flags & BNX2_FLAG_PCIX)) { +- + dev_err(&pdev->dev, + "5706 A1 can only be used in a PCIX bus, aborting\n"); ++ rc = -EPERM; + goto err_out_unmap; + } + +-- +2.30.2 + diff --git a/queue-4.9/net-mdio-octeon-fix-some-double-free-issues.patch b/queue-4.9/net-mdio-octeon-fix-some-double-free-issues.patch new file mode 100644 index 00000000000..b016f26585c --- /dev/null +++ b/queue-4.9/net-mdio-octeon-fix-some-double-free-issues.patch @@ -0,0 +1,50 @@ +From ebf59fad1f098ba16184092522468aea86894fd8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 09:24:55 +0200 +Subject: net: mdio: octeon: Fix some double free issues + +From: Christophe JAILLET + +[ Upstream commit e1d027dd97e1e750669cdc0d3b016a4f54e473eb ] + +'bus->mii_bus' has been allocated with 'devm_mdiobus_alloc_size()' in the +probe function. So it must not be freed explicitly or there will be a +double free. + +Remove the incorrect 'mdiobus_free' in the error handling path of the +probe function and in remove function. + +Suggested-By: Andrew Lunn +Fixes: 35d2aeac9810 ("phy: mdio-octeon: Use devm_mdiobus_alloc_size()") +Signed-off-by: Christophe JAILLET +Reviewed-by: Russell King +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio-octeon.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/drivers/net/phy/mdio-octeon.c b/drivers/net/phy/mdio-octeon.c +index ab6914f8bd50..1da104150f44 100644 +--- a/drivers/net/phy/mdio-octeon.c ++++ b/drivers/net/phy/mdio-octeon.c +@@ -75,7 +75,6 @@ static int octeon_mdiobus_probe(struct platform_device *pdev) + + return 0; + fail_register: +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return err; +@@ -89,7 +88,6 @@ static int octeon_mdiobus_remove(struct platform_device *pdev) + bus = platform_get_drvdata(pdev); + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + smi_en.u64 = 0; + oct_mdio_writeq(smi_en.u64, bus->register_base + SMI_EN); + return 0; +-- +2.30.2 + diff --git a/queue-4.9/net-mdio-thunder-fix-a-double-free-issue-in-the-.rem.patch b/queue-4.9/net-mdio-thunder-fix-a-double-free-issue-in-the-.rem.patch new file mode 100644 index 00000000000..9764b158483 --- /dev/null +++ b/queue-4.9/net-mdio-thunder-fix-a-double-free-issue-in-the-.rem.patch @@ -0,0 +1,40 @@ +From 60ba744592930f6955717103f2872ac8a7e23d8f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 13 May 2021 09:44:49 +0200 +Subject: net: mdio: thunder: Fix a double free issue in the .remove function + +From: Christophe JAILLET + +[ Upstream commit a93a0a15876d2a077a3bc260b387d2457a051f24 ] + +'bus->mii_bus' have been allocated with 'devm_mdiobus_alloc_size()' in the +probe function. So it must not be freed explicitly or there will be a +double free. + +Remove the incorrect 'mdiobus_free' in the remove function. + +Fixes: 379d7ac7ca31 ("phy: mdio-thunder: Add driver for Cavium Thunder SoC MDIO buses.") +Signed-off-by: Christophe JAILLET +Reviewed-by: Russell King +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/phy/mdio-thunder.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/drivers/net/phy/mdio-thunder.c b/drivers/net/phy/mdio-thunder.c +index 564616968cad..c0c922eff760 100644 +--- a/drivers/net/phy/mdio-thunder.c ++++ b/drivers/net/phy/mdio-thunder.c +@@ -129,7 +129,6 @@ static void thunder_mdiobus_pci_remove(struct pci_dev *pdev) + continue; + + mdiobus_unregister(bus->mii_bus); +- mdiobus_free(bus->mii_bus); + oct_mdio_writeq(0, bus->register_base + SMI_EN); + } + pci_set_drvdata(pdev, NULL); +-- +2.30.2 + diff --git a/queue-4.9/net-netcp-fix-an-error-message.patch b/queue-4.9/net-netcp-fix-an-error-message.patch new file mode 100644 index 00000000000..b41d29f5c3a --- /dev/null +++ b/queue-4.9/net-netcp-fix-an-error-message.patch @@ -0,0 +1,41 @@ +From 8b1ff5766fc718633afb414211c9aba5056b36a4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sat, 8 May 2021 07:38:22 +0200 +Subject: net: netcp: Fix an error message + +From: Christophe JAILLET + +[ Upstream commit ddb6e00f8413e885ff826e32521cff7924661de0 ] + +'ret' is known to be 0 here. +The expected error code is stored in 'tx_pipe->dma_queue', so use it +instead. + +While at it, switch from %d to %pe which is more user friendly. + +Fixes: 84640e27f230 ("net: netcp: Add Keystone NetCP core ethernet driver") +Signed-off-by: Christophe JAILLET +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + drivers/net/ethernet/ti/netcp_core.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/netcp_core.c b/drivers/net/ethernet/ti/netcp_core.c +index 32516661f180..a55e83a0946a 100644 +--- a/drivers/net/ethernet/ti/netcp_core.c ++++ b/drivers/net/ethernet/ti/netcp_core.c +@@ -1325,8 +1325,8 @@ int netcp_txpipe_open(struct netcp_tx_pipe *tx_pipe) + tx_pipe->dma_queue = knav_queue_open(name, tx_pipe->dma_queue_id, + KNAV_QUEUE_SHARED); + if (IS_ERR(tx_pipe->dma_queue)) { +- dev_err(dev, "Could not open DMA queue for channel \"%s\": %d\n", +- name, ret); ++ dev_err(dev, "Could not open DMA queue for channel \"%s\": %pe\n", ++ name, tx_pipe->dma_queue); + ret = PTR_ERR(tx_pipe->dma_queue); + goto err; + } +-- +2.30.2 + diff --git a/queue-4.9/sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch b/queue-4.9/sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch new file mode 100644 index 00000000000..2aed8e13bf6 --- /dev/null +++ b/queue-4.9/sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch @@ -0,0 +1,76 @@ +From aa648a6087cac17663e91a6da696099f88bdd06c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 23 May 2021 14:38:53 +0000 +Subject: sch_dsmark: fix a NULL deref in qdisc_reset() + +From: Taehee Yoo + +[ Upstream commit 9b76eade16423ef06829cccfe3e100cfce31afcd ] + +If Qdisc_ops->init() is failed, Qdisc_ops->reset() would be called. +When dsmark_init(Qdisc_ops->init()) is failed, it possibly doesn't +initialize dsmark_qdisc_data->q. But dsmark_reset(Qdisc_ops->reset()) +uses dsmark_qdisc_data->q pointer wihtout any null checking. +So, panic would occur. + +Test commands: + sysctl net.core.default_qdisc=dsmark -w + ip link add dummy0 type dummy + ip link add vw0 link dummy0 type virt_wifi + ip link set vw0 up + +Splat looks like: +KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] +CPU: 3 PID: 684 Comm: ip Not tainted 5.12.0+ #910 +RIP: 0010:qdisc_reset+0x2b/0x680 +Code: 1f 44 00 00 48 b8 00 00 00 00 00 fc ff df 41 57 41 56 41 55 41 54 +55 48 89 fd 48 83 c7 18 53 48 89 fa 48 c1 ea 03 48 83 ec 20 <80> 3c 02 +00 0f 85 09 06 00 00 4c 8b 65 18 0f 1f 44 00 00 65 8b 1d +RSP: 0018:ffff88800fda6bf8 EFLAGS: 00010282 +RAX: dffffc0000000000 RBX: ffff8880050ed800 RCX: 0000000000000000 +RDX: 0000000000000003 RSI: ffffffff99e34100 RDI: 0000000000000018 +RBP: 0000000000000000 R08: fffffbfff346b553 R09: fffffbfff346b553 +R10: 0000000000000001 R11: fffffbfff346b552 R12: ffffffffc0824940 +R13: ffff888109e83800 R14: 00000000ffffffff R15: ffffffffc08249e0 +FS: 00007f5042287680(0000) GS:ffff888119800000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000055ae1f4dbd90 CR3: 0000000006760002 CR4: 00000000003706e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ? rcu_read_lock_bh_held+0xa0/0xa0 + dsmark_reset+0x3d/0xf0 [sch_dsmark] + qdisc_reset+0xa9/0x680 + qdisc_destroy+0x84/0x370 + qdisc_create_dflt+0x1fe/0x380 + attach_one_default_qdisc.constprop.41+0xa4/0x180 + dev_activate+0x4d5/0x8c0 + ? __dev_open+0x268/0x390 + __dev_open+0x270/0x390 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Sasha Levin +--- + net/sched/sch_dsmark.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sched/sch_dsmark.c b/net/sched/sch_dsmark.c +index 551cf193649e..02ef78d2b3df 100644 +--- a/net/sched/sch_dsmark.c ++++ b/net/sched/sch_dsmark.c +@@ -388,7 +388,8 @@ static void dsmark_reset(struct Qdisc *sch) + struct dsmark_qdisc_data *p = qdisc_priv(sch); + + pr_debug("%s(sch %p,[qdisc %p])\n", __func__, sch, p); +- qdisc_reset(p->q); ++ if (p->q) ++ qdisc_reset(p->q); + sch->qstats.backlog = 0; + sch->q.qlen = 0; + } +-- +2.30.2 + diff --git a/queue-4.9/scsi-libsas-use-_safe-loop-in-sas_resume_port.patch b/queue-4.9/scsi-libsas-use-_safe-loop-in-sas_resume_port.patch new file mode 100644 index 00000000000..9a6a0d502d5 --- /dev/null +++ b/queue-4.9/scsi-libsas-use-_safe-loop-in-sas_resume_port.patch @@ -0,0 +1,51 @@ +From e4dc6ec4d708e94b2be5a3890f478445775e62a5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 17:20:27 +0300 +Subject: scsi: libsas: Use _safe() loop in sas_resume_port() + +From: Dan Carpenter + +[ Upstream commit 8c7e7b8486cda21269d393245883c5e4737d5ee7 ] + +If sas_notify_lldd_dev_found() fails then this code calls: + + sas_unregister_dev(port, dev); + +which removes "dev", our list iterator, from the list. This could lead to +an endless loop. We need to use list_for_each_entry_safe(). + +Link: https://lore.kernel.org/r/YKUeq6gwfGcvvhty@mwanda +Fixes: 303694eeee5e ("[SCSI] libsas: suspend / resume support") +Reviewed-by: John Garry +Signed-off-by: Dan Carpenter +Signed-off-by: Martin K. Petersen +Signed-off-by: Sasha Levin +--- + drivers/scsi/libsas/sas_port.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/scsi/libsas/sas_port.c b/drivers/scsi/libsas/sas_port.c +index d3c5297c6c89..30e0730f613e 100644 +--- a/drivers/scsi/libsas/sas_port.c ++++ b/drivers/scsi/libsas/sas_port.c +@@ -41,7 +41,7 @@ static bool phy_is_wideport_member(struct asd_sas_port *port, struct asd_sas_phy + + static void sas_resume_port(struct asd_sas_phy *phy) + { +- struct domain_device *dev; ++ struct domain_device *dev, *n; + struct asd_sas_port *port = phy->port; + struct sas_ha_struct *sas_ha = phy->ha; + struct sas_internal *si = to_sas_internal(sas_ha->core.shost->transportt); +@@ -60,7 +60,7 @@ static void sas_resume_port(struct asd_sas_phy *phy) + * 1/ presume every device came back + * 2/ force the next revalidation to check all expander phys + */ +- list_for_each_entry(dev, &port->dev_list, dev_list_node) { ++ list_for_each_entry_safe(dev, n, &port->dev_list, dev_list_node) { + int i, rc; + + rc = sas_notify_lldd_dev_found(dev); +-- +2.30.2 + diff --git a/queue-4.9/series b/queue-4.9/series index 1d2e8545593..483f06768ed 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -53,3 +53,14 @@ openrisc-define-memory-barrier-mb.patch btrfs-do-not-bug_on-in-link_to_fixup_dir.patch platform-x86-intel_punit_ipc-append-module_device_ta.patch drm-amdgpu-fix-a-use-after-free.patch +net-netcp-fix-an-error-message.patch +net-mdio-thunder-fix-a-double-free-issue-in-the-.rem.patch +net-mdio-octeon-fix-some-double-free-issues.patch +net-bnx2-fix-error-return-code-in-bnx2_init_board.patch +mld-fix-panic-in-mld_newpack.patch +staging-emxx_udc-fix-loop-in-_nbu2ss_nuke.patch +asoc-cs35l33-fix-an-error-code-in-probe.patch +scsi-libsas-use-_safe-loop-in-sas_resume_port.patch +sch_dsmark-fix-a-null-deref-in-qdisc_reset.patch +mips-alchemy-xxs1500-add-gpio-au1000.h-header-file.patch +mips-ralink-export-rt_sysc_membase-for-rt2880_wdt.c.patch diff --git a/queue-4.9/staging-emxx_udc-fix-loop-in-_nbu2ss_nuke.patch b/queue-4.9/staging-emxx_udc-fix-loop-in-_nbu2ss_nuke.patch new file mode 100644 index 00000000000..b9fe32c5525 --- /dev/null +++ b/queue-4.9/staging-emxx_udc-fix-loop-in-_nbu2ss_nuke.patch @@ -0,0 +1,49 @@ +From 1843df75bf96019cf3d815847f7fb82dd9878a9c Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Wed, 19 May 2021 17:16:50 +0300 +Subject: staging: emxx_udc: fix loop in _nbu2ss_nuke() + +From: Dan Carpenter + +[ Upstream commit e0112a7c9e847ada15a631b88e279d547e8f26a7 ] + +The _nbu2ss_ep_done() function calls: + + list_del_init(&req->queue); + +which means that the loop will never exit. + +Fixes: ca3d253eb967 ("Staging: emxx_udc: Iterate list using list_for_each_entry") +Signed-off-by: Dan Carpenter +Link: https://lore.kernel.org/r/YKUd0sDyjm/lkJfJ@mwanda +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/staging/emxx_udc/emxx_udc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/emxx_udc/emxx_udc.c b/drivers/staging/emxx_udc/emxx_udc.c +index 1055649f034c..59266650e071 100644 +--- a/drivers/staging/emxx_udc/emxx_udc.c ++++ b/drivers/staging/emxx_udc/emxx_udc.c +@@ -2173,7 +2173,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc, + struct nbu2ss_ep *ep, + int status) + { +- struct nbu2ss_req *req; ++ struct nbu2ss_req *req, *n; + + /* Endpoint Disable */ + _nbu2ss_epn_exit(udc, ep); +@@ -2185,7 +2185,7 @@ static int _nbu2ss_nuke(struct nbu2ss_udc *udc, + return 0; + + /* called with irqs blocked */ +- list_for_each_entry(req, &ep->queue, queue) { ++ list_for_each_entry_safe(req, n, &ep->queue, queue) { + _nbu2ss_ep_done(ep, req, status); + } + +-- +2.30.2 +