linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH 4.4 000/188] 4.4.276-rc1 review
@ 2021-07-19 14:49 Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 001/188] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
                   ` (192 more replies)
  0 siblings, 193 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, stable

This is the start of the stable review cycle for the 4.4.276 release.
There are 188 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Wed, 21 Jul 2021 14:47:42 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.276-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 4.4.276-rc1

Martin Fäcknitz <faecknitz@hotsplots.de>
    MIPS: vdso: Invalid GIC access through VDSO

Randy Dunlap <rdunlap@infradead.org>
    mips: disable branch profiling in boot/decompress.o

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    memory: fsl_ifc: fix leak of private memory on probe failure

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    memory: fsl_ifc: fix leak of IO mapping on probe failure

Dan Carpenter <dan.carpenter@oracle.com>
    rtc: fix snprintf() checking in is_rtc_hctosys()

Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
    ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4

Nathan Chancellor <nathan@kernel.org>
    hexagon: use common DISCARDS macro

Zhen Lei <thunder.leizhen@huawei.com>
    ALSA: isa: Fix error return code in snd_cmi8330_probe()

Gao Xiang <hsiangkao@linux.alibaba.com>
    nfs: fix acl memory leak of posix_acl_create()

Zhen Lei <thunder.leizhen@huawei.com>
    um: fix error return code in winch_tramp()

Zhen Lei <thunder.leizhen@huawei.com>
    um: fix error return code in slip_open()

Krzysztof Wilczyński <kw@linux.com>
    PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun

Xie Yongji <xieyongji@bytedance.com>
    virtio_console: Assure used length from device is limited

Xie Yongji <xieyongji@bytedance.com>
    virtio-blk: Fix memory leak among suspend/resume procedure

Zou Wei <zou_wei@huawei.com>
    power: supply: ab8500: add missing MODULE_DEVICE_TABLE

Zou Wei <zou_wei@huawei.com>
    power: supply: charger-manager: add missing MODULE_DEVICE_TABLE

Jeff Layton <jlayton@kernel.org>
    ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty

Zou Wei <zou_wei@huawei.com>
    watchdog: Fix possible use-after-free by calling del_timer_sync()

Zou Wei <zou_wei@huawei.com>
    watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()

Zou Wei <zou_wei@huawei.com>
    watchdog: Fix possible use-after-free in wdt_startup()

Nick Desaulniers <ndesaulniers@google.com>
    ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1

Bixuan Cui <cuibixuan@huawei.com>
    power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE

Linus Walleij <linus.walleij@linaro.org>
    power: supply: ab8500: Avoid NULL pointers

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    pwm: spear: Don't modify HW state in .remove callback

Dimitri John Ledkov <dimitri.ledkov@canonical.com>
    lib/decompress_unlz4.c: correctly handle zero-padding around initrds.

Jiajun Cao <jjcao20@fudan.edu.cn>
    ALSA: hda: Add IRQ check for platform_get_irq()

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    backlight: lm3630a: Fix return code of .update_status() callback

Benjamin Herrenschmidt <benh@kernel.crashing.org>
    powerpc/boot: Fixup device-tree on little endian

Yang Yingliang <yangyingliang@huawei.com>
    usb: gadget: hid: fix error return code in hid_bind()

Ruslan Bilovol <ruslan.bilovol@gmail.com>
    usb: gadget: f_hid: fix endianness issue with descriptors

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    ALSA: bebob: add support for ToneWeal FW66

Zhen Lei <thunder.leizhen@huawei.com>
    ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing()

Athira Rajeev <atrajeev@linux.vnet.ibm.com>
    selftests/powerpc: Fix "no_handler" EBB selftest

Yang Yingliang <yangyingliang@huawei.com>
    ALSA: ppc: fix error return code in snd_pmac_probe()

Srinivas Neeli <srinivas.neeli@xilinx.com>
    gpio: zynq: Check return value of pm_runtime_get_sync

Geoff Levand <geoff@infradead.org>
    powerpc/ps3: Add dma_mask to ps3_dma_region

Takashi Iwai <tiwai@suse.de>
    ALSA: sb: Fix potential double-free of CSP mixer elements

Zou Wei <zou_wei@huawei.com>
    mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE

Mike Christie <michael.christie@oracle.com>
    scsi: iscsi: Add iscsi_cls_conn refcount helpers

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    fs/jfs: Fix missing error code in lmLogInit()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    tty: serial: 8250: serial_cs: Fix a memory leak in error handling path

James Smart <jsmart2021@gmail.com>
    scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology

Takashi Sakamoto <o-takashi@sakamocchi.jp>
    Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    misc/libmasm/module: Fix two use after free in ibmasm_init_one

Sherry Sun <sherry.sun@nxp.com>
    tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero

Lai Jiangshan <laijs@linux.alibaba.com>
    KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()

Sean Christopherson <seanjc@google.com>
    KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled

Pavel Skripkin <paskripkin@gmail.com>
    jfs: fix GPF in diFree

Benjamin Drung <bdrung@posteo.de>
    media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K

Johan Hovold <johan@kernel.org>
    media: gspca/sunplus: fix zero-length control requests

Johan Hovold <johan@kernel.org>
    media: gspca/sq905: fix control-request direction

Pavel Skripkin <paskripkin@gmail.com>
    media: zr364xx: fix memory leak in zr364xx_start_readpipe

Hou Tao <houtao1@huawei.com>
    dm btree remove: assign new_root only when removal succeeds

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe

Yun Zhou <yun.zhou@windriver.com>
    seq_buf: Fix overflow in seq_buf_putmem_hex()

Linus Walleij <linus.walleij@linaro.org>
    power: supply: ab8500: Fix an old bug

Petr Pavlu <petr.pavlu@suse.com>
    ipmi/watchdog: Stop watchdog timer when the current action is 'none'

Dmitry Osipenko <digetx@gmail.com>
    ASoC: tegra: Set driver_name=tegra for all machine drivers

Timo Sigurdsson <public_timo.s@silentcreek.de>
    ata: ahci_sunxi: Disable DIPM

Al Cooper <alcooperx@gmail.com>
    mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode

Nathan Chancellor <nathan@kernel.org>
    powerpc/barrier: Avoid collision with clang's __lwsync macro

Davis Mosenkovs <davis@mosenkovs.lv>
    mac80211: fix memory corruption in EAPOL handling

Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
    can: bcm: delay release of struct bcm_op after synchronize_rcu()

Oliver Hartkopp <socketcan@hartkopp.net>
    can: gw: synchronize rcu operations before removing gw job entry

Miklos Szeredi <mszeredi@redhat.com>
    fuse: reject internal errno

Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
    sctp: add size validation when walking chunks

Tim Jiang <tjiang@codeaurora.org>
    Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.

Kai-Heng Feng <kai.heng.feng@canonical.com>
    Bluetooth: Shutdown controller after workqueues are flushed or cancelled

Yu Liu <yudiliu@google.com>
    Bluetooth: Fix the HCI to MGMT status conversion table

Gerd Rausch <gerd.rausch@oracle.com>
    RDMA/cma: Fix rdma_resolve_route() memory leak

Gustavo A. R. Silva <gustavoars@kernel.org>
    wireless: wext-spy: Fix out-of-bounds warning

Íñigo Huguet <ihuguet@redhat.com>
    sfc: error code if SRIOV cannot be disabled

Íñigo Huguet <ihuguet@redhat.com>
    sfc: avoid double pci_remove of VFs

Zheyu Ma <zheyuma97@gmail.com>
    atm: nicstar: register the interrupt handler in the right place

Zheyu Ma <zheyuma97@gmail.com>
    atm: nicstar: use 'dma_free_coherent' instead of 'kfree'

Zou Wei <zou_wei@huawei.com>
    cw1200: add missing MODULE_DEVICE_TABLE

Lee Gibson <leegib@gmail.com>
    wl1251: Fix possible buffer overflow in wl1251_cmd_scan

Tony Lindgren <tony@atomide.com>
    wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP

Steffen Klassert <steffen.klassert@secunet.com>
    xfrm: Fix error reporting in xfrm_state_construct.

Minchan Kim <minchan@kernel.org>
    selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC

Yang Yingliang <yangyingliang@huawei.com>
    net: micrel: check return value after calling platform_get_resource()

Joe Thornber <ejt@redhat.com>
    dm space maps: don't reset space map allocation cursor when committing

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    RDMA/cxgb4: Fix missing error code in create_qp()

Willy Tarreau <w@1wt.eu>
    ipv6: use prandom_u32() for ID generation

Jesse Brandeburg <jesse.brandeburg@intel.com>
    e100: handle eeprom as little endian

Arturo Giusti <koredump@protonmail.com>
    udf: Fix NULL pointer dereference in udf_symlink function

Xie Yongji <xieyongji@bytedance.com>
    drm/virtio: Fix double free on probe failure

Pavel Skripkin <paskripkin@gmail.com>
    reiserfs: add check for invalid 1st journal block

Sebastian Andrzej Siewior <bigeasy@linutronix.de>
    net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT

Zou Wei <zou_wei@huawei.com>
    atm: nicstar: Fix possible use-after-free in nicstar_cleanup()

Zou Wei <zou_wei@huawei.com>
    mISDN: fix possible use-after-free in HFC_cleanup()

Zou Wei <zou_wei@huawei.com>
    atm: iphase: fix possible use-after-free in ia_module_exit()

Bibo Mao <maobibo@loongson.cn>
    hugetlb: clear huge pte during flush function on mips platform

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()

Quat Le <quat.le@oracle.com>
    scsi: core: Retry I/O for Notify (Enable Spinup) Required error

Johan Hovold <johan@kernel.org>
    mmc: vub3000: fix control-request direction

Marek Szyprowski <m.szyprowski@samsung.com>
    extcon: max8997: Add missing modalias string

Stephan Gerhold <stephan@gerhold.net>
    extcon: sm5502: Drop invalid register write in sm5502_reg_data

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()

Zhen Lei <thunder.leizhen@huawei.com>
    scsi: mpt3sas: Fix error return value in _scsih_expander_add()

Dan Carpenter <dan.carpenter@oracle.com>
    staging: gdm724x: check for overflow in gdm_lte_netif_rx()

Dan Carpenter <dan.carpenter@oracle.com>
    staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()

Randy Dunlap <rdunlap@infradead.org>
    s390: appldata depends on PROC_SYSCTL

Randy Dunlap <rdunlap@infradead.org>
    scsi: FlashPoint: Rename si_flags field

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    tty: nozomi: Fix the error handling path of 'nozomi_card_init()'

Yu Kuai <yukuai3@huawei.com>
    char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol()

Zhen Lei <thunder.leizhen@huawei.com>
    Input: hil_kbd - fix error return code in hil_dev_connect()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Jonathan Cameron <Jonathan.Cameron@huawei.com>
    iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()

Nuno Sa <nuno.sa@analog.com>
    iio: adis_buffer: do not return ints in irq handlers

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    tty: nozomi: Fix a resource leak in an error handling function

Muchun Song <songmuchun@bytedance.com>
    writeback: fix obtain a reference to a freeing memcg css

Dinghao Liu <dinghao.liu@zju.edu.cn>
    i40e: Fix error handling in i40e_vsi_open

Eric Dumazet <edumazet@google.com>
    vxlan: add missing rcu_read_lock() in neigh_reduce()

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: ezchip: fix error handling

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: ezchip: fix UAF in nps_enet_remove

Pavel Skripkin <paskripkin@gmail.com>
    net: ethernet: aeroflex: fix UAF in greth_of_remove

Pablo Neira Ayuso <pablo@netfilter.org>
    netfilter: nft_exthdr: check for IPv6 packet before further processing

Liu Shixin <liushixin2@huawei.com>
    netlabel: Fix memory leak in netlbl_mgmt_add_common

Yang Li <yang.lee@linux.alibaba.com>
    ath10k: Fix an error code in ath10k_add_interface()

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    brcmsmac: mac80211_if: Fix a resource leak in an error handling path

Randy Dunlap <rdunlap@infradead.org>
    wireless: carl9170: fix LEDS build errors & warnings

Colin Ian King <colin.king@canonical.com>
    drm: qxl: ensure surf.data is ininitialized

Zhen Lei <thunder.leizhen@huawei.com>
    ehea: fix error return code in ehea_restart_qps()

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    net: pch_gbe: Propagate error from devm_gpio_request_one()

Krzysztof Wilczyński <kw@linux.com>
    ACPI: sysfs: Fix a buffer overrun problem with description_show()

Herbert Xu <herbert@gondor.apana.org.au>
    crypto: nx - Fix RCU warning in nx842_OF_upd_status

Mirko Vogt <mirko-dev|linux@nanl.de>
    spi: spi-sun6i: Fix chipselect/clock bug

Dillon Min <dillon.minfei@gmail.com>
    media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx

Zhen Lei <thunder.leizhen@huawei.com>
    mmc: usdhi6rol0: fix error return code in usdhi6_probe()

Gustavo A. R. Silva <gustavoars@kernel.org>
    media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()

Zhen Lei <thunder.leizhen@huawei.com>
    media: tc358743: Fix error return code in tc358743_probe_of()

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    pata_ep93xx: fix deferred probing

Sergey Shtylyov <s.shtylyov@omp.ru>
    pata_octeon_cf: avoid WARN_ON() in ata_host_activate()

Randy Dunlap <rdunlap@infradead.org>
    media: I2C: change 'RST' to "RSET" to fix multiple build errors

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    pata_rb532_cf: fix deferred probing

Sergey Shtylyov <s.shtylyov@omprussia.ru>
    sata_highbank: fix deferred probing

Zhen Lei <thunder.leizhen@huawei.com>
    crypto: ux500 - Fix error return code in hash_hw_final()

Corentin Labbe <clabbe@baylibre.com>
    crypto: ixp4xx - dma_unmap the correct address

Arnd Bergmann <arnd@arndb.de>
    ia64: mca_drv: fix incorrect array size calculation

Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
    platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()

Hanjun Guo <guohanjun@huawei.com>
    ACPI: bus: Call kobject_put() in acpi_init() error path

Richard Fitzgerald <rf@opensource.cirrus.com>
    random32: Fix implicit truncation warning in prandom_seed_state()

Alexander Aring <aahringo@redhat.com>
    fs: dlm: cancel work sync othercon

zhangyi (F) <yi.zhang@huawei.com>
    block_dump: remove block_dump feature in mark_inode_dirty()

Mario Limonciello <mario.limonciello@amd.com>
    ACPI: processor idle: Fix up C-state latency if not ordered

Axel Lin <axel.lin@ingics.com>
    regulator: da9052: Ensure enough delay time for .set_voltage_time_sel

Christophe Leroy <christophe.leroy@csgroup.eu>
    btrfs: disable build on platforms having page size 256K

Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
    media: dvb_net: avoid speculation from net slot

Ard Biesheuvel <ardb@kernel.org>
    crypto: shash - avoid comparing pointers to exported functions under CFI

Zheyu Ma <zheyuma97@gmail.com>
    mmc: via-sdmmc: add a check against NULL pointer dereference

Zheyu Ma <zheyuma97@gmail.com>
    media: bt8xx: Fix a missing check bug in bt878_probe

Lv Yunlong <lyl2019@mail.ustc.edu.cn>
    media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release

Jack Xu <jack.xu@intel.com>
    crypto: qat - remove unused macro in FW loader

Jack Xu <jack.xu@intel.com>
    crypto: qat - check return code of qat_hal_rd_rel_reg()

Anirudh Rayabharam <mail@anirudhrb.com>
    media: pvrusb2: fix warning in pvr2_i2c_core_done

Pavel Skripkin <paskripkin@gmail.com>
    media: cpia2: fix memory leak in cpia2_usb_probe

Bixuan Cui <cuibixuan@huawei.com>
    crypto: nx - add missing MODULE_DEVICE_TABLE

Tian Tao <tiantao6@hisilicon.com>
    spi: omap-100k: Fix the length judgment problem

Jay Fang <f.fangjian@huawei.com>
    spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()

Miklos Szeredi <mszeredi@redhat.com>
    fuse: check connected before queueing on fpq->io

Yun Zhou <yun.zhou@windriver.com>
    seq_buf: Make trace_seq_putmem_hex() support data longer than 8

Michael Buesch <m@bues.ch>
    ssb: sdio: Don't overwrite const buffer if block_write fails

Pali Rohár <pali@kernel.org>
    ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()

Ondrej Zary <linux@zary.sk>
    serial_cs: Add Option International GSM-Ready 56K/ISDN modem

Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
    iio: ltr501: ltr501_read_ps(): add missing endianness conversion

Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
    iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR

Marc Kleine-Budde <mkl@pengutronix.de>
    iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too

Vineeth Vijayan <vneethv@linux.ibm.com>
    s390/cio: dont call css_wait_for_slow_path() inside a lock

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    SUNRPC: Should wake up the privileged task firstly.

Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
    SUNRPC: Fix the batch tasks count wraparound.

Pan Dong <pandong.peter@bytedance.com>
    ext4: fix avefreec in find_group_orlov

Zhang Yi <yi.zhang@huawei.com>
    ext4: remove check for zero nr_to_scan in ext4_es_scan()

Zhang Yi <yi.zhang@huawei.com>
    ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit

Anirudh Rayabharam <mail@anirudhrb.com>
    ext4: fix kernel infoleak via ext4_extent_header

David Sterba <dsterba@suse.com>
    btrfs: clear defrag status of a root if starting transaction fails

Ludovic Desroches <ludovic.desroches@microchip.com>
    ARM: dts: at91: sama5d4: fix pinctrl muxing

Alexander Larkin <avlarkin82@gmail.com>
    Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl

Al Viro <viro@zeniv.linux.org.uk>
    iov_iter_fault_in_readable() should do nothing in xarray case

Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
    ntfs: fix validity check for file name attribute

Hannu Hartikainen <hannu@hrtk.in>
    USB: cdc-acm: blacklist Heimann USB Appset device

Linyu Yuan <linyyuan@codeaurora.com>
    usb: gadget: eem: fix echo command packet response issue

Pavel Skripkin <paskripkin@gmail.com>
    net: can: ems_usb: fix use-after-free in ems_usb_disconnect()

Johan Hovold <johan@kernel.org>
    Input: usbtouchscreen - fix control-request directions

Pavel Skripkin <paskripkin@gmail.com>
    media: dvb-usb: fix wrong definition

Daehwan Jung <dh10.jung@samsung.com>
    ALSA: usb-audio: fix rate on Ozone Z90 USB headset


-------------

Diffstat:

 Makefile                                           |  4 +-
 arch/arm/boot/dts/exynos5422-odroidxu4.dts         |  2 +-
 arch/arm/boot/dts/sama5d4.dtsi                     |  2 +-
 arch/arm/probes/kprobes/test-thumb.c               | 10 ++--
 arch/hexagon/kernel/vmlinux.lds.S                  |  7 +--
 arch/ia64/kernel/mca_drv.c                         |  2 +-
 arch/mips/boot/compressed/decompress.c             |  2 +
 arch/mips/include/asm/hugetlb.h                    |  8 ++-
 arch/mips/vdso/vdso.h                              |  2 +-
 arch/powerpc/boot/devtree.c                        | 59 +++++++++++++---------
 arch/powerpc/boot/ns16550.c                        |  9 +++-
 arch/powerpc/include/asm/barrier.h                 |  2 +
 arch/powerpc/include/asm/ps3.h                     |  2 +
 arch/powerpc/platforms/ps3/mm.c                    | 12 +++++
 arch/s390/Kconfig                                  |  2 +-
 arch/um/drivers/chan_user.c                        |  3 +-
 arch/um/drivers/slip_user.c                        |  3 +-
 arch/x86/kvm/cpuid.c                               |  8 ++-
 arch/x86/kvm/x86.c                                 |  2 +
 crypto/shash.c                                     | 18 +++++--
 drivers/acpi/bus.c                                 |  1 +
 drivers/acpi/device_sysfs.c                        |  2 +-
 drivers/acpi/processor_idle.c                      | 40 +++++++++++++++
 drivers/ata/ahci_sunxi.c                           |  2 +-
 drivers/ata/pata_ep93xx.c                          |  2 +-
 drivers/ata/pata_octeon_cf.c                       |  5 +-
 drivers/ata/pata_rb532_cf.c                        |  6 ++-
 drivers/ata/sata_highbank.c                        |  6 ++-
 drivers/atm/iphase.c                               |  2 +-
 drivers/atm/nicstar.c                              | 26 +++++-----
 drivers/block/virtio_blk.c                         |  2 +
 drivers/bluetooth/btusb.c                          |  5 ++
 drivers/char/ipmi/ipmi_watchdog.c                  | 22 ++++----
 drivers/char/pcmcia/cm4000_cs.c                    |  4 ++
 drivers/char/virtio_console.c                      |  4 +-
 drivers/crypto/ixp4xx_crypto.c                     |  2 +-
 drivers/crypto/nx/nx-842-pseries.c                 |  9 ++--
 drivers/crypto/qat/qat_common/qat_hal.c            |  6 ++-
 drivers/crypto/qat/qat_common/qat_uclo.c           |  1 -
 drivers/crypto/ux500/hash/hash_core.c              |  1 +
 drivers/extcon/extcon-max8997.c                    |  1 +
 drivers/extcon/extcon-sm5502.c                     |  1 -
 drivers/gpio/gpio-zynq.c                           |  5 +-
 drivers/gpu/drm/qxl/qxl_dumb.c                     |  2 +
 drivers/gpu/drm/virtio/virtgpu_kms.c               |  1 +
 drivers/iio/accel/bma180.c                         | 10 ++--
 drivers/iio/accel/stk8312.c                        | 12 +++--
 drivers/iio/accel/stk8ba50.c                       | 17 +++----
 drivers/iio/imu/adis_buffer.c                      |  3 --
 drivers/iio/light/ltr501.c                         | 15 ++++--
 drivers/infiniband/core/cma.c                      |  3 +-
 drivers/infiniband/hw/cxgb4/qp.c                   |  1 +
 drivers/input/joydev.c                             |  2 +-
 drivers/input/keyboard/hil_kbd.c                   |  1 +
 drivers/input/touchscreen/usbtouchscreen.c         |  8 +--
 drivers/ipack/carriers/tpci200.c                   |  5 +-
 drivers/isdn/hardware/mISDN/hfcpci.c               |  2 +-
 drivers/md/persistent-data/dm-btree-remove.c       |  3 +-
 drivers/md/persistent-data/dm-space-map-disk.c     |  9 +++-
 drivers/md/persistent-data/dm-space-map-metadata.c |  9 +++-
 drivers/media/common/siano/smscoreapi.c            | 22 ++++----
 drivers/media/common/siano/smscoreapi.h            |  4 +-
 drivers/media/dvb-core/dvb_net.c                   | 25 ++++++---
 drivers/media/i2c/s5c73m3/s5c73m3-core.c           |  6 +--
 drivers/media/i2c/s5c73m3/s5c73m3.h                |  2 +-
 drivers/media/i2c/s5k4ecgx.c                       | 10 ++--
 drivers/media/i2c/s5k5baf.c                        |  6 +--
 drivers/media/i2c/s5k6aa.c                         | 10 ++--
 drivers/media/i2c/tc358743.c                       |  1 +
 drivers/media/pci/bt8xx/bt878.c                    |  3 ++
 drivers/media/platform/s5p-g2d/g2d.c               |  3 ++
 drivers/media/usb/cpia2/cpia2.h                    |  1 +
 drivers/media/usb/cpia2/cpia2_core.c               | 12 +++++
 drivers/media/usb/cpia2/cpia2_usb.c                | 13 ++---
 drivers/media/usb/dvb-usb/cxusb.c                  |  2 +-
 drivers/media/usb/gspca/sq905.c                    |  2 +-
 drivers/media/usb/gspca/sunplus.c                  |  8 ++-
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c            |  4 +-
 drivers/media/usb/uvc/uvc_video.c                  | 27 ++++++++++
 drivers/media/usb/zr364xx/zr364xx.c                |  1 +
 drivers/media/v4l2-core/v4l2-fh.c                  |  1 +
 drivers/memory/fsl_ifc.c                           |  8 +--
 drivers/mfd/da9052-i2c.c                           |  1 +
 drivers/mfd/stmpe-i2c.c                            |  2 +-
 drivers/misc/ibmasm/module.c                       |  5 +-
 drivers/mmc/host/sdhci.c                           |  4 ++
 drivers/mmc/host/sdhci.h                           |  1 +
 drivers/mmc/host/usdhi6rol0.c                      |  1 +
 drivers/mmc/host/via-sdmmc.c                       |  3 ++
 drivers/mmc/host/vub300.c                          |  2 +-
 drivers/net/can/usb/ems_usb.c                      |  3 +-
 drivers/net/ethernet/aeroflex/greth.c              |  3 +-
 drivers/net/ethernet/ezchip/nps_enet.c             |  4 +-
 drivers/net/ethernet/ibm/ehea/ehea_main.c          |  9 ++--
 drivers/net/ethernet/intel/e100.c                  | 12 ++---
 drivers/net/ethernet/intel/i40e/i40e_main.c        |  2 +
 drivers/net/ethernet/micrel/ks8842.c               |  4 ++
 .../net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c   | 29 +++++------
 drivers/net/ethernet/sfc/ef10_sriov.c              | 25 +++++----
 drivers/net/vxlan.c                                |  2 +
 drivers/net/wireless/ath/ath10k/mac.c              |  1 +
 drivers/net/wireless/ath/ath9k/main.c              |  5 ++
 drivers/net/wireless/ath/carl9170/Kconfig          |  8 ++-
 .../net/wireless/brcm80211/brcmsmac/mac80211_if.c  |  8 ++-
 drivers/net/wireless/cw1200/cw1200_sdio.c          |  1 +
 drivers/net/wireless/ti/wl1251/cmd.c               |  9 ++--
 drivers/net/wireless/ti/wl12xx/main.c              |  7 +++
 drivers/pci/pci-label.c                            |  2 +-
 drivers/phy/phy-dm816x-usb.c                       | 17 +++++--
 drivers/platform/x86/toshiba_acpi.c                |  1 +
 drivers/power/ab8500_btemp.c                       |  1 +
 drivers/power/ab8500_charger.c                     | 19 ++++++-
 drivers/power/ab8500_fg.c                          |  1 +
 drivers/power/charger-manager.c                    |  1 +
 drivers/power/reset/gpio-poweroff.c                |  1 +
 drivers/pwm/pwm-spear.c                            |  4 --
 drivers/regulator/da9052-regulator.c               |  3 +-
 drivers/rtc/rtc-proc.c                             |  4 +-
 drivers/s390/cio/chp.c                             |  3 ++
 drivers/s390/cio/chsc.c                            |  2 -
 drivers/scsi/FlashPoint.c                          | 32 ++++++------
 drivers/scsi/be2iscsi/be_main.c                    |  1 +
 drivers/scsi/libiscsi.c                            |  7 +--
 drivers/scsi/lpfc/lpfc_els.c                       |  9 ++++
 drivers/scsi/mpt3sas/mpt3sas_scsih.c               |  4 +-
 drivers/scsi/scsi_lib.c                            |  1 +
 drivers/scsi/scsi_transport_iscsi.c                | 12 +++++
 drivers/spi/spi-omap-100k.c                        |  2 +-
 drivers/spi/spi-sun6i.c                            |  6 ++-
 drivers/spi/spi-topcliff-pch.c                     |  4 +-
 drivers/ssb/sdio.c                                 |  1 -
 drivers/staging/gdm724x/gdm_lte.c                  | 20 ++++++--
 drivers/tty/nozomi.c                               |  9 ++--
 drivers/tty/serial/8250/serial_cs.c                | 12 ++++-
 drivers/tty/serial/fsl_lpuart.c                    |  3 ++
 drivers/usb/class/cdc-acm.c                        |  5 ++
 drivers/usb/gadget/function/f_eem.c                | 43 ++++++++++++++--
 drivers/usb/gadget/function/f_hid.c                |  2 +-
 drivers/usb/gadget/legacy/hid.c                    |  4 +-
 drivers/video/backlight/lm3630a_bl.c               | 12 ++---
 drivers/watchdog/lpc18xx_wdt.c                     |  2 +-
 drivers/watchdog/sbc60xxwdt.c                      |  2 +-
 drivers/watchdog/sc520_wdt.c                       |  2 +-
 drivers/watchdog/w83877f_wdt.c                     |  2 +-
 fs/btrfs/Kconfig                                   |  2 +
 fs/btrfs/transaction.c                             |  6 ++-
 fs/ceph/addr.c                                     | 10 +---
 fs/dlm/lowcomms.c                                  |  2 +-
 fs/ext4/extents.c                                  |  3 ++
 fs/ext4/extents_status.c                           |  4 +-
 fs/ext4/ialloc.c                                   | 11 ++--
 fs/fs-writeback.c                                  | 34 +++----------
 fs/fuse/dev.c                                      | 11 +++-
 fs/jfs/inode.c                                     |  3 +-
 fs/jfs/jfs_logmgr.c                                |  1 +
 fs/nfs/nfs3proc.c                                  |  4 +-
 fs/ntfs/inode.c                                    |  2 +-
 fs/reiserfs/journal.c                              | 14 +++++
 fs/udf/namei.c                                     |  4 ++
 include/crypto/internal/hash.h                     |  8 +--
 include/linux/mfd/abx500/ux500_chargalg.h          |  2 +-
 include/linux/prandom.h                            |  2 +-
 include/scsi/scsi_transport_iscsi.h                |  2 +
 lib/decompress_unlz4.c                             |  8 +++
 lib/iov_iter.c                                     |  2 +-
 lib/seq_buf.c                                      |  8 ++-
 net/bluetooth/hci_core.c                           | 16 +++---
 net/bluetooth/mgmt.c                               |  3 ++
 net/can/bcm.c                                      |  7 ++-
 net/can/gw.c                                       |  3 ++
 net/core/dev.c                                     | 11 +++-
 net/ipv6/output_core.c                             | 28 ++--------
 net/mac80211/rx.c                                  |  2 +-
 net/netfilter/nft_exthdr.c                         |  3 ++
 net/netlabel/netlabel_mgmt.c                       | 19 +++----
 net/sctp/input.c                                   |  2 +-
 net/sunrpc/sched.c                                 | 12 ++++-
 net/wireless/wext-spy.c                            | 14 ++---
 net/xfrm/xfrm_user.c                               | 28 +++++-----
 security/selinux/avc.c                             | 13 ++---
 sound/firewire/Kconfig                             |  5 +-
 sound/firewire/bebob/bebob.c                       |  5 +-
 sound/firewire/oxfw/oxfw.c                         |  2 +-
 sound/isa/cmi8330.c                                |  2 +-
 sound/isa/sb/sb16_csp.c                            |  8 ++-
 sound/pci/hda/hda_tegra.c                          |  3 ++
 sound/ppc/powermac.c                               |  6 ++-
 sound/soc/soc-core.c                               |  2 +-
 sound/soc/tegra/tegra_alc5632.c                    |  1 +
 sound/soc/tegra/tegra_max98090.c                   |  1 +
 sound/soc/tegra/tegra_rt5640.c                     |  1 +
 sound/soc/tegra/tegra_rt5677.c                     |  1 +
 sound/soc/tegra/tegra_wm8753.c                     |  1 +
 sound/soc/tegra/tegra_wm8903.c                     |  1 +
 sound/soc/tegra/tegra_wm9712.c                     |  1 +
 sound/soc/tegra/trimslice.c                        |  1 +
 sound/usb/format.c                                 |  2 +
 .../selftests/powerpc/pmu/ebb/no_handler_test.c    |  2 -
 198 files changed, 891 insertions(+), 453 deletions(-)



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 001/188] ALSA: usb-audio: fix rate on Ozone Z90 USB headset
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 002/188] media: dvb-usb: fix wrong definition Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Daehwan Jung, Takashi Iwai

From: Daehwan Jung <dh10.jung@samsung.com>

commit aecc19ec404bdc745c781058ac97a373731c3089 upstream.

It mislabels its 96 kHz altsetting and that's why it causes some noise

Signed-off-by: Daehwan Jung <dh10.jung@samsung.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1623836097-61918-1-git-send-email-dh10.jung@samsung.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/usb/format.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -191,9 +191,11 @@ static int parse_audio_format_rates_v1(s
 				continue;
 			/* C-Media CM6501 mislabels its 96 kHz altsetting */
 			/* Terratec Aureon 7.1 USB C-Media 6206, too */
+			/* Ozone Z90 USB C-Media, too */
 			if (rate == 48000 && nr_rates == 1 &&
 			    (chip->usb_id == USB_ID(0x0d8c, 0x0201) ||
 			     chip->usb_id == USB_ID(0x0d8c, 0x0102) ||
+			     chip->usb_id == USB_ID(0x0d8c, 0x0078) ||
 			     chip->usb_id == USB_ID(0x0ccd, 0x00b1)) &&
 			    fp->altsetting == 5 && fp->maxpacksize == 392)
 				rate = 96000;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 002/188] media: dvb-usb: fix wrong definition
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 001/188] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 003/188] Input: usbtouchscreen - fix control-request directions Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+7336195c02c1bd2f64e1,
	Pavel Skripkin, Sean Young, Mauro Carvalho Chehab

From: Pavel Skripkin <paskripkin@gmail.com>

commit c680ed46e418e9c785d76cf44eb33bfd1e8cf3f6 upstream.

syzbot reported WARNING in vmalloc. The problem
was in zero size passed to vmalloc.

The root case was in wrong cxusb_bluebird_lgz201_properties
definition. adapter array has only 1 entry, but num_adapters was
2.

Call Trace:
 __vmalloc_node mm/vmalloc.c:2963 [inline]
 vmalloc+0x67/0x80 mm/vmalloc.c:2996
 dvb_dmx_init+0xe4/0xb90 drivers/media/dvb-core/dvb_demux.c:1251
 dvb_usb_adapter_dvb_init+0x564/0x860 drivers/media/usb/dvb-usb/dvb-usb-dvb.c:184
 dvb_usb_adapter_init drivers/media/usb/dvb-usb/dvb-usb-init.c:86 [inline]
 dvb_usb_init drivers/media/usb/dvb-usb/dvb-usb-init.c:184 [inline]
 dvb_usb_device_init.cold+0xc94/0x146e drivers/media/usb/dvb-usb/dvb-usb-init.c:308
 cxusb_probe+0x159/0x5e0 drivers/media/usb/dvb-usb/cxusb.c:1634

Fixes: 4d43e13f723e ("V4L/DVB (4643): Multi-input patch for DVB-USB device")
Cc: stable@vger.kernel.org
Reported-by: syzbot+7336195c02c1bd2f64e1@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Sean Young <sean@mess.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/media/usb/dvb-usb/cxusb.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/dvb-usb/cxusb.c
+++ b/drivers/media/usb/dvb-usb/cxusb.c
@@ -1789,7 +1789,7 @@ static struct dvb_usb_device_properties
 
 	.size_of_priv     = sizeof(struct cxusb_state),
 
-	.num_adapters = 2,
+	.num_adapters = 1,
 	.adapter = {
 		{
 		.num_frontends = 1,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 003/188] Input: usbtouchscreen - fix control-request directions
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 001/188] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 002/188] media: dvb-usb: fix wrong definition Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 004/188] net: can: ems_usb: fix use-after-free in ems_usb_disconnect() Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Dmitry Torokhov

From: Johan Hovold <johan@kernel.org>

commit 41e81022a04a0294c55cfa7e366bc14b9634c66e upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Fix the four control requests which erroneously used usb_rcvctrlpipe().

Fixes: 1d3e20236d7a ("[PATCH] USB: usbtouchscreen: unified USB touchscreen driver")
Fixes: 24ced062a296 ("usbtouchscreen: add support for DMC TSC-10/25 devices")
Fixes: 9e3b25837a20 ("Input: usbtouchscreen - add support for e2i touchscreen controller")
Signed-off-by: Johan Hovold <johan@kernel.org>
Cc: stable@vger.kernel.org      # 2.6.17
Link: https://lore.kernel.org/r/20210524092048.4443-1-johan@kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/touchscreen/usbtouchscreen.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- a/drivers/input/touchscreen/usbtouchscreen.c
+++ b/drivers/input/touchscreen/usbtouchscreen.c
@@ -266,7 +266,7 @@ static int e2i_init(struct usbtouch_usb
 	int ret;
 	struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
 
-	ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+	ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 	                      0x01, 0x02, 0x0000, 0x0081,
 	                      NULL, 0, USB_CTRL_SET_TIMEOUT);
 
@@ -462,7 +462,7 @@ static int mtouch_init(struct usbtouch_u
 	int ret, i;
 	struct usb_device *udev = interface_to_usbdev(usbtouch->interface);
 
-	ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+	ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 	                      MTOUCHUSB_RESET,
 	                      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 	                      1, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);
@@ -474,7 +474,7 @@ static int mtouch_init(struct usbtouch_u
 	msleep(150);
 
 	for (i = 0; i < 3; i++) {
-		ret = usb_control_msg(udev, usb_rcvctrlpipe(udev, 0),
+		ret = usb_control_msg(udev, usb_sndctrlpipe(udev, 0),
 				      MTOUCHUSB_ASYNC_REPORT,
 				      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				      1, 1, NULL, 0, USB_CTRL_SET_TIMEOUT);
@@ -645,7 +645,7 @@ static int dmc_tsc10_init(struct usbtouc
 	}
 
 	/* start sending data */
-	ret = usb_control_msg(dev, usb_rcvctrlpipe (dev, 0),
+	ret = usb_control_msg(dev, usb_sndctrlpipe(dev, 0),
 	                      TSC10_CMD_DATA1,
 	                      USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 	                      0, 0, NULL, 0, USB_CTRL_SET_TIMEOUT);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 004/188] net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 003/188] Input: usbtouchscreen - fix control-request directions Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 005/188] usb: gadget: eem: fix echo command packet response issue Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Marc Kleine-Budde

From: Pavel Skripkin <paskripkin@gmail.com>

commit ab4a0b8fcb9a95c02909b62049811bd2e586aaa4 upstream.

In ems_usb_disconnect() dev pointer, which is netdev private data, is
used after free_candev() call:
| 	if (dev) {
| 		unregister_netdev(dev->netdev);
| 		free_candev(dev->netdev);
|
| 		unlink_all_urbs(dev);
|
| 		usb_free_urb(dev->intr_urb);
|
| 		kfree(dev->intr_in_buffer);
| 		kfree(dev->tx_msg_buffer);
| 	}

Fix it by simply moving free_candev() at the end of the block.

Fail log:
| BUG: KASAN: use-after-free in ems_usb_disconnect
| Read of size 8 at addr ffff88804e041008 by task kworker/1:2/2895
|
| CPU: 1 PID: 2895 Comm: kworker/1:2 Not tainted 5.13.0-rc5+ #164
| Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.4
| Workqueue: usb_hub_wq hub_event
| Call Trace:
|     dump_stack (lib/dump_stack.c:122)
|     print_address_description.constprop.0.cold (mm/kasan/report.c:234)
|     kasan_report.cold (mm/kasan/report.c:420 mm/kasan/report.c:436)
|     ems_usb_disconnect (drivers/net/can/usb/ems_usb.c:683 drivers/net/can/usb/ems_usb.c:1058)

Fixes: 702171adeed3 ("ems_usb: Added support for EMS CPC-USB/ARM7 CAN/USB interface")
Link: https://lore.kernel.org/r/20210617185130.5834-1-paskripkin@gmail.com
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/can/usb/ems_usb.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/can/usb/ems_usb.c
+++ b/drivers/net/can/usb/ems_usb.c
@@ -1071,7 +1071,6 @@ static void ems_usb_disconnect(struct us
 
 	if (dev) {
 		unregister_netdev(dev->netdev);
-		free_candev(dev->netdev);
 
 		unlink_all_urbs(dev);
 
@@ -1079,6 +1078,8 @@ static void ems_usb_disconnect(struct us
 
 		kfree(dev->intr_in_buffer);
 		kfree(dev->tx_msg_buffer);
+
+		free_candev(dev->netdev);
 	}
 }
 



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 005/188] usb: gadget: eem: fix echo command packet response issue
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 004/188] net: can: ems_usb: fix use-after-free in ems_usb_disconnect() Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 006/188] USB: cdc-acm: blacklist Heimann USB Appset device Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Linyu Yuan

From: Linyu Yuan <linyyuan@codeaurora.com>

commit 4249d6fbc10fd997abdf8a1ea49c0389a0edf706 upstream.

when receive eem echo command, it will send a response,
but queue this response to the usb request which allocate
from gadget device endpoint zero,
and transmit the request to IN endpoint of eem interface.

on dwc3 gadget, it will trigger following warning in function
__dwc3_gadget_ep_queue(),

	if (WARN(req->dep != dep, "request %pK belongs to '%s'\n",
				&req->request, req->dep->name))
		return -EINVAL;

fix it by allocating a usb request from IN endpoint of eem interface,
and transmit the usb request to same IN endpoint of eem interface.

Signed-off-by: Linyu Yuan <linyyuan@codeaurora.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210616115142.34075-1-linyyuan@codeaurora.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/gadget/function/f_eem.c |   43 ++++++++++++++++++++++++++++++++----
 1 file changed, 39 insertions(+), 4 deletions(-)

--- a/drivers/usb/gadget/function/f_eem.c
+++ b/drivers/usb/gadget/function/f_eem.c
@@ -34,6 +34,11 @@ struct f_eem {
 	u8				ctrl_id;
 };
 
+struct in_context {
+	struct sk_buff	*skb;
+	struct usb_ep	*ep;
+};
+
 static inline struct f_eem *func_to_eem(struct usb_function *f)
 {
 	return container_of(f, struct f_eem, port.func);
@@ -327,9 +332,12 @@ fail:
 
 static void eem_cmd_complete(struct usb_ep *ep, struct usb_request *req)
 {
-	struct sk_buff *skb = (struct sk_buff *)req->context;
+	struct in_context *ctx = req->context;
 
-	dev_kfree_skb_any(skb);
+	dev_kfree_skb_any(ctx->skb);
+	kfree(req->buf);
+	usb_ep_free_request(ctx->ep, req);
+	kfree(ctx);
 }
 
 /*
@@ -413,7 +421,9 @@ static int eem_unwrap(struct gether *por
 		 * b15:		bmType (0 == data, 1 == command)
 		 */
 		if (header & BIT(15)) {
-			struct usb_request	*req = cdev->req;
+			struct usb_request	*req;
+			struct in_context	*ctx;
+			struct usb_ep		*ep;
 			u16			bmEEMCmd;
 
 			/* EEM command packet format:
@@ -442,11 +452,36 @@ static int eem_unwrap(struct gether *por
 				skb_trim(skb2, len);
 				put_unaligned_le16(BIT(15) | BIT(11) | len,
 							skb_push(skb2, 2));
+
+				ep = port->in_ep;
+				req = usb_ep_alloc_request(ep, GFP_ATOMIC);
+				if (!req) {
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+
+				req->buf = kmalloc(skb2->len, GFP_KERNEL);
+				if (!req->buf) {
+					usb_ep_free_request(ep, req);
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+
+				ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
+				if (!ctx) {
+					kfree(req->buf);
+					usb_ep_free_request(ep, req);
+					dev_kfree_skb_any(skb2);
+					goto next;
+				}
+				ctx->skb = skb2;
+				ctx->ep = ep;
+
 				skb_copy_bits(skb2, 0, req->buf, skb2->len);
 				req->length = skb2->len;
 				req->complete = eem_cmd_complete;
 				req->zero = 1;
-				req->context = skb2;
+				req->context = ctx;
 				if (usb_ep_queue(port->in_ep, req, GFP_ATOMIC))
 					DBG(cdev, "echo response queue fail\n");
 				break;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 006/188] USB: cdc-acm: blacklist Heimann USB Appset device
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 005/188] usb: gadget: eem: fix echo command packet response issue Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 007/188] ntfs: fix validity check for file name attribute Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hannu Hartikainen

From: Hannu Hartikainen <hannu@hrtk.in>

commit 4897807753e078655a78de39ed76044d784f3e63 upstream.

The device (32a7:0000 Heimann Sensor GmbH USB appset demo) claims to be
a CDC-ACM device in its descriptors but in fact is not. If it is run
with echo disabled it returns garbled data, probably due to something
that happens in the TTY layer. And when run with echo enabled (the
default), it will mess up the calibration data of the sensor the first
time any data is sent to the device.

In short, I had a bad time after connecting the sensor and trying to get
it to work. I hope blacklisting it in the cdc-acm driver will save
someone else a bit of trouble.

Signed-off-by: Hannu Hartikainen <hannu@hrtk.in>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210622141454.337948-1-hannu@hrtk.in
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/usb/class/cdc-acm.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1939,6 +1939,11 @@ static const struct usb_device_id acm_id
 	.driver_info = IGNORE_DEVICE,
 	},
 
+	/* Exclude Heimann Sensor GmbH USB appset demo */
+	{ USB_DEVICE(0x32a7, 0x0000),
+	.driver_info = IGNORE_DEVICE,
+	},
+
 	/* control interfaces without any protocol set */
 	{ USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
 		USB_CDC_PROTO_NONE) },



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 007/188] ntfs: fix validity check for file name attribute
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 006/188] USB: cdc-acm: blacklist Heimann USB Appset device Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 008/188] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Desmond Cheong Zhi Xi,
	syzbot+213ac8bb98f7f4420840, Anton Altaparmakov, Shuah Khan,
	Andrew Morton, Linus Torvalds

From: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>

commit d98e4d95411bbde2220a7afa38dcc9c14d71acbe upstream.

When checking the file name attribute, we want to ensure that it fits
within the bounds of ATTR_RECORD.  To do this, we should check that (attr
record + file name offset + file name length) < (attr record + attr record
length).

However, the original check did not include the file name offset in the
calculation.  This means that corrupted on-disk metadata might not caught
by the incorrect file name check, and lead to an invalid memory access.

An example can be seen in the crash report of a memory corruption error
found by Syzbot:
https://syzkaller.appspot.com/bug?id=a1a1e379b225812688566745c3e2f7242bffc246

Adding the file name offset to the validity check fixes this error and
passes the Syzbot reproducer test.

Link: https://lkml.kernel.org/r/20210614050540.289494-1-desmondcheongzx@gmail.com
Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
Reported-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Tested-by: syzbot+213ac8bb98f7f4420840@syzkaller.appspotmail.com
Acked-by: Anton Altaparmakov <anton@tuxera.com>
Cc: Shuah Khan <skhan@linuxfoundation.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ntfs/inode.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/ntfs/inode.c
+++ b/fs/ntfs/inode.c
@@ -502,7 +502,7 @@ err_corrupt_attr:
 		}
 		file_name_attr = (FILE_NAME_ATTR*)((u8*)attr +
 				le16_to_cpu(attr->data.resident.value_offset));
-		p2 = (u8*)attr + le32_to_cpu(attr->data.resident.value_length);
+		p2 = (u8 *)file_name_attr + le32_to_cpu(attr->data.resident.value_length);
 		if (p2 < (u8*)attr || p2 > p)
 			goto err_corrupt_attr;
 		/* This attribute is ok, but is it in the $Extend directory? */



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 008/188] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 007/188] ntfs: fix validity check for file name attribute Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 009/188] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Al Viro

From: Al Viro <viro@zeniv.linux.org.uk>

commit 0e8f0d67401589a141950856902c7d0ec8d9c985 upstream.

... and actually should just check it's given an iovec-backed iterator
in the first place.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/iov_iter.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -311,7 +311,7 @@ int iov_iter_fault_in_readable(struct io
 	int err;
 	struct iovec v;
 
-	if (!(i->type & (ITER_BVEC|ITER_KVEC))) {
+	if (iter_is_iovec(i)) {
 		iterate_iovec(i, bytes, v, iov, skip, ({
 			err = fault_in_multipages_readable(v.iov_base,
 					v.iov_len);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 009/188] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 008/188] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 010/188] ARM: dts: at91: sama5d4: fix pinctrl muxing Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Murray McAllister, Linus Torvalds,
	Alexander Larkin, Dmitry Torokhov

From: Alexander Larkin <avlarkin82@gmail.com>

commit f8f84af5da9ee04ef1d271528656dac42a090d00 upstream.

Even though we validate user-provided inputs we then traverse past
validated data when applying the new map. The issue was originally
discovered by Murray McAllister with this simple POC (if the following
is executed by an unprivileged user it will instantly panic the system):

int main(void) {
	int fd, ret;
	unsigned int buffer[10000];

	fd = open("/dev/input/js0", O_RDONLY);
	if (fd == -1)
		printf("Error opening file\n");

	ret = ioctl(fd, JSIOCSBTNMAP & ~IOCSIZE_MASK, &buffer);
	printf("%d\n", ret);
}

The solution is to traverse internal buffer which is guaranteed to only
contain valid date when constructing the map.

Fixes: 182d679b2298 ("Input: joydev - prevent potential read overflow in ioctl")
Fixes: 999b874f4aa3 ("Input: joydev - validate axis/button maps before clobbering current ones")
Reported-by: Murray McAllister <murray.mcallister@gmail.com>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Alexander Larkin <avlarkin82@gmail.com>
Link: https://lore.kernel.org/r/20210620120030.1513655-1-avlarkin82@gmail.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/input/joydev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/input/joydev.c
+++ b/drivers/input/joydev.c
@@ -492,7 +492,7 @@ static int joydev_handle_JSIOCSBTNMAP(st
 	memcpy(joydev->keypam, keypam, len);
 
 	for (i = 0; i < joydev->nkey; i++)
-		joydev->keymap[keypam[i] - BTN_MISC] = i;
+		joydev->keymap[joydev->keypam[i] - BTN_MISC] = i;
 
  out:
 	kfree(keypam);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 010/188] ARM: dts: at91: sama5d4: fix pinctrl muxing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 009/188] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 011/188] btrfs: clear defrag status of a root if starting transaction fails Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ludovic Desroches, Claudiu Beznea,
	Nicolas Ferre

From: Ludovic Desroches <ludovic.desroches@microchip.com>

commit 253adffb0e98eaf6da2e7cf73ae68695e21f2f3c upstream.

Fix pinctrl muxing, PD28, PD29 and PD31 can be muxed to peripheral A. It
allows to use SCK0, SCK1 and SPI0_NPCS2 signals.

Signed-off-by: Ludovic Desroches <ludovic.desroches@microchip.com>
Fixes: 679f8d92bb01 ("ARM: at91/dt: sama5d4: add pioD pin mux mask and enable pioD")
Cc: stable@vger.kernel.org # v4.4+
Reviewed-by: Claudiu Beznea <claudiu.beznea@microchip.com>
Signed-off-by: Nicolas Ferre <nicolas.ferre@microchip.com>
Link: https://lore.kernel.org/r/20191025084210.14726-1-ludovic.desroches@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/arm/boot/dts/sama5d4.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/sama5d4.dtsi
+++ b/arch/arm/boot/dts/sama5d4.dtsi
@@ -1363,7 +1363,7 @@
 					0xffffffff 0x3ffcfe7c 0x1c010101	/* pioA */
 					0x7fffffff 0xfffccc3a 0x3f00cc3a	/* pioB */
 					0xffffffff 0x3ff83fff 0xff00ffff	/* pioC */
-					0x0003ff00 0x8002a800 0x00000000	/* pioD */
+					0xb003ff00 0x8002a800 0x00000000	/* pioD */
 					0xffffffff 0x7fffffff 0x76fff1bf	/* pioE */
 					>;
 



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 011/188] btrfs: clear defrag status of a root if starting transaction fails
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 010/188] ARM: dts: at91: sama5d4: fix pinctrl muxing Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 012/188] ext4: fix kernel infoleak via ext4_extent_header Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Qu Wenruo, Anand Jain, David Sterba

From: David Sterba <dsterba@suse.com>

commit 6819703f5a365c95488b07066a8744841bf14231 upstream.

The defrag loop processes leaves in batches and starting transaction for
each. The whole defragmentation on a given root is protected by a bit
but in case the transaction fails, the bit is not cleared

In case the transaction fails the bit would prevent starting
defragmentation again, so make sure it's cleared.

CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/btrfs/transaction.c |    6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1264,8 +1264,10 @@ int btrfs_defrag_root(struct btrfs_root
 
 	while (1) {
 		trans = btrfs_start_transaction(root, 0);
-		if (IS_ERR(trans))
-			return PTR_ERR(trans);
+		if (IS_ERR(trans)) {
+			ret = PTR_ERR(trans);
+			break;
+		}
 
 		ret = btrfs_defrag_leaves(trans, root);
 



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 012/188] ext4: fix kernel infoleak via ext4_extent_header
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 011/188] btrfs: clear defrag status of a root if starting transaction fails Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 013/188] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, stable, syzbot+2dcfeaf8cb49b05e8f1a,
	Anirudh Rayabharam, Theodore Tso

From: Anirudh Rayabharam <mail@anirudhrb.com>

commit ce3aba43599f0b50adbebff133df8d08a3d5fffe upstream.

Initialize eh_generation of struct ext4_extent_header to prevent leaking
info to userspace. Fixes KMSAN kernel-infoleak bug reported by syzbot at:
http://syzkaller.appspot.com/bug?id=78e9ad0e6952a3ca16e8234724b2fa92d041b9b8

Cc: stable@kernel.org
Reported-by: syzbot+2dcfeaf8cb49b05e8f1a@syzkaller.appspotmail.com
Fixes: a86c61812637 ("[PATCH] ext3: add extent map support")
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Link: https://lore.kernel.org/r/20210506185655.7118-1-mail@anirudhrb.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -865,6 +865,7 @@ int ext4_ext_tree_init(handle_t *handle,
 	eh->eh_entries = 0;
 	eh->eh_magic = EXT4_EXT_MAGIC;
 	eh->eh_max = cpu_to_le16(ext4_ext_space_root(inode, 0));
+	eh->eh_generation = 0;
 	ext4_mark_inode_dirty(handle, inode);
 	return 0;
 }
@@ -1128,6 +1129,7 @@ static int ext4_ext_split(handle_t *hand
 	neh->eh_max = cpu_to_le16(ext4_ext_space_block(inode, 0));
 	neh->eh_magic = EXT4_EXT_MAGIC;
 	neh->eh_depth = 0;
+	neh->eh_generation = 0;
 
 	/* move remainder of path[depth] to the new leaf */
 	if (unlikely(path[depth].p_hdr->eh_entries !=
@@ -1205,6 +1207,7 @@ static int ext4_ext_split(handle_t *hand
 		neh->eh_magic = EXT4_EXT_MAGIC;
 		neh->eh_max = cpu_to_le16(ext4_ext_space_block_idx(inode, 0));
 		neh->eh_depth = cpu_to_le16(depth - i);
+		neh->eh_generation = 0;
 		fidx = EXT_FIRST_INDEX(neh);
 		fidx->ei_block = border;
 		ext4_idx_store_pblock(fidx, oldblock);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 013/188] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 012/188] ext4: fix kernel infoleak via ext4_extent_header Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 014/188] ext4: remove check for zero nr_to_scan in ext4_es_scan() Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, Jan Kara, Theodore Tso

From: Zhang Yi <yi.zhang@huawei.com>

commit 4fb7c70a889ead2e91e184895ac6e5354b759135 upstream.

The cache_cnt parameter of tracepoint ext4_es_shrink_exit means the
remaining cache count after shrink, but now it is the cache count before
shrink, fix it by read sbi->s_extent_cache_cnt again.

Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210522103045.690103-3-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents_status.c |    1 +
 1 file changed, 1 insertion(+)

--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1085,6 +1085,7 @@ static unsigned long ext4_es_scan(struct
 
 	nr_shrunk = __es_shrink(sbi, nr_to_scan, NULL);
 
+	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);
 	trace_ext4_es_shrink_scan_exit(sbi->s_sb, nr_shrunk, ret);
 	return nr_shrunk;
 }



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 014/188] ext4: remove check for zero nr_to_scan in ext4_es_scan()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 013/188] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:49 ` [PATCH 4.4 015/188] ext4: fix avefreec in find_group_orlov Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhang Yi, Jan Kara, Theodore Tso

From: Zhang Yi <yi.zhang@huawei.com>

commit e5e7010e5444d923e4091cafff61d05f2d19cada upstream.

After converting fs shrinkers to new scan/count API, we are no longer
pass zero nr_to_scan parameter to detect the number of objects to free,
just remove this check.

Fixes: 1ab6c4997e04 ("fs: convert fs shrinkers to new scan/count API")
Cc: stable@vger.kernel.org # 3.12+
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210522103045.690103-2-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/extents_status.c |    3 ---
 1 file changed, 3 deletions(-)

--- a/fs/ext4/extents_status.c
+++ b/fs/ext4/extents_status.c
@@ -1080,9 +1080,6 @@ static unsigned long ext4_es_scan(struct
 	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);
 	trace_ext4_es_shrink_scan_enter(sbi->s_sb, nr_to_scan, ret);
 
-	if (!nr_to_scan)
-		return ret;
-
 	nr_shrunk = __es_shrink(sbi, nr_to_scan, NULL);
 
 	ret = percpu_counter_read_positive(&sbi->s_es_stats.es_stats_shk_cnt);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 015/188] ext4: fix avefreec in find_group_orlov
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 014/188] ext4: remove check for zero nr_to_scan in ext4_es_scan() Greg Kroah-Hartman
@ 2021-07-19 14:49 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 016/188] SUNRPC: Fix the batch tasks count wraparound Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:49 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Pan Dong, Theodore Tso

From: Pan Dong <pandong.peter@bytedance.com>

commit c89849cc0259f3d33624cc3bd127685c3c0fa25d upstream.

The avefreec should be average free clusters instead
of average free blocks, otherwize Orlov's allocator
will not work properly when bigalloc enabled.

Cc: stable@kernel.org
Signed-off-by: Pan Dong <pandong.peter@bytedance.com>
Link: https://lore.kernel.org/r/20210525073656.31594-1-pandong.peter@bytedance.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ialloc.c |   11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -405,7 +405,7 @@ static void get_orlov_stats(struct super
  *
  * We always try to spread first-level directories.
  *
- * If there are blockgroups with both free inodes and free blocks counts
+ * If there are blockgroups with both free inodes and free clusters counts
  * not worse than average we return one with smallest directory count.
  * Otherwise we simply return a random group.
  *
@@ -414,7 +414,7 @@ static void get_orlov_stats(struct super
  * It's OK to put directory into a group unless
  * it has too many directories already (max_dirs) or
  * it has too few free inodes left (min_inodes) or
- * it has too few free blocks left (min_blocks) or
+ * it has too few free clusters left (min_clusters) or
  * Parent's group is preferred, if it doesn't satisfy these
  * conditions we search cyclically through the rest. If none
  * of the groups look good we just look for a group with more
@@ -430,7 +430,7 @@ static int find_group_orlov(struct super
 	ext4_group_t real_ngroups = ext4_get_groups_count(sb);
 	int inodes_per_group = EXT4_INODES_PER_GROUP(sb);
 	unsigned int freei, avefreei, grp_free;
-	ext4_fsblk_t freeb, avefreec;
+	ext4_fsblk_t freec, avefreec;
 	unsigned int ndirs;
 	int max_dirs, min_inodes;
 	ext4_grpblk_t min_clusters;
@@ -449,9 +449,8 @@ static int find_group_orlov(struct super
 
 	freei = percpu_counter_read_positive(&sbi->s_freeinodes_counter);
 	avefreei = freei / ngroups;
-	freeb = EXT4_C2B(sbi,
-		percpu_counter_read_positive(&sbi->s_freeclusters_counter));
-	avefreec = freeb;
+	freec = percpu_counter_read_positive(&sbi->s_freeclusters_counter);
+	avefreec = freec;
 	do_div(avefreec, ngroups);
 	ndirs = percpu_counter_read_positive(&sbi->s_dirs_counter);
 



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 016/188] SUNRPC: Fix the batch tasks count wraparound.
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2021-07-19 14:49 ` [PATCH 4.4 015/188] ext4: fix avefreec in find_group_orlov Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 017/188] SUNRPC: Should wake up the privileged task firstly Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu, Trond Myklebust

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit fcb170a9d825d7db4a3fb870b0300f5a40a8d096 upstream.

The 'queue->nr' will wraparound from 0 to 255 when only current
priority queue has tasks. This maybe lead a deadlock same as commit
dfe1fe75e00e ("NFSv4: Fix deadlock between nfs4_evict_inode()
and nfs4_opendata_get_inode()"):

Privileged delegreturn task is queued to privileged list because all
the slots are assigned. When non-privileged task complete and release
the slot, a non-privileged maybe picked out. It maybe allocate slot
failed when the session on draining.

If the 'queue->nr' has wraparound to 255, and no enough slot to
service it, then the privileged delegreturn will lost to wake up.

So we should avoid the wraparound on 'queue->nr'.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/sched.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -476,7 +476,8 @@ static struct rpc_task *__rpc_find_next_
 	 * Service a batch of tasks from a single owner.
 	 */
 	q = &queue->tasks[queue->priority];
-	if (!list_empty(q) && --queue->nr) {
+	if (!list_empty(q) && queue->nr) {
+		queue->nr--;
 		task = list_first_entry(q, struct rpc_task, u.tk_wait.list);
 		goto out;
 	}



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 017/188] SUNRPC: Should wake up the privileged task firstly.
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 016/188] SUNRPC: Fix the batch tasks count wraparound Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 018/188] s390/cio: dont call css_wait_for_slow_path() inside a lock Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhang Xiaoxu, Trond Myklebust

From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>

commit 5483b904bf336948826594610af4c9bbb0d9e3aa upstream.

When find a task from wait queue to wake up, a non-privileged task may
be found out, rather than the privileged. This maybe lead a deadlock
same as commit dfe1fe75e00e ("NFSv4: Fix deadlock between nfs4_evict_inode()
and nfs4_opendata_get_inode()"):

Privileged delegreturn task is queued to privileged list because all
the slots are assigned. If there has no enough slot to wake up the
non-privileged batch tasks(session less than 8 slot), then the privileged
delegreturn task maybe lost waked up because the found out task can't
get slot since the session is on draining.

So we should treate the privileged task as the emergency task, and
execute it as for as we can.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: 5fcdfacc01f3 ("NFSv4: Return delegations synchronously in evict_inode")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sunrpc/sched.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/net/sunrpc/sched.c
+++ b/net/sunrpc/sched.c
@@ -473,6 +473,15 @@ static struct rpc_task *__rpc_find_next_
 	struct rpc_task *task;
 
 	/*
+	 * Service the privileged queue.
+	 */
+	q = &queue->tasks[RPC_NR_PRIORITY - 1];
+	if (queue->maxpriority > RPC_PRIORITY_PRIVILEGED && !list_empty(q)) {
+		task = list_first_entry(q, struct rpc_task, u.tk_wait.list);
+		goto out;
+	}
+
+	/*
 	 * Service a batch of tasks from a single owner.
 	 */
 	q = &queue->tasks[queue->priority];



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 018/188] s390/cio: dont call css_wait_for_slow_path() inside a lock
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 017/188] SUNRPC: Should wake up the privileged task firstly Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 019/188] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Peter Oberparleiter, Vineeth Vijayan,
	Vasily Gorbik

From: Vineeth Vijayan <vneethv@linux.ibm.com>

commit c749d8c018daf5fba6dfac7b6c5c78b27efd7d65 upstream.

Currently css_wait_for_slow_path() gets called inside the chp->lock.
The path-verification-loop of slowpath inside this lock could lead to
deadlock as reported by the lockdep validator.

The ccw_device_get_chp_desc() during the instance of a device-set-online
would try to acquire the same 'chp->lock' to read the chp->desc.
The instance of this function can get called from multiple scenario,
like probing or setting-device online manually. This could, in some
corner-cases lead to the deadlock.

lockdep validator reported this as,

        CPU0                    CPU1
        ----                    ----
   lock(&chp->lock);
                                lock(kn->active#43);
                                lock(&chp->lock);
   lock((wq_completion)cio);

The chp->lock was introduced to serialize the access of struct
channel_path. This lock is not needed for the css_wait_for_slow_path()
function, so invoke the slow-path function outside this lock.

Fixes: b730f3a93395 ("[S390] cio: add lock to struct channel_path")
Cc: <stable@vger.kernel.org>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vineeth Vijayan <vneethv@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/s390/cio/chp.c  |    3 +++
 drivers/s390/cio/chsc.c |    2 --
 2 files changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/s390/cio/chp.c
+++ b/drivers/s390/cio/chp.c
@@ -257,6 +257,9 @@ static ssize_t chp_status_write(struct d
 	if (!num_args)
 		return count;
 
+	/* Wait until previous actions have settled. */
+	css_wait_for_slow_path();
+
 	if (!strncasecmp(cmd, "on", 2) || !strcmp(cmd, "1")) {
 		mutex_lock(&cp->lock);
 		error = s390_vary_chpid(cp->chpid, 1);
--- a/drivers/s390/cio/chsc.c
+++ b/drivers/s390/cio/chsc.c
@@ -769,8 +769,6 @@ int chsc_chp_vary(struct chp_id chpid, i
 {
 	struct channel_path *chp = chpid_to_chp(chpid);
 
-	/* Wait until previous actions have settled. */
-	css_wait_for_slow_path();
 	/*
 	 * Redo PathVerification on the devices the chpid connects to
 	 */



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 019/188] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 018/188] s390/cio: dont call css_wait_for_slow_path() inside a lock Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 020/188] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Marc Kleine-Budde <mkl@pengutronix.de>

commit 2ac0b029a04b673ce83b5089368f467c5dca720c upstream.

The regmap is configured for 8 bit registers, uses a RB-Tree cache and
marks several registers as volatile (i.e. do not cache).

The ALS and PS data registers in the chip are 16 bit wide and spans
two regmap registers. In the current driver only the base register is
marked as volatile, resulting in the upper register only read once.

Further the data sheet notes:

| When the I2C read operation starts, all four ALS data registers are
| locked until the I2C read operation of register 0x8B is completed.

Which results in the registers never update after the 2nd read.

This patch fixes the problem by marking the upper 8 bits of the ALS
and PS registers as volatile, too.

Fixes: 2f2c96338afc ("iio: ltr501: Add regmap support.")
Reported-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-2-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    6 ++++++
 1 file changed, 6 insertions(+)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -35,9 +35,12 @@
 #define LTR501_PART_ID 0x86
 #define LTR501_MANUFAC_ID 0x87
 #define LTR501_ALS_DATA1 0x88 /* 16-bit, little endian */
+#define LTR501_ALS_DATA1_UPPER 0x89 /* upper 8 bits of LTR501_ALS_DATA1 */
 #define LTR501_ALS_DATA0 0x8a /* 16-bit, little endian */
+#define LTR501_ALS_DATA0_UPPER 0x8b /* upper 8 bits of LTR501_ALS_DATA0 */
 #define LTR501_ALS_PS_STATUS 0x8c
 #define LTR501_PS_DATA 0x8d /* 16-bit, little endian */
+#define LTR501_PS_DATA_UPPER 0x8e /* upper 8 bits of LTR501_PS_DATA */
 #define LTR501_INTR 0x8f /* output mode, polarity, mode */
 #define LTR501_PS_THRESH_UP 0x90 /* 11 bit, ps upper threshold */
 #define LTR501_PS_THRESH_LOW 0x92 /* 11 bit, ps lower threshold */
@@ -1328,9 +1331,12 @@ static bool ltr501_is_volatile_reg(struc
 {
 	switch (reg) {
 	case LTR501_ALS_DATA1:
+	case LTR501_ALS_DATA1_UPPER:
 	case LTR501_ALS_DATA0:
+	case LTR501_ALS_DATA0_UPPER:
 	case LTR501_ALS_PS_STATUS:
 	case LTR501_PS_DATA:
+	case LTR501_PS_DATA_UPPER:
 		return true;
 	default:
 		return false;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 020/188] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 019/188] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 021/188] iio: ltr501: ltr501_read_ps(): add missing endianness conversion Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>

commit 421a26f3d7a7c3ca43f3a9dc0f3cb0f562d5bd95 upstream.

The ltr559 chip uses only the lowest bit of the ALS_CONTR register to
configure between active and stand-by mode. In the original driver
BIT(1) is used, which does a software reset instead.

This patch fixes the problem by using BIT(0) as als_mode_active for
the ltr559 chip.

Fixes: 8592a7eefa54 ("iio: ltr501: Add support for ltr559 chip")
Signed-off-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-3-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -1183,7 +1183,7 @@ static struct ltr501_chip_info ltr501_ch
 		.als_gain_tbl_size = ARRAY_SIZE(ltr559_als_gain_tbl),
 		.ps_gain = ltr559_ps_gain_tbl,
 		.ps_gain_tbl_size = ARRAY_SIZE(ltr559_ps_gain_tbl),
-		.als_mode_active = BIT(1),
+		.als_mode_active = BIT(0),
 		.als_gain_mask = BIT(2) | BIT(3) | BIT(4),
 		.als_gain_shift = 2,
 		.info = &ltr501_info,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 021/188] iio: ltr501: ltr501_read_ps(): add missing endianness conversion
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 020/188] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 022/188] serial_cs: Add Option International GSM-Ready 56K/ISDN modem Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Lang, Andy Shevchenko,
	Marc Kleine-Budde, Stable, Jonathan Cameron, Nikita Travkin

From: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>

commit 71b33f6f93ef9462c84560e2236ed22209d26a58 upstream.

The PS ADC Channel data is spread over 2 registers in little-endian
form. This patch adds the missing endianness conversion.

Fixes: 2690be905123 ("iio: Add Lite-On ltr501 ambient light / proximity sensor driver")
Signed-off-by: Oliver Lang <Oliver.Lang@gossenmetrawatt.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Tested-by: Nikita Travkin <nikita@trvn.ru> # ltr559
Link: https://lore.kernel.org/r/20210610134619.2101372-4-mkl@pengutronix.de
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/iio/light/ltr501.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/drivers/iio/light/ltr501.c
+++ b/drivers/iio/light/ltr501.c
@@ -411,18 +411,19 @@ static int ltr501_read_als(struct ltr501
 
 static int ltr501_read_ps(struct ltr501_data *data)
 {
-	int ret, status;
+	__le16 status;
+	int ret;
 
 	ret = ltr501_drdy(data, LTR501_STATUS_PS_RDY);
 	if (ret < 0)
 		return ret;
 
 	ret = regmap_bulk_read(data->regmap, LTR501_PS_DATA,
-			       &status, 2);
+			       &status, sizeof(status));
 	if (ret < 0)
 		return ret;
 
-	return status;
+	return le16_to_cpu(status);
 }
 
 static int ltr501_read_intr_prst(struct ltr501_data *data,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 022/188] serial_cs: Add Option International GSM-Ready 56K/ISDN modem
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 021/188] iio: ltr501: ltr501_read_ps(): add missing endianness conversion Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 023/188] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ondrej Zary

From: Ondrej Zary <linux@zary.sk>

commit d495dd743d5ecd47288156e25c4d9163294a0992 upstream.

Add support for Option International GSM-Ready 56K/ISDN PCMCIA modem
card.

Signed-off-by: Ondrej Zary <linux@zary.sk>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20210611201940.23898-2-linux@zary.sk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/tty/serial/8250/serial_cs.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/tty/serial/8250/serial_cs.c
+++ b/drivers/tty/serial/8250/serial_cs.c
@@ -771,6 +771,7 @@ static const struct pcmcia_device_id ser
 	PCMCIA_DEVICE_PROD_ID12("Multi-Tech", "MT2834LT", 0x5f73be51, 0x4cd7c09e),
 	PCMCIA_DEVICE_PROD_ID12("OEM      ", "C288MX     ", 0xb572d360, 0xd2385b7a),
 	PCMCIA_DEVICE_PROD_ID12("Option International", "V34bis GSM/PSTN Data/Fax Modem", 0x9d7cd6f5, 0x5cb8bf41),
+	PCMCIA_DEVICE_PROD_ID12("Option International", "GSM-Ready 56K/ISDN", 0x9d7cd6f5, 0xb23844aa),
 	PCMCIA_DEVICE_PROD_ID12("PCMCIA   ", "C336MX     ", 0x99bcafe9, 0xaa25bcab),
 	PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "PCMCIA Dual RS-232 Serial Port Card", 0xc4420b35, 0x92abc92f),
 	PCMCIA_DEVICE_PROD_ID12("Quatech Inc", "Dual RS-232 Serial Port PC Card", 0xc4420b35, 0x031a380d),



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 023/188] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 022/188] serial_cs: Add Option International GSM-Ready 56K/ISDN modem Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 024/188] ssb: sdio: Dont overwrite const buffer if block_write fails Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pali Rohár, Kalle Valo

From: Pali Rohár <pali@kernel.org>

commit fb312ac5ccb007e843f982b38d4d6886ba4b32f2 upstream.

I got this crash more times during debugging of PCIe controller and crash
happens somehow at the time when PCIe kernel code started link retraining (as
part of ASPM code) when at the same time PCIe link went down and ath9k probably
executed hw reset procedure.

Currently I'm not able to reproduce this issue as it looks like to be
some race condition between link training, ASPM, link down and reset
path. And as always, race conditions which depends on more input
parameters are hard to reproduce as it depends on precise timings.

But it is clear that pointers are zero in this case and should be
properly filled as same code pattern is used in ath9k_stop() function.
Anyway I was able to reproduce this crash by manually triggering ath
reset worker prior putting card up. I created simple patch to export
reset functionality via debugfs and use it to "simulate" of triggering
reset.    s proved that NULL-pointer dereference issue is there.

Function ath9k_hw_reset() is dereferencing chan structure pointer, so it
needs to be non-NULL pointer.

Function ath9k_stop() already contains code which sets ah->curchan to valid
non-NULL pointer prior calling ath9k_hw_reset() function.

Add same code pattern also into ath_reset_internal() function to prevent
kernel NULL pointer dereference in ath9k_hw_reset() function.

This change fixes kernel NULL pointer dereference in ath9k_hw_reset() which
is caused by calling ath9k_hw_reset() from ath_reset_internal() with NULL
chan structure.

    [   45.334305] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000008
    [   45.344417] Mem abort info:
    [   45.347301]   ESR = 0x96000005
    [   45.350448]   EC = 0x25: DABT (current EL), IL = 32 bits
    [   45.356166]   SET = 0, FnV = 0
    [   45.359350]   EA = 0, S1PTW = 0
    [   45.362596] Data abort info:
    [   45.365756]   ISV = 0, ISS = 0x00000005
    [   45.369735]   CM = 0, WnR = 0
    [   45.372814] user pgtable: 4k pages, 39-bit VAs, pgdp=000000000685d000
    [   45.379663] [0000000000000008] pgd=0000000000000000, p4d=0000000000000000, pud=0000000000000000
    [   45.388856] Internal error: Oops: 96000005 [#1] SMP
    [   45.393897] Modules linked in: ath9k ath9k_common ath9k_hw
    [   45.399574] CPU: 1 PID: 309 Comm: kworker/u4:2 Not tainted 5.12.0-rc2-dirty #785
    [   45.414746] Workqueue: phy0 ath_reset_work [ath9k]
    [   45.419713] pstate: 40000005 (nZcv daif -PAN -UAO -TCO BTYPE=--)
    [   45.425910] pc : ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw]
    [   45.431234] lr : ath9k_hw_reset+0xc0/0x1c48 [ath9k_hw]
    [   45.436548] sp : ffffffc0118dbca0
    [   45.439961] x29: ffffffc0118dbca0 x28: 0000000000000000
    [   45.445442] x27: ffffff800dee4080 x26: 0000000000000000
    [   45.450923] x25: ffffff800df9b9d8 x24: 0000000000000000
    [   45.456404] x23: ffffffc0115f6000 x22: ffffffc008d0d408
    [   45.461885] x21: ffffff800dee5080 x20: ffffff800df9b9d8
    [   45.467366] x19: 0000000000000000 x18: 0000000000000000
    [   45.472846] x17: 0000000000000000 x16: 0000000000000000
    [   45.478326] x15: 0000000000000010 x14: ffffffffffffffff
    [   45.483807] x13: ffffffc0918db94f x12: ffffffc011498720
    [   45.489289] x11: 0000000000000003 x10: ffffffc0114806e0
    [   45.494770] x9 : ffffffc01014b2ec x8 : 0000000000017fe8
    [   45.500251] x7 : c0000000ffffefff x6 : 0000000000000001
    [   45.505733] x5 : 0000000000000000 x4 : 0000000000000000
    [   45.511213] x3 : 0000000000000000 x2 : ffffff801fece870
    [   45.516693] x1 : ffffffc00eded000 x0 : 000000000000003f
    [   45.522174] Call trace:
    [   45.524695]  ath9k_hw_reset+0xc4/0x1c48 [ath9k_hw]
    [   45.529653]  ath_reset_internal+0x1a8/0x2b8 [ath9k]
    [   45.534696]  ath_reset_work+0x2c/0x40 [ath9k]
    [   45.539198]  process_one_work+0x210/0x480
    [   45.543339]  worker_thread+0x5c/0x510
    [   45.547115]  kthread+0x12c/0x130
    [   45.550445]  ret_from_fork+0x10/0x1c
    [   45.554138] Code: 910922c2 9117e021 95ff0398 b4000294 (b9400a61)
    [   45.560430] ---[ end trace 566410ba90b50e8b ]---
    [   45.565193] Kernel panic - not syncing: Oops: Fatal exception in interrupt
    [   45.572282] SMP: stopping secondary CPUs
    [   45.576331] Kernel Offset: disabled
    [   45.579924] CPU features: 0x00040002,0000200c
    [   45.584416] Memory Limit: none
    [   45.587564] Rebooting in 3 seconds..

Signed-off-by: Pali Rohár <pali@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210402122653.24014-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/net/wireless/ath/ath9k/main.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/net/wireless/ath/ath9k/main.c
+++ b/drivers/net/wireless/ath/ath9k/main.c
@@ -302,6 +302,11 @@ static int ath_reset_internal(struct ath
 		hchan = ah->curchan;
 	}
 
+	if (!hchan) {
+		fastcc = false;
+		hchan = ath9k_cmn_get_channel(sc->hw, ah, &sc->cur_chan->chandef);
+	}
+
 	if (!ath_prepare_reset(sc))
 		fastcc = false;
 



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 024/188] ssb: sdio: Dont overwrite const buffer if block_write fails
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 023/188] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 025/188] seq_buf: Make trace_seq_putmem_hex() support data longer than 8 Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Michael Büsch, Kalle Valo

From: Michael Buesch <m@bues.ch>

commit 47ec636f7a25aa2549e198c48ecb6b1c25d05456 upstream.

It doesn't make sense to clobber the const driver-side buffer, if a
write-to-device attempt failed. All other SSB variants (PCI, PCMCIA and SoC)
also don't corrupt the buffer on any failure in block_write.
Therefore, remove this memset from the SDIO variant.

Signed-off-by: Michael Büsch <m@bues.ch>
Cc: stable@vger.kernel.org
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210515210252.318be2ba@wiggum
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ssb/sdio.c |    1 -
 1 file changed, 1 deletion(-)

--- a/drivers/ssb/sdio.c
+++ b/drivers/ssb/sdio.c
@@ -411,7 +411,6 @@ static void ssb_sdio_block_write(struct
 	sdio_claim_host(bus->host_sdio);
 	if (unlikely(ssb_sdio_switch_core(bus, dev))) {
 		error = -EIO;
-		memset((void *)buffer, 0xff, count);
 		goto err_out;
 	}
 	offset |= bus->sdio_sbaddr & 0xffff;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 025/188] seq_buf: Make trace_seq_putmem_hex() support data longer than 8
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 024/188] ssb: sdio: Dont overwrite const buffer if block_write fails Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 026/188] fuse: check connected before queueing on fpq->io Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yun Zhou, Steven Rostedt (VMware)

From: Yun Zhou <yun.zhou@windriver.com>

commit 6a2cbc58d6c9d90cd74288cc497c2b45815bc064 upstream.

Since the raw memory 'data' does not go forward, it will dump repeated
data if the data length is more than 8. If we want to dump longer data
blocks, we need to repeatedly call macro SEQ_PUT_HEX_FIELD. I think it
is a bit redundant, and multiple function calls also affect the performance.

Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
Link: https://lkml.kernel.org/r/20210626032156.47889-2-yun.zhou@windriver.com

Cc: stable@vger.kernel.org
Fixes: 6d2289f3faa7 ("tracing: Make trace_seq_putmem_hex() more robust")
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 lib/seq_buf.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -241,12 +241,14 @@ int seq_buf_putmem_hex(struct seq_buf *s
 			break;
 
 		/* j increments twice per loop */
-		len -= j / 2;
 		hex[j++] = ' ';
 
 		seq_buf_putmem(s, hex, j);
 		if (seq_buf_has_overflowed(s))
 			return -1;
+
+		len -= start_len;
+		data += start_len;
 	}
 	return 0;
 }



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 026/188] fuse: check connected before queueing on fpq->io
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 025/188] seq_buf: Make trace_seq_putmem_hex() support data longer than 8 Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 027/188] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pradeep P V K, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 80ef08670d4c28a06a3de954bd350368780bcfef upstream.

A request could end up on the fpq->io list after fuse_abort_conn() has
reset fpq->connected and aborted requests on that list:

Thread-1			  Thread-2
========			  ========
->fuse_simple_request()           ->shutdown
  ->__fuse_request_send()
    ->queue_request()		->fuse_abort_conn()
->fuse_dev_do_read()                ->acquire(fpq->lock)
  ->wait_for(fpq->lock) 	  ->set err to all req's in fpq->io
				  ->release(fpq->lock)
  ->acquire(fpq->lock)
  ->add req to fpq->io

After the userspace copy is done the request will be ended, but
req->out.h.error will remain uninitialized.  Also the copy might block
despite being already aborted.

Fix both issues by not allowing the request to be queued on the fpq->io
list after fuse_abort_conn() has processed this list.

Reported-by: Pradeep P V K <pragalla@codeaurora.org>
Fixes: fd22d62ed0c3 ("fuse: no fc->lock for iqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1315,6 +1315,15 @@ static ssize_t fuse_dev_do_read(struct f
 		goto restart;
 	}
 	spin_lock(&fpq->lock);
+	/*
+	 *  Must not put request on fpq->io queue after having been shut down by
+	 *  fuse_abort_conn()
+	 */
+	if (!fpq->connected) {
+		req->out.h.error = err = -ECONNABORTED;
+		goto out_end;
+
+	}
 	list_add(&req->list, &fpq->io);
 	spin_unlock(&fpq->lock);
 	cs->req = req;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 027/188] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 026/188] fuse: check connected before queueing on fpq->io Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 028/188] spi: omap-100k: Fix the length judgment problem Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jay Fang, Mark Brown, Sasha Levin

From: Jay Fang <f.fangjian@huawei.com>

[ Upstream commit 026a1dc1af52742c5897e64a3431445371a71871 ]

pch_spi_set_tx() frees data->pkt_tx_buff on failure of kzalloc() for
data->pkt_rx_buff, but its caller, pch_spi_process_messages(), will
free data->pkt_tx_buff again. Set data->pkt_tx_buff to NULL after
kfree() to avoid double free.

Signed-off-by: Jay Fang <f.fangjian@huawei.com>
Link: https://lore.kernel.org/r/1620284888-65215-1-git-send-email-f.fangjian@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-topcliff-pch.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-topcliff-pch.c b/drivers/spi/spi-topcliff-pch.c
index 9f30a4ab2004..66c170e799fc 100644
--- a/drivers/spi/spi-topcliff-pch.c
+++ b/drivers/spi/spi-topcliff-pch.c
@@ -589,8 +589,10 @@ static void pch_spi_set_tx(struct pch_spi_data *data, int *bpw)
 	data->pkt_tx_buff = kzalloc(size, GFP_KERNEL);
 	if (data->pkt_tx_buff != NULL) {
 		data->pkt_rx_buff = kzalloc(size, GFP_KERNEL);
-		if (!data->pkt_rx_buff)
+		if (!data->pkt_rx_buff) {
 			kfree(data->pkt_tx_buff);
+			data->pkt_tx_buff = NULL;
+		}
 	}
 
 	if (!data->pkt_rx_buff) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 028/188] spi: omap-100k: Fix the length judgment problem
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 027/188] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 029/188] crypto: nx - add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tian Tao, Mark Brown, Sasha Levin

From: Tian Tao <tiantao6@hisilicon.com>

[ Upstream commit e7a1a3abea373e41ba7dfe0fbc93cb79b6a3a529 ]

word_len should be checked in the omap1_spi100k_setup_transfer
function to see if it exceeds 32.

Signed-off-by: Tian Tao <tiantao6@hisilicon.com>
Link: https://lore.kernel.org/r/1619695248-39045-1-git-send-email-tiantao6@hisilicon.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-omap-100k.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/spi/spi-omap-100k.c b/drivers/spi/spi-omap-100k.c
index 1eccdc4a4581..2eeb0fe2eed2 100644
--- a/drivers/spi/spi-omap-100k.c
+++ b/drivers/spi/spi-omap-100k.c
@@ -251,7 +251,7 @@ static int omap1_spi100k_setup_transfer(struct spi_device *spi,
 	else
 		word_len = spi->bits_per_word;
 
-	if (spi->bits_per_word > 32)
+	if (word_len > 32)
 		return -EINVAL;
 	cs->word_len = word_len;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 029/188] crypto: nx - add missing MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 028/188] spi: omap-100k: Fix the length judgment problem Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 030/188] media: cpia2: fix memory leak in cpia2_usb_probe Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Bixuan Cui, Herbert Xu,
	Sasha Levin

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit 06676aa1f455c74e3ad1624cea3acb9ed2ef71ae ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/nx/nx-842-pseries.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
index cddc6d8b55d9..2e5b4004f0ee 100644
--- a/drivers/crypto/nx/nx-842-pseries.c
+++ b/drivers/crypto/nx/nx-842-pseries.c
@@ -1086,6 +1086,7 @@ static struct vio_device_id nx842_vio_driver_ids[] = {
 	{"ibm,compression-v1", "ibm,compression"},
 	{"", ""},
 };
+MODULE_DEVICE_TABLE(vio, nx842_vio_driver_ids);
 
 static struct vio_driver nx842_vio_driver = {
 	.name = KBUILD_MODNAME,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 030/188] media: cpia2: fix memory leak in cpia2_usb_probe
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 029/188] crypto: nx - add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 031/188] media: pvrusb2: fix warning in pvr2_i2c_core_done Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+d1e69c888f0d3866ead4,
	Pavel Skripkin, Hans Verkuil, Mauro Carvalho Chehab, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit be8656e62e9e791837b606a027802b504a945c97 ]

syzbot reported leak in cpia2 usb driver. The problem was
in invalid error handling.

v4l2_device_register() is called in cpia2_init_camera_struct(), but
all error cases after cpia2_init_camera_struct() did not call the
v4l2_device_unregister()

Reported-by: syzbot+d1e69c888f0d3866ead4@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/cpia2/cpia2.h      |  1 +
 drivers/media/usb/cpia2/cpia2_core.c | 12 ++++++++++++
 drivers/media/usb/cpia2/cpia2_usb.c  | 13 +++++++------
 3 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/drivers/media/usb/cpia2/cpia2.h b/drivers/media/usb/cpia2/cpia2.h
index cdef677d57ec..80a7af6482ae 100644
--- a/drivers/media/usb/cpia2/cpia2.h
+++ b/drivers/media/usb/cpia2/cpia2.h
@@ -442,6 +442,7 @@ int cpia2_send_command(struct camera_data *cam, struct cpia2_command *cmd);
 int cpia2_do_command(struct camera_data *cam,
 		     unsigned int command,
 		     unsigned char direction, unsigned char param);
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf);
 struct camera_data *cpia2_init_camera_struct(struct usb_interface *intf);
 int cpia2_init_camera(struct camera_data *cam);
 int cpia2_allocate_buffers(struct camera_data *cam);
diff --git a/drivers/media/usb/cpia2/cpia2_core.c b/drivers/media/usb/cpia2/cpia2_core.c
index 187012ce444b..35c9e00267d5 100644
--- a/drivers/media/usb/cpia2/cpia2_core.c
+++ b/drivers/media/usb/cpia2/cpia2_core.c
@@ -2158,6 +2158,18 @@ static void reset_camera_struct(struct camera_data *cam)
 	cam->height = cam->params.roi.height;
 }
 
+/******************************************************************************
+ *
+ *  cpia2_init_camera_struct
+ *
+ *  Deinitialize camera struct
+ *****************************************************************************/
+void cpia2_deinit_camera_struct(struct camera_data *cam, struct usb_interface *intf)
+{
+	v4l2_device_unregister(&cam->v4l2_dev);
+	kfree(cam);
+}
+
 /******************************************************************************
  *
  *  cpia2_init_camera_struct
diff --git a/drivers/media/usb/cpia2/cpia2_usb.c b/drivers/media/usb/cpia2/cpia2_usb.c
index 76b9cb940b87..7bd50feadfe4 100644
--- a/drivers/media/usb/cpia2/cpia2_usb.c
+++ b/drivers/media/usb/cpia2/cpia2_usb.c
@@ -835,15 +835,13 @@ static int cpia2_usb_probe(struct usb_interface *intf,
 	ret = set_alternate(cam, USBIF_CMDONLY);
 	if (ret < 0) {
 		ERR("%s: usb_set_interface error (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 
 	if((ret = cpia2_init_camera(cam)) < 0) {
 		ERR("%s: failed to initialize cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 	LOG("  CPiA Version: %d.%02d (%d.%d)\n",
 	       cam->params.version.firmware_revision_hi,
@@ -863,11 +861,14 @@ static int cpia2_usb_probe(struct usb_interface *intf,
 	ret = cpia2_register_camera(cam);
 	if (ret < 0) {
 		ERR("%s: Failed to register cpia2 camera (ret = %d)\n", __func__, ret);
-		kfree(cam);
-		return ret;
+		goto alt_err;
 	}
 
 	return 0;
+
+alt_err:
+	cpia2_deinit_camera_struct(cam, intf);
+	return ret;
 }
 
 /******************************************************************************
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 031/188] media: pvrusb2: fix warning in pvr2_i2c_core_done
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 030/188] media: cpia2: fix memory leak in cpia2_usb_probe Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 032/188] crypto: qat - check return code of qat_hal_rd_rel_reg() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+e74a998ca8f1df9cc332,
	Anirudh Rayabharam, Hans Verkuil, Mauro Carvalho Chehab,
	Sasha Levin

From: Anirudh Rayabharam <mail@anirudhrb.com>

[ Upstream commit f8194e5e63fdcb349e8da9eef9e574d5b1d687cb ]

syzbot has reported the following warning in pvr2_i2c_done:

	sysfs group 'power' not found for kobject '1-0043'

When the device is disconnected (pvr_hdw_disconnect), the i2c adapter is
not unregistered along with the USB and v4l2 teardown. As part of the USB
device disconnect, the sysfs files of the subdevices are also deleted.
So, by the time pvr_i2c_core_done is called by pvr_context_destroy, the
sysfs files have been deleted.

To fix this, unregister the i2c adapter too in pvr_hdw_disconnect. Make
the device deregistration code shared by calling pvr_hdw_disconnect from
pvr2_hdw_destroy.

Reported-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
Tested-by: syzbot+e74a998ca8f1df9cc332@syzkaller.appspotmail.com
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Anirudh Rayabharam <mail@anirudhrb.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/usb/pvrusb2/pvrusb2-hdw.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
index 232b0fd3e478..ba3b0141538d 100644
--- a/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
+++ b/drivers/media/usb/pvrusb2/pvrusb2-hdw.c
@@ -2731,9 +2731,8 @@ void pvr2_hdw_destroy(struct pvr2_hdw *hdw)
 		pvr2_stream_destroy(hdw->vid_stream);
 		hdw->vid_stream = NULL;
 	}
-	pvr2_i2c_core_done(hdw);
 	v4l2_device_unregister(&hdw->v4l2_dev);
-	pvr2_hdw_remove_usb_stuff(hdw);
+	pvr2_hdw_disconnect(hdw);
 	mutex_lock(&pvr2_unit_mtx);
 	do {
 		if ((hdw->unit_number >= 0) &&
@@ -2760,6 +2759,7 @@ void pvr2_hdw_disconnect(struct pvr2_hdw *hdw)
 {
 	pvr2_trace(PVR2_TRACE_INIT,"pvr2_hdw_disconnect(hdw=%p)",hdw);
 	LOCK_TAKE(hdw->big_lock);
+	pvr2_i2c_core_done(hdw);
 	LOCK_TAKE(hdw->ctl_lock);
 	pvr2_hdw_remove_usb_stuff(hdw);
 	LOCK_GIVE(hdw->ctl_lock);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 032/188] crypto: qat - check return code of qat_hal_rd_rel_reg()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 031/188] media: pvrusb2: fix warning in pvr2_i2c_core_done Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 033/188] crypto: qat - remove unused macro in FW loader Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Xu, Zhehui Xiang,
	Giovanni Cabiddu, Herbert Xu, Sasha Levin

From: Jack Xu <jack.xu@intel.com>

[ Upstream commit 96b57229209490c8bca4335b01a426a96173dc56 ]

Check the return code of the function qat_hal_rd_rel_reg() and return it
to the caller.

This is to fix the following warning when compiling the driver with
clang scan-build:

    drivers/crypto/qat/qat_common/qat_hal.c:1436:2: warning: 6th function call argument is an uninitialized value

Signed-off-by: Jack Xu <jack.xu@intel.com>
Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/qat/qat_common/qat_hal.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/crypto/qat/qat_common/qat_hal.c b/drivers/crypto/qat/qat_common/qat_hal.c
index 380e761801a7..5e5003379281 100644
--- a/drivers/crypto/qat/qat_common/qat_hal.c
+++ b/drivers/crypto/qat/qat_common/qat_hal.c
@@ -1210,7 +1210,11 @@ static int qat_hal_put_rel_wr_xfer(struct icp_qat_fw_loader_handle *handle,
 		pr_err("QAT: bad xfrAddr=0x%x\n", xfr_addr);
 		return -EINVAL;
 	}
-	qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
+	status = qat_hal_rd_rel_reg(handle, ae, ctx, ICP_GPB_REL, gprnum, &gprval);
+	if (status) {
+		pr_err("QAT: failed to read register");
+		return status;
+	}
 	gpr_addr = qat_hal_get_reg_addr(ICP_GPB_REL, gprnum);
 	data16low = 0xffff & data;
 	data16hi = 0xffff & (data >> 0x10);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 033/188] crypto: qat - remove unused macro in FW loader
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 032/188] crypto: qat - check return code of qat_hal_rd_rel_reg() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 034/188] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jack Xu, Zhehui Xiang,
	Giovanni Cabiddu, Herbert Xu, Sasha Levin

From: Jack Xu <jack.xu@intel.com>

[ Upstream commit 9afe77cf25d9670e61b489fd52cc6f75fd7f6803 ]

Remove the unused macro ICP_DH895XCC_PESRAM_BAR_SIZE in the firmware
loader.

This is to fix the following warning when compiling the driver using the
clang compiler with CC=clang W=2:

    drivers/crypto/qat/qat_common/qat_uclo.c:345:9: warning: macro is not used [-Wunused-macros]

Signed-off-by: Jack Xu <jack.xu@intel.com>
Co-developed-by: Zhehui Xiang <zhehui.xiang@intel.com>
Signed-off-by: Zhehui Xiang <zhehui.xiang@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/qat/qat_common/qat_uclo.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/crypto/qat/qat_common/qat_uclo.c b/drivers/crypto/qat/qat_common/qat_uclo.c
index 923bb1988973..28e642959a9a 100644
--- a/drivers/crypto/qat/qat_common/qat_uclo.c
+++ b/drivers/crypto/qat/qat_common/qat_uclo.c
@@ -360,7 +360,6 @@ static int qat_uclo_init_umem_seg(struct icp_qat_fw_loader_handle *handle,
 	return 0;
 }
 
-#define ICP_DH895XCC_PESRAM_BAR_SIZE 0x80000
 static int qat_uclo_init_ae_memory(struct icp_qat_fw_loader_handle *handle,
 				   struct icp_qat_uof_initmem *init_mem)
 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 034/188] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 033/188] crypto: qat - remove unused macro in FW loader Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 035/188] media: bt8xx: Fix a missing check bug in bt878_probe Greg Kroah-Hartman
                   ` (158 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lv Yunlong, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

[ Upstream commit 7dd0c9e547b6924e18712b6b51aa3cba1896ee2c ]

A use after free bug caused by the dangling pointer
filp->privitate_data in v4l2_fh_release.
See https://lore.kernel.org/patchwork/patch/1419058/.

My patch sets the dangling pointer to NULL to provide
robust.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/v4l2-core/v4l2-fh.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/v4l2-core/v4l2-fh.c b/drivers/media/v4l2-core/v4l2-fh.c
index 1d076deb05a9..ce844ecc3340 100644
--- a/drivers/media/v4l2-core/v4l2-fh.c
+++ b/drivers/media/v4l2-core/v4l2-fh.c
@@ -107,6 +107,7 @@ int v4l2_fh_release(struct file *filp)
 		v4l2_fh_del(fh);
 		v4l2_fh_exit(fh);
 		kfree(fh);
+		filp->private_data = NULL;
 	}
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 035/188] media: bt8xx: Fix a missing check bug in bt878_probe
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 034/188] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 036/188] mmc: via-sdmmc: add a check against NULL pointer dereference Greg Kroah-Hartman
                   ` (157 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 1a4520090681853e6b850cbe54b27247a013e0e5 ]

In 'bt878_irq', the driver calls 'tasklet_schedule', but this tasklet is
set in 'dvb_bt8xx_load_card' of another driver 'dvb-bt8xx'.
However, this two drivers are separate. The user may not load the
'dvb-bt8xx' driver when loading the 'bt8xx' driver, that is, the tasklet
has not been initialized when 'tasklet_schedule' is called, so it is
necessary to check whether the tasklet is initialized in 'bt878_probe'.

Fix this by adding a check at the end of bt878_probe.

The KASAN's report reveals it:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
PGD 800000006aab2067 P4D 800000006aab2067 PUD 6b2ea067 PMD 0
Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 2 PID: 8724 Comm: syz-executor.0 Not tainted 4.19.177-
gdba4159c14ef-dirty #40
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-
gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:          (null)
Code: Bad RIP value.
RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 tasklet_action_common.isra.17+0x141/0x420 kernel/softirq.c:522
 tasklet_action+0x50/0x70 kernel/softirq.c:540
 __do_softirq+0x224/0x92c kernel/softirq.c:292
 invoke_softirq kernel/softirq.c:372 [inline]
 irq_exit+0x15a/0x180 kernel/softirq.c:412
 exiting_irq arch/x86/include/asm/apic.h:535 [inline]
 do_IRQ+0x123/0x1e0 arch/x86/kernel/irq.c:260
 common_interrupt+0xf/0xf arch/x86/entry/entry_64.S:670
 </IRQ>
RIP: 0010:__do_sys_interrupt kernel/sys.c:2593 [inline]
RIP: 0010:__se_sys_interrupt kernel/sys.c:2584 [inline]
RIP: 0010:__x64_sys_interrupt+0x5b/0x80 kernel/sys.c:2584
Code: ba 00 04 00 00 48 c7 c7 c0 99 31 8c e8 ae 76 5e 01 48 85 c0 75 21 e8
14 ae 24 00 48 c7 c3 c0 99 31 8c b8 0c 00 00 00 0f 01 c1 <31> db e8 fe ad
24 00 48 89 d8 5b 5d c3 48 c7 c3 ea ff ff ff eb ec
RSP: 0018:ffff888054167f10 EFLAGS: 00000212 ORIG_RAX: ffffffffffffffde
RAX: 000000000000000c RBX: ffffffff8c3199c0 RCX: ffffc90001ca6000
RDX: 000000000000001a RSI: ffffffff813478fc RDI: ffffffff8c319dc0
RBP: ffff888054167f18 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000080 R11: fffffbfff18633b7 R12: ffff888054167f58
R13: ffff88805f638000 R14: 0000000000000000 R15: 0000000000000000
 do_syscall_64+0xb0/0x4e0 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4692a9
Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f6b550e5c48 EFLAGS: 00000246 ORIG_RAX: 000000000000014f
RAX: ffffffffffffffda RBX: 000000000077bf60 RCX: 00000000004692a9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
RBP: 00000000004cf7eb R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000077bf60
R13: 0000000000000000 R14: 000000000077bf60 R15: 00007fff55a1dca0
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 68e5849c3f77cbb6 ]---
RIP: 0010:          (null)
Code: Bad RIP value.
RSP: 0018:ffff88806c287ea0 EFLAGS: 00010246
RAX: fffffbfff1b01774 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 1ffffffff1b01775 RDI: 0000000000000000
RBP: ffff88806c287f00 R08: fffffbfff1b01774 R09: fffffbfff1b01774
R10: 0000000000000001 R11: fffffbfff1b01773 R12: 0000000000000000
R13: ffff88806c29f530 R14: ffffffff8d80bb88 R15: ffffffff8d80bb90
FS:  00007f6b550e6700(0000) GS:ffff88806c280000(0000) knlGS:
0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000005ec98000 CR4: 00000000000006e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Reported-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/bt8xx/bt878.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/pci/bt8xx/bt878.c b/drivers/media/pci/bt8xx/bt878.c
index 90fcccc05b56..c678d7120727 100644
--- a/drivers/media/pci/bt8xx/bt878.c
+++ b/drivers/media/pci/bt8xx/bt878.c
@@ -494,6 +494,9 @@ static int bt878_probe(struct pci_dev *dev, const struct pci_device_id *pci_id)
 	btwrite(0, BT878_AINT_MASK);
 	bt878_num++;
 
+	if (!bt->tasklet.func)
+		tasklet_disable(&bt->tasklet);
+
 	return 0;
 
       fail2:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 036/188] mmc: via-sdmmc: add a check against NULL pointer dereference
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 035/188] media: bt8xx: Fix a missing check bug in bt878_probe Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 037/188] crypto: shash - avoid comparing pointers to exported functions under CFI Greg Kroah-Hartman
                   ` (156 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, Ulf Hansson, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 45c8ddd06c4b729c56a6083ab311bfbd9643f4a6 ]

Before referencing 'host->data', the driver needs to check whether it is
null pointer, otherwise it will cause a null pointer reference.

This log reveals it:

[   29.355199] BUG: kernel NULL pointer dereference, address:
0000000000000014
[   29.357323] #PF: supervisor write access in kernel mode
[   29.357706] #PF: error_code(0x0002) - not-present page
[   29.358088] PGD 0 P4D 0
[   29.358280] Oops: 0002 [#1] PREEMPT SMP PTI
[   29.358595] CPU: 2 PID: 0 Comm: swapper/2 Not tainted 5.12.4-
g70e7f0549188-dirty #102
[   29.359164] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[   29.359978] RIP: 0010:via_sdc_isr+0x21f/0x410
[   29.360314] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
[   29.361661] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
[   29.362042] RAX: 0000000000000000 RBX: ffff888107d77880
RCX: 0000000000000000
[   29.362564] RDX: 0000000000000000 RSI: ffffffff835d20bb
RDI: 00000000ffffffff
[   29.363085] RBP: ffffc90000118ed8 R08: 0000000000000001
R09: 0000000000000001
[   29.363604] R10: 0000000000000000 R11: 0000000000000001
R12: 0000000000008600
[   29.364128] R13: ffff888107d779c8 R14: ffffc90009c00200
R15: 0000000000008000
[   29.364651] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
knlGS:0000000000000000
[   29.365235] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.365655] CR2: 0000000000000014 CR3: 0000000005a2e000
CR4: 00000000000006e0
[   29.366170] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[   29.366683] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[   29.367197] Call Trace:
[   29.367381]  <IRQ>
[   29.367537]  __handle_irq_event_percpu+0x53/0x3e0
[   29.367916]  handle_irq_event_percpu+0x35/0x90
[   29.368247]  handle_irq_event+0x39/0x60
[   29.368632]  handle_fasteoi_irq+0xc2/0x1d0
[   29.368950]  __common_interrupt+0x7f/0x150
[   29.369254]  common_interrupt+0xb4/0xd0
[   29.369547]  </IRQ>
[   29.369708]  asm_common_interrupt+0x1e/0x40
[   29.370016] RIP: 0010:native_safe_halt+0x17/0x20
[   29.370360] Code: 07 0f 00 2d db 80 43 00 f4 5d c3 0f 1f 84 00 00 00
00 00 8b 05 c2 37 e5 01 55 48 89 e5 85 c0 7e 07 0f 00 2d bb 80 43 00 fb
f4 <5d> c3 cc cc cc cc cc cc cc 55 48 89 e5 e8 67 53 ff ff 8b 0d f9 91
[   29.371696] RSP: 0018:ffffc9000008fe90 EFLAGS: 00000246
[   29.372079] RAX: 0000000000000000 RBX: 0000000000000002
RCX: 0000000000000000
[   29.372595] RDX: 0000000000000000 RSI: ffffffff854f67a4
RDI: ffffffff85403406
[   29.373122] RBP: ffffc9000008fe90 R08: 0000000000000001
R09: 0000000000000001
[   29.373646] R10: 0000000000000000 R11: 0000000000000001
R12: ffffffff86009188
[   29.374160] R13: 0000000000000000 R14: 0000000000000000
R15: ffff888100258000
[   29.374690]  default_idle+0x9/0x10
[   29.374944]  arch_cpu_idle+0xa/0x10
[   29.375198]  default_idle_call+0x6e/0x250
[   29.375491]  do_idle+0x1f0/0x2d0
[   29.375740]  cpu_startup_entry+0x18/0x20
[   29.376034]  start_secondary+0x11f/0x160
[   29.376328]  secondary_startup_64_no_verify+0xb0/0xbb
[   29.376705] Modules linked in:
[   29.376939] Dumping ftrace buffer:
[   29.377187]    (ftrace buffer empty)
[   29.377460] CR2: 0000000000000014
[   29.377712] ---[ end trace 51a473dffb618c47 ]---
[   29.378056] RIP: 0010:via_sdc_isr+0x21f/0x410
[   29.378380] Code: ff ff e8 84 aa d0 fd 66 45 89 7e 28 66 41 f7 c4 00
10 75 56 e8 72 aa d0 fd 66 41 f7 c4 00 c0 74 10 e8 65 aa d0 fd 48 8b 43
18 <c7> 40 14 ac ff ff ff e8 55 aa d0 fd 48 89 df e8 ad fb ff ff e9 77
[   29.379714] RSP: 0018:ffffc90000118e98 EFLAGS: 00010046
[   29.380098] RAX: 0000000000000000 RBX: ffff888107d77880
RCX: 0000000000000000
[   29.380614] RDX: 0000000000000000 RSI: ffffffff835d20bb
RDI: 00000000ffffffff
[   29.381134] RBP: ffffc90000118ed8 R08: 0000000000000001
R09: 0000000000000001
[   29.381653] R10: 0000000000000000 R11: 0000000000000001
R12: 0000000000008600
[   29.382176] R13: ffff888107d779c8 R14: ffffc90009c00200
R15: 0000000000008000
[   29.382697] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000)
knlGS:0000000000000000
[   29.383277] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   29.383697] CR2: 0000000000000014 CR3: 0000000005a2e000
CR4: 00000000000006e0
[   29.384223] DR0: 0000000000000000 DR1: 0000000000000000
DR2: 0000000000000000
[   29.384736] DR3: 0000000000000000 DR6: 00000000fffe0ff0
DR7: 0000000000000400
[   29.385260] Kernel panic - not syncing: Fatal exception in interrupt
[   29.385882] Dumping ftrace buffer:
[   29.386135]    (ftrace buffer empty)
[   29.386401] Kernel Offset: disabled
[   29.386656] Rebooting in 1 seconds..

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Link: https://lore.kernel.org/r/1622727200-15808-1-git-send-email-zheyuma97@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/via-sdmmc.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/mmc/host/via-sdmmc.c b/drivers/mmc/host/via-sdmmc.c
index b455e9cf95af..a3472127bea3 100644
--- a/drivers/mmc/host/via-sdmmc.c
+++ b/drivers/mmc/host/via-sdmmc.c
@@ -859,6 +859,9 @@ static void via_sdc_data_isr(struct via_crdr_mmc_host *host, u16 intmask)
 {
 	BUG_ON(intmask == 0);
 
+	if (!host->data)
+		return;
+
 	if (intmask & VIA_CRDR_SDSTS_DT)
 		host->data->error = -ETIMEDOUT;
 	else if (intmask & (VIA_CRDR_SDSTS_RC | VIA_CRDR_SDSTS_WC))
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 037/188] crypto: shash - avoid comparing pointers to exported functions under CFI
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 036/188] mmc: via-sdmmc: add a check against NULL pointer dereference Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 038/188] media: dvb_net: avoid speculation from net slot Greg Kroah-Hartman
                   ` (155 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sami Tolvanen, Eric Biggers,
	Ard Biesheuvel, Eric Biggers, Herbert Xu, Sasha Levin

From: Ard Biesheuvel <ardb@kernel.org>

[ Upstream commit 22ca9f4aaf431a9413dcc115dd590123307f274f ]

crypto_shash_alg_has_setkey() is implemented by testing whether the
.setkey() member of a struct shash_alg points to the default version,
called shash_no_setkey(). As crypto_shash_alg_has_setkey() is a static
inline, this requires shash_no_setkey() to be exported to modules.

Unfortunately, when building with CFI, function pointers are routed
via CFI stubs which are private to each module (or to the kernel proper)
and so this function pointer comparison may fail spuriously.

Let's fix this by turning crypto_shash_alg_has_setkey() into an out of
line function.

Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Sami Tolvanen <samitolvanen@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 crypto/shash.c                 | 18 +++++++++++++++---
 include/crypto/internal/hash.h |  8 +-------
 2 files changed, 16 insertions(+), 10 deletions(-)

diff --git a/crypto/shash.c b/crypto/shash.c
index 4f89f78031e2..8f162476d214 100644
--- a/crypto/shash.c
+++ b/crypto/shash.c
@@ -24,12 +24,24 @@
 
 static const struct crypto_type crypto_shash_type;
 
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-		    unsigned int keylen)
+static int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
+			   unsigned int keylen)
 {
 	return -ENOSYS;
 }
-EXPORT_SYMBOL_GPL(shash_no_setkey);
+
+/*
+ * Check whether an shash algorithm has a setkey function.
+ *
+ * For CFI compatibility, this must not be an inline function.  This is because
+ * when CFI is enabled, modules won't get the same address for shash_no_setkey
+ * (if it were exported, which inlining would require) as the core kernel will.
+ */
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
+{
+	return alg->setkey != shash_no_setkey;
+}
+EXPORT_SYMBOL_GPL(crypto_shash_alg_has_setkey);
 
 static int shash_setkey_unaligned(struct crypto_shash *tfm, const u8 *key,
 				  unsigned int keylen)
diff --git a/include/crypto/internal/hash.h b/include/crypto/internal/hash.h
index dab9569f22bf..e51741670a60 100644
--- a/include/crypto/internal/hash.h
+++ b/include/crypto/internal/hash.h
@@ -83,13 +83,7 @@ int ahash_register_instance(struct crypto_template *tmpl,
 			    struct ahash_instance *inst);
 void ahash_free_instance(struct crypto_instance *inst);
 
-int shash_no_setkey(struct crypto_shash *tfm, const u8 *key,
-		    unsigned int keylen);
-
-static inline bool crypto_shash_alg_has_setkey(struct shash_alg *alg)
-{
-	return alg->setkey != shash_no_setkey;
-}
+bool crypto_shash_alg_has_setkey(struct shash_alg *alg);
 
 bool crypto_hash_alg_has_setkey(struct hash_alg_common *halg);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 038/188] media: dvb_net: avoid speculation from net slot
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 037/188] crypto: shash - avoid comparing pointers to exported functions under CFI Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 039/188] btrfs: disable build on platforms having page size 256K Greg Kroah-Hartman
                   ` (154 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mauro Carvalho Chehab, Sasha Levin

From: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>

[ Upstream commit abc0226df64dc137b48b911c1fe4319aec5891bb ]

The risk of especulation is actually almost-non-existing here,
as there are very few users of TCP/IP using the DVB stack,
as, this is mainly used with DVB-S/S2 cards, and only by people
that receives TCP/IP from satellite connections, which limits
a lot the number of users of such feature(*).

(*) In thesis, DVB-C cards could also benefit from it, but I'm
yet to see a hardware that supports it.

Yet, fixing it is trivial.

Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/dvb-core/dvb_net.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

diff --git a/drivers/media/dvb-core/dvb_net.c b/drivers/media/dvb-core/dvb_net.c
index ce4332e80a91..735baa74043c 100644
--- a/drivers/media/dvb-core/dvb_net.c
+++ b/drivers/media/dvb-core/dvb_net.c
@@ -57,6 +57,7 @@
 #include <linux/module.h>
 #include <linux/kernel.h>
 #include <linux/netdevice.h>
+#include <linux/nospec.h>
 #include <linux/etherdevice.h>
 #include <linux/dvb/net.h>
 #include <linux/uio.h>
@@ -1350,14 +1351,20 @@ static int dvb_net_do_ioctl(struct file *file,
 		struct net_device *netdev;
 		struct dvb_net_priv *priv_data;
 		struct dvb_net_if *dvbnetif = parg;
+		int if_num = dvbnetif->if_num;
 
-		if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
-		    !dvbnet->state[dvbnetif->if_num]) {
+		if (if_num >= DVB_NET_DEVICES_MAX) {
 			ret = -EINVAL;
 			goto ioctl_error;
 		}
+		if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
 
-		netdev = dvbnet->device[dvbnetif->if_num];
+		if (!dvbnet->state[if_num]) {
+			ret = -EINVAL;
+			goto ioctl_error;
+		}
+
+		netdev = dvbnet->device[if_num];
 
 		priv_data = netdev_priv(netdev);
 		dvbnetif->pid=priv_data->pid;
@@ -1410,14 +1417,20 @@ static int dvb_net_do_ioctl(struct file *file,
 		struct net_device *netdev;
 		struct dvb_net_priv *priv_data;
 		struct __dvb_net_if_old *dvbnetif = parg;
+		int if_num = dvbnetif->if_num;
+
+		if (if_num >= DVB_NET_DEVICES_MAX) {
+			ret = -EINVAL;
+			goto ioctl_error;
+		}
+		if_num = array_index_nospec(if_num, DVB_NET_DEVICES_MAX);
 
-		if (dvbnetif->if_num >= DVB_NET_DEVICES_MAX ||
-		    !dvbnet->state[dvbnetif->if_num]) {
+		if (!dvbnet->state[if_num]) {
 			ret = -EINVAL;
 			goto ioctl_error;
 		}
 
-		netdev = dvbnet->device[dvbnetif->if_num];
+		netdev = dvbnet->device[if_num];
 
 		priv_data = netdev_priv(netdev);
 		dvbnetif->pid=priv_data->pid;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 039/188] btrfs: disable build on platforms having page size 256K
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 038/188] media: dvb_net: avoid speculation from net slot Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 040/188] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel Greg Kroah-Hartman
                   ` (153 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Christophe Leroy,
	David Sterba, Sasha Levin

From: Christophe Leroy <christophe.leroy@csgroup.eu>

[ Upstream commit b05fbcc36be1f8597a1febef4892053a0b2f3f60 ]

With a config having PAGE_SIZE set to 256K, BTRFS build fails
with the following message

  include/linux/compiler_types.h:326:38: error: call to
  '__compiletime_assert_791' declared with attribute error:
  BUILD_BUG_ON failed: (BTRFS_MAX_COMPRESSED % PAGE_SIZE) != 0

BTRFS_MAX_COMPRESSED being 128K, BTRFS cannot support platforms with
256K pages at the time being.

There are two platforms that can select 256K pages:
 - hexagon
 - powerpc

Disable BTRFS when 256K page size is selected. Supporting this would
require changes to the subpage mode that's currently being developed.
Given that 256K is many times larger than page sizes commonly used and
for what the algorithms and structures have been tuned, it's out of
scope and disabling build is a reasonable option.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
[ update changelog ]
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/Kconfig | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/btrfs/Kconfig b/fs/btrfs/Kconfig
index 80e9c18ea64f..fd6b67c40d9d 100644
--- a/fs/btrfs/Kconfig
+++ b/fs/btrfs/Kconfig
@@ -9,6 +9,8 @@ config BTRFS_FS
 	select RAID6_PQ
 	select XOR_BLOCKS
 	select SRCU
+	depends on !PPC_256K_PAGES	# powerpc
+	depends on !PAGE_SIZE_256KB	# hexagon
 
 	help
 	  Btrfs is a general purpose copy-on-write filesystem with extents,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 040/188] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 039/188] btrfs: disable build on platforms having page size 256K Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 041/188] ACPI: processor idle: Fix up C-state latency if not ordered Greg Kroah-Hartman
                   ` (152 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Axel Lin, Mark Brown, Sasha Levin

From: Axel Lin <axel.lin@ingics.com>

[ Upstream commit a336dc8f683e5be794186b5643cd34cb28dd2c53 ]

Use DIV_ROUND_UP to prevent truncation by integer division issue.
This ensures we return enough delay time.

Also fix returning negative value when new_sel < old_sel.

Signed-off-by: Axel Lin <axel.lin@ingics.com>
Link: https://lore.kernel.org/r/20210618141412.4014912-1-axel.lin@ingics.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/regulator/da9052-regulator.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/regulator/da9052-regulator.c b/drivers/regulator/da9052-regulator.c
index 12a25b40e473..fa9cb7df79de 100644
--- a/drivers/regulator/da9052-regulator.c
+++ b/drivers/regulator/da9052-regulator.c
@@ -258,7 +258,8 @@ static int da9052_regulator_set_voltage_time_sel(struct regulator_dev *rdev,
 	case DA9052_ID_BUCK3:
 	case DA9052_ID_LDO2:
 	case DA9052_ID_LDO3:
-		ret = (new_sel - old_sel) * info->step_uV / 6250;
+		ret = DIV_ROUND_UP(abs(new_sel - old_sel) * info->step_uV,
+				   6250);
 		break;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 041/188] ACPI: processor idle: Fix up C-state latency if not ordered
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 040/188] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 042/188] block_dump: remove block_dump feature in mark_inode_dirty() Greg Kroah-Hartman
                   ` (151 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Prike Liang, Alex Deucher,
	Mario Limonciello, Rafael J. Wysocki, Sasha Levin

From: Mario Limonciello <mario.limonciello@amd.com>

[ Upstream commit 65ea8f2c6e230bdf71fed0137cf9e9d1b307db32 ]

Generally, the C-state latency is provided by the _CST method or
FADT, but some OEM platforms using AMD Picasso, Renoir, Van Gogh,
and Cezanne set the C2 latency greater than C3's which causes the
C2 state to be skipped.

That will block the core entering PC6, which prevents S0ix working
properly on Linux systems.

In other operating systems, the latency values are not validated and
this does not cause problems by skipping states.

To avoid this issue on Linux, detect when latencies are not an
arithmetic progression and sort them.

Link: https://gitlab.freedesktop.org/agd5f/linux/-/commit/026d186e4592c1ee9c1cb44295912d0294508725
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/1230#note_712174
Suggested-by: Prike Liang <Prike.Liang@amd.com>
Suggested-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/processor_idle.c | 40 +++++++++++++++++++++++++++++++++++
 1 file changed, 40 insertions(+)

diff --git a/drivers/acpi/processor_idle.c b/drivers/acpi/processor_idle.c
index 175c86bee3a9..69fec2d3a1f5 100644
--- a/drivers/acpi/processor_idle.c
+++ b/drivers/acpi/processor_idle.c
@@ -28,6 +28,7 @@
 #include <linux/acpi.h>
 #include <linux/dmi.h>
 #include <linux/sched.h>       /* need_resched() */
+#include <linux/sort.h>
 #include <linux/tick.h>
 #include <linux/cpuidle.h>
 #include <linux/syscore_ops.h>
@@ -572,10 +573,37 @@ static void acpi_processor_power_verify_c3(struct acpi_processor *pr,
 	return;
 }
 
+static int acpi_cst_latency_cmp(const void *a, const void *b)
+{
+	const struct acpi_processor_cx *x = a, *y = b;
+
+	if (!(x->valid && y->valid))
+		return 0;
+	if (x->latency > y->latency)
+		return 1;
+	if (x->latency < y->latency)
+		return -1;
+	return 0;
+}
+static void acpi_cst_latency_swap(void *a, void *b, int n)
+{
+	struct acpi_processor_cx *x = a, *y = b;
+	u32 tmp;
+
+	if (!(x->valid && y->valid))
+		return;
+	tmp = x->latency;
+	x->latency = y->latency;
+	y->latency = tmp;
+}
+
 static int acpi_processor_power_verify(struct acpi_processor *pr)
 {
 	unsigned int i;
 	unsigned int working = 0;
+	unsigned int last_latency = 0;
+	unsigned int last_type = 0;
+	bool buggy_latency = false;
 
 	pr->power.timer_broadcast_on_state = INT_MAX;
 
@@ -599,12 +627,24 @@ static int acpi_processor_power_verify(struct acpi_processor *pr)
 		}
 		if (!cx->valid)
 			continue;
+		if (cx->type >= last_type && cx->latency < last_latency)
+			buggy_latency = true;
+		last_latency = cx->latency;
+		last_type = cx->type;
 
 		lapic_timer_check_state(i, pr, cx);
 		tsc_check_state(cx->type);
 		working++;
 	}
 
+	if (buggy_latency) {
+		pr_notice("FW issue: working around C-state latencies out of order\n");
+		sort(&pr->power.states[1], max_cstate,
+		     sizeof(struct acpi_processor_cx),
+		     acpi_cst_latency_cmp,
+		     acpi_cst_latency_swap);
+	}
+
 	lapic_timer_propagate_broadcast(pr);
 
 	return (working);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 042/188] block_dump: remove block_dump feature in mark_inode_dirty()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 041/188] ACPI: processor idle: Fix up C-state latency if not ordered Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 043/188] fs: dlm: cancel work sync othercon Greg Kroah-Hartman
                   ` (150 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, zhangyi (F),
	Jan Kara, Christoph Hellwig, Jens Axboe, Sasha Levin

From: zhangyi (F) <yi.zhang@huawei.com>

[ Upstream commit 12e0613715e1cf305fffafaf0e89d810d9a85cc0 ]

block_dump is an old debugging interface, one of it's functions is used
to print the information about who write which file on disk. If we
enable block_dump through /proc/sys/vm/block_dump and turn on debug log
level, we can gather information about write process name, target file
name and disk from kernel message. This feature is realized in
block_dump___mark_inode_dirty(), it print above information into kernel
message directly when marking inode dirty, so it is noisy and can easily
trigger log storm. At the same time, get the dentry refcount is also not
safe, we found it will lead to deadlock on ext4 file system with
data=journal mode.

After tracepoints has been introduced into the kernel, we got a
tracepoint in __mark_inode_dirty(), which is a better replacement of
block_dump___mark_inode_dirty(). The only downside is that it only trace
the inode number and not a file name, but it probably doesn't matter
because the original printed file name in block_dump is not accurate in
some cases, and we can still find it through the inode number and device
id. So this patch delete the dirting inode part of block_dump feature.

Signed-off-by: zhangyi (F) <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210313030146.2882027-2-yi.zhang@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fs-writeback.c | 25 -------------------------
 1 file changed, 25 deletions(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 7f068330edb6..958a1bd0b5fc 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -2040,28 +2040,6 @@ int dirtytime_interval_handler(struct ctl_table *table, int write,
 	return ret;
 }
 
-static noinline void block_dump___mark_inode_dirty(struct inode *inode)
-{
-	if (inode->i_ino || strcmp(inode->i_sb->s_id, "bdev")) {
-		struct dentry *dentry;
-		const char *name = "?";
-
-		dentry = d_find_alias(inode);
-		if (dentry) {
-			spin_lock(&dentry->d_lock);
-			name = (const char *) dentry->d_name.name;
-		}
-		printk(KERN_DEBUG
-		       "%s(%d): dirtied inode %lu (%s) on %s\n",
-		       current->comm, task_pid_nr(current), inode->i_ino,
-		       name, inode->i_sb->s_id);
-		if (dentry) {
-			spin_unlock(&dentry->d_lock);
-			dput(dentry);
-		}
-	}
-}
-
 /**
  *	__mark_inode_dirty -	internal function
  *	@inode: inode to mark
@@ -2120,9 +2098,6 @@ void __mark_inode_dirty(struct inode *inode, int flags)
 	    (dirtytime && (inode->i_state & I_DIRTY_INODE)))
 		return;
 
-	if (unlikely(block_dump))
-		block_dump___mark_inode_dirty(inode);
-
 	spin_lock(&inode->i_lock);
 	if (dirtytime && (inode->i_state & I_DIRTY_INODE))
 		goto out_unlock_inode;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 043/188] fs: dlm: cancel work sync othercon
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 042/188] block_dump: remove block_dump feature in mark_inode_dirty() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 044/188] random32: Fix implicit truncation warning in prandom_seed_state() Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland, Sasha Levin

From: Alexander Aring <aahringo@redhat.com>

[ Upstream commit c6aa00e3d20c2767ba3f57b64eb862572b9744b3 ]

These rx tx flags arguments are for signaling close_connection() from
which worker they are called. Obviously the receive worker cannot cancel
itself and vice versa for swork. For the othercon the receive worker
should only be used, however to avoid deadlocks we should pass the same
flags as the original close_connection() was called.

Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/dlm/lowcomms.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/dlm/lowcomms.c b/fs/dlm/lowcomms.c
index 9d7a4a714907..99f4cd91910f 100644
--- a/fs/dlm/lowcomms.c
+++ b/fs/dlm/lowcomms.c
@@ -554,7 +554,7 @@ static void close_connection(struct connection *con, bool and_other,
 	}
 	if (con->othercon && and_other) {
 		/* Will only re-enter once. */
-		close_connection(con->othercon, false, true, true);
+		close_connection(con->othercon, false, tx, rx);
 	}
 	if (con->rx_page) {
 		__free_page(con->rx_page);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 044/188] random32: Fix implicit truncation warning in prandom_seed_state()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 043/188] fs: dlm: cancel work sync othercon Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 045/188] ACPI: bus: Call kobject_put() in acpi_init() error path Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Richard Fitzgerald, Petr Mladek, Sasha Levin

From: Richard Fitzgerald <rf@opensource.cirrus.com>

[ Upstream commit d327ea15a305024ef0085252fa3657bbb1ce25f5 ]

sparse generates the following warning:

 include/linux/prandom.h:114:45: sparse: sparse: cast truncates bits from
 constant value

This is because the 64-bit seed value is manipulated and then placed in a
u32, causing an implicit cast and truncation. A forced cast to u32 doesn't
prevent this warning, which is reasonable because a typecast doesn't prove
that truncation was expected.

Logical-AND the value with 0xffffffff to make explicit that truncation to
32-bit is intended.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20210525122012.6336-3-rf@opensource.cirrus.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/prandom.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/prandom.h b/include/linux/prandom.h
index cc1e71334e53..e20339c78a84 100644
--- a/include/linux/prandom.h
+++ b/include/linux/prandom.h
@@ -93,7 +93,7 @@ static inline u32 __seed(u32 x, u32 m)
  */
 static inline void prandom_seed_state(struct rnd_state *state, u64 seed)
 {
-	u32 i = (seed >> 32) ^ (seed << 10) ^ seed;
+	u32 i = ((seed >> 32) ^ (seed << 10) ^ seed) & 0xffffffffUL;
 
 	state->s1 = __seed(i,   2U);
 	state->s2 = __seed(i,   8U);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 045/188] ACPI: bus: Call kobject_put() in acpi_init() error path
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 044/188] random32: Fix implicit truncation warning in prandom_seed_state() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 046/188] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hanjun Guo, Rafael J. Wysocki, Sasha Levin

From: Hanjun Guo <guohanjun@huawei.com>

[ Upstream commit 4ac7a817f1992103d4e68e9837304f860b5e7300 ]

Although the system will not be in a good condition or it will not
boot if acpi_bus_init() fails, it is still necessary to put the
kobject in the error path before returning to avoid leaking memory.

Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/bus.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/bus.c b/drivers/acpi/bus.c
index 521d1b28760c..d016eba51a95 100644
--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -1087,6 +1087,7 @@ static int __init acpi_init(void)
 	init_acpi_device_notify();
 	result = acpi_bus_init();
 	if (result) {
+		kobject_put(acpi_kobj);
 		disable_acpi();
 		return result;
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 046/188] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 045/188] ACPI: bus: Call kobject_put() in acpi_init() error path Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 047/188] ia64: mca_drv: fix incorrect array size calculation Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	Hans de Goede, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit 28e367127718a9cb85d615a71e152f7acee41bfc ]

The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'error'.

Eliminate the follow smatch warning:

drivers/platform/x86/toshiba_acpi.c:2834 toshiba_acpi_setup_keyboard()
warn: missing error code 'error'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Link: https://lore.kernel.org/r/1622628348-87035-1-git-send-email-jiapeng.chong@linux.alibaba.com
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/platform/x86/toshiba_acpi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/platform/x86/toshiba_acpi.c b/drivers/platform/x86/toshiba_acpi.c
index 1ff95b5a429d..974d4ac78d10 100644
--- a/drivers/platform/x86/toshiba_acpi.c
+++ b/drivers/platform/x86/toshiba_acpi.c
@@ -2448,6 +2448,7 @@ static int toshiba_acpi_setup_keyboard(struct toshiba_acpi_dev *dev)
 
 	if (!dev->info_supported && !dev->system_event_supported) {
 		pr_warn("No hotkey query interface found\n");
+		error = -EINVAL;
 		goto err_remove_filter;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 047/188] ia64: mca_drv: fix incorrect array size calculation
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 046/188] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 048/188] crypto: ixp4xx - dma_unmap the correct address Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arnd Bergmann, Masahiro Yamada,
	Randy Dunlap, Andrew Morton, Linus Torvalds, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit c5f320ff8a79501bb59338278336ec43acb9d7e2 ]

gcc points out a mistake in the mca driver that goes back to before the
git history:

arch/ia64/kernel/mca_drv.c: In function 'init_record_index_pools':
arch/ia64/kernel/mca_drv.c:346:54: error: expression does not compute the number of elements in this array; element typ
e is 'int', not 'size_t' {aka 'long unsigned int'} [-Werror=sizeof-array-div]
  346 |         for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
      |                                                      ^

This is the same as sizeof(size_t), which is two shorter than the actual
array.  Use the ARRAY_SIZE() macro to get the correct calculation instead.

Link: https://lkml.kernel.org/r/20210514214123.875971-1-arnd@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Cc: Masahiro Yamada <masahiroy@kernel.org>
Cc: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/ia64/kernel/mca_drv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/ia64/kernel/mca_drv.c b/arch/ia64/kernel/mca_drv.c
index 94f8bf777afa..3503d488e9b3 100644
--- a/arch/ia64/kernel/mca_drv.c
+++ b/arch/ia64/kernel/mca_drv.c
@@ -343,7 +343,7 @@ init_record_index_pools(void)
 
 	/* - 2 - */
 	sect_min_size = sal_log_sect_min_sizes[0];
-	for (i = 1; i < sizeof sal_log_sect_min_sizes/sizeof(size_t); i++)
+	for (i = 1; i < ARRAY_SIZE(sal_log_sect_min_sizes); i++)
 		if (sect_min_size > sal_log_sect_min_sizes[i])
 			sect_min_size = sal_log_sect_min_sizes[i];
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 048/188] crypto: ixp4xx - dma_unmap the correct address
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 047/188] ia64: mca_drv: fix incorrect array size calculation Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 049/188] crypto: ux500 - Fix error return code in hash_hw_final() Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Corentin Labbe, Herbert Xu, Sasha Levin

From: Corentin Labbe <clabbe@baylibre.com>

[ Upstream commit 9395c58fdddd79cdd3882132cdd04e8ac7ad525f ]

Testing ixp4xx_crypto with CONFIG_DMA_API_DEBUG lead to the following error:
DMA-API: platform ixp4xx_crypto.0: device driver tries to free DMA memory it has not allocated [device address=0x0000000000000000] [size=24 bytes]

This is due to dma_unmap using the wrong address.

Fixes: 0d44dc59b2b4 ("crypto: ixp4xx - Fix handling of chained sg buffers")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/ixp4xx_crypto.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/ixp4xx_crypto.c b/drivers/crypto/ixp4xx_crypto.c
index 13657105cfb9..8d0613170d57 100644
--- a/drivers/crypto/ixp4xx_crypto.c
+++ b/drivers/crypto/ixp4xx_crypto.c
@@ -334,7 +334,7 @@ static void free_buf_chain(struct device *dev, struct buffer_desc *buf,u32 phys)
 
 		buf1 = buf->next;
 		phys1 = buf->phys_next;
-		dma_unmap_single(dev, buf->phys_next, buf->buf_len, buf->dir);
+		dma_unmap_single(dev, buf->phys_addr, buf->buf_len, buf->dir);
 		dma_pool_free(buffer_pool, buf, phys);
 		buf = buf1;
 		phys = phys1;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 049/188] crypto: ux500 - Fix error return code in hash_hw_final()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 048/188] crypto: ixp4xx - dma_unmap the correct address Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 050/188] sata_highbank: fix deferred probing Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Linus Walleij,
	Herbert Xu, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit b01360384009ab066940b45f34880991ea7ccbfb ]

Fix to return a negative error code from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: 8a63b1994c50 ("crypto: ux500 - Add driver for HASH hardware")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/ux500/hash/hash_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/crypto/ux500/hash/hash_core.c b/drivers/crypto/ux500/hash/hash_core.c
index bca6b701c067..7021b5b49c03 100644
--- a/drivers/crypto/ux500/hash/hash_core.c
+++ b/drivers/crypto/ux500/hash/hash_core.c
@@ -1022,6 +1022,7 @@ static int hash_hw_final(struct ahash_request *req)
 			goto out;
 		}
 	} else if (req->nbytes == 0 && ctx->keylen > 0) {
+		ret = -EPERM;
 		dev_err(device_data->dev, "%s: Empty message with keylength > 0, NOT supported\n",
 			__func__);
 		goto out;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 050/188] sata_highbank: fix deferred probing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 049/188] crypto: ux500 - Fix error return code in hash_hw_final() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 051/188] pata_rb532_cf: " Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Jens Axboe, Sasha Levin

From: Sergey Shtylyov <s.shtylyov@omprussia.ru>

[ Upstream commit 4a24efa16e7db02306fb5db84518bb0a7ada5a46 ]

The driver overrides the error codes returned by platform_get_irq() to
-EINVAL, so if it returns -EPROBE_DEFER, the driver would fail the probe
permanently instead of the deferred probing. Switch to propagating the
error code upstream, still checking/overriding IRQ0 as libata regards it
as "no IRQ" (thus polling) anyway...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Link: https://lore.kernel.org/r/105b456d-1199-f6e9-ceb7-ffc5ba551d1a@omprussia.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/sata_highbank.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/ata/sata_highbank.c b/drivers/ata/sata_highbank.c
index 8638d575b2b9..77691154d2f1 100644
--- a/drivers/ata/sata_highbank.c
+++ b/drivers/ata/sata_highbank.c
@@ -483,10 +483,12 @@ static int ahci_highbank_probe(struct platform_device *pdev)
 	}
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0) {
+	if (irq < 0) {
 		dev_err(dev, "no irq\n");
-		return -EINVAL;
+		return irq;
 	}
+	if (!irq)
+		return -EINVAL;
 
 	hpriv = devm_kzalloc(dev, sizeof(*hpriv), GFP_KERNEL);
 	if (!hpriv) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 051/188] pata_rb532_cf: fix deferred probing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 050/188] sata_highbank: fix deferred probing Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 052/188] media: I2C: change RST to "RSET" to fix multiple build errors Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Jens Axboe, Sasha Levin

From: Sergey Shtylyov <s.shtylyov@omprussia.ru>

[ Upstream commit 2d3a62fbae8e5badc2342388f65ab2191c209cc0 ]

The driver overrides the error codes returned by platform_get_irq() to
-ENOENT, so if it returns -EPROBE_DEFER, the driver would fail the probe
permanently instead of the deferred probing. Switch to propagating the
error code upstream, still checking/overriding IRQ0 as libata regards it
as "no IRQ" (thus polling) anyway...

Fixes: 9ec36cafe43b ("of/irq: do irq resolution in platform_get_irq")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Link: https://lore.kernel.org/r/771ced55-3efb-21f5-f21c-b99920aae611@omprussia.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/pata_rb532_cf.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/ata/pata_rb532_cf.c b/drivers/ata/pata_rb532_cf.c
index c8b6a780a290..76c550e160f6 100644
--- a/drivers/ata/pata_rb532_cf.c
+++ b/drivers/ata/pata_rb532_cf.c
@@ -120,10 +120,12 @@ static int rb532_pata_driver_probe(struct platform_device *pdev)
 	}
 
 	irq = platform_get_irq(pdev, 0);
-	if (irq <= 0) {
+	if (irq < 0) {
 		dev_err(&pdev->dev, "no IRQ resource found\n");
-		return -ENOENT;
+		return irq;
 	}
+	if (!irq)
+		return -EINVAL;
 
 	pdata = dev_get_platdata(&pdev->dev);
 	if (!pdata) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 052/188] media: I2C: change RST to "RSET" to fix multiple build errors
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 051/188] pata_rb532_cf: " Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 053/188] pata_octeon_cf: avoid WARN_ON() in ata_host_activate() Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Shawn Guo, Sascha Hauer, Pengutronix Kernel Team, Fabio Estevam,
	NXP Linux Team, moderated for non-subscribers, Andrzej Hajda,
	Sylwester Nawrocki, Sangwook Lee, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 8edcb5049ac29aa3c8acc5ef15dd4036543d747e ]

The use of an enum named 'RST' conflicts with a #define macro
named 'RST' in arch/mips/include/asm/mach-rc32434/rb.h.

The MIPS use of RST was there first (AFAICT), so change the
media/i2c/ uses of RST to be named 'RSET'.
'git grep -w RSET' does not report any naming conflicts with the
new name.

This fixes multiple build errors:

arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
   15 | #define RST  (1 << 15)
      |              ^
drivers/media/i2c/s5c73m3/s5c73m3.h:356:2: note: in expansion of macro 'RST'
  356 |  RST,
      |  ^~~

../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
   15 | #define RST  (1 << 15)
      |              ^
../drivers/media/i2c/s5k6aa.c:180:2: note: in expansion of macro 'RST'
  180 |  RST,
      |  ^~~

../arch/mips/include/asm/mach-rc32434/rb.h:15:14: error: expected identifier before '(' token
   15 | #define RST  (1 << 15)
      |              ^
../drivers/media/i2c/s5k5baf.c:238:2: note: in expansion of macro 'RST'
  238 |  RST,
      |  ^~~

and some others that I have trimmed.

Fixes: cac47f1822fc ("[media] V4L: Add S5C73M3 camera driver")
Fixes: 8b99312b7214 ("[media] Add v4l2 subdev driver for S5K4ECGX sensor")
Fixes: 7d459937dc09 ("[media] Add driver for Samsung S5K5BAF camera sensor")
Fixes: bfa8dd3a0524 ("[media] v4l: Add v4l2 subdev driver for S5K6AAFX sensor")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Shawn Guo <shawnguo@kernel.org>
Cc: Sascha Hauer <s.hauer@pengutronix.de>
Cc: Pengutronix Kernel Team <kernel@pengutronix.de>
Cc: Fabio Estevam <festevam@gmail.com>
Cc: NXP Linux Team <linux-imx@nxp.com>
Cc: linux-arm-kernel@lists.infradead.org (moderated for non-subscribers)
Cc: Andrzej Hajda <a.hajda@samsung.com>
Cc: Sylwester Nawrocki <s.nawrocki@samsung.com>
Cc: Sangwook Lee <sangwook.lee@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/s5c73m3/s5c73m3-core.c |  6 +++---
 drivers/media/i2c/s5c73m3/s5c73m3.h      |  2 +-
 drivers/media/i2c/s5k4ecgx.c             | 10 +++++-----
 drivers/media/i2c/s5k5baf.c              |  6 +++---
 drivers/media/i2c/s5k6aa.c               | 10 +++++-----
 5 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/drivers/media/i2c/s5c73m3/s5c73m3-core.c b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
index 51b26010403c..376ffa19555d 100644
--- a/drivers/media/i2c/s5c73m3/s5c73m3-core.c
+++ b/drivers/media/i2c/s5c73m3/s5c73m3-core.c
@@ -1393,7 +1393,7 @@ static int __s5c73m3_power_on(struct s5c73m3 *state)
 	s5c73m3_gpio_deassert(state, STBY);
 	usleep_range(100, 200);
 
-	s5c73m3_gpio_deassert(state, RST);
+	s5c73m3_gpio_deassert(state, RSET);
 	usleep_range(50, 100);
 
 	return 0;
@@ -1408,7 +1408,7 @@ static int __s5c73m3_power_off(struct s5c73m3 *state)
 {
 	int i, ret;
 
-	if (s5c73m3_gpio_assert(state, RST))
+	if (s5c73m3_gpio_assert(state, RSET))
 		usleep_range(10, 50);
 
 	if (s5c73m3_gpio_assert(state, STBY))
@@ -1613,7 +1613,7 @@ static int s5c73m3_get_platform_data(struct s5c73m3 *state)
 
 		state->mclk_frequency = pdata->mclk_frequency;
 		state->gpio[STBY] = pdata->gpio_stby;
-		state->gpio[RST] = pdata->gpio_reset;
+		state->gpio[RSET] = pdata->gpio_reset;
 		return 0;
 	}
 
diff --git a/drivers/media/i2c/s5c73m3/s5c73m3.h b/drivers/media/i2c/s5c73m3/s5c73m3.h
index 13aed59f0f5d..01f57055e20f 100644
--- a/drivers/media/i2c/s5c73m3/s5c73m3.h
+++ b/drivers/media/i2c/s5c73m3/s5c73m3.h
@@ -361,7 +361,7 @@ struct s5c73m3_ctrls {
 
 enum s5c73m3_gpio_id {
 	STBY,
-	RST,
+	RSET,
 	GPIO_NUM,
 };
 
diff --git a/drivers/media/i2c/s5k4ecgx.c b/drivers/media/i2c/s5k4ecgx.c
index 97084237275d..4959edcb76cd 100644
--- a/drivers/media/i2c/s5k4ecgx.c
+++ b/drivers/media/i2c/s5k4ecgx.c
@@ -177,7 +177,7 @@ static const char * const s5k4ecgx_supply_names[] = {
 
 enum s5k4ecgx_gpio_id {
 	STBY,
-	RST,
+	RSET,
 	GPIO_NUM,
 };
 
@@ -482,7 +482,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
 	if (s5k4ecgx_gpio_set_value(priv, STBY, priv->gpio[STBY].level))
 		usleep_range(30, 50);
 
-	if (s5k4ecgx_gpio_set_value(priv, RST, priv->gpio[RST].level))
+	if (s5k4ecgx_gpio_set_value(priv, RSET, priv->gpio[RSET].level))
 		usleep_range(30, 50);
 
 	return 0;
@@ -490,7 +490,7 @@ static int __s5k4ecgx_power_on(struct s5k4ecgx *priv)
 
 static int __s5k4ecgx_power_off(struct s5k4ecgx *priv)
 {
-	if (s5k4ecgx_gpio_set_value(priv, RST, !priv->gpio[RST].level))
+	if (s5k4ecgx_gpio_set_value(priv, RSET, !priv->gpio[RSET].level))
 		usleep_range(30, 50);
 
 	if (s5k4ecgx_gpio_set_value(priv, STBY, !priv->gpio[STBY].level))
@@ -878,7 +878,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
 	int ret;
 
 	priv->gpio[STBY].gpio = -EINVAL;
-	priv->gpio[RST].gpio  = -EINVAL;
+	priv->gpio[RSET].gpio  = -EINVAL;
 
 	ret = s5k4ecgx_config_gpio(gpio->gpio, gpio->level, "S5K4ECGX_STBY");
 
@@ -897,7 +897,7 @@ static int s5k4ecgx_config_gpios(struct s5k4ecgx *priv,
 		s5k4ecgx_free_gpios(priv);
 		return ret;
 	}
-	priv->gpio[RST] = *gpio;
+	priv->gpio[RSET] = *gpio;
 	if (gpio_is_valid(gpio->gpio))
 		gpio_set_value(gpio->gpio, 0);
 
diff --git a/drivers/media/i2c/s5k5baf.c b/drivers/media/i2c/s5k5baf.c
index 774e0d0c94cb..a9052219a278 100644
--- a/drivers/media/i2c/s5k5baf.c
+++ b/drivers/media/i2c/s5k5baf.c
@@ -238,7 +238,7 @@ struct s5k5baf_gpio {
 
 enum s5k5baf_gpio_id {
 	STBY,
-	RST,
+	RSET,
 	NUM_GPIOS,
 };
 
@@ -973,7 +973,7 @@ static int s5k5baf_power_on(struct s5k5baf *state)
 
 	s5k5baf_gpio_deassert(state, STBY);
 	usleep_range(50, 100);
-	s5k5baf_gpio_deassert(state, RST);
+	s5k5baf_gpio_deassert(state, RSET);
 	return 0;
 
 err_reg_dis:
@@ -991,7 +991,7 @@ static int s5k5baf_power_off(struct s5k5baf *state)
 	state->apply_cfg = 0;
 	state->apply_crop = 0;
 
-	s5k5baf_gpio_assert(state, RST);
+	s5k5baf_gpio_assert(state, RSET);
 	s5k5baf_gpio_assert(state, STBY);
 
 	if (!IS_ERR(state->clock))
diff --git a/drivers/media/i2c/s5k6aa.c b/drivers/media/i2c/s5k6aa.c
index 5ac2babe123b..ca1c0568a561 100644
--- a/drivers/media/i2c/s5k6aa.c
+++ b/drivers/media/i2c/s5k6aa.c
@@ -181,7 +181,7 @@ static const char * const s5k6aa_supply_names[] = {
 
 enum s5k6aa_gpio_id {
 	STBY,
-	RST,
+	RSET,
 	GPIO_NUM,
 };
 
@@ -845,7 +845,7 @@ static int __s5k6aa_power_on(struct s5k6aa *s5k6aa)
 		ret = s5k6aa->s_power(1);
 	usleep_range(4000, 4000);
 
-	if (s5k6aa_gpio_deassert(s5k6aa, RST))
+	if (s5k6aa_gpio_deassert(s5k6aa, RSET))
 		msleep(20);
 
 	return ret;
@@ -855,7 +855,7 @@ static int __s5k6aa_power_off(struct s5k6aa *s5k6aa)
 {
 	int ret;
 
-	if (s5k6aa_gpio_assert(s5k6aa, RST))
+	if (s5k6aa_gpio_assert(s5k6aa, RSET))
 		usleep_range(100, 150);
 
 	if (s5k6aa->s_power) {
@@ -1514,7 +1514,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
 	int ret;
 
 	s5k6aa->gpio[STBY].gpio = -EINVAL;
-	s5k6aa->gpio[RST].gpio  = -EINVAL;
+	s5k6aa->gpio[RSET].gpio  = -EINVAL;
 
 	gpio = &pdata->gpio_stby;
 	if (gpio_is_valid(gpio->gpio)) {
@@ -1537,7 +1537,7 @@ static int s5k6aa_configure_gpios(struct s5k6aa *s5k6aa,
 		if (ret < 0)
 			return ret;
 
-		s5k6aa->gpio[RST] = *gpio;
+		s5k6aa->gpio[RSET] = *gpio;
 	}
 
 	return 0;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 053/188] pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 052/188] media: I2C: change RST to "RSET" to fix multiple build errors Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 054/188] pata_ep93xx: fix deferred probing Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Jens Axboe, Sasha Levin

From: Sergey Shtylyov <s.shtylyov@omp.ru>

[ Upstream commit bfc1f378c8953e68ccdbfe0a8c20748427488b80 ]

Iff platform_get_irq() fails (or returns IRQ0) and thus the polling mode
has to be used, ata_host_activate() hits the WARN_ON() due to 'irq_handler'
parameter being non-NULL if the polling mode is selected.  Let's only set
the pointer to the driver's IRQ handler if platform_get_irq() returns a
valid IRQ # -- this should avoid the unnecessary WARN_ON()...

Fixes: 43f01da0f279 ("MIPS/OCTEON/ata: Convert pata_octeon_cf.c to use device tree.")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omp.ru>
Link: https://lore.kernel.org/r/3a241167-f84d-1d25-5b9b-be910afbe666@omp.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/pata_octeon_cf.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/ata/pata_octeon_cf.c b/drivers/ata/pata_octeon_cf.c
index 27245957eee3..909de33f9158 100644
--- a/drivers/ata/pata_octeon_cf.c
+++ b/drivers/ata/pata_octeon_cf.c
@@ -909,10 +909,11 @@ static int octeon_cf_probe(struct platform_device *pdev)
 					return -EINVAL;
 				}
 
-				irq_handler = octeon_cf_interrupt;
 				i = platform_get_irq(dma_dev, 0);
-				if (i > 0)
+				if (i > 0) {
 					irq = i;
+					irq_handler = octeon_cf_interrupt;
+				}
 			}
 			of_node_put(dma_node);
 		}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 054/188] pata_ep93xx: fix deferred probing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 053/188] pata_octeon_cf: avoid WARN_ON() in ata_host_activate() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 055/188] media: tc358743: Fix error return code in tc358743_probe_of() Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sergey Shtylyov, Jens Axboe, Sasha Levin

From: Sergey Shtylyov <s.shtylyov@omprussia.ru>

[ Upstream commit 5c8121262484d99bffb598f39a0df445cecd8efb ]

The driver overrides the error codes returned by platform_get_irq() to
-ENXIO, so if it returns -EPROBE_DEFER, the driver would fail the probe
permanently instead of the deferred probing.  Propagate the error code
upstream, as it should have been done from the start...

Fixes: 2fff27512600 ("PATA host controller driver for ep93xx")
Signed-off-by: Sergey Shtylyov <s.shtylyov@omprussia.ru>
Link: https://lore.kernel.org/r/509fda88-2e0d-2cc7-f411-695d7e94b136@omprussia.ru
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/ata/pata_ep93xx.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/ata/pata_ep93xx.c b/drivers/ata/pata_ep93xx.c
index 634c814cbeda..ebdd2dfabbeb 100644
--- a/drivers/ata/pata_ep93xx.c
+++ b/drivers/ata/pata_ep93xx.c
@@ -927,7 +927,7 @@ static int ep93xx_pata_probe(struct platform_device *pdev)
 	/* INT[3] (IRQ_EP93XX_EXT3) line connected as pull down */
 	irq = platform_get_irq(pdev, 0);
 	if (irq < 0) {
-		err = -ENXIO;
+		err = irq;
 		goto err_rel_gpio;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 055/188] media: tc358743: Fix error return code in tc358743_probe_of()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 054/188] pata_ep93xx: fix deferred probing Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 056/188] media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit a6b1e7093f0a099571fc8836ab4a589633f956a8 ]

When the CSI bps per lane is not in the valid range, an appropriate error
code -EINVAL should be returned. However, we currently do not explicitly
assign this error code to 'ret'. As a result, 0 was incorrectly returned.

Fixes: 256148246852 ("[media] tc358743: support probe from device tree")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/i2c/tc358743.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/media/i2c/tc358743.c b/drivers/media/i2c/tc358743.c
index 1e95fdb61041..c3befb3f5dcd 100644
--- a/drivers/media/i2c/tc358743.c
+++ b/drivers/media/i2c/tc358743.c
@@ -1761,6 +1761,7 @@ static int tc358743_probe_of(struct tc358743_state *state)
 	bps_pr_lane = 2 * endpoint->link_frequencies[0];
 	if (bps_pr_lane < 62500000U || bps_pr_lane > 1000000000U) {
 		dev_err(dev, "unsupported bps per lane: %u bps\n", bps_pr_lane);
+		ret = -EINVAL;
 		goto disable_clk;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 056/188] media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 055/188] media: tc358743: Fix error return code in tc358743_probe_of() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 057/188] mmc: usdhi6rol0: fix error return code in usdhi6_probe() Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kees Cook, Gustavo A. R. Silva, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit 13dfead49db07225335d4f587a560a2210391a1a ]

Rename struct sms_msg_data4 to sms_msg_data5 and increase the size of
its msg_data array from 4 to 5 elements. Notice that at some point
the 5th element of msg_data is being accessed in function
smscore_load_firmware_family2():

1006                 trigger_msg->msg_data[4] = 4; /* Task ID */

Also, there is no need for the object _trigger_msg_ of type struct
sms_msg_data *, when _msg_ can be used, directly. Notice that msg_data
in struct sms_msg_data is a one-element array, which causes multiple
out-of-bounds warnings when accessing beyond its first element
in function smscore_load_firmware_family2():

 992                 struct sms_msg_data *trigger_msg =
 993                         (struct sms_msg_data *) msg;
 994
 995                 pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
 996                 SMS_INIT_MSG(&msg->x_msg_header,
 997                                 MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
 998                                 sizeof(struct sms_msg_hdr) +
 999                                 sizeof(u32) * 5);
1000
1001                 trigger_msg->msg_data[0] = firmware->start_address;
1002                                         /* Entry point */
1003                 trigger_msg->msg_data[1] = 6; /* Priority */
1004                 trigger_msg->msg_data[2] = 0x200; /* Stack size */
1005                 trigger_msg->msg_data[3] = 0; /* Parameter */
1006                 trigger_msg->msg_data[4] = 4; /* Task ID */

even when enough dynamic memory is allocated for _msg_:

 929         /* PAGE_SIZE buffer shall be enough and dma aligned */
 930         msg = kmalloc(PAGE_SIZE, GFP_KERNEL | coredev->gfp_buf_flags);

but as _msg_ is casted to (struct sms_msg_data *):

 992                 struct sms_msg_data *trigger_msg =
 993                         (struct sms_msg_data *) msg;

the out-of-bounds warnings are actually valid and should be addressed.

Fix this by declaring object _msg_ of type struct sms_msg_data5 *,
which contains a 5-elements array, instead of just 4. And use
_msg_ directly, instead of creating object trigger_msg.

This helps with the ongoing efforts to enable -Warray-bounds by fixing
the following warnings:

  CC [M]  drivers/media/common/siano/smscoreapi.o
drivers/media/common/siano/smscoreapi.c: In function ‘smscore_load_firmware_family2’:
drivers/media/common/siano/smscoreapi.c:1003:24: warning: array subscript 1 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1003 |   trigger_msg->msg_data[1] = 6; /* Priority */
      |   ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |  u32 msg_data[1];
      |      ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1004:24: warning: array subscript 2 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1004 |   trigger_msg->msg_data[2] = 0x200; /* Stack size */
      |   ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |  u32 msg_data[1];
      |      ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1005:24: warning: array subscript 3 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1005 |   trigger_msg->msg_data[3] = 0; /* Parameter */
      |   ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |  u32 msg_data[1];
      |      ^~~~~~~~
drivers/media/common/siano/smscoreapi.c:1006:24: warning: array subscript 4 is above array bounds of ‘u32[1]’ {aka ‘unsigned int[1]’} [-Warray-bounds]
 1006 |   trigger_msg->msg_data[4] = 4; /* Task ID */
      |   ~~~~~~~~~~~~~~~~~~~~~^~~
In file included from drivers/media/common/siano/smscoreapi.c:12:
drivers/media/common/siano/smscoreapi.h:619:6: note: while referencing ‘msg_data’
  619 |  u32 msg_data[1];
      |      ^~~~~~~~

Fixes: 018b0c6f8acb ("[media] siano: make load firmware logic to work with newer firmwares")
Co-developed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/common/siano/smscoreapi.c | 22 +++++++++-------------
 drivers/media/common/siano/smscoreapi.h |  4 ++--
 2 files changed, 11 insertions(+), 15 deletions(-)

diff --git a/drivers/media/common/siano/smscoreapi.c b/drivers/media/common/siano/smscoreapi.c
index 2a8d9a36d6f0..5cc68144771c 100644
--- a/drivers/media/common/siano/smscoreapi.c
+++ b/drivers/media/common/siano/smscoreapi.c
@@ -914,7 +914,7 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
 					 void *buffer, size_t size)
 {
 	struct sms_firmware *firmware = (struct sms_firmware *) buffer;
-	struct sms_msg_data4 *msg;
+	struct sms_msg_data5 *msg;
 	u32 mem_address,  calc_checksum = 0;
 	u32 i, *ptr;
 	u8 *payload = firmware->payload;
@@ -995,24 +995,20 @@ static int smscore_load_firmware_family2(struct smscore_device_t *coredev,
 		goto exit_fw_download;
 
 	if (coredev->mode == DEVICE_MODE_NONE) {
-		struct sms_msg_data *trigger_msg =
-			(struct sms_msg_data *) msg;
-
 		pr_debug("sending MSG_SMS_SWDOWNLOAD_TRIGGER_REQ\n");
 		SMS_INIT_MSG(&msg->x_msg_header,
 				MSG_SMS_SWDOWNLOAD_TRIGGER_REQ,
-				sizeof(struct sms_msg_hdr) +
-				sizeof(u32) * 5);
+				sizeof(*msg));
 
-		trigger_msg->msg_data[0] = firmware->start_address;
+		msg->msg_data[0] = firmware->start_address;
 					/* Entry point */
-		trigger_msg->msg_data[1] = 6; /* Priority */
-		trigger_msg->msg_data[2] = 0x200; /* Stack size */
-		trigger_msg->msg_data[3] = 0; /* Parameter */
-		trigger_msg->msg_data[4] = 4; /* Task ID */
+		msg->msg_data[1] = 6; /* Priority */
+		msg->msg_data[2] = 0x200; /* Stack size */
+		msg->msg_data[3] = 0; /* Parameter */
+		msg->msg_data[4] = 4; /* Task ID */
 
-		rc = smscore_sendrequest_and_wait(coredev, trigger_msg,
-					trigger_msg->x_msg_header.msg_length,
+		rc = smscore_sendrequest_and_wait(coredev, msg,
+					msg->x_msg_header.msg_length,
 					&coredev->trigger_done);
 	} else {
 		SMS_INIT_MSG(&msg->x_msg_header, MSG_SW_RELOAD_EXEC_REQ,
diff --git a/drivers/media/common/siano/smscoreapi.h b/drivers/media/common/siano/smscoreapi.h
index 4cc39e4a8318..55d02c27f124 100644
--- a/drivers/media/common/siano/smscoreapi.h
+++ b/drivers/media/common/siano/smscoreapi.h
@@ -636,9 +636,9 @@ struct sms_msg_data2 {
 	u32 msg_data[2];
 };
 
-struct sms_msg_data4 {
+struct sms_msg_data5 {
 	struct sms_msg_hdr x_msg_header;
-	u32 msg_data[4];
+	u32 msg_data[5];
 };
 
 struct sms_data_download {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 057/188] mmc: usdhi6rol0: fix error return code in usdhi6_probe()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 056/188] media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 058/188] media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Ulf Hansson,
	Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 2f9ae69e5267f53e89e296fccee291975a85f0eb ]

Fix to return a negative error code from the error handling case instead
of 0, as done elsewhere in this function.

Fixes: 75fa9ea6e3c0 ("mmc: add a driver for the Renesas usdhi6rol0 SD/SDIO host controller")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210508020321.1677-1-thunder.leizhen@huawei.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mmc/host/usdhi6rol0.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mmc/host/usdhi6rol0.c b/drivers/mmc/host/usdhi6rol0.c
index 2b6a9c6a6e96..49798a68299e 100644
--- a/drivers/mmc/host/usdhi6rol0.c
+++ b/drivers/mmc/host/usdhi6rol0.c
@@ -1751,6 +1751,7 @@ static int usdhi6_probe(struct platform_device *pdev)
 
 	version = usdhi6_read(host, USDHI6_VERSION);
 	if ((version & 0xfff) != 0xa0d) {
+		ret = -EPERM;
 		dev_err(dev, "Version not recognized %x\n", version);
 		goto e_clk_off;
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 058/188] media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (56 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 057/188] mmc: usdhi6rol0: fix error return code in usdhi6_probe() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 059/188] spi: spi-sun6i: Fix chipselect/clock bug Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dillon Min, Hans Verkuil,
	Mauro Carvalho Chehab, Sasha Levin

From: Dillon Min <dillon.minfei@gmail.com>

[ Upstream commit 5d11e6aad1811ea293ee2996cec9124f7fccb661 ]

The m2m_ctx resources was allocated by v4l2_m2m_ctx_init() in g2d_open()
should be freed from g2d_release() when it's not used.

Fix it

Fixes: 918847341af0 ("[media] v4l: add G2D driver for s5p device family")
Signed-off-by: Dillon Min <dillon.minfei@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/s5p-g2d/g2d.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/media/platform/s5p-g2d/g2d.c b/drivers/media/platform/s5p-g2d/g2d.c
index 2b939555cccb..21968ef9dc45 100644
--- a/drivers/media/platform/s5p-g2d/g2d.c
+++ b/drivers/media/platform/s5p-g2d/g2d.c
@@ -282,6 +282,9 @@ static int g2d_release(struct file *file)
 	struct g2d_dev *dev = video_drvdata(file);
 	struct g2d_ctx *ctx = fh2ctx(file->private_data);
 
+	mutex_lock(&dev->mutex);
+	v4l2_m2m_ctx_release(ctx->fh.m2m_ctx);
+	mutex_unlock(&dev->mutex);
 	v4l2_ctrl_handler_free(&ctx->ctrl_handler);
 	v4l2_fh_del(&ctx->fh);
 	v4l2_fh_exit(&ctx->fh);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 059/188] spi: spi-sun6i: Fix chipselect/clock bug
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (57 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 058/188] media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 060/188] crypto: nx - Fix RCU warning in nx842_OF_upd_status Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Mirko Vogt, Ralf Schlatterbeck,
	Mark Brown, Sasha Levin

From: Mirko Vogt <mirko-dev|linux@nanl.de>

[ Upstream commit 0d7993b234c9fad8cb6bec6adfaa74694ba85ecb ]

The current sun6i SPI implementation initializes the transfer too early,
resulting in SCK going high before the transfer. When using an additional
(gpio) chipselect with sun6i, the chipselect is asserted at a time when
clock is high, making the SPI transfer fail.

This is due to SUN6I_GBL_CTL_BUS_ENABLE being written into
SUN6I_GBL_CTL_REG at an early stage. Moving that to the transfer
function, hence, right before the transfer starts, mitigates that
problem.

Fixes: 3558fe900e8af (spi: sunxi: Add Allwinner A31 SPI controller driver)
Signed-off-by: Mirko Vogt <mirko-dev|linux@nanl.de>
Signed-off-by: Ralf Schlatterbeck <rsc@runtux.com>
Link: https://lore.kernel.org/r/20210614144507.y3udezjfbko7eavv@runtux.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-sun6i.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/drivers/spi/spi-sun6i.c b/drivers/spi/spi-sun6i.c
index 48888ab630c2..079bdc4e65ff 100644
--- a/drivers/spi/spi-sun6i.c
+++ b/drivers/spi/spi-sun6i.c
@@ -249,6 +249,10 @@ static int sun6i_spi_transfer_one(struct spi_master *master,
 	}
 
 	sun6i_spi_write(sspi, SUN6I_CLK_CTL_REG, reg);
+	/* Finally enable the bus - doing so before might raise SCK to HIGH */
+	reg = sun6i_spi_read(sspi, SUN6I_GBL_CTL_REG);
+	reg |= SUN6I_GBL_CTL_BUS_ENABLE;
+	sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG, reg);
 
 	/* Setup the transfer now... */
 	if (sspi->tx_buf)
@@ -332,7 +336,7 @@ static int sun6i_spi_runtime_resume(struct device *dev)
 	}
 
 	sun6i_spi_write(sspi, SUN6I_GBL_CTL_REG,
-			SUN6I_GBL_CTL_BUS_ENABLE | SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
+			SUN6I_GBL_CTL_MASTER | SUN6I_GBL_CTL_TP);
 
 	return 0;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 060/188] crypto: nx - Fix RCU warning in nx842_OF_upd_status
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (58 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 059/188] spi: spi-sun6i: Fix chipselect/clock bug Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 061/188] ACPI: sysfs: Fix a buffer overrun problem with description_show() Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Herbert Xu, Sasha Levin

From: Herbert Xu <herbert@gondor.apana.org.au>

[ Upstream commit 2a96726bd0ccde4f12b9b9a9f61f7b1ac5af7e10 ]

The function nx842_OF_upd_status triggers a sparse RCU warning when
it directly dereferences the RCU-protected devdata.  This appears
to be an accident as there was another variable of the same name
that was passed in from the caller.

After it was removed (because the main purpose of using it, to
update the status member was itself removed) the global variable
unintenionally stood in as its replacement.

This patch restores the devdata parameter.

Fixes: 90fd73f912f0 ("crypto: nx - remove pSeries NX 'status' field")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/crypto/nx/nx-842-pseries.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/crypto/nx/nx-842-pseries.c b/drivers/crypto/nx/nx-842-pseries.c
index 2e5b4004f0ee..1b8c87770645 100644
--- a/drivers/crypto/nx/nx-842-pseries.c
+++ b/drivers/crypto/nx/nx-842-pseries.c
@@ -553,13 +553,15 @@ static int nx842_OF_set_defaults(struct nx842_devdata *devdata)
  * The status field indicates if the device is enabled when the status
  * is 'okay'.  Otherwise the device driver will be disabled.
  *
- * @prop - struct property point containing the maxsyncop for the update
+ * @devdata: struct nx842_devdata to use for dev_info
+ * @prop: struct property point containing the maxsyncop for the update
  *
  * Returns:
  *  0 - Device is available
  *  -ENODEV - Device is not available
  */
-static int nx842_OF_upd_status(struct property *prop)
+static int nx842_OF_upd_status(struct nx842_devdata *devdata,
+			       struct property *prop)
 {
 	const char *status = (const char *)prop->value;
 
@@ -773,7 +775,7 @@ static int nx842_OF_upd(struct property *new_prop)
 		goto out;
 
 	/* Perform property updates */
-	ret = nx842_OF_upd_status(status);
+	ret = nx842_OF_upd_status(new_devdata, status);
 	if (ret)
 		goto error_out;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 061/188] ACPI: sysfs: Fix a buffer overrun problem with description_show()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (59 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 060/188] crypto: nx - Fix RCU warning in nx842_OF_upd_status Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 062/188] net: pch_gbe: Propagate error from devm_gpio_request_one() Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Wilczyński,
	Bjorn Helgaas, Rafael J. Wysocki, Sasha Levin

From: Krzysztof Wilczyński <kw@linux.com>

[ Upstream commit 888be6067b97132c3992866bbcf647572253ab3f ]

Currently, a device description can be obtained using ACPI, if the _STR
method exists for a particular device, and then exposed to the userspace
via a sysfs object as a string value.

If the _STR method is available for a given device then the data
(usually a Unicode string) is read and stored in a buffer (of the
ACPI_TYPE_BUFFER type) with a pointer to said buffer cached in the
struct acpi_device_pnp for later access.

The description_show() function is responsible for exposing the device
description to the userspace via a corresponding sysfs object and
internally calls the utf16s_to_utf8s() function with a pointer to the
buffer that contains the Unicode string so that it can be converted from
UTF16 encoding to UTF8 and thus allowing for the value to be safely
stored and later displayed.

When invoking the utf16s_to_utf8s() function, the description_show()
function also sets a limit of the data that can be saved into a provided
buffer as a result of the character conversion to be a total of
PAGE_SIZE, and upon completion, the utf16s_to_utf8s() function returns
an integer value denoting the number of bytes that have been written
into the provided buffer.

Following the execution of the utf16s_to_utf8s() a newline character
will be added at the end of the resulting buffer so that when the value
is read in the userspace through the sysfs object then it would include
newline making it more accessible when working with the sysfs file
system in the shell, etc.  Normally, this wouldn't be a problem, but if
the function utf16s_to_utf8s() happens to return the number of bytes
written to be precisely PAGE_SIZE, then we would overrun the buffer and
write the newline character outside the allotted space which can have
undefined consequences or result in a failure.

To fix this buffer overrun, ensure that there always is enough space
left for the newline character to be safely appended.

Fixes: d1efe3c324ea ("ACPI: Add new sysfs interface to export device description")
Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
Reviewed-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/device_sysfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/acpi/device_sysfs.c b/drivers/acpi/device_sysfs.c
index 139ee989b0d0..c201aaf287dc 100644
--- a/drivers/acpi/device_sysfs.c
+++ b/drivers/acpi/device_sysfs.c
@@ -450,7 +450,7 @@ static ssize_t description_show(struct device *dev,
 		(wchar_t *)acpi_dev->pnp.str_obj->buffer.pointer,
 		acpi_dev->pnp.str_obj->buffer.length,
 		UTF16_LITTLE_ENDIAN, buf,
-		PAGE_SIZE);
+		PAGE_SIZE - 1);
 
 	buf[result++] = '\n';
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 062/188] net: pch_gbe: Propagate error from devm_gpio_request_one()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (60 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 061/188] ACPI: sysfs: Fix a buffer overrun problem with description_show() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 063/188] ehea: fix error return code in ehea_restart_qps() Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Andy Shevchenko, Flavio Suligoi,
	David S. Miller, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 9e3617a7b84512bf96c04f9cf82d1a7257d33794 ]

If GPIO controller is not available yet we need to defer
the probe of GBE until provider will become available.

While here, drop GPIOF_EXPORT because it's deprecated and
may not be available.

Fixes: f1a26fdf5944 ("pch_gbe: Add MinnowBoard support")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Flavio Suligoi <f.suligoi@asem.it>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
index 3b98b263bad0..a7ec9492d126 100644
--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
@@ -2625,9 +2625,13 @@ static int pch_gbe_probe(struct pci_dev *pdev,
 	adapter->pdev = pdev;
 	adapter->hw.back = adapter;
 	adapter->hw.reg = pcim_iomap_table(pdev)[PCH_GBE_PCI_BAR];
+
 	adapter->pdata = (struct pch_gbe_privdata *)pci_id->driver_data;
-	if (adapter->pdata && adapter->pdata->platform_init)
-		adapter->pdata->platform_init(pdev);
+	if (adapter->pdata && adapter->pdata->platform_init) {
+		ret = adapter->pdata->platform_init(pdev);
+		if (ret)
+			goto err_free_netdev;
+	}
 
 	adapter->ptp_pdev = pci_get_bus_and_slot(adapter->pdev->bus->number,
 					       PCI_DEVFN(12, 4));
@@ -2717,7 +2721,7 @@ err_free_netdev:
  */
 static int pch_gbe_minnow_platform_init(struct pci_dev *pdev)
 {
-	unsigned long flags = GPIOF_DIR_OUT | GPIOF_INIT_HIGH | GPIOF_EXPORT;
+	unsigned long flags = GPIOF_OUT_INIT_HIGH;
 	unsigned gpio = MINNOW_PHY_RESET_GPIO;
 	int ret;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 063/188] ehea: fix error return code in ehea_restart_qps()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (61 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 062/188] net: pch_gbe: Propagate error from devm_gpio_request_one() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 064/188] drm: qxl: ensure surf.data is ininitialized Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Jakub Kicinski,
	Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 015dbf5662fd689d581c0bc980711b073ca09a1a ]

Fix to return -EFAULT from the error handling case instead of 0, as done
elsewhere in this function.

By the way, when get_zeroed_page() fails, directly return -ENOMEM to
simplify code.

Fixes: 2c69448bbced ("ehea: DLPAR memory add fix")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210528085555.9390-1-thunder.leizhen@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ibm/ehea/ehea_main.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/ibm/ehea/ehea_main.c b/drivers/net/ethernet/ibm/ehea/ehea_main.c
index efe84ca20da7..43fc6d370457 100644
--- a/drivers/net/ethernet/ibm/ehea/ehea_main.c
+++ b/drivers/net/ethernet/ibm/ehea/ehea_main.c
@@ -2654,10 +2654,8 @@ static int ehea_restart_qps(struct net_device *dev)
 	u16 dummy16 = 0;
 
 	cb0 = (void *)get_zeroed_page(GFP_KERNEL);
-	if (!cb0) {
-		ret = -ENOMEM;
-		goto out;
-	}
+	if (!cb0)
+		return -ENOMEM;
 
 	for (i = 0; i < (port->num_def_qps); i++) {
 		struct ehea_port_res *pr =  &port->port_res[i];
@@ -2677,6 +2675,7 @@ static int ehea_restart_qps(struct net_device *dev)
 					    cb0);
 		if (hret != H_SUCCESS) {
 			netdev_err(dev, "query_ehea_qp failed (1)\n");
+			ret = -EFAULT;
 			goto out;
 		}
 
@@ -2689,6 +2688,7 @@ static int ehea_restart_qps(struct net_device *dev)
 					     &dummy64, &dummy16, &dummy16);
 		if (hret != H_SUCCESS) {
 			netdev_err(dev, "modify_ehea_qp failed (1)\n");
+			ret = -EFAULT;
 			goto out;
 		}
 
@@ -2697,6 +2697,7 @@ static int ehea_restart_qps(struct net_device *dev)
 					    cb0);
 		if (hret != H_SUCCESS) {
 			netdev_err(dev, "query_ehea_qp failed (2)\n");
+			ret = -EFAULT;
 			goto out;
 		}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 064/188] drm: qxl: ensure surf.data is ininitialized
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (62 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 063/188] ehea: fix error return code in ehea_restart_qps() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 065/188] wireless: carl9170: fix LEDS build errors & warnings Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Colin Ian King, Gerd Hoffmann, Sasha Levin

From: Colin Ian King <colin.king@canonical.com>

[ Upstream commit fbbf23ddb2a1cc0c12c9f78237d1561c24006f50 ]

The object surf is not fully initialized and the uninitialized
field surf.data is being copied by the call to qxl_bo_create
via the call to qxl_gem_object_create. Set surf.data to zero
to ensure garbage data from the stack is not being copied.

Addresses-Coverity: ("Uninitialized scalar variable")
Fixes: f64122c1f6ad ("drm: add new QXL driver. (v1.4)")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20210608161313.161922-1-colin.king@canonical.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/qxl/qxl_dumb.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c
index d34bb4130ff0..5f757328fced 100644
--- a/drivers/gpu/drm/qxl/qxl_dumb.c
+++ b/drivers/gpu/drm/qxl/qxl_dumb.c
@@ -57,6 +57,8 @@ int qxl_mode_dumb_create(struct drm_file *file_priv,
 	surf.height = args->height;
 	surf.stride = pitch;
 	surf.format = format;
+	surf.data = 0;
+
 	r = qxl_gem_object_create_with_handle(qdev, file_priv,
 					      QXL_GEM_DOMAIN_VRAM,
 					      args->size, &surf, &qobj,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 065/188] wireless: carl9170: fix LEDS build errors & warnings
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (63 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 064/188] drm: qxl: ensure surf.data is ininitialized Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 066/188] brcmsmac: mac80211_if: Fix a resource leak in an error handling path Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, kernel test robot,
	Kalle Valo, Christian Lamparter, linux-wireless, Arnd Bergmann,
	Christian Lamparter, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 272fdc0c4542fad173b44965be02a16d6db95499 ]

kernel test robot reports over 200 build errors and warnings
that are due to this Kconfig problem when CARL9170=m,
MAC80211=y, and LEDS_CLASS=m.

WARNING: unmet direct dependencies detected for MAC80211_LEDS
  Depends on [n]: NET [=y] && WIRELESS [=y] && MAC80211 [=y] && (LEDS_CLASS [=m]=y || LEDS_CLASS [=m]=MAC80211 [=y])
  Selected by [m]:
  - CARL9170_LEDS [=y] && NETDEVICES [=y] && WLAN [=y] && WLAN_VENDOR_ATH [=y] && CARL9170 [=m]

CARL9170_LEDS selects MAC80211_LEDS even though its kconfig
dependencies are not met. This happens because 'select' does not follow
any Kconfig dependency chains.

Fix this by making CARL9170_LEDS depend on MAC80211_LEDS, where
the latter supplies any needed dependencies on LEDS_CLASS.

Fixes: 1d7e1e6b1b8ed ("carl9170: Makefile, Kconfig files and MAINTAINERS")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: Christian Lamparter <chunkeey@googlemail.com>
Cc: linux-wireless@vger.kernel.org
Cc: Arnd Bergmann <arnd@arndb.de>
Suggested-by: Christian Lamparter <chunkeey@googlemail.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210530031134.23274-1-rdunlap@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/carl9170/Kconfig | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/drivers/net/wireless/ath/carl9170/Kconfig b/drivers/net/wireless/ath/carl9170/Kconfig
index 1a796e5f69ec..3fc87997fcb3 100644
--- a/drivers/net/wireless/ath/carl9170/Kconfig
+++ b/drivers/net/wireless/ath/carl9170/Kconfig
@@ -17,13 +17,11 @@ config CARL9170
 
 config CARL9170_LEDS
 	bool "SoftLED Support"
-	depends on CARL9170
-	select MAC80211_LEDS
-	select LEDS_CLASS
-	select NEW_LEDS
 	default y
+	depends on CARL9170
+	depends on MAC80211_LEDS
 	help
-	  This option is necessary, if you want your device' LEDs to blink
+	  This option is necessary, if you want your device's LEDs to blink.
 
 	  Say Y, unless you need the LEDs for firmware debugging.
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 066/188] brcmsmac: mac80211_if: Fix a resource leak in an error handling path
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (64 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 065/188] wireless: carl9170: fix LEDS build errors & warnings Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 067/188] ath10k: Fix an error code in ath10k_add_interface() Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Arend van Spriel,
	Kalle Valo, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 9a25344d5177c2b9285532236dc3d10a091f39a8 ]

If 'brcms_attach()' fails, we must undo the previous 'ieee80211_alloc_hw()'
as already done in the remove function.

Fixes: 5b435de0d786 ("net: wireless: add brcm80211 drivers")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/8fbc171a1a493b38db5a6f0873c6021fca026a6c.1620852921.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
index a4e1eec96c60..e3a500fb4e3c 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/mac80211_if.c
@@ -1221,6 +1221,7 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
 {
 	struct brcms_info *wl;
 	struct ieee80211_hw *hw;
+	int ret;
 
 	dev_info(&pdev->dev, "mfg %x core %x rev %d class %d irq %d\n",
 		 pdev->id.manuf, pdev->id.id, pdev->id.rev, pdev->id.class,
@@ -1245,11 +1246,16 @@ static int brcms_bcma_probe(struct bcma_device *pdev)
 	wl = brcms_attach(pdev);
 	if (!wl) {
 		pr_err("%s: brcms_attach failed!\n", __func__);
-		return -ENODEV;
+		ret = -ENODEV;
+		goto err_free_ieee80211;
 	}
 	brcms_led_register(wl);
 
 	return 0;
+
+err_free_ieee80211:
+	ieee80211_free_hw(hw);
+	return ret;
 }
 
 static int brcms_suspend(struct bcma_device *pdev)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 067/188] ath10k: Fix an error code in ath10k_add_interface()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 066/188] brcmsmac: mac80211_if: Fix a resource leak in an error handling path Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 068/188] netlabel: Fix memory leak in netlbl_mgmt_add_common Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Yang Li, Kalle Valo,
	Sasha Levin

From: Yang Li <yang.lee@linux.alibaba.com>

[ Upstream commit e9ca70c735ce66fc6a0e02c8b6958434f74ef8de ]

When the code execute this if statement, the value of ret is 0.
However, we can see from the ath10k_warn() log that the value of
ret should be -EINVAL.

Clean up smatch warning:

drivers/net/wireless/ath/ath10k/mac.c:5596 ath10k_add_interface() warn:
missing error code 'ret'

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Fixes: ccec9038c721 ("ath10k: enable raw encap mode and software crypto engine")
Signed-off-by: Yang Li <yang.lee@linux.alibaba.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1621939577-62218-1-git-send-email-yang.lee@linux.alibaba.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath10k/mac.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/ath/ath10k/mac.c b/drivers/net/wireless/ath/ath10k/mac.c
index 5fad38c3feb1..7993ca956ede 100644
--- a/drivers/net/wireless/ath/ath10k/mac.c
+++ b/drivers/net/wireless/ath/ath10k/mac.c
@@ -4450,6 +4450,7 @@ static int ath10k_add_interface(struct ieee80211_hw *hw,
 
 	if (arvif->nohwcrypt &&
 	    !test_bit(ATH10K_FLAG_RAW_MODE, &ar->dev_flags)) {
+		ret = -EINVAL;
 		ath10k_warn(ar, "cryptmode module param needed for sw crypto\n");
 		goto err;
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 068/188] netlabel: Fix memory leak in netlbl_mgmt_add_common
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 067/188] ath10k: Fix an error code in ath10k_add_interface() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 069/188] netfilter: nft_exthdr: check for IPv6 packet before further processing Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Liu Shixin,
	David S. Miller, Sasha Levin

From: Liu Shixin <liushixin2@huawei.com>

[ Upstream commit b8f6b0522c298ae9267bd6584e19b942a0636910 ]

Hulk Robot reported memory leak in netlbl_mgmt_add_common.
The problem is non-freed map in case of netlbl_domhsh_add() failed.

BUG: memory leak
unreferenced object 0xffff888100ab7080 (size 96):
  comm "syz-executor537", pid 360, jiffies 4294862456 (age 22.678s)
  hex dump (first 32 bytes):
    05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    fe 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01  ................
  backtrace:
    [<0000000008b40026>] netlbl_mgmt_add_common.isra.0+0xb2a/0x1b40
    [<000000003be10950>] netlbl_mgmt_add+0x271/0x3c0
    [<00000000c70487ed>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320
    [<000000001f2ff614>] genl_rcv_msg+0x2bf/0x4f0
    [<0000000089045792>] netlink_rcv_skb+0x134/0x3d0
    [<0000000020e96fdd>] genl_rcv+0x24/0x40
    [<0000000042810c66>] netlink_unicast+0x4a0/0x6a0
    [<000000002e1659f0>] netlink_sendmsg+0x789/0xc70
    [<000000006e43415f>] sock_sendmsg+0x139/0x170
    [<00000000680a73d7>] ____sys_sendmsg+0x658/0x7d0
    [<0000000065cbb8af>] ___sys_sendmsg+0xf8/0x170
    [<0000000019932b6c>] __sys_sendmsg+0xd3/0x190
    [<00000000643ac172>] do_syscall_64+0x37/0x90
    [<000000009b79d6dc>] entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 63c416887437 ("netlabel: Add network address selectors to the NetLabel/LSM domain mapping")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Liu Shixin <liushixin2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlabel/netlabel_mgmt.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/netlabel/netlabel_mgmt.c b/net/netlabel/netlabel_mgmt.c
index 13f777f20995..5f1218dc9162 100644
--- a/net/netlabel/netlabel_mgmt.c
+++ b/net/netlabel/netlabel_mgmt.c
@@ -92,6 +92,7 @@ static const struct nla_policy netlbl_mgmt_genl_policy[NLBL_MGMT_A_MAX + 1] = {
 static int netlbl_mgmt_add_common(struct genl_info *info,
 				  struct netlbl_audit *audit_info)
 {
+	void *pmap = NULL;
 	int ret_val = -EINVAL;
 	struct netlbl_domaddr_map *addrmap = NULL;
 	struct cipso_v4_doi *cipsov4 = NULL;
@@ -165,6 +166,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
 			ret_val = -ENOMEM;
 			goto add_free_addrmap;
 		}
+		pmap = map;
 		map->list.addr = addr->s_addr & mask->s_addr;
 		map->list.mask = mask->s_addr;
 		map->list.valid = 1;
@@ -173,10 +175,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
 			map->def.cipso = cipsov4;
 
 		ret_val = netlbl_af4list_add(&map->list, &addrmap->list4);
-		if (ret_val != 0) {
-			kfree(map);
-			goto add_free_addrmap;
-		}
+		if (ret_val != 0)
+			goto add_free_map;
 
 		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
 		entry->def.addrsel = addrmap;
@@ -212,6 +212,7 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
 			ret_val = -ENOMEM;
 			goto add_free_addrmap;
 		}
+		pmap = map;
 		map->list.addr = *addr;
 		map->list.addr.s6_addr32[0] &= mask->s6_addr32[0];
 		map->list.addr.s6_addr32[1] &= mask->s6_addr32[1];
@@ -222,10 +223,8 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
 		map->def.type = entry->def.type;
 
 		ret_val = netlbl_af6list_add(&map->list, &addrmap->list6);
-		if (ret_val != 0) {
-			kfree(map);
-			goto add_free_addrmap;
-		}
+		if (ret_val != 0)
+			goto add_free_map;
 
 		entry->def.type = NETLBL_NLTYPE_ADDRSELECT;
 		entry->def.addrsel = addrmap;
@@ -234,10 +233,12 @@ static int netlbl_mgmt_add_common(struct genl_info *info,
 
 	ret_val = netlbl_domhsh_add(entry, audit_info);
 	if (ret_val != 0)
-		goto add_free_addrmap;
+		goto add_free_map;
 
 	return 0;
 
+add_free_map:
+	kfree(pmap);
 add_free_addrmap:
 	kfree(addrmap);
 add_doi_put_def:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 069/188] netfilter: nft_exthdr: check for IPv6 packet before further processing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 068/188] netlabel: Fix memory leak in netlbl_mgmt_add_common Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 070/188] net: ethernet: aeroflex: fix UAF in greth_of_remove Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pablo Neira Ayuso, Sasha Levin

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit cdd73cc545c0fb9b1a1f7b209f4f536e7990cff4 ]

ipv6_find_hdr() does not validate that this is an IPv6 packet. Add a
sanity check for calling ipv6_find_hdr() to make sure an IPv6 packet
is passed for parsing.

Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_exthdr.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index ba7aed13e174..a81f6bf42d1f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -34,6 +34,9 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
 	unsigned int offset = 0;
 	int err;
 
+	if (pkt->skb->protocol != htons(ETH_P_IPV6))
+		goto err;
+
 	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
 	if (err < 0)
 		goto err;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 070/188] net: ethernet: aeroflex: fix UAF in greth_of_remove
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 069/188] netfilter: nft_exthdr: check for IPv6 packet before further processing Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 071/188] net: ethernet: ezchip: fix UAF in nps_enet_remove Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit e3a5de6d81d8b2199935c7eb3f7d17a50a7075b7 ]

static int greth_of_remove(struct platform_device *of_dev)
{
...
	struct greth_private *greth = netdev_priv(ndev);
...
	unregister_netdev(ndev);
	free_netdev(ndev);

	of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
...
}

greth is netdev private data, but it is used
after free_netdev(). It can cause use-after-free when accessing greth
pointer. So, fix it by moving free_netdev() after of_iounmap()
call.

Fixes: d4c41139df6e ("net: Add Aeroflex Gaisler 10/100/1G Ethernet MAC driver")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/aeroflex/greth.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/aeroflex/greth.c b/drivers/net/ethernet/aeroflex/greth.c
index 20bf55dbd76f..e3ca8abb14f4 100644
--- a/drivers/net/ethernet/aeroflex/greth.c
+++ b/drivers/net/ethernet/aeroflex/greth.c
@@ -1579,10 +1579,11 @@ static int greth_of_remove(struct platform_device *of_dev)
 	mdiobus_unregister(greth->mdio);
 
 	unregister_netdev(ndev);
-	free_netdev(ndev);
 
 	of_iounmap(&of_dev->resource[0], greth->regs, resource_size(&of_dev->resource[0]));
 
+	free_netdev(ndev);
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 071/188] net: ethernet: ezchip: fix UAF in nps_enet_remove
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 070/188] net: ethernet: aeroflex: fix UAF in greth_of_remove Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 072/188] net: ethernet: ezchip: fix error handling Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit e4b8700e07a86e8eab6916aa5c5ba99042c34089 ]

priv is netdev private data, but it is used
after free_netdev(). It can cause use-after-free when accessing priv
pointer. So, fix it by moving free_netdev() after netif_napi_del()
call.

Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
index b1026689b78f..73d2bc349b2f 100644
--- a/drivers/net/ethernet/ezchip/nps_enet.c
+++ b/drivers/net/ethernet/ezchip/nps_enet.c
@@ -621,8 +621,8 @@ static s32 nps_enet_remove(struct platform_device *pdev)
 	struct nps_enet_priv *priv = netdev_priv(ndev);
 
 	unregister_netdev(ndev);
-	free_netdev(ndev);
 	netif_napi_del(&priv->napi);
+	free_netdev(ndev);
 
 	return 0;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 072/188] net: ethernet: ezchip: fix error handling
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 071/188] net: ethernet: ezchip: fix UAF in nps_enet_remove Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 073/188] vxlan: add missing rcu_read_lock() in neigh_reduce() Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, David S. Miller, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit 0de449d599594f5472e00267d651615c7f2c6c1d ]

As documented at drivers/base/platform.c for platform_get_irq:

 * Gets an IRQ for a platform device and prints an error message if finding the
 * IRQ fails. Device drivers should check the return value for errors so as to
 * not pass a negative integer value to the request_irq() APIs.

So, the driver should check that platform_get_irq() return value
is _negative_, not that it's equal to zero, because -ENXIO (return
value from request_irq() if irq was not found) will
pass this check and it leads to passing negative irq to request_irq()

Fixes: 0dd077093636 ("NET: Add ezchip ethernet driver")
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/ezchip/nps_enet.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/ezchip/nps_enet.c b/drivers/net/ethernet/ezchip/nps_enet.c
index 73d2bc349b2f..2cb20d8e6bdf 100644
--- a/drivers/net/ethernet/ezchip/nps_enet.c
+++ b/drivers/net/ethernet/ezchip/nps_enet.c
@@ -586,7 +586,7 @@ static s32 nps_enet_probe(struct platform_device *pdev)
 
 	/* Get IRQ number */
 	priv->irq = platform_get_irq(pdev, 0);
-	if (!priv->irq) {
+	if (priv->irq < 0) {
 		dev_err(dev, "failed to retrieve <irq Rx-Tx> value from device tree\n");
 		err = -ENODEV;
 		goto out_netdev;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 073/188] vxlan: add missing rcu_read_lock() in neigh_reduce()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 072/188] net: ethernet: ezchip: fix error handling Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 074/188] i40e: Fix error handling in i40e_vsi_open Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Eric Dumazet, syzbot,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 85e8b032d6ebb0f698a34dd22c2f13443d905888 ]

syzbot complained in neigh_reduce(), because rcu_read_lock_bh()
is treated differently than rcu_read_lock()

WARNING: suspicious RCU usage
5.13.0-rc6-syzkaller #0 Not tainted
-----------------------------
include/net/addrconf.h:313 suspicious rcu_dereference_check() usage!

other info that might help us debug this:

rcu_scheduler_active = 2, debug_locks = 1
3 locks held by kworker/0:0/5:
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: arch_atomic64_set arch/x86/include/asm/atomic64_64.h:34 [inline]
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic64_set include/asm-generic/atomic-instrumented.h:856 [inline]
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: atomic_long_set include/asm-generic/atomic-long.h:41 [inline]
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_data kernel/workqueue.c:617 [inline]
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: set_work_pool_and_clear_pending kernel/workqueue.c:644 [inline]
 #0: ffff888011064d38 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x871/0x1600 kernel/workqueue.c:2247
 #1: ffffc90000ca7da8 ((work_completion)(&port->wq)){+.+.}-{0:0}, at: process_one_work+0x8a5/0x1600 kernel/workqueue.c:2251
 #2: ffffffff8bf795c0 (rcu_read_lock_bh){....}-{1:2}, at: __dev_queue_xmit+0x1da/0x3130 net/core/dev.c:4180

stack backtrace:
CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.13.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events ipvlan_process_multicast
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 __in6_dev_get include/net/addrconf.h:313 [inline]
 __in6_dev_get include/net/addrconf.h:311 [inline]
 neigh_reduce drivers/net/vxlan.c:2167 [inline]
 vxlan_xmit+0x34d5/0x4c30 drivers/net/vxlan.c:2919
 __netdev_start_xmit include/linux/netdevice.h:4944 [inline]
 netdev_start_xmit include/linux/netdevice.h:4958 [inline]
 xmit_one net/core/dev.c:3654 [inline]
 dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3670
 __dev_queue_xmit+0x2133/0x3130 net/core/dev.c:4246
 ipvlan_process_multicast+0xa99/0xd70 drivers/net/ipvlan/ipvlan_core.c:287
 process_one_work+0x98d/0x1600 kernel/workqueue.c:2276
 worker_thread+0x64c/0x1120 kernel/workqueue.c:2422
 kthread+0x3b1/0x4a0 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:294

Fixes: f564f45c4518 ("vxlan: add ipv6 proxy support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/vxlan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
index 50ede6b8b874..4d44ec5b7cd7 100644
--- a/drivers/net/vxlan.c
+++ b/drivers/net/vxlan.c
@@ -1549,6 +1549,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb)
 	struct neighbour *n;
 	struct inet6_dev *in6_dev;
 
+	rcu_read_lock();
 	in6_dev = __in6_dev_get(dev);
 	if (!in6_dev)
 		goto out;
@@ -1605,6 +1606,7 @@ static int neigh_reduce(struct net_device *dev, struct sk_buff *skb)
 	}
 
 out:
+	rcu_read_unlock();
 	consume_skb(skb);
 	return NETDEV_TX_OK;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 074/188] i40e: Fix error handling in i40e_vsi_open
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 073/188] vxlan: add missing rcu_read_lock() in neigh_reduce() Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:50 ` [PATCH 4.4 075/188] writeback: fix obtain a reference to a freeing memcg css Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dinghao Liu, Tony Brelinski,
	Tony Nguyen, Sasha Levin

From: Dinghao Liu <dinghao.liu@zju.edu.cn>

[ Upstream commit 9c04cfcd4aad232e36306cdc5c74cd9fc9148a7e ]

When vsi->type == I40E_VSI_FDIR, we have caught the return value of
i40e_vsi_request_irq() but without further handling. Check and execute
memory clean on failure just like the other i40e_vsi_request_irq().

Fixes: 8a9eb7d3cbcab ("i40e: rework fdir setup and teardown")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Tested-by: Tony Brelinski <tonyx.brelinski@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/i40e/i40e_main.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/intel/i40e/i40e_main.c b/drivers/net/ethernet/intel/i40e/i40e_main.c
index 8bdc17658f3f..d6d4faa5c542 100644
--- a/drivers/net/ethernet/intel/i40e/i40e_main.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_main.c
@@ -5409,6 +5409,8 @@ int i40e_vsi_open(struct i40e_vsi *vsi)
 			 dev_driver_string(&pf->pdev->dev),
 			 dev_name(&pf->pdev->dev));
 		err = i40e_vsi_request_irq(vsi, int_name);
+		if (err)
+			goto err_setup_rx;
 
 	} else {
 		err = -EINVAL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 075/188] writeback: fix obtain a reference to a freeing memcg css
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 074/188] i40e: Fix error handling in i40e_vsi_open Greg Kroah-Hartman
@ 2021-07-19 14:50 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 076/188] tty: nozomi: Fix a resource leak in an error handling function Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:50 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Muchun Song, Michal Hocko, Tejun Heo,
	Jan Kara, Sasha Levin

From: Muchun Song <songmuchun@bytedance.com>

[ Upstream commit 8b0ed8443ae6458786580d36b7d5f8125535c5d4 ]

The caller of wb_get_create() should pin the memcg, because
wb_get_create() relies on this guarantee. The rcu read lock
only can guarantee that the memcg css returned by css_from_id()
cannot be released, but the reference of the memcg can be zero.

  rcu_read_lock()
  memcg_css = css_from_id()
  wb_get_create(memcg_css)
      cgwb_create(memcg_css)
          // css_get can change the ref counter from 0 back to 1
          css_get(memcg_css)
  rcu_read_unlock()

Fix it by holding a reference to the css before calling
wb_get_create(). This is not a problem I encountered in the
real world. Just the result of a code review.

Fixes: 682aa8e1a6a1 ("writeback: implement unlocked_inode_to_wb transaction and use it for stat updates")
Link: https://lore.kernel.org/r/20210402091145.80635-1-songmuchun@bytedance.com
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/fs-writeback.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index 958a1bd0b5fc..0ce7ff7a2ce8 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -512,9 +512,14 @@ static void inode_switch_wbs(struct inode *inode, int new_wb_id)
 	/* find and pin the new wb */
 	rcu_read_lock();
 	memcg_css = css_from_id(new_wb_id, &memory_cgrp_subsys);
-	if (memcg_css)
-		isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
+	if (memcg_css && !css_tryget(memcg_css))
+		memcg_css = NULL;
 	rcu_read_unlock();
+	if (!memcg_css)
+		goto out_free;
+
+	isw->new_wb = wb_get_create(bdi, memcg_css, GFP_ATOMIC);
+	css_put(memcg_css);
 	if (!isw->new_wb)
 		goto out_free;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 076/188] tty: nozomi: Fix a resource leak in an error handling function
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2021-07-19 14:50 ` [PATCH 4.4 075/188] writeback: fix obtain a reference to a freeing memcg css Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 077/188] iio: adis_buffer: do not return ints in irq handlers Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiri Slaby, Christophe JAILLET, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 31a9a318255960d32ae183e95d0999daf2418608 ]

A 'request_irq()' call is not balanced by a corresponding 'free_irq()' in
the error handling path, as already done in the remove function.

Add it.

Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
Reviewed-by: Jiri Slaby <jirislaby@kernel.org>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/4f0d2b3038e82f081d370ccb0cade3ad88463fe7.1620580838.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/nozomi.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
index 5cc80b80c82b..880cfc780e67 100644
--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -1479,6 +1479,7 @@ err_free_tty:
 		tty_unregister_device(ntty_driver, dc->index_start + i);
 		tty_port_destroy(&dc->port[i].port);
 	}
+	free_irq(pdev->irq, dc);
 err_free_kfifo:
 	for (i = 0; i < MAX_PORT; i++)
 		kfifo_free(&dc->port[i].fifo_ul);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 077/188] iio: adis_buffer: do not return ints in irq handlers
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 076/188] tty: nozomi: Fix a resource leak in an error handling function Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 078/188] iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Alexandru Ardelean, Nuno Sa,
	Jonathan Cameron, Sasha Levin

From: Nuno Sa <nuno.sa@analog.com>

[ Upstream commit d877539ad8e8fdde9af69887055fec6402be1a13 ]

On an IRQ handler we should not return normal error codes as 'irqreturn_t'
is expected.

Not necessarily stable material as the old check cannot fail, so it's a bug
we can not hit.

Fixes: ccd2b52f4ac69 ("staging:iio: Add common ADIS library")
Reviewed-by: Alexandru Ardelean <ardeleanalex@gmail.com>
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20210422101911.135630-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/imu/adis_buffer.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/drivers/iio/imu/adis_buffer.c b/drivers/iio/imu/adis_buffer.c
index 9de553e8c214..625f54d9e382 100644
--- a/drivers/iio/imu/adis_buffer.c
+++ b/drivers/iio/imu/adis_buffer.c
@@ -83,9 +83,6 @@ static irqreturn_t adis_trigger_handler(int irq, void *p)
 	struct adis *adis = iio_device_get_drvdata(indio_dev);
 	int ret;
 
-	if (!adis->buffer)
-		return -ENOMEM;
-
 	if (adis->data->has_paging) {
 		mutex_lock(&adis->txrx_lock);
 		if (adis->current_page != 0) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 078/188] iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 077/188] iio: adis_buffer: do not return ints in irq handlers Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 079/188] iio: accel: stk8312: " Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Peter Meerwald,
	Andy Shevchenko, Sasha Levin

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit fc36da3131a747a9367a05caf06de19be1bcc972 ]

To make code more readable, use a structure to express the channel
layout and ensure the timestamp is 8 byte aligned.

Found during an audit of all calls of this function.

Fixes: b9a6a237ffc9 ("iio:bma180: Drop _update_scan_mode()")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Cc: Peter Meerwald <pmeerw@pmeerw.net>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210501170121.512209-2-jic23@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/accel/bma180.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/drivers/iio/accel/bma180.c b/drivers/iio/accel/bma180.c
index f04b88406995..68c9e5478fec 100644
--- a/drivers/iio/accel/bma180.c
+++ b/drivers/iio/accel/bma180.c
@@ -120,7 +120,11 @@ struct bma180_data {
 	int scale;
 	int bw;
 	bool pmode;
-	u8 buff[16]; /* 3x 16-bit + 8-bit + padding + timestamp */
+	/* Ensure timestamp is naturally aligned */
+	struct {
+		s16 chan[4];
+		s64 timestamp __aligned(8);
+	} scan;
 };
 
 enum bma180_chan {
@@ -666,12 +670,12 @@ static irqreturn_t bma180_trigger_handler(int irq, void *p)
 			mutex_unlock(&data->mutex);
 			goto err;
 		}
-		((s16 *)data->buff)[i++] = ret;
+		data->scan.chan[i++] = ret;
 	}
 
 	mutex_unlock(&data->mutex);
 
-	iio_push_to_buffers_with_timestamp(indio_dev, data->buff, time_ns);
+	iio_push_to_buffers_with_timestamp(indio_dev, &data->scan, time_ns);
 err:
 	iio_trigger_notify_done(indio_dev->trig);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 079/188] iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 078/188] iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 080/188] iio: accel: stk8ba50: " Greg Kroah-Hartman
                   ` (113 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Andy Shevchenko,
	Sasha Levin

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit f40a71ffec808e7e51848f63f0c0d3c32d65081b ]

To make code more readable, use a structure to express the channel
layout and ensure the timestamp is 8 byte aligned.

Found during an audit of all calls of this function.

Fixes: 95c12bba51c3 ("iio: accel: Add buffer mode for Sensortek STK8312")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210501170121.512209-7-jic23@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/accel/stk8312.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/drivers/iio/accel/stk8312.c b/drivers/iio/accel/stk8312.c
index 85fe7f7247c1..945c80183f35 100644
--- a/drivers/iio/accel/stk8312.c
+++ b/drivers/iio/accel/stk8312.c
@@ -107,7 +107,11 @@ struct stk8312_data {
 	u8 mode;
 	struct iio_trigger *dready_trig;
 	bool dready_trigger_on;
-	s8 buffer[16]; /* 3x8-bit channels + 5x8 padding + 64-bit timestamp */
+	/* Ensure timestamp is naturally aligned */
+	struct {
+		s8 chans[3];
+		s64 timestamp __aligned(8);
+	} scan;
 };
 
 static IIO_CONST_ATTR(in_accel_scale_available, STK8312_SCALE_AVAIL);
@@ -444,7 +448,7 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
 		ret = i2c_smbus_read_i2c_block_data(data->client,
 						    STK8312_REG_XOUT,
 						    STK8312_ALL_CHANNEL_SIZE,
-						    data->buffer);
+						    data->scan.chans);
 		if (ret < STK8312_ALL_CHANNEL_SIZE) {
 			dev_err(&data->client->dev, "register read failed\n");
 			mutex_unlock(&data->lock);
@@ -458,12 +462,12 @@ static irqreturn_t stk8312_trigger_handler(int irq, void *p)
 				mutex_unlock(&data->lock);
 				goto err;
 			}
-			data->buffer[i++] = ret;
+			data->scan.chans[i++] = ret;
 		}
 	}
 	mutex_unlock(&data->lock);
 
-	iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+	iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
 					   pf->timestamp);
 err:
 	iio_trigger_notify_done(indio_dev->trig);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 080/188] iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 079/188] iio: accel: stk8312: " Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 081/188] Input: hil_kbd - fix error return code in hil_dev_connect() Greg Kroah-Hartman
                   ` (112 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jonathan Cameron, Andy Shevchenko,
	Sasha Levin

From: Jonathan Cameron <Jonathan.Cameron@huawei.com>

[ Upstream commit 334883894bc1e145a1e0f5de1b0d1b6a1133f0e6 ]

To make code more readable, use a structure to express the channel
layout and ensure the timestamp is 8 byte aligned.

Found during an audit of all calls of this function.

Fixes: db6a19b8251f ("iio: accel: Add trigger support for STK8BA50")
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20210501170121.512209-8-jic23@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iio/accel/stk8ba50.c | 17 ++++++++---------
 1 file changed, 8 insertions(+), 9 deletions(-)

diff --git a/drivers/iio/accel/stk8ba50.c b/drivers/iio/accel/stk8ba50.c
index 5709d9eb8f34..b6e2d15024c8 100644
--- a/drivers/iio/accel/stk8ba50.c
+++ b/drivers/iio/accel/stk8ba50.c
@@ -95,12 +95,11 @@ struct stk8ba50_data {
 	u8 sample_rate_idx;
 	struct iio_trigger *dready_trig;
 	bool dready_trigger_on;
-	/*
-	 * 3 x 16-bit channels (10-bit data, 6-bit padding) +
-	 * 1 x 16 padding +
-	 * 4 x 16 64-bit timestamp
-	 */
-	s16 buffer[8];
+	/* Ensure timestamp is naturally aligned */
+	struct {
+		s16 chans[3];
+		s64 timetamp __aligned(8);
+	} scan;
 };
 
 #define STK8BA50_ACCEL_CHANNEL(index, reg, axis) {			\
@@ -330,7 +329,7 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
 		ret = i2c_smbus_read_i2c_block_data(data->client,
 						    STK8BA50_REG_XOUT,
 						    STK8BA50_ALL_CHANNEL_SIZE,
-						    (u8 *)data->buffer);
+						    (u8 *)data->scan.chans);
 		if (ret < STK8BA50_ALL_CHANNEL_SIZE) {
 			dev_err(&data->client->dev, "register read failed\n");
 			goto err;
@@ -343,10 +342,10 @@ static irqreturn_t stk8ba50_trigger_handler(int irq, void *p)
 			if (ret < 0)
 				goto err;
 
-			data->buffer[i++] = ret;
+			data->scan.chans[i++] = ret;
 		}
 	}
-	iio_push_to_buffers_with_timestamp(indio_dev, data->buffer,
+	iio_push_to_buffers_with_timestamp(indio_dev, &data->scan,
 					   pf->timestamp);
 err:
 	mutex_unlock(&data->lock);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 081/188] Input: hil_kbd - fix error return code in hil_dev_connect()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 080/188] iio: accel: stk8ba50: " Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 082/188] char: pcmcia: error out if num_bytes_read is greater than 4 in set_protocol() Greg Kroah-Hartman
                   ` (111 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei,
	Dmitry Torokhov, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit d9b576917a1d0efa293801a264150a1b37691617 ]

Return error code -EINVAL rather than '0' when the combo devices are not
supported.

Fixes: fa71c605c2bb ("Input: combine hil_kbd and hil_ptr drivers")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210515030053.6824-1-thunder.leizhen@huawei.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/keyboard/hil_kbd.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/input/keyboard/hil_kbd.c b/drivers/input/keyboard/hil_kbd.c
index 5b152f25a8e1..da07742fd9a4 100644
--- a/drivers/input/keyboard/hil_kbd.c
+++ b/drivers/input/keyboard/hil_kbd.c
@@ -512,6 +512,7 @@ static int hil_dev_connect(struct serio *serio, struct serio_driver *drv)
 		    HIL_IDD_NUM_AXES_PER_SET(*idd)) {
 			printk(KERN_INFO PREFIX
 				"combo devices are not supported.\n");
+			error = -EINVAL;
 			goto bail1;
 		}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 082/188] char: pcmcia: error out if num_bytes_read is greater than 4 in set_protocol()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 081/188] Input: hil_kbd - fix error return code in hil_dev_connect() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 083/188] tty: nozomi: Fix the error handling path of nozomi_card_init() Greg Kroah-Hartman
                   ` (110 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Kuai, Sasha Levin

From: Yu Kuai <yukuai3@huawei.com>

[ Upstream commit 37188559c610f1b7eec83c8e448936c361c578de ]

Theoretically, it will cause index out of bounds error if
'num_bytes_read' is greater than 4. As we expect it(and was tested)
never to be greater than 4, error out if it happens.

Fixes: c1986ee9bea3 ("[PATCH] New Omnikey Cardman 4000 driver")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20210521120617.138396-1-yukuai3@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/pcmcia/cm4000_cs.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/char/pcmcia/cm4000_cs.c b/drivers/char/pcmcia/cm4000_cs.c
index c115217c79ae..f8d98f7e6fb7 100644
--- a/drivers/char/pcmcia/cm4000_cs.c
+++ b/drivers/char/pcmcia/cm4000_cs.c
@@ -544,6 +544,10 @@ static int set_protocol(struct cm4000_dev *dev, struct ptsreq *ptsreq)
 		io_read_num_rec_bytes(iobase, &num_bytes_read);
 		if (num_bytes_read >= 4) {
 			DEBUGP(2, dev, "NumRecBytes = %i\n", num_bytes_read);
+			if (num_bytes_read > 4) {
+				rc = -EIO;
+				goto exit_setprotocol;
+			}
 			break;
 		}
 		mdelay(10);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 083/188] tty: nozomi: Fix the error handling path of nozomi_card_init()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 082/188] char: pcmcia: error out if num_bytes_read is greater than 4 in set_protocol() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 084/188] scsi: FlashPoint: Rename si_flags field Greg Kroah-Hartman
                   ` (109 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Christophe JAILLET,
	Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 6ae7d0f5a92b9619f6e3c307ce56b2cefff3f0e9 ]

The error handling path is broken and we may un-register things that have
never been registered.

Update the loops index accordingly.

Fixes: 9842c38e9176 ("kfifo: fix warn_unused_result")
Suggested-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/e28c2e92c7475da25b03d022ea2d6dcf1ba807a2.1621968629.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/nozomi.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/nozomi.c b/drivers/tty/nozomi.c
index 880cfc780e67..1a3cc6ef4331 100644
--- a/drivers/tty/nozomi.c
+++ b/drivers/tty/nozomi.c
@@ -1437,7 +1437,7 @@ static int nozomi_card_init(struct pci_dev *pdev,
 			NOZOMI_NAME, dc);
 	if (unlikely(ret)) {
 		dev_err(&pdev->dev, "can't request irq %d\n", pdev->irq);
-		goto err_free_kfifo;
+		goto err_free_all_kfifo;
 	}
 
 	DBG1("base_addr: %p", dc->base_addr);
@@ -1475,13 +1475,15 @@ static int nozomi_card_init(struct pci_dev *pdev,
 	return 0;
 
 err_free_tty:
-	for (i = 0; i < MAX_PORT; ++i) {
+	for (i--; i >= 0; i--) {
 		tty_unregister_device(ntty_driver, dc->index_start + i);
 		tty_port_destroy(&dc->port[i].port);
 	}
 	free_irq(pdev->irq, dc);
+err_free_all_kfifo:
+	i = MAX_PORT;
 err_free_kfifo:
-	for (i = 0; i < MAX_PORT; i++)
+	for (i--; i >= PORT_MDM; i--)
 		kfifo_free(&dc->port[i].fifo_ul);
 err_free_sbuf:
 	kfree(dc->send_buf);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 084/188] scsi: FlashPoint: Rename si_flags field
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 083/188] tty: nozomi: Fix the error handling path of nozomi_card_init() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 085/188] s390: appldata depends on PROC_SYSCTL Greg Kroah-Hartman
                   ` (108 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, James E.J. Bottomley,
	Martin K. Petersen, Christoph Hellwig, Jens Axboe,
	Hannes Reinecke, Khalid Aziz, Khalid Aziz, kernel test robot,
	Randy Dunlap, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 4d431153e751caa93f3b7e6f6313446974e92253 ]

The BusLogic driver has build errors on ia64 due to a name collision (in
the #included FlashPoint.c file). Rename the struct field in struct
sccb_mgr_info from si_flags to si_mflags (manager flags) to mend the build.

This is the first problem. There are 50+ others after this one:

In file included from ../include/uapi/linux/signal.h:6,
                 from ../include/linux/signal_types.h:10,
                 from ../include/linux/sched.h:29,
                 from ../include/linux/hardirq.h:9,
                 from ../include/linux/interrupt.h:11,
                 from ../drivers/scsi/BusLogic.c:27:
../arch/ia64/include/uapi/asm/siginfo.h:15:27: error: expected ':', ',', ';', '}' or '__attribute__' before '.' token
   15 | #define si_flags _sifields._sigfault._flags
      |                           ^
../drivers/scsi/FlashPoint.c:43:6: note: in expansion of macro 'si_flags'
   43 |  u16 si_flags;
      |      ^~~~~~~~
In file included from ../drivers/scsi/BusLogic.c:51:
../drivers/scsi/FlashPoint.c: In function 'FlashPoint_ProbeHostAdapter':
../drivers/scsi/FlashPoint.c:1076:11: error: 'struct sccb_mgr_info' has no member named '_sifields'
 1076 |  pCardInfo->si_flags = 0x0000;
      |           ^~
../drivers/scsi/FlashPoint.c:1079:12: error: 'struct sccb_mgr_info' has no member named '_sifields'

Link: https://lore.kernel.org/r/20210529234857.6870-1-rdunlap@infradead.org
Fixes: 391e2f25601e ("[SCSI] BusLogic: Port driver to 64-bit.")
Cc: "James E.J. Bottomley" <jejb@linux.ibm.com>
Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Jens Axboe <axboe@kernel.dk>
Cc: Hannes Reinecke <hare@suse.de>
Cc: Khalid Aziz <khalid.aziz@oracle.com>
Cc: Khalid Aziz <khalid@gonehiking.org>
Reported-by: kernel test robot <lkp@intel.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/FlashPoint.c | 32 ++++++++++++++++----------------
 1 file changed, 16 insertions(+), 16 deletions(-)

diff --git a/drivers/scsi/FlashPoint.c b/drivers/scsi/FlashPoint.c
index 867b864f5047..4bca37d52bad 100644
--- a/drivers/scsi/FlashPoint.c
+++ b/drivers/scsi/FlashPoint.c
@@ -40,7 +40,7 @@ struct sccb_mgr_info {
 	u16 si_per_targ_ultra_nego;
 	u16 si_per_targ_no_disc;
 	u16 si_per_targ_wide_nego;
-	u16 si_flags;
+	u16 si_mflags;
 	unsigned char si_card_family;
 	unsigned char si_bustype;
 	unsigned char si_card_model[3];
@@ -1070,22 +1070,22 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
 		ScamFlg =
 		    (unsigned char)FPT_utilEERead(ioport, SCAM_CONFIG / 2);
 
-	pCardInfo->si_flags = 0x0000;
+	pCardInfo->si_mflags = 0x0000;
 
 	if (i & 0x01)
-		pCardInfo->si_flags |= SCSI_PARITY_ENA;
+		pCardInfo->si_mflags |= SCSI_PARITY_ENA;
 
 	if (!(i & 0x02))
-		pCardInfo->si_flags |= SOFT_RESET;
+		pCardInfo->si_mflags |= SOFT_RESET;
 
 	if (i & 0x10)
-		pCardInfo->si_flags |= EXTENDED_TRANSLATION;
+		pCardInfo->si_mflags |= EXTENDED_TRANSLATION;
 
 	if (ScamFlg & SCAM_ENABLED)
-		pCardInfo->si_flags |= FLAG_SCAM_ENABLED;
+		pCardInfo->si_mflags |= FLAG_SCAM_ENABLED;
 
 	if (ScamFlg & SCAM_LEVEL2)
-		pCardInfo->si_flags |= FLAG_SCAM_LEVEL2;
+		pCardInfo->si_mflags |= FLAG_SCAM_LEVEL2;
 
 	j = (RD_HARPOON(ioport + hp_bm_ctrl) & ~SCSI_TERM_ENA_L);
 	if (i & 0x04) {
@@ -1101,7 +1101,7 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
 
 	if (!(RD_HARPOON(ioport + hp_page_ctrl) & NARROW_SCSI_CARD))
 
-		pCardInfo->si_flags |= SUPPORT_16TAR_32LUN;
+		pCardInfo->si_mflags |= SUPPORT_16TAR_32LUN;
 
 	pCardInfo->si_card_family = HARPOON_FAMILY;
 	pCardInfo->si_bustype = BUSTYPE_PCI;
@@ -1137,15 +1137,15 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
 
 	if (pCardInfo->si_card_model[1] == '3') {
 		if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
-			pCardInfo->si_flags |= LOW_BYTE_TERM;
+			pCardInfo->si_mflags |= LOW_BYTE_TERM;
 	} else if (pCardInfo->si_card_model[2] == '0') {
 		temp = RD_HARPOON(ioport + hp_xfer_pad);
 		WR_HARPOON(ioport + hp_xfer_pad, (temp & ~BIT(4)));
 		if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
-			pCardInfo->si_flags |= LOW_BYTE_TERM;
+			pCardInfo->si_mflags |= LOW_BYTE_TERM;
 		WR_HARPOON(ioport + hp_xfer_pad, (temp | BIT(4)));
 		if (RD_HARPOON(ioport + hp_ee_ctrl) & BIT(7))
-			pCardInfo->si_flags |= HIGH_BYTE_TERM;
+			pCardInfo->si_mflags |= HIGH_BYTE_TERM;
 		WR_HARPOON(ioport + hp_xfer_pad, temp);
 	} else {
 		temp = RD_HARPOON(ioport + hp_ee_ctrl);
@@ -1163,9 +1163,9 @@ static int FlashPoint_ProbeHostAdapter(struct sccb_mgr_info *pCardInfo)
 		WR_HARPOON(ioport + hp_ee_ctrl, temp);
 		WR_HARPOON(ioport + hp_xfer_pad, temp2);
 		if (!(temp3 & BIT(7)))
-			pCardInfo->si_flags |= LOW_BYTE_TERM;
+			pCardInfo->si_mflags |= LOW_BYTE_TERM;
 		if (!(temp3 & BIT(6)))
-			pCardInfo->si_flags |= HIGH_BYTE_TERM;
+			pCardInfo->si_mflags |= HIGH_BYTE_TERM;
 	}
 
 	ARAM_ACCESS(ioport);
@@ -1272,7 +1272,7 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
 	WR_HARPOON(ioport + hp_arb_id, pCardInfo->si_id);
 	CurrCard->ourId = pCardInfo->si_id;
 
-	i = (unsigned char)pCardInfo->si_flags;
+	i = (unsigned char)pCardInfo->si_mflags;
 	if (i & SCSI_PARITY_ENA)
 		WR_HARPOON(ioport + hp_portctrl_1, (HOST_MODE8 | CHK_SCSI_P));
 
@@ -1286,14 +1286,14 @@ static void *FlashPoint_HardwareResetHostAdapter(struct sccb_mgr_info
 		j |= SCSI_TERM_ENA_H;
 	WR_HARPOON(ioport + hp_ee_ctrl, j);
 
-	if (!(pCardInfo->si_flags & SOFT_RESET)) {
+	if (!(pCardInfo->si_mflags & SOFT_RESET)) {
 
 		FPT_sresb(ioport, thisCard);
 
 		FPT_scini(thisCard, pCardInfo->si_id, 0);
 	}
 
-	if (pCardInfo->si_flags & POST_ALL_UNDERRRUNS)
+	if (pCardInfo->si_mflags & POST_ALL_UNDERRRUNS)
 		CurrCard->globalFlags |= F_NO_FILTER;
 
 	if (pCurrNvRam) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 085/188] s390: appldata depends on PROC_SYSCTL
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 084/188] scsi: FlashPoint: Rename si_flags field Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 086/188] staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() Greg Kroah-Hartman
                   ` (107 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Randy Dunlap, Heiko Carstens,
	Vasily Gorbik, Christian Borntraeger, linux-s390, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 5d3516b3647621d5a1180672ea9e0817fb718ada ]

APPLDATA_BASE should depend on PROC_SYSCTL instead of PROC_FS.
Building with PROC_FS but not PROC_SYSCTL causes a build error,
since appldata_base.c uses data and APIs from fs/proc/proc_sysctl.c.

arch/s390/appldata/appldata_base.o: in function `appldata_generic_handler':
appldata_base.c:(.text+0x192): undefined reference to `sysctl_vals'

Fixes: c185b783b099 ("[S390] Remove config options.")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Heiko Carstens <hca@linux.ibm.com>
Cc: Vasily Gorbik <gor@linux.ibm.com>
Cc: Christian Borntraeger <borntraeger@de.ibm.com>
Cc: linux-s390@vger.kernel.org
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Link: https://lore.kernel.org/r/20210528002420.17634-1-rdunlap@infradead.org
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/s390/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/s390/Kconfig b/arch/s390/Kconfig
index 9bdaeb38a768..7466e034e1fc 100644
--- a/arch/s390/Kconfig
+++ b/arch/s390/Kconfig
@@ -834,7 +834,7 @@ config CMM_IUCV
 config APPLDATA_BASE
 	def_bool n
 	prompt "Linux - VM Monitor Stream, base infrastructure"
-	depends on PROC_FS
+	depends on PROC_SYSCTL
 	help
 	  This provides a kernel interface for creating and updating z/VM APPLDATA
 	  monitor records. The monitor records are updated at certain time
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 086/188] staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 085/188] s390: appldata depends on PROC_SYSCTL Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 087/188] staging: gdm724x: check for overflow in gdm_lte_netif_rx() Greg Kroah-Hartman
                   ` (106 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 4a36e160856db8a8ddd6a3d2e5db5a850ab87f82 ]

There needs to be a check to verify that we don't read beyond the end
of "buf".  This function is called from do_rx().  The "buf" is the USB
transfer_buffer and "len" is "urb->actual_length".

Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YMcnl4zCwGWGDVMG@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/gdm724x/gdm_lte.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
index 79de678807cc..1eacf82d1bd0 100644
--- a/drivers/staging/gdm724x/gdm_lte.c
+++ b/drivers/staging/gdm724x/gdm_lte.c
@@ -689,6 +689,7 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
 	struct multi_sdu *multi_sdu = (struct multi_sdu *)buf;
 	struct sdu *sdu = NULL;
 	u8 *data = (u8 *)multi_sdu->data;
+	int copied;
 	u16 i = 0;
 	u16 num_packet;
 	u16 hci_len;
@@ -702,6 +703,12 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
 				      multi_sdu->num_packet);
 
 	for (i = 0; i < num_packet; i++) {
+		copied = data - multi_sdu->data;
+		if (len < copied + sizeof(*sdu)) {
+			pr_err("rx prevent buffer overflow");
+			return;
+		}
+
 		sdu = (struct sdu *)data;
 
 		cmd_evt = gdm_dev16_to_cpu(phy_dev->
@@ -715,7 +722,8 @@ static void gdm_lte_multi_sdu_pkt(struct phy_dev *phy_dev, char *buf, int len)
 			pr_err("rx sdu wrong hci %04x\n", cmd_evt);
 			return;
 		}
-		if (hci_len < 12) {
+		if (hci_len < 12 ||
+		    len < copied + sizeof(*sdu) + (hci_len - 12)) {
 			pr_err("rx sdu invalid len %d\n", hci_len);
 			return;
 		}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 087/188] staging: gdm724x: check for overflow in gdm_lte_netif_rx()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 086/188] staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 088/188] scsi: mpt3sas: Fix error return value in _scsih_expander_add() Greg Kroah-Hartman
                   ` (105 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 7002b526f4ff1f6da34356e67085caafa6be383a ]

This code assumes that "len" is at least 62 bytes, but we need a check
to prevent a read overflow.

Fixes: 61e121047645 ("staging: gdm7240: adding LTE USB driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Link: https://lore.kernel.org/r/YMcoTPsCYlhh2TQo@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/gdm724x/gdm_lte.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/gdm724x/gdm_lte.c b/drivers/staging/gdm724x/gdm_lte.c
index 1eacf82d1bd0..8561f7fb53e9 100644
--- a/drivers/staging/gdm724x/gdm_lte.c
+++ b/drivers/staging/gdm724x/gdm_lte.c
@@ -624,10 +624,12 @@ static void gdm_lte_netif_rx(struct net_device *dev, char *buf,
 						  * bytes (99,130,83,99 dec)
 						  */
 			} __packed;
-			void *addr = buf + sizeof(struct iphdr) +
-				sizeof(struct udphdr) +
-				offsetof(struct dhcp_packet, chaddr);
-			ether_addr_copy(nic->dest_mac_addr, addr);
+			int offset = sizeof(struct iphdr) +
+				     sizeof(struct udphdr) +
+				     offsetof(struct dhcp_packet, chaddr);
+			if (offset + ETH_ALEN > len)
+				return;
+			ether_addr_copy(nic->dest_mac_addr, buf + offset);
 		}
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 088/188] scsi: mpt3sas: Fix error return value in _scsih_expander_add()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 087/188] staging: gdm724x: check for overflow in gdm_lte_netif_rx() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 089/188] phy: ti: dm816x: Fix the error handling path in dm816x_usb_phy_probe() Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei,
	Martin K. Petersen, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit d6c2ce435ffe23ef7f395ae76ec747414589db46 ]

When an expander does not contain any 'phys', an appropriate error code -1
should be returned, as done elsewhere in this function. However, we
currently do not explicitly assign this error code to 'rc'. As a result, 0
was incorrectly returned.

Link: https://lore.kernel.org/r/20210514081300.6650-1-thunder.leizhen@huawei.com
Fixes: f92363d12359 ("[SCSI] mpt3sas: add new driver supporting 12GB SAS")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/mpt3sas/mpt3sas_scsih.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/scsi/mpt3sas/mpt3sas_scsih.c b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
index 8735e4257028..49b751a8f5f3 100644
--- a/drivers/scsi/mpt3sas/mpt3sas_scsih.c
+++ b/drivers/scsi/mpt3sas/mpt3sas_scsih.c
@@ -5014,8 +5014,10 @@ _scsih_expander_add(struct MPT3SAS_ADAPTER *ioc, u16 handle)
 	    handle, parent_handle, (unsigned long long)
 	    sas_expander->sas_address, sas_expander->num_phys);
 
-	if (!sas_expander->num_phys)
+	if (!sas_expander->num_phys) {
+		rc = -1;
 		goto out_fail;
+	}
 	sas_expander->phy = kcalloc(sas_expander->num_phys,
 	    sizeof(struct _sas_phy), GFP_KERNEL);
 	if (!sas_expander->phy) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 089/188] phy: ti: dm816x: Fix the error handling path in dm816x_usb_phy_probe()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 088/188] scsi: mpt3sas: Fix error return value in _scsih_expander_add() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 090/188] extcon: sm5502: Drop invalid register write in sm5502_reg_data Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Vinod Koul, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit f7eedcb8539ddcbb6fe7791f1b4ccf43f905c72f ]

Add an error handling path in the probe to release some resources, as
already done in the remove function.

Fixes: 609adde838f4 ("phy: Add a driver for dm816x USB PHY")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/ac5136881f6bdec50be19b3bf73b3bc1b15ef1f1.1622898974.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/phy/phy-dm816x-usb.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/drivers/phy/phy-dm816x-usb.c b/drivers/phy/phy-dm816x-usb.c
index b4bbef664d20..908b5ff0e888 100644
--- a/drivers/phy/phy-dm816x-usb.c
+++ b/drivers/phy/phy-dm816x-usb.c
@@ -246,19 +246,28 @@ static int dm816x_usb_phy_probe(struct platform_device *pdev)
 
 	pm_runtime_enable(phy->dev);
 	generic_phy = devm_phy_create(phy->dev, NULL, &ops);
-	if (IS_ERR(generic_phy))
-		return PTR_ERR(generic_phy);
+	if (IS_ERR(generic_phy)) {
+		error = PTR_ERR(generic_phy);
+		goto clk_unprepare;
+	}
 
 	phy_set_drvdata(generic_phy, phy);
 
 	phy_provider = devm_of_phy_provider_register(phy->dev,
 						     of_phy_simple_xlate);
-	if (IS_ERR(phy_provider))
-		return PTR_ERR(phy_provider);
+	if (IS_ERR(phy_provider)) {
+		error = PTR_ERR(phy_provider);
+		goto clk_unprepare;
+	}
 
 	usb_add_phy_dev(&phy->phy);
 
 	return 0;
+
+clk_unprepare:
+	pm_runtime_disable(phy->dev);
+	clk_unprepare(phy->refclk);
+	return error;
 }
 
 static int dm816x_usb_phy_remove(struct platform_device *pdev)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 090/188] extcon: sm5502: Drop invalid register write in sm5502_reg_data
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 089/188] phy: ti: dm816x: Fix the error handling path in dm816x_usb_phy_probe() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 091/188] extcon: max8997: Add missing modalias string Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Stephan Gerhold, Chanwoo Choi, Sasha Levin

From: Stephan Gerhold <stephan@gerhold.net>

[ Upstream commit d25b224f8e5507879b36a769a6d1324cf163466c ]

When sm5502_init_dev_type() iterates over sm5502_reg_data to
initialize the registers it is limited by ARRAY_SIZE(sm5502_reg_data).
There is no need to add another empty element to sm5502_reg_data.

Having the additional empty element in sm5502_reg_data will just
result in writing 0xff to register 0x00, which does not really
make sense.

Fixes: 914b881f9452 ("extcon: sm5502: Add support new SM5502 extcon device driver")
Signed-off-by: Stephan Gerhold <stephan@gerhold.net>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/extcon/extcon-sm5502.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/extcon/extcon-sm5502.c b/drivers/extcon/extcon-sm5502.c
index f63f9961ac12..9b8c79bc3acd 100644
--- a/drivers/extcon/extcon-sm5502.c
+++ b/drivers/extcon/extcon-sm5502.c
@@ -92,7 +92,6 @@ static struct reg_data sm5502_reg_data[] = {
 			| SM5502_REG_INTM2_MHL_MASK,
 		.invert = true,
 	},
-	{ }
 };
 
 /* List of detectable cables */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 091/188] extcon: max8997: Add missing modalias string
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 090/188] extcon: sm5502: Drop invalid register write in sm5502_reg_data Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 092/188] mmc: vub3000: fix control-request direction Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Marek Szyprowski, Chanwoo Choi, Sasha Levin

From: Marek Szyprowski <m.szyprowski@samsung.com>

[ Upstream commit dc11fc2991e9efbceef93912b83e333d2835fb19 ]

The platform device driver name is "max8997-muic", so advertise it
properly in the modalias string. This fixes automated module loading when
this driver is compiled as a module.

Fixes: b76668ba8a77 ("Extcon: add MAX8997 extcon driver")
Signed-off-by: Marek Szyprowski <m.szyprowski@samsung.com>
Signed-off-by: Chanwoo Choi <cw00.choi@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/extcon/extcon-max8997.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/extcon/extcon-max8997.c b/drivers/extcon/extcon-max8997.c
index 3d6b42f61f56..a37c7257ccc7 100644
--- a/drivers/extcon/extcon-max8997.c
+++ b/drivers/extcon/extcon-max8997.c
@@ -780,3 +780,4 @@ module_platform_driver(max8997_muic_driver);
 MODULE_DESCRIPTION("Maxim MAX8997 Extcon driver");
 MODULE_AUTHOR("Donggeun Kim <dg77.kim@samsung.com>");
 MODULE_LICENSE("GPL");
+MODULE_ALIAS("platform:max8997-muic");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 092/188] mmc: vub3000: fix control-request direction
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 091/188] extcon: max8997: Add missing modalias string Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 093/188] scsi: core: Retry I/O for Notify (Enable Spinup) Required error Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Ulf Hansson

From: Johan Hovold <johan@kernel.org>

commit 3c0bb3107703d2c58f7a0a7a2060bb57bc120326 upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Fix the SET_ROM_WAIT_STATES request which erroneously used
usb_rcvctrlpipe().

Fixes: 88095e7b473a ("mmc: Add new VUB300 USB-to-SD/SDIO/MMC driver")
Cc: stable@vger.kernel.org      # 3.0
Signed-off-by: Johan Hovold <johan@kernel.org>
Link: https://lore.kernel.org/r/20210521133026.17296-1-johan@kernel.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/vub300.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/mmc/host/vub300.c
+++ b/drivers/mmc/host/vub300.c
@@ -2294,7 +2294,7 @@ static int vub300_probe(struct usb_inter
 	if (retval < 0)
 		goto error5;
 	retval =
-		usb_control_msg(vub300->udev, usb_rcvctrlpipe(vub300->udev, 0),
+		usb_control_msg(vub300->udev, usb_sndctrlpipe(vub300->udev, 0),
 				SET_ROM_WAIT_STATES,
 				USB_DIR_OUT | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 				firmware_rom_wait_states, 0x0000, NULL, 0, HZ);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 093/188] scsi: core: Retry I/O for Notify (Enable Spinup) Required error
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 092/188] mmc: vub3000: fix control-request direction Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 094/188] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bart Van Assche, Quat Le, Martin K. Petersen

From: Quat Le <quat.le@oracle.com>

commit 104739aca4488909175e9e31d5cd7d75b82a2046 upstream.

If the device is power-cycled, it takes time for the initiator to transmit
the periodic NOTIFY (ENABLE SPINUP) SAS primitive, and for the device to
respond to the primitive to become ACTIVE. Retry the I/O request to allow
the device time to become ACTIVE.

Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210629155826.48441-1-quat.le@oracle.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Signed-off-by: Quat Le <quat.le@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/scsi/scsi_lib.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/scsi/scsi_lib.c
+++ b/drivers/scsi/scsi_lib.c
@@ -1004,6 +1004,7 @@ void scsi_io_completion(struct scsi_cmnd
 				case 0x07: /* operation in progress */
 				case 0x08: /* Long write in progress */
 				case 0x09: /* self test in progress */
+				case 0x11: /* notify (enable spinup) required */
 				case 0x14: /* space allocation in progress */
 					action = ACTION_DELAYED_RETRY;
 					break;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 094/188] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 093/188] scsi: core: Retry I/O for Notify (Enable Spinup) Required error Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 095/188] hugetlb: clear huge pte during flush function on mips platform Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Andy Shevchenko,
	Flavio Suligoi, David S. Miller, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 443ef39b499cc9c6635f83238101f1bb923e9326 ]

Sparse is not happy about handling of strict types in pch_ptp_match():

  .../pch_gbe_main.c:158:33: warning: incorrect type in argument 2 (different base types)
  .../pch_gbe_main.c:158:33:    expected unsigned short [usertype] uid_hi
  .../pch_gbe_main.c:158:33:    got restricted __be16 [usertype]
  .../pch_gbe_main.c:158:45: warning: incorrect type in argument 3 (different base types)
  .../pch_gbe_main.c:158:45:    expected unsigned int [usertype] uid_lo
  .../pch_gbe_main.c:158:45:    got restricted __be32 [usertype]
  .../pch_gbe_main.c:158:56: warning: incorrect type in argument 4 (different base types)
  .../pch_gbe_main.c:158:56:    expected unsigned short [usertype] seqid
  .../pch_gbe_main.c:158:56:    got restricted __be16 [usertype]

Fix that by switching to use proper accessors to BE data.

Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Tested-by: Flavio Suligoi <f.suligoi@asem.it>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../ethernet/oki-semi/pch_gbe/pch_gbe_main.c  | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
index a7ec9492d126..45cfb1a0933d 100644
--- a/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
+++ b/drivers/net/ethernet/oki-semi/pch_gbe/pch_gbe_main.c
@@ -124,7 +124,7 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
 {
 	u8 *data = skb->data;
 	unsigned int offset;
-	u16 *hi, *id;
+	u16 hi, id;
 	u32 lo;
 
 	if (ptp_classify_raw(skb) == PTP_CLASS_NONE)
@@ -135,14 +135,11 @@ static int pch_ptp_match(struct sk_buff *skb, u16 uid_hi, u32 uid_lo, u16 seqid)
 	if (skb->len < offset + OFF_PTP_SEQUENCE_ID + sizeof(seqid))
 		return 0;
 
-	hi = (u16 *)(data + offset + OFF_PTP_SOURCE_UUID);
-	id = (u16 *)(data + offset + OFF_PTP_SEQUENCE_ID);
+	hi = get_unaligned_be16(data + offset + OFF_PTP_SOURCE_UUID + 0);
+	lo = get_unaligned_be32(data + offset + OFF_PTP_SOURCE_UUID + 2);
+	id = get_unaligned_be16(data + offset + OFF_PTP_SEQUENCE_ID);
 
-	memcpy(&lo, &hi[1], sizeof(lo));
-
-	return (uid_hi == *hi &&
-		uid_lo == lo &&
-		seqid  == *id);
+	return (uid_hi == hi && uid_lo == lo && seqid == id);
 }
 
 static void
@@ -152,7 +149,6 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
 	struct pci_dev *pdev;
 	u64 ns;
 	u32 hi, lo, val;
-	u16 uid, seq;
 
 	if (!adapter->hwts_rx_en)
 		return;
@@ -168,10 +164,7 @@ pch_rx_timestamp(struct pch_gbe_adapter *adapter, struct sk_buff *skb)
 	lo = pch_src_uuid_lo_read(pdev);
 	hi = pch_src_uuid_hi_read(pdev);
 
-	uid = hi & 0xffff;
-	seq = (hi >> 16) & 0xffff;
-
-	if (!pch_ptp_match(skb, htons(uid), htonl(lo), htons(seq)))
+	if (!pch_ptp_match(skb, hi, lo, hi >> 16))
 		goto out;
 
 	ns = pch_rx_snap_read(pdev);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 095/188] hugetlb: clear huge pte during flush function on mips platform
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 094/188] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 096/188] atm: iphase: fix possible use-after-free in ia_module_exit() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Bibo Mao, Thomas Bogendoerfer, Sasha Levin

From: Bibo Mao <maobibo@loongson.cn>

[ Upstream commit 33ae8f801ad8bec48e886d368739feb2816478f2 ]

If multiple threads are accessing the same huge page at the same
time, hugetlb_cow will be called if one thread write the COW huge
page. And function huge_ptep_clear_flush is called to notify other
threads to clear the huge pte tlb entry. The other threads clear
the huge pte tlb entry and reload it from page table, the reload
huge pte entry may be old.

This patch fixes this issue on mips platform, and it clears huge
pte entry before notifying other threads to flush current huge
page entry, it is similar with other architectures.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/include/asm/hugetlb.h | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/arch/mips/include/asm/hugetlb.h b/arch/mips/include/asm/hugetlb.h
index 982bc0685330..4747a4694669 100644
--- a/arch/mips/include/asm/hugetlb.h
+++ b/arch/mips/include/asm/hugetlb.h
@@ -67,7 +67,13 @@ static inline pte_t huge_ptep_get_and_clear(struct mm_struct *mm,
 static inline void huge_ptep_clear_flush(struct vm_area_struct *vma,
 					 unsigned long addr, pte_t *ptep)
 {
-	flush_tlb_page(vma, addr & huge_page_mask(hstate_vma(vma)));
+	/*
+	 * clear the huge pte entry firstly, so that the other smp threads will
+	 * not get old pte entry after finishing flush_tlb_page and before
+	 * setting new huge pte entry
+	 */
+	huge_ptep_get_and_clear(vma->vm_mm, addr, ptep);
+	flush_tlb_page(vma, addr);
 }
 
 static inline int huge_pte_none(pte_t pte)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 096/188] atm: iphase: fix possible use-after-free in ia_module_exit()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 095/188] hugetlb: clear huge pte during flush function on mips platform Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 097/188] mISDN: fix possible use-after-free in HFC_cleanup() Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, David S. Miller,
	Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 1c72e6ab66b9598cac741ed397438a52065a8f1f ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/iphase.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/atm/iphase.c b/drivers/atm/iphase.c
index 860a33a90ebf..dc1b7f11e6af 100644
--- a/drivers/atm/iphase.c
+++ b/drivers/atm/iphase.c
@@ -3296,7 +3296,7 @@ static void __exit ia_module_exit(void)
 {
 	pci_unregister_driver(&ia_driver);
 
-        del_timer(&ia_timer);
+	del_timer_sync(&ia_timer);
 }
 
 module_init(ia_module_init);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 097/188] mISDN: fix possible use-after-free in HFC_cleanup()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 096/188] atm: iphase: fix possible use-after-free in ia_module_exit() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 098/188] atm: nicstar: Fix possible use-after-free in nicstar_cleanup() Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, David S. Miller,
	Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 009fc857c5f6fda81f2f7dd851b2d54193a8e733 ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/isdn/hardware/mISDN/hfcpci.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/isdn/hardware/mISDN/hfcpci.c b/drivers/isdn/hardware/mISDN/hfcpci.c
index ff48da61c94c..89cf1d695a01 100644
--- a/drivers/isdn/hardware/mISDN/hfcpci.c
+++ b/drivers/isdn/hardware/mISDN/hfcpci.c
@@ -2352,7 +2352,7 @@ static void __exit
 HFC_cleanup(void)
 {
 	if (timer_pending(&hfc_tl))
-		del_timer(&hfc_tl);
+		del_timer_sync(&hfc_tl);
 
 	pci_unregister_driver(&hfc_driver);
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 098/188] atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 097/188] mISDN: fix possible use-after-free in HFC_cleanup() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 099/188] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, David S. Miller,
	Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 34e7434ba4e97f4b85c1423a59b2922ba7dff2ea ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/nicstar.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
index 49da83f87170..486d7a114031 100644
--- a/drivers/atm/nicstar.c
+++ b/drivers/atm/nicstar.c
@@ -298,7 +298,7 @@ static void __exit nicstar_cleanup(void)
 {
 	XPRINTK("nicstar: nicstar_cleanup() called.\n");
 
-	del_timer(&ns_timer);
+	del_timer_sync(&ns_timer);
 
 	pci_unregister_driver(&nicstar_driver);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 099/188] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 098/188] atm: nicstar: Fix possible use-after-free in nicstar_cleanup() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 100/188] reiserfs: add check for invalid 1st journal block Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Juri Lelli,
	Sebastian Andrzej Siewior, Thomas Gleixner, David S. Miller,
	Sasha Levin

From: Sebastian Andrzej Siewior <bigeasy@linutronix.de>

[ Upstream commit 8380c81d5c4fced6f4397795a5ae65758272bbfd ]

__napi_schedule_irqoff() is an optimized version of __napi_schedule()
which can be used where it is known that interrupts are disabled,
e.g. in interrupt-handlers, spin_lock_irq() sections or hrtimer
callbacks.

On PREEMPT_RT enabled kernels this assumptions is not true. Force-
threaded interrupt handlers and spinlocks are not disabling interrupts
and the NAPI hrtimer callback is forced into softirq context which runs
with interrupts enabled as well.

Chasing all usage sites of __napi_schedule_irqoff() is a whack-a-mole
game so make __napi_schedule_irqoff() invoke __napi_schedule() for
PREEMPT_RT kernels.

The callers of ____napi_schedule() in the networking core have been
audited and are correct on PREEMPT_RT kernels as well.

Reported-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Juri Lelli <juri.lelli@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/dev.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/core/dev.c b/net/core/dev.c
index 6fd356e72211..9a0c726bd124 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4723,11 +4723,18 @@ EXPORT_SYMBOL(__napi_schedule);
  * __napi_schedule_irqoff - schedule for receive
  * @n: entry to schedule
  *
- * Variant of __napi_schedule() assuming hard irqs are masked
+ * Variant of __napi_schedule() assuming hard irqs are masked.
+ *
+ * On PREEMPT_RT enabled kernels this maps to __napi_schedule()
+ * because the interrupt disabled assumption might not be true
+ * due to force-threaded interrupts and spinlock substitution.
  */
 void __napi_schedule_irqoff(struct napi_struct *n)
 {
-	____napi_schedule(this_cpu_ptr(&softnet_data), n);
+	if (!IS_ENABLED(CONFIG_PREEMPT_RT))
+		____napi_schedule(this_cpu_ptr(&softnet_data), n);
+	else
+		__napi_schedule(n);
 }
 EXPORT_SYMBOL(__napi_schedule_irqoff);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 100/188] reiserfs: add check for invalid 1st journal block
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 099/188] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 101/188] drm/virtio: Fix double free on probe failure Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0ba9909df31c6a36974d,
	Pavel Skripkin, Jan Kara, Sasha Levin

From: Pavel Skripkin <paskripkin@gmail.com>

[ Upstream commit a149127be52fa7eaf5b3681a0317a2bbb772d5a9 ]

syzbot reported divide error in reiserfs.
The problem was in incorrect journal 1st block.

Syzbot's reproducer manualy generated wrong superblock
with incorrect 1st block. In journal_init() wasn't
any checks about this particular case.

For example, if 1st journal block is before superblock
1st block, it can cause zeroing important superblock members
in do_journal_end().

Link: https://lore.kernel.org/r/20210517121545.29645-1-paskripkin@gmail.com
Reported-by: syzbot+0ba9909df31c6a36974d@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/reiserfs/journal.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/fs/reiserfs/journal.c b/fs/reiserfs/journal.c
index 00985f9db9f7..6a0fa0cdc1ed 100644
--- a/fs/reiserfs/journal.c
+++ b/fs/reiserfs/journal.c
@@ -2770,6 +2770,20 @@ int journal_init(struct super_block *sb, const char *j_dev_name,
 		goto free_and_return;
 	}
 
+	/*
+	 * Sanity check to see if journal first block is correct.
+	 * If journal first block is invalid it can cause
+	 * zeroing important superblock members.
+	 */
+	if (!SB_ONDISK_JOURNAL_DEVICE(sb) &&
+	    SB_ONDISK_JOURNAL_1st_BLOCK(sb) < SB_JOURNAL_1st_RESERVED_BLOCK(sb)) {
+		reiserfs_warning(sb, "journal-1393",
+				 "journal 1st super block is invalid: 1st reserved block %d, but actual 1st block is %d",
+				 SB_JOURNAL_1st_RESERVED_BLOCK(sb),
+				 SB_ONDISK_JOURNAL_1st_BLOCK(sb));
+		goto free_and_return;
+	}
+
 	if (journal_init_dev(sb, journal, j_dev_name) != 0) {
 		reiserfs_warning(sb, "sh-462",
 				 "unable to initialize journal device");
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 101/188] drm/virtio: Fix double free on probe failure
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 100/188] reiserfs: add check for invalid 1st journal block Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 102/188] udf: Fix NULL pointer dereference in udf_symlink function Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xie Yongji, Gerd Hoffmann, Sasha Levin

From: Xie Yongji <xieyongji@bytedance.com>

[ Upstream commit cec7f1774605a5ef47c134af62afe7c75c30b0ee ]

The virtio_gpu_init() will free vgdev and vgdev->vbufs on failure.
But such failure will be caught by virtio_gpu_probe() and then
virtio_gpu_release() will be called to do some cleanup which
will free vgdev and vgdev->vbufs again. So let's set dev->dev_private
to NULL to avoid double free.

Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20210517084913.403-2-xieyongji@bytedance.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/virtio/virtgpu_kms.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/gpu/drm/virtio/virtgpu_kms.c b/drivers/gpu/drm/virtio/virtgpu_kms.c
index 476b9993b068..44f9762e86e8 100644
--- a/drivers/gpu/drm/virtio/virtgpu_kms.c
+++ b/drivers/gpu/drm/virtio/virtgpu_kms.c
@@ -233,6 +233,7 @@ err_ttm:
 err_vbufs:
 	vgdev->vdev->config->del_vqs(vgdev->vdev);
 err_vqs:
+	dev->dev_private = NULL;
 	kfree(vgdev);
 	return ret;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 102/188] udf: Fix NULL pointer dereference in udf_symlink function
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 101/188] drm/virtio: Fix double free on probe failure Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 103/188] e100: handle eeprom as little endian Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Arturo Giusti, Jan Kara, Sasha Levin

From: Arturo Giusti <koredump@protonmail.com>

[ Upstream commit fa236c2b2d4436d9f19ee4e5d5924e90ffd7bb43 ]

In function udf_symlink, epos.bh is assigned with the value returned
by udf_tgetblk. The function udf_tgetblk is defined in udf/misc.c
and returns the value of sb_getblk function that could be NULL.
Then, epos.bh is used without any check, causing a possible
NULL pointer dereference when sb_getblk fails.

This fix adds a check to validate the value of epos.bh.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=213083
Signed-off-by: Arturo Giusti <koredump@protonmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/udf/namei.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/udf/namei.c b/fs/udf/namei.c
index f34c545f4e54..074560ad190e 100644
--- a/fs/udf/namei.c
+++ b/fs/udf/namei.c
@@ -945,6 +945,10 @@ static int udf_symlink(struct inode *dir, struct dentry *dentry,
 				iinfo->i_location.partitionReferenceNum,
 				0);
 		epos.bh = udf_tgetblk(sb, block);
+		if (unlikely(!epos.bh)) {
+			err = -ENOMEM;
+			goto out_no_entry;
+		}
 		lock_buffer(epos.bh);
 		memset(epos.bh->b_data, 0x00, bsize);
 		set_buffer_uptodate(epos.bh);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 103/188] e100: handle eeprom as little endian
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (101 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 102/188] udf: Fix NULL pointer dereference in udf_symlink function Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 104/188] ipv6: use prandom_u32() for ID generation Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jesse Brandeburg, Tony Nguyen, Sasha Levin

From: Jesse Brandeburg <jesse.brandeburg@intel.com>

[ Upstream commit d4ef55288aa2e1b76033717242728ac98ddc4721 ]

Sparse tool was warning on some implicit conversions from
little endian data read from the EEPROM on the e100 cards.

Fix these by being explicit about the conversions using
le16_to_cpu().

Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/e100.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/net/ethernet/intel/e100.c b/drivers/net/ethernet/intel/e100.c
index 93c29094ceff..9035cb5fc70d 100644
--- a/drivers/net/ethernet/intel/e100.c
+++ b/drivers/net/ethernet/intel/e100.c
@@ -1423,7 +1423,7 @@ static int e100_phy_check_without_mii(struct nic *nic)
 	u8 phy_type;
 	int without_mii;
 
-	phy_type = (nic->eeprom[eeprom_phy_iface] >> 8) & 0x0f;
+	phy_type = (le16_to_cpu(nic->eeprom[eeprom_phy_iface]) >> 8) & 0x0f;
 
 	switch (phy_type) {
 	case NoSuchPhy: /* Non-MII PHY; UNTESTED! */
@@ -1543,7 +1543,7 @@ static int e100_phy_init(struct nic *nic)
 		mdio_write(netdev, nic->mii.phy_id, MII_BMCR, bmcr);
 	} else if ((nic->mac >= mac_82550_D102) || ((nic->flags & ich) &&
 	   (mdio_read(netdev, nic->mii.phy_id, MII_TPISTATUS) & 0x8000) &&
-		(nic->eeprom[eeprom_cnfg_mdix] & eeprom_mdix_enabled))) {
+	   (le16_to_cpu(nic->eeprom[eeprom_cnfg_mdix]) & eeprom_mdix_enabled))) {
 		/* enable/disable MDI/MDI-X auto-switching. */
 		mdio_write(netdev, nic->mii.phy_id, MII_NCONFIG,
 				nic->mii.force_media ? 0 : NCONFIG_AUTO_SWITCH);
@@ -2298,9 +2298,9 @@ static int e100_asf(struct nic *nic)
 {
 	/* ASF can be enabled from eeprom */
 	return (nic->pdev->device >= 0x1050) && (nic->pdev->device <= 0x1057) &&
-	   (nic->eeprom[eeprom_config_asf] & eeprom_asf) &&
-	   !(nic->eeprom[eeprom_config_asf] & eeprom_gcl) &&
-	   ((nic->eeprom[eeprom_smbus_addr] & 0xFF) != 0xFE);
+	   (le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_asf) &&
+	   !(le16_to_cpu(nic->eeprom[eeprom_config_asf]) & eeprom_gcl) &&
+	   ((le16_to_cpu(nic->eeprom[eeprom_smbus_addr]) & 0xFF) != 0xFE);
 }
 
 static int e100_up(struct nic *nic)
@@ -2952,7 +2952,7 @@ static int e100_probe(struct pci_dev *pdev, const struct pci_device_id *ent)
 
 	/* Wol magic packet can be enabled from eeprom */
 	if ((nic->mac >= mac_82558_D101_A4) &&
-	   (nic->eeprom[eeprom_id] & eeprom_id_wol)) {
+	   (le16_to_cpu(nic->eeprom[eeprom_id]) & eeprom_id_wol)) {
 		nic->flags |= wol_magic;
 		device_set_wakeup_enable(&pdev->dev, true);
 	}
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 104/188] ipv6: use prandom_u32() for ID generation
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (102 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 103/188] e100: handle eeprom as little endian Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 105/188] RDMA/cxgb4: Fix missing error code in create_qp() Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Amit Klein, Willy Tarreau,
	Eric Dumazet, Jakub Kicinski, Sasha Levin

From: Willy Tarreau <w@1wt.eu>

[ Upstream commit 62f20e068ccc50d6ab66fdb72ba90da2b9418c99 ]

This is a complement to commit aa6dd211e4b1 ("inet: use bigger hash
table for IP ID generation"), but focusing on some specific aspects
of IPv6.

Contary to IPv4, IPv6 only uses packet IDs with fragments, and with a
minimum MTU of 1280, it's much less easy to force a remote peer to
produce many fragments to explore its ID sequence. In addition packet
IDs are 32-bit in IPv6, which further complicates their analysis. On
the other hand, it is often easier to choose among plenty of possible
source addresses and partially work around the bigger hash table the
commit above permits, which leaves IPv6 partially exposed to some
possibilities of remote analysis at the risk of weakening some
protocols like DNS if some IDs can be predicted with a good enough
probability.

Given the wide range of permitted IDs, the risk of collision is extremely
low so there's no need to rely on the positive increment algorithm that
is shared with the IPv4 code via ip_idents_reserve(). We have a fast
PRNG, so let's simply call prandom_u32() and be done with it.

Performance measurements at 10 Gbps couldn't show any difference with
the previous code, even when using a single core, because due to the
large fragments, we're limited to only ~930 kpps at 10 Gbps and the cost
of the random generation is completely offset by other operations and by
the network transfer time. In addition, this change removes the need to
update a shared entry in the idents table so it may even end up being
slightly faster on large scale systems where this matters.

The risk of at least one collision here is about 1/80 million among
10 IDs, 1/850k among 100 IDs, and still only 1/8.5k among 1000 IDs,
which remains very low compared to IPv4 where all IDs are reused
every 4 to 80ms on a 10 Gbps flow depending on packet sizes.

Reported-by: Amit Klein <aksecurity@gmail.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20210529110746.6796-1-w@1wt.eu
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/output_core.c | 28 +++++-----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)

diff --git a/net/ipv6/output_core.c b/net/ipv6/output_core.c
index 6b896cc9604e..e2de4b0479f6 100644
--- a/net/ipv6/output_core.c
+++ b/net/ipv6/output_core.c
@@ -14,29 +14,11 @@ static u32 __ipv6_select_ident(struct net *net,
 			       const struct in6_addr *dst,
 			       const struct in6_addr *src)
 {
-	const struct {
-		struct in6_addr dst;
-		struct in6_addr src;
-	} __aligned(SIPHASH_ALIGNMENT) combined = {
-		.dst = *dst,
-		.src = *src,
-	};
-	u32 hash, id;
-
-	/* Note the following code is not safe, but this is okay. */
-	if (unlikely(siphash_key_is_zero(&net->ipv4.ip_id_key)))
-		get_random_bytes(&net->ipv4.ip_id_key,
-				 sizeof(net->ipv4.ip_id_key));
-
-	hash = siphash(&combined, sizeof(combined), &net->ipv4.ip_id_key);
-
-	/* Treat id of 0 as unset and if we get 0 back from ip_idents_reserve,
-	 * set the hight order instead thus minimizing possible future
-	 * collisions.
-	 */
-	id = ip_idents_reserve(hash, 1);
-	if (unlikely(!id))
-		id = 1 << 31;
+	u32 id;
+
+	do {
+		id = prandom_u32();
+	} while (!id);
 
 	return id;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 105/188] RDMA/cxgb4: Fix missing error code in create_qp()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (103 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 104/188] ipv6: use prandom_u32() for ID generation Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 106/188] dm space maps: dont reset space map allocation cursor when committing Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	Jason Gunthorpe, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit aeb27bb76ad8197eb47890b1ff470d5faf8ec9a5 ]

The error code is missing in this code scenario so 0 will be returned. Add
the error code '-EINVAL' to the return value 'ret'.

Eliminates the follow smatch warning:

drivers/infiniband/hw/cxgb4/qp.c:298 create_qp() warn: missing error code 'ret'.

Link: https://lore.kernel.org/r/1622545669-20625-1-git-send-email-jiapeng.chong@linux.alibaba.com
Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/hw/cxgb4/qp.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/infiniband/hw/cxgb4/qp.c b/drivers/infiniband/hw/cxgb4/qp.c
index 07579e31168c..67e4002bd776 100644
--- a/drivers/infiniband/hw/cxgb4/qp.c
+++ b/drivers/infiniband/hw/cxgb4/qp.c
@@ -277,6 +277,7 @@ static int create_qp(struct c4iw_rdev *rdev, struct t4_wq *wq,
 	if (user && (!wq->sq.bar2_pa || !wq->rq.bar2_pa)) {
 		pr_warn(MOD "%s: sqid %u or rqid %u not in BAR2 range.\n",
 			pci_name(rdev->lldi.pdev), wq->sq.qid, wq->rq.qid);
+		ret = -EINVAL;
 		goto free_dma;
 	}
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 106/188] dm space maps: dont reset space map allocation cursor when committing
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (104 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 105/188] RDMA/cxgb4: Fix missing error code in create_qp() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 107/188] net: micrel: check return value after calling platform_get_resource() Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Thornber, Mike Snitzer, Sasha Levin

From: Joe Thornber <ejt@redhat.com>

[ Upstream commit 5faafc77f7de69147d1e818026b9a0cbf036a7b2 ]

Current commit code resets the place where the search for free blocks
will begin back to the start of the metadata device.  There are a couple
of repercussions to this:

- The first allocation after the commit is likely to take longer than
  normal as it searches for a free block in an area that is likely to
  have very few free blocks (if any).

- Any free blocks it finds will have been recently freed.  Reusing them
  means we have fewer old copies of the metadata to aid recovery from
  hardware error.

Fix these issues by leaving the cursor alone, only resetting when the
search hits the end of the metadata device.

Signed-off-by: Joe Thornber <ejt@redhat.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/md/persistent-data/dm-space-map-disk.c     | 9 ++++++++-
 drivers/md/persistent-data/dm-space-map-metadata.c | 9 ++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/drivers/md/persistent-data/dm-space-map-disk.c b/drivers/md/persistent-data/dm-space-map-disk.c
index bf4c5e2ccb6f..e0acae7a3815 100644
--- a/drivers/md/persistent-data/dm-space-map-disk.c
+++ b/drivers/md/persistent-data/dm-space-map-disk.c
@@ -171,6 +171,14 @@ static int sm_disk_new_block(struct dm_space_map *sm, dm_block_t *b)
 	 * Any block we allocate has to be free in both the old and current ll.
 	 */
 	r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, smd->begin, smd->ll.nr_blocks, b);
+	if (r == -ENOSPC) {
+		/*
+		 * There's no free block between smd->begin and the end of the metadata device.
+		 * We search before smd->begin in case something has been freed.
+		 */
+		r = sm_ll_find_common_free_block(&smd->old_ll, &smd->ll, 0, smd->begin, b);
+	}
+
 	if (r)
 		return r;
 
@@ -199,7 +207,6 @@ static int sm_disk_commit(struct dm_space_map *sm)
 		return r;
 
 	memcpy(&smd->old_ll, &smd->ll, sizeof(smd->old_ll));
-	smd->begin = 0;
 	smd->nr_allocated_this_transaction = 0;
 
 	r = sm_disk_get_nr_free(sm, &nr_free);
diff --git a/drivers/md/persistent-data/dm-space-map-metadata.c b/drivers/md/persistent-data/dm-space-map-metadata.c
index 967d8f2a731f..62a4d7da9bd9 100644
--- a/drivers/md/persistent-data/dm-space-map-metadata.c
+++ b/drivers/md/persistent-data/dm-space-map-metadata.c
@@ -451,6 +451,14 @@ static int sm_metadata_new_block_(struct dm_space_map *sm, dm_block_t *b)
 	 * Any block we allocate has to be free in both the old and current ll.
 	 */
 	r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, smm->begin, smm->ll.nr_blocks, b);
+	if (r == -ENOSPC) {
+		/*
+		 * There's no free block between smm->begin and the end of the metadata device.
+		 * We search before smm->begin in case something has been freed.
+		 */
+		r = sm_ll_find_common_free_block(&smm->old_ll, &smm->ll, 0, smm->begin, b);
+	}
+
 	if (r)
 		return r;
 
@@ -502,7 +510,6 @@ static int sm_metadata_commit(struct dm_space_map *sm)
 		return r;
 
 	memcpy(&smm->old_ll, &smm->ll, sizeof(smm->old_ll));
-	smm->begin = 0;
 	smm->allocated_this_transaction = 0;
 
 	return 0;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 107/188] net: micrel: check return value after calling platform_get_resource()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (105 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 106/188] dm space maps: dont reset space map allocation cursor when committing Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 108/188] selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yang Yingliang, David S. Miller, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 20f1932e2282c58cb5ac59517585206cf5b385ae ]

It will cause null-ptr-deref if platform_get_resource() returns NULL,
we need check the return value.

Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/micrel/ks8842.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/drivers/net/ethernet/micrel/ks8842.c b/drivers/net/ethernet/micrel/ks8842.c
index cb0102dd7f70..d691c33dffc6 100644
--- a/drivers/net/ethernet/micrel/ks8842.c
+++ b/drivers/net/ethernet/micrel/ks8842.c
@@ -1150,6 +1150,10 @@ static int ks8842_probe(struct platform_device *pdev)
 	unsigned i;
 
 	iomem = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+	if (!iomem) {
+		dev_err(&pdev->dev, "Invalid resource\n");
+		return -EINVAL;
+	}
 	if (!request_mem_region(iomem->start, resource_size(iomem), DRV_NAME))
 		goto err_mem_region;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 108/188] selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (106 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 107/188] net: micrel: check return value after calling platform_get_resource() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 109/188] xfrm: Fix error reporting in xfrm_state_construct Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Minchan Kim, Paul Moore, Sasha Levin

From: Minchan Kim <minchan@kernel.org>

[ Upstream commit 648f2c6100cfa18e7dfe43bc0b9c3b73560d623c ]

In the field, we have seen lots of allocation failure from the call
path below.

06-03 13:29:12.999 1010315 31557 31557 W Binder  : 31542_2: page allocation failure: order:0, mode:0x800(GFP_NOWAIT), nodemask=(null),cpuset=background,mems_allowed=0
...
...
06-03 13:29:12.999 1010315 31557 31557 W Call trace:
06-03 13:29:12.999 1010315 31557 31557 W         : dump_backtrace.cfi_jt+0x0/0x8
06-03 13:29:12.999 1010315 31557 31557 W         : dump_stack+0xc8/0x14c
06-03 13:29:12.999 1010315 31557 31557 W         : warn_alloc+0x158/0x1c8
06-03 13:29:12.999 1010315 31557 31557 W         : __alloc_pages_slowpath+0x9d8/0xb80
06-03 13:29:12.999 1010315 31557 31557 W         : __alloc_pages_nodemask+0x1c4/0x430
06-03 13:29:12.999 1010315 31557 31557 W         : allocate_slab+0xb4/0x390
06-03 13:29:12.999 1010315 31557 31557 W         : ___slab_alloc+0x12c/0x3a4
06-03 13:29:12.999 1010315 31557 31557 W         : kmem_cache_alloc+0x358/0x5e4
06-03 13:29:12.999 1010315 31557 31557 W         : avc_alloc_node+0x30/0x184
06-03 13:29:12.999 1010315 31557 31557 W         : avc_update_node+0x54/0x4f0
06-03 13:29:12.999 1010315 31557 31557 W         : avc_has_extended_perms+0x1a4/0x460
06-03 13:29:12.999 1010315 31557 31557 W         : selinux_file_ioctl+0x320/0x3d0
06-03 13:29:12.999 1010315 31557 31557 W         : __arm64_sys_ioctl+0xec/0x1fc
06-03 13:29:12.999 1010315 31557 31557 W         : el0_svc_common+0xc0/0x24c
06-03 13:29:12.999 1010315 31557 31557 W         : el0_svc+0x28/0x88
06-03 13:29:12.999 1010315 31557 31557 W         : el0_sync_handler+0x8c/0xf0
06-03 13:29:12.999 1010315 31557 31557 W         : el0_sync+0x1a4/0x1c0
..
..
06-03 13:29:12.999 1010315 31557 31557 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010315 31557 31557 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010315 31557 31557 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:12.999 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:12.999 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:12.999 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 1010161 10686 10686 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 1010161 10686 10686 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 1010161 10686 10686 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 10230 30892 30892 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 10230 30892 30892 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0
06-03 13:29:13.000 10230 30892 30892 W node 0  : slabs: 57, objs: 2907, free: 0
06-03 13:29:13.000 10230 30892 30892 W SLUB    : Unable to allocate memory on node -1, gfp=0x900(GFP_NOWAIT|__GFP_ZERO)
06-03 13:29:13.000 10230 30892 30892 W cache   : avc_node, object size: 72, buffer size: 80, default order: 0, min order: 0

Based on [1], selinux is tolerate for failure of memory allocation.
Then, use __GFP_NOWARN together.

[1] 476accbe2f6e ("selinux: use GFP_NOWAIT in the AVC kmem_caches")

Signed-off-by: Minchan Kim <minchan@kernel.org>
[PM: subj fix, line wraps, normalized commit refs]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 security/selinux/avc.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index f3c473791b69..a16c72c2a967 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -348,26 +348,27 @@ static struct avc_xperms_decision_node
 	struct avc_xperms_decision_node *xpd_node;
 	struct extended_perms_decision *xpd;
 
-	xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep, GFP_NOWAIT);
+	xpd_node = kmem_cache_zalloc(avc_xperms_decision_cachep,
+				     GFP_NOWAIT | __GFP_NOWARN);
 	if (!xpd_node)
 		return NULL;
 
 	xpd = &xpd_node->xpd;
 	if (which & XPERMS_ALLOWED) {
 		xpd->allowed = kmem_cache_zalloc(avc_xperms_data_cachep,
-						GFP_NOWAIT);
+						GFP_NOWAIT | __GFP_NOWARN);
 		if (!xpd->allowed)
 			goto error;
 	}
 	if (which & XPERMS_AUDITALLOW) {
 		xpd->auditallow = kmem_cache_zalloc(avc_xperms_data_cachep,
-						GFP_NOWAIT);
+						GFP_NOWAIT | __GFP_NOWARN);
 		if (!xpd->auditallow)
 			goto error;
 	}
 	if (which & XPERMS_DONTAUDIT) {
 		xpd->dontaudit = kmem_cache_zalloc(avc_xperms_data_cachep,
-						GFP_NOWAIT);
+						GFP_NOWAIT | __GFP_NOWARN);
 		if (!xpd->dontaudit)
 			goto error;
 	}
@@ -395,7 +396,7 @@ static struct avc_xperms_node *avc_xperms_alloc(void)
 {
 	struct avc_xperms_node *xp_node;
 
-	xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT);
+	xp_node = kmem_cache_zalloc(avc_xperms_cachep, GFP_NOWAIT | __GFP_NOWARN);
 	if (!xp_node)
 		return xp_node;
 	INIT_LIST_HEAD(&xp_node->xpd_head);
@@ -548,7 +549,7 @@ static struct avc_node *avc_alloc_node(void)
 {
 	struct avc_node *node;
 
-	node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT);
+	node = kmem_cache_zalloc(avc_node_cachep, GFP_NOWAIT | __GFP_NOWARN);
 	if (!node)
 		goto out;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 109/188] xfrm: Fix error reporting in xfrm_state_construct.
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (107 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 108/188] selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 110/188] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tobias Brunner, Steffen Klassert,
	Sasha Levin

From: Steffen Klassert <steffen.klassert@secunet.com>

[ Upstream commit 6fd06963fa74197103cdbb4b494763127b3f2f34 ]

When memory allocation for XFRMA_ENCAP or XFRMA_COADDR fails,
the error will not be reported because the -ENOMEM assignment
to the err variable is overwritten before. Fix this by moving
these two in front of the function so that memory allocation
failures will be reported.

Reported-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_user.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 158f630cc7a6..98ea6ebc7317 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -566,6 +566,20 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 
 	copy_from_user_state(x, p);
 
+	if (attrs[XFRMA_ENCAP]) {
+		x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
+				   sizeof(*x->encap), GFP_KERNEL);
+		if (x->encap == NULL)
+			goto error;
+	}
+
+	if (attrs[XFRMA_COADDR]) {
+		x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
+				    sizeof(*x->coaddr), GFP_KERNEL);
+		if (x->coaddr == NULL)
+			goto error;
+	}
+
 	if (attrs[XFRMA_SA_EXTRA_FLAGS])
 		x->props.extra_flags = nla_get_u32(attrs[XFRMA_SA_EXTRA_FLAGS]);
 
@@ -586,23 +600,9 @@ static struct xfrm_state *xfrm_state_construct(struct net *net,
 				   attrs[XFRMA_ALG_COMP])))
 		goto error;
 
-	if (attrs[XFRMA_ENCAP]) {
-		x->encap = kmemdup(nla_data(attrs[XFRMA_ENCAP]),
-				   sizeof(*x->encap), GFP_KERNEL);
-		if (x->encap == NULL)
-			goto error;
-	}
-
 	if (attrs[XFRMA_TFCPAD])
 		x->tfcpad = nla_get_u32(attrs[XFRMA_TFCPAD]);
 
-	if (attrs[XFRMA_COADDR]) {
-		x->coaddr = kmemdup(nla_data(attrs[XFRMA_COADDR]),
-				    sizeof(*x->coaddr), GFP_KERNEL);
-		if (x->coaddr == NULL)
-			goto error;
-	}
-
 	xfrm_mark_get(attrs, &x->mark);
 
 	err = __xfrm_init_state(x, false);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 110/188] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (108 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 109/188] xfrm: Fix error reporting in xfrm_state_construct Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 111/188] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Carl Philipp Klemm, Tony Lindgren,
	Kalle Valo, Sasha Levin

From: Tony Lindgren <tony@atomide.com>

[ Upstream commit 11ef6bc846dcdce838f0b00c5f6a562c57e5d43b ]

At least on wl12xx, reading the MAC after boot can fail with a warning
at drivers/net/wireless/ti/wlcore/sdio.c:78 wl12xx_sdio_raw_read.
The failed call comes from wl12xx_get_mac() that wlcore_nvs_cb() calls
after request_firmware_work_func().

After the error, no wireless interface is created. Reloading the wl12xx
module makes the interface work.

Turns out the wlan controller can be in a low-power ELP state after the
boot from the bootloader or kexec, and needs to be woken up first.

Let's wake the hardware and add a sleep after that similar to
wl12xx_pre_boot() is already doing.

Note that a similar issue could exist for wl18xx, but I have not seen it
so far. And a search for wl18xx_get_mac and wl12xx_sdio_raw_read did not
produce similar errors.

Cc: Carl Philipp Klemm <philipp@uvos.xyz>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210603062814.19464-1-tony@atomide.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ti/wl12xx/main.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/ti/wl12xx/main.c b/drivers/net/wireless/ti/wl12xx/main.c
index e4b28d37046a..c453a634d769 100644
--- a/drivers/net/wireless/ti/wl12xx/main.c
+++ b/drivers/net/wireless/ti/wl12xx/main.c
@@ -1515,6 +1515,13 @@ static int wl12xx_get_fuse_mac(struct wl1271 *wl)
 	u32 mac1, mac2;
 	int ret;
 
+	/* Device may be in ELP from the bootloader or kexec */
+	ret = wlcore_write32(wl, WL12XX_WELP_ARM_COMMAND, WELP_ARM_COMMAND_VAL);
+	if (ret < 0)
+		goto out;
+
+	usleep_range(500000, 700000);
+
 	ret = wlcore_set_partition(wl, &wl->ptable[PART_DRPW]);
 	if (ret < 0)
 		goto out;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 111/188] wl1251: Fix possible buffer overflow in wl1251_cmd_scan
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (109 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 110/188] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 112/188] cw1200: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lee Gibson, Kalle Valo, Sasha Levin

From: Lee Gibson <leegib@gmail.com>

[ Upstream commit d10a87a3535cce2b890897914f5d0d83df669c63 ]

Function wl1251_cmd_scan calls memcpy without checking the length.
Harden by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210428115508.25624-1-leegib@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ti/wl1251/cmd.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ti/wl1251/cmd.c b/drivers/net/wireless/ti/wl1251/cmd.c
index ede31f048ef9..247f4310a38f 100644
--- a/drivers/net/wireless/ti/wl1251/cmd.c
+++ b/drivers/net/wireless/ti/wl1251/cmd.c
@@ -465,9 +465,12 @@ int wl1251_cmd_scan(struct wl1251 *wl, u8 *ssid, size_t ssid_len,
 		cmd->channels[i].channel = channels[i]->hw_value;
 	}
 
-	cmd->params.ssid_len = ssid_len;
-	if (ssid)
-		memcpy(cmd->params.ssid, ssid, ssid_len);
+	if (ssid) {
+		int len = clamp_val(ssid_len, 0, IEEE80211_MAX_SSID_LEN);
+
+		cmd->params.ssid_len = len;
+		memcpy(cmd->params.ssid, ssid, len);
+	}
 
 	ret = wl1251_cmd_send(wl, CMD_SCAN, cmd, sizeof(*cmd));
 	if (ret < 0) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 112/188] cw1200: add missing MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 111/188] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 113/188] atm: nicstar: use dma_free_coherent instead of kfree Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Kalle Valo, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit dd778f89225cd258e8f0fed2b7256124982c8bb5 ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/1620788714-14300-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/cw1200/cw1200_sdio.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/net/wireless/cw1200/cw1200_sdio.c b/drivers/net/wireless/cw1200/cw1200_sdio.c
index d3acc85932a5..de92107549ee 100644
--- a/drivers/net/wireless/cw1200/cw1200_sdio.c
+++ b/drivers/net/wireless/cw1200/cw1200_sdio.c
@@ -62,6 +62,7 @@ static const struct sdio_device_id cw1200_sdio_ids[] = {
 	{ SDIO_DEVICE(SDIO_VENDOR_ID_STE, SDIO_DEVICE_ID_STE_CW1200) },
 	{ /* end: all zeroes */			},
 };
+MODULE_DEVICE_TABLE(sdio, cw1200_sdio_ids);
 
 /* hwbus_ops implemetation */
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 113/188] atm: nicstar: use dma_free_coherent instead of kfree
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 112/188] cw1200: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 114/188] atm: nicstar: register the interrupt handler in the right place Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, David S. Miller, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 6a1e5a4af17e440dd82a58a2c5f40ff17a82b722 ]

When 'nicstar_init_one' fails, 'ns_init_card_error' will be executed for
error handling, but the correct memory free function should be used,
otherwise it will cause an error. Since 'card->rsq.org' and
'card->tsq.org' are allocated using 'dma_alloc_coherent' function, they
should be freed using 'dma_free_coherent'.

Fix this by using 'dma_free_coherent' instead of 'kfree'

This log reveals it:

[    3.440294] kernel BUG at mm/slub.c:4206!
[    3.441059] invalid opcode: 0000 [#1] PREEMPT SMP PTI
[    3.441430] CPU: 2 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #141
[    3.441986] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.442780] RIP: 0010:kfree+0x26a/0x300
[    3.443065] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
[    3.443396] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
[    3.443396] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
[    3.443396] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
[    3.443396] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
[    3.443396] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
[    3.443396] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
[    3.443396] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
[    3.443396] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.443396] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
[    3.443396] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    3.443396] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    3.443396] Call Trace:
[    3.443396]  ns_init_card_error+0x12c/0x220
[    3.443396]  nicstar_init_one+0x10d2/0x1130
[    3.443396]  local_pci_probe+0x4a/0xb0
[    3.443396]  pci_device_probe+0x126/0x1d0
[    3.443396]  ? pci_device_remove+0x100/0x100
[    3.443396]  really_probe+0x27e/0x650
[    3.443396]  driver_probe_device+0x84/0x1d0
[    3.443396]  ? mutex_lock_nested+0x16/0x20
[    3.443396]  device_driver_attach+0x63/0x70
[    3.443396]  __driver_attach+0x117/0x1a0
[    3.443396]  ? device_driver_attach+0x70/0x70
[    3.443396]  bus_for_each_dev+0xb6/0x110
[    3.443396]  ? rdinit_setup+0x40/0x40
[    3.443396]  driver_attach+0x22/0x30
[    3.443396]  bus_add_driver+0x1e6/0x2a0
[    3.443396]  driver_register+0xa4/0x180
[    3.443396]  __pci_register_driver+0x77/0x80
[    3.443396]  ? uPD98402_module_init+0xd/0xd
[    3.443396]  nicstar_init+0x1f/0x75
[    3.443396]  do_one_initcall+0x7a/0x3d0
[    3.443396]  ? rdinit_setup+0x40/0x40
[    3.443396]  ? rcu_read_lock_sched_held+0x4a/0x70
[    3.443396]  kernel_init_freeable+0x2a7/0x2f9
[    3.443396]  ? rest_init+0x2c0/0x2c0
[    3.443396]  kernel_init+0x13/0x180
[    3.443396]  ? rest_init+0x2c0/0x2c0
[    3.443396]  ? rest_init+0x2c0/0x2c0
[    3.443396]  ret_from_fork+0x1f/0x30
[    3.443396] Modules linked in:
[    3.443396] Dumping ftrace buffer:
[    3.443396]    (ftrace buffer empty)
[    3.458593] ---[ end trace 3c6f8f0d8ef59bcd ]---
[    3.458922] RIP: 0010:kfree+0x26a/0x300
[    3.459198] Code: e8 3a c3 b9 ff e9 d6 fd ff ff 49 8b 45 00 31 db a9 00 00 01 00 75 4d 49 8b 45 00 a9 00 00 01 00 75 0a 49 8b 45 08 a8 01 75 02 <0f> 0b 89 d9 b8 00 10 00 00 be 06 00 00 00 48 d3 e0 f7 d8 48 63 d0
[    3.460499] RSP: 0000:ffffc90000017b70 EFLAGS: 00010246
[    3.460870] RAX: dead000000000100 RBX: 0000000000000000 RCX: 0000000000000000
[    3.461371] RDX: 0000000000000000 RSI: ffffffff85d3df94 RDI: ffffffff85df38e6
[    3.461873] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000001
[    3.462372] R10: 0000000000000000 R11: 0000000000000001 R12: ffff888107dc0000
[    3.462871] R13: ffffea00001f0100 R14: ffff888101a8bf00 R15: ffff888107dc0160
[    3.463368] FS:  0000000000000000(0000) GS:ffff88817bc80000(0000) knlGS:0000000000000000
[    3.463949] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.464356] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
[    3.464856] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    3.465356] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    3.465860] Kernel panic - not syncing: Fatal exception
[    3.466370] Dumping ftrace buffer:
[    3.466616]    (ftrace buffer empty)
[    3.466871] Kernel Offset: disabled
[    3.467122] Rebooting in 1 seconds..

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/nicstar.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
index 486d7a114031..86f3e72e686f 100644
--- a/drivers/atm/nicstar.c
+++ b/drivers/atm/nicstar.c
@@ -837,10 +837,12 @@ static void ns_init_card_error(ns_dev *card, int error)
 			dev_kfree_skb_any(hb);
 	}
 	if (error >= 12) {
-		kfree(card->rsq.org);
+		dma_free_coherent(&card->pcidev->dev, NS_RSQSIZE + NS_RSQ_ALIGNMENT,
+				card->rsq.org, card->rsq.dma);
 	}
 	if (error >= 11) {
-		kfree(card->tsq.org);
+		dma_free_coherent(&card->pcidev->dev, NS_TSQSIZE + NS_TSQ_ALIGNMENT,
+				card->tsq.org, card->tsq.dma);
 	}
 	if (error >= 10) {
 		free_irq(card->pcidev->irq, card);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 114/188] atm: nicstar: register the interrupt handler in the right place
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 113/188] atm: nicstar: use dma_free_coherent instead of kfree Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 115/188] sfc: avoid double pci_remove of VFs Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zheyu Ma, David S. Miller, Sasha Levin

From: Zheyu Ma <zheyuma97@gmail.com>

[ Upstream commit 70b639dc41ad499384e41e106fce72e36805c9f2 ]

Because the error handling is sequential, the application of resources
should be carried out in the order of error handling, so the operation
of registering the interrupt handler should be put in front, so as not
to free the unregistered interrupt handler during error handling.

This log reveals it:

[    3.438724] Trying to free already-free IRQ 23
[    3.439060] WARNING: CPU: 5 PID: 1 at kernel/irq/manage.c:1825 free_irq+0xfb/0x480
[    3.440039] Modules linked in:
[    3.440257] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
[    3.440793] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.441561] RIP: 0010:free_irq+0xfb/0x480
[    3.441845] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
[    3.443121] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
[    3.443483] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
[    3.443972] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
[    3.444462] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
[    3.444950] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[    3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
[    3.444994] FS:  0000000000000000(0000) GS:ffff88817bd40000(0000) knlGS:0000000000000000
[    3.444994] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    3.444994] CR2: 0000000000000000 CR3: 000000000642e000 CR4: 00000000000006e0
[    3.444994] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[    3.444994] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[    3.444994] Call Trace:
[    3.444994]  ns_init_card_error+0x18e/0x250
[    3.444994]  nicstar_init_one+0x10d2/0x1130
[    3.444994]  local_pci_probe+0x4a/0xb0
[    3.444994]  pci_device_probe+0x126/0x1d0
[    3.444994]  ? pci_device_remove+0x100/0x100
[    3.444994]  really_probe+0x27e/0x650
[    3.444994]  driver_probe_device+0x84/0x1d0
[    3.444994]  ? mutex_lock_nested+0x16/0x20
[    3.444994]  device_driver_attach+0x63/0x70
[    3.444994]  __driver_attach+0x117/0x1a0
[    3.444994]  ? device_driver_attach+0x70/0x70
[    3.444994]  bus_for_each_dev+0xb6/0x110
[    3.444994]  ? rdinit_setup+0x40/0x40
[    3.444994]  driver_attach+0x22/0x30
[    3.444994]  bus_add_driver+0x1e6/0x2a0
[    3.444994]  driver_register+0xa4/0x180
[    3.444994]  __pci_register_driver+0x77/0x80
[    3.444994]  ? uPD98402_module_init+0xd/0xd
[    3.444994]  nicstar_init+0x1f/0x75
[    3.444994]  do_one_initcall+0x7a/0x3d0
[    3.444994]  ? rdinit_setup+0x40/0x40
[    3.444994]  ? rcu_read_lock_sched_held+0x4a/0x70
[    3.444994]  kernel_init_freeable+0x2a7/0x2f9
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  kernel_init+0x13/0x180
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  ret_from_fork+0x1f/0x30
[    3.444994] Kernel panic - not syncing: panic_on_warn set ...
[    3.444994] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 5.12.4-g70e7f0549188-dirty #142
[    3.444994] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
[    3.444994] Call Trace:
[    3.444994]  dump_stack+0xba/0xf5
[    3.444994]  ? free_irq+0xfb/0x480
[    3.444994]  panic+0x155/0x3ed
[    3.444994]  ? __warn+0xed/0x150
[    3.444994]  ? free_irq+0xfb/0x480
[    3.444994]  __warn+0x103/0x150
[    3.444994]  ? free_irq+0xfb/0x480
[    3.444994]  report_bug+0x119/0x1c0
[    3.444994]  handle_bug+0x3b/0x80
[    3.444994]  exc_invalid_op+0x18/0x70
[    3.444994]  asm_exc_invalid_op+0x12/0x20
[    3.444994] RIP: 0010:free_irq+0xfb/0x480
[    3.444994] Code: 6e 08 74 6f 4d 89 f4 e8 c3 78 09 00 4d 8b 74 24 18 4d 85 f6 75 e3 e8 b4 78 09 00 8b 75 c8 48 c7 c7 a0 ac d5 85 e8 95 d7 f5 ff <0f> 0b 48 8b 75 c0 4c 89 ff e8 87 c5 90 03 48 8b 43 40 4c 8b a0 80
[    3.444994] RSP: 0000:ffffc90000017b50 EFLAGS: 00010086
[    3.444994] RAX: 0000000000000000 RBX: ffff888107c6f000 RCX: 0000000000000000
[    3.444994] RDX: 0000000000000000 RSI: ffffffff8123f301 RDI: 00000000ffffffff
[    3.444994] RBP: ffffc90000017b90 R08: 0000000000000001 R09: 0000000000000003
[    3.444994] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
[    3.444994] R13: ffff888107dc0000 R14: ffff888104f6bf00 R15: ffff888107c6f0a8
[    3.444994]  ? vprintk_func+0x71/0x110
[    3.444994]  ns_init_card_error+0x18e/0x250
[    3.444994]  nicstar_init_one+0x10d2/0x1130
[    3.444994]  local_pci_probe+0x4a/0xb0
[    3.444994]  pci_device_probe+0x126/0x1d0
[    3.444994]  ? pci_device_remove+0x100/0x100
[    3.444994]  really_probe+0x27e/0x650
[    3.444994]  driver_probe_device+0x84/0x1d0
[    3.444994]  ? mutex_lock_nested+0x16/0x20
[    3.444994]  device_driver_attach+0x63/0x70
[    3.444994]  __driver_attach+0x117/0x1a0
[    3.444994]  ? device_driver_attach+0x70/0x70
[    3.444994]  bus_for_each_dev+0xb6/0x110
[    3.444994]  ? rdinit_setup+0x40/0x40
[    3.444994]  driver_attach+0x22/0x30
[    3.444994]  bus_add_driver+0x1e6/0x2a0
[    3.444994]  driver_register+0xa4/0x180
[    3.444994]  __pci_register_driver+0x77/0x80
[    3.444994]  ? uPD98402_module_init+0xd/0xd
[    3.444994]  nicstar_init+0x1f/0x75
[    3.444994]  do_one_initcall+0x7a/0x3d0
[    3.444994]  ? rdinit_setup+0x40/0x40
[    3.444994]  ? rcu_read_lock_sched_held+0x4a/0x70
[    3.444994]  kernel_init_freeable+0x2a7/0x2f9
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  kernel_init+0x13/0x180
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  ? rest_init+0x2c0/0x2c0
[    3.444994]  ret_from_fork+0x1f/0x30
[    3.444994] Dumping ftrace buffer:
[    3.444994]    (ftrace buffer empty)
[    3.444994] Kernel Offset: disabled
[    3.444994] Rebooting in 1 seconds..

Signed-off-by: Zheyu Ma <zheyuma97@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/atm/nicstar.c | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/drivers/atm/nicstar.c b/drivers/atm/nicstar.c
index 86f3e72e686f..56d464b58768 100644
--- a/drivers/atm/nicstar.c
+++ b/drivers/atm/nicstar.c
@@ -525,6 +525,15 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
 	/* Set the VPI/VCI MSb mask to zero so we can receive OAM cells */
 	writel(0x00000000, card->membase + VPM);
 
+	card->intcnt = 0;
+	if (request_irq
+	    (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
+		pr_err("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
+		error = 9;
+		ns_init_card_error(card, error);
+		return error;
+	}
+
 	/* Initialize TSQ */
 	card->tsq.org = dma_alloc_coherent(&card->pcidev->dev,
 					   NS_TSQSIZE + NS_TSQ_ALIGNMENT,
@@ -751,15 +760,6 @@ static int ns_init_card(int i, struct pci_dev *pcidev)
 
 	card->efbie = 1;
 
-	card->intcnt = 0;
-	if (request_irq
-	    (pcidev->irq, &ns_irq_handler, IRQF_SHARED, "nicstar", card) != 0) {
-		printk("nicstar%d: can't allocate IRQ %d.\n", i, pcidev->irq);
-		error = 9;
-		ns_init_card_error(card, error);
-		return error;
-	}
-
 	/* Register device */
 	card->atmdev = atm_dev_register("nicstar", &card->pcidev->dev, &atm_ops,
 					-1, NULL);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 115/188] sfc: avoid double pci_remove of VFs
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 114/188] atm: nicstar: register the interrupt handler in the right place Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 116/188] sfc: error code if SRIOV cannot be disabled Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Íñigo Huguet,
	David S. Miller, Sasha Levin

From: Íñigo Huguet <ihuguet@redhat.com>

[ Upstream commit 45423cff1db66cf0993e8a9bd0ac93e740149e49 ]

If pci_remove was called for a PF with VFs, the removal of the VFs was
called twice from efx_ef10_sriov_fini: one directly with pci_driver->remove
and another implicit by calling pci_disable_sriov, which also perform
the VFs remove. This was leading to crashing the kernel on the second
attempt.

Given that pci_disable_sriov already calls to pci remove function, get
rid of the direct call to pci_driver->remove from the driver.

2 different ways to trigger the bug:
- Create one or more VFs, then attach the PF to a virtual machine (at
  least with qemu/KVM)
- Create one or more VFs, then remove the PF with:
  echo 1 > /sys/bus/pci/devices/PF_PCI_ID/remove

Removing sfc module does not trigger the error, at least for me, because
it removes the VF first, and then the PF.

Example of a log with the error:
    list_del corruption, ffff967fd20a8ad0->next is LIST_POISON1 (dead000000000100)
    ------------[ cut here ]------------
    kernel BUG at lib/list_debug.c:47!
    [...trimmed...]
    RIP: 0010:__list_del_entry_valid.cold.1+0x12/0x4c
    [...trimmed...]
    Call Trace:
    efx_dissociate+0x1f/0x140 [sfc]
    efx_pci_remove+0x27/0x150 [sfc]
    pci_device_remove+0x3b/0xc0
    device_release_driver_internal+0x103/0x1f0
    pci_stop_bus_device+0x69/0x90
    pci_stop_and_remove_bus_device+0xe/0x20
    pci_iov_remove_virtfn+0xba/0x120
    sriov_disable+0x2f/0xe0
    efx_ef10_pci_sriov_disable+0x52/0x80 [sfc]
    ? pcie_aer_is_native+0x12/0x40
    efx_ef10_sriov_fini+0x72/0x110 [sfc]
    efx_pci_remove+0x62/0x150 [sfc]
    pci_device_remove+0x3b/0xc0
    device_release_driver_internal+0x103/0x1f0
    unbind_store+0xf6/0x130
    kernfs_fop_write+0x116/0x190
    vfs_write+0xa5/0x1a0
    ksys_write+0x4f/0xb0
    do_syscall_64+0x5b/0x1a0
    entry_SYSCALL_64_after_hwframe+0x65/0xca

Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sfc/ef10_sriov.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
index 3c17f274e802..b3c27331b374 100644
--- a/drivers/net/ethernet/sfc/ef10_sriov.c
+++ b/drivers/net/ethernet/sfc/ef10_sriov.c
@@ -415,7 +415,6 @@ int efx_ef10_sriov_init(struct efx_nic *efx)
 void efx_ef10_sriov_fini(struct efx_nic *efx)
 {
 	struct efx_ef10_nic_data *nic_data = efx->nic_data;
-	unsigned int i;
 	int rc;
 
 	if (!nic_data->vf) {
@@ -425,14 +424,7 @@ void efx_ef10_sriov_fini(struct efx_nic *efx)
 		return;
 	}
 
-	/* Remove any VFs in the host */
-	for (i = 0; i < efx->vf_count; ++i) {
-		struct efx_nic *vf_efx = nic_data->vf[i].efx;
-
-		if (vf_efx)
-			vf_efx->pci_dev->driver->remove(vf_efx->pci_dev);
-	}
-
+	/* Disable SRIOV and remove any VFs in the host */
 	rc = efx_ef10_pci_sriov_disable(efx, true);
 	if (rc)
 		netif_dbg(efx, drv, efx->net_dev,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 116/188] sfc: error code if SRIOV cannot be disabled
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 115/188] sfc: avoid double pci_remove of VFs Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 117/188] wireless: wext-spy: Fix out-of-bounds warning Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Íñigo Huguet,
	David S. Miller, Sasha Levin

From: Íñigo Huguet <ihuguet@redhat.com>

[ Upstream commit 1ebe4feb8b442884f5a28d2437040096723dd1ea ]

If SRIOV cannot be disabled during device removal or module unloading,
return error code so it can be logged properly in the calling function.

Note that this can only happen if any VF is currently attached to a
guest using Xen, but not with vfio/KVM. Despite that in that case the
VFs won't work properly with PF removed and/or the module unloaded, I
have let it as is because I don't know what side effects may have
changing it, and also it seems to be the same that other drivers are
doing in this situation.

In the case of being called during SRIOV reconfiguration, the behavior
hasn't changed because the function is called with force=false.

Signed-off-by: Íñigo Huguet <ihuguet@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sfc/ef10_sriov.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/sfc/ef10_sriov.c b/drivers/net/ethernet/sfc/ef10_sriov.c
index b3c27331b374..8fce0c819a4b 100644
--- a/drivers/net/ethernet/sfc/ef10_sriov.c
+++ b/drivers/net/ethernet/sfc/ef10_sriov.c
@@ -378,12 +378,17 @@ fail1:
 	return rc;
 }
 
+/* Disable SRIOV and remove VFs
+ * If some VFs are attached to a guest (using Xen, only) nothing is
+ * done if force=false, and vports are freed if force=true (for the non
+ * attachedc ones, only) but SRIOV is not disabled and VFs are not
+ * removed in either case.
+ */
 static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
 {
 	struct pci_dev *dev = efx->pci_dev;
-	unsigned int vfs_assigned = 0;
-
-	vfs_assigned = pci_vfs_assigned(dev);
+	unsigned int vfs_assigned = pci_vfs_assigned(dev);
+	int rc = 0;
 
 	if (vfs_assigned && !force) {
 		netif_info(efx, drv, efx->net_dev, "VFs are assigned to guests; "
@@ -393,10 +398,12 @@ static int efx_ef10_pci_sriov_disable(struct efx_nic *efx, bool force)
 
 	if (!vfs_assigned)
 		pci_disable_sriov(dev);
+	else
+		rc = -EBUSY;
 
 	efx_ef10_sriov_free_vf_vswitching(efx);
 	efx->vf_count = 0;
-	return 0;
+	return rc;
 }
 
 int efx_ef10_sriov_configure(struct efx_nic *efx, int num_vfs)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 117/188] wireless: wext-spy: Fix out-of-bounds warning
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 116/188] sfc: error code if SRIOV cannot be disabled Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 118/188] RDMA/cma: Fix rdma_resolve_route() memory leak Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot,
	Gustavo A. R. Silva, Kees Cook, Johannes Berg, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit e93bdd78406da9ed01554c51e38b2a02c8ef8025 ]

Fix the following out-of-bounds warning:

net/wireless/wext-spy.c:178:2: warning: 'memcpy' offset [25, 28] from the object at 'threshold' is out of the bounds of referenced subobject 'low' with type 'struct iw_quality' at offset 20 [-Warray-bounds]

The problem is that the original code is trying to copy data into a
couple of struct members adjacent to each other in a single call to
memcpy(). This causes a legitimate compiler warning because memcpy()
overruns the length of &threshold.low and &spydata->spy_thr_low. As
these are just a couple of struct members, fix this by using direct
assignments, instead of memcpy().

This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().

Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20210422200032.GA168995@embeddedor
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/wireless/wext-spy.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/net/wireless/wext-spy.c b/net/wireless/wext-spy.c
index 33bef22e44e9..b379a0371653 100644
--- a/net/wireless/wext-spy.c
+++ b/net/wireless/wext-spy.c
@@ -120,8 +120,8 @@ int iw_handler_set_thrspy(struct net_device *	dev,
 		return -EOPNOTSUPP;
 
 	/* Just do it */
-	memcpy(&(spydata->spy_thr_low), &(threshold->low),
-	       2 * sizeof(struct iw_quality));
+	spydata->spy_thr_low = threshold->low;
+	spydata->spy_thr_high = threshold->high;
 
 	/* Clear flag */
 	memset(spydata->spy_thr_under, '\0', sizeof(spydata->spy_thr_under));
@@ -147,8 +147,8 @@ int iw_handler_get_thrspy(struct net_device *	dev,
 		return -EOPNOTSUPP;
 
 	/* Just do it */
-	memcpy(&(threshold->low), &(spydata->spy_thr_low),
-	       2 * sizeof(struct iw_quality));
+	threshold->low = spydata->spy_thr_low;
+	threshold->high = spydata->spy_thr_high;
 
 	return 0;
 }
@@ -173,10 +173,10 @@ static void iw_send_thrspy_event(struct net_device *	dev,
 	memcpy(threshold.addr.sa_data, address, ETH_ALEN);
 	threshold.addr.sa_family = ARPHRD_ETHER;
 	/* Copy stats */
-	memcpy(&(threshold.qual), wstats, sizeof(struct iw_quality));
+	threshold.qual = *wstats;
 	/* Copy also thresholds */
-	memcpy(&(threshold.low), &(spydata->spy_thr_low),
-	       2 * sizeof(struct iw_quality));
+	threshold.low = spydata->spy_thr_low;
+	threshold.high = spydata->spy_thr_high;
 
 	/* Send event to user space */
 	wireless_send_event(dev, SIOCGIWTHRSPY, &wrqu, (char *) &threshold);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 118/188] RDMA/cma: Fix rdma_resolve_route() memory leak
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 117/188] wireless: wext-spy: Fix out-of-bounds warning Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 119/188] Bluetooth: Fix the HCI to MGMT status conversion table Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Gerd Rausch, Jason Gunthorpe, Sasha Levin

From: Gerd Rausch <gerd.rausch@oracle.com>

[ Upstream commit 74f160ead74bfe5f2b38afb4fcf86189f9ff40c9 ]

Fix a memory leak when "mda_resolve_route() is called more than once on
the same "rdma_cm_id".

This is possible if cma_query_handler() triggers the
RDMA_CM_EVENT_ROUTE_ERROR flow which puts the state machine back and
allows rdma_resolve_route() to be called again.

Link: https://lore.kernel.org/r/f6662b7b-bdb7-2706-1e12-47c61d3474b6@oracle.com
Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/cma.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/infiniband/core/cma.c b/drivers/infiniband/core/cma.c
index b59a4a819aaa..b5e7bd23857e 100644
--- a/drivers/infiniband/core/cma.c
+++ b/drivers/infiniband/core/cma.c
@@ -2227,7 +2227,8 @@ static int cma_resolve_ib_route(struct rdma_id_private *id_priv, int timeout_ms)
 	work->new_state = RDMA_CM_ROUTE_RESOLVED;
 	work->event.event = RDMA_CM_EVENT_ROUTE_RESOLVED;
 
-	route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
+	if (!route->path_rec)
+		route->path_rec = kmalloc(sizeof *route->path_rec, GFP_KERNEL);
 	if (!route->path_rec) {
 		ret = -ENOMEM;
 		goto err1;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 119/188] Bluetooth: Fix the HCI to MGMT status conversion table
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 118/188] RDMA/cma: Fix rdma_resolve_route() memory leak Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 120/188] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Miao-chen Chou, Yu Liu,
	Marcel Holtmann, Sasha Levin

From: Yu Liu <yudiliu@google.com>

[ Upstream commit 4ef36a52b0e47c80bbfd69c0cce61c7ae9f541ed ]

0x2B, 0x31 and 0x33 are reserved for future use but were not present in
the HCI to MGMT conversion table, this caused the conversion to be
incorrect for the HCI status code greater than 0x2A.

Reviewed-by: Miao-chen Chou <mcchou@chromium.org>
Signed-off-by: Yu Liu <yudiliu@google.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/mgmt.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index ee761fb09559..4a95c89d8506 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -212,12 +212,15 @@ static u8 mgmt_status_table[] = {
 	MGMT_STATUS_TIMEOUT,		/* Instant Passed */
 	MGMT_STATUS_NOT_SUPPORTED,	/* Pairing Not Supported */
 	MGMT_STATUS_FAILED,		/* Transaction Collision */
+	MGMT_STATUS_FAILED,		/* Reserved for future use */
 	MGMT_STATUS_INVALID_PARAMS,	/* Unacceptable Parameter */
 	MGMT_STATUS_REJECTED,		/* QoS Rejected */
 	MGMT_STATUS_NOT_SUPPORTED,	/* Classification Not Supported */
 	MGMT_STATUS_REJECTED,		/* Insufficient Security */
 	MGMT_STATUS_INVALID_PARAMS,	/* Parameter Out Of Range */
+	MGMT_STATUS_FAILED,		/* Reserved for future use */
 	MGMT_STATUS_BUSY,		/* Role Switch Pending */
+	MGMT_STATUS_FAILED,		/* Reserved for future use */
 	MGMT_STATUS_FAILED,		/* Slot Violation */
 	MGMT_STATUS_FAILED,		/* Role Switch Failed */
 	MGMT_STATUS_INVALID_PARAMS,	/* EIR Too Large */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 120/188] Bluetooth: Shutdown controller after workqueues are flushed or cancelled
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 119/188] Bluetooth: Fix the HCI to MGMT status conversion table Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 121/188] Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Kai-Heng Feng, Marcel Holtmann, Sasha Levin

From: Kai-Heng Feng <kai.heng.feng@canonical.com>

[ Upstream commit 0ea9fd001a14ebc294f112b0361a4e601551d508 ]

Rfkill block and unblock Intel USB Bluetooth [8087:0026] may make it
stops working:
[  509.691509] Bluetooth: hci0: HCI reset during shutdown failed
[  514.897584] Bluetooth: hci0: MSFT filter_enable is already on
[  530.044751] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
[  545.660350] usb 3-10: device descriptor read/64, error -110
[  561.283530] usb 3-10: device descriptor read/64, error -110
[  561.519682] usb 3-10: reset full-speed USB device number 5 using xhci_hcd
[  566.686650] Bluetooth: hci0: unexpected event for opcode 0x0500
[  568.752452] Bluetooth: hci0: urb 0000000096cd309b failed to resubmit (113)
[  578.797955] Bluetooth: hci0: Failed to read MSFT supported features (-110)
[  586.286565] Bluetooth: hci0: urb 00000000c522f633 failed to resubmit (113)
[  596.215302] Bluetooth: hci0: Failed to read MSFT supported features (-110)

Or kernel panics because other workqueues already freed skb:
[ 2048.663763] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 2048.663775] #PF: supervisor read access in kernel mode
[ 2048.663779] #PF: error_code(0x0000) - not-present page
[ 2048.663782] PGD 0 P4D 0
[ 2048.663787] Oops: 0000 [#1] SMP NOPTI
[ 2048.663793] CPU: 3 PID: 4491 Comm: rfkill Tainted: G        W         5.13.0-rc1-next-20210510+ #20
[ 2048.663799] Hardware name: HP HP EliteBook 850 G8 Notebook PC/8846, BIOS T76 Ver. 01.01.04 12/02/2020
[ 2048.663801] RIP: 0010:__skb_ext_put+0x6/0x50
[ 2048.663814] Code: 8b 1b 48 85 db 75 db 5b 41 5c 5d c3 be 01 00 00 00 e8 de 13 c0 ff eb e7 be 02 00 00 00 e8 d2 13 c0 ff eb db 0f 1f 44 00 00 55 <8b> 07 48 89 e5 83 f8 01 74 14 b8 ff ff ff ff f0 0f c1
07 83 f8 01
[ 2048.663819] RSP: 0018:ffffc1d105b6fd80 EFLAGS: 00010286
[ 2048.663824] RAX: 0000000000000000 RBX: ffff9d9ac5649000 RCX: 0000000000000000
[ 2048.663827] RDX: ffffffffc0d1daf6 RSI: 0000000000000206 RDI: 0000000000000000
[ 2048.663830] RBP: ffffc1d105b6fd98 R08: 0000000000000001 R09: ffff9d9ace8ceac0
[ 2048.663834] R10: ffff9d9ace8ceac0 R11: 0000000000000001 R12: ffff9d9ac5649000
[ 2048.663838] R13: 0000000000000000 R14: 00007ffe0354d650 R15: 0000000000000000
[ 2048.663843] FS:  00007fe02ab19740(0000) GS:ffff9d9e5f8c0000(0000) knlGS:0000000000000000
[ 2048.663849] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2048.663853] CR2: 0000000000000000 CR3: 0000000111a52004 CR4: 0000000000770ee0
[ 2048.663856] PKRU: 55555554
[ 2048.663859] Call Trace:
[ 2048.663865]  ? skb_release_head_state+0x5e/0x80
[ 2048.663873]  kfree_skb+0x2f/0xb0
[ 2048.663881]  btusb_shutdown_intel_new+0x36/0x60 [btusb]
[ 2048.663905]  hci_dev_do_close+0x48c/0x5e0 [bluetooth]
[ 2048.663954]  ? __cond_resched+0x1a/0x50
[ 2048.663962]  hci_rfkill_set_block+0x56/0xa0 [bluetooth]
[ 2048.664007]  rfkill_set_block+0x98/0x170
[ 2048.664016]  rfkill_fop_write+0x136/0x1e0
[ 2048.664022]  vfs_write+0xc7/0x260
[ 2048.664030]  ksys_write+0xb1/0xe0
[ 2048.664035]  ? exit_to_user_mode_prepare+0x37/0x1c0
[ 2048.664042]  __x64_sys_write+0x1a/0x20
[ 2048.664048]  do_syscall_64+0x40/0xb0
[ 2048.664055]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 2048.664060] RIP: 0033:0x7fe02ac23c27
[ 2048.664066] Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
[ 2048.664070] RSP: 002b:00007ffe0354d638 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[ 2048.664075] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe02ac23c27
[ 2048.664078] RDX: 0000000000000008 RSI: 00007ffe0354d650 RDI: 0000000000000003
[ 2048.664081] RBP: 0000000000000000 R08: 0000559b05998440 R09: 0000559b05998440
[ 2048.664084] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000003
[ 2048.664086] R13: 0000000000000000 R14: ffffffff00000000 R15: 00000000ffffffff

So move the shutdown callback to a place where workqueues are either
flushed or cancelled to resolve the issue.

Signed-off-by: Kai-Heng Feng <kai.heng.feng@canonical.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/hci_core.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 041e719543fe..c478924198d5 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -1666,14 +1666,6 @@ int hci_dev_do_close(struct hci_dev *hdev)
 
 	BT_DBG("%s %p", hdev->name, hdev);
 
-	if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
-	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
-	    test_bit(HCI_UP, &hdev->flags)) {
-		/* Execute vendor specific shutdown routine */
-		if (hdev->shutdown)
-			hdev->shutdown(hdev);
-	}
-
 	cancel_delayed_work(&hdev->power_off);
 
 	hci_req_cancel(hdev, ENODEV);
@@ -1746,6 +1738,14 @@ int hci_dev_do_close(struct hci_dev *hdev)
 		clear_bit(HCI_INIT, &hdev->flags);
 	}
 
+	if (!hci_dev_test_flag(hdev, HCI_UNREGISTER) &&
+	    !hci_dev_test_flag(hdev, HCI_USER_CHANNEL) &&
+	    test_bit(HCI_UP, &hdev->flags)) {
+		/* Execute vendor specific shutdown routine */
+		if (hdev->shutdown)
+			hdev->shutdown(hdev);
+	}
+
 	/* flush cmd  work */
 	flush_work(&hdev->cmd_work);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 121/188] Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 120/188] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 122/188] sctp: add size validation when walking chunks Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Tim Jiang, Marcel Holtmann, Sasha Levin

From: Tim Jiang <tjiang@codeaurora.org>

[ Upstream commit 4f00bfb372674d586c4a261bfc595cbce101fbb6 ]

This is btsoc timing issue, after host start to downloading bt firmware,
ep2 need time to switch from function acl to function dfu, so host add
20ms delay as workaround.

Signed-off-by: Tim Jiang <tjiang@codeaurora.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/btusb.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 7039a58a6a4e..3d62f17111cb 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -2555,6 +2555,11 @@ static int btusb_setup_qca_download_fw(struct hci_dev *hdev,
 	sent += size;
 	count -= size;
 
+	/* ep2 need time to switch from function acl to function dfu,
+	 * so we add 20ms delay here.
+	 */
+	msleep(20);
+
 	while (count) {
 		size = min_t(size_t, count, QCA_DFU_PACKET_LEN);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 122/188] sctp: add size validation when walking chunks
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 121/188] Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 123/188] fuse: reject internal errno Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Ilja Van Sprundel,
	Marcelo Ricardo Leitner, David S. Miller, Sasha Levin

From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]

The first chunk in a packet is ensured to be present at the beginning of
sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
one, may not be completely available and ch->length can be over
uninitialized memory.

Fix here is by only trying to walk on the next chunk if there is enough to
hold at least the header, and then proceed with the ch->length validation
that is already there.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sctp/input.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/input.c b/net/sctp/input.c
index 9fa89a35afcd..9dcc18db9918 100644
--- a/net/sctp/input.c
+++ b/net/sctp/input.c
@@ -1086,7 +1086,7 @@ static struct sctp_association *__sctp_rcv_walk_lookup(struct net *net,
 
 		ch = (sctp_chunkhdr_t *) ch_end;
 		chunk_num++;
-	} while (ch_end < skb_tail_pointer(skb));
+	} while (ch_end + sizeof(*ch) < skb_tail_pointer(skb));
 
 	return asoc;
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 123/188] fuse: reject internal errno
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 122/188] sctp: add size validation when walking chunks Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 124/188] can: gw: synchronize rcu operations before removing gw job entry Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Anatoly Trosinenko, Miklos Szeredi

From: Miklos Szeredi <mszeredi@redhat.com>

commit 49221cf86d18bb66fe95d3338cb33bd4b9880ca5 upstream.

Don't allow userspace to report errors that could be kernel-internal.

Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Fixes: 334f485df85a ("[PATCH] FUSE - device functions")
Cc: <stable@vger.kernel.org> # v2.6.14
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/dev.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1931,7 +1931,7 @@ static ssize_t fuse_dev_do_write(struct
 	}
 
 	err = -EINVAL;
-	if (oh.error <= -1000 || oh.error > 0)
+	if (oh.error <= -512 || oh.error > 0)
 		goto err_finish;
 
 	spin_lock(&fpq->lock);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 124/188] can: gw: synchronize rcu operations before removing gw job entry
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 123/188] fuse: reject internal errno Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 125/188] can: bcm: delay release of struct bcm_op after synchronize_rcu() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Oliver Hartkopp, Marc Kleine-Budde

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit fb8696ab14adadb2e3f6c17c18ed26b3ecd96691 upstream.

can_can_gw_rcv() is called under RCU protection, so after calling
can_rx_unregister(), we have to call synchronize_rcu in order to wait
for any RCU read-side critical sections to finish before removing the
kmem_cache entry with the referenced gw job entry.

Link: https://lore.kernel.org/r/20210618173645.2238-1-socketcan@hartkopp.net
Fixes: c1aabdf379bc ("can-gw: add netlink based CAN routing")
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/can/gw.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/can/gw.c
+++ b/net/can/gw.c
@@ -497,6 +497,7 @@ static int cgw_notifier(struct notifier_
 			if (gwj->src.dev == dev || gwj->dst.dev == dev) {
 				hlist_del(&gwj->list);
 				cgw_unregister_filter(gwj);
+				synchronize_rcu();
 				kmem_cache_free(cgw_cache, gwj);
 			}
 		}
@@ -941,6 +942,7 @@ static void cgw_remove_all_jobs(void)
 	hlist_for_each_entry_safe(gwj, nx, &cgw_list, list) {
 		hlist_del(&gwj->list);
 		cgw_unregister_filter(gwj);
+		synchronize_rcu();
 		kmem_cache_free(cgw_cache, gwj);
 	}
 }
@@ -1008,6 +1010,7 @@ static int cgw_remove_job(struct sk_buff
 
 		hlist_del(&gwj->list);
 		cgw_unregister_filter(gwj);
+		synchronize_rcu();
 		kmem_cache_free(cgw_cache, gwj);
 		err = 0;
 		break;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 125/188] can: bcm: delay release of struct bcm_op after synchronize_rcu()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 124/188] can: gw: synchronize rcu operations before removing gw job entry Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 126/188] mac80211: fix memory corruption in EAPOL handling Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+0f7e7e5e2f4f40fa89c0,
	Norbert Slusarek, Thadeu Lima de Souza Cascardo, Oliver Hartkopp,
	Marc Kleine-Budde

From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

commit d5f9023fa61ee8b94f37a93f08e94b136cf1e463 upstream.

can_rx_register() callbacks may be called concurrently to the call to
can_rx_unregister(). The callbacks and callback data, though, are
protected by RCU and the struct sock reference count.

So the callback data is really attached to the life of sk, meaning
that it should be released on sk_destruct. However, bcm_remove_op()
calls tasklet_kill(), and RCU callbacks may be called under RCU
softirq, so that cannot be used on kernels before the introduction of
HRTIMER_MODE_SOFT.

However, bcm_rx_handler() is called under RCU protection, so after
calling can_rx_unregister(), we may call synchronize_rcu() in order to
wait for any RCU read-side critical sections to finish. That is,
bcm_rx_handler() won't be called anymore for those ops. So, we only
free them, after we do that synchronize_rcu().

Fixes: ffd980f976e7 ("[CAN]: Add broadcast manager (bcm) protocol")
Link: https://lore.kernel.org/r/20210619161813.2098382-1-cascardo@canonical.com
Cc: linux-stable <stable@vger.kernel.org>
Reported-by: syzbot+0f7e7e5e2f4f40fa89c0@syzkaller.appspotmail.com
Reported-by: Norbert Slusarek <nslusarek@gmx.net>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Oliver Hartkopp <socketcan@hartkopp.net>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>


---
 net/can/bcm.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

--- a/net/can/bcm.c
+++ b/net/can/bcm.c
@@ -813,6 +813,7 @@ static int bcm_delete_rx_op(struct list_
 						  bcm_rx_handler, op);
 
 			list_del(&op->list);
+			synchronize_rcu();
 			bcm_remove_op(op);
 			return 1; /* done */
 		}
@@ -1538,9 +1539,13 @@ static int bcm_release(struct socket *so
 					  REGMASK(op->can_id),
 					  bcm_rx_handler, op);
 
-		bcm_remove_op(op);
 	}
 
+	synchronize_rcu();
+
+	list_for_each_entry_safe(op, next, &bo->rx_ops, list)
+		bcm_remove_op(op);
+
 	/* remove procfs entry */
 	if (proc_dir && bo->bcm_proc_read)
 		remove_proc_entry(bo->procname, proc_dir);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 126/188] mac80211: fix memory corruption in EAPOL handling
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 125/188] can: bcm: delay release of struct bcm_op after synchronize_rcu() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 127/188] powerpc/barrier: Avoid collision with clangs __lwsync macro Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel, johannes
  Cc: Greg Kroah-Hartman, stable, linux-wireless@vger.kernel.org,
	stable@vger.kernel.org, Davis Mosenkovs, Davis Mosenkovs

From: Davis Mosenkovs <davis@mosenkovs.lv>

Commit e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL
frames") uses skb_mac_header() before eth_type_trans() is called
leading to incorrect pointer, the pointer gets written to. This issue
has appeared during backporting to 4.4, 4.9 and 4.14.

Fixes: e3d4030498c3 ("mac80211: do not accept/forward invalid EAPOL frames")
Link: https://lore.kernel.org/r/CAHQn7pKcyC_jYmGyTcPCdk9xxATwW5QPNph=bsZV8d-HPwNsyA@mail.gmail.com
Cc: <stable@vger.kernel.org> # 4.4.x
Signed-off-by: Davis Mosenkovs <davis@mosenkovs.lv>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/mac80211/rx.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/mac80211/rx.c
+++ b/net/mac80211/rx.c
@@ -2234,7 +2234,7 @@ ieee80211_deliver_skb(struct ieee80211_r
 #endif
 
 	if (skb) {
-		struct ethhdr *ehdr = (void *)skb_mac_header(skb);
+		struct ethhdr *ehdr = (struct ethhdr *)skb->data;
 
 		/* deliver to local stack */
 		skb->protocol = eth_type_trans(skb, dev);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 127/188] powerpc/barrier: Avoid collision with clangs __lwsync macro
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 126/188] mac80211: fix memory corruption in EAPOL handling Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 128/188] mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Michael Ellerman

From: Nathan Chancellor <nathan@kernel.org>

commit 015d98149b326e0f1f02e44413112ca8b4330543 upstream.

A change in clang 13 results in the __lwsync macro being defined as
__builtin_ppc_lwsync, which emits 'lwsync' or 'msync' depending on what
the target supports. This breaks the build because of -Werror in
arch/powerpc, along with thousands of warnings:

 In file included from arch/powerpc/kernel/pmc.c:12:
 In file included from include/linux/bug.h:5:
 In file included from arch/powerpc/include/asm/bug.h:109:
 In file included from include/asm-generic/bug.h:20:
 In file included from include/linux/kernel.h:12:
 In file included from include/linux/bitops.h:32:
 In file included from arch/powerpc/include/asm/bitops.h:62:
 arch/powerpc/include/asm/barrier.h:49:9: error: '__lwsync' macro redefined [-Werror,-Wmacro-redefined]
 #define __lwsync()      __asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
        ^
 <built-in>:308:9: note: previous definition is here
 #define __lwsync __builtin_ppc_lwsync
        ^
 1 error generated.

Undefine this macro so that the runtime patching introduced by
commit 2d1b2027626d ("powerpc: Fixup lwsync at runtime") continues to
work properly with clang and the build no longer breaks.

Cc: stable@vger.kernel.org
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://github.com/ClangBuiltLinux/linux/issues/1386
Link: https://github.com/llvm/llvm-project/commit/62b5df7fe2b3fda1772befeda15598fbef96a614
Link: https://lore.kernel.org/r/20210528182752.1852002-1-nathan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 arch/powerpc/include/asm/barrier.h |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/powerpc/include/asm/barrier.h
+++ b/arch/powerpc/include/asm/barrier.h
@@ -43,6 +43,8 @@
 #    define SMPWMB      eieio
 #endif
 
+/* clang defines this macro for a builtin, which will not work with runtime patching */
+#undef __lwsync
 #define __lwsync()	__asm__ __volatile__ (stringify_in_c(LWSYNC) : : :"memory")
 #define dma_rmb()	__lwsync()
 #define dma_wmb()	__asm__ __volatile__ (stringify_in_c(SMPWMB) : : :"memory")



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 128/188] mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 127/188] powerpc/barrier: Avoid collision with clangs __lwsync macro Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 129/188] ata: ahci_sunxi: Disable DIPM Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Al Cooper, Adrian Hunter, Ulf Hansson

From: Al Cooper <alcooperx@gmail.com>

commit d0244847f9fc5e20df8b7483c8a4717fe0432d38 upstream.

When an eMMC device is being run in HS400 mode, any access to the
RPMB device will cause the error message "mmc1: Invalid UHS-I mode
selected". This happens as a result of tuning being disabled before
RPMB access and then re-enabled after the RPMB access is complete.
When tuning is re-enabled, the system has to switch from HS400
to HS200 to do the tuning and then back to HS400. As part of
sequence to switch from HS400 to HS200 the system is temporarily
put into HS mode. When switching to HS mode, sdhci_get_preset_value()
is called and does not have support for HS mode and prints the warning
message and returns the preset for SDR12. The fix is to add support
for MMC and SD HS modes to sdhci_get_preset_value().

This can be reproduced on any system running eMMC in HS400 mode
(not HS400ES) by using the "mmc" utility to run the following
command: "mmc rpmb read-counter /dev/mmcblk0rpmb".

Signed-off-by: Al Cooper <alcooperx@gmail.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: 52983382c74f ("mmc: sdhci: enhance preset value function")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20210624163045.33651-1-alcooperx@gmail.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/mmc/host/sdhci.c |    4 ++++
 drivers/mmc/host/sdhci.h |    1 +
 2 files changed, 5 insertions(+)

--- a/drivers/mmc/host/sdhci.c
+++ b/drivers/mmc/host/sdhci.c
@@ -1134,6 +1134,10 @@ static u16 sdhci_get_preset_value(struct
 	u16 preset = 0;
 
 	switch (host->timing) {
+	case MMC_TIMING_MMC_HS:
+	case MMC_TIMING_SD_HS:
+		preset = sdhci_readw(host, SDHCI_PRESET_FOR_HIGH_SPEED);
+		break;
 	case MMC_TIMING_UHS_SDR12:
 		preset = sdhci_readw(host, SDHCI_PRESET_FOR_SDR12);
 		break;
--- a/drivers/mmc/host/sdhci.h
+++ b/drivers/mmc/host/sdhci.h
@@ -232,6 +232,7 @@
 
 /* 60-FB reserved */
 
+#define SDHCI_PRESET_FOR_HIGH_SPEED	0x64
 #define SDHCI_PRESET_FOR_SDR12 0x66
 #define SDHCI_PRESET_FOR_SDR25 0x68
 #define SDHCI_PRESET_FOR_SDR50 0x6A



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 129/188] ata: ahci_sunxi: Disable DIPM
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 128/188] mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 130/188] ASoC: tegra: Set driver_name=tegra for all machine drivers Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Timo Sigurdsson, Jens Axboe

From: Timo Sigurdsson <public_timo.s@silentcreek.de>

commit f6bca4d91b2ea052e917cca3f9d866b5cc1d500a upstream.

DIPM is unsupported or broken on sunxi. Trying to enable the power
management policy med_power_with_dipm on an Allwinner A20 SoC based board
leads to immediate I/O errors and the attached SATA disk disappears from
the /dev filesystem. A reset (power cycle) is required to make the SATA
controller or disk work again. The A10 and A20 SoC data sheets and manuals
don't mention DIPM at all [1], so it's fair to assume that it's simply not
supported. But even if it was, it should be considered broken and best be
disabled in the ahci_sunxi driver.

[1] https://github.com/allwinner-zh/documents/tree/master/

Fixes: c5754b5220f0 ("ARM: sunxi: Add support for Allwinner SUNXi SoCs sata to ahci_platform")
Cc: stable@vger.kernel.org
Signed-off-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Tested-by: Timo Sigurdsson <public_timo.s@silentcreek.de>
Link: https://lore.kernel.org/r/20210614072539.3307-1-public_timo.s@silentcreek.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/ata/ahci_sunxi.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/ata/ahci_sunxi.c
+++ b/drivers/ata/ahci_sunxi.c
@@ -165,7 +165,7 @@ static void ahci_sunxi_start_engine(stru
 }
 
 static const struct ata_port_info ahci_sunxi_port_info = {
-	.flags		= AHCI_FLAG_COMMON | ATA_FLAG_NCQ,
+	.flags		= AHCI_FLAG_COMMON | ATA_FLAG_NCQ | ATA_FLAG_NO_DIPM,
 	.pio_mask	= ATA_PIO4,
 	.udma_mask	= ATA_UDMA6,
 	.port_ops	= &ahci_platform_ops,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 130/188] ASoC: tegra: Set driver_name=tegra for all machine drivers
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 129/188] ata: ahci_sunxi: Disable DIPM Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 131/188] ipmi/watchdog: Stop watchdog timer when the current action is none Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Mark Brown

From: Dmitry Osipenko <digetx@gmail.com>

commit f6eb84fa596abf28959fc7e0b626f925eb1196c7 upstream.

The driver_name="tegra" is now required by the newer ALSA UCMs, otherwise
Tegra UCMs don't match by the path/name.

All Tegra machine drivers are specifying the card's name, but it has no
effect if model name is specified in the device-tree since it overrides
the card's name. We need to set the driver_name to "tegra" in order to
get a usable lookup path for the updated ALSA UCMs. The new UCM lookup
path has a form of driver_name/card_name.

The old lookup paths that are based on driver module name continue to
work as before. Note that UCM matching never worked for Tegra ASoC drivers
if they were compiled as built-in, this is fixed by supporting the new
naming scheme.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <digetx@gmail.com>
Link: https://lore.kernel.org/r/20210529154649.25936-2-digetx@gmail.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 sound/soc/tegra/tegra_alc5632.c  |    1 +
 sound/soc/tegra/tegra_max98090.c |    1 +
 sound/soc/tegra/tegra_rt5640.c   |    1 +
 sound/soc/tegra/tegra_rt5677.c   |    1 +
 sound/soc/tegra/tegra_wm8753.c   |    1 +
 sound/soc/tegra/tegra_wm8903.c   |    1 +
 sound/soc/tegra/tegra_wm9712.c   |    1 +
 sound/soc/tegra/trimslice.c      |    1 +
 8 files changed, 8 insertions(+)

--- a/sound/soc/tegra/tegra_alc5632.c
+++ b/sound/soc/tegra/tegra_alc5632.c
@@ -149,6 +149,7 @@ static struct snd_soc_dai_link tegra_alc
 
 static struct snd_soc_card snd_soc_tegra_alc5632 = {
 	.name = "tegra-alc5632",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.remove = tegra_alc5632_card_remove,
 	.dai_link = &tegra_alc5632_dai,
--- a/sound/soc/tegra/tegra_max98090.c
+++ b/sound/soc/tegra/tegra_max98090.c
@@ -205,6 +205,7 @@ static struct snd_soc_dai_link tegra_max
 
 static struct snd_soc_card snd_soc_tegra_max98090 = {
 	.name = "tegra-max98090",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.remove = tegra_max98090_card_remove,
 	.dai_link = &tegra_max98090_dai,
--- a/sound/soc/tegra/tegra_rt5640.c
+++ b/sound/soc/tegra/tegra_rt5640.c
@@ -150,6 +150,7 @@ static struct snd_soc_dai_link tegra_rt5
 
 static struct snd_soc_card snd_soc_tegra_rt5640 = {
 	.name = "tegra-rt5640",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.remove = tegra_rt5640_card_remove,
 	.dai_link = &tegra_rt5640_dai,
--- a/sound/soc/tegra/tegra_rt5677.c
+++ b/sound/soc/tegra/tegra_rt5677.c
@@ -198,6 +198,7 @@ static struct snd_soc_dai_link tegra_rt5
 
 static struct snd_soc_card snd_soc_tegra_rt5677 = {
 	.name = "tegra-rt5677",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.remove = tegra_rt5677_card_remove,
 	.dai_link = &tegra_rt5677_dai,
--- a/sound/soc/tegra/tegra_wm8753.c
+++ b/sound/soc/tegra/tegra_wm8753.c
@@ -110,6 +110,7 @@ static struct snd_soc_dai_link tegra_wm8
 
 static struct snd_soc_card snd_soc_tegra_wm8753 = {
 	.name = "tegra-wm8753",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.dai_link = &tegra_wm8753_dai,
 	.num_links = 1,
--- a/sound/soc/tegra/tegra_wm8903.c
+++ b/sound/soc/tegra/tegra_wm8903.c
@@ -227,6 +227,7 @@ static struct snd_soc_dai_link tegra_wm8
 
 static struct snd_soc_card snd_soc_tegra_wm8903 = {
 	.name = "tegra-wm8903",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.dai_link = &tegra_wm8903_dai,
 	.num_links = 1,
--- a/sound/soc/tegra/tegra_wm9712.c
+++ b/sound/soc/tegra/tegra_wm9712.c
@@ -59,6 +59,7 @@ static struct snd_soc_dai_link tegra_wm9
 
 static struct snd_soc_card snd_soc_tegra_wm9712 = {
 	.name = "tegra-wm9712",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.dai_link = &tegra_wm9712_dai,
 	.num_links = 1,
--- a/sound/soc/tegra/trimslice.c
+++ b/sound/soc/tegra/trimslice.c
@@ -103,6 +103,7 @@ static struct snd_soc_dai_link trimslice
 
 static struct snd_soc_card snd_soc_trimslice = {
 	.name = "tegra-trimslice",
+	.driver_name = "tegra",
 	.owner = THIS_MODULE,
 	.dai_link = &trimslice_tlv320aic23_dai,
 	.num_links = 1,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 131/188] ipmi/watchdog: Stop watchdog timer when the current action is none
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 130/188] ASoC: tegra: Set driver_name=tegra for all machine drivers Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 132/188] power: supply: ab8500: Fix an old bug Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Petr Pavlu, Corey Minyard

From: Petr Pavlu <petr.pavlu@suse.com>

commit 2253042d86f57d90a621ac2513a7a7a13afcf809 upstream.

When an IPMI watchdog timer is being stopped in ipmi_close() or
ipmi_ioctl(WDIOS_DISABLECARD), the current watchdog action is updated to
WDOG_TIMEOUT_NONE and _ipmi_set_timeout(IPMI_SET_TIMEOUT_NO_HB) is called
to install this action. The latter function ends up invoking
__ipmi_set_timeout() which makes the actual 'Set Watchdog Timer' IPMI
request.

For IPMI 1.0, this operation results in fully stopping the watchdog timer.
For IPMI >= 1.5, function __ipmi_set_timeout() always specifies the "don't
stop" flag in the prepared 'Set Watchdog Timer' IPMI request. This causes
that the watchdog timer has its action correctly updated to 'none' but the
timer continues to run. A problem is that IPMI firmware can then still log
an expiration event when the configured timeout is reached, which is
unexpected because the watchdog timer was requested to be stopped.

The patch fixes this problem by not setting the "don't stop" flag in
__ipmi_set_timeout() when the current action is WDOG_TIMEOUT_NONE which
results in stopping the watchdog timer. This makes the behaviour for
IPMI >= 1.5 consistent with IPMI 1.0. It also matches the logic in
__ipmi_heartbeat() which does not allow to reset the watchdog if the
current action is WDOG_TIMEOUT_NONE as that would start the timer.

Signed-off-by: Petr Pavlu <petr.pavlu@suse.com>
Message-Id: <10a41bdc-9c99-089c-8d89-fa98ce5ea080@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 drivers/char/ipmi/ipmi_watchdog.c |   22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

--- a/drivers/char/ipmi/ipmi_watchdog.c
+++ b/drivers/char/ipmi/ipmi_watchdog.c
@@ -393,16 +393,18 @@ static int i_ipmi_set_timeout(struct ipm
 	data[0] = 0;
 	WDOG_SET_TIMER_USE(data[0], WDOG_TIMER_USE_SMS_OS);
 
-	if ((ipmi_version_major > 1)
-	    || ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
-		/* This is an IPMI 1.5-only feature. */
-		data[0] |= WDOG_DONT_STOP_ON_SET;
-	} else if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
-		/*
-		 * In ipmi 1.0, setting the timer stops the watchdog, we
-		 * need to start it back up again.
-		 */
-		hbnow = 1;
+	if (ipmi_watchdog_state != WDOG_TIMEOUT_NONE) {
+		if ((ipmi_version_major > 1) ||
+		    ((ipmi_version_major == 1) && (ipmi_version_minor >= 5))) {
+			/* This is an IPMI 1.5-only feature. */
+			data[0] |= WDOG_DONT_STOP_ON_SET;
+		} else {
+			/*
+			 * In ipmi 1.0, setting the timer stops the watchdog, we
+			 * need to start it back up again.
+			 */
+			hbnow = 1;
+		}
 	}
 
 	data[1] = 0;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 132/188] power: supply: ab8500: Fix an old bug
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 131/188] ipmi/watchdog: Stop watchdog timer when the current action is none Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 133/188] seq_buf: Fix overflow in seq_buf_putmem_hex() Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Marcus Cooper,
	Linus Walleij, Sebastian Reichel

From: Linus Walleij <linus.walleij@linaro.org>

commit f1c74a6c07e76fcb31a4bcc1f437c4361a2674ce upstream.

Trying to get the AB8500 charging driver working I ran into a bit
of bitrot: we haven't used the driver for a while so errors in
refactorings won't be noticed.

This one is pretty self evident: use argument to the macro or we
end up with a random pointer to something else.

Cc: stable@vger.kernel.org
Cc: Krzysztof Kozlowski <krzk@kernel.org>
Cc: Marcus Cooper <codekipper@gmail.com>
Fixes: 297d716f6260 ("power_supply: Change ownership from driver to core")
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/mfd/abx500/ux500_chargalg.h |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/include/linux/mfd/abx500/ux500_chargalg.h
+++ b/include/linux/mfd/abx500/ux500_chargalg.h
@@ -15,7 +15,7 @@
  * - POWER_SUPPLY_TYPE_USB,
  * because only them store as drv_data pointer to struct ux500_charger.
  */
-#define psy_to_ux500_charger(x) power_supply_get_drvdata(psy)
+#define psy_to_ux500_charger(x) power_supply_get_drvdata(x)
 
 /* Forward declaration */
 struct ux500_charger;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 133/188] seq_buf: Fix overflow in seq_buf_putmem_hex()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 132/188] power: supply: ab8500: Fix an old bug Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 134/188] ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Yun Zhou, Steven Rostedt (VMware)

From: Yun Zhou <yun.zhou@windriver.com>

commit d3b16034a24a112bb83aeb669ac5b9b01f744bb7 upstream.

There's two variables being increased in that loop (i and j), and i
follows the raw data, and j follows what is being written into the buffer.
We should compare 'i' to MAX_MEMHEX_BYTES or compare 'j' to HEX_CHARS.
Otherwise, if 'j' goes bigger than HEX_CHARS, it will overflow the
destination buffer.

Link: https://lore.kernel.org/lkml/20210625122453.5e2fe304@oasis.local.home/
Link: https://lkml.kernel.org/r/20210626032156.47889-1-yun.zhou@windriver.com

Cc: stable@vger.kernel.org
Fixes: 5e3ca0ec76fce ("ftrace: introduce the "hex" output method")
Signed-off-by: Yun Zhou <yun.zhou@windriver.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/seq_buf.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/lib/seq_buf.c
+++ b/lib/seq_buf.c
@@ -227,8 +227,10 @@ int seq_buf_putmem_hex(struct seq_buf *s
 
 	WARN_ON(s->size == 0);
 
+	BUILD_BUG_ON(MAX_MEMHEX_BYTES * 2 >= HEX_CHARS);
+
 	while (len) {
-		start_len = min(len, HEX_CHARS - 1);
+		start_len = min(len, MAX_MEMHEX_BYTES);
 #ifdef __BIG_ENDIAN
 		for (i = 0, j = 0; i < start_len; i++) {
 #else



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 134/188] ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 133/188] seq_buf: Fix overflow in seq_buf_putmem_hex() Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:51 ` [PATCH 4.4 135/188] dm btree remove: assign new_root only when removal succeeds Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Samuel Iglesias Gonsalvez, Lv Yunlong

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

commit 9272e5d0028d45a3b45b58c9255e6e0df53f7ad9 upstream.

In the out_err_bus_register error branch of tpci200_pci_probe,
tpci200->info->cfg_regs is freed by tpci200_uninstall()->
tpci200_unregister()->pci_iounmap(..,tpci200->info->cfg_regs)
in the first time.

But later, iounmap() is called to free tpci200->info->cfg_regs
again.

My patch sets tpci200->info->cfg_regs to NULL after tpci200_uninstall()
to avoid the double free.

Fixes: cea2f7cdff2af ("Staging: ipack/bridges/tpci200: Use the TPCI200 in big endian mode")
Cc: stable <stable@vger.kernel.org>
Acked-by: Samuel Iglesias Gonsalvez <siglesias@igalia.com>
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Link: https://lore.kernel.org/r/20210524093205.8333-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/ipack/carriers/tpci200.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/drivers/ipack/carriers/tpci200.c
+++ b/drivers/ipack/carriers/tpci200.c
@@ -591,8 +591,11 @@ static int tpci200_pci_probe(struct pci_
 
 out_err_bus_register:
 	tpci200_uninstall(tpci200);
+	/* tpci200->info->cfg_regs is unmapped in tpci200_uninstall */
+	tpci200->info->cfg_regs = NULL;
 out_err_install:
-	iounmap(tpci200->info->cfg_regs);
+	if (tpci200->info->cfg_regs)
+		iounmap(tpci200->info->cfg_regs);
 out_err_ioremap:
 	pci_release_region(pdev, TPCI200_CFG_MEM_BAR);
 out_err_pci_request:



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 135/188] dm btree remove: assign new_root only when removal succeeds
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 134/188] ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe Greg Kroah-Hartman
@ 2021-07-19 14:51 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 136/188] media: zr364xx: fix memory leak in zr364xx_start_readpipe Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:51 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hou Tao, Mike Snitzer

From: Hou Tao <houtao1@huawei.com>

commit b6e58b5466b2959f83034bead2e2e1395cca8aeb upstream.

remove_raw() in dm_btree_remove() may fail due to IO read error
(e.g. read the content of origin block fails during shadowing),
and the value of shadow_spine::root is uninitialized, but
the uninitialized value is still assign to new_root in the
end of dm_btree_remove().

For dm-thin, the value of pmd->details_root or pmd->root will become
an uninitialized value, so if trying to read details_info tree again
out-of-bound memory may occur as showed below:

  general protection fault, probably for non-canonical address 0x3fdcb14c8d7520
  CPU: 4 PID: 515 Comm: dmsetup Not tainted 5.13.0-rc6
  Hardware name: QEMU Standard PC
  RIP: 0010:metadata_ll_load_ie+0x14/0x30
  Call Trace:
   sm_metadata_count_is_more_than_one+0xb9/0xe0
   dm_tm_shadow_block+0x52/0x1c0
   shadow_step+0x59/0xf0
   remove_raw+0xb2/0x170
   dm_btree_remove+0xf4/0x1c0
   dm_pool_delete_thin_device+0xc3/0x140
   pool_message+0x218/0x2b0
   target_message+0x251/0x290
   ctl_ioctl+0x1c4/0x4d0
   dm_ctl_ioctl+0xe/0x20
   __x64_sys_ioctl+0x7b/0xb0
   do_syscall_64+0x40/0xb0
   entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixing it by only assign new_root when removal succeeds

Signed-off-by: Hou Tao <houtao1@huawei.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/md/persistent-data/dm-btree-remove.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/md/persistent-data/dm-btree-remove.c
+++ b/drivers/md/persistent-data/dm-btree-remove.c
@@ -549,7 +549,8 @@ int dm_btree_remove(struct dm_btree_info
 		delete_at(n, index);
 	}
 
-	*new_root = shadow_root(&spine);
+	if (!r)
+		*new_root = shadow_root(&spine);
 	exit_shadow_spine(&spine);
 
 	return r;



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 136/188] media: zr364xx: fix memory leak in zr364xx_start_readpipe
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2021-07-19 14:51 ` [PATCH 4.4 135/188] dm btree remove: assign new_root only when removal succeeds Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 137/188] media: gspca/sq905: fix control-request direction Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, syzbot+af4fa391ef18efdd5f69,
	Pavel Skripkin, Hans Verkuil, Mauro Carvalho Chehab

From: Pavel Skripkin <paskripkin@gmail.com>

commit 0a045eac8d0427b64577a24d74bb8347c905ac65 upstream.

syzbot reported memory leak in zr364xx driver.
The problem was in non-freed urb in case of
usb_submit_urb() fail.

backtrace:
  [<ffffffff82baedf6>] kmalloc include/linux/slab.h:561 [inline]
  [<ffffffff82baedf6>] usb_alloc_urb+0x66/0xe0 drivers/usb/core/urb.c:74
  [<ffffffff82f7cce8>] zr364xx_start_readpipe+0x78/0x130 drivers/media/usb/zr364xx/zr364xx.c:1022
  [<ffffffff84251dfc>] zr364xx_board_init drivers/media/usb/zr364xx/zr364xx.c:1383 [inline]
  [<ffffffff84251dfc>] zr364xx_probe+0x6a3/0x851 drivers/media/usb/zr364xx/zr364xx.c:1516
  [<ffffffff82bb6507>] usb_probe_interface+0x177/0x370 drivers/usb/core/driver.c:396
  [<ffffffff826018a9>] really_probe+0x159/0x500 drivers/base/dd.c:576

Fixes: ccbf035ae5de ("V4L/DVB (12278): zr364xx: implement V4L2_CAP_STREAMING")
Cc: stable@vger.kernel.org
Reported-by: syzbot+af4fa391ef18efdd5f69@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/zr364xx/zr364xx.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/media/usb/zr364xx/zr364xx.c
+++ b/drivers/media/usb/zr364xx/zr364xx.c
@@ -1068,6 +1068,7 @@ static int zr364xx_start_readpipe(struct
 	DBG("submitting URB %p\n", pipe_info->stream_urb);
 	retval = usb_submit_urb(pipe_info->stream_urb, GFP_KERNEL);
 	if (retval) {
+		usb_free_urb(pipe_info->stream_urb);
 		printk(KERN_ERR KBUILD_MODNAME ": start read pipe failed\n");
 		return retval;
 	}



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 137/188] media: gspca/sq905: fix control-request direction
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 136/188] media: zr364xx: fix memory leak in zr364xx_start_readpipe Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 138/188] media: gspca/sunplus: fix zero-length control requests Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Hans Verkuil,
	Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit 53ae298fde7adcc4b1432bce2dbdf8dac54dfa72 upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Fix the USB_REQ_SYNCH_FRAME request which erroneously used
usb_sndctrlpipe().

Fixes: 27d35fc3fb06 ("V4L/DVB (10639): gspca - sq905: New subdriver.")
Cc: stable@vger.kernel.org      # 2.6.30
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/gspca/sq905.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/media/usb/gspca/sq905.c
+++ b/drivers/media/usb/gspca/sq905.c
@@ -130,7 +130,7 @@ static int sq905_command(struct gspca_de
 	}
 
 	ret = usb_control_msg(gspca_dev->dev,
-			      usb_sndctrlpipe(gspca_dev->dev, 0),
+			      usb_rcvctrlpipe(gspca_dev->dev, 0),
 			      USB_REQ_SYNCH_FRAME,                /* request */
 			      USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 			      SQ905_PING, 0, gspca_dev->usb_buf, 1,



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 138/188] media: gspca/sunplus: fix zero-length control requests
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 137/188] media: gspca/sq905: fix control-request direction Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 139/188] media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Johan Hovold, Hans Verkuil,
	Mauro Carvalho Chehab

From: Johan Hovold <johan@kernel.org>

commit b4bb4d425b7b02424afea2dfdcd77b3b4794175e upstream.

The direction of the pipe argument must match the request-type direction
bit or control requests may fail depending on the host-controller-driver
implementation.

Control transfers without a data stage are treated as OUT requests by
the USB stack and should be using usb_sndctrlpipe(). Failing to do so
will now trigger a warning.

Fix the single zero-length control request which was using the
read-register helper, and update the helper so that zero-length reads
fail with an error message instead.

Fixes: 6a7eba24e4f0 ("V4L/DVB (8157): gspca: all subdrivers")
Cc: stable@vger.kernel.org      # 2.6.27
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/gspca/sunplus.c |    8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

--- a/drivers/media/usb/gspca/sunplus.c
+++ b/drivers/media/usb/gspca/sunplus.c
@@ -255,6 +255,10 @@ static void reg_r(struct gspca_dev *gspc
 		PERR("reg_r: buffer overflow\n");
 		return;
 	}
+	if (len == 0) {
+		PERR("reg_r: zero-length read\n");
+		return;
+	}
 	if (gspca_dev->usb_err < 0)
 		return;
 	ret = usb_control_msg(gspca_dev->dev,
@@ -263,7 +267,7 @@ static void reg_r(struct gspca_dev *gspc
 			USB_DIR_IN | USB_TYPE_VENDOR | USB_RECIP_DEVICE,
 			0,		/* value */
 			index,
-			len ? gspca_dev->usb_buf : NULL, len,
+			gspca_dev->usb_buf, len,
 			500);
 	if (ret < 0) {
 		pr_err("reg_r err %d\n", ret);
@@ -739,7 +743,7 @@ static int sd_start(struct gspca_dev *gs
 		case MegaImageVI:
 			reg_w_riv(gspca_dev, 0xf0, 0, 0);
 			spca504B_WaitCmdStatus(gspca_dev);
-			reg_r(gspca_dev, 0xf0, 4, 0);
+			reg_w_riv(gspca_dev, 0xf0, 4, 0);
 			spca504B_WaitCmdStatus(gspca_dev);
 			break;
 		default:



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 139/188] media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 138/188] media: gspca/sunplus: fix zero-length control requests Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 140/188] jfs: fix GPF in diFree Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Drung, Laurent Pinchart,
	Mauro Carvalho Chehab

From: Benjamin Drung <bdrung@posteo.de>

commit 4c6e0976295add7f0ed94d276c04a3d6f1ea8f83 upstream.

The Elgato Cam Link 4K HDMI video capture card reports to support three
different pixel formats, where the first format depends on the connected
HDMI device.

```
$ v4l2-ctl -d /dev/video0 --list-formats-ext
ioctl: VIDIOC_ENUM_FMT
	Type: Video Capture

	[0]: 'NV12' (Y/CbCr 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
	[1]: 'NV12' (Y/CbCr 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
	[2]: 'YU12' (Planar YUV 4:2:0)
		Size: Discrete 3840x2160
			Interval: Discrete 0.033s (29.970 fps)
```

Changing the pixel format to anything besides the first pixel format
does not work:

```
$ v4l2-ctl -d /dev/video0 --try-fmt-video pixelformat=YU12
Format Video Capture:
	Width/Height      : 3840/2160
	Pixel Format      : 'NV12' (Y/CbCr 4:2:0)
	Field             : None
	Bytes per Line    : 3840
	Size Image        : 12441600
	Colorspace        : sRGB
	Transfer Function : Rec. 709
	YCbCr/HSV Encoding: Rec. 709
	Quantization      : Default (maps to Limited Range)
	Flags             :
```

User space applications like VLC might show an error message on the
terminal in that case:

```
libv4l2: error set_fmt gave us a different result than try_fmt!
```

Depending on the error handling of the user space applications, they
might display a distorted video, because they use the wrong pixel format
for decoding the stream.

The Elgato Cam Link 4K responds to the USB video probe
VS_PROBE_CONTROL/VS_COMMIT_CONTROL with a malformed data structure: The
second byte contains bFormatIndex (instead of being the second byte of
bmHint). The first byte is always zero. The third byte is always 1.

The firmware bug was reported to Elgato on 2020-12-01 and it was
forwarded by the support team to the developers as feature request.
There is no firmware update available since then. The latest firmware
for Elgato Cam Link 4K as of 2021-03-23 has MCU 20.02.19 and FPGA 67.

Therefore correct the malformed data structure for this device. The
change was successfully tested with VLC, OBS, and Chromium using
different pixel formats (YUYV, NV12, YU12), resolutions (3840x2160,
1920x1080), and frame rates (29.970 and 59.940 fps).

Cc: stable@vger.kernel.org
Signed-off-by: Benjamin Drung <bdrung@posteo.de>
Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/usb/uvc/uvc_video.c |   27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)

--- a/drivers/media/usb/uvc/uvc_video.c
+++ b/drivers/media/usb/uvc/uvc_video.c
@@ -89,10 +89,37 @@ int uvc_query_ctrl(struct uvc_device *de
 static void uvc_fixup_video_ctrl(struct uvc_streaming *stream,
 	struct uvc_streaming_control *ctrl)
 {
+	static const struct usb_device_id elgato_cam_link_4k = {
+		USB_DEVICE(0x0fd9, 0x0066)
+	};
 	struct uvc_format *format = NULL;
 	struct uvc_frame *frame = NULL;
 	unsigned int i;
 
+	/*
+	 * The response of the Elgato Cam Link 4K is incorrect: The second byte
+	 * contains bFormatIndex (instead of being the second byte of bmHint).
+	 * The first byte is always zero. The third byte is always 1.
+	 *
+	 * The UVC 1.5 class specification defines the first five bits in the
+	 * bmHint bitfield. The remaining bits are reserved and should be zero.
+	 * Therefore a valid bmHint will be less than 32.
+	 *
+	 * Latest Elgato Cam Link 4K firmware as of 2021-03-23 needs this fix.
+	 * MCU: 20.02.19, FPGA: 67
+	 */
+	if (usb_match_one_id(stream->dev->intf, &elgato_cam_link_4k) &&
+	    ctrl->bmHint > 255) {
+		u8 corrected_format_index = ctrl->bmHint >> 8;
+
+		/* uvc_dbg(stream->dev, VIDEO,
+			"Correct USB video probe response from {bmHint: 0x%04x, bFormatIndex: %u} to {bmHint: 0x%04x, bFormatIndex: %u}\n",
+			ctrl->bmHint, ctrl->bFormatIndex,
+			1, corrected_format_index); */
+		ctrl->bmHint = 1;
+		ctrl->bFormatIndex = corrected_format_index;
+	}
+
 	for (i = 0; i < stream->nformats; ++i) {
 		if (stream->format[i].index == ctrl->bFormatIndex) {
 			format = &stream->format[i];



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 140/188] jfs: fix GPF in diFree
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 139/188] media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 141/188] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Pavel Skripkin, Dave Kleikamp,
	syzbot+0a89a7b56db04c21a656

From: Pavel Skripkin <paskripkin@gmail.com>

commit 9d574f985fe33efd6911f4d752de6f485a1ea732 upstream.

Avoid passing inode with
JFS_SBI(inode->i_sb)->ipimap == NULL to
diFree()[1]. GFP will appear:

	struct inode *ipimap = JFS_SBI(ip->i_sb)->ipimap;
	struct inomap *imap = JFS_IP(ipimap)->i_imap;

JFS_IP() will return invalid pointer when ipimap == NULL

Call Trace:
 diFree+0x13d/0x2dc0 fs/jfs/jfs_imap.c:853 [1]
 jfs_evict_inode+0x2c9/0x370 fs/jfs/inode.c:154
 evict+0x2ed/0x750 fs/inode.c:578
 iput_final fs/inode.c:1654 [inline]
 iput.part.0+0x3fe/0x820 fs/inode.c:1680
 iput+0x58/0x70 fs/inode.c:1670

Reported-and-tested-by: syzbot+0a89a7b56db04c21a656@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/jfs/inode.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/jfs/inode.c
+++ b/fs/jfs/inode.c
@@ -160,7 +160,8 @@ void jfs_evict_inode(struct inode *inode
 			if (test_cflag(COMMIT_Freewmap, inode))
 				jfs_free_zero_link(inode);
 
-			diFree(inode);
+			if (JFS_SBI(inode->i_sb)->ipimap)
+				diFree(inode);
 
 			/*
 			 * Free the inode from the quota allocation.



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 141/188] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 140/188] jfs: fix GPF in diFree Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 142/188] KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Paolo Bonzini

From: Sean Christopherson <seanjc@google.com>

commit 4bf48e3c0aafd32b960d341c4925b48f416f14a5 upstream.

Ignore the guest MAXPHYADDR reported by CPUID.0x8000_0008 if TDP, i.e.
NPT, is disabled, and instead use the host's MAXPHYADDR.  Per AMD'S APM:

  Maximum guest physical address size in bits. This number applies only
  to guests using nested paging. When this field is zero, refer to the
  PhysAddrSize field for the maximum guest physical address size.

Fixes: 24c82e576b78 ("KVM: Sanitize cpuid")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20210623230552.4027702-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/cpuid.c |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -611,8 +611,14 @@ static inline int __do_cpuid_ent(struct
 		unsigned virt_as = max((entry->eax >> 8) & 0xff, 48U);
 		unsigned phys_as = entry->eax & 0xff;
 
-		if (!g_phys_as)
+		/*
+		 * Use bare metal's MAXPHADDR if the CPU doesn't report guest
+		 * MAXPHYADDR separately, or if TDP (NPT) is disabled, as the
+		 * guest version "applies only to guests using nested paging".
+		 */
+		if (!g_phys_as || !tdp_enabled)
 			g_phys_as = phys_as;
+
 		entry->eax = g_phys_as | (virt_as << 8);
 		entry->edx = 0;
 		/*



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 142/188] KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 141/188] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 143/188] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lai Jiangshan, Paolo Bonzini

From: Lai Jiangshan <laijs@linux.alibaba.com>

commit f85d40160691881a17a397c448d799dfc90987ba upstream.

When the host is using debug registers but the guest is not using them
nor is the guest in guest-debug state, the kvm code does not reset
the host debug registers before kvm_x86->run().  Rather, it relies on
the hardware vmentry instruction to automatically reset the dr7 registers
which ensures that the host breakpoints do not affect the guest.

This however violates the non-instrumentable nature around VM entry
and exit; for example, when a host breakpoint is set on vcpu->arch.cr2,

Another issue is consistency.  When the guest debug registers are active,
the host breakpoints are reset before kvm_x86->run(). But when the
guest debug registers are inactive, the host breakpoints are delayed to
be disabled.  The host tracing tools may see different results depending
on what the guest is doing.

To fix the problems, we clear %db7 unconditionally before kvm_x86->run()
if the host has set any breakpoints, no matter if the guest is using
them or not.

Signed-off-by: Lai Jiangshan <laijs@linux.alibaba.com>
Message-Id: <20210628172632.81029-1-jiangshanlai@gmail.com>
Cc: stable@vger.kernel.org
[Only clear %db7 instead of reloading all debug registers. - Paolo]
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kvm/x86.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -6724,6 +6724,8 @@ static int vcpu_enter_guest(struct kvm_v
 		set_debugreg(vcpu->arch.eff_db[3], 3);
 		set_debugreg(vcpu->arch.dr6, 6);
 		vcpu->arch.switch_db_regs &= ~KVM_DEBUGREG_RELOAD;
+	} else if (unlikely(hw_breakpoint_active())) {
+		set_debugreg(0, 7);
 	}
 
 	kvm_x86_ops->run(vcpu);



^ permalink raw reply	[flat|nested] 195+ messages in thread

* [PATCH 4.4 143/188] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 142/188] KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 144/188] misc/libmasm/module: Fix two use after free in ibmasm_init_one Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sherry Sun, Sasha Levin

From: Sherry Sun <sherry.sun@nxp.com>

[ Upstream commit fcb10ee27fb91b25b68d7745db9817ecea9f1038 ]

We should be very careful about the register values that will be used
for division or modulo operations, althrough the possibility that the
UARTBAUD register value is zero is very low, but we had better to deal
with the "bad data" of hardware in advance to avoid division or modulo
by zero leading to undefined kernel behavior.

Signed-off-by: Sherry Sun <sherry.sun@nxp.com>
Link: https://lore.kernel.org/r/20210427021226.27468-1-sherry.sun@nxp.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/fsl_lpuart.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/tty/serial/fsl_lpuart.c b/drivers/tty/serial/fsl_lpuart.c
index 1544a7cc76ff..1319f3dd5b70 100644
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -1681,6 +1681,9 @@ lpuart32_console_get_options(struct lpuart_port *sport, int *baud,
 
 	bd = lpuart32_read(sport->port.membase + UARTBAUD);
 	bd &= UARTBAUD_SBR_MASK;
+	if (!bd)
+		return;
+
 	sbr = bd;
 	uartclk = clk_get_rate(sport->clk);
 	/*
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 144/188] misc/libmasm/module: Fix two use after free in ibmasm_init_one
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 143/188] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 145/188] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lv Yunlong, Sasha Levin

From: Lv Yunlong <lyl2019@mail.ustc.edu.cn>

[ Upstream commit 7272b591c4cb9327c43443f67b8fbae7657dd9ae ]

In ibmasm_init_one, it calls ibmasm_init_remote_input_dev().
Inside ibmasm_init_remote_input_dev, mouse_dev and keybd_dev are
allocated by input_allocate_device(), and assigned to
sp->remote.mouse_dev and sp->remote.keybd_dev respectively.

In the err_free_devices error branch of ibmasm_init_one,
mouse_dev and keybd_dev are freed by input_free_device(), and return
error. Then the execution runs into error_send_message error branch
of ibmasm_init_one, where ibmasm_free_remote_input_dev(sp) is called
to unregister the freed sp->remote.mouse_dev and sp->remote.keybd_dev.

My patch add a "error_init_remote" label to handle the error of
ibmasm_init_remote_input_dev(), to avoid the uaf bugs.

Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
Link: https://lore.kernel.org/r/20210426170620.10546-1-lyl2019@mail.ustc.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/misc/ibmasm/module.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/misc/ibmasm/module.c b/drivers/misc/ibmasm/module.c
index 6b3bf9ab051d..706decef68a0 100644
--- a/drivers/misc/ibmasm/module.c
+++ b/drivers/misc/ibmasm/module.c
@@ -123,7 +123,7 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	result = ibmasm_init_remote_input_dev(sp);
 	if (result) {
 		dev_err(sp->dev, "Failed to initialize remote queue\n");
-		goto error_send_message;
+		goto error_init_remote;
 	}
 
 	result = ibmasm_send_driver_vpd(sp);
@@ -143,8 +143,9 @@ static int ibmasm_init_one(struct pci_dev *pdev, const struct pci_device_id *id)
 	return 0;
 
 error_send_message:
-	disable_sp_interrupts(sp->base_address);
 	ibmasm_free_remote_input_dev(sp);
+error_init_remote:
+	disable_sp_interrupts(sp->base_address);
 	free_irq(sp->irq, (void *)sp);
 error_request_irq:
 	iounmap(sp->base_address);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 145/188] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 144/188] misc/libmasm/module: Fix two use after free in ibmasm_init_one Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 146/188] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Takashi Sakamoto, Takashi Iwai, Sasha Levin

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

[ Upstream commit 5d6fb80a142b5994355ce675c517baba6089d199 ]

This reverts commit 0edabdfe89581669609eaac5f6a8d0ae6fe95e7f.

I've explained that optional FireWire card for d.2 is also built-in to
d.2 Pro, however it's wrong. The optional card uses DM1000 ASIC and has
'Mackie DJ Mixer' in its model name of configuration ROM. On the other
hand, built-in FireWire card for d.2 Pro and d.4 Pro uses OXFW971 ASIC
and has 'd.Pro' in its model name according to manuals and user
experiences. The former card is not the card for d.2 Pro. They are similar
in appearance but different internally.

Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210518084557.102681-2-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/Kconfig       | 4 ++--
 sound/firewire/bebob/bebob.c | 2 +-
 sound/firewire/oxfw/oxfw.c   | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig
index fdc01466d143..4199cfc4a96a 100644
--- a/sound/firewire/Kconfig
+++ b/sound/firewire/Kconfig
@@ -36,7 +36,7 @@ config SND_OXFW
 	   * Mackie(Loud) Onyx-i series (former models)
 	   * Mackie(Loud) Onyx Satellite
 	   * Mackie(Loud) Tapco Link.Firewire
-	   * Mackie(Loud) d.4 pro
+	   * Mackie(Loud) d.2 pro/d.4 pro (built-in FireWire card with OXFW971 ASIC)
 	   * Mackie(Loud) U.420/U.420d
 	   * TASCAM FireOne
 
@@ -91,7 +91,7 @@ config SND_BEBOB
 	  * PreSonus FIREBOX/FIREPOD/FP10/Inspire1394
 	  * BridgeCo RDAudio1/Audio5
 	  * Mackie Onyx 1220/1620/1640 (FireWire I/O Card)
-	  * Mackie d.2 (FireWire Option) and d.2 Pro
+	  * Mackie d.2 (optional FireWire card with DM1000 ASIC)
 	  * Stanton FinalScratch 2 (ScratchAmp)
 	  * Tascam IF-FW/DM
 	  * Behringer XENIX UFX 1204/1604
diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c
index 088250ff2429..64dca7931272 100644
--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -362,7 +362,7 @@ static const struct ieee1394_device_id bebob_id_table[] = {
 	SND_BEBOB_DEV_ENTRY(VEN_BRIDGECO, 0x00010049, &spec_normal),
 	/* Mackie, Onyx 1220/1620/1640 (Firewire I/O Card) */
 	SND_BEBOB_DEV_ENTRY(VEN_MACKIE2, 0x00010065, &spec_normal),
-	// Mackie, d.2 (Firewire option card) and d.2 Pro (the card is built-in).
+	// Mackie, d.2 (optional Firewire card with DM1000).
 	SND_BEBOB_DEV_ENTRY(VEN_MACKIE1, 0x00010067, &spec_normal),
 	/* Stanton, ScratchAmp */
 	SND_BEBOB_DEV_ENTRY(VEN_STANTON, 0x00000001, &spec_normal),
diff --git a/sound/firewire/oxfw/oxfw.c b/sound/firewire/oxfw/oxfw.c
index 2d310bf2f2b2..c700e11ab327 100644
--- a/sound/firewire/oxfw/oxfw.c
+++ b/sound/firewire/oxfw/oxfw.c
@@ -320,7 +320,7 @@ static const struct ieee1394_device_id oxfw_id_table[] = {
 	 *  Onyx-i series (former models):	0x081216
 	 *  Mackie Onyx Satellite:		0x00200f
 	 *  Tapco LINK.firewire 4x6:		0x000460
-	 *  d.4 pro:				Unknown
+	 *  d.2 pro/d.4 pro (built-in card):	Unknown
 	 *  U.420:				Unknown
 	 *  U.420d:				Unknown
 	 */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 146/188] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 145/188] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 147/188] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Justin Tee, James Smart,
	Martin K. Petersen, Sasha Levin

From: James Smart <jsmart2021@gmail.com>

[ Upstream commit e30d55137edef47434c40d7570276a0846fe922c ]

An 'unexpected timeout' message may be seen in a point-2-point topology.
The message occurs when a PLOGI is received before the driver is notified
of FLOGI completion. The FLOGI completion failure causes discovery to be
triggered for a second time. The discovery timer is restarted but no new
discovery activity is initiated, thus the timeout message eventually
appears.

In point-2-point, when discovery has progressed before the FLOGI completion
is processed, it is not a failure. Add code to FLOGI completion to detect
that discovery has progressed and exit the FLOGI handling (noop'ing it).

Link: https://lore.kernel.org/r/20210514195559.119853-4-jsmart2021@gmail.com
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_els.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 5be938b47f48..b66b1ed6d2af 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -1142,6 +1142,15 @@ stop_rr_fcf_flogi:
 			phba->fcf.fcf_redisc_attempted = 0; /* reset */
 			goto out;
 		}
+	} else if (vport->port_state > LPFC_FLOGI &&
+		   vport->fc_flag & FC_PT2PT) {
+		/*
+		 * In a p2p topology, it is possible that discovery has
+		 * already progressed, and this completion can be ignored.
+		 * Recheck the indicated topology.
+		 */
+		if (!sp->cmn.fPort)
+			goto out;
 	}
 
 flogifail:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 147/188] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 146/188] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 148/188] fs/jfs: Fix missing error code in lmLogInit() Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe JAILLET, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit fad92b11047a748c996ebd6cfb164a63814eeb2e ]

In the probe function, if the final 'serial_config()' fails, 'info' is
leaking.

Add a resource handling path to free this memory.

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/dc25f96b7faebf42e60fe8d02963c941cf4d8124.1621971720.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/8250/serial_cs.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/tty/serial/8250/serial_cs.c b/drivers/tty/serial/8250/serial_cs.c
index bf5feb2ea35a..92c64ed12295 100644
--- a/drivers/tty/serial/8250/serial_cs.c
+++ b/drivers/tty/serial/8250/serial_cs.c
@@ -305,6 +305,7 @@ static int serial_resume(struct pcmcia_device *link)
 static int serial_probe(struct pcmcia_device *link)
 {
 	struct serial_info *info;
+	int ret;
 
 	dev_dbg(&link->dev, "serial_attach()\n");
 
@@ -319,7 +320,15 @@ static int serial_probe(struct pcmcia_device *link)
 	if (do_sound)
 		link->config_flags |= CONF_ENABLE_SPKR;
 
-	return serial_config(link);
+	ret = serial_config(link);
+	if (ret)
+		goto free_info;
+
+	return 0;
+
+free_info:
+	kfree(info);
+	return ret;
 }
 
 static void serial_detach(struct pcmcia_device *link)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 148/188] fs/jfs: Fix missing error code in lmLogInit()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 147/188] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 149/188] scsi: iscsi: Add iscsi_cls_conn refcount helpers Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Abaci Robot, Jiapeng Chong,
	Dave Kleikamp, Sasha Levin

From: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>

[ Upstream commit 492109333c29e1bb16d8732e1d597b02e8e0bf2e ]

The error code is missing in this code scenario, add the error code
'-EINVAL' to the return value 'rc.

Eliminate the follow smatch warning:

fs/jfs/jfs_logmgr.c:1327 lmLogInit() warn: missing error code 'rc'.

Reported-by: Abaci Robot <abaci@linux.alibaba.com>
Signed-off-by: Jiapeng Chong <jiapeng.chong@linux.alibaba.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/jfs/jfs_logmgr.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
index a69bdf2a1085..d19542a88c2c 100644
--- a/fs/jfs/jfs_logmgr.c
+++ b/fs/jfs/jfs_logmgr.c
@@ -1339,6 +1339,7 @@ int lmLogInit(struct jfs_log * log)
 		} else {
 			if (memcmp(logsuper->uuid, log->uuid, 16)) {
 				jfs_warn("wrong uuid on JFS log device");
+				rc = -EINVAL;
 				goto errout20;
 			}
 			log->size = le32_to_cpu(logsuper->size);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 149/188] scsi: iscsi: Add iscsi_cls_conn refcount helpers
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 148/188] fs/jfs: Fix missing error code in lmLogInit() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 150/188] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Lee Duncan, Mike Christie,
	Martin K. Petersen, Sasha Levin

From: Mike Christie <michael.christie@oracle.com>

[ Upstream commit b1d19e8c92cfb0ded180ef3376c20e130414e067 ]

There are a couple places where we could free the iscsi_cls_conn while it's
still in use. This adds some helpers to get/put a refcount on the struct
and converts an exiting user. Subsequent commits will then use the helpers
to fix 2 bugs in the eh code.

Link: https://lore.kernel.org/r/20210525181821.7617-11-michael.christie@oracle.com
Reviewed-by: Lee Duncan <lduncan@suse.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/libiscsi.c             |  7 ++-----
 drivers/scsi/scsi_transport_iscsi.c | 12 ++++++++++++
 include/scsi/scsi_transport_iscsi.h |  2 ++
 3 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/drivers/scsi/libiscsi.c b/drivers/scsi/libiscsi.c
index 18b8d86ef74b..0713d02cf112 100644
--- a/drivers/scsi/libiscsi.c
+++ b/drivers/scsi/libiscsi.c
@@ -1384,7 +1384,6 @@ void iscsi_session_failure(struct iscsi_session *session,
 			   enum iscsi_err err)
 {
 	struct iscsi_conn *conn;
-	struct device *dev;
 
 	spin_lock_bh(&session->frwd_lock);
 	conn = session->leadconn;
@@ -1393,10 +1392,8 @@ void iscsi_session_failure(struct iscsi_session *session,
 		return;
 	}
 
-	dev = get_device(&conn->cls_conn->dev);
+	iscsi_get_conn(conn->cls_conn);
 	spin_unlock_bh(&session->frwd_lock);
-	if (!dev)
-	        return;
 	/*
 	 * if the host is being removed bypass the connection
 	 * recovery initialization because we are going to kill
@@ -1406,7 +1403,7 @@ void iscsi_session_failure(struct iscsi_session *session,
 		iscsi_conn_error_event(conn->cls_conn, err);
 	else
 		iscsi_conn_failure(conn, err);
-	put_device(dev);
+	iscsi_put_conn(conn->cls_conn);
 }
 EXPORT_SYMBOL_GPL(iscsi_session_failure);
 
diff --git a/drivers/scsi/scsi_transport_iscsi.c b/drivers/scsi/scsi_transport_iscsi.c
index 42bc4b71b0ba..e0159e6a1065 100644
--- a/drivers/scsi/scsi_transport_iscsi.c
+++ b/drivers/scsi/scsi_transport_iscsi.c
@@ -2328,6 +2328,18 @@ int iscsi_destroy_conn(struct iscsi_cls_conn *conn)
 }
 EXPORT_SYMBOL_GPL(iscsi_destroy_conn);
 
+void iscsi_put_conn(struct iscsi_cls_conn *conn)
+{
+	put_device(&conn->dev);
+}
+EXPORT_SYMBOL_GPL(iscsi_put_conn);
+
+void iscsi_get_conn(struct iscsi_cls_conn *conn)
+{
+	get_device(&conn->dev);
+}
+EXPORT_SYMBOL_GPL(iscsi_get_conn);
+
 /*
  * iscsi interface functions
  */
diff --git a/include/scsi/scsi_transport_iscsi.h b/include/scsi/scsi_transport_iscsi.h
index 6183d20a01fb..e673c7c9c5fb 100644
--- a/include/scsi/scsi_transport_iscsi.h
+++ b/include/scsi/scsi_transport_iscsi.h
@@ -437,6 +437,8 @@ extern void iscsi_free_session(struct iscsi_cls_session *session);
 extern int iscsi_destroy_session(struct iscsi_cls_session *session);
 extern struct iscsi_cls_conn *iscsi_create_conn(struct iscsi_cls_session *sess,
 						int dd_size, uint32_t cid);
+extern void iscsi_put_conn(struct iscsi_cls_conn *conn);
+extern void iscsi_get_conn(struct iscsi_cls_conn *conn);
 extern int iscsi_destroy_conn(struct iscsi_cls_conn *conn);
 extern void iscsi_unblock_session(struct iscsi_cls_session *session);
 extern void iscsi_block_session(struct iscsi_cls_session *session);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 150/188] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 149/188] scsi: iscsi: Add iscsi_cls_conn refcount helpers Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 151/188] ALSA: sb: Fix potential double-free of CSP mixer elements Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Lee Jones, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 4700ef326556ed74aba188f12396740a8c1c21dd ]

This patch adds/modifies MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/da9052-i2c.c | 1 +
 drivers/mfd/stmpe-i2c.c  | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/mfd/da9052-i2c.c b/drivers/mfd/da9052-i2c.c
index 2697ffb08009..2992fd94bc0c 100644
--- a/drivers/mfd/da9052-i2c.c
+++ b/drivers/mfd/da9052-i2c.c
@@ -118,6 +118,7 @@ static const struct i2c_device_id da9052_i2c_id[] = {
 	{"da9053-bc", DA9053_BC},
 	{}
 };
+MODULE_DEVICE_TABLE(i2c, da9052_i2c_id);
 
 #ifdef CONFIG_OF
 static const struct of_device_id dialog_dt_ids[] = {
diff --git a/drivers/mfd/stmpe-i2c.c b/drivers/mfd/stmpe-i2c.c
index c3f4aab53b07..663a6c1c3d0d 100644
--- a/drivers/mfd/stmpe-i2c.c
+++ b/drivers/mfd/stmpe-i2c.c
@@ -107,7 +107,7 @@ static const struct i2c_device_id stmpe_i2c_id[] = {
 	{ "stmpe2403", STMPE2403 },
 	{ }
 };
-MODULE_DEVICE_TABLE(i2c, stmpe_id);
+MODULE_DEVICE_TABLE(i2c, stmpe_i2c_id);
 
 static struct i2c_driver stmpe_i2c_driver = {
 	.driver = {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 151/188] ALSA: sb: Fix potential double-free of CSP mixer elements
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 150/188] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 152/188] powerpc/ps3: Add dma_mask to ps3_dma_region Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai, Sasha Levin

From: Takashi Iwai <tiwai@suse.de>

[ Upstream commit c305366a37441c2ac90b08711cb6f032b43672f2 ]

snd_sb_qsound_destroy() contains the calls of removing the previously
created mixer controls, but it doesn't clear the pointers.  As
snd_sb_qsound_destroy() itself may be repeatedly called via ioctl,
this could lead to double-free potentially.

Fix it by clearing the struct fields properly afterwards.

Link: https://lore.kernel.org/r/20210608140540.17885-4-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/isa/sb/sb16_csp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/sound/isa/sb/sb16_csp.c b/sound/isa/sb/sb16_csp.c
index 2cc068be7d3b..90fa57ad14c0 100644
--- a/sound/isa/sb/sb16_csp.c
+++ b/sound/isa/sb/sb16_csp.c
@@ -1086,10 +1086,14 @@ static void snd_sb_qsound_destroy(struct snd_sb_csp * p)
 	card = p->chip->card;	
 	
 	down_write(&card->controls_rwsem);
-	if (p->qsound_switch)
+	if (p->qsound_switch) {
 		snd_ctl_remove(card, p->qsound_switch);
-	if (p->qsound_space)
+		p->qsound_switch = NULL;
+	}
+	if (p->qsound_space) {
 		snd_ctl_remove(card, p->qsound_space);
+		p->qsound_space = NULL;
+	}
 	up_write(&card->controls_rwsem);
 
 	/* cancel pending transfer of QSound parameters */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 152/188] powerpc/ps3: Add dma_mask to ps3_dma_region
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 151/188] ALSA: sb: Fix potential double-free of CSP mixer elements Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 153/188] gpio: zynq: Check return value of pm_runtime_get_sync Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Geoff Levand, Michael Ellerman, Sasha Levin

From: Geoff Levand <geoff@infradead.org>

[ Upstream commit 9733862e50fdba55e7f1554e4286fcc5302ff28e ]

Commit f959dcd6ddfd29235030e8026471ac1b022ad2b0 (dma-direct: Fix
potential NULL pointer dereference) added a null check on the
dma_mask pointer of the kernel's device structure.

Add a dma_mask variable to the ps3_dma_region structure and set
the device structure's dma_mask pointer to point to this new variable.

Fixes runtime errors like these:
# WARNING: Fixes tag on line 10 doesn't match correct format
# WARNING: Fixes tag on line 10 doesn't match correct format

  ps3_system_bus_match:349: dev=8.0(sb_01), drv=8.0(ps3flash): match
  WARNING: CPU: 0 PID: 1 at kernel/dma/mapping.c:151 .dma_map_page_attrs+0x34/0x1e0
  ps3flash sb_01: ps3stor_setup:193: map DMA region failed

Signed-off-by: Geoff Levand <geoff@infradead.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/562d0c9ea0100a30c3b186bcc7adb34b0bbd2cd7.1622746428.git.geoff@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/include/asm/ps3.h  |  2 ++
 arch/powerpc/platforms/ps3/mm.c | 12 ++++++++++++
 2 files changed, 14 insertions(+)

diff --git a/arch/powerpc/include/asm/ps3.h b/arch/powerpc/include/asm/ps3.h
index a1bc7e758422..2d729b53a556 100644
--- a/arch/powerpc/include/asm/ps3.h
+++ b/arch/powerpc/include/asm/ps3.h
@@ -83,6 +83,7 @@ struct ps3_dma_region_ops;
  * @bus_addr: The 'translated' bus address of the region.
  * @len: The length in bytes of the region.
  * @offset: The offset from the start of memory of the region.
+ * @dma_mask: Device dma_mask.
  * @ioid: The IOID of the device who owns this region
  * @chunk_list: Opaque variable used by the ioc page manager.
  * @region_ops: struct ps3_dma_region_ops - dma region operations
@@ -97,6 +98,7 @@ struct ps3_dma_region {
 	enum ps3_dma_region_type region_type;
 	unsigned long len;
 	unsigned long offset;
+	u64 dma_mask;
 
 	/* driver variables  (set by ps3_dma_region_create) */
 	unsigned long bus_addr;
diff --git a/arch/powerpc/platforms/ps3/mm.c b/arch/powerpc/platforms/ps3/mm.c
index 19bae78b1f25..76cbf1be9962 100644
--- a/arch/powerpc/platforms/ps3/mm.c
+++ b/arch/powerpc/platforms/ps3/mm.c
@@ -18,6 +18,7 @@
  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
  */
 
+#include <linux/dma-mapping.h>
 #include <linux/kernel.h>
 #include <linux/export.h>
 #include <linux/memblock.h>
@@ -1132,6 +1133,7 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev,
 	enum ps3_dma_region_type region_type, void *addr, unsigned long len)
 {
 	unsigned long lpar_addr;
+	int result;
 
 	lpar_addr = addr ? ps3_mm_phys_to_lpar(__pa(addr)) : 0;
 
@@ -1143,6 +1145,16 @@ int ps3_dma_region_init(struct ps3_system_bus_device *dev,
 		r->offset -= map.r1.offset;
 	r->len = len ? len : _ALIGN_UP(map.total, 1 << r->page_size);
 
+	dev->core.dma_mask = &r->dma_mask;
+
+	result = dma_set_mask_and_coherent(&dev->core, DMA_BIT_MASK(32));
+
+	if (result < 0) {
+		dev_err(&dev->core, "%s:%d: dma_set_mask_and_coherent failed: %d\n",
+			__func__, __LINE__, result);
+		return result;
+	}
+
 	switch (dev->dev_type) {
 	case PS3_DEVICE_TYPE_SB:
 		r->region_ops =  (USE_DYNAMIC_DMA)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 153/188] gpio: zynq: Check return value of pm_runtime_get_sync
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 152/188] powerpc/ps3: Add dma_mask to ps3_dma_region Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 154/188] ALSA: ppc: fix error return code in snd_pmac_probe() Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Srinivas Neeli, Bartosz Golaszewski,
	Sasha Levin

From: Srinivas Neeli <srinivas.neeli@xilinx.com>

[ Upstream commit a51b2fb94b04ab71e53a71b9fad03fa826941254 ]

Return value of "pm_runtime_get_sync" API was neither captured nor checked.
Fixed it by capturing the return value and then checking for any warning.

Addresses-Coverity: "check_return"
Signed-off-by: Srinivas Neeli <srinivas.neeli@xilinx.com>
Signed-off-by: Bartosz Golaszewski <bgolaszewski@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpio/gpio-zynq.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/gpio/gpio-zynq.c b/drivers/gpio/gpio-zynq.c
index 8abeacac5885..ccfdf5a45998 100644
--- a/drivers/gpio/gpio-zynq.c
+++ b/drivers/gpio/gpio-zynq.c
@@ -764,8 +764,11 @@ err_disable_clk:
 static int zynq_gpio_remove(struct platform_device *pdev)
 {
 	struct zynq_gpio *gpio = platform_get_drvdata(pdev);
+	int ret;
 
-	pm_runtime_get_sync(&pdev->dev);
+	ret = pm_runtime_get_sync(&pdev->dev);
+	if (ret < 0)
+		dev_warn(&pdev->dev, "pm_runtime_get_sync() Failed\n");
 	gpiochip_remove(&gpio->chip);
 	clk_disable_unprepare(gpio->clk);
 	device_set_wakeup_capable(&pdev->dev, 0);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 154/188] ALSA: ppc: fix error return code in snd_pmac_probe()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 153/188] gpio: zynq: Check return value of pm_runtime_get_sync Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 155/188] selftests/powerpc: Fix "no_handler" EBB selftest Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang,
	Takashi Iwai, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 80b9c1be567c3c6bbe0d4b290af578e630485b5d ]

If snd_pmac_tumbler_init() or snd_pmac_tumbler_post_init() fails,
snd_pmac_probe() need return error code.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20210616021121.1991502-1-yangyingliang@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/ppc/powermac.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/sound/ppc/powermac.c b/sound/ppc/powermac.c
index 33c6be9fb388..7c70ba5e2540 100644
--- a/sound/ppc/powermac.c
+++ b/sound/ppc/powermac.c
@@ -90,7 +90,11 @@ static int snd_pmac_probe(struct platform_device *devptr)
 		sprintf(card->shortname, "PowerMac %s", name_ext);
 		sprintf(card->longname, "%s (Dev %d) Sub-frame %d",
 			card->shortname, chip->device_id, chip->subframe);
-		if ( snd_pmac_tumbler_init(chip) < 0 || snd_pmac_tumbler_post_init() < 0)
+		err = snd_pmac_tumbler_init(chip);
+		if (err < 0)
+			goto __error;
+		err = snd_pmac_tumbler_post_init();
+		if (err < 0)
 			goto __error;
 		break;
 	case PMAC_AWACS:
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 155/188] selftests/powerpc: Fix "no_handler" EBB selftest
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 154/188] ALSA: ppc: fix error return code in snd_pmac_probe() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 156/188] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Shirisha Ganta, Athira Rajeev,
	Michael Ellerman, Sasha Levin

From: Athira Rajeev <atrajeev@linux.vnet.ibm.com>

[ Upstream commit 45677c9aebe926192e59475b35a1ff35ff2d4217 ]

The "no_handler_test" in ebb selftests attempts to read the PMU
registers twice via helper function "dump_ebb_state". First dump is
just before closing of event and the second invocation is done after
closing of the event. The original intention of second
dump_ebb_state was to dump the state of registers at the end of
the test when the counters are frozen. But this will be achieved
with the first call itself since sample period is set to low value
and PMU will be frozen by then. Hence patch removes the
dump which was done before closing of the event.

Reported-by: Shirisha Ganta <shirisha.ganta1@ibm.com>
Signed-off-by: Athira Rajeev <atrajeev@linux.vnet.ibm.com>
Tested-by: Nageswara R Sastry <rnsastry@linux.ibm.com <mailto:rnsastry@linux.ibm.com>>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/1621950703-1532-2-git-send-email-atrajeev@linux.vnet.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
index 8341d7778d5e..87630d44fb4c 100644
--- a/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
+++ b/tools/testing/selftests/powerpc/pmu/ebb/no_handler_test.c
@@ -50,8 +50,6 @@ static int no_handler_test(void)
 
 	event_close(&event);
 
-	dump_ebb_state();
-
 	/* The real test is that we never took an EBB at 0x0 */
 
 	return 0;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 156/188] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 155/188] selftests/powerpc: Fix "no_handler" EBB selftest Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 157/188] ALSA: bebob: add support for ToneWeal FW66 Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Zhen Lei, Mark Brown, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 7d3865a10b9ff2669c531d5ddd60bf46b3d48f1e ]

When devm_kcalloc() fails, the error code -ENOMEM should be returned
instead of -EINVAL.

Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210617103729.1918-1-thunder.leizhen@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/soc/soc-core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/soc/soc-core.c b/sound/soc/soc-core.c
index b927f9c81d92..e69a7f8b6163 100644
--- a/sound/soc/soc-core.c
+++ b/sound/soc/soc-core.c
@@ -3394,7 +3394,7 @@ int snd_soc_of_parse_audio_routing(struct snd_soc_card *card,
 	if (!routes) {
 		dev_err(card->dev,
 			"ASoC: Could not allocate DAPM route table\n");
-		return -EINVAL;
+		return -ENOMEM;
 	}
 
 	for (i = 0; i < num_routes; i++) {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 157/188] ALSA: bebob: add support for ToneWeal FW66
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 156/188] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 158/188] usb: gadget: f_hid: fix endianness issue with descriptors Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Daniel Jozsef, Takashi Sakamoto,
	Takashi Iwai, Sasha Levin

From: Takashi Sakamoto <o-takashi@sakamocchi.jp>

[ Upstream commit 50ebe56222bfa0911a932930f9229ee5995508d9 ]

A user of FFADO project reported the issue of ToneWeal FW66. As a result,
the device is identified as one of applications of BeBoB solution.

I note that in the report the device returns contradictory result in plug
discovery process for audio subunit. Fortunately ALSA BeBoB driver doesn't
perform it thus it's likely to handle the device without issues.

I receive no reaction to test request for this patch yet, however it would
be worth to add support for it.

daniel@gibbonmoon:/sys/bus/firewire/devices/fw1$ grep -r . *
Binary file config_rom matches
dev:244:1
guid:0x0023270002000000
hardware_version:0x000002
is_local:0
model:0x020002
model_name:FW66
power/runtime_active_time:0
power/runtime_active_kids:0
power/runtime_usage:0
power/runtime_status:unsupported
power/async:disabled
power/runtime_suspended_time:0
power/runtime_enabled:disabled
power/control:auto
subsystem/drivers_autoprobe:1
uevent:MAJOR=244
uevent:MINOR=1
uevent:DEVNAME=fw1
units:0x00a02d:0x010001
vendor:0x002327
vendor_name:ToneWeal
fw1.0/uevent:MODALIAS=ieee1394:ven00002327mo00020002sp0000A02Dver00010001
fw1.0/power/runtime_active_time:0
fw1.0/power/runtime_active_kids:0
fw1.0/power/runtime_usage:0
fw1.0/power/runtime_status:unsupported
fw1.0/power/async:disabled
fw1.0/power/runtime_suspended_time:0
fw1.0/power/runtime_enabled:disabled
fw1.0/power/control:auto
fw1.0/model:0x020002
fw1.0/rom_index:15
fw1.0/specifier_id:0x00a02d
fw1.0/model_name:FW66
fw1.0/version:0x010001
fw1.0/modalias:ieee1394:ven00002327mo00020002sp0000A02Dver00010001

Cc: Daniel Jozsef <daniel.jozsef@gmail.com>
Reference: https://lore.kernel.org/alsa-devel/20200119164335.GA11974@workstation/
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Link: https://lore.kernel.org/r/20210619083922.16060-1-o-takashi@sakamocchi.jp
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/Kconfig       | 1 +
 sound/firewire/bebob/bebob.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/sound/firewire/Kconfig b/sound/firewire/Kconfig
index 4199cfc4a96a..850315d1abca 100644
--- a/sound/firewire/Kconfig
+++ b/sound/firewire/Kconfig
@@ -117,6 +117,7 @@ config SND_BEBOB
 	  * M-Audio Ozonic/NRV10/ProfireLightBridge
 	  * M-Audio FireWire 1814/ProjectMix IO
 	  * Digidesign Mbox 2 Pro
+	  * ToneWeal FW66
 
           To compile this driver as a module, choose M here: the module
           will be called snd-bebob.
diff --git a/sound/firewire/bebob/bebob.c b/sound/firewire/bebob/bebob.c
index 64dca7931272..c3c14e383e73 100644
--- a/sound/firewire/bebob/bebob.c
+++ b/sound/firewire/bebob/bebob.c
@@ -60,6 +60,7 @@ static DECLARE_BITMAP(devices_used, SNDRV_CARDS);
 #define VEN_MAUDIO1	0x00000d6c
 #define VEN_MAUDIO2	0x000007f5
 #define VEN_DIGIDESIGN	0x00a07e
+#define OUI_SHOUYO	0x002327
 
 #define MODEL_FOCUSRITE_SAFFIRE_BOTH	0x00000000
 #define MODEL_MAUDIO_AUDIOPHILE_BOTH	0x00010060
@@ -461,6 +462,8 @@ static const struct ieee1394_device_id bebob_id_table[] = {
 			    &maudio_special_spec),
 	/* Digidesign Mbox 2 Pro */
 	SND_BEBOB_DEV_ENTRY(VEN_DIGIDESIGN, 0x0000a9, &spec_normal),
+	// Toneweal FW66.
+	SND_BEBOB_DEV_ENTRY(OUI_SHOUYO, 0x020002, &spec_normal),
 	/* IDs are unknown but able to be supported */
 	/*  Apogee, Mini-ME Firewire */
 	/*  Apogee, Mini-DAC Firewire */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 158/188] usb: gadget: f_hid: fix endianness issue with descriptors
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 157/188] ALSA: bebob: add support for ToneWeal FW66 Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 159/188] usb: gadget: hid: fix error return code in hid_bind() Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Fabien Chouteau, Segiy Stetsyuk,
	Ruslan Bilovol, Sasha Levin

From: Ruslan Bilovol <ruslan.bilovol@gmail.com>

[ Upstream commit 33cb46c4676d01956811b68a29157ea969a5df70 ]

Running sparse checker it shows warning message about
incorrect endianness used for descriptor initialization:

| f_hid.c:91:43: warning: incorrect type in initializer (different base types)
| f_hid.c:91:43:    expected restricted __le16 [usertype] bcdHID
| f_hid.c:91:43:    got int

Fixing issue with cpu_to_le16() macro, however this is not a real issue
as the value is the same both endians.

Cc: Fabien Chouteau <fabien.chouteau@barco.com>
Cc: Segiy Stetsyuk <serg_stetsuk@ukr.net>
Signed-off-by: Ruslan Bilovol <ruslan.bilovol@gmail.com>
Link: https://lore.kernel.org/r/20210617162755.29676-1-ruslan.bilovol@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/function/f_hid.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/function/f_hid.c b/drivers/usb/gadget/function/f_hid.c
index a5dae5bb62ab..590e056d3618 100644
--- a/drivers/usb/gadget/function/f_hid.c
+++ b/drivers/usb/gadget/function/f_hid.c
@@ -91,7 +91,7 @@ static struct usb_interface_descriptor hidg_interface_desc = {
 static struct hid_descriptor hidg_desc = {
 	.bLength			= sizeof hidg_desc,
 	.bDescriptorType		= HID_DT_HID,
-	.bcdHID				= 0x0101,
+	.bcdHID				= cpu_to_le16(0x0101),
 	.bCountryCode			= 0x00,
 	.bNumDescriptors		= 0x1,
 	/*.desc[0].bDescriptorType	= DYNAMIC */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 159/188] usb: gadget: hid: fix error return code in hid_bind()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 158/188] usb: gadget: f_hid: fix endianness issue with descriptors Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 160/188] powerpc/boot: Fixup device-tree on little endian Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Yang Yingliang, Sasha Levin

From: Yang Yingliang <yangyingliang@huawei.com>

[ Upstream commit 88693f770bb09c196b1eb5f06a484a254ecb9924 ]

Fix to return a negative error code from the error handling
case instead of 0.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Link: https://lore.kernel.org/r/20210618043835.2641360-1-yangyingliang@huawei.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/gadget/legacy/hid.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/gadget/legacy/hid.c b/drivers/usb/gadget/legacy/hid.c
index 7e5d2c48476e..97329ba5d382 100644
--- a/drivers/usb/gadget/legacy/hid.c
+++ b/drivers/usb/gadget/legacy/hid.c
@@ -175,8 +175,10 @@ static int hid_bind(struct usb_composite_dev *cdev)
 		struct usb_descriptor_header *usb_desc;
 
 		usb_desc = usb_otg_descriptor_alloc(gadget);
-		if (!usb_desc)
+		if (!usb_desc) {
+			status = -ENOMEM;
 			goto put;
+		}
 		usb_otg_descriptor_init(gadget, usb_desc);
 		otg_desc[0] = usb_desc;
 		otg_desc[1] = NULL;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 160/188] powerpc/boot: Fixup device-tree on little endian
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 159/188] usb: gadget: hid: fix error return code in hid_bind() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 161/188] backlight: lm3630a: Fix return code of .update_status() callback Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Benjamin Herrenschmidt,
	Paul Mackerras, Segher Boessenkool, Nicholas Piggin,
	Michael Ellerman, Sasha Levin

From: Benjamin Herrenschmidt <benh@kernel.crashing.org>

[ Upstream commit c93f80849bdd9b45d834053ae1336e28f0026c84 ]

This fixes the core devtree.c functions and the ns16550 UART backend.

Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
Reviewed-by: Segher Boessenkool <segher@kernel.crashing.org>
Acked-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/YMwXrPT8nc4YUdJ9@thinks.paulus.ozlabs.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/powerpc/boot/devtree.c | 59 +++++++++++++++++++++----------------
 arch/powerpc/boot/ns16550.c |  9 ++++--
 2 files changed, 41 insertions(+), 27 deletions(-)

diff --git a/arch/powerpc/boot/devtree.c b/arch/powerpc/boot/devtree.c
index a7e21a35c03a..27c84b82b588 100644
--- a/arch/powerpc/boot/devtree.c
+++ b/arch/powerpc/boot/devtree.c
@@ -17,6 +17,7 @@
 #include "string.h"
 #include "stdio.h"
 #include "ops.h"
+#include "of.h"
 
 void dt_fixup_memory(u64 start, u64 size)
 {
@@ -27,21 +28,25 @@ void dt_fixup_memory(u64 start, u64 size)
 	root = finddevice("/");
 	if (getprop(root, "#address-cells", &naddr, sizeof(naddr)) < 0)
 		naddr = 2;
+	else
+		naddr = be32_to_cpu(naddr);
 	if (naddr < 1 || naddr > 2)
 		fatal("Can't cope with #address-cells == %d in /\n\r", naddr);
 
 	if (getprop(root, "#size-cells", &nsize, sizeof(nsize)) < 0)
 		nsize = 1;
+	else
+		nsize = be32_to_cpu(nsize);
 	if (nsize < 1 || nsize > 2)
 		fatal("Can't cope with #size-cells == %d in /\n\r", nsize);
 
 	i = 0;
 	if (naddr == 2)
-		memreg[i++] = start >> 32;
-	memreg[i++] = start & 0xffffffff;
+		memreg[i++] = cpu_to_be32(start >> 32);
+	memreg[i++] = cpu_to_be32(start & 0xffffffff);
 	if (nsize == 2)
-		memreg[i++] = size >> 32;
-	memreg[i++] = size & 0xffffffff;
+		memreg[i++] = cpu_to_be32(size >> 32);
+	memreg[i++] = cpu_to_be32(size & 0xffffffff);
 
 	memory = finddevice("/memory");
 	if (! memory) {
@@ -49,9 +54,9 @@ void dt_fixup_memory(u64 start, u64 size)
 		setprop_str(memory, "device_type", "memory");
 	}
 
-	printf("Memory <- <0x%x", memreg[0]);
+	printf("Memory <- <0x%x", be32_to_cpu(memreg[0]));
 	for (i = 1; i < (naddr + nsize); i++)
-		printf(" 0x%x", memreg[i]);
+		printf(" 0x%x", be32_to_cpu(memreg[i]));
 	printf("> (%ldMB)\n\r", (unsigned long)(size >> 20));
 
 	setprop(memory, "reg", memreg, (naddr + nsize)*sizeof(u32));
@@ -69,10 +74,10 @@ void dt_fixup_cpu_clocks(u32 cpu, u32 tb, u32 bus)
 		printf("CPU bus-frequency <- 0x%x (%dMHz)\n\r", bus, MHZ(bus));
 
 	while ((devp = find_node_by_devtype(devp, "cpu"))) {
-		setprop_val(devp, "clock-frequency", cpu);
-		setprop_val(devp, "timebase-frequency", tb);
+		setprop_val(devp, "clock-frequency", cpu_to_be32(cpu));
+		setprop_val(devp, "timebase-frequency", cpu_to_be32(tb));
 		if (bus > 0)
-			setprop_val(devp, "bus-frequency", bus);
+			setprop_val(devp, "bus-frequency", cpu_to_be32(bus));
 	}
 
 	timebase_period_ns = 1000000000 / tb;
@@ -84,7 +89,7 @@ void dt_fixup_clock(const char *path, u32 freq)
 
 	if (devp) {
 		printf("%s: clock-frequency <- %x (%dMHz)\n\r", path, freq, MHZ(freq));
-		setprop_val(devp, "clock-frequency", freq);
+		setprop_val(devp, "clock-frequency", cpu_to_be32(freq));
 	}
 }
 
@@ -137,8 +142,12 @@ void dt_get_reg_format(void *node, u32 *naddr, u32 *nsize)
 {
 	if (getprop(node, "#address-cells", naddr, 4) != 4)
 		*naddr = 2;
+	else
+		*naddr = be32_to_cpu(*naddr);
 	if (getprop(node, "#size-cells", nsize, 4) != 4)
 		*nsize = 1;
+	else
+		*nsize = be32_to_cpu(*nsize);
 }
 
 static void copy_val(u32 *dest, u32 *src, int naddr)
@@ -167,9 +176,9 @@ static int add_reg(u32 *reg, u32 *add, int naddr)
 	int i, carry = 0;
 
 	for (i = MAX_ADDR_CELLS - 1; i >= MAX_ADDR_CELLS - naddr; i--) {
-		u64 tmp = (u64)reg[i] + add[i] + carry;
+		u64 tmp = (u64)be32_to_cpu(reg[i]) + be32_to_cpu(add[i]) + carry;
 		carry = tmp >> 32;
-		reg[i] = (u32)tmp;
+		reg[i] = cpu_to_be32((u32)tmp);
 	}
 
 	return !carry;
@@ -184,18 +193,18 @@ static int compare_reg(u32 *reg, u32 *range, u32 *rangesize)
 	u32 end;
 
 	for (i = 0; i < MAX_ADDR_CELLS; i++) {
-		if (reg[i] < range[i])
+		if (be32_to_cpu(reg[i]) < be32_to_cpu(range[i]))
 			return 0;
-		if (reg[i] > range[i])
+		if (be32_to_cpu(reg[i]) > be32_to_cpu(range[i]))
 			break;
 	}
 
 	for (i = 0; i < MAX_ADDR_CELLS; i++) {
-		end = range[i] + rangesize[i];
+		end = be32_to_cpu(range[i]) + be32_to_cpu(rangesize[i]);
 
-		if (reg[i] < end)
+		if (be32_to_cpu(reg[i]) < end)
 			break;
-		if (reg[i] > end)
+		if (be32_to_cpu(reg[i]) > end)
 			return 0;
 	}
 
@@ -244,7 +253,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
 		return 0;
 
 	dt_get_reg_format(parent, &naddr, &nsize);
-
 	if (nsize > 2)
 		return 0;
 
@@ -256,10 +264,10 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
 
 	copy_val(last_addr, prop_buf + offset, naddr);
 
-	ret_size = prop_buf[offset + naddr];
+	ret_size = be32_to_cpu(prop_buf[offset + naddr]);
 	if (nsize == 2) {
 		ret_size <<= 32;
-		ret_size |= prop_buf[offset + naddr + 1];
+		ret_size |= be32_to_cpu(prop_buf[offset + naddr + 1]);
 	}
 
 	for (;;) {
@@ -282,7 +290,6 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
 
 		offset = find_range(last_addr, prop_buf, prev_naddr,
 		                    naddr, prev_nsize, buflen / 4);
-
 		if (offset < 0)
 			return 0;
 
@@ -300,8 +307,7 @@ static int dt_xlate(void *node, int res, int reglen, unsigned long *addr,
 	if (naddr > 2)
 		return 0;
 
-	ret_addr = ((u64)last_addr[2] << 32) | last_addr[3];
-
+	ret_addr = ((u64)be32_to_cpu(last_addr[2]) << 32) | be32_to_cpu(last_addr[3]);
 	if (sizeof(void *) == 4 &&
 	    (ret_addr >= 0x100000000ULL || ret_size > 0x100000000ULL ||
 	     ret_addr + ret_size > 0x100000000ULL))
@@ -354,11 +360,14 @@ int dt_is_compatible(void *node, const char *compat)
 int dt_get_virtual_reg(void *node, void **addr, int nres)
 {
 	unsigned long xaddr;
-	int n;
+	int n, i;
 
 	n = getprop(node, "virtual-reg", addr, nres * 4);
-	if (n > 0)
+	if (n > 0) {
+		for (i = 0; i < n/4; i ++)
+			((u32 *)addr)[i] = be32_to_cpu(((u32 *)addr)[i]);
 		return n / 4;
+	}
 
 	for (n = 0; n < nres; n++) {
 		if (!dt_xlate_reg(node, n, &xaddr, NULL))
diff --git a/arch/powerpc/boot/ns16550.c b/arch/powerpc/boot/ns16550.c
index 8c9ead94be06..cea34a20085c 100644
--- a/arch/powerpc/boot/ns16550.c
+++ b/arch/powerpc/boot/ns16550.c
@@ -14,6 +14,7 @@
 #include "stdio.h"
 #include "io.h"
 #include "ops.h"
+#include "of.h"
 
 #define UART_DLL	0	/* Out: Divisor Latch Low */
 #define UART_DLM	1	/* Out: Divisor Latch High */
@@ -57,16 +58,20 @@ int ns16550_console_init(void *devp, struct serial_console_data *scdp)
 	int n;
 	u32 reg_offset;
 
-	if (dt_get_virtual_reg(devp, (void **)&reg_base, 1) < 1)
+	if (dt_get_virtual_reg(devp, (void **)&reg_base, 1) < 1) {
+		printf("virt reg parse fail...\r\n");
 		return -1;
+	}
 
 	n = getprop(devp, "reg-offset", &reg_offset, sizeof(reg_offset));
 	if (n == sizeof(reg_offset))
-		reg_base += reg_offset;
+		reg_base += be32_to_cpu(reg_offset);
 
 	n = getprop(devp, "reg-shift", &reg_shift, sizeof(reg_shift));
 	if (n != sizeof(reg_shift))
 		reg_shift = 0;
+	else
+		reg_shift = be32_to_cpu(reg_shift);
 
 	scdp->open = ns16550_open;
 	scdp->putc = ns16550_putc;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 161/188] backlight: lm3630a: Fix return code of .update_status() callback
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 160/188] powerpc/boot: Fixup device-tree on little endian Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 162/188] ALSA: hda: Add IRQ check for platform_get_irq() Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Uwe Kleine-König,
	Daniel Thompson, Lee Jones, Sasha Levin

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit b9481a667a90ec739995e85f91f3672ca44d6ffa ]

According to <linux/backlight.h> .update_status() is supposed to
return 0 on success and a negative error code otherwise. Adapt
lm3630a_bank_a_update_status() and lm3630a_bank_b_update_status() to
actually do it.

While touching that also add the error code to the failure message.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Daniel Thompson <daniel.thompson@linaro.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/backlight/lm3630a_bl.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/drivers/video/backlight/lm3630a_bl.c b/drivers/video/backlight/lm3630a_bl.c
index 5ef6f9d420a2..ab882c04f975 100644
--- a/drivers/video/backlight/lm3630a_bl.c
+++ b/drivers/video/backlight/lm3630a_bl.c
@@ -183,7 +183,7 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl)
 	if ((pwm_ctrl & LM3630A_PWM_BANK_A) != 0) {
 		lm3630a_pwm_ctrl(pchip, bl->props.brightness,
 				 bl->props.max_brightness);
-		return bl->props.brightness;
+		return 0;
 	}
 
 	/* disable sleep */
@@ -203,8 +203,8 @@ static int lm3630a_bank_a_update_status(struct backlight_device *bl)
 	return 0;
 
 out_i2c_err:
-	dev_err(pchip->dev, "i2c failed to access\n");
-	return bl->props.brightness;
+	dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret));
+	return ret;
 }
 
 static int lm3630a_bank_a_get_brightness(struct backlight_device *bl)
@@ -260,7 +260,7 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl)
 	if ((pwm_ctrl & LM3630A_PWM_BANK_B) != 0) {
 		lm3630a_pwm_ctrl(pchip, bl->props.brightness,
 				 bl->props.max_brightness);
-		return bl->props.brightness;
+		return 0;
 	}
 
 	/* disable sleep */
@@ -280,8 +280,8 @@ static int lm3630a_bank_b_update_status(struct backlight_device *bl)
 	return 0;
 
 out_i2c_err:
-	dev_err(pchip->dev, "i2c failed to access REG_CTRL\n");
-	return bl->props.brightness;
+	dev_err(pchip->dev, "i2c failed to access (%pe)\n", ERR_PTR(ret));
+	return ret;
 }
 
 static int lm3630a_bank_b_get_brightness(struct backlight_device *bl)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 162/188] ALSA: hda: Add IRQ check for platform_get_irq()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 161/188] backlight: lm3630a: Fix return code of .update_status() callback Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 163/188] lib/decompress_unlz4.c: correctly handle zero-padding around initrds Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Jiajun Cao, Xin Tan, Thierry Reding,
	Takashi Iwai, Sasha Levin

From: Jiajun Cao <jjcao20@fudan.edu.cn>

[ Upstream commit 8c13212443230d03ff25014514ec0d53498c0912 ]

The function hda_tegra_first_init() neglects to check the return
value after executing platform_get_irq().

hda_tegra_first_init() should check the return value (if negative
error number) for errors so as to not pass a negative value to
the devm_request_irq().

Fix it by adding a check for the return value irq_id.

Signed-off-by: Jiajun Cao <jjcao20@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Reviewed-by: Thierry Reding <treding@nvidia.com>
Link: https://lore.kernel.org/r/20210622131947.94346-1-jjcao20@fudan.edu.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/hda_tegra.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sound/pci/hda/hda_tegra.c b/sound/pci/hda/hda_tegra.c
index 039fbbb1e53c..89359a962e47 100644
--- a/sound/pci/hda/hda_tegra.c
+++ b/sound/pci/hda/hda_tegra.c
@@ -363,6 +363,9 @@ static int hda_tegra_first_init(struct azx *chip, struct platform_device *pdev)
 	unsigned short gcap;
 	int irq_id = platform_get_irq(pdev, 0);
 
+	if (irq_id < 0)
+		return irq_id;
+
 	err = hda_tegra_init_chip(chip, pdev);
 	if (err)
 		return err;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 163/188] lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 162/188] ALSA: hda: Add IRQ check for platform_get_irq() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 164/188] pwm: spear: Dont modify HW state in .remove callback Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dimitri John Ledkov, Kyungsik Lee,
	Yinghai Lu, Bongkyu Kim, Kees Cook, Sven Schmidt, Rajat Asthana,
	Nick Terrell, Gao Xiang, Andrew Morton, Linus Torvalds,
	Sasha Levin

From: Dimitri John Ledkov <dimitri.ledkov@canonical.com>

[ Upstream commit 2c484419efc09e7234c667aa72698cb79ba8d8ed ]

lz4 compatible decompressor is simple.  The format is underspecified and
relies on EOF notification to determine when to stop.  Initramfs buffer
format[1] explicitly states that it can have arbitrary number of zero
padding.  Thus when operating without a fill function, be extra careful to
ensure that sizes less than 4, or apperantly empty chunksizes are treated
as EOF.

To test this I have created two cpio initrds, first a normal one,
main.cpio.  And second one with just a single /test-file with content
"second" second.cpio.  Then i compressed both of them with gzip, and with
lz4 -l.  Then I created a padding of 4 bytes (dd if=/dev/zero of=pad4 bs=1
count=4).  To create four testcase initrds:

 1) main.cpio.gzip + extra.cpio.gzip = pad0.gzip
 2) main.cpio.lz4  + extra.cpio.lz4 = pad0.lz4
 3) main.cpio.gzip + pad4 + extra.cpio.gzip = pad4.gzip
 4) main.cpio.lz4  + pad4 + extra.cpio.lz4 = pad4.lz4

The pad4 test-cases replicate the initrd load by grub, as it pads and
aligns every initrd it loads.

All of the above boot, however /test-file was not accessible in the initrd
for the testcase #4, as decoding in lz4 decompressor failed.  Also an
error message printed which usually is harmless.

Whith a patched kernel, all of the above testcases now pass, and
/test-file is accessible.

This fixes lz4 initrd decompress warning on every boot with grub.  And
more importantly this fixes inability to load multiple lz4 compressed
initrds with grub.  This patch has been shipping in Ubuntu kernels since
January 2021.

[1] ./Documentation/driver-api/early-userspace/buffer-format.rst

BugLink: https://bugs.launchpad.net/bugs/1835660
Link: https://lore.kernel.org/lkml/20210114200256.196589-1-xnox@ubuntu.com/ # v0
Link: https://lkml.kernel.org/r/20210513104831.432975-1-dimitri.ledkov@canonical.com
Signed-off-by: Dimitri John Ledkov <dimitri.ledkov@canonical.com>
Cc: Kyungsik Lee <kyungsik.lee@lge.com>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: Bongkyu Kim <bongkyu.kim@lge.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Sven Schmidt <4sschmid@informatik.uni-hamburg.de>
Cc: Rajat Asthana <thisisrast7@gmail.com>
Cc: Nick Terrell <terrelln@fb.com>
Cc: Gao Xiang <hsiangkao@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/decompress_unlz4.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/lib/decompress_unlz4.c b/lib/decompress_unlz4.c
index 036fc882cd72..f1449244fdd4 100644
--- a/lib/decompress_unlz4.c
+++ b/lib/decompress_unlz4.c
@@ -115,6 +115,9 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
 				error("data corrupted");
 				goto exit_2;
 			}
+		} else if (size < 4) {
+			/* empty or end-of-file */
+			goto exit_3;
 		}
 
 		chunksize = get_unaligned_le32(inp);
@@ -128,6 +131,10 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
 			continue;
 		}
 
+		if (!fill && chunksize == 0) {
+			/* empty or end-of-file */
+			goto exit_3;
+		}
 
 		if (posp)
 			*posp += 4;
@@ -184,6 +191,7 @@ STATIC inline int INIT unlz4(u8 *input, long in_len,
 		}
 	}
 
+exit_3:
 	ret = 0;
 exit_2:
 	if (!input)
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 164/188] pwm: spear: Dont modify HW state in .remove callback
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 163/188] lib/decompress_unlz4.c: correctly handle zero-padding around initrds Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 165/188] power: supply: ab8500: Avoid NULL pointers Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Uwe Kleine-König,
	Thierry Reding, Sasha Levin

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit b601a18f12383001e7a8da238de7ca1559ebc450 ]

A consumer is expected to disable a PWM before calling pwm_put(). And if
they didn't there is hopefully a good reason (or the consumer needs
fixing). Also if disabling an enabled PWM was the right thing to do,
this should better be done in the framework instead of in each low level
driver.

So drop the hardware modification from the .remove() callback.

Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Thierry Reding <thierry.reding@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pwm/pwm-spear.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/drivers/pwm/pwm-spear.c b/drivers/pwm/pwm-spear.c
index 6c6b44fd3f43..2d11ac277de8 100644
--- a/drivers/pwm/pwm-spear.c
+++ b/drivers/pwm/pwm-spear.c
@@ -231,10 +231,6 @@ static int spear_pwm_probe(struct platform_device *pdev)
 static int spear_pwm_remove(struct platform_device *pdev)
 {
 	struct spear_pwm_chip *pc = platform_get_drvdata(pdev);
-	int i;
-
-	for (i = 0; i < NUM_PWM; i++)
-		pwm_disable(&pc->chip.pwms[i]);
 
 	/* clk was prepared in probe, hence unprepare it here */
 	clk_unprepare(pc->clk);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 165/188] power: supply: ab8500: Avoid NULL pointers
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 164/188] pwm: spear: Dont modify HW state in .remove callback Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 166/188] power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Linus Walleij, Sebastian Reichel,
	Sasha Levin

From: Linus Walleij <linus.walleij@linaro.org>

[ Upstream commit 5bcb5087c9dd3dca1ff0ebd8002c5313c9332b56 ]

Sometimes the code will crash because we haven't enabled
AC or USB charging and thus not created the corresponding
psy device. Fix it by checking that it is there before
notifying.

Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/ab8500_charger.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c
index e388171f4e58..98724c3a28e5 100644
--- a/drivers/power/ab8500_charger.c
+++ b/drivers/power/ab8500_charger.c
@@ -409,6 +409,14 @@ disable_otp:
 static void ab8500_power_supply_changed(struct ab8500_charger *di,
 					struct power_supply *psy)
 {
+	/*
+	 * This happens if we get notifications or interrupts and
+	 * the platform has been configured not to support one or
+	 * other type of charging.
+	 */
+	if (!psy)
+		return;
+
 	if (di->autopower_cfg) {
 		if (!di->usb.charger_connected &&
 		    !di->ac.charger_connected &&
@@ -435,7 +443,15 @@ static void ab8500_charger_set_usb_connected(struct ab8500_charger *di,
 		if (!connected)
 			di->flags.vbus_drop_end = false;
 
-		sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL, "present");
+		/*
+		 * Sometimes the platform is configured not to support
+		 * USB charging and no psy has been created, but we still
+		 * will get these notifications.
+		 */
+		if (di->usb_chg.psy) {
+			sysfs_notify(&di->usb_chg.psy->dev.kobj, NULL,
+				     "present");
+		}
 
 		if (connected) {
 			mutex_lock(&di->charger_attached_mutex);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 166/188] power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 165/188] power: supply: ab8500: Avoid NULL pointers Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 167/188] ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Bixuan Cui,
	Sebastian Reichel, Sasha Levin

From: Bixuan Cui <cuibixuan@huawei.com>

[ Upstream commit ed3443fb4df4e140a22f65144546c8a8e1e27f4e ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Bixuan Cui <cuibixuan@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/reset/gpio-poweroff.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/power/reset/gpio-poweroff.c b/drivers/power/reset/gpio-poweroff.c
index be3d81ff51cc..a44e3427fdeb 100644
--- a/drivers/power/reset/gpio-poweroff.c
+++ b/drivers/power/reset/gpio-poweroff.c
@@ -84,6 +84,7 @@ static const struct of_device_id of_gpio_poweroff_match[] = {
 	{ .compatible = "gpio-poweroff", },
 	{},
 };
+MODULE_DEVICE_TABLE(of, of_gpio_poweroff_match);
 
 static struct platform_driver gpio_poweroff_driver = {
 	.probe = gpio_poweroff_probe,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 167/188] ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 166/188] power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 168/188] watchdog: Fix possible use-after-free in wdt_startup() Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nick Desaulniers, Jian Cai,
	Russell King, Sasha Levin

From: Nick Desaulniers <ndesaulniers@google.com>

[ Upstream commit 8b95a7d90ce8160ac5cffd5bace6e2eba01a871e ]

There's a few instructions that GAS infers operands but Clang doesn't;
from what I can tell the Arm ARM doesn't say these are optional.

F5.1.257 TBB, TBH T1 Halfword variant
F5.1.238 STREXD T1 variant
F5.1.84 LDREXD T1 variant

Link: https://github.com/ClangBuiltLinux/linux/issues/1309

Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
Reviewed-by: Jian Cai <jiancai@google.com>
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/probes/kprobes/test-thumb.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/arch/arm/probes/kprobes/test-thumb.c b/arch/arm/probes/kprobes/test-thumb.c
index b683b4517458..4254391f3906 100644
--- a/arch/arm/probes/kprobes/test-thumb.c
+++ b/arch/arm/probes/kprobes/test-thumb.c
@@ -444,21 +444,21 @@ void kprobe_thumb32_test_cases(void)
 		"3:	mvn	r0, r0	\n\t"
 		"2:	nop		\n\t")
 
-	TEST_RX("tbh	[pc, r",7, (9f-(1f+4))>>1,"]",
+	TEST_RX("tbh	[pc, r",7, (9f-(1f+4))>>1,", lsl #1]",
 		"9:			\n\t"
 		".short	(2f-1b-4)>>1	\n\t"
 		".short	(3f-1b-4)>>1	\n\t"
 		"3:	mvn	r0, r0	\n\t"
 		"2:	nop		\n\t")
 
-	TEST_RX("tbh	[pc, r",12, ((9f-(1f+4))>>1)+1,"]",
+	TEST_RX("tbh	[pc, r",12, ((9f-(1f+4))>>1)+1,", lsl #1]",
 		"9:			\n\t"
 		".short	(2f-1b-4)>>1	\n\t"
 		".short	(3f-1b-4)>>1	\n\t"
 		"3:	mvn	r0, r0	\n\t"
 		"2:	nop		\n\t")
 
-	TEST_RRX("tbh	[r",1,9f, ", r",14,1,"]",
+	TEST_RRX("tbh	[r",1,9f, ", r",14,1,", lsl #1]",
 		"9:			\n\t"
 		".short	(2f-1b-4)>>1	\n\t"
 		".short	(3f-1b-4)>>1	\n\t"
@@ -471,10 +471,10 @@ void kprobe_thumb32_test_cases(void)
 
 	TEST_UNSUPPORTED("strexb	r0, r1, [r2]")
 	TEST_UNSUPPORTED("strexh	r0, r1, [r2]")
-	TEST_UNSUPPORTED("strexd	r0, r1, [r2]")
+	TEST_UNSUPPORTED("strexd	r0, r1, r2, [r2]")
 	TEST_UNSUPPORTED("ldrexb	r0, [r1]")
 	TEST_UNSUPPORTED("ldrexh	r0, [r1]")
-	TEST_UNSUPPORTED("ldrexd	r0, [r1]")
+	TEST_UNSUPPORTED("ldrexd	r0, r1, [r1]")
 
 	TEST_GROUP("Data-processing (shifted register) and (modified immediate)")
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 168/188] watchdog: Fix possible use-after-free in wdt_startup()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 167/188] ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 169/188] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Guenter Roeck,
	Wim Van Sebroeck, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit c08a6b31e4917034f0ed0cb457c3bb209576f542 ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1620716495-108352-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/sbc60xxwdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/watchdog/sbc60xxwdt.c b/drivers/watchdog/sbc60xxwdt.c
index 2eef58a0cf05..152db059d5aa 100644
--- a/drivers/watchdog/sbc60xxwdt.c
+++ b/drivers/watchdog/sbc60xxwdt.c
@@ -152,7 +152,7 @@ static void wdt_startup(void)
 static void wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 	inb_p(wdt_stop);
 	pr_info("Watchdog timer is now disabled...\n");
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 169/188] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 168/188] watchdog: Fix possible use-after-free in wdt_startup() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 170/188] watchdog: Fix possible use-after-free by calling del_timer_sync() Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Guenter Roeck,
	Wim Van Sebroeck, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 90b7c141132244e8e49a34a4c1e445cce33e07f4 ]

This module's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/1620716691-108460-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/sc520_wdt.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/watchdog/sc520_wdt.c b/drivers/watchdog/sc520_wdt.c
index 1cfd3f6a13d5..08500db8324f 100644
--- a/drivers/watchdog/sc520_wdt.c
+++ b/drivers/watchdog/sc520_wdt.c
@@ -190,7 +190,7 @@ static int wdt_startup(void)
 static int wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 
 	/* Stop the watchdog */
 	wdt_config(0);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 170/188] watchdog: Fix possible use-after-free by calling del_timer_sync()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 169/188] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 171/188] ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei, Guenter Roeck,
	Vladimir Zapolskiy, Wim Van Sebroeck, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit d0212f095ab56672f6f36aabc605bda205e1e0bf ]

This driver's remove path calls del_timer(). However, that function
does not wait until the timer handler finishes. This means that the
timer handler may still be running after the driver's remove function
has finished, which would result in a use-after-free.

Fix by calling del_timer_sync(), which makes sure the timer handler
has finished, and unable to re-schedule itself.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Acked-by: Vladimir Zapolskiy <vz@mleia.com>
Link: https://lore.kernel.org/r/1620802676-19701-1-git-send-email-zou_wei@huawei.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/watchdog/lpc18xx_wdt.c | 2 +-
 drivers/watchdog/w83877f_wdt.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/watchdog/lpc18xx_wdt.c b/drivers/watchdog/lpc18xx_wdt.c
index ab7b8b185d99..fbdc0f32e666 100644
--- a/drivers/watchdog/lpc18xx_wdt.c
+++ b/drivers/watchdog/lpc18xx_wdt.c
@@ -309,7 +309,7 @@ static int lpc18xx_wdt_remove(struct platform_device *pdev)
 	unregister_restart_handler(&lpc18xx_wdt->restart_handler);
 
 	dev_warn(&pdev->dev, "I quit now, hardware will probably reboot!\n");
-	del_timer(&lpc18xx_wdt->timer);
+	del_timer_sync(&lpc18xx_wdt->timer);
 
 	watchdog_unregister_device(&lpc18xx_wdt->wdt_dev);
 	clk_disable_unprepare(lpc18xx_wdt->wdt_clk);
diff --git a/drivers/watchdog/w83877f_wdt.c b/drivers/watchdog/w83877f_wdt.c
index f0483c75ed32..4b52cf321747 100644
--- a/drivers/watchdog/w83877f_wdt.c
+++ b/drivers/watchdog/w83877f_wdt.c
@@ -170,7 +170,7 @@ static void wdt_startup(void)
 static void wdt_turnoff(void)
 {
 	/* Stop the timer */
-	del_timer(&timer);
+	del_timer_sync(&timer);
 
 	wdt_change(WDT_DISABLE);
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 171/188] ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 170/188] watchdog: Fix possible use-after-free by calling del_timer_sync() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 172/188] power: supply: charger-manager: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Matthew Wilcox, Jeff Layton,
	Ilya Dryomov, Sasha Levin

From: Jeff Layton <jlayton@kernel.org>

[ Upstream commit 22d41cdcd3cfd467a4af074165357fcbea1c37f5 ]

The checks for page->mapping are odd, as set_page_dirty is an
address_space operation, and I don't see where it would be called on a
non-pagecache page.

The warning about the page lock also seems bogus.  The comment over
set_page_dirty() says that it can be called without the page lock in
some rare cases. I don't think we want to warn if that's the case.

Reported-by: Matthew Wilcox <willy@infradead.org>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/addr.c | 10 +---------
 1 file changed, 1 insertion(+), 9 deletions(-)

diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
index fbf383048409..26de74684c17 100644
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -72,10 +72,6 @@ static int ceph_set_page_dirty(struct page *page)
 	struct inode *inode;
 	struct ceph_inode_info *ci;
 	struct ceph_snap_context *snapc;
-	int ret;
-
-	if (unlikely(!mapping))
-		return !TestSetPageDirty(page);
 
 	if (PageDirty(page)) {
 		dout("%p set_page_dirty %p idx %lu -- already dirty\n",
@@ -121,11 +117,7 @@ static int ceph_set_page_dirty(struct page *page)
 	page->private = (unsigned long)snapc;
 	SetPagePrivate(page);
 
-	ret = __set_page_dirty_nobuffers(page);
-	WARN_ON(!PageLocked(page));
-	WARN_ON(!page->mapping);
-
-	return ret;
+	return __set_page_dirty_nobuffers(page);
 }
 
 /*
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 172/188] power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 171/188] ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 173/188] power: supply: ab8500: " Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei,
	Sebastian Reichel, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit 073b5d5b1f9cc94a3eea25279fbafee3f4f5f097 ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/charger-manager.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/power/charger-manager.c b/drivers/power/charger-manager.c
index 1ea5d1aa268b..6656f847ed93 100644
--- a/drivers/power/charger-manager.c
+++ b/drivers/power/charger-manager.c
@@ -1490,6 +1490,7 @@ static const struct of_device_id charger_manager_match[] = {
 	},
 	{},
 };
+MODULE_DEVICE_TABLE(of, charger_manager_match);
 
 static struct charger_desc *of_cm_parse_desc(struct device *dev)
 {
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 173/188] power: supply: ab8500: add missing MODULE_DEVICE_TABLE
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 172/188] power: supply: charger-manager: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 174/188] virtio-blk: Fix memory leak among suspend/resume procedure Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zou Wei,
	Sebastian Reichel, Sasha Levin

From: Zou Wei <zou_wei@huawei.com>

[ Upstream commit dfe52db13ab8d24857a9840ec7ca75eef800c26c ]

This patch adds missing MODULE_DEVICE_TABLE definition which generates
correct modalias for automatic loading of this driver when it is built
as an external module.

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zou Wei <zou_wei@huawei.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/power/ab8500_btemp.c   | 1 +
 drivers/power/ab8500_charger.c | 1 +
 drivers/power/ab8500_fg.c      | 1 +
 3 files changed, 3 insertions(+)

diff --git a/drivers/power/ab8500_btemp.c b/drivers/power/ab8500_btemp.c
index 8f8044e1acf3..24732df01cf9 100644
--- a/drivers/power/ab8500_btemp.c
+++ b/drivers/power/ab8500_btemp.c
@@ -1186,6 +1186,7 @@ static const struct of_device_id ab8500_btemp_match[] = {
 	{ .compatible = "stericsson,ab8500-btemp", },
 	{ },
 };
+MODULE_DEVICE_TABLE(of, ab8500_btemp_match);
 
 static struct platform_driver ab8500_btemp_driver = {
 	.probe = ab8500_btemp_probe,
diff --git a/drivers/power/ab8500_charger.c b/drivers/power/ab8500_charger.c
index 98724c3a28e5..1a7013ec0caf 100644
--- a/drivers/power/ab8500_charger.c
+++ b/drivers/power/ab8500_charger.c
@@ -3756,6 +3756,7 @@ static const struct of_device_id ab8500_charger_match[] = {
 	{ .compatible = "stericsson,ab8500-charger", },
 	{ },
 };
+MODULE_DEVICE_TABLE(of, ab8500_charger_match);
 
 static struct platform_driver ab8500_charger_driver = {
 	.probe = ab8500_charger_probe,
diff --git a/drivers/power/ab8500_fg.c b/drivers/power/ab8500_fg.c
index d91111200dde..c58b496ca05a 100644
--- a/drivers/power/ab8500_fg.c
+++ b/drivers/power/ab8500_fg.c
@@ -3239,6 +3239,7 @@ static const struct of_device_id ab8500_fg_match[] = {
 	{ .compatible = "stericsson,ab8500-fg", },
 	{ },
 };
+MODULE_DEVICE_TABLE(of, ab8500_fg_match);
 
 static struct platform_driver ab8500_fg_driver = {
 	.probe = ab8500_fg_probe,
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 174/188] virtio-blk: Fix memory leak among suspend/resume procedure
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 173/188] power: supply: ab8500: " Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xie Yongji, Jason Wang,
	Michael S. Tsirkin, Sasha Levin

From: Xie Yongji <xieyongji@bytedance.com>

[ Upstream commit b71ba22e7c6c6b279c66f53ee7818709774efa1f ]

The vblk->vqs should be freed before we call init_vqs()
in virtblk_restore().

Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Link: https://lore.kernel.org/r/20210517084332.280-1-xieyongji@bytedance.com
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/virtio_blk.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index bdc3efacd0d2..2bcc2bc64149 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -808,6 +808,8 @@ static int virtblk_freeze(struct virtio_device *vdev)
 	blk_mq_stop_hw_queues(vblk->disk->queue);
 
 	vdev->config->del_vqs(vdev);
+	kfree(vblk->vqs);
+
 	return 0;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 174/188] virtio-blk: Fix memory leak among suspend/resume procedure Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-20 21:44   ` Pavel Machek
  2021-07-19 14:52 ` [PATCH 4.4 176/188] PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  192 siblings, 1 reply; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Xie Yongji, Jason Wang,
	Michael S. Tsirkin, Sasha Levin

From: Xie Yongji <xieyongji@bytedance.com>

[ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]

The buf->len might come from an untrusted device. This
ensures the value would not exceed the size of the buffer
to avoid data corruption or loss.

Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20210525125622.1203-1-xieyongji@bytedance.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/char/virtio_console.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/char/virtio_console.c b/drivers/char/virtio_console.c
index 226ccb7891d4..c2f1c921cb2c 100644
--- a/drivers/char/virtio_console.c
+++ b/drivers/char/virtio_console.c
@@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *port)
 
 	buf = virtqueue_get_buf(port->in_vq, &len);
 	if (buf) {
-		buf->len = len;
+		buf->len = min_t(size_t, len, buf->size);
 		buf->offset = 0;
 		port->stats.bytes_received += len;
 	}
@@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct *work)
 	while ((buf = virtqueue_get_buf(vq, &len))) {
 		spin_unlock(&portdev->c_ivq_lock);
 
-		buf->len = len;
+		buf->len = min_t(size_t, len, buf->size);
 		buf->offset = 0;
 
 		handle_control_message(vq->vdev, portdev, buf);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 176/188] PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 177/188] um: fix error return code in slip_open() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Joe Perches,
	Krzysztof Wilczyński, Bjorn Helgaas, Sasha Levin

From: Krzysztof Wilczyński <kw@linux.com>

[ Upstream commit bdcdaa13ad96f1a530711c29e6d4b8311eff767c ]

"utf16s_to_utf8s(..., buf, PAGE_SIZE)" puts up to PAGE_SIZE bytes into
"buf" and returns the number of bytes it actually put there.  If it wrote
PAGE_SIZE bytes, the newline added by dsm_label_utf16s_to_utf8s() would
overrun "buf".

Reduce the size available for utf16s_to_utf8s() to use so there is always
space for the newline.

[bhelgaas: reorder patch in series, commit log]
Fixes: 6058989bad05 ("PCI: Export ACPI _DSM provided firmware instance number and string name to sysfs")
Link: https://lore.kernel.org/r/20210603000112.703037-7-kw@linux.com
Reported-by: Joe Perches <joe@perches.com>
Signed-off-by: Krzysztof Wilczyński <kw@linux.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/pci/pci-label.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/pci/pci-label.c b/drivers/pci/pci-label.c
index 024b5c179348..7d200a88cd74 100644
--- a/drivers/pci/pci-label.c
+++ b/drivers/pci/pci-label.c
@@ -157,7 +157,7 @@ static void dsm_label_utf16s_to_utf8s(union acpi_object *obj, char *buf)
 	len = utf16s_to_utf8s((const wchar_t *)obj->buffer.pointer,
 			      obj->buffer.length,
 			      UTF16_LITTLE_ENDIAN,
-			      buf, PAGE_SIZE);
+			      buf, PAGE_SIZE - 1);
 	buf[len] = '\n';
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 177/188] um: fix error return code in slip_open()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 176/188] PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 178/188] um: fix error return code in winch_tramp() Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, anton.ivanov,
	Richard Weinberger, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit b77e81fbe5f5fb4ad9a61ec80f6d1e30b6da093a ]

Fix to return a negative error code from the error handling case instead
of 0, as done elsewhere in this function.

Fixes: a3c77c67a443 ("[PATCH] uml: slirp and slip driver cleanups and fixes")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-By: anton.ivanov@cambridgegreys.com
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/um/drivers/slip_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/um/drivers/slip_user.c b/arch/um/drivers/slip_user.c
index 0d6b66c64a81..76d155631c5d 100644
--- a/arch/um/drivers/slip_user.c
+++ b/arch/um/drivers/slip_user.c
@@ -145,7 +145,8 @@ static int slip_open(void *data)
 	}
 	sfd = err;
 
-	if (set_up_tty(sfd))
+	err = set_up_tty(sfd);
+	if (err)
 		goto out_close2;
 
 	pri->slave = sfd;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 178/188] um: fix error return code in winch_tramp()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 177/188] um: fix error return code in slip_open() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 179/188] nfs: fix acl memory leak of posix_acl_create() Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, anton.ivanov,
	Richard Weinberger, Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit ccf1236ecac476d9d2704866d9a476c86e387971 ]

Fix to return a negative error code from the error handling case instead
of 0, as done elsewhere in this function.

Fixes: 89df6bfc0405 ("uml: DEBUG_SHIRQ fixes")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Acked-By: anton.ivanov@cambridgegreys.com
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/um/drivers/chan_user.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/arch/um/drivers/chan_user.c b/arch/um/drivers/chan_user.c
index 3fd7c3efdb18..feb7f5ab4084 100644
--- a/arch/um/drivers/chan_user.c
+++ b/arch/um/drivers/chan_user.c
@@ -256,7 +256,8 @@ static int winch_tramp(int fd, struct tty_port *port, int *fd_out,
 		goto out_close;
 	}
 
-	if (os_set_fd_block(*fd_out, 0)) {
+	err = os_set_fd_block(*fd_out, 0);
+	if (err) {
 		printk(UM_KERN_ERR "winch_tramp: failed to set thread_fd "
 		       "non-blocking.\n");
 		goto out_close;
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 179/188] nfs: fix acl memory leak of posix_acl_create()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 178/188] um: fix error return code in winch_tramp() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 180/188] ALSA: isa: Fix error return code in snd_cmi8330_probe() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Trond Myklebust, Anna Schumaker,
	Christoph Hellwig, Joseph Qi, Gao Xiang, Sasha Levin

From: Gao Xiang <hsiangkao@linux.alibaba.com>

[ Upstream commit 1fcb6fcd74a222d9ead54d405842fc763bb86262 ]

When looking into another nfs xfstests report, I found acl and
default_acl in nfs3_proc_create() and nfs3_proc_mknod() error
paths are possibly leaked. Fix them in advance.

Fixes: 013cdf1088d7 ("nfs: use generic posix ACL infrastructure for v3 Posix ACLs")
Cc: Trond Myklebust <trond.myklebust@hammerspace.com>
Cc: Anna Schumaker <anna.schumaker@netapp.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Joseph Qi <joseph.qi@linux.alibaba.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/nfs/nfs3proc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/nfs/nfs3proc.c b/fs/nfs/nfs3proc.c
index cb28cceefebe..9f365b004453 100644
--- a/fs/nfs/nfs3proc.c
+++ b/fs/nfs/nfs3proc.c
@@ -363,7 +363,7 @@ nfs3_proc_create(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 				break;
 
 			case NFS3_CREATE_UNCHECKED:
-				goto out;
+				goto out_release_acls;
 		}
 		nfs_fattr_init(data->res.dir_attr);
 		nfs_fattr_init(data->res.fattr);
@@ -708,7 +708,7 @@ nfs3_proc_mknod(struct inode *dir, struct dentry *dentry, struct iattr *sattr,
 		break;
 	default:
 		status = -EINVAL;
-		goto out;
+		goto out_release_acls;
 	}
 
 	status = nfs3_do_create(dir, dentry, data);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 180/188] ALSA: isa: Fix error return code in snd_cmi8330_probe()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 179/188] nfs: fix acl memory leak of posix_acl_create() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 181/188] hexagon: use common DISCARDS macro Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Hulk Robot, Zhen Lei, Takashi Iwai,
	Sasha Levin

From: Zhen Lei <thunder.leizhen@huawei.com>

[ Upstream commit 31028cbed26a8afa25533a10425ffa2ab794c76c ]

When 'SB_HW_16' check fails, the error code -ENODEV instead of 0 should be
returned, which is the same as that returned when 'WSS_HW_CMI8330' check
fails.

Fixes: 43bcd973d6d0 ("[ALSA] Add snd_card_set_generic_dev() call to ISA drivers")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Zhen Lei <thunder.leizhen@huawei.com>
Link: https://lore.kernel.org/r/20210707074051.2663-1-thunder.leizhen@huawei.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/isa/cmi8330.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/isa/cmi8330.c b/sound/isa/cmi8330.c
index dfedfd85f205..463906882b95 100644
--- a/sound/isa/cmi8330.c
+++ b/sound/isa/cmi8330.c
@@ -564,7 +564,7 @@ static int snd_cmi8330_probe(struct snd_card *card, int dev)
 	}
 	if (acard->sb->hardware != SB_HW_16) {
 		snd_printk(KERN_ERR PFX "SB16 not found during probe\n");
-		return err;
+		return -ENODEV;
 	}
 
 	snd_wss_out(acard->wss, CS4231_MISC_INFO, 0x40); /* switch on MODE2 */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 181/188] hexagon: use common DISCARDS macro
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 180/188] ALSA: isa: Fix error return code in snd_cmi8330_probe() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 182/188] ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Nick Desaulniers,
	Brian Cain, David Rientjes, Oliver Glitta, Vlastimil Babka,
	Andrew Morton, Linus Torvalds, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit 681ba73c72302214686401e707e2087ed11a6556 ]

ld.lld warns that the '.modinfo' section is not currently handled:

ld.lld: warning: kernel/built-in.a(workqueue.o):(.modinfo) is being placed in '.modinfo'
ld.lld: warning: kernel/built-in.a(printk/printk.o):(.modinfo) is being placed in '.modinfo'
ld.lld: warning: kernel/built-in.a(irq/spurious.o):(.modinfo) is being placed in '.modinfo'
ld.lld: warning: kernel/built-in.a(rcu/update.o):(.modinfo) is being placed in '.modinfo'

The '.modinfo' section was added in commit 898490c010b5 ("moduleparam:
Save information about built-in modules in separate file") to the DISCARDS
macro but Hexagon has never used that macro.  The unification of DISCARDS
happened in commit 023bf6f1b8bf ("linker script: unify usage of discard
definition") in 2009, prior to Hexagon being added in 2011.

Switch Hexagon over to the DISCARDS macro so that anything that is
expected to be discarded gets discarded.

Link: https://lkml.kernel.org/r/20210521011239.1332345-3-nathan@kernel.org
Fixes: e95bf452a9e2 ("Hexagon: Add configuration and makefiles for the Hexagon architecture.")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Acked-by: Brian Cain <bcain@codeaurora.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Oliver Glitta <glittao@gmail.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/hexagon/kernel/vmlinux.lds.S | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/arch/hexagon/kernel/vmlinux.lds.S b/arch/hexagon/kernel/vmlinux.lds.S
index 5f268c1071b3..b5c050fe23a5 100644
--- a/arch/hexagon/kernel/vmlinux.lds.S
+++ b/arch/hexagon/kernel/vmlinux.lds.S
@@ -70,13 +70,8 @@ SECTIONS
 
 	_end = .;
 
-	/DISCARD/ : {
-		EXIT_TEXT
-		EXIT_DATA
-		EXIT_CALL
-	}
-
 	STABS_DEBUG
 	DWARF_DEBUG
 
+	DISCARDS
 }
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 182/188] ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 181/188] hexagon: use common DISCARDS macro Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 183/188] rtc: fix snprintf() checking in is_rtc_hctosys() Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

[ Upstream commit fd2f1717966535b7d0b6fe45cf0d79e94330da5f ]

There is no "max_brightness" property as pointed out by dtschema:

  arch/arm/boot/dts/exynos5422-odroidxu4.dt.yaml: led-controller: led-1: 'max-brightness' is a required property

Fixes: 6658356014cb ("ARM: dts: Add support Odroid XU4 board for exynos5422-odroidxu4")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210505135941.59898-5-krzysztof.kozlowski@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/boot/dts/exynos5422-odroidxu4.dts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/arm/boot/dts/exynos5422-odroidxu4.dts b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
index 2faf88627a48..b45e2a0c3908 100644
--- a/arch/arm/boot/dts/exynos5422-odroidxu4.dts
+++ b/arch/arm/boot/dts/exynos5422-odroidxu4.dts
@@ -26,7 +26,7 @@
 			label = "blue:heartbeat";
 			pwms = <&pwm 2 2000000 0>;
 			pwm-names = "pwm2";
-			max_brightness = <255>;
+			max-brightness = <255>;
 			linux,default-trigger = "heartbeat";
 		};
 	};
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 183/188] rtc: fix snprintf() checking in is_rtc_hctosys()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 182/188] ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 184/188] memory: fsl_ifc: fix leak of IO mapping on probe failure Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Dan Carpenter, Alexandre Belloni,
	Sasha Levin

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit 54b909436ede47e0ee07f1765da27ec2efa41e84 ]

The scnprintf() function silently truncates the printf() and returns
the number bytes that it was able to copy (not counting the NUL
terminator).  Thus, the highest value it can return here is
"NAME_SIZE - 1" and the overflow check is dead code.  Fix this by
using the snprintf() function which returns the number of bytes that
would have been copied if there was enough space and changing the
condition from "> NAME_SIZE" to ">= NAME_SIZE".

Fixes: 92589c986b33 ("rtc-proc: permit the /proc/driver/rtc device to use other devices")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Link: https://lore.kernel.org/r/YJov/pcGmhLi2pEl@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/rtc/rtc-proc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/rtc/rtc-proc.c b/drivers/rtc/rtc-proc.c
index ffa69e1c9245..4f10cb1561cc 100644
--- a/drivers/rtc/rtc-proc.c
+++ b/drivers/rtc/rtc-proc.c
@@ -26,8 +26,8 @@ static bool is_rtc_hctosys(struct rtc_device *rtc)
 	int size;
 	char name[NAME_SIZE];
 
-	size = scnprintf(name, NAME_SIZE, "rtc%d", rtc->id);
-	if (size > NAME_SIZE)
+	size = snprintf(name, NAME_SIZE, "rtc%d", rtc->id);
+	if (size >= NAME_SIZE)
 		return false;
 
 	return !strncmp(name, CONFIG_RTC_HCTOSYS_DEVICE, NAME_SIZE);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 184/188] memory: fsl_ifc: fix leak of IO mapping on probe failure
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 183/188] rtc: fix snprintf() checking in is_rtc_hctosys() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 185/188] memory: fsl_ifc: fix leak of private memory " Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
	Krzysztof Kozlowski, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

[ Upstream commit 3b132ab67fc7a358fff35e808fa65d4bea452521 ]

On probe error the driver should unmap the IO memory.  Smatch reports:

  drivers/memory/fsl_ifc.c:298 fsl_ifc_ctrl_probe() warn: 'fsl_ifc_ctrl_dev->gregs' not released on lines: 298.

Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210527154322.81253-1-krzysztof.kozlowski@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/memory/fsl_ifc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
index acd1460cf787..040be4638140 100644
--- a/drivers/memory/fsl_ifc.c
+++ b/drivers/memory/fsl_ifc.c
@@ -228,8 +228,7 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
 	fsl_ifc_ctrl_dev->regs = of_iomap(dev->dev.of_node, 0);
 	if (!fsl_ifc_ctrl_dev->regs) {
 		dev_err(&dev->dev, "failed to get memory region\n");
-		ret = -ENODEV;
-		goto err;
+		return -ENODEV;
 	}
 
 	version = ifc_in32(&fsl_ifc_ctrl_dev->regs->ifc_rev) &
@@ -306,6 +305,7 @@ err_irq:
 	free_irq(fsl_ifc_ctrl_dev->irq, fsl_ifc_ctrl_dev);
 	irq_dispose_mapping(fsl_ifc_ctrl_dev->irq);
 err:
+	iounmap(fsl_ifc_ctrl_dev->gregs);
 	return ret;
 }
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 185/188] memory: fsl_ifc: fix leak of private memory on probe failure
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 184/188] memory: fsl_ifc: fix leak of IO mapping on probe failure Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 186/188] scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Sasha Levin

From: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>

[ Upstream commit 8e0d09b1232d0538066c40ed4c13086faccbdff6 ]

On probe error the driver should free the memory allocated for private
structure.  Fix this by using resource-managed allocation.

Fixes: a20cbdeffce2 ("powerpc/fsl: Add support for Integrated Flash Controller")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com>
Link: https://lore.kernel.org/r/20210527154322.81253-2-krzysztof.kozlowski@canonical.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/memory/fsl_ifc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/memory/fsl_ifc.c b/drivers/memory/fsl_ifc.c
index 040be4638140..65b984d64350 100644
--- a/drivers/memory/fsl_ifc.c
+++ b/drivers/memory/fsl_ifc.c
@@ -107,7 +107,6 @@ static int fsl_ifc_ctrl_remove(struct platform_device *dev)
 	iounmap(ctrl->regs);
 
 	dev_set_drvdata(&dev->dev, NULL);
-	kfree(ctrl);
 
 	return 0;
 }
@@ -218,7 +217,8 @@ static int fsl_ifc_ctrl_probe(struct platform_device *dev)
 
 	dev_info(&dev->dev, "Freescale Integrated Flash Controller\n");
 
-	fsl_ifc_ctrl_dev = kzalloc(sizeof(*fsl_ifc_ctrl_dev), GFP_KERNEL);
+	fsl_ifc_ctrl_dev = devm_kzalloc(&dev->dev, sizeof(*fsl_ifc_ctrl_dev),
+					GFP_KERNEL);
 	if (!fsl_ifc_ctrl_dev)
 		return -ENOMEM;
 
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 186/188] scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 185/188] memory: fsl_ifc: fix leak of private memory " Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 187/188] mips: disable branch profiling in boot/decompress.o Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Christophe JAILLET,
	Martin K. Petersen, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 030e4138d11fced3b831c2761e4cecf347bae99c ]

If an error occurs after a pci_enable_pcie_error_reporting() call, it must
be undone by a corresponding pci_disable_pcie_error_reporting() call, as
already done in the remove function.

Link: https://lore.kernel.org/r/77adb02cfea7f1364e5603ecf3930d8597ae356e.1623482155.git.christophe.jaillet@wanadoo.fr
Fixes: 3567f36a09d1 ("[SCSI] be2iscsi: Fix AER handling in driver")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/be2iscsi/be_main.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/scsi/be2iscsi/be_main.c b/drivers/scsi/be2iscsi/be_main.c
index 758f76e88704..c89aab5e0ef8 100644
--- a/drivers/scsi/be2iscsi/be_main.c
+++ b/drivers/scsi/be2iscsi/be_main.c
@@ -5812,6 +5812,7 @@ hba_free:
 		pci_disable_msix(phba->pcidev);
 	pci_dev_put(phba->pcidev);
 	iscsi_host_free(phba->shost);
+	pci_disable_pcie_error_reporting(pcidev);
 	pci_set_drvdata(pcidev, NULL);
 disable_pci:
 	pci_release_regions(pcidev);
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 187/188] mips: disable branch profiling in boot/decompress.o
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 186/188] scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 14:52 ` [PATCH 4.4 188/188] MIPS: vdso: Invalid GIC access through VDSO Greg Kroah-Hartman
                   ` (5 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, kernel test robot, Randy Dunlap,
	Thomas Bogendoerfer, linux-mips, Kyungsik Lee, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 97e488073cfca0eea84450169ca4cbfcc64e33e3 ]

Use DISABLE_BRANCH_PROFILING for arch/mips/boot/compressed/decompress.o
to prevent linkage errors.

mips64-linux-ld: arch/mips/boot/compressed/decompress.o: in function `LZ4_decompress_fast_extDict':
decompress.c:(.text+0x8c): undefined reference to `ftrace_likely_update'
mips64-linux-ld: decompress.c:(.text+0xf4): undefined reference to `ftrace_likely_update'
mips64-linux-ld: decompress.c:(.text+0x200): undefined reference to `ftrace_likely_update'
mips64-linux-ld: decompress.c:(.text+0x230): undefined reference to `ftrace_likely_update'
mips64-linux-ld: decompress.c:(.text+0x320): undefined reference to `ftrace_likely_update'
mips64-linux-ld: arch/mips/boot/compressed/decompress.o:decompress.c:(.text+0x3f4): more undefined references to `ftrace_likely_update' follow

Fixes: e76e1fdfa8f8 ("lib: add support for LZ4-compressed kernel")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Cc: linux-mips@vger.kernel.org
Cc: Kyungsik Lee <kyungsik.lee@lge.com>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/boot/compressed/decompress.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/arch/mips/boot/compressed/decompress.c b/arch/mips/boot/compressed/decompress.c
index 080cd53bac36..a1a54a3af03b 100644
--- a/arch/mips/boot/compressed/decompress.c
+++ b/arch/mips/boot/compressed/decompress.c
@@ -11,6 +11,8 @@
  * option) any later version.
  */
 
+#define DISABLE_BRANCH_PROFILING
+
 #include <linux/types.h>
 #include <linux/kernel.h>
 #include <linux/string.h>
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* [PATCH 4.4 188/188] MIPS: vdso: Invalid GIC access through VDSO
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 187/188] mips: disable branch profiling in boot/decompress.o Greg Kroah-Hartman
@ 2021-07-19 14:52 ` Greg Kroah-Hartman
  2021-07-19 20:02 ` [PATCH 4.4 000/188] 4.4.276-rc1 review Pavel Machek
                   ` (4 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Greg Kroah-Hartman @ 2021-07-19 14:52 UTC (permalink / raw)
  To: linux-kernel
  Cc: Greg Kroah-Hartman, stable, Martin Fäcknitz,
	Thomas Bogendoerfer, Sasha Levin

From: Martin Fäcknitz <faecknitz@hotsplots.de>

[ Upstream commit 47ce8527fbba145a7723685bc9a27d9855e06491 ]

Accessing raw timers (currently only CLOCK_MONOTONIC_RAW) through VDSO
doesn't return the correct time when using the GIC as clock source.
The address of the GIC mapped page is in this case not calculated
correctly. The GIC mapped page is calculated from the VDSO data by
subtracting PAGE_SIZE:

  void *get_gic(const struct vdso_data *data) {
    return (void __iomem *)data - PAGE_SIZE;
  }

However, the data pointer is not page aligned for raw clock sources.
This is because the VDSO data for raw clock sources (CS_RAW = 1) is
stored after the VDSO data for coarse clock sources (CS_HRES_COARSE = 0).
Therefore, only the VDSO data for CS_HRES_COARSE is page aligned:

  +--------------------+
  |                    |
  | vd[CS_RAW]         | ---+
  | vd[CS_HRES_COARSE] |    |
  +--------------------+    | -PAGE_SIZE
  |                    |    |
  |  GIC mapped page   | <--+
  |                    |
  +--------------------+

When __arch_get_hw_counter() is called with &vd[CS_RAW], get_gic returns
the wrong address (somewhere inside the GIC mapped page). The GIC counter
values are not returned which results in an invalid time.

Fixes: a7f4df4e21dd ("MIPS: VDSO: Add implementations of gettimeofday() and clock_gettime()")
Signed-off-by: Martin Fäcknitz <faecknitz@hotsplots.de>
Signed-off-by: Thomas Bogendoerfer <tsbogend@alpha.franken.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/mips/vdso/vdso.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/arch/mips/vdso/vdso.h b/arch/mips/vdso/vdso.h
index cfb1be441dec..921589b45bc2 100644
--- a/arch/mips/vdso/vdso.h
+++ b/arch/mips/vdso/vdso.h
@@ -81,7 +81,7 @@ static inline const union mips_vdso_data *get_vdso_data(void)
 
 static inline void __iomem *get_gic(const union mips_vdso_data *data)
 {
-	return (void __iomem *)data - PAGE_SIZE;
+	return (void __iomem *)((unsigned long)data & PAGE_MASK) - PAGE_SIZE;
 }
 
 #endif /* CONFIG_CLKSRC_MIPS_GIC */
-- 
2.30.2




^ permalink raw reply related	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 000/188] 4.4.276-rc1 review
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2021-07-19 14:52 ` [PATCH 4.4 188/188] MIPS: vdso: Invalid GIC access through VDSO Greg Kroah-Hartman
@ 2021-07-19 20:02 ` Pavel Machek
  2021-07-20  0:33 ` Shuah Khan
                   ` (3 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Pavel Machek @ 2021-07-19 20:02 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, linux, shuah, patches, lkft-triage,
	pavel, jonathanh, f.fainelli, stable

[-- Attachment #1: Type: text/plain, Size: 664 bytes --]

Hi!

> This is the start of the stable review cycle for the 4.4.276 release.
> There are 188 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.

CIP testing did not find any problems here:

https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/tree/linux-4.4.y

Tested-by: Pavel Machek (CIP) <pavel@denx.de>

Best regards,
                                                                Pavel


-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 195 bytes --]

^ permalink raw reply	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 000/188] 4.4.276-rc1 review
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2021-07-19 20:02 ` [PATCH 4.4 000/188] 4.4.276-rc1 review Pavel Machek
@ 2021-07-20  0:33 ` Shuah Khan
  2021-07-20 18:49 ` Guenter Roeck
                   ` (2 subsequent siblings)
  192 siblings, 0 replies; 195+ messages in thread
From: Shuah Khan @ 2021-07-20  0:33 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, linux, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable, Shuah Khan

On 7/19/21 8:49 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.276 release.
> There are 188 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 21 Jul 2021 14:47:42 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.276-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h
> 

Compiled and booted on my test system. No dmesg regressions.

Tested-by: Shuah Khan <skhan@linuxfoundation.org>

thanks,
-- Shuah

^ permalink raw reply	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 000/188] 4.4.276-rc1 review
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2021-07-20  0:33 ` Shuah Khan
@ 2021-07-20 18:49 ` Guenter Roeck
  2021-07-20 20:07 ` Guenter Roeck
  2021-07-21 10:42 ` Naresh Kamboju
  192 siblings, 0 replies; 195+ messages in thread
From: Guenter Roeck @ 2021-07-20 18:49 UTC (permalink / raw)
  To: Greg Kroah-Hartman, linux-kernel
  Cc: torvalds, akpm, shuah, patches, lkft-triage, pavel, jonathanh,
	f.fainelli, stable

On 7/19/21 7:49 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.276 release.
> There are 188 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 21 Jul 2021 14:47:42 +0000.
> Anything received after that time might be too late.
> 

Building ppc:mpc8544ds:mpc85xx_defconfig:net,e1000:initrd ... failed
------------
Error log:
drivers/memory/fsl_ifc.c: In function 'fsl_ifc_ctrl_probe':
drivers/memory/fsl_ifc.c:308:28: error: 'struct fsl_ifc_ctrl' has no member named 'gregs'; did you mean 'regs'?

Looks like 'regs' was at some point renamed to 'gregs'.

Guenter

^ permalink raw reply	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 000/188] 4.4.276-rc1 review
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2021-07-20 18:49 ` Guenter Roeck
@ 2021-07-20 20:07 ` Guenter Roeck
  2021-07-21 10:42 ` Naresh Kamboju
  192 siblings, 0 replies; 195+ messages in thread
From: Guenter Roeck @ 2021-07-20 20:07 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, torvalds, akpm, shuah, patches, lkft-triage, pavel,
	jonathanh, f.fainelli, stable

On Mon, Jul 19, 2021 at 04:49:44PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 4.4.276 release.
> There are 188 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Wed, 21 Jul 2021 14:47:42 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 160 pass: 160 fail: 0
Qemu test results:
	total: 328 pass: 315 fail: 13
Failed tests:
	ppc:mpc8544ds:mpc85xx_defconfig:net,e1000:initrd
	ppc:mpc8544ds:mpc85xx_defconfig:scsi[53C895A]:net,ne2k_pci:rootfs
	ppc:mpc8544ds:mpc85xx_defconfig:sata-sii3112:net,rtl8139:rootfs
	ppc:mpc8544ds:mpc85xx_defconfig:sdhci:mmc:net,usb-ohci:rootfs
	ppc:mpc8544ds:mpc85xx_smp_defconfig:net,e1000:initrd
	ppc:mpc8544ds:mpc85xx_smp_defconfig:scsi[DC395]:net,i82550:rootfs
	ppc:mpc8544ds:mpc85xx_smp_defconfig:scsi[53C895A]:net,usb-ohci:rootfs
	ppc:mpc8544ds:mpc85xx_smp_defconfig:sata-sii3112:net,ne2k_pci:rootfs
	ppc64:ppce500:corenet64_smp_defconfig:e5500:net,rtl8139:initrd
	ppc64:ppce500:corenet64_smp_defconfig:e5500:net,virtio-net:nvme:rootfs
	ppc64:ppce500:corenet64_smp_defconfig:e5500:net,e1000:sdhci:mmc:rootfs
	ppc64:ppce500:corenet64_smp_defconfig:e5500:net,tulip:scsi[53C895A]:rootfs
	ppc64:ppce500:corenet64_smp_defconfig:e5500:net,i82562:sata-sii3112:rootfs

All failed tests are due to

drivers/memory/fsl_ifc.c: In function ‘fsl_ifc_ctrl_probe’:
drivers/memory/fsl_ifc.c:308:28: error: ‘struct fsl_ifc_ctrl’ has no member named ‘gregs’; did you mean ‘regs’?

as already reported.

Guenter

^ permalink raw reply	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited
  2021-07-19 14:52 ` [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited Greg Kroah-Hartman
@ 2021-07-20 21:44   ` Pavel Machek
  0 siblings, 0 replies; 195+ messages in thread
From: Pavel Machek @ 2021-07-20 21:44 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: linux-kernel, stable, Xie Yongji, Jason Wang, Michael S. Tsirkin,
	Sasha Levin

[-- Attachment #1: Type: text/plain, Size: 1239 bytes --]

Hi!

> From: Xie Yongji <xieyongji@bytedance.com>
> 
> [ Upstream commit d00d8da5869a2608e97cfede094dfc5e11462a46 ]
> 
> The buf->len might come from an untrusted device. This
> ensures the value would not exceed the size of the buffer
> to avoid data corruption or loss.

Since we are not trusting the other side, do we need to use _nospec
variants to prevent speculation attacks?

Best regards,
								Pavel

> +++ b/drivers/char/virtio_console.c
> @@ -487,7 +487,7 @@ static struct port_buffer *get_inbuf(struct port *port)
>  
>  	buf = virtqueue_get_buf(port->in_vq, &len);
>  	if (buf) {
> -		buf->len = len;
> +		buf->len = min_t(size_t, len, buf->size);
>  		buf->offset = 0;
>  		port->stats.bytes_received += len;
>  	}
> @@ -1752,7 +1752,7 @@ static void control_work_handler(struct work_struct *work)
>  	while ((buf = virtqueue_get_buf(vq, &len))) {
>  		spin_unlock(&portdev->c_ivq_lock);
>  
> -		buf->len = len;
> +		buf->len = min_t(size_t, len, buf->size);
>  		buf->offset = 0;
>  
>  		handle_control_message(vq->vdev, portdev, buf);

-- 
DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 181 bytes --]

^ permalink raw reply	[flat|nested] 195+ messages in thread

* Re: [PATCH 4.4 000/188] 4.4.276-rc1 review
  2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2021-07-20 20:07 ` Guenter Roeck
@ 2021-07-21 10:42 ` Naresh Kamboju
  192 siblings, 0 replies; 195+ messages in thread
From: Naresh Kamboju @ 2021-07-21 10:42 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: open list, Linus Torvalds, Andrew Morton, Guenter Roeck,
	Shuah Khan, patches, lkft-triage, Pavel Machek, Jon Hunter,
	Florian Fainelli, linux-stable

On Mon, 19 Jul 2021 at 20:27, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 4.4.276 release.
> There are 188 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 21 Jul 2021 14:47:42 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.4.276-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-4.4.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h

Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 4.4.276-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git branch: linux-4.4.y
* git commit: ffa748a4e4ff211e492aa3a41d20c4b2e4a15aca
* git describe: v4.4.275-189-gffa748a4e4ff
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-4.4.y/build/v4.4.275-189-gffa748a4e4ff

## Regressions (compared to v4.4.275-189-g56a34275371b)
No regressions found.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>


## Fixes (compared to v4.4.275-189-g56a34275371b)
No fixes found.

## Test result summary
 total: 45986, pass: 36399, fail: 314, skip: 8033, xfail: 1240,

## Build Summary
* arm: 96 total, 96 passed, 0 failed
* arm64: 23 total, 23 passed, 0 failed
* i386: 13 total, 13 passed, 0 failed
* juno-r2: 1 total, 1 passed, 0 failed
* mips: 36 total, 36 passed, 0 failed
* sparc: 9 total, 9 passed, 0 failed
* x15: 1 total, 1 passed, 0 failed
* x86: 1 total, 1 passed, 0 failed
* x86_64: 13 total, 13 passed, 0 failed

## Test suites summary
* fwts
* install-android-platform-tools-r2600
* kselftest-android
* kselftest-bpf
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-filesystems
* kselftest-firmware
* kselftest-fpu
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-lkdtm
* kselftest-membarrier
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-vm
* kselftest-x86
* kselftest-zram
* kvm-unit-tests
* libhugetlbfs
* linux-log-parser
* ltp-cap_bounds-tests
* ltp-commands-tests
* ltp-containers-tests
* ltp-controllers-tests
* ltp-cpuhotplug-tests
* ltp-crypto-tests
* ltp-cve-tests
* ltp-dio-tests
* ltp-fcntl-locktests-tests
* ltp-filecaps-tests
* ltp-fs-tests
* ltp-fs_bind-tests
* ltp-fs_perms_simple-tests
* ltp-fsx-tests
* ltp-hugetlb-tests
* ltp-io-tests
* ltp-ipc-tests
* ltp-math-tests
* ltp-mm-tests
* ltp-nptl-tests
* ltp-open-posix-tests
* ltp-pty-tests
* ltp-sched-tests
* ltp-securebits-tests
* ltp-syscalls-tests
* ltp-tracing-tests
* network-basic-tests
* packetdrill
* perf
* ssuite
* v4l2-compliance

--
Linaro LKFT
https://lkft.linaro.org

^ permalink raw reply	[flat|nested] 195+ messages in thread

end of thread, other threads:[~2021-07-21 10:48 UTC | newest]

Thread overview: 195+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-19 14:49 [PATCH 4.4 000/188] 4.4.276-rc1 review Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 001/188] ALSA: usb-audio: fix rate on Ozone Z90 USB headset Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 002/188] media: dvb-usb: fix wrong definition Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 003/188] Input: usbtouchscreen - fix control-request directions Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 004/188] net: can: ems_usb: fix use-after-free in ems_usb_disconnect() Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 005/188] usb: gadget: eem: fix echo command packet response issue Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 006/188] USB: cdc-acm: blacklist Heimann USB Appset device Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 007/188] ntfs: fix validity check for file name attribute Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 008/188] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 009/188] Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 010/188] ARM: dts: at91: sama5d4: fix pinctrl muxing Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 011/188] btrfs: clear defrag status of a root if starting transaction fails Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 012/188] ext4: fix kernel infoleak via ext4_extent_header Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 013/188] ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 014/188] ext4: remove check for zero nr_to_scan in ext4_es_scan() Greg Kroah-Hartman
2021-07-19 14:49 ` [PATCH 4.4 015/188] ext4: fix avefreec in find_group_orlov Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 016/188] SUNRPC: Fix the batch tasks count wraparound Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 017/188] SUNRPC: Should wake up the privileged task firstly Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 018/188] s390/cio: dont call css_wait_for_slow_path() inside a lock Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 019/188] iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 020/188] iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 021/188] iio: ltr501: ltr501_read_ps(): add missing endianness conversion Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 022/188] serial_cs: Add Option International GSM-Ready 56K/ISDN modem Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 023/188] ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 024/188] ssb: sdio: Dont overwrite const buffer if block_write fails Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 025/188] seq_buf: Make trace_seq_putmem_hex() support data longer than 8 Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 026/188] fuse: check connected before queueing on fpq->io Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 027/188] spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 028/188] spi: omap-100k: Fix the length judgment problem Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 029/188] crypto: nx - add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 030/188] media: cpia2: fix memory leak in cpia2_usb_probe Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 031/188] media: pvrusb2: fix warning in pvr2_i2c_core_done Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 032/188] crypto: qat - check return code of qat_hal_rd_rel_reg() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 033/188] crypto: qat - remove unused macro in FW loader Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 034/188] media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 035/188] media: bt8xx: Fix a missing check bug in bt878_probe Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 036/188] mmc: via-sdmmc: add a check against NULL pointer dereference Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 037/188] crypto: shash - avoid comparing pointers to exported functions under CFI Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 038/188] media: dvb_net: avoid speculation from net slot Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 039/188] btrfs: disable build on platforms having page size 256K Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 040/188] regulator: da9052: Ensure enough delay time for .set_voltage_time_sel Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 041/188] ACPI: processor idle: Fix up C-state latency if not ordered Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 042/188] block_dump: remove block_dump feature in mark_inode_dirty() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 043/188] fs: dlm: cancel work sync othercon Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 044/188] random32: Fix implicit truncation warning in prandom_seed_state() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 045/188] ACPI: bus: Call kobject_put() in acpi_init() error path Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 046/188] platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 047/188] ia64: mca_drv: fix incorrect array size calculation Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 048/188] crypto: ixp4xx - dma_unmap the correct address Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 049/188] crypto: ux500 - Fix error return code in hash_hw_final() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 050/188] sata_highbank: fix deferred probing Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 051/188] pata_rb532_cf: " Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 052/188] media: I2C: change RST to "RSET" to fix multiple build errors Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 053/188] pata_octeon_cf: avoid WARN_ON() in ata_host_activate() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 054/188] pata_ep93xx: fix deferred probing Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 055/188] media: tc358743: Fix error return code in tc358743_probe_of() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 056/188] media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 057/188] mmc: usdhi6rol0: fix error return code in usdhi6_probe() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 058/188] media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 059/188] spi: spi-sun6i: Fix chipselect/clock bug Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 060/188] crypto: nx - Fix RCU warning in nx842_OF_upd_status Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 061/188] ACPI: sysfs: Fix a buffer overrun problem with description_show() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 062/188] net: pch_gbe: Propagate error from devm_gpio_request_one() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 063/188] ehea: fix error return code in ehea_restart_qps() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 064/188] drm: qxl: ensure surf.data is ininitialized Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 065/188] wireless: carl9170: fix LEDS build errors & warnings Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 066/188] brcmsmac: mac80211_if: Fix a resource leak in an error handling path Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 067/188] ath10k: Fix an error code in ath10k_add_interface() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 068/188] netlabel: Fix memory leak in netlbl_mgmt_add_common Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 069/188] netfilter: nft_exthdr: check for IPv6 packet before further processing Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 070/188] net: ethernet: aeroflex: fix UAF in greth_of_remove Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 071/188] net: ethernet: ezchip: fix UAF in nps_enet_remove Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 072/188] net: ethernet: ezchip: fix error handling Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 073/188] vxlan: add missing rcu_read_lock() in neigh_reduce() Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 074/188] i40e: Fix error handling in i40e_vsi_open Greg Kroah-Hartman
2021-07-19 14:50 ` [PATCH 4.4 075/188] writeback: fix obtain a reference to a freeing memcg css Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 076/188] tty: nozomi: Fix a resource leak in an error handling function Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 077/188] iio: adis_buffer: do not return ints in irq handlers Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 078/188] iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 079/188] iio: accel: stk8312: " Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 080/188] iio: accel: stk8ba50: " Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 081/188] Input: hil_kbd - fix error return code in hil_dev_connect() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 082/188] char: pcmcia: error out if num_bytes_read is greater than 4 in set_protocol() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 083/188] tty: nozomi: Fix the error handling path of nozomi_card_init() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 084/188] scsi: FlashPoint: Rename si_flags field Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 085/188] s390: appldata depends on PROC_SYSCTL Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 086/188] staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 087/188] staging: gdm724x: check for overflow in gdm_lte_netif_rx() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 088/188] scsi: mpt3sas: Fix error return value in _scsih_expander_add() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 089/188] phy: ti: dm816x: Fix the error handling path in dm816x_usb_phy_probe() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 090/188] extcon: sm5502: Drop invalid register write in sm5502_reg_data Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 091/188] extcon: max8997: Add missing modalias string Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 092/188] mmc: vub3000: fix control-request direction Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 093/188] scsi: core: Retry I/O for Notify (Enable Spinup) Required error Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 094/188] net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 095/188] hugetlb: clear huge pte during flush function on mips platform Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 096/188] atm: iphase: fix possible use-after-free in ia_module_exit() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 097/188] mISDN: fix possible use-after-free in HFC_cleanup() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 098/188] atm: nicstar: Fix possible use-after-free in nicstar_cleanup() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 099/188] net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 100/188] reiserfs: add check for invalid 1st journal block Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 101/188] drm/virtio: Fix double free on probe failure Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 102/188] udf: Fix NULL pointer dereference in udf_symlink function Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 103/188] e100: handle eeprom as little endian Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 104/188] ipv6: use prandom_u32() for ID generation Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 105/188] RDMA/cxgb4: Fix missing error code in create_qp() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 106/188] dm space maps: dont reset space map allocation cursor when committing Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 107/188] net: micrel: check return value after calling platform_get_resource() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 108/188] selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 109/188] xfrm: Fix error reporting in xfrm_state_construct Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 110/188] wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 111/188] wl1251: Fix possible buffer overflow in wl1251_cmd_scan Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 112/188] cw1200: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 113/188] atm: nicstar: use dma_free_coherent instead of kfree Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 114/188] atm: nicstar: register the interrupt handler in the right place Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 115/188] sfc: avoid double pci_remove of VFs Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 116/188] sfc: error code if SRIOV cannot be disabled Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 117/188] wireless: wext-spy: Fix out-of-bounds warning Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 118/188] RDMA/cma: Fix rdma_resolve_route() memory leak Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 119/188] Bluetooth: Fix the HCI to MGMT status conversion table Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 120/188] Bluetooth: Shutdown controller after workqueues are flushed or cancelled Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 121/188] Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 122/188] sctp: add size validation when walking chunks Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 123/188] fuse: reject internal errno Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 124/188] can: gw: synchronize rcu operations before removing gw job entry Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 125/188] can: bcm: delay release of struct bcm_op after synchronize_rcu() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 126/188] mac80211: fix memory corruption in EAPOL handling Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 127/188] powerpc/barrier: Avoid collision with clangs __lwsync macro Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 128/188] mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 129/188] ata: ahci_sunxi: Disable DIPM Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 130/188] ASoC: tegra: Set driver_name=tegra for all machine drivers Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 131/188] ipmi/watchdog: Stop watchdog timer when the current action is none Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 132/188] power: supply: ab8500: Fix an old bug Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 133/188] seq_buf: Fix overflow in seq_buf_putmem_hex() Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 134/188] ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe Greg Kroah-Hartman
2021-07-19 14:51 ` [PATCH 4.4 135/188] dm btree remove: assign new_root only when removal succeeds Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 136/188] media: zr364xx: fix memory leak in zr364xx_start_readpipe Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 137/188] media: gspca/sq905: fix control-request direction Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 138/188] media: gspca/sunplus: fix zero-length control requests Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 139/188] media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 140/188] jfs: fix GPF in diFree Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 141/188] KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 142/188] KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 143/188] tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 144/188] misc/libmasm/module: Fix two use after free in ibmasm_init_one Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 145/188] Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 146/188] scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 147/188] tty: serial: 8250: serial_cs: Fix a memory leak in error handling path Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 148/188] fs/jfs: Fix missing error code in lmLogInit() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 149/188] scsi: iscsi: Add iscsi_cls_conn refcount helpers Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 150/188] mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 151/188] ALSA: sb: Fix potential double-free of CSP mixer elements Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 152/188] powerpc/ps3: Add dma_mask to ps3_dma_region Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 153/188] gpio: zynq: Check return value of pm_runtime_get_sync Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 154/188] ALSA: ppc: fix error return code in snd_pmac_probe() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 155/188] selftests/powerpc: Fix "no_handler" EBB selftest Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 156/188] ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 157/188] ALSA: bebob: add support for ToneWeal FW66 Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 158/188] usb: gadget: f_hid: fix endianness issue with descriptors Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 159/188] usb: gadget: hid: fix error return code in hid_bind() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 160/188] powerpc/boot: Fixup device-tree on little endian Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 161/188] backlight: lm3630a: Fix return code of .update_status() callback Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 162/188] ALSA: hda: Add IRQ check for platform_get_irq() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 163/188] lib/decompress_unlz4.c: correctly handle zero-padding around initrds Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 164/188] pwm: spear: Dont modify HW state in .remove callback Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 165/188] power: supply: ab8500: Avoid NULL pointers Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 166/188] power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 167/188] ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 168/188] watchdog: Fix possible use-after-free in wdt_startup() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 169/188] watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 170/188] watchdog: Fix possible use-after-free by calling del_timer_sync() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 171/188] ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 172/188] power: supply: charger-manager: add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 173/188] power: supply: ab8500: " Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 174/188] virtio-blk: Fix memory leak among suspend/resume procedure Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 175/188] virtio_console: Assure used length from device is limited Greg Kroah-Hartman
2021-07-20 21:44   ` Pavel Machek
2021-07-19 14:52 ` [PATCH 4.4 176/188] PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 177/188] um: fix error return code in slip_open() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 178/188] um: fix error return code in winch_tramp() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 179/188] nfs: fix acl memory leak of posix_acl_create() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 180/188] ALSA: isa: Fix error return code in snd_cmi8330_probe() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 181/188] hexagon: use common DISCARDS macro Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 182/188] ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 183/188] rtc: fix snprintf() checking in is_rtc_hctosys() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 184/188] memory: fsl_ifc: fix leak of IO mapping on probe failure Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 185/188] memory: fsl_ifc: fix leak of private memory " Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 186/188] scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 187/188] mips: disable branch profiling in boot/decompress.o Greg Kroah-Hartman
2021-07-19 14:52 ` [PATCH 4.4 188/188] MIPS: vdso: Invalid GIC access through VDSO Greg Kroah-Hartman
2021-07-19 20:02 ` [PATCH 4.4 000/188] 4.4.276-rc1 review Pavel Machek
2021-07-20  0:33 ` Shuah Khan
2021-07-20 18:49 ` Guenter Roeck
2021-07-20 20:07 ` Guenter Roeck
2021-07-21 10:42 ` Naresh Kamboju

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).