From a29d85099cef04767a0d9407794bc63380e25a38 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Mon, 21 Nov 2022 00:02:43 -0500
Subject: [PATCH] Fixes for 4.19
Signed-off-by: Sasha Levin
---
...e-fix-use-after-free-in-snd_soc_exit.patch | 89 +++++++++++++++
...-remove-__exit-for-snd_soc_util_exit.patch | 39 +++++++
...port-fix-double-ata_host_put-in-ata_.patch | 66 +++++++++++
...ed-opal-kmalloc-the-cmd-resp-buffers.patch | 104 ++++++++++++++++++
...ebugfs-when-pci_register_driver-fail.patch | 50 +++++++++
...-return-value-checking-when-getflags.patch | 45 ++++++++
...use-after-free-in-drbd_create_device.patch | 50 +++++++++
...-of-put_device-in-misdn_register_dev.patch | 35 ++++++
...le-memory-leak-in-misdn_dsp_element_.patch | 51 +++++++++
...p-free_netdev-from-bgmac_enet_remove.patch | 38 +++++++
...ble-disconnect-client-in-chnl_net_op.patch | 37 +++++++
...olt-fix-error-handling-in-tbnet_init.patch | 73 ++++++++++++
...x-skb-leak-in-x25_lapb_receive_frame.patch | 39 +++++++
...-avoid-fifo-port-location-truncation.patch | 43 ++++++++
...ee-fix-null-pointer-dereferencing-in.patch | 48 ++++++++
...250-omap-flush-pm-qos-work-on-remove.patch | 39 +++++++
...-remove-wait-loop-from-errata-i202-w.patch | 67 +++++++++++
...ial-imx-add-missing-.thaw_noirq-hook.patch | 95 ++++++++++++++++
queue-4.19/series | 21 ++++
...sible-memory-leak-in-siox_device_add.patch | 46 ++++++++
...eep-in-atomic-context-bug-in-gsm_con.patch | 49 +++++++++
...ossible-memory-leak-in-register_pcpu.patch | 40 +++++++
22 files changed, 1164 insertions(+)
create mode 100644 queue-4.19/asoc-core-fix-use-after-free-in-snd_soc_exit.patch
create mode 100644 queue-4.19/asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
create mode 100644 queue-4.19/ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
create mode 100644 queue-4.19/block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
create mode 100644 queue-4.19/bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
create mode 100644 queue-4.19/cifs-fix-wrong-return-value-checking-when-getflags.patch
create mode 100644 queue-4.19/drbd-use-after-free-in-drbd_create_device.patch
create mode 100644 queue-4.19/misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
create mode 100644 queue-4.19/misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
create mode 100644 queue-4.19/net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
create mode 100644 queue-4.19/net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
create mode 100644 queue-4.19/net-thunderbolt-fix-error-handling-in-tbnet_init.patch
create mode 100644 queue-4.19/net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
create mode 100644 queue-4.19/parport_pc-avoid-fifo-port-location-truncation.patch
create mode 100644 queue-4.19/pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
create mode 100644 queue-4.19/serial-8250-omap-flush-pm-qos-work-on-remove.patch
create mode 100644 queue-4.19/serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
create mode 100644 queue-4.19/serial-imx-add-missing-.thaw_noirq-hook.patch
create mode 100644 queue-4.19/siox-fix-possible-memory-leak-in-siox_device_add.patch
create mode 100644 queue-4.19/tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
create mode 100644 queue-4.19/xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
diff --git a/queue-4.19/asoc-core-fix-use-after-free-in-snd_soc_exit.patch b/queue-4.19/asoc-core-fix-use-after-free-in-snd_soc_exit.patch
new file mode 100644
index 00000000000..8b936cdedc7
--- /dev/null
+++ b/queue-4.19/asoc-core-fix-use-after-free-in-snd_soc_exit.patch
@@ -0,0 +1,89 @@
+From d60714bb3fe195798e5e0a733c6b4903b83022ac Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Oct 2022 11:16:03 +0800
+Subject: ASoC: core: Fix use-after-free in snd_soc_exit()
+
+From: Chen Zhongjin
+
+[ Upstream commit 6ec27c53886c8963729885bcf2dd996eba2767a7 ]
+
+KASAN reports a use-after-free:
+
+BUG: KASAN: use-after-free in device_del+0xb5b/0xc60
+Read of size 8 at addr ffff888008655050 by task rmmod/387
+CPU: 2 PID: 387 Comm: rmmod
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
+Call Trace:
+
+dump_stack_lvl+0x79/0x9a
+print_report+0x17f/0x47b
+kasan_report+0xbb/0xf0
+device_del+0xb5b/0xc60
+platform_device_del.part.0+0x24/0x200
+platform_device_unregister+0x2e/0x40
+snd_soc_exit+0xa/0x22 [snd_soc_core]
+__do_sys_delete_module.constprop.0+0x34f/0x5b0
+do_syscall_64+0x3a/0x90
+entry_SYSCALL_64_after_hwframe+0x63/0xcd
+...
+
+
+It's bacause in snd_soc_init(), snd_soc_util_init() is possble to fail,
+but its ret is ignored, which makes soc_dummy_dev unregistered twice.
+
+snd_soc_init()
+ snd_soc_util_init()
+ platform_device_register_simple(soc_dummy_dev)
+ platform_driver_register() # fail
+ platform_device_unregister(soc_dummy_dev)
+ platform_driver_register() # success
+...
+snd_soc_exit()
+ snd_soc_util_exit()
+ # soc_dummy_dev will be unregistered for second time
+
+To fix it, handle error and stop snd_soc_init() when util_init() fail.
+Also clean debugfs when util_init() or driver_register() fail.
+
+Fixes: fb257897bf20 ("ASoC: Work around allmodconfig failure")
+Signed-off-by: Chen Zhongjin
+Link: https://lore.kernel.org/r/20221028031603.59416-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-core.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
+index 9ca7dff5593d..07875867f5c2 100644
+--- a/sound/soc/soc-core.c
++++ b/sound/soc/soc-core.c
+@@ -3863,10 +3863,23 @@ EXPORT_SYMBOL_GPL(snd_soc_of_get_dai_link_codecs);
+
+ static int __init snd_soc_init(void)
+ {
++ int ret;
++
+ snd_soc_debugfs_init();
+- snd_soc_util_init();
++ ret = snd_soc_util_init();
++ if (ret)
++ goto err_util_init;
+
+- return platform_driver_register(&soc_driver);
++ ret = platform_driver_register(&soc_driver);
++ if (ret)
++ goto err_register;
++ return 0;
++
++err_register:
++ snd_soc_util_exit();
++err_util_init:
++ snd_soc_debugfs_exit();
++ return ret;
+ }
+ module_init(snd_soc_init);
+
+--
+2.35.1
+
diff --git a/queue-4.19/asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch b/queue-4.19/asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
new file mode 100644
index 00000000000..479fb8aad91
--- /dev/null
+++ b/queue-4.19/asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
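Review bot: In asoc-core-fix-use-after-free-in-snd_soc_exit.patch, the new `err_register:` path calls `snd_soc_util_exit()` from the `__init` function `snd_soc_init()`, and nothing in this hunk changes how that helper is annotated. If it is still marked `__exit` in the 4.19 tree, the error path refers to code that can be discarded, which is the modpost section mismatch quoted in asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch from this same queue. The two patches therefore have to be applied, and if necessary dropped, as a pair. A comment above the label such as `/* snd_soc_util_exit() is called from init, so it must not be __exit */` would record that dependency in the code.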
@@ -0,0 +1,39 @@
+From a7cfa1e71a6b931e8a9125f53bc49301ac32c06c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 31 Oct 2022 21:40:31 +0800
+Subject: ASoC: soc-utils: Remove __exit for snd_soc_util_exit()
+
+From: Chen Zhongjin
+
+[ Upstream commit 314d34fe7f0a5836cb0472950c1f17744b4efde8 ]
+
+snd_soc_util_exit() is called in __init snd_soc_init() for cleanup.
+Remove the __exit annotation for it to fix the build warning:
+
+WARNING: modpost: sound/soc/snd-soc-core.o: section mismatch in reference: init_module (section: .init.text) -> snd_soc_util_exit (section: .exit.text)
+
+Fixes: 6ec27c53886c ("ASoC: core: Fix use-after-free in snd_soc_exit()")
+Signed-off-by: Chen Zhongjin
+Link: https://lore.kernel.org/r/20221031134031.256511-1-chenzhongjin@huawei.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ sound/soc/soc-utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sound/soc/soc-utils.c b/sound/soc/soc-utils.c
+index e0c93496c0cd..ba7e5ee30f66 100644
+--- a/sound/soc/soc-utils.c
++++ b/sound/soc/soc-utils.c
+@@ -373,7 +373,7 @@ int __init snd_soc_util_init(void)
+ return ret;
+ }
+
+-void __exit snd_soc_util_exit(void)
++void snd_soc_util_exit(void)
+ {
+ platform_driver_unregister(&soc_dummy_driver);
+ platform_device_unregister(soc_dummy_dev);
+--
+2.35.1
+
diff --git a/queue-4.19/ata-libata-transport-fix-double-ata_host_put-in-ata_.patch b/queue-4.19/ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
new file mode 100644
index 00000000000..6e7346aedbd
--- /dev/null
+++ b/queue-4.19/ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
@@ -0,0 +1,66 @@
+From d917ed43a3555ad243eba2b07e2e33fe8e8a4308 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 8 Nov 2022 21:40:01 +0800
+Subject: ata: libata-transport: fix double ata_host_put() in ata_tport_add()
+
+From: Yang Yingliang
+
+[ Upstream commit 8c76310740807ade5ecdab5888f70ecb6d35732e ]
+
+In the error path in ata_tport_add(), when calling put_device(),
+ata_tport_release() is called, it will put the refcount of 'ap->host'.
+
+And then ata_host_put() is called again, the refcount is decreased
+to 0, ata_host_release() is called, all ports are freed and set to
+null.
+
+When unbinding the device after failure, ata_host_stop() is called
+to release the resources, it leads a null-ptr-deref(), because all
+the ports all freed and null.
+
+Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
+CPU: 7 PID: 18671 Comm: modprobe Kdump: loaded Tainted: G E 6.1.0-rc3+ #8
+pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
+pc : ata_host_stop+0x3c/0x84 [libata]
+lr : release_nodes+0x64/0xd0
+Call trace:
+ ata_host_stop+0x3c/0x84 [libata]
+ release_nodes+0x64/0xd0
+ devres_release_all+0xbc/0x1b0
+ device_unbind_cleanup+0x20/0x70
+ really_probe+0x158/0x320
+ __driver_probe_device+0x84/0x120
+ driver_probe_device+0x44/0x120
+ __driver_attach+0xb4/0x220
+ bus_for_each_dev+0x78/0xdc
+ driver_attach+0x2c/0x40
+ bus_add_driver+0x184/0x240
+ driver_register+0x80/0x13c
+ __pci_register_driver+0x4c/0x60
+ ahci_pci_driver_init+0x30/0x1000 [ahci]
+
+Fix this by removing redundant ata_host_put() in the error path.
+
+Fixes: 2623c7a5f279 ("libata: add refcounting to ata_host")
+Signed-off-by: Yang Yingliang
+Signed-off-by: Damien Le Moal
+Signed-off-by: Sasha Levin
+---
+ drivers/ata/libata-transport.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/ata/libata-transport.c b/drivers/ata/libata-transport.c
+index 43a91495ee67..f04f4f977400 100644
+--- a/drivers/ata/libata-transport.c
++++ b/drivers/ata/libata-transport.c
+@@ -317,7 +317,6 @@ int ata_tport_add(struct device *parent,
+ tport_err:
+ transport_destroy_device(dev);
+ put_device(dev);
+- ata_host_put(ap->host);
+ return error;
+ }
+
+--
+2.35.1
+
diff --git a/queue-4.19/block-sed-opal-kmalloc-the-cmd-resp-buffers.patch b/queue-4.19/block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
new file mode 100644
index 00000000000..2843a2fbecb
--- /dev/null
+++ b/queue-4.19/block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
@@ -0,0 +1,104 @@
+From 82d25b1592adf3374f70e77371b211add38b929b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 7 Nov 2022 23:39:44 +0300
+Subject: block: sed-opal: kmalloc the cmd/resp buffers
+
+From: Serge Semin
+
+[ Upstream commit f829230dd51974c1f4478900ed30bb77ba530b40 ]
+
+In accordance with [1] the DMA-able memory buffers must be
+cacheline-aligned otherwise the cache writing-back and invalidation
+performed during the mapping may cause the adjacent data being lost. It's
+specifically required for the DMA-noncoherent platforms [2]. Seeing the
+opal_dev.{cmd,resp} buffers are implicitly used for DMAs in the NVME and
+SCSI/SD drivers in framework of the nvme_sec_submit() and sd_sec_submit()
+methods respectively they must be cacheline-aligned to prevent the denoted
+problem. One of the option to guarantee that is to kmalloc the buffers
+[2]. Let's explicitly allocate them then instead of embedding into the
+opal_dev structure instance.
+
+Note this fix was inspired by the commit c94b7f9bab22 ("nvme-hwmon:
+kmalloc the NVME SMART log buffer").
+
+[1] Documentation/core-api/dma-api.rst
+[2] Documentation/core-api/dma-api-howto.rst
+
+Fixes: 455a7b238cd6 ("block: Add Sed-opal library")
+Signed-off-by: Serge Semin
+Reviewed-by: Christoph Hellwig
+Link: https://lore.kernel.org/r/20221107203944.31686-1-Sergey.Semin@baikalelectronics.ru
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ block/sed-opal.c | 32 ++++++++++++++++++++++++++++----
+ 1 file changed, 28 insertions(+), 4 deletions(-)
+
+diff --git a/block/sed-opal.c b/block/sed-opal.c
+index 119640897293..9651c40e093a 100644
+--- a/block/sed-opal.c
++++ b/block/sed-opal.c
+@@ -94,8 +94,8 @@ struct opal_dev {
+ u64 lowest_lba;
+
+ size_t pos;
+- u8 cmd[IO_BUFFER_LENGTH];
+- u8 resp[IO_BUFFER_LENGTH];
++ u8 *cmd;
++ u8 *resp;
+
+ struct parsed_resp parsed;
+ size_t prev_d_len;
+@@ -2028,6 +2028,8 @@ void free_opal_dev(struct opal_dev *dev)
+ if (!dev)
+ return;
+ clean_opal_dev(dev);
++ kfree(dev->resp);
++ kfree(dev->cmd);
+ kfree(dev);
+ }
+ EXPORT_SYMBOL(free_opal_dev);
+@@ -2040,16 +2042,38 @@ struct opal_dev *init_opal_dev(void *data, sec_send_recv *send_recv)
+ if (!dev)
+ return NULL;
+
++ /*
++ * Presumably DMA-able buffers must be cache-aligned. Kmalloc makes
++ * sure the allocated buffer is DMA-safe in that regard.
++ */
++ dev->cmd = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->cmd)
++ goto err_free_dev;
++
++ dev->resp = kmalloc(IO_BUFFER_LENGTH, GFP_KERNEL);
++ if (!dev->resp)
++ goto err_free_cmd;
++
+ INIT_LIST_HEAD(&dev->unlk_lst);
+ mutex_init(&dev->dev_lock);
+ dev->data = data;
+ dev->send_recv = send_recv;
+ if (check_opal_support(dev) != 0) {
+ pr_debug("Opal is not supported on this device\n");
+- kfree(dev);
+- return NULL;
++ goto err_free_resp;
+ }
+ return dev;
++
++err_free_resp:
++ kfree(dev->resp);
++
++err_free_cmd:
++ kfree(dev->cmd);
++
++err_free_dev:
++ kfree(dev);
++
++ return NULL;
+ }
+ EXPORT_SYMBOL(init_opal_dev);
+
+--
+2.35.1
+
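Review bot: In block-sed-opal-kmalloc-the-cmd-resp-buffers.patch, `free_opal_dev()` releases `dev->resp` and `dev->cmd` with plain `kfree()`, so the bytes of the last command and response stay readable in freed slab memory. These buffers carry the security-protocol traffic sent through `send_recv`, which presumably can include authentication material; the payload layout is outside this hunk, so that needs confirming. If it does, `kzfree(dev->resp); kzfree(dev->cmd);` is the matching release on a 4.19 tree. Separately, the added comment opens with "Presumably", which weakens a requirement the commit message cites from the DMA API documentation; `/* DMA buffers must not share a cacheline with other data; kmalloc() memory is DMA-safe. */` states it directly.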
diff --git a/queue-4.19/bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch b/queue-4.19/bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
new file mode 100644
index 00000000000..1a45a6fde99
--- /dev/null
+++ b/queue-4.19/bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
@@ -0,0 +1,50 @@
+From f5f471f27313f2af4fa0e638e1c4810977c9d653 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Nov 2022 15:04:33 +0800
+Subject: bnxt_en: Remove debugfs when pci_register_driver failed
+
+From: Gaosheng Cui
+
+[ Upstream commit 991aef4ee4f6eb999924f429b943441a32835c8f ]
+
+When pci_register_driver failed, we need to remove debugfs,
+which will caused a resource leak, fix it.
+
+Resource leak logs as follows:
+[ 52.184456] debugfs: Directory 'bnxt_en' with parent '/' already present!
+
+Fixes: cabfb09d87bd ("bnxt_en: add debugfs support for DIM")
+Signed-off-by: Gaosheng Cui
+Reviewed-by: Leon Romanovsky
+Reviewed-by: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bnxt/bnxt.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+index b49f8a97d753..dc106212259a 100644
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c
+@@ -9383,8 +9383,16 @@ static struct pci_driver bnxt_pci_driver = {
+
+ static int __init bnxt_init(void)
+ {
++ int err;
++
+ bnxt_debug_init();
+- return pci_register_driver(&bnxt_pci_driver);
++ err = pci_register_driver(&bnxt_pci_driver);
++ if (err) {
++ bnxt_debug_exit();
++ return err;
++ }
++
++ return 0;
+ }
+
+ static void __exit bnxt_exit(void)
+--
+2.35.1
+
diff --git a/queue-4.19/cifs-fix-wrong-return-value-checking-when-getflags.patch b/queue-4.19/cifs-fix-wrong-return-value-checking-when-getflags.patch
new file mode 100644
index 00000000000..9af4d85ce85
--- /dev/null
+++ b/queue-4.19/cifs-fix-wrong-return-value-checking-when-getflags.patch
@@ -0,0 +1,45 @@
+From ee298c784cbe9a68bd7c41d9fcea643af1e75679 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 18:39:34 +0800
+Subject: cifs: Fix wrong return value checking when GETFLAGS
+
+From: Zhang Xiaoxu
+
+[ Upstream commit 92bbd67a55fee50743b42825d1c016e7fd5c79f9 ]
+
+The return value of CIFSGetExtAttr is negative, should be checked
+with -EOPNOTSUPP rather than EOPNOTSUPP.
+
+Fixes: 64a5cfa6db94 ("Allow setting per-file compression via SMB2/3")
+Signed-off-by: Zhang Xiaoxu
+Signed-off-by: Steve French
+Signed-off-by: Sasha Levin
+---
+ fs/cifs/ioctl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/fs/cifs/ioctl.c b/fs/cifs/ioctl.c
+index 54f32f9143a9..5a7020e767e4 100644
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -149,7 +149,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ rc = put_user(ExtAttrBits &
+ FS_FL_USER_VISIBLE,
+ (int __user *)arg);
+- if (rc != EOPNOTSUPP)
++ if (rc != -EOPNOTSUPP)
+ break;
+ }
+ #endif /* CONFIG_CIFS_POSIX */
+@@ -178,7 +178,7 @@ long cifs_ioctl(struct file *filep, unsigned int command, unsigned long arg)
+ * pSMBFile->fid.netfid,
+ * extAttrBits,
+ * &ExtAttrMask);
+- * if (rc != EOPNOTSUPP)
++ * if (rc != -EOPNOTSUPP)
+ * break;
+ */
+
+--
+2.35.1
+
diff --git a/queue-4.19/drbd-use-after-free-in-drbd_create_device.patch b/queue-4.19/drbd-use-after-free-in-drbd_create_device.patch
new file mode 100644
index 00000000000..5256cc6f9f1
--- /dev/null
+++ b/queue-4.19/drbd-use-after-free-in-drbd_create_device.patch
@@ -0,0 +1,50 @@
+From 1dba2c450fa8d1f548ae3f28f9bb7ef20ac39356 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 15 Nov 2022 16:16:43 +0300
+Subject: drbd: use after free in drbd_create_device()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Dan Carpenter
+
+[ Upstream commit a7a1598189228b5007369a9622ccdf587be0730f ]
+
+The drbd_destroy_connection() frees the "connection" so use the _safe()
+iterator to prevent a use after free.
+
+Fixes: b6f85ef9538b ("drbd: Iterate over all connections")
+Signed-off-by: Dan Carpenter
+Reviewed-by: Christoph Böhmwalder
+Link: https://lore.kernel.org/r/Y3Jd5iZRbNQ9w6gm@kili
+Signed-off-by: Jens Axboe
+Signed-off-by: Sasha Levin
+---
+ drivers/block/drbd/drbd_main.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/block/drbd/drbd_main.c b/drivers/block/drbd/drbd_main.c
+index c3e4f9d83b29..3ae718aa6b39 100644
+--- a/drivers/block/drbd/drbd_main.c
++++ b/drivers/block/drbd/drbd_main.c
+@@ -2770,7 +2770,7 @@ static int init_submitter(struct drbd_device *device)
+ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsigned int minor)
+ {
+ struct drbd_resource *resource = adm_ctx->resource;
+- struct drbd_connection *connection;
++ struct drbd_connection *connection, *n;
+ struct drbd_device *device;
+ struct drbd_peer_device *peer_device, *tmp_peer_device;
+ struct gendisk *disk;
+@@ -2898,7 +2898,7 @@ enum drbd_ret_code drbd_create_device(struct drbd_config_context *adm_ctx, unsig
+ out_idr_remove_vol:
+ idr_remove(&connection->peer_devices, vnr);
+ out_idr_remove_from_resource:
+- for_each_connection(connection, resource) {
++ for_each_connection_safe(connection, n, resource) {
+ peer_device = idr_remove(&connection->peer_devices, vnr);
+ if (peer_device)
+ kref_put(&connection->kref, drbd_destroy_connection);
+--
+2.35.1
+
diff --git a/queue-4.19/misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch b/queue-4.19/misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
new file mode 100644
index 00000000000..b9adee6d6fa
--- /dev/null
+++ b/queue-4.19/misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
@@ -0,0 +1,35 @@
+From eee1f7be1b4845a923bcb2459f7c38e49dfc854f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 19:38:23 +0800
+Subject: mISDN: fix misuse of put_device() in mISDN_register_device()
+
+From: Wang ShaoBo
+
+[ Upstream commit 2d25107e111a85c56f601a5470f1780ec054e6ac ]
+
+We should not release reference by put_device() before calling device_initialize().
+
+Fixes: e7d1d4d9ac0d ("mISDN: fix possible memory leak in mISDN_register_device()")
+Signed-off-by: Wang ShaoBo
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/mISDN/core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/core.c b/drivers/isdn/mISDN/core.c
+index 5cd53b2c47c7..e542439f4950 100644
+--- a/drivers/isdn/mISDN/core.c
++++ b/drivers/isdn/mISDN/core.c
+@@ -231,7 +231,7 @@ mISDN_register_device(struct mISDNdevice *dev,
+
+ err = get_free_devid();
+ if (err < 0)
+- goto error1;
++ return err;
+ dev->id = err;
+
+ device_initialize(&dev->dev);
+--
+2.35.1
+
diff --git a/queue-4.19/misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch b/queue-4.19/misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
new file mode 100644
index 00000000000..7bc64409b41
--- /dev/null
+++ b/queue-4.19/misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
@@ -0,0 +1,51 @@
+From 5cf3cde64c209bb6b2e78a003419aa0adec9888e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 21:28:32 +0800
+Subject: mISDN: fix possible memory leak in mISDN_dsp_element_register()
+
+From: Yang Yingliang
+
+[ Upstream commit 98a2ac1ca8fd6eca6867726fe238d06e75eb1acd ]
+
+Afer commit 1fa5ae857bb1 ("driver core: get rid of struct device's
+bus_id string array"), the name of device is allocated dynamically,
+use put_device() to give up the reference, so that the name can be
+freed in kobject_cleanup() when the refcount is 0.
+
+The 'entry' is going to be freed in mISDN_dsp_dev_release(), so the
+kfree() is removed. list_del() is called in mISDN_dsp_dev_release(),
+so it need be initialized.
+
+Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array")
+Signed-off-by: Yang Yingliang
+Link: https://lore.kernel.org/r/20221109132832.3270119-1-yangyingliang@huawei.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/isdn/mISDN/dsp_pipeline.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/drivers/isdn/mISDN/dsp_pipeline.c b/drivers/isdn/mISDN/dsp_pipeline.c
+index e72b4e73cd61..796cae691560 100644
+--- a/drivers/isdn/mISDN/dsp_pipeline.c
++++ b/drivers/isdn/mISDN/dsp_pipeline.c
+@@ -97,6 +97,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ if (!entry)
+ return -ENOMEM;
+
++ INIT_LIST_HEAD(&entry->list);
+ entry->elem = elem;
+
+ entry->dev.class = elements_class;
+@@ -131,7 +132,7 @@ int mISDN_dsp_element_register(struct mISDN_dsp_element *elem)
+ device_unregister(&entry->dev);
+ return ret;
+ err1:
+- kfree(entry);
++ put_device(&entry->dev);
+ return ret;
+ }
+ EXPORT_SYMBOL(mISDN_dsp_element_register);
+--
+2.35.1
+
diff --git a/queue-4.19/net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch b/queue-4.19/net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
new file mode 100644
index 00000000000..602b61e3307
--- /dev/null
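Review bot: In misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch, `err1:` now calls `put_device(&entry->dev)`, which is only valid once the embedded device has been initialised. The `goto err1` sites lie between the two hunks and are not visible here, so confirm that each one follows `device_register()`; the mISDN core patch in this same queue exists precisely because a `put_device()` was reachable before `device_initialize()`. The added `INIT_LIST_HEAD(&entry->list)` is needed only because the release callback does `list_del()` on an entry that may never have been linked. A comment above it such as `/* release() does list_del(); keep the node valid if registration fails */` would stop a later cleanup from removing it.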
+++ b/queue-4.19/net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
@@ -0,0 +1,38 @@
+From 8b9327840a8f3bdb07327e99cf3b18687cd95200 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 9 Nov 2022 15:01:36 +0000
+Subject: net: bgmac: Drop free_netdev() from bgmac_enet_remove()
+
+From: Wei Yongjun
+
+[ Upstream commit 6f928ab8ee9bfbcb0e631c47ea8a16c3d5116ff1 ]
+
+netdev is allocated in bgmac_alloc() with devm_alloc_etherdev() and will
+be auto released in ->remove and ->probe failure path. Using free_netdev()
+in bgmac_enet_remove() leads to double free.
+
+Fixes: 34a5102c3235 ("net: bgmac: allocate struct bgmac just once & don't copy it")
+Signed-off-by: Wei Yongjun
+
+Link: https://lore.kernel.org/r/20221109150136.2991171-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/broadcom/bgmac.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/broadcom/bgmac.c b/drivers/net/ethernet/broadcom/bgmac.c
+index 4c94d9218bba..50c5afc46eb0 100644
+--- a/drivers/net/ethernet/broadcom/bgmac.c
++++ b/drivers/net/ethernet/broadcom/bgmac.c
+@@ -1566,7 +1566,6 @@ void bgmac_enet_remove(struct bgmac *bgmac)
+ phy_disconnect(bgmac->net_dev->phydev);
+ netif_napi_del(&bgmac->napi);
+ bgmac_dma_free(bgmac);
+- free_netdev(bgmac->net_dev);
+ }
+ EXPORT_SYMBOL_GPL(bgmac_enet_remove);
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-caif-fix-double-disconnect-client-in-chnl_net_op.patch b/queue-4.19/net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
new file mode 100644
index 00000000000..541401b1044
--- /dev/null
+++ b/queue-4.19/net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
@@ -0,0 +1,37 @@
+From 3be7eca686802fdf9869a0dc9ccd1408c4dc2d8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 11 Nov 2022 09:47:34 +0800
+Subject: net: caif: fix double disconnect client in chnl_net_open()
+
+From: Zhengchao Shao
+
+[ Upstream commit 8fbb53c8bfd8c56ecf1f78dc821778b58f505503 ]
+
+When connecting to client timeout, disconnect client for twice in
+chnl_net_open(). Remove one. Compile tested only.
+
+Fixes: 2aa40aef9deb ("caif: Use link layer MTU instead of fixed MTU")
+Signed-off-by: Zhengchao Shao
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/caif/chnl_net.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+diff --git a/net/caif/chnl_net.c b/net/caif/chnl_net.c
+index 8aeece7aa9e9..ece140ad0ac1 100644
+--- a/net/caif/chnl_net.c
++++ b/net/caif/chnl_net.c
+@@ -314,9 +314,6 @@ static int chnl_net_open(struct net_device *dev)
+
+ if (result == 0) {
+ pr_debug("connect timeout\n");
+- caif_disconnect_client(dev_net(dev), &priv->chnl);
+- priv->state = CAIF_DISCONNECTED;
+- pr_debug("state disconnected\n");
+ result = -ETIMEDOUT;
+ goto error;
+ }
+--
+2.35.1
+
diff --git a/queue-4.19/net-thunderbolt-fix-error-handling-in-tbnet_init.patch b/queue-4.19/net-thunderbolt-fix-error-handling-in-tbnet_init.patch
new file mode 100644
index 00000000000..cfb20365c7a
--- /dev/null
+++ b/queue-4.19/net-thunderbolt-fix-error-handling-in-tbnet_init.patch
@@ -0,0 +1,73 @@
+From 5eb03a80b6c6a54fe5021367630625851bdc4794 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Nov 2022 14:22:25 +0000
+Subject: net: thunderbolt: Fix error handling in tbnet_init()
+
+From: Yuan Can
+
+[ Upstream commit f524b7289bbb0c8ffaa2ba3c34c146e43da54fb2 ]
+
+A problem about insmod thunderbolt-net failed is triggered with following
+log given while lsmod does not show thunderbolt_net:
+
+ insmod: ERROR: could not insert module thunderbolt-net.ko: File exists
+
+The reason is that tbnet_init() returns tb_register_service_driver()
+directly without checking its return value, if tb_register_service_driver()
+failed, it returns without removing property directory, resulting the
+property directory can never be created later.
+
+ tbnet_init()
+ tb_register_property_dir() # register property directory
+ tb_register_service_driver()
+ driver_register()
+ bus_add_driver()
+ priv = kzalloc(...) # OOM happened
+ # return without remove property directory
+
+Fix by remove property directory when tb_register_service_driver() returns
+error.
+
+Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
+Signed-off-by: Yuan Can
+Acked-by: Mika Westerberg
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/thunderbolt.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/drivers/net/thunderbolt.c b/drivers/net/thunderbolt.c
+index 4b5af2413970..51b5442fbc66 100644
+--- a/drivers/net/thunderbolt.c
++++ b/drivers/net/thunderbolt.c
+@@ -1342,12 +1342,21 @@ static int __init tbnet_init(void)
+ TBNET_MATCH_FRAGS_ID);
+
+ ret = tb_register_property_dir("network", tbnet_dir);
+- if (ret) {
+- tb_property_free_dir(tbnet_dir);
+- return ret;
+- }
++ if (ret)
++ goto err_free_dir;
++
++ ret = tb_register_service_driver(&tbnet_driver);
++ if (ret)
++ goto err_unregister;
+
+- return tb_register_service_driver(&tbnet_driver);
++ return 0;
++
++err_unregister:
++ tb_unregister_property_dir("network", tbnet_dir);
++err_free_dir:
++ tb_property_free_dir(tbnet_dir);
++
++ return ret;
+ }
+ module_init(tbnet_init);
+
+--
+2.35.1
+
diff --git a/queue-4.19/net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch b/queue-4.19/net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
new file mode 100644
index 00000000000..e44fba0fd6d
--- /dev/null
+++ b/queue-4.19/net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
@@ -0,0 +1,39 @@
+From 19a26e02e26f725246160b7ca45f05eb7b3c2ebd Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 14 Nov 2022 11:05:19 +0000
+Subject: net/x25: Fix skb leak in x25_lapb_receive_frame()
+
+From: Wei Yongjun
+
+[ Upstream commit 2929cceb2fcf0ded7182562e4888afafece82cce ]
+
+x25_lapb_receive_frame() using skb_copy() to get a private copy of
+skb, the new skb should be freed in the undersized/fragmented skb
+error handling path. Otherwise there is a memory leak.
+
+Fixes: cb101ed2c3c7 ("x25: Handle undersized/fragmented skbs")
+Signed-off-by: Wei Yongjun
+Acked-by: Martin Schiller
+Link: https://lore.kernel.org/r/20221114110519.514538-1-weiyongjun@huaweicloud.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ net/x25/x25_dev.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/x25/x25_dev.c b/net/x25/x25_dev.c
+index 30f71620d4e3..24f2676e3b66 100644
+--- a/net/x25/x25_dev.c
++++ b/net/x25/x25_dev.c
+@@ -122,7 +122,7 @@ int x25_lapb_receive_frame(struct sk_buff *skb, struct net_device *dev,
+
+ if (!pskb_may_pull(skb, 1)) {
+ x25_neigh_put(nb);
+- return 0;
++ goto drop;
+ }
+
+ switch (skb->data[0]) {
+--
+2.35.1
+
diff --git a/queue-4.19/parport_pc-avoid-fifo-port-location-truncation.patch b/queue-4.19/parport_pc-avoid-fifo-port-location-truncation.patch
new file mode 100644
index 00000000000..febf519ecff
--- /dev/null
+++ b/queue-4.19/parport_pc-avoid-fifo-port-location-truncation.patch
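Review bot: In net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch, the short-frame branch now runs `x25_neigh_put(nb)` and then `goto drop`, and the `drop:` label is outside the hunk. Confirm in the 4.19 tree that `drop:` only frees the skb and returns, and does not release `nb` a second time, because this branch is reached for undersized frames arriving from the link. If the label is shared with a path taken before `nb` is obtained, a short comment there such as `/* nb, if any, has already been released by the caller of this label */` would make the ownership rule explicit.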
@@ -0,0 +1,43 @@
+From fc0acc4be5bf85db1a11377f50f10c9ce072905b Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 23 Sep 2022 19:52:08 +0100
+Subject: parport_pc: Avoid FIFO port location truncation
+
+From: Maciej W. Rozycki
+
+[ Upstream commit ab126f51c93a15093df604f661c9480854c005a3 ]
+
+Match the data type of a temporary holding a reference to the FIFO port
+with the type of the original reference coming from `struct parport',
+avoiding data truncation with LP64 ports such as SPARC64 that refer to
+PCI port I/O locations via their corresponding MMIO addresses and will
+therefore have non-zero bits in the high 32-bit part of the reference.
+And in any case it is cleaner to have the data types matching here.
+
+Signed-off-by: Maciej W. Rozycki
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Link: https://lore.kernel.org/linux-pci/20220419033752.GA1101844@bhelgaas/
+Acked-by: Sudip Mukherjee
+Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209231912550.29493@angie.orcam.me.uk
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/parport/parport_pc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/parport/parport_pc.c b/drivers/parport/parport_pc.c
+index dee5b9e35ffd..d99ac73a1d89 100644
+--- a/drivers/parport/parport_pc.c
++++ b/drivers/parport/parport_pc.c
+@@ -474,7 +474,7 @@ static size_t parport_pc_fifo_write_block_pio(struct parport *port,
+ const unsigned char *bufp = buf;
+ size_t left = length;
+ unsigned long expire = jiffies + port->physport->cad->timeout;
+- const int fifo = FIFO(port);
++ const unsigned long fifo = FIFO(port);
+ int poll_for = 8; /* 80 usecs */
+ const struct parport_pc_private *priv = port->physport->private_data;
+ const int fifo_depth = priv->fifo_depth;
+--
+2.35.1
+
diff --git a/queue-4.19/pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch b/queue-4.19/pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
new file mode 100644
index 00000000000..c153d455362
--- /dev/null
+++ b/queue-4.19/pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
@@ -0,0 +1,48 @@
+From 284eed46a0e729ffaed41ddbfc29b8458a25ae3f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 16:20:56 +0800
+Subject: pinctrl: devicetree: fix null pointer dereferencing in
+ pinctrl_dt_to_map
+
+From: Zeng Heng
+
+[ Upstream commit 91d5c5060ee24fe8da88cd585bb43b843d2f0dce ]
+
+Here is the BUG report by KASAN about null pointer dereference:
+
+BUG: KASAN: null-ptr-deref in strcmp+0x2e/0x50
+Read of size 1 at addr 0000000000000000 by task python3/2640
+Call Trace:
+ strcmp
+ __of_find_property
+ of_find_property
+ pinctrl_dt_to_map
+
+kasprintf() would return NULL pointer when kmalloc() fail to allocate.
+So directly return ENOMEM, if kasprintf() return NULL pointer.
+
+Fixes: 57291ce295c0 ("pinctrl: core device tree mapping table parsing support")
+Signed-off-by: Zeng Heng
+Link: https://lore.kernel.org/r/20221110082056.2014898-1-zengheng4@huawei.com
+Signed-off-by: Linus Walleij
+Signed-off-by: Sasha Levin
+---
+ drivers/pinctrl/devicetree.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/pinctrl/devicetree.c b/drivers/pinctrl/devicetree.c
+index 177ee1136e34..6f5acfcba57c 100644
+--- a/drivers/pinctrl/devicetree.c
++++ b/drivers/pinctrl/devicetree.c
+@@ -235,6 +235,8 @@ int pinctrl_dt_to_map(struct pinctrl *p, struct pinctrl_dev *pctldev)
+ for (state = 0; ; state++) {
+ /* Retrieve the pinctrl-* property */
+ propname = kasprintf(GFP_KERNEL, "pinctrl-%d", state);
++ if (!propname)
++ return -ENOMEM;
+ prop = of_find_property(np, propname, &size);
+ kfree(propname);
+ if (!prop) {
+--
+2.35.1
+
diff --git a/queue-4.19/serial-8250-omap-flush-pm-qos-work-on-remove.patch b/queue-4.19/serial-8250-omap-flush-pm-qos-work-on-remove.patch
new file mode 100644
index 00000000000..11fbc447766
--- /dev/null
+++ b/queue-4.19/serial-8250-omap-flush-pm-qos-work-on-remove.patch
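Review bot: In pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch, the added `return -ENOMEM;` leaves `pinctrl_dt_to_map()` from inside the `for (state = 0; ; state++)` loop, so a kasprintf() failure on any iteration after the first skips whatever unwinding the function's other error exits perform. The rest of the loop body and the function's error label are outside this hunk. If earlier iterations have already recorded maps, or the function holds a reference on `np` at this point, both would leak on this path. Setting the error code and jumping to the function's existing error label, rather than returning directly, would keep the exit paths consistent; it is worth checking whether upstream carries a follow-up before this is queued.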
@@ -0,0 +1,39 @@
+From 15b8bae6305e109c5472b34869a49a933ef63773 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 28 Oct 2022 14:00:44 +0300
+Subject: serial: 8250: omap: Flush PM QOS work on remove
+
+From: Tony Lindgren
+
+[ Upstream commit d0b68629bd2fb61e0171a62f2e8da3db322f5cf6 ]
+
+Rebinding 8250_omap in a loop will at some point produce a warning for
+kernel/power/qos.c:296 cpu_latency_qos_update_request() with error
+"cpu_latency_qos_update_request called for unknown object". Let's flush
+the possibly pending PM QOS work scheduled from omap8250_runtime_suspend()
+before we disable runtime PM.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Signed-off-by: Tony Lindgren
+Link: https://lore.kernel.org/r/20221028110044.54719-1-tony@atomide.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index b81fb44e2bd7..8cf4819312f5 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -1262,6 +1262,7 @@ static int omap8250_remove(struct platform_device *pdev)
+
+ pm_runtime_dont_use_autosuspend(&pdev->dev);
+ pm_runtime_put_sync(&pdev->dev);
++ flush_work(&priv->qos_work);
+ pm_runtime_disable(&pdev->dev);
+ serial8250_unregister_port(priv->line);
+ pm_qos_remove_request(&priv->pm_qos_request);
+--
+2.35.1
+
diff --git a/queue-4.19/serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch b/queue-4.19/serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
new file mode 100644
index 00000000000..878d6a5780a
--- /dev/null
+++ b/queue-4.19/serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
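Review bot: The position of the new `flush_work(&priv->qos_work);` in `omap8250_remove()` matters, but nothing in the code says so. It has to run after `pm_runtime_put_sync()`, which per the commit message can lead to the work being scheduled from the runtime-suspend callback, and before `pm_qos_remove_request()`. A one-line comment would keep a later reorder from reintroducing the warning, e.g. `/* qos_work may be queued by runtime suspend above; finish it before the QoS request is removed */`. The function starts and ends outside the hunk.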
@@ -0,0 +1,67 @@
+From 710b3a816696f91e4d4c434dacfe7d41f3ef2c76 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 13 Oct 2022 13:23:39 +0200
+Subject: serial: 8250_omap: remove wait loop from Errata i202 workaround
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Matthias Schiffer
+
+[ Upstream commit e828e56684d61b17317e0cfdef83791fa61cb76b ]
+
+We were occasionally seeing the "Errata i202: timedout" on an AM335x
+board when repeatedly opening and closing a UART connected to an active
+sender. As new input may arrive at any time, it is possible to miss the
+"RX FIFO empty" condition, forcing the loop to wait until it times out.
+
+Nothing in the i202 Advisory states that such a wait is even necessary;
+other FIFO clear functions like serial8250_clear_fifos() do not wait
+either. For this reason, it seems safe to remove the wait, fixing the
+mentioned issue.
+
+Fixes: 61929cf0169d ("tty: serial: Add 8250-core based omap driver")
+Reviewed-by: Ilpo Järvinen
+Signed-off-by: Matthias Schiffer
+Link: https://lore.kernel.org/r/20221013112339.2540767-1-matthias.schiffer@ew.tq-group.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/8250/8250_omap.c | 17 -----------------
+ 1 file changed, 17 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_omap.c b/drivers/tty/serial/8250/8250_omap.c
+index c1166b45c288..b81fb44e2bd7 100644
+--- a/drivers/tty/serial/8250/8250_omap.c
++++ b/drivers/tty/serial/8250/8250_omap.c
+@@ -162,27 +162,10 @@ static void omap8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
+ static void omap_8250_mdr1_errataset(struct uart_8250_port *up,
+ struct omap8250_priv *priv)
+ {
+- u8 timeout = 255;
+-
+ serial_out(up, UART_OMAP_MDR1, priv->mdr1);
+ udelay(2);
+ serial_out(up, UART_FCR, up->fcr | UART_FCR_CLEAR_XMIT |
+ UART_FCR_CLEAR_RCVR);
+- /*
+- * Wait for FIFO to empty: when empty, RX_FIFO_E bit is 0 and
+- * TX_FIFO_E bit is 1.
+- */
+- while (UART_LSR_THRE != (serial_in(up, UART_LSR) &
+- (UART_LSR_THRE | UART_LSR_DR))) {
+- timeout--;
+- if (!timeout) {
+- /* Should *never* happen. we warn and carry on */
+- dev_crit(up->port.dev, "Errata i202: timedout %x\n",
+- serial_in(up, UART_LSR));
+- break;
+- }
+- udelay(1);
+- }
+ }
+
+ static void omap_8250_get_divisor(struct uart_port *port, unsigned int baud,
+--
+2.35.1
+
diff --git a/queue-4.19/serial-imx-add-missing-.thaw_noirq-hook.patch b/queue-4.19/serial-imx-add-missing-.thaw_noirq-hook.patch
new file mode 100644
index 00000000000..dea55c8e7c4
--- /dev/null
+++ b/queue-4.19/serial-imx-add-missing-.thaw_noirq-hook.patch
@@ -0,0 +1,95 @@
+From cc823b0af4593db263eb7419eaad43ec0fdcd41d Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 12 Oct 2022 20:13:53 +0800
+Subject: serial: imx: Add missing .thaw_noirq hook
+
+From: Shawn Guo
+
+[ Upstream commit 4561d8008a467cb05ac632a215391d6b787f40aa ]
+
+The following warning is seen with non-console UART instance when
+system hibernates.
+
+[ 37.371969] ------------[ cut here ]------------
+[ 37.376599] uart3_root_clk already disabled
+[ 37.380810] WARNING: CPU: 0 PID: 296 at drivers/clk/clk.c:952 clk_core_disable+0xa4/0xb0
+...
+[ 37.506986] Call trace:
+[ 37.509432] clk_core_disable+0xa4/0xb0
+[ 37.513270] clk_disable+0x34/0x50
+[ 37.516672] imx_uart_thaw+0x38/0x5c
+[ 37.520250] platform_pm_thaw+0x30/0x6c
+[ 37.524089] dpm_run_callback.constprop.0+0x3c/0xd4
+[ 37.528972] device_resume+0x7c/0x160
+[ 37.532633] dpm_resume+0xe8/0x230
+[ 37.536036] hibernation_snapshot+0x288/0x430
+[ 37.540397] hibernate+0x10c/0x2e0
+[ 37.543798] state_store+0xc4/0xd0
+[ 37.547203] kobj_attr_store+0x1c/0x30
+[ 37.550953] sysfs_kf_write+0x48/0x60
+[ 37.554619] kernfs_fop_write_iter+0x118/0x1ac
+[ 37.559063] new_sync_write+0xe8/0x184
+[ 37.562812] vfs_write+0x230/0x290
+[ 37.566214] ksys_write+0x68/0xf4
+[ 37.569529] __arm64_sys_write+0x20/0x2c
+[ 37.573452] invoke_syscall.constprop.0+0x50/0xf0
+[ 37.578156] do_el0_svc+0x11c/0x150
+[ 37.581648] el0_svc+0x30/0x140
+[ 37.584792] el0t_64_sync_handler+0xe8/0xf0
+[ 37.588976] el0t_64_sync+0x1a0/0x1a4
+[ 37.592639] ---[ end trace 56e22eec54676d75 ]---
+
+On hibernating, pm core calls into related hooks in sequence like:
+
+ .freeze
+ .freeze_noirq
+ .thaw_noirq
+ .thaw
+
+With .thaw_noirq hook being absent, the clock will be disabled in a
+unbalanced call which results the warning above.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Adding the missing .thaw_noirq hook as imx_uart_resume_noirq() will have
+the call sequence corrected as below and thus fix the warning.
+
+ imx_uart_freeze()
+ clk_prepare_enable()
+ imx_uart_suspend_noirq()
+ clk_disable()
+ imx_uart_resume_noirq()
+ clk_enable()
+ imx_uart_thaw
+ clk_disable_unprepare()
+
+Fixes: 09df0b3464e5 ("serial: imx: fix endless loop during suspend")
+Reviewed-by: Martin Kaiser
+Signed-off-by: Shawn Guo
+Link: https://lore.kernel.org/r/20221012121353.2346280-1-shawn.guo@linaro.org
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/serial/imx.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/tty/serial/imx.c b/drivers/tty/serial/imx.c
+index aeda1fe71eeb..819f340a8a7a 100644
+--- a/drivers/tty/serial/imx.c
++++ b/drivers/tty/serial/imx.c
+@@ -2510,6 +2510,7 @@ static const struct dev_pm_ops imx_uart_pm_ops = {
+ .suspend_noirq = imx_uart_suspend_noirq,
+ .resume_noirq = imx_uart_resume_noirq,
+ .freeze_noirq = imx_uart_suspend_noirq,
++ .thaw_noirq = imx_uart_resume_noirq,
+ .restore_noirq = imx_uart_resume_noirq,
+ .suspend = imx_uart_suspend,
+ .resume = imx_uart_resume,
+--
+2.35.1
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 33faf23e70b..a47c838b465 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -51,3 +51,24 @@ nfsv4-retry-lock-on-old_stateid-during-delegation-re.patch
 drm-imx-imx-tve-fix-return-type-of-imx_tve_connector.patch
 btrfs-remove-pointless-and-double-ulist-frees-in-err.patch
 bluetooth-l2cap-fix-l2cap_global_chan_by_psm.patch
+asoc-core-fix-use-after-free-in-snd_soc_exit.patch
+serial-8250_omap-remove-wait-loop-from-errata-i202-w.patch
+serial-8250-omap-flush-pm-qos-work-on-remove.patch
+serial-imx-add-missing-.thaw_noirq-hook.patch
+tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
+asoc-soc-utils-remove-__exit-for-snd_soc_util_exit.patch
+block-sed-opal-kmalloc-the-cmd-resp-buffers.patch
+siox-fix-possible-memory-leak-in-siox_device_add.patch
+parport_pc-avoid-fifo-port-location-truncation.patch
+pinctrl-devicetree-fix-null-pointer-dereferencing-in.patch
+ata-libata-transport-fix-double-ata_host_put-in-ata_.patch
+net-bgmac-drop-free_netdev-from-bgmac_enet_remove.patch
+misdn-fix-possible-memory-leak-in-misdn_dsp_element_.patch
+misdn-fix-misuse-of-put_device-in-misdn_register_dev.patch
+net-caif-fix-double-disconnect-client-in-chnl_net_op.patch
+bnxt_en-remove-debugfs-when-pci_register_driver-fail.patch
+xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
+drbd-use-after-free-in-drbd_create_device.patch
+net-x25-fix-skb-leak-in-x25_lapb_receive_frame.patch
+cifs-fix-wrong-return-value-checking-when-getflags.patch
+net-thunderbolt-fix-error-handling-in-tbnet_init.patch
diff --git a/queue-4.19/siox-fix-possible-memory-leak-in-siox_device_add.patch b/queue-4.19/siox-fix-possible-memory-leak-in-siox_device_add.patch
new file mode 100644
index 00000000000..2da52645ea3
--- /dev/null
+++ b/queue-4.19/siox-fix-possible-memory-leak-in-siox_device_add.patch
@@ -0,0 +1,46 @@
+From 566d60a9b45e6cd276a2506eaf7b688011d019b0 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 4 Nov 2022 10:13:34 +0800
+Subject: siox: fix possible memory leak in siox_device_add()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Yang Yingliang
+
+[ Upstream commit 6e63153db50059fb78b8a8447b132664887d24e3 ]
+
+If device_register() returns error in siox_device_add(),
+the name allocated by dev_set_name() need be freed. As
+comment of device_register() says, it should use put_device()
+to give up the reference in the error path. So fix this
+by calling put_device(), then the name can be freed in
+kobject_cleanup(), and sdevice is freed in siox_device_release(),
+set it to null in error path.
+
+Fixes: bbecb07fa0af ("siox: new driver framework for eckelmann SIOX")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Uwe Kleine-König
+Link: https://lore.kernel.org/r/20221104021334.618189-1-yangyingliang@huawei.com
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/siox/siox-core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/drivers/siox/siox-core.c b/drivers/siox/siox-core.c
+index f8c08fb9891d..e0ffef6e9386 100644
+--- a/drivers/siox/siox-core.c
++++ b/drivers/siox/siox-core.c
+@@ -835,6 +835,8 @@ static struct siox_device *siox_device_add(struct siox_master *smaster,
+
+ err_device_register:
+ /* don't care to make the buffer smaller again */
++ put_device(&sdevice->dev);
++ sdevice = NULL;
+
+ err_buf_alloc:
+ siox_master_unlock(smaster);
+--
+2.35.1
+
diff --git a/queue-4.19/tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch b/queue-4.19/tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
new file mode 100644
index 00000000000..252064123f5
--- /dev/null
+++ b/queue-4.19/tty-n_gsm-fix-sleep-in-atomic-context-bug-in-gsm_con.patch
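Review bot: The existing comment `/* don't care to make the buffer smaller again */` now sits directly above `put_device(&sdevice->dev);` and `sdevice = NULL;` in the siox-core.c hunk, and nothing says why the pointer is cleared. A comment such as `/* put_device() lets the release callback free sdevice; clear it so the shared cleanup below does not free it again */` would record the ownership hand-off that the commit message describes. The label falls through into `err_buf_alloc`, whose remaining statements are outside the hunk, so they need to be NULL-safe for `sdevice`. The xen/pcpu hunk later in this commit makes the same switch to `put_device()` after a failed `device_register()`; if the release callback there frees `pcpu`, its callers must likewise not touch it after the error return.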
@@ -0,0 +1,49 @@
+From 1ac92231e8925b1feb9aeddc71009d4fee702fc4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 2 Oct 2022 12:07:09 +0800
+Subject: tty: n_gsm: fix sleep-in-atomic-context bug in gsm_control_send
+
+From: Duoming Zhou
+
+[ Upstream commit 7b7dfe4833c70a11cdfa51b38705103bd31eddaa ]
+
+The function gsm_dlci_t1() is a timer handler that runs in an
+atomic context, but it calls "kzalloc(..., GFP_KERNEL)" that
+may sleep. As a result, the sleep-in-atomic-context bug will
+happen. The process is shown below:
+
+gsm_dlci_t1()
+ gsm_dlci_open()
+ gsm_modem_update()
+ gsm_modem_upd_via_msc()
+ gsm_control_send()
+ kzalloc(sizeof(.., GFP_KERNEL) //may sleep
+
+This patch changes the gfp_t parameter of kzalloc() from GFP_KERNEL to
+GFP_ATOMIC in order to mitigate the bug.
+
+Fixes: e1eaea46bb40 ("tty: n_gsm line discipline")
+Signed-off-by: Duoming Zhou
+Link: https://lore.kernel.org/r/20221002040709.27849-1-duoming@zju.edu.cn
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Sasha Levin
+---
+ drivers/tty/n_gsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/tty/n_gsm.c b/drivers/tty/n_gsm.c
+index f6d2be13b32e..4a890011eba3 100644
+--- a/drivers/tty/n_gsm.c
++++ b/drivers/tty/n_gsm.c
+@@ -1413,7 +1413,7 @@ static struct gsm_control *gsm_control_send(struct gsm_mux *gsm,
+ unsigned int command, u8 *data, int clen)
+ {
+ struct gsm_control *ctrl = kzalloc(sizeof(struct gsm_control),
+- GFP_KERNEL);
++ GFP_ATOMIC);
+ unsigned long flags;
+ if (ctrl == NULL)
+ return NULL;
+--
+2.35.1
+
diff --git a/queue-4.19/xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch b/queue-4.19/xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
new file mode 100644
index 00000000000..e9d92e1f27d
--- /dev/null
+++ b/queue-4.19/xen-pcpu-fix-possible-memory-leak-in-register_pcpu.patch
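Review bot: With `GFP_ATOMIC` the allocation in `gsm_control_send()` no longer sleeps, but it also fails more readily under memory pressure, and the hunk shows that failure surfacing only as `return NULL`. Callers on the timer path listed in the commit message should be checked for handling a NULL control without dereferencing it. The function body continues past the hunk, so any later blocking call in it would still run in atomic context and is worth auditing before treating the bug as closed; the commit message itself only claims to "mitigate" it. As a style point, `kzalloc(sizeof(*ctrl), GFP_ATOMIC)` keeps the size tied to the variable.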
@@ -0,0 +1,40 @@
+From 3290ac60fdb90ead212d0c231de31b63ae7187a5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 10 Nov 2022 23:24:41 +0800
+Subject: xen/pcpu: fix possible memory leak in register_pcpu()
+
+From: Yang Yingliang
+
+[ Upstream commit da36a2a76b01b210ffaa55cdc2c99bc8783697c5 ]
+
+In device_add(), dev_set_name() is called to allocate name, if it returns
+error, the name need be freed. As comment of device_register() says, it
+should use put_device() to give up the reference in the error path. So fix
+this by calling put_device(), then the name can be freed in kobject_cleanup().
+
+Fixes: f65c9bb3fb72 ("xen/pcpu: Xen physical cpus online/offline sys interface")
+Signed-off-by: Yang Yingliang
+Reviewed-by: Juergen Gross
+Link: https://lore.kernel.org/r/20221110152441.401630-1-yangyingliang@huawei.com
+Signed-off-by: Juergen Gross
+Signed-off-by: Sasha Levin
+---
+ drivers/xen/pcpu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/xen/pcpu.c b/drivers/xen/pcpu.c
+index cdc6daa7a9f6..9cf7085a260b 100644
+--- a/drivers/xen/pcpu.c
++++ b/drivers/xen/pcpu.c
+@@ -228,7 +228,7 @@ static int register_pcpu(struct pcpu *pcpu)
+
+ err = device_register(dev);
+ if (err) {
+- pcpu_release(dev);
++ put_device(dev);
+ return err;
+ }
+
+--
+2.35.1
+
--
2.47.3