From: Greg Kroah-Hartman Date: Wed, 12 May 2021 08:34:10 +0000 (+0200) Subject: 5.12-stable patches X-Git-Tag: v5.4.119~90 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=904689bc4e6328d54cad43306e14c057e5cf764c;p=thirdparty%2Fkernel%2Fstable-queue.git 5.12-stable patches added patches: bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch bluetooth-verify-amp-hci_chan-before-amp_destroy.patch coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch software-node-allow-node-addition-to-already-existing-device.patch staging-fwserial-fix-tiocsserial-jiffies-conversions.patch staging-fwserial-fix-tiocsserial-permission-check.patch staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch tty-amiserial-fix-tiocsserial-permission-check.patch tty-moxa-fix-tiocsserial-jiffies-conversions.patch tty-moxa-fix-tiocsserial-permission-check.patch tty-mxser-fix-tiocsserial-jiffies-conversions.patch tty-mxser-fix-tiocsserial-permission-check.patch usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
---
diff --git a/queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch b/queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch
new file mode 100644
index 00000000000..96362f04b56
--- /dev/null
+++ b/queue-5.12/bluetooth-eliminate-the-potential-race-condition-when-removing-the-hci-controller.patch
@@ -0,0 +1,53 @@ +From e2cb6b891ad2b8caa9131e3be70f45243df82a80 Mon Sep 17 00:00:00 2001 +From: Lin Ma +Date: Mon, 12 Apr 2021 19:17:57 +0800 +Subject: bluetooth: eliminate the potential race condition when removing the HCI controller + +From: Lin Ma + +commit e2cb6b891ad2b8caa9131e3be70f45243df82a80 upstream. + +There is a possible race condition vulnerability between issuing a HCI +command and removing the cont. Specifically, functions hci_req_sync() +and hci_dev_do_close() can race each other like below: + +thread-A in hci_req_sync() | thread-B in hci_dev_do_close() + | hci_req_sync_lock(hdev); +test_bit(HCI_UP, &hdev->flags); | +... | test_and_clear_bit(HCI_UP, &hdev->flags) +hci_req_sync_lock(hdev); | + | +In this commit we alter the sequence in function hci_req_sync(). Hence, +the thread-A cannot issue th. + +Signed-off-by: Lin Ma +Cc: Marcel Holtmann +Fixes: 7c6a329e4447 ("[Bluetooth] Fix regression from using default link policy") +Signed-off-by: Greg Kroah-Hartman +--- + net/bluetooth/hci_request.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/hci_request.c ++++ b/net/bluetooth/hci_request.c +@@ -272,12 +272,16 @@ int hci_req_sync(struct hci_dev *hdev, i + { + int ret; + +- if (!test_bit(HCI_UP, &hdev->flags)) +- return -ENETDOWN; +- + /* Serialize all requests */ + hci_req_sync_lock(hdev); +- ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ /* check the state after obtaing the lock to protect the HCI_UP ++ * against any races from hci_dev_do_close when the controller ++ * gets removed. ++ */ ++ if (test_bit(HCI_UP, &hdev->flags)) ++ ret = __hci_req_sync(hdev, req, opt, timeout, hci_status); ++ else ++ ret = -ENETDOWN; + hci_req_sync_unlock(hdev); + + return ret; diff --git a/queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch b/queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch new file mode 100644 index 00000000000..06aaf129e95 --- /dev/null 
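Review bot: The comment added in hci_req_sync() misspells "obtaining" and does not name the lock that makes the HCI_UP test safe; `/* Test HCI_UP only under the req_sync lock: hci_dev_do_close() clears the bit while holding it. */` states the invariant directly. The reordering only protects callers that enter through hci_req_sync(). Any path that calls __hci_req_sync() after its own unlocked HCI_UP test would keep the same window; whether such callers exist cannot be confirmed from this hunk and is worth checking.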
+++ b/queue-5.12/bluetooth-verify-amp-hci_chan-before-amp_destroy.patch 
@@ -0,0 +1,138 @@ +From 5c4c8c9544099bb9043a10a5318130a943e32fc3 Mon Sep 17 00:00:00 2001 +From: Archie Pusaka +Date: Mon, 22 Mar 2021 14:03:11 +0800 +Subject: Bluetooth: verify AMP hci_chan before amp_destroy + +From: Archie Pusaka + +commit 5c4c8c9544099bb9043a10a5318130a943e32fc3 upstream. + +hci_chan can be created in 2 places: hci_loglink_complete_evt() if +it is an AMP hci_chan, or l2cap_conn_add() otherwise. In theory, +Only AMP hci_chan should be removed by a call to +hci_disconn_loglink_complete_evt(). However, the controller might mess +up, call that function, and destroy an hci_chan which is not initiated +by hci_loglink_complete_evt(). + +This patch adds a verification that the destroyed hci_chan must have +been init'd by hci_loglink_complete_evt(). + +Example crash call trace: +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0xe3/0x144 lib/dump_stack.c:118 + print_address_description+0x67/0x22a mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report mm/kasan/report.c:412 [inline] + kasan_report+0x251/0x28f mm/kasan/report.c:396 + hci_send_acl+0x3b/0x56e net/bluetooth/hci_core.c:4072 + l2cap_send_cmd+0x5af/0x5c2 net/bluetooth/l2cap_core.c:877 + l2cap_send_move_chan_cfm_icid+0x8e/0xb1 net/bluetooth/l2cap_core.c:4661 + l2cap_move_fail net/bluetooth/l2cap_core.c:5146 [inline] + l2cap_move_channel_rsp net/bluetooth/l2cap_core.c:5185 [inline] + l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:5464 [inline] + l2cap_sig_channel net/bluetooth/l2cap_core.c:5799 [inline] + l2cap_recv_frame+0x1d12/0x51aa net/bluetooth/l2cap_core.c:7023 + l2cap_recv_acldata+0x2ea/0x693 net/bluetooth/l2cap_core.c:7596 + hci_acldata_packet net/bluetooth/hci_core.c:4606 [inline] + hci_rx_work+0x2bd/0x45e net/bluetooth/hci_core.c:4796 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 
arch/x86/entry/entry_64.S:415 + +Allocated by task 38: + set_track mm/kasan/kasan.c:460 [inline] + kasan_kmalloc+0x8d/0x9a mm/kasan/kasan.c:553 + kmem_cache_alloc_trace+0x102/0x129 mm/slub.c:2787 + kmalloc include/linux/slab.h:515 [inline] + kzalloc include/linux/slab.h:709 [inline] + hci_chan_create+0x86/0x26d net/bluetooth/hci_conn.c:1674 + l2cap_conn_add.part.0+0x1c/0x814 net/bluetooth/l2cap_core.c:7062 + l2cap_conn_add net/bluetooth/l2cap_core.c:7059 [inline] + l2cap_connect_cfm+0x134/0x852 net/bluetooth/l2cap_core.c:7381 + hci_connect_cfm+0x9d/0x122 include/net/bluetooth/hci_core.h:1404 + hci_remote_ext_features_evt net/bluetooth/hci_event.c:4161 [inline] + hci_event_packet+0x463f/0x72fa net/bluetooth/hci_event.c:5981 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + +Freed by task 1732: + set_track mm/kasan/kasan.c:460 [inline] + __kasan_slab_free mm/kasan/kasan.c:521 [inline] + __kasan_slab_free+0x106/0x128 mm/kasan/kasan.c:493 + slab_free_hook mm/slub.c:1409 [inline] + slab_free_freelist_hook+0xaa/0xf6 mm/slub.c:1436 + slab_free mm/slub.c:3009 [inline] + kfree+0x182/0x21e mm/slub.c:3972 + hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4891 [inline] + hci_event_packet+0x6a1c/0x72fa net/bluetooth/hci_event.c:6050 + hci_rx_work+0x197/0x45e net/bluetooth/hci_core.c:4791 + process_one_work+0x6f8/0xb50 kernel/workqueue.c:2175 + worker_thread+0x4fc/0x670 kernel/workqueue.c:2321 + kthread+0x2f0/0x304 kernel/kthread.c:253 + ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:415 + +The buggy address belongs to the object at ffff8881d7af9180 + which belongs to the cache kmalloc-128 of size 128 +The buggy address is located 24 bytes inside of + 128-byte region [ffff8881d7af9180, ffff8881d7af9200) +The buggy address belongs to the page: 
+page:ffffea00075ebe40 count:1 mapcount:0 mapping:ffff8881da403200 index:0x0 +flags: 0x8000000000000200(slab) +raw: 8000000000000200 dead000000000100 dead000000000200 ffff8881da403200 +raw: 0000000000000000 0000000080150015 00000001ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff8881d7af9080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb + ffff8881d7af9100: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc +>ffff8881d7af9180: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb + ^ + ffff8881d7af9200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + ffff8881d7af9280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc + +Signed-off-by: Archie Pusaka +Reported-by: syzbot+98228e7407314d2d4ba2@syzkaller.appspotmail.com +Reviewed-by: Alain Michaud +Reviewed-by: Abhishek Pandit-Subedi +Signed-off-by: Marcel Holtmann +Cc: George Kennedy +Signed-off-by: Greg Kroah-Hartman +--- + include/net/bluetooth/hci_core.h | 1 + + net/bluetooth/hci_event.c | 3 ++- + 2 files changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/bluetooth/hci_core.h ++++ b/include/net/bluetooth/hci_core.h +@@ -704,6 +704,7 @@ struct hci_chan { + struct sk_buff_head data_q; + unsigned int sent; + __u8 state; ++ bool amp; + }; + + struct hci_conn_params { +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -5005,6 +5005,7 @@ static void hci_loglink_complete_evt(str + return; + + hchan->handle = le16_to_cpu(ev->handle); ++ hchan->amp = true; + + BT_DBG("hcon %p mgr %p hchan %p", hcon, hcon->amp_mgr, hchan); + +@@ -5037,7 +5038,7 @@ static void hci_disconn_loglink_complete + hci_dev_lock(hdev); + + hchan = hci_chan_lookup_handle(hdev, le16_to_cpu(ev->handle)); +- if (!hchan) ++ if (!hchan || !hchan->amp) + goto unlock; + + amp_destroy_logical_link(hchan, ev->reason); 
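Review bot: In hci_disconn_loglink_complete_evt() the new `!hchan->amp` test drops the event silently through `goto unlock`, so a controller that sends a disconnect-logical-link event for a non-AMP channel leaves no trace. The commit message treats that as controller misbehaviour, so it deserves a rate-limited log line before the jump, for example a separate `if (!hchan->amp)` branch calling `bt_dev_warn_ratelimited(hdev, "logical link disconnect for non-AMP hchan");`. The new `bool amp` member of struct hci_chan has no comment either; `/* set only by hci_loglink_complete_evt() */` would record the invariant the check relies on. Both functions start and end outside the hunks shown.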
diff --git a/queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch b/queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch new file mode 100644 index 00000000000..4cc4956abb4 --- /dev/null +++ b/queue-5.12/coresight-etm-perf-fix-define-build-issue-when-built-as-module.patch @@ -0,0 +1,40 @@ +From 9204ff94868496f2d9b8b173af52ec455160c364 Mon Sep 17 00:00:00 2001 +From: Mike Leach +Date: Thu, 15 Apr 2021 14:24:04 -0600 +Subject: coresight: etm-perf: Fix define build issue when built as module + +From: Mike Leach + +commit 9204ff94868496f2d9b8b173af52ec455160c364 upstream. + +CONFIG_CORESIGHT_SOURCE_ETM4X is undefined when built as module, +CONFIG_CORESIGHT_SOURCE_ETM4X_MODULE is defined instead. + +Therefore code in format_attr_contextid_show() not correctly complied +when coresight built as module. + +Use IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM4X) to correct this. + +Link: https://lore.kernel.org/r/20210414194808.22872-1-mike.leach@linaro.org +Fixes: 88f11864cf1d ("coresight: etm-perf: Support PID tracing for kernel at EL2") +Reviewed-by: Leo Yan +Signed-off-by: Mike Leach +Signed-off-by: Mathieu Poirier +Cc: stable +Link: https://lore.kernel.org/r/20210415202404.945368-2-mathieu.poirier@linaro.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/hwtracing/coresight/coresight-etm-perf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwtracing/coresight/coresight-etm-perf.c ++++ b/drivers/hwtracing/coresight/coresight-etm-perf.c +@@ -52,7 +52,7 @@ static ssize_t format_attr_contextid_sho + { + int pid_fmt = ETM_OPT_CTXTID; + +-#if defined(CONFIG_CORESIGHT_SOURCE_ETM4X) ++#if IS_ENABLED(CONFIG_CORESIGHT_SOURCE_ETM4X) + pid_fmt = is_kernel_in_hyp_mode() ? ETM_OPT_CTXTID2 : ETM_OPT_CTXTID; + #endif + return sprintf(page, "config:%d\n", pid_fmt); 
diff --git a/queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch b/queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch
new file mode 100644
index 00000000000..d68c320b8b1
--- /dev/null
+++ b/queue-5.12/drm-bridge-fix-lontium-use-of-mipi_dsi_-functions.patch
@@ -0,0 +1,74 @@ +From ad085b3a712a89e4a48472121b231add7a8362e4 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap +Date: Thu, 15 Apr 2021 11:36:39 -0700 +Subject: drm: bridge: fix LONTIUM use of mipi_dsi_() functions + +From: Randy Dunlap + +commit ad085b3a712a89e4a48472121b231add7a8362e4 upstream. + +The Lontium DRM bridge drivers use mipi_dsi_() function interfaces so +they need to select DRM_MIPI_DSI to prevent build errors. + +ERROR: modpost: "mipi_dsi_attach" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined! +ERROR: modpost: "mipi_dsi_device_register_full" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined! +ERROR: modpost: "of_find_mipi_dsi_host_by_node" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined! +ERROR: modpost: "mipi_dsi_device_unregister" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined! +ERROR: modpost: "mipi_dsi_detach" [drivers/gpu/drm/bridge/lontium-lt9611uxc.ko] undefined! +ERROR: modpost: "mipi_dsi_attach" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined! +ERROR: modpost: "mipi_dsi_device_register_full" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined! +ERROR: modpost: "of_find_mipi_dsi_host_by_node" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined! +ERROR: modpost: "mipi_dsi_device_unregister" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined! +ERROR: modpost: "mipi_dsi_detach" [drivers/gpu/drm/bridge/lontium-lt9611.ko] undefined! 
+WARNING: modpost: suppressed 5 unresolved symbol warnings because there were too many) + +Fixes: 23278bf54afe ("drm/bridge: Introduce LT9611 DSI to HDMI bridge") +Fixes: 0cbbd5b1a012 ("drm: bridge: add support for lontium LT9611UXC bridge") +Fixes: 30e2ae943c26 ("drm/bridge: Introduce LT8912B DSI to HDMI bridge") +Reported-by: kernel test robot +Signed-off-by: Randy Dunlap +Reviewed-by: Adren Grassein +Cc: Dmitry Baryshkov +Cc: Sam Ravnborg +Cc: Vinod Koul +Cc: Bjorn Andersson +Cc: Srinivas Kandagatla +Cc: Adrien Grassein +Cc: Andrzej Hajda +Cc: Neil Armstrong +Cc: Robert Foss +Cc: dri-devel@lists.freedesktop.org +Cc: stable@vger.kernel.org +Signed-off-by: Robert Foss +Link: https://patchwork.freedesktop.org/patch/msgid/20210415183639.1487-1-rdunlap@infradead.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/gpu/drm/bridge/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/bridge/Kconfig ++++ b/drivers/gpu/drm/bridge/Kconfig +@@ -67,6 +67,7 @@ config DRM_LONTIUM_LT9611UXC + depends on OF + select DRM_PANEL_BRIDGE + select DRM_KMS_HELPER ++ select DRM_MIPI_DSI + select REGMAP_I2C + help + Driver for Lontium LT9611UXC DSI to HDMI bridge +@@ -151,6 +152,7 @@ config DRM_SII902X + tristate "Silicon Image sii902x RGB/HDMI bridge" + depends on OF + select DRM_KMS_HELPER ++ select DRM_MIPI_DSI + select REGMAP_I2C + select I2C_MUX + select SND_SOC_HDMI_CODEC if SND_SOC +@@ -200,6 +202,7 @@ config DRM_TOSHIBA_TC358767 + tristate "Toshiba TC358767 eDP bridge" + depends on OF + select DRM_KMS_HELPER ++ select DRM_MIPI_DSI + select REGMAP_I2C + select DRM_PANEL + help diff --git a/queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch b/queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch new file mode 100644 index 00000000000..8efad1fb3a8 --- /dev/null +++ b/queue-5.12/io_uring-truncate-lengths-larger-than-max_rw_count-on-provide-buffers.patch 
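Review bot: Two of the three `select DRM_MIPI_DSI` lines appear to land in entries the commit message does not mention: the second hunk's context is `config DRM_SII902X` and the third's is `config DRM_TOSHIBA_TC358767`, while the description and the modpost errors name only the Lontium lt9611 and lt9611uxc modules. Only the first hunk, whose help text reads "Driver for Lontium LT9611UXC DSI to HDMI bridge", matches the description. If the context does not correspond to the intended entries, the lontium-lt9611 link errors quoted in the message would remain and two unrelated drivers would gain an unneeded select. The hunks should be compared with the 5.12 Kconfig before this is queued.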
@@ -0,0 +1,49 @@ +From d1f82808877bb10d3deee7cf3374a4eb3fb582db Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Wed, 5 May 2021 09:47:06 -0300 +Subject: io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers + +From: Thadeu Lima de Souza Cascardo + +commit d1f82808877bb10d3deee7cf3374a4eb3fb582db upstream. + +Read and write operations are capped to MAX_RW_COUNT. Some read ops rely on +that limit, and that is not guaranteed by the IORING_OP_PROVIDE_BUFFERS. + +Truncate those lengths when doing io_add_buffers, so buffer addresses still +use the uncapped length. + +Also, take the chance and change struct io_buffer len member to __u32, so +it matches struct io_provide_buffer len member. + +This fixes CVE-2021-3491, also reported as ZDI-CAN-13546. + +Fixes: ddf0322db79c ("io_uring: add IORING_OP_PROVIDE_BUFFERS") +Reported-by: Billy Jheng Bing-Jhong (@st424204) +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman +--- + fs/io_uring.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/io_uring.c ++++ b/fs/io_uring.c +@@ -238,7 +238,7 @@ struct fixed_rsrc_data { + struct io_buffer { + struct list_head list; + __u64 addr; +- __s32 len; ++ __u32 len; + __u16 bid; + }; + +@@ -4017,7 +4017,7 @@ static int io_add_buffers(struct io_prov + break; + + buf->addr = addr; +- buf->len = pbuf->len; ++ buf->len = min_t(__u32, pbuf->len, MAX_RW_COUNT); + buf->bid = bid; + addr += pbuf->len; + bid++; diff --git a/queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch b/queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch new file mode 100644 index 00000000000..25c57d1789c --- /dev/null +++ b/queue-5.12/net-nfc-fix-use-after-free-llcp_sock_bind-connect.patch 
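Review bot: In io_add_buffers() the stored `buf->len` is now capped, but the next buffer address is still computed with `addr += pbuf->len`, so the two deliberately disagree for oversized requests and nothing at the site says so. A comment above the assignment such as `/* cap len to MAX_RW_COUNT, which read paths rely on; addr below still advances by the uncapped pbuf->len */` would keep a later cleanup from aligning one with the other. Changing `len` from `__s32` to `__u32` also affects any signed comparison or assignment involving `buf->len` elsewhere in fs/io_uring.c. Those users are outside the hunks and should be checked for a negative-length assumption. io_add_buffers() starts and ends outside the hunk.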
@@ -0,0 +1,73 @@ +From c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 Mon Sep 17 00:00:00 2001 +From: Or Cohen +Date: Tue, 4 May 2021 10:16:46 +0300 +Subject: net/nfc: fix use-after-free llcp_sock_bind/connect + +From: Or Cohen + +commit c61760e6940dd4039a7f5e84a6afc9cdbf4d82b6 upstream. + +Commits 8a4cd82d ("nfc: fix refcount leak in llcp_sock_connect()") +and c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") +fixed a refcount leak bug in bind/connect but introduced a +use-after-free if the same local is assigned to 2 different sockets. + +This can be triggered by the following simple program: + int sock1 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); + int sock2 = socket( AF_NFC, SOCK_STREAM, NFC_SOCKPROTO_LLCP ); + memset( &addr, 0, sizeof(struct sockaddr_nfc_llcp) ); + addr.sa_family = AF_NFC; + addr.nfc_protocol = NFC_PROTO_NFC_DEP; + bind( sock1, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) + bind( sock2, (struct sockaddr*) &addr, sizeof(struct sockaddr_nfc_llcp) ) + close(sock1); + close(sock2); + +Fix this by assigning NULL to llcp_sock->local after calling +nfc_llcp_local_put. + +This addresses CVE-2021-23134. + +Reported-by: Or Cohen +Reported-by: Nadav Markus +Fixes: c33b1cc62 ("nfc: fix refcount leak in llcp_sock_bind()") +Signed-off-by: Or Cohen +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/nfc/llcp_sock.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -109,12 +109,14 @@ static int llcp_sock_bind(struct socket + GFP_KERNEL); + if (!llcp_sock->service_name) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + ret = -ENOMEM; + goto put_dev; + } + llcp_sock->ssap = nfc_llcp_get_sdp_ssap(local, llcp_sock); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + kfree(llcp_sock->service_name); + llcp_sock->service_name = NULL; + ret = -EADDRINUSE; +@@ -709,6 +711,7 @@ static int llcp_sock_connect(struct sock + llcp_sock->ssap = nfc_llcp_get_local_ssap(local); + if (llcp_sock->ssap == LLCP_SAP_MAX) { + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + ret = -ENOMEM; + goto put_dev; + } +@@ -756,6 +759,7 @@ sock_unlink: + sock_llcp_release: + nfc_llcp_put_ssap(local, llcp_sock->ssap); + nfc_llcp_local_put(llcp_sock->local); ++ llcp_sock->local = NULL; + + put_dev: + nfc_put_device(dev); diff --git a/queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch b/queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch new file mode 100644 index 00000000000..0ff7737511c --- /dev/null +++ b/queue-5.12/revert-usb-cdc-acm-fix-rounding-error-in-tiocsserial.patch 
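Review bot: The put-then-clear pair `nfc_llcp_local_put(llcp_sock->local); llcp_sock->local = NULL;` now appears four times across llcp_sock_bind() and llcp_sock_connect(), and the use-after-free described in the message returns as soon as a future error path repeats the put without the clear. Moving the pair into one small static helper that takes the llcp_sock would leave a single place to get right. Alternatively, the bind error paths could go through a shared label, as connect already does at `sock_llcp_release`. A one-line comment at that site saying the pointer is cleared because a later release of the socket would otherwise put the same local again would also help. Both functions extend beyond the hunks shown.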
@@ -0,0 +1,69 @@ +From 729f7955cb987c5b7d7e54c87c5ad71c789934f7 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 8 Apr 2021 15:16:00 +0200 +Subject: Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL" + +From: Johan Hovold + +commit 729f7955cb987c5b7d7e54c87c5ad71c789934f7 upstream. + +This reverts commit b401f8c4f492cbf74f3f59c9141e5be3071071bb. + +The offending commit claimed that trying to set the values reported back +by TIOCGSERIAL as a regular user could result in an -EPERM error when HZ +is 250, but that was never the case. + +With HZ=250, the default 0.5 second value of close_delay is converted to +125 jiffies when set and is converted back to 50 centiseconds by +TIOCGSERIAL as expected (not 12 cs as was claimed, even if that was the +case before an earlier fix). + +Comparing the internal current and new jiffies values is just fine to +determine if the value is about to change so drop the bogus workaround +(which was also backported to stable). + +For completeness: With different default values for these parameters or +with a HZ value not divisible by two, the lack of rounding when setting +the default values in tty_port_init() could result in an -EPERM being +returned, but this is hardly something we need to worry about. 
+ +Cc: Anthony Mallet +Cc: stable@vger.kernel.org +Acked-by: Oliver Neukum +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210408131602.27956-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/class/cdc-acm.c | 11 ++--------- + 1 file changed, 2 insertions(+), 9 deletions(-) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -942,7 +942,6 @@ static int set_serial_info(struct tty_st + { + struct acm *acm = tty->driver_data; + unsigned int closing_wait, close_delay; +- unsigned int old_closing_wait, old_close_delay; + int retval = 0; + + close_delay = msecs_to_jiffies(ss->close_delay * 10); +@@ -950,17 +949,11 @@ static int set_serial_info(struct tty_st + ASYNC_CLOSING_WAIT_NONE : + msecs_to_jiffies(ss->closing_wait * 10); + +- /* we must redo the rounding here, so that the values match */ +- old_close_delay = jiffies_to_msecs(acm->port.close_delay) / 10; +- old_closing_wait = acm->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : +- jiffies_to_msecs(acm->port.closing_wait) / 10; +- + mutex_lock(&acm->port.mutex); + + if (!capable(CAP_SYS_ADMIN)) { +- if ((ss->close_delay != old_close_delay) || +- (ss->closing_wait != old_closing_wait)) ++ if ((close_delay != acm->port.close_delay) || ++ (closing_wait != acm->port.closing_wait)) + retval = -EPERM; + else + retval = -EOPNOTSUPP; diff --git a/queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch b/queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch new file mode 100644 index 00000000000..08364f3357d --- /dev/null +++ b/queue-5.12/software-node-allow-node-addition-to-already-existing-device.patch 
@@ -0,0 +1,46 @@ +From b622b24519f5b008f6d4e20e5675eaffa8fbd87b Mon Sep 17 00:00:00 2001 +From: Heikki Krogerus +Date: Wed, 14 Apr 2021 10:54:38 +0300 +Subject: software node: Allow node addition to already existing device + +From: Heikki Krogerus + +commit b622b24519f5b008f6d4e20e5675eaffa8fbd87b upstream. + +If the node is added to an already exiting device, the node +needs to be also linked to the device separately. + +This will make sure the reference count is kept in balance +also when the node is injected to a device afterwards. + +Fixes: e68d0119e328 ("software node: Introduce device_add_software_node()") +Reported-by: Pierre-Louis Bossart +Signed-off-by: Heikki Krogerus +Cc: stable +Link: https://lore.kernel.org/r/20210414075438.64547-1-heikki.krogerus@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/swnode.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/base/swnode.c ++++ b/drivers/base/swnode.c +@@ -1032,6 +1032,7 @@ int device_add_software_node(struct devi + } + + set_secondary_fwnode(dev, &swnode->fwnode); ++ software_node_notify(dev, KOBJ_ADD); + + return 0; + } +@@ -1105,8 +1106,8 @@ int software_node_notify(struct device * + + switch (action) { + case KOBJ_ADD: +- ret = sysfs_create_link(&dev->kobj, &swnode->kobj, +- "software_node"); ++ ret = sysfs_create_link_nowarn(&dev->kobj, &swnode->kobj, ++ "software_node"); + if (ret) + break; + diff --git a/queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch new file mode 100644 index 00000000000..865e83b486f --- /dev/null +++ b/queue-5.12/staging-fwserial-fix-tiocsserial-jiffies-conversions.patch 
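Review bot: device_add_software_node() discards the result of the new `software_node_notify(dev, KOBJ_ADD);` call and still returns 0, although software_node_notify() returns int and its KOBJ_ADD case can fail in sysfs_create_link_nowarn(). If failure is expected here, for instance because the device may not be registered yet (an inference, not shown in the hunk), a comment like `/* best effort: may fail if dev is not registered yet */` should say so; otherwise the error should be propagated. The switch to the _nowarn variant suggests an already-existing link is anticipated, which is worth stating in the same comment. Both functions continue outside the hunks.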
@@ -0,0 +1,45 @@ +From 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:19 +0200 +Subject: staging: fwserial: fix TIOCSSERIAL jiffies conversions + +From: Johan Hovold + +commit 7a3791afdbd5a951b09a7689bba856bd9f6c6a9f upstream. + +The port close_delay parameter set by TIOCSSERIAL is specified in +jiffies, while the value returned by TIOCGSERIAL is specified in +centiseconds. + +Add the missing conversions so that TIOCGSERIAL works as expected also +when HZ is not 100. + +Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver") +Cc: stable@vger.kernel.org # 3.8 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-2-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fwserial/fwserial.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/staging/fwserial/fwserial.c ++++ b/drivers/staging/fwserial/fwserial.c +@@ -1223,7 +1223,7 @@ static int get_serial_info(struct tty_st + ss->flags = port->port.flags; + ss->xmit_fifo_size = FWTTY_PORT_TXFIFO_LEN; + ss->baud_base = 400000000; +- ss->close_delay = port->port.close_delay; ++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10; + mutex_unlock(&port->port.mutex); + return 0; + } +@@ -1245,7 +1245,7 @@ static int set_serial_info(struct tty_st + return -EPERM; + } + } +- port->port.close_delay = ss->close_delay * HZ / 100; ++ port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10); + mutex_unlock(&port->port.mutex); + + return 0; diff --git a/queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch b/queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch new file mode 100644 index 00000000000..52f3cdb9516 --- /dev/null +++ b/queue-5.12/staging-fwserial-fix-tiocsserial-permission-check.patch 
@@ -0,0 +1,50 @@ +From 2104eb283df66a482b60254299acbe3c68c03412 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:20 +0200 +Subject: staging: fwserial: fix TIOCSSERIAL permission check + +From: Johan Hovold + +commit 2104eb283df66a482b60254299acbe3c68c03412 upstream. + +Changing the port close-delay parameter is a privileged operation so +make sure to return -EPERM if a regular user tries to change it. + +Fixes: 7355ba3445f2 ("staging: fwserial: Add TTY-over-Firewire serial driver") +Cc: stable@vger.kernel.org # 3.8 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-3-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/fwserial/fwserial.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/staging/fwserial/fwserial.c ++++ b/drivers/staging/fwserial/fwserial.c +@@ -1232,20 +1232,24 @@ static int set_serial_info(struct tty_st + struct serial_struct *ss) + { + struct fwtty_port *port = tty->driver_data; ++ unsigned int cdelay; + + if (ss->irq != 0 || ss->port != 0 || ss->custom_divisor != 0 || + ss->baud_base != 400000000) + return -EPERM; + ++ cdelay = msecs_to_jiffies(ss->close_delay * 10); ++ + mutex_lock(&port->port.mutex); + if (!capable(CAP_SYS_ADMIN)) { +- if (((ss->flags & ~ASYNC_USR_MASK) != ++ if (cdelay != port->port.close_delay || ++ ((ss->flags & ~ASYNC_USR_MASK) != + (port->port.flags & ~ASYNC_USR_MASK))) { + mutex_unlock(&port->port.mutex); + return -EPERM; + } + } +- port->port.close_delay = msecs_to_jiffies(ss->close_delay * 10); ++ port->port.close_delay = cdelay; + mutex_unlock(&port->port.mutex); + + return 0; diff --git a/queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch new file mode 100644 index 00000000000..fadfffb2fd6 --- /dev/null +++ b/queue-5.12/staging-greybus-uart-fix-tiocsserial-jiffies-conversions.patch 
@@ -0,0 +1,54 @@ +From b71e571adaa58be4fd289abebc8997e05b4c6b40 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:23 +0200 +Subject: staging: greybus: uart: fix TIOCSSERIAL jiffies conversions + +From: Johan Hovold + +commit b71e571adaa58be4fd289abebc8997e05b4c6b40 upstream. + +The port close_delay and closing_wait parameters set by TIOCSSERIAL are +specified in jiffies and not milliseconds. + +Add the missing conversions so that TIOCSSERIAL works as expected also +when HZ is not 1000. + +Fixes: e68453ed28c5 ("greybus: uart-gb: now builds, more framework added") +Cc: stable@vger.kernel.org # 4.9 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-6-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/staging/greybus/uart.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/drivers/staging/greybus/uart.c ++++ b/drivers/staging/greybus/uart.c +@@ -614,10 +614,12 @@ static int get_serial_info(struct tty_st + ss->line = gb_tty->minor; + ss->xmit_fifo_size = 16; + ss->baud_base = 9600; +- ss->close_delay = gb_tty->port.close_delay / 10; ++ ss->close_delay = jiffies_to_msecs(gb_tty->port.close_delay) / 10; + ss->closing_wait = + gb_tty->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : gb_tty->port.closing_wait / 10; ++ ASYNC_CLOSING_WAIT_NONE : ++ jiffies_to_msecs(gb_tty->port.closing_wait) / 10; ++ + return 0; + } + +@@ -629,9 +631,10 @@ static int set_serial_info(struct tty_st + unsigned int close_delay; + int retval = 0; + +- close_delay = ss->close_delay * 10; ++ close_delay = msecs_to_jiffies(ss->close_delay * 10); + closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ? +- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10; ++ ASYNC_CLOSING_WAIT_NONE : ++ msecs_to_jiffies(ss->closing_wait * 10); + + mutex_lock(&gb_tty->port.mutex); + if (!capable(CAP_SYS_ADMIN)) { 
diff --git a/queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch new file mode 100644 index 00000000000..868596fbbcf --- /dev/null +++ b/queue-5.12/tty-amiserial-fix-tiocsserial-permission-check.patch @@ -0,0 +1,32 @@ +From 1d31a831cc04f5f942de3e7d91edaa52310d3c99 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:26 +0200 +Subject: tty: amiserial: fix TIOCSSERIAL permission check + +From: Johan Hovold + +commit 1d31a831cc04f5f942de3e7d91edaa52310d3c99 upstream. + +Changing the port closing_wait parameter is a privileged operation. + +Add the missing check to TIOCSSERIAL so that -EPERM is returned in case +an unprivileged user tries to change the closing-wait setting. + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-9-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/amiserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/amiserial.c ++++ b/drivers/tty/amiserial.c +@@ -970,6 +970,7 @@ static int set_serial_info(struct tty_st + if (!serial_isroot()) { + if ((ss->baud_base != state->baud_base) || + (ss->close_delay != port->close_delay) || ++ (ss->closing_wait != port->closing_wait) || + (ss->xmit_fifo_size != state->xmit_fifo_size) || + ((ss->flags & ~ASYNC_USR_MASK) != + (port->flags & ~ASYNC_USR_MASK))) { diff --git a/queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch new file mode 100644 index 00000000000..0d8d557c15e --- /dev/null +++ b/queue-5.12/tty-moxa-fix-tiocsserial-jiffies-conversions.patch 
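Review bot: The added test `(ss->closing_wait != port->closing_wait)` compares the user-supplied value directly with the stored port value, as the neighbouring `close_delay` line does. The other TIOCSSERIAL patches in this queue state that the port fields are held in jiffies while the ioctl carries centiseconds, and they convert with `msecs_to_jiffies(ss->closing_wait * 10)` before comparing. If amiserial also stores jiffies, which this hunk does not show, an unprivileged caller re-submitting unchanged settings would get -EPERM whenever HZ is not 100. In that case the check should compare converted values. set_serial_info() continues outside the hunk.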
@@ -0,0 +1,44 @@ +From 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 7 Apr 2021 12:23:28 +0200 +Subject: tty: moxa: fix TIOCSSERIAL jiffies conversions + +From: Johan Hovold + +commit 6e70b73ca5240c0059a1fbf8ccd4276d6cf71956 upstream. + +The port close_delay parameter set by TIOCSSERIAL is specified in +jiffies, while the value returned by TIOCGSERIAL is specified in +centiseconds. + +Add the missing conversions so that TIOCGSERIAL works as expected also +when HZ is not 100. + +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20210407102334.32361-11-johan@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/moxa.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/tty/moxa.c ++++ b/drivers/tty/moxa.c +@@ -2040,7 +2040,7 @@ static int moxa_get_serial_info(struct t + ss->line = info->port.tty->index, + ss->flags = info->port.flags, + ss->baud_base = 921600, +- ss->close_delay = info->port.close_delay; ++ ss->close_delay = jiffies_to_msecs(info->port.close_delay) / 10; + mutex_unlock(&info->port.mutex); + return 0; + } +@@ -2069,7 +2069,7 @@ static int moxa_set_serial_info(struct t + return -EPERM; + } + } +- info->port.close_delay = ss->close_delay * HZ / 100; ++ info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10); + + MoxaSetFifo(info, ss->type == PORT_16550A); + diff --git a/queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch new file mode 100644 index 00000000000..f497aad1ded --- /dev/null +++ b/queue-5.12/tty-moxa-fix-tiocsserial-permission-check.patch 
@@ -0,0 +1,60 @@
+From dc8c8437658667be9b11ec25c4b5482ed2becdaa Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:29 +0200
+Subject: tty: moxa: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit dc8c8437658667be9b11ec25c4b5482ed2becdaa upstream.
+
+Changing the port close delay or type are privileged operations so make
+sure to return -EPERM if a regular user tries to change them.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-12-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/moxa.c | 16 +++++++++++-----
+ 1 file changed, 11 insertions(+), 5 deletions(-)
+
+--- a/drivers/tty/moxa.c
++++ b/drivers/tty/moxa.c
+@@ -2050,6 +2050,7 @@ static int moxa_set_serial_info(struct t
+ struct serial_struct *ss)
+ {
+ struct moxa_port *info = tty->driver_data;
++ unsigned int close_delay;
+
+ if (tty->index == MAX_PORTS)
+ return -EINVAL;
+@@ -2061,19 +2062,24 @@ static int moxa_set_serial_info(struct t
+ ss->baud_base != 921600)
+ return -EPERM;
+
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
++
+ mutex_lock(&info->port.mutex);
+ if (!capable(CAP_SYS_ADMIN)) {
+- if (((ss->flags & ~ASYNC_USR_MASK) !=
++ if (close_delay != info->port.close_delay ||
++ ss->type != info->type ||
++ ((ss->flags & ~ASYNC_USR_MASK) !=
+ (info->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&info->port.mutex);
+ return -EPERM;
+ }
+- }
+- info->port.close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ } else {
++ info->port.close_delay = close_delay;
+
+- MoxaSetFifo(info, ss->type == PORT_16550A);
++ MoxaSetFifo(info, ss->type == PORT_16550A);
+
+- info->type = ss->type;
++ info->type = ss->type;
++ }
+ mutex_unlock(&info->port.mutex);
+ return 0;
+ }
diff --git a/queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644
index 00000000000..de37950d26e
--- /dev/null
+++ b/queue-5.12/tty-mxser-fix-tiocsserial-jiffies-conversions.patch 
@@ -0,0 +1,91 @@
+From be6cf583d24dfe87324dd2830d90fc056e0a6648 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:31 +0200
+Subject: tty: mxser: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold
+
+commit be6cf583d24dfe87324dd2830d90fc056e0a6648 upstream.
+
+The port close_delay and closing wait parameters set by TIOCSSERIAL are
+specified in jiffies, while the values returned by TIOCGSERIAL are
+specified in centiseconds.
+
+Add the missing conversions so that TIOCSSERIAL works as expected also
+when HZ is not 100.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-14-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/mxser.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -1208,19 +1208,26 @@ static int mxser_get_serial_info(struct
+ {
+ struct mxser_port *info = tty->driver_data;
+ struct tty_port *port = &info->port;
++ unsigned int closing_wait, close_delay;
+
+ if (tty->index == MXSER_PORTS)
+ return -ENOTTY;
+
+ mutex_lock(&port->mutex);
++
++ close_delay = jiffies_to_msecs(info->port.close_delay) / 10;
++ closing_wait = info->port.closing_wait;
++ if (closing_wait != ASYNC_CLOSING_WAIT_NONE)
++ closing_wait = jiffies_to_msecs(closing_wait) / 10;
++
+ ss->type = info->type,
+ ss->line = tty->index,
+ ss->port = info->ioaddr,
+ ss->irq = info->board->irq,
+ ss->flags = info->port.flags,
+ ss->baud_base = info->baud_base,
+- ss->close_delay = info->port.close_delay,
+- ss->closing_wait = info->port.closing_wait,
++ ss->close_delay = close_delay;
++ ss->closing_wait = closing_wait;
+ ss->custom_divisor = info->custom_divisor,
+ mutex_unlock(&port->mutex);
+ return 0;
+@@ -1233,7 +1240,7 @@ static int mxser_set_serial_info(struct
+ struct tty_port *port = &info->port;
+ speed_t baud;
+ unsigned long sl_flags;
+- unsigned int flags;
++ unsigned int flags, close_delay, closing_wait;
+ int retval = 0;
+
+ if (tty->index == MXSER_PORTS)
+@@ -1255,9 +1262,14 @@ static int mxser_set_serial_info(struct
+
+ flags = port->flags & ASYNC_SPD_MASK;
+
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
++ closing_wait = ss->closing_wait;
++ if (closing_wait != ASYNC_CLOSING_WAIT_NONE)
++ closing_wait = msecs_to_jiffies(closing_wait * 10);
++
+ if (!capable(CAP_SYS_ADMIN)) {
+ if ((ss->baud_base != info->baud_base) ||
+- (ss->close_delay != info->port.close_delay) ||
++ (close_delay != info->port.close_delay) ||
+ ((ss->flags & ~ASYNC_USR_MASK) != (info->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&port->mutex);
+ return -EPERM;
+@@ -1271,8 +1283,8 @@ static int mxser_set_serial_info(struct
+ */
+ port->flags = ((port->flags & ~ASYNC_FLAGS) |
+ (ss->flags & ASYNC_FLAGS));
+- port->close_delay = ss->close_delay * HZ / 100;
+- port->closing_wait = ss->closing_wait * HZ / 100;
++ port->close_delay = close_delay;
++ port->closing_wait = closing_wait;
+ if ((port->flags & ASYNC_SPD_MASK) == ASYNC_SPD_CUST &&
+ (ss->baud_base != info->baud_base ||
+ ss->custom_divisor !=
diff --git a/queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch b/queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..a399df86c7c
--- /dev/null
+++ b/queue-5.12/tty-mxser-fix-tiocsserial-permission-check.patch
@@ -0,0 +1,49 @@
+From b91cfb2573aeb5ab426fc3c35bcfe9e0d2a7ecbc Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:23:32 +0200
+Subject: tty: mxser: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit b91cfb2573aeb5ab426fc3c35bcfe9e0d2a7ecbc upstream.
+
+Changing the port type and closing_wait parameter are privileged
+operations so make sure to return -EPERM if a regular user tries to
+change them.
+
+Note that the closing_wait parameter would not actually have been
+changed but the return value did not indicate that.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Johan Hovold
+Link: https://lore.kernel.org/r/20210407102334.32361-15-johan@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/tty/mxser.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/tty/mxser.c
++++ b/drivers/tty/mxser.c
+@@ -1270,6 +1270,7 @@ static int mxser_set_serial_info(struct
+ if (!capable(CAP_SYS_ADMIN)) {
+ if ((ss->baud_base != info->baud_base) ||
+ (close_delay != info->port.close_delay) ||
++ (closing_wait != info->port.closing_wait) ||
+ ((ss->flags & ~ASYNC_USR_MASK) != (info->port.flags & ~ASYNC_USR_MASK))) {
+ mutex_unlock(&port->mutex);
+ return -EPERM;
+@@ -1296,11 +1297,11 @@ static int mxser_set_serial_info(struct
+ baud = ss->baud_base / ss->custom_divisor;
+ tty_encode_baud_rate(tty, baud, baud);
+ }
+- }
+
+- info->type = ss->type;
++ info->type = ss->type;
+
+- process_txrx_fifo(info);
++ process_txrx_fifo(info);
++ }
+
+ if (tty_port_initialized(port)) {
+ if (flags != (port->flags & ASYNC_SPD_MASK)) {
diff --git a/queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch b/queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch
new file mode 100644
index 00000000000..ad744215f14
--- /dev/null
+++ b/queue-5.12/usb-roles-call-try_module_get-from-usb_role_switch_find_by_fwnode.patch
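Review bot: The unprivileged condition in mxser_set_serial_info() (first hunk of the mxser permission patch) still has no `ss->type` comparison, so once `info->type = ss->type;` moves into the privileged branch a regular user's type change is dropped without an error being returned by the visible check. The commit message says such a change should yield -EPERM, and the moxa permission patch in this queue adds `ss->type != info->type ||` for exactly that; adding `(ss->type != info->type) ||` next to the new `closing_wait` test would make the two drivers agree. The code between the two hunks is not shown, so confirm that no later test already rejects it.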
@@ -0,0 +1,42 @@
+From 3a2a91a2d51761557843996a66098eb7182b48b4 Mon Sep 17 00:00:00 2001
+From: Hans de Goede
+Date: Fri, 9 Apr 2021 14:41:36 +0200
+Subject: usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode()
+
+From: Hans de Goede
+
+commit 3a2a91a2d51761557843996a66098eb7182b48b4 upstream.
+
+usb_role_switch_find_by_fwnode() returns a reference to the role-switch
+which must be put by calling usb_role_switch_put().
+
+usb_role_switch_put() calls module_put(sw->dev.parent->driver->owner),
+add a matching try_module_get() to usb_role_switch_find_by_fwnode(),
+making it behave the same as the other usb_role_switch functions
+which return a reference.
+
+This avoids a WARN_ON being hit at kernel/module.c:1158 due to the
+module-refcount going below 0.
+
+Fixes: c6919d5e0cd1 ("usb: roles: Add usb_role_switch_find_by_fwnode()")
+Cc: stable
+Reviewed-by: Guenter Roeck
+Reviewed-by: Heikki Krogerus
+Signed-off-by: Hans de Goede
+Link: https://lore.kernel.org/r/20210409124136.65591-1-hdegoede@redhat.com
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/roles/class.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/usb/roles/class.c
++++ b/drivers/usb/roles/class.c
+@@ -189,6 +189,8 @@ usb_role_switch_find_by_fwnode(const str
+ return NULL;
+
+ dev = class_find_device_by_fwnode(role_class, fwnode);
++ if (dev)
++ WARN_ON(!try_module_get(dev->parent->driver->owner));
+
+ return dev ? to_role_switch(dev) : NULL;
+ }
diff --git a/queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch b/queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
new file mode 100644
index 00000000000..77c8cbb5837
--- /dev/null
+++ b/queue-5.12/usb-serial-ti_usb_3410_5052-fix-tiocsserial-permission-check.patch
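Review bot: In usb_role_switch_find_by_fwnode() a failed `try_module_get()` only triggers the WARN_ON and the switch is still returned, so the usb_role_switch_put() described in the commit message would later drop a module reference that was never taken. Failing the lookup keeps the counts balanced: `if (dev && !try_module_get(dev->parent->driver->owner)) { put_device(dev); return NULL; }`. The expression also dereferences `dev->parent->driver` without a NULL test; whether the parent can be without a bound driver at this point is not visible in the hunk and should be confirmed. The start of the function is outside the hunk.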
@@ -0,0 +1,44 @@
+From d370c90dcd64e427a79a093a070117a1571d4cd8 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:39:15 +0200
+Subject: USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
+
+From: Johan Hovold
+
+commit d370c90dcd64e427a79a093a070117a1571d4cd8 upstream.
+
+Changing the port closing-wait parameter is a privileged operation so
+make sure to return -EPERM if a regular user tries to change it.
+
+Cc: stable@vger.kernel.org
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -1418,14 +1418,19 @@ static int ti_set_serial_info(struct tty
+ struct serial_struct *ss)
+ {
+ struct usb_serial_port *port = tty->driver_data;
+- struct ti_port *tport = usb_get_serial_port_data(port);
++ struct tty_port *tport = &port->port;
+ unsigned cwait;
+
+ cwait = ss->closing_wait;
+ if (cwait != ASYNC_CLOSING_WAIT_NONE)
+ cwait = msecs_to_jiffies(10 * ss->closing_wait);
+
+- tport->tp_port->port.closing_wait = cwait;
++ if (!capable(CAP_SYS_ADMIN)) {
++ if (cwait != tport->closing_wait)
++ return -EPERM;
++ }
++
++ tport->closing_wait = cwait;
+
+ return 0;
+ }
diff --git a/queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch b/queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
new file mode 100644
index 00000000000..9db81df9835
--- /dev/null
+++ b/queue-5.12/usb-serial-usb_wwan-fix-tiocsserial-jiffies-conversions.patch
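Review bot: ti_set_serial_info() now reads `tport->closing_wait` for the privilege check and then writes it, with no lock taken anywhere in the function body shown in the hunk. The moxa, mxser and usb_wwan handlers on this page do the same compare-and-update under the tty_port mutex, so a concurrent TIOCSSERIAL from a privileged caller could change the value between the comparison and the store here. Taking `mutex_lock(&tport->mutex);` before the `capable()` test and calling `mutex_unlock(&tport->mutex);` on both the -EPERM and the success path would bring this driver in line; whether a caller already serialises this ioctl is not visible and should be checked.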
@@ -0,0 +1,52 @@
+From 3d732690d2267f4d0e19077b178dffbedafdf0c9 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Wed, 7 Apr 2021 12:39:16 +0200
+Subject: USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
+
+From: Johan Hovold
+
+commit 3d732690d2267f4d0e19077b178dffbedafdf0c9 upstream.
+
+The port close_delay and closing_wait parameters set by TIOCSSERIAL are
+specified in jiffies and not milliseconds.
+
+Add the missing conversions so that the TIOCSSERIAL works as expected
+also when HZ is not 1000.
+
+Fixes: 02303f73373a ("usb-wwan: implement TIOCGSERIAL and TIOCSSERIAL to avoid blocking close(2)")
+Cc: stable@vger.kernel.org # 2.6.38
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/usb/serial/usb_wwan.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/serial/usb_wwan.c
++++ b/drivers/usb/serial/usb_wwan.c
+@@ -140,10 +140,10 @@ int usb_wwan_get_serial_info(struct tty_
+ ss->line = port->minor;
+ ss->port = port->port_number;
+ ss->baud_base = tty_get_baud_rate(port->port.tty);
+- ss->close_delay = port->port.close_delay / 10;
++ ss->close_delay = jiffies_to_msecs(port->port.close_delay) / 10;
+ ss->closing_wait = port->port.closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+ ASYNC_CLOSING_WAIT_NONE :
+- port->port.closing_wait / 10;
++ jiffies_to_msecs(port->port.closing_wait) / 10;
+ return 0;
+ }
+ EXPORT_SYMBOL(usb_wwan_get_serial_info);
+@@ -155,9 +155,10 @@ int usb_wwan_set_serial_info(struct tty_
+ unsigned int closing_wait, close_delay;
+ int retval = 0;
+
+- close_delay = ss->close_delay * 10;
++ close_delay = msecs_to_jiffies(ss->close_delay * 10);
+ closing_wait = ss->closing_wait == ASYNC_CLOSING_WAIT_NONE ?
+- ASYNC_CLOSING_WAIT_NONE : ss->closing_wait * 10;
++ ASYNC_CLOSING_WAIT_NONE :
++ msecs_to_jiffies(ss->closing_wait * 10);
+
+ mutex_lock(&port->port.mutex);
+