From 98d9f5d3893bf862b64921b493af9caa3bb52f92 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sun, 2 Jan 2022 16:57:06 -0500
Subject: [PATCH] Fixes for 4.14

Signed-off-by: Sasha Levin
---
 ...sing-put_device-call-in-fman_port_pr.patch | 82 ++++++++++++++
 ...sus-do-not-drop-long-ethernet-frames.patch | 63 +++++++++++
 ...-memory-leak-in-device-probe-and-rem.patch | 101 ++++++++++++++++++
 ...ate-string-in-lpfc_debugfs_nvmeio_tr.patch | 40 +++++++
 queue-4.14/series | 4 +
 5 files changed, 290 insertions(+)
 create mode 100644 queue-4.14/fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
 create mode 100644 queue-4.14/net-usb-pegasus-do-not-drop-long-ethernet-frames.patch
 create mode 100644 queue-4.14/nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch
 create mode 100644 queue-4.14/scsi-lpfc-terminate-string-in-lpfc_debugfs_nvmeio_tr.patch
diff --git a/queue-4.14/fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch b/queue-4.14/fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
new file mode 100644
index 00000000000..22b817a81fe
--- /dev/null
+++ b/queue-4.14/fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
@@ -0,0 +1,82 @@
+From 35d5c9f1059febbad4bab9a33cf1098f89b8fbd4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 30 Dec 2021 12:26:27 +0000
+Subject: fsl/fman: Fix missing put_device() call in fman_port_probe
+
+From: Miaoqian Lin
+
+[ Upstream commit bf2b09fedc17248b315f80fb249087b7d28a69a6 ]
+
+The reference taken by 'of_find_device_by_node()' must be released when
+not needed anymore.
+Add the corresponding 'put_device()' in the and error handling paths.
+
+Fixes: 18a6c85fcc78 ("fsl/fman: Add FMan Port Support")
+Signed-off-by: Miaoqian Lin
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/freescale/fman/fman_port.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/ethernet/freescale/fman/fman_port.c b/drivers/net/ethernet/freescale/fman/fman_port.c
+index ac3d791f52821..b7295f21aa580 100644
+--- a/drivers/net/ethernet/freescale/fman/fman_port.c
++++ b/drivers/net/ethernet/freescale/fman/fman_port.c
+@@ -1779,7 +1779,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ fman = dev_get_drvdata(&fm_pdev->dev);
+ if (!fman) {
+ err = -EINVAL;
+- goto return_err;
++ goto put_device;
+ }
+
+ err = of_property_read_u32(port_node, "cell-index", &val);
+@@ -1787,7 +1787,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ dev_err(port->dev, "%s: reading cell-index for %pOF failed\n",
+ __func__, port_node);
+ err = -EINVAL;
+- goto return_err;
++ goto put_device;
+ }
+ port_id = (u8)val;
+ port->dts_params.id = port_id;
+@@ -1821,7 +1821,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ } else {
+ dev_err(port->dev, "%s: Illegal port type\n", __func__);
+ err = -EINVAL;
+- goto return_err;
++ goto put_device;
+ }
+
+ port->dts_params.type = port_type;
+@@ -1835,7 +1835,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ dev_err(port->dev, "%s: incorrect qman-channel-id\n",
+ __func__);
+ err = -EINVAL;
+- goto return_err;
++ goto put_device;
+ }
+ port->dts_params.qman_channel_id = qman_channel_id;
+ }
+@@ -1845,7 +1845,7 @@ static int fman_port_probe(struct platform_device *of_dev)
+ dev_err(port->dev, "%s: of_address_to_resource() failed\n",
+ __func__);
+ err = -ENOMEM;
+- goto return_err;
++ goto put_device;
+ }
+
+ port->dts_params.fman = fman;
+@@ -1870,6 +1870,8 @@ static int fman_port_probe(struct platform_device *of_dev)
+
+ return 0;
+
++put_device:
++ put_device(&fm_pdev->dev);
+ return_err:
+ of_node_put(port_node);
+ free_port:
+--
+2.34.1
+
diff --git a/queue-4.14/net-usb-pegasus-do-not-drop-long-ethernet-frames.patch b/queue-4.14/net-usb-pegasus-do-not-drop-long-ethernet-frames.patch
new file mode 100644
index 00000000000..002e0d79be0
--- /dev/null
+++ b/queue-4.14/net-usb-pegasus-do-not-drop-long-ethernet-frames.patch
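Review bot: In the queued fman_port.c change, the new label `put_device:` is spelled exactly like the function called on the line below it, which makes the unwind ladder harder to read next to `return_err:` and `free_port:`; naming it after the object being released, e.g. `put_fm_dev:`, would match the other labels. The success path (`return 0;`) still holds the reference that the commit message says comes from of_find_device_by_node(). If that is intentional because the port keeps using `fman`, a comment such as `/* fm_pdev reference is kept while the port uses fman */` above `return 0;` would record it. The lines that take the reference and the rest of fman_port_probe() are outside the hunks shown, so this needs confirming against the full function.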
@@ -0,0 +1,63 @@
+From 660ac47e537f2d39ef949876dea1019e01500372 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 26 Dec 2021 23:12:08 +0100
+Subject: net: usb: pegasus: Do not drop long Ethernet frames
+
+From: Matthias-Christian Ott
+
+[ Upstream commit ca506fca461b260ab32952b610c3d4aadc6c11fd ]
+
+The D-Link DSB-650TX (2001:4002) is unable to receive Ethernet frames
+that are longer than 1518 octets, for example, Ethernet frames that
+contain 802.1Q VLAN tags.
+
+The frames are sent to the pegasus driver via USB but the driver
+discards them because they have the Long_pkt field set to 1 in the
+received status report. The function read_bulk_callback of the pegasus
+driver treats such received "packets" (in the terminology of the
+hardware) as errors but the field simply does just indicate that the
+Ethernet frame (MAC destination to FCS) is longer than 1518 octets.
+
+It seems that in the 1990s there was a distinction between
+"giant" (> 1518) and "runt" (< 64) frames and the hardware includes
+flags to indicate this distinction. It seems that the purpose of the
+distinction "giant" frames was to not allow infinitely long frames due
+to transmission errors and to allow hardware to have an upper limit of
+the frame size. However, the hardware already has such limit with its
+2048 octet receive buffer and, therefore, Long_pkt is merely a
+convention and should not be treated as a receive error.
+
+Actually, the hardware is even able to receive Ethernet frames with 2048
+octets which exceeds the claimed limit frame size limit of the driver of
+1536 octets (PEGASUS_MTU).
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Matthias-Christian Ott
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/usb/pegasus.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/net/usb/pegasus.c b/drivers/net/usb/pegasus.c
+index d18a283a0ccff..408b996ff4dfb 100644
+--- a/drivers/net/usb/pegasus.c
++++ b/drivers/net/usb/pegasus.c
+@@ -498,11 +498,11 @@ static void read_bulk_callback(struct urb *urb)
+ goto goon;
+
+ rx_status = buf[count - 2];
+- if (rx_status & 0x1e) {
++ if (rx_status & 0x1c) {
+ netif_dbg(pegasus, rx_err, net,
+ "RX packet error %x\n", rx_status);
+ net->stats.rx_errors++;
+- if (rx_status & 0x06) /* long or runt */
++ if (rx_status & 0x04) /* runt */
+ net->stats.rx_length_errors++;
+ if (rx_status & 0x08)
+ net->stats.rx_crc_errors++;
+--
+2.34.1
+
diff --git a/queue-4.14/nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch b/queue-4.14/nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch
new file mode 100644
index 00000000000..e0f10fcdadc
--- /dev/null
+++ b/queue-4.14/nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch
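Review bot: In read_bulk_callback() (pegasus.c), once `rx_status & 0x1c` stops rejecting Long_pkt frames, whatever length check follows becomes the only thing keeping a device-reported frame length within the receive skb, and that check is not visible in this hunk. The commit message itself notes that the hardware can deliver 2048-octet frames while the driver's limit is 1536 octets (PEGASUS_MTU), so it is worth confirming that the code after this block bounds the packet length before it is used. Once confirmed, a comment above the test such as `/* Long_pkt (0x02) is informational; frame length is bounded separately */` would record why the bit is ignored. The bare masks `0x1c`, `0x04` and `0x08` would also read better as named status-bit constants. The function starts and ends outside the hunk.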
@@ -0,0 +1,101 @@
+From 1dfdb3198fd10c5d46976f15381dd72e87b683c7 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 28 Dec 2021 12:48:11 +0000
+Subject: NFC: st21nfca: Fix memory leak in device probe and remove
+
+From: Wei Yongjun
+
+[ Upstream commit 1b9dadba502234eea7244879b8d5d126bfaf9f0c ]
+
+'phy->pending_skb' is alloced when device probe, but forgot to free
+in the error handling path and remove path, this cause memory leak
+as follows:
+
+unreferenced object 0xffff88800bc06800 (size 512):
+ comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
+ hex dump (first 32 bytes):
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace:
+ [<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450
+ [<00000000c93382b3>] kmalloc_reserve+0x37/0xd0
+ [<000000005fea522c>] __alloc_skb+0x124/0x380
+ [<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2
+
+Fix it by freeing 'pending_skb' in error and remove.
+
+Fixes: 68957303f44a ("NFC: ST21NFCA: Add driver for STMicroelectronics ST21NFCA NFC Chip")
+Reported-by: Hulk Robot
+Signed-off-by: Wei Yongjun
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/nfc/st21nfca/i2c.c | 29 ++++++++++++++++++++---------
+ 1 file changed, 20 insertions(+), 9 deletions(-)
+
+diff --git a/drivers/nfc/st21nfca/i2c.c b/drivers/nfc/st21nfca/i2c.c
+index cd1f7bfa75ebe..dc9dd66cf6735 100644
+--- a/drivers/nfc/st21nfca/i2c.c
++++ b/drivers/nfc/st21nfca/i2c.c
+@@ -544,7 +544,8 @@ static int st21nfca_hci_i2c_probe(struct i2c_client *client,
+ phy->gpiod_ena = devm_gpiod_get(dev, "enable", GPIOD_OUT_LOW);
+ if (IS_ERR(phy->gpiod_ena)) {
+ nfc_err(dev, "Unable to get ENABLE GPIO\n");
+- return PTR_ERR(phy->gpiod_ena);
++ r = PTR_ERR(phy->gpiod_ena);
++ goto out_free;
+ }
+
+ phy->se_status.is_ese_present =
+@@ -555,7 +556,7 @@ static int st21nfca_hci_i2c_probe(struct i2c_client *client,
+ r = st21nfca_hci_platform_init(phy);
+ if (r < 0) {
+ nfc_err(&client->dev, "Unable to reboot st21nfca\n");
+- return r;
++ goto out_free;
+ }
+
+ r = devm_request_threaded_irq(&client->dev, client->irq, NULL,
+@@ -564,15 +565,23 @@ static int st21nfca_hci_i2c_probe(struct i2c_client *client,
+ ST21NFCA_HCI_DRIVER_NAME, phy);
+ if (r < 0) {
+ nfc_err(&client->dev, "Unable to register IRQ handler\n");
+- return r;
++ goto out_free;
+ }
+
+- return st21nfca_hci_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
+- ST21NFCA_FRAME_HEADROOM,
+- ST21NFCA_FRAME_TAILROOM,
+- ST21NFCA_HCI_LLC_MAX_PAYLOAD,
+- &phy->hdev,
+- &phy->se_status);
++ r = st21nfca_hci_probe(phy, &i2c_phy_ops, LLC_SHDLC_NAME,
++ ST21NFCA_FRAME_HEADROOM,
++ ST21NFCA_FRAME_TAILROOM,
++ ST21NFCA_HCI_LLC_MAX_PAYLOAD,
++ &phy->hdev,
++ &phy->se_status);
++ if (r)
++ goto out_free;
++
++ return 0;
++
++out_free:
++ kfree_skb(phy->pending_skb);
++ return r;
+ }
+
+ static int st21nfca_hci_i2c_remove(struct i2c_client *client)
+@@ -585,6 +594,8 @@ static int st21nfca_hci_i2c_remove(struct i2c_client *client)
+
+ if (phy->powered)
+ st21nfca_hci_i2c_disable(phy);
++ if (phy->pending_skb)
++ kfree_skb(phy->pending_skb);
+
+ return 0;
+ }
+--
+2.34.1
+
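Review bot: In st21nfca_hci_i2c_probe(), the new `out_free:` path calls `kfree_skb(phy->pending_skb)` after `devm_request_threaded_irq(...)` has registered a handler with `phy` as its cookie, and devm-managed IRQs are only released after probe (or remove) returns. If the threaded handler reads into `phy->pending_skb` (the handler is not visible in these hunks), an interrupt arriving in that window would touch freed memory; the same ordering applies to the `kfree_skb()` added in st21nfca_hci_i2c_remove(). Releasing the interrupt first on the paths where it was requested, e.g. `devm_free_irq(&client->dev, client->irq, phy);` ahead of the `kfree_skb()`, would close the window. Separately, the `if (phy->pending_skb)` guard in remove is redundant, because kfree_skb() accepts NULL.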
diff --git a/queue-4.14/scsi-lpfc-terminate-string-in-lpfc_debugfs_nvmeio_tr.patch b/queue-4.14/scsi-lpfc-terminate-string-in-lpfc_debugfs_nvmeio_tr.patch
new file mode 100644
index 00000000000..e6b2355b012
--- /dev/null
+++ b/queue-4.14/scsi-lpfc-terminate-string-in-lpfc_debugfs_nvmeio_tr.patch
@@ -0,0 +1,40 @@
+From 5cfbfca29ad49f1c782e9b1b64803717c01c85fb Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 14 Dec 2021 10:05:27 +0300
+Subject: scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
+
+From: Dan Carpenter
+
+[ Upstream commit 9020be114a47bf7ff33e179b3bb0016b91a098e6 ]
+
+The "mybuf" string comes from the user, so we need to ensure that it is NUL
+terminated.
+
+Link: https://lore.kernel.org/r/20211214070527.GA27934@kili
+Fixes: bd2cdd5e400f ("scsi: lpfc: NVME Initiator: Add debugfs support")
+Reviewed-by: James Smart
+Signed-off-by: Dan Carpenter
+Signed-off-by: Martin K. Petersen
+Signed-off-by: Sasha Levin
+---
+ drivers/scsi/lpfc/lpfc_debugfs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
+index c77ad2b78ce49..39a1c9e18c0ea 100644
+--- a/drivers/scsi/lpfc/lpfc_debugfs.c
++++ b/drivers/scsi/lpfc/lpfc_debugfs.c
+@@ -2177,8 +2177,8 @@ lpfc_debugfs_nvmeio_trc_write(struct file *file, const char __user *buf,
+ char mybuf[64];
+ char *pbuf;
+
+- if (nbytes > 64)
+- nbytes = 64;
++ if (nbytes > 63)
++ nbytes = 63;
+
+ memset(mybuf, 0, sizeof(mybuf));
+
+--
+2.34.1
+
diff --git a/queue-4.14/series b/queue-4.14/series
index 99a1867bbff..b3596e433ae 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
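Review bot: In lpfc_debugfs_nvmeio_trc_write(), the new clamp hard-codes `63` against `char mybuf[64]`, so the NUL-termination guarantee silently breaks if the array size is ever changed. Tying the bound to the buffer keeps the two in step: `if (nbytes > sizeof(mybuf) - 1)` followed by `nbytes = sizeof(mybuf) - 1;`. The copy from `buf` and the parsing of `mybuf` are outside the hunk, so this assumes the `memset()` shown is what supplies the terminator. Other debugfs write handlers in this file may use the same `nbytes > 64` clamp and would be worth checking in the same pass.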
@@ -3,3 +3,7 @@ tee-handle-lookup-of-shm-with-reference-count-0.patch
 platform-x86-apple-gmux-use-resource_size-with-res.patch
 recordmcount.pl-fix-typo-in-s390-mcount-regex.patch
 selinux-initialize-proto-variable-in-selinux_ip_postroute_compat.patch
+scsi-lpfc-terminate-string-in-lpfc_debugfs_nvmeio_tr.patch
+net-usb-pegasus-do-not-drop-long-ethernet-frames.patch
+nfc-st21nfca-fix-memory-leak-in-device-probe-and-rem.patch
+fsl-fman-fix-missing-put_device-call-in-fman_port_pr.patch
--
2.47.3