From: Greg Kroah-Hartman Date: Thu, 15 Jul 2021 14:14:35 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v5.4.133~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c45584bbbe4022b4255f3cbe3a3be3a99d32f4cb;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch power-supply-ab8500-fix-an-old-bug.patch seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch --- diff --git a/queue-4.4/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch b/queue-4.4/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch new file mode 100644 index 00000000000..547bc78ceed --- /dev/null +++ b/queue-4.4/asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch @@ -0,0 +1,120 @@ +From f6eb84fa596abf28959fc7e0b626f925eb1196c7 Mon Sep 17 00:00:00 2001 +From: Dmitry Osipenko +Date: Sat, 29 May 2021 18:46:46 +0300 +Subject: ASoC: tegra: Set driver_name=tegra for all machine drivers + +From: Dmitry Osipenko + +commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream. + +The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise +Tegra UCMs don't match by the path/name. + +All Tegra machine drivers are specifying the card's name, but it has no +effect if model name is specified in the device-tree since it overrides +the card's name. We need to set the driver_name to "tegra" in order to +get a usable lookup path for the updated ALSA UCMs. The new UCM lookup +path has a form of driver_name/card_name. + +The old lookup paths that are based on driver module name continue to +work as before. Note that UCM matching never worked for Tegra ASoC drivers +if they were compiled as built-in, this is fixed by supporting the new +naming scheme. + +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Osipenko +Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/tegra/tegra_alc5632.c | 1 + + sound/soc/tegra/tegra_max98090.c | 1 + + sound/soc/tegra/tegra_rt5640.c | 1 + + sound/soc/tegra/tegra_rt5677.c | 1 + + sound/soc/tegra/tegra_wm8753.c | 1 + + sound/soc/tegra/tegra_wm8903.c | 1 + + sound/soc/tegra/tegra_wm9712.c | 1 + + sound/soc/tegra/trimslice.c | 1 + + 8 files changed, 8 insertions(+) + +--- a/sound/soc/tegra/tegra_alc5632.c ++++ b/sound/soc/tegra/tegra_alc5632.c +@@ -149,6 +149,7 @@ static struct snd_soc_dai_link tegra_alc + + static struct snd_soc_card snd_soc_tegra_alc5632 = { + .name = "tegra-alc5632", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .remove = tegra_alc5632_card_remove, + .dai_link = &tegra_alc5632_dai, +--- a/sound/soc/tegra/tegra_max98090.c ++++ b/sound/soc/tegra/tegra_max98090.c +@@ -205,6 +205,7 @@ static struct snd_soc_dai_link tegra_max + + static struct snd_soc_card snd_soc_tegra_max98090 = { + .name = "tegra-max98090", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .remove = tegra_max98090_card_remove, + .dai_link = &tegra_max98090_dai, +--- a/sound/soc/tegra/tegra_rt5640.c ++++ b/sound/soc/tegra/tegra_rt5640.c +@@ -150,6 +150,7 @@ static struct snd_soc_dai_link tegra_rt5 + + static struct snd_soc_card snd_soc_tegra_rt5640 = { + .name = "tegra-rt5640", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .remove = tegra_rt5640_card_remove, + .dai_link = &tegra_rt5640_dai, +--- a/sound/soc/tegra/tegra_rt5677.c ++++ b/sound/soc/tegra/tegra_rt5677.c +@@ -198,6 +198,7 @@ static struct snd_soc_dai_link tegra_rt5 + + static struct snd_soc_card snd_soc_tegra_rt5677 = { + .name = "tegra-rt5677", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .remove = tegra_rt5677_card_remove, + .dai_link = &tegra_rt5677_dai, +--- a/sound/soc/tegra/tegra_wm8753.c ++++ b/sound/soc/tegra/tegra_wm8753.c +@@ -110,6 +110,7 @@ static struct snd_soc_dai_link tegra_wm8 + + static struct snd_soc_card snd_soc_tegra_wm8753 = { + .name = "tegra-wm8753", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .dai_link = &tegra_wm8753_dai, + .num_links = 1, +--- a/sound/soc/tegra/tegra_wm8903.c ++++ b/sound/soc/tegra/tegra_wm8903.c +@@ -227,6 +227,7 @@ static struct snd_soc_dai_link tegra_wm8 + + static struct snd_soc_card snd_soc_tegra_wm8903 = { + .name = "tegra-wm8903", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .dai_link = &tegra_wm8903_dai, + .num_links = 1, +--- a/sound/soc/tegra/tegra_wm9712.c ++++ b/sound/soc/tegra/tegra_wm9712.c +@@ -59,6 +59,7 @@ static struct snd_soc_dai_link tegra_wm9 + + static struct snd_soc_card snd_soc_tegra_wm9712 = { + .name = "tegra-wm9712", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .dai_link = &tegra_wm9712_dai, + .num_links = 1, +--- a/sound/soc/tegra/trimslice.c ++++ b/sound/soc/tegra/trimslice.c +@@ -103,6 +103,7 @@ static struct snd_soc_dai_link trimslice + + static struct snd_soc_card snd_soc_trimslice = { + .name = "tegra-trimslice", ++ .driver_name = "tegra", + .owner = THIS_MODULE, + .dai_link = &trimslice_tlv320aic23_dai, + .num_links = 1, diff --git a/queue-4.4/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch b/queue-4.4/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch new file mode 100644 index 00000000000..9450012aa81 --- /dev/null +++ b/queue-4.4/dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch @@ -0,0 +1,60 @@ +From b6e58b5466b2959f83034bead2e2e1395cca8aeb Mon Sep 17 00:00:00 2001 +From: Hou Tao +Date: Thu, 17 Jun 2021 15:45:47 +0800 +Subject: dm btree remove: assign new_root only when removal succeeds + +From: Hou Tao + +commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream. + +remove_raw() in dm_btree_remove() may fail due to IO read error +(e.g. read the content of origin block fails during shadowing), +and the value of shadow_spine::root is uninitialized, but +the uninitialized value is still assign to new_root in the +end of dm_btree_remove(). + +For dm-thin, the value of pmd->details_root or pmd->root will become +an uninitialized value, so if trying to read details_info tree again +out-of-bound memory may occur as showed below: + + general protection fault, probably for non-canonical address 0x3fdcb14c8d7520 + CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6 + Hardware name: QEMU Standard PC + RIP: 0010:metadata_ll_load_ie+0x14/0x30 + Call Trace: + sm_metadata_count_is_more_than_one+0xb9/0xe0 + dm_tm_shadow_block+0x52/0x1c0 + shadow_step+0x59/0xf0 + remove_raw+0xb2/0x170 + dm_btree_remove+0xf4/0x1c0 + dm_pool_delete_thin_device+0xc3/0x140 + pool_message+0x218/0x2b0 + target_message+0x251/0x290 + ctl_ioctl+0x1c4/0x4d0 + dm_ctl_ioctl+0xe/0x20 + __x64_sys_ioctl+0x7b/0xb0 + do_syscall_64+0x40/0xb0 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixing it by only assign new_root when removal succeeds + +Signed-off-by: Hou Tao +Cc: stable@vger.kernel.org +Signed-off-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman +--- + drivers/md/persistent-data/dm-btree-remove.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/persistent-data/dm-btree-remove.c ++++ b/drivers/md/persistent-data/dm-btree-remove.c +@@ -549,7 +549,8 @@ int dm_btree_remove(struct dm_btree_info + delete_at(n, index); + } + +- *new_root = shadow_root(&spine); ++ if (!r) ++ *new_root = shadow_root(&spine); + exit_shadow_spine(&spine); + + return r; diff --git a/queue-4.4/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch b/queue-4.4/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch new file mode 100644 index 00000000000..4d5e1cd24c1 --- /dev/null +++ b/queue-4.4/ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch @@ -0,0 +1,45 @@ +From 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 Mon Sep 17 00:00:00 2001 +From: Lv Yunlong +Date: Mon, 24 May 2021 02:32:05 -0700 +Subject: ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe + +From: Lv Yunlong + +commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream. + +In the out_err_bus_register error branch of tpci200_pci_probe, +tpci200->info->cfg_regs is freed by tpci200_uninstall()-> +tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs) +in the first time. + +But later, iounmap() is called to free tpci200->info->cfg_regs +again. + +My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall() +to avoid the double free. + +Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode") +Cc: stable +Acked-by: Samuel Iglesias Gonsalvez +Signed-off-by: Lv Yunlong +Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn +Signed-off-by: Greg Kroah-Hartman +--- + drivers/ipack/carriers/tpci200.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/ipack/carriers/tpci200.c ++++ b/drivers/ipack/carriers/tpci200.c +@@ -591,8 +591,11 @@ static int tpci200_pci_probe(struct pci_ + + out_err_bus_register: + tpci200_uninstall(tpci200); ++ /* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */ ++ tpci200->info->cfg_regs = NULL; + out_err_install: +- iounmap(tpci200->info->cfg_regs); ++ if (tpci200->info->cfg_regs) ++ iounmap(tpci200->info->cfg_regs); + out_err_ioremap: + pci_release_region(pdev, TPCI200_CFG_MEM_BAR); + out_err_pci_request: diff --git a/queue-4.4/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch b/queue-4.4/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch new file mode 100644 index 00000000000..8af028d9f4a --- /dev/null +++ b/queue-4.4/ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch @@ -0,0 +1,72 @@ +From 2253042d86f57d90a621ac2513a7a7a13afcf809 Mon Sep 17 00:00:00 2001 +From: Petr Pavlu +Date: Thu, 13 May 2021 14:26:36 +0200 +Subject: ipmi/watchdog: Stop watchdog timer when the current action is 'none' + +From: Petr Pavlu + +commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream. + +When an IPMI watchdog timer is being stopped in ipmi_close() or +ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to +WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called +to install this action. The latter function ends up invoking +__ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI +request. + +For IPMI 1.0, this operation results in fully stopping the watchdog timer. +For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't +stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes +that the watchdog timer has its action correctly updated to 'none' but the +timer continues to run. A problem is that IPMI firmware can then still log +an expiration event when the configured timeout is reached, which is +unexpected because the watchdog timer was requested to be stopped. + +The patch fixes this problem by not setting the "don't stop" flag in +__ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which +results in stopping the watchdog timer. This makes the behaviour for +IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in +__ipmi_heartbeat() which does not allow to reset the watchdog if the +current action is WDOG_TIMEOUT_NONE as that would start the timer. + +Signed-off-by: Petr Pavlu +Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com> +Cc: stable@vger.kernel.org +Signed-off-by: Corey Minyard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/ipmi/ipmi_watchdog.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/char/ipmi/ipmi_watchdog.c ++++ b/drivers/char/ipmi/ipmi_watchdog.c +@@ -393,16 +393,18 @@ static int i_ipmi_set_timeout(struct ipm + data[0] = 0; + WDOG_SET_TIMER_USE(data[0], WDOG_TIMER_USE_SMS_OS); + +- if ((ipmi_version_major > 1) +- || ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) { +- /* This is an IPMI 1.5-only feature. */ +- data[0] |= WDOG_DONT_STOP_ON_SET; +- } else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) { +- /* +- * In ipmi 1.0, setting the timer stops the watchdog, we +- * need to start it back up again. +- */ +- hbnow = 1; ++ if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) { ++ if ((ipmi_version_major > 1) || ++ ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) { ++ /* This is an IPMI 1.5-only feature. */ ++ data[0] |= WDOG_DONT_STOP_ON_SET; ++ } else { ++ /* ++ * In ipmi 1.0, setting the timer stops the watchdog, we ++ * need to start it back up again. ++ */ ++ hbnow = 1; ++ } + } + + data[1] = 0; diff --git a/queue-4.4/power-supply-ab8500-fix-an-old-bug.patch b/queue-4.4/power-supply-ab8500-fix-an-old-bug.patch new file mode 100644 index 00000000000..192b2b2c549 --- /dev/null +++ b/queue-4.4/power-supply-ab8500-fix-an-old-bug.patch @@ -0,0 +1,38 @@ +From f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Sun, 27 Jun 2021 01:47:49 +0200 +Subject: power: supply: ab8500: Fix an old bug + +From: Linus Walleij + +commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream. + +Trying to get the AB8500 charging driver working I ran into a bit +of bitrot: we haven't used the driver for a while so errors in +refactorings won't be noticed. + +This one is pretty self evident: use argument to the macro or we +end up with a random pointer to something else. + +Cc: stable@vger.kernel.org +Cc: Krzysztof Kozlowski +Cc: Marcus Cooper +Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core") +Signed-off-by: Linus Walleij +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman +--- + include/linux/mfd/abx500/ux500_chargalg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mfd/abx500/ux500_chargalg.h ++++ b/include/linux/mfd/abx500/ux500_chargalg.h +@@ -15,7 +15,7 @@ + * - POWER_SUPPLY_TYPE_USB, + * because only them store as drv_data pointer to struct ux500_charger. + */ +-#define psy_to_ux500_charger(x) power_supply_get_drvdata(psy) ++#define psy_to_ux500_charger(x) power_supply_get_drvdata(x) + + /* Forward declaration */ + struct ux500_charger; diff --git a/queue-4.4/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch b/queue-4.4/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch new file mode 100644 index 00000000000..459845b1e43 --- /dev/null +++ b/queue-4.4/seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch @@ -0,0 +1,41 @@ +From d3b16034a24a112bb83aeb669ac5b9b01f744bb7 Mon Sep 17 00:00:00 2001 +From: Yun Zhou +Date: Sat, 26 Jun 2021 11:21:55 +0800 +Subject: seq_buf: Fix overflow in seq_buf_putmem_hex() + +From: Yun Zhou + +commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream. + +There's two variables being increased in that loop (i and j), and i +follows the raw data, and j follows what is being written into the buffer. +We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS. +Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the +destination buffer. + +Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/ +Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com + +Cc: stable@vger.kernel.org +Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method") +Signed-off-by: Yun Zhou +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman +--- + lib/seq_buf.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/lib/seq_buf.c ++++ b/lib/seq_buf.c +@@ -227,8 +227,10 @@ int seq_buf_putmem_hex(struct seq_buf *s + + WARN_ON(s->size == 0); + ++ BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS); ++ + while (len) { +- start_len = min(len, HEX_CHARS - 1); ++ start_len = min(len, MAX_MEMHEX_BYTES); + #ifdef __BIG_ENDIAN + for (i = 0, j = 0; i < start_len; i++) { + #else diff --git a/queue-4.4/series b/queue-4.4/series index 1a029e0670a..80ebdd979c6 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -128,3 +128,9 @@ mac80211-fix-memory-corruption-in-eapol-handling.patch powerpc-barrier-avoid-collision-with-clang-s-__lwsync-macro.patch mmc-sdhci-fix-warning-message-when-accessing-rpmb-in-hs400-mode.patch ata-ahci_sunxi-disable-dipm.patch +asoc-tegra-set-driver_name-tegra-for-all-machine-drivers.patch +ipmi-watchdog-stop-watchdog-timer-when-the-current-action-is-none.patch +power-supply-ab8500-fix-an-old-bug.patch +seq_buf-fix-overflow-in-seq_buf_putmem_hex.patch +ipack-carriers-tpci200-fix-a-double-free-in-tpci200_pci_probe.patch +dm-btree-remove-assign-new_root-only-when-removal-succeeds.patch