linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect()
@ 2019-11-22 19:48 Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 02/25] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
                   ` (23 more replies)
  0 siblings, 24 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin, autofs

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 03ad0d703df75c43f78bd72e16124b5b94a95188 ]

if the second call of should_expire() in there ends up
grabbing and returning a new reference to dentry, we need
to drop it before continuing.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/autofs/expire.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/autofs/expire.c b/fs/autofs/expire.c
index 28d9c2b1b3bb3..70e9afe589fbf 100644
--- a/fs/autofs/expire.c
+++ b/fs/autofs/expire.c
@@ -501,9 +501,10 @@ static struct dentry *autofs_expire_indirect(struct super_block *sb,
 		 */
 		how &= ~AUTOFS_EXP_LEAVES;
 		found = should_expire(expired, mnt, timeout, how);
-		if (!found || found != expired)
-			/* Something has changed, continue */
+		if (found != expired) { // something has changed, continue
+			dput(found);
 			goto next;
+		}
 
 		if (expired != dentry)
 			dput(dentry);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 02/25] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 03/25] xfrm: Fix memleak on xfrm state destroy Sasha Levin
                   ` (22 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Sirong Wang, Weihang Li, Jason Gunthorpe, Sasha Levin, linux-rdma

From: Sirong Wang <wangsirong@huawei.com>

[ Upstream commit 531eb45b3da4267fc2a64233ba256c8ffb02edd2 ]

Size of pointer to buf field of struct hns_roce_hem_chunk should be
considered when calculating HNS_ROCE_HEM_CHUNK_LEN, or sg table size will
be larger than expected when allocating hem.

Fixes: 9a4435375cd1 ("IB/hns: Add driver files for hns RoCE driver")
Link: https://lore.kernel.org/r/1572575610-52530-2-git-send-email-liweihang@hisilicon.com
Signed-off-by: Sirong Wang <wangsirong@huawei.com>
Signed-off-by: Weihang Li <liweihang@hisilicon.com>
Signed-off-by: Jason Gunthorpe <jgg@mellanox.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/hns/hns_roce_hem.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/infiniband/hw/hns/hns_roce_hem.h b/drivers/infiniband/hw/hns/hns_roce_hem.h
index e8850d59e7804..a94444db3045a 100644
--- a/drivers/infiniband/hw/hns/hns_roce_hem.h
+++ b/drivers/infiniband/hw/hns/hns_roce_hem.h
@@ -54,7 +54,7 @@ enum {
 
 #define HNS_ROCE_HEM_CHUNK_LEN	\
 	 ((256 - sizeof(struct list_head) - 2 * sizeof(int)) /	 \
-	 (sizeof(struct scatterlist)))
+	 (sizeof(struct scatterlist) + sizeof(void *)))
 
 #define check_whether_bt_num_3(type, hop_num) \
 	(type < HEM_TYPE_MTT && hop_num == 2)
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 03/25] xfrm: Fix memleak on xfrm state destroy
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 02/25] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 04/25] iwlwifi: pcie: don't consider IV len in A-MSDU Sasha Levin
                   ` (21 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Steffen Klassert, JD, Paul Wouters, Sasha Levin, netdev

From: Steffen Klassert <steffen.klassert@secunet.com>

[ Upstream commit 86c6739eda7d2a03f2db30cbee67a5fb81afa8ba ]

We leak the page that we use to create skb page fragments
when destroying the xfrm_state. Fix this by dropping a
page reference if a page was assigned to the xfrm_state.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: JD <jdtxs00@gmail.com>
Reported-by: Paul Wouters <paul@nohats.ca>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_state.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/xfrm/xfrm_state.c b/net/xfrm/xfrm_state.c
index 11e09eb138d60..47a8ff972a2bf 100644
--- a/net/xfrm/xfrm_state.c
+++ b/net/xfrm/xfrm_state.c
@@ -456,6 +456,8 @@ static void ___xfrm_state_destroy(struct xfrm_state *x)
 		x->type->destructor(x);
 		xfrm_put_type(x->type);
 	}
+	if (x->xfrag.page)
+		put_page(x->xfrag.page);
 	xfrm_dev_state_free(x);
 	security_xfrm_state_free(x);
 	xfrm_state_free(x);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 04/25] iwlwifi: pcie: don't consider IV len in A-MSDU
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 02/25] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 03/25] xfrm: Fix memleak on xfrm state destroy Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 05/25] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
                   ` (20 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Mordechay Goodstein, Luca Coelho, Kalle Valo, Sasha Levin,
	linux-wireless, netdev

From: Mordechay Goodstein <mordechay.goodstein@intel.com>

[ Upstream commit cb1a4badf59275eb7221dcec621e8154917eabd1 ]

From gen2 PN is totally offloaded to hardware (also the space for the
IV isn't part of the skb).  As you can see in mvm/mac80211.c:3545, the
MAC for cipher types CCMP/GCMP doesn't set
IEEE80211_KEY_FLAG_PUT_IV_SPACE for gen2 NICs.

This causes all the AMSDU data to be corrupted with cipher enabled.

Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../net/wireless/intel/iwlwifi/pcie/tx-gen2.c | 20 +++++++------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
index b99f33ff91230..98f4507799be7 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/tx-gen2.c
@@ -242,27 +242,23 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	struct ieee80211_hdr *hdr = (void *)skb->data;
 	unsigned int snap_ip_tcp_hdrlen, ip_hdrlen, total_len, hdr_room;
 	unsigned int mss = skb_shinfo(skb)->gso_size;
-	u16 length, iv_len, amsdu_pad;
+	u16 length, amsdu_pad;
 	u8 *start_hdr;
 	struct iwl_tso_hdr_page *hdr_page;
 	struct page **page_ptr;
 	struct tso_t tso;
 
-	/* if the packet is protected, then it must be CCMP or GCMP */
-	iv_len = ieee80211_has_protected(hdr->frame_control) ?
-		IEEE80211_CCMP_HDR_LEN : 0;
-
 	trace_iwlwifi_dev_tx(trans->dev, skb, tfd, sizeof(*tfd),
 			     &dev_cmd->hdr, start_len, 0);
 
 	ip_hdrlen = skb_transport_header(skb) - skb_network_header(skb);
 	snap_ip_tcp_hdrlen = 8 + ip_hdrlen + tcp_hdrlen(skb);
-	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len - iv_len;
+	total_len = skb->len - snap_ip_tcp_hdrlen - hdr_len;
 	amsdu_pad = 0;
 
 	/* total amount of header we may need for this A-MSDU */
 	hdr_room = DIV_ROUND_UP(total_len, mss) *
-		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr)) + iv_len;
+		(3 + snap_ip_tcp_hdrlen + sizeof(struct ethhdr));
 
 	/* Our device supports 9 segments at most, it will fit in 1 page */
 	hdr_page = get_page_hdr(trans, hdr_room);
@@ -273,14 +269,12 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 	start_hdr = hdr_page->pos;
 	page_ptr = (void *)((u8 *)skb->cb + trans_pcie->page_offs);
 	*page_ptr = hdr_page->page;
-	memcpy(hdr_page->pos, skb->data + hdr_len, iv_len);
-	hdr_page->pos += iv_len;
 
 	/*
-	 * Pull the ieee80211 header + IV to be able to use TSO core,
+	 * Pull the ieee80211 header to be able to use TSO core,
 	 * we will restore it for the tx_status flow.
 	 */
-	skb_pull(skb, hdr_len + iv_len);
+	skb_pull(skb, hdr_len);
 
 	/*
 	 * Remove the length of all the headers that we don't actually
@@ -355,8 +349,8 @@ static int iwl_pcie_gen2_build_amsdu(struct iwl_trans *trans,
 		}
 	}
 
-	/* re -add the WiFi header and IV */
-	skb_push(skb, hdr_len + iv_len);
+	/* re -add the WiFi header */
+	skb_push(skb, hdr_len);
 
 	return 0;
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 05/25] exportfs_decode_fh(): negative pinned may become positive without the parent locked
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (2 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 04/25] iwlwifi: pcie: don't consider IV len in A-MSDU Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 06/25] audit_get_nd(): don't unlock parent too early Sasha Levin
                   ` (19 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit a2ece088882666e1dc7113744ac912eb161e3f87 ]

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/exportfs/expfs.c | 31 +++++++++++++++++++------------
 1 file changed, 19 insertions(+), 12 deletions(-)

diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
index 63707abcbeb3e..808cae6d5f50f 100644
--- a/fs/exportfs/expfs.c
+++ b/fs/exportfs/expfs.c
@@ -517,26 +517,33 @@ struct dentry *exportfs_decode_fh(struct vfsmount *mnt, struct fid *fid,
 		 * inode is actually connected to the parent.
 		 */
 		err = exportfs_get_name(mnt, target_dir, nbuf, result);
-		if (!err) {
-			inode_lock(target_dir->d_inode);
-			nresult = lookup_one_len(nbuf, target_dir,
-						 strlen(nbuf));
-			inode_unlock(target_dir->d_inode);
-			if (!IS_ERR(nresult)) {
-				if (nresult->d_inode) {
-					dput(result);
-					result = nresult;
-				} else
-					dput(nresult);
-			}
+		if (err) {
+			dput(target_dir);
+			goto err_result;
 		}
 
+		inode_lock(target_dir->d_inode);
+		nresult = lookup_one_len(nbuf, target_dir, strlen(nbuf));
+		if (!IS_ERR(nresult)) {
+			if (unlikely(nresult->d_inode != result->d_inode)) {
+				dput(nresult);
+				nresult = ERR_PTR(-ESTALE);
+			}
+		}
+		inode_unlock(target_dir->d_inode);
 		/*
 		 * At this point we are done with the parent, but it's pinned
 		 * by the child dentry anyway.
 		 */
 		dput(target_dir);
 
+		if (IS_ERR(nresult)) {
+			err = PTR_ERR(nresult);
+			goto err_result;
+		}
+		dput(result);
+		result = nresult;
+
 		/*
 		 * And finally make sure the dentry is actually acceptable
 		 * to NFSD.
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 06/25] audit_get_nd(): don't unlock parent too early
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (3 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 05/25] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 07/25] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
                   ` (18 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Al Viro, Sasha Levin, linux-audit

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 69924b89687a2923e88cc42144aea27868913d0e ]

if the child has been negative and just went positive
under us, we want coherent d_is_positive() and ->d_inode.
Don't unlock the parent until we'd done that work...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/audit_watch.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/audit_watch.c b/kernel/audit_watch.c
index 787c7afdf8294..4f7262eba73d8 100644
--- a/kernel/audit_watch.c
+++ b/kernel/audit_watch.c
@@ -366,12 +366,12 @@ static int audit_get_nd(struct audit_watch *watch, struct path *parent)
 	struct dentry *d = kern_path_locked(watch->path, parent);
 	if (IS_ERR(d))
 		return PTR_ERR(d);
-	inode_unlock(d_backing_inode(parent->dentry));
 	if (d_is_positive(d)) {
 		/* update watch filter fields */
 		watch->dev = d->d_sb->s_dev;
 		watch->ino = d_backing_inode(d)->i_ino;
 	}
+	inode_unlock(d_backing_inode(parent->dentry));
 	dput(d);
 	return 0;
 }
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 07/25] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (4 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 06/25] audit_get_nd(): don't unlock parent too early Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 08/25] xfrm: release device reference for invalid state Sasha Levin
                   ` (17 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Stephan Gerhold, Andy Shevchenko, David S . Miller, Sasha Levin,
	linux-nfc, netdev

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit a71a29f50de1ef97ab55c151a1598eb12dde379d ]

I2C communication errors (-EREMOTEIO) during the IRQ handler of nxp-nci
result in a NULL pointer dereference at the moment:

    BUG: kernel NULL pointer dereference, address: 0000000000000000
    Oops: 0002 [#1] PREEMPT SMP NOPTI
    CPU: 1 PID: 355 Comm: irq/137-nxp-nci Not tainted 5.4.0-rc6 #1
    RIP: 0010:skb_queue_tail+0x25/0x50
    Call Trace:
     nci_recv_frame+0x36/0x90 [nci]
     nxp_nci_i2c_irq_thread_fn+0xd1/0x285 [nxp_nci_i2c]
     ? preempt_count_add+0x68/0xa0
     ? irq_forced_thread_fn+0x80/0x80
     irq_thread_fn+0x20/0x60
     irq_thread+0xee/0x180
     ? wake_threads_waitq+0x30/0x30
     kthread+0xfb/0x130
     ? irq_thread_check_affinity+0xd0/0xd0
     ? kthread_park+0x90/0x90
     ret_from_fork+0x1f/0x40

Afterward the kernel must be rebooted to work properly again.

This happens because it attempts to call nci_recv_frame() with skb == NULL.
However, unlike nxp_nci_fw_recv_frame(), nci_recv_frame() does not have any
NULL checks for skb, causing the NULL pointer dereference.

Change the code to call only nxp_nci_fw_recv_frame() in case of an error.
Make sure to log it so it is obvious that a communication error occurred.
The error above then becomes:

    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121
    nci: __nci_request: wait_for_completion_interruptible_timeout failed 0
    nxp-nci_i2c i2c-NXP1001:00: NFC: Read failed with error -121

Fixes: 6be88670fc59 ("NFC: nxp-nci_i2c: Add I2C support to NXP NCI driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/nfc/nxp-nci/i2c.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/nfc/nxp-nci/i2c.c b/drivers/nfc/nxp-nci/i2c.c
index ba695e392c3b7..0df745cad601a 100644
--- a/drivers/nfc/nxp-nci/i2c.c
+++ b/drivers/nfc/nxp-nci/i2c.c
@@ -236,8 +236,10 @@ static irqreturn_t nxp_nci_i2c_irq_thread_fn(int irq, void *phy_id)
 
 	if (r == -EREMOTEIO) {
 		phy->hard_fault = r;
-		skb = NULL;
-	} else if (r < 0) {
+		if (info->mode == NXP_NCI_MODE_FW)
+			nxp_nci_fw_recv_frame(phy->ndev, NULL);
+	}
+	if (r < 0) {
 		nfc_err(&client->dev, "Read failed with error %d\n", r);
 		goto exit_irq_handled;
 	}
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 08/25] xfrm: release device reference for invalid state
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (5 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 07/25] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 09/25] Input: cyttsp4_core - fix use after free bug Sasha Levin
                   ` (16 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Xiaodong Xu, Bo Chen, Steffen Klassert, Sasha Levin, netdev

From: Xiaodong Xu <stid.smth@gmail.com>

[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]

An ESP packet could be decrypted in async mode if the input handler for
this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
reference in skb is held. Later xfrm_input() will be invoked again to
resume the processing.
If the transform state is still valid it would continue to release the
device reference and there won't be a problem; however if the transform
state is not valid when async resumption happens, the packet will be
dropped while the device reference is still being held.
When the device is deleted for some reason and the reference to this
device is not properly released, the kernel will keep logging like:

unregister_netdevice: waiting for ppp2 to become free. Usage count = 1

The issue is observed when running IPsec traffic over a PPPoE device based
on a bridge interface. By terminating the PPPoE connection on the server
end for multiple times, the PPPoE device on the client side will eventually
get stuck on the above warning message.

This patch will check the async mode first and continue to release device
reference in async resumption, before it is dropped due to invalid state.

v2: Do not assign address family from outer_mode in the transform if the
state is invalid

v3: Release device reference in the error path instead of jumping to resume

Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
Reported-by: Bo Chen <chenborfc@163.com>
Tested-by: Bo Chen <chenborfc@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_input.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
index 790b514f86b62..b0b1294daef17 100644
--- a/net/xfrm/xfrm_input.c
+++ b/net/xfrm/xfrm_input.c
@@ -246,6 +246,9 @@ int xfrm_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
 			else
 				XFRM_INC_STATS(net,
 					       LINUX_MIB_XFRMINSTATEINVALID);
+
+			if (encap_type == -1)
+				dev_put(skb->dev);
 			goto drop;
 		}
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 09/25] Input: cyttsp4_core - fix use after free bug
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (6 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 08/25] xfrm: release device reference for invalid state Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 10/25] sched/core: Avoid spurious lock dependencies Sasha Levin
                   ` (15 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Pan Bian, Dmitry Torokhov, Sasha Levin, linux-input

From: Pan Bian <bianpan2016@163.com>

[ Upstream commit 79aae6acbef16f720a7949f8fc6ac69816c79d62 ]

The device md->input is used after it is released. Setting the device
data to NULL is unnecessary as the device is never used again. Instead,
md->input should be assigned NULL to avoid accessing the freed memory
accidently. Besides, checking md->si against NULL is superfluous as it
points to a variable address, which cannot be NULL.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Link: https://lore.kernel.org/r/1572936379-6423-1-git-send-email-bianpan2016@163.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/touchscreen/cyttsp4_core.c | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/drivers/input/touchscreen/cyttsp4_core.c b/drivers/input/touchscreen/cyttsp4_core.c
index 727c3232517cd..c84ee739a8d50 100644
--- a/drivers/input/touchscreen/cyttsp4_core.c
+++ b/drivers/input/touchscreen/cyttsp4_core.c
@@ -2000,11 +2000,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
 
 	/* get sysinfo */
 	md->si = &cd->sysinfo;
-	if (!md->si) {
-		dev_err(dev, "%s: Fail get sysinfo pointer from core p=%p\n",
-			__func__, md->si);
-		goto error_get_sysinfo;
-	}
 
 	rc = cyttsp4_setup_input_device(cd);
 	if (rc)
@@ -2014,8 +2009,6 @@ static int cyttsp4_mt_probe(struct cyttsp4 *cd)
 
 error_init_input:
 	input_free_device(md->input);
-error_get_sysinfo:
-	input_set_drvdata(md->input, NULL);
 error_alloc_failed:
 	dev_err(dev, "%s failed.\n", __func__);
 	return rc;
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 10/25] sched/core: Avoid spurious lock dependencies
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (7 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 09/25] Input: cyttsp4_core - fix use after free bug Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 11/25] perf/core: Consistently fail fork on allocation failures Sasha Levin
                   ` (14 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Peter Zijlstra, Linus Torvalds, Qian Cai, Thomas Gleixner, akpm,
	bigeasy, cl, keescook, penberg, rientjes, thgarnie, tytso, will,
	Ingo Molnar, Sasha Levin

From: Peter Zijlstra <peterz@infradead.org>

[ Upstream commit ff51ff84d82aea5a889b85f2b9fb3aa2b8691668 ]

While seemingly harmless, __sched_fork() does hrtimer_init(), which,
when DEBUG_OBJETS, can end up doing allocations.

This then results in the following lock order:

  rq->lock
    zone->lock.rlock
      batched_entropy_u64.lock

Which in turn causes deadlocks when we do wakeups while holding that
batched_entropy lock -- as the random code does.

Solve this by moving __sched_fork() out from under rq->lock. This is
safe because nothing there relies on rq->lock, as also evident from the
other __sched_fork() callsite.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Qian Cai <cai@lca.pw>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: akpm@linux-foundation.org
Cc: bigeasy@linutronix.de
Cc: cl@linux.com
Cc: keescook@chromium.org
Cc: penberg@kernel.org
Cc: rientjes@google.com
Cc: thgarnie@google.com
Cc: tytso@mit.edu
Cc: will@kernel.org
Fixes: b7d5dc21072c ("random: add a spinlock_t to struct batched_entropy")
Link: https://lkml.kernel.org/r/20191001091837.GK4536@hirez.programming.kicks-ass.net
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/sched/core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/sched/core.c b/kernel/sched/core.c
index 78ecdfae25b69..2befd2c4ce9e6 100644
--- a/kernel/sched/core.c
+++ b/kernel/sched/core.c
@@ -5413,10 +5413,11 @@ void init_idle(struct task_struct *idle, int cpu)
 	struct rq *rq = cpu_rq(cpu);
 	unsigned long flags;
 
+	__sched_fork(0, idle);
+
 	raw_spin_lock_irqsave(&idle->pi_lock, flags);
 	raw_spin_lock(&rq->lock);
 
-	__sched_fork(0, idle);
 	idle->state = TASK_RUNNING;
 	idle->se.exec_start = sched_clock();
 	idle->flags |= PF_IDLE;
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 11/25] perf/core: Consistently fail fork on allocation failures
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (8 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 10/25] sched/core: Avoid spurious lock dependencies Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 12/25] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
                   ` (13 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Alexander Shishkin, Peter Zijlstra, Arnaldo Carvalho de Melo,
	David Ahern, Jiri Olsa, Jiri Olsa, Linus Torvalds, Mark Rutland,
	Namhyung Kim, Stephane Eranian, Thomas Gleixner, Vince Weaver,
	Ingo Molnar, Sasha Levin

From: Alexander Shishkin <alexander.shishkin@linux.intel.com>

[ Upstream commit 697d877849d4b34ab58d7078d6930bad0ef6fc66 ]

Commit:

  313ccb9615948 ("perf: Allocate context task_ctx_data for child event")

makes the inherit path skip over the current event in case of task_ctx_data
allocation failure. This, however, is inconsistent with allocation failures
in perf_event_alloc(), which would abort the fork.

Correct this by returning an error code on task_ctx_data allocation
failure and failing the fork in that case.

Signed-off-by: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: David Ahern <dsahern@gmail.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Stephane Eranian <eranian@google.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Link: https://lkml.kernel.org/r/20191105075702.60319-1-alexander.shishkin@linux.intel.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/events/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/events/core.c b/kernel/events/core.c
index 625ba462e5bbd..460d5fd3ec4e4 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11377,7 +11377,7 @@ inherit_event(struct perf_event *parent_event,
 						   GFP_KERNEL);
 		if (!child_ctx->task_ctx_data) {
 			free_event(child_event);
-			return NULL;
+			return ERR_PTR(-ENOMEM);
 		}
 	}
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 12/25] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (9 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 11/25] perf/core: Consistently fail fork on allocation failures Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 13/25] drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 Sasha Levin
                   ` (12 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: paulhsia, Takashi Iwai, Sasha Levin, alsa-devel

From: paulhsia <paulhsia@chromium.org>

[ Upstream commit f5cdc9d4003a2f66ea57b3edd3e04acc2b1a4439 ]

If the nullity check for `substream->runtime` is outside of the lock
region, it is possible to have a null runtime in the critical section
if snd_pcm_detach_substream is called right before the lock.

Signed-off-by: paulhsia <paulhsia@chromium.org>
Link: https://lore.kernel.org/r/20191112171715.128727-2-paulhsia@chromium.org
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/core/pcm_lib.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sound/core/pcm_lib.c b/sound/core/pcm_lib.c
index 4e6110d778bd2..ad52126d3d22e 100644
--- a/sound/core/pcm_lib.c
+++ b/sound/core/pcm_lib.c
@@ -1797,11 +1797,14 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
 	struct snd_pcm_runtime *runtime;
 	unsigned long flags;
 
-	if (PCM_RUNTIME_CHECK(substream))
+	if (snd_BUG_ON(!substream))
 		return;
-	runtime = substream->runtime;
 
 	snd_pcm_stream_lock_irqsave(substream, flags);
+	if (PCM_RUNTIME_CHECK(substream))
+		goto _unlock;
+	runtime = substream->runtime;
+
 	if (!snd_pcm_running(substream) ||
 	    snd_pcm_update_hw_ptr0(substream, 1) < 0)
 		goto _end;
@@ -1812,6 +1815,7 @@ void snd_pcm_period_elapsed(struct snd_pcm_substream *substream)
 #endif
  _end:
 	kill_fasync(&runtime->fasync, SIGIO, POLL_IN);
+ _unlock:
 	snd_pcm_stream_unlock_irqrestore(substream, flags);
 }
 EXPORT_SYMBOL(snd_pcm_period_elapsed);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 13/25] drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (10 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 12/25] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 14/25] selftests: kvm: fix build with glibc >= 2.30 Sasha Levin
                   ` (11 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Yunhao Tian, Maxime Ripard, Sasha Levin, dri-devel, linux-arm-kernel

From: Yunhao Tian <t123yh@outlook.com>

[ Upstream commit 0b8e7bbde5e7e2c419567e1ee29587dae3b78ee3 ]

The datasheet of V3s (and various other chips) wrote
that TCON0_DCLK_DIV can be >= 1 if only dclk is used,
and must >= 6 if dclk1 or dclk2 is used. As currently
neither dclk1 nor dclk2 is used (no writes to these
bits), let's set minimal division to 1.

If this minimal division is 6, some common dot clock
frequencies can't be produced (e.g. 30MHz will not be
possible and will fallback to 25MHz), which is
obviously not an expected behaviour.

Signed-off-by: Yunhao Tian <t123yh@outlook.com>
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Link: https://lore.kernel.org/linux-arm-kernel/MN2PR08MB57905AD8A00C08DA219377C989760@MN2PR08MB5790.namprd08.prod.outlook.com/
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/sun4i/sun4i_tcon.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/sun4i/sun4i_tcon.c b/drivers/gpu/drm/sun4i/sun4i_tcon.c
index 8c31c9ab06f8b..fda1ae12069a7 100644
--- a/drivers/gpu/drm/sun4i/sun4i_tcon.c
+++ b/drivers/gpu/drm/sun4i/sun4i_tcon.c
@@ -423,7 +423,7 @@ static void sun4i_tcon0_mode_set_rgb(struct sun4i_tcon *tcon,
 
 	WARN_ON(!tcon->quirks->has_channel_0);
 
-	tcon->dclk_min_div = 6;
+	tcon->dclk_min_div = 1;
 	tcon->dclk_max_div = 127;
 	sun4i_tcon0_mode_set_common(tcon, mode);
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 14/25] selftests: kvm: fix build with glibc >= 2.30
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (11 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 13/25] drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 15/25] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules Sasha Levin
                   ` (10 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Vitaly Kuznetsov, Paolo Bonzini, Sasha Levin, kvm, linux-kselftest

From: Vitaly Kuznetsov <vkuznets@redhat.com>

[ Upstream commit e37f9f139f62deddff90c7298ae3a85026a71067 ]

Glibc-2.30 gained gettid() wrapper, selftests fail to compile:

lib/assert.c:58:14: error: static declaration of ‘gettid’ follows non-static declaration
   58 | static pid_t gettid(void)
      |              ^~~~~~
In file included from /usr/include/unistd.h:1170,
                 from include/test_util.h:18,
                 from lib/assert.c:10:
/usr/include/bits/unistd_ext.h:34:16: note: previous declaration of ‘gettid’ was here
   34 | extern __pid_t gettid (void) __THROW;
      |                ^~~~~~

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/kvm/lib/assert.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/testing/selftests/kvm/lib/assert.c b/tools/testing/selftests/kvm/lib/assert.c
index cd01144d27c8d..d306677065699 100644
--- a/tools/testing/selftests/kvm/lib/assert.c
+++ b/tools/testing/selftests/kvm/lib/assert.c
@@ -56,7 +56,7 @@ static void test_dump_stack(void)
 #pragma GCC diagnostic pop
 }
 
-static pid_t gettid(void)
+static pid_t _gettid(void)
 {
 	return syscall(SYS_gettid);
 }
@@ -73,7 +73,7 @@ test_assert(bool exp, const char *exp_str,
 		fprintf(stderr, "==== Test Assertion Failure ====\n"
 			"  %s:%u: %s\n"
 			"  pid=%d tid=%d - %s\n",
-			file, line, exp_str, getpid(), gettid(),
+			file, line, exp_str, getpid(), _gettid(),
 			strerror(errno));
 		test_dump_stack();
 		if (fmt) {
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 15/25] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (12 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 14/25] selftests: kvm: fix build with glibc >= 2.30 Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 16/25] slip: Fix memory leak in slip_open error path Sasha Levin
                   ` (9 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Aleksander Morgado, Bjørn Mork, David S . Miller,
	Sasha Levin, netdev, linux-usb

From: Aleksander Morgado <aleksander@aleksander.es>

[ Upstream commit 802753cb0b141cf5170ab97fe7e79f5ca10d06b0 ]

These are the Foxconn-branded variants of the Dell DW5821e modules,
same USB layout as those.

The QMI interface is exposed in USB configuration #1:

P:  Vendor=0489 ProdID=e0b4 Rev=03.18
S:  Manufacturer=FII
S:  Product=T77W968 LTE
S:  SerialNumber=0123456789ABCDEF
C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
I:  If#=0x1 Alt= 0 #EPs= 1 Cls=03(HID  ) Sub=00 Prot=00 Driver=usbhid
I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
I:  If#=0x5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option

Signed-off-by: Aleksander Morgado <aleksander@aleksander.es>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/qmi_wwan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/usb/qmi_wwan.c b/drivers/net/usb/qmi_wwan.c
index 9f037c50054df..b55fd76348f9f 100644
--- a/drivers/net/usb/qmi_wwan.c
+++ b/drivers/net/usb/qmi_wwan.c
@@ -1306,6 +1306,8 @@ static const struct usb_device_id products[] = {
 	{QMI_QUIRK_SET_DTR(0x2c7c, 0x0191, 4)},	/* Quectel EG91 */
 	{QMI_FIXED_INTF(0x2c7c, 0x0296, 4)},	/* Quectel BG96 */
 	{QMI_QUIRK_SET_DTR(0x2cb7, 0x0104, 4)},	/* Fibocom NL678 series */
+	{QMI_FIXED_INTF(0x0489, 0xe0b4, 0)},	/* Foxconn T77W968 LTE */
+	{QMI_FIXED_INTF(0x0489, 0xe0b5, 0)},	/* Foxconn T77W968 LTE with eSIM support*/
 
 	/* 4. Gobi 1000 devices */
 	{QMI_GOBI1K_DEVICE(0x05c6, 0x9212)},	/* Acer Gobi Modem Device */
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 16/25] slip: Fix memory leak in slip_open error path
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (13 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 15/25] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 17/25] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
                   ` (8 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jouni Hogander, David S. Miller, Oliver Hartkopp, Lukas Bulwahn,
	Sasha Levin, netdev

From: Jouni Hogander <jouni.hogander@unikie.com>

[ Upstream commit 3b5a39979dafea9d0cd69c7ae06088f7a84cdafa ]

Driver/net/can/slcan.c is derived from slip.c. Memory leak was detected
by Syzkaller in slcan. Same issue exists in slip.c and this patch is
addressing the leak in slip.c.

Here is the slcan memory leak trace reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<000000008ea75434>] 0xfffffffffffffff

Cc: "David S. Miller" <davem@davemloft.net>
Cc: Oliver Hartkopp <socketcan@hartkopp.net>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/slip/slip.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/slip/slip.c b/drivers/net/slip/slip.c
index b008266e91eab..a5874059da9d8 100644
--- a/drivers/net/slip/slip.c
+++ b/drivers/net/slip/slip.c
@@ -855,6 +855,7 @@ static int slip_open(struct tty_struct *tty)
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	free_netdev(sl->dev);
 
 err_exit:
 	rtnl_unlock();
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 17/25] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (14 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 16/25] slip: Fix memory leak in slip_open error path Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 18/25] slcan: Fix memory leak in error path Sasha Levin
                   ` (7 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Dan Carpenter, David S . Miller, Sasha Levin, linux-usb, netdev

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit a56dcc6b455830776899ce3686735f1172e12243 ]

This code is supposed to test for negative error codes and partial
reads, but because sizeof() is size_t (unsigned) type then negative
error codes are type promoted to high positive values and the condition
doesn't work as expected.

Fixes: 332f989a3b00 ("CDC-NCM: handle incomplete transfer of MTU")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/cdc_ncm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c
index a57d82ef0f810..1f57a6a2b8a25 100644
--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -579,7 +579,7 @@ static void cdc_ncm_set_dgram_size(struct usbnet *dev, int new_size)
 	err = usbnet_read_cmd(dev, USB_CDC_GET_MAX_DATAGRAM_SIZE,
 			      USB_TYPE_CLASS | USB_DIR_IN | USB_RECIP_INTERFACE,
 			      0, iface_no, &max_datagram_size, sizeof(max_datagram_size));
-	if (err < sizeof(max_datagram_size)) {
+	if (err != sizeof(max_datagram_size)) {
 		dev_dbg(&dev->intf->dev, "GET_MAX_DATAGRAM_SIZE failed\n");
 		goto out;
 	}
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 18/25] slcan: Fix memory leak in error path
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (15 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 17/25] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 19/25] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
                   ` (6 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Jouni Hogander, Wolfgang Grandegger, Marc Kleine-Budde,
	Lukas Bulwahn, Sasha Levin, linux-can, netdev

From: Jouni Hogander <jouni.hogander@unikie.com>

[ Upstream commit ed50e1600b4483c049ce76e6bd3b665a6a9300ed ]

This patch is fixing memory leak reported by Syzkaller:

BUG: memory leak unreferenced object 0xffff888067f65500 (size 4096):
  comm "syz-executor043", pid 454, jiffies 4294759719 (age 11.930s)
  hex dump (first 32 bytes):
    73 6c 63 61 6e 30 00 00 00 00 00 00 00 00 00 00 slcan0..........
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
  backtrace:
    [<00000000a06eec0d>] __kmalloc+0x18b/0x2c0
    [<0000000083306e66>] kvmalloc_node+0x3a/0xc0
    [<000000006ac27f87>] alloc_netdev_mqs+0x17a/0x1080
    [<0000000061a996c9>] slcan_open+0x3ae/0x9a0
    [<000000001226f0f9>] tty_ldisc_open.isra.1+0x76/0xc0
    [<0000000019289631>] tty_set_ldisc+0x28c/0x5f0
    [<000000004de5a617>] tty_ioctl+0x48d/0x1590
    [<00000000daef496f>] do_vfs_ioctl+0x1c7/0x1510
    [<0000000059068dbc>] ksys_ioctl+0x99/0xb0
    [<000000009a6eb334>] __x64_sys_ioctl+0x78/0xb0
    [<0000000053d0332e>] do_syscall_64+0x16f/0x580
    [<0000000021b83b99>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<000000008ea75434>] 0xffffffffffffffff

Cc: Wolfgang Grandegger <wg@grandegger.com>
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/can/slcan.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/can/slcan.c b/drivers/net/can/slcan.c
index aa97dbc797b6b..5d338b2ac39e1 100644
--- a/drivers/net/can/slcan.c
+++ b/drivers/net/can/slcan.c
@@ -613,6 +613,7 @@ static int slcan_open(struct tty_struct *tty)
 	sl->tty = NULL;
 	tty->disc_data = NULL;
 	clear_bit(SLF_INUSE, &sl->flags);
+	free_netdev(sl->dev);
 
 err_exit:
 	rtnl_unlock();
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 19/25] rsxx: add missed destroy_workqueue calls in remove
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (16 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 18/25] slcan: Fix memory leak in error path Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 20/25] ax88172a: fix information leak on short answers Sasha Levin
                   ` (5 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Chuhong Yuan, Jens Axboe, Sasha Levin, linux-block

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit dcb77e4b274b8f13ac6482dfb09160cd2fae9a40 ]

The driver misses calling destroy_workqueue in remove like what is done
when probe fails.
Add the missed calls to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/rsxx/core.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/block/rsxx/core.c b/drivers/block/rsxx/core.c
index f2c631ce793cc..14056dc450642 100644
--- a/drivers/block/rsxx/core.c
+++ b/drivers/block/rsxx/core.c
@@ -1014,8 +1014,10 @@ static void rsxx_pci_remove(struct pci_dev *dev)
 
 	cancel_work_sync(&card->event_work);
 
+	destroy_workqueue(card->event_wq);
 	rsxx_destroy_dev(card);
 	rsxx_dma_destroy(card);
+	destroy_workqueue(card->creg_ctrl.creg_wq);
 
 	spin_lock_irqsave(&card->irq_lock, flags);
 	rsxx_disable_ier_and_isr(card, CR_INTR_ALL);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 20/25] ax88172a: fix information leak on short answers
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (17 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 19/25] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 21/25] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
                   ` (4 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Oliver Neukum, syzbot+a8d4acdad35e6bbca308, David S . Miller,
	Sasha Levin, linux-usb, netdev

From: Oliver Neukum <oneukum@suse.com>

[ Upstream commit a9a51bd727d141a67b589f375fe69d0e54c4fe22 ]

If a malicious device gives a short MAC it can elicit up to
5 bytes of leaked memory out of the driver. We need to check for
ETH_ALEN instead.

Reported-by: syzbot+a8d4acdad35e6bbca308@syzkaller.appspotmail.com
Signed-off-by: Oliver Neukum <oneukum@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/usb/ax88172a.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/usb/ax88172a.c b/drivers/net/usb/ax88172a.c
index 501576f538546..914cac55a7ae7 100644
--- a/drivers/net/usb/ax88172a.c
+++ b/drivers/net/usb/ax88172a.c
@@ -208,7 +208,7 @@ static int ax88172a_bind(struct usbnet *dev, struct usb_interface *intf)
 
 	/* Get the MAC address */
 	ret = asix_read_cmd(dev, AX_CMD_READ_NODE_ID, 0, 0, ETH_ALEN, buf, 0);
-	if (ret < 0) {
+	if (ret < ETH_ALEN) {
 		netdev_err(dev->net, "Failed to read MAC address: %d\n", ret);
 		goto free;
 	}
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 21/25] net: ep93xx_eth: fix mismatch of request_mem_region in remove
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (18 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 20/25] ax88172a: fix information leak on short answers Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 22/25] i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present Sasha Levin
                   ` (3 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Chuhong Yuan, David S . Miller, Sasha Levin, netdev

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit 3df70afe8d33f4977d0e0891bdcfb639320b5257 ]

The driver calls release_resource in remove to match request_mem_region
in probe, which is incorrect.
Fix it by using the right one, release_mem_region.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cirrus/ep93xx_eth.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/cirrus/ep93xx_eth.c b/drivers/net/ethernet/cirrus/ep93xx_eth.c
index 13dfdfca49fc7..edc1d19c9c02e 100644
--- a/drivers/net/ethernet/cirrus/ep93xx_eth.c
+++ b/drivers/net/ethernet/cirrus/ep93xx_eth.c
@@ -767,6 +767,7 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 {
 	struct net_device *dev;
 	struct ep93xx_priv *ep;
+	struct resource *mem;
 
 	dev = platform_get_drvdata(pdev);
 	if (dev == NULL)
@@ -782,8 +783,8 @@ static int ep93xx_eth_remove(struct platform_device *pdev)
 		iounmap(ep->base_addr);
 
 	if (ep->res != NULL) {
-		release_resource(ep->res);
-		kfree(ep->res);
+		mem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+		release_mem_region(mem->start, resource_size(mem));
 	}
 
 	free_netdev(dev);
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 22/25] i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (19 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 21/25] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 23/25] i2c: core: fix use after free in of_i2c_notify Sasha Levin
                   ` (2 subsequent siblings)
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Hans de Goede, youling 257, Jarkko Nikula, Mika Westerberg,
	Wolfram Sang, stable, Sasha Levin, linux-i2c, linux-acpi

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 7574c0db2e68c4d0bae9d415a683bdd8b2a761e9 ]

Many cheap devices use Silead touchscreen controllers. Testing has shown
repeatedly that these touchscreen controllers work fine at 400KHz, but for
unknown reasons do not work properly at 100KHz. This has been seen on
both ARM and x86 devices using totally different i2c controllers.

On some devices the ACPI tables list another device at the same I2C-bus
as only being capable of 100KHz, testing has shown that these other
devices work fine at 400KHz (as can be expected of any recent I2C hw).

This commit makes i2c_acpi_find_bus_speed() always return 400KHz if a
Silead touchscreen controller is present, fixing the touchscreen not
working on devices which ACPI tables' wrongly list another device on the
same bus as only being capable of 100KHz.

Specifically this fixes the touchscreen on the Jumper EZpad 6 m4 not
working.

Reported-by: youling 257 <youling257@gmail.com>
Tested-by: youling 257 <youling257@gmail.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Acked-by: Mika Westerberg <mika.westerberg@linux.intel.com>
[wsa: rewording warning a little]
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Cc: stable@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/i2c-core-acpi.c | 28 +++++++++++++++++++++++++++-
 1 file changed, 27 insertions(+), 1 deletion(-)

diff --git a/drivers/i2c/i2c-core-acpi.c b/drivers/i2c/i2c-core-acpi.c
index 32affd3fa8bd1..559c3b1284d73 100644
--- a/drivers/i2c/i2c-core-acpi.c
+++ b/drivers/i2c/i2c-core-acpi.c
@@ -43,6 +43,7 @@ struct i2c_acpi_lookup {
 	int index;
 	u32 speed;
 	u32 min_speed;
+	u32 force_speed;
 };
 
 static int i2c_acpi_fill_info(struct acpi_resource *ares, void *data)
@@ -240,6 +241,19 @@ i2c_acpi_match_device(const struct acpi_device_id *matches,
 	return acpi_match_device(matches, &client->dev);
 }
 
+static const struct acpi_device_id i2c_acpi_force_400khz_device_ids[] = {
+	/*
+	 * These Silead touchscreen controllers only work at 400KHz, for
+	 * some reason they do not work at 100KHz. On some devices the ACPI
+	 * tables list another device at their bus as only being capable
+	 * of 100KHz, testing has shown that these other devices work fine
+	 * at 400KHz (as can be expected of any recent i2c hw) so we force
+	 * the speed of the bus to 400 KHz if a Silead device is present.
+	 */
+	{ "MSSL1680", 0 },
+	{}
+};
+
 static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
 					   void *data, void **return_value)
 {
@@ -258,6 +272,9 @@ static acpi_status i2c_acpi_lookup_speed(acpi_handle handle, u32 level,
 	if (lookup->speed <= lookup->min_speed)
 		lookup->min_speed = lookup->speed;
 
+	if (acpi_match_device_ids(adev, i2c_acpi_force_400khz_device_ids) == 0)
+		lookup->force_speed = 400000;
+
 	return AE_OK;
 }
 
@@ -295,7 +312,16 @@ u32 i2c_acpi_find_bus_speed(struct device *dev)
 		return 0;
 	}
 
-	return lookup.min_speed != UINT_MAX ? lookup.min_speed : 0;
+	if (lookup.force_speed) {
+		if (lookup.force_speed != lookup.min_speed)
+			dev_warn(dev, FW_BUG "DSDT uses known not-working I2C bus speed %d, forcing it to %d\n",
+				 lookup.min_speed, lookup.force_speed);
+		return lookup.force_speed;
+	} else if (lookup.min_speed != UINT_MAX) {
+		return lookup.min_speed;
+	} else {
+		return 0;
+	}
 }
 EXPORT_SYMBOL_GPL(i2c_acpi_find_bus_speed);
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 23/25] i2c: core: fix use after free in of_i2c_notify
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (20 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 22/25] i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation Sasha Levin
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 25/25] net: gemini: add missed free_netdev Sasha Levin
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable; +Cc: Wen Yang, Wolfram Sang, Sasha Levin, linux-i2c

From: Wen Yang <wenyang@linux.alibaba.com>

[ Upstream commit a4c2fec16f5e6a5fee4865e6e0e91e2bc2d10f37 ]

We can't use "adap->dev" after it has been freed.

Fixes: 5bf4fa7daea6 ("i2c: break out OF support into separate file")
Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/i2c-core-of.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/i2c/i2c-core-of.c b/drivers/i2c/i2c-core-of.c
index 0f01cdba9d2c6..14d4884996968 100644
--- a/drivers/i2c/i2c-core-of.c
+++ b/drivers/i2c/i2c-core-of.c
@@ -253,14 +253,14 @@ static int of_i2c_notify(struct notifier_block *nb, unsigned long action,
 		}
 
 		client = of_i2c_register_device(adap, rd->dn);
-		put_device(&adap->dev);
-
 		if (IS_ERR(client)) {
 			dev_err(&adap->dev, "failed to create client for '%pOF'\n",
 				 rd->dn);
+			put_device(&adap->dev);
 			of_node_clear_flag(rd->dn, OF_POPULATED);
 			return notifier_from_errno(PTR_ERR(client));
 		}
+		put_device(&adap->dev);
 		break;
 	case OF_RECONFIG_CHANGE_REMOVE:
 		/* already depopulated? */
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (21 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 23/25] i2c: core: fix use after free in of_i2c_notify Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  2019-11-22 19:55   ` Dmitry Torokhov
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 25/25] net: gemini: add missed free_netdev Sasha Levin
  23 siblings, 1 reply; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Lyude Paul, Dmitry Torokhov, Sasha Levin, linux-input

From: Lyude Paul <lyude@redhat.com>

[ Upstream commit 768ea88bcb235ac3a92754bf82afcd3f12200bcc ]

Just got one of these for debugging some unrelated issues, and noticed
that Lenovo seems to have gone back to using RMI4 over smbus with
Synaptics touchpads on some of their new systems, particularly this one.
So, let's enable RMI mode for the X1 Extreme 2nd Generation.

Signed-off-by: Lyude Paul <lyude@redhat.com>
Link: https://lore.kernel.org/r/20191115221814.31903-1-lyude@redhat.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/mouse/synaptics.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
index 06cebde2422ea..afdb9947d8af9 100644
--- a/drivers/input/mouse/synaptics.c
+++ b/drivers/input/mouse/synaptics.c
@@ -180,6 +180,7 @@ static const char * const smbus_pnp_ids[] = {
 	"LEN0096", /* X280 */
 	"LEN0097", /* X280 -> ALPS trackpoint */
 	"LEN009b", /* T580 */
+	"LEN0402", /* X1 Extreme 2nd Generation */
 	"LEN200f", /* T450s */
 	"LEN2054", /* E480 */
 	"LEN2055", /* E580 */
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH AUTOSEL 4.19 25/25] net: gemini: add missed free_netdev
  2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
                   ` (22 preceding siblings ...)
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation Sasha Levin
@ 2019-11-22 19:48 ` Sasha Levin
  23 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-11-22 19:48 UTC (permalink / raw)
  To: linux-kernel, stable
  Cc: Chuhong Yuan, Linus Walleij, David S . Miller, Sasha Levin,
	linux-arm-kernel, netdev

From: Chuhong Yuan <hslester96@gmail.com>

[ Upstream commit 18d647ae74116bfee38953978501cea2960a0c25 ]

This driver forgets to free allocated netdev in remove like
what is done in probe failure.
Add the free to fix it.

Signed-off-by: Chuhong Yuan <hslester96@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/cortina/gemini.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/ethernet/cortina/gemini.c b/drivers/net/ethernet/cortina/gemini.c
index dfd1ad0b1cb94..4af78de0e077a 100644
--- a/drivers/net/ethernet/cortina/gemini.c
+++ b/drivers/net/ethernet/cortina/gemini.c
@@ -2530,6 +2530,7 @@ static int gemini_ethernet_port_remove(struct platform_device *pdev)
 	struct gemini_ethernet_port *port = platform_get_drvdata(pdev);
 
 	gemini_port_remove(port);
+	free_netdev(port->netdev);
 	return 0;
 }
 
-- 
2.20.1


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* Re: [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation
  2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation Sasha Levin
@ 2019-11-22 19:55   ` Dmitry Torokhov
  2019-12-06 12:14     ` Sasha Levin
  0 siblings, 1 reply; 27+ messages in thread
From: Dmitry Torokhov @ 2019-11-22 19:55 UTC (permalink / raw)
  To: Sasha Levin; +Cc: linux-kernel, stable, Lyude Paul, linux-input

Hi Sasha,

On Fri, Nov 22, 2019 at 02:48:57PM -0500, Sasha Levin wrote:
> From: Lyude Paul <lyude@redhat.com>
> 
> [ Upstream commit 768ea88bcb235ac3a92754bf82afcd3f12200bcc ]
> 
> Just got one of these for debugging some unrelated issues, and noticed
> that Lenovo seems to have gone back to using RMI4 over smbus with
> Synaptics touchpads on some of their new systems, particularly this one.
> So, let's enable RMI mode for the X1 Extreme 2nd Generation.
> 
> Signed-off-by: Lyude Paul <lyude@redhat.com>
> Link: https://lore.kernel.org/r/20191115221814.31903-1-lyude@redhat.com
> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>

This will be reverted, do not pick up for stable.

> ---
>  drivers/input/mouse/synaptics.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/input/mouse/synaptics.c b/drivers/input/mouse/synaptics.c
> index 06cebde2422ea..afdb9947d8af9 100644
> --- a/drivers/input/mouse/synaptics.c
> +++ b/drivers/input/mouse/synaptics.c
> @@ -180,6 +180,7 @@ static const char * const smbus_pnp_ids[] = {
>  	"LEN0096", /* X280 */
>  	"LEN0097", /* X280 -> ALPS trackpoint */
>  	"LEN009b", /* T580 */
> +	"LEN0402", /* X1 Extreme 2nd Generation */
>  	"LEN200f", /* T450s */
>  	"LEN2054", /* E480 */
>  	"LEN2055", /* E580 */
> -- 
> 2.20.1
> 

Thanks.

-- 
Dmitry

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation
  2019-11-22 19:55   ` Dmitry Torokhov
@ 2019-12-06 12:14     ` Sasha Levin
  0 siblings, 0 replies; 27+ messages in thread
From: Sasha Levin @ 2019-12-06 12:14 UTC (permalink / raw)
  To: Dmitry Torokhov; +Cc: linux-kernel, stable, Lyude Paul, linux-input

On Fri, Nov 22, 2019 at 11:55:32AM -0800, Dmitry Torokhov wrote:
>Hi Sasha,
>
>On Fri, Nov 22, 2019 at 02:48:57PM -0500, Sasha Levin wrote:
>> From: Lyude Paul <lyude@redhat.com>
>>
>> [ Upstream commit 768ea88bcb235ac3a92754bf82afcd3f12200bcc ]
>>
>> Just got one of these for debugging some unrelated issues, and noticed
>> that Lenovo seems to have gone back to using RMI4 over smbus with
>> Synaptics touchpads on some of their new systems, particularly this one.
>> So, let's enable RMI mode for the X1 Extreme 2nd Generation.
>>
>> Signed-off-by: Lyude Paul <lyude@redhat.com>
>> Link: https://lore.kernel.org/r/20191115221814.31903-1-lyude@redhat.com
>> Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>
>This will be reverted, do not pick up for stable.

I've dropped it, thanks!

-- 
Thanks,
Sasha

^ permalink raw reply	[flat|nested] 27+ messages in thread

end of thread, other threads:[~2019-12-06 12:14 UTC | newest]

Thread overview: 27+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-22 19:48 [PATCH AUTOSEL 4.19 01/25] autofs: fix a leak in autofs_expire_indirect() Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 02/25] RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 03/25] xfrm: Fix memleak on xfrm state destroy Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 04/25] iwlwifi: pcie: don't consider IV len in A-MSDU Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 05/25] exportfs_decode_fh(): negative pinned may become positive without the parent locked Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 06/25] audit_get_nd(): don't unlock parent too early Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 07/25] NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 08/25] xfrm: release device reference for invalid state Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 09/25] Input: cyttsp4_core - fix use after free bug Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 10/25] sched/core: Avoid spurious lock dependencies Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 11/25] perf/core: Consistently fail fork on allocation failures Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 12/25] ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed() Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 13/25] drm/sun4i: tcon: Set min division of TCON0_DCLK to 1 Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 14/25] selftests: kvm: fix build with glibc >= 2.30 Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 15/25] net: usb: qmi_wwan: add support for Foxconn T77W968 LTE modules Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 16/25] slip: Fix memory leak in slip_open error path Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 17/25] net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 18/25] slcan: Fix memory leak in error path Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 19/25] rsxx: add missed destroy_workqueue calls in remove Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 20/25] ax88172a: fix information leak on short answers Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 21/25] net: ep93xx_eth: fix mismatch of request_mem_region in remove Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 22/25] i2c: acpi: Force bus speed to 400KHz if a Silead touchscreen is present Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 23/25] i2c: core: fix use after free in of_i2c_notify Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 24/25] Input: synaptics - enable RMI mode for X1 Extreme 2nd Generation Sasha Levin
2019-11-22 19:55   ` Dmitry Torokhov
2019-12-06 12:14     ` Sasha Levin
2019-11-22 19:48 ` [PATCH AUTOSEL 4.19 25/25] net: gemini: add missed free_netdev Sasha Levin

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).