From e3b46db6fec6d6775ccd86e0ecf67304b2e7ba4b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 Sep 2022 18:00:25 +0200 Subject: [PATCH] 5.19-stable patches added patches: firmware_loader-fix-memory-leak-in-firmware-upload.patch firmware_loader-fix-use-after-free-during-unregister.patch iio-ad7292-prevent-regulator-double-disable.patch iio-adc-mcp3911-correct-microchip-device-addr-property.patch iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch misc-fastrpc-fix-memory-corruption-on-open.patch misc-fastrpc-fix-memory-corruption-on-probe.patch mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch --- ...r-fix-memory-leak-in-firmware-upload.patch | 89 ++++ ...fix-use-after-free-during-unregister.patch | 50 +++ ...292-prevent-regulator-double-disable.patch | 44 ++ ...rrect-microchip-device-addr-property.patch | 40 ++ ...se-correct-formula-for-ad-conversion.patch | 58 +++ ...-error-handling-path-in-cm3605_probe.patch | 43 ++ ...er-clearing-iforce_xmit_running-flag.patch | 121 +++++ ...ut-explicit-landlock_access_fs_refer.patch | 415 ++++++++++++++++++ ...astrpc-fix-memory-corruption-on-open.patch | 50 +++ ...strpc-fix-memory-corruption-on-probe.patch | 37 ++ ...e-at-uhs-i-sd-voltage-switch-failure.patch | 96 ++++ ...-fix-uhs-i-sd-1.8v-workaround-branch.patch | 56 +++ queue-5.19/series | 14 + ...-for-the-transmit-engine-to-complete.patch | 34 ++ ...i_sio-add-omron-cs1w-cif31-device-id.patch | 51 +++ 15 files changed, 1198 insertions(+) create mode 100644 queue-5.19/firmware_loader-fix-memory-leak-in-firmware-upload.patch create mode 100644 queue-5.19/firmware_loader-fix-use-after-free-during-unregister.patch create mode 100644 queue-5.19/iio-ad7292-prevent-regulator-double-disable.patch create mode 100644 queue-5.19/iio-adc-mcp3911-correct-microchip-device-addr-property.patch create mode 100644 queue-5.19/iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch create mode 100644 queue-5.19/iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch create mode 100644 queue-5.19/input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch create mode 100644 queue-5.19/landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch create mode 100644 queue-5.19/misc-fastrpc-fix-memory-corruption-on-open.patch create mode 100644 queue-5.19/misc-fastrpc-fix-memory-corruption-on-probe.patch create mode 100644 queue-5.19/mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch create mode 100644 queue-5.19/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch create mode 100644 queue-5.19/tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch create mode 100644 queue-5.19/usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch diff --git a/queue-5.19/firmware_loader-fix-memory-leak-in-firmware-upload.patch b/queue-5.19/firmware_loader-fix-memory-leak-in-firmware-upload.patch new file mode 100644 index 00000000000..93c1e06a47d --- /dev/null +++ b/queue-5.19/firmware_loader-fix-memory-leak-in-firmware-upload.patch @@ -0,0 +1,89 @@ +From 789bba82f63c3e81dce426ba457fc7905b30ac6e Mon Sep 17 00:00:00 2001 +From: Russ Weight +Date: Tue, 30 Aug 2022 17:25:18 -0700 +Subject: firmware_loader: Fix memory leak in firmware upload + +From: Russ Weight + +commit 789bba82f63c3e81dce426ba457fc7905b30ac6e upstream. + +In the case of firmware-upload, an instance of struct fw_upload is +allocated in firmware_upload_register(). This data needs to be freed +in fw_dev_release(). Create a new fw_upload_free() function in +sysfs_upload.c to handle the firmware-upload specific memory frees +and incorporate the missing kfree call for the fw_upload structure. + +Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support") +Cc: stable +Signed-off-by: Russ Weight +Link: https://lore.kernel.org/r/20220831002518.465274-1-russell.h.weight@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_loader/sysfs.c | 7 +++---- + drivers/base/firmware_loader/sysfs.h | 5 +++++ + drivers/base/firmware_loader/sysfs_upload.c | 9 +++++++++ + 3 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/drivers/base/firmware_loader/sysfs.c b/drivers/base/firmware_loader/sysfs.c +index 77bad32c481a..5b66b3d1fa16 100644 +--- a/drivers/base/firmware_loader/sysfs.c ++++ b/drivers/base/firmware_loader/sysfs.c +@@ -93,10 +93,9 @@ static void fw_dev_release(struct device *dev) + { + struct fw_sysfs *fw_sysfs = to_fw_sysfs(dev); + +- if (fw_sysfs->fw_upload_priv) { +- free_fw_priv(fw_sysfs->fw_priv); +- kfree(fw_sysfs->fw_upload_priv); +- } ++ if (fw_sysfs->fw_upload_priv) ++ fw_upload_free(fw_sysfs); ++ + kfree(fw_sysfs); + } + +diff --git a/drivers/base/firmware_loader/sysfs.h b/drivers/base/firmware_loader/sysfs.h +index 5d8ff1675c79..df1d5add698f 100644 +--- a/drivers/base/firmware_loader/sysfs.h ++++ b/drivers/base/firmware_loader/sysfs.h +@@ -106,12 +106,17 @@ extern struct device_attribute dev_attr_cancel; + extern struct device_attribute dev_attr_remaining_size; + + int fw_upload_start(struct fw_sysfs *fw_sysfs); ++void fw_upload_free(struct fw_sysfs *fw_sysfs); + umode_t fw_upload_is_visible(struct kobject *kobj, struct attribute *attr, int n); + #else + static inline int fw_upload_start(struct fw_sysfs *fw_sysfs) + { + return 0; + } ++ ++static inline void fw_upload_free(struct fw_sysfs *fw_sysfs) ++{ ++} + #endif + + #endif /* __FIRMWARE_SYSFS_H */ +diff --git a/drivers/base/firmware_loader/sysfs_upload.c b/drivers/base/firmware_loader/sysfs_upload.c +index 63e15bddd80c..a0af8f5f13d8 100644 +--- a/drivers/base/firmware_loader/sysfs_upload.c ++++ b/drivers/base/firmware_loader/sysfs_upload.c +@@ -264,6 +264,15 @@ int fw_upload_start(struct fw_sysfs *fw_sysfs) + return 0; + } + ++void fw_upload_free(struct fw_sysfs *fw_sysfs) ++{ ++ struct fw_upload_priv *fw_upload_priv = fw_sysfs->fw_upload_priv; ++ ++ free_fw_priv(fw_sysfs->fw_priv); ++ kfree(fw_upload_priv->fw_upload); ++ kfree(fw_upload_priv); ++} ++ + /** + * firmware_upload_register() - register for the firmware upload sysfs API + * @module: kernel module of this device +-- +2.37.3 + diff --git a/queue-5.19/firmware_loader-fix-use-after-free-during-unregister.patch b/queue-5.19/firmware_loader-fix-use-after-free-during-unregister.patch new file mode 100644 index 00000000000..16f1511adea --- /dev/null +++ b/queue-5.19/firmware_loader-fix-use-after-free-during-unregister.patch @@ -0,0 +1,50 @@ +From 8b40c38e37492b5bdf8e95b46b5cca9517a9957a Mon Sep 17 00:00:00 2001 +From: Russ Weight +Date: Mon, 29 Aug 2022 10:45:57 -0700 +Subject: firmware_loader: Fix use-after-free during unregister + +From: Russ Weight + +commit 8b40c38e37492b5bdf8e95b46b5cca9517a9957a upstream. + +In the following code within firmware_upload_unregister(), the call to +device_unregister() could result in the dev_release function freeing the +fw_upload_priv structure before it is dereferenced for the call to +module_put(). This bug was found by the kernel test robot using +CONFIG_KASAN while running the firmware selftests. + + device_unregister(&fw_sysfs->dev); + module_put(fw_upload_priv->module); + +The problem is fixed by copying fw_upload_priv->module to a local variable +for use when calling device_unregister(). + +Fixes: 97730bbb242c ("firmware_loader: Add firmware-upload support") +Cc: stable +Reported-by: kernel test robot +Reviewed-by: Matthew Gerlach +Signed-off-by: Russ Weight +Link: https://lore.kernel.org/r/20220829174557.437047-1-russell.h.weight@intel.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/base/firmware_loader/sysfs_upload.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/base/firmware_loader/sysfs_upload.c ++++ b/drivers/base/firmware_loader/sysfs_upload.c +@@ -377,6 +377,7 @@ void firmware_upload_unregister(struct f + { + struct fw_sysfs *fw_sysfs = fw_upload->priv; + struct fw_upload_priv *fw_upload_priv = fw_sysfs->fw_upload_priv; ++ struct module *module = fw_upload_priv->module; + + mutex_lock(&fw_upload_priv->lock); + if (fw_upload_priv->progress == FW_UPLOAD_PROG_IDLE) { +@@ -392,6 +393,6 @@ void firmware_upload_unregister(struct f + + unregister: + device_unregister(&fw_sysfs->dev); +- module_put(fw_upload_priv->module); ++ module_put(module); + } + EXPORT_SYMBOL_GPL(firmware_upload_unregister); diff --git a/queue-5.19/iio-ad7292-prevent-regulator-double-disable.patch b/queue-5.19/iio-ad7292-prevent-regulator-double-disable.patch new file mode 100644 index 00000000000..0dfe0757754 --- /dev/null +++ b/queue-5.19/iio-ad7292-prevent-regulator-double-disable.patch @@ -0,0 +1,44 @@ +From 22b4277641c6823ec03d5b1cd82628e5e53e75b7 Mon Sep 17 00:00:00 2001 +From: Matti Vaittinen +Date: Fri, 19 Aug 2022 11:51:07 +0300 +Subject: iio: ad7292: Prevent regulator double disable + +From: Matti Vaittinen + +commit 22b4277641c6823ec03d5b1cd82628e5e53e75b7 upstream. + +The ad7292 tries to add an devm_action for disabling a regulator at +device detach using devm_add_action_or_reset(). The +devm_add_action_or_reset() does call the release function should adding +action fail. The driver inspects the value returned by +devm_add_action_or_reset() and manually calls regulator_disable() if +adding the action has failed. This leads to double disable and messes +the enable count for regulator. + +Do not manually call disable if devm_add_action_or_reset() fails. + +Fixes: 506d2e317a0a ("iio: adc: Add driver support for AD7292") +Signed-off-by: Matti Vaittinen +Tested-by: Marcelo Schmitt +Link: https://lore.kernel.org/r/Yv9O+9sxU7gAv3vM@fedora +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/ad7292.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/iio/adc/ad7292.c ++++ b/drivers/iio/adc/ad7292.c +@@ -287,10 +287,8 @@ static int ad7292_probe(struct spi_devic + + ret = devm_add_action_or_reset(&spi->dev, + ad7292_regulator_disable, st); +- if (ret) { +- regulator_disable(st->reg); ++ if (ret) + return ret; +- } + + ret = regulator_get_voltage(st->reg); + if (ret < 0) diff --git a/queue-5.19/iio-adc-mcp3911-correct-microchip-device-addr-property.patch b/queue-5.19/iio-adc-mcp3911-correct-microchip-device-addr-property.patch new file mode 100644 index 00000000000..f2f6dc05398 --- /dev/null +++ b/queue-5.19/iio-adc-mcp3911-correct-microchip-device-addr-property.patch @@ -0,0 +1,40 @@ +From cfbd76d5c9c449739bb74288d982bccf9ff822f4 Mon Sep 17 00:00:00 2001 +From: Marcus Folkesson +Date: Fri, 22 Jul 2022 15:07:19 +0200 +Subject: iio: adc: mcp3911: correct "microchip,device-addr" property + +From: Marcus Folkesson + +commit cfbd76d5c9c449739bb74288d982bccf9ff822f4 upstream. + +Go for the right property name that is documented in the bindings. + +Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911") +Signed-off-by: Marcus Folkesson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220722130726.7627-3-marcus.folkesson@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mcp3911.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iio/adc/mcp3911.c ++++ b/drivers/iio/adc/mcp3911.c +@@ -210,7 +210,14 @@ static int mcp3911_config(struct mcp3911 + u32 configreg; + int ret; + +- device_property_read_u32(dev, "device-addr", &adc->dev_addr); ++ ret = device_property_read_u32(dev, "microchip,device-addr", &adc->dev_addr); ++ ++ /* ++ * Fallback to "device-addr" due to historical mismatch between ++ * dt-bindings and implementation ++ */ ++ if (ret) ++ device_property_read_u32(dev, "device-addr", &adc->dev_addr); + if (adc->dev_addr > 3) { + dev_err(&adc->spi->dev, + "invalid device address (%i). Must be in range 0-3.\n", diff --git a/queue-5.19/iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch b/queue-5.19/iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch new file mode 100644 index 00000000000..b5d2886bbd1 --- /dev/null +++ b/queue-5.19/iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch @@ -0,0 +1,58 @@ +From 9e2238e3ae40d371a1130226e0e740aa1601efa6 Mon Sep 17 00:00:00 2001 +From: Marcus Folkesson +Date: Fri, 22 Jul 2022 15:07:20 +0200 +Subject: iio: adc: mcp3911: use correct formula for AD conversion + +From: Marcus Folkesson + +commit 9e2238e3ae40d371a1130226e0e740aa1601efa6 upstream. + +The ADC conversion is actually not rail-to-rail but with a factor 1.5. +Make use of this factor when calculating actual voltage. + +Fixes: 3a89b289df5d ("iio: adc: add support for mcp3911") +Signed-off-by: Marcus Folkesson +Reviewed-by: Andy Shevchenko +Link: https://lore.kernel.org/r/20220722130726.7627-4-marcus.folkesson@gmail.com +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/adc/mcp3911.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/iio/adc/mcp3911.c ++++ b/drivers/iio/adc/mcp3911.c +@@ -40,8 +40,8 @@ + #define MCP3911_CHANNEL(x) (MCP3911_REG_CHANNEL0 + x * 3) + #define MCP3911_OFFCAL(x) (MCP3911_REG_OFFCAL_CH0 + x * 6) + +-/* Internal voltage reference in uV */ +-#define MCP3911_INT_VREF_UV 1200000 ++/* Internal voltage reference in mV */ ++#define MCP3911_INT_VREF_MV 1200 + + #define MCP3911_REG_READ(reg, id) ((((reg) << 1) | ((id) << 5) | (1 << 0)) & 0xff) + #define MCP3911_REG_WRITE(reg, id) ((((reg) << 1) | ((id) << 5) | (0 << 0)) & 0xff) +@@ -139,11 +139,18 @@ static int mcp3911_read_raw(struct iio_d + + *val = ret / 1000; + } else { +- *val = MCP3911_INT_VREF_UV; ++ *val = MCP3911_INT_VREF_MV; + } + +- *val2 = 24; +- ret = IIO_VAL_FRACTIONAL_LOG2; ++ /* ++ * For 24bit Conversion ++ * Raw = ((Voltage)/(Vref) * 2^23 * Gain * 1.5 ++ * Voltage = Raw * (Vref)/(2^23 * Gain * 1.5) ++ */ ++ ++ /* val2 = (2^23 * 1.5) */ ++ *val2 = 12582912; ++ ret = IIO_VAL_FRACTIONAL; + break; + } + diff --git a/queue-5.19/iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch b/queue-5.19/iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch new file mode 100644 index 00000000000..4aa3029864e --- /dev/null +++ b/queue-5.19/iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch @@ -0,0 +1,43 @@ +From 160905549e663019e26395ed9d66c24ee2cf5187 Mon Sep 17 00:00:00 2001 +From: Christophe JAILLET +Date: Sun, 7 Aug 2022 08:37:43 +0200 +Subject: iio: light: cm3605: Fix an error handling path in cm3605_probe() + +From: Christophe JAILLET + +commit 160905549e663019e26395ed9d66c24ee2cf5187 upstream. + +The commit in Fixes also introduced a new error handling path which should +goto the existing error handling path. +Otherwise some resources leak. + +Fixes: 0d31d91e6145 ("iio: light: cm3605: Make use of the helper function dev_err_probe()") +Signed-off-by: Christophe JAILLET +Link: https://lore.kernel.org/r/0e186de2c125b3e17476ebf9c54eae4a5d66f994.1659854238.git.christophe.jaillet@wanadoo.fr +Cc: +Signed-off-by: Jonathan Cameron +Signed-off-by: Greg Kroah-Hartman +--- + drivers/iio/light/cm3605.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/iio/light/cm3605.c b/drivers/iio/light/cm3605.c +index c721b69d5095..0b30db77f78b 100644 +--- a/drivers/iio/light/cm3605.c ++++ b/drivers/iio/light/cm3605.c +@@ -226,8 +226,10 @@ static int cm3605_probe(struct platform_device *pdev) + } + + irq = platform_get_irq(pdev, 0); +- if (irq < 0) +- return dev_err_probe(dev, irq, "failed to get irq\n"); ++ if (irq < 0) { ++ ret = dev_err_probe(dev, irq, "failed to get irq\n"); ++ goto out_disable_aset; ++ } + + ret = devm_request_threaded_irq(dev, irq, cm3605_prox_irq, + NULL, 0, "cm3605", indio_dev); +-- +2.37.3 + diff --git a/queue-5.19/input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch b/queue-5.19/input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch new file mode 100644 index 00000000000..873ae234ae4 --- /dev/null +++ b/queue-5.19/input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch @@ -0,0 +1,121 @@ +From 98e01215708b6d416345465c09dce2bd4868c67a Mon Sep 17 00:00:00 2001 +From: Tetsuo Handa +Date: Sat, 27 Aug 2022 20:36:27 -0700 +Subject: Input: iforce - wake up after clearing IFORCE_XMIT_RUNNING flag + +From: Tetsuo Handa + +commit 98e01215708b6d416345465c09dce2bd4868c67a upstream. + +syzbot is reporting hung task at __input_unregister_device() [1], for +iforce_close() waiting at wait_event_interruptible() with dev->mutex held +is blocking input_disconnect_device() from __input_unregister_device(). + +It seems that the cause is simply that commit c2b27ef672992a20 ("Input: +iforce - wait for command completion when closing the device") forgot to +call wake_up() after clear_bit(). + +Fix this problem by introducing a helper that calls clear_bit() followed +by wake_up_all(). + +Reported-by: syzbot +Fixes: c2b27ef672992a20 ("Input: iforce - wait for command completion when closing the device") +Tested-by: syzbot +Suggested-by: Fabio M. De Francesco +Co-developed-by: Hillf Danton +Signed-off-by: Hillf Danton +Signed-off-by: Tetsuo Handa +Link: https://lore.kernel.org/r/887021c3-4f13-40ce-c8b9-aa6e09faa3a7@I-love.SAKURA.ne.jp +Cc: stable@vger.kernel.org +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman +--- + drivers/input/joystick/iforce/iforce-serio.c | 6 +++--- + drivers/input/joystick/iforce/iforce-usb.c | 8 ++++---- + drivers/input/joystick/iforce/iforce.h | 6 ++++++ + 3 files changed, 13 insertions(+), 7 deletions(-) + +--- a/drivers/input/joystick/iforce/iforce-serio.c ++++ b/drivers/input/joystick/iforce/iforce-serio.c +@@ -39,7 +39,7 @@ static void iforce_serio_xmit(struct ifo + + again: + if (iforce->xmit.head == iforce->xmit.tail) { +- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); ++ iforce_clear_xmit_and_wake(iforce); + spin_unlock_irqrestore(&iforce->xmit_lock, flags); + return; + } +@@ -64,7 +64,7 @@ again: + if (test_and_clear_bit(IFORCE_XMIT_AGAIN, iforce->xmit_flags)) + goto again; + +- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); ++ iforce_clear_xmit_and_wake(iforce); + + spin_unlock_irqrestore(&iforce->xmit_lock, flags); + } +@@ -169,7 +169,7 @@ static irqreturn_t iforce_serio_irq(stru + iforce_serio->cmd_response_len = iforce_serio->len; + + /* Signal that command is done */ +- wake_up(&iforce->wait); ++ wake_up_all(&iforce->wait); + } else if (likely(iforce->type)) { + iforce_process_packet(iforce, iforce_serio->id, + iforce_serio->data_in, +--- a/drivers/input/joystick/iforce/iforce-usb.c ++++ b/drivers/input/joystick/iforce/iforce-usb.c +@@ -30,7 +30,7 @@ static void __iforce_usb_xmit(struct ifo + spin_lock_irqsave(&iforce->xmit_lock, flags); + + if (iforce->xmit.head == iforce->xmit.tail) { +- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); ++ iforce_clear_xmit_and_wake(iforce); + spin_unlock_irqrestore(&iforce->xmit_lock, flags); + return; + } +@@ -58,9 +58,9 @@ static void __iforce_usb_xmit(struct ifo + XMIT_INC(iforce->xmit.tail, n); + + if ( (n=usb_submit_urb(iforce_usb->out, GFP_ATOMIC)) ) { +- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); + dev_warn(&iforce_usb->intf->dev, + "usb_submit_urb failed %d\n", n); ++ iforce_clear_xmit_and_wake(iforce); + } + + /* The IFORCE_XMIT_RUNNING bit is not cleared here. That's intended. +@@ -175,15 +175,15 @@ static void iforce_usb_out(struct urb *u + struct iforce *iforce = &iforce_usb->iforce; + + if (urb->status) { +- clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); + dev_dbg(&iforce_usb->intf->dev, "urb->status %d, exiting\n", + urb->status); ++ iforce_clear_xmit_and_wake(iforce); + return; + } + + __iforce_usb_xmit(iforce); + +- wake_up(&iforce->wait); ++ wake_up_all(&iforce->wait); + } + + static int iforce_usb_probe(struct usb_interface *intf, +--- a/drivers/input/joystick/iforce/iforce.h ++++ b/drivers/input/joystick/iforce/iforce.h +@@ -119,6 +119,12 @@ static inline int iforce_get_id_packet(s + response_data, response_len); + } + ++static inline void iforce_clear_xmit_and_wake(struct iforce *iforce) ++{ ++ clear_bit(IFORCE_XMIT_RUNNING, iforce->xmit_flags); ++ wake_up_all(&iforce->wait); ++} ++ + /* Public functions */ + /* iforce-main.c */ + int iforce_init_device(struct device *parent, u16 bustype, diff --git a/queue-5.19/landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch b/queue-5.19/landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch new file mode 100644 index 00000000000..c229896fefd --- /dev/null +++ b/queue-5.19/landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch @@ -0,0 +1,415 @@ +From 55e55920bbe3ccf516022c51f5527e7d026b8f1d Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micka=C3=ABl=20Sala=C3=BCn?= +Date: Wed, 31 Aug 2022 22:38:40 +0200 +Subject: landlock: Fix file reparenting without explicit LANDLOCK_ACCESS_FS_REFER +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mickaël Salaün + +commit 55e55920bbe3ccf516022c51f5527e7d026b8f1d upstream. + +This change fixes a mis-handling of the LANDLOCK_ACCESS_FS_REFER right +when multiple rulesets/domains are stacked. The expected behaviour was +that an additional ruleset can only restrict the set of permitted +operations, but in this particular case, it was potentially possible to +re-gain the LANDLOCK_ACCESS_FS_REFER right. + +With the introduction of LANDLOCK_ACCESS_FS_REFER, we added the first +globally denied-by-default access right. Indeed, this lifted an initial +Landlock limitation to rename and link files, which was initially always +denied when the source or the destination were different directories. + +This led to an inconsistent backward compatibility behavior which was +only taken into account if no domain layer were using the new +LANDLOCK_ACCESS_FS_REFER right. However, when restricting a thread with +a new ruleset handling LANDLOCK_ACCESS_FS_REFER, all inherited parent +rulesets/layers not explicitly handling LANDLOCK_ACCESS_FS_REFER would +behave as if they were handling this access right and with all their +rules allowing it. This means that renaming and linking files could +became allowed by these parent layers, but all the other required +accesses must also be granted: all layers must allow file removal or +creation, and renaming and linking operations cannot lead to privilege +escalation according to the Landlock policy. See detailed explanation +in commit b91c3e4ea756 ("landlock: Add support for file reparenting with +LANDLOCK_ACCESS_FS_REFER"). + +To say it another way, this bug may lift the renaming and linking +limitations of the initial Landlock version, and a same ruleset can +enforce different restrictions depending on previous or next enforced +ruleset (i.e. inconsistent behavior). The LANDLOCK_ACCESS_FS_REFER right +cannot give access to data not already allowed, but this doesn't follow +the contract of the first Landlock ABI. This fix puts back the +limitation for sandboxes that didn't opt-in for this additional right. + +For instance, if a first ruleset allows LANDLOCK_ACCESS_FS_MAKE_REG on +/dst and LANDLOCK_ACCESS_FS_REMOVE_FILE on /src, renaming /src/file to +/dst/file is denied. However, without this fix, stacking a new ruleset +which allows LANDLOCK_ACCESS_FS_REFER on / would now permit the +sandboxed thread to rename /src/file to /dst/file . + +This change fixes the (absolute) rule access rights, which now always +forbid LANDLOCK_ACCESS_FS_REFER except when it is explicitly allowed +when creating a rule. + +Making all domain handle LANDLOCK_ACCESS_FS_REFER was an initial +approach but there is two downsides: +* it makes the code more complex because we still want to check that a + rule allowing LANDLOCK_ACCESS_FS_REFER is legitimate according to the + ruleset's handled access rights (i.e. ABI v1 != ABI v2); +* it would not allow to identify if the user created a ruleset + explicitly handling LANDLOCK_ACCESS_FS_REFER or not, which will be an + issue to audit Landlock. + +Instead, this change adds an ACCESS_INITIALLY_DENIED list of +denied-by-default rights, which (only) contains +LANDLOCK_ACCESS_FS_REFER. All domains are treated as if they are also +handling this list, but without modifying their fs_access_masks field. + +A side effect is that the errno code returned by rename(2) or link(2) +*may* be changed from EXDEV to EACCES according to the enforced +restrictions. Indeed, we now have the mechanic to identify if an access +is denied because of a required right (e.g. LANDLOCK_ACCESS_FS_MAKE_REG, +LANDLOCK_ACCESS_FS_REMOVE_FILE) or if it is denied because of missing +LANDLOCK_ACCESS_FS_REFER rights. This may result in different errno +codes than for the initial Landlock version, but this approach is more +consistent and better for rename/link compatibility reasons, and it +wasn't possible before (hence no backport to ABI v1). The +layout1.rename_file test reflects this change. + +Add 4 layout1.refer_denied_by_default* test suites to check that the +behavior of a ruleset not handling LANDLOCK_ACCESS_FS_REFER (ABI v1) is +unchanged even if another layer handles LANDLOCK_ACCESS_FS_REFER (i.e. +ABI v1 precedence). Make sure rule's absolute access rights are correct +by testing with and without a matching path. Add test_rename() and +test_exchange() helpers. + +Extend layout1.inval tests to check that a denied-by-default access +right is not necessarily part of a domain's handled access rights. + +Test coverage for security/landlock is 95.3% of 599 lines according to +gcc/gcov-11. + +Fixes: b91c3e4ea756 ("landlock: Add support for file reparenting with LANDLOCK_ACCESS_FS_REFER") +Reviewed-by: Paul Moore +Reviewed-by: Günther Noack +Link: https://lore.kernel.org/r/20220831203840.1370732-1-mic@digikod.net +Cc: stable@vger.kernel.org +[mic: Constify and slightly simplify test helpers] +Signed-off-by: Mickaël Salaün +Signed-off-by: Greg Kroah-Hartman +--- + security/landlock/fs.c | 48 ++++--- + tools/testing/selftests/landlock/fs_test.c | 155 +++++++++++++++++++-- + 2 files changed, 170 insertions(+), 33 deletions(-) + +diff --git a/security/landlock/fs.c b/security/landlock/fs.c +index ec5a6247cd3e..a9dbd99d9ee7 100644 +--- a/security/landlock/fs.c ++++ b/security/landlock/fs.c +@@ -149,6 +149,16 @@ retry: + LANDLOCK_ACCESS_FS_READ_FILE) + /* clang-format on */ + ++/* ++ * All access rights that are denied by default whether they are handled or not ++ * by a ruleset/layer. This must be ORed with all ruleset->fs_access_masks[] ++ * entries when we need to get the absolute handled access masks. ++ */ ++/* clang-format off */ ++#define ACCESS_INITIALLY_DENIED ( \ ++ LANDLOCK_ACCESS_FS_REFER) ++/* clang-format on */ ++ + /* + * @path: Should have been checked by get_path_from_fd(). + */ +@@ -167,7 +177,9 @@ int landlock_append_fs_rule(struct landlock_ruleset *const ruleset, + return -EINVAL; + + /* Transforms relative access rights to absolute ones. */ +- access_rights |= LANDLOCK_MASK_ACCESS_FS & ~ruleset->fs_access_masks[0]; ++ access_rights |= ++ LANDLOCK_MASK_ACCESS_FS & ++ ~(ruleset->fs_access_masks[0] | ACCESS_INITIALLY_DENIED); + object = get_inode_object(d_backing_inode(path->dentry)); + if (IS_ERR(object)) + return PTR_ERR(object); +@@ -277,23 +289,12 @@ static inline bool is_nouser_or_private(const struct dentry *dentry) + static inline access_mask_t + get_handled_accesses(const struct landlock_ruleset *const domain) + { +- access_mask_t access_dom = 0; +- unsigned long access_bit; +- +- for (access_bit = 0; access_bit < LANDLOCK_NUM_ACCESS_FS; +- access_bit++) { +- size_t layer_level; ++ access_mask_t access_dom = ACCESS_INITIALLY_DENIED; ++ size_t layer_level; + +- for (layer_level = 0; layer_level < domain->num_layers; +- layer_level++) { +- if (domain->fs_access_masks[layer_level] & +- BIT_ULL(access_bit)) { +- access_dom |= BIT_ULL(access_bit); +- break; +- } +- } +- } +- return access_dom; ++ for (layer_level = 0; layer_level < domain->num_layers; layer_level++) ++ access_dom |= domain->fs_access_masks[layer_level]; ++ return access_dom & LANDLOCK_MASK_ACCESS_FS; + } + + static inline access_mask_t +@@ -316,8 +317,13 @@ init_layer_masks(const struct landlock_ruleset *const domain, + + for_each_set_bit(access_bit, &access_req, + ARRAY_SIZE(*layer_masks)) { +- if (domain->fs_access_masks[layer_level] & +- BIT_ULL(access_bit)) { ++ /* ++ * Artificially handles all initially denied by default ++ * access rights. ++ */ ++ if (BIT_ULL(access_bit) & ++ (domain->fs_access_masks[layer_level] | ++ ACCESS_INITIALLY_DENIED)) { + (*layer_masks)[access_bit] |= + BIT_ULL(layer_level); + handled_accesses |= BIT_ULL(access_bit); +@@ -857,10 +863,6 @@ static int current_check_refer_path(struct dentry *const old_dentry, + NULL, NULL); + } + +- /* Backward compatibility: no reparenting support. */ +- if (!(get_handled_accesses(dom) & LANDLOCK_ACCESS_FS_REFER)) +- return -EXDEV; +- + access_request_parent1 |= LANDLOCK_ACCESS_FS_REFER; + access_request_parent2 |= LANDLOCK_ACCESS_FS_REFER; + +diff --git a/tools/testing/selftests/landlock/fs_test.c b/tools/testing/selftests/landlock/fs_test.c +index 21a2ce8fa739..45de42a027c5 100644 +--- a/tools/testing/selftests/landlock/fs_test.c ++++ b/tools/testing/selftests/landlock/fs_test.c +@@ -4,7 +4,7 @@ + * + * Copyright © 2017-2020 Mickaël Salaün + * Copyright © 2020 ANSSI +- * Copyright © 2020-2021 Microsoft Corporation ++ * Copyright © 2020-2022 Microsoft Corporation + */ + + #define _GNU_SOURCE +@@ -371,6 +371,13 @@ TEST_F_FORK(layout1, inval) + ASSERT_EQ(EINVAL, errno); + path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_EXECUTE; + ++ /* Tests with denied-by-default access right. */ ++ path_beneath.allowed_access |= LANDLOCK_ACCESS_FS_REFER; ++ ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, ++ &path_beneath, 0)); ++ ASSERT_EQ(EINVAL, errno); ++ path_beneath.allowed_access &= ~LANDLOCK_ACCESS_FS_REFER; ++ + /* Test with unknown (64-bits) value. */ + path_beneath.allowed_access |= (1ULL << 60); + ASSERT_EQ(-1, landlock_add_rule(ruleset_fd, LANDLOCK_RULE_PATH_BENEATH, +@@ -1826,6 +1833,20 @@ TEST_F_FORK(layout1, link) + ASSERT_EQ(0, link(file1_s1d3, file2_s1d3)); + } + ++static int test_rename(const char *const oldpath, const char *const newpath) ++{ ++ if (rename(oldpath, newpath)) ++ return errno; ++ return 0; ++} ++ ++static int test_exchange(const char *const oldpath, const char *const newpath) ++{ ++ if (renameat2(AT_FDCWD, oldpath, AT_FDCWD, newpath, RENAME_EXCHANGE)) ++ return errno; ++ return 0; ++} ++ + TEST_F_FORK(layout1, rename_file) + { + const struct rule rules[] = { +@@ -1867,10 +1888,10 @@ TEST_F_FORK(layout1, rename_file) + * to a different directory (which allows file removal). + */ + ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); +- ASSERT_EQ(EXDEV, errno); ++ ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, renameat2(AT_FDCWD, file1_s2d1, AT_FDCWD, file1_s1d3, + RENAME_EXCHANGE)); +- ASSERT_EQ(EXDEV, errno); ++ ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, renameat2(AT_FDCWD, dir_s2d2, AT_FDCWD, file1_s1d3, + RENAME_EXCHANGE)); + ASSERT_EQ(EXDEV, errno); +@@ -1894,7 +1915,7 @@ TEST_F_FORK(layout1, rename_file) + ASSERT_EQ(EXDEV, errno); + ASSERT_EQ(0, unlink(file1_s1d3)); + ASSERT_EQ(-1, rename(file1_s2d1, file1_s1d3)); +- ASSERT_EQ(EXDEV, errno); ++ ASSERT_EQ(EACCES, errno); + + /* Exchanges and renames files with same parent. */ + ASSERT_EQ(0, renameat2(AT_FDCWD, file2_s2d3, AT_FDCWD, file1_s2d3, +@@ -2014,6 +2035,115 @@ TEST_F_FORK(layout1, reparent_refer) + ASSERT_EQ(0, rename(dir_s1d3, dir_s2d3)); + } + ++/* Checks renames beneath dir_s1d1. */ ++static void refer_denied_by_default(struct __test_metadata *const _metadata, ++ const struct rule layer1[], ++ const int layer1_err, ++ const struct rule layer2[]) ++{ ++ int ruleset_fd; ++ ++ ASSERT_EQ(0, unlink(file1_s1d2)); ++ ++ ruleset_fd = create_ruleset(_metadata, layer1[0].access, layer1); ++ ASSERT_LE(0, ruleset_fd); ++ enforce_ruleset(_metadata, ruleset_fd); ++ ASSERT_EQ(0, close(ruleset_fd)); ++ ++ /* ++ * If the first layer handles LANDLOCK_ACCESS_FS_REFER (according to ++ * layer1_err), then it allows some different-parent renames and links. ++ */ ++ ASSERT_EQ(layer1_err, test_rename(file1_s1d1, file1_s1d2)); ++ if (layer1_err == 0) ++ ASSERT_EQ(layer1_err, test_rename(file1_s1d2, file1_s1d1)); ++ ASSERT_EQ(layer1_err, test_exchange(file2_s1d1, file2_s1d2)); ++ ASSERT_EQ(layer1_err, test_exchange(file2_s1d2, file2_s1d1)); ++ ++ ruleset_fd = create_ruleset(_metadata, layer2[0].access, layer2); ++ ASSERT_LE(0, ruleset_fd); ++ enforce_ruleset(_metadata, ruleset_fd); ++ ASSERT_EQ(0, close(ruleset_fd)); ++ ++ /* ++ * Now, either the first or the second layer does not handle ++ * LANDLOCK_ACCESS_FS_REFER, which means that any different-parent ++ * renames and links are denied, thus making the layer handling ++ * LANDLOCK_ACCESS_FS_REFER null and void. ++ */ ++ ASSERT_EQ(EXDEV, test_rename(file1_s1d1, file1_s1d2)); ++ ASSERT_EQ(EXDEV, test_exchange(file2_s1d1, file2_s1d2)); ++ ASSERT_EQ(EXDEV, test_exchange(file2_s1d2, file2_s1d1)); ++} ++ ++const struct rule layer_dir_s1d1_refer[] = { ++ { ++ .path = dir_s1d1, ++ .access = LANDLOCK_ACCESS_FS_REFER, ++ }, ++ {}, ++}; ++ ++const struct rule layer_dir_s1d1_execute[] = { ++ { ++ /* Matches a parent directory. */ ++ .path = dir_s1d1, ++ .access = LANDLOCK_ACCESS_FS_EXECUTE, ++ }, ++ {}, ++}; ++ ++const struct rule layer_dir_s2d1_execute[] = { ++ { ++ /* Does not match a parent directory. */ ++ .path = dir_s2d1, ++ .access = LANDLOCK_ACCESS_FS_EXECUTE, ++ }, ++ {}, ++}; ++ ++/* ++ * Tests precedence over renames: denied by default for different parent ++ * directories, *with* a rule matching a parent directory, but not directly ++ * denying access (with MAKE_REG nor REMOVE). ++ */ ++TEST_F_FORK(layout1, refer_denied_by_default1) ++{ ++ refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0, ++ layer_dir_s1d1_execute); ++} ++ ++/* ++ * Same test but this time turning around the ABI version order: the first ++ * layer does not handle LANDLOCK_ACCESS_FS_REFER. ++ */ ++TEST_F_FORK(layout1, refer_denied_by_default2) ++{ ++ refer_denied_by_default(_metadata, layer_dir_s1d1_execute, EXDEV, ++ layer_dir_s1d1_refer); ++} ++ ++/* ++ * Tests precedence over renames: denied by default for different parent ++ * directories, *without* a rule matching a parent directory, but not directly ++ * denying access (with MAKE_REG nor REMOVE). ++ */ ++TEST_F_FORK(layout1, refer_denied_by_default3) ++{ ++ refer_denied_by_default(_metadata, layer_dir_s1d1_refer, 0, ++ layer_dir_s2d1_execute); ++} ++ ++/* ++ * Same test but this time turning around the ABI version order: the first ++ * layer does not handle LANDLOCK_ACCESS_FS_REFER. ++ */ ++TEST_F_FORK(layout1, refer_denied_by_default4) ++{ ++ refer_denied_by_default(_metadata, layer_dir_s2d1_execute, EXDEV, ++ layer_dir_s1d1_refer); ++} ++ + TEST_F_FORK(layout1, reparent_link) + { + const struct rule layer1[] = { +@@ -2336,11 +2466,12 @@ TEST_F_FORK(layout1, reparent_exdev_layers_rename1) + ASSERT_EQ(EXDEV, errno); + + /* +- * However, moving the file2_s1d3 file below dir_s2d3 is allowed +- * because it cannot inherit MAKE_REG nor MAKE_DIR rights (which are +- * dedicated to directories). ++ * Moving the file2_s1d3 file below dir_s2d3 is denied because the ++ * second layer does not handle REFER, which is always denied by ++ * default. + */ +- ASSERT_EQ(0, rename(file2_s1d3, file1_s2d3)); ++ ASSERT_EQ(-1, rename(file2_s1d3, file1_s2d3)); ++ ASSERT_EQ(EXDEV, errno); + } + + TEST_F_FORK(layout1, reparent_exdev_layers_rename2) +@@ -2373,8 +2504,12 @@ TEST_F_FORK(layout1, reparent_exdev_layers_rename2) + ASSERT_EQ(EACCES, errno); + ASSERT_EQ(-1, rename(file1_s1d1, file1_s2d3)); + ASSERT_EQ(EXDEV, errno); +- /* Modify layout! */ +- ASSERT_EQ(0, rename(file2_s1d2, file1_s2d3)); ++ /* ++ * Modifying the layout is now denied because the second layer does not ++ * handle REFER, which is always denied by default. ++ */ ++ ASSERT_EQ(-1, rename(file2_s1d2, file1_s2d3)); ++ ASSERT_EQ(EXDEV, errno); + + /* Without REFER source, EACCES wins over EXDEV. */ + ASSERT_EQ(-1, rename(dir_s1d1, file1_s2d2)); +-- +2.37.3 + diff --git a/queue-5.19/misc-fastrpc-fix-memory-corruption-on-open.patch b/queue-5.19/misc-fastrpc-fix-memory-corruption-on-open.patch new file mode 100644 index 00000000000..c3dc2811c4f --- /dev/null +++ b/queue-5.19/misc-fastrpc-fix-memory-corruption-on-open.patch @@ -0,0 +1,50 @@ +From d245f43aab2b61195d8ebb64cef7b5a08c590ab4 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 29 Aug 2022 10:05:30 +0200 +Subject: misc: fastrpc: fix memory corruption on open + +From: Johan Hovold + +commit d245f43aab2b61195d8ebb64cef7b5a08c590ab4 upstream. + +The probe session-duplication overflow check incremented the session +count also when there were no more available sessions so that memory +beyond the fixed-size slab-allocated session array could be corrupted in +fastrpc_session_alloc() on open(). + +Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") +Cc: stable@vger.kernel.org # 5.1 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220829080531.29681-3-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1948,7 +1948,7 @@ static int fastrpc_cb_probe(struct platf + spin_unlock_irqrestore(&cctx->lock, flags); + return -ENOSPC; + } +- sess = &cctx->session[cctx->sesscount]; ++ sess = &cctx->session[cctx->sesscount++]; + sess->used = false; + sess->valid = true; + sess->dev = dev; +@@ -1961,13 +1961,12 @@ static int fastrpc_cb_probe(struct platf + struct fastrpc_session_ctx *dup_sess; + + for (i = 1; i < sessions; i++) { +- if (cctx->sesscount++ >= FASTRPC_MAX_SESSIONS) ++ if (cctx->sesscount >= FASTRPC_MAX_SESSIONS) + break; +- dup_sess = &cctx->session[cctx->sesscount]; ++ dup_sess = &cctx->session[cctx->sesscount++]; + memcpy(dup_sess, sess, sizeof(*dup_sess)); + } + } +- cctx->sesscount++; + spin_unlock_irqrestore(&cctx->lock, flags); + rc = dma_set_mask(dev, DMA_BIT_MASK(32)); + if (rc) { diff --git a/queue-5.19/misc-fastrpc-fix-memory-corruption-on-probe.patch b/queue-5.19/misc-fastrpc-fix-memory-corruption-on-probe.patch new file mode 100644 index 00000000000..dcc1c401bf4 --- /dev/null +++ b/queue-5.19/misc-fastrpc-fix-memory-corruption-on-probe.patch @@ -0,0 +1,37 @@ +From 9baa1415d9abdd1e08362ea2dcfadfacee8690b5 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 29 Aug 2022 10:05:29 +0200 +Subject: misc: fastrpc: fix memory corruption on probe + +From: Johan Hovold + +commit 9baa1415d9abdd1e08362ea2dcfadfacee8690b5 upstream. + +Add the missing sanity check on the probed-session count to avoid +corrupting memory beyond the fixed-size slab-allocated session array +when there are more than FASTRPC_MAX_SESSIONS sessions defined in the +devicetree. + +Fixes: f6f9279f2bf0 ("misc: fastrpc: Add Qualcomm fastrpc basic driver model") +Cc: stable@vger.kernel.org # 5.1 +Signed-off-by: Johan Hovold +Link: https://lore.kernel.org/r/20220829080531.29681-2-johan+linaro@kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/fastrpc.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/misc/fastrpc.c ++++ b/drivers/misc/fastrpc.c +@@ -1943,6 +1943,11 @@ static int fastrpc_cb_probe(struct platf + of_property_read_u32(dev->of_node, "qcom,nsessions", &sessions); + + spin_lock_irqsave(&cctx->lock, flags); ++ if (cctx->sesscount >= FASTRPC_MAX_SESSIONS) { ++ dev_err(&pdev->dev, "too many sessions\n"); ++ spin_unlock_irqrestore(&cctx->lock, flags); ++ return -ENOSPC; ++ } + sess = &cctx->session[cctx->sesscount]; + sess->used = false; + sess->valid = true; diff --git a/queue-5.19/mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch b/queue-5.19/mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch new file mode 100644 index 00000000000..44fc815cd1c --- /dev/null +++ b/queue-5.19/mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch @@ -0,0 +1,96 @@ +From 63f1560930e4e1c4f6279b8ae715c9841fe1a6d3 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 15 Aug 2022 10:33:21 +0300 +Subject: mmc: core: Fix inconsistent sd3_bus_mode at UHS-I SD voltage switch failure + +From: Adrian Hunter + +commit 63f1560930e4e1c4f6279b8ae715c9841fe1a6d3 upstream. + +If re-initialization results is a different signal voltage, because the +voltage switch failed previously, but not this time (or vice versa), then +sd3_bus_mode will be inconsistent with the card because the SD_SWITCH +command is done only upon first initialization. + +Fix by always reading SD_SWITCH information during re-initialization, which +also means it does not need to be re-read later for the 1.8V fixup +workaround. + +Note, brief testing showed SD_SWITCH took about 1.8ms to 2ms which added +about 1% to 1.5% to the re-initialization time, so it's not particularly +significant. + +Reported-by: Seunghui Lee +Signed-off-by: Adrian Hunter +Reviewed-by: Seunghui Lee +Tested-by: Seunghui Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220815073321.63382-3-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 42 ++++++++++++++++-------------------------- + 1 file changed, 16 insertions(+), 26 deletions(-) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -949,16 +949,17 @@ int mmc_sd_setup_card(struct mmc_host *h + + /* Erase init depends on CSD and SSR */ + mmc_init_erase(card); +- +- /* +- * Fetch switch information from card. +- */ +- err = mmc_read_switch(card); +- if (err) +- return err; + } + + /* ++ * Fetch switch information from card. Note, sd3_bus_mode can change if ++ * voltage switch outcome changes, so do this always. ++ */ ++ err = mmc_read_switch(card); ++ if (err) ++ return err; ++ ++ /* + * For SPI, enable CRC as appropriate. + * This CRC enable is located AFTER the reading of the + * card registers because some SDHC cards are not able +@@ -1480,26 +1481,15 @@ retry: + if (!v18_fixup_failed && !mmc_host_is_spi(host) && mmc_host_uhs(host) && + mmc_sd_card_using_v18(card) && + host->ios.signal_voltage != MMC_SIGNAL_VOLTAGE_180) { +- /* +- * Re-read switch information in case it has changed since +- * oldcard was initialized. +- */ +- if (oldcard) { +- err = mmc_read_switch(card); +- if (err) +- goto free_card; +- } +- if (mmc_sd_card_using_v18(card)) { +- if (mmc_host_set_uhs_voltage(host) || +- mmc_sd_init_uhs_card(card)) { +- v18_fixup_failed = true; +- mmc_power_cycle(host, ocr); +- if (!oldcard) +- mmc_remove_card(card); +- goto retry; +- } +- goto cont; ++ if (mmc_host_set_uhs_voltage(host) || ++ mmc_sd_init_uhs_card(card)) { ++ v18_fixup_failed = true; ++ mmc_power_cycle(host, ocr); ++ if (!oldcard) ++ mmc_remove_card(card); ++ goto retry; + } ++ goto cont; + } + + /* Initialization sequence for UHS-I cards */ diff --git a/queue-5.19/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch b/queue-5.19/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch new file mode 100644 index 00000000000..10a810f854b --- /dev/null +++ b/queue-5.19/mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch @@ -0,0 +1,56 @@ +From 15c56208c79c340686869c31595c209d1431c5e8 Mon Sep 17 00:00:00 2001 +From: Adrian Hunter +Date: Mon, 15 Aug 2022 10:33:20 +0300 +Subject: mmc: core: Fix UHS-I SD 1.8V workaround branch + +From: Adrian Hunter + +commit 15c56208c79c340686869c31595c209d1431c5e8 upstream. + +When introduced, upon success, the 1.8V fixup workaround in +mmc_sd_init_card() would branch to practically the end of the function, to +a label named "done". Unfortunately, perhaps due to the label name, over +time new code has been added that really should have come after "done" not +before it. Let's fix the problem by moving the label to the correct place +and rename it "cont". + +Fixes: 045d705dc1fb ("mmc: core: Enable the MMC host software queue for the SD card") +Signed-off-by: Adrian Hunter +Reviewed-by: Seunghui Lee +Cc: stable@vger.kernel.org +Link: https://lore.kernel.org/r/20220815073321.63382-2-adrian.hunter@intel.com +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/core/sd.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/mmc/core/sd.c ++++ b/drivers/mmc/core/sd.c +@@ -1498,7 +1498,7 @@ retry: + mmc_remove_card(card); + goto retry; + } +- goto done; ++ goto cont; + } + } + +@@ -1534,7 +1534,7 @@ retry: + mmc_set_bus_width(host, MMC_BUS_WIDTH_4); + } + } +- ++cont: + if (!oldcard) { + /* Read/parse the extension registers. */ + err = sd_read_ext_regs(card); +@@ -1566,7 +1566,7 @@ retry: + err = -EINVAL; + goto free_card; + } +-done: ++ + host->card = card; + return 0; + diff --git a/queue-5.19/series b/queue-5.19/series index fcc76792334..85b1e46cf40 100644 --- a/queue-5.19/series +++ b/queue-5.19/series @@ -68,3 +68,17 @@ powerpc-align-syscall-table-for-ppc32.patch powerpc-rtas-fix-rtas-msr-handling-for-cell.patch vt-clear-selection-before-changing-the-font.patch musb-fix-usb_musb_tusb6010-dependency.patch +tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch +input-iforce-wake-up-after-clearing-iforce_xmit_running-flag.patch +iio-light-cm3605-fix-an-error-handling-path-in-cm3605_probe.patch +iio-ad7292-prevent-regulator-double-disable.patch +iio-adc-mcp3911-correct-microchip-device-addr-property.patch +iio-adc-mcp3911-use-correct-formula-for-ad-conversion.patch +misc-fastrpc-fix-memory-corruption-on-probe.patch +misc-fastrpc-fix-memory-corruption-on-open.patch +firmware_loader-fix-use-after-free-during-unregister.patch +firmware_loader-fix-memory-leak-in-firmware-upload.patch +usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch +landlock-fix-file-reparenting-without-explicit-landlock_access_fs_refer.patch +mmc-core-fix-uhs-i-sd-1.8v-workaround-branch.patch +mmc-core-fix-inconsistent-sd3_bus_mode-at-uhs-i-sd-voltage-switch-failure.patch diff --git a/queue-5.19/tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch b/queue-5.19/tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch new file mode 100644 index 00000000000..7473bdd73af --- /dev/null +++ b/queue-5.19/tty-serial-lpuart-disable-flow-control-while-waiting-for-the-transmit-engine-to-complete.patch @@ -0,0 +1,34 @@ +From d5a2e0834364377a5d5a2fff1890a0b3f0bafd1f Mon Sep 17 00:00:00 2001 +From: Sherry Sun +Date: Sun, 21 Aug 2022 18:15:27 +0800 +Subject: tty: serial: lpuart: disable flow control while waiting for the transmit engine to complete + +From: Sherry Sun + +commit d5a2e0834364377a5d5a2fff1890a0b3f0bafd1f upstream. + +When the user initializes the uart port, and waits for the transmit +engine to complete in lpuart32_set_termios(), if the UART TX fifo has +dirty data and the UARTMODIR enable the flow control, the TX fifo may +never be empty. So here we should disable the flow control first to make +sure the transmit engin can complete. + +Fixes: 380c966c093e ("tty: serial: fsl_lpuart: add 32-bit register interface support") +Cc: stable +Signed-off-by: Sherry Sun +Link: https://lore.kernel.org/r/20220821101527.10066-1-sherry.sun@nxp.com +Signed-off-by: Greg Kroah-Hartman +--- + drivers/tty/serial/fsl_lpuart.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/tty/serial/fsl_lpuart.c ++++ b/drivers/tty/serial/fsl_lpuart.c +@@ -2182,6 +2182,7 @@ lpuart32_set_termios(struct uart_port *p + uart_update_timeout(port, termios->c_cflag, baud); + + /* wait transmit engin complete */ ++ lpuart32_write(&sport->port, 0, UARTMODIR); + lpuart32_wait_bit_set(&sport->port, UARTSTAT, UARTSTAT_TC); + + /* disable transmit and receive */ diff --git a/queue-5.19/usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch b/queue-5.19/usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch new file mode 100644 index 00000000000..bce52530d9d --- /dev/null +++ b/queue-5.19/usb-serial-ftdi_sio-add-omron-cs1w-cif31-device-id.patch @@ -0,0 +1,51 @@ +From 001047ea241a9646010b2744451dfbc7289542f3 Mon Sep 17 00:00:00 2001 +From: Niek Nooijens +Date: Mon, 1 Aug 2022 10:39:25 +0200 +Subject: USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id + +From: Niek Nooijens + +commit 001047ea241a9646010b2744451dfbc7289542f3 upstream. + +works perfectly with: +modprobe ftdi_sio +echo "0590 00b2" | tee +/sys/module/ftdi_sio/drivers/usb-serial\:ftdi_sio/new_id > /dev/null + +but doing this every reboot is a pain in the ass. + +Signed-off-by: Niek Nooijens +Cc: stable@vger.kernel.org +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++++ + 2 files changed, 8 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -1045,6 +1045,8 @@ static const struct usb_device_id id_tab + /* IDS GmbH devices */ + { USB_DEVICE(IDS_VID, IDS_SI31A_PID) }, + { USB_DEVICE(IDS_VID, IDS_CM31A_PID) }, ++ /* Omron devices */ ++ { USB_DEVICE(OMRON_VID, OMRON_CS1W_CIF31_PID) }, + /* U-Blox devices */ + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ZED_PID) }, + { USB_DEVICE(UBLOX_VID, UBLOX_C099F9P_ODIN_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -662,6 +662,12 @@ + #define INFINEON_TRIBOARD_TC2X7_PID 0x0043 /* DAS JTAG TriBoard TC2X7 V1.0 */ + + /* ++ * Omron corporation (https://www.omron.com) ++ */ ++ #define OMRON_VID 0x0590 ++ #define OMRON_CS1W_CIF31_PID 0x00b2 ++ ++/* + * Acton Research Corp. + */ + #define ACTON_VID 0x0647 /* Vendor ID */ -- 2.47.3