From: Greg Kroah-Hartman Date: Mon, 27 Apr 2020 18:07:11 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.19.119~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c23b8b55563b63aa94fa3d7277b87d00056e79a4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-imx-provide-v7_cpu_resume-only-on-arm_cpu_suspend-y.patch staging-comedi-dt2815-fix-writing-hi-byte-of-analog-output.patch staging-comedi-fix-comedi_device-refcnt-leak-in-comedi_open.patch staging-vt6656-fix-drivers-tbtt-timing-counter.patch staging-vt6656-power-save-stop-wake_up_count-wrap-around.patch uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch uas-no-use-logging-any-details-in-case-of-enodev.patch usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch --- diff --git a/queue-4.4/arm-imx-provide-v7_cpu_resume-only-on-arm_cpu_suspend-y.patch b/queue-4.4/arm-imx-provide-v7_cpu_resume-only-on-arm_cpu_suspend-y.patch new file mode 100644 index 00000000000..189fc536211 --- /dev/null +++ b/queue-4.4/arm-imx-provide-v7_cpu_resume-only-on-arm_cpu_suspend-y.patch @@ -0,0 +1,46 @@ +From f1baca8896ae18e12c45552a4c4ae2086aa7e02c Mon Sep 17 00:00:00 2001 +From: Ahmad Fatoum +Date: Mon, 23 Mar 2020 09:19:33 +0100 +Subject: ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y + +From: Ahmad Fatoum + +commit f1baca8896ae18e12c45552a4c4ae2086aa7e02c upstream. + +512a928affd5 ("ARM: imx: build v7_cpu_resume() unconditionally") +introduced an unintended linker error for i.MX6 configurations that have +ARM_CPU_SUSPEND=n which can happen if neither CONFIG_PM, CONFIG_CPU_IDLE, +nor ARM_PSCI_FW are selected. + +Fix this by having v7_cpu_resume() compiled only when cpu_resume() it +calls is available as well. + +The C declaration for the function remains unguarded to avoid future code +inadvertently using a stub and introducing a regression to the bug the +original commit fixed. + +Cc: +Fixes: 512a928affd5 ("ARM: imx: build v7_cpu_resume() unconditionally") +Reported-by: Clemens Gruber +Signed-off-by: Ahmad Fatoum +Tested-by: Roland Hieber +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-imx/Makefile | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-imx/Makefile ++++ b/arch/arm/mach-imx/Makefile +@@ -91,8 +91,10 @@ AFLAGS_suspend-imx6.o :=-Wa,-march=armv7 + obj-$(CONFIG_SOC_IMX6) += suspend-imx6.o + obj-$(CONFIG_SOC_IMX53) += suspend-imx53.o + endif ++ifeq ($(CONFIG_ARM_CPU_SUSPEND),y) + AFLAGS_resume-imx6.o :=-Wa,-march=armv7-a + obj-$(CONFIG_SOC_IMX6) += resume-imx6.o ++endif + obj-$(CONFIG_SOC_IMX6) += pm-imx6.o + + obj-$(CONFIG_SOC_IMX50) += mach-imx50.o diff --git a/queue-4.4/series b/queue-4.4/series index 30b5180118b..0f3fc804226 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -43,3 +43,11 @@ tty-rocket-avoid-oob-access.patch usb-storage-add-unusual_devs-entry-for-jmicron-jms566.patch audit-check-the-length-of-userspace-generated-audit-records.patch asoc-dapm-fixup-dapm-kcontrol-widget.patch +arm-imx-provide-v7_cpu_resume-only-on-arm_cpu_suspend-y.patch +staging-comedi-dt2815-fix-writing-hi-byte-of-analog-output.patch +staging-comedi-fix-comedi_device-refcnt-leak-in-comedi_open.patch +staging-vt6656-fix-drivers-tbtt-timing-counter.patch +staging-vt6656-power-save-stop-wake_up_count-wrap-around.patch +uas-no-use-logging-any-details-in-case-of-enodev.patch +uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch +usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch diff --git a/queue-4.4/staging-comedi-dt2815-fix-writing-hi-byte-of-analog-output.patch b/queue-4.4/staging-comedi-dt2815-fix-writing-hi-byte-of-analog-output.patch new file mode 100644 index 00000000000..a087dc9d4f8 --- /dev/null +++ b/queue-4.4/staging-comedi-dt2815-fix-writing-hi-byte-of-analog-output.patch @@ -0,0 +1,62 @@ +From ed87d33ddbcd9a1c3b5ae87995da34e6f51a862c Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 6 Apr 2020 15:20:15 +0100 +Subject: staging: comedi: dt2815: fix writing hi byte of analog output + +From: Ian Abbott + +commit ed87d33ddbcd9a1c3b5ae87995da34e6f51a862c upstream. + +The DT2815 analog output command is 16 bits wide, consisting of the +12-bit sample value in bits 15 to 4, the channel number in bits 3 to 1, +and a voltage or current selector in bit 0. Both bytes of the 16-bit +command need to be written in turn to a single 8-bit data register. +However, the driver currently only writes the low 8-bits. It is broken +and appears to have always been broken. + +Electronic copies of the DT2815 User's Manual seem impossible to find +online, but looking at the source code, a best guess for the sequence +the driver intended to use to write the analog output command is as +follows: + +1. Wait for the status register to read 0x00. +2. Write the low byte of the command to the data register. +3. Wait for the status register to read 0x80. +4. Write the high byte of the command to the data register. + +Step 4 is missing from the driver. Add step 4 to (hopefully) fix the +driver. + +Also add a "FIXME" comment about setting bit 0 of the low byte of the +command. Supposedly, it is used to choose between voltage output and +current output, but the current driver always sets it to 1. + +Signed-off-by: Ian Abbott +Cc: stable +Link: https://lore.kernel.org/r/20200406142015.126982-1-abbotti@mev.co.uk +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/drivers/dt2815.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/comedi/drivers/dt2815.c ++++ b/drivers/staging/comedi/drivers/dt2815.c +@@ -101,6 +101,7 @@ static int dt2815_ao_insn(struct comedi_ + int ret; + + for (i = 0; i < insn->n; i++) { ++ /* FIXME: lo bit 0 chooses voltage output or current output */ + lo = ((data[i] & 0x0f) << 4) | (chan << 1) | 0x01; + hi = (data[i] & 0xff0) >> 4; + +@@ -114,6 +115,8 @@ static int dt2815_ao_insn(struct comedi_ + if (ret) + return ret; + ++ outb(hi, dev->iobase + DT2815_DATA); ++ + devpriv->ao_readback[chan] = data[i]; + } + return i; diff --git a/queue-4.4/staging-comedi-fix-comedi_device-refcnt-leak-in-comedi_open.patch b/queue-4.4/staging-comedi-fix-comedi_device-refcnt-leak-in-comedi_open.patch new file mode 100644 index 00000000000..fc4564512dc --- /dev/null +++ b/queue-4.4/staging-comedi-fix-comedi_device-refcnt-leak-in-comedi_open.patch @@ -0,0 +1,49 @@ +From 332e0e17ad49e084b7db670ef43b5eb59abd9e34 Mon Sep 17 00:00:00 2001 +From: Xiyu Yang +Date: Mon, 20 Apr 2020 13:44:16 +0800 +Subject: staging: comedi: Fix comedi_device refcnt leak in comedi_open + +From: Xiyu Yang + +commit 332e0e17ad49e084b7db670ef43b5eb59abd9e34 upstream. + +comedi_open() invokes comedi_dev_get_from_minor(), which returns a +reference of the COMEDI device to "dev" with increased refcount. + +When comedi_open() returns, "dev" becomes invalid, so the refcount +should be decreased to keep refcount balanced. + +The reference counting issue happens in one exception handling path of +comedi_open(). When "cfp" allocation is failed, the refcnt increased by +comedi_dev_get_from_minor() is not decreased, causing a refcnt leak. + +Fix this issue by calling comedi_dev_put() on this error path when "cfp" +allocation is failed. + +Fixes: 20f083c07565 ("staging: comedi: prepare support for per-file read and write subdevices") +Signed-off-by: Xiyu Yang +Cc: stable +Signed-off-by: Xin Tan +Signed-off-by: Ian Abbott +Link: https://lore.kernel.org/r/1587361459-83622-1-git-send-email-xiyuyang19@fudan.edu.cn +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -2592,8 +2592,10 @@ static int comedi_open(struct inode *ino + } + + cfp = kzalloc(sizeof(*cfp), GFP_KERNEL); +- if (!cfp) ++ if (!cfp) { ++ comedi_dev_put(dev); + return -ENOMEM; ++ } + + cfp->dev = dev; + diff --git a/queue-4.4/staging-vt6656-fix-drivers-tbtt-timing-counter.patch b/queue-4.4/staging-vt6656-fix-drivers-tbtt-timing-counter.patch new file mode 100644 index 00000000000..3e1909961ab --- /dev/null +++ b/queue-4.4/staging-vt6656-fix-drivers-tbtt-timing-counter.patch @@ -0,0 +1,45 @@ +From 09057742af98a39ebffa27fac4f889dc873132de Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Sat, 18 Apr 2020 17:43:24 +0100 +Subject: staging: vt6656: Fix drivers TBTT timing counter. + +From: Malcolm Priestley + +commit 09057742af98a39ebffa27fac4f889dc873132de upstream. + +The drivers TBTT counter is not synchronized with mac80211 timestamp. + +Reorder the functions and use vnt_update_next_tbtt to do the final +synchronize. + +Fixes: c15158797df6 ("staging: vt6656: implement TSF counter") +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/375d0b25-e8bc-c8f7-9b10-6cc705d486ee@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/main_usb.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/staging/vt6656/main_usb.c ++++ b/drivers/staging/vt6656/main_usb.c +@@ -762,12 +762,15 @@ static void vnt_bss_info_changed(struct + vnt_mac_reg_bits_on(priv, MAC_REG_TFTCTL, + TFTCTL_TSFCNTREN); + +- vnt_adjust_tsf(priv, conf->beacon_rate->hw_value, +- conf->sync_tsf, priv->current_tsf); +- + vnt_mac_set_beacon_interval(priv, conf->beacon_int); + + vnt_reset_next_tbtt(priv, conf->beacon_int); ++ ++ vnt_adjust_tsf(priv, conf->beacon_rate->hw_value, ++ conf->sync_tsf, priv->current_tsf); ++ ++ vnt_update_next_tbtt(priv, ++ conf->sync_tsf, conf->beacon_int); + } else { + vnt_clear_current_tsf(priv); + diff --git a/queue-4.4/staging-vt6656-power-save-stop-wake_up_count-wrap-around.patch b/queue-4.4/staging-vt6656-power-save-stop-wake_up_count-wrap-around.patch new file mode 100644 index 00000000000..f73a5a1b02a --- /dev/null +++ b/queue-4.4/staging-vt6656-power-save-stop-wake_up_count-wrap-around.patch @@ -0,0 +1,37 @@ +From ea81c3486442f4643fc9825a2bb1b430b829bccd Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Tue, 14 Apr 2020 11:39:23 +0100 +Subject: staging: vt6656: Power save stop wake_up_count wrap around. + +From: Malcolm Priestley + +commit ea81c3486442f4643fc9825a2bb1b430b829bccd upstream. + +conf.listen_interval can sometimes be zero causing wake_up_count +to wrap around up to many beacons too late causing +CTRL-EVENT-BEACON-LOSS as in. + +wpa_supplicant[795]: message repeated 45 times: [..CTRL-EVENT-BEACON-LOSS ] + +Fixes: 43c93d9bf5e2 ("staging: vt6656: implement power saving code.") +Cc: stable +Signed-off-by: Malcolm Priestley +Link: https://lore.kernel.org/r/fce47bb5-7ca6-7671-5094-5c6107302f2b@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/vt6656/int.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/staging/vt6656/int.c ++++ b/drivers/staging/vt6656/int.c +@@ -157,7 +157,8 @@ void vnt_int_process_data(struct vnt_pri + priv->wake_up_count = + priv->hw->conf.listen_interval; + +- --priv->wake_up_count; ++ if (priv->wake_up_count) ++ --priv->wake_up_count; + + /* Turn on wake up to listen next beacon */ + if (priv->wake_up_count == 1) diff --git a/queue-4.4/uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch b/queue-4.4/uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch new file mode 100644 index 00000000000..808fecd807b --- /dev/null +++ b/queue-4.4/uas-fix-deadlock-in-error-handling-and-pm-flushing-work.patch @@ -0,0 +1,99 @@ +From f6cc6093a729ede1ff5658b493237c42b82ba107 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 15 Apr 2020 16:17:50 +0200 +Subject: UAS: fix deadlock in error handling and PM flushing work + +From: Oliver Neukum + +commit f6cc6093a729ede1ff5658b493237c42b82ba107 upstream. + +A SCSI error handler and block runtime PM must not allocate +memory with GFP_KERNEL. Furthermore they must not wait for +tasks allocating memory with GFP_KERNEL. +That means that they cannot share a workqueue with arbitrary tasks. + +Fix this for UAS using a private workqueue. + +Signed-off-by: Oliver Neukum +Fixes: f9dc024a2da1f ("uas: pre_reset and suspend: Fix a few races") +Cc: stable +Link: https://lore.kernel.org/r/20200415141750.811-2-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/uas.c | 43 ++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 40 insertions(+), 3 deletions(-) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -82,6 +82,19 @@ static void uas_free_streams(struct uas_ + static void uas_log_cmd_state(struct scsi_cmnd *cmnd, const char *prefix, + int status); + ++/* ++ * This driver needs its own workqueue, as we need to control memory allocation. ++ * ++ * In the course of error handling and power management uas_wait_for_pending_cmnds() ++ * needs to flush pending work items. In these contexts we cannot allocate memory ++ * by doing block IO as we would deadlock. For the same reason we cannot wait ++ * for anything allocating memory not heeding these constraints. ++ * ++ * So we have to control all work items that can be on the workqueue we flush. ++ * Hence we cannot share a queue and need our own. ++ */ ++static struct workqueue_struct *workqueue; ++ + static void uas_do_work(struct work_struct *work) + { + struct uas_dev_info *devinfo = +@@ -110,7 +123,7 @@ static void uas_do_work(struct work_stru + if (!err) + cmdinfo->state &= ~IS_IN_WORK_LIST; + else +- schedule_work(&devinfo->work); ++ queue_work(workqueue, &devinfo->work); + } + out: + spin_unlock_irqrestore(&devinfo->lock, flags); +@@ -135,7 +148,7 @@ static void uas_add_work(struct uas_cmd_ + + lockdep_assert_held(&devinfo->lock); + cmdinfo->state |= IS_IN_WORK_LIST; +- schedule_work(&devinfo->work); ++ queue_work(workqueue, &devinfo->work); + } + + static void uas_zap_pending(struct uas_dev_info *devinfo, int result) +@@ -1176,7 +1189,31 @@ static struct usb_driver uas_driver = { + .id_table = uas_usb_ids, + }; + +-module_usb_driver(uas_driver); ++static int __init uas_init(void) ++{ ++ int rv; ++ ++ workqueue = alloc_workqueue("uas", WQ_MEM_RECLAIM, 0); ++ if (!workqueue) ++ return -ENOMEM; ++ ++ rv = usb_register(&uas_driver); ++ if (rv) { ++ destroy_workqueue(workqueue); ++ return -ENOMEM; ++ } ++ ++ return 0; ++} ++ ++static void __exit uas_exit(void) ++{ ++ usb_deregister(&uas_driver); ++ destroy_workqueue(workqueue); ++} ++ ++module_init(uas_init); ++module_exit(uas_exit); + + MODULE_LICENSE("GPL"); + MODULE_AUTHOR( diff --git a/queue-4.4/uas-no-use-logging-any-details-in-case-of-enodev.patch b/queue-4.4/uas-no-use-logging-any-details-in-case-of-enodev.patch new file mode 100644 index 00000000000..116326dc20e --- /dev/null +++ b/queue-4.4/uas-no-use-logging-any-details-in-case-of-enodev.patch @@ -0,0 +1,33 @@ +From 5963dec98dc52d52476390485f07a29c30c6a582 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Wed, 15 Apr 2020 16:17:49 +0200 +Subject: UAS: no use logging any details in case of ENODEV + +From: Oliver Neukum + +commit 5963dec98dc52d52476390485f07a29c30c6a582 upstream. + +Once a device is gone, the internal state does not matter anymore. +There is no need to spam the logs. + +Signed-off-by: Oliver Neukum +Cc: stable +Fixes: 326349f824619 ("uas: add dead request list") +Link: https://lore.kernel.org/r/20200415141750.811-1-oneukum@suse.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/storage/uas.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/storage/uas.c ++++ b/drivers/usb/storage/uas.c +@@ -191,6 +191,9 @@ static void uas_log_cmd_state(struct scs + struct uas_cmd_info *ci = (void *)&cmnd->SCp; + struct uas_cmd_info *cmdinfo = (void *)&cmnd->SCp; + ++ if (status == -ENODEV) /* too late */ ++ return; ++ + scmd_printk(KERN_INFO, cmnd, + "%s %d uas-tag %d inflight:%s%s%s%s%s%s%s%s%s%s%s%s ", + prefix, status, cmdinfo->uas_tag, diff --git a/queue-4.4/usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch b/queue-4.4/usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch new file mode 100644 index 00000000000..d92dd851aee --- /dev/null +++ b/queue-4.4/usb-f_fs-clear-os-extended-descriptor-counts-to-zero-in-ffs_data_reset.patch @@ -0,0 +1,46 @@ +From 1c2e54fbf1da5e5445a0ab132c862b02ccd8d230 Mon Sep 17 00:00:00 2001 +From: Udipto Goswami +Date: Thu, 2 Apr 2020 10:15:21 +0530 +Subject: usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() + +From: Udipto Goswami + +commit 1c2e54fbf1da5e5445a0ab132c862b02ccd8d230 upstream. + +For userspace functions using OS Descriptors, if a function also supplies +Extended Property descriptors currently the counts and lengths stored in +the ms_os_descs_ext_prop_{count,name_len,data_len} variables are not +getting reset to 0 during an unbind or when the epfiles are closed. If +the same function is re-bound and the descriptors are re-written, this +results in those count/length variables to monotonically increase +causing the VLA allocation in _ffs_func_bind() to grow larger and larger +at each bind/unbind cycle and eventually fail to allocate. + +Fix this by clearing the ms_os_descs_ext_prop count & lengths to 0 in +ffs_data_reset(). + +Fixes: f0175ab51993 ("usb: gadget: f_fs: OS descriptors support") +Cc: stable@vger.kernel.org +Signed-off-by: Udipto Goswami +Signed-off-by: Sriharsha Allenki +Reviewed-by: Manu Gautam +Link: https://lore.kernel.org/r/20200402044521.9312-1-sallenki@codeaurora.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/function/f_fs.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/gadget/function/f_fs.c ++++ b/drivers/usb/gadget/function/f_fs.c +@@ -1511,6 +1511,10 @@ static void ffs_data_reset(struct ffs_da + ffs->state = FFS_READ_DESCRIPTORS; + ffs->setup_state = FFS_NO_SETUP; + ffs->flags = 0; ++ ++ ffs->ms_os_descs_ext_prop_count = 0; ++ ffs->ms_os_descs_ext_prop_name_len = 0; ++ ffs->ms_os_descs_ext_prop_data_len = 0; + } + +