malhuda/msm-4.14
1
0
Fork 0
mirror of https://github.com/rd-stuffs/msm-4.14.git synced 2025-02-20 11:45:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
811,127 Commits 5 Branches 0 Tags
Commit Graph

6574 Commits

Author SHA1 Message Date
Richard Raya
fad3b5236d This is the 4.14.349 OpenELA-Extended LTS stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQJNBAABCAA3FiEERFwmR4yFob14UDOYC8702P6YulgFAmaYMNYZHHZlZ2FyZC5u
 b3NzdW1Ab3JhY2xlLmNvbQAKCRALzvTY/pi6WI+2EACbJP/GYZL4iZezt3yp9J6y
 ObeobshL3ODENH9J4Rpjo7EJNdRbiJmqK07C6g3gxfEBqYhMDxYCBbhwTTvvHmu7
 ezr1rmQmUlyzf2qW905a+rTawUrKztZpvZ0ycRXgfQHjX8w64salq/G5X9kJ1CZQ
 0TYwhDXXYRc1yuhJkVH0+ZUP+FvSBYXY42QZQ8tRzviBKgHUqyQ2JiLN7yGXStSp
 PEOCeXuEsQxkzbFU1rG7J9KXfUYndih+fiGSvuUUZF6WTHNobfkh+nrGzsdadtUp
 UW9nEdHjjEhTpTr125uOGc3H2Y1rWVPrcZ9kvJBhzf4WKNBFu2v7Bc5i2/Yz/jKU
 5cz7bjqpSnFOAmNe1f+pOO2oIsBk/xhAbMrPHS1eTJfUJmVL21HgDS3nXfV3yYcR
 0cHH10HGf7DEx2PRh3DM53XzaiumOXY3e/eFt+syYFWtsPY0XKHjsfwLeoujCVgh
 Sb6yiV1HTNg2hkGck+CQKTvHKZhSs1uE+vGSHiSTpryrsXYCTRJySSXEdiU0QpeL
 c9xzRE0PrUaUKNucdimGr6EqvXL11M1I59Z3ygk8vyLGI13vSmkRZ9Sl7m0tbirA
 0K1Ws2PkwuYQEOut8Esp6DJ2n38Uz3j0lnb2lreC0KbfXMvPWQfP81M1Lc+Pkpn6
 Zgbbs68F6jYs0KV/iRty2A==
 =RvUO
 -----END PGP SIGNATURE-----

Merge tag 'v4.14.349-openela' of https://github.com/openela/kernel-lts

This is the 4.14.349 OpenELA-Extended LTS stable release

* tag 'v4.14.349-openela' of https://github.com/openela/kernel-lts: (160 commits)
  LTS: Update to 4.14.349
  x86/kvm: Disable all PV features on crash
  x86/kvm: Disable kvmclock on all CPUs on shutdown
  x86/kvm: Teardown PV features on boot CPU as well
  crypto: algif_aead - fix uninitialized ctx->init
  nfs: fix undefined behavior in nfs_block_bits()
  ext4: fix mb_cache_entry's e_refcnt leak in ext4_xattr_block_cache_find()
  sparc: move struct termio to asm/termios.h
  kdb: Use format-specifiers rather than memset() for padding in kdb_read()
  kdb: Merge identical case statements in kdb_read()
  kdb: Fix console handling when editing and tab-completing commands
  kdb: Use format-strings rather than '\0' injection in kdb_read()
  kdb: Fix buffer overflow during tab-complete
  sparc64: Fix number of online CPUs
  intel_th: pci: Add Meteor Lake-S CPU support
  net/9p: fix uninit-value in p9_client_rpc()
  crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak
  KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode
  netfilter: nft_dynset: relax superfluous check on set updates
  netfilter: nft_dynset: report EOPNOTSUPP on missing set feature
  ...

Change-Id: Idb0053e6b2186ef17f31e15fdb601ae451c81283
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
 2024-07-18 01:54:59 -03:00
Maxim Korotkov
73bc0203a1 mtd: rawnand: hynix: fixed typo 
[ Upstream commit 6819db94e1cd3ce24a432f3616cd563ed0c4eaba ]

The function hynix_nand_rr_init() should probably return an error code.
Judging by the usage, it seems that the return code is passed up
the call stack.
Right now, it always returns 0 and the function hynix_nand_cleanup()
in hynix_nand_init() has never been called.

Found by RASU JSC and Linux Verification Center (linuxtesting.org)

Fixes: 626994e07480 ("mtd: nand: hynix: Add read-retry support for 1x nm MLC NANDs")

Signed-off-by: Maxim Korotkov <korotkov.maxim.s@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20240313102721.1991299-1-korotkov.maxim.s@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 80850a39e2548988f4feae26f3fd66286b460278)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-07-08 08:15:03 +00:00
Richard Raya
3143685e95 Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts 
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (278 commits)
  LTS: Update to 4.14.348
  docs: kernel_include.py: Cope with docutils 0.21
  serial: kgdboc: Fix NMI-safety problems from keyboard reset code
  btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks()
  dm: limit the number of targets and parameter size area
  Revert "selftests: mm: fix map_hugetlb failure on 64K page size systems"
  LTS: Update to 4.14.347
  rds: Fix build regression.
  RDS: IB: Use DEFINE_PER_CPU_SHARED_ALIGNED for rds_ib_stats
  af_unix: Suppress false-positive lockdep splat for spin_lock() in __unix_gc().
  net: fix out-of-bounds access in ops_init
  drm/vmwgfx: Fix invalid reads in fence signaled events
  dyndbg: fix old BUG_ON in >control parser
  tipc: fix UAF in error path
  usb: gadget: f_fs: Fix a race condition when processing setup packets.
  usb: gadget: composite: fix OS descriptors w_value logic
  firewire: nosy: ensure user_length is taken into account when fetching packet contents
  af_unix: Fix garbage collector racing against connect()
  af_unix: Do not use atomic ops for unix_sk(sk)->inflight.
  ipv6: fib6_rules: avoid possible NULL dereference in fib6_rule_action()
  ...

Change-Id: If329d39dd4e95e14045bb7c58494c197d1352d60
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
 2024-06-04 16:33:29 -03:00
Arnd Bergmann
cd3a5b7416 mtd: diskonchip: work around ubsan link failure 
commit 21c9fb611c25d5cd038f6fe485232e7884bb0b3d upstream.

I ran into a randconfig build failure with UBSAN using gcc-13.2:

arm-linux-gnueabi-ld: error: unplaced orphan section `.bss..Lubsan_data31' from `drivers/mtd/nand/raw/diskonchip.o'

I'm not entirely sure what is going on here, but I suspect this has something
to do with the check for the end of the doc_locations[] array that contains
an (unsigned long)0xffffffff element, which is compared against the signed
(int)0xffffffff. If this is the case, we should get a runtime check for
undefined behavior, but we instead get an unexpected build-time error.

I would have expected this to work fine on 32-bit architectures despite the
signed integer overflow, though on 64-bit architectures this likely won't
ever work.

Changing the contition to instead check for the size of the array makes the
code safe everywhere and avoids the ubsan check that leads to the link
error. The loop code goes back to before 2.6.12.

Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20240405143015.717429-1-arnd@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit 153adb5d7878d18e2b9be173996034f858fbce8e)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-05-31 12:57:28 +00:00
Zhang Yi
13e3ca30e7 ubi: correct the calculation of fastmap size 
[ Upstream commit 7f174ae4f39e8475adcc09d26c5a43394689ad6c ]

Now that the calculation of fastmap size in ubi_calc_fm_size() is
incorrect since it miss each user volume's ubi_fm_eba structure and the
Internal UBI volume info. Let's correct the calculation.

Cc: stable@vger.kernel.org
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 113d2c358fe9b9c2b307b4984ed41dfce6f78347)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-05-30 08:58:49 +00:00
Richard Weinberger
c05dbbe027 ubi: Check for too small LEB size in VTBL code 
[ Upstream commit 68a24aba7c593eafa8fd00f2f76407b9b32b47a9 ]

If the LEB size is smaller than a volume table record we cannot
have volumes.
In this case abort attaching.

Cc: Chenyuan Yang <cy54@illinois.edu>
Cc: stable@vger.kernel.org
Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: Chenyuan Yang <cy54@illinois.edu>
Closes: https://lore.kernel.org/linux-mtd/1433EB7A-FC89-47D6-8F47-23BE41B263B3@illinois.edu/
Signed-off-by: Richard Weinberger <richard@nod.at>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit ff818a59ecdfb13a8eb4a38a87b869090dd1745c)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-05-30 08:58:49 +00:00
Richard Raya
59c72f3544 Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts 
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (186 commits)
  LTS: Update to 4.14.344
  binder: signal epoll threads of self-work
  ANDROID: binder: Add thread->process_todo flag.
  scsi: bnx2fc: Fix skb double free in bnx2fc_rcv()
  scsi: bnx2fc: Remove set but not used variable 'oxid'
  net: check dev->gso_max_size in gso_features_check()
  driver: staging: count ashmem_range into SLAB_RECLAIMBLE
  net: warn if gso_type isn't set for a GSO SKB
  staging: android: ashmem: Remove use of unlikely()
  ALSA: hda/realtek: Enable headset on Lenovo M90 Gen5
  ALSA: hda/realtek: Enable headset onLenovo M70/M90
  ALSA: hda/realtek: Add quirk for Lenovo TianYi510Pro-14IOB
  ALSA: hda/realtek - ALC897 headset MIC no sound
  ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform
  ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
  ALSA: hda/realtek - The front Mic on a HP machine doesn't work
  ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662
  ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662
  ALSA: hda/realtek - Add Headset Mic supported for HP cPC
  ALSA: hda/realtek - More constifications
  ...

Change-Id: I3d093c0e457ab7e7e7b98b46eb44e82b6f4636f9
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
 2024-05-08 19:24:35 -03:00
Linus Walleij
2d6c830b5b mtd: cfi_cmdset_0001: Byte swap OTP info 
[ Upstream commit 565fe150624ee77dc63a735cc1b3bff5101f38a3 ]

Currently the offset into the device when looking for OTP
bits can go outside of the address of the MTD NOR devices,
and if that memory isn't readable, bad things happen
on the IXP4xx (added prints that illustrate the problem before
the crash):

cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x00000100
ixp4xx_copy_from copy from 0x00000100 to 0xc880dd78
cfi_intelext_otp_walk walk OTP on chip 0 start at reg_prot_offset 0x12000000
ixp4xx_copy_from copy from 0x12000000 to 0xc880dd78
8<--- cut here ---
Unable to handle kernel paging request at virtual address db000000
[db000000] *pgd=00000000
(...)

This happens in this case because the IXP4xx is big endian and
the 32- and 16-bit fields in the struct cfi_intelext_otpinfo are not
properly byteswapped. Compare to how the code in read_pri_intelext()
byteswaps the fields in struct cfi_pri_intelext.

Adding a small byte swapping loop for the OTP in read_pri_intelext()
and the crash goes away.

The problem went unnoticed for many years until I enabled
CONFIG_MTD_OTP on the IXP4xx as well, triggering the bug.

Cc: stable@vger.kernel.org
Reviewed-by: Nicolas Pitre <nico@fluxnic.net>
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231020-mtd-otp-byteswap-v4-1-0d132c06aa9d@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
 2024-05-06 14:36:42 +00:00
Jean-Philippe Brucker
c3b3e5c5fd mtd: cfi_cmdset_0001: Support the absence of protection registers 
[ Upstream commit b359ed5184aebf9d987e54abc5dae7ac03ed29ae ]

The flash controller implemented by the Arm Base platform behaves like
the Intel StrataFlash J3 device, but omits several features. In
particular it doesn't implement a protection register, so "Number of
Protection register fields" in the Primary Vendor-Specific Extended
Query, is 0.

The Intel StrataFlash J3 datasheet only lists 1 as a valid value for
NumProtectionFields. It describes the field as:

	"Number of Protection register fields in JEDEC ID space.
	“00h,” indicates that 256 protection bytes are available"

While a value of 0 may arguably not be architecturally valid, the
driver's current behavior is certainly wrong: if NumProtectionFields is
0, read_pri_intelext() adds a negative value to the unsigned extra_size,
and ends up in an infinite loop.

Fix it by ignoring a NumProtectionFields of 0.

Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
Tested-by: Sudeep Holla <sudeep.holla@arm.com>
Tested-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Vignesh Raghavendra <vigneshr@ti.com>
Stable-dep-of: 565fe150624e ("mtd: cfi_cmdset_0001: Byte swap OTP info")
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
 2024-05-06 14:36:42 +00:00
Richard Raya
d5b9f06c4e Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts 
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (176 commits)
  LTS: Update to 4.14.343
  crypto: af_alg - Work around empty control messages without MSG_MORE
  crypto: af_alg - Fix regression on empty requests
  spi: spi-mt65xx: Fix NULL pointer access in interrupt handler
  net/bnx2x: Prevent access to a freed page in page_pool
  hsr: Handle failures in module init
  rds: introduce acquire/release ordering in acquire/release_in_xmit()
  hsr: Fix uninit-value access in hsr_get_node()
  net: hsr: fix placement of logical operator in a multi-line statement
  usb: gadget: net2272: Use irqflags in the call to net2272_probe_fin
  staging: greybus: fix get_channel_from_mode() failure path
  serial: 8250_exar: Don't remove GPIO device on suspend
  rtc: mt6397: select IRQ_DOMAIN instead of depending on it
  rtc: mediatek: enhance the description for MediaTek PMIC based RTC
  tty: serial: samsung: fix tx_empty() to return TIOCSER_TEMT
  serial: max310x: fix syntax error in IRQ error message
  clk: qcom: gdsc: Add support to update GDSC transition delay
  NFS: Fix an off by one in root_nfs_cat()
  net: sunrpc: Fix an off by one in rpc_sockaddr2uaddr()
  scsi: bfa: Fix function pointer type mismatch for hcb_qe->cbfn
  ...

Change-Id: Ib9b7d4f4fbb66b54b4fc2d35e945418da4c02331
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
 2024-04-18 09:46:38 -03:00
Arnd Bergmann
1b84c12eba mtd: rawnand: lpc32xx_mlc: fix irq handler prototype 
[ Upstream commit 347b828882e6334690e7003ce5e2fe5f233dc508 ]

clang-16 warns about mismatched function prototypes:

drivers/mtd/nand/raw/lpc32xx_mlc.c:783:29: error: cast from 'irqreturn_t (*)(int, struct lpc32xx_nand_host *)' (aka 'enum irqreturn (*)(int, struct lpc32xx_nand_host *)') to 'irq_handler_t' (aka 'enum irqreturn (*)(int, void *)') converts to incompatible function type [-Werror,-Wcast-function-type-strict]

Change the interrupt handler to the normal way of just passing
a void* pointer and converting it inside the function..

Fixes: 70f7cb78ec53 ("mtd: add LPC32xx MLC NAND driver")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20240213100146.455811-1-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9fc05d7953b0d71372b632e1d62abf78c6ac9d64)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
 2024-04-16 10:30:33 +00:00
Richard Raya
a9e2d194be Merge branch 'linux-4.14.y' of https://github.com/openela/kernel-lts 
* 'linux-4.14.y' of https://github.com/openela/kernel-lts: (350 commits)
  LTS: Update to 4.14.340
  fs/aio: Restrict kiocb_set_cancel_fn() to I/O submitted via libaio
  KVM: arm64: vgic-its: Test for valid IRQ in its_sync_lpi_pending_table()
  PCI/MSI: Prevent MSI hardware interrupt number truncation
  s390: use the correct count for __iowrite64_copy()
  packet: move from strlcpy with unused retval to strscpy
  ipv6: sr: fix possible use-after-free and null-ptr-deref
  nouveau: fix function cast warnings
  scsi: jazz_esp: Only build if SCSI core is builtin
  RDMA/srpt: fix function pointer cast warnings
  RDMA/srpt: Support specifying the srpt_service_guid parameter
  IB/hfi1: Fix a memleak in init_credit_return
  usb: gadget: ncm: Avoid dropping datagrams of properly parsed NTBs
  l2tp: pass correct message length to ip6_append_data
  gtp: fix use-after-free and null-ptr-deref in gtp_genl_dump_pdp()
  dm-crypt: don't modify the data when using authenticated encryption
  mm: memcontrol: switch to rcu protection in drain_all_stock()
  s390/qeth: Fix potential loss of L3-IP@ in case of network issues
  virtio-blk: Ensure no requests in virtqueues before deleting vqs.
  firewire: core: send bus reset promptly on gap count error
  ...

Change-Id: Ieafdd459ee41343bf15ed781b3e45adc2be29cc1
Signed-off-by: Richard Raya <rdxzv.dev@gmail.com>
 2024-03-26 00:15:05 -03:00
ZhaoLong Wang
27f0c87acc mtd: Fix gluebi NULL pointer dereference caused by ftl notifier 
[ Upstream commit a43bdc376deab5fff1ceb93dca55bcab8dbdc1d6 ]

If both ftl.ko and gluebi.ko are loaded, the notifier of ftl
triggers NULL pointer dereference when trying to access
‘gluebi->desc’ in gluebi_read().

ubi_gluebi_init
  ubi_register_volume_notifier
    ubi_enumerate_volumes
      ubi_notify_all
        gluebi_notify    nb->notifier_call()
          gluebi_create
            mtd_device_register
              mtd_device_parse_register
                add_mtd_device
                  blktrans_notify_add   not->add()
                    ftl_add_mtd         tr->add_mtd()
                      scan_header
                        mtd_read
                          mtd_read_oob
                            mtd_read_oob_std
                              gluebi_read   mtd->read()
                                gluebi->desc - NULL

Detailed reproduction information available at the Link [1],

In the normal case, obtain gluebi->desc in the gluebi_get_device(),
and access gluebi->desc in the gluebi_read(). However,
gluebi_get_device() is not executed in advance in the
ftl_add_mtd() process, which leads to NULL pointer dereference.

The solution for the gluebi module is to run jffs2 on the UBI
volume without considering working with ftl or mtdblock [2].
Therefore, this problem can be avoided by preventing gluebi from
creating the mtdblock device after creating mtd partition of the
type MTD_UBIVOLUME.

Fixes: 2ba3d76a1e29 ("UBI: make gluebi a separate module")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217992 [1]
Link: https://lore.kernel.org/lkml/441107100.23734.1697904580252.JavaMail.zimbra@nod.at/ [2]
Signed-off-by: ZhaoLong Wang <wangzhaolong1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231220024619.2138625-1-wangzhaolong1@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit aeba358bcc8ffddf9b4a9bd0e5ec9eb338d46022)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-02-02 11:33:39 +00:00
Ronald Monthero
e18751caa6 mtd: rawnand: Increment IFC_TIMEOUT_MSECS for nand controller response 
[ Upstream commit 923fb6238cb3ac529aa2bf13b3b1e53762186a8b ]

Under heavy load it is likely that the controller is done
with its own task but the thread unlocking the wait is not
scheduled in time. Increasing IFC_TIMEOUT_MSECS allows the
controller to respond within allowable timeslice of 1 sec.

fsl,ifc-nand 7e800000.nand: Controller is not responding

[<804b2047>] (nand_get_device) from [<804b5335>] (nand_write_oob+0x1b/0x4a)
[<804b5335>] (nand_write_oob) from [<804a3585>] (mtd_write+0x41/0x5c)
[<804a3585>] (mtd_write) from [<804c1d47>] (ubi_io_write+0x17f/0x22c)
[<804c1d47>] (ubi_io_write) from [<804c047b>] (ubi_eba_write_leb+0x5b/0x1d0)

Fixes: 82771882d960 ("NAND Machine support for Integrated Flash Controller")
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Ronald Monthero <debug.penguin32@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20231118083156.776887-1-debug.penguin32@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 238f46e6bbe689fb70d3933ffc2b9b7b0caf38b9)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
 2024-02-02 11:33:38 +00:00
Richard Raya
b5b21c729b Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common 
* 'android-4.14-stable' of https://android.googlesource.com/kernel/common: (31 commits)
  Linux 4.14.332
  driver core: Release all resources during unbind before updating device links
  net: ravb: Start TX queues after HW initialization succeeded
  ravb: Fix races between ravb_tx_timeout_work() and net related ops
  ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
  btrfs: send: ensure send_fd is writable
  btrfs: fix off-by-one when checking chunk map includes logical address
  powerpc: Don't clobber f0/vs0 during fp|altivec register save
  dm verity: don't perform FEC for failed readahead IO
  dm-verity: align struct dm_verity_fec_io properly
  firewire: core: fix possible memory leak in create_units()
  pinctrl: avoid reload of p state in list iteration
  usb: dwc3: set the dma max_seg_size
  USB: serial: option: don't claim interface 4 for ZTE MF290
  USB: serial: option: fix FM101R-GL defines
  USB: serial: option: add Fibocom L7xx modules
  bcache: prevent potential division by zero error
  bcache: check return value from btree_node_alloc_replacement()
  USB: serial: option: add Luat Air72*U series products
  s390/dasd: protect device queue against concurrent access
  ...

Change-Id: I4952e24f22e6450a5ddf2dd61a649a32b8fbcda3
 2023-12-12 00:12:26 -03:00
Greg Kroah-Hartman
fc26a9488d This is the 4.14.332 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVyyNgACgkQONu9yGCS
 aT790w//TNkuLD8tIgoZOECmfmCHtNIFd2EnQpgNjGWzsKowTywVZxoc2jtuQoia
 MtAyzIEqWxKlL1GRUlGAdZk/lzvLCpXACJNhSnA4mlWbsg1xuLarFQY4DF0BwyBF
 kTPSIiW/1RytgFOsTo+wNLbzDpkt1isGtexsiDtwaCIXNA/UNqJY/kTX9oyFbHko
 SjxkSWvn3+5Mxdqh08OmaKK74saAU6A90VeM47zS+5YG7bMNpu2+hQhd7GE+2tsf
 CPf+mLWg++h/Q3OZo936gekvskC5C/tO/yLp/Rbk/02NdBc0+fV4FZ8bvgxdV5Zh
 /4SVNwdRGIydaN37b+CryL3uUeIWDQkOX032E9SXEjzN+GexTWIG45THS/lQ+3tx
 sL4A/wKJYn9YLOroVhOeRfQuh3dWxR4z/w22O9X2d82MKRVhLs748IoIK2mlZN0F
 hp5Y/mr6QDONhljzLbV+9R/y/JH5qGoGZPgku1ZGyFbA91QyuUj4vqtxecJ7OpsQ
 3cs/Q9aSBxh1+HAJv0fwlX69qd4VJRQ2T3A+mHuuL0QuhMUzvRxqlOkmmBvVKXkA
 lvTiOFdGyd2LQB0fl1N7jJDzH4OKLHW6cpj5NlvSdzwqjy4nWZ1blVqNDbA8/krV
 gpavDAdkpYY40svz6TkwRlMxQn3MLZ3PrwWcyBc7qwyQndKiw+Q=
 =80xi
 -----END PGP SIGNATURE-----

Merge 4.14.332 into android-4.14-stable

Changes in 4.14.332
	RDMA/irdma: Prevent zero-length STAG registration
	drm/panel: simple: Fix Innolux G101ICE-L01 timings
	ata: pata_isapnp: Add missing error check for devm_ioport_map()
	drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
	ipv4: Correct/silence an endian warning in __ip_do_redirect
	net: usb: ax88179_178a: fix failed operations during ax88179_reset
	arm/xen: fix xen_vcpu_info allocation alignment
	amd-xgbe: handle corner-case during sfp hotplug
	amd-xgbe: propagate the correct speed and duplex status
	net: axienet: Fix check for partial TX checksum
	mtd: rawnand: brcmnand: Fix ecc chunk calculation for erased page bitfips
	s390/dasd: protect device queue against concurrent access
	USB: serial: option: add Luat Air72*U series products
	bcache: check return value from btree_node_alloc_replacement()
	bcache: prevent potential division by zero error
	USB: serial: option: add Fibocom L7xx modules
	USB: serial: option: fix FM101R-GL defines
	USB: serial: option: don't claim interface 4 for ZTE MF290
	usb: dwc3: set the dma max_seg_size
	pinctrl: avoid reload of p state in list iteration
	firewire: core: fix possible memory leak in create_units()
	dm-verity: align struct dm_verity_fec_io properly
	dm verity: don't perform FEC for failed readahead IO
	powerpc: Don't clobber f0/vs0 during fp|altivec register save
	btrfs: fix off-by-one when checking chunk map includes logical address
	btrfs: send: ensure send_fd is writable
	ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
	ravb: Fix races between ravb_tx_timeout_work() and net related ops
	net: ravb: Start TX queues after HW initialization succeeded
	driver core: Release all resources during unbind before updating device links
	Linux 4.14.332

Change-Id: Ia04d4ea54ddcce3f8ba06d6a28b26e1021e5b56f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-12-08 09:23:10 +00:00
Claire Lin
5f3473a3e5 mtd: rawnand: brcmnand: Fix ecc chunk calculation for erased page bitfips 
commit 7f852cc1579297fd763789f8cd370639d0c654b6 upstream.

In brcmstb_nand_verify_erased_page(), the ECC chunk pointer calculation
while correcting erased page bitflips is wrong, fix it.

Fixes: 02b88eea9f9c ("mtd: brcmnand: Add check for erased page bitflips")
Signed-off-by: Claire Lin <claire.lin@broadcom.com>
Reviewed-by: Ray Jui <ray.jui@broadcom.com>
Signed-off-by: Kamal Dasu <kdasu.kdev@gmail.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Yuta Hayama <hayama@lineo.co.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-12-08 08:41:59 +01:00
Richard Raya
9cdc78c354 Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common 
* 'android-4.14-stable' of https://android.googlesource.com/kernel/common: (2966 commits)
  Linux 4.14.331
  net: sched: fix race condition in qdisc_graft()
  scsi: virtio_scsi: limit number of hw queues by nr_cpu_ids
  ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks
  ext4: correct return value of ext4_convert_meta_bg
  ext4: correct offset of gdb backup in non meta_bg group to update_backups
  ext4: apply umask if ACL support is disabled
  media: venus: hfi: fix the check to handle session buffer requirement
  media: sharp: fix sharp encoding
  i2c: i801: fix potential race in i801_block_transaction_byte_by_byte
  net: dsa: lan9303: consequently nested-lock physical MDIO
  ALSA: info: Fix potential deadlock at disconnection
  parisc/pgtable: Do not drop upper 5 address bits of physical address
  parisc: Prevent booting 64-bit kernels on PA1.x machines
  mcb: fix error handling for different scenarios when parsing
  jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev
  genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware
  mmc: meson-gx: Remove setting of CMD_CFG_ERROR
  PM: hibernate: Clean up sync_read handling in snapshot_write_next()
  PM: hibernate: Use __get_safe_page() rather than touching the list
  ...

Change-Id: I755d2aa7c525ace28adc4aee433572b3110ea39b
 2023-12-07 20:15:44 -03:00
Greg Kroah-Hartman
27c2ecdf37 This is the 4.14.327 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUlqXsACgkQONu9yGCS
 aT7KDQ//QlDFupXGqqqAkyOVgKr1eIP0/V6LarJFCRsHt+zTzdijtex7UrAX26R0
 d8cN6oGZmuPJSRifvJkNI2zijVq/K/nYoN5+RA9+TjiYX7+kOsZcmWcjkwEfbDGZ
 SMU13d7owzsqmM48pMQtPkqjxvo+3486icaiNLl+gEPex4BERVSX5k2Nu48J+JKX
 kH4ebxCpiAqlCBXvz0cuR3Eto97cWJV7KiLGdgllhiCInDguIySA5GduPytvm4qx
 +W+Ya1JN3lUxziODoFZ7eG1WrRaw4EigG1YQTvqafu3FVJcm/0Uxl1RHmeMDTcwP
 vWmPHvrCR1x/vYEiAOmV5sOjDJSDKR/LZ8eVi2psgD3BTRo+ESOGtAj7rDyMyznU
 02SzorFdRUm4VXJOjSnZer3Mv+0vLhXwIM2KYkdcDpXCnvfN3bIvlip17dI6p4yz
 2/DxB82wr1C/OGPW/jQzKLpZh2JAT3N0Fmoy1R96UTa6tTdiGE7jS7xarwbPJnwZ
 IuF45Vq4Y9FKI3xIn0+7FjbVi7O3X1z95b9v9SH8YoKhzAoKUaRh9RtoPjZmAJt3
 s0JHeMMX7fPJl4C8mjMW1UGcAfysootll1/naGopgNXAl7qj8YrOWpQK8Pavn21q
 AdoAwUOOsM9INMfDFpgJ89dgkixw1jeDSsHMEZtBAj3nWcjIj+8=
 =ac+3
 -----END PGP SIGNATURE-----

Merge 4.14.327 into android-4.14-stable

Changes in 4.14.327
	NFS/pNFS: Report EINVAL errors from connect() to the server
	ipv4: fix null-deref in ipv4_link_failure
	powerpc/perf/hv-24x7: Update domain value check
	dccp: fix dccp_v4_err()/dccp_v6_err() again
	team: fix null-ptr-deref when team device type is changed
	gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
	i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
	clk: tegra: fix error return case for recalc_rate
	xtensa: boot: don't add include-dirs
	xtensa: boot/lib: fix function prototypes
	parisc: sba: Fix compile warning wrt list of SBA devices
	parisc: iosapic.c: Fix sparse warnings
	parisc: irq: Make irq_stack_union static to avoid sparse warning
	selftests/ftrace: Correctly enable event in instance-event.tc
	ring-buffer: Avoid softlockup in ring_buffer_resize()
	ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
	fbdev/sh7760fb: Depend on FB=y
	ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
	ata: libahci: clear pending interrupt status
	watchdog: iTCO_wdt: No need to stop the timer in probe
	watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
	serial: 8250_port: Check IRQ data before use
	nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
	ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
	i2c: i801: unregister tco_pdev in i801_probe() error path
	btrfs: properly report 0 avail for very full file systems
	ata: libata-core: Fix ata_port_request_pm() locking
	ata: libata-core: Fix port and device removal
	ata: libata-sata: increase PMP SRST timeout to 10s
	fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
	vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
	ext4: fix rec_len verify error
	net/sched: sch_hfsc: Ensure inner classes have fsc curve
	ata: libata: disallow dev-initiated LPM transitions to unsupported states
	media: dvb: symbol fixup for dvb_attach() - again
	scsi: zfcp: Fix a double put in zfcp_port_enqueue()
	wifi: mwifiex: Fix tlv_buf_left calculation
	ubi: Refuse attaching if mtd's erasesize is 0
	wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
	drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
	regmap: rbtree: Fix wrong register marked as in-cache when creating new node
	scsi: target: core: Fix deadlock due to recursive locking
	modpost: add missing else to the "of" check
	ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
	net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
	tcp: fix delayed ACKs for MSS boundary condition
	sctp: update transport state when processing a dupcook packet
	sctp: update hb timer immediately after users change hb_interval
	cpupower: add Makefile dependencies for install targets
	IB/mlx4: Fix the size of a buffer in add_port_entries()
	gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
	RDMA/cma: Fix truncation compilation warning in make_cma_ports
	RDMA/mlx5: Fix NULL string error
	parisc: Restore __ldcw_align for PA-RISC 2.0 processors
	Revert "rtnetlink: Reject negative ifindexes in RTM_NEWLINK"
	rtnetlink: Reject negative ifindexes in RTM_NEWLINK
	xen/events: replace evtchn_rwlock with RCU
	Linux 4.14.327

Change-Id: Id05d43bbb2482e858390f6cb31f43ba16c669675
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-10-11 19:14:52 +00:00
Zhihao Cheng
ef7a4c97a8 ubi: Refuse attaching if mtd's erasesize is 0 
[ Upstream commit 017c73a34a661a861712f7cc1393a123e5b2208c ]

There exists mtd devices with zero erasesize, which will trigger a
divide-by-zero exception while attaching ubi device.
Fix it by refusing attaching if mtd's erasesize is 0.

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: Yu Hao <yhao016@ucr.edu>
Link: https://lore.kernel.org/lkml/977347543.226888.1682011999468.JavaMail.zimbra@nod.at/T/
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-10-10 21:43:41 +02:00
Greg Kroah-Hartman
3b3807ea9f This is the 4.14.326 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUOphQACgkQONu9yGCS
 aT48SA//UAwiChca8ejeMfb5naUV7yr0r7Vpe32I7+Z+vY+YmuKO2UWOdBi4rvrY
 +PYIFCA7nfLpp6hXZg14ljX3w1Qh8WftXwlIeml5PJX+/IpyGT2FAx+CcYXAKdQk
 KqANTdDAogw4wfPF+jY0hqRUP0NuIW2jzPU9cMQHm6/reRs8sSqs9wHo5tqlLLBN
 YF66O+MyI/FZRwD3HxSeVlaNk1Rrk6I7CtdnXaUqMo7CosagayoiODn5vPMUJXZW
 I7WOz4hFYJJhvnJKYKCoMUwmpsEQrQwxyeBipfXsoCjdSOn7TBJaTNEqo0cTq1aQ
 kD34afHBY5cZaS2d0EKFcCYVxRwtzh0N73RuimPNTT3Rfkot9ARFwQjk+eOHrJDh
 UQlx4aWq2vX400V68LeE6nSxwAoml888mISVrVqeLu4Xzt9dl4JlLD99GC0tu2GG
 xKZp3BZ2spxEUciGT4Hby3f6PEGO3oJ/m8MSTNsn5wqdeZMbTUQ4O8yWLQZPaacc
 M+FEHK/beW5inq5mi2hy0rs2uvhbSQoLV79jbS0EeN2x5Z6MTyWfifRqLx1VzvgF
 oZHw7AeSv97oJGQfqF5j9BIUOC8jMzMircmxY5z/MmWvvjpkoMtTi0Fm66KbR6c/
 Ydm83ptyuPg0XotdjlGAc1tGkVQatx7c1XzYqeOhKDBxvY4l13A=
 =RCAu
 -----END PGP SIGNATURE-----

Merge 4.14.326 into android-4.14-stable

Changes in 4.14.326
	ARM: pxa: remove use of symbol_get()
	mmc: au1xmmc: force non-modular build and remove symbol_get usage
	rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
	modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
	USB: serial: option: add Quectel EM05G variant (0x030e)
	USB: serial: option: add FOXCONN T99W368/T99W373 product
	HID: wacom: remove the battery when the EKR is off
	Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
	serial: sc16is7xx: fix bug when first setting GPIO direction
	nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
	nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
	pinctrl: amd: Don't show `Invalid config param` errors
	lib/ubsan: remove returns-nonnull-attribute checks
	9p: virtio: make sure 'offs' is initialized in zc_request
	ASoC: da7219: Flush pending AAD IRQ when suspending
	ethernet: atheros: fix return value check in atl1c_tso_csum()
	m68k: Fix invalid .section syntax
	s390/dasd: use correct number of retries for ERP requests
	fs/nls: make load_nls() take a const parameter
	ASoc: codecs: ES8316: Fix DMIC config
	security: keys: perform capable check only on privileged operations
	net: usb: qmi_wwan: add Quectel EM05GV2
	idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
	scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
	netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
	bnx2x: fix page fault following EEH recovery
	sctp: handle invalid error codes without calling BUG()
	cifs: add a warning when the in-flight count goes negative
	ALSA: seq: oss: Fix racy open/close of MIDI devices
	powerpc/32: Include .branch_lt in data section
	powerpc/32s: Fix assembler warning about r0
	udf: Check consistency of Space Bitmap Descriptor
	udf: Handle error when adding extent to a file
	Revert "net: macsec: preserve ingress frame ordering"
	reiserfs: Check the return value from __getblk()
	fs: Fix error checking for d_hash_and_lookup()
	cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
	regmap: rbtree: Use alloc_flags for memory allocations
	spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
	can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
	wifi: mwifiex: Fix OOB and integer underflow when rx packets
	Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
	net: tcp: fix unexcepted socket die when snd_wnd is 0
	crypto: caam - fix unchecked return value error
	lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
	fs: ocfs2: namei: check return value of ocfs2_add_entry()
	wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
	wifi: mwifiex: Fix missed return in oob checks failed path
	wifi: ath9k: protect WMI command response buffer replacement with a lock
	wifi: mwifiex: avoid possible NULL skb pointer dereference
	wifi: ath9k: use IS_ERR() with debugfs_create_dir()
	net: arcnet: Do not call kfree_skb() under local_irq_disable()
	netrom: Deny concurrent connect().
	ARM: dts: BCM53573: Add cells sizes to PCIe node
	ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
	ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
	drm: adv7511: Fix low refresh rate register for ADV7533/5
	of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
	smackfs: Prevent underflow in smk_set_cipso()
	audit: fix possible soft lockup in __audit_inode_child()
	ALSA: ac97: Fix possible error value of *rac97
	drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
	clk: sunxi-ng: Modify mismatched function name
	PCI: Mark NVIDIA T4 GPUs to avoid bus reset
	PCI: pciehp: Use RMW accessors for changing LNKCTL
	wifi: ath10k: Use RMW accessors for changing LNKCTL
	nfs/blocklayout: Use the passed in gfp flags
	powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
	jfs: validate max amount of blocks before allocation.
	fs: lockd: avoid possible wrong NULL parameter
	NFSD: da_addr_body field missing in some GETDEVICEINFO replies
	drivers: usb: smsusb: fix error handling code in smsusb_init_device
	media: dib7000p: Fix potential division by zero
	media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
	media: cx24120: Add retval check for cx24120_message_send()
	media: mediatek: vcodec: Return NULL if no vdec_fb is found
	usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
	scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
	scsi: be2iscsi: Add length check when parsing nlattrs
	scsi: qla4xxx: Add length check when parsing nlattrs
	x86/APM: drop the duplicate APM_MINOR_DEV macro
	scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
	scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
	dma-buf/sync_file: Fix docs syntax
	media: go7007: Remove redundant if statement
	USB: gadget: f_mass_storage: Fix unused variable warning
	cgroup:namespace: Remove unused cgroup_namespaces_init()
	scsi: core: Use 32-bit hostnum in scsi_host_lookup()
	scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
	serial: tegra: handle clk prepare error in tegra_uart_hw_init()
	amba: bus: fix refcount leak
	Revert "IB/isert: Fix incorrect release of isert connection"
	HID: multitouch: Correct devm device reference for hidinput input_dev name
	rpmsg: glink: Add check for kstrdup
	dmaengine: ste_dma40: Add missing IRQ check in d40_probe
	igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
	netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
	netfilter: xt_u32: validate user space input
	netfilter: xt_sctp: validate the flag_info count
	igb: set max size RX buffer when store bad packet is enabled
	PM / devfreq: Fix leak in devfreq_dev_release()
	ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
	ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
	backlight/gpio_backlight: Compare against struct fb_info.device
	backlight/bd6107: Compare against struct fb_info.device
	backlight/lv5207lp: Compare against struct fb_info.device
	media: dvb: symbol fixup for dvb_attach()
	ntb: Drop packets when qp link is down
	ntb: Clean up tx tail index on link down
	ntb: Fix calculation ntb_transport_tx_free_entry()
	Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
	procfs: block chmod on /proc/thread-self/comm
	parisc: Fix /proc/cpuinfo output for lscpu
	dccp: Fix out of bounds access in DCCP error handler
	X.509: if signature is unsupported skip validation
	net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
	pstore/ram: Check start of empty przs during init
	crypto: stm32 - fix loop iterating through scatterlist for DMA
	scsi: qla2xxx: fix inconsistent TMF timeout
	scsi: qla2xxx: Turn off noisy message log
	fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
	drm/ast: Fix DRAM init on AST2200
	parisc: led: Fix LAN receive and transmit LEDs
	parisc: led: Reduce CPU overhead for disk & lan LED computation
	clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
	NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
	x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
	watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
	pwm: lpc32xx: Remove handling of PWM channels
	net: read sk->sk_family once in sk_mc_loop()
	igb: disable virtualization features on 82580
	net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
	af_unix: Fix data-races around user->unix_inflight.
	af_unix: Fix data-race around unix_tot_inflight.
	af_unix: Fix data-races around sk->sk_shutdown.
	af_unix: Fix data race around sk->sk_err.
	net: sched: sch_qfq: Fix UAF in qfq_dequeue()
	kcm: Destroy mutex in kcm_exit_net()
	igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
	igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
	ata: sata_gemini: Add missing MODULE_DESCRIPTION
	ata: pata_ftide010: Add missing MODULE_DESCRIPTION
	net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
	kcm: Fix memory leak in error path of kcm_sendmsg()
	ixgbe: fix timestamp configuration code
	kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
	parisc: Drop loops_per_jiffy from per_cpu struct
	autofs: fix memory leak of waitqueues in autofs_catatonic_mode
	btrfs: output extra debug info if we failed to find an inline backref
	ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
	ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
	hw_breakpoint: fix single-stepping when using bpf_overflow_handler
	wifi: ath9k: fix printk specifier
	wifi: mwifiex: fix fortify warning
	crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
	tpm_tis: Resend command to recover from data transfer errors
	alx: fix OOB-read compiler warning
	drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
	md: raid1: fix potential OOB in raid1_remove_disk()
	ext2: fix datatype of block number in ext2_xattr_set2()
	fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
	jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
	powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
	media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
	media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
	media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
	media: anysee: fix null-ptr-deref in anysee_master_xfer
	media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
	iio: core: Use min() instead of min_t() to make code more robust
	media: tuners: qt1010: replace BUG_ON with a regular error
	media: pci: cx23885: replace BUG with error return
	usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
	scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
	serial: cpm_uart: Avoid suspicious locking
	kobject: Add sanity check for kset->kobj.ktype in kset_register()
	md/raid1: fix error: ISO C90 forbids mixed declarations
	attr: block mode changes of symlinks
	btrfs: fix lockdep splat and potential deadlock after failure running delayed items
	nfsd: fix change_info in NFSv4 RENAME replies
	mtd: rawnand: brcmnand: Fix crash during the panic_write
	mtd: rawnand: brcmnand: Fix potential false time out warning
	mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
	mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
	net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
	net/sched: Retire rsvp classifier
	Linux 4.14.326

Change-Id: I22815ecf1b4b346f889ccaa561b7cb9a20f204ce
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-09-30 11:44:35 +00:00
William Zhang
2bc3d6ac70 mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write 
commit 5d53244186c9ac58cb88d76a0958ca55b83a15cd upstream.

When the oob buffer length is not in multiple of words, the oob write
function does out-of-bounds read on the oob source buffer at the last
iteration. Fix that by always checking length limit on the oob buffer
read and fill with 0xff when reaching the end of the buffer to the oob
registers.

Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
Signed-off-by: William Zhang <william.zhang@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-5-william.zhang@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-09-23 10:47:06 +02:00
William Zhang
cec195f6e4 mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller 
commit 2ec2839a9062db8a592525a3fdabd42dcd9a3a9b upstream.

v7.2 controller has different ECC level field size and shift in the acc
control register than its predecessor and successor controller. It needs
to be set specifically.

Fixes: decba6d47869 ("mtd: brcmnand: Add v7.2 controller support")
Signed-off-by: William Zhang <william.zhang@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-2-william.zhang@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-09-23 10:47:06 +02:00
William Zhang
58c6c90170 mtd: rawnand: brcmnand: Fix potential false time out warning 
commit 9cc0a598b944816f2968baf2631757f22721b996 upstream.

If system is busy during the command status polling function, the driver
may not get the chance to poll the status register till the end of time
out and return the premature status.  Do a final check after time out
happens to ensure reading the correct status.

Fixes: 9d2ee0a60b8b ("mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program")
Signed-off-by: William Zhang <william.zhang@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-3-william.zhang@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-09-23 10:47:06 +02:00
William Zhang
0f60ac8681 mtd: rawnand: brcmnand: Fix crash during the panic_write 
commit e66dd317194daae0475fe9e5577c80aa97f16cb9 upstream.

When executing a NAND command within the panic write path, wait for any
pending command instead of calling BUG_ON to avoid crashing while
already crashing.

Fixes: 27c5b17cd1b1 ("mtd: nand: add NAND driver "library" for Broadcom STB NAND controller")
Signed-off-by: William Zhang <william.zhang@broadcom.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Kursad Oney <kursad.oney@broadcom.com>
Reviewed-by: Kamal Dasu <kamal.dasu@broadcom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230706182909.79151-4-william.zhang@broadcom.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-09-23 10:47:05 +02:00
Greg Kroah-Hartman
fce78edbb4 This is the 4.14.322 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmTWAT4ACgkQONu9yGCS
 aT6kKxAA00HDcoEbS4CpQxK1ggeeW6xMFqPHHwUz62ScZPR1zcrR4ag5UrKOQALF
 cCQwt2nVBMUXciiQd3gY+MciAYPRVIXLMK9QqQEJSBZ+2p8zY3nb/HbM6o8iKQeV
 xIhUneiyHtbOyTo3oQcyET7ngwxtDp9uEnd+8I+sSbGi8Wyh8Z8L2daVQTrke1Js
 QIe3wDQsUj0pEDhRfYx29JKeQ8fBOfZlxtFEsdHvGgP/4j2EXGwyMVnt3/DVuwM8
 5/b/SML0skSh8YM9JfMQwpYpR+MAFGyyYKoF2pGu1trvyoh2Jd3TYuYcNqjwIywg
 W+ODGmULcYUYPBzUMdvrefwpn4l/2qpPCJ8FHB80h+4Jmy6PMN7lm1YnMBeQK4GP
 ACLr2BzJ4Tp5LavWZpTpqdRlC039aSZqY+7K+H/eoNstwZMU3hKc3Kn2KrPss0pp
 K0M7+8oukTnSiFNgIXVJOsr+kN1nNvtQmqCVRWlrn2cQckdDf8pVkPl/QtC3ZtWf
 aI8xYr6UpAr0z1elK5p9lO6N0R8FLwVmDG7B4b/6nLbWtRSt53ay/nMAzebodpn1
 8r+6ZoXO5LedNJsUOMJqE58X0ywbUgcx8mfkuRS8PLXEk7yI4+PR7DCeWyZ/YdVX
 dUqaYIK0yYx9yXAkMaSdrnMs+OSqa6lK9c9juPDvFox+ngLAjNk=
 =67ef
 -----END PGP SIGNATURE-----

Merge 4.14.322 into android-4.14-stable

Changes in 4.14.322
	gfs2: Don't deref jdesc in evict
	x86/microcode/AMD: Load late on both threads too
	x86/smp: Use dedicated cache-line for mwait_play_dead()
	fbdev: imsttfb: Fix use after free bug in imsttfb_probe
	drm/edid: Fix uninitialized variable in drm_cvt_modes()
	scripts/tags.sh: Resolve gtags empty index generation
	drm/amdgpu: Validate VM ioctl flags.
	treewide: Remove uninitialized_var() usage
	md/raid10: fix overflow of md/safe_mode_delay
	md/raid10: fix wrong setting of max_corr_read_errors
	md/raid10: fix io loss while replacement replace rdev
	PM: domains: fix integer overflow issues in genpd_parse_state()
	evm: Complete description of evm_inode_setattr()
	wifi: ath9k: fix AR9003 mac hardware hang check register offset calculation
	wifi: ath9k: avoid referencing uninit memory in ath9k_wmi_ctrl_rx
	wifi: orinoco: Fix an error handling path in spectrum_cs_probe()
	wifi: orinoco: Fix an error handling path in orinoco_cs_probe()
	wifi: atmel: Fix an error handling path in atmel_probe()
	wifi: wl3501_cs: Fix an error handling path in wl3501_probe()
	wifi: ray_cs: Fix an error handling path in ray_probe()
	wifi: ath9k: don't allow to overwrite ENDPOINT0 attributes
	watchdog/perf: define dummy watchdog_update_hrtimer_threshold() on correct config
	watchdog/perf: more properly prevent false positives with turbo modes
	kexec: fix a memory leak in crash_shrink_memory()
	memstick r592: make memstick_debug_get_tpc_name() static
	wifi: ath9k: Fix possible stall on ath9k_txq_list_has_key()
	wifi: ath9k: convert msecs to jiffies where needed
	netlink: fix potential deadlock in netlink_set_err()
	netlink: do not hard code device address lenth in fdb dumps
	gtp: Fix use-after-free in __gtp_encap_destroy().
	lib/ts_bm: reset initial match offset for every block of text
	netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value.
	netlink: Add __sock_i_ino() for __netlink_diag_dump().
	radeon: avoid double free in ci_dpm_init()
	Input: drv260x - sleep between polling GO bit
	ARM: dts: BCM5301X: Drop "clock-names" from the SPI node
	Input: adxl34x - do not hardcode interrupt trigger type
	drm/panel: simple: fix active size for Ampire AM-480272H3TMQW-T01H
	ARM: ep93xx: fix missing-prototype warnings
	ASoC: es8316: Increment max value for ALC Capture Target Volume control
	soc/fsl/qe: fix usb.c build errors
	fbdev: omapfb: lcd_mipid: Fix an error handling path in mipid_spi_probe()
	drm/radeon: fix possible division-by-zero errors
	ALSA: ac97: Fix possible NULL dereference in snd_ac97_mixer
	scsi: 3w-xxxx: Add error handling for initialization failure in tw_probe()
	PCI: Add pci_clear_master() stub for non-CONFIG_PCI
	pinctrl: cherryview: Return correct value if pin in push-pull mode
	perf dwarf-aux: Fix off-by-one in die_get_varname()
	pinctrl: at91-pio4: check return value of devm_kasprintf()
	crypto: nx - fix build warnings when DEBUG_FS is not enabled
	modpost: fix section mismatch message for R_ARM_ABS32
	modpost: fix section mismatch message for R_ARM_{PC24,CALL,JUMP24}
	modpost: fix off by one in is_executable_section()
	USB: serial: option: add LARA-R6 01B PIDs
	block: change all __u32 annotations to __be32 in affs_hardblocks.h
	w1: fix loop in w1_fini()
	sh: j2: Use ioremap() to translate device tree address into kernel memory
	media: usb: Check az6007_read() return value
	media: videodev2.h: Fix struct v4l2_input tuner index comment
	media: usb: siano: Fix warning due to null work_func_t function pointer
	extcon: Fix kernel doc of property fields to avoid warnings
	extcon: Fix kernel doc of property capability fields to avoid warnings
	usb: phy: phy-tahvo: fix memory leak in tahvo_usb_probe()
	mfd: rt5033: Drop rt5033-battery sub-device
	mfd: intel-lpss: Add missing check for platform_get_resource
	mfd: stmpe: Only disable the regulators if they are enabled
	rtc: st-lpc: Release some resources in st_rtc_probe() in case of error
	sctp: fix potential deadlock on &net->sctp.addr_wq_lock
	Add MODULE_FIRMWARE() for FIRMWARE_TG357766.
	spi: bcm-qspi: return error if neither hif_mspi nor mspi is available
	mailbox: ti-msgmgr: Fill non-message tx data fields with 0x0
	powerpc: allow PPC_EARLY_DEBUG_CPM only when SERIAL_CPM=y
	net: bridge: keep ports without IFF_UNICAST_FLT in BR_PROMISC mode
	tcp: annotate data races in __tcp_oow_rate_limited()
	net/sched: act_pedit: Add size check for TCA_PEDIT_PARMS_EX
	sh: dma: Fix DMA channel offset calculation
	NFSD: add encoding of op_recall flag for write delegation
	mmc: core: disable TRIM on Kingston EMMC04G-M627
	mmc: core: disable TRIM on Micron MTFC4GACAJCN-1M
	integrity: Fix possible multiple allocation in integrity_inode_get()
	jffs2: reduce stack usage in jffs2_build_xattr_subsystem()
	btrfs: fix race when deleting quota root from the dirty cow roots list
	ARM: orion5x: fix d2net gpio initialization
	spi: spi-fsl-spi: remove always-true conditional in fsl_spi_do_one_msg
	spi: spi-fsl-spi: relax message sanity checking a little
	spi: spi-fsl-spi: allow changing bits_per_word while CS is still active
	netfilter: nf_tables: incorrect error path handling with NFT_MSG_NEWRULE
	netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain
	netfilter: nf_tables: unbind non-anonymous set if rule construction fails
	netfilter: conntrack: Avoid nf_ct_helper_hash uses after free
	netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
	workqueue: clean up WORK_* constant types, clarify masking
	net: mvneta: fix txq_map in case of txq_number==1
	udp6: fix udp6_ehashfn() typo
	ntb: idt: Fix error handling in idt_pci_driver_init()
	NTB: amd: Fix error handling in amd_ntb_pci_driver_init()
	ntb: intel: Fix error handling in intel_ntb_pci_driver_init()
	NTB: ntb_transport: fix possible memory leak while device_register() fails
	ipv6/addrconf: fix a potential refcount underflow for idev
	wifi: airo: avoid uninitialized warning in airo_get_rate()
	net/sched: make psched_mtu() RTNL-less safe
	tpm: tpm_vtpm_proxy: fix a race condition in /dev/vtpmx creation
	SUNRPC: Fix UAF in svc_tcp_listen_data_ready()
	perf intel-pt: Fix CYC timestamps after standalone CBR
	ext4: fix wrong unit use in ext4_mb_clear_bb
	ext4: only update i_reserved_data_blocks on successful block allocation
	jfs: jfs_dmap: Validate db_l2nbperpage while mounting
	PCI: Add function 1 DMA alias quirk for Marvell 88SE9235
	misc: pci_endpoint_test: Re-init completion for every test
	md/raid0: add discard support for the 'original' layout
	fs: dlm: return positive pid value for F_GETLK
	hwrng: imx-rngc - fix the timeout for init and self check
	meson saradc: fix clock divider mask length
	Revert "8250: add support for ASIX devices with a FIFO bug"
	tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() in case of error
	tty: serial: samsung_tty: Fix a memory leak in s3c24xx_serial_getclk() when iterating clk
	ring-buffer: Fix deadloop issue on reading trace_pipe
	xtensa: ISS: fix call to split_if_spec
	scsi: qla2xxx: Wait for io return on terminate rport
	scsi: qla2xxx: Fix potential NULL pointer dereference
	scsi: qla2xxx: Check valid rport returned by fc_bsg_to_rport()
	scsi: qla2xxx: Pointer may be dereferenced
	serial: atmel: don't enable IRQs prematurely
	perf probe: Add test for regression introduced by switch to die_get_decl_file()
	fuse: revalidate: don't invalidate if interrupted
	can: bcm: Fix UAF in bcm_proc_show()
	ext4: correct inline offset when handling xattrs in inode body
	debugobjects: Recheck debug_objects_enabled before reporting
	nbd: Add the maximum limit of allocated index in nbd_dev_add
	md: fix data corruption for raid456 when reshape restart while grow up
	md/raid10: prevent soft lockup while flush writes
	posix-timers: Ensure timer ID search-loop limit is valid
	sched/fair: Don't balance task to its current running CPU
	bpf: Address KCSAN report on bpf_lru_list
	wifi: wext-core: Fix -Wstringop-overflow warning in ioctl_standard_iw_point()
	igb: Fix igb_down hung on surprise removal
	spi: bcm63xx: fix max prepend length
	fbdev: imxfb: warn about invalid left/right margin
	pinctrl: amd: Use amd_pinconf_set() for all config options
	net: ethernet: ti: cpsw_ale: Fix cpsw_ale_get_field()/cpsw_ale_set_field()
	fbdev: au1200fb: Fix missing IRQ check in au1200fb_drv_probe
	llc: Don't drop packet from non-root netns.
	netfilter: nf_tables: fix spurious set element insertion failure
	tcp: annotate data-races around rskq_defer_accept
	tcp: annotate data-races around tp->notsent_lowat
	tcp: annotate data-races around fastopenq.max_qlen
	gpio: tps68470: Make tps68470_gpio_output() always set the initial value
	i40e: Fix an NULL vs IS_ERR() bug for debugfs_create_dir()
	ethernet: atheros: fix return value check in atl1e_tso_csum()
	ipv6 addrconf: fix bug where deleting a mngtmpaddr can create a new temporary address
	tcp: Reduce chance of collisions in inet6_hashfn().
	bonding: reset bond's flags when down link is P2P device
	team: reset team's flags when down link is P2P device
	platform/x86: msi-laptop: Fix rfkill out-of-sync on MSI Wind U100
	benet: fix return value check in be_lancer_xmit_workarounds()
	ASoC: fsl_spdif: Silence output on stop
	block: Fix a source code comment in include/uapi/linux/blkzoned.h
	dm raid: fix missing reconfig_mutex unlock in raid_ctr() error paths
	ata: pata_ns87415: mark ns87560_tf_read static
	ring-buffer: Fix wrong stat of cpu_buffer->read
	tracing: Fix warning in trace_buffered_event_disable()
	USB: serial: option: support Quectel EM060K_128
	USB: serial: option: add Quectel EC200A module support
	USB: serial: simple: add Kaufmann RKS+CAN VCP
	USB: serial: simple: sort driver entries
	can: gs_usb: gs_can_close(): add missing set of CAN state to CAN_STATE_STOPPED
	usb: ohci-at91: Fix the unhandle interrupt when resume
	usb: xhci-mtk: set the dma max_seg_size
	Documentation: security-bugs.rst: update preferences when dealing with the linux-distros group
	staging: ks7010: potential buffer overflow in ks_wlan_set_encode_ext()
	hwmon: (nct7802) Fix for temp6 (PECI1) processed even if PECI1 disabled
	tpm_tis: Explicitly check for error code
	irq-bcm6345-l1: Do not assume a fixed block to cpu mapping
	s390/dasd: fix hanging device after quiesce/resume
	ASoC: wm8904: Fill the cache for WM8904_ADC_TEST_0 register
	dm cache policy smq: ensure IO doesn't prevent cleaner policy progress
	drm/client: Fix memory leak in drm_client_target_cloned
	net/sched: cls_fw: Fix improper refcount update leads to use-after-free
	net/sched: sch_qfq: account for stab overhead in qfq_enqueue
	net/sched: cls_u32: Fix reference counter leak leading to overflow
	perf: Fix function pointer case
	word-at-a-time: use the same return type for has_zero regardless of endianness
	net/mlx5e: fix return value check in mlx5e_ipsec_remove_trailer()
	perf test uprobe_from_different_cu: Skip if there is no gcc
	net: add missing data-race annotations around sk->sk_peek_off
	net: add missing data-race annotation for sk_ll_usec
	net/sched: cls_u32: No longer copy tcf_result on update to avoid use-after-free
	net/sched: cls_route: No longer copy tcf_result on update to avoid use-after-free
	ip6mr: Fix skb_under_panic in ip6mr_cache_report()
	tcp_metrics: fix addr_same() helper
	tcp_metrics: annotate data-races around tm->tcpm_stamp
	tcp_metrics: annotate data-races around tm->tcpm_lock
	tcp_metrics: annotate data-races around tm->tcpm_vals[]
	tcp_metrics: annotate data-races around tm->tcpm_net
	tcp_metrics: fix data-race in tcpm_suck_dst() vs fastopen
	loop: Select I/O scheduler 'none' from inside add_disk()
	libceph: fix potential hang in ceph_osdc_notify()
	USB: zaurus: Add ID for A-300/B-500/C-700
	fs/sysv: Null check to prevent null-ptr-deref bug
	Bluetooth: L2CAP: Fix use-after-free in l2cap_sock_ready_cb
	net: usbnet: Fix WARNING in usbnet_start_xmit/usb_submit_urb
	ext2: Drop fragment support
	test_firmware: fix a memory leak with reqs buffer
	mtd: rawnand: omap_elm: Fix incorrect type in assignment
	drm/edid: fix objtool warning in drm_cvt_modes()
	Linux 4.14.322

Change-Id: Ia25c00bd23a112b634b83577ec7d54569e8b7c70
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-08-23 14:54:21 +00:00
Roger Quadros
808373f1ac mtd: rawnand: omap_elm: Fix incorrect type in assignment 
[ Upstream commit d8403b9eeee66d5dd81ecb9445800b108c267ce3 ]

Once the ECC word endianness is converted to BE32, we force cast it
to u32 so we can use elm_write_reg() which in turn uses writel().

Fixes below sparse warnings:

   drivers/mtd/nand/raw/omap_elm.c:180:37: sparse:     expected unsigned int [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:180:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:185:37: sparse:     expected unsigned int [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:185:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:190:37: sparse:     expected unsigned int [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:190:37: sparse:     got restricted __be32 [usertype]
>> drivers/mtd/nand/raw/omap_elm.c:200:40: sparse: sparse: restricted __be32 degrades to integer
   drivers/mtd/nand/raw/omap_elm.c:206:39: sparse: sparse: restricted __be32 degrades to integer
   drivers/mtd/nand/raw/omap_elm.c:210:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:210:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:213:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:213:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:216:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:216:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:219:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:219:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:222:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:222:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:225:37: sparse:     expected unsigned int [assigned] [usertype] val
   drivers/mtd/nand/raw/omap_elm.c:225:37: sparse:     got restricted __be32 [usertype]
   drivers/mtd/nand/raw/omap_elm.c:228:39: sparse: sparse: restricted __be32 degrades to integer

Fixes: bf22433575ef ("mtd: devices: elm: Add support for ELM error correction")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202306212211.WDXokuWh-lkp@intel.com/
Signed-off-by: Roger Quadros <rogerq@kernel.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230624184021.7740-1-rogerq@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-08-11 11:33:57 +02:00
Kees Cook
d68627697d treewide: Remove uninitialized_var() usage 
commit 3f649ab728cda8038259d8f14492fe400fbab911 upstream.

Using uninitialized_var() is dangerous as it papers over real bugs[1]
(or can in the future), and suppresses unrelated compiler warnings
(e.g. "unused variable"). If the compiler thinks it is uninitialized,
either simply initialize the variable or make compiler changes.

In preparation for removing[2] the[3] macro[4], remove all remaining
needless uses with the following script:

git grep '\buninitialized_var\b' | cut -d: -f1 | sort -u | \
	xargs perl -pi -e \
		's/\buninitialized_var\(([^\)]+)\)/\1/g;
		 s:\s*/\* (GCC be quiet|to make compiler happy) \*/$::g;'

drivers/video/fbdev/riva/riva_hw.c was manually tweaked to avoid
pathological white-space.

No outstanding warnings were found building allmodconfig with GCC 9.3.0
for x86_64, i386, arm64, arm, powerpc, powerpc64le, s390x, mips, sparc64,
alpha, and m68k.

[1] https://lore.kernel.org/lkml/20200603174714.192027-1-glider@google.com/
[2] https://lore.kernel.org/lkml/CA+55aFw+Vbj0i=1TGqCR5vQkCzWJ0QxK6CernOU6eedsudAixw@mail.gmail.com/
[3] https://lore.kernel.org/lkml/CA+55aFwgbgqhbp1fkxvRKEpzyR5J8n1vKT1VZdz9knmPuXhOeg@mail.gmail.com/
[4] https://lore.kernel.org/lkml/CA+55aFz2500WfbKXAx8s67wrm9=yVJu65TpLgN_ybYNv0VEOKA@mail.gmail.com/

Reviewed-by: Leon Romanovsky <leonro@mellanox.com> # drivers/infiniband and mlx4/mlx5
Acked-by: Jason Gunthorpe <jgg@mellanox.com> # IB
Acked-by: Kalle Valo <kvalo@codeaurora.org> # wireless drivers
Reviewed-by: Chao Yu <yuchao0@huawei.com> # erofs
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-08-11 11:33:32 +02:00
Greg Kroah-Hartman
0efbe093b6 This is the 4.14.315 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmRkmmMACgkQONu9yGCS
 aT5S/g/+LHkUcwpnnPu5llymtK0jd/0WvwWUJfJAOlGpa3l9CkoPtjHzNwtagoFR
 2+woN7zhC7UteTz20/RXMFtNv7zFOMA91nsVSmYp4Cc997XpILeTkzpQMzoCm8Qt
 YFMpKEX0op6sAR+NUJ5Vaj/HaFBvO9J2ZMGGrxeUKVPAAgRk3AdvTGfHFwzXlmfb
 AKVo9jhG7NszYeLYIHRONMDJRyiBLJXrLSLfn+u+uKKRjNnBqJJEDQu3zYt6kavy
 M/8CE6QgOoCAcbyTIgVw9ZU51ydWfbKiEnMpEwPAEHy6C4xrYfMnWqF8LDjkSNCL
 xsNYbAyaPh/MdJoLGdTcuRSp58xP5dNT366xShN78RLqbeKPfg0nZCHMDWnC4BZP
 ET+zAwiueaf64Hu3NWHq8IC74EhgM8ZCzLiVb9CqCyllcVCT2xjdRE8eJtXz5Vgq
 ahsuJmvzGdSIkX6HFh8QKpWdoeRSPbOol+/xD/0fPFf97EiAvMZX5kLgfI+o0rGj
 6fZuENIECp/WHiIqHJ2bsGb69M/OeJfoISxUUVFrCnGduXA59Gnj9zKftNHyNMQZ
 GCu2yHYkkM50RRw9xSO/286Z3mbz84fFRc8PKwWzu7veghuPXYOOKaA4Eleaw/Oy
 Sx92e2OTKjQVGKadHT4HfTd1xabks/9qLGBpx20GuRsfhHt/yJo=
 =ef7P
 -----END PGP SIGNATURE-----

Merge 4.14.315 into android-4.14-stable

Changes in 4.14.315
	wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies()
	bluetooth: Perform careful capability checks in hci_sock_ioctl()
	USB: serial: option: add UNISOC vendor and TOZED LT70C product
	iio: adc: palmas_gpadc: fix NULL dereference on rmmod
	USB: dwc3: fix runtime pm imbalance on unbind
	perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE)
	staging: iio: resolver: ads1210: fix config mode
	MIPS: fw: Allow firmware to pass a empty env
	ring-buffer: Sync IRQ works before buffer destruction
	reiserfs: Add security prefix to xattr name in reiserfs_security_write()
	i2c: omap: Fix standard mode false ACK readings
	Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path"
	ubi: Fix return value overwrite issue in try_write_vid_and_data()
	ubifs: Free memory for tmpfile name
	selinux: fix Makefile dependencies of flask.h
	selinux: ensure av_permissions.h is built when needed
	drm/rockchip: Drop unbalanced obj unref
	drm/vgem: add missing mutex_destroy
	drm/probe-helper: Cancel previous job before starting new one
	media: bdisp: Add missing check for create_workqueue
	media: av7110: prevent underflow in write_ts_to_decoder()
	x86/apic: Fix atomic update of offset in reserve_eilvt_offset()
	media: dm1105: Fix use after free bug in dm1105_remove due to race condition
	x86/ioapic: Don't return 0 from arch_dynirq_lower_bound()
	arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step
	wifi: ath6kl: minor fix for allocation size
	wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list()
	wifi: ath6kl: reduce WARN to dev_dbg() in callback
	scm: fix MSG_CTRUNC setting condition for SO_PASSSEC
	vlan: partially enable SIOCSHWTSTAMP in container
	net/packet: convert po->origdev to an atomic flag
	net/packet: convert po->auxdata to an atomic flag
	scsi: target: iscsit: Fix TAS handling during conn cleanup
	scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS
	md/raid10: fix leak of 'r10bio->remaining' for recovery
	wifi: iwlwifi: make the loop for card preparation effective
	wifi: iwlwifi: mvm: check firmware response size
	ixgbe: Allow flow hash to be set via ethtool
	ixgbe: Enable setting RSS table to default values
	ipv4: Fix potential uninit variable access bug in __ip_make_skb()
	Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work"
	net: amd: Fix link leak when verifying config failed
	tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.
	pstore: Revert pmsg_lock back to a normal mutex
	linux/vt_buffer.h: allow either builtin or modular for macros
	spi: fsl-spi: Fix CPM/QE mode Litte Endian
	of: Fix modalias string generation
	ia64: mm/contig: fix section mismatch warning/error
	uapi/linux/const.h: prefer ISO-friendly __typeof__
	sh: sq: Fix incorrect element size for allocating bitmap buffer
	usb: chipidea: fix missing goto in `ci_hdrc_probe`
	tty: serial: fsl_lpuart: adjust buffer length to the intended size
	serial: 8250: Add missing wakeup event reporting
	staging: rtl8192e: Fix W_DISABLE# does not work after stop/start
	spmi: Add a check for remove callback when removing a SPMI driver
	macintosh/windfarm_smu_sat: Add missing of_node_put()
	powerpc/mpc512x: fix resource printk format warning
	powerpc/wii: fix resource printk format warnings
	powerpc/sysdev/tsi108: fix resource printk format warnings
	macintosh: via-pmu-led: requires ATA to be set
	powerpc/rtas: use memmove for potentially overlapping buffer copy
	perf/core: Fix hardlockup failure caused by perf throttle
	RDMA/rdmavt: Delete unnecessary NULL check
	power: supply: generic-adc-battery: fix unit scaling
	clk: add missing of_node_put() in "assigned-clocks" property parsing
	IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order
	NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease
	SUNRPC: remove the maximum number of retries in call_bind_status
	phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port
	dmaengine: at_xdmac: do not enable all cyclic channels
	parisc: Fix argument pointer in real64_call_asm()
	nilfs2: do not write dirty data after degenerating to read-only
	nilfs2: fix infinite loop in nilfs_mdt_get_block()
	wifi: rtl8xxxu: RTL8192EU always needs full init
	clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent
	btrfs: scrub: reject unsupported scrub flags
	s390/dasd: fix hanging blockdevice after request requeue
	dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path
	dm flakey: fix a crash with invalid table line
	dm ioctl: fix nested locking in table_clear() to remove deadlock concern
	perf auxtrace: Fix address filter entire kernel size
	netfilter: nf_tables: split set destruction in deactivate and destroy phase
	netfilter: nf_tables: unbind set in rule from commit path
	netfilter: nft_hash: fix nft_hash_deactivate
	netfilter: nf_tables: use-after-free in failing rule with bound set
	netfilter: nf_tables: bogus EBUSY when deleting set after flush
	netfilter: nf_tables: deactivate anonymous set from preparation phase
	sit: update dev->needed_headroom in ipip6_tunnel_bind_dev()
	writeback: fix call of incorrect macro
	net/sched: act_mirred: Add carrier check
	af_packet: Don't send zero-byte data in packet_sendmsg_spkt().
	ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init`
	perf vendor events power9: Remove UTF-8 characters from JSON files
	perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp()
	perf symbols: Fix return incorrect build_id size in elf_read_build_id()
	btrfs: fix btrfs_prev_leaf() to not return the same key twice
	btrfs: print-tree: parent bytenr must be aligned to sector size
	cifs: fix pcchunk length type in smb2_copychunk_range
	sh: math-emu: fix macro redefined warning
	sh: nmi_debug: fix return value of __setup handler
	ARM: dts: exynos: fix WM8960 clock name in Itop Elite
	ARM: dts: s5pv210: correct MIPI CSIS clock name
	HID: wacom: Set a default resolution for older tablets
	ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum
	ext4: improve error recovery code paths in __ext4_remount()
	ext4: add bounds checking in get_max_inline_xattr_value_size()
	ext4: bail out of ext4_xattr_ibody_get() fails for any reason
	ext4: remove a BUG_ON in ext4_mb_release_group_pa()
	ext4: fix invalid free tracking in ext4_xattr_move_to_block()
	perf bench: Share some global variables to fix build with gcc 10
	tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH
	serial: 8250: Fix serial8250_tx_empty() race with DMA Tx
	drbd: correctly submit flush bio on barrier
	printk: declare printk_deferred_{enter,safe}() in include/linux/printk.h
	mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock
	Linux 4.14.315

Change-Id: I7e3fda05118b08edc995f33280f9eec1f563b951
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-05-18 15:49:55 +00:00
Wang YanQing
3144855d46 ubi: Fix return value overwrite issue in try_write_vid_and_data() 
commit 31a149d5c13c4cbcf97de3435817263a2d8c9d6e upstream.

The commit 2d78aee426d8 ("UBI: simplify LEB write and atomic LEB change code")
adds helper function, try_write_vid_and_data(), to simplify the code, but this
helper function has bug, it will return 0 (success) when ubi_io_write_vid_hdr()
or the ubi_io_write_data() return error number (-EIO, etc), because the return
value of ubi_wl_put_peb() will overwrite the original return value.

This issue will cause unexpected data loss issue, because the caller of this
function and UBIFS willn't know the data is lost.

Fixes: 2d78aee426d8 ("UBI: simplify LEB write and atomic LEB change code")
Cc: stable@vger.kernel.org
Signed-off-by: Wang YanQing <udknight@gmail.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-05-17 11:11:39 +02:00
Greg Kroah-Hartman
7b854fbace This is the 4.14.313 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmRBDasACgkQONu9yGCS
 aT6b+RAA10Y7oyJ3XTY4Iezj9155aG+8pQdraHCUeQ2mQSf5vQXszDZY466dsaam
 7ONyW4cjZBBcQHAfiN2LYIPBmEq27ooDBoUZt8r9xX2I/xXSrYKJ64sI7QObpXz/
 fJ5H94lLaxkldYmXl/o6fVstRcn5dPJ0FXaKvdWLwD/G/3y6Z/odFEmmbeZiHEtm
 G4owwbKMDxJ82sDBi9jTOVFy3ciINDbixydGF1g8VkV3aL2mk8lPd5nPsSxf1b3N
 GE+gKHIlW44/TuObYPewd6c9uQerIk7RG/pgo3z2vda0i2X3WYxF1bYmCjeHuoKE
 zmv3/mtltymRQf2nszyWcK3mEuGiQVOb4ikx0sDoo02+9YVF2kC/hs/vFJE8MR8J
 3IkgMy675EEwQcoK21W8PqYhXwyJNaf53PWsxa5J6FdGby/9BJnQ94K3Ri06SlAi
 6fB1xXvc+qRm0+ARssxO4e/d3zTZlhFgKwvrCyt2vQEvAZc4+NksrPeGpzMkIKLj
 44fBwo+tDZ4Xg7rfYS+/lsN0ZxvkMdz06AF54MRGPSxjDIGqU94/jrZ1oqb3uvtl
 ta5LZsZvTXXUIFhrfi65/yBoEhAvGpkYbVcCeqqA+U97mtQ2yd24fV8oHwYVGu/g
 zoYfPIlWxrRx9TN1W6wwQvJxfdPbK67W5akfikqvB8fHeX7/xMw=
 =/dv7
 -----END PGP SIGNATURE-----

Merge 4.14.313 into android-4.14-stable

Changes in 4.14.313
	pwm: cros-ec: Explicitly set .polarity in .get_state()
	wifi: mac80211: fix invalid drv_sta_pre_rcu_remove calls for non-uploaded sta
	icmp: guard against too small mtu
	ipv6: Fix an uninit variable access bug in __ip6_make_skb()
	gpio: davinci: Add irq chip flag to skip set wake
	USB: serial: cp210x: add Silicon Labs IFS-USB-DATACABLE IDs
	USB: serial: option: add Telit FE990 compositions
	USB: serial: option: add Quectel RM500U-CN modem
	iio: dac: cio-dac: Fix max DAC write value check for 12-bit
	tty: serial: sh-sci: Fix Rx on RZ/G2L SCI
	nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
	nilfs2: fix sysfs interface lifetime
	perf/core: Fix the same task check in perf_event_set_output
	ftrace: Mark get_lock_parent_ip() __always_inline
	ring-buffer: Fix race while reader and writer are on the same page
	mm/swap: fix swap_info_struct race between swapoff and get_swap_pages()
	ALSA: emu10k1: fix capture interrupt handler unlinking
	ALSA: hda/sigmatel: add pin overrides for Intel DP45SG motherboard
	ALSA: i2c/cs8427: fix iec958 mixer control deactivation
	ALSA: hda/sigmatel: fix S/PDIF out on Intel D*45* motherboards
	Bluetooth: L2CAP: Fix use-after-free in l2cap_disconnect_{req,rsp}
	Bluetooth: Fix race condition in hidp_session_thread
	mtdblock: tolerate corrected bit-flips
	9p/xen : Fix use after free bug in xen_9pfs_front_remove due to race condition
	niu: Fix missing unwind goto in niu_alloc_channels()
	qlcnic: check pci_reset_function result
	net: macb: fix a memory corruption in extended buffer descriptor mode
	i2c: imx-lpi2c: clean rx/tx buffers upon new message
	efi: sysfb_efi: Add quirk for Lenovo Yoga Book X91F/L
	verify_pefile: relax wrapper length check
	ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size
	cgroup/cpuset: Wake up cpuset_attach_wq tasks in cpuset_cancel_attach()
	watchdog: sbsa_wdog: Make sure the timeout programming is within the limits
	coresight-etm4: Fix for() loop drvdata->nr_addr_cmp range bug
	KVM: arm64: Factor out core register ID enumeration
	KVM: arm64: Filter out invalid core register IDs in KVM_GET_REG_LIST
	arm64: KVM: Fix system register enumeration
	Linux 4.14.313

Change-Id: I9dcef9855d47e02e4ccbfcc7dd59e976c6ab9fb1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-04-21 13:29:20 +00:00
Zhihao Cheng
a1f760178f ubi: Fix failure attaching when vid_hdr offset equals to (sub)page size 
commit 1e020e1b96afdecd20680b5b5be2a6ffc3d27628 upstream.

Following process will make ubi attaching failed since commit
1b42b1a36fc946 ("ubi: ensure that VID header offset ... size"):

ID="0xec,0xa1,0x00,0x15" # 128M 128KB 2KB
modprobe nandsim id_bytes=$ID
flash_eraseall /dev/mtd0
modprobe ubi mtd="0,2048"  # set vid_hdr offset as 2048 (one page)
(dmesg):
  ubi0 error: ubi_attach_mtd_dev [ubi]: VID header offset 2048 too large.
  UBI error: cannot attach mtd0
  UBI error: cannot initialize UBI, error -22

Rework original solution, the key point is making sure
'vid_hdr_shift + UBI_VID_HDR_SIZE < ubi->vid_hdr_alsize',
so we should check vid_hdr_shift rather not vid_hdr_offset.
Then, ubi still support (sub)page aligined VID header offset.

Fixes: 1b42b1a36fc946 ("ubi: ensure that VID header offset ... size")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Tested-by: Nicolas Schichan <nschichan@freebox.fr>
Tested-by: Miquel Raynal <miquel.raynal@bootlin.com> # v5.10, v4.19
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-04-20 12:02:12 +02:00
Bang Li
ff6e02b752 mtdblock: tolerate corrected bit-flips 
commit 0c3089601f064d80b3838eceb711fcac04bceaad upstream.

mtd_read() may return -EUCLEAN in case of corrected bit-flips.This
particular condition should not be treated like an error.

Signed-off-by: Bang Li <libang.linuxer@gmail.com>
Fixes: e47f68587b82 ("mtd: check for max_bitflips in mtd_read_oob()")
Cc: <stable@vger.kernel.org> # v3.7
Acked-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230328163012.4264-1-libang.linuxer@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2023-04-20 12:02:11 +02:00
Greg Kroah-Hartman
dcf8e96bea This is the 4.14.308 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmQMngEACgkQONu9yGCS
 aT5ifBAAlRcsirDWn3jLJYYFuBv02tDCwZWOlkNUhobBYP6V5Qiu0clDb8GOW7px
 VLSy6uxKS3FSVFxv7Jg0tM0Kb4id6u3hn1OpXDgKFDpofwH1mF/pHHm0TszlwBkK
 1d3X04HfowiGrmFEx0uz5RCJSFj/7xDcmq2AivRs2KmTvThHmOZBVSIiv5kr+t1z
 7TJ5JNE3OK9IaHK/Ic9p3/8r3Xx0pwpZnS9vBL2KbPOjDiYIAnwtfQ5efg++Dfw8
 rCeFpDFGVVW0Biau17Q+1NBN8GhVcn0A7C6oCZZhEgGhWdEPkTn3UVaYaYE8FPnV
 wM1zPhcYUus0QVUUE9wgsxmVFsiSc2KcSraii98PPgnNFdj2nYQzYNAfmiyByKnr
 U3wuQvF69L+Z9sRo4z3zjjVnO2gYNgdygdwekbXnVraTDv5NhbVwyJ7LngaseGXN
 QQZMD2AEJtAbng9zDi8kQbHM1MpdRWhtcUyhP2R9qZ2rcnXyk1cJz2Qw3oqJV6Av
 yLl8g74112CErNyVDJqMJV1TzQDtkN6A1xXzLwUtMLUJ8dYedlopduhhDRaM94Xx
 ZJjiduSsif1eeYMheNC82F3pR5As7FJFlnqTBcJIYSmfYQ3ooYUBGhyGhp3tFn1F
 HY7AXdIQRqtbRcJMx2Hs0ZA86FCWHYafQDr+4QO9WEU1d8y5vvg=
 =ch57
 -----END PGP SIGNATURE-----

Merge 4.14.308 into android-4.14-stable

Changes in 4.14.308
	ARM: dts: rockchip: add power-domains property to dp node on rk3288
	btrfs: send: limit number of clones and allocated memory size
	IB/hfi1: Assign npages earlier
	net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues().
	bpf: Do not use ax register in interpreter on div/mod
	bpf: fix subprog verifier bypass by div/mod by 0 exception
	bpf: Fix 32 bit src register truncation on div/mod
	bpf: Fix truncation handling for mod32 dst reg wrt zero
	dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size
	USB: serial: option: add support for VW/Skoda "Carstick LTE"
	USB: core: Don't hold device lock while reading the "descriptors" sysfs file
	HID: asus: Remove check for same LED brightness on set
	HID: asus: use spinlock to protect concurrent accesses
	HID: asus: use spinlock to safely schedule workers
	ARM: OMAP2+: Fix memory leak in realtime_counter_init()
	ARM: zynq: Fix refcount leak in zynq_early_slcr_init
	arm64: dts: meson-gx: Fix Ethernet MAC address unit name
	arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address
	ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init()
	ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato
	arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name
	arm64: dts: amlogic: meson-gx: add missing unit address to rng node name
	arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name
	block: bio-integrity: Copy flags when bio_integrity_payload is cloned
	wifi: libertas: fix memory leak in lbs_init_adapter()
	wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave()
	wifi: ipw2200: fix memory leak in ipw_wdev_init()
	wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit()
	wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid()
	wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave()
	wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave()
	wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave()
	genirq: Fix the return type of kstat_cpu_irqs_sum()
	lib/mpi: Fix buffer overrun when SG is too long
	ACPICA: nsrepair: handle cases without a return value correctly
	wifi: orinoco: check return value of hermes_write_wordrec()
	wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function
	wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback()
	ACPI: battery: Fix missing NUL-termination with large strings
	crypto: seqiv - Handle EBUSY correctly
	net/mlx5: Enhance debug print in page allocation failure
	irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains
	irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe
	cpufreq: davinci: Fix clk use after free
	Bluetooth: L2CAP: Fix potential user-after-free
	crypto: rsa-pkcs1pad - Use akcipher_request_complete
	m68k: /proc/hardware should depend on PROC_FS
	wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize()
	can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error
	irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts
	drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC
	drm/bridge: megachips: Fix error handling in i2c_register_driver()
	gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id()
	drm/msm/hdmi: Add missing check for alloc_ordered_workqueue
	pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups
	ALSA: hda/ca0132: minor fix for allocation size
	drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness
	drm/mediatek: Drop unbalanced obj unref
	ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress()
	gpio: vf610: connect GPIO label to dev name
	hwmon: (ltc2945) Handle error case in ltc2945_value_store
	scsi: aic94xx: Add missing check for dma_map_single()
	dm: remove flush_scheduled_work() during local_exit()
	mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read()
	mtd: rawnand: sunxi: Fix the size of the last OOB region
	Input: ads7846 - don't report pressure for ads7845
	Input: ads7846 - don't check penirq immediately for 7845
	powerpc/powernv/ioda: Skip unallocated resources when mapping to PE
	powerpc/pseries/lparcfg: add missing RTAS retry status handling
	MIPS: vpe-mt: drop physical_memsize
	media: platform: ti: Add missing check for devm_regulator_get
	media: rc: Fix use-after-free bugs caused by ene_tx_irqsim()
	media: usb: siano: Fix use after free bugs caused by do_submit_urb
	rpmsg: glink: Avoid infinite loop on intent for missing channel
	udf: Define EFSCORRUPTED error code
	ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy
	wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds()
	rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait()
	thermal: intel: Fix unsigned comparison with less than zero
	timers: Prevent union confusion from unexpected restart_syscall()
	x86/bugs: Reset speculation control settings on init
	inet: fix fast path in __inet_hash_connect()
	ACPI: Don't build ACPICA with '-Os'
	net: bcmgenet: Add a check for oversized packets
	m68k: Check syscall_trace_enter() return code
	ACPI: video: Fix Lenovo Ideapad Z570 DMI match
	drm/radeon: free iio for atombios when driver shutdown
	drm/msm/dsi: Add missing check for alloc_ordered_workqueue
	docs/scripts/gdb: add necessary make scripts_gdb step
	ASoC: kirkwood: Iterate over array indexes instead of using pointer math
	regulator: max77802: Bounds check regulator id against opmode
	regulator: s5m8767: Bounds check id indexing into arrays
	pinctrl: at91: use devm_kasprintf() to avoid potential leaks
	dm thin: add cond_resched() to various workqueue loops
	dm cache: add cond_resched() to various workqueue loops
	spi: bcm63xx-hsspi: Fix multi-bit mode setting
	wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu
	rtc: pm8xxx: fix set-alarm race
	s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler
	s390/kprobes: fix current_kprobe never cleared after kprobes reenter
	hfs: fix missing hfs_bnode_get() in __hfs_bnode_create
	fs: hfsplus: fix UAF issue in hfsplus_put_super
	f2fs: fix information leak in f2fs_move_inline_dirents()
	ocfs2: fix defrag path triggering jbd2 ASSERT
	ocfs2: fix non-auto defrag path not working issue
	udf: Truncate added extents on failed expansion
	udf: Do not bother merging very long extents
	udf: Do not update file length for failed writes to inline files
	udf: Fix file corruption when appending just after end of preallocated extent
	x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows)
	x86/crash: Disable virt in core NMI crash handler to avoid double shootdown
	x86/reboot: Disable virtualization in an emergency if SVM is supported
	x86/reboot: Disable SVM, not just VMX, when stopping CPUs
	x86/kprobes: Fix __recover_optprobed_insn check optimizing logic
	x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range
	x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter
	x86/microcode/AMD: Add a @cpu parameter to the reloading functions
	x86/microcode/AMD: Fix mixed steppings support
	x86/speculation: Allow enabling STIBP with legacy IBRS
	Documentation/hw-vuln: Document the interaction between IBRS and STIBP
	ima: Align ima_file_mmap() parameters with mmap_file LSM hook
	irqdomain: Fix association race
	irqdomain: Fix disassociation race
	irqdomain: Drop bogus fwspec-mapping error handling
	ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls()
	ext4: optimize ea_inode block expansion
	ext4: refuse to create ea block when umounted
	wifi: rtl8xxxu: Use a longer retry limit of 48
	wifi: cfg80211: Fix use after free for wext
	dm flakey: fix logic when corrupting a bio
	dm flakey: don't corrupt the zero page
	ARM: dts: exynos: correct TMU phandle in Exynos4
	ARM: dts: exynos: correct TMU phandle in Odroid XU
	rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails
	alpha: fix FEN fault handling
	mips: fix syscall_get_nr
	ktest.pl: Fix missing "end_monitor" when machine check fails
	scsi: qla2xxx: Fix link failure in NPIV environment
	scsi: qla2xxx: Fix erroneous link down
	scsi: ses: Don't attach if enclosure has no components
	scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process()
	scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses
	scsi: ses: Fix possible desc_ptr out-of-bounds accesses
	scsi: ses: Fix slab-out-of-bounds in ses_intf_remove()
	PCI: Avoid FLR for AMD FCH AHCI adapters
	drm/radeon: Fix eDP for single-display iMac11,2
	kbuild: Port silent mode detection to future gnu make.
	net/sched: Retire tcindex classifier
	fs/jfs: fix shift exponent db_agl2size negative
	pwm: stm32-lp: fix the check on arr and cmp registers update
	ubi: ensure that VID header offset + VID header size <= alloc, size
	ubifs: Rectify space budget for ubifs_xrename()
	ubifs: Fix wrong dirty space budget for dirty inode
	ubifs: Reserve one leb for each journal head while doing budget
	ubi: Fix use-after-free when volume resizing failed
	ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume()
	ubi: Fix possible null-ptr-deref in ubi_free_volume()
	ubifs: Re-statistic cleaned znode count if commit failed
	ubifs: dirty_cow_znode: Fix memleak in error handling path
	ubifs: ubifs_writepage: Mark page dirty after writing inode failed
	ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show()
	ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed
	x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list
	watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path
	watchdog: Fix kmemleak in watchdog_cdev_register
	watchdog: pcwd_usb: Fix attempting to access uninitialized memory
	netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack()
	net: fix __dev_kfree_skb_any() vs drop monitor
	9p/xen: fix version parsing
	9p/xen: fix connection sequence
	nfc: fix memory leak of se_io context in nfc_genl_se_io
	ARM: dts: spear320-hmi: correct STMPE GPIO compatible
	tcp: tcp_check_req() can be called from process context
	scsi: ipr: Work around fortify-string warning
	thermal: intel: quark_dts: fix error pointer dereference
	tracing: Add NULL checks for buffer in ring_buffer_free_read_page()
	firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3
	media: uvcvideo: Handle cameras with invalid descriptors
	tty: fix out-of-bounds access in tty_driver_lookup_tty()
	tty: serial: fsl_lpuart: disable the CTS when send break signal
	tools/iio/iio_utils:fix memory leak
	iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word()
	iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word()
	usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math
	USB: ene_usb6250: Allocate enough memory for full object
	usb: uvc: Enumerate valid values for color matching
	phy: rockchip-typec: Fix unsigned comparison with less than zero
	Bluetooth: hci_sock: purge socket queues in the destruct() callback
	s390/maccess: add no DAT mode to kernel_write
	s390/setup: init jump labels before command line parsing
	tcp: Fix listen() regression in 4.14.303.
	thermal: intel: powerclamp: Fix cur_state for multi package system
	Linux 4.14.308

Change-Id: Iad2a41de33ff004df8050f949aa00955604b4cf6
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2023-03-12 15:40:21 +00:00
Zhihao Cheng
b40d2fbf47 ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed 
[ Upstream commit 4d57a7333e26040f2b583983e1970d9d460e56b0 ]

Following process will trigger an infinite loop in ubi_wl_put_peb():

	ubifs_bgt		ubi_bgt
ubifs_leb_unmap
  ubi_leb_unmap
    ubi_eba_unmap_leb
      ubi_wl_put_peb	wear_leveling_worker
                          e1 = rb_entry(rb_first(&ubi->used)
			  e2 = get_peb_for_wl(ubi)
			  ubi_io_read_vid_hdr  // return err (flash fault)
			  out_error:
			    ubi->move_from = ubi->move_to = NULL
			    wl_entry_destroy(ubi, e1)
			      ubi->lookuptbl[e->pnum] = NULL
      retry:
        e = ubi->lookuptbl[pnum];	// return NULL
	if (e == ubi->move_from) {	// NULL == NULL gets true
	  goto retry;			// infinite loop !!!

$ top
  PID USER      PR  NI    VIRT    RES    SHR S  %CPU %MEM     COMMAND
  7676 root     20   0       0      0      0 R 100.0  0.0  ubifs_bgt0_0

Fix it by:
 1) Letting ubi_wl_put_peb() returns directly if wearl leveling entry has
    been removed from 'ubi->lookuptbl'.
 2) Using 'ubi->wl_lock' protecting wl entry deletion to preventing an
    use-after-free problem for wl entry in ubi_wl_put_peb().

Fetch a reproducer in [Link].

Fixes: 43f9b25a9cdd7b1 ("UBI: bugfix: protect from volume removal")
Fixes: ee59ba8b064f692 ("UBI: Fix stale pointers in ubi->lookuptbl")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216111
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:51 +01:00
Zhihao Cheng
3f9b63dfce ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() 
[ Upstream commit a240bc5c43130c6aa50831d7caaa02a1d84e1bce ]

Wear-leveling entry could be freed in error path, which may be accessed
again in eraseblk_count_seq_show(), for example:

__erase_worker                eraseblk_count_seq_show
                                wl = ubi->lookuptbl[*block_number]
				if (wl)
  wl_entry_destroy
    ubi->lookuptbl[e->pnum] = NULL
    kmem_cache_free(ubi_wl_entry_slab, e)
		                   erase_count = wl->ec  // UAF!

Wear-leveling entry updating/accessing in ubi->lookuptbl should be
protected by ubi->wl_lock, fix it by adding ubi->wl_lock to serialize
wl entry accessing between wl_entry_destroy() and
eraseblk_count_seq_show().

Fetch a reproducer in [Link].

Link: https://bugzilla.kernel.org/show_bug.cgi?id=216305
Fixes: 7bccd12d27b7e3 ("ubi: Add debugfs file for tracking PEB state")
Fixes: 801c135ce73d5d ("UBI: Unsorted Block Images")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:51 +01:00
Yang Yingliang
5558bcf1c5 ubi: Fix possible null-ptr-deref in ubi_free_volume() 
[ Upstream commit c15859bfd326c10230f09cb48a17f8a35f190342 ]

It willl cause null-ptr-deref in the following case:

uif_init()
  ubi_add_volume()
    cdev_add() -> if it fails, call kill_volumes()
    device_register()

kill_volumes() -> if ubi_add_volume() fails call this function
  ubi_free_volume()
    cdev_del()
    device_unregister() -> trying to delete a not added device,
			   it causes null-ptr-deref

So in ubi_free_volume(), it delete devices whether they are added
or not, it will causes null-ptr-deref.

Handle the error case whlie calling ubi_add_volume() to fix this
problem. If add volume fails, set the corresponding vol to null,
so it can not be accessed in kill_volumes() and release the
resource in ubi_add_volume() error path.

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Suggested-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:51 +01:00
Li Zetao
09780a4409 ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() 
[ Upstream commit 1e591ea072df7211f64542a09482b5f81cb3ad27 ]

There is a memory leaks problem reported by kmemleak:

unreferenced object 0xffff888102007a00 (size 128):
  comm "ubirsvol", pid 32090, jiffies 4298464136 (age 2361.231s)
  hex dump (first 32 bytes):
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff  ................
  backtrace:
[<ffffffff8176cecd>] __kmalloc+0x4d/0x150
[<ffffffffa02a9a36>] ubi_eba_create_table+0x76/0x170 [ubi]
[<ffffffffa029764e>] ubi_resize_volume+0x1be/0xbc0 [ubi]
[<ffffffffa02a3321>] ubi_cdev_ioctl+0x701/0x1850 [ubi]
[<ffffffff81975d2d>] __x64_sys_ioctl+0x11d/0x170
[<ffffffff83c142a5>] do_syscall_64+0x35/0x80
[<ffffffff83e0006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

This is due to a mismatch between create and destroy interfaces, and
in detail that "new_eba_tbl" created by ubi_eba_create_table() but
destroyed by kfree(), while will causing "new_eba_tbl->entries" not
freed.

Fix it by replacing kfree(new_eba_tbl) with
ubi_eba_destroy_table(new_eba_tbl)

Fixes: 799dca34ac54 ("UBI: hide EBA internals")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:50 +01:00
Li Zetao
bf9875aa7f ubi: Fix use-after-free when volume resizing failed 
[ Upstream commit 9af31d6ec1a4be4caab2550096c6bd2ba8fba472 ]

There is an use-after-free problem reported by KASAN:
  ==================================================================
  BUG: KASAN: use-after-free in ubi_eba_copy_table+0x11f/0x1c0 [ubi]
  Read of size 8 at addr ffff888101eec008 by task ubirsvol/4735

  CPU: 2 PID: 4735 Comm: ubirsvol
  Not tainted 6.1.0-rc1-00003-g84fa3304a7fc-dirty #14
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
  BIOS 1.14.0-1.fc33 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x34/0x44
   print_report+0x171/0x472
   kasan_report+0xad/0x130
   ubi_eba_copy_table+0x11f/0x1c0 [ubi]
   ubi_resize_volume+0x4f9/0xbc0 [ubi]
   ubi_cdev_ioctl+0x701/0x1850 [ubi]
   __x64_sys_ioctl+0x11d/0x170
   do_syscall_64+0x35/0x80
   entry_SYSCALL_64_after_hwframe+0x46/0xb0
   </TASK>

When ubi_change_vtbl_record() returns an error in ubi_resize_volume(),
"new_eba_tbl" will be freed on error handing path, but it is holded
by "vol->eba_tbl" in ubi_eba_replace_table(). It means that the liftcycle
of "vol->eba_tbl" and "vol" are different, so when resizing volume in
next time, it causing an use-after-free fault.

Fix it by not freeing "new_eba_tbl" after it replaced in
ubi_eba_replace_table(), while will be freed in next volume resizing.

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:50 +01:00
George Kennedy
61e04db3be ubi: ensure that VID header offset + VID header size <= alloc, size 
[ Upstream commit 1b42b1a36fc946f0d7088425b90d491b4257ca3e ]

Ensure that the VID header offset + VID header size does not exceed
the allocated area to avoid slab OOB.

BUG: KASAN: slab-out-of-bounds in crc32_body lib/crc32.c:111 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_generic lib/crc32.c:179 [inline]
BUG: KASAN: slab-out-of-bounds in crc32_le_base+0x58c/0x626 lib/crc32.c:197
Read of size 4 at addr ffff88802bb36f00 by task syz-executor136/1555

CPU: 2 PID: 1555 Comm: syz-executor136 Tainted: G        W
6.0.0-1868 #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
04/01/2014
Call Trace:
  <TASK>
  __dump_stack lib/dump_stack.c:88 [inline]
  dump_stack_lvl+0x85/0xad lib/dump_stack.c:106
  print_address_description mm/kasan/report.c:317 [inline]
  print_report.cold.13+0xb6/0x6bb mm/kasan/report.c:433
  kasan_report+0xa7/0x11b mm/kasan/report.c:495
  crc32_body lib/crc32.c:111 [inline]
  crc32_le_generic lib/crc32.c:179 [inline]
  crc32_le_base+0x58c/0x626 lib/crc32.c:197
  ubi_io_write_vid_hdr+0x1b7/0x472 drivers/mtd/ubi/io.c:1067
  create_vtbl+0x4d5/0x9c4 drivers/mtd/ubi/vtbl.c:317
  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:870 [inline]
  __se_sys_ioctl fs/ioctl.c:856 [inline]
  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0x0
RIP: 0033:0x7f96d5cf753d
Code:
RSP: 002b:00007fffd72206f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f96d5cf753d
RDX: 0000000020000080 RSI: 0000000040186f40 RDI: 0000000000000003
RBP: 0000000000400cd0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000400be0
R13: 00007fffd72207e0 R14: 0000000000000000 R15: 0000000000000000
  </TASK>

Allocated by task 1555:
  kasan_save_stack+0x20/0x3d mm/kasan/common.c:38
  kasan_set_track mm/kasan/common.c:45 [inline]
  set_alloc_info mm/kasan/common.c:437 [inline]
  ____kasan_kmalloc mm/kasan/common.c:516 [inline]
  __kasan_kmalloc+0x88/0xa3 mm/kasan/common.c:525
  kasan_kmalloc include/linux/kasan.h:234 [inline]
  __kmalloc+0x138/0x257 mm/slub.c:4429
  kmalloc include/linux/slab.h:605 [inline]
  ubi_alloc_vid_buf drivers/mtd/ubi/ubi.h:1093 [inline]
  create_vtbl+0xcc/0x9c4 drivers/mtd/ubi/vtbl.c:295
  create_empty_lvol drivers/mtd/ubi/vtbl.c:500 [inline]
  ubi_read_volume_table+0x67b/0x288a drivers/mtd/ubi/vtbl.c:812
  ubi_attach+0xf34/0x1603 drivers/mtd/ubi/attach.c:1601
  ubi_attach_mtd_dev+0x6f3/0x185e drivers/mtd/ubi/build.c:965
  ctrl_cdev_ioctl+0x2db/0x347 drivers/mtd/ubi/cdev.c:1043
  vfs_ioctl fs/ioctl.c:51 [inline]
  __do_sys_ioctl fs/ioctl.c:870 [inline]
  __se_sys_ioctl fs/ioctl.c:856 [inline]
  __x64_sys_ioctl+0x193/0x213 fs/ioctl.c:856
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3e/0x86 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0x0

The buggy address belongs to the object at ffff88802bb36e00
  which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes to the right of
  256-byte region [ffff88802bb36e00, ffff88802bb36f00)

The buggy address belongs to the physical page:
page:00000000ea4d1263 refcount:1 mapcount:0 mapping:0000000000000000
index:0x0 pfn:0x2bb36
head:00000000ea4d1263 order:1 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 ffffea000066c300 dead000000000003 ffff888100042b40
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff88802bb36e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff88802bb36e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff88802bb36f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff88802bb36f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff88802bb37000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: 801c135ce73d ("UBI: Unsorted Block Images")
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:50 +01:00
Samuel Holland
4f59dd7d97 mtd: rawnand: sunxi: Fix the size of the last OOB region 
[ Upstream commit 34569d869532b54d6e360d224a0254dcdd6a1785 ]

The previous code assigned to the wrong structure member.

Fixes: c66811e6d350 ("mtd: nand: sunxi: switch to mtd_ooblayout_ops")
Signed-off-by: Samuel Holland <samuel@sholland.org>
Acked-By: Dhruva Gole <d-gole@ti.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221229181526.53766-6-samuel@sholland.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-03-11 16:26:40 +01:00
Greg Kroah-Hartman
524b0e422c This is the 4.14.303 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPHrWcACgkQONu9yGCS
 aT5CpQ//ZY5pRk/M5QREXNbAhBY8NPBVAsBEXooK+nBIfD8Qi4KFGyxUG8nns8/G
 6YiNVt0xjEkIre1U9u0+WmXMpWEwSZIWuAdrO+R1B9SjzaT5NIypm9lIjXjTungm
 S4Z4X85BfLL46z3CnKfuuiX5Y08qDON8NKmvjBWKHhNMOaehYDnCk/CC1COlW7iJ
 r59VhsmHrvVQuYVZIOLKrERfIyIj2xzgobaKmb/El0UVzylEyIXsyGC4pe+PV8uD
 8/xTqiC+rAJGeS7ZzrObPvEjJrnwt5AqI/bHMnWTMgsXtgx+X7Q6ppdU1795ZnU4
 Db56rIWNzkZ5YGI1sadNA8DTeVWKh1UkElz81ABj+eCyfCTSb8GH86zPflDb3oQT
 0fFGtpKjSXPDSEJ5qKU+4xGO7VAkW6GLl2W6bwkOUp29+iifbGt2TbzNB/DObuVK
 /eH4GdNC4CXy/+bHzwv2uahNUQDQpnhwHey83rjvpP6uG4K9sZnn/ufrV3O/b8xQ
 jg+iiuicz1GWAdkiNZtwRj52VrLVRuP6VnoUVvD3k7i5insdXsptzqz+UNZh6bei
 UmxWkHz1RRaH6tGwsNFQaMkTbodzMFWOzw8zoeUwNQxfid1bhdigJAHotpIJmkkJ
 c21fW/HJDO8Z9KEd3HPOfz8q/pPkiCGOg4CURn2Vqr1DofmjXLo=
 =HUNl
 -----END PGP SIGNATURE-----

Merge 4.14.303 into android-4.14-stable

Changes in 4.14.303
	libtraceevent: Fix build with binutils 2.35
	once: add DO_ONCE_SLOW() for sleepable contexts
	mm/khugepaged: fix GUP-fast interaction by sending IPI
	mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
	block: unhash blkdev part inode when the part is deleted
	nfp: fix use-after-free in area_cache_get()
	ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
	can: sja1000: fix size of OCR_MODE_MASK define
	can: mcba_usb: Fix termination command argument
	ASoC: ops: Correct bounds check for second channel on SX controls
	perf script python: Remove explicit shebang from tests/attr.c
	udf: Discard preallocation before extending file with a hole
	udf: Drop unused arguments of udf_delete_aext()
	udf: Fix preallocation discarding at indirect extent boundary
	udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
	udf: Fix extending file within last block
	usb: gadget: uvc: Prevent buffer overflow in setup handler
	USB: serial: option: add Quectel EM05-G modem
	USB: serial: cp210x: add Kamstrup RF sniffer PIDs
	igb: Initialize mailbox message for VF reset
	Bluetooth: L2CAP: Fix u8 overflow
	net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
	usb: musb: remove extra check in musb_gadget_vbus_draw
	ARM: dts: qcom: apq8064: fix coresight compatible
	drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
	arm: dts: spear600: Fix clcd interrupt
	soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
	arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
	ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
	ARM: dts: turris-omnia: Add ethernet aliases
	ARM: dts: turris-omnia: Add switch port 6 node
	pstore/ram: Fix error return code in ramoops_probe()
	ARM: mmp: fix timer_read delay
	pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
	tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
	cpuidle: dt: Return the correct numbers of parsed idle states
	alpha: fix syscall entry in !AUDUT_SYSCALL case
	PM: hibernate: Fix mistake in kerneldoc comment
	fs: don't audit the capability check in simple_xattr_list()
	perf: Fix possible memleak in pmu_dev_alloc()
	timerqueue: Use rb_entry_safe() in timerqueue_getnext()
	ocfs2: fix memory leak in ocfs2_stack_glue_init()
	MIPS: vpe-mt: fix possible memory leak while module exiting
	MIPS: vpe-cmp: fix possible memory leak while module exiting
	PNP: fix name memory leak in pnp_alloc_dev()
	irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
	libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
	lib/notifier-error-inject: fix error when writing -errno to debugfs file
	rapidio: fix possible name leaks when rio_add_device() fails
	rapidio: rio: fix possible name leak in rio_register_mport()
	ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
	uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
	x86/xen: Fix memory leak in xen_init_lock_cpu()
	platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
	MIPS: BCM63xx: Add check for NULL for clk in clk_enable
	fs: sysv: Fix sysv_nblocks() returns wrong value
	rapidio: fix possible UAF when kfifo_alloc() fails
	eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
	hfs: Fix OOB Write in hfs_asc2mac
	rapidio: devices: fix missing put_device in mport_cdev_open
	wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
	wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
	media: i2c: ad5820: Fix error path
	spi: Update reference to struct spi_controller
	media: vivid: fix compose size exceed boundary
	mtd: Fix device name leak when register device failed in add_mtd_device()
	media: camss: Clean up received buffers on failed start of streaming
	drm/radeon: Add the missed acpi_put_table() to fix memory leak
	ASoC: pxa: fix null-pointer dereference in filter()
	regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
	ima: Fix misuse of dereference of pointer in template_desc_init_fields()
	wifi: ath10k: Fix return value in ath10k_pci_init()
	mtd: lpddr2_nvm: Fix possible null-ptr-deref
	Input: elants_i2c - properly handle the reset GPIO when power is off
	media: solo6x10: fix possible memory leak in solo_sysfs_init()
	media: platform: exynos4-is: Fix error handling in fimc_md_init()
	HID: hid-sensor-custom: set fixed size for custom attributes
	ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
	clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
	mtd: maps: pxa2xx-flash: fix memory leak in probe
	media: imon: fix a race condition in send_packet()
	pinctrl: pinconf-generic: add missing of_node_put()
	media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
	media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
	NFSv4.2: Fix a memory stomp in decode_attr_security_label
	NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
	ALSA: asihpi: fix missing pci_disable_device()
	drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
	drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
	ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
	bonding: uninitialized variable in bond_miimon_inspect()
	regulator: core: fix module refcount leak in set_supply()
	media: saa7164: fix missing pci_disable_device()
	ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
	SUNRPC: Fix missing release socket in rpc_sockname()
	NFSv4.x: Fail client initialisation if state manager thread can't run
	mmc: moxart: fix return value check of mmc_add_host()
	mmc: mxcmmc: fix return value check of mmc_add_host()
	mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
	mmc: toshsd: fix return value check of mmc_add_host()
	mmc: vub300: fix return value check of mmc_add_host()
	mmc: wmt-sdmmc: fix return value check of mmc_add_host()
	mmc: via-sdmmc: fix return value check of mmc_add_host()
	mmc: wbsd: fix return value check of mmc_add_host()
	mmc: mmci: fix return value check of mmc_add_host()
	media: c8sectpfe: Add of_node_put() when breaking out of loop
	media: coda: Add check for dcoda_iram_alloc
	media: coda: Add check for kmalloc
	clk: samsung: Fix memory leak in _samsung_clk_register_pll()
	wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
	wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
	blktrace: Fix output non-blktrace event when blk_classic option enabled
	net: vmw_vsock: vmci: Check memcpy_from_msg()
	net: defxx: Fix missing err handling in dfx_init()
	drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
	ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: farsync: Fix kmemleak when rmmods farsync
	net/tunnel: wait until all sk_user_data reader finish before releasing the sock
	net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
	hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
	net: amd-xgbe: Check only the minimum speed for active/passive cables
	net: lan9303: Fix read error execution path
	ntb_netdev: Use dev_kfree_skb_any() in interrupt context
	Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
	Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
	Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
	Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
	Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
	Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
	stmmac: fix potential division by 0
	apparmor: fix a memleak in multi_transaction_new()
	PCI: Check for alloc failure in pci_request_irq()
	RDMA/hfi: Decrease PCI device reference count in error path
	RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
	scsi: hpsa: Fix error handling in hpsa_add_sas_host()
	scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
	scsi: fcoe: Fix possible name leak when device_register() fails
	scsi: ipr: Fix WARNING in ipr_init()
	scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
	scsi: snic: Fix possible UAF in snic_tgt_create()
	RDMA/hfi1: Fix error return code in parse_platform_config()
	orangefs: Fix sysfs not cleanup when dev init failed
	crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
	hwrng: amd - Fix PCI device refcount leak
	hwrng: geode - Fix PCI device refcount leak
	IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
	drivers: dio: fix possible memory leak in dio_init()
	class: fix possible memory leak in __class_register()
	vfio: platform: Do not pass return buffer to ACPI _RST method
	uio: uio_dmem_genirq: Fix missing unlock in irq configuration
	uio: uio_dmem_genirq: Fix deadlock between irq config and handling
	usb: fotg210-udc: Fix ages old endianness issues
	staging: vme_user: Fix possible UAF in tsi148_dma_list_add
	serial: amba-pl011: avoid SBSA UART accessing DMACR register
	serial: pch: Fix PCI device refcount leak in pch_request_dma()
	serial: sunsab: Fix error handling in sunsab_init()
	test_firmware: fix memory leak in test_firmware_init()
	misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
	misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
	cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
	cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
	drivers: mcb: fix resource leak in mcb_probe()
	mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
	chardev: fix error handling in cdev_device_add()
	i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
	staging: rtl8192u: Fix use after free in ieee80211_rx()
	staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
	vme: Fix error not catched in fake_init()
	i2c: ismt: Fix an out-of-bounds bug in ismt_access()
	usb: storage: Add check for kcalloc
	fbdev: ssd1307fb: Drop optional dependency
	fbdev: pm2fb: fix missing pci_disable_device()
	fbdev: via: Fix error in via_core_init()
	fbdev: vermilion: decrease reference count in error path
	fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
	HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
	HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
	power: supply: fix residue sysfs file in error handle route of __power_supply_register()
	HSI: omap_ssi_core: Fix error handling in ssi_init()
	include/uapi/linux/swab: Fix potentially missing __always_inline
	rtc: snvs: Allow a time difference on clock register read
	iommu/amd: Fix pci device refcount leak in ppr_notifier()
	iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
	macintosh: fix possible memory leak in macio_add_one_device()
	macintosh/macio-adb: check the return value of ioremap()
	powerpc/52xx: Fix a resource leak in an error handling path
	cxl: Fix refcount leak in cxl_calc_capp_routing
	powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
	powerpc/perf: callchain validate kernel stack pointer bounds
	powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
	powerpc/hv-gpci: Fix hv_gpci event list
	selftests/powerpc: Fix resource leaks
	rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
	nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
	mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
	mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
	mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
	nfc: pn533: Clear nfc_target before being used
	r6040: Fix kmemleak in probe and remove
	openvswitch: Fix flow lookup to use unmasked key
	skbuff: Account for tail adjustment during pull operations
	net_sched: reject TCF_EM_SIMPLE case for complex ematch module
	myri10ge: Fix an error handling path in myri10ge_probe()
	net: stream: purge sk_error_queue in sk_stream_kill_queues()
	binfmt_misc: fix shift-out-of-bounds in check_special_flags
	fs: jfs: fix shift-out-of-bounds in dbAllocAG
	udf: Avoid double brelse() in udf_rename()
	fs: jfs: fix shift-out-of-bounds in dbDiscardAG
	ACPICA: Fix error code path in acpi_ds_call_control_method()
	nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
	acct: fix potential integer overflow in encode_comp_t()
	hfs: fix OOB Read in __hfs_brec_find
	wifi: ath9k: verify the expected usb_endpoints are present
	wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
	ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
	ipmi: fix memleak when unload ipmi driver
	bpf: make sure skb->len != 0 when redirecting to a tunneling device
	net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
	hamradio: baycom_epp: Fix return type of baycom_send_packet()
	wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
	igb: Do not free q_vector unless new one was allocated
	s390/ctcm: Fix return type of ctc{mp,}m_tx()
	s390/netiucv: Fix return type of netiucv_tx()
	s390/lcs: Fix return type of lcs_start_xmit()
	drm/sti: Use drm_mode_copy()
	md/raid1: stop mdx_raid1 thread when raid1 array run failed
	mrp: introduce active flags to prevent UAF when applicant uninit
	ppp: associate skb with a device at tx
	media: dvb-frontends: fix leak of memory fw
	media: dvbdev: adopts refcnt to avoid UAF
	media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
	blk-mq: fix possible memleak when register 'hctx' failed
	mmc: f-sdh30: Add quirks for broken timeout clock capability
	media: si470x: Fix use-after-free in si470x_int_in_callback()
	clk: st: Fix memory leak in st_of_quadfs_setup()
	drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
	drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
	orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
	ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
	ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
	ASoC: wm8994: Fix potential deadlock
	ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
	ASoC: rt5670: Remove unbalanced pm_runtime_put()
	pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
	pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
	usb: dwc3: core: defer probe on ulpi_read_id timeout
	HID: wacom: Ensure bootloader PID is usable in hidraw mode
	reiserfs: Add missing calls to reiserfs_security_free()
	iio: adc: ad_sigma_delta: do not use internal iio_dev lock
	gcov: add support for checksum field
	media: dvbdev: fix refcnt bug
	powerpc/rtas: avoid device tree lookups in rtas_os_term()
	powerpc/rtas: avoid scheduling in rtas_os_term()
	HID: plantronics: Additional PIDs for double volume key presses quirk
	hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
	ALSA: line6: correct midi status byte when receiving data from podxt
	ALSA: line6: fix stack overflow in line6_midi_transmit
	pnode: terminate at peers of source
	md: fix a crash in mempool_free
	mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
	tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
	tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
	media: stv0288: use explicitly signed char
	ktest.pl minconfig: Unset configs instead of just removing them
	ARM: ux500: do not directly dereference __iomem
	selftests: Use optional USERCFLAGS and USERLDFLAGS
	dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
	dm thin: Use last transaction's pmd->root when commit failed
	dm thin: Fix UAF in run_timer_softirq()
	dm cache: Fix UAF in destroy()
	dm cache: set needs_check flag after aborting metadata
	x86/microcode/intel: Do not retry microcode reloading on the APs
	tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
	ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
	media: dvb-core: Fix double free in dvb_register_device()
	media: dvb-core: Fix UAF due to refcount races at releasing
	cifs: fix confusing debug message
	ima: Fix a potential NULL pointer access in ima_restore_measurement_list
	PCI: Fix pci_device_is_present() for VFs by checking PF
	PCI/sysfs: Fix double free in error path
	crypto: n2 - add missing hash statesize
	iommu/amd: Fix ivrs_acpihid cmdline parsing code
	parisc: led: Fix potential null-ptr-deref in start_task()
	device_cgroup: Roll back to original exceptions after copy failure
	drm/connector: send hotplug uevent on connector cleanup
	drm/vmwgfx: Validate the box size for the snooped cursor
	ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
	ext4: fix undefined behavior in bit shift for ext4_check_flag_values
	ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
	ext4: init quota for 'old.inode' in 'ext4_rename'
	ext4: fix error code return to user-space in ext4_get_branch()
	ext4: avoid BUG_ON when creating xattrs
	ext4: fix inode leak in ext4_xattr_inode_create() on an error path
	ext4: initialize quota before expanding inode in setproject ioctl
	ext4: avoid unaccounted block allocation when expanding inode
	ext4: allocate extended attribute value in vmalloc area
	SUNRPC: ensure the matching upcall is in-flight upon downcall
	bpf: pull before calling skb_postpull_rcsum()
	qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
	nfc: Fix potential resource leaks
	net: amd-xgbe: add missed tasklet_kill
	net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
	net: sched: atm: dont intepret cls results when asked to drop
	usb: rndis_host: Secure rndis_query check against int overflow
	caif: fix memory leak in cfctrl_linkup_request()
	udf: Fix extension of the last extent in the file
	x86/bugs: Flush IBP in ib_prctl_set()
	nfsd: fix handling of readdir in v4root vs. mount upcall timeout
	hfs/hfsplus: use WARN_ON for sanity check
	hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
	parisc: Align parisc MADV_XXX constants with all other architectures
	driver core: Fix bus_type.match() error handling in __driver_attach()
	ravb: Fix "failed to switch device to config mode" message during unbind
	net: sched: disallow noqueue for qdisc classes
	docs: Fix the docs build with Sphinx 6.0
	perf auxtrace: Fix address filter duplicate symbol selection
	s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
	net/ulp: prevent ULP without clone op from entering the LISTEN status
	ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
	platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
	ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
	netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
	x86/boot: Avoid using Intel mnemonics in AT&T syntax asm
	EDAC/device: Fix period calculation in edac_device_reset_delay_period()
	regulator: da9211: Use irq handler when ready
	hvc/xen: lock console list traversal
	nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
	Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout"
	Linux 4.14.303

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If642f7084f2f69491d3104a3a2565bafd19765c9
 2023-01-18 09:32:42 +01:00
Zheng Yongjun
e2324a0912 mtd: maps: pxa2xx-flash: fix memory leak in probe 
[ Upstream commit 2399401feee27c639addc5b7e6ba519d3ca341bf ]

Free 'info' upon remapping error to avoid a memory leak.

Fixes: e644f7d62894 ("[MTD] MAPS: Merge Lubbock and Mainstone drivers into common PXA2xx driver")
Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com>
[<miquel.raynal@bootlin.com>: Reword the commit log]
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221119073307.22929-1-zhengyongjun3@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-01-18 09:26:14 +01:00
Hui Tang
bb9ccb6121 mtd: lpddr2_nvm: Fix possible null-ptr-deref 
[ Upstream commit 6bdd45d795adf9e73b38ced5e7f750cd199499ff ]

It will cause null-ptr-deref when resource_size(add_range) invoked,
if platform_get_resource() returns NULL.

Fixes: 96ba9dd65788 ("mtd: lpddr: add driver for LPDDR2-NVM PCM memories")
Signed-off-by: Hui Tang <tanghui20@huawei.com>
Acked-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221114090240.244172-1-tanghui20@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-01-18 09:26:13 +01:00
Zhang Xiaoxu
2302e2dc42 mtd: Fix device name leak when register device failed in add_mtd_device() 
[ Upstream commit 895d68a39481a75c680aa421546931fb11942fa6 ]

There is a kmemleak when register device failed:
  unreferenced object 0xffff888101aab550 (size 8):
    comm "insmod", pid 3922, jiffies 4295277753 (age 925.408s)
    hex dump (first 8 bytes):
      6d 74 64 30 00 88 ff ff                          mtd0....
    backtrace:
      [<00000000bde26724>] __kmalloc_node_track_caller+0x4e/0x150
      [<000000003c32b416>] kvasprintf+0xb0/0x130
      [<000000001f7a8f15>] kobject_set_name_vargs+0x2f/0xb0
      [<000000006e781163>] dev_set_name+0xab/0xe0
      [<00000000e30d0c78>] add_mtd_device+0x4bb/0x700
      [<00000000f3d34de7>] mtd_device_parse_register+0x2ac/0x3f0
      [<00000000c0d88488>] 0xffffffffa0238457
      [<00000000b40d0922>] 0xffffffffa02a008f
      [<0000000023d17b9d>] do_one_initcall+0x87/0x2a0
      [<00000000770f6ca6>] do_init_module+0xdf/0x320
      [<000000007b6768fe>] load_module+0x2f98/0x3330
      [<00000000346bed5a>] __do_sys_finit_module+0x113/0x1b0
      [<00000000674c2290>] do_syscall_64+0x35/0x80
      [<000000004c6a8d97>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

If register device failed, should call put_device() to give up the
reference.

Fixes: 1f24b5a8ecbb ("[MTD] driver model updates")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20221022121352.2534682-1-zhangxiaoxu5@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2023-01-18 09:26:12 +01:00
Greg Kroah-Hartman
17b9525fc5 Merge fc4de8009fd6 ("RDMA/hfi1: fix potential memory leak in setup_base_ctxt()") into android-mainline 
Steps on the way to 4.14.291

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7e68a13ad388a77cf5665ae3ff43ce00f32d500b
 2022-09-06 16:55:21 +02:00
Uwe Kleine-König
34e4e5b005 mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path 
[ Upstream commit 28607b426c3d050714f250d0faeb99d2e9106e90 ]

For all but one error path clk_disable_unprepare() is already there. Add
it to the one location where it's missing.

Fixes: 481815a6193b ("mtd: st_spi_fsm: Handle clk_prepare_enable/clk_disable_unprepare.")
Fixes: 69d5af8d016c ("mtd: st_spi_fsm: Obtain and use EMI clock")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220607152458.232847-2-u.kleine-koenig@pengutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2022-08-25 11:11:21 +02:00
Duoming Zhou
9b4fb916e6 mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release 
[ Upstream commit a61528d997619a518ee8c51cf0ef0513021afaff ]

There is a deadlock between sm_release and sm_cache_flush_work
which is a work item. The cancel_work_sync in sm_release will
not return until sm_cache_flush_work is finished. If we hold
mutex_lock and use cancel_work_sync to wait the work item to
finish, the work item also requires mutex_lock. As a result,
the sm_release will be blocked forever. The race condition is
shown below:

    (Thread 1)             |   (Thread 2)
sm_release                 |
  mutex_lock(&ftl->mutex)  | sm_cache_flush_work
                           |   mutex_lock(&ftl->mutex)
  cancel_work_sync         |   ...

This patch moves del_timer_sync and cancel_work_sync out of
mutex_lock in order to mitigate deadlock.

Fixes: 7d17c02a01a1 ("mtd: Add new SmartMedia/xD FTL")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220524044841.10517-1-duoming@zju.edu.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2022-08-25 11:11:20 +02:00
Miaoqian Lin
995fb2874b mtd: maps: Fix refcount leak in ap_flash_init 
[ Upstream commit 77087a04c8fd554134bddcb8a9ff87b21f357926 ]

of_find_matching_node() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.

Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220523143255.4376-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2022-08-25 11:11:20 +02:00
Miaoqian Lin
3c8de6a838 mtd: maps: Fix refcount leak in of_flash_probe_versatile 
[ Upstream commit 33ec82a6d2b119938f26e5c8040ed5d92378eb54 ]

of_find_matching_node_and_match() returns a node pointer with refcount
incremented, we should use of_node_put() on it when not need anymore.
Add missing of_node_put() to avoid refcount leak.

Fixes: b0afd44bc192 ("mtd: physmap_of: add a hook for Versatile write protection")
Signed-off-by: Miaoqian Lin <linmq006@gmail.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220523140205.48625-1-linmq006@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
 2022-08-25 11:11:20 +02:00