From c2325ebf159521382b98786a07cf563dfbbffcf4 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Tue, 20 Sep 2022 17:23:52 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...ar-add-missing-of_node_put-in-time.c.patch | 61 +++++++
 ...rnet-neterion-vxge-fix-a-use-after-f.patch | 170 ++++++++++++++++++
 ...-an-union-to-store-the-page-flip-cal.patch | 76 ++++++++
 ...tiq-add-missing-of_node_put-in-irq.c.patch | 35 ++++
 ...con-fix-refcount-leak-bug-in-sysctrl.patch | 40 +++++
 ...way-fix-refcount-leak-bug-in-sysctrl.patch | 38 ++++
 ...c32-pic32mzda-fix-refcount-leak-bugs.patch | 63 +++++++
 queue-4.9/series | 13 ++
 ...i-cadence-detect-transmit-fifo-depth.patch | 117 ++++++++++++
 ...fix-spi-cs-gets-toggling-sporadicall.patch | 67 +++++++
 ...lfb-use-aperture-size-from-pci_resou.patch | 56 ++++++
 ...xx-gcu-fix-integer-overflow-in-pxa3x.patch | 36 ++++
 ...lefb-check-before-clk_put-not-needed.patch | 37 ++++
 ...etonfb-fix-syntax-errors-in-comments.patch | 34 ++++
 14 files changed, 843 insertions(+)
 create mode 100644 queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch
 create mode 100644 queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
 create mode 100644 queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
 create mode 100644 queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch
 create mode 100644 queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
 create mode 100644 queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
 create mode 100644 queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
 create mode 100644 queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
 create mode 100644 queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
 create mode 100644 queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
 create mode 100644 queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
 create mode 100644 queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch
 create mode 100644 queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
diff --git a/queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch b/queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch
new file mode 100644
index 00000000000..12842639f7a
--- /dev/null
+++ b/queue-4.9/arm-mach-spear-add-missing-of_node_put-in-time.c.patch
@@ -0,0 +1,61 @@
+From 36321bb4ae4d9831fed71238b076d1eb4a8bba8e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 16 Jun 2022 17:30:27 +0800
+Subject: arm: mach-spear: Add missing of_node_put() in time.c
+
+From: Liang He
+
+[ Upstream commit 2c629dd2d14fd7f64a553f809eda6d0b3a4f615a ]
+
+In spear_setup_of_timer(), of_find_matching_node() will return a
+node pointer with refcount incrementd. We should use of_node_put()
+in each fail path or when it is not used anymore.
+
+Signed-off-by: Liang He
+Acked-by: Viresh Kumar
+Link: https://lore.kernel.org/r/20220616093027.3984903-1-windhl@126.com'
+Signed-off-by: Arnd Bergmann
+Signed-off-by: Sasha Levin
+---
+ arch/arm/mach-spear/time.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/arch/arm/mach-spear/time.c b/arch/arm/mach-spear/time.c
+index aaaa6781b9fe..57b77c7effa9 100644
+--- a/arch/arm/mach-spear/time.c
++++ b/arch/arm/mach-spear/time.c
+@@ -223,13 +223,13 @@ void __init spear_setup_of_timer(void)
+ irq = irq_of_parse_and_map(np, 0);
+ if (!irq) {
+ pr_err("%s: No irq passed for timer via DT\n", __func__);
+- return;
++ goto err_put_np;
+ }
+
+ gpt_base = of_iomap(np, 0);
+ if (!gpt_base) {
+ pr_err("%s: of iomap failed\n", __func__);
+- return;
++ goto err_put_np;
+ }
+
+ gpt_clk = clk_get_sys("gpt0", NULL);
+@@ -244,6 +244,8 @@ void __init spear_setup_of_timer(void)
+ goto err_prepare_enable_clk;
+ }
+
++ of_node_put(np);
++
+ spear_clockevent_init(irq);
+ spear_clocksource_init();
+
+@@ -253,4 +255,6 @@ void __init spear_setup_of_timer(void)
+ clk_put(gpt_clk);
+ err_iomap:
+ iounmap(gpt_base);
++err_put_np:
++ of_node_put(np);
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch b/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
new file mode 100644
index 00000000000..4d1555d6149
--- /dev/null
+++ b/queue-4.9/drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
@@ -0,0 +1,170 @@
+From b8e2810ec3b386975ca5c2a205f7e0d0e1671e50 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Jun 2022 22:14:54 +0800
+Subject: drivers/net/ethernet/neterion/vxge: Fix a use-after-free bug in
+ vxge-main.c
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Wentao_Liang
+
+[ Upstream commit 8fc74d18639a2402ca52b177e990428e26ea881f ]
+
+The pointer vdev points to a memory region adjacent to a net_device
+structure ndev, which is a field of hldev. At line 4740, the invocation
+to vxge_device_unregister unregisters device hldev, and it also releases
+the memory region pointed by vdev->bar0. At line 4743, the freed memory
+region is referenced (i.e., iounmap(vdev->bar0)), resulting in a
+use-after-free vulnerability. We can fix the bug by calling iounmap
+before vxge_device_unregister.
+
+4721. static void vxge_remove(struct pci_dev *pdev)
+4722. {
+4723. struct __vxge_hw_device *hldev;
+4724. struct vxgedev *vdev;
+…
+4731. vdev = netdev_priv(hldev->ndev);
+…
+4740. vxge_device_unregister(hldev);
+4741. /* Do not call pci_disable_sriov here, as it
+ will break child devices */
+4742. vxge_hw_device_terminate(hldev);
+4743. iounmap(vdev->bar0);
+…
+4749 vxge_debug_init(vdev->level_trace, "%s:%d
+ Device unregistered",
+4750 __func__, __LINE__);
+4751 vxge_debug_entryexit(vdev->level_trace, "%s:%d
+ Exiting...", __func__,
+4752 __LINE__);
+4753. }
+
+This is the screenshot when the vulnerability is triggered by using
+KASAN. We can see that there is a use-after-free reported by KASAN.
+ +/***************************start**************************/ + +root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove +[ 178.296316] vxge_remove +[ 182.057081] + ================================================================== +[ 182.057548] BUG: KASAN: use-after-free in vxge_remove+0xe0/0x15c +[ 182.057760] Read of size 8 at addr ffff888006c76598 by task bash/119 +[ 182.057983] +[ 182.058747] CPU: 0 PID: 119 Comm: bash Not tainted 5.18.0 #5 +[ 182.058919] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS +rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 +[ 182.059463] Call Trace: +[ 182.059726] +[ 182.060017] dump_stack_lvl+0x34/0x44 +[ 182.060316] print_report.cold+0xb2/0x6b7 +[ 182.060401] ? kfree+0x89/0x290 +[ 182.060478] ? vxge_remove+0xe0/0x15c +[ 182.060545] kasan_report+0xa9/0x120 +[ 182.060629] ? vxge_remove+0xe0/0x15c +[ 182.060706] vxge_remove+0xe0/0x15c +[ 182.060793] pci_device_remove+0x5d/0xe0 +[ 182.060968] device_release_driver_internal+0xf1/0x180 +[ 182.061063] pci_stop_bus_device+0xae/0xe0 +[ 182.061150] pci_stop_and_remove_bus_device_locked+0x11/0x20 +[ 182.061236] remove_store+0xc6/0xe0 +[ 182.061297] ? subordinate_bus_number_show+0xc0/0xc0 +[ 182.061359] ? __mutex_lock_slowpath+0x10/0x10 +[ 182.061438] ? sysfs_kf_write+0x6d/0xa0 +[ 182.061525] kernfs_fop_write_iter+0x1b0/0x260 +[ 182.061610] ? sysfs_kf_bin_read+0xf0/0xf0 +[ 182.061695] new_sync_write+0x209/0x310 +[ 182.061789] ? new_sync_read+0x310/0x310 +[ 182.061865] ? cgroup_rstat_updated+0x5c/0x170 +[ 182.061937] ? preempt_count_sub+0xf/0xb0 +[ 182.061995] ? pick_next_entity+0x13a/0x220 +[ 182.062063] ? __inode_security_revalidate+0x44/0x80 +[ 182.062155] ? security_file_permission+0x46/0x2a0 +[ 182.062230] vfs_write+0x33f/0x3e0 +[ 182.062303] ksys_write+0xb4/0x150 +[ 182.062369] ? 
__ia32_sys_read+0x40/0x40 +[ 182.062451] do_syscall_64+0x3b/0x90 +[ 182.062531] entry_SYSCALL_64_after_hwframe+0x46/0xb0 +[ 182.062894] RIP: 0033:0x7f3f37d17274 +[ 182.063558] Code: 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b3 0f 1f +80 00 00 00 00 48 8d 05 89 54 0d 00 8b 00 85 c0 75 13 b8 01 00 00 00 0f +05 <48> 3d 00 f0 ff ff 77 54 c3 0f 1f 00 41 54 49 89 d4 55 48 89 f5 53 +[ 182.063797] RSP: 002b:00007ffd5ba9e178 EFLAGS: 00000246 +ORIG_RAX: 0000000000000001 +[ 182.064117] RAX: ffffffffffffffda RBX: 0000000000000002 +RCX: 00007f3f37d17274 +[ 182.064219] RDX: 0000000000000002 RSI: 000055bbec327180 +RDI: 0000000000000001 +[ 182.064315] RBP: 000055bbec327180 R08: 000000000000000a +R09: 00007f3f37de7cf0 +[ 182.064414] R10: 000000000000000a R11: 0000000000000246 +R12: 00007f3f37de8760 +[ 182.064513] R13: 0000000000000002 R14: 00007f3f37de3760 +R15: 0000000000000002 +[ 182.064691] +[ 182.064916] +[ 182.065224] The buggy address belongs to the physical page: +[ 182.065804] page:00000000ef31e4f4 refcount:0 mapcount:0 +mapping:0000000000000000 index:0x0 pfn:0x6c76 +[ 182.067419] flags: 0x100000000000000(node=0|zone=1) +[ 182.068997] raw: 0100000000000000 0000000000000000 +ffffea00001b1d88 0000000000000000 +[ 182.069118] raw: 0000000000000000 0000000000000000 +00000000ffffffff 0000000000000000 +[ 182.069294] page dumped because: kasan: bad access detected +[ 182.069331] +[ 182.069360] Memory state around the buggy address: +[ 182.070006] ffff888006c76480: ff ff ff ff ff ff ff ff ff ff ff + ff ff ff ff ff +[ 182.070136] ffff888006c76500: ff ff ff ff ff ff ff ff ff ff ff + ff ff ff ff ff +[ 182.070230] >ffff888006c76580: ff ff ff ff ff ff ff ff ff ff ff + ff ff ff ff ff +[ 182.070305] ^ +[ 182.070456] ffff888006c76600: ff ff ff ff ff ff ff ff ff ff ff + ff ff ff ff ff +[ 182.070505] ffff888006c76680: ff ff ff ff ff ff ff ff ff ff ff + ff ff ff ff ff +[ 182.070606] +================================================================== +[ 182.071374] Disabling lock debugging due 
to kernel taint
+
+/*****************************end*****************************/
+
+After fixing the bug as done in the patch, we can find KASAN do not report
+ the bug and the device(00:03.0) has been successfully removed.
+
+/*****************************start***************************/
+
+root@kernel:~# echo 1 > /sys/bus/pci/devices/0000:00:03.0/remove
+root@kernel:~#
+
+/******************************end****************************/
+
+Signed-off-by: Wentao_Liang
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ drivers/net/ethernet/neterion/vxge/vxge-main.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/net/ethernet/neterion/vxge/vxge-main.c b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+index c6950e580883..7fa71a66f19c 100644
+--- a/drivers/net/ethernet/neterion/vxge/vxge-main.c
++++ b/drivers/net/ethernet/neterion/vxge/vxge-main.c
+@@ -4790,10 +4790,10 @@ static void vxge_remove(struct pci_dev *pdev)
+ for (i = 0; i < vdev->no_of_vpath; i++)
+ vxge_free_mac_add_list(&vdev->vpaths[i]);
+
++ iounmap(vdev->bar0);
+ vxge_device_unregister(hldev);
+ /* Do not call pci_disable_sriov here, as it will break child devices */
+ vxge_hw_device_terminate(hldev);
+- iounmap(vdev->bar0);
+ pci_release_region(pdev, 0);
+ pci_disable_device(pdev);
+ driver_config->config_dev_cnt--;
+--
+2.35.1
+
diff --git a/queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch b/queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
new file mode 100644
index 00000000000..c3906f6c33e
--- /dev/null
+++ b/queue-4.9/drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
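Review bot: `vdev` is still dereferenced after `vxge_device_unregister(hldev)` once `iounmap(vdev->bar0)` has been moved up: the listing quoted in the commit message shows `vdev->level_trace` read by the two trace calls at 4749–4751, and `vdev` comes from `netdev_priv(hldev->ndev)`. If unregistering frees the net_device together with its private area (the helper's body is not on this page), those reads touch the same freed object, at least in builds where the debug macros evaluate their first argument. Saving the value before the unregister call, `level_trace = vdev->level_trace;`, and passing the local to both trace calls would close the remaining window. The tail of vxge_remove() lies outside this hunk, so it needs checking in the 4.9 tree.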
@@ -0,0 +1,76 @@
+From 22a5352f0089cd3d622a96fcd2c002bf8fc0bdc2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 10 Jun 2022 13:51:44 +0200
+Subject: drm/vc4: crtc: Use an union to store the page flip callback
+
+From: Maxime Ripard
+
+[ Upstream commit 2523e9dcc3be91bf9fdc0d1e542557ca00bbef42 ]
+
+We'll need to extend the vc4_async_flip_state structure to rely on
+another callback implementation, so let's move the current one into a
+union.
+
+Reviewed-by: Melissa Wen
+Signed-off-by: Maxime Ripard
+Link: https://lore.kernel.org/r/20220610115149.964394-10-maxime@cerno.tech
+Signed-off-by: Sasha Levin
+---
+ drivers/gpu/drm/vc4/vc4_crtc.c | 20 ++++++++++++++------
+ 1 file changed, 14 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/gpu/drm/vc4/vc4_crtc.c b/drivers/gpu/drm/vc4/vc4_crtc.c
+index 51d34e7275ab..9d97f535a4d6 100644
+--- a/drivers/gpu/drm/vc4/vc4_crtc.c
++++ b/drivers/gpu/drm/vc4/vc4_crtc.c
+@@ -717,17 +717,17 @@ struct vc4_async_flip_state {
+ struct drm_framebuffer *fb;
+ struct drm_pending_vblank_event *event;
+
+- struct vc4_seqno_cb cb;
++ union {
++ struct vc4_seqno_cb seqno;
++ } cb;
+ };
+
+ /* Called when the V3D execution for the BO being flipped to is done, so that
+ * we can actually update the plane's address to point to it.
+ */
+ static void
+-vc4_async_page_flip_complete(struct vc4_seqno_cb *cb)
++vc4_async_page_flip_complete(struct vc4_async_flip_state *flip_state)
+ {
+- struct vc4_async_flip_state *flip_state =
+- container_of(cb, struct vc4_async_flip_state, cb);
+ struct drm_crtc *crtc = flip_state->crtc;
+ struct drm_device *dev = crtc->dev;
+ struct vc4_dev *vc4 = to_vc4_dev(dev);
+@@ -749,6 +749,14 @@ vc4_async_page_flip_complete(struct vc4_seqno_cb *cb)
+ up(&vc4->async_modeset);
+ }
+
++static void vc4_async_page_flip_seqno_complete(struct vc4_seqno_cb *cb)
++{
++ struct vc4_async_flip_state *flip_state =
++ container_of(cb, struct vc4_async_flip_state, cb.seqno);
++
++ vc4_async_page_flip_complete(flip_state);
++}
++
+ /* Implements async (non-vblank-synced) page flips.
+ *
+ * The page flip ioctl needs to return immediately, so we grab the
+@@ -794,8 +802,8 @@ static int vc4_async_page_flip(struct drm_crtc *crtc,
+ drm_atomic_set_fb_for_plane(plane->state, fb);
+ plane->fb = fb;
+
+- vc4_queue_seqno_cb(dev, &flip_state->cb, bo->seqno,
+- vc4_async_page_flip_complete);
++ vc4_queue_seqno_cb(dev, &flip_state->cb.seqno, bo->seqno,
++ vc4_async_page_flip_seqno_complete);
+
+ /* Driver takes ownership of state on successful async commit. */
+ return 0;
+--
+2.35.1
+
diff --git a/queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch b/queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch
new file mode 100644
index 00000000000..2413d272dc1
--- /dev/null
+++ b/queue-4.9/mips-lantiq-add-missing-of_node_put-in-irq.c.patch
@@ -0,0 +1,35 @@
+From 1c315afdf95d3009f791d5692315cfbf3edf846a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 21 Jun 2022 23:41:25 +0800
+Subject: mips: lantiq: Add missing of_node_put() in irq.c
+
+From: Liang He
+
+[ Upstream commit 3748d2185ac4c2c6f80989672253aad909ecaf95 ]
+
+In icu_of_init(), of_find_compatible_node() will return a node
+pointer with refcount incremented. We should use of_node_put()
+when it is not used anymore.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/irq.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/arch/mips/lantiq/irq.c b/arch/mips/lantiq/irq.c
+index e64f678ca12c..e29dc58271b2 100644
+--- a/arch/mips/lantiq/irq.c
++++ b/arch/mips/lantiq/irq.c
+@@ -460,6 +460,7 @@ int __init icu_of_init(struct device_node *node, struct device_node *parent)
+ if (!ltq_eiu_membase)
+ panic("Failed to remap eiu memory");
+ }
++ of_node_put(eiu_node);
+
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch b/queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
new file mode 100644
index 00000000000..489a4751493
--- /dev/null
+++ b/queue-4.9/mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
@@ -0,0 +1,40 @@
+From 08a37afa007c6a1b844d3f214c0bfdaead5c3c8a Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jun 2022 20:19:58 +0800
+Subject: mips: lantiq: falcon: Fix refcount leak bug in sysctrl
+
+From: Liang He
+
+[ Upstream commit 72a2af539fff975caadd9a4db3f99963569bd9c9 ]
+
+In ltq_soc_init(), of_find_compatible_node() will return a node pointer
+with refcount incremented. We should use of_node_put() when it is not
+used anymore.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/falcon/sysctrl.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/arch/mips/lantiq/falcon/sysctrl.c b/arch/mips/lantiq/falcon/sysctrl.c
+index 714d92659489..665739bd4190 100644
+--- a/arch/mips/lantiq/falcon/sysctrl.c
++++ b/arch/mips/lantiq/falcon/sysctrl.c
+@@ -210,6 +210,12 @@ void __init ltq_soc_init(void)
+ of_address_to_resource(np_sysgpe, 0, &res_sys[2]))
+ panic("Failed to get core resources");
+
++ of_node_put(np_status);
++ of_node_put(np_ebu);
++ of_node_put(np_sys1);
++ of_node_put(np_syseth);
++ of_node_put(np_sysgpe);
++
+ if ((request_mem_region(res_status.start, resource_size(&res_status),
+ res_status.name) < 0) ||
+ (request_mem_region(res_ebu.start, resource_size(&res_ebu),
+--
+2.35.1
+
diff --git a/queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch b/queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
new file mode 100644
index 00000000000..66d38bc55a6
--- /dev/null
+++ b/queue-4.9/mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
@@ -0,0 +1,38 @@
+From b3ff2f4b52221161b17864edb6ba5a78b03a3fba Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jun 2022 20:25:05 +0800
+Subject: mips: lantiq: xway: Fix refcount leak bug in sysctrl
+
+From: Liang He
+
+[ Upstream commit 76695592711ef1e215cc24ed3e1cd857d7fc3098 ]
+
+In ltq_soc_init(), of_find_compatible_node() will return a node
+pointer with refcount incremented. We should use of_node_put() when
+it is not used anymore.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/lantiq/xway/sysctrl.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/arch/mips/lantiq/xway/sysctrl.c b/arch/mips/lantiq/xway/sysctrl.c
+index dd7c36a193e3..6891456a7603 100644
+--- a/arch/mips/lantiq/xway/sysctrl.c
++++ b/arch/mips/lantiq/xway/sysctrl.c
+@@ -457,6 +457,10 @@ void __init ltq_soc_init(void)
+ of_address_to_resource(np_ebu, 0, &res_ebu))
+ panic("Failed to get core resources");
+
++ of_node_put(np_pmu);
++ of_node_put(np_cgu);
++ of_node_put(np_ebu);
++
+ if (!request_mem_region(res_pmu.start, resource_size(&res_pmu),
+ res_pmu.name) ||
+ !request_mem_region(res_cgu.start, resource_size(&res_cgu),
+--
+2.35.1
+
diff --git a/queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch b/queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
new file mode 100644
index 00000000000..f4dac98bb86
--- /dev/null
+++ b/queue-4.9/mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
@@ -0,0 +1,63 @@
+From ebbab11defed7127dbf9a060f088c08cad67f455 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 19 Jun 2022 12:54:27 +0800
+Subject: mips/pic32/pic32mzda: Fix refcount leak bugs
+
+From: Liang He
+
+[ Upstream commit eb9e9bc4fa5fb489c92ec588b3fb35f042ba6d86 ]
+
+of_find_matching_node(), of_find_compatible_node() and
+of_find_node_by_path() will return node pointers with refcout
+incremented. We should call of_node_put() when they are not
+used anymore.
+
+Signed-off-by: Liang He
+Signed-off-by: Thomas Bogendoerfer
+Signed-off-by: Sasha Levin
+---
+ arch/mips/pic32/pic32mzda/init.c | 7 ++++++-
+ arch/mips/pic32/pic32mzda/time.c | 3 +++
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/arch/mips/pic32/pic32mzda/init.c b/arch/mips/pic32/pic32mzda/init.c
+index 406c6c5cec29..f8985d4573e6 100644
+--- a/arch/mips/pic32/pic32mzda/init.c
++++ b/arch/mips/pic32/pic32mzda/init.c
+@@ -131,13 +131,18 @@ static int __init pic32_of_prepare_platform_data(struct of_dev_auxdata *lookup)
+ np = of_find_compatible_node(NULL, NULL, lookup->compatible);
+ if (np) {
+ lookup->name = (char *)np->name;
+- if (lookup->phys_addr)
++ if (lookup->phys_addr) {
++ of_node_put(np);
+ continue;
++ }
+ if (!of_address_to_resource(np, 0, &res))
+ lookup->phys_addr = res.start;
++ of_node_put(np);
+ }
+ }
+
++ of_node_put(root);
++
+ return 0;
+ }
+
+diff --git a/arch/mips/pic32/pic32mzda/time.c b/arch/mips/pic32/pic32mzda/time.c
+index 62a0a78b6c64..bfafe241c1b5 100644
+--- a/arch/mips/pic32/pic32mzda/time.c
++++ b/arch/mips/pic32/pic32mzda/time.c
+@@ -40,6 +40,9 @@ static unsigned int pic32_xlate_core_timer_irq(void)
+ goto default_map;
+
+ irq = irq_of_parse_and_map(node, 0);
++
++ of_node_put(node);
++
+ if (!irq)
+ goto default_map;
+
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index a6663fad619..4192f5e9e33 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
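Review bot: In the init.c hunk, `lookup->name = (char *)np->name;` keeps a pointer into the node after the added `of_node_put(np)` drops the only reference this function holds, both in the `continue` branch and on the normal path. That is harmless as long as the matched nodes are never released, which I assume is the case for a boot-time device tree on this platform, but nothing in the code says so. I would add a comment above the assignment, `/* np->name is borrowed; relies on the DT node never being freed */`, or duplicate the string if dynamic nodes are possible. The loop header and the lookup that produces `root` are outside the hunk.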
@@ -1,2 +1,15 @@
 parisc-ccio-dma-add-missing-iounmap-in-error-path-in.patch
 cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch
+spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
+spi-cadence-detect-transmit-fifo-depth.patch
+drm-vc4-crtc-use-an-union-to-store-the-page-flip-cal.patch
+drivers-net-ethernet-neterion-vxge-fix-a-use-after-f.patch
+video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
+video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
+video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
+video-fbdev-simplefb-check-before-clk_put-not-needed.patch
+mips-lantiq-falcon-fix-refcount-leak-bug-in-sysctrl.patch
+mips-lantiq-xway-fix-refcount-leak-bug-in-sysctrl.patch
+mips-pic32-pic32mzda-fix-refcount-leak-bugs.patch
+mips-lantiq-add-missing-of_node_put-in-irq.c.patch
+arm-mach-spear-add-missing-of_node_put-in-time.c.patch
diff --git a/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch b/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
new file mode 100644
index 00000000000..9213a8448f0
--- /dev/null
+++ b/queue-4.9/spi-cadence-detect-transmit-fifo-depth.patch
@@ -0,0 +1,117 @@
+From 2991f161280d1acb79edbfa5e241d18415f16dc8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 27 May 2022 11:11:43 +0200
+Subject: spi: cadence: Detect transmit FIFO depth
+
+From: Lars-Peter Clausen
+
+[ Upstream commit 7b40322f7183a92c4303457528ae7cda571c60b9 ]
+
+The depth of the transmit FIFO for the Cadence SPI controller is currently
+hardcoded to 128. But the depth is a synthesis configuration parameter of
+the core and can vary between different SoCs.
+
+If the configured FIFO size is less than 128 the driver will busy loop in
+the cdns_spi_fill_tx_fifo() function waiting for FIFO space to become
+available.
+
+Depending on the length and speed of the transfer it can spin for a
+significant amount of time. The cdns_spi_fill_tx_fifo() function is called
+from the drivers interrupt handler, so it can leave interrupts disabled for
+a prolonged amount of time.
+
+In addition the read FIFO will also overflow and data will be discarded.
+
+To avoid this detect the actual size of the FIFO and use that rather than
+the hardcoded value.
+
+To detect the FIFO size the FIFO threshold register is used. The register
+is sized so that it can hold FIFO size - 1 as its maximum value. Bits that
+are not needed to hold the threshold value will always read 0. By writing
+0xffff to the register and then reading back the value in the register we
+get the FIFO size.
+
+Signed-off-by: Lars-Peter Clausen
+Link: https://lore.kernel.org/r/20220527091143.3780378-1-lars@metafoo.de
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-cadence.c | 27 +++++++++++++++++++++++----
+ 1 file changed, 23 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index 6d294a1fa5e5..733724e71a30 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -96,9 +96,6 @@
+ #define CDNS_SPI_ER_ENABLE 0x00000001 /* SPI Enable Bit Mask */
+ #define CDNS_SPI_ER_DISABLE 0x0 /* SPI Disable Bit Mask */
+
+-/* SPI FIFO depth in bytes */
+-#define CDNS_SPI_FIFO_DEPTH 128
+-
+ /* Default number of chip select lines */
+ #define CDNS_SPI_DEFAULT_NUM_CS 4
+
+@@ -114,6 +111,7 @@
+ * @rx_bytes: Number of bytes requested
+ * @dev_busy: Device busy flag
+ * @is_decoded_cs: Flag for decoder property set or not
++ * @tx_fifo_depth: Depth of the TX FIFO
+ */
+ struct cdns_spi {
+ void __iomem *regs;
+@@ -127,6 +125,7 @@ struct cdns_spi {
+ int rx_bytes;
+ u8 dev_busy;
+ u32 is_decoded_cs;
++ unsigned int tx_fifo_depth;
+ };
+
+ /* Macros for the SPI controller read/write */
+@@ -308,7 +307,7 @@ static void cdns_spi_fill_tx_fifo(struct cdns_spi *xspi)
+ {
+ unsigned long trans_cnt = 0;
+
+- while ((trans_cnt < CDNS_SPI_FIFO_DEPTH) &&
++ while ((trans_cnt < xspi->tx_fifo_depth) &&
+ (xspi->tx_bytes > 0)) {
+ if (xspi->txbuf)
+ cdns_spi_write(xspi, CDNS_SPI_TXD, *xspi->txbuf++);
+@@ -463,6 +462,24 @@ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
+ return 0;
+ }
+
++/**
++ * cdns_spi_detect_fifo_depth - Detect the FIFO depth of the hardware
++ * @xspi: Pointer to the cdns_spi structure
++ *
++ * The depth of the TX FIFO is a synthesis configuration parameter of the SPI
++ * IP. The FIFO threshold register is sized so that its maximum value can be the
++ * FIFO size - 1. This is used to detect the size of the FIFO.
++ */
++static void cdns_spi_detect_fifo_depth(struct cdns_spi *xspi)
++{
++ /* The MSBs will get truncated giving us the size of the FIFO */
++ cdns_spi_write(xspi, CDNS_SPI_THLD, 0xffff);
++ xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1;
++
++ /* Reset to default */
++ cdns_spi_write(xspi, CDNS_SPI_THLD, 0x1);
++}
++
+ /**
+ * cdns_spi_probe - Probe method for the SPI driver
+ * @pdev: Pointer to the platform_device structure
+@@ -536,6 +553,8 @@ static int cdns_spi_probe(struct platform_device *pdev)
+ if (ret < 0)
+ xspi->is_decoded_cs = 0;
+
++ cdns_spi_detect_fifo_depth(xspi);
++
+ /* SPI controller initializations */
+ cdns_spi_init_hw(xspi);
+
+--
+2.35.1
+
diff --git a/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch b/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
new file mode 100644
index 00000000000..7209d828a9b
--- /dev/null
+++ b/queue-4.9/spi-spi-cadence-fix-spi-cs-gets-toggling-sporadicall.patch
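Review bot: `xspi->tx_fifo_depth = cdns_spi_read(xspi, CDNS_SPI_THLD) + 1;` is trusted without any sanity check, although the value bounds the fill loop in `cdns_spi_fill_tx_fifo()`, which the commit message says runs from the interrupt handler. If the threshold register is not writable on some integration, or the block is not clocked when probe reaches this call (neither can be told from the hunk), the readback is 0 and the depth silently becomes 1. I would at least record the result in cdns_spi_probe(), `dev_dbg(&pdev->dev, "TX FIFO depth %u\n", xspi->tx_fifo_depth);`, and consider falling back to the previous 128 when the readback is 0. The body of cdns_spi_probe() starts and ends outside the hunk.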
@@ -0,0 +1,67 @@
+From a2874c7fe4294710fe1f347212f4d8c262cb3a7c Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 6 Jun 2022 11:55:25 +0530
+Subject: spi: spi-cadence: Fix SPI CS gets toggling sporadically
+
+From: Sai Krishna Potthuri
+
+[ Upstream commit 21b511ddee09a78909035ec47a6a594349fe3296 ]
+
+As part of unprepare_transfer_hardware, SPI controller will be disabled
+which will indirectly deassert the CS line. This will create a problem
+in some of the devices where message will be transferred with
+cs_change flag set(CS should not be deasserted).
+As per SPI controller implementation, if SPI controller is disabled then
+all output enables are inactive and all pins are set to input mode which
+means CS will go to default state high(deassert). This leads to an issue
+when core explicitly ask not to deassert the CS (cs_change = 1). This
+patch fix the above issue by checking the Slave select status bits from
+configuration register before disabling the SPI.
+
+Signed-off-by: Sai Krishna Potthuri
+Signed-off-by: Amit Kumar Mahapatra
+Link: https://lore.kernel.org/r/20220606062525.18447-1-amit.kumar-mahapatra@xilinx.com
+Signed-off-by: Mark Brown
+Signed-off-by: Sasha Levin
+---
+ drivers/spi/spi-cadence.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
+index e383c6368915..6d294a1fa5e5 100644
+--- a/drivers/spi/spi-cadence.c
++++ b/drivers/spi/spi-cadence.c
+@@ -72,6 +72,7 @@
+ #define CDNS_SPI_BAUD_DIV_SHIFT 3 /* Baud rate divisor shift in CR */
+ #define CDNS_SPI_SS_SHIFT 10 /* Slave Select field shift in CR */
+ #define CDNS_SPI_SS0 0x1 /* Slave Select zero */
++#define CDNS_SPI_NOSS 0x3C /* No Slave select */
+
+ /*
+ * SPI Interrupt Registers bit Masks
+@@ -444,15 +445,20 @@ static int cdns_prepare_transfer_hardware(struct spi_master *master)
+ * @master: Pointer to the spi_master structure which provides
+ * information about the controller.
+ *
+- * This function disables the SPI master controller.
++ * This function disables the SPI master controller when no slave selected.
+ *
+ * Return: 0 always
+ */
+ static int cdns_unprepare_transfer_hardware(struct spi_master *master)
+ {
+ struct cdns_spi *xspi = spi_master_get_devdata(master);
++ u32 ctrl_reg;
+
+- cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
++ /* Disable the SPI if slave is deselected */
++ ctrl_reg = cdns_spi_read(xspi, CDNS_SPI_CR);
++ ctrl_reg = (ctrl_reg & CDNS_SPI_CR_SSCTRL) >> CDNS_SPI_SS_SHIFT;
++ if (ctrl_reg == CDNS_SPI_NOSS)
++ cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
+
+ return 0;
+ }
+--
+2.35.1
+
diff --git a/queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch b/queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
new file mode 100644
index 00000000000..f1ee2d770ed
--- /dev/null
+++ b/queue-4.9/video-fbdev-intelfb-use-aperture-size-from-pci_resou.patch
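Review bot: The new test `if (ctrl_reg == CDNS_SPI_NOSS)` in cdns_unprepare_transfer_hardware() looks as if it can never be true, because `ctrl_reg` has already been masked with `CDNS_SPI_CR_SSCTRL` and shifted right by `CDNS_SPI_SS_SHIFT` (10) while `CDNS_SPI_NOSS` is defined as `0x3C`. If the slave-select field is four bits wide (the mask's value is not in this hunk, but `0x3C` is `0xF << 2`, which suggests it), the shifted value cannot exceed `0xF`, and the controller would then never be disabled on unprepare. Defining the constant in shifted form, `#define CDNS_SPI_NOSS 0xF /* No Slave select */`, or comparing before the shift would make the branch reachable. Please check the mask definition in the 4.9 tree before this is queued.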
@@ -0,0 +1,56 @@
+From fe558347385f2a003ed12fe5a8807db4fb9148dc Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Fri, 17 Jun 2022 15:38:04 +0200
+Subject: video: fbdev: intelfb: Use aperture size from pci_resource_len
+
+From: Petr Cvek
+
+[ Upstream commit 25c9a15fb7bbfafb94dd3b4e3165c18b8e1bd039 ]
+
+Aperture size for i9x5 variants is determined from PCI base address.
+
+ if (pci_resource_start(pdev, 2) & 0x08000000)
+ *aperture_size = MB(128);
+ ...
+
+This condition is incorrect as 128 MiB address can have the address
+set as 0x?8000000 or 0x?0000000. Also the code can be simplified to just
+use pci_resource_len().
+
+The true settings of the aperture size is in the MSAC register, which
+could be used instead. However the value is used only as an info message,
+so it doesn't matter.
+
+Signed-off-by: Petr Cvek
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/intelfb/intelfbhw.c | 12 +++++-------
+ 1 file changed, 5 insertions(+), 7 deletions(-)
+
+diff --git a/drivers/video/fbdev/intelfb/intelfbhw.c b/drivers/video/fbdev/intelfb/intelfbhw.c
+index d31ed4e2c46f..3aa93565e935 100644
+--- a/drivers/video/fbdev/intelfb/intelfbhw.c
++++ b/drivers/video/fbdev/intelfb/intelfbhw.c
+@@ -199,13 +199,11 @@ int intelfbhw_get_memory(struct pci_dev *pdev, int *aperture_size,
+ case PCI_DEVICE_ID_INTEL_945GME:
+ case PCI_DEVICE_ID_INTEL_965G:
+ case PCI_DEVICE_ID_INTEL_965GM:
+- /* 915, 945 and 965 chipsets support a 256MB aperture.
+- Aperture size is determined by inspected the
+- base address of the aperture. */
+- if (pci_resource_start(pdev, 2) & 0x08000000)
+- *aperture_size = MB(128);
+- else
+- *aperture_size = MB(256);
++ /*
++ * 915, 945 and 965 chipsets support 64MB, 128MB or 256MB
++ * aperture. Determine size from PCI resource length.
++ */
++ *aperture_size = pci_resource_len(pdev, 2);
+ break;
+ default:
+ if ((tmp & INTEL_GMCH_MEM_MASK) == INTEL_GMCH_MEM_64M)
+--
+2.35.1
+
diff --git a/queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch b/queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
new file mode 100644
index 00000000000..b4171ac8491
--- /dev/null
+++ b/queue-4.9/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch
@@ -0,0 +1,36 @@
+From 06b856a78321aedeacaa0fbb60105aec841e90b5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jun 2022 07:17:46 -0700
+Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write
+
+From: Hyunwoo Kim
+
+[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ]
+
+In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of
+type int. Then, copy_from_user() may cause a heap overflow because it is used
+as the third argument of copy_from_user().
+
+Signed-off-by: Hyunwoo Kim
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/pxa3xx-gcu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c
+index 184773b6b9e4..2cca4b763d8d 100644
+--- a/drivers/video/fbdev/pxa3xx-gcu.c
++++ b/drivers/video/fbdev/pxa3xx-gcu.c
+@@ -391,7 +391,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff,
+ struct pxa3xx_gcu_batch *buffer;
+ struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file);
+
+- int words = count / 4;
++ size_t words = count / 4;
+
+ /* Does not need to be atomic. There's a lock in user space,
+ * but anyhow, this is just for statistics. */
+--
+2.35.1
+
diff --git a/queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch b/queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch
new file mode 100644
index 00000000000..a47a2b7affc
--- /dev/null
+++ b/queue-4.9/video-fbdev-simplefb-check-before-clk_put-not-needed.patch
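Review bot: Widening `words` to `size_t` only closes the overflow if the length check that follows compares the unsigned value before `copy_from_user()` is reached, and that check is outside this hunk. For the 4.9 backport it should be confirmed that an oversized `count` is rejected there and that `words` is not narrowed to `int` again on the way to the copy. The signature in the hunk header also shows `const char *buff` without `__user`, so sparse cannot check the user-pointer handling in pxa3xx_gcu_write(); `const char __user *buff` would document it. A comment on the declaration, `/* size_t: count is user-controlled and must not wrap negative */`, would help keep the type from being changed back.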
@@ -0,0 +1,37 @@
+From 502b7bbb7aaf38fe36919b4d57cf696d48a8a061 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 2 Jun 2022 02:42:18 -0700
+Subject: video: fbdev: simplefb: Check before clk_put() not needed
+
+From: Yihao Han
+
+[ Upstream commit 5491424d17bdeb7b7852a59367858251783f8398 ]
+
+clk_put() already checks the clk ptr using !clk and IS_ERR()
+so there is no need to check it again before calling it.
+
+Signed-off-by: Yihao Han
+Reviewed-by: Hans de Goede
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/simplefb.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/drivers/video/fbdev/simplefb.c b/drivers/video/fbdev/simplefb.c
+index 61f799a515dc..1efdbbc20f99 100644
+--- a/drivers/video/fbdev/simplefb.c
++++ b/drivers/video/fbdev/simplefb.c
+@@ -231,8 +231,7 @@ static int simplefb_clocks_init(struct simplefb_par *par,
+ if (IS_ERR(clock)) {
+ if (PTR_ERR(clock) == -EPROBE_DEFER) {
+ while (--i >= 0) {
+- if (par->clks[i])
+- clk_put(par->clks[i]);
++ clk_put(par->clks[i]);
+ }
+ kfree(par->clks);
+ return -EPROBE_DEFER;
+--
+2.35.1
+
diff --git a/queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch b/queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
new file mode 100644
index 00000000000..038af63febc
--- /dev/null
+++ b/queue-4.9/video-fbdev-skeletonfb-fix-syntax-errors-in-comments.patch
@@ -0,0 +1,34 @@
+From 56e18b696e76f7df745950e4fe75c6adb35e28c2 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Sun, 5 Jun 2022 16:59:13 +0800
+Subject: video: fbdev: skeletonfb: Fix syntax errors in comments
+
+From: Xiang wangx
+
+[ Upstream commit fc378794a2f7a19cf26010dc33b89ba608d4c70f ]
+
+Delete the redundant word 'its'.
+
+Signed-off-by: Xiang wangx
+Signed-off-by: Helge Deller
+Signed-off-by: Sasha Levin
+---
+ drivers/video/fbdev/skeletonfb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/drivers/video/fbdev/skeletonfb.c b/drivers/video/fbdev/skeletonfb.c
+index f948baa16d82..254bb6e2187c 100644
+--- a/drivers/video/fbdev/skeletonfb.c
++++ b/drivers/video/fbdev/skeletonfb.c
+@@ -96,7 +96,7 @@ static struct fb_fix_screeninfo xxxfb_fix = {
+
+ /*
+ * Modern graphical hardware not only supports pipelines but some
+- * also support multiple monitors where each display can have its
++ * also support multiple monitors where each display can have
+ * its own unique data. In this case each display could be
+ * represented by a separate framebuffer device thus a separate
+ * struct fb_info. Now the struct xxx_par represents the graphics
+--
+2.35.1
+
--
2.47.3