From cda4824dc1864585f52e833c9ee6601aabd2ee12 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Tue, 20 Sep 2022 17:23:50 -0400 Subject: [PATCH] Fixes for 5.4 Signed-off-by: Sasha Levin --- ...n-not-eremoteio-when-a-file-already-.patch | 41 +++++++ ...l-keep-power-up-while-beep-is-enable.patch | 71 ++++++++++++ ...egra-align-bdl-entry-to-4kb-boundary.patch | 39 +++++++ ...x-semaphore-unbalance-at-error-paths.patch | 101 ++++++++++++++++++ ...irq-fix-octeon_irq_force_ciu_mapping.patch | 61 +++++++++++ ...-mismatch-of-l0-symbols-in-system.ma.patch | 39 +++++++ .../net-usb-qmi_wwan-add-quectel-rm520n.patch | 67 ++++++++++++ ...00-fix-the-global-out-of-bounds-acce.patch | 42 ++++++++ queue-5.4/rxrpc-fix-calc-of-resend-age.patch | 34 ++++++ ...fix-local-destruction-being-repeated.patch | 38 +++++++ queue-5.4/series | 11 ++ ...xx-gcu-fix-integer-overflow-in-pxa3x.patch | 36 +++++++ 12 files changed, 580 insertions(+) create mode 100644 queue-5.4/afs-return-eagain-not-eremoteio-when-a-file-already-.patch create mode 100644 queue-5.4/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch create mode 100644 queue-5.4/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch create mode 100644 queue-5.4/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch create mode 100644 queue-5.4/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch create mode 100644 queue-5.4/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch create mode 100644 queue-5.4/net-usb-qmi_wwan-add-quectel-rm520n.patch create mode 100644 queue-5.4/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch create mode 100644 queue-5.4/rxrpc-fix-calc-of-resend-age.patch create mode 100644 queue-5.4/rxrpc-fix-local-destruction-being-repeated.patch create mode 100644 queue-5.4/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch diff --git a/queue-5.4/afs-return-eagain-not-eremoteio-when-a-file-already-.patch b/queue-5.4/afs-return-eagain-not-eremoteio-when-a-file-already-.patch new file mode 100644 index 00000000000..3fbbb6115d3 --- /dev/null +++ b/queue-5.4/afs-return-eagain-not-eremoteio-when-a-file-already-.patch @@ -0,0 +1,41 @@ +From 7b4ca3e869ca2f10338112723a14f2bd5b385f9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 22:09:11 +0100 +Subject: afs: Return -EAGAIN, not -EREMOTEIO, when a file already locked + +From: David Howells + +[ Upstream commit 0066f1b0e27556381402db3ff31f85d2a2265858 ] + +When trying to get a file lock on an AFS file, the server may return +UAEAGAIN to indicate that the lock is already held. This is currently +translated by the default path to -EREMOTEIO. + +Translate it instead to -EAGAIN so that we know we can retry it. + +Signed-off-by: David Howells +Reviewed-by: Jeffrey E Altman +cc: Marc Dionne +cc: linux-afs@lists.infradead.org +Link: https://lore.kernel.org/r/166075761334.3533338.2591992675160918098.stgit@warthog.procyon.org.uk/ +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + fs/afs/misc.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/afs/misc.c b/fs/afs/misc.c +index 5334f1bd2bca..5171d6d99031 100644 +--- a/fs/afs/misc.c ++++ b/fs/afs/misc.c +@@ -69,6 +69,7 @@ int afs_abort_to_error(u32 abort_code) + /* Unified AFS error table */ + case UAEPERM: return -EPERM; + case UAENOENT: return -ENOENT; ++ case UAEAGAIN: return -EAGAIN; + case UAEACCES: return -EACCES; + case UAEBUSY: return -EBUSY; + case UAEEXIST: return -EEXIST; +-- +2.35.1 + diff --git a/queue-5.4/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch b/queue-5.4/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch new file mode 100644 index 00000000000..702292210bc --- /dev/null +++ b/queue-5.4/alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch @@ -0,0 +1,71 @@ +From 1bcb27497f9fbbbf6e954259422951ec554e6c05 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 4 Sep 2022 09:27:50 +0200 +Subject: ALSA: hda/sigmatel: Keep power up while beep is enabled + +From: Takashi Iwai + +[ Upstream commit 414d38ba871092aeac4ed097ac4ced89486646f7 ] + +It seems that the beep playback doesn't work well on IDT codec devices +when the codec auto-pm is enabled. Keep the power on while the beep +switch is enabled. + +Link: https://bugzilla.suse.com/show_bug.cgi?id=1200544 +Link: https://lore.kernel.org/r/20220904072750.26164-1-tiwai@suse.de +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/patch_sigmatel.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/pci/hda/patch_sigmatel.c b/sound/pci/hda/patch_sigmatel.c +index bfd3fe5eff31..7a8ecc21b347 100644 +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -209,6 +209,7 @@ struct sigmatel_spec { + + /* beep widgets */ + hda_nid_t anabeep_nid; ++ bool beep_power_on; + + /* SPDIF-out mux */ + const char * const *spdif_labels; +@@ -4441,6 +4442,26 @@ static int stac_suspend(struct hda_codec *codec) + stac_shutup(codec); + return 0; + } ++ ++static int stac_check_power_status(struct hda_codec *codec, hda_nid_t nid) ++{ ++ struct sigmatel_spec *spec = codec->spec; ++ int ret = snd_hda_gen_check_power_status(codec, nid); ++ ++#ifdef CONFIG_SND_HDA_INPUT_BEEP ++ if (nid == spec->gen.beep_nid && codec->beep) { ++ if (codec->beep->enabled != spec->beep_power_on) { ++ spec->beep_power_on = codec->beep->enabled; ++ if (spec->beep_power_on) ++ snd_hda_power_up_pm(codec); ++ else ++ snd_hda_power_down_pm(codec); ++ } ++ ret |= spec->beep_power_on; ++ } ++#endif ++ return ret; ++} + #else + #define stac_suspend NULL + #endif /* CONFIG_PM */ +@@ -4453,6 +4474,7 @@ static const struct hda_codec_ops stac_patch_ops = { + .unsol_event = snd_hda_jack_unsol_event, + #ifdef CONFIG_PM + .suspend = stac_suspend, ++ .check_power_status = stac_check_power_status, + #endif + .reboot_notify = stac_shutup, + }; +-- +2.35.1 + diff --git a/queue-5.4/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch b/queue-5.4/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch new file mode 100644 index 00000000000..09021b92aec --- /dev/null +++ b/queue-5.4/alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch @@ -0,0 +1,39 @@ +From 6a26476c8e0dafbe6a45a473a337a70ed2f976c6 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 22:54:20 +0530 +Subject: ALSA: hda/tegra: Align BDL entry to 4KB boundary + +From: Mohan Kumar + +[ Upstream commit 8d44e6044a0e885acdd01813768a0b27906d64fd ] + +AZA HW may send a burst read/write request crossing 4K memory boundary. +The 4KB boundary is not guaranteed by Tegra HDA HW. Make SW change to +include the flag AZX_DCAPS_4K_BDLE_BOUNDARY to align BDLE to 4K +boundary. + +Signed-off-by: Mohan Kumar +Link: https://lore.kernel.org/r/20220905172420.3801-1-mkumard@nvidia.com +Signed-off-by: Takashi Iwai +Signed-off-by: Sasha Levin +--- + sound/pci/hda/hda_tegra.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c +index 2971b34c87c1..e235c3ec634d 100644 +--- a/sound/pci/hda/hda_tegra.c ++++ b/sound/pci/hda/hda_tegra.c +@@ -428,7 +428,8 @@ MODULE_DEVICE_TABLE(of, hda_tegra_match); + static int hda_tegra_probe(struct platform_device *pdev) + { + const unsigned int driver_flags = AZX_DCAPS_CORBRP_SELF_CLEAR | +- AZX_DCAPS_PM_RUNTIME; ++ AZX_DCAPS_PM_RUNTIME | ++ AZX_DCAPS_4K_BDLE_BOUNDARY; + struct snd_card *card; + struct azx *chip; + struct hda_tegra *hda; +-- +2.35.1 + diff --git a/queue-5.4/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch b/queue-5.4/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch new file mode 100644 index 00000000000..67dabc9964d --- /dev/null +++ b/queue-5.4/asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch @@ -0,0 +1,101 @@ +From ba5f7a1c2f984f9a0a33b9ef6b30f04d502b2880 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 23 Aug 2022 10:09:57 +0200 +Subject: ASoC: nau8824: Fix semaphore unbalance at error paths + +From: Takashi Iwai + +[ Upstream commit 5628560e90395d3812800a8e44a01c32ffa429ec ] + +The semaphore of nau8824 wasn't properly unlocked at some error +handling code paths, hence this may result in the unbalance (and +potential lock-up). Fix them to handle the semaphore up properly. + +Signed-off-by: Takashi Iwai +Link: https://lore.kernel.org/r/20220823081000.2965-3-tiwai@suse.de +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + sound/soc/codecs/nau8824.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +diff --git a/sound/soc/codecs/nau8824.c b/sound/soc/codecs/nau8824.c +index c8ccfa2fff84..a95fe3fff1db 100644 +--- a/sound/soc/codecs/nau8824.c ++++ b/sound/soc/codecs/nau8824.c +@@ -1072,6 +1072,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + struct snd_soc_component *component = dai->component; + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int val_len = 0, osr, ctrl_val, bclk_fs, bclk_div; ++ int err = -EINVAL; + + nau8824_sema_acquire(nau8824, HZ); + +@@ -1088,7 +1089,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_DAC_OVERSAMPLE_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_DAC_SRC_MASK, + osr_dac_sel[osr].clk_src << NAU8824_CLK_DAC_SRC_SFT); +@@ -1098,7 +1099,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + osr &= NAU8824_ADC_SYNC_DOWN_MASK; + if (nau8824_clock_check(nau8824, substream->stream, + nau8824->fs, osr)) +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, NAU8824_REG_CLK_DIVIDER, + NAU8824_CLK_ADC_SRC_MASK, + osr_adc_sel[osr].clk_src << NAU8824_CLK_ADC_SRC_SFT); +@@ -1119,7 +1120,7 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + else if (bclk_fs <= 256) + bclk_div = 0; + else +- return -EINVAL; ++ goto error; + regmap_update_bits(nau8824->regmap, + NAU8824_REG_PORT0_I2S_PCM_CTRL_2, + NAU8824_I2S_LRC_DIV_MASK | NAU8824_I2S_BLK_DIV_MASK, +@@ -1140,15 +1141,17 @@ static int nau8824_hw_params(struct snd_pcm_substream *substream, + val_len |= NAU8824_I2S_DL_32; + break; + default: +- return -EINVAL; ++ goto error; + } + + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DL_MASK, val_len); ++ err = 0; + ++ error: + nau8824_sema_release(nau8824); + +- return 0; ++ return err; + } + + static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) +@@ -1157,8 +1160,6 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + struct nau8824 *nau8824 = snd_soc_component_get_drvdata(component); + unsigned int ctrl1_val = 0, ctrl2_val = 0; + +- nau8824_sema_acquire(nau8824, HZ); +- + switch (fmt & SND_SOC_DAIFMT_MASTER_MASK) { + case SND_SOC_DAIFMT_CBM_CFM: + ctrl2_val |= NAU8824_I2S_MS_MASTER; +@@ -1200,6 +1201,8 @@ static int nau8824_set_fmt(struct snd_soc_dai *dai, unsigned int fmt) + return -EINVAL; + } + ++ nau8824_sema_acquire(nau8824, HZ); ++ + regmap_update_bits(nau8824->regmap, NAU8824_REG_PORT0_I2S_PCM_CTRL_1, + NAU8824_I2S_DF_MASK | NAU8824_I2S_BP_MASK | + NAU8824_I2S_PCMB_EN, ctrl1_val); +-- +2.35.1 + diff --git a/queue-5.4/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch b/queue-5.4/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch new file mode 100644 index 00000000000..ef67ba9695a --- /dev/null +++ b/queue-5.4/mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch @@ -0,0 +1,61 @@ +From 6b1b0999bb4dc745910d19ec70899633c38ace71 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 6 Sep 2022 11:59:43 +0200 +Subject: MIPS: OCTEON: irq: Fix octeon_irq_force_ciu_mapping() + +From: Alexander Sverdlin + +[ Upstream commit ba912afbd611d3a5f22af247721a071ad1d5b9e0 ] + +For irq_domain_associate() to work the virq descriptor has to be +pre-allocated in advance. Otherwise the following happens: + +WARNING: CPU: 0 PID: 0 at .../kernel/irq/irqdomain.c:527 irq_domain_associate+0x298/0x2e8 +error: virq128 is not allocated +Modules linked in: +CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.19.78-... #1 + ... +Call Trace: +[] show_stack+0x9c/0x130 +[] dump_stack+0x90/0xd0 +[] __warn+0x118/0x130 +[] warn_slowpath_fmt+0x4c/0x70 +[] irq_domain_associate+0x298/0x2e8 +[] octeon_irq_init_ciu+0x4c8/0x53c +[] of_irq_init+0x1e0/0x388 +[] init_IRQ+0x4c/0xf4 +[] start_kernel+0x404/0x698 + +Use irq_alloc_desc_at() to avoid the above problem. + +Signed-off-by: Alexander Sverdlin +Signed-off-by: Thomas Bogendoerfer +Signed-off-by: Sasha Levin +--- + arch/mips/cavium-octeon/octeon-irq.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/mips/cavium-octeon/octeon-irq.c b/arch/mips/cavium-octeon/octeon-irq.c +index 3ad1f76c063a..2d5e7b21d960 100644 +--- a/arch/mips/cavium-octeon/octeon-irq.c ++++ b/arch/mips/cavium-octeon/octeon-irq.c +@@ -127,6 +127,16 @@ static void octeon_irq_free_cd(struct irq_domain *d, unsigned int irq) + static int octeon_irq_force_ciu_mapping(struct irq_domain *domain, + int irq, int line, int bit) + { ++ struct device_node *of_node; ++ int ret; ++ ++ of_node = irq_domain_get_of_node(domain); ++ if (!of_node) ++ return -EINVAL; ++ ret = irq_alloc_desc_at(irq, of_node_to_nid(of_node)); ++ if (ret < 0) ++ return ret; ++ + return irq_domain_associate(domain, irq, line << 6 | bit); + } + +-- +2.35.1 + diff --git a/queue-5.4/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch b/queue-5.4/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch new file mode 100644 index 00000000000..b9b2b62fd27 --- /dev/null +++ b/queue-5.4/mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch @@ -0,0 +1,39 @@ +From 800a6326ecf01d177d96c1e6a6b61237cad2335f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 1 Sep 2022 19:10:59 +0800 +Subject: mksysmap: Fix the mismatch of 'L0' symbols in System.map + +From: Youling Tang + +[ Upstream commit c17a2538704f926ee4d167ba625e09b1040d8439 ] + +When System.map was generated, the kernel used mksysmap to filter the +kernel symbols, we need to filter "L0" symbols in LoongArch architecture. + +$ cat System.map | grep L0 +9000000000221540 t L0 + +The L0 symbol exists in System.map, but not in .tmp_System.map. When +"cmp -s System.map .tmp_System.map" will show "Inconsistent kallsyms +data" error message in link-vmlinux.sh script. + +Signed-off-by: Youling Tang +Signed-off-by: Masahiro Yamada +Signed-off-by: Sasha Levin +--- + scripts/mksysmap | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/scripts/mksysmap b/scripts/mksysmap +index 9aa23d15862a..ad8bbc52267d 100755 +--- a/scripts/mksysmap ++++ b/scripts/mksysmap +@@ -41,4 +41,4 @@ + # so we just ignore them to let readprofile continue to work. + # (At least sparc64 has __crc_ in the middle). + +-$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)' > $2 ++$NM -n $1 | grep -v '\( [aNUw] \)\|\(__crc_\)\|\( \$[adt]\)\|\( \.L\)\|\( L0\)' > $2 +-- +2.35.1 + diff --git a/queue-5.4/net-usb-qmi_wwan-add-quectel-rm520n.patch b/queue-5.4/net-usb-qmi_wwan-add-quectel-rm520n.patch new file mode 100644 index 00000000000..89b5cfad8c6 --- /dev/null +++ b/queue-5.4/net-usb-qmi_wwan-add-quectel-rm520n.patch @@ -0,0 +1,67 @@ +From 39908c57469fef9ad4b971a5ed3cdc0c1082bb9f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 5 Sep 2022 09:24:52 +0800 +Subject: net: usb: qmi_wwan: add Quectel RM520N +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: jerry.meng + +[ Upstream commit e1091e226a2bab4ded1fe26efba2aee1aab06450 ] + +add support for Quectel RM520N which is based on Qualcomm SDX62 chip. + +0x0801: DIAG + NMEA + AT + MODEM + RMNET + +T: Bus=03 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 10 Spd=480 MxCh= 0 +D: Ver= 2.10 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 +P: Vendor=2c7c ProdID=0801 Rev= 5.04 +S: Manufacturer=Quectel +S: Product=RM520N-GL +S: SerialNumber=384af524 +C:* #Ifs= 5 Cfg#= 1 Atr=a0 MxPwr=500mA +I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option +E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=option +E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option +E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms +E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms +I:* If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan +E: Ad=88(I) Atr=03(Int.) MxPS= 8 Ivl=32ms +E: Ad=8e(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms +E: Ad=0f(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms + +Signed-off-by: jerry.meng +Acked-by: Bjørn Mork +Link: https://lore.kernel.org/r/tencent_E50CA8A206904897C2D20DDAE90731183C05@qq.com +Signed-off-by: Paolo Abeni +Signed-off-by: Sasha Levin +--- + drivers/net/usb/qmi_wwan.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c +index 8ef0a013874c..cee90e505d17 100644 +--- a/drivers/net/usb/qmi_wwan.c ++++ b/drivers/net/usb/qmi_wwan.c +@@ -1046,6 +1046,7 @@ static const struct usb_device_id products[] = { + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0512)}, /* Quectel EG12/EM12 */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0620)}, /* Quectel EM160R-GL */ + {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0800)}, /* Quectel RM500Q-GL */ ++ {QMI_MATCH_FF_FF_FF(0x2c7c, 0x0801)}, /* Quectel RM520N */ + + /* 3. Combined interface devices matching on interface number */ + {QMI_FIXED_INTF(0x0408, 0xea42, 4)}, /* Yota / Megafon M100-1 */ +-- +2.35.1 + diff --git a/queue-5.4/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch b/queue-5.4/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch new file mode 100644 index 00000000000..a14ebba6640 --- /dev/null +++ b/queue-5.4/regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch @@ -0,0 +1,42 @@ +From 77c1bd5584ee7011446e8e5a6ee1189133ac5069 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 25 Aug 2022 19:19:22 +0800 +Subject: regulator: pfuze100: Fix the global-out-of-bounds access in + pfuze100_regulator_probe() + +From: Xiaolei Wang + +[ Upstream commit 78e1e867f44e6bdc72c0e6a2609a3407642fb30b ] + +The pfuze_chip::regulator_descs is an array of size +PFUZE100_MAX_REGULATOR, the pfuze_chip::pfuze_regulators +is the pointer to the real regulators of a specific device. +The number of real regulator is supposed to be less than +the PFUZE100_MAX_REGULATOR, so we should use the size of +'regulator_num * sizeof(struct pfuze_regulator)' in memcpy(). +This fixes the out of bounds access bug reported by KASAN. + +Signed-off-by: Xiaolei Wang +Link: https://lore.kernel.org/r/20220825111922.1368055-1-xiaolei.wang@windriver.com +Signed-off-by: Mark Brown +Signed-off-by: Sasha Levin +--- + drivers/regulator/pfuze100-regulator.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/regulator/pfuze100-regulator.c b/drivers/regulator/pfuze100-regulator.c +index f873d97100e2..13609942d45c 100644 +--- a/drivers/regulator/pfuze100-regulator.c ++++ b/drivers/regulator/pfuze100-regulator.c +@@ -788,7 +788,7 @@ static int pfuze100_regulator_probe(struct i2c_client *client, + ((pfuze_chip->chip_id == PFUZE3000) ? "3000" : "3001")))); + + memcpy(pfuze_chip->regulator_descs, pfuze_chip->pfuze_regulators, +- sizeof(pfuze_chip->regulator_descs)); ++ regulator_num * sizeof(struct pfuze_regulator)); + + ret = pfuze_parse_regulators_dt(pfuze_chip); + if (ret) +-- +2.35.1 + diff --git a/queue-5.4/rxrpc-fix-calc-of-resend-age.patch b/queue-5.4/rxrpc-fix-calc-of-resend-age.patch new file mode 100644 index 00000000000..49fcdabec7d --- /dev/null +++ b/queue-5.4/rxrpc-fix-calc-of-resend-age.patch @@ -0,0 +1,34 @@ +From 9a415349def005ee7d2c19290fef3ab3c3780903 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 5 Apr 2022 13:34:09 +0100 +Subject: rxrpc: Fix calc of resend age + +From: David Howells + +[ Upstream commit 214a9dc7d852216e83acac7b75bc18f01ce184c2 ] + +Fix the calculation of the resend age to add a microsecond value as +microseconds, not nanoseconds. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/call_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/rxrpc/call_event.c b/net/rxrpc/call_event.c +index 8574e7066d94..b5f173960725 100644 +--- a/net/rxrpc/call_event.c ++++ b/net/rxrpc/call_event.c +@@ -166,7 +166,7 @@ static void rxrpc_resend(struct rxrpc_call *call, unsigned long now_j) + _enter("{%d,%d}", call->tx_hard_ack, call->tx_top); + + now = ktime_get_real(); +- max_age = ktime_sub(now, jiffies_to_usecs(call->peer->rto_j)); ++ max_age = ktime_sub_us(now, jiffies_to_usecs(call->peer->rto_j)); + + spin_lock_bh(&call->lock); + +-- +2.35.1 + diff --git a/queue-5.4/rxrpc-fix-local-destruction-being-repeated.patch b/queue-5.4/rxrpc-fix-local-destruction-being-repeated.patch new file mode 100644 index 00000000000..57e2796778b --- /dev/null +++ b/queue-5.4/rxrpc-fix-local-destruction-being-repeated.patch @@ -0,0 +1,38 @@ +From c851d4228ba0023c831723611d79cfed6cd006f1 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 6 May 2022 23:55:21 +0100 +Subject: rxrpc: Fix local destruction being repeated + +From: David Howells + +[ Upstream commit d3d863036d688313f8d566b87acd7d99daf82749 ] + +If the local processor work item for the rxrpc local endpoint gets requeued +by an event (such as an incoming packet) between it getting scheduled for +destruction and the UDP socket being closed, the rxrpc_local_destroyer() +function can get run twice. The second time it can hang because it can end +up waiting for cleanup events that will never happen. + +Signed-off-by: David Howells +Signed-off-by: Sasha Levin +--- + net/rxrpc/local_object.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/rxrpc/local_object.c b/net/rxrpc/local_object.c +index 01135e54d95d..fc784fcc3a94 100644 +--- a/net/rxrpc/local_object.c ++++ b/net/rxrpc/local_object.c +@@ -448,6 +448,9 @@ static void rxrpc_local_processor(struct work_struct *work) + container_of(work, struct rxrpc_local, processor); + bool again; + ++ if (local->dead) ++ return; ++ + trace_rxrpc_local(local->debug_id, rxrpc_local_processing, + atomic_read(&local->usage), NULL); + +-- +2.35.1 + diff --git a/queue-5.4/series b/queue-5.4/series index 2d5943b1b03..cdbd5aee88d 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -11,3 +11,14 @@ task_stack-x86-cea-force-inline-stack-helpers.patch tracing-hold-caller_addr-to-hardirq_-enable-disable-.patch cifs-revalidate-mapping-when-doing-direct-writes.patch cifs-don-t-send-down-the-destination-address-to-sendmsg-for-a-sock_stream.patch +asoc-nau8824-fix-semaphore-unbalance-at-error-paths.patch +regulator-pfuze100-fix-the-global-out-of-bounds-acce.patch +rxrpc-fix-local-destruction-being-repeated.patch +rxrpc-fix-calc-of-resend-age.patch +alsa-hda-sigmatel-keep-power-up-while-beep-is-enable.patch +alsa-hda-tegra-align-bdl-entry-to-4kb-boundary.patch +net-usb-qmi_wwan-add-quectel-rm520n.patch +afs-return-eagain-not-eremoteio-when-a-file-already-.patch +mips-octeon-irq-fix-octeon_irq_force_ciu_mapping.patch +mksysmap-fix-the-mismatch-of-l0-symbols-in-system.ma.patch +video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch diff --git a/queue-5.4/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch b/queue-5.4/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch new file mode 100644 index 00000000000..011d0324bbb --- /dev/null +++ b/queue-5.4/video-fbdev-pxa3xx-gcu-fix-integer-overflow-in-pxa3x.patch @@ -0,0 +1,36 @@ +From 452b94001a03513470c9afd3d369bc21aa3f04fe Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 20 Jun 2022 07:17:46 -0700 +Subject: video: fbdev: pxa3xx-gcu: Fix integer overflow in pxa3xx_gcu_write + +From: Hyunwoo Kim + +[ Upstream commit a09d2d00af53b43c6f11e6ab3cb58443c2cac8a7 ] + +In pxa3xx_gcu_write, a count parameter of type size_t is passed to words of +type int. Then, copy_from_user() may cause a heap overflow because it is used +as the third argument of copy_from_user(). + +Signed-off-by: Hyunwoo Kim +Signed-off-by: Helge Deller +Signed-off-by: Sasha Levin +--- + drivers/video/fbdev/pxa3xx-gcu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/video/fbdev/pxa3xx-gcu.c b/drivers/video/fbdev/pxa3xx-gcu.c +index 7c4694d70dac..15162b37f302 100644 +--- a/drivers/video/fbdev/pxa3xx-gcu.c ++++ b/drivers/video/fbdev/pxa3xx-gcu.c +@@ -382,7 +382,7 @@ pxa3xx_gcu_write(struct file *file, const char *buff, + struct pxa3xx_gcu_batch *buffer; + struct pxa3xx_gcu_priv *priv = to_pxa3xx_gcu_priv(file); + +- int words = count / 4; ++ size_t words = count / 4; + + /* Does not need to be atomic. There's a lock in user space, + * but anyhow, this is just for statistics. */ +-- +2.35.1 + -- 2.47.3